What Is Active Directory?

Active Directory consists of a series of components that constitute
both its logical structure and its physical structure. It provides a
way for organizations to centrally manage and store their user
objects, computer objects, and group memberships, and to define
security boundaries in a logical database structure.
Purpose of Active Directory
Active Directory stores information about users, computers, and
network resources and makes the resources accessible to users
and applications. It provides a consistent way to name, describe,
locate, access, manage, and secure information about these
resources.
Functions of Active Directory
Active Directory provides the following functions:
●Centralizes control of network resources
By centralizing control of resources such as servers, shared files,
and printers, Active Directory ensures that only authorized users
can access those resources.
●Centralizes and decentralizes resource management
Administrators have centralized administration, with the ability to
delegate administration of subsets of the network to a limited
number of individuals, giving them greater granularity in resource
management.
●Stores objects securely in a logical structure
Active Directory stores all of the resources as objects in a secure,
hierarchical logical structure.
●Optimizes network traffic
The physical structure of Active Directory enables you to use
network bandwidth more efficiently. For example, it ensures that,
when users log on to the network, the authentication authority
that is nearest to the user authenticates them, reducing the
amount of network traffic.
Sites within Active Directory
Sites are defined as groups of well-connected computers. When
you establish sites, domain controllers within a single site
communicate frequently. This communication minimizes the
latency within the site; that is, the time required for a change that
is made on one domain controller to be replicated to other
domain controllers. You create sites to optimize the use of
bandwidth between domain controllers that are in different
locations.
Operations Master Roles
When a change is made to a domain, the change is replicated
across all of the domain controllers in the domain. Some changes,
such as those made to the schema, are replicated across all of
the domains in the forest. This replication is called multimaster
replication.
During multimaster replication, a replication conflict can occur if
originating updates are performed concurrently on the same
object attribute on two domain controllers. To avoid replication
conflicts, Active Directory uses single master replication,
which designates one domain controller as the only domain
controller on which certain directory changes can be made. This
way, changes cannot occur at different places in the network at
the same time. Active Directory uses single master replication for
important changes, such as the addition of a new domain or a
change to the forest-wide schema. Operations that use
single-master replication are arranged together in specific roles in a
forest or domain. These roles are called operations master
roles. For each operations master role, only the domain controller
that holds that role can make the associated directory changes.
The domain controller that is responsible for a particular role is
called an operations master for that role. Active Directory stores
information about which domain controller holds a specific role.
Forest-wide Roles
Forest-wide roles are unique to a forest. The forest-wide roles are:
●Schema master: Controls all updates to the schema. The schema
contains the master list of object classes and attributes that are
used to create all Active Directory objects, such as users,
computers, and printers.
●Domain naming master: Controls the addition or removal of
domains in the forest. When you add a new domain to the forest,
only the domain controller that holds the domain naming master
role can add the new domain. There is only one schema master
and one domain naming master in the entire forest.
Domain-wide Roles
Domain-wide roles are unique to each domain in a forest. The
domain-wide roles are:
●Primary domain controller emulator (PDC)
Acts as a Windows NT PDC to support any backup domain
controllers (BDCs) running Microsoft Windows® NT within a
mixed-mode domain. This type of domain has domain controllers
that run Windows NT 4.0. The PDC emulator is the first domain
controller that you create in a new domain.
●Relative identifier master (RID)
When a new object is created, the domain controller creates a
new security principal that represents the object and assigns the
object a unique security identifier (SID). This SID consists of a
domain SID, which is the same for all security principals created
in the domain, and a RID, which is unique for each security
principal created in the domain. The RID master allocates blocks
of RIDs to each domain controller in the domain. The domain
controller then assigns a RID to objects that are created from its
allocated block of RIDs.
●Infrastructure master
When objects are moved from one domain to another, the
infrastructure master updates object references in its domain that
point to the object in the other domain. The object reference
contains the object’s globally unique identifier (GUID),
distinguished name, and a SID. Active Directory periodically
updates the distinguished name and the SID on the object
reference to reflect changes made to the actual object, such as
moves within and between domains and the deletion of the
object.
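The RID master's job as described above, shown as an added example that is not code from the original document: one RID master hands out disjoint RID blocks to two domain controllers, and each controller builds a principal's SID from the shared domain SID plus a RID drawn from its own block. The domain SID, the block size of 500, the first RID of 1000 and the DC names are constructed assumptions for this illustration.

```python
"""Added example: how RID-master block allocation and the domain SID
combine into unique principal SIDs. Not code from the original document."""
from typing import Dict, List, Tuple

# Constructed domain SID for this example; a real domain SID has the form
# S-1-5-21-<sub-authority>-<sub-authority>-<sub-authority>.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
# Assumptions for this example: RID blocks of 500 and a first RID of 1000.
RID_BLOCK_SIZE = 500
FIRST_RID = 1000


class RidMaster:
    """The single domain controller allowed to issue RID blocks, so no two
    DCs can ever hand the same RID to two different principals."""

    def __init__(self) -> None:
        self._next_rid = FIRST_RID
        self.allocations: List[Tuple[str, int, int]] = []   # (dc, low, high)

    def allocate_block(self, dc_name: str) -> Tuple[int, int]:
        low = self._next_rid
        high = low + RID_BLOCK_SIZE - 1
        self._next_rid = high + 1
        self.allocations.append((dc_name, low, high))
        return low, high


class DomainController:
    """Creates security principals from its own RID pool and only goes back
    to the RID master when that pool is exhausted."""

    def __init__(self, name: str, rid_master: RidMaster) -> None:
        self.name = name
        self._rid_master = rid_master
        self._next = 0
        self._high = -1

    def create_principal(self) -> str:
        if self._next > self._high:                  # pool exhausted
            self._next, self._high = self._rid_master.allocate_block(self.name)
        rid, self._next = self._next, self._next + 1
        return f"{DOMAIN_SID}-{rid}"


def split_sid(sid: str) -> Tuple[str, int]:
    """A principal SID is the domain SID plus a trailing RID."""
    domain_part, _, rid = sid.rpartition("-")
    return domain_part, int(rid)


def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two principals belong to the same domain when their domain SIDs match."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


def simulate(per_dc: int = 3) -> Dict[str, List[str]]:
    """Two DCs creating principals independently: each draws from its own
    block, so the SIDs differ even though neither DC talked to the other."""
    master = RidMaster()
    dcs = [DomainController("DC1", master), DomainController("DC2", master)]
    return {dc.name: [dc.create_principal() for _ in range(per_dc)] for dc in dcs}
```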

The global catalog contains:
●The attributes that are most frequently used in queries, such as
a user’s first name, last name, and logon name.
●The information that is necessary to determine the location of
any object in the directory.
●The access permissions for each object and attribute that is
stored in the global catalog. If you search for an object that you
do not have the appropriate permissions to view, the object will
not appear in the search results. Access permissions ensure that
users can find only objects to which they have been assigned
access.
A global catalog server is a domain controller that, in
addition to its full, writable domain directory partition replica, also
stores a partial, read-only replica of all other domain directory
partitions in the forest. Taking a user object as an example, it
would by default have many different attributes such as first
name, last name, phone number, and many more. The GC will by
default only store the most common of those attributes that
would be used in search operations (such as a user’s first and last
names, or login name, for example). The partial attributes that it
has for that object would be enough to allow a search for that
object to be able to locate the full replica of the object in Active
Directory. This allows searches to be done against a local GC, and
reduces network traffic over the WAN in an attempt to locate
objects somewhere else in the network.
Domain Controllers always contain the full attribute list for objects
belonging to their domain. If the Domain Controller is also a GC, it
will also contain a partial replica of objects from all other domains
in the forest.
Active Directory uses DNS as the name resolution service to
identify domains and domain host computers during processes
such as logging on to the network.
Similar to the way a Windows NT 4.0 client will query WINS for a
NetBIOS DOMAIN[1B] record to locate a PDC, or a NetBIOS
DOMAIN record for domain controllers, a Windows 2000, 2003, or
Windows XP client can query DNS to find a domain controller by
looking for SRV records.
Integration of DNS and Active Directory
The integration of DNS and Active Directory is essential because a
client computer in a Windows 2000 network must be able to
locate a domain controller so that users can log on to a domain or
use the services that Active Directory provides. Clients locate
domain controllers and services by using A resource records and
SRV records. The A resource record contains the FQDN and IP
address for the domain controller. The SRV record contains the
FQDN of the domain controller and the name of the service that
the domain controller provides.
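How a client turns the SRV and A records just described into a domain controller to talk to, as an added example that is not taken from the original text. The zone lines, host names and addresses are constructed samples, and the selection among several SRV records follows the RFC 2782 priority-then-weight rules.

```python
"""Added example: picking a domain controller from DNS SRV and A records.
Zone lines, host names and addresses below are constructed samples."""
import random
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone-file excerpt for contoso.com. The _msdcs subtree holds the
# SRV records a Windows client queries to find domain controllers; dc3 is
# deliberately given a worse priority so it is used only as a fallback.
ZONE_LINES = """
_ldap._tcp.dc._msdcs.contoso.com.     600 IN SRV 0  100 389 dc1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com.     600 IN SRV 0  100 389 dc2.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com.     600 IN SRV 10 100 389 dc3.contoso.com.
_kerberos._tcp.dc._msdcs.contoso.com. 600 IN SRV 0  100 88  dc1.contoso.com.
dc1.contoso.com.                      3600 IN A 10.0.0.11
dc2.contoso.com.                      3600 IN A 10.0.0.12
dc3.contoso.com.                      3600 IN A 10.0.0.13
"""

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$")


@dataclass
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_zone(text: str) -> Tuple[List[SrvRecord], Dict[str, str]]:
    """Return the SRV records and an FQDN -> IPv4 map built from the A records."""
    srv: List[SrvRecord] = []
    a: Dict[str, str] = {}
    for line in text.strip().splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            srv.append(SrvRecord(m[1], int(m[2]), int(m[3]), int(m[4]), m[5]))
            continue
        m = A_RE.match(line.strip())
        if m:
            a[m[1]] = m[2]
    return srv, a


def srv_name(service: str, domain: str) -> str:
    """Name a client queries to find DCs offering a service (e.g. ldap, kerberos)."""
    return f"_{service}._tcp.dc._msdcs.{domain}."


def select_dc(records: List[SrvRecord], service: str, domain: str,
              rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """RFC 2782 selection: the lowest priority wins; ties are broken by a
    weight-proportional random choice so load spreads across equal DCs."""
    rng = rng if rng is not None else random.Random()
    candidates = [r for r in records if r.name == srv_name(service, domain)]
    if not candidates:
        return None
    best = min(r.priority for r in candidates)
    tier = [r for r in candidates if r.priority == best]
    total = sum(r.weight for r in tier)
    pick = rng.randint(0, total - 1) if total > 0 else 0
    for r in tier:
        pick -= r.weight
        if pick < 0:
            return r
    return tier[-1]          # only reached when every weight is zero


def locate(service: str, domain: str, zone_text: str = ZONE_LINES,
           rng: Optional[random.Random] = None) -> Optional[Tuple[str, str, int]]:
    """Full locator step: the SRV record gives FQDN and port, the A record the IP."""
    srv, a = parse_zone(zone_text)
    rec = select_dc(srv, service, domain, rng)
    if rec is None:
        return None
    return rec.target, a.get(rec.target, ""), rec.port
```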
What Are Active Directory Integrated Zones?
One benefit of integrating DNS and Active Directory is the ability
to integrate DNS zones into an Active Directory database. A zone
is a portion of the domain namespace that has a logical grouping
of resource records, which allows zone transfers of these records
to operate as one unit.
Active Directory Integrated Zones
Microsoft DNS servers store information that is used to resolve
host names to IP addresses and IP addresses to host names in a
database file that has the extension .dns for each zone. Active
Directory integrated zones are primary zones that are stored as
objects in the Active Directory database. If zone objects are
stored in an Active Directory domain partition, they are replicated
to all domain controllers in the domain.
What Are DNS Zones?
A zone starts as a storage database for a single DNS domain
name. If other domains are added below the domain used to
create the zone, these domains can either be part of the same
zone or belong to another zone. Once a subdomain is added, it
can then either be:
●Managed and included as part of the original zone records, or
●Delegated away to another zone created to support the
subdomain
Types of Zones
There are two types of zones, forward lookup and reverse lookup.
Forward lookup zones contain information needed to resolve
names within the DNS domain. They must include SOA and NS
records and can include any type of resource record except the
PTR resource record. Reverse lookup zones contain information
needed to perform reverse lookups. They usually include SOA, NS,
PTR, and CNAME records.
With most queries, the client supplies a name and requests the IP
address that corresponds to that name. This type of query is
typically described as a forward lookup. Active Directory requires
forward lookup zones.
However, what if a client already has a computer's IP address and
wants to determine the DNS name for the computer? This is
important for programs that implement security based on the
connecting FQDN, and is used for TCP/IP network troubleshooting.
The DNS standard provides for this possibility through reverse
lookups.
Once you have installed Active Directory, you have two options
for storing your zones when operating the DNS server at the new
domain controller:
Standard Zone
Zones stored this way are located in .dns text files that are stored
in the %SystemRoot%\System32\Dns folder on each computer
operating a DNS server. Zone file names correspond to the name
you choose for the zone when creating it, such as
Example.microsoft.com.dns if the zone name was
example.microsoft.com.
This type offers the choice of using either a Standard Primary
zone or a Standard Secondary zone.

Standard Primary Zone
For standard primary-type zones, only a single DNS server can
host and load the master copy of the zone. If you create a zone
and keep it as a standard primary zone, no additional primary
servers for the zone are permitted. Only one server is allowed to
accept dynamic updates, also known as DDNS, and process zone
changes. The standard primary model implies a single point of
failure.
Standard Secondary Zone
A secondary name server gets the data for its zones from another
name server (either a primary name server or another secondary
name server) for that zone across the network. The data in a
secondary zone is read-only, and updated information must
come from additional zone transfers. The process of obtaining this
zone information (i.e., the database file) across the network is
referred to as a zone transfer. Zone transfers occur over TCP port
53. Secondary servers can provide a means to offload DNS query
traffic in areas of the network where a zone is heavily queried and
used. Additionally, if a primary server is down, a secondary server
can provide some name resolution in the zone until the primary
server is available.
Note
A Standard Primary zone will not replicate its information to any
other DNS servers, but may allow zone transfers to Secondary
zones. Win2003 also supports stub zones. A secondary or stub
zone cannot be hosted on a DNS server that hosts a primary zone
for the same domain name.
Directory-integrated Zone
Zones stored this way are located in the Active Directory tree
under the domain object container. Each directory-integrated
zone is stored in a dnsZone container object identified by the
name you choose for the zone when creating it. Active Directory
integrated zones will replicate this information to other domain
controllers in that domain.

Note
If DNS is running on a Windows 2000 server that is not a domain
controller, it will not be able to use Active Directory integrated
zones or replicate with other domain controllers, since it does not
have Active Directory installed.
DNS Records
After you create a zone, additional resource records need to be
added to it. The most common resource records (RRs) to be
added are listed in Table 1.

Table 1. Record Types

Name                    Description
Host (A)                Maps a DNS domain name to the IP address used by a computer.
Alias (CNAME)           Maps an alias DNS domain name to another, primary or canonical, name.
Mail Exchanger (MX)     Maps a DNS domain name to the name of a computer that exchanges or forwards mail for that domain.
Pointer (PTR)           Maps a reverse DNS domain name, based on the IP address of a computer, to the forward DNS domain name of that computer.
Service location (SRV)  Maps a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.

Q1. What does the logical component of the Active
Directory structure include?
■ Objects: Resources are stored in the Active Directory as objects.
Sub category: object class
An object is really just a collection of attributes. A user object, for
example, is made up of attributes such as name, password, phone
number, group membership, and so on. The attributes that make
up an object are defined by an object class. The user class, for
example, specifies the attributes that make up the user object.
The Active Directory Schema:
The classes and the attributes that they define are collectively
referred to as the Active Directory Schema—in database terms, a
schema is the structure of the tables and fields and how they are
related to one another. You can think of the Active Directory
Schema as a collection of data (object classes) that defines how
the real data of the directory (the attributes of an object) is
organized and stored.
■ Domains
The basic organizational structure of the Windows Server 2003
networking model is the domain. A domain represents an
administrative boundary. The computers, users, and other objects
within a domain share a common security database.
■ Trees
Multiple domains are organized into a hierarchical structure called
a tree. Actually, even if you have only one domain in your
organization, you still have a tree. The first domain you create in
a tree is called the root domain. The next domain that you add
becomes a child domain of that root. This expandability of
domains makes it possible to have many domains in a tree. Figure
1-1 shows an example of a tree. Microsoft.com was the first
domain created in Active Directory in this example and is
therefore the root domain.

Figure 1-1 A tree is a hierarchical organization of multiple
domains.
All domains in a tree share a common schema and a
contiguous namespace. In the example shown in Figure 1-1, all of
the domains in the tree under the microsoft.com root domain
share the namespace microsoft.com. Using a single tree is fine if
your organization is confined within a single DNS namespace.
However, for organizations that use multiple DNS namespaces,
your model must be able to expand outside the boundaries of a
single tree. This is where the forest comes in.
■ Forest
A forest is a group of one or more domain trees that do not form a
contiguous namespace but may share a common schema and
global catalog. There is always at least one forest on a network,
and it is created when the first Active Directory–enabled
computer (domain controller) on a network is installed.
This first domain in a forest, called the forest root domain, is
special because it holds the schema and controls domain naming
for the entire forest. It cannot be removed from the forest without
removing the entire forest itself. Also, no other domain can ever
be created above the forest root domain in the forest domain
hierarchy.
Figure 1-2 shows an example of a forest with two trees. Each tree
in the forest has its own namespace. In the figure, microsoft.com
is one tree and contoso.com is a second tree. Both are in a forest
named microsoft.com (after the first domain created).
A forest is the outermost boundary of Active Directory; the
directory cannot be larger than the forest. However, you can
create multiple forests and then create trust relationships
between specific domains in those forests; this would let you
grant access to resources and accounts that are outside of a
particular forest.

■ Organizational Units
Organizational Units (OUs) provide a way to create administrative
boundaries within a domain. Primarily, this allows you to delegate
administrative tasks within the domain. OUs serve as containers
into which the resources of a domain can be placed. You can then
assign administrative permissions on the OU itself. Typically, the
structure of OUs follows an organization’s business or functional
structure. For example, a relatively small organization with a
single domain might create separate OUs for departments within
the organization.
Q2. What does the physical structure of active directory
contain?
Physical structures include domain controllers and sites.
Q3. What is nesting?
The creation of an OU inside another OU. Important: once you go
beyond about 12 OUs deep in a nesting structure, you start
running into significant performance issues.
Q4. What is a trust relationship, and how many types of trust
relationship are there in Exchange 2003?
Since domains represent security boundaries, special
mechanisms called trust relationships allow objects in one domain
(called the trusted domain) to access resources in another
domain (called the trusting domain). Windows Server 2003
supports six types of trust relationships:
■ Parent and child trusts
■ Tree-root trusts
■ External trusts
■ Shortcut trusts
■ Realm trusts
■ Forest trusts

Q5. What is a site?
A Windows Server 2003 site is a group of domain controllers that
exist on one or more IP subnets (see Lesson 3 for more on this)
and are connected by a fast, reliable network connection. Fast
means connections of at least 1Mbps. In other words, a site
usually follows the boundaries of a local area network (LAN). If
different LANs on the network are connected by a wide area
network (WAN), you’ll likely create one site for each LAN.
Q6. What is the use of site?
Sites are primarily used to control replication traffic. Domain
controllers within a site are pretty much free to replicate changes
to the Active Directory database whenever changes are made.
Domain controllers in different sites compress the replication
traffic and operate based on a defined schedule, both of which
are intended to cut down on network traffic.
More specifically, sites are used to control the following:
■ Workstation logon traffic
■ Replication traffic
■ Distributed File System (DFS)
Distributed File System (DFS) is a server component that provides
a unified naming convention for folders and files stored on
different servers on a network. DFS lets you create a single logical
hierarchy for folders and files that is consistent on a network,
regardless of where on the network those items are actually
stored. Files represented in the DFS might be stored in multiple
locations on the network, so it makes sense that Active Directory
should be able to direct users to the closest physical location of
the data they need. To this end, DFS uses site information to
direct a client to the server that is hosting the requested data
within the site. If DFS does not find a copy of the data within the
same site as the client, DFS uses the site information in Active
Directory to determine which file server that has DFS shared data
is closest to the client.

■ File Replication Service (FRS)
Every domain controller has a built-in collection of folders named
SYSVOL (for System Volume). The SYSVOL folders provide a
default Active Directory location for files that must be replicated
throughout a domain. You can use SYSVOL to replicate Group
Policy Objects, startup and shutdown scripts, and logon and logoff
scripts. A Windows Server 2003 service named File Replication
Service (FRS) is responsible for replicating files in the SYSVOL
folders between domain controllers. FRS uses site boundaries to
govern the replication of items in the SYSVOL folders.
Q7. What are the objects a site contains?
Sites contain only two types of objects. The first type is the
domain controllers contained in the site. The second type of
object is the site links configured to connect the site to other
sites.
Q8.What is a Site link?
Within a site, replication happens automatically. For replication to
occur between sites, you must establish a link between the sites.
There are two components to this link: the actual physical
connection between the sites (usually a WAN link) and a site link
object. The site link object is created within Active Directory and
determines the protocol used for transferring replication traffic
(Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]).
The site link object also governs when replication is scheduled to
occur.
Q9. Explain Replication in Active directory?
Windows Server 2003 uses a replication model called multimaster
replication, in which all replicas of the Active Directory database
are considered equal masters. You can make changes to the
database on any domain controller and the changes will be
replicated to other domain controllers in the domain. Domain
controllers in the same site replicate on the basis of notification.
When changes are made on a domain controller, it notifies its
replication partners (the other domain controllers in the site); the
partners then request the changes and replication occurs.
Because of the high-speed, low-cost connections assumed within
a site, replication occurs as needed rather than according to a
schedule. You should create additional sites when you need to
control how replication traffic occurs over slower WAN links. For
example, suppose you have a number of domain controllers on
your main LAN and a few domain controllers on a LAN at a branch
location. Those two LANs are connected to one another with a
slow (256K) WAN link. You would want replication traffic to occur
as needed between the domain controllers on each LAN, but you
would want to control traffic across the WAN link to prevent it
from affecting higher priority network traffic. To address this
situation, you would set up two sites— one site that contained all
the domain controllers on the main LAN and one site that
contained all the domain controllers on the remote LAN.
Q10. What are the different types of replication?
Replication within a single site (called intrasite replication)
Replication between sites (called intersite replication)
■ Intrasite Replication
Intrasite replication sends replication traffic in an uncompressed
format. This is because of the assumption that all domain
controllers within the site are connected by high-bandwidth links.
Not only is the traffic uncompressed, but replication occurs
according to a change notification mechanism. This means that if
changes are made in the domain, those changes are quickly
replicated to the other domain controllers.
■ Intersite Replication
Intersite replication sends all data compressed. This shows an
appreciation for the fact that the traffic will probably be going
across slower WAN links (as opposed to the LAN connectivity
intrasite replication assumes), but it increases the server load
because compression/decompression is added to the processing
requirements. In addition to the compression, the replication can
be scheduled for times that are more appropriate to your
organization. For example, you may decide to allow replication
only during slower times of the day. Of course, this delay in
replication (based on the schedule) can cause inconsistency
between servers in different sites.

Q11. What is LDAP?
LDAP, Lightweight Directory Access Protocol, is an Internet
protocol that email and other programs use to look up information
from a server. An LDAP-aware directory service (such as Active
Directory) indexes all the attributes of all the objects stored in the
directory and publishes them. LDAP-aware clients can query the
server in a wide variety of ways.
Q12. What types of naming convention does Active Directory
use?
Active Directory supports several types of names for the different
formats that can access Active Directory. These names include:
■ Relative Distinguished Names
The relative distinguished name
(RDN) of an object identifies an object uniquely, but only within its
parent container. Thus the name uniquely identifies the object
relative to the other objects within the same container. In the
example CN=wjglenn,CN=Users,DC=contoso,DC=com, the
relative distinguished name of the object is CN=wjglenn. The
relative distinguished name of the parent organizational unit is
Users. For most objects, the relative distinguished name of an
object is the same as that object’s Common Name attribute.
Active Directory creates the relative distinguished name
automatically, based on information provided when the object is
created. Active Directory does not allow two objects with the
same relative distinguished name to exist in the same parent
container. The notations used in the relative distinguished name
(and in the distinguished name discussed in the next section) use
special notations called LDAP attribute tags to identify each part
of the name. The three attribute tags used include:
■ DC
The Domain Component (DC) tag identifies part of the DNS name
of the domain, such as COM or ORG.
■ OU
The Organizational Unit (OU) tag identifies an organizational unit
container.
■ CN
The Common Name (CN) tag identifies the common name
configured for an Active Directory object.
■ Distinguished Names
Each object in the directory has a distinguished name (DN) that is
globally unique and identifies not only the object itself, but also
where the object resides in the overall object hierarchy. You can
think of the distinguished name as the relative distinguished
name of an object concatenated with the relative distinguished
names of all parent containers that make up the path to the
object. An example of a typical distinguished name would
be CN=wjglenn,CN=Users,DC=contoso,DC=com. This
distinguished name would indicate that the user object wjglenn is
in the Users container, which in turn is located in the contoso.com
domain. If the wjglenn object is moved to another container, its
DN will change to reflect its new position in the hierarchy.
Distinguished names are guaranteed to be unique in the forest,
similar to the way that a fully qualified domain name uniquely
identifies an object’s placement in a DNS hierarchy. You cannot
have two objects with the same distinguished name.
■ User Principal Names
The user principal name that is generated for each object is in the
form username@domain_name. Users can log on with their user
principal name, and an administrator can define suffixes for user
principal names if desired. User principal names should be
unique, but Active Directory does not enforce this requirement.
It’s best, however, to formulate a naming convention that avoids
duplicate user principal names.
■ Canonical Names
An object’s canonical name is used in much the same way as the
distinguished name— it just uses a different syntax. The same
distinguished name presented in the preceding section would
have the canonical name contoso.com/Users/wjglenn. As you can
see, there are two primary differences in the syntax of
distinguished names and canonical names. The first difference is
that the canonical name presents the root of the path first and
works downward toward the object name. The second difference
is that the canonical name does not use the LDAP attribute tags
(e.g., CN and DC).
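The naming forms covered in Q12 (relative distinguished name, distinguished name and canonical name), worked through as an added example that is not code from the original text. It parses the document's own CN=wjglenn,CN=Users,DC=contoso,DC=com name; the escaped-comma name used to show RFC 4514 escaping is a constructed assumption.

```python
"""Added example: converting between the Active Directory naming forms.
Not code from the original document; the escaped-comma name is constructed."""
from typing import Dict, List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (tag, value) pairs, leaf first, honouring backslash
    escapes (RFC 4514) so a comma inside a value does not split the RDN."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch           # keep the escaped character literally
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    pairs = []
    for part in parts:
        tag, sep, value = part.partition("=")
        if not sep or not tag.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((tag.strip().upper(), value.strip()))
    return pairs


def escape_value(value: str) -> str:
    """Re-escape the characters that would otherwise break a DN apart."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def join_dn(pairs: List[Tuple[str, str]]) -> str:
    return ",".join(f"{tag}={escape_value(value)}" for tag, value in pairs)


def rdn(dn: str) -> str:
    """Relative distinguished name: the leaf component only."""
    tag, value = split_dn(dn)[0]
    return f"{tag}={escape_value(value)}"


def parent_dn(dn: str) -> str:
    """DN of the container the object lives in."""
    return join_dn(split_dn(dn)[1:])


def to_canonical(dn: str) -> str:
    """Canonical form: DNS domain first, then containers root-down, no tags."""
    pairs = split_dn(dn)
    domain = ".".join(value for tag, value in pairs if tag == "DC")
    path = [value for tag, value in pairs if tag != "DC"]
    return "/".join([domain] + list(reversed(path)))


def move(dn: str, new_parent: str) -> str:
    """Moving an object keeps its RDN but its DN now ends in the new container."""
    return f"{rdn(dn)},{new_parent}"


def find_rdn_collisions(dns: List[str]) -> List[Tuple[str, str]]:
    """Two objects with the same RDN under the same parent are not allowed;
    return the (parent, rdn) keys that occur more than once, case-insensitively."""
    seen: Dict[Tuple[str, str], int] = {}
    for dn in dns:
        key = (parent_dn(dn).lower(), rdn(dn).lower())
        seen[key] = seen.get(key, 0) + 1
    return [key for key, count in seen.items() if count > 1]
```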
Q13. What is multimaster replication?
Active Directory uses multimaster replication, in which every
replica of an Active Directory partition held on every domain
controller is considered an equal master. Updates can be made to
objects on any domain controller, and those updates are then
replicated to other domain controllers.
Q14.Which two operations master roles should be
available when new security principals are being created
and named?
Domain naming master and the relative ID master
Q15. What are different types of groups?
■ Security groups
Security groups are used to group domain users into a single
administrative unit. Security groups can be assigned permissions
and can also be used as e-mail distribution lists. Users placed into
a group inherit the permissions assigned to the group for as long
as they remain members of that group. Windows itself uses only
security groups.
■ Distribution groups
These are used for nonsecurity purposes by applications other
than Windows. One of the primary uses is within an e-mail
As with user accounts, there are both local and domain-level groups.
Local groups are stored in a local computer’s security database
and are intended to control resource access on that computer.
Domain groups are stored in Active Directory and let you gather
users and control resource access in a domain and on domain
controllers.
Q16. What is a group scope and what are the different types of
group scopes?
Group scopes determine where in the Active Directory forest a
group is accessible and what objects can be placed into the
group. Windows Server 2003 includes three group scopes: global,
domain local, and universal.

■ Global groups
Global groups are used to gather users that have similar
permissions requirements. Global groups have the following
characteristics:
1. Global groups can contain user and computer accounts only from
the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native
or Windows Server 2003 (i.e., the domain contains only Windows
2000 or 2003 servers), global groups can also contain other global
groups from the local domain.
3. Global groups can be assigned permissions or be added to local
groups in any domain in a forest.
■ Domain local groups
Domain local groups exist on domain controllers and are used to
control access to resources located on domain controllers in the
local domain (for member servers and workstations, you use local
groups on those systems instead). Domain local groups share the
following characteristics:
1. Domain local groups can contain users and global groups from
any domain in a forest no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native
or Windows Server 2003, domain local groups can also contain
other domain local groups and universal groups.
■ Universal groups
Universal groups are normally used to assign permissions to
related resources in multiple domains. Universal groups share the
following characteristics:
1. Universal groups are available only when the forest functional
level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular
domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related
resources in multiple domains.
4. Universal groups can contain users, global groups, and other
universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any
resource in any domain.
Q17. What are the items that groups of different scopes
can contain in mixed and native mode domains?
Q18. What is group nesting?
Placing of one group in another is called as group nestingFor
example, suppose you had juniorlevel administrators in four
different geographic locations, as shown in Figure 4-10. You could
create a separate group for each location (named something like
Dallas JuniorAdmins). Then, you could create a single group
named Junior Admins and make each of the location-based groups
a member of the main group. This approach would allow you to
set permissions on a single group and have those permissions
flow down to the members, yet still be able to subdivide the junior
administrators by location.
Q19. How many characters does a group name contain?
Ans) 64

Q1. What does the logical component of the Active Directory structure include?
■ Objects: Resources are stored in the Active Directory as objects.
Subcategory: object class
An object is really just a collection of attributes. A user object, for
example, is made up of attributes such as name, password, phone
number, group membership, and so on. The attributes that make
up an object are defined by an object class. The user class, for
example, specifies the attributes that make up the user object.
The Active Directory Schema:
The classes and the attributes that they define are collectively
referred to as the Active Directory Schema—in database terms, a
schema is the structure of the tables and fields and how they are
related to one another. You can think of the Active Directory
Schema as a collection of data (object classes) that defines how
the real data of the directory (the attributes of an object) is
organized and stored.
■ Domains
The basic organizational structure of the Windows Server 2003
networking model is the domain. A domain represents an
administrative boundary. The computers, users, and other objects
within a domain share a common security database.
■ Trees
Multiple domains are organized into a hierarchical structure called
a tree. Actually, even if you have only one domain in your
organization, you still have a tree. The first domain you create in
a tree is called the root domain. The next domain that you add
becomes a child domain of that root. This expandability of
domains makes it possible to have many domains in a tree. Figure
1-1 shows an example of a tree. Microsoft.com was the first
domain created in Active Directory in this example and is
therefore the root domain.
Figure 1-1 A tree is a hierarchical organization of multiple domains.
All domains in a tree share a common schema and a
contiguous namespace. In the example shown in Figure 1-1, all of
the domains in the tree under the microsoft.com root domain
share the namespace microsoft.com. Using a single tree is fine if
your organization is confined within a single DNS namespace.
However, for organizations that use multiple DNS namespaces,
your model must be able to expand outside the boundaries of a
single tree. This is where the forest comes in.
■ Forest
A forest is a group of one or more domain trees that do not form a
contiguous namespace but may share a common schema and
global catalog. There is always at least one forest on a network,
and it is created when the first Active Directory–enabled
computer (domain controller) on a network is installed.
This first domain in a forest, called the forest root domain, is
special because it holds the schema and controls domain naming
for the entire forest. It cannot be removed from the forest without
removing the entire forest itself. Also, no other domain can ever
be created above the forest root domain in the forest domain
hierarchy.
Figure 1-2 shows an example of a forest with two trees. Each tree
in the forest has its own namespace. In the figure, microsoft.com
is one tree and contoso.com is a second tree. Both are in a forest
named microsoft.com (after the first domain created).
A forest is the outermost boundary of Active Directory; the
directory cannot be larger than the forest. However, you can
create multiple forests and then create trust relationships
between specific domains in those forests; this would let you
grant access to resources and accounts that are outside of a
particular forest.

■ Organizational Units
Organizational Units (OUs) provide a way to create administrative
boundaries within a domain. Primarily, this allows you to delegate
administrative tasks within the domain. OUs serve as containers
into which the resources of a domain can be placed. You can then
assign administrative permissions on the OU itself. Typically, the
structure of OUs follows an organization’s business or functional
structure. For example, a relatively small organization with a
single domain might create separate OUs for departments within
the organization.
Q2. What does the physical structure of active directory
contain?
Physical structures include domain controllers and sites.
Q3. What is nesting?
The creation of an OU inside another OU. IMP: once you go beyond
about 12 OUs deep in a nesting structure, you start running into
significant performance issues.
Q4. What is a trust relationship and how many types of trust
relationship are there in Windows Server 2003?
Since domains represent security boundaries, special
mechanisms called trust relationships allow objects in one domain
(called the trusted domain) to access resources in another
domain (called the trusting domain). Windows Server 2003
supports six types of trust relationships:
■ Parent and child trusts
■ Tree-root trusts
■ External trusts
■ Shortcut trusts
■ Realm trusts
■ Forest trusts

Q5. What is a site?
A Windows Server 2003 site is a group of domain controllers that
exist on one or more IP subnets (see Lesson 3 for more on this)
and are connected by a fast, reliable network connection. Fast
means connections of at least 1Mbps. In other words, a site
usually follows the boundaries of a local area network (LAN). If
different LANs on the network are connected by a wide area
network (WAN), you’ll likely create one site for each LAN.
Q6. What is the use of site?
Sites are primarily used to control replication traffic. Domain
controllers within a site are pretty much free to replicate changes
to the Active Directory database whenever changes are made.
Domain controllers in different sites compress the replication
traffic and operate based on a defined schedule, both of which
are intended to cut down on network traffic.
More specifically, sites are used to control the following:
■ Workstation logon traffic
■ Replication traffic
■ Distributed File System (DFS)
Distributed File System (DFS) is a server component that provides
a unified naming convention for folders and files stored on
different servers on a network. DFS lets you create a single logical
hierarchy for folders and files that is consistent on a network,
regardless of where on the network those items are actually
stored. Files represented in the DFS might be stored in multiple
locations on the network, so it makes sense that Active Directory
should be able to direct users to the closest physical location of
the data they need. To this end, DFS uses site information to
direct a client to the server that is hosting the requested data
within the site. If DFS does not find a copy of the data within the
same site as the client, DFS uses the site information in Active
Directory to determine which file server that has DFS shared data
is closest to the client.
■ File Replication Service (FRS)
Every domain controller has a built-in collection of folders named
SYSVOL (for System Volume). The SYSVOL folders provide a
default Active Directory location for files that must be replicated
throughout a domain. You can use SYSVOL to replicate Group
Policy Objects, startup and shutdown scripts, and logon and logoff
scripts. A Windows Server 2003 service named File Replication
Service (FRS) is responsible for replicating files in the SYSVOL
folders between domain controllers. FRS uses site boundaries to
govern the replication of items in the SYSVOL folders.
Q7. What are the objects a site contains?
Sites contain only two types of objects. The first type is the
domain controllers contained in the site. The second type of
object is the site links configured to connect the site to other
sites.
Q8.What is a Site link?
Within a site, replication happens automatically. For replication to
occur between sites, you must establish a link between the sites.
There are two components to this link: the actual physical
connection between the sites (usually a WAN link) and a site link
object. The site link object is created within Active Directory and
determines the protocol used for transferring replication traffic
(Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]).
The site link object also governs when replication is scheduled to
occur.
Q9. Explain Replication in Active directory?
Windows Server 2003 uses a replication model called multimaster
replication, in which all replicas of the Active Directory database
are considered equal masters. You can make changes to the
database on any domain controller and the changes will be
replicated to other domain controllers in the domain. Domain
controllers in the same site replicate on the basis of notification.
When changes are made on a domain controller, it notifies its
replication partners (the other domain controllers in the site); the
partners then request the changes and replication occurs.
Because of the high-speed, low-cost connections assumed within
a site, replication occurs as needed rather than according to a
schedule. You should create additional sites when you need to
control how replication traffic occurs over slower WAN links. For
example, suppose you have a number of domain controllers on
your main LAN and a few domain controllers on a LAN at a branch
location. Those two LANs are connected to one another with a
slow (256K) WAN link. You would want replication traffic to occur
as needed between the domain controllers on each LAN, but you
would want to control traffic across the WAN link to prevent it
from affecting higher priority network traffic. To address this
situation, you would set up two sites: one site that contained all
the domain controllers on the main LAN and one site that
contained all the domain controllers on the remote LAN.
Q10. What are the different types of replication?
■ Replication within a single site (called intrasite replication)
■ Replication between sites (called intersite replication)
■ Intrasite Replication
Intrasite replication sends replication traffic in an uncompressed
format. This is because of the assumption that all domain
controllers within the site are connected by high-bandwidth links.
Not only is the traffic uncompressed, but replication occurs
according to a change notification mechanism. This means that if
changes are made in the domain, those changes are quickly
replicated to the other domain controllers.
■ Intersite Replication
Intersite replication sends all data compressed. This shows an
appreciation for the fact that the traffic will probably be going
across slower WAN links (as opposed to the LAN connectivity
intrasite replication assumes), but it increases the server load
because compression/decompression is added to the processing
requirements. In addition to the compression, the replication can
be scheduled for times that are more appropriate to your
organization. For example, you may decide to allow replication
only during slower times of the day. Of course, this delay in
replication (based on the schedule) can cause inconsistency
between servers in different sites.

Q11. What is LDAP?
LDAP, Lightweight Directory Access Protocol, is an Internet
protocol that email and other programs use to look up information
from a server. An LDAP-aware directory service (such as Active
Directory) indexes all the attributes of all the objects stored in the
directory and publishes them. LDAP-aware clients can query the
server in a wide variety of ways.
Q12. What types of naming conventions does Active Directory use?
Active Directory supports several types of names for the different
formats that can access Active Directory. These names include:
■ Relative Distinguished Names
The relative distinguished name
(RDN) of an object identifies an object uniquely, but only within its
parent container. Thus the name uniquely identifies the object
relative to the other objects within the same container. In the
example CN=wjglenn,CN=Users,DC=contoso,DC=com, the
relative distinguished name of the object is CN=wjglenn. The
relative distinguished name of the parent organizational unit is
Users. For most objects, the relative distinguished name of an
object is the same as that object’s Common Name attribute.
Active Directory creates the relative distinguished name
automatically, based on information provided when the object is
created. Active Directory does not allow two objects with the
same relative distinguished name to exist in the same parent
container. The notations used in the relative distinguished name
(and in the distinguished name discussed in the next section) use
special notations called LDAP attribute tags to identify each part
of the name. The three attribute tags used include:
■ DC
The Domain Component (DC) tag identifies part of the DNS name
of the domain, such as COM or ORG.
■ OU
The Organizational Unit (OU) tag identifies an organizational unit
container.
■ CN
The Common Name (CN) tag identifies the common name
configured for an Active Directory object.
■ Distinguished Names
Each object in the directory has a distinguished name (DN) that is
globally unique and identifies not only the object itself, but also
where the object resides in the overall object hierarchy. You can
think of the distinguished name as the relative distinguished
name of an object concatenated with the relative distinguished
names of all parent containers that make up the path to the
object. An example of a typical distinguished name would be:
CN=wjglenn,CN=Users,DC=contoso,DC=com
This
distinguished name would indicate that the user object wjglenn is
in the Users container, which in turn is located in the contoso.com
domain. If the wjglenn object is moved to another container, its
DN will change to reflect its new position in the hierarchy.
Distinguished names are guaranteed to be unique in the forest,
similar to the way that a fully qualified domain name uniquely
identifies an object’s placement in a DNS hierarchy. You cannot
have two objects with the same distinguished name.
■ User Principal Names
The user principal name that is generated for each object is in the
form username@ domain_name. Users can log on with their user
principal name, and an administrator can define suffixes for user
principal names if desired. User principal names should be
unique, but Active Directory does not enforce this requirement.
It’s best, however, to formulate a naming convention that avoids
duplicate user principal names.
■ Canonical Names
An object’s canonical name is used in much the same way as the
distinguished name; it just uses a different syntax. The same
distinguished name presented in the preceding section would
have the canonical name: contoso.com/Users/wjglenn. As you can
see, there are two primary differences in the syntax of
distinguished names and canonical names. The first difference is
that the canonical name presents the root of the path first and
works downward toward the object name. The second difference
is that the canonical name does not use the LDAP attribute tags
(e.g., CN and DC).
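The name forms above derived from one another in code (an added example, not from the original notes): split a DN into its RDNs, take the parent container, and build the canonical name. The DNs other than CN=wjglenn,CN=Users,DC=contoso,DC=com are constructed, and the escaped-comma handling follows RFC 4514.

```python
# Distinguished, relative distinguished and canonical names, derived from
# one another. Added example, not from the original notes; DNs other than
# CN=wjglenn,CN=Users,DC=contoso,DC=com are constructed.
import re

# One RDN: TAG=value, where a comma inside the value must be escaped as
# "\," (RFC 4514). The alternation tries the escape first, so "\," is
# consumed as part of the value instead of ending it.
_RDN_RE = re.compile(r"(?P<tag>[A-Za-z]+)=(?P<value>(?:\\.|[^,])+)")


def split_dn(dn):
    """Split a DN into (TAG, value) pairs, most specific RDN first."""
    parts, pos = [], 0
    while True:
        match = _RDN_RE.match(dn, pos)
        if not match:
            raise ValueError("malformed DN at offset %d: %r" % (pos, dn))
        value = match.group("value").replace("\\,", ",")
        parts.append((match.group("tag").upper(), value))
        pos = match.end()
        if pos == len(dn):
            return parts
        if dn[pos] != ",":
            raise ValueError("expected ',' at offset %d: %r" % (pos, dn))
        pos += 1


def join_dn(parts):
    """Inverse of split_dn: re-escape commas and join the RDNs."""
    return ",".join("%s=%s" % (tag, value.replace(",", "\\,"))
                    for tag, value in parts)


def rdn(dn):
    """The object's own name, unique only within its parent container."""
    return join_dn(split_dn(dn)[:1])


def parent_dn(dn):
    """The container the object lives in: everything after the first RDN."""
    return join_dn(split_dn(dn)[1:])


def domain_of(dn):
    """DNS name of the domain, from the DC components in order."""
    return ".".join(value for tag, value in split_dn(dn) if tag == "DC")


def canonical_name(dn):
    """Same path as the DN, but root first and without the attribute tags,
    so CN=Users and OU=Users both canonicalise to .../Users (the second
    difference the text describes). Assumes the DC components are the
    trailing part of the DN, as in the text's example."""
    parts = split_dn(dn)
    domain = domain_of(dn)
    if not domain:
        raise ValueError("no DC components in %r" % dn)
    path = [value for tag, value in parts if tag != "DC"]
    return "/".join([domain] + path[::-1])


def duplicate_rdns(dns):
    """DNs whose RDN collides with an earlier object in the same parent
    container; Active Directory refuses to create the second one.
    Matching is case-insensitive, as AD treats these names."""
    seen, dupes = set(), []
    for dn in dns:
        key = (parent_dn(dn).lower(), rdn(dn).lower())
        if key in seen:
            dupes.append(dn)
        seen.add(key)
    return dupes
```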
Q13. What is multimaster replication?
Active Directory uses multimaster replication, in which every
replica of an Active Directory partition held on every domain
controller is considered an equal master. Updates can be made to
objects on any domain controller, and those updates are then
replicated to other domain controllers.
Q14.Which two operations master roles should be
available when new security principals are being created
and named?
Domain naming master and the relative ID master
Q15. What are different types of groups?
■ Security groups
Security groups are used to group domain users into a single
administrative unit. Security groups can be assigned permissions
and can also be used as e-mail distribution lists. Users placed into
a group inherit the permissions assigned to the group for as long
as they remain members of that group. Windows itself uses only
security groups.
■ Distribution groups
These are used for nonsecurity purposes by applications other
than Windows. One of the primary uses is within an e-mail
As with user accounts, there are both local and domain-level groups.
Local groups are stored in a local computer’s security database
and are intended to control resource access on that computer.
Domain groups are stored in Active Directory and let you gather
users and control resource access in a domain and on domain
controllers.
Q16. What is a group scope and what are the different types of
group scopes?
Group scopes determine where in the Active Directory forest a
group is accessible and what objects can be placed into the
group. Windows Server 2003 includes three group scopes: global,
domain local, and universal.
■ Global groups
Global groups are used to gather users that have similar
permissions requirements. Global groups have the following
characteristics:
1. Global groups can contain user and computer accounts only from
the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native
or Windows Server 2003 (i.e., the domain contains only Windows
2000 or 2003 servers), global groups can also contain other global
groups from the local domain.
3. Global groups can be assigned permissions or be added to local
groups in any domain in a forest.
■ Domain local groups
Domain local groups exist on domain controllers and are used to
control access to resources located on domain controllers in the
local domain (for member servers and workstations, you use local
groups on those systems instead). Domain local groups share the
following characteristics:
1. Domain local groups can contain users and global groups from
any domain in a forest no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native
or Windows Server 2003, domain local groups can also contain
other domain local groups and universal groups.
■ Universal groups
Universal groups are normally used to assign permissions to related resources in
multiple domains. Universal groups share the following
characteristics:
1. Universal groups are available only when the forest functional
level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular
domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related
resources in multiple domains.
4. Universal groups can contain users, global groups, and other
universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any
resource in any domain.
Q17. What are the items that groups of different scopes
can contain in mixed and native mode domains?
Q18. What is group nesting?
Placing one group in another is called group nesting. For
example, suppose you had junior-level administrators in four
different geographic locations, as shown in Figure 4-10. You could
create a separate group for each location (named something like
Dallas JuniorAdmins). Then, you could create a single group
named Junior Admins and make each of the location-based groups
a member of the main group. This approach would allow you to
set permissions on a single group and have those permissions
flow down to the members, yet still be able to subdivide the junior
administrators by location.
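The scope rules from Q16 and the Junior Admins nesting from Q18 worked as a checker (an added example, not from the original notes): it validates each group-to-member edge against the stated rules at a given functional level, applies the 64-character name limit from Q19, and flattens nested membership so you can see which accounts a permission on the parent group reaches. The users, the fabrikam.com domain and the memberships are constructed; computer accounts are treated like user accounts, one level value stands in for both the domain and the forest functional level, and nested domain local groups are assumed to come from the same domain.

```python
# Group-scope nesting checks built from the rules the notes state.
# Added example, not from the original notes; the users, the fabrikam.com
# domain and the memberships below are constructed.
from collections import namedtuple

# Functional levels the text calls "native"; anything else counts as mixed.
NATIVE_LEVELS = {"Windows 2000 native", "Windows Server 2003"}

# kind is "user", "computer" or "group"; scope and members apply to groups.
Obj = namedtuple("Obj", "name domain kind scope members", defaults=(None, ()))


def can_contain(group, member, level):
    """Whether `member` may be placed in `group` at functional level `level`,
    per the scope rules in the text. One level value stands in for both the
    domain and the forest functional level (an assumption)."""
    native = level in NATIVE_LEVELS
    same = member.domain == group.domain
    kind = member.scope if member.kind == "group" else member.kind
    if group.scope == "universal" and not native:
        return False                  # universal groups need a native level
    rules = {
        # accounts from the group's own domain only; other global groups
        # from the same domain only at a native level
        "global": {"user": same, "computer": same, "global": same and native},
        # accounts and global groups from any domain; nested domain local
        # groups (same domain, an assumption) and universals only when native
        "domain local": {"user": True, "computer": True, "global": True,
                         "domain local": same and native, "universal": native},
        # accounts, global and universal groups from any domain in the forest
        "universal": {"user": True, "computer": True, "global": True,
                      "universal": True},
    }
    return bool(rules[group.scope].get(kind, False))


def check_nesting(objects, level):
    """Violations for every group-to-member edge, plus over-long names."""
    by_name = {o.name: o for o in objects}
    problems = []
    for g in objects:
        if g.kind != "group":
            continue
        if len(g.name) > 64:          # the 64-character limit from Q19
            problems.append("group name %r exceeds 64 characters" % g.name)
        for member_name in g.members:
            m = by_name[member_name]
            if not can_contain(g, m, level):
                what = m.scope if m.kind == "group" else m.kind
                problems.append("%s group %r cannot contain %s %r at level %r"
                                % (g.scope, g.name, what, m.name, level))
    return problems


def effective_members(name, objects):
    """Flatten nested membership (what 'permissions flow down' means) and
    return the set of account names. A membership loop is visited once."""
    by_name = {o.name: o for o in objects}
    seen, accounts = set(), set()

    def walk(n):
        if n in seen:
            return
        seen.add(n)
        obj = by_name[n]
        if obj.kind == "group":
            for m in obj.members:
                walk(m)
        else:
            accounts.add(n)

    walk(name)
    return accounts


# Constructed forest: the Q18 layout plus a second domain to exercise the
# cross-domain rules.
FOREST = [
    Obj("alice", "contoso.com", "user"),
    Obj("bob", "contoso.com", "user"),
    Obj("carol", "fabrikam.com", "user"),
    Obj("Dallas JuniorAdmins", "contoso.com", "group", "global", ("alice",)),
    Obj("Austin JuniorAdmins", "contoso.com", "group", "global", ("bob",)),
    Obj("Junior Admins", "contoso.com", "group", "global",
        ("Dallas JuniorAdmins", "Austin JuniorAdmins")),
    Obj("Fabrikam Admins", "fabrikam.com", "group", "global", ("carol",)),
    Obj("FileServer Operators", "contoso.com", "group", "domain local",
        ("Junior Admins", "Fabrikam Admins")),
    Obj("All Admins", "contoso.com", "group", "universal",
        ("Junior Admins", "Fabrikam Admins")),
]
```

At a mixed level the Junior Admins nesting and the universal group are both rejected; at Windows Server 2003 the same forest passes cleanly.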
Q19. How many characters does a group name contain?
64
Q20. Is a site part of the Active Directory namespace?
No. When a user browses the logical namespace, computers and
users are grouped into domains and OUs without reference to
sites. However, site names are used in the Domain Name System
(DNS) records, so sites must be given valid DNS names.
Q21. What is DFS?
The Distributed File System is used to build a hierarchical view of
multiple file servers and shares on the network. Instead of having
to think of a specific machine name for each set of files, the user
will only have to remember one name, which will be the 'key' to a
list of shares found on multiple servers on the network. Think of it
as the home of all file shares with links that point to one or more
servers that actually host those shares. DFS has the capability of
routing a client to the closest available file server by using Active
Directory site metrics. It can also be installed on a cluster for even
better performance and reliability.
Understanding the DFS Terminology
It is important to understand the new concepts that are part of
DFS. Below is a definition of each of them.
Dfs root:
You can think of this as a share that is visible on the network, and
in this share you can have additional files and folders.
Dfs link:
A link is another share somewhere on the network that goes
under the root. When a user opens this link they will be redirected
to a shared folder.
Dfs target (or replica):
This can be referred to as either a root or a link. If you have two
identical shares, normally stored on different servers, you can
group them together as Dfs Targets under the same link.
Windows 2003 offers a revamped version of the Distributed File
System found in Windows 2000, improved for better performance,
additional fault tolerance, load balancing and reduced use of
network bandwidth. It also comes with a powerful set of
command-line scripting tools that make administrative backup and
restoration of DFS namespaces easier. Client Windows operating
systems include a DFS client that provides additional features as
well as caching.
Q22. What are the types of replication in DFS?
There are two types of replication:
■ Automatic, which is only available for domain DFS.
■ Manual, which is available for stand-alone DFS and requires all
files to be replicated manually.
Q23. Which service is responsible for replicating files in
SYSVOL folder?
File Replication Service (FRS)
Q24. What can a site topology owner do?
The site topology owner is the name given to the administrator
(or administrators) who oversee the site topology. The owner is
responsible for making any necessary changes to the site as the
physical network grows and changes. The site topology owner’s
responsibilities include:
■ Making changes to the site topology based on changes to the
physical network topology.
■ Tracking subnetting information for the network. This includes
IP addresses, subnet masks, and the locations of the subnets.
■ Monitoring network connectivity and setting the costs for links
between sites.
Q1. What is DNS?
DNS provides name registration and name-to-address resolution
capabilities, and it drastically lowers the need to remember
numeric IP addresses when accessing hosts on the Internet or any
other TCP/IP-based network. Before DNS, the practice of mapping
friendly host or computer names to IP addresses was handled via
host files. Host files are easy to understand: they are static ASCII
text files that simply map a host name to an IP address in a
table-like format. Windows ships with a HOSTS file in the
\winnt\system32\drivers\etc subdirectory. The fundamental
problem with host files was that they were labor intensive. A host
file is modified manually, and it is typically centrally
administered. The DNS system consists of three components: DNS
data (called resource records), servers (called name servers), and
Internet protocols for fetching data from the servers.
Q2. Which are the four generally accepted naming conventions?
■ NetBIOS name (for instance, SPRINGERS01)
■ TCP/IP address (121.133.2.44)
■ Host name (Abbey)
■ Media Access Control (MAC) address: the network adapter
hardware address
Q3. How does DNS really work?
DNS uses a client/server model in which the DNS server maintains
a static database of domain names mapped to IP addresses. The
DNS client, known as the resolver, performs queries against the
DNS servers. The bottom line? DNS resolves domain names to IP
addresses using these steps:
Step 1. A client (or “resolver”) passes its request to its local
name server. For example, the URL term www.idgbooks.com
typed into Internet Explorer is passed to the DNS server identified
in the client TCP/IP configuration. This DNS server is known as the
local name server.
Step 2. If, as often happens, the local name server is unable to
resolve the request, other name servers are queried so that the
resolver may be satisfied.
Step 3. If all else fails, the request is passed to more and more
higher-level name servers until the query resolution process
starts with the far-right term (for instance, com) or at the top of
the DNS tree with the root name servers.
Q4. Which are the major records in DNS?
1. Host or Address Records (A)
A records map the name of a machine to its numeric IP address. In
clearer terms, this record states the hostname and IP address of a
certain machine. A records have three fields: Host Name, Domain,
Host IP Address. For example:
eric.foobarbaz.com. IN A 36.36.1.6
It is possible to map more than one IP address to a given
hostname. This often happens for people who run a firewall and
have two Ethernet cards in one machine. All you must do is add
a second A record, with every column the same save for the IP
address.
2. Aliases or Canonical Name Records (CNAME)
“CNAME” records simply allow a machine to be known by more
than one hostname. There must always be an A record for the
machine before aliases can be added. The host name of a
machine that is stated in an A record is called the canonical, or
official name of the machine. Other records should point to the
canonical name. Here is an example of a CNAME:
www.foobarbaz.com. IN CNAME eric.foobarbaz.com.
You can see the similarities to the previous record. Records always
read from left to right, with the subject to be queried about on the
left and the answer to the query on the right. A machine can have
an unlimited number of CNAME aliases. A new record must be
entered for each alias. You can add A or CNAME records for the
service name pointing to the machines you want to load balance.
3. Mail Exchange Records (MX)
“MX” records are far more important than they sound. They allow
all mail for a domain to be routed to one host. This is exceedingly
useful – it abates the load on your internal hosts since they do not
have to route incoming mail, and it allows your mail to be sent to
any address in your domain even if that particular address does
not have a computer associated with it. For example, we have a
mail server running on the fictitious machine eric.foobarbaz.com.
For convenience's sake, however, we want our email address to be
“user@foobarbaz.com” rather than “user@eric.foobarbaz.com”.
This is accomplished by the record shown below:
foobarbaz.com. IN MX 10 eric.foobarbaz.com.
The column on the far left signifies the address that you want to
use as an Internet email address. The next two entries have been
explained thoroughly in previous records. The next column, the
number “10”, is different from the normal DNS record format. It is
a signifier of priority. Often larger systems will have backup mail
servers, perhaps more than one. Obviously, you will only want the
backups receiving mail if something goes wrong with the primary
mail server. You can indicate this with your MX records. A lower
number in an MX record means a higher priority, and mail will be
sent to the server with the lowest number (the lowest possible
being 0). If something happens so that this server becomes
unreachable, the computer delivering the mail will attempt every
other server listed in the DNS tables, in order of priority.
Obviously, you can have as many MX records as you would like. It
is also a good idea to include an MX record even if you are having
mail sent directly to a machine with an A record. Some sendmail
programs only look for MX records.
It is also possible to include wildcards in MX records. If you have a
domain where your users each have their own machine running
mail clients on them, mail could be sent directly to each machine.
Rather than clutter your DNS entry, you can add an MX record like
this one:
*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.
This would make any mail sent to any individual workstation in the
foobarbaz.com domain go through the server eric.foobarbaz.com.
One should use caution with wildcards; specific records will be
given precedence over ones containing wildcards.
4. Pointer Records (PTR)
Although there are different ways to set up PTR records, we will
be explaining only the most frequently used method, called “in-addr.arpa”.
In-addr.arpa PTR records are the exact inverse of A
records. They allow your machine to be recognized by its IP
address. Resolving a machine in this fashion is called a “reverse
lookup”. It is becoming more and more common that a machine
will do a reverse lookup on your machine before allowing you to
access a service (such as a World Wide Web page). Reverse
lookups are a good security measure, verifying that your machine
is exactly who it claims to be. In-addr.arpa records look like this:
6.1.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.
As you can see from the example A record at the beginning of this
document, the record simply has the IP address in reverse, with
the host name in the last column. A note for those who run their own
name servers: although Allegiance Internet is capable of pulling
zones from your name server, we cannot pull the inverse zones
(these in-addr.arpa records) unless you have been assigned a full
class C network. If you would like us to put PTR records in our
name servers for you, you will have to fill out the online web form
on the support.allegianceinternet.com page.
5. Name Server Records (NS)
NS records are imperative to functioning DNS entries. They are
very simple; they merely state the authoritative name servers for
the given domain. There must be at least two NS records in every
DNS entry. NS records look like this:
foobarbaz.com. IN NS draven.foobarbaz.com.
There also must be an A record in your DNS for each machine you
enter as a name server in your domain. If Allegiance Internet is
doing primary and secondary name service, we will set up these
records for you automatically,
with “nse.algx.net” and “nsf.algx.net” as your two authoritative
name servers.
6. Start Of Authority Records (SOA)
The “SOA” record is the most crucial record in a DNS entry. It
conveys more information than all the other records combined.
This record is called the start of authority because it denotes the
DNS entry as the official source of information for its domain.
Here is an example of an SOA record; each part of it is explained
below:
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
1996111901 ; Serial
10800 ; Refresh
3600 ;Retry
3600000 ; Expire
86400 ) ; Minimum
The first column contains the domain for which this record is the
start of authority. The next two entries should look familiar. The
“draven.foobarbaz.com” entry is the primary name server for the
domain. The last entry on this row is actually an email address, if
you substituted a “@” for the first “.”. There should always be a
viable contact address in the SOA record.
The next entries are a little more unusual than what we have
become used to. The serial number is a record of how often this
DNS entry has been updated. Every time a change is made to the
entry, the serial number must be incremented. Other name
servers that pull information for a zone from the primary only pull
the zone if the serial number on the primary name server’s entry
is higher than the serial number on its entry. In this way the
name servers for a domain are able to update themselves. A
recommended way of using your serial number is the
YYYYMMDDNN format shown above, where the NN is the number
of times that day the DNS has been changed.
Also, a note for Allegiance Internet customers who run their own
name servers: even if the serial number is incremented, you
should still fill out the web form and use the comment box when
you make changes asking us to pull the new zones.
All the rest of the numbers in the record are measurements of
time, in seconds. The “refresh” number stands for how often
secondary name servers should check the primary for a change in
the serial number. “Retry” is how long a secondary server should
wait before trying to reconnect to the primary server if the
connection was refused. “Expire” is how long the secondary server
should keep using its current entry if it is unable to perform a
refresh, and “minimum” is how long other name servers should
cache, or save, this entry.
There can only be one SOA record per domain. Like NS
records, Allegiance Internet sets up this record for you if
you are not running your own name server.
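As an added example that is not part of the original document, the following Python parses the SOA record shown above and applies the two serial-number rules the text describes: a secondary transfers the zone only when the primary's serial is higher, and new serials follow the YYYYMMDDNN convention. The zone text is constructed for illustration and reuses the foobarbaz.com names from the page; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample zone fragment: the multi-line SOA from the page, with
# ';' comments, followed by one NS record.
SAMPLE_ZONE = """\
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                1996111901 ; Serial
                10800      ; Refresh
                3600       ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
foobarbaz.com. IN NS draven.foobarbaz.com.
"""


@dataclass
class SOA:
    zone: str
    primary: str      # MNAME: the primary name server
    contact: str      # RNAME turned into an e-mail address
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def strip_comments(text: str) -> str:
    """Drop everything after ';' on each line (zone-file comment syntax)."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(zone_text: str) -> SOA:
    """Locate the SOA record and return its fields.

    The parenthesised continuation is folded into one logical line first, so
    the record can be split on whitespace like a single-line record.
    """
    flat = strip_comments(zone_text)
    flat = re.sub(r"\(([^)]*)\)",
                  lambda m: " " + m.group(1).replace("\n", " ") + " ", flat)
    for line in flat.splitlines():
        fields = line.split()
        if len(fields) >= 10 and fields[1].upper() == "IN" and fields[2].upper() == "SOA":
            # RNAME: the first "." stands for "@", as the text explains.
            contact = fields[4].replace(".", "@", 1).rstrip(".")
            return SOA(fields[0], fields[3], contact, *map(int, fields[5:10]))
    raise ValueError("no SOA record found")


def secondary_should_transfer(primary_serial: int, secondary_serial: int) -> bool:
    """The page's rule: pull the zone only if the primary's serial is higher."""
    return primary_serial > secondary_serial


def next_serial(current: int, today_yyyymmdd: Optional[int] = None) -> int:
    """Return the next YYYYMMDDNN serial.

    The first change on a day gets NN=00; later changes the same day increment
    NN. If the stored serial is already at or beyond today's base (a clock
    problem, or a larger hand-picked number), it is simply incremented so the
    serial never moves backwards and secondaries keep transferring.
    """
    if today_yyyymmdd is None:
        today_yyyymmdd = int(date.today().strftime("%Y%m%d"))
    base = today_yyyymmdd * 100
    return base if current < base else current + 1


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    print(soa)
    print("next serial:", next_serial(soa.serial, 20240115))
```

The comparison in `secondary_should_transfer` is the plain "higher wins" rule as the text states it; a serial that is ever lowered by hand will silently stop secondaries from refreshing, which is why `next_serial` never returns a smaller value than the one it was given.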
Quick Summary of the major records in DNS
Q5.What is a DNS zone?
A zone is simply a contiguous section of the DNS namespace.
Records for a zone are stored and managed together. Often,
subdomains are split into several zones to make manageability
easier. For example, support.microsoft.com and
msdn.microsoft.com are separate zones, where support and msdn
are subdomains within the Microsoft.com domain.
Q6. Name the two zones in DNS?
DNS servers can contain primary and secondary zones. A primary
zone is a copy of a zone where updates can be made, while a
secondary zone is a copy of a primary zone. For fault tolerance
purposes and load balancing, a domain may have several DNS
servers that respond to requests for the same information. The
entries within a zone give the DNS server the information it needs
to satisfy requests from other computers or DNS servers.
Q7. How many SOA records does each zone contain?
Each zone has one SOA record. This record contains many
miscellaneous settings for the zone, such as who is responsible
for the zone, refresh interval settings, TTL (Time To Live) settings,
and a serial number (incremented with every update).
Q8. Short summary of the records in DNS?
The NS records are used to point to additional DNS servers. The
PTR record is used for reverse lookups (IP to name). CNAME
records are used to give a host multiple names. MX records are
used when configuring a domain for email.
Q9. What is an AD-integrated zone?
AD-integrated zones store the zone data in Active Directory and
use the same replication process used to replicate other data
between domain controllers. The one catch with AD-integrated
zones is that the DNS server must also be a domain controller.
Overloading DNS server responsibilities on your domain
controllers may not be something you want to do if you plan on
supporting a large volume of DNS requests.
Q10. What is a stub zone?
A stub zone is a copy of a zone that contains only those resource
records necessary to identify the authoritative Domain Name
System (DNS) servers for that zone. A stub zone is used to resolve
names between separate DNS namespaces. This type of
resolution may be necessary when a corporate merger requires
that the DNS servers for two separate DNS namespaces resolve
names for clients in both namespaces. The master servers for a
stub zone are one or more DNS servers authoritative for the child
zone, usually the DNS server hosting the primary zone for the
delegated domain name.
Q11. What does a stub zone consist of?
A stub zone consists of:
•The start of authority (SOA) resource record, name server (NS)
resource records, and the glue A resource records for the
delegated zone.
•The IP address of one or more master servers that can be used
to update the stub zone.
Q12. How does resolution in a stub zone take place?
When a DNS client performs a recursive query operation on a DNS
server hosting a stub zone, the DNS server uses the resource
records in the stub zone to resolve the query. The DNS server
sends an iterative query to the authoritative DNS servers
specified in the NS resource records of the stub zone as if it were
using NS resource records in its cache. If the DNS server cannot
find the authoritative DNS servers in its stub zone, the DNS server
hosting the stub zone attempts standard recursion using its root
hints. The DNS server will store the resource records it receives
from the authoritative DNS servers listed in a stub zone in its
cache, but it will not store these resource records in the stub zone
itself; only the SOA, NS, and glue A resource records returned in
response to the query are stored in the stub zone. The resource
records stored in the cache are cached according to the
Time-to-Live (TTL) value in each resource record. The SOA, NS, and
glue A resource records, which are not written to cache, expire
according to the expire interval specified in the stub zone's SOA
record, which is created during the creation of the stub zone and
updated during transfers to the stub zone from the original,
primary zone. If the query was an iterative query, the DNS server
returns a referral containing the servers specified in the stub zone.
Q13. What are the benefits of Active Directory integration?
For networks deploying DNS to support Active Directory,
directory-integrated primary zones are strongly recommended
and provide the following benefits:
• Multimaster update and enhanced security based on
the capabilities of Active Directory
In a standard zone storage model, DNS updates are conducted
based upon a single-master update model. In this model, a single
authoritative DNS server for a zone is designated as the primary
source for the zone.
This server maintains the master copy of the zone in a local file.
With this model, the primary server for the zone represents a
single fixed point of failure. If this server is not available, update
requests from DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are
conducted based upon a multimaster update model.
In this model, any authoritative DNS server, such as a domain
controller running a DNS server, is designated as a primary
source for the zone. Because the master copy of the zone is
maintained in the Active Directory database, which is fully
replicated to all domain controllers, the zone can be updated by
the DNS servers operating at any domain controller for the
domain.
With the multimaster update model of Active Directory, any of the
primary servers for the directory-integrated zone can process
requests from DNS clients to update the zone as long as a domain
controller is available and reachable on the network.
Also, when using directory-integrated zones, you can use access
control list (ACL) editing to secure a dnsZone object container in
the directory tree. This feature provides granular access to
either the zone or a specified RR in the zone.
For example, an ACL for a zone RR can be restricted so that
dynamic updates are only allowed for a specified client computer
or a secure group such as a domain administrators group. This
security feature is not available with standard primary zones.
Note that when you change the zone type to be directory-
integrated, the default for updating the zone changes to allow
only secure updates. Also, while you may use ACLs on DNS-
related Active Directory objects, ACLs may only be applied to the
DNS client service.
• Directory replication is faster and more efficient than
standard DNS replication.
Because Active Directory replication processing is performed on a
per-property basis, only relevant changes are propagated. This
allows less data to be used and submitted in updates for
directory-stored zones.
Note: Only primary zones can be stored in the directory. A DNS
server cannot store secondary zones in the directory. It must
store them in standard text files. The multimaster replication
model of Active Directory removes the need for secondary zones
when all zones are stored in Active Directory.
Q8. When does Group Policy get refreshed/applied?
Group Policies can be applied when a computer boots up, and/or
when a user logs in. However, policies are also refreshed
automatically according to a predefined schedule. This is called
Background Refresh.
Background refresh for non-DCs (PCs and Member Servers) is
every 90 mins., with a +/- 30 min. interval. So the refresh could be
60, 90 or 120 mins.
For DCs (Domain Controllers), background refresh is every 5
mins. Also, every 16 hours every PC will request all group policies
to be reapplied (user and machine). These settings can be
changed under Computer and User Nodes, Administrative
Templates, System, Group Policy.
Q9. Which policies are not affected by background refresh?
These policies are not affected by background refresh; they are
only applied at logon time:
Folder Redirection
Software Installation
Logon, Logoff, Startup, Shutdown Scripts
Q9. How to refresh Group Policies using the command
line?
Secedit.exe is a command line tool that can be used to refresh
group policies on a Windows 2000 computer. To use secedit, open
a command prompt and type:
secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or
computer, policies)
These parameters will only refresh any user or computer policies
that have changed since the last refresh. To force a reload of all
group policies regardless of the last change, use:
secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce
Gpupdate.exe is a command line tool that can be used to refresh
group policies on a Windows XP computer. It has replaced the
secedit command. To use gpupdate, open a command prompt
and type:
gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the machine, or computer,
policies)
As with secedit, these parameters will only refresh any user or
computer policies that have changed since the last refresh. To
force a reload of all group policies regardless of the last change,
use:
gpupdate /force
Notice the /force switch applies to both user and computer
policies. There is no separation of the two like there is with
secedit.
Q10. What is the Default Setting for Dial-up users?
Win2000 considers a slow dial-up link as anything less than
500kbps. When a user logs into a domain on a link under 500k
some policies are not applied. Windows 2000 will automatically
detect the speed of the dial-up connection and make a decision
about applying Group Policies.
Q11. Which are the policies which get applied regardless
of the speed of the dial-up connection?
Some policies are always applied regardless of the speed of the
dial-up connection. These are:
Administrative Templates
Security Settings
EFS Recovery
IPSec
Q12. Which policies do not get applied over slow links?
IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance
These settings can be changed under Computer and User Nodes,
Administrative Templates, System, Group Policy.
If the user connects to the domain using "Logon Using Dial-up
Connection" from the logon screen, once the user is
authenticated, the computer policies are applied first, followed by
the user policies.
If the user connects to the domain using "Network and Dial-up
Connections", after they logon, the policies are applied using the
standard refresh cycle.
Q13. What are the two default policies?
There are two default group policy objects that are created when
a domain is created: the Default Domain Policy and the Default
Domain Controllers Policy.
Default Domain Policy - this GPO can be found under the group
policy tab for that domain. It is the first policy listed. The default
domain policy is unique in that certain policies can only be
applied at the domain level.
If you double click this GPO and drill down to Computer
Configuration, Windows Settings, Security Settings, Account
Policies, you will see three policies listed:
Password Policy
Account Lockout Policy
Kerberos Policy
These 3 policies can only be set at the domain level. If you set
these policies anywhere else- Site or OU, they are ignored.
However, setting these 3 policies at the OU level will have the
effect of setting these policies for users who log on locally to their
PCs. Login to the domain you get the domain policy, login locally
you get the OU policy.
If you drill down to Computer Configuration, Windows Settings,
Security Settings, Local Policies, Security Options, there are 3
policies that are affected by Default Domain Policy:
Automatically log off users when logon time expires
Rename Administrator Account - When set at the domain level, it
affects the Domain Administrator account only.
Rename Guest Account - When set at the domain level, it affects
the Domain Guest account only.
The Default Domain Policy should be used only for the policies
listed above. If you want to create additional domain level
policies, you should create additional domain level GPOs. Do not
delete the Default Domain Policy. You can disable it, but it is not
recommended.
Default Domain Controllers Policy - this policy can be found by
right clicking the Domain Controllers
OU, choosing Properties, then the Group Policy tab. This policy
affects all Domain Controllers in the domain regardless of where
you put the domain controllers. That is, no matter where you put
your domain controllers in Active Directory (whatever OU you put
them in), they will still process this policy. Use the Default Domain
Controllers Policy to set
local policies for your domain controllers, e.g. Audit Policies,
Event Log settings, who can logon locally and so on.
Q14. How to restore Group Policy settings back to default?
The following command would replace both the Default Domain
Security Policy and Default Domain Controller Security Policy. You
can specify Domain or DC instead of Both, to only restore one or
the other.
> dcgpofix /target:Both
Note that this must be run from a domain controller in the target
domain where you want to reset the GPO.
If you've ever made changes to the default GPOs and would like
to revert back to the original settings, the dcgpofix utility is your
solution. dcgpofix works with a particular version of the schema. If
the version it expects to be current is different from what is in
Active Directory, it will not restore the GPOs. You can work around
this by using the /ignoreschema switch, which will restore the GPO
according to the version dcgpofix thinks is current. The only time
you might experience this issue is if you install a service pack on
a domain controller (dc1) that extends the schema, but have not
installed it yet on a second domain controller (dc2). If you try to
run dcgpofix from dc2, you will receive the error since a new
version of the schema and the dcgpofix utility was installed on
dc1.
Resolving GPOs from Multiple Sources
Because GPOs can come from different sources to apply to a
single user or computer, there must be a way of determining how
those GPOs are combined. GPOs are processed in the following
order:
1. Local GPO The local GPO on the computer is processed and all
settings specified in that GPO are applied.
2. Site GPOs GPOs linked to the site in which the computer
resides are processed. Settings made at this level override any
conflicting settings made at the preceding level. If multiple GPOs
are linked to a site, the site administrator can control the order in
which those GPOs are processed.
3. Domain GPOs GPOs linked to the domain in which the
computer resides are processed and any settings are applied.
Settings made at the domain level override conflicting settings
applied at the local or site level. Again, the administrator can
control the processing order when multiple GPOs are linked to the
domain.
4. OU GPOs GPOs linked to any OUs that contain the user or
computer object are processed. Settings made at the OU level
override conflicting settings applied at the domain, local, or site
level. It is possible for a single object to be in multiple OUs. In this
case, GPOs linked to the highest level OU in the Active Directory
hierarchy are processed first, followed by the next highest level
OU, and so on. If multiple GPOs are linked to a single
.
Q15. What are the two exceptions to control the inheritance of
the group policy?
■ No Override
When you link a GPO to a container, you can configure a No
Override option that prevents settings in the GPO from being
overridden by settings in GPOs linked to child containers. This
provides a way to force child containers to conform to a particular
policy.
■ Block Inheritance
You can configure the Block Inheritance option on a container to
prevent the container from inheriting GPO settings from its parent
containers. However, if a parent container has the No Override
option set, the child container cannot block inheritance from this
parent.
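The processing order above and the two inheritance exceptions can be checked with a small model. This is an added example, not Windows' own implementation: it applies Local, Site, Domain and OU GPOs in order, lets a later container win conflicts, discards non-enforced parent settings at a Block Inheritance boundary, and applies No Override GPOs last so they cannot be overridden or blocked. The container, GPO and setting names are constructed; the tie-break between two conflicting No Override GPOs (the one linked closest to the root wins) is an assumption of this model, not something the text states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]
    no_override: bool = False   # "No Override": child containers cannot override or block it


@dataclass
class Container:
    name: str                                      # e.g. "Site:HQ", "Domain:corp", "OU:Sales"
    gpos: List[GPO] = field(default_factory=list)  # link order; index 0 has highest precedence
    block_inheritance: bool = False


def resolve(local: Optional[GPO], chain: List[Container]) -> Dict[str, object]:
    """Effective settings for an object whose containers are given outermost
    first (site, domain, OU, child OU ...), matching the processing order in
    the text: later containers override earlier ones on conflict.
    """
    effective: Dict[str, object] = dict(local.settings) if local else {}
    enforced: List[GPO] = []                  # No Override GPOs, applied last

    for container in chain:
        if container.block_inheritance:
            # Block Inheritance discards non-enforced settings from parent
            # containers. The local GPO is not a parent container, so it stays
            # (assumption of this model).
            effective = dict(local.settings) if local else {}
        # Within one container the lowest link-order entry is applied first,
        # so that link order 1 wins conflicts.
        for gpo in reversed(container.gpos):
            if gpo.no_override:
                enforced.append(gpo)
            else:
                effective.update(gpo.settings)

    # No Override GPOs beat everything linked below them and survive Block
    # Inheritance. Applying them innermost-first means that when two enforced
    # GPOs conflict, the one linked closest to the root is applied last and
    # wins (assumption: this is how the model breaks such ties).
    for gpo in reversed(enforced):
        effective.update(gpo.settings)
    return effective


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed scenario: a blocked OU still receives the enforced domain policy."""
    local = GPO("Local", {"screensaver_timeout": 600, "proxy": "none"})
    site = Container("Site:HQ", [GPO("SiteProxy", {"proxy": "proxy.hq"})])
    domain = Container("Domain:corp", [
        GPO("DomainSecurity", {"min_pwd_len": 12, "wallpaper": "corp.bmp"}, no_override=True),
    ])
    sales = Container("OU:Sales", [GPO("SalesDesktop", {"wallpaper": "sales.bmp", "min_pwd_len": 6})])
    unblocked = resolve(local, [site, domain, sales])
    sales.block_inheritance = True
    blocked = resolve(local, [site, domain, sales])
    return {"unblocked": unblocked, "blocked": blocked}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In the scenario, blocking inheritance on the Sales OU removes the site proxy setting but not the domain's No Override password policy, which is exactly the interaction the two exceptions describe: Block Inheritance protects an OU from ordinary parent GPOs, No Override protects a parent GPO from being blocked.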
Q16. How to redirect new user and computer accounts?
By default, new user and computer accounts are created in the
Users and Computers containers, respectively. You cannot link a
GPO to either of these built-in containers. Even though the built-in
containers inherit GPOs linked to the domain, you may have a
situation that requires user accounts and computer accounts to
be stored in an OU to which you can link a GPO. Windows Server
2003 includes two new tools that let you redirect the target
location for new user and computer accounts. You can use
redirusr.exe to redirect user accounts and redircomp.exe to
redirect computer accounts. Once you choose the OU for
redirection, new user and computer accounts are created directly
in the new target OU, where the appropriate GPOs are linked. For
example, you could create an OU named New Users, link an
appropriate GPO to the OU, and then redirect the creation of new
user accounts to the New Users OU. Any new users created
would immediately be affected by the settings in the GPO.
Administrators could then move the new user accounts to a more
appropriate location later. You can find both of these tools in the
%windir%\system32 folder on any computer running Windows
Server 2003. You can learn more about using these tools in
Knowledge Base article 324949, “Redirecting the Users and
Computers Containers in Windows Server 2003 Domains,” in the
Microsoft Knowledge Base at http://support.microsoft.com.
Q17. What permissions should an administrator have to
manage GPOs?
Editing GPOs linked to sites requires Enterprise Administrative
permissions.
Editing GPOs linked to domains requires Domain Administrative
permissions.
Editing GPOs linked to OUs requires permissions for the OU.
Q18. What is the client requirement for supporting GPOs?
For client computers to accept Group Policy settings, they must
be members of Active Directory. Support for Group Policy for key
operating systems includes the following:
■ Windows 95/98/Me do not support Group Policy.
■ Windows NT 4.0 and earlier versions do not support Group
Policy.
■ Windows 2000 Professional and Server support many of the
Group Policy settings available in Windows Server 2003, but not
all. Unsupported settings are ignored.
■ Windows XP Professional, Windows XP 64-bit Edition, and
Windows Server 2003 fully support Group Policy.

Q14. What is Scavenging?
DNS scavenging is the process whereby resource records are
automatically removed if they are not updated after a period of
time. Typically, this applies only to resource records that were
added via DDNS, but you can also scavenge manually added, also
referred to as static, records. DNS scavenging is a recommended
practice so that your DNS zones are automatically kept clean of
stale resource records.
Q15. What is the default interval when DNS server will
kick off the scavenging process?
The default value is 168 hours, which is equivalent to 7 days.
DNS Q&A corner
Q1. How do I use a load balancer with my name servers?
> Just wanted to ask a question about load-balanced DNS servers
> via an external network load balancing appliance (i.e. F5's Big IP,
> Cisco's Content Switches/Local Directors).
> The main question being the configuration whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be setup. One in which only the resolvers query the
> virtual IP address on the load balancing appliance or actually
> configure your NS records to point to the Virtual Address so that all
> queries, ie - both by local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard or architected such a configuration?
>
> VIP = 167.147.1.5
>  ------------------------
> | Load Balancer Device   |
>  ------------------------
>             |
>      ---------------
>     |               |
>  ---------       ---------
> | DNS 1   |     | DNS 2   |
>  ---------       ---------
>  1.1.1.1         1.1.1.2
There's usually not much need to design solutions like these,
since most name server implementations will automatically
choose the name server that responds most quickly. In other
words, if DNS 1 fails, remote name servers will automatically try
DNS 2, and vice versa.
However, it can be useful for resolvers. In that case, you don't
need to worry about NS records (since resolvers don't use them),
just setting up a virtual IP address.
> Also, is there any problem in running two Master/Primaries?
Just that you'd have to synchronize the zone data between the
two manually.
Q2. How does reverse mapping work?
> How can reverse lookup possibly work on the Internet - how can a
> local resolver or ISP's DNS server find the pointer records please?
> E.g. I run nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup
> zone in the sky?
Yes, actually, there is: in-addr.arpa.
If a resolver needs to reverse map, say, 161.114.1.206 to a
domain name, it first inverts the octets of the IP address and
appends "in-addr.arpa." So, in this case, the IP address would
become the domain name 206.1.114.161.in-addr.arpa.
Then the resolver sends a query for PTR records attached to that
domain name. If necessary, the resolution process starts at the
root name servers. The root name servers refer the querier to the
161.in-addr.arpa name servers, run by an organization called
ARIN, the American Registry for Internet Numbers. These name
servers refer the querier to 1.114.161.in-addr.arpa name servers,
run by Compaq. And, finally, these name servers map the IP
address to inmail.compaq.com.
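The octet inversion described in this answer, as an added example that is not part of the original Q&A. `reverse_name` builds the PTR query name; `delegation_chain` lists the zone names a resolver is referred through on the way down, which for 161.114.1.206 reproduces the answer's walk from in-addr.arpa to the /8 zone run by ARIN and the /24 zone run by Compaq. The IPv6 branch goes beyond the answer: the address is expanded, each hex nibble reversed and ip6.arpa appended. The 2001:db8::1 address is a constructed example; results are cross-checked against Python's ipaddress module.

```python
import ipaddress
from typing import List


def reverse_name(ip: str) -> str:
    """PTR query name for an address: octets reversed under in-addr.arpa for
    IPv4 (as in the answer), hex nibbles reversed under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")        # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def delegation_chain(ip: str) -> List[str]:
    """Zone names a resolver may be referred through, from the top of the
    reverse tree down to the full PTR name; e.g. the answer's walk
    root -> 161.in-addr.arpa (ARIN) -> 1.114.161.in-addr.arpa (Compaq)."""
    labels = reverse_name(ip).rstrip(".").split(".")
    suffix = 2                                       # "in-addr.arpa" or "ip6.arpa"
    return [".".join(labels[i:]) + "." for i in range(len(labels) - suffix, -1, -1)]


def matches_stdlib(ip: str) -> bool:
    """Cross-check against ipaddress.reverse_pointer (which has no trailing dot)."""
    return reverse_name(ip).rstrip(".") == ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    for ip in ("161.114.1.206", "2001:db8::1"):
        print(reverse_name(ip))
        print("  " + " -> ".join(delegation_chain(ip)))
```

Every intermediate name in the chain is a potential delegation point, which is why reverse lookups follow the address-block assignments (registry, then ISP or owner) rather than the forward domain hierarchy.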
Q3. What are the pros and cons of running slaves versus
caching-only name servers?
> Question: I am in the process of setting up DNS servers in several
> locations for my business. I have looked into having a primary
> master server running in my server room and adding slave servers
> in the other areas. I then thought I could just setup a primary and
> a single slave server and run caching only servers in the other
> areas. What are the pros and cons of these two options, or should
> I run a slave server in every location and still have a caching
> server with it? I just don't know what the best way would be.
> Please help.
The main advantage of having slaves everywhere is that you have
a source of your own zone data on each name server. So if you
have a community of hosts near each slave that look up domain
names in your zones, the local name server can answer most of
their queries. On the other hand, administering slaves is a little
more work than administering caching-only name servers, and a
little greater burden on the primary master name server.
Q4. Can I set a TTL on a specific record?
> Is it possible to setup TTL values for individual records in BIND?
Sure. You specify explicit TTLs in a record's TTL field, between the
owner field and the class field:
foo.example. 300 IN A 10.0.0.1
Q5. Can I use an A record instead of an MX record?
> I have a single machine running DNS, mail and web for a domain
> and I'm not sure that I have DNS setup properly. If the machine
> that is running the mail is the name of the domain does there need
> to be an MX record for mail?
Technically, no. Nearly all mailers will look up A records for a
domain name in a mail destination if no MX records exist.
> If an MX record is not needed, how would you put in an MX
> record for a backup mail server.
You can't. If you want to use a backup mailer, you need to use MX
records.
> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1
These CNAME records are all incorrect. CNAME records create an
alias from one domain name to another, so the field after
"CNAME" must contain a domain name, not an IP address. For
example:
www CNAME foo.example.
Q6. What are a zone's NS records used for?
> Could you elaborate a little bit on why do we need to put NS
> records for the zone we are authoritative for?
> The parent name server handles these already. Is there any
> problem if our own NS records have lower TTLs than the records
> from the parent name server?
That's a good question. The NS records from your zone data file
are used for several things:
- Your name servers return them in responses to queries, in the
authority section of the DNS message. Moreover, the set of NS
records that comes directly from your name server supersedes
the set that a querier gets from your parent zone's name servers,
so if the two sets are different, yours "wins."
- Your name servers use the NS records to determine where to
send NOTIFY messages.
- Dynamic updaters determine where to send updates using the
NS records, which they often get from the authoritative name
servers.
Q7. Do slaves only communicate with their masters over
TCP?
> When the slave zone checks in with the master zone for the
> serial number, is all this traffic happening on TCP? For example,
> if you have ACLs blocking UDP traffic but allowing TCP traffic will
> the transfer work or will it fail due to the slave's inability to query
> for the SOA record on UDP?
No. The refresh query (for the zone's SOA record) is usually done
over UDP.
Q8. What's the largest number I can use in an MX record?
> Could you tell us the highest possible number we can use for
> the MX preference?
Preference is an unsigned, 16-bit number, so the largest number
you can use is 65535.
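Several answers in this corner, and the NS section earlier on the page, each state one rule about how a record must be written: a TTL may sit between the owner and the class (Q4), CNAME data must be a domain name rather than an address (Q5), the MX preference is an unsigned 16-bit number (Q8), every name server named in an NS record needs an A record, and a zone needs at least two NS records. The following added example (not part of the original page) parses single-line records and checks those rules together. The record lines are constructed and reuse names from the page; `parse_rr`, `check_zone` and the sample lists are this example's own names.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RR:
    owner: str
    ttl: Optional[int]
    rrtype: str
    rdata: List[str]


def parse_rr(line: str) -> RR:
    """Parse 'owner [ttl] IN type rdata...'; the TTL, if present, sits between
    the owner and the class, as the TTL answer shows."""
    fields = line.split(";", 1)[0].split()
    if len(fields) < 4:
        raise ValueError(f"too few fields: {line!r}")
    ttl, i = None, 1
    if fields[i].isdigit():
        ttl, i = int(fields[i]), i + 1
    if fields[i].upper() != "IN":
        raise ValueError(f"expected class IN: {line!r}")
    return RR(fields[0].lower(), ttl, fields[i + 1].upper(), fields[i + 2:])


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_zone(zone: str, lines: List[str]) -> List[str]:
    """Return the problems found in the records of `zone` (empty list = clean)."""
    zone = zone.lower()
    records = [parse_rr(l) for l in lines if l.strip() and not l.lstrip().startswith(";")]
    a_owners = {r.owner for r in records if r.rrtype == "A"}
    problems, ns_count = [], 0
    for r in records:
        if r.rrtype == "CNAME":
            if not r.rdata or is_ip(r.rdata[0]):
                problems.append(f"{r.owner} CNAME: target must be a domain name, not an address")
        elif r.rrtype == "MX":
            pref = r.rdata[0] if r.rdata else ""
            if len(r.rdata) != 2 or not pref.isdigit() or int(pref) > 65535:
                problems.append(f"{r.owner} MX: preference must be 0..65535 followed by a host")
        elif r.rrtype == "NS" and r.owner == zone:
            ns_count += 1
            target = r.rdata[0].lower() if r.rdata else ""
            if target.endswith("." + zone) and target not in a_owners:
                problems.append(f"{r.owner} NS: {target} has no A record in this zone")
    if ns_count < 2:
        problems.append(f"{zone} has fewer than two NS records")
    return problems


# Constructed sample records using the names from this page.
GOOD = [
    "foobarbaz.com.          IN NS    draven.foobarbaz.com.",
    "foobarbaz.com.          IN NS    nse.algx.net.",
    "draven.foobarbaz.com.   300 IN A 10.0.0.1   ; explicit TTL",
    "foobarbaz.com.          IN MX    10 mail.foobarbaz.com.",
    "mail.foobarbaz.com.     IN A     10.0.0.2",
    "www.foobarbaz.com.      IN CNAME mail.foobarbaz.com.",
]
BAD = [
    "foobarbaz.com.          IN NS    draven.foobarbaz.com.",      # no A record, only one NS
    "www.foobarbaz.com.      IN CNAME 192.168.0.1",                # the mistake from Q5
    "foobarbaz.com.          IN MX    70000 mail.foobarbaz.com.",  # exceeds 16 bits
]

if __name__ == "__main__":
    print("GOOD:", check_zone("foobarbaz.com.", GOOD) or "no problems")
    print("BAD:", *check_zone("foobarbaz.com.", BAD), sep="\n  ")
```

The NS check only demands an A record for name servers inside the zone being checked; a server in another zone, such as nse.algx.net above, is resolved through that zone's own records.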
Q9. Why are there only 13 root name servers?
> I'm wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical
> limit on the Domain Name System (without any detailed
> explanation).
> From my understanding, it seems that some limitation of NS
> record numbers in DNS packets is specified by certain RFCs, or it
> is just Internet policy stuff.
>
> Which one is the proper reason?
It's a technical limitation. UDP-based DNS messages can be up to
512 bytes long, and only 13 NS records and their corresponding A
records will fit into a DNS message that size.
Q2. What are their functions?
1.Schema Master
(Forest level) The schema master FSMO role holder is the Domain
Controller responsible for performing updates to the active
directory schema. It contains the only writable copy of the AD
schema. This DC is the only one that can process updates to the
directory schema, and once the schema update is complete, it is
replicated from the schema master to all other DCs in the forest.
There is only one schema master in the forest.
2.Domain Naming Master
(Forest level) The domain naming master FSMO role holder is the
DC responsible for making changes to the forest-wide domain
name space of the directory. This DC is the only one that can add
or remove a domain from the directory, and that is its major
purpose. It can also add or remove cross references to domains in
external directories. There is only one domain naming master in
the active directory or forest.
3. PDC Emulator
(Domain level) In a Windows 2000 domain, the PDC emulator
server role performs the following functions:
•Password changes performed by other DCs in the domain are
replicated preferentially to the PDC emulator first.
•Authentication failures that occur at a given DC in a domain
because of an incorrect password are forwarded to the PDC
emulator for validation before a bad password failure message is
reported to the user.
•Account lockout is processed on the PDC emulator.
•Time synchronization for the domain.
•Group Policy changes are preferentially written to the PDC
emulator.
Additionally, if your domain is a mixed mode domain that contains
Windows NT 4 BDCs, then the Windows 2000 domain controller
that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.
There is only one PDC emulator per domain.
Note: Some consider the PDC emulator to only be relevant in a
mixed mode domain. This is not true. Even after you have
changed your domain to native mode (no more NT 4 domain
controllers), the PDC emulator is still necessary for the reasons
above.
4.RID Master
(Domain level) The RID master FSMO role holder is the single DC
responsible for processing RID Pool requests from all DCs within a
given domain. It is also responsible for removing an object from
its domain and putting it in another domain during an object
move. When a DC creates a security principal object such as a
user, group or computer account, it attaches a unique Security ID
(SID) to the object. This SID consists of a domain SID (the same
for all SIDs created in a domain), and a relative ID (RID) that
makes the object unique in a domain. Each Windows 2000 DC in a
domain is allocated a pool of RIDs that it assigns to the security
principals it creates. When a DC's allocated RID pool falls below a
threshold, that DC issues a request for additional RIDs to the
domain's RID master. The domain RID master responds to the
request by retrieving RIDs from the domain's unallocated RID pool
and assigns them to the pool of the requesting DC. There is one
RID master per domain in a directory.
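The allocation scheme just described, as an added example that is not Windows' implementation: a single RID master hands out disjoint RID ranges, each DC builds SIDs as the domain SID followed by a RID from its current pool, and a DC requests a standby pool once its remaining RIDs fall below a threshold. The domain SID, pool size and threshold are constructed placeholders; the class and method names are this example's own.

```python
from typing import Dict, List, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed placeholder


class RidMaster:
    """Hands out disjoint RID ranges; there is exactly one per domain."""

    def __init__(self, first_rid: int = 1000, pool_size: int = 500):
        self.next_free = first_rid
        self.pool_size = pool_size
        self.allocations: List[Tuple[str, int, int]] = []   # (dc, first, last) audit trail

    def allocate(self, dc_name: str) -> Tuple[int, int]:
        first, last = self.next_free, self.next_free + self.pool_size - 1
        self.next_free = last + 1
        self.allocations.append((dc_name, first, last))
        return first, last


class DomainController:
    """Issues SIDs from its current pool; asks for a standby pool when low."""

    def __init__(self, name: str, master: RidMaster, threshold: int = 50):
        self.name, self.master, self.threshold = name, master, threshold
        self.current = master.allocate(name)       # (next unused RID, last RID)
        self.standby: Optional[Tuple[int, int]] = None
        self.requests = 1

    def remaining(self) -> int:
        return self.current[1] - self.current[0] + 1

    def create_principal(self, account: str) -> str:
        """Return the SID for a new user, group or computer: domain SID + RID."""
        if self.remaining() == 0:
            if self.standby is None:
                # With no standby pool and the RID master unreachable, the DC
                # cannot create security principals at all.
                raise RuntimeError(f"{self.name}: RID pool exhausted")
            self.current, self.standby = self.standby, None
        rid, last = self.current
        self.current = (rid + 1, last)
        if self.remaining() < self.threshold and self.standby is None:
            self.standby = self.master.allocate(self.name)
            self.requests += 1
        return f"{DOMAIN_SID}-{rid}"


def demo(count_per_dc: int = 150) -> Dict[str, object]:
    """Two DCs each create 150 principals; every SID must be distinct."""
    master = RidMaster(pool_size=100)
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    sids = [dc.create_principal(f"user{i}") for dc in (dc1, dc2) for i in range(count_per_dc)]
    return {"sids": sids, "allocations": master.allocations,
            "requests": (dc1.requests, dc2.requests)}


if __name__ == "__main__":
    result = demo()
    print(len(set(result["sids"])), "distinct SIDs")
    print(result["allocations"])
```

Because the RID master is the only source of new ranges, a DC that exhausts its pool while the RID master is unreachable stops creating accounts; the standby request below the threshold is what gives each DC slack to ride out a temporary outage.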
5.Infrastructure Master
(Domain level) The DC that holds the Infrastructure Master FSMO
role is responsible for cross domain updates and lookups. When
an object in one domain is referenced by another object in
another domain, it represents the reference by the GUID, the SID
(for references to security principals), and the distinguished name
(DN) of the object being referenced. The Infrastructure role holder
is the DC responsible for updating an object's SID and
distinguished name in a cross-domain object reference.
When a user in DomainA is added to a group in DomainB, then
the Infrastructure master is involved. Likewise, if that user in
DomainA, who has been added to a group in DomainB, then
changes his username in DomainA, the Infrastructure master
must update the group membership(s) in DomainB with the name
change.
There is only one Infrastructure master per domain.
Q4. Where are these FSMO server roles found?
The first domain controller that is installed in a Windows 2000
domain, by default, holds all five of the FSMO server roles. Then,
as more domain controllers are added to the domain, the FSMO
roles can be moved to other domain controllers.
Q5. Can you move FSMO roles?
Yes. Moving a FSMO server role is a manual process; it does not
happen automatically. But what if you only have one domain
controller in your domain? That is fine. If you have only one
domain controller in your organization then you have one forest,
one domain, and of course the one domain controller. All 5 FSMO
server roles will exist on that DC. There is no rule that says you
have to have one server for each FSMO server role.
Q6. Where to place the FSMO roles?
Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.
The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are, by default, on the first domain controller installed in a forest, you can leave them as they are.
Note: According to MS, the Domain Naming Master needs to be on a Global Catalog server. If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.
IMP: Why should the Infrastructure Master not be on the same server that acts as a Global Catalog server?
The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts a Global Catalog server for this information. If both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog keeps it constantly updated. As a result, the Infrastructure Master would never replicate those changes to the other domain controllers in its domain.
Note: In a single-domain environment this is not an issue.
Microsoft also recommends that the PDC Emulator and RID Master
be on the same server. This is not mandatory like the
Infrastructure Master and the Global Catalog server above, but is
recommended. Also, since the PDC Emulator will receive more
traffic than any other FSMO role holder, it should be on a server
that can handle the load.
It is also recommended that all FSMO role holders be direct
replication partners and they have high bandwidth connections to
one another as well as a Global Catalog server.
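As an added example (not part of the original document), the following PowerShell script reads the current FSMO role holders with the ActiveDirectory module and checks them against the placement guidance above: Schema Master and Domain Naming Master on Global Catalog servers, PDC Emulator and RID Master together, and the Infrastructure Master off a Global Catalog in a multi-domain forest. It assumes RSAT is installed on a domain-joined machine and queries the current forest; it is read-only.

```powershell
# Added example, not from the original document. Requires the ActiveDirectory
# module (RSAT) on a domain-joined machine; read-only, queries the current forest.
Import-Module ActiveDirectory

function New-Finding([string]$Status, [string]$Text) {
    [pscustomobject]@{ Status = $Status; Finding = $Text }
}

function Test-FsmoPlacement {
    param([string]$Forest = (Get-ADForest).Name)   # assumption: current forest

    $f   = Get-ADForest -Identity $Forest
    $gcs = @($f.GlobalCatalogs)                     # FQDNs of every GC in the forest
    $out = New-Object System.Collections.Generic.List[object]

    # Forest-wide roles: both should sit on Global Catalog servers
    $sm  = $f.SchemaMaster
    $dnm = $f.DomainNamingMaster
    $out.Add((New-Finding 'INFO' "Schema Master: $sm; Domain Naming Master: $dnm"))
    foreach ($r in @(@{ Name = 'Schema Master'; Holder = $sm },
                     @{ Name = 'Domain Naming Master'; Holder = $dnm })) {
        if ($gcs -contains $r.Holder) {
            $out.Add((New-Finding 'PASS' "$($r.Name) $($r.Holder) is a Global Catalog server"))
        } else {
            $out.Add((New-Finding 'WARN' "$($r.Name) $($r.Holder) is not a Global Catalog server"))
        }
    }
    if ($sm -ne $dnm) {
        $out.Add((New-Finding 'INFO' 'Schema Master and Domain Naming Master are on different DCs (fine if both are GCs)'))
    }

    # Domain-wide roles, checked for every domain in the forest
    $multiDomain = $f.Domains.Count -gt 1
    foreach ($name in $f.Domains) {
        $d = Get-ADDomain -Identity $name
        $out.Add((New-Finding 'INFO' "$name PDC=$($d.PDCEmulator) RID=$($d.RIDMaster) IM=$($d.InfrastructureMaster)"))
        if ($d.PDCEmulator -eq $d.RIDMaster) {
            $out.Add((New-Finding 'PASS' "$name PDC Emulator and RID Master share a DC"))
        } else {
            $out.Add((New-Finding 'INFO' "$name PDC Emulator and RID Master are on different DCs (recommended together, not required)"))
        }
        # Infrastructure Master on a GC is only a problem when there is more than one domain
        if ($multiDomain -and ($gcs -contains $d.InfrastructureMaster)) {
            $out.Add((New-Finding 'WARN' "$name Infrastructure Master $($d.InfrastructureMaster) is a GC; cross-domain references will not be updated"))
        } else {
            $out.Add((New-Finding 'PASS' "$name Infrastructure Master placement is fine"))
        }
    }
    return $out
}

Test-FsmoPlacement | Format-Table -AutoSize
```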
Q7. What permissions should you have in order to transfer an FSMO role?
Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:
FSMO TOOLS
Q8. Which tools find out what servers in your domain/forest hold what server roles?
1. Active Directory Users and Computers
Use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the location of one or more of these 3 FSMO roles. Open Active Directory Users and Computers, right-click the domain you want to view the FSMO roles for and click "Operations Masters". A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see which server that role resides on. To change the server roles, you must first connect to the domain controller you want to move the role to. Do this by right-clicking "Active Directory Users and Computers" at the top of the snap-in and choosing "Connect to Domain Controller". Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button.
When you connect to another DC, you will notice the name of that DC in the field below the Change button.
2. Active Directory Domains and Trusts
Use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location. The process is the same as when viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click "Active Directory Domains and Trusts" at the top of the tree, and choose "Operations Master". When you do, you will see the dialog box below.
Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right-clicking "Active Directory Domains and Trusts" at the top of the snap-in and choosing "Connect to Domain Controller".
3. Active Directory Schema
This snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the \Support directory on the Windows 2000 Server CD or install the Windows 2000 Server Resource Kit. Once you install the Support Tools you can open a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right-click "Active Directory Schema" at the top of the tree and choose "Operations Masters". You will see the dialog box below.
Changing the server the Schema Master resides on requires that you first connect to another domain controller, and then click the Change button. You can connect to another domain controller by right-clicking "Active Directory Schema" at the top of the snap-in and choosing "Connect to Domain Controller".
4. Netdom
The easiest and fastest way to find out which server holds which FSMO role is the Netdom command-line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Windows 2000 Server Resource Kit. To use Netdom to view the FSMO role holders, open a command prompt window, type: netdom query fsmo and press Enter. You will see a list of the FSMO role servers:
5. Active Directory Replication Monitor
Another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.
Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command-line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.
6. DUMPFSMOS
Command-line tool to query for the current FSMO role holders. Part of the Microsoft Windows 2000 Server Resource Kit, downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp. Prints the current FSMO holders to the screen; calls NTDSUTIL to get this information.
7. NLTEST
Command-line tool to perform common network administrative tasks. Type "nltest /?" for syntax and switches. Common uses:
●Get a list of all DCs in the domain
●Get the name of the PDC emulator
●Query or reset the secure channel for a server
●Call DsGetDCName to query for an available domain controller
8. Adcheck (470k)
(3rd party) A simple utility to view information about AD and FSMO roles: http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi
Q9. How to Transfer and Seize a FSMO Role?
GROUP POLICY
Q1. What are Group Policies?
Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies. Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.
Q2. To whom does a Domain policy get applied?
Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).
Q3. From where to create a Group Policy?
To create a Domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name or another Site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies.
For Active Directory Users and Computers, it is the same process except you right-click the Domain or an OU and choose Properties.
Q4. Who can Create/Modify Group Policies?
You have to have Administrative privileges to create/modify group
policies. The following table shows who can create/modify group
policies:
Q5. How are Group Policies applied?
Group Policies can be configured locally, at the Site level, the Domain level or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested policies (OUs within OUs).
Group Policies cannot be linked to a specific user or group, only to container objects. In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects. Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU, while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.
There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies.
Note: Computer policies are also referred to as machine policies.
User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies.
To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.
It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first, and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated, as a whole, and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, and then applied.
When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.
Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.
When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No Screen Saver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6. How to disable Group Policy Objects?
When you are creating a Group Policy Object, the changes happen immediately. There is no "saving" of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column again to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.
Q7. When do Group Policy scripts run?
Startup scripts are processed at computer boot-up and before the user logs in.
Shutdown scripts are processed after a user logs off, but before the computer shuts down.
Logon scripts are processed when the user logs in.
Logoff scripts are processed when the user logs off, but before the shutdown script runs.
Q8. When does Group Policy get refreshed/applied?
Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.
Background refresh for non-DCs (PCs and member servers) is every 90 mins., with a +/- 30 min. random interval. So the refresh could be 60, 90 or 120 mins.
For DCs (Domain Controllers), background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes, Administrative Templates, System, Group Policy.
Q9. Which policies are not affected by background refresh?
The following policies are not affected by background refresh; they are only applied at logon time:
●Folder Redirection
●Software Installation
●Logon, Logoff, Startup and Shutdown Scripts
Q9. How to refresh Group Policies using the command line?
Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:
secedit /refreshpolicy user_policy to refresh the user policies
secedit /refreshpolicy machine_policy to refresh the machine (or computer) policies
These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:
secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce
Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:
gpupdate /target:user to refresh the user policies
gpupdate /target:computer to refresh the machine (or computer) policies
As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:
gpupdate /force
Notice that the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.
Q10. What is the Default Setting for Dial-up users?
Win2000 considers a slow dial-up link as anything less than
500kbps. When a user logs into a domain on a link under 500k
some policies are not applied. Windows 2000 will automatically
detect the speed of the dial-up connection and make a decision
about applying Group Policies.
Q11. Which are the policies which get applied regardless
of the speed of the dial-up connection?
Some policies are always applied regardless of the speed of the
dial-up connection. These are:
Administrative Templates
Security Settings
EFS Recovery
IPSec
Q12. Which policies do not get applied over slow links?
IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance
These settings can be changed under Computer and User Nodes,
Administrative Templates, System, Group Policy.
If the user connects to the domain using "Logon Using Dial-up
Connection" from the logon screen, once the user is
authenticated, the computer policies are applied first, followed by
the user policies.
If the user connects to the domain using "Network and Dial-up
Connections", after they logon, the policies are applied using the
standard refresh cycle.
Q13. Which are the two types of default policies?
There are two default group policy objects that are created when
a domain is created. The Default Domain policy and the Default
Domain Controllers policy.
Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.
If you double click this GPO and drill down to Computer
Configuration, Windows Settings, Security Settings, Account
Policies, you will see three policies listed:
Password Policy
Account Lockout Policy
Kerberos Policy
These 3 policies can only be set at the domain level. If you set
these policies anywhere else- Site or OU, they are ignored.
However, setting these 3 policies at the OU level will have the
effect of setting these policies for users who log on locally to their
PCs. Login to the domain you get the domain policy, login locally
you get the OU policy.
If you drill down to Computer Configuration, Windows Settings,
Security Settings, Local Policies, Security Options, there are 3
policies that are affected by Default Domain Policy:
Automatically log off users when logon time expires
Rename Administrator Account - When set at the domain level, it
affects the Domain Administrator account only.
Rename Guest Account - When set at the domain level, it affects
the Domain Guest account only.
The Default Domain Policy should be used only for the policies
listed above. If you want to create additional domain level
policies, you should create additional domain level GPOs. Do not
delete the Default Domain Policy. You can disable it, but it is not
recommended.
Default Domain Controllers Policy
- This policy can be found by right clicking the Domain Controllers
OU, choosing Properties, then the Group Policy tab. This policy
affects all Domain Controllers in the domain regardless of where
you put the domain controllers. That is, no matter where you put
your domain controllers in Active Directory (whatever OU you put
them in), they will still process this policy. Use the Default Domain
Controllers Policy to set
local policies for your domain controllers, e.g. Audit Policies,
Event Log settings, who can logon locally and so on.
Q14. How to restore Group Policy settings back to default?
The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both, to only restore one or the other.
> dcgpofix /target:Both
Note that this must be run from a domain controller in the target domain where you want to reset the GPO.
If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema, but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error since a new version of the schema and the dcgpofix utility was installed on dc1.
Resolving GPOs from Multiple Sources
Because GPOs can come from different sources to apply to a
single user or computer, there must be a way of determining how
those GPOs are combined. GPOs are processed in the following
order:
1. Local GPO The local GPO on the computer is processed and all
settings specified in that GPO are applied.
2. Site GPOs GPOs linked to the site in which the computer
resides are processed. Settings made at this level override any
conflicting settings made at the preceding level. If multiple GPOs
are linked to a site, the site administrator can control the order in
which those GPOs are processed.
3. Domain GPOs GPOs linked to the domain in which the
computer resides are processed and any settings are applied.
Settings made at the domain level override conflicting settings
applied at the local or site level. Again, the administrator can
control the processing order when multiple GPOs are linked to the
domain.
4. OU GPOs GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single
Q15. What are the two exceptions to control the inheritance of
the group policy?
■ No Override
When you link a GPO to a container, you can configure a No
Override option that prevents settings in the GPO from being
overridden by settings in GPOs linked to child containers. This
provides a way to force child containers to conform to a particular
policy.
■ Block Inheritance
You can configure the Block Inheritance option on a container to
prevent the container from inheriting GPO settings from its parent
containers. However, if a parent container has the No Override
option set, the child container cannot block inheritance from this
parent.
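To make the ordering rules in Q5, "Resolving GPOs from Multiple Sources" and Q15 concrete, here is an added PowerShell model (not part of the original document) that takes a constructed container hierarchy with linked GPOs and works out the apply order and the winning value for each setting, using the page's rules: LSDOU order, bottom-to-top link order within a container, Block Inheritance dropping parent links, and No Override links applied last so they cannot be overridden or blocked. The container names, GPO names and setting keys are invented; the assumption that a parent's No Override link is applied after a child's (so the outer container wins when both are enforced) is stated in the code.

```powershell
# Added example, not from the original document. A small model of Group Policy
# precedence; all containers, GPO names and settings below are constructed.

function New-GpoLink([string]$Gpo, [hashtable]$Settings, [switch]$NoOverride) {
    [pscustomobject]@{ Gpo = $Gpo; Settings = $Settings; NoOverride = [bool]$NoOverride }
}

function New-Container([string]$Name, [object[]]$Links = @(), [switch]$BlockInheritance) {
    # $Links is listed as on the Group Policy tab: the top entry is applied last and wins
    [pscustomobject]@{ Name = $Name; Links = @($Links); BlockInheritance = [bool]$BlockInheritance }
}

function Resolve-GpoSettings {
    # $Path runs from the Local GPO container down to the OU holding the object
    param([Parameter(Mandatory)][object[]]$Path)

    # Block Inheritance on a container drops normal links of every container above it.
    # The deepest block counts; the Local GPO (index 0) is always processed.
    $blockAt = -1
    for ($i = 0; $i -lt $Path.Count; $i++) { if ($Path[$i].BlockInheritance) { $blockAt = $i } }

    $normal   = @()
    $enforced = @{}      # level index -> links marked No Override at that level
    for ($i = 0; $i -lt $Path.Count; $i++) {
        $c = $Path[$i]
        # Bottom of the displayed list is applied first, so walk the list in reverse
        for ($j = $c.Links.Count - 1; $j -ge 0; $j--) {
            $l = $c.Links[$j]
            $entry = [pscustomobject]@{ Container = $c.Name; Gpo = $l.Gpo; Settings = $l.Settings }
            if ($l.NoOverride) {
                if (-not $enforced.ContainsKey($i)) { $enforced[$i] = @() }
                $enforced[$i] += $entry          # a child container cannot block this link
            } elseif ($i -eq 0 -or $i -ge $blockAt) {
                $normal += $entry
            }
        }
    }

    # No Override links are applied after everything else. Assumption: a parent's
    # No Override link is applied after a child's, so the outermost container wins.
    $order = $normal
    for ($i = $Path.Count - 1; $i -ge 0; $i--) {
        if ($enforced.ContainsKey($i)) { $order += $enforced[$i] }
    }

    # Settings are merged in apply order: the later value for a key wins
    $effective = @{}
    foreach ($e in $order) {
        foreach ($k in $e.Settings.Keys) {
            $effective[$k] = "$($e.Settings[$k])  <- $($e.Gpo) [$($e.Container)]"
        }
    }
    [pscustomobject]@{
        ApplyOrder = @($order | ForEach-Object { "$($_.Gpo) [$($_.Container)]" })
        Effective  = $effective
    }
}

# Constructed hierarchy, modelled on the Human Resources OU example above
$local  = New-Container 'Local' @(New-GpoLink 'Local GPO' @{ Wallpaper = 'Corporate'; ScreenSaver = 'On' })
$site   = New-Container 'Default-First-Site-Name'
$domain = New-Container 'corp.example' @(
    New-GpoLink 'Security Baseline' @{ ScreenSaver = 'On' } -NoOverride   # top of the list
    New-GpoLink 'Default Domain Policy' @{ WindowsUpdate = 'Allowed' }
)
$hr = New-Container 'Human Resources' @(
    New-GpoLink 'No Screen Saver'     @{ ScreenSaver = 'Off' }
    New-GpoLink 'No Display Settings' @{ DisplaySettings = 'Locked' }
    New-GpoLink 'No Windows Update'   @{ WindowsUpdate = 'Blocked' }
)
$interns = New-Container 'HR Interns' @(New-GpoLink 'Interns Desktop' @{ Wallpaper = 'Interns'; WindowsUpdate = 'Allowed' }) -BlockInheritance

$hrUser = Resolve-GpoSettings -Path @($local, $site, $domain, $hr)
$hrUser.ApplyOrder   # No Windows Update, No Display Settings, No Screen Saver, then Security Baseline
$hrUser.Effective    # ScreenSaver stays On: the No Override link beats the OU's 'No Screen Saver'

$intern = Resolve-GpoSettings -Path @($local, $site, $domain, $hr, $interns)
$intern.ApplyOrder   # Block Inheritance drops the HR and domain links, except the No Override one
```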
Q16. How to redirect new user and computer accounts?
By default, new user and computer accounts are created in the Users and Computers containers, respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircmp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base at http://support.microsoft.com.
Q17. What permissions should an administrator have to manage GPOs?
Editing GPOs linked to sites requires Enterprise Administrative permissions.
Editing GPOs linked to domains requires Domain Administrative permissions.
Editing GPOs linked to OUs requires permissions for the OU.
Q18. What is the client requirement for supporting GPOs?
For client computers to accept Group Policy settings, they must
be members of Active Directory. Support for Group Policy for key
operating systems includes the following:
■ Windows 95/98/Me do not support Group Policy.
■ Windows NT 4.0 and earlier versions do not support Group
Policy.
■ Windows 2000 Professional and Server support many of the
Group Policy settings available in Windows Server 2003, but not
all. Unsupported settings are ignored.
■ Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.
Operations Master Roles
When a change is made to a domain, the change is replicated across all of the domain controllers in the domain. Some changes, such as those made to the schema, are replicated across all of the domains in the forest. This replication is called multimaster replication.
During multimaster replication, a replication conflict can occur if originating updates are performed concurrently on the same object attribute on two domain controllers. To avoid replication conflicts, Active Directory uses single master replication, which designates one domain controller as the only domain controller on which certain directory changes can be made. This way, changes cannot occur at different places in the network at the same time. Active Directory uses single master replication for important changes, such as the addition of a new domain or a change to the forest-wide schema. Operations that use single-master replication are arranged together in specific roles in a forest or domain. These roles are called operations master roles. For each operations master role, only the domain controller that holds that role can make the associated directory changes. The domain controller that is responsible for a particular role is called an operations master for that role. Active Directory stores information about which domain controller holds a specific role.
Forest-wide Roles
Forest-wide roles are unique to a forest. The forest-wide roles are:
●Schema master
Controls all updates to the schema. The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers.
●Domain naming master
Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain. There is only one schema master and one domain naming master in the entire forest.
Domain-wide Roles
Domain-wide roles are unique to each domain in a forest. The domain-wide roles are:
●Primary domain controller emulator (PDC)
Acts as a Windows NT PDC to support any backup domain
controllers (BDCs) running Microsoft Windows® NT within a
mixed-mode domain. This type of domain has domain controllers
that run Windows NT 4.0. The PDC emulator is the first domain
controller that you create in a new domain.
●Relative identifier master (RID)
When a new object is created, the domain controller creates a
new security principal that represents the object and assigns the
object a unique security identifier (SID). This SID consists of a
domain SID, which is the same for all security principals created
in the domain, and a RID, which is unique for each security
principal created in the domain. The RID master allocates blocks
of RIDs to each domain controller in the domain. The domain
controller then assigns a RID to objects that are created from its
allocated block of RIDs.
●Infrastructure master
When objects are moved from one domain to another, the
infrastructure master updates object references in its domain that
point to the object in the other domain. The object reference
contains the object’s globally unique identifier (GUID),
distinguished name, and a SID. Active Directory periodically
updates the distinguished name and the SID on the object
reference to reflect changes made to the actual object, such as
moves within and between domains and the deletion of the
object.

The global catalog contains
●The attributes that are most frequently used in queries, such as
a user’s first name, last name, and logon name.
●The information that is necessary to determine the location of
any object in the directory.
●The access permissions for each object and attribute that is stored in the global catalog. If you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results. Access permissions ensure that users can find only objects to which they have been assigned access.
A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. Taking a user object as an example, it would by default have many different attributes such as first name, last name, phone number, and many more. The GC will by default only store the most common of those attributes that would be used in search operations (such as a user's first and last names, or login name, for example). The partial attributes that it has for that object are enough to allow a search for that object to locate the full replica of the object in Active Directory. This allows searches to be done against a local GC, and reduces network traffic over the WAN in an attempt to locate objects somewhere else in the network.
Domain Controllers always contain the full attribute list for objects
belonging to their domain. If the Domain Controller is also a GC, it
will also contain a partial replica of objects from all other domains
in the forest.
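As an added example (not code from the original page), the following PowerShell shows the difference in practice: it lists which schema attributes are in the partial attribute set, flags those that are additionally marked confidential, and compares the same user read from a GC on port 3268 with the full object read from a DC on port 389. It assumes the ActiveDirectory module is installed, that the host is joined to the forest, and that the server name dc01.contoso.com and the account jsmith are placeholders.

```powershell
# Added example, not from the original page. Assumed placeholders:
# dc01.contoso.com (a DC that is also a GC) and the user jsmith.
Import-Module ActiveDirectory

$gc   = 'dc01.contoso.com:3268'   # global catalog port: partial replica of every domain
$dc   = 'dc01.contoso.com'        # LDAP port 389: full replica of this domain only
$user = 'jsmith'                  # assumed sAMAccountName

# Attributes replicated to every GC carry isMemberOfPartialAttributeSet = TRUE
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$pas = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(isMemberOfPartialAttributeSet=TRUE)' `
        -Properties lDAPDisplayName, searchFlags
"{0} attributes are in the partial attribute set" -f @($pas).Count

# Bit 0x80 in searchFlags marks an attribute confidential: even when it is in
# the PAS, only principals granted CONTROL_ACCESS on the object can read it.
$pas | Where-Object { $_.searchFlags -band 0x80 } |
    Select-Object lDAPDisplayName, searchFlags

# Same user, two servers: the GC answers for any domain in the forest but
# returns only PAS attributes; the DC returns the full object for its domain.
$fromGc = Get-ADUser -Filter "sAMAccountName -eq '$user'" -Server $gc -Properties *
$fromDc = Get-ADUser -Filter "sAMAccountName -eq '$user'" -Server $dc -Properties *
$onlyOnDc = $fromDc.PropertyNames | Where-Object { $fromGc.PropertyNames -notcontains $_ }
"Attributes on the DC copy that the GC does not hold: $($onlyOnDc -join ', ')"
```

The practical consequence for a forest-wide query or an inventory script is that anything not in the PAS must be fetched with a second query against a DC in the object's own domain, and that adding an attribute to the PAS makes it readable from every GC in the forest, so check its searchFlags and ACLs first.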
Active Directory uses DNS as its name resolution service to locate
domains and domain controllers during processes such as logging on to
the network.
Just as a Windows NT 4.0 client queries WINS for the NetBIOS DOMAIN[1B]
record to locate the PDC, or the DOMAIN[1C] record to locate domain
controllers, a Windows 2000, Windows XP, or Windows Server 2003 client
queries DNS for SRV records to find a domain controller.
Integration of DNS and Active Directory
The integration of DNS and Active Directory is essential because a
client computer in a Windows 2000 network must be able to locate a
domain controller so that users can log on to a domain or use the
services that Active Directory provides. Clients locate domain
controllers and services by using SRV records and A resource records.
The SRV record maps a service name (for example, _ldap._tcp or
_kerberos._tcp) to the FQDN and port of a domain controller that
provides that service; the A resource record then maps the domain
controller's FQDN to its IP address.
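The lookup sequence just described, as an added PowerShell example rather than something from the original page: it queries the SRV names a Windows client uses under _msdcs, orders the answers by priority and weight the way the DC Locator does, resolves each target's A record, and cross-checks the result against nltest. The domain name contoso.com and the site name Default-First-Site-Name are placeholders.

```powershell
# Added example, not from the original page. Assumed placeholders:
# the domain contoso.com and the site Default-First-Site-Name.
$domain = 'contoso.com'
$site   = 'Default-First-Site-Name'

# SRV names a client queries: generic DC, DCs in its own site, KDCs, and GCs
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$site._sites.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_gc._tcp.$domain"                    # global catalog servers, port 3268
)

foreach ($name in $srvNames) {
    Write-Host "== $name"
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { Write-Warning "no SRV records for $name"; continue }

    # Lower priority wins; among equal priorities a higher weight is chosen more often
    $srv | Sort-Object Priority, @{Expression = 'Weight'; Descending = $true} |
      ForEach-Object {
        $addr = Resolve-DnsName -Name $_.NameTarget -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' } |
                Select-Object -ExpandProperty IPAddress
        '{0,-40} port {1,-5} prio {2} weight {3} -> {4}' -f `
            $_.NameTarget, $_.Port, $_.Priority, $_.Weight, ($addr -join ',')
      }
}

# The DC Locator's own answer, including the site it picked and the DC flags
nltest /dsgetdc:$domain /force
```

These SRV records are registered dynamically by the Netlogon service on each domain controller, so a host name in the output that is not a known domain controller means either a stale registration or a record someone else was able to write into the zone; that is the reason the dynamic-update setting of the zone matters (see the zone types below).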
What Are Active Directory Integrated Zones?
One benefit of integrating DNS and Active Directory is the ability to
store DNS zones in the Active Directory database. A zone is the portion
of the domain namespace for which a DNS server holds a logical grouping
of resource records; zone transfers copy those records as one unit.
Active Directory Integrated Zones
Microsoft DNS servers normally store the information used to resolve
host names to IP addresses, and IP addresses to host names, in a
database file with the extension .dns for each zone. Active Directory
integrated zones are primary zones that are stored as objects in the
Active Directory database instead. If the zone objects are stored in the
domain partition, they are replicated to all domain controllers in the
domain; on Windows Server 2003 they can instead be stored in the
DomainDnsZones or ForestDnsZones application partition, which replicates
only to the domain controllers that run DNS. Because the zone lives in
the directory, it can also be configured for secure dynamic updates, in
which only an authenticated computer can register or modify its own
records.
What Are DNS Zones?
A zone starts as a storage database for a single DNS domain
name. If other domains are added below the domain used to
create the zone, these domains can either be part of the same
zone or belong to another zone. Once a subdomain is added, it
can then either be:
●Managed and included as part of the original zone records, or
●Delegated away to another zone created to support the
subdomain
Types of Zones
There are two types of zones, forward lookup and reverse lookup.
Forward lookup zones contain information needed to resolve
names within the DNS domain. They must include SOA and NS
records and can include any type of resource record except the
PTR resource record. Reverse lookup zones contain information
needed to perform reverse lookups. They usually include SOA, NS,
PTR, and CNAME records.
With most queries, the client supplies a name and requests the IP
address that corresponds to that name. This type of query is
typically described as a forward lookup. Active Directory requires
forward lookup zones.
However, what if a client already has a computer's IP address and
wants to determine the DNS name for the computer? This is
important for programs that implement security based on the
connecting FQDN, and is used for TCP/IP network troubleshooting.
The DNS standard provides for this possibility through reverse
lookups.
Once you have installed Active Directory, you have two options
for storing your zones when operating the DNS server at the new
domain controller:
Standard Zone
Zones stored this way are located in .dns text files that are stored
in the %SystemRoot%\System32\Dns
folder on each computer operating a DNS server. Zone file names
correspond to the name you choose for the zone when creating it,
such as Example.microsoft.com.dns if the zone name was
example.microsoft.com
This type offers the choice of using either a Standard Primary
zone or a Standard Secondary zone.
Standard Primary Zone
For standard primary-type zones, only a single DNS server can
host and load the master copy of the zone. If you create a zone
and keep it as a standard primary zone, no additional primary
servers for the zone are permitted. Only one server is allowed to
accept dynamic updates, also known as DDNS, and process zone
changes. The standard primary model implies a single point of
failure.
Standard Secondary Zone
A secondary name server obtains the data for its zones from another
name server (either the primary name server or another secondary name
server) for that zone across the network. The data in a secondary zone
is read-only; updated information must arrive through further zone
transfers. The process of obtaining the zone data (the database file)
across the network is called a zone transfer, and it occurs over TCP
port 53. Secondary servers can offload query traffic in parts of the
network where a zone is heavily queried, and if the primary server is
down, a secondary server can continue to provide name resolution for
the zone until the primary is available again. Because a transfer hands
out the entire zone, restrict which hosts may request one; Windows DNS
can limit transfers to the servers listed in the zone's NS records or
to an explicit list of IP addresses.
Note
A Standard Primary zone will not replicate its information to any
other DNS servers, but may allow zone transfers to Secondary
zones. Win2003 also supports stub zones. A secondary or stub
zone cannot be hosted on a DNS server that hosts a primary zone
for the same domain name.
Directory-integrated Zone
Zones stored this way are located in the Active Directory tree under
the domain object container (on Windows 2000, in CN=MicrosoftDNS,
CN=System of the domain partition). Each directory-integrated zone is
stored in a dnsZone container object identified by the name you chose
for the zone when creating it, with one dnsNode object per record name
beneath it. Active Directory integrated zones replicate this
information to the other domain controllers in the domain as part of
normal directory replication.
Note
If DNS is running on a Windows 2000 server that is not a domain
controller, it cannot use Active Directory integrated zones or
replicate with domain controllers, because it does not have Active
Directory installed. Such a server can hold only a standard secondary
copy of the zone.
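The two zone settings that matter most from a security standpoint are who may pull a zone transfer and who may write dynamic updates. As an added example (not from the original page), the following PowerShell audits every primary zone on a Windows DNS server for both and shows the corrective setting for one zone. It assumes the DnsServer PowerShell module (Windows Server 2012 or later), a server named dns01.contoso.com, and an AD-integrated zone named contoso.com with a secondary at 10.0.0.53; all of these are placeholders.

```powershell
# Added example, not from the original page. Assumed placeholders:
# the DNS server dns01.contoso.com, the zone contoso.com, the secondary 10.0.0.53.
Import-Module DnsServer
$server = 'dns01.contoso.com'

Get-DnsServerZone -ComputerName $server |
  Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
  ForEach-Object {
    $findings = @()
    # AXFR over TCP 53 hands the whole zone to any host unless restricted
    if ($_.SecureSecondaries -eq 'TransferAnyServer') {
        $findings += 'zone transfer allowed to any host'
    }
    # Non-secure dynamic updates let any host overwrite records, including
    # the SRV records clients use to find domain controllers
    if ($_.DynamicUpdate -eq 'NonsecureAndSecure') {
        $findings += 'non-secure dynamic updates accepted'
    }
    [pscustomobject]@{
        Zone      = $_.ZoneName
        Storage   = if ($_.IsDsIntegrated) { "AD ($($_.ReplicationScope))" } else { 'file (.dns)' }
        Transfers = $_.SecureSecondaries
        Updates   = $_.DynamicUpdate
        Findings  = $findings -join '; '
    }
  } | Format-Table -AutoSize

# Remediation for one AD-integrated zone: transfers only to listed secondaries,
# and only secure (Kerberos-authenticated) dynamic updates. The Secure setting
# is available only for directory-integrated zones.
Set-DnsServerPrimaryZone -ComputerName $server -Name 'contoso.com' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers 10.0.0.53 `
    -DynamicUpdate Secure
```

A file-backed standard primary zone cannot use the Secure update mode, so the choice between "None" and "NonsecureAndSecure" on such a zone is itself a finding: if clients and domain controllers must register records dynamically, the zone should be directory-integrated.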
DNS Records
After you create a zone, additional resource records need to be
added to it. The most common resource records (RRs) to be added are
listed in Table 1.
Table 1. Record Types
Host (A): Maps a DNS domain name to the IP address used by a computer.
Alias (CNAME): Maps an alias DNS domain name to another primary, or
canonical, name.
Mail Exchanger (MX): Maps a DNS domain name to the name of a computer
that exchanges or forwards mail for that domain.
Pointer (PTR): Maps a reverse DNS domain name, based on the IP address
of a computer, to the forward DNS domain name of that computer.
Service location (SRV): Maps a DNS domain name to a list of DNS host
computers that offer a specific type of service, such as Active
Directory domain controllers.
Technical Interview Questions – Active Directory
• What is Active Directory?
• What is LDAP?
• Can you connect Active Directory to other 3rd-party Directory Services? Name a few
options.
• Where is the AD database held? What other folders are related to AD?
• What is the SYSVOL folder?
• Name the AD NCs and replication issues for each NC
• What are application partitions? When do I use them
• How do you create a new application partition
• How do you view replication properties for AD partitions and DCs?
• What is the Global Catalog?
• How do you view all the GCs in the forest?
• Why not make all DCs in a large forest as GCs?
• Trying to look at the Schema, how can I do that?
• What are the Support Tools? Why do I need them?
• What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is
REPADMIN?
• What are sites? What are they used for?
• What's the difference between a site link's schedule and interval?
• What is the KCC?
• What is the ISTG? Who has that role by default?
• What are the requirements for installing AD on a new server?
• What can you do to promote a server to DC if you're in a remote location with slow
WAN link?
• How can you forcibly remove AD from a server, and what do you do later?
• Can I get user passwords from the AD database?
• What tool would I use to try to grab security related packets from the wire?
• Name some OU design considerations.
• What is tombstone lifetime attribute?
• What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
• What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
• How would you find all users that have not logged on since last month?
• What are the DS* commands?
• What's the difference between LDIFDE and CSVDE? Usage considerations?
• What are the FSMO roles? Who has them by default? What happens when each one
fails?
• What FSMO placement considerations do you know of?
• I want to look at the RID allocation table for a DC. What do I do?
• What's the difference between transferring a FSMO role and seizing one? Which one
should you NOT seize? Why?
• How do you configure a "stand-by operation master" for any of the roles?
• How do you backup AD?
• How do you restore AD?
• How do you change the DS Restore admin password?
• Why can't you restore a DC that was backed up 4 months ago?
• What are GPOs?
• What is the order in which GPOs are applied?
• Name a few benefits of using GPMC.
• What are the GPC and the GPT? Where can I find them?
• What are GPO links? What special things can I do to them?
• What can I do to prevent inheritance from above?
• How can I override blocking of inheritance?
• How can you determine what GPO was and was not applied for a user? Name a few
ways to do that.
• A user claims he did not receive a GPO, yet his user and computer accounts are in
the right OU, and everyone else there gets the GPO. What will you look for?
• Name a few differences in Vista GPOs
• Name some GPO settings in the computer and user parts.
• What are administrative templates?
• What's the difference between software publishing and assigning?
• Can I deploy non-MSI software with GPO?
• You want to standardize the desktop environments (wallpaper, My Documents, Start
menu, printers etc.) on the computers in one department. How would you do that?

RELATED TOPICS

• A Word about Working with GPOs and Terminal Servers
• Active Directory Client (dsclient) for Win98/NT
• Active Directory Installation Requirements
• Active Directory Migration Tool
• Active Directory Migration Tool Usage NT -> Windows 2000
• Active Directory Migration Tool Usage NT -> Windows 2003
• Active Directory Migration Tool Usage Windows 2000 -> Windows 2003
• Active Directory Offline Defragmentation
• Active Directory Restore Mode Trick
• Active Directory Search Limit
• Active Directory Sizer Tool
• Active Directory SRV Records
• Active Directory Training Labs
• Add Additional Attributes to the User Objects
• Add Unlock User Option to Active Directory Users and Computers
• Add User Account Information to Active Directory Users and Computers
• Adding New Administrative Templates to a GPO
• Administer Windows 2000/2003 Domain from Windows XP
• Anonymous LDAP operations in Windows 2003 AD
• Basic Active Directory Services Interface (ADSI) Scripting
• Change Recovery Console Password
• Change Directory Services Restore Mode Password
• Configure a New Global Catalog
• Control Active Directory Intrasite Replication Interval
• Controlling IE cache size via GPO
• Create Taskpads for Active Directory Operations
• Create Users for Testing Purposes
• Creating a trust relationship between two Small Business Server 2000/2003 domains
• Delete Failed DCs from Active Directory
• Determining FSMO Role Holders
• Disable Active Directory Circular Logging
• Disable Password Requirements in Windows Server 2003 Domains
• Editing Additional Attributes of User Objects
• Event logs archiving with GPO
• First DC in Domain Problem
• Fix an Unsuccessful DC Demotion
• Forcibly Removing Active Directory from a DC
• Groups in Active Directory - Hebrew
• How to Install Active Directory on Windows 2000
• How to Install Active Directory on Windows 2000 (for idiots)
• How to Install Active Directory on Windows 2003
• How to Install a Replica DC in an Existing AD Domain on Windows 2000
• How to Install a Replica DC in an Existing AD Domain on Windows Server 2003
• Import Saved Queries in Windows Server 2003 AD Users & Computers
• Install DC from Media in Windows Server 2003
• Joining a Domain in Windows XP Pro
• LDAP Search Samples for Windows Server 2003 and Exchange 2000/2003
• List all Users and Groups in Domain
• Load Balancing on Windows 2000/2003 DC after Upgrading from NT
• MCSE and System Administrator Job Interview Questions - Part 2 - Active Directory
• Planning FSMO Roles in Active Directory
• Raise Domain Function Level in Windows Server 2003 Domains
• Raise Forest Function Level in Windows Server 2003 Active Directory
• Require Windows 98 Clients to Logon to the Domain
• Requirements when Joining a Domain
• Saved Queries in Windows Server 2003 AD Users & Computers
• Seizing FSMO Roles
• Transferring FSMO Roles
• Tracking Change Replications in AD using Repadmin.exe
• Troubleshooting Dcpromo Errors
• Unable to Logon to Windows 2003 Domain Due to Windows Cannot Connect to the
Domain Error
• Unattended Installation of Active Directory
• Understanding Active Directory Schema
• Understanding Administrative Templates in GPO
• Understanding FSMO Roles in Active Directory
• Understanding Function Levels in Windows Server 2003 Active Directory
• Upgrade Windows 2000 GPO with XP Features
• View Additional User Information in AD Users and Computers
• What's New in Windows Server 2003 Active Directory?
• Windows 2000 Domain Rename
• Windows 2003 ADPrep
• Windows 2003 ADPrep Fix for Exchange 2000
• Windows 2003 Domain Controller Rename
• Windows 2003 Domain Rename
• Working with Group Policy

Understanding Active Directory Schema?

Windows 2000 and Windows Server 2003 Active Directory uses a set of
database rules called the "Schema". The Schema is defined as the formal
definition of all object classes, and the attributes that make up those
object classes, that can be stored in the directory. As mentioned
earlier, the Active Directory database includes a default Schema, which
defines many object classes, such as users, groups, computers, domains,
organizational units, and so on. These object types are also known as
"classes". The Active Directory Schema is dynamically extensible,
meaning that you can modify the schema by defining new object classes
and their attributes and by adding new attributes to existing classes.
You can do this either with the Active Directory Schema MMC snap-in
included with Windows 2000/2003 Server, or programmatically. Schema
changes are written only on the schema master (see the FSMO roles
below), require membership in the Schema Admins group, and cannot be
undone: a class or attribute can be deactivated (made defunct) but not
deleted, so test extensions in a lab forest first.

Understanding FSMO Roles in Active Directory?

Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active Directory, provides the flexibility of
allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of
conflicts that can potentially lead to problems once the data is replicated to the rest of the
enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict
resolution algorithm handle discrepancies in values by resolving to the DC to which changes
were written last (that is, "the last writer wins"), while discarding the changes in all other DCs.
Although this resolution method may be acceptable in some cases, there are times when conflicts
are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to
prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting
Active Directory updates from occurring.
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to
certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process updates. This
is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows
(such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates
in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The
five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once
the Schema update is complete, it is replicated from the schema master to all other DCs in the
directory. To update the schema of a forest, you must have access to the schema master. There
can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the
forest. This DC is the only one that can add or remove a domain from the directory. It can also
add or remove cross references to domains in external directories. There can be only one domain
naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents
the reference by the GUID, the SID (for references to security principals), and the DN of the
object being referenced. The infrastructure FSMO role holder is the DC responsible for updating
an object's SID and distinguished name in a cross-domain object reference. At any one time,
there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a
Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will
stop updating object information because it does not contain any references to objects that it does
not hold. This is because a Global Catalog server holds a partial replica of every object in the
forest. As a result, cross-domain object references in that domain will not be updated and a
warning to that effect will be logged on that DC's event log. If all the domain controllers in a
domain also host the global catalog, all the domain controllers have the current data, and it is not
important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same
for all SIDs created in a domain), and a relative ID (RID) that is unique for each security
principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is
allowed to assign to the security principals it creates. When a DC's allocated RID pool falls
below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The
domain RID master responds to the request by retrieving RIDs from the domain's unallocated
RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only
one domain controller acting as the RID master in the domain.
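The SID layout and the RID pools described above can be inspected directly; this is also the answer to the "RID allocation table" interview question later on the page. The following PowerShell is an added example, not code from the original page: it splits a SID into its domain SID and RID, then decodes the pool attributes on the RID master and on one domain controller. It assumes the ActiveDirectory module and a DC named DC01 (a placeholder); the packed-value layout (low 32 bits = start, high 32 bits = end) is how Windows stores these attributes.

```powershell
# Added example, not from the original page. Assumed placeholder: DC01.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$dcName = 'DC01'   # assumed DC whose RID Set is inspected

# A SID is the domain SID plus one relative ID; the RID is the last sub-authority.
function Split-Sid([string]$SidString) {
    $sid = [System.Security.Principal.SecurityIdentifier]$SidString
    $rid = [int](($SidString -split '-')[-1])
    # Well-known RIDs that matter in detection work (519 exists in the forest root only)
    $wellKnown = @{ 500 = 'Administrator'; 502 = 'krbtgt'; 512 = 'Domain Admins'; 519 = 'Enterprise Admins' }
    [pscustomobject]@{
        DomainSid = $sid.AccountDomainSid.Value
        Rid       = $rid
        WellKnown = $wellKnown[$rid]
    }
}
# The built-in Administrator keeps RID 500 no matter what it has been renamed to
Split-Sid "$($domain.DomainSID.Value)-500"

# Pool attributes pack two 32-bit numbers into one 64-bit value:
# low half = first RID of the range, high half = last RID of the range.
function ConvertFrom-RidPool([int64]$Packed) {
    [pscustomobject]@{ Start = $Packed -band 0xFFFFFFFF; End = $Packed -shr 32 }
}

# Domain-wide pool, held on the RID master: CN=RID Manager$,CN=System,<domain>
$mgr = Get-ADObject "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
         -Server $domain.RIDMaster -Properties rIDAvailablePool
$avail = ConvertFrom-RidPool $mgr.rIDAvailablePool
"RID master {0}: next pool starts at {1}, ceiling {2}, {3} RIDs left in the domain" -f `
    $domain.RIDMaster, $avail.Start, $avail.End, ($avail.End - $avail.Start)

# Per-DC pools: the RID Set object under the DC's computer object
$ridSet = Get-ADObject "CN=RID Set,CN=$dcName,OU=Domain Controllers,$($domain.DistinguishedName)" `
            -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
$cur  = ConvertFrom-RidPool $ridSet.rIDAllocationPool
$prev = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool
"{0}: allocated pool {1}-{2}, pool in use {3}-{4}, rIDNextRID {5}" -f `
    $dcName, $cur.Start, $cur.End, $prev.Start, $prev.End, $ridSet.rIDNextRID

# Built-in equivalent that also checks the RID master is reachable:
dcdiag /test:ridmanager /v
```

A domain whose RID master is unreachable keeps working until each DC exhausts its local pool, which is why the loss is often noticed late; the "RIDs left" figure is also worth tracking, since the domain-wide pool is finite and a runaway account-creation script consumes it permanently.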
PDC Emulator:
The PDC emulator is also the root of the time hierarchy in the enterprise. Windows 2000/2003
includes the W32Time (Windows Time) service, which the Kerberos authentication protocol depends
on: tickets and authenticators carry timestamps, and authentication fails when a client's clock
differs from the domain controller's by more than the permitted skew (five minutes by default).
All Windows 2000/2003-based computers within an enterprise therefore need a common time, and the
time service enforces a hierarchy of authority, without loops, so that every computer ultimately
takes its time from the same source.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of
the forest becomes authoritative for the enterprise, and should be configured to gather the time
from an external source. All PDC FSMO role holders follow the hierarchy of domains in the
selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
• Password changes performed by other DCs in the domain are replicated preferentially to
the PDC emulator.
• Authentication failures that occur at a given DC in a domain because of an incorrect
password are forwarded to the PDC emulator before a bad password failure message is
reported to the user.
• Account lockout is processed on the PDC emulator.
• Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy
found in the PDC Emulator's SYSVOL share, unless configured not to do so by the
administrator.
• The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0
Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers,
and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows
2000/2003. The PDC emulator still performs the other functions as described in a Windows
2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator master in
each domain in the forest.
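As an added example (not code from the original page), the following PowerShell lists the five role holders for every domain in the forest, applies the infrastructure master rule from the note above (an IM on a GC is harmless only when every DC in the domain is a GC), and shows where the forest root PDC emulator obtains its time. It assumes the ActiveDirectory module and a reachable forest; it assumes no other names.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module.
Import-Module ActiveDirectory
$forest = Get-ADForest

# Forest-wide roles: one holder each for the whole forest
"Schema master       : $($forest.SchemaMaster)"
"Domain naming master: $($forest.DomainNamingMaster)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "--- $domainName"
    "PDC emulator         : $($domain.PDCEmulator)"
    "RID master           : $($domain.RIDMaster)"
    "Infrastructure master: $($domain.InfrastructureMaster)"

    # Infrastructure master check: a GC never sees a phantom it needs to update,
    # so the IM on a GC only works when every DC already holds the GC data.
    $dcs   = Get-ADDomainController -Filter * -Server $domainName
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $imDc  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    if ($imDc.IsGlobalCatalog -and -not $allGc) {
        Write-Warning ("{0}: infrastructure master {1} is a GC but not all DCs are; " +
                       "cross-domain references in this domain will not be updated") -f $domainName, $imDc.HostName
    }
}

# The forest root PDC emulator should take time from an external source (Type: NTP),
# not from the domain hierarchy (Type: NT5DS) that everything else follows.
$rootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
Invoke-Command -ComputerName $rootPdc -ScriptBlock {
    w32tm /query /source
    w32tm /query /configuration | Select-String 'Type'
}

# Legacy one-liner that works on Windows Server 2003 as well
netdom query fsmo
```

Run this after any role seizure as well: a seized role that the old holder still believes it owns is exactly the duplicate-master situation the single-master model exists to prevent, and the old holder must never be brought back online without being demoted first.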

Understanding Function Levels in Windows Server 2003 Active Directory?

Functional levels are an extension of the mixed/native mode concept introduced in Windows
2000 to activate new Active Directory features after all the domain controllers in the domain or
forest are running the Windows Server 2003 operating system.
When a computer that is running Windows Server 2003 is installed and promoted to a domain
controller, new Active Directory features are activated by the Windows Server 2003 operating
system over its Windows 2000 counterparts. Additional Active Directory features are available
when all domain controllers in a domain or forest are running Windows Server 2003 and the
administrator activates the corresponding functional level in the domain or forest.
To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2003. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2003 (read Raise Domain Function Level in Windows
Server 2003 Domains for more info).
To activate new forest-wide features, all domain controllers in the forest must be running
Windows Server 2003, and every domain in the forest must already be at the Windows 2000 native or
Windows Server 2003 domain functional level. After these requirements are met, the administrator
can raise the forest functional level (read Raise Forest Function Level in Windows Server 2003
Active Directory for more info).
Note: Network clients can authenticate or access resources in the domain or forest without being
affected by the Windows Server 2003 domain or forest functional levels. These levels only affect
the way that domain controllers interact with each other.
Important
Raising the domain and forest functional levels to Windows Server 2003 is a
nonreversible task and prohibits the addition of Windows NT 4.0–based or
Windows 2000–based domain controllers to the environment. Any existing
Windows NT 4.0 or Windows 2000–based domain controllers in the
environment will no longer function. Before raising functional levels to take
advantage of advanced Windows Server 2003 features, ensure that you will
never need to install domain controllers running Windows NT 4.0 or
Windows 2000 in your environment.
When the first Windows Server 2003–based domain controller is deployed in a domain or forest,
a set of default Active Directory features becomes available. The following table summarizes the
Active Directory features that are available by default on any domain controller running
Windows Server 2003:
Feature and functionality:
• Multiple selection of user objects: Allows you to modify common attributes of multiple user
objects at one time.
• Drag and drop functionality: Allows you to move Active Directory objects from container to
container by dragging one or more objects to a location in the domain hierarchy. You can also
add objects to group membership lists by dragging one or more objects (including other group
objects) to the target group.
• Efficient search capabilities: Search functionality is object-oriented and provides an
efficient search that minimizes network traffic associated with browsing objects.
• Saved queries: Allows you to save commonly used search parameters for reuse in Active
Directory Users and Computers.
• Active Directory command-line tools: Allows you to run new directory service commands for
administration scenarios.
• InetOrgPerson class: The inetOrgPerson class has been added to the base schema as a security
principal and can be used in the same manner as the user class.
• Application directory partitions: Allows you to configure the replication scope for
application-specific data among domain controllers. For example, you can control the replication
scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific
domain controllers in the forest participate in DNS zone replication.
• Ability to add additional domain controllers by using backup media: Reduces the time it takes
to add an additional domain controller in an existing domain by using backup media.
• Universal group membership caching: Prevents the need to locate a global catalog across a wide
area network (WAN) when logging on by storing universal group membership information on an
authenticating domain controller.
• Secure Lightweight Directory Access Protocol (LDAP) traffic: Active Directory administrative
tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the
packaged data comes from a known source and that it has not been tampered with.
• Partial synchronization of the global catalog: Provides improved replication of the global
catalog when schema changes add attributes to the global catalog partial attribute set. Only the
new attributes are replicated, not the entire global catalog.
• Active Directory quotas: Quotas can be specified in Active Directory to control the number of
objects a user, group, or computer can own in a given directory partition. Members of the Domain
Administrators and Enterprise Administrators groups are exempt from quotas.
When the first Windows Server 2003–based domain controller is deployed in a domain or forest,
the domain or forest operates by default at the lowest functional level that is possible in that
environment. This allows you to take advantage of the default Active Directory features while
running versions of Windows earlier than Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced features becomes
available. For example, the Windows Server 2003 interim forest functional level supports more
features than the Windows 2000 forest functional level, but fewer features than the Windows
Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level
that is available for a domain or forest. The Windows Server 2003 functional level supports the
most advanced Active Directory features; however, only Windows Server 2003 domain
controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any
domain controllers that are running versions of Windows earlier than Windows Server 2003 into
that domain. This applies to the forest functional level as well.
Domain Functional Level
Domain functionality activates features that affect the whole domain and that domain only. The
four domain functional levels, their corresponding features, and supported domain controllers are
as follows:
Windows 2000 mixed (Default)
• Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows
Server 2003
• Activated features: local and global groups, global catalog support
Windows 2000 native
• Supported domain controllers: Windows 2000, Windows Server 2003
• Activated features: group nesting, universal groups, SidHistory, converting groups
between security groups and distribution groups, you can raise domain levels by
increasing the forest level settings
Windows Server 2003 interim
• Supported domain controllers: Windows NT 4.0, Windows Server 2003
• Supported features: There are no domain-wide features activated at this level. All
domains in a forest are automatically raised to this level when the forest level increases to
interim. This mode is only used when you upgrade domain controllers in Windows NT
4.0 domains to Windows Server 2003 domain controllers.
Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Supported features: domain controller rename, logon timestamp attribute updated and
replicated. User password support on the InetOrgPerson objectClass. Constrained
delegation, you can redirect the Users and Computers containers.
Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows
Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows
2000 domains maintain their current domain functional level when Windows 2000 domain
controllers are upgraded to the Windows Server 2003 operating system. You can raise the
domain functional level to either Windows 2000 native or Windows Server 2003.
After the domain functional level is raised, domain controllers that are running earlier operating
systems cannot be introduced into the domain. For example, if you raise the domain functional
level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot
be added to that domain.
Note that with each successive level increase, the feature set of the previous level is
included.
Forest Functional Level
Forest functionality activates features across all the domains in your forest. Three forest
functional levels, the corresponding features, and their supported domain controllers are listed
below.
Windows 2000 (default)
• Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
• New features: Partial list includes universal group caching, application partitions, install
from media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access
Control Lists (SACL) in the Jet Database Engine, improved topology generation event logging, no
global catalog full sync when attributes are added to the PAS, and a Windows Server 2003 domain
controller assuming the Intersite Topology Generator (ISTG) role.
Windows Server 2003 interim
• Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the
"Upgrade from a Windows NT 4.0 Domain" section of this article.
• Activated features: Windows 2000 features plus Efficient Group Member Replication
using Linked Value Replication, Improved Replication Topology Generation. ISTG
Aliveness no longer replicated. Attributes added to the global catalog:
ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner,
Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source,
Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit.
Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Activated features: all features in Interim Level, Defunct schema objects, Cross Forest
Trust, Domain Rename, Dynamic auxiliary classes, InetOrgPerson objectClass change,
Application Groups, 15-second intrasite replication frequency for Windows Server 2003
domain controllers upgraded from Windows 2000
After the forest functional level is raised, domain controllers that are running earlier operating
systems cannot be introduced into the forest. For example, if you raise forest functional levels to
Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000
Server cannot be added to the forest.

Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels?
In Windows Server 2003, functional levels were an extension of the older
mixed/native mode concept introduced in Windows 2000. In Windows Server 2008
this was further extended to include new features and benefits, and functional levels
are used to activate new Active Directory features after all the Domain Controllers (DCs) in
the domain or forest are running Windows Server 2008 operating systems. Functional
levels determine the features of Active Directory Domain Services (AD DS) that are
enabled in a domain or forest.
When the first Windows Server 2008–based Domain Controller is deployed in a domain or
forest, the domain or forest operates by default at the lowest functional level that is possible in
that environment, meaning Windows 2000 Native Mode. This allows you to take advantage of
the default Active Directory features while running versions of Windows earlier than Windows
Server 2008. When you raise the functional level of a domain or forest, a set of advanced
features becomes available.
After the domain functional level is raised, DCs that are running earlier operating systems cannot
be introduced into the domain. For example, if you raise the domain functional level to Windows
Server 2008, Domain Controllers that are running Windows Server 2003 cannot be added to that
domain.
Unless you still have old NT 4.0 BDCs there's no reason for staying in Mixed Mode, and as you
already know, Windows Server 2008 does not support NT 4.0 BDCs, so if you are still using
them and planning to upgrade your Active Directory to Windows Server 2008, re-think your
strategy.
As for Windows 2000 Native Mode, unless you still have Windows 2000 Domain Controllers,
again, there's no reason for staying in that function level. However, if you still do, remember that
Windows Server 2008 only supports Windows 2000 SP4 domain controllers. Be sure to have SP4
on all your Windows 2000 DCs.
You can read my "What are the domain and forest function levels in a Windows Server 2003-
based Active Directory?" article for more info about that.
Note: Network clients can authenticate or access resources in the domain or forest without being
affected by the Windows Server 2003 or Windows Server 2008 domain or forest functional
levels. These levels only affect the way that domain controllers interact with each other.
However, be aware of the fact that regardless of the domain or forest functional level, servers
running Windows NT Server 4.0 are NOT supported by domain controllers that are running
Windows Server 2008, meaning you MUST have additional DCs running Windows 2000/2003 to
support older NT 4.0 servers.
For more information about Windows Server 2008 Active Directory requirements, please read
my "Active Directory on Windows Server 2008 Requirements" article.
Read my "Raising Windows Server 2008 Active Directory Domain and Forest Functional
Levels" article for information on how to actually raise the domain and forest function levels.
Domain Function Levels
To activate a new domain function level, all DCs in the domain must be running the right
operating system. After this requirement is met, the administrator can raise the domain functional
level. Here's a list of the domain function levels available in Windows Server 2008:
Windows 2000 Native Mode
This is the default function level for new Windows Server 2008 Active Directory domains.
Supported Domain controllers – Windows 2000, Windows Server 2003, Windows Server
2008.
Features and benefits:
• Group nesting – Unlike Windows NT 4.0, allows placing of a group of one scope as a
member of another group of the same scope.
• Universal security groups – Allows usage of Universal security type groups.
• SidHistory – Enables usage of SidHistory when migrating objects between domains.
• Converting groups between security groups and distribution groups – Unlike
Windows NT 4.0, allows converting of a group type into another group type (with some
limitations).
Windows Server 2003 Mode
To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2003. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2003. Read my "Raise Domain Function Level in Windows
Server 2003 Domains" article for more info about that.
Supported Domain controllers – Windows Server 2003, Windows Server 2008.
Features and benefits include all default Active Directory features, all features from the
Windows 2000 native domain functional level, plus:
• Universal group caching – Windows Server 2003 functional level supports Universal
group caching, which eliminates the need for a local global catalog server.
• Domain Controller rename – By using the NETDOM command.
• Logon time stamp update – The lastLogonTimestamp attribute will be updated with the
last logon time of the user or computer. This attribute is replicated within the domain.
• Multivalued attribute replication improvements – Allows incremental membership
changes, which in turn enables having more than 5000 members in a group and better
replication capabilities.
• Lingering objects (zombies) detection – Windows Server 2003 has the ability to detect
zombies, or lingering objects.
• AD-integrated DNS zones in application partitions – This allows storing of DNS data
in AD application partition for more efficient replication.
• Users and Computers containers can be redirected – This allows the redirection of the
default location of new users and computers (by using the REDIRUSR and REDIRCMP
commands).
• Support for selective authentication – Makes it possible to specify the users and groups
from a trusted forest who are allowed to authenticate to resource servers in a trusting
forest.
Windows Server 2008 Mode
To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2008. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2008.

Important

Raising the domain and forest functional levels to Windows Server 2008 is a
nonreversible task and prohibits the addition of Windows 2000–based or
Windows Server 2003–based Domain Controllers to the environment. Any
existing Windows 2000–based or Windows Server 2003–based Domain
Controllers in the environment will no longer function, and in fact, the
upgrading wizard will not allow you to continue with the operation. Before
raising functional levels to take advantage of advanced Windows Server
2008 features, ensure that you will never need to install domain controllers
running Windows 2000-based or Windows Server 2003–based Domain
Controllers in your environment.

Supported Domain controllers – Windows Server 2008.


Features and benefits include all default Active Directory features, all features from the
Windows Server 2003 domain functional level, plus:
• Fine-grained password policies – Allows multiple password polices to be applied to
different users in the same domain.
• Read-Only Domain Controllers – Allows implementation of domain controllers that
only host a read-only copy of the NTDS database.
• Advanced Encryption Standard – (AES 128 and 256) support for the Kerberos protocol.
• Granular auditing – Allows history of object changes in Active Directory.
• Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using
DFSR instead of older File Replication Service (FRS). It provides more robust and
detailed replication of SYSVOL contents.
• Last Interactive Logon Information – Displays the time of the last successful
interactive logon for a user, from what workstation, and the number of failed logon
attempts since the last logon.
Forest function levels
Forest functionality activates features across all the domains in your forest. To activate a new
forest function level, all the domains in the forest must be running the right operating system and
be set to the right domain function level. After this requirement is met, the administrator can
raise the forest functional level. Here's a list of the forest function levels available in
Windows Server 2008:
Windows 2000 forest function level
This is the default setting for new Windows Server 2008 Active Directory forests.
Supported Domain controllers in all domains in the forest – Windows 2000, Windows Server
2003, Windows Server 2008.
Windows Server 2003 forest function level
To activate new forest-wide features, all domain controllers in the forest must be running
Windows Server 2003. Read my "Raise Forest Function Level in Windows Server 2003 Active
Directory" article for more info about that.
Supported Domain controllers in all domains in the forest – Windows Server 2003, Windows
Server 2008.
Features and benefits include all default Active Directory features, plus the following features:
• Forest trust.
• Domain rename.
• Linked-value replication – Changes group membership to store and replicate values
for individual members instead of replicating the entire membership as a single unit.
• Deployment of an RODC.
• Intersite topology generator (ISTG) improvements – Supports a more efficient ISTG
algorithm that allows support for extremely large numbers of sites.
• The ability to create instances of the dynamicObject dynamic auxiliary class.
• The ability to convert an inetOrgPerson object instance into a User object instance,
and the reverse.
• The ability to create instances of the new group types, called application basic
groups and Lightweight Directory Access Protocol (LDAP) query groups, to
support role-based authorization.
• Deactivation and redefinition of attributes and classes in the schema.
Windows Server 2008 forest function level
To activate new forest-wide features, all domain controllers in the forest must be running
Windows Server 2008. Read my "Raising Windows Server 2008 Active Directory Domain and
Forest Functional Levels" article for more info about that.
Supported Domain controllers in all domains in the forest – Windows Server 2008.
Features and benefits include all of the features that are available at the Windows Server 2003
forest functional level, but no additional features. All domains that are subsequently added to
the forest will operate at the Windows Server 2008 domain functional level by default.

What’s New in Windows Server 2003 Active Directory?


by Daniel Petri - January 8, 2009

The Active Directory service is an essential and inseparable part of the Windows Server 2003
network architecture that provides a directory service designed for distributed networking
environments. Active Directory provides a single point of management for Windows-based user
accounts, clients, servers, and applications. It also helps organizations integrate systems not
using Windows with Windows-based applications and Windows-compatible devices, thus
consolidating directories and easing management of the entire network operating system.
Companies can also use Active Directory to extend systems securely to the Internet. Active
Directory thus increases the value of an organization's existing network investments and lowers
the overall costs of computing by making the Windows network operating system more
manageable, secure, and interoperable.
Active Directory plays such an important role in managing the network, that as you prepare to
move to Windows Server 2003, it is helpful to review the new features of the Active Directory
service.
New Active Directory Features
With the new Active Directory features in Standard Edition, Enterprise Edition, and Datacenter
Edition, more efficient administration of Active Directory is available to you.
New features can be divided into those available on any domain controller running Windows
Server 2003, and those available only when all domain controllers of a domain or forest are
running Windows Server 2003.
Features Available If Any Domain Controller Is Running
Windows Server 2003
The following list summarizes the Active Directory features that are enabled by default on any
domain controller running Windows Server 2003.
• Multiple selection of user objects. Modify common attributes of multiple
user objects at one time.
• Drag-and-drop functionality. Move Active Directory objects from container
to container by dragging and dropping one or more objects to a desired
location in the domain hierarchy. You can also add objects to group
membership lists by dragging and dropping one or more objects (including
other group objects) onto the target group.
• Efficient search capabilities. Search functionality is object-oriented and
provides an efficient browse-less search that minimizes network traffic
associated with browsing objects.
• Saved queries. Save commonly used search parameters for reuse in Active
Directory Users and Computers.
• Active Directory command-line tools. Run new directory service
commands for administration scenarios.
• Selective class creation. Create instances of specified classes in the base
schema of a Windows Server 2003 forest. You can create instances of several
common classes, including: country or region, person, organizationalPerson,
groupOfNames, device, and certificationAuthority.
• InetOrgPerson class. The inetOrgPerson class has been added to the base
schema as a security principal and can be used in the same manner as the
user class. The userPassword attribute can also be used to set the account
password.
• Application directory partitions. Configure the replication scope for
application-specific data among domain controllers running Standard Edition,
Enterprise Edition, and Datacenter Edition. For example, you can control the
replication scope of Domain Name System (DNS) zone data stored in Active
Directory so that only specific domain controllers in the forest participate in
DNS zone replication.
• Add additional domain controllers to existing domains using backup
media. Reduce the time it takes to add an additional domain controller in an
existing domain by using backup media.
• Universal group membership caching. Prevent the need to locate a
global catalog across a wide area network (WAN) during logons by storing
user universal group memberships on an authenticating domain controller.

Features Available When All Domain Controllers Are Running Windows Server 2003
New domain- or forest-wide Active Directory features can be enabled only when all domain
controllers in a domain or forest are running Windows Server 2003 and the domain functionality
or forest functionality has been set to Windows Server 2003.
The following list summarizes the domain- and forest-wide Active Directory features that can be
enabled when either a domain or forest functional level has been raised to Windows Server 2003.
• Domain controller rename tool. Rename domain controllers without first
demoting them.
• Domain rename. Rename any domain running Windows Server 2003
domain controllers. You can change the NetBIOS name or DNS name of any
child, parent, tree- or forest-root domain.
• Forest trusts. Create a forest trust to extend two-way transitivity beyond
the scope of a single forest to a second forest.
• Forest restructuring. Move existing domains to other locations in the
domain hierarchy.
• Defunct schema objects. Deactivate unnecessary classes or attributes
from the schema.
• Dynamic auxiliary classes. Provides support for dynamically linking
auxiliary classes to individual objects, and not just to entire classes of
objects. In addition, auxiliary classes that have been attached to an object
instance can subsequently be removed from the instance.
• Global catalog replication tuning. Preserves the synchronization state of
the global catalog when an administrative action results in an extension of
the partial attribute set. This minimizes the work generated as a result of a
partial attribute set extension by only transmitting attributes that were
added.
• Replication enhancements. Linked value replication allows individual
group members to be replicated across the network instead of treating the
entire group membership as a single unit of replication.

Raising Domain Functional Levels
Domains can operate at three functional levels: Windows 2000 mixed, the default setting (which
includes domain controllers running Windows 2000, Windows NT 4.0, and Windows Server
2003), Windows 2000 native (which includes domain controllers running Windows 2000 and
Windows Server 2003), and Windows Server 2003 (which only includes domain controllers
running Windows Server 2003).
Once all domain controllers are running on Windows Server 2003, you can raise the Domain and
Forest Functionality to Windows Server 2003 by opening Active Directory Domains and Trusts,
right clicking the domain for which you want to raise functionality, and then clicking Raise
Domain Functional Level.
Note that once you raise the domain functional level, domain controllers running earlier
operating systems cannot be introduced into the domain. For example, if you raise the domain
functional level to Windows Server 2003, domain controllers running Windows 2000 Server
cannot be added to that domain.
The following table describes the domain-wide features that are enabled for the corresponding
domain functional level:
(Columns: Windows 2000 mixed / Windows 2000 native / Windows Server 2003)
• Domain controller rename tool – Disabled / Disabled / Enabled.
• Update logon timestamp – Disabled / Disabled / Enabled.
• Kerberos KDC key version numbers – Disabled / Disabled / Enabled.
• User password on InetOrgPerson object – Disabled / Disabled / Enabled.
• Universal Groups – Windows 2000 mixed: Enabled for distribution groups; disabled for
security groups. Windows 2000 native and Windows Server 2003: Enabled; allows both
security and distribution groups.
• Group Nesting – Windows 2000 mixed: Enabled for distribution groups; disabled for
security groups, except for domain local security groups that can have global groups as
members. Windows 2000 native and Windows Server 2003: Enabled; allows full group
nesting.
• Converting Groups – Windows 2000 mixed: Disabled; no group conversions allowed.
Windows 2000 native and Windows Server 2003: Enabled; allows conversion between
security groups and distribution groups.
• SID History – Windows 2000 mixed: Disabled. Windows 2000 native and Windows Server
2003: Enabled; allows migration of security principals from one domain to another.

Raising Forest Functional Levels
Forest functionality enables features across all the domains within your forest. Two forest
functional levels are available: Windows 2000 (which supports domain controllers running
Windows NT 4.0, Windows 2000, and Windows Server 2003) and Windows Server 2003 (which
only supports domain controllers running Windows Server 2003). If you are upgrading your first
Windows NT domain so that it becomes the first domain in a new Windows Server 2003 forest,
there is an additional forest functional level that you can choose called Windows Server 2003
interim.
By default, forests operate at the Windows 2000 functional level. You can raise the forest
functional level to Windows Server 2003. Once forest functional level has been raised, domain
controllers running earlier operating systems cannot be introduced into the forest.
The following table describes the forest-wide features that are enabled for the corresponding
forest functional level:
(Columns: Windows 2000 / Windows Server 2003)
• Global catalog replication tuning – Disabled / Enabled.
• Defunct schema objects – Disabled / Enabled.
• Forest trust – Disabled / Enabled.
• Linked value replication – Disabled / Enabled.
• Domain rename – Disabled / Enabled.
• Improved replication algorithms – Disabled / Enabled.
• Dynamic auxiliary classes – Disabled / Enabled.
• InetOrgPerson objectClass change – Disabled / Enabled.

Raise Forest Function Level in Windows Server 2003 Active Directory?

How can I raise the forest function level in a Windows Server 2003-based Active Directory?

Functional levels are an extension of the mixed/native mode concept introduced in Windows
2000 to activate new Active Directory features after all the domain controllers in the domain or
forest are running the Windows Server 2003 operating system.
When a computer that is running Windows Server 2003 is installed and promoted to a domain
controller, new Active Directory features are activated by the Windows Server 2003 operating
system over its Windows 2000 counterparts. Additional Active Directory features are available
when all domain controllers in a domain or forest are running Windows Server 2003 and the
administrator activates the corresponding functional level in the domain or forest (read
Understanding Function Levels in Windows Server 2003 Active Directory for more info).
To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2003. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2003 (read Raise Domain Function Level in Windows
Server 2003 Domains for more info).
To activate new forest-wide features, all domain controllers in the forest must be running
Windows Server 2003, and every domain in the forest must already be at the Windows 2000
native or Windows Server 2003 domain functional level. After this requirement is met, the
administrator can raise the forest functional level.
Note: Network clients can authenticate or access resources in the domain or forest without being
affected by the Windows Server 2003 domain or forest functional levels. These levels only affect
the way that domain controllers interact with each other.
Important
Do not raise the forest functional level if you have, or will have, any domain
controllers running Windows NT 4.0 or Windows 2000. As soon as the
forest functional level is raised to Windows Server 2003, it cannot be
changed back to the Windows 2000 forest functional level.
To raise the forest functional level, you must be a member of the Enterprise Admins group.
In order to raise the Forest Functional Level:
1. Log on to the PDC of the forest root domain with a user account that is a member of the
Enterprise Administrators group.
2. Open Active Directory Domains and Trusts: click Start, point to All Programs, point to
Administrative Tools, and then click Active Directory Domains and Trusts.
3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise
Forest Functional Level.
4. Under Select an available forest functional level, click Windows Server 2003, and then
click Raise to raise the forest functional level to Windows Server 2003.
5. Read the warning message, and if you wish to perform the action, click OK.
6. You will receive an acknowledgement message telling you that the operation was
completed successfully. Click OK.
7. You can check the function level by performing step 3 again and viewing the current
function level.

Note: To raise the forest functional level, you must upgrade (or demote) all existing Windows
2000 domain controllers in your forest.
If you cannot raise the forest functional level, you can click Save As in the Raise Forest
Functional Level dialog box to save a log file that specifies which domain controllers in the
forest still must be upgraded from Windows NT 4.0 or Windows 2000.
If you receive a message that indicates you cannot raise the forest functional level, use the report
generated by "Save As" to identify all domains and domain controllers that do not meet the
requirements for the requested increase.
The current forest functional level appears under Current forest functional level in the Raise
Forest Functional Level dialog box. After the forest level is successfully increased and replicated
to the PDCs in the domains, the PDCs for each domain automatically increase their domain level
to the current forest level. The level increase is performed on the Schema FSMO and requires
Enterprise Administrator credentials.
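The checks described in this section (every domain controller must already run Windows Server 2003, the raise is one-way, and the "Save As" log tells you which domains still have blocking domain controllers) can be expressed as a pre-flight script. The following is an added example, not code from the original article or from Microsoft; the domain controller inventory is constructed, and in a real forest it would be read from each DC's operatingSystem attribute and from the msDS-Behavior-Version attribute on the Partitions container.

```python
"""Pre-flight check before raising the forest functional level to Windows Server 2003.

Added example, not from the original article. It applies the rules stated
above: every domain controller in the forest must run Windows Server 2003,
and the raise is irreversible. The inventory below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# msDS-Behavior-Version values for the forest (Partitions container).
FOREST_LEVEL_NAMES = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
}
TARGET_LEVEL = 2  # Windows Server 2003 forest functional level


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    operating_system: str  # operatingSystem attribute value


def needs_upgrade(dc):
    """True for any DC that is not yet Windows Server 2003 (NT 4.0, Windows 2000)."""
    return not dc.operating_system.startswith("Windows Server 2003")


def upgrade_report(dcs):
    """Like the dialog's 'Save As' log: each domain mapped to the DCs that still block the raise."""
    report = defaultdict(list)
    for dc in dcs:
        if needs_upgrade(dc):
            report[dc.domain].append(dc.name)
    return dict(report)


def can_raise_domain_level(domain, dcs):
    """A single domain may be raised once all of its own DCs run Windows Server 2003."""
    return not [dc for dc in dcs if dc.domain == domain and needs_upgrade(dc)]


def can_raise_forest_level(current_level, dcs):
    """Return (ok, reasons). ok is True only if no DC in any domain blocks the raise
    and the forest is not already at the target level (the change cannot be undone)."""
    reasons = []
    if current_level >= TARGET_LEVEL:
        reasons.append(f"forest already at {FOREST_LEVEL_NAMES[current_level]}")
    for domain, names in sorted(upgrade_report(dcs).items()):
        reasons.append(f"{domain}: upgrade or demote {', '.join(names)}")
    return (not reasons, reasons)


# Constructed inventory: one Windows 2000 DC is still left in the root domain.
SAMPLE_DCS = [
    DomainController("DC1", "corp.example", "Windows Server 2003"),
    DomainController("DC2", "corp.example", "Windows 2000 Server"),
    DomainController("DC3", "eu.corp.example", "Windows Server 2003"),
]

if __name__ == "__main__":
    ok, reasons = can_raise_forest_level(0, SAMPLE_DCS)
    print("forest raise allowed:", ok)
    for reason in reasons:
        print(" -", reason)
```

With the sample inventory the forest raise is refused because of DC2, while the child domain eu.corp.example on its own already qualifies for a domain-level raise.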

What DNS entries (SRV Records) does Windows 2000/2003 add when you create a domain?

In order for Active Directory to function properly, DNS servers must provide support for Service
Location (SRV) resource records described in RFC 2052, A DNS RR for specifying the location
of services (DNS SRV). SRV resource records map the name of a service to the name of a server
offering that service. Active Directory clients and domain controllers use SRV records to
determine the IP addresses of domain controllers. Although not a technical requirement of Active
Directory, it is highly recommended that DNS servers provide support for DNS dynamic updates
described in RFC 2136, Observations on the use of Components of the Class A Address Space
within the Internet.
The Windows 2000 DNS service provides support for both SRV records and dynamic updates. If
a non-Windows 2000 DNS server is being used, verify that it at least supports the SRV resource
record. If not, it must be upgraded to a version that does support the use of the SRV resource
record. For example, Windows NT Server 4.0 DNS servers must be upgraded to Service Pack 4
or later to support SRV resource records. A DNS server that supports SRV records but does not
support dynamic update must be updated with the contents of the Netlogon.dns file created by
the Active Directory Installation wizard while promoting a Windows 2000 Server to a domain
controller. The Netlogon.dns file is described in the following section.
So now you understand that Windows 2000 domains rely heavily on DNS entries. If you enable
dynamic update on the relevant DNS zones, W2K creates these entries automatically:
• _ldap._tcp.<DNSDomainName>
Enables a client to locate a W2K domain controller in the domain named by
<DNSDomainName>. A client searching for a domain controller in the domain dpetri.net would
query the DNS server for _ldap._tcp.dpetri.net.
• _ldap._tcp.<SiteName>._sites.<DNSDomainName>
Enables a client to find a W2K domain controller in the domain and site specified (e.g.,
_ldap._tcp.lab._sites.dpetri.net for a domain controller in the Lab site of dpetri.net).
• _ldap._tcp.pdc._msdcs.<DNSDomainName>
Enables a client to find the PDC flexible single master object (FSMO) role holder of a mixed-
mode domain. Only the PDC of the domain registers this record.
• _ldap._tcp.gc._msdcs.<DNSTreeName>
Enables a client to find a Global Catalog (GC) server. Only domain controllers serving as GC
servers for the tree will register this name. If a server ceases to be a GC server, the server will
deregister the record.
• _ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSTreeName>
Enables a client to find a GC server in the specified site (e.g.,
_ldap._tcp.lab._sites.gc._msdcs.dpetri.net).
• _ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>
Enables a client to find a domain controller in a domain based on the domain controller’s
globally unique ID. A GUID is a 128-bit (8 byte) number that generates automatically for
referencing Active Directory objects.
• <DNSDomainName>
Enables a client to find a domain controller through a normal Host record.
After running DCPROMO, a text file containing the appropriate DNS resource records for the
domain controller is created. The file, called Netlogon.dns, is created in the
%systemroot%\System32\config folder and contains all the records needed to register the
resource records of the domain controller. Netlogon.dns is used by the Windows 2000 NetLogon
service and to support Active Directory for non-Windows 2000 DNS servers.
If you are using a DNS server that supports the SRV resource record but does not support
dynamic updates (such as a UNIX-based DNS server or a Windows NT Server 4.0 DNS server),
you can import the records in Netlogon.dns into the appropriate primary zone file to manually
configure the primary zone on that server to support Active Directory.
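The record names listed above are exactly what a defender should verify in the zone: a DC whose locator records are missing cannot be found by clients, and an SRV target that is not a known domain controller is the first thing to investigate on a zone that accepts unsecured dynamic updates. The following is an added example, not code from the original article. It builds the expected LDAP locator names for one DC from the patterns above and audits a zone excerpt written in the same master-file format as Netlogon.dns; the excerpt, the site name lab, the host names and the domain GUID are all constructed.

```python
"""Generate the DC locator SRV names a domain controller should register and
audit a zone's SRV records against them.

Added example, not part of the original article. The name patterns are the
ones listed in the text; the zone excerpt (same master-file format as
Netlogon.dns), site 'lab', the DC names and the domain GUID are constructed.
"""
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# One record per line, e.g.:
# _ldap._tcp.dpetri.net. 600 IN SRV 0 100 389 dc1.dpetri.net.
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\.\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\.$"
)


def parse_netlogon_dns(text):
    """Return the SRV records in Netlogon.dns-style text; other record types (A, CNAME) are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(m["name"].lower(), int(m["prio"]),
                                     int(m["weight"]), int(m["port"]), m["target"].lower()))
    return records


def expected_ldap_srv_names(dns_domain, site, forest_root, domain_guid, is_pdc, is_gc):
    """LDAP locator names every DC registers, plus the PDC-only and GC-only names."""
    names = {
        f"_ldap._tcp.{dns_domain}",
        f"_ldap._tcp.{site}._sites.{dns_domain}",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest_root}",
    }
    if is_pdc:
        names.add(f"_ldap._tcp.pdc._msdcs.{dns_domain}")
    if is_gc:
        names.add(f"_ldap._tcp.gc._msdcs.{forest_root}")
        names.add(f"_ldap._tcp.{site}._sites.gc._msdcs.{forest_root}")
    return {n.lower() for n in names}


def audit(records, expected_names, dc_fqdn, known_dcs):
    """Return (missing, unexpected).

    missing:    expected names with no record pointing at dc_fqdn, so clients using that
                name cannot locate this DC (stale registration or failed dynamic update)
    unexpected: SRV targets that are not known domain controllers
    """
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, set()).add(r.target)
    known = {d.lower() for d in known_dcs}
    missing = sorted(n for n in expected_names if dc_fqdn.lower() not in by_name.get(n, set()))
    unexpected = sorted({r.target for r in records if r.target not in known})
    return missing, unexpected


SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"  # constructed domain GUID
SAMPLE_ZONE = f"""\
dpetri.net. 600 IN A 10.0.0.1
_ldap._tcp.dpetri.net. 600 IN SRV 0 100 389 dc1.dpetri.net.
_ldap._tcp.dpetri.net. 600 IN SRV 0 100 389 rogue.dpetri.net.
_ldap._tcp.lab._sites.dpetri.net. 600 IN SRV 0 100 389 dc1.dpetri.net.
_ldap._tcp.pdc._msdcs.dpetri.net. 600 IN SRV 0 100 389 dc1.dpetri.net.
_ldap._tcp.gc._msdcs.dpetri.net. 600 IN SRV 0 100 3268 dc1.dpetri.net.
_ldap._tcp.{SAMPLE_GUID}.domains._msdcs.dpetri.net. 600 IN SRV 0 100 389 dc1.dpetri.net.
"""


def run_sample():
    """Audit dc1, the PDC and a GC in site 'lab' of the forest root domain dpetri.net."""
    records = parse_netlogon_dns(SAMPLE_ZONE)
    expected = expected_ldap_srv_names("dpetri.net", "lab", "dpetri.net", SAMPLE_GUID,
                                       is_pdc=True, is_gc=True)
    return audit(records, expected, "dc1.dpetri.net", {"dc1.dpetri.net"})


if __name__ == "__main__":
    missing, unexpected = run_sample()
    print("locator names with no record for dc1:", missing)
    print("SRV targets that are not known DCs:", unexpected)
```

On the constructed zone the audit reports one missing name (the site-specific GC record for dc1) and one target, rogue.dpetri.net, that is not in the list of known domain controllers; the same two functions can be run against records exported from a real zone.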

Understanding server roles:


A network or network infrastructure is the grouping of hardware devices and software
components which are needed to connect devices within the organization, and to connect the
organization to other organizations and the Internet. The network infrastructure's physical
hardware and logical components are needed to provide a number of features for the network,
including connectivity, routing and switching capabilities, network security, and access control.
The network or network infrastructure has to exist before a number of servers needed to support
applications which are needed by your users can be deployed into your networking environment.

Therefore, when planning your network design and deciding on the computers for your network,
you must know what functions the computer will be performing. Understanding these functions
will put you in a good position to determine the hardware and software components needed for
your computers.

Windows Server 2003 itself provides a number of features and tools when you install it on a
computer. You though have to implement additional features and functionality on a server to
provide the services and capabilities required by the organization and its users. In fact, until these
additional features and functionality make certain services available, the computer cannot be
used as required by users.
Computers required on your network can be broadly grouped according to the following roles:
• Server roles: Servers can be configured to perform a number of roles. The
applications that the server is running specify the role of the particular
server. Servers typically need services and additional features installed to
perform their specific roles. When compared to workstations, servers have more
disk space and memory, and faster processors. The hardware required by
servers is determined by the role being performed by the server. A few
common server roles are listed below:
○ Domain controller
○ Database server
○ Backup server
○ File server
○ Print server
○ Infrastructure server
○ Web server
○ E-mail server
• Desktop workstation roles: Desktop workstations differ from servers in that
desktop workstations are general purpose computers that can perform a
number of different types of functions.
• Portable workstation roles: Portable workstations are the solution to bringing
the features of a desktop computer to an off-site employee.
Windows Server 2003 introduced the concept of server roles. Server roles basically group
related administrative tasks, and are used to provide a specific capability or function to the
network design. With Windows Server 2003, if you configure a server for a certain server role,
then a number of additional services, features and tools are installed for the server. In this
manner, the server is set up to provide the required services to your users.
Windows Server 2003 provides a new tool for defining and managing server roles, namely, the
Manage Your Server utility. The actual Wizard for applying the server roles to computers is the
Configure Your Server Wizard. The Configure Your Server Wizard is included within the
Manage Your Server utility and is also managed through this utility.
For Windows Server 2003, there are 11 different server roles that you can configure using the
Configure Your Server Wizard:
• File server
• Print server
• Application server
• Mail server
• Terminal server
• Remote access server/VPN server
• Domain controllers
• DNS server
• WINS server
• DHCP server
• Streaming media server

Understanding the File Server Role


The file server role is a widely used role when configuring servers in Windows Server 2003
based networks. This is due to the file server role storing data for network users, and providing
access to files stored on the file server. The file server role is, however, not available in the
Windows Server 2003 Web Edition. A file stored on a file server volume can be accessed by
users that have the necessary rights to access the directories wherein the files are stored.
File servers provide the following functionality to users:
• Enable users to store files in a centralized location.
• Enable a user to share files with another user.
A few characteristics and features of the file server role are listed:
• Files and folder resources can be shared between network users.
• Administrators can manage the following aspects of file servers:
○ Access to files and folders
○ Disk space
○ Disk quotas can be implemented to control the amount of space which
users can utilize.
• For file servers that have NTFS volumes:
○ NTFS security can be used to protect files from users who are not
authorized to access the files and folders.
○ Encrypting File System (EFS) enables users to encrypt files and folders,
and entire data drives on NTFS formatted volumes. EFS secures
confidential corporate data from unauthorized access.
○ Distributed File System (Dfs) provides a single hierarchical file system
that assists in organizing shared folders on multiple computers in the
network. Dfs provides a single logical file system structure by
concealing the underlying file share structure within a virtual folder
structure. Users only see a single file structure even though there are
multiple folders located on different file servers within the
organization.
• The Offline Files feature can be enabled if necessary. Offline Files makes it
possible for a user to mirror server files to a local laptop, and ensures that
the laptop files and server files are in sync. For your laptop users, Offline Files
ensures that the user can access the server based files when they are not
connected to the network.

Understanding the Print Server Role


The print server role provides network printing capabilities for the network. Through the print
server role, you can configure a server to manage printing functions on the network. Users
typically connect to a network printer through a connection to a print server. The print server is
the computer where the print drivers are located that manage printing between printers and client
computers. With Windows NT, Windows 2000, Windows XP, and Windows Server 2003, the
print servers supply clients with the necessary printer drivers. The print servers also manage
communication between the printers and the client computers. The print servers manage the print
queues, and can also supply audit logs on jobs printed by users. A network interface printer is a
printer that connects to the network through a network card. The print server role is, however,
not available in the Windows Server 2003 Web Edition.
When deciding on a print server, ensure that the print server has sufficient disk space to store
print jobs waiting in the printer queue. It is recommended to use a dedicated, fast drive for the
print spooler. You should consider implementing a print server cluster if your enterprise needs
exceptional reliability and performance when it comes to printing.
A few characteristics of print servers are listed here:
• The Windows Management Instrumentation (WMI), a management application
programming interface (API), can be used to manage printing on the network.
• Print servers can also be remotely managed.
• Administrators can control when printing devices can be utilized.
• Administrators can control access to printers.
• Priorities can be defined for print jobs.
• Print jobs can be paused, resumed, deleted, and viewed.
• Printers can be published in Active Directory so that access to printers can be
controlled according to Active Directory accounts.
Understanding Web servers
The application server role makes Web applications and distributed applications available to
users. A Web server typically contains a copy of a World Wide Web site and can also host Web
based applications. When you install a Web server, users can utilize Web based applications and
download files as well.
When you add a Web server through the application server role, the following components are
installed:
• Internet Information Services 6.0
• The Application Server console
• The Distributed Transaction Coordinator (DTC)
• COM+, the extension of the Component Object Model (COM)
Internet Information Services 6.0 (IIS 6.0) is Microsoft's integrated Web server that enables you
to create and manage Web sites within your organization. Through IIS, you can create and
manage Web sites, and share and distribute information over the Internet or intranet. With the
introduction of Windows Server 2003, came the advent of Internet Information Services (IIS) 6.
IIS 6 is included with the 32-bit version and the 64-bit versions of the Windows Server 2003
Editions. IIS 6 includes support for a number of protocols and management tools which enable
you to configure the server as a Web server, File Transfer Protocol (FTP) server or a Simple
Mail Transport Protocol (SMTP) server. The management tools included with Windows Server
2003 allow you to manage Internet Information Services on the Windows Server 2003 product
platforms.
Before you can deploy IIS 6 Web servers within your enterprise, you first need to install
Windows Server 2003 or upgrade to Windows Server 2003. Only after Windows Server 2003 is
deployed, are you able to install IIS 6 in your environment.
After Windows Server 2003 is installed, for all editions of Windows Server 2003 other than the
Web Edition, you can install IIS 6 from the Configure Your Server Wizard. When you first log
on after Windows Server 2003 is installed, the Manage Your Server Wizard is initiated. To start
the Configure Your Server Wizard, choose the Add Or Remove A Role link. You next have to
follow the prompts of the Configure Your Server Wizard to install the Application Server (IIS,
ASP.NET) option.
The protocols supported by IIS 6.0, the Microsoft integrated Web server, are listed here:
• Hypertext Transfer Protocol (HTTP) is a TCP/IP application layer protocol used
to connect to websites, and to create Web content. HTTP handles the
publishing of static and dynamic Web content. An HTTP session consists of a
connection, an HTTP request, and an HTTP response:
1. Port 80 is used for HTTP connections. The client establishes a TCP
connection to the server by using a TCP three way handshake.
2. After the connection is established, the client sends an HTTP GET
request message to the server.
3. The server sends the client the requested Web page.
4. If HTTP Keep-Alives are enabled, the TCP connection between the client and
server is maintained so that the client can request additional pages.
5. If HTTP Keep-Alives are not enabled, the TCP connection is terminated
after the requested page is downloaded.
• File Transfer Protocol (FTP) is a TCP/IP application layer protocol used for
copying files to and from remote systems through the Transmission Control
Protocol (TCP). FTP makes it possible for clients to upload and download files
from a FTP server over an internetwork. Through IIS, you can create and
administer FTP servers. You need an FTP server and FTP client to use the
protocol. An FTP session has a connection, a request, and a response:
1. The client establishes a TCP connection to the FTP server through port
21.
2. A port number over 1023 is assigned to the client.
3. The client sends an FTP command to port 21.
4. If the client needs to receive data, another connection is created with
the client, to convey the data. This connection utilizes port 20.
5. The second connection remains in a TIME_WAIT state after the data is
transferred to the client. The TIME_WAIT state makes it possible for
additional data to be transferred. The TIME_WAIT state ends when the
connection times out.
• Network News Transfer Protocol (NNTP) is a TCP/IP application layer protocol
used to send network news messages to NNTP servers and NNTP clients on
the Internet. NNTP is a client/server and server/server protocol. The NNTP
protocol enables an NNTP host to replicate its list of newsgroups and messages
with another host through newsfeeds, using a push method or a pull method.
An NNTP client can establish a connection with an NNTP host to download a list
of newsgroups, and read the messages contained in the newsgroups.
Through NNTP, you can implement private news servers to host discussion
groups, or you can implement public news servers to provide customer
support and help resources to Internet users. You can specify that users need
to be authenticated to both read and post items to newsgroups, or you can
allow access to everybody. The NNTP service can also integrate with the
Windows Indexing Service for the indexing of newsgroup content. It is also
fully integrated with event and performance monitoring of Windows Server
2003.
• Simple Mail Transfer Protocol (SMTP) is a TCP/IP application layer protocol
used for routing and transferring e-mail between SMTP hosts on the Internet.
SMTP enables IIS machines to operate as SMTP hosts to forward e-mail over
the Internet. IIS can be utilized instead of Sendmail. SMTP also enables IIS
machines to protect mail servers such as Microsoft Exchange servers from
malicious attacks by operating between these servers and the Sendmail host at
the ISP of the organization. SMTP can be used to forward mail from one SMTP
host to another SMTP host. SMTP cannot deliver mail directly to the client.
Mail clients use POP3 or IMAP to receive e-mail. Windows Server 2003
includes the POP3 service for providing clients with mailboxes, and for
handling incoming e-mail. To use SMTP as a component of IIS, you have
to install the SMTP service first if you are running a Windows Server 2003
Edition other than the Windows Server 2003 Web Edition. The SMTP service is
installed on the Windows Server 2003 Web Edition by default.
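The HTTP session model in the list above (connection, request, response, and an optional Keep-Alive that decides whether the TCP connection survives the response) can be made concrete with a small server-side decision routine. The following is an added example, not code from the original article or from IIS. The requests are constructed byte strings and nothing is sent on the network; the rule applied is the standard one, which the text does not spell out: HTTP/1.1 connections persist unless the client sends Connection: close, HTTP/1.0 connections close unless the client sends Connection: keep-alive, and a server with Keep-Alives disabled always closes.

```python
"""Model the HTTP session described above and decide whether the server keeps
the TCP connection open after the response.

Added example, not from the original article. Request bytes are constructed.
"""


def parse_request(raw):
    """Split an HTTP request into (method, target, version, headers); header names lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def keep_alive(version, headers, server_keepalive_enabled=True):
    """Return True if the connection should stay open for further requests."""
    if not server_keepalive_enabled:
        return False  # server-side Keep-Alives disabled: always close
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if version == "HTTP/1.1":
        return "close" not in tokens  # persistent by default
    return "keep-alive" in tokens  # HTTP/1.0: explicit opt-in only


def serve(raw, server_keepalive_enabled=True):
    """Answer one GET with a fixed page and report whether the connection stays open."""
    method, target, version, headers = parse_request(raw)
    stay_open = keep_alive(version, headers, server_keepalive_enabled)
    if method != "GET":
        status, body = "405 Method Not Allowed", b""
    else:
        status, body = "200 OK", b"<html><body>hello</body></html>"
    response = (
        f"HTTP/1.1 {status}\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Connection: {'keep-alive' if stay_open else 'close'}\r\n"
        "\r\n"
    ).encode("iso-8859-1") + body
    return response, stay_open


# Constructed requests covering the four version/header combinations.
REQ_11 = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
REQ_11_CLOSE = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nConnection: close\r\n\r\n"
REQ_10 = b"GET /index.html HTTP/1.0\r\n\r\n"
REQ_10_KA = b"GET /index.html HTTP/1.0\r\nConnection: keep-alive\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("1.1", REQ_11), ("1.1 close", REQ_11_CLOSE),
                      ("1.0", REQ_10), ("1.0 keep-alive", REQ_10_KA)]:
        print(name, "->", "stay open" if serve(req)[1] else "close")
```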
Understanding the Mail Server Role
The mail server role provides e-mail services for the network, by providing the functionality
needed for users to both send and receive e-mail messages. A mail server has to exist for users to
send e-mail to each other. When a mail server receives e-mail for a user, it stores the e-mail for
the intended user until that particular user retrieves it from the mail server.
The primary functions of mail servers are listed here:
• Store e-mail data.
• Process client requests.
• Receive incoming e-mail from the Internet.
When you configure a server for the mail server role, the following TCP/IP based protocols are
installed:
• Simple Mail Transfer Protocol (SMTP): SMTP is a TCP/IP application layer
protocol used for routing and transferring e-mail between SMTP hosts on the
Internet. IIS 6 has to be installed to install both the SMTP service and the Post
Office Protocol 3 (POP3) service. The SMTP service has to be installed
because mail servers and clients utilize this service to send e-mail.
• Post Office Protocol 3 (POP3): Mail clients use the POP3 service or IMAP to
receive e-mail. Windows Server 2003 includes the POP3 service for providing
clients with mailboxes, and for handling incoming e-mail. The POP3 service
also enables clients to retrieve e-mail from the mail server.

Understanding the Terminal Server Role


Terminal Services have the ability to operate as an application server that remote clients can
connect to, and run sessions from. The Terminal Services server runs the applications. The data
response is transmitted back to the Terminal Services client. Clients can access Terminal
Services over a local area connection or a wide area connection. Terminal Services clients can be
MS-DOS based clients, Windows for Workgroups (version 3.11) clients, Windows based
terminals, and Macintosh clients.
When a user connects to a Windows Server 2003 server using Remote Desktop, the resources of
the server are used, and not those of the workstation. The terminal is only responsible for the
keyboard, mouse and the display. Every user has his or her own individual Terminal Services session.
Sessions are unique and do not affect one another. In this manner, a user connecting to a
Windows Server 2003 server through Remote Desktop functions as a terminal on that server.
Once a client establishes a connection to Terminal Services, it creates a Terminal Services
session for the client. All processing is handled by the Terminal Services server. Clients use
insignificant bandwidth on the underlying network when they establish a connection. Terminal
Services is therefore popular in WANs where bandwidth is limited. It is also suited for mobile
users who have to execute processor intensive applications over a dial-up connection. In this
case, the local machine only needs to handle the console. When applications need to be installed
or updated, a single instance of the application can be installed or updated on the Terminal
Services server. Users will have access to the application without you needing to install or update
the application on all machines.
Remote Desktop Protocol (RDP) is the protocol that manages communications between a
computer running Terminal Services, and a client computer running a Terminal Server client.
The connection can be established using Terminal Services on a terminal server. The RDC utility
can be used for complete terminal server client utilization, or it can be used for Remote
Administration. Remote Desktop Connection is by default installed with Windows XP and
Windows Server 2003. You can however install Remote Desktop Connection on the previous
Windows Operating Systems (OSs) such as Windows 2000, Windows NT, Windows ME,
Windows 98, and Windows 95. The RDC utility is backward compatible, and can therefore
interact with Terminal Services in Windows XP, Windows 2000 and Windows NT 4 Terminal
Server Edition.
Understanding the Remote Access and VPN Server Role
The Windows Server 2003 remote access and VPN server role can be used to provide remote
access to clients through either of the following methods:
• Dial-up connections: Dial-up networking makes it possible for a remote
access client to establish a dial-up connection to a port on a remote access
server. The configuration of the dial-up networking server determines what
resources the remote user can access. Users that connect through a dial-up
networking server, connect to the network much like a standard LAN user
accessing network resources.
• Virtual private networks (VPNs): Virtual Private Networks (VPNs) provide
secure and advanced connections through a non-secure network by providing
data privacy. Private data is secure in a public environment. Remote access
VPNs provide a common environment which many different sources such as
intermediaries, clients and off-site employees can access through web
browsers or email. Many companies supply their own VPN connections via the
Internet. Through their ISPs, remote users running VPN client software are
assured private access in a publicly shared environment. By using analog,
ISDN, DSL, cable technology, dial and mobile IP, VPNs are implemented over
extensive shared infrastructures. Email, database and office applications use
these secure remote VPN connections.
A few features and capabilities provided by the RRAS server are listed here:
• LAN-to-LAN routing and LAN-to-WAN routing
• Virtual private network (VPN) routing
• Network Address Translation (NAT) routing: NAT, defined in RFC 1631,
translates private addresses to Internet IP addresses that can be routed on
the Internet.
• Routing features, including
○ IP multicasting
○ Packet filtering
○ Demand-dial routing
○ DHCP relay
• Assign DHCP addresses to RRAS clients
• Remote Access Policies (RAPs): RAPs are used to grant remote access
permissions.
• Layer Two Tunneling Protocol (L2TP) combines Layer 2 Forwarding (L2F) of
Cisco with Point-to-Point Tunneling Protocol (PPTP) of Microsoft. L2TP is a
Data-link protocol that can be used to establish Virtual Private Networks
(VPNs).
• Internet Authentication Service (IAS), a Remote Authentication Dial-In User
Service (RADIUS) server, provides remote authentication, authorization and
accounting for users that are connecting to the network through a network
access server (NAS) such as Windows Routing and Remote Access.

Understanding the Domain Controllers Role


A domain controller is a server that stores a writable copy of Active Directory, and maintains the
Active Directory data store. Active Directory was designed to provide a centralized repository of
information, or data store that could securely manage the resources of an organization. The
Active Directory directory services ensure that network resources are available to, and can be
accessed by users, applications and programs. Active Directory also makes it possible for
administrators to log on to one network computer, and then manage Active Directory objects
on a different computer within the domain.
A domain controller is a computer running Windows 2000 or Windows Server 2003 that
contains a replica of the domain directory. Domain controllers in Active Directory maintain the
Active Directory data store and security policy of the domain. Domain controllers therefore also
provide security for the domain by authenticating user logon attempts.
The main functions of the domain controller role within Active Directory are listed here:
• Each domain controller in a domain stores and maintains a replica of the
Active Directory data store for the particular domain.
• Domain controllers in Active Directory utilize multimaster replication. What
this means is that no single domain controller is the master domain
controller. All domain controllers are considered peers.
• Domain controllers also automatically replicate directory information for
objects stored in the domain between one another.
• Updates that are considered important are replicated immediately to the
remainder of the domain controllers within the domain.
• Implementing multiple domain controllers within the domain provides fault
tolerance for the domain.
• In Active Directory, domain controllers can detect collisions. Collisions take
place when an attribute modified on one particular domain controller is changed on a
different domain controller before the change on the initial domain controller
has been fully propagated.
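Because there is no master domain controller, a collision of the kind just described has to be resolved by a rule that every domain controller applies identically, so that all replicas converge on the same value. The following is an added example, not code from the original article or from Active Directory itself. It is a simplified model of the documented attribute-level resolution order: the write with the higher version number wins; on a tie, the later originating timestamp wins; on a further tie, the higher originating DSA invocation ID wins. The DC names, invocation IDs, attribute values and timestamps are constructed.

```python
"""Simulate how multimaster domain controllers resolve a replication collision
on one attribute without a master.

Added example, not from the original article. Simplified model of the
resolution order (version, originating time, originating DSA invocation ID);
all names, IDs and timestamps are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttrStamp:
    version: int
    originating_time: int  # seconds since epoch (constructed)
    originating_dsa: str   # invocation ID (GUID) of the DC that made the write
    value: str

    def sort_key(self):
        # Higher version wins, then later time, then higher invocation ID.
        return (self.version, self.originating_time, self.originating_dsa)


def winner(local, incoming):
    """Deterministic choice between two stamps for the same attribute."""
    return incoming if incoming.sort_key() > local.sort_key() else local


class DomainController:
    def __init__(self, name, invocation_id):
        self.name = name
        self.invocation_id = invocation_id
        self.attrs = {}

    def originate_write(self, attr, value, now):
        """Local change: bump the version and stamp it with this DC's identity."""
        current = self.attrs.get(attr)
        version = current.version + 1 if current else 1
        self.attrs[attr] = AttrStamp(version, now, self.invocation_id, value)

    def apply_replicated(self, attr, incoming):
        """Inbound change: keep whichever stamp wins; applying twice changes nothing."""
        local = self.attrs.get(attr)
        self.attrs[attr] = incoming if local is None else winner(local, incoming)


def replicate(dcs, attr):
    """Push every DC's stamp to every other DC until all hold the same value."""
    for _ in range(len(dcs)):
        for src in dcs:
            if attr in src.attrs:
                for dst in dcs:
                    if dst is not src:
                        dst.apply_replicated(attr, src.attrs[attr])
    return {dc.name: dc.attrs[attr].value for dc in dcs}


def collision_demo():
    """Two admins edit displayName on different DCs before replication has run."""
    dc1 = DomainController("DC1", "aaaaaaaa-0000-0000-0000-000000000001")
    dc2 = DomainController("DC2", "aaaaaaaa-0000-0000-0000-000000000002")
    dc3 = DomainController("DC3", "aaaaaaaa-0000-0000-0000-000000000003")
    dc1.originate_write("displayName", "Alice", now=100)      # version 1, fully replicated
    replicate([dc1, dc2, dc3], "displayName")
    dc1.originate_write("displayName", "Alice Smith", now=200)  # version 2 on DC1
    dc2.originate_write("displayName", "Alice Jones", now=205)  # version 2 on DC2: collision
    return replicate([dc1, dc2, dc3], "displayName")


if __name__ == "__main__":
    print(collision_demo())
```

Both conflicting writes carry version 2, so the later originating time decides and every replica, including DC3 which never saw the edit locally, converges on the value written on DC2. Swapping the timestamps, or making them equal so that the invocation ID decides, changes the outcome but never the convergence.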
Certain master roles can be assigned to domain controllers within a domain and forest. Domain
controllers that are assigned special master roles are called Operations Masters. These domain
controllers host a master copy of specific data in Active Directory. They also copy data to the
remainder of the domain controllers. There are five different types of master roles that can be
defined for domain controllers. Two types of master roles, forestwide master roles, are assigned
to one domain controller in a forest. The other three master roles, domainwide master roles, are
applied to a domain controller in every domain.
The different types of master roles which can be configured on domain controllers are listed
here:
• The Schema Master is a forestwide master role applied to a domain controller
that manages all changes in the Active Directory schema.
• The Domain Naming Master is a forestwide master role applied to a domain
controller that manages changes to the forest, such as adding and removing
a domain. The domain controller serving this role also manages changes to
the domain namespace.
• The Relative ID (RID) Master is a domainwide master role applied to a domain
controller that creates unique ID numbers for domain controllers and
manages the allocation of these numbers.
• The PDC Emulator is a domainwide master role applied to a domain controller
that operates like a Windows NT primary domain controller. This role is
typically necessary when there are computers in your environment running
pre-Windows 2000 and XP operating systems.
• The Infrastructure Master is a domainwide master role applied to a domain
controller that manages changes made to group memberships.
A Global Catalog (GC) server can also be installed on a domain controller. The global catalog
is a central information store on the Active Directory objects in a forest and domain, and is used
to improve performance when searching for objects in Active Directory. The first domain
controller installed in a domain is designated as the global catalog server by default. The global
catalog server stores a full replica of all objects in its host domain, and a partial replica of objects
for the remainder of the domains in the forest. The partial replica contains those objects which
are frequently searched for. It is generally recommended to configure a global catalog server for
each site in a domain.
The functions of the global catalog server are summarized below:
• Global catalog servers are crucial for Active Directory's UPN functionality:
they resolve user principal names (UPNs) when the domain controller handling
the authentication request cannot authenticate the user account because the
account exists in another domain. The GC server locates the user account so
that the authenticating domain controller can proceed with the logon request
for the user.
• The global catalog server deals with all search requests of users searching for
information in Active Directory. It can find all Active Directory data
irrespective of the domain in which the data is held. The GC server deals with
requests for the entire forest.
• The global catalog server also provides Universal Group membership
information to the domain controller for network logon requests.

Understanding the DNS Server Role


Domain Name Service (DNS) is a hierarchically distributed database that creates hierarchical
names that can be resolved to IP addresses. The IP addresses are then resolved to MAC
addresses. DNS provides the means for naming IP hosts, and for locating IP hosts when they are
queried for by name.
The DNS server role resolves IP addresses to domain names, and domain names to IP addresses.
In this way, DNS provides name resolution services to establish connections for those clients that
need to resolve to IP addresses. A Fully Qualified Domain Name (FQDN) is the DNS name that
is used to identify a computer on the network.
A DNS server is a computer running the DNS service or BIND that provides domain name
services. The DNS server manages the DNS database that is located on it. The information in the
DNS database of a DNS server pertains to a portion of the DNS domain tree structure or
namespace. This information is used to provide responses to client requests for name resolution.
A DNS server is authoritative for the contiguous portion of the DNS namespace over which it
resides.
When a DNS server is queried for name resolution services it can do either of the following:
• Respond to the request directly by providing the requested information.
• Provide a pointer (referral) to another DNS server that can assist in resolving
the query.
• Respond that the information is unavailable.
• Respond that the information does not exist.
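The four outcomes above can be told apart from the fixed 12-byte header of the response alone: the response code, the authoritative-answer flag, and the answer and authority record counts. The following Go program is an added example, not code from the original text; it parses that header from constructed sample responses (not captured traffic) and classifies each one. It goes slightly beyond the list above by also separating an authoritative empty answer (NODATA) from a referral, since both carry no answer records.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Header is the fixed 12-byte DNS message header (RFC 1035, section 4.1.1).
type Header struct {
	ID, Flags, QDCount, ANCount, NSCount, ARCount uint16
}

const (
	flagQR    = 1 << 15 // 1 = response, 0 = query
	flagAA    = 1 << 10 // authoritative answer
	rcodeMask = 0x000F  // low four bits of the flags word: response code
)

// ParseHeader decodes the header from the start of a DNS message.
func ParseHeader(msg []byte) (Header, error) {
	if len(msg) < 12 {
		return Header{}, errors.New("message shorter than the 12-byte DNS header")
	}
	be := binary.BigEndian
	return Header{
		ID: be.Uint16(msg[0:]), Flags: be.Uint16(msg[2:]), QDCount: be.Uint16(msg[4:]),
		ANCount: be.Uint16(msg[6:]), NSCount: be.Uint16(msg[8:]), ARCount: be.Uint16(msg[10:]),
	}, nil
}

// Encode is the inverse of ParseHeader; used here only to build sample responses.
func (h Header) Encode() []byte {
	b := make([]byte, 12)
	for i, v := range []uint16{h.ID, h.Flags, h.QDCount, h.ANCount, h.NSCount, h.ARCount} {
		binary.BigEndian.PutUint16(b[2*i:], v)
	}
	return b
}

// Classify maps a response header onto the outcomes the text lists: a direct
// answer, a referral, "unavailable" (a non-zero response code such as SERVFAIL)
// and "does not exist" (NXDOMAIN). An authoritative response with no answer
// records (NODATA) is reported separately: it is neither an error nor a referral.
func Classify(h Header) string {
	if h.Flags&flagQR == 0 {
		return "query, not a response"
	}
	rcode := h.Flags & rcodeMask
	switch {
	case rcode == 3:
		return "does not exist (NXDOMAIN)"
	case rcode != 0:
		return fmt.Sprintf("unavailable (RCODE %d)", rcode)
	case h.ANCount > 0:
		return "answer"
	case h.Flags&flagAA == 0 && h.NSCount > 0:
		return "referral"
	default:
		return "no data (name exists, no record of that type)"
	}
}

func main() {
	// Constructed sample headers; flag values: 0x8000 QR, 0x0400 AA, 0x0100 RD, 0x0080 RA.
	samples := []struct {
		name string
		h    Header
	}{
		{"A record answer", Header{ID: 1, Flags: 0x8180, QDCount: 1, ANCount: 1}},
		{"referral to .com", Header{ID: 2, Flags: 0x8100, QDCount: 1, NSCount: 13, ARCount: 13}},
		{"SERVFAIL", Header{ID: 3, Flags: 0x8182, QDCount: 1}},
		{"NXDOMAIN", Header{ID: 4, Flags: 0x8583, QDCount: 1, NSCount: 1}},
	}
	for _, s := range samples {
		parsed, err := ParseHeader(s.h.Encode())
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-18s -> %s\n", s.name, Classify(parsed))
	}
}
```

Only the header is parsed, which is enough to classify the response type; the question and resource record sections would be needed to see which name or records were returned.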
You can configure different server roles for your DNS servers. The server role that you configure
for a DNS server affects the following operations of the server:
• The way in which the DNS server stores DNS data.
• The way in which the DNS server maintains data.
• Whether the DNS data in the database file can be directly edited.
The different DNS server roles which you can configure are listed here:
• Standard Primary DNS server: This DNS server owns the zones defined in its
DNS database, and can make changes to its zones. A standard primary DNS
server obtains zone data from the local DNS database. The primary DNS
server is authoritative for the zone data that it contains. When a change
needs to be made to the resource records of the zone, it has to be done on
the primary DNS server so that it can be included in the local zone database.
A DNS primary server is created when a new primary zone is added.
• Standard Secondary DNS server: This DNS server obtains a read-only copy of
zones through DNS zone transfers. A secondary DNS server cannot make any
changes to the information contained in its read-only copy. A secondary DNS
server can however resolve queries for name resolution. Secondary DNS
servers are usually implemented to provide fault tolerance, provide fast
access for clients in remote locations, and to distribute the DNS server
processing load evenly. If a secondary DNS server is implemented, that DNS
server can continue to handle queries when the primary DNS becomes
unavailable. Secondary DNS servers also assist in reducing the processing
load of the primary DNS server. It is recommended to install at least one
primary DNS server, and one secondary DNS server for each DNS zone.
• Caching-only DNS server: A caching-only DNS server only performs queries
and then stores the results of these queries. All information stored on the
caching-only DNS server is therefore only that data which has been cached
while the server performed queries. Caching-only DNS servers only cache
information when the queries have been resolved. The information stored by
caching-only DNS servers is the name resolution data that it has collected
through name resolution queries. Caching-only DNS servers do not host
zones and are not authoritative for any DNS domain.
• Master DNS servers: The DNS servers from which secondary DNS servers
obtain zone information in the DNS hierarchy are called master DNS servers.
When a secondary DNS server is configured, you have to specify the master
server from which it will obtain zone information. Zone transfer enables a
secondary DNS server to obtain zone information from its configured primary
DNS server. A secondary DNS server can also transfer its zone data to other
secondary DNS servers that are beneath it in the DNS hierarchy. Here, the
secondary DNS server is regarded as the master server to the other
subordinate secondary DNS servers. A secondary DNS server initiates the
zone transfer process from its particular master server when it is brought
online.
• Dynamic DNS Servers: Windows 2000, Windows XP and Windows Server 2003
computers can dynamically update the resource records of a DNS server
when a client's IP addressing information is added, or renewed through
Dynamic Host Configuration Protocol (DHCP). Both DHCP and Dynamic DNS
(DDNS) updates make this possible. When dynamic DNS updates are
enabled, a client sends a message to the DNS server when changes are made
to its IP addressing data. This indicates to the DNS server that the A type
resource record of the client needs to be updated.

Understanding the WINS Server Role


The Windows Internet Name Service (WINS) server role provides name resolution services for
clients that need to resolve IP addresses to NetBIOS names, and vice versa. A WINS server is an
enhanced NetBIOS name server (NBNS) designed by Microsoft to resolve NetBIOS computer
names to IP addresses. WINS can resolve NetBIOS names for local hosts and remote hosts.
WINS registers NetBIOS computer names, and stores these client name registrations in the
WINS database. The registrations are used when clients query for host name resolution and
service information and to resolve a NetBIOS name to an IP address. Clients that are configured
to utilize a WINS server as a NetBIOS name server (NBNS) are called WINS enabled clients. If
the WINS server resolves the NetBIOS name to an IP address, no broadcast traffic is sent over
the network. Broadcasts are only utilized if the WINS server is unable to resolve the NetBIOS
name. A WINS enabled client can communicate with a WINS server that is located anywhere on
the internetwork.
Although Windows 2000 was the first Windows operating system in which NetBIOS naming was no
longer required, you might still need to provide support for NetBIOS naming if you have legacy
applications. Remember that all Windows operating systems prior to Windows 2000 require
NetBIOS name support.
To implement WINS, you only need one WINS server for an internetwork. However,
implementing two WINS servers provides fault tolerance for name resolution. The secondary
WINS server would be used for name resolution if the primary WINS server is unavailable to
service WINS clients' requests.
A WINS server can cope with 1,500 name registrations and roughly 4,500 name queries per
minute. It is recommended to have one WINS server and a backup server for each 10,000 WINS
clients. When you configure the WINS server role, the WINS server must be statically assigned
with the following TCP/IP parameters: static IP address, subnet mask and default gateway.
Understanding the DHCP Server Role
DHCP is a service and protocol which runs on a Windows Server 2003 operating system. DHCP
functions at the application layer of the TCP/IP protocol stack. One of the primary tasks of the
protocol is to automatically assign IP addresses to DHCP clients.
A server running the DHCP service is called a DHCP server. The DHCP protocol automates the
configuration of TCP/IP clients because IP addressing occurs through the system. You can
configure a server as a DHCP server so that the DHCP server can automatically assign IP
addresses to DHCP clients, and with no manual intervention. IP addresses that are assigned
through a DHCP server are regarded as dynamically assigned IP addresses.
The DHCP server assigns IP addresses from a predetermined range of IP addresses, called a scope.
A DHCP scope can be defined as a set of IP addresses which the DHCP server can allocate or
assign to DHCP clients. A scope contains specific configuration information for clients that have
IP addresses which are within the particular scope. Scope information for each DHCP server is
specific to that particular DHCP server only, and is not shared between DHCP servers. Scopes
for DHCP servers are configured by administrators.
The functions of the DHCP server are outlined below:
• Dynamically assign IP addresses to DHCP clients.
• Allocate the following TCP/IP configuration information to DHCP clients:
○ Subnet mask information
○ Default gateway IP addresses
○ Domain Name System (DNS) IP addresses
○ Windows Internet Naming Service (WINS) IP addresses
You can increase the availability of DHCP servers by using the 80/20 Rule if you have two
DHCP servers located on different subnets. The 80/20 Rule is applied as follows:
• Allocate 80 percent of the IP addresses to the DHCP server which resides on
the local subnet.
• Allocate 20 percent of the IP addresses to the DHCP Server on the remote
subnet.
If the DHCP server that is allocated with 80 percent of the IP addresses has a failure, the remote
DHCP server would resume assigning the DHCP clients with IP addresses.
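As an added example that is not part of the original text, the following Go program computes the split for two DHCP servers sharing one scope under the 80/20 Rule. Each server is configured with the whole scope and excludes the other server's share, so the two never lease the same address while either one can serve the subnet if the other fails. The scope 10.0.1.10 to 10.0.1.209 is a constructed sample, and the function accepts any local percentage, not only 80.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Range is an inclusive IPv4 address range, the form in which a DHCP scope
// or an exclusion range is expressed.
type Range struct{ First, Last netip.Addr }

// MustRange builds a Range from two dotted-quad strings (panics on bad input).
func MustRange(first, last string) Range {
	return Range{netip.MustParseAddr(first), netip.MustParseAddr(last)}
}

func (r Range) String() string { return r.First.String() + " - " + r.Last.String() }

// Size returns the number of addresses in the range.
func (r Range) Size() uint32 { return toU32(r.Last) - toU32(r.First) + 1 }

func toU32(a netip.Addr) uint32 {
	b := a.As4()
	return uint32(b[0])<<24 | uint32(b[1])<<16 | uint32(b[2])<<8 | uint32(b[3])
}

func fromU32(v uint32) netip.Addr {
	return netip.AddrFrom4([4]byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)})
}

// Plan is the result of splitting one scope between two DHCP servers. Each
// server defines the whole scope but excludes the other server's share.
type Plan struct {
	LocalLeases, RemoteLeases   Range // addresses each server may hand out
	LocalExclude, RemoteExclude Range // exclusion range each server configures
}

// Split divides scope so that the local server owns localPercent of the
// addresses (80 for the 80/20 Rule) and the remote server owns the rest.
func Split(scope Range, localPercent uint32) (Plan, error) {
	if !scope.First.Is4() || !scope.Last.Is4() {
		return Plan{}, errors.New("scope must be IPv4")
	}
	if toU32(scope.Last) < toU32(scope.First) {
		return Plan{}, errors.New("scope end precedes scope start")
	}
	if localPercent == 0 || localPercent >= 100 {
		return Plan{}, errors.New("localPercent must be between 1 and 99")
	}
	total := uint64(scope.Size())
	localCount := uint32(total * uint64(localPercent) / 100) // 64-bit to avoid overflow
	if localCount == 0 || uint64(localCount) == total {
		return Plan{}, errors.New("scope too small to split at that ratio")
	}
	boundary := toU32(scope.First) + localCount // first address owned by the remote server
	local := Range{scope.First, fromU32(boundary - 1)}
	remote := Range{fromU32(boundary), scope.Last}
	return Plan{LocalLeases: local, RemoteLeases: remote, LocalExclude: remote, RemoteExclude: local}, nil
}

func main() {
	// Constructed scope: 200 addresses on one subnet.
	p, err := Split(MustRange("10.0.1.10", "10.0.1.209"), 80)
	if err != nil {
		panic(err)
	}
	fmt.Printf("local server  leases %s (%d addresses), excludes %s\n", p.LocalLeases, p.LocalLeases.Size(), p.LocalExclude)
	fmt.Printf("remote server leases %s (%d addresses), excludes %s\n", p.RemoteLeases, p.RemoteLeases.Size(), p.RemoteExclude)
}
```

The two exclusion ranges are the check worth keeping: if they do not exactly mirror the other server's lease range, the servers overlap (duplicate addresses) or leave a gap (unused addresses).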
With Windows Server 2003 DHCP, three options are available for registering IP addresses in
DNS. The options can be configured for the DHCP server, or for each individual scope. The
options which can be specified to enable or disable the DHCP service dynamically updating DNS
records on behalf of the client are:
• The DHCP server can be configured never to register the IP addresses of
DHCP clients when it assigns IP addresses to these clients.
• The DHCP server can be configured to always register the IP addresses of all
clients when they receive IP addresses from the DHCP server.
• The default option results in the DHCP server registering the IP addresses of
clients with the authoritative DNS server, based on the client's request for an
IP address.

Understanding the Streaming Media Server Role


The streaming media role provides media services so that clients can access streaming audio and
video. The Windows Media Services is used to provide media services to clients. The Windows
Media Services can be configured on server platforms, and on enterprise platforms.
The Windows Media Services is not available in the following editions of Windows Server 2003:
• Windows Server 2003 Web Edition
• Windows Server 2003 64-bit versions.

Understanding Certificate Authorities (CAs) Servers


A Certificate Authority is an entity that generates and validates digital certificates. The CA adds
its own signature to the public key of the client. By using the tools provided by Microsoft, you
can create an internal CA structure within your organization.
A digital certificate associates a public key with an owner. The certificate verifies the identity of
the owner. A certificate cannot be forged because the authority that issued the certificate digitally
signs the certificate. Certificates are issued for functions such as the encryption of data, code
signing, Web user and Web server authentication, and for securing e-mail. Certificates in
Windows XP and Windows Server 2003 are managed by the Data Protection API. When
certificates are issued to a client, they are stored in the Registry and in Active Directory. You can
also store certificates on smart cards. The information included in a certificate is determined by
the type of certificate being used.
Certificate Authorities (CAs) are servers which are configured to issue certificates to users,
computers, and services. CAs also manage certificates. An organization can have multiple CAs,
which are arranged in a logical manner. A CA can be a trusted third party entity such as VeriSign
or Thawte, or it can be an internal entity of the organization. An example of an internal CA entity
is Windows Server 2003 Certificate Services. Windows Server 2003 Certificate Services can be
used to create certificates for users and computers in Active Directory domains.
The functions performed by Certificate Authorities (CAs) are listed below:
• Accepts the request for a certificate from a user, computer, application, or
service.
• Authenticates the identity of the user, computer or service requesting the
certificate. The CA utilizes its policies, and incorporates the type of certificate
being requested; to verify the identity of the requestor.
• Creates the certificate for the requestor.
• Digitally signs the certificate using its own private key.
Windows Certificate Services is used to create a Certificate Authority on Windows Server 2003
servers. The first CA that is installed becomes the root CA. The common practice is to first
install the root CA, and then use the root CA to validate all the other CAs within the
organization. A root CA is the most trusted CA in a CA hierarchy. When a root CA issues
certificates to other CAs, these CAs become subordinate CAs of the root CA. When a root CA is
online, it is used to issue certificates to subordinate CAs. The root CA does not usually issue
certificates directly to users, computers, applications or services.
A subordinate CA can also issue certificates to other subordinate CAs. These subordinate CAs
are called intermediate CAs. While an intermediate CA is subordinate to the root CA, it is
considered superior to those subordinate CAs to which it issued certificates. Subordinate CAs
which only issue certificates to users, and not to other subordinate CAs, are called leaf CAs.
The types of CA which you can install are:
• Enterprise root CA: This is the topmost CA in the CA hierarchy, and is the first
CA installed in the enterprise. Enterprise root CAs are reliant on Active
Directory. Enterprise root CAs issue certificates to subordinate CAs.
• Enterprise Subordinate CA: This CA also needs Active Directory, and is used
to issue certificates to users and computers.
• Stand-alone Root CA: A stand-alone root CA is the topmost CA in the
certificate chain. A stand-alone root CA is not however dependent on Active
Directory, and can be removed from the network. This makes a stand-alone
root CA the solution for implementing a secure offline root CA.
• Stand-alone Subordinate CA: This type of CA is also not dependent on Active
Directory, and is used to issue certificates to users, computers, and other
CAs.
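To make the root, intermediate and leaf CA relationships concrete, here is an added example in Go (not code from the original text, and not Windows Certificate Services) that builds a constructed four-level hierarchy with the standard library's crypto/x509 package: a self-signed root issues only to an intermediate CA, the intermediate issues to a leaf CA whose path length constraint is 0, and the leaf CA issues to a user. It then verifies the user's chain back to the root and shows that a further CA placed below the leaf CA is rejected during verification, which is how "leaf CAs only issue certificates to users" is enforced in the certificate itself. The CA names and serial numbers are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template. For CAs, maxPathLen -1 means no limit
// and 0 means "may issue end-entity certificates only" (a leaf CA in the text's terms).
func template(cn string, serial int64, isCA bool, maxPathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.MaxPathLen, t.MaxPathLenZero = maxPathLen, maxPathLen == 0
	}
	return t
}

// issue generates a fresh P-256 key and signs tmpl with the parent's private key;
// a nil parent produces a self-signed root. Failures are fatal in this constructed example.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil { // self-signed root: the template is its own issuer
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Hierarchy is the constructed PKI: root -> intermediate -> leaf CA -> user.
type Hierarchy struct {
	Root, Intermediate, LeafCA, User *x509.Certificate
	LeafCAKey                        *ecdsa.PrivateKey
}

// BuildHierarchy issues the chain top-down; the root signs only the intermediate.
func BuildHierarchy() *Hierarchy {
	root, rootKey := issue(template("Offline Root CA", 1, true, -1), nil, nil)
	inter, interKey := issue(template("Intermediate CA", 2, true, 1), root, rootKey)
	leafCA, leafKey := issue(template("Leaf CA", 3, true, 0), inter, interKey)
	user, _ := issue(template("alice", 4, false, 0), leafCA, leafKey)
	return &Hierarchy{root, inter, leafCA, user, leafKey}
}

// VerifyChain validates cert against the trusted root plus the supplied
// intermediates and returns the length of the first chain found.
func VerifyChain(root *x509.Certificate, inters []*x509.Certificate, cert *x509.Certificate) (int, error) {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// SubordinateUnderLeafCA places another CA below the leaf CA, which its path
// length constraint of 0 forbids; verifying a certificate issued there must fail.
func SubordinateUnderLeafCA(h *Hierarchy) error {
	rogue, rogueKey := issue(template("Unauthorised Sub CA", 5, true, -1), h.LeafCA, h.LeafCAKey)
	bob, _ := issue(template("bob", 6, false, 0), rogue, rogueKey)
	_, err := VerifyChain(h.Root, []*x509.Certificate{h.Intermediate, h.LeafCA, rogue}, bob)
	return err
}

func main() {
	h := BuildHierarchy()
	n, err := VerifyChain(h.Root, []*x509.Certificate{h.Intermediate, h.LeafCA}, h.User)
	fmt.Println("user chain length:", n, "error:", err)
	fmt.Println("CA below leaf CA:", SubordinateUnderLeafCA(h))
}
```

Note that the leaf CA's signature on the unauthorised sub-CA is cryptographically valid; it is the path length constraint, checked by the verifier, that rejects the chain. This is why a root that is kept offline, as the text recommends for a stand-alone root CA, should still set basic constraints on every subordinate it issues.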

1. What is the Active Directory schema?

2. What are the domain functional levels in Windows Server 2003?

3. What are the forest functional levels in Windows Server 2003?

4. What is a global catalog server?

5. How can we raise the domain functional and forest functional levels in Windows Server 2003?

6. Which is the default protocol used in directory services?

7. What is IPv6?

8. What is the default domain functional level in Windows Server 2003?

9. What are the physical and logical components of ADS?

10. In which domain functional level can we rename a domain?

11. What is multimaster replication?

12. What is a site?

13. Which command is used to remove Active Directory from a domain controller?

14. How can we create a console which contains the schema?

15. What is a trust?

16. What is the file that is responsible for keeping the whole Active Directory database?
