
Technical Interview Questions – Active Directory

1. What is Active Directory?

Ans:

Active Directory is a directory structure used on Microsoft Windows based computers and
servers to store information and data about networks and domains. It is primarily used for
online information and was originally created in 1996. It was first used with Windows 2000.

Active Directory is a centralized and standardized system that automates network management
of user data, security, and distributed resources, and enables interoperation with other directories.
Active Directory is designed especially for distributed networking environments.

Active Directory features include:

· Support for the X.500 standard for global directories

· The capability for secure extension of network operations to the Web

· A hierarchical organization that provides a single point of access for system administration
(management of user accounts, clients, servers, and applications, for example) to reduce
redundancy and errors

· An object-oriented storage organization, which allows easier access to information

· Support for the Lightweight Directory Access Protocol (LDAP) to enable inter-directory
operability

· Designed to be both backward compatible and forward compatible

What is a domain controller?

Ans

A domain controller is a Windows Server machine that runs Active Directory Domain
Services.

What is a domain?

Ans

It is a namespace.
2. What is LDAP?
3. Can you connect Active Directory to other 3rd-party Directory Services? Name a
few options.

Ans

1. Active Directory directory service provides the means to manage the identities and
relationships that make up network environments.
2. Lightweight Directory Access Protocol. LDAP is a client-server protocol for accessing a
directory service.
3. Yes, NDS (Novell Directory Services).
4. %SystemRoot%\NTDS\NTDS.DIT (DIT: Directory Information Tree).
5. Policies and scripts saved in the SYSVOL folder are replicated to all domain controllers in
the domain. FRS (File Replication Service) is responsible for replicating all policies and
scripts.
6. Active Directory is divided into three partitions:
   Configuration Partition: replicated across the entire forest
   Schema Partition: replicated across the entire forest
   Domain Partition: replicated only within the domain
   Application Partition (only in Windows 2003)
7. Global Catalog: the global catalog is a role which maintains indexes about objects. It
contains full information about the objects in its own domain and partial information about
the objects in other domains. Universal group membership information is stored on global
catalog servers and replicated to all GCs in the forest.

LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other
programs use to look up information from a server.

Ans 3. Yes, you can connect Active Directory to other 3rd-party directory services, such as
the directories used by SAP, Domino etc., with the help of MIIS (Microsoft Identity
Integration Server).
4. Where is the AD database held? What other folders are related to AD?

Ans

The AD database is held in %systemroot%\ntds.

Other files related to AD:

res1.log, res2.log, edb.chk and edb.log


5. What is the SYSVOL folder?

Ans

The AD database is saved in %systemroot%\ntds. You can see other files also in this folder. These
are the main files controlling the AD structure:

· ntds.dit

· edb.log

· res1.log

· res2.log

· edb.chk

When a change is made to the Win2K database, triggering a write operation, Win2K records the
transaction in the log file (edb.log). Once written to the log file, the change is then written to the
AD database. System performance determines how fast the system writes the data to the AD
database from the log file. Any time the system is shut down, all transactions are saved to the
database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size
of each is 10MB. These files are used to ensure that changes can be written to disk should the
system run out of free disk space. The checkpoint file (edb.chk) records transactions committed
to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk
file. Then, during a reboot, AD determines that all transactions in the edb.log file have been
committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the
shutdown statement isn't present, AD will use the edb.log file to update the AD database.
6. Name the AD NCs and replication issues for each NC (Naming Context)

Ans

· Schema NC
· Configuration NC
· Domain NC

Schema NC: This NC is replicated to every other domain controller in the forest. It contains information
about the Active Directory schema, which in turn defines the different object classes and attributes
within Active Directory.

Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide
configuration information pertaining to the physical layout of Active Directory, as well as information
about display specifiers and forest-wide Active Directory quotas.

Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the
NC that contains the most commonly-accessed Active Directory data: the actual users, groups,
computers, and other objects that reside within a particular Active Directory domain.

7. What are application partitions? When do I use them?

Ans

An application directory partition is a partition space in Active Directory which an application
can use to store application-specific data. This partition is then replicated only to some
specific domain controllers.

The application directory partition can contain any type of data except security principals (users,
computers, groups).

An application directory partition is a directory partition that is replicated only to specific domain
controllers. A domain controller that participates in the replication of a particular application directory
partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can
host a replica of an application directory partition.

Application directory partitions are usually created by the applications that will use them to store
and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins
group can manually create or manage application directory partitions using the Ntdsutil
command-line tool.

One of the benefits of an application directory partition is that, for redundancy, availability, or
fault tolerance, the data in it can be replicated to different domain controllers in a forest.
8. How do you create a new application partition?

Ans

The DnsCmd command is used to create a new application directory partition. For example, to create a
partition named "NewPartition" on the domain controller DC1.contoso.com, log on to the
domain controller and type the following command:

dnscmd DC1 /createdirectorypartition NewPartition.contoso.com

9. How do you view replication properties for AD partitions and DCs?

Ans

All you need to do is open Active Directory Sites and Services and expand the sites until you get
to NTDS Settings, then right-click on the servers on the right and view and change the
replication properties from there.

or

By using replication monitor


go to start > run > type repadmin

go to start > run > type replmon

Install Replication Monitor from Support tools, run from command line with "replmon" command, add
DC and it will show you all partitions that DC holds and all replication partners for each partition.
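An added example (not from the original document) that turns the output of repadmin /showrepl * /csv into a per-partner health report and flags partitions whose last successful inbound replication is older than a threshold; the function name and the 24-hour default are my own choices, and it assumes the account can run repadmin against every DC.

```powershell
# Added example, not part of the original document. Parses the CSV form of
# "repadmin /showrepl *" (one row per destination DC, naming context and source
# DC) and reports partners with failures or a stale last success. The function
# name and the default threshold are assumptions.
function Get-ReplicationHealth {
    param(
        [int]$MaxHoursSinceSuccess = 24
    )

    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $now  = Get-Date

    foreach ($row in $rows) {
        $failures = 0
        [int]::TryParse($row.'Number of Failures', [ref]$failures) | Out-Null

        # repadmin prints "0" when the partner has never replicated successfully,
        # so a failed parse means "no known good replication".
        $lastSuccess = $null
        $parsed = [datetime]::MinValue
        if ([datetime]::TryParse($row.'Last Success Time', [ref]$parsed)) {
            $lastSuccess = $parsed
        }

        $stale = ($null -eq $lastSuccess) -or
                 (($now - $lastSuccess).TotalHours -gt $MaxHoursSinceSuccess)

        [pscustomobject]@{
            Destination    = $row.'Destination DSA'
            Partition      = $row.'Naming Context'
            Source         = $row.'Source DSA'
            Failures       = $failures
            LastSuccess    = $lastSuccess
            LastError      = $row.'Last Failure Status'
            NeedsAttention = ($failures -gt 0) -or $stale
        }
    }
}

# Show only the problem partners, worst first. A partner that has been failing
# for longer than the tombstone lifetime must not simply be restarted.
Get-ReplicationHealth |
    Where-Object { $_.NeedsAttention } |
    Sort-Object Failures -Descending |
    Format-Table Destination, Partition, Source, Failures, LastSuccess, LastError -AutoSize
```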

10. What is the Global Catalog?

Ans

The global catalog is a distributed data repository that contains a searchable, partial
representation of every object in every domain in a multidomain Active Directory Domain
Services (AD DS) forest. The global catalog is stored on domain controllers that have been
designated as global catalog servers and is distributed through multimaster replication. Searches
that are directed to the global catalog are faster because they do not involve referrals to
different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a
Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single
domain directory partition. Therefore, a domain controller can locate only the objects in its
domain. Locating an object in a different domain would require the user or application to provide
the domain of the requested object.

The global catalog provides the ability to locate objects from any domain without having to
know the domain name. A global catalog server is a domain controller that, in addition to its full,
writable domain directory partition replica, also stores a partial, read-only replica of all other
domain directory partitions in the forest. The additional domain directory partitions are partial
because only a limited set of attributes is included for each object. By including only the
attributes that are most used for searching, every object in every domain in even the largest forest
can be represented in the database of a single global catalog server.

11. How do you view all the GCs in the forest?

Ans
A: You would need a script to make such a query, but you can also check your DNS for SRV records
which contain _gc in their name.
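An added example (not from the original document) that builds the list of global catalog servers from the _gc SRV records in DNS and from the forest's own GlobalCatalogs list, then reports any host present in only one of the two; it assumes the ActiveDirectory module and Resolve-DnsName (Windows 8 / Windows Server 2012 or later), and the function name is my own.

```powershell
# Added example, not part of the original document. Compares the DNS view of
# global catalogs (the _gc SRV records the page mentions) with the directory's
# own list, so that a GC missing from DNS or a stale SRV record stands out.
# The function name is an assumption.
Import-Module ActiveDirectory

function Compare-GlobalCatalogRegistration {
    $forest = Get-ADForest

    # DNS view: each GC registers an SRV record under _gc._tcp.<forest root>.
    # Resolve-DnsName may also return the A records from the additional section,
    # so keep only SRV answers.
    $dnsGcs = @(Resolve-DnsName -Name "_gc._tcp.$($forest.Name)" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.TrimEnd('.').ToLowerInvariant() } |
        Sort-Object -Unique)

    # Directory view: DCs whose NTDS Settings object carries the GC flag.
    $adGcs = @($forest.GlobalCatalogs |
        ForEach-Object { $_.ToLowerInvariant() } |
        Sort-Object -Unique)

    foreach ($name in (@($dnsGcs) + @($adGcs) | Sort-Object -Unique)) {
        [pscustomobject]@{
            Host        = $name
            InDns       = $dnsGcs -contains $name
            InDirectory = $adGcs -contains $name
        }
    }
}

# A GC absent from DNS cannot be located by clients; an SRV record with no
# matching GC is stale (for example, left behind by a failed demotion).
Compare-GlobalCatalogRegistration |
    Where-Object { -not ($_.InDns -and $_.InDirectory) } |
    Format-Table -AutoSize
```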

12. How do I install a Replica Domain Controller from a previous backed-up media on my
Windows Server 2003 server? OR
13. What can you do to promote a server to DC, if you're in a remote location with slow WAN
link?

Ans

Install replica DC from backup

Install from Media

In Windows Server 2003 a new feature has been added, and this time it's one that will actually
make our lives easier: you can promote a domain controller using files backed up from a source
domain controller.

This feature is called "Install from Media" and it's available by running DCPROMO with the
/adv switch. It's not a replacement for network replication, we still need network connectivity,
but now we can use an old System State copy from another Windows Server 2003, copy it to our
future DC, and have the first and basic replication take place from the media instead of across
the network, thus saving valuable time and network resources.

What you basically have to do is back up the System State of an existing domain controller,
restore that backup to your replica candidate, and use DCPromo /adv to tell it to source from local
media rather than a network source.

This also works for global catalogs. If we perform a backup of a global catalog server, then we
can create a new global catalog server by performing DCPromo from that restored media.
IFM Limitations

It only works for the same domain, so you cannot back up a domain controller in domain A and
create a new domain B using that media.

It's only useful up to the tombstone lifetime with a default of 60 days. So if you have an old
backup, then you cannot create a new domain controller using that, because you'll run into the
problem of reanimating deleted objects.

To backup the existing System State on an existing domain controller

1. To start Backup, click Start, point to All Programs, point to Accessories, point to System
Tools, and then click Backup.
2. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this
wizard or go to the next step to work in Advanced Mode.
3. Click the Advanced Mode link on the Backup or Restore Wizard.
4. Click the Backup tab, then click the box next to System State and any other items you
would like to backup.

To restore the System State on the future domain controller

1. Copy your backed-up System State file from the first DC to the server where you want to
perform the process. You can do this by copying the file via the network, burning it to CD
and copying it to the server, or, if you want, just restore it on the original DC but point the
restore path to a mapped network drive that is actually a shared folder on the potential
new DC.
2. Run NTBACKUP from the Run menu. Click the Restore tab, then click the box next to
System State.
3. In the "Restore files to" box select "Alternate Location". In the "Alternate Location" box type
your designated restore path. This could be a folder on one of your hard disks. I used
C:\Backup. Click Start Restore.
4. A warning window will appear. Click Ok.
5. A Confirm Restore window will appear. Click Ok.
6. A Restore Progress window will appear. Let it finish. Click Close.


14. Why not make all DCs in a large forest as GCs?

Ans

The reason that all DCs are not GCs to start with is that in large (or even giant) forests the DCs would all have
to hold a reference to every object in the entire forest, which could be quite large and quite a replication
burden.

For a few hundred, or even a few thousand users, this is not likely to matter unless you have really poor
WAN lines.

By default there is only one global catalog server (GCS) in a forest: the first domain controller of the
Active Directory forest acts as the GCS. It is used for communication across the entire forest. The
Infrastructure Master (operations master) is used to check for updated AD information with the other
DCs in the forest; for this it queries the global catalog, which has all the updated (replicated)
information. If a GC is installed on all the DCs, then AD updates are not identified by the DCs'
Infrastructure Master, because it is a GC.

By default the Schema Management snap-in is not present in Administrative Tools; we have to register
it through the command line. At a command prompt run the following command: "regsvr32
schmmgmt.dll". After that go to Run and type mmc.exe; the MMC console opens. Go to File ->
Add/Remove Snap-in -> Add -> Schema Management -> OK and Finish, and then save it.

The Support Tools are used as diagnostic tools for network connectivity and many other functions. We
can install them from the Windows Server 2003 CD -> Support Tools -> run suptool.exe. Replmon is
used for monitoring replication traffic. Netdom is a command-line tool for renaming a domain
controller; it only works at the Windows Server 2003 forest and domain functional level, not at any
other level.
15. What are the Support Tools? Why do I need them?

Ans

Support Tools are the tools that are used for performing the complicated tasks easily.

Here they are,

Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe

16. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

Ans

What is LDP?

The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and
modifying directory services running over TCP/IP.

A directory is a set of objects with attributes organized in a logical and hierarchical manner. The
most common example is the telephone directory, which consists of a series of names (either of
persons or organizations) organized alphabetically, with each name having an address and phone
number attached.

An LDAP directory tree often reflects various political, geographic, and/or organizational
boundaries, depending on the model chosen. LDAP deployments today tend to use Domain Name
System (DNS) names for structuring the topmost levels of the hierarchy. Deeper inside the directory
might appear entries representing people, organizational units, printers, documents, groups of
people or anything else that represents a given tree entry (or multiple entries).

Its current version is LDAPv3, which is specified in a series of Internet Engineering Task Force
(IETF) Standards Track Requests for Comments (RFCs) as detailed in RFC 4510.

LDAP means Lightweight Directory Access Protocol. It determines how an object in Active Directory
should be named. LDAP (Lightweight Directory Access Protocol) is a proposed open standard for
accessing global or local directory services over a network and/or the Internet. A directory, in this
sense, is very much like a phone book. LDAP can handle other information, but at present it is
typically used to associate names with phone numbers and email addresses. LDAP directories are
designed to support a high volume of queries, but the data stored in the directory does not change
very often. It works on port no. 389. LDAP is sometimes known as X.500 Lite. X.500 is an
international standard for directories and is full-featured, but it is also complex, requiring a lot of
computing resources and the full OSI stack. LDAP, in contrast, can run easily on a PC and over
TCP/IP. LDAP can access X.500 directories but does not support every capability of X.500.

What is REPLMON?

A: Replmon is the first tool you should use when troubleshooting Active Directory replication
issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose
than using its command line counterparts. The purpose of this document is to guide you in how to
use it, list some common replication errors and show some examples of when replication issues
can stop other network installation actions.

What is ADSIEDIT?

A: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for
Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for
common administrative tasks such as adding, deleting, and moving objects within a directory
service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the
ADSI application programming interfaces (APIs) to access Active Directory. The following are the
required files for using this tool:

· ADSIEDIT.DLL
· ADSIEDIT.MSC

Regarding system requirements, a connection to an Active Directory environment and Microsoft
Management Console (MMC) is necessary.

What is NETDOM?

A: NETDOM is a command-line tool that allows management of Windows domains and trust
relationships. It is used for batch management of trusts, joining computers to domains, verifying
trusts, and secure channels.

It enables administrators to manage Active Directory domains and trust relationships from the
command prompt. Netdom is a command-line tool that is built into Windows Server 2008. It is
available if you have the Active Directory Domain Services (AD DS) server role installed. To use
netdom, you must run the netdom command from an elevated command prompt. To open an
elevated command prompt, click Start, right-click Command Prompt, and then click Run as
administrator.

You can use netdom to:

· Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008,
Windows Server 2003, Windows 2000 or Windows NT 4.0 domain. This provides an option to
specify the organizational unit (OU) for the computer account, and generates a random computer
password for an initial Join operation.

· Manage computer accounts for domain member workstations and member servers. Management
operations include: Add, Remove, Query; an option to specify the OU for the computer account; and
an option to move an existing computer account for a member workstation from one domain to
another while maintaining the security descriptor on the computer account.

· Establish one-way or two-way trust relationships between domains, including the following kinds
of trust relationships: from a Windows 2000, Windows Server 2003 or Windows Server 2008 domain
to a Windows NT 4.0 domain; from a Windows 2000, Windows Server 2003 or Windows Server 2008
domain to a Windows 2000, Windows Server 2003 or Windows Server 2008 domain in another
enterprise; between two Windows 2000, Windows Server 2003 or Windows Server 2008 domains in
an enterprise (a shortcut trust); and the Windows Server 2008, Windows Server 2003 or Windows
2000 Server half of an interoperable Kerberos protocol realm.

· Verify or reset the secure channel for the following configurations: member workstations and
servers; backup domain controllers (BDCs) in a Windows NT 4.0 domain; specific Windows Server
2008, Windows Server 2003 or Windows 2000 replicas.

· Manage trust relationships between domains, including the following operations: enumerate trust
relationships (direct and indirect); view and change some attributes on a trust.

Syntax

Netdom uses the following general syntaxes:

NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
NetDom help <Operation>

17. What are sites? What are they used for?

Ans

One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to
configure Active Directory access and replication topology to take advantage of the physical network.

B: A Site object in Active Directory represents a physical geographic location that hosts
networks. Sites contain objects called Subnets. Sites can be used to assign Group Policy
Objects, facilitate the discovery of resources, manage Active Directory replication, and manage
network link traffic. Sites can be linked to other Sites. Site-link objects may be assigned a cost
value that represents the speed, reliability, availability, or other real property of a physical
resource. Site Links may also be assigned a schedule.

18. What's the difference between a site link's schedule and interval?

Ans

Schedule enables you to list the weekdays or hours when the site link is available for replication to happen
in the given interval. Interval is the recurrence of the inter-site replication in minutes. It ranges
from 15 to 10,080 mins. The default interval is 180 mins.

Any time two networks are separated by links that are heavily used during parts of the day and are idle
during other parts of the day, put those networks into separate sites. You can use the ability to schedule
replication between sites to prevent replication traffic from competing with other traffic during high
usage hours.

In simple words you can define it as the time when you allow the replication to happen.

Interval is also a part of the schedule, but it takes care of the replication polling frequency. In other
words, in a given schedule of, say, 9:00 AM to 1 PM, replication polling should occur every 15
minutes.

Schedule here is 9:00 AM to 1 PM

Interval is every 15 minutes.
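An added example (not from the original document) that applies the figures above to a site link: a daily 9:00 AM to 1 PM window as the schedule and 15 minutes as the interval, then reads the link back and works out how many polling cycles the pair allows per day; it assumes the ActiveDirectory module (Windows Server 2012 or later), uses the built-in DEFAULTIPSITELINK, and the helper name is my own.

```powershell
# Added example, not part of the original document. Sets the schedule (window)
# and interval (polling frequency) on a site link and then derives the number
# of replication cycles per day from the two. DEFAULTIPSITELINK is the
# built-in link; Get-DailyReplicationCycles is an assumed helper name.
Import-Module ActiveDirectory

$linkName = 'DEFAULTIPSITELINK'
$interval = 15   # minutes; AD accepts 15 to 10080 (one week), default 180

if ($interval -lt 15 -or $interval -gt 10080) {
    throw "Interval $interval is outside the supported range of 15-10080 minutes."
}

# Build the schedule. Quarter-hour slots are inclusive, so 09:00 through 12:45
# covers the whole 09:00-13:00 window, every day of the week.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Nine,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twelve,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)

Set-ADReplicationSiteLink -Identity $linkName `
    -ReplicationSchedule $schedule `
    -ReplicationFrequencyInMinutes $interval

function Get-DailyReplicationCycles {
    param([string]$LinkName, [DayOfWeek]$Day = 'Monday')

    $link = Get-ADReplicationSiteLink -Identity $LinkName `
        -Properties ReplicationSchedule, ReplicationFrequencyInMinutes

    $openMinutes = 0
    if ($null -eq $link.ReplicationSchedule) {
        # No schedule attribute means the link is always available.
        $openMinutes = 24 * 60
    } else {
        # RawSchedule is a [bool[7,24,4]] indexed by day, hour, quarter-hour.
        $raw = $link.ReplicationSchedule.RawSchedule
        foreach ($h in 0..23) {
            foreach ($q in 0..3) {
                if ($raw[[int]$Day, $h, $q]) { $openMinutes += 15 }
            }
        }
    }

    [pscustomobject]@{
        Link            = $LinkName
        Day             = $Day
        WindowMinutes   = $openMinutes
        IntervalMinutes = $link.ReplicationFrequencyInMinutes
        CyclesPerDay    = [math]::Floor($openMinutes / $link.ReplicationFrequencyInMinutes)
    }
}

# With the values above: a 240-minute window at a 15-minute interval gives 16 cycles.
Get-DailyReplicationCycles -LinkName $linkName
```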

19. What is the KCC?

Ans

KCC stands for Knowledge Consistency Checker. It is a part of the ISTG (Intersite Topology
Generator) role in Active Directory. The KCC checks and, as an option, re-creates topology
information for the Active Directory domain.

20. What is the ISTG? Who has that role by default?

Ans

Intersite Topology Generator (ISTG), which is responsible for the connections among the sites. By default
Windows 2003 forest level functionality has this role.
By default the first server has this role. If that server can no longer perform this role, then the next
server with the highest GUID takes over the role of ISTG.

21. What are the requirements for installing AD on a new server?

Ans

· An NTFS partition with enough free space (250MB minimum)

· An Administrator's username and password

· The correct operating system version

· A NIC

· Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)

· A network connection (to a hub or to another computer via a crossover cable)

· An operational DNS server (which can be installed on the DC itself)

· A Domain name that you want to use

· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

System requirements

The following are estimated system requirements for Windows Server 2008. If your computer
has less than the minimum requirements, you will not be able to install this product correctly.
Actual requirements will vary based on your system configuration and the applications and
features you install.

Processor

Processor performance depends not only on the clock frequency of the processor, but also on the
number of processor cores and the size of the processor cache. The following are the processor
requirements for this product:

· Minimum: 1 GHz (for x86 processors) or 1.4 GHz (for x64 processors)

· Recommended: 2 GHz or faster


Note

An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-Based Systems.

RAM

The following are the RAM requirements for this product:

· Minimum: 512 MB

· Recommended: 2 GB or more

· Maximum (32-bit systems): 4 GB (for Windows Server 2008 Standard) or 64 GB (for Windows
Server 2008 Enterprise or Windows Server 2008 Datacenter)

· Maximum (64-bit systems): 32 GB (for Windows Server 2008 Standard) or 1 TB (for Windows
Server 2008 Enterprise, Windows Server 2008 Datacenter) or 2 TB (for Windows Server 2008 for
Itanium-Based Systems)

Disk space requirements

The following are the approximate disk space requirements for the system partition. Itanium-
based and x64-based operating systems will vary from these estimates. Additional disk space
may be required if you install the system over a network. For more information, see

· Minimum: 10 GB

· Recommended: 40 GB or more

Note

Computers with more than 16 GB of RAM will require more disk space for paging, hibernation,
and dump files.

· DVD-ROM drive

· Super VGA (800 x 600) or higher-resolution monitor

· Keyboard and Microsoft® mouse (or other compatible pointing device)

22. What can you do to promote a server to DC if you're in a remote location with slow
WAN link?

Ans
First available in Windows Server 2003: you create a copy of the system state from an existing DC and copy
it to the new remote server. Run "dcpromo /adv". You will be prompted for the location of the system
state files.

OR

Backup system state as;

1. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in wizard
mode, click the Advanced Mode hyperlink.)
2. From the Backup tab, click to select the System State check box in the left pane. Do not back up
the file system part of the SYSVOL tree separately from the system state backup.

3. In the Backup media or file name box, specify the drive, path, and file name of the system state
backup.

Name the file with a .bkf extension (recommended and general).

Restore the system state as below on the target computer:

1. Log on to the Windows Server 2003-based computer that you want to promote. You must be a
member of the local administrators group on this computer.
2. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in wizard
mode, click the Advanced Mode hyperlink.)

3. In the Backup utility, click the Restore and Manage Media tab. In the Tools menu, click Catalog
a backup file..., and then locate the .bkf file that you created earlier. Click OK.

4. Expand the contents of the .bkf file, and then click to select the System State check box.

5. In Restore files to:, click Alternate Location. To restore the system state, type the logical drive
and the path. We suggest that you type X:\Ntdsrestore. In this command, X is the logical drive
that will ultimately host the Active Directory database when the member computer is
promoted. The final location for the Active Directory database is selected when you run the
Active Directory Installation Wizard. This folder must be different from the folder that contains
the restored system state.

The last stage is promoting an additional domain controller:

1. Verify that the domain controller that is to be promoted has DNS name resolution and network
connectivity to existing domain controllers in the domain controller's target domain.
2. Click Start, click Run, type dcpromo /adv, and then click OK.

3. Click Next to bypass the Welcome to the Active Directory Installation Wizard and Operating
System Compatibility dialog boxes.

4. On the Domain Controller Type page, click Additional domain controller for an existing
domain, and then click Next.
5. On the Copying Domain Information page, click From these restored backup files:, and then
type the logical drive and the path of the alternative location where the system state backup
was restored. Click Next.

6. In Network Credentials, type the user name, the password, and the domain name of an account
that is a member of the domain administrators group for the domain that you are promoting in.

7. Continue with the remainder of the Active Directory Installation Wizard pages as you would with
the standard promotion of an additional domain controller.

8. After the SYSVOL tree has replicated in, and the SYSVOL share exists, delete any remaining
restored system files and folders.

23. How can you forcibly remove AD from a server, and what do you do later? • Can I
get user passwords from the AD database?

Ans

Demote the server using dcpromo /forceremoval, then remove the metadata from Active Directory
using ntdsutil. There is no way to get user passwords from AD that I am aware of, but you should still be
able to change them.
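An added example (not from the original document) of the clean-up that follows a forced demotion: it removes the failed DC's metadata with ntdsutil's single-command form from a healthy DC and then checks for the three leftovers this page names later (the NTDS Settings object, the server object in the site, and the computer object in the Domain Controllers container). It assumes the ActiveDirectory module and Windows Server 2003 SP1 or later; SERVER200 and the site name are taken from the page's sample session, and the helper names are my own.

```powershell
# Added example, not part of the original document. Runs the metadata cleanup
# for a forcibly removed DC in one ntdsutil command and reports which objects
# still need manual removal. SERVER200 and Default-First-Site-Name come from
# the page's sample session; Test-AdObjectExists and Get-FailedDcLeftovers are
# assumed helper names.
Import-Module ActiveDirectory

$failedDc = 'SERVER200'
$siteName = 'Default-First-Site-Name'
$rootDse  = Get-ADRootDSE
$serverDn = "CN=$failedDc,CN=Servers,CN=$siteName,CN=Sites,$($rootDse.configurationNamingContext)"

function Test-AdObjectExists {
    param([string]$DistinguishedName)
    try {
        $null = Get-ADObject -Identity $DistinguishedName -ErrorAction Stop
        return $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $false
    }
}

function Get-FailedDcLeftovers {
    param([string]$ServerDn, [string]$DcName, [string]$DomainDn)
    [pscustomobject]@{
        NtdsSettings   = Test-AdObjectExists "CN=NTDS Settings,$ServerDn"
        ServerObject   = Test-AdObjectExists $ServerDn
        ComputerObject = Test-AdObjectExists "CN=$DcName,OU=Domain Controllers,$DomainDn"
    }
}

# 1. On the server being retired, and only when a normal demotion is impossible:
#       dcpromo /forceremoval
# 2. From any healthy DC in the domain, remove what the forced removal left in
#    the directory. This is the interactive "metadata cleanup" session with the
#    target given on the command line.
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 3. Report what is still there. Anything reported as $true must be removed with
#    Active Directory Sites and Services or Users and Computers before a server
#    with the same name can be promoted again.
Get-FailedDcLeftovers -ServerDn $serverDn -DcName $failedDc -DomainDn $rootDse.defaultNamingContext
```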

Another way out:

Restart the DC in DSRM mode.

a. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

b. In the right pane, double-click ProductType.

c. Type ServerNT in the Value data box, and then click OK.

Restart the server in normal mode.

It is a member server now, but the AD entries are still there. Promote the server to a fake domain, say
ABC.com, and then remove it gracefully using DCpromo.

help:

When you try to remove a domain controller from your Active Directory domain by using
Dcpromo.exe and fail, or when you began to promote a member server to be a Domain
Controller and failed (the reasons for your failure are not important for the scope of this article),
you will be left with remains of the DCs object in the Active Directory. As part of a successful
demotion process, the Dcpromo wizard removes the configuration data for the domain controller
from Active Directory, but as noted above, a failed Dcpromo attempt might leave these objects
in place.

The effects of leaving such remains inside the Active Directory may vary, but one thing is sure:
Whenever you'll try to re-install the server with the same computername and try to promote it to
become a Domain Controller, you will fail because the Dcpromo process will still find the old
object and therefore will refuse to re-create the objects for the new-old server.

In the event that the NTDS Settings object is not removed correctly you can use the Ntdsutil.exe
utility to manually remove the NTDS Settings object.

If you give the new domain controller the same name as the failed computer, then you need
perform only the first procedure to clean up metadata, which removes the NTDS Settings object
of the failed domain controller. If you will give the new domain controller a different name, then
you need to perform all three procedures: clean up metadata, remove the failed server object
from the site, and remove the computer object from the domain controllers container.

You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active
Directory Users and Computers.

Also, make sure that you use an account that is a member of the Enterprise Admins universal
group.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.

To clean up metadata

1. At the command line, type Ntdsutil and press ENTER.

C:\WINDOWS>ntdsutil
ntdsutil:

2. At the Ntdsutil: prompt, type metadata cleanup and press Enter.

ntdsutil: metadata cleanup
metadata cleanup:

3. At the metadata cleanup: prompt, type connections and press Enter.

metadata cleanup: connections
server connections:

4. At the server connections: prompt, type connect to server <servername>, where
<servername> is the domain controller (any functional domain controller in the same
domain) from which you plan to clean up the metadata of the failed domain controller.
Press Enter.

server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:

Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.

5. Type quit and press Enter to return to the metadata cleanup: prompt.

server connections: q
metadata cleanup:

6. Type select operation target and press Enter.

metadata cleanup: Select operation target
select operation target:

7. Type list domains and press Enter. This lists all domains in the forest with a number
associated with each.

select operation target: list domains
Found 1 domain(s)
0 - DC=dpetri,DC=net
select operation target:

8. Type select domain <number>, where <number> is the number corresponding to the
domain in which the failed server was located. Press Enter.

select operation target: Select domain 0
No current site
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:

9. Type list sites and press Enter.

select operation target: List sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:

10. Type select site <number>, where <number> refers to the number of the site in which the
domain controller was a member. Press Enter.

select operation target: Select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:

11. Type list servers in site and press Enter. This will list all servers in that site with a
corresponding number.

select operation target: List servers in site
Found 2 server(s)
0 - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
1 - CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:

12. Type select server <number> and press Enter, where <number> refers to the domain
controller to be removed.

select operation target: Select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
Server - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
DSA object - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
DNS host name - server200.dpetri.net
Computer object - CN=SERVER200,OU=Domain Controllers,DC=dpetri,DC=net
No current Naming Context
select operation target:

13. Type quit and press Enter. The Metadata cleanup menu is displayed.

select operation target: q
metadata cleanup:

14. Type remove selected server and press Enter.

You will receive a warning message. Read it, and if you agree, press Yes.
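Once Ntdsutil reports success, it is worth confirming that none of the three objects survived: a leftover NTDS Settings object keeps the dead server in the replication topology, and a leftover computer account is a domain controller identity that no live machine answers for. The script below is an added example and not part of the original answer; it checks the three distinguished names from the walkthrough above (SERVER200, Default-First-Site-Name and DC=dpetri,DC=net are the page's sample values) using plain ADSI, so it needs only a domain-joined Windows host with PowerShell 3.0 or later and no extra modules. The parameter and function names are mine.

```powershell
# Added example (not from the original page): confirm that the objects the
# metadata cleanup procedure is meant to remove are really gone.
# Sample names come from the walkthrough above; change them for your forest.
param(
    [string]$FailedDc = 'SERVER200',
    [string]$SiteName = 'Default-First-Site-Name',
    [string]$DomainDn = 'DC=dpetri,DC=net'
)

$configDn = "CN=Configuration,$DomainDn"

# The three objects, in the order the answer lists the procedures:
# 1. NTDS Settings object (removed by "remove selected server" in Ntdsutil)
# 2. server object in the site (Active Directory Sites and Services)
# 3. computer object in the Domain Controllers OU (Active Directory Users and Computers)
$targets = [ordered]@{
    'NTDS Settings object'  = "CN=NTDS Settings,CN=$FailedDc,CN=Servers,CN=$SiteName,CN=Sites,$configDn"
    'Server object in site' = "CN=$FailedDc,CN=Servers,CN=$SiteName,CN=Sites,$configDn"
    'Computer object'       = "CN=$FailedDc,OU=Domain Controllers,$DomainDn"
}

function Test-AdObjectPresent {
    param([string]$DistinguishedName)
    # DirectoryEntry.Exists returns $false for a missing DN instead of throwing
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$DistinguishedName")
}

$leftovers = 0
foreach ($entry in $targets.GetEnumerator()) {
    $present = Test-AdObjectPresent -DistinguishedName $entry.Value
    if ($present) { $leftovers++ }
    $state = if ($present) { 'STILL PRESENT' } else { 'removed' }
    '{0,-24} {1,-14} {2}' -f $entry.Key, $state, $entry.Value
}

if ($leftovers -eq 0) {
    'Clean: a new domain controller can reuse the name {0}.' -f $FailedDc
} else {
    '{0} object(s) remain; Dcpromo will refuse to reuse the name {1} until they are removed.' -f $leftovers, $FailedDc
}
```

Run it from any member server after each of the three procedures; if the second or third line still says STILL PRESENT, the server object or computer object has to be deleted by hand in Active Directory Sites and Services or Active Directory Users and Computers, as the answer describes.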

24. What tool would I use to try to grab security related packets from the wire?

Ans

you must use sniffer-detecting tools to help stop the snoops. ...
A good packet sniffer would be "ethereal"

25. Name some OU design considerations.

Ans

OU design requires balancing requirements for delegating administrative rights - independent of Group
Policy needs - and the need to scope the application of Group Policy. The following OU design
recommendations address delegation and scope issues:

Applying Group Policy: An OU is the lowest-level Active Directory container to which you can
assign Group Policy settings.

Delegating administrative authority: usually don't go more than 3 OU levels deep.

26. What is tombstone lifetime attribute?

Ans
The number of days before a deleted object is removed from the directory service. This assists
in removing objects from replicated servers and prevents restores from reintroducing a deleted
object. The value is stored on the Directory Service object in the Configuration naming context (NC).

By default: Windows 2000 - 60 days

Windows Server 2003 - 180 days
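The practical consequence of the tombstone lifetime is that a system state backup older than that many days cannot safely be restored, since the restored DC would reintroduce objects the rest of the forest has already purged. The following added example (not from the original page) reads the attribute from the location the answer names and turns it into that check; it uses plain ADSI, so it runs without the ActiveDirectory module. Function names are mine, and the 70-day backup date at the end is a constructed sample.

```powershell
# Added example (not from the original page): read the effective tombstone
# lifetime from the Directory Service object in the Configuration NC and use it
# to decide whether a system state backup is still young enough to restore from.

function Get-TombstoneLifetimeDays {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext.Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.tombstoneLifetime.Value
    if ($null -eq $value) {
        # Attribute absent: the directory uses the built-in 60-day default
        return 60
    }
    return [int]$value
}

function Test-BackupRestorable {
    param([Parameter(Mandatory)][datetime]$BackupDate)
    $lifetime = Get-TombstoneLifetimeDays
    $ageDays  = [int]((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        TombstoneLifetimeDays = $lifetime
        BackupAgeDays         = $ageDays
        Restorable            = ($ageDays -lt $lifetime)
    }
}

# Usage with a constructed sample date: a backup taken 70 days ago is unusable
# in a 60-day forest but still valid in a 180-day one.
Test-BackupRestorable -BackupDate (Get-Date).AddDays(-70)
```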

27. What do you do to install a new Windows 2003 DC in a Windows 2000 AD?

Ans

If you plan to install Windows Server 2003 domain controllers into an existing Windows 2000
domain, or to upgrade Windows 2000 domain controllers to Windows Server 2003, you first need to
run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema
master and infrastructure master roles. The adprep /forestprep command must first be issued on
the Windows 2000 server holding the schema master role in the forest root domain, to prepare the
existing schema to support Windows Server 2003 Active Directory. The adprep /domainprep command
must then be issued on the server holding the infrastructure master role in the domain where the
Windows Server 2003 domain controller will be deployed.

28. What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

Ans

If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed,
you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display
the Windows 2003 R2 Continue Setup screen.

If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2
version (this is a minor change and mostly related to the new Dfs replication engine). To update
the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the
second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or
Windows 2000 with SP2 (or later). Here's a sample execution of the Adprep /forestprep
command:

D:\CMPNENTS\R2\ADPREP>adprep /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to
Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain
controller corruption.

For more information about preparing your forest and domain see KB article Q331161 at
http://support.microsoft.com.

[User Action] If ALL your existing Windows 2000 domain controllers meet this requirement,
type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to
quit.

C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.....................................................
139 entries modified successfully.

The command has completed successfully
Adprep successfully updated the forest-wide information.

After running Adprep, install R2 by performing these steps:

1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows
2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows
2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered
for R2 must match the underlying OS type, which means if you installed Windows 2003
using a volume-license version key, then you can't use a retail or Microsoft Developer
Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be performed (e.g.,
Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
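The answer above gives two things to verify before and after Adprep: every DC must already run Windows Server 2003 or Windows 2000 with SP2 or later, and the schema version moves from 30 to 31 (the numbers in the captured output). The script below is an added example, not from the original page, that performs both checks with plain ADSI; it only looks at the domain controllers of the current domain, so in a multi-domain forest run it once per domain. Function names are mine.

```powershell
# Added example (not from the original page): pre-flight checks for adprep.
# Schema version values in the comments are the ones shown in the page's
# Adprep output (30 before, 31 after the R2 /forestprep).

function Get-SchemaVersion {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext.Value)"
    return [int]$schema.objectVersion.Value
}

function Get-DomainControllerOs {
    # Domain controller accounts carry the SERVER_TRUST_ACCOUNT bit (8192) in
    # userAccountControl; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext.Value)"
    $searcher.Filter     = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'operatingSystem', 'operatingSystemServicePack'))
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Name        = [string]($result.Properties['name'] | Select-Object -First 1)
            OS          = [string]($result.Properties['operatingSystem'] | Select-Object -First 1)
            ServicePack = [string]($result.Properties['operatingSystemServicePack'] | Select-Object -First 1)
        }
    }
}

function Test-AdprepReady {
    # A DC is acceptable if it runs Windows Server 2003, or Windows 2000 with SP2 or later.
    $dcs      = @(Get-DomainControllerOs)
    $blocking = @($dcs | Where-Object {
        $_.OS -like '*2000*' -and -not ($_.ServicePack -match 'Service Pack [2-9]')
    })
    [pscustomobject]@{
        SchemaVersion     = Get-SchemaVersion      # expect 30 before, 31 after /forestprep
        DomainControllers = $dcs
        BlockingDCs       = $blocking.Name
        Ready             = ($blocking.Count -eq 0)
    }
}

Test-AdprepReady
```

Run Test-AdprepReady before /forestprep (Ready should be True) and again afterwards to confirm that SchemaVersion has moved to the expected value.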

29. How would you find all users that have not logged on since last month?

Ans

Using only native commands, JSILLD.bat produces a sorted, formatted report of users who have not
logged on since YYYYMMDD.

The report is sorted by UserName and lists the user's full name and last logon date.

The syntax for using JSILLD.bat is:


JSILLD \Folder\OutputFile.Ext YYYYMMDD [/N]

where:

YYYYMMDD will report all users who have not logged on since this date.

/N is an optional parameter that will bypass users who have never logged on.

JSILLD.bat contains:

@echo off
setlocal
REM Usage: JSILLD \Folder\OutputFile.Ext YYYYMMDD [/N]
if {%2}=={} goto syntax
if "%3"=="" goto begin
if /i "%3"=="/n" goto begin
:syntax
@echo Syntax: JSILLD File yyyymmdd [/N]
endlocal
goto :EOF
:begin
if /i "%2"=="/n" goto syntax
REM Validate the YYYYMMDD cutoff date
set dte=%2
set XX=%dte:~0,4%
if "%XX%" LSS "1993" goto syntax
set XX=%dte:~4,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "12" goto syntax
set XX=%dte:~6,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "31" goto syntax
set never=X
if /i "%3"=="/n" set never=/n
set file=%1
if exist %file% del /q %file%
REM "net user /domain" lists user names three per line in 25-column fields
for /f "Skip=4 Tokens=*" %%i in ('net user /domain^|findstr /v /c:"----"^|findstr /v /i /c:"The command completed"') do (
 call :parse "%%i"
)
endlocal
goto :EOF
:parse
REM Split one output line into its three user name fields and look each one up
set str=#%1#
set str=%str:#"=%
set str=%str:"#=%
set substr=%str:~0,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~25,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~50,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
goto :EOF
:parse1
REM Pick the "Full Name" and "Last logon" lines out of "net user <name> /domain"
set ustr=%1
if %ustr%=="The command completed successfully." goto :EOF
set ustr=%ustr:"=%
if /i "%ustr:~0,9%"=="Full Name" set fullname=%ustr:~29,99%
if /i not "%ustr:~0,10%"=="Last logon" goto :EOF
set txt=%ustr:~29,99%
for /f "Tokens=1,2,3 Delims=/ " %%i in ('@echo %txt%') do set MM=%%i&set DD=%%j&set YY=%%k
if /i "%MM%"=="Never" goto tstnvr
goto year
:tstnvr
if /i "%never%"=="/n" goto :EOF
goto report
:year
REM Normalise two-digit years: 93-99 become 19xx, 00-92 become 20xx
if "%YY%" GTR "1000" goto mmm
if "%YY%" GTR "92" goto Y19
set /a YY=100%YY%%%100
set /a YY=%YY% + 2000
goto mmm
:Y19
set YY=19%YY%
:mmm
REM Zero-pad month and day so YYYYMMDD strings compare correctly
set /a XX=100%MM%%%100
if %XX% LSS 10 set MM=0%XX%
set /a XX=100%DD%%%100
if %XX% LSS 10 set DD=0%XX%
set YMD=%YY%%MM%%DD%
if "%YMD%" GEQ "%dte%" goto :EOF
:report
set fullname=%fullname% #
set fullname=%fullname:~0,35%
set substr=%substr% #
set substr=%substr:~0,30%
@echo %substr% %fullname% %txt% >> %file%
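JSILLD.bat reads the "Last logon" line of net user, which reports the lastLogon attribute of whichever domain controller answers; that attribute is not replicated, so a user who only ever authenticates against another DC can be reported as never having logged on. The replicated lastLogonTimestamp attribute avoids that, at the cost of being refreshed only when the stored value is more than 14 days old, so its cutoff is approximate. The script below is an added example and not the page's JSILLD.bat; it assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later), which the original text does not mention, and the parameter and function names are mine.

```powershell
# Added example (not the page's JSILLD.bat): the same report built from the
# replicated lastLogonTimestamp attribute instead of "net user" output.
param(
    [datetime]$Since = (Get-Date).AddMonths(-1),   # "since last month"
    [string]$OutFile = '.\inactive-users.txt',
    [switch]$SkipNeverLoggedOn                     # same purpose as JSILLD's /N
)
Import-Module ActiveDirectory

function Get-InactiveUsers {
    param([datetime]$Since, [switch]$SkipNeverLoggedOn)
    # Disabled accounts are skipped; they are already dealt with
    $users = Get-ADUser -Filter { Enabled -eq $true } -Properties DisplayName, lastLogonTimestamp
    foreach ($u in $users) {
        if ($u.lastLogonTimestamp) {
            # lastLogonTimestamp is a Windows FILETIME (100 ns ticks since 1601)
            $last = [datetime]::FromFileTime($u.lastLogonTimestamp)
            if ($last -ge $Since) { continue }        # logged on recently enough
            $lastText = $last.ToString('yyyy-MM-dd')
        }
        else {
            if ($SkipNeverLoggedOn) { continue }
            $lastText = 'Never'
        }
        [pscustomobject]@{
            UserName  = $u.SamAccountName
            FullName  = $u.DisplayName
            LastLogon = $lastText
        }
    }
}

$report = Get-InactiveUsers -Since $Since -SkipNeverLoggedOn:$SkipNeverLoggedOn |
          Sort-Object UserName
$report | Format-Table -AutoSize | Out-String -Width 120 | Set-Content -Path $OutFile
$report
```

The same module also offers Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly as a one-liner; the explicit version above is kept so the "Never" case and the 14-day replication slack are visible in the code.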

30. What are the DS* commands?

Ans

New DS (Directory Service) Family of built-in command line utilities for Windows Server 2003 Active
Directory

New DS built-in tools for Windows Server 2003


The DS (Directory Service) group of commands are split into two families. In one branch are
DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery and DSGet.

When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for
choice. The DS family of built-in command line executables offers alternative strategies to
CSVDE, LDIFDE and VBScript.

Let me introduce you to the members of the DS family:

DSadd - add Active Directory users and groups


DSmod - modify Active Directory objects
DSrm - to delete Active Directory objects
DSmove - to relocate objects
DSQuery - to find objects that match your query attributes
DSget - list the properties of an object
DS Syntax

These DS tools have their own command structure which you can split into five parts:

1. Tool  2. object  3. "DN" (as in LDAP distinguished name)  4. -switch  5. value

For example:

DSadd user "cn=billy, ou=managers, dc=cp, dc=com" -pwd cX49pQba

This will add a user called Billy to the Managers OU and set the password to cX49pQba

Here are some of the common DS switches which work with DSadd and DSmod
-pwd (password) -upn (userPrincipalName) -fn (FirstName) -samid (Sam account name).

The best way to learn about this DS family is to logon at a domain controller and experiment
from the command line. I have prepared examples of the two most common programs. Try some
sample commands for DSadd.
Two most useful Tools: DSQuery and DSGet
The DSQuery and DSGet remind me of UNIX commands in that they operate at the command
line, use powerful verbs, and produce plenty of action. One pre-requisite for getting the most
from this DS family is a working knowledge of LDAP.

If you need to query users or computers from a range of OUs and then return information (for
example office, department or manager), then DSQuery and DSGet would be your tools of choice.
Moreover, you can export the information into a text file.

Or
If you've been working with Active Directory for any length of time, chances are good that at
some point you've wished there were a way to quickly and easily automate certain operations. Of
course, you could tap into Active Directory Services Interface (ADSI) via Windows Script Host
and VBScript and create or download scripts to automate those operations. However,
if programming really isn't your strong point, you could end up spending more time figuring out
the ADSI scripting environment than actually accomplishing your goals.

Fortunately, with Windows Server 2003, Microsoft has brought the task of automating Active
Directory operations within the grasp of every system administrator by including a complete suite
of directory service command-line tools. Now you won't have to delve into the advanced
intricacies of ADSI when you can use something that's as easy to create and use as a batch file.

Author's note

In this article, I'll introduce you to Windows Server 2003's directory service command-line tools
and then get you started on the ground floor. In future articles, I'll take an in-depth look at each
tool and show you how to use them to your advantage when you need to automate certain
operations.

Why use the command line?

If you're using Windows Server 2003, you already know that its Active Directory GUI tools offer
several new and improved features over those in Windows 2000 Server. For example, you now
have drag-and-drop capabilities, multiple-object selection, and the ability to save and
reuse queries. So why would you even want to use the directory service command-line tools?

To answer this question, let's begin by looking at a list of the available tools in the directory
service command-line suite, as shown in Table A. As you look at the list, keep in mind that there
are really only six main tools in the suite, but in this particular arrangement, I've expanded the list
to show the first four main commands, along with the target object on which the command is
designed to operate. The last two commands are designed to work on any target object.
Table A

Command                      Description
Dsadd computer               Adds objects to the directory
Dsadd contact
Dsadd group
Dsadd ou
Dsadd quota
Dsadd user

Dsget computer               Displays properties of objects in the directory
Dsget contact
Dsget group
Dsget ou
Dsget partition
Dsget quota
Dsget server
Dsget site
Dsget subnet
Dsget user

Dsmod computer               Modifies select attributes of an existing object in the directory
Dsmod contact
Dsmod group
Dsmod ou
Dsmod partition
Dsmod quota
Dsmod server
Dsmod user

Dsquery *                    Finds objects in the directory that match a specified search criterion
Dsquery computer
Dsquery contact
Dsquery group
Dsquery ou
Dsquery partition
Dsquery quota
Dsquery server
Dsquery site
Dsquery subnet
Dsquery user

Dsmove                       Moves any object from its current location to a new parent location or
                             renames any object without moving it

Dsrm                         Removes an object, the complete subtree under an object in the directory,
                             or both

Windows Server 2003's directory service command-line tools

We'll examine each tool later in this series, but the point of showing you the complete list now is
to highlight the magnitude of the tools in the suite and to help you get a feel for the types of
operations you can perform with them. Each tool is accompanied by a complete set of general
and command-specific parameters that allow you to further define the type of operation you want
to conduct.

Now, on first glance, you'll immediately see that there are command-line tools for just about
every operation you can execute from within the Active Directory GUI tools. However, once you
begin to delve deeper, you'll discover that, in some cases, it's easier to carry out certain types of
operations from the command line than from the GUI. Dig even further, and you'll discover that
there are some tasks you can accomplish with the command-line tools that just aren't possible
with the GUI tools. Furthermore, once you have a better understanding of how these tools work,
you'll discover that you can indeed automate many common operations quite easily.

You won't want to completely abandon the GUI tools in favor of the command-line tools. Rather,
you'll use the command-line tools to complement the GUI tools.

To take advantage of directory service command-line tools, you must have a good grasp of the
underlying structure of Active Directory. More specifically, you need to understand that every
object in Active Directory can be referenced by several names, and that the command-line tools
rely on one of those names -- the distinguished name -- to locate and work with objects. The other
two names are the relative distinguished name and the canonical name.

When you create an object in Active Directory, the process creates the relative distinguished
name and the canonical name. The distinguished name is then based on the relative distinguished
name and the names of that object's parent containers, including the domains. The distinguished
name identifies the object as well as its location in a tree.

To specify this location, the distinguished name uses the Lightweight Directory Access Protocol
(LDAP) attribute tags listed in Table B. For example, the distinguished name for my user
account, which exists in the Writers organizational unit in the gcs.com domain, would be

CN=Greg Shultz,OU=Writers,DC=gcs,DC=com

Table B

LDAP attribute tag           Description
CN=  Common name             The name given to the object at creation
OU=  Organizational unit     The name of the container
DC=  Domain component        The name of the domain

The LDAP attribute tags used in distinguished names

As you can see, the LDAP attribute tags are used to identify each component in the distinguished
name; they are separated by commas, and the order in which the components appear goes from
the lowest level in the tree to the highest level. The distinguished name tells you exactly where to
find the object in the Active Directory data store.

There are a few rules you need to observe when working with the distinguished name on the
command line:

1. You should get into the habit of enclosing the distinguished name in quotes. (This is really
necessary only if any of the names include spaces; however, making it a habit will save you time
and frustration if you forget.)

2. Do not put spaces between the commas and the object names.

3. While using uppercase letters for the LDAP attribute tags isn't necessary, it does help
delineate the components and make for easier reading.

4. The default Active Directory containers, such as Computers or Users, are essentially
organizational units but are referred to as a common name.

Using Dsquery to reveal distinguished names

Now that you understand how to use the distinguished name to identify the location of the object
you want to work with, you can use the directory service command-line tools to automate your
most common Active Directory management operations. You needn't worry about having to
figure out all the distinguished names on your own -- you can ask the Dsquery command
for assistance.

While I'll get into more detail on the more powerful features of the Dsquery command in a future
article, it's a good place to start becoming more familiar with the distinguished names in your
Active Directory structure. For example, to see the distinguished names for the user accounts
in Active Directory, open the command prompt and type

Dsquery user

To see the distinguished names for the organizational units in Active Directory, type the
command

Dsquery ou

You can try other basic Dsquery commands using the list of target objects shown in Table A.
However, as you do, keep in mind that by default the Dsquery command will display only 100
items. You can expand the number of items displayed by adding the -limit ### parameter and
specifying an upper limit.
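The DS syntax section and the Dsquery section above describe the tools separately; in practice their value comes from chaining them, because dsquery prints quoted distinguished names that dsget and dsmod accept on standard input. The block below is an added example (not from the page or either quoted article) run from a PowerShell prompt on a domain controller or a host with the tools installed. The OU, domain and user name are the page's own dsadd sample (ou=managers, dc=cp, dc=com, billy); the OU=Writers destination in the last step is a constructed value.

```powershell
# Added example (not from the page): chaining the DS tools. Names come from the
# page's dsadd sample; the Writers OU used by dsmove is constructed.

$ou = 'OU=Managers,DC=cp,DC=com'

# 1. Distinguished names of every user under the OU. -limit 0 lifts the
#    100-item default the text warns about; dsquery quotes each DN for you.
$userDns = & dsquery user $ou -limit 0

# 2. Feed those DNs to dsget to see the attributes behind them. The two
#    yes/no flags are the ones to review first in any account audit.
$userDns | & dsget user -samid -upn -disabled -pwdneverexpires

# 3. dsquery's own staleness filter: users with no logon in the last 4 weeks.
& dsquery user $ou -inactive 4 | & dsget user -samid -display

# 4. Create the page's example user. "-pwd *" makes dsadd prompt for the
#    password instead of taking it on the command line, where it would sit
#    in the console history; -mustchpwd yes forces a change at first logon.
& dsadd user "CN=Billy,$ou" -samid billy -pwd * -mustchpwd yes

# 5. Relocate rather than delete: dsmove takes the object's DN and the new parent.
& dsmove "CN=Billy,$ou" -newparent 'OU=Writers,DC=cp,DC=com'
```

Steps 4 and 5 change the directory, so run them against a test OU first; steps 1 to 3 are read-only and are the ones to keep in a scheduled review.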

31. What's the difference between LDIFDE and CSVDE? Usage considerations?

Ans

Ldifde

Ldifde creates, modifies, and deletes directory objects on computers running Windows Server
2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the
schema, export Active Directory user and group information to other applications or services,
and populate Active Directory with data from other directory services.

The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that may
be used for performing batch operations against directories that conform to the LDAP standards.
LDIF can be used to export and import data, allowing batch operations such as add, create, and
modify to be performed against the Active Directory. A utility program called LDIFDE is
included in Windows 2000 to support batch operations based on the LDIF file format standard.
This article is designed to help you better understand how the LDIFDE utility can be used to
migrate directories.

http://support.microsoft.com/kb/237677

Csvde

Imports and exports data from Active Directory Domain Services (AD DS) using files that store
data in the comma-separated value (CSV) format. You can also support batch operations based
on the CSV file format standard.

Csvde is a command-line tool that is built into Windows Server 2008 in the \system32 folder. It
is available if you have the AD DS or Active Directory Lightweight Directory Services (AD
LDS) server role installed. To use csvde, you must run the csvde command from an elevated
command prompt. To open an elevated command prompt, click Start, right-click Command

DIFFERENCE USAGE WISE

Csvde.exe is a Microsoft Windows 2000 command-line utility that is located in the


SystemRoot\System32 folder after you install Windows 2000. Csvde.exe is similar to
Ldifde.exe, but it extracts information in a comma-separated value (CSV) format. You can use
Csvde to import and export Active Directory data that uses the comma-separated value format.
Use a spreadsheet program such as Microsoft Excel to open this .csv file and view the header and
value information. See Microsoft Excel Help for information about functions such as
Concatenate that can simplify the process of building a .csv file.

Note Although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only import
and export Active Directory data by using a comma-separated format (.csv). Microsoft
recommends that you use the Ldifde utility for Modify or Delete operations. Additionally, the
distinguished name (also known as DN) of the item that you are trying to import must be in the
first column of the .csv file or the import will not work.
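To make the difference concrete, the block below does the same export with both tools and then a modify operation, which the text says only Ldifde supports. It is an added example, not from the page or the KB article it quotes; the search base and user DN are the page's gcs.com sample from the DS-tools answer, the description text is a constructed value, and the file names are mine.

```powershell
# Added example (not from the page): CSVDE and LDIFDE side by side.
# The OU and user DN are the page's gcs.com sample; the description value is constructed.

$searchBase = 'OU=Writers,DC=gcs,DC=com'
$attrs      = 'sAMAccountName,displayName,userPrincipalName'

# Export with Csvde: -d search base, -r LDAP filter, -l attribute list, -f output file.
# The DN is written as the first column, which is what a later "csvde -i" import requires.
& csvde -f writers.csv -d $searchBase -r '(objectClass=user)' -l $attrs

# The same export in LDIF form.
& ldifde -f writers.ldf -d $searchBase -r '(objectClass=user)' -l $attrs

# A modify operation: CSV has no way to say "replace this one attribute", LDIF does.
# Each modify record ends with a line containing only "-", as the LDIF syntax requires.
$ldif = @"
dn: CN=Greg Shultz,OU=Writers,DC=gcs,DC=com
changetype: modify
replace: description
description: Technical writer (constructed sample value)
-
"@
Set-Content -Path modify-description.ldf -Value $ldif -Encoding ASCII

# Import the change file. -i selects import mode; without it ldifde exports.
& ldifde -i -f modify-description.ldf
```

Neither tool exports passwords, and the exported files contain every attribute you asked for in clear text, so treat writers.csv and writers.ldf as sensitive and delete them once the import or migration is done.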

The source .csv file can come from an Exchange Server directory export. However, because of
the difference in attribute mappings between the Exchange Server directory and Active
Directory, you must make some modifications to the .csv file. For example, a directory export
from Exchange Server has a column that is named "obj-class" that you must rename to
"objectClass." You must also rename "Display Name" to "displayName."

32. What are the FSMO roles? Who has them by default? What happens when each one
fails?

Ans

FSMO stands for Flexible Single Master Operation.

It has five roles:

Schema Master:

The schema master domain controller controls all updates and modifications to the schema.
Once the Schema update is complete, it is replicated from the schema master to all other DCs in
the directory. To update the schema of a forest, you must have access to the schema master.
There can be only one schema master in the whole forest.

Domain naming master:

The domain naming master domain controller controls the addition or removal of domains in
the forest. This DC is the only one that can add or remove a domain from the directory. It can
also add or remove cross references to domains in external directories. There can be only one
domain naming master in the whole forest.

Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents
the reference by the GUID, the SID (for references to security principals), and the DN of the
object being referenced. The infrastructure FSMO role holder is the DC responsible for updating
an object's SID and distinguished name in a cross-domain object reference. At any one time,
there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a
Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will
stop updating object information because it does not contain any references to objects that it
does not hold. This is because a Global Catalog server holds a partial replica of every object in
the forest. As a result, cross-domain object references in that domain will not be updated and a
warning to that effect will be logged on that DC's event log. If all the domain controllers in a
domain also host the global catalog, all the domain controllers have the current data, and it is
not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for
all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID
created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign
to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that
DC issues a request for additional RIDs to the domain's RID master. The domain RID master
responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns
them to the pool of the requesting DC. At any one time, there can be only one domain controller
acting as the RID master in the domain.

PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003


includes the W32Time (Windows Time) time service that is required by the Kerberos
authentication protocol. All Windows 2000/2003-based computers within an enterprise use a
common time. The purpose of the time service is to ensure that the Windows Time service uses
a hierarchical relationship that controls authority and does not permit loops to ensure
appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of
the forest becomes authoritative for the enterprise, and should be configured to gather the time
from an external source. All PDC FSMO role holders follow the hierarchy of domains in the
selection of their in-bound time partner.

In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the
PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password


are forwarded to the PDC emulator before a bad password failure message is reported to the
user.

Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the
PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-
based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member
servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to
Windows 2000/2003. The PDC emulator still performs the other functions as described in a
Windows 2000/2003 environment.

If each one of them fails, the effects are as follows:

Schema Master - Schema updates are not available - These are generally planned changes and the first
step when doing a schema change is normally something like "make sure your environment is healthy".
There isn't any urgency if the schema master fails, having it offline is largely irrelevant until you want to
make a schema change.

Domain Naming Master - No new domains or application partitions can be added - This sort of falls into
the same "healthy environment" bucket as the schema master. When we upgraded the first DC to a beta
Server 2003 OS which included the code to create the DNS application partitions, we couldn't figure why
they weren't instantiated until we realized that the server hosting the DNM was offline (being upgraded)
at the same time.

Infrastructure Master - No cross domain updates, can't run any domain preps - Domain preps are planned
(again). But no cross-domain updates. That could be important if you have a multi-domain environment
with a lot of changes occurring.

RID Master - New RID pools unable to be issued to DCs - This gets a bit more complicated, but let me
see if I can make it easy. Every DC is initially issued 500 RIDs. When it gets down to 50% (250) it requests
a second pool of RIDs from the RID master. So when the RID master goes offline, every DC has
anywhere between 250 and 750 RIDs available (depending on whether it's hit 50% and received the new
pool).

PDC - Time, logins, password changes, trusts - So we made it to the bottom of the list, and by this point
you've figured that the PDC has to be the most urgent FSMO role holder to get back online. The rest of
them can be offline for varying amounts of time with no impact at all. Users may see funky behavior if
they changed their password, but replication will probably have completed before they call the help
desk so nothing to worry about, and trusts go back to that whole "healthy forest" thing again.
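The answer above states two placement rules that are easy to check mechanically: the Infrastructure Master should not sit on a Global Catalog unless every DC in the domain is one, and the forest-root PDC emulator should take its time from an external source. The script below is an added example, not from the page, that lists the five role holders and applies both rules. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later), which the original text does not mention; the function names are mine. Older environments get the first part from netdom query fsmo.

```powershell
# Added example (not from the page): list FSMO role holders and apply the
# Infrastructure Master and PDC emulator placement rules stated in the answer.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster         # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster   # forest-wide
        PDCEmulator          = $domain.PDCEmulator          # per domain
        RIDMaster            = $domain.RIDMaster            # per domain
        InfrastructureMaster = $domain.InfrastructureMaster # per domain
    }
}

function Test-InfrastructureMasterPlacement {
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter *)
    $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc  = (@($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0)

    if (-not $im.IsGlobalCatalog) {
        return 'OK: the Infrastructure Master is not a Global Catalog.'
    }
    if ($allGc) {
        return 'OK: every DC is a Global Catalog, so Infrastructure Master placement does not matter.'
    }
    return ('WARNING: {0} holds the Infrastructure Master role and is a Global Catalog while other ' +
            'DCs are not; cross-domain object references in this domain will stop being updated.') -f
            $domain.InfrastructureMaster
}

function Test-PdcTimeSource {
    # The forest-root PDC emulator is the top of the time hierarchy; w32tm reports its source.
    $rootPdc = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    $source  = (& w32tm /query /computer:$rootPdc /source) -join ''
    [pscustomobject]@{
        RootPdcEmulator = $rootPdc
        TimeSource      = $source
        # "Local CMOS Clock" or "Free-running System Clock" means no external source is set
        ExternalSource  = ($source -notmatch 'CMOS Clock|Free-running')
    }
}

Get-FsmoRoleHolders
Test-InfrastructureMasterPlacement
Test-PdcTimeSource
```

A role holder that has been offline for more than a replication cycle is also worth comparing against what each DC believes, since a seized role leaves the old holder convinced it still owns it; Get-ADDomain run with -Server against each DC shows whether they agree.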

OR

Introduction

In a Windows 2000 domain environment, all of the domain controllers are peers. There
are no PDCs and BDCs that you find in a Windows NT domain. All Windows 2000
domain controllers contain a writable replica (or copy) of the Active Directory
Database, and unlike the hierarchical server structure in a Windows NT domain (the
PDC with subordinate BDCs), all domain controllers are equal.
The ability of all domain controllers in a Windows 2000 domain to update Active
Directory, and then replicate it out to the other DCs, is referred to as Multimaster
Replication. Compare that to a Windows NT domain which uses Single Master
replication - the PDC has the only writable copy of the SAM and all updates can only
happen at the PDC.
(The SAM, Security Accounts Database, is replaced by the Active Directory Database
in Windows 2000.)

So why are there FSMO server roles? Since each DC in a Windows 2000 domain can
update the Active Directory, which then gets replicated to all other DCs, what happens
if more than one person is making the same change to Active Directory at the same
time? There are certain rules that are followed to prevent conflicts in updating the AD
database, but some changes are too important to the domain to be left to these rules.
Because of this, Microsoft came up with the idea of the Flexible Single Master
Operations server roles. The servers that hold these FSMO roles are responsible for
updating certain aspects of Active Directory. By making designated servers
responsible for certain updates, instead of allowing every server to make all updates,
you prevent conflicts in Active Directory updates.

In a Windows 2000 Domain environment, there are 5 server roles that are necessary for
the proper functioning of the forest/domain (or Active Directory). These 5 server roles
are collectively known as the Flexible Single Master Operations Roles or FSMO roles.
All FSMO server roles exist on Domain Controllers. They do not exist on member
servers. Two of the server roles exist at the Forest level and 3 server roles exist at the
Domain level.

For example: If your Active Directory contains one forest and 1 domain, you would
have 5 FSMO role holders. If your AD contained one forest and 2 domains, you would
have 8 FSMO role holders - two at the forest level and 3 for each domain. Likewise,
for an AD with one forest and 3 domains, you would have 11 server roles - two at the
forest level and 3 for each domain.

FSMO Roles

The 5 FSMO server roles:

Role                    Scope          Count
Schema Master           Forest level   One per forest
Domain Naming Master    Forest level   One per forest
PDC Emulator            Domain level   One per domain
RID Master              Domain level   One per domain
Infrastructure Master   Domain level   One per domain

1.  Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for
performing updates to the active directory schema.  It contains the only writable
copy of the AD schema.  This DC is the only one that can process updates to the
directory schema, and once the schema update is complete, it is replicated from
the schema master to all other DCs in the forest. There is only one schema master
in the forest.

2.  Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making
changes to the forest-wide domain name space of the directory.  This DC is the only
one that can add or remove a domain from the directory, and that is its major
purpose.  It can also add or remove cross references to domains in external
directories.  There is only one domain naming master in the active directory or
forest.

3.  PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following
functions:
 Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator first.
 Authentication failures that occur at a given DC in a domain because of an
incorrect password are forwarded to the PDC emulator for validation before a bad
password failure message is reported to the user.
 Account lockout is processed on the PDC emulator.
 Time synchronization for the domain (the PDC emulator of the forest root domain is
the authoritative time source for the whole forest).
 Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4
BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as
a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode
domain. This is not true.  Even after you have changed your domain to native mode
(no more NT 4 domain controllers), the PDC emulator is still necessary for the
reasons above.

4.  RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID
pool requests from all DCs within a given domain. It is also responsible for removing
an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or
computer account, it attaches a unique security identifier (SID) to the object. This
SID consists of a domain SID (the same for all SIDs created in a domain)
and a relative ID (RID) that makes the object unique in the domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it
assigns to the security principals it creates. When a DC's allocated RID pool
falls below a threshold, that DC issues a request for additional RIDs to the
domain's RID master. The RID master responds to the request by
retrieving RIDs from the domain's unallocated RID pool and assigning them to
the pool of the requesting DC. Because every RID in the domain is handed out from
this single unallocated pool, two DCs can never legitimately issue the same SID.

There is one RID master per domain in a directory.


5.  Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross
domain updates and lookups.  When an object in one domain is referenced by
another object in another domain, it represents the reference by the GUID, the SID
(for references to security principals), and the distinguished name (DN) of the
object being referenced. The Infrastructure role holder is the DC responsible for
updating an object's SID and distinguished name in a cross-domain object
reference.

When a user in DomainA is added to a group in DomainB, then the Infrastructure
master is involved.  Likewise, if that user in DomainA, who has been added to a
group in DomainB, then changes his username in DomainA, the Infrastructure
master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible.
Since schema updates are rare (usually done by certain
applications and possibly an Administrator adding an attribute
to an object), the malfunction of the server holding the
Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or
removing a domain from the forest (i.e. running DCPROMO to create the first DC of a
new domain or to demote the last DC of an existing one). If it is not, then the domain
cannot be added or removed.  Adding a further DC to an existing domain does not need it.
Like the Schema Master, this functionality is only used on occasion and is not critical
unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most
problems if it is unavailable.  This would be most noticeable in
a mixed mode domain where you are still running NT 4 BDCs
and if you are using downlevel clients (NT and Win9x). Since
the PDC emulator acts as a NT 4 PDC, any actions that
depend on the PDC would be affected (User Manager for
Domains, Server Manager, changing passwords, browsing and
BDC replication).
In a native mode domain the failure is less visible because every DC can still
authenticate users and accept password changes, but no other DC takes over the PDC
emulator's duties automatically: until the role is transferred or seized the domain
has no authoritative time source, bad-password attempts are no longer checked against
the PDC emulator for recently changed passwords, and Group Policy editing (which
connects to the PDC emulator by default) fails or must be redirected to another DC.

RID Master: The RID Master provides RIDs for security principals (users,
groups, computer accounts). The failure of this FSMO server
would have little impact unless you are adding a very large
number of users or groups.
Each DC in the domain has a pool of RIDs already, and a
problem would occur only if the DC you are adding the
users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain
environment. If you only have one domain, then the
Infrastructure Master is irrelevant.  Failure of this server in a
multi-domain environment would be a problem when objects from other domains that
are members of groups in this domain are renamed or moved: the group memberships
would not be updated and the members may show up as raw SIDs or under old names.

Placing FSMO Server Roles    

So where are these FSMO server roles found?  Is there a one to one relationship
between the server roles and the number of servers that house them?

The first domain controller that is installed in a Windows 2000 domain, by default,
holds all five of the FSMO server roles.  Then, as more domain controllers are added to
the domain, the FSMO roles can be moved to other domain controllers.  Moving a
FSMO server role is a manual process, it does not happen automatically.  But what if
you only have one domain controller in your domain?  That is fine. If you have only
one domain controller in your organization then you have one forest, one domain, and
of course the one domain controller.  All 5 FSMO server roles will exist on that DC.
There is no rule that says you have to have one server for each FSMO server role.

However, it is always a good idea to have more than one domain controller in a domain
for a number of reasons.  Assuming you do have multiple domain controllers in your
domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server,
and that machine should be a Global Catalog server.   Since all three are, by default, on
the first domain controller installed in a forest, you can leave them as they are.
Note: According to MS, the Domain Naming master needs to be on a Global Catalog
Server (this applies to Windows 2000 forests; see the note on forest functional level
further down).  If you are going to separate the Domain Naming master and Schema
master, just make sure they are both on Global Catalog servers.
The Infrastructure Master should not be on the same server that acts as a Global
Catalog server.
The reason for this is that the Global Catalog contains a partial replica of every object
in the forest. The Infrastructure Master, which is responsible for updating Active
Directory information about cross domain object changes, detects stale references by
comparing them against the objects it does not hold, and contacts a Global Catalog
server for the current data.  If the Infrastructure Master is itself a Global Catalog
server, it holds a copy of every referenced object, never sees a reference as stale, and
therefore never replicates updated cross-domain references to the other domain
controllers in its domain.
Note: In a single domain environment this is not an issue.  It is also not an issue when
every domain controller in the domain is a Global Catalog server, because then every
DC already holds the current data and there is nothing for the Infrastructure Master
to update.

Microsoft also recommends that the PDC Emulator and RID Master be on the same
server.  This is not mandatory like the Infrastructure Master and the Global Catalog
server above, but is recommended. Also, since the PDC Emulator will receive more
traffic than any other FSMO role holder, it should be on a server that can handle the
load.

It is also recommended that all FSMO role holders be direct replication partners and
that they have high bandwidth connections to one another as well as to a Global Catalog
server.

FSMO Tools    

How do you find out which servers in your domain/forest hold which server roles?  How do
you move a server role from one server to another?  There are several tools that can be
used for this.

Permissions

Before you can transfer a role, you must have the appropriate permissions depending
on which role you plan to transfer:

Schema Master           member of the Schema Admins group
Domain Naming Master    member of the Enterprise Admins group
PDC Emulator            member of the Domain Admins group and/or the Enterprise Admins group
RID Master              member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master   member of the Domain Admins group and/or the Enterprise Admins group

Active Directory Users and Computers - use this snap-in to find out where the
domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure
Master), and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to
view the FSMO roles for and click "Operations Masters".  A dialog box will
open with three tabs, one for each FSMO role.  Click each tab to see what server that
role resides on.  To change a server role, you must first connect to the domain
controller you want to move it to.  Do this by right clicking "Active Directory Users
and Computers" at the top of the Active Directory Users and Computers snap-in and
choosing "Connect to Domain Controller".  Once connected to the DC, go back into the
Operations Masters dialog box, choose a role to move and click the Change button.
When you have connected to another DC, the name of that DC appears in the
field below the Change button.
Active Directory Domains and Trusts - use this snap-in to find out where the
Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the Domain level FSMO
roles in Active Directory Users and Computers, except you use the Active Directory
Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click
"Active Directory Domains and Trusts" at the top of the tree, and choose "Operations
Master".  A dialog box shows the current Domain Naming Master. Changing the server that
houses the Domain Naming Master requires that you first connect to the new domain
controller, then click the Change button.  You can connect to another domain controller
by right clicking "Active Directory Domains and Trusts" at the top of the Active
Directory Domains and Trusts snap-in and choosing "Connect to Domain Controller".
Active Directory Schema - this snap-in is used to view and change the Schema Master
FSMO role. However, the Active Directory Schema snap-in does not appear in the list of
snap-ins by default: its DLL (schmmgmt.dll) is part of the Windows 2000 Server
administrative tools but is not registered.  Register it once from a command prompt with
"regsvr32 schmmgmt.dll" (on a workstation, install the Administrative Tools pack,
adminpak.msi, first).  Then open up a blank Microsoft Management Console (Start, Run,
mmc) and add the snap-in to the console.  Once the snap-in is open, right click "Active
Directory Schema" at the top of the tree and choose "Operations Masters".  A dialog box
shows the current Schema Master.
Changing the server the Schema Master resides on requires that you first connect to
another domain controller, and then click the Change button.
You can connect to another domain controller by right clicking "Active Directory
Schema" at the top of the Active Directory Schema snap-in and choosing "Connect to
Domain Controller".
More Tools

In addition to the tools mentioned above, there are other tools that can be used to view
the FSMO server roles.  Perhaps the easiest and fastest way to find out what server
holds what FSMO role is the Netdom command line utility.  The Netdom utility is only
available if you have installed the Support Tools from the Windows 2000 CD or the
Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window and
type:

netdom query fsmo

and press Enter.  You will see the five roles and the server holding each of them.

Another tool that comes with the Support Tools is the Active Directory Replication
Monitor (replmon).  Open this utility from Start, Programs, Windows 2000 Support Tools.
Once open, click Edit, Add Monitored Server and add the name of a Domain Controller.
Once added, right click the server name and choose Properties.  Click the FSMO Roles
tab to view the servers holding the 5 FSMO roles. You cannot change roles
using Replication Monitor, but this tool has many other useful purposes in regard to
Active Directory information.  It is something you should check out if you haven't
already.
Finally, you can use the Ntdsutil.exe utility to gather information about and change
servers for FSMO roles.  Ntdsutil.exe is a command line utility that is installed with
Windows 2000 Server; the exact command sequence for transferring and seizing roles is
given under question 35 below.

33. What FSMO placement considerations do you know of?

Ans

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot
(or actually, on the same DC) as has been configured by the Active Directory installation
process. However, there are scenarios where an administrator would want to move one or more
of the FSMO roles from the default holder DC to a different DC.

Single Domain Forest


In a single domain forest, leave all of the FSMO roles on the first domain controller in the forest.

You should also configure every domain controller as a Global Catalog server. In a single
domain forest this places no additional replication load on the DCs (there are no other
domains whose partial replicas a GC would have to hold), while allowing GC-related
applications (such as Exchange Server) to perform GC queries against any DC.

Multiple Domain Forest

In a multiple domain forest, use the following guidelines:

 In the forest root domain:


 If all domain controllers are also global catalog servers, leave all of the FSMO
roles on the first DC in the forest.
 If all domain controllers are not also global catalog servers, move all of the
FSMO roles to a DC that is not a global catalog server.
 In each child domain, leave the PDC emulator, RID master, and Infrastructure master
roles on the first DC in the domain, and ensure that this DC is never designated as a
global catalog server (unless the child domain only contains one DC, then you have no
choice but to leave it in place).

Configure a standby operations master - For each server that holds one or more operations
master roles, make another DC in the same domain available as a standby operations master.
Making a DC a standby operations master involves the following actions:

 The standby operations master should not be a global catalog server except in a single
domain environment, where all domain controllers are also global catalog servers.
 The standby operations master should have a manually created replication connection to
the domain controller that it is the standby operations master for, and it should be in the
same site.
 Configure the RID master as a direct replication partner with the standby or backup RID
master. This configuration reduces the risk of losing data when you seize the role because
it minimizes replication latency.

To create a connection object on the current operations master:

1. In Active Directory Sites and Services snap-in, in the console tree in the left pane, expand
the Sites folder to see the list of available sites.
2. Expand the site name in which the current role holder is located to display the Servers
folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations master role to
display NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the standby operations
master then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the connection
object or accept the default name and click OK.

To create a connection object on the standby operations master perform the same procedure as
above, and point the connection to the current FSMO role holder.

Note regarding Windows 2000 Active Directory domains: If the forest is set to a functional
level of Windows 2000 native, you must locate the domain naming master on a server that hosts
the global catalog. If the forest is set to a functional level of Windows Server 2003, it is not
necessary for the domain naming master to be on a global catalog server.

Server performance and availability

Most FSMO roles require that the domain controller that holds the roles be:

Highly available server - FSMO functions require that the FSMO role holder is highly available
at all times. A highly available DC is one that uses computer hardware that enables it to remain
operational even during a hardware failure. For example, having a RAID1 or RAID5
configuration enables the server to keep running even if one hard disk fails.

Although most FSMO losses can be dealt with within a matter of hours (or even days at some
cases), some FSMO roles, such as the PDC Emulator role, should never be offline for more than
a few minutes at a time.

What will happen if you keep a FSMO role offline for a long period of time? This table has the info:

FSMO Role               Loss implications

Schema Master           The schema cannot be extended. However, in the short term no one
                        will notice a missing Schema Master unless you plan a schema
                        upgrade during that time.

Domain Naming Master    Unless you are going to run DCPROMO to add or remove a domain,
                        you will not miss this FSMO role.

RID Master              Chances are good that the existing DCs will have enough unused RIDs
                        to last some time, unless you're building hundreds of user or
                        computer objects per week.

PDC Emulator            Will be missed soon. NT 4.0 BDCs will not be able to replicate, there
                        will be no time synchronization in the domain, you will probably not
                        be able to change or troubleshoot group policies, and password
                        changes will become a problem.

Infrastructure Master   Group memberships may be incomplete. If you only have one domain,
                        then there will be no impact.

Not necessarily high capacity server - A high-capacity domain controller is one that has
comparatively higher processing power than other domain controllers to accommodate the
additional work load of holding the operations master role. It has a faster CPU and possibly
additional memory and network bandwidth. FSMO roles usually do not place stress on the
server's hardware.

One exception is the performance of the PDC Emulator, mainly when used in Windows 2000
Mixed mode along with old NT 4.0 BDCs. That is why you should:

 Increase the DC's processing power.
 Not make the DC a global catalog server.
 Reduce the priority and the weight of the DC's service (SRV) records in DNS to give
preference for authentication to other domain controllers in the site.
 Not require that the standby domain controller be a direct replication partner (seizing
the PDC emulator role does not result in lost data, so there is no need to reduce
replication latency for a seize operation).
 Centrally locate this DC near the majority of the domain users.
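The placement rules above (Infrastructure Master not on a GC unless every DC is a GC, Domain Naming Master on a GC at Windows 2000 forest level, Schema and Domain Naming together, PDC and RID together) can be checked mechanically. The following PowerShell is an added example written for this page; it is not code from the original article or from Microsoft. The live path assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 and later); the host names DC01/DC02 and the domain corp.example in the sample inventory are made up so the check can be tried without a forest.

```powershell
# Added example: audit FSMO placement against the rules in this section.
# Get-FsmoInventory needs the ActiveDirectory module; Test-FsmoPlacement works
# on plain objects, so it can be exercised offline with the constructed sample.

function Get-FsmoInventory {
    # Role holders of the forest and of the current domain, plus GC status of its DCs.
    Import-Module ActiveDirectory -ErrorAction Stop
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter *)      # DCs of the current domain only
    [pscustomobject]@{
        ForestMode           = [string]$forest.ForestMode   # e.g. Windows2000Forest
        DomainCount          = @($forest.Domains).Count
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        AllDCs               = @($dcs | ForEach-Object { $_.HostName })
        GlobalCatalogs       = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })
    }
}

function Test-FsmoPlacement {
    # Returns one string per violated rule; an empty array means the placement is clean.
    param([Parameter(Mandatory)] $Inv)
    $findings    = New-Object System.Collections.Generic.List[string]
    $gcs         = @($Inv.GlobalCatalogs)
    $everyDcIsGc = @($Inv.AllDCs | Where-Object { $gcs -notcontains $_ }).Count -eq 0

    # Rule: in a multi-domain forest the Infrastructure Master must not be a GC,
    # unless every DC of the domain is a GC (then there is nothing left to fix up).
    if ($Inv.DomainCount -gt 1 -and -not $everyDcIsGc -and $gcs -contains $Inv.InfrastructureMaster) {
        $findings.Add("Infrastructure Master $($Inv.InfrastructureMaster) is a global catalog in a multi-domain forest; cross-domain references will not be updated.")
    }
    # Rule: at Windows 2000 forest functional level the Domain Naming Master must be a GC.
    if ($Inv.ForestMode -eq 'Windows2000Forest' -and $gcs -notcontains $Inv.DomainNamingMaster) {
        $findings.Add("Domain Naming Master $($Inv.DomainNamingMaster) is not a global catalog (required at Windows 2000 forest functional level).")
    }
    # Recommendations: Schema + Domain Naming on one DC, PDC + RID on one DC.
    if ($Inv.SchemaMaster -ne $Inv.DomainNamingMaster) {
        $findings.Add('Schema Master and Domain Naming Master are on different DCs (recommended: same DC).')
    }
    if ($Inv.PDCEmulator -ne $Inv.RIDMaster) {
        $findings.Add('PDC Emulator and RID Master are on different DCs (recommended: same DC).')
    }
    return ,$findings.ToArray()
}

# Constructed inventory (hypothetical names): two-domain forest, first DC holds all
# five roles and is the only GC of its domain, so the Infrastructure Master rule fires.
$sample = [pscustomobject]@{
    ForestMode = 'Windows2003Forest'; DomainCount = 2
    SchemaMaster = 'DC01.corp.example'; DomainNamingMaster = 'DC01.corp.example'
    PDCEmulator  = 'DC01.corp.example'; RIDMaster          = 'DC01.corp.example'
    InfrastructureMaster = 'DC01.corp.example'
    AllDCs         = @('DC01.corp.example', 'DC02.corp.example')
    GlobalCatalogs = @('DC01.corp.example')
}
Test-FsmoPlacement -Inv $sample        # one finding, about the Infrastructure Master

# Against a real forest: Test-FsmoPlacement -Inv (Get-FsmoInventory)
```

Get-ADDomainController -Filter * only enumerates the domain you are logged on to, so in a multi-domain forest run the audit once per domain (or pass -Server to a DC of each child domain); the forest-level checks are the same from anywhere.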

34. I want to look at the RID allocation table for a DC. What do I do?

Ans

1. Install the Support Tools from the OS installation disk (\Support\Tools\suptools.msi).

2. At a command prompt type dcdiag /test:ridmanager /s:system1 /v (where system1 is the name
of the DC to query). The verbose output lists that DC's rIDAllocationPool,
rIDPreviousAllocationPool and rIDNextRID values and the domain's available RID pool.
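The values dcdiag prints are stored as 64-bit integers in which the low 32 bits are the first RID of a range and the high 32 bits the last. The PowerShell below is an added example for this page (not from the original answer or from Microsoft) that decodes those attributes directly from the RID Set object and from the domain's RID Manager$ object; it assumes the ActiveDirectory module for the two live functions, while Split-RidPool and the constructed value at the end need no domain at all.

```powershell
# Added example: read and decode the RID allocation attributes that
# dcdiag /test:ridmanager reports. Pool attributes are 64-bit: low dword =
# first RID of the range, high dword = last RID of the range.

$Mask32 = [int64]4294967295   # 0xFFFFFFFF as Int64 (a bare 0xFFFFFFFF literal is Int32 -1 in PowerShell)

function Split-RidPool {
    param([Parameter(Mandatory)] [int64]$Pool)
    [pscustomobject]@{
        Start = $Pool -band $Mask32
        End   = ($Pool -shr 32) -band $Mask32
    }
}

function Get-RidSet {
    # Per-DC allocation: the DC's computer object points (rIDSetReferences) at its
    # "CN=RID Set" child object, which carries the pool attributes.
    param([Parameter(Mandatory)] [string]$DcName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $dc   = Get-ADDomainController -Identity $DcName
    $comp = Get-ADObject -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
    $set  = Get-ADObject -Identity ([string]$comp.rIDSetReferences[0]) `
                -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $cur  = Split-RidPool $set.rIDAllocationPool           # most recently granted pool
    $prev = Split-RidPool $set.rIDPreviousAllocationPool   # pool RIDs are currently taken from
    [pscustomobject]@{
        DC           = $dc.HostName
        CurrentPool  = "$($cur.Start)-$($cur.End)"
        PreviousPool = "$($prev.Start)-$($prev.End)"
        NextRid      = [int64]$set.rIDNextRID               # allocation position inside PreviousPool
        RidsLeft     = $prev.End - [int64]$set.rIDNextRID   # approximate (within one)
    }
}

function Get-DomainRidAvailable {
    # Domain-wide unallocated pool, maintained by the RID master on CN=RID Manager$.
    Import-Module ActiveDirectory -ErrorAction Stop
    $d   = Get-ADDomain
    $mgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $d.DistinguishedName) `
               -Properties rIDAvailablePool
    $p   = Split-RidPool $mgr.rIDAvailablePool
    [pscustomobject]@{
        RidMaster          = $d.RIDMaster
        NextUnallocatedRid = $p.Start
        MaxRid             = $p.End        # 1073741823 (30 bits) on a default domain
    }
}

# Constructed value, no domain needed: (2099 shl 32) + 1600 encodes the range 1600-2099.
Split-RidPool -Pool (([int64]2099 -shl 32) + 1600)     # Start 1600, End 2099

# Live use, e.g.:  Get-RidSet -DcName DC01 ; Get-DomainRidAvailable
```

Comparing NextUnallocatedRid on the RID Manager$ object with the ranges each DC holds is the quickest way to confirm that no two DCs were ever handed overlapping pools, which is exactly the damage a resurrected former RID master can cause (see question 35).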

35. What's the difference between transferring a FSMO role and seizing one? Which
one should you NOT seize? Why?

Ans

Seizing an FSMO can be a destructive process and should only be attempted if the existing server
with the FSMO is no longer available.

If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO
NOT seize the Schema Master role.

If you are going to seize the Schema Master, you must permanently disconnect the current Schema
Master from the network.

If you seize the Schema Master role, the boot drive on the original Schema Master must be
completely reformatted and the operating system must be cleanly installed, if you intend to return
this computer to the network.
NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition
that contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain
controller in the forest root domain. The first domain controller in each new child or tree domain is
assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they
are reassigned by using one of the following methods:

 An administrator reassigns the role by using a GUI administrative tool.
 An administrator reassigns the role by using the ntdsutil /roles command.
 An administrator gracefully demotes a role-holding domain controller by using the Active
Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain
controller in the forest. Demotions that are performed by using the dcpromo /forceremoval
command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

 The current role holder is operational and can be accessed on the network by the new FSMO
owner.
 You are gracefully demoting a domain controller that currently owns FSMO roles that you want
to assign to a specific domain controller in your Active Directory forest.

 The domain controller that currently owns FSMO roles is being taken offline for scheduled
maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This
may be required to perform operations that connect to the FSMO owner. This would be
especially true for the PDC Emulator role but less true for the RID master role, the Domain
naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

 The current role holder is experiencing an operational error that prevents an FSMO-dependent
operation from completing successfully and that role cannot be transferred.
 A domain controller that owns an FSMO role is force-demoted by using the dcpromo
/forceremoval command.
 The operating system on the computer that originally owned a specific role no longer exists or
has been reinstalled.
As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge
of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the
best candidate domain controller is one that is in the appropriate domain and that last inbound-
replicated, or recently inbound-replicated, a writable copy of the "FSMO partition" from the
existing role holder. For example, the Schema master role holder has a distinguished name path
of CN=Schema,CN=Configuration,DC=<forest root domain>, which means that the role resides in
and is replicated as part of the CN=Schema partition. If the domain controller that holds the
Schema master role experiences a hardware or software failure, a good candidate role holder
would be a domain controller in the root domain and in the same Active Directory site as the
current owner. Domain controllers in the same Active Directory site perform inbound replication
within minutes of a change (a 5 minute notification delay on Windows 2000, 15 seconds on
Windows Server 2003), so such a DC is the least likely to be missing recent updates.

The partition for each FSMO role is in the following list:

FSMO role               Partition
Schema                  CN=Schema,CN=Configuration,DC=<forest root domain>
Domain Naming Master    CN=Configuration,DC=<forest root domain>
PDC                     DC=<domain>
RID                     DC=<domain>
Infrastructure          DC=<domain>

A domain controller whose FSMO roles have been seized should not be permitted to
communicate with existing domain controllers in the forest. In this scenario, you should either
format the hard disk and reinstall the operating system on such domain controllers or forcibly
demote such domain controllers on a private network and then remove their metadata on a
surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The
risk of introducing a former FSMO role holder whose role has been seized into the forest is that
the original role holder may continue to operate as before until it inbound-replicates knowledge
of the role seizure. Known risks of two domain controllers owning the same FSMO roles include
creating security principals that have overlapping RID pools, and other problems.

Transfer FSMO roles


To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or
domain controller that is located in the forest where FSMO roles are being transferred. We
recommend that you log on to the domain controller that you are assigning FSMO roles to. The
logged-on user should be a member of the Schema Admins group to transfer the Schema master
role, a member of the Enterprise Admins group to transfer the Domain naming master role, or a
member of the Domain Admins group of the domain where the PDC emulator, RID master and
the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.

3. Type roles, and then press ENTER.


Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?,
and then press ENTER.

4. Type connections, and then press ENTER.

5. Type connect to server servername, and then press ENTER, where servername is the name of
the domain controller you want to assign the FSMO role to.

6. At the server connections prompt, type q, and then press ENTER.

7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you
can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of
roles at the start of this article. For example, to transfer the RID master role, type transfer rid
master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not
transfer pdc emulator.

8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles


To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or
domain controller that is located in the forest where FSMO roles are being seized. We
recommend that you log on to the domain controller that you are assigning FSMO roles to. The
logged-on user should be a member of the Schema Admins group to seize the Schema master
role, a member of the Enterprise Admins group to seize the Domain naming master role, or a
member of the Domain Admins group of the domain where the PDC emulator, RID master and
the Infrastructure master roles are being seized.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.

3. Type roles, and then press ENTER.

4. Type connections, and then press ENTER.

5. Type connect to server servername, and then press ENTER, where servername is the name of
the domain controller that you want to assign the FSMO role to.

6. At the server connections prompt, type q, and then press ENTER.

7. Type seize role, where role is the role that you want to seize. For a list of roles that you can
seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at
the start of this article. For example, to seize the RID master role, type seize rid master. The one
exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.

8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
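The two eight-step procedures above differ only in the word typed at the fsmo maintenance prompt, and ntdsutil accepts the same commands as arguments, one per prompt. The PowerShell below is an added example for this page (not from the knowledge base text quoted above) that builds that argument list, chooses transfer when the current holder still answers LDAP and seize when it does not, and refuses to seize the Schema Master unless explicitly told to, in line with the warning at the top of this answer. It assumes ntdsutil.exe and netdom.exe are on the path; the host names DC01/DC02 are hypothetical. Note that Windows 2000/2003 ntdsutil calls the role "domain naming master" while Windows Server 2008 and later call it "naming master".

```powershell
# Added example: drive ntdsutil non-interactively with the same command
# sequence as the interactive steps, picking transfer or seize by whether the
# current holder is reachable. Run it as a member of the group the role needs
# (Schema Admins / Enterprise Admins / Domain Admins).

function Test-DcLdap {
    # Liveness check: can we read RootDSE from this DC over LDAP?
    param([Parameter(Mandatory)] [string]$HostName)
    try {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$HostName/RootDSE")
        return [bool]$rootDse.Properties['defaultNamingContext'].Value
    } catch {
        return $false
    }
}

function Get-NtdsutilRoleArgs {
    # One array element per ntdsutil prompt: roles -> connections -> connect -> quit
    # -> transfer/seize <role> -> quit -> quit.
    param(
        [Parameter(Mandatory)] [ValidateSet('schema','naming','pdc','rid','infrastructure')] [string]$Role,
        [Parameter(Mandatory)] [string]$TargetDC,
        [Parameter(Mandatory)] [ValidateSet('transfer','seize')] [string]$Action,
        [switch]$LegacySyntax   # Windows 2000/2003: "domain naming master"; 2008+: "naming master"
    )
    $roleWord = switch ($Role) {
        'schema'         { 'schema master' }
        'naming'         { if ($LegacySyntax) { 'domain naming master' } else { 'naming master' } }
        'pdc'            { 'pdc' }                        # not "pdc emulator"
        'rid'            { 'rid master' }
        'infrastructure' { 'infrastructure master' }
    }
    return @('roles', 'connections', "connect to server $TargetDC", 'quit', "$Action $roleWord", 'quit', 'quit')
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string]$Role,
        [Parameter(Mandatory)] [string]$TargetDC,
        [Parameter(Mandatory)] [string]$CurrentHolder,
        [switch]$AllowSchemaSeize,
        [switch]$LegacySyntax
    )
    $action = if (Test-DcLdap -HostName $CurrentHolder) { 'transfer' } else { 'seize' }
    if ($action -eq 'seize' -and $Role -eq 'schema' -and -not $AllowSchemaSeize) {
        throw "Refusing to seize the Schema Master while $CurrentHolder might return; take it off the network for good (rebuild it) first, then rerun with -AllowSchemaSeize."
    }
    $ntdsArgs = Get-NtdsutilRoleArgs -Role $Role -TargetDC $TargetDC -Action $action -LegacySyntax:$LegacySyntax
    Write-Host "Running: ntdsutil $($ntdsArgs -join ' ')"
    & ntdsutil.exe @ntdsArgs     # seize first attempts a transfer, then asks Yes/No in a dialog
    & netdom.exe query fsmo      # confirm the new holder afterwards
}

# Offline: print the exact argument lists without touching a DC (hypothetical host names).
Get-NtdsutilRoleArgs -Role rid    -TargetDC DC02 -Action transfer
Get-NtdsutilRoleArgs -Role naming -TargetDC DC02 -Action seize -LegacySyntax

# Live, e.g.:  Move-FsmoRole -Role pdc -TargetDC DC02 -CurrentHolder DC01
```

The reachability test decides between the two procedures for you, but it cannot decide whether the old holder is gone for good; that judgement, and the metadata cleanup of a seized holder described in the notes below, stays with the administrator.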

Notes
o Under typical conditions, all five roles must be assigned to "live" domain controllers in
the forest. If a domain controller that owns a FSMO role is taken out of service before its
roles are transferred, you must seize all roles to an appropriate and healthy domain
controller. We recommend that you only seize all roles when the other domain
controller is not returning to the domain. If it is possible, fix the broken domain
controller that is assigned the FSMO roles. You should determine which roles are to be
on which remaining domain controllers so that all five roles are assigned to a single
domain controller. For more information about FSMO role placement, click the
following article number to view the article in the Microsoft Knowledge Base: 223346
(http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on
Windows 2000 domain controllers

o If the domain controller that formerly held any FSMO role is not present in the domain
and if it has had its roles seized by using the steps in this article, remove it from the
Active Directory by following the procedure that is outlined in the following Microsoft
Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to
remove data in active directory after an unsuccessful domain controller demotion

o Removing domain controller metadata with the Windows 2000 version or the Windows
Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not
relocate FSMO roles that are assigned to live domain controllers. The Windows Server
2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes
additional elements of domain controller metadata.

o Some customers prefer not to restore system state backups of FSMO role-holders in
case the role has been reassigned since the backup was made.

o Do not put the Infrastructure master role on the same domain controller as the global
catalog server. If the Infrastructure master runs on a global catalog server it stops
updating object information because it does not contain any references to objects that
it does not hold. This is because a global catalog server holds a partial replica of every
object in the forest.

To test whether a domain controller is also a global catalog server:


1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites
and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-
name if no other sites are available.

3. Open the Servers folder, and then click the domain controller.

4. In the domain controller's folder, double-click NTDS Settings.

5. On the Action menu, click Properties.

6. On the General tab, view the Global Catalog check box to see if it is selected.
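A scripted form of this check, added here as an example (it is not part of the original notes): it uses the ActiveDirectory PowerShell module cmdlets Get-ADDomain and Get-ADDomainController to list every domain controller in the domain with its global catalog flag and the FSMO roles it holds, and warns when the Infrastructure master is a global catalog while other DCs are not. The function name Get-FsmoPlacementReport and the default of the current session's domain are this example's own choices; the exemption applied when every DC in the domain is a global catalog (then there are no phantom references for the Infrastructure master to update) is a generalisation beyond the rule as the notes state it.

```powershell
# Added example, not from the original notes. Requires the RSAT ActiveDirectory
# module and a session that can reach a domain controller.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param(
        # Assumption: default to the domain of the current session.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    # One object per DC: hostname, GC flag, and the FSMO roles it holds.
    # OperationMasterRoles is an enum collection on the DC object; it is
    # converted to strings for display and comparison.
    $dcs = Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
        [pscustomobject]@{
            HostName        = $_.HostName
            IsGlobalCatalog = [bool]$_.IsGlobalCatalog
            Roles           = @($_.OperationMasterRoles | ForEach-Object { $_.ToString() })
        }
    }

    $infra = $dcs | Where-Object { $_.Roles -contains 'InfrastructureMaster' }
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # The notes' rule: the Infrastructure master must not sit on a GC. When
    # every DC in the domain is a GC there is nothing for it to update, so
    # the placement is harmless (generalisation beyond the notes).
    $warning = $null
    if ($infra -and $infra.IsGlobalCatalog -and -not $allGc) {
        $warning = "Infrastructure master $($infra.HostName) is a global catalog " +
                   "while other DCs are not: cross-domain references will stop updating. Move the role."
    }

    [pscustomobject]@{
        Domain            = $Domain
        DomainControllers = $dcs
        AllDcsAreGc       = $allGc
        Warning           = $warning
    }
}

# Usage: print the per-DC table and any placement warning.
$report = Get-FsmoPlacementReport
$report.DomainControllers |
    Format-Table HostName, IsGlobalCatalog, @{ n = 'Roles'; e = { $_.Roles -join ',' } }
if ($report.Warning) { Write-Warning $report.Warning }
```

The same table answers question 36's "who holds what" before a standby operations master is chosen, since a standby should be a direct replication partner of the current role holder.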

36. How do you configure a "stand-by operation master" for any of the roles?
Ans

1. Open Active Directory Sites and Services.


2. Expand the site name in which the standby operations master is located to display the Servers
folder.

3. Expand the Servers folder to see a list of the servers in that site.

4. Expand the name of the server that you want to be the standby operations master to display its
NTDS Settings.

5. Right-click NTDS Settings, click New, and then click Connection.

6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then
click OK.

7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object
or accept the default name, and click OK.

37. How do you backup AD?


38. How do you restore AD?

Windows 2008 Server backup

For Windows 2000 and 2003 Server

You can’t restore Active Directory (AD) to a domain controller (DC) while the Directory Service
(DS) is running. To restore AD, perform the following steps.

1. Reboot the computer.


2. At the boot menu, select Windows 2000 Server. Don’t press Enter. Instead, press F8 for
advanced options. You’ll see the following text.

OS Loader V5.0

Windows NT Advanced Options Menu
Please select an option:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers only)
Debugging Mode

Use the up and down arrow keys to move the highlight to your choice.
Press Enter to choose.
3. Scroll down, and select Directory Services Restore Mode (Windows NT domain
controllers only).
4. Press Enter.
5. When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of
the screen, you’ll see in red text Directory Services Restore Mode (Windows NT domain
controllers only).

The computer will boot into a special safe mode and won’t start the DS. Be aware that during
this time the machine won’t act as a DC and won’t perform functions such as authentication.

1. Start NT Backup.
2. Select the Restore tab.
3. Select the backup media, and select System State.
4. Click Start Restore.
5. Click OK in the confirmation dialog box.

After you restore the backup, reboot the computer and start in normal mode to use the restored
information. The computer might hang after the restore completes; I’ve experienced a 30-minute
wait on some machines.

How to Restore Server 2008 Active Directory (non-authoritative)

1. On the Server 2008 DC, open a command prompt.

2. Run the following commands to reboot into Directory Services Restore Mode (DSRM):
bcdedit /set safeboot dsrepair
shutdown -r -t 1
3. Log on as .\administrator with the DSRM password.
4. Run the following command (d: is the drive letter of your backup target); it shows the
version identifier of each backup:
wbadmin get versions -backuptarget:d:
5. Run the following command to start the restore, using the version identifier from step 4:
wbadmin start systemstaterecovery -version:01/01/2008-22:30 -backuptarget:d:
6. After the restore process is completed, run the following commands to clear the DSRM boot
flag and reboot:
bcdedit /deletevalue safeboot
shutdown -t 0 -r

How to restore Server 2008 Active Directory if someone accidentally deletes an object.
(Authoritative Restore)

1. Restore Server 2008 Active Directory (non-authoritative) as above, but do not reboot the server.
2. Open a command prompt and run the following commands, where
CN=VIPuser,CN=Users,DC=MYDOMAIN,DC=NET is the object you wish to restore:
ntdsutil
activate instance NTDS
authoritative restore
restore object "CN=VIPuser,CN=Users,DC=MYDOMAIN,DC=NET"

3. Once it has completed, type quit.

4. After the restore process is completed, run the following commands to clear the DSRM boot
flag and reboot:
bcdedit /deletevalue safeboot
shutdown -t 0 -r

39. How do you change the DS Restore admin password?

Ans

To Reset the DSRM Administrator Password


1. Click Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.

3. At the DSRM command prompt, type one of the following lines:

o To reset the password on the server on which you are working, type reset password on
server null. The null variable assumes that the DSRM password is being reset on the
local computer. Type the new password when you are prompted. Note that no
characters appear while you type the password.

-or-

o To reset the password for another server, type reset password on server servername,
where servername is the DNS name for the server on which you are resetting the DSRM
password. Type the new password when you are prompted. Note that no characters
appear while you type the password.

4. At the DSRM command prompt, type q.

5. At the Ntdsutil command prompt, type q to exit.

40. Why can't you restore a DC that was backed up 4 months ago?

Ans

Because of the tombstone life which is set to only 60 days

What is tombstone life?


Tombstones are special objects used by Active Directory. When you delete an object in AD, it is
not actually deleted. Instead, AD converts it into a tombstone object that stands in for the original
object. When the tombstone lifetime expires (default 60 days) both the object and the tombstone
are deleted.

Why is this mechanism required?

The answer is replication. When the system creates a tombstone on any of the domain controllers,
the tombstone replicates through the whole Active Directory. When the tombstone expires, all of
your DCs delete both the object and its tombstone at the same time. This process ensures that
deletions are applied consistently across your enterprise.

What is the consequence of the mechanism described above?

You should never bring a domain controller back online after it has been switched off for longer
than the tombstone lifetime. If you do, objects that were already deleted can reappear in your AD
and your data consistency is gone. The same is true for AD backups kept for longer than the
tombstone lifetime: don't restore an AD backup that is more than 60 days old in a multi-DC
environment.
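The check a practitioner wants before restoring any system state backup (questions 37, 38 and 40), as an added example that is not part of the original notes: read the forest's tombstoneLifetime attribute with the ActiveDirectory module and compare it with the age of a backup identified by its wbadmin version string. The function names and the injectable -Now parameter are this example's own; the notes' 60 days is used when the attribute is absent, while forests created on Windows Server 2003 SP1 or later carry an explicit value of 180 days.

```powershell
# Added example, not from the original notes. Reads the forest's tombstone
# lifetime and decides whether a system state backup is still restorable.

function Get-TombstoneLifetimeDays {
    # The value is the tombstoneLifetime attribute of the Directory Service
    # object in the configuration partition. When the attribute is not set
    # the forest uses 60 days (the figure the notes quote).
    Import-Module ActiveDirectory
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                       -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60
}

function Test-SystemStateBackupAge {
    param(
        # Version identifier exactly as printed by "wbadmin get versions",
        # e.g. 01/01/2008-22:30 (the value used in the restore steps above).
        [Parameter(Mandatory)][string]$VersionId,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays),
        # Assumption: "now" is injectable so the check can be exercised offline.
        [datetime]$Now = (Get-Date)
    )
    $backupTime = [datetime]::ParseExact($VersionId, 'MM/dd/yyyy-HH:mm',
                                         [cultureinfo]::InvariantCulture)
    $ageDays = ($Now - $backupTime).TotalDays

    [pscustomobject]@{
        VersionId             = $VersionId
        BackupTime            = $backupTime
        AgeDays               = [math]::Floor($ageDays)
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        # A backup older than the tombstone lifetime would reintroduce objects
        # that every other DC has already purged, so refuse it.
        SafeToRestore         = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

# Against a live forest (the default TombstoneLifetimeDays queries AD):
#   Test-SystemStateBackupAge -VersionId '01/01/2008-22:30'
# Offline, with constructed values: a roughly four-month-old backup against 60 days.
Test-SystemStateBackupAge -VersionId '01/01/2008-22:30' -TombstoneLifetimeDays 60 `
                          -Now ([datetime]'2008-05-01')
```

The default value expression for -TombstoneLifetimeDays is only evaluated when the parameter is not supplied, so the offline call at the end never touches a domain controller.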
41. What are GPOs?

Ans

Group Policy gives you administrative control over users and computers in your network. By
using Group Policy, you can define the state of a user's work environment once, and then rely on
Windows Server 2003 to continually force the Group Policy settings that you apply across an
entire organization or to specific groups of users and computers.

Group Policy Advantages


 You can assign Group Policy to domains, sites, and organizational units.
 Group Policy settings apply to all users and computers in the domain, site, or organizational
unit.
 By default only administrators have the rights to change Group Policy settings, so ordinary
users cannot alter them.
 Policy settings can be removed, and the changes can be rewritten later.
Where GPO's store Group Policy Information
Group Policy objects store their Group Policy information in two locations:

Group Policy Container: The GPC is an Active Directory object that contains GPO status,
version information, WMI filter information, and a list of components that have settings in the
GPO. Computers access the GPC to locate Group Policy templates; if a domain controller
does not have the most recent version of the GPO, replication occurs to obtain the latest version
of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a
domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT,
which contains all Group Policy settings and information, including administrative templates,
security, software installation, scripts, and folder redirection settings. Computers connect to the
SYSVOL folder to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you
created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC.
The path to the GPT on a domain controller is systemroot\SYSVOL\sysvol.
Managing GPOs
To avoid replication conflicts, consider which domain controller administrators edit GPOs on,
because GPO data resides both in the SYSVOL folder and in Active Directory, and Active
Directory uses two independent replication mechanisms to replicate that data among all domain
controllers in the domain. Whether one administrator's changes overwrite another's depends on
the replication latency. By default the Group Policy Management Console uses the PDC
Emulator so that all administrators work on the same domain controller.

WMI Filter
WMI filters are used to refine the scope of GPOs based on attributes of the user or computer.
In this way, you can extend GPO filtering beyond the security group filtering mechanisms
that were previously available.

A WMI filter is linked to a GPO. When the GPO is applied to the destination computer, the
filter is evaluated on that computer. A WMI filter consists of one or more queries that are
evaluated against the WMI repository of the destination computer. If the set of queries evaluates
to false, the GPO is not applied; if it evaluates to true, the GPO is applied. You write the queries
in the WMI Query Language (WQL), an SQL-like language for querying the WMI repository.
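To see what a WMI filter does on the client, here is an added example (not from the original notes) that evaluates a filter's WQL queries locally with Get-CimInstance and applies the rule that a filter is true only when every query in it returns at least one instance. Test-WmiFilterQueries and the constructed two-query filter (64-bit workstations only) are this example's own.

```powershell
# Added example, not from the original notes: evaluate a WMI filter's queries
# locally, the way the client does before applying a filtered GPO.

function Test-WmiFilterQueries {
    param(
        # One or more WQL queries. A plain string runs in root\CIMv2; a
        # hashtable @{ Namespace = '...'; Query = '...' } selects a namespace.
        [Parameter(Mandatory)][object[]]$Queries
    )
    $results = foreach ($q in $Queries) {
        $ns  = if ($q -is [hashtable]) { $q.Namespace } else { 'root\CIMv2' }
        $wql = if ($q -is [hashtable]) { $q.Query }     else { [string]$q }
        # A query "passes" when it returns at least one instance.
        $count = @(Get-CimInstance -Namespace $ns -Query $wql -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{ Namespace = $ns; Query = $wql; Instances = $count; Passed = ($count -gt 0) }
    }
    # A WMI filter is true only when every query in it returns results.
    [pscustomobject]@{
        Queries      = $results
        FilterPasses = -not ($results | Where-Object { -not $_.Passed })
    }
}

# Constructed filter: apply the GPO only to 64-bit workstations
# (Win32_OperatingSystem.ProductType 1 = workstation, 2 = DC, 3 = server).
$filter = @(
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1',
    'SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture = "64-bit"'
)
$outcome = Test-WmiFilterQueries -Queries $filter
$outcome.Queries | Format-Table Query, Instances, Passed
"Filter passes on this computer: $($outcome.FilterPasses)"
```

Run on a domain controller or a server the first query returns nothing, so the whole filter is false and a GPO carrying it would be skipped, which is exactly the behaviour the paragraph above describes.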

Planning a Group Policy Strategy for the Enterprise


When you plan an Active Directory structure, create a plan for GPO inheritance, administration,
and deployment that provides the most efficient Group Policy management for your
organization.

Also consider how you will implement Group Policy for the organization. Be sure to consider the
delegation of authority, separation of administrative duties, central versus decentralized
administration, and design flexibility so that your plan will provide for ease of use as well as
administration.

Planning GPOs
Create GPOs in way that provides for the simplest and most manageable design -- one in which
you can use inheritance and multiple links.

Guidelines for Planning GPOs


Apply GPO settings at the highest level: This way, you take advantage of Group Policy
inheritance. Determine which GPO settings are common to the largest container, starting with
the domain, and then link the GPO to that container.
Reduce the number of GPOs: Reduce the number by using multiple links instead of creating
multiple identical GPOs. Link a GPO to the broadest container possible to avoid creating
multiple links to the same GPO at deeper levels.
Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a
higher level will not apply the settings in these specialized GPOs.
Disable the computer or user configuration settings: When you create a GPO that contains
settings for only one of the two parts (user or computer), disable the unused part so that
accidental settings are not applied to the other area.

Microsoft Active Directory allows you to use group policies to define user or computer settings
for an entire group of users or computers at one time. The settings that you configure are stored
in a Group Policy Object (GPO), which is then associated with Active Directory objects such as
sites, domains, or organizational units.

Group policies cover many different aspects of the network, desktop, and software configuration
environment, including:

 Application deployment policies: These policies assign or publish applications to users
or computers, and affect the applications that users access on the network.

 File deployment policies: These policies allow an administrator to place files in special
folders on the user's computer, such as the desktop or My Documents areas.
 Script policies: Using a script policy, an administrator can specify scripts that should run
at specific times, such as login/logout or system startup/shutdown.
 Software policies: Administrators can use software policies to globally configure most
of the settings in user profiles, such as desktop settings, Start menu options, and
applications.
 Security policies: These policies allow an administrator to restrict user access to files
and folders, configure how many failed login attempts will lock an account, and control
user rights.

42. What is the order in which GPOs are applied?

Ans

Local, Site, Domain, OU

Group Policy settings are processed in the following order:

1:- Local Group Policy object-each computer has exactly one Group Policy object that is stored
locally. It is processed for both computer and user Group Policy processing.

2:- Site-Any GPOs that have been linked to the site that the computer belongs to are processed
next. Processing is in the order that is specified by the administrator, on the Linked Group Policy
Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the
lowest link order is processed last, and therefore has the highest precedence.

3:- Domain-processing of multiple domain-linked GPOs is in the order specified by the
administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with
the lowest link order is processed last, and therefore has the highest precedence.
4:- Organizational units-GPOs that are linked to the organizational unit that is highest in the
Active Directory hierarchy are processed first, then GPOs that are linked to its child
organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that
contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no
GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in
the order that is specified by the administrator, on the Linked Group Policy Objects tab for the
organizational unit in GPMC. The GPO with the lowest link order is processed last, and
therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the
organizational unit of which the computer or user is a direct member are processed last, which
overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the
earlier and later settings are merely aggregated.)
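A constructed model of this processing order, including the Enforced and Block Inheritance flags described under questions 46 and 47, added here as an example rather than anything from the original notes. It needs no domain: containers, links and GPO settings are hashtables, and Get-EffectiveGpoSettings returns the processing order and, per setting, the GPO that won. The function name and the sample scenario are this example's own.

```powershell
# Added example, not from the original notes: a constructed model of Group
# Policy precedence (local, site, domain, OU; link order; Enforced; Block
# Inheritance). Pure PowerShell with made-up GPOs; no domain is needed.

function Get-EffectiveGpoSettings {
    param(
        # Settings of the local GPO, processed first.
        [hashtable]$LocalSettings = @{},
        # Containers from the top of the hierarchy (site, domain, parent OUs)
        # down to the OU holding the user or computer. Each container is
        # @{ Name = ...; BlockInheritance = $bool;
        #    Links = @(@{ Gpo = ...; LinkOrder = n; Enforced = $bool }) }
        [Parameter(Mandatory)][object[]]$Containers,
        # GPO name -> hashtable of settings.
        [Parameter(Mandatory)][hashtable]$Gpos
    )

    # Block Inheritance on a container drops every non-enforced link from the
    # containers above it; only the deepest block matters.
    $blockAt = -1
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($Containers[$i].BlockInheritance) { $blockAt = $i }
    }

    $order = New-Object System.Collections.Generic.List[string]
    $order.Add('LOCAL')

    # Normal links, top-down. Within a container, link order 1 is processed
    # last (highest precedence), so sort descending.
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($i -lt $blockAt) { continue }
        @($Containers[$i].Links) |
            Where-Object { $_ -and -not $_.Enforced } |
            Sort-Object { $_.LinkOrder } -Descending |
            ForEach-Object { $order.Add($_.Gpo) }
    }

    # Enforced links are appended after everything else and ignore blocks.
    # Among enforced links the one highest in the hierarchy wins, so they are
    # added bottom-up: the topmost container's enforced GPO lands last.
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        @($Containers[$i].Links) |
            Where-Object { $_ -and $_.Enforced } |
            Sort-Object { $_.LinkOrder } -Descending |
            ForEach-Object { $order.Add($_.Gpo) }
    }

    # Apply in order: a later GPO overwrites an earlier one only on conflicts;
    # settings that do not conflict simply accumulate.
    $effective = @{}
    foreach ($name in $order) {
        $settings = if ($name -eq 'LOCAL') { $LocalSettings } else { $Gpos[$name] }
        foreach ($key in @($settings.Keys)) {
            $effective[$key] = [pscustomobject]@{ Value = $settings[$key]; WinningGpo = $name }
        }
    }
    [pscustomobject]@{ ProcessingOrder = $order.ToArray(); Effective = $effective }
}

# Constructed scenario: domain links A (order 1) and B (order 2, Enforced);
# OU East links C (order 1) and blocks inheritance.
$gpos = @{
    A = @{ ScreenSaverTimeout = 600; RemovableStorageDenied = $false }
    B = @{ RemovableStorageDenied = $true }
    C = @{ ScreenSaverTimeout = 900; RemovableStorageDenied = $false }
}
$containers = @(
    @{ Name = 'Site:HQ'; BlockInheritance = $false; Links = @() },
    @{ Name = 'Domain';  BlockInheritance = $false; Links = @(
        @{ Gpo = 'A'; LinkOrder = 1; Enforced = $false },
        @{ Gpo = 'B'; LinkOrder = 2; Enforced = $true }) },
    @{ Name = 'OU:East'; BlockInheritance = $true;  Links = @(
        @{ Gpo = 'C'; LinkOrder = 1; Enforced = $false }) }
)
$result = Get-EffectiveGpoSettings -LocalSettings @{ ScreenSaverTimeout = 300 } `
                                   -Containers $containers -Gpos $gpos
$result.ProcessingOrder -join ' > '
$result.Effective.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Setting = $_.Key; Value = $_.Value.Value; WinningGpo = $_.Value.WinningGpo } } |
    Format-Table
```

In the sample scenario the processing order comes out as LOCAL, C, B: GPO A is dropped by the block on the East OU, C (linked at the OU) overrides the local screen saver timeout, and the enforced domain GPO B is processed last, so its removable storage setting wins despite the block.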

43. Name a few benefits of using GPMC.

Ans

Microsoft released the Group Policy Management Console (GPMC) years ago, which is an
amazing innovation in Group Policy management. The tool provides control over Group Policy
in the following manner:

 Easy administration of all GPOs across the entire Active Directory Forest
 View of all GPOs in one single list

 Reporting of GPO settings, security, filters, delegation, etc.

 Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering

 Delegation model

 Backup and restore of GPOs

 Migration of GPOs across different domains and forests

With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC
is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short
when you want to protect the GPOs from the following:

 Role based delegation of GPO management


 Being edited in production, potentially causing damage to desktops and servers

 Forgetting to back up a GPO after it has been modified

 Change management of each modification to every GPO

44. What are the GPC and the GPT? Where can I find them?
Ans

Group Policy Container: The GPC is an Active Directory object that contains GPO status,
version information, WMI filter information, and a list of components that have settings in the
GPO. Computers access the GPC to locate Group Policy templates; if a domain controller
does not have the most recent version of the GPO, replication occurs to obtain the latest version
of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a
domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT,
which contains all Group Policy settings and information, including administrative templates,
security, software installation, scripts, and folder redirection settings. Computers connect to the
SYSVOL folder to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you
created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC.
The path to the GPT on a domain controller is systemroot\SYSVOL\sysvol.
Managing GPOs
To avoid replication conflicts, consider which domain controller administrators edit GPOs on,
because GPO data resides both in the SYSVOL folder and in Active Directory, and Active
Directory uses two independent replication mechanisms to replicate that data among all domain
controllers in the domain. Whether one administrator's changes overwrite another's depends on
the replication latency. By default the Group Policy Management Console uses the PDC
Emulator so that all administrators work on the same domain controller.
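Since the GPC and the GPT replicate separately, comparing the version numbers on both sides is the practical way to spot a GPO whose SYSVOL copy lags behind Active Directory. The following added example (not part of the original notes) uses Get-GPO from the GroupPolicy module, which exposes both version counters for the computer and user parts, and builds the GPT path from the GPO's GUID. Get-GpoVersionReport and its defaults for the domain and the server to query are this example's own.

```powershell
# Added example, not from the original notes. Compares the GPC (AD) and GPT
# (SYSVOL) version numbers of every GPO, which is how a stale or unreplicated
# template shows up, and builds each GPO's SYSVOL path from its GUID.
Import-Module GroupPolicy

function Get-GpoVersionReport {
    param(
        # Assumption: default to the current session's domain.
        [string]$Domain = $env:USERDNSDOMAIN,
        # Assumption: optional DC to query; GPMC itself defaults to the PDC emulator.
        [string]$Server
    )
    $gpoParams = @{ All = $true; Domain = $Domain }
    if ($Server) { $gpoParams.Server = $Server }

    foreach ($gpo in Get-GPO @gpoParams) {
        # The GPT folder is named after the GPO's GUID, in braces.
        $gptPath  = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
        $mismatch = ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) -or
                    ($gpo.User.DSVersion     -ne $gpo.User.SysvolVersion)
        [pscustomobject]@{
            DisplayName     = $gpo.DisplayName
            Id              = $gpo.Id
            GpcPath         = $gpo.Path          # LDAP DN of the GPC object
            GptPath         = $gptPath
            GptExists       = Test-Path -LiteralPath $gptPath
            ComputerDsVer   = $gpo.Computer.DSVersion
            ComputerSysvol  = $gpo.Computer.SysvolVersion
            UserDsVer       = $gpo.User.DSVersion
            UserSysvol      = $gpo.User.SysvolVersion
            VersionMismatch = $mismatch
        }
    }
}

# Usage: show only the GPOs whose two halves disagree or whose GPT is missing.
Get-GpoVersionReport |
    Where-Object { $_.VersionMismatch -or -not $_.GptExists } |
    Format-Table DisplayName, ComputerDsVer, ComputerSysvol, UserDsVer, UserSysvol, GptExists
```

A mismatch that persists beyond the replication interval, or a GPT folder that is absent while the GPC exists, is the condition the paragraph above warns about; querying a second DC with -Server shows whether the discrepancy is DC-specific.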

45. What are GPO links? What special things can I do to them?

Ans

Linking GPOs

To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to
add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using
GPMC. Keep in mind that creating and linking GPOs is a sensitive privilege that should be
delegated only to administrators who are trusted and understand Group Policy.

Linking GPOs to the Site

If you have a number of policy settings to apply to computers in a particular physical location
only - certain network or proxy configuration settings, for example - these settings might be
appropriate for inclusion in a site-based policy. Because domains and sites are independent, it is
possible that computers in the site might need to cross domains to link the GPO to the site. In this
case, make sure there is good connectivity.

If, however, the settings do not clearly correspond to computers in a single site, it is better to
assign the GPO to the domain or OU structure rather than to the site.

Linking GPOs to the Domain


Link GPOs to the domain if you want them to apply to all users and computers in the domain.
For example, security administrators often implement domain-based GPOs to enforce corporate
standards. They might want to create these GPOs with the GPMC Enforce option enabled to
guarantee that no other administrator can override these settings.

Important

 If you need to modify some of the settings contained in the Default Domain Policy GPO, it is
recommended that you create a new GPO for this purpose, link it to the domain, and set the
Enforce option. In general, do not modify this or the Default Domain Controller Policy GPO. If
you do, be sure to back up these and any other GPOs in your network by using GPMC to ensure
you can restore them.

As the name suggests, the Default Domain Policy GPO is also linked to the domain. The
Default Domain Policy GPO is created when the first domain controller in the domain is
installed and the administrator logs on for the first time. This GPO contains the domain-wide
account policy settings, Password Policy, Account Lockout Policy, and Kerberos Policy, which
is enforced by the domain controller computers in the domain. All domain controllers retrieve
the values of these account policy settings from the Default Domain Policy GPO. In order to
apply account policies to domain accounts, these policy settings must be deployed in a GPO
linked to the domain, and it is recommended that you set these settings in the Default Domain
Policy. If you set account policies at a lower level, such as an OU, the settings only affect local
accounts (non-domain accounts) on computers in that OU and its children.

Before making any changes to the default GPOs, be sure to back up the GPO using GPMC. If for
some reason there is a problem with the changes to the default GPOs and you cannot revert back
to the previous or initial states, you can use the Dcgpofix.exe tool to recreate the default policies
in their initial state.

Dcgpofix.exe is a command-line tool that completely restores the Default Domain Policy GPO
and Default Domain Controller GPO to their original states in the event of a disaster where you
cannot use GPMC. Dcgpofix.exe restores only the policy settings that are contained in the
default GPOs at the time they are generated. The only Group Policy extensions that include
policy settings in the default GPOs are RIS, Security, and EFS. Dcgpofix.exe does not restore
other GPOs that administrators create; it is only intended for disaster recovery of the default
GPOs.

Note that Dcgpofix.exe does not save any information created through applications, such as SMS
or Exchange. The Dcgpofix.exe tool is included with Windows Server 2003 and only works in a
Windows Server 2003 domain.

Dcgpofix.exe is located in the C:\Windows\Repair folder. The syntax for Dcgpofix.exe is as
follows:

DCGPOFix [/Target: Domain | DC | BOTH]


Table 2.1 describes the options you can use with the command line parameter /Target: when
using the Dcgpofix.exe tool.

Table 2.1 Dcgpofix.exe Options for Using the /Target Parameter

/Target option   Description of option
--------------   ---------------------
DOMAIN           Specifies that the Default Domain Policy should be recreated.
DC               Specifies that the Default Domain Controllers Policy should be recreated.
BOTH             Specifies that both the Default Domain Policy and the Default Domain
                 Controllers Policy should be recreated.

For more information about Dcgpofix.exe, in Help and Support Center for Windows Server 2003
click Tools, and then click Command-line reference A-Z.

Linking GPOs to the OU Structure

Most GPOs are normally linked to the OU structure because this provides the most flexibility
and manageability:

 You can move users and computers into and out of OUs.
 OUs can be rearranged if necessary.

 You can work with smaller groups of users who have common administrative requirements.

 You can organize users and computers based on which administrators manage them.

Organizing GPOs into user- and computer-oriented GPOs can help make your Group Policy
environment easier to understand and can simplify troubleshooting. However, separating the user
and computer components into separate GPOs might require more GPOs. You can compensate
for this by adjusting the GPO Status to disable the user or computer configuration portions of
the GPO that do not apply and to reduce the time required to apply a given GPO.

Changing the GPO Link Order

Within each domain, site, and OU, the link order controls the order in which GPOs are applied.
To change the precedence of a link, you can change the link order, moving each link up or down
in the list to the appropriate location. Links with the lowest number have higher precedence for a
given site, domain, or OU. For example, if you add six GPO links and later decide that you want
the last one that you added to have the highest precedence, you can adjust the link order of the
GPO link so it has link order of 1. To change the link order for GPO links for a domain, OU, or
site, use GPMC.

46. What can I do to prevent inheritance from above?

Ans

You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents
GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the
child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block
inheritance. For example, if you want to apply a single set of policies to an entire domain except for one
organizational unit, you can link the required GPOs at the domain level (from which all organizational
units inherit policies by default), and then block inheritance only on the organizational unit to which the
policies should not be applied.

Note that Enforced GPO links will always be inherited.

47. How can I override blocking of inheritance?

Ans

Enforced: This was previously referred to in Win2K as "No Override". The Enforced flag is set
on a GPO link using the GPMC. Essentially what it does is say, "If there are any conflicting
policy settings on downstream GPOs (GPOs processed after the enforced GPO), those settings
will always be overridden". Essentially how this works is that any GPO links that are marked as
Enforced will be moved to the bottom of the Group Policy processing list. This ensures that the
enforced policy is always processed last, and thus "wins" over any downstream GPOs. Enforced
GPOs will override Block Inheritance (described next).

Block Inheritance: The block inheritance flag is set on a container object--specifically either an
OU or a domain. The purpose of Block Inheritance is to block upstream GPOs from being
processed (except for GPOs set with the Enforced flag). For example, if I have two OUs--
Marketing and East, and East is a child OU to Marketing, I can set the Block Inheritance flag on
the East OU and any GPOs linked to Marketing will be blocked--and won't apply to users and
computers in the East OU.
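An audit of where these two flags are set across a domain, as an added example that is not from the original notes: Get-GPInheritance (GroupPolicy module) reports for each container whether inheritance is blocked, the links on it in link order with their Enforced flag, and the list of GPOs that actually apply after both flags are taken into account. Get-GpoInheritanceAudit and the choice to walk the domain root and every OU (sites are not covered) are this example's own.

```powershell
# Added example, not from the original notes: audit where Block Inheritance
# and Enforced links are set, since either one changes which GPOs a container
# actually receives. Requires the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoInheritanceAudit {
    param(
        # Assumption: default to the current session's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    # The domain root plus every OU; sites are not covered by this walk.
    $targets = @((Get-ADDomain -Identity $Domain).DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * -Server $Domain |
                 Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        # GpoLinks are this container's own links in link order (1 = highest
        # precedence); InheritedGpoLinks is the full applied list after
        # Block Inheritance and Enforced have been taken into account.
        [pscustomobject]@{
            Container          = $dn
            InheritanceBlocked = $inh.GpoInheritanceBlocked
            EnforcedLinks      = @($inh.GpoLinks | Where-Object { $_.Enforced } |
                                   ForEach-Object { $_.DisplayName })
            LinkedGpos         = @($inh.GpoLinks | Sort-Object Order |
                                   ForEach-Object { "$($_.Order):$($_.DisplayName)" })
            EffectiveGpos      = @($inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName })
        }
    }
}

# Containers that block inheritance deserve a look: a security baseline linked
# at the domain without Enforced does not reach them.
Get-GpoInheritanceAudit |
    Where-Object { $_.InheritanceBlocked -or $_.EnforcedLinks.Count -gt 0 } |
    Format-List Container, InheritanceBlocked, EnforcedLinks, LinkedGpos, EffectiveGpos
```

Comparing EffectiveGpos for a blocked OU against the domain's link list shows at a glance which domain-level policies that OU is escaping, and whether the ones that still reach it do so only because they are Enforced.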

48. How can you determine what GPO was and was not applied for a user? Name a few
ways to do that.

Ans

 Group Policy Management Console (GPMC) can provide assistance when you need to
troubleshoot GPO behaviour. It allows you to examine the settings of a specific GPO, and can
also be used to determine how your GPOs are linked to sites, domains, and OUs. The Group
Policy Results report collects information on a computer and user, to list the policy settings
which are enabled. To create a Group Policy Results report, right-click Group Policy Results, and
select Group Policy Results Wizard on the shortcut menu. This launches the Group Policy Results
Wizard, which guides you through various pages to set parameters for the information that
should be displayed in the Group Policy Results report.

 Gpresult.exe: click Start > Run > cmd > gpresult; this also gives you information on the
applied group policies.

49. A user claims he did not receive a GPO, yet his user and computer accounts are in
the right OU, and everyone else there gets the GPO. What will you look for?

Ans

Only one user does not get the GPO, so the problem may be in name resolution or physical
connectivity.

Answer 2: Start troubleshooting by running RSOP.MSC (Resultant Set of Policy) or gpresult /z to
verify whether the relevant GPO actually applies to that user.

A slow network can also be the cause; you can change the default behaviour by using the Group
Policy MMC snap-in. By default the client does not wait for the network at startup and logon, but
you can change that by using the following policy: Administrative Templates\System\Logon\Always
wait for the network at computer startup and logon.

Identify which GPOs the settings correspond to, and verify that they are applicable to the
computer/user (based on the output of RSOP.MSC/gpresult).
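The checks above in script form, added as an example and not part of the original notes. Test-GpoClientPrerequisites covers name resolution of the domain, reachability of the logon server on the LDAP and SMB ports, the SYSVOL share, and the registry value behind the "Always wait for the network" policy (SyncForegroundPolicy under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon). Get-RsopGpoStatus runs Get-GPResultantSetOfPolicy (GroupPolicy module) and reads the per-GPO status elements of the XML report (Name, Enabled, IsValid, FilterAllowed, AccessDenied, the elements gpresult /x writes) to say which GPOs applied and why the others did not. Both function names are this example's own; the prerequisites function assumes a domain-joined Windows client with Test-NetConnection (Windows 8.1 / 2012 R2 or later), and the RSoP function needs an elevated session.

```powershell
# Added example, not from the original notes. Two checks for a client that
# does not receive a GPO: the prerequisites the notes mention, then the RSoP
# report's per-GPO applied/denied status.
Import-Module GroupPolicy

function Test-GpoClientPrerequisites {
    param(
        # Assumption: default to the machine's domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $resolves = $false
    try { $resolves = ([System.Net.Dns]::GetHostAddresses($Domain)).Count -gt 0 } catch { }

    $dc   = $env:LOGONSERVER -replace '^\\\\', ''
    $ldap = $false
    $smb  = $false
    if ($dc) {
        $ldap = Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet
        $smb  = Test-NetConnection -ComputerName $dc -Port 445 -InformationLevel Quiet
    }

    # Registry value behind "Always wait for the network at computer startup
    # and logon" (Administrative Templates\System\Logon); 1 = wait.
    $syncKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sync = (Get-ItemProperty -Path $syncKey -Name SyncForegroundPolicy `
                              -ErrorAction SilentlyContinue).SyncForegroundPolicy

    [pscustomobject]@{
        Domain               = $Domain
        DomainResolves       = $resolves
        LogonServer          = $dc
        DcLdapReachable      = $ldap
        DcSmbReachable       = $smb
        SysvolReachable      = Test-Path -LiteralPath "\\$Domain\SYSVOL\$Domain\Policies"
        AlwaysWaitForNetwork = ($sync -eq 1)
    }
}

function Get-RsopGpoStatus {
    param(
        [string]$ReportPath = (Join-Path $env:TEMP 'rsop.xml')
    )
    # Produces the same XML as gpresult /x; needs an elevated session.
    Get-GPResultantSetOfPolicy -ReportType Xml -Path $ReportPath | Out-Null
    [xml]$rsop = Get-Content -LiteralPath $ReportPath -Raw

    foreach ($scope in 'ComputerResults', 'UserResults') {
        # local-name() sidesteps the report's default namespace.
        $nodes = $rsop.SelectNodes("//*[local-name()='$scope']/*[local-name()='GPO']")
        foreach ($g in $nodes) {
            $get = { param($n) $g.SelectSingleNode("*[local-name()='$n']").InnerText }
            $denied  = (& $get 'AccessDenied')  -eq 'true'
            $allowed = (& $get 'FilterAllowed') -eq 'true'
            $enabled = (& $get 'Enabled')       -eq 'true'
            $valid   = (& $get 'IsValid')       -eq 'true'
            $reason  = if ($denied)            { 'Security filtering (access denied)' }
                       elseif (-not $allowed) { 'WMI filter evaluated false' }
                       elseif (-not $enabled) { 'Link or GPO disabled' }
                       elseif (-not $valid)   { 'Invalid or inaccessible GPO' }
                       else                   { 'Applied' }
            [pscustomobject]@{
                Scope   = $scope
                Gpo     = (& $get 'Name')
                Applied = ($enabled -and $valid -and $allowed -and -not $denied)
                Reason  = $reason
            }
        }
    }
}

Test-GpoClientPrerequisites | Format-List
Get-RsopGpoStatus | Format-Table Scope, Gpo, Applied, Reason
```

A GPO listed with "Security filtering" for the one affected user, while the same GPO shows "Applied" for colleagues in the same OU, points at the GPO's delegation rather than at the network, which is the distinction the two answers above are trying to make.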

50. Name a few differences in Vista GPOs

Ans

It is not like Windows XP Professional Service Pack 2 added


enough settings to Group Policy, Vista is coming in with
even more new settings to Group Policy. There will be
approximately 2400 possible settings in a Group Policy
Object that is created for a Windows Vista computer. This
only adds about 800 settings, which is adding ½ again as
much settings compared to Windows XP Service Pack 2. Many
of the settings are being added in a response to customer
response, while others are there to support new features
that will be included in Vista. Some of the more important
additions include those listed under the following areas.
Power Management
By far the number one area of configuration that people
have wanted since the advent of Group Policy is the ability
to control Power Management. Finally, Microsoft has added
this capability in Windows Vista. The reasons for
controlling power can provide an immediate impact for
companies, since both Microsoft and the EPA have tested and
reported that you can save over $50 per computer, per year
by establishing power management settings on desktops. The
idea is simple: there is no reason to have the computer in
a full power state when the end user is not even at work.
Before Vista, companies had to look at products from
DesktopStandard and Full Armor to control power for Windows
2000 and XP.
Device Installation Controls
Most IT professionals that work in the area of security for
their company are very concerned about removable media
devices. These devices pose a looming threat to the desktop
and the network as a whole. Without control over the
installation and use of these devices, users can introduce
viruses, worms, and other malicious applications using
these media. Vista will include settings that will allow
control over the installation and use of USB drives, CD-RW,
DVD-RW, and other removable media.
Security Settings
In Vista, Microsoft has joined two security related
technologies together: Firewall and IPSec. This makes a lot
of sense to protect computes using IPSec within the
firewall. Protection can be gained for server-to-server
communications over the Internet, controlling which
resources a computer can access on the network based on the
computer health, and resource access based on some
regulatory requirement. As these security settings are
important to every computer, it only makes logical sense
that there are settings for them in Group Policy.
Printer Assignment Based on Location
Printer management is a nightmare for almost every company
and network admin. With most companies using a brigade of
laptop computers, printer management has become even more
complex as the users move from building to building or
campus to campus. Vista solves this issue by allowing
printers to be configured based on the current Active
Directory site the computer belongs to. Since Active
Directory sites typically map out the geographical or
physical network topology, it creates a perfect solution
for delivering printers as laptop users. Before Vista,
companies had to look at products from DesktopStandard and
Full Armor to control printers for Windows 2000 and XP.
Redesign of ADM Templates
If you administer Group Policy for your company, you have
most likely come face-to-face with an ADM template. These
ADM templates were first introduced with Windows NT4 using
markup language to define and implement changes to the
Registry. As Group Policy was introduced, the concept of
the ADM template did not change, although some new
capabilities did come along. ADM templates provide a needed
method to alter Registry values, but have their problems,
including:
• ADM bloat caused by the duplication of ADM
templates in every GPO
• ADM template version mismatches, many times caused
by the introduction of a service pack into the environment
on one or more computers
• Confusing “policies” or “preferences” settings,
depending on which portion of the Registry is being
modified
• Inability to control multi-string or binary
Registry values
Microsoft knows that ADM templates are really a stop gap
for your Registry “hacking” needs, but they had done a good
job until Vista. With Vista, the majority of these issues
are solved by the conversion of ADM templates into a new
XML-based format, as well as the introduction of a
repository for the templates. The new XML-based formatted
files will be called ADMX files, allowing for different
languages to be addressed in a single file. The ADMX files
will also take the large, bulky ADM templates and chop them
up into smaller, more manageable ADMX files.
One of my favorite features of Vista is the introduction of
the ADMX central store. This will provide a centralized
method for updating, storing, and managing ADMX files. ADMX
files will no longer need to be stored in each GPO.
Instead, each GPO will look to the central store for the
ADMX files. This will save space on domain controllers and
will allow for easier management of these files.
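The central store described above, as an added PowerShell example that is not part of the original article: it creates the store under SYSVOL from a local PolicyDefinitions folder and then checks that every .admx file has a matching .adml for one language, because an .admx without its language resource shows up in the editor as an unreadable setting. The domain name is read from the USERDNSDOMAIN environment variable and the function names are my own; you need write access to SYSVOL for the first function.

```powershell
# Added example (not from the original article): create and verify the ADMX
# central store. Assumptions: domain-joined Windows Vista or later machine,
# USERDNSDOMAIN is set, and the caller may write to SYSVOL.

function Get-AdmxCentralStorePath {
    # The central store is a fixed location under SYSVOL; the Group Policy
    # editor looks here before falling back to the local PolicyDefinitions folder.
    param([string]$Domain = $env:USERDNSDOMAIN)
    return "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
}

function New-AdmxCentralStore {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Source = (Join-Path $env:SystemRoot 'PolicyDefinitions')
    )
    $store = Get-AdmxCentralStorePath -Domain $Domain
    if (-not (Test-Path $store)) {
        New-Item -ItemType Directory -Path $store | Out-Null
    }
    # Copy the language-neutral .admx files and every language subfolder
    # (for example en-US) holding the .adml resources. Newer copies overwrite
    # older ones, which is how version mismatches between admin workstations
    # are avoided once everyone edits against the store.
    Copy-Item -Path (Join-Path $Source '*') -Destination $store -Recurse -Force
    return $store
}

function Test-AdmxCentralStore {
    # Returns a summary: whether the store exists, how many .admx files it
    # holds, and which .admx files lack a matching .adml in the given language.
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Language = 'en-US'
    )
    $store = Get-AdmxCentralStorePath -Domain $Domain
    if (-not (Test-Path $store)) {
        return [pscustomobject]@{ Path = $store; Exists = $false; AdmxCount = 0; MissingAdml = @() }
    }
    # PSIsContainer filter keeps this working on Windows PowerShell 2.0 (no -File switch).
    $admx = Get-ChildItem -Path $store -Filter '*.admx' | Where-Object { -not $_.PSIsContainer }
    $admlDir = Join-Path $store $Language
    $missing = foreach ($f in $admx) {
        $adml = Join-Path $admlDir ($f.BaseName + '.adml')
        if (-not (Test-Path $adml)) { $f.Name }
    }
    return [pscustomobject]@{
        Path        = $store
        Exists      = $true
        AdmxCount   = @($admx).Count
        MissingAdml = @($missing)
    }
}

# Usage:
# New-AdmxCentralStore
# Test-AdmxCentralStore | Format-List
```

Run Test-AdmxCentralStore after each update of the store; a non-empty MissingAdml list means an .admx was copied without its language file and will not render properly in the GPO editor.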
Network Location Awareness
Group Policy and the application of the settings in Group
Policy Objects rely heavily on the availability of the
network, as well as the connection speed of the network.
Vista takes a new approach to network awareness, allowing
faster boot times and more reliable application of policy.
The following areas of network awareness are tackled in
Windows Vista:
• When a computer is booting, the time that is spent
trying to apply policy even though the network is not yet
available can be daunting. Vista will provide indicators to
Group Policy application as to whether the NIC is enabled
or disabled, as well as indications as to when the network
is available.
• Vista will introduce the ability for a client to
detect when a domain controller is available or when one
becomes available again after a period of being offline.
This is ideal for remote access connections, such as dial-
up and VPNs.
• There will no longer be a reliance on ICMP (PING)
for determining the connection speed to the computer. This
was needed for slow network connections, but if ICMP was
disabled for security reasons, the computer would reject
the PING request, causing Group Policy application to fail.
Now network location awareness handles the bandwidth
determination, allowing policy refresh to succeed.

51. Name some GPO settings in the computer and user parts.

Ans

Group Policy Object (GPO) settings are split into two parts: the computer part (Computer Configuration) and the user part (User Configuration).

52. What are administrative templates?

Ans

The GPO settings are divided between the Computer settings and the User settings. In both parts of the GPO you can clearly see a large section called Administrative Templates. Administrative Templates are a large repository of registry-based changes (in fact, over 1300 individual settings) that can be found in any GPO on Windows 2000, Windows XP, and Windows Server 2003.

By using the Administrative Templates sections of the GPO you can deploy modifications to the machine (HKEY_LOCAL_MACHINE in the registry) and user (HKEY_CURRENT_USER in the registry) portions of the Registry of computers that are influenced by the GPO.

The Administrative Templates are Unicode-formatted text files with the extension .ADM and are used to create the Administrative Templates portion of the user interface for the GPO Editor.

In Windows 2000 and Windows Server 2003 Group Policy Objects (also known as GPOs) you may find hundreds of useful settings and configuration options, all nicely divided into specific sections. With GPOs you can create policies to centralize the management of user and computer settings. Among the various settings that can be accomplished via GPO, you can find the following options:

• Manage desktop environments and lock them down to reduce support calls and TCO (Total Cost of Ownership)
• Install, update, repair, and remove software
• Manage security settings including account policies, auditing, EFS, and user rights
• Control the running state of services
• Redirect My Documents folders
• Configure Internet Explorer options and security settings
• Automate administrative tasks using log-on, log-off, startup and shutdown scripts

and many, many more.

These sections can be clearly seen in the following screenshot:
Windows 2000/XP/2003 has some built-in default Administrative Templates:

Administrative Template Name | Description | Can be found on these Operating Systems
Conf.adm     | Contains settings for configuring NetMeeting | Windows 2000/XP/2003
Inetres.adm  | Contains settings for configuring Internet Explorer | Windows 2000/XP/2003
System.adm   | Contains settings for configuring core OS functions and GUI settings | Windows 2000/XP/2003
Wmplayer.adm | Contains settings for configuring Windows Media Player | Windows XP/2003
Wuau.adm     | Contains settings for configuring Windows Update automatic updates | Windows 2000 SP3 or higher/XP SP1 or higher/2003

These .ADM files are located in the %SystemRoot%\inf folder, and are copied to the SYSVOL folder whenever you create a new GPO (unless you manually configure it not to do so; see the Links section for an explanation of how to do this).

On top of these templates, Windows 2000/XP/2003 also has other .ADM files that can be used in
several scenarios:

Administrative Template Name | Description
Common.adm   | Contains settings that are in common with Windows 9x/NT (used with the NT-based System Policy Editor)
Inetcorp.adm | Contains settings for configuring dial-up, language, and various Internet Explorer settings
Inetset.adm  | Contains additional policy settings for configuring Internet Explorer
Windows.adm  | Contains settings specific to Windows 9x (used with the NT-based System Policy Editor)

However, there may be times when an administrator will need to add more options to a new or existing GPO. Some examples of such additions are:

• Settings to disable mobile storage devices (USB, MP3 players, cameras and so on)
• Settings to control the functionality of specific Windows features
• Settings to control the behavior of specific Windows services or drivers
• Settings that add or change registry keys
• Changes to the Windows security model

One method for an administrator to control such settings is by use of logon scripts and remote registry tweaks. This process requires knowledge of scripting languages, but is highly customizable and flexible, and is not subject to GPO limitations (for example, GPOs do not work on pre-Windows 2000 computers). However, we will not cover this method in this article.

Another method for an administrator to add such extensions to the GPO is by adding new settings to the Administrative Templates sections. This can be done by adding .ADM files to the existing Administrative Templates section in the GPO.

In order to add additional .ADM files to the existing Administrative Templates section in the GPO, please follow the steps outlined in the Adding New Administrative Templates to a GPO article.

A great example of new .ADM files that can and should be used on a network is the set of Administrative Templates extension files that is part of the Office 2000/XP/2003 Resource Kit. When installing the Resource Kit for the respective Office version, new .ADM files are copied to the %SystemRoot%\inf folder of the machine on which the Resource Kit was installed. The moment you edit an Active Directory-based GPO on that machine (the machine can be either a Windows 2000/XP Pro machine or a server-based machine) the used .ADM file(s) will be copied to the SYSVOL folder on the target DC (typically the PDC Emulator), and from there replicated throughout the domain.
The following screenshot shows the new .ADM files while importing one of them to a GPO.
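As an added example that is not part of the original article, here is a minimal custom .ADM template of the kind the passage describes, with one setting in the machine part (CLASS MACHINE, written under HKEY_LOCAL_MACHINE) and one in the user part (CLASS USER, written under HKEY_CURRENT_USER), together with PowerShell helpers that install it into %SystemRoot%\inf and check on a client whether the resulting policy values have been applied. The "Contoso" registry key, the value names and the function names are constructed placeholders, not real Microsoft or vendor settings.

```powershell
# Added example (not from the original article): a custom .ADM template for two
# hypothetical registry-based settings, plus helpers to install it and to verify
# the applied policy values. All Contoso names are constructed placeholders.

# ADM syntax: CLASS picks the GPO part (MACHINE = Computer Configuration / HKLM,
# USER = User Configuration / HKCU); KEYNAME is relative to that hive. Keeping the
# key under Software\Policies makes the setting a true "policy" (cleaned up when the
# GPO stops applying) instead of a "preference" that tattoos the registry.
$AdmTemplate = @'
CLASS MACHINE
CATEGORY !!ContosoCategory
    POLICY !!DenyUsbStorage
        KEYNAME "Software\Policies\Contoso\Storage"
        EXPLAIN !!DenyUsbStorage_Help
        VALUENAME "DenyUsbStorage"
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

CLASS USER
CATEGORY !!ContosoCategory
    POLICY !!HideStorageWarning
        KEYNAME "Software\Policies\Contoso\Storage"
        EXPLAIN !!HideStorageWarning_Help
        VALUENAME "HideWarning"
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
ContosoCategory="Contoso Storage Settings (example)"
DenyUsbStorage="Deny access to USB storage devices"
DenyUsbStorage_Help="Hypothetical setting: when enabled, the Contoso storage agent refuses USB mass-storage devices."
HideStorageWarning="Hide the storage warning balloon"
HideStorageWarning_Help="Hypothetical setting: suppresses the per-user warning balloon."
'@

function Install-ContosoAdmTemplate {
    # Writes the template next to the built-in .ADM files so it can be added
    # through Add/Remove Templates in the GPO editor. ADM files are Unicode text.
    param([string]$FileName = 'contoso.adm')
    $path = Join-Path $env:SystemRoot "inf\$FileName"
    Set-Content -Path $path -Value $AdmTemplate -Encoding Unicode
    return $path
}

function Test-PolicyValue {
    # Returns $true when the policy value exists with the expected data.
    # Only the Software\Policies branch is read, so a matching value written
    # elsewhere (a preference or a manual tweak) is not mistaken for applied policy.
    param(
        [ValidateSet('Machine','User')][string]$Class,
        [string]$SubKey,      # relative to Software\Policies, e.g. 'Contoso\Storage'
        [string]$ValueName,
        [int]$Expected
    )
    $hive = if ($Class -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\Software\Policies\$SubKey"
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$ValueName -eq $Expected)
}

# Usage: install the template, add contoso.adm to a GPO, enable both settings,
# run "gpupdate /force" on a client, then verify:
# Install-ContosoAdmTemplate
# Test-PolicyValue -Class Machine -SubKey 'Contoso\Storage' -ValueName 'DenyUsbStorage' -Expected 1
# Test-PolicyValue -Class User    -SubKey 'Contoso\Storage' -ValueName 'HideWarning'    -Expected 1
```

Test-PolicyValue deliberately looks only under Software\Policies: that is the check that tells you a value came from Group Policy rather than from a logon script or a manual registry edit, which matters when you audit whether a lockdown is actually enforced.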

53. What's the difference between software publishing and assigning?

Ans

An administrator can either assign or publish software applications.

Assign to users
The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the Start menu, or accesses a file that has been associated with the software application.

Assign to computers
The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.

Publish to users
The software application does not appear on the Start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in Control Panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.

54. Can I deploy non-MSI software with GPO?

Ans

Yes, you can, but first you have to convert the file to .msi format. There is a lot of third-party software that can convert an .exe file to .msi format.

No, you can't deploy non-MSI software with GPO.


55. You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

Ans

Log on to a client as a Domain Admin user and change whatever you need (add printers, etc.). Then go to System > User Profiles and copy this user profile to any location, selecting Everyone under "Permitted to use". After copying, rename ntuser.dat to ntuser.man and assign this path under the user's profile.
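The same procedure scripted, as an added PowerShell example that is not part of the original answer. It assumes the prepared profile has already been copied to a share with System > User Profiles > Copy To (Everyone permitted), that the ActiveDirectory module from RSAT is available, and that the share path and department name are placeholders you replace with your own.

```powershell
# Added example (not from the original answer): turn a copied profile into a
# mandatory profile and point one department's users at it. Share path and
# department are placeholders; requires the ActiveDirectory module (RSAT).

function ConvertTo-MandatoryProfile {
    # Renames ntuser.dat to ntuser.man so changes made during a session are
    # discarded at logoff, and makes sure Everyone can read the folder (users
    # need read, not write, on a mandatory profile). Returns the ntuser.man path.
    param([Parameter(Mandatory=$true)][string]$ProfilePath)
    $dat = Join-Path $ProfilePath 'ntuser.dat'
    $man = Join-Path $ProfilePath 'ntuser.man'
    if (Test-Path $man) { return $man }                      # already converted
    if (-not (Test-Path $dat)) { throw "No ntuser.dat in $ProfilePath" }
    Rename-Item -Path $dat -NewName 'ntuser.man'
    # Read-only for Everyone; (OI)(CI) inherit the entry to files and subfolders.
    & icacls.exe $ProfilePath /grant 'Everyone:(OI)(CI)R' | Out-Null
    return $man
}

function Set-DepartmentProfilePath {
    # Assigns the profile path to every enabled user of one department.
    # Returns the SamAccountNames that were changed so the caller can review them.
    param(
        [Parameter(Mandatory=$true)][string]$Department,
        [Parameter(Mandatory=$true)][string]$ProfilePath
    )
    Import-Module ActiveDirectory
    $users = Get-ADUser -Filter "Department -eq '$Department' -and Enabled -eq 'True'" -Properties ProfilePath
    foreach ($u in $users) {
        if ($u.ProfilePath -ne $ProfilePath) {
            Set-ADUser -Identity $u -ProfilePath $ProfilePath
            $u.SamAccountName
        }
    }
}

# Usage (placeholders):
# $share = '\\fileserver\Profiles\Sales'     # folder holding the copied profile
# ConvertTo-MandatoryProfile -ProfilePath $share
# Set-DepartmentProfilePath -Department 'Sales' -ProfilePath $share
# Note: Windows Vista and later clients append ".V2" to the profile path, so for
# those clients the folder on the share is named "<path>.V2"; convert that folder
# and still assign the path without the suffix.
```

Check the returned list before trusting the rollout: a user missing from it either already had the path or is disabled, and the Department filter only matches what is actually populated in Active Directory.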

56. The main difference between 2003 and 2008?

Ans

The main difference between 2003 and 2008 is virtualization and management.

In Windows Server 2008, Microsoft is introducing new features and technologies, some of which were not available in Windows Server 2003 with Service Pack 1 (SP1), that will help to reduce the power consumption of server and client operating systems, minimize environmental byproducts and increase server efficiency.
Microsoft Windows Server 2008 has been designed with energy efficiency in mind, to provide customers with ready and convenient access to a number of new power saving features. It includes updated support for Advanced Configuration and Power Interface (ACPI) processor power management (PPM) features, including support for processor performance states (P-states) and processor idle sleep states on multiprocessor systems. These features simplify power management in Windows Server 2008 (WS08) and can be managed easily across servers and clients using Group Policies.

Comparison of Windows 2003 and 2008:

Many features are updated, such as security, IIS and RODC. In security it enables an outbound firewall as well as an inbound one; IIS 7 is released, and Read-Only Domain Controllers are introduced.

Examples
1. Virtualization
2. Server Core
provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server.
3. Better security
4. Role-based installation
5. Read Only Domain Controllers (RODC)
6. Enhanced terminal services
7. Network Access Protection
Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell
Microsoft's new(ish) command line shell and scripting language has proved popular with some server administrators.
9. IIS
10. BitLocker
System drive encryption can be a sensible security measure for servers located in remote branch offices.
2008 has more in-built components and updated third-party drivers.
Microsoft introduces a new feature with 2k8: Hyper-V.
Windows Server 2008 introduces Hyper-V (V for Virtualization), but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine. If you like this exciting technology, make sure that you buy an edition of Windows Server 2008 that includes Hyper-V, then launch the Server Manager and add Roles.
Windows Server 2008, formerly codenamed Longhorn, is no less than 45 times faster than its predecessor, Windows Server 2003, in terms of network transfer speeds. Now whatever the perspective is on Microsoft's last 32-bit server operating system, the fact of the matter is that faster transfer speeds of up to 45 times is quite an evolution compared to Windows Server 2003. Back in June 2007, Microsoft commissioned a study from the Tolly Group focused on the networking performance of its latest Windows client and server operating systems, which ended up as the "Enhanced Network Performance with Microsoft Windows Vista and Windows Server 2008" white paper. The paper pointed to the fact that both Vista and Windows Server 2008 managed to offer "dramatic network performance benefits".
Windows Server 2008 has been more updated than Windows Server 2003.