Ans:
Active Directory is a directory structure used on Microsoft Windows-based computers and
servers to store information and data about networks and domains. It is primarily used for
online information and was originally created in 1996. It was first used with Windows 2000.
Active Directory is a centralized and standardized system that automates network management
of user data, security, and distributed resources, and enables interoperation with other directories.
Active Directory is designed especially for distributed networking environments.
A hierarchical organization that provides a single point of access for system administration
(management of user accounts, clients, servers, and applications, for example) to reduce
redundancy and errors
Support for the Lightweight Directory Access Protocol (LDAP) to enable inter-directory
operability
Ans
A domain controller is a Windows Server machine that runs Active Directory Domain
Services.
What is a domain?
Ans
It is a namespace.
2. What is LDAP?
3. Can you connect Active Directory to other 3rd-party Directory Services? Name a
few options.
Ans
Ans
Ans
The AD database is saved in %systemroot%\ntds. You can see other files in this folder as well. These
are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the
transaction in the log file (edb.log). Once written to the log file, the change is then written to the
AD database. System performance determines how fast the system writes the data to the AD
database from the log file. Any time the system is shut down, all transactions are saved to the
database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size
of each is 10MB. These files are used to ensure that changes can be written to disk should the
system run out of free disk space. The checkpoint file (edb.chk) records transactions committed
to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk
file. Then, during a reboot, AD determines that all transactions in the edb.log file have been
committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the
shutdown statement isn't present, AD will use the edb.log file to update the AD database.
6. Name the AD NCs and replication issues for each NC (Naming Context)
Ans
Ans
The application directory partition can contain any type of data except security principals (users,
computers, groups).
An application directory partition is a directory partition that is replicated only to specific domain
controllers. A domain controller that participates in the replication of a particular application directory
partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can
host a replica of an application directory partition.
Application directory partitions are usually created by the applications that will use them to store
and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins
group can manually create or manage application directory partitions using the Ntdsutil
command-line tool.
One of the benefits of an application directory partition is that, for redundancy, availability, or
fault tolerance, the data in it can be replicated to different domain controllers in a forest.
8. How do you create a new application partition?
Ans
The DnsCmd command is used to create a new application directory partition. For example, to create a
partition named "NewPartition" on the domain controller DC1.contoso.com, log on to the
domain controller and type the following command.
Ans
All you need to do is open Active Directory Sites and Services and expand the sites until you get
to NTDS Settings, then right-click on the servers on the right and view and change the
replication properties from there.
or
Install Replication Monitor from the Support Tools, run it from the command line with the "replmon" command,
add a DC, and it will show you all partitions that DC holds and all replication partners for each partition.
Ans
The global catalog is a distributed data repository that contains a searchable, partial
representation of every object in every domain in a multidomain Active Directory Domain
Services (AD DS) forest. The global catalog is stored on domain controllers that have been
designated as global catalog servers and is distributed through multimaster replication. Searches
that are directed to the global catalog are faster because they do not involve referrals to
different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a
Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single
domain directory partition. Therefore, a domain controller can locate only the objects in its
domain. Locating an object in a different domain would require the user or application to provide
the domain of the requested object.
The global catalog provides the ability to locate objects from any domain without having to
know the domain name. A global catalog server is a domain controller that, in addition to its full,
writable domain directory partition replica, also stores a partial, read-only replica of all other
domain directory partitions in the forest. The additional domain directory partitions are partial
because only a limited set of attributes is included for each object. By including only the
attributes that are most used for searching, every object in every domain in even the largest forest
can be represented in the database of a single global catalog server.
Ans
You would need a script to make such a query, but you can also check your DNS for SRV records
that contain _gc in their name.
12. How do I install a Replica Domain Controller from a previous backed-up media on my
Windows Server 2003 server? OR
13. What can you do to promote a server to DC, if you're in a remote location with slow WAN
link?
Ans
In Windows Server 2003 a new feature has been added, and this time it's one that will actually
make our lives easier... You can promote a domain controller using files backed up from a source
domain controller!!!
This feature is called "Install from Media" and it's available by running DCPROMO with the
/adv switch. It's not a replacement for network replication; we still need network connectivity,
but now we can use an old System State copy from another Windows Server 2003 machine, copy it to our
future DC, and have the first and basic replication take place from the media instead of across
the network, thus saving valuable time and network resources.
What you basically have to do is back up the System State of an existing domain controller,
restore that backup to your replica candidate, and use DCPromo /Adv to tell it to source from local
media rather than from a network source.
This also works for global catalogs. If we perform a backup of a global catalog server, then we
can create a new global catalog server by performing DCPromo from that restored media.
IFM Limitations
It only works for the same domain, so you cannot back up a domain controller in domain A and
create a new domain B using that media.
It's only useful up to the tombstone lifetime with a default of 60 days. So if you have an old
backup, then you cannot create a new domain controller using that, because you'll run into the
problem of reanimating deleted objects.
1. To start Backup, click Start, point to All Programs, point to Accessories, point to System
Tools, and then click Backup.
2. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this
wizard or go to the next step to work in Advanced Mode.
3. Click the Advanced Mode link on the Backup or Restore Wizard.
4. Click the Backup tab, then click the box next to System State and any other items you
would like to back up.
1. Copy your backed-up System State file from the first DC to the server where you want to
perform the process. You can do this by copying the file over the network, burning it to CD
and copying it to the server, or, if you want, just restore it on the original DC but point the
restore path to a mapped network drive that is actually a shared folder on the potential
new DC.
2. Run NTBACKUP from the Run menu. Click the Restore tab, then click the box next to
System State.
1. In the "Restore files to" box select "Alternate Location". In the "Alternate Location" box type
your designated restore path. This could be a folder on one of your hard disks. I used
C:\Backup. Click Start Restore.
2. A warning window will appear. Click Ok.
Ans
The reason that all DCs are not GCs to start with is that in large (or even giant) forests every DC would
have to hold a reference to every object in the entire forest, which could be quite large and quite a
replication burden.
For a few hundred, or even a few thousand users, this is not likely to matter unless you have really poor
WAN lines.
By default there is only one global catalog server in a forest: the first domain controller of the
Active Directory forest acts as the GC server, and it is used for communication across the entire
forest. The Infrastructure Master (an operations master role) checks for updated AD information
from the other DCs in the forest; to do this it queries the global catalog, which has all the updated
(replicated) information. If a GC is installed on all DCs, the AD updates are not identified by the
Infrastructure Master, because it is itself a GC.
By default the Schema Management snap-in (Active Directory Schema) is not present in Administrative
Tools; it has to be registered from the command line. At a command prompt run "regsvr32
schmmgmt.dll", then go to Run, type mmc.exe, and in the MMC window choose File -> Add/Remove
Snap-in -> Add -> Active Directory Schema -> OK -> Finish, and save the console.
The Support Tools are diagnostic tools for network connectivity and many other functions. They can
be installed from the Windows Server 2003 CD: open Support Tools and run suptool.exe. Replmon is
used for monitoring replication traffic. Netdom is a command-line tool for renaming a domain
controller; this only works at the Windows Server 2003 forest and domain functional level, not at
any other level.
15. What are the Support Tools? Why do I need them?
Ans
Support Tools are additional utilities for performing complicated administration and diagnostic tasks more easily.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
Ans
What is LDP?
What is REPLMON?
What is ADSIEDIT?
What is NETDOM?
Syntax
Ans
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to
configure Active Directory access and replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts
networks. Sites contain objects called Subnets. Sites can be used to assign Group Policy
Objects, facilitate the discovery of resources, manage Active Directory replication, and manage
network link traffic. Sites can be linked to other Sites. Site-linked objects may be assigned a cost
value that represents the speed, reliability, availability, or other real property of a physical
resource. Site Links may also be assigned a schedule.
18. What's the difference between a site link's schedule and interval?
Ans
The schedule lets you list the weekdays or hours when the site link is available for replication. The
interval is the recurrence of intersite replication within that schedule, in minutes. It ranges
from 15 to 10,080 minutes; the default interval is 180 minutes.
Any time two networks are separated by links that are heavily used during parts of the day and are idle
during other parts of the day, put those networks into separate sites. You can use the ability to schedule
replication between sites to prevent replication traffic from competing with other traffic during high
usage hours.
In simple words you can define it as the time when you allow the replication to happen.
The interval is also part of the schedule, but it controls the replication polling frequency. In other
words, within a given schedule of, say, 9:00 AM to 1 PM, replication polling should occur every 15
minutes.
Ans
The Intersite Topology Generator (ISTG) is responsible for the connections among the sites. This role
exists by default at the Windows 2003 forest functional level.
By default the first server has this role. If that server can no longer perform this role, then the
server with the next highest GUID takes over the role of ISTG.
Ans
· A NIC
· Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
System requirements
The following are estimated system requirements for Windows Server 2008. If your computer
has less than the minimum requirements, you will not be able to install this product correctly.
Actual requirements will vary based on your system configuration and the applications and
features you install.
Processor
Processor performance depends not only on the clock frequency of the processor, but also on the
number of processor cores and the size of the processor cache. The following are the processor
requirements for this product:
An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-Based Systems.
RAM
Minimum: 512 MB
Recommended: 2 GB or more
Maximum (32-bit systems): 4 GB (for Windows Server 2008 Standard) or 64 GB (for Windows
Server 2008 Enterprise or Windows Server 2008 Datacenter)
Maximum (64-bit systems): 32 GB (for Windows Server 2008 Standard) or 1 TB (for Windows
Server 2008 Enterprise, Windows Server 2008 Datacenter) or 2 TB (for Windows Server 2008 for
Itanium-Based Systems)
The following are the approximate disk space requirements for the system partition. Itanium-
based and x64-based operating systems will vary from these estimates. Additional disk space
may be required if you install the system over a network. For more information, see
Minimum: 10 GB
Recommended: 40 GB or more
Note
Computers with more than 16 GB of RAM will require more disk space for paging, hibernation,
and dump files.
DVD-ROM drive
22. What can you do to promote a server to DC if you're in a remote location with slow
WAN link?
Ans
First available in Windows 2003: you create a copy of the System State from an existing DC and copy
it to the new remote server. Run "Dcpromo /adv". You will be prompted for the location of the System
State files.
OR
1. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in wizard
mode, click the Advanced Mode hyperlink.)
2. From the Backup tab, click to select the System State check box in the left pane. Do not back up
the file system part of the SYSVOL tree separately from the system state backup.
3. In the Backup media or file name box, specify the drive, path, and file name of the system state
backup.
1. Log on to the Windows Server 2003-based computer that you want to promote. You must be a
member of the local administrators group on this computer.
2. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in wizard
mode, click the Advanced Mode hyperlink.)
3. In the Backup utility, click the Restore and Manage Media tab. In the Tools menu, click Catalog
a backup file..., and then locate the .bkf file that you created earlier. Click OK.
4. Expand the contents of the .bkf file, and then click to select the System State check box.
5. In Restore files to:, click Alternate Location. To restore the system state, type the logical drive
and the path. We suggest that you type X:\Ntdsrestore. In this command, X is the logical drive
that will ultimately host the Active Directory database when the member computer is
promoted. The final location for the Active Directory database is selected when you run the
Active Directory Installation Wizard. This folder must be different from the folder that contains
the restored system state.
3. Click Next to bypass the Welcome to the Active Directory Installation Wizard and Operating
System Compatibility dialog boxes.
4. On the Domain Controller Type page, click Additional domain controller for an existing
domain, and then click Next.
5. On the Copying Domain Information page, click From these restored backup files:, and then
type the logical drive and the path of the alternative location where the system state backup
was restored. Click Next.
6. In Network Credentials, type the user name, the password, and the domain name of an account
that is a member of the domain administrators group for the domain that you are promoting in.
7. Continue with the remainder of the Active Directory Installation Wizard pages as you would with
the standard promotion of an additional domain controller.
8. After the SYSVOL tree has replicated in, and the SYSVOL share exists, delete any remaining
restored system files and folders.
23. How can you forcibly remove AD from a server, and what do you do later? Can I
get user passwords from the AD database?
Ans
Demote the server using dcpromo /forceremoval, then remove the metadata from Active Directory
using ntdsutil. There is no way to get user passwords from AD that I am aware of, but you should still be
able to change them.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
c. Type ServerNT in the Value data box, and then click OK.
It is a member server now, but the AD entries are still there. Promote the server to a fake domain, say
ABC.com, and then remove it gracefully using DCpromo.
help:
When you try to remove a domain controller from your Active Directory domain by using
Dcpromo.exe and fail, or when you began to promote a member server to be a Domain
Controller and failed (the reasons for your failure are not important for the scope of this article),
you will be left with remains of the DC's object in the Active Directory. As part of a successful
demotion process, the Dcpromo wizard removes the configuration data for the domain controller
from Active Directory, but as noted above, a failed Dcpromo attempt might leave these objects
in place.
The effects of leaving such remains inside the Active Directory may vary, but one thing is sure:
whenever you try to re-install the server with the same computer name and try to promote it to
become a Domain Controller, you will fail, because the Dcpromo process will still find the old
object and will therefore refuse to re-create the objects for the new-old server.
In the event that the NTDS Settings object is not removed correctly you can use the Ntdsutil.exe
utility to manually remove the NTDS Settings object.
If you give the new domain controller the same name as the failed computer, then you need to
perform only the first procedure to clean up metadata, which removes the NTDS Settings object
of the failed domain controller. If you will give the new domain controller a different name, then
you need to perform all three procedures: clean up metadata, remove the failed server object
from the site, and remove the computer object from the Domain Controllers container.
You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, and Active
Directory Users and Computers.
Also, make sure that you use an account that is a member of the Enterprise Admins universal
group.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.
To clean up metadata
C:\WINDOWS>ntdsutil
ntdsutil:
1. At the Ntdsutil: prompt, type metadata cleanup and press Enter.
Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.
1. Type quit and press Enter to return to the metadata cleanup: prompt.
server connections: q
metadata cleanup:
1. Type select operation target and press Enter.
You will receive a warning message. Read it, and if you agree, click Yes.
24. What tool would I use to try to grab security related packets from the wire?
Ans
You must use sniffer-detecting tools to help stop the snoops.
A good packet sniffer would be Ethereal (now known as Wireshark).
Ans
OU design requires balancing requirements for delegating administrative rights - independent of Group
Policy needs - and the need to scope the application of Group Policy. The following OU design
recommendations address delegation and scope issues:
Applying Group Policy: an OU is the lowest-level Active Directory container to which you can
assign Group Policy settings.
Ans
The number of days before a deleted object is removed from the directory service. This assists
in removing objects from replicated servers and prevents restores from reintroducing a deleted
object. This value is held on the Directory Service object in the Configuration NC (naming context).
27. What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
Ans
If you plan to install Windows Server 2003 domain controllers into an existing Windows 2000
domain, or to upgrade Windows 2000 domain controllers to Windows Server 2003, you first need to
run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema
master and infrastructure master roles. The adprep /forestprep command must first be issued on
the Windows 2000 server holding the schema master role in the forest root domain to prepare the
existing schema to support Windows Server 2003 Active Directory. The adprep /domainprep command
must be issued on the server holding the infrastructure master role in the domain where the new
Windows Server 2003 domain controller will be deployed.
28. What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
Ans
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed,
you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display
the Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2
version (this is a minor change and mostly related to the new Dfs replication engine). To update
the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the
second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or
Windows 2000 with SP2 (or later). Here's a sample execution of the Adprep /forestprep
command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to
Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain
controller corruption.
For more information about preparing your forest and domain see KB article Q331161 at
http://support.microsoft.com.
[User Action] If ALL your existing Windows 2000 domain controllers meet this requirement,
type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to
quit.
The command has completed successfully.
Adprep successfully updated the forest-wide information.
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows
2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows
2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered
for R2 must match the underlying OS type, which means if you installed Windows 2003
using a volume-license version key, then you can't use a retail or Microsoft Developer
Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be performed (e.g.,
Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
29. How would you find all users that have not logged on since last month?
Ans
Using only native commands, JSILLD.bat produces a sorted/formatted report of users who have not
logged on since YYYYMMDD.
The report is sorted by UserName and lists the user's full name and last logon date.
Syntax: JSILLD File YYYYMMDD [/N]
where:
File is the report file that will be created.
YYYYMMDD will report all users who have not logged on since this date.
/N is an optional parameter that will bypass users who have never logged on.
JSILLD.bat contains:
@echo off
setlocal
rem Report users who have not logged on since a given date, using only native commands.
rem Usage: JSILLD File yyyymmdd [/N]
rem   File      report file to create (overwritten if it already exists)
rem   yyyymmdd  users whose last logon is before this date are reported
rem   /N        optional, skip users who have never logged on
if {%2}=={} goto syntax
if "%3"=="" goto begin
if /i "%3"=="/n" goto begin
:syntax
@echo Syntax: JSILLD File yyyymmdd [/N]
endlocal
goto :EOF
:begin
if /i "%2"=="/n" goto syntax
rem Validate the year, month and day fields of the yyyymmdd argument.
set dte=%2
set XX=%dte:~0,4%
if "%XX%" LSS "1993" goto syntax
set XX=%dte:~4,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "12" goto syntax
set XX=%dte:~6,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "31" goto syntax
set never=X
if /i "%3"=="/n" set never=/n
set file=%1
if exist %file% del /q %file%
rem NET USER /DOMAIN lists user names three per line in 25-character columns.
rem Skip the header, drop the separator and footer lines, and parse each row.
for /f "Skip=4 Tokens=*" %%i in ('net user /domain^|findstr /v /c:"----"^|findstr /v /i /c:"The command completed"') do call :parse "%%i"
endlocal
goto :EOF
:parse
rem Remove the surrounding quotes, then handle each of the three name columns in turn.
set str=#%1#
set str=%str:#"=%
set str=%str:"#=%
set substr=%str:~0,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~25,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~50,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
goto :EOF
:parse1
rem Called once per line of NET USER "name" /DOMAIN output: remember the full name
rem and act only on the "Last logon" line.
set ustr=%1
if %ustr%=="The command completed successfully." goto :EOF
set ustr=%ustr:"=%
if /i "%ustr:~0,9%"=="Full Name" set fullname=%ustr:~29,99%
if /i not "%ustr:~0,10%"=="Last logon" goto :EOF
set txt=%ustr:~29,99%
rem The date is expected in the US M/D/Y form; the time after the space is ignored.
for /f "Tokens=1,2,3 Delims=/ " %%i in ('@echo %txt%') do set MM=%%i&set DD=%%j&set YY=%%k
if /i "%MM%"=="Never" goto tstnvr
goto year
:tstnvr
if /i "%never%"=="/n" goto :EOF
goto report
:year
rem Normalise the year to four digits. The comparisons are done without quotes so that
rem cmd.exe compares numerically rather than as strings.
if "%YY%"=="" goto :EOF
if %YY% GTR 1000 goto mmm
if %YY% GTR 92 goto Y19
set /a YY=100%YY%%%100
set /a YY=%YY% + 2000
goto mmm
:Y19
set YY=19%YY%
:mmm
rem Zero-pad month and day, build yyyymmdd and compare it with the cut-off date.
set /a XX=100%MM%%%100
if %XX% LSS 10 set MM=0%XX%
set /a XX=100%DD%%%100
if %XX% LSS 10 set DD=0%XX%
set YMD=%YY%%MM%%DD%
if "%YMD%" GEQ "%dte%" goto :EOF
:report
rem Pad the columns and append one line to the report file.
set fullname=%fullname% #
set fullname=%fullname:~0,35%
set substr=%substr% #
set substr=%substr:~0,30%
@echo %substr% %fullname% %txt% >> %file%
Ans
New DS (Directory Service) Family of built-in command line utilities for Windows Server 2003 Active
Directory
When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for
choice. The DS family of built-in command-line executables offers alternative strategies to
CSVDE, LDIFDE and VBScript.
The general syntax is: Tool object "DN" -switch value, where DN is the LDAP distinguished name. For example:
DSadd user "cn=billy, ou=managers, dc=cp, dc=com" -pwd cX49pQba
This will add a user called Billy to the Managers OU and set the password to cX49pQba.
Here are some of the common DS switches which work with DSadd and DSmod
-pwd (password) -upn (userPrincipalName) -fn (FirstName) -samid (Sam account name).
The best way to learn about this DS family is to logon at a domain controller and experiment
from the command line. I have prepared examples of the two most common programs. Try some
sample commands for DSadd.
Two most useful Tools: DSQuery and DSGet
The DSQuery and DSGet remind me of UNIX commands in that they operate at the command
line, use powerful verbs, and produce plenty of action. One pre-requisite for getting the most
from this DS family is a working knowledge of LDAP.
If you need to query users or computers from a range of OUs and then return information (for
example office or department manager), then DSQuery and DSGet would be your tools of choice.
Moreover, you can export the information into a text file.
Or
If you've been working with Active Directory for any length of time, chances are good that at
some point you've wished there were a way to quickly and easily automate certain operations. Of
course, you could tap into Active Directory Services Interface (ADSI) via Windows Script Host
and VBScript and create or download scripts to automate those operations. However,
if programming really isn't your strong point, you could end up spending more time figuring out
the ADSI scripting environment than actually accomplishing your goals.
Fortunately, with Windows Server 2003, Microsoft has brought the task of automating Active
Directory operations within the grasp of every system administrator by including a complete suite
of directory service command-line tools. Now you won't have to delve into the advanced
intricacies of ADSI when you can use something that's as easy to create and use as a batch file.
Author's note
In this article, I'll introduce you to Windows Server 2003's directory service command-line tools
and then get you started on the ground floor. In future articles, I'll take an in-depth look at each
tool and show you how to use them to your advantage when you need to automate certain
operations.
If you're using Windows Server 2003, you already know that its Active Directory GUI tools offer
several new and improved features over those in Windows 2000 Server. For example, you now
have drag-and-drop capabilities, multiple-object selection, and the ability to save and
reuse queries. So why would you even want to use the directory service command-line tools?
To answer this question, let's begin by looking at a list of the available tools in the directory
service command-line suite, as shown in Table A. As you look at the list, keep in mind that there
are really only six main tools in the suite, but in this particular arrangement, I've expanded the list
to show the first four main commands, along with the target object on which the command is
designed to operate. The last two commands are designed to work on any target object.
Table A (columns: Command, Description)
We'll examine each tool later in this series, but the point of showing you the complete list now is
to highlight the magnitude of the tools in the suite and to help you get a feel for the types of
operations you can perform with them. Each tool is accompanied by a complete set of general
and command-specific parameters that allow you to further define the type of operation you want
to conduct.
Now, on first glance, you'll immediately see that there are command-line tools for just about
every operation you can execute from within the Active Directory GUI tools. However, once you
begin to delve deeper, you'll discover that, in some cases, it's easier to carry out certain types of
operations from the command line than from the GUI. Dig even further, and you'll discover that
there are some tasks you can accomplish with the command-line tools that just aren't possible
with the GUI tools. Furthermore, once you have a better understanding of how these tools work,
you'll discover that you can indeed automate many common operations quite easily.
You won't want to completely abandon the GUI tools in favor of the command-line tools. Rather,
you'll use the command-line tools to complement the GUI tools.
To take advantage of directory service command-line tools, you must have a good grasp of the
underlying structure of Active Directory. More specifically, you need to understand that every
object in Active Directory can be referenced by several names, and that the command-line tools
rely on one of those names -- the distinguished name -- to locate and work with objects. The other
two names are the relative distinguished name and the canonical name.
When you create an object in Active Directory, the process creates the relative distinguished
name and the canonical name. The distinguished name is then based on the relative distinguished
name and the names of that object's parent containers, including the domains. The distinguished
name identifies the object as well as its location in a tree.
To specify this location, the distinguished name uses theLightweight Directory Access Protocol
(LDAP) attribute tags listed in TableB. For example, the distinguished name for my user
account, which exists inthe Writers organizational unit in the gcs.com domain, would be
CN=Greg Shultz,OU=Writers,DC=gcs,DC=com
Table B: LDAP attribute tag | Description
As you can see, the LDAP attribute tags are used to identify each component in the distinguished
name; they are separated by commas, and the order in which the components appear goes from
the lowest level in the tree to the highest level. The distinguished name tells you exactly where to
find the object in the Active Directory data store.
There are a few rules you need to observe when working with the distinguished name on the
command line:
1. You should get into the habit of enclosing the distinguished name in quotes. (This is really
necessary only if any of the names include spaces; however, making it a habit will save you time
and frustration if you forget.)
2. Do not put spaces between the commas and the object names.
3. While using uppercase letters for the LDAP attribute tags isn't necessary, it does help
delineate the components and make for easier reading.
4. The default Active Directory containers, such as Computers or Users, are essentially
organizational units but are referred to as a common name.
Now that you understand how to use the distinguished name to identify the location of the object
you want to work with, you can use the directory service command-line tools to automate your
most common Active Directory management operations. You needn't worry about having to
figure out all the distinguished names on your own -- you can ask the Dsquery command
for assistance.
While I'll get into more detail on the more powerful features of the Dsquery command in a future
article, it's a good place to start becoming more familiar with the distinguished names in your
Active Directory structure. For example, to see the distinguished names for the user accounts
in Active Directory, open the command prompt and type
Dsquery user
To see the distinguished names for the organizational units in Active Directory, type the
command
Dsquery ou
You can try other basic Dsquery commands using the list of target objects shown in Table A.
However, as you do, keep in mind that by default the Dsquery command will display only 100
items. You can expand the number of items displayed by adding the -limit ### parameter and
specifying an upper limit.
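As an added example (not part of the article above or of the ds* tools), here is a Python parser that applies the distinguished-name rules just described to DNs of the kind Dsquery prints, deriving the relative distinguished name, the parent container and the canonical name. The sample output lines are constructed, and the handling of backslash escapes inside a value follows the LDAP DN string convention, which the article does not cover.

```python
"""Parse Active Directory distinguished names the way the ds* tools expect.

Added example, not from the original article: it enforces the four rules given
in the text (quote the DN, no space after commas, upper-case tags are optional,
default containers such as Users are CN=) and derives the other two names the
text mentions, the relative distinguished name and the canonical name.
Sample DNs are constructed; gcs.com and the Writers OU come from the text.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

KNOWN_TAGS = {"CN", "OU", "DC"}      # attribute tags the article lists (Table B)
HEX = "0123456789abcdefABCDEF"


def split_components(dn: str) -> List[str]:
    """Split on commas, skipping any comma escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])          # keep the escape for unescape_value
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_value(raw: str) -> str:
    """Resolve LDAP DN escapes: backslash-char and backslash-two-hex-digits."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(raw[i + 1])
                i += 2
            continue
        out.append(raw[i])
        i += 1
    return "".join(out)


def escape_value(value: str) -> str:
    """Escape the characters that are special inside an RDN value."""
    escaped = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if escaped.endswith(" "):                # a trailing space must be escaped
        escaped = escaped[:-1] + "\\ "
    if escaped[:1] in ("#", " "):            # so must a leading '#' or space
        escaped = "\\" + escaped
    return escaped


def join_dn(components: Sequence[Tuple[str, str]]) -> str:
    return ",".join(f"{tag}={escape_value(value)}" for tag, value in components)


@dataclass(frozen=True)
class DnParts:
    components: Tuple[Tuple[str, str], ...]   # (tag, value) pairs, leaf first

    @property
    def rdn(self) -> str:                     # relative distinguished name
        return join_dn(self.components[:1])

    @property
    def parent(self) -> str:                  # DN of the containing object
        return join_dn(self.components[1:])

    @property
    def canonical(self) -> str:
        """DNS domain, then containers top-down, e.g. gcs.com/Writers/Greg Shultz."""
        domain = ".".join(v for t, v in self.components if t == "DC")
        path = [v for t, v in self.components if t != "DC"]
        return "/".join([domain] + list(reversed(path)))

    def quoted(self) -> str:
        """Rule 1: always hand the DN to the ds* tools in quotes."""
        return '"' + join_dn(self.components) + '"'


def parse_dn(dn: str) -> DnParts:
    """Parse a DN, with or without the quotes Dsquery puts around it."""
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == dn[-1] == '"':
        dn = dn[1:-1]
    components = []
    for raw in split_components(dn):
        if raw != raw.lstrip():
            raise ValueError(f"rule 2: space between comma and {raw.strip()!r}")
        tag, sep, value = raw.partition("=")
        if not sep or not value:
            raise ValueError(f"component {raw!r} is not tag=value")
        tag = tag.upper()                     # rule 3: tag case is cosmetic
        if tag not in KNOWN_TAGS:
            raise ValueError(f"unexpected attribute tag {tag!r} in {raw!r}")
        components.append((tag, unescape_value(value)))
    return DnParts(tuple(components))


# Constructed sample of what `Dsquery user` prints: one quoted DN per line.
SAMPLE_DSQUERY_OUTPUT = '''"CN=Greg Shultz,OU=Writers,DC=gcs,DC=com"
"CN=Shultz\\, Greg (contract),OU=Writers,DC=gcs,DC=com"
"CN=Administrator,CN=Users,DC=gcs,DC=com"
'''


def canonical_names(dsquery_output: str) -> List[str]:
    """Turn Dsquery's DN listing into canonical names, one per object."""
    return [parse_dn(line).canonical
            for line in dsquery_output.splitlines() if line.strip()]
```

The third sample line shows rule 4 in practice: the default Users container is addressed as CN=Users, not OU=Users.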
31. What's the difference between LDIFDE and CSVDE? Usage considerations?
Ans
Ldifde
Ldifde creates, modifies, and deletes directory objects on computers running Windows Server
2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the
schema, export Active Directory user and group information to other applications or services,
and populate Active Directory with data from other directory services.
The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that may
be used for performing batch operations against directories that conform to the LDAP standards.
LDIF can be used to export and import data, allowing batch operations such as add, create, and
modify to be performed against the Active Directory. A utility program called LDIFDE is
included in Windows 2000 to support batch operations based on the LDIF file format standard.
This article is designed to help you better understand how the LDIFDE utility can be used to
migrate directories.
http://support.microsoft.com/kb/237677
Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files that store
data in the comma-separated value (CSV) format. You can also support batch operations based
on the CSV file format standard.
Csvde is a command-line tool that is built into Windows Server 2008 in the /system32 folder. It
is available if you have the AD DS or Active Directory Lightweight Directory Services (AD
LDS) server role installed. To use csvde, you must run the csvde command from an elevated
command prompt. To open an elevated command prompt, click Start, right-click Command
Note: Although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only import
and export Active Directory data by using a comma-separated format (.csv). Microsoft
recommends that you use the Ldifde utility for Modify or Delete operations. Additionally, the
distinguished name (also known as DN) of the item that you are trying to import must be in the
first column of the .csv file or the import will not work.
The source .csv file can come from an Exchange Server directory export. However, because of
the difference in attribute mappings between the Exchange Server directory and Active
Directory, you must make some modifications to the .csv file. For example, a directory export
from Exchange Server has a column that is named "obj-class" that you must rename to
"objectClass." You must also rename "Display Name" to "displayName."
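The column renames and the DN-first requirement described above, applied by an added Python example (not part of the Microsoft documentation or of the Csvde and Ldifde tools): it rewrites a constructed Exchange-style export so Csvde will accept it, and emits the same records as LDIF add entries for Ldifde. The export's DN column label, Obj-Dist-Name, is an assumption.

```python
"""Prepare an Exchange-style directory export for Csvde and Ldifde.

Added example, not from the Microsoft documentation quoted above: it applies
the import requirements stated there (the DN must be the first .csv column;
"obj-class" becomes "objectClass" and "Display Name" becomes "displayName")
and writes the same records as LDIF add entries for Ldifde. The rows are
constructed sample data in the gcs.com domain used earlier on this page; the
export's DN column label, Obj-Dist-Name, is an assumption.
"""
import base64
import csv
import io
from typing import Dict, List, Tuple

# Header renames the text calls out, plus the (assumed) Exchange DN label.
RENAMES = {"obj-class": "objectClass", "Display Name": "displayName",
           "Obj-Dist-Name": "DN"}

CONSTRUCTED_EXPORT = """Display Name,obj-class,Obj-Dist-Name,sAMAccountName
Greg Shultz,user,"CN=Greg Shultz,OU=Writers,DC=gcs,DC=com",gshultz
Writers,organizationalUnit,"OU=Writers,DC=gcs,DC=com",
"""


def load_rows(export_text: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Read the export, rename headers, and order containers before children."""
    reader = csv.DictReader(io.StringIO(export_text))
    original = reader.fieldnames or []
    header = [RENAMES.get(h.strip(), h.strip()) for h in original]
    if "DN" not in header:
        raise ValueError("no DN column: neither tool can import without one")
    rows = [dict(zip(header, (row[h] for h in original))) for row in reader]
    # Both tools process records top to bottom, so OU=Writers must be created
    # before CN=Greg Shultz,OU=Writers. Depth is taken as the comma count,
    # which ignores escaped commas; adequate for this sample.
    rows.sort(key=lambda r: r["DN"].count(","))
    return header, rows


def to_csvde(export_text: str) -> str:
    """Rewrite the export so Csvde will import it (DN first, renamed headers)."""
    header, rows = load_rows(export_text)
    ordered = ["DN"] + [h for h in header if h != "DN"]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(ordered)
    for row in rows:
        writer.writerow([row.get(h, "") for h in ordered])
    return out.getvalue()


def ldif_attr(attr: str, value: str) -> str:
    """Use the base64 ('::') form where LDIF's SAFE-STRING rules forbid plain text."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or "\r" in value or "\n" in value)
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def to_ldif(export_text: str) -> str:
    """Emit the same rows as 'changetype: add' records for Ldifde."""
    header, rows = load_rows(export_text)
    records = []
    for row in rows:
        lines = [ldif_attr("dn", row["DN"]), "changetype: add"]
        lines += [ldif_attr(h, row[h]) for h in header if h != "DN" and row[h]]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"
```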
32. What are the FSMO roles? Who has them by default? What happens when each one
fails?
Ans
Schema Master:
The schema master domain controller controls all updates and modifications to the schema.
Once the Schema update is complete, it is replicated from the schema master to all other DCs in
the directory. To update the schema of a forest, you must have access to the schema master.
There can be only one schema master in the whole forest.
Domain Naming Master:
The domain naming master domain controller controls the addition or removal of domains in
the forest. This DC is the only one that can add or remove a domain from the directory. It can
also add or remove cross references to domains in external directories. There can be only one
domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents
the reference by the GUID, the SID (for references to security principals), and the DN of the
object being referenced. The infrastructure FSMO role holder is the DC responsible for updating
an object's SID and distinguished name in a cross-domain object reference. At any one time,
there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a
Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will
stop updating object information because it does not contain any references to objects that it
does not hold. This is because a Global Catalog server holds a partial replica of every object in
the forest. As a result, cross-domain object references in that domain will not be updated and a
warning to that effect will be logged on that DC's event log. If all the domain controllers in a
domain also host the global catalog, all the domain controllers have the current data, and it is
not important which domain controller holds the infrastructure master role.
RID Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for
all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID
created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign
to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that
DC issues a request for additional RIDs to the domain's RID master. The domain RID master
responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns
them to the pool of the requesting DC. At any one time, there can be only one domain controller
acting as the RID master in the domain.
PDC Emulator:
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of
the forest becomes authoritative for the enterprise, and should be configured to gather the time
from an external source. All PDC FSMO role holders follow the hierarchy of domains in the
selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the
PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the
PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-
based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member
servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to
Windows 2000/2003. The PDC emulator still performs the other functions as described in a
Windows 2000/2003 environment.
If each one of them fails, the effects are as follows:
Schema Master - Schema updates are not available. These are generally planned changes, and the first
step when doing a schema change is normally something like "make sure your environment is healthy".
There isn't any urgency if the schema master fails; having it offline is largely irrelevant until you want to
make a schema change.
Domain Naming Master - No new domains or application partitions can be added. This sort of falls into
the same "healthy environment" bucket as the schema master. When we upgraded the first DC to a beta
Server 2003 OS which included the code to create the DNS application partitions, we couldn't figure out
why they weren't instantiated until we realized that the server hosting the DNM was offline (being
upgraded) at the same time.
Infrastructure Master - No cross-domain updates; can't run any domain preps. Domain preps are planned
(again). But no cross-domain updates could be important if you have a multi-domain environment with a
lot of changes occurring.
RID Master - New RID pools unable to be issued to DCs. This gets a bit more complicated, but let me
see if I can make it easy. Every DC is initially issued 500 RIDs. When it gets down to 50% (250) it requests
a second pool of RIDs from the RID master. So when the RID master goes offline, every DC has
anywhere between 250 and 750 RIDs available (depending on whether it's hit 50% and received the new
pool).
PDC - Time, logins, password changes, trusts. So we made it to the bottom of the list, and by this point
you've figured that the PDC has to be the most urgent FSMO role holder to get back online. The rest of
them can be offline for varying amounts of time with no impact at all. Users may see funky behavior if
they changed their password, but replication will probably have completed before they call the help
desk, so nothing to worry about, and trusts go back to that whole "healthy forest" thing again.
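The RID master's pool hand-out described in the RID Master section above, and the 250-to-750 figure in the failure discussion, modelled as an added Python example (not from either of the answers quoted here): a DC builds each new principal's SID from the domain SID and a RID drawn from its allocated pool, requests a fresh pool at the 50% mark, and runs dry only after the master has been unreachable long enough to exhaust both pools. The pool size and threshold are the page's figures; the domain SID is a constructed value.

```python
"""Model RID pool allocation and what a DC can still do when the RID master is down.

Added example, not part of either quoted answer: it follows the description
given on this page. A DC's SID for a new user or group is the domain SID plus
a RID drawn from a pool the RID master hands out, and a fresh pool is requested
once the current one is half used. The pool size (500) and 50% threshold are
the figures quoted in the text; the domain SID is a constructed sample value.
"""
from dataclasses import dataclass, field
from typing import List, Optional

POOL_SIZE = 500
REFILL_AT = POOL_SIZE // 2                       # ask for more at 250 left
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed


class RidMaster:
    """Single role holder: hands out non-overlapping RID ranges for the domain."""

    def __init__(self, first_rid: int = 1000):
        self.next_rid = first_rid
        self.online = True

    def allocate_pool(self) -> Optional[range]:
        """Return the next range from the unallocated pool, or None if offline."""
        if not self.online:
            return None
        pool = range(self.next_rid, self.next_rid + POOL_SIZE)
        self.next_rid += POOL_SIZE
        return pool


@dataclass
class DomainController:
    name: str
    master: RidMaster
    current: List[int] = field(default_factory=list)   # RIDs not yet used
    standby: List[int] = field(default_factory=list)   # pre-fetched next pool

    def __post_init__(self) -> None:
        self.current = list(self.master.allocate_pool() or [])  # initial 500

    def available(self) -> int:
        return len(self.current) + len(self.standby)

    def _request_standby(self) -> None:
        pool = self.master.allocate_pool()
        if pool is not None:
            self.standby = list(pool)

    def create_principal(self) -> Optional[str]:
        """Return the SID of a new security principal, or None if out of RIDs."""
        if not self.current:
            if not self.standby:
                self._request_standby()          # last chance: ask the master
            if not self.standby:
                return None                      # master unreachable, pools spent
            self.current, self.standby = self.standby, []
        rid = self.current.pop(0)
        if len(self.current) <= REFILL_AT and not self.standby:
            self._request_standby()              # silently fails if master is down
        return f"{DOMAIN_SID}-{rid}"


def rids_left_when_master_fails(created_before_failure: int) -> int:
    """Principals one DC can still create after the RID master goes offline,
    having created `created_before_failure` of them while it was up."""
    master = RidMaster()
    dc = DomainController("DC1", master)
    for _ in range(created_before_failure):
        dc.create_principal()
    master.online = False
    made = 0
    while dc.create_principal() is not None:
        made += 1
    return made
```

Two DCs sharing one RidMaster never produce the same SID, which is the property that is lost if a seized role holder is allowed back on the network, as the text on seizing warns.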
OR
Introduction
FSMO Roles
FSMO tools
Useful Links
Introduction
In a Windows 2000 domain environment, all of the domain controllers are peers. There
are no PDCs and BDCs that you find in a Windows NT domain. All Windows 2000
domain controllers contain a writable replica (or copy) of the Active Directory
Database, and unlike the hierarchical server structure in a Windows NT domain (the
PDC with subordinate BDCs), all domain controllers are equal.
The ability of all domain controllers in a Windows 2000 domain to update Active
Directory, and then replicate it out to the other DCs, is referred to as Multimaster
Replication. Compare that to a Windows NT domain which uses Single Master
replication - the PDC has the only writable copy of the SAM and all updates can only
happen at the PDC.
(The SAM, Security Accounts Database, is replaced by the Active Directory Database
in Windows 2000.)
So why are there FSMO server roles? Since each DC in a Windows 2000 domain can
update the Active Directory, which then gets replicated to all other DCs, what happens
if more than one person is making the same change to Active Directory at the same
time? There are certain rules that are followed to prevent conflicts in updating the AD
database, but some changes are too important to the domain to be left to these rules.
Because of this, Microsoft came up with the idea of the Flexible Single Master
Operations server roles. The servers that hold these FSMO roles are responsible for
updating certain aspects of Active Directory. By making designated servers
responsible for certain updates, instead of allowing every server to make all updates,
you prevent conflicts in Active Directory updates.
In a Windows 2000 Domain environment, there are 5 server roles that are necessary for
the proper functioning of the forest/domain (or Active Directory). These 5 server roles
are collectively known as the Flexible Single Master Operations Roles or FSMO roles.
All FSMO server roles exist on Domain Controllers. They do not exist on member
servers. Two of the server roles exist at the Forest level and 3 server roles exist at the
Domain level.
For example: If your Active Directory contains one forest and 1 domain, you would
have 5 FSMO role holders. If your AD contained one forest and 2 domains, you would
have 8 FSMO role holders - two at the forest level and 3 for each domain. Likewise,
for an AD with one forest and 3 domains, you would have 11 server roles - two at the
forest level and 3 for each domain.
FSMO Roles
The schema master FSMO role holder is the Domain Controller responsible for
performing updates to the active directory schema. It contains the only writable
copy of the AD schema. This DC is the only one that can process updates to the
directory schema, and once the schema update is complete, it is replicated from
the schema master to all other DCs in the forest. There is only one schema master
in the forest.
The domain naming master FSMO role holder is the DC responsible for making
changes to the forest-wide domain name space of the directory. This DC is the only
one that can add or remove a domain from the directory, and that is its major
purpose. It can also add or remove cross references to domains in external
directories. There is only one domain naming master in the active directory or
forest.
In a Windows 2000 domain, the PDC emulator server role performs the following
functions:
Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator first.
Authentication failures that occur at a given DC in a domain because of an
incorrect password are forwarded to the PDC emulator for validation before a bad
password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Time synchronization for the domain.
Group Policy changes are preferentially written to the PDC emulator.
Note: Some consider the PDC emulator to only be relevant in a mixed mode
domain. This is not true. Even after you have changed your domain to native mode
(no more NT 4 domain controllers), the PDC emulator is still necessary for the
reasons above.
The RID master FSMO role holder is the single DC responsible for processing RID
Pool requests from all DCs within a given domain. It is also responsible for removing
an object from its domain and putting it in another domain during an object move.
The DC that holds the Infrastructure Master FSMO role is responsible for cross
domain updates and lookups. When an object in one domain is referenced by
another object in another domain, it represents the reference by the GUID, the SID
(for references to security principals), and the distinguished name (DN) of the
object being referenced. The Infrastructure role holder is the DC responsible for
updating an object's SID and distinguished name in a cross-domain object
reference.
Domain Naming Master: The Domain Naming Master must be available when adding or
removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain
cannot be added or removed. It is also needed when promoting or demoting a server to/from
a Domain Controller. Like the Schema Master, this functionality is only used on occasion
and is not critical unless you are modifying your domain or forest structure.
PDC Emulator: The server holding the PDC emulator role will cause the most problems if it
is unavailable. This would be most noticeable in a mixed mode domain where you are still
running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC
emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User
Manager for Domains, Server Manager, changing passwords, browsing and BDC replication).
In a native mode domain the failure of the PDC emulator isn't as critical because other
domain controllers can assume most of the responsibilities of the PDC emulator.
RID Master: The RID Master provides RIDs for security principals (users, groups, computer
accounts). The failure of this FSMO server would have little impact unless you are adding a
very large number of users or groups.
Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC
you are adding the users/groups on ran out of RIDs.
So where are these FSMO server roles found? Is there a one to one relationship
between the server roles and the number of servers that house them?
The first domain controller that is installed in a Windows 2000 domain, by default,
holds all five of the FSMO server roles. Then, as more domain controllers are added to
the domain, the FSMO roles can be moved to other domain controllers. Moving a
FSMO server role is a manual process, it does not happen automatically. But what if
you only have one domain controller in your domain? That is fine. If you have only
one domain controller in your organization then you have one forest, one domain, and
of course the one domain controller. All 5 FSMO server roles will exist on that DC.
There is no rule that says you have to have one server for each FSMO server role.
However, it is always a good idea to have more than one domain controller in a domain
for a number of reasons. Assuming you do have multiple domain controllers in your
domain, there are some best practices to follow for placing FSMO server roles.
The Schema Master and Domain Naming Master should reside on the same server,
and that machine should be a Global Catalog server. Since all three are, by default, on
the first domain controller installed in a forest, then you can leave them as they are.
Note: According to MS, the Domain Naming master needs to be on a Global Catalog
Server. If you are going to separate the Domain Naming master and Schema master,
just make sure they are both on Global Catalog servers.
The Infrastructure Master should not be on the same server that acts as a Global
Catalog server.
The reason for this is the Global Catalog contains information about every object in the
forest. When the Infrastructure Master, which is responsible for updating Active
Directory information about cross domain object changes, needs information about
objects not in its domain, it contacts the Global Catalog server for this information. If
they both reside on the same server, then the Infrastructure Master will never think there
are changes to objects that reside in other domains because the Global Catalog will
keep it constantly updated. This would result in the Infrastructure Master never
replicating changes to other domain controllers in its domain.
Note: In a single domain environment this is not an issue.
Microsoft also recommends that the PDC Emulator and RID Master be on the same
server. This is not mandatory like the Infrastructure Master and the Global Catalog
server above, but is recommended. Also, since the PDC Emulator will receive more
traffic than any other FSMO role holder, it should be on a server that can handle the
load.
It is also recommended that all FSMO role holders be direct replication partners and
they have high bandwidth connections to one another as well as a Global Catalog
server.
FSMO Tools
How do you find out what servers in your domain/forest hold what server roles? How do
you move a server role from one server to another? There are several tools that can be
used to find out this information.
Permissions
Before you can transfer a role, you must have the appropriate permissions depending
on which role you plan to transfer:
Active Directory Users and Computers - use this snap-in to find out where the
domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure
Master), and also to change the location of one or more of these 3 FSMO roles.
Open Active Directory Users and Computers, right click on the domain you want to
view the FSMO roles for and click "Operations Masters". A dialog box (below) will
open with three tabs, one for each FSMO role. Click each tab to see what server that
role resides on. To change the server roles, you must first connect to the domain
controller you want to move it to. Do this by right clicking "Active Directory Users
and Computers" at the top of the Active Directory Users and Computers snap-in and
choose "Connect to Domain Controller". Once connected to the DC, go back into the
Operations Masters dialog box, choose a role to move and click the Change button.
When you do connect to another DC, you will notice the name of that DC will be in the
field below the Change button (not in this graphic).
Active Directory Domains and Trusts - use this snap-in to find out where the
Domain Naming Master FSMO role is and to change its location.
The process is the same as it is when viewing and changing the Domain level FSMO
roles in Active Directory Users and Computers, except you use the Active Directory
Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click
"Active Directory Domains and Trusts" at the top of the tree, and choose "Operations
Master". When you do, you will see the dialog box below. Changing the server that
houses the Domain Naming Master requires that you first connect to the new domain
controller, then click the Change button. You can connect to another domain controller
by right clicking "Active Directory Domains and Trusts" at the top of the Active
Directory Domains and Trusts snap-in and choosing "Connect to Domain Controller".
Active Directory Schema - this snap-in is used to view and change the Schema Master
FSMO role. However... the Active Directory Schema snap-in is not part of the default
Windows 2000 administrative tools or installation. You first have to install the
Support Tools from the \Support directory on the Windows 2000 server CD or install
the Windows 2000 Server Resource Kit. Once you install the support tools you can
open up a blank Microsoft Management Console (start, run, mmc) and add the snap-in
to the console. Once the snap-in is open, right click "Active Directory Schema" at the
top of the tree and choose "Operations Masters". You will see the dialog box below.
Changing the server the Schema Master resides on requires you first connect to
another domain controller, and then click the Change button.
You can connect to another domain controller by right clicking "Active Directory
Schema" at the top of the Active Directory Schema snap-in and choosing "Connect to
Domain Controller".
More Tools
In addition to the tools mentioned above, there are other tools that can be used to view
the FSMO server roles. Perhaps the easiest and fastest way to find out what server
holds what FSMO role is by using the Netdom command line utility. Like the Active
Directory Schema snap-in, the Netdom utility is only available if you have installed the
Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.
To use Netdom to view the FSMO role holders, open a command prompt window and
type:
netdom query fsmo and press enter. You will see a list of the FSMO role servers:
Another tool that comes with the Support Tools is the Active Directory Replication
Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once
open, click Edit, Add Monitored Server and add the name of a Domain Controller.
Once added, right click the Server name and choose properties. Click the FSMO Roles
tab to view the servers holding the 5 FSMO roles (below). You cannot change roles
using Replication Monitor, but this tool has many other useful purposes in regard to
Active Directory information. It is something you should check out if you haven't
already.
Finally, you can use the Ntdsutil.exe utility to gather information about and change
servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with
Windows 2000 server, is rather complicated and beyond the scope of this document.
Ans
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot
(or actually, on the same DC) as has been configured by the Active Directory installation
process. However, there are scenarios where an administrator would want to move one or more
of the FSMO roles from the default holder DC to a different DC.
You should also configure the entire domain controller as a Global Catalog server. This will
NOT place additional stress on the DCs, while allowing GC-related applications (such as
Exchange Server) to easily perform GC queries.
Configure a standby operations master - For each server that holds one or more operations
master roles, make another DC in the same domain available as a standby operations master.
Making a DC a standby operations master involves the following actions:
The standby operations master should not be a global catalog server except in a single
domain environment, where all domain controllers are also global catalog servers.
The standby operations master should have a manually created replication connection to
the domain controller that it is the standby operations master for, and it should be in the
same site.
Configure the RID master as a direct replication partner with the standby or backup RID
master. This configuration reduces the risk of losing data when you seize the role because
it minimizes replication latency.
1. In Active Directory Sites and Services snap-in, in the console tree in the left pane, expand
the Sites folder to see the list of available sites.
2. Expand the site name in which the current role holder is located to display the Servers
folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations master role to
display NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the standby operations
master then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the connection
object or accept the default name and click OK.
To create a connection object on the standby operations master perform the same procedure as
above, and point the connection to the current FSMO role holder.
Note regarding Windows 2000 Active Directory domains: If the forest is set to a functional
level of Windows 2000 native, you must locate the domain naming master on a server that hosts
the global catalog. If the forest is set to a functional level of Windows Server 2003, it is not
necessary for the domain naming master to be on a global catalog server.
Most FSMO roles require that the domain controller that holds the roles be:
Highly available server - FSMO functions require that the FSMO role holder is highly available
at all times. A highly available DC is one that uses computer hardware that enables it to remain
operational even during a hardware failure. For example, having a RAID1 or RAID5
configuration enables the server to keep running even if one hard disk fails.
Although most FSMO losses can be dealt with within a matter of hours (or even days in some
cases), some FSMO roles, such as the PDC Emulator role, should never be offline for more than
a few minutes at a time.
What will happen if you keep a FSMO role offline for a long period of time? This table has the info:
Not necessarily high capacity server - A high-capacity domain controller is one that has
comparatively higher processing power than other domain controllers to accommodate the
additional work load of holding the operations master role. It has a faster CPU and possibly
additional memory and network bandwidth. FSMO roles usually do not place stress on the
server's hardware.
One exception is the performance of the PDC Emulator, mainly when used in Windows 2000
Mixed mode along with old NT 4.0 BDCs. That is why you should:
34. I want to look at the RID allocation table for a DC. What do I do?
Ans
2. In a command prompt, type dcdiag /test:ridmanager /s:system1 /v (system1 is the name
of our DC)
35. What's the difference between transferring a FSMO role and seizing one? Which
one should you NOT seize? Why?
Ans
Seizing an FSMO can be a destructive process and should only be attempted if the existing server
with the FSMO is no longer available.
If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO
NOT seize the Schema Master role.
If you are going to seize the Schema Master, you must permanently disconnect the current Schema
Master from the network.
If you seize the Schema Master role, the boot drive on the original Schema Master must be
completely reformatted and the operating system must be cleanly installed, if you intend to return
this computer to the network.
NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition
that contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain
controller in the forest root domain. The first domain controller in each new child or tree domain is
assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they
are reassigned by using one of the following methods:
The current role holder is operational and can be accessed on the network by the new FSMO
owner.
You are gracefully demoting a domain controller that currently owns FSMO roles that you want
to assign to a specific domain controller in your Active Directory forest.
The domain controller that currently owns FSMO roles is being taken offline for scheduled
maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This
may be required to perform operations that connect to the FSMO owner. This would be
especially true for the PDC Emulator role but less true for the RID master role, the Domain
naming master role and the Schema master roles.
The current role holder is experiencing an operational error that prevents an FSMO-dependent
operation from completing successfully and that role cannot be transferred.
A domain controller that owns an FSMO role is force-demoted by using the dcpromo
/forceremoval command.
The operating system on the computer that originally owned a specific role no longer exists or
has been reinstalled.
As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge
of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the
best candidate domain controller is one in the appropriate domain that last inbound-replicated,
or recently inbound-replicated, a writable copy of the "FSMO partition" from the existing role
holder. For example, the Schema master role is recorded in the fSMORoleOwner attribute of
CN=Schema,CN=Configuration,DC=<forest root domain>, which means that the role resides in,
and is replicated as part of, the schema partition. If the domain controller that holds the
Schema master role experiences a hardware or software failure, a good candidate role-holder
would be a domain controller in the root domain and in the same Active Directory site as the
current owner. Domain controllers in the same Active Directory site replicate changes between
themselves within minutes: Windows 2000 notifies its replication partners 5 minutes after a
change, Windows Server 2003 and later after 15 seconds.
A domain controller whose FSMO roles have been seized should not be permitted to
communicate with existing domain controllers in the forest. In this scenario, you should either
format the hard disk and reinstall the operating system on such domain controllers or forcibly
demote such domain controllers on a private network and then remove their metadata on a
surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The
risk of introducing a former FSMO role holder whose role has been seized into the forest is that
the original role holder may continue to operate as before until it inbound-replicates knowledge
of the role seizure. Known risks of two domain controllers owning the same FSMO roles include
creating security principals that have overlapping RID pools, and other problems.
To transfer a role with Ntdsutil (the current holder must be online and reachable):
1. Click Start, click Run, type ntdsutil, and then press ENTER.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server servername, and then press ENTER, where servername is the name of
the domain controller you want to assign the FSMO role to.
5. At the server connections prompt, type q, and then press ENTER.
6. Type transfer role, where role is the role that you want to transfer. For a list of roles that you
can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of
roles at the start of this article. For example, to transfer the RID master role, type transfer rid
master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not
transfer pdc emulator.
7. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
To seize a role with Ntdsutil (only when the current holder cannot be repaired and will never be
reconnected to the network):
1. Follow steps 1 to 5 above, connecting to the domain controller that is to take over the role.
2. Type seize role, where role is the role that you want to seize. For a list of roles that you can
seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at
the start of this article. For example, to seize the RID master role, type seize rid master. The one
exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
Ntdsutil first attempts a graceful transfer and seizes only if the current holder does not respond.
3. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Notes
o Under typical conditions, all five roles must be assigned to "live" domain controllers in
the forest. If a domain controller that owns an FSMO role is taken out of service before its
roles are transferred, you must seize its roles to an appropriate and healthy domain
controller. Seize roles only when the old domain controller is not returning to the domain;
if it is possible, fix the broken domain controller that is assigned the FSMO roles instead.
Decide in advance which roles go to which remaining domain controllers, so that each of
the five roles is held by exactly one live domain controller. For more information about
FSMO role placement, see Microsoft Knowledge Base article 223346
(http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on
Windows 2000 domain controllers.
o If the domain controller that formerly held any FSMO role is not present in the domain
and if it has had its roles seized by using the steps in this article, remove it from the
Active Directory by following the procedure that is outlined in the following Microsoft
Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to
remove data in active directory after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000 version or the Windows
Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not
relocate FSMO roles that are assigned to live domain controllers. The Windows Server
2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes
additional elements of domain controller metadata.
o Some customers prefer not to restore system state backups of FSMO role-holders in
case the role has been reassigned since the backup was made.
o Do not put the Infrastructure master role on the same domain controller as a global
catalog server, unless every domain controller in the domain is a global catalog server
(or the forest has a single domain). The Infrastructure master updates cross-domain
references by comparing its own copy of an object with the global catalog; if it runs on a
global catalog server it never finds a reference it does not hold, because a global catalog
holds a partial replica of every object in the forest, and so it stops updating them. When
all domain controllers are global catalogs there is nothing to update and the placement
does not matter.
To check whether a domain controller is a global catalog server: in Active Directory Sites and
Services, expand the site, open the Servers folder, click the domain controller, open the
properties of its NTDS Settings object and, on the General tab, view the Global Catalog check
box to see if it is selected.
36. How do you configure a "stand-by operation master" for any of the roles?
Ans
A standby operations master is a domain controller that replicates directly from the current
role holder, so that it always has the freshest copy of the FSMO partition and is the best
candidate for a transfer (or for a seizure if the holder fails). You set it up by creating a manual
connection object in Active Directory Sites and Services:
1. Open Active Directory Sites and Services, and expand Sites.
2. Expand the site that contains the domain controller you want to be the standby.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display
its NTDS Settings.
5. Right-click NTDS Settings, and then click New Active Directory Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then
click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object
or accept the default name, and click OK.
You can’t restore Active Directory (AD) to a domain controller (DC) while the Directory Service
(DS) is running. To restore AD, perform the following steps.
1. Restart the domain controller.
2. When the boot menu appears, press F8 to display the advanced options menu:
OS Loader V5.0
Windows NT Advanced Options Menu
Please select an option:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers only)
Debugging Mode
Use the up and down arrow keys to move the highlight to your choice.
Press Enter to choose.
3. Scroll down, and select Directory Services Restore Mode (Windows NT domain
controllers only).
4. Press Enter.
5. When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of
the screen, you'll see in red text Directory Services Restore Mode (Windows NT domain
controllers only).
The computer will boot into a special safe mode and won't start the DS. Log on with the local
Directory Services Restore Mode (DSRM) administrator password, not with a domain account.
Be aware that during this time the machine won't act as a DC and won't perform functions such
as authentication.
1. Start NT Backup.
2. Select the Restore tab.
3. Select the backup media, and select System State.
4. Click Start Restore.
5. Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to use the restored
information. The computer might hang after the restore completes; I’ve experienced a 30-minute
wait on some machines.
How to restore Server 2008 Active Directory if someone accidentally deletes an object
(Authoritative Restore)
1. Boot into Directory Services Restore Mode and restore the system state (non-authoritative
restore); do not reboot the server afterwards.
2. Open a command prompt and run the following commands, where
CN=VIPuser,CN=Users,DC=MYDOMAIN,DC=NET is the object you wish to restore:
ntdsutil
activate instance NTDS
authoritative restore
restore object "CN=VIPuser,CN=Users,DC=MYDOMAIN,DC=NET"
3. Type q twice to leave Ntdsutil, and then reboot normally.
The authoritative restore raises the version number of the restored object so that it wins over
the deletion when the domain controller replicates again; without it the non-authoritative
restore would be undone as soon as the domain controller received the newer deletion from its
partners. To restore a deleted OU together with everything in it, use restore subtree instead of
restore object.
Ans
The Directory Services Restore Mode (DSRM) password is the local administrator password used
to log on to a domain controller in DSRM. It is set during Dcpromo and easily forgotten; reset it
with Ntdsutil:
1. Click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil prompt, type set dsrm password, and then press ENTER.
3. At the DSRM password reset prompt, do one of the following:
o To reset the password on the server on which you are working, type reset password on
server null. The null variable assumes that the DSRM password is being reset on the
local computer. Type the new password when you are prompted. Note that no
characters appear while you type the password.
-or-
o To reset the password for another server, type reset password on server servername,
where servername is the DNS name for the server on which you are resetting the DSRM
password. Type the new password when you are prompted. Note that no characters
appear while you type the password.
4. Type q twice to quit Ntdsutil.
Treat the DSRM password like a domain administrator credential: whoever has it can boot the
domain controller into DSRM and read the ntds.dit database offline.
40. Why can't you restore a DC that was backed up 4 months ago?
Ans
The answer is: replication. When an object is deleted, the system turns it into a tombstone on
the domain controller where the deletion happened, and that tombstone replicates through the
whole Active Directory. When the tombstone lifetime expires, every DC deletes both the object
and its tombstone at the same time. This process ensures the consistency of deleted objects
across your enterprise.
What is the consequence of the mechanism described above?
You should never switch on again a domain controller that has been switched off for longer
than the tombstone lifetime. If you do, objects that were already deleted reappear in your AD
(lingering objects) and your data consistency is gone; a reanimated deleted account is also a
security problem, because nobody expects it to exist. The same is true for AD backups kept for
longer than the tombstone lifetime: do not restore an AD backup older than the tombstone
lifetime in a multi-DC environment. The default is 60 days for forests created before Windows
Server 2003 SP1 and 180 days for forests created on later versions; the actual value is the
tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the
configuration partition.
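As an added example that is not part of the original notes, the following PowerShell reads the forest's real tombstone lifetime instead of assuming 60 days, decides whether a backup of a given age is still safe, and lists replication partners that have been silent for longer than the lifetime (the switched-off DC case above). It assumes the ActiveDirectory module; Get-ADReplicationPartnerMetadata needs the Windows Server 2012 or later version of that module, and the backup timestamp is a placeholder.

```powershell
# Added example: tombstone-lifetime checks for backups and long-offline DCs.
# Assumes the ActiveDirectory module; the backup date at the bottom is made up.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
                       -Properties tombstoneLifetime
    # Attribute not set: the forest was created before Windows Server 2003 SP1 and uses
    # the hard-coded 60 days. Forests created on 2003 SP1 or later are stamped with 180.
    if ($null -ne $ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-RestoreWindow {
    # A system-state backup older than the tombstone lifetime would reintroduce objects
    # whose tombstones every other DC has already garbage-collected.
    param([Parameter(Mandatory)][datetime]$BackupTime,
          [int]$LifetimeDays = (Get-TombstoneLifetimeDays))
    $ageDays = ((Get-Date) - $BackupTime).TotalDays
    [pscustomobject]@{
        BackupTime    = $BackupTime
        AgeDays       = [math]::Floor($ageDays)
        LifetimeDays  = $LifetimeDays
        SafeToRestore = $ageDays -lt $LifetimeDays
    }
}

function Get-StaleReplicationPartners {
    # A DC that has not replicated from a partner for longer than the tombstone lifetime is
    # in the same position as the old backup: rebuild it, do not let it catch up.
    param([int]$LifetimeDays = (Get-TombstoneLifetimeDays))
    $cutoff = (Get-Date).AddDays(-$LifetimeDays)
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
            Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
            Select-Object Server, Partner, Partition, LastReplicationSuccess
    }
}

Test-RestoreWindow -BackupTime (Get-Date).AddDays(-120)   # the 4-month-old backup of the question
Get-StaleReplicationPartners
```

With the 60-day default the 120-day-old backup comes back with SafeToRestore false; in a 180-day forest it would still be usable, which is exactly why the attribute is read rather than assumed.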
41. What are GPOs?
Ans
Group Policy gives you administrative control over users and computers in your network. By
using Group Policy, you can define the state of a user's work environment once, and then rely on
Windows Server 2003 to continually enforce the Group Policy settings that you apply across an
entire organization or to specific groups of users and computers.
WMI Filter
A WMI filter narrows the scope of a GPO based on attributes of the target computer (operating
system version, installed memory, hardware, or anything else exposed through WMI). In this
way you can filter GPOs beyond what security group filtering allows.
A WMI filter is linked to a GPO. When the GPO is processed on the destination computer, the
computer evaluates the filter's queries against its local WMI repository; the filter is true only if
every query returns at least one instance. If the filter evaluates to false, the GPO is not applied;
if it evaluates to true, the GPO is applied. You write the queries in the WMI Query Language
(WQL), which looks like SQL against the WMI repository. Note that the evaluation happens on
the client, not in Active Directory, and that Windows 2000 clients ignore WMI filters and apply
the GPO as if no filter existed.
Also consider how you will implement Group Policy for the organization. Be sure to consider the
delegation of authority, separation of administrative duties, central versus decentralized
administration, and design flexibility so that your plan will provide for ease of use as well as
administration.
Planning GPOs
Create GPOs in a way that provides the simplest and most manageable design: one in which
you can use inheritance and multiple links.
Microsoft Active Directory allows you to use group policies to define user or computer settings
for an entire group of users or computers at one time. The settings that you configure are stored
in a Group Policy Object (GPO), which is then associated with Active Directory objects such as
sites, domains, or organizational units.
Group policies cover many different aspects of the network, desktop, and software configuration
environment, including:
File deployment policies: These policies allow an administrator to place files in special
folders on the user's computer, such as the desktop or My Documents areas.
Script policies: Using a script policy, an administrator can specify scripts that should run
at specific times, such as login/logout or system startup/shutdown.
Software policies: Administrators can use software policies to globally configure most
of the settings in user profiles, such as desktop settings, Start menu options, and
applications.
Security policies: These policies allow an administrator to restrict user access to files
and folders, configure how many failed login attempts will lock an account, and control
user rights.
Ans
Group Policy is processed in the following order (often remembered as LSDOU):
1. Local Group Policy object: each computer has exactly one Group Policy object that is stored
locally. It is processed first for both computer and user Group Policy processing.
2. Site: any GPOs that have been linked to the site that the computer belongs to are processed
next. Processing is in the order that is specified by the administrator, on the Linked Group Policy
Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the
lowest link order is processed last, and therefore has the highest precedence.
3. Domain: GPOs linked to the domain are processed next, again in the order shown on the
Linked Group Policy Objects tab for the domain.
4. Organizational units: at the level of each organizational unit in the Active Directory hierarchy,
one, many, or no GPOs can be linked, and a parent OU is processed before its child OUs. If
several GPOs are linked to an organizational unit, their processing is in the order that is
specified by the administrator, on the Linked Group Policy Objects tab for the organizational
unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the
highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the
organizational unit of which the computer or user is a direct member are processed last, which
overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the
earlier and later settings are merely aggregated.) Two things change this order: an Enforced link
is processed after all non-enforced ones, and Block Inheritance on a domain or OU drops the
non-enforced links of every container above it.
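The following PowerShell is an added example, not part of the original notes: a small simulator of the processing order just described, including link order, Enforced links and Block Inheritance, run over a made-up site/domain/OU chain so you can see which GPO wins a conflict. Local Group Policy is processed before everything modelled here and is left out; all container, GPO and setting names are constructed.

```powershell
# Added example: simulate Group Policy processing order (site -> domain -> OU chain).
# Everything below (containers, GPO names, settings) is constructed for illustration.
function Get-GpoApplyOrder {
    param(
        # Containers from the root of the chain (site) down to the one holding the target:
        # @{ Name; Block = $true/$false; Links = @(@{ Name; Order; Enforced }) }
        [Parameter(Mandatory)][object[]]$Containers
    )
    # Deepest container that blocks inheritance: non-enforced links on every container
    # above it are discarded; the blocking container's own links still apply.
    $blockAt = -1
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($Containers[$i].Block) { $blockAt = $i }
    }
    $normal   = @()
    $enforced = @()
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        # Within one container: highest link-order number first, link order 1 last (wins).
        foreach ($link in ($Containers[$i].Links | Sort-Object Order -Descending)) {
            $entry = [pscustomobject]@{ Name = $link.Name; Level = $i; Order = $link.Order }
            if ($link.Enforced)        { $enforced += $entry }
            elseif ($i -ge $blockAt)   { $normal   += $entry }   # $i -lt $blockAt: blocked
        }
    }
    # Enforced links run after everything else; the one nearest the root runs last, so a
    # domain-level Enforced link beats an OU-level one.
    @($normal) + @($enforced | Sort-Object -Property @{Expression = 'Level'; Descending = $true},
                                                     @{Expression = 'Order'; Descending = $true}) |
        ForEach-Object { $_.Name }
}

function Get-EffectiveSettings {
    # Later GPOs overwrite earlier ones on conflict; non-conflicting settings accumulate.
    param([string[]]$ApplyOrder, [hashtable]$GpoSettings)
    $effective = [ordered]@{}
    foreach ($name in $ApplyOrder) {
        foreach ($kv in $GpoSettings[$name].GetEnumerator()) {
            $effective[$kv.Key] = "$($kv.Value) (from $name)"
        }
    }
    $effective
}

# Constructed chain: site HQ -> domain corp.example -> OU Marketing -> OU East (Block Inheritance).
$chain = @(
    @{ Name = 'Site HQ';             Block = $false; Links = @(@{ Name = 'Site-Proxy';       Order = 1; Enforced = $false }) }
    @{ Name = 'Domain corp.example'; Block = $false; Links = @(@{ Name = 'Domain-Baseline';  Order = 1; Enforced = $true },
                                                                @{ Name = 'Domain-Desktop';   Order = 2; Enforced = $false }) }
    @{ Name = 'OU Marketing';        Block = $false; Links = @(@{ Name = 'Mkt-Lockdown';     Order = 1; Enforced = $false }) }
    @{ Name = 'OU East';             Block = $true;  Links = @(@{ Name = 'East-Printers';    Order = 1; Enforced = $false },
                                                                @{ Name = 'East-Screensaver'; Order = 2; Enforced = $false }) }
)
$settings = @{
    'Site-Proxy'       = @{ ProxyServer = 'proxy.hq:8080' }
    'Domain-Baseline'  = @{ ScreenSaverTimeout = 600; LmCompatibilityLevel = 5 }
    'Domain-Desktop'   = @{ Wallpaper = 'corp.jpg' }
    'Mkt-Lockdown'     = @{ RemovableStorage = 'Deny' }
    'East-Printers'    = @{ DefaultPrinter = '\\east-ps\Lobby' }
    'East-Screensaver' = @{ ScreenSaverTimeout = 900 }
}

$order = Get-GpoApplyOrder -Containers $chain
'Apply order (last wins): ' + ($order -join ' -> ')
Get-EffectiveSettings -ApplyOrder $order -GpoSettings $settings
```

Tracing it by hand: Block Inheritance on East drops Site-Proxy, Domain-Desktop and Mkt-Lockdown; East's two links run in descending link order (East-Screensaver, then East-Printers); Domain-Baseline is Enforced, so it runs last and its ScreenSaverTimeout of 600 overrides the 900 the East OU set. Remove the Enforced flag and rerun to see the OU win instead.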
Ans
Microsoft released the Group Policy Management Console (GPMC) years ago, which is an
amazing innovation in Group Policy management. The tool provides control over Group Policy
in the following manner:
Easy administration of all GPOs across the entire Active Directory Forest
View of all GPOs in one single list
Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
Delegation model
With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC
is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short
when you want to protect the GPOs from the following:
44. What are the GPC and the GPT? Where can I find them?
Ans
Group Policy Container: The GPC is an Active Directory object that contains GPO status,
version information, WMI filter information, and a list of components that have settings in the
GPO. It lives in the domain partition under CN={GUID of the GPO},CN=Policies,CN=System,
DC=<domain>. Computers read the GPC to locate the Group Policy template, and if a domain
controller does not have the most recent version of the GPO, replication occurs to obtain the
latest version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a
domain controller. When you create a GPO, Windows Server 2003 creates the corresponding
GPT, which contains all Group Policy settings and information, including administrative
templates, security, software installation, scripts, and folder redirection settings. Computers
connect to the SYSVOL share to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you
created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC.
The path to the GPT on a domain controller is %SystemRoot%\SYSVOL\sysvol\<domain DNS
name>\Policies\{GUID}, reachable by clients as \\<domain DNS name>\SYSVOL\<domain DNS
name>\Policies\{GUID}. The GPT.INI file in that folder carries the GPT version number, which
must match the versionNumber attribute of the GPC; a mismatch means the two halves have not
both replicated yet.
Managing GPOs
To avoid conflicts in replication, consider the selection of domain controller, especially because
the GPO data resides both in the SYSVOL folder and in Active Directory, and the two are
replicated by independent mechanisms (Active Directory replication for the GPC; FRS, or DFS
Replication on newer domains, for the GPT in SYSVOL). Whether one administrator's changes
overwrite those made by another depends on replication latency. By default the Group Policy
Management Console uses the PDC Emulator so that all administrators work on the same
domain controller.
45. What are GPO links? What special things can I do to them?
Ans
Linking GPOs
To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to
add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using
GPMC. Keep in mind that creating and linking GPOs is a sensitive privilege that should be
delegated only to administrators who are trusted and understand Group Policy.
If you have a number of policy settings to apply to computers in a particular physical location
only - certain network or proxy configuration settings, for example - these settings might be
appropriate for inclusion in a site-based policy. Because domains and sites are independent, it is
possible that computers in the site might need to cross domains to link the GPO to the site. In this
case, make sure there is good connectivity.
If, however, the settings do not clearly correspond to computers in a single site, it is better to
assign the GPO to the domain or OU structure rather than to the site.
Important
If you need to modify some of the settings contained in the Default Domain Policy GPO, it is
recommended that you create a new GPO for this purpose, link it to the domain, and set the
Enforce option. In general, do not modify this or the Default Domain Controller Policy GPO. If
you do, be sure to back up these and any other GPOs in your network by using GPMC to ensure
you can restore them.
As the name suggests, the Default Domain Policy GPO is also linked to the domain. The
Default Domain Policy GPO is created when the first domain controller in the domain is
installed and the administrator logs on for the first time. This GPO contains the domain-wide
account policy settings, Password Policy, Account Lockout Policy, and Kerberos Policy, which
is enforced by the domain controller computers in the domain. All domain controllers retrieve
the values of these account policy settings from the Default Domain Policy GPO. In order to
apply account policies to domain accounts, these policy settings must be deployed in a GPO
linked to the domain, and it is recommended that you set these settings in the Default Domain
Policy. If you set account policies at a lower level, such as an OU, the settings only affect local
accounts (non-domain accounts) on computers in that OU and its children.
Before making any changes to the default GPOs, be sure to back up the GPO using GPMC. If for
some reason there is a problem with the changes to the default GPOs and you cannot revert back
to the previous or initial states, you can use the Dcgpofix.exe tool to recreate the default policies
in their initial state.
Dcgpofix.exe is a command-line tool that completely restores the Default Domain Policy GPO
and Default Domain Controllers Policy GPO to their original states in the event of a disaster
where you cannot use GPMC. Dcgpofix.exe restores only the policy settings that are contained in
the default GPOs at the time they are generated. The only Group Policy extensions that include
policy settings in the default GPOs are RIS, Security, and EFS. Dcgpofix.exe does not restore
other GPOs that administrators create; it is only intended for disaster recovery of the default
GPOs.
Note that Dcgpofix.exe does not save any information created through applications, such as SMS
or Exchange, nor any setting you added to the default GPOs yourself: every hardening you put
there is lost. The tool shipped with Windows Server 2003 (later versions include it too), and the
version supplied with a release only works against that release's Active Directory schema unless
you pass /ignoreschema.
Syntax:
dcgpofix [/ignoreschema] [/target: {Domain | DC | Both}]
/ignoreschema Skips the Active Directory schema version check.
/target: Domain Recreates only the Default Domain Policy.
/target: DC Recreates only the Default Domain Controllers Policy.
/target: Both Recreates both the Default Domain Policy and the Default Domain
Controllers Policy (the default when /target is omitted).
Most GPOs are normally linked to the OU structure because this provides the most flexibility
and manageability:
You can move users and computers into and out of OUs.
OUs can be rearranged if necessary.
You can work with smaller groups of users who have common administrative requirements.
You can organize users and computers based on which administrators manage them.
Organizing GPOs into user- and computer-oriented GPOs can help make your Group Policy
environment easier to understand and can simplify troubleshooting. However, separating the user
and computer components into separate GPOs might require more GPOs. You can compensate
for this by adjusting the GPO Status to disable the user or computer configuration portions of
the GPO that do not apply and to reduce the time required to apply a given GPO.
Within each domain, site, and OU, the link order controls the order in which GPOs are applied.
To change the precedence of a link, you can change the link order, moving each link up or down
in the list to the appropriate location. Links with the lowest number have higher precedence for a
given site, domain, or OU. For example, if you add six GPO links and later decide that you want
the last one that you added to have the highest precedence, you can adjust the link order of the
GPO link so it has link order of 1. To change the link order for GPO links for a domain, OU, or
site, use GPMC.
Ans
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents
GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the
child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block
inheritance. For example, if you want to apply a single set of policies to an entire domain except for one
organizational unit, you can link the required GPOs at the domain level (from which all organizational
units inherit policies by default), and then block inheritance only on the organizational unit to which the
policies should not be applied.
Note that Enforced GPO links will always be inherited.
Ans
Enforced: This was previously referred to in Win2K as "No Override". The Enforced flag is set
on a GPO link using the GPMC. Essentially it says, "if any GPO processed after this one
(downstream, closer to the user or computer) has a conflicting setting, this GPO's setting still
wins". It works by moving every link marked Enforced to the end of the Group Policy processing
list, so the enforced policy is always processed last and thus "wins" over any downstream GPOs.
If several links are enforced, the one linked highest in the hierarchy (site over domain over OU)
is processed last and wins. Enforced GPOs also override Block Inheritance (described next),
which is why domain-wide security baselines are normally linked with Enforce: an OU
administrator cannot opt out of them.
Block Inheritance: The block inheritance flag is set on a container object, specifically either an
OU or a domain. The purpose of Block Inheritance is to stop upstream GPOs (those linked to the
site, the domain, or parent OUs) from being processed, except for GPOs whose links carry the
Enforced flag. For example, if I have two OUs, Marketing and East, and East is a child OU of
Marketing, I can set the Block Inheritance flag on the East OU and any GPOs linked to Marketing
will be blocked and won't apply to users and computers in the East OU.
48. How can you determine what GPO was and was not applied for a user? Name a few
ways to do that.
Ans
Group Policy Management Console (GPMC) can provide assistance when you need to
troubleshoot GPO behaviour. It allows you to examine the settings of a specific GPO, and it can
also be used to determine how your GPOs are linked to sites, domains, and OUs. The Group
Policy Results report collects information on a computer and user, to list the policy settings
which are enabled and the GPOs that were denied, with the reason (security filtering, WMI
filter, empty GPO, disabled link). To create a Group Policy Results report, right-click Group
Policy Results, and select Group Policy Results Wizard on the shortcut menu. This launches the
Group Policy Results Wizard, which guides you through various pages to set parameters for the
information that should be displayed in the Group Policy Results report. Group Policy Modeling
in the same console predicts what would apply without touching the client.
Gpresult.exe: click Start > Run > cmd and run gpresult /v for the applied GPOs and their settings,
or gpresult /s computer /user domain\user to query another machine; on Windows Vista,
Windows Server 2008 and later, gpresult /r gives a summary of applied and denied GPOs and
gpresult /h report.html writes an HTML report. The Resultant Set of Policy snap-in (rsop.msc)
shows the same data graphically.
49. A user claims he did not receive a GPO, yet his user and computer accounts are in
the right OU, and everyone else there gets the GPO. What will you look for?
Ans
When everyone else in the OU receives the GPO but one user does not, the GPO and its link are
fine; look at what is specific to that user or his computer:
Security filtering on the GPO: the user (or a group he belongs to) must have both Read and
Apply Group Policy; an explicit Deny on one of his groups, or a GPO filtered to a group he is not
a member of, silently skips the GPO.
The WMI filter, if the GPO has one, as evaluated on his computer.
Whether the GPO's user or computer half is disabled (GPO Status) and which half holds the
settings he is missing; loopback processing on his computer can also replace the user settings.
Replication: the domain controller his computer talked to may not yet have the new GPC
version in Active Directory or the new GPT in SYSVOL.
Fast logon optimisation: Windows XP and later do not wait for the network at startup and
logon by default and apply a newly linked GPO in the background, so it can take two logons to
show up; a slow network makes this worse. The feature is enabled by default, but you can turn it
off with the policy Administrative Templates\System\Logon\Always wait for the network at
computer startup and logon.
Run gpresult (or rsop.msc) on his machine, identify which GPOs were denied and the reason
given, and verify that the GPO is applicable to both the computer and the user.
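The following PowerShell is an added example that is not part of the original notes. It runs the checks listed above for one GPO, one OU and one user, including the GPC/GPT version comparison from question 44 and a local evaluation of the GPO's WMI query. It assumes the GroupPolicy and ActiveDirectory modules (RSAT); the GPO name, OU distinguished name, user and WQL query at the bottom are placeholders.

```powershell
# Added example: checks for "one user in the right OU does not get the GPO".
# Assumes the GroupPolicy and ActiveDirectory modules; names at the bottom are made up.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoDelivery {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$TargetOu,   # DN of the OU holding the user/computer
        [string]$UserSam,                           # user who reports the missing policy
        [string]$WmiQuery                           # the GPO's WMI filter query, if it has one
    )
    $gpo = Get-GPO -Name $GpoName
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. GPO status: the user or computer half may simply be disabled.
    if ($gpo.GpoStatus -ne 'AllSettingsEnabled') {
        $findings.Add("GpoStatus is $($gpo.GpoStatus)")
    }

    # 2. GPC (AD) versus GPT (SYSVOL): they replicate independently, so a version
    #    mismatch means the DC the client used has not yet received both halves.
    if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion -or
        $gpo.User.DSVersion     -ne $gpo.User.SysvolVersion) {
        $findings.Add("GPC/GPT version mismatch: AD computer/user $($gpo.Computer.DSVersion)/$($gpo.User.DSVersion), SYSVOL $($gpo.Computer.SysvolVersion)/$($gpo.User.SysvolVersion)")
    }

    # 3. Link state on the OU chain: linked or inherited, enabled, not cut off by Block Inheritance.
    $inh  = Get-GPInheritance -Target $TargetOu
    $link = @($inh.GpoLinks) + @($inh.InheritedGpoLinks) | Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $link) {
        $findings.Add("GPO not linked to or inherited by $TargetOu (GpoInheritanceBlocked=$($inh.GpoInheritanceBlocked))")
    } elseif (-not ($link | Where-Object Enabled)) {
        $findings.Add("Link to $TargetOu is disabled")
    }

    # 4. Security filtering: the user or one of his groups needs an allowed GpoApply; an
    #    explicit Deny wins. Only direct group membership is resolved here.
    if ($UserSam) {
        $principals = @($UserSam) +
            @(Get-ADPrincipalGroupMembership $UserSam | ForEach-Object SamAccountName) +
            'Authenticated Users'
        $perms   = Get-GPPermission -Guid $gpo.Id -All | Where-Object { $_.Permission -eq 'GpoApply' }
        $denied  = $perms | Where-Object { $_.Denied -and $principals -contains $_.Trustee.Name }
        $allowed = $perms | Where-Object { -not $_.Denied -and $principals -contains $_.Trustee.Name }
        if ($denied) {
            $findings.Add("Apply explicitly denied for: $(($denied | ForEach-Object { $_.Trustee.Name }) -join ', ')")
        } elseif (-not $allowed) {
            $findings.Add("No GpoApply permission for $UserSam or its direct groups")
        }
    }

    # 5. WMI filter: the client evaluates the WQL itself; zero instances = false = GPO skipped.
    if ($WmiQuery) {
        $hits = @(Get-CimInstance -Query $WmiQuery -ErrorAction SilentlyContinue)
        if ($hits.Count -eq 0) { $findings.Add("WMI filter returns no instances here: $WmiQuery") }
    }

    # 6. Fast logon optimisation: without "Always wait for the network" (registry value
    #    SyncForegroundPolicy = 1) a brand-new link can take two logons to appear.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
          -ErrorAction SilentlyContinue
    if (-not $wl -or $wl.SyncForegroundPolicy -ne 1) {
        $findings.Add('Fast logon optimisation active: a new GPO may need a second logon')
    }

    if ($findings.Count -eq 0) { 'No obvious cause found; compare gpresult /r on the client with Group Policy Modeling in GPMC.' }
    else { $findings }
}

# Run on the affected client (steps 5 and 6 are local to the machine it runs on).
Test-GpoDelivery -GpoName 'Mkt-Lockdown' -TargetOu 'OU=East,OU=Marketing,DC=corp,DC=example' `
    -UserSam 'jdoe' -WmiQuery 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"'
```

Each finding maps to one item in the list above; an empty result is the cue to look at things this script cannot see from one machine, such as nested group membership or a Deny inherited through a group the user is in indirectly.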
Ans
51. Name some GPO settings in the computer and user parts.
Ans
The GPO settings is divided between the Computer settings and the User settings. In both parts
of the GPO you can clearly see a large section called Administrative Templates.
Administrative Templates are a large repository of registry-based changes (in fact, over
1300 individual settings) that can be found in any GPO on Windows 2000, Windows XP,
and Windows Server 2003.
By using the Administrative Template sections of the GPO you can deploy modifications
to machine (called HKEY_LOCAL_MACHINE in the registry) and user (called
HKEY_CURRENT_USER in the registry) portions of the Registry of computers that are
influenced by the GPO.
The Administrative Templates are Unicode-formatted text files with the extension .ADM
and are used to create the Administrative Templates portion of the user interface for the
GPO Editor.
In Windows 2000 and Windows Server 2003 Group Policy Objects (also known as GPO)
you may find hundreds of useful settings and configuration options, all nicely divided in to
specific sections. With GPO, you can create policies to centralize the management of user
and computer settings. Amongst the various settings that can be accomplished via GPO, you
can find the following options:
Manage desktop environments and lock them down to reduce support calls and TCO (Total
Cost of Ownership)
Install, update, repair, and remove software
Manage security settings including account policies, auditing, EFS, and user rights
Automate administrative tasks using log-on, log-off, startup and shutdown scripts
Windows 2000/XP/2003 has some built-in default Administrative Templates, for example
System.adm, Inetres.adm and Conf.adm and, on XP/2003, Wmplayer.adm and Wuau.adm.
These .ADM files are located in the %SystemRoot%\inf folder, and are copied to the SYSVOL
folder whenever you create a new GPO (unless you manually configure it not to do so; see the
Links section for an explanation of how to do this).
On top of these templates, Windows 2000/XP/2003 also has other .ADM files that can be used in
several scenarios:
However there may be times when an administrator will need to add more options to a new or
existing GPO. Some examples of such additions are:
Settings to disable mobile storage devices (USB, MP3 players, cameras and so on)
Settings to control the functionality of specific Windows features
One method for an administrator to control such settings is by use of logon scripts and remote
registry tweaks. This process requires knowledge of scripting languages, but is highly
customizable and flexible, and is not restricted to GPO limitations (i.e. not working on pre-W2K
computers). However we will not cover this method in this article.
Another method for an administrator to add such extensions to the GPO is by adding new
settings to the Administrative Templates sections. This can be done by adding .ADM files to the
existing Administrative Templates section in GPO.
In order to add additional .ADM files to the existing Administrative Templates section in GPO
please follow the steps outlined in the Adding New Administrative Templates to a GPO article.
A great example of new .ADM files that can and should be used on a network is the set of
Administrative Templates extension files that is a part of the Office 2000/XP/2003 Resource Kit.
When installing the Resource Kit for the respective Office version, new .ADM files are copied to
the %SystemRoot%\inf folder of the machine on which the Resource Kit was installed. The
moment you edit an Active Directory-based GPO on that machine (the machine can be either a
Windows 2000/XP Pro machine, or a server-based machine) the used .ADM file(s) will be
copied to the SYSVOL folder on the target DC (typically the PDC Emulator), and from there
replicated throughout the domain.
Ans
Yes, but not directly. Group Policy Software Installation can only assign or publish Windows
Installer packages (.msi, optionally with .mst transforms) or, for publishing to users only, a .zap
file that merely points at the setup program. So you either repackage the .exe as an .msi (many
third-party tools do this), write a .zap file for it, or run the installer from a computer startup
script. Note that a .zap install runs with the user's own privileges (no elevation), cannot be
assigned to computers, and is not removed when the GPO stops applying.
Ans
Log on to a client as a user created for this purpose (prefer a dedicated template account over a
Domain Admin, since everything in the profile becomes the template for every user) and
configure the desktop, printers and so on. Then go to System > Advanced > User Profiles, copy
this user's profile to a network share, selecting Everyone under "Permitted to use" so that all
users can read it. In the copied profile rename ntuser.dat to ntuser.man, which makes the profile
mandatory: changes users make are discarded at logoff. Finally assign the share path as the
profile path in the properties of each user account, and give users only read access to the share.
Ans
Examples
1. Virtualization
2. Server Core
provides the minimum installation required to carry out a specific server role, such as for a
DHCP, DNS or print server.
3. Better security
4. Role-based installation -
5. Read Only Domain Controllers (RODC)
6. Enhanced terminal services
7. Network Access Protection
Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a
firewall and in compliance with corporate security policies.
8. PowerShell
Microsoft's new(ish) command line shell and scripting language has proved popular with some
server administrators.
9. IIS
10. Bitlocker
System drive encryption can be a sensible security measure for servers located in remote branch
offices
The main differences between 2003 and 2008 are virtualization and management.
2008 has more built-in components and updated third-party drivers.
Microsoft introduced a new feature with 2008: Hyper-V.
Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64bit versions. More
and more companies are seeing this as a way of reducing hardware costs by running several
'virtual' servers on one physical machine. If you like this exciting technology, make sure that you
buy an edition of Windows Server 2008 that includes Hyper-V, then launch the Server Manger,
add Roles.
Windows Server 2008, formerly codenamed Longhorn, is, according to Microsoft, up to 45 times
faster than its predecessor, Windows Server 2003, in terms of network transfer speeds.
Whatever the perspective on Microsoft's last 32-bit server operating system, transfer speeds of
up to 45 times faster would be quite an evolution compared to Windows Server 2003. Back in
June 2007, Microsoft commissioned a study from the Tolly Group focused on the networking
performance of its latest Windows client and server operating systems, which ended up as the
"Enhanced Network Performance with Microsoft Windows Vista and Windows Server 2008"
white paper. The paper pointed to the fact that both Vista and Windows Server 2008 offered
"dramatic network performance benefits".
Windows Server 2008 has been updated far more than Windows Server 2003.