
The Windows NT SAM database is a flat database, whereas the Windows 2000 Active Directory database is a hierarchical database.

• In Windows NT only the PDC holds a writable copy of the SAM database; the BDC holds a read-only copy. In Windows 2000 both the DC and the ADC hold a writable copy of the database.
• Windows NT does not support the FAT32 file system. Windows 2000 supports FAT32.
• The default authentication protocol in NT is NTLM (NT LAN Manager). In Windows 2000 the default authentication protocol is Kerberos V5.
• Windows 2000 depends on and is integrated with DNS. NT uses NetBIOS names.
• Active Directory can be backed up easily with the System State data.

3. Difference between 2000 & 2003
• Application Server mode is introduced in Windows 2003.
• It is possible to configure stub zones in Windows 2003 DNS.
• Volume Shadow Copy Service is introduced.
• Windows 2003 gives an option to replicate DNS data between all DNS servers in the forest or all DNS servers in the domain.
• Refer to Question 1 for all enhancements.

4. Difference between PDC & BDC
The PDC contains a writable copy of the SAM database, whereas the BDC contains a read-only copy. It is not possible to reset a password or create objects without the PDC in Windows NT.

5. Difference between DC & ADC
There is no difference between a DC and an ADC; both contain a writable copy of AD. Both can also handle FSMO roles (if transferred from the DC to the ADC). The distinction is only for identification; functionality-wise there is no difference.

6. What is DNS & WINS
DNS is the Domain Name System, which resolves host names to IP addresses. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names. WINS is the Windows Internet Name Service, which resolves NetBIOS names to IP addresses. WINS is proprietary to Windows.

7. Types of DNS Servers
• Primary DNS
• Secondary DNS
• Active Directory Integrated DNS

• Forwarder
• Caching-only DNS

8. If DHCP is not available, what happens to the client?
The client will not get an IP address and cannot participate in the network. If the client already has an IP address with a lease, it keeps using that address until the lease duration expires.

9. What are the different types of trust relationships?
• Implicit trusts
• Explicit trusts: NT to Win2k, or Forest to Forest

10. What is the process of DHCP for getting the IP address to the client?
There is a four-way negotiation process between client and server:
• DHCP Discover (initiated by client)
• DHCP Offer (initiated by server)
• DHCP Select (initiated by client)
• DHCP Acknowledgement (initiated by server)
• DHCP Negative Acknowledgement (initiated by server if there are any issues after the DHCP Offer)

11. Difference between FAT, NTFS & NTFS Version 5
NTFS Version 5 features:
• Encryption is possible
• Disk quotas can be enabled
• File compression is possible
• Sparse files
• Indexing Service
• NTFS change journal
In the FAT file system only share-level security can be applied; file-level protection is not possible. In NTFS both share-level and file-level security can be applied. NTFS supports larger partition sizes than FAT file systems. NTFS supports longer file names than FAT file systems.

12. What are the port numbers for FTP, Telnet, HTTP, DNS

FTP-21, Telnet-23, HTTP-80, DNS-53, Kerberos-88, LDAP-389

13. What are the different types of profiles in 2000
• Local profiles
• Roaming profiles
• Mandatory profiles

14. What are the database files used for Active Directory
The key AD database files are edb.log, ntds.dit, res1.log, res2.log, and edb.chk, all of which reside in %systemroot%\ntds on a domain controller (DC) by default. During

process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. The transferring method is described in the Transferring FSMO Roles article, while seizing the roles from a non-operational DC to a different DC is described in the Seizing FSMO Roles article.

In order to better understand your AD infrastructure and to know the added value that each DC might possess, an AD administrator must know exactly which of the existing DCs holds a FSMO role, and which role it holds. With that knowledge in hand, the administrator can make better arrangements in case of a scheduled shut-down of any given DC, and be better prepared in case of a non-scheduled cease of operation of one of the DCs.

How do you find out which DC is holding which FSMO role? One can accomplish this task by many means. This article lists a few of the available methods.

Method #1: Know the default settings
The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following table summarizes the FSMO default locations:

FSMO Role / Number of DCs holding this role / Original DC holding the FSMO role
• Schema: one per forest; the first DC in the first domain in the forest (i.e. the Forest Root Domain)
• Domain Naming: one per forest; the first DC in the first domain in the forest (i.e. the Forest Root Domain)
• RID: one per domain; the first DC in the domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
• PDC Emulator: one per domain; the first DC in the domain (as for RID)
• Infrastructure: one per domain; the first DC in the domain (as for RID)

Method #2: Use the GUI

The FSMO role holders can be easily found with some of the AD snap-ins. Use this table to see which tool can be used for which FSMO role:

FSMO Role / Which snap-in should I use?
• Schema: Schema snap-in
• Domain Naming: AD Domains and Trusts snap-in
• RID, PDC Emulator, Infrastructure: AD Users and Computers snap-in

Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the domain-specific RID Master, PDC Emulator, and Infrastructure Master FSMO roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click Close.

Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
3. When you're done click Close.

Finding the Schema Master via GUI
To find out who currently holds the Schema Master role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click it and press Operation Masters.
8. Press the Close button.

Method #3: Use the Ntdsutil command
The FSMO role holders can be easily found by use of the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. At the FSMO maintenance: prompt, type select operation target, and then press ENTER again. At the select operation target: prompt, type list roles for connected server, and then press ENTER again.

select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
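The three methods above are interactive. As an added example (not code from the original article), the same information can be pulled with the RSAT ActiveDirectory module, which also lets you check the Infrastructure Master placement rule that the seizure notes below warn about. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) is installed on the management host, that the caller can read the forest, and that the domain defaults to the one the host is joined to; the server name 'DC2' in the commented transfer line is a placeholder.

```powershell
# Added example, not part of the original article: list the FSMO role holders
# with the RSAT ActiveDirectory module (the scripted equivalent of the snap-in
# and ntdsutil "list roles" methods above) and check the Infrastructure Master
# placement rule. Assumptions: the ActiveDirectory module (Server 2008 R2 RSAT
# or later) is installed on the management host and the caller can read the
# forest; the domain name defaults to the one the host is joined to.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Two forest-wide roles and three domain-wide roles, matching the
    # default-location table in Method #1.
    [PSCustomObject]@{ Role = 'Schema';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    [PSCustomObject]@{ Role = 'DomainNaming';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    [PSCustomObject]@{ Role = 'RID';            Scope = 'Domain'; Holder = $dom.RIDMaster }
    [PSCustomObject]@{ Role = 'PDCEmulator';    Scope = 'Domain'; Holder = $dom.PDCEmulator }
    [PSCustomObject]@{ Role = 'Infrastructure'; Scope = 'Domain'; Holder = $dom.InfrastructureMaster }
}

function Test-InfrastructureMasterPlacement {
    # Returns $true when the Infrastructure Master is not on a Global Catalog.
    # (The one safe exception: if every DC in the domain is a GC there are no
    # cross-domain references left for the IM to fix, so the warning is moot.)
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $im  = (Get-ADDomain -Identity $Domain).InfrastructureMaster
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    $imDc     = $dcs | Where-Object { $_.HostName -eq $im }
    $allAreGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    if ($imDc.IsGlobalCatalog -and -not $allAreGc) {
        Write-Warning "Infrastructure Master $im is also a Global Catalog; move one of the two."
        return $false
    }
    return $true
}

Get-FsmoRoleHolders | Format-Table -AutoSize
Test-InfrastructureMasterPlacement

# Scripted equivalent of ntdsutil "transfer" (holder reachable) and "seize"
# (add -Force only when the holder is permanently gone). -WhatIf previews only.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole InfrastructureMaster -WhatIf
```

Run it from an account that can read the directory; nothing is changed unless you uncomment the last line and remove -WhatIf. The placement check is worth scheduling after any GC change, since promoting the IM's host to a GC silently breaks cross-domain reference updates.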

FSMO Role / Restrictions
• Schema, Domain Naming, RID: the original holder must be reinstalled
• PDC Emulator, Infrastructure: can transfer back to the original holder

Another consideration before performing the seize operation is the administrator's group membership, as this table lists:

FSMO Role / Administrator must be a member of
• Schema: Schema Admins
• Domain Naming: Enterprise Admins
• RID, PDC Emulator, Infrastructure: Domain Admins

To seize the FSMO roles by using Ntdsutil, follow these steps:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master. Options are:
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information, because it does not contain any references to objects that it does not hold: a GC server holds a partial replica of every object in the forest.

5. What is the difference between authoritative and non-authoritative restore
In an authoritative restore, objects that are restored will be replicated to all domain controllers in the domain. This can be used specifically when an entire OU is disturbed in all domain controllers, or to restore a single object which is disturbed in all DCs. In a non-authoritative restore, the restored directory information will be updated by the other domain controllers based on the latest modification time.

6. What is Active Directory de-fragmentation
De-fragmentation of AD means separating used space from the empty space created by deleted objects; it reduces the directory size (only in offline de-fragmentation).

7. Difference between online and offline de-fragmentation
The size of NTDS.DIT will often differ across the domain controllers in a domain. Remember that Active Directory is a multi-master independent model where updates occur on each of the domain controllers, with the changes being replicated over time to the other domain controllers. The changed data is replicated between domain controllers, not the database, so there is no guarantee that the files are going to be the same size across all domain controllers. Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a directory online defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around within the database file (NTDS.DIT) and doesn't reduce the file's size: the database file cannot be compacted while Active Directory is mounted.

Ability to add additional domain controllers by using backup media
Reduces the time it takes to add an additional domain controller in an existing domain by using backup media.

Universal group membership caching
Prevents the need to locate a global catalog across a wide area network (WAN) when logging on, by storing universal group membership information on an authenticating domain controller.

Secure Lightweight Directory Access Protocol (LDAP) traffic
Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.

Partial synchronization of the global catalog
Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog.

Active Directory quotas
Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators groups are exempt from quotas.

When the first Windows Server 2003-based domain controller is deployed in a domain or forest, the domain or forest operates by default at the lowest functional level that is possible in that environment. This allows you to take advantage of the default Active Directory features while running versions of Windows earlier than Windows Server 2003. When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example, the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level. Windows Server 2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional level as well.

Domain Functional Level
Domain functionality activates features that affect the whole domain and that domain only. The four domain functional levels, their corresponding features, and supported domain controllers are as follows:

Windows 2000 mixed (default)
• Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003
• Activated features: local and global groups, global catalog support

Windows 2000 native
• Supported domain controllers: Windows 2000, Windows Server 2003
• Activated features: group nesting, universal groups, SidHistory, converting groups between security groups and distribution groups; you can raise domain levels by increasing the forest level settings

Windows Server 2003 interim
• Supported domain controllers: Windows NT 4.0, Windows Server 2003
• Supported features: there are no domain-wide features activated at this level. All domains in a forest are automatically raised to this level when the forest level increases to interim. This mode is only used when you upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003 domain controllers.

Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Supported features: domain controller rename; logon timestamp attribute updated and replicated; user password support on the InetOrgPerson objectClass; constrained delegation; you can redirect the Users and Computers containers.

Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 domains maintain their current domain functional level when Windows 2000 domain controllers are upgraded to the Windows Server 2003 operating system. You can raise the domain functional level to either Windows 2000 native or Windows Server 2003. After the domain functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added to that domain. The list above describes each domain functional level and the domain-wide features that are activated for that level. Note that with each successive level increase, the feature set of the previous level is included.

Forest Functional Level
Forest functionality activates features across all the domains in your forest. The three forest functional levels, their corresponding features, and their supported domain controllers are listed below.

Windows 2000 (default)
• Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
• New features: a partial list includes universal group caching, application partitions, install from media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access Control Lists (SACL) in the Jet Database Engine, and improved topology generation event logging. No global catalog full sync when attributes are added to the PAS. A Windows Server 2003 domain controller assumes the Intersite Topology Generator (ISTG) role.

Windows Server 2003 interim
• Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the "Upgrade from a Windows NT 4.0 Domain" section of this article.
• Activated features: Windows 2000 features plus efficient group member replication using Linked Value Replication and improved replication topology generation. ISTG aliveness is no longer replicated. Attributes added to the global catalog: ms-DS-TrustForest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit

Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Activated features: all features in the interim level, defunct schema objects, cross-forest trust, domain rename, dynamic auxiliary classes, InetOrgPerson objectClass change, application groups, 15-second intrasite replication frequency for Windows Server 2003 domain controllers upgraded from Windows 2000

After the forest functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the forest. For example, if you raise the forest functional level to Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server cannot be added to the forest. Different Active Directory features are available at different functional levels. Raising domain and forest functional levels is required to enable certain new features as domain controllers are upgraded from Windows NT 4.0 and Windows 2000 to Windows Server 2003.

Domain Functional Levels: Windows 2000 mixed mode, Windows 2000 native mode, Windows Server 2003, and Windows Server 2003 interim (only available when upgrading directly from Windows NT 4.0 to Windows 2003).
Forest Functional Levels: Windows 2000 and Windows 2003.

27. IPsec usage and difference between Windows 2000 & 2003
Microsoft doesn't recommend Internet Protocol security (IPSec) network address translation (NAT) traversal (NAT-T) for Windows deployments that include VPN servers located behind network address translators. When a server is behind a network address translator and uses IPSec NAT-T, unintended side effects may occur because of the way that network address translators translate network traffic. If you put a server behind a network address translator, you may experience connection problems because clients that connect to the server over the Internet require a public IP address. To reach servers that are located behind network address translators from the Internet, static mappings must be configured on the network address translator.
For example, to reach a Windows Server 2003-based computer that is behind a network address translator from the Internet, configure the network address translator with the following static mappings:
• Public IP address/UDP port 500 to the server's private IP address/UDP port 500.
• Public IP address/UDP port 4500 to the server's private IP address/UDP port 4500.

These mappings are required so that all Internet Key Exchange (IKE) and IPSec NAT-T traffic that is sent to the public address of the network address translator is automatically translated and forwarded to the Windows Server 2003-based computer.

28. How to create an application partition in Windows 2003 and its usage?
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Applications and services can use application directory partitions to store application-specific data. Application directory partitions can contain any type of object, except
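The functional-level section above says a raise is one-way and is blocked by any older domain controller, and the application partition section says only Windows Server 2003 DCs can host such partitions. As an added example (not code from the original article), the script below reports the current domain and forest levels, flags domain controllers that would block a raise to Windows Server 2003, previews the raise, and lists the forest's application directory partitions. It assumes the RSAT ActiveDirectory module is installed on a domain-joined management host and that the caller is a member of Domain Admins (for the domain level) and Enterprise Admins (for the forest level); the function names are mine.

```powershell
# Added example, not part of the original article: report the current domain
# and forest functional levels, flag domain controllers that would block a
# raise to Windows Server 2003, preview the raise, and list the forest's
# application directory partitions. Assumptions: the RSAT ActiveDirectory
# module is installed and the caller is a member of Domain Admins (domain
# level) and Enterprise Admins (forest level); run from a domain-joined host.
Import-Module ActiveDirectory

function Get-OsVersionNumber {
    # OperatingSystemVersion looks like "5.2 (3790)"; keep only major.minor.
    # Unknown strings return 0.0 so they are conservatively treated as too old.
    param([string]$Text)
    if ($Text -match '^(\d+)\.(\d+)') { return [version]"$($Matches[1]).$($Matches[2])" }
    return [version]'0.0'
}

function Get-FunctionalLevelReport {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $dcs    = Get-ADDomainController -Filter *

    # Windows NT 4.0 reports 4.0, Windows 2000 reports 5.0, Windows Server 2003
    # reports 5.2. Anything below 5.2 prevents the Windows Server 2003 level.
    $blocking = @($dcs | Where-Object { (Get-OsVersionNumber $_.OperatingSystemVersion) -lt [version]'5.2' })

    [PSCustomObject]@{
        Domain            = $domain.DNSRoot
        DomainMode        = $domain.DomainMode     # e.g. Windows2000MixedDomain
        ForestMode        = $forest.ForestMode     # e.g. Windows2000Forest
        DomainControllers = $dcs | Select-Object HostName, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog
        BlockingDCs       = @($blocking.HostName)
        AppPartitions     = $forest.ApplicationPartitions
    }
}

$report = Get-FunctionalLevelReport
$report | Format-List

if ($report.BlockingDCs.Count -eq 0) {
    # Raising is one-way: once at Windows Server 2003, older DCs can never be
    # added again, so -WhatIf previews only; drop it to commit the change.
    # Domain level first; the forest level requires every domain to be there.
    Set-ADDomainMode -Identity $report.Domain -DomainMode Windows2003Domain -WhatIf
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2003Forest -WhatIf
} else {
    Write-Warning "Upgrade or demote these DCs before raising the level: $($report.BlockingDCs -join ', ')"
}
```

The version check reads OperatingSystemVersion rather than matching product names, so it also catches a DC whose OperatingSystem attribute was never populated. Keep -WhatIf until the BlockingDCs list is empty and every remaining DC has replicated recently; an offline but still-registered NT 4.0 or Windows 2000 DC will also block the raise.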
