
1. How do you know that the group policies are working fine?

A. 1. Click Start, click Help and Support Center.
2. Under Pick a Task, select Use Tools to view your computer information and diagnose problems.
3. Click Advanced System Information, then click View Group Policy settings applied.
On the client computer, at a cmd prompt run gpresult. This will tell you what GPOs are applied and which ones are filtered out. Use the Group Policy Management Console to see what the GPO entails.
--------------------------------------------------------------------------------

2. How will you know that FSMO roles are not working?
A. Step #1: On any Domain Controller, click Start. In the Run command type CMD and hit Enter. You will be taken to the good old command prompt window (DOS were the days). Type ntdsutil and hit Enter.
Step #2: You shall see the screen with the ntdsutil: prompt. Since we want to find out the roles, type roles and hit Enter. Notice that the prompt now changes to show fsmo maintenance:. Now is a good time to get more HELP on the list of available commands.
Step #3: At the fsmo maintenance: prompt, type ? and hit Enter. Right-click in the window, mark and copy the commands. Paste the clipboard into Notepad for easy reference.
Step #4: Type connection and press Enter. This will show a prompt with server connections:. Type connect to server <servername> (replace <servername> with the actual name) and press Enter.
Step #5: Once we are connected to the Domain Controller, type q to return to the fsmo maintenance prompt. Now type select operation target and then press Enter. Notice that the prompt changes to select operation target:.
Step #6: At the select operation target prompt, type list roles for connected server and press Enter. This will list all the FSMO roles for that Domain Controller. To get out of ntdsutil, type q until you are back at the good old DOS prompt.
Symptoms of FSMO Problems
I find that the first sign of a problem with a FSMO is that Active Directory Users and Computers is slow to initialize. Moreover, if you try to even view Group Policies, you get an error such as:
Inaccessible GPO - Access Denied or
Failed to open the Group Policy Object. You may not have appropriate rights.
The cause of these symptoms is that the FSMO master holding the PDC emulator role is unavailable. Fingers crossed it's a temporary problem; however, if the problem persists then you need to investigate which Domain Controller holds, or held, the PDC emulator role.
Troubleshooting Toolkit
DCDiag - Not only does DCDiag have a routine to check the FSMOs, but it also provides information on Active Directory replication. As ever with troubleshooting, you want to get to the root cause, not merely treat one of the symptoms.
NetDOM - It's a close call whether to run NetDOM before or after DCDiag; the answer partly depends on whether NetDom is already installed or if you need to get it from the Windows Server 2003 Support Tools.
From the command line type netdom query fsmo. You should see a list of the 5 roles with the corresponding Domain Controller.
DNS - Excuse what may seem like a digression, but it never ceases to amaze me how often faulty DNS configuration is the source of an Active Directory problem. Therefore, head for the DNS snap-in and observe that all settings are as expected. Remember the Monitoring tab. Make sure that each DNS server is registering itself and registering with other DNS servers.
DCPROMO - Rather drastic, but sometimes just running this program to demote a Domain Controller creates error messages, which are handy additional sources of information. If there are no error messages, you may just choose to cancel. However, if you go ahead and run DCPROMO to demote a domain controller, watch out for a check box that says 'This is the last domain controller in the domain'. If that box is UNchecked the wizard will automatically move any FSMO roles to another domain controller.
NTDSUTIL - Powerful command line tool; note the Seize verb.

--------------------------------------------------------------------------------

3. Explain FSMO Roles

A. PDC Emulator
Infrastructure Master
RID Master
Schema Master
Domain Naming Master
PDC Emulator
Of the 5 roles, this is the role that you will miss the soonest. Not only will NT 4.0 BDCs complain, but also there will be no time synchronization. Another problem is that you probably will not be able to change or troubleshoot group policies, as the default setting is for the PDC emulator also to be the group policy master.
Implications for Duplicates
If the old PDC emulator returns, it is not as serious as duplicates with some of the other roles. Quickly seize the PDC role from another machine.
RID Master
One Domain Controller is responsible for giving all the rest of the Domain Controllers a pack of unique numbers so that no two new objects have the same GUID (Globally Unique Identifier).
If you lose the RID master the chances are good that the existing Domain Controllers will have enough unused RIDs to last a week or so, so do not be in a hurry to seize.
Implications for Duplicates
You must not allow two RID masters, as the possibility of two objects with the same RID would be disastrous. So if the original is found it must be reformatted and reinstalled before re-joining the forest.
Infrastructure Master
The consequence of a missing Infrastructure master is that group memberships may be incomplete. If you only have one domain, then there will be no impact, as the Infrastructure Master is responsible for updating your users' membership in other domains in the forest.
Implications for Duplicates
No damage occurs if the old Infrastructure master returns; just check out the roles and decide which machine should hold the role.
Forest Wide Roles
Schema Master
If you lose the Schema Master, then long term it is serious because you cannot install Exchange 2003 or extend the schema. However, short term no-one will notice a missing Schema Master, so try and repair the old one rather than seize the role.
Implications for Duplicates
You must not allow two Schema Masters, so if the original is found or repaired, it must be completely rebuilt rather than allowed into the forest.
Domain Naming Master
This is a forest wide role that is responsible for adding child domains and new trees. Unless you are going to run DCPROMO, you will not miss this FSMO role, so wait rather than seize the role.
Implications for Duplicates
You must not allow the original Domain Naming Master to return; rebuild before you let the machine back in the forest.
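The netdom query fsmo check from question 2 and the duplicate-holder warnings above combine into one audit: collect the output as seen from each DC and flag any role the DCs disagree about, which is exactly what a seized role whose old holder came back looks like. This is an added Python example, not part of the original notes; the netdom output and DC names are constructed samples.

```python
"""Cross-check 'netdom query fsmo' as run on several DCs and flag disagreements."""
import re

# The five operations master roles, labelled the way netdom prints them.
FSMO_ROLES = (
    "Schema master",
    "Domain naming master",
    "PDC",
    "RID pool manager",
    "Infrastructure master",
)

# netdom separates the role label from the holder with a run of spaces.
ROLE_LINE = re.compile(r"^(?P<role>\S.*?\S)\s{2,}(?P<holder>\S+)$")


def parse_netdom_fsmo(output):
    """Return {role: holder} from the text that 'netdom query fsmo' prints.

    Lines that are not role lines (status messages, errors) are ignored, so a
    DC whose netdom run failed simply contributes no roles.
    """
    holders = {}
    for raw in output.splitlines():
        match = ROLE_LINE.match(raw.strip())
        if match and match.group("role") in FSMO_ROLES:
            holders[match.group("role")] = match.group("holder").lower().rstrip(".")
    return holders


def audit_fsmo_views(views, known_dcs):
    """views: {dc: netdom output collected on that dc}; known_dcs: the DC names in use.

    Returns {role: finding} where finding is one of
      'ok:<holder>'            every DC agrees and the holder is a known DC
      'missing'                no DC reports a holder for the role
      'conflict:<a>|<b>'       DCs disagree, e.g. a seized role whose old holder came back
      'unknown-holder:<name>'  the agreed holder is not a DC you know about
    """
    parsed = {dc: parse_netdom_fsmo(text) for dc, text in views.items()}
    known = {dc.lower() for dc in known_dcs}
    findings = {}
    for role in FSMO_ROLES:
        claimed = sorted({view[role] for view in parsed.values() if role in view})
        if not claimed:
            findings[role] = "missing"
        elif len(claimed) > 1:
            findings[role] = "conflict:" + "|".join(claimed)
        elif claimed[0] not in known:
            findings[role] = "unknown-holder:" + claimed[0]
        else:
            findings[role] = "ok:" + claimed[0]
    return findings


# Constructed sample output. DC1 seized the PDC role while DC2 was down; DC2 has
# since been brought back online without being rebuilt, so its view still names itself.
DC1_VIEW = """\
Schema master               DC1.corp.example
Domain naming master        DC1.corp.example
PDC                         DC1.corp.example
RID pool manager            DC1.corp.example
Infrastructure master       DC1.corp.example

The command completed successfully.
"""
DC2_VIEW = """\
Schema master               DC1.corp.example
Domain naming master        DC1.corp.example
PDC                         DC2.corp.example
RID pool manager            DC1.corp.example
Infrastructure master       DC1.corp.example

The command completed successfully.
"""
DC3_VIEW = "The specified domain either does not exist or could not be contacted.\n"


def sample_audit():
    views = {"DC1": DC1_VIEW, "DC2": DC2_VIEW, "DC3": DC3_VIEW}
    return audit_fsmo_views(views, ["DC1.corp.example", "DC2.corp.example", "DC3.corp.example"])


if __name__ == "__main__":
    for role, finding in sample_audit().items():
        print(f"{role:<22} {finding}")
```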
--------------------------------------------------------------------------------
4. Roles Seizing and transfer
a. To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder, the target, and press OK.
4. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
5. Select the appropriate tab for the role you wish to transfer and press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Domain Naming Master via GUI
To Transfer the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Schema Master via GUI
To Transfer the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
8. Press Specify .... and type the name of the new role holder. Press OK.
9. Right-click the Active Directory Schema icon again and press Operation Masters.
10. Press the Change button.
11. Press OK all the way out.
Transferring the FSMO Roles via Ntdsutil
To transfer the FSMO roles from the Ntdsutil command:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS>ntdsutil
ntdsutil:
2. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. Type transfer <role>, where <role> is the role you want to transfer.
For example, to transfer the RID Master role, you would type transfer rid master.
Options are:
Transfer domain naming master
Transfer infrastructure master
Transfer PDC
Transfer RID master
Transfer schema master
7. You will receive a warning window asking if you want to perform the transfer. Click on Yes.
8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
9. Restart the server and make sure you update your backup.

http://articles.techrepublic.com.com/5100-10878_11-5081138.html
--------------------------------------------------------------------------------
5. Authentication Protocol
A. * CHAP - Challenge Handshake Authentication Protocol is a three-way handshake protocol which is considered more secure than PAP.
* EAP - Extensible Authentication Protocol is used between a dial-in client and server to determine what authentication protocol will be used.
* PAP - Password Authentication Protocol is a two-way handshake protocol designed for use with PPP. It is a plain text password used on older SLIP systems. It is not secure.
* SPAP - Shiva PAP. Only NT RAS server supports this for clients dialing in.
* DES - Data Encryption Standard for older clients and servers.
* RADIUS - Remote Authentication Dial-In User Service, used to authenticate users dialing in remotely to servers in an organization's network.
* S/Key - A one-time password system, secure against replays. RFC 2289.
* TACACS - Offers authentication, accounting, and authorization.
* MS-CHAP (MD4) - Uses a Microsoft version of the RSA message digest 4 challenge and reply protocol. It only works on Microsoft systems and enables data encryption. Selecting this authentication method causes all data to be encrypted.
* SKID - SKID2 and SKID3 are vulnerable to a man-in-the-middle attack.
* Kerberos - It's a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.
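To make the PAP/CHAP contrast concrete, the following added Python example (not from the original notes) runs the three-way CHAP handshake of RFC 1994 next to a PAP request and checks what an eavesdropper on the link would capture; the peer name and secrets are constructed.

```python
"""PAP versus CHAP on a PPP link: what an eavesdropper on the wire actually captures."""
import hashlib
import hmac
import os


def pap_authenticate_request(name, password):
    """PAP (RFC 1334): the peer just sends its name and password, in the clear."""
    return ("Authenticate-Request", name, password)


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: holds each peer's secret and issues single-use challenges."""

    def __init__(self, secrets):
        self.secrets = secrets             # {peer name: shared secret bytes}
        self.identifier = 0
        self.outstanding = {}              # identifier -> challenge awaiting a response

    def challenge(self, challenge=None):
        self.identifier = (self.identifier + 1) % 256
        challenge = challenge or os.urandom(16)      # a caller may inject one for testing
        self.outstanding[self.identifier] = challenge
        return ("Challenge", self.identifier, challenge)

    def verify(self, identifier, name, response):
        challenge = self.outstanding.pop(identifier, None)   # consumed: cannot be answered twice
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Dial-in client side: the secret never leaves this object."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return ("Response", identifier, self.name, chap_response(identifier, self.secret, challenge))


def run_chap_handshake(authenticator, peer, challenge=None):
    """The three-way handshake. Returns (success, wire): wire is every message seen on the link."""
    msg1 = authenticator.challenge(challenge)
    msg2 = peer.respond(msg1[1], msg1[2])
    ok = authenticator.verify(msg2[1], msg2[2], msg2[3])
    return ok, [msg1, msg2, ("Success" if ok else "Failure", msg1[1])]


def replay_old_response(authenticator, captured_response):
    """An eavesdropper who recorded a valid Response presents it against a fresh challenge."""
    new_identifier = authenticator.challenge()[1]
    _, _, name, old_digest = captured_response
    return authenticator.verify(new_identifier, name, old_digest)


def secret_on_wire(wire, secret):
    """True if the shared secret appears verbatim in any captured message field."""
    return any(field == secret for msg in wire for field in msg)


def demo():
    secret = b"s3cret"                                  # constructed shared secret
    auth = ChapAuthenticator({"alice": secret})
    ok, wire = run_chap_handshake(auth, ChapPeer("alice", secret))
    wrong, _ = run_chap_handshake(auth, ChapPeer("alice", b"guess"))
    return {
        "chap_ok": ok,
        "chap_wrong_secret": wrong,
        "chap_replay": replay_old_response(auth, wire[1]),
        "chap_secret_on_wire": secret_on_wire(wire, secret),
        "pap_secret_on_wire": secret_on_wire([pap_authenticate_request("alice", secret)], secret),
    }
```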
--------------------------------------------------------------------------------
6. How will you do authentication in a system?
A. Authentication tools provide the ability to determine the identity of a party to an interaction and to ensure that a message came from who it claims to have come from. Authentication is seldom used in isolation. Authentication is used as the basis for authorization (determining whether a privilege will be granted to a particular user or process), privacy (keeping information from becoming known to non-participants), and non-repudiation (not being able to deny having done something that was authorized to be done based on the authentication).
Authentication systems also provide differing levels of functionality. At minimum, they allow a recipient to verify that a message originated with a particular user (or user's agent; e.g., a program). More powerful systems ensure that messages cannot be copied and replayed in the future, that a client can prove to a third party that a message originated with a particular user (non-repudiation), and that require multiple users to validate a message (the equivalent of requiring multiple signatures on a checking account).
Authentication Algorithms
There are three main algorithms for authentication: passwords, the Needham and Schroeder protocol (used in Kerberos), and public key encryption. In all of them, the central issue is to never allow the secret information outside a secured environment, while at the same time allowing the recipient to verify that the secret was used.
The descriptions that appear below only give a flavor of the algorithms and discuss their advantages and disadvantages. For a more complete description of the algorithms and their variants, see the references.
Passwords
Passwords are simply secrets that are provided by the user upon request by a recipient. Passwords are often stored on a server in an encrypted form so that a penetration of the file system does not reveal password lists. The problem with password-based systems is that the password becomes known to the recipient, who can then impersonate the user. Even if the recipient is trusted not to do this, passwords are dangerous in network environments since they are susceptible to interception during transmission. In general, passwords are unacceptable security in a network environment.
Needham and Schroeder Protocol
In the Needham/Schroeder protocol used in Kerberos, the secret information used for verification is never transmitted in the clear and is never seen by a recipient. Instead, an "authentication server" creates a collection of "session secrets" (derived from its knowledge of the secrets of the sender and receiver in a particular interchange) that are used by the sender and receiver for authentication of messages during a particular interaction. Session information is good only between session participants, and can be timestamped to protect against replaying of messages. New interactions (even between the same client and server) require new session keys. The basic algorithm is given below; variants exist.
Each participant in an authentication realm possesses a secret encryption key known only to itself and an authentication server. This is its secret information. This key is used only for communication with the authentication server, which is presumed to be trusted and secure (i.e., it will neither misuse nor divulge the keys). An interaction between a client and a server begins with a client request to an authentication server for a "session encryption key" and an "authentication ticket" that will be used for client/server interactions. The session key will be used to encrypt messages between the client and server to protect the communications from eavesdroppers. The authentication ticket, which is encrypted using the server's secret encryption key, is handled, but is not readable, by the client. The authentication ticket is shipped along with the client request to the server in its encrypted form. Thus, a communication between a client and a server consists of a request, encrypted using the session key, and a ticket, encrypted (by the authentication server) using the server's key. Upon receipt of an encrypted message, the server decrypts the ticket. Inside, it finds the session key, which it can use to decrypt the message, and also authentication information put there by the authentication server verifying that the ticket is actually valid for a session with the particular client. Timestamps are also contained in the ticket to limit the time during which the session key will be considered valid.
Because session keys are known only to the client and server involved in a particular session, conventional encryption can be used (see Encryption). This is advantageous, since conventional encryption is typically much faster than public key encryption, which is necessary if an authentication server is not used to generate verifiable session keys. The disadvantage of the Needham/Schroeder protocol is the need for interactions with an authentication server, and the need to trust the authentication server.
Extensions exist to support hierarchical authentication servers across domains. Basically what happens is that if an authentication server does not know the secret key of a server for which a ticket has been requested, it communicates via the same algorithm with a higher level authentication server, in much the same way that name servers do. Eventually, the collection of authentication servers produce a session key and ticket, which are then used in the session as if they were obtained from a single, global authentication server. Thus, the algorithm scales well and matches name server domains nicely.
Security of messages during a session requires them to be encrypted with the session key, which in turn requires that the applications be "Kerberos aware". For a list of such software, see Kerberos Resources. Of course, all parties to a session must be Kerberos aware, else they cannot interpret the encrypted messages. At least some projects to integrate DCE with the WWW use authentication based on Kerberos; see OSF's DCE/Web.
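The ticket exchange described above, as an added Python example that is not from the original notes: the authentication server, client and server are simulated in one process, and seal/unseal is a standard-library stand-in for the conventional cipher the text refers to, not a real algorithm. Principal names, keys and the 300-second lifetime are constructed.

```python
"""Toy Needham/Schroeder (Kerberos-style) ticket exchange using only the standard library."""
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256: a stand-in for a real conventional cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag (illustration only)."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class AuthServer:
    """Holds every principal's long-term key; mints a session key and a ticket per request."""

    def __init__(self, keys, lifetime=300):
        self.keys, self.lifetime = keys, lifetime      # {principal: key}, ticket validity in seconds

    def issue(self, client, server, now):
        session_key = os.urandom(32)
        # Ticket sealed under the SERVER's key: the client carries it but cannot read it.
        ticket = seal(self.keys[server], json.dumps({
            "client": client, "session_key": session_key.hex(),
            "issued": now, "expires": now + self.lifetime}).encode())
        # Reply sealed under the CLIENT's key, so only the client learns the session key.
        return seal(self.keys[client], json.dumps({
            "server": server, "session_key": session_key.hex(), "ticket": ticket.hex()}).encode())


class Client:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def request_session(self, auth_server, server, now):
        reply = json.loads(unseal(self.key, auth_server.issue(self.name, server, now)))
        self.session_key = bytes.fromhex(reply["session_key"])
        self.ticket = bytes.fromhex(reply["ticket"])

    def send(self, message, now):
        """Each request = the opaque ticket + the request body sealed under the session key."""
        body = json.dumps({"from": self.name, "ts": now, "msg": message}).encode()
        return self.ticket, seal(self.session_key, body)


class Server:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def receive(self, ticket, request, now):
        info = json.loads(unseal(self.key, ticket))            # only this server can open the ticket
        if not info["issued"] <= now < info["expires"]:
            raise ValueError("ticket outside its validity window")
        body = json.loads(unseal(bytes.fromhex(info["session_key"]), request))
        if body["from"] != info["client"]:                      # the ticket must name this client
            raise ValueError("request does not match the ticket's client")
        return body["msg"]


def demo(now=1_700_000_000):
    """One session. Returns (accepted message, expired ticket rejected?, ticket opaque to client?)."""
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}   # constructed long-term keys
    kdc = AuthServer(keys)
    alice, fs = Client("alice", keys["alice"]), Server("fileserver", keys["fileserver"])
    alice.request_session(kdc, "fileserver", now)
    ticket, request = alice.send("list /share", now + 1)
    accepted = fs.receive(ticket, request, now + 1)
    try:
        fs.receive(ticket, request, now + 3600)                 # well past the 300 s lifetime
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    try:
        unseal(keys["alice"], ticket)                           # the client's own key will not open it
        opaque = False
    except ValueError:
        opaque = True
    return accepted, expired_rejected, opaque
```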
Public Key Encryption
Public key encryption (see Encryption) can also be used for authentication using "digital signatures". In public key encryption, each user, i, has both a public key, Ei, which is made publicly available, and a private key, Di, which only user i knows. The keys are mathematically related, and both are generated by the user. Thus, there is no need for anyone else to hold the private key, which enhances security.
Public and private keys are inverses and are symmetrical, in the sense that for a given message m, Ei(Di(m)) = Di(Ei(m)) = m. To preserve privacy, a user X will obtain the public key Ey for user Y and compute Ey(m). Since only Y knows Dy, only Y can decrypt. A checksum or some other identifying pattern is embedded into m so that a valid decryption can be verified.
Digital signatures work similarly, except that when X wants to sign a message to Y, X uses his/her private key Dx and computes Dx(m). Upon receipt, Y computes Ex(Dx(m)) = m. Since only X had knowledge of Dx, only X could have signed the message. Privacy encryption can be combined with digital signatures by computing Ey(Dx(m)), which is decrypted as Ex(Dy(Ey(Dx(m)))) = m.
The public key registry of the Ei need not be read-secure, since the Ei are given away freely. The registry must be protected against corruption, since that would allow fraudulent keys to be given out. The channel to the registry must be secure to prevent "spoofing" attacks, but this can be done using public key encryption.
The disadvantage of public key encryption is that it is several orders of magnitude slower than conventional encryption because of the nature of the encryption algorithms. Thus, for instances where a session involves many messages or where high performance is required, a Kerberos-based system may be more appropriate.
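The identities Ei(Di(m)) = Di(Ei(m)) = m, Ex(Dx(m)) = m and Ex(Dy(Ey(Dx(m)))) = m from the text, worked through with textbook RSA on small constructed primes, together with the embedded checksum the text mentions. This is an added Python example, not from the original notes, and it omits the padding that real signature and encryption schemes require.

```python
"""The E/D identities from the text, worked with textbook RSA on small primes (no padding)."""


def keygen(p, q, e=17):
    """Return (E, D) as (exponent, modulus) pairs; p, q prime, e coprime to (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # modular inverse needs Python 3.8+


def apply_key(key, x):
    """Apply E or D to an integer x < modulus: x ** exponent mod n."""
    exponent, n = key
    return pow(x, exponent, n)


def embed(m):
    """Embed a checksum so a valid decryption can be recognised; requires m * 256 < modulus."""
    return m * 256 + m % 251


def extract(x):
    """Undo embed(); None when the checksum does not match (wrong key or altered data)."""
    m, check = divmod(x, 256)
    return m if check == m % 251 else None


def sign(D_x, m):
    return apply_key(D_x, embed(m))                           # Dx(m)


def verify(E_x, signature):
    return extract(apply_key(E_x, signature))                 # Ex(Dx(m)) = m, else None


def encrypt_for(E_y, m):
    return apply_key(E_y, embed(m))                           # Ey(m)


def decrypt(D_y, c):
    return extract(apply_key(D_y, c))                         # Dy(Ey(m)) = m


def sign_then_encrypt(D_x, E_y, m):
    return apply_key(E_y, sign(D_x, m))                       # Ey(Dx(m)); needs n_x < n_y


def decrypt_then_verify(D_y, E_x, c):
    return verify(E_x, apply_key(D_y, c))                     # Ex(Dy(Ey(Dx(m)))) = m


# Constructed keys: user X with n = 1009 * 1013, user Y with the larger n = 1031 * 1033.
E_x, D_x = keygen(1009, 1013)
E_y, D_y = keygen(1031, 1033)


def demo(m=3000):
    """Exercise every identity on one message; every value except the forgery test equals m."""
    s = sign(D_x, m)
    return {
        "inverse_identities": (apply_key(E_x, apply_key(D_x, m)), apply_key(D_x, apply_key(E_x, m))),
        "signature_verifies": verify(E_x, s),
        "forgery_rejected": verify(E_x, s + 1) != m,           # a tampered signature never yields m
        "privacy": decrypt(D_y, encrypt_for(E_y, m)),
        "signed_and_encrypted": decrypt_then_verify(D_y, E_x, sign_then_encrypt(D_x, E_y, m)),
    }
```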
Functionality
Both Needham/Schroeder and public key encryption can support different levels of functionality. Without going into the details, more functionality or security requires more messages/encryptions or more frequent messages. Thus it is important to balance the security required with the costs of obtaining it for a given application.

--------------------------------------------------------------------------------

7. Restores
A.
Non-Authoritative Restoration
Used most commonly in cases when a DC fails because of hardware- or software-related reasons, this is the default directory services restore mode selection. In this mode, the operating system restores the domain controller's contents from the backup. After this, the domain controller receives, through replication, all directory changes that have been made since the backup from the other domain controllers in the network.
Authoritative Restoration
An authoritative restore is most commonly used in cases in which a change was made within the directory that must be reversed, such as deleting an organizational unit by mistake. This process restores the DC from the backup and then replicates to and overwrites all other domain controllers in the network to match the restored DC. The especially valuable thing about this is that you can choose to only make certain objects within the directory authoritative. For example, if you delete an OU by mistake you can choose to make it authoritative. This will replicate the deleted OU back to all of the other DCs in the network and then use all of the other information from these other DCs to bring the newly restored server back up to date.

--------------------------------------------------------------------------------
8. Child Domain
A.
--------------------------------------------------------------------------------
9. Stub Zone
A. A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of:
* The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
* The IP address of one or more master servers that can be used to update the stub zone.
The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.
A stub zone is a read-only copy of a zone, which obtains its resource records from other name servers. It contains copies of only three types of resource records:
1. SOA record for the zone.
2. Name server (NS) records for all name servers authoritative for the zone.
3. Host (A) records for all name servers authoritative for the zone.
These resource records are necessary to identify the authoritative DNS servers for the zone. A stub zone is used to streamline name resolution, especially in a split namespace scenario.
A DNS server that is hosting a stub zone is configured with the IP address of the authoritative server from which it loads. DNS servers can use stub zones for both iterative and recursive queries. When a DNS server hosting a stub zone receives a recursive query for a computer name in the zone to which the stub zone refers, the DNS server uses the IP address to query the authoritative server, or, if the query is iterative, returns a referral to the DNS servers listed in the stub zone. A stub zone reduces the amount of DNS traffic on the network and makes DNS more efficient, especially over slow WAN links.
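An added Python model (not from the original notes) of the behaviour described above: the stub copies only SOA, NS and glue A records from its master, answers a recursive query by asking the master, and answers an iterative query with a referral. The partner.example zone, its name server and all addresses are constructed.

```python
"""How a DNS server holding a stub zone answers iterative and recursive queries (model of the text)."""


class AuthoritativeServer:
    """The master for the delegated zone: holds the whole zone, not just the apex records."""

    def __init__(self, zone, records):
        self.zone = zone
        self.records = records             # {owner name: {record type: [values]}}

    def zone_apex(self):
        """What a stub zone copies from its master: SOA, NS, and the A (glue) of those name servers."""
        apex = self.records[self.zone]
        glue = {ns: {"A": self.records[ns]["A"]} for ns in apex["NS"] if ns in self.records}
        return {"SOA": apex["SOA"], "NS": apex["NS"], "glue": glue}

    def query(self, name, rtype):
        return self.records.get(name, {}).get(rtype, [])


class StubZone:
    """A read-only copy of the apex records plus the address of the master to load them from."""

    def __init__(self, zone, master_ip, master):
        self.zone, self.master_ip, self.master = zone, master_ip, master   # master = server at master_ip
        self.refresh()

    def refresh(self):
        self.copy = self.master.zone_apex()          # never the full zone, only SOA/NS/glue

    def covers(self, name):
        return name == self.zone or name.endswith("." + self.zone)


class DnsServer:
    def __init__(self):
        self.stubs = []

    def add_stub_zone(self, stub):
        self.stubs.append(stub)

    def resolve(self, name, rtype, recursive):
        for stub in self.stubs:
            if stub.covers(name):
                if recursive:
                    # Recursive query: ask the authoritative server the stub points at, return its answer.
                    return {"type": "answer", "from": stub.master_ip, "data": stub.master.query(name, rtype)}
                # Iterative query: a referral built only from the stub zone's own NS and glue records.
                return {"type": "referral", "ns": stub.copy["NS"], "glue": stub.copy["glue"]}
        return {"type": "nxdomain"}


def demo():
    """Constructed partner.example zone after a merger; our server only holds a stub for it."""
    partner = AuthoritativeServer("partner.example", {
        "partner.example": {"SOA": ["ns1.partner.example. hostmaster.partner.example. 2024010101"],
                            "NS": ["ns1.partner.example"]},
        "ns1.partner.example": {"A": ["192.0.2.53"]},
        "www.partner.example": {"A": ["192.0.2.80"]},
    })
    ours = DnsServer()
    ours.add_stub_zone(StubZone("partner.example", "192.0.2.53", partner))
    return (ours.resolve("www.partner.example", "A", recursive=True),
            ours.resolve("www.partner.example", "A", recursive=False),
            ours.resolve("www.other.example", "A", recursive=True),
            "www.partner.example" in ours.stubs[0].copy["glue"])     # the stub never holds www
```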

--------------------------------------------------------------------------------
10. DNS Records
A. Your domain name has a DNS zone which consists of the following records:
* NS - specifies which are the DNS servers for your domain;
* A - specifies IP addresses corresponding to your domain and its subdomains;
* MX - specifies where the emails for your domain should be delivered;
* CNAME - specifies redirects from your domain's subdomains to other domains / subdomains;
* SPF - Sender Policy Framework (SPF) is an attempt to control forged e-mail.
http://www.debianhelp.co.uk/dnsrecords.htm

--------------------------------------------------------------------------------
11. Relay Agent in DHCP
A.
The DHCP (Dynamic Host Configuration Protocol) relay agent is a Bootstrap Protocol agent that relays DHCP messages between clients and servers for DHCP on different IP networks. It can be a host or an IP router that listens to DHCP client messages being broadcast on the subnet and relays them to the configured DHCP server. The DHCP server then sends responses, again using the DHCP relay agent, back to the DHCP client. The DHCP relay agent saves the administrator the agony of installing and running a DHCP server on each subnet. A DHCP server or a computer acting as a DHCP server is necessary for every IP network segment that has DHCP clients. These terms may sound too wordy to some, so the definition of terms below may come as a relief.
DHCP - This is a client/server protocol that dynamically provides Internet Protocol (IP) addresses to hosts plus other configuration entries such as the Subnet Mask and Default Gateway. Microsoft Windows Server 2003 OS has the DHCP server service, while Microsoft Windows 98, Millennium, NT, 2000 and XP have the DHCP client in their TCP/IP. One of the advantages of DHCP is that IP addresses are assigned from one central point, minimizing the possibility of one IP being assigned to more than one computer, which would create a conflict.
* DHCP Server - This is a computer running the DHCP server service that has information as to which IP addresses are available as well as configuration information as defined by the administrator for DHCP.
* DHCP Client - This is a computer that receives its IP configuration information using DHCP.
Add a DHCP Relay agent.
In order to add a DHCP relay agent, follow these instructions.
1) Open Routing and Remote Access. You can do that by typing this at a command prompt:
runas /user:[Domain\]UserName "mmc %windir%\system32\rrasmgmt.msc"
Note that the user name must correspond to an administrator's account.
2) On the console tree, click General. Follow this path: Routing and Remote Access/server name/IP Routing/General
3) Right click on General, and then click on New Routing Protocol.
4) In the dialogue box called Select Routing Protocol, click on DHCP Relay Agent.
5) Finish the procedure by clicking OK.
If you want to configure the DHCP Relay Agent, follow these instructions:
1) Open Routing and Remote Access as explained earlier.
2) On the console tree, open the DHCP Relay Agent by following this path: Routing and Remote Access/server name/IP Routing/DHCP Relay Agent.
3) Proceed to right click on DHCP Relay Agent, and then click on Properties.
4) Go to the General tab, select Server address, type the DHCP server address, and click OK.
5) Repeat the previous step for each additional DHCP server that you add, and then click OK.
If you wish to enable the DHCP Relay Agent on a router's interface, follow these steps:
1) Proceed to open Routing and Remote Access.
2) Once you are on the console tree, click on the DHCP Relay Agent.
3) Right click DHCP Relay Agent and select New Interface.
4) Select the interface that you want and then click on OK. A dialogue box for DHCP Relay Agent will appear, and on the General tab, verify that the Relay DHCP Packets check box has been checked.
5) If it is deemed necessary, click the arrows on Hop-count threshold and Boot threshold (seconds) to modify the thresholds.
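The forwarding decision the relay agent makes, including the Hop-count threshold and Boot threshold from step 5, as an added Python example built on the RFC 2131 fixed header; it is not from the original notes. The threshold semantics used here (drop at or above the hop count, hold a request back until the boot threshold has elapsed so a local server gets first chance) and the 4/4 defaults are assumptions of this example, as are all addresses.

```python
"""A DHCP relay agent's forwarding decision, modelled on the RFC 2131 fixed header."""
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
FIXED_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT = 67


def ip(text):
    """Dotted quad -> 4 raw bytes, the form the header fields use."""
    return bytes(int(octet) for octet in text.split("."))


def build_discover(xid, mac, secs=0, hops=0):
    """A client's broadcast DHCPDISCOVER: every address field zero, giaddr zero."""
    return FIXED_HEADER.pack(BOOTREQUEST, 1, 6, hops, xid, secs, 0x8000,
                             bytes(4), bytes(4), bytes(4), bytes(4),
                             mac + bytes(10), bytes(64), bytes(128))


def build_reply(xid, mac, offered_ip, server_ip, giaddr):
    """A server's DHCPOFFER/ACK addressed to the relay named in giaddr."""
    return FIXED_HEADER.pack(BOOTREPLY, 1, 6, 0, xid, 0, 0x8000,
                             bytes(4), ip(offered_ip), ip(server_ip), ip(giaddr),
                             mac + bytes(10), bytes(64), bytes(128))


def parse(packet):
    names = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
             "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
    return dict(zip(names, FIXED_HEADER.unpack(packet[:FIXED_HEADER.size])))


class RelayAgent:
    """Listens on one subnet interface and unicasts client broadcasts to the DHCP servers."""

    def __init__(self, interface_ip, servers, hop_count_threshold=4, boot_threshold=4):
        self.interface_ip = ip(interface_ip)
        self.servers = [ip(s) for s in servers]
        self.hop_count_threshold = hop_count_threshold   # RRAS 'Hop-count threshold' (assumed default 4)
        self.boot_threshold = boot_threshold             # RRAS 'Boot threshold (seconds)' (assumed default 4)

    def relay_request(self, packet):
        """Return (decision, copies to send) for a client broadcast heard on the interface."""
        hdr = parse(packet)
        if hdr["op"] != BOOTREQUEST:
            return "ignored: not a client request", []
        if hdr["hops"] >= self.hop_count_threshold:
            return "dropped: hop-count threshold reached", []
        if hdr["secs"] < self.boot_threshold:
            return "dropped: below boot threshold, a local server gets first chance", []
        # Set giaddr to our interface unless an earlier relay already did, and count the hop.
        giaddr = hdr["giaddr"] if hdr["giaddr"] != bytes(4) else self.interface_ip
        relayed = packet[:3] + bytes([hdr["hops"] + 1]) + packet[4:24] + giaddr + packet[28:]
        return "relayed", [(server, DHCP_SERVER_PORT, relayed) for server in self.servers]

    def relay_reply(self, packet):
        """A server reply whose giaddr is our interface is put back on the client's subnet."""
        hdr = parse(packet)
        if hdr["op"] != BOOTREPLY or hdr["giaddr"] != self.interface_ip:
            return "ignored: reply not for this relay", None
        return "delivered to client subnet", packet


def demo():
    relay = RelayAgent("10.1.2.1", ["10.0.0.10", "10.0.0.11"])   # constructed addresses
    mac = bytes.fromhex("0011223344aa")
    packets = {
        "fresh": build_discover(0x1234, mac, secs=0),            # client's very first attempt
        "retry": build_discover(0x1234, mac, secs=8),            # still unanswered after 8 s
        "looped": build_discover(0x1234, mac, secs=8, hops=4),   # passed through 4 relays already
    }
    decisions = {name: relay.relay_request(pkt)[0] for name, pkt in packets.items()}
    _, copies = relay.relay_request(packets["retry"])
    forwarded = parse(copies[0][2])
    reply = build_reply(0x1234, mac, "10.1.2.50", "10.0.0.10", "10.1.2.1")
    return decisions, len(copies), forwarded["hops"], forwarded["giaddr"], relay.relay_reply(reply)[0]
```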

--------------------------------------------------------------------------------
12. EFS & NTFS
A. The Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS volumes. EFS keeps files safe from intruders who might gain unauthorized physical access to sensitive, stored data (for example, by stealing a portable computer or external disk drive).
Users work with encrypted files and folders just as they do with any other files and folders. Encryption is transparent to the user who encrypted the file; the system automatically decrypts the file or folder when the user accesses it. When the file is saved, encryption is reapplied. Users who are not authorized to access the encrypted files or folders transparently receive an "Access denied" message if they try to open, copy, move, or rename the encrypted file or folder. The exact message text may vary depending on the application which tries to access the file, because it is related not to the user's rights for the file but to the ability of EFS to decrypt the file using the user's private key.
EFS has the following benefits over 3rd party encrypting applications:
1. It is transparent for the user and any applications. There's no risk of the user forgetting to encrypt a file and leaving data unprotected. Once a file or folder is marked as encrypted, it will be encrypted in the background without interaction with the user. The user does not need to remember a password to decrypt files.
2. Strong key security. In contrast to other solutions where keys are based on a user-entered pass-phrase, EFS generates keys which are tolerant to dictionary-based attacks.
3. All encrypting/decrypting processes are performed in kernel mode, excluding the risk of leaving the key in the paging file, from where it could possibly be extracted.
4. EFS provides a data recovery mechanism which is valuable in a business environment, giving an organization an opportunity to restore data even if the employee who encrypted it has left the company.

--------------------------------------------------------------------------------
13. Mounting / Compression in a file system
--------------------------------------------------------------------------------
14. Global Catalog
A. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work%28WS.10%29.aspx
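As an added example (not from the original notes or from Microsoft's documentation), this PowerShell script lists the domain controllers that hold the global catalog role and then runs a forest-wide search against the global catalog (the GC:// provider, port 3268) rather than a single domain partition. It assumes the ActiveDirectory module from RSAT is installed and that the caller is a domain user; the forest root DN is read from the RootDSE, and the account name jdoe is a constructed sample.

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory module (RSAT)
# and PowerShell 3.0+.
Import-Module ActiveDirectory

function Get-GlobalCatalogServers {
    # Only DCs flagged IsGlobalCatalog answer on port 3268 with the partial attribute set.
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Select-Object HostName, Site, Domain
}

function Search-GlobalCatalog {
    param(
        [Parameter(Mandatory)][string]$LdapFilter,
        [string[]]$Properties = @('distinguishedName', 'objectClass')
    )
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $forestDn = $rootDse.rootDomainNamingContext.Value
    # GC:// selects the global catalog replica. One query covers every domain in the
    # forest without referrals; attributes outside the partial attribute set come back
    # empty, which is why a GC lookup is fast but not a substitute for a full LDAP read.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"GC://$forestDn"
    $searcher.Filter     = $LdapFilter
    $searcher.PageSize   = 500
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($p in $Properties) {
            # ResultPropertyCollection keys are lower-case attribute names.
            $row[$p] = @($r.Properties[$p.ToLower()]) -join ';'
        }
        [pscustomobject]$row
    }
}

# Usage: show the GC servers, then resolve one account anywhere in the forest.
Get-GlobalCatalogServers | Format-Table -AutoSize
Search-GlobalCatalog -LdapFilter '(&(objectClass=user)(sAMAccountName=jdoe))' `
    -Properties distinguishedName, userPrincipalName
```

The distinguishedName in the result tells you which domain the object lives in; a follow-up LDAP:// query to a DC of that domain is needed for attributes that are not replicated to the global catalog.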
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-
15. Round Robin
A. Round robin is a load balancing technique in which the balancing decision is made by the DNS server instead of by a dedicated load-balancing machine, as other techniques do.
Round robin works on a rotating basis: one server IP address is handed out and then moves to the back of the list; the next server IP address is handed out and then moves to the end of the list; and so on, depending on the number of servers being used. This works in a looping fashion.
Round robin DNS is usually used for balancing the load of geographically distributed Web servers. For example, a company has one domain name and three identical home pages residing on three servers with three different IP addresses. When one user accesses the home page, the request is sent to the first IP address. The second user who accesses the home page is sent to the next IP address, and the third user is sent to the third IP address. In each case, once an IP address is given out, it goes to the end of the list. The fourth user, therefore, is sent to the first IP address, and so forth.
Although very easy to implement, round robin DNS has important drawbacks, such as those inherited from the DNS hierarchy itself and from TTL values, which make undesired address caching very difficult to manage. Moreover, because of its simplicity, a remote server that goes down unexpectedly stays in the DNS tables, which then no longer match the real state of the servers. However, this technique, together with other load balancing and clustering methods, can produce good solutions for some situations.
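As an added example (not part of the original notes), the following PowerShell script makes the two points above observable from a client: it shows the rotation of A records across repeated queries (and the TTL that governs caching), and it checks whether every address in the round-robin set still answers, which is the "server goes down but stays in DNS" drawback. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection; www.example.com and port 80 are placeholders.

```powershell
# Added example, not from the original notes. Assumes the DnsClient and NetTCPIP
# modules (Windows 8 / Server 2012 or later).
function Get-RoundRobinOrder {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Queries = 6,
        [string]$Server          # optional: query a specific DNS server
    )
    for ($i = 1; $i -le $Queries; $i++) {
        $query = @{ Name = $Name; Type = 'A'; DnsOnly = $true; NoHostsFile = $true }
        if ($Server) { $query.Server = $Server }
        # -DnsOnly bypasses the local resolver cache so every query reaches the server
        # and the rotation is visible. Without it the cached answer repeats until its
        # TTL expires, which is the caching problem the text describes.
        $answer = @(Resolve-DnsName @query -ErrorAction Stop | Where-Object { $_.Type -eq 'A' })
        [pscustomobject]@{
            Query = $i
            First = $answer[0].IPAddress                     # the address most clients use
            Order = ($answer | ForEach-Object { $_.IPAddress }) -join ' > '
            TTL   = $answer[0].TTL
        }
    }
}

function Test-RoundRobinMembers {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Port = 80
    )
    $addresses = Resolve-DnsName -Name $Name -Type A -DnsOnly |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress -Unique
    foreach ($a in $addresses) {
        # DNS keeps handing out this address whether or not the server answers;
        # a member that fails here is still receiving one share of the requests.
        $up = Test-NetConnection -ComputerName $a -Port $Port -InformationLevel Quiet `
              -WarningAction SilentlyContinue
        [pscustomobject]@{ Address = $a; Reachable = $up }
    }
}

Get-RoundRobinOrder -Name 'www.example.com' | Format-Table -AutoSize
Test-RoundRobinMembers -Name 'www.example.com' -Port 80 | Format-Table -AutoSize
```

Note that the Windows DNS server can reorder answers by subnet proximity (netmask ordering) before round robin applies, so the rotation seen from one client may skip addresses that another client would receive.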

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-
16. KCC
A. Windows NT has a single domain controller with a writeable directory, the PDC. All changes take place on the PDC and are replicated to the read-only backup domain controllers (BDCs). This is called single master replication. In Windows 2000, any domain controller can be modified. Since any domain controller can be modified, maintaining consistency is complex. This replication process is called multiple master replication. The Windows 2000 Knowledge Consistency Checker (KCC) creates connections dynamically between the domain controllers and triggers replication.
As the number of domain controllers increases, replication consumes more and more network bandwidth. The KCC balances the need for consistency against the bandwidth limitation using the timely contact rule. This means that no domain controller is allowed to be more than 3 connections from any other domain controller. The KCC maintains domain consistency automatically. It does mean that instead of there being two versions of the directory as in Windows NT (the PDC's and the unreplicated BDC's), Windows 2000 can have multiple slightly different directories. The process is automatic and is best left alone.
As in Windows NT, you can force replication. You can manually force the KCC to run immediately using the Replication Diagnostics Tool (Repadmin.exe) from the Windows 2000 Support Tools, located in the support.cab file in the \support\tools directory on the Windows 2000 CD. To force the KCC on the server named server1.mydomain.com, you would issue the following command:
Repadmin /kcc server1.mydomain.com
Intersite replication relaxes the timely contact rule, since replication between sites usually occurs over slower links. The KCC can be optimized for your particular intersite replication needs. You can force replication between certain sites to occur after hours and/or at an interval of your choice. The Active Directory Sites and Services MMC snap-in allows you to control intersite replication. You use it to create site link bridge objects and configure the replication patterns.
Bridgehead servers perform directory replication between two sites. Only two designated domain controllers talk to each other; these domain controllers are called bridgehead servers. If you have domain controllers from multiple domains, you will have a bridgehead server for each domain.
Each Active Directory site also has one domain controller that takes the role of Inter-Site Topology Generator (ISTG), which reviews and generates the connection objects for the bridgehead servers in each site. There is only one domain controller with this role in each site, even if you have multiple domains. The first domain controller in the site becomes the ISTG for the site by default. You can't control which domain controller is the ISTG, but you can find out which one it is:
* Open the Active Directory Sites and Services console.
* Select the site object.
* In the right pane, right-click the NTDS Site Settings object and select Properties. The current role owner appears in the Server box under Inter-Site Topology Generator on the Site Settings tab.
If the domain controller holding the ISTG role is offline for more than 60 minutes, another domain controller in the site will automatically take over this role.

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-
17. Bridge Server
A. A bridgehead server is a domain controller in each site that is used as the contact point to receive and replicate data between sites. For intersite replication, the KCC designates one of the domain controllers as the bridgehead server. If that server is down, the KCC designates another domain controller in the site. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.
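As an added example (not part of the original notes) covering both the KCC/ISTG answer and the bridgehead answer above, this PowerShell script reads the current ISTG of every site and any preferred bridgehead servers straight from the configuration partition (the same NTDS Site Settings object the console steps point at), and wraps the repadmin /kcc command from the text. It assumes the ActiveDirectory module is installed and that repadmin.exe is on the path (built in from Windows Server 2008, Support Tools on 2000/2003); all site and server names are read from AD.

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory module and
# repadmin.exe. Read-only except for Invoke-Kcc, which is commented out below.
Import-Module ActiveDirectory

function Get-SiteTopologyInfo {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    # Every site has one nTDSSiteSettings object; its interSiteTopologyGenerator
    # attribute is the DN of the NTDS Settings object of the DC currently acting as ISTG.
    $settings = Get-ADObject -SearchBase "CN=Sites,$configNc" `
        -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties interSiteTopologyGenerator
    foreach ($s in $settings) {
        $siteDn  = ($s.DistinguishedName -split ',', 2)[1]
        $siteName = (Get-ADObject -Identity $siteDn).Name
        $istgName = '<none>'
        if ($s.interSiteTopologyGenerator) {
            # Strip the leading "CN=NTDS Settings," to get the server object's DN.
            $serverDn = $s.interSiteTopologyGenerator -replace '^CN=NTDS Settings,', ''
            $istgName = (Get-ADObject -Identity $serverDn).Name
        }
        # A server object with bridgeheadTransportList set is a preferred bridgehead for
        # that transport (IP or SMTP). If none is set, the ISTG chooses the bridgehead and
        # fails it over automatically, which is the behaviour the bridgehead answer describes.
        $preferred = @(Get-ADObject -SearchBase "CN=Servers,$siteDn" `
            -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))')
        [pscustomobject]@{
            Site                 = $siteName
            ISTG                 = $istgName
            PreferredBridgeheads = ($preferred | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

function Invoke-Kcc {
    param([Parameter(Mandatory)][string]$DomainController)
    # Same as the manual command in the text: make the KCC recalculate the replication
    # topology now instead of waiting for its next scheduled run.
    & repadmin.exe /kcc $DomainController
}

Get-SiteTopologyInfo | Format-Table -AutoSize
# Invoke-Kcc -DomainController 'server1.mydomain.com'
```

Pinning a preferred bridgehead is a trade-off: it gives control over which DC carries the WAN replication traffic, but if every preferred bridgehead for a domain in a site is down, intersite replication for that domain stops instead of failing over.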

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-
18. Lingering Objects
A. When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. (The limit is 60 days if the AD forest was originally created with Windows 2000 Server.) If you attempt to restore a backup that has expired, you may encounter problems due to lingering objects.
What Are Lingering Objects?
A lingering object is a deleted AD object that re-appears ("lingers") on the restored domain controller (DC) in its local copy of Active Directory. This can happen if, after the backup was made, the object was deleted on another DC more than 180 days ago.
When a DC deletes an object, it replaces the object with a tombstone object. The tombstone object is a placeholder that represents the deleted object. When replication occurs, the tombstone object is transmitted to the other DCs, which causes them to delete the AD object as well.
Tombstone objects are kept for 180 days, after which they are garbage-collected and removed.
If a DC is restored from a backup that contains an object deleted elsewhere, the object will re-appear on the restored DC. Because the tombstone object on the other DCs has been removed, the restored DC will not receive the tombstone object (via replication), and so it will never be notified of the deletion. The deleted object will linger in the restored local copy of Active Directory.
How to Remove Lingering Objects
Windows Server 2003 and 2008 can remove lingering objects manually using the console utility REPADMIN.EXE. REPADMIN.EXE can be found in the Windows Server 2003 Support Tools, located on the Windows Server 2003 CD/DVD. (It is standard on Windows Server 2008.) Use the option /removelingeringobjects.
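As an added example (not part of the original notes), the PowerShell below puts the answer into checks an administrator can run before and after a restore: read the forest's actual tombstone lifetime and compare a backup's age against it, confirm the DC enforces strict replication consistency (so an inbound lingering object is refused rather than revived), look for the Directory Service events that report lingering objects, and run repadmin /removelingeringobjects in advisory mode, which only reports and deletes nothing. It assumes the ActiveDirectory module and repadmin.exe on a DC, the documented event IDs 1388 (lingering object replicated under loose consistency) and 1988 (blocked by strict consistency), and the NTDS\Parameters registry value "Strict Replication Consistency"; the DC names and naming context are placeholders.

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory module and
# repadmin.exe on a domain controller.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
          -Properties tombstoneLifetime
    # When the attribute is not set the forest uses the old 60-day default; forests
    # created with Windows Server 2003 SP1 or later have it set to 180.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-BackupAge {
    param([Parameter(Mandatory)][datetime]$BackupDate)
    $tsl = Get-TombstoneLifetime
    $age = ((Get-Date) - $BackupDate).Days
    # A backup older than the tombstone lifetime is exactly the case that produces
    # lingering objects on the restored DC.
    [pscustomobject]@{ BackupAgeDays = $age; TombstoneLifetimeDays = $tsl; Restorable = ($age -lt $tsl) }
}

function Test-StrictReplicationConsistency {
    # DWORD 1 = strict: a DC refuses an inbound object whose tombstone it no longer has
    # (event 1988) instead of quietly re-creating it (event 1388).
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{ DC = $env:COMPUTERNAME; Strict = ($p.'Strict Replication Consistency' -eq 1) }
}

function Get-LingeringObjectEvents {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1388, 1988; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Find-LingeringObjects {
    param(
        [Parameter(Mandatory)][string]$TargetDC,       # DC suspected of holding lingering objects
        [Parameter(Mandatory)][string]$ReferenceDC,    # known-good DC to compare against
        [Parameter(Mandatory)][string]$NamingContext   # e.g. DC=contoso,DC=com
    )
    # repadmin wants the reference DC's DSA object GUID (objectGUID of its NTDS Settings
    # object), not its host name.
    $ntdsDn = (Get-ADDomainController -Identity $ReferenceDC).NTDSSettingsObjectDN
    $guid   = (Get-ADObject -Identity $ntdsDn).ObjectGUID
    # /advisory_mode lists what would be removed; drop it only after reviewing the list.
    & repadmin.exe /removelingeringobjects $TargetDC $guid $NamingContext /advisory_mode
}

Test-BackupAge -BackupDate (Get-Date).AddDays(-200)
Test-StrictReplicationConsistency
Get-LingeringObjectEvents | Format-Table -AutoSize
# Find-LingeringObjects -TargetDC 'dc2.contoso.com' -ReferenceDC 'dc1.contoso.com' -NamingContext 'DC=contoso,DC=com'
```

Run the advisory-mode check from every DC's point of view against a reference DC for each partition (domain, configuration and schema, plus application partitions such as DNS), since a lingering object in one partition is not visible from the others.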

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-
19. WSUS
A. Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network.
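As an added example (not part of the original notes), this PowerShell script verifies from the client side that a machine is actually under WSUS control, reading the values the WSUS Group Policy writes (WUServer, WUStatusServer, UseWUServer and the optional TargetGroup) and flagging the configurations that silently defeat the "fully manage the distribution" goal: a client that still talks to Microsoft Update, or a WSUS URL over plain HTTP instead of TLS. It also asks the Windows Update agent to start a detection cycle through the Microsoft.Update.AutoUpdate COM object. It assumes the client receives its settings through Group Policy under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.

```powershell
# Added example, not from the original notes. Assumes WSUS settings delivered by Group
# Policy; run elevated on the client you want to check.
function Get-WsusClientConfig {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer                 # server the client downloads approvals from
        WUStatusServer = $wu.WUStatusServer           # server the client reports status to
        UseWUServer    = ($au.UseWUServer -eq 1)      # 1 = use the WSUS server above
        TargetGroup    = $wu.TargetGroup              # only present with client-side targeting
        UsesHttps      = [bool]($wu.WUServer -match '^https://')
    }
}

function Test-WsusClientConfig {
    $c = Get-WsusClientConfig
    $problems = @()
    if (-not $c.UseWUServer) {
        $problems += 'UseWUServer is not 1: the client falls back to Microsoft Update and bypasses WSUS approvals'
    }
    if (-not $c.WUServer) {
        $problems += 'WUServer is not set'
    } elseif (-not $c.UsesHttps) {
        # Microsoft recommends TLS for WSUS so clients can verify which server they take
        # update metadata from; update binaries are signed, but metadata over HTTP is not.
        $problems += 'WUServer uses plain HTTP; configure WSUS with TLS and an https:// URL'
    }
    if ($c.WUServer -and $c.WUStatusServer -and ($c.WUServer -ne $c.WUStatusServer)) {
        $problems += 'WUServer and WUStatusServer differ (allowed, but confirm it is intended)'
    }
    [pscustomobject]@{ Config = $c; Problems = $problems; Ok = ($problems.Count -eq 0) }
}

function Start-WsusDetection {
    # Equivalent of "wuauclt /detectnow" on older clients: contact the WSUS server now.
    $agent = New-Object -ComObject Microsoft.Update.AutoUpdate
    $agent.DetectNow()
}

$result = Test-WsusClientConfig
$result.Config
$result.Problems
# Start-WsusDetection
```

Check the same values on a few clients of each target group; a client missing from the WSUS console is almost always one where UseWUServer is 0 or the policy key is absent.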
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-
20. Garbage Process
A. Garbage collection is a housekeeping process that is designed to free space within the Active Directory database. In Windows 2000 and in the original release version of Windows Server 2003, this process runs on every domain controller in the enterprise with a default lifetime interval of 12 hours. You can change this interval by modifying the garbageCollPeriod attribute in the enterprise-wide DS configuration object (NTDS).
The path of the object in the Contoso.com domain would resemble the following:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=CONTOSO,DC=COM
Use an Active Directory editing tool to set the garbageCollPeriod attribute. Supported tools include Adsiedit.msc, Ldp.exe, and Active Directory Service Interfaces (ADSI) scripts.
When an object is deleted, it is not removed from the Active Directory database. Instead, the object is marked for deletion at a later date. This mark is then replicated to other domain controllers. Therefore, the garbage collection process starts by removing the remains of previously deleted objects from the database. These objects are known as tombstones. Next, the garbage collection process deletes unnecessary log files. Finally, the process starts a defragmentation thread to claim additional free space.
In addition, there are two methods to defragment the Active Directory database in Windows 2000 and in Windows Server 2003. One method is an online defragmentation operation that runs as part of the garbage collection process. The advantage of this method is that the server does not have to be taken offline for the operation to run. However, this method does not reduce the size of the Active Directory database file (Ntds.dit). The other method takes the server offline and defragments the database by using the Ntdsutil.exe utility. This approach requires that the database be started in repair mode. The advantage of this method is that the database is resized and unused space is removed; therefore, the size of the Ntds.dit file is reduced. To use this method, the domain controller must be taken offline.
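As an added example (not part of the original notes), the PowerShell below reports the garbage-collection interval and the current Ntds.dit size on a DC, changes garbageCollPeriod on the Directory Service object named above with ShouldProcess support (so -WhatIf previews it, replacing the Adsiedit.msc step), and prints the offline ntdsutil compaction sequence that actually shrinks the file. It assumes the ActiveDirectory module on a DC, that the "DSA Database file" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters holds the Ntds.dit path, and the Windows Server 2008 form of the ntdsutil commands ("activate instance ntds" is not used on 2003, where the DC is booted into Directory Services Restore Mode instead of stopping the NTDS service).

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory module on a DC.
Import-Module ActiveDirectory

function Get-DirectoryServiceDn {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
}

function Get-DsHousekeepingInfo {
    $dsDn = Get-DirectoryServiceDn
    $ds = Get-ADObject -Identity $dsDn -Properties garbageCollPeriod
    # An unset attribute means the 12-hour default described in the text.
    $hours = if ($ds.garbageCollPeriod) { [int]$ds.garbageCollPeriod } else { 12 }
    $ditPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    [pscustomobject]@{
        DirectoryServiceObject = $dsDn
        GarbageCollPeriodHours = $hours
        NtdsDitPath            = $ditPath
        # Online defragmentation never makes this number go down; only offline compaction does.
        NtdsDitSizeMB          = [math]::Round((Get-Item $ditPath).Length / 1MB, 1)
    }
}

function Set-GarbageCollPeriod {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][ValidateRange(1, 8760)][int]$Hours)
    $dsDn = Get-DirectoryServiceDn
    if ($PSCmdlet.ShouldProcess($dsDn, "set garbageCollPeriod to $Hours hour(s)")) {
        # Same change the text describes making with Adsiedit.msc or Ldp.exe; the value
        # is forest-wide and replicates to every DC.
        Set-ADObject -Identity $dsDn -Replace @{ garbageCollPeriod = $Hours }
    }
}

function Get-OfflineDefragCommands {
    param([string]$CompactTo = 'C:\NtdsCompact')
    # Offline defragmentation (Server 2008+ form). Take a system-state backup first;
    # the compacted file replaces Ntds.dit and the old transaction logs are deleted.
    @(
        'net stop ntds',
        "ntdsutil `"activate instance ntds`" files `"compact to $CompactTo`" quit quit",
        "copy /y $CompactTo\ntds.dit <path from 'DSA Database file'>",
        'del <NTDS log folder>\*.log',
        'net start ntds'
    )
}

Get-DsHousekeepingInfo
Set-GarbageCollPeriod -Hours 24 -WhatIf
Get-OfflineDefragCommands
```

Compare NtdsDitSizeMB from the report with the free space ntdsutil reports after compaction; if the difference is small, the offline step (and the downtime it costs) is not worth repeating on that DC.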

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-
21. Backup Process
A.

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-
22. Dynamic Disk and Basic Disk
A. Microsoft Windows XP, Windows 2000 and Windows Server 2003 offer two types of disk storage: basic and dynamic.
Basic Disk Storage
Basic storage uses normal partition tables supported by MS-DOS, Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Me), Microsoft Windows NT, Microsoft Windows 2000, Windows Server 2003 and Windows XP. A disk initialized for basic storage is called a basic disk. A basic disk contains basic volumes, such as primary partitions, extended partitions, and logical drives.
Additionally, basic volumes include multidisk volumes that are created by using Windows NT 4.0 or earlier, such as volume sets, stripe sets, mirror sets, and stripe sets with parity. Windows XP does not support these multidisk basic volumes. Any volume sets, stripe sets, mirror sets, or stripe sets with parity must be backed up and deleted or converted to dynamic disks before you install Windows XP Professional.
Dynamic Disk Storage
Dynamic storage is supported in Windows XP Professional, Windows 2000 and Windows Server 2003. A disk initialized for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes, such as simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes. With dynamic storage, you can perform disk and volume management without the need to restart Windows.
Note: Dynamic disks are not supported on portable computers or on Windows XP Home Edition-based computers.
You cannot create mirrored volumes or RAID-5 volumes on Windows XP Home Edition, Windows XP Professional, or Windows XP 64-Bit Edition-based computers. However, you can use a Windows XP Professional-based computer to create a mirrored or RAID-5 volume on remote computers that are running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server, or the Standard, Enterprise and Datacenter editions of Windows Server 2003.
Storage types are separate from the file system type. A basic or dynamic disk can contain any combination of FAT16, FAT32, or NTFS partitions or volumes.
A disk system can contain any combination of storage types. However, all volumes on the same disk must use the same storage type.
To convert a Basic Disk to a Dynamic Disk:
Use the Disk Management snap-in in Windows XP/2000/2003 to convert a basic disk to a dynamic disk. To do this, follow these steps:
1. Log on as Administrator or as a member of the Administrators group.
2. Click Start, and then click Control Panel.
3. Click Performance and Maintenance, click Administrative Tools, and then double-click Computer Management. You can also right-click My Computer and choose Manage if you have My Computer displayed on your desktop.
4. In the left pane, click Disk Management.
5. In the lower-right pane, right-click the basic disk that you want to convert, and then click Convert to Dynamic Disk. You must right-click the gray area that contains the disk title on the left side of the Details pane.
6. Select the check box that is next to the disk that you want to convert (if it is not already selected), and then click OK.
7. Click Details if you want to view the list of volumes in the disk. Click Convert.
8. Click Yes when you are prompted to convert the disk, and then click OK.
Warning: After you convert a basic disk to a dynamic disk, local access to the dynamic disk is limited to Windows XP Professional, Windows 2000 and Windows Server 2003. Additionally, after you convert a basic disk to a dynamic disk, the dynamic volumes cannot be changed back to partitions. You must first delete all dynamic volumes on the disk and then convert the dynamic disk back to a basic disk. If you want to keep your data, you must first back up the data or move it to another volume.
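As an added example (not part of the original notes), this PowerShell script does the Disk Management procedure above from the command line: it inventories each disk as basic or dynamic, and converts a chosen basic disk to dynamic through a diskpart script only after a high-impact confirmation, because, as the warning says, the conversion cannot be undone without deleting the dynamic volumes. It assumes diskpart.exe (Windows XP and later), that WMI's Win32_DiskPartition reports dynamic-disk partitions with a Type beginning "Logical Disk Manager", and an elevated session; the disk index in the usage line is a placeholder.

```powershell
# Added example, not from the original notes. Assumes diskpart.exe, WMI (Windows XP or
# later) and an elevated session.
function Get-DiskStorageType {
    Get-WmiObject Win32_DiskDrive | ForEach-Object {
        $disk  = $_
        $parts = @(Get-WmiObject Win32_DiskPartition -Filter "DiskIndex=$($disk.Index)")
        # A basic disk carries ordinary MBR/GPT partitions; a dynamic disk carries an
        # LDM container, which WMI reports with a "Logical Disk Manager" partition type.
        $isDynamic = @($parts | Where-Object { $_.Type -like 'Logical Disk Manager*' }).Count -gt 0
        $storage   = if ($isDynamic) { 'Dynamic' } else { 'Basic' }
        [pscustomobject]@{
            Index      = $disk.Index
            Model      = $disk.Model
            SizeGB     = [math]::Round($disk.Size / 1GB, 1)
            Storage    = $storage
            HasBootPartition = @($parts | Where-Object { $_.BootPartition }).Count -gt 0
            Partitions = $parts.Count
        }
    }
}

function Convert-DiskToDynamic {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][int]$DiskIndex)
    $info = Get-DiskStorageType | Where-Object { $_.Index -eq $DiskIndex }
    if (-not $info) { throw "Disk $DiskIndex not found" }
    if ($info.Storage -eq 'Dynamic') { Write-Warning "Disk $DiskIndex is already dynamic"; return }
    $action = 'convert to dynamic (back up data first; not reversible without deleting the volumes)'
    # ConfirmImpact = High means this prompts by default; -WhatIf only shows the plan.
    if ($PSCmdlet.ShouldProcess("disk $DiskIndex ($($info.Model))", $action)) {
        # Same operation as "Convert to Dynamic Disk" in Disk Management.
        $script = "select disk $DiskIndex`r`nconvert dynamic`r`nexit"
        $tmp = [System.IO.Path]::GetTempFileName()
        Set-Content -Path $tmp -Value $script -Encoding ASCII
        & diskpart.exe /s $tmp
        Remove-Item $tmp
    }
}

Get-DiskStorageType | Format-Table -AutoSize
# Convert-DiskToDynamic -DiskIndex 1 -WhatIf
```

Keep the inventory output from before the conversion; HasBootPartition tells you which disk holds the system volume, and converting that one changes how the machine can be booted and which operating systems can read it, exactly as the warning in the answer states.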
Dynamic Storage Terms
A volume is a storage unit made from free space on one or more disks. It can be formatted with a file system and assigned a drive letter. Volumes on dynamic disks can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-5.
A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.
A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant.
A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0.
A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.
A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.
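As an added example (not part of the original notes), the PowerShell below works the parity rule that makes a RAID-5 volume fault-tolerant on constructed sample data: three data blocks are "striped" across three disks, the parity block is the byte-wise XOR of the three, and after any one disk is lost its block is rebuilt by XOR-ing the survivors. It models a single stripe with parity on a fixed disk; a real RAID-5 volume rotates the parity position across disks, and this is not the Windows LDM implementation.

```powershell
# Added example, not from the original notes. Pure PowerShell; no modules required.
function New-Raid5Stripe {
    param([Parameter(Mandatory)][byte[][]]$DataBlocks)   # one equal-length block per data disk
    $len    = $DataBlocks[0].Length
    $parity = New-Object byte[] $len
    foreach ($block in $DataBlocks) {
        if ($block.Length -ne $len) { throw 'all blocks in a stripe must be the same size' }
        # Parity is the XOR of every data block at the same offset.
        for ($i = 0; $i -lt $len; $i++) { $parity[$i] = $parity[$i] -bxor $block[$i] }
    }
    # Disks 0..n-1 hold data; the last disk holds the parity block for this stripe.
    return ,($DataBlocks + ,$parity)
}

function Restore-Raid5Block {
    param(
        [Parameter(Mandatory)][object[]]$Disks,   # full stripe, with $null where the disk failed
        [Parameter(Mandatory)][int]$FailedDisk
    )
    $survivors = @($Disks | Where-Object { $_ -ne $null })
    if ($survivors.Count -lt $Disks.Count - 1) { throw 'two missing disks in one stripe: unrecoverable' }
    $len = $survivors[0].Length
    $out = New-Object byte[] $len
    for ($d = 0; $d -lt $Disks.Count; $d++) {
        if ($d -eq $FailedDisk) { continue }
        # XOR is its own inverse: the missing block (data or parity alike) is the XOR
        # of every surviving block at the same offset.
        for ($i = 0; $i -lt $len; $i++) { $out[$i] = $out[$i] -bxor $Disks[$d][$i] }
    }
    return ,$out
}

# Constructed sample: three 4-byte data blocks for a 4-disk stripe (3 data + 1 parity).
$d0 = [byte[]](0x41, 0x42, 0x43, 0x44)
$d1 = [byte[]](0x10, 0x20, 0x30, 0x40)
$d2 = [byte[]](0xFF, 0x00, 0xFF, 0x00)
$stripe = New-Raid5Stripe -DataBlocks @($d0, $d1, $d2)

# Simulate losing disk 1 and rebuild its block from the other two data blocks and parity.
$degraded = @($stripe[0], $null, $stripe[2], $stripe[3])
$rebuilt  = Restore-Raid5Block -Disks $degraded -FailedDisk 1
'Rebuilt disk 1 matches original: {0}' -f (($rebuilt -join ',') -eq ($d1 -join ','))
```

The same arithmetic explains the cost in the answer: every write to a data block also requires the parity block to be read and rewritten, and while one disk is missing every read of its blocks needs all the other disks, which is why a second failure during the rebuild loses the volume.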
The system volume contains the hardware-specific files that are needed to load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can be, but does not have to be, the same as the boot volume.
The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
-
23. Open Manager(Dell) vs System Manager(HP)
A.
