
Technical Interview Questions Active Directory

1. What is Active Directory?
Ans:


Active Directory is the directory service used on Microsoft Windows servers and clients to store information about the objects on a network (users, computers, groups, printers, policies, trusts) and to make that information available to users, applications and administrators. Microsoft previewed it in 1996; it first shipped with Windows 2000.

Active Directory is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories. It is designed especially for distributed networking environments. Its features include:

- Support for the X.500 model for global directories
- The capability for secure extension of network operations to the Web
- A hierarchical organization that provides a single point of access for system administration (management of user accounts, clients, servers, and applications, for example) to reduce redundancy and errors
- An object-oriented storage organization, which allows easier access to information
- Support for the Lightweight Directory Access Protocol (LDAP) to enable inter-directory operability
- A design that is both backward compatible and forward compatible

2. What is a domain controller?
Ans: A domain controller is a Windows Server machine that runs Active Directory Domain Services. It holds a writable copy of its domain partition (a read-only one on an RODC), authenticates users and computers (Kerberos, NTLM) and answers LDAP queries for the domain.

3. What is a domain?
Ans: A domain is a namespace (for example corp.example.com, stored as DC=corp,DC=example,DC=com) and an administrative and replication boundary: a logical group of users, computers and groups that share one directory partition, one set of account policies and one DNS name. Several domains can form a forest, which is the real security boundary.

What is LDAP? Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.

Ans:
1. Active Directory directory service provides the means to manage the identities and relationships that make up network environments.
2. LDAP (Lightweight Directory Access Protocol) is a client-server protocol for accessing a directory service. Email clients and other programs use it to look up information from a directory server. A DC listens for it on TCP 389 (636 for LDAP over TLS) and a global catalog additionally on 3268 (3269 with TLS).
3. Yes. Examples are Novell eDirectory (formerly NDS) and the directories used by SAP, Lotus Domino and others, synchronized with AD through Microsoft Identity Integration Server (MIIS, later renamed ILM, FIM and MIM) or another metadirectory connector.
4. The database file is %SystemRoot%\NTDS\ntds.dit (DIT = Directory Information Tree).
5. Policies and scripts saved in the SYSVOL folder are replicated to all domain controllers in the domain. FRS (File Replication Service) replicated SYSVOL originally; from the Windows Server 2008 domain functional level onward DFS Replication (DFS-R) takes over.
6. Active Directory is divided into partitions (naming contexts):
   Schema partition: replicates to the entire forest
   Configuration partition: replicates to the entire forest
   Domain partition: replicates only within its domain
   Application partitions (Windows Server 2003 and later): replicate only to the DCs chosen for them
7. Global catalog: a role held by designated DCs that maintains a searchable index of objects. A GC holds full information about the objects in its own domain and a partial, read-only copy of the objects in every other domain of the forest. Universal group membership is stored in the global catalog and replicated to all GCs in the forest.

4. Where is the AD database held? What other folders are related to AD?
Ans:
The AD database (ntds.dit) is held in %SystemRoot%\NTDS by default; the actual path is recorded under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters ("DSA Database file" and "Database log files path"). Other files in that folder are the transaction log edb.log, the checkpoint file edb.chk and the reserved logs res1.log and res2.log (on Windows Server 2008 and later the reserved logs are edbres00001.jrs and edbres00002.jrs, and a temp.edb working file also exists). The other AD-related folder tree is SYSVOL (%SystemRoot%\SYSVOL).

5. What is the SYSVOL folder?
Ans:

SYSVOL (%SystemRoot%\SYSVOL\sysvol, shared as \\<domain>\SYSVOL, with the NETLOGON share pointing into it) is the folder tree on every domain controller that holds the file-system part of Group Policy (the policy templates under Policies\{GUID}) and logon scripts. It is replicated to every DC in the domain by FRS or, from the Windows Server 2008 domain functional level, by DFS-R. Because every authenticated user can read SYSVOL, nothing secret belongs in it: the passwords that Group Policy Preferences once stored there (the cpassword attribute in Groups.xml and similar files) could be decrypted by any domain user, which is why Microsoft removed that capability in MS14-025.

The AD database itself is saved in %SystemRoot%\NTDS. The main files controlling the AD structure are:

ntds.dit
edb.log
res1.log
res2.log
edb.chk

When a change is made to the database, triggering a write operation, AD records the transaction in the log file (edb.log) first. Once written to the log, the change is written to the database; system performance determines how quickly pages move from the log into ntds.dit. Any time the system is shut down cleanly, all outstanding transactions are flushed to the database. During the installation of AD, Windows creates two reserved files, res1.log and res2.log, 10 MB each, which guarantee that in-flight changes can still be written to disk if the volume runs out of free space. The checkpoint file (edb.chk) records which transactions have been committed to ntds.dit. During shutdown, a "shutdown" statement is written to edb.chk; on the next boot, AD uses it to determine that all transactions in edb.log have been committed. If edb.chk is missing or the shutdown statement is not present (after a crash), AD replays edb.log to bring the database up to date.
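The following PowerShell is an added example, not code from the original page: it answers questions 4 and 5 on a live domain controller by reading the database and SYSVOL locations from the registry instead of assuming them, and then runs the two checks a security reviewer would want on those folders (who can read the NTDS folder, and whether SYSVOL still carries Group Policy Preferences passwords). It must be run on a DC as an administrator; the XML file names and the SYSVOL share names are the standard ones.

```powershell
# Added example (not from the original page): locate ntds.dit, its ESE log
# files and the SYSVOL tree from the registry, then check their exposure.

$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $ntds.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logPath = $ntds.'Database log files path'    # e.g. C:\Windows\NTDS
$sysvol  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol

"Database : $dbFile"
"Log files in $logPath :"
Get-ChildItem -Path $logPath -Recurse -Include 'edb*','res*.log','temp.edb' |
    Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

"SYSVOL   : $sysvol"
Get-SmbShare -Name SYSVOL, NETLOGON | Select-Object Name, Path | Format-Table -AutoSize

# Check 1: the NTDS folder should be readable only by SYSTEM and Administrators.
# Anyone who can copy ntds.dit together with the SYSTEM registry hive can
# extract every password hash offline, so any other principal with access
# is a finding.
$dbDir = Split-Path -Path $dbFile -Parent
$acl   = Get-Acl -Path $dbDir
$unexpected = $acl.Access | Where-Object {
    $_.IdentityReference.Value -notmatch '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|CREATOR OWNER)$'
}
if ($unexpected) {
    Write-Warning "Unexpected ACEs on $dbDir :"
    $unexpected | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
} else {
    "ACL on $dbDir is limited to SYSTEM and Administrators."
}

# Check 2: SYSVOL is readable by every authenticated user, so it must never
# hold secrets. Group Policy Preferences stored an AES-encrypted password
# (cpassword="...") in these files with a publicly documented key (MS14-025);
# every hit below is a credential exposed to the whole domain.
$gppFiles = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
$hits = Get-ChildItem -Path $sysvol -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="[^"]+"'
if ($hits) {
    $hits | ForEach-Object { Write-Warning "GPP password found in $($_.Path)" }
} else {
    "No cpassword entries found under $sysvol."
}
```

Both checks are read-only. The second one is worth keeping in a scheduled job: GPP password entries reappear when old GPO backups are imported, and the file names above are the only places the attribute can live.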

6. Name the AD NCs and replication issues for each NC (Naming Context)
Ans:

Schema NC: replicated to every domain controller in the forest. It contains the Active Directory schema, which defines the object classes and attributes available in the directory. Only the schema master accepts writes to it, so a schema change is forest-wide and cannot be undone by replication.

Configuration NC: also replicated to every DC in the forest. It contains forest-wide configuration information about the physical layout of Active Directory (sites, subnets, site links, connection objects), as well as display specifiers and forest-wide Active Directory quotas.

Domain NC: replicated to every DC within a single Active Directory domain, and a partial attribute set of it to every global catalog in the forest. This is the NC that contains the most commonly accessed data: the actual users, groups, computers and other objects that reside within that domain.
7. What are application partitions? When do I use them?
Ans:

An application directory partition is a partition in Active Directory that an application can use to store its own data. It is replicated only to the domain controllers chosen for it, and it can contain any type of object except security principals (users, computers, groups). Only domain controllers running Windows Server 2003 or later can host a replica of an application directory partition. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition.

Application directory partitions are usually created by the applications that will use them to store and replicate data; the best-known examples are the ForestDnsZones and DomainDnsZones partitions that AD-integrated DNS uses, which is why DNS data no longer has to replicate to every DC in the domain. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions with the Ntdsutil command-line tool. One of the benefits of an application directory partition is that, for redundancy, availability or fault tolerance, its data can be replicated to a chosen set of domain controllers anywhere in the forest, not only within one domain.

8. How do you create a new application partition?
Ans:

For a DNS application partition the DnsCmd command is used. For example, to create a partition named NewPartition on the domain controller DC1.contoso.com, log on to the domain controller and type:

dnscmd DC1 /CreateDirectoryPartition NewPartition.contoso.com

For a general-purpose application partition use ntdsutil ("partition management" on Windows Server 2008 and later, "domain management" on Windows Server 2003): create nc dc=NewPartition,dc=contoso,dc=com DC1.contoso.com creates it on DC1, and add nc replica with the same partition name adds each further DC that should hold a copy.
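The following PowerShell is an added example, not code from the original page: it covers questions 6 to 8 together by creating an application partition with ntdsutil, adding a second replica, and then listing every naming context in the forest with its kind and replica set, read from the crossRef objects in the configuration partition. The partition name (Sensors) and the DC names (DC1, DC2 in corp.example.com) are assumptions; run it as an Enterprise Admin with the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original page): create an application partition,
# choose its replicas, and enumerate all naming contexts with their replicas.
Import-Module ActiveDirectory

$rootDse    = Get-ADRootDSE
$forestRoot = $rootDse.rootDomainNamingContext      # e.g. DC=corp,DC=example,DC=com
$newNc      = "DC=Sensors,$forestRoot"              # assumed partition name

# ntdsutil is the supported command-line way to create a general-purpose
# application partition (dnscmd only creates DNS partitions). "partition
# management" is the Windows Server 2008+ menu name; on 2003 it is
# "domain management". Requires Enterprise Admins.
& ntdsutil.exe 'partition management' "create nc $newNc DC1.corp.example.com" quit quit

# A second replica, so the data survives the loss of one DC.
& ntdsutil.exe 'partition management' "add nc replica $newNc DC2.corp.example.com" quit quit

# Every partition in the forest is registered as a crossRef object under
# CN=Partitions in the configuration NC. Schema, configuration and domain NCs
# replicate by their own rules and carry no msDS-NC-Replica-Locations;
# application NCs list exactly the DCs (as NTDS Settings DNs) that hold them.
$partitionsDn = "CN=Partitions,$($rootDse.configurationNamingContext)"
Get-ADObject -SearchBase $partitionsDn -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, 'msDS-NC-Replica-Locations' |
    ForEach-Object {
        $replicas = @($_.'msDS-NC-Replica-Locations')
        $kind = if ($replicas.Count -gt 0) { 'Application' }
                elseif ($_.nCName -eq $rootDse.schemaNamingContext) { 'Schema' }
                elseif ($_.nCName -eq $rootDse.configurationNamingContext) { 'Configuration' }
                else { 'Domain' }
        [pscustomobject]@{
            Partition = $_.nCName
            Kind      = $kind
            # "CN=NTDS Settings,CN=DC1,CN=Servers,..." -> "DC1"
            Replicas  = ($replicas | ForEach-Object { ($_ -split ',')[1] -replace '^CN=' }) -join ', '
        }
    } | Sort-Object Kind, Partition | Format-Table -AutoSize
```

The listing is also the quickest way to spot the two DNS partitions and any leftover application partition from a decommissioned product; a partition whose only replica is a DC that no longer exists has to be removed with remove nc replica before that DC's metadata can be cleaned up.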
9. How do you view replication properties for AD partitions and DCs?
Ans:
Open Active Directory Sites and Services, expand Sites > <site> > Servers > <DC> > NTDS Settings. The connection objects listed on the right are that DC's inbound replication links; their properties show the source DC, the transport and the partitions replicated, and you can change the schedule there or right-click one to run Replicate Now.

From the command line use repadmin (in the Support Tools on Windows Server 2003, built in from Windows Server 2008): repadmin /showrepl lists the partitions a DC holds and, per partition, every replication partner with the last success and failure; repadmin /replsummary gives a forest-wide overview. On Windows 2000/2003 you can also install Replication Monitor from the Support Tools, run it from the command line with the replmon command, add a DC, and it will show all partitions that DC holds and all replication partners for each partition.
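The following PowerShell is an added example, not code from the original page: it is the scriptable equivalent of the Sites and Services / replmon view, showing for every DC the partitions it replicates, its inbound partners and the last success per link, then the failures only, and finally the same data from repadmin's CSV output for environments without the AD module. It assumes the RSAT ActiveDirectory module and network reachability to each DC; no names are hard-coded.

```powershell
# Added example (not from the original page): replication status per DC,
# partition and partner, from the AD cmdlets and from repadmin.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

foreach ($dc in $dcs) {
    "`n== $($dc.HostName) (site $($dc.Site), GC=$($dc.IsGlobalCatalog)) =="
    # One row per (partition, inbound partner). Partner is the partner's
    # NTDS Settings DN, so the second RDN is the server name.
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartnerType Inbound |
        Select-Object Partition,
                      @{ n = 'From'; e = { ($_.Partner -split ',')[1] -replace '^CN=' } },
                      LastReplicationSuccess,
                      ConsecutiveReplicationFailures,
                      LastReplicationResult |
        Sort-Object Partition, From | Format-Table -AutoSize
}

# Failures only, forest-wide, with the error text. A link that has failed
# for longer than the tombstone lifetime can no longer be repaired safely:
# the lagging DC must be demoted and rebuilt, or it will reanimate deletions.
$failures = Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest
if ($failures) {
    $failures | Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError |
        Format-Table -AutoSize
} else {
    'No replication failures recorded.'
}

# Fallback without the module: repadmin /showrepl * /csv is parseable. The
# first column of the CSV header is literally "showrepl_COLUMNS".
$stale = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status', 'Last Success Time'
if ($stale) { $stale | Format-Table -AutoSize } else { 'repadmin reports no failing links.' }
```

Run it from a management host rather than on a DC; the cmdlets talk LDAP and RPC to each DC, so any DC that is unreachable from the host shows up as a failure of the script, not of replication, and should be checked with repadmin /showrepl locally.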
10. What is the Global Catalog?
Ans:


The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.


In addition to its configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition (read-only on an RODC). Therefore, a domain controller alone can locate only the objects in its own domain; locating an object in a different domain would require the user or application to know and supply that object's domain. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of every other domain directory partition in the forest. The additional domain directory partitions are partial because only a limited set of attributes (the partial attribute set, marked in the schema) is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server. Clients reach the global catalog through LDAP on port 3268 (3269 with TLS) instead of the domain-only port 389.
11. How do you view all the GCs in the forest?

Ans: Get-ADForest lists them in its GlobalCatalogs property, and Get-ADDomainController -Filter {IsGlobalCatalog -eq $true} shows them per domain; on Windows Server 2003, dsquery server -forest -isgc does the same from the command line. Independently of the directory, DNS shows them as the SRV records under _gc._tcp.<forest> (port 3268) and _ldap._tcp.gc._msdcs.<forest>, which is what clients and nltest /dsgetdc:<domain> /GC actually use. Without those tools you would need a script to make such a query, but the DNS check works everywhere.
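The following PowerShell is an added example, not code from the original page: it lists the global catalog servers of the forest three independent ways (forest object, per-DC flag, DNS SRV records) and reports any server that the directory and DNS disagree about, which is the condition that sends clients to a server that is not, or is no longer, a GC. It assumes the RSAT ActiveDirectory module and a DNS server that answers for the forest zone; no names are hard-coded.

```powershell
# Added example (not from the original page): enumerate GCs and cross-check
# the directory against what DNS advertises.
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. The forest object carries the authoritative list.
$fromForest = @($forest.GlobalCatalogs | ForEach-Object { $_.ToLower() } | Sort-Object)

# 2. Per-DC flag, queried in every domain (-Filter only covers one domain at a time).
$fromDcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $d |
        Select-Object -ExpandProperty HostName
}
$fromDcs = @($fromDcs | ForEach-Object { $_.ToLower() } | Sort-Object)

# 3. DNS: every GC registers _gc._tcp.<forest> (and _ldap._tcp.gc._msdcs.<forest>), port 3268.
$fromDns = @(Resolve-DnsName -Type SRV -Name "_gc._tcp.$($forest.Name)" |
    Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() } | Sort-Object)

"Forest object : $($fromForest -join ', ')"
"DC flags      : $($fromDcs -join ', ')"
"DNS SRV       : $($fromDns -join ', ')"

# A GC in the directory but not in DNS will never be found by clients; one in
# DNS but not in the directory is stale (demoted DC, or GC flag removed).
$diff = Compare-Object -ReferenceObject $fromForest -DifferenceObject $fromDns
if ($diff) {
    Write-Warning 'DNS and the directory disagree about which servers are GCs:'
    $diff | ForEach-Object {
        $where = if ($_.SideIndicator -eq '<=') { 'directory only' } else { 'DNS only' }
        "  $($_.InputObject)  ($where)"
    }
} else {
    'DNS matches the directory.'
}

# What a client actually does: ask the DC locator for a GC.
& nltest.exe "/dsgetdc:$($forest.RootDomain)" /GC
```

Stale SRV records are the usual cause of a mismatch; they are cleaned up by DNS scavenging or, for a dead DC, removed by hand during metadata cleanup.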
12. How do I install a replica domain controller from previously backed-up media on my Windows Server 2003 server?
13. What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
Ans: Install the replica DC from backup media ("Install from Media", IFM).

Windows Server 2003 added a feature that actually makes life easier: you can promote a domain controller using files backed up from a source domain controller. The feature is called "Install from Media" and is enabled by running DCPROMO with the /adv switch. It is not a replacement for network replication (network connectivity to an existing DC is still required), but the first, bulk replication of the database is read from the restored System State copy instead of being pulled across the network, which saves time and WAN bandwidth; only the changes made since the backup are replicated over the link. What you do is back up the System State of an existing domain controller, restore that backup to your replica candidate, and run DCPromo /adv to tell it to source from local media rather than from a network source. This also works for global catalogs: if you back up a global catalog server, the DC promoted from that media can become a global catalog without pulling the partial replicas over the wire. (Windows Server 2008 and later replace the NTBACKUP step with ntdsutil ifm, and Windows Server 2012 replaces dcpromo with Install-ADDSDomainController -InstallationMediaPath.)

IFM limitations:
It only works for the same domain: you cannot back up a domain controller in domain A and create a new domain B from that media.
It is only usable for as long as the tombstone lifetime: 60 days by default in forests created on Windows 2000 or Windows Server 2003 RTM, 180 days in forests created on Windows Server 2003 SP1 or later. An older backup cannot be used, because it would reanimate objects that were deleted after the backup was taken.
The media contains the entire directory database, including every account's password hashes, so it must be protected and transported like a domain controller and destroyed after use.

To back up the System State on an existing domain controller:
1. To start Backup, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.
2. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or go to the next step to work in Advanced Mode.
3. Click the Advanced Mode link on the Backup or Restore Wizard.
4. Click the Backup tab, then select the box next to System State and any other items you would like to back up.

To restore the System State on the future domain controller:
1. Copy the backed-up System State file from the first DC to the server where you want to perform the process. You can copy the file over the network, burn it to CD, or restore it on the original DC with the restore path pointing to a mapped network drive that is a shared folder on the prospective new DC.
2. Run NTBACKUP from the Run menu. Click the Restore tab, then select the box next to System State.
3. In the "Restore files to" box select "Alternate Location". In the "Alternate Location" box type your designated restore path, a folder on one of your hard disks (C:\Backup, for example). Click Start Restore.
4. A warning window will appear. Click OK.
5. A Confirm Restore window will appear. Click OK.
6. A Restore Progress window will appear. Let it finish, then click Close.

14. Why not make all DCs in a large forest GCs?
Ans:

The reason all DCs are not GCs by default is that in a large (or giant) forest every DC would then have to hold a partial replica of every object in every domain of the forest, which can be a great deal of data and a considerable replication burden, especially over poor WAN links. For a few hundred or even a few thousand users it is unlikely to matter, and in a single-domain forest it is normal practice to make every DC a GC. There is no limit of one GC per forest; by default the first domain controller of the forest is a GC, and each site should normally have at least one so that logons (which need universal group membership from a GC) do not depend on the WAN.

The other consideration is the Infrastructure Master operations master of each domain. It keeps cross-domain group memberships up to date by comparing its domain's data with a GC, which has the replicated, up-to-date information. If the Infrastructure Master is itself a GC while other DCs in its domain are not, it never sees anything out of date and stops updating those references; so either keep the role off GCs or make every DC in the domain a GC, in which case the role has nothing left to do.

Related notes: the Schema management snap-in is not present in Administrative Tools by default. Register it from a command prompt with regsvr32 schmmgmt.dll, then run mmc.exe, choose File > Add/Remove Snap-in, add Active Directory Schema, click OK and Finish, and save the console. The Support Tools (diagnostics for network connectivity and many other functions) are installed from the Windows Server 2003 CD under \Support\Tools by running suptools.msi. replmon monitors replication traffic. netdom is the command-line tool for renaming a domain controller (netdom computername); this works only at the Windows Server 2003 domain functional level or higher.
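The following PowerShell is an added example, not code from the original page: it performs the placement check the answer above describes. For every domain it lists the DCs with their GC flag and FSMO roles, then applies the rule that the Infrastructure Master must not be a GC unless every writable DC in the domain is one, and finally reports sites that have no GC at all. It assumes the RSAT ActiveDirectory module; no names are hard-coded.

```powershell
# Added example (not from the original page): infrastructure master vs. GC
# placement, and sites without a GC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$allDcs = @()

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $allDcs += $dcs

    "`n== $domainName =="
    $dcs | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly,
        @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ',' } } |
        Format-Table -AutoSize

    # The rule: IM on a GC is harmless only if every writable DC is a GC.
    $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog -and -not $_.IsReadOnly })
    if ($allGc) {
        'All writable DCs are GCs; infrastructure master placement does not matter.'
    } elseif ($im.IsGlobalCatalog) {
        Write-Warning ("{0} holds the infrastructure master role and is a GC while other DCs are not: " +
                       "cross-domain group references will stop being updated. Move the role " +
                       "(Move-ADDirectoryServerOperationMasterRole) or make every DC a GC.") -f $im.HostName
    } else {
        "Infrastructure master $($im.HostName) is not a GC: OK."
    }
}

# Sites without any GC force every logon in that site across the WAN for
# universal group expansion (unless universal group membership caching is on).
$gcSites = @($allDcs | Where-Object IsGlobalCatalog | Select-Object -ExpandProperty Site | Sort-Object -Unique)
Get-ADReplicationSite -Filter * | Where-Object { $_.Name -notin $gcSites } |
    ForEach-Object { Write-Warning "Site $($_.Name) has no GC." }
```

For a site that legitimately cannot host a GC (a branch with one small DC), the alternative the warning alludes to is enabling universal group membership caching on the site's NTDS Site Settings object rather than promoting the DC to GC.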
15. What are the Support Tools? Why do I need them?
Ans:

The Windows Support Tools are the diagnostic and low-level administration tools shipped on the Windows 2000 and Windows Server 2003 CD (\Support\Tools) that are not installed by default; they make the complicated tasks (replication diagnosis, metadata and ACL repair, trust and SPN management) manageable. Most of them are built into Windows Server 2008 and later or come with RSAT. They are:

Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
16. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
Ans:

What is LDP?
LDP (ldp.exe) is the graphical LDAP client from the Support Tools (built into Windows Server 2008 and later). It connects and binds to any LDAP server, including a DC on port 389, 636 (LDAPS) or a global catalog on 3268/3269, and lets you browse the tree, run arbitrary searches and view or modify attributes, including the ones the MMC consoles hide. The protocol it speaks is LDAP:

The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying directory services over TCP/IP. A directory is a set of objects with attributes organized in a logical and hierarchical manner. The most common example is the telephone directory, which consists of a series of names (of persons or organizations) organized alphabetically, with each name having an address and phone number attached. An LDAP directory tree often reflects political, geographic and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use DNS names for structuring the topmost levels of the hierarchy (Active Directory maps the domain corp.example.com to DC=corp,DC=example,DC=com). Deeper inside the directory are entries representing people, organizational units, printers, documents, groups of people, or anything else that represents a given tree entry (or multiple entries). The current version is LDAPv3, specified in a series of IETF Standards Track RFCs starting with RFC 4510. LDAP also determines how an object in Active Directory is named: every object has a distinguished name (DN) built from its own relative name and those of the containers above it.

LDAP directories are designed to support a high volume of queries against data that does not change very often. It works on port 389 (636 for LDAP over TLS). LDAP is sometimes known as "X.500 Lite". X.500 is the international standard for directories and is full-featured, but it is also complex, requiring a lot of computing resources and the full OSI stack. LDAP, in contrast, runs over TCP/IP on an ordinary PC. LDAP can access X.500 directories but does not support every capability of X.500. A simple bind sends the password in clear text, so a DC should require LDAP signing (or LDAPS) and clients should bind with Negotiate (Kerberos).

What is REPLMON?
Replmon (Active Directory Replication Monitor) was the graphical replication troubleshooting tool in the Windows 2000/2003 Support Tools and the first tool to reach for on those versions. Because it is graphical, replication issues are easy to see and somewhat easier to diagnose than with its command-line counterparts: you add a DC and it shows all partitions that DC holds, every replication partner for each partition, and the last success and failure per link. It was discontinued after Windows Server 2003; on later versions use repadmin and the AD replication PowerShell cmdlets (Get-ADReplicationPartnerMetadata, Get-ADReplicationFailure).

What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. Administrators can use it for adding, deleting and moving objects in any partition (including the configuration and schema partitions that the normal consoles do not show) and for editing or clearing any attribute of an object, including its security descriptor. It uses the ADSI application programming interfaces to access Active Directory. The required files are ADSIEDIT.DLL and ADSIEDIT.MSC; it is part of the Support Tools on Windows Server 2003 and built in from Windows Server 2008, and it needs MMC and a connection to an Active Directory environment. Because it validates nothing beyond what the schema enforces, a typo can break replication or authentication; treat it like a registry editor for the directory.

What is NETDOM?
NETDOM is a command-line tool for managing Windows domains and trust relationships: batch management of trusts, joining computers to domains, verifying trusts and secure channels. It is built into Windows Server 2008 (available when the AD DS role is installed) and must be run from an elevated command prompt (click Start, right-click Command Prompt, and then click Run as administrator). You can use netdom to:

Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008, Windows Server 2003, Windows 2000 or Windows NT 4.0 domain, with options to specify the organizational unit (OU) for the computer account and to generate a random computer password for the initial join.

Manage computer accounts for domain member workstations and member servers (add, remove, query), specify the OU for the account, and move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the account.

Establish one-way or two-way trust relationships between domains, including: from a Windows 2000, Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0 domain; from a Windows 2000/2003/2008 domain to a Windows 2000/2003/2008 domain in another enterprise; between two Windows 2000/2003/2008 domains in an enterprise (a shortcut trust); and the Windows half of an interoperable Kerberos realm trust.

Verify or reset the secure channel for member workstations and servers, backup domain controllers (BDCs) in a Windows NT 4.0 domain, and specific Windows 2000/2003/2008 replicas.

Manage trust relationships between domains: enumerate trust relationships (direct and indirect), and view and change some attributes on a trust.

Syntax:

NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
NetDom help <Operation>

What is REPADMIN?
Repadmin (repadmin.exe) is the command-line replication diagnostics tool. It shows the replication topology as each DC sees it (repadmin /showrepl), summarizes failures across the forest (repadmin /replsummary), forces replication (repadmin /syncall, repadmin /replicate), triggers the KCC (repadmin /kcc) and reports the ISTG of each site (repadmin /istg). It is in the Support Tools on Windows Server 2003 and built into Windows Server 2008 and later.
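The following PowerShell is an added example, not code from the original page: it does from a script what ldp.exe does interactively, using the .NET LDAP client. It binds to a DC with signing and sealing, reads rootDSE, and then searches the global catalog port for an account anywhere in the forest. The part interview answers tend to skip is the filter escaping: a value copied into an LDAP filter unescaped turns a lookup into an LDAP injection. The DC name (dc1.corp.example.com) and the account name searched for are assumptions.

```powershell
# Added example (not from the original page): LDAP bind, rootDSE read and a
# global catalog search, with RFC 4515 filter escaping.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Ldap {
    param([string]$Server, [int]$Port = 389)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Kerberos/NTLM via Negotiate with integrity and confidentiality on the
    # session: no clear-text password, and it works against DCs that require
    # LDAP signing (which they should).
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()
    $conn
}

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value placed inside a filter. Backslash first,
    # so the escape sequences added afterwards are not escaped again.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-LdapEntries {
    param($Conn, [string]$BaseDn, [string]$Filter, [string[]]$Attrs,
          [System.DirectoryServices.Protocols.SearchScope]$Scope = 'Subtree')
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $Filter, $Scope, $Attrs)
    $resp = $Conn.SendRequest($req)
    foreach ($e in $resp.Entries) {
        $o = [ordered]@{ dn = $e.DistinguishedName }
        foreach ($a in $Attrs) {
            if ($e.Attributes.Contains($a)) { $o[$a] = ($e.Attributes[$a].GetValues([string])) -join '; ' }
        }
        [pscustomobject]$o
    }
}

# rootDSE: empty base DN, base scope. This is what ldp.exe prints on connect.
$dc = Connect-Ldap -Server 'dc1.corp.example.com'
Get-LdapEntries -Conn $dc -BaseDn '' -Filter '(objectClass=*)' -Scope Base `
    -Attrs 'defaultNamingContext', 'rootDomainNamingContext', 'namingContexts', 'isGlobalCatalogReady' |
    Format-List
$dc.Dispose()

# Forest-wide lookup goes to the GC port; the answer carries only the partial
# attribute set but a DN for every match, whatever domain it lives in.
$gc  = Connect-Ldap -Server 'dc1.corp.example.com' -Port 3268
$sam = ConvertTo-LdapFilterValue 'j.smith*'   # the '*' is escaped: literal match, not a wildcard
Get-LdapEntries -Conn $gc -BaseDn '' -Filter "(&(objectCategory=person)(sAMAccountName=$sam))" `
    -Attrs 'sAMAccountName', 'userPrincipalName' | Format-Table -AutoSize
$gc.Dispose()
```

If the bind fails with "strong authentication required", the DC enforces signing and something in the chain downgraded to a simple bind; that is the DC doing its job, not a bug to work around by switching AuthType to Basic.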


17. What are sites? What are they used for?
Ans:

A: One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.

B: A Site object in Active Directory represents a physical location that hosts networks. Sites contain Subnet objects, which map client and DC IP addresses to the site. Sites are used to assign Group Policy Objects, to let clients discover nearby resources (DCs, GCs, DFS targets), to manage Active Directory replication, and to manage network link traffic. Sites are connected to other sites by Site Links; a site link carries a cost value representing the speed, reliability, availability or other real property of the physical link, and may also be assigned a replication schedule.
18. What's the difference between a site link's schedule and interval?
Ans:

The schedule lists the weekdays and hours during which the site link is available for replication. The interval is the polling frequency of inter-site replication within that window, in minutes; it ranges from 15 to 10,080 (one week), and the default is 180. Any time two networks are separated by links that are heavily used during parts of the day and idle during other parts, put those networks into separate sites; you can then use the schedule to stop replication traffic from competing with other traffic during high-usage hours.

In simple words, the schedule is when you allow replication to happen; the interval is how often, within that schedule, the DCs poll each other for changes. With a schedule of 9:00 AM to 1:00 PM and an interval of 15 minutes, replication polling occurs every 15 minutes between 9:00 AM and 1:00 PM and not at all outside that window.
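The following PowerShell is an added example, not code from the original page: it builds the topology described in questions 17 and 18 (two sites, their subnets, and a site link with a cost, a 15-minute interval and a schedule that permits replication only between 20:00 and 06:00). Site names (HQ, Branch), subnets and the link name are assumptions; it needs the RSAT ActiveDirectory module and Enterprise Admins rights.

```powershell
# Added example (not from the original page): sites, subnets and a site link
# with cost, replication interval and an overnight replication schedule.
Import-Module ActiveDirectory

# Sites, and the subnets that map DCs and clients to them. A DC whose address
# falls in no subnet ends up in Default-First-Site-Name, and clients in an
# unmapped subnet are sent to whichever DC the locator picks.
New-ADReplicationSite -Name 'HQ'
New-ADReplicationSite -Name 'Branch'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'HQ'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Branch'

# Site link: cost is relative (lower wins when the ISTG chooses routes); the
# interval is the polling frequency inside the schedule window (15..10080 min).
New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ', 'Branch' `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15

# Schedule: a 7-day x 24-hour bitmap in 15-minute slots. ResetSchedule clears
# every slot; SetDailySchedule opens a range on every weekday and cannot wrap
# midnight, so 20:00-06:00 is two calls.
$ns = 'System.DirectoryServices.ActiveDirectory'
$schedule = New-Object "$ns.ActiveDirectorySchedule"
$schedule.ResetSchedule()
$schedule.SetDailySchedule([Enum]::Parse("$ns.HourOfDay", 'Twenty'),     [Enum]::Parse("$ns.MinuteOfHour", 'Zero'),
                           [Enum]::Parse("$ns.HourOfDay", 'TwentyThree'), [Enum]::Parse("$ns.MinuteOfHour", 'FortyFive'))
$schedule.SetDailySchedule([Enum]::Parse("$ns.HourOfDay", 'Zero'),       [Enum]::Parse("$ns.MinuteOfHour", 'Zero'),
                           [Enum]::Parse("$ns.HourOfDay", 'Six'),        [Enum]::Parse("$ns.MinuteOfHour", 'Zero'))
Set-ADReplicationSiteLink -Identity 'HQ-Branch' -ReplicationSchedule $schedule

# Verify what was written.
Get-ADReplicationSiteLink -Identity 'HQ-Branch' -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-List
```

The interval only matters inside the schedule window: with the values above, the Branch DC polls HQ every 15 minutes overnight and not at all during the day, so a change made at 09:00 reaches the branch at 20:00 at the earliest. Urgent replication (account lockouts, password changes to the PDC emulator) ignores the schedule.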
19. What is the KCC?
Ans:

KCC stands for Knowledge Consistency Checker. It is a process that runs on every domain controller (every 15 minutes by default) and builds that DC's replication topology: it reads the site, subnet and site-link objects in the configuration partition and creates, checks and, where needed, re-creates the connection objects (inbound replication links) for the DC. Within a site it builds a bidirectional ring with extra shortcuts so that no DC is more than three hops from any other; between sites that work is delegated to the ISTG. Connection objects created by hand are left alone by the KCC. It can be run immediately with repadmin /kcc.

20. What is the ISTG? Who has that role by default?
Ans:

The Intersite Topology Generator (ISTG) is the one domain controller per site whose KCC is responsible for the inter-site connections of that site: it chooses which DCs in the site act as bridgehead servers and creates the connection objects between them and the bridgeheads of other sites, following site-link costs and schedules. The role exists in every site regardless of functional level; at the Windows Server 2003 forest functional level the ISTG uses an improved spanning-tree algorithm that scales to many more sites. By default the first domain controller installed in a site becomes its ISTG. The ISTG periodically writes to the interSiteTopologyGenerator attribute of the site's NTDS Site Settings object; if it stops doing so because the server is no longer available, the domain controller with the next-highest GUID in the site takes over the role. repadmin /istg lists the current holder for each site.
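The following PowerShell is an added example, not code from the original page: it shows what the KCC and ISTG produced. Per site it reads the interSiteTopologyGenerator attribute of the NTDS Site Settings object, then lists every connection object with its source and destination and whether the KCC generated it (hand-made connections survive KCC runs and are a common cause of stale topologies), and finally cross-checks with repadmin and forces a KCC pass. It assumes the RSAT ActiveDirectory module; no names are hard-coded.

```powershell
# Added example (not from the original page): ISTG per site, connection
# objects with their origin, and a forced KCC run.
Import-Module ActiveDirectory

$cfg = (Get-ADRootDSE).configurationNamingContext

# "CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,..." -> "DC1"; also works for
# "CN=NTDS Site Settings,CN=HQ,CN=Sites,..." -> "HQ".
function Get-SecondRdn([string]$Dn) { ($Dn -split ',')[1] -replace '^CN=' }

# ISTG per site: the attribute holds the NTDS Settings DN of the ISTG.
Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=nTDSSiteSettings)' `
    -Properties interSiteTopologyGenerator |
    Select-Object @{ n = 'Site'; e = { Get-SecondRdn $_.DistinguishedName } },
                  @{ n = 'ISTG'; e = { if ($_.interSiteTopologyGenerator) { Get-SecondRdn $_.interSiteTopologyGenerator } else { '(none)' } } } |
    Format-Table -AutoSize

# Connection objects are the KCC's output. AutoGenerated=False means someone
# created the link by hand in Sites and Services; the KCC will never remove
# it, even when the topology it was made for no longer exists.
Get-ADReplicationConnection -Filter * -Properties AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    Select-Object Name, AutoGenerated,
                  @{ n = 'From'; e = { Get-SecondRdn $_.ReplicateFromDirectoryServer } },
                  @{ n = 'To';   e = { Get-SecondRdn $_.ReplicateToDirectoryServer } } |
    Sort-Object To, From | Format-Table -AutoSize

# repadmin's view of the ISTGs, then a KCC run on the local DC now instead of
# waiting for the 15-minute cycle (harmless: it only recomputes connections).
& repadmin.exe /istg
& repadmin.exe /kcc
```

A site whose ISTG column reads "(none)" has no DC that is writing the attribute; if the site does have DCs, that usually means their KCCs are failing and repadmin /kcc on one of them will show why.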
21. What are the requirements for installing AD on a new server?
Ans:

An NTFS partition with enough free space (250 MB minimum on Windows 2000/2003)
An administrator's username and password
The correct operating system version (a server edition)
A NIC
Properly configured TCP/IP (static IP address, subnet mask and, optionally, a default gateway)
A network connection (to a switch or hub, or to another computer via a crossover cable)
An operational DNS server that supports SRV records and dynamic updates (it can be installed on the DC itself)
The domain name that you want to use
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

A domain controller is a tier-0 system: everything in the domain trusts it, so it should run no other roles or applications and should be administered only from trusted hosts.

System requirements

The following are the estimated system requirements for Windows Server 2008. If your computer has less than the minimum requirements, you will not be able to install the product correctly. Actual requirements vary with your system configuration and the applications and features you install.

Processor

Processor performance depends not only on the clock frequency of the processor, but also on the number of processor cores and the size of the processor cache. The processor requirements for this product are:

Minimum: 1 GHz (for x86 processors) or 1.4 GHz (for x64 processors)
Recommended: 2 GHz or faster
Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-Based Systems.

RAM

The RAM requirements for this product are:

Minimum: 512 MB
Recommended: 2 GB or more
Maximum (32-bit systems): 4 GB (Windows Server 2008 Standard) or 64 GB (Windows Server 2008 Enterprise or Datacenter)
Maximum (64-bit systems): 32 GB (Windows Server 2008 Standard) or 1 TB (Windows Server 2008 Enterprise or Datacenter) or 2 TB (Windows Server 2008 for Itanium-Based Systems)

Disk space requirements

The following are the approximate disk space requirements for the system partition. Itanium-based and x64-based operating systems will vary from these estimates. Additional disk space may be required if you install the system over a network.

Minimum: 10 GB
Recommended: 40 GB or more
Note: Computers with more than 16 GB of RAM will require more disk space for paging, hibernation and dump files.

Other requirements

DVD-ROM drive
Super VGA (800 x 600) or higher-resolution monitor
Keyboard and Microsoft mouse (or other compatible pointing device)

22. What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
Ans:

Use Install from Media, first available in Windows Server 2003: create a copy of the System State from an existing DC, copy it to the new remote server, and run "dcpromo /adv"; the wizard then prompts for the location of the restored System State files. In detail:

Back up the System State on an existing DC:
1. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in wizard mode, click the Advanced Mode hyperlink.)
2. On the Backup tab, select the System State check box in the left pane. Do not back up the file-system part of the SYSVOL tree separately from the System State backup.
3. In the "Backup media or file name" box, specify the drive, path and file name of the System State backup; NTBACKUP uses the .bkf extension.

Restore the System State on the target computer:
1. Log on to the Windows Server 2003-based computer that you want to promote. You must be a member of the local Administrators group on this computer.
2. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in wizard mode, click the Advanced Mode hyperlink.)
3. In the Backup utility, click the Restore and Manage Media tab. On the Tools menu, click "Catalog a backup file...", locate the .bkf file that you created earlier, and click OK.
4. Expand the contents of the .bkf file and select the System State check box.
5. In "Restore files to:", click Alternate Location. Type the logical drive and path to restore to, for example X:\Ntdsrestore, where X is the logical drive that will ultimately host the Active Directory database when the member computer is promoted. The final location of the database is selected when you run the Active Directory Installation Wizard; that folder must be different from the folder that contains the restored System State.

Promote the additional domain controller:
1. Verify that the server to be promoted has DNS name resolution and network connectivity to existing domain controllers in the target domain.
2. Click Start, click Run, type dcpromo /adv, and then click OK.
3. Click Next to bypass the Welcome to the Active Directory Installation Wizard and Operating System Compatibility pages.
4. On the Domain Controller Type page, click "Additional domain controller for an existing domain", and then click Next.
5. On the Copying Domain Information page, click "From these restored backup files:", type the logical drive and path of the alternate location where the System State backup was restored, and click Next.
6. In Network Credentials, type the user name, password and domain name of an account that is a member of the Domain Admins group of the domain you are promoting into.
7. Continue with the remainder of the Active Directory Installation Wizard pages as you would for the standard promotion of an additional domain controller.
8. After the SYSVOL tree has replicated in and the SYSVOL share exists, delete the restored System State files and folders: they contain the full directory database, including password hashes.
23. How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
Ans:

Demote the server with dcpromo /forceremoval (on Windows Server 2012 and later, Uninstall-ADDSDomainController -ForceRemoval), then remove the metadata of the dead DC from Active Directory with ntdsutil as shown below, and clean up its DNS records, its server object in the site and its computer account; if it held any operations master role, seize that role on a surviving DC.

Plain-text passwords are not stored in the database (unless "Store password using reversible encryption" is enabled for an account). What ntds.dit does store is every account's NT hash and Kerberos keys, encrypted with a key that lives in the SYSTEM registry hive of the same machine; anyone who can copy both files, that is a Domain Admin, a Backup Operator, or whoever holds a DC backup or IFM media, can decrypt those hashes and use them directly. So you cannot read passwords from AD, but DC-level access yields their equivalent, which is why DC backups must be protected like the DC itself. Legitimate administrators never need to: they reset passwords instead.

Another way out, if dcpromo /forceremoval itself fails (unsupported, last resort):
1. Restart the DC in Directory Services Restore Mode (DSRM).
2. Locate the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions.
3. In the right pane, double-click ProductType, type ServerNT in the Value data box, and click OK.
4. Restart the server in normal mode.

It is a member server now, but its AD entries are still there. Promote the server to a throw-away domain (say ABC.com) and then remove it gracefully with dcpromo, so that the remaining objects are cleaned up.

Why the cleanup is needed: when you try to remove a domain controller from your Active Directory domain with Dcpromo.exe and it fails, or when you begin to promote a member server to a domain controller and the promotion fails (the reasons for the failure do not matter here), you are left with remains of the DC's objects in Active Directory. As part of a successful demotion, the Dcpromo wizard removes the configuration data for the domain controller from Active Directory, but a failed attempt might leave these objects in place. The effects of leaving such remains vary, but one thing is sure: whenever you try to reinstall the server with the same computer name and promote it again, you will fail, because Dcpromo will find the old object and refuse to re-create the objects for the new-old server. If the NTDS Settings object was not removed correctly you can use Ntdsutil.exe to remove it manually. If you give the new domain controller the same name as the failed computer, you need perform only the first procedure (metadata cleanup), which removes the NTDS Settings object of the failed domain controller. If you give the new domain controller a different name, perform all three procedures: clean up the metadata, remove the failed server object from the site, and remove the computer object from the Domain Controllers container. You will need Ntdsutil.exe, Active Directory Sites and Services and Active Directory Users and Computers, and an account that is a member of the Enterprise Admins universal group. On Windows Server 2008 and later, deleting the DC's NTDS Settings object in Active Directory Sites and Services (or its computer object in Active Directory Users and Computers) runs the metadata cleanup for you.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

To clean up metadata:

1. At the command line, type ntdsutil and press ENTER.

C:\WINDOWS>ntdsutil
ntdsutil:

2. At the ntdsutil: prompt, type metadata cleanup and press ENTER.

ntdsutil: metadata cleanup
metadata cleanup:

3. At the metadata cleanup: prompt, type connections and press ENTER.

metadata cleanup: connections
server connections:

4. At the server connections: prompt, type connect to server <servername>, where <servername> is any functional domain controller in the same domain, from which you plan to clean up the metadata of the failed domain controller. Press ENTER.

server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:

Note: Windows Server 2003 Service Pack 1 eliminates the need for this step; its ntdsutil binds to a domain controller by itself.

5. Type quit and press ENTER to return to the metadata cleanup: prompt.

server connections: q
metadata cleanup:

6. Type select operation target and press ENTER.

metadata cleanup: select operation target
select operation target:

7. Type list domains and press ENTER. This lists all domains in the forest with a number associated with each.

select operation target: list domains
Found 1 domain(s)
0 - DC=dpetri,DC=net
select operation target:

8. Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press ENTER.

select operation target: select domain 0
No current site
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:

9. Type list sites and press ENTER.

select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:

10. Type select site <number>, where <number> refers to the number of the site in which the domain controller was a member. Press ENTER.

select operation target: select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:

11. Type list servers in site and press ENTER. This lists all servers in that site with a corresponding number.

select operation target: list servers in site
Found 2 server(s)
0 - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
1 - CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:

12. Type select server <number>, where <number> refers to the domain controller to be removed, and press ENTER.

select operation target: select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
Server - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
DSA object - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
DNS host name - server200.dpetri.net
Computer object - CN=SERVER200,OU=Domain Controllers,DC=dpetri,DC=net
No current Naming Context
select operation target:

13. Type quit and press ENTER. The metadata cleanup menu is displayed.

select operation target: q
metadata cleanup:

14. Type remove selected server and press ENTER. You will receive a warning message. Read it, and if you agree, click Yes.
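The result of the procedure can be verified (and, on Windows Server 2003 SP1 and later, the whole interactive session can be scripted) from PowerShell. The following is an added example, not part of the original answer or of Microsoft's documentation; it assumes the RSAT ActiveDirectory module and reuses the SERVER200 / dpetri.net names from the transcript above. It lists every object the three procedures are meant to remove, so an empty result after cleanup is the confirmation you want:

```powershell
# Added example: find what a failed DC left behind in the directory.
# Requires the RSAT ActiveDirectory module; run as a member of Enterprise Admins.
Import-Module ActiveDirectory

function Get-StaleDcObject {
    param([Parameter(Mandatory)][string]$DcName)

    $root = Get-ADRootDSE
    $cfg  = $root.configurationNamingContext
    $dom  = $root.defaultNamingContext

    # Escape LDAP filter metacharacters (backslash first) so an odd name cannot alter the query.
    $name = $DcName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # 1. Server object under CN=Sites and its NTDS Settings (nTDSDSA) child:
    #    this is what "remove selected server" deletes.
    Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter "(&(objectClass=server)(cn=$name))" |
        ForEach-Object {
            $_
            Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
        }

    # 2. Computer account in the Domain Controllers container.
    Get-ADObject -SearchBase "OU=Domain Controllers,$dom" -LDAPFilter "(&(objectClass=computer)(cn=$name))"

    # 3. SYSVOL replication membership: FRS (Windows 2000/2003) or DFSR (2008 and later).
    Get-ADObject -SearchBase "CN=System,$dom" -LDAPFilter "(&(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))(cn=$name))"
}

$remains = @(Get-StaleDcObject -DcName 'SERVER200')
if ($remains.Count -eq 0) {
    'Nothing left for SERVER200; metadata cleanup is complete.'
} else {
    'Objects still present for SERVER200:'
    $remains | ForEach-Object { '  ' + $_.DistinguishedName }
}

# On Windows Server 2003 SP1 and later the interactive session above collapses to one command
# (the argument is the server DN shown by "list servers in site"):
#   ntdsutil "metadata cleanup" "remove selected server CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net" quit quit
```

Run the check after the cleanup, then remove any of the dead controller's DNS records that remain (its host A record and the _msdcs SRV/CNAME records), which ntdsutil does not touch.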
24.

What tool would I use to try to grab security related packets from the wire? Ans
A packet sniffer (network protocol analyzer). Ethereal, now called Wireshark, is a good choice; tcpdump (WinDump on Windows) and Microsoft Network Monitor are command-line and Microsoft alternatives. Because the same tools let an intruder snoop on the wire, sniffer-detecting tools are worth deploying too.

25.

Name some OU design considerations. Ans

OU design requires balancing requirements for delegating administrative rights independent of Group Policy needs - and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:

Applying Group Policy: An OU is the lowest-level Active Directory container to which you can link Group Policy objects. Delegating administrative authority: keep the hierarchy shallow; delegation designs usually don't go more than three OU levels deep.

26.

What is tombstone lifetime attribute? Ans

The number of days before a deleted object (a tombstone) is removed from the directory. This allows the deletion to replicate to every domain controller and prevents a restore from reintroducing a deleted object: a backup older than the tombstone lifetime must not be restored. The value is the tombstoneLifetime attribute of the Directory Service object in the Configuration naming context (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...). By default it is 60 days for Windows 2000 and Windows Server 2003 forests, and 180 days for forests created with Windows Server 2003 SP1 or later (upgraded forests keep 60 days).
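A practitioner wants two numbers next to each other here: the forest's tombstone lifetime and the age of the oldest successful replication, because a domain controller that has been unreachable for longer than the tombstone lifetime can reintroduce deleted objects (lingering objects) when it comes back, just as a too-old backup would. The following is an added example using the RSAT ActiveDirectory module, not part of the original answer; Get-ADReplicationPartnerMetadata needs the Windows Server 2012 or later module:

```powershell
# Added example: tombstone lifetime versus replication age.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    # When the attribute is not set, the directory uses its built-in default of 60 days.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-ReplicationAge {
    param([int]$TombstoneDays = (Get-TombstoneLifetime))
    $limit = (Get-Date).AddDays(-$TombstoneDays)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # One row per inbound partner and partition; flag those older than the lifetime.
            Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop |
                Where-Object { $_.LastReplicationSuccess -lt $limit } |
                ForEach-Object {
                    [pscustomobject]@{
                        Server        = $dc.HostName
                        Partner       = $_.Partner
                        Partition     = $_.Partition
                        LastSuccess   = $_.LastReplicationSuccess
                        TombstoneDays = $TombstoneDays
                    }
                }
        } catch {
            Write-Warning "Cannot read replication metadata from $($dc.HostName): $_"
        }
    }
}

"Tombstone lifetime: $(Get-TombstoneLifetime) days"
$stale = @(Test-ReplicationAge)
if ($stale.Count -eq 0) { 'No replication link is older than the tombstone lifetime.' }
else { $stale | Format-Table -AutoSize }
```

A domain controller that shows up in this report should be treated as a lingering-object risk: rebuild it or clean it with repadmin /removelingeringobjects rather than simply letting it replicate again.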
27.

What do you do to install a new Windows 2003 DC in a Windows 2000 AD? Ans

If you plan to install Windows Server 2003 domain controllers into an existing Windows 2000 domain, or to upgrade Windows 2000 domain controllers to Windows Server 2003, you first need to run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep /forestprep command must first be run on the Windows 2000 server holding the schema master role in the forest root domain, to prepare the existing schema to support Windows Server 2003 Active Directory. The adprep /domainprep command must then be run on the server holding the infrastructure master role in each domain where Windows Server 2003 domain controllers will be deployed.

28.

What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD? Ans

If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change, mostly related to the new DFS Replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later). Here's a sample execution of the Adprep /forestprep command:

D:\CMPNENTS\R2\ADPREP>adprep /forestprep

ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later). QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption. For more information about preparing your forest and domain see KB article Q331161 at http://support.microsoft.com.

[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.........................................................................................................
139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.

After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen, which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
29.

How would you find all users that have not logged on since last month? Ans

Using only native commands, JSILLD.bat produces a sorted/formatted report of users who have not logged on since YYYYMMDD.

The report is sorted by user name and lists the user's full name and last logon date. The syntax for using JSILLD.bat is:

JSILLD \Folder\OutputFile.Ext YYYYMMDD [/N]

where YYYYMMDD will report all users who have not logged on since this date, and /N is an optional parameter that will bypass users who have never logged on. The script reads the "Last logon" line of net user <name> /domain, which reports the logon recorded by the domain controller that answers the query (lastLogon is not replicated between domain controllers), so compare the output from each domain controller if accuracy matters. JSILLD.bat contains:

@echo off
setlocal
if {%2}=={} goto syntax
if "%3"=="" goto begin
if /i "%3"=="/n" goto begin
:syntax
@echo Syntax: JSILLD File yyyymmdd [/N]
endlocal
goto :EOF
:begin
if /i "%2"=="/n" goto syntax
set dte=%2
set XX=%dte:~0,4%
if "%XX%" LSS "1993" goto syntax
set XX=%dte:~4,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "12" goto syntax
set XX=%dte:~6,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "31" goto syntax
set never=X
if /i "%3"=="/n" set never=/n
set file=%1
if exist %file% del /q %file%
REM net user lists three user names per line; :parse splits them into 25-character columns.
for /f "Skip=4 Tokens=*" %%i in ('net user /domain^|findstr /v /c:"----"^|findstr /v /i /c:"The command completed"') do call :parse "%%i"
endlocal
goto :EOF
:parse
set str=#%1#
set str=%str:#"=%
set str=%str:"#=%
set substr=%str:~0,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~25,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~50,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
goto :EOF
:parse1
set ustr=%1
if %ustr%=="The command completed successfully." goto :EOF
set ustr=%ustr:"=%
if /i "%ustr:~0,9%"=="Full Name" set fullname=%ustr:~29,99%
if /i not "%ustr:~0,10%"=="Last logon" goto :EOF
set txt=%ustr:~29,99%
REM The date is expected in the US MM/DD/YY or MM/DD/YYYY format used by net user.
for /f "Tokens=1,2,3 Delims=/ " %%i in ('@echo %txt%') do set MM=%%i&set DD=%%j&set YY=%%k
if /i "%MM%"=="Never" goto tstnvr
goto year
:tstnvr
if /i "%never%"=="/n" goto :EOF
goto report
:year
if "%YY%" GTR "1000" goto mmm
if "%YY%" GTR "92" goto Y19
set /a YY=100%YY%%%100
set /a YY=YY+2000
goto mmm
:Y19
set YY=19%YY%
:mmm
set /a XX=100%MM%%%100
if %XX% LSS 10 set MM=0%XX%
set /a XX=100%DD%%%100
if %XX% LSS 10 set DD=0%XX%
set YMD=%YY%%MM%%DD%
if "%YMD%" GEQ "%dte%" goto :EOF
:report
set fullname=%fullname% #
set fullname=%fullname:~0,35%
set substr=%substr% #
set substr=%substr:~0,30%
@echo %substr% %fullname% %txt% >> %file%
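The same report in PowerShell, as an added example that is not part of the original answer; it assumes the RSAT ActiveDirectory module. It relies on lastLogonTimestamp, which is replicated but only refreshed when the stored value is more than 9 to 14 days old, so it is accurate to about two weeks. The -Exact switch instead reads the non-replicated lastLogon from every domain controller and keeps the newest, which is what an incident responder checking one account should do; -SkipNever mirrors JSILLD's /N:

```powershell
# Added example (RSAT ActiveDirectory module): users who have not logged on since a date.
Import-Module ActiveDirectory

function Get-StaleUser {
    param(
        [datetime]$Cutoff = (Get-Date).AddMonths(-1),
        [switch]$Exact,      # read non-replicated lastLogon from every DC and keep the newest
        [switch]$SkipNever   # like JSILLD's /N: omit accounts that have never logged on
    )
    $props = 'displayName', 'lastLogonTimestamp', 'whenCreated', 'Enabled'
    $users = Get-ADUser -Filter * -Properties $props
    $dcs   = if ($Exact) { (Get-ADDomainController -Filter *).HostName } else { @() }

    foreach ($u in $users) {
        [int64]$last = 0
        if ($u.lastLogonTimestamp) { $last = [int64]$u.lastLogonTimestamp }

        foreach ($dc in $dcs) {
            try {
                $ll = (Get-ADUser -Identity $u.DistinguishedName -Server $dc -Properties lastLogon -ErrorAction Stop).lastLogon
                if ($ll -and [int64]$ll -gt $last) { $last = [int64]$ll }
            } catch {
                Write-Warning "Could not query $dc for $($u.SamAccountName): $_"
            }
        }

        if ($last -eq 0) {
            if ($SkipNever) { continue }
            $shown = 'Never'
        } else {
            # lastLogon* are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC).
            $when = [datetime]::FromFileTimeUtc($last).ToLocalTime()
            if ($when -ge $Cutoff) { continue }
            $shown = $when
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            FullName       = $u.displayName
            Enabled        = $u.Enabled
            LastLogon      = $shown
            Created        = $u.whenCreated
        }
    }
}

# Everyone who has not logged on in the last month, sorted like JSILLD's report:
Get-StaleUser -Cutoff (Get-Date).AddMonths(-1) | Sort-Object SamAccountName | Format-Table -AutoSize
```

Accounts that never logged on still show whenCreated, so a week-old account can be told apart from a forgotten one. Disabled accounts are included on purpose; filter on Enabled if you only want live ones.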
30.

What are the DS* commands? Ans

New DS (Directory Service) Family of built-in command line utilities for Windows Server 2003 Active Directory

New DS built-in tools for Windows Server 2003. The DS (Directory Service) group of commands is split into two families. In one branch are DSadd, DSmod, DSrm and DSmove; in the other are DSquery and DSget. When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice: the DS family of built-in command-line executables offers an alternative to CSVDE, LDIFDE and VBScript. The members of the DS family:
DSadd - add Active Directory users and groups
DSmod - modify Active Directory objects
DSrm - delete Active Directory objects
DSmove - relocate objects

DSquery - find objects that match your query attributes
DSget - list the properties of an object

DS syntax. These DS tools have their own command structure, which you can split into five parts:
1 tool, 2 object, 3 "DN" (the LDAP distinguished name), 4 -switch, 5 value
For example:
DSadd user "cn=billy,ou=managers,dc=cp,dc=com" -pwd cX49pQba
This adds a user called Billy to the Managers OU and sets the password to cX49pQba. Note that a password typed on the command line ends up in the command history and is visible to anyone listing processes; -pwd * makes DSadd prompt for it instead. Here are some of the common DS switches which work with DSadd and DSmod: -pwd (password), -upn (userPrincipalName), -fn (first name), -samid (SAM account name). The best way to learn about this DS family is to log on at a domain controller and experiment from the command line.

Two most useful tools: DSquery and DSget. DSquery and DSget remind me of UNIX commands in that they operate at the command line, use powerful verbs, and produce plenty of action. One prerequisite for getting the most from this DS family is a working knowledge of LDAP. If you need to query users or computers from a range of OUs and then return information, for example office or department manager, then DSquery and DSget are your tools of choice. Moreover, you can export the information into a text file.

Or
If you've been working with Active Directory for any length of time, chances are good that at some point you've wished there were a way to quickly and easily automate certain operations. Of course, you could tap into Active Directory Services Interface (ADSI) via Windows Script Host and VBScript and create or download scripts to automate those operations. However, if programming really isn't your strong point, you could end up spending more time figuring out the ADSI scripting environment than actually accomplishing your goals. Fortunately, with Windows Server 2003, Microsoft has brought the task of automating Active Directory operations within the grasp of every system administrator by including a complete suite of directory service command-line tools. Now you won't have to delve into the advanced intricacies of ADSI when you can use something that's as easy to create and use as a batch file.
Author's note

In this article, I'll introduce you to Windows Server 2003's directory service command-line tools and then get you started on the ground floor. In future articles, I'll take an in-depth look at each tool and show you how to use them to your advantage when you need to automate certain operations.
Why use the command line?

If you're using Windows Server 2003, you already know that its Active Directory GUI tools offer several new and improved features over those in Windows 2000 Server. For example, you now have drag-and-drop capabilities, multiple-object selection, and the ability to save and reuse queries. So why would you even want to use the directory service command-line tools? To answer this question, let's begin by looking at a list of the available tools in the directory service command-line suite, as shown in Table A. As you look at the list, keep in mind that there are really only six main tools in the suite, but in this particular arrangement, I've expanded the list to show the first four main commands along with the target object on which each command is designed to operate. The last two commands are designed to work on any target object. Table A
Command                                                                   Description
Dsadd computer | contact | group | ou | quota | user                      Adds objects to the directory
Dsget computer | contact | group | ou | partition | quota | server |      Displays properties of objects in the directory
      site | subnet | user
Dsmod computer | contact | group | ou | partition | quota | server | user Modifies select attributes of an existing object in the directory
Dsquery * | computer | contact | group | ou | partition | quota |         Finds objects in the directory that match a specified search criterion
      server | site | subnet | user
Dsmove                                                                    Moves any object from its current location to a new parent location or renames any object without moving it
Dsrm                                                                      Removes an object, the complete subtree under an object in the directory, or both

Windows Server 2003's directory service command-line tools

We'll examine each tool later in this series, but the point of showing you the complete list now is to highlight the magnitude of the tools in the suite and to help you get a feel for the types of operations you can perform with them. Each tool is accompanied by a complete set of general and command-specific parameters that allow you to further define the type of operation you want to conduct. Now, at first glance, you'll immediately see that there are command-line tools for just about every operation you can execute from within the Active Directory GUI tools. However, once you begin to delve deeper, you'll discover that, in some cases, it's easier to carry out certain types of operations from the command line than from the GUI. Dig even further, and you'll discover that there are some tasks you can accomplish with the command-line tools that just aren't possible with the GUI tools. Furthermore, once you have a better understanding of how these tools work, you'll discover that you can indeed automate many common operations quite easily. You won't want to completely abandon the GUI tools in favor of the command-line tools. Rather, you'll use the command-line tools to complement the GUI tools.

To take advantage of the directory service command-line tools, you must have a good grasp of the underlying structure of Active Directory. More specifically, you need to understand that every object in Active Directory can be referenced by several names, and that the command-line tools rely on one of those names, the distinguished name, to locate and work with objects. The other two names are the relative distinguished name and the canonical name. When you create an object in Active Directory, the process creates the relative distinguished name and the canonical name. The distinguished name is then based on the relative distinguished name and the names of that object's parent containers, including the domains. The distinguished name identifies the object as well as its location in a tree. To specify this location, the distinguished name uses the Lightweight Directory Access Protocol (LDAP) attribute tags listed in Table B. For example, the distinguished name for my user account, which exists in the Writers organizational unit in the gcs.com domain, would be
CN=Greg Shultz,OU=Writers,DC=gcs,DC=com

Table B
LDAP attribute tag   Description
CN=                  Common name: the name given to the object at creation
OU=                  Organizational unit: the name of the container
DC=                  Domain component: the name of the domain

The LDAP attribute tags used in a distinguished name

As you can see, the LDAP attribute tags are used to identify each component in the distinguished name; they are separated by commas, and the order in which the components appear goes from the lowest level in the tree to the highest level. The distinguished name tells you exactly where to find the object in the Active Directory data store. There are a few rules you need to observe when working with the distinguished name on the command line:
1. You should get into the habit of enclosing the distinguished name in quotes. (This is really necessary only if any of the names include spaces; however, making it a habit will save you time and frustration if you forget.)
2. Do not put spaces between the commas and the object names.
3. While using uppercase letters for the LDAP attribute tags isn't necessary, it does help delineate the components and make for easier reading.
4. The default Active Directory containers, such as Computers or Users, look like organizational units but are plain containers, so they are addressed with the CN= tag rather than OU= (for example, CN=Users,DC=gcs,DC=com).
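Rule 2 matters because the DS tools parse the quoted string as an LDAP distinguished name, and the same parser breaks when an RDN value itself contains a comma or another reserved character (a user named "Shultz, Greg", an OU with a trailing space). The following is an added example, not from the original article, showing how to escape RDN values per RFC 4514 before handing a DN to dsadd; the OU and names are the article's own, the function names are mine:

```powershell
# Added example: build a DN safely for the DS tools.

function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value -replace '\\', '\\'           # backslash first, so the escapes added below are not doubled
    $v = $v -replace '([,+"<>;=])', '\$1'     # characters that would split the DN or alter an RDN
    if ($v -match '^[ #]') { $v = '\' + $v }  # a leading space or # is special too
    if ($v.EndsWith(' ')) { $v = $v.Substring(0, $v.Length - 1) + '\ ' }   # and a trailing space
    return $v
}

function New-UserDn {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [Parameter(Mandatory)][string]$OuDn      # e.g. OU=Writers,DC=gcs,DC=com
    )
    # No spaces after the commas (rule 2); the tag is uppercase for readability (rule 3).
    'CN=' + (ConvertTo-EscapedRdnValue $CommonName) + ',' + $OuDn
}

$dn = New-UserDn -CommonName 'Shultz, Greg' -OuDn 'OU=Writers,DC=gcs,DC=com'
# Unescaped, the comma would make " Greg" look like a second (malformed) RDN.
if ($dn -ne 'CN=Shultz\, Greg,OU=Writers,DC=gcs,DC=com') { throw "unexpected DN: $dn" }

# Quoted as rule 1 recommends, the DN is safe to hand to the DS tools;
# -pwd * makes dsadd prompt for the password instead of taking it from the command line.
#   dsadd user "$dn" -fn Greg -ln Shultz -display "Greg Shultz" -pwd * -mustchpwd yes
```

The same escaping applies whenever a DN is assembled from data you did not type yourself (an HR feed, a CSV for csvde), which is where unescaped commas turn into failed imports or, worse, objects created in the wrong container.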
Using Dsquery to reveal distinguished names

Now that you understand how to use the distinguished name to identify the location of the object you want to work with, you can use the directory service command-line tools to automate your most common Active Directory management operations. You needn't worry about having to figure out all the distinguished names on your own; you can ask the Dsquery command for assistance. While I'll get into more detail on the more powerful features of the Dsquery command in a future article, it's a good place to start becoming more familiar with the distinguished names in your Active Directory structure. For example, to see the distinguished names for the user accounts in Active Directory, open the command prompt and type
Dsquery user

To see the distinguished names for the organizational units in Active Directory, type the command
Dsquery ou

You can try other basic Dsquery commands using the list of target objects shown in Table A. However, as you do, keep in mind that by default the Dsquery command will display only 100 items. You can expand the number of items displayed by adding the -limit ### parameter and specifying an upper limit; -limit 0 removes the limit altogether.
31.

What's the difference between LDIFDE and CSVDE? Usage considerations? Ans

Ldifde: Ldifde creates, modifies, and deletes directory objects on computers running Windows Server 2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services. The LDAP Data Interchange Format (LDIF) is an Internet standard (RFC 2849) for a file format that may be used for performing batch operations against directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as add, create, and modify to be performed against Active Directory. A utility program called LDIFDE is included in Windows 2000 to support batch operations based on the LDIF file format standard. This article is designed to help you better understand how the LDIFDE utility can be used to migrate directories. http://support.microsoft.com/kb/237677

Csvde: Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.

Csvde is a command-line tool that is built into Windows Server 2008 in the %SystemRoot%\System32 folder. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use csvde, you must run the csvde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command
DIFFERENCE USAGE WISE

Csvde.exe is a Microsoft Windows 2000 command-line utility that is located in the %SystemRoot%\System32 folder after you install Windows 2000. Csvde.exe is similar to Ldifde.exe, but it extracts information in a comma-separated value (CSV) format. You can use Csvde to import and export Active Directory data that uses the comma-separated value format. Use a spreadsheet program such as Microsoft Excel to open this .csv file and view the header and value information. See Microsoft Excel Help for information about functions such as Concatenate that can simplify the process of building a .csv file.

Note: Although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only import and export Active Directory data by using a comma-separated format (.csv), and its import can only add objects. Microsoft recommends that you use the Ldifde utility for Modify or Delete operations. Additionally, the distinguished name (also known as DN) of the item that you are trying to import must be in the first column of the .csv file or the import will not work. The source .csv file can come from an Exchange Server directory export. However, because of the difference in attribute mappings between the Exchange Server directory and Active Directory, you must make some modifications to the .csv file. For example, a directory export from Exchange Server has a column that is named "obj-class" that you must rename to "objectClass." You must also rename "Display Name" to "displayName."
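As an added example (not part of the original answer), this is the split in practice: csvde takes the export, and the modification that csvde cannot do is written as LDIF and applied with ldifde. The OU and user are the article's earlier example (OU=Writers,DC=gcs,DC=com); the file names and the department value are assumptions. Run it on a domain controller or a machine with the AD DS tools installed:

```powershell
# Added example: export with csvde, modify with ldifde.

# 1. Export every user under the OU. The DN is always the first column of the output,
#    which is also the layout a later "csvde -i" import requires.
csvde -f .\writers.csv -d "OU=Writers,DC=gcs,DC=com" -r "(objectCategory=person)" -l "sAMAccountName,displayName,department"
if ($LASTEXITCODE -ne 0) { throw "csvde export failed ($LASTEXITCODE)" }

# 2. csvde can only add objects; describe the change in LDIF instead.
#    One record per object: dn, changetype: modify, then attribute operations separated by "-".
$ldif = @"
dn: CN=Greg Shultz,OU=Writers,DC=gcs,DC=com
changetype: modify
replace: department
department: Editorial
-

"@
Set-Content -Path .\change.ldf -Value $ldif -Encoding ASCII

# 3. Import (-i) the change file; -j writes ldif.log and ldif.err to the given folder.
#    -k is deliberately not used: it would hide constraint violations on the replace.
ldifde -i -f .\change.ldf -j .
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed ($LASTEXITCODE); see .\ldif.err" }
```

The exported CSV is a convenient inventory, but treat it as sensitive: it is a flat list of account names that an attacker would otherwise have to enumerate.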

32.

What are the FSMO roles? Who has them by default? What happens when each one fails? Ans
FSMO stands for Flexible Single Master Operation. There are five roles:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it does not contain any references to objects that it does not hold; a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their inbound time partner.

In a Windows 2000/2003 domain, the PDC emulator role holder also retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless configured otherwise by the administrator.
The PDC emulator performs all of the functionality that a Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients. This part of the role becomes unnecessary once all workstations, member servers, and domain controllers running Windows NT 4.0 or earlier have been upgraded to Windows 2000/2003; the PDC emulator still performs the other functions listed here.

If each one of them fails, the effects are as follows:

Schema Master - Schema updates are not available. These are generally planned changes, and the first step when doing a schema change is normally something like "make sure your environment is healthy". There isn't any urgency if the schema master fails; having it offline is largely irrelevant until you want to make a schema change.

Domain Naming Master - No new domains or application partitions can be added. This sort of falls into the same "healthy environment" bucket as the schema master. When we upgraded the first DC to a beta Server 2003 OS, which included the code to create the DNS application partitions, we couldn't figure out why they weren't instantiated until we realized that the server hosting the DNM was offline (being upgraded) at the same time.

Infrastructure Master - No cross-domain updates, can't run any domain preps. Domain preps are planned (again). But no cross-domain updates could be important if you have a multi-domain environment with a lot of changes occurring.

RID Master - New RID pools cannot be issued to DCs. This gets a bit more complicated, but let me see if I can make it easy. Every DC is initially issued 500 RIDs. When it gets down to 50% (250) it requests a second pool of RIDs from the RID master. So when the RID master goes offline, every DC has anywhere between 250 and 750 RIDs available (depending on whether it has hit 50% and received the new pool).

PDC - Time, logins, password changes, trusts. So we made it to the bottom of the list, and by this point you've figured that the PDC has to be the most urgent FSMO role holder to get back online. The rest of them can be offline for varying amounts of time with no impact at all. Users may see funky behavior if they changed their password, but replication will probably have completed before they call the help desk, so nothing to worry about; and trusts go back to that whole "healthy forest" thing again.
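The role holders and the Infrastructure Master placement rule above can be checked from PowerShell; the schema version read here is the same number that adprep /forestprep raises in the earlier transcript (30 to 31), so the block also serves the two adprep questions. This is an added example using the RSAT ActiveDirectory module, not part of the original answers:

```powershell
# Added example: who holds the FSMO roles, is the IM/GC rule respected, and what schema version is in place.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # objectVersion of the schema NC after adprep /forestprep: 13 = Windows 2000, 30 = 2003,
    # 31 = 2003 R2, 44 = 2008, 47 = 2008 R2, 56 = 2012, 69 = 2012 R2, 87 = 2016, 88 = 2019.
    $schema = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # per domain
        RIDMaster            = $domain.RIDMaster             # per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # per domain
        SchemaVersion        = $schema.objectVersion
    }
}

function Test-InfrastructureMasterPlacement {
    # Holding the IM on a GC is only a problem while some other DC in the domain is not a GC.
    $im    = Get-ADDomainController -Identity (Get-ADDomain).InfrastructureMaster
    $nonGc = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
        Write-Warning ("Infrastructure Master {0} is a Global Catalog while {1} DC(s) are not; cross-domain references will not be updated." -f $im.HostName, $nonGc.Count)
        return $false
    }
    return $true
}

Get-FsmoReport | Format-List
if (Test-InfrastructureMasterPlacement) { 'Infrastructure Master placement is fine.' }
```

The PDC emulator line is the one to act on during an outage, as the text above argues; the others can wait for a planned seizure, and a seized role must never be returned to the original holder without rebuilding it.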

OR


Introduction

In a Windows 2000 domain environment, all of the domain controllers are peers. There are no PDCs and BDCs as in a Windows NT domain. All Windows 2000 domain controllers contain a writable replica (or copy) of the Active Directory database, and unlike the hierarchical server structure in a Windows NT domain (the PDC with subordinate BDCs), all domain controllers are equal. The ability of all domain controllers in a Windows 2000 domain to update Active Directory, and then replicate the change out to the other DCs, is referred to as multimaster replication. Compare that to a Windows NT domain, which uses single master replication: the PDC has the only writable copy of the SAM and all updates can only happen at the PDC. (The SAM, the Security Accounts Manager database, is replaced by the Active Directory database in Windows 2000.)

So why are there FSMO server roles? Since each DC in a Windows 2000 domain can update Active Directory, which then gets replicated to all other DCs, what happens if more than one person is making the same change to Active Directory at the same time? There are certain rules that are followed to prevent conflicts in updating the AD database, but some changes are too important to the domain to be left to these rules. Because of this, Microsoft came up with the idea of the Flexible Single Master Operations server roles. The servers that hold these FSMO roles are responsible for updating certain aspects of Active Directory. By making designated servers responsible for certain updates, instead of allowing every server to make all updates, you prevent conflicts in Active Directory updates.

In a Windows 2000 domain environment, there are 5 server roles that are necessary for the proper functioning of the forest/domain (or Active Directory). These 5 server roles are collectively known as the Flexible Single Master Operations roles or FSMO roles. All FSMO server roles exist on domain controllers; they do not exist on member servers. Two of the server roles exist at the forest level and 3 exist at the domain level. For example: if your Active Directory contains one forest and 1 domain, you would have 5 FSMO role holders. If your AD contained one forest and 2 domains, you would have 8 FSMO role holders: two at the forest level and 3 for each domain. Likewise, for an AD with one forest and 3 domains, you would have 11 role holders: two at the forest level and 3 for each domain.

FSMO Roles

The 5 FSMO server roles:
Schema Master Domain Naming Master PDC Emulator RID Master Infrastructure Master Forest Level Forest Level Domain Level Domain Level Domain Level One per forest One per forest One per domain One per domain One per domain

1. Schema Master (Forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:
- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs. There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in the domain. Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA, who has been added to a group in DomainB, then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change. There is only one Infrastructure master per domain.

What if a FSMO server fails?


Schema Master - No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master - The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator - The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master - The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master - This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Placing FSMO Server Roles

So where are these FSMO server roles found? Is there a one-to-one relationship between the server roles and the number of servers that house them? The first domain controller that is installed in a Windows 2000 domain, by default, holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers. Moving a FSMO server role is a manual process; it does not happen automatically.

But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization then you have one forest, one domain, and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role. However, it is always a good idea to have more than one domain controller in a domain for a number of reasons.

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles. The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are, by default, on the first domain controller installed in a forest, you can leave them as they are.

Note: According to MS, the Domain Naming master needs to be on a Global Catalog server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain.

Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and the Global Catalog server above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load. It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.

FSMO Tools

How do you find out which servers in your domain/forest hold which server roles? How do you move a server role from one server to another? There are several tools that can be used to find out this information.

Permissions

Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:
Schema Master          member of the Schema Admins group
Domain Naming Master   member of the Enterprise Admins group
PDC Emulator           member of the Domain Admins group and/or the Enterprise Admins group
RID Master             member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master  member of the Domain Admins group and/or the Enterprise Admins group

Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the location of one or more of these 3 FSMO roles. Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click "Operations Masters". A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking "Active Directory Users and Computers" at the top of the Active Directory Users and Computers snap-in and choose "Connect to Domain Controller". Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location. The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click "Active Directory Domains and Trusts" at the top of the tree, and choose "Operations Master". When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking "Active Directory Domains and Trusts" at the top of the Active Directory Domains and Trusts snap-in and choosing "Connect to Domain Controller".

Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However... the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the \Support directory on the Windows 2000 server CD or install the Windows 2000 Server Resource Kit. Once you install the support tools you can open up a blank Microsoft Management Console (start, run, mmc) and add the snap-in to the console. Once the snap-in is open, right click "Active Directory Schema" at the top of the tree and choose "Operations Masters". You will see the dialog box below. Changing the server the Schema Master resides on requires you first connect to another domain controller, and then click the Change button. You can connect to another domain controller by right clicking "Active Directory Schema" at the top of the Active Directory Schema snap-in and choosing "Connect to Domain Controller".

More Tools In addition to the tools mentioned above, there are other tools that can be used to view the FSMO server roles. Perhaps the easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit. To use Netdom to view the FSMO role holders, open a command prompt window and type: netdom query fsmo and press enter. You will see a list of the FSMO role servers:
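The netdom output above is the cheapest thing to collect on a schedule, and an unexpected change of role holder (a seizure nobody planned, for instance) is worth an alert. The following Python is an added example, not part of the original document or of the Windows tools: it parses the five role lines that netdom query fsmo prints into a role-to-holder map, refuses an incomplete answer, and diffs two snapshots taken at different times. The sample output and host names are constructed, and the label strings are assumed to match what netdom prints.

```python
import re

# Role labels as netdom query fsmo prints them (assumed), mapped to short names.
NETDOM_ROLE_LABELS = {
    "Schema master": "SchemaMaster",
    "Domain naming master": "DomainNamingMaster",
    "PDC": "PDCEmulator",
    "RID pool manager": "RIDMaster",
    "Infrastructure master": "InfrastructureMaster",
}

# A role line is a label, a run of at least two spaces, then the holder's name.
LINE_RE = re.compile(r"^(?P<label>[A-Za-z ]+?)\s{2,}(?P<holder>\S+)$")

# Constructed sample output; the host names are placeholders.
SNAPSHOT_BEFORE = """\
Schema master               dc1.corp.example
Domain naming master        dc1.corp.example
PDC                         dc1.corp.example
RID pool manager            dc1.corp.example
Infrastructure master       dc2.corp.example
The command completed successfully.
"""

# The same forest later: the PDC Emulator has moved to dc3 (constructed).
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "PDC                         dc1.corp.example",
    "PDC                         dc3.corp.example",
)


def parse_netdom_fsmo(text):
    """Return {role: holder} from netdom query fsmo output.

    Raises ValueError if any of the five roles is missing: a partial answer
    usually means the queried DC could not resolve a holder, and it must not
    be stored as a baseline.
    """
    roles = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner/footer lines such as "The command completed successfully."
        label = m.group("label").strip()
        if label in NETDOM_ROLE_LABELS:
            roles[NETDOM_ROLE_LABELS[label]] = m.group("holder").lower()
    missing = sorted(set(NETDOM_ROLE_LABELS.values()) - set(roles))
    if missing:
        raise ValueError(f"netdom output did not list: {missing}")
    return roles


def diff_fsmo(previous, current):
    """Return [(role, old_holder, new_holder)] for each role whose holder changed."""
    return [
        (role, previous[role], current[role])
        for role in sorted(previous)
        if previous[role] != current.get(role)
    ]


def holders_by_dc(roles):
    """Invert the map: which DC holds which roles (handy for placement checks)."""
    by_dc = {}
    for role, dc in roles.items():
        by_dc.setdefault(dc, []).append(role)
    return by_dc


if __name__ == "__main__":
    before = parse_netdom_fsmo(SNAPSHOT_BEFORE)
    after = parse_netdom_fsmo(SNAPSHOT_AFTER)
    for role, old, new in diff_fsmo(before, after):
        print(f"ALERT: {role} moved from {old} to {new}")
```

Run netdom query fsmo from a scheduled task, feed its output to parse_netdom_fsmo, and compare against the previous run; any tuple returned by diff_fsmo should be reconciled against a change record, since a role that moved without a ticket is either an undocumented transfer or a seizure.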

Another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right click the Server name and choose properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 server, is rather complicated and beyond the scope of this document.

33. What FSMO placement considerations do you know of?
Ans

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Single Domain Forest

In a single domain forest, leave all of the FSMO roles on the first domain controller in the forest. You should also configure all of the domain controllers as Global Catalog servers. This will NOT place additional stress on the DCs, while allowing GC-related applications (such as Exchange Server) to easily perform GC queries.

Multiple Domain Forest

In a multiple domain forest, use the following guidelines:
- In the forest root domain: if all domain controllers are also global catalog servers, leave all of the FSMO roles on the first DC in the forest. If all domain controllers are not also global catalog servers, move all of the FSMO roles to a DC that is not a global catalog server.
- In each child domain, leave the PDC emulator, RID master, and Infrastructure master roles on the first DC in the domain, and ensure that this DC is never designated as a global catalog server (unless the child domain only contains one DC, in which case you have no choice but to leave it in place).

Configure a standby operations master - For each server that holds one or more operations master roles, make another DC in the same domain available as a standby operations master. Making a DC a standby operations master involves the following actions:
- The standby operations master should not be a global catalog server, except in a single domain environment where all domain controllers are also global catalog servers.
- The standby operations master should have a manually created replication connection to the domain controller that it is the standby operations master for, and it should be in the same site.
- Configure the RID master as a direct replication partner with the standby or backup RID master. This configuration reduces the risk of losing data when you seize the role because it minimizes replication latency.
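The placement rules in this section (one holder per forest role and per domain role, Infrastructure Master kept off a Global Catalog server in a multi-domain forest unless every DC in that domain is a GC, Domain Naming Master on a GC, and the recommended Schema/Domain Naming and PDC/RID pairings) are easy to check mechanically once you have a list of DCs with their GC flag and roles. The Python below is an added example, not part of the original document and not Microsoft's tooling: it encodes those rules as this section states them and reports findings against a constructed two-domain forest. The DC and domain names are placeholders, and the forest_level values are a modelling choice for the functional-level note given later in this answer.

```python
from dataclasses import dataclass

FOREST_ROLES = ("SchemaMaster", "DomainNamingMaster")
DOMAIN_ROLES = ("PDCEmulator", "RIDMaster", "InfrastructureMaster")


@dataclass
class DC:
    name: str
    domain: str
    is_gc: bool
    roles: tuple = ()


def expected_role_holders(domain_count):
    """Two forest-wide roles plus three per domain: 5, 8, 11, ... role holders."""
    return 2 + 3 * domain_count


def check_placement(dcs, forest_level="2003"):
    """Return [(severity, message)]. 'error' marks a rule this section treats as
    mandatory, 'warning' a recommendation. forest_level is '2000native' or '2003'."""
    findings = []
    domains = sorted({dc.domain for dc in dcs})

    def holders(role, domain=None):
        return [dc.name for dc in dcs
                if role in dc.roles and (domain is None or dc.domain == domain)]

    # 1. Exactly one holder of each forest role, and of each domain role per domain.
    for role in FOREST_ROLES:
        if len(holders(role)) != 1:
            findings.append(("error", f"{role}: expected one forest-wide holder, found {holders(role)}"))
    for domain in domains:
        for role in DOMAIN_ROLES:
            if len(holders(role, domain)) != 1:
                findings.append(("error", f"{role} in {domain}: expected one holder, found {holders(role, domain)}"))

    # 2. In a multi-domain forest the Infrastructure Master must not be a GC,
    #    unless every DC in its domain is a GC (nothing is left for it to update).
    if len(domains) > 1:
        for domain in domains:
            members = [dc for dc in dcs if dc.domain == domain]
            if all(dc.is_gc for dc in members):
                continue
            for dc in members:
                if "InfrastructureMaster" in dc.roles and dc.is_gc:
                    findings.append(("error", f"{dc.name}: Infrastructure Master on a Global Catalog server in {domain}"))

    # 3. Domain Naming Master on a GC: required at Windows 2000 native level,
    #    otherwise a recommendation.
    for dc in dcs:
        if "DomainNamingMaster" in dc.roles and not dc.is_gc:
            severity = "error" if forest_level == "2000native" else "warning"
            findings.append((severity, f"{dc.name}: Domain Naming Master is not a Global Catalog server"))

    # 4. Recommended pairings: Schema + Domain Naming together, PDC + RID together.
    schema, naming = holders("SchemaMaster"), holders("DomainNamingMaster")
    if len(schema) == 1 and len(naming) == 1 and schema != naming:
        findings.append(("warning", "Schema Master and Domain Naming Master are on different DCs"))
    for domain in domains:
        pdc, rid = holders("PDCEmulator", domain), holders("RIDMaster", domain)
        if len(pdc) == 1 and len(rid) == 1 and pdc != rid:
            findings.append(("warning", f"{domain}: PDC Emulator and RID Master are on different DCs"))
    return findings


# Constructed two-domain forest; names are placeholders. dc1 was the first DC in the
# forest root and still holds all five roles, but it is a GC while dc2 is not.
SAMPLE_FOREST = [
    DC("dc1", "corp.example", True,
       ("SchemaMaster", "DomainNamingMaster", "PDCEmulator", "RIDMaster", "InfrastructureMaster")),
    DC("dc2", "corp.example", False),
    DC("eu-dc1", "eu.corp.example", False, ("PDCEmulator", "RIDMaster", "InfrastructureMaster")),
    DC("eu-dc2", "eu.corp.example", True),
]

if __name__ == "__main__":
    for severity, message in check_placement(SAMPLE_FOREST):
        print(f"{severity.upper()}: {message}")
```

For the sample forest the checker reports one error: the Infrastructure Master in the root domain sits on a Global Catalog server while dc2 is not a GC, which is exactly the situation the text says stops cross-domain reference updates. Moving that one role to dc2 clears the report.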

To create a connection object on the current operations master:
1. In the Active Directory Sites and Services snap-in, in the console tree in the left pane, expand the Sites folder to see the list of available sites.
2. Expand the site name in which the current role holder is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations master role to display NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the standby operations master, then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name, and click OK.

To create a connection object on the standby operations master, perform the same procedure as above, and point the connection to the current FSMO role holder.

Note regarding Windows 2000 Active Directory domains: If the forest is set to a functional level of Windows 2000 native, you must locate the domain naming master on a server that hosts the global catalog. If the forest is set to a functional level of Windows Server 2003, it is not necessary for the domain naming master to be on a global catalog server.

Server performance and availability

Most FSMO roles require that the domain controller that holds the roles be:

Highly available server - FSMO functions require that the FSMO role holder is highly available at all times. A highly available DC is one that uses computer hardware that enables it to remain operational even during a hardware failure. For example, having a RAID1 or RAID5 configuration enables the server to keep running even if one hard disk fails. Although most FSMO losses can be dealt with within a matter of hours (or even days in some cases), some FSMO roles, such as the PDC Emulator role, should never be offline for more than a few minutes at a time. What will happen if you keep a FSMO role offline for a long period of time? This table has the info:

FSMO Role        Loss implications
Schema           The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming    Unless you are going to run DCPROMO, you will not miss this FSMO role.
RID              Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of user or computer objects per week.
PDC Emulator     Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem.
Infrastructure   Group memberships may be incomplete. If you only have one domain, then there will be no impact.

Not necessarily high capacity server - A high-capacity domain controller is one that has comparatively higher processing power than other domain controllers to accommodate the additional work load of holding the operations master role. It has a faster CPU and possibly additional memory and network bandwidth. FSMO roles usually do not place stress on the server's hardware. One exception is the performance of the PDC Emulator, mainly when used in Windows 2000 Mixed mode along with old NT 4.0 BDCs. That is why you should:
- Increase the size of the DC's processing power.
- Not make the DC a global catalog server.
- Reduce the priority and the weight of the service (SRV) record in DNS to give preference for authentication to other domain controllers in the site.
- Not require that the standby domain controller be a direct replication partner (seizing the PDC emulator role does not result in lost data, so there is no need to reduce replication latency for a seize operation).
- Centrally locate this DC near the majority of the domain users.

34. I want to look at the RID allocation table for a DC. What do I do?
Ans
1. Install the Support Tools from the OS disk (OS install disk => support => tools => suptools.msi).
2. At a command prompt, type: dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our DC)

35. What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
Ans

Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available. If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT seize the Schema Master role. If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master from the network. If you seize the Schema Master role, the boot drive on the original Schema Master must be completely reformatted and the operating system must be cleanly installed, if you intend to return this computer to the network.

NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition that contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:

- An administrator reassigns the role by using a GUI administrative tool.
- An administrator reassigns the role by using the ntdsutil /roles command.
- An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

- The current role holder is operational and can be accessed on the network by the new FSMO owner.
- You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
- The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

- The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
- A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
- The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain that last inbound-replicated, or recently inbound-replicated, a writable copy of the "FSMO partition" from the existing role holder. For example, the Schema master role holder has a distinguished name path of CN=schema,CN=configuration,dc=<forest root domain>, and this means that the role resides in and is replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds.

The partition for each FSMO role is in the following list:

FSMO role              Partition
Schema                 CN=Schema,CN=configuration,DC=<forest root domain>
Domain Naming Master   CN=configuration,DC=<forest root domain>
PDC                    DC=<domain>
RID                    DC=<domain>
Infrastructure         DC=<domain>

A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.
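The overlapping-RID-pool risk just described follows directly from the SID structure given under the RID Master role earlier: a SID is the domain SID plus a RID, each DC draws RIDs from a block the RID master handed it, and two RID masters that both think a block is unallocated will hand it out twice. The Python below is an added example, not part of the original document and not how Windows implements RID allocation: it models the allocation the text describes, then replays a seizure in which the old RID master keeps running, and shows how to detect the resulting overlap from the blocks each master handed out. The domain SID, DC names, block size and refill threshold are constructed modelling assumptions, not the actual Windows values.

```python
import re

# Domain account SIDs look like S-1-5-21-<d1>-<d2>-<d3>-<RID>: the first four
# sub-authorities identify the domain, the last one is the RID.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain account SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    d1, d2, d3, rid = m.groups()
    return f"S-1-5-21-{d1}-{d2}-{d3}", int(rid)


class RIDMaster:
    """Hands out contiguous RID blocks from the domain's unallocated pool.
    Block size and the starting RID are modelling assumptions, not Windows' values."""

    def __init__(self, domain_sid, next_free=1000, block_size=500):
        self.domain_sid = domain_sid
        self.next_free = next_free   # RIDs below 1000 are reserved for well-known accounts
        self.block_size = block_size
        self.allocated = {}          # dc name -> [(low, high), ...]

    def allocate(self, dc_name):
        low, high = self.next_free, self.next_free + self.block_size - 1
        self.next_free = high + 1
        self.allocated.setdefault(dc_name, []).append((low, high))
        return low, high


class DomainController:
    """Creates security principals from its local pool and asks the master for
    another block when the pool falls below a threshold (assumed: half a block)."""

    def __init__(self, name, master, refill_below=0.5):
        self.name, self.master, self.refill_below = name, master, refill_below
        self.pool = []
        self.refill()

    def refill(self):
        low, high = self.master.allocate(self.name)
        self.pool.extend(range(low, high + 1))

    def create_principal(self):
        """Return the SID of a newly created user, group or computer."""
        if len(self.pool) < self.refill_below * self.master.block_size:
            self.refill()
        return f"{self.master.domain_sid}-{self.pool.pop(0)}"


def overlapping_pools(allocations):
    """allocations: {dc: [(low, high), ...]} as reported by every RID master that was
    ever active. Returns [(dc_a, dc_b, low, high)] for blocks handed to two DCs."""
    ranges = [(dc, lo, hi) for dc, blocks in allocations.items() for lo, hi in blocks]
    found = []
    for i, (dc_a, lo_a, hi_a) in enumerate(ranges):
        for dc_b, lo_b, hi_b in ranges[i + 1:]:
            lo, hi = max(lo_a, lo_b), min(hi_a, hi_b)
            if dc_a != dc_b and lo <= hi:
                found.append((dc_a, dc_b, lo, hi))
    return found


def merge_allocations(*masters):
    """Combine what several RID masters believe they have handed out."""
    merged = {}
    for master in masters:
        for dc, blocks in master.allocated.items():
            merged.setdefault(dc, []).extend(blocks)
    return merged


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed


def demo_seizure_overlap():
    """The RID Master role is seized while the original holder is merely cut off.
    Both masters continue from the same unallocated pool, so two DCs receive the
    same RID block; that overlap is what a defender should look for."""
    original = RIDMaster(DOMAIN_SID)
    DomainController("dc1", original)                             # takes 1000-1499
    seized = RIDMaster(DOMAIN_SID, next_free=original.next_free)  # state replicated before the seizure
    DomainController("dc2", seized)                               # takes 1500-1999 from the new master
    DomainController("dc3", original)                             # the old master also gives out 1500-1999
    return overlapping_pools(merge_allocations(original, seized))
```

In a real domain the per-DC blocks come from the RID manager attributes that dcdiag /test:ridmanager reports (question 34 above); feeding those ranges to overlapping_pools, with the former role holder's last known allocation included, tells you whether any principals created after the seizure can share a SID and therefore must be found and recreated before the old DC is ever reconnected.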
Transfer FSMO roles

To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
   Note: To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Notes
- Under typical conditions, all five roles must be assigned to "live" domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller.
- We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, see the following article in the Microsoft Knowledge Base: 223346 (http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on Windows 2000 domain controllers
- If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in active directory after an unsuccessful domain controller demotion
- Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.
- Some customers prefer not to restore system state backups of FSMO role holders in case the role has been reassigned since the backup was made.
- Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.

To test whether a domain controller is also a global catalog server:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.
36. How do you configure a "stand-by operation master" for any of the roles?
Ans
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
37. How do you backup AD?
38. How do you restore AD?

Ans

Backing up AD means backing up the system state of a domain controller: the Active Directory database (NTDS.DIT) and its log files, SYSVOL, the registry, the COM+ class registration database and the boot files. On Windows 2000 and 2003 use NTBackup and select System State; on Windows Server 2008 install the Windows Server Backup feature and take a system state backup with the wbadmin command-line tool (or the Windows Server Backup console). Only a backup younger than the tombstone lifetime (see question 40) can safely be restored.

For Windows 2000 and 2003 Server: you can't restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps.

1. Reboot the computer.
2. At the boot menu, select Windows 2000 Server. Don't press Enter. Instead, press F8 for advanced options. You'll see the following text:

    OS Loader V5.0

    Windows NT Advanced Options Menu
    Please select an option:

    Safe Mode
    Safe Mode with Networking
    Safe Mode with Command Prompt

    Enable Boot Logging
    Enable VGA Mode
    Last Known Good Configuration
    Directory Services Restore Mode (Windows NT domain controllers only)
    Debugging Mode

    Use the up and down arrow keys to move the highlight to your choice.
    Press Enter to choose.

3. Scroll down, and select Directory Services Restore Mode (Windows NT domain controllers only).
4. Press Enter.
5. When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of the screen, you'll see in red text Directory Services Restore Mode (Windows NT domain controllers only).

The computer will boot into a special safe mode and won't start the DS. Be aware that during this time the machine won't act as a DC and won't perform functions such as authentication. Log on with the local DSRM administrator account and password (set when the DC was promoted; see question 39 for resetting it).

1. Start NTBackup.
2. Select the Restore tab.
3. Select the backup media, and select System State.
4. Click Start Restore.
5. Click OK in the confirmation dialog box.

After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; I've experienced a 30-minute wait on some machines.

This is a non-authoritative restore: after the reboot, replication partners overwrite the restored data with whatever is newer, including deletions. To bring back objects that were deleted, run ntdsutil in DSRM before rebooting and mark them authoritative (authoritative restore, then restore object or restore subtree with the object's distinguished name), exactly as shown for Windows Server 2008 below, except that Windows 2000 and 2003 do not need the activate instance NTDS step.
How to Restore Server 2008 Active Directory (non-authoritative)

1. On the Server 2008 DC, open an elevated command prompt.
2. Run the following commands to reboot into Directory Services Restore Mode (DSRM):
    bcdedit /set safeboot dsrepair
    shutdown -r -t 1
3. Log on as .\administrator with the DSRM password.
4. List the backups on the backup target (D: is the drive letter that holds your backup) and note the version identifier of the one you want:
    wbadmin get versions -backuptarget:D:
5. Start the restore with that version identifier:
    wbadmin start systemstaterecovery -version:01/01/2008-22:30 -backuptarget:D:
6. After the restore process completes, remove the safeboot entry and reboot normally:
    bcdedit /deletevalue safeboot
    shutdown -r -t 0
How to restore Server 2008 Active Directory if someone accidentally deletes an object (Authoritative Restore)

1. Perform the non-authoritative restore above through step 5, but do not reboot the server yet.
2. Open a command prompt and run the following commands, where CN=VIPuser,CN=Users,DC=MYDOMAIN,DC=NET is the object you wish to restore (use restore subtree instead of restore object to bring back a whole OU):
    ntdsutil
    activate instance NTDS
    authoritative restore
    restore object "CN=VIPuser,CN=Users,DC=MYDOMAIN,DC=NET"
3. Once it completes, type quit (twice) to leave ntdsutil.
4. Remove the safeboot entry and reboot:
    bcdedit /deletevalue safeboot
    shutdown -r -t 0

Marking an object authoritative raises its version numbers (by default 100,000 for each day since the backup was taken) so that the restored copy wins replication against the deletion on every other DC.
39. How do you change the DS Restore admin password? Ans

To reset the DSRM administrator password:

1. Click Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
3. At the DSRM command prompt, type one of the following lines:
   - To reset the password on the server on which you are working, type reset password on server null. The null variable means that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.
   - To reset the password for another server, type reset password on server servername, where servername is the DNS name of the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.
4. At the DSRM command prompt, type q.
5. At the Ntdsutil command prompt, type q to exit.

The DSRM password belongs to the local Administrator account in the domain controller's SAM, not to the domain Administrator account, so changing the domain password does not change it. On Windows Server 2008 R2 and later you can also type sync from domain account <user> at the set dsrm password prompt to copy a domain user's password into the DSRM account.

40. Why can't you restore a DC that was backed up 4 months ago?

Ans Because of the tombstone lifetime, which by default is 60 days (180 days in forests created with Windows Server 2003 SP1 or later). A backup older than that must not be restored.

What is tombstone lifetime? Tombstones are specific objects used by Active Directory. When you delete an object in AD it is not actually deleted. Instead, AD turns the object into a tombstone: most attributes are stripped, isDeleted is set to TRUE and the object is moved to the Deleted Objects container. When the tombstone lifetime expires (60 days by default) garbage collection removes the tombstone, and with it the last trace of the object.

Why is this mechanism required? The answer is replication. When the system creates a tombstone on any of the domain controllers, it replicates through the whole Active Directory, so every DC learns about the deletion. When the tombstone expires, all of your DCs delete the tombstone at about the same time. This process ensures the data integrity of deleted objects across your enterprise.

What is the consequence of the mechanism described above? You should never switch a domain controller back on after it has been switched off for longer than the tombstone lifetime. If you do, already deleted objects can reappear in your AD (so-called lingering objects) and your data consistency is gone. The same is true for AD backups stored for longer than the tombstone lifetime. Don't restore an AD backup older than the tombstone lifetime in a multi-DC environment; Windows Backup refuses to restore a system state backup that is older than the tombstone lifetime for exactly this reason.

The effective value is the tombstoneLifetime attribute on CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition; if the attribute is not set, 60 days applies.
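The Windows Server 2008 restore steps in question 38 and the tombstone lifetime in question 40 meet in one practical check: is the backup you are about to restore still younger than the tombstone lifetime? The following PowerShell is an added example, not from the original page. The wbadmin text it parses is a constructed sample in the layout that wbadmin get versions prints; the backup dates, the drive letter D: and the 2008-05-10 evaluation date are assumptions. Get-TombstoneLifetimeDays needs the ActiveDirectory module and a reachable domain controller; the rest runs offline.

```powershell
# Added example (not from the original page): choose the newest system state backup that is
# still inside the forest's tombstone lifetime, the condition the restore steps depend on.

function Get-TombstoneLifetimeDays {
    # Reads tombstoneLifetime from the Directory Service object; an unset attribute means 60 days.
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function ConvertFrom-WbadminVersions {
    # Parses "wbadmin get versions" text into objects with VersionId, BackupTime and HasSystemState.
    param([Parameter(Mandatory)] [string] $Text)
    $results = @()
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*Version identifier:\s*(\S+)') {
            # Version identifiers look like 01/01/2008-22:30 (MM/dd/yyyy-HH:mm)
            $current = [pscustomobject]@{
                VersionId      = $Matches[1]
                BackupTime     = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture)
                HasSystemState = $false
            }
            $results += $current
        } elseif ($current -and $line -match '^\s*Can recover:.*System State') {
            $current.HasSystemState = $true
        }
    }
    $results
}

function Select-RestorableBackup {
    # Returns the newest system state backup younger than the tombstone lifetime, or $null if none qualifies.
    param(
        [Parameter(Mandatory)] [object[]] $Versions,
        [int] $TombstoneLifetimeDays = 60,
        [datetime] $Now = (Get-Date)
    )
    $Versions |
        Where-Object { $_.HasSystemState -and ($Now - $_.BackupTime).TotalDays -lt $TombstoneLifetimeDays } |
        Sort-Object BackupTime -Descending |
        Select-Object -First 1
}

# Constructed sample output: one backup that is four months old and one from last week, judged as of 2008-05-10.
$sampleOutput = @'
Backup time: 1/1/2008 10:30 PM
Backup target: Fixed Disk labeled D:
Version identifier: 01/01/2008-22:30
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 5/3/2008 11:00 PM
Backup target: Fixed Disk labeled D:
Version identifier: 05/03/2008-23:00
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State
'@

$versions = ConvertFrom-WbadminVersions -Text $sampleOutput
$pick = Select-RestorableBackup -Versions $versions -TombstoneLifetimeDays 60 -Now (Get-Date '2008-05-10')
"Usable backup: $($pick.VersionId)"   # 05/03/2008-23:00; the January backup is past the 60-day limit

# Live use on a Windows Server 2008 DC (take the backup, then pick the version to feed to the restore):
#   wbadmin start systemstatebackup -backuptarget:D:
#   $versions = ConvertFrom-WbadminVersions -Text ((wbadmin get versions -backuptarget:D:) -join "`n")
#   Select-RestorableBackup -Versions $versions -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)
```

The version identifier the function returns is the value to pass to wbadmin start systemstaterecovery -version:. If Select-RestorableBackup returns nothing, every backup is older than the tombstone lifetime and the right move is to rebuild the DC and let it replicate, not to restore.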
41. What are GPOs? Ans

Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 to continually enforce the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.

Group Policy Advantages

You can link Group Policy Objects (GPOs) to sites, domains and organizational units, and all users and computers in those containers receive the settings. By default only members of Domain Admins, Enterprise Admins and Group Policy Creator Owners can create GPOs, and only Domain Admins, Enterprise Admins and a GPO's creator can edit it; ordinary users cannot change Group Policy, which is what makes it a dependable security control. Policy settings can be removed, and Administrative Templates policy settings revert when the GPO no longer applies to a user or computer.

Where GPOs store Group Policy information

Group Policy objects store their Group Policy information in two locations:

Group Policy Container (GPC): the GPC is an Active Directory object (class groupPolicyContainer, stored under CN=Policies,CN=System in the domain partition) that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers read the GPC to locate the Group Policy template; if the domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version.

Group Policy Template (GPT): the GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL share to obtain the settings. The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is %SystemRoot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GUID}.
Managing GPOs

To avoid replication conflicts, consider which domain controller you edit a GPO on, because the GPO data resides both in the SYSVOL folder and in Active Directory, and two independent replication mechanisms carry it among all domain controllers in the domain (Active Directory replication for the GPC, FRS or DFS-R for the GPT in SYSVOL). Whether one administrator's changes overwrite those made by another depends on the replication latency. By default the Group Policy Management Console uses the PDC Emulator so that all administrators work on the same domain controller.

WMI Filters

WMI filters narrow the scope of a GPO based on attributes of the user or computer, extending filtering beyond the security-group filtering that was previously available. A WMI filter is linked to a GPO. When the GPO is applied on the destination computer, Active Directory evaluates the filter's queries on that computer against its WMI repository. If the set of queries returns false, the GPO is not applied; if it returns true, the GPO is applied. You write the query in the WMI Query Language (WQL), which resembles SQL.

Planning a Group Policy Strategy for the Enterprise

When you plan an Active Directory structure, create a plan for GPO inheritance, administration, and deployment that provides the most efficient Group Policy management for your organization. Also consider how you will implement Group Policy for the organization. Be sure to consider the delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility so that your plan will provide for ease of use as well as administration.

Planning GPOs

Create GPOs in a way that provides the simplest and most manageable design, one in which you can use inheritance and multiple links.

Guidelines for Planning GPOs

Apply GPO settings at the highest level: this way, you take advantage of Group Policy inheritance. Determine the common GPO settings for the largest container, starting with the domain, and then link the GPO to this container.

Reduce the number of GPOs: use multiple links instead of creating multiple identical GPOs. Try to link a GPO at the broadest container level possible, to avoid creating multiple links of the same GPO at a deeper level.

Create specialized GPOs: use these GPOs to apply unique settings when necessary. GPOs linked at a higher level will not override the settings in these specialized GPOs (unless the higher-level link is Enforced), because the GPO linked closest to the user or computer is processed last.

Disable the computer or user configuration settings: when a GPO contains settings for only one of the two halves (user or computer), disable the other half through the GPO's status. This speeds up processing and prevents settings from accidentally being applied to the other half.

Microsoft Active Directory allows you to use group policies to define user or computer settings for an entire group of users or computers at one time. The settings that you configure are stored in a Group Policy Object (GPO), which is then associated with Active Directory objects such as sites, domains, or organizational units. Group policies cover many different aspects of the network, desktop, and software configuration environment, including:

Application deployment policies: these policies assign or publish applications to users or computers, and affect the applications that users access on the network.
File deployment policies: these policies allow an administrator to place files in special folders on the user's computer, such as the desktop or My Documents areas.
Script policies: using a script policy, an administrator can specify scripts that should run at specific times, such as logon/logoff or system startup/shutdown.
Software policies: administrators can use software policies to globally configure most of the settings in user profiles, such as desktop settings, Start menu options, and applications.
Security policies: these policies allow an administrator to restrict user access to files and folders, configure how many failed logon attempts will lock an account, and control user rights.

42. What is the order in which GPOs are applied? Ans

Local, Site, Domain, OU (often remembered as LSDOU). A GPO processed later wins any conflict, so an OU-linked GPO overrides a domain-linked one unless the domain link is Enforced.

Group Policy settings are processed in the following order:

1. Local Group Policy object: each computer has exactly one Group Policy object that is stored locally (Windows Vista and later add per-user local GPOs). This is processed for both computer and user Group Policy processing.
2. Site: any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed. At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
43. Name a few benefits of using GPMC. Ans

Microsoft released the Group Policy Management Console (GPMC) years ago, and it was a major step forward in Group Policy management. The tool provides control over Group Policy in the following manner:

Easy administration of all GPOs across the entire Active Directory forest
View of all GPOs in one single list
Reporting of GPO settings, security, filters, delegation, etc.
Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
Delegation model
Backup and restore of GPOs
Migration of GPOs across different domains and forests

With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it falls a bit short when you want to protect the GPOs from the following:

Lack of role-based delegation of GPO management
Being edited directly in production, potentially causing damage to desktops and servers
Forgetting to back up a GPO after it has been modified
No change management (history, approval, rollback) of each modification to every GPO

44.

What are the GPC and the GPT? Where can I find them? Ans

Group Policy Container (GPC): the GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. You find it under CN=Policies,CN=System in the domain partition, named by the GPO's GUID. Computers read the GPC to locate the Group Policy template; if the domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version.

Group Policy Template (GPT): the GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL share to obtain the settings. The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is %SystemRoot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GUID}, shared as \\<domain>\SYSVOL\<domain>\Policies\{GUID}. Both locations carry a version number (the versionNumber attribute on the GPC, the Version= line in GPT.INI in the GPT); when the two differ, the GPO has not finished replicating, or Active Directory and SYSVOL replication have diverged.
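A practical consequence of the two storage locations is that their version numbers can be compared. The following PowerShell is an added example, not from the original page: it decodes the combined GPO version number (low 16 bits computer, high 16 bits user) as found in GPT.INI and on the GPC, and reports GPOs whose AD copy and SYSVOL copy disagree. The GPT.INI text and the two GPO objects below are constructed; the live variant uses Get-GPO from the GroupPolicy (RSAT) module, whose Computer.DSVersion, Computer.SysvolVersion, User.DSVersion and User.SysvolVersion properties carry the same four numbers.

```powershell
# Added example (not from the original page): compare the GPC version (versionNumber in AD)
# with the GPT version (Version= in GPT.INI under SYSVOL) for each GPO. Both hold one 32-bit
# number: low 16 bits = computer-side version, high 16 bits = user-side version.

function Split-GpoVersion {
    # Splits the combined version number into its computer and user halves.
    param([Parameter(Mandatory)] [uint32] $Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Read-GptIniVersion {
    # Extracts Version= from GPT.INI text (the file has a [General] section with Version=N).
    param([Parameter(Mandatory)] [string] $IniText)
    if ($IniText -match '(?m)^\s*Version\s*=\s*(\d+)') { [uint32]$Matches[1] } else { throw 'No Version= line in GPT.INI' }
}

function Test-GpoVersionSync {
    # Takes objects shaped like Get-GPO output and reports per GPO whether GPC and GPT agree.
    param([Parameter(Mandatory)] [object[]] $Gpos)
    foreach ($g in $Gpos) {
        [pscustomobject]@{
            DisplayName    = $g.DisplayName
            Id             = $g.Id
            ComputerDS     = $g.Computer.DSVersion
            ComputerSysvol = $g.Computer.SysvolVersion
            UserDS         = $g.User.DSVersion
            UserSysvol     = $g.User.SysvolVersion
            InSync         = ($g.Computer.DSVersion -eq $g.Computer.SysvolVersion) -and
                             ($g.User.DSVersion -eq $g.User.SysvolVersion)
        }
    }
}

# Constructed GPT.INI content: Version=196610 is 0x00030002, i.e. user version 3, computer version 2.
$gptIni = "[General]`r`nVersion=196610`r`n"
$split = Split-GpoVersion -Version (Read-GptIniVersion -IniText $gptIni)
"GPT.INI says computer version $($split.Computer), user version $($split.User)"

# Constructed GPO objects: the second one has a SYSVOL copy that lags the AD copy.
$sampleGpos = @(
    [pscustomobject]@{ DisplayName = 'Default Domain Policy'; Id = '31B2F340-016D-11D2-945F-00C04FB984F9'
                       Computer = [pscustomobject]@{ DSVersion = 2; SysvolVersion = 2 }
                       User     = [pscustomobject]@{ DSVersion = 3; SysvolVersion = 3 } }
    [pscustomobject]@{ DisplayName = 'Workstation Baseline'; Id = '0f1a2b3c-1111-2222-3333-444455556666'
                       Computer = [pscustomobject]@{ DSVersion = 9; SysvolVersion = 8 }
                       User     = [pscustomobject]@{ DSVersion = 1; SysvolVersion = 1 } }
)
Test-GpoVersionSync -Gpos $sampleGpos | Format-Table -AutoSize
# Workstation Baseline shows InSync = False: computer-side 9 in AD but 8 in SYSVOL.

# Live check (GroupPolicy module): list every GPO in the domain whose GPC and GPT disagree.
#   Test-GpoVersionSync -Gpos (Get-GPO -All) | Where-Object { -not $_.InSync }
# The GPT of a GPO lives at \\<domain>\SYSVOL\<domain>\Policies\{<Id>}\GPT.INI
```

A GPO that stays out of sync after the replication interval has passed is the classic sign of a broken SYSVOL replication (FRS journal wrap, DFS-R backlog) on the domain controller you queried; clients served by that DC will keep applying the old settings.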
45.

What are GPO links? What special things can I do to them? Ans

Linking GPOs

To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using GPMC. Keep in mind that creating and linking GPOs is a sensitive privilege that should be delegated only to administrators who are trusted and understand Group Policy.
Linking GPOs to the Site

If you have a number of policy settings to apply to computers in a particular physical location only - certain network or proxy configuration settings, for example - these settings might be appropriate for inclusion in a site-based policy. Because domains and sites are independent, it is possible that computers in the site might need to cross domains to link the GPO to the site. In this case, make sure there is good connectivity. If, however, the settings do not clearly correspond to computers in a single site, it is better to assign the GPO to the domain or OU structure rather than to the site.
Linking GPOs to the Domain

Link GPOs to the domain if you want them to apply to all users and computers in the domain. For example, security administrators often implement domain-based GPOs to enforce corporate standards. They might want to create these GPOs with the GPMC Enforce option enabled to guarantee that no other administrator can override these settings. Important

If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option. In general, do not modify this or the Default Domain Controller Policy GPO. If you do, be sure to back up these and any other GPOs in your network by using GPMC to ensure you can restore them.

As the name suggests, the Default Domain Policy GPO is also linked to the domain. The Default Domain Policy GPO is created when the first domain controller in the domain is installed and the administrator logs on for the first time. This GPO contains the domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy), which are enforced by the domain controllers in the domain. All domain controllers retrieve the values of these account policy settings from the Default Domain Policy GPO. In order to apply account policies to domain accounts, these policy settings must be deployed in a GPO linked to the domain, and it is recommended that you set these settings in the Default Domain Policy. If you set account policies at a lower level, such as an OU, the settings only affect local accounts (non-domain accounts) on computers in that OU and its children.

Before making any changes to the default GPOs, be sure to back up the GPO using GPMC. If for some reason there is a problem with the changes to the default GPOs and you cannot revert back to the previous or initial states, you can use the Dcgpofix.exe tool to recreate the default policies in their initial state. Dcgpofix.exe is a command-line tool that completely restores the Default Domain Policy GPO and Default Domain Controllers Policy GPO to their original states in the event of a disaster where you cannot use GPMC. Dcgpofix.exe restores only the policy settings that are contained in the default GPOs at the time they are generated. The only Group Policy extensions that include policy settings in the default GPOs are RIS, Security, and EFS. Dcgpofix.exe does not restore other GPOs that administrators create; it is only intended for disaster recovery of the default GPOs. Note that Dcgpofix.exe does not save any information created through applications, such as SMS or Exchange. The Dcgpofix.exe tool is included with Windows Server 2003 and only works in a Windows Server 2003 domain. Dcgpofix.exe is located in the C:\Windows\Repair folder. The syntax for Dcgpofix.exe is as follows:

    DCGPOFix [/Target: Domain | DC | BOTH]

Table 2.1 describes the options you can use with the /Target parameter of the Dcgpofix.exe tool.

Table 2.1 Dcgpofix.exe Options for the /Target Parameter

    /Target option    Description
    DOMAIN            Specifies that the Default Domain Policy should be recreated.
    DC                Specifies that the Default Domain Controllers Policy should be recreated.
    BOTH              Specifies that both the Default Domain Policy and the Default Domain Controllers Policy should be recreated.

Because Dcgpofix.exe resets the Default Domain Policy to its installation-time values, any hardening you applied to it (longer minimum password length, a lockout threshold, stricter Kerberos ticket lifetimes) is lost and must be re-applied; restoring the GPMC backup is always the better option when one exists. For more information about Dcgpofix.exe, in Help and Support Center for Windows Server 2003 click Tools, and then click Command-line reference A-Z.
Linking GPOs to the OU Structure

Most GPOs are normally linked to the OU structure because this provides the most flexibility and manageability:

You can move users and computers into and out of OUs. OUs can be rearranged if necessary. You can work with smaller groups of users who have common administrative requirements. You can organize users and computers based on which administrators manage them.

Organizing GPOs into user- and computer-oriented GPOs can help make your Group Policy environment easier to understand and can simplify troubleshooting. However, separating the user and computer components into separate GPOs might require more GPOs. You can compensate for this by adjusting the GPO Status to disable the user or computer configuration portions of the GPO that do not apply and to reduce the time required to apply a given GPO.
Changing the GPO Link Order

Within each domain, site, and OU, the link order controls the order in which GPOs are applied. To change the precedence of a link, you can change the link order, moving each link up or down in the list to the appropriate location. Links with the lowest number have higher precedence for a given site, domain, or OU. For example, if you add six GPO links and later decide that you want the last one that you added to have the highest precedence, you can adjust the link order of the GPO link so it has link order of 1. To change the link order for GPO links for a domain, OU, or site, use GPMC
46.

What can I do to prevent inheritance from above? Ans

You can block policy inheritance for a domain or organizational unit. Using Block Inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child container. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default), and then block inheritance only on the organizational unit to which the policies should not be applied. Note that Enforced GPO links will always be inherited.

47.

How can I override blocking of inheritance? Ans

Enforced: this was previously referred to in Windows 2000 as "No Override". The Enforced flag is set on a GPO link using the GPMC. What it does is say: "If any downstream GPO (a GPO processed after the enforced one) has a conflicting setting, the enforced GPO's setting wins." It works by moving any GPO links that are marked as Enforced to the end of the Group Policy processing list. This ensures that the enforced policy is always processed last, and thus "wins" over any downstream GPOs; if several links are enforced, the one linked higher in the hierarchy is processed last and wins. Enforced GPOs also override Block Inheritance (described next).

Block Inheritance: the Block Inheritance flag is set on a container object, specifically either an OU or a domain. The purpose of Block Inheritance is to block upstream GPOs from being processed (except for GPOs whose links carry the Enforced flag). For example, if I have two OUs, Marketing and East, and East is a child OU of Marketing, I can set the Block Inheritance flag on the East OU and any GPOs linked to Marketing will be blocked and won't apply to users and computers in the East OU. The local GPO is not linked to a container and is therefore never blocked.
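The processing order from question 42 and the Enforced and Block Inheritance rules from questions 46 and 47 can be worked through mechanically. The following PowerShell is an added example, not from the original page: a function that takes a container chain (site, domain, OUs from the top down) with link orders and flags, and returns the order in which the GPOs are processed. The chain below is constructed and every GPO and container name in it is made up; the function needs no domain connection.

```powershell
# Added example (not from the original page): compute GPO processing order under these rules:
#  - Local GPO first, then Site, Domain and OUs from the top down; the GPO processed last wins.
#  - Within one container the lowest link order number is processed last (highest precedence).
#  - Block Inheritance on a container drops every non-enforced link from the containers above it.
#  - Enforced links are processed after all others; among enforced links, the one linked
#    nearest the top of the hierarchy is processed last, so it cannot be overridden.

function Get-GpoProcessingOrder {
    param(
        # Ordered chain from the site down to the container holding the object. Each element has
        # Name, BlockInheritance (bool) and Links, an array of objects with Gpo, LinkOrder, Enforced.
        [Parameter(Mandatory)] [object[]] $Chain
    )
    $order = New-Object System.Collections.Generic.List[object]
    # The local GPO is not linked to any container, so Block Inheritance never removes it.
    $order.Add([pscustomobject]@{ Gpo = 'Local Group Policy'; Container = 'Local'; Enforced = $false })

    $enforcedGroups = @()
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        $container = $Chain[$i]
        # Block Inheritance on any container below this one hides this container's non-enforced links.
        $blockedBelow = $false
        if ($i -lt $Chain.Count - 1) {
            $blockedBelow = @($Chain[($i + 1)..($Chain.Count - 1)] | Where-Object { $_.BlockInheritance }).Count -gt 0
        }
        # Higher link order numbers are processed first, so link order 1 ends up last within the container.
        $sorted = @($container.Links | Sort-Object LinkOrder -Descending | ForEach-Object {
            [pscustomobject]@{ Gpo = $_.Gpo; Container = $container.Name; Enforced = [bool]$_.Enforced }
        })
        $enforcedHere = @($sorted | Where-Object { $_.Enforced })
        if ($enforcedHere.Count -gt 0) { $enforcedGroups += , $enforcedHere }
        if (-not $blockedBelow) {
            foreach ($entry in ($sorted | Where-Object { -not $_.Enforced })) { $order.Add($entry) }
        }
    }
    # Enforced groups: the one from the container nearest the top goes last, so a domain-level
    # Enforced link beats an OU-level one.
    for ($j = $enforcedGroups.Count - 1; $j -ge 0; $j--) {
        foreach ($entry in $enforcedGroups[$j]) { $order.Add($entry) }
    }
    $step = 0
    foreach ($entry in $order) {
        $step++
        [pscustomobject]@{ Step = $step; Gpo = $entry.Gpo; Container = $entry.Container; Enforced = $entry.Enforced }
    }
}

# Constructed chain: a site, the domain and two nested OUs, the child OU blocking inheritance.
$chain = @(
    [pscustomobject]@{ Name = 'Site: HQ';      BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'HQ Proxy Settings';     LinkOrder = 1; Enforced = $false }) }
    [pscustomobject]@{ Name = 'Domain';        BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Corporate Security';    LinkOrder = 1; Enforced = $true },
        [pscustomobject]@{ Gpo = 'Default Domain Policy'; LinkOrder = 2; Enforced = $false }) }
    [pscustomobject]@{ Name = 'OU: Marketing'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Marketing Desktop';     LinkOrder = 1; Enforced = $false }) }
    [pscustomobject]@{ Name = 'OU: East';      BlockInheritance = $true;  Links = @(
        [pscustomobject]@{ Gpo = 'East Printers';         LinkOrder = 2; Enforced = $false },
        [pscustomobject]@{ Gpo = 'East Lockdown';         LinkOrder = 1; Enforced = $false }) }
)
Get-GpoProcessingOrder -Chain $chain | Format-Table -AutoSize
# Resulting order: Local Group Policy, East Printers, East Lockdown, Corporate Security.
# Block Inheritance on East removed HQ Proxy Settings, Default Domain Policy and Marketing Desktop;
# the enforced Corporate Security survived the block and is processed last, so it wins any conflict.
```

Flip the BlockInheritance flag on East to $false and the output grows to all seven GPOs, with East Lockdown in second-to-last place and Corporate Security still last: that is exactly the reason the answer above recommends Enforced for corporate security baselines linked at the domain.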
48.

How can you determine what GPO was and was not applied for a user? Name a few ways to do that. Ans

Group Policy Management Console (GPMC) can help when you need to troubleshoot GPO behaviour. It allows you to examine the settings of a specific GPO, and it can also be used to determine how your GPOs are linked to sites, domains, and OUs. The Group Policy Results report collects information from a computer and user and lists the policy settings that are in effect, as well as which GPOs were applied or denied and why (security filtering, WMI filter, disabled link, empty GPO). To create a Group Policy Results report, right-click Group Policy Results, and select Group Policy Results Wizard on the shortcut menu. This launches the Group Policy Results Wizard, which guides you through various pages to set parameters for the information that should be displayed in the report. Group Policy Modeling, next to it in GPMC, answers the "what would apply if" question without the user logging on.

Gpresult.exe: click Start > Run > cmd, then run gpresult (gpresult /r on Windows Vista and later; /v or /z for verbose output; /h file.html for an HTML report). It lists the applied GPOs and the GPOs that were filtered out, with the reason. RSOP.msc shows the same resultant set of policy in an MMC view. The Group Policy event log (Microsoft-Windows-GroupPolicy/Operational on Vista and later, Userenv.log on earlier versions) records each processing cycle and the errors behind a missing GPO.
49. A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?

Ans Only one user does not get the GPO, so the cause is specific to that user or computer rather than to the GPO link: name resolution or physical connectivity problems on the client, security filtering (the user, or a group he belongs to, lacks the Read and Apply Group Policy permissions on the GPO or has an explicit Deny), a WMI filter that evaluates to false on his computer, or loopback processing on that computer.

Answer 2: Start troubleshooting by running RSOP.MSC (Resultant Set of Policy) or gpresult /z to verify whether the relevant GPO actually applies to that user, and which GPOs were denied and why. Identify which GPOs the output corresponds to, and verify that they are applicable to the computer/user based on the output of RSOP.MSC/gpresult. A slow or late network can also be the cause: by default Windows XP and later clients use Fast Logon Optimization and process Group Policy asynchronously in the background, so a newly linked GPO can take up to two logons (or reboots) to take effect. You can force synchronous processing by enabling the policy Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon.
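For questions 48 and 49 the most useful artifact is the gpresult output itself. The following PowerShell is an added example, not from the original page: a parser for the text that gpresult /r prints, run here over a constructed sample transcript (the user, domain and GPO names are made up), so that the filtered-out GPOs and the reason gpresult gives for each can be picked out programmatically. The live call at the end assumes Windows Vista or later, where gpresult accepts /r.

```powershell
# Added example (not from the original page): parse "gpresult /r" text into objects, one per GPO,
# with Scope (Computer or User), Applied, and for filtered GPOs the reason gpresult prints
# ("Denied (Security)", "Denied (WMI Filter)", "Not Applied (Empty)").

function ConvertFrom-GpResultText {
    param([Parameter(Mandatory)] [string] $Text)
    $results = New-Object System.Collections.Generic.List[object]
    $scope = $null; $section = $null; $pending = $null

    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$') { continue }             # blank lines and heading underlines
        if ($line -eq 'COMPUTER SETTINGS') { $scope = 'Computer'; $section = $null; continue }
        if ($line -eq 'USER SETTINGS')     { $scope = 'User';     $section = $null; continue }
        if ($line -like 'Applied Group Policy Objects*')        { $section = 'Applied';  continue }
        if ($line -like 'The following GPOs were not applied*') { $section = 'Filtered'; $pending = $null; continue }
        if ($line -match '^The (user|computer) is a part of')   { $section = $null; continue }   # group list follows

        switch ($section) {
            'Applied' {
                if ($line -ne 'N/A') {
                    $results.Add([pscustomobject]@{ Scope = $scope; Gpo = $line; Applied = $true; Reason = '' })
                }
            }
            'Filtered' {
                # A GPO name line is followed by an indented "Filtering:  <reason>" line.
                if ($line -match '^Filtering:\s*(.+)$') {
                    if ($pending) {
                        $results.Add([pscustomobject]@{ Scope = $scope; Gpo = $pending; Applied = $false; Reason = $Matches[1] })
                        $pending = $null
                    }
                } elseif ($line -ne 'N/A') {
                    $pending = $line
                }
            }
        }
    }
    $results
}

function Get-GpoStatus {
    # Looks one GPO up in parsed gpresult output and says whether it applied and, if not, why.
    param([Parameter(Mandatory)] [object[]] $Results, [Parameter(Mandatory)] [string] $GpoName, [string] $Scope = 'User')
    $hit = $Results | Where-Object { $_.Scope -eq $Scope -and $_.Gpo -eq $GpoName } | Select-Object -First 1
    if (-not $hit)    { return "$GpoName is not linked anywhere in scope for this $Scope" }
    if ($hit.Applied) { return "$GpoName applied" }
    "$GpoName was filtered out: $($hit.Reason)"
}

# Constructed sample transcript in the layout gpresult /r uses (names are made up).
$sample = @'
USER SETTINGS
--------------
    CN=Bob,OU=East,OU=Marketing,DC=corp,DC=example
    Last time Group Policy was applied: 5/10/2008 at 9:02:11 AM
    Group Policy was applied from:      dc1.corp.example
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CORP
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Corporate Security

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        East Lockdown
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
'@

$parsed = ConvertFrom-GpResultText -Text $sample
$parsed | Format-Table -AutoSize
Get-GpoStatus -Results $parsed -GpoName 'East Lockdown'   # East Lockdown was filtered out: Denied (Security)

# Live use (Vista and later; run as the affected user, or with /user for another user's settings):
#   $parsed = ConvertF\rom-GpResultText -Text ((gpresult /r /scope user) -join "`n")
```

"Denied (Security)" for one user while the rest of the OU gets the GPO points straight at security filtering: check the GPO's Delegation tab (or its ACL) for a missing Read or Apply Group Policy ACE on a group that user is in, or an explicit Deny. "Denied (WMI Filter)" means the filter evaluated to false on that machine; "Not Applied (Empty)" is the normal result for a GPO with no settings in that half.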

50.

Name a few differences in Vista GPOs Ans

As if Windows XP Professional Service Pack 2 had not added enough settings to Group Policy, Vista comes with even more new settings. There will be approximately 2400 possible settings in a Group Policy Object that is created for a Windows Vista computer. That adds about 800 settings, again about as many as Windows XP Service Pack 2 added. Many of the settings are being added in response to customer feedback, while others are there to support new features that will be included in Vista. Some of the more important additions include those listed under the following areas.

Power Management: by far the number one area of configuration that people have wanted since the advent of Group Policy is the ability to control Power Management. Finally, Microsoft has added this capability in Windows Vista. The reasons for controlling power can provide an immediate impact for companies, since both Microsoft and the EPA have tested and reported that you can save over $50 per computer, per year by establishing power management settings on desktops. The idea is simple: there is no reason to have the computer in a full power state when the end user is not even at work. Before Vista, companies had to look at products from DesktopStandard and Full Armor to control power for Windows 2000 and XP.

Device Installation Controls: most IT professionals that work in the area of security for their company are very concerned about removable media devices. These devices pose a looming threat to the desktop and the network as a whole. Without control over the installation and use of these devices, users can introduce viruses, worms, and other malicious applications using these media, or carry data out on them. Vista includes settings that allow control over the installation and use of USB drives, CD-RW, DVD-RW, and other removable media.

Security Settings: in Vista, Microsoft has joined two security related technologies together, Windows Firewall and IPsec, in the Windows Firewall with Advanced Security snap-in. This makes a lot of sense, since it lets you protect computers with IPsec from within the firewall rules. Protection can be gained for server-to-server communications, for controlling which resources a computer can access on the network based on the computer's health, and for resource access based on a regulatory requirement. As these security settings are important to every computer, it only makes sense that there are settings for them in Group Policy.

Printer Assignment Based on Location: printer management is a nightmare for almost every company and network admin. With most companies using a brigade of laptop computers, printer management has become even more complex as users move from building to building or campus to campus. Vista solves this issue by allowing printers to be configured based on the current Active Directory site the computer belongs to. Since Active Directory sites typically map the geographical or physical network topology, this is a good fit for delivering printers to laptop users. Before Vista, companies had to look at products from DesktopStandard and Full Armor to control printers for Windows 2000 and XP.

Redesign of ADM Templates: if you administer Group Policy for your company, you have most likely come face-to-face with an ADM template. These ADM templates were first introduced with Windows NT 4, using a markup language to define and implement changes to the Registry. As Group Policy was introduced, the concept of the ADM template did not change, although some new capabilities did come along. ADM templates provide a needed method to alter Registry values, but have their problems, including:

ADM bloat caused by the duplication of ADM templates in every GPO (a copy of every template inside each GPT in SYSVOL)
ADM template version mismatches, many times caused by the introduction of a service pack into the environment on one or more computers
Confusing policies or preferences settings, depending on which portion of the Registry is being modified
Inability to control multi-string or binary Registry values

Microsoft knows that ADM templates are really a stop gap for your Registry hacking needs, but they did a good job until Vista. With Vista, the majority of these issues are solved by the conversion of ADM templates into a new XML-based format, as well as the introduction of a repository for the templates. The new XML-based files are called ADMX files; the language-specific strings move into companion ADML files, so one ADMX file can be displayed in any language. The ADMX files also take the large, bulky ADM templates and chop them up into smaller, more manageable files. One of my favorite features of Vista is the introduction of the ADMX central store. This provides a centralized method for updating, storing, and managing ADMX files. ADMX files no longer need to be stored in each GPO. Instead, each GPO looks to the central store for the ADMX files. This saves space on domain controllers and allows for easier management of these files.

Network Location Awareness: Group Policy and the application of the settings in Group Policy Objects rely heavily on the availability of the network, as well as the connection speed of the network. Vista takes a new approach to network awareness, allowing faster boot times and more reliable application of policy. The following areas of network awareness are tackled in Windows Vista:

When a computer is booting, the time spent trying to apply policy even though the network is not yet available can be daunting. Vista provides indicators to Group Policy application as to whether the NIC is enabled or disabled, as well as indications as to when the network is available.
Vista introduces the ability for a client to detect when a domain controller is available or when one becomes available again after a period of being offline. This is ideal for remote access connections, such as dialup and VPNs.
There is no longer a reliance on ICMP (PING) for determining the connection speed to the domain controller. This was needed for slow link detection, but if ICMP was blocked for security reasons the ping failed, and Group Policy application failed with it. Now network location awareness handles the bandwidth determination, allowing policy refresh to succeed.
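The ADMX central store described above is nothing more than a PolicyDefinitions folder under the domain's Policies folder in SYSVOL, which Group Policy editors on Vista and later prefer over their local %SystemRoot%\PolicyDefinitions once it exists. The following PowerShell is an added example, not from the original page or from Microsoft: it creates the store from the local template folder and reports .admx files that lack a matching .adml for the chosen language (the editor shows an error for those). The domain name corp.example in the usage lines is an assumed value; the script needs write access to SYSVOL, which Domain Admins have by default.

```powershell
# Added example (not from the original page): create the ADMX central store and summarise it.
# Store path: \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions (plus one subfolder per language).

function Get-AdmxCentralStoreSummary {
    param([Parameter(Mandatory)] [string] $DomainDnsName, [string] $Language = 'en-US')
    $store = "\\$DomainDnsName\SYSVOL\$DomainDnsName\Policies\PolicyDefinitions"
    $admx  = @(Get-ChildItem -Path $store -Filter *.admx -ErrorAction SilentlyContinue)
    $adml  = @(Get-ChildItem -Path (Join-Path $store $Language) -Filter *.adml -ErrorAction SilentlyContinue)
    # Every .admx needs a same-named .adml in the language folder, or the editor reports the template as broken.
    $missing = @($admx | Where-Object { -not (Test-Path (Join-Path $store "$Language\$($_.BaseName).adml")) } | ForEach-Object { $_.BaseName })
    [pscustomobject]@{
        Store           = $store
        Exists          = (Test-Path $store)
        AdmxCount       = $admx.Count
        AdmlCount       = $adml.Count
        AdmxWithoutAdml = $missing
    }
}

function New-AdmxCentralStore {
    param(
        [Parameter(Mandatory)] [string] $DomainDnsName,
        # Source defaults to the local template folder of the machine you run this on.
        [string] $Source   = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string] $Language = 'en-US'
    )
    $store   = "\\$DomainDnsName\SYSVOL\$DomainDnsName\Policies\PolicyDefinitions"
    $langSrc = Join-Path $Source $Language
    $langDst = Join-Path $store  $Language
    foreach ($dir in @($store, $langDst)) {
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    }
    # Copy the language-neutral .admx files and the .adml strings for the chosen language.
    Copy-Item -Path (Join-Path $Source  '*.admx') -Destination $store   -Force
    Copy-Item -Path (Join-Path $langSrc '*.adml') -Destination $langDst -Force
    Get-AdmxCentralStoreSummary -DomainDnsName $DomainDnsName -Language $Language
}

# Usage from a domain-joined admin workstation (assumed domain name):
#   New-AdmxCentralStore -DomainDnsName 'corp.example'
#   Get-AdmxCentralStoreSummary -DomainDnsName 'corp.example'
```

Because the store is replicated with the rest of SYSVOL, the copy runs on one domain controller's share and reaches the others through FRS or DFS-R; rerun the function with a newer local PolicyDefinitions folder (a service pack or a newly installed product's templates) to update it, and keep one administrator as the owner of that update so the version-mismatch problem the text describes does not come back in ADMX form.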

51. Name some GPO settings in the computer and user parts.

Ans Every GPO has two halves. Computer Configuration applies when the computer starts (its settings land in HKEY_LOCAL_MACHINE) and User Configuration applies when a user logs on (its settings land in HKEY_CURRENT_USER). Examples of settings in each:

Computer Configuration: Software Settings > Software Installation (assign packages to computers); Windows Settings > Scripts (startup and shutdown); Windows Settings > Security Settings (password and account lockout policy, Kerberos policy, audit policy, user rights assignment, security options, event log settings, restricted groups, system services, registry and file system ACLs, IPsec); Administrative Templates (Windows Update, Windows Installer, Remote Assistance, logon options, Group Policy processing behavior).

User Configuration: Software Settings > Software Installation (assign or publish packages to users); Windows Settings > Scripts (logon and logoff); Windows Settings > Folder Redirection (My Documents, Application Data, Desktop, Start Menu); Windows Settings > Internet Explorer Maintenance; Administrative Templates (desktop wallpaper, Start menu and taskbar restrictions, Control Panel access, Windows Explorer restrictions, removing Run or Shut Down).

52.

What are administrative templates?

Ans GPO settings are divided between Computer Configuration and User Configuration. In both halves of a GPO there is a large section called Administrative Templates.

Administrative Templates are a large repository of registry-based settings (over 1300 individual settings) found in every GPO on Windows 2000, Windows XP and Windows Server 2003. Using the Administrative Templates sections of a GPO you deploy changes to the machine portion (HKEY_LOCAL_MACHINE) and the user portion (HKEY_CURRENT_USER) of the Registry on the computers the GPO applies to. True policy settings are written under the Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies keys, which ordinary users cannot write to and which the Group Policy engine cleans up when the GPO no longer applies.

The Administrative Templates themselves are Unicode-formatted text files with the extension .ADM. They are not the settings; they tell the Group Policy Object Editor which Registry key and value each setting writes and how to present that setting in the user interface.

In Windows 2000 and Windows Server 2003 Group Policy Objects (GPOs) you find hundreds of useful settings and configuration options, divided into specific sections. With GPOs you create policies that centralize the management of user and computer settings. Among the things that can be accomplished via GPO are:

Manage desktop environments and lock them down to reduce support calls and TCO (Total Cost of Ownership)
Install, update, repair and remove software
Manage security settings including account policies, auditing, EFS and user rights
Control the running state of services
Redirect My Documents folders
Configure Internet Explorer options and security settings
Automate administrative tasks using logon, logoff, startup and shutdown scripts

and many more. (The original article illustrated these sections with a screenshot of the Group Policy Object Editor; it is not reproduced here.)


Windows 2000/XP/2003 ship with these built-in default Administrative Templates:

Template       Found on                                            Description
Conf.adm       Windows 2000/XP/2003                                Contains settings for configuring NetMeeting
Inetres.adm    Windows 2000/XP/2003                                Contains settings for configuring Internet Explorer
System.adm     Windows 2000/XP/2003                                Contains settings for configuring core OS functions and GUI settings
Wmplayer.adm   Windows XP/2003                                     Contains settings for configuring Windows Media Player
Wuau.adm       Windows 2000 SP3 or higher/XP SP1 or higher/2003    Contains settings for configuring Windows Update automatic updates

These .ADM files are located in the %SystemRoot%\inf folder and are copied into the Adm folder of a GPO in SYSVOL whenever you create a new GPO or open one in the editor (unless you turn this off with the User Configuration > Administrative Templates > System > Group Policy > "Turn off automatic update of ADM files" setting). Besides these templates, Windows 2000/XP/2003 also ship other .ADM files that can be used in several scenarios:
Template       Description
Common.adm     Contains settings that are in common with Windows 9x/NT (used with the NT-based System Policy Editor)
Inetcorp.adm   Contains settings for configuring dial-up, language and various Internet Explorer settings
Inetset.adm    Contains additional policy settings for configuring Internet Explorer
Windows.adm    Contains settings specific to Windows 9x (used with the NT-based System Policy Editor)

However, there may be times when an administrator needs to add more options to a new or existing GPO. Some examples of such additions are:

Settings to disable mobile storage devices (USB drives, MP3 players, cameras and so on)
Settings to control the functionality of specific Windows features
Settings to control the behavior of specific Windows services or drivers
Settings that add or change registry keys
Changes to the Windows security model

One method an administrator can use to control such settings is logon scripts and remote registry tweaks. This requires knowledge of a scripting language, but it is highly customizable and flexible, and is not restricted by GPO limitations (for example, not working on pre-Windows 2000 computers). That method is not covered in this article.

Another method is to extend the Administrative Templates section of the GPO by adding new .ADM files to it. To add .ADM files to the existing Administrative Templates section of a GPO, follow the steps outlined in the Adding New Administrative Templates to a GPO article.

A good example of .ADM files that can and should be used on a network is the set of Administrative Templates extension files that is part of the Office 2000/XP/2003 Resource Kit. When you install the Resource Kit for the respective Office version, its .ADM files are copied to the %SystemRoot%\inf folder of the machine on which the Resource Kit was installed. The moment you edit an Active Directory-based GPO on that machine (a Windows 2000/XP Professional workstation or a server), the .ADM file(s) in use are copied to the SYSVOL folder on the target DC (typically the PDC Emulator) and from there replicated throughout the domain. This per-GPO copying is also how the ADM version mismatches described earlier arise: each GPO keeps whichever version of the template the last editing machine had.

(The original article showed a screenshot of the new Office .ADM files being added to a GPO here; it is not reproduced.)
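Because every GPO carries its own Adm folder, the duplication and version drift discussed above (and in the ADM bloat list in the ADMX section) can be measured directly in SYSVOL. The following audit is an added example, not code from the original article: it inventories every .adm file under every GPO folder, hashes them, and reports how many copies and how many distinct versions of each template exist, and how many of the copies match the %SystemRoot%\inf reference on the machine running the script. It assumes read access to SYSVOL and PowerShell 4 or later (for Get-FileHash); the domain name is taken from the logon session.

```powershell
# Added example, not code from the original article.
# Audits the per-GPO copies of .ADM templates in SYSVOL against the local
# %SystemRoot%\inf copies. Every GPO has its own Adm folder, so the same
# template is duplicated once per GPO ("ADM bloat") and drifts after a service
# pack updates one admin workstation. Assumes read access to SYSVOL, PS 4+.

$Domain       = $env:USERDNSDOMAIN
$PoliciesRoot = "\\$Domain\SYSVOL\$Domain\Policies"
$LocalInf     = Join-Path $env:SystemRoot 'inf'

function Get-AdmInventory {
    param([string]$Root)
    # GPO folders in SYSVOL are named by GUID in braces.
    Get-ChildItem -Path $Root -Directory -Filter '{*}' | ForEach-Object {
        $gpoDir = $_
        Get-ChildItem -Path (Join-Path $gpoDir.FullName 'Adm') -Filter *.adm -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo  = $gpoDir.Name
                    Adm  = $_.Name
                    Size = $_.Length
                    Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Compare-AdmVersions {
    param([object[]]$Inventory, [string]$Reference)
    foreach ($group in ($Inventory | Group-Object Adm)) {
        $refFile = Join-Path $Reference $group.Name
        $refHash = if (Test-Path $refFile) { (Get-FileHash -Path $refFile -Algorithm SHA256).Hash } else { $null }
        $total   = ($group.Group | Measure-Object -Property Size -Sum).Sum
        [pscustomobject]@{
            Adm          = $group.Name
            Copies       = $group.Count
            Variants     = @($group.Group | Group-Object Hash).Count   # >1 means version drift
            WastedBytes  = $total - ($group.Group | Select-Object -First 1).Size
            MatchesLocal = if ($refHash) { @($group.Group | Where-Object Hash -eq $refHash).Count } else { 'n/a' }
        }
    }
}

$inv = Get-AdmInventory -Root $PoliciesRoot
Compare-AdmVersions -Inventory $inv -Reference $LocalInf |
    Sort-Object Variants -Descending |
    Format-Table -AutoSize
```

Any template with Variants greater than 1 is being edited from machines with different template versions; the GPO whose copy is oldest will show (or hide) different settings in the editor than the others, which is the situation the ADMX central store was designed to eliminate.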

53. What's the difference between software publishing and assigning?

Ans An administrator can either assign or publish software applications through the Software Installation node of a GPO.

Assign to users: the application is advertised when the user logs on (Start menu shortcut and file associations appear), and it is actually installed the first time the user opens the shortcut or a file type associated with the application.

Assign to computers: the application is advertised and installed when it is safe to do so, normally when the computer next restarts, before anyone logs on, so it is available to every user of that machine.

Publish to users: the application does not appear on the Start menu or desktop, so the user may not know it is available. It can be installed from the Add/Remove Programs option in Control Panel, or on demand by opening a file type associated with the application.

Assigned applications are resilient: Windows Installer repairs them if files are deleted. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.
54. Can I deploy non-MSI software with GPO?

Ans Not directly. Group Policy Software Installation only understands Windows Installer packages (.msi, optionally with .mst transforms and .msp patches). For a setup.exe you have three options: repackage it as an MSI with a third-party packaging tool (and test the result, because repackagers capture before/after system differences and can pick up unrelated changes); publish it to users with a .zap file, a small text file that names the application and the setup command on a share (.zap packages can only be published to users, never assigned, and the installer runs with the user's own privileges, so it fails for non-administrators if setup needs elevation); or run the installer from a computer startup script, which executes as SYSTEM.

55. You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

Ans The approach described here is a mandatory profile:

1. Log on to a client as a domain user, configure everything you want (wallpaper, Start menu layout, add printers and so on) and log off.
2. As an administrator, open System Properties > Advanced > User Profiles, select that profile and click Copy To. Copy it to a share on a server and, under "Permitted to use", select Everyone (or the department's security group).
3. In the copied profile, rename NTUSER.DAT to NTUSER.MAN, which makes the profile mandatory: changes users make are discarded at logoff.
4. Set the profile path on each department user's account (Profile tab in Active Directory Users and Computers) to that share.

The other, and usually better, answer is a GPO linked to the department's OU: Administrative Templates for the wallpaper and Start menu restrictions, Folder Redirection for My Documents, and a logon script (or, on Windows Server 2008, Group Policy Preferences) for the printers. A GPO can be changed centrally without rebuilding the profile, and it does not break when the user logs on to a machine the profile was not built for.
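The GPO-based approach for the wallpaper and desktop lockdown part, as an added example that is not from the original page: it creates a GPO for the department, writes the registry-backed Administrative Templates settings that the "Desktop Wallpaper" and "Prevent changing desktop background" policies use, links it to the department OU and verifies the link. It requires the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT) and rights to create and link GPOs; the OU path, share name and GPO name are placeholders. Folder Redirection and printer deployment have no cmdlets and are still configured in the editor.

```powershell
# Added example, not code from the original page.
# Builds the department GPO that replaces a mandatory profile for the
# wallpaper and desktop-lockdown part. Requires the GroupPolicy module
# (RSAT or a 2008 R2+ DC) and rights to create and link GPOs.
# OU, share and GPO name below are placeholders.

Import-Module GroupPolicy

$GpoName   = 'Finance - Standard Desktop'                                 # placeholder
$TargetOu  = 'OU=Finance,OU=Workstations,DC=corp,DC=example,DC=com'       # placeholder
$Wallpaper = '\\fileserver\desktop$\finance.jpg'                          # placeholder
$PolicyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'

function New-DepartmentDesktopGpo {
    param([string]$Name, [string]$WallpaperPath)

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Standard desktop for the department' }

    # User Configuration > Administrative Templates > Desktop > Desktop > Desktop Wallpaper
    Set-GPRegistryValue -Name $Name -Key "$PolicyKey\System" `
        -ValueName 'Wallpaper' -Type String -Value $WallpaperPath | Out-Null
    Set-GPRegistryValue -Name $Name -Key "$PolicyKey\System" `
        -ValueName 'WallpaperStyle' -Type String -Value '2' | Out-Null      # 2 = stretch

    # ... > Control Panel > Display > Prevent changing wallpaper
    Set-GPRegistryValue -Name $Name -Key "$PolicyKey\ActiveDesktop" `
        -ValueName 'NoChangingWallPaper' -Type DWord -Value 1 | Out-Null

    # ... > Start Menu and Taskbar > Prevent changes to Taskbar and Start Menu Settings
    Set-GPRegistryValue -Name $Name -Key "$PolicyKey\Explorer" `
        -ValueName 'NoSetTaskbar' -Type DWord -Value 1 | Out-Null

    $gpo
}

function Set-GpoLink {
    param([string]$Name, [string]$Ou)
    # New-GPLink errors if the link already exists, so check first.
    $linked = (Get-GPInheritance -Target $Ou).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) { New-GPLink -Name $Name -Target $Ou -LinkEnabled Yes | Out-Null }
    (Get-GPInheritance -Target $Ou).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
}

New-DepartmentDesktopGpo -Name $GpoName -WallpaperPath $Wallpaper | Out-Null
Set-GpoLink -Name $GpoName -Ou $TargetOu | Format-List DisplayName, Enabled, Enforced, Order
```

Because the values are written under the Policies keys, they are true policies: users cannot edit them, and they are removed from the Registry when the GPO is unlinked, unlike settings baked into a copied profile.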
56. What is the main difference between Windows Server 2003 and 2008?

Ans The headline differences are virtualization and management. Windows Server 2008 introduces new features and technologies, some of which were not available in Windows Server 2003 with Service Pack 1 (SP1), that help reduce the power consumption of server and client operating systems and increase server efficiency. It includes updated support for Advanced Configuration and Power Interface (ACPI) processor power management (PPM), including processor performance states (P-states) and processor idle sleep states on multiprocessor systems, and these can be managed across servers and clients using Group Policy. Security, IIS and domain controller deployment also changed: the Windows Firewall filters outbound as well as inbound traffic, IIS 7 shipped, and Read-Only Domain Controllers (RODC) were added.

Examples:
1. Virtualization: Hyper-V ships as a server role, on 64-bit editions only. More and more companies see it as a way of reducing hardware costs by running several virtual servers on one physical machine. Make sure you buy an edition of Windows Server 2008 that includes Hyper-V, then open Server Manager and add the role.
2. Server Core: the minimum installation required to carry out a specific server role, such as DHCP, DNS or print server, with a smaller attack surface and fewer patches to apply.
3. Better security: outbound firewall filtering, BitLocker, Network Access Protection and User Account Control.
4. Role-based installation through Server Manager.
5. Read-Only Domain Controllers (RODC): a domain controller that holds a read-only copy of the directory and by default caches no passwords, for branch offices where the DC cannot be physically secured.
6. Enhanced Terminal Services (TS Gateway, TS RemoteApp).
7. Network Access Protection: Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies before they receive full network access.
8. PowerShell: Microsoft's new(ish) command-line shell and scripting language, which has proved popular with server administrators.
9. IIS 7, with a modular architecture.
10. BitLocker: system drive encryption, a sensible security measure for servers located in remote branch offices.

Windows Server 2008 also has more in-box components and updated third-party drivers. Windows Server 2008, formerly codenamed Longhorn, was Microsoft's last 32-bit server operating system. In June 2007 Microsoft commissioned the Tolly Group to study the networking performance of its latest client and server operating systems; the resulting white paper, "Enhanced Network Performance with Microsoft Windows Vista and Windows Server 2008", reported network transfer speeds as much as 45 times faster than Windows Server 2003 in its test scenarios and concluded that both Vista and Windows Server 2008 offer "dramatic network performance benefits".
