Windows Server 2008 Job Interview Preparation
Guide.
Question # 1
What are some of the new tools and features
provided by Windows Server 2008?
Answer:-
Windows Server 2008 now provides
a desktop environment similar to Microsoft Windows Vista and includes tools
also found in Vista, such as the new backup snap-in
and the BitLocker drive encryption feature. Windows Server 2008 also provides
the new IIS7 web server and the Windows Deployment Service.
Question # 2
What are the different editions of Windows Server
2008?
Answer:-
The entry-level version of
Windows Server 2008 is the Standard Edition. The Enterprise Edition provides a
platform for large enterprisewide networks. The Datacenter Edition provides
support for unlimited Hyper-V virtualization and advanced clustering services.
The Web Edition is a scaled-down version of Windows Server 2008 intended for
use as a dedicated web server. The Standard, Enterprise, and Datacenter Editions can be
purchased with or without the Hyper-V virtualization technology.
Question # 3
What two hardware considerations should be an
important part of the planning process for a Windows Server 2008 deployment?
Answer:-
Any server on which you will
install Windows Server 2008 should have at least the minimum hardware
requirement for running the network operating system. Server hardware should
also be on the Windows Server 2008 Hardware Compatibility List to avoid the
possibility of hardware and network operating system incompatibility.
Question # 4
How does the activation process differ on
Windows Server 2008 as compared to Windows Server 2003?
Answer:-
You can select to have activation
happen automatically when the Windows Server 2008 installation is complete.
Make sure that the Automatically Activate Windows When I’m Online check box is
selected on the Product Key page.
Question # 5
What are the options for installing Windows
Server 2008?
Answer:-
You can install Windows Server
2008 on a server not currently configured with NOS, or you can upgrade existing
servers running Windows 2000 Server and Windows Server 2003.
Question # 6
How do you configure and manage a Windows
Server 2008 core installation?
Answer:-
This stripped-down version of
Windows Server 2008 is managed from the command line.
Question # 7
Which Control Panel tool enables you to
automate the running of server utilities and other applications?
Answer:-
The Task Scheduler enables you to
schedule the launching of tools such as Windows Backup and Disk Defragmenter.
Question # 8
What are some of the items that can be accessed
via the System Properties dialog box?
Answer:-
You can access virtual memory
settings and the Device Manager via the System Properties dialog box.
Question # 9
Which Windows Server utility provides a common
interface for tools and utilities and provides access to server roles,
services, and monitoring and drive utilities?
Answer:-
The Server Manager provides both
the interface and access to a large number of the utilities and tools that you
will use as you manage your Windows server.
Question # 10
How are local user accounts and groups created?
Answer:-
Local user accounts and groups
are managed in the Local Users and Groups node in the Server Manager. Local
user accounts and groups are used to provide local access to a server.
Question # 11
When a child domain is created in the domain
tree, what type of trust relationship exists between the new child domain and
the trees root domain?
Answer:-
Child domains and the root domain
of a tree are assigned transitive trusts. This means that the root domain and
child domain trust each other and allow resources in any domain in the tree to
be accessed by users in any domain in the tree.
Question # 12
What is the primary function of domain
controllers?
Answer:-
The primary function of domain
controllers is to validate users to the network. However, domain controllers
also provide the catalog of Active Directory objects to users on the network.
Question # 13
What are some of the other roles that a server
running Windows Server 2008 could fill on the network?
Answer:-
A server running Windows Server
2008 can be configured as a domain controller, a file server, a print server, a
web server, or an application server. Windows servers can also have roles and
features that provide services such as DNS, DHCP, and Routing and Remote
Access.
Question # 14
Which Windows Server 2008 tools make it easy to
manage and configure a servers roles and features?
Answer:-
The Server Manager window enables
you to view the roles and features installed on a server and also to quickly
access the tools used to manage these various roles and features. The Server
Manager can be used to add and remove roles and features as needed.
Question # 15
What Windows Server 2008 service is used to
install client operating systems over the network?
Answer:-
Windows Deployment Services (WDS)
enables you to install client and server operating systems over the network to
any computer with a PXE-enabled network interface.
Question # 16
What domain services are necessary for you to
deploy the Windows Deployment Services on your network?
Answer:-
Windows Deployment Services requires that a DHCP server and a DNS
server be installed in the domain.
Question # 17
How is WDS configured and managed on a server
running Windows Server 2008?
Answer:-
The Windows Deployment Services snap-in enables you to configure the
WDS server and add boot and install images to the server.
Question # 18
What utility is provided by Windows Server 2008
for managing disk drives, partitions, and volumes?
Answer:-
The Disk Manager provides all the
tools for formatting, creating, and managing drive volumes and partitions.
Question # 19
What is the difference between a basic and
dynamic drive in the Windows Server 2008 environment?
Answer:-
A basic disk embraces the MS-DOS
disk structure; a basic disk can be divided into partitions (simple volumes).
Dynamic disks consist of a single
partition that can be divided into any number of volumes. Dynamic disks also
support Windows Server 2008 RAID implementations.
Question # 20
What is RAID in Windows Server 2008?
Answer:- RAID, or Redundant Array of Independent Disks, is a
strategy for building fault tolerance into your file servers. RAID enables you
to combine one or more volumes
on separate drives so that they
are accessed by a single drive letter. Windows Server 2008 enables you to
configure RAID 0 (a striped set), RAID 1 (a mirror set), and RAID 5 (disk
striping with parity).
Question # 21
What is the most foolproof strategy for
protecting data on the network?
Answer:-
Regular backups of network data
provides the best method of protecting you from data loss.
Question # 22
What conceptual model helps provide an
understanding of how network protocol stacks such as TCP/IP work?
Answer:-
The OSI model, consisting of the
application, presentation, session, transport, network, data link, and physical
layers, helps describe how data is sent and received on the network by protocol
stacks.
Question # 23
What protocol stack is installed by default
when you install Windows Server 2008 on a network server?
Answer:-
TCP/IP (v4 and v6) is the default
protocol for Windows Server 2008. It is required for Active Directory
implementations and provides for connectivity on heterogeneous networks.
Question # 24
When TCP/IP is configured on a Windows server (or
domain client), what information is required?
Answer:-
You must provide at least the IP
address and the subnet mask to configure a TCP/IP client for an IPv4 client,
unless that client obtains this information from a DHCP
server. For IPv6 clients, the interface
ID is generated automatically from the MAC hardware address on the network
adapter. IPv6 can also use DHCP as a method to configure IP clients on the
network.
Question # 25
What are two command-line utilities that can be
used to check TCP/IP configurations and IP connectivity, respectively?
Answer:-
The ipconfig command can be used
to check a computer’s IP configuration and also renew the client’s IP address
if it is provided by a DHCP server. ping can be used to check the connection
between the local computer and any computer on the network, using the
destination computer’s IP address.
Question # 26
What term is used to refer to the first domain
created in a new Active Directory tree?
Answer:-
The first domain created in a
tree is referred to as the root domain. Child domains created in the tree share
the same namespace as the root domain.
Question # 27
How is a server running Windows Server 2008
configured as a domain controller, such as the domain controller for the root
domain or a child domain?
Answer:-
Installing the Active Directory
on a server running Windows Server 2008 provides you with the option of
creating a root domain for a domain tree or of creating child domains in an
existing tree. Installing Active Directory on the server makes the server a
domain controller.
Question # 28
What are some of the tools used to manage
Active Directory objects in a Windows Server 2008 domain?
Answer:-
When the Active Directory is
installed on a server (making it a domain controller), a set of Active Directory
snap-ins is provided. The Active Directory Users and Computers snap-in is used
to manage Active Directory objects such as user accounts, computers, and
groups. The Active Directory Domains and Trusts snap-in enables you to manage
the trusts that are defined between domains. The Active Directory Sites and
Services snap-in provides for the management of domain sites and subnets.
Question # 29
How are domain user accounts created and
managed?
Answer:-
The Active Directory Users and
Computers snap-in provides the tools necessary for creating user accounts and
managing account properties. Properties for user accounts include settings
related to logon hours, the computers to which a user can log on, and the
settings related to the user’s password.
Question # 30
What type of Active Directory objects can be
contained in a group?
Answer:-
A group can contain users,
computers, contacts, and other nested groups.
Question # 31
What type of group is not available in a domain
that is running at the mixed-mode functional level?
Answer:-
Universal groups are not
available in a mixed-mode domain. The functional level must be raised to
Windows 2003 or Windows 2008 to make these groups available.
Question # 32
What types of Active Directory objects can be
contained in an Organizational Unit?
Answer:-
Organizational Units can hold
users, groups, computers, contacts, and other OUs. The Organizational Unit
provides you with a container directly below the domain level that enables you
to refine the logical hierarchy of how your users and other resources are
arranged in the Active Directory.
Question # 33
What are Active Directory sites in Windows
Server 2008?
Answer:-
Active Directory sites are
physical locations on the network’s physical topology. Each regional domain that
you create is assigned to a site. Sites typically represent one or more IP
subnets that are connected by IP routers. Because sites are separated from each
other by a router, the domain controllers on each site periodically replicate
the Active Directory to update the Global Catalog on each site segment.
Question # 34
How can client computer accounts be added to
the Active Directory?
Answer:-
Client computer accounts can be
added through the Active Directory Users and Computers snap-in. You can also create
client computer accounts via the client computer by joining it to the domain
via the System Properties dialog box. This requires a user account that has
administrative privileges, such as members of the Domain Administrator or
Enterprise Administrator groups.
Question # 35
What firewall setting is required to manage
client computers such as Vista clients and
Windows 2008 member servers?
Answer:-
The Windows Firewall must allow
remote administration for a computer to be managed remotely.
Question # 36
Can servers running Windows Server 2008 provide
services to clients when they are not part of a domain?
Answer:-
Servers running Windows Server
2008 can be configured to participate in a workgroup. The server can provide
some services to the workgroup peers but does not provide the security and
management tools provided to domain controllers.
Question # 37
What does the use of Group Policy provide you
as a network administrator?
Answer:-
Group Policy provides a method of
controlling user and computer configuration settings for Active Directory
containers such as sites, domains, and OUs. GPOs are linked to a particular
container, and then individual policies and administrative templates are
enabled to control the environment for the users or computers within that particular
container.
Question # 38
What tools are involved in managing and
deploying Group Policy?
Answer:-
GPOs and their settings, links,
and other information such as permissions can be viewed in the Group Policy
Management snap-in.
Question # 39
How do you deal with Group Policy inheritance
issues?
Answer:-
GPOs are inherited down through
the Active Directory tree by default. You can block the inheritance of settings
from upline GPOs (for a particular container such as an OU or a local computer)
by selecting Block Inheritance for that particular object. If you want to
enforce a higher-level GPO so that it overrides directly linked GPOs, you can
use the Enforce command on the inherited (or upline) GPO.
Question # 40
How can you make sure that network clients have
the most recent Windows updates installed and have other important security
features such as the Windows Firewall enabled before they can gain full network
access?
Answer:-
You can configure a Network
Policy Server (a service available in the Network Policy and Access Services
role). The Network Policy Server can be configured to compare desktop client
settings with health validators to determine the level of network access
afforded to the client.
Question # 41
What is the purpose of deploying local DNS
servers?
Answer:-
A domain DNS server provides for
the local mapping of fully qualified domain names to IP addresses. Because the
DNS is a distributed database, the local DNS servers can provide record
information to remote DNS servers to help resolve remote requests related to
fully qualified domain names on your network.
Question # 42
What types of zones would you want to create on
your DNS server so that both queries to resolve hostnames to IP addresses and
queries to resolve IP addresses to
hostnames are handled successfully?
Answer:-
You would create both a forward
lookup zone and a reverse lookup zone on your Windows Server 2008 DNS server.
Question # 43
What tool enables you to manage your Windows
Server 2008 DNS server?
Answer:-
The DNS snap-in enables you to
add or remove zones and to view the records in your DNS zones. You can also use
the snap-in to create records such as a DNS resource record.
Question # 44
In terms of DNS, what is a caching-only server?
Answer:-
A caching-only DNS server
supplies information related to queries based on the data it contains in its
DNS cache. Caching-only servers are often used as DNS forwarders. Because they
are not configured with any zones, they do not generate network traffic related
to zone transfers.
Question # 45
How is the range of IP addresses defined for a
Windows Server 2008 DHCP server?
Answer:-
The IP addresses supplied by the
DHCP server are held in a scope. A scope that contains more than one subnet of
IP addresses is called a superscope. IP addresses in a scope that you do not
want to lease can be included in an exclusion range.
Question # 46
What TCP/IP configuration parameters can be
provided to a DHCP client?
Answer:-
The DHCP server can supply a DHCP
client an IP address and subnet mask. It also can optionally include the
default gateway address, the DNS server address, and the WINS server address to
the client.
Question # 47
How can you configure the DHCP server so that
it provides certain devices with the same IP address each time the address is
renewed?
Answer:-
You can create a reservation for
the device (or create reservations for a number of devices). To create a
reservation, you need to know the MAC hardware address of the device. You can
use the ipconfig or nbstat command-line utilities to determine the MAC address
for a network device such as a computer or printer.
Question # 48
To negate rogue DHCP servers from running with
a domain, what is required for your DHCP server to function?
Answer:-
The DHCP server must be
authorized in the Active Directory before it can function in the domain.
=========================================================================
1) What is Active
Directory?
ACTIVE DIRECTORY IS A CENTRALIZED DATABASE …WHICH
IS USED IN DOMAIN FOR ADMINISTRATIVE PURPOSES…
An active directory is a directory structure used
on Microsoft Windows based computers and servers to store information and data
about networks and domains. It is primarily used for online information and was
originally created in 1996 and first used with Windows 2000.
An active directory (sometimes referred to as an
AD) does a variety of functions including the ability to provide information on
objects, helps organize these objects for easy retrieval and access, allows
access by end users and administrators and allows the administrator to set
security up for the directory.
An active directory can be defined as a
hierarchical structure and this structure is usually broken up into three main
categories, the resources which might include hardware such as printers,
services for end users such as web email servers and objects which are the main
functions of the domain and network.
It is interesting to note the framework for the
objects. Remember that an object can be a piece of hardware such as a printer,
end user or security settings set by the administrator. These objects can hold
other objects within their file structure. All objects have an ID, usually an
object name (folder name). In addition to these objects being able to hold
other objects, every object has its own attributes which allows it to be
characterized by the information which it contains. Most IT professionals call
these setting or characterizations schemas.
Depending on the type of schema created for a
folder, will ultimately determine how these objects are used. For instance,
some objects with certain schemas can not be deleted, they can only be
deactivated. Others types of schemas with certain attributes can be deleted
entirely. For instance, a user object can be deleted, but the administrator
object can not be deleted.
When understanding active directories, it is
important to know the framework that objects can be viewed at. In fact, an
active directory can be viewed at either one of three levels; these levels are
called forests, trees or domains. The highest structure is called the forest
because you can see all objects included within the active directory.
Within theForeststructure are trees, these
structures usually hold one or more domains, going further down the structure
of an active directory are single domains. To put the forest, trees and domains
into perspective, consider the following example.
A large organization has many dozens of users and
processes. The forest might be the entire network of end users and specific
computers at a set location. Within this forest directory are now trees that
hold information on specific objects such as domain controllers, program data,
system, etc. Within these objects are even more objects which can then be
controlled and categorized
Another
Answer
Active Directory in Windows Server 2003
The Active Directory is the one of the important
part of Windows Server 2003 networking .First need to know and understand
Active directory. How does it work? It makes information easy for the
administrator and the users. You can use the Active Directory to design an
organization’s structure according to the requirement. If you are using the
Active Directory then you can scale active directory from a single computer to
a single network or too many networks. In active directory you can include
every object server and domain in a network.
Logical Component
In the organization you set up in Windows Server
2003 and the organization you set up in Exchange Server 2003 are the same and
the same is the case with Windows 2000 and Exchange 2000 as well. Now I am
going to tell you its advantage one user administrator manage all aspects of
user configuration. These logical constructs which are described in the
following subsections allow you to define and group resources so that they can
be located and administered by the name rather than by physical location.
Objects
Object is the basic unit in the Active Directory.
It is an apocarpous named set of features that represents something adjective
such as a user, printer and the application. A user is also an object. In
Exchange a user’s features include its name and location, surrounded by other
things.
Organization Unit
Organization Unit is a persona in which you can
keep objects such as user accounts, groups, computer, and printer. Applications
and other (OU). In organization unit you can assign specific permission to the
users. Organization unit can also be used to create departmental limitation.
Domains
Domains is a group of computers and other
resources that are part of a network and share a common directory database
.Once a server has been installed, you can use the Active Directory Wizard to
install Active Directory in order to install Active directory on the first
server on the network, that server must have the access to a server running DNS
(Domain Name Service). If you don’t have installed this service on your server
then you will have to install this service during the Active Directory
installation…
2) What is
LDAP?
LDAP means Light-Weight Directory Access
Protocol. It determines how an object in an Active directory should be named.
LDAP (Lightweight Directory Access Protocol) is a proposed open standard for accessing
global or local directory services over a network and/or the Internet. A
directory, in this sense, is very much like a phone book. LDAP can handle other
information, but at present it is typically used to associate names with phone
numbers and email addresses. LDAP directories are designed to support a high
volume of queries, but the data stored in the directory does not change very
often. It works on port no. 389. LDAP is sometimes known as X.500 Lite. X.500
is an international standard for directories and full-featured, but it is also
complex, requiring a lot of computing resources and the full OSI stack. LDAP,
in contrast, can run easily on a PC and over TCP/IP. LDAP can access X.500
directories but does not support every capability of X.500
Another
answer:
The Lightweight Directory Access Protocol or LDAP
is an application protocol for querying and modifying directory services
running over TCP/IP. [1]A directory is a set of objects with attributes
organized in a logical and hierarchical manner. The most common example is the
telephone directory, which consists of a series of names (either of persons or
organizations) organized alphabetically, with each name having an address and
phone number attached.
An LDAP directory tree often reflects various
political, geographic, and/or organizational boundaries, depending on the model
chosen. LDAP deployments today tend to use Domain name system (DNS) names for
structuring the topmost levels of the hierarchy. Deeper inside the directory
might appear entries representing people, organizational units, printers,
documents, groups of people or anything else that represents a given tree entry
(or multiple entries).
Its current version is LDAPv3, which is specified
in a series of Internet Engineering Task Force (IETF) Standard Track Requests
for comments (RFCs) as detailed in RFC 4510.
3) Can you
connect Active Directory to other 3rd-party Directory Services? Name a few
options.
Yes, you can use dirXML or LDAP to connect to
other directories (ie. E-directory from Novell). Novell eDirectory, formerly
called Novell Directory Services (NDS)
4) Where is the
AD database held? What other folders are related to AD?
AD Database is saved in/ntds. You can see other
files also in this folder. These are the main files controlling the AD
structure •ntds.dit
•edb.log
•res1.log
•res2.log
•edb.chk
•SysVOl folder is also created which is used for
replication
When a change is made to the Win2K database,
triggering a write operation, Win2K records the transaction in the log file
(edb.log). Once written to the log file, the change is then written to the AD
database. System performance determines how fast the system writes the data to
the AD database from the log file. Any time the system is shut down; all
transactions are saved to the database.
During the installation of AD, Windows creates
two files: res1.log and res2.log. The initial size of each is 10MB. These files
are used to ensure that changes can be written to disk should the system run
out of free disk space. The checkpoint file (edb.chk) records transactions
committed to the AD database (ntds.dit). During shutdown, a “shutdown”
statement is written to the edb.chk file. Then, during a reboot, AD determines
that all transactions in the edb.log file have been committed to the AD database.
If, for some reason, the edb.chk file doesn’t exist on reboot or the shutdown
statement isn’t present, AD will use the edb.log file to update the AD
database.
The last file in our list of files to know is the
AD database itself, ntds.dit. By default, the file is located in\NTDS, along
with the other files we’ve discussed
5) What is the
SYSVOL folder?
All active directory data base security related information store in SYSVOL
folder and it’s only created on NTFS partition.
Another answer:
The Sysvol folder on a Windows domain controller is used to replicate
file-based data among domain controllers. Because junctions are used within the
Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required
on domain controllers throughout a Windows distributed file system (DFS)
forest.
This is a quote from Microsoft themselves; basically the domain controller
info stored in files like your group policy stuff is replicated through this
folder structure
6) Name the AD NCs and replication issues for
each NC
*Schema NC, *Configuration NC, * DomainNC
Schema NC This NC is replicated to every other domain
controller in the forest. It contains information about the Active Directory
schema, which in turn defines the different object classes and attributes
within Active Directory.
Configuration NC Also replicated to every other DC in the forest,
this NC contains forest-wide configuration information pertaining to the
physical layout of Active Directory, as well as information about display
specifies and forest-wide Active Directory quotas.
Domain NC
This NC is replicated to every other DC within a single Active Directory
domain. This is the NC that contains the most commonly-accessed Active
Directory data: the actual users, groups, computers, and other objects that
reside within a particular Active Directory domain.
7) What are
application partitions? When do I use them?
Application directory partitions: These are
specific to Windows Server 2003 domains.
An application directory partition is a directory
partition that is replicated only to specific domain controllers. A domain
controller that participates in the replication of a particular application
directory partition hosts a replica of that partition. Only Domain controllers
running Windows Server 2003 can host a replica of an application directory
partition.
8) How do you
create a new application partition?
When you create an application directory
partition, you are creating the first instance of this partition. You can
create an application directory partition by using the create nc option in the
domain management menu of Ntdsutil. When creating an application directory
partition using LDP or ADSI, provide a description in the description attribute
of the domain DNS object that indicates the specific application that will use
the partition. For example, if the application directory partition will be used
to store data for a Microsoft accounting program, the description could be
Microsoft accounting application. Ntdsutil does not facilitate the creation of
a description.
To create or delete an application directory partition
1. Open Command Prompt.
2. Type:
Ntdsutil
3. At the Ntdsutil command prompt, type:
Domain management
4. At the domain management command prompt, do one of the
following:
· To create an application directory partition, type:
Create ncApplicationDirectoryPartitionDomainController
Answer:
Start >> RUN>> CMD >> type there
“NTDSUTIL” Press Enter
Ntdsutil: domain management Press Enter
Domain Management: Create NC dc=, dc=, dc=com <>
ANSWER B
Create an application directory partition by using the
DnsCmd command
Use the DnsCmd command to create an application directory
partition. To do this, use the following syntax:
DnsCmd ServerName
/CreateDirectoryPartition FQDN of partition
To create an application directory partition that is named
CustomDNSPartition on a domain controller that is named DC-1, follow these
steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER:dnscmd
DC-1 /createdirectorypartition CustomDNSPartition.contoso.com
When the application directory partition has been
successfully created, the following information appears:
DNS Server DC-1 created directory partition:
CustomDNSPartition.contoso.com Command completed successfully.
Configure an additional domain controller DNS server to host
the application directory partition
Configure an additional domain controller that is acting as
a DNS server to host the new application directory partition that you created.
To do this, use the following syntax with the DnsCmd command:
DnsCmd ServerName /EnlistDirectoryPartition FQDN of
partition
To configure the example domain controller that is named
DC-2 to host this custom application directory partition, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER:dnscmd
DC-2 /enlistdirectorypartition CustomDNSPartition.contoso.com
The following information appears:
DNS Server DC-2 enlisted directory partition: CustomDNSPartition.contoso.com
Command completed successfully.
9) How do you
view replication properties for AD partitions and DCs?
By using replication monitor
go to start > run > type repadmin
go to start > run > type replmon
10) What is the
Global Catalog?
The global catalog contains a complete replica of
all objects in Active Directory for its Host domain, and contains a partial
replica of all objects in Active Directory for every other domain in the
forest.
ANSWER B:
The global catalog is a distributed data
repository that contains a searchable, partial representation of every object
in every domain in a multidomain Active Directory forest. The global catalog is
stored on domain controllers that have been designated as global catalog
servers and is distributed through multimaster replication. Searches that are
directed to the global catalog are faster because they do not involve referrals
to different domain controllers.
In addition to configuration and schema directory
partition replicas, every domain controller in a Windows 2000 Server or Windows
Server 2003 forest stores a full, writable replica of a single domain directory
partition. Therefore, a domain controller can locate only the objects in its
domain. Locating an object in a different domain would require the user or
application to provide the domain of the requested object.
The global catalog provides the ability to locate
objects from any domain without having to know the domain name. A global
catalog server is a domain controller that, in addition to its full, writable
domain directory partition replica, also stores a partial, read-only replica of
all other domain directory partitions in the forest. The additional domain
directory partitions are partial because only a limited set of attributes is included
for each object. By including only the attributes that are most used for
searching, every object in every domain in even the largest forest can be
represented in the database of a single global catalog server.
11) How do you
view all the GCs in the forest?
C:\>repadmin /showreps
domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.
To find the in GC from the command line you can try using DSQUERY command.
dsquery server -isgc to find all the GC’s in the forest you can try dsquery
server -forest -isgc.
12) Why not make
all DCs in a large forest as GCs?
The reason that all DCs are not GCs to start is
that in large (or even Giant) forests the DCs would all have to hold a
reference to every object in the entire forest which could be quite large and
quite a replication burden.
For a few hundred, or a few thousand users even,
this not likely to matter unless you have really poor WAN lines.
13) Trying to
look at the Active Directory Schema, how can I do that?
Option to view the schema
Register schmmgmt.dll using this command
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc –> add snapin –> add Active
directory schema
name it as schema.msc
Open administrative tool –> schema.msc
14) What are the
Support Tools? Why do I need them?
Support Tools are the tools that are used for performing the
complicated tasks easily. These can also be the third party tools. Some of the
Support tools include DebugViewer, DependencyViewer, RegistryMonitor, etc.
You need them because you cannot properly manage
an Active Directory network without them.
Here they are, it would do you well to familiarize yourself with all of
them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
15) What is LDP?
What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
What is LDP?
A:
The Lightweight Directory Access Protocol, or LDAP is an application protocol
for querying and modifying directory services running over TCP/IP.
[1] A directory is a set of objects with attributes organized in a logical
and hierarchical manner. The most common example is the telephone directory,
which consists of a series of names (either of persons or organizations)
organized alphabetically, with each name having an address and phone number
attached.
An LDAP directory tree often reflects various political, geographic, and/or
organizational boundaries, depending on the model chosen. LDAP deployments
today tend to use Domain name system (DNS) names for structuring the topmost
levels of the hierarchy. Deeper inside the directory might appear entries
representing people, organizational units, printers, documents, groups of
people or anything else that represents a given tree entry (or multiple
entries).
Its current version is LDAPv3, which is specified in a series of Internet
Engineering Task Force (IETF) Standard Track Requests for comments (RFCs) as
detailed in RFC 4510.
LDAP means Light-Weight Directory Access Protocol. It determines how an object
in an Active directory should be named. LDAP (Lightweight Directory Access
Protocol) is a proposed open standard for accessing global or local directory
services over a network and/or the Internet. A directory, in this sense, is
very much like a phone book. LDAP can handle other information, but at present
it is typically used to associate names with phone numbers and email addresses.
LDAP directories are designed to support a high volume of queries, but the data
stored in the directory does not change very often. It works on port no. 389.
LDAP is sometimes known as X.500 Lite. X.500 is an international standard for
directories and full-featured, but it is also complex, requiring a lot of
computing resources and the full OSI stack. LDAP, in contrast, can run easily
on a PC and over TCP/IP. LDAP can access X.500 directories but does not support
every capability of X.500
What is REPLMON?
A: Replmon is the first tool you should use when
troubleshooting Active Directory replication issues. As it is a graphical tool,
replication issues are easy to see and somewhat easier to diagnose than using
its command line counterparts. The purpose of this document is to guide you in
how to use it, list some common replication errors and show some examples of
when replication issues can stop other network installation actions.
What is ADSIEDIT?
A: Adsiedit.msc
is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor
for Active Directory. It is a Graphical User Interface (GUI) tool. Network
administrators can use it for common administrative tasks such as adding,
deleting, and moving objects with a directory service. The attributes for each
object can be edited or deleted by using this tool. Adsiedit.msc uses the ADSI
application programming interfaces (APIs) to access Active Directory. The
following are the required files for using this tool:
· ADSIEDIT.DLL
· ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment
and Microsoft Management Console (MMC) is necessary
What is NETDOM?
A: NETDOM is a command-line tool that allows management of
Windows domains and trust relationships. It is used for batch management of
trusts, joining computers to domains, verifying trusts, and secure channels
A:
Enables administrators to manage Active Directory domains and trust
relationships from the command prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is
available if you have the Active Directory Domain Services (AD DS) server role
installed. To use Netdom, you must run the Netdom command from an elevated
command prompt. To open an elevated command prompt, click Start, right-click
Command Prompt, and then click Run as administrator.
You can use
Netdom to:
Join a computer that runs Windows XP Professional or Windows
Vista to a Windows Server 2008 or Windows Server 2003 or Windows 2000 or
Windows NT 4.0 domain.
Provide an option to specify the organizational unit (OU) for the computer
account.
Generate a random computer password for an initial Join operation.
Manage computer accounts for domain member workstations and member servers.
Management operations include:
Add, Remove, Query.
An option to specify the OU for the computer account.
An option to move an existing computer account for a member workstation from
one domain to another while maintaining the security descriptor on the computer
account.
Establish one-way or two-way trust relationships between domains, including the
following kinds of trust relationships:
From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a
Windows NT 4.0 domain.
From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a
Windows 2000 or Windows Server 2003 or Windows Server 2008 domain in another
enterprise.
Between two Windows 2000 or Windows Server 2003 or Windows Server 2008 domains
in an enterprise (a shortcut trust).
The Windows Server 2008 or Windows Server 2003 or Windows 2000 Server half of an
interoperable Kerberos protocol realm.
Verify or reset the secure channel for the following configurations:
Member workstations and servers.
Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
Specific Windows Server 2008 or Windows Server 2003 or Windows 2000 replicas.
Manage trust relationships between domains, including the following operations:
Enumerate trust relationships (direct and indirect).
View and change some attributes on a trust.
16) What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP
subnets. A site allows administrators to configure Active Directory access and
replication topology to take advantage of the physical network.
B: A Site object in Active Directory represents a physical
geographic location that hosts networks. Sites contain objects called Subnets.
[3] Sites can be used to Assign Group Policy Objects, facilitate the discovery
of resources, manage active directory replication, and manage network link
traffic. Sites can be linked to other Sites. Site-linked objects may be
assigned a cost value that represents the speed, reliability, availability, or
other real property of a physical resource. Site Links may also be assigned a
schedule
17) What’s the difference between a site link’s schedule and
interval?
Schedule enables you to list weekdays or hours when the site
link is available for replication to happen in the give interval. Interval is
the re occurrence of the inter site replication in given minutes. It ranges
from 15 – 10,080 mins. The default interval is 180 mins.
18) What is the KCC?
Knowledge consistency checker- it generates the replication
topology by specifying what domain controllers will replicate to which other
domain controllers in the site. The KCC maintains a list of connections, called
a replication topology, to other domain controllers in the site. The KCC
ensures that changes to any object are replicated to all site domain
controllers and updates go through no more than three connections. Also an
administrator can configure connection objects.
19) What is the ISTG? Who has that role by default?
Intersite Topology Generator (ISTG), which is responsible
for the connections among the sites. By default Windows 2003 Forestlevel
functionality has this role.
By Default the first Server has this role. If that server can no longer perform
this role then the next server with the highest GUID then takes over the role
of ISTG.
20) What are the requirements for installing AD on a new
server?
· An NTFS partition with enough free space (250MB minimum)
· An Administrator’s username and password
· The correct operating system version
· A NIC
· Properly configured TCP/IP (IP address, subnet mask and –
optional – default gateway)
· A network connection (to a hub or to another computer via
a crossover cable)
· An operational DNS server (which can be installed on the
DC itself)
· A Domain name that you want to use
· The Windows 2000 or Windows Server 2003 CD media (or at
least the i386 folder)
20) What can you do to promote a server to DC if you’re in a
remote location with slow WAN link?
First available in Windows 2003, you will create a copy of
the system state from an existing DC and copy it to the new remote server. Run
“Dcpromo /adv”. You will be prompted for the location of the system state files
===================================
Answer B:
Backup system state as;
Click Start, click Run, type ntbackup,
and then click OK. (If the Backup utility starts in
wizard mode, click the Advanced Mode hyperlink.)
From the Backup tab, click to select the System State
check box in the left pane. Do not back up the file
system part of the SYSVOL tree separately from the
system state backup.
In the Backup media or file name box, specify
the drive, path, and file name of the system state
backup.
Name the file .bak (recommended and general)
Restore system stat as below on the target computer;
Log on to the Windows Server 2003-based computer that
you want to promote. You must be a member of the local
administrators group on this computer.
Click Start, click Run, type ntbackup,
and then click OK. (If the Backup utility starts in
wizard mode, click the Advanced Mode hyperlink.)
In the Backup utility, click the Restore and Manage
Media tab. In the Tools menu, click Catalog a backup
file…, and then locate the .bkf file that you created
earlier. Click OK.
Expand the contents of the .bkf file, and then click to
select the System State
check box.
In Restore files to: click Alternate Location.
To restore the system state, type the logical drive
and the path. We suggest that you type X:\Ntdsrestore.
In this command, X is the
logical drive that will ultimately host the Active Directory database
when the member computer is promoted. The final
location for the Active Directory database is selected
when you run the Active Directory Installation Wizard.
This folder must be different from the folder that
contains the restored system state.
Now Last stage is Promoting an additional domain controller.
Verify that the domain controller that is to be
promoted has DNS name resolution and network
connectivity to existing domain controllers in the
domain controller’s target domain.
Click Start, click Run, type dcpromo
/adv, and then click OK.
Click Next to bypass the Welcome to the
Active Directory Installation Wizard and Operating
System Compatibility dialog boxes.
On the Domain Controller Type page, click Additional
domain controller for an existing domain, and then
click next.
On the Copying Domain Information page, click from
these restored backup files: and then type the logical
drive and the path of the alternative location where
the system state backup was restored. Click Next.
In Network Credentials, type the user name, the
password, and the domain name of an account that is a
member of the domain administrators group for the
domain that you are promoting in.
Continue with the remainder of the Active Directory
Installation Wizard pages as you would with the
standard promotion of an additional domain controller.
After the SYSVOL tree has replicated in, and the SYSVOL
share exists, delete any remaining restored system
files and folders.
21) How can you forcibly remove AD from a server, and what do
you do later? • Can I get user passwords from the AD database?
Demote the server using dcpromo /forceremoval, and then
remove the metadata from Active directory using Ntdsutil. There is no way to
get user passwords from AD that I am aware of, but you should still be able to
change them.
Another way out too
Restart the DC is DSRM mode
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right-pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode
it’s a member server now but AD entries are still there. Promote the server to
a fake domain say ABC.com and then remove gracefully using Dcpromo. Else after
restart you can also use Ntdsutil to do metadata as told in the earlier post
22) Name some OU design considerations
OU design requires balancing requirements for delegating
administrative rights – independent of Group Policy needs – and the need to
scope the application of Group Policy. The following OU design recommendations
address delegation and scope issues:
Applying Group Policy An OU is the lowest-level Active
Directory container to which you can assign Group Policy settings.
Delegating administrative authority
Usually don’t go more than 3 OU levels
23) What is tombstone lifetime attribute?
The number of days before a deleted object is removed from
the directory services. This assists in removing objects from replicated
servers and preventing restores from reintroducing a deleted object. This value
is in the Directory Service object in the configuration NIC
By default 2000 (60 days)
2003 (180 days)
24) How would you find all users that have not logged on since
last month?
Using only native commands, JSILLD.bat produces a
sorted/formated report of Users who have not logged on since YYYYMMDD.
The report is sorted by UserName and list the user’s full
name and last logon date.
The syntax for using JSILLD.bat is:
JSILLD \Folder\OutputFile.Ext YYYYMMDD [/N]
where:
YYYYMMDD will report all users who have not logged on since
this date.
/N is an optional parameter that will bypass users who have
never logged on.
JSILLD.bat contains:
@echo off
setlocal
if {%2}=={} goto syntax
if “%3″==”" goto begin
if /i “%3″==”/n” goto begin
:syntax
@echo Syntax: JSILLD File yyyymmdd [/N]
endlocal
goto :EOF
:begin
if /i “%2″==”/n” goto syntax
set dte=%2
set XX=%dte:~0,4%
if “%XX%” LSS “1993″ goto syntax
set XX=%dte:~4,2%
if “%XX%” LSS “01″ goto syntax
if “%XX%” GTR “12″ goto syntax
set XX=%dte:~6,2%
if “%XX%” LSS “01″ goto syntax
if “%XX%” GTR “31″ goto syntax
set never=X
if /i “%3″==”/n” set never=/n
set file=%1
if exist %file% del /q %file%
for /f “Skip=4 Tokens=*” %%i in (‘net user /domain^|findstr /v /c:”—-”^|findstr
/v /i /c:”The command completed”‘) do (
do call :parse “%%i”
)
endlocal
goto :EOF
:parse
set str=#%1#
set str=%str:#”=%
set str=%str:”#=%
set substr=%str:~0,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if “%substr%”==”" goto :EOF
for /f “Skip=1 Tokens=*” %%i in (‘net user “%substr%” /domain’) do call :parse1
“%%i”
set substr=%str:~25,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if “%substr%”==”" goto :EOF
for /f “Skip=1 Tokens=*” %%i in (‘net user “%substr%” /domain’) do call :parse1
“%%i”
set substr=%str:~50,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if “%substr%”==”" goto :EOF
for /f “Skip=1 Tokens=*” %%i in (‘net user “%substr%” /domain’) do call :parse1
“%%i”
goto :EOF
:parse1
set ustr=%1
if %ustr%==”The command completed successfully.” goto :EOF
set ustr=%ustr:”=%
if /i “%ustr:~0,9%”==”Full Name” set fullname=%ustr:~29,99%
if /i not “%ustr:~0,10%”==”Last logon” goto :EOF
set txt=%ustr:~29,99%
for /f “Tokens=1,2,3 Delims=/ ” %%i in (‘@echo %txt%’) do set MM=%%i&set
DD=%%j&set YY=%%k
if /i “%MM%”==”Never” goto tstnvr
goto year
:tstnvr
if /i “%never%”==”/n” goto :EOF
goto report
:year
if “%YY%” GTR “1000″ goto mmm
if “%YY%” GTR “92″ goto Y19
set /a YY=100%YY%%%100
set YY=%YY% + 2000
goto mmm
:Y19
set YY=19%YY%
:mmm
set /a XX=100%MM%%%100
if %XX% LSS 10 set MM=0%XX%
set /a XX=100%DD%%%100
if %XX% LSS 10 set DD=0%XX%
set YMD=%YY%%MM%%DD%
if “%YMD%” GEQ “%dte%” goto :EOF
:report
set fullname=%fullname% #
set fullname=%fullname:~0,35%
set substr=%substr% #
set substr=%substr:~0,30%
@echo %substr% %fullname% %txt% >> %file%
25) What are the DS commands?
New DS (Directory Service) Family of built-in command line
utilities for Windows Server 2003 Active Directory
A:
New DS built-in tools for Windows Server 2003
The DS (Directory Service) group of commands are split into two families. In
one branch are DSadd, DSmod, DSrm and DSMove and in the other branch are
DSQuery and DSGet.
When it comes to choosing a scripting tool for Active
Directory objects, you really are spoilt for choice. The DS family of built-in
command line executables offers alternative strategies to CSVDE, LDIFDE and
VBScript.
Let me introduce you to the members of the DS family:
DSadd – add Active Directory users and groups
DSmod – modify Active Directory objects
DSrm – to delete Active Directory objects
DSmove – to relocate objects
DSQuery – to find objects that match your query attributes
DSget – list the properties of an object
DS Syntax
These DS tools have their own command structure which you can split into five
parts:
1 2 3 4 5
Tool object “DN” (as in LDAP distinguished name) -switch value For example:
DSadd user “cn=billy, ou=managers, dc=cp, dc=com” -pwd cX49pQba
This will add a user called Billy to the Managers OU and set
the password to cx49Qba
Here are some of the common DS switches which work with
DSadd and DSmod
-pwd (password) -upn (userPrincipalName) -fn (FirstName) -samid (Sam account
name).
The best way to learn about this DS family is to logon at a
domain controller and experiment from the command line. I have prepared
examples of the two most common programs.
Try some sample commands for DSadd.˚
Two most useful Tools: DSQuery and DSGet
The DSQuery and DSGet remind me of UNIX commands in that they operate at the
command line, use powerful verbs, and produce plenty of action. One
pre-requisite for getting the most from this DS family is a working knowledge
of LDAP.
If you need to query users or computers from a range of OU’s
and then return information, for example, office, department manager. Then
DSQuery and DSGet would be your tools of choice. Moreover, you can export the
information into a text file
26) What is the difference between ldifde and csvde usage
considerations?
Ldifde
Ldifde creates, modifies, and deletes directory objects on
computers running Windows Server 2003 operating systems or Windows XP Professional.
You can also use Ldifde to extend the schema, export Active Directory user and
group information to other applications or services, and populate Active
Directory with data from other directory services.
The LDAP Data Interchange Format (LDIF) is a draft Internet
standard for a file format that may be used for performing batch operations
against directories that conform to the LDAP standards. LDIF can be used to
export and import data, allowing batch operations such as add, create, and
modify to be performed against the Active Directory. A utility program called
LDIFDE is included in Windows 2000 to support batch operations based on the
LDIF file format standard. This article is designed to help you better
understand how the LDIFDE utility can be used to migrate directories.
Csvde
Imports and exports data from Active Directory Domain
Services (AD DS) using files that store data in the comma-separated value (CSV)
format. You can also support batch operations based on the CSV file format
standard.
Csvde is a command-line tool that is built into Windows
Server 2008 in the/system32 folder. It is available if you have the AD DS or
Active Directory Lightweight Directory Services (AD LDS) server role installed.
To use csvde, you must run the csvde command from an elevated command prompt.
To open an elevated command prompt, click Start, right-click Command Prompt,
and then click Run as administrator.
DIFFERENCE USAGE WISE
Csvde.exe is a Microsoft Windows 2000 command-line utility
that is located in the SystemRoot\System32 folder after you install Windows
2000. Csvde.exe is similar to Ldifde.exe, but it extracts information in a
comma-separated value (CSV) format. You can use Csvde to import and export
Active Directory data that uses the comma-separated value format. Use a
spreadsheet program such as Microsoft Excel to open this .csv file and view the
header and value information. See Microsoft Excel Help for information about
functions such as Concatenate that can simplify the process of building a .csv
file.
Note Although Csvde is similar to Ldifde, Csvde has a
significant limitation: it can only import and export Active Directory data by
using a comma-separated format (.csv). Microsoft recommends that you use the
Ldifde utility for Modify or Delete operations. Additionally, the distinguished
name (also known as DN) of the item that you are trying to import must be in
the first column of the .csv file or the import will not work.
The source .csv file can come from an Exchange Server
directory export. However, because of the difference in attribute mappings
between the Exchange Server directory and Active Directory, you must make some
modifications to the .csv file. For example, a directory export from Exchange
Server has a column that is named “obj-class” that you must rename to
“objectClass.” You must also rename “Display Name” to “displayName.”
27) What are the FSMO roles that have them by default what
happens when each one fails?
FSMO stands for the Flexible single Master Operation
It has 5 Roles: -
Schema Master:
The schema master domain controller controls all updates and
modifications to the schema. Once the Schema update is complete, it is
replicated from the schema master to all other DCs in the directory. To update
the schema of a forest, you must have access to the schema master. There can be
only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the
addition or removal of domains in the forest. This DC is the only one that can
add or remove a domain from the directory. It can also add or remove cross
references to domains in external directories. There can be only one domain
naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object
in another domain, it represents the reference by the GUID, the SID (for
references to security principals), and the DN of the object being referenced.
The infrastructure FSMO role holder is the DC responsible for updating an
object’s SID and distinguished name in a cross-domain object reference. At any
one time, there can be only one domain controller acting as the infrastructure
master in each domain.
Note: The
Infrastructure Master (IM) role should be held by a domain controller that is
not a Global Catalog server (GC). If the Infrastructure Master runs on a Global
Catalog server it will stop updating object information because it does not
contain any references to objects that it does not hold. This is because a
Global Catalog server holds a partial replica of every object in the forest. As
a result, cross-domain object references in that domain will not be updated and
a warning to that effect will be logged on that DC’s event log. If all the
domain controllers in a domain also host the global catalog, all the domain
controllers have the current data, and it is not important which domain
controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool
requests from all domain controllers in a particular domain. When a DC creates
a security principal object such as a user or group, it attaches a unique
Security ID (SID) to the object. This SID consists of a domain SID (the same
for all SIDs created in a domain), and a relative ID (RID) that is unique for
each security principal SID created in a domain. Each DC in a domain is
allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC’s allocated RID pool falls below a threshold,
that DC issues a request for additional RIDs to the domain’s RID master. The
domain RID master responds to the request by retrieving RIDs from the domain’s
unallocated RID pool and assigns them to the pool of the requesting DC. At any
one time, there can be only one domain controller acting as the RID master in
the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an
enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service
that is required by the Kerberos authentication protocol. All Windows
2000/2003-based computers within an enterprise use a common time. The purpose
of the time service is to ensure that the Windows Time service uses a
hierarchical relationship that controls authority and does not permit loops to
ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the
domain. The PDC emulator at the root of the forest becomes authoritative for
the enterprise, and should be configured to gather the time from an external
source. All PDC FSMO role holders follow the hierarchy of domains in the
selection of their in-bound time partner.
:: In a Windows 2000/2003 domain, the PDC emulator role
holder retains the following functions:
:: Password changes performed by other DCs in the domain are
replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain
because of an incorrect password are forwarded to the PDC emulator before a bad
password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always
done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless
configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a
Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows
NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when
all workstations, member servers, and domain controllers that are running
Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC
emulator still performs the other functions as described in a Windows 2000/2003
environment.
28) What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single
Operation Master method called FSMO (Flexible Single Master Operation), as
described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them)
in the same spot (or actually, on the same DC) as has been configured by the
Active Directory installation process. However, there are scenarios where an
administrator would want to move one or more of the FSMO roles from the default
holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000
version when dealing with FSMO placement. In this article I will only deal with
Windows Server 2003 Active Directory, but you should bear in mind that most
considerations are also true when planning Windows 2000 AD FSMO roles
29) I want to look at the RID allocation table for a DC. What
do I do?
1.install support tools from OS disk(OS Inst:
Disk=>support=>tools=>suptools.msi)
2.In Command prompt type dcdiag /test:ridmanager /s:system1
/v (system1 is the name of our DC)
30) What’s the difference between transferring a FSMO role
and seizing one? Which one should you NOT seize? Why?
Seizing an FSMO can be a destructive process and should only
be attempted if the existing server with the FSMO is no longer available.
If the domain controller that is the Schema Master FSMO role holder is
temporarily unavailable, DO NOT seize the Schema Master role.
If you are going to seize the Schema Master, you must permanently disconnect
the current Schema Master from the network.
If you seize the Schema Master role, the boot drive on the original Schema
Master must be completely reformatted and the operating system must be cleanly
installed, if you intend to return this computer to the network.
NOTE: The Boot
Partition contains the system files (\System32). The System Partition is the
partition that contains the startup files, NTDetect.com, NTLDR, Boot.ini, and
possibly Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe)
assigns all 5 FSMO roles to the first domain controller in the forest root
domain. The first domain controller in each new child or tree domain is
assigned the three domain-wide roles.
31) How do you configure a “stand-by operation master” for
any of the roles?
Open Active Directory Sites and Services.
Expand the site name in which the standby operations
master is located to display the Servers folder.
Expand the Servers folder to see a list of the
servers in that site.
Expand the name of the server that you want to be the
standby operations master to display its NTDS
Settings.
Right-click NTDS Settings, click New, and
then click Connection.
In the Find Domain Controllers dialog box,
select the name of the current role holder, and then
click OK.
In the New Object-Connection dialog box, enter
an appropriate name for the Connection object or
accept the default name, and click OK.
32) How do you backup & restore AD.
Backing up Active Directory is essential to maintain an
Active Directory database. You can back up Active Directory by using the
Graphical User Interface (GUI) and command-line tools that the Windows Server
2003 family provides.
You frequently backup the system state data on domain controllers so that you
can restore the most current data. By establishing a regular backup schedule,
you have a better chance of recovering data when necessary.
To ensure a good backup includes at least the system state
data and contents of the system disk, you must be aware of the tombstone
lifetime. By default, the tombstone is 60 days. Any backup older than 60 days
is not a good backup. Plan to backup at least two domain controllers in each
domain, one of at least one backup to enable an authoritative restore of the
data when necessary.
SystemStateData
Several features in the windows server 2003 family make it easy to
backup Active Directory. You can backup Active Directory while the server is
online and other network function can continue to function.
System state data on a domain controller includes the
following components:
Active Directory system state data does not contain Active
Directory unless the server, on which you are backing up the system state data,
is a domain controller. Active Directory is present only on domain controllers.
The SYSVOL shared folder: This shared folder contains Group policy templates
and logon scripts. The SYSVOL shared folder is present only on domain
controllers.
The Registry: This database repository contains information about the
computer’s configuration.
System startup files: Windows Server 2003 requires these files during its
initial startup phase. They include the boot and system files that are under
windows file protection and used by windows to load, configure, and run the
operating system.
The COM+ Class Registration database: The Class registration is a database of
information about Component Services applications.
The Certificate Services database: This database contains certificates that a
server running Windows server 2003 uses to authenticate users. The Certificate
Services database is present only if the server is operating as a certificate
server.
System state data contains most elements of a system’s configuration, but it
may not include all of the information that you require recovering data from a
system failure. Therefore, be sure to backup all boot and system volumes,
including theSystemState, when you back up your server.
Restoring Active Directory
In Windows Server 2003 family, you can restore the Active Directory database if
it becomes corrupted or is destroyed because of hardware or software failures.
You must restore the Active Directory database when objects in Active Directory
are changed or deleted.
Active Directory restore can be performed in several ways.
Replication synchronizes the latest changes from every other replication
partner. Once the replication is finished each partner has an updated version
of Active Directory. There is another way to get these latest updates by Backup
utility to restore replicated data from a backup copy. For this restore you
don’t need to configure again your domain controller or no need to install the
operating system from scratch.
Active Directory Restore Methods
You can use one of the three methods to restore Active Directory
from backup media: primary restore, normal (non authoritative) restore, and
authoritative restore.
Primary restore: This method rebuilds the first domain
controller in a domain when there is no other way to rebuild the domain.
Perform a primary restore only when all the domain controllers in the domain
are lost, and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on local
computer, or user should have been delegated with this responsibility to
perform restore. On a domain controller only Domain Admins can perform this
restore.
Normal restore: This method reinstates the Active Directory data to the state
before the backup, and then updates the data through the normal replication
process. Perform a normal restore for a single domain controller to a
previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore.
An authoritative restore marks specific data as current and prevents the
replication from overwriting that data. The authoritative data is then
replicated through the domain.
Perform an authoritative restore individual object in a domain that has
multiple domain controllers. When you perform an authoritative restore, you
lose all changes to the restore object that occurred after the backup. Ntdsutil
is a command line utility to perform an authoritative restore along with
windows server 2003 system utilities. The Ntdsutil command-line tool is an
executable file that you use to mark Active Directory objects as authoritative
so that they receive a higher version recently changed data on other domain
controllers does not overwrite system state data during replication.
33) Why can’t you restore a DC that was backed up 4 months
ago?
Because of the tombstone life which is set to only 60 days
34) What are GPOs?
Group Policy Objects
35) What is the order in which GPOs are applied?
Local, Site, Domain, OU
Group Policy settings are processed in the following order:
1:- Local Group Policy object-each computer has exactly one
Group Policy object that is stored locally. This processes for both computer
and user Group Policy processing.
2:- Site-Any GPOs that have been linked to the site that the
computer belongs to are processed next. Processing is in the order that is
specified by the administrator, on the Linked Group Policy Objects tab for the
site in Group Policy Management Console (GPMC). The GPO with the lowest link
order is processed last, and therefore has the highest precedence.
3:- Domain-processing of multiple domain-linked GPOs is in
the order specified by the administrator, on the Linked Group Policy Objects
tab for the domain in GPMC. The GPO with the lowest link order is processed
last, and therefore has the highest precedence.
4:- Organizational units-GPOs that are linked to the organizational
unit that is highest in the Active Directory hierarchy are processed first,
then GPOs that are linked to its child organizational unit, and so on. Finally,
the GPOs that are linked to the organizational unit that contains the user or
computer are processed.
At the level of each organizational unit in the Active
Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are
linked to an organizational unit, their processing is in the order that is
specified by the administrator, on the Linked Group Policy Objects tab for the
organizational unit in GPMC. The GPO with the lowest link order is processed
last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and
GPOs that are linked to the organizational unit of which the computer or user
is a direct member are processed last, which overwrites settings in the earlier
GPOs if there are conflicts. (If there are no conflicts, then the earlier and
later settings are merely aggregated.)
36) Name a few benefits of using GPMC.
Easy administration of all GPOs across the
entireActiveDirectoryForest
View of all GPOs in one single list Reporting of GPO
settings, security, filters, delegation, etc.
Control of GPO inheritance with Block Inheritance,
Enforce, and Security Filtering
Delegation model
Backup and restore of GPOs
Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in
using the GPMC alone. Granted, the GPMC is needed and should be used by
everyone for what it is ideal for. However, it does fall a bit short when you
want to protect the GPOs from the following:
Role based delegation of GPO management
Being edited in production, potentially causing damage
to desktops and servers
Forgetting to back up a GPO after it has been modified
Change management of each modification to every GPO
37) What are the GPC and the GPT? Where can I find them?
A GPO is a collection of Group Policy settings, stored at
the domain level as a virtual object consisting of a Group Policy container
(GPC) and a Group Policy template (GPT).
The GPC, which contains information on the properties of a
GPO, is stored in Active Directory on each domain controller in the domain. The
GPT contains the data in a GPO and is stored in the Sysvol in the /Policies
sub-directory.
38) What are GPO links? What special things can I do to them?
Linking GPOs
To apply the settings of a GPO to the users and computers of
a domain, site, or OU, you need to add a link to that GPO. You can add one or
more GPO links to each domain, site, or OU by using GPMC. Keep in mind that
creating and linking GPOs is a sensitive privilege that should be delegated
only to administrators who are trusted and understand Group Policy.
Linking GPOs to the Site
If you have a number of policy settings to apply to
computers in a particular physical location only – certain network or proxy
configuration settings, for example – these settings might be appropriate for
inclusion in a site-based policy. Because domains and sites are independent, it
is possible that computers in the site might need to cross domains to link the
GPO to the site. In this case, make sure there is good connectivity.
If, however, the settings do not clearly correspond to
computers in a single site, it is better to assign the GPO to the domain or OU
structure rather than to the site.
Linking GPOs to the Domain
Link GPOs to the domain if you want them to apply to all
users and computers in the domain. For example, security administrators often
implement domain-based GPOs to enforce corporate standards. They might want to
create these GPOs with the GPMC Enforce option enabled to guarantee that no
other administrator can override these settings.
Important
If you need to modify some of the settings
contained in the Default Domain Policy GPO, it is
recommended that you create a new GPO for this
purpose, link it to the domain, and set the Enforce
option. In general, do not modify this or the Default Domain Controller
Policy GPO. If you do, be sure to back up these and
any other GPOs in your network by using GPMC to ensure
you can restore them.
As the name suggests, the Default Domain Policy GPO is also
linked to the domain. The Default Domain Policy GPO is created when the first
domain controller in the domain is installed and the administrator logs on for
the first time. This GPO contains the domain-wide account policy settings,
Password Policy, Account Lockout Policy, and Kerberos Policy, which is enforced
by the domain controller computers in the domain. All domain controllers
retrieve the values of these account policy settings from the Default Domain
Policy GPO. In order to apply account policies to domain accounts, these policy
settings must be deployed in a GPO linked to the domain, and it is recommended
that you set these settings in the Default Domain Policy. If you set account
policies at a lower level, such as an OU, the settings only affect local
accounts (non-domain accounts) on computers in that OU and its children.
Before making any changes to the default GPOs, be sure to
back up the GPO using GPMC. If for some reason there is a problem with the
changes to the default GPOs and you cannot revert back to the previous or
initial states, you can use the Dcgpofix.exe tool to recreate the default
policies in their initial state.
Dcgpofix.exe is a command-line tool that completely restores
the Default Domain Policy GPO and Default Domain Controller GPO to their
original states in the event of a disaster where you cannot use GPMC.
Dcgpofix.exe restores only the policy settings that are contained in the
default GPOs at the time they are generated. The only Group Policy extensions
that include policy settings in the default GPOs are RIS, Security, and EFS.
Dcgpofix.exe does not restore other GPOs that administrators create; it is only
intended for disaster recovery of the default GPOs.
Note that
Dcgpofix.exe does not save any information created through applications, such
as SMS or Exchange. The Dcgpofix.exe tool is included with Windows Server 2003
and only works in a Windows Server 2003 domain.
Dcgpofix.exe is located in the C:\Windows\Repair folder. The
syntax for Dcgpofix.exe is as follows:
Copy Code
DCGPOFix [/Target: Domain | DC | BOTH]
Table 2.1 describes the options you can use with the command
line parameter /Target: when using the Dcgpofix.exe tool.
Table 2.1 Dcgpofix.exe Options for Using the /Target
Parameter
/Target option:
|
Description of option
|
DOMAINSpecifies that the Default Domain Policy
should be recreated.DCSpecifies that the Default Domain Controllers
Policy should be recreated.BOTHSpecifies that both the Default Domain
Policy and the Default Domain Controllers Policy should be
recreated.For more information about Dcgpofix.exe, in Help and Support
Centerfor Windows Server 2003 click Tools, and then click Command-line
reference A-Z
|
Linking GPOs to the OU Structure
Most GPOs are normally linked to the OU structure because
this provides the most flexibility and manageability:
You can move users and computers into and out of OUs.
OUs can be rearranged if necessary.
You can work with smaller groups of users who have
common administrative requirements.
You can organize users and computers based on which
administrators manage them.
Organizing GPOs into user- and computer-oriented GPOs can
help make your Group Policy environment easier to understand and can simplify
troubleshooting. However, separating the user and computer components into
separate GPOs might require more GPOs. You can compensate for this by adjusting
the GPO Status to disable the user or computer configuration portions of the
GPO that do not apply and to reduce the time required to apply a given GPO.
Changing the GPO Link Order
Within each domain, site, and OU, the link order controls
the order in which GPOs are applied. To change the precedence of a link, you
can change the link order, moving each link up or down in the list to the
appropriate location. Links with the lowest number have higher precedence for a
given site, domain, or OU. For example, if you add six GPO links and later
decide that you want the last one that you added to have the highest
precedence, you can adjust the link order of the GPO link so it has link order
of 1. To change the link order for GPO links for a domain, OU, or site, use
GPMC
39) What can I do to prevent inheritance from above?
You can block policy inheritance for a domain or
organizational unit. Using block inheritance prevents GPOs linked to higher
sites, domains, or organizational units from being automatically inherited by
the child-level. By default, children inherit all GPOs from the parent, but it
is sometimes useful to block inheritance. For example, if you want to apply a
single set of policies to an entire domain except for one organizational unit,
you can link the required GPOs at the domain level (from which all
organizational units inherit policies by default), and then block inheritance
only on the organizational unit to which the policies should not be applied.
40) How can I override blocking of inheritance?
A. Group Policies can be applied at multiple levels (Sites,
domains, organizational Units) and multiple GP’s for each level. Obviously it
may be that some policy settings conflict hence the application order of Site –
Domain – Organization Unit and within each layer you set order for all defined
policies but you may want to force some polices to never be overridden (No
Override) and you may want some containers to not inherit settings from a
parent container (Block Inheritance).
A good definition of each is as follows:
No Override – This prevents child containers from overriding
policies set at higher levels
Block Inheritance – Stops containers inheriting policies
from parent containers
No Override takes precedence over Block Inheritance so if a
child container has Block Inheritance set but on the parent a group policy has
No Override set then it will get applied.
Also the highest No Override takes precedence over lower No
Override’s set.
To block inheritance perform the following:
Start the Active Directory Users and Computer
snap-in (Start – Programs – Administrative Tools –
Active Directory Users and Computers)
Right click on the container you wish to stop
inheriting settings from its parent and select Properties
Select the ‘Group Policy’ tab
Check the ‘Block Policy inheritance’ option
Click Apply then OK
To set a policy to never be overridden performs the
following:
Start the Active Directory Users and Computer snap-in
(Start – Programs – Administrative Tools – Active
Directory Users and Computers)
Right click on the container you wish to set a Group
Policy to not be overridden and select Properties
Select the ‘Group Policy’ tab
Click Options
Check the ‘No Override’ option
Click OK
Click Apply then OK
41) How can you determine what GPO was and was not applied
for a user? Name a few ways to do that.
Group Policy Management Console (GPMC) can provide
assistance when you need to troubleshoot GPO behavior.
It allows you to examine the settings of a specific
GPO, and is can also be used to determine how your
GPOs are linked to sites, domains, and OUs. The Group Policy Results
report collects information on a computer and user, to
list the policy settings which are enabled. To create
a Group Policy Results report, right-click Group
Policy Results, and select Group Policy Results Wizard
on the shortcut menu. This launches the Group Policy Results Wizard, which
guides you through various pages to set parameters for
the information that should be displayed in the Group
Policy Results report.
Gpresult.exe Click Start > RUN > CMD
> gpresult, this will also give you information of
applied group policies.
3. RSOP.MSC
42) A user claims he did not receive a GPO, yet his user and
computer accounts are in the right OU, and everyone else there gets the GPO.
What will you look for?
Here interviewer want to know
the troubleshooting steps
what GPOs is applying?
If it applying in all user and computer?
What GPOs are implemented on ou?
Make sure user not is member of loopback policy as in loopback policy it
doesn’t affect user settings only computer policy will applicable.
If he is member of GPOs filter grp or not?
You may also want to check the computers event logs. If you
find event ID 1085 then you may want to download the patch to fix this and
reboot the computer.
===============================================
Answer 2: Start troubleshooting by running RSOP.MSC (Resultant Set of Policy)
or gpresult /z to verify whether relevant GPO actually applies to that user?
This also can be a reason of slow network; you can change
the default setting by using the Group Policy MMC snap-in. This feature is
enabled by default, but you can disable it by using the following policy:
Administrative Templates\System\Logon\Always wait for the network at computer
startup and logon.
Identify which GPOs they correspond to; verify that they are
applicable to the computer/user (based on the output of RSOP.MSC/gpresult)
43) What are administrative templates?
The GPO settings are divided between the Computer settings
and the User settings. In both parts of the GPO you can clearly see a large
section called Administrative Templates.
Administrative Templates are a large repository of registry-based
changes (in fact, over 1300 individual settings) that can be found in any GPO
on Windows 2000, Windows XP, and Windows Server 2003.
By using the Administrative Template sections of the GPO you
can deploy modifications to machine (called HKEY_LOCAL_MACHINE in the registry)
and user (called HKEY_CURRENT_USER in the registry) portions of the Registry of
computers that are influenced by the GPO.
The Administrative Templates are Unicode-formatted text
files with the extension .ADM and are used to create the Administrative
Templates portion of the user interface for the GPO Editor.
44) What’s the difference between software publishing and
assigning?
An administrator can either assign or publish software
applications.
Assign Users
the software application is advertised when the user logs on. It is installed
when the user clicks on the software application icon via the start menu, or
accesses a file that has been associated with the software application.
Assign
Computers
The software application is advertised and installed when it is safe to do so,
such as when the computer is next restarted.
Publish to
users
the software application does not appear on the start menu or desktop. This
means the user may not know that the software is available. The software
application is made available via the Add/Remove Programs option in control
panel, or by clicking on a file that has been associated with the application.
Published applications do not reinstall themselves in the event of accidental
deletion, and it is not possible to publish to computers.
45) You want to standardize the desktop environments
(wallpaper, My Documents, Start menu, printers etc.) on the computers in one
department. How would you do that?
Yes… Through Group Policy
