Windows 2003 Key Question ANS

Upload: nagendrabc

Post on 02-Apr-2018


  • 7/27/2019 Windows 2003 Key Question ANS

    1/44

    What Is Active Directory?

    Active Directory is a directory service that stores information about objects on a network and makes this information available to users and network administrators.

    Active Directory gives network users access to permitted resources anywhere on the network using a single logon process.

    It provides network administrators with a hierarchical view of the network and a single point of administration for all network objects.

    a. Active Directory is a technology created by Microsoft, introduced with Windows 2000.

    b. Active Directory uses multimaster replication, which lets us update the directory at any domain controller.

    c. Active Directory is a centralized hierarchical directory database. A directory service stores information about network resources and makes the resources accessible to users and computers.

    d. It helps to centrally manage, organize and control access to resources. AD objects include users, groups, computers, printers, etc. Servers, domains and sites are also considered AD objects.

    e. AD is a searchable database.

    f. Active Directory uses DNS for its namespace.

    g. Active Directory uses the LDAP protocol for its client-server communication.

    Lightweight Directory Access Protocol (LDAP) is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.

    Lightweight Directory Access Protocol (LDAP): an access protocol that defines how users can access or update directory service objects.

    Major requirements for Active Directory

    Windows Server 2003 Standard or Enterprise edition
    NTFS file system
    DNS server

    Active Directory partition

    A contiguous subtree of the directory that forms a unit of replication. A given replica is always a replica of some directory partition. The directory always has at least three directory partitions:

    The schema, which defines the object classes and attributes contained in Active Directory.
    The configuration, which identifies the domain controllers, replication topology and other related information about the domain controllers within a specific implementation of Active Directory.
    One or more domains that contain the actual Active Directory object data.

    A domain controller always stores the partitions for the schema, configuration, and its own (and no other) domain. The schema and configuration are replicated to every domain controller in the domain tree or forest. The domain is replicated only to domain controllers for that domain. A subset of the attributes for all domain objects is replicated to the global catalog.

    Note: In layman's language, Active Directory is something like the Yellow Pages.

    Domain Controller (D.C.)

    A server where A.D. is installed is called a D.C.

    Features of A.D.:

    1. Fully integrated security system with the help of Kerberos.
    2. Easy administration using group policy.
    3. Scalable to any size network.
    4. Flexible (install/uninstall).
    5. Extensible (modify the schema).

    New features in 2003:

    6. Rename computer names and domain names.


    7. Cross-forest trust relationships.
    8. Site-to-site replication is faster.

    What is a Domain?

    A group of computers under a common security and administrative boundary.

    What is a Domain Controller?

    A domain controller is a system using which we can control access to resources and implement security on users and computers in the domain.

    What is DNS, WINS and DHCP?

    Soln: DNS: Domain Name Service is a name resolution service that translates a domain name to an IP address and vice versa.

    WINS: It is used to resolve NetBIOS names to IP addresses.

    DHCP: Dynamic Host Control Protocol is a protocol for automatically assigning IP addresses to hosts joining a network.

    ARP: Address Resolution Protocol is a protocol that maps IP addresses to network card MAC addresses.

    Protocol: A formal specification of a means of computer communication.

    VPN: A Virtual Private Network, a network connected together via securely encrypted communication tunnels over a public network, such as the global Internet.

    How does a PDC act when in Mixed mode and Native mode?

    DOMAIN FUNCTIONAL LEVEL

    WINDOWS 2000 MIXED FUNCTIONAL LEVEL

    The domain controllers that can run in this mode are Windows NT Server 4.0, Windows 2000 Server and Windows Server 2003. So the PDC emulator has the responsibilities below: since a Windows NT server is already present in the domain, the PDC emulator is responsible for authentication and time synchronization for Windows 98 and NT workstations.

    Soln: In Mixed mode the PDC is responsible for:

    1. Account lockouts


    2. Password changes

    In Native Mode:

    1. It is used for authentication.
    2. Account lockouts
    3. Password changes
    4. Time synchronization

    Forest Functional Levels (mnemonic: the word THREE contains TRE, and so does FOREST)

    1. Windows 2000 (default) --- Windows NT 4, Windows 2000, Windows Server 2003 family
    2. Windows Server 2003 Interim --- Windows NT 4, Windows Server 2003 family
    3. Windows Server 2003 --- Windows Server 2003 family

    Domain Functional Levels

    1. Windows 2000 Mixed Mode --- Windows NT 4, Windows 2000 or Windows Server 2003 DCs
    2. Windows 2000 Native Mode --- Windows 2000, Windows Server 2003 DCs
    3. Windows Server 2003 Interim (no 2000 DCs) --- Windows NT 4, Windows Server 2003 DCs
    4. Windows Server 2003 --- All Windows Server 2003 DCs

    What is Kerberos Authentication?

    Soln: Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user and of the network services. This dual verification is known as mutual authentication.

    What is the difference between a Domain Tree and a Forest?

    Soln: A domain TREE has a contiguous namespace: the parent domain's namespace is inherited by the child domain's namespace.

    Forest: A forest consists of multiple domain trees and can have a non-contiguous namespace. The domain trees in a forest do not form a contiguous namespace but share a common schema and GC.


    Features of Active Directory in Windows 2003

    Understanding the Structure of Active Directory

    What are the boot files?

    Soln: NTLDR, BOOT.INI, NTDETECT.COM, BOOTSECT.DOS

    What are the prerequisites for installation of Exchange Server?

    The prerequisites are:

    IIS
    SMTP
    WWW service
    NNTP
    .NET Framework
    ASP.NET

    Then run ForestPrep, then run DomainPrep.

    What are the contents of a System State backup?

    The contents are:

    Boot files, system files
    Active Directory (if it is done on a DC)
    SYSVOL folder (if it is done on a DC)
    Certificate Services (on a CA server)
    Cluster database (on a cluster server)
    Registry
    Performance counter configuration information
    Component Services class registration database

    Which roles must be on the same server?

    Soln: Domain Naming Master and Global Catalog

    Which roles must not be on the same Domain Controller?

    Infrastructure Master and Global Catalog

    Note: If you have only one domain then you won't get any problem even if you have both of them on the same server. If you have two or more domains in a forest then they shouldn't be on the same server.


    Flexible Single Master Operation Roles (D.R.I.P.S.)

    1. Domain Naming Master --- Forest-wide role
    2. Schema Master --- Forest-wide role
    3. RID Master --- Domain-wide role
    4. PDC Emulator --- Domain-wide role
    5. Infrastructure Master --- Domain-wide role

    RID MASTER: Allocates RIDs to other domain controllers; used when security principals or objects are created. { The RID makes the individual security principal's security identifier (SID) unique within a domain. Built-in RIDs are consistent between domains; for example, the built-in Administrator has a RID of 500. The RID master gives other domain controllers RIDs to use when new objects are created. }

    PDC EMULATOR: Provides backward compatibility for pre-Windows 2000 versions in the domain. Acts as a central manager for user password changes, replication, and account lockouts. Handles time synchronization.

    Infrastructure Master: This domain controller records changes made concerning objects in a domain. All changes are reported to the Infrastructure Master first, and then they are replicated out to the other domain controllers. The Infrastructure Master deals with groups and group memberships for all domain objects. It is also the Infrastructure Master's role to update other domains with changes that have been made to objects.

    Manages user and group references for objects between domains. Updates ACLs and group memberships as required. Queries the global catalog to ensure that references are current. This role should not be assigned to a global catalog server.


    Exception 1: There is only a single domain in the forest.
    Exception 2: All domain controllers are also global catalog servers.

    Domain Naming Master: plays the role of adding or removing domains. { Ensures domain names are unique in the forest. Domains cannot be added or removed if the domain naming master is not available. Enterprise Admins level access is required in order to add and remove domains. }

    Schema Master: is responsible for any update or change in the Active Directory SCHEMA.

    In Windows 2000 there are mainly 3 zones:

    1. Standard Primary --- zone information is written to a text file
    2. Standard Secondary --- a copy of the Primary
    3. Active Directory Integrated --- information is stored in Active Directory

    In Win2k3 one more zone type is added, the Stub zone.

    STUB ZONE: Is like a secondary zone, but it contains only a copy of the SOA records, a copy of the NS records and a copy of the A records for that zone (no copy of MX, SRV records etc.). With a stub zone DNS traffic will be low.

    In RAID 5, suppose I have 5 HDDs of 10 GB each. After configuring the RAID, how much space do I have to utilise?

    A) The total minus one disk (e.g. if you are using 5 you will get only 4, because 1 goes for parity).

    How to synchronize a client computer manually to a domain controller?

    Windows 2000 (Win2K) and later computers in a domain should automatically synchronize time with a domain controller. But sometimes you may get a situation where you need to synchronize manually.

    To manually synchronize time, open a command-line window and run

    Net stop w32time

    Run

    w32time update

    Run

    Net start w32time


    Manually verify the synchronization between the client computer and a domain controller. Also check the System event log to ensure that the W32Time service has not logged additional error messages.

    What are the commands we use for DNS?

    Nslookup (and all interactive mode commands)
    Ipconfig /flushdns
    Ipconfig /registerdns

    What is the difference between Primary zone and Secondary zone?

    A Primary zone has read and write permissions, whereas a Secondary zone has read-only permission.

    Note: Secondary zones are used for backup and load balancing.

    How to check whether DNS is working or not?

    Type the command nslookup at the command prompt. It then gives the DNS server name and its IP address.

    What are Dynamic Updates in DNS?

    Generally we need to create a host record for a newly joined computer (either a client, a member server or a domain controller). If you enable the Dynamic Update option, then DNS itself creates the associated host record for newly joined computers.

    What is an iterative query?

    This is the query sent by a client system to a DNS server. If the DNS server has an answer for that query it will answer; otherwise it replies with "no resource records found". The query that has been sent to the DNS server from a client is called an iterative query.

    What is a Recursive query?

    Now your DNS server asks the root-level DNS server for the specific IP address. Now that DNS server says "I don't know, but I can give you the address of another server that can help you in finding the IP address".

    What is the structure and purpose of a directory service?

    A directory service consists of a database that stores information about network resources, such as computers and printers, and the services that make this information available to users and applications.


    What is a forest?

    A collection of one or more domain trees that do not form a contiguous namespace. Forests allow organizations to group divisions that operate independently but still need to communicate with one another.

    All trees in a forest share common Schema and configuration partitions and a Global Catalog.

    All trees in a given forest trust each other with two-way transitive trust relations.

    Tool --- Description

    GPResult.exe --- Displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer. Uses the new WMI-based RSoP provider to show policy status.

    GPUpdate.exe --- Refreshes local and Active Directory Group Policy settings, including security settings. Supersedes the now obsolete /refreshpolicy option of the secedit command.

    HOSTNAME --- Displays the computer name of the local system.

    IPCONFIG --- Displays the TCP/IP properties for network adapters installed on the system. You can also use it to renew and release DHCP information.

    NBTSTAT --- Displays statistics and current connections for NetBIOS over TCP/IP.

    NET --- Displays a family of useful networking commands.

    NETSH --- Displays and manages the network configuration of local and remote computers.


    NETSTAT --- Displays current TCP/IP connections and protocol statistics.

    NSLOOKUP --- Checks the status of a host or IP address when used with DNS.

    PATHPING --- Traces network paths and displays packet loss information.

    PING --- Tests the connection to a remote host.

    ROUTE --- Manages the routing tables on the system.

    TRACERT --- During testing, determines the network path taken to a remote host.

    To learn how to use these command-line tools, type the name at a command prompt followed by /?. Windows Server 2003 then provides an overview of how the command is used (in most cases).

    Using NET Tools

    You can more easily manage most of the tasks performed with the NET commands by using graphical administrative tools and Control Panel utilities. However, some of the NET tools are very useful for performing tasks quickly or for obtaining information, especially during telnet sessions to remote systems. These commands include:

    NET SEND --- Sends messages to users logged in to a particular system
    NET START --- Starts a service on the system
    NET STOP --- Stops a service on the system
    NET TIME --- Displays the current system time or synchronizes the system time with another computer
    NET USE --- Connects to and disconnects from a shared resource
    NET VIEW --- Displays a list of network resources available to the system

    To learn how to use any of the NET command-line tools, type NET HELP followed by the command name, such as NET HELP SEND. Windows Server 2003 then provides an overview of how the command is used.

    42. What are the similarities if I have 4 to 5 Domain Trees?

    Soln: A common schema, and they may have a common DNS root namespace.

    32. What is AD Replication?

    Soln: A process of copying information updates from one Domain Controller to another.

    29. Can a DHCP Server be integrated with DNS?

    Soln: YES

    30. Can we restore the System State data on different servers?

    Soln: No. But if we have the same hardware it is possible. It is recommended not to do so.


    26. What is SYSVOL? Explain the same.

    Soln: It contains the public files of all DCs in a domain.
    It uses FRS for replication.
    It contains Group Policy information.
    It contains the Netlogon share for client logon requests; the policy folder is shared as netlogon.

    23. How to change the schema master and what is the basic requirement?

    Soln: To change the schema master (one of the primary FSMO roles), the user should be a member of the SCHEMA ADMINS group and run the command to register the Schmmgmt.dll dynamic-link library, in order to make the Schema tool available as an MMC snap-in.

    Then run MMC, add the snap-in, right click, choose Properties and change it to the required DC.

    Active Directory and DNS

    Name resolution: resolve names of servers/clients to IP addresses and vice versa (possibly).

    Namespace definition: an Active Directory domain's name must be represented in DNS. Active Directory requires DNS; DNS does not require Active Directory.

    Locating the physical components of Active Directory: client computers query DNS to locate domain controllers running specific services, such as global catalog (GC), Kerberos, LDAP, and so on.

    LDAP


    Lightweight Directory Access Protocol

    Active Directory is an LDAP version 3 directory (with version 2 compatibility), not an X.500 directory.

    LDAP provides a standard mechanism for naming objects stored in a directory for:

    Location in a hierarchy
    Addition
    Removal
    Modification

    What is a SID?

    Security IDentifier

    A variable-length number that is used to identify security principals. Used in ACLs to identify security principals that are granted/denied access to objects in Active Directory and file system resources.

    When a security principal is moved from one domain to another in Windows Server 2003, the object's SID changes.

    When a security principal is moved within a domain, its SID does not change.


    What is a RID?

    Relative IDentifier

    When a security principal is created in a Windows Server 2003 domain, the principal's SID is comprised of two concatenated values:

    The SID of the domain in which the principal is being created
    A relative identifier that is unique within that domain

    When a security principal is moved to another domain, it receives a new SID, which is comprised of the SID of the destination domain and a RID that is unique within that domain.

    Moves within a domain do not change SIDs/RIDs.

    What is a GUID?

    Globally Unique IDentifier

    A 128-bit number generated at the time an object is created in the directory. Never changes. Travels with an object.

    When an object is moved, even between domains in a forest, its GUID does not change. Used by domain controllers to identify objects in Active Directory for purposes of replication.

    Not used to identify security principals.

    Schema


    The schema is a formal definition, a set of rules. The schema governs the structure of the directory, including how various objects in the directory fit into the directory's hierarchical structure. The schema is what makes Active Directory extensible. As organizations change, it may be necessary to add or modify object attributes, or even to create new classes. The use of certain applications, in particular, may require these kinds of modifications. Microsoft anticipates that application vendors will provide the means to modify the schema when necessary to support their applications' specific requirements.

    Global Catalog

    The Global Catalog is a role which maintains indexes about objects. It contains full information about the objects in its own domain and partial information about the objects in other domains.

    Universal Group membership information is stored in global catalog servers and replicated to all GCs in the forest.

    FSMO Roles

    The 5 FSMO server roles:

    Schema Master --- Forest level --- One per forest
    Domain Naming Master --- Forest level --- One per forest
    PDC Emulator --- Domain level --- One per domain
    RID Master --- Domain level --- One per domain
    Infrastructure Master --- Domain level --- One per domain

    1. Schema Master (Forest level)

    The schema master FSMO role holder is the Domain Controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

    http://www.svrops.com/svrops/documents/

    2. Domain Naming Master (Forest level)

    The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master in the Active Directory forest.

    3. PDC Emulator (Domain level)

    In a Windows 2000 domain, the PDC emulator server role performs the following functions:

    Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
    Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
    Account lockout is processed on the PDC emulator.
    Time synchronization for the domain.
    Group Policy changes are preferentially written to the PDC emulator.

    Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

    There is only one PDC emulator per domain.

    Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

    4. RID Master (Domain level)

    The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

    When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that makes the object unique in a domain.

    Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.

    There is one RID master per domain in a directory.
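An added example (not from the original Q&A) covering both the "What is a RID?" answer and the RID Master section above: parse_sid() splits a principal's SID into domain SID and RID, and RidMaster/DcRidPool model RID pool allocation, including a DC that keeps creating principals from its pool while the RID master is unreachable. The domain SIDs, DC names, block size and watermark are constructed values, not Windows defaults.

```python
import re

# Well-known RIDs are identical in every domain (the page's example: Administrator = 500).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users"}

# The domain SID part of a domain security principal's SID: S-1-5-21-<a>-<b>-<c>.
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")


def parse_sid(sid: str) -> tuple[str, int]:
    """Split a principal's SID into (domain SID, RID).

    The RID is the last sub-authority; everything before it is the domain SID that
    every principal created in that domain shares."""
    domain_sid, sep, rid = sid.rpartition("-")
    if not sep or not rid.isdigit() or not _DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain security principal SID: {sid!r}")
    return domain_sid, int(rid)


def describe_rid(rid: int) -> str:
    """Name a well-known RID, or report that the RID is specific to its domain."""
    return WELL_KNOWN_RIDS.get(rid, "domain-specific RID")


class RidMaster:
    """The one RID master of a domain. It hands out disjoint blocks of RIDs from
    the domain's unallocated pool, so two DCs can never issue the same RID."""

    def __init__(self, domain_sid: str, first_rid: int = 1000, block_size: int = 10):
        self.domain_sid = domain_sid
        self.next_free = first_rid
        self.block_size = block_size   # constructed; not the Windows default pool size
        self.online = True

    def allocate_block(self) -> tuple[int, int]:
        if not self.online:
            raise ConnectionError("RID master unavailable")
        start = self.next_free
        self.next_free += self.block_size
        return start, self.next_free - 1


class DcRidPool:
    """A DC's view: it stamps new principals with RIDs from its own pool and asks the
    RID master for another block once the pool falls below a watermark. Because the
    request is made ahead of time, a RID master outage only bites once the local
    pool (and the standby block, if one was obtained) is exhausted."""

    def __init__(self, name: str, master: RidMaster, low_watermark: int = 3):
        self.name = name
        self.master = master
        self.low_watermark = low_watermark
        self.standby: list[int] = []
        self.pool: list[int] = self._request_block()

    def _request_block(self) -> list[int]:
        try:
            start, end = self.master.allocate_block()
        except ConnectionError:
            return []          # keep working from what we have; retry on the next create
        return list(range(start, end + 1))

    def remaining(self) -> int:
        return len(self.pool) + len(self.standby)

    def create_principal(self) -> str:
        """Create a security principal and return its SID (domain SID + fresh RID)."""
        if not self.pool:
            self.pool, self.standby = self.standby, []
        if not self.pool:
            self.pool = self._request_block()
        if not self.pool:
            raise RuntimeError(f"{self.name}: RID pool exhausted and RID master unreachable")
        rid = self.pool.pop(0)
        if len(self.pool) < self.low_watermark and not self.standby:
            self.standby = self._request_block()   # top up before we run dry
        return f"{self.master.domain_sid}-{rid}"
```

Every SID the two DCs issue shares the domain SID and carries a distinct RID, and a DC only fails to create principals once both its pool and its standby block are used up while the RID master is down.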

    5. Infrastructure Master (Domain level)

    The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

    When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA, who has been added to a group in DomainB, then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

    There is only one Infrastructure master per domain.

    What if a FSMO server fails?

    Schema Master --- No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

    Domain Naming Master --- The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

    PDC Emulator --- The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical because other domain controllers can assume most of the responsibilities of the PDC emulator.

    RID Master --- The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

    Infrastructure Master --- This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

    Placing FSMO Server Roles

    So where are these FSMO server roles found? Is there a one-to-one relationship between the server roles and the number of servers that house them?

    The first domain controller that is installed in a Windows 2000 domain, by default, holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers. Moving a FSMO server role is a manual process; it does not happen automatically.

    But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization then you have one forest, one domain, and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

    However, it is always a good idea to have more than one domain controller in a domain for a number of reasons. Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

    The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are, by default, on the first domain controller installed in a forest, you can leave them as they are.

    Note: According to MS, the Domain Naming master needs to be on a Global Catalog server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

    The Infrastructure Master should not be on the same server that acts as a Global Catalog server.

    The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain.

    Note: In a single domain environment this is not an issue.

    Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog server rule above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

    It is also recommended that all FSMO role holders be direct replication partners and that they have high-bandwidth connections to one another as well as to a Global Catalog server.
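The placement rules above, as an added example that is not part of the original text: a checker that flags a forest's FSMO and Global Catalog layout against them, reporting the mandatory rules (one holder per role, Domain Naming Master on a GC, Infrastructure Master off a GC unless one of the two exceptions holds) as errors and the recommendations (Schema and Domain Naming Master together, PDC Emulator and RID Master together) as warnings. The forest, DC names and domain names are constructed.

```python
from dataclasses import dataclass, field

FOREST_ROLES = ("Schema Master", "Domain Naming Master")
DOMAIN_ROLES = ("PDC Emulator", "RID Master", "Infrastructure Master")


@dataclass
class DomainController:
    name: str
    domain: str
    is_gc: bool = False
    roles: set = field(default_factory=set)


def check_fsmo_placement(dcs: list) -> tuple:
    """Return (errors, warnings) for a list of DomainController records."""
    errors, warnings = [], []
    domains = sorted({dc.domain for dc in dcs})
    holders = {}
    for dc in dcs:
        for role in dc.roles:
            holders.setdefault(role, []).append(dc)

    # Forest-wide roles: exactly one holder in the whole forest.
    for role in FOREST_ROLES:
        names = [dc.name for dc in holders.get(role, [])]
        if len(names) != 1:
            errors.append(f"{role}: expected exactly one holder in the forest, found {names}")

    # Domain-wide roles: exactly one holder in each domain.
    for domain in domains:
        for role in DOMAIN_ROLES:
            names = [dc.name for dc in holders.get(role, []) if dc.domain == domain]
            if len(names) != 1:
                errors.append(f"{role} in {domain}: expected exactly one holder, found {names}")

    # The Domain Naming Master must sit on a Global Catalog server.
    for dc in holders.get("Domain Naming Master", []):
        if not dc.is_gc:
            errors.append(f"Domain Naming Master on {dc.name}, which is not a GC")

    # The Infrastructure Master must not be a GC, unless the forest has a single
    # domain or every DC is a GC (the two exceptions the page lists).
    single_domain = len(domains) == 1
    all_gc = all(dc.is_gc for dc in dcs)
    for dc in holders.get("Infrastructure Master", []):
        if dc.is_gc and not (single_domain or all_gc):
            errors.append(f"Infrastructure Master on GC {dc.name} in a multi-domain forest "
                          "where not every DC is a GC: cross-domain references will never be refreshed")

    # Recommendations: Schema and Domain Naming Master together on a GC; PDC and RID together.
    forest_holders = {dc.name for role in FOREST_ROLES for dc in holders.get(role, [])}
    if len(forest_holders) > 1:
        warnings.append("Schema Master and Domain Naming Master on different servers: "
                        f"{sorted(forest_holders)}")
    for dc in holders.get("Schema Master", []):
        if not dc.is_gc:
            warnings.append(f"Schema Master on {dc.name}, which is not a GC")
    for domain in domains:
        pair = {dc.name for role in ("PDC Emulator", "RID Master")
                for dc in holders.get(role, []) if dc.domain == domain}
        if len(pair) > 1:
            warnings.append(f"PDC Emulator and RID Master in {domain} on different servers: "
                            f"{sorted(pair)}")
    return errors, warnings


# Constructed sample forest: corp.example is the forest root, sales.corp.example a child domain.
SAMPLE_FOREST = [
    DomainController("DC1", "corp.example", is_gc=True,
                     roles={"Schema Master", "Domain Naming Master", "PDC Emulator", "RID Master"}),
    DomainController("DC2", "corp.example", is_gc=True, roles={"Infrastructure Master"}),
    DomainController("SDC1", "sales.corp.example", is_gc=False,
                     roles={"PDC Emulator", "RID Master", "Infrastructure Master"}),
]

if __name__ == "__main__":
    errs, warns = check_fsmo_placement(SAMPLE_FOREST)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN:", line)
```

On the sample forest the only finding is DC2: it holds the root domain's Infrastructure Master while being a GC in a two-domain forest where SDC1 is not a GC.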

    FSMO Tools

    How do find out what servers in your domain/forest hold what server roles? Howdo you move a server role from one server to another? There are several tools

    that can be used to find out this information.

    Permissions

    http://www.svrops.com/svrops/documents/
  • 7/27/2019 Windows 2003 Key Question ANS

    20/44

Before you can transfer a role, you must have the appropriate permissions for the role you plan to transfer:

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group (or the Enterprise Admins group)

RID Master: member of the Domain Admins group (or the Enterprise Admins group)

Infrastructure Master: member of the Domain Admins group (or the Enterprise Admins group)

Active Directory Users and Computers - use this snap-in to find out where the domain-level FSMO roles (PDC Emulator, RID Master, Infrastructure Master) are located, and to change the location of any of these three roles.

Open Active Directory Users and Computers, right-click the domain whose FSMO roles you want to view and click "Operations Masters". A dialog box opens with three tabs, one for each domain-level role. Click each tab to see which server that role resides on. To move a role, you must first connect to the domain controller you want to move it to: right-click "Active Directory Users and Computers" at the top of the snap-in and choose "Connect to Domain Controller". Once connected, go back into the Operations Masters dialog box, choose the role to move and click the Change button. The name of the domain controller you connected to appears in the field below the Change button; that is the server the role will be transferred to.


Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as for the domain-level FSMO roles in Active Directory Users and Computers, except that you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click "Active Directory Domains and Trusts" at the top of the tree, and choose "Operations Master". The dialog box shows the current holder. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller (right-click "Active Directory Domains and Trusts" at the top of the snap-in and choose "Connect to Domain Controller"), then click the Change button.


Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not listed among the administrative tools by default: its DLL ships with Windows 2000 Server and Windows Server 2003, but it must be registered before it appears. Run regsvr32 schmmgmt.dll from a command prompt, then open a blank Microsoft Management Console (Start, Run, mmc) and add the "Active Directory Schema" snap-in to the console. Once the snap-in is open, right-click "Active Directory Schema" at the top of the tree and choose "Operations Master". Changing the server the Schema Master resides on requires that you first connect to the target domain controller (right-click "Active Directory Schema" at the top of the snap-in and choose "Connect to Domain Controller"), and then click the Change button. Only members of Schema Admins can make this change.


More Tools

In addition to the snap-ins above, other tools can be used to view the FSMO role holders. Perhaps the easiest and fastest way is the Netdom command-line utility. Like the Active Directory Schema snap-in, Netdom is not installed by default: it is part of the Support Tools (the \Support\Tools folder of the Windows 2000 or Windows Server 2003 CD) and of the Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt and type netdom query fsmo. You will see a list of the five roles and the server that holds each one.


Another tool that comes with the Support Tools is the Active Directory Replication Monitor (Replmon). Open it from Start, Programs, Windows Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the five FSMO roles. You cannot change roles with Replication Monitor, but the tool has many other useful purposes for Active Directory replication troubleshooting and is worth checking out if you haven't already.


Finally, you can use the Ntdsutil.exe utility, a command-line tool installed with Windows 2000 Server and Windows Server 2003, to gather information about and change the servers that hold FSMO roles. Ntdsutil is rather involved and is beyond the scope of this document, but one caveat matters: the snap-ins and the Ntdsutil "transfer" commands only work while the current role holder is online. If the holder is permanently lost, the Ntdsutil "seize" commands are the only way to move the role, and the old holder must never be brought back onto the network afterwards.
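The following is an added example (not from the original document) that lists the five FSMO role holders and checks the two placement rules described above. It uses the System.DirectoryServices.ActiveDirectory classes that ship with the .NET Framework, so it needs no extra module and works against a Windows Server 2003 domain. Run it as a domain user on a domain-joined machine.

```powershell
# Added example: FSMO role holders plus the placement checks from the text.
# Assumes a domain-joined machine; no Active Directory module is required.

function Get-FsmoRoleHolders {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest
    $im = $domain.InfrastructureRoleOwner
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name       # forest-wide
        DomainNamingMaster   = $forest.NamingRoleOwner.Name       # forest-wide
        PdcEmulator          = $domain.PdcRoleOwner.Name          # domain-wide
        RidMaster            = $domain.RidRoleOwner.Name          # domain-wide
        InfrastructureMaster = $im.Name                           # domain-wide
        InfraMasterIsGC      = $im.IsGlobalCatalog()              # the check that matters
        DomainsInForest      = $forest.Domains.Count
    }
}

function Test-FsmoPlacement {
    param($Roles = (Get-FsmoRoleHolders))
    $findings = @()
    # Rule 1: in a multi-domain forest the Infrastructure Master must not be a Global Catalog.
    if ($Roles.DomainsInForest -gt 1 -and $Roles.InfraMasterIsGC) {
        $findings += "Infrastructure Master $($Roles.InfrastructureMaster) is also a Global Catalog " +
                     "in a $($Roles.DomainsInForest)-domain forest: cross-domain references will go stale. " +
                     "Move the role (or the GC) to another DC."
    }
    # Rule 2: PDC Emulator and RID Master are recommended to sit on the same DC.
    if ($Roles.PdcEmulator -ne $Roles.RidMaster) {
        $findings += "PDC Emulator ($($Roles.PdcEmulator)) and RID Master ($($Roles.RidMaster)) " +
                     "are on different DCs; Microsoft recommends co-locating them."
    }
    if ($findings.Count -eq 0) { "FSMO placement follows the recommendations." } else { $findings }
}

Get-FsmoRoleHolders | Format-List
Test-FsmoPlacement
```

The first function prints the same information as netdom query fsmo. To act on a finding, transfer the role with the snap-ins described above or with ntdsutil, for example: ntdsutil roles connections "connect to server DC02" quit "transfer infrastructure master" quit quit. Use the ntdsutil "seize" form only when the current holder is gone for good.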

FIVE FSMO ROLES (DRIPS)

D - Domain Naming Master (forest-wide)

R - Relative Identifier (RID) Master (domain-wide)

I - Infrastructure Master (domain-wide)

P - Primary Domain Controller (PDC) Emulator (domain-wide)

S - Schema Master (forest-wide)

8. If DHCP is not available, what happens to the client?

A client that has no lease gets no IP address from DHCP. Windows clients then fall back to an Automatic Private IP Addressing (APIPA) address in 169.254.0.0/16, which only lets them talk to other APIPA hosts on the same segment, so for practical purposes they cannot participate in the network. A client that already holds a lease keeps using its address until the lease expires: it tries to renew with its server at 50% of the lease time (T1), tries any DHCP server at 87.5% (T2), and only gives up the address when the lease runs out.

3. Difference between Windows 2000 and Windows Server 2003

Windows 2000 cannot rename a domain; Windows Server 2003 can rename domains and move them to a different level in the tree (rendom.exe, which requires the Windows Server 2003 forest functional level).

Windows 2000 Advanced Server supports 8 processors and 8 GB RAM (Datacenter Server: 32 processors and 64 GB); Windows Server 2003 Datacenter x64 Edition supports up to 64 processors and 512 GB RAM (later service packs raise the memory limit further).

Windows 2000 ships with IIS 5.0; Windows Server 2003 ships with IIS 6.0.

Windows 2000 has no built-in .NET Framework; Windows Server 2003 includes the .NET Framework (version 1.1) in the base installation.

Windows 2000 has no 64-bit server edition; Windows Server 2003 has x64 Standard and Enterprise Editions (and Itanium editions).

Windows Server 2003 introduces the Volume Shadow Copy Service (VSS), including Shadow Copies of Shared Folders.

Windows 2000 supports external trusts between individual domains; Windows Server 2003 adds cross-forest trusts (transitive between two forests, both at the Windows Server 2003 forest functional level).

Windows 2000 supports IPv4 only; Windows Server 2003 supports IPv4 and IPv6.

Objects can be dragged and dropped between containers in Active Directory Users and Computers.

DNS stub zones and conditional forwarders are introduced in Windows Server 2003.

Schema attributes and classes can be deactivated (made defunct) and redefined in Windows Server 2003; they still cannot be deleted (see the note on schema deletion later in this document).

New command-line tools: Windows Server 2003 includes built-in directory service tools that were not available in Windows 2000:

dsadd - creates objects from the command line

dsmove - moves an object from one OU or container to another within the same domain

dsrm - deletes an object from Active Directory

dsquery - returns an object or list of objects that matches criteria you specify

dsget - returns one or more attributes of a particular Active Directory object

Group Policy management: Windows 2000 has no central policy management console; for Windows Server 2003 the Group Policy Management Console (GPMC, a separate download) provides a single view of all GPOs, links, and reporting across the forest.

Difference between Windows Server 2008 and Windows Server 2003

Windows Server 2008 shares its code base with Windows Vista (as Windows Server 2003 did with Windows XP) and introduces a number of new services:

1. Read-Only Domain Controllers (RODC): a domain controller that holds a read-only copy of the directory and, by default, no password hashes, for branch offices where physical security cannot be guaranteed.

2. Windows Deployment Services (WDS) replaces Remote Installation Services (RIS).

3. Shadow copies (previous versions) are available for every file and folder on a volume.

4. The boot sequence changes: the Boot Configuration Data (BCD) store and bootmgr replace boot.ini and ntldr.

5. Setup is image-based (WIM) with no separate text-mode phase, which is why installation of Windows Server 2008 is faster.

6. Services are installed and managed as roles and features through Server Manager.

7. The Group Policy Management Console is built in rather than a separate download.

8. The main difference between 2003 and 2008 is virtualization and management. Windows Server 2008 has more built-in components and updated third-party drivers, and introduces Hyper-V (V for virtualization), but only on 64-bit editions. More and more companies see this as a way of reducing hardware costs by running several virtual servers on one physical machine. If you want this technology, make sure you buy an edition of Windows Server 2008 that includes Hyper-V, then open Server Manager and add the Hyper-V role.

What is the Global Catalog?

The Global Catalog (GC) is a function that can be enabled on any domain controller (it is not one of the FSMO roles). A GC holds a full, writable copy of every object in its own domain and a partial, read-only copy of every object in the other domains of the forest, containing the attributes most commonly searched for. Universal group membership is stored only in the Global Catalog and replicated to all GCs in the forest, which is why a GC must be reachable when a user logs on in a multi-domain forest (unless universal group membership caching is enabled for the site).

Where is the AD database held?

%SystemRoot%\NTDS\ntds.dit (DIT = Directory Information Tree). The folder is chosen during dcpromo, and the actual path is recorded in the registry value DSA Database file under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. The file holds every object, including password hashes, so it should stay on an NTFS volume with the default permissions intact and be backed up only through System State backups.

What is LDAP?

Lightweight Directory Access Protocol. LDAP is a client-server protocol for accessing a directory service; Active Directory clients use it over TCP port 389 (636 with SSL/TLS), and Global Catalog queries over TCP port 3268 (3269 with SSL/TLS).

What is a Site?

A site is one or more IP subnets connected by a high-speed link. Sites are used to control replication traffic between locations and to direct clients to nearby domain controllers.

What is the KCC?

KCC stands for Knowledge Consistency Checker. It is a built-in process that runs on every domain controller and generates the replication topology (the connection objects between domain controllers) for the forest, re-evaluating it periodically (every 15 minutes by default) and re-creating it when domain controllers are added, removed, or unreachable. Within a site the KCC on each DC builds the intra-site topology; for replication between sites, one DC per site, the Inter-Site Topology Generator (ISTG), runs the KCC to create the inter-site connection objects.

What is a WSUS server? What are the basic requirements for installing it? What is the difference between WSUS and SUS, and what are the benefits of each?

WSUS (Windows Server Update Services) downloads updates from Microsoft Update into a local server. Administrators approve them, and the Automatic Updates client on each PC then fetches the approved updates from the WSUS server (in the background, using BITS) and installs them on the schedule set by Group Policy. Clients only ever install what has been approved, so the approval step is the control point for what reaches the estate.

To configure a WSUS server:

1) Run the WSUS setup on a Windows Server 2003 system with IIS 6.0 running (WSUS also needs BITS 2.0, the .NET Framework, and a database: the bundled WMSDE or SQL Server).

2) If the server reaches the Internet through a proxy, enter the proxy address in the setup wizard.

3) Set the synchronization schedule.

4) Approve the updates.

5) Point clients at the server with the Group Policy setting "Specify intranet Microsoft update service location".

Difference between SUS and WSUS

SUS did a good job of keeping Windows itself up to date, but WSUS can also update other products such as Microsoft Office, Exchange Server, and ISA Server, and over time is intended to keep all current Microsoft server products up to date. WSUS also adds computer groups for targeting, reporting, and installation deadlines, which SUS lacked.

5. Difference between DC and ADC

There is no functional difference between a DC and an "additional domain controller" (ADC, a term carried over from the Windows NT PDC/BDC model): both hold a writable copy of Active Directory, and both can hold FSMO roles (once transferred). The first DC promoted in a domain simply holds all the FSMO roles by default; "ADC" only identifies the ones promoted later.

    7. Types of DNS Servers

    Primary DNS

    Secondary DNS

    Active Directory Integrated DNS

    Forwarder

    Caching only DNS

10. What is the process DHCP uses to give an IP address to the client?

There is a four-way negotiation between client and server (DORA):

DHCP Discover (broadcast by the client)

DHCP Offer (sent by each server that can serve the client)

DHCP Request (broadcast by the client, naming the server whose offer it accepts)

DHCP Acknowledgement (sent by the chosen server; the lease starts here)

DHCP Negative Acknowledgement (NAK, sent by the server if the requested address is no longer valid, for example a Request for an expired lease or an address from another subnet)

The client uses UDP port 68 and the server UDP port 67. Because Discover is a broadcast, every segment without a DHCP server needs a relay agent.
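The exchange above, as an added example that is not part of the original document: the code builds a DHCPDISCOVER the way a client does and parses a DHCPOFFER, then applies the check a practitioner wants from it, which is whether the offer came from an authorised server. The offer bytes are constructed for the demo, not a capture; on a live network the reply arrives on UDP 68 after the discover is broadcast to 255.255.255.255:67. The MAC, transaction id, and authorised-server list are assumptions.

```powershell
# Added example: DHCP Discover/Offer packet format and a rogue-server check.
# The offer below is CONSTRUCTED for the demo, not captured traffic.

$DhcpCookie = [byte[]](99, 130, 83, 99)                      # RFC 2132 magic cookie
$DhcpTypes  = @{ 1 = 'DISCOVER'; 2 = 'OFFER'; 3 = 'REQUEST'; 5 = 'ACK'; 6 = 'NAK' }

function New-DhcpDiscover {
    param([byte[]]$ClientMac, [uint32]$Xid)
    $p = New-Object byte[] 240                               # 236-byte fixed header + cookie
    $p[0] = 1; $p[1] = 1; $p[2] = 6                           # op=BOOTREQUEST, htype=Ethernet, hlen=6
    [Array]::Copy([BitConverter]::GetBytes($Xid), 0, $p, 4, 4)   # transaction id (xid)
    $p[10] = 0x80                                             # flags: ask for a broadcast reply
    [Array]::Copy($ClientMac, 0, $p, 28, 6)                   # chaddr
    [Array]::Copy($DhcpCookie, 0, $p, 236, 4)
    # options: 53 message type = DISCOVER(1); 55 parameter request list = mask, router, DNS; 255 end
    return [byte[]]($p + [byte[]](53, 1, 1,  55, 3, 1, 3, 6,  255))
}

function Read-DhcpMessage {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 240) { throw "too short to be a DHCP message" }
    for ($k = 0; $k -lt 4; $k++) {
        if ($Bytes[236 + $k] -ne $DhcpCookie[$k]) { throw "magic cookie missing: plain BOOTP or garbage" }
    }
    $opts = @{}; $i = 240
    while ($i -lt $Bytes.Length) {
        $code = [int]$Bytes[$i]
        if ($code -eq 255) { break }                          # end option
        if ($code -eq 0)   { $i++; continue }                 # pad option has no length byte
        $len = [int]$Bytes[$i + 1]
        if ($i + 1 + $len -ge $Bytes.Length) { throw "option $code overruns the packet" }
        $opts[$code] = $(if ($len -gt 0) { [byte[]]@($Bytes[($i + 2)..($i + 1 + $len)]) } else { [byte[]]@() })
        $i += 2 + $len
    }
    $lease = 0L                                               # option 51 is a big-endian 32-bit count
    if ($opts.ContainsKey(51)) { foreach ($b in $opts[51]) { $lease = $lease * 256 + $b } }
    New-Object PSObject -Property @{
        Op          = [int]$Bytes[0]                          # 1 = request, 2 = reply
        Xid         = [BitConverter]::ToUInt32($Bytes, 4)
        YourIp      = ($Bytes[16..19] -join '.')              # yiaddr: the address being offered
        MessageType = $(if ($opts.ContainsKey(53)) { $DhcpTypes[[int]$opts[53][0]] } else { 'BOOTP' })
        ServerId    = $(if ($opts.ContainsKey(54)) { $opts[54] -join '.' } else { $null })
        LeaseSecs   = $lease
        Options     = $opts
    }
}

# Rogue-server check: an OFFER whose server identifier (option 54) is not one of ours.
function Test-DhcpOffer {
    param($Msg, [string[]]$AuthorisedServers)
    if ($Msg.MessageType -ne 'OFFER') { return "not an offer: $($Msg.MessageType)" }
    if ($AuthorisedServers -notcontains $Msg.ServerId) {
        return "ROGUE DHCP: $($Msg.ServerId) offered $($Msg.YourIp) (lease $($Msg.LeaseSecs)s)"
    }
    "ok: $($Msg.ServerId) offered $($Msg.YourIp) for $($Msg.LeaseSecs)s"
}

# --- demo with constructed data: MAC and xid are made up ---
$mac = [byte[]](0x00, 0x0C, 0x29, 0x3A, 0x1B, 0x2C); $xid = [uint32]0x3903F326
$discover = New-DhcpDiscover $mac $xid                     # what the client would broadcast
$offer = New-Object byte[] 240
$offer[0] = 2; $offer[1] = 1; $offer[2] = 6
[Array]::Copy([BitConverter]::GetBytes($xid), 0, $offer, 4, 4)
[Array]::Copy([byte[]](192, 168, 12, 42), 0, $offer, 16, 4)   # yiaddr
[Array]::Copy($mac, 0, $offer, 28, 6)
[Array]::Copy($DhcpCookie, 0, $offer, 236, 4)
# options: type OFFER, server id 192.168.12.1, lease 691200 s (8 days), mask, end
$offer = [byte[]]($offer + [byte[]](53, 1, 2,  54, 4, 192, 168, 12, 1,  51, 4, 0, 0x0A, 0x8C, 0x00,  1, 4, 255, 255, 255, 0,  255))

$msg = Read-DhcpMessage $offer
if ($msg.Xid -ne $xid) { throw "offer does not match our discover" }   # a client must check this too
Test-DhcpOffer $msg -AuthorisedServers '192.168.12.1'                  # ok: ... for 691200s
Test-DhcpOffer $msg -AuthorisedServers '192.168.12.254'                # ROGUE DHCP: ...
```

The xid comparison is what ties an Offer to the client's own Discover; the server-identifier check is the basis of rogue DHCP detection, since any host on the segment can answer a broadcast Discover. On a Windows Server 2003 network the DHCP service itself refuses to start unless the server is authorized in Active Directory, but that only stops Windows servers, not a stray appliance or a laptop running a DHCP daemon.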

    12. What are the port numbers for FTP, Telnet, HTTP, DNS

    FTP-21, Telnet 23, HTTP-80, DNS-53, Kerberos-88, LDAP-389

How do you check whether Active Directory has been installed properly?

1. Check the SRV records in DNS. After Active Directory is installed, the Net Logon service on the DC registers its SRV records (for example _ldap._tcp.dc._msdcs.<domain>) in DNS; the file %SystemRoot%\system32\config\netlogon.dns lists every record it tries to register.

2. Verify that the SYSVOL folder exists and is shared (the SYSVOL and NETLOGON shares).

3. Verify the database and log files: ntds.dit, edb.log and edb*.log, edb.chk, and the reserve logs res1.log and res2.log in the NTDS folder.

4. Run dcdiag from the Support Tools for the full set of domain controller tests.
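The checks above, scripted as an added example that is not from the original document. It runs on the new domain controller itself; the SRV names follow the standard _msdcs layout, and the registry values are the ones the NTDS service writes during dcpromo.

```powershell
# Added example: post-dcpromo verification on the DC itself.
# Assumes the Support Tools (dcdiag) are installed; the rest is built in.

function Test-DomainControllerSetup {
    param([string]$DomainDns = $env:USERDNSDOMAIN, [string]$Dc = $env:COMPUTERNAME)
    $results = @()

    # 1. SRV records: Net Logon registers these; nslookup prints "svr hostname = ..." per answer.
    $srvNames = "_ldap._tcp.dc._msdcs.$DomainDns", "_kerberos._tcp.dc._msdcs.$DomainDns", "_gc._tcp.$DomainDns"
    foreach ($name in $srvNames) {
        $out = (& nslookup -type=SRV $name 2>&1) | Out-String
        $results += New-Object PSObject -Property @{
            Check  = "SRV $name"
            Pass   = ($out -match 'svr hostname')
            Detail = $(if ($out -match 'svr hostname\s*=\s*(\S+)') { $matches[1] } else { 'no answer' })
        }
    }

    # 2. SYSVOL and NETLOGON must be shared, or Group Policy and logon scripts never reach clients.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $results += New-Object PSObject -Property @{ Check = "share \\$Dc\$share"; Pass = (Test-Path "\\$Dc\$share"); Detail = '' }
    }

    # 3. Database and log files, at the paths the NTDS service recorded.
    $ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = $ntds.'DSA Database file'
    $logDir = $ntds.'Database log files path'
    $results += New-Object PSObject -Property @{ Check = 'ntds.dit'; Pass = (Test-Path $dbFile); Detail = $dbFile }
    $logs = @(Get-ChildItem $logDir -Filter '*.log' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '^(edb|res\d)' })
    $results += New-Object PSObject -Property @{ Check = 'edb*.log / res*.log'; Pass = ($logs.Count -gt 0); Detail = (($logs | ForEach-Object { $_.Name }) -join ', ') }

    # 4. dcdiag /q prints only failures, so empty output means every test passed.
    $dcd = (& dcdiag /q 2>&1) | Out-String
    $results += New-Object PSObject -Property @{ Check = 'dcdiag'; Pass = ($dcd.Trim().Length -eq 0); Detail = $dcd.Trim() }

    $results | Format-Table Check, Pass, Detail -AutoSize
}

Test-DomainControllerSetup
```

If the SRV checks fail while the shares and files are fine, the usual cause is that the DC's DNS client points at a server that does not accept dynamic updates for the zone; fix the DNS settings and run nltest /dsregdns to re-register.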

TERMS

Active Directory schema Contains the definition of all object classes and attributes used in the Active Directory database.

attributes Used to define the characteristics of an object class within Active Directory.

distinguished name (DN) An LDAP component used to uniquely identify an object throughout the entire LDAP hierarchy by combining its relative distinguished name, the containers holding the object, and the domain name.

    domain A logically structured organization of objects, such as users, computers, groups, and printers,

    that are part of a network and share a common directory database. Domains are defined by an administrator and

    administered as a unit with common rules and procedures.

    Domain Name System (DNS) A hierarchical name resolution system that resolves host names and

    fully qualified domain names (FQDNs) into IP addresses and vice versa. It is a method for maintaining

    domain naming structure and locating network resources.

    forest A collection of Active Directory trees that do not necessarily share a contiguous DNS naming

    convention but do share a common global catalog and schema.

    forest root domain The first domain created within the Active Directory structure.

global catalog An index of the objects and attributes used throughout the Active Directory structure. It contains a partial replica of every Windows Server 2003 domain within Active Directory, enabling users to find any object in the directory.

    Group Policy The Windows Server 2003 feature that allows for policy creation that affects domain

    users and computers. Policies can be anything from desktop settings to application assignment tosecurity settings and more.

Internet connection sharing (ICS) A Windows Server 2003 service that allows a single live Internet IP address to be shared among multiple clients. ICS hands out addresses in 192.168.0.0/24 itself and proxies DNS for its clients, so it cannot be used on a server that runs the DHCP Server or DNS Server service, or on a domain controller.

Lightweight Directory Access Protocol (LDAP) An access protocol that defines how users can access or update directory service objects.

    Management Saved Console (MSC) The filename extension of a console saved using the MMC.

    Microsoft Management Console (MMC) A customizable management interface that can contain

    a number of management tools to provide a single, unified application for network administration.

    multi-master replication A replication model in which any domain controller accepts and replicatesdirectory changes to any other domain controller. This differs from other replication models in

    which one computer stores the single modifiable copy of the directory and other computers store

    back-up copies.

    network address translation (NAT) The process of converting between IP addresses used within an

    intranet or other private network (called a stub domain) and Internet IP addresses.This approach makes it

    possible to use a large number of addresses within the stub domain without depleting the limited number

    of available numeric Internet IP addresses. Also, the network is protected when NAT replaces the source

    internal address and ports of all outgoing packets with a single public IP address.

    object A collection of attributes that represent items within Active Directory, such as users, groups,

    computers, and printers.

    object classes Define which types of objects can be created within Active Directory, such as users,

    groups, and printers.

organizational unit (OU) An Active Directory logical container used to organize objects within a single domain. Objects such as users, groups, computers, and other OUs can be stored in an OU container.

    relative distinguished name (RDN) An LDAP component used to identify an object within the

    objects container.

Routing and Remote Access Services (RRAS) A Windows Server 2003 service that allows users to access a company network or the Internet in a variety of ways, such as dial-up, VPN, or NAT services.

site A combination of one or more Internet Protocol (IP) subnets connected by a high-speed connection.

site link A low-bandwidth or unreliable/occasional connection between sites. Site links can be adjusted for replication availability, bandwidth costs, and replication frequency. They enable control over replication and logon traffic.

    snap-ins The management tools that are added to an MMC interface.

    taskpad Allows you to simplify administrative procedures by providing a graphical representation of

    the tasks that can be performed in an MMC.

    transitive trust The ability for domains or forests to trust one another, even though they do nothave a direct explicit trust between them.

    tree A hierarchical collection of domains that share a contiguous DNS namespace.

user principal name (UPN) A user-account naming convention that includes both the user name and a domain name in the format user@domain, for example the logon name followed by the DNS name of the domain.

    virtual private networking (VPN) A Windows Server 2003 service that allows a private and

    secure connection with a company network over the Internet.

    Event Logging and Viewing

    Event logs provide historical information that can help you track down system and security problems.The Event Log service controls whether events are tracked on Windows Server 2003 systems. When this

    service is started, you can track user actions and system resource usage events with the following event

    logs:

    Application Log

    Records events logged by applications, such as the failure of Microsoft SQL Server to access a

    database. Default location is: %SystemRoot%\system32\config\AppEvent.Evt.

    Directory Service

    Records events logged by Active Directory directory service and its related services. Default

    location is: %SystemRoot%\system32\config\NTDS.Evt.

    DNS Server

    Records DNS queries, responses, and other DNS activities. Default location is: %SystemRoot

    %\system32\config\DNSEvent.Evt.

    File Replication Service

    Records file replication activities on the system. Default location is: %SystemRoot

    %\system32\config\NtFrs.Evt.

    Security Log


    Records events you've set for auditing with local or global group policies. Default location is:

    %SystemRoot%\system32\config\SecEvent.Evt.
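The Security log is where failed logons land once logon auditing is enabled, and reading it by hand does not scale. The following is an added example (not from the original document) of detection logic run over Security log entries: it groups Windows Server 2003 failed-logon events by source address and flags bursts that look like brute force (one account) or password spraying (many accounts). The entries are constructed to look like what Get-EventLog returns; replace them with the commented Get-EventLog call to run it against a real log. The threshold and window are assumptions to tune for your environment.

```powershell
# Added example: brute-force / password-spray detection over Security log events.
# Sample entries below are CONSTRUCTED; the commented Get-EventLog line reads a real log.

# Windows 2003 audit-failure logon events (all become 4625 on Windows Server 2008 and later):
# 529 bad user/password, 530 time restriction, 531 disabled, 532 expired, 533 workstation
# restriction, 534 logon type not granted, 535 password expired, 537 other, 539 locked out
$FailedLogonIds = 529, 530, 531, 532, 533, 534, 535, 537, 539

function Find-LogonAttacks {
    param($Events, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $parsed = foreach ($e in $Events) {
        if ($FailedLogonIds -notcontains $e.EventID) { continue }
        $user = if ($e.Message -match 'User Name:\s*(\S+)')              { $matches[1] } else { '?' }
        $src  = if ($e.Message -match 'Source Network Address:\s*(\S+)') { $matches[1] } else { '-' }
        New-Object PSObject -Property @{ Time = $e.TimeGenerated; User = $user; Source = $src; EventID = $e.EventID }
    }
    $parsed | Group-Object Source | ForEach-Object {
        $source = $_.Name
        $hits   = @($_.Group | Sort-Object Time)
        $span   = ($hits[-1].Time - $hits[0].Time).TotalMinutes
        $users  = @($hits | ForEach-Object { $_.User } | Sort-Object -Unique).Count
        if ($hits.Count -ge $Threshold -and $span -le $WindowMinutes) {
            New-Object PSObject -Property @{
                Source = $source; Failures = $hits.Count; DistinctUsers = $users
                Minutes = [math]::Round($span, 1)
                Pattern = $(if ($users -gt 1) { 'password spray' } else { 'brute force' })
            }
        }
    }
}

# Real log: $events = Get-EventLog -LogName Security -EntryType FailureAudit -After (Get-Date).AddHours(-1)
# Constructed sample: 6 failures on one account from 10.0.0.77 in 2.5 minutes, a spray of 5
# accounts from 10.0.0.90 in 40 seconds, and 2 harmless typos plus a success from 10.0.0.12.
$t0 = Get-Date '2019-07-27 08:00:00'
function New-Entry([int]$Id, [datetime]$Time, [string]$User, [string]$Src) {
    New-Object PSObject -Property @{ EventID = $Id; TimeGenerated = $Time
        Message = "Logon Failure:`r`n`tReason: Unknown user name or bad password`r`n`tUser Name: $User`r`n`tLogon Type: 3`r`n`tSource Network Address: $Src" }
}
$events = @()
foreach ($n in 0..5) { $events += New-Entry 529 $t0.AddSeconds(30 * $n) 'administrator' '10.0.0.77' }
$n = 0
foreach ($u in 'jdoe', 'asmith', 'bwong', 'svc-backup', 'helpdesk') { $events += New-Entry 529 $t0.AddSeconds(10 * $n) $u '10.0.0.90'; $n++ }
$events += New-Entry 529 $t0 'jdoe' '10.0.0.12'
$events += New-Entry 529 $t0.AddMinutes(1) 'jdoe' '10.0.0.12'
$events += New-Entry 528 $t0 'jdoe' '10.0.0.12'        # 528 = successful logon; must be ignored

Find-LogonAttacks $events | Format-Table Source, Pattern, Failures, Distin*, Minutes -AutoSize
# expected: 10.0.0.77 brute force, 6 failures, 1 user, 2.5 min; 10.0.0.90 password spray, 5 failures, 5 users, 0.7 min
```

Source Network Address is only populated for network logons (type 3); for console or RDP-related failures the Workstation Name field is the better key. Nothing here fires unless the "Audit logon events" and "Audit account logon events" policies are set to record failures, so verify those first.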

Windows Time and Windows Server 2003

The Windows Time service (W32Time) keeps the clock synchronized with a time source. Which source a system uses depends on whether it is part of a workgroup or a domain.

Here's a basic overview of how Windows Time works in workgroups:

Systems are configured to synchronize with an Internet time server automatically. This time server is referred to as the authoritative time server. The default time server is time.windows.com. You can select another server, such as time.nist.gov, on the Internet Time tab of the Date and Time control panel, or with w32tm /config /manualpeerlist:time.nist.gov /syncfromflags:manual /update.

The Windows Time service uses the Simple Network Time Protocol (SNTP) to poll the authoritative time server periodically. For stand-alone systems the interval is set by SpecialPollInterval (604800 seconds, once a week, by default); when the service runs in NTP mode, the registry values MinPollInterval and MaxPollInterval under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config control the exact rates.

If there is a difference between the time server and the system, the Windows Time service corrects the clock gradually rather than stepping it. The registry values UpdateInterval and FrequencyCorrectRate under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config control the exact correction rate, and MaxPosPhaseCorrection and MaxNegPhaseCorrection in the same key cap how large a correction the service will accept at all, which limits the damage a wrong or hostile time source can do.

Note

SNTP uses User Datagram Protocol (UDP) port 123. If this port isn't open to the Internet, you can't synchronize the system with an Internet time server.

In domains, the time hierarchy follows the domain structure: each member computer synchronizes with a domain controller in its domain, each domain controller synchronizes with the PDC Emulator of its domain, and the PDC Emulators of child domains synchronize with the PDC Emulator of the forest root domain. Should the domain controller a member uses be unavailable, it picks another one. Only the forest root PDC Emulator needs to be pointed at an external source (w32tm /config /manualpeerlist:<server> /syncfromflags:manual /reliable:yes /update); every other system should be left on the domain hierarchy (/syncfromflags:domhier). Getting this wrong has security consequences: Kerberos rejects tickets from clocks more than five minutes out of step (the default maximum tolerance), so a drifting clock locks users out. If you want to manage Windows Time in a domain centrally, the two key Group Policy settings, under Computer Configuration, Administrative Templates, System, Windows Time Service, Time Providers, are:

Windows NTP Client

Enables the NTP client and lets you set the designated time servers, the sync type, and the polling interval for every computer the policy applies to. This is far more configurable than the Internet Time tab: you have precise control through Group Policy of every feature of the time service.

Windows NTP Server

Enables the NTP server, so that the computer answers time requests. Windows NTP clients, which can be Windows XP or Windows Server 2003 systems, can then synchronize time with this computer. As with the NTP client, you have precise control through Group Policy of every feature of the time service.
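The SNTP exchange the Windows Time service performs, done by hand as an added example that is not from the original document: it checks that UDP 123 is reachable and measures the offset between the server's clock and the local one, which is the number that matters for the five-minute Kerberos tolerance. The constructed reply shows the parsing without needing the network; Get-SntpTime does the live query. The server name is the default from the text.

```powershell
# Added example: manual SNTP query (RFC 4330) and clock-offset check.
# The sample reply is CONSTRUCTED to show parsing; Get-SntpTime talks to a real server.

function ConvertFrom-NtpTimestamp {
    param([byte[]]$Packet, [int]$Offset)
    # 64-bit NTP timestamp: 32-bit seconds since 1900-01-01 UTC, then 32-bit fraction, big-endian
    $secs = 0L; $frac = 0L
    for ($k = 0; $k -lt 4; $k++) { $secs = $secs * 256 + $Packet[$Offset + $k] }
    for ($k = 4; $k -lt 8; $k++) { $frac = $frac * 256 + $Packet[$Offset + $k] }
    $epoch = New-Object DateTime 1900, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $epoch.AddSeconds($secs + $frac / 4294967296.0)
}

function Read-SntpReply {
    param([byte[]]$Reply)
    if ($Reply.Length -lt 48)       { throw "reply too short ($($Reply.Length) bytes)" }
    if (($Reply[0] -band 7) -ne 4)  { throw "not a server reply (mode $($Reply[0] -band 7))" }
    if ($Reply[1] -eq 0)            { throw "kiss-o'-death: the server refuses to serve us" }   # stratum 0
    New-Object PSObject -Property @{
        Stratum  = [int]$Reply[1]
        Transmit = ConvertFrom-NtpTimestamp $Reply 40          # server clock when it answered
    }
}

function Get-SntpTime {
    param([string]$Server = 'time.windows.com', [int]$TimeoutMs = 3000)
    $req = New-Object byte[] 48
    $req[0] = 0x1B                                              # LI=0, VN=3, Mode=3 (client)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs                     # a firewall drops UDP silently; do not hang
    try {
        $udp.Connect($Server, 123)
        [void]$udp.Send($req, $req.Length)
        $remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $reply  = $udp.Receive([ref]$remote)
    } finally { $udp.Close() }
    $r = Read-SntpReply $reply
    $offset = $r.Transmit - [DateTime]::UtcNow                  # positive = local clock is behind
    New-Object PSObject -Property @{
        Server = $Server; Stratum = $r.Stratum; ServerTime = $r.Transmit
        OffsetSeconds = [math]::Round($offset.TotalSeconds, 3)
        KerberosSafe  = ([math]::Abs($offset.TotalSeconds) -lt 300)   # 5-minute default tolerance
    }
}

# Parsing check on a constructed reply: mode 4, stratum 2, transmit timestamp 0xE86C3200.00000000
$sample = New-Object byte[] 48
$sample[0] = 0x24; $sample[1] = 2
[Array]::Copy([byte[]](0xE8, 0x6C, 0x32, 0x00), 0, $sample, 40, 4)
(Read-SntpReply $sample).Transmit                                 # 2023-07-27 00:00:00 UTC

# Live query (needs UDP 123 outbound): Get-SntpTime 'time.windows.com'
```

The built-in equivalents are w32tm /stripchart /computer:time.windows.com /samples:3 for the offset and w32tm /query /status for what the service itself is using; the hand-rolled version is useful when you need to prove from a client that the firewall, not the service, is the problem.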

    Active Directory Command-Line Tools

    Several tools are provided to let you manage Active Directory from the command line. You can use:

    DSADD

    Adds computers, contacts, groups, organizational units, and users to Active Directory. Typedsadd objectname /? at the command line to display help information on using the command,

    such as dsadd computer /?.

    DSGET

    Displays properties of computers, contacts, groups, organizational units, users, sites, subnets, andservers registered in Active Directory. Type dsget objectname /? at the command line to display

    help information on using the command, such as dsget subnet /?.

    DSMOD

    Modifies properties of computers, contacts, groups, organizational units, users, and servers that

    already exist in Active Directory. Type dsmod objectname /? at the command line to display help

    information on using the command, such as dsmod server /?.

    DSMOVE

    Moves a single object to a new location within a single domain or renames the object without

    moving it. Type dsmove /? at the command line to display help information on using the

    command.

    DSQUERY

    Finds computers, contacts, groups, organizational units, users, sites, subnets, and servers in

    Active Directory using search criteria. Type dsquery /? at the command line to display helpinformation on using the command.

    DSRM

    Removes objects from Active Directory. Type dsrm /? at the command line to display helpinformation on using the command.


    NTDSUTIL

    To view site, domain, and server information, manage operations masters, and perform database

    maintenance of Active Directory. Type ntdsutil /? at the command line to display helpinformation on using the command.
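One job these tools were built for is an account hygiene sweep, so here is an added example (not from the original document) that chains dsquery, dsget and dsmod from PowerShell to disable user accounts that have not logged on for eight weeks. The OU distinguished name and the threshold are assumptions; -DryRun only reports. Accounts are disabled rather than removed with dsrm, so the SID, group memberships and audit trail survive for investigation.

```powershell
# Added example: stale-account sweep with the ds* command-line tools.
# The search base and the eight-week threshold are assumptions for your domain.

function Invoke-StaleUserSweep {
    param(
        [string]$SearchBase = 'OU=Staff,DC=corp,DC=example,DC=com',
        [int]$InactiveWeeks = 8,
        [switch]$DryRun
    )
    # dsquery -inactive N: no logon for N weeks (uses lastLogonTimestamp, which needs the
    # Windows Server 2003 domain functional level). -limit 0 removes the default 100-result cap.
    $dns = @(& dsquery user $SearchBase -inactive $InactiveWeeks -limit 0 2>$null)
    if ($LASTEXITCODE -ne 0) { throw "dsquery failed (is $SearchBase a valid DN?)" }

    foreach ($dn in $dns) {
        $dn = $dn.Trim().Trim('"')                               # dsquery quotes each DN
        # dsget -l prints one "name: value" line per requested attribute
        $info = @{}
        & dsget user "$dn" -samid -disabled -l | ForEach-Object {
            if ($_ -match '^\s*(\w+):\s*(.*)$') { $info[$matches[1]] = $matches[2].Trim() }
        }
        if ($info['disabled'] -eq 'yes') { continue }            # already handled
        if ($DryRun) { "would disable $($info['samid'])  $dn"; continue }
        $note = "Disabled $(Get-Date -Format yyyy-MM-dd): no logon for $InactiveWeeks weeks"
        & dsmod user "$dn" -disabled yes -desc "$note" -q
        if ($LASTEXITCODE -eq 0) { "disabled $($info['samid'])" } else { "FAILED $dn" }
    }
}

Invoke-StaleUserSweep -DryRun
# The same sweep as the one-liner the ds* tools were designed for (no dry run, no description):
#   dsquery user "OU=Staff,DC=corp,DC=example,DC=com" -inactive 8 -limit 0 | dsmod user -disabled yes
```

Run it with -DryRun first and read the list: service accounts that authenticate with a cached ticket and never update lastLogonTimestamp will show up as inactive, and disabling them is how backup jobs stop running on a Friday night.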

    Active Directory Support Tools

    Many Active Directory tools are provided in the support toolkit. A list of some of the most useful support

    tools you can use to configure, manage, and troubleshoot Active Directory is shown in Table 7-1.

Table 7-1. Quick Reference for Active Directory Support Tools (executable, tool name, description)

Ldp.exe - Active Directory Administration Tool - Performs Lightweight Directory Access Protocol (LDAP) operations on Active Directory

Replmon.exe - Active Directory Replication Monitor - Manages and monitors replication using a graphical user interface (GUI)

Dsacls.exe - Directory Services Access Control Lists Utility - Manages access control lists for objects in Active Directory

Dfsutil.exe - Distributed File System Utility - Manages the Distributed File System (DFS) and displays DFS information

Dnscmd.exe - DNS Server Troubleshooting Tool - Manages properties of Domain Name System (DNS) servers, zones, and resource records

Movetree.exe - Move Tree - Moves objects from one domain to another

Repadmin.exe - Replication Diagnostics Tool - Manages and monitors replication using the command line

Sdcheck.exe - Security Descriptor Check Utility - Checks access control list propagation, replication, and inheritance

Sidwalker.exe - Security ID Checker - Sets access control lists on objects previously owned by moved, deleted, or orphaned accounts

Netdom.exe - Windows Domain Manager - Allows domain and trust relationship management from the command line

Table 12-2. Windows Server 2003 Support for RAID

RAID 0, disk striping: Two or more volumes, each on a separate drive, are configured as a striped set. Data is broken into blocks, called stripes, and then written sequentially to all drives in the striped set. Major advantage: speed/performance. No redundancy: one failed drive loses the whole set.

RAID 1, disk mirroring: Two volumes on two drives are configured identically and data is written to both drives. If one drive fails, there's no data loss because the other drive contains the data. (Doesn't include disk striping.) Major advantages: redundancy; better write performance than disk striping with parity.

RAID 5, disk striping with parity: Three or more volumes, each on a separate drive, form a striped set with parity error checking. If one drive fails, the data can be recovered from the parity. Major advantages: fault tolerance with less overhead than mirroring; better read performance than disk mirroring.

    Understanding Scopes

    Scopes are pools of IP addresses that you can assign to clients through leases and reservations. A

    reservation differs from a lease in that an IP address is assigned to a particular computer until you


    remove the reservation. This allows you to set semipermanent addresses for a limited number of DHCP

    clients.

You'll create scopes to specify IP address ranges that are available for DHCP clients. For example, you could assign the IP address range 192.168.12.2 to 192.168.12.250 to a scope called Enterprise Primary. Scopes can use public or private IP addresses, from the following ranges:

PUBLIC IP NETWORK NUMBERS

Class A: networks 1-126, addresses 1.0.0.0 to 126.255.255.255

Class B: networks 128-191, addresses 128.0.0.0 to 191.255.255.255

Class C: networks 192-223, addresses 192.0.0.0 to 223.255.255.255

Class D: networks 224-239, addresses 224.0.0.0 to 239.255.255.255 (multicast)

The 127.0.0.0/8 range (127.0.0.1 in particular) is reserved for local loopback.

PRIVATE IP NETWORK NUMBERS (RFC 1918; not routed on the Internet)

Class A: 10.0.0.0 to 10.255.255.255

Class B: 172.16.0.0 to 172.31.255.255

Class C: 192.168.0.0 to 192.168.255.255

    A single DHCP server can manage multiple scopes. Three types of scopes are available:

    Normal scopes


    Used to assign IP address pools for class A, B, and C networks.

    Multicast scopes

    Used to assign IP address pools for class D networks. Computers use multicast IP addresses as

    secondary IP addresses in addition to a standard IP address assigned from a class A, B, or Cnetwork.

    Superscopes

    These are containers for other scopes and are used to simplify management of multiple scopes.

    Tip

    Although you can create scopes on multiple network segments, you'll usually want these segments to be

    in the same network class, such as all class C IP addresses. Don't forget that you must configure DHCP

    relays to relay DHCP broadcast requests between network segments. You can configure relay agents withthe Routing and Remote Access Service (RRAS) and the DHCP Relay Agent Service. You can also

    configure some routers as relay agents
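Building the "Enterprise Primary" scope from the text with netsh, as an added example that is not from the original document. Before issuing any command it checks that every address fits the subnet and that the pool is a private range, which catches the two most common scope typos. The server name, router, DNS server, reservation, and the MAC address format accepted by netsh are assumptions; -DryRun prints the commands instead of running them.

```powershell
# Added example: create a DHCP scope with netsh after validating the addresses.
# Server, router, DNS and reservation values are assumptions; adjust for your network.

function Get-IpBytes([string]$Ip) { [System.Net.IPAddress]::Parse($Ip).GetAddressBytes() }

function Test-InSubnet([string]$Ip, [string]$Network, [string]$Mask) {
    $i = Get-IpBytes $Ip; $n = Get-IpBytes $Network; $m = Get-IpBytes $Mask
    for ($k = 0; $k -lt 4; $k++) { if (($i[$k] -band $m[$k]) -ne ($n[$k] -band $m[$k])) { return $false } }
    $true
}

# RFC 1918 ranges from the table above; a pool handing out public space is almost always a typo.
function Test-PrivateIp([string]$Ip) {
    (Test-InSubnet $Ip '10.0.0.0' '255.0.0.0') -or (Test-InSubnet $Ip '172.16.0.0' '255.240.0.0') -or (Test-InSubnet $Ip '192.168.0.0' '255.255.0.0')
}

function New-DhcpScope {
    param(
        [string]$Server = 'dhcp01', [string]$Network = '192.168.12.0', [string]$Mask = '255.255.255.0',
        [string]$Name = 'Enterprise Primary', [string]$RangeStart = '192.168.12.2', [string]$RangeEnd = '192.168.12.250',
        [string]$Router = '192.168.12.1', [string]$Dns = '192.168.12.10',
        [hashtable]$Reservations = @{ '192.168.12.20' = '00-50-56-aa-bb-cc' },   # ip -> MAC, e.g. a printer
        [int]$LeaseSeconds = 691200,                                           # 8 days, the default
        [switch]$DryRun
    )
    foreach ($ip in @($RangeStart, $RangeEnd, $Router, $Dns) + @($Reservations.Keys)) {
        if (-not (Test-InSubnet $ip $Network $Mask)) { throw "$ip is outside $Network/$Mask" }
    }
    if (-not (Test-PrivateIp $RangeStart)) { Write-Warning "$RangeStart is a public address; is that intended?" }

    $cmds = @(
        "add scope $Network $Mask `"$Name`"",
        "scope $Network add iprange $RangeStart $RangeEnd",
        "scope $Network set optionvalue 003 IPADDRESS $Router",     # default gateway
        "scope $Network set optionvalue 006 IPADDRESS $Dns",        # DNS server
        "scope $Network set optionvalue 051 DWORD $LeaseSeconds"    # lease time
    )
    foreach ($ip in $Reservations.Keys) {
        # MAC written as 12 hex digits without separators (assumed netsh format; check dnscmd-style help with "add reservedip ?")
        $cmds += "scope $Network add reservedip $ip $($Reservations[$ip] -replace '[-:]', '') `"$ip`""
    }
    $cmds += "scope $Network set state 1"                            # activate last, once the pool is complete
    foreach ($c in $cmds) {
        $line = "netsh dhcp server \\$Server $c"
        if ($DryRun) { $line } else { Invoke-Expression $line; if ($LASTEXITCODE -ne 0) { throw "failed: $line" } }
    }
}

New-DhcpScope -DryRun
```

Activating the scope last matters: a scope that goes active with an empty pool or without option 3 hands clients addresses they cannot route with. The same commands, with /\\server omitted, work locally on the DHCP server itself.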

    Changing the Log Usage

    DHCP Server has a self-monitoring system that checks disk space usage. By default, the maximum size

    of all DHCP server logs is 70 MB, with each individual log being limited to one-seventh of this space. If

    the server reaches the 70 MB limit or an individual log grows beyond the allocated space, logging ofDHCP activity stops until log files are cleared out or space is otherwise made available. Normally, this

    happens when a new day is reached and the server clears out the previous week's log file.

Registry values that control the log usage and other DHCP settings are under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters (for example DhcpLogFilesMaxSize for the 70 MB limit).

    Installing DNS Servers

    You can configure any Windows Server 2003 system as a DNS server. Four types of DNS servers are

    available:

Active Directory-integrated primary server

A DNS server that's fully integrated with Active Directory. All DNS data is stored directly in Active Directory and replicated with it, which also makes secure (authenticated) dynamic updates available.

    Primary server

    The main DNS server for a domain that uses partial integration with Active Directory. This server

    stores a master copy of DNS records and the domain's configuration files. These files are stored

    as text with the .dns extension.


    Secondary server

    A DNS server that provides backup services for the domain. This server stores a copy of DNS

    records obtained from a primary server and relies on zone transfers for updates. Secondaryservers obtain their DNS information from a primary server when they're started, and they

    maintain this information until the information is refreshed or expired.

Forwarding-only server

A server that caches DNS information after lookups and always passes requests on to other servers (it is also called a caching-only server). These servers keep DNS information until it's refreshed or expired or until the server is restarted. Unlike secondary servers, forwarding-only servers don't request full copies of a zone's database files, so when you start a forwarding-only server its cache contains no information.

    Before you configure a DNS server, you must install the DNS Server service. Afterward, you can

    configure the server to provide integrated, primary, secondary, or forwarding-only DNS services.
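An Active Directory-integrated zone is only as safe as its update and transfer settings, so here is an added example (not from the original document) that configures one the hardened way with dnscmd from the Support Tools, with the permissive settings it replaces shown for comparison. The zone name and the secondary addresses are assumptions; -DryRun prints the commands instead of running them.

```powershell
# Added example: AD-integrated zone with secure-only updates and restricted transfers.
# Zone, server and secondary addresses are assumptions.

function Set-HardenedAdZone {
    param(
        [string]$Zone = 'corp.example.com',
        [string]$Server = '',                          # empty = the local DNS server
        [string[]]$Secondaries = @(),                  # non-AD secondaries that legitimately need AXFR
        [switch]$DryRun
    )
    # Weak settings a quick setup often leaves behind (shown for comparison, NOT executed):
    #   /Config <zone> /AllowUpdate 1            any host can overwrite any record, no authentication
    #   /ZoneResetSecondaries <zone> /NonSecure  anyone can AXFR the whole zone: a free network map
    $steps = @("/ZoneAdd $Zone /DsPrimary",           # stored in AD and replicated with it; no text file to steal
               "/Config $Zone /AllowUpdate 2")        # 2 = secure dynamic updates only (authenticated, ACL-checked)
    if ($Secondaries.Count -eq 0) {
        $steps += "/ZoneResetSecondaries $Zone /NoXfr"                      # no zone transfers at all
    } else {
        $list = $Secondaries -join ' '
        $steps += "/ZoneResetSecondaries $Zone /SecureList $list /NotifyList $list"   # only these hosts
    }
    $prefix = $(if ($Server) { "dnscmd $Server " } else { 'dnscmd ' })
    foreach ($s in $steps) {
        $line = $prefix + $s
        if ($DryRun) { $line } else { Invoke-Expression $line; if ($LASTEXITCODE -ne 0) { throw "failed: $line" } }
    }
    "verify with: $prefix/ZoneInfo $Zone"
}

Set-HardenedAdZone -DryRun
Set-HardenedAdZone -Zone 'corp.example.com' -Secondaries '10.0.0.53' -DryRun
```

With /AllowUpdate 2, a record can only be changed by the security principal that created it (or whoever the record's ACL allows), which is what stops one workstation from re-pointing another host's name. With /NoXfr an attacker on the LAN still gets answers to individual queries but can no longer pull the entire zone in one request.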

    Active directory does not support deletion of schema objects; however, objects can be marked as

    deactivated providing many of the benefits of deletion

Hardware RAID Versus Software RAID

Hardware RAID is implemented by a RAID disk controller, and RAID controllers are expensive. Software RAID (Windows dynamic disks) is implemented at the disk partition level rather than at the physical disk level as in hardware RAID.

The drawback of software RAID is that the server's processor has to perform the work that the controller does in hardware RAID.

Software-based RAID does have one advantage over hardware-based RAID: the RAID set can be built from disk partitions rather than entire disk drives.

RAID 1 Configuration

RAID 1 has two different implementations: disk mirroring and disk duplexing. In disk mirroring, everything written to one disk is also written to a second disk on the same controller.

Disk duplexing puts the second disk on a second controller, which eliminates the single point of failure (the controller) that remains in disk mirroring.

    Level 10


    RAID level 10 is known as mirroring with striping. This level uses a striped array of disks, which are

    then mirrored to another identical set of striped disks. RAID level 10 provides the performance benefits

    of disk striping (level 0) with the disk redundancy of mirroring (level 1). RAID 10 provides the highestread/write performance of any of the Hybrid RAID levels, but uses twice as many disks.

    What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?

    SMTP--25, POP3--110, IMAP4-143, RPC-135, LDAP - 389, Global Catalog 3268

    List of important port numbers

    15 - Netstat

    21 - FTP

    23 - Telnet

    25 - SMTP

    37 - Time

    42 - WINS

    53 - DNS

    67 - Bootp

    68 - DHCP

    79 - FINGER

    80 - HTTP

    88 - Kerberos

    101 - HOSTNAME

    110 - POP3

    119 - NNTP

    123 - NTP (Network time protocol)

    139 - NetBIOS

    161 - SNMP

    180 - RIS

    220 - IMAP3

    389 - LDAP (Lightweight Directory Access Protocol)

    443 - HTTPS (HTTP over SSL/TLS)

    500 - Internet Key Exchange, IKE (IPSec) (UDP 500)

    520 - RIP

    3268 - AD Global Catalog

    3269 - AD Global Catalog over SSL

    3389 - Terminal services
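Lists like the one above usually arrive flattened (several entries run together on one line), and the practical use of the table is checking what a domain controller's firewall actually permits. The following is an added example, not code from the original page: it parses the "port - service" layout into a lookup table, then audits a constructed allow-list against the AD-facing ports from the table (DNS, Kerberos, RPC, LDAP, Global Catalog) and flags cleartext legacy services (Netstat, FTP, Telnet, Finger). The sample text, the allow-list and the two port groupings are assumptions made for the example.

```python
import re

# Constructed sample in the same "port - service" layout as the list above,
# including lines that the PDF extraction ran together. Not from the original page.
SAMPLE_PORT_LIST = """15 - Netstat
21 - FTP
23 - Telnet25 - SMTP
53 - DNS67 - Bootp
80 - HTTP88 - Kerberos
135 - RPC
389 - LDAP (Lightweight Directory Access Protocol)
443 - HTTPS (HTTP over SSL/TLS)520 - RIP
79 - FINGER
3268 - AD Global Catalog3269 - AD Global Catalog over SSL
500 - Internet Key Exchange, IKE (IPSec) (UDP 500)"""

# One entry: a port, a dash, then a name that runs until the next "<port> - " or end of line.
ENTRY = re.compile(r"(\d{1,5})\s*-\s*(.+?)(?=\d{1,5}\s*-\s|$)")


def parse_port_list(text: str) -> dict[int, str]:
    """Turn the flattened list into {port: service}, splitting run-together entries."""
    table: dict[int, str] = {}
    for line in text.splitlines():
        for port, name in ENTRY.findall(line):
            table[int(port)] = name.strip()
    return table


# Ports a domain controller must expose to clients, taken from the table above
# (DNS, Kerberos, RPC endpoint mapper, LDAP, Global Catalog plain and over SSL).
# Grouping is an assumption for this example.
REQUIRED_FOR_DC = {53, 88, 135, 389, 3268, 3269}

# Cleartext or legacy services from the table that should not be reachable on a DC.
LEGACY_CLEARTEXT = {15, 21, 23, 79}


def audit_allow_list(allowed_ports, table: dict[int, str]) -> dict[str, list[int]]:
    """Compare a firewall allow-list (constructed input) against the parsed table."""
    allowed = set(allowed_ports)
    return {
        "missing_required": sorted(REQUIRED_FOR_DC - allowed),
        "legacy_exposed": sorted(allowed & LEGACY_CLEARTEXT),
        "unknown": sorted(p for p in allowed if p not in table),
    }


if __name__ == "__main__":
    table = parse_port_list(SAMPLE_PORT_LIST)
    for port in sorted(table):
        print(f"{port:>5}  {table[port]}")
    # Constructed allow-list for a DC host: Telnet left open, LDAP forgotten, one unknown port.
    print(audit_allow_list([53, 88, 135, 23, 3268, 3269, 9999], table))
```

The lookahead in `ENTRY` is what recovers "23 - Telnet25 - SMTP" as two entries: a service name ends wherever the next "digits - " begins. The audit reports three things an administrator cares about separately: required AD ports that are blocked (logon failures), legacy cleartext ports that are open (exposure), and ports the table does not explain (needs investigation).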

    What is the difference between a scope and a superscope?

    A scope in DHCP is where you specify a range of IP addresses that will be leased to the DHCP clients.

    A superscope is the combination of multiple scopes.


    1. The default lease length on the DHCP server is 8 days.

    DHCP.mdb is the DHCP database file that records the assigned IP addresses.

    In Windows NT the SAM database is limited in size to approximately 40 MB (about 40,000 objects).

    Windows NT uses a flat namespace, meaning that the name of the domain does not reflect a hierarchical naming structure. Windows NT uses WINS for its name resolution; Active Directory uses DNS for its name resolution.

    A relative distinguished name (RDN) is the name that is assigned to the object by the administrator when the object is created. For example, when I create a user named ALANC, the RDN is ALANC. The RDN is the simplest of the three Active Directory name types and is sometimes called the common name of the object.

    A distinguished name (DN) consists of an object's RDN plus the object's location in Active Directory. The DN supplies the complete path to the object: an object's DN includes its RDN, the name of the organizational unit that contains the object (if any), and the FQDN of the domain. For example, suppose that I create a user named ALANC in an organizational unit called US in a domain named exportsinc.com; the DN of this user would be: [email protected]

    A distinguished name is a name that uniquely identifies an object by using the relative distinguished name of the object plus the names of the container objects and domains that contain the object. The distinguished name identifies the object as well as its location in a tree. Every object in Active Directory has a distinguished name. A typical distinguished name might be

    CN=MyName,CN=Users,DC=Microsoft,DC=Com

    This identifies the MyName user object in the microsoft.com domain.

    A user principal name (UPN) is a shortened version of the DN that is typically used for logon and e-mail purposes. A UPN consists of the RDN plus the FQDN of the domain. Using my previous example, the UPN for the user named alanc would be: [email protected]
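The three name types above are all derived from the same string, so the relationship is easiest to see in code. The following is an added example, not code from the original page: it splits a DN into its RDN components (handling the backslash escapes that let a comma appear inside a value, which is where naive `split(",")` code breaks), and derives the RDN, the container path, the domain FQDN and the RDN@FQDN form of the UPN described in the text. The DN values used are the page's two examples plus constructed ones with escaped commas.

```python
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a distinguished name into (attribute, value) RDN pairs, leftmost first.

    Honours the two backslash escape forms used in DNs: a backslash before a
    comma keeps a literal comma inside a value, and a backslash followed by a
    hex pair (e.g. 2C) stands for that byte.
    """
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if HEX_PAIR.fullmatch(pair):
                buf.append(chr(int(pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":  # unescaped comma: end of this RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def rdn(dn: str) -> str:
    """The object's own name: the value of the leftmost RDN."""
    return split_dn(dn)[0][1]


def container_path(dn: str) -> list[str]:
    """Containers and OUs between the object and the domain, nearest first."""
    return [value for attr, value in split_dn(dn)[1:] if attr != "DC"]


def domain_fqdn(dn: str) -> str:
    """Join the DC= components into the domain's DNS name."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "DC").lower()


def upn(dn: str) -> str:
    """RDN + '@' + domain FQDN, the UPN form described in the text.

    In a real directory the stored userPrincipalName attribute is set separately
    and may use a different logon name or suffix; this derives the textbook form.
    """
    return f"{rdn(dn)}@{domain_fqdn(dn)}"


if __name__ == "__main__":
    for dn in (
        "CN=MyName,CN=Users,DC=Microsoft,DC=Com",        # example from the text
        "CN=ALANC,OU=US,DC=exportsinc,DC=com",           # example from the text
        r"CN=Doe\, Jane,OU=US,DC=exportsinc,DC=com",     # constructed: escaped comma
    ):
        print(dn)
        print("  RDN:       ", rdn(dn))
        print("  containers:", container_path(dn))
        print("  domain:    ", domain_fqdn(dn))
        print("  UPN:       ", upn(dn))
```

The escape handling matters for security code that compares or filters on DNs: a display name containing a comma is stored as `Doe\, Jane`, so a splitter that ignores escapes would treat `Jane` as a separate container and mis-derive both the RDN and the container path.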

    What is a zone?

    Zones are delegated portions of the DNS namespace.

    A zone is a collection of hierarchical domain names.

    A zone is essentially a collection of resource records.


    A zone is a contiguous portion of the domain namespace for which a DNS server has authority to resolve DNS queries.

    Global Catalog

    A global catalog is used primarily for four main functions:

    Enables users to find Active Directory information from anywhere in the forest.

    Provides universal group membership information to facilitate logging on to the network.

    Supplies authentication services when a user from another domain logs on using a user principal name (UPN). (A UPN is a representation of a user's logon credentials in the form [email protected]; when a UPN is used, a domain name does not need to be explicitly specified in the "Log on to" drop-down box.)

    Responds to directory lookup requests from Exchange 2000 and other applications.

    The first domain controller in Active Directory automatically becomes a global catalog server. To provide redundancy, additional domain controllers can easily be configured to also be global catalog servers.

    Multiple global catalogs can improve user query and logon authentication performance, especially in Active Directory environments that include geographically distant sites connected by WAN links. Microsoft recommends that each Active Directory site be configured with at least one domain controller acting as a global catalog server.

    What is the difference between LDAPv2 and LDAPv3?

    LDAPv3 was developed in the late 1990s to replace LDAPv2. LDAPv3 adds the following features to LDAP:

    o Strong authentication via SASL

    o Integrity and confidentiality protection via TLS (SSL)

    o Internationalization through the use of Unicode

    o Referrals and continuations

    o Schema discovery

    o Extensibility (controls, extended operations, and more)

    LDAPv2 is considered historical. As deploying both LDAPv2 and LDAPv3 simultaneously can be quite problematic, LDAPv2 should be avoided. LDAPv2 is disabled by default.

    Types of Server Clusters

    There are three types of server clusters, based on how the cluster systems, called nodes, are connected to the devices that store the cluster configuration and state


    data. This data must be stored in a way that allows each active node to obtain the data even if one or more nodes are down. The data is stored on a resource called the quorum resource. The data on the quorum resource includes a set of cluster configuration information plus records (sometimes called checkpoints) of the most recent changes made to that configuration. A node coming online after an outage can use the quorum resource as the definitive source for recent changes in the configuration.

    The sections that follow describe the three different types of server clusters:

    Single quorum device cluster, also called a standard quorum cluster

    Majority node set cluster

    Local quorum cluster, also called a single node cluster

    The event ID for a sudden restart or shutdown on Windows 2003 is 6008.

    Types of system memory dumps:

    Small Dump: Also known as a minidump (64 KB), containing minimal debugging information (stop code, parameters, stack, drivers).

    Kernel Dump: Medium-size dump containing kernel data structures, drivers, and current process and thread information. Very useful.

    Complete Dump: Large memory dump containing the complete contents of memory. Can take considerable time to dump memory.

    1. How do you delete a lingering object? Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in Active Directory.

    Share permissions

    Share permissions are Full Control, Read, and Change. Allowed permissions accumulate, so the least restrictive permission is the user's effective permission. A denied permission always overrides an allowed permission. When both NTFS and share permissions are applied to a folder, the more restrictive of the two is applied when we access the folder over the network.
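The three rules above (allows accumulate, deny wins, network access takes the more restrictive of share and NTFS) can be worked through with a small model. The following is an added example, not code from the original page or any Microsoft tool: rights are modelled as sets so the rules become union, difference and intersection, and it evaluates two constructed users against constructed share and NTFS ACLs. The ACL entries, group names and the simplification that Change and Modify grant the same rights are assumptions made for the example.

```python
# Rights are modelled as sets so that "least restrictive" (union of allows) and
# "most restrictive" (intersection of share and NTFS) fall out of set algebra.
READ = frozenset({"read"})
CHANGE = frozenset({"read", "write"})          # share "Change" / NTFS "Modify" (simplified)
FULL = frozenset({"read", "write", "full"})    # Full Control also changes permissions/ownership
LEVELS = {"Read": READ, "Change": CHANGE, "Modify": CHANGE, "Full Control": FULL}


def effective(aces, principals):
    """Effective rights for a user whose account and groups are `principals`.

    aces: list of (principal, "Allow" | "Deny", level). Allow entries accumulate,
    so the least restrictive one wins; any matching Deny removes its rights
    regardless of what was allowed elsewhere.
    """
    allowed, denied = set(), set()
    for who, kind, level in aces:
        if who not in principals:
            continue
        target = allowed if kind == "Allow" else denied
        target.update(LEVELS[level])
    return frozenset(allowed - denied)


def effective_over_network(share_aces, ntfs_aces, principals):
    """Access through the share: the more restrictive of share and NTFS rights.
    Locally (console, RDP) only the NTFS result applies."""
    return effective(share_aces, principals) & effective(ntfs_aces, principals)


def label(rights):
    """Map a rights set back to the permission name an administrator would recognise."""
    if rights >= FULL:
        return "Full Control"
    if rights >= CHANGE:
        return "Change"
    if rights >= READ:
        return "Read"
    return "No access"


# Constructed ACLs for a folder shared as \\FS1\Finance (not from the page).
SHARE_ACES = [
    ("Everyone", "Allow", "Read"),
    ("Finance", "Allow", "Change"),
]
NTFS_ACES = [
    ("Finance", "Allow", "Full Control"),
    ("Contractors", "Deny", "Full Control"),
]

ALICE = {"alice", "Everyone", "Finance"}                 # permanent Finance staff
BOB = {"bob", "Everyone", "Finance", "Contractors"}      # Finance contractor

if __name__ == "__main__":
    for name, who in (("alice", ALICE), ("bob", BOB)):
        print(name,
              "share:", label(effective(SHARE_ACES, who)),
              "ntfs:", label(effective(NTFS_ACES, who)),
              "over network:", label(effective_over_network(SHARE_ACES, NTFS_ACES, who)))
```

Alice gets Change over the network even though NTFS grants her Full Control, because the share only allows Change: the more restrictive side wins. Bob is in the same Finance group but also in Contractors, and the single Deny on NTFS removes everything the Finance allow granted, so he has no access either locally or over the network.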

    37. What is the difference between seize and transfer?

    Soln: Seize:

    1. When we decommission the server.

    2. When we don't bring up the server on the network.


    Transfer: Transfer the roles using the GUI. Normal transfer.

    Active Directory

    Logical Structure (DOT): Domains, Organizational units, Trees, Forests

    Physical Structure (SD): Sites, Domain controllers