Active Directory Questions And Answers
> What is Active Directory?
Active Directory is metadata: a database that stores information such as user information, computer information and other network object information. It has the capability to manage and administer the complete network that connects to AD.
> What is Active Directory Domain Services?
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.
> What is a domain?
A domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The 'domain' is simply your computer address, not to be confused with a URL. A domain address might look something like 211.170.469.
> What is a domain controller?
A domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
> What is LDAP?
Lightweight Directory Access Protocol (LDAP) is the industry-standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.
> What is the KCC?
The KCC (Knowledge Consistency Checker) generates the replication topology by specifying which domain controllers will replicate to which other domain controllers in the site. The KCC maintains a list of connections, called a replication topology, to other domain controllers in the site. The KCC ensures that changes to any object are replicated to all domain controllers in the site and that updates go through no more than three connections. An administrator can also configure connection objects.
> Where is the AD database held? What other folders are related to AD?
By default the AD database is stored in c:\windows\ntds\NTDS.DIT. SYSVOL and NETLOGON are other folders related to AD DS.
> What is the SYSVOL folder?
System Volume (SYSVOL) is a shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain. The term SYSVOL refers to a set of files and folders that reside on the local hard disk of each domain controller in a domain and that are replicated by the File Replication Service (FRS). Network clients access the contents of the SYSVOL tree by using the NETLOGON and SYSVOL shared folders. SYSVOL uses junction points (a physical location on a hard disk that points to data located elsewhere on your disk or other storage device) to manage a single instance store.
> What is the NETLOGON folder in AD DS and what is it used for?
The NETLOGON share points to the %SystemRoot%\sysvol\sysvol\{DOMAIN}\scripts folder on the DC, and its main purpose is storing logon scripts.
By default %SystemRoot%\sysvol\sysvol\{DOMAIN}\scripts is empty. When we deploy a script via GPO, that is the default location for storing the script.
By default SYSVOL includes two folders; the Scripts folder is shared with the name NETLOGON:
1. Policies - (default location: %SystemRoot%\Sysvol\Sysvol\domain_name\Policies)
2. Scripts - (default location: %SystemRoot%\Sysvol\Sysvol\domain_name\Scripts)
> What are the differences between the Enterprise Admins and Domain Admins groups in AD?
Enterprise Admins: Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution.
Domain Admins: Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.
> Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship, each hosting a copy of the Active Directory.
> I am trying to create a new universal user group. Why can't I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
> What is LSDOU?
It is the Group Policy inheritance model, where policies are applied to Local machines, Sites, Domains and Organizational Units (in that order).
> Why doesn't LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
> What's the number of permitted unsuccessful logons on the Administrator account?
Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
> What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.
> How many passwords by default are remembered when you check "Enforce Password History Remembered"?
The user's last 6 passwords.
> Can the GC server and the Infrastructure Master be placed on a single server? If not, explain why.
As a general rule, the infrastructure master should be located on a non-global catalog domain controller that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.
But there are exceptions to this "general rule". Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:
Single domain forest: In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
Multidomain forest where every domain controller in a domain holds the global catalog: If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.
> What are intrasite and intersite replication?
Intrasite replication is replication within the same site; intersite replication is replication between sites.
> What is the Lost & Found folder in ADS?
It's the folder where you can find objects that were orphaned due to a replication conflict.
Example: you created a user in an OU that was deleted on another DC. When replication happened, ADS did not find the OU, so it put the user in the Lost & Found folder.
> What is garbage collection?
Garbage collection is a housekeeping process that is designed to free space within the Active Directory database. In Windows 2000 and in the original release version of Windows Server 2003, this process runs on every domain controller in the enterprise with a default lifetime interval of 12 hours. You can change this interval by modifying the garbageCollPeriod attribute in the enterprise-wide DS configuration object (NTDS).
> What does System State data contain?
It contains:
- Startup files
- Registry
- COM+ Registration Database
- Memory page file
- System files
- AD information
- Cluster Service information
- SYSVOL folder
> What is the recommended maximum number of domains in a forest?
For Windows 2000 Server, the recommended maximum number of domains in a forest is 800. For Windows Server 2003, the recommended maximum number of domains when the forest functional level is set to Windows Server 2003 (also known as forest functional level 2) is 1,200. This restriction is a limitation of multivalued, nonlinked attributes in Windows Server 2003.
> What is the recommended maximum number of domain controllers in a domain?
To ensure reliable recovery of SYSVOL, we recommend a limit of 1200 domain controllers per domain.
> Active Directory replication topology options
The Active Directory replication topologies typically utilized are:
Ring topology: With intrasite replication, the KCC creates a ring topology that defines the replication paths within a site. In a ring topology, each domain controller in a site has two inbound and outbound replication partners. The KCC creates the ring so that there are no more than three hops between domain controllers in a site.
Full mesh topology: This topology is typically utilized in small organizations where redundancy is extremely important and the number of sites is quite small. A full mesh topology is quite expensive to manage and is not scalable.
Hub and spoke topology: This topology is typically implemented in large organizations where scalability is important and redundancy is less important. In this topology, one or multiple hub sites exist that have slower WAN connections to multiple spoke sites. The hub sites are usually connected to each other through high-speed WAN connections.
Hybrid topology: The hybrid topology is a combination of any of the above topologies.
> What is an SPN?
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
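Because two accounts registering the same SPN breaks Kerberos for that service, an administrator will want to audit for duplicates. The following is an added example, not code from the original page; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT) and a domain-joined session with read access to the directory.

```powershell
# Added example, not part of the original page: enumerate every SPN registered
# in the domain and report SPNs that appear on more than one account.
# Assumes the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-RegisteredSpns {
    # servicePrincipalName is multivalued and may be set on user, computer
    # or managed service account objects, so query by attribute, not by class.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $owner = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ Spn = $spn; Owner = $owner }
            }
        }
}

function Find-DuplicateSpns {
    param([object[]]$Registrations = (Get-RegisteredSpns))
    # SPN matching is case-insensitive, so normalize before grouping.
    $Registrations |
        Group-Object -Property { $_.Spn.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Spn    = $_.Group[0].Spn
                Owners = ($_.Group | ForEach-Object { $_.Owner }) -join '; '
            }
        }
}

# Report: an empty result means every SPN is unique in this domain.
Find-DuplicateSpns | Format-Table -AutoSize
```

On Windows Server 2008 and later, setspn -X performs the same duplicate search from the command line.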
> What is AD Certificate Services?
Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.
> What is Active Directory Federation Services?
Active Directory Federation Services (AD FS) simplifies access to systems and applications using a claims-based access (CBA) authorization mechanism to maintain application security. AD FS supports Web single sign-on (SSO) technologies that help information technology (IT) organizations collaborate across organizational boundaries.
AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor to AD FS 1.0, which was first delivered in Windows Server 2003 R2, and AD FS 1.1, which was made available as a server role in Windows Server 2008 and Windows Server 2008 R2. Previous versions of AD FS are referred to collectively as AD FS 1.x.
> What is the Active Directory Management Gateway Service?
Windows Server 2008 R2 introduces a web service interface for application access to Active Directory (AD), and the Windows Server 2008 R2 AD PowerShell cmdlets use this service.
ADMGS provides this web service interface for Windows Server 2003 SP2 and Windows Server 2008 domain controllers (DCs). The service lets Server 2008 R2 AD PowerShell cmdlets and other applications work against the DCs with ADMGS installed.
> What is Offline Domain Join?
Windows Server 2008 R2 domain controllers include a new feature named Offline Domain Join. A new utility named Djoin.exe lets you join a computer to a domain without contacting a domain controller while completing the domain join operation, by obtaining a blob from a Windows Server 2008 R2 domain controller at an earlier point in time. The computer is domain-joined when it first starts, so no restart is needed as with a normal domain join.
> What is AD Administrative Center?
Active Directory Administrative Center provides network administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI). Administrators can use Active Directory Administrative Center to perform common Active Directory object management tasks (such as user, computer, group, and organizational unit management) through both data-driven and task-oriented navigation.
Administrators can use the enhanced Active Directory Administrative Center GUI to customize Active Directory Administrative Center to suit their particular directory service administration requirements.
> What is AD DS Best Practices Analyzer?
Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations.
You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.
> What is the recommended maximum number of users in a group?
For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction.
Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a technology called Linked Value Replication (LVR). To enable LVR, you must increase the forest functional level to at least Windows Server 2003 interim. Increasing the forest functional level changes the way that group membership (and other linked multivalued attributes) is stored in the database and replicated between domain controllers. This allows the number of group memberships to exceed the former recommended limit of 5,000 for Windows 2000 or Windows Server 2003 at a forest functional level of Windows 2000.
So far, testing in this area has yet to reveal any new recommended limits to the number of members in a group or any other linked multivalued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.
> What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference between 2000 Group Policies and 2003 Group Policies? What is meant by ADS and ADS services in Windows 2003?
Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain. Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy; you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference.
ADS stands for Automated Deployment Services, and is used to quickly roll out identically configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.
> I want to set up a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone 'name.org', can I name the AD domain 'name.org' too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself to install DNS on your server in the background.
> How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.
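The login-script approach described above, as an added example that is not part of the original page: it parses the output of net localgroup administrators, flags members outside an expected list, and writes one record per machine to a central share. The share path \\fileserver\AdminAudit$ and the allowed list are assumptions for illustration.

```powershell
# Added example, not part of the original page: collect local Administrators
# membership from each workstation into a central file for later review.
# Assumptions: \\fileserver\AdminAudit$ is a hypothetical share the logon
# script's user can write to; the script runs in that user's context.
$centralShare = '\\fileserver\AdminAudit$'   # hypothetical central location

function Get-LocalAdministrators {
    # Members appear in the "net localgroup administrators" output between the
    # dashed separator line and the trailing "The command completed" line.
    $lines = net localgroup administrators
    $inMembers = $false
    $members = @()
    foreach ($line in $lines) {
        if ($line -match '^-{5,}$') { $inMembers = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim() -ne '') { $members += $line.Trim() }
    }
    return $members
}

function Get-UnexpectedLocalAdministrators {
    param(
        [string[]]$Members,
        # Accounts expected to hold local admin; everything else is flagged.
        # The list is an assumption; adjust it to the environment's policy.
        [string[]]$Allowed = @('Administrator', "$env:USERDOMAIN\Domain Admins")
    )
    return @($Members | Where-Object { $Allowed -notcontains $_ })
}

$members    = Get-LocalAdministrators
$unexpected = Get-UnexpectedLocalAdministrators -Members $members

$record = [pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Collected  = (Get-Date).ToString('s')
    Members    = ($members -join ';')
    Unexpected = ($unexpected -join ';')
}

# One file per machine avoids write contention between concurrent logons.
$outFile = Join-Path $centralShare "$env:COMPUTERNAME.csv"
$record | Export-Csv -Path $outFile -NoTypeInformation
```

Reviewing the Unexpected column across the collected files shows which machines have local admins outside policy; Restricted Groups then enforces the intended membership.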
> What is the ISTG? Who has that role by default?
The domain controllers each create Active Directory replication connection objects representing inbound replication from intrasite replication partners. For intersite replication, one domain controller per site has the responsibility of evaluating the intersite replication topology and creating Active Directory replication connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).
Simply put, the Intersite Topology Generator (ISTG) is the domain controller in each site that is responsible for generating the intersite topology.
> What is the difference between Server 2003 and 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization), but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role, such as a DHCP, DNS or print server).
3. Better security.
4. Role-based installation.
5. Read-Only Domain Controllers (RODC).
6. Enhanced Terminal Services.
7. Network Access Protection - Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell - Microsoft's command-line shell and scripting language has proved popular with some server administrators.
9. IIS 7.
10. BitLocker - System drive encryption can be a sensible security measure for servers located in remote branch offices.
11. Windows Aero.
The main difference between 2003 and 2008 is virtualization and management. 2008 has more built-in components and updated third-party drivers.
> What are the requirements for installing AD on a new server?
1. The domain structure.
2. The domain name.
3. Storage location of the database and log file.
4. Location of the shared system volume folder.
5. DNS configuration method.
6. DNS configuration.
> What are the default Active Directory built-in groups?
Groups in the Builtin container:
- Account Operators
- Administrators
- Backup Operators
- Guests
- Incoming Forest Trust Builders
- Network Configuration Operators
- Performance Monitor Users
- Performance Log Users
- Pre-Windows 2000 Compatible Access
- Print Operators
- Remote Desktop Users
- Replicator
- Server Operators
- Users
Groups in the Users container:
- Cert Publishers
- DnsAdmins (if installed with DNS)
- DnsUpdateProxy (if installed with DNS)
- Domain Admins
- Domain Computers
- Domain Controllers
- Domain Guests
- Domain Users
- Enterprise Admins (only appears in the forest root domain)
- Group Policy Creator Owners
- IIS_WPG (installed with IIS)
- RAS and IAS Servers
- Schema Admins (only appears in the forest root domain)
> What is LDP?
LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.
> What are the new AD features in Windows Server 2008?
AD DS includes many new features that are not available in previous versions of Windows Server Active Directory. These new features make it possible for organizations to deploy AD DS more simply and securely and to administer it more efficiently.
- AD DS: Auditing
- AD DS: Fine-Grained Password Policies
- AD DS: Read-Only Domain Controllers
- AD DS: Restartable Active Directory Domain Services
- AD DS: Database Mounting Tool (Snapshot Viewer or Snapshot Browser)
- AD DS: User Interface Improvements
- AD DS: Owner Rights
> What are the new AD features in Windows Server 2008 R2?
Active Directory Domain Services in the Windows Server 2008 R2 operating system includes many new features that help improve Active Directory manageability, supportability, and performance.
- Active Directory Recycle Bin
- Active Directory module for Windows PowerShell and Windows PowerShell cmdlets
- Active Directory Administrative Center
- Active Directory Best Practices Analyzer
- Active Directory Web Services
- Authentication mechanism assurance
- Offline domain join
- Managed Service Accounts
- Active Directory Management Pack
- Bridgehead Server Selection
> What are the new AD features in Windows Server 2012?
You can use Active Directory Domain Services in Windows Server 2012 to more rapidly and easily deploy domain controllers (on-premises and in the cloud), increase flexibility when auditing and authorizing access to files, and more easily perform administrative tasks at scale (locally or remotely) through consistent graphical and scripted management experiences.
- Virtualization that just works -> rapid deployment with cloning and safer virtualization of domain controllers.
- Simplified deployment and upgrade preparation -> using the AD DS Configuration Wizard.
- Simplified management -> Dynamic Access Control, DirectAccess Offline Domain Join, AD FS, Windows PowerShell History Viewer, Active Directory Recycle Bin user interface, Fine-Grained Password Policy user interface, Active Directory replication and topology Windows PowerShell cmdlets, Active Directory Based Activation and Group Managed Service Accounts.
- AD DS platform changes -> AD DS claims in AD FS, Relative ID improvements, deferred index creation and Kerberos enhancements.
> Why do we need the Netlogon service?
It maintains a secure channel between the computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services, and the domain controller cannot register DNS records.
> Where are the NETLOGON logs stored?
The NETLOGON logs are stored in C:\Windows\Debug\Netlogon.Log. By default the size of the log file is 20MB.
> Briefly explain how Active Directory authentication works.
When a user logs into the network, the user provides a username and password. The computer sends this username and password to the KDC, which contains the master list of unique long-term keys for each user. The KDC creates a session key and a ticket-granting ticket. This data is sent to the user's computer. The user's computer runs the data through a one-way hashing function that converts the data into the user's master key, which in turn enables the computer to communicate with the KDC to access the resources of the domain.
> What group types are available in Active Directory?
Security groups: Use security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.
> Explain the group scopes in AD.
Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist at all mixed, native and interim functional levels of domains and forests. Domain local group memberships are not limited, as you can add user accounts, universal groups and global groups from any domain as members. Just remember that nesting cannot be done in a domain local group: a domain local group will not be a member of another domain local group or any other group in the same domain.
Global Group: Users with a similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in the local domain or another domain in the same forest. To put it simply, global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest, as their memberships are limited. User accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible for global groups within other groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain-specific resources (like printers and published folders), they can be members of a domain local group. Global groups exist at all mixed, native and interim functional levels of domains and forests.
Universal Group Scope: These groups are precisely used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or domain local group in any domain.
> What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: this GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.
> What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a graphical user interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.
> What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
> What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
> How do you take a backup of AD?
To take a backup of Active Directory, go to Start -> Programs -> Accessories -> System Tools -> Backup, or open the Run window and enter ntbackup. When the backup screen appears, take a backup of System State; this backs up all the necessary information about the system, including the AD backup, DNS, etc.
> What are the DS* commands?
The DS family of built-in command-line utilities consists of the following commands:
DSmod - modify Active Directory attributes.
DSrm - delete Active Directory objects.
DSmove - relocate objects.
DSadd - create new accounts.
DSquery - find objects that match your query attributes.
DSget - list the properties of an object.
> What is AD DS replication?
The Active Directory database is replicated between domain controllers. The data replicated between controllers is also called a "naming context". Once a domain controller has been established, only the changes are replicated. Active Directory uses a multimaster model, which means changes can be made on any controller and the changes are sent to all other controllers. The replication path in Active Directory forms a ring, which adds reliability to the replication.
> What are the roles of the global catalog?
1. Finds objects.
2. Supplies user principal name authentication.
3. Supplies universal group membership information in a multiple-domain environment.
4. Validates object references within a forest: validates references to objects of other domains in the forest.
> What are the requirements for installing AD on a new server?
- An NTFS partition with enough free space.
- An Administrator's username and password.
- The correct operating system version.
- A NIC.
- Properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway).
- A network connection (to a hub or to another computer via a crossover cable).
- An operational DNS server (which can be installed on the DC itself).
- A domain name that you want to use.
- The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).
> Explain trusts in AD.
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created.
Communication between domains occurs through trusts. Trusts are authentication pipelines that must be present in order for users in one domain to access resources in another domain. Two default trusts are created when using the Active Directory Installation Wizard. There are four other types of trusts that can be created using the New Trust Wizard or the Netdom command-line tool.
> Explain the types of trust in AD.
- Default trusts: By default, two-way, transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain using the Active Directory Installation Wizard.
1. Parent and child
2. Tree-root
- Other trusts: Four other types of trusts can be created using the New Trust Wizard or the Netdom command-line tool:
1. External
2. Realm
3. Forest
4. Shortcut
> What is the difference between LDIFDE and CSVDE?
CSVDE is a command that can be used to import and export objects to and from the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go to length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info.
LDIFDE is a command that can be used to import and export objects to and from the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor; however, it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.
> What is metadata cleanup in AD DS?
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed.
> What is tombstone lifetime attribute ?
The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object.
Its default value depends on the server OS version of the first DC in the forest and is either 60 or 180 days. For domain controllers upgraded to Windows Server 2008 that use a tombstone lifetime of 60 days, Microsoft recommends manually setting the value to 180 days.
> What are application partitions? When do I use them ?
An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Using an application directory partition provides redundancy, availability or fault tolerance by replicating data to a specific domain controller or any set of domain controllers anywhere in the forest.
> How do you create a new application partition ?
Use the DnsCmd command to create an application directory partition. To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
> How do you view all the GCs in the forest?
DSQUERY server can be used to locate global catalogs.
To search the entire forest:
dsquery server -forest -isgc
To locate global catalogs in your current (logon) domain:
dsquery server -isgc
To locate global catalogs in a specific domain:
dsquery server -domain tech.techiebird.com -isgc
Here, you search for global catalog servers in the tech.techiebird.com domain.
You can also search for global catalog servers by site, but to do this, you must know the full site name, and cannot use wildcards. For example, if you wanted to find all the global catalog servers for Default-First-Site-Name, you would have to type:
dsquery server -site Default-First-Site-Name -isgc
The resulting output is a list of DNs for global catalogs, such as
"CN=TECHSVR02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=techiebird,DC=com"
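Reading dsquery's output, as an added example that is not from the page: a DN parser that follows the RFC 4514 escaping rules (a comma inside a value is written as \, or \2C, which a naive split on commas gets wrong) and extracts the server and site name from each DN. The first sample line is the DN quoted above; the second line, the TECHSVR05 server and the "Sales\, East" site are constructed.

```python
"""Parse the distinguished names dsquery prints (added example, not page code).

The parser handles RFC 4514 escapes: '\,' and other backslash-escaped special
characters, and '\XX' hex escapes. The first sample DN is the one quoted on
the page; the second line and the site with a comma in its name are constructed."""

SAMPLE_DN = ("CN=TECHSVR02,CN=Servers,CN=Default-First-Site-Name,"
             "CN=Sites,CN=Configuration,DC=techiebird,DC=com")

DSQUERY_OUTPUT = (
    '"CN=TECHSVR02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=techiebird,DC=com"\n'
    '"CN=TECHSVR05,CN=Servers,CN=Branch-Site,CN=Sites,CN=Configuration,DC=techiebird,DC=com"\n'
)  # second line constructed

def parse_dn(dn):
    """Split a DN into an ordered list of (attribute, value) RDN pairs."""
    rdns, attr, value = [], [], []
    reading_attr = True
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and not reading_attr and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                value.append(chr(int(pair, 16)))   # \2C style hex escape
                i += 3
            else:
                value.append(dn[i + 1])             # \, style escape of a special char
                i += 2
            continue
        if reading_attr:
            if ch == "=":
                reading_attr = False
            else:
                attr.append(ch)
        elif ch == ",":                             # unescaped comma ends the RDN
            rdns.append(("".join(attr).strip(), "".join(value)))
            attr, value, reading_attr = [], [], True
        else:
            value.append(ch)
        i += 1
    if attr or value:
        rdns.append(("".join(attr).strip(), "".join(value)))
    return rdns

def gc_server_and_site(dn):
    """From a server object DN, return (server name, site name).
    Layout: CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=..."""
    rdns = parse_dn(dn)
    attrs = [a.upper() for a, _ in rdns]
    if attrs[:5] != ["CN"] * 5 or rdns[1][1] != "Servers" or rdns[3][1] != "Sites":
        raise ValueError("not a server object DN: " + dn)
    return rdns[0][1], rdns[2][1]

def forest_name(dn):
    """Join the DC components into the DNS name of the forest/domain."""
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")

def gcs_by_site(output=DSQUERY_OUTPUT):
    """Group dsquery's quoted DN lines by site: {site: [server, ...]}."""
    by_site = {}
    for line in output.splitlines():
        line = line.strip()
        if line:
            server, site = gc_server_and_site(line.strip('"'))
            by_site.setdefault(site, []).append(server)
    return by_site
```

gcs_by_site() turns the raw output into the view an administrator usually wants: which sites have a global catalog at all, since a site without one sends every GC lookup across a site link.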
> Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes, you can use DirXML or LDAP to connect to other directories. In Novell you can use eDirectory.
> What is IPSec Policy ?
IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec Policy can be deployed via Group Policy to the Windows domain controllers.
> What is RSoP ?
One challenge of Group Policy administration is to understand the cumulative effect of a number of Group Policy objects (GPOs) on any given computer or user, or how changes to Group Policy, such as reordering the precedence of GPOs or moving a computer or user to a different organizational unit (OU) in the directory, might affect the network.
The Resultant Set of Policy (RSoP) snap-in offers administrators one solution. Administrators use the RSoP snap-in to see how multiple Group Policy objects affect various combinations of users and computers, or to predict the effect of Group Policy settings on the network.
> What is the System Startup process ?
Windows 2000 boot process on an Intel architecture:
1. Power-On Self Tests (POST) are run.
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run.
3. The active partition is located, and the boot sector is loaded.
4. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.
2. The Windows 2000 loader starts a mini-file system.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
5. NTDETECT.COM scans the hardware installed in the computer, and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.
6. NTLDR then loads NTOSKRNL.EXE, and gives it the hardware information collected by NTDETECT.COM. Windows NT enters the Windows load phases.
> How do you change the DS Restore admin password ?
In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Restore mode, then use either the Microsoft Management Console (MMC) Local Users and Groups snap-in or the command net user administrator * to change the Administrator password.
Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Service Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility's scripting options.)
In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password. To do so, follow these steps:
1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
2. Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument "set dsrm password" at the ntdsutil prompt:
ntdsutil: set dsrm password
3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server testing, enter the following argument at the Reset DSRM Administrator Password prompt:
Reset DSRM Administrator Password: reset password on server testing
To reset the password on the local machine, specify null as the server name:
Reset DSRM Administrator Password: reset password on server null
4. You'll be prompted twice to enter the new password. You'll see the following messages:
Please type password for DS Restore Mode Administrator Account:
Please confirm new password:
Password has been set successfully.
5. Exit the password-reset utility by typing "quit" at the following prompts:
Reset DSRM Administrator Password: quit
ntdsutil: quit
> I am upgrading from NT to 2003. The only things that are NT are the PDC and BDCs; everything else is 2000 or 2003 member servers. My question is, when I upgrade my NT domain controllers to 2003, will I need to do anything else to my Windows 2000/2003 member servers that were in the NT domain?
Your existing member servers, regardless of operating system, will simply become member servers in your upgraded AD domain. If you will be using Organizational Units and Group Policy (and I hope you are), you'll probably want to move them to a specific OU for administration and policy application, since they'll be in the default "Computers" container immediately following the upgrade.
> How do I use Registry keys to remove a user from a group?
In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from www.joeware.net. ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.
> Difference between KCC and ISTG?
KCC (Knowledge Consistency Checker) is responsible for generating site replication topologies between domain controllers. KCC runs in each DC of a domain and creates a connection object for each DC in AD. It is responsible for all intra-site replication.
In an inter-site scenario, there will be a bridgehead server to manage site-to-site replication. Here, the connection objects for the bridgehead servers are created in a separate way. ISTG (Inter-Site Topology Generator) is responsible for creating connection objects in bridgehead servers. ISTG is nothing but a KCC server (DC) which is responsible for reviewing the inter-site topology and creating inbound replication connection objects as necessary for bridgehead servers in the site in which it resides. The domain controller holding this role may not necessarily also be a bridgehead server.
> What Are Active Directory Functional Levels?
In Active Directory Domain Services (AD DS), domain controllers can run different versions of Windows Server operating systems. The functional level of a domain or forest depends on which versions of Windows Server operating systems are running on the domain controllers in the domain or forest. The functional level of a domain or forest controls which advanced features are available in the domain or forest.
Ideally, all servers in an organization could run the latest version of Windows and take advantage of all the advanced features that are available with the newest software. But organizations often have a mixture of systems, generally running different versions of operating systems, which are migrated to the latest version only as organizational requirements demand additional functionality, either for the entire organization or for a specific area of the organization.
AD DS supports phased implementation of new versions of Windows Server and advanced features on domain controllers by providing multiple functional levels, each of which is specific to the versions of Windows Server operating systems that are running on the domain controllers in the environment. These functional levels provide configuration support for the AD DS features and ensure compatibility with domain controllers running earlier versions of Windows Server.
AD DS does not automatically enable advanced features, even if all domain controllers within a forest are running the same version of Windows Server. Instead, an administrator raises a domain or forest to a specific functional level to safely enable advanced features when all domain controllers in the domain or forest are running an appropriate version of Windows Server. When an administrator attempts to raise the functional level, AD DS checks whether all domain controllers are running an appropriate Windows Server operating system to ensure the proper environment for enabling new Active Directory features.
> Domain functional level.
Six domain functional levels are available:
- Windows 2000 native
- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
> Forest functional level.
Six forest functional levels are available:
- Windows 2000
- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
> What Is FRS ?
File Replication Service (FRS) is a technology that replicates files and folders stored in the SYSVOL shared folder on domain controllers and Distributed File System (DFS) shared folders. When FRS detects that a change has been made to a file or folder within a replicated shared folder, FRS replicates the updated file or folder to other servers. Because FRS is a multimaster replication service, any server that participates in replication can generate changes. In addition, FRS can resolve file and folder conflicts to make data consistent among servers.
> What is DFS-R ?
The Distributed File System Replication (DFSR) service is a state-based, multimaster replication engine that supports replication scheduling and bandwidth throttling. DFSR uses a compression algorithm known as remote differential compression (RDC). RDC is a "diff-over-the-wire" client/server protocol that can be used to efficiently update files over a limited-bandwidth network. RDC detects insertions, removals, and rearrangements of data in files, enabling DFSR to replicate only the changed file blocks when files are updated.
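The "diff over the wire" idea above, as an added example that is neither Microsoft's RDC implementation nor code from the page: a simplified content-defined chunking model in Python. Chunk boundaries are chosen by a hash of the last few bytes rather than by fixed offsets, so an insertion or deletion only invalidates the chunks around the edit and the rest still match the receiver's copy. The window size, boundary mask and the seeded sample data are constructed for the demonstration.

```python
"""Diff over the wire with content-defined chunks (added example).

Not Microsoft's RDC and not code from the page: a simplified model of the
idea the answer describes. A file is cut into chunks wherever a hash of the
last WINDOW bytes satisfies a boundary condition, so boundaries depend on
content rather than on offsets; inserting or deleting bytes therefore disturbs
only the chunks around the edit. Sample data comes from a seeded generator."""
import random
import zlib

WINDOW = 16       # bytes hashed at each position
MASK = 0x3F       # boundary where hash & MASK == 0: average chunk of about 64 bytes
MAX_CHUNK = 512   # hard cap so data without natural boundaries still splits

def chunk(data):
    """Split data into content-defined chunks (a list of bytes objects)."""
    chunks, start = [], 0
    for i in range(WINDOW, len(data) + 1):
        h = zlib.adler32(data[i - WINDOW:i])
        if (h & MASK) == 0 or i - start >= MAX_CHUNK:
            chunks.append(data[start:i])
            start = i
    if start < len(data):
        chunks.append(data[start:])
    return chunks

def signature(data):
    """What the receiver already holds: chunk hash -> chunk."""
    return {zlib.crc32(c): c for c in chunk(data)}

def delta(old, new):
    """Instructions the sender emits so the receiver can rebuild new from old.
    Returns (instructions, bytes actually transmitted)."""
    have = signature(old)
    instructions, sent = [], 0
    for c in chunk(new):
        h = zlib.crc32(c)
        if have.get(h) == c:
            instructions.append(("have", h))       # receiver already has this chunk
        else:
            instructions.append(("send", c))       # only changed chunks cross the wire
            sent += len(c)
    return instructions, sent

def apply_delta(old, instructions):
    """Receiver side: stitch together kept chunks and received chunks."""
    have = signature(old)
    return b"".join(have[arg] if op == "have" else arg for op, arg in instructions)

def demo():
    """Insert a line in the middle and delete 200 bytes further on; report how
    much was sent versus the file size and whether the rebuild is exact."""
    rng = random.Random(7)
    old = bytes(rng.getrandbits(8) for _ in range(8192))
    new = old[:3000] + b"INSERTED-LINE-" * 8 + old[3000:5000] + old[5200:]
    instructions, sent = delta(old, new)
    return sent, len(new), apply_delta(old, instructions) == new
```

Fixed-size blocks would have shifted every block after the insertion and forced most of the file across the link; with content-defined boundaries the chunks after the edit line up again with the receiver's copy, which is the property that lets DFSR send only changed blocks.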
> How to add your first Windows 2003 DC to an existing Windows 2000 domain ?
The first step is to install Windows 2003 on your new DC. This is a straightforward process, so we aren't going to discuss that here.
Because significant changes have been made to the Active Directory schema in Windows 2003, we need to make our Windows 2000 Active Directory compatible with the new version. If you already have Windows 2003 DCs running with Windows 2000 DCs, then you can skip down to the part about DNS.
Before you attempt this step, you should make sure that you have Service Pack 4 installed on your Windows 2000 DC. Next, make sure that you are logged in as a user that is a member of the Schema Admins and Enterprise Admins groups.
Next, insert the Windows 2003 Server installation CD into the Windows 2000 Server. Bring up a command line and change directories to the I386 directory on the installation CD. At the command prompt, type:
adprep /forestprep
After running this command, make sure that the updates have been replicated to all existing Windows 2000 DCs in the forest. Next, we need to run the following command:
adprep /domainprep
The above command must be run on the Infrastructure Master of the domain by someone who is a member of the Domain Admins group.
Once this is complete, we move back to the Windows 2003 Server. Click "Start", then "Run"; type in dcpromo and click OK. During the ensuing wizard, make sure that you select that you are adding this DC to an existing domain.
After this process is complete, the server will reboot. When it comes back online, check and make sure that the AD database has been replicated to your new server.
Next, you will want to check and make sure that DNS was installed on your new server. If not, go to the Control Panel, click on "Add or Remove Programs", and click the "Add/Remove Windows Components" button. In the Windows Components screen, click on "Networking Services" and click the Details button. In the new window check "Domain Name System (DNS)" and then click the OK button. Click "Next" in the Windows Components screen.
This will install DNS and the server will reboot. After reboot, pull up the DNS Management window and make sure that your DNS settings have replicated from the Windows 2000 Server. You will need to re-enter any forwarders or other properties you had set up, but the DNS records should replicate on their own.
The next 2 items, global catalog and FSMO roles, are important if you plan on decommissioning your Windows 2000 server(s). If this is the case, you need to transfer the global catalog from the old server to the new one.
First, let's create a global catalog on our new server. Here are the steps:
1. On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click "Start", point to "Programs", point to "Administrative Tools", and then click "Active Directory Sites and Services".
2. In the console tree, double-click "Sites", and then double-click "sitename".
3. Double-click "Servers", click your domain controller, right-click "NTDS Settings", and then click "Properties".
4. On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server.
5. Restart the domain controller.
Make sure you allow sufficient time for the account and the schema information to replicate to the new global catalog server before you remove the global catalog from the original DC or take the DC offline.
After this is complete, you will want to transfer or seize the FSMO roles for your new server. For instructions, read Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.
After this step is complete, we can now run DCPROMO on the Windows 2000 Servers in order to demote them.
Once this is complete, copy over any files you need to your new server and you should have successfully replaced your Windows 2000 server(s) with a new Windows 2003 server.
> What is DSRM in AD ?
Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or restore an Active Directory database. When Active Directory is installed, the install wizard prompts the administrator to choose a DSRM password. This password provides the administrator with a back door to the database in case something goes wrong later on, but it does not provide access to the domain or to any services. In the event a DSRM password is forgotten, it can be changed by using the command-line tool NTDSUtil.
> Why is DNS important for Active Directory ?
Active Directory is dependent on DNS as a domain controller location mechanism and uses DNS domain naming conventions in the architecture of Active Directory domains. There are three components in the dependency of Active Directory on DNS:
1. Domain controller locator (Locator)
2. Active Directory domain names in DNS
3. Active Directory DNS objects
> What is group policy in active directory ?
Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Active Directory directory service containers: sites, domains, or organizational units (OUs).
> What is tree in active directory ?
A tree is a group of domains that have the same DNS name; for example, abc.com (the top domain), sales.abc.com and support.abc.com (the child domains).
> What is forest in active directory ?
A forest is a collection of multiple trees that share a common global catalog, directory schema, logical structure, and directory configuration. A forest has automatic two-way transitive trust relationships. The very first domain created in the forest is called the forest root domain. Forests allow organizations to group their divisions that use different naming schemes and may need to operate independently. But as an organization, they want to communicate with the entire organization via transitive trusts and share the same schema and configuration container.
> How do you view replication properties for AD partitions and DCs?
By using the replication monitor:
go to Start > Run > type repadmin
go to Start > Run > type replmon
> Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone life which is set to only 60 days.
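Why the backup age matters, covering both the tombstone lifetime attribute described earlier and the four-month question above, as an added example that is not from the page: a Python simulation of two DCs, a deletion that replicates as a tombstone, garbage collection of tombstones older than the tombstone lifetime, and a non-authoritative restore of an old backup. DC names, object DNs and dates are constructed.

```python
"""Why a backup older than the tombstone lifetime must not be restored (added example).

Not code from the page: two DCs, a deletion that replicates as a tombstone,
garbage collection of expired tombstones, and a non-authoritative restore of
an old backup. When the backup is older than the tombstone lifetime, the
deleted object comes back on the restored DC and no tombstone remains anywhere
to remove it again (a lingering object). DC names, DNs and dates are constructed."""
from datetime import datetime, timedelta

ALICE = "CN=alice,DC=corp,DC=example"
BOB = "CN=bob,DC=corp,DC=example"

def backup_is_restor(backup_age_days, tombstone_lifetime_days):
    return backup_age_days < tombstone_lifetime_days

def backup_is_restorable(backup_age_days, tombstone_lifetime_days):
    """The rule the answers state, as the check an operator runs before restoring."""
    return backup_is_restor(backup_age_days, tombstone_lifetime_days)

class DcReplica:
    def __init__(self, name, tombstone_lifetime_days):
        self.name = name
        self.tsl = timedelta(days=tombstone_lifetime_days)
        self.objects = set()
        self.tombstones = {}          # deleted object -> deletion time

    def delete(self, obj, when):
        self.objects.discard(obj)
        self.tombstones[obj] = when

    def garbage_collect(self, now):
        """Purge tombstones that have outlived the tombstone lifetime."""
        self.tombstones = {o: t for o, t in self.tombstones.items() if now - t < self.tsl}

    def snapshot(self):
        return set(self.objects), dict(self.tombstones)

    def restore(self, snap):
        """Non-authoritative restore: local state is replaced by the backup."""
        self.objects, self.tombstones = set(snap[0]), dict(snap[1])

def replicate(src, dst):
    """One replication cycle from src to dst: live objects and tombstones flow
    across, and a tombstone on src removes the live object on dst."""
    for obj in src.objects:
        if obj not in dst.tombstones:
            dst.objects.add(obj)
    for obj, when in src.tombstones.items():
        dst.objects.discard(obj)
        dst.tombstones.setdefault(obj, when)

def restore_outcome(backup_age_days, tombstone_lifetime_days, deleted_after_days=10):
    """Return the objects that linger on DC2 after restoring a backup of the given age."""
    t0 = datetime(2024, 1, 1)
    dc1 = DcReplica("DC1", tombstone_lifetime_days)
    dc2 = DcReplica("DC2", tombstone_lifetime_days)
    for dc in (dc1, dc2):
        dc.objects.update({ALICE, BOB})
    backup = dc2.snapshot()                                   # day 0: backup of DC2
    dc1.delete(ALICE, t0 + timedelta(days=deleted_after_days))
    replicate(dc1, dc2)                                       # deletion reaches DC2 as a tombstone
    now = t0 + timedelta(days=backup_age_days)
    dc1.garbage_collect(now)                                  # both DCs purge expired tombstones
    dc2.garbage_collect(now)
    dc2.restore(backup)                                       # the old backup comes back
    replicate(dc1, dc2)                                       # partners bring the restored DC up to date
    return dc2.objects - dc1.objects
```

With the 60-day lifetime the page states, a 120-day-old backup brings alice back as a lingering object that nothing can delete again; with a 180-day lifetime the partner still holds the tombstone and the next replication cycle removes her, which is exactly what backup_is_restorable() predicts.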
> Different modes of AD restore ?
A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller.
An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. In this case one needs to stop inbound replication first before performing the authoritative restore.
> How do you configure a stand-by operation master for any of the roles?
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
> What's the difference between transferring a FSMO role and seizing ?
Seizing an FSMO role can be a destructive process and should only be attempted if the existing server with the FSMO role is no longer available.
If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: that the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role seize and then bring the previous holder back online, you'll have a problem.
An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC. During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder.
> I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v
(servername is the name of your DC)
> What is BridgeHead Server in AD ?
A bridgehead server is a domain controller in each site which is used as a contact point to receive and replicate data between sites. For intersite replication, the KCC designates one of the domain controllers as a bridgehead server. If that server is down, the KCC designates another domain controller. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.
> What are the data partitions in AD DS ?
Each domain controller has a copy of the Active Directory database stored in a file called NTDS.DIT. The data in this file is divided into partitions. The partition type determines how it will be replicated throughout the forest.
1. Domain Partition
2. Global Catalog Partition
3. Schema Partition
4. Configuration Partition
5. Application Partition
> What are Site Link Bridges in AD DS ?
When more than two sites are linked for replication and use the same transport, all of the site links are "bridged" in terms of cost by default, assuming that the site links have common sites. When site links are bridged, they are transitive. That is, all site links for a specific transport implicitly belong to a single site link bridge for that transport. So in the common case of a fully routed IP network (in which all sites can communicate with each other by IP), administrators do not have to configure any site link bridges.
If the IP network is not fully routed, the transitive site link feature can be turned off for the IP transport (the Bridge all site links option on the General tab in the IP transport object property sheet or SMTP transport object property sheet). In this case, all IP site links are considered intransitive, and site link bridges are configured. A site link bridge is the equivalent of a disjoint network; all site links within the bridge can route transitively, but they do not route outside the bridge.
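Bridged versus intransitive site links, as an added example that is not from the page: a small Python model of IP site links with costs. With Bridge all site links on, the cheapest route may chain any links of the transport; with it off, a route may use only a single site link or the links inside one explicit site link bridge. Site names, costs and bridge names are constructed.

```python
"""Replication routes with and without site link bridging (added example).

Not code from the page: site links are modelled as (name, member sites, cost).
bridge_all=True (the default in AD) makes every link of the transport
transitive; bridge_all=False allows only direct links or chains inside an
explicit site link bridge. All names and costs are constructed."""
import heapq

SITE_LINKS = [
    ("HQ-Branch1", {"HQ", "Branch1"}, 100),
    ("HQ-Branch2", {"HQ", "Branch2"}, 200),
    ("Branch2-Remote", {"Branch2", "Remote"}, 400),
]

def adjacency(site_links):
    """Every pair of sites on the same link is adjacent at that link's cost."""
    adj = {}
    for _name, sites, cost in site_links:
        for a in sites:
            for b in sites:
                if a != b:
                    current = adj.get(a, {}).get(b, float("inf"))
                    adj.setdefault(a, {})[b] = min(cost, current)
    return adj

def _dijkstra(adj, src, dst):
    dist, prev, pq = {src: 0}, {}, [(0, src)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist.get(u, float("inf")):
            continue
        if u == dst:
            path = [u]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]
        for v, w in adj.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(pq, (d + w, v))
    return None, []

def cheapest_route(src, dst, site_links=SITE_LINKS, bridge_all=True, bridges=()):
    """Return (total cost, sites on the route) or (None, []) when unreachable.
    bridges: iterable of tuples of link names, each one an explicit site link bridge."""
    by_name = {name: (name, sites, cost) for name, sites, cost in site_links}
    if bridge_all:
        candidates = [list(site_links)]                  # all links transitive
    else:
        candidates = [[link] for link in site_links]     # single direct link only
        candidates += [[by_name[n] for n in bridge] for bridge in bridges]
    best = (None, [])
    for links in candidates:
        cost, path = _dijkstra(adjacency(links), src, dst)
        if cost is not None and (best[0] is None or cost < best[0]):
            best = (cost, path)
    return best

def unreachable_pairs(site_links=SITE_LINKS, bridge_all=True, bridges=()):
    """Site pairs that cannot replicate at all under the given settings."""
    sites = sorted({s for _n, members, _c in site_links for s in members})
    return [(a, b) for i, a in enumerate(sites) for b in sites[i + 1:]
            if cheapest_route(a, b, site_links, bridge_all, bridges)[0] is None]
```

unreachable_pairs() is the check to run before turning Bridge all site links off: in the constructed topology doing so without defining a bridge silently cuts Branch1 off from Branch2 and Remote, and HQ off from Remote.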
> What are subnets in AD DS ?
Computers on TCP/IP networks are assigned to sites based on their location in a subnet or a set of subnets. Subnets group computers in a way that identifies their physical proximity on the network. Subnet information is used during the process of domain controller location to find a domain controller in the same site as the computer that is logging on. This information also is used during Active Directory replication to determine the best routes between domain controllers.
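Subnet-to-site assignment, as an added example that is not from the page: the longest-prefix match that maps a client address to a site (the most specific subnet wins) and a report of clients that match no subnet at all. The subnet map and the client addresses are constructed.

```python
"""Map client addresses to sites the way the DC locator does (added example).

Not code from the page: a subnet-to-site table and a longest-prefix lookup.
The subnets, site names and client addresses are constructed."""
import ipaddress

SUBNET_TO_SITE = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "Branch-Site",
    "10.20.5.0/24": "Branch-Lab",          # more specific than 10.20.0.0/16
    "192.168.100.0/24": "Remote",
    "2001:db8:1::/48": "Remote",
}

def site_for_address(ip, subnet_map=SUBNET_TO_SITE):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, site in subnet_map.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None

def unmapped_clients(addresses, subnet_map=SUBNET_TO_SITE):
    """Clients with no matching subnet: their logons are not steered to a local
    DC, so an administrator wants this list to stay empty."""
    return [a for a in addresses if site_for_address(a, subnet_map) is None]

def clients_by_site(addresses, subnet_map=SUBNET_TO_SITE):
    """Group addresses by the site they resolve to (None for unmapped ones)."""
    grouped = {}
    for a in addresses:
        grouped.setdefault(site_for_address(a, subnet_map), []).append(a)
    return grouped
```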
> What is the default size of ntds.dit ?
10 MB in Server 2000 and 12 MB in Server 2003.
> Where is the AD database held and what are other folders related to AD ?
The AD database is saved in %systemroot%\NTDS. You can see other files also in this folder. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file.
Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've discussed.
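The edb.log / edb.chk / ntds.dit interplay described above, as an added example that is not from the page: a toy Python store in which every change is logged first, applied to the database lazily, and tracked by a checkpoint; startup replays the log past the checkpoint whenever the shutdown marker is missing or the checkpoint is gone. The file names are the page's; their in-memory stand-ins, the DNs and the attribute values are constructed, and real ESE logs are binary, circular files rather than lists.

```python
"""Write-ahead log, checkpoint and database, as described above (added example).

Not code from the page: a toy model of the three files. Every change goes to
the log first, a lazy writer applies logged changes to the database and moves
the checkpoint forward, and a clean shutdown flushes everything and records a
shutdown marker. On startup, a missing marker (crash) or a missing checkpoint
makes recovery replay the log past the last committed entry. File names are the
page's; the in-memory stand-ins, DNs and values are constructed."""
import copy

class ToyDirectoryStore:
    def __init__(self):
        self.edb_log = []                                   # (seq, dn, attr, value) entries
        self.ntds_dit = {}                                  # {dn: {attr: value}}
        self.edb_chk = {"committed_seq": 0, "shutdown": False}
        self._seq = 0

    def write(self, dn, attr, value):
        """A change is durable as soon as it is in the log."""
        self._seq += 1
        self.edb_log.append((self._seq, dn, attr, value))
        self.edb_chk["shutdown"] = False
        return self._seq

    def flush(self, up_to=None):
        """Lazy writer: apply log entries after the checkpoint, up to a sequence number."""
        target = self._seq if up_to is None else up_to
        self.edb_chk.setdefault("committed_seq", 0)
        for seq, dn, attr, value in self.edb_log:
            if self.edb_chk["committed_seq"] < seq <= target:
                self.ntds_dit.setdefault(dn, {})[attr] = value
                self.edb_chk["committed_seq"] = seq

    def clean_shutdown(self):
        """Everything reaches the database, then the shutdown marker is written."""
        self.flush()
        self.edb_chk["shutdown"] = True

    def crash(self):
        """Power loss: memory is gone, the three 'files' survive as last written."""
        survivor = ToyDirectoryStore()
        survivor.edb_log = copy.deepcopy(self.edb_log)
        survivor.ntds_dit = copy.deepcopy(self.ntds_dit)
        survivor.edb_chk = copy.deepcopy(self.edb_chk)
        survivor._seq = self.edb_log[-1][0] if self.edb_log else 0
        return survivor

    def startup(self):
        """Recovery on boot. Returns how many log entries had to be replayed."""
        if self.edb_chk.get("shutdown"):
            return 0                                        # clean shutdown: nothing to do
        before = self.edb_chk.get("committed_seq", 0)
        self.flush()                                        # replay everything past the checkpoint
        return self._seq - before
```

The point the model makes is that the database file on its own is never the whole truth: between a write and the lazy flush the only copy of a change is in the log, which is why the log must survive a crash intact for the replay on startup to reproduce the database.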
> What FSMO placement considerations do you know of ?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement.
In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
> What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine).
To update the schema, run the Adprep utility, which you'll find in the Components\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).
Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
[User Action] If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries... 139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
> What is OU ?
An Organizational Unit is a container object in which you can keep objects such as user accounts, groups, computers, printers, applications and other OUs. In an organizational unit you can assign specific permissions to users. Organizational units can also be used to create departmental boundaries.
> Name some OU design considerations ?
OU design requires balancing requirements for delegating administrative rights (independent of Group Policy needs) and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
Applying Group Policy: An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. Delegation of administrative authority usually does not go deeper than 3 OU levels.
> What are sites ? What are they used for ?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets.
Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic.
Sites can be linked to other Sites. Site Link objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule.
> Trying to look at the Schema, how can I do that ?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> Add Snap-in --> Active Directory Schema
Name it as schema.msc
Open Administrative Tools --> schema.msc
> What is the port no of Kerberos ?
88
> What is Kerberos & Kerberos Authentication?
Kerberos provides secure user authentication with an industry standard that permits interoperability. The Active Directory domain controller maintains user account and log-in information to support the Kerberos service.
The Kerberos version 5 authentication protocol provides a mechanism for authentication (and mutual authentication) between a client and a server, or between one server and another server.
> What is the port no of Global catalog ?
3268
> What Is the Global Catalog ?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
> What is the port no of LDAP ?
389
> What is LDAP ?
The Lightweight Directory Access Protocol is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.
> Explain Active Directory Schema ?
Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called the "Schema". The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on.
These objects are also known as "Classes". The Active Directory Schema is dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.
>How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
With dcpromo /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server afterwards. After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is still present on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, and Active Directory Users and Computers.
>What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) roles. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
>What is a domain tree ?
Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees.
Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.
>What are forests ?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses.
>How to Select the Appropriate Restore Method ?
You select the appropriate restore method by considering the circumstances and characteristics of the failure. The two major categories of failure, from an Active Directory perspective, are Active Directory data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers, or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers.
>Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
>What is Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.
>How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
>When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
>Describe the process of working with an external domain name ?
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for their external namespace uses the name corp.internal for their internal namespace.
The advantage to this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users because the namespaces do not reflect a relationship between resources within and outside of your network.
In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.
> Difference between KCC and ISTG?
KCC (Knowledge Consistency Checker) is responsible for generating site replication topologies between domain controllers. KCC runs on each DC of a domain and creates a connection object for each DC in AD. It is responsible for all intra-site replication.
In case of an inter-site scenario, there will be a bridgehead server to manage site-to-site replication. Here, the connection objects for the bridgehead servers are created in a separate way. ISTG (Inter-Site Topology Generator) is responsible for creating connection objects on bridgehead servers. ISTG is nothing but a KCC server (DC) which is responsible for reviewing the inter-site topology and creating inbound replication connection objects as necessary for bridgehead servers in the site in which it resides. The domain controller holding this role may not necessarily also be a bridgehead server.
> What are lingering objects in Active Directory ?
Lingering objects can occur if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL) and then reconnects to the replication topology. Objects that were deleted from the Active Directory directory service while the domain controller was offline can remain on that domain controller as lingering objects.
> What is KDC in Active Directory ?
The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services.
> What are the physical components of Active Directory ?
Domain controllers and Sites. Domain controllers are physical computers which run the Windows Server operating system and the Active Directory database. Sites are network segments based on geographical location, and each site contains one or more domain controllers.
> What are the logical components of Active Directory ?
Domains, Organizational Units, trees and forests are the logical components of Active Directory.
> What are the Active Directory Partitions ?
The Active Directory database is divided into different partitions: the Schema partition, the Domain partition, and the Configuration partition. Apart from these partitions, we can create Application partitions based on requirements.
> What is group nesting ?
Adding one group as a member of another group is called 'group nesting'. This helps with easy administration and reduces replication traffic.
> What is the feature of Domain Local Group ?
Domain local groups are mainly used for granting access to network resources. A Domain local group can contain accounts from any domain, global groups from any domain and universal groups from any domain. For example, if you want to grant permission to a printer located in Domain A to 10 users from Domain B, then create a Global group in Domain B and add all 10 users into that Global group. Then, create a Domain local group in Domain A, add the Global group of Domain B to the Domain local group of Domain A, and then add the Domain local group of Domain A to the printer's (Domain A) security ACL.
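The group-scope rules and the nesting chain above (users in B, Global group in B, Domain local group in A, printer ACL in A) can be modelled and checked in code. The following Python is an added example written for this page, not code from Microsoft or any tool; the domain names, group names and user names are constructed. It enforces the scope containment rules (global groups accept only objects from their own domain; domain local and universal groups accept global and universal groups from any domain) and expands nested membership the way an access check sees it, including protection against circular nesting.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Principal:
    """A user or group object. Names, domains and scopes are constructed for this example."""
    name: str
    domain: str
    kind: str                 # "user" or "group"
    scope: str = ""           # groups only: "global", "domainlocal" or "universal"
    members: Set[str] = field(default_factory=set)


class Directory:
    def __init__(self) -> None:
        self.objects: Dict[str, Principal] = {}

    def add(self, p: Principal) -> Principal:
        self.objects[p.name] = p
        return p

    def can_contain(self, group: Principal, member: Principal) -> bool:
        """Scope rules: global groups take only objects from their own domain;
        domain local groups take users, global and universal groups from any
        domain (plus domain local groups of their own domain); universal
        groups take users, global and universal groups from any domain."""
        same_domain = member.domain == group.domain
        if member.kind == "user":
            return same_domain if group.scope == "global" else True
        if group.scope == "global":
            return member.scope == "global" and same_domain
        if group.scope == "domainlocal":
            return member.scope in ("global", "universal") or (
                member.scope == "domainlocal" and same_domain)
        return member.scope in ("global", "universal")   # universal group

    def add_member(self, group_name: str, member_name: str) -> None:
        g, m = self.objects[group_name], self.objects[member_name]
        if not self.can_contain(g, m):
            raise ValueError(f"{g.scope} group {g.name} ({g.domain}) cannot contain "
                             f"{m.kind} {m.name} ({m.domain})")
        g.members.add(member_name)

    def effective_users(self, group_name: str) -> Set[str]:
        """Expand nested membership transitively, the way a token or ACL check
        sees it; the 'seen' set protects against circular nesting."""
        seen: Set[str] = set()
        users: Set[str] = set()
        stack = [group_name]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            for member in self.objects[name].members:
                p = self.objects[member]
                if p.kind == "user":
                    users.add(member)
                else:
                    stack.append(member)
        return users


def build_printer_example() -> Directory:
    """The scenario from the text: 10 users in Domain B get a printer in Domain A
    via Global group (B) -> Domain local group (A) -> printer ACL."""
    d = Directory()
    for i in range(10):
        d.add(Principal(f"userB{i}", "B", "user"))
    d.add(Principal("PrinterUsers-B", "B", "group", "global"))
    d.add(Principal("PrinterA-Print", "A", "group", "domainlocal"))
    for i in range(10):
        d.add_member("PrinterUsers-B", f"userB{i}")
    d.add_member("PrinterA-Print", "PrinterUsers-B")
    return d


if __name__ == "__main__":
    d = build_printer_example()
    print(sorted(d.effective_users("PrinterA-Print")))
```

The resolver is also what you want when auditing who really has access: a permission granted to one domain local group can reach users several nesting levels away in other domains, so reviewing direct members alone understates the effective audience.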
>How will you take Active Directory backup ?
Active Directory is backed up along with System State data. System state data includes the local registry, COM+, boot files, NTDS.DIT and the SYSVOL folder. System state can be backed up either using Microsoft's default NTBACKUP tool or third party tools such as Symantec NetBackup, IBM Tivoli Storage Manager etc.
> What is the Lost and Found Container ?
In the multimaster replication method, replication conflicts can happen. Objects with replication conflicts will be stored in a container called the 'Lost and Found' container. This container is also used to store orphaned user accounts and other objects.
> Do we use clustering in Active Directory ? Why ?
No one installs Active Directory in a cluster. There is no need for clustering a domain controller, because Active Directory provides total redundancy with two or more servers.
> What is Active Directory Recycle Bin ?
Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed up AD database, rebooting the domain controller or restarting any services.
> What is RODC ? Why do we configure RODC ?
Read only domain controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC is a read only copy of the Active Directory database and it can be deployed in a remote branch office where physical security cannot be guaranteed. An RODC provides improved security and faster logon time for the branch office.
> How do you check the current forest and domain functional levels? Say both GUI and Command line.
To find out forest and domain functional levels in GUI mode, open ADUC, right click on the domain name and open Properties. Both domain and forest functional levels will be listed there. To find out forest and domain functional levels from the command line, you can use the DSQUERY command.
> Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory ?
All versions of Windows Server Active Directory use Kerberos 5.
> Name a few port numbers related to Active Directory ?
Kerberos 88, LDAP 389, DNS 53, SMB 445
> What is an FQDN ?
FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of a domain name system which points to a device in the domain at its left-most end. For example in system.
> Have you heard of ADAC ?
ADAC, Active Directory Administrative Center, is a new GUI tool that came with Windows Server 2008 R2, which provides an enhanced data management experience to the admin. ADAC helps administrators perform common Active Directory object management tasks across multiple domains with the same ADAC instance.
> How many objects can be created in Active Directory? (both 2003 and 2008)
As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
> Explain the process between a user providing his Domain credential to his workstation and the desktop being loaded. Or, how does AD authentication work ?
When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long-term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
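The exchange just described, as an added toy model in Python (not code from the page, from Microsoft, or from any Kerberos implementation). It shows the point that matters for the earlier question about recovering passwords from the AD database: the KDC stores only the long-term key KA derived one way from the password, and the client proves possession of the password by being able to decrypt the AS-REP part encrypted under KA. Assumptions: PBKDF2 stands in for the Kerberos string-to-key function, a small HMAC-based authenticated cipher stands in for the real Kerberos encryption types, the realm name and principals are constructed, and pre-authentication (which real AD uses to reject a wrong password at the KDC before any AS-REP is issued) is left out so that the flow matches the text.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "CORP.EXAMPLE"      # constructed realm name for this example
TGT_LIFETIME = 10 * 3600    # seconds


def string_to_key(password: str, principal: str) -> bytes:
    """One-way derivation of the long-term key KA from the password.
    Assumption: PBKDF2-HMAC-SHA256 stands in for the Kerberos string-to-key function."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-based keystream; a stand-in for the real Kerberos encryption types."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds KKDC and the long-term keys; never sees or stores a password."""

    def __init__(self) -> None:
        self.master_key = os.urandom(32)   # KKDC, known only to the KDC
        self.keys = {}                     # principal -> KA

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, principal)

    def as_exchange(self, principal: str):
        """AS-REQ/AS-REP: returns (part encrypted with KA, TGT encrypted with KKDC)."""
        ka = self.keys[principal]
        sa = os.urandom(32)                           # session key SA
        expires = int(time.time()) + TGT_LIFETIME
        tgt = encrypt(self.master_key, json.dumps(
            {"cname": principal, "key": sa.hex(), "expires": expires}).encode())
        enc_part = encrypt(ka, json.dumps({"key": sa.hex(), "expires": expires}).encode())
        return enc_part, tgt

    def open_tgt(self, tgt: bytes) -> dict:
        """Only the KDC can read a TGT, which is why the client cannot forge one."""
        return json.loads(decrypt(self.master_key, tgt))


def client_logon(kdc: KDC, principal: str, password: str):
    """The client side: recompute KA from the typed password and unwrap SA.
    A wrong password yields the wrong KA and decrypt() raises ValueError."""
    enc_part, tgt = kdc.as_exchange(principal)
    ka = string_to_key(password, principal)
    session = json.loads(decrypt(ka, enc_part))
    return bytes.fromhex(session["key"]), tgt


if __name__ == "__main__":
    kdc = KDC()
    kdc.register("alice", "correct horse battery")
    sa, tgt = client_logon(kdc, "alice", "correct horse battery")
    print("session key matches TGT copy:", kdc.open_tgt(tgt)["key"] == sa.hex())
```

Two details carry over to the real protocol: the TGT is opaque to the client (it is readable only with KKDC, the krbtgt key in AD), and the strength of the whole step rests on the password, since KA is a deterministic function of it.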
> What Is Urgent Replication And When Is It Used ?
You probably know how Active Directory core replication works. When an object is changed, the source DC, the one that serviced the change request, notifies its direct replication neighbours that there was a change to some object. The neighbours then start the replication process by requesting the changes made since the last replication.
Important to know is that there is a "notification delay" between the actual change to the objects in the directory and the notification sent to the replication partners. Server 2003 DCs wait 15 seconds before they fire out the change notification. This delay is there to send only one change notification once the change transaction to the object is done. If there are multiple changes made to an object, let's say the phone number, the home town and the employeeID of a user, and the changes were made with a 1 second delay each, we only send one change notification for those three changes. If there was no notification delay and we waited a second between the changes to a user's attributes, the source DC would send three change notifications to its partners. Too much traffic there! Note that the default change notification delay in Windows 2000 was 5 minutes (the numbers may differ depending on installation type: upgrade from 2000 to 2003, forest functional level, ...).
Given that fact, one can think of several scenarios which may lead to a "problem" since the change to the directory is not replicated right away: user password changes, user lockout, password policy changed, ...
For this reason, there's urgent replication. Urgent replication works in the same way "normal" replication does, but has no notification delay of a few seconds/minutes. That makes "urgent" changes that need to be distributed throughout the sites and DCs get more quickly to all edges. Urgent replication takes place in the following cases:
The Password Policy or account lockout policy of a domain has changed
The LSA secret has changed (that's used for the "secure channels" between machines and DCs and trusts)
A user or computer is locked out due to a failed logon attempt (in this case, the urgent replication is used to notify the DC with the PDC emulator role first and then all others)
The RID master has changed
So, if one of the mentioned events takes place, urgent replication takes place and there's no notification delay prior to change notification of neighbour DCs.
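The notification-delay behaviour above is easy to reason about once it is written down as a scheduler. The following Python is an added example for this page, not Microsoft code and not a description of the actual NTDS implementation: it models a source DC coalescing normal attribute changes into one notification per 15 second window, while changes to attributes treated as urgent are notified immediately. The attribute names in URGENT_ATTRIBUTES are illustrative stand-ins for the events listed above, and the change log is constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

NOTIFICATION_DELAY = 15   # seconds, the Server 2003 default quoted in the text

# Assumption: attribute names used here as stand-ins for the urgent cases
# (lockout, password/lockout policy, LSA secret, RID master change)
URGENT_ATTRIBUTES = {"lockoutTime", "pwdProperties", "lockoutDuration",
                     "lsaSecret", "rIDAvailablePool"}

Change = Tuple[int, str, str]   # (timestamp in seconds, object, attribute)


@dataclass
class Notification:
    sent_at: int
    changes: List[Change]
    urgent: bool


def schedule_notifications(changes: List[Change],
                           delay: int = NOTIFICATION_DELAY) -> List[Notification]:
    """Simulate the change notifications a source DC sends for a change log.

    Normal changes start (or join) a pending batch; the batch is sent when the
    delay timer that began with its first change expires. Urgent changes are
    sent on their own with no delay."""
    sent: List[Notification] = []
    pending: List[Change] = []
    timer_expires = 0
    for ts, obj, attr in sorted(changes):
        # a batch whose timer already ran out before this change is flushed first
        if pending and ts >= timer_expires:
            sent.append(Notification(timer_expires, pending, False))
            pending = []
        if attr in URGENT_ATTRIBUTES:
            sent.append(Notification(ts, [(ts, obj, attr)], True))
            continue
        if not pending:
            timer_expires = ts + delay
        pending.append((ts, obj, attr))
    if pending:
        sent.append(Notification(timer_expires, pending, False))
    return sent


# Constructed change log: three edits to one user a second apart, a lockout
# of another account, and an unrelated edit later on
SAMPLE_CHANGES: List[Change] = [
    (0, "CN=Alice", "telephoneNumber"),
    (1, "CN=Alice", "l"),
    (2, "CN=Alice", "employeeID"),
    (5, "CN=Bob", "lockoutTime"),
    (30, "CN=Alice", "title"),
]


if __name__ == "__main__":
    for n in schedule_notifications(SAMPLE_CHANGES):
        kind = "URGENT" if n.urgent else "normal"
        print(f"t={n.sent_at:>3}s {kind}: {len(n.changes)} change(s)")
```

With the default delay the three edits to Alice become one notification at t=15, Bob's lockout goes out at t=5 without waiting, and the later edit opens a new window; with delay=0 the same log produces one notification per change, which is the traffic the delay exists to avoid.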
> Which FSMO role directly impacts the consistency of Group Policy ?
PDC Emulator.
> I want to promote a new additional Domain Controller in an existing domain. Which groups should I be a member of ?
You should be a member of the Enterprise Admins group or the Domain Admins group. Also you should be a member of the local Administrators group of the member server which you are going to promote as an additional Domain Controller.
> Tell me the easiest way to check all 5 FSMO roles ?
Use the netdom query /domain:YourDomain fsmo command. It will list the domain controllers holding all the FSMO roles.
>What is Realm trust ?
Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an Active Directory domain.
> Name a few Active Directory Built-in groups
SID: S-1-5-32-544 - Name: Administrators - Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.
SID: S-1-5-32-548 - Name: Account Operators - Description: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
SID: S-1-5-32-549 - Name: Server Operators - Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
SID: S-1-5-32-550 - Name: Print Operators - Description: A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
SID: S-1-5-32-551 - Name: Backup Operators - Description: A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
In a domain environment these groups are present, and are used for administrative purposes.
SID: S-1-5-21-<domain>-512 - Name: Domain Admins - Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
SID: S-1-5-21-<root domain>-518 - Name: Schema Admins - Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
SID: S-1-5-21-<root domain>-519 - Name: Enterprise Admins - Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
SID: S-1-5-21-<domain>-520 - Name: Group Policy Creator Owners - Description: A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
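The SIDs listed above follow a fixed structure: S-<revision>-<authority>-<sub-authorities>, where sub-authority 32 marks the BUILTIN domain and 21 followed by three values identifies a specific domain, with the last value (the RID) naming the group. The Python below is an added example written for this page, not a Microsoft API: it parses SID strings, tells built-in from domain-relative groups, and, given the list of group SIDs from a logon token or event log, reports which of the privileged groups above are present. It also flags a RID that should only exist in the forest root domain (518 Schema Admins, 519 Enterprise Admins) when it appears under another domain's SID, since that does not occur in a healthy forest. The domain SID values in the usage section are constructed.

```python
import re
from typing import List, Optional, Tuple

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# RIDs of the groups listed above; 32 is the BUILTIN domain, 21 prefixes every
# real domain SID
BUILTIN_RIDS = {544: "Administrators", 548: "Account Operators",
                549: "Server Operators", 550: "Print Operators",
                551: "Backup Operators"}
DOMAIN_RIDS = {512: "Domain Admins", 518: "Schema Admins",
               519: "Enterprise Admins", 520: "Group Policy Creator Owners"}
FOREST_ONLY_RIDS = {518, 519}   # exist only in the forest root domain


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-1-5-21-...' into (revision, identifier authority, sub-authorities)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return int(m.group(1)), int(m.group(2)), subs


def classify(sid: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (kind, domain_sid, well_known_name).
    kind is 'builtin' (S-1-5-32-RID), 'domain' (S-1-5-21-x-y-z-RID) or 'other'."""
    rev, auth, subs = parse_sid(sid)
    if rev != 1 or auth != 5:
        return "other", None, None
    if len(subs) == 2 and subs[0] == 32:
        return "builtin", None, BUILTIN_RIDS.get(subs[1])
    if len(subs) == 5 and subs[0] == 21:
        domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        return "domain", domain, DOMAIN_RIDS.get(subs[4])
    return "other", None, None


def privileged_memberships(token_sids: List[str], forest_root: str) -> List[str]:
    """Names of the privileged groups above found in a SID list (for example the
    group SIDs of a logon token), plus an ANOMALY entry when a forest-only RID
    shows up under a domain SID other than the forest root."""
    found: List[str] = []
    for sid in token_sids:
        kind, domain, name = classify(sid)
        if name is None:
            continue
        rid = parse_sid(sid)[2][-1]
        if kind == "domain" and rid in FOREST_ONLY_RIDS and domain != forest_root:
            found.append(f"ANOMALY: {name} RID in non-root domain {domain}")
        else:
            found.append(name)
    return found


# Constructed domain SIDs for the usage below (not real identifiers)
ROOT_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
CHILD_DOMAIN = "S-1-5-21-4000000001-500000002-600000003"

if __name__ == "__main__":
    token = [ROOT_DOMAIN + "-513", "S-1-5-32-551", CHILD_DOMAIN + "-512", ROOT_DOMAIN + "-519"]
    print(privileged_memberships(token, ROOT_DOMAIN))
```

Matching on the RID rather than on the group's display name is the robust choice for detection rules, because names can be localised or renamed while well-known RIDs cannot.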