Friday, March 11, 2022

All About Active Directory

 

ACTIVE DIRECTORY

 

Explain the Group Scopes in Windows 2003 AD

 

Group scope

Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes: universal, global, and domain local.

 

The following describes, for each group scope, which members the group can include, where it can be assigned permissions, and which scope it can be converted to.

Universal

·         Can include as members: accounts, global groups, and universal groups from any domain within the forest in which the universal group resides.

·         Can be assigned permissions in: any domain or forest.

·         Can be converted to: domain local; or global (as long as no other universal groups exist as members).

Global

·         Can include as members: accounts and global groups from the same domain as the parent global group.

·         Can be assigned permissions in: any domain.

·         Can be converted to: universal (as long as it is not a member of any other global groups).

Domain local

·         Can include as members: accounts, global groups, and universal groups from any domain; domain local groups only from the same domain as the parent domain local group.

·         Can be assigned permissions in: only the same domain as the parent domain local group.

·         Can be converted to: universal (as long as no other domain local groups exist as members).
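The scope rules above written out as checks, as an added example that is not code from the original page: `can_add_member` applies the "can include as members" rules, `can_convert` the "can be converted to" rules, and `demo()` exercises both against a constructed two-domain forest (the forest, domain, group and account names are invented for the example).

```python
from dataclasses import dataclass, field
from typing import List, Union

# Added illustration: the group-scope rules encoded as checks. Domain and
# forest names used in demo() are constructed for the example.
UNIVERSAL, GLOBAL, DOMAIN_LOCAL = "universal", "global", "domain local"


@dataclass
class Account:
    name: str
    domain: str
    forest: str


@dataclass
class Group:
    name: str
    scope: str
    domain: str
    forest: str
    members: list = field(default_factory=list)


Principal = Union[Account, Group]


def can_add_member(group: Group, member: Principal) -> bool:
    """Return True if `member` may be nested in `group` under the scope rules."""
    same_forest = member.forest == group.forest
    same_domain = same_forest and member.domain == group.domain
    if isinstance(member, Account):
        if group.scope == GLOBAL:
            return same_domain      # accounts from the same domain only
        if group.scope == UNIVERSAL:
            return same_forest      # accounts from any domain in the forest
        return True                 # domain local: accounts from any domain
    if group.scope == UNIVERSAL:    # global and universal groups from the forest
        return same_forest and member.scope in (GLOBAL, UNIVERSAL)
    if group.scope == GLOBAL:       # only global groups from the same domain
        return same_domain and member.scope == GLOBAL
    if member.scope == DOMAIN_LOCAL:  # domain local nests domain local only locally
        return same_domain
    return True                     # global or universal groups from any domain


def add_member(group: Group, member: Principal) -> bool:
    """Nest `member` in `group` if allowed; return whether it happened."""
    if not can_add_member(group, member):
        return False
    group.members.append(member)
    return True


def can_convert(group: Group, new_scope: str, all_groups: List[Group]) -> bool:
    """Return True if `group` may be converted to `new_scope` under the rules."""
    nested = {m.scope for m in group.members if isinstance(m, Group)}
    if group.scope == UNIVERSAL:
        if new_scope == DOMAIN_LOCAL:
            return True
        return new_scope == GLOBAL and UNIVERSAL not in nested
    if group.scope == GLOBAL and new_scope == UNIVERSAL:
        # blocked while any global group lists this group as a member
        return not any(g.scope == GLOBAL and group in g.members for g in all_groups)
    if group.scope == DOMAIN_LOCAL and new_scope == UNIVERSAL:
        return DOMAIN_LOCAL not in nested
    return False


def demo() -> dict:
    forest = "corp.example"                             # constructed forest
    hq, sales = "corp.example", "sales.corp.example"    # constructed domains
    alice = Account("alice", hq, forest)
    bob = Account("bob", sales, forest)
    hq_staff = Group("HQ-Staff", GLOBAL, hq, forest)
    hq_leads = Group("HQ-Leads", GLOBAL, hq, forest)
    sales_staff = Group("Sales-Staff", GLOBAL, sales, forest)
    all_staff = Group("All-Staff", UNIVERSAL, hq, forest)
    fs_readers = Group("FS-Readers", DOMAIN_LOCAL, sales, forest)
    fs_admins = Group("FS-Admins", DOMAIN_LOCAL, sales, forest)
    groups = [hq_staff, hq_leads, sales_staff, all_staff, fs_readers, fs_admins]
    return {
        "account_same_domain_in_global": add_member(hq_staff, alice),
        "account_other_domain_in_global": add_member(hq_staff, bob),
        "global_in_global_same_domain": add_member(hq_staff, hq_leads),
        "globals_in_universal": add_member(all_staff, hq_staff) and add_member(all_staff, sales_staff),
        "universal_in_domain_local": add_member(fs_readers, all_staff),
        "domain_local_in_domain_local": add_member(fs_readers, fs_admins),
        "domain_local_in_global": add_member(hq_staff, fs_readers),
        "universal_to_global": can_convert(all_staff, GLOBAL, groups),
        "global_to_universal_free": can_convert(hq_staff, UNIVERSAL, groups),
        "global_to_universal_nested": can_convert(hq_leads, UNIVERSAL, groups),
        "domain_local_to_universal": can_convert(fs_readers, UNIVERSAL, groups),
        "domain_local_to_universal_clean": can_convert(fs_admins, UNIVERSAL, groups),
    }
```

Run `demo()` to see which nestings and conversions the rules allow: the account from the other domain is refused by the global group, the domain local group that already nests another domain local group cannot become universal, and the global group that is itself nested in a global group cannot become universal.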

 

 

Explain the Types of AD Groups that can be created in Windows 2003 AD

 

Group types

 

Groups are used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration.

 

There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources.

 

Distribution groups: Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists (DACLs). If you need a group for controlling access to shared resources, create a security group.

 

Security groups: Used with care, security groups provide an efficient way to assign access to resources on your network. Using security groups, you can assign user rights to security groups in Active Directory and assign permissions to security groups on resources.

 

I am trying to create a new universal user group. Why can’t I?

 

Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

 

What is a Creator Owner Account in Windows?

 

Creator Owner includes the user account for a user who created or took ownership of a resource. If a member of the Administrators group creates a resource, the Administrators group is the owner of the resource. This group is created for each sharable resource on Windows 2000 Server or Professional. It is a placeholder in an inheritable access control entry (ACE): when the ACE is inherited, the system replaces this SID with the SID for the object's creator.

 

What is the difference between Enterprise Admins & Domain Admins account in Active Directory?

 

The Domain Admins group is only available on Windows 2000/2003 servers acting as Domain Controllers. Its members are allowed administrative privileges for the entire domain. By default, this group has the local Administrator account on the Domain Controller as its member.

 

Enterprise Admins Group exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native-mode, a global group if the domain is in mixed-mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, providing complete access to the configuration of all domain controllers. This group can modify the membership of all administrative groups. Its own membership can be modified only by the default service administrator groups in the root domain. This account is considered a service administrator.

 

What are the differences between Group Policy, Registry-based policy, and Security policy?

 

Group Policy is an infrastructure in which IT administrators can implement standard computing environments for groups of users and computers; it includes both Registry-based policy and Security Policy. Registry-based policy is one of the many features of Group Policy that uses Administrative Templates to modify the registry settings for policy-enabled components included in Windows. Security Policy, another feature delivered by Group Policy, includes a variety of security-related settings for Microsoft Windows.

 

Is there a maximum number of Group Policy objects that I can store in a domain?

 

Creating a Group Policy object will create a Group Policy container object, stored in Active Directory, and a Group Policy template, stored on the Sysvol of the domain controller. Both are limited only to the amount of free disk space.

 

What is the maximum number of Group Policy objects a user or computer can process?

 

A user or computer cannot process more than 999 Group Policy objects. Windows Vista writes a Windows-Group Policy error event with an event ID of 1088 to the system event log when a user or computer attempts to process more than 999 Group Policy objects.

 

Can I apply a Group Policy object directly to a security group?

 

You cannot apply a Group Policy object directly to a security group. However, you can use security filtering to refine which users or computers will receive and apply Group Policy settings. The Group Policy Management Console (GPMC) is the tool to manage security filtering. For more information about security filtering, see the Core Group Policy Technical Reference.

 

Explain GPMC & RSoP in Windows 2003.

 

GPMC is the tool used for managing group policies. It displays information such as how many policies are applied, which OUs the policies are linked to, what settings are enabled in each policy, which users are affected by these policies, and who is managing them.

 

RSoP provides details about all policy settings that are configured by an Administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation.

When policies are applied on multiple levels (for example, site, domain, domain controller, and organizational unit), the results can conflict. RSoP can help you determine a set of applied policies and their precedence (the order in which policies are applied).

 

What is the difference between Assign and Publish Application through GPO?

 

Software Installation (SI) Policy is designed to allow you to deploy (Assign / Publish) Windows Installer packages (.msi files) to users and computers within an AD domain. SI Policy supports two types of installation methods:

 

Publishing: Publishing is only available per-user and provides you with a way of publishing applications to the Add/Remove Programs control panel. Users can then optionally install an application from there.

 

Assignment: Assignment is available per-user or per-computer. Per-computer assignment lets you deploy an application to a computer--that application is automatically installed at the next computer restart. Per-user assignment lets you deploy an application at user logon. If you choose the Install-on-first-use option (available in Win2K and Win2K3/XP), then the full application is not installed, but rather only shortcuts and file extensions that are registered by that application. When the user clicks on one of these registered "entry-points" the application is installed at that time--hence the term "install-on-first-use". In Win2K3 and XP, you have the option of installing the full application at user logon time, which takes longer but ensures that the application is fully ready when the user's desktop appears.

 

Explain the Loopback Processing feature of Group Policy

 

Loopback processing is a feature that allows a more precise level of control over user policy settings for a targeted machine. Usually, user policy settings are derived entirely from the GPOs associated with the user account (based on its location in the Active Directory). With loopback processing, however, the user policy settings in the GPOs associated with the machine are applied.

 

A common use of loopback is on Terminal Services machines. In this scenario, it is common for the Group Policy administrator to set specific user policy settings for the server to ensure that all users using the machine receive a defined set of user policy settings.

 

Two mode options are available when applying loopback processing:

·         Replace Mode: The user policy is defined entirely from the GPOs associated with the machine. Any GPOs associated with the user are ignored.

·         Merge Mode: The user policy settings applied are the combination of those included in both the machine and user GPOs. Where conflicts exist, the machine GPOs "win".

 

Loopback Setting Technical Details:

In order to define the Loopback Processing setting, the following steps should be followed.

1.       Open the Group Policy Object editor (gpedit.msc). See Create/Edit GPOs for details.

2.       Expand the Computer Configuration node. Under Computer Configuration, expand the Administrative Templates node.

3.       Within the Administrative Templates node, expand the System node, and then the Group Policy node.

4.       Locate the setting "User Group Policy loopback processing mode". Double-click this setting, and define the setting as needed.

 

When the loopback setting is enabled on a machine (either via local policy or domain policy), the behavior of group policy application changes in one of two ways, depending on the selected mode. It should be noted that while the setting affects the behavior of application of user policies, the setting itself is applied to the machine the user logs on to.
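The two loopback modes as a small model, added here as an example and not code from the original page: `effective_user_settings` resolves the user-side settings a logon receives with loopback disabled, in Merge mode and in Replace mode. The GPO names and setting names are constructed; a GPO later in a list wins a conflicting setting, which is how the machine's GPOs "win" in Merge mode.

```python
# Added illustration: how loopback processing changes the user-side settings a
# logon receives. GPO names and setting names are constructed for the example.


def resolve(gpos):
    """Apply GPOs in processing order; a later GPO wins any conflicting setting."""
    effective = {}
    for gpo in gpos:
        effective.update(gpo["user_settings"])
    return effective


def effective_user_settings(user_gpos, computer_gpos, loopback=None):
    """
    user_gpos     - GPOs linked where the user object lives, in processing order
    computer_gpos - GPOs linked where the computer object lives, in processing order
    loopback      - None (not enabled), "merge" or "replace"
    Returns the user policy settings that apply to this logon.
    """
    if loopback is None:
        # Normal processing: user settings come only from the user's GPOs.
        return resolve(user_gpos)
    if loopback == "replace":
        # Only the user settings of the machine's GPOs apply; user GPOs are ignored.
        return resolve(computer_gpos)
    if loopback == "merge":
        # Both sets apply; the machine's GPOs are processed last and so "win".
        return resolve(user_gpos + computer_gpos)
    raise ValueError(f"unknown loopback mode: {loopback!r}")


# Constructed sample: a staff user logging on to a Terminal Services host.
USER_GPOS = [
    {"name": "Staff-Desktop",
     "user_settings": {"wallpaper": "corporate.jpg", "run_dialog": "allowed",
                       "drive_mapping": "H:"}},
]
COMPUTER_GPOS = [
    {"name": "TS-Lockdown",
     "user_settings": {"run_dialog": "disabled", "idle_logoff_minutes": 15}},
]


def demo():
    """Resolve the sample logon under each loopback mode."""
    return {
        mode: effective_user_settings(USER_GPOS, COMPUTER_GPOS, mode)
        for mode in (None, "merge", "replace")
    }
```

In the sample, Merge keeps the user's wallpaper and drive mapping but lets the Terminal Services lockdown disable the Run dialog, while Replace drops every setting that came from the user's own GPOs.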

 

What permissions are necessary for Group Policy to apply to a user or computer?

 

Group Policy can apply to any user or computer that has an access control entry granting both Read and Apply Group Policy on the GPO.

 

Where are group policies stored?

%SystemRoot%\System32\GroupPolicy

 

Where is GPT stored?

%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

 

What’s contained in administrative template conf.adm?

Microsoft NetMeeting policies

 

Explain the Enforce and Block Inheritance features available when managing GPO precedence.

 

Enforced: This was previously referred to in Win2K as "No Override". The Enforced flag is set on a GPO link using the GPMC. Essentially what it does is say, "If there are any conflicting policy settings on downstream GPOs (GPOs processed after the enforced GPO), those settings will always be overridden". How this works is that any GPO links that are marked as Enforced are moved to the bottom of the Group Policy processing list. This ensures that the enforced policy is always processed last, and thus "wins" over any downstream GPOs. Enforced GPOs will override Block Inheritance (described next).

 

Block Inheritance: The block inheritance flag is set on a container object--specifically either an OU or a domain. The purpose of Block Inheritance is to block upstream GPOs from being processed (except for GPOs set with the Enforced flag). For example, if I have two OUs--Marketing and East, and East is a child OU to Marketing, I can set the Block Inheritance flag on the East OU and any GPOs linked to Marketing will be blocked--and won't apply to users and computers in the East OU.
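The Enforced and Block Inheritance behaviour above as a processing-order calculation, added here as an example (not code from the original page): `processing_order` takes the chain of containers from the domain down to the object's OU, drops non-enforced links above a container that blocks inheritance, and moves enforced links to the bottom of the list. The container and GPO names reuse the Marketing/East scenario and are constructed; the tie-break among several enforced links (the link higher in the hierarchy is processed last) is standard Group Policy behaviour that this page does not state.

```python
# Added illustration: GPO processing order under Enforced links and Block
# Inheritance. Container and GPO names are constructed for the example; the
# ordering among several enforced links (higher in the hierarchy processed
# last) is standard Group Policy behaviour not stated on the page.


def processing_order(containers):
    """
    containers: the chain from the top of the hierarchy (site, then domain)
    down to the OU holding the user or computer. Each entry is a dict:
        {"name": str, "block_inheritance": bool,
         "links": [(gpo_name, enforced), ...]}   # lowest precedence first
    Returns GPO names in processing order; the last GPO wins conflicts.
    """
    # The deepest container with Block Inheritance cuts off every
    # non-enforced link linked above it; its own links still apply.
    blocked_above = max(
        (i for i, c in enumerate(containers) if c["block_inheritance"]),
        default=None,
    )
    normal, enforced = [], []
    for depth, container in enumerate(containers):
        for gpo, is_enforced in container["links"]:
            if is_enforced:
                enforced.append((depth, gpo))
            elif blocked_above is None or depth >= blocked_above:
                normal.append(gpo)
    # Enforced links go to the bottom of the list so they are processed last;
    # among them, the link higher in the hierarchy is processed last of all.
    enforced.sort(key=lambda entry: entry[0], reverse=True)
    return normal + [gpo for _, gpo in enforced]


def demo():
    """The Marketing/East scenario, with and without Block Inheritance on East."""
    domain = {"name": "corp.example", "block_inheritance": False,
              "links": [("Default Domain Policy", False)]}
    marketing = {"name": "OU=Marketing", "block_inheritance": False,
                 "links": [("Marketing-Baseline", False), ("Security-Baseline", True)]}
    east = {"name": "OU=East,OU=Marketing", "block_inheritance": True,
            "links": [("East-Desktop", False)]}
    east_open = dict(east, block_inheritance=False)
    return {
        "with_block": processing_order([domain, marketing, east]),
        "without_block": processing_order([domain, marketing, east_open]),
    }
```

With Block Inheritance set on East, the domain and Marketing links disappear except for the enforced Security-Baseline, which is still processed last and therefore still wins over East-Desktop.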

 

What is the significance of SYSVOL directory in AD?

 

The Windows Server 2003 System Volume (SYSVOL) is a shared directory that stores the server copy of the domain's public files, which are replicated among all domain controllers in the domain. SYSVOL is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain.

 

List out the important ports used in AD communications

 

88 - Kerberos

135 - Remote procedure call (RPC) endpoint mapper

53 - Domain Name System (DNS)

137 - NetBIOS name server

139 - NetBIOS session service

389 - LDAP query

445 - Server Message Block (SMB)

636 - Secure LDAP (LDAP over SSL)

3268 - GC LDAP

3269 - Secure GC (LDAP over SSL)

 

What is a site?

 

A site is a location on the physical network that contains AD servers. A site is defined as one or more well-connected Transmission Control Protocol/Internet Protocol (TCP/IP) subnets.

 

Differentiate between intra-site and inter-site replication.

Intra-site replication can be done between the domain controllers in the same site.

Inter-site replication can be done between two different sites over WAN links. Bridgehead servers (BHS) are responsible for initiating replication between the sites. Inter-site replication can be done between a BHS in one site and a BHS in another site.

 

What are lingering objects in AD

 

A lingering object is an object that is present on one replica, but on another replica it has been deleted and removed from the directory by the garbage collection process.

 

This condition can occur for a variety of reasons including:

·         Prolonged misconfigurations (such as those that cause event ID 1311 messages)

·         Prolonged errors in name resolution, authentication or the replication engine that block inbound replication.

·         Bringing a domain controller online after it has been offline for a period greater than the TombStone Lifetime (TSL).

·         Advancing system time or reducing TSL values in an attempt to accelerate garbage collection before end-to-end replication has taken place for all naming contexts in the forest.

 

Symptoms that you may have lingering objects:

·         Active Directory replication is prevented from occurring.

·         A user account that no longer exists still appears in the Global Address list for E-mail clients.

·         A universal group that no longer exists still appears in a user’s access token.

·         E-mail messages cannot be delivered due to duplicate e-mail address on two different user objects.

 

Regardless of the reason, a deleted object can remain on a domain controller in either of the following circumstances:

·         A domain controller goes offline immediately prior to the deletion of an object on another domain controller, and remains offline for a period that exceeds the tombstone lifetime.

·         A domain controller goes offline immediately following the deletion of an object on another domain controller but prior to receiving replication of the tombstone, and remains offline for a period that exceeds the tombstone lifetime.

 

What to do with a lingering object?

Determining what to do with a lingering object depends on whether or not it was intended.

Unintended: Use repadmin to delete the lingering object on a domain controller that is running Windows Server 2003.

Intended: Change the replication consistency on the inbound domain controller (DC). The object will be re-animated on this DC. See strict and loose replication consistency below.

 

Strict and loose replication consistency

 

If the attributes of a lingering object never change, the object is never considered for replication. However, if an attribute changes, the attribute is considered for outbound replication. The problem with an attribute update for a lingering object is that the receiving domain controller does not hold the object for the attribute being replicated. An update cannot be performed because the entire object does not exist on the receiving domain controller. What happens next depends on the replication consistency set on the domain controller.

 

Loose: When replication consistency is set to loose, the receiving domain controller detects that it does not have the object for the attribute that is being replicated. The inbound partner requests the entire object from the outbound partner, and reanimates the object on its copy of the directory. The same process repeats on all domain controllers that do not have a copy of the object. This mechanism can be used to cause lingering objects to “reanimate” across the entire forest. If a lingering object is discovered and its presence is intended, then perform any update to the object. As long as replication consistency is set to loose on all domain controllers, the object will be reanimated as it replicates around the forest. “Loose replication consistency” is the default for Windows 2000 domain controllers, with the exception of domain controllers that have the MS01-044 security rollup package installed. For more information about the MS01-044 security rollup package, see article 297860 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122508).

Strict: The default behavior for domain controllers that run Windows Server 2003 (and domain controllers that are upgraded from Windows NT 4.0) is to block inbound replication for each naming context when a domain controller receives an update to an object that it does not have. Replication is halted in the naming context for the object until the lingering object is removed or the replication mode is set to “loose.”

 

Storage for Consistency Setting

The setting for replication consistency is in the registry on each domain controller.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Entry name: Strict Replication Consistency

Data type: REG_DWORD

Values: 1 for enabled; 0 for disabled

Default: 1 (enabled)

Note

There was a post-SP2 hotfix (also included in the security rollup package from November 2001) that used a different registry value. A setting of 0 will not recreate the missing object (strict), and a setting of 1 will create the missing object. This value is only needed with the November version of the hotfix.

Value Name: Correct Missing Objects

Data type: REG_DWORD

Value data: 1

 

The repadmin /removelingeringobjects command does the following:

Designates an up-to-date domain controller as the authority. Compares the Active Directory database objects on the authoritative server with the objects that are on the suspected domain controller that contains the lingering objects.

With /advisory_mode, the subcommand logs the potential deletions to the Directory Service log.

Without /advisory_mode, the subcommand removes the lingering objects.

Syntax

Repadmin /removelingeringobjects <Dest_DC_LIST> <Source DC GUID> <NC> [/ADVISORY_MODE]

 

Parameters:

<Dest_DC_LIST>: The domain controller that is suspected to have lingering objects.

<Source DC GUID>: Source domain controller GUID used to compare with the suspected domain controller.

<NC>: Specifies the distinguished name of the directory partition.

/ADVISORY_MODE: Read-only mode.

 

Note

During lingering object removal, Event ID 1937 is logged to the Directory Service log. This information includes the source domain controller, the objects that are removed, and a total count of all the objects that are removed.

 

 

What is USN with reference to Active Directory?

 

Update Sequence Numbers (USNs): a USN is a 64-bit counter that is associated with each object. It increments each time a change is initiated, and the new value is then associated with the change. To view the USN of an object, use the following command at a command prompt:

REPADMIN /showmeta <object DN>

 

What is KCC?

 

The KCC is a built-in process that runs on all domain controllers. The KCC generates and maintains the replication topology for replication within sites and between sites.

The KCC has two major functions:

 

·         Configures replication connections (connection objects) between domain controllers. Each connection object defines incoming replication from a replication partner. Within a site, each KCC generates its own connections. For replication between sites, a single KCC per site generates all connections between sites.

·         Converts the connection objects that represent inbound replication to the local domain controller into the replication agreements that are actually used by the replication engine.

 

By default, the KCC reviews and makes modifications to the Active Directory replication topology every 15 minutes to ensure propagation of data, either directly or transitively, by creating and deleting connection objects as needed. The KCC recognizes changes that occur in the environment and ensures that domain controllers are not orphaned in the replication topology.

 

What are the protocols used by Active Directory for replication?

 

Active Directory uses remote procedure call (RPC) over Internet Protocol (IP) to transfer replication data between domain controllers. RPC over IP is used for both inter-site and intra-site replication. To keep data secure while in transit, RPC over IP replication uses both authentication (using the Kerberos V5 authentication protocol) and data encryption.

 

When a direct or reliable IP connection is not available, replication between sites can be configured to use the Simple Mail Transfer Protocol (SMTP). However, SMTP replication functionality is limited, and requires an enterprise certification authority (CA). SMTP can only be used to replicate the configuration, schema and application directory partitions, and does not support the replication of domain directory partitions.

 

Explain the Active Directory Partitions

 

In Active Directory, a directory partition is a portion of the directory namespace. Each directory partition contains a hierarchy (sub-tree) of directory objects in the directory tree. The same directory partition can be stored as copies (replicas) on many domain controllers, and the copies are updated through directory replication.

 

Every domain controller contains the following three directory partitions:

 

Configuration    Contains the Configuration container, which stores configuration objects for the entire forest in cn=configuration,dc=forestRootDomain. Updates to this container are replicated to all domain controllers in the forest. Configuration objects store information about sites, services, and directory partitions. You can view the contents of the Configuration container by using ADSI Edit.

 

Schema    Contains the Schema container, which stores class and attribute definitions for all existing and possible Active Directory objects in cn=schema,cn=configuration,dc=forestRootDomain. Updates to this container are replicated to all domain controllers in the forest. You can view the contents of the Schema container in the Active Directory Schema console.

 

Domain    Contains a <domain> container (for example, the Reskit.com container), which stores users, computers, groups, and other objects for a specific Windows 2000 domain (for example, the Reskit.com domain). Updates to the <domain> container are replicated to only domain controllers within the domain and to Global Catalog servers if the update is made to an attribute that is marked for replication to the Global Catalog. The <domain> container is displayed in the Active Directory Users and Computers console. The hierarchy of domain directory partitions can be viewed in the Active Directory Domains and Trusts console, where trust relationships between domains can be managed.

 

Application Partition    Windows 2003 AD comes with a new partition called the Application Partition. An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

 

What is the name of AD Database and what is the default location of AD Database?

 

NTDS.DIT—the main database file. Ntds.dit grows as the database fills with objects and attributes. The log files, however, have a fixed size of 10 megabytes (MB). Any changes made to the database are also made to the current log file and to the DIT file in the cache. Eventually the cache is flushed. If a computer failure occurs before the cache is flushed, ESE uses the log file to complete the update to the DIT file.

 

By default, the AD database is stored in <DRIVE>\WINNT\NTDS\NTDS.DIT. The log files for the directory database are stored in the same directory by default. Their purpose is to track the changes in the directory database, and they can grow to be quite large. Give all the room you can to the log files; for example, you can place the log files on different disk drives than the database file to reduce disk contention on a single drive.

 

EDB.LOG and EDBXXXXX.LOG—EDB.LOG is the current log file for AD. When a change is made to the database, it’s written to this file. When EDB.LOG becomes full of database transactions, it’s renamed to EDBXXXXX.LOG, where XXXXX starts at 00001 and continues to increment using hexadecimal notation. AD uses circular logging, which constantly deletes old log files. If you view the directory files at any time, you’ll notice the EDB.LOG file and at least one EDBXXXXX.LOG file.

 

EDB.CHK—Stores the database checkpoint, which identifies the point at which the database engine needs to replay the logs. This file is typically used during recovery and initialization.

 

RES1.LOG and RES2.LOG—Placeholders designed to reserve the last 20MB of disk space on the disk drive. Saving disk space gives the log files sufficient room to shut down gracefully if other disk space is consumed.

What are FSMO roles and brief them all.

 

Windows 2000/2003 Multi-Master Model

 

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.

 

For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

 

Windows 2000/2003 Single-Master Model

 

To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.

 

In a forest, there are five flexible single master operation (FSMO) roles that are assigned to one or more domain controllers. The five FSMO roles are:

·         Domain Naming Master

·         Schema Master

·         PDC Emulator

·         Infrastructure Master

·         RID Master

 

Schema Master:

The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

 

Domain naming master:

The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

 

Infrastructure Master:

When an object in one domain is referenced by another object in another domain, Active Directory represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

 

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

 

Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security Principal SID created in a domain.  Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
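The RID pool mechanism above as a small simulation, added here as an example and not code from the original page: a `RidMaster` hands out non-overlapping RID blocks from the domain's unallocated pool, each `DomainController` assigns RIDs from its own block, requests the next block when it drops below a threshold, and builds each SID as the domain SID plus the RID. The domain SID, pool size and threshold are constructed values for the example (real domains use different defaults); the point is that two DCs creating principals independently never produce the same SID.

```python
# Added illustration: RID pool allocation by the RID master and SID construction
# on the requesting DCs. The domain SID, pool size and threshold are
# constructed values for the example.


class RidMaster:
    def __init__(self, domain_sid, first_rid=1000, pool_size=100):
        self.domain_sid = domain_sid
        self.next_rid = first_rid       # start of the domain's unallocated RID pool
        self.pool_size = pool_size
        self.issued = []                # (dc_name, first_rid, last_rid) audit trail

    def allocate_pool(self, dc_name):
        """Hand the requesting DC a block of RIDs that no other DC will be given."""
        first, last = self.next_rid, self.next_rid + self.pool_size - 1
        self.next_rid = last + 1
        self.issued.append((dc_name, first, last))
        return first, last


class DomainController:
    def __init__(self, name, rid_master, threshold=20):
        self.name = name
        self.rid_master = rid_master
        self.threshold = threshold
        self.pool = []                  # RIDs this DC may still assign
        self.standby = None             # pool fetched early when running low
        self.principals = {}            # samAccountName -> SID

    def create_principal(self, sam_account_name):
        if not self.pool:
            if self.standby is None:    # first creation, or no standby pool yet
                self.standby = self.rid_master.allocate_pool(self.name)
            first, last = self.standby
            self.pool, self.standby = list(range(first, last + 1)), None
        rid = self.pool.pop(0)
        if len(self.pool) < self.threshold and self.standby is None:
            # Pool is running low: ask the RID master for the next block now,
            # so creation never has to wait for the master later.
            self.standby = self.rid_master.allocate_pool(self.name)
        sid = f"{self.rid_master.domain_sid}-{rid}"   # domain SID + relative ID
        self.principals[sam_account_name] = sid
        return sid


def demo():
    """Two DCs creating principals against one RID master (constructed domain SID)."""
    master = RidMaster("S-1-5-21-1111111111-2222222222-3333333333")
    dc1 = DomainController("DC1", master)
    dc2 = DomainController("DC2", master)
    sids = [dc1.create_principal(f"user{i}") for i in range(120)]
    sids += [dc2.create_principal(f"svc{i}") for i in range(30)]
    return {
        "sids": sids,
        "unique": len(set(sids)) == len(sids),
        "pools_issued": master.issued,
    }
```

In the sample run DC1 consumes its first block, fetches a second one in advance once it falls below the threshold, and DC2 receives a third, disjoint block, so all 150 SIDs are distinct even though the two DCs never coordinated with each other.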

 

PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, which ensures appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

 

In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

·         Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

·         Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

·         Account lockout is processed on the PDC emulator.

·         Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.

·         The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary once all workstations, member servers, and domain controllers running Windows NT 4.0 or earlier have been upgraded to Windows 2000/2003. The PDC emulator still performs the other functions described above in a Windows 2000/2003 environment.

At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

 

What is a Global Catalog?

 

The Global Catalog contains an index of all objects in the forest and a small, most commonly used subset (about 60 out of 1500) of their attributes. Most of the time this eliminates the need for a requester to search other domains in the forest (unless one of the non-typical attributes is being searched for). The set of attributes stored on each Global Catalog server can be modified with the Schema Management snap-in (by selecting the "Replicate this attribute to the Global Catalog" option for the chosen attributes of an object).

 

What is universal group membership cache in windows 2003?

 

Universal Group Membership caching prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller.

Information is stored locally once this option is enabled and a user attempts to log on for the first time.

 

The domain controller obtains the universal group membership for that user from a global catalog. Once the universal group membership information is obtained, it is cached on the domain controller for that site indefinitely and is periodically refreshed. The next time that user attempts to log on, the authenticating domain controller running Windows Server 2003 will obtain the universal group membership information from its local cache without the need to contact a global catalog. By default, the universal group membership information contained in the cache of each domain controller will be refreshed every 8 hours.

 

Can I place Global Catalog and Infrastructure Master Role on the same server? Justify your answer.

 

The Global Catalog should not be placed on the same server as the infrastructure master. The role of the infrastructure master is to update references from objects in its own domain to objects in other domains. It does this by comparing its data with that of a global catalog. If the infrastructure master finds that its data is outdated, it requests the update from the global catalog and then sends the updates to the other domain controllers in the domain. If both roles are on the same server, the infrastructure master would never find that its data is out of date, and so would never update the other domain controllers in the domain. It is, however, recommended to place the infrastructure master in the same site as a Global Catalog server.

 

Give the names of a few standard commands / tools from MS to troubleshoot AD related issues?

 

NSLOOKUP / DNSCMD – To troubleshoot DNS related issues with reference to AD

 

DSASTAT – This utility compares directory information on domain controllers or directory partitions, detecting and examining the differences among a user-defined scope of objects on two domain controllers. It retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class. DSASTAT determines whether domain controllers in a domain have a consistent and accurate image of their own domain.

 

DCDIAG - The Domain Controller Diagnostic (DCDIAG) utility allows you to analyze the current state of the domain controllers in a domain or forest. It automatically performs the analysis and reports any problems with a domain controller. DCDIAG consists of a set of tests that you can use to verify and report on the functional components of AD on the computer.

 

NTDSUTIL - The Directory Services Management utility (NTDSUTIL.EXE) is a command-line utility included in Windows that you can use to troubleshoot and repair AD. NTDSUTIL allows you to troubleshoot and maintain various internal components of AD. For example, you can manage the directory store or database and clean up orphaned data objects that were improperly removed.

You can also maintain the directory service database, prepare for new domain creations, manage the control of the FSMOs, purge metadata left behind by abandoned domain controllers (those removed from the forest without being uninstalled), and clean up objects and attributes of decommissioned or demoted servers.

 

NLTEST - You can test the status of secure channels and trust-relationship links using the Resource Kit's NLTEST command-line utility. You can run the NLTEST utility on the trusting domain controller to break and re-initialize a secure channel (for example, after the secure-channel password was last changed) and obtain information about an existing trust relationship. You can also use NLTEST to restart the discovery process for a new trusted domain controller.

 

REPADMIN - You can also use the Replication Administration (REPADMIN) utility to monitor and troubleshoot AD replication related issues.

 

What types of trust relationships are supported in Windows 2003

 

Trust types

Communication between domains occurs through trusts. Trusts are authentication pipelines that must be present in order for users in one domain to access resources in another domain. Two default trusts are created when using the Active Directory Installation Wizard. There are four other types of trusts that can be created using the New Trust Wizard or the Netdom command-line tool.

 

Default trusts

By default, two-way, transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain using the Active Directory Installation Wizard. The two default trust types are defined in the following table.

Trust type | Transitivity | Direction | Description
Parent and child | Transitive | Two-way | By default, when a new child domain is added to an existing domain tree, a new parent and child trust is established. Authentication requests made from subordinate domains flow upward through their parent to the trusting domain.
Tree-root | Transitive | Two-way | By default, when a new domain tree is created in an existing forest, a new tree-root trust is established.

 

Other trusts

Four other types of trusts can be created using the New Trust Wizard or the Netdom command-line tool: external, realm, forest, and shortcut trusts. These trusts are defined in the following table.

 

Trust type | Transitivity | Direction | Description
External | Non-transitive | One-way or two-way | Use external trusts to provide access to resources located in a Windows NT 4.0 domain or in a domain located in a separate forest that is not joined by a forest trust.
Realm | Transitive or non-transitive | One-way or two-way | Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2003 domain.
Forest | Transitive | One-way or two-way | Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests made in either forest can reach the other forest.
Shortcut | Transitive | One-way or two-way | Use shortcut trusts to improve user logon times between two domains within a Windows Server 2003 forest. This is useful when two domains are separated by two domain trees.

 

When creating external, shortcut, realm, or forest trusts, you have the option to create each side of the trust separately or both sides of a trust simultaneously.

 

If you choose to create each side of the trust separately, you will need to run the New Trust Wizard twice, once for each domain. When creating trusts using this method, you will need to supply the same trust password in each domain. As a security best practice, all trust passwords should be strong passwords. If you choose to create both sides of the trust simultaneously, you will need to run the New Trust Wizard only once; when you choose this option, a strong trust password is generated for you automatically.

 

Can we establish trust relationship between two forests? If so how?

 

In Windows 2000 it is not possible. In Windows 2003 it is possible.

 

Follow these steps to create a forest level trust relationship:

 

1. Open active directory domains and trusts from administrative tools.

 

2. In the console tree pane, select and right-click the domain node for the forest root for which you want to create a trust.

 

3. Select properties.

 

4. Select the trusts tab in the properties dialog box.

 

5. Click new trust and click next (skip the welcome screen).

 

6. On the trust name page, enter the dns name of the target domain for your trust (for our example, it is cogswellcogs.com) and click next.

 

7. Select forest trust on the trust type page and click next. (if the forest trust option is missing, you may have omitted one of the prerequisites. In that case, double-check the dns forwarders tab and the forest functional level of all the domains in both forests.)

 

8. Choose a direction for the trust relationship: two-way, one-way incoming or one-way outgoing.

Two-way: all users in both forests will be able to access all resources in both forests.

One-way incoming: all users in this forest will be able to access all resources in the other forest but not vice versa.

One-way outgoing: all users in the target forest will be able to access all resources in this forest but not vice versa.

After you’ve chosen, click next.

 

9. Resource access is still governed by permissions in the domain where the resource exists. The trust direction provides access to all resources where permissions allow access. Select the sides of the trust relationship: this domain only or both this domain and the target domain.

This domain only: creates the trust relationship in this domain only; an administrator on the other end will have to complete the other trust.

Both this domain and the target domain: requires sufficient access in the remote domain and will allow you to complete the trust setup.

 

10. Select the appropriate path, depending on the choices you made in the previous two steps.

 

If you chose two-way or one-way outgoing in step 8 and this domain only in step 9, you will need to select a trust authentication level. Domain-wide authentication will authenticate all users in the remote forest for all resources in the local forest. Choosing selective authentication will allow you to specify which users in the remote domain have access to local resources. Click next. Enter a password for the trust and click next.

 

If you chose one-way incoming in step 8 and this domain only in step 9, enter the password for the trust in the trust password and confirm password boxes. Click next.

 

If you selected both domains (this domain and the selected domain) in step 9, a username and password box will appear to allow you to enter the username and password of an administrator account in the target forest. Click next.

 

11. On the next screen, verify all of your selections. When you click next, the wizard creates the trust. Verify the settings of the new trust.

 

12. Confirm the outgoing trust. Select yes if you created both sides of the trust; select no if you did not.

 

13. Click finish in the creating the trust wizard.

The new trust will appear on the trusts tab in the properties dialog box for the domain.

Now you know how to create forest trusts, which can save your organization administration time and effort when improving collaboration on projects or with business partners.

 

Is it possible to do implicit transitive forest to forest trust relationship in windows 2003?

 

Implicit transitive trusts are not possible between forests in Windows 2003. Between forests we can create an explicit trust of one of the following kinds:

Two-way trust

One-way: incoming

One-way: outgoing

 

What are “Lingering Objects” in Active Directory?

When restoring a backup file, Active Directory generally requires that the backup file be no more than 60 days old. (The limit is 180 days if the AD forest was originally created with Windows Server 2003 or Windows Server 2008.) If you attempt to restore a backup that has expired, you may encounter problems due to "lingering objects".

What Are Lingering Objects?

When you restore AD from an expired backup, a lingering object is a deleted AD object that re-appears ("lingers") on the restored domain controller (DC) in its local copy of Active Directory. This can happen if, after the backup was made, the object was deleted on another DC more than 60 (or 180) days ago.

When a DC deletes an object it replaces the object with a tombstone object. The tombstone object is a placeholder that represents the deleted object. When replication occurs, the tombstone object is transmitted to the other DCs, which causes them to delete the AD object as well.

Tombstone objects are kept for 60 (or 180) days, after which they are garbage-collected and removed.

If a DC is restored from a backup that contains an object deleted elsewhere, the object will re-appear on the restored DC. Because the tombstone object on the other DCs has been removed, the restored DC will not receive the tombstone object (via replication), and so it will never be notified of the deletion. The deleted object will “linger” in the restored local copy of Active Directory.
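
The sequence just described, as an added simulation that is not part of the original article: two DCs, a tombstone lifetime, a backup taken before a deletion, and a restore after the tombstone has been garbage-collected. The DC names, object names, day numbers and the strict/lax replication behaviour are constructed sample values and a deliberately simplified replication model.

```python
"""Added example: a small simulation of how a lingering object appears when
a DC is restored from a backup older than the tombstone lifetime. DC names,
object names and day numbers are constructed; replication is simplified."""
import copy
from dataclasses import dataclass, field

TOMBSTONE_LIFETIME_DAYS = 60  # the 60-day default named in the text


@dataclass
class DomainController:
    name: str
    live: dict = field(default_factory=dict)        # object -> day created
    tombstones: dict = field(default_factory=dict)  # object -> day deleted

    def delete(self, obj: str, today: int) -> None:
        """Deleting an object replaces it with a tombstone placeholder."""
        self.live.pop(obj, None)
        self.tombstones[obj] = today

    def garbage_collect(self, today: int) -> list:
        """Tombstones older than the tombstone lifetime are removed."""
        expired = [o for o, d in self.tombstones.items()
                   if today - d > TOMBSTONE_LIFETIME_DAYS]
        for o in expired:
            del self.tombstones[o]
        return expired

    def replicate_from(self, partner, today: int, strict: bool = True) -> list:
        """Inbound replication from partner. Partner tombstones delete our
        live copy. Objects the partner has and we do not are either recent
        creations (accepted) or suspected lingering objects, which strict
        replication consistency rejects and lax consistency reintroduces."""
        rejected = []
        for obj, day in partner.tombstones.items():
            self.live.pop(obj, None)
            self.tombstones.setdefault(obj, day)
        for obj, created in partner.live.items():
            if obj in self.live or obj in self.tombstones:
                continue
            if today - created <= TOMBSTONE_LIFETIME_DAYS:
                self.live[obj] = created          # a genuinely new object
            elif strict:
                rejected.append(obj)              # refuse the stale object
            else:
                self.live[obj] = created          # lingering object spreads
        return rejected


def lingering_object_scenario(restore_day: int, strict: bool = True) -> dict:
    """Two DCs start in sync on day 0; DC2 is backed up on day 0; cn=bob is
    deleted on DC1 on day 5; DC2 is restored from that backup on restore_day.
    Returns whether bob lingers on DC2 and whether DC1 takes it back."""
    dc1 = DomainController("DC1", live={"cn=alice": 0, "cn=bob": 0})
    dc2 = DomainController("DC2", live={"cn=alice": 0, "cn=bob": 0})
    backup_of_dc2 = copy.deepcopy(dc2)           # day-0 system state backup
    dc1.delete("cn=bob", today=5)
    dc2.replicate_from(dc1, today=5)             # DC2 learns of the deletion
    for dc in (dc1, dc2):                        # garbage collection runs
        dc.garbage_collect(restore_day)
    dc2 = copy.deepcopy(backup_of_dc2)           # restore DC2 from old backup
    dc2.replicate_from(dc1, today=restore_day)   # no tombstone left to receive
    rejected = dc1.replicate_from(dc2, today=restore_day, strict=strict)
    return {"lingering_on_dc2": "cn=bob" in dc2.live,
            "reintroduced_on_dc1": "cn=bob" in dc1.live,
            "rejected_by_dc1": rejected}


if __name__ == "__main__":
    print("restore on day 30 :", lingering_object_scenario(30))
    print("restore on day 100:", lingering_object_scenario(100))
    print("day 100, lax      :", lingering_object_scenario(100, strict=False))
```

With a restore on day 30 the tombstone still exists and replication cleans the restored DC; on day 100 the object lingers, and only strict replication consistency stops it from spreading back to DC1.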

How to Remove Lingering Objects?

repadmin /removelingeringobjects

For more information please refer to http://support.microsoft.com/kb/870695

NETWORK SERVICES

 

Why do you have to point my domain controller to itself for DNS?

 

The Netlogon service on the domain controller registers a number of records in DNS that enable other domain controllers and computers to find Active Directory-related information. If the domain controller is pointing to the Internet service provider's (ISP) DNS server, Netlogon does not register the correct records for Active Directory, and errors are generated in Event Viewer. In Windows Server 2003, the recommended DNS configuration is to configure the DNS client settings on all DNS servers to use themselves as their own primary DNS server, and to use a different domain controller in the same domain as their alternative DNS server, preferably another domain controller in the same site. This process also works around the DNS "Island" problem in Windows 2000. You must always configure the DNS client settings on each domain controller's network interface to use the alternative DNS server addresses in addition to the primary DNS server address.

 

What records does a domain controller register in DNS?

 

The Netlogon service registers all the SRV records for that domain controller. These records are displayed as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name. Other computers look for these records to find Active Directory-related information.

 

What is the "." zone in my forward lookup zone?

 

This setting designates the Windows 2000 or Windows Server 2003 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.

 

Why can't I use WINS for name resolution like it is used in Microsoft Windows NT 4.0?

 

A Windows 2000 or Windows Server 2003 domain controller does not register Active Directory-related information with a WINS server; it only registers this information with a DNS server that supports dynamic updates such as a Windows 2000 or Windows Server 2003 DNS server. Other Windows 2000-based and Windows Server 2003-based computers do not query WINS to find Active Directory-related information.

 

Explain few important types of DNS Records

 

A (address) maps a host name to an IP address. When a computer has multiple adapter cards or IP addresses, or both, it should have multiple address records.

CNAME (canonical name) sets an alias for a host name. For example, using this record, zeta.microsoft.com can have an alias of www.microsoft.com.

MX (mail exchange) specifies a mail exchange server for the domain, which allows mail to be delivered to the correct mail servers in the domain.

NS (name server) specifies a name server for the domain, which allows DNS lookups within various zones. Each primary and secondary name server should be declared through this record.

PTR (pointer) creates a pointer that maps an IP address to a host name for reverse lookups.

SOA (start of authority) declares the host that is the most authoritative for the zone and, as such, is the best source of DNS information for the zone. Each zone file must have an SOA record (which is created automatically when you add a zone).

 

12/03/2021 - Uploaded

 

What's the DNS _msdcs zone for the forest root domain used for?

 

Active Directory (AD) uses DNS as its locator service to support the various types of services that AD offers, such as Global Catalog (GC), Kerberos, and Lightweight Directory Access Protocol (LDAP). Other non-Microsoft services can be advertised in the DNS, including--but not restricted to--non-Microsoft implementations of LDAP and GC. However, sometimes clients might need to contact a Microsoft-hosted service. For that reason, each domain in DNS has an _msdcs subdomain that hosts only DNS SRV records that are registered by Microsoft-based services. The Netlogon process dynamically creates these records on each domain controller (DC). The _msdcs subdomain also includes the globally unique identifier (GUID) for all domains in the forest and a list of GC servers.

 

If you install a new forest on a system that runs Windows Server 2003 and let the Dcpromo wizard configure DNS, Dcpromo will actually create a separate zone called _msdcs.<forest name> on the DNS server. This zone is configured to store its records in a forest-wide application directory partition, ForestDNSZones, which is replicated to every DC in the forest that runs the DNS service. This replication makes the zone highly available anywhere in the forest.

 

 

What are SRV records and why they are important for proper functioning of Active Directory?

 

Windows 200X Active Directory (AD) uses the service-location mechanism that the Internet Engineering Task Force (IETF) Request for Comments (RFC) 2782 specifies. This RFC shows how clients can use DNS SRV records to locate network services on the network.

 

The SRV records of a domain controller play an important role in Active Directory. Active Directory cannot work without a DNS server. The DNS server in Active Directory is used to locate domain controllers in the forest or domain with the help of SRV records. Service records, or SRV records, are registered specifically for domain controllers when you promote a member server to a domain controller. The Netlogon service on the domain controller is responsible for registering the SRV records.

So now you understand that Windows 200x domains rely heavily on DNS entries. Let us see some of the important SRV records created by Netlogon service for a DC.

 

_ldap._tcp.<DNSDomainName>

Enables a client to locate a W2K domain controller in the domain named by <DNSDomainName>. A client searching for a domain controller in the domain dpetri.net would query the DNS server for _ldap._tcp.dpetri.net.

 

_ldap._tcp.<SiteName>._sites.<DNSDomainName>

Enables a client to find a W2K domain controller in the domain and site specified (e.g., _ldap._tcp.lab._sites.dpetri.net for a domain controller in the Lab site of dpetri.net).

 

_ldap._tcp.pdc._msdcs.<DNSDomainName>

Enables a client to find the PDC flexible single master operation (FSMO) role holder of a mixed-mode domain. Only the PDC of the domain registers this record.

 

_ldap._tcp.gc._msdcs.<DNSTreeName>

Enables a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the tree will register this name. If a server ceases to be a GC server, the server will deregister the record.

 

_ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSTreeName>

Enables a client to find a GC server in the specified site (e.g., _ldap._tcp.lab._sites.gc._msdcs.dpetri.net).

 

_ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>

Enables a client to find a domain controller in a domain based on the domain's globally unique ID. A GUID is a 128-bit (16-byte) number that is generated automatically for referencing Active Directory objects.

 

<DNSDomainName>

Enables a client to find a domain controller through a normal Host record.

After running DCPROMO, a text file containing the appropriate DNS resource records for the domain controller is created. The file, called Netlogon.dns, is created in the %systemroot%\System32\config folder and contains all the records needed to register the resource records of the domain controller. Netlogon.dns is used by the Windows 2000 NetLogon service and to support Active Directory on non-Windows 2000 DNS servers.

 

Explain the structure of an SRV record

 

Defined in RFC 2782. The SRV RR identifies the host(s) that will support particular services. The MX RR is a specialised example of service discovery, while the SRV RR is a general purpose RR to discover any service. The SRV RR allows control over prioritisation of delivery and usage. It is not widely supported except notably by OpenLDAP and increasingly by VoIP systems in conjunction with the NAPTR RR. Ugly format may not be helping!

The theory behind SRV is that given a domain name, for instance example.com, and a service name, for example web (http), which runs on a protocol (tcp in the web case), a DNS query may be issued to find the host name that provides such a service for the domain - and which may, or may not, be within the domain - see example 2 below.

SRV Syntax

srvce.prot.name          ttl  class rr  pri  weight port target
_http._tcp.example.com.       IN    SRV 0    5      80   www.example.com.

Field

Description

srvce

Defines the symbolic service name (see IANA port-numbers) prepended with a '_' (underscore). Case insensitive. Common values are:

  • _http - web service
  • _ftp - file transfer service
  • _ldap - LDAP service
  • _imap - IMAP mail service
  • _PKIXREP - PKIX Repository (X.509 certificates)

prot

Defines the protocol name (see IANA service-names) prepended with a '_' (underscore). Case insensitive. Common values are

  • _tcp - TCP protocol
  • _udp - UDP protocol

Notes: Use of SRV in PKIX (X.509) handling. RFC 4210 defines service names of certificates, crls, pgpkeys, pgprevokations, all with a protocol of tcp, to indicate the use of the CMP protocol over HTTP/HTTPS. Thus a certificate store supporting CMP may be discovered for the domain example.com by a query for _certificates._tcp.example.com. In a slightly bizarre variation, RFC 4386 (INFORMATIONAL status) also defines the use of the _PKIXREP service for discovery of X.509 certificate repositories and other PKIX services; its protocol field contains what other users of SRV define as the service name. Thus for the service name _PKIXREP the protocol values would be:

  • _ldap - The certificate repository server uses LDAP
  • _http - The certificate repository server uses HTTP
  • _ocsp - The server provides an Online Certificate Status Protocol service

One assumes that additional values such as _cmp, _svcp or _crl (X.509/PKIX protocols) could also be used to describe alternative PKIX services even though these are not mentioned in RFC 4386. Finally, OCSP (RFC 2560) suggests the service can run over many transport protocols such as LDAP, HTTP or SMTP, and thus the SRV definition proposed for the _PKIXREP service would not contain enough information - because it does not differentiate between a number of possible transports - to allow true service discovery. Altogether a strange RFC.

name

Incomprehensible description in RFC 2782. This RR obeys the normal name rules, such that leaving the entry blank (without a dot) will substitute the current zone root (or the current $ORIGIN), or you can explicitly add it as in the above _http._tcp.example.com. (with a dot).

ttl

Optional. Standard TTL parameter.

class

Optional. Standard CLASS parameter. Normally IN for Internet class.

pri

The relative priority of this service (range 0 - 65535). Lowest is highest priority; usage is the same as the MX pref field.

weight

Used when more than one service has the same priority. A 16 bit unsigned integer in the range 0 - 65535. The value 0 indicates no weighting should be applied. If the weight is 1 or greater it is a relative number in which the highest is most frequently delivered, that is, given two SRV records both with Priority = 0, one with weight = 1 the other weight = 6, the one with weight 6 will have its RR delivered first 6 times out of 7 by the name server.

port

Normally the port number assigned to the symbolic service but this is not a requirement, for instance, it is permissible to define a _http service with a port number of 8100 rather than the more normal port 80.

target

The name of the host that will provide this service. Does not have to be in the same zone (domain). May be just a host name or a FQDN.
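
To tie the field table above to the Netlogon records listed earlier, the following is an added example (not code from the original article or from any Microsoft tool): it parses zone-file style SRV lines and applies the RFC 2782 priority/weight selection. The dpetri.net records are constructed sample data in the shape Netlogon registers for domain controllers (LDAP on TCP 389); the weights 1 and 6 mirror the text's own example.

```python
"""Added example: parse SRV records and apply RFC 2782 priority/weight
selection. The zone fragment is constructed sample data."""
import random
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction

# Constructed zone fragment: three DCs, dc3 in a lower priority (higher number)
# so it is used only if the priority-0 DCs are unavailable; plus one
# site-specific record of the _ldap._tcp.<SiteName>._sites form.
ZONE = """
_ldap._tcp.dpetri.net. 600 IN SRV 0 1   389 dc1.dpetri.net.
_ldap._tcp.dpetri.net. 600 IN SRV 0 6   389 dc2.dpetri.net.
_ldap._tcp.dpetri.net. 600 IN SRV 10 100 389 dc3.dpetri.net.
_ldap._tcp.lab._sites.dpetri.net. 600 IN SRV 0 100 389 dc2.dpetri.net.
"""


@dataclass(frozen=True)
class SRV:
    owner: str      # _service._proto.name
    ttl: int
    priority: int   # lower value is tried first
    weight: int     # relative share within the same priority
    port: int
    target: str


def parse_srv(text: str) -> list:
    """Parse lines of the form: owner ttl class SRV pri weight port target."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
            continue                       # skip blanks and non-SRV lines
        owner, ttl, _, _, pri, weight, port, target = fields
        records.append(SRV(owner.lower(), int(ttl), int(pri), int(weight),
                           int(port), target.lower()))
    return records


def lookup(records, service: str, proto: str, name: str) -> list:
    """Return the SRV records for _service._proto.name (case-insensitive)."""
    owner = f"_{service}._{proto}.{name}".lower().rstrip(".") + "."
    return [r for r in records if r.owner == owner]


def rfc2782_order(records, seed: int = 0) -> list:
    """Targets in the order a client should try them: ascending priority, and
    within one priority a weighted random draw as RFC 2782 specifies
    (weight-0 records listed first, random integer in [0, sum] inclusive,
    first record whose running sum >= the draw wins, repeat without it)."""
    rng = random.Random(seed)              # seeded so runs are reproducible
    ordered = []
    for pri in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == pri),
                      key=lambda r: r.weight != 0)   # stable: zeros first
        while pool:
            draw = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= draw:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return [(r.target, r.port) for r in ordered]


def first_choice_shares(records) -> dict:
    """Exact share of first-try selections within the lowest priority, found
    by enumerating every equally likely draw. The text's intuition for weights
    6 and 1 is "6 times out of 7"; because RFC 2782 draws from the inclusive
    range [0, sum], the exact figures here are 6/8 and 2/8."""
    counts = Counter()
    lowest = min(r.priority for r in records)
    pool = sorted((r for r in records if r.priority == lowest),
                  key=lambda r: r.weight != 0)
    total = sum(r.weight for r in pool)
    for draw in range(total + 1):
        running = 0
        for r in pool:
            running += r.weight
            if running >= draw:
                counts[r.target] += 1
                break
    return {t: Fraction(c, total + 1) for t, c in counts.items()}


if __name__ == "__main__":
    recs = parse_srv(ZONE)
    dcs = lookup(recs, "ldap", "tcp", "dpetri.net")
    print("try order:", rfc2782_order(dcs, seed=7))
    print("first-choice shares:", first_choice_shares(dcs))
    print("site lab :", lookup(recs, "ldap", "tcp", "lab._sites.dpetri.net"))
```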

 

 

Explain the difference between Iterative and Recursive DNS queries

 

With a recursive name query, the DNS client requires that the DNS server respond to the client with either the requested resource record or an error message stating that the record or domain name does not exist. The DNS server cannot just refer the DNS client to a different DNS server.

 

Thus, if a DNS server does not have the requested information when it receives a recursive query, it queries other servers until it gets the information, or until the name query fails.

 

Recursive name queries are generally made by a DNS client to a DNS server, or by a DNS server that is configured to pass unresolved name queries to another DNS server, in the case of a DNS server configured to use a forwarder.

 

An iterative name query is one in which a DNS client allows the DNS server to return the best answer it can give based on its cache or zone data. If the queried DNS server does not have an exact match for the queried name, the best possible information it can return is a referral (that is, a pointer to a DNS server authoritative for a lower level of the domain namespace). The DNS client can then query the DNS server for which it obtained a referral. It continues this process until it locates a DNS server that is authoritative for the queried name, or until an error or time-out condition is met.

This process is sometimes referred to as "walking the tree," and this type of query is typically initiated by a DNS server that attempts to resolve a recursive name query for a DNS client.

 

What is the difference between a secondary zone and a stub zone?

 

A secondary zone is a read-only copy of the primary zone. A stub zone is a read-only copy of the primary zone that contains only the resource records that identify the DNS servers that are authoritative for a DNS domain name.

 

Explain Active Directory Integrated Zones?

 

DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication. This simplifies the process of deploying DNS and provides the following advantages:

 

Multiple masters are created for DNS replication. Therefore any domain controller in the domain running the DNS server service can write updates to the Active Directory–integrated zones for the domain name for which they are authoritative. A separate DNS zone transfer topology is not needed.

Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers update which names, and prevent unauthorized computers from overwriting existing names in DNS.

 

In Windows Server 2003, DNS can store Active Directory-integrated zone data in application directory partitions. The domain partition was the only Active Directory storage option in Windows 2000 Server, and it remains available in Windows Server 2003 DNS for backward compatibility. The following DNS-specific application directory partitions are created during Active Directory installation:

 

A forest-wide application directory partition, called ForestDnsZones.

Domain-wide application directory partitions for each domain in the forest, named DomainDnsZones.

 

 

What is a stub zone?

 

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

 

A stub zone consists of:

 

The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.

 

The IP address of one or more master servers that can be used to update the stub zone. The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

 

You can use stub zones to:

 

·         Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the Domain Name System (DNS) server that hosts both the parent zone and the stub zone maintains a current list of authoritative DNS servers for the child zone.

 

·         Improve name resolution. Stub zones enable a DNS server to perform recursion by using the stub zone's list of name servers, without needing to query the Internet or the internal root server for the DNS namespace.

 

·         Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not a valid alternative to secondary zones with regard to redundancy and load sharing.

 

When a DNS server loads a stub zone, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone. The list of master servers may contain a single server or multiple servers, and the list can be changed anytime.

 

 

Explain the ways of partitioning a DNS database / Explain Zone Delegation

A DNS database can be partitioned into multiple zones. A zone is a portion of the DNS database that contains the resource records with the owner names that belong to the contiguous portion of the DNS namespace. Zone files are maintained on DNS servers. A single DNS server can be configured to host zero, one or multiple zones.

Each zone is anchored at a specific domain name referred to as the zone’s root domain. A zone contains information about all names that end with the zone’s root domain name, except for names that have been delegated away to a child zone. A DNS server is considered authoritative for a name if it loads the zone containing that name. The first record in any zone file is a Start of Authority (SOA) RR. The SOA RR identifies the primary DNS name server for the zone as the best source of information for the data within that zone and as the entity that processes updates for the zone.

A name within a zone can also be delegated to a different zone that is hosted on a different DNS server. Delegation is a process of assigning responsibility for a portion of a DNS namespace to a DNS server owned by a separate entity. This separate entity could be another organization, department or workgroup within your company. Such delegation is represented by the NS resource record that specifies the delegated zone and the DNS name of the server authoritative for that zone. Delegating across multiple zones was part of the original design goal of DNS.

The primary reasons to delegate a DNS namespace include:

·         A need to delegate management of a DNS domain to a number of organizations or departments within an organization.

·         A need to distribute the load of maintaining one large DNS database among multiple DNS servers to improve the name resolution performance as well as create a DNS fault tolerant environment.

·         A need to allow for a host’s organizational affiliation by including them in appropriate domains.

The name server (NS) RRs facilitate delegation by identifying DNS servers for each zone and the NS RRs appear in all zones. Whenever a DNS server needs to cross a delegation in order to resolve a name, it will refer to the NS RRs for DNS servers in the target zone.
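The delegation described above, with the stub zone from the earlier answer sitting next to it, as an added example that is not part of the original page. It assumes the DnsServer PowerShell module (Windows Server 2012 and later); the zone names, host names and addresses are placeholders, and the Windows Server 2003 dnscmd equivalents are given in comments.

```powershell
# Added example: delegate sales.contoso.com out of contoso.com and give the
# parent-side server a stub zone for the child. Names and IPs are assumptions.
Import-Module DnsServer

$parentZone = 'contoso.com'
$childLabel = 'sales'                       # delegated label inside the parent zone
$childZone  = "$childLabel.$parentZone"
$childNs    = "ns1.$childZone"              # server authoritative for the child zone
$childNsIp  = '10.0.1.5'

# 1. On the parent-zone server: the NS record for the child plus the glue A
#    record, because ns1.sales.contoso.com lives inside the zone it serves and
#    resolvers could otherwise never find it.
#    dnscmd: dnscmd /RecordAdd contoso.com sales NS ns1.sales.contoso.com
#            dnscmd /RecordAdd contoso.com ns1.sales A 10.0.1.5
Add-DnsServerZoneDelegation -Name $parentZone -ChildZoneName $childLabel `
    -NameServer $childNs -IPAddress $childNsIp

# 2. Same server: a stub zone keeps a current copy of the child's SOA, NS and
#    glue records by polling the masters, so the delegation does not go stale
#    when the child's name servers change.
#    dnscmd: dnscmd /ZoneAdd sales.contoso.com /Stub 10.0.1.5
Add-DnsServerStubZone -Name $childZone -MasterServers $childNsIp -ReplicationScope 'Domain'

# 3. Checks: the NS record crossing the delegation, and the stub zone's masters.
Get-DnsServerResourceRecord -ZoneName $parentZone -Name $childLabel -RRType NS
Get-DnsServerZone -Name $childZone | Select-Object ZoneName, ZoneType, MasterServers
```

The check in step 3 is the one worth repeating periodically: a delegation whose NS target no longer resolves to a server you control is a dangling record that someone else can claim, and a stub zone only ever trusts the masters it was pointed at, so the master list has to be kept accurate.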

What is the process of DHCP for getting the IP address to the client?

 

There is a four-way negotiation (often abbreviated DORA) between client and server. The client broadcasts because it does not have an address yet, and the transaction ID (xid) it puts in the first message is repeated in the following ones so that replies can be matched to the right request.

DHCP Discover (Initiated by client, broadcast to find any DHCP server)

DHCP Offer (Initiated by server, proposes an address, a lease time and options)

DHCP Request (Initiated by client, accepts one offer and names the chosen server so that other servers withdraw theirs; also used later to renew an existing lease)

DHCP Acknowledgement (Initiated by server, confirms the lease and its options; the client may now use the address)

DHCP Negative Acknowledgement (NAK, initiated by server if it cannot honour the request, for example the requested address is not valid on that subnet or the lease has been reassigned; the client then starts over with Discover)

 

What is a DHCP Lease?

 

A DHCP lease is the amount of time for which the DHCP server grants the DHCP client permission to use a particular IP address. A typical server allows its administrator to set the lease time; the Windows DHCP server default is 8 days. The client tries to renew at half the lease time (T1) by sending a unicast Request to the server that granted the lease, falls back to broadcasting at 87.5 per cent (T2), and must stop using the address if the lease expires without an acknowledgement.
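The DORA exchange and the lease time from the two answers above, worked through at the byte level as an added example that is not part of the original page. It builds a constructed four-message exchange (nothing here is captured from a network; the MAC and addresses are placeholders), parses each message back, and checks that the Request and Acknowledgement actually agree with the Offer, which is the consistency a server relies on before committing a lease.

```powershell
# Added example: encode and decode a constructed DHCP (DORA) exchange and check
# that REQUEST and ACK agree with the OFFER. All byte arrays are constructed here.
# Layout per RFC 2131: op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2)
# ciaddr(4) yiaddr(4) siaddr(4) giaddr(4) chaddr(16) sname(64) file(128),
# magic cookie 99.130.83.99, then options as (code, length, data), 255 = end.

$DhcpMessageType = @{ 1='DISCOVER'; 2='OFFER'; 3='REQUEST'; 4='DECLINE'; 5='ACK'; 6='NAK'; 7='RELEASE'; 8='INFORM' }

function ConvertTo-Quad([string]$Ip) { [byte[]]($Ip.Split('.') | ForEach-Object { [byte]$_ }) }
function Get-DottedQuad([byte[]]$Quad) { $Quad -join '.' }
function Get-BigEndianUInt32([byte[]]$Q) {
    ([long]$Q[0] -shl 24) -bor ([long]$Q[1] -shl 16) -bor ([long]$Q[2] -shl 8) -bor [long]$Q[3]
}

function New-DhcpMessage {
    # Minimal encoder: fixed header, magic cookie, options, end marker.
    param([byte]$Op, [byte[]]$Xid, [byte[]]$ClientMac, [string]$YourIp = '0.0.0.0', [hashtable]$Options)
    $b = New-Object byte[] 240
    $b[0] = $Op; $b[1] = 1; $b[2] = 6                              # op, htype = Ethernet, hlen = 6
    [Array]::Copy($Xid, 0, $b, 4, 4)                                # xid ties the four messages together
    [Array]::Copy([byte[]](ConvertTo-Quad $YourIp), 0, $b, 16, 4)   # yiaddr: the address the server assigns
    [Array]::Copy($ClientMac, 0, $b, 28, 6)                         # chaddr
    $b[236] = 99; $b[237] = 130; $b[238] = 83; $b[239] = 99         # magic cookie
    $opts = foreach ($e in $Options.GetEnumerator()) { [byte]($e.Key); [byte]($e.Value.Length); $e.Value }
    [byte[]]($b + $opts + [byte]255)
}

function ConvertFrom-DhcpMessage {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 240) { throw "Too short for DHCP: $($Bytes.Length) bytes" }
    if (-not ($Bytes[236] -eq 99 -and $Bytes[237] -eq 130 -and $Bytes[238] -eq 83 -and $Bytes[239] -eq 99)) {
        throw 'Missing DHCP magic cookie'
    }
    $m = [ordered]@{
        Op        = $(if ($Bytes[0] -eq 1) { 'BOOTREQUEST' } else { 'BOOTREPLY' })
        Xid       = ($Bytes[4..7]   | ForEach-Object { $_.ToString('x2') }) -join ''
        YourIp    = Get-DottedQuad $Bytes[16..19]
        ClientMac = ($Bytes[28..33] | ForEach-Object { $_.ToString('x2') }) -join ':'
        Type = $null; ServerId = $null; RequestedIp = $null; LeaseSeconds = $null
    }
    $i = 240
    while ($i -lt $Bytes.Length) {
        $code = [int]$Bytes[$i]
        if ($code -eq 0)   { $i++; continue }                       # pad
        if ($code -eq 255) { break }                                # end of options
        $len = [int]$Bytes[$i + 1]
        if ($i + 2 + $len -gt $Bytes.Length) { throw "Option $code runs past the end of the message" }
        $data = if ($len -gt 0) { $Bytes[($i + 2)..($i + 1 + $len)] } else { @() }
        switch ($code) {
            53 { $m.Type         = $DhcpMessageType[[int]$data[0]] }   # DHCP message type
            54 { $m.ServerId     = Get-DottedQuad $data }             # server identifier
            50 { $m.RequestedIp  = Get-DottedQuad $data }             # requested IP address
            51 { $m.LeaseSeconds = Get-BigEndianUInt32 $data }        # IP address lease time
        }
        $i += 2 + $len
    }
    [pscustomobject]$m
}

function Test-DhcpExchange {
    param([object[]]$Messages)   # parsed messages in wire order
    $seen = @($Messages | ForEach-Object { $_.Type }) -join ' -> '
    if ($seen -ne 'DISCOVER -> OFFER -> REQUEST -> ACK') { throw "Unexpected sequence: $seen" }
    $offer = $Messages[1]; $request = $Messages[2]; $ack = $Messages[3]
    if (@($Messages | ForEach-Object { $_.Xid } | Sort-Object -Unique).Count -ne 1) { throw 'xid differs across the exchange' }
    if ($request.RequestedIp -ne $offer.YourIp) { throw "REQUEST asks for $($request.RequestedIp), OFFER gave $($offer.YourIp)" }
    if ($request.ServerId -ne $offer.ServerId)  { throw 'REQUEST names a server other than the one that made the OFFER' }
    if ($ack.YourIp -ne $offer.YourIp)          { throw 'ACK confirms a different address than was offered' }
    [pscustomobject]@{ Client = $ack.ClientMac; Address = $ack.YourIp; Server = $ack.ServerId; LeaseSeconds = $ack.LeaseSeconds }
}

# Constructed exchange: client 00:1c:42:aa:bb:cc, server 10.0.0.2 offering 10.0.0.50 for 8 days.
$xid   = [byte[]](0xde, 0xad, 0xbe, 0xef)
$mac   = [byte[]](0x00, 0x1c, 0x42, 0xaa, 0xbb, 0xcc)
$srv   = [byte[]](ConvertTo-Quad '10.0.0.2')
$lease = [byte[]](0x00, 0x0a, 0x8c, 0x00)                           # 691200 s = 8 days (Windows DHCP default)
$wire = @(
    (New-DhcpMessage -Op 1 -Xid $xid -ClientMac $mac -Options @{ 53 = [byte[]]@(1) }),
    (New-DhcpMessage -Op 2 -Xid $xid -ClientMac $mac -YourIp '10.0.0.50' -Options @{ 53 = [byte[]]@(2); 54 = $srv; 51 = $lease }),
    (New-DhcpMessage -Op 1 -Xid $xid -ClientMac $mac -Options @{ 53 = [byte[]]@(3); 50 = [byte[]](ConvertTo-Quad '10.0.0.50'); 54 = $srv }),
    (New-DhcpMessage -Op 2 -Xid $xid -ClientMac $mac -YourIp '10.0.0.50' -Options @{ 53 = [byte[]]@(5); 54 = $srv; 51 = $lease })
)
$parsed = @($wire | ForEach-Object { ConvertFrom-DhcpMessage $_ })
$parsed | Format-Table Op, Type, Xid, YourIp, RequestedIp, ServerId, LeaseSeconds -AutoSize
Test-DhcpExchange $parsed

# A REQUEST for an address nobody offered (the case a real server answers with a NAK) fails the check:
$badRequest = ConvertFrom-DhcpMessage (New-DhcpMessage -Op 1 -Xid $xid -ClientMac $mac `
    -Options @{ 53 = [byte[]]@(3); 50 = [byte[]](ConvertTo-Quad '10.0.0.99'); 54 = $srv })
try { Test-DhcpExchange @($parsed[0], $parsed[1], $badRequest, $parsed[3]) } catch { "Rejected: $_" }
```

The parser is deliberately strict about the magic cookie and about options that run past the end of the message, because DHCP is parsed on an unauthenticated broadcast interface and a malformed option length is the classic way such parsers are broken.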

 

We’ve installed a new Windows-based DHCP server, however, the users do not seem to be getting DHCP leases off of it. What could be the reason?

The server must be authorized in Active Directory first. A Windows DHCP server that belongs to a domain checks, at service start-up and periodically afterwards, whether its own name and address appear in the list of authorized DHCP servers kept in the configuration partition; if they do not, it logs the fact and hands out no leases. Authorize it from the DHCP console (right-click the server, Authorize) or with netsh dhcp add server; by default this needs Enterprise Admins rights. The check exists to stop a rogue or accidentally installed Windows DHCP server from handing out bad addresses. It does nothing against non-Windows rogue servers, which have to be caught at the switch (DHCP snooping) or by monitoring.
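The check and the fix from the answer above, as an added example that is not part of the original page. It assumes the DhcpServer PowerShell module (Windows Server 2012 and later); the server name and address are placeholders. On Windows Server 2003 the same check is "netsh dhcp show server" and the fix is "netsh dhcp add server <fqdn> <ip>".

```powershell
# Added example: confirm a DHCP server is authorized in AD, and authorize it if not.
# Server name and address are assumptions for this example.
Import-Module DhcpServer

function Test-DhcpServerAuthorized {
    param([string]$DnsName)
    # Get-DhcpServerInDC reads the authorized-server list from the NetServices
    # container in the configuration partition, the list the service itself checks.
    $authorized = Get-DhcpServerInDC
    [bool]($authorized | Where-Object { $_.DnsName -eq $DnsName })
}

$server = 'dhcp01.contoso.com'
if (-not (Test-DhcpServerAuthorized $server)) {
    # Requires Enterprise Admins by default (or rights delegated on CN=NetServices).
    Add-DhcpServerInDC -DnsName $server -IPAddress 10.0.0.2
    Restart-Service DHCPServer        # the service re-checks authorization when it starts
}
Get-DhcpServerInDC                    # the full list is also worth reviewing for stale or unexpected entries
```

The final listing is the part to keep an eye on: an entry for a server that no longer exists, or one nobody remembers adding, is a finding in its own right.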

 

Explain the Licenses that can be managed by TS Licensing server in Windows 2003

 

To use Terminal Server in your organization, you are required to have a Windows Server 2003 license for every terminal server that you deploy in your organization as well as Terminal Server Client Access Licenses (CALs) for devices that access the terminal servers. For terminal servers that are running Windows Server 2003, there are two types of Terminal Server CALs:

 

Per Device

Per User

 

Which CAL you choose depends on how you plan to use Terminal Server. By default, Terminal Server is configured in Per Device mode, but it can be switched to Per User mode using the Terminal Services Configuration tool (tscc.msc) or by using Windows Management Instrumentation (WMI).

 

Per Device Licensing Mode: A Per Device CAL provides each client computer the right to access a terminal server that is running Windows Server 2003. The Per Device CAL is stored locally and presented to the terminal server each time the client computer connects to the server.

 

Per Device licensing is a good choice for:

·         Hosting a user’s primary desktop for devices the customer owns or controls.

·         Thin clients or computers that connect to a terminal server for a large percentage of the working day.

·         Hosting line-of-business applications that are used for the bulk of your users’ work.

 

This type of licensing is a poor choice if you do not control the device accessing the server, for example computers in an Internet café, or if you have a business partner who connects to your terminal server from outside your network.

 

Per User Licensing Mode: In Per User licensing mode you must have one license for every user. With Per User licensing, one user can access a terminal server from an unlimited number of devices and only needs one CAL rather than a CAL for each device.

 

Per User licensing is a good choice in the following situations:

·         Providing access for roaming users.

·         Providing access for users who use more than one computer, for example, a portable and a desktop computer.

·         Providing ease of management for organizations that track access to the network by user, rather than by computer.

 

In general, if your organization has more computers than users, Per User licensing might be a cost-effective way to deploy Terminal Server because you only pay for the user to access Terminal Server, rather than paying for every device from which the user accesses Terminal Server. Check the end-user license agreement for the applications that you plan to host to determine if they support per user licensing.

 

How can you override the license server discovery process and set your preferred license servers?

 

When Terminal Services is started, the server attempts to locate terminal server license servers using a predefined discovery process. The method used is dependent on the server environment and the mode in which the licensing server is configured to run.

 

You can override the discovery process by modifying the registry to point to a specific license server or servers. Under Windows 2000 you can specify only a single license server in the registry, whereas Windows Server 2003 lets you list multiple preferred license servers. To override the discovery process, add subkeys to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers subkey. Each subkey should be named with the host name of the license server that you want the terminal server to use. The key is read when Terminal Services starts, so restart the service or reboot for the change to take effect.
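The registry override described above, as an added example that is not part of the original page. It uses only the built-in registry provider, needs local administrator rights on the terminal server, and the license server host names are placeholders.

```powershell
# Added example: pin a Windows Server 2003 terminal server to specific license
# servers by creating one subkey per server under ...\TermService\Parameters\LicenseServers.
# Host names are assumptions for this example.
$licenseKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers'

function Set-PreferredLicenseServers {
    param([string[]]$Servers)
    if (-not (Test-Path $licenseKey)) { New-Item -Path $licenseKey -Force | Out-Null }
    foreach ($s in $Servers) {
        $sub = Join-Path $licenseKey $s          # the subkey NAME is the license server's host name
        if (-not (Test-Path $sub)) { New-Item -Path $sub | Out-Null }
    }
    # Return what is now configured so the caller can verify it.
    (Get-ChildItem -Path $licenseKey).PSChildName
}

Set-PreferredLicenseServers -Servers 'tslic01.contoso.com', 'tslic02.contoso.com'
# Terminal Services reads this key at service start-up: restart TermService or reboot afterwards.
```

Keep the list to servers you actually run: a terminal server will trust whatever license server this key names, so a writable key here is one more reason to keep local administrator membership on terminal servers tight.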

 

Name few Terminal Services utilities available in the Windows Resource Kit.

 

Appsec: Used to restrict non-administrative users' execution access to a limited set of authorized programs.

Drive Share: Used to share and connect to local drives during Terminal Services client session initialization.

File Copy: Provides copy/paste file transfer between a Terminal Services client session and a local desktop.

Lsreport: Used to connect to Terminal Services License servers and display information about the license key packs installed on the servers.

Lsview: Used to display the name and type of currently available License servers in a domain.

Roboclient: A Terminal Services capacity-planning tool.

Simclient: A Terminal Services capacity-planning tool.

Tsreg: A graphic utility to change client registry settings relating to bitmap caching, glyph caching, and so on.

Tsver: Used for allowing or disallowing client connections based on the client version.

Winsta: Used for monitoring Terminal Services client sessions.

 

 

Explain the terminal services modes available in W2k /W2k3

 

There are two different Terminal Services Modes available in Windows Server 2k/2k3.

 

Remote Administration Mode: Terminal Services Remote Administration mode allows any server running Windows 2000 Server, for instance a domain controller or BackOffice Server, to be administered remotely with full access to all the built-in graphical user interface-based (GUI-based) administrative tools, as if the administrator was sitting right at the server. Within Windows Server 2003, remote administration mode is built in and does not need to be installed. This ability to administer the server can be made available from any client device, including a legacy version of Windows, or even non-Windows-based clients. This server management feature is an invaluable tool for quick and easy administration of large- and small-scale networks. Terminal Services has two built-in per-server connections specifically for remote administration. A Terminal Services Client Access License (CAL) is not required to connect to Terminal Services in remote administration mode.


Application Server Mode: In Application Server mode, applications can be deployed and managed from a central location, saving administrators initial development and deployment time as well as the time and effort required for maintenance and upgrades. Once an application is deployed using Terminal Services, many clients can connect, whether through a remote access connection, local area network (LAN), or wide area network (WAN). The clients can still be Windows-based, Windows CE-based, or even non-Windows-based. Licensing is required when deploying a Terminal Services-enabled server as an application server.


You can install Windows 2003 Server Terminal Services in either of two modes: Remote Administration or Application Server. Remote Administration mode installs only the remote access components of Terminal Services and performs with very little overhead, so it's ideal for mission-critical servers. Terminal Services in Remote Administration mode permits a maximum of two concurrent remote administration connections. No additional licensing is required for those two connections, and you don't need to run the Terminal Services license server.

 

Application Server mode installs the application-sharing components of Terminal Services in addition to the remote access components. This mode lets users run applications remotely. However, running Terminal Services in Application Server mode requires you to purchase licenses and set up a Terminal Services licensing server within 120 days of installation. For administration purposes, you should install Terminal Services in Remote Administration mode. Remote Administration mode minimizes the impact on server performance while still facilitating remote administration.

 

When I try to log on, why do I get the error message: Unable to log you on because of an account restriction?

 

This message can appear because the user trying to log on is not a member of the Remote Desktop Users group (or has not otherwise been granted the "Allow log on through Terminal Services" right), or because the account has a blank password. Starting with Windows XP, the policy "Accounts: Limit local account use of blank passwords to console logon only" is enabled by default, so a local account without a password cannot be used over the network for Remote Desktop or file shares. Set a password on the account rather than disabling that policy.

 

When I attempt to update terminal services using Windows update, I receive an error stating that I should be in install mode. How do I activate install mode so that I can install available updates?

 

Updates and application installs on a terminal server in Application Server mode should be done in install mode, so that the per-user registry and .ini settings the installer writes are recorded and replayed for every user who later logs on. Switch the session to install mode from a command prompt by typing:

change user /install

Then run Windows Update (or the installer). This command does not perform the update itself; it only changes how the session records what the installer writes. When the update is complete, switch the session back to normal operation by typing:

change user /execute

change user /query shows which mode the current session is in.

 

Can I use my current Windows 2000 License Server and CALs for Windows 2003 Terminal Servers?

 

No. Windows Server 2003 terminal servers need the Windows Server 2003 version of the Terminal Server CALs, and a Windows Server 2003 License Server to issue them. That License Server can serve both Windows 2000 terminal servers and Windows Server 2003 terminal servers, so it can replace the Windows 2000 License Server.

 

How do I connect more than two users to Windows 2000 Server or Windows Server 2003? How do I connect more than one user to Windows XP Professional?

 

If you are running Remote Administration mode on Windows 2000 or Windows Server 2003, no more than two concurrent users are allowed and there is no way to increase this unless you change it to Application Server mode. Application Server mode requires client access licenses and a licensing server. If you are using Windows XP Professional this number is limited to 1 remote connection and there is no way to increase this number.

 

What port does RDP use ?

By default, RDP listens on TCP port 3389 for all of its traffic. The port is set by the PortNumber value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Changing it is not a security control, since the service is still easy to fingerprint; do not expose 3389 directly to the Internet, and put a VPN or gateway and account lockout in front of it instead.

 

 

 
