ACTIVE DIRECTORY

Explain the Group Scopes in Windows 2003 AD
 
Group scope
Any group, whether it is a security group or a distribution group,
is characterized by a scope that identifies the extent to which the group is
applied in the domain tree or forest. The boundary, or reach, of a group scope
is also determined by the domain functional level setting of the domain in
which it resides. There are three group scopes: universal, global, and domain
local.
 
The following table describes the differences between the three group scopes.
 
 
  Group scope  | Group can include as members                      | Group can be assigned permissions in | Group scope can be converted to
  -------------+--------------------------------------------------+--------------------------------------+----------------------------------------
  Universal    | Accounts from any domain in the forest in which  | Any domain in the forest, and any    | Domain local; Global (only if the group
               | the universal group resides; global groups from  | trusting domain                      | contains no other universal groups)
               | any domain in the forest; universal groups from  |                                      |
               | any domain in the forest                         |                                      |
  Global       | Accounts from the same domain as the global      | Any domain in the forest, and any    | Universal (only if the group is not a
               | group; global groups from the same domain        | trusting domain                      | member of any other global group)
  Domain local | Accounts from any domain; global groups from any | Only the domain in which the domain  | Universal (only if the group contains
               | domain; universal groups from any domain; domain | local group resides                  | no other domain local groups)
               | local groups from the same domain only           |                                      |

Nesting groups inside groups (other than placing global groups inside domain local groups) requires the domain to be at the Windows 2000 native functional level or higher; in mixed mode the other nesting combinations are not allowed. There is no direct conversion between global and domain local; such a change has to go through universal in two steps.
 
Explain the Types of AD Groups that can be created in Windows 2003 AD
 
Group types
 
Groups are used to collect user accounts, computer accounts, and
other group accounts into manageable units. Working with groups instead of with
individual users helps simplify network maintenance and administration. 
 
There are two types of groups in Active Directory: distribution
groups and security groups. You can use distribution groups to create e-mail
distribution lists and security groups to assign permissions to shared
resources.
 
Distribution groups:
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. Distribution groups are not security-enabled, which means that they are not added to a user's access token at logon and cannot be listed in discretionary access control lists (DACLs). If you need a group for controlling access to shared resources, create a security group.

Security groups:
Used with care, security groups provide an efficient way to assign access to resources on your network. Using security groups, you can assign user rights to security groups in Active Directory and assign permissions to security groups on resources. A security group can also be mail-enabled and used as a distribution list, so there is rarely a reason to maintain both kinds of group for the same set of people. Both scope and type are stored in the single groupType attribute of the group object.
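As an added example (my own PowerShell, not code from the original page), the following decodes the groupType attribute that carries both the scope and the type of a group, and checks a proposed nesting or scope conversion against the rules in the scope table above. The bit values are the documented groupType flags; the function names (ConvertFrom-GroupType, Test-GroupNesting, Test-ScopeConversion) and the sample groups and domain names are assumptions made for this illustration.

```powershell
# Added example: decode groupType and apply the scope rules from the table above.
# The bit values are the documented groupType flags; everything else is illustrative.
$GROUP_TYPE_BUILTIN_LOCAL = 1            # 0x00000001
$GROUP_TYPE_GLOBAL        = 2            # 0x00000002 "account group"
$GROUP_TYPE_DOMAIN_LOCAL  = 4            # 0x00000004 "resource group"
$GROUP_TYPE_UNIVERSAL     = 8            # 0x00000008
$GROUP_TYPE_SECURITY      = 2147483648   # 0x80000000 set: security group; clear: distribution group

function ConvertFrom-GroupType {
    # AD stores groupType as a signed 32-bit integer, so security groups show up as
    # negative numbers (for example -2147483646 for a global security group).
    param([Parameter(Mandatory)][int64]$GroupType)
    $bits = [uint32]($GroupType -band 4294967295)   # reinterpret the low 32 bits as unsigned
    if     ($bits -band $GROUP_TYPE_BUILTIN_LOCAL) { $scope = 'BuiltinLocal' }
    elseif ($bits -band $GROUP_TYPE_GLOBAL)        { $scope = 'Global' }
    elseif ($bits -band $GROUP_TYPE_DOMAIN_LOCAL)  { $scope = 'DomainLocal' }
    elseif ($bits -band $GROUP_TYPE_UNIVERSAL)     { $scope = 'Universal' }
    else                                           { $scope = 'Unknown' }
    [pscustomobject]@{
        GroupType = $GroupType
        Scope     = $scope
        Type      = if ($bits -band $GROUP_TYPE_SECURITY) { 'Security' } else { 'Distribution' }
    }
}

function Test-GroupNesting {
    # $true if $Member (Kind = User | Global | DomainLocal | Universal, plus Domain) may be
    # added to $Group, following the "can include as members" column of the table.
    param([Parameter(Mandatory)]$Group, [Parameter(Mandatory)]$Member)
    $sameDomain = $Group.Domain -eq $Member.Domain
    switch ($Group.Kind) {
        'Universal'   { return @('User', 'Global', 'Universal') -contains $Member.Kind }
        'Global'      { return $sameDomain -and (@('User', 'Global') -contains $Member.Kind) }
        'DomainLocal' { return (@('User', 'Global', 'Universal') -contains $Member.Kind) -or
                               ($Member.Kind -eq 'DomainLocal' -and $sameDomain) }
    }
    return $false
}

function Test-ScopeConversion {
    # Direct conversions allowed by the "can be converted to" column. Anything else
    # (for example Global -> DomainLocal) has to go through Universal in two steps.
    param([string]$From, [string]$To, [string[]]$MemberKinds = @(), [string[]]$MemberOfKinds = @())
    switch ("$From->$To") {
        'Universal->DomainLocal' { return $true }
        'Universal->Global'      { return -not ($MemberKinds   -contains 'Universal') }
        'Global->Universal'      { return -not ($MemberOfKinds -contains 'Global') }
        'DomainLocal->Universal' { return -not ($MemberKinds   -contains 'DomainLocal') }
    }
    return $false
}

# --- constructed sample values ---
ConvertFrom-GroupType -GroupType -2147483646     # the value AD stores for a global security group
ConvertFrom-GroupType -GroupType 8               # the value AD stores for a universal distribution group
$sales   = @{ Name = 'Sales';      Kind = 'Global';      Domain = 'corp.example' }
$euUser  = @{ Name = 'jsmith';     Kind = 'User';        Domain = 'eu.corp.example' }
$readers = @{ Name = 'FS-Readers'; Kind = 'DomainLocal'; Domain = 'corp.example' }
Test-GroupNesting -Group $sales   -Member $euUser    # a user from another domain into a global group
Test-GroupNesting -Group $readers -Member $sales     # a global group from any domain into a domain local group
Test-ScopeConversion -From 'Global' -To 'Universal' -MemberOfKinds @('Global')   # still nested in a global group
```

Feed ConvertFrom-GroupType the groupType value of a real group (for example from adfind, ldp.exe or Get-ADGroup -Properties groupType) and it tells you in one step whether the group can ever appear in a DACL and which nesting rules apply to it.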
 
 
I am trying to create a new universal user group. Why can't I?

Universal security groups can be created only when the domain is at the Windows 2000 native functional level or higher. In Windows 2000 mixed mode (the default as long as the domain may still contain Windows NT 4.0 backup domain controllers) only universal distribution groups are allowed. Raising the functional level requires that every domain controller in the domain run Windows 2000 Server or Windows Server 2003 Active Directory; the change is one-way and cannot be undone.
 
 
What is a Creator Owner Account in Windows?

CREATOR OWNER is a well-known security principal (SID S-1-3-0) rather than a real account. It is a placeholder used in inheritable access control entries (ACEs): when such an ACE is inherited by a newly created child object, the system replaces the CREATOR OWNER SID with the SID of the owner of the new object, normally the user who created it or who later took ownership, so that the creator receives the rights defined by the ACE. If a member of the Administrators group creates an object, the Administrators group, not the individual user, is recorded as the owner by default, and it is the Administrators group that receives the CREATOR OWNER rights. Windows 2000 Server and Professional include a CREATOR OWNER entry in the default ACLs of sharable resources such as NTFS volumes and printers.
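The substitution described above, as an added example (my own PowerShell, not code from the page). It assumes a writable %TEMP% on an NTFS volume and uses the well-known SIDs S-1-3-0 (CREATOR OWNER) and S-1-5-32-544 (Administrators); the function name is an assumption for this illustration.

```powershell
# Added example: watch CREATOR OWNER (S-1-3-0) get replaced by the creator's SID when an
# inheritable ACE is inherited. Creates and removes a scratch folder under %TEMP%.
function Show-CreatorOwnerSubstitution {
    $root = Join-Path $env:TEMP ('creator-owner-demo-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $root | Out-Null
    try {
        $acl = Get-Acl -Path $root
        $acl.SetAccessRuleProtection($true, $false)   # drop ACEs inherited from %TEMP% so the output stays small

        $me           = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
        $admins       = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
        $creatorOwner = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-0')

        # The current user gets Modify on the root only (not inheritable) so a child can be created.
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $me, 'Modify', 'None', 'None', 'Allow')))
        # Administrators: an ordinary inheritable ACE, inherited unchanged.
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $admins, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
        # CREATOR OWNER: inherit-only placeholder; it grants nothing on $root itself.
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $creatorOwner, 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')))
        Set-Acl -Path $root -AclObject $acl

        $child = New-Item -ItemType Directory -Path (Join-Path $root 'child')
        # On the child the inherited ACEs are: Administrators; an effective ACE carrying the
        # new object's owner SID (materialised from CREATOR OWNER); and CREATOR OWNER again as
        # an inherit-only entry so that grandchildren get the same treatment.
        (Get-Acl -Path $child.FullName).Access |
            Where-Object { $_.IsInherited } |
            Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                          @{ n = 'Sid'; e = { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } },
                          FileSystemRights, InheritanceFlags, PropagationFlags
    }
    finally {
        Remove-Item -Path $root -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Show-CreatorOwnerSubstitution | Format-Table -AutoSize
```

Run it as an ordinary user and the materialised ACE carries your own SID. Run it from an elevated session of an Administrators member and the substituted identity is normally BUILTIN\Administrators instead, because the default owner in an administrator's token is the Administrators group; that is exactly the behaviour described above, and it is why auditing "who owns this file" on servers often points at the group rather than at a person.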
 
 
What is the difference between Enterprise Admins & Domain Admins account in Active Directory?

Domain Admins is a global security group (RID 512) that exists in every Active Directory domain, including each child domain. Its members have administrative privileges for the entire domain: the group is a member of the built-in Administrators group on every domain controller in the domain and, by default, of the local Administrators group on every workstation and member server joined to the domain. By default, its only member is the domain's Administrator account.

Enterprise Admins (RID 519) exists only in the root domain of an Active Directory forest. It is a universal group if the domain is in native mode and a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding or removing child domains, configuring sites and trusts, and authorizing DHCP servers. By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, providing complete access to the configuration of all domain controllers. This group can modify the membership of all administrative groups. Its own membership can be modified only by the default service administrator groups in the root domain. Both groups are considered service administrator groups, so their membership should be kept to a minimum and reviewed regularly.
 
 
What are the differences between Group Policy, Registry-based policy, and Security policy?

Group Policy is an infrastructure in which IT administrators can implement standard computing environments for groups of users and computers; it includes both Registry-based policy and Security policy. Registry-based policy is one of the many features of Group Policy: it uses Administrative Templates (.adm files) to write the registry settings read by policy-enabled components included in Windows, under the Policies keys of HKLM and HKCU that ordinary users cannot modify. Security policy, another feature delivered by Group Policy, includes a variety of security-related settings for Microsoft Windows, such as account and password policies, audit policy, user rights assignments and security options.
 
 
Is there a maximum number of Group Policy objects that I can store in a domain?
 
Creating a Group Policy object will create a
Group Policy container object, stored in Active Directory, and a Group Policy
template, stored on the Sysvol of the domain controller. Both are limited only
to the amount of free disk space.
 
 
What is the maximum number of Group Policy objects a user or computer can process?
 
A user or computer cannot process more than 999
Group Policy objects. Windows Vista writes a Windows-Group Policy error event
with an event ID of 1088 to the system event log when a user or computer
attempts to process more than 999 Group Policy objects.
 
 
Can I apply a Group Policy object directly to a security group?

You cannot link a Group Policy object directly to a security group; GPOs are linked only to sites, domains and OUs. However, you can use security filtering to refine which users or computers within those containers receive and apply the settings: security filtering edits the GPO's own ACL so that only the chosen groups hold the Read and Apply Group Policy permissions. The Group Policy Management Console (GPMC) is the tool to manage security filtering. For more information about security filtering, see the Core Group Policy Technical Reference.
 
 
Explain GPMC & RSoP in Windows 2003

GPMC (the Group Policy Management Console) is the tool used to manage Group Policy. It shows which GPOs exist, which sites, domains and OUs each GPO is linked to, which settings are enabled in each GPO, which users and computers are affected (security filtering and WMI filtering), and who manages each GPO (delegation). It also provides backup, restore, import and HTML/XML reporting of GPOs.

RSoP (Resultant Set of Policy) provides details about all policy settings that are configured by an administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation. When policies are applied at multiple levels (for example, site, domain, domain controller, and organizational unit), the results can conflict. RSoP can help you determine the set of applied policies and their precedence (the order in which policies are applied). RSoP has a logging mode (what actually applied to an existing user and computer, also available from the command line as gpresult) and a planning mode (what would apply under a simulated scenario).
 
 
What is the difference between Assign and Publish Application through GPO?
 
Software Installation (SI) Policy is
designed to allow you to deploy (Assign / Publish) Windows Installer packages (.msi
files) to users and computers within an AD domain. SI Policy supports two types
of installation methods:
 
Publishing: Publishing is only available per-user and provides a way of publishing applications to the Add/Remove Programs control panel. Users can then optionally install an application from there. A published application can also be installed by document invocation, when a user opens a file whose extension is registered to it.
 
Assignment: Assignment is available per-user or
per-computer. Per-computer assignment lets you deploy an application to a
computer--that application is automatically installed at the next computer
restart. Per-user assignment lets you deploy an application at user logon. If
you choose the Install-on-first-use option (available in Win2K and Win2K3/XP),
then the full application is not installed, but rather only shortcuts and file
extensions that are registered by that application. When the user clicks on one
of these registered "entry-points" the application is installed at
that time--hence the term "install-on-first-use". In Win2K3 and XP,
you have the option of installing the full application at user logon time,
which takes longer but ensures that the application is fully ready when the
user's desktop appears.
 
 
Explain the Loopback Processing feature of Group Policy

Loopback processing is a feature that allows a more precise level of control over user policy settings for a targeted machine. Usually, user policy settings are derived entirely from the GPOs associated with the user account (based on its location in Active Directory). With loopback processing enabled, however, the user policy settings in the GPOs associated with the machine (the GPOs linked to the site, domain and OUs that contain the computer object) are applied instead of, or in addition to, the user's own.
 
A
common use of loopback is on Terminal Services machines. In this scenario, it
is common for the Group Policy administrator to set specific user policy
settings for the server to ensure that all users using the machine receive a
defined set of user policy settings.
 
Two modes are available when applying loopback processing:
· Replace mode: the user policy is defined entirely from the GPOs associated with the machine. Any GPOs associated with the user are ignored.
· Merge mode: the user policy settings applied are the combination of those included in both the machine and user GPOs. The user's own GPOs are processed first and the machine's GPOs last, so where conflicts exist, the machine GPOs "win".
 
Loopback setting technical details:
To define the loopback processing setting, follow these steps:
1. Open the Group Policy Object Editor (gpedit.msc for the local GPO, or edit a domain GPO from GPMC). See Create/Edit GPOs for details.
2. Expand the Computer Configuration node. Under Computer Configuration, expand the Administrative Templates node.
3. Within the Administrative Templates node, expand the System node, and then the Group Policy node.
4. Locate the setting "User Group Policy loopback processing mode". Double-click this setting, set it to Enabled and choose Replace or Merge as needed.
 
When the loopback setting is enabled on a machine (either via local
policy or domain policy), the behavior of group policy application changes in
one of two ways, depending on the selected mode. It should be noted that while
the setting affects the behavior of application of user policies, the setting
itself is applied to the machine the user logs on to. 
 
 
What permissions are necessary for Group Policy to apply to a user or computer?

Group Policy applies to any user or computer that has Allow entries for both Read and Apply Group Policy on the GPO's access control list. By default, the Authenticated Users group has both, so every user and computer in a linked container processes the GPO; removing Apply Group Policy for Authenticated Users and granting it to a specific group (or adding a Deny for a group) is how security filtering narrows the scope.
 
 
Where are group policies stored?
The local GPO is stored in %SystemRoot%\System32\GroupPolicy. A domain GPO is stored in two parts: the Group Policy container (GPC), an object in Active Directory under CN=Policies,CN=System,<domain DN>, and the Group Policy template (GPT), a folder tree in SYSVOL. Both parts are named by the GPO's GUID.

Where is the GPT stored?
%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GPO GUID}
 
 
What's contained in the administrative template conf.adm?
Microsoft NetMeeting policies.
 
 
Explain the Enforce and Block Inheritance features available when managing GPO precedence.

Enforced: This was referred to in Win2K as "No Override". The Enforced flag is set on a GPO link using the GPMC. Essentially what it does is say, "If any GPO linked lower in the hierarchy (and therefore processed after this one) has a conflicting setting, my setting still wins." It works by moving any GPO link that is marked Enforced to the end of the Group Policy processing list, so the enforced policy is always processed last and thus "wins" over any downstream GPOs. If two enforced links conflict, the one linked higher in the hierarchy (closer to the domain) wins. Enforced GPOs also override Block Inheritance (described next).

Block Inheritance: The Block Inheritance flag is set on a container object, specifically either an OU or a domain. The purpose of Block Inheritance is to stop GPOs linked to containers above it (upstream GPOs) from being processed, except for GPO links that carry the Enforced flag. For example, if I have two OUs, Marketing and East, and East is a child OU of Marketing, I can set the Block Inheritance flag on the East OU and any GPOs linked to Marketing (and to the domain and site) will be blocked and won't apply to users and computers in the East OU, unless their links are Enforced.
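The precedence rules above (local, site, domain, OU order; link order; Enforced; Block Inheritance) and the two loopback modes described in the loopback section, modelled in a small piece of PowerShell I added here; it is not code from the page and needs no domain to run. The GPO names, settings and OU layout are constructed for the demonstration, and the function names are my own.

```powershell
# Added example: a model of GPO processing order (LSDOU, link order, Enforced, Block
# Inheritance) and of what loopback Replace/Merge do to user settings. Runs offline.
function Get-GpoProcessingOrder {
    # $Containers holds the containers that apply to a user or computer, parent before child:
    # local, site, domain, then each OU down to the one holding the account. Each container
    # has BlockInheritance and Links (Gpo, LinkOrder, Enforced). The result is the order in
    # which the GPOs are processed; a later GPO overwrites an earlier one ("last writer wins").
    param([object[]]$Containers)
    $normal = @(); $enforced = @()
    foreach ($c in $Containers) {
        if ($c.BlockInheritance) { $normal = @() }   # discards upstream links, never enforced ones
        $links = @($c.Links | Sort-Object -Property LinkOrder -Descending)   # link order 1 is applied last
        $normal += @($links | Where-Object { -not $_.Enforced } | ForEach-Object { $_.Gpo })
        # Enforced links are queued after everything else. A parent's enforced link is queued
        # behind a child's, so the parent wins if two enforced GPOs conflict.
        $enforced = @($links | Where-Object { $_.Enforced } | ForEach-Object { $_.Gpo }) + $enforced
    }
    return $normal + $enforced
}

function Resolve-GpoSettings {
    # Walk the processing order and record which GPO ended up setting each value.
    param([object[]]$Order, [ValidateSet('User', 'Computer')][string]$Section = 'User')
    $values = @{}; $wonBy = @{}
    foreach ($gpo in $Order) {
        $settings = $gpo.$Section
        if ($null -eq $settings) { continue }
        foreach ($name in $settings.Keys) { $values[$name] = $settings[$name]; $wonBy[$name] = $gpo.Name }
    }
    foreach ($name in ($values.Keys | Sort-Object)) {
        [pscustomobject]@{ Setting = $name; Value = $values[$name]; WonBy = $wonBy[$name] }
    }
}

function Resolve-UserPolicy {
    # User Configuration settings for a user logging on to a computer. The loopback mode is
    # itself a Computer Configuration setting, so it comes from the computer's side.
    param($UserContainers, $ComputerContainers,
          [ValidateSet('None', 'Merge', 'Replace')][string]$Loopback = 'None')
    $userOrder    = @(Get-GpoProcessingOrder -Containers $UserContainers)
    $machineOrder = @(Get-GpoProcessingOrder -Containers $ComputerContainers)
    $order = switch ($Loopback) {
        'None'    { $userOrder }                     # normal processing
        'Replace' { $machineOrder }                  # the user's own GPOs are ignored entirely
        'Merge'   { $userOrder + $machineOrder }     # both; machine GPOs run last, so they win conflicts
    }
    Resolve-GpoSettings -Order $order -Section 'User'
}

# --- constructed sample: a domain with an enforced baseline, a Marketing OU, a child East OU
# --- that blocks inheritance, and a Terminal Servers OU whose lockdown GPO is meant for loopback
function New-Gpo  { param($Name, $User) [pscustomobject]@{ Name = $Name; User = $User } }
function New-Link { param($Gpo, $LinkOrder, $Enforced = $false)
                    [pscustomobject]@{ Gpo = $Gpo; LinkOrder = $LinkOrder; Enforced = $Enforced } }
function New-Container { param($Name, $Links, $BlockInheritance = $false)
                         [pscustomobject]@{ Name = $Name; Links = @($Links); BlockInheritance = $BlockInheritance } }

$baseline  = New-Gpo 'Security Baseline'     @{ ScreenSaverTimeout = 600 }
$default   = New-Gpo 'Default Domain Policy' @{ ScreenSaverTimeout = 900; Wallpaper = 'corp.jpg' }
$marketing = New-Gpo 'Marketing Desktop'     @{ Wallpaper = 'marketing.jpg' }
$east      = New-Gpo 'East Desktop'          @{ Wallpaper = 'east.jpg'; HomePage = 'http://east.corp.example' }
$tsLock    = New-Gpo 'TS Lockdown'           @{ Wallpaper = 'ts.jpg'; RemovableStorage = 'Deny' }

$domain = New-Container 'DC=corp,DC=example'   @((New-Link $baseline 1 $true), (New-Link $default 2))
$mktOu  = New-Container 'OU=Marketing'         @(New-Link $marketing 1)
$eastOu = New-Container 'OU=East,OU=Marketing' @(New-Link $east 1) -BlockInheritance $true
$tsOu   = New-Container 'OU=TerminalServers'   @(New-Link $tsLock 1)
$userChain = @($domain, $mktOu, $eastOu); $tsChain = @($domain, $tsOu)

'User in East OU, no loopback (Block Inheritance drops the domain and Marketing links; the enforced baseline survives):'
Resolve-UserPolicy -UserContainers $userChain -ComputerContainers $tsChain | Format-Table -AutoSize
'Same user on a terminal server, loopback Replace:'
Resolve-UserPolicy -UserContainers $userChain -ComputerContainers $tsChain -Loopback Replace | Format-Table -AutoSize
'Same user on a terminal server, loopback Merge:'
Resolve-UserPolicy -UserContainers $userChain -ComputerContainers $tsChain -Loopback Merge | Format-Table -AutoSize
```

The WonBy column is the thing to compare against gpresult /r or an RSoP logging-mode report on a real machine: if the winning GPO for a security setting is not the one you expect, look first for an Enforced link higher up or a Block Inheritance flag on the OU, because both change the order silently.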
 
 
What is the significance of the SYSVOL directory in AD?
 
The Windows Server 2003 System Volume
(SYSVOL) is a shared directory that stores the server copy of the domain's
public files, which are replicated among all domain controllers in the domain.
SYSVOL is a collection of folders and reparse points in the file systems that
exist on each domain controller in a domain. SYSVOL provides a standard
location to store important elements of Group Policy objects (GPOs) and scripts
so that the File Replication service (FRS) can distribute them to other domain
controllers within that domain. 
 
 
List out the important ports used in AD communications

  Port      Protocol  Service
  53        TCP/UDP   Domain Name System (DNS): locating domain controllers through SRV records
  88        TCP/UDP   Kerberos authentication
  123       UDP       Windows Time (W32Time) synchronization
  135       TCP       Remote procedure call (RPC) endpoint mapper
  137       UDP       NetBIOS name service
  138       UDP       NetBIOS datagram service
  139       TCP       NetBIOS session service
  389       TCP/UDP   LDAP (UDP is used for the LDAP "ping" during domain controller location)
  445       TCP       Server Message Block (SMB): SYSVOL and NETLOGON shares, Group Policy, file replication
  464       TCP/UDP   Kerberos password change (kpasswd)
  636       TCP       Secure LDAP (LDAP over SSL)
  3268      TCP       Global Catalog LDAP
  3269      TCP       Global Catalog LDAP over SSL
  dynamic   TCP       RPC services such as Active Directory replication and FRS, which listen on a port assigned
                      from the dynamic range (1025-5000 on Windows Server 2003, 49152-65535 on Windows Server 2008 and later)
                      unless the port is pinned in the registry; firewalls between sites must allow this range or the pinned port.
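A quick reachability check for the TCP ports in the list, as an added example (my own PowerShell, not from the page). It assumes a domain controller name such as dc01.corp.example; the function name is my own. It tests TCP only, so the UDP side of DNS, Kerberos and LDAP and the dynamic RPC range are out of its scope.

```powershell
# Added example: check which of the AD service ports above answer on a domain controller.
# TCP connect test only; UDP ports and the dynamic RPC range need a different check.
function Test-AdPorts {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$TimeoutMs = 2000
    )
    $ports = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper'
        139  = 'NetBIOS session service'
        389  = 'LDAP'
        445  = 'SMB'
        464  = 'Kerberos password change'
        636  = 'LDAP over SSL'
        3268 = 'Global Catalog LDAP'
        3269 = 'Global Catalog LDAP over SSL'
    }
    foreach ($port in $ports.Keys) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $async = $client.BeginConnect($DomainController, [int]$port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $open = $true
            }
        }
        catch { $open = $false }             # refused, unreachable, or name did not resolve
        finally { $client.Close() }
        [pscustomobject]@{ DomainController = $DomainController; Port = $port; Service = $ports[$port]; Open = $open }
    }
}

# Example run against an assumed DC name; on a host with no route to a DC every row comes back Open = False.
Test-AdPorts -DomainController 'dc01.corp.example' | Format-Table -AutoSize
```

Run it from a member server in a remote site before raising a replication or logon ticket: a DC that answers on 389 and 445 but not on 88 or 135 is a firewall problem, not an Active Directory one.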
 
 
What is a site?

A site is an Active Directory object that represents a location on the physical network: one or more well-connected Transmission Control Protocol/Internet Protocol (TCP/IP) subnets, typically a LAN. Subnet objects are mapped to the site, and domain controllers are placed in it. Sites are used to control replication (intra-site versus inter-site) and to let clients find a nearby domain controller, global catalog or other site-aware service rather than one across a WAN link.
 
 
Differentiate between intra-site and inter-site replication.

Intra-site replication takes place between domain controllers in the same site. It is uncompressed, is triggered by change notification shortly after a change is made, and uses a ring topology that the KCC builds between the DCs in the site.

Inter-site replication takes place between two different sites, normally over WAN links. It is compressed and runs on the schedule and interval configured on the site link. The bridgehead server (BHS) in each site is responsible for replication between sites: inter-site replication is performed between the bridgehead server in one site and the bridgehead server in the other, and each bridgehead then replicates the changes to the other domain controllers in its own site.
 
 
What are lingering objects in AD?

A lingering object is an object that is present on one replica, but on another replica it has been deleted and its tombstone has been removed from the directory by the garbage collection process, so the deletion can no longer replicate to the replica that still holds it.
 
This condition can occur for a variety of reasons including:
·        
Prolonged misconfigurations
(such as those that cause event ID 1311 messages)
·        
Prolonged errors in name
resolution, authentication or the replication engine that block inbound
replication.
·        
Bringing a domain controller
online after it has been offline for a period greater than the TombStone
Lifetime (TSL).
·        
Advancing system time or
reducing TSL values in an attempt to accelerate garbage collection before
end-to-end replication has taken place for all naming contexts in the forest.
 
Symptoms that you may have lingering objects:
·        
Active Directory
replication is prevented from occurring.
·        
A user account that no longer
exists still appears in the Global Address list for E-mail clients.
·        
A universal group that no
longer exists still appears in a user’s access token.
·        
E-mail messages cannot be
delivered due to duplicate e-mail address on two different user objects.
 
Regardless
of the reason, a deleted object can remain on a domain controller in either of the
following circumstances:
·        
A domain controller goes
offline immediately prior to the deletion of an object on another domain
controller, and remains offline for a period that exceeds the tombstone
lifetime.
·        
A domain controller goes
offline immediately following the deletion of an object on another domain
controller but prior to receiving replication of the tombstone, and remains
offline for a period that exceeds the tombstone lifetime.
 
What to do with a lingering object?
Determining
what to do with a lingering object depends on whether or not it was intended.
 
 
  Lingering object | Action
  -----------------+-------------------------------------------------------------------------------------
  Unintended       | Use repadmin /removelingeringobjects to delete the lingering object from the domain
                   | controller that holds it (that domain controller must be running Windows Server 2003).
  Intended         | Set replication consistency to loose on the inbound domain controller (DC) and make
                   | a change to the object on the DC that still has it. The object will be re-animated on
                   | the inbound DC. See strict and loose replication consistency below.
 
Strict and loose replication consistency
 
If
the attributes of a lingering object never change, the object is never
considered for replication. However, if an attribute changes, the attribute is
considered for outbound replication. The problem with an attribute update for a
lingering object is that the receiving domain controller does not hold the
object for the attribute being replicated. An update cannot be performed
because the entire object does not exist on the receiving domain controller.
What happens next depends on the replication consistency set on the domain
controller.
 
 
Loose: When replication consistency is set to loose, the receiving domain controller detects that it does not have the object for the attribute that is being replicated. The inbound partner requests the entire object from the outbound partner and reanimates the object in its copy of the directory. The same process repeats on all domain controllers that do not have a copy of the object, so this mechanism can cause lingering objects to "reanimate" across the entire forest. If a lingering object is discovered and its presence is intended, perform any update to the object; as long as replication consistency is set to loose on all domain controllers, the object will be reanimated as it replicates around the forest. Loose replication consistency is the default for Windows 2000 domain controllers, with the exception of domain controllers that have the MS01-044 security rollup package installed. For more information about the MS01-044 security rollup package, see article 297860 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122508).

Strict: The default behavior for domain controllers that run Windows Server 2003 (and domain controllers that are upgraded from Windows NT 4.0) is to block inbound replication for each naming context when a domain controller receives an update to an object that it does not have. Replication of that naming context from that partner is halted until the lingering object is removed or the replication mode is set to "loose". Strict consistency is the safer setting: it stops a deleted account, and the group memberships that came with it, from quietly returning to the forest, at the cost of a replication outage that has to be cleaned up with repadmin.
 
Storage for the consistency setting
The setting for replication consistency is in the registry on each domain controller:
  Key:        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  Entry name: Strict Replication Consistency
  Data type:  REG_DWORD
  Values:     1 for enabled (strict); 0 for disabled (loose)
  Default:    1 (enabled) on Windows Server 2003
 
Note: There was a post-SP2 hotfix (also included in the security rollup package from November 2001) that used a different registry value. A setting of 0 will not recreate the missing object (strict), and a setting of 1 will create the missing object. This value is only needed with the November version of the hotfix.
  Value name: Correct Missing Objects
  Data type:  REG_DWORD
  Value data: 1
 
The repadmin /removelingeringobjects command does the following:
· Designates an up-to-date domain controller as the authority.
· Compares the Active Directory database objects on the authoritative server with the objects that are on the suspected domain controller that contains the lingering objects.
· With /advisory_mode, the subcommand only logs the potential deletions to the Directory Service log.
· Without /advisory_mode, the subcommand removes the lingering objects.

Syntax:
repadmin /removelingeringobjects <Dest_DC_LIST> <Source DC GUID> <NC> [/ADVISORY_MODE]

  Parameter        | Description
  -----------------+-----------------------------------------------------------------------------------------
  <Dest_DC_LIST>   | The domain controller that is suspected to have lingering objects.
  <Source DC GUID> | The DSA object GUID of the up-to-date source domain controller used for the comparison
                   | (shown on the "DSA object GUID" line of repadmin /showrepl for that DC).
  <NC>             | The distinguished name of the directory partition (naming context) to check.
  /ADVISORY_MODE   | Read-only mode: log what would be removed, remove nothing.

Note: During lingering object removal, Event ID 1937 is logged to the Directory Service log. This information includes the source domain controller, the objects that are removed, and a total count of all the objects that are removed. Always run the advisory pass first and review the log before running the command without /ADVISORY_MODE, and repeat the command for every naming context (domain, configuration, application partitions) the suspect DC holds.
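The procedure above driven from PowerShell, as an added example (my own code, not from the page): it reads the consistency setting from the registry key listed earlier, pulls the source DC's "DSA object GUID" out of repadmin /showrepl output, runs the advisory pass first, and deletes only when asked. The function names are my own, the repadmin switches and registry value are the ones documented above, and the /showrepl excerpt is constructed rather than captured from a real DC.

```powershell
# Added example: wrap the lingering-object workflow (check consistency, find the source
# DSA GUID, advisory pass, then removal) so the safe order cannot be skipped by accident.
function Get-StrictReplicationConsistency {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    if ($null -eq $key) {
        return [pscustomobject]@{ Computer = $ComputerName; Strict = $null; Note = 'NTDS key missing: not a domain controller' }
    }
    $value = $key.GetValue('Strict Replication Consistency')   # absent means the Windows Server 2003 default of 1 (strict)
    [pscustomobject]@{ Computer = $ComputerName; Strict = ($null -eq $value -or $value -eq 1); Note = "raw value: $value" }
}

function Get-DsaObjectGuid {
    # Parses the "DSA object GUID" line that repadmin /showrepl prints for a DC.
    param([Parameter(Mandatory)][string[]]$ShowReplOutput)
    foreach ($line in $ShowReplOutput) {
        if ($line -match 'DSA object GUID:\s*([0-9a-fA-F-]{36})') { return [guid]$Matches[1] }
    }
    throw 'DSA object GUID not found in repadmin /showrepl output'
}

function Remove-LingeringObjects {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SuspectDC,       # <Dest_DC_LIST>: the DC believed to hold lingering objects
        [Parameter(Mandatory)][guid]$SourceDsaGuid,     # <Source DC GUID>: DSA object GUID of an up-to-date DC
        [Parameter(Mandatory)][string]$NamingContext    # <NC>, for example DC=corp,DC=example
    )
    if (-not (Get-Command repadmin.exe -ErrorAction SilentlyContinue)) {
        throw 'repadmin.exe not found: run this on a domain controller or a host with the AD DS tools installed'
    }
    # Advisory pass: logs what would be removed to the Directory Service log, touches nothing.
    & repadmin.exe /removelingeringobjects $SuspectDC $SourceDsaGuid.ToString() $NamingContext /advisory_mode
    if ($LASTEXITCODE -ne 0) { throw "advisory pass failed with exit code $LASTEXITCODE" }
    # Real removal only with explicit confirmation; -WhatIf stops here after the advisory pass.
    if ($PSCmdlet.ShouldProcess($SuspectDC, "remove lingering objects from $NamingContext")) {
        & repadmin.exe /removelingeringobjects $SuspectDC $SourceDsaGuid.ToString() $NamingContext
    }
}

# Constructed excerpt of repadmin /showrepl output (not captured from a real DC):
$sampleShowRepl = @'
Default-First-Site-Name\DC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 3fc2a1b4-5d6e-4f70-8a9b-0c1d2e3f4a5b
DSA invocationID: 7e8f9a0b-1c2d-4e3f-a5b6-c7d8e9f0a1b2
'@
$sampleShowRepl = $sampleShowRepl -split "`r?`n"

Get-StrictReplicationConsistency
$sourceGuid = Get-DsaObjectGuid -ShowReplOutput $sampleShowRepl
# Real run (needs repadmin and rights on the DC); DC02 and the naming context are assumed names:
# Remove-LingeringObjects -SuspectDC 'DC02' -SourceDsaGuid $sourceGuid -NamingContext 'DC=corp,DC=example' -WhatIf
```

Pick the source DC deliberately: it must be one that is known to be clean and that holds a writable or read-only copy of the naming context, otherwise the comparison has nothing trustworthy to measure against.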
 
What is a USN with reference to Active Directory?

An update sequence number (USN) is a 64-bit counter maintained by each domain controller. It is incremented every time that domain controller writes a change to its copy of the directory, and the new value is recorded with the change: in the object's usnChanged attribute and in the per-attribute replication metadata (local USN, originating DC and originating USN, version number, and time stamp). USNs are local to a DC, so the same change carries different USNs on different DCs; replication partners track each other's highest USN (the high-watermark) to work out which changes still have to be pulled. To view the replication metadata for an object, use the following command at a command prompt:

repadmin /showobjmeta <DC> <object DN>

(repadmin /showmeta is the older Windows 2000 name for the same command.)
 
 
What is KCC?
 
The KCC is a built-in process that runs on all domain
controllers. The KCC generates and maintains the replication topology for
replication within sites and between sites.
The KCC has two major functions:
 
·        
Configures
replication connections (connection objects) between domain controllers. Each
connection object defines incoming replication from a replication partner.
Within a site, each KCC generates its own connections. For replication between
sites, a single KCC per site generates all connections between sites.
·        
Converts
the connection objects that represent inbound replication to the local domain
controller into the replication agreements that are actually used by the replication
engine.
 
By default, the KCC reviews and makes
modifications to the Active Directory replication topology every
15 minutes to ensure propagation of data, either directly or transitively,
by creating and deleting connection objects as needed. The KCC recognizes
changes that occur in the environment and ensures that domain controllers are
not orphaned in the replication topology.
 
 
What are the protocols used by Active Directory for replication?
 
Active Directory uses remote procedure call (RPC) over Internet
Protocol (IP) to transfer replication data between domain controllers. RPC over
IP is used for both inter-site and intra-site replication. To keep data secure
while in transit, RPC over IP replication uses both authentication (using the
Kerberos V5 authentication protocol) and data encryption.
 
When a direct or reliable IP connection is not available, replication between sites can be configured to use the Simple Mail Transfer Protocol (SMTP). However, SMTP replication is limited and requires an enterprise certification authority (CA), because the replication messages are signed and encrypted with certificates issued to the domain controllers. SMTP can only be used to replicate the configuration, schema and application directory partitions, and does not support the replication of domain directory partitions, so two sites that contain DCs for the same domain must be connected by an IP site link.
 
 
Explain the Active Directory Partitions
 
In Active Directory, a directory partition is a portion of
the directory namespace. Each directory partition contains a hierarchy (sub-tree)
of directory objects in the directory tree. The same directory partition can be
stored as copies (replicas) on many domain controllers, and the copies are
updated through directory replication.
 
Every domain controller contains the following three
directory partitions:
 
Configuration: Contains the Configuration container, which stores configuration objects for the entire forest in cn=configuration,dc=<forestRootDomain>. Updates to this container are replicated to all domain controllers in the forest. Configuration objects store information about sites, services, and directory partitions. You can view the contents of the Configuration container by using ADSI Edit.

Schema: Contains the Schema container, which stores class and attribute definitions for all existing and possible Active Directory objects in cn=schema,cn=configuration,dc=<forestRootDomain>. Updates to this container are replicated to all domain controllers in the forest. You can view the contents of the Schema container in the Active Directory Schema console.

Domain: Contains a <domain> container (for example, the Reskit.com container), which stores users, computers, groups, and other objects for a specific Windows 2000 domain (for example, the Reskit.com domain). Updates to the <domain> container are replicated only to domain controllers within the domain, and to Global Catalog servers if the update is made to an attribute that is marked for replication to the Global Catalog. The <domain> container is displayed in the Active Directory Users and Computers console. The hierarchy of domain directory partitions can be viewed in the Active Directory Domains and Trusts console, where trust relationships between domains can be managed.

Application partition: Windows 2003 AD adds a fourth kind, the application directory partition, which is replicated only to the specific domain controllers chosen for it rather than to every DC in the domain or forest. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. The best-known examples are the DomainDnsZones and ForestDnsZones partitions that hold Active Directory-integrated DNS zones. Application partitions cannot contain security principals and are not replicated to the Global Catalog. The partitions a DC holds are listed in the namingContexts attribute of its RootDSE (visible in ADSI Edit or ldp.exe).
 
 
What is the name of the AD Database and what is the default location of the AD Database?

NTDS.DIT is the main Active Directory database file, an Extensible Storage Engine (ESE) database. It grows as the database fills with objects and attributes. The transaction log files, by contrast, have a fixed size of 10 megabytes (MB) each. Any change made to the database is first written to the current log file and to the copy of the affected page in the database cache; the cache is flushed to the DIT file later. If the computer fails before the cache is flushed, ESE replays the log file at the next start to complete the update to the DIT file.

By default, the AD database is stored in %SystemRoot%\NTDS\NTDS.DIT (C:\WINNT\NTDS on Windows 2000, C:\WINDOWS\NTDS on Windows Server 2003); the path is chosen during dcpromo and is recorded under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. The log files for the directory database are stored in the same directory by default. Their purpose is to track the changes in the directory database, and they can grow to be quite large. Give all the room you can to the log files; for example, you can place the log files on different disk drives than the database file to reduce disk contention on a single drive. Because NTDS.DIT holds every password hash in the domain, the database, its logs, and any backup or volume shadow copy that contains them must be protected as tightly as the domain controller itself.

EDB.LOG and EDBXXXXX.LOG: EDB.LOG is the current log file for AD. When a change is made to the database, it is written to this file. When EDB.LOG becomes full of database transactions, it is renamed to EDBXXXXX.LOG, where XXXXX starts at 00001 and continues to increment using hexadecimal notation. AD uses circular logging by default, which deletes old log files once their transactions have been committed to the DIT. If you view the directory files at any time, you will notice the EDB.LOG file and one or more EDBXXXXX.LOG files.

EDB.CHK: Stores the database checkpoint, which identifies the point from which the database engine needs to replay the logs. This file is used during recovery and initialization.

RES1.LOG and RES2.LOG: Placeholder files that reserve the last 20 MB (10 MB each) of disk space on the drive. The reserved space gives the database engine enough room to commit outstanding transactions and shut down gracefully if other files consume all the remaining disk space.
 
What are FSMO roles? Briefly describe them all.
 
Windows 2000/2003 Multi-Master Model
 
A multi-master enabled database, such as the Active Directory,
provides the flexibility of allowing changes to occur at any DC in the
enterprise, but it also introduces the possibility of conflicts that can
potentially lead to problems once the data is replicated to the rest of the
enterprise. One way Windows 2000/2003 deals with conflicting updates is by
having a conflict resolution algorithm handle discrepancies in values by
resolving to the DC to which changes were written last (that is, "the last
writer wins"), while discarding the changes in all other DCs. Although
this resolution method may be acceptable in some cases, there are times when
conflicts are just too difficult to resolve using the "last writer
wins" approach. In such cases, it is best to prevent the conflict from
occurring rather than to try to resolve it after the fact. 
 
For certain types of changes, Windows 2000/2003 incorporates
methods to prevent conflicting Active Directory updates from occurring. 
 
Windows 2000/2003 Single-Master Model
 
To prevent conflicting updates in Windows 2000/2003, the Active
Directory performs updates to certain objects in a single-master fashion. In a
single-master model, only one DC in the entire directory is allowed to process
updates. This is similar to the role given to a primary domain controller (PDC)
in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the
PDC is responsible for processing all updates in a given domain. 
 
In a forest, there are five Flexible Single Master Operation (FSMO) roles. Two are forest-wide (held by exactly one DC in the forest) and three are domain-wide (held by exactly one DC in each domain). The five FSMO roles are:
· Schema Master (forest-wide)
· Domain Naming Master (forest-wide)
· PDC Emulator (one per domain)
· Infrastructure Master (one per domain)
· RID Master (one per domain)
 
Schema Master: 
The schema master domain controller controls all updates and
modifications to the schema. Once the Schema update is complete, it is
replicated from the schema master to all other DCs in the directory. To update
the schema of a forest, you must have access to the schema master. There can be
only one schema master in the whole forest. 
 
Domain naming master: 
The domain naming master domain controller controls the addition
or removal of domains in the forest. This DC is the only one that can add or
remove a domain from the directory. It can also add or remove cross references
to domains in external directories. There can be only one domain naming master
in the whole forest. 
 
Infrastructure Master: 
When an object in one domain is referenced by another object in
another domain, it represents the reference by the GUID, the SID (for
references to security principals), and the DN of the object being referenced.
The infrastructure FSMO role holder is the DC responsible for updating an
object's SID and distinguished name in a cross-domain object reference. At any
one time, there can be only one domain controller acting as the infrastructure
master in each domain. 
 
Note: The
Infrastructure Master (IM) role should be held by a domain controller that is
not a Global Catalog server (GC). If the Infrastructure Master runs on a Global
Catalog server it will stop updating object information because it does not
contain any references to objects that it does not hold. This is because a
Global Catalog server holds a partial replica of every object in the forest. As
a result, cross-domain object references in that domain will not be updated and
a warning to that effect will be logged on that DC's event log. If all the
domain controllers in a domain also host the global catalog, all the domain
controllers have the current data, and it is not important which domain
controller holds the infrastructure master role.
 
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user, group or computer, it attaches a unique security identifier (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain. Each DC in a domain is allocated a pool of RIDs (500 at a time by default) that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC. If the RID master stays unavailable long enough, the other DCs exhaust their pools and can no longer create users, groups or computers. At any one time, there can be only one domain controller acting as the RID master in the domain.
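The domain SID plus RID structure described here, and the well-known RIDs behind the Domain Admins and Enterprise Admins question earlier on the page, as an added example (my own PowerShell, not from the page). The RID values are documented constants; the function names and the sample domain SIDs are constructed for this illustration.

```powershell
# Added example: split a domain-issued SID into its domain part and RID, and label the
# well-known RIDs. Same domain SID means same domain; the RID is what the RID master hands out.
$WellKnownRids = @{
    500 = 'Administrator';    501 = 'Guest';              502 = 'krbtgt'
    512 = 'Domain Admins';    513 = 'Domain Users';       514 = 'Domain Guests'
    515 = 'Domain Computers'; 516 = 'Domain Controllers'; 517 = 'Cert Publishers'
    518 = 'Schema Admins (forest root domain only)'
    519 = 'Enterprise Admins (forest root domain only)'
    520 = 'Group Policy Creator Owners'
}

function Split-DomainSid {
    param([Parameter(Mandatory)][string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)   # throws on a malformed SID
    if ($null -eq $sidObj.AccountDomainSid) { throw "$Sid was not issued by a domain (no S-1-5-21 prefix)" }
    $rid = [int](($Sid -split '-')[-1])
    [pscustomobject]@{
        Sid         = $Sid
        DomainSid   = $sidObj.AccountDomainSid.Value   # identical for every principal in the domain
        Rid         = $rid
        WellKnown   = $WellKnownRids[$rid]             # $null for ordinary principals
        FromRidPool = $rid -ge 1000                    # RIDs below 1000 are reserved, not pool-allocated
    }
}

function Test-SameDomain {
    # Different domain SIDs mean a cross-domain reference, one of the cases the
    # Infrastructure Master has to keep up to date when the referenced object moves or is renamed.
    param([Parameter(Mandatory)][string]$SidA, [Parameter(Mandatory)][string]$SidB)
    (Split-DomainSid $SidA).DomainSid -eq (Split-DomainSid $SidB).DomainSid
}

# Constructed sample SIDs (the domain parts are made up):
$rootDomain  = 'S-1-5-21-1004336348-1177238915-682003330'
$childDomain = 'S-1-5-21-2398512671-2014621033-3149506817'
Split-DomainSid "$rootDomain-519"      # Enterprise Admins lives only in the forest root domain
Split-DomainSid "$childDomain-512"     # Domain Admins of the child domain
Split-DomainSid "$childDomain-1105"    # an ordinary user or group, RID handed out from a RID pool
Test-SameDomain "$rootDomain-500" "$childDomain-1105"
```

The WellKnown column is the quick way to tell a renamed built-in group from a look-alike: an attacker can create a group called "Domain Admins" in an OU, but only the real one ends in RID 512, which is also why detection rules should match on the SID rather than the name.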
 
PDC Emulator:
The PDC emulator is the root of the time synchronization hierarchy in the forest. Windows 2000/2003 includes the W32Time (Windows Time) service because the Kerberos authentication protocol requires that clocks agree (within 5 minutes by default). All Windows 2000/2003-based computers within an enterprise therefore use a common time. The time service uses a strict hierarchy, which controls which computer is authoritative and does not permit loops: domain members synchronize with a domain controller in their domain, domain controllers synchronize with the PDC emulator of their domain, and the PDC emulator of each domain follows the hierarchy of domains when selecting its in-bound time partner (a domain controller or the PDC emulator in the parent domain). The PDC emulator of a domain is authoritative for the domain. The PDC emulator in the forest root domain is authoritative for the whole enterprise and should be configured to take time from a reliable external source.
 
In a Windows 2000/2003 domain, the PDC emulator role holder
retains the following functions: 
·        Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator.
·        Authentication failures that occur at a given DC because of an
incorrect password are forwarded to the PDC emulator before a bad-password
failure is reported to the user, so a password that was just changed on another
DC is still accepted. 
·        Account lockout is processed on the PDC emulator. 
·        Editing or creation of Group Policy Objects (GPOs) is always done from
the GPO copy in the PDC emulator's SYSVOL share, unless the administrator
configures otherwise.
·        The PDC emulator performs all of the functions that a Microsoft
Windows NT 4.0 (or earlier) PDC performs for Windows NT 4.0 (or earlier)
clients. 
This last part of the role becomes unnecessary once all workstations, member
servers and domain controllers running Windows NT 4.0 or earlier have been
upgraded to Windows 2000/2003; the PDC emulator still performs the other
functions in a Windows 2000/2003 environment. 
At any one time, there can be only one domain controller acting as the PDC
emulator in each domain in the forest. 
 
 
What is a Global Catalog?
 
The Global Catalog holds a partial replica of every object in the forest: an
index of all objects together with a small, most commonly used subset of their
attributes (roughly 60 of about 1500). Most of the time this removes the need
for a requester to search through the other domains in the forest, unless one
of the non-typical attributes is being searched for. The set of attributes
stored on each Global Catalog server (the partial attribute set) can be changed
with the Active Directory Schema snap-in by selecting "Replicate this attribute
to the Global Catalog" on the attribute. Because the GC replicates forest-wide,
add only attributes that genuinely need forest-wide visibility.
 
 
What is universal group membership
cache in windows 2003?
 
Universal Group Membership Caching removes the need to locate a global catalog
across a wide area network (WAN) at logon by storing universal group membership
information on the authenticating domain controller. Once the option is enabled
for a site, the information is cached locally the first time a user logs on:
the domain controller obtains the user's universal group membership from a
global catalog, caches it indefinitely and refreshes it periodically. At the
next logon, a Windows Server 2003 domain controller in that site serves the
universal group membership from its local cache without contacting a global
catalog. By default, the cached membership on each domain controller is
refreshed every 8 hours. Because group membership drives authorization, a user
removed from a universal group may keep that access at a caching site until the
next refresh.
 
 
Can I place Global Catalog and
Infrastructure Master Role on the same server? Justify your answer.
 
A Global Catalog should not be placed on the same server as the infrastructure
master, unless every domain controller in the domain is a Global Catalog. The
infrastructure master's job is to update references from objects in its own
domain to objects in other domains. It does this by comparing its local data
with that of a global catalog; when it finds its data out of date it requests
the update from the global catalog and replicates the corrected reference to
the other domain controllers in the domain. If both roles are on the same
server, the infrastructure master never detects that its data is out of date
and never updates the other domain controllers. It is, however, recommended to
place the infrastructure master in the same site as a Global Catalog server so
that the comparison is fast and reliable.
 
 
Give the names of few standard
commands / tools from MS to troubleshoot AD related issues?
 
NSLOOKUP / DNSCMD – To
troubleshoot DNS related issues with reference to AD
 
DSASTAT – Compares directory information on domain controllers or directory
partitions, detecting and reporting differences among a user-defined scope of
objects on two domain controllers. It also retrieves capacity statistics such
as megabytes per server, objects per server and megabytes per object class.
DSASTAT is used to determine whether the domain controllers in a domain hold a
consistent and accurate image of their own domain.
 
DCDIAG - The Domain Controller Diagnostic (DCDIAG)
utility allows you to analyze the current state of the domain controllers in a
domain or forest. It automatically performs the analysis and reports any
problems with a domain controller. DCDIAG consists of a set of tests that you
can use to verify and report on the functional components of AD on the computer
 
NTDSUTIL - The Directory Services Management utility (NTDSUTIL.EXE) is a
command-line utility included in Windows that you can use to troubleshoot and
repair AD. It exposes various internal components of AD: you can manage the
directory store (database) and clean up orphaned data objects that were
improperly removed, perform database maintenance, prepare for new domain
creations, transfer or seize FSMO roles, purge metadata left behind by
abandoned domain controllers (those removed from the forest without being
demoted) and clean up objects and attributes of decommissioned or demoted
servers.
 
NLTEST - Tests the status of secure channels and trust-relationship links
(a Support Tools / Resource Kit command-line utility). Run on the trusting
domain controller, NLTEST can break and re-initialize a secure channel (for
example to check when the secure-channel password was last changed), report on
an existing trust relationship, and restart the discovery process for a new
trusted domain controller.
 
REPADMIN - You can also use the Replication Administration (REPADMIN)
utility to monitor and troubleshoot AD replication related issues.
 
 
What types of trust relationships
are supported in Windows 2003
 
Trust types
Communication between domains occurs through trusts. Trusts
are authentication pipelines that must be present in order for users in one
domain to access resources in another domain. Two default trusts are created
when using the Active Directory Installation Wizard. There are four other types
of trusts that can be created using the New Trust Wizard or the Netdom
command-line tool.
 
Default trusts
By default, two-way, transitive trusts are automatically
created when a new domain is added to a domain tree or forest root domain using
the Active Directory Installation Wizard. The two default trust types are
defined in the following table. 
 
  |  Trust type  | Transitivity  | Direction  | Description  | 
 
  | Parent and child | Transitive  | Two-way  | By default, when a new child domain is added to an
  existing domain tree, a new parent and child trust is established.
  Authentication requests made from subordinate domains flow upward through
  their parent to the trusting domain | 
 
  | Tree-root | Transitive  | Two-way  | By default, when a new domain tree is created in an
  existing forest, a new tree-root trust is established. | 
 
Other trusts
Four other types of trusts can be created using the New
Trust Wizard or the Netdom command-line tool: external, realm, forest, and
shortcut trusts. These trusts are defined in the following table.
 
 
  | Trust type  | Transitivity  | Direction  | Description  | 
 
  | External | Non-transitive  | One-way or two-way | Use external trusts to provide access to resources
  located on a Windows NT 4.0 domain or a domain located in a separate
  forest that is not joined by a forest trust.  | 
 
  | Realm | Transitive or non-transitive | One-way or two-way | Use realm trusts to form a trust relationship between a
  non-Windows Kerberos realm and a Windows Server 2003 domain.. | 
 
  | Forest | Transitive  | One-way or two-way | Use forest trusts to share resources between forests. If
  a forest trust is a two-way trust, authentication requests made in either forest
  can reach the other forest | 
 
  | Shortcut | Transitive  | One-way or two-way | Use shortcut trusts to improve user logon times between
  two domains within a Windows Server 2003 forest. This is useful when the two
  domains are in different domain trees or far apart in the tree, so that
  authentication would otherwise traverse the whole trust path. | 
 
When creating external, shortcut, realm, or forest trusts,
you have the option to create each side of the trust separately or both sides
of a trust simultaneously. 
 
If you choose to create each side of the trust separately, you will need to
run the New Trust Wizard twice, once in each domain, and supply the same trust
password in both. As a security best practice, all trust passwords should be
strong passwords. If you choose to create both sides of the trust
simultaneously, you run the New Trust Wizard once and a strong trust password
is generated for you.
 
 
Can we establish trust relationship
between two forests? If so how?
 
Yes, in Windows Server 2003; not in Windows 2000. Windows 2000 supports only
non-transitive external trusts between individual domains in different forests.
Windows Server 2003 adds the transitive forest trust, which requires both
forests to be at the Windows Server 2003 forest functional level and the two
forest root domains to be able to resolve each other's DNS names.
 
Follow these
steps to create a forest level trust relationship:
 
1. Open active
directory domains and trusts from administrative tools.
 
2. In the
console tree pane, select and right-click the domain node for the forest root
for which you want to create a trust.
 
3. Select
properties.
 
4. Select the
trusts tab in the properties dialog box.
 
5. Click new
trust and click next (skip the welcome screen).
 
6. On the trust
name page, enter the dns name of the target domain for your trust (for our
example, it is cogswellcogs.com) and click next.
 
7. Select
forest trust on the trust type page and click next. (if the forest trust option
is missing, you may have omitted one of the prerequisites. In that case, double-check
the dns forwarders tab and the forest functional level of all the domains in
both forests.)
 
8. Choose a
direction for the trust relationship: two-way, one-way incoming or one-way
outgoing.
Two-way: users in either forest can be authenticated in the other forest.
One-way incoming: users in this forest can be authenticated in the other
forest (the other forest trusts this one), but not vice versa. 
One-way outgoing: users in the target forest can be authenticated in this
forest (this forest trusts the other), but not vice versa. 
In every case, which resources a user can actually reach is still decided by
the permissions on those resources. 
After you’ve
chosen, click next.
 
9. Resource
access is still governed by permissions in the domain where the resource
exists. The trust direction provides access to all resources where permissions
allow access. Select the sides of the trust relationship: this domain only or
both this domain and the target domain.
This domain only: creates the trust
relationship in this domain only; an administrator on the other end will have
to complete the other trust. 
Both this domain and the target domain: requires sufficient access in the
remote domain and will allow you to complete the trust setup. 
 
10. Select the
appropriate path, depending on the choices you made in the previous two steps.
 
If you chose
two-way or one-way outgoing in step 8 and this domain only in step 9, you will
need to select a trust authentication level. Domain-wide authentication will
authenticate all users in the remote forest for all resources in the local
forest. Choosing selective authentication will allow you to specify which users
in the remote domain have access to local resources. Click next. Enter a
password for the trust and click next. 
 
If you chose
one-way incoming in step 8 and this domain only in step 9, enter the password
for the trust in the trust password and confirm password boxes. Click next. 
 
If you selected
both domains (this domain and the selected domain) in step 9, a username and
password box will appear to allow you to enter the username and password of an
administrator account in the target forest. Click next. 
 
11. On the next
screen, verify all of your selections. When you click next, the wizard creates
the trust. Verify the settings of the new trust.
 
12. Confirm the
outgoing trust. Select yes if you created both sides of the trust; select no if
you did not.
 
13. Click
finish in the creating the trust wizard.
The new trust
will appear on the trusts tab in the properties dialog box for the domain.
Now you know how to create forests trusts, which can save your
organization administration time and effort trying to improve collaboration on
projects or between business partners.
 
 
Is it possible to do implicit
transitive forest to forest trust relationship in windows 2003?
 
No. A Windows Server 2003 forest trust is transitive only between the two
forests that created it: every domain in forest A trusts every domain in forest
B, but a trust from B to a third forest C gives A no access to C. Forest trusts
are always created explicitly, and can be:
Two-way 
One-way: incoming
One-way: outgoing
 
What are “Lingering Objects” in
Active Directory?
When restoring from a backup, Active Directory requires that the backup be no
older than the tombstone lifetime: 60 days by default in forests created with
Windows 2000 or Windows Server 2003 RTM, 180 days in forests created with
Windows Server 2003 SP1 or later. If you restore an expired backup, you may
encounter problems due to “lingering objects”. 
What Are Lingering Objects?
A lingering object is a deleted AD object that re-appears (“lingers”) in the
restored domain controller's (DC's) local copy of Active Directory. This
happens when the object was deleted on another DC after the backup was taken,
and that deletion is already more than a tombstone lifetime (60 or 180 days) in
the past.
When a DC deletes an object it replaces it with a tombstone, a placeholder that
represents the deleted object. Replication carries the tombstone to the other
DCs, which delete the object as well. Tombstones are kept for the tombstone
lifetime and are then garbage-collected and removed.
If a DC is restored from a backup that still contains an object deleted
elsewhere, the object re-appears on the restored DC. Because the tombstone has
already been removed from the other DCs, the restored DC never receives it via
replication and is never told about the deletion, so the object “lingers” in
its copy of Active Directory. The same condition arises when a DC has been
offline for longer than the tombstone lifetime and then resumes replication.
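The two conditions that produce a lingering object, as an added Python example rather than Microsoft tooling. The DNs and dates are constructed; the tombstone lifetimes are the defaults stated above. Dates are passed as ISO strings so the check is easy to run against a list exported from elsewhere.

```python
"""Which deleted objects would linger after restoring a stale AD backup?

Added illustration of the rule described above, not Microsoft code. Tombstone
lifetime (TSL) defaults: 60 days for forests created with Windows 2000 or
Windows Server 2003 RTM, 180 days for Windows Server 2003 SP1 or later.
"""
from datetime import date

TSL_DAYS = {"w2k_or_2003_rtm": 60, "2003_sp1_or_later": 180}


def as_date(value) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def backup_still_restorable(backup_taken, today, tsl_days: int) -> bool:
    """A backup older than the tombstone lifetime must not be restored."""
    return (as_date(today) - as_date(backup_taken)).days <= tsl_days


def lingering_after_restore(backup_taken, restore_day, deletions: dict, tsl_days: int) -> list:
    """Return the DNs that would reappear on the restored DC.

    deletions maps object DN -> the date it was deleted on some other DC.
    An object lingers only if (a) it was still live when the backup was taken,
    so the backup contains it, and (b) its tombstone has already been
    garbage-collected everywhere else, so replication can never tell the
    restored DC about the deletion.
    """
    backup_taken, restore_day = as_date(backup_taken), as_date(restore_day)
    lingering = []
    for dn, deleted_on in deletions.items():
        deleted_on = as_date(deleted_on)
        in_backup = deleted_on > backup_taken
        tombstone_gone = (restore_day - deleted_on).days > tsl_days
        if in_backup and tombstone_gone:
            lingering.append(dn)
    return sorted(lingering)


if __name__ == "__main__":
    # Constructed scenario: backup taken 1 Jan, restore attempted 1 Sep (243 days later)
    deleted = {
        "CN=Alice,OU=Staff,DC=example,DC=com": "2021-01-15",  # after backup, tombstone long gone
        "CN=Bob,OU=Staff,DC=example,DC=com": "2021-06-01",    # after backup, tombstone still present
        "CN=Carol,OU=Staff,DC=example,DC=com": "2020-12-01",  # deleted before the backup was taken
    }
    tsl = TSL_DAYS["2003_sp1_or_later"]
    print("restorable:", backup_still_restorable("2021-01-01", "2021-09-01", tsl))
    print("would linger:", lingering_after_restore("2021-01-01", "2021-09-01", deleted, tsl))
```

Note the edge case the comparison exposes: Bob was deleted after the backup too, but his tombstone is still within its lifetime, so replication will delete him again after the restore; only Alice lingers. Shorten the tombstone lifetime to 60 days and Bob lingers as well.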
NETWORK SERVICES
 
Why do I have to point my domain
controller to itself for DNS?
 
The Netlogon service on the domain controller
registers a number of records in DNS that enable other domain controllers and
computers to find Active Directory-related information. If the domain
controller is pointing to the Internet service provider's (ISP) DNS server,
Netlogon does not register the correct records for Active Directory, and errors
are generated in Event Viewer. In Windows Server 2003, the recommended DNS
configuration is to configure the DNS client settings on all DNS servers to use
themselves as their own primary DNS server, and to use a different domain
controller in the same domain as their alternative DNS server, preferably
another domain controller in the same site. This process also works around the
DNS "Island" problem in Windows 2000. You must always configure the
DNS client settings on each domain controller's network interface to use the
alternative DNS server addresses in addition to the primary DNS server address.
 
 
What records does a domain
controller register in DNS?
 
The Netlogon service registers all the SRV
records for that domain controller. These records are displayed as the _msdcs,
_sites, _tcp, and _udp folders in the forward lookup zone that matches your
domain name. Other computers look for these records to find Active
Directory-related information
 
 
What is the "." zone in
my forward lookup zone?
 
This setting makes the Windows 2000 or Windows Server 2003 DNS server believe
it is a root server: because it is authoritative for the root of the namespace,
it never consults root hints or forwarders. The zone is usually deleted. If you
do not delete it, the server may be unable to resolve external names through
the Internet root servers.
 
 
Why can't I use WINS for name
resolution like it is used in Microsoft Windows NT 4.0?
 
A Windows 2000 or Windows Server 2003 domain
controller does not register Active Directory-related information with a WINS
server; it only registers this information with a DNS server that supports
dynamic updates such as a Windows 2000 or Windows Server 2003 DNS server. Other
Windows 2000-based and Windows Server 2003-based computers do not query WINS to
find Active Directory-related information.
 
 
Explain few important types of DNS
Records
 
A (address): maps a host name to an IP address. When a computer has multiple
adapter cards or IP addresses, or both, it should have multiple address
records.
CNAME (canonical name): sets an alias for a host name. For example, using this
record, zeta.microsoft.com can have the alias www.microsoft.com.
MX (mail exchange): specifies a mail exchange server for the domain, which
allows mail to be delivered to the correct mail servers in the domain.
NS (name server): specifies a name server for the domain, which allows DNS
lookups within various zones. Each primary and secondary name server should be
declared through this record.
PTR (pointer): maps an IP address to a host name for reverse lookups.
SOA (start of authority): declares the host that is the most authoritative for
the zone and, as such, is the best source of DNS information for the zone. Each
zone file must have an SOA record (created automatically when you add a zone).
SRV (service location): identifies the host and port that provide a named
service; Active Directory clients rely on SRV records to locate domain
controllers (see below).
 
12/03/2021 - Uploaded
 
 
What's the DNS
_msdcs zone for the forest root domain used for?
 
Active Directory
(AD) uses DNS as its locator service to support the various types of services
that AD offers, such as Global Catalog (GC), Kerberos, and Lightweight
Directory Access Protocol (LDAP). Other non-Microsoft services can be
advertised in the DNS, including--but not restricted to--non-Microsoft
implementations of LDAP and GC. However, sometimes clients might need to
contact a Microsoft-hosted service. For that reason, each domain in DNS has an
_msdcs subdomain that hosts only DNS SRV records that are registered by
Microsoft-based services. The Netlogon process dynamically creates these
records on each domain controller (DC). The _msdcs subdomain also includes the
globally unique identifier (GUID) for all domains in the forest and a list of
GC servers.
 
If you install a
new forest on a system that runs Windows Server 2003 and let the Dcpromo wizard
configure DNS, Dcpromo will actually create a separate zone called
_msdcs.<forest name> on the DNS server. This zone is configured to store
its records in a forest-wide application directory partition, ForestDNSZones,
which is replicated to every DC in the forest that runs the DNS service. This
replication makes the zone highly available anywhere in the forest.
 
 
What are SRV
records and why they are important for proper functioning of Active Directory?
 
Windows 200X Active Directory (AD) uses the
service-location mechanism that the Internet Engineering Task Force (IETF) Request for Comments (RFC)
2782 specifies. This RFC shows how clients can use DNS SRV records to locate
network services on the network.
 
The SRV Records of a domain controller in the domain plays
an important role in Active Directory. Active Directory cannot work without a
DNS server. The DNS server in Active Directory is used to locate Domain
Controllers in the forest or domain with the help of SRV records. Service
Records or SRV records are registered specifically for domain controllers when
you promote a member server to domain controller. The Netlogon service on
domain controller is responsible to register SRV records.
So now you understand that Windows 200x domains rely
heavily on DNS entries. Let us see some of the important SRV records created by
Netlogon service for a DC.
 
_ldap._tcp.<DNSDomainName>
Enables a client to locate a W2K domain controller in the
domain named by <DNSDomainName>. A client searching for a domain
controller in the domain dpetri.net would query the DNS server for
_ldap._tcp.dpetri.net.
 
_ldap._tcp.<SiteName>._sites.<DNSDomainName>
Enables a client to find a W2K domain controller in the
domain and site specified (e.g., _ldap._tcp.lab._sites.dpetri.net for a domain
controller in the Lab site of dpetri.net).
 
_ldap._tcp.pdc._msdcs.<DNSDomainName>
Enables a client to find the PDC emulator flexible single master operations
(FSMO) role holder of the domain. Only the PDC emulator of the domain registers
this record.
 
_ldap._tcp.gc._msdcs.<DNSTreeName>
Enables a client to find a Global Catalog (GC) server. Only
domain controllers serving as GC servers for the tree will register this name.
If a server ceases to be a GC server, the server will deregister the record.
 
_ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSTreeName>
Enables a client to find a GC server in the specified site
(e.g., _ldap._tcp.lab._sites.gc._msdcs.dpetri.net).
 
_ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>
Enables a client to find a domain controller in a domain based on the domain's
globally unique identifier (GUID). A GUID is a 128-bit (16-byte) value that is
generated automatically for referencing Active Directory objects; because it
does not change when a domain is renamed, this record still locates the domain
after a rename.
 
<DNSDomainName>
Enables a client to find a domain controller through a
normal Host record. 
After DCPROMO runs, a text file containing the appropriate DNS resource records
for the domain controller is created: Netlogon.dns, in the
%systemroot%\System32\config folder. It lists all the records the domain
controller needs registered. The Windows 2000 NetLogon service uses it, and it
can be imported manually into a DNS server that does not accept dynamic updates
(for example a non-Windows 2000 DNS server) so that Active Directory still
works with that server. 
 
 
Explain the structure of an SRV record
 
Defined in RFC 2782. The SRV RR identifies the host(s) that support a
particular service. The MX RR is a specialised example of service discovery,
while the SRV RR is a general-purpose RR for discovering any service, with
control over prioritisation and load distribution. Outside Active Directory,
which depends on it as described above, it is not widely used, except notably
by OpenLDAP and increasingly by VoIP systems in conjunction with the NAPTR RR.
The idea behind SRV is that given a domain name, for instance example.com, and
a service name, for example web (http), which runs on a protocol (tcp in the
web case), a DNS query can find the host name that provides that service for
the domain. The host may or may not be within the domain itself.
SRV
Syntax
srvce.prot.name  ttl  class  rr  pri  weight  port  target
_http._tcp.example.com.  IN  SRV  0  5  80  www.example.com.
 
  | Field | Description | 
 
  | srvce | Defines the symbolic service
  name (see IANA port-numbers) prepended with a '_' (underscore). Case insensitive. Common
  values are:  
   _http
       - web service _ftp
       - file transfer service _ldap
       - LDAP service _imap
       - IMAP mail service _PKIXREP
       - PKIX Repository (X.509 certificates)  | 
 
  | prot | Defines the protocol name (see IANA service-names) prepended with a
  '_' (underscore). Case insensitive. Common values are _tcp (TCP) and _udp
  (UDP). Notes on SRV in PKIX (X.509) handling: RFC 4210 defines service names
  of certificates, crls, pgpkeys and pgprevokations, all with a protocol of tcp,
  to indicate the use of the CMP protocol over HTTP/HTTPS. Thus a certificate
  store supporting CMP may be discovered for the domain example.com by a query
  for _certificates._tcp.example.com. In a variation, RFC 4386 (INFORMATIONAL
  status) defines the _PKIXREP service for discovery of X.509 certificate
  repositories and other PKIX services, but puts in the protocol field what
  other users of the SRV RR treat as the service name. For _PKIXREP the
  protocol values would be _ldap (the repository is served over LDAP), _http
  (served over HTTP) and _ocsp (the server provides an Online Certificate
  Status Protocol service). Additional values such as _cmp, _svcp or _crl
  could presumably describe other PKIX services, although RFC 4386 does not
  mention them. Finally, OCSP (RFC 2560) can run over several transports
  (LDAP, HTTP or SMTP), so the _PKIXREP definition does not carry enough
  information to distinguish between them and allow true service discovery. | 
 
  | name | Incomprehensible description in RFC 2782. This RR obeys the
  normal name rules such that leaving the entry blank (without a dot) will
  substitute the current the zone root (or the current $ORIGIN), or you can
  explicitly add it as in the above _http._tcp.example.com. (with
  a dot). | 
 
  | ttl | Optional. Standard TTL
  parameter. For more
  information about TTL values. | 
 
  | class | Optional. Standard CLASS
  parameter. Normally IN for Internet class. For
  more information. | 
 
  | pri | The relative priority of this service (range 0 - 65535). Lowest value
  is highest priority; usage is the same as the MX preference field. | 
 
  | weight | Used when more than one service has the same priority. A 16 bit
  unsigned integer in the range 0 - 65535. The value 0 indicates no weighting
  should be applied. If the weight is 1 or greater it is a relative number in
  which the highest is most frequently delivered, that is, given two SRV
  records both with Priority = 0, one with weight = 1 the other weight = 6, the
  one with weight 6 will have its RR delivered first 6 times out of 7 by the
  name server. | 
 
  | port | Normally the port number assigned to the symbolic service but
  this is not a requirement, for instance, it is permissible to define a _http
  service with a port number of 8100 rather than the more normal port 80. | 
 
  | target | The name of the host that will provide this service. Does not
  have to be in the same zone (domain). May be just a host name or a FQDN. | 
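The Netlogon record set described earlier and the SRV field layout in the table above, combined in one added Python example (not Netlogon or any DNS server's code). The Netlogon.dns-style lines are constructed for example.com with three hypothetical DCs; the ordering routine implements the RFC 2782 client selection rule: lowest priority first, weighted random choice within a priority.

```python
"""Parse SRV records in the format Netlogon.dns uses and order them the way an
RFC 2782 client does: lowest priority first, weighted random within a priority.

Added illustration, not Windows or Netlogon code. The zone lines below are
constructed for the example (domain example.com, DCs dc1/dc2/dc-dr).
"""
import random
from dataclasses import dataclass

# Constructed Netlogon.dns-style lines: owner ttl class SRV priority weight port target
NETLOGON_DNS = """
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 100 389 dc-dr.example.com.
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc2.example.com.
_ldap._tcp.HQ._sites.example.com. 600 IN SRV 0 100 389 dc1.example.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # e.g. _ldap._tcp.example.com.
    service: str    # ldap
    proto: str      # tcp
    name: str       # example.com. (or pdc._msdcs.example.com., HQ._sites.example.com., ...)
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_owner(owner: str):
    """Split _service._proto.name into its three parts (underscores removed)."""
    service, proto, name = owner.split(".", 2)
    if not (service.startswith("_") and proto.startswith("_")):
        raise ValueError(f"not an SRV owner name: {owner!r}")
    return service[1:], proto[1:], name


def parse_srv_line(line: str) -> SrvRecord:
    """Parse one master-file style SRV line; TTL and class may be omitted."""
    tokens = line.split()
    rr_at = tokens.index("SRV")
    owner = tokens[0]
    ttl = int(tokens[1]) if rr_at >= 2 and tokens[1].isdigit() else 0
    priority, weight, port, target = tokens[rr_at + 1:rr_at + 5]
    service, proto, name = parse_owner(owner)
    return SrvRecord(owner, service, proto, name, ttl, int(priority), int(weight), int(port), target)


def load_zone(text: str):
    """Parse every SRV line in a Netlogon.dns-style text."""
    return [parse_srv_line(l) for l in text.splitlines() if l.strip() and "SRV" in l]


def lookup(records, owner):
    """All SRV records with the given owner name, as a resolver would return them."""
    return [r for r in records if r.owner.lower() == owner.lower()]


def _pick_weighted(group, rng):
    """RFC 2782 weighted choice: weight-0 records first, then a random point in [0, total]."""
    ordered = sorted(group, key=lambda r: r.weight != 0)
    total = sum(r.weight for r in ordered)
    point = rng.randint(0, total)
    running = 0
    for rec in ordered:
        running += rec.weight
        if running >= point:
            return rec
    return ordered[-1]


def order_by_rfc2782(records, rng=None):
    """Order SRV records as a client tries them: by priority, then weighted random."""
    rng = rng or random.Random()
    result = []
    for priority in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == priority]
        while group:
            chosen = _pick_weighted(group, rng)
            group.remove(chosen)
            result.append(chosen)
    return result


if __name__ == "__main__":
    zone = load_zone(NETLOGON_DNS)
    for rec in order_by_rfc2782(lookup(zone, "_ldap._tcp.example.com."), random.Random(7)):
        print(f"try {rec.target}:{rec.port} (pri={rec.priority}, weight={rec.weight})")
```

Running it shows why priority and weight matter operationally: dc1 and dc2 (priority 0) are tried in random order on every lookup, while dc-dr (priority 10) is only contacted when both fail. It also shows why DNS integrity matters: whoever controls these records controls which hosts clients treat as domain controllers, which is the reason the page recommends secure dynamic updates for AD-integrated zones.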
 
Explain the difference between Iterative and Recursive DNS queries
 
With a recursive name
query, the DNS client
requires that the DNS server respond to the client with either the requested
resource record or an error message stating that the record or domain name does
not exist. The DNS server cannot just refer the DNS client to a different DNS
server. 
 
Thus, if a DNS server does not have the requested information when it receives
a recursive query, it queries other servers until it gets the information or
until the name query fails.
 
Recursive name queries are generally made by a DNS client
to a DNS server, or by a DNS server that is configured to pass unresolved name
queries to another DNS server, in the case of a DNS server configured to use a
forwarder.
 
An iterative name
query is one in which a
DNS client allows the DNS server to return the best answer it can give based on
its cache or zone data. If the queried DNS server does not have an exact match
for the queried name, the best possible information it can return is a referral (that is, a pointer to a DNS server
authoritative for a lower level of the domain namespace). The DNS client can
then query the DNS server for which it obtained a referral. It continues this
process until it locates a DNS server that is authoritative for the queried
name, or until an error or time-out condition is met. 
This process is sometimes referred to as
"walking the tree," and this type of query is typically initiated by
a DNS server that attempts to resolve a recursive name query for a DNS client.
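The "walking the tree" process described above, as an added Python simulation (not any real resolver's code). The name servers, zones and 192.0.2.x documentation addresses are constructed; glue records are abstracted by having each delegation name the next server directly.

```python
"""Recursive resolution built from iterative queries, over a constructed namespace.

Added illustration, not a real DNS implementation. The servers and records below
are made up (RFC 5737 documentation addresses). Glue records are abstracted
away: a delegation names the next server's key directly rather than an NS name
plus its A record.
"""

ROOT = "root-server"

# name server key -> the data it is authoritative for and the delegations it knows
SERVERS = {
    "root-server": {"answers": {}, "delegations": {"com.": "com-ns"}},
    "com-ns": {"answers": {}, "delegations": {"example.com.": "ns1.example.com"}},
    "ns1.example.com": {
        "answers": {"www.example.com.": "192.0.2.10", "ns1.example.com.": "192.0.2.53"},
        "delegations": {"corp.example.com.": "ns1.corp.example.com"},
    },
    "ns1.corp.example.com": {"answers": {"dc1.corp.example.com.": "192.0.2.200"}, "delegations": {}},
}


def iterative_query(server: str, qname: str):
    """One iterative query: the server answers from its own data or refers us on.

    Returns ("answer", address), ("referral", next_server) or ("nxdomain", None).
    A referral points at the server for the longest delegated zone containing
    qname; that is the 'best answer it can give' from its own zone data.
    """
    data = SERVERS[server]
    if qname in data["answers"]:
        return "answer", data["answers"][qname]
    best_zone, next_server = None, None
    for zone, ns in data["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            if best_zone is None or len(zone) > len(best_zone):
                best_zone, next_server = zone, ns
    if next_server is not None:
        return "referral", next_server
    return "nxdomain", None


def recursive_resolve(qname: str, max_hops: int = 8):
    """Walk the tree from the root until an answer or NXDOMAIN; never return a referral.

    Returns (address_or_None, [servers queried in order]). The hop limit is the
    loop guard a real recursive server needs against misconfigured delegations.
    """
    server, trail = ROOT, []
    for _ in range(max_hops):
        trail.append(server)
        kind, payload = iterative_query(server, qname)
        if kind == "answer":
            return payload, trail
        if kind == "nxdomain":
            return None, trail
        server = payload  # follow the referral one level down the tree
    raise RuntimeError(f"gave up after {max_hops} referrals resolving {qname}")


if __name__ == "__main__":
    for name in ("www.example.com.", "dc1.corp.example.com.", "nope.example.com."):
        addr, trail = recursive_resolve(name)
        print(f"{name} -> {addr}  via {' > '.join(trail)}")
```

The trail printed for each name is exactly the sequence of iterative queries the recursive server issues on the client's behalf; the client itself sends one recursive query and sees none of the referrals.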
 
 
What is the difference between a secondary zone and a stub
zone?
 
A secondary zone is a read-only copy of the primary zone. A stub
zone is a read-only copy of the primary zone that contains only the resource
records that identify the DNS servers that are authoritative for a DNS domain name.
 
 
Explain Active Directory Integrated Zones?
 
DNS servers running on domain controllers can store their zones in
Active Directory. In this way, it is not necessary to configure a separate DNS
replication topology that uses ordinary DNS zone transfers, because all zone
data is replicated automatically by means of Active Directory replication. This
simplifies the process of deploying DNS and provides the following advantages:
 
Multiple masters are created for DNS replication. Therefore any
domain controller in the domain running the DNS server service can write
updates to the Active Directory–integrated zones for the domain name for which
they are authoritative. A separate DNS zone transfer topology is not needed.
Secure dynamic updates are supported. Secure dynamic updates allow
an administrator to control which computers update which names, and prevent
unauthorized computers from overwriting existing names in DNS.
 
Windows Server 2003 DNS Active Directory stores zone data in
application directory partitions. The domain partition was the only Active
Directory storage option in Windows 2000 Server, and it is available
in Windows Server 2003 DNS for backward compatibility. The following
DNS-specific application directory partitions are created during Active Directory
installation:
 
A forest-wide application directory partition, called
ForestDnsZones.
Domain-wide application directory partitions for
each domain in the forest, named DomainDnsZones.
 
 
 
What is a stub
zone?
 
A stub
zone is a copy of a zone that contains only those resource records
necessary to identify the authoritative Domain Name System (DNS) servers for
that zone. A stub zone is used to resolve names between separate DNS
namespaces. This type of resolution may be necessary when a corporate merger
requires that the DNS servers for two separate DNS namespaces resolve names for
clients in both namespaces.
 
A
stub zone consists of:
 
The
start of authority (SOA) resource record, name server (NS) resource records,
and the glue A resource records for the delegated zone.
 
The IP address of one or more master servers that can be used to update the
stub zone. The master servers for a stub zone are one or more DNS servers
authoritative for the child zone, usually the DNS server hosting the primary
zone for the delegated domain name.
 
You
can use stub zones to:
 
·        
Keep delegated zone information current.
By updating a stub zone for one of its child zones regularly, the Domain Name
System (DNS) server that hosts both the parent zone and the stub zone maintains
a current list of authoritative DNS servers for the child zone.
 
·        
Improve name resolution. Stub zones
enable a DNS server to perform recursion by using the stub zone's list of name
servers, without needing to query the Internet or the internal root server for
the DNS namespace.
 
·        
Simplify DNS administration. By using
stub zones throughout your DNS infrastructure, you can distribute a list of the
authoritative DNS servers for a zone without using secondary zones. However,
stub zones do not serve the same purpose as secondary zones, and they are not a
valid alternative to secondary zones with regard to redundancy and load
sharing.
 
When
a DNS server loads a stub zone, it queries the master servers, which can be in
different locations, for the necessary resource records of the authoritative
servers for the zone. The list of master servers may contain a single server or
multiple servers, and the list can be changed anytime.
 
Explain the ways of partitioning a DNS database / Explain Zone Delegation
 
A DNS database can be partitioned into multiple zones. A zone is a portion of the DNS database that contains the resource records with the owner names that belong to a contiguous portion of the DNS namespace. Zone files are maintained on DNS servers. A single DNS server can be configured to host zero, one or multiple zones.
 
Each zone is anchored at a specific domain name referred to as the zone’s root domain. A zone contains information about all names that end with the zone’s root domain name. A DNS server is considered authoritative for a name if it loads the zone containing that name. The first record in any zone file is a Start of Authority (SOA) RR. The SOA RR identifies a primary DNS name server for the zone as the best source of information for the data within that zone and as the entity processing the updates for the zone.
 
A name within a zone can also be delegated to a different zone that is hosted on a different DNS server. Delegation is the process of assigning responsibility for a portion of a DNS namespace to a DNS server owned by a separate entity. This separate entity could be another organization, department or workgroup within your company. Such a delegation is represented by the NS resource record that specifies the delegated zone and the DNS name of the server authoritative for that zone. Delegating across multiple zones was part of the original design goal of DNS.
The primary reasons to delegate a DNS namespace include:
 
· A need to delegate management of a DNS domain to a number of organizations or departments within an organization.
 
· A need to distribute the load of maintaining one large DNS database among multiple DNS servers, to improve name resolution performance as well as to create a fault-tolerant DNS environment.
 
· A need to reflect a host’s organizational affiliation by placing the host in the appropriate domain.
The name server (NS) RRs facilitate delegation by identifying the DNS servers for each zone, and NS RRs appear in all zones. Whenever a DNS server needs to cross a delegation in order to resolve a name, it refers to the NS RRs for the DNS servers in the target zone.
 
What is the process of DHCP for getting the IP address to the client?
 
There is a four-way negotiation process between the client and the server:
DHCP Discover (initiated by client)
DHCP Offer (initiated by server)
DHCP Select (initiated by client)
DHCP Acknowledgement (initiated by server)
DHCP Negative Acknowledgement (initiated by server if there are any issues after the DHCP Offer)
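The exchange above, as an added Python example that is not part of the original notes: both sides' messages are built as real BOOTP/DHCP packets (option 53 carries the message type; the step the notes call "DHCP Select" is the DHCPREQUEST on the wire), a toy server offers an address from its pool and acknowledges only the address it offered to that client, and a request for any other address draws a Negative Acknowledgement. Addresses, MACs, the transaction id and the one-hour lease time (option 51) are constructed.

```python
# DHCP four-way negotiation (DISCOVER, OFFER, REQUEST, ACK) plus a NAK, with real
# BOOTP/DHCP wire encoding. Added example; addresses, MACs and lease are constructed.
import struct
MAGIC = b"\x63\x82\x53\x63"                          # DHCP magic cookie after BOOTP header
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6  # option 53 message types
HDR = "!BBBBIHH4s4s4s4s16s64s128s"                   # 236-byte fixed BOOTP header
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(map(str, b))

def encode(op, xid, mac, mtype, yiaddr="0.0.0.0", extra=()):
    """Build one DHCP packet: BOOTP header, cookie, TLV options, 0xff end marker."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, b"\0" * 4, ip_bytes(yiaddr),
                      b"\0" * 4, b"\0" * 4, mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = ((53, bytes([mtype])),) + tuple(extra)
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in opts) + b"\xff"

def decode(pkt):
    f = struct.unpack(HDR, pkt[:236])
    assert pkt[236:240] == MAGIC, "not a DHCP packet"
    opts, i = {}, 240
    while pkt[i] != 0xff:                             # walk TLV options to the end byte
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return {"xid": f[4], "yiaddr": ip_str(f[8]), "mac": f[11][:6],
            "type": opts[53][0], "opts": opts}

class DhcpServer:
    def __init__(self, ident, pool):
        self.ident, self.pool = ip_bytes(ident), list(pool)  # option 54 = server identifier
        self.offers, self.leases = {}, {}
    def handle(self, pkt):
        m = decode(pkt)
        common = [(54, self.ident), (51, struct.pack("!I", 3600))]  # option 51: 1-hour lease
        if m["type"] == DISCOVER and self.pool:       # OFFER the next free address
            self.offers[m["mac"]] = self.pool.pop(0)
            return encode(2, m["xid"], m["mac"], OFFER, self.offers[m["mac"]], common)
        if m["type"] == REQUEST:                      # ACK only what this server offered
            wanted = ip_str(m["opts"][50])
            if m["opts"].get(54) == self.ident and self.offers.get(m["mac"]) == wanted:
                self.leases[m["mac"]] = self.offers.pop(m["mac"])
                return encode(2, m["xid"], m["mac"], ACK, wanted, common)
            return encode(2, m["xid"], m["mac"], NAK, extra=[(54, self.ident)])

def client_exchange(server, mac, xid=0x3903F326, request=None):
    """Client side: DISCOVER -> OFFER -> REQUEST -> ACK/NAK; returns (lease, reply types)."""
    offer = decode(server.handle(encode(1, xid, mac, DISCOVER)))
    wanted = request or offer["yiaddr"]               # any address not offered draws a NAK
    reply = decode(server.handle(encode(1, xid, mac, REQUEST, extra=[
        (50, ip_bytes(wanted)), (54, offer["opts"][54])])))
    return (reply["yiaddr"] if reply["type"] == ACK else None), [offer["type"], reply["type"]]
```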
 
 
What is a DHCP Lease?
 
A DHCP lease is the amount of time for which the DHCP server grants the DHCP client permission to use a particular IP address. A typical server allows its administrator to set the lease time.
 
We’ve installed a new Windows-based DHCP server; however, the users do not seem to be getting DHCP leases from it. What could be the reason?
 
The server must first be authorized in Active Directory.
 
 
Explain the Licenses that can be managed by a TS Licensing server in Windows 2003
 
To use Terminal Server in your organization, you are required to have a Windows Server 2003 license for every terminal server that you deploy in your organization, as well as Terminal Server Client Access Licenses (CALs) for the devices that access the terminal servers. For terminal servers that are running Windows Server 2003, there are two types of Terminal Server CALs:
 
Per Device
Per User
 
Which CAL you choose depends on how you plan to use Terminal Server. By default, Terminal Server is configured in Per Device mode, but it can be switched to Per User mode using the Terminal Services Connection Configuration (TSCC) tool or by using Windows Management Instrumentation (WMI).
 
Per Device Licensing Mode: A Per Device CAL provides each client computer the right to access
a terminal server that is running Windows Server 2003. The Per Device CAL
is stored locally and presented to the terminal server each time the client
computer connects to the server.
 
Per Device licensing is a good choice for:
 
· Hosting a user’s primary desktop for devices the customer owns or controls.
 
· Thin clients or computers that connect to a terminal server for a large percentage of the working day.
 
· Hosting line-of-business applications that are used for the bulk of your users’ work.
 
This type of licensing is a poor choice if you do not control the
device accessing the server, for example computers in an Internet café, or if
you have a business partner who connects to your terminal server from outside
your network.
 
Per User Licensing Mode: In Per User licensing mode you must have one
license for every user. With Per User licensing, one user can access a terminal
server from an unlimited number of devices and only needs one CAL rather than a
CAL for each device.
 
Per User licensing is a good choice in the following situations:
 
· Providing access for roaming users.
 
· Providing access for users who use more than one computer, for example, a portable and a desktop computer.
 
· Providing ease of management for organizations that track access to the network by user, rather than by computer.
 
In general, if your organization has more
computers than users, Per User licensing might be a cost-effective way to
deploy Terminal Server because you only pay for the user to access Terminal
Server, rather than paying for every device from which the user accesses
Terminal Server. Check the end-user license agreement for the applications that
you plan to host to determine if they support per user licensing.
 
 
How can you override the license server discovery process and set your preferred license servers?
 
When Terminal Services is started, the server attempts to locate terminal server license servers using a predefined discovery process. The method used depends on the server environment and the mode in which the licensing server is configured to run.
 
You can override the discovery process by modifying the registry to point to a specific license server or servers. Under Win2K, you can specify only a single license server in the registry, whereas WS2K3 lets you list multiple preferred license servers. To override the discovery process, add subkeys to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers
subkey. Each subkey should be named with the hostname of the license server that you want the terminal server to use.
 
 
Name a few Terminal Services utilities available in the Windows Resource Kit.
 
Appsec: Used to restrict non-administrative users' execution access to a limited set of authorized programs.
Drive Share: Used to share and connect to local drives during Terminal Services client session initialization.
File Copy: Provides copy/paste file transfer between a Terminal Services client session and a local desktop.
Lsreport: Used to connect to Terminal Services License servers and display information about the license key packs installed on the servers.
Lsview: Used to display the name and type of currently available License servers in a domain.
Roboclient: A Terminal Services capacity-planning tool.
Simclient: A Terminal Services capacity-planning tool.
Tsreg: A graphical utility to change client registry settings relating to bitmap caching, glyph caching, and so on.
Tsver: Used for allowing or disallowing client connections based on the client version.
Winsta: Used for monitoring Terminal Services client sessions.
 
Explain the terminal services modes available in W2k/W2k3
 
There are two different Terminal Services modes available in Windows Server 2k/2k3.
 
Remote Administration Mode: Terminal Services Remote Administration mode allows any server running Windows 2000 Server, for instance a domain controller or BackOffice Server, to be administered remotely with full access to all the built-in graphical user interface-based (GUI-based) administrative tools, as if the administrator were sitting right at the server. Within Windows Server 2003, remote administration mode is built in and does not need to be installed. This ability to administer the server can be made available from any client device, including a legacy version of Windows, or even non-Windows-based clients. This server management feature is an invaluable tool for quick and easy administration of large- and small-scale networks. Terminal Services has two built-in per-server connections specifically for remote administration. A Terminal Services Client Access License (CAL) is not required to connect to Terminal Services in remote administration mode.
 
Application Server Mode: In Application Server mode, applications can be deployed and managed from a central location, saving administrators initial development and deployment time as well as the time and effort required for maintenance and upgrades. Once an application is deployed using Terminal Services, many clients can connect, whether through a remote access connection, local area network (LAN), or wide area network (WAN). The clients can still be Windows-based, Windows CE-based, or even non-Windows-based. Licensing is required when deploying a Terminal Services-enabled server as an application server.
 
You can install Windows 2003 Server Terminal Services in either of two modes: Remote Administration or Application Server. Remote Administration mode installs only the remote access components of Terminal Services and performs with very little overhead, so it's ideal for mission-critical servers. Terminal Services in Remote Administration mode permits a maximum of two concurrent remote administration connections. No additional licensing is required for those two connections, and you don't need to run the Terminal Services license server.
 
Application Server mode installs the
application-sharing components of Terminal Services in addition to the remote
access components. This mode lets users run applications remotely. However,
running Terminal Services in Application Server mode requires you to purchase
licenses and set up a Terminal Services licensing server within 120 days of
installation. For administration purposes, you should install Terminal Services
in Remote Administration mode. Remote Administration mode minimizes the impact
on server performance while still facilitating remote administration.
 
 
When I try to log on, why
do I get the error message: Unable to log you on because of an account
restriction? 
 
This message can appear because a user trying to log on is not in
the Remote Desktop Users group, or because an account has no password. Starting
with Windows XP, accessing network resources such as Remote Desktop and file
shares requires that you have a password associated with an account.
 
When I attempt to update terminal services using Windows update, I
receive an error stating that I should be in install mode. How do I activate
install mode so that I can install available updates? 
 
You must use the command prompt to activate install mode. At the prompt, type:
change user /install
 
This command performs the upgrade. When the upgrade is complete,
type:
 
Can I use my current
Windows 2000 License Server and CALs for Windows 2003 Terminal Servers? 
 
No, Windows Server 2003 needs a new version of CALs. You need a Windows Server 2003 License Server, which can serve both Windows 2000 terminal servers and Windows Server 2003 terminal servers.
 
 
How do I connect more than
two users to Windows 2000 Server or Windows Server 2003? How do I connect more
than one user to Windows XP Professional? 
 
If you are running Remote Administration mode on
Windows 2000 or Windows Server 2003, no more than two concurrent users are
allowed and there is no way to increase this unless you change it to
Application Server mode. Application Server mode requires client access
licenses and a licensing server. If you are using Windows XP Professional this
number is limited to 1 remote connection and there is no way to increase this
number.
 
 
What port does RDP use?
By default, RDP uses port 3389 for all of its traffic.