AD Interview Question and Answers

Uploaded by Ramesh Kumar
> What is Active Directory?
Active Directory is a directory service: a database that stores information about network objects (user accounts, computer accounts, groups, printers and other resources) together with the services built on it that let administrators manage and secure the whole network joined to it.

> What is Active Directory Domain Services?
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this document refers to AD DS, but the information also applies to Active Directory.

> What is a domain?
A domain is a set of network resources (applications, printers, and so forth) for a group of users. The user needs only to log on to the domain to gain access to the resources, which may be located on a number of different servers in the network. An Active Directory domain is identified by a DNS name such as corp.example.com; it is not an IP address and should not be confused with a URL.

> What is a domain controller?
A domain controller (DC) is a server that responds to security authentication requests (logging on, checking permissions, and so on) within a Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with a single username and password combination.

> What is LDAP?
Lightweight Directory Access Protocol (LDAP) is the industry-standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAP v3 and LDAP v2 (TCP/UDP 389; LDAPS on TCP 636). A simple bind sends the password in clear text unless the session is protected by TLS or the client uses SASL with signing, which is why domain controllers should require LDAP signing.

> What is the KCC?
The Knowledge Consistency Checker (KCC) generates the replication topology by deciding which domain controllers replicate with which other domain controllers in the site. The KCC maintains a list of connection objects, collectively called the replication topology, to other domain controllers in the site.
The KCC ensures that changes to any object are replicated to all domain controllers in the site and that an update passes through no more than three hops. An administrator can also create connection objects manually.

> Where is the AD database held? What other folders are related to AD?
By default the AD database is stored in %SystemRoot%\NTDS\ntds.dit (C:\Windows\NTDS\ntds.dit). SYSVOL and NETLOGON are the other folders (and shares) related to AD DS. ntds.dit holds the password hashes of every account in the domain, so an offline copy of it together with the SYSTEM registry hive is equivalent to the domain's credentials; access to the file, to backups of it and to Volume Shadow Copies of the system volume should be protected accordingly.

> What is the SYSVOL folder?
System Volume (SYSVOL) is a shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout the domain. The term SYSVOL refers to a set of files and folders that reside on the local hard disk of each domain controller in a domain and that are replicated between domain controllers by the File Replication Service (FRS), or by DFS Replication (DFSR) in domains that have migrated to it. Network clients access the contents of the SYSVOL tree through the NETLOGON and SYSVOL shared folders. SYSVOL uses junction points (a location on a disk that points to data stored elsewhere on that disk or on another storage device) to manage a single-instance store.

> What is the NETLOGON folder in AD DS and what is it used for?
The NETLOGON share points to %SystemRoot%\SYSVOL\sysvol\<domain>\scripts on the DC, and its main purpose is storing logon scripts. By default %SystemRoot%\SYSVOL\sysvol\<domain>\scripts is empty; it is the default location for scripts deployed through a GPO. By default SYSVOL includes two folders:
1. Policies (default location %SystemRoot%\SYSVOL\sysvol\<domain_name>\Policies)
2. Scripts (default location %SystemRoot%\SYSVOL\sysvol\<domain_name>\Scripts); this folder is shared under the name NETLOGON.

> What is the difference between the Enterprise Admins and Domain Admins groups in AD?
Enterprise Admins: Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest.
By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution.
Domain Admins: Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control of the domain, add users with caution.

> Where are the Windows NT Primary Domain Controller (PDC) and Backup Domain Controller (BDC) in Server 2003?
Active Directory replaces them. All domain controllers now share a multimaster, peer-to-peer read/write relationship, each hosting a writable copy of the Active Directory database. One DC per domain still holds the PDC emulator operations master role, which provides backward compatibility for down-level clients and receives preferential replication of password changes.

> I am trying to create a new universal group. Why can't I?
Universal security groups require the domain to run in native mode (Windows 2000 native domain functional level or higher). In mixed mode only universal distribution groups can be created. Native mode requires that every domain controller in the domain run Windows 2000 or later, that is, no Windows NT 4.0 BDCs remain.

> What is LSDOU?
It is the Group Policy inheritance (processing) order: policies are applied from the Local machine, then the Site, then the Domain, then the Organizational Units, with later policies overriding earlier ones where settings conflict.

> Why doesn't LSDOU work under Windows NT?
Windows NT uses System Policy rather than Group Policy. If an NTConfig.pol file exists, it has the highest priority among the policies applied.

> What is the number of permitted unsuccessful logons for the Administrator account?
Unlimited: by default the built-in Administrator account (RID 500) is never locked out by the account lockout policy. Remember that this applies to the Administrator account itself, not to every account that is a member of the Administrators group. Because it cannot lock out, it is a standing target for password guessing; rename or disable it and keep its password long and unique.

> What is the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003: the Guest account is disabled by default.

> How many passwords by default are remembered when you enable "Enforce password history"?
The Default Domain Policy created by Windows Server 2003 and later remembers the user's last 24 passwords, which is also the maximum the setting allows (the range is 0 to 24).

> Can the Global Catalog server and the Infrastructure Master role be placed on a single server? If not, why not?
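An added example (not from the original Q&A) that ties the lockout and password-history questions above to something an interviewer may ask you to actually do: audit the domain password policy, every fine-grained password policy, and the state of the built-in Administrator account against a baseline. It assumes the ActiveDirectory RSAT module in a domain-joined session; the baseline numbers are this example's own choice, not Microsoft defaults.

```powershell
# Added example (not from the original Q&A): audit domain and fine-grained
# password policies against a baseline. Assumes the ActiveDirectory RSAT module
# and a domain-joined session; baseline values are this example's own choice.
Import-Module ActiveDirectory

$baseline = @{
    PasswordHistoryCount = 24      # "Enforce password history"
    MinPasswordLength    = 14
    ComplexityEnabled    = $true
    LockoutThreshold     = 10      # 0 means unlimited attempts for ordinary accounts
}

function Test-PasswordPolicy {
    # Emits one finding string per baseline violation (nothing when compliant).
    param([Parameter(Mandatory)] $Policy, [Parameter(Mandatory)] [string] $Name)

    if ($Policy.PasswordHistoryCount -lt $baseline.PasswordHistoryCount) {
        "${Name}: password history $($Policy.PasswordHistoryCount) < $($baseline.PasswordHistoryCount)"
    }
    if ($Policy.MinPasswordLength -lt $baseline.MinPasswordLength) {
        "${Name}: minimum length $($Policy.MinPasswordLength) < $($baseline.MinPasswordLength)"
    }
    if (-not $Policy.ComplexityEnabled) {
        "${Name}: complexity disabled"
    }
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $baseline.LockoutThreshold) {
        "${Name}: lockout threshold $($Policy.LockoutThreshold) (0 = unlimited attempts)"
    }
}

$findings = @(
    # Default Domain Policy values, the same ones 'net accounts /domain' reports.
    Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy'

    # Fine-grained policies (PSOs) override the domain policy for the principals
    # in AppliesTo; a weaker PSO on a service-account group is a common blind spot.
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        Test-PasswordPolicy -Policy $_ -Name "PSO $($_.Name) (applies to $($_.AppliesTo -join ', '))"
    }

    # The built-in Administrator (domain SID + RID 500) is exempt from lockout,
    # so its mere existence in an enabled state is worth reporting.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $admin = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, LastLogonDate
    if ($admin.Enabled) {
        "Built-in Administrator '$($admin.SamAccountName)' is enabled (never locks out; last logon $($admin.LastLogonDate))"
    }
)

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Password and lockout policy meet the baseline' }
```

The check looks up the built-in Administrator by SID rather than by name because the account is frequently renamed; the RID is what never changes.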
As a general rule, the infrastructure master should be located on a domain controller that is not a global catalog server but that has a direct connection object to a global catalog in the forest, preferably in the same Active Directory site. Because a global catalog server holds a partial replica of every object in the forest, an infrastructure master placed on a global catalog server never updates anything: it holds no references (phantoms) to objects it does not already have, so it never notices when a cross-domain object is renamed or moved. There are two exceptions to the "do not place the infrastructure master on a global catalog server" rule:
1. Single-domain forest: in a forest that contains a single Active Directory domain there are no phantoms, so the infrastructure master has no work to do. It may be placed on any domain controller in the domain, whether or not that domain controller hosts the global catalog.
2. Multidomain forest in which every domain controller of a domain holds the global catalog: there are no phantoms and no work for the infrastructure master to do, so it may be placed on any domain controller in that domain.
Since Windows Server 2008 R2, once the Active Directory Recycle Bin is enabled every domain controller maintains its own cross-domain object references, and the placement of the infrastructure master no longer matters.

> What are intrasite and intersite replication?
Intrasite replication is replication between domain controllers within the same site (change-notification driven, frequent and uncompressed); intersite replication is replication between sites across site links (scheduled and compressed).

> What is the recommended maximum number of domains in a forest?
For Windows 2000 Server, the recommended maximum number of domains in a forest is 800. For Windows Server 2003, the recommended maximum number of domains when the forest functional level is set to Windows Server 2003 (also known as forest functional level 2) is 1,200. This restriction is a limitation of multivalued, nonlinked attributes in Windows Server 2003.

> What is the recommended maximum number of domain controllers in a domain?
To ensure reliable recovery of SYSVOL, the recommended limit is 1,200 domain controllers per domain.

> What are the Active Directory replication topology options?
The Active Directory replication topologies typically used are:
Ring topology: With intrasite replication, the KCC creates a ring topology that defines the replication paths within a site. In a ring topology, each domain controller in a site has two inbound and two outbound replication partners. The KCC builds the ring so that there are no more than three hops between any two domain controllers in the site.
Full mesh topology: Typically used in small organizations where redundancy is extremely important and the number of sites is small. A full mesh is expensive to manage and does not scale.
Hub and spoke topology: Typically implemented in large organizations where scalability is important and redundancy is less important. One or more hub sites have slower WAN connections to multiple spoke sites, while the hub sites are usually connected to each other through high-speed WAN links.
Hybrid topology: A combination of any of the above topologies.

> What is an SPN?
A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. Kerberos authentication to a service fails if its SPN is missing or is registered on more than one account (a duplicate SPN), and because any authenticated user can request a service ticket for any SPN, SPNs registered on user accounts with weak passwords expose those passwords to offline cracking.

> What is AD Certificate Services?
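An added example (not from the original Q&A) for the SPN answer above: enumerate every SPN in the domain, report duplicates (which break Kerberos for that service) and list the SPNs that sit on ordinary user accounts. It assumes the ActiveDirectory RSAT module; the host and account names in the closing comment are placeholders.

```powershell
# Added example (not from the original Q&A): SPN inventory, duplicate detection
# and user-account SPN listing. Assumes the ActiveDirectory RSAT module;
# 'HTTP/web01.corp.example.com' and 'CORP\svc_web' are placeholder names.
Import-Module ActiveDirectory

# Every object that carries at least one SPN: computers, users, (g)MSAs.
$holders = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, sAMAccountName

# Flatten to one row per SPN so the table can be grouped and filtered.
$spnTable = foreach ($obj in $holders) {
    foreach ($spn in $obj.servicePrincipalName) {
        [pscustomobject]@{
            SPN     = $spn
            Account = $obj.sAMAccountName
            Class   = $obj.ObjectClass      # user, computer, msDS-GroupManagedServiceAccount ...
        }
    }
}

# 1. Duplicate SPNs: the KDC cannot choose which account's key to use, logs
#    event ID 11 (source KDC) and clients fail or fall back to NTLM.
#    'setspn -X' performs the same check from the command line.
$spnTable | Group-Object -Property SPN | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Duplicate SPN {0} registered on: {1}" -f $_.Name, ($_.Group.Account -join ', '))
}

# 2. SPNs on user accounts: service tickets for these are encrypted with the
#    account's password hash and can be requested by any domain user, so the
#    accounts need long random passwords (or a gMSA) and a privilege review.
$spnTable | Where-Object Class -eq 'user' | Sort-Object Account |
    Format-Table Account, SPN -AutoSize

# Registering an SPN for a service account: setspn -S refuses to create a
# duplicate, unlike the older -A switch.
#   setspn -S HTTP/web01.corp.example.com CORP\svc_web
```

Run the duplicate check after every service migration or host rename; a stale SPN left on the old account is the usual cause of "authentication worked yesterday" tickets.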
Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing the public key certificates used in software security systems that employ public key technologies.

> What is Active Directory Federation Services?
Active Directory Federation Services (AD FS) simplifies access to systems and applications by using a claims-based access (CBA) authorization mechanism to maintain application security. AD FS supports web single sign-on (SSO) technologies that help IT organizations collaborate across organizational boundaries. AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor to AD FS 1.0, first delivered in Windows Server 2003 R2, and AD FS 1.1, made available as a server role in Windows Server 2008 and Windows Server 2008 R2. Previous versions of AD FS are referred to collectively as AD FS 1.x.

> What is the Active Directory Management Gateway Service?
Windows Server 2008 R2 introduces a web service interface through which applications reach Active Directory, and the Windows Server 2008 R2 AD PowerShell cmdlets use this service. The Active Directory Management Gateway Service (ADMGS) provides the same web service interface on Windows Server 2003 SP2 and Windows Server 2008 domain controllers, so that the Server 2008 R2 AD PowerShell cmdlets and other applications can work against DCs that have ADMGS installed.

> What is Offline Domain Join?
Windows Server 2008 R2 domain controllers include a new feature named Offline Domain Join. A new utility, Djoin.exe, lets you join a computer to a domain without contacting a domain controller while completing the join, by obtaining a blob from a Windows Server 2008 R2 domain controller at an earlier point in time. The computer is domain-joined when it first starts, so no extra restart is needed as with a normal domain join. The blob contains the new computer account's password, so it must be handled and deleted like any other credential.

> What is AD Administrative Center?
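The Offline Domain Join procedure from the answer above as actual commands, added here as an example that is not part of the original Q&A. It assumes a Windows Server 2008 R2 or later domain named corp.example.com and a new machine named WS01 (both placeholders), and that the provisioning step runs as an account allowed to create computer objects in the target OU.

```powershell
# Added example (not from the original Q&A): Offline Domain Join with Djoin.exe.
# Assumes domain corp.example.com and machine name WS01 (placeholders); step 1
# runs on a domain-joined host, step 2 on the new machine that has no DC access.

# 1. Provision the computer account on a DC and write the join blob to a file.
#    The blob carries the machine account password and domain trust data, so
#    write it somewhere only the provisioning admin can read.
djoin.exe /provision /domain corp.example.com /machine WS01 /savefile .\WS01-odj.txt

# 2. On the new machine (after copying the file over): apply the blob to the
#    running OS. /localos targets the currently running Windows installation;
#    the join takes effect at the next boot without contacting a DC.
djoin.exe /requestodj /loadfile .\WS01-odj.txt /windowspath $env:SystemRoot /localos

# 3. The blob is a credential. Delete it as soon as it has been consumed and
#    never leave copies in images, tickets or shared folders.
Remove-Item .\WS01-odj.txt -Force
```

If the computer account already exists (for example when re-imaging), add /reuse to the provisioning command instead of deleting and recreating the account, which would also reset its group memberships and ACL entries.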
Active Directory Administrative Center provides network administrators with an enhanced Active Directory data-management experience and a rich graphical user interface (GUI). Administrators can use it to perform common Active Directory object-management tasks (user, computer, group and organizational unit management) through both data-driven and task-oriented navigation, and can customize the GUI to suit their particular directory-administration requirements.

> What is the AD DS Best Practices Analyzer?
The Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server-management tool that helps you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as installed on your Windows Server 2008 R2 domain controllers and reports best-practice violations. You can filter or exclude results that you do not need to see, and you can run AD DS BPA from either the Server Manager GUI or Windows PowerShell cmdlets.

> What is the recommended maximum number of users in a group?
For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction. Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a technology called Linked Value Replication (LVR). To enable LVR, you must raise the forest functional level to at least Windows Server 2003 interim.
Raising the forest functional level changes the way group membership (and other linked multivalued attributes) is stored in the database and replicated between domain controllers. This allows the number of group memberships to exceed the former recommended limit of 5,000 that applied to Windows 2000, and to Windows Server 2003 at the Windows 2000 forest functional level. So far, testing in this area has not revealed any new recommended limit on the number of members in a group or any other linked multivalued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.

> What is the Lost and Found container in AD DS?
It is the container where replication places objects whose parent container no longer exists. Example: a user is created in an OU on one DC while the same OU is deleted on another DC; when replication runs and the OU cannot be found, the user object is moved into LostAndFound.

> What is garbage collection?
Garbage collection is a housekeeping process that frees space within the Active Directory database by removing expired tombstones and deleted objects. In Windows 2000 and in the original release of Windows Server 2003, this process runs on every domain controller in the enterprise with a default interval of 12 hours. You can change this interval by modifying the garbageCollPeriod attribute on the enterprise-wide Directory Service configuration object (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root DN>).

> What does System State data contain?
- Boot (startup) files
- Registry
- COM+ class registration database
- System files protected by Windows File Protection
- Active Directory database (on a domain controller)
- Cluster Service information (on a cluster node)
- SYSVOL folder (on a domain controller)

> What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference between 2000 and 2003 Group Policies? What is meant by ADS and ADS services in Windows 2003?
Windows Server 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain.
Windows Server 2003 also introduced numerous changes to the default settings that Group Policy can manage; a detailed list of each available setting and the OS required to support it is in the downloadable Group Policy Settings Reference. ADS stands for Automated Deployment Services and is used to roll out identically configured servers quickly in large-scale enterprise environments; more information is on the ADS home page.

> I want to set up a DNS server and an Active Directory domain. What do I do first? If I install the DNS service first and name the zone 'name.org', can I name the AD domain 'name.org' too?
Not only can a DNS zone and an Active Directory domain have the same name, it is the preferred arrangement wherever possible. You can install and configure DNS before installing Active Directory, or you can let the Active Directory Installation Wizard (dcpromo) install DNS on the server for you.

> How do I determine whether user accounts have local administrative access?
Run net localgroup administrators on each workstation (typically from a logon or startup script that appends its output to a central file for later review). The command enumerates the members of the local Administrators group on the machine it runs on. Alternatively, use the Restricted Groups feature of Group Policy to enforce that the Administrators group contains only the members you want; anyone added locally is removed at the next policy refresh.

> What is the ISTG? Which DC holds that role by default?
Each domain controller creates Active Directory replication connection objects representing inbound replication from its intrasite replication partners. For intersite replication, one domain controller per site is responsible for evaluating the intersite replication topology and creating connection objects for the appropriate bridgehead servers within its site.
The domain controller in each site that owns this role is the Inter-Site Topology Generator (ISTG). Put simply, the ISTG is the domain controller in each site that generates the intersite topology. By default the role is held by the first domain controller in the site, and the KCC on the other DCs in the site transfers it automatically if that DC stops updating its timestamp.

> What is the difference between Server 2003 and Server 2008?
1. Virtualization: Windows Server 2008 introduces Hyper-V (V for virtualization), but only on 64-bit editions. Companies see it as a way of reducing hardware costs by running several virtual servers on one physical machine.
2. Server Core: the minimum installation required to carry out a specific server role, such as DHCP, DNS or print server.
3. Better security.
4. Role-based installation.
5. Read-Only Domain Controllers (RODC).
6. Enhanced Terminal Services.
7. Network Access Protection: Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell: Microsoft's command-line shell and scripting language, which has proved popular with server administrators.
9. IIS 7.
10. BitLocker: system-drive encryption, a sensible security measure for servers in remote branch offices.
11. Windows Aero.
The main differences between 2003 and 2008 are virtualization and management; 2008 has more built-in components and updated third-party drivers.

> What are the requirements for installing AD on a new server?
1. The domain structure (new forest, new tree, new child domain, or additional DC in an existing domain).
2. The domain name (a DNS name).
3. The storage location of the database and log files.
4. The location of the shared system volume (SYSVOL) folder, which must be on an NTFS volume.
5. The DNS configuration method (let dcpromo install DNS, or use an existing DNS server).
6. The DNS configuration itself, including a static IP address on the server and working name resolution for the domain.

> What are the default Active Directory built-in groups?
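For the earlier question about finding out which user accounts have local administrative access, here is the centralized version of the "net localgroup administrators on every box" answer, added as an example that is not part of the original Q&A. It assumes the ActiveDirectory module on the auditing host, PowerShell Remoting enabled on the targets (Get-LocalGroupMember needs Windows 10 / Windows Server 2016 or later), and a writable report share; the allow-list entries and the share path are placeholders.

```powershell
# Added example (not from the original Q&A): collect local Administrators
# membership from every enabled domain computer and report members that are
# not on an allow-list. Assumes the ActiveDirectory module, PS Remoting on the
# targets, Get-LocalGroupMember (Win10/2016+). Allow-list and share path are
# placeholders.
Import-Module ActiveDirectory

$allowed   = @('CORP\Domain Admins', 'CORP\Workstation Admins')       # placeholder
$reportDir = '\\fileserver\audit'                                      # placeholder
$computers = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name

# Fan out in parallel; hosts that are off or unreachable simply produce no rows.
$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name               # e.g. CORP\Domain Admins or WS01\Administrator
            Type     = $_.ObjectClass        # User or Group
            Source   = $_.PrincipalSource    # Local, ActiveDirectory, MicrosoftAccount, Unknown
            SID      = $_.SID.Value          # unresolved SIDs point at deleted AD accounts
        }
    }
}

# The local built-in Administrator (RID 500) exists on every host whatever it
# is called, so exclude it by SID; everything else not on the allow-list is a finding.
$unexpected = $report | Where-Object {
    $_.Member -notin $allowed -and
    -not ($_.Source -eq 'Local' -and $_.SID -like '*-500')
}

$unexpected | Sort-Object Computer, Member |
    Export-Csv -Path (Join-Path $reportDir "local-admins-$(Get-Date -Format yyyyMMdd).csv") -NoTypeInformation

# Hosts that returned nothing are part of the result, not noise to drop.
$reached = $report.PSComputerName | Sort-Object -Unique
$computers | Where-Object { $_ -notin $reached } |
    ForEach-Object { Write-Warning "No result from $_ (offline, remoting disabled or access denied)" }
```

Once the report is clean, the Restricted Groups policy mentioned in the answer (or the newer Local Users and Groups preference item) is what keeps it that way; this script is the detection side, the GPO is the enforcement side.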
Groups in the Builtin container:
- Account Operators
- Administrators
- Backup Operators
- Guests
- Incoming Forest Trust Builders
- Network Configuration Operators
- Performance Monitor Users
- Performance Log Users
- Pre-Windows 2000 Compatible Access
- Print Operators
- Remote Desktop Users
- Replicator
- Server Operators
- Users
Groups in the Users container:
- Cert Publishers
- DnsAdmins (if installed with DNS)
- DnsUpdateProxy (if installed with DNS)
- Domain Admins
- Domain Computers
- Domain Controllers
- Domain Guests
- Domain Users
- Enterprise Admins (only in the forest root domain)
- Group Policy Creator Owners
- IIS_WPG (installed with IIS)
- RAS and IAS Servers
- Schema Admins (only in the forest root domain)

> What is LDP?
In the Active Directory context, LDP is Ldp.exe, the graphical LDAP client shipped in the Windows Support Tools and later in RSAT. It connects and binds to a directory server, and lets you browse, search, add, modify and delete objects and view their attributes and security descriptors over raw LDAP, which makes it useful for troubleshooting and for inspecting what the GUI consoles hide. It is not the MPLS Label Distribution Protocol, which shares the abbreviation but is a routing protocol.

> What is Group Policy in Active Directory? What are Group Policy objects (GPOs)?
Group Policy objects, other than the local Group Policy object, are virtual objects. The settings of a GPO are stored in two locations: the Group Policy container and the Group Policy template. The Group Policy container is an Active Directory object that stores GPO properties, including version information, GPO status and the list of components (client-side extensions) that have settings in the GPO. The Group Policy template is a folder structure in the file system that stores Administrative Template-based policies, security settings, script files and information about applications available for Group Policy Software Installation. The Group Policy template is located in the system volume (SYSVOL) under the \Policies subfolder for its domain. Because a GPO's template is a file tree, whoever can write to it can change what every targeted machine executes, so SYSVOL ACLs and the delegation on GPOs deserve the same scrutiny as membership in Domain Admins.

> In what order are GPOs applied?
Group Policy settings are processed in the following order:
1. Local Group Policy object: Each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.
2. Site: Any GPOs linked to the site the computer belongs to are processed next, in the order specified by the administrator on the Linked Group Policy Objects tab for the site in the Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last and therefore has the highest precedence.
3. Domain: Multiple domain-linked GPOs are processed in the order specified by the administrator on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last and therefore has the highest precedence.
4. Organizational units: GPOs linked to the organizational unit highest in the Active Directory hierarchy are processed first, then GPOs linked to its child organizational unit, and so on. Finally, the GPOs linked to the organizational unit that contains the user or computer are processed. At each organizational unit in the hierarchy one, many or no GPOs can be linked. If several GPOs are linked to an organizational unit, they are processed in the order specified by the administrator on the Linked Group Policy Objects tab for that organizational unit in GPMC. The GPO with the lowest link order is processed last and therefore has the highest precedence.
This order means that the local GPO is processed first and the GPOs linked to the organizational unit of which the computer or user is a direct member are processed last, overwriting settings in the earlier GPOs where they conflict. (If there are no conflicts, the earlier and later settings are simply aggregated.)

> How do you back up and restore Group Policy objects?
Begin by logging on to a Windows Server 2008 domain controller and opening the Group Policy Management console. Navigate through the console tree to Group Policy Management | Forest: <forest> | Domains | <domain> | Group Policy Objects. The details pane then lists all of the Group Policy objects associated with the domain; in Figure A there are only two, but a production environment may have many more. The Group Policy Objects container stores all of the GPOs for the domain.
Right-click the Group Policy Objects container and choose Back Up All from the shortcut menu. Windows opens the Back Up Group Policy Object dialog box (Figure B), which requires the path to which the backup files should be written. You can store the backups in a dedicated folder on a local drive or in a folder on a mapped network drive; the dialog box also contains a Description field for a description of the backup. Click Back Up to start. When the backup completes, a dialog box reports how many Group Policy objects were backed up successfully; click OK and you are done. Protect the backup folder: it contains the full settings of every GPO, including anything embedded in scripts or preference items.
When it comes to restoring a Group Policy Object from a backup, you have two options. The first is to right-click the Group Policy Object and choose Restore from Backup. Windows removes all of the individual settings from the GPO and then applies the settings found in the backup. The other option is to right-click the Group Policy Object you want to restore and choose Import Settings.
Import Settings works more like a merge than a restore: any settings already in the Group Policy Object are retained unless a contradictory setting exists in the backup being imported.

> You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers, etc.) on the computers in one department. How would you do that?
Put the department's user and computer accounts in their own OU and link a new GPO to that OU rather than editing the Default Domain Policy, which would change the desktop for everyone. Open Active Directory Users and Computers (Start -> Programs -> Administrative Tools) or the Group Policy Management Console, right-click the department OU, create and link a new GPO, and click Edit. In the Group Policy editor go to User Configuration -> Administrative Templates -> Start Menu and Taskbar and to User Configuration -> Administrative Templates -> Desktop, and configure each setting you want to standardize (wallpaper under Desktop -> Active Desktop); use User Configuration -> Windows Settings -> Folder Redirection for My Documents, and a printer deployment or logon script for printers.

> What is the difference between publishing and assigning software?
Assign to users: the application is advertised when the user logs on and installed when the user clicks its icon on the Start menu or opens a file associated with the application.
Assign to computers: the application is advertised and installed when it is safe to do so, such as when the computer next restarts.
Publish to users: the application does not appear on the Start menu or desktop, so the user may not know that it is available; it is made available through Add/Remove Programs in Control Panel or by opening a file associated with the application. Published applications do not reinstall themselves after accidental deletion, and it is not possible to publish to computers.

> What are administrative templates?
Administrative Templates are a feature of Group Policy, Microsoft's technology for centralized management of machines and users in an Active Directory environment. Administrative Templates facilitate the management of registry-based policy.
An ADM file describes both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines. It is a text file with a specific syntax that defines the interface and the registry values that will be changed when the policy is enabled or disabled. ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified "namespace" in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).

> Can I deploy non-MSI software with a GPO?
Yes, but only by publishing it to users: create a .zap text file that describes the application's setup program. Assigning requires a Windows Installer (.msi) package.

> Name some GPO settings in the computer and user parts.
A GPO has two parts. Computer Configuration applies when the machine starts and covers, for example, security settings (password and lockout policy, user rights, audit policy), startup and shutdown scripts, and software installation for the machine. User Configuration applies when the user logs on and covers, for example, Administrative Templates for the desktop and Start menu, logon and logoff scripts, folder redirection, and software published or assigned to users.

> A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU and everyone else there gets the GPO. What will you look for?
Check whether loopback processing is enabled on a GPO that applies to the computer: in replace mode it discards the user's own user settings and applies only those from the computer's GPOs. Check the GPO's security filtering and any WMI filter: the user (or a group he belongs to) must have both Read and Apply Group Policy permission. Run gpresult /r (or the Group Policy Results wizard in GPMC) on his machine to see which GPOs were applied, denied and why. Also check the computer's event logs; event ID 1085 means a client-side extension failed to apply its settings, in which case apply the relevant fix and reboot the computer.

> How can I override blocking of inheritance?
You can set No Override (called Enforced in GPMC) on a specific Group Policy object link so that Group Policy objects linked at a lower level of Active Directory, closer to the recipient user or computer account, cannot override that policy. If you do this, Group Policy objects linked at the same level but not set to No Override are also prevented from overriding it. If several links at the same level are set to No Override, you need to prioritize them.
Links higher in the list take priority for all configured (that is, Enabled or Disabled) settings. If you link a Group Policy object to a domain and set the link to No Override, the configured settings it contains apply to all organizational units under that domain, and Group Policy objects linked to those organizational units cannot override it.
You can also block inheritance of Group Policy from higher levels in Active Directory by selecting Block Policy Inheritance on the Group Policy tab of the Properties sheet of the domain or organizational unit (Block Inheritance in GPMC). This option does not exist for a site.
Some important facts about No Override and Block Policy Inheritance:
- No Override is set on a link, not on a site, domain, organizational unit or Group Policy object.
- Block Policy Inheritance is set on a domain or organizational unit, and therefore applies to all Group Policy objects linked at a higher level in Active Directory that could otherwise be inherited.
- No Override takes precedence over Block Policy Inheritance if the two conflict.

> What can I do to prevent inheritance from above?
You can block policy inheritance for a domain or organizational unit. Blocking inheritance prevents GPOs linked to higher sites, domains or organizational units from being automatically inherited by the child level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, link the required GPOs at the domain level (from which all organizational units inherit by default) and block inheritance only on the organizational unit to which the policies should not apply. Note that an Enforced (No Override) link from above still applies, so blocking inheritance is not a way to escape a domain-level security baseline.

> Name a few benefits of using GPMC.
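An added example (not from the original Q&A) that covers the GPO processing-order answer and the No Override / Block Inheritance answers above in one script: it reproduces GPMC's Group Policy Inheritance tab for an OU, flags Enforced links and blocked inheritance, and takes a backup before anyone changes a link. It assumes the GroupPolicy RSAT module; the OU distinguished name and the backup path are placeholders.

```powershell
# Added example (not from the original Q&A): effective GPO precedence for an OU,
# with Enforced / Block Inheritance flagged, plus a pre-change backup.
# Assumes the GroupPolicy RSAT module; OU DN and backup path are placeholders.
Import-Module GroupPolicy

$target    = 'OU=Workstations,DC=corp,DC=example,DC=com'   # placeholder OU
$backupDir = 'D:\GPO-Backups'                              # placeholder path

$inh = Get-GPInheritance -Target $target

if ($inh.GpoInheritanceBlocked) {
    Write-Warning "Block Inheritance is set on $target; only Enforced GPOs from above still reach it."
}

# InheritedGpoLinks is ordered by precedence: index 0 wins conflicts. Because the
# highest-precedence GPO is the one processed last, reading the list bottom-up
# gives the LSDOU processing order (site, domain, parent OUs, this OU).
$order = $inh.InheritedGpoLinks | ForEach-Object -Begin { $i = 1 } -Process {
    [pscustomobject]@{
        Precedence = $i++
        GPO        = $_.DisplayName
        LinkedAt   = $_.Target          # site, domain or OU DN the link lives on
        Enforced   = $_.Enforced        # "No Override" in the older consoles
        Enabled    = $_.Enabled
    }
}
$order | Format-Table -AutoSize

# Enforced links win over lower links even where inheritance is blocked, so
# list them separately: they are the settings nobody below can undo.
$order | Where-Object Enforced | ForEach-Object {
    "Enforced: $($_.GPO) (linked at $($_.LinkedAt))"
}

# Back up every GPO before touching links or settings. Restore-GPO reverts a
# single GPO to a backup; Import-GPO merges one into an existing GPO.
Backup-GPO -All -Path $backupDir -Comment "Pre-change $(Get-Date -Format s)" | Out-Null
"Backed up all GPOs to $backupDir"
```

Run the same report on a domain-joined client with gpresult /r to compare what the directory says should apply with what the client actually applied; a difference between the two is usually security filtering, a WMI filter, or a client-side extension error.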
Microsoft's Group Policy Management Console (GPMC) was a major step forward in Group Policy management. It provides:
- Easy administration of all GPOs across the entire Active Directory forest
- A view of all GPOs in one list
- Reporting of GPO settings, security, filters, delegation and so on
- Control of GPO inheritance with Block Inheritance, Enforce and security filtering
- A delegation model
- Backup and restore of GPOs
- Migration of GPOs across domains and forests
Even so, GPMC alone falls short when you want to protect GPOs with:
- Role-based delegation of GPO management
- Protection against editing in production, which can damage desktops and servers
- A reminder to back up a GPO after it has been modified
- Change management of each modification to every GPO

> What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to assign an IP address automatically to a computer from a defined range of addresses (a scope) configured for a given network.

> What is the DHCP process for a client machine?
1. A user turns on a computer with a DHCP client.
2. The client computer sends a broadcast request (a DISCOVER, or DHCPDISCOVER), looking for a DHCP server to answer.
3. If the DHCP server is on another subnet, a DHCP relay agent on the router forwards the DISCOVER to the DHCP server.
4. The server receives the DISCOVER. Based on availability and the usage policies set on the server, it determines an appropriate address (if any) to give to the client, temporarily reserves that address and sends the client an OFFER (DHCPOFFER) containing it.
The server also configures the client's DNS servers, WINS servers, NTP servers, and sometimes other services as well.
5. The client sends a REQUEST (or DHCPREQUEST) packet, letting the server know that it intends to use the address.
6. The server sends an ACK (or DHCPACK) packet, confirming that the client has been given a lease on the address for a server-specified period of time.

>What is a DHCP scope ?
DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients.

>Types of scopes in Windows DHCP ?
Normal Scope - Allows Class A, B and C IP address ranges to be specified, including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.
Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservations or other TCP/IP options. Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).
Superscope - Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.

>What is Authorizing DHCP Servers in Active Directory ?
If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized. This can be achieved either as part of the DHCP Server role installation, or subsequently using either the DHCP console or the command prompt with the netsh tool. If the DHCP server was not authorized during installation, open the DHCP console (Start -> All Programs -> Administrative Tools -> DHCP), right-click the DHCP server to be authorized and select Authorize.
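The DISCOVER/OFFER/REQUEST/ACK exchange from the DHCP process question above, as an added example that is not part of the original document: it builds each of the four messages, decodes them, and checks that they belong to one exchange. The MAC address, IP addresses, transaction id and lease time are constructed.

```python
"""Build and decode the DISCOVER / OFFER / REQUEST / ACK messages from the
exchange described above. Added example, not from the original document:
the MAC address, IP addresses, transaction id and lease time are constructed."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# option codes used below
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_REQ_IP = 1, 3, 6, 50
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255


def build(op, xid, mac, yiaddr="0.0.0.0", flags=0, options=()):
    """Encode a BOOTP/DHCP message: 236-byte fixed header, magic cookie,
    then TLV options (code, length, value) terminated by option 255."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, flags,
                         bytes(4), socket.inet_aton(yiaddr), bytes(4), bytes(4),
                         mac.ljust(16, b"\0"), bytes(64), bytes(128))
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(pkt):
    """Decode the header fields that matter for the exchange plus the option
    list. Raises ValueError for non-DHCP or truncated input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    msg = {"op": op, "xid": xid, "flags": flags,
           "yiaddr": socket.inet_ntoa(pkt[16:20]),
           "chaddr": pkt[28:28 + hlen].hex(":"), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                 # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option at offset %d" % i)
        length = pkt[i + 1]
        msg["options"][pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    mtype = msg["options"].get(OPT_MSG_TYPE)
    msg["type"] = MSG_TYPES.get(mtype[0]) if mtype else None
    return msg


def dora_exchange(mac, offered_ip, server_ip, lease_secs):
    """Run the four-step exchange in memory and return the parsed messages."""
    xid = 0x3903F326                                  # constructed transaction id
    lease = struct.pack("!I", lease_secs)
    discover = build(BOOTREQUEST, xid, mac, flags=0x8000,   # ask for a broadcast reply
                     options=[(OPT_MSG_TYPE, b"\x01")])
    # step 4: the server reserves an address and offers it together with the
    # mask, router and DNS server the client will be configured with
    offer = build(BOOTREPLY, xid, mac, yiaddr=offered_ip, options=[
        (OPT_MSG_TYPE, b"\x02"), (OPT_SUBNET, socket.inet_aton("255.255.255.0")),
        (OPT_ROUTER, socket.inet_aton("192.0.2.1")), (OPT_DNS, socket.inet_aton("192.0.2.53")),
        (OPT_LEASE, lease), (OPT_SERVER_ID, socket.inet_aton(server_ip))])
    # step 5: the client names the address it wants and the server it chose
    request = build(BOOTREQUEST, xid, mac, options=[
        (OPT_MSG_TYPE, b"\x03"), (OPT_REQ_IP, socket.inet_aton(offered_ip)),
        (OPT_SERVER_ID, socket.inet_aton(server_ip))])
    # step 6: the server confirms the lease
    ack = build(BOOTREPLY, xid, mac, yiaddr=offered_ip, options=[
        (OPT_MSG_TYPE, b"\x05"), (OPT_LEASE, lease), (OPT_SERVER_ID, socket.inet_aton(server_ip))])
    return [parse(p) for p in (discover, offer, request, ack)]


def check_exchange(msgs):
    """True when four parsed messages form one exchange: correct order, one
    shared xid, and the ACK confirms the address that was offered and requested."""
    if [m["type"] for m in msgs] != ["DISCOVER", "OFFER", "REQUEST", "ACK"]:
        return False
    if len({m["xid"] for m in msgs}) != 1:
        return False
    requested = socket.inet_ntoa(msgs[2]["options"][OPT_REQ_IP])
    return msgs[1]["yiaddr"] == requested == msgs[3]["yiaddr"]


def lease_of(ack):
    """(address, server, lease seconds) granted by a parsed ACK."""
    opts = ack["options"]
    return (ack["yiaddr"], socket.inet_ntoa(opts[OPT_SERVER_ID]),
            struct.unpack("!I", opts[OPT_LEASE])[0])


if __name__ == "__main__":
    exchange = dora_exchange(b"\x00\x11\x22\x33\x44\x55", "192.0.2.10", "192.0.2.2", 86400)
    for m in exchange:
        print(m["type"], hex(m["xid"]), m["yiaddr"])
    print(check_exchange(exchange), lease_of(exchange[3]))
```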
To achieve the same result from the command prompt, enter the following command:

    netsh dhcp server serverID initiate auth

In the above command syntax, serverID is replaced by the IP address or full UNC name of the system on which the DHCP server is installed.

>What is DNS ?
The Domain Name System (DNS) is a hierarchical distributed naming system for computers. The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains.

>What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.

>What is the port number of DNS ?
53.

>What is a Forward Lookup?
Resolving host names to IP addresses.

>What is a Reverse Lookup?
Reverse DNS turns an IP address into a hostname. For example, it might turn 192.1.2.25 into host.example.com.

>What is a Resource Record?
It is a record that provides information about the resources available in the network infrastructure.

>What is a Zone?
A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server has authority. A zone is a portion of a namespace. A zone contains the resource records for all of the names within the particular zone. Zone files are used if DNS data is not integrated with Active Directory. The zone files contain the DNS database resource records that define the zone. If DNS and Active Directory are integrated, then DNS data is stored in Active Directory.

>What are the different types of Zones in DNS ?
The DNS Server service provides for the following types of zones:
1. Primary zone
2. Secondary zone
3.
Stub zone
4. Active Directory-integrated zone

>Explain Primary zone ?
A primary zone is the only zone type that can be edited or updated, because the data in the zone is the original source of the data for all domains in the zone. Updates made to the primary zone are made by the DNS server that is authoritative for the specific primary zone.

>Explain Secondary zone ?
A secondary zone is a read-only copy of the zone that was copied from the master server during zone transfer. In fact, a secondary zone can only be updated through zone transfer.

>Explain Stub zone ?
Stub zones only contain those resource records necessary to identify the authoritative DNS servers for the master zone. Stub zones therefore contain only a copy of a zone, and are used to resolve recursive and iterative queries.

>Explain Active Directory-integrated zone ?
An Active Directory-integrated zone is a zone that stores its data in Active Directory. DNS zone files are not needed. This type of zone is an authoritative primary zone. An Active Directory-integrated zone's zone data is replicated during the Active Directory replication process. Active Directory-integrated zones also enjoy Active Directory's security features.

>Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?
PTR records.

>SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.

>By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address ?
Performs a recursive search through the primary DNS server based on the network interface configuration.

>On which port does a DNS server work ?
DNS servers use port 53 by default. Incoming and outgoing packets should be allowed on port 53. Also allow connections on port 924 if you configure a lightweight resolver server. The DNS control utility, rndc, connects to the DNS server on TCP port 953 by default. If you are running rndc on the name server, connections on this TCP port from localhost should be allowed. If you are running rndc on additional systems, allow connections to port 953 (or whatever port you have chosen to configure) from these additional systems.

>What is round robin DNS?
Round robin DNS is usually used for balancing the load of geographically distributed Web servers. For example, a company has one domain name and three identical home pages residing on three servers with three different IP addresses. When one user accesses the home page it will be sent to the first IP address. The second user who accesses the home page will be sent to the next IP address, and the third user will be sent to the third IP address. In each case, once the IP address is given out, it goes to the end of the list. The fourth user, therefore, will be sent to the first IP address, and so forth.

>What new attributes support the RODC Password Replication Policy?
Password Replication Policy is the mechanism for determining whether a user's or computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008. The following attributes have been added to the Active Directory schema to support the functionality that is required for RODC caching operations:
* msDS-Reveal-OnDemandGroup. This attribute points to the distinguished name (DN) of the Allowed List. The credentials of the members of the Allowed List are permitted to replicate to the RODC.
* msDS-NeverRevealGroup. This attribute points to the distinguished names of security principals whose credentials are denied replication to the RODC. This has no impact on the ability of these security principals to authenticate using the RODC. The RODC never caches the credentials of the members of the Denied List. A default list of security principals whose credentials are denied replication to the RODC is provided. This improves the security of RODCs that are deployed with default settings.
* msDS-RevealedList. This attribute is a list of security principals whose current passwords have been replicated to the RODC.
* msDS-AuthenticatedToAccountList. This attribute contains a list of security principals in the local domain that have authenticated to the RODC. The purpose of the attribute is to help an administrator determine which computers and users are using the RODC for logon. This enables the administrator to refine the Password Replication Policy for the RODC.

>How can you clear a password that is cached on an RODC?
There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it (or the new password is prepopulated on the RODC), and only if the PRP has not been changed. In the event that an RODC is compromised, you should reset the passwords for all accounts that have cached passwords and then rebuild the RODC.

>Can an RODC replicate to other RODCs?
No, an RODC can only replicate from a writable Windows Server 2008 domain controller. In addition, two RODCs for the same domain in the same site do not share cached credentials. You can deploy multiple RODCs for the same domain in the same site, but it can lead to inconsistent logon experiences for users if the WAN to the writable domain controller in a hub site is offline. This is because the credentials for a user might be cached on one RODC but not the other. If the WAN to the writable domain controller is offline and the user tries to authenticate with an RODC that does not have the user's credentials cached, then the logon attempt will fail.

>What operations fail if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:
* Password changes
* Attempts to join a computer to a domain
* Computer rename
* Authentication attempts for accounts whose credentials are not cached on the RODC
* Group Policy updates that an administrator might attempt by running the gpupdate /force command

>Will an RODC support my Active Directory-integrated application?
An RODC supports an Active Directory-integrated application if the application conforms to the following:
* If the application performs write operations, it must support referrals (enabled by default on clients).
* The application must tolerate write outages when the hub is offline.

>Does an RODC contain all of the objects and attributes that a writable domain controller contains?
Yes, an RODC contains all the objects that a writable domain controller contains. If you compare the LDAP store on a writable domain controller to the LDAP store of an RODC, they are identical, except that the RODC does not contain all of the credentials or attributes that are defined in the RODC filtered attribute set.

>Why does the RODC not have a relative ID (RID) pool?
All writable domain controllers can allocate RIDs from their respective RID pools to create security principals as needed. Because an RODC cannot create security principals, it cannot provide any RIDs, and it is never allocated a RID pool.

>Can I list the krbtgt account that is used by each RODC in the domain?
Yes. To list the krbtgt account that is used by each RODC in the domain, type the following command at a command line, and then press ENTER:

    Repadmin /showattr

>How does the client DNS update referral mechanism work?
Because the DNS server that runs on an RODC cannot directly register client updates, it has to refer the client to a DNS server that hosts a primary or Active Directory-integrated copy of the zone file. This server is sometimes referred to as a "writable DNS server." When a client presents a Find Authoritative Query, which is the precursor to an update request, the DNS server on the RODC uses the domain controller Locator to find domain controllers in the closest site. The RODC then compares the list of domain controllers that is returned with the list of name server (NS) resource records that it has. The RODC returns to the client the NS resource record of a writable DNS server that the client can use to perform the update. The client can then perform its update. If no domain controller in the closest site matches an entry in the list of NS records for the zone, the RODC attempts to discover any domain controller in the forest that matches an entry in the list.

Suppose that a new client is introduced to a site that has a DNS server running only on an RODC. In this case, the RODC DNS server tries to replicate the DNS record that the client has tried to update on the writable DNS server. This occurs approximately five minutes after the RODC provides a response to the original Find Authoritative Query.
If the DNS client on the RODC attempts a DNS update, a writable domain controller running Windows Server 2008 is returned so that the RODC can perform the update.

>Why doesn't the KCC on writable domain controllers try to build connections from an RODC?
To build the replication topology, the Knowledge Consistency Checker (KCC) examines the following:
* All the sites that contain domain controllers
* The directory partitions that each domain controller holds
* The cost that is associated with the site links, to build a least-cost spanning tree

The KCC determines if there is a domain controller in a site by querying AD DS for objects of the NTDS-DSA category (the objectCategory attribute value of the NTDS Settings object). The NTDS Settings objects for RODCs do not have this object category. Instead, they support a new objectCategory value named NTDS-DSA-RO. As a result, the KCCs on writable domain controllers never consider an RODC as part of the replication topology. This is because the NTDS Settings objects are not returned in the query. However, the KCC on an RODC also needs to consider the local domain controller (itself) to be part of the replication topology to build inbound connection objects. This is achieved by a minor logic change to the algorithm that the KCC uses on all domain controllers running Windows Server 2008 that forces it to add the NTDS Settings object of the local domain controller to the list of potential domain controllers in the topology. This makes it possible for the KCC on an RODC to add itself to the topology. However, the KCC on an RODC does not add any other RODCs to the list of domain controllers that it generates.

>How does the KCC build inbound connections locally on an RODC when the RODC is supposed to be read-only?
An RODC is completely read-only from the perspective of external clients, but it can internally originate changes for a limited set of objects. It permits replicated write operations and a limited set of originating write operations.
Both the KCC and the replication engine are special "writers" on an RODC. The replication engine performs replicated write operations on an RODC in exactly the same way as it does on the read-only partitions of a global catalog server that runs Windows Server 2003. The KCC is permitted to perform originating write operations on the objects that are required to perform Active Directory replication, such as connection objects.

>Why does an RODC have two inbound connection objects?
This is because File Replication Service (FRS) requires its own pair of connection objects in order to function correctly. In previous versions of Windows Server, FRS was able to utilize the existing connection objects between two domain controllers to support its replication of SYSVOL content. However, because an RODC only performs inbound replication of Active Directory data, a reciprocal connection object on the writable replication partner is not needed. Consequently, the Active Directory Domain Services Installation Wizard generates a special pair of connection objects to support FRS replication of SYSVOL when you install an RODC. The FRS connection objects are not required by DFS Replication.

>How does RODC connection failover work?
If the bridgehead replication partner of an RODC becomes unavailable, the KCC on the RODC builds a connection to another partner. By default, this happens after about two hours, which is the same for a writable domain controller. However, the FRS connection object on an RODC must use the same target as the connection object that the KCC generates on the RODC for Active Directory replication. To achieve this, the fromServer value on the two connections is synchronized. However, the trigger for changing the fromServer value on the FRS connection object is not the creation of the new connection; instead, it is the removal of the old connection.
The removal step happens some hours after the new connection object is created. Consequently, the fromServer value continues to reference the original partner until the old connection is removed by the KCC. A side effect of this is that while Active Directory replication works successfully against the new partner, FRS replication fails during this period. The additional delay is by design: it avoids causing FRS to perform an expensive VVJoin operation against the new partner, which is unnecessary if the outage of the original partner is only temporary.

>How can an administrator delete a connection object locally on an RODC?
The KCC on an RODC will build inbound connection objects for Active Directory replication. These objects cannot be seen on other writable domain controllers because they are not replicated from the RODC. You cannot use the Active Directory Sites and Services snap-in to remove these connection objects, but you can use Ldp.exe or Adsiedit.msc. The KCC on the RODC will then rebuild a connection. This way, you can trigger redistribution of connection objects across a set of RODCs that have site links to a single hub site that has multiple bridgehead servers.

>How can an administrator trigger replication to an RODC?
You can use the following methods:
1. By running the repadmin /replicate or repadmin /syncall operations.
2. By using the Active Directory Sites and Services snap-in. In this case, you can right-click the connection object and click Replicate Now.
3. You can use Active Directory Sites and Services on a writable domain controller to create an inbound replication connection object on any domain controller, including an RODC, even if no inbound connection exists on the domain controller. This is similar to running a repadmin /add operation.

>How are writable directory partitions differentiated from read-only directory partitions?
This comes from an attribute on the directory partition head called instanceType. This is a bit mask.
If bit 3 (0x4) is set, the directory partition is writable. If the bit is not set, the directory partition is read-only.

>Why can an RODC only replicate the domain directory partition from a domain controller running Windows Server 2008 in the same domain?
This is how the filtering of secrets is enforced during inbound replication to an RODC. A domain controller running Windows Server 2008 is programmed not to send secret material to an RODC during replication, unless the Password Replication Policy permits it. Because a domain controller running Windows Server 2003 has no concept of the Password Replication Policy, it would send all secrets, regardless of whether they are permitted.

>How does the KCC differentiate between domain controllers running Windows Server 2003 and domain controllers running Windows Server 2008?
The NTDS-DSA object has an msDS-Behavior-Version attribute. A value of 2 indicates that the domain controller is running Windows Server 2003. A value of 3 indicates that it is running Windows Server 2008.

>Why are built-in groups such as Account Operators and Server Operators specified separately in the Denied List attribute, but not in the Denied RODC Password Replication Group?
The Allowed RODC Password Replication Group and the Denied RODC Password Replication Group are domain local groups. Domain local groups cannot contain built-in groups.

>What actually happens when you add a user to an Administrator Role Separation role?
The configuration adds entries to the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\rodcroles
    Data type: REG_MULTI_SZ
    Value: S-1-5-21-760266474-1386482297-4237089879-1107

The role is denoted by the entry name; 544, for example, is the well-known RID for the builtin\administrators group. Then, each value represents the security identifier (SID) of a user who has been assigned to the role.

>How can an administrator determine the closest site for any given site?
* Look at the site link costs that appear in Active Directory Sites and Services, or
* after an RODC is installed successfully in an Active Directory site, run the nltest command against the RODC. The following example shows the command and the results:

    C:\>nltest /dsgetdc:rodc /server:rodc-dc-02 /try_next_closest_site /avoidself
    DC: \\HUB-DC-01
    Address: \\2001:4898:28:4:5e:
    Dom Guid: 00c80237-c5ce-4143-b0b8-cfa5c83a5654
    Dom Name: RODC
    Forest Name: rodc.nttest.contoso.com
    Dc Site Name: Hub
    Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET
    The command completed successfully

>Why does %logonserver% have the name of a domain controller in my hub site rather than the RODC in my site?
If your user account password cannot be replicated to the RODC in your site, or if the RODC does not currently have your password, the Kerberos AS_REQ is forwarded to a hub domain controller that provides your TGT. The process that updates the environment variables uses the hub domain controller as the logon server for the environment variable. The %logonserver% environment variable is not updated for the duration of that logon session, even though the user is forced to reauthenticate against the RODC.

>Password changes are not always "chained" by an RODC. Why?
Some password-change operations, such as a user initiating a password-change request by pressing Ctrl+Alt+Del, specifically require a writable domain controller. When the client computer detects that the RODC is not writable, it locates a writable domain controller instead. Other password-change operations, such as a user's password expiring and the user being prompted to change it at logon, do not specifically require a writable domain controller.

>How does a hub domain controller recognize that a request to replicate a password is coming from an RODC?
The RODC does a bind and calls the "replicate single object" application programming interface (API). The binding handle shows that it is an RODC account.
>Why does an RODC replicate in a cached password both by RSO operation and normal replication?
When a single object is replicated to the RODC in the branch site, the update sequence number (USN) and the high-water mark are not updated. As a result, the object is replicated to the branch site again at a later time.

>Does an RODC perform password validation forwarding even when it has a password for a user?
Yes. In the case where a user presents a password that does not match what the RODC has stored locally, the RODC will forward the authentication request. The RODC forwards the request to the writable Windows Server 2008 domain controller that is its replication partner, which in turn forwards the request to the PDC emulator if required. If the authentication is validated at the writable Windows Server 2008 domain controller or the PDC emulator, the RODC will purge the currently stored password and replicate the new password by RSO operation.

>Can you remove the last domain controller in a domain if there are unoccupied (or disabled) RODC accounts in the domain?
As for all previous versions of Windows Server, it is a requirement that all other domain controllers have been removed from the domain before you can remove the last domain controller. For Windows Server 2008, this requirement includes the removal of all RODCs and the removal of any precreated but unused RODC accounts.

>What relevant RODC event log entries are there?
If an RODC attempts a Replicate Single Object (RSO) operation to cache a password that the Password Replication Policy prevents from replicating to the RODC, the hub domain controller that the RODC contacts logs event ID 1699.
The details for event ID 1699 include:

    Log Name: Directory Service
    Source: NTDS Replication
    Date: 5/2/2006 2:37:39 PM
    Event ID: 1699
    Task Category: Replication
    Level: Error
    Keywords: Classic
    User: RODC\RODC-DC-02$
    Computer: HUB-DC-01
    Description:
    This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.
    Directory partition: CN=test10,OU=Branch1,OU=Branches,DC=rodc,DC=nttest,DC=contoso,DC=com
    Network address: c6ef8d14-f015-4cd0-94cc-c7f5c9c834ba._msdcs.rodc.nttest.contoso.com
    Extended request code: 7
    Additional Data
    Error value: 8453 Replication access was denied.

A successful logon logs event ID 4768 on the hub domain controller and on the RODC. The details of event ID 4768 on the hub domain controller include the following:

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 5/2/2006 3:58:05 PM
    Event ID: 4768
    Task Category: Kerberos Ticket Events
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: hub-dc-01.rodc.nttest.contoso.com
    Description:
    Authentication Ticket Request:
    Account Name: test10
    Supplied Realm Name: RODC
    User ID: S-1-5-21-3503915162-2421288034-2003080229-1128
    Service Name: krbtgt
    Service ID: S-1-5-21-3503915162-2421288034-2003080229-502
    Ticket Options: 0x40810010
    Result Code: 0x0
    Ticket Encryption Type: 0x17
    Pre-Authentication Type: 2
    Client Address: 2001:489%
    Client Port: 55763
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

At the default Event log settings, no replication event shows that the password has replicated to the RODC.
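The two events above as detection input, in an added example that is not part of the original document: it parses exported event text into fields and flags a 1699 with error 8453 (an RSO request that the Password Replication Policy denied) and a successful 4768 whose ticket was issued with RC4 (encryption type 0x17). The sample records are constructed to mirror the field names of the events shown here.

```python
"""Pick out the two RODC-related events described above from exported event
text. Added example, not from the original document: the sample records
below are constructed to mirror the event 1699 and event 4768 details shown
on this page (same field names; the client address is made up)."""
import re

# "Key: value" lines; the key is the shortest run of words before a colon
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

SAMPLE_LOG = """\
Log Name: Directory Service
Source: NTDS Replication
Event ID: 1699
Task Category: Replication
Level: Error
User: RODC\\RODC-DC-02$
Computer: HUB-DC-01
Description:
This directory service failed to retrieve the changes requested for the following directory partition.
Directory partition: CN=test10,OU=Branch1,OU=Branches,DC=rodc,DC=nttest,DC=contoso,DC=com
Network address: c6ef8d14-f015-4cd0-94cc-c7f5c9c834ba._msdcs.rodc.nttest.contoso.com
Extended request code: 7
Error value: 8453 Replication access was denied.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4768
Task Category: Kerberos Ticket Events
Level: Information
Computer: hub-dc-01.rodc.nttest.contoso.com
Description:
Authentication Ticket Request:
Account Name: test10
Supplied Realm Name: RODC
Service Name: krbtgt
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 2001:db8::10
"""


def parse_records(text):
    """Split exported event text on blank lines and turn each 'Key: value'
    line into a dict entry; free-text description lines are ignored."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m and m.group(2):
                fields[m.group(1)] = m.group(2)
        if fields:
            records.append(fields)
    return records


def first_rdn(dn):
    """'CN=test10,OU=Branch1,...' -> 'test10'."""
    return dn.split(",", 1)[0].split("=", 1)[-1]


def classify(ev):
    """Return an alert dict for the two cases discussed above, else None."""
    event_id = ev.get("Event ID")
    if event_id == "1699" and ev.get("Error value", "").startswith("8453"):
        # A hub DC refused an RSO request: the RODC tried to cache a password
        # that the Password Replication Policy does not allow it to hold.
        return {"kind": "prp_denied", "rodc": ev.get("User"),
                "hub": ev.get("Computer"),
                "account": first_rdn(ev.get("Directory partition", ""))}
    if event_id == "4768" and ev.get("Result Code") == "0x0":
        # Successful TGT issue. 0x17 is RC4-HMAC; a domain that has moved to
        # AES (0x11/0x12) should not be issuing these, so flag the weak etype.
        if ev.get("Ticket Encryption Type", "").lower() == "0x17":
            return {"kind": "rc4_tgt", "account": ev.get("Account Name"),
                    "kdc": ev.get("Computer")}
    return None


def scan(text):
    """All alerts raised by the records in an exported event text."""
    return [a for a in (classify(ev) for ev in parse_records(text)) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```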