AD Interview Questions

The document discusses various Active Directory concepts like where the AD database is stored, the purpose of folders like SYSVOL and Lost & Found, garbage collection, system state data, LDAP, global catalog, DNS zones, sites, schema, benefits of integrated DNS, File Replication Service, zone types in DNS, differences between local, global and universal groups, RPC protocol, resource records, trees, Repadmin tool, AD roles in Windows Server, application directory partitions, viewing replication properties and global catalog servers.

Where is the AD database held? What other folders are related to AD?

The AD database is stored in %SystemRoot%\NTDS\ntds.dit (by default C:\Windows\NTDS\ntds.dit). The same folder holds the transaction logs (edb.log and edbxxxxx.log), the checkpoint file (edb.chk) and the reserved log files used when the disk fills. The other AD-related folder is SYSVOL (%SystemRoot%\SYSVOL), which holds the Group Policy templates and logon scripts that are shared to clients. ntds.dit contains every account's password hash (encrypted with a key that is itself protected by the SYSTEM registry hive), so a copy of the file plus the SYSTEM hive is equivalent to every password hash in the domain: protect backups, snapshots and the NTDS folder as you would protect the domain controller itself.

What is the use of the SYSVOL folder?

SYSVOL holds the domain controller's copy of the domain's public files: the Group Policy templates (the Policies folder, one subfolder per GPO), logon and logoff scripts (the scripts folder, shared as NETLOGON) and any other files administrators place there. It is shared as \\<DC>\SYSVOL and replicated to every domain controller in the domain by FRS or DFS Replication. Because every client executes what it finds there, write access to SYSVOL is effectively domain-admin equivalent: audit its ACLs and keep them at the defaults.

What is the Lost and Found folder in AD DS?

LostAndFound is a container in each directory partition (CN=LostAndFound in the domain partition) where the directory places objects whose parent container no longer exists because of a replication conflict. Example: you create a user in an OU on one DC while another administrator deletes that OU on a different DC; when replication runs, the user's parent cannot be found, so the user is put into LostAndFound instead of being lost. The container should normally be empty, so review it periodically and move or delete what turns up there.

What is garbage collection?

Garbage collection is a housekeeping process that runs independently on every domain controller, every 12 hours by default (the garbageCollPeriod attribute). It deletes tombstones that have passed the tombstone lifetime (and, with the Recycle Bin enabled, recycled objects past their lifetime) and then performs an online defragmentation of the database. Online defragmentation reclaims space inside ntds.dit for reuse but does not shrink the file; only an offline defragmentation with ntdsutil does that.

What does System State data contain?

1. Boot (startup) files
2. Registry
3. COM+ class registration database
4. System files protected by Windows File Protection
5. Active Directory database (ntds.dit) and its logs, on a domain controller
6. SYSVOL folder, on a domain controller
7. Cluster service information, on a cluster node
8. Certificate Services database, on a certification authority

A system state backup of a domain controller therefore contains every password hash in the domain and must be stored with the same care as the DC itself.
What is the use of LDAP?

LDAP (Lightweight Directory Access Protocol) is the protocol clients and applications use to authenticate to (bind), search, add, modify and delete objects in the directory. Domain controllers listen on TCP 389 (636 for LDAP over TLS) and, for global catalog queries, on 3268 (3269 over TLS). Replication between domain controllers does not use LDAP; it uses the directory replication (DRS) RPC interface. A simple LDAP bind sends the password in cleartext, so domain controllers should require LDAP signing or LDAPS.

What is the global catalog?

The global catalog (GC) is a partial replica of every object in every domain of the forest, held by the domain controllers designated as GC servers in addition to their full copy of their own domain. It contains only a subset of each object's attributes (the partial attribute set, marked in the schema) and is queried over LDAP on ports 3268/3269. It serves forest-wide searches, resolves universal group membership at logon, and resolves user principal names (UPNs) to the right domain. The first DC in a forest is a GC by default.

What is a DNS zone?

A DNS zone is a portion of the DNS namespace over which a specific DNS server has authority.

What is a site?

A site is one or more well-connected (highly reliable, fast) TCP/IP subnets. Sites let the administrator shape directory access (the DC locator prefers a domain controller in the client's own site) and the replication topology so that both follow the physical network.

What is the Active Directory schema?

The Active Directory schema contains the formal definition of every object class that can be created in an Active Directory forest and of every attribute that can exist on an Active Directory object. There is one schema per forest; changes are made on the Schema Master and replicate to every domain controller.

What are the benefits of AD-integrated DNS?

Active Directory-integrated zones have these advantages over standard primary zones:

1. Multi-master updates: every domain controller running DNS holds a writable copy of the zone, so there is no single primary server whose loss stops updates.
2. Zone data replicates with Active Directory replication, using its topology, compression and scheduling, instead of separate zone transfers, so changes reach the other DNS servers faster and there is no second replication mechanism to manage.
3. Secure dynamic updates: the records are directory objects protected by ACLs, so only the computer that registered a record (or an administrator) can change it. A standard zone can only allow or forbid dynamic updates from anyone.
4. Zone data can be placed in the DomainDnsZones or ForestDnsZones application directory partitions so it replicates only to the domain controllers that run DNS.

What is the File Replication Service (FRS)?

File Replication Service (NtFrs) is the Windows multi-master file replication engine that, in Windows 2000 and 2003 domains, replicates the SYSVOL folder between domain controllers and replicates Distributed File System replica sets. It is a separate service that Active Directory depends on rather than part of the directory service itself. From Windows Server 2008 on (at the Windows Server 2008 domain functional level) SYSVOL can instead be replicated by DFS Replication (DFSR), which is the recommended engine; the migration is performed with dfsrmig.exe.

Explain the different zones involved in a DNS server.

DNS has two kinds of lookup zone: forward lookup zones (name to address) and reverse lookup zones (address to name). Either kind can be hosted as one of three zone types:

Primary zone: the read/write copy of the zone data; the server hosting it is authoritative and accepts updates.

Secondary zone: a read-only copy pulled from a master server by zone transfer (AXFR/IXFR); it provides redundancy and load sharing for the primary.

Stub zone: also read-only, but it holds only the SOA record, the NS records and the glue A records of the name servers authoritative for the zone, so the server can contact those servers directly instead of walking the DNS hierarchy.

What is the difference between domain local, global and universal groups?

The group scope controls who can be a member and where the group can be granted permissions:

Domain local: members can come from any domain in the forest or from any trusted domain; the group can be placed on ACLs only within its own domain. Use it to hold the permissions for a resource.

Global: members must come from the group's own domain; the group can be granted permissions in any domain that trusts it. Use it to collect users by role.

Universal: members can come from any domain in the forest and the group can be granted permissions anywhere in the forest. Its membership is stored in the global catalog, so every membership change replicates forest-wide.

The recommended nesting (AGDLP) is accounts into global groups, global groups into domain local groups, and permissions assigned to the domain local group.

What is the RPC protocol?

RPC (Remote Procedure Call) is a protocol that lets a process on one computer invoke procedures in a process on another computer. Active Directory replication runs over RPC (the directory replication service interface, MS-DRSR) both within a site and, by default, between sites; SMTP is the only alternative intersite transport and it cannot carry the domain partition. Intrasite RPC replication is uncompressed and triggered by change notification; intersite replication is compressed and runs on the site link schedule.

What is a Resource Record?

A resource record (RR) is an entry in a DNS zone. Each record type carries one kind of data: an A record maps a host name to an IPv4 address (AAAA for IPv6); an MX record names the mail server for a domain (its value is a host name, not an IP address, so a matching A record must also exist); and SRV records let clients locate services by name. Active Directory clients find domain controllers through the SRV records registered under _msdcs.<domain> and _tcp.<domain>.

What is a Tree?

A tree is a set of Active Directory domains that share a contiguous DNS namespace (for example contoso.com and sales.contoso.com) and are connected by transitive, two-way parent-child trusts, so resources can be shared between the domains. One or more trees that share a schema, configuration partition and global catalog make up a forest; the forest, not the domain, is the security boundary.

What is REPADMIN?

Repadmin is a command-line tool that helps administrators diagnose replication problems between Windows domain controllers. With it you can view the replication topology as seen from each domain controller (repadmin /showrepl), get a forest-wide summary of failures (repadmin /replsummary), force replication (repadmin /syncall) and inspect per-attribute replication metadata (repadmin /showobjmeta).

Talk about all the AD-related roles in Windows Server 2008/R2.

Windows Server 2008 has five Active Directory related server roles:

• Active Directory Domain Services (Identity): AD DS provides the functionality of an identity and access (IDA) solution for enterprise networks, together with the mechanisms to support, manage and configure resources in distributed network environments.
• Active Directory Lightweight Directory Services (Applications): AD LDS, formerly Active Directory Application Mode (ADAM), provides a directory for directory-enabled applications without requiring a domain.
• Active Directory Certificate Services (Trust): AD CS sets up a certification authority that issues digital certificates as part of a public key infrastructure (PKI), binding the identity of a person, device or service to its private key. Certificates can authenticate users and computers, support web-based and smart card authentication, and secure applications such as wireless networks, VPN, IPsec and EFS.
• Active Directory Rights Management Services (Integrity): AD RMS is an information-protection technology that applies persistent usage policies to documents, defining allowed and unauthorized use whether online, offline, inside or outside the firewall.
• Active Directory Federation Services (Partnership): AD FS extends IDA across multiple platforms, including Windows and non-Windows environments, and projects identity and access rights across security boundaries to trusted partners.

What are application directory partitions?

An application directory partition is a naming context in Active Directory that an application can use to store its own data. Unlike the domain partition, it replicates only to the domain controllers you choose, which may be in any domain of the forest. It can hold any type of object except security principals (users, computers, groups). The best-known examples are the DomainDnsZones and ForestDnsZones partitions used by AD-integrated DNS.
How do you create a new application directory partition?

Use the dnscmd command. The syntax is:

dnscmd <ServerName> /CreateDirectoryPartition <FQDN of partition>

To create an application directory partition named CustomDNSPartition.contoso.com on a domain controller named DC-1:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command and press ENTER:

dnscmd DC-1 /createdirectorypartition CustomDNSPartition.contoso.com

When the partition has been created, the following output appears:

DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com
Command completed successfully.

Creating a partition requires Enterprise Admins membership by default. Other DNS servers are added to it afterwards with dnscmd <ServerName> /EnlistDirectoryPartition <FQDN of partition>.

How do you view replication properties for AD partitions and DCs?

Use the replication tools:

repadmin /showrepl <DC> lists each partition the DC replicates, its partners and the last replication result for each; repadmin /showutdvec <DC> <partition DN> shows the up-to-dateness vector.
Replmon (the graphical Replication Monitor from the Windows 2000/2003 Support Tools) can be used against older domain controllers; it is not shipped with Windows Server 2008 or later.
Active Directory Sites and Services shows the connection objects and lets you run Replicate Now on a connection.

How do you view all the GCs in the forest?

Any of the following:

repadmin /showrepl <domain_controller> (the output states whether the DC is a GC; /showreps is the older spelling of the same command).
Replmon.exe, on Windows 2000/2003.
Active Directory Sites and Services: the Global Catalog check box on each server's NTDS Settings object.
DNS: every GC registers an A record under gc._msdcs.<forest root domain> and SRV records under _gc._tcp.<forest root domain>, so nslookup gc._msdcs.<forest root domain> lists them.
From the command line, dsquery server -forest -isgc lists all GCs in the forest (dsquery server -isgc alone covers only the current domain).
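As an added example (not part of the original document), the PowerShell below lists the forest's global catalog servers the three ways the answer describes, cross-checks them against each other, and then runs one forest-wide LDAP query against the GC port to show what the global catalog is for. It assumes the ActiveDirectory RSAT module, a domain-joined session, and Windows 8 / Server 2012 or later for Resolve-DnsName (use nslookup on older hosts). No server or domain names are hard-coded.

```powershell
# Added example, not from the original document: enumerate and cross-check GCs,
# then query the forest through one of them.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain

# 1. The forest object carries the authoritative GC list.
$gcsFromForest = @($forest.GlobalCatalogs)

# 2. Same data from the DC objects (what "dsquery server -forest -isgc" reads).
$gcsFromDCs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $root |
                Select-Object -ExpandProperty HostName)

# 3. What clients use: GCs register A records under gc._msdcs.<root> and SRV records
#    under _gc._tcp.<root>. Resolve-DnsName also returns glue A records, so keep SRV only.
$gcsFromDns = @(Resolve-DnsName -Name "_gc._tcp.$root" -Type SRV |
                Where-Object { $_.Type -eq 'SRV' } |
                ForEach-Object { $_.NameTarget.TrimEnd('.') })

# A GC advertised in DNS but absent from the directory is a stale record at best
# and something impersonating a GC at worst; either way it deserves a look.
$unknown = $gcsFromDns | Where-Object { $gcsFromForest -notcontains $_ }
if ($unknown) { Write-Warning "SRV records with no matching GC: $($unknown -join ', ')" }
"GCs in forest ${root}: $($gcsFromForest -join ', ')"
"GC count from DC objects: $($gcsFromDCs.Count)"

# GC LDAP listens on 3268 (3269 for LDAPS). The GC:// provider binds there and sees every
# domain in the forest, but only the partial attribute set. userAccountControl is in that
# set, so one query finds every enabled account with "password never expires" (0x10000)
# in every domain at once; the same search against LDAP://<dc> would cover one domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("GC://$($gcsFromForest[0])")
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                   '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
                   '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 1000    # paged results; without it the server caps at 1000 entries
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName'))
$searcher.FindAll() | ForEach-Object {
    New-Object PSObject -Property @{
        Account = [string]$_.Properties['samaccountname'][0]
        DN      = [string]$_.Properties['distinguishedname'][0]
    }
}
```

The DNS cross-check is the part worth keeping in a monitoring script: the locator trusts the SRV records, so a stale or rogue record is found by clients long before an administrator opens Sites and Services.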

Why not make all DCs in a large forest GCs?

In a multi-domain forest every GC holds a partial replica of every object in every other domain, so in a large (or giant) forest the extra data and replication traffic can be significant, especially over poor WAN links. Keeping only some DCs as GCs also has a side effect: the infrastructure master role must then sit on a DC that is not a GC, because a GC never sees its phantom references as stale. For a few hundred or even a few thousand users none of this is likely to matter, and in a single-domain forest there is no extra replication at all since every DC already holds every object; in that case Microsoft recommends making every DC a GC.

What is ADSIEDIT?

Active Directory Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory Domain Services (AD DS). ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through the other AD DS Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.

What is NETDOM?

NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and resetting secure channels.

What is REPADMIN?

Repadmin.exe is a command-line tool that assists administrators in diagnosing replication problems between Windows domain controllers. You can use Repadmin to view the replication status of each domain controller, to force replication between domain controllers, and to view both the replication metadata and the up-to-dateness vectors. Repadmin.exe can also be used to monitor the relative health of an Active Directory forest.

What is DCDIAG? When would you use it?

Dcdiag is a command-line tool that analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. As an end-user reporting program, Dcdiag encapsulates detailed knowledge of how to identify abnormal behavior in the system and displays its output at the command line. It consists of a framework for executing tests and a series of tests that verify different functional areas of the system (connectivity, replication, advertising, FSMO role holders, SYSVOL, DNS and so on). The framework selects which domain controllers are tested according to scope directives from the user, such as enterprise, site or single server. Run it after promoting or demoting a DC, when replication or logons fail, and as a routine health check.
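As an added example (not part of the original document), the following PowerShell turns repadmin and dcdiag output into objects so that failing and stale replication partners stand out instead of being buried in screen text. It assumes RSAT (repadmin.exe and dcdiag.exe on the path) and domain admin rights; domain controller names come from the forest and nothing is hard-coded. The tombstone lifetime value is an assumption noted in the code.

```powershell
# Added example, not from the original document: repadmin and dcdiag as objects.

# repadmin /showrepl * /csv emits one row per (destination DC, source DC, naming context)
# for the whole forest, with the columns referenced by name below.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

function Parse-Time([string]$s) {
    # repadmin prints a blank or a placeholder when a partner has never replicated.
    $t = [datetime]::MinValue
    if ([datetime]::TryParse($s, [ref]$t)) { $t } else { $null }
}

# Partners with consecutive failures, oldest last success first.
$failing = $rows |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Sort-Object { Parse-Time $_.'Last Success Time' } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Success Time', 'Last Failure Status'
$failing | Format-Table -AutoSize

# A partner that has not replicated for longer than the tombstone lifetime is refused
# (status 8614) and must not simply be forced: it may reintroduce lingering objects.
$tsl = 180   # assumption: the default for forests created with 2003 SP1 or later;
             # read tombstoneLifetime from the configuration partition to be sure.
$stale = $rows | Where-Object {
    $last = Parse-Time $_.'Last Success Time'
    $last -and ((Get-Date) - $last).TotalDays -gt $tsl
}
$pairs = $stale | ForEach-Object { "$($_.'Destination DSA') <- $($_.'Source DSA')" }
if ($pairs) { Write-Warning "Past tombstone lifetime: $($pairs -join '; ')" }

# dcdiag with a narrow test list; /q prints failures only, so empty output means pass.
$dcdiag = dcdiag /test:Replications /test:Services /q
if ($dcdiag) { $dcdiag } else { 'dcdiag: Replications and Services tests passed on all DCs' }
```

Run this from a scheduled task and alert on any output from the stale check: a DC that has silently stopped replicating for months is the usual way lingering objects and stale password hashes end up in a forest.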

What are sites? What are they used for?

A site is a collection of well-connected TCP/IP subnets. Sites are used for defining the topology of Active Directory replication and for directing clients to nearby domain controllers.

What's the difference between a site link's schedule and interval?

The schedule lists the days and hours during which the site link is available for replication. The interval defines how often, within that available window, replication is attempted over the link; it ranges from 15 to 10,080 minutes (one week) and defaults to 180 minutes.

What is the KCC?

The KCC (Knowledge Consistency Checker) is a built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

What is the ISTG? Who has that role by default?

The Intersite Topology Generator (ISTG) is the single domain controller in each site that runs the KCC's intersite algorithm: it creates the connection objects to other sites and selects the bridgehead servers. There is one ISTG per site, not per forest, and the role is independent of the forest functional level. By default the first domain controller in the site holds the role. If that DC stops updating its ISTG keep-alive (by default it is considered gone after about two hours), the remaining DCs in the site recompute and the DC with the next-highest GUID takes over. The current holder is recorded in the interSiteTopologyGenerator attribute of the site's NTDS Site Settings object; repadmin /istg lists it for every site.

Name some of the major changes in GPO in Windows Server 2008 R2.

The following changes are available in Windows Server 2008 R2 and in Windows 7 with Remote Server Administration Tools (RSAT):

• Windows PowerShell cmdlets for Group Policy: the GroupPolicy module lets you manage GPOs from the command line, and PowerShell scripts can run at logon and startup.
• Group Policy Preferences: additional types of preference items.
• Starter Group Policy Objects: improvements to Starter GPOs.
• Administrative Template functionality: improved user interface.
• Administrative Template settings: new and changed policy settings.

What are GPO Preferences?

Group Policy Preferences are a large set of Group Policy settings released with Windows Server 2008 that let administrators configure almost any aspect of managed computers (drive mappings, local users and groups, scheduled tasks, registry values, printers and so on) without writing scripts. Preferences only require a Windows 2000 Active Directory; they must be edited from Windows Vista/Server 2008 or later, and they can be applied to Windows XP Service Pack 2 (or later) workstations once the Group Policy Preference client-side extensions are installed. Unlike policies, preferences are not enforced: users can change the setting locally unless the item is configured to reapply. Never use the password fields in preference items (local users, drive maps, services, scheduled tasks): the value is stored in SYSVOL encrypted with a key Microsoft published, which is why MS14-025 removed those fields.

What are the major changes in AD in Windows Server 2008 R2?

The following changes are available in Windows Server 2008 R2:

• Active Directory Recycle Bin
• Active Directory module for Windows PowerShell and its cmdlets
• Active Directory Administrative Center
• Active Directory Best Practices Analyzer
• Active Directory Web Services
• Authentication mechanism assurance
• Offline domain join
• Managed Service Accounts
• Active Directory Management Pack
• Bridgehead server selection improvements

What is the AD Recycle Bin? How do you use it?

The Active Directory Recycle Bin (Windows Server 2008 R2) minimizes directory service downtime by letting you restore accidentally deleted objects, with their attributes and group memberships intact, without an authoritative restore from backup. It is disabled by default. To enable it, every domain controller must run Windows Server 2008 R2 or later and the forest must be at the Windows Server 2008 R2 forest functional level. Enabling is a one-time, irreversible change made by an Enterprise Admin, either with Enable-ADOptionalFeature in the Active Directory module for Windows PowerShell or with LDP.exe. Once enabled, deleted objects are listed with Get-ADObject -IncludeDeletedObjects and restored with Restore-ADObject (LDP.exe can do the same).

What is the tombstone lifetime attribute?

The tombstone lifetime determines how long a deleted object (a tombstone) is retained in Active Directory before garbage collection removes it. It is set by the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the configuration directory partition. The default is 60 days for forests created with Windows 2000 or Windows Server 2003, and 180 days for forests created with Windows Server 2003 SP1 or later; if the attribute is absent, 60 days applies.
When an object is deleted it is not physically removed. Instead, Active Directory sets its isDeleted attribute to TRUE, strips most of its attributes, and moves it to the hidden Deleted Objects container of its partition. The tombstone replicates to every domain controller so that each one removes its own copy. The lifetime also bounds the age of usable backups and of disconnected DCs: anything older than the tombstone lifetime must not be allowed to replicate again, because it could reintroduce objects (lingering objects) that every other DC has already purged.
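As an added example (not part of the original document) covering both the Recycle Bin and the tombstone lifetime questions, the PowerShell below reads the forest's tombstone lifetime from the configuration partition, enables the Recycle Bin if the forest qualifies, and restores a deleted user. It assumes the ActiveDirectory module, Enterprise Admins rights for the enable step, and a forest at the Windows Server 2008 R2 functional level; the account name jsmith is a placeholder.

```powershell
# Added example, not from the original document: tombstone lifetime, Recycle Bin, restore.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
            -Properties tombstoneLifetime
# An absent attribute means the pre-2003 SP1 default of 60 days is still in force.
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# Enabling is forest-wide and cannot be undone. The feature needs the 2008 R2 forest level.
$forest = Get-ADForest
if ($forest.ForestMode -lt 'Windows2008R2Forest') {
    throw "Forest level is $($forest.ForestMode); raise it before enabling the Recycle Bin."
}
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# With the Recycle Bin on, a deleted object keeps its attributes and memberships for
# msDS-DeletedObjectLifetime (defaults to the tombstone lifetime) before becoming a
# stripped, unrecoverable tombstone. Deleted objects are hidden unless asked for.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq 'jsmith' } `
             -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, lastKnownParent, whenChanged

# Restore into the original parent; add -TargetPath if that OU was deleted as well.
$deleted | Restore-ADObject
```

Note the difference in what survives: before the Recycle Bin is enabled, reanimating a tombstone brings back an object with most attributes gone; after it is enabled, the restored object is the one that was deleted, SID and group memberships included, which is what makes the restore safe for accounts that still hold permissions.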

What are AD Snapshots? How do you use them?

Snapshots are a feature introduced with Windows Server 2008. They do not require the domain to run at the Windows Server 2008 functional level, only at least one Windows Server 2008 or Windows Server 2008 R2 domain controller. A snapshot is a Volume Shadow Copy of the volumes holding the database and logs, created and managed with the ntdsutil.exe snapshot subcommands (create, list all, mount, unmount, delete). A mounted snapshot is exposed with dsamain.exe (the Active Directory database mounting tool), which serves the copy as a read-only LDAP server on a port you choose, so you can browse it with any Active Directory or LDAP tool and compare it with the live directory before deciding what to restore. A snapshot is a complete copy of ntds.dit, password hashes included, so mounted snapshots and their files need the same protection as the live database.
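As an added example (not part of the original document), the PowerShell below creates a snapshot, mounts it, serves it with dsamain and compares the Domain Admins membership in the snapshot with the live directory. Run it locally on a writable domain controller as a domain admin. The LDAP port 51389 and the regular expressions that pick the snapshot GUID and the mount path out of ntdsutil's text output are assumptions made here.

```powershell
# Added example, not from the original document: snapshot, mount, query, clean up.
$null = ntdsutil "activate instance ntds" snapshot create quit quit

# "list all" prints lines such as "1: 2024/01/15:10:30 {GUID}"; take the newest GUID.
$list = ntdsutil snapshot "list all" quit quit
$guid = ($list | Select-String -Pattern '\{[0-9a-fA-F-]{36}\}' -AllMatches).Matches.Value |
        Select-Object -Last 1
if (-not $guid) { throw 'no snapshot GUID found in ntdsutil output' }

# Mounting exposes the shadow copy as a folder like C:\$SNAP_201401151030_VOLUMEC$\
$mount = ntdsutil snapshot "mount $guid" quit quit
$path  = ($mount | Select-String -Pattern '[A-Za-z]:\\\$SNAP_\S+').Matches.Value |
         Select-Object -First 1
$dit   = Join-Path $path 'Windows\NTDS\ntds.dit'

# dsamain serves the copy as a read-only LDAP instance. It is the full database,
# password hashes included, so keep the port local and take it down when finished.
$proc = Start-Process -FilePath dsamain -ArgumentList "-dbpath `"$dit`" -ldapport 51389" -PassThru
Start-Sleep -Seconds 15

try {
    $domainDN = ([adsi]'LDAP://RootDSE').defaultNamingContext
    $groupDN  = "CN=Domain Admins,CN=Users,$domainDN"
    $then = @(([adsi]"LDAP://localhost:51389/$groupDN").member)   # snapshot
    $now  = @(([adsi]"LDAP://$groupDN").member)                   # live directory

    Compare-Object -ReferenceObject $then -DifferenceObject $now | ForEach-Object {
        $state = if ($_.SideIndicator -eq '=>') { 'added since snapshot' } else { 'removed since snapshot' }
        "$($_.InputObject): $state"
    }
}
finally {
    Stop-Process -Id $proc.Id -Force
    $null = ntdsutil snapshot "unmount $guid" "delete $guid" quit quit
}
```

Scheduled snapshots taken before every change window give you exactly this kind of before/after diff for privileged groups, GPO links or ACLs, without touching a backup tape; the trade-off is that each snapshot is another complete copy of the credential store sitting on the DC's disk.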

What is Offline Domain Join? How do you use it?

Offline domain join is a process that computers running Windows 7 or Windows Server 2008 R2 can use to join a domain without contacting a domain controller, which makes it possible to join computers in locations with no connectivity to the corporate network.
First the computer account is created (provisioned) in the domain and the resulting data (the account's password and the domain information the client needs) is written to a blob file. That file is carried to the joining computer, which consumes it and completes the join at its next boot without any connectivity to a domain controller.
Djoin.exe does both halves; Djoin.exe /? shows the syntax. On a computer that can reach a DC:

Djoin.exe /provision /domain Name_Of_the_Domain_To_Be_Joined /machine Client_Computer_Name /savefile File_Name.txt

On the joining computer:

Djoin.exe /requestODJ /loadfile File_Name.txt /windowspath %SystemRoot% /localos

The blob contains the machine account password, so treat the file as a credential: move it over a protected channel and delete it after use.

What are Fine-Grained Passwords? How do you use them?

Windows Server 2008 Active Directory introduced fine-grained password policies (FGPPs). In Windows 2000 and 2003 domains you could apply only one password and account lockout policy to all users in the domain, so if you wanted different settings for different sets of users you had to write a password filter or deploy multiple domains. With FGPPs you can define multiple password policies and apply different password restrictions and account lockout settings to different sets of users within a single domain. FGPPs become available once the domain is at the Windows Server 2008 domain functional level.

To store them, Windows Server 2008 adds two object classes to the Active Directory Domain Services schema: Password Settings Container and Password Settings. The Password Settings Container (CN=Password Settings Container,CN=System,<domain>) is created by default and cannot be renamed, moved or deleted; it holds the Password Settings objects (PSOs) for the domain. Each policy is a PSO linked to users or to global security groups (not to OUs). When several PSOs apply to a user, the one with the lowest msDS-PasswordSettingsPrecedence wins, and a PSO linked directly to the user beats any group-linked PSO. PSOs are managed with ADSI Edit, an LDIF file, or, in Windows Server 2008 R2, the *-ADFineGrainedPasswordPolicy cmdlets of the Active Directory module.
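As an added example (not part of the original document), the PowerShell below creates a stricter PSO for service accounts, links it to a group, and then shows which policy actually wins for one user. It assumes the ActiveDirectory module and Domain Admins rights; the PSO, group and user names are placeholders.

```powershell
# Added example, not from the original document: create, link and verify a PSO.
Import-Module ActiveDirectory

# The cmdlet creates the PSO under CN=Password Settings Container,CN=System,<domain>.
# Lower Precedence wins when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 25 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 10 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# PSOs can be linked only to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'SG-ServiceAccounts'

# Resultant policy for one account: a directly linked PSO beats group-linked ones,
# otherwise the lowest Precedence wins; with no PSO the domain default applies.
$rsop = Get-ADUserResultantPasswordPolicy -Identity 'svc-backup'
if ($rsop) {
    $rsop | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
} else {
    Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, LockoutThreshold, MaxPasswordAge
}
```

Checking the resultant policy is the step people skip: a user who is in two groups with conflicting PSOs, or who has a stale PSO linked directly, gets a policy nobody intended, and Get-ADUserResultantPasswordPolicy is the only quick way to see what is really enforced.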

Talk about Restartable Active Directory Domain Services in Windows Server 2008/R2. What is this feature good for?

Restartable AD DS is a Windows Server 2008 feature that lets you stop the directory service (net stop ntds, or Stop-Service NTDS) to perform routine maintenance on a domain controller, such as applying updates or running an offline defragmentation of ntds.dit, without restarting the server into Directory Services Restore Mode.

While AD DS is running, a domain controller running Windows Server 2008 behaves the same way as a domain controller running Windows 2000 Server or Windows Server 2003.

While AD DS is stopped, the server behaves like a member server. You can continue to log on with a domain account if other domain controllers are available to service the logon request; if none is, you can log on locally with the DSRM administrator account. The services that depend on AD DS (Kerberos KDC, DNS Server, FRS or DFSR, Intersite Messaging) stop with it and must be started again afterwards. You can also log on with a domain account while the domain controller is started in Directory Services Restore Mode (DSRM), again only if other domain controllers are available to service the request.
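As an added example (not part of the original document), the PowerShell below performs the offline defragmentation the answer mentions, using the stopped-AD DS state instead of a reboot into DSRM. Run it locally on the domain controller as a domain admin; C:\NTDS-Compact is a placeholder working directory on a volume with enough free space for a second copy of the database.

```powershell
# Added example, not from the original document: offline defrag with AD DS stopped.
$work = 'C:\NTDS-Compact'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Remember which dependents (KDC, DNS, DFSR/NtFrs, ISM ...) were running. Stop-Service -Force
# stops them together with NTDS, but Start-Service NTDS does not bring them back on its own.
$deps = Get-Service -Name NTDS -DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force

try {
    # "compact to" writes a new, defragmented ntds.dit into $work.
    $out = ntdsutil "activate instance ntds" files "compact to $work" quit quit
    if (-not ($out -match 'Operation completed successfully')) { throw ($out -join "`n") }

    $params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath = $params.'DSA Database file'
    $logDir  = $params.'Database log files path'

    # Keep the old database until the integrity check passes; delete the old logs as ntdsutil instructs.
    Copy-Item $ditPath (Join-Path $work 'ntds.dit.bak')
    Copy-Item (Join-Path $work 'ntds.dit') $ditPath -Force
    Remove-Item (Join-Path $logDir '*.log')

    $check = ntdsutil "activate instance ntds" files integrity quit quit
    if (-not ($check -match 'Integrity check successful')) {
        Copy-Item (Join-Path $work 'ntds.dit.bak') $ditPath -Force
        throw 'integrity check failed; original ntds.dit put back'
    }
}
finally {
    Start-Service -Name NTDS
    $deps | Start-Service
    # $work now holds two full copies of the database, hashes included: wipe it once the DC is healthy.
}
```

The DC is unavailable only for the duration of the compaction rather than for a full reboot cycle, which is the whole point of the feature; the remaining risk is the working directory, which is why the finally block reminds you to remove it.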

What are the changes in auditing in Windows Server 2008/R2?

• Global Object Access Auditing: a single SACL for the whole file system or registry, instead of per-object SACLs.
• "Reason for access" reporting: the audit event records which permission granted or denied the access.
• Advanced audit policy settings: 53 audit subcategories manageable through Group Policy (previously only with auditpol.exe). Windows Server 2008 had already added the Directory Service Changes subcategory, which logs old and new attribute values for AD modifications.

How can you forcibly remove AD from a server, and what do you do later?

Demote the server with dcpromo /forceremoval. After a forced removal the metadata for the demoted DC (its NTDS Settings object, computer account, FRS/DFSR member objects and DNS records) is not deleted on the surviving domain controllers, so you must remove it manually: with ntdsutil (metadata cleanup, remove selected server) or, from Windows Server 2008 on, by deleting the server's NTDS Settings object in Active Directory Sites and Services, which performs the same cleanup. Then seize any FSMO roles the removed DC held and delete its DNS records.
An alternative when dcpromo will not run:
1. Restart the DC in DSRM.
2. Locate the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions.
3. In the right pane, double-click ProductType.
4. Type ServerNT in the Value data box, and then click OK.
5. Restart the server in normal mode.
The server now behaves as a member server, but the AD entries are still there. Promote it into a throwaway domain (say ABC.com) and then demote it gracefully with dcpromo. Metadata cleanup on the surviving domain controllers is still required.

Can I get user passwords from the AD database?

Not as plaintext. AD does not store the password itself (unless "Store password using reversible encryption" is enabled for the account); it stores the NT hash (an unsalted MD4 of the UTF-16 password) and the account's Kerberos keys, and those values are in turn encrypted inside ntds.dit with a key protected by the SYSTEM registry hive. A hash cannot be decrypted back into the password; the only route is to crack it offline by guessing (such tools exist). The security-relevant point is that anyone who obtains a copy of ntds.dit together with the SYSTEM hive (from a backup, a snapshot or a VSS shadow copy) can extract every hash in the domain, and an NT hash can be used directly to authenticate (pass-the-hash) without ever being cracked, so those files are domain-wide credentials and must be protected as such.

What's NTDSUTIL? When do you use it?

Ntdsutil.exe is a command-line tool for managing the core of Active Directory. Use it for database maintenance (offline defragmentation, integrity checks, moving the database and log files), to manage and seize the single-master (FSMO) operations roles, to remove metadata left behind by domain controllers that were removed from the network without being properly demoted, and, from Windows Server 2008 on, to create and mount snapshots and to set the DSRM administrator password. By default it is installed in %SystemRoot%\System32.

What are RODCs?

Read-only domain controllers (RODCs, introduced in Windows Server 2008) are additional domain controllers for a domain that host complete, read-only copies of the Active Directory partitions and a read-only copy of the SYSVOL folder. Replication is one-way, from writable DCs to the RODC only, so a compromised RODC cannot push changes into the directory. By default an RODC stores no account passwords other than its own and those of its dedicated krbtgt account; the Password Replication Policy (PRP) defines which accounts' secrets may be cached on it, and the built-in administrative groups are denied by default. Attributes placed in the RODC filtered attribute set are not replicated to it at all, and administrator role separation lets a branch user administer the RODC's operating system without being a domain administrator. These properties address branch offices and perimeter networks (DMZs) that lack the physical security of a datacenter or hub site: if an RODC is stolen, only the secrets it had cached are exposed, and deleting its computer account offers to reset exactly those passwords.

What are the major benefits of using RODCs?

RODCs offer the following benefits:

• Improved security: limited credential exposure, one-way replication and role separation.
• Faster logon times: branch users authenticate locally against cached credentials.
• More efficient access to resources: directory lookups are served locally instead of over the WAN.
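As an added example (not part of the original document) for the two RODC questions, the PowerShell below audits one RODC's Password Replication Policy and checks that no privileged account has had its secrets cached there. It assumes the ActiveDirectory module and read access to the domain; BRANCH-RODC1 is a placeholder name.

```powershell
# Added example, not from the original document: audit an RODC's PRP and cached secrets.
Import-Module ActiveDirectory
$rodc = 'BRANCH-RODC1'

# The policy: Allowed list (msDS-Reveal-OnDemandGroup) and Denied list (msDS-NeverRevealGroup).
# Denied wins over Allowed; the default Denied group already contains the built-in admin groups.
$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
$denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)

# Secrets physically present on the RODC right now (msDS-RevealedUsers), and accounts that
# have authenticated through it (msDS-AuthenticatedToAccountlist) and might be worth allowing.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
$authTo   = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

# Privileged accounts: members of the high-value groups plus anything ever protected by
# AdminSDHolder (adminCount=1), which also catches accounts removed from those groups later.
# Enterprise/Schema Admins exist only in the forest root, hence SilentlyContinue elsewhere.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'
$privDNs = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}
$privDNs += Get-ADObject -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty DistinguishedName
$privDNs  = $privDNs | Sort-Object -Unique

$exposed = @($revealed | Where-Object { $privDNs -contains $_.DistinguishedName })
if ($exposed) {
    Write-Warning "Privileged secrets cached on ${rodc}: $(($exposed | ForEach-Object { $_.SamAccountName }) -join ', ')"
}

New-Object PSObject -Property @{
    RODC               = $rodc
    Allowed            = $allowed.Count
    Denied             = $denied.Count
    Revealed           = $revealed.Count
    AuthenticatedTo    = $authTo.Count
    PrivilegedRevealed = $exposed.Count
}
```

The revealed list is the one that matters for incident response: it is the exact set of accounts whose passwords must be reset if the RODC is stolen, and it should never intersect the privileged set, which is why the script warns rather than merely counts.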
