Active Directory Revision

Uploaded by pharosecoled
ACTIVE DIRECTORY REVISION

Suman Das
Questions & Answers

Q1. What is Delegation in AD?


Ans.: Delegation is the act of allowing a service to impersonate a user account or computer
account in order to access resources throughout the network. When a service is trusted for
delegation, that service can impersonate a user to use other network services.

Q2. What are the Domain Functional Level and Forest Functional Level in Windows 2000/2003 Server?

Ans.: Domain and forest functionality, introduced in Windows Server 2003 Active Directory,
provides a way to enable domain- or forest-wide Active Directory features within your network
environment. Different levels of domain functionality and forest functionality are available
depending on your environment.
If all domain controllers in your domain or forest are running Windows Server 2003 and the
functional level is set to Windows Server 2003, all domain- and forest-wide features are
available. When Windows NT 4.0 or Windows 2000 domain controllers are included in your
domain or forest with domain controllers running Windows Server 2003, Active Directory
features are limited.
Q3. What is Mixed Mode and Native Mode?

Ans.: Mixed mode in Windows 2000 means that your Windows 2000 server functions in a
manner that allows it to work with older versions of Windows NT. Specifically, in mixed mode,
Windows 2000 can operate with Windows NT 4.0 servers and Windows NT 4, Windows 9x, and
Windows 3.x workstations. When Windows 2000 is running in mixed mode, it behaves and
communicates in a way that earlier versions of Windows NT understand. As far as they're
concerned, the Windows 2000 server looks just like a regular Windows NT 4 Primary Domain
Controller (PDC).

In native mode, the server can no longer replicate changes to and from Windows NT BDCs, nor
can you add any additional Windows NT servers to your network. Any Windows NT Workstation
or 9x clients you have will have to use the Active Directory client to access files on the Windows
2000 server.

Q4. How are AD and DNS integrated?

Ans.:

Q5. What are Sites?

Ans.: Sites in Active Directory represent the physical structure, or topology, of your network.
Active Directory uses topology information, stored as site and site link objects in the directory, to
build the most efficient replication topology. You use Active Directory Sites and Services to
define sites and site links. A site is a set of well-connected subnets. Sites differ from domains;
sites represent the physical structure of your network, while domains represent the logical
structure of your organization.

Q6. What is the difference between Additional Domain Controller and Child Domain
Controller?

Ans.: An additional domain controller would be just that, a new DC added to an existing
domain.

A child DC would be either the first or an additional DC added to a child domain, i.e., a domain
that has a parent domain in the same forest.

Q8. What is LDAP? How does AD support LDAP?

Ans.: LDAP is a communication protocol designed for use on TCP/IP networks. LDAP defines
how a directory client can access a directory server and how the client can perform directory
operations and share directory data. LDAP standards are established by working groups of the
Internet Engineering Task Force (IETF). Active Directory implements the LDAP attribute draft
specifications and the IETF standards for LDAP versions 2 and 3.

Q9. What is Global Catalogue?

Ans.: A global catalog is a domain controller that stores a copy of all Active Directory objects in
a forest. The global catalog stores a full copy of all objects in the directory for its host domain
and a partial copy of all objects for all other domains in the forest.

Q10. What is Universal Group Caching?


Ans.:

Q11. In native mode what does PDC emulator do?

Ans.: In mixed mode, PDC emulators do:

* Time sync for the domain/forest
* Primary source for GPO edits
* Pwd change for legacy clients without the directory services client
* Central repository for passwords when another DC needs to check the
password when a user provided a wrong password against that DC.
* Participates in immediate replication for certain events through an RPC call.
* Provides directory updates to DFS root servers when Root scalability
is disabled

Q12. What is Trust Relationship? What are the trust types supported by Win 2003?

Ans.: A trust relationship is a relationship established between domains that enables users in one
domain to be authenticated by a domain controller in the other domain. Trust relationships in
Windows NT are different from those in Windows 2000 and Windows Server 2003 operating systems.

Q13. What are AD groups?

Ans.: Groups are containers that contain user and computer objects within them as members.
When security permissions are set for a group in the Access Control List on a resource, all
members of that group receive those permissions. Domain Groups enable centralized
administration in a domain. All domain groups are created on a domain controller.

Q14. What are the Group Types and Scopes?

Ans.: Group Types:

* Security groups: Use security groups for granting permissions to gain access to
resources. Sending an e-mail message to a group sends the message to all members of the
group. Therefore security groups share the capabilities of distribution groups.
* Distribution groups: Distribution groups are used for sending e-mail messages to
groups of users. You cannot grant permissions to distribution groups. Even though security
groups have all the capabilities of distribution groups, distribution groups are still required,
because some applications can only read distribution groups.

Group Scopes:
Group scope normally describes which type of users should be clubbed together in a way which is
easy for their administration. Therefore, in a domain, groups play an important part. One group
can be a member of other group(s), which is normally known as group nesting. One or more
groups can be members of any group in the entire domain(s) within a forest.

* Domain Local Group: Use this scope to grant permissions to domain resources that are
located in the same domain in which you created the domain local group. Domain local
groups can exist in all mixed, native and interim functional levels of domains and forests.
Domain local group memberships are not limited, as you can add user accounts, universal
and global groups from any domain as members. Just to remember, nesting cannot
be done in domain local groups: a domain local group will not be a member of another
domain local or any other group in the same domain.
* Global Group: Users with a similar function can be grouped under global scope and can
be given permission to access a resource (like a printer or shared folder and files)
available in the local or another domain in the same forest. To say it in simple words, global
groups can be used to grant permissions to gain access to resources which are located in
any domain but in a single forest, as their memberships are limited: user accounts and
global groups can be added only from the domain in which the global group is created.
Nesting is possible for global groups within other groups, as you can add a global group
into another global group from any domain. Finally, to provide permission to domain
specific resources (like printers and published folders), they can be members of a Domain
Local group. Global groups exist in all mixed, native and interim functional levels of
domains and forests.
* Universal Group: These groups are precisely used for e-mail distribution and can
be granted access to resources in all trusted domains, as these groups can only be used as a
security principal (security group type) in a Windows 2000 native or Windows Server
2003 domain functional level domain. Universal group memberships are not limited like
global groups: all domain user accounts and groups can be members of a universal group.
Universal groups can be nested under a global or Domain Local group in any domain.

Q15. What is Universal Group?

Ans.:

Q16. Why Infrastructure Master and Global Catalogue should not be placed in the same
domain?

Ans.: Infrastructure Master and Global Catalogue should not be placed in the same domain
because, the infrastructure master finds data out-of-date and then requests update data from the
global catalogue server. If both roles reside on the same domain controller, then the infrastructure
master will not be able to function because it’ll never find any out-of-date data since the global
catalogue is always up-to-date.

Q17. Why do we need Active Directory?

Ans.: We need Active Directory to store information about objects on a network and make this
information available to users and network administrators.

Q18. What is Active Directory Services?


Ans.: Active Directory service is used to store information about the network resources across a
domain and also centralize the network.

Q19. What is Schema?

Ans.: Schema is a collection of database objects. A schema is owned by a database user and has
the same name as that user. Schema objects are logical structures created by
users to contain, or reference, their data. Schema objects include structures like tables, views,
and indexes.

Q20. What is Active Directory Schema?


Ans.: The Active Directory schema contains the definitions for all objects in the directory. Every
new directory object you create is validated against the appropriate object definition in the
schema before being written to the directory. The schema is made up of object classes and
attributes. The base (or default) schema contains a rich set of object classes and attributes to meet
the needs of most organizations, and is modeled after the International Standards Organization
(ISO) X.500 standard for directory services. Because it is extensible, you can modify and add
classes and attributes to the base schema.
Q21. What is Active Directory Partition?

Ans.: The Active Directory database is logically separated into directory partitions:
* Schema partition
* Configuration partition
* Domain partition
* Application partition
Each partition is a unit of replication, and each partition has its own replication topology.
Replication occurs between replicas of a directory partition. At least two directory partitions are
common among all domain controllers in the same forest: the schema and configuration
partitions. All domain controllers which are in the same domain, in addition, share a common
domain partition.
Schema Partition:
Only one schema partition exists per forest. The schema partition is stored on all domain
controllers in a forest. The schema partition contains definitions of all objects and attributes that
you can create in the directory, and the rules for creating and manipulating them. Schema
information, including the attribute definitions, is replicated to all domain controllers in the forest.
Configuration Partition:
There is only one configuration partition per forest. Stored on all domain controllers in a forest,
the configuration partition contains information about the forest-wide Active Directory structure
including what domains and sites exist, which domain controllers exist in each forest, and which
services are available. Configuration information is replicated to all domain controllers in a
forest.
Domain Partition:
Many domain partitions can exist per forest. Domain partitions are stored on each domain
controller in a given domain. A domain partition contains information about users, groups,
computers and organizational units. The domain partition is replicated to all domain controllers
of that domain. All objects in every domain partition in a forest are stored in the global catalog
with only a subset of their attribute values.
Application Partition:
Application partitions store information about applications in Active Directory. Each application
determines how it stores, categorizes, and uses application-specific information. To prevent
unnecessary replication to specific application partitions, you can designate which domain
controllers in a forest host specific application partitions. Unlike a domain partition, an
application partition cannot store security principal objects, such as user accounts. In addition,
the data in an application partition is not stored in the global catalog.
Q22. How many table does Active Directory contains?
Ans.:

Q23. What is DFS? What is the difference between Stand Alone DFS and Domain DFS?
Ans.: With Distributed File System (DFS), system administrators can make it easy for users to
access and manage files that are physically distributed across a network. With DFS, you can
make files distributed across multiple servers appear to users as if they reside in one place on the
network. Users no longer need to know and specify the actual physical location of files in order
to access them.
Q24. What are the FSMO roles?
Ans.: Flexible Single Master of Operation (FSMO), or just single master operation or operations
master, is a feature of Microsoft's Active Directory (AD). As of 2005, the term FSMO has been
deprecated in favor of operations masters.

Q25. Why are they called flexible and why single master?
Ans.: FSMOs are specialized domain controller (DC) tasks, used where standard data transfer
and update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy
of the AD database, being synchronized by multi-master replication. The tasks which are not
suited to multi-master replication, and are viable only with a single-master database, are the
FSMOs.
Q26. What is the basic difference between Additional Domain Controller and Backup
Domain Controller?
Ans.:

Q27. What is Replication?


Ans.:

Q28. What is Active Directory Replication?


Ans.: Active Directory replication is the process by which the changes that originate on one
domain controller are automatically transferred to other domain controllers that store the same
data.
Q29. What information is replicated during Active Directory Replication?
Ans.: Four types of data are replicated:
* Schema Partition
* Domain Partition
* Configuration Partition
* Application Partition
Q30. What do you mean by Multimaster Replication scenario in AD replication?
Ans.: Multimaster replication is a replication model in which any domain controller accepts and
replicates directory changes to any other domain controller. This differs from other replication
models in which one computer stores the single modifiable copy of the directory and other
computers store backup copies.
Q31. What is Propagation Dampening?
Ans.: Propagation dampening occurs through the use of two vectors. Vectors are made up of
pairs of data that combine a GUID (globally unique identifier) and a USN. The two vectors are
called the Up-to-Date Vector and the High Watermark Vector. The Up-to-Date Vector contains
server USN pairs, and represents the highest originating update. The High Watermark Vector
holds the USN numbers for attributes that were added or modified in the directory and are stored
in the replication metadata (which is simply "data about data") for that attribute. Through both
vectors, propagation dampening can occur and unnecessary Active Directory updates can be
avoided. Propagation dampening is an internal process that is invisible to administrators.
Q32. What is the job of the KCC?
Ans.: The Knowledge Consistency Checker (KCC) (running on all domain controllers) generates
the replication topology by specifying what domain controllers will replicate to which other
domain controllers in the site. The KCC maintains a list of connections, called a replication
topology, to other domain controllers in the site. The KCC ensures that changes to any object are
replicated to all site domain controllers and updates go through no more than three connections.
Also an administrator can configure connection objects.
The KCC uses information provided by the administrator about sites and subnets to
automatically build the Active Directory replication topology.
Q33. What is the need for AD Migration?
Ans.:
Q34. What are Administrative Templates?
Ans.: Administrative Templates are a feature of Group Policy, a Microsoft technology for
centralised management of machines and users in an Active Directory environment.
Administrative Templates facilitate the management of registry-based policy. An ADM file is
used to describe both the user interface presented to the Group Policy administrator and the
registry keys that should be updated on the target machines. An ADM file is a text file with a
specific syntax which describes both the interface and the registry values which will be changed
if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service
Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and
wuau.adm). These are merged into a unified "namespace" in GPEdit and presented to the
administrator under the Administrative Templates node (for both machine and user policy).
Q35. What is RIS?
Ans.: Remote Installation Service (RIS) is a feature included in Microsoft's Windows 2000/2003
server that allows network administrators to install the Windows 2000/2003 operating system
and its upgrades to any number of client computers at one time from a centralized location. If the
client computer is connected to the server through a local area network (LAN), the computer's
hardware will find the RIS server and request a copy of the operating system. The network
administrator can use the RISrep imaging option to copy several versions, or images, of a
company's desktop configuration to the server so that if a request is made, the server can issue an
"image" for a particular computer or user. Microsoft promotes the use of RIS as a way to
configure new computers right out of the box and to restore the operating system on a computer
that has failed.
Q36. What are the requisites for RIS at the server and client ends?
Ans.: Server end requisites:
* Dynamic Host Configuration Protocol (DHCP) is installed and activated.
* Active Directory is installed.
* Domain Name System (DNS) is installed.

Client end requisites:
1. Boot ROM
2. NIC enabled
3. PXE enabled
Q37. What do you understand by Roaming User Profile?
Ans.: A server-based user profile that is downloaded to the local computer when a user logs on
and that is updated both locally and on the server when the user logs off. A roaming user profile
is available from the server when logging on to a workstation or server computer. When logging
on, the user can use the local user profile if it is more current than the copy on the server.
Q38.What is Mandatory Roaming User Profile?
Ans.: A user profile that is not updated when the user logs off. It is downloaded to the user's
desktop each time the user logs on, and is created by an administrator and assigned to one or
more users to create consistent or job-specific user profiles. Only members of the Administrators
group can change profiles.
Q39. What is the importance of the sysvol folder in AD?
Ans.: A shared directory that stores the server copy of the domain's public files, which are
replicated among all domain controllers in the domain.
Q40. What is Netlogon?
Ans.: The Net Logon service verifies logon requests, and it registers, authenticates, and locates
domain controllers. Also, to maintain backward compatibility, Net Logon manages replication of
the user account database to backup domain controllers running Windows NT 4.0 and earlier.
Q41. What is authoritative and non-authoritative restore in AD?
Ans. Authoritative Restore: In Backup, a type of restore operation performed on an Active
Directory domain controller in which the objects in the restored directory are treated as
authoritative, replacing (through replication) all existing copies of those objects. Authoritative
restore is applicable only to replicated system state data such as Active Directory data and File
Replication service data. Use the Ntdsutil.exe utility to perform an authoritative restore.
Non-Authoritative restore: A restore of a backup copy of a Windows domain controller in
which the objects in the restored directory are not treated as authoritative. The restored objects
are updated with changes held in other replicas of the restored domain.
Special Notes - Active Directory and DNS

Active Directory and DNS


Created 2000-03-18 by Rainer Gerhards.
Updated 2001-03-13 by Rainer Gerhards.

Microsoft's Active Directory relies heavily on DNS. DNS is used to find important resources
like domain controllers. Because these in turn are needed to authenticate users, Windows 2000,
XP or 2003 will not work properly without a correctly configured DNS.
Unfortunately, Microsoft has decided to use very new standards in its DNS. The Windows
2000/XP/2003 environment relies on options like dynamic DNS and - to some degree - Unicode
characters in DNS records. While most of these are open standards, they are only seldom used
outside of the Microsoft environment. So in reality, only the Microsoft DNS server will ensure
proper and hassle-free DNS operation. And if I say Microsoft DNS I mean the one that comes
with Windows 2000 or newer operating systems - the Windows NT 4 DNS server won't help
much.
This article describes Microsoft's approach, the issues with it and how to work around them.

Why does Windows 2000 need DNS?


Microsoft has decided to build Active Directory on top of open standards. DNS is *the* Internet
standard for resource location. However, so far it was mostly used to resolve host names to IP
addresses. Typically, it is used to get the IP address of the host with a name such as
www.windows-expert.net so that a browser can technically connect to that machine.
However, DNS is more than an IP address resolver. DNS is a distributed database of so-called
resource records. There are many resources besides IP addresses, most notably name servers or
mail exchangers (a.k.a. mail servers). A relatively new record is the so-called service (SRV)
record. That one is used to describe services residing on a machine - for example a domain
controller service. SRV records are an open standard. They are not only supported by Microsoft
but also by other vendors. However, other vendors' support is limited and only available in current
releases. The widely used BIND (Berkeley Internet Name Daemon) DNS server - the de-facto
standard under Unix - must be at least version 8.1.2. If it is an older version, problems
will arise almost instantly.
Active Directory uses SRV records to locate any and all services. Not only is the domain
controller detected by SRV records, they also point to global catalog servers and other important
services. Windows 2000 must be able to resolve references to these services. Otherwise it will
fail. Correct DNS records are of utmost importance for a healthy Active Directory.
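A check for the SRV records this section says Active Directory depends on, added here as an example and not taken from the article: the record names follow the _msdcs layout a domain controller registers for DC, KDC, PDC emulator and global catalog lookups, and the zone snapshots (domain "corp.example", host "dc1.corp.example", addresses) are constructed placeholders.

```python
"""Verify that a DNS zone holds the SRV records AD clients use to find services.

Each expected SRV name is checked for presence, for the service port a client
expects, and for an A record on the SRV target (a DC that never registered its
host record is just as unreachable as one with no SRV record at all).
"""
from typing import Optional

# name template -> (expected port, what a client uses the record for)
AD_SRV_RECORDS = {
    "_ldap._tcp.dc._msdcs.{domain}": (389, "find a domain controller (LDAP)"),
    "_kerberos._tcp.dc._msdcs.{domain}": (88, "find a Kerberos KDC"),
    "_ldap._tcp.pdc._msdcs.{domain}": (389, "find the PDC emulator"),
    "_gc._tcp.{forest}": (3268, "find a global catalog"),
    "_ldap._tcp.gc._msdcs.{forest}": (3268, "find a global catalog via _msdcs"),
}


def expected_srv_names(domain: str, forest: Optional[str] = None) -> dict:
    """Expand the templates for one domain (forest root = domain unless given)."""
    forest = forest or domain
    return {t.format(domain=domain, forest=forest): v for t, v in AD_SRV_RECORDS.items()}


def check_ad_dns(zone: dict, domain: str, forest: Optional[str] = None) -> list:
    """zone maps a lower-case name to [(rtype, rdata)], with SRV rdata =
    (priority, weight, port, target) and A rdata = an address string.
    Returns a list of problems; an empty list means the records AD needs are present."""
    problems = []
    for name, (port, purpose) in expected_srv_names(domain, forest).items():
        srvs = [rd for rt, rd in zone.get(name.lower(), []) if rt == "SRV"]
        if not srvs:
            problems.append(f"missing {name}: clients cannot {purpose}")
            continue
        for _prio, _weight, srv_port, target in srvs:
            if srv_port != port:
                problems.append(f"{name} -> {target} uses port {srv_port}, expected {port}")
            if not any(rt == "A" for rt, _ in zone.get(target.lower(), [])):
                problems.append(f"{name} -> {target} has no A record (host not registered)")
    return problems


DOMAIN = "corp.example"      # constructed placeholder domain
DC = "dc1.corp.example"      # constructed placeholder DC host name


def srv(port: int) -> tuple:
    """One SRV rdata pointing at the placeholder DC."""
    return ("SRV", (0, 100, port, DC))


# A DC that registered everything through dynamic DNS (constructed).
HEALTHY_ZONE = {
    DC: [("A", "10.0.0.10")],
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [srv(389)],
    f"_kerberos._tcp.dc._msdcs.{DOMAIN}": [srv(88)],
    f"_ldap._tcp.pdc._msdcs.{DOMAIN}": [srv(389)],
    f"_gc._tcp.{DOMAIN}": [srv(3268)],
    f"_ldap._tcp.gc._msdcs.{DOMAIN}": [srv(3268)],
}

# The failure mode the article describes: the DC still points at a non-dynamic
# DNS server, so only a hand-entered host record exists and no SRV records at all.
STATIC_ONLY_ZONE = {DC: [("A", "10.0.0.10")]}

# Partial registration (constructed): two SRV records exist, but the host record
# is absent and the PDC/GC records never appeared.
PARTIAL_ZONE = {
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [srv(389)],
    f"_kerberos._tcp.dc._msdcs.{DOMAIN}": [srv(88)],
}


if __name__ == "__main__":
    for label, zone in (("healthy", HEALTHY_ZONE), ("static-only", STATIC_ONLY_ZONE),
                        ("partial", PARTIAL_ZONE)):
        print(label, check_ad_dns(zone, DOMAIN) or ["ok"])
```

Feeding it a real zone means exporting the records from your DNS server into the same name-to-records shape; the checker itself never touches the network.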

What is DDNS?
So how do these (numerous) entries find their way into the DNS database? The typical answer so
far was: a system administrator has manually entered them. If you have a look at the
number of entries that Active Directory depends on - and their change rate - that is not a really
practical answer. Especially if you take a look at all the clients (e.g. Windows 2000 Professional or
Windows XP Professional) that of course need to be registered in DNS, too.
Clearly, a solution needs to be found to do it automatically. Fortunately, there is DDNS, the
"dynamic" DNS. That standard enables systems to automatically enter their DNS records into the
server's database themselves. For example, a newly installed Windows 2000/2003 server
registers its IP addresses into DDNS as well as the SRV records for any services running on it.
Manual entries need not be made.
Sounds like a perfect solution? Well, what in this world is perfect... First of all, the number of
DNS servers supporting DDNS is limited (especially the number of those working well...).
Secondly, and that is even harder, DDNS has a number of security weaknesses. So you are
typically limited in your options and will carefully evaluate whether you would like to have DDNS
running as your Internet (external) DNS server.
But beware - DDNS is really a life-saver in the Active Directory context and its problems can be
worked around. Practically, we recommend using the Windows 2000 DDNS server instead of
any third party product. Fortunately that server can neatly be integrated into existing DNS
infrastructures. Just ensure that Windows 2000, XP, 2003 or other Active Directory systems only
use DDNS servers. Theoretically, you can also use a non-dynamic DNS server (the ones with
the manual database entries). But we recommend this option only if you absolutely do not know
how to fill all of that spare time...

So what does this mean in Reality?


Active Directory's dependence on DDNS has some clear results: a Windows 2000 server without
Active Directory can be used with any DNS server without any problems. For example, you can
use your ISP's DNS server (as is often done). However, if on that very same machine Active
Directory is installed, you should point it to one of the Active Directory domain's DDNS servers.
Except, again, if you have lots of spare time...
Unfortunately, in many cases the previous DNS settings are preserved. This most often happens
during an upgrade from an NT 4 DC to Windows 2000. Because the previous DNS server does not
support DDNS, the upgraded Windows 2000 domain controller cannot register itself into it. If
that is the case, the Active Directory DC logs an error message to the Windows event log.
However, most users (and even most admins) either do not see that message or cannot interpret
it correctly (it is a bit cryptic if you don't know the exact specifics).
Once this DNS problem has persisted, the real trouble begins. Active Directory is unable to
function correctly due to missing DNS records and, as such, missing vital resources. Unfortunately,
Windows 2000 falls back to pre-Active Directory methods for e.g. authentication, so the system
works to a certain degree. However, all pure Active Directory functions fail, and the Windows event
log rapidly fills with more and more additional error messages. If you try to install an additional
AD DC in this situation, it will fail - once again with a very cryptic and hard to understand error
message. In fact, the error says that the domain does not exist - but the wizard itself displays the
domain to be present. Sounds like you would be puzzled? I bet you will!
Messages like that are a clear indication of an incorrectly configured DNS or missing entries. In
most cases, a missing DDNS is the root cause of all these errors. In the author's personal
experience, missing DDNS or otherwise misconfigured DNS is the number 1 trouble spot in
Active Directory installations.
To avoid this, follow our #1 rule for Active Directory: before installing your first Active
Directory server, a working DDNS needs to be installed. It's easy: add a Microsoft DNS
server to the first Windows 2000 server that is being installed. It's just a matter of minutes if you
follow the wizard. Most wizards will also automatically install the DNS server if you don't
oppose it. Once the DNS server is set up, the DNS zone for Active Directory needs to be created.
This is easily done with DNS manager (under "Forward Lookup Zones").
But having the DNS server and DNS zone in place is not sufficient: it needs to be used by your
systems! Once again, a mistake very often occurs here. Most people tend to use their provider's
DNS server, because that is what they did all the time. But this is not an option for Active
Directory! So you want to make sure you use your own (D)DNS server. Manually, this is done
via the network card's properties:

The screenshot shows a typical Active Directory server setup: that server is working as a DDNS
server as well and its preferred DNS server points to itself. So it will be able to register its DNS
records and query them successfully. By the way: all dialogs say "DNS" - read it as "DDNS" and
you will have less trouble.
In many scenarios, people have even tried this setup but then lost Internet name resolution - and
then switched back to their provider's DNS server. Don't let that fool you: the setup here is
correct. If you can't resolve Internet names after doing so, please read our related article on how
to fix that!
Important: if you install other Windows 2000/XP/2003 servers and workstations (Windows
Professional), make sure that these systems use your own DDNS server as well. Otherwise,
they won't see the vital Active Directory information and as such will not work properly.
Also, ensure that you apply "old style" DNS best practices. Specifically, have at least two DNS
servers available. If you operate a single server and that server fails (or is just rebooted), no DNS
resolution is available at all. During such periods, network operation is seriously affected. If you
have at least two servers, that won't happen to you. In case the first one fails, the client
automatically switches to the second one. So the screenshot above is not really an ideal
configuration - the alternate DNS server is missing.

Smooth Active Directory Installation


Once the DNS system has correctly been installed, Active Directory installation can be carried
out. Typically, this is now a painless process. If you still experience any unexpected error
messages, the server may not yet have registered all of its records into the DDNS. In this
case, open up a command prompt and type "ipconfig /registerdns". Then wait another 15 minutes
before continuing. It is also a good idea to check the event log for any errors.
Please note that for all actions described here no reboot is necessary. Microsoft has really
reached its goal of reducing the number of reboots in this area.
By the way: most of the things described in this article are done automatically when you run the
Active Directory wizards with default settings. However, many people see a need to modify
these settings. The most common trouble cause is Internet name resolution, which might not
work correctly when the wizards are run with the defaults. Please see our related article if you
experience any problems in that area.
Even if you run the wizards and accept default settings - checking to ensure the wizard
configured the system correctly does not harm. Instead it can be your life-saver...

Active Directory must be carefully designed!


I would like to drop one important reminder. I have written this article after seeing numerous
questions on Active Directory DNS issues. Active Directory is a great tool with enhanced
capabilities - but it is also very complex. If someone just wants to try it on a home PC - or a lab
machine - trial and error may work (but will also cause lots of frustration).
If Active Directory is to be set up in a corporate environment - no matter how small or how large
- trial and error is definitely not an option! Active Directory requires careful design. For a small
business it's an easy task to do so - as long as you exactly know what you are talking about. So if
in doubt, I recommend going out and asking someone who knows how to do it.

Reference: http://www.adiscon.com/common/en/articles/active-directory-and-dns.php
