Low Level
1. Features of windows2003
ACTIVE DIRECTORY
Easier Deployment and Management
ADMT version 2.0—migrates password from NT4 to 2000 to 20003 or
from 2000 to 2003
Domain Rename--- supports changing Domain Name System and/or NetBios name
Schema Redefine--- Allows deactivation of attributes and class
definitions in the Active directory schema
AD/AM--- Active directory in application mode is a new capability of
AD that addresses certain deployment scenarios related to directory
enabled applications
Group Policy Improvements----introduced GPMC tool to manage group policy
UI—Enhanced User Interface
Grater Security
Cross-forest Authentication
Cross-forest Authorization
Cross-certification Enhancements
IAS and Cross-forest authentication
Credential Manager
Software Restriction Policies
Improved Performance and Dependability
Easier logon for remote offices
Group Membership replication enhancements
Application Directory Partitions
Install Replica from media
Dependability Improvements--- updated Inter-Site Topology Generator
(ISTG) that scales better by supporting forests with a greater number
of sites than Windows 2000.
FILE AND PRINT SERVICES
Volume shadow copy service
NTFS journaling file system
EFS
Improved CHDSK Performance
Enhanced DFS and FRS
Shadow copy of shared folders
Enhanced folder redirection
Remote document sharing (WEBDAV)
IIS
Fault-tolerant process architecture----- The IIS 6.0 fault-tolerant
process architecture isolates Web sites and applications into
self-contained units called application pools
Health Monitoring---- IIS 6.0 periodically checks the status of an
application pool with automatic restart on failure of the Web sites
and applications within that application pool, increasing application
availability. IIS 6.0 protects the server, and other applications, by
automatically disabling Web sites and applications that fail too often
within a short amount of time
Automatic Process Recycling--- IIS 6.0 automatically stops and
restarts faulty Web sites and applications based on a flexible set of
criteria, including CPU utilization and memory consumption, while
queuing requests
---- If an application fails too often within a
short amount of time, IIS 6.0 will automatically disable it and return
a "503 Service Unavailable" error message to any new or queued
requests to the application
Edit-While-Running
http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/default.mspx
2. Difference between NT & 2000
NT SAM database is a flat database. Where as in windows 2000 active
directory database is a hierarchical database.
In windows NT only PDC is having writable copy of SAM database but the
BDC is only read only database. In case of Windows 2000 both DC and
ADC is having write copy of the database
Windows NT will not support FAT32 file system. Windows 2000 supports FAT32
Default authentication protocol in NT is NTLM (NT LAN manager). In
windows 2000 default authentication protocol is Kerberos V5.
Windows 2000 depends and Integrated with DNS. NT user Netbios names
Active Directory can be backed up easily with System state data
3. Difference between 2000 & 2003
Application Server mode is introduced in windows 2003
Possible to configure stub zones in windows 2003 DNS
Volume shadow copy services is introduced
Windows 2003 gives an option to replicate DNS data b/w all DNS servers
in forest or All DNS servers in the domain.
Refer Question 1 for all Enhancements
4. Difference between PDC & BDC
PDC contains a write copy of SAM database where as BDC contains read
only copy of SAM database. It is not possible to reset a password or
create objects with out PDC in Windows NT.
5. Difference between DC & ADC
There is no difference between in DC and ADC both contains write copy
of AD. Both can also handles FSMO roles (If transfers from DC to ADC).
It is just for identification. Functionality wise there is no
difference.
6. What is DNS & WINS
DNS is a Domain Naming System, which resolves Host names to IP
addresses. It uses fully qualified domain names. DNS is a Internet
standard used to resolve host names
WINS is a Windows Internet Name Service, which resolves Netbios names
to IP Address. This is proprietary for Windows
7. Types of DNS Servers
Primary DNS
Secondary DNS
Active Directory Integrated DNS
Forwarder
Caching only DNS
8. If DHCP is not available what happens to the client
Client will not get IP and it cannot be participated in network . If
client already got the IP and having lease duration it use the IP till
the lease duration expires.
9. what are the different types of trust relationships
Implicit Trusts
Explicit Trusts—NT to Win2k or Forest to Forest
10. what is the process of DHCP for getting the IP address to the client
There is a four way negotiation process b/w client and server
DHCP Discover (Initiated by client)
DHCP Offer (Initiated by server)
DHCP Select (Initiated by client)
DHCP Acknowledgement (Initiated by Server)
DHCP Negative Acknowledgement (Initiated by server if any issues after
DHCP offer)
11. Difference between FAT,NTFS & NTFSVersion5
NTFS Version 5 features
Encryption is possible
We can enable Disk Quotas
File compression is possible
Sparse files
Indexing Service
NTFS change journal
In FAT file system we can apply only share level security. File level
protection is not possible. In NTFS we can apply both share level as
well as file level security
NTFS supports large partition sizes than FAT file systems
NTFS supports long file names than FAT file systems
12. What are the port numbers for FTP, Telnet, HTTP, DNS
FTP-21, Telnet – 23, HTTP-80, DNS-53, Kerberos-88, LDAP-389
13. what are the different types of profiles in 2000
Local Profiles
Roaming profiles
Mandatory Profiles
14. what is the database files used for Active Directory
The key AD database files—edb.log, ntds.dit, res1.log, res2.log, and
edb.chk—all of which reside in \%systemroot%\ntds on a domain
controller (DC) by default. During AD installation, Dcpromo lets you
specify alternative locations for these log files and database files
NTDS.DIT
15. What is the location of AD Database
%System root%/NTDS/NTDS>DIT
16. What is the authentication protocol used in NT
NTLM (NT LAN Manager)
17. What is subnetting and supernetting
Subnetting is the process of borrowing bits from the host portion of
an address to provide bits for identifying additional sub-networks
Supernetting merges several smaller blocks of IP addresses (networks)
that are continuous into one larger block of addresses. Borrowing
network bits to combine several smaller networks into one larger
network does supernetting
18. what is the use of terminal services
Terminal services can be used as Remote Administration mode to
administer remotely as well as Application Server Mode to run the
application in one server and users can login to that server to user
that application.
19. what is the protocol used for terminal services
RDP
20. what is the port number for RDP
3389
Medium Level
1. what is the difference between Authorized DHCP and Non Authorized DHCP
To avoid problems in the network causing by mis-configured DHCP
servers, server in windows 2000 must be validate by AD before starting
service to clients. If an authorized DHCP finds any DHCP server in the
network it stop serving the clients
2. Difference between inter-site and intra-site replication. Protocols
using for replication.
Intra-site replication can be done between the domain controllers in
the same site. Inter-site replication can be done between two
different sites over WAN links
BHS (Bridge Head Servers) is responsible for initiating replication
between the sites. Inter-site replication can be done B/w BHS in one
site and BHS in another site.
We can use RPC over IP or SMTP as a replication protocols where as
Domain partition is not possible to replicate using SMTP
3. How to monitor replication
We can use Replmon tool from support tools
4. Brief explanation of RAID Levels
Microsoft Windows XP, Windows 2000 and Windows Server 2003 offer two
types of disk storage: basic and dynamic.
Basic Disk Storage
Basic storage uses normal partition tables supported by MS-DOS,
Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows
Millennium Edition (Me), Microsoft Windows NT, Microsoft Windows 2000,
Windows Server 2003 and Windows XP. A disk initialized for basic
storage is called a basic disk. A basic disk contains basic volumes,
such as primary partitions, extended partitions, and logical drives.
Additionally, basic volumes include multidisk volumes that are created
by using Windows NT 4.0 or earlier, such as volume sets, stripe sets,
mirror sets, and stripe sets with parity. Windows XP does not support
these multidisk basic volumes. Any volume sets, stripe sets, mirror
sets, or stripe sets with parity must be backed up and deleted or
converted to dynamic disks before you install Windows XP Professional.
Dynamic Disk Storage
Dynamic storage is supported in Windows XP Professional, Windows 2000
and Windows Server 2003. A disk initialized for dynamic storage is
called a dynamic disk. A dynamic disk contains dynamic volumes, such
as simple volumes, spanned volumes, striped volumes, mirrored volumes,
and RAID-5 volumes. With dynamic storage, you can perform disk and
volume management without the need to restart Windows.
Note: Dynamic disks are not supported on portable computers or on
Windows XP Home Edition-based computers.
You cannot create mirrored volumes or RAID-5 volumes on Windows XP
Home Edition, Windows XP Professional, or Windows XP 64-Bit
Edition-based computers. However, you can use a Windows XP
Professional-based computer to create a mirrored or RAID-5 volume on
remote computers that are running Windows 2000 Server, Windows 2000
Advanced Server, or Windows 2000 Datacenter Server, or the Standard,
Enterprise and Data Center versions of Windows Server 2003.
Storage types are separate from the file system type. A basic or
dynamic disk can contain any combination of FAT16, FAT32, or NTFS
partitions or volumes.
A disk system can contain any combination of storage types. However,
all volumes on the same disk must use the same storage type.
To convert a Basic Disk to a Dynamic Disk:
Use the Disk Management snap-in in Windows XP/2000/2003 to convert a
basic disk to a dynamic disk. To do this, follow these steps:
1. Log on as Administrator or as a member of the Administrators group.
2. Click Start, and then click Control Panel.
3. Click Performance and Maintenance, click Administrative Tools, and
then double-click Computer Management. You can also right-click My
Computer and choose Manage if you have My Computer displayed on your
desktop.
4. In the left pane, click Disk Management.
5. In the lower-right pane, right-click the basic disk that you want
to convert, and then click Convert to Dynamic Disk. You must
right-click the gray area that contains the disk title on the left
side of the Details pane.
6. Select the check box that is next to the disk that you want to
convert (if it is not already selected), and then click OK.
7. Click Details if you want to view the list of volumes in the disk.
Click Convert.
8. Click Yes when you are prompted to convert the disk, and then click OK.
Warning: After you convert a basic disk to a dynamic disk, local
access to the dynamic disk is limited to Windows XP Professional,
Windows 2000 and Windows Server 2003. Additionally, after you convert
a basic disk to a dynamic disk, the dynamic volumes cannot be changed
back to partitions. You must first delete all dynamic volumes on the
disk and then convert the dynamic disk back to a basic disk. If you
want to keep your data, you must first back up the data or move it to
another volume.
Dynamic Storage Terms
A volume is a storage unit made from free space on one or more disks.
It can be formatted with a file system and assigned a drive letter.
Volumes on dynamic disks can have any of the following layouts:
simple, spanned, mirrored, striped, or RAID-5.
A simple volume uses free space from a single disk. It can be a single
region on a disk or consist of multiple, concatenated regions. A
simple volume can be extended within the same disk or onto additional
disks. If a simple volume is extended across multiple disks, it
becomes a spanned volume.
A spanned volume is created from free disk space that is linked
together from multiple disks. You can extend a spanned volume onto a
maximum of 32 disks. A spanned volume cannot be mirrored and is not
fault-tolerant.
A striped volume is a volume whose data is interleaved across two or
more physical disks. The data on this type of volume is allocated
alternately and evenly to each of the physical disks. A striped volume
cannot be mirrored or extended and is not fault-tolerant. Striping is
also known as RAID-0.
A mirrored volume is a fault-tolerant volume whose data is duplicated
on two physical disks. All of the data on one volume is copied to
another disk to provide data redundancy. If one of the disks fails,
the data can still be accessed from the remaining disk. A mirrored
volume cannot be extended. Mirroring is also known as RAID-1.
A RAID-5 volume is a fault-tolerant volume whose data is striped
across an array of three or more disks. Parity (a calculated value
that can be used to reconstruct data after a failure) is also striped
across the disk array. If a physical disk fails, the portion of the
RAID-5 volume that was on that failed disk can be re-created from the
remaining data and the parity. A RAID-5 volume cannot be mirrored or
extended.
The system volume contains the hardware-specific files that are needed
to load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The
system volume can be, but does not have to be, the same as the boot
volume.
The boot volume contains the Windows operating system files that are
located in the %Systemroot% and %Systemroot%\System32 folders. The
boot volume can be, but does not have to be, the same as the system
volume.
RAID 0 – Striping
RAID 1- Mirroring (minimum 2 HDD required)
RAID 5 – Striping With Parity (Minimum 3 HDD required)
RAID levels 1 and 5 only gives redundancy
5. What are the different backup strategies are available
Normal Backup
Incremental Backup
Differential Backup
Daily Backup
Copy Backup
6. What is a global catalog
Global catalog is a role, which maintains Indexes about objects. It
contains full information of the objects in its own domain and partial
information of the objects in other domains. Universal Group
membership information will be stored in global catalog servers and
replicate to all GC’s in the forest.
7. What is Active Directory and what is the use of it
Active directory is a directory service, which maintains the relation
ship between resources and enabling them to work together. Because of
AD hierarchal structure windows 2000 is more scalable, reliable.
Active directory is derived from X.500 standards where information is
stored is hierarchal tree like structure. Active directory depends on
two Internet standards one is DNS and other is LDAP. Information in
Active directory can be queried by using LDAP protocol
8. what is the physical and logical structure of AD
Active directory physical structure is a hierarchal structure which
fallows Forests—Trees—Domains—Child Domains—Grand Child—etc
Active directory is logically divided into 3 partitions
1.Configuration partition 2. Schema Partition 3. Domain partition 4.
Application Partition (only in windows 2003 not available in windows
2000)
Out of these Configuration, Schema partitions can be replicated
between the domain controllers in the in the entire forest. Where as
Domain partition can be replicated between the domain controllers in
the same domain
9. What is the process of user authentication (Kerberos V5) in windows 2000
After giving logon credentials an encryption key will be generated
which is used to encrypt the time stamp of the client machine. User
name and encrypted timestamp information will be provided to domain
controller for authentication. Then Domain controller based on the
password information stored in AD for that user it decrypts the
encrypted time stamp information. If produces time stamp matches to
its time stamp. It will provide logon session key and Ticket granting
ticket to client in an encryption format. Again client decrypts and if
produced time stamp information is matching then it will use logon
session key to logon to the domain. Ticket granting ticket will be
used to generate service granting ticket when accessing network
resources
10. what are the port numbers for Kerberos, LDAP and Global catalog
Kerberos – 88, LDAP – 389, Global Catalog – 3268
11. what is the use of LDAP (X.500 standard?)
LDAP is a directory access protocol, which is used to exchange
directory information from server to clients or from server to servers
12. what are the problems that are generally come across DHCP
Scope is full with IP addresses no IP’s available for new machines
If scope options are not configured properly eg default gateway
Incorrect creation of scopes etc
13. what is the role responsible for time synchronization
PDC Emulator is responsible for time synchronization. Time
synchronization is important because Kerberos authentication depends
on time stamp information
14. what is TTL & how to set TTL time in DNS
TTL is Time to Live setting used for the amount of time that the
record should remain in cache when name resolution happened.
We can set TTL in SOA (start of authority record) of DNS
15. How to take DNS and WINS,DHCP backup
%System root%/system32/dns
%System root%/system32/WINS
%System root%/system32/DHCP
16. What is recovery console
Recovery console is a utility used to recover the system when it is
not booting properly or not at all booting. We can perform following
operations from recovery console
We can copy, rename, or replace operating system files and folders
Enable or disable service or device startup the next time that start computer
Repair the file system boot sector or the Master Boot Record
Create and format partitions on drives
17. what is DFS & its usage
DFS is a distributed file system used to provide common environment
for users to access files and folders even when they are shared in
different servers physically.
There are two types of DFS domain DFS and Stand alone DFS. We cannot
provide redundancy for stand alone DFS in case of failure. Domain DFS
is used in a domain environment which can be accessed by /domain
name/root1 (root 1 is DFS root name). Stand alone DFS can be used in
workgroup environment which can be accessed through /server name/root1
(root 1 is DFS root name). Both the cases we need to create DFS root (
Which appears like a shared folder for end users) and DFS links ( A
logical link which is pointing to the server where the folder is
physically shared)
The maximum number of Dfs roots per server is 1.
The maximum numbers of Dfs root replicas are 31.
The maximum number of Dfs roots per domain is unlimited.
The maximum number of Dfs links or shared folders in a Dfs root is 1,000
18. what is RIS and what are its requirements
RIS is a remote installation service, which is used to install
operation system remotely.
Client requirements
PXE DHCP-based boot ROM version 1.00 or later NIC, or a network
adapter that is supported by the RIS boot disk.
Should meet minimum operating system requirements
Software Requirements
Below network services must be active on RIS server or any server in the network
Domain Name System (DNS Service)
Dynamic Host Configuration Protocol (DHCP)
Active directory “Directory” service
19. How many root replicas can be created in DFS
31
20. What is the difference between Domain DFS and Standalone DFS
Refer question 17.
High Level
1. Can we establish trust relationship between two forests
In Windows 2000 it is not possible. In Windows 2003 it is possible
2. What is FSMO Roles
Flexible single master operation (FSMO) roles are
Domain Naming Master
Schema Master
PDC Emulator
Infrastructure Master
RID Master
3. Brief all the FSMO Roles
Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active Directory,
provides the flexibility of allowing changes to occur at any DC in the
enterprise, but it also introduces the possibility of conflicts that
can potentially lead to problems once the data is replicated to the
rest of the enterprise. One way Windows 2000/2003 deals with
conflicting updates is by having a conflict resolution algorithm
handle discrepancies in values by resolving to the DC to which changes
were written last (that is, "the last writer wins"), while discarding
the changes in all other DCs. Although this resolution method may be
acceptable in some cases, there are times when conflicts are just too
difficult to resolve using the "last writer wins" approach. In such
cases, it is best to prevent the conflict from occurring rather than
to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods
to prevent conflicting Active Directory updates from occurring.
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active
Directory performs updates to certain objects in a single-master
fashion.
In a single-master model, only one DC in the entire directory is
allowed to process updates. This is similar to the role given to a
primary domain controller (PDC) in earlier versions of Windows (such
as Microsoft Windows NT 4.0), in which the PDC is responsible for
processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or
more domain controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and
modifications to the schema. Once the Schema update is complete, it is
replicated from the schema master to all other DCs in the directory.
To update the schema of a forest, you must have access to the schema
master. There can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or
removal of domains in the forest. This DC is the only one that can add
or remove a domain from the directory. It can also add or remove cross
references to domains in external directories. There can be only one
domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in
another domain, it represents the reference by the GUID, the SID (for
references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible
for updating an object's SID and distinguished name in a cross-domain
object reference. At any one time, there can be only one domain
controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain
controller that is not a Global Catalog server (GC). If the
Infrastructure Master runs on a Global Catalog server it will stop
updating object information because it does not contain any references
to objects that it does not hold. This is because a Global Catalog
server holds a partial replica of every object in the forest. As a
result, cross-domain object references in that domain will not be
updated and a warning to that effect will be logged on that DC's event
log. If all the domain controllers in a domain also host the global
catalog, all the domain controllers have the current data, and it is
not important which domain controller holds the infrastructure master
role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from
all domain controllers in a particular domain. When a DC creates a
security principal object such as a user or group, it attaches a
unique Security ID (SID) to the object. This SID consists of a domain
SID (the same for all SIDs created in a domain), and a relative ID
(RID) that is unique for each security principal SID created in a
domain. Each DC in a domain is allocated a pool of RIDs that it is
allowed to assign to the security principals it creates. When a DC's
allocated RID pool falls below a threshold, that DC issues a request
for additional RIDs to the domain's RID master. The domain RID master
responds to the request by retrieving RIDs from the domain's
unallocated RID pool and assigns them to the pool of the requesting
C. At any one time, there can be only one domain controller acting as
the RID master in the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise.
Windows 2000/2003 includes the W32Time (Windows Time) time service
that is required by the Kerberos authentication protocol. All Windows
2000/2003-based computers within an enterprise use a common time. The
purpose of the time service is to ensure that the Windows Time service
uses a hierarchical relationship that controls authority and does not
permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC
emulator at the root of the forest becomes authoritative for the
enterprise, and should be configured to gather the time from an
external source. All PDC FSMO role holders follow the hierarchy of
domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains
the following functions:
Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because
of an incorrect password are forwarded to the PDC emulator before a
bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from
the GPO copy found in the PDC Emulator's SYSVOL share, unless
configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft
Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT
4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all
workstations, member servers, and domain controllers that are running
Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The
PDC emulator still performs the other functions as described in a
Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the
PDC emulator master in each domain in the forest.
4. How to manually configure FSMO Roles to separate DC’s
How can I determine who are the current FSMO Roles holders in my domain/forest?
Windows 2000/2003 Active Directory domains utilize a Single Operation
Master method called FSMO (Flexible Single Master Operation), as
described in Understanding FSMO Roles in Active Directory.
The five FSMO roles are:
• Schema master - Forest-wide and one per forest.
• Domain naming master - Forest-wide and one per forest.
• RID master - Domain-specific and one for each domain.
• PDC - PDC Emulator is domain-specific and one for each domain.
• Infrastructure master - Domain-specific and one for each domain.
In most cases an administrator can keep the FSMO role holders (all 5
of them) in the same spot (or actually, on the same DC) as has been
configured by the Active Directory installation process. However,
there are scenarios where an administrator would want to move one or
more of the FSMO roles from the default holder DC to a different DC.
The transferring method is described in the Transferring FSMO Roles
article, while seizing the roles from a non-operational DC to a
different DC is described in the Seizing FSMO Roles article.
In order to better understand your AD infrastructure and to know the
added value that each DC might possess, an AD administrator must have
the exact knowledge of which one of the existing DCs is holding a FSMO
role, and what role it holds. With that knowledge in hand, the
administrator can make better arrangements in case of a scheduled
shut-down of any given DC, and better prepare him or herself in case
of a non-scheduled cease of operation from one of the DCs.
How to find out which DC is holding which FSMO role? Well, one can
accomplish this task by many means. This article will list a few of
the available methods.
Method #1: Know the default settings
The FSMO roles were assigned to one or more DCs during the DCPROMO
process. The following table summarizes the FSMO default locations:
FSMO Role Number of DCs holding this role Original DC holding the FSMO role
Schema One per forest The first DC in the first domain in the forest
(i.e. the Forest Root Domain)
Domain Naming One per forest
RID One per domain The first DC in a domain (any domain, including the
Forest Root Domain, any Tree Root Domain, or any Child Domain)
PDC Emulator One per domain
Infrastructure One per domain
Method #2: Use the GUI
The FSMO role holders can be easily found by use of some of the AD
snap-ins. Use this table to see which tool can be used for what FSMO
role:
FSMO Role Which snap-in should I use?
Schema Schema snap-in
Domain Naming AD Domains and Trusts snap-in
RID AD Users and Computers snap-in
PDC Emulator
Infrastructure
Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the Domain-Specific RID Master, PDC
Emulator, and Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the
Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon again and
press Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click Close.
Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the
Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and
press Operation Masters.
3. When you're done click Close.
Finding the Schema Master via GUI
To find out who currently holds the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click
it and press Operation Masters.
8. Press the Close button.
Method #3: Use the Ntdsutil command
The FSMO role holders can be easily found by use of the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial
or complete loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in
the Open box, and then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the
Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name
of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. At the FSMO maintenance: prompt, type Select operation target, and
then press ENTER again.
At the select operation target: prompt, type List roles for connected
server, and then press ENTER again.
select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS
Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
onfiguration,DC=dpetri,DC=net
Domain - CN=NTDS
Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
onfiguration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
iguration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Conf
iguration,DC=dpetri,DC=net
Infrastructure - CN=NTDS
Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=dpetri,DC=net
select operation target:
8. Type q 3 times to exit the Ntdsutil prompt.
Note: You can download THIS nice batch file that will do all this for you (1kb).
Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in
the Windows 2000 Resource Kit (and can be downloaded here: Download
Free Windows 2000 Resource Kit Tools). This tool is basically a
one-click Ntdsutil script that performs the same operation described
above.
Method #4: Use the Netdom command
The FSMO role holders can be easily found by use of the Netdom command.
Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You
must either download it separately (from here Download Free Windows
2000 Resource Kit Tools) or by obtaining the correct Support Tools
pack for your operating system. The Support Tools pack can be found in
the \Support\Tools folder on your installation CD (or you can Download
Windows 2000 SP4 Support Tools, Download Windows XP SP1 Deploy Tools).
1. On any domain controller, click Start, click Run, type CMD in the
Open box, and then click OK.
2. In the Command Prompt window, type netdom query /domain:<domain>
fsmo (where <domain> is the name of YOUR domain).
Close the CMD window.
Note: You can download THIS nice batch file that will do all this for you (1kb).
Method #5: Use the Replmon tool
The FSMO role holders can be easily found by use of the Netdom command.
Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003
Support Tools. Replmon can be used for a wide verity of tasks, mostly
with those that are related with AD replication. But Replmon can also
provide valuable information about the AD, about any DC, and also
about other objects and settings, such as GPOs and FSMO roles. Install
the package before attempting to use the tool.
1. On any domain controller, click Start, click Run, type REPLMON in
the Open box, and then click OK.
2. Right-click Monitored servers and select Add Monitored Server.
3. In the Add Server to Monitor window, select the Search the
Directory for the server to add. Make sure your AD domain name is
listed in the drop-down list.
4. In the site list select your site, expand it, and click to select
the server you want to query. Click Finish.
5. Right-click the server that is now listed in the left-pane, and
select Properties.
6. Click on the FSMO Roles tab and read the results.
7. Click Ok when you're done.
How can I forcibly transfer (seize) some or all of the FSMO Roles from
one DC to another?
Windows 2000/2003 Active Directory domains utilize a Single Operation
Master method called FSMO (Flexible Single Master Operation), as
described in Understanding FSMO Roles in Active Directory.
The five FSMO roles are:
• Schema master - Forest-wide and one per forest.
• Domain naming master - Forest-wide and one per forest.
• RID master - Domain-specific and one for each domain.
• PDC - PDC Emulator is domain-specific and one for each domain.
• Infrastructure master - Domain-specific and one for each domain.
In most cases an administrator can keep the FSMO role holders (all 5
of them) in the same spot (or actually, on the same DC) as has been
configured by the Active Directory installation process. However,
there are scenarios where an administrator would want to move one or
more of the FSMO roles from the default holder DC to a different DC.
Moving the FSMO roles while both the original FSMO role holder and the
future FSMO role holder are online and operational is called
Transferring, and is described in the Transferring FSMO Roles article.
However, when the original FSMO role holder went offline or became non
operational for a long period of time, the administrator might
consider moving the FSMO role from the original, non-operational
holder, to a different DC. The process of moving the FSMO role from a
non-operational role holder to a different DC is called Seizing, and
is described in this article.
If a DC holding a FSMO role fails, the best thing to do is to try and
get the server online again. Since none of the FSMO roles are
immediately critical (well, almost none, the loss of the PDC Emulator
FSMO role might become a problem unless you fix it in a reasonable
amount of time), so it is not a problem to them to be unavailable for
hours or even days.
If a DC becomes unreliable, try to get it back on line, and transfer
the FSMO roles to a reliable computer. Administrators should use
extreme caution in seizing FSMO roles. This operation, in most cases,
should be performed only if the original FSMO role owner will not be
brought back into the environment. Only seize a FSMO role if
absolutely necessary when the original role holder is not connected to
the network.
What will happen if you do not perform the seize in time? This table
has the info:
FSMO Role Loss implications
Schema The schema cannot be extended. However, in the short term no
one will notice a missing Schema Master unless you plan a schema
upgrade during that time.
Domain Naming Unless you are going to run DCPROMO, then you will not
miss this FSMO role.
RID Chances are good that the existing DCs will have enough unused
RIDs to last some time, unless you're building hundreds of users or
computer object per week.
PDC Emulator Will be missed soon. NT 4.0 BDCs will not be able to
replicate, there will be no time synchronization in the domain, you
will probably not be able to change or troubleshoot group policies and
password changes will become a problem.
Infrastructure Group memberships may be incomplete. If you only have
one domain, then there will be no impact.
Important: If the RID, Schema, or Domain Naming FSMOs are seized, then
the original domain controller must not be activated in the forest
again. It is necessary to reinstall Windows if these servers are to be
used again.
The following table summarizes the FSMO seizing restrictions:
FSMO Role Restrictions
Schema Original must be reinstalled
Domain Naming
RID
PDC Emulator Can transfer back to original
Infrastructure
Another consideration before performing the seize operation is the
administrator's group membership, as this table lists:
FSMO Role Administrator must be a member of
Schema Schema Admins
Domain Naming Enterprise Admins
RID Domain Admins
PDC Emulator
Infrastructure
To seize the FSMO roles by using Ntdsutil, follow these steps:
Caution: Using the Ntdsutil utility incorrectly may result in partial
or complete loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in
the Open box, and then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the
Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name
of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize <role>, where <role> is the role you want to seize. For
example, to seize the RID Master role, you would type seize rid
master:
Options are:
7. You will receive a warning window asking if you want to perform the
seize. Click on Yes.
fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300,
problem 5002 (UNAVAILABLE)
, data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed.
The current FSMO holde
r could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS
Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS
Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS
Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:
Note: All five roles need to be in the forest. If the first domain
controller is out of the forest then seize all roles. Determine which
roles are to be on which remaining domain controllers so that all five
roles are not on only one server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER
until you quit the Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same
domain controller as the Global Catalog server. If the Infrastructure
Master runs on a GC server it will stop updating object information
because it does not contain any references to objects that it does not
hold. This is because a GC server holds a partial replica of every
object in the forest.
5. What is the difference between authoritative and non-authoritative restore
In authoritative restore, Objects that are restored will be replicated
to all domain controllers in the domain. This can be used specifically
when the entire OU is disturbed in all domain controllers or
specifically restore a single object, which is disturbed in all DC’s
In non-authoritative restore, Restored directory information will be
updated by other domain controllers based on the latest modification
time.
6. what is Active Directory De-fragmentation
De-fragmentation of AD means separating used space and empty space
created by deleted objects and reduces directory size (only in offline
De-fragmentation)
7. Difference between online and offline de-fragmentation
The size of NTDS.DIT will often be different sizes across the domain
controllers in a domain. Remember that Active Directory is a
multi-master independent model where updates are occurring in each of
the domain controllers with the changes being replicated over time to
the other domain controllers.
The changed data is replicated between domain controllers, not the
database, so there is no guarantee that the files are going to be the
same size across all domain controllers.
Windows 2000 and Windows Server 2003 servers running Directory
Services (DS) perform a directory online defragmentation every 12
hours by default as part of the garbage-collection process. This
defragmentation only moves data around the database file (NTDS.DIT)
and doesn’t reduce the file’s size - the database file cannot be
compacted while Active Directory is mounted.
Active Directory routinely performs online database defragmentation,
but this is limited to the disposal of tombstoned objects. The
database file cannot be compacted while Active Directory is mounted
(or online).
An NTDS.DIT file that has been defragmented offline (compacted), can
be much smaller than the NTDS.DIT file on its peers.
However, defragmenting the NTDS.DIT file isn’t something you should
really need to do. Normally, the database self-tunes and automatically
tombstoning the records then sweeping them away when the tombstone
lifetime has passed to make that space available for additional
records.
Defragging the NTDS.DIT file probably won’t help your AD queries go
any faster in the long run.
So why defrag it in the first place?
One reason you might want to defrag your NTDS.DIT file is to save
space, for example if you deleted a large number of records at one
time.
To create a new, smaller NTDS.DIT file and to enable offline
defragmentation, perform the following steps:
Back up Active Directory (AD).
Reboot the server, select the OS option, and press F8 for advanced options.
Select the Directory Services Restore Mode option, and press Enter. Press
Enter again to start the OS.
W2K will start in safe mode, with no DS running.
Use the local SAM’s administrator account and password to log on.
You’ll see a dialog box that says you’re in safe mode. Click OK.
From the Start menu, select Run and type cmd.exe
In the command window, you’ll see the following text. (Enter the
commands in bold.)
C:\> ntdsutil
ntdsutil: files
file maintenance:info
....
file maintenance:compact to c:\temp
You’ll see the defragmentation process. If the process was successful,
enter quit to return to the command prompt.
Then, replace the old NTDS.DIT file with the new, compressed version.
(Enter the commands in bold.)
C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
Restart the computer, and boot as normal.
8. What is tombstone period
Tombstones are nothing but objects marked for deletion. After deleting
an object in AD the objects will not be deleted permanently. It will
be remain 60 days by default (which can be configurable) it adds an
entry as marked for deletion on the object and replicates to all DC’s.
After 60 days object will be deleted permanently from all Dc’s.
9. what is white space and Garbage collection
refer question 7
10. what are the monitoring tools used for Server and Network Heath.
How to define alert mechanism
Spot Light , SNMP Need to enable .
11. How to deploy the patches and what are the softwares used for this process
Using SUS (Software update services) server we can deploy patches to
all clients in the network. We need to configure an option called
“Synchronize with Microsoft software update server” option and
schedule time to synchronize in server. We need to approve new update
based on the requirement. Then approved update will be deployed to
clients
We can configure clients by changing the registry manually or through
Group policy by adding WUAU administrative template in group policy
12. What is Clustering. Briefly define & explain it
Clustering is a technology, which is used to provide High Availability
for mission critical applications. We can configure cluster by
installing MCS (Microsoft cluster service) component from Add remove
programs, which can only available in Enterprise Edition and Data
center edition.
In Windows we can configure two types of clusters
NLB (network load balancing) cluster for balancing load between
servers. This cluster will not provide any high availability. Usually
preferable at edge servers like web or proxy.
Server Cluster: This provides High availability by configuring
active-active or active-passive cluster. In 2 node active-passive
cluster one node will be active and one node will be stand by. When
active server fails the application will FAILOVER to stand by server
automatically. When the original server backs we need to FAILBACK the
application
Quorum: A shared storage need to provide for all servers which keeps
information about clustered application and session state and is
useful in FAILOVER situation. This is very important if Quorum disk
fails entire cluster will fails
Heartbeat: Heartbeat is a private connectivity between the servers in
the cluster, which is used to identify the status of other servers in
cluster.
13. How to configure SNMP
SNMP can be configured by installing SNMP from Monitoring and
Management tools from Add and Remove programs.
For SNMP programs to communicate we need to configure common community
name for those machines where SNMP programs (eg DELL OPEN MANAGER)
running. This can be configured from services.msc--- SNMP service --
Security
14. Is it possible to rename the Domain name & how?
In Windows 2000 it is not possible. In windows 2003 it is possible. On
Domain controller by going to MYCOMPUTER properties we can change.
15. What is SOA Record
SOA is a Start Of Authority record, which is a first record in DNS,
which controls the startup behavior of DNS. We can configure TTL,
refresh, and retry intervals in this record.
16. What is a Stub zone and what is the use of it.
Stub zones are a new feature of DNS in Windows Server 2003 that can be
used to streamline name resolution, especially in a split namespace
scenario. They also help reduce the amount of DNS traffic on your
network, making DNS more efficient especially over slow WAN links.
17. What are the different types of partitions present in AD
Active directory is divided into three partitions
Configuration Partition—replicates entire forest
Schema Partition—replicates entire forest
Domain Partition—replicate only in domain
Application Partition (Only in Windows 2003)
18. What are the (two) services required for replication
File Replication Service (FRS)
Knowledge Consistency Checker (KCC)
19. Can we use a Linux DNS Sever in 2000 Domain
We can use, But the BIND version should be 8 or greater
20. What is the difference between IIS Version 5 and IIS Version 6
Refer Question 1
21. What is ASR (Automated System Recovery) and how to implement it
ASR is a two-part system; it includes ASR backup and ASR restore. The
ASR Wizard, located in Backup, does the backup portion. The wizard
backs up the system state, system services, and all the disks that are
associated with the operating system components. ASR also creates a
file that contains information about the backup, the disk
configurations (including basic and dynamic volumes), and how to
perform a restore.
You can access the restore portion by pressing F2 when prompted in the
text-mode portion of setup. ASR reads the disk configurations from the
file that it creates. It restores all the disk signatures, volumes,
and partitions on (at a minimum) the disks that you need to start the
computer.
ASR will try to restore all the disk configurations, but
under some circumstances it might not be able to. ASR then installs a
simple installation of Windows and automatically starts a restoration
using the backup created by the ASR Wizard.
22. What are the different levels that we can apply Group Policy
We can apply group policy at SITE level---Domain Level---OU level
23. What is Domain Policy, Domain controller policy, Local policy and
Group policy
Domain Policy will apply to all computers in the domain, because by
default it will be associated with domain GPO, Where as Domain
controller policy will be applied only on domain controller. By
default domain controller security policy will be associated with
domain controller GPO. Local policy will be applied to that particular
machine only and effects to that computer only.
24. What is the use of SYSVOL folder
Policies and scripts saved in SYSVOL folder will be replicated to all
domain controllers in the domain. FRS (File replication service) is
responsible for replicating all policies and scripts
25. What is folder redirection?
Folder Redirection is a User group policy. Once you create the group
policy and link it to the appropriate folder object, an administrator
can designate which folders to redirect and where To do this, the
administrator needs to navigate to the following location in the Group
Policy Object:
User Configuration\Windows Settings\Folder Redirection
In the Properties of the folder, you can choose Basic or Advanced
folder redirection, and you can designate the server file system path
to which the folder should be redirected.
The %USERNAME% variable may be used as part of the redirection path,
thus allowing the system to dynamically create a newly redirected
folder for each user to whom the policy object applies.
26. What different modes in windows 2003 (Mixed, native & intrim….etc)
What are the domain and forest function levels in a Windows Server
2003-basedActive Directory?
Functional levels are an extension of the mixed/native mode concept
introduced in Windows 2000 to activate new Active Directory features
after all the domain controllers in the domain or forest are running
the Windows Server 2003 operating system.
When a computer that is running Windows Server 2003 is installed and
promoted to a domain controller, new Active Directory features are
activated by the Windows Server 2003 operating system over its Windows
2000 counterparts. Additional Active Directory features are available
when all domain controllers in a domain or forest are running Windows
Server 2003 and the administrator activates the corresponding
functional level in the domain or forest.
To activate the new domain features, all domain controllers in the
domain must be running Windows Server 2003. After this requirement is
met, the administrator can raise the domain functional level to
Windows Server 2003 (read Raise Domain Function Level in Windows
Server 2003 Domains for more info).
To activate new forest-wide features, all domain controllers in the
forest must be running Windows Server 2003, and the current forest
functional level must be at Windows 2000 native or Windows Server 2003
domain level. After this requirement is met, the administrator can
raise the domain functional level (read Raise Forest Function Level in
Windows Server 2003 Active Directory for more info).
Note: Network clients can authenticate or access resources in the
domain or forest without being affected by the Windows Server 2003
domain or forest functional levels. These levels only affect the way
that domain controllers interact with each other.
Important
Raising the domain and forest functional levels to Windows Server 2003
is a nonreversible task and prohibits the addition of Windows NT
4.0–based or Windows 2000–based domain controllers to the environment.
Any existing Windows NT 4.0 or Windows 2000–based domain controllers
in the environment will no longer function. Before raising functional
levels to take advantage of advanced Windows Server 2003 features,
ensure that you will never need to install domain controllers running
Windows NT 4.0 or Windows 2000 in your environment.
When the first Windows Server 2003–based domain controller is deployed
in a domain or forest, a set of default Active Directory features
becomes available. The following table summarizes the Active Directory
features that are available by default on any domain controller
running Windows Server 2003:
Feature Functionality
Multiple selection of user objects Allows you to modify common
attributes of multiple user objects at one time.
Drag and drop functionality Allows you to move Active Directory
objects from container to container by dragging one or more objects to
a location in the domain hierarchy. You can also add objects to group
membership lists by dragging one or more objects (including other
group objects) to the target group.
Efficient search capabilities Search functionality is object-oriented
and provides an efficient search that minimizes network traffic
associated with browsing objects.
Saved queries Allows you to save commonly used search parameters for
reuse in Active Directory Users and Computers
Active Directory command-line tools Allows you to run new directory
service commands for administration scenarios.
InetOrgPerson class The inetOrgPerson class has been added to the base
schema as a security principal and can be used in the same manner as
the user class.
Application directory partitions Allows you to configure the
replication scope for application-specific data among domain
controllers. For example, you can control the replication scope of
Domain Name System (DNS) zone data stored in Active Directory so that
only specific domain controllers in the forest participate in DNS zone
replication.
Ability to add additional domain controllers by using backup
media Reduces the time it takes to add an additional domain controller
in an existing domain by using backup media.
Universal group membership caching Prevents the need to locate a
global catalog across a wide area network (WAN) when logging on by
storing universal group membership information on an authenticating
domain controller.
Secure Lightweight Directory Access Protocol (LDAP) traffic Active
Directory administrative tools sign and encrypt all LDAP traffic by
default. Signing LDAP traffic guarantees that the packaged data comes
from a known source and that it has not been tampered with.
Partial synchronization of the global catalog Provides improved
replication of the global catalog when schema changes add attributes
to the global catalog partial attribute set. Only the new attributes
are replicated, not the entire global catalog.
Active Directory quotas Quotas can be specified in Active Directory to
control the number of objects a user, group, or computer can own in a
given directory partition. Members of the Domain Administrators and
Enterprise Administrators groups are exempt from quotas.
When the first Windows Server 2003–based domain controller is deployed
in a domain or forest, the domain or forest operates by default at the
lowest functional level that is possible in that environment. This
allows you to take advantage of the default Active Directory features
while running versions of Windows earlier than Windows Server 2003.
When you raise the functional level of a domain or forest, a set of
advanced features becomes available. For example, the Windows Server
2003 interim forest functional level supports more features than the
Windows 2000 forest functional level, but fewer features than the
Windows Server 2003 forest functional level supports. Windows Server
2003 is the highest functional level that is available for a domain or
forest. The Windows Server 2003 functional level supports the most
advanced Active Directory features; however, only Windows Server 2003
domain controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you
cannot introduce any domain controllers that are running versions of
Windows earlier than Windows Server 2003 into that domain. This
applies to the forest functional level as well.
Domain Functional Level
Domain functionality activates features that affect the whole domain
and that domain only. The four domain functional levels, their
corresponding features, and supported domain controllers are as
follows:
Windows 2000 mixed (Default)
• Supported domain controllers: Microsoft Windows NT 4.0, Windows
2000, Windows Server 2003
• Activated features: local and global groups, global catalog support
Windows 2000 native
• Supported domain controllers: Windows 2000, Windows Server 2003
• Activated features: group nesting, universal groups, SidHistory,
converting groups between security groups and distribution groups, you
can raise domain levels by increasing the forest level settings
Windows Server 2003 interim
• Supported domain controllers: Windows NT 4.0, Windows Server 2003
• Supported features: There are no domain-wide features activated at
this level. All domains in a forest are automatically raised to this
level when the forest level increases to interim. This mode is only
used when you upgrade domain controllers in Windows NT 4.0 domains to
Windows Server 2003 domain controllers.
Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Supported features: domain controller rename, logon timestamp
attribute updated and replicated. User password support on the
InetOrgPerson objectClass. Constrained delegation, you can redirect
the Users and Computers containers.
Domains that are upgraded from Windows NT 4.0 or created by the
promotion of a Windows Server 2003-based computer operate at the
Windows 2000 mixed functional level. Windows 2000 domains maintain
their current domain functional level when Windows 2000 domain
controllers are upgraded to the Windows Server 2003 operating system.
You can raise the domain functional level to either Windows 2000
native or Windows Server 2003.
After the domain functional level is raised, domain controllers that
are running earlier operating systems cannot be introduced into the
domain. For example, if you raise the domain functional level to
Windows Server 2003, domain controllers that are running Windows 2000
Server cannot be added to that domain.
The following describes the domain functional level and the
domain-wide features that are activated for that level. Note that with
each successive level increase, the feature set of the previous level
is included.
Forest Functional Level
Forest functionality activates features across all the domains in your
forest. Three forest functional levels, the corresponding features,
and their supported domain controllers are listed below.
Windows 2000 (default)
• Supported domain controllers: Windows NT 4.0, Windows 2000, Windows
Server 2003
• New features: Partial list includes universal group caching,
application partitions, install from media, quotas, rapid global
catalog demotion, Single Instance Store (SIS) for System Access
Control Lists (SACL) in the Jet Database Engine, Improved topology
generation event logging. No global catalog full sync when attributes
are added to the PAS Windows Server 2003 domain controller assumes the
Intersite Topology Generator (ISTG) role.
Windows Server 2003 interim
• Supported domain controllers: Windows NT 4.0, Windows Server 2003.
See the "Upgrade from a Windows NT 4.0 Domain" section of this
article.
• Activated features: Windows 2000 features plus Efficient Group
Member Replication using Linked Value Replication, Improved
Replication Topology Generation. ISTG Aliveness no longer replicated.
Attributes added to the global catalog. ms-DS-Trust-Forest-Trust-Info.
Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner,
Security-Identifier, ms-DS-Entry-Time-To-Die, Message
Queuing-Secured-Source, Message Queuing-Multicast-Address,
Print-Memory, Print-Rate, Print-Rate-Unit
Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Activated features: all features in Interim Level, Defunct schema
objects, Cross Forest Trust, Domain Rename, Dynamic auxiliary classes,
InetOrgPerson objectClass change, Application Groups, 15-second
intrasite replication frequency for Windows Server 2003 domain
controllers upgraded from Windows 2000
After the forest functional level is raised, domain controllers that
are running earlier operating systems cannot be introduced into the
forest. For example, if you raise forest functional levels to Windows
Server 2003, domain controllers that are running Windows NT 4.0 or
Windows 2000 Server cannot be added to the forest.
Different Active Directory features are available at different
functional levels. Raising domain and forest functional levels is
required to enable certain new features as domain controllers are
upgraded from Windows NT 4.0 and Windows 2000 to Windows Server 2003
Domain Functional Levels: Windows 2000 Mixed mode, Windows 2000 Native
mode, Windows server 2003 and Windows server 2003 interim ( Only
available when upgrades directly from Windows NT 4.0 to Windows 2003)
Forest Functional Levels: Windows 2000 and Windows 2003
27. Ipsec usage and difference window 2000 & 2003.
Microsoft doesn’t recommend Internet Protocol security (IPSec) network
address translation (NAT) traversal (NAT-T) for Windows deployments
that include VPN servers and that are located behind network address
translators. When a server is behind a network address translator, and
the server uses IPSec NAT-T, unintended side effects may occur because
of the way that network address translators translate network traffic
If you put a server behind a network address translator, you may
experience connection problems because clients that connect to the
server over the Internet require a public IP address. To reach servers
that are located behind network address translators from the Internet,
static mappings must be configured on the network address translator.
For example, to reach a Windows Server 2003-based computer that is
behind a network address translator from the Internet, configure the
network address translator with the following static network address
translator mappings:
• Public IP address/UDP port 500 to the server's private IP
address/UDP port 500.
• Public IP address/UDP port 4500 to the server's private IP
address/UDP port 4500.
These mappings are required so that all Internet Key Exchange (IKE)
and IPSec NAT-T traffic that is sent to the public address of the
network address translator is automatically translated and forwarded
to the Windows Server 2003-based computer
28. How to create application partition windows 2003 and its usage?
An application directory partition is a directory partition that is
replicated only to specific domain controllers. A domain controller
that participates in the replication of a particular application
directory partition hosts a replica of that partition. Only domain
controllers running Windows Server 2003 can host a replica of an
application directory partition.
Applications and services can use application directory partitions to
store application-specific data. Application directory partitions can
contain any type of object, except security principals. TAPI is an
example of a service that stores its application-specific data in an
application directory partition.
Application directory partitions are usually created by the
applications that will use them to store and replicate data. For
testing and troubleshooting purposes, members of the Enterprise Admins
group can manually create or manage application directory partitions
using the Ntdsutil command-line tool.
29. Is it possible to do implicit transitive forest to forest trust
relation ship in windows 2003?
Implicit Transitive trust will not be possible in windows 2003.
Between forests we can create explicit trust
Two-way trust
One-way: incoming
One-way: Outgoing
30. What is universal group membership cache in windows 2003.
Information is stored locally once this option is enabled and a user
attempts to log on for the first time. The domain controller obtains
the universal group membership for that user from a global catalog.
Once the universal group membership information is obtained, it is
cached on the domain controller for that site indefinitely and is
periodically refreshed. The next time that user attempts to log on,
the authenticating domain controller running Windows Server 2003 will
obtain the universal group membership information from its local cache
without the need to contact a global catalog.
By default, the universal group membership information contained in
the cache of each domain controller will be refreshed every 8 hours.
31. GPMC & RSOP in windows 2003?
GPMC is tool which will be used for managing group policies and will
display information like how many policies applied, on which OU’s the
policies applied, What are the settings enabled in each policy, Who
are the users effecting by these polices, who is managing these
policies. GPMC will display all the above information.
RSoP provides details about all policy settings that are configured by
an Administrator, including Administrative Templates, Folder
Redirection, Internet Explorer Maintenance, Security Settings,
Scripts, and Group Policy Software Installation.
When policies are applied on multiple levels (for example, site,
domain, domain controller, and organizational unit), the results can
conflict. RSoP can help you determine a set of applied policies and
their precedence (the order in which policies are applied).
32. Assign & Publish the applications in GP & how?
Through Group policy you can Assign and Publish the applications by
creating .msi package for that application
With Assign option you can apply policy for both user and computer. If
it is applied to computer then the policy will apply to user who logs
on to that computer. If it is applied on user it will apply where ever
he logs on to the domain. It will be appear in Start menu—Programs.
Once user click the shortcut or open any document having that
extension then the application install into the local machine. If any
application program files missing it will automatically repair.
With Publish option you can apply only on users. It will not install
automatically when any application program files are corrupted or
deleted.
33. DFS in windows 2003?
Refer Question 17 on level 2
34. How to use recovery console?
The Windows 2000 Recovery Console is a command-line console that you
can start from the Windows 2000 Setup program. Using the Recovery
Console, you can start and stop services, format drives, read and
write data on a local drive (including drives formatted to use NTFS),
and perform many other administrative tasks. The Recovery Console is
particularly useful if you need to repair your system by copying a
file from a floppy disk or CD-ROM to your hard drive, or if you need
to reconfigure a service that is preventing your computer from
starting properly. Because the Recovery Console is quite powerful, it
should only be used by advanced users who have a thorough knowledge of
Windows 2000. In addition, you must be an administrator to use the
Recovery Console.
There are two ways to start the Recovery Console:
If you are unable to start your computer, you can run the Recovery
Console from your Windows 2000 Setup disks or from the Windows 2000
Professional CD (if you can start your computer from your CD-ROM
drive).
As an alternative, you can install the Recovery Console on your
computer to make it available in case you are unable to restart
Windows 2000. You can then select the Recovery Console option from the
list of available operating systems
35. PPTP protocol for VPN in windows 2003?
Point-to-Point-Tunneling Protocol (PPTP) is a networking technology
that supports multiprotocol virtual private networks (VPN), enableing
remote users to access corporate networks securely across the
Microsoft Windows NT® Workstation, Windows® 95, and Windows 98
operating systems and other point-to-point protocol (PPP)-enabled
systems to dial into a local Internet service provider to connect
securely to their corporate network through the Internet
Netdom.exe is domain management tool to rename domain controller
SID history
• What is Bridge Head Server?
• Crisis Management?
• Mail flow in Exchange Server.
• DMZ concept in Firewalls.
• Is NAT uses Port Number if so what is the Port number?
• Difference between Schema Master and Global Catlog?
• Difference Between Incremental and Differential Backup? Which is
best backup Microsoft has recommended? (depends on the volume of data)
• How DNS and DHCP are integrated?
• If RID master fails what happens?
• tool used for FSMO?
• Difference between Assigning and Publishing through Group Policy?
Netdom.exe is domain management tool to rename domain controller
Second level
• What are the services installed when RIS is installed. Read about RIS.
• How to trouble shoot if a DHCP client won’t get IP from DHCP Server?
• What is online and offline fragmentations?
• Garbage collections and white spaces?
• Tell me one example when Infracture master and Global catalog will
be on one DC, what is the issue if both resides on same system?
• When you require a Infrastructure Master.
• What are Windows 2003 modes?
• What are FSMO roles and explain then?
• Stress on PDC emulator?
• 2003 advantages?
• About migration?(W2k to W2k3 and NT to W2k3).
How to Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration:
Before you upgrade a Windows NT 4.0 domain to a Windows Server
2003-based domain, the following domain and security configurations
are required.
Note: This article assumes that the source domain is running Windows
NT 4.0 Service Pack 4 (SP4) or later with 128-Bit encryption, and that
the target domain is a Windows Server 2003-based domain in native
mode. Also, the Windows Server 2003 must have 128-Bit encryption
(which comes as a default setting in Windows 2003).
Trusts
Configure the source domain to trust the target domain.
Configure the target domain to trust the source domain.
Groups
Add the Domain Admins global group from the source domain to the
Administrators local group in the target domain.
Add the Domain Admins global group from the target domain to the
Administrators local group in the source domain.
Create a new local group in the source domain called Source Domain$$$.
Note: There must be no members in this group.
Auditing
Enable auditing for the success and failure of user and group
management on the source domain.
Enable auditing for the success and failure of Audit account
management on the target domain in the Default Domain Controllers
policy.
Registry
On the PDC in the source domain, add the
TcpipClientSupport:REG_DWORD:0x1 value to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA
Administrative Shares
Administrative shares must exist on the domain controller in the
target domain on which you run ADMT, and on any computers on which an
agent must be dispatched.
User Rights
You must log on to the computer on which you run ADMT with an account
that has the following permissions:
Domain Administrator rights in the target domain.
A member of the Administrators group in the source domain.
Administrator rights on each computer that you migrate.
Administrator rights on each computer on which you translate security.
You will have the appropriate rights when you log on to the PDC that
is the FSMO role holder in the target domain with the Source
Domain\Administrator account, assuming that the Source Domain\Domain
Administrators group is a member of the Administrators group on each
computer.
How to Set Up ADMT for a Windows 2000 to Windows Server 2003 Migration
You can install the Active Directory Migration Tool version 2 (ADMTv2)
on any computer that is running Windows 2000 or later, including:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows XP Professional
Microsoft Windows Server 2003
The computer on which you install ADMTv2 must be a member of either
the source or the target domain.
Intraforest Migration
Intraforest migration does not require any special domain
configuration. The account you use to run ADMT must have enough
permissions to perform the actions that are requested by ADMT. For
example, the account must have the right to delete accounts in the
source domain, and to create accounts in the target domain.
Intraforest migration is a move operation instead of a copy operation.
These migrations are said to be destructive because after the move,
the migrated objects no longer exist in the source domain. Because the
object is moved instead of copied, some actions that are optional in
interforest migrations occur automatically. Specifically, the
sIDHistory and password are automatically migrated during all
intraforest migrations.
Interforest Migration
ADMT requires the following permissions to run properly:
Administrator rights in the source domain.
Administrator rights on each computer that you migrate.
Administrator rights on each computer on which you translate security.
Before you migrate a Windows 2000-based domain to a Windows Server
2003-based domain, you must make some domain and security
configurations. Computer migration and security translation do not
require any special domain configuration. However, each computer you
want to migrate must have the administrative shares, C$ and ADMIN$.
The account you use to run ADMT must have enough permissions to
complete the required tasks. The account must have permission to
create computer accounts in the target domain and organizational unit,
and must be a member of the local Administrators group on each
computer to be migrated.
User and Group Migration
You must configure the source domain to trust the target domain.
Optionally, the target may be configured to trust the source domain.
While this may ease configuration, it is not required to finish the
ADMT migration.
Requirements for Optional Migration Tasks
You can complete the following tasks automatically by running the User
Migration Wizard in Test mode and selecting the migrate sIDHistory
option. The user account you use to run ADMT must be an Administrator
in both the source and the target domains for the automatic
configuration to succeed.
Create a new local group in the source domain that is named
%sourcedomain%$$$. There must be no members in this group.
Turn on auditing for the success and failure of Audit account
management on both domains in the Default Domain Controllers policy.
Configure the source domain to allow RPC access to the SAM by
configuring the following registry entry on the PDC Emulator in the
source domain with a DWORD value of 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\TcpipClientSupport
You must restart the PDC Emulator after you make this change.
Note: For Windows 2000 domains, the account you use to run ADMTv2 must
have domain administrator permissions in both the source and target
domains. For Windows Server 2003 target domains, the 'Migrate
sIDHistory' may be delegated. For more information, see Windows Server
2003 Help & Support.
You can turn on interforest password migration by installing a DLL
that runs in the context of LSA. By running in this protected context,
passwords are shielded from being viewed in cleartext, even by the
operating system. The installation of the DLL is protected by a secret
key that is created by ADMTv2, and must be installed by an
administrator.
To install the password migration DLL:
Log on as an administrator or equivalent to the computer on which
ADMTv2 is installed.
At a command prompt, run the ADMT KEY sourcedomainpath [* | password]
command to create the password export key file (.pes). In this
example, sourcedomain is the NetBIOS name of the source domain and
path is the file path where the key will be created. The path must be
local, but can point to removable media such as a floppy disk drive,
ZIP drive, or writable CD media. If you type the optional password at
the end of the command, ADMT protects the .pes file with the password.
If you type the asterisk (*), ADMT prompts for a password, and the
system will not echo it as it is typed.
Move the .pes file you created in step 2 to the designated Password
Export Server in the source domain. This can be any domain controller,
but make sure it has a fast, reliable link to the computer that is
running ADMT.
Install the Password Migration DLL on the Password Export Server by
running the Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT
folder on the Windows Server 2003 installation media, or the folder to
which you downloaded ADMTv2 from the Internet.
When you are prompted to do so, specify the path to the .pes file that
you created in step 2. This must be a local file path.
After the installation completes, you must restart the server.
If you are ready to migrate passwords, modify the following registry
key to have a DWORD value of 1. For maximum security, do not complete
this step until you are ready to migrate.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\AllowPasswordExport
The Active Directory Migration Tool v2 is included in the I386\Admt
folder on the Windows Server 2003 CD.
The Active Directory Migration Tool provides an easy, secure, and fast
way to migrate to Windows 2000 Active Directory service. As a system
administrator, you can use this tool to diagnose any possible problems
before starting migration operations to Windows 2000 Server Active
Directory. You can then use the task-based wizard to migrate users,
groups, and computers; set correct file permissions; and migrate
Microsoft Exchange Server mailboxes. The tool's reporting feature
allows you to assess the impact of the migration, both before and
after move operations.
In many cases, if there is a problem, you can use the rollback
features to automatically restore previous structures. The tool also
provides support for parallel domains, so you can maintain your
existing Windows NT 4.0 domains while you deploy Windows 2000.
Note: To successfully run the AD Migration Tool the source domain must
be running Windows NT 4.0 Service Pack 4 or later, and the target
domain will be a Windows 2000-based domain in Native mode.
Version 2.0 of ADMT is from Windows Server 2003 and has many new features:
Scripting and Command line interface
Password Migration
Sid Mapping Files for Security
Translation
Windows 2000 Attribute Exclusion
Agent Credentials
Migration Log
Skip Membership Restoration
• Question on System State data Backup?
• Diff types of DNS roles and Zones?
• What are the steps you follow when you are promoting a server as ADC
in windows 2003?
• What are the two parameters you run before upgrading the server to
an ADC(/forestprep, /domainprep).
• What is the authentication process?
• What is the role of GC in authentication process?
• What happens if DNS server fails. Can a user is able to login if the
DNS server fails(if you have only one DNS Server).
• How do you promote a server to a domain controller(in windows 2003)
over a slow wan links.
A) Take the backup of systemstate from the DC and restore it in the
server where you are promoting using “dcpromo /adv” and select restore
from backup.
Working with Group Policy
This article deals with the mechanism of deploying and verifying GPO
deployment. It will not deal in the GPO itself and the settings inside
it (these settings and configurations will be discussed in different
articles).
Group Policy is a one of the most useful tools found in the Windows
2000/2003 Active Directory infrastructure. Group Policy can help you
do the following:
1. Configure user's desktops
2. Configure local security on computers
3. Install applications
4. Run start-up/shut-down or logon/logoff scripts
5. Configure Internet Explorer settings
6. Redirect special folders
In fact, you can configure any aspect of the computer behavior with
it. Although it is a cool toy; working with it without proper
attention can cause unexpected behavior.
Here are some basic terms you need to be familiar with before drilling
down into Group Policy:
Local policy - Refers to the policy that configures the local computer
or server, and is not inherited from the domain. You can set local
policy by running gpedit.msc from the Run command, or you can add
"Group Policy Object Editor" snap-in to MMC. Local Policies also exist
in the Active Directory environment, but have many fewer configuration
options that the full-fledged Group Policy in AD.
GPO - Group Policy Object - Refers to the policy that is configured at
the Active Directory level and is inherited by the domain member
computers. You can configure a GPO – Group Policy Object - at the site
level, domain level or OU level.
GPC – Group Policy Container - The GPC is the store of the GPOs; The
GPC is where the GPO stores all the AD-related configuration. Any GPO
that is created is not effective until it is linked to an OU, Domain
or a Site. The GPOs are replicated among the Domain Controllers of the
Domain through replication of the Active Directory.
GPT - Group Policy Templates - The GPT is where the GPO stores the
actual settings. The GPT is located within the Netlogon share on the
DCs.
Netlogon share - A share located only on Domain Controllers and
contains GPOs, scripts and .POL files for policy of Windows NT/98. The
Netlogon share replicates among all DCs in the Domain, and is
accessible for read only for the Everyone group, and Full Control for
the Domain Admins group. The Netlogon's real location is:
C:\WINDOWS\SYSVOL\sysvol\domain.com\SCRIPTS
When a domain member computer boots up, it finds the DC and looks for
the Netlogon share in it.
To see what DC the computer used when it booted, you can go to the Run
command and type %logonserver%\Netlogon. The content of the Netlogon
share should be the same on all DCs in the domain.
GPO behavior
Group Policy is processed in the following order:
Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
and so on.
GPOs inherited from the Active Directory are always stronger than
local policy. When you configure a Site policy it is being overridden
by Domain policy, and Domain policy is being overridden by OU policy.
If there is an OU under the previous OU, its GPO is stronger the
previous one.
The rule is simple, as more you get closer to the object that is being
configured, the GPO is stronger.
What does it mean "stronger"? If you configure a GPO and linke it to
"Organization" OU, and in it you configure Printer installation –
allowed and then at the "Dallas" OU you configured other GPO but do
not allow printer installation, then the Dallas GPO is more powerful
and the computers in it will not allow installation of printers.
The example above is true when you have different GPOs that have
similar configuration, configured with opposite settings. When you
apply couple of GPOs at different levels and every GPO has its own
settings, all settings from all GPOs are merged and inherited by the
computers or users.
Group Policy sections. Each GPO is built from 2 sections:
• Computer configuration contains the settings that configure the
computer prior to the user logon combo-box.
• User configuration contains the settings that configure the user
after the logon. You cannot choose to apply the setting on a single
user, all users, including administrator, are affected by the
settings.
Within these two section you can find more sub-folders:
• Software settings and Windows settings both of computer and user are
settings that configure local DLL files on the machine.
• Administrative templates are settings that configure the local
registry of the machine. You can add more options to administrative
templates by right clicking it and choose .ADM files. Many programs
that are installed on the computer add their .ADM files to
%systemroot%\inf folder so you can add them to the Administrative
Templates.
You can download .ADM files for the Microsoft operating systems
Tools used to configure GPO
You can configure GPOs with these set of tools from Microsoft (other
3rd-party tools exist but we will discuss these in a different
article):
1. Group Policy Object Editor snap-in in MMC - or - use gpedit.msc
from the Run command.
2. Active Directory Users and Computers snap in - or dsa.msc – to
invoke the Group Policy tab on every OU or on the Domain.
3. Active Directory Sites and Services - or dssite.msc – to invoke the
Group Policy tab on a site.
4. Group Policy Management Console - or gpmc.msc - this utility is NOT
included in Windows 2003 server and needs to be separately installed.
You can download it from HERE
Note that if you'd like to use the GPMC tool on Windows XP, you need
to install it on computers running Windows XP SP2. Installing it on
computers without SP2 will generate errors due to unsupported and
newer .ADM files.
GPMC utility - Creating a GPO
When you create a GPO it is stored in the GPO container. After
creation you should link the GPO to an OU that you choose.
Linking a GPO.
To link a GPO simply right click an OU and choose Link an existing GPO
or you can create and link a GPO in the same time. You can also drag
and drop a GPO from the Group Policy Objects folder to the appropriate
Site, Domain or OU.
When you right-click a link you can:
Edit a GPO - This will open the GPO window so you can configure settings.
Link/Unlink a GPO - This setting allows you to temporarily disable a
link if you need to add settings to it or if you will activate it
later.
Enabling/disabling computer or user settings
GPO has computer and user settings but if you create a GPO that
contains only computer settings, you might want to disable the user
settings in that GPO, this will reduce the amount of settings
replicated and can also be used for testing.
To disable one of the configurations simply choose the GPO link and go
to Details tab:
How do I know what are the settings in a GPO?
Prior to the use of GPMC, an administrator who wanted to find out
which one of the hundreds of settings of a GPO were actually
configured - had to open each GPO and manually comb through each and
every node of the GPO sections. Now, with GPMC, you can simply see
what the configurations of any GPO are if you point on that GPO and go
to the Settings tab. There you can use the drop-down menus to see
computer or user settings.
Block/Enforce inheritance
You can block policy inheritance to an OU if you don’t want the
settings from upper GPOs to configure your OU.
To block GPO inheritance, simply right click your OU and choose "Block
Inheritance". Blocking inheritance will block all upper GPOs.
In case you need one of the upper GPOs to configure all downstream OUs
and overcome Block inheritance, use the Enforce option of a link.
Enforcing a GPO is a powerful option and rarely should be used.
You can see in this example that when you look at Computers OU, three
different GPOs are inherited to it.
In this example you can see that choosing "Block inheritance" will
reject all upper GPOs.
Now, if we configure the "Default domain policy" with the Enforce
option, it will overcome the inheritance blocking.
Link order
When linking more than one GPO to an OU, there could be a problem when
two or more GPOs have the same settings but with opposite
configuration, like, GPO1 have Allow printer installation among other
settings but GPO2 is configured to prevent printer installation among
other settings. Because the two GPOs are at the same level, there is a
link order which can be changed.
The GPO with the lowest link order is processed last, and therefore
has the highest precedence.
Security Filtering
Filtering let you choose the user, group or computer that the GPO will
apply onto. If you configured "Computers" OU with a GPO but you only
want to configure Win XP stations with that GPO and exclude Win 2000
stations, you can easily create a group of Win XP computers and apply
the GPO only to that group.
This option save you from creating complicated OU tree with each type
of computer in it.
A user or a group that you configure in the filtering field have by
default the "Read" and "Apply" permission. By default when you create
a GPO link, you can see that "Authenticated users" are listed.
In the above example, Office 2K3 will be installed on all computers
that are part of the two listed groups.
If we still were using Authenticated users, the installation of the
Office suite could have followed the user to any computer that he logs
onto, like servers or other machines. Using filtering narrows the
installation options.
If you want to configure these permissions with higher resolution, you
can go to Delegation tab and see the permissions. Going to the
Advanced Tab will let you configure the ACL permission with the
highest resolution.
How the GPO is updated on the computers
GPO inherited from AD is refreshed on the computers by several ways:
1. Logon to computer (If the settings are of "user settings" in GPO)
2. Restart of the computer (If the settings are of "computer settings" in GPO)
3. Every 60 to 90 minutes, the computers query their DC for updates.
4. Manually by using gpupdate command. You can add the /force switch
to force all settings and not only the delta.
Note: Windows 2000 doesn't support the Gpupdate command so you need
run a different command instead:
for computer settings.
for user settings.
In both commands you can use the /enforce that is similar to the
/force in gpupdate.
If any configuration change requires a logoff or a restart message will appear:
You can force logoff or reboot using gpupdate switches.
How to check that the GPO was deployed
To be sure that GPO was deployed correctly, you can use several ways.
The term for the results is called RSoP – Resultant Sets of Policies.
1. Use gpresult command in the command prompt.
The default result is for the logged on user on that machine. You can
also choose to check what is the results for other users on to that
machine. If you use /v or /z switches you will get very detailed
information.
You can see what GPOs were applied and what GPOs were filtered out and
the reason for not being deployed.
2. Resultant Set of Policy snap-in in MMC.
The snap-in has two modes:
Logging mode which tells you what are the real settings that were
deployed on the machine
Planning mode which tells you what will be the results if you choose
some options.
This option is not so compatible because you need to browse in the
RSoP data to find the settings.
3. Group Policy Results in GPMC.
This is the most comfortable option that let you check the RSoP data
on every computer or user from a central location. This option also
displays the summary of the RSoP and Detailed RSoP data in HTML
format.
In the example above example you can see the summary of applied or non
applied GPOs both of computer and user settings.
When looking at the Settings tab we can see what settings did applied
on the computer and see which is the "Winning GPO" that actually
configured the computer with the particular setting.
No comments:
Post a Comment