20. What are types of Active Directory Trust Relationships?



1. What is Active Directory?

2. What is LDAP?

3. What is DNS?

4. What are types of records in DNS?

5. What is WINS?

6. What is DHCP?

7. How do clients use servers?

8. How do servers provide optional data?

9. What are DHCP options?

10. How are options applied?

11. How the Lease Process Works

12. What are DHCP Client States in the Lease Process?

13. What are tombstone objects?

14. What is Global Catalog and Global Catalog Server?

15. What is Active Directory schema?

16. What are Active Directory Objects?

17. What are Active Directory Components?

18. What is Active Directory Replication?

19. What are the different partitions in AD?

20. What are types of Active Directory Trust Relationships?

21. In Active Directory, what are the differences between universal, global, and domain local groups?

22. What are Forward Lookup Zones and Reverse Lookup Zones?

23. What are Operations Master Roles?

24. What are Forest-Wide Operations Master Roles?

25. What are Domain-Wide Operations Master Roles?

26. How to Plan the Placement of the FSMOs?

27. How to Manage Operations Master Roles?

28. How to view the existing Schema Master Role assignment?

29. How to view the existing Domain Naming Master role assignment?

30. How to view the existing RID Master role, PDC Emulator, and Infrastructure Master Role assignments?

31. How to transfer the Schema Master role to another domain controller?

32. How to transfer the Domain Naming Master role to another domain controller?

33. How to transfer the RID Master role, PDC Emulator role, or Infrastructure Master Role to another domain controller?

34. How to seize an Operations Master role?

35. How to perform a metadata cleanup?

36. What is "tattooing" the Registry?

37. What’s the major difference between FAT and NTFS on a local machine?

38. What is LSDOU?

39. What is "tattooing" the Registry?

40. What is boot processing computer?

41. What do you mean by deadlock?

42. What is Distributed File System?

43. What are the domain functional levels in Windows Server 2003?

44. How can we raise the domain functional and forest functional levels in Windows Server 2003?

45. What is the default domain functional level in Windows Server 2003?

46. What is multi-master replication?

47. Which is the command used to remove active directory from a domain controller?

48. What Exchange process is responsible for communication with AD?

49. What is DSACCESS?

50. Explain APIPA?

51. Where is GPT stored?

52. What hidden shares exist on Windows Server 2003 installation?

53. What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations?

54. When should you create a forest?

55. How can you authenticate between forests?

56. What is an incremental backup?

57. What is Differential Backup?

58. What is Multilevel Incremental Backup?

59. What is reverse Incremental Backup?

60. What is Synthetic full backup?

61. What is RAID?

62. What is concatenation?

63. What is striping/RAID-0?

64. What is RAID 0+1? Why is it better than 0?

65. What is RAID-5?

66. What are types of Backups?

67. What is Incremental Backup?

68. What is Differential Backup?

69. What is Full Backup?


1. What is Active Directory?

Active Directory is a directory structure used on Microsoft Windows-based computers and servers to store information and data about networks and domains. It is primarily used for online information; it was originally created in 1996 and first used with Windows 2000.

Active Directory (sometimes referred to as AD) performs a variety of functions: it provides information on objects, helps organize these objects for easy retrieval and access, allows access by end users and administrators, and allows the administrator to set up security for the directory.

Active Directory can be defined as a hierarchical structure, and this structure is usually broken up into three main categories: resources, which might include hardware such as printers; services for end users, such as web and email servers; and objects, which are the main functions of the domain and network.

2. What is LDAP?

LDAP (Lightweight Directory Access Protocol) is a protocol for communication between LDAP servers and LDAP clients. LDAP servers store "directories", which are accessed by LDAP clients.

LDAP is called lightweight because it is a smaller and simpler protocol derived from the X.500 DAP (Directory Access Protocol) defined in the OSI network protocol stack.

LDAP servers store a hierarchical directory of information.

3. What is DNS?

Domain Name System (DNS) is one of the industry-standard suite of protocols that comprise TCP/IP. In Microsoft Windows Server 2003, DNS is implemented using two software components: the DNS server and the DNS client (or resolver). Both components run as background services.

Network resources are identified by numeric IP addresses, but these IP addresses are difficult for network users to remember. The DNS database contains records that map user-friendly alphanumeric names for network resources to the IP address used by those resources for communication. In this way, DNS acts as a mnemonic device, making network resources easier to remember for network users.

The Windows Server 2003 DNS Server and Client services use the DNS protocol that is included in the TCP/IP protocol suite. DNS is part of the application layer of the TCP/IP reference model.

4. What are types of records in DNS?

A Record: Points a host name to an IP address.

NS Record: Identifies the authoritative DNS servers for the zone.

SOA Record: Start of Authority record, which holds crucial zone information: the SERIAL number, which other name servers monitor for changes (a changed serial indicates that the zone information has changed); REFRESH, which tells a secondary name server how often to check for a change in the serial number; RETRY, which tells a secondary server how long to keep using its current entry if it is unable to perform a refresh; and MINIMUM, which is how long other name servers should hold this information.

CNAME Record: Canonical Name record, which allows a node to be addressed using more than one host name.

MX Record: Used for message routing where there are multiple mail exchange hosts; an A record is needed for every MX record set.

PTR Record: The reverse of an A record; it points an IP address to a host name.

HINFO Record: Indicates the CPU and operating system types for a specific host name.

TXT Record: Provides descriptive text associated with a host name.
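As an added example (not part of the original page), the following Python script parses a small constructed zone file containing the record types listed above, reads the SOA timers the SOA entry describes, follows a CNAME to its A record, and runs the two consistency checks a practitioner would want: every MX target has an A record (as the MX entry above requires) and every PTR record is matched by a forward A record pointing back at the same address. The zone content, names and addresses are constructed for illustration, and the parser handles only the subset of zone-file syntax used in the sample.

```python
import shlex
from dataclasses import dataclass

# Constructed sample zone (not from the page); ';' comments stay outside quoted strings.
SAMPLE_ZONE = """
$ORIGIN example.test.
@      IN SOA   ns1.example.test. hostmaster.example.test. (
                2024010101 ; serial
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; minimum
@      IN NS    ns1.example.test.
ns1    IN A     192.0.2.53
www    IN A     192.0.2.80
ftp    IN CNAME www.example.test.
@      IN MX    10 mail.example.test.
@      IN MX    20 backup.example.test.
mail   IN A     192.0.2.25
mail   IN HINFO "x86-64" "Windows Server"
@      IN TXT   "v=spf1 mx -all"
80.2.0.192.in-addr.arpa. IN PTR www.example.test.
25.2.0.192.in-addr.arpa. IN PTR mailhost.example.test.
"""

@dataclass(frozen=True)
class Record:
    owner: str     # fully qualified owner name, trailing dot included
    rtype: str     # A, NS, SOA, CNAME, MX, PTR, HINFO, TXT
    rdata: tuple   # record data fields as strings

def _logical_lines(text):
    """Strip ';' comments and join records that continue across lines inside ( )."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf)
            buf = []

def _qualify(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    origin, records = ".", []
    for line in _logical_lines(text):
        tokens = shlex.split(line)           # honours the quoted HINFO/TXT strings
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        owner, rest = _qualify(tokens[0], origin), tokens[1:]
        if rest[0].upper() == "IN":          # class field is optional in the sample
            rest = rest[1:]
        records.append(Record(owner, rest[0].upper(), tuple(rest[1:])))
    return records

def soa_timers(records):
    """The SOA fields described above: serial, refresh, retry, expire, minimum."""
    soa = next(r for r in records if r.rtype == "SOA")
    names = ("serial", "refresh", "retry", "expire", "minimum")
    return dict(zip(names, (int(v) for v in soa.rdata[2:7])))

def lookup(records, name, rtype, _hops=0):
    """Answer name/rtype from the zone, following CNAME chains for at most 8 hops."""
    direct = [r.rdata for r in records if r.owner == name and r.rtype == rtype]
    if direct or _hops >= 8:
        return direct
    for r in records:
        if r.owner == name and r.rtype == "CNAME":
            return lookup(records, r.rdata[0], rtype, _hops + 1)
    return []

def mx_without_address(records):
    """Mail exchangers named in MX records that have no A record (directly or via CNAME)."""
    return sorted(r.rdata[1] for r in records
                  if r.rtype == "MX" and not lookup(records, r.rdata[1], "A"))

def ptr_to_ip(owner):
    labels = owner.rstrip(".").split(".")
    return ".".join(reversed(labels[:-2]))   # drop in-addr.arpa, reverse the octets

def forward_reverse_mismatches(records):
    """PTR records whose target host has no A record pointing back at that IP address."""
    forward = {(r.owner, r.rdata[0]) for r in records if r.rtype == "A"}
    return [(ptr_to_ip(r.owner), r.rdata[0]) for r in records
            if r.rtype == "PTR" and (r.rdata[0], ptr_to_ip(r.owner)) not in forward]

if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print(soa_timers(zone))
    print("MX targets without A:", mx_without_address(zone))
    print("PTR/A mismatches:", forward_reverse_mismatches(zone))
```

On the sample zone the checks report backup.example.test. as an MX target with no A record and the PTR for 192.0.2.25 as pointing at a host (mailhost) that has no matching forward record; both are the kinds of inconsistency that quietly break mail routing and reverse lookups in a real zone.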

5. What is WINS?

WINS name resolution means successfully mapping a NetBIOS name to an IP address. A NetBIOS name is a 16-byte address that is used to identify a NetBIOS resource on the network. A NetBIOS name is either a unique (exclusive) or group (nonexclusive) name. When a NetBIOS process is communicating with a specific process on a specific computer, a unique name is used. When a NetBIOS process is communicating with multiple processes on multiple computers, a group name is used.

The exact mechanism by which NetBIOS names are resolved to IP addresses depends on the NetBIOS node type that is configured for the node. RFC 1001, “Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods,” defines the NetBIOS node types, as listed in the following table.

NetBIOS Node Types

B-node (broadcast): B-node uses broadcast NetBIOS name queries for name registration and resolution. B-node has two major limitations: (1) broadcasts disturb every node on the network, and (2) routers typically do not forward broadcasts, so only NetBIOS names on the local network can be resolved.

P-node (peer-peer): P-node uses a NetBIOS name server (NBNS), such as a WINS server, to resolve NetBIOS names. P-node does not use broadcasts; instead, it queries the name server directly.

M-node (mixed): M-node is a combination of B-node and P-node. By default, an M-node functions as a B-node. If an M-node is unable to resolve a name by broadcast, it queries an NBNS using P-node.

H-node (hybrid): H-node is a combination of P-node and B-node. By default, an H-node functions as a P-node. If an H-node is unable to resolve a name through the NBNS, it uses a B-node query to resolve the name.

Computers running Windows Server 2003 operating systems are B-node by default and become H-node when they are configured with a WINS server. Those computers can also use a local database file called Lmhosts to resolve remote NetBIOS names. The Lmhosts file is stored in the systemroot\System32\Drivers\Etc folder.

Typically, Windows-based computers are configured with the IP address of a WINS server so remote NetBIOS names can be resolved. Active Directory-based computers, such as Windows XP Professional, Microsoft Windows 2000 and Windows Server 2003 operating systems, must be configured with the IP address of a WINS server if they are to communicate with computers running Microsoft Windows NT, Windows 95, Windows 98, or Windows Millennium Edition that are not Active Directory-based.
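As an added example (not from the original page), here is a small Python model of the node types in the table above: a constructed topology with a broadcast domain that stops at a router, a WINS (NBNS) database, and a resolver that tries the methods in the order each node type prescribes. It also encodes the 16-byte NetBIOS name the text mentions (15 characters padded with spaces plus a one-byte service suffix; the 0x20 Server-service suffix is the example's default). Host names and addresses are constructed.

```python
# Constructed topology (not from the original page): two subnets joined by a router
# that does not forward broadcasts, and one WINS server (NBNS) holding registrations.
BROADCAST_DOMAIN = {"FILESRV1": "192.0.2.10", "LEGACY95": "192.0.2.40"}   # hosts answering local broadcasts
WINS_DATABASE = {"FILESRV1": "192.0.2.10", "FILESRV2": "198.51.100.10"}   # LEGACY95 never registered with WINS

# Resolution order per node type, as the table above describes
RESOLUTION_ORDER = {
    "B": ("broadcast",),
    "P": ("nbns",),
    "M": ("broadcast", "nbns"),
    "H": ("nbns", "broadcast"),
}


def netbios_name(name, suffix=0x20):
    """16-byte NetBIOS name: upper-cased, space-padded to 15 bytes, plus a one-byte service suffix."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters plus a suffix byte")
    return raw.ljust(15, b" ") + bytes([suffix])


def effective_node_type(wins_configured):
    """Windows Server 2003 default described above: B-node until a WINS server is configured, then H-node."""
    return "H" if wins_configured else "B"


def resolve(name, node_type, wins_configured):
    """Return (ip_or_None, steps_tried) for a NetBIOS name under the given node type."""
    key, steps = name.upper(), []
    for method in RESOLUTION_ORDER[node_type]:
        if method == "nbns":
            if not wins_configured:
                steps.append("nbns: no WINS server configured")
                continue
            ip = WINS_DATABASE.get(key)
        else:
            ip = BROADCAST_DOMAIN.get(key)   # broadcasts never cross the router
        steps.append(f"{method}: {ip or 'no answer'}")
        if ip:
            return ip, steps
    return None, steps


if __name__ == "__main__":
    for host, wins in (("FILESRV2", False), ("FILESRV2", True), ("LEGACY95", True)):
        node = effective_node_type(wins)
        print(host, node + "-node", resolve(host, node, wins))
```

The run shows the two failure modes the table warns about: a B-node cannot resolve the remote FILESRV2 because its broadcast stops at the router, while a pure P-node cannot find LEGACY95, which answers broadcasts but never registered with WINS; the H-node default gets both, falling back to broadcast only when the NBNS has no answer.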

6. What is DHCP?

Dynamic Host Configuration Protocol (DHCP) is an IP standard for simplifying management of host IP configuration. The DHCP standard provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses and other related configuration details for DHCP-enabled clients on your network.

Every computer on a TCP/IP network must have a unique IP address. The IP address (together with its related subnet mask) identifies both the host computer and the subnet to which it is attached. When you move a computer to a different subnet, the IP address must be changed. DHCP allows you to dynamically assign an IP address to a client from a DHCP server IP address database on your local network.

For TCP/IP-based networks, DHCP reduces the complexity and amount of administrative work involved in reconfiguring computers.

The Microsoft® Windows Server 2003 family provides an RFC-compliant DHCP service you can use to manage IP client configuration and automate IP address assignment on your network.

DHCP servers

Configuring DHCP servers for a network provides the following benefits:

• The administrator can assign and specify global and subnet-specific TCP/IP parameters centrally for use throughout the entire network.

• Client computers do not require manual TCP/IP configuration.

• When a client computer moves between subnets, its old IP address is freed for reuse. The client reconfigures its TCP/IP settings automatically when the computer is restarted in its new location.

• Most routers can forward DHCP and BOOTP configuration requests, so DHCP servers are not required on every subnet in the network.

7. How do clients use servers?

A computer running Windows XP becomes a DHCP client if Obtain an IP address automatically is selected in its TCP/IP properties. When a client computer is set to use DHCP, it accepts a lease offer and can receive from the server the following:

• Temporary use of an IP address known to be valid for the network it is joining.

• Additional TCP/IP configuration parameters for the client to use in the form of options data.

Also, if conflict detection is configured, the DHCP server attempts to ping each available address it intends to offer prior to presenting the address in a lease offer to a client. This ensures that each IP address offered to clients is not already in use by another non-DHCP computer that uses manual TCP/IP configuration.

8. How do servers provide optional data?

In addition to an IP address, DHCP servers can be configured to provide optional data to fully configure TCP/IP for clients. Some of the most common DHCP option types configured and distributed by the DHCP server during leases include:

• Default gateways (routers), which are used to connect a network segment to other network segments.

• Other optional configuration parameters to assign to DHCP clients, such as IP addresses for the DNS servers or WINS servers that the client can use in resolving network host names.

9. What are DHCP options?

DHCP provides an internal framework for passing configuration information on to clients on your network. Configuration parameters and other control information are carried in tagged data items stored within protocol messages exchanged between the DHCP server and its clients. These data items are called options.

Most standard DHCP options are currently defined in Requests for Comments (RFCs) published by the Internet Engineering Task Force (IETF). The full set of standard DHCP options is described in RFC 2132, "DHCP Options and BOOTP Vendor Extensions."

All DHCP options mentioned in RFC 2132 are predefined for you to configure and use at any DHCP server running Windows Server 2003. If needed, you can also use the DHCP console to define new DHCP options at each server.

Even though most DHCP servers can assign many options, most DHCP clients are typically designed to request or support only a subset of the full RFC-specified standard options set.

10. How are options applied?

Options can be managed using different levels assigned for each managed DHCP server, including:

• Server options: These options are applied for all scopes defined at a DHCP server.

• Scope options: These options are applied specifically to all clients that obtain a lease within a particular scope.

• Class options: These options are applied only to clients that are identified as members of a specified user or vendor class when obtaining a lease.

• Reservation options: These options apply only for a single reserved client computer and require a reservation to be used in an active scope.

11. How the Lease Process Works

The first time a DHCP-enabled client starts and attempts to join the network, it automatically follows an initialization process to obtain a lease from a DHCP server. Figure 4.2 shows the lease process.

Figure 4.2 The DHCP Lease Process

1. The DHCP client requests an IP address by broadcasting a DHCPDiscover message to the local subnet.

2. The client is offered an address when a DHCP server responds with a DHCPOffer message containing an IP address and configuration information for lease to the client. If no DHCP server responds to the client request, the client can proceed in two ways:

• If it is a Windows 2000–based client, and IP auto-configuration has not been disabled, the client self-configures an IP address for its interface.

• If the client is not a Windows 2000–based client, or IP auto-configuration has been disabled, the client network initialization fails. The client continues to resend DHCPDiscover messages in the background (four times, every 5 minutes) until it receives a DHCPOffer message from a DHCP server.

3. The client indicates acceptance of the offer by selecting the offered address and replying to the server with a DHCPRequest message.

4. The client is assigned the address and the DHCP server sends a DHCPAck message, approving the lease. Other DHCP option information might be included in the message.

5. Once the client receives acknowledgment, it configures its TCP/IP properties using any DHCP option information in the reply, and joins the network.

In rare cases, a DHCP server might return a negative acknowledgment to the client. This can happen if a client requests an invalid or duplicate address. If a client receives a negative acknowledgment (DHCPNak), the client must begin the entire lease process again.

Restarting a DHCP Client

When a client that previously leased an IP address restarts, it broadcasts a DHCPRequest message instead of a DHCPDiscover message. The DHCPRequest message contains a request for the previously assigned IP address.

If the requested IP address can be used by the client, the DHCP server responds with a DHCPAck message.

If the IP address cannot be used by the client because it is no longer valid, is now used by another client, or is invalid because the client has been physically moved to a different subnet, the DHCP server responds with a DHCPNak message. If this occurs, the client restarts the lease process.

If the client fails to locate a DHCP server during the renewal process, it attempts to ping the default gateway listed in the current lease, with the following results:

• If a ping of the default gateway succeeds, the DHCP client assumes it is still located on the same network where it obtained its current lease, and the client continues to use the current lease. By default, the client attempts, in the background, to renew its current lease when 50 percent of its assigned lease time has expired.

• If a ping of the default gateway fails, the DHCP client assumes that it has been moved to a different network, where DHCP services are not available (such as a home network). By default, the client auto-configures its IP address as described previously, and continues (every five minutes in the background) trying to locate a DHCP server and obtain a lease.

Lease Renewals

The renewal process occurs when a client already has a lease, and needs to renew that lease with the server. To ensure that addresses are not left in an assigned state when they are no longer needed, the DHCP server places an administrator-defined time limit, known as a lease duration, on the address assignment.

Halfway through the lease period, the DHCP client requests a lease renewal, and the DHCP server extends the lease. If a computer stops using its assigned IP address (for example, if a computer is moved to another network segment or is removed), the lease expires and the address becomes available for reassignment.

The renewal process occurs as follows:

1. The client sends a request to the DHCP server, asking for a renewal and extension of its current address lease. The client sends a directed request to the DHCP server, with a maximum of three retries at 4, 8, and 16 seconds.

• If the DHCP server can be located, it typically sends a DHCP acknowledgment message to the client. This renews the lease.

• If the client is unable to communicate with its original DHCP server, the client waits until 87.5 percent of its lease time elapses. Then the client enters a rebinding state, broadcasting (with a maximum of three retries at 4, 8, and 16 seconds) a DHCPDiscover message to any available DHCP server to update its current IP address lease.

2. If a server responds with a DHCPOffer message to update the client's current lease, the client renews its lease based on the offering server and continues operation.

3. If the lease expires and no server has been contacted, the client must immediately discontinue using its leased IP address. The client then proceeds to follow the same process used during its initial startup to obtain a new IP address lease.

Managing Lease Durations

When a scope is created, the default lease duration is set to eight days, which works well in most cases. However, because lease renewal is an ongoing process that can affect the performance of DHCP clients and your network, it might be useful to change the lease duration. Use the following guidelines to decide how best to modify lease duration settings for improving DHCP performance on your network:

• If you have a large number of IP addresses available and configurations that rarely change on your network, increase the lease duration to reduce the frequency of lease renewal queries between clients and the DHCP server. This reduces network traffic.

• If there are a limited number of IP addresses available and if client configurations change frequently or clients move often on the network, reduce the lease duration. This increases the rate at which addresses are returned to the available address pool for reassignment.

• Consider the ratio between connected computers and available IP addresses. For example, if there are 40 systems sharing a Class C address (with 254 available addresses), the demand for reusing addresses is low. A long lease time, such as two months, would be appropriate in such a situation. However, if 230 computers share the same address pool, demand for available addresses is greater, and a lease time of a few days or weeks is more appropriate.

• Use infinite lease durations with caution. Even in a relatively stable environment, there is a certain amount of turnover among clients. At a minimum, roving computers might be added and removed, desktop computers might be moved from one office to another, and network adapter cards might be replaced. If a client with an infinite lease is removed from the network, the DHCP server is not notified, and the IP address cannot be reused. A better option is a very long lease duration, such as six months. This ensures that addresses are ultimately recovered.

12. What are DHCP Client States in the Lease Process?

DHCP clients cycle through six different states during the DHCP lease process, as illustrated in Figures 4.3 and 4.4. Figure 4.4 illustrates the DHCP lease process for clients that are renewing a lease.

Figure 4.3 DHCP Client States During the Lease Process

Figure 4.4 DHCP Client States During the Lease Renewal Process

When the DHCP client and DHCP server are on the same subnet, the DHCPDiscover, DHCPOffer, DHCPRequest, and DHCPAck messages are sent via media access control and IP-level broadcasts.

In order for DHCP clients to communicate with a DHCP server on a remote network, the connecting router or routers must support the forwarding of DHCP messages between the DHCP client and the DHCP server using a BOOTP/DHCP Relay Agent. For more information, see "Supporting BOOTP Clients" and "Managing Relay Agents" later in this chapter.

Initializing

This state occurs the first time the TCP/IP protocol stack is initialized on the DHCP client computer. The client does not yet have an IP address to request from the DHCP servers. This state also occurs if the client is denied the IP address it is requesting or the IP address it previously had was released. Figure 4.5 shows the Initialization state.

Figure 4.5 The Initialization State

When the DHCP client is in this state, its IP address is 0.0.0.0. To obtain a valid address, the client broadcasts a DHCPDiscover message from UDP port 68 to UDP port 67, with a source address of 0.0.0.0 and a destination of 255.255.255.255 (the client does not yet know the address of any DHCP servers). The DHCPDiscover message contains the DHCP client's media access control address and computer name.

Selecting

Next, the client moves into the Selecting state, where it chooses a DHCPOffer. All DHCP servers that receive a DHCPDiscover message and have a valid IP address to offer the DHCP client respond with a DHCPOffer message sent from UDP port 68 to UDP port 67. The DHCPOffer is sent via the media access control and IP broadcast because the DHCP client does not yet have a valid IP address that can be used as a destination. The DHCP server reserves the IP address to prevent it from being offered to another DHCP client.

The DHCPOffer message contains an IP address and matching subnet mask, a DHCP server identifier (the IP address of the offering DHCP server), and a lease duration. Figure 4.6 shows the Selecting state.

Figure 4.6 The Selecting State

The DHCP client waits for a DHCPOffer message. If a DHCP client does not receive a DHCPOffer message from a DHCP server on startup, it will retry four times (at intervals of 2, 4, 8, and 16 seconds, plus a random amount of time between 0 and 1,000 milliseconds). If a DHCP client does not receive a DHCPOffer after four attempts, it waits 5 minutes, then retries at 5-minute intervals.

Requesting

After a DHCP client has received a DHCPOffer message from a DHCP server, the client moves into the Requesting state. The DHCP client knows the IP address it wants to lease, so it broadcasts a DHCPRequest message to all DHCP servers. The client must use a broadcast because it still does not have an assigned IP address. Figure 4.7 shows the Requesting state.

Figure 4.7 The Requesting State

If the IP address of the client was known (that is, the computer restarted and is trying to lease its previous address), the broadcast is looked at by all of the DHCP servers. The DHCP server that can lease the requested IP address responds with either a successful acknowledgment (DHCPAck) or an unsuccessful acknowledgment (DHCPNak). The DHCPNak message occurs when the IP address requested is not available or the client has been physically moved to a different subnet that requires a different IP address. After receiving a DHCPNak message, the client returns to the Initializing state and begins the lease process again.

If the IP address of the client was just obtained with a DHCPDiscover or DHCPOffer exchange with a DHCP server, the client puts the IP address of that DHCP server in the DHCPRequest. The specified DHCP server responds to the request, and any other DHCP servers retract their DHCPOffer. This ensures that the IP addresses that were offered by the other DHCP servers go back to an available state for another DHCP client.

Binding

The DHCP server responds to a DHCPRequest message with a DHCPAck message. This message contains a valid lease for the negotiated IP address, and any DHCP options configured by the DHCP administrator. Figure 4.8 shows the Binding state.

Figure 4.8 The Binding State

The DHCPAck message is sent by the DHCP server using an IP broadcast. When the DHCP client receives the DHCPAck message, it completes initialization of the TCP/IP stack. It is now considered a bound DHCP client that can use TCP/IP to communicate on the network.

The IP address remains allocated to the client until the client manually releases the address, or until the lease time expires and the DHCP server cancels the lease.

Renewing

IP addressing information is leased to a client, and the client is responsible for renewing the lease. By default, DHCP clients try to renew their lease when 50 percent of the lease time has expired. To renew its lease, a DHCP client sends a DHCPRequest message to the DHCP server from which it originally obtained the lease.

The DHCP server automatically renews the lease by responding with a DHCPAck message. This DHCPAck message contains the new lease as well as any DHCP option parameters. This ensures that the DHCP client can update its TCP/IP settings in case the network administrator has updated any settings on the DHCP server. Figure 4.9 illustrates the Renewing state.

Figure 4.9 The Renewing State

Once the DHCP client has renewed its lease, it returns to the Bound state. Renewal messages (DHCPRequest and DHCPAck) are sent by media access control and IP-level unicast traffic.

Rebinding

If the DHCP client is unable to communicate with the DHCP server from which it obtained its lease, and 87.5 percent of its lease time has expired, it will attempt to contact any available DHCP server by broadcasting DHCPRequest messages. Any DHCP server can respond with a DHCPAck message, renewing the lease, or a DHCPNak message, forcing the DHCP client to initialize and restart the lease process. Figure 4.10 shows the Rebinding state.

Figure 4.10 The Rebinding State

If the lease expires or a DHCPNak message is received, the DHCP client must immediately discontinue using its current IP address. If this occurs, communication over TCP/IP stops until a new IP address is obtained by the client.
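As an added example tying sections 11 and 12 together (not from the original page), the following Python model walks a client through the six states above against two constructed DHCP servers: DHCPDiscover from 0.0.0.0 to the broadcast address, the first DHCPOffer accepted and the other server's offer retracted, unicast renewal at 50 percent of the lease, broadcast rebinding at 87.5 percent after the original server disappears, a DHCPNak that sends the client back to Initializing, and a fresh lease from the remaining server. Addresses, MAC address and the 800-second lease are constructed; that a server answers DHCPNak to a request for an address outside its own scope, and that the client takes the first offer it receives, are modelling assumptions of this example, not statements from the page.

```python
from dataclasses import dataclass
from enum import Enum

BROADCAST, UNASSIGNED = "255.255.255.255", "0.0.0.0"
State = Enum("State", "INITIALIZING SELECTING REQUESTING BOUND RENEWING REBINDING")

@dataclass
class Message:
    kind: str                  # DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK / DHCPNAK
    src: str
    dst: str
    client_mac: str
    yiaddr: str = UNASSIGNED   # address offered or assigned to the client
    requested: str = UNASSIGNED
    server_id: str = ""        # offering server; the client echoes it in its DHCPREQUEST
    lease: int = 0             # lease duration in seconds

def renewal_times(lease_seconds):
    return lease_seconds * 0.5, lease_seconds * 0.875   # T1 (renew at 50 %), T2 (rebind at 87.5 %)

class DhcpServer:   # one scope per server: reserve on DISCOVER, lease on REQUEST, NAK foreign addresses (assumption)
    def __init__(self, ip, pool, lease):
        self.ip, self.scope, self.free, self.lease = ip, set(pool), list(pool), lease
        self.offered, self.leases = {}, {}      # mac -> reserved ip ; ip -> mac

    def handle(self, msg):
        if msg.kind == "DHCPDISCOVER" and self.free:
            ip = self.free.pop(0)
            self.offered[msg.client_mac] = ip   # reserved so no other client is offered it
            return Message("DHCPOFFER", self.ip, BROADCAST, msg.client_mac, ip, server_id=self.ip, lease=self.lease)
        if msg.kind != "DHCPREQUEST":
            return None
        if msg.server_id and msg.server_id != self.ip:                # client took another server's offer
            if msg.client_mac in self.offered:
                self.free.append(self.offered.pop(msg.client_mac))   # retract ours: address is available again
            return None
        ip, reply_to = msg.requested, (BROADCAST if msg.src == UNASSIGNED else msg.src)
        if ip not in self.scope or self.leases.get(ip, msg.client_mac) != msg.client_mac:
            return Message("DHCPNAK", self.ip, reply_to, msg.client_mac, server_id=self.ip)
        self.offered.pop(msg.client_mac, None)
        self.free = [a for a in self.free if a != ip]
        self.leases[ip] = msg.client_mac
        return Message("DHCPACK", self.ip, reply_to, msg.client_mac, ip, server_id=self.ip, lease=self.lease)

class DhcpClient:   # client side of the six states; trace records every state entered
    def __init__(self, mac):
        self.mac, self.ip, self.server_id, self.trace = mac, UNASSIGNED, "", []
        self.state, self.t1, self.t2, self.expiry = State.INITIALIZING, 0, 0, 0

    def _go(self, state, ip=None):
        self.state, self.ip = state, (self.ip if ip is None else ip)
        self.trace.append(state.name)

    def discover(self):                         # Initializing -> Selecting: source 0.0.0.0, broadcast
        self._go(State.SELECTING, UNASSIGNED)
        return Message("DHCPDISCOVER", UNASSIGNED, BROADCAST, self.mac)

    def receive(self, msg, now):
        if msg.kind == "DHCPOFFER" and self.state is State.SELECTING:
            self._go(State.REQUESTING)          # first offer wins (assumption); later offers are ignored
            return Message("DHCPREQUEST", UNASSIGNED, BROADCAST, self.mac, requested=msg.yiaddr, server_id=msg.server_id)
        if msg.kind == "DHCPACK" and self.state in (State.REQUESTING, State.RENEWING, State.REBINDING):
            self.server_id, (t1, t2) = msg.server_id, renewal_times(msg.lease)
            self.t1, self.t2, self.expiry = now + t1, now + t2, now + msg.lease
            self._go(State.BOUND, msg.yiaddr)
        elif msg.kind == "DHCPNAK":
            self._go(State.INITIALIZING, UNASSIGNED)   # must restart the whole lease process
        return None

    def tick(self, now):                        # timers: expiry first, then T2 (broadcast), then T1 (unicast)
        if self.state in (State.BOUND, State.RENEWING, State.REBINDING) and now >= self.expiry:
            self._go(State.INITIALIZING, UNASSIGNED)
        elif self.state in (State.BOUND, State.RENEWING) and now >= self.t2:
            self._go(State.REBINDING)
            return Message("DHCPREQUEST", self.ip, BROADCAST, self.mac, requested=self.ip)
        elif self.state is State.BOUND and now >= self.t1:
            self._go(State.RENEWING)
            return Message("DHCPREQUEST", self.ip, self.server_id, self.mac, requested=self.ip)
        return None

def run_scenario():
    """Constructed walk-through: two candidate servers, renewal at T1, rebinding after the lessor vanishes."""
    srv_a, srv_b = DhcpServer("192.0.2.1", ["192.0.2.100"], 800), DhcpServer("192.0.2.2", ["192.0.2.200"], 800)
    servers, client, log = [srv_a, srv_b], DhcpClient("00-11-22-33-44-55"), []

    def exchange(msg, now):                     # deliver one client message plus every reply and follow-up
        pending = [msg]
        while pending:
            out = pending.pop(0)
            log.append(out.kind)
            replies = [srv.handle(out) for srv in servers if out.dst in (BROADCAST, srv.ip)]  # unicast stays private
            for reply in filter(None, replies):
                log.append(reply.kind)
                follow = client.receive(reply, now)
                pending += [follow] if follow else []

    exchange(client.discover(), 0)              # Initializing -> Selecting -> Requesting -> Bound
    first_ip = client.ip
    exchange(client.tick(400), 400)             # T1 (50 %): unicast renewal to srv_a; lease now ends at 1200
    servers.remove(srv_a)                       # the server that issued the lease disappears
    exchange(client.tick(1100), 1100)           # T2 (87.5 %): broadcast rebind; srv_b NAKs the foreign address
    exchange(client.discover(), 1100)           # Initializing again: start over and take srv_b's offer
    return {"first_ip": first_ip, "final_ip": client.ip, "states": client.trace, "messages": log}
```

run_scenario() returns the state trace (Selecting, Requesting, Bound, Renewing, Bound, Rebinding, Initializing, and then the initial sequence again) together with the message sequence on the wire; the retry timers (2, 4, 8 and 16 seconds plus jitter) and the Windows 2000 auto-configuration fallback described in the text are deliberately left out of the model.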

13. What are tombstone objects?

Because of Windows 2000’s and Active Directory’s (AD’s) complex replication, if you simply delete an object, Win2K’s replication algorithm might recreate the object at the next replication interval. Thus, AD marks deleted objects with tombstones.

Win2K deletes tombstone objects 60 days after their original tombstone status setting. To change this default time (which I don’t recommend), modify the tombstone lifetime setting under cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=DomainName.

14. What is Global Catalog and Global Catalog Server?

Domains and forests can also share resources available in Active Directory. These resources are searched by the global catalog across domains and forests, and this search is transparent to the user. For example, if you search for all of the printers in a forest, the query goes to a global catalog server, which returns the results. Without a global catalog server, the query would need to go to every domain in the forest for its result.

It is important to have a global catalog on at least one domain controller because many applications use port 3268 for searching. For example, if you do not have any global catalog servers in your network, the Search command on the Start menu of Windows 2000/2003 cannot locate objects in Active Directory.

The global catalog is a domain controller that contains attributes for every object in Active Directory. By default, only members of the Schema Admins group have rights to change which attributes are stored in the global catalog, according to the organization's requirements.

The global catalog contains:

• The commonly used attributes needed in queries, such as a user's first and last name and logon name.

• All the information or records needed to determine the location of any object in the directory.

• A default subset of attributes for each object type.

• All the access permissions for every object and attribute stored in the global catalog. Without permission you cannot access or view an object: if you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results. These access permissions ensure that users can find only objects to which they have been granted access.

A global catalog server is a domain controller that contains a full, writable replica of its own domain directory partition and a partial, read-only replica of all other domain directory partitions in the forest. Take a user object as an example; by default, user objects have many attributes, such as first name, last name, address, phone number, and more. The global catalog stores only the attributes of user objects that are commonly used in search operations, such as a user's first name, last name, or logon name. This partial attribute set is enough to allow a search for that object to locate the full replica of the object in Active Directory. A search goes first to the local global catalog, which reduces network traffic over the WAN.

Domain Controllers always contain the full attribute list for objects belonging to their domain. If the Domain Controller is also a GC, it will also contain a partial replica of objects from all other domains in the forest.

It is always recommended to have a global catalog server for every Active Directory site in an enterprise network.
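The two points above (the global catalog holds only a partial attribute set, and every site should have a global catalog) can be checked directly. The following is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module and a domain controller that also hosts the global catalog. DC01.corp.example and the user jdoe are placeholder names.

```powershell
# Added example, not part of the original document. Assumes the RSAT
# ActiveDirectory module; DC01.corp.example and jdoe are placeholder names.
Import-Module ActiveDirectory

function Compare-GlobalCatalogAttributes {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DomainController = 'DC01.corp.example'   # assumed GC-enabled DC
    )

    # Port 389: the DC's full, writable replica of its own domain partition.
    $full = Get-ADUser -Identity $SamAccountName -Server $DomainController -Properties *

    # Port 3268: the same object as the global catalog presents it, i.e. only
    # the partial attribute set that is replicated to every GC in the forest.
    $gc = Get-ADUser -Identity $SamAccountName -Server "$($DomainController):3268" -Properties *

    # Attributes the full replica returned that the GC copy did not.
    $notInGc = $full.PropertyNames | Where-Object { $gc.PropertyNames -notcontains $_ }

    [pscustomobject]@{
        DistinguishedName  = $full.DistinguishedName
        FullReplicaAttrs   = $full.PropertyCount
        GlobalCatalogAttrs = $gc.PropertyCount
        NotInGlobalCatalog = ($notInGc | Sort-Object) -join ', '
    }
}

function Get-GlobalCatalogCoverage {
    # One row per site of the current domain; a site with zero GCs sends
    # every port-3268 search across the WAN.
    Get-ADDomainController -Filter * |
        Group-Object -Property Site |
        ForEach-Object {
            [pscustomobject]@{
                Site              = $_.Name
                DomainControllers = $_.Count
                GlobalCatalogs    = @($_.Group | Where-Object IsGlobalCatalog).Count
            }
        }
}

Compare-GlobalCatalogAttributes -SamAccountName 'jdoe' | Format-List
Get-GlobalCatalogCoverage | Format-Table -AutoSize
```

Both queries run with the caller's own permissions, so the attribute lists also reflect what that account is allowed to read, which is the access-permission behaviour described above.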

15. What is Active Directory schema?

The Active Directory data store is the database that holds all the directory information, such as information on users, computers, groups and other objects, and information on the objects which users can access. It also includes other network components. Another name used to refer to the Active Directory data store is the directory. The Active Directory data store or directory is stored on the hard disk of the server in the Ntds.dit file. The file has to be stored on a drive that is formatted with the NTFS file system. The Ntds.dit file is placed in the Ntds folder in the systemroot. When changes are made to the directory, these changes are saved to the Ntds.dit file. Because all the data in Active Directory is stored in one distributed data store, the availability of data is improved. A centralized data store means less duplication, and also needs less administration.

Because domain controllers are used to manage domains, each domain controller within the domain hosts a writable copy of the Active Directory directory. This means that if one domain controller is unavailable, users, computers and programs are still able to access the Active Directory data store hosted on a different domain controller in that domain. When changes are made to the data store on one domain controller, these changes are replicated to the remainder of the domain controllers within the domain. Because of Active Directory replication, domain controllers in a domain remain synchronized with one another. Active Directory replication occurs automatically. Only domain data, configuration data and schema data are replicated.

Information stored in Active Directory is not all placed in the same location. The different locations in which data is stored are called directory partitions. The domain partition holds information about the domain, such as users and resources in the domain. The configuration partition contains information on the Active Directory structure, such as the configuration of the domains, domain trees and forests. The schema partition stores information on object classes and attributes.

16. What are Active Directory Objects?

All information on users, groups, computers, servers and security policies in Active Directory is organized and categorized into different Active Directory objects. An Active Directory object can be defined as a group of attributes that represents a resource in the network. Each object has a unique name or unique identifier called a distinguished name. Objects can also contain other objects; such objects are known as containers. In the Active Directory Users and Computers console, the default object types created in a new domain in Active Directory are:

• Domain, Organizational Unit, User, Computer, Contact, Group, Shared Folder and Shared Printer

17. What are Active Directory Components?

Domains, organizational units (OUs), domain trees and forests are considered logical structures. Sites and domain controllers are considered physical structures.

• Domains are the main logical structure in Active Directory because they contain Active Directory objects. Network objects such as users, printers, shared resources, and more, are all stored in domains. Domains are also security boundaries. Access to objects in the domain is controlled by access control lists (ACLs). You can use the domain functional level to enable additional Active Directory features. You do this by raising the domain functional level of the domain controllers within the domain. In Windows 2000, the domain mode concept was used and not the domain functional level. The domain functional levels that can be specified are Windows 2000 Mixed, Windows 2000 Native, Windows Server 2003 Interim and Windows Server 2003.

• Organizational Unit (OU): An OU is a container that enables you to organize objects such as users, computers and even other OUs in a domain to form a logical administrative group. An OU is the smallest Active Directory component to which you can delegate administrative authority. A domain can have its own unique OU hierarchy.

• Domain Trees: When you group multiple domains into a hierarchical structure by adding child domains to a parent domain, you are basically forming a domain tree. Domains are regarded as being part of the same domain tree when they have a contiguous naming structure. A two-way transitive trust relationship is automatically created between the parent domain and child domains when you create the child domain.

• Forests: A forest is the grouping of multiple domain trees into a hierarchical structure. Domain trees in a forest have a common schema, configuration, and global catalog. Domains within the forest are linked by two-way transitive trust. Through the forest functional level, you can enable additional forest wide Active Directory features. The forest functional levels that can be set are Windows 2000, Windows Server 2003 Interim, and Windows Server 2003.

• Sites: In Active Directory, sites are formed through the grouping of multiple subnets. Sites are typically defined as locations in which network access is highly reliable, fast and not very expensive.

• Domain Controllers (DCs): A domain controller is a server that stores a writable copy of Active Directory. Domain controllers maintain the Active Directory data store. Certain master roles can be assigned to domain controllers within a domain and forest. Domain controllers that are assigned special master roles are called Operations Masters. These domain controllers host a master copy of particular data in Active Directory. They also replicate that data to the remainder of the domain controllers. There are five different types of master roles that can be defined for domain controllers. Two types of master roles, the forestwide master roles, are assigned to one domain controller in a forest. The other three master roles, the domainwide master roles, are applied to a domain controller in every domain.

o The Schema Master is a forestwide master role applied to a domain controller that manages all changes in the Active Directory schema.

o The Domain Naming Master is a forestwide master role applied to a domain controller that manages changes to the forest, such as adding and removing a domain. The domain controller serving this role also manages changes to the domain namespace.

o The Relative ID (RID) Master is a domainwide master role applied to a domain controller that creates unique ID numbers for domain controllers and manages the allocation of these numbers.

o The PDC Emulator is a domainwide master role applied to a domain controller that operates like a Windows NT primary domain controller. This role is typically necessary when there are computers in your environment running pre-Windows 2000 and XP operating systems.

o The Infrastructure Master is a domainwide master role applied to a domain controller that manages changes made to group memberships.

Active Directory Schema

The Active Directory schema defines what types of objects can be stored in Active Directory. It also defines what the attributes of these objects are. The schema is defined by the following two types of schema objects or metadata:

• Schema class objects, also known as schema classes: Define the objects that can be created and stored in Active Directory. The schema attributes store information on the schema class object when you create a new class. A schema class is therefore merely a set of schema attribute objects.

• Schema attribute objects, also known as schema attributes: Schema attributes provide information on object classes. The attributes of an object are also called the object's properties.

Although Active Directory includes a large number of object classes, you can create additional object classes if necessary. These additions are known as extensions to the schema. Extensions can only be performed on the domain controller acting as the Schema Master.

The object classes that can be used on access control lists (ACLs) to protect security objects are User, Computer, and Group. These object classes are called security principals. A security principal has a Security Identifier (SID) which is a unique number. A security principal's SID consists of the security principal's domain and a Relative ID (RID). The RID is a unique suffix.

A few other concepts associated with the Active Directory schema are:

• Class Derivations: Set a way for forming new object classes using existing object classes.

• Schema Rules: The Active Directory directory service implements a set of rules in the Active Directory schema that control the manner in which classes and attributes are utilized, and what values classes and attributes can include. Schema rules are organized into Structure Rules, Syntax Rules, and Content Rules.

• Structure Rules: The structure rule in Active Directory is that an object class can have only specific classes directly on top of it. These specific classes are called Possible Superiors. Structure rules prevent you from placing an object class in an inappropriate container.

• Syntax Rules: These rules define the types of values and ranges allowed for attributes.

• Content Rules dictate what attributes can be associated with a particular class.

Global Catalog

The global catalog is a central information store on the objects in a forest and domain, and is used to improve performance when searching for objects in Active Directory. The first domain controller installed in a domain is designated as the global catalog server by default. The global catalog server stores a full replica of all objects in its host domain, and a partial replica of objects for the remainder of the domains in the forest. The partial replica contains those objects which are frequently searched for. It is generally recommended to configure a global catalog server for each site in a domain. You can use the Active Directory Sites and Services console to set up additional global catalog servers.

Group Policies and Active Directory

Active Directory enables you to perform policy-based administration through Group Policy. Through group policies, you can deploy applications and configure scripts to execute at startup, shutdown, logon, or logoff. You can also implement password security, control certain desktop settings, and redirect folders. When you create a new group policy in Active Directory, the policy is stored as a Group Policy Object (GPO). In Active Directory, you can apply a GPO to a domain, site or Organizational Unit.

Active Directory Object Naming Schemes

Each object in the Active Directory data store must have a unique name. Active Directory supports a number of object naming schemes for naming objects:

• Distinguished name (DN): Each object has a DN. The DN uniquely identifies a particular object and uniquely identifies where the object is stored. The components that make up the DN of an object are:

o CN - common name

o OU - organizational unit

o DC - domain component

• A canonical name is simply another way of presenting the object's DN in a form that is easier to read.

• Relative distinguished name (RDN): The RDN identifies a particular object within a parent container or OU.

• Globally unique identifier (GUID): A GUID is a unique hexadecimal number that is assigned to an object at the time that the object is created. The GUID of an object never changes.

• User principal name (UPN): The UPN is made up of the user account name of the user, and a domain name that identifies the domain that contains the user account.
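The relationship between these naming forms is mechanical, so it can be shown by deriving the RDN, parent container, canonical name and UPN from a DN. This is an added example, not code from the original document; the DN and account name in it are constructed sample values, not objects from any real directory, and the unescaping is deliberately simplified (it handles backslash-escaped characters such as an escaped comma but not hex-pair escapes).

```powershell
# Added example, not part of the original document: derive the other naming
# forms from a distinguished name. The DN and account name used at the bottom
# are constructed sample values.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas that are NOT escaped with a backslash, so that an RDN
    # such as "CN=Doe\, Jane" stays one component (RFC 4514 escaping).
    foreach ($component in [regex]::Split($DistinguishedName, '(?<!\\),')) {
        $sep = $component.IndexOf('=')
        if ($sep -lt 1) { throw "Malformed RDN '$component'" }
        [pscustomobject]@{
            Type  = $component.Substring(0, $sep).Trim().ToUpperInvariant()
            # Simplified unescape: handles \, \+ \" \\ and similar, not \XX hex pairs.
            Value = $component.Substring($sep + 1) -replace '\\(.)', '$1'
        }
    }
}

function Get-NamingForms {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$SamAccountName        # only needed to build the UPN
    )
    $rdns   = @(Split-DistinguishedName -DistinguishedName $DistinguishedName)
    $domain = @($rdns | Where-Object Type -eq 'DC' | ForEach-Object Value) -join '.'

    # The canonical name lists containers from the domain downward, which is
    # the reverse of DN order: domain/OU/.../leaf.
    $path = @($rdns | Where-Object Type -ne 'DC' | ForEach-Object Value)
    [array]::Reverse($path)

    # The parent container is the DN with its first (leftmost) RDN removed.
    $parent = @([regex]::Split($DistinguishedName, '(?<!\\),') | Select-Object -Skip 1) -join ','

    $upn = if ($SamAccountName) { "$SamAccountName@$domain" } else { $null }

    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        RDN               = '{0}={1}' -f $rdns[0].Type, $rdns[0].Value
        ParentContainer   = $parent
        CanonicalName     = (@($domain) + $path) -join '/'
        UserPrincipalName = $upn
        # The GUID is assigned by the directory when the object is created and
        # cannot be derived from the name; it has to be read from the object.
    }
}

# Constructed sample: an escaped comma in the CN and two levels of OU.
Get-NamingForms -DistinguishedName 'CN=Doe\, Jane,OU=Sales,OU=Users,DC=corp,DC=example' -SamAccountName 'jdoe'
```

For the sample DN the function yields the RDN CN=Doe, Jane, the parent container OU=Sales,OU=Users,DC=corp,DC=example, the canonical name corp.example/Users/Sales/Doe, Jane and the UPN jdoe@corp.example, which illustrates why the canonical form reads top-down while the DN reads bottom-up.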

18. What is Active Directory Replication?

In Active Directory, replication ensures that any changes made to a domain controller within a domain are replicated to all the other domain controllers in the domain. Active Directory utilizes multimaster replication to replicate changes in the Active Directory data store to the domain controllers. With multimaster replication, domains are considered peers to one another.

With Windows Server 2003, the Knowledge Consistency Checker (KCC) is used to create a replication topology for the forest, to ensure that changes are replicated efficiently to the domain controllers. A replication topology reflects the physical connections utilized by domain controllers to replicate the Active Directory directory to domain controllers in a site, or in different sites. Intra-site replication occurs when the Active Directory directory is replicated within a site. When replication occurs between sites, it is known as inter-site replication. Since the bandwidth between sites is typically low, information on site link objects is utilized to identify the most favourable link that should be used for moving replication data between sites in Active Directory.

19. What are the different partitions in AD?

Active Directory objects are stored in the Directory Information Tree (DIT) which is broken into the following partitions:

Schema partition - Defines rules for object creation and modification for all objects in the forest. Replicated to all domain controllers in the forest, it is known as an enterprise partition.

Configuration partition - Information about the forest directory structure is defined including trees, domains, domain trust relationships, and sites (TCP/IP subnet group). Replicated to all domain controllers in the forest, it is known as an enterprise partition.

Domain partition - Has complete information about all domain objects (Objects that are part of the domain including OUs, groups, users and others). Replicated only to domain controllers in the same domain.

Partial domain directory partition - Has a list of all objects in the directory with a partial list of attributes for each object.

The DIT holds a subset of Active Directory information and stores enough information to start and run the Active Directory service.
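The partitions listed above, the domain controllers that host them, and the site links used for inter-site replication (see the replication section above) can all be read from the directory. The following is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module and read access to the configuration partition.

```powershell
# Added example, not part of the original document. Assumes the RSAT
# ActiveDirectory module and read access to the configuration partition.
Import-Module ActiveDirectory

function Get-DirectoryPartitionSummary {
    # RootDSE publishes every naming context (partition) the DC knows about.
    $rootDse = Get-ADRootDSE
    [pscustomobject]@{
        Schema        = $rootDse.schemaNamingContext          # forest-wide
        Configuration = $rootDse.configurationNamingContext   # forest-wide
        Domain        = $rootDse.defaultNamingContext         # this domain only
        AllContexts   = $rootDse.namingContexts -join '; '    # also application partitions, e.g. DNS
    }
}

function Get-PartitionHosting {
    # Which DC of the current domain hosts which partitions, in which site, and
    # whether it also carries the global catalog's partial replicas.
    Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            HostName        = $_.HostName
            Site            = $_.Site
            IsGlobalCatalog = $_.IsGlobalCatalog
            Partitions      = $_.Partitions -join '; '
        }
    }
}

function Get-InterSiteReplicationLinks {
    # Site links carry inter-site replication; cost and interval decide which
    # link the KCC prefers when more than one path between sites exists.
    Get-ADReplicationSiteLink -Filter * | ForEach-Object {
        $sites = $_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
        [pscustomobject]@{
            Link        = $_.Name
            Sites       = $sites -join ' <-> '
            Cost        = $_.Cost
            IntervalMin = $_.ReplicationFrequencyInMinutes
        }
    }
}

Get-DirectoryPartitionSummary | Format-List
Get-PartitionHosting | Format-Table -AutoSize
Get-InterSiteReplicationLinks | Format-Table -AutoSize
```

Running the three functions side by side shows the schema and configuration contexts appearing on every DC while the domain context appears only on the DCs of that domain, which is the replication scope the partition list above describes.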

20. What are types of Active Directory Trust Relationships?

In Active Directory, when two domains trust each other or a trust relationship exists between the domains, the users and computers in one domain can access resources residing in the other domain. The trust relationships supported in Windows Server 2003 are summarized below:

• Parent/Child trust: A parent/child trust relationship exists between two domains in Active Directory that have a common contiguous DNS namespace, and who belong to the identical forest. This trust relationship is established when a child domain is created in a domain tree.

• Tree Root trust: A tree root trust relationship can be configured between root domains in the same forest. The root domains do not have a common DNS namespace. This trust relationship is established when a new tree root domain is added to a forest.

• Shortcut trust: This trust relationship can be configured between two domains in different domain trees but within the same forest. Shortcut trust is typically utilized to improve user logon times.

• External trust: External trust relationships are created between an Active Directory domain and a Windows NT4 domain.

• Realm trust: A realm trust relationship exists between an Active Directory domain and a non-Windows Kerberos realm.

• Forest trust: Forest trust can be created between two Active Directory forests.
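A reviewer usually wants the trusts of a domain listed against the categories above, together with the settings that govern what crosses each trust. The following is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module. The classification is inferred from the trust object's attributes: a tree root trust and a shortcut trust cannot be told apart from the trust object alone, so they are reported together.

```powershell
# Added example, not part of the original document. Assumes the RSAT
# ActiveDirectory module and read access to the trusted-domain objects.
Import-Module ActiveDirectory

function Get-TrustReview {
    $local = (Get-ADDomain).DNSRoot.ToLowerInvariant()
    foreach ($t in Get-ADTrust -Filter *) {
        $partner = $t.Name.ToLowerInvariant()
        $kind = if ($t.TrustType -eq 'MIT') {
            'Realm'                                  # non-Windows Kerberos realm
        } elseif ($t.IntraForest) {
            # Contiguous DNS names => parent/child; otherwise tree root or
            # shortcut, which look the same on the trust object.
            if ($partner.EndsWith(".$local") -or $local.EndsWith(".$partner")) { 'Parent/Child' }
            else { 'Tree Root or Shortcut' }
        } elseif ($t.ForestTransitive) {
            'Forest'
        } else {
            'External'                               # includes Windows NT4 domains
        }

        # External trusts are SID-filtered ("quarantined") by default; one that
        # is not deserves a second look by whoever owns the trust.
        $note = if ($kind -eq 'External' -and -not $t.SIDFilteringQuarantined) { 'SID filtering off: review' } else { '' }

        [pscustomobject]@{
            Partner                 = $t.Name
            Kind                    = $kind
            Direction               = $t.Direction       # Inbound, Outbound, BiDirectional
            TrustType               = $t.TrustType       # Uplevel, Downlevel, MIT
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            SelectiveAuthentication = $t.SelectiveAuthentication
            Note                    = $note
        }
    }
}

Get-TrustReview | Sort-Object Kind, Partner | Format-Table -AutoSize
```

Direction is reported from the local domain's point of view, so a one-way trust shows as Inbound on one side and Outbound on the other; run the function in both domains when auditing a trust pair.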

21. In Active Directory, what are the differences between universal, global, and domain local groups?

Domain local, global, and universal are group scopes, which allow you to use groups in different ways to assign permissions. The scope of a group determines from where in the network you can assign permissions to the group.

Domain local groups: Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group.

The domain local scope can contain user accounts, universal groups, and global groups from any domain.

In addition, the scope can both contain and be a member of domain local groups from the same domain.

Global groups: Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created.

A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.

Note: Groups created in the Active Directory at Indiana University should be global groups. Since there is a single ADS Domain at IU, this is the most appropriate group to use.

Universal groups: Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 and later Microsoft NT-based operating systems is available only in native mode. The universal scope can contain user accounts, universal groups, and global groups from any domain. The scope can be a member of domain local or universal groups in any domain.
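The scope rules above are easiest to see when the three scopes are used together for one resource: people are organised in a global group, that group is nested into a universal group and then into a domain local group, and the permission is granted to the domain local group. The following is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module, and the OU, team name and share path are placeholders.

```powershell
# Added example, not part of the original document. Assumes the RSAT
# ActiveDirectory module; OU, team name and share path are placeholders.
Import-Module ActiveDirectory

function New-ScopedAccessChain {
    param(
        [string]$GroupOU   = 'OU=Groups,DC=corp,DC=example',   # assumed container
        [string]$Team      = 'Sales',
        [string]$SharePath = '\\FS01\Sales'                    # assumed existing share
    )
    $domain = Get-ADDomain

    # Global: members come only from this domain; it describes a role.
    $g = New-ADGroup -Name "G-$Team-Staff" -GroupScope Global -GroupCategory Security -Path $GroupOU -PassThru
    # Universal: may contain global groups from any domain in the forest and its
    # membership is published in the global catalog. Requires native mode.
    $u = New-ADGroup -Name "U-$Team-AllDomains" -GroupScope Universal -GroupCategory Security -Path $GroupOU -PassThru
    # Domain local: usable for permissions only inside this domain, but may
    # contain users, global and universal groups from any domain.
    $dl = New-ADGroup -Name "DL-$Team-Share-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU -PassThru

    # Nest according to the scope rules: global -> universal -> domain local.
    Add-ADGroupMember -Identity $u  -Members $g
    Add-ADGroupMember -Identity $dl -Members $u

    # Grant the permission to the domain local group, never to users directly,
    # so membership changes never require touching the ACL.
    $identity = '{0}\{1}' -f $domain.NetBIOSName, $dl.SamAccountName
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $SharePath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $SharePath -AclObject $acl

    [pscustomobject]@{
        Global      = $g.Name
        Universal   = $u.Name
        DomainLocal = $dl.Name
        GrantedTo   = $identity
    }
}

New-ScopedAccessChain -Team 'Sales'
```

Adding a user to G-Sales-Staff is then the only step needed to grant access; the ACL on the share references only the domain local group and stays unchanged.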

22. What are Forward Lookup Zones and Reverse Lookup Zones?

DNS plays an important role in creating an effective Windows 2000 Active Directory (AD) implementation. AD requires DNS and uses it for name resolution and, with the help of a new Resource Record (RR) type called SRV Records, for service location. Because AD relies on DNS for these services, Win2K offers a more scalable and efficient solution than Windows NT 4.0, which uses WINS. A DNS database known as a zone file contains RRs to link host names with their corresponding IP addresses. Win2K DNS supports two kinds of zone files, standard and AD integrated.

Standard Zone Files

Standard zone files are traditional DNS zone files. To use standard zone files, you create a zone on the DNS server that you plan to use to perform DNS database administration. This server becomes the primary zone server where all updates, such as RR additions or deletions, occur. When you create a DNS server to function as a secondary zone server, you specify the name or IP address of the primary zone server that will provide a copy of the zone file. You can use secondary zone servers to provide load balancing and a certain degree of fault tolerance. Secondary zone servers provide only limited fault tolerance: they continue to respond to DNS queries, but they cannot perform any updates because they only have a read-only copy of the zone file. The primary zone server periodically replicates its zone file to the secondary zone server to ensure that the secondary zone server's copy is current. With earlier versions of Microsoft DNS, the primary zone server transfers a full copy of the zone file and overwrites the existing zone file on the secondary zone server. Win2K DNS supports Incremental Zone Transfers, which means that the primary zone server sends only the changes that have occurred to the zone file since the last replication. . . .
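The primary/secondary arrangement described above is set up with the DnsServer module on current Windows Server releases. The following is an added example, not code from the original document; server names, zone name and addresses are placeholders. It also shows the setting a practitioner checks on every primary zone: which hosts are allowed to pull a zone transfer, since a zone that transfers to any server hands out the complete host inventory.

```powershell
# Added example, not part of the original document. Assumes the DnsServer
# module (DNS Server Tools); names, zone and addresses are placeholders.
Import-Module DnsServer

function Get-ZoneTransferPosture {
    param([string]$ComputerName = 'DNS01.corp.example')   # assumed DNS server
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Zone              = $_.ZoneName
                Type              = $_.ZoneType           # Primary, Secondary, Stub, Forwarder
                ADIntegrated      = $_.IsDsIntegrated
                ReverseLookup     = $_.IsReverseLookupZone
                # NoTransfer, TransferAnyServer, TransferToZoneNameServer, TransferToSecureServers
                SecureSecondaries = $_.SecureSecondaries
                SecondaryServers  = ($_.SecondaryServers -join ', ')
            }
        }
}

function New-StandardPrimaryWithSecondary {
    param(
        [string]$Zone            = 'lab.corp.example',    # assumed zone
        [string]$PrimaryServer   = 'DNS01.corp.example',
        [string]$PrimaryIp       = '10.0.0.11',           # assumed address
        [string]$SecondaryServer = 'DNS02.corp.example',
        [string]$SecondaryIp     = '10.0.0.12'            # assumed address
    )
    # Standard (file-backed) primary zone on the server that takes all updates.
    Add-DnsServerPrimaryZone -ComputerName $PrimaryServer -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None

    # Only the named secondary may pull the zone, and it is notified of changes
    # instead of waiting for the SOA refresh interval.
    Set-DnsServerPrimaryZone -ComputerName $PrimaryServer -Name $Zone `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryIp `
        -Notify NotifyServers -NotifyServers $SecondaryIp

    # Read-only copy on the secondary, pulled from the primary's address.
    Add-DnsServerSecondaryZone -ComputerName $SecondaryServer -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $PrimaryIp
}

New-StandardPrimaryWithSecondary
Get-ZoneTransferPosture -ComputerName 'DNS01.corp.example' | Format-Table -AutoSize
```

In the posture report, a primary zone showing TransferAnyServer is the one to follow up on; TransferToSecureServers with an explicit secondary list is the configuration the setup function produces.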

23. What are Operations Master Roles?

Active Directory operates in a multi-master replication manner. What this means is that each domain controller in the domain holds a readable, writable replica of the Active Directory data store. In multi-master replication, any domain controller is able to change objects within Active Directory. Multi-master replication is ideal for the majority of information located in Active Directory. However, certain Active Directory functions or operations are not managed in a multi-master manner because they cannot be shared without causing some data uniformity issues. These functions are called Flexible Single Master Operations (FSMOs).

There are five Operations Master (OM) roles, which are automatically installed on the first domain controller when you install it. Two of these OM roles apply to the entire Active Directory forest: the Schema Master role and the Domain Naming Master role. The other three OM roles apply to each domain: the Relative Identifier (RID) Master role, the Primary Domain Controller (PDC) Emulator role, and the Infrastructure Master role. When a domain controller is assigned a FSMO, that domain controller becomes a role master.

The particular domain controller that is assigned these roles performs single-master replication within the Active Directory environment.

Because domain controllers generally contain the same Active Directory information, when one domain controller is unavailable, the remainder of the domain controllers are able to provide access to Active Directory objects. However, if the domain controller that is lost has one of these OM roles installed, you could find that no new objects can be added to the domain.

24. What are Forest-Wide Operations Master Roles?

Each Forest-wide OM role can exist on only one domain controller in the entire forest. What this means is that these roles have to be unique in the entire forest. The two forest-wide OM roles are:

• Schema Master role: Because the objects that exist in the schema directory partition define the Active Directory structure for a forest, great control is placed on who can add objects to this partition. Since each domain controller in an Active Directory environment has a common schema, the information in the schema has to be consistent on each domain controller. It is the domain controller that is assigned the Schema Master role that controls which objects are added, changed, or removed from the schema. The domain controller with the Schema Master role is the only domain controller in the entire Active Directory forest that can perform any changes to the schema. You can use the Active Directory Schema MMC snap-in to make changes to the schema, and only if you are a member of the Schema Admins group. Any changes made to the schema affect each domain controller within the Active Directory forest. You can transfer the Schema Master role to a different domain controller within the forest. You can also seize the role if the existing domain controller holding the role has failed and cannot be recovered.

• Domain Naming Master role: As is the case with the Schema Master role, only one Domain Naming Master role is allowed in the entire forest. The domain controller that is assigned the Domain Naming Master role is responsible for tracking all the domains within the entire Active Directory forest to ensure that duplicate domain names are not created. The domain controller with the Domain Naming Master role is accessed when new domains are created for a tree or forest. This ensures that domains are not simultaneously created within the forest. The default configuration is that the first domain controller promoted in a forest is assigned this role. You can however transfer the Domain Naming Master role to a different domain controller within the forest.

25. What are Domain-Wide Operations Master Roles?

The three domain-wide OM roles have to be unique in each domain within a forest. What this means is that there should be one of each of these roles in each domain. The three domain-wide OM roles are:

• Relative identifier (RID) Master role: When a security object is created within Active Directory, it is allocated a security ID. The security ID is made up of the domain security ID and a relative ID. The domain security ID is exactly the same for each security ID created in the particular domain. The relative ID on the other hand is unique to each security ID created within the domain. Because each relative ID has to be unique, the domain controller that is assigned the RID Master role is responsible for tracking and for assigning unique relative IDs to domain controllers whenever new objects are created. To ensure efficiency when assigning relative IDs to domain controllers, the domain controller assigned the RID Master role actually generates a set of 500 relative IDs to allocate to domain controllers. As the number of available relative IDs decreases, the RID Master generates more relative IDs to maintain the number of available relative IDs at 500. The default configuration is that the RID Master role and PDC Emulator role are assigned to the same domain controller. You can however transfer the RID Master role to a different domain controller within the domain.

• PDC Emulator role: In domains that contain Windows NT Backup Domain Controllers (BDCs), the domain controller which is assigned the PDC Emulator role functions as the Windows NT Primary Domain Controller (PDC). The PDC Emulator role has importance when it comes to replication – BDCs only replicate from a Primary Domain Controller! Objects that are security principals can only be created and replicated by the PDC Emulator. Security principals are Users, Computers, and Groups. It is therefore the PDC Emulator that enables down-level operating systems to co-exist in Windows 2000 and Windows Server 2003 Active Directory environments. After the domain is operating at the Windows Server 2003 functional level, the domain controller assigned the PDC Emulator role continues to perform other operations for the domain. These additional functions include the following:

o All password changes and account lockout requests are forwarded to the PDC Emulator. A domain controller within a domain checks first with the PDC Emulator to verify whether a bad password provided by a user was a recently changed password, and is therefore a valid password.

o Group policies consist of a Group Policy Container (GPC) in Active Directory, and a Group Policy Template (GPT) in the SYSVOL folder. Because these two items can become out of sync due to multi-master replication, the Group Policy Editor is by default set to the PDC Emulator. This prevents group policy changes from being made on all domain controllers within the domain.

• Infrastructure Master role: The domain controller assigned the Infrastructure Master role has the following functions within the domain:

o Updates the group-to-user references when the members of groups are changed. These updates are sent by the Infrastructure Master to the remainder of the domain controllers within the domain via multi-master replication.

o Deletes any stale or invalid group-to-user references within the domain. To do this, the Infrastructure Master role checks with the Global Catalog for stale group-to-user references.

26. How to Plan the Placement of the FSMOs ?

As mentioned previously, all the OM roles are by default automatically assigned to the first domain controller created for the first domain in a new Active Directory forest. Then, when you create either a root domain of a new tree in a forest, or a new child domain, the three domain-specific OM roles are assigned to the first domain controller in that domain. In cases where a domain has only one domain controller, each domain-specific OM role has to exist on that single domain controller. The two forest-specific OM roles stay on the initial domain controller for the first domain created within the forest.

OM roles are usually transferred to other domain controllers when you need to perform maintenance activities, or load balance the existing load of the domain controllers, or simply move the particular OM role to a better equipped domain controller.

In instances where multiple domain controllers exist for a particular domain, consider the following recommendations when placing your Operations Master roles within the domain:

• Where you have two domain controllers that are direct replication partners and are well-connected, assign the RID Master role, PDC Emulator role and Infrastructure Master role to one domain controller. This particular domain controller would become the OM domain controller for the domain. The remaining domain controller would become the designated standby OM domain controller.

• It is generally recommended to assign the PDC Emulator and RID Master roles to the same domain controller.

• However, if the domain which you are placing FSMO roles for is large in size, consider locating the RID Master role and PDC Emulator role on two different domain controllers. Each of these domain controllers should be well-connected to the domain controller designated as the standby OM domain controller for these two roles. This strategy is usually implemented to reduce the load on the domain controller assigned the PDC Emulator.

• You should place the Schema Master role and the Domain Naming Master role on the same domain controller.

• You should refrain from assigning the Infrastructure Master role to a domain controller that contains the Global Catalog. The domain controller assigned the Infrastructure Master role should be well-connected to the Global Catalog server. The Infrastructure Master would not operate correctly if the Global Catalog is hosted on the identical domain controller.
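The placement recommendations above can be checked against the roles as they are currently assigned. The following is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module and reports on the current domain only. One refinement that the text above does not state, but which Microsoft documents, is built into the check: the Infrastructure Master may sit on a global catalog when every domain controller in the domain is a global catalog, because then there are no cross-domain references left for it to fix.

```powershell
# Added example, not part of the original document. Assumes the RSAT
# ActiveDirectory module; checks the current domain and its forest roles.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest   = Get-ADForest
    $domain   = Get-ADDomain
    $dcs      = @(Get-ADDomainController -Filter *)      # DCs of the current domain
    $findings = New-Object System.Collections.Generic.List[string]

    # Forest-wide roles belong together.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings.Add("Schema Master ($($forest.SchemaMaster)) and Domain Naming Master ($($forest.DomainNamingMaster)) are on different DCs")
    }

    # PDC Emulator and RID Master are normally co-located; splitting them is a
    # deliberate choice for large domains, so it is reported, not condemned.
    if ($domain.PDCEmulator -ne $domain.RIDMaster) {
        $findings.Add("PDC Emulator ($($domain.PDCEmulator)) and RID Master ($($domain.RIDMaster)) are on different DCs")
    }

    # Infrastructure Master on a GC is a problem only while some DCs are not GCs.
    $infra = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($infra -and $infra.IsGlobalCatalog -and -not $allGc) {
        $findings.Add("Infrastructure Master $($infra.HostName) is a GC while other DCs in the domain are not")
    }

    # A role holder that no longer answers is the situation that leads to a
    # transfer (if it is coming back) or a seize (if it is not).
    $holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
                 $domain.RIDMaster, $domain.PDCEmulator, $domain.InfrastructureMaster) | Select-Object -Unique
    foreach ($holder in $holders) {
        if (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
            $findings.Add("Role holder $holder did not respond to ping")
        }
    }

    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
        Findings             = $findings
    }
}

Test-FsmoPlacement | Format-List
```

An empty Findings list means the current assignment matches the recommendations above; each entry names the role holders involved so the finding can be acted on without a second lookup.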

27. How to Manage Operations Master Roles?

Since only one or a few domain controllers are assigned the Operations Master roles, it is important that these specific domain controllers remain functioning in the Active Directory environment. There are essentially two processes involved in the management of FSMOs. These management tasks are outlined below:

• Because the FSMOs are automatically created when the first domain controller is installed, you might need to transfer OM roles to a more robust server. You would also need to transfer OM roles to a different server before demoting the domain controller hosting them.

• When a lost domain controller cannot be recovered, you need to seize any OM roles assigned to that domain controller.

Transferring an Operations Master role involves moving it from one server to a different server. To transfer the Schema Master role, you need to have Schema Admins rights, and to transfer the Domain Naming Master role, you need to have Enterprise Admins rights.

You can use an Active Directory console or a command-line utility to transfer OM roles. The Active Directory MMC consoles that can be utilized to transfer the different FSMOs are outlined below:

• Active Directory Schema MMC snap-in: For transferring the Schema Master role

• Active Directory Domains and Trusts console: For transferring the Domain Naming Master role

• Active Directory Users and Computers console: For transferring the RID Master role, PDC Emulator role, and Infrastructure Master role.

When you seize an OM role, you do it without the cooperation of the existing domain controller that is assigned the particular OM role. When an OM role is seized, it is basically reassigned to a different domain controller. Before you attempt to seize any OM roles, first try to determine the reason for the failure of the existing domain controller which is assigned the particular OM role. Certain network issues which are likely to be corrected in short time frames are well worth enduring. Before you seize OM roles, first ensure that the domain controller you are planning to shift these roles to is indeed powerful enough to uphold these roles. In summary, you should only seize an OM role if the existing OM cannot be recovered. You would need to use the Ntdsutil command-line tool to seize OM roles.
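Besides the MMC consoles and Ntdsutil described above, the ActiveDirectory module can perform both operations with one cmdlet, where the difference between a transfer and a seize is a single switch. The following is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module, and DC02 is a placeholder for the target domain controller. The rights needed are the ones stated above (Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master).

```powershell
# Added example, not part of the original document. Assumes the RSAT
# ActiveDirectory module; DC02 is a placeholder target domain controller.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize      # only when the current holder is gone for good
    )
    $target = Get-ADDomainController -Identity $TargetDC

    # A transfer needs the current holder online and cooperating. -Force turns
    # the same call into a seize, which rewrites the role owner on the target
    # without the old holder's involvement.
    if ($Seize) {
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Force -Confirm:$false
    } else {
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Confirm:$false
    }

    # Read the holders back so the caller sees the resulting state rather than
    # trusting that the call did what was intended.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Planned transfer of the two forest-wide roles to DC02 before maintenance.
Move-FsmoRole -TargetDC 'DC02' -Role SchemaMaster, DomainNamingMaster

# Seize only after the holder has been declared unrecoverable. A seized holder
# must not be returned to the network; its metadata is cleaned up instead.
# Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator -Seize
```

The seize call is left commented out on purpose: it is the step to run only after the checks described above (the failure is permanent and the target is adequately sized) have been completed.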

The Consequences of FSMOs Failing

The following section looks at what actually happens when each FSMO role fails:

• A Schema Master failure is basically only evident when an Administrator attempts to change the Active Directory schema. What this means is that a Schema Master failure is invisible to your standard network users. You should only seize this role to the domain controller designated as the standby schema master if the existing Schema Master can in fact never be recovered.

• As is the case with a Schema Master failure, Domain Naming Master failure is only evident if an Administrator is attempting to add a domain to the forest, or remove a domain from the forest. A Domain Naming Master failure can generally not be perceived by your standard network users. You should only seize this role to the domain controller designated as its standby when the existing Domain Naming Master would never be operational again.

• A RID Master failure is only evident to Administrators if they are attempting to add new Active Directory objects in the particular domain where the RID Master failed. When this happens, the RID Master is unable to allocate relative IDs to the domain controllers on which the new Active Directory objects are being created. A RID Master failure cannot be detected by your conventional network users. You should also generally only seize this OM role when the existing domain controller assigned with the RID Master role would never recover from the failure.

• An Infrastructure Master failure is also not visible to your standard network users. The failure only affects Administrators who are attempting to move or rename user accounts. Consider moving the role to the designated standby domain controller if the existing Infrastructure Master is going to be unavailable for an extended period of time and there are pending changes that need to be made.

• Unlike the OM role failures previously described that are not evident to your standard network users, a PDC Emulator failure does impact network users. It is important to immediately seize this role to its designated standby domain controller if the domain contains any Windows NT backup domain controllers. You can always return this role to its previous domain controller when it is recovered and online again.

28. How to view the existing Schema Master role assignment?

1. Open a command prompt, and enter regsvr32 schmmgmt.dll to register the schmmgmt.dll on the computer.

2. Click Start, Run, and enter mmc in the Run dialog box. Click OK.

3. From the File menu, select Add/Remove Snap-in and then select Add.

4. In the list of available snap-ins, double-click Active Directory Schema.

5. Click Close. Click OK.

6. Open the Active Directory Schema snap-in.

7. In the console tree, right-click Active Directory Schema and select Operations Masters from the shortcut menu.

8. The Change Schema Master dialog box opens.

9. You can view the name of the existing Schema Master in the Current Schema Master (Online) box.

10. Click Close.

29. How to view the existing Domain Naming Master role assignment?

1. Open the Active Directory Domains And Trusts console from the Administrative Tools menu.

2. In the console tree, right-click Active Directory Domains And Trusts and select Operations Masters from the shortcut menu.

3. The Change Operations Master dialog box opens.

4. You can view the name of the existing Domain Naming Master in the Domain Naming Operations Master box.

5. Click Close.

30. How to view the existing RID Master role, PDC Emulator, and Infrastructure Master role assignments?

1. Open the Active Directory Users And Computers console from the Administrative Tools menu.

2. In the console tree, right-click Active Directory Users And Computers and click All Tasks, and then Operations Masters from the shortcut menu.

3. The Operations Masters dialog box contains the following tabs:

o RID tab: The name of the existing RID Master is displayed in the Operations Master box of this tab.

o PDC tab: In the Operations Master box of the PDC tab, you can view the name of the existing PDC Emulator.

o Infrastructure tab: The existing Infrastructure Master's name is displayed in the Operations Master box.

4. Click Close.

31. How to transfer the Schema Master role to another domain controller?

Before you can transfer the Schema Master role to another domain controller, ensure that you have the required Schema Admins rights, and that both domain controllers you are planning to work with are available. Before you can use the Active Directory Schema MMC snap-in, you first have to add it to an MMC.

To add the Active Directory Schema snap-in to an MMC:

1. Open a command prompt, and enter regsvr32 schmmgmt.dll to register the schmmgmt.dll on the computer.

2. Click Start, Run, and enter mmc in the Run dialog box. Click OK.

3. From the File menu, select Add/Remove Snap-in and then select Add.

4. In the list of available snap-ins, double-click Active Directory Schema.

5. Click Close. Click OK.

To transfer the Schema Master role:

1. Open the Active Directory Schema snap-in.

2. Right-click Active Directory Schema in the console tree, and select Change Domain Controller from the shortcut menu.

3. The options available when the Change Domain Controller dialog box opens are

o Any DC: If this option is selected, Active Directory will select a new domain controller for the Schema Master role.

o Specify Name: If this option is enabled, you have to enter the name of the new location for the Schema Master Role.

4. Click OK.

5. Right-click Active Directory Schema in the console tree again, and choose Operations Master from the shortcut menu.

6. When the Change Schema Master dialog box opens, click Change.

7. Click OK when a message appears prompting for verification of the OM role transfer you want to perform.

8. Click OK to exit the Change Schema Master dialog box.

32. How to transfer the Domain Naming Master role to another domain controller?

You have to be a member of the Enterprise Admin group to transfer the Domain Naming Master role to another domain controller.

1. Open the Active Directory Domains And Trusts console from the Administrative Tools menu.

2. In the console tree, right-click Active Directory Domains And Trusts and select Connect To Domain Controller from the shortcut menu.

3. The Connect To Domain Controller dialog box opens. This is where you specify the name of the new domain controller that should be assigned the Domain Naming Master role.

4. Click OK.

5. In the console tree, right-click Active Directory Domains And Trusts and select Operations Masters from the shortcut menu.

6. When the Change Operations Master dialog box opens, click Change.

7. Click Close.

33. How to transfer the RID Master role, PDC Emulator role, or Infrastructure Master role to another domain controller?

1. Open the Active Directory Users And Computers console from the Administrative Tools menu.

2. In the console tree, right-click Active Directory Users And Computers and click Connect To Domain from the shortcut menu.

3. When the Connect To Domain dialog box opens, enter the domain name that you want to work with.

4. Click OK.

5. In the console tree, right-click Active Directory Users And Computers and click Connect To Domain Controller from the shortcut menu.

6. When the Connect To Domain Controller dialog box opens, specify the new domain controller for the OM role that you are transferring.

7. Click OK.

8. In the console tree, right-click Active Directory Users And Computers and click All Tasks, and then click Operations Masters from the shortcut menu.

9. The Operations Masters dialog box opens. On one of the following tabs:

o RID tab: Click Change to change the location of the RID Master.

o PDC tab: Click Change to change the location of the PDC Emulator.

o Infrastructure tab: Click Change to change the location of the Infrastructure Master.

10. Click Yes to verify that you want to transfer the particular OM role to a different domain controller.

11. Click OK. Click Close.

34. How to seize an Operations Master role?

When you seize an OM role, you need to perform the following tasks:

• Verify that the new domain controller for the role is completely up to date with the changes performed on the existing holder of that role. You can use the Replication Diagnostics command-line utility (Repadmin.exe) for this verification; it is included with the Windows Support Tools on the Windows Server 2003 CD-ROM.

• Use the Ntdsutil tool to seize the particular OM role. Ntdsutil first attempts to transfer the role before it actually proceeds to seize it.

If you need to seize the PDC Emulator or Infrastructure Master role, you can use the Active Directory Users and Computers console. Ntdsutil must be used, however, to seize the other FSMOs: the Schema Master, Domain Naming Master, and RID Master roles. You can also use Ntdsutil to seize the PDC Emulator or Infrastructure Master role.

To seize the PDC Emulator or Infrastructure Master role using the Active Directory Users and Computers console:

1. Open the Active Directory Users and Computers console.

2. In the console tree, right-click the domain object, and choose Connect to Domain Controller from the shortcut menu.

3. Enter the name of the other domain controller. Click OK.

4. To perform the seizure of the role, right-click the domain object and choose Operations Masters from the shortcut menu.

5. Click either the PDC tab or the Infrastructure tab.

6. You will notice that the particular OM role is indicated as being offline.

7. Click Change.

8. Click OK to verify that you want to transfer the OM role.

9. Click Yes when prompted to verify that you want to perform a forced transfer.

To seize any OM role using the Ntdsutil tool:

1. Click Start, Command Prompt.

2. Enter the following at the command prompt: ntdsutil. Press Enter.

3. Enter the following at the ntdsutil prompt: roles. Press Enter.

4. Enter the following at the fsmo maintenance prompt: connections. Press Enter.

5. Enter the following at the server connections prompt: connect to server, followed by the fully qualified domain name (FQDN) of the domain controller that is to receive the role. Press Enter.

6. Enter the following at the server connections prompt: quit. Press Enter.

7. Enter one of the following at the fsmo maintenance prompt:

o seize schema master. Press Enter.

o seize domain naming master. Press Enter.

o seize RID master. Press Enter.

o seize PDC. Press Enter.

o seize infrastructure master. Press Enter.

8. Enter quit at the fsmo maintenance prompt. Press Enter.

9. Enter quit at the ntdsutil prompt. Press Enter.
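The role-holder lookup of questions 28 to 30 and the transfer and seizure procedures above, done with the ActiveDirectory PowerShell module instead of the MMC consoles and Ntdsutil. This is an added example, not part of the original page: it assumes the ActiveDirectory module and Test-NetConnection (Windows Server 2012 / RSAT or later, so newer tooling than the Windows Server 2003 consoles the page describes), an account with the rights the page names for each role, and a hypothetical target domain controller called DC02.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory
# module; DC02 is a placeholder name for the domain controller receiving a role.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # One object per operations master role and the DC that currently holds it.
    # Forest-wide roles are read from the forest, domain-wide roles from the domain,
    # which is the same split as the Operations Masters dialogs on the page.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @(
        [pscustomobject]@{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
        [pscustomobject]@{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
        [pscustomobject]@{ Role = 'RIDMaster';            Holder = $domain.RIDMaster }
        [pscustomobject]@{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    )
}

function Test-FsmoHolder {
    # Adds an Online flag: the holder answers LDAP on TCP 389. A holder that is
    # online should be transferred from, never seized.
    foreach ($r in Get-FsmoHolder) {
        $online = Test-NetConnection -ComputerName $r.Holder -Port 389 `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $r.Role; Holder = $r.Holder; Online = $online }
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Target,    # DC that will receive the role(s)
        [Parameter(Mandatory)][string[]]$Role,    # e.g. 'PDCEmulator','RIDMaster'
        [switch]$Seize                            # only when the holder cannot be recovered
    )
    if ($Seize) {
        # The page's precondition for a seizure: the new holder must be fully
        # replicated. Show its inbound replication status first (repadmin /showrepl).
        repadmin /showrepl $Target
        # -Force makes the cmdlet seize the role when a cooperative transfer fails.
        # After seizing the Schema, Domain Naming or RID Master, the former holder
        # must not be returned to the network without being reinstalled.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target `
            -OperationMasterRole $Role -Force -Confirm:$false
    } else {
        # Cooperative transfer: both the current holder and the target must be online.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target `
            -OperationMasterRole $Role -Confirm:$false
    }
}

# Example run (DC02 is a placeholder):
Test-FsmoHolder | Format-Table -AutoSize
# Move-FsmoRole -Target 'DC02' -Role PDCEmulator,InfrastructureMaster   # transfer
# Move-FsmoRole -Target 'DC02' -Role SchemaMaster -Seize                 # last resort
```

Run Test-FsmoHolder again after the move; the Holder column is the same information the Operations Masters dialogs display.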

35. How to perform a metadata cleanup?

The class objects and attribute objects of the schema are referred to as metadata. A metadata cleanup is usually performed when you are unable to restore a failed domain controller. The cleanup removes any references to the failed domain controller in Active Directory.

To perform the metadata cleanup:

1. From the command prompt, enter ntdsutil and press Enter.

2. Enter the following at the ntdsutil prompt: metadata cleanup. Press Enter.

3. Enter the following at the metadata cleanup prompt: connections. Press Enter.

4. Enter the following at the server connections prompt: connect to server, followed by the server name. Press Enter.

5. Enter quit, and press Enter.

6. Enter the following at the metadata cleanup prompt: select operation target. Press Enter.

7. Enter list domains. Press Enter.

8. Enter select domain, followed by the number of the domain that holds the server that you want to remove. Press Enter.

9. Enter list sites. Press Enter.

10. Enter select site, followed by the number of the site that holds the server that you want to remove. Press Enter.

11. Enter list servers in site. Press Enter.

12. Enter select server, followed by the number of the server that you want to remove. Press Enter.

13. Enter quit and press Enter to return to the metadata cleanup prompt.

14. Enter remove selected server, and press Enter.

15. When a message box appears prompting you to verify whether the server should be removed, click Yes.

16. Quit from Ntdsutil.

36. What is "tattooing" the Registry?

The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.

37. What’s the major difference between FAT and NTFS on a local machine?

FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.

38. What is LSDOU?

It is the Group Policy inheritance model, in which policies are applied in the order Local machine, Sites, Domains, and Organizational Units.

40. What is the boot process of a computer?

As soon as the CPU is turned on, it initializes itself and looks to the ROM BIOS for the first instruction, which is the Power On Self-Test (POST). This process checks the BIOS chip and then the CMOS RAM. After checking everything and detecting no power failure, it checks the hardware devices and the storage devices. Then the CMOS looks through the boot sequence of drives to find the OS. The boot sequence is the order of drives that the CMOS scans to find the OS and load it. Generally, the OS is stored on the C drive. If it is not found there, the next drive to scan is the A drive, that is, the floppy drive. On finding the OS, it is loaded: its files are copied to main memory by the BIOS, and from here the OS takes charge of the boot process (loading device drivers, and so on).

41. What do you mean by deadlock?

Deadlock is a situation where a group of processes are all blocked and none of them can become unblocked until one of the others becomes unblocked.

The simplest deadlock is two processes each of which is waiting for a message from the other.

42. What is Distributed File System?

DFS, or the Distributed File System, was a feature originally found in the NT 4 product but underutilized. The distributed file system allows you to organize shared folders on the network into a single logical hierarchy, while maintaining data on different physical servers. To the user, data which is actually distributed appears to fall under an organized, structured hierarchy. This allows you to manipulate not only how users see the data (you can use different share names for existing folders), but also how they access it (you can create whatever hierarchy will best suit the needs of the users). For example, data might be physically distributed as outlined below:

• Sales data files: \\server13\salesdata

• Sales quota files: \\server2\s-quotainfo

• Sales report files: \\server1\rpt

Using DFS, we could create a DFS root called Sales using an empty shared folder on Server1 called Sales, and create the following hierarchy:

\\Server1\Sales

\Data

\Quotas

\Reports

We would simply map a drive for users to the Sales folder on Server1, and they would automatically be redirected to the appropriate folder on the appropriate server as they accessed the subfolders. Note that DFS maintains and does not change any of the permissions associated with the actual folders. Whatever level of access users had to the folders before DFS will be the same level of access after DFS has been configured.

In Windows 2000, two types of DFS structures exist – standalone DFS and domain-based DFS. Note that while a domain can host multiple DFS roots, any server can host only a single DFS root, regardless of type (stand-alone or domain-based).

Standalone DFS structures can be created on any server running Windows 2000 with DFS installed (it is installed by default). With standalone DFS, Active Directory is not required. Creating a DFS structure begins with a server hosting the ‘root’ of DFS. This is the shared folder that clients connect to first. With standalone DFS, this root can only be hosted on a single server. As such, if this server fails, users will not be able to gain access to the DFS tree (of course, they will still be able to access resources that exist on other physical servers if they know the location of those folders). Standalone DFS does not support replicas of the root, although you can configure replicas of folders beneath the root. This allows users to be load-balanced between folders that exist on different servers but contain identical information. Note that in a standalone DFS setup, the replication of data between replicas does not happen automatically – you must make replication happen between the replicas yourself (using a tool such as Robocopy, for instance).

Domain-based DFS takes advantage of Active Directory by storing DFS topology information in Active Directory. This type of DFS supports root replicas, which provide both load-balancing and fault-tolerance. For example, if multiple root replicas were created and a replica is taken offline, a user can still access the DFS structure, simply by being redirected to another replica. On top of this, replicas of shared folders can also be created, and replication can take place automatically using the File Replication Service (FRS) – up to 32 replicas are supported. In the case of domain-based DFS, the root points not to a server but to the domain – an example of a DFS root might be \\win2000trainer.com\dfsroot. Using site information stored in Active Directory, a user attempting to access the DFS root would be redirected to the root replica in their own site, for example, instead of accessing the root over the WAN. Note that in order to access domain-based DFS, a client running Windows 9x or Windows NT 4 needs to have the Active Directory client software installed.

43. What are the domain functional levels in Windows Server 2003?

Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to activate new Active Directory features after all the domain controllers in the domain or forest are running the Windows Server 2003 operating system.

When a computer that is running Windows Server 2003 is installed and promoted to a domain controller, new Active Directory features are activated by the Windows Server 2003 operating system over its Windows 2000 counterparts. Additional Active Directory features are available when all domain controllers in a domain or forest are running Windows Server 2003 and the administrator activates the corresponding functional level in the domain or forest.

To activate the new domain features, all domain controllers in the domain must be running Windows Server 2003. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2003. To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2003, and the current forest functional level must be at Windows 2000 native or Windows Server 2003 domain level. After this requirement is met, the administrator can raise the forest functional level. Note: Network clients can authenticate or access resources in the domain or forest without being affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the way that domain controllers interact with each other.

When the first Windows Server 2003–based domain controller is deployed in a domain or forest, a set of default Active Directory features becomes available. The following list summarizes the Active Directory features (feature: functionality) that are available by default on any domain controller running Windows Server 2003:

• Multiple selection of user objects: Allows you to modify common attributes of multiple user objects at one time.

• Drag and drop functionality: Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.

• Efficient search capabilities: Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.

• Saved queries: Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers.

• Active Directory command-line tools: Allows you to run new directory service commands for administration scenarios.

• InetOrgPerson class: The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class.

• Application directory partitions: Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.

• Ability to add additional domain controllers by using backup media: Reduces the time it takes to add an additional domain controller in an existing domain by using backup media.

• Universal group membership caching: Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller.

• Secure Lightweight Directory Access Protocol (LDAP) traffic: Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.

• Partial synchronization of the global catalog: Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog.

• Active Directory quotas: Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators groups are exempt from quotas.

When the first Windows Server 2003–based domain controller is deployed in a domain or forest, the domain or forest operates by default at the lowest functional level that is possible in that environment. This allows you to take advantage of the default Active Directory features while running versions of Windows earlier than Windows Server 2003.

When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example, the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can operate in that domain or forest.

If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional level as well.

Domain Functional Level

Domain functionality activates features that affect the whole domain and that domain only. The four domain functional levels, their corresponding features, and supported domain controllers are as follows:

Windows 2000 mixed (Default)

• Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003

• Activated features: local and global groups, global catalog support

Windows 2000 native

• Supported domain controllers: Windows 2000, Windows Server 2003

• Activated features: group nesting, universal groups, SidHistory, converting groups between security groups and distribution groups; you can raise domain levels by increasing the forest level settings.

Windows Server 2003 interim

• Supported domain controllers: Windows NT 4.0, Windows Server 2003

• Supported features: There are no domain-wide features activated at this level. All domains in a forest are automatically raised to this level when the forest level increases to interim. This mode is only used when you upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003 domain controllers.

Windows Server 2003

• Supported domain controllers: Windows Server 2003

• Supported features: domain controller rename; logon timestamp attribute updated and replicated; user password support on the InetOrgPerson objectClass; constrained delegation; you can redirect the Users and Computers containers.

Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 domains maintain their current domain functional level when Windows 2000 domain controllers are upgraded to the Windows Server 2003 operating system. You can raise the domain functional level to either Windows 2000 native or Windows Server 2003.

After the domain functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added to that domain.

The list above describes each domain functional level and the domain-wide features that are activated for that level. Note that with each successive level increase, the feature set of the previous level is included.

Forest Functional Level

Forest functionality activates features across all the domains in your forest. Three forest functional levels, the corresponding features, and their supported domain controllers are listed below.

Windows 2000 (default)

• Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003

• New features: Partial list includes universal group caching, application partitions, install from media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access Control Lists (SACL) in the Jet Database Engine, improved topology generation event logging, and no global catalog full sync when attributes are added to the partial attribute set (PAS). A Windows Server 2003 domain controller assumes the Intersite Topology Generator (ISTG) role.

Windows Server 2003 interim

• Supported domain controllers: Windows NT 4.0, Windows Server 2003.

• Activated features: Windows 2000 features plus efficient group member replication using Linked Value Replication, improved replication topology generation, and ISTG aliveness no longer replicated. Attributes added to the global catalog: ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit.

Windows Server 2003

• Supported domain controllers: Windows Server 2003

• Activated features: all features in Interim Level, Defunct schema objects, Cross Forest Trust, Domain Rename, Dynamic auxiliary classes, InetOrgPerson objectClass change, Application Groups, 15-second intrasite replication frequency for Windows Server 2003 domain controllers upgraded from Windows 2000

After the forest functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the forest. For example, if you raise forest functional levels to Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server cannot be added to the forest.

44. How we can raise domain functional & forest functional level in Windows Server 2003?

To raise the domain functional level, you must be a member of the Domain Administrators group.

In order to raise the Domain Functional Level:

1. Log on to the PDC of the domain with domain administrator credentials.

2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers (you can also perform this action from the Active Directory Domains and Trusts snap-in).

3. In the console tree, right-click the domain node and then click Raise Domain Functional Level.

4. Under Select an available domain functional level, do one of the following:

o Click Windows 2000 native, and then click Raise to raise the domain functional level to Windows 2000 native.

o Click Windows Server 2003, and then click Raise to raise the domain functional level to Windows Server 2003.

5. Read the warning message, and if you wish to perform the action, click OK.

You will receive an acknowledgement message telling you that the operation was completed successfully. Click OK.

You can check the functional level by performing step 3 again and viewing the current functional level.

To raise the forest functional level, you must be a member of the Enterprise Admins group.

In order to raise the Forest Functional Level:

1. Log on to the PDC of the forest root domain with a user account that is a member of the Enterprise Administrators group.

2. Open Active Directory Domains and Trusts, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

4. Under Select an available forest functional level, click Windows Server 2003, and then click Raise to raise the forest functional level to Windows Server 2003.

5. Read the warning message, and if you wish to perform the action, click OK.

6. You will receive an acknowledgement message telling you that the operation was completed successfully. Click OK.

7. You can check the functional level by performing step 3 again and viewing the current functional level.
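The check a practitioner wants before raising a level, because the change is one-way: confirm that every domain controller already runs Windows Server 2003 or later, and only then raise the level. This is an added example, not part of the original page; it uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later, newer tooling than the Windows Server 2003 consoles in the steps above) and assumes the account holds the Domain Admins or Enterprise Admins rights the page names.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory
# module. Raising a functional level cannot be undone, so the version check
# always runs before Set-ADDomainMode / Set-ADForestMode.
Import-Module ActiveDirectory

function Get-DomainControllerBelowVersion {
    # Returns every DC in the given domains whose OS is older than $Minimum.
    # Windows Server 2003 reports OperatingSystemVersion '5.2 (3790)', Windows
    # 2000 reports '5.0 (2195)'; the page's rule for the Windows Server 2003
    # level is that no DC may be older than 5.2.
    param(
        [string[]]$Domain,
        [version]$Minimum = '5.2'
    )
    foreach ($d in $Domain) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $d) {
            $raw = $dc.OperatingSystemVersion
            # Missing version data is treated as "too old" rather than ignored.
            $ver = if ($raw) { [version](($raw -split ' ')[0]) } else { [version]'0.0' }
            if ($ver -lt $Minimum) {
                [pscustomobject]@{
                    Domain          = $d
                    HostName        = $dc.HostName
                    OperatingSystem = $dc.OperatingSystem
                    Version         = $ver
                }
            }
        }
    }
}

function Set-FunctionalLevelChecked {
    # Scope 'Domain' raises the current domain (Domain Admins rights);
    # 'Forest' raises the forest (Enterprise Admins rights) and therefore
    # checks the domain controllers of every domain in the forest.
    param([ValidateSet('Domain', 'Forest')][string]$Scope = 'Domain')

    $domains = if ($Scope -eq 'Forest') { (Get-ADForest).Domains } else { @((Get-ADDomain).DNSRoot) }
    $tooOld = @(Get-DomainControllerBelowVersion -Domain $domains)
    if ($tooOld.Count -gt 0) {
        Write-Warning "Not raising the $Scope functional level; these domain controllers are too old:"
        $tooOld | Format-Table -AutoSize | Out-String | Write-Warning
        return $null
    }
    if ($Scope -eq 'Domain') {
        Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2003Domain -Confirm:$false
        return (Get-ADDomain).DomainMode      # re-read the level, as the last step above does
    } else {
        Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2003Forest -Confirm:$false
        return (Get-ADForest).ForestMode
    }
}

# Set-FunctionalLevelChecked -Scope Domain
# Set-FunctionalLevelChecked -Scope Forest
```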

45. Which is the default protocol used in directory services?

LDAP

46. What is multimaster replication?

In a Windows 2000 (and later) domain, all domain controllers (DCs) are equal: you can make changes on any DC, and the DCs keep their copies of the directory consistent with one another through multimaster replication.

Each DC keeps its own update sequence number (USN), a 64-bit counter. Each time a change is written to Active Directory (AD) on a DC, that DC's USN increments and the new USN is stored with the change. These changes must replicate to all the DCs in the domain, and the USN is the key to how multimaster replication tracks them.

The USN increment and the change itself are committed as one atomic transaction: either both happen or neither does.

Because no change can be written without the USN advancing, changes cannot be lost. Each DC keeps track of the highest USN it has received from each DC it replicates with (its high-watermark table). That lets a DC calculate which changes it still needs on the next replication cycle.

At the start of a replication cycle, each server checks its USN table and queries the DCs it replicates with for their latest USNs. Below is an example USN table for Server A: the highest USN it has already received from each partner.

    Partner                Highest USN already received by A
    Domain Controller B    54
    Domain Controller C    23
    Domain Controller D    53

Server A queries the DCs for their current USNs and gets the following information.

    Partner                Current USN reported
    Domain Controller B    58
    Domain Controller C    23
    Domain Controller D    64

From this information, Server A can calculate the changes it needs from each server, as follows.

    Partner                USNs to fetch
    Domain Controller B    55-58
    Domain Controller C    none
    Domain Controller D    54-64

Server A then queries each DC for the necessary changes.

Multiple changes to the same attribute of an object can occur on different DCs. Every attribute carries a property version number, which is what makes collisions detectable. Property version numbers work like USNs: each time you modify an attribute, its version number increases by one.

When the same attribute is modified on several DCs, the change with the highest property version number wins. A collision occurs when two or more updates to an attribute carry the same version number; then the originating timestamp resolves the conflict, and the latest write wins. Because every change carries a timestamp, the DCs' clocks must be kept in sync with one another. In the unlikely event that both the version numbers and the timestamps match, a binary comparison of the originating DCs' GUIDs decides, and the higher value wins. Property version numbers increase only on originating writes (not on replicated writes, as USNs do) and are not server specific: the version number travels with the attribute.

A propagation-dampening scheme prevents the same change from being sent to a server repeatedly. Each server keeps an up-to-date vector: for every DC in the replica set, the highest originating-write USN it has already applied from that DC. DCs exchange this vector along with their USNs, so a DC can tell whether it already holds the change a partner is about to send and skip it.
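To make the USN arithmetic, the conflict rules and the up-to-date vector above concrete, here is an added Python simulation. It is not code from the original page and is not how AD itself is implemented: DC names stand in for GUIDs, USNs start at zero, the inbound check assumes changes from one origin arrive in USN order, and the final tiebreak is implemented as a comparison of the originating DC identifier (an assumption; the page describes a buffer comparison).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttrWrite:
    attr: str
    value: str
    version: int      # property version number: bumps only on originating writes
    timestamp: int    # originating write time; DC clocks must be in sync
    origin_dc: str    # identifier of the DC where the write originated (GUID in AD)
    origin_usn: int   # USN the originating DC assigned to the write


def changes_needed(last_seen: dict, current: dict) -> dict:
    """High-watermark calculation from the page's example.

    last_seen: highest USN Server A has already pulled from each partner.
    current:   USN each partner reports now. Returns the inclusive USN range
    still to fetch from each partner, or None when nothing is outstanding."""
    return {dc: ((last_seen.get(dc, 0) + 1, hi) if hi > last_seen.get(dc, 0) else None)
            for dc, hi in current.items()}


def resolve(a: AttrWrite, b: AttrWrite) -> AttrWrite:
    """Winning write for one attribute: highest version, then latest timestamp,
    then (assumption) the higher originating-DC identifier."""
    return max(a, b, key=lambda w: (w.version, w.timestamp, w.origin_dc))


class DC:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0      # local USN: grows on originating AND replicated writes
        self.utd = {}     # up-to-date vector: origin DC -> highest originating USN applied
        self.attrs = {}   # attribute -> winning AttrWrite

    def originate(self, attr: str, value: str, timestamp: int) -> AttrWrite:
        self.usn += 1
        prev = self.attrs.get(attr)
        w = AttrWrite(attr, value, (prev.version + 1) if prev else 1,
                      timestamp, self.name, self.usn)
        self.attrs[attr] = w
        self.utd[self.name] = self.usn
        return w

    def apply_inbound(self, w: AttrWrite) -> bool:
        """Apply a write offered by a partner. Returns False when the up-to-date
        vector shows it was already applied (propagation dampening)."""
        if self.utd.get(w.origin_dc, 0) >= w.origin_usn:
            return False
        self.usn += 1                       # replicated write still consumes a USN
        self.utd[w.origin_dc] = w.origin_usn
        cur = self.attrs.get(w.attr)
        self.attrs[w.attr] = w if cur is None else resolve(cur, w)
        return True


def demo():
    """Constructed scenario: one change fans out via two paths, then two DCs
    edit the same attribute concurrently with equal version and timestamp."""
    a, b, c = DC("A"), DC("B"), DC("C")
    w1 = b.originate("description", "set on B", timestamp=100)
    first = a.apply_inbound(w1)        # True: A has not seen B's USN 1 yet
    c.apply_inbound(w1)
    dampened = a.apply_inbound(w1)     # False: C re-offers it, A's vector says B>=1
    wa = a.originate("description", "edited on A", timestamp=200)   # version 2
    wb = b.originate("description", "edited on B", timestamp=200)   # version 2
    a.apply_inbound(wb)
    b.apply_inbound(wa)
    # Both converge on the same value without any coordination.
    return first, dampened, a.attrs["description"].value, b.attrs["description"].value
```

Run changes_needed with the page's two tables to reproduce the 55-58 / none / 54-64 result; demo() shows why clock skew matters: with equal versions the timestamp decides, so a DC whose clock runs ahead will silently win every conflict.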

47. Which is the command used to remove Active Directory from a domain controller?

Dcpromo is the Windows 2000 and Windows Server 2003 wizard for promoting a server to the role of domain controller, and, if the server is already a DC, dcpromo is also the tool that demotes it back to a member server. Dcpromo performs a specific set of checks before allowing the process to continue, and the checks differ depending on whether the server is being promoted or demoted. Here we deal with demotion issues. Dcpromo might fail when trying to demote a domain controller in some cases. These scenarios include, for example:

• There are no domain controllers currently available in the parent domain when you try to demote the last domain controller in a child domain.

• Dcpromo cannot complete because there is a name resolution, authentication, replication engine, or AD object dependency that you cannot resolve.

• A DC has not replicated inbound Active Directory changes for one or more naming contexts within the tombstone lifetime (by default 60 days for Windows 2000 and Windows Server 2003 DCs, and 180 days for forests created with Windows Server 2003 SP1 or R2).

If you run dcpromo on an existing DC to demote it and it fails because of one of the above scenarios, the best thing to do is to resolve the problem and then restart dcpromo. If dcpromo still fails, you can demote the DC by running dcpromo with the /forceremoval switch, which tells the process to ignore errors. A /forceremoval demotion discards any changes held only on that DC and should be treated as a last resort, used only when absolutely necessary.

With /forceremoval, an administrator can forcibly remove Active Directory and roll the system back without contacting, or replicating any locally held changes to, another DC in the forest. Note: the /forceremoval switch is only supported on Windows 2000 servers that have either SP2 with the Q332199 hotfix or SP4 installed, and on Windows Server 2003 servers.

Windows Server 2003 SP1 enhances the /forceremoval process. When it is run it checks to determine whether the DC hosts an operations master role, is a Domain Name System (DNS) server, or is a global catalog server. For each of these roles, the administrator receives a popup warning that advises the administrator to take appropriate action.

Separate warnings are shown for the RID Master, PDC Emulator, Infrastructure Master, Domain Naming Master and Schema Master roles, for the DNS server role, and for the global catalog server role.

When you force the demotion of a DC, you return the operating system to a state that is the same as the successful demotion of the last domain controller in a domain (service start values, installed services, use of a registry based SAM for the account database, computer is a member of a workgroup). Note: In Windows 2000, the System event log identifies forcibly demoted DCs and instances of the /forceremoval operation by event ID 29234. In Windows Server 2003 the System event log identifies forcibly demoted DCs by event ID 29239.

1. Click Start, click Run, and then type the following command:

dcpromo /forceremoval

2. At the Welcome to the Active Directory Installation Wizard page, click Next.

3. At the Force the Removal of Active Directory page, click Next.

4. In Administrator Password, type and confirm the password you want to assign to the Administrator account of the local SAM database, and then click Next.

5. In Summary, click Next.

6. When dcpromo finishes, click Finish.

7. Restart the server.

After dcpromo /forceremoval, the surviving domain controllers still hold all the metadata for the demoted DC (its NTDS Settings and server objects and its replication links), because nothing was replicated out. You must remove it manually with ntdsutil (metadata cleanup); until you do, the other DCs keep trying to replicate with a DC that no longer exists and the stale objects remain in the directory.

48. What Exchange process is responsible for communication with AD?

DSAccess (the directory service access component of Exchange 2000 and Exchange 2003).

49. What is DSACCESS?

DSAccess is the Exchange component that talks to Active Directory. It implements a directory access cache that stores recently retrieved configuration and recipient information for a configurable length of time, which reduces the number of LDAP queries Exchange makes to global catalog servers and domain controllers.

50. Explain APIPA?

Automatic Private IP Addressing (APIPA) takes effect on Windows 2000 and later clients if no DHCP server can be contacted. APIPA assigns the computer an IP address in the link-local range 169.254.0.1 through 169.254.255.254 with a subnet mask of 255.255.0.0, and the client keeps retrying DHCP in the background so that it can switch to a leased address once a server becomes reachable. An APIPA address has no default gateway, so the machine can only reach other hosts on the same link; a host that unexpectedly holds a 169.254.x.x address is a sign that DHCP is failing.

51. Where is GPT stored?

The Group Policy Template (GPT), the file-system half of a Group Policy object, is stored in %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID on every domain controller, where GUID is the GPO's GUID. The other half, the Group Policy Container (GPC), is an object in Active Directory under CN=Policies,CN=System in the domain partition.

52. What hidden shares exist on Windows Server 2003 installation?

The administrative (hidden, $-suffixed) shares are ADMIN$ (the %SystemRoot% folder), one share per local volume such as C$ and D$, IPC$ (the named-pipe share used for RPC and remote administration), and print$ when printers are shared. NETLOGON and SYSVOL are also created automatically on domain controllers, but they are ordinary visible shares, not hidden ones. Access to C$ or ADMIN$ amounts to full control of the machine, so membership of the local Administrators group is what actually gates these shares.

53. What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations?

A standalone DFS root stores the DFS topology (the directory tree of links) only on the root server itself. If that server is down, users have no way to reach the shared resources through the namespace, even though the underlying shares may still be up. A fault-tolerant (domain-based) DFS root stores the topology in Active Directory, which is replicated to other domain controllers, so the namespace can be hosted by several root servers at once, and a link may point to multiple targets holding copies of the same data in different shared folders.

54. When should you create a forest?

Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

55. How can you authenticate between forests?

Four types of authentication are used across forests (over a forest trust, which requires the Windows Server 2003 forest functional level): (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user’s home forest; (3) Kerberos delegation to an N-tier application in another forest; and (4) user principal name (UPN) credentials.

56. What is an incremental backup?

A "normal" incremental backup will only back up files that have been changed since the last backup of any type. This provides the quickest means of backup, since it only makes copies of files that have not yet been backed up. For instance, following our full backup on Friday, Monday’s tape will contain only those files changed since Friday. Tuesday’s tape contains only those files changed since Monday, and so on. The downside to this is obviously that in order to perform a full restore, you need to restore the last full backup first, followed by each of the subsequent incremental backups to the present day in the correct order. Should any one of these backup copies be damaged (particularly the full backup), the restore will be incomplete.

57. What is Differential Backup?

A cumulative backup of all changes made after the last full backup. The advantage to this is the quicker recovery time, requiring only a full backup and the latest differential backup to restore the system. The disadvantage is that for each day elapsed since the last full backup, more data needs to be backed up, especially if a majority of the data has been changed.

58. What is Multilevel Incremental Backup?

A more sophisticated incremental backup scheme involves multiple numbered backup levels. A full backup is level 0. A level n backup backs up everything changed since the most recent backup at a lower level (in practice usually level n-1). Assume a level 0 backup was taken on a Sunday. A level 1 backup taken on Monday would only include changes made since Sunday. A level 2 backup taken on Tuesday would only include changes made since Monday. A level 3 backup taken on Wednesday would only include changes made since Tuesday. If a level 2 backup was taken on Thursday, it would include all changes made since Monday, because Monday's level 1 is the most recent backup at a lower level.

59. What is reverse Incremental Backup?

An incremental backup of the changes made between two instances of a mirror is called a reverse incremental. By applying a reverse incremental to a mirror, the result will be a previous version of the mirror.

60. What is Synthetic full backup?

A synthetic backup is a form of an incremental backup that is possible when there is a separate computer that manages the backups. The backup server takes a typical incremental backup of the system in question and combines this data with the previous backups to generate a new synthetic backup. This new synthetic backup is indistinguishable from a normal full backup and shares all the advantages, such as faster restore times.

61. What is RAID?

RAID (Redundant Array of Inexpensive, or Independent, Disks) is a technique that combines multiple physical disks into one logical volume to gain speed, reliability, capacity or some combination of them, rather than relying on a single disk. Which benefit you get depends on the scheme, or level, of RAID being used.

62. What is RAID-Concatenation?

Concatenations are also known as "simple" RAIDs. A concatenation is a collection of disks that are "welded" together: data is laid across the disks linearly, from one disk to the next. So if we have three 9G disks made into a simple RAID, we end up with a single 27G virtual disk (volume). When you write data you write to the first disk, keep writing to the first disk until it is full, then start writing to the second disk, and so on. All of this is done by the volume manager, which is the "keeper of the RAID". Concatenation is the cornerstone of RAID. Now, do you see the problem with this type of RAID? Because we write data linearly across the disks, if we have only 7G of data on the volume we are only using the first disk; the other two are sitting idle. We got the big disk we wanted, but in performance terms it is no better than a single off-the-shelf drive, and there is no redundancy either: losing any one disk loses the volume. There has to be a better way.

63. What is Striping/RAID-0?

Striping is similar to concatenation in that it turns a bunch of small disks into a big single virtual disk (volume), but the difference is that when we write data we write it across ALL the disks. So when we read or write we are moving really fast, in fact faster than any one disk could. There are two things to know about RAID-0: stripe width and columns. If we are going to read and write across multiple disks we need an organised way to do it. First we agree on how much data should be written to a disk before moving to the next; that is our "stripe width". Then we need a name for each disk: each disk is a "column", and the amount of data we put on each column before moving to the next is our stripe width. RAID-0 has no redundancy: the loss of any single column loses the whole volume.

64. What is Mirroring/RAID-1?

Mirroring keeps an identical second copy of the data. If you used three 9G disks to build a 27G striped volume (RAID-0), then to mirror it you need six 9G disks: the first 27G forms the striped set and the second 27G becomes its mirror. Whatever is written to the first set is also written to the second, so if a disk in the first set fails the mirror keeps serving the data. Plain RAID-1 is the same idea with a single pair of disks.

65. What is RAID 0+1? Why is it better than 0?

RAID-0 uses striping only, so the failure of any one disk in the set loses all the data. RAID 0+1 stripes first and then mirrors the whole striped set, so whatever is on the striped volume also exists on its mirror, and the volume survives the loss of a disk (or of an entire stripe set on one side). It cannot survive one disk failing on each side at the same time. Note that mirroring protects against disk failure only: a deleted or corrupted file is deleted or corrupted on the mirror too, so RAID is not a substitute for backups.
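The block placement and failure behaviour described in questions 62 to 65, as an added Python model (not code from the original page). Disk numbers start at 0, block numbers and sizes are in "1G blocks" to match the page's three 9G disks, and the names of the functions are my own.

```python
def concat_place(block: int, disk_size: int, columns: int) -> tuple:
    """Concatenation: fill disk 0 end to end, then disk 1, and so on.
    Returns (disk, offset_on_disk) for a logical block number."""
    disk, offset = divmod(block, disk_size)
    if disk >= columns:
        raise ValueError("block lies beyond the end of the volume")
    return disk, offset


def stripe_place(block: int, columns: int, stripe_width: int) -> tuple:
    """RAID-0: write stripe_width blocks to one column, then move to the next
    column, wrapping round to column 0 after the last one."""
    chunk, within = divmod(block, stripe_width)
    row, column = divmod(chunk, columns)
    return column, row * stripe_width + within


def disks_used(place, nblocks: int) -> list:
    """Which disks actually hold data after the first nblocks blocks are written."""
    return sorted({place(b)[0] for b in range(nblocks)})


def raid0_available(failed: set) -> bool:
    """Plain striping has no redundancy: any failed disk loses the volume."""
    return not failed


def raid01_available(columns: int, failed: set) -> bool:
    """RAID 0+1: two stripe sets (side 0 and side 1) of `columns` disks each,
    side 1 mirroring side 0. `failed` holds (side, column) pairs. Data stays
    readable while at least one whole side is intact; RAID-1 on a single
    pair of disks is the columns == 1 case."""
    return any(all((side, c) not in failed for c in range(columns))
               for side in (0, 1))


if __name__ == "__main__":
    # The page's scenario: three 9G disks, 7G of data written so far.
    print("concat uses disks", disks_used(lambda b: concat_place(b, 9, 3), 7))
    print("stripe uses disks", disks_used(lambda b: stripe_place(b, 3, 1), 7))
    print("0+1, one disk down:", raid01_available(3, {(0, 1)}))
    print("0+1, one disk down on each side:", raid01_available(3, {(0, 1), (1, 2)}))
```

The last line is the point the page's text glosses over: with 0+1 a second failure on the other side takes the volume down even though four of six disks are healthy, because each side is a stripe set that is only useful whole.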

66. What is RAID-5?

67. What are the types of backups?

Normal Backups: A normal backup is the first step in any backup plan. When the Normal backup option is selected, all the selected files and folders are backed up and the archive attribute of each file is cleared. Normal backups are the most time-consuming, but they are the most efficient at restore time.

Copy Backups: A copy backup is not part of a planned backup schedule. All the selected files and folders are backed up, but the archive attributes of the files are not cleared, so a copy backup does not disturb an incremental or differential rotation.

Incremental Backups: Incremental backups are the fastest backup process. An incremental backup backs up the files and folders that were created or changed since the last normal or incremental backup, and clears the archive attribute of each file it backs up. Restoring from incremental backups requires the last normal backup and all the following incremental backups, restored in the order in which they were created. Note: if any medium in the incremental set is damaged or its data is corrupt, the data backed up after that point cannot be restored.

Differential Backups: Differential backups back up the files that were created or changed since the last normal backup (strictly, every file whose archive attribute is still set, which is why differentials and incrementals should not be mixed in one rotation). The archive attributes are not cleared by a differential backup. Restoring from a differential backup is simpler than from incrementals: only the last normal and the last differential are needed.

Daily Backups: All the selected files and folders that changed during the day are backed up with the Daily option. Files are selected by their modification date, and the archive attributes are not cleared.

68. What is a Full Backup?

A full backup is a backup of every file on a file system, whether that file has changed or not. A full backup takes longer to accomplish and requires the most storage space on the backup media, but it also provides the quickest restore times. A full backup should be performed weekly or monthly on production systems, along with daily differential backups. A full backup should also be performed before any major planned changes to a system.

69. What is Incremental Backup? An incremental backup is a backup of every file on a file system which has changed since the last backup. An incremental backup is the fastest backup and requires the least storage space on the backup media. However, incremental backups also require the longest time and the most tapes to restore. Incremental backups should be used only in environments where backup time or backup storage media are extremely constrained. For most environments, a weekly full backup and a daily differential backup represent a better plan. If you perform a full backup on Sunday along with incremental backups every night and the system crashes on Thursday, you will need to restore the full backup from Sunday along with the incremental backups from Monday, Tuesday, and Wednesday. In contrast, if you perform a full backup on Sunday and a differential every night, when the system crashes on Thursday you will only need to restore the full backup from Sunday and the differential backup from Wednesday.

70. What is Differential Backup? A differential backup is a backup of every file on a file system which has changed since the last full backup. A differential backup can be an optimal middle-ground between a full backup and an incremental backup. A differential backup is not as fast as an incremental backup, but it is faster than a full backup. A differential backup requires more storage space than an incremental backup, but less than a full backup. A differential backup requires more time to restore than a full backup, but not as much time to restore as an incremental backup. If you perform a full backup on Sunday and a differential every night, and the system crashes on Thursday, you will only need to restore the full backup from Sunday and the differential backup from Wednesday. In contrast, if you perform a full backup on Sunday and incremental backups every night, when the system crashes on Thursday, you will need to restore the full backup from Sunday along with the incremental backups from Monday, Tuesday, and Wednesday. A differential backup should be performed daily on production systems.
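The archive-bit behaviour behind questions 56 to 58 and 67 to 70, as an added Python simulation (not code from the original page). It models each Windows Backup job type by what it selects and whether it clears the archive attribute, derives the minimal set of media needed for a restore, and implements the multilevel rule; the file names and weekly schedule are constructed for the example.

```python
JOB_TYPES = {                       # kind: (selector, clears archive bit afterwards)
    "normal":       ("all",     True),
    "copy":         ("all",     False),
    "incremental":  ("archive", True),
    "differential": ("archive", False),
    "daily":        ("today",   False),
}


class Volume:
    def __init__(self):
        self.files = {}             # name -> [archive_bit, last_modified_day]

    def write(self, name: str, day: str):
        self.files[name] = [True, day]   # creating or modifying a file sets the archive bit

    def backup(self, kind: str, day: str) -> list:
        """Run one job; return the sorted list of files it captured."""
        selector, clears = JOB_TYPES[kind]
        chosen = sorted(
            name for name, (archive, modified) in self.files.items()
            if selector == "all"
            or (selector == "archive" and archive)
            or (selector == "today" and modified == day))
        if clears:
            for name in chosen:
                self.files[name][0] = False
        return chosen


def week(schedule: list) -> dict:
    """schedule: list of (day, kind). One new file is written each day before
    that day's job runs. Returns {day: files captured by that day's job}."""
    vol, captured = Volume(), {}
    for i, (day, kind) in enumerate(schedule):
        vol.write(f"{i}-{day.lower()}.txt", day)
        captured[day] = vol.backup(kind, day)
    return captured


def restore_set(captured: dict) -> list:
    """Minimal media needed to rebuild the volume after the last job: scan
    newest-first, keep a job only if it holds a file no newer job holds, and
    return the kept days oldest-first (the order in which they are restored)."""
    needed, covered = [], set()
    for day in reversed(list(captured)):
        fresh = set(captured[day]) - covered
        if fresh:
            needed.append(day)
            covered |= fresh
    return needed[::-1]


def multilevel_start(history: list, level: int):
    """Multilevel scheme: a level-n job covers changes since the most recent
    job at a lower level. history: list of (day_index, level). Returns the
    day_index the new level-n job starts from, or None if no lower level exists."""
    lower = [d for d, lvl in history if lvl < level]
    return max(lower) if lower else None


WEEKDAYS = ["Mon", "Tue", "Wed", "Thu"]
INCREMENTAL = [("Sun", "normal")] + [(d, "incremental") for d in WEEKDAYS]
DIFFERENTIAL = [("Sun", "normal")] + [(d, "differential") for d in WEEKDAYS]
# Mixing the two is the trap: Thursday's differential sees only Thursday's
# file, because Mon-Wed incrementals already cleared the archive bits.
MIXED = ([("Sun", "normal")] + [(d, "incremental") for d in WEEKDAYS[:-1]]
         + [("Thu", "differential")])

if __name__ == "__main__":
    for name, plan in (("incremental", INCREMENTAL), ("differential", DIFFERENTIAL),
                       ("mixed", MIXED)):
        got = week(plan)
        print(f"{name:12} Thu captures {got['Thu']}; restore needs {restore_set(got)}")
    print("Thu level-2 job starts from day", multilevel_start([(0, 0), (1, 1), (2, 2), (3, 3)], 2))
```

restore_set is deliberately computed from what each medium actually contains rather than from the job names, which is what exposes the mixed rotation: Sunday plus Thursday's differential is not enough there, and a restore plan written from the "full plus last differential" rule would silently lose Monday to Wednesday.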

71. What are Cold Backups and Hot Backups? Cold Backup and Hot Backup are terms used with Oracle databases.

Cold Backup: Shut the database down (take it offline) and copy the database files to a different location. The copy is consistent because nothing is writing while it is taken.

Hot Backup: Take the backup while the database is online and in use. In Oracle this requires the database to run in ARCHIVELOG mode, and the backup is taken either through RMAN or by putting tablespaces into backup mode (ALTER TABLESPACE ... BEGIN BACKUP) before copying the files, so that the archived redo logs can bring the copied files to a consistent point on restore.

72. How can I prohibit users from using the Internet by using Group Policy in a Windows 2000 server?

There is no direct Group Policy setting that disables IE. There are three ways that I can think of to stop it from connecting to the Internet.

The first uses the IE policies. This method breaks IE but does not prohibit it from running: it deliberately misconfigures the proxy settings. Give it a proxy server name or address that does not exist, or a wrong port. You configure this under User Configuration->Windows Settings->Internet Explorer Maintenance->Connection->Proxy Settings. IE will look for the proxy server and always fail. Combine it with the policy that prevents users from changing proxy settings (User Configuration->Administrative Templates->Windows Components->Internet Explorer->Disable changing proxy settings), otherwise a user can simply put the settings back.

The other two ways target the IE application directly. First, you can configure the Don't Run Specified Windows Applications policy, located under User Configuration->Administrative Templates->System, and add Iexplore.exe to stop IE from running. This check is by file name only, so a renamed copy of iexplore.exe is not blocked. The second way is a Software Restriction Policy for Iexplore.exe. You could use a path rule, but a hash rule is better because it still matches if the file is moved or renamed; the trade-off is that the hash must be updated whenever IE is patched, since a new binary has a new hash. Remember that all three approaches only restrict IE: any other browser, or any program that speaks HTTP, is unaffected, so the reliable control is at the network edge (no default route for workstations, and a proxy that requires authentication and authorisation).