Tuesday, April 20, 2010

Group Policy inheritance

No Override as Compared to Block Policy Inheritance


You can set No Override on a specific Group Policy object link so that Group Policy objects linked at a lower level of Active Directory — closer to the recipient user or computer account — cannot override that policy. If you do this, Group Policy objects linked at the same level, but not as No Override, are also prevented from overriding. If you have several links set to No Override at the same level of Active Directory, then you need to prioritize them. Links higher in the list have priority on all Configured (that is, Enabled or Disabled) settings.

If you have linked a specific Group Policy object to a domain, and set the Group Policy object link to No Override, then the configured Group Policy settings that the Group Policy object contains apply to all organizational units under that domain. Group Policy objects linked to organizational units cannot override that domain-linked Group Policy object.

You can also block inheritance of Group Policy from above in Active Directory. This is done by checking Block Policy inheritance on the Group Policy tab of the Properties sheet of the domain or organizational unit. This option does not exist for a site.

Some important facts about No Override and Block Policy are listed below:

• No Override is set on a link, not on a site, domain, organizational unit, or Group Policy object.

• Block Policy Inheritance is set on a domain or organizational unit, and therefore applies to all Group Policy objects linked at that level or higher in Active Directory which can be overridden.

• No Override takes precedence over Block Policy Inheritance if the two are in conflict.

If you want to see what a Group Policy object is linked to, open it in the Group Policy console, right-click the root node, click Properties, and then click the Links tab. Click Find Now after setting the domain on the drop-down menu.
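To make the precedence rules above concrete, here is a small Python model (an added example, not part of the original post or of any Microsoft tool) that applies LSDOU ordering, link priority, No Override and Block Policy Inheritance to a constructed site/domain/OU chain; the container, GPO and setting names are made up.

```python
"""Model of Group Policy link precedence: LSDOU order, link priority,
No Override (enforced) links and Block Policy Inheritance."""
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    gpo: str
    settings: dict          # only Configured settings (Enabled/Disabled values)
    enforced: bool = False  # "No Override" is set on the link, not on the GPO


@dataclass
class Container:
    name: str                                   # local machine, site, domain or OU
    links: list = field(default_factory=list)   # index 0 = top of the list = highest priority
    block_inheritance: bool = False             # only meaningful for a domain or OU


def application_order(chain):
    """Return (container name, link) pairs in the order the links are applied.
    chain runs from the top of Active Directory (local, site, domain, ...) down
    to the container holding the user or computer account. Later entries
    overwrite earlier ones, so the last link to set a value wins."""
    # Block Policy Inheritance hides every non-enforced link that sits above
    # the lowest container that carries the flag.
    blocked_above = None
    for depth in range(len(chain) - 1, -1, -1):
        if chain[depth].block_inheritance:
            blocked_above = depth
            break
    ordered = []
    # 1. Non-enforced links, top of AD first, so closer containers override.
    #    Within one container the link at the top of the list applies last.
    for depth, container in enumerate(chain):
        if blocked_above is not None and depth < blocked_above:
            continue
        for link in reversed(container.links):
            if not link.enforced:
                ordered.append((container.name, link))
    # 2. No Override links are applied after everything else, closest container
    #    first, so an enforced link higher in AD beats one enforced below it,
    #    and it also beats a Block Policy Inheritance flag.
    for container in reversed(chain):
        for link in reversed(container.links):
            if link.enforced:
                ordered.append((container.name, link))
    return ordered


def resolve(chain):
    """Compute the resulting value of each setting and which link supplied it."""
    result = {}
    for container_name, link in application_order(chain):
        for setting, value in link.settings.items():
            result[setting] = (value, f"{link.gpo} @ {container_name}")
    return result


def demo_chain():
    """Constructed example: site -> domain -> Finance OU, where the OU blocks
    inheritance but the Default Domain Policy link is set to No Override."""
    site = Container("HQ-Site", [GpoLink("Site Policy", {"Wallpaper": "corp.bmp"})])
    domain = Container("corp.example", [
        GpoLink("Default Domain Policy",
                {"MinPasswordLength": 12, "ScreenSaverLock": "Enabled"}, enforced=True),
        GpoLink("Domain Printers", {"DefaultPrinter": "HQ-1"}),
    ])
    finance = Container("OU=Finance", [
        GpoLink("Finance Policy",
                {"MinPasswordLength": 6, "ScreenSaverLock": "Disabled", "Wallpaper": "finance.bmp"}),
    ], block_inheritance=True)
    return [site, domain, finance]


if __name__ == "__main__":
    for setting, (value, source) in sorted(resolve(demo_chain()).items()):
        print(f"{setting:18} = {value!s:10} (from {source})")
```

In the demo the OU's block hides the site and the non-enforced domain link, yet the enforced domain link still wins on both settings it configures.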

MCSE Interview Questions

1. What is Active Directory?


Active Directory is Microsoft's trademarked directory service. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories.

2. What is X.500 Directory Service?

A standard way to develop an electronic directory of people in an organization so that it can be part of a global directory available to anyone in the world with Internet access. The idea is to be able to look up people in a user-friendly way by name, department, or organization. Many enterprises and institutions have created an X.500 directory. Because these directories are organized as part of a single global directory, you can search for hundreds of thousands of people from a single place on the World Wide Web.

3. What is LDAP?

LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of X.500. LDAP originated at the University of Michigan and has been endorsed by at least 40 companies.

4. Explain AD’s Logical and Physical Components

The logical structure consists of OUs, domains, trees, and forests. The logical structure helps you design a network hierarchy that suits your organizational needs.

The physical structure consists of sites and domain controllers. The physical structure helps you optimize network traffic by customizing the network configuration.

Domain

The core component of AD’s logical structure is the domain. A domain is a unit of replication—all domain controllers in a domain replicate information to each other and contain a complete copy of directory information for their domain. Domains also act as security boundaries.



Organization Unit (OU)

You use OUs to organize objects within a domain and to delegate authority to individuals or groups who need to manage those objects. For example, if the finance department wants to manage its own resources, you can create an OU container called Finance, create objects (e.g., users, computers, printers) within that container, and assign someone from the finance department to manage these resources (known as delegating the authority).



Tree

Multiple domains form a tree. All domains in a tree maintain a contiguous namespace.

Ex: microsoft.com, support.microsoft.com, us.microsoft.com, etc.



Forest

A forest is one or more trees that don't share a contiguous namespace. We can have two trees in a forest representing two namespaces in one organization. A forest will share a common configuration (e.g., information about domains, computers, and trust relationships), schema (e.g., classes and attributes), and a Global Catalog.



Physical structure - Sites and domain controllers.

Site - one or more well-connected IP subnets. A site controls replication traffic between domain controllers and lets users authenticate with a domain controller within their site. This functionality helps you optimize network traffic and logon authentication in large enterprises.



Domain controller - a domain controller, which is a Win2K server running AD, contains a complete replica of the domain database. In Win2K, no single domain controller acts as a master domain controller. All domain controllers use a multimaster replication model and are peers.

5. What are FSMO Roles?

Though Windows 2K/2K3 domain models are multimaster, there are certain roles performed only by a single server. These are known as Flexible Single Master Operations. There are five FSMO roles: Domain naming Master, Schema Master, RID Master, PDC Emulator and Infrastructure Master. There must be a domain controller that owns each one of those roles.

1. Domain Naming Master: the machine that holds the Domain Naming Master role should be available for adding and removing a domain. The role is forest wide.

2. Schema Master: this permits the extension of the schema. For the schema to be extended, the Schema Master should be online. The role is forest wide.

3. RID Master: the Relative ID Master allocates pools of RIDs to domain controllers. The role is domain wide.

4. PDC Emulator: the Primary Domain Controller Emulator acts as a PDC for backward compatibility. The role is domain wide.

5. Infrastructure Master: this initiates replication of group membership changes. The role is domain wide.

6. What is Authoritative Restore and how it is performed?

An authoritative restore replicates all objects that are marked authoritative to every domain controller hosting the naming contexts that the objects are in. To perform an authoritative restore on the computer, you must use the Ntdsutil.exe tool to make the necessary USN changes to the Active Directory database.

7. What is the Volume Shadow Copy Service?

The Volume Shadow Copy service, or VSS for short, is a new feature in Windows 2003 server that allows you to maintain multiple views of how files, folders and shares on a Windows 2003 server appeared in the past. Shadow copy will allow you to restore a deleted or modified file.

8. What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name; which will be the 'key' to a list of shares found on multiple servers on the network.

9. What is Kerberos?

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

10. What are the well known ports?

Netstat - 15

FTP - 20 (data) and 21 (control)

SSH - 22

Telnet - 23

SMTP - 25

WINS - 42

DNS - 53

DHCP - server 67 and client 68

TFTP - 69

HTTP - 80, secure 81

Kerberos - 88 *

POP3 - 110

NNTP - 119

NetBIOS - 139

SNMP - 161

IMAP3 - 220

LDAP - 389

SSL - Secure Sockets Layer - 443

RIP - 520

MS SQL - 1433

NFS - 2049

RDP - Remote Desktop Protocol - 3389

X Windows - 6000

11. What is network Monitor and which is the protocol used for Network Monitor?

Network Monitor is a protocol analyzer used to capture inbound and outbound frames. The protocol used is SNMP.

12. What’s the difference between local, global and universal groups?

Domain local groups assign access permissions to global/domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

13. I am trying to create a new universal user group. Why can’t I?

Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

14. What is LSDOU?

It’s the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.

15. Where are group policies stored?

%SystemRoot%\System32\GroupPolicy

16. What is GPT and GPC?

Group policy template and group policy container.

17. Where is GPT stored?

%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

18. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority?

The computer settings take priority.

19. How can you restrict running certain applications on a machine?

Via group policy, security settings for the group, then Software Restriction Policies.

20. You need to automatically install an app, but MSI file is not available. What do you do?

A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.

21. What’s the difference between Software Installer and Windows Installer?

The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.

22. What is the loopback address and its purpose?

127.0.0.1. The loopback address is used to check the drivers of the TCP/IP protocol.

23. What can be restricted on Windows Server 2003 that wasn’t there in previous products?

Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

24. How frequently is the client policy refreshed?

90 minutes.

25. Where is secedit?

It’s now gpupdate.

26. You want to create a new group policy but do not wish to inherit.

Make sure you check Block inheritance among the options when creating the policy.

27. What does IntelliMirror do?

IntelliMirror intelligently mirrors user settings. It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.

28. What are private IP addresses?

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (local networks):

10.0.0.1 - 10.255.255.254

172.16.0.1 - 172.31.255.254

192.168.0.1 - 192.168.255.254

29. What are the IP Classes?

Class A 1-126.x.x.x, hosts supported 16777214, with mask 255.0.0.0

Class B 128-191.x.x.x, hosts supported 65534, with mask 255.255.0.0

Class C 192-223.x.x.x, hosts supported 254, with mask 255.255.255.0

Class D 224-239.x.x.x, reserved for multicast addressing

Class E 240-254.x.x.x, reserved for experimental use

30. What is CIDR?

This is a shorthand notation for a subnet mask: classless interdomain routing (CIDR) notation. It counts the number of 1's in the subnet mask's binary representation and is displayed after the IP address; for example, 192.168.2.12/24 means that the subnet mask is 255.255.255.0, since there are 24 1's in the subnet mask.
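As an added example (not from the original post), the following Python carries the CIDR count of 1's through in general: it converts a prefix length to a dotted mask and back, works out network, broadcast and usable host count, and reports the address class and whether the address falls in one of the IANA private blocks from questions 28 and 29. The sample addresses are constructed.

```python
"""CIDR prefix <-> subnet mask, address class and private-range checks for IPv4."""

# RFC 1918 private blocks, written as network/prefix
PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def ip_to_int(addr):
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/24 -> 255.255.255.0: the prefix is the number of leading 1 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask):
    """255.255.255.0 -> 24; rejects masks whose 1 bits are not contiguous."""
    bits = ip_to_int(mask)
    ones = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def address_class(addr):
    """Classful ranges by first octet, as listed in question 29 (127 is loopback)."""
    first = ip_to_int(addr) >> 24
    if first == 0:
        return "invalid"
    if first == 127:
        return "loopback"
    if first <= 126:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D (multicast)"
    return "E (experimental)"


def is_private(addr):
    n = ip_to_int(addr)
    for net, prefix in PRIVATE_BLOCKS:
        mask = ip_to_int(prefix_to_mask(prefix))
        if n & mask == ip_to_int(net):
            return True
    return False


def describe(cidr):
    """Break an address/prefix pair down the way an admin would on paper."""
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = ip_to_int(prefix_to_mask(prefix))
    n = ip_to_int(addr)
    network = n & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    # /31 and /32 leave no room for a separate network and broadcast address
    usable = max(2 ** (32 - prefix) - 2, 0)
    return {
        "address": addr,
        "mask": int_to_ip(mask),
        "prefix": prefix,
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "usable_hosts": usable,
        "class": address_class(addr),
        "private": is_private(addr),
    }


if __name__ == "__main__":
    for cidr in ("192.168.2.12/24", "10.1.2.3/8", "172.20.0.5/12", "8.8.8.8/32"):
        print(describe(cidr))
```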

31. How many name resolution methods are there for Windows?

There are two: (1) NetBIOS and (2) DNS.

32. What is DNS?

Domain Naming System. It resolves host names to IP addresses.

33. What’s the difference between forward lookup and reverse lookup in DNS?

Forward lookup is name-to-address, the reverse lookup is address-to-name.

34. Types of Zones

Primary, Secondary and STUB Zone

35. What is Primary Zone?

Primary zones store their zone information in a writable text file on the name server.

36. What is Secondary Zone?

Secondary zones store their zone information in a read-only text file on the name server.

37. What is Stub Zone?

A stub zone is a new feature in Windows 2003. It is like a secondary zone, but there are certain differences: while secondary zones contain copies of all the resource records in the corresponding zone on the master name server, stub zones contain only three kinds of resource records:

(1) Copy of the SOA record for the zone.

(2) Copies of NS records for all name servers authoritative for the zone.

(3) Copies of A records for all name servers authoritative for the zone.

38. What are the common Resource Records?

A, NS, SOA, MX, SRV, Cname, PTR

39. What is Conditional Forwarding?

Conditional forwarding is a new feature of DNS in Windows Server 2003. Conditional forwarding can be used to speed up the DNS name resolution process by directing queries for specific domains to specific name servers.

40. What is LMHOSTS file?

It’s a file stored on a host machine that is used to resolve NetBIOS names to specific IP addresses.

41. What is HOSTS file?

It’s a file stored on a host machine that is used to resolve host names to specific IP addresses.

42. What is DHCP?

DHCP stands for "Dynamic Host Configuration Protocol". DHCP allows dynamic allocation of network addresses and configuration to newly attached hosts.

43. Describe how the DHCP lease is obtained.

It’s a four-step process consisting of (a) DHCP Discover, (b) DHCP Offer, (c) DHCP Request, (d) DHCP Acknowledgement.

44. Can a BOOTP client boot from a DHCP server?

Only if the DHCP server is specifically written to also handle BOOTP queries.

45. What is DHCP Scope?

Scope - A range of IP addresses that the DHCP server can assign to clients that are on one subnet.

46. What is Superscope?

Superscope is a range of IP addresses that span several subnets. The DHCP server can assign these addresses to clients that are on several subnets.

47. What is Client Reservation?

Client Reservation is used to be sure a computer gets the same IP address all the time. DHCP uses the client's MAC address to control the assignment.

48. What is Exclusion range?

An exclusion range is used to reserve a bank of IP addresses so that computers with static IP addresses, such as servers, may use the addresses in this range. These addresses are not assigned by the DHCP server.

49. Which utility is used to compact DHCP Database?

JETPACK

50. What is Scope Options?

Scope options are IP configuration settings for a particular subnet including the IP address of the router (default gateway), DNS Server, Domain Name, WINS Server etc.

51. Why do we need a DHCP Relay Agent?

When you have clients on different subnets, you either need multiple DHCP servers or a DHCP relay agent. All DHCP packets are broadcast packets, and a router will not forward broadcast packets. To allocate IP addresses to clients on a network other than the DHCP server's, you need to configure a DHCP relay agent on the router. The DHCP Relay Agent allows you to place DHCP clients and DHCP servers on different networks.

52. I can’t seem to access to the corporate network and on ipconfig my address is 169.254.X.X. What happened?

The 169.254.x.x address range is assigned to Windows machines running 98/2000/XP if the DHCP server is not available. The name for the technology is APIPA (Automatic Private Internet Protocol Addressing).

53. We’ve installed a new Windows-based DHCP server; however, the users do not seem to be getting a DHCP lease from the server. Reason out why the lease is not available.

The server must be authorized first with the Active Directory.

54. How can you force the client to give up the dhcp lease if you have access to the client PC?

ipconfig /release

55. On what occasions does a client renew its IP address from the DHCP server?

1) Every restart, 2) at 50% of the lease duration, 3) ipconfig /renew.

56. What authentication options do Windows 2003 Servers have for remote clients?

PAP, SPAP, CHAP, MS-CHAP, MS-CHAP v2 and EAP.

57. What is data link layer in the OSI reference model responsible for?

The data link layer is located above the physical layer but below the network layer. It takes raw data bits and packages them into frames. The network layer is responsible for addressing the frames, while the physical layer is responsible for retrieving and sending raw data bits.

58. What is Routing?

Routing is the process of transferring packets from one network to another network. Windows 2003 can be configured as a router.

59. What are the features available with Windows 2003 Routing and Remote Access Server (RRAS)?

We can configure a Windows 2003 machine as a Router, Remote Access Server, NAT Server, Demand Dial Router, and VPN Server.

60. Differentiate Routed Protocol and Routing Protocol

Routed protocol: any network protocol that provides enough information in its network layer address to allow a packet to be forwarded from one host to another host based on the addressing scheme. Ex: IP/IPX

Routing protocols: facilitate the exchange of routing information between networks, allowing routers to build routing tables dynamically. Ex: RIP, OSPF

61. Explain Distance Vector and link state protocol

Routing protocols fall into two main categories, Distance Vector or Link State. Distance Vector protocols determine best path by counting number of HOPS. Hops are devices. Link State protocols are capable of using more sophisticated methods taking into consideration link variables, such as bandwidth, delay, reliability and load.

62. Give examples of Distance Vector and Link State Protocol

Distance Vector

RIP, IGRP

Link State

OSPF, EIGRP

63. Which routing protocols are supported by Windows 2003?

RIP and OSPF

64. What is METRIC?

Metrics are values routing protocols use to determine the best path to a destination, when multiple paths exist.

65. What is RADIUS?

Remote Authentication and Dial In Service (RADIUS) is a server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may also be used on any network that needs a centralized authentication and/or accounting service for its workstations.

66. Which is the Microsoft implementation of RADIUS? And when is it required?

The MS implementation of RADIUS is Internet Authentication Service (IAS). IAS needs to be configured when the setup needs to centrally manage authentication, authorization and accounting.

67. What is Remote Access Policy?

Remote access policies are an ordered set of rules that define how connections are either authorized or rejected. For each rule, there are one or more conditions, a set of profile settings, and a remote access permission setting.

68. What are the Remote Access Policy elements and how are they evaluated?

The three policy elements are evaluated in the following order:

Conditions

Permissions

Profile

69. Explain the routing table.

There are three types of routes that one finds inside a routing table:

Default route - there is a single entry for this route in the table; the address provided is used as the destination for packets whose address doesn't match any other entry in the routing table. This route is indicated by both an address and a network mask of 0.0.0.0.

Host route - provides a route to a specific host or a broadcast address; this type of route is marked by a network mask of 255.255.255.255.

Network route - provides a route to a specific network; this type of route can have a subnet mask between 0.0.0.0 and 255.255.255.255.
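The three route types above, as an added example that is not from the original post: a Python model of a routing table in the style of the Windows route print output that classifies each entry and picks the most specific matching route, falling back to the default route. The table entries, gateways and interface names are constructed.

```python
"""Routing table lookup: default, host and network routes, most specific match first."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str   # network destination
    netmask: str
    gateway: str       # "on-link" for directly connected networks
    interface: str
    metric: int


def ip_to_int(addr):
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def route_type(route):
    """Classify a route as the answer above does: 0.0.0.0 with mask 0.0.0.0 is the
    default route, a 255.255.255.255 mask is a host route, anything else a network route."""
    if route.destination == "0.0.0.0" and route.netmask == "0.0.0.0":
        return "default"
    if route.netmask == "255.255.255.255":
        return "host"
    return "network"


def matches(route, dest):
    """A route matches when the destination, masked, equals the route's network."""
    mask = ip_to_int(route.netmask)
    return ip_to_int(dest) & mask == ip_to_int(route.destination) & mask


def select_route(table, dest):
    """Longest prefix (most 1 bits in the mask) wins; ties go to the lowest metric.
    The default route has zero mask bits, so it only wins when nothing else matches."""
    candidates = [r for r in table if matches(r, dest)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (bin(ip_to_int(r.netmask)).count("1"), -r.metric))


# Constructed sample table (not captured from a real host)
SAMPLE_TABLE = [
    Route("0.0.0.0", "0.0.0.0", "192.168.1.1", "eth0", 20),
    Route("0.0.0.0", "0.0.0.0", "192.168.1.2", "eth1", 50),         # backup default, worse metric
    Route("192.168.1.0", "255.255.255.0", "on-link", "eth0", 10),
    Route("192.168.1.255", "255.255.255.255", "on-link", "eth0", 10),  # subnet broadcast host route
    Route("10.0.0.0", "255.0.0.0", "192.168.1.254", "eth0", 30),
    Route("10.5.0.0", "255.255.0.0", "192.168.1.253", "eth0", 30),
    Route("10.5.1.9", "255.255.255.255", "192.168.1.252", "eth0", 30),
]


if __name__ == "__main__":
    for dest in ("8.8.8.8", "192.168.1.77", "192.168.1.255", "10.9.9.9", "10.5.2.2", "10.5.1.9"):
        r = select_route(SAMPLE_TABLE, dest)
        print(f"{dest:14} -> {route_type(r):8} {r.destination}/{r.netmask} via {r.gateway}")
```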

70. What is binding order?

The order by which the network protocols are used for client-server communications. The most frequently used protocols should be at the top.

71. What’s the major difference between FAT and NTFS on a local machine?

FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.

72. How do FAT and NTFS differ in approach to user shares?

They don’t, both have support for sharing.

73. What is CIFS?

The protocol used for file and print sharing in Windows networks. Common Internet File System (CIFS) is an extension of the SMB protocol that is used with basic file sharing. One of the advantages of CIFS over SMB is the ability to operate directly over DNS without the use of NetBIOS.

74. What are the types of Backup in windows?

There are five types.

Normal - takes a full backup. It does not look at the archive bit but clears the bit after the backup.

Incremental - backs up only the files whose archive bit is set and clears the bit after the backup.

Differential - backs up only the files whose archive bit is set and does not clear the bit after the backup.

Copy - just like Normal, but does nothing with the archive bit.

Daily - backs up all the files that were created or modified on the scheduled date.
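To show how the archive bit drives the difference between the five types, here is an added Python simulation (not from the original post) that runs each backup type over a constructed three-file set across three days and reports which files each run picks up and which archive bits are left set.

```python
"""Simulation of the five Windows Backup types and their effect on the archive bit."""


def new_file_set(day):
    """Constructed sample: three freshly created files, so every archive bit is set."""
    return {name: {"archive": True, "modified": day} for name in ("a.doc", "b.xls", "c.ppt")}


def modify(files, name, day):
    """Writing a file sets its archive bit and records the day of the change."""
    files[name] = {"archive": True, "modified": day}


# backup type -> (which files are selected, whether the archive bit is cleared afterwards)
BACKUP_TYPES = {
    "normal":       ("all",     True),
    "incremental":  ("archive", True),
    "differential": ("archive", False),
    "copy":         ("all",     False),
    "daily":        ("today",   False),
}


def run_backup(files, kind, day):
    """Return the sorted names backed up and update archive bits as the type dictates."""
    selector, clears_bit = BACKUP_TYPES[kind]
    chosen = []
    for name, meta in files.items():
        selected = (selector == "all"
                    or (selector == "archive" and meta["archive"])
                    or (selector == "today" and meta["modified"] == day))
        if selected:
            chosen.append(name)
            if clears_bit:
                meta["archive"] = False
    return sorted(chosen)


def simulate(kind):
    """Monday: normal (full) backup. Tuesday a.doc changes, Wednesday b.xls changes,
    and on both days the given backup type runs."""
    files = new_file_set("Mon")
    runs = [run_backup(files, "normal", "Mon")]
    modify(files, "a.doc", "Tue")
    runs.append(run_backup(files, kind, "Tue"))
    modify(files, "b.xls", "Wed")
    runs.append(run_backup(files, kind, "Wed"))
    archive_set = sorted(name for name, meta in files.items() if meta["archive"])
    return {"runs": runs, "archive_set": archive_set}


def restore_sets(kind, runs):
    """Which backup runs must be restored to recover Wednesday's state."""
    if kind == "differential":
        return [runs[0], runs[-1]]   # full plus only the last differential
    if kind in ("incremental", "daily"):
        return runs                  # full plus every run since
    return [runs[-1]]                # normal and copy runs are complete on their own


if __name__ == "__main__":
    for kind in BACKUP_TYPES:
        result = simulate(kind)
        print(f"{kind:13} runs={result['runs']} archive bits left set={result['archive_set']}")
```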

75. Explain the List Folder Contents permission on the folder in NTFS.

Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.

76. I have a file to which the user has access, but he has no folder permission to read it. Can he access it?

It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can’t drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into Run… window.

77. For a user in several groups, are Allow permissions restrictive or permissive?

Permissive: if at least one group has Allow permission for the file/folder, the user will have the same permission.

78. For a user in several groups, are Deny permissions restrictive or permissive?

Restrictive: if at least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.

79. What hidden shares exist on Windows Server 2003 installation?

Admin$, Drive$, IPC$, print$.

80. What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations?

The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.

81. We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box.

Use the UNC path. Not all clients can access them: only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.

82. Where exactly do fault-tolerant DFS shares store information in Active Directory?

In Partition Knowledge Table, which is then replicated to other domain controllers.

83. Is Kerberos encryption symmetric or asymmetric?

Symmetric.

84. How does Windows 2003 Server try to prevent a middle-man attack on encrypted line?

Time stamp is attached to the initial client request, encrypted with the shared key.

85. What hashing algorithms are used in Windows 2003 Server?

RSA Data Security’s Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.

86. Which are the four domain functional levels in windows 2003?

Mixed, Native, NT Interim and Windows 2003.

87. What’s the number of permitted unsuccessful logons on Administrator account?

Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators group.

88. What’s the difference between guest accounts in Server 2003 and other editions?

More restrictive in Windows Server 2003.

89. If you uninstall Windows Server 2003, which operating systems can you revert to?

Win ME and Win 98.

90. What is ICF?

Internet Connection Firewall (ICF) is firewall software that is used to set restrictions on what traffic is allowed to enter your network from the Internet. ICF protects your network against external threats by allowing safe network traffic to pass through the firewall into your network, while denying the entrance of unsafe traffic.

91. What are the Windows Server 2003 keyboard shortcuts?

• Winkey opens or closes the Start menu.

• Winkey + BREAK displays the System Properties dialog box.

• Winkey + TAB moves the focus to the next application in the taskbar.

• Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.

• Winkey + B moves the focus to the notification area.

• Winkey + D shows the desktop.

• Winkey + E opens Windows Explorer showing My Computer.

• Winkey + F opens the Search panel.

• Winkey + CTRL + F opens the Search panel with the Search for Computers module selected.

• Winkey + F1 opens Help.

• Winkey + M minimizes all.

• Winkey + SHIFT + M undoes minimization.

• Winkey + R opens the Run dialog.

• Winkey + U opens the Utility Manager.

• Winkey + L locks the computer.

92. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?

The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

93. How long does it take for security changes to be replicated among the domain controllers?

Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

94. What’s new in Windows Server 2003 regarding the DNS management?

When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register in DNS DC locator DNS records. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.

95. When should you create a forest?

Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

96. How can you authenticate between forests?

Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user’s home forest; (3) Kerberos delegation to N-tier application in another forest; and (4) user principal name (UPN) credentials.

97. What snap-in administrative tools are available for Active Directory?

Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active Directory Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Manager (optional, available from adminpak)

98. What is Global Catalog?

The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.

99. How is user account security established in Windows Server 2003?

When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account’s security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.

100. If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same?

No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.

101. What remote access options does Windows Server 2003 support?

Dial-in, VPN, dial-in with callback.

102. Where are the documents and settings for the roaming profile stored?

All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.

103. Where are the settings for all the users stored on a given machine?

Documents and Settings\All Users

104. What languages can you use for log-on scripts?

JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)

105. What is presentation layer responsible for in the OSI model?

The presentation layer establishes the data format prior to passing it along to the network application’s interface. TCP/IP networks perform this task at the application layer.

106. Does Windows Server 2003 support IPv6?

Yes.

107. What’s the difference between the basic disk and dynamic disk?

The basic type contains partitions, extended partitions, logical drives, and an assortment of static volumes; the dynamic type does not use partitions but dynamically manages volumes and provides advanced storage options.

108. How do you install recovery console?

C:\i386\winnt32 /cmdcons, assuming that your Windows server installation is on drive C.

109. What’s new in Terminal Services for Windows 2003 Server?

Supports audio transmissions as well, although prepare for heavy network load.

110. What’s the name of the user who connects to the Web site anonymously?

IUSR_computername

111. What’s the relation between SSL and TLS?

Transport Layer Security (TLS) extends SSL by providing cryptographic authentication.

112. What’s a heartbeat?

Communication processes between the nodes, designed to ensure the nodes’ health.

113. Which service do you use to set up various alerts?

MOM (Microsoft Operations Manager).

114. What is KCC?



115. How is AD offline defragmentation carried out?



116. What is metadata cleanup?



117. Network Monitor protocol and tools?



118. Which service is responsible for SYSVOL replication?



119. Define the following :

GPT: (Group Policy Template)

GPC: (Group Policy Container)

GPO: (Group Policy Object)

120. FSMO Roles

Introduction

In a Windows 2000 domain environment, all of the domain controllers are peers. There are no PDCs and BDCs as you find in a Windows NT domain. All Windows 2000 domain controllers contain a writable replica (or copy) of the Active Directory Database, and unlike the hierarchical server structure in a Windows NT domain (the PDC with subordinate BDCs), all domain controllers are equal.

The ability of all domain controllers in a Windows 2000 domain to update Active Directory, and then replicate it out to the other DCs, is referred to as Multimaster Replication. Compare that to a Windows NT domain which uses Single Master replication - the PDC has the only writable copy of the SAM and all updates can only happen at the PDC.

(The SAM, the Security Accounts Manager database, is replaced by the Active Directory database in Windows 2000.)

So why are there FSMO server roles? Since each DC in a Windows 2000 domain can update Active Directory, which then gets replicated to all other DCs, what happens if more than one person is making the same change to Active Directory at the same time? There are certain rules that are followed to prevent conflicts in updating the AD database, but some changes are too important to the domain to be left to these rules. Because of this, Microsoft came up with the idea of the Flexible Single Master Operations server roles. The servers that hold these FSMO roles are responsible for updating certain aspects of Active Directory. By making designated servers responsible for certain updates, instead of allowing every server to make all updates, you prevent conflicts in Active Directory updates.

In a Windows 2000 Domain environment, there are 5 server roles that are necessary for the proper functioning of the forest/domain (or Active Directory). These 5 server roles are collectively known as the Flexible Single Master Operations Roles or FSMO roles. All FSMO server roles exist on Domain Controllers. They do not exist on member servers. Two of the server roles exist at the Forest level and 3 server roles exist at the Domain level.

For example: If your Active Directory contains one forest and 1 domain, you would have 5 FSMO role holders. If your AD contained one forest and 2 domains, you would have 8 FSMO role holders - two at the forest level and 3 for each domain. Likewise, for an AD with one forest and 3 domains, you would have 11 server roles - two at the forest level and 3 for each domain.


FSMO Roles

The 5 FSMO server roles:

• Schema Master: forest level, one per forest

• Domain Naming Master: forest level, one per forest

• PDC Emulator: domain level, one per domain

• RID Master: domain level, one per domain

• Infrastructure Master: domain level, one per domain



1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the active directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.

• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.

• Account lockout is processed on the PDC emulator.

• Time synchronization for the domain.

• Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure Master role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, then the Infrastructure master is involved. Likewise, if that user in DomainA, who has been added to a group in DomainB, then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

How DHCP relay agents work

A relay agent relays DHCP/BOOTP messages that are broadcast on one of its connected physical interfaces, such as a network adapter, to other remote subnets to which it is connected by other physical interfaces. The following illustration shows how client C on Subnet 2 obtains a DHCP address lease from DHCP server 1 on Subnet 1.




1. DHCP client C broadcasts a DHCP/BOOTP discover message (DHCPDISCOVER) on Subnet 2, as a User Datagram Protocol (UDP) datagram using the well-known UDP server port of 67 (the port number reserved and shared for BOOTP and DHCP server communication).

2. The relay agent, in this case a DHCP/BOOTP relay-enabled router, examines the gateway IP address field in the DHCP/BOOTP message header. If the field has an IP address of 0.0.0.0, the agent fills it with the relay agent or router's IP address and forwards the message to the remote Subnet 1 where the DHCP server is located.

3. When DHCP server 1 on remote Subnet 1 receives the message, it examines the gateway IP address field for a DHCP scope that can be used by the DHCP server to supply an IP address lease.

4. If DHCP server 1 has multiple DHCP scopes, the address in the gateway IP address field (GIADDR) identifies the DHCP scope from which to offer an IP address lease.

For example, if the gateway IP address (GIADDR) field has an IP address of 10.0.0.2, the DHCP server checks its available set of address scopes for a scope range of addresses that matches the class A IP network that includes the gateway address as a host. In this case, the DHCP server would make a check for a scope of addresses between 10.0.0.1 and 10.0.0.254. If a matching scope exists, the DHCP server selects an available address from the matched scope to use in an IP address lease offer response to the client.

5. When DHCP server 1 receives the DHCPDISCOVER message, it processes and sends an IP address lease offer (DHCPOFFER) directly to the relay agent identified in the gateway IP address (GIADDR) field.

6. The router then relays the address lease offer (DHCPOFFER) to the DHCP client.

The client IP address is still unknown, so it has to be broadcast on the local subnet. Similarly, a DHCPREQUEST message is relayed from client to server, and a DHCPACK message is relayed from server to client, according to RFC 1542.
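The DISCOVER/OFFER leg of the exchange above, modelled as an added example (not part of the original page): the relay fills giaddr, the server matches giaddr to a scope, the offer is unicast to the relay and then broadcast to the client. The packet layout is the RFC 2131 fixed BOOTP header with options omitted; the addresses, scopes and client MAC are constructed sample values.

```python
"""DHCP relay walkthrough for steps 1 to 6 above (added example, not the
page's own code). Header layout is the RFC 2131 fixed BOOTP header with the
options field omitted; all addresses, scopes and the MAC are constructed."""
import ipaddress
import struct
from typing import List, Optional, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68
BROADCAST = "255.255.255.255"
HOPS_OFF, YIADDR_OFF, SIADDR_OFF, GIADDR_OFF = 3, 16, 20, 24


def _ipb(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _field(pkt: bytes, off: int) -> str:
    return str(ipaddress.IPv4Address(pkt[off:off + 4]))


def build_discover(chaddr: bytes, xid: int) -> bytes:
    """Step 1: DHCPDISCOVER as client C broadcasts it on Subnet 2. The client
    has no address yet, so ciaddr/yiaddr/siaddr/giaddr are all 0.0.0.0."""
    zero = _ipb("0.0.0.0")
    fixed = struct.pack("!BBBBIHH4s4s4s4s", BOOTREQUEST, 1, 6, 0, xid, 0,
                        0x8000, zero, zero, zero, zero)
    # chaddr (16), sname (64) and file (128) complete the 236-byte header
    return fixed + chaddr.ljust(16, b"\0") + bytes(64) + bytes(128)


def giaddr_of(pkt: bytes) -> str:
    return _field(pkt, GIADDR_OFF)


def relay_to_server(pkt: bytes, relay_ip: str) -> bytes:
    """Step 2: the relay writes its own interface address into giaddr only if
    it is still 0.0.0.0 (a second relay in the path must not overwrite the
    first), increments hops, and unicasts the packet to the DHCP server."""
    out = bytearray(pkt)
    if giaddr_of(pkt) == "0.0.0.0":
        out[GIADDR_OFF:GIADDR_OFF + 4] = _ipb(relay_ip)
    out[HOPS_OFF] += 1
    return bytes(out)


def select_scope(pkt: bytes, scopes: List[ipaddress.IPv4Network]
                 ) -> Optional[ipaddress.IPv4Network]:
    """Steps 3 and 4: the server picks the scope whose range contains giaddr.
    A giaddr of 0.0.0.0 means the request came from a directly attached
    subnet, which this model does not cover, so None is returned."""
    gi = giaddr_of(pkt)
    if gi == "0.0.0.0":
        return None
    return next((s for s in scopes if ipaddress.IPv4Address(gi) in s), None)


def build_offer(discover: bytes, yiaddr: str, server_ip: str) -> bytes:
    """Step 5: DHCPOFFER keeps xid, chaddr and giaddr from the DISCOVER and
    fills in the offered address (yiaddr) and the server address (siaddr)."""
    out = bytearray(discover)
    out[0] = BOOTREPLY
    out[YIADDR_OFF:YIADDR_OFF + 4] = _ipb(yiaddr)
    out[SIADDR_OFF:SIADDR_OFF + 4] = _ipb(server_ip)
    return bytes(out)


def offer_destination(offer: bytes) -> Tuple[str, int]:
    """Step 5: the server unicasts the OFFER to the relay named in giaddr on
    the server port; without a relay it would broadcast to the client port."""
    gi = giaddr_of(offer)
    return (gi, SERVER_PORT) if gi != "0.0.0.0" else (BROADCAST, CLIENT_PORT)


def relay_to_client(offer: bytes) -> Tuple[str, int]:
    """Step 6: the client still has no IP address, so the relay broadcasts the
    OFFER on the client's subnet to the client port."""
    return (BROADCAST, CLIENT_PORT)


def run_exchange() -> dict:
    """Run the DISCOVER/OFFER leg with constructed values: relay interface
    10.0.0.2 (the page's example giaddr), server 192.168.1.10 on Subnet 1."""
    scopes = [ipaddress.IPv4Network("192.168.1.0/24"),  # Subnet 1 (server's own)
              ipaddress.IPv4Network("10.0.0.0/24")]     # Subnet 2 (behind relay)
    discover = build_discover(bytes.fromhex("001122334455"), xid=0x3903F326)
    relayed = relay_to_server(discover, relay_ip="10.0.0.2")
    scope = select_scope(relayed, scopes)
    offered = str(list(scope.hosts())[19])  # pretend 10.0.0.20 is the first free address
    offer = build_offer(relayed, yiaddr=offered, server_ip="192.168.1.10")
    return {"giaddr_after_relay": giaddr_of(relayed), "hops": relayed[HOPS_OFF],
            "scope": str(scope), "offered": offered, "yiaddr": _field(offer, YIADDR_OFF),
            "offer_to": offer_destination(offer), "client_gets": relay_to_client(offer)}


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(f"{key:>20}: {value}")
```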

Delegate permission for AD user

To allow an ordinary user, or group, to add a computer to a domain, you can use either of the following:


• Assign rights using the Default Domain Group policy.

• Delegate rights using Active Directory Users and Computers.

Assign rights using the Default Domain Group policy:

1. Open the Default Domain Group policy.

2. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

3. Expand User Rights Assignment.

4. Double-click Add workstations to Domain.

5. Check the Define these policy settings box.

6. Press the Add User or Group button.

7. Complete the dialog to add the user or group.

8. Press Apply and OK.

Delegate rights using Active Directory Users and Computers:

1. Open the Active Directory Users and Computers snap-in.

2. Right-click the container under which you want the computers added, and press Delegate Control.

3. Press Next.

4. Press Add.

5. After adding all the users and/or groups, press Next.

6. Select Create custom task to delegate and press Next.

7. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and press Next.

8. Check the Create all child object box and press Next.

9. Press Finish.

Active Directory partitions

The Active Directory database is logically separated into directory partitions:


• Schema partition

• Configuration partition

• Domain partition

• Application partition

Each partition is a unit of replication, and each partition has its own replication topology. Replication occurs between replicas of a directory partition. At minimum, two directory partitions are common to all domain controllers in the same forest: the schema and configuration partitions. All domain controllers in the same domain additionally share a common domain partition.

Schema Partition

Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. The schema partition contains definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest.

Configuration Partition

There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.

Domain Partition

Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.

Application Partition

Application partitions store application-specific information in Active Directory. Each application determines how it stores, categorizes, and uses its information. To prevent unnecessary replication of specific application partitions, you can designate which domain controllers in a forest host them. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.

As an example of an application partition, if you use a Domain Name System (DNS) that is integrated with Active Directory you have two application partitions for DNS zones -- ForestDNSZones and DomainDNSZones:

• ForestDNSZones is part of a forest. All domain controllers and DNS servers in a forest receive a replica of this partition. A forest-wide application partition stores the forest zone data.

• DomainDNSZones is unique for each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. The domain's DNS zone data is stored in DomainDNSZones.

Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition. No DNS data is replicated to the global catalog server.

Active Directory Groups

There are two main groups in Active Directory: Distribution Groups and Security Groups.

• Distribution Groups are used to gather a specific set of users for non-security-related functions. Sending e-mail messages to a distribution group is the primary example of this. You cannot use distribution groups to assign rights and permissions. That is the function of a Security Group.

• Security Groups are used to gather a specific set of users for the specific reason of assigning access rights and permissions via the group rather than individually to each user object.

Each of these group types comes in several scopes (domain local, global, and universal), as outlined below.

• Security Domain local groups are where permissions are set to grant user access to network resources, such as files, folders, or printers in a single domain.

• Distribution Domain local groups allow the non-security-related function (e.g., e-mail) for group members of the single domain.

Domain Local Groups in a Mixed Mode Domain can contain users, global groups and universal groups from any domain in the forest. In Native Mode, they can also contain domain local groups from their own domain as well as be a member of another domain local group from within its own domain.

Security Domain Local Groups can be assigned permissions for any resource in the domain where the domain local group resides.

Security Global Groups organize domain user objects across domains. Distribution Global Groups would allow the non-security-related function (e.g., e-mail) for group members across domains.

Global Groups in a Mixed Mode Domain can contain user accounts from the group's local domain. In Native Mode they can contain other global groups (called Group Nesting) from the local domain.

Global Groups in a Mixed Mode Domain can be members of Domain local groups in any domain in the forest. In Native Mode they can be a member of another global (nested in another Global Group) in its own domain.

Security Global Groups can be assigned permissions for all of the domains in the forest.

Security Universal Groups are used to group users and grant permissions across an entire forest.

Distribution Universal Groups allow the non-security-related function (e.g., e-mail) for group members across the entire forest.

A Windows 2000 domain must be in native mode to create Universal Security Groups. In Mixed Mode only Universal Distribution Groups are available.

Universal Groups can contain user accounts, global groups and universal groups from any domain in the forest and can be a member of Domain local groups and other universal groups in any domain in the forest.

Universal Groups can be assigned permissions for all domains in the forest and should be used to nest global groups so that permissions can be more easily assigned to related resources in multiple domains. Individual users should not be added singly to universal groups, and you should keep membership changes in Universal Groups to a minimum, as these changes must be replicated throughout the forest.

When setting up access to any server it is important to remember that:

• Authentication determines the identity of a user

• Permissions determine what a valid user can access once authenticated

There are predefined global groups created to group common types of user accounts on Windows 2000 domain controllers.

By default, Windows 2000 automatically adds specific members to some predefined global groups. System administrators can add user objects to these predefined groups to provide additional users with the privileges and permissions assigned to the group.

Domain Admins: Windows 2000 automatically adds Domain Admins to the Administrators built-in domain local group so that members of Domain Admins can perform administrative tasks on any computer anywhere in the domain. By default, the Administrator account is a member. Also, any computer that joins the domain automatically places the Domain Admins group in the Administrators local group.

Domain Guests: Windows 2000 automatically adds Domain Guests to the Guests built-in domain local group. By default, the Guest account is a member.

Domain Users: Windows 2000 automatically adds Domain Users to the Users built-in domain local group. By default, the Administrator, Guest, IUSR_computername, IWAM_computername, Krbtgt, and TsInternetUser accounts are initially members, and each new domain user account is automatically made a member.

Enterprise Admins: Windows 2000 allows you to add user accounts to Enterprise Admins for users who require administrative control for the entire network, and then adds Enterprise Admins to the Administrators domain local group in each domain. By default, the Administrator account is a member.

Windows 2000 also creates built-in domain local groups in each Active Directory domain. These groups provide all included users with specific user rights and permissions to perform tasks and are set up with predefined rights and permissions.

The most commonly used built-in domain local groups and their default properties are as follows:

• Account Operators: Members of the built-in Account Operators domain local group are allowed by default to create, delete, and modify user and group objects; members cannot modify the Administrators group or any of the operators groups.

• Administrators: Members of the built-in Administrators domain local group are allowed by default to perform all administrative tasks on all domain controllers and on the domain itself. By default, the Administrator user object and the Domain Admins and Enterprise Admins predefined global groups are members.

• Backup Operators: Members of the built-in Backup Operators domain local group are allowed by default to back up and restore all domain controllers using Windows Backup.

• Guests: Members of the built-in Guest domain local group can by default perform only tasks for which you have granted rights; members can gain access only to resources for which you have assigned permissions. Members cannot make permanent changes to their desktop environment. By default, the Guest, IUSR_computername, IWAM_computername, and TsInternetUser user accounts and the Domain Guests predefined global group are members.

• Pre-Windows 2000 Compatible Access: This built-in domain local group is a backward-compatibility group that provides read access for all users and groups in the domain. When you select the Permissions Compatible With Pre-Windows 2000 Servers option in the Active Directory Installation Wizard, the Everyone pre-Windows 2000 system group is made a member.

• Print Operators: Members of the built-in Print Operators domain local group are allowed by default to set up and manage network printers on domain controllers.

• Replicator: This built-in domain local group supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add the accounts of actual users to this group.

• Server Operators: Members of the built-in Server Operators domain local group are allowed by default to share disk resources and back up and restore files on a domain controller.

• Users: Members of the built-in Users domain local group are allowed by default to perform only tasks for which you have granted rights, and they can access only the resources for which you have assigned permissions. By default, the Authenticated Users and Interactive pre-Windows 2000 groups, and the Domain Users predefined global group are members. Use this group to assign permissions and rights that every user with an account in your domain should have.

Windows 2000 stand-alone servers, member servers, and computers running the Windows 2000 Professional and Windows XP Professional desktop operating systems all have built-in local groups that give users the rights to perform specific preconfigured system tasks on the local system. Built-in local groups are located in the \Groups folder in the Local Users and Groups snap-in by default as part of the Computer Management console on every computer running Windows 2000 and Windows XP, and all Windows 2000 stand-alone and member servers.

The most commonly used built-in local groups and their default properties are as follows:

• Administrators: Members of the built-in Administrators local group are allowed by default to perform all administrative tasks on the computer. By default, the built-in Administrator user account for the computer is a member. When a member server or computer running Microsoft Windows 2000 Workstation joins a domain, Windows 2000 adds the Domain Admins predefined global group to the local Administrators group.

• Backup Operators: Members of the built-in Backup Operators local group are allowed by default to use Windows Backup to back up and restore the local system.

• Guests: Members of the built-in Guests local group are allowed by default to perform only tasks for which you have specifically granted rights and can access only resources for which you have assigned permissions; members cannot make permanent changes to their desktop environment. By default, the built-in Guest account for the computer is a member. When a member server or a computer running Windows 2000 Workstation joins a domain, Windows 2000 adds the Domain Guests predefined global group to the local guests group.

• Power Users: Members of the built-in Power Users local group are allowed by default to create and modify user accounts on the local system and share resources on the local system.

• Replicator: This built-in local group supports directory replication functions. The only member should be a domain user account used to log on to the Replicator services of the domain controller. Do not add the accounts of actual users to this group.

• Users: Members of the built-in Users local group are allowed by default to perform only tasks for which you have specifically granted rights and can access only resources for which you have assigned permissions. By default, Windows 2000 adds to the Users group local user accounts that you create on the computer. When a member server or a computer running Windows 2000 Professional joins a domain, Windows 2000 adds the Domain Users predefined global group to the local Users group.

Special identity groups do not have specific memberships that Administrators directly modify, but they represent different users at different times, depending on how a user accesses a given system or resource on that system. Special identity groups are not found in the Local Users and Groups or Active Directory Users and Computers MMC (Microsoft Management Console) snap-ins for direct administration, but these groups are available for use when you assign rights and permissions to resources.

The most commonly used special identity groups and their default properties are as follows:

• Anonymous Logon special identity group includes any user account that Windows 2000 did not authenticate to the local system, such as an anonymous FTP user.

• Authenticated Users special identity group includes all users with a valid user account on the computer or in Active Directory service. Use the Authenticated Users group instead of the Everyone group to prevent anonymous access to a resource.

• Creator Owner special identity group includes the user account for the user who created or took ownership of a resource. If a member of the Administrators group creates a resource, the Administrators group is owner of the resource.

• Dialup special identity group includes any user who currently has a dial-up connection to the local system.

• Everyone special identity group includes all users who access the computer. Be careful if you assign permissions to the Everyone group and enable the Guest account. Windows 2000 authenticates as Guest a user who does not have a valid user account. The user automatically gets all rights and permissions that you have assigned to the Everyone group. The Everyone group is assigned full control to many resources by default.

• Interactive special identity group includes the user account for the user who is logged on at the local system console. Members of the Interactive group gain access to resources on the computer at which they are physically located.

• Network special identity group includes any user with a current connection from another computer on the network to a shared resource on the computer.

How do I remove a domain controller from Active Directory after an unsuccessful demotion?

The DCPROMO (Dcpromo.exe) utility is used for promoting a server to a domain
controller and demoting a domain controller to a member server (or to a
standalone server in a workgroup if the domain controller is the last in the
domain). As part of the demotion process, the DCPROMO utility removes the
configuration data for the domain controller from the Active Directory. This data
takes the form of an "NTDS Settings" object, which exists as a child to the server
object in the Active Directory Sites and Services Manager .
The information is in the following location in the Active Directory:

CN=NTDS Settings,CN=<ServerName>,CN=Servers,CN=<SiteName>,CN=Sites,CN=Configuration,DC=...

The attributes of the NTDS Settings object include data representing how the
domain controller is identified in respect to its replication partners, the naming
contexts that are maintained on the machine, whether or not the domain
controller is a Global Catalog server, and the default query policy. The NTDS
Settings object is also a container that may have child objects that represent the
domain controller's direct replication partners. This data is required for the
domain controller to operate within the environment, but is retired upon demotion.
In the event that the NTDS Settings object is not removed properly (for example,
the NTDS Settings object is not properly removed from a demotion attempt), the
administrator can use the Ntdsutil.exe utility to manually remove the NTDS
Settings object. The following steps list the procedure for removing the NTDS
Settings object in the Active Directory for a given domain controller. At each
NTDSUTIL menu, the administrator can type help for more information about the
available options.

CAUTION : The administrator should also check that replication has occurred
since the demotion before manually removing the NTDS Settings object for any
server. Using the NTDSUTIL utility improperly can result in partial or complete
loss of Active Directory functionality.

1. Click Start , point to Programs , point to Accessories , and then click Command
Prompt .

2. At the command prompt, type ntdsutil .

3. Type metadata cleanup , and then press ENTER. Based on the options given, the
administrator can perform the removal, but additional configuration parameters
need to be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the specific
server on which the changes occur. If the currently logged on user does not have
administrative permissions, alternate credentials can be supplied by specifying the
credentials to use before making the connection. To do so, type set creds <domain
name> <username> <password> and press ENTER. For a null password, type null for
the password parameter.

5. Type connect to server servername , and then press ENTER. You should receive
confirmation that the connection is successfully established. If an error occurs,
verify that the domain controller being used in the connection is available and the
credentials you supplied have administrative permissions on the server.

NOTE : If you attempt to connect to the same server that you want to delete,
when you attempt to delete the server referred to in step 15, you may receive the
following error message:
Error 2094. The DSA Object cannot be deleted0x2094

6. Type quit and press ENTER. The Metadata Cleanup menu is displayed.

7. Type select operation target and press ENTER.

8. Type list domains and press ENTER. A list of domains in the forest is displayed,
each with an associated number.

9. Type select domain number and press ENTER, where number is the number
associated with the domain to which the server you are removing is a member.
The domain you select is used to determine if the server being removed is the last
domain controller of that domain.

10. Type list sites and press ENTER. A list of sites, each with an associated number,
is displayed.

11. Type select site number and press ENTER, where number is the number
associated with the site to which the server you are removing is a member. You
should receive a confirmation listing the site and domain you chose.

12. Type list servers in site and press ENTER. A list of servers in the site, each with
an associated number, is displayed.

13. Type select server number , where number is the number associated with the
server you want to remove. You receive a confirmation listing the selected server,
its Domain Name Server (DNS) host name, and the location of the server's
computer account you want to remove.

14. Type quit and press ENTER. The Metadata Cleanup menu is displayed.

15. Type remove selected server and press ENTER. You should receive
confirmation that the removal completed successfully. If you receive the
following error message:

Error 8419 (0x20E3)
The DSA object could not be found

then the NTDS Settings object may already have been removed from Active
Directory, either because another administrator removed it or because the
successful removal performed by the DCPROMO utility has since replicated.

NOTE : You may also see this error when you attempt to bind to the domain
controller that is going to be removed. Ntdsutil needs to bind to a domain
controller other than the one that is going to be removed with metadata cleanup.

16. Type quit at each menu to quit the NTDSUTIL utility. You should receive
confirmation that the connection disconnected successfully.

17. Remove the CNAME record in the _msdcs.<forest root domain> zone in DNS.
Assuming that the DC is going to be reinstalled and re-promoted, a new NTDS
Settings object is created with a new globally unique identifier (GUID) and a
matching CNAME record in DNS. You do not want the existing DCs to use the
old CNAME record.
As a best practice you should also delete the host name and other DNS records. If
the remaining lease time on the Dynamic Host Configuration Protocol (DHCP) address
assigned to the offline server expires, another client can obtain the IP address
of the problem DC.

Now that the NTDS Settings object has been deleted, the following objects can be
deleted as well:

1. Use ADSIEdit to delete the computer account in the OU=Domain
Controllers,DC=domain...

NOTE : The FRS subscriber object is deleted when the computer object is
deleted, since it is a child of the computer account.

2. Use ADSIEdit to delete the FRS member object in CN=Domain System Volume
(SYSVOL share),CN=file replication service,CN=system....

3. In the DNS console, use the DNS MMC to delete the cname (also known as the
Alias) record in the _msdcs container.

4. In the DNS console, use the DNS MMC to delete the A (also known as the Host)
record in DNS.

5. If the deleted computer was the last domain controller in a child domain and the
child domain was also deleted, use ADSIEdit to delete the trustDomain object for
the child in CN=System, DC=domain, DC=domain, Domain NC.