1) What is
Active Directory?
Active Directory (AD) is a directory
service created by Microsoft for Windows
domain networks. It is centralized control for objects like users,
contacts, computers, groups, organization units, Domain controllers…etc.
2) What is
LDAP?
The Lightweight Directory Access
Protocol (LDAP) is an application protocol for querying and modifying data of
directory services. Lightweight
Directory Access Protocol (LDAP)
is a directory service protocol that runs directly over the TCP/IP stack.
3) Can you
connect Active Directory to other 3rd-party Directory Services? Name a few
options.
Yes, you can Connect Active Directory to
other 3rd -party Directory Services such as dictionaries used by SAP, Domino
etc with the help of MIIS (Microsoft Identity Integration Server)
4) Where is
the AD database held? What other folders are related to AD?
The
Active Directory Database is Stored in %SYSTEM ROOT%\NDTS folder. The active directory uses the sysvol folder as
well. The file is called as ntds.dit. Along with this file there are
other files also present in this folder. The files are created when you run dcpromo.
The list of files and use of those files are listed below
1. ntds.dit: This is the main database file for active directory.
2. Edb.log: When a transaction performed to add database, like writing some data first, the data will be stored to this file. And after that it will be sent to database. So the system performance will be depends on how this data from edb.log file will be written to ntds.dit
3. res1.log: Used as reserve space in the case when drive had low space. It is basically 10MB in size and created when we run dcpromo.
4. Res2.log: Same as res1.log. It is also 10MB in size and the purpose also same.
5. Edb.chk: This file records the transactions committed to add database. During shutdown, shutdown statement is written to this file. If it is not found when the system rebooted, the ad database tries to check with edb.log for the updated information.
Edb corruption or Edb active directory corruption is really serious. However you can get this repaired by using edb repair tool.
The Active Directory Database is Stored in %SYSTEM ROOT%\NDTS folder.
The active directory uses the sysvol folder as well to replicate.
1. ntds.dit: This is the main database file for active directory.
2. Edb.log: When a transaction performed to add database, like writing some data first, the data will be stored to this file. And after that it will be sent to database. So the system performance will be depends on how this data from edb.log file will be written to ntds.dit
3. res1.log: Used as reserve space in the case when drive had low space. It is basically 10MB in size and created when we run dcpromo.
4. Res2.log: Same as res1.log. It is also 10MB in size and the purpose also same.
5. Edb.chk: This file records the transactions committed to add database. During shutdown, shutdown statement is written to this file. If it is not found when the system rebooted, the ad database tries to check with edb.log for the updated information.
Edb corruption or Edb active directory corruption is really serious. However you can get this repaired by using edb repair tool.
The Active Directory Database is Stored in %SYSTEM ROOT%\NDTS folder.
The active directory uses the sysvol folder as well to replicate.
5) What is
the SYSVOL folder?
Every domain controller has a shared
folder in its local file system that is the file system component of Active
Directory. This shared folder, named SYSVOL, contains files and folders that
must be available and synchronized between domain controllers in a domain,
including:
The
NETLOGON shared folder, which includes system policies and user-based logon and
logoff scripts for non-Windows Server 2003 and non-Windows 2000
network clients, such as clients running Windows 95, Windows 98, and
Windows NT 4.0.
Windows Server 2003 and Windows 2000 system
policies
When you add,
remove, or modify the contents in the SYSVOL shared folder, FRS replicates the
changed contents to the SYSVOL shared folders on all other domain controllers
in the domain.
6) Name the
AD NCs and replication issues for each NC
*Schema NC
*Configuration NC
* Domain NC
Schema NC This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifies and forest-wide Active Directory quotas.
Domain NC This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
Schema NC This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifies and forest-wide Active Directory quotas.
Domain NC This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
7) What are
application partitions? When do I use them
An application directory
partition is a directory partition that is replicated only to specific domain
controllers. A domain controller that participates in the replication of a
particular application directory partition hosts a replica of that partition. Only
domain controllers running Windows Server 2003 can host a replica of an
application directory partition.
Application
directory partitions are usually created by the applications that will use them
to store and replicate data. For testing and troubleshooting purposes, members
of the Enterprise Admins group can manually create or manage application
directory partitions using the Ntdsutil command-line tool.
One
of the benefits of an application directory partition is that, for redundancy,
availability, or fault tolerance, the data in it can be replicated to different
domain controllers in a forest
8) How do you
create a new application partition
The creation of the application partition can be
done by using NTDSUTIL or DNSCMD command line tools.
To
create or delete an application directory partition
·
Open Command Prompt.
·
Type:
ntdsutil
ntdsutil
·
At the ntdsutil command prompt, type:
domain management
domain management
·
At the domain management command prompt, type:
connection
connection
·
At the server connections command prompt, type:
connect to server ServerName
connect to server ServerName
·
At the server connections command prompt, type:
quit
quit
·
At the domain management command prompt, do one
of the following:
o
To create an application directory partition,
type:
create nc ApplicationDirectoryPartition DomainController
create nc ApplicationDirectoryPartition DomainController
o
To delete an application directory partition,
type:
delete nc ApplicationDirectoryPartition
delete nc ApplicationDirectoryPartition
9) How do you
view replication properties for AD partitions and DCs?
By using replication monitor
go to start > run > type repadmin
go to start > run > type replmon
go to start > run > type repadmin
go to start > run > type replmon
10) What is
the Global Catalog?
The Global Catalog (GC) contains an entry
for every object in an enterprise forest but only a few properties for each
object.
11) How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.
To find the in GC from the command line you can try using DSQUERY command.
dsquery server -isgc to find all the gc's in the forest
you can try dsquery server -forest -isgc.
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.
To find the in GC from the command line you can try using DSQUERY command.
dsquery server -isgc to find all the gc's in the forest
you can try dsquery server -forest -isgc.
12) Why not make all DCs in a large forest as
GCs?
The reason that all DCs are not GCs to start is that in large (or
even Giant) forests the DCs would all have to hold a reference to every object
in the entire forest which could be quite large and quite a replication burden.
For a few hundred, or a few thousand users even, this not likely to matter unless you have really poor WAN lines.
For a few hundred, or a few thousand users even, this not likely to matter unless you have really poor WAN lines.
13) Trying
to look at the Schema, how can I do that?
I believe this question is referring to the Active Directory schema, in which case, adsiedit.exe is a good place to start.
Option to view the schema
Register schmmgmt.dll using this command
C:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> add snapin --> add Active directory schema
Name it as schema.msc
Open administrative tool --> schema.msc
14) What are the Support Tools? Why do I need them?
I believe this question is referring to the Active Directory schema, in which case, adsiedit.exe is a good place to start.
Option to view the schema
Register schmmgmt.dll using this command
C:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> add snapin --> add Active directory schema
Name it as schema.msc
Open administrative tool --> schema.msc
14) What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing the
complicated tasks easily. These can also be the third party tools. Some of the
Support tools include DebugViewer, DependencyViewer, RegistryMonitor, etc.
-edit by Casquehead
I believe this question is reffering to the Windows Server 2003 Support Tools, which are included with Microsoft Windows Server 2003 Service Pack 2. They are also available for download here:
http://www.Microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
-edit by Casquehead
I believe this question is reffering to the Windows Server 2003 Support Tools, which are included with Microsoft Windows Server 2003 Service Pack 2. They are also available for download here:
http://www.Microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
You need them because you cannot properly manage an Active
Directory network without them.
Here they are, it would do you well to familiarize yourself with all of them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
Here they are, it would do you well to familiarize yourself with all of them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
15) What is
LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
LDP:
The Lightweight
Directory Access Protocol, or LDAP is an application protocol for querying and
modifying directory services running over TCP/IP.[1]
REPLMON: Replmon is the first tool
you should use when troubleshooting Active Directory replication issues. As it
is a graphical tool, replication issues are easy to see and somewhat easier to
diagnose than using its command line counterparts. The purpose of this document
is to guide you in how to use it, list some common replication errors and show
some examples of when replication issues can stop other network installation
actions.
for more go to http://www.techtutorials.net/articles/replmon_howto_a.html
for more go to http://www.techtutorials.net/articles/replmon_howto_a.html
ADSIEDIT: ADSIEdit is a Microsoft
Management Console (MMC) snap-in that acts as a low-level editor for Active
Directory. It is a Graphical User Interface (GUI) tool. Network administrators
can use it for common administrative tasks such as adding, deleting, and moving
objects with a directory service. The attributes for each object can be edited
or deleted by using this tool. ADSIEdit uses the ADSI application programming
interfaces (APIs) to access Active Directory. The following are the required
files for using this tool:
· ADSIEDIT.DLL
· ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) is necessary
NETDOM: NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secures channels
A:
Enables administrators to manage Active Directory domains and trust relationships from the command prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
You can use netdom to:
Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008 or Windows Server 2003 or Windows 2000 or Windows NT 4.0 domain.
Provide an option to specify the organizational unit (OU) for the computer account.
Generate a random computer password for an initial Join operation.
Manage computer accounts for domain member workstations and member servers. Management operations include: Add, Remove, Query. An option to specify the OU for the computer account.
An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account.
Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0 domain.
From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain in another enterprise.
Between two Windows 2000 or Windows Server 2003 or Windows Server 2008 domains in an enterprise (a shortcut trust).
The Windows Server 2008 or Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos protocol realm.
Verify or reset the secure channel for the following configurations:
Member workstations and servers.
Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
Specific Windows Server 2008 or Windows Server 2003 or Windows 2000 replicas.
Manage trust relationships between domains, including the following operations:
Enumerate trust relationships (direct and indirect).
View and change some attributes on a trust.
· ADSIEDIT.DLL
· ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) is necessary
NETDOM: NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secures channels
A:
Enables administrators to manage Active Directory domains and trust relationships from the command prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
You can use netdom to:
Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008 or Windows Server 2003 or Windows 2000 or Windows NT 4.0 domain.
Provide an option to specify the organizational unit (OU) for the computer account.
Generate a random computer password for an initial Join operation.
Manage computer accounts for domain member workstations and member servers. Management operations include: Add, Remove, Query. An option to specify the OU for the computer account.
An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account.
Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0 domain.
From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain in another enterprise.
Between two Windows 2000 or Windows Server 2003 or Windows Server 2008 domains in an enterprise (a shortcut trust).
The Windows Server 2008 or Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos protocol realm.
Verify or reset the secure channel for the following configurations:
Member workstations and servers.
Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
Specific Windows Server 2008 or Windows Server 2003 or Windows 2000 replicas.
Manage trust relationships between domains, including the following operations:
Enumerate trust relationships (direct and indirect).
View and change some attributes on a trust.
16) What are
sites? What are they used for?
Active Directory sites, which consist of well-connected networks
defined by IP subnets that help define the physical structure of your AD, give you much better control over
replication traffic and authentication traffic than the control you get with Windows NT 4.0 domains.
Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites.
Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites.
17) What's the
difference between a site link's schedule and interval?
Schedule enables you to list weekdays or hours when the site
link is available for replication to happen in the give interval. Interval is
the re occurrence of the inter site replication in given minutes. It ranges
from 15 ? 10,080 mins. The default interval is 180 mins
18) What is
the KCC?
Knowledge Consistency Checker: The KCC is a built-in process that runs on
all domain controllers. It is a dynamic-link library that modifies data in the
local directory in response to system wide changes, which are made known to the
KCC by changes to the data within Active Directory. The KCC generates and
maintains the replication topology for replication within sites and between
sites.
19) What is
the ISTG? Who has that role by default?
Inter-Site Topology Generator:
Inter-site
Topology Generator (ISTG), which is responsible for the connections among the
sites. By default Windows 2003 Forest level functionality has this role.
Windows 2000 Domain controllers each
create Active Directory Replication connection objects representing inbound
replication from intra-site replication partners. For inter-site replication,
one domain controller per site has the responsibility of evaluating the
inter-site replication topology and creating Active Directory Replication
Connection objects for appropriate bridgehead servers within its site. The
domain controller in each site that owns this role is referred to as the
Inter-Site Topology Generator (ISTG).
20) What are
the requirements for installing AD on a new server?
· An NTFS partition with enough free space (250MB minimum)
· An Administrator's username and password
· The correct operating system version
· A NIC
· Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
· A network connection (to a hub or to another computer via a crossover cable)
· An operational DNS server (which can be installed on the DC itself)
· A Domain name that you want to use
· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
· An Administrator's username and password
· The correct operating system version
· A NIC
· Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
· A network connection (to a hub or to another computer via a crossover cable)
· An operational DNS server (which can be installed on the DC itself)
· A Domain name that you want to use
· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
21) What can
you do to promote a server to DC if you're in a remote location with slow WAN
link?
Take the system state backup
of current Global Catalog server
Write / burn it on the CD
Send the CD to the destination (remote location)
On the new server which needs to be promoted to be DC
type dcpromo/adv on run then follow the steps.
Write / burn it on the CD
Send the CD to the destination (remote location)
On the new server which needs to be promoted to be DC
type dcpromo/adv on run then follow the steps.
· click Run, type dcpromo /adv
to open the Active Directory Installation Wizard with the option to create an
additional domain controller from restored backup files.
· On the Domain Controller Type page, click Additional domain controller for an existing domain, and then click Next.
· On the Copying Domain
Information page, can do any of the following steps:
o Click From these restored
backup files, and type or Browse to locate the restored files, and then click
Next.
· On the Network Credentials
page, type the user name, password, and user domain of the user account you
want to use for this operation, and then click Next.
The user account must be a member of the Domain Admins group for the target domain.
The user account must be a member of the Domain Admins group for the target domain.
· On the Database and Log
Folders page, type the location in which you want to install the database and
log folders, or click Browse to choose a location, and then click Next.
· On the Shared System Volume
page, type the location in which you want to install the Sysvol folder, or
click Browse to choose a location, and then click Next.
· On the Directory Services
Restore Mode Administrator Password page, type and confirm the password that
you want to assign to the Administrator account for this server, and then click
Next. Use this password when starting
the computer in Directory Services Restore Mode.
Restart the computer.
22) How can
you forcibly remove AD from a server, and what do you do later? • Can I get
user passwords from the AD database?
Demote the server using dcpromo /forceremoval, then remove the
metadata from Active directory using ndtsutil. There is no way to get user
passwords from AD that I am aware of, but you should still be able to change
them.
Another way out too
Restart the DC is DSRM mode
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right-pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode
its a member server now but AD entries are still there. Promote the server to a fake domain say ABC.com and then remove gracefully using DCpromo. Else after restart you can also use ntdsutil to do metadata as told in the earlier post
Another way out too
Restart the DC is DSRM mode
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right-pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode
its a member server now but AD entries are still there. Promote the server to a fake domain say ABC.com and then remove gracefully using DCpromo. Else after restart you can also use ntdsutil to do metadata as told in the earlier post
23) What tool
would I use to try to grab security related packets from the wire?
You must use sniffer-detecting tools to help
stop the snoops. ...
A good packet sniffer would be "ethereal"
A good packet sniffer would be "ethereal"
24) Name some
OU design considerations.
OU design requires balancing
requirements for delegating administrative rights - independent of Group Policy
needs - and the need to scope the application of Group Policy. The following OU
design recommendations address delegation and scope issues:
Applying Group Policy An OU
is the lowest-level Active Directory container to which you can assign Group Policy
settings.
Delegating administrative
authority
Usually don't go more than 3 OU
levels
25) What is
tombstone lifetime attribute?
The number of days before a
deleted object is removed from the directory services. This assists in removing
objects from replicated servers and preventing restores from reintroducing a
deleted object. This value is in the Directory Service object in the
configuration NIC
by default in Windows Server
2000 (60 days).
Windows Server 2003 (180 days).
26) What do
you do to install a new Windows 2003 DC in a Windows 2000 AD?
If you plan to install windows 2003
server domain controllers into an existing windows 2000 domain or upgrade a
windows 2000 domain controllers to windows server 2003, you first need to run
the Adprep.exe utility on the windows 2000 domain controllers currently holding
the schema master and infrastructure master roles. The adprep / forestprer
command must first be issued on the windows 2000 server holding schema master
role in the forest root doman to prepare the existing schema to support windows
2003 active directory. The adprep /domainprep command must be issued on the
sever holding the infrastructure master role in the domain where 2000 server
will be deployed.
27) What do
you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows
2003 R2 on an existing Windows 2003 server with SP1 installed, you require only
the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the
Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a
domain controller (DC), you must first upgrade the schema to the R2 version
(this is a minor change and mostly related to the new Dfs replication engine).
To update the schema, run the Adprep utility, which you'll find in the
Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command,
ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).
Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep
/forestprep
ADPREP WARNING:
Before running adprep, all
Windows 2000 domain controllers in the forest should be upgraded to Windows
2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows
2000 SP2 and later) is required to prevent potential domain controller
corruption.
For more information about
preparing your forest and domain see KB article Q3311 61 at
http://support.microsoft.com.
[User Action] If ALL your
existing Windows 2000 domain controllers meet this requirement, type C and then
press ENTER to continue. Otherwise, type any other key and press ENT ER to
quit.
C Opened Connection to
SAVDALDC01 SSPI Bind succeeded Current Schema Version is 30 Upgrading schema to
version 31 Connecting to "SAVDALDC01" Logging in as current user
using SSPI Importing directory from file
"C:\WINDOWS\system32\sch31.ldf" Loading
entries.....................................................
...................................................... 139 entries modified
successfully.
The command has completed
successfully Adprep successfully updated the forest-wide information.
After running Adprep, install
R2 by performing these steps:
1.
Click the "Continue Windows Server 2003 R2 Setup" link,
as the figureshows.
2.
At the "Welcome to the Windows Server 2003 R2 Setup
Wizard" screen, click Next.
3.
You'll be prompted to enter an R2 CD key (this is different from
your existing Windows 2003 keys) if the underlying OS wasn't installed from R2
media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click
Next. Note: The license key entered for R2 must match the underlying OS type,
which means if you installed Windows 2003 using a volume-license version key,
then you can't use a retail or Microsoft Developer Network (MSDN) R2 key.
4.
You'll see the setup summary screen which confirms the actions to
be performed (e.g., Copy files). Click Next.
5.
After the installation is complete, you'll see a confirmation
dialog box. Click Finish
28) How would
you find all users that have not logged on since last month?
Dsquery is a command-line tool that is built into Windows Server
2008. It is available if you have the Active Directory Domain Services (AD DS)
server role installed. To use dsquery, you must run the dsquery command from an
elevated command prompt. To open an elevated command prompt, click Start,
right-click Command Prompt, and then click Run as administrator
dsquery -inactive < NumberOfWeeks> will give you the answer
dsquery -inactive < NumberOfWeeks> will give you the answer
29) What are
the DS* commands?
New DS (Directory
Service) Family of built-in command line utilities for Windows Server
2003 Active Directory
New DS built-in tools for
Windows Server 2003
The DS (Directory Service) group of commands are split into two families. In one branch are DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery and DSGet.
The DS (Directory Service) group of commands are split into two families. In one branch are DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery and DSGet.
When it comes to choosing a
scripting tool for Active Directory objects, you really are spoilt for choice.
The the DS family of built-in command line executables offer alternative
strategies to CSVDE, LDIFDE and VBScript.
Let me introduce you to the
members of the DS family:
DSadd - add Active Directory
users and groups
DSmod - modify Active Directory objects
DSrm - to delete Active Directory objects
DSmove - to relocate objects
DSQuery - to find objects that match your query attributes
DSget - list the properties of an object
DS Syntax
These DS tools have their own command structure which you can split into five parts:
DSmod - modify Active Directory objects
DSrm - to delete Active Directory objects
DSmove - to relocate objects
DSQuery - to find objects that match your query attributes
DSget - list the properties of an object
DS Syntax
These DS tools have their own command structure which you can split into five parts:
1 2 3 4 5
Tool object "DN" (as in LDAP distinguished name) -switch value For example:
DSadd user "cn=billy, ou=managers, dc=cp, dc=com" -pwd cX49pQba
Tool object "DN" (as in LDAP distinguished name) -switch value For example:
DSadd user "cn=billy, ou=managers, dc=cp, dc=com" -pwd cX49pQba
This will add a user called
Billy to the Managers OU and set the password to cx49Qba
Here are some of the common DS switches which work with DSadd and DSmod
-pwd (password) -upn (userPrincipalName) -fn (FirstName) -samid (Sam account name).
The best way to learn about
this DS family is to logon at a domain controller and experiment from the
command line. I have prepared examples of the two most common programs. Try
some sample commands for DSadd.
Two most useful Tools: DSQuery
and DSGet
The DSQuery and DSGet remind me of UNIX commands in that they operate at the command line, use powerful verbs, and produce plenty of action. One pre-requisite for getting the most from this DS family is a working knowledge of LDAP.
The DSQuery and DSGet remind me of UNIX commands in that they operate at the command line, use powerful verbs, and produce plenty of action. One pre-requisite for getting the most from this DS family is a working knowledge of LDAP.
If you need to query users or
computers from a range of OU's and then return information, for example,
office, department manager. Then DSQuery and DSGet would be your tools of
choice. Moreover, you can export the information into a text file
30) What's the
difference between LDIFDE and CSVDE? Usage considerations?
Ldifde
Ldifde creates, modifies, and
deletes directory objects on computers running Windows Server 2003 operating
systems or Windows XP Professional. You can also use Ldifde to
extend the schema, export Active Directory user and group information to other
applications or services, and populate Active Directory with data from
other directory services.
The LDAP Data Interchange
Format (LDIF) is a draft Internet standard for a file format that may be used
for performing batch operations against directories that conform to the LDAP
standards. LDIF can be used to export and import data, allowing batch
operations such as add, create, and modify to be performed against the Active Directory.
A utility program called LDIFDE is included in Windows 2000 to support batch
operations based on the LDIF file format standard. This article is designed to
help you better understand how the LDIFDE utility can be used to migrate
directories.
Csvde
Imports and exports data from
Active Directory Domain Services (AD DS) using files that store data in the
comma-separated value (CSV) format. You can also support batch operations based
on the CSV file format standard.
Csvde is a
command-line tool that is built into Windows Server 2008 in the/system32
folder. It is available if you have the AD DS or Active Directory Lightweight
Directory Services (AD LDS) server role installed. To use csvde, you
must run the csvde command from an elevated command prompt. To open an
elevated command prompt, click Start, right-click Command Prompt,
and then click Run as administrator.
DIFFERENCE
USAGE WISE
Csvde.exe is a Microsoft
Windows 2000 command-line utility that is located in the SystemRoot\System32 folder
after you install Windows 2000. Csvde.exe is similar to Ldifde.exe, but it
extracts information in a comma-separated value (CSV) format. You can use Csvde
to import and export Active Directory data that uses the comma-separated value
format. Use a spreadsheet program such as Microsoft Excel to open this .csv
file and view the header and value information. See Microsoft Excel Help for
information about functions such as Concatenate that can simplify the
process of building a .csv file.
Note Although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only import and export Active Directory data by using a comma-separated format (.csv). Microsoft recommends that you use the Ldifde utility for Modify or Delete operations. Additionally, the distinguished name (also known as DN) of the item that you are trying to import must be in the first column of the .csv file or the import will not work.
The source .csv file can come from an Exchange Server directory export. However, because of the difference in attribute mappings between the Exchange Server directory and Active Directory, you must make some modifications to the .csv file. For example, a directory export from Exchange Server has a column that is named "obj-class" that you must rename to "objectClass." You must also rename "Display Name" to "displayName."
Note Although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only import and export Active Directory data by using a comma-separated format (.csv). Microsoft recommends that you use the Ldifde utility for Modify or Delete operations. Additionally, the distinguished name (also known as DN) of the item that you are trying to import must be in the first column of the .csv file or the import will not work.
The source .csv file can come from an Exchange Server directory export. However, because of the difference in attribute mappings between the Exchange Server directory and Active Directory, you must make some modifications to the .csv file. For example, a directory export from Exchange Server has a column that is named "obj-class" that you must rename to "objectClass." You must also rename "Display Name" to "displayName."
31) What are
the FSMO roles? Who has them by default? What happens when each one fails?
FSMO stands for the Flexible
single Master Operation
The 5 FSMO server
roles:
Schema Master
|
Forest Level
|
One per forest
|
Domain Naming Master
|
Forest Level
|
One per forest
|
PDC Emulator
|
Domain Level
|
One per domain
|
RID Master
|
Domain Level
|
One per domain
|
Infrastructure Master
|
Domain Level
|
One per domain
|
Schema Master (Forest level):
The schema master domain controller controls all updates and
modifications to the schema. Once the Schema update is complete, it is replicated from the
schema master to all other DCs in the directory. To update the schema of a
forest, you must have access to the schema master. There can be only one schema
master in the whole forest.
Domain naming master (Forest
level):
The domain naming master domain controller controls the addition
or removal of domains in the forest. This DC is the only one that can add or remove a domain
from the directory. It can also add or remove cross references to domains in
external directories. There can be only one domain naming master in the whole
forest.
Infrastructure Master (Domain
level):
When an object in one domain
is referenced by another object in another domain, it represents the reference
by the GUID, the SID (for references to security principals), and the DN of the
object being referenced. The
infrastructure FSMO role holder is the DC responsible for updating an object's
SID and distinguished name in a cross-domain object reference. At any one
time, there can be only one domain controller acting as the infrastructure
master in each domain.
Note: The Infrastructure
Master (IM) role should be held by a domain controller that is not a Global
Catalog server (GC). If the Infrastructure Master runs on a Global Catalog
server it will stop updating object information because it does not contain any
references to objects that it does not hold. This is because a Global Catalog server
holds a partial replica of every object in the forest. As a result,
cross-domain object references in that domain will not be updated and a warning
to that effect will be logged on that DC's event log. If all the domain
controllers in a domain also host the global catalog, all the domain
controllers have the current data, and it is not important which domain
controller holds the infrastructure master role.
Relative ID (RID) Master (Domain
level):
The RID master is responsible for processing RID pool requests
from all domain controllers in a particular domain. When a DC creates a security
principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a
domain SID (the same for all SIDs created in a domain), and a relative ID (RID)
that is unique for each security Principal SID created in a domain. Each DC in
a domain is allocated a pool of RIDs that it is allowed to assign to the
security principals it creates. When a DC's allocated RID pool falls below a
threshold, that DC issues a request for additional RIDs to the domain's RID
master. The domain RID master responds to the request by retrieving RIDs from
the domain's unallocated RID pool and assigns them to the pool of the
requesting DC. At any one time, there can be only one domain controller acting
as the RID master in the domain.
PDC Emulator (Domain level):
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes
the W32Time (Windows Time) time service that is required by the Kerberos
authentication protocol. All Windows 2000/2003-based computers within an
enterprise use a common time. The purpose of the time service is to ensure that
the Windows Time service uses a hierarchical relationship that controls authority
and does not permit loops to ensure appropriate common time usage.
The PDC emulator of a domain
is authoritative for the domain. The PDC emulator at the root of the forest
becomes authoritative for the enterprise, and should be configured to gather the
time from an external source. All PDC FSMO role holders follow the hierarchy of
domains in the selection of their in-bound time partner.
:: In a Windows 2000/2003
domain, the PDC emulator role holder retains the following functions:
:: Password changes performed
by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that
occur at a given DC in a domain because of an incorrect password are forwarded
to the PDC emulator before a bad password failure message is reported to the
user.
Account lockout is processed
on the PDC emulator.
Editing or creation of Group
Policy Objects (GPO) is always done from the GPO copy found in the PDC
Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all
of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or
earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator
role becomes unnecessary when all workstations, member servers, and domain
controllers that are running Windows NT 4.0 or earlier are all upgraded to
Windows 2000/2003. The PDC emulator still performs the other functions as
described in a Windows 2000/2003 environment.
32) What FSMO
placement considerations do you know of?
Windows 2000/2003 Active
Directory domains utilize a Single Operation Master method called FSMO
(Flexible Single Master Operation), as described in Understanding FSMO Roles in
Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles
33) I want to
look at the RID allocation table for a DC. What do I do?
1. Install support tools from
OS disk (OS Inst: Disk=>support=>tools=>suptools.msi)
2. In Command prompt type dcdiag /test:ridmanager /s:system1 /v
(system1 is the name of our DC)
34) What's the
difference between transferring a FSMO role and seizing one? Which one should
you NOT seize? Why?
Seizing an FSMO can be a destructive process and should only be
attempted if the existing server with the FSMO is no longer available.
If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT seizes the Schema Master role.
If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master from the network.
If you seize the Schema Master role, the boot drive on the original Schema Master must be completely reformatted and the operating system must be cleanly installed, if you intend to return this computer to the network.
NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition that contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:
If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT seizes the Schema Master role.
If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master from the network.
If you seize the Schema Master role, the boot drive on the original Schema Master must be completely reformatted and the operating system must be cleanly installed, if you intend to return this computer to the network.
NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition that contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:
35) How do you
configure a "stand-by operation master" for any of the roles?
·
Open Active Directory Sites
and Services.
·
Expand the site name in which the standby operations master is
located to display the Servers folder.
·
Expand the Servers folder to see a list of the servers in that
site.
·
Expand the name of the server that you want to be the standby
operations master to display its NTDS Settings.
·
Right-click NTDS Settings, click New, and then click Connection.
·
In the Find Domain Controllers dialog box, select the name of the
current role holder, and then click OK.
·
In the New Object-Connection dialog box, enter an appropriate name
for the Connection object or accept the default name, and click OK.
36) How do you
backup AD?
Ø
Backing up Active Directory is essential to maintain an Active
Directory database. You can back up Active Directory by using the Graphical
User Interface (GUI) and command-line tools that the Windows Server 2003 family
provides.
Ø You frequently backup the
system state data on domain controllers so that you can restore the most
current data. By establishing a regular backup schedule, you have a better
chance of recovering data when necessary.
Ø To ensure a good backup
includes at least the system state data and contents of the system disk, you
must be aware of the tombstone lifetime. By default, the tombstone is 60 days.
Any backup older than 60 days is not a good backup. Plan to backup at least two
domain controllers in each domain, one of at least one backup to enable an
authoritative restore of the data when necessary.
Ø System State Data
Several features in the windows server 2003 family make it easy to backup Active Directory. You can backup Active Directory while the server is online and other network function can continue to function.
Several features in the windows server 2003 family make it easy to backup Active Directory. You can backup Active Directory while the server is online and other network function can continue to function.
Ø System state data on a domain
controller includes the following components:
Ø Active Directory system state
data does not contain Active Directory unless the server, on which you are
backing up the system state data, is a domain controller. Active Directory is
present only on domain controllers.
Ø The SYSVOL shared folder: This
shared folder contains Group policy templates and logon scripts. The SYSVOL
shared folder is present only on domain controllers.
The Registry: This database repository contains information about the computer's configuration.
The Registry: This database repository contains information about the computer's configuration.
Ø System startup files: Windows
Server 2003 requires these files during its initial startup phase. They include
the boot and system files that are under windows file protection and used by
windows to load, configure, and run the operating system.
The COM+ Class Registration database: The Class registration is a database of information about Component Services applications.
The COM+ Class Registration database: The Class registration is a database of information about Component Services applications.
Ø The Certificate Services
database: This database contains certificates that a server running Windows
server 2003 uses to authenticate users. The Certificate Services database is
present only if the server is operating as a certificate server.
Ø System state data contains
most elements of a system's configuration, but it may not include all of the
information that you require recovering data from a system failure. Therefore,
be sure to backup all boot and system volumes, including the System State, when
you back up your server.
37) How do you
restore AD?
Restoring Active Directory
Ø
In Windows
Server 2003 family, you can restore the Active Directory database if it becomes
corrupted or is destroyed because of hardware or software failures. You must
restore the Active Directory database when objects in Active Directory are
changed or deleted.
Ø
Active
Directory restore can be performed in several ways. Replication synchronizes
the latest changes from every other replication partner. Once the replication
is finished each partner has an updated version of Active Directory. There is
another way to get these latest updates by Backup utility to restore replicated
data from a backup copy. For this restore you don't need to configure again your
domain controller or no need to install the operating system from scratch.
Ø
Active
Directory Restore Methods
You can use one of the three methods to restore Active Directory from backup media: primary restore, normal (non authoritative) restore, and authoritative restore.
You can use one of the three methods to restore Active Directory from backup media: primary restore, normal (non authoritative) restore, and authoritative restore.
Ø
Primary
restore: This method rebuilds the first domain controller in a domain when
there is no other way to rebuild the domain. Perform a primary restore only
when all the domain controllers in the domain are lost, and you want to rebuild
the domain from the backup.
Members of Administrators group can perform the primary restore on local computer, or user should have been delegated with this responsibility to perform restore. On a domain controller only Domain Admins can perform this restore.
Members of Administrators group can perform the primary restore on local computer, or user should have been delegated with this responsibility to perform restore. On a domain controller only Domain Admins can perform this restore.
Ø
Normal
restore: This method reinstates the Active Directory data to the state before
the backup, and then updates the data through the normal replication process.
Perform a normal restore for a single domain controller to a previously known
good state.
Ø
Authoritative
restore: You perform this method in tandem with a normal restore. An
authoritative restore marks specific data as current and prevents the
replication from overwriting that data. The authoritative data is then replicated
through the domain.
Ø
Perform an
authoritative restore individual object in a domain that has multiple domain
controllers. When you perform an authoritative restore, you lose all changes to
the restore object that occurred after the backup. Ntdsutil is a command line
utility to perform an authoritative restore along with windows server 2003
system utilities. The Ntdsutil command-line tool is an executable file that you
use to mark Active Directory objects as authoritative so that they receive a
higher version recently changed data on other domain controllers does not
overwrite system state data during replication.
38) How do you
change the DS Restore admin password?
·
To Reset the
DSRM Administrator Password
·
Click, Start,
click Run, type ntdsutil, and then click OK.
·
At the Ntdsutil
command prompt, type set dsrm password.
·
At the DSRM
command prompt, type one of the following lines:
o To reset the password on the server on
which you are working, type reset password on server null. The null
variable assumes that the DSRM password is being reset on the local computer.
Type the new password when you are prompted. Note that no characters appear
while you type the password.
-or-
-or-
o
To reset the
password for another server, type reset password on server servername,
where servername is the DNS name for the server on which you are
resetting the DSRM password. Type the new password when you are prompted. Note
that no characters appear while you type the password.
·
At the DSRM
command prompt, type q.
·
At the
Ntdsutil command prompt, type q to exit.
39) Why can't
you restore a DC that was backed up 4 months ago?
- Because of the tombstone life which is set to only 60
days
40) What are
GPOs?
- Policy, you can define
the state of a user's work environment once, and then rely on Windows
Server 2003 to continually force the Group Policy settings that you apply
across an entire organization or to specific groups of users and
computers.
41) What is
the order in which GPOs are applied?
Group
Policy settings are processed in the following order:
Ø Local Group Policy object--Each computer has exactly one Group Policy object that
is stored locally.
Ø Site--Any
Group Policy objects that have been linked to the site are processed next.
Processing is synchronous and in an order that is specified by the
administrator.
Ø Domain--Processing
of multiple domain-linked Group Policy objects is synchronous and in an order
specified by the administrator.
Ø Organizational units--Group Policy objects that are linked to the
organizational unit that is highest in the Active Directory hierarchy are
processed first, then Group Policy objects that are linked to its child
organizational unit, and so on. Finally, the Group Policy objects that are
linked to the organizational unit that contains the user or computer are
processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy objects can be linked. If several Group Policy objects are linked to an organizational unit, their processing is synchronous and in an order that is specified by the administrator.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy objects can be linked. If several Group Policy objects are linked to an organizational unit, their processing is synchronous and in an order that is specified by the administrator.
42) Name a few
benefits of using GPMC.
Microsoft
released the Group Policy Management Console (GPMC) years ago, which is an
amazing innovation in Group Policy management. The tool provides control over
Group Policy in the following manner:
·
Easy administration of
all GPOs across the entire Active Directory Forest
·
View of all GPOs in one
single list
·
Reporting of GPO
settings, security, filters, delegation, etc.
·
Control of GPO
inheritance with Block Inheritance, Enforce, and Security Filtering
·
Delegation model
·
Backup and restore of
GPOs
·
Migration of GPOs across
different domains and forests
With
all of these benefits, there are still negatives in using the GPMC alone.
Granted, the GPMC is needed and should be used by everyone for what it is ideal
for. However, it does fall a bit short when you want to protect the GPOs from
the following:
·
Role based delegation of
GPO management
·
Being edited in
production, potentially causing damage to desktops and servers
·
Forgetting to back up a
GPO after it has been modified
·
Change management of each
modification to every GPO
43) What are
the GPC and the GPT? Where can I find them?
*
Collapse/Expand Answer of Question Explain What are the GPC and the GPT? Where
can we find them?
GPOs store group policy settings in two locations: a Group Policy container (GPC) (preferred) and a Group Policy template (GPT). The GPC is an Active Directory object that stores version information, status information, and other policy information (for example, application objects).
The GPT is used for file-based data and stores software policy, script, and deployment information. The GPT is located on the system volume folder of the domain controller. A GPO can be associated with one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be associated with the same GPO, and a single container can have more than one associated GPO.
GPOs store group policy settings in two locations: a Group Policy container (GPC) (preferred) and a Group Policy template (GPT). The GPC is an Active Directory object that stores version information, status information, and other policy information (for example, application objects).
The GPT is used for file-based data and stores software policy, script, and deployment information. The GPT is located on the system volume folder of the domain controller. A GPO can be associated with one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be associated with the same GPO, and a single container can have more than one associated GPO.
44) What are
GPO links? What special things can I do to them?
To apply the settings of a GPO to the users and
computers of a domain, site, or OU, you need to add a link to that GPO. You can
add one or more GPO links to each domain, site, or OU by using GPMC. Keep in
mind that creating and linking GPOs is a sensitive privilege that should be
delegated only to administrators who are trusted and understand Group Policy.
45) What can I
do to prevent inheritance from above?
You can block policy inheritance for a domain or
organizational unit. Using block inheritance prevents GPOs linked to higher
sites, domains, or organizational units from being automatically inherited by
the child-level. By default, children inherit all GPOs from the parent, but it
is sometimes useful to block inheritance. For example, if you want to apply a
single set of policies to an entire domain except for one organizational unit,
you can link the required GPOs at the domain level (from which all
organizational units inherit policies by default), and then block inheritance
only on the organizational unit to which the policies should not be applied.
46) How can
you determine what GPO was and was not applied for a user? Name a few ways to
do that.
Answer1:
Simply
use the Group Policy Management Console created by MS for that very purpose,
allows you to run simulated policies on computers or users to determine what
policies are enforced. Link in sources
Answer2:
Group Policy Management Console (GPMC) can provide assistance when you need to troubleshoot GPO behaviour. It allows you toexamine the settings of a specific GPO, and is can also be used to determine how your GPOs are linked to sites, domains, and OUs. The Group Policy Results report collects information on a computer and user, to list the policy settings which are enabled. To create a Group Policy Results report, right-click Group Policy Results, and select Group Policy Results Wizard on the shortcut menu. This launches the Group Policy Results Wizard, which guides you through various pages to set parameters for the information that should be displayed in the Group Policy Results report.
Group Policy Management Console (GPMC) can provide assistance when you need to troubleshoot GPO behaviour. It allows you toexamine the settings of a specific GPO, and is can also be used to determine how your GPOs are linked to sites, domains, and OUs. The Group Policy Results report collects information on a computer and user, to list the policy settings which are enabled. To create a Group Policy Results report, right-click Group Policy Results, and select Group Policy Results Wizard on the shortcut menu. This launches the Group Policy Results Wizard, which guides you through various pages to set parameters for the information that should be displayed in the Group Policy Results report.
Gpresult.exe
Click Start > RUN > CMD > gpresult, this will also give you
information of applied group policies.
47) A user
claims he did not receive a GPO, yet his user and computer accounts are in the
right OU, and everyone else there gets the GPO. What will you look for?
Here interviewer
want to know the troubleshooting steps
what gpo is applying?
If it applying in all user and computer?
What gpo are implemented on ou?
Make sure user not is member of loopback policy as in loopback policy it doesn't affect user settings only computer policy will applicable.
If he is member of gpo filter grp or not?
You may also want to check the computers event logs. If you find event ID 1085 then you may want to download the patch to fix this and reboot the computer.
===============================================
Answer 2: Start Troubleshooting by running RSOP.MSC (Resultant Set of Policy) or gpresult /z to verify whether relevant GPO actually apply to that user?.
This also can be a reason of slow network; you can change the default setting by using the Group Policy MMC snap-in. This feature is enabled by default, but you can disable it by using the following policy: Administrative Templates\System\Logon\Always wait for the network at computer startup and logon.
Identify which GPOs they correspond to; verify that they are applicable to the computer/user (based on the output of RSOP.MSC/gpresult)
what gpo is applying?
If it applying in all user and computer?
What gpo are implemented on ou?
Make sure user not is member of loopback policy as in loopback policy it doesn't affect user settings only computer policy will applicable.
If he is member of gpo filter grp or not?
You may also want to check the computers event logs. If you find event ID 1085 then you may want to download the patch to fix this and reboot the computer.
===============================================
Answer 2: Start Troubleshooting by running RSOP.MSC (Resultant Set of Policy) or gpresult /z to verify whether relevant GPO actually apply to that user?.
This also can be a reason of slow network; you can change the default setting by using the Group Policy MMC snap-in. This feature is enabled by default, but you can disable it by using the following policy: Administrative Templates\System\Logon\Always wait for the network at computer startup and logon.
Identify which GPOs they correspond to; verify that they are applicable to the computer/user (based on the output of RSOP.MSC/gpresult)
48) Name some
GPO settings in the computer and user parts.
Group Policy
Object (GPO) computer=Computer Configuration, User=User ConfigurationName some
GPO settings in the computer and user parts
49) What are
administrative templates?
The GPO settings
are divided between the Computer settings and the User settings. In both parts
of the GPO you can clearly see a large section called Administrative Templates.
Administrative
Templates are a large repository of registry-based changes (in fact, over 1300
individual settings) that can be found in any GPO on Windows 2000, Windows XP,
and Windows Server 2003.
By using the
Administrative Template sections of the GPO you can deploy modifications to
machine (called HKEY_LOCAL_MACHINE in the registry) and user (called
HKEY_CURRENT_USER in the registry) portions of the Registry of computers that
are influenced by the GPO.
The
Administrative Templates are Unicode-formatted text files with the extension
.ADM and are used to create the Administrative Templates portion of the user
interface for the GPO Editor.
50) What's the
difference between software publishing and assigning?
ANS An administrator can either assign or publish software
applications.
Assign Users:
Assign Users:
The software application is advertised when the user logs on. It is installed
when the user clicks on the software application icon via the start menu, or
accesses a file that has been associated with the software application.
Assign Computers:
Assign Computers:
The software application is advertised and installed when it is safe to do so,
such as when the computer is next restarted.
Publish to users:
The software application does not appear on the start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers
The software application does not appear on the start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers
51) Can I
deploy non-MSI software with GPO?
Yes, via .zap
packages - although you won't get full benefits provided by MSI technology. Another option is to create your own .msi with an older
peace of software delivered with Windows 2000 server: http://technet.microsoft.com/en-us/library/bb742609.aspx
52) You want
to standardize the desktop environments (wallpaper, My Documents, Start menu,
printers etc.) on the computers in one department. How would you do that?
Answer1:
You can achieve this with the help of "user
profile". First modify any user's profile first, then copy this location
to any particular location and share it. Then define the "profile
path" from "ad user and computers".
Answer2:
If one wants to standardize the desktop environment then profiles
play a key role. If the user is assigned with Mandatory profiles then whatever
changes user makes to desktop settings will not be stored on server and will be
lost for every refresh. If user is assigned with Roaming profiles permissions
then what ever changes user makes to desktop or files or folders will be stored
on Server and user desktop.
Login on client as Domain Admin user change whatever you
need add printers etc… go to system-User profiles copy this user profile to any
location by select everyone in permitted to use after copy change ntuser.dat to
ntuser.man and assign this path under user profile
53) List some
imported Port Numbers?
DNS (Domain Naming Service) --------------- 53
IP (Internet Protocol) --------------------------- 0
TCP (Transmission Control Protocol) ------- 1
FTP (File Transfer Protocol) ------------------- 21
SSH (Secure Shell) ------------------------------ 22
Telnet --------------------------------------------- 23
SMTP (Simple Mail Transfer Protocol) ---- 25
DHCP (Dynamic Host Configuration Protocol) – 68
HTTP (Hypertext Transfer Protocol) --- 80
Kerberos --------------------------------------
88
SFTP (Secure FTP) ---------------------------
115
NTP (Network Time Protocol)
----------- 123
NNTP (Network News Transfer Protocol) -
119
IMAP (Internet Message Access
Protocol) -------- 143
SNMP (Simple Network Management
Protocol) -161
IMAP (Internet Message Access Protocol
V3) ---- 220
LDAP (Lightweight Directory Access Protocol)
--- 389
HTTPS (Secure HTTP) -----------------------------------
443
RPC (Remote Procedure Call)
------------------------- 530
NNTPS (NNTP over TLS/SSL) ---------------------------
563
IMAPS (Internet Message Access
Protocol over SSL) - 993
POP2 (Post Office Version-2) -------------------------------
109
POP3 (Post Office Version-3) -------------------------------
110
54) What is
the difference between windows 2003 and 2008 OS?
A.
The Windows Server
2008 is combination of vista and windows 2003r2. Some new services are
introduced in it
a. RODC one new domain controller introduced in it.
b. WDS (Windows Deployment Services) instead of RIS in 2003
server.
c. Shadow copy for each and every folders.
d. Boot sequence is changed.
e. Installation is 32 bit whereas 2003 it is 16 as well as 32
bit, that are why installation of 2008 is faster.
f.
Services are known
as Role in it.
g. Group policy editor is a separate option in ADS.
B.
The main difference
between 2003 and 2008 is Virtualization, management. 2008 has more inbuilt
components and updated third party drivers Microsoft introduces new feature
with 2k8 that are Hyper-V Windows Server 2008 introduces Hyper-V (V for
Virtualization) but only on 64bit versions. More and more companies are seeing
this as a way of reducing hardware costs by running several 'virtual' servers
on one physical machine. If you like this exciting technology, make sure that
you buy an edition of Windows Server 2008 that includes Hyper-V, then launch
the Server Manager, add Roles.
C.
In Windows Server 2008,
Microsoft is introducing new features and technologies, some of which were not
available in Windows Server 2003 with Service Pack 1 (SP1), that will help to
reduce the power consumption of server and client operating systems, minimize
environmental byproducts, and increase server efficiency.
Microsoft Windows Server 2008 has been designed with energy efficiency in mind, to provide customers with ready and convenient access to a number of new power-saving features. It includes updated support for Advanced Configuration and Power Interface (ACPI) processor power management (PPM) features, including support for processor performance states (P-states) and processor idle sleep states on multiprocessor systems. These features simplify power management in Windows Server 2008 (WS08) and can be managed easily across servers and clients using Group Policies.
55) What is
the difference between windows 2003 and 2008 AD?Microsoft Windows Server 2008 has been designed with energy efficiency in mind, to provide customers with ready and convenient access to a number of new power-saving features. It includes updated support for Advanced Configuration and Power Interface (ACPI) processor power management (PPM) features, including support for processor performance states (P-states) and processor idle sleep states on multiprocessor systems. These features simplify power management in Windows Server 2008 (WS08) and can be managed easily across servers and clients using Group Policies.
There are 10 major differences are available in 2008 AD.
- Active Directory Recycle Bin: Information Technology (IT) professionals can use Active Directory
Recycle Bin to undo an accidental deletion of an Active Directory object.
Accidental object deletion causes business downtime. See What's
New in AD DS: Active Directory Recycle Bin.
- Active Directory module for Windows
PowerShell and Windows PowerShell™ cmdlets:
The Active Directory module for Windows PowerShell provides command-line scripting for administrative, configuration, and diagnostic tasks, with a consistent vocabulary and syntax, see What's New in AD DS: Active Directory Module for Windows PowerShell. - Active Directory Administrative Center:
The Active Directory Administrative
Center has a task-oriented administration model, with support for larger
datasets. The Active Directory Administrative Center can help increase
the productivity of IT professionals by providing a scalable, task-oriented
user experience for managing AD DS, see What's
New in AD DS: Active Directory Administrative Center.
- Active Directory Best Practices
Analyzer: The Active Directory Best Practices Analyzer (BPA)
identifies deviations from best practices to help IT professionals better
manage their Active Directory deployments. BPA uses Windows PowerShell
cmdlets to gather run-time data, see What's
New in AD DS: Active Directory Best Practices Analyzer.
- Active Directory Web Services: Active
Directory Web Services (ADWS) provides a Web service interface to Active
Directory domains and AD LDS instances, including snapshots, that are
running on the same Windows Server 2008 R2 server as ADWS. For more
information, see What's
New in AD DS: Active Directory Web Services.
- Authentication Mechanism Assurance: Authentication
Mechanism Assurance makes it possible for applications to control resource
access based on authentication strength and method. Administrators can map
various properties, including authentication type and authentication strength,
to an identity. Based on information that is obtained during
authentication, these identities are added to Kerberos tickets for use by
applications. For more information, see What's
New in AD DS: Authentication Mechanism Assurance.
- Offline Domain Join: Offline
domain join makes provisioning of computers easier in a datacenter. You
can use offline domain join to join computers to a domain without
contacting a domain controller over the network. You can join computers to
the domain when they first start up after an operating system
installation. It provides the ability to preprovision computer accounts in
the domain to prepare operating system images for mass deployment.
Computers are joined to the domain when they first start. This reduces the
steps and time necessary to deploy computers in a datacenter. For more
information, see What's
New in AD DS: Offline Domain Join.
- Managed Service Accounts: Managed
Service Accounts provide simple management of service accounts. At the
Windows Server 2008 R2 domain functional level, this feature provides
better management of service principal names (SPNs). Managed Service
Accounts help lower total cost of ownership (TCO) by reducing service
outages (for manual password resets and related issues). You can run one Managed
Service Account for each service that is running on a server, without any
human intervention for password management. For more information, see the
Service Accounts Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=134695).
- Active Directory Management Pack: The
Active Directory Management Pack enables proactive monitoring of
availability and performance of AD DS. It discovers and detects computer
and software states, and it is aligned with the health state definitions.
The Active Directory Management Pack works with Windows Server 2008 and
Windows Server 2008 R2 and Microsoft® Systems Center Operations Manager
2007.
- Bridgehead Server Selection: The
bridgehead server selection process enables domain controllers to load
balance incoming connections. The new logic for bridgehead server
selection allows for even distribution of workload among bridgehead
servers
56) GPO
default refresh interval time?
Administrators can change the default refresh
policy interval setting by using one of these policy settings: Group
Policy Refresh Interval for Computers,Group Policy Refresh Interval for Domain
Controllers, or Group Policy refresh Interval for
Users. By using these settings, you can stipulate an update
rate from zero to 64,800 minutes (45 days). You can also set the policy to Turn
off background refresh of Group Policy.
Group
Policy Refresh Interval for Computers: This setting specifies how often
Group Policy for computers is updated in the background. It specifies a
background update rate only for Group Policy settings under Computer
Configuration. Computer Group Policy is updated in the background every 90
minutes by default, with a random offset of 0 to 30 minutes. In addition to
background updates, computer Group Policy is always updated when the system
starts. This policy setting is available in the Group Policy Object Editor
under Computer Configuration\Administrative Templates\System\Group
Policy.
Group
Policy Refresh Interval for Domain Controllers: This setting specifies how
often Group Policy is updated in the background on domain controllers. By
default, Group Policy on domain controllers is updated every five minutes. This
policy setting is available in the Group Policy Object Editor under Computer
Configuration\Administrative Templates\System\Group Policy.
Group
Policy Refresh Interval for Users: This setting specifies how frequently
Group Policy is updated in the background only for the Group Policy settings in
the User Configuration folder. In addition to background updates, Group Policy
for users is always updated when users log on. This policy is in the User
Configuration\Administrative Templates\System\Group Policy
item.
Turn
off background refresh of Group Policy: This policy prevents Group Policy
settings from being updated while the computer is in use. It applies to Group
Policy for computers, users, and domain controllers. This policy setting is
available in Computer Configuration\Administrative
Templates\System\Group Policy item.
All the Best.....
Srinivas.