Vous êtes sur la page 1sur 50

Low Level

1. Features of windows2003

ACTIVE DIRECTORY

Easier Deployment and Management

ADMT version 2.0—migrates password from NT4 to 2000 to 20003


or from 2000 to 2003

Domain Rename--- supports changing Domain Name System and/or NetBios


name

Schema Redefine--- Allows deactivation of attributes and class definitions in


the Active directory schema

AD/AM--- Active directory in application mode is a new capability of AD that


addresses certain deployment scenarios related to directory enabled
applications

Group Policy Improvements----introduced GPMC tool to manage group policy

UI—Enhanced User Interface

Grater Security

Cross-forest Authentication

Cross-forest Authorization

Cross-certification Enhancements

IAS and Cross-forest authentication

Credential Manager

Software Restriction Policies

Improved Performance and Dependability

Easier logon for remote offices

Group Membership replication enhancements

Application Directory Partitions

Install Replica from media


Dependability Improvements--- updated Inter-Site Topology Generator (ISTG)
that scales better by supporting forests with a greater number of sites than Windows
2000.

FILE AND PRINT SERVICES

Volume shadow copy service

NTFS journaling file system

EFS

Improved CHDSK Performance

Enhanced DFS and FRS

Shadow copy of shared folders

Enhanced folder redirection

Remote document sharing (WEBDAV)

IIS

Fault-tolerant process architecture----- The IIS 6.0 fault-tolerant process


architecture isolates Web sites and applications into self-contained units called
application pools

Health Monitoring---- IIS 6.0 periodically checks the status of an application pool
with automatic restart on failure of the Web sites and applications within that
application pool, increasing application availability. IIS 6.0 protects the server, and
other applications, by automatically disabling Web sites and applications that fail too
often within a short amount of time

Automatic Process Recycling--- IIS 6.0 automatically stops and restarts faulty
Web sites and applications based on a flexible set of criteria, including CPU
utilization and memory consumption, while queuing requests

Rapid-fail Protection---- If an application fails too often within a short amount of


time, IIS 6.0 will automatically disable it and return a "503 Service Unavailable" error
message to any new or queued requests to the application

Edit-While-Running

http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/defa
ult.mspx

2. Difference between NT & 2000


NT SAM database is a flat database. Where as in windows 2000 active directory
database is a hierarchical database.

In windows NT only PDC is having writable copy of SAM database but the BDC is
only read only database. In case of Windows 2000 both DC and ADC is having write
copy of the database

Windows NT will not support FAT32 file system. Windows 2000 supports FAT32

Default authentication protocol in NT is NTLM (NT LAN manager). In windows 2000


default authentication protocol is Kerberos V5.

Windows 2000 depends and Integrated with DNS. NT user Netbios names

Active Directory can be backed up easily with System state data

3. Difference between 2000 & 2003

Application Server mode is introduced in windows 2003

Possible to configure stub zones in windows 2003 DNS

Volume shadow copy services is introduced

Windows 2003 gives an option to replicate DNS data b/w all DNS servers in forest or
All DNS servers in the domain.

Refer Question 1 for all Enhancements

4. Difference between PDC & BDC

PDC contains a write copy of SAM database where as BDC contains read only copy
of SAM database. It is not possible to reset a password or create objects with out PDC
in Windows NT.

5. Difference between DC & ADC

There is no difference between in DC and ADC both contains write copy of AD. Both
can also handles FSMO roles (If transfers from DC to ADC). It is just for
identification. Functionality wise there is no difference.
6. What is DNS & WINS

DNS is a Domain Naming System, which resolves Host names to IP addresses. It uses
fully qualified domain names. DNS is a Internet standard used to resolve host names

WINS is a Windows Internet Name Service, which resolves Netbios names to IP


Address. This is proprietary for Windows

7. Types of DNS Servers

Primary DNS

Secondary DNS

Active Directory Integrated DNS

Forwarder

Caching only DNS

8. If DHCP is not available what happens to the client

Client will not get IP and it cannot be participated in network . If client already got
the IP and having lease duration it use the IP till the lease duration expires.

9. what are the different types of trust relationships

Implicit Trusts

Explicit Trusts—NT to Win2k or Forest to Forest

10. what is the process of DHCP for getting the IP address to the client

There is a four way negotiation process b/w client and server

DHCP Discover (Initiated by client)

DHCP Offer (Initiated by server)

DHCP Select (Initiated by client)


DHCP Acknowledgement (Initiated by Server)

DHCP Negative Acknowledgement (Initiated by server if any issues after DHCP


offer)

11. Difference between FAT,NTFS & NTFSVersion5

NTFS Version 5 features

Encryption is possible

We can enable Disk Quotas

File compression is possible

Sparse files

Indexing Service

NTFS change journal

In FAT file system we can apply only share level security. File level protection is not
possible. In NTFS we can apply both share level as well as file level security

NTFS supports large partition sizes than FAT file systems

NTFS supports long file names than FAT file systems

12. What are the port numbers for FTP, Telnet, HTTP, DNS

FTP-21, Telnet – 23, HTTP-80, DNS-53, Kerberos-88, LDAP-389

13. what are the different types of profiles in 2000

Local Profiles

Roaming profiles

Mandatory Profiles

14. what is the database files used for Active Directory

The key AD database files—edb.log, ntds.dit, res1.log, res2.log, and edb.chk—all of


which reside in \%systemroot%\ntds on a domain controller (DC) by default. During
AD installation, Dcpromo lets you specify alternative locations for these log files and
database files

NTDS.DIT

15. What is the location of AD Database

%System root%/NTDS/NTDS>DIT

16. What is the authentication protocol used in NT

NTLM (NT LAN Manager)

17. What is subnetting and supernetting

Subnetting is the process of borrowing bits from the host portion of an address to
provide bits for identifying additional sub-networks

Supernetting merges several smaller blocks of IP addresses (networks) that are


continuous into one larger block of addresses. Borrowing network bits to combine
several smaller networks into one larger network does supernetting

18. what is the use of terminal services

Terminal services can be used as Remote Administration mode to administer remotely


as well as Application Server Mode to run the application in one server and users can
login to that server to user that application.

19. what is the protocol used for terminal services

RDP

20. what is the port number for RDP

3389

Medium Level
1. what is the difference between Authorized DHCP and Non Authorized DHCP

To avoid problems in the network causing by mis-configured DHCP servers, server in


windows 2000 must be validate by AD before starting service to clients. If an
authorized DHCP finds any DHCP server in the network it stop serving the clients

2. Difference between inter-site and intra-site replication. Protocols using for


replication.

Intra-site replication can be done between the domain controllers in the same site.
Inter-site replication can be done between two different sites over WAN links

BHS (Bridge Head Servers) is responsible for initiating replication between the sites.
Inter-site replication can be done B/w BHS in one site and BHS in another site.

We can use RPC over IP or SMTP as a replication protocols where as Domain


partition is not possible to replicate using SMTP

3. How to monitor replication

We can user Replmon tool from support tools

4. Brief explanation of RAID Levels

Microsoft Windows XP, Windows 2000 and Windows Server 2003 offer two types of disk
storage: basic and dynamic.

Basic Disk Storage

Basic storage uses normal partition tables supported by MS-DOS, Microsoft Windows 95,
Microsoft Windows 98, Microsoft Windows Millennium Edition (Me), Microsoft Windows
NT, Microsoft Windows 2000, Windows Server 2003 and Windows XP. A disk initialized for
basic storage is called a basic disk. A basic disk contains basic volumes, such as primary
partitions, extended partitions, and logical drives. Additionally, basic volumes include
multidisk volumes that are created by using Windows NT 4.0 or earlier, such as volume sets,
stripe sets, mirror sets, and stripe sets with parity. Windows XP does not support these
multidisk basic volumes. Any volume sets, stripe sets, mirror sets, or stripe sets with parity
must be backed up and deleted or converted to dynamic disks before you install Windows XP
Professional.

Dynamic Disk Storage


Dynamic storage is supported in Windows XP Professional, Windows 2000 and Windows
Server 2003. A disk initialized for dynamic storage is called a dynamic disk. A dynamic disk
contains dynamic volumes, such as simple volumes, spanned volumes, striped volumes,
mirrored volumes, and RAID-5 volumes. With dynamic storage, you can perform disk and
volume management without the need to restart Windows.

Note: Dynamic disks are not supported on portable computers or on Windows XP Home
Edition-based computers.

You cannot create mirrored volumes or RAID-5 volumes on Windows XP Home Edition,
Windows XP Professional, or Windows XP 64-Bit Edition-based computers. However, you
can use a Windows XP Professional-based computer to create a mirrored or RAID-5 volume
on remote computers that are running Windows 2000 Server, Windows 2000 Advanced
Server, or Windows 2000 Datacenter Server, or the Standard, Enterprise and Data Center
versions of Windows Server 2003.

Storage types are separate from the file system type. A basic or dynamic disk can contain any
combination of FAT16, FAT32, or NTFS partitions or volumes.

A disk system can contain any combination of storage types. However, all volumes on the
same disk must use the same storage type.

To convert a Basic Disk to a Dynamic Disk:

Use the Disk Management snap-in in Windows XP/2000/2003 to convert a basic disk to a
dynamic disk. To do this, follow these steps:

1. Log on as Administrator or as a member of the Administrators group.


2. Click Start, and then click Control Panel.
3. Click Performance and Maintenance, click Administrative Tools, and then double-
click Computer Management. You can also right-click My Computer and choose
Manage if you have My Computer displayed on your desktop.
4. In the left pane, click Disk Management.
5. In the lower-right pane, right-click the basic disk that you want to convert, and then
click Convert to Dynamic Disk. You must right-click the gray area that contains the
disk title on the left side of the Details pane.

6. Select the check box that is next to the disk that you want to convert (if it is not
already selected), and then click OK.

7. Click Details if you want to view the list of volumes in the disk. Click Convert.

8. Click Yes when you are prompted to convert the disk, and then click OK.
Warning: After you convert a basic disk to a dynamic disk, local access to the dynamic disk
is limited to Windows XP Professional, Windows 2000 and Windows Server 2003.
Additionally, after you convert a basic disk to a dynamic disk, the dynamic volumes cannot be
changed back to partitions. You must first delete all dynamic volumes on the disk and then
convert the dynamic disk back to a basic disk. If you want to keep your data, you must first
back up the data or move it to another volume.

Dynamic Storage Terms

A volume is a storage unit made from free space on one or more disks. It can be formatted
with a file system and assigned a drive letter. Volumes on dynamic disks can have any of the
following layouts: simple, spanned, mirrored, striped, or RAID-5.

A simple volume uses free space from a single disk. It can be a single region on a disk or
consist of multiple, concatenated regions. A simple volume can be extended within the same
disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes
a spanned volume.

A spanned volume is created from free disk space that is linked together from multiple disks.
You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be
mirrored and is not fault-tolerant.

A striped volume is a volume whose data is interleaved across two or more physical disks.
The data on this type of volume is allocated alternately and evenly to each of the physical
disks. A striped volume cannot be mirrored or extended and is not fault-tolerant. Striping is
also known as RAID-0.

A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks.
All of the data on one volume is copied to another disk to provide data redundancy. If one of
the disks fails, the data can still be accessed from the remaining disk. A mirrored volume
cannot be extended. Mirroring is also known as RAID-1.

A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or
more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is
also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume
that was on that failed disk can be re-created from the remaining data and the parity. A RAID-
5 volume cannot be mirrored or extended.

The system volume contains the hardware-specific files that are needed to load Windows (for
example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can be, but does not have to
be, the same as the boot volume.

The boot volume contains the Windows operating system files that are located in the
%Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not
have to be, the same as the system volume.

RAID 0 – Striping

RAID 1- Mirroring (minimum 2 HDD required)

RAID 5 – Striping With Parity (Minimum 3 HDD required)


RAID levels 1 and 5 only gives redundancy

5. What are the different backup strategies are available

Normal Backup

Incremental Backup

Differential Backup

Daily Backup

Copy Backup

6. What is a global catalog

Global catalog is a role, which maintains Indexes about objects. It contains full
information of the objects in its own domain and partial information of the objects in
other domains. Universal Group membership information will be stored in global
catalog servers and replicate to all GC’s in the forest.

7. What is Active Directory and what is the use of it

Active directory is a directory service, which maintains the relation ship between
resources and enabling them to work together. Because of AD hierarchal structure
windows 2000 is more scalable, reliable. Active directory is derived from X.500
standards where information is stored is hierarchal tree like structure. Active directory
depends on two Internet standards one is DNS and other is LDAP. Information in
Active directory can be queried by using LDAP protocol

8. what is the physical and logical structure of AD

Active directory physical structure is a hierarchal structure which fallows Forests—


Trees—Domains—Child Domains—Grand Child—etc

Active directory is logically divided into 3 partitions

1.Configuration partition 2. Schema Partition 3. Domain partition 4. Application


Partition (only in windows 2003 not available in windows 2000)

Out of these Configuration, Schema partitions can be replicated between the domain
controllers in the in the entire forest. Where as Domain partition can be replicated
between the domain controllers in the same domain
9. What is the process of user authentication (Kerberos V5) in windows 2000

After giving logon credentials an encryption key will be generated which is used to
encrypt the time stamp of the client machine. User name and encrypted timestamp
information will be provided to domain controller for authentication. Then Domain
controller based on the password information stored in AD for that user it decrypts the
encrypted time stamp information. If produces time stamp matches to its time stamp. It
will provide logon session key and Ticket granting ticket to client in an encryption
format. Again client decrypts and if produced time stamp information is matching then
it will use logon session key to logon to the domain. Ticket granting ticket will be used
to generate service granting ticket when accessing network resources

10. what are the port numbers for Kerberos, LDAP and Global catalog

Kerberos – 88, LDAP – 389, Global Catalog – 3268

11. what is the use of LDAP (X.500 standard?)

LDAP is a directory access protocol, which is used to exchange directory information


from server to clients or from server to servers

12. what are the problems that are generally come across DHCP

Scope is full with IP addresses no IP’s available for new machines

If scope options are not configured properly eg default gateway

Incorrect creation of scopes etc

13. what is the role responsible for time synchronization

PDC Emulator is responsible for time synchronization. Time synchronization is


important because Kerberos authentication depends on time stamp information

14. what is TTL & how to set TTL time in DNS

TTL is Time to Live setting used for the amount of time that the record should remain
in cache when name resolution happened.
We can set TTL in SOA (start of authority record) of DNS

15. How to take DNS and WINS,DHCP backup

%System root%/system32/dns

%System root%/system32/WINS

%System root%/system32/DHCP

16. What is recovery console

Recovery console is a utility used to recover the system when it is not booting
properly or not at all booting. We can perform fallowing operations from recovery
console

We can copy, rename, or replace operating system files and folders

Enable or disable service or device startup the next time that start computer

Repair the file system boot sector or the Master Boot Record

Create and format partitions on drives

17. what is DFS & its usage

DFS is a distributed file system used to provide common environment for users to
access files and folders even when they are shared in different servers physically.

There are two types of DFS domain DFS and Stand alone DFS. We cannot provide
redundancy for stand alone DFS in case of failure. Domain DFS is used in a domain
environment which can be accessed by /domain name/root1 (root 1 is DFS root name).
Stand alone DFS can be used in workgroup environment which can be accessed
through /server name/root1 (root 1 is DFS root name). Both the cases we need to
create DFS root ( Which appears like a shared folder for end users) and DFS links ( A
logical link which is pointing to the server where the folder is physically shared)

The maximum number of Dfs roots per server is 1.

The maximum numbers of Dfs root replicas are 31.

The maximum number of Dfs roots per domain is unlimited.

The maximum number of Dfs links or shared folders in a Dfs root is 1,000
18. what is RIS and what are its requirements

RIS is a remote installation service, which is used to install operation system remotely.

Client requirements

PXE DHCP-based boot ROM version 1.00 or later NIC, or a network adapter that is
supported by the RIS boot disk.

Should meet minimum operating system requirements

Software Requirements

Below network services must be active on RIS server or any server in the network

Domain Name System (DNS Service)

Dynamic Host Configuration Protocol (DHCP)

Active directory “Directory” service

19. How many root replicas can be created in DFS

31

20. What is the difference between Domain DFS and Standalone DFS

Refer question 17.

High Level

1. Can we establish trust relationship between two forests

In Windows 2000 it is not possible. In Windows 2003 it is possible

2. What is FSMO Roles

Flexible single master operation (FSMO) roles are


Domain Naming Master

Schema Master

PDC Emulator

Infrastructure Master

RID Master

3. Brief all the FSMO Roles

Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as the Active Directory, provides the flexibility
of allowing changes to occur at any DC in the enterprise, but it also introduces the
possibility of conflicts that can potentially lead to problems once the data is replicated
to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting
updates is by having a conflict resolution algorithm handle discrepancies in values by
resolving to the DC to which changes were written last (that is, "the last writer wins"),
while discarding the changes in all other DCs. Although this resolution method may be
acceptable in some cases, there are times when conflicts are just too difficult to resolve
using the "last writer wins" approach. In such cases, it is best to prevent the conflict
from occurring rather than to try to resolve it after the fact.

For certain types of changes, Windows 2000/2003 incorporates methods to prevent


conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model

To prevent conflicting updates in Windows 2000/2003, the Active Directory performs


updates to certain objects in a single-master fashion.

In a single-master model, only one DC in the entire directory is allowed to process


updates. This is similar to the role given to a primary domain controller (PDC) in
earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC
is responsible for processing all updates in a given domain.

In a forest, there are five FSMO roles that are assigned to one or more domain
controllers. The five FSMO roles are:

Schema Master:

The schema master domain controller controls all updates and modifications to the
schema. Once the Schema update is complete, it is replicated from the schema master
to all other DCs in the directory. To update the schema of a forest, you must have
access to the schema master. There can be only one schema master in the whole forest.
Domain naming master:

The domain naming master domain controller controls the addition or removal of
domains in the forest. This DC is the only one that can add or remove a domain from
the directory. It can also add or remove cross references to domains in external
directories. There can be only one domain naming master in the whole forest.

Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it


represents the reference by the GUID, the SID (for references to security principals),
and the DN of the object being referenced. The infrastructure FSMO role holder is the
DC responsible for updating an object's SID and distinguished name in a cross-domain
object reference. At any one time, there can be only one domain controller acting as
the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is
not a Global Catalog server (GC). If the Infrastructure Master runs on a Global
Catalog server it will stop updating object information because it does not contain any
references to objects that it does not hold. This is because a Global Catalog server
holds a partial replica of every object in the forest. As a result, cross-domain object
references in that domain will not be updated and a warning to that effect will be
logged on that DC's event log. If all the domain controllers in a domain also host the
global catalog, all the domain controllers have the current data, and it is not important
which domain controller holds the infrastructure master role.

Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. When a DC creates a security principal object such
as a user or group, it attaches a unique Security ID (SID) to the object. This SID
consists of a domain SID (the same for all SIDs created in a domain), and a relative ID
(RID) that is unique for each security principal SID created in a domain. Each DC in
a domain is allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a threshold, that DC
issues a request for additional RIDs to the domain's RID master. The domain RID
master responds to the request by retrieving RIDs from the domain's unallocated RID
pool and assigns them to the pool of the requesting DC. At any one time, there can be
only one domain controller acting as the RID master in the domain.

PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows


2000/2003 includes the W32Time (Windows Time) time service that is required by the
Kerberos authentication protocol. All Windows 2000/2003-based computers within an
enterprise use a common time. The purpose of the time service is to ensure that the
Windows Time service uses a hierarchical relationship that controls authority and does
not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at
the root of the forest becomes authoritative for the enterprise, and should be
configured to gather the time from an external source. All PDC FSMO role holders
follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows 2000/2003 domain, the PDC emulator role holder retains the following
functions:

Password changes performed by other DCs in the domain are replicated preferentially
to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect


password are forwarded to the PDC emulator before a bad password failure message is
reported to the user.

Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy
found in the PDC Emulator's SYSVOL share, unless configured not to do so by the
administrator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0
Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier
clients.

This part of the PDC emulator role becomes unnecessary when all workstations,
member servers, and domain controllers that are running Windows NT 4.0 or earlier
are all upgraded to Windows 2000/2003. The PDC emulator still performs the other
functions as described in a Windows 2000/2003 environment.

At any one time, there can be only one domain controller acting as the PDC emulator
master in each domain in the forest.

4. How to manually configure FSMO Roles to separate DC’s

How can I determine who are the current FSMO Roles holders in my domain/forest?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method
called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles
in Active Directory.

The five FSMO roles are:

• Schema master - Forest-wide and one per forest.


• Domain naming master - Forest-wide and one per forest.
• RID master - Domain-specific and one for each domain.
• PDC - PDC Emulator is domain-specific and one for each domain.
• Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same
spot (or actually, on the same DC) as has been configured by the Active Directory installation
process. However, there are scenarios where an administrator would want to move one or
more of the FSMO roles from the default holder DC to a different DC. The transferring
method is described in the Transferring FSMO Roles article, while seizing the roles from a
non-operational DC to a different DC is described in the Seizing FSMO Roles article.

In order to better understand your AD infrastructure and to know the added value that each
DC might possess, an AD administrator must have the exact knowledge of which one of the
existing DCs is holding a FSMO role, and what role it holds. With that knowledge in hand,
the administrator can make better arrangements in case of a scheduled shut-down of any given
DC, and better prepare him or herself in case of a non-scheduled cease of operation from one
of the DCs.

How to find out which DC is holding which FSMO role? Well, one can accomplish this task
by many means. This article will list a few of the available methods.

Method #1: Know the default settings

The FSMO roles were assigned to one or more DCs during the DCPROMO process. The
following table summarizes the FSMO default locations:

FSMO Role Number of DCs holding Original DC holding the FSMO role
this role
Schema One per forest The first DC in the first domain in the
Domain Naming One per forest forest (i.e. the Forest Root Domain)
RID One per domain The first DC in a domain (any domain,
PDC Emulator One per domain including the Forest Root Domain, any
Infrastructure One per domain Tree Root Domain, or any Child
Domain)

Method #2: Use the GUI

The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table
to see which tool can be used for what FSMO role:

FSMO Role Which snap-in should I use?


Schema Schema snap-in
Domain Naming AD Domains and Trusts snap-in
RID AD Users and Computers snap-in
PDC Emulator
Infrastructure

Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and
Infrastructure Master FSMO Roles:

1. Open the Active Directory Users and Computers snap-in from the Administrative
Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press Operation
Masters.

3. Select the appropriate tab for the role you wish to view.

4. When you're done click Close.

Finding the Domain Naming Master via GUI

To find out who currently holds the Domain Naming Master Role:

1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools
folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation
Masters.

3. When you're done click Close.

Finding the Schema Master via GUI

To find out who currently holds the Schema Master Role:

1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:

2. Press OK. You should receive a success confirmation.


3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click it and press
Operation Masters.

8. Press the Close button.

Method #3: Use the Ntdsutil command

The FSMO role holders can be easily found by use of the Ntdsutil command.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and
then click OK.

2. Type roles, and then press ENTER.

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?,
and then press ENTER.

3. Type connections, and then press ENTER.

4. Type connect to server <servername>, where <servername> is the name of the server
you want to use, and then press ENTER.

5. At the server connections: prompt, type q, and then press ENTER again.

6. At the FSMO maintenance: prompt, type Select operation target, and then press
ENTER again.

At the select operation target: prompt, type List roles for connected server, and then press
ENTER again.

select operation target: List roles for connected server

Server "server100" knows about 5 roles

Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-


Name,CN=Sites,CN=C

onfiguration,DC=dpetri,DC=net

Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-


Name,CN=Sites,CN=C

onfiguration,DC=dpetri,DC=net

PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-


Name,CN=Sites,CN=Conf

iguration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Conf

iguration,DC=dpetri,DC=net

Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-


Name,CN=Si

tes,CN=Configuration,DC=dpetri,DC=net

select operation target:

8. Type q 3 times to exit the Ntdsutil prompt.

Note: You can download THIS nice batch file that will do all this for you (1kb).

Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in the Windows 2000
Resource Kit (and can be downloaded here: Download Free Windows 2000 Resource Kit
Tools). This tool is basically a one-click Ntdsutil script that performs the same operation
described above.

Method #4: Use the Netdom command

The FSMO role holders can be easily found by use of the Netdom command.

Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either download
it separately (from here Download Free Windows 2000 Resource Kit Tools) or by obtaining
the correct Support Tools pack for your operating system. The Support Tools pack can be
found in the \Support\Tools folder on your installation CD (or you can Download Windows
2000 SP4 Support Tools, Download Windows XP SP1 Deploy Tools).

1. On any domain controller, click Start, click Run, type CMD in the Open box, and then
click OK.
2. In the Command Prompt window, type netdom query /domain:<domain> fsmo (where
<domain> is the name of YOUR domain).

Close the CMD window.

Note: You can download THIS nice batch file that will do all this for you (1kb).

Method #5: Use the Replmon tool

The FSMO role holders can be easily found by use of the Netdom command.

Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support Tools.
Replmon can be used for a wide verity of tasks, mostly with those that are related with AD
replication. But Replmon can also provide valuable information about the AD, about any DC,
and also about other objects and settings, such as GPOs and FSMO roles. Install the package
before attempting to use the tool.
1. On any domain controller, click Start, click Run, type REPLMON in the Open box,
and then click OK.
2. Right-click Monitored servers and select Add Monitored Server.

3. In the Add Server to Monitor window, select the Search the Directory for the server to
add. Make sure your AD domain name is listed in the drop-down list.

4. In the site list select your site, expand it, and click to select the server you want to
query. Click Finish.

5. Right-click the server that is now listed in the left-pane, and select Properties.

6. Click on the FSMO Roles tab and read the results.

7. Click Ok when you're done.

How can I forcibly transfer (seize) some or all of the FSMO Roles from one DC to another?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method
called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles
in Active Directory.

The five FSMO roles are:

• Schema master - Forest-wide and one per forest.


• Domain naming master - Forest-wide and one per forest.
• RID master - Domain-specific and one for each domain.
• PDC - PDC Emulator is domain-specific and one for each domain.
• Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same
spot (or actually, on the same DC) as has been configured by the Active Directory installation
process. However, there are scenarios where an administrator would want to move one or
more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role
holder are online and operational is called Transferring, and is described in the Transferring
FSMO Roles article.
However, when the original FSMO role holder went offline or became non operational for a
long period of time, the administrator might consider moving the FSMO role from the
original, non-operational holder, to a different DC. The process of moving the FSMO role
from a non-operational role holder to a different DC is called Seizing, and is described in this
article.

If a DC holding a FSMO role fails, the best thing to do is to try and get the server online
again. Since none of the FSMO roles are immediately critical (well, almost none, the loss of
the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable
amount of time), so it is not a problem to them to be unavailable for hours or even days.

If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a
reliable computer. Administrators should use extreme caution in seizing FSMO roles. This
operation, in most cases, should be performed only if the original FSMO role owner will not
be brought back into the environment. Only seize a FSMO role if absolutely necessary when
the original role holder is not connected to the network.

What will happen if you do not perform the seize in time? This table has the info:

FSMO Role Loss implications


Schema The schema cannot be extended. However, in
the short term no one will notice a missing
Schema Master unless you plan a schema
upgrade during that time.
Domain Naming Unless you are going to run DCPROMO, then
you will not miss this FSMO role.
RID Chances are good that the existing DCs will
have enough unused RIDs to last some time,
unless you're building hundreds of users or
computer object per week.
PDC Emulator Will be missed soon. NT 4.0 BDCs will not be
able to replicate, there will be no time
synchronization in the domain, you will
probably not be able to change or troubleshoot
group policies and password changes will
become a problem.
Infrastructure Group memberships may be incomplete. If
you only have one domain, then there will be
no impact.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original
domain controller must not be activated in the forest again. It is necessary to reinstall
Windows if these servers are to be used again.

The following table summarizes the FSMO seizing restrictions:


FSMO Role Restrictions
Schema Original must be reinstalled
Domain Naming
RID
PDC Emulator Can transfer back to original
Infrastructure

Another consideration before performing the seize operation is the administrator's group
membership, as this table lists:

FSMO Role Administrator must be a member of


Schema Schema Admins
Domain Naming Enterprise Admins
RID Domain Admins
PDC Emulator
Infrastructure

To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and
then click OK.

2. Type roles, and then press ENTER.

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?,
and then press ENTER.

3. Type connections, and then press ENTER.

4. Type connect to server <servername>, where <servername> is the name of the server
you want to use, and then press ENTER.

5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize
the RID Master role, you would type seize rid master:

Options are:

7. You will receive a warning window asking if you want to perform the seize. Click on
Yes.

fsmo maintenance: Seize infrastructure master

Attempting safe transfer of infrastructure FSMO before seizure.

ldap_modify_sW error 0x34(52 (Unavailable).

Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002


(UNAVAILABLE)

, data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO
holde

r could not be contacted.)

Depending on the error code this may indicate a connection,

ldap, or role transfer error.

Transfer of infrastructure FSMO failed, proceeding with seizure ...

Server "server100" knows about 5 roles

Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-


Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-


Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-


Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-


Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-


Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

fsmo maintenance:
Note: All five roles need to be in the forest. If the first domain controller is out of the forest
then seize all roles. Determine which roles are to be on which remaining domain controllers
so that all five roles are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the
Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the
Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating
object information because it does not contain any references to objects that it does not hold.
This is because a GC server holds a partial replica of every object in the forest.

5. What is the difference between authoritative and non-authoritative restore

In authoritative restore, Objects that are restored will be replicated to all domain
controllers in the domain. This can be used specifically when the entire OU is
disturbed in all domain controllers or specifically restore a single object, which is
disturbed in all DC’s

In non-authoritative restore, Restored directory information will be updated by other


domain controllers based on the latest modification time.

6. what is Active Directory De-fragmentation

De-fragmentation of AD means separating used space and empty space created by


deleted objects and reduces directory size (only in offline De-fragmentation)

7. Difference between online and offline de-fragmentation

The size of NTDS.DIT will often be different sizes across the domain controllers in a domain.
Remember that Active Directory is a multi-master independent model where updates are
occurring in each of the domain controllers with the changes being replicated over time to the
other domain controllers.

The changed data is replicated between domain controllers, not the database, so there is no
guarantee that the files are going to be the same size across all domain controllers.

Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a
directory online defragmentation every 12 hours by default as part of the garbage-collection
process. This defragmentation only moves data around the database file (NTDS.DIT) and
doesn’t reduce the file’s size - the database file cannot be compacted while Active Directory is
mounted.
Active Directory routinely performs online database defragmentation, but this is limited to the
disposal of tombstoned objects. The database file cannot be compacted while Active Directory
is mounted (or online).

An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller than
the NTDS.DIT file on its peers.

However, defragmenting the NTDS.DIT file isn’t something you should really need to do.
Normally, the database self-tunes and automatically tombstoning the records then sweeping
them away when the tombstone lifetime has passed to make that space available for additional
records.

Defragging the NTDS.DIT file probably won’t help your AD queries go any faster in the long
run.

So why defrag it in the first place?

One reason you might want to defrag your NTDS.DIT file is to save space, for example if you
deleted a large number of records at one time.

To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the
following steps:

Back up Active Directory (AD).

Reboot the server, select the OS option, and press F8 for advanced options.

Select the Directory Services Restore Mode option, and press Enter. Press

Enter again to start the OS.

W2K will start in safe mode, with no DS running.

Use the local SAM’s administrator account and password to log on.

You’ll see a dialog box that says you’re in safe mode. Click OK.

From the Start menu, select Run and type cmd.exe

In the command window, you’ll see the following text. (Enter the commands in bold.)

C:\> ntdsutil

ntdsutil: files

file maintenance:info

....

file maintenance:compact to c:\temp


You’ll see the defragmentation process. If the process was successful, enter quit to return to
the command prompt.

Then, replace the old NTDS.DIT file with the new, compressed version. (Enter the commands
in bold.)

C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

Restart the computer, and boot as normal.

8. What is tombstone period

Tombstones are nothing but objects marked for deletion. After deleting an object in
AD the objects will not be deleted permanently. It will be remain 60 days by default
(which can be configurable) it adds an entry as marked for deletion on the object and
replicates to all DC’s. After 60 days object will be deleted permanently from all Dc’s.

9. what is white space and Garbage collection

refer question 7

10. what are the monitoring tools used for Server and Network Heath. How to define
alert mechanism

Spot Light , SNMP Need to enable .

11. How to deploy the patches and what are the softwares used for this process

Using SUS (Software update services) server we can deploy patches to all clients in
the network. We need to configure an option called “Synchronize with Microsoft
software update server” option and schedule time to synchronize in server. We need to
approve new update based on the requirement. Then approved update will be deployed
to clients

We can configure clients by changing the registry manually or through Group policy
by adding WUAU administrative template in group policy

12. What is Clustering. Briefly define & explain it

Clustering is a technology, which is used to provide High Availability for mission


critical applications. We can configure cluster by installing MCS (Microsoft cluster
service) component from Add remove programs, which can only available in
Enterprise Edition and Data center edition.
In Windows we can configure two types of clusters

NLB (network load balancing) cluster for balancing load between servers. This
cluster will not provide any high availability. Usually preferable at edge servers like
web or proxy.

Server Cluster: This provides High availability by configuring active-active or


active-passive cluster. In 2 node active-passive cluster one node will be active and one
node will be stand by. When active server fails the application will FAILOVER to
stand by server automatically. When the original server backs we need to FAILBACK
the application

Quorum: A shared storage need to provide for all servers which keeps information
about clustered application and session state and is useful in FAILOVER situation.
This is very important if Quorum disk fails entire cluster will fails

Heartbeat: Heartbeat is a private connectivity between the servers in the cluster,


which is used to identify the status of other servers in cluster.

13. How to configure SNMP

SNMP can be configured by installing SNMP from Monitoring and Management tools
from Add and Remove programs.

For SNMP programs to communicate we need to configure common community name


for those machines where SNMP programs (eg DELL OPEN MANAGER) running.
This can be configured from services.msc--- SNMP service -- Security

14. Is it possible to rename the Domain name & how?

In Windows 2000 it is not possible. In windows 2003 it is possible. On Domain


controller by going to MYCOMPUTER properties we can change.

15. What is SOA Record

SOA is a Start Of Authority record, which is a first record in DNS, which controls the
startup behavior of DNS. We can configure TTL, refresh, and retry intervals in this
record.

16. What is a Stub zone and what is the use of it.

Stub zones are a new feature of DNS in Windows Server 2003 that can be used to
streamline name resolution, especially in a split namespace scenario. They also help
reduce the amount of DNS traffic on your network, making DNS more efficient
especially over slow WAN links.

17. What are the different types of partitions present in AD

Active directory is divided into three partitions

Configuration Partition—replicates entire forest

Schema Partition—replicates entire forest

Domain Partition—replicate only in domain

Application Partition (Only in Windows 2003)

18. What are the (two) services required for replication

File Replication Service (FRS)

Knowledge Consistency Checker (KCC)

19. Can we use a Linux DNS Sever in 2000 Domain

We can use, But the BIND version should be 8 or greater

20. What is the difference between IIS Version 5 and IIS Version 6

Refer Question 1

21. What is ASR (Automated System Recovery) and how to implement it

ASR is a two-part system; it includes ASR backup and ASR restore. The ASR Wizard,
located in Backup, does the backup portion. The wizard backs up the system state,
system services, and all the disks that are associated with the operating system
components. ASR also creates a file that contains information about the backup, the
disk configurations (including basic and dynamic volumes), and how to perform a
restore.

You can access the restore portion by pressing F2 when prompted in the text-mode
portion of setup. ASR reads the disk configurations from the file that it creates. It
restores all the disk signatures, volumes, and partitions on (at a minimum) the disks
that you need to start the computer. ASR will try to restore all the disk configurations,
but under some circumstances it might not be able to. ASR then installs a simple
installation of Windows and automatically starts a restoration using the backup created
by the ASR Wizard.

22. What are the different levels that we can apply Group Policy

We can apply group policy at SITE level---Domain Level---OU level

23. What is Domain Policy, Domain controller policy, Local policy and Group policy

Domain Policy will apply to all computers in the domain, because by default it will be
associated with domain GPO, Where as Domain controller policy will be applied only
on domain controller. By default domain controller security policy will be associated
with domain controller GPO. Local policy will be applied to that particular machine
only and effects to that computer only.

24. What is the use of SYSVOL folder

Policies and scripts saved in SYSVOL folder will be replicated to all domain
controllers in the domain. FRS (File replication service) is responsible for replicating
all policies and scripts

25. What is folder redirection?

Folder Redirection is a User group policy. Once you create the group policy and link it
to the appropriate folder object, an administrator can designate which folders to
redirect and where To do this, the administrator needs to navigate to the following
location in the Group Policy Object:

User Configuration\Windows Settings\Folder Redirection

In the Properties of the folder, you can choose Basic or Advanced folder redirection,
and you can designate the server file system path to which the folder should be
redirected.

The %USERNAME% variable may be used as part of the redirection path, thus
allowing the system to dynamically create a newly redirected folder for each user to
whom the policy object applies.

26. What different modes in windows 2003 (Mixed, native & intrim….etc)
What are the domain and forest function levels in a Windows Server 2003-basedActive
Directory?

Functional levels are an extension of the mixed/native mode concept introduced in Windows
2000 to activate new Active Directory features after all the domain controllers in the domain
or forest are running the Windows Server 2003 operating system.

When a computer that is running Windows Server 2003 is installed and promoted to a domain
controller, new Active Directory features are activated by the Windows Server 2003 operating
system over its Windows 2000 counterparts. Additional Active Directory features are
available when all domain controllers in a domain or forest are running Windows Server 2003
and the administrator activates the corresponding functional level in the domain or forest.

To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2003. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2003 (read Raise Domain Function Level in Windows
Server 2003 Domains for more info).

To activate new forest-wide features, all domain controllers in the forest must be running
Windows Server 2003, and the current forest functional level must be at Windows 2000 native
or Windows Server 2003 domain level. After this requirement is met, the administrator can
raise the domain functional level (read Raise Forest Function Level in Windows Server 2003
Active Directory for more info).

Note: Network clients can authenticate or access resources in the domain or forest without
being affected by the Windows Server 2003 domain or forest functional levels. These levels
only affect the way that domain controllers interact with each other.

Important
Raising the domain and forest functional levels to Windows Server
2003 is a nonreversible task and prohibits the addition of Windows NT
4.0–based or Windows 2000–based domain controllers to the
environment. Any existing Windows NT 4.0 or Windows 2000–based
domain controllers in the environment will no longer function. Before
raising functional levels to take advantage of advanced Windows Server
2003 features, ensure that you will never need to install domain
controllers running Windows NT 4.0 or Windows 2000 in your
environment.

When the first Windows Server 2003–based domain controller is deployed in a domain or
forest, a set of default Active Directory features becomes available. The following table
summarizes the Active Directory features that are available by default on any domain
controller running Windows Server 2003:
Feature Functionality
Multiple selection of user objectsAllows you to modify common attributes of multiple
user objects at one time.
Drag and drop functionality Allows you to move Active Directory objects from
container to container by dragging one or more
objects to a location in the domain hierarchy. You can
also add objects to group membership lists by
dragging one or more objects (including other group
objects) to the target group.
Efficient search capabilities Search functionality is object-oriented and provides
an efficient search that minimizes network traffic
associated with browsing objects.
Saved queries Allows you to save commonly used search
parameters for reuse in Active Directory Users and
Computers
Active Directory command-line Allows you to run new directory service commands
tools for administration scenarios.
InetOrgPerson class The inetOrgPerson class has been added to the base
schema as a security principal and can be used in the
same manner as the user class.
Application directory partitions Allows you to configure the replication scope for
application-specific data among domain controllers.
For example, you can control the replication scope of
Domain Name System (DNS) zone data stored in
Active Directory so that only specific domain
controllers in the forest participate in DNS zone
replication.
Ability to add additional domain Reduces the time it takes to add an additional domain
controllers by using backup media controller in an existing domain by using backup
media.
Universal group membership Prevents the need to locate a global catalog across a
caching wide area network (WAN) when logging on by
storing universal group membership information on
an authenticating domain controller.
Secure Lightweight Directory Active Directory administrative tools sign and
Access Protocol (LDAP) traffic encrypt all LDAP traffic by default. Signing LDAP
traffic guarantees that the packaged data comes from
a known source and that it has not been tampered
with.
Partial synchronization of the Provides improved replication of the global catalog
global catalog when schema changes add attributes to the global
catalog partial attribute set. Only the new attributes
are replicated, not the entire global catalog.
Active Directory quotas Quotas can be specified in Active Directory to control
the number of objects a user, group, or computer can
own in a given directory partition. Members of the
Domain Administrators and Enterprise Administrators
groups are exempt from quotas.

When the first Windows Server 2003–based domain controller is deployed in a domain or
forest, the domain or forest operates by default at the lowest functional level that is possible in
that environment. This allows you to take advantage of the default Active Directory features
while running versions of Windows earlier than Windows Server 2003.

When you raise the functional level of a domain or forest, a set of advanced features becomes
available. For example, the Windows Server 2003 interim forest functional level supports
more features than the Windows 2000 forest functional level, but fewer features than the
Windows Server 2003 forest functional level supports. Windows Server 2003 is the highest
functional level that is available for a domain or forest. The Windows Server 2003 functional
level supports the most advanced Active Directory features; however, only Windows Server
2003 domain controllers can operate in that domain or forest.

If you raise the domain functional level to Windows Server 2003, you cannot introduce any
domain controllers that are running versions of Windows earlier than Windows Server 2003
into that domain. This applies to the forest functional level as well.

Domain Functional Level

Domain functionality activates features that affect the whole domain and that domain only.
The four domain functional levels, their corresponding features, and supported domain
controllers are as follows:

Windows 2000 mixed (Default)

• Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows


Server 2003
• Activated features: local and global groups, global catalog support

Windows 2000 native

• Supported domain controllers: Windows 2000, Windows Server 2003


• Activated features: group nesting, universal groups, SidHistory, converting groups
between security groups and distribution groups, you can raise domain levels by
increasing the forest level settings

Windows Server 2003 interim

• Supported domain controllers: Windows NT 4.0, Windows Server 2003


• Supported features: There are no domain-wide features activated at this level. All
domains in a forest are automatically raised to this level when the forest level
increases to interim. This mode is only used when you upgrade domain controllers in
Windows NT 4.0 domains to Windows Server 2003 domain controllers.

Windows Server 2003

• Supported domain controllers: Windows Server 2003


• Supported features: domain controller rename, logon timestamp attribute updated and
replicated. User password support on the InetOrgPerson objectClass. Constrained
delegation, you can redirect the Users and Computers containers.

Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows
Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows
2000 domains maintain their current domain functional level when Windows 2000 domain
controllers are upgraded to the Windows Server 2003 operating system. You can raise the
domain functional level to either Windows 2000 native or Windows Server 2003.

After the domain functional level is raised, domain controllers that are running earlier
operating systems cannot be introduced into the domain. For example, if you raise the domain
functional level to Windows Server 2003, domain controllers that are running Windows 2000
Server cannot be added to that domain.

The following describes the domain functional level and the domain-wide features that are
activated for that level. Note that with each successive level increase, the feature set of the
previous level is included.

Forest Functional Level

Forest functionality activates features across all the domains in your forest. Three forest
functional levels, the corresponding features, and their supported domain controllers are listed
below.

Windows 2000 (default)

• Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server


2003
• New features: Partial list includes universal group caching, application partitions,
install from media, quotas, rapid global catalog demotion, Single Instance Store (SIS)
for System Access Control Lists (SACL) in the Jet Database Engine, Improved
topology generation event logging. No global catalog full sync when attributes are
added to the PAS Windows Server 2003 domain controller assumes the Intersite
Topology Generator (ISTG) role.

Windows Server 2003 interim

• Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the
"Upgrade from a Windows NT 4.0 Domain" section of this article.
• Activated features: Windows 2000 features plus Efficient Group Member Replication
using Linked Value Replication, Improved Replication Topology Generation. ISTG
Aliveness no longer replicated. Attributes added to the global catalog. ms-DS-Trust-
Forest-Trust-Info. Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner,
Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source,
Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit

Windows Server 2003

• Supported domain controllers: Windows Server 2003


• Activated features: all features in Interim Level, Defunct schema objects, Cross Forest
Trust, Domain Rename, Dynamic auxiliary classes, InetOrgPerson objectClass
change, Application Groups, 15-second intrasite replication frequency for Windows
Server 2003 domain controllers upgraded from Windows 2000

After the forest functional level is raised, domain controllers that are running earlier operating
systems cannot be introduced into the forest. For example, if you raise forest functional levels
to Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows
2000 Server cannot be added to the forest.

Different Active Directory features are available at different functional levels. Raising
domain and forest functional levels is required to enable certain new features as
domain controllers are upgraded from Windows NT 4.0 and Windows 2000 to
Windows Server 2003

Domain Functional Levels: Windows 2000 Mixed mode, Windows 2000 Native
mode, Windows server 2003 and Windows server 2003 interim ( Only available when
upgrades directly from Windows NT 4.0 to Windows 2003)

Forest Functional Levels: Windows 2000 and Windows 2003

27. Ipsec usage and difference window 2000 & 2003.

Microsoft doesn’t recommend Internet Protocol security (IPSec) network address


translation (NAT) traversal (NAT-T) for Windows deployments that include VPN
servers and that are located behind network address translators. When a server is
behind a network address translator, and the server uses IPSec NAT-T, unintended side
effects may occur because of the way that network address translators translate
network traffic

If you put a server behind a network address translator, you may experience
connection problems because clients that connect to the server over the Internet
require a public IP address. To reach servers that are located behind network address
translators from the Internet, static mappings must be configured on the network
address translator. For example, to reach a Windows Server 2003-based computer that
is behind a network address translator from the Internet, configure the network address
translator with the following static network address translator mappings:

• Public IP address/UDP port 500 to the server's private IP address/UDP port 500.
• Public IP address/UDP port 4500 to the server's private IP address/UDP port 4500.

These mappings are required so that all Internet Key Exchange (IKE) and IPSec NAT-
T traffic that is sent to the public address of the network address translator is
automatically translated and forwarded to the Windows Server 2003-based computer

28. How to create application partition windows 2003 and its usage?

An application directory partition is a directory partition that is replicated only to


specific domain controllers. A domain controller that participates in the replication of a
particular application directory partition hosts a replica of that partition. Only domain
controllers running Windows Server 2003 can host a replica of an application
directory partition.

Applications and services can use application directory partitions to store application-
specific data. Application directory partitions can contain any type of object, except
security principals. TAPI is an example of a service that stores its application-specific
data in an application directory partition.

Application directory partitions are usually created by the applications that will use
them to store and replicate data. For testing and troubleshooting purposes, members of
the Enterprise Admins group can manually create or manage application directory
partitions using the Ntdsutil command-line tool.

29. Is it possible to do implicit transitive forest to forest trust relation ship in


windows 2003?

Implicit Transitive trust will not be possible in windows 2003. Between forests we can
create explicit trust

Two-way trust

One-way: incoming

One-way: Outgoing

30. What is universal group membership cache in windows 2003.

Information is stored locally once this option is enabled and a user attempts to log on
for the first time. The domain controller obtains the universal group membership for
that user from a global catalog. Once the universal group membership information is
obtained, it is cached on the domain controller for that site indefinitely and is
periodically refreshed. The next time that user attempts to log on, the authenticating
domain controller running Windows Server 2003 will obtain the universal group
membership information from its local cache without the need to contact a global
catalog.

By default, the universal group membership information contained in the cache of


each domain controller will be refreshed every 8 hours.

31. GPMC & RSOP in windows 2003?

GPMC is tool which will be used for managing group policies and will display
information like how many policies applied, on which OU’s the policies applied, What
are the settings enabled in each policy, Who are the users effecting by these polices,
who is managing these policies. GPMC will display all the above information.
RSoP provides details about all policy settings that are configured by an
Administrator, including Administrative Templates, Folder Redirection, Internet
Explorer Maintenance, Security Settings, Scripts, and Group Policy Software
Installation.

When policies are applied on multiple levels (for example, site, domain, domain
controller, and organizational unit), the results can conflict. RSoP can help you
determine a set of applied policies and their precedence (the order in which policies
are applied).

32. Assign & Publish the applications in GP & how?

Through Group policy you can Assign and Publish the applications by creating .msi
package for that application

With Assign option you can apply policy for both user and computer. If it is applied to
computer then the policy will apply to user who logs on to that computer. If it is
applied on user it will apply where ever he logs on to the domain. It will be appear in
Start menu—Programs. Once user click the shortcut or open any document having that
extension then the application install into the local machine. If any application
program files missing it will automatically repair.

With Publish option you can apply only on users. It will not install automatically when
any application program files are corrupted or deleted.

33. DFS in windows 2003?

Refer Question 17 on level 2

34. How to use recovery console?

The Windows 2000 Recovery Console is a command-line console that you can start
from the Windows 2000 Setup program. Using the Recovery Console, you can start
and stop services, format drives, read and write data on a local drive (including drives
formatted to use NTFS), and perform many other administrative tasks. The Recovery
Console is particularly useful if you need to repair your system by copying a file from
a floppy disk or CD-ROM to your hard drive, or if you need to reconfigure a service
that is preventing your computer from starting properly. Because the Recovery
Console is quite powerful, it should only be used by advanced users who have a
thorough knowledge of Windows 2000. In addition, you must be an administrator to
use the Recovery Console.

There are two ways to start the Recovery Console:


If you are unable to start your computer, you can run the Recovery Console from your
Windows 2000 Setup disks or from the Windows 2000 Professional CD (if you can
start your computer from your CD-ROM drive).

As an alternative, you can install the Recovery Console on your computer to make it
available in case you are unable to restart Windows 2000. You can then select the
Recovery Console option from the list of available operating systems

35. PPTP protocol for VPN in windows 2003?

Point-to-Point-Tunneling Protocol (PPTP) is a networking technology that supports


multiprotocol virtual private networks (VPN), enableing remote users to access
corporate networks securely across the Microsoft Windows NT® Workstation,
Windows® 95, and Windows 98 operating systems and other point-to-point protocol
(PPP)-enabled systems to dial into a local Internet service provider to connect securely
to their corporate network through the Internet

Netdom.exe is domain management tool to rename domain controller

SID history

• What is Bridge Head Server?

• Crisis Management?

• Mail flow in Exchange Server.

• DMZ concept in Firewalls.

• Is NAT uses Port Number if so what is the Port number?

• Difference between Schema Master and Global Catlog?


• Difference Between Incremental and Differential Backup? Which is best backup
Microsoft has recommended? (depends on the volume of data)

• How DNS and DHCP are integrated?

• If RID master fails what happens?


• tool used for FSMO?

• Difference between Assigning and Publishing through Group Policy?

Netdom.exe is domain management tool to rename domain controller

Second level

• What are the services installed when RIS is installed. Read about RIS.

• How to trouble shoot if a DHCP client won’t get IP from DHCP Server?

• What is online and offline fragmentations?

• Garbage collections and white spaces?

• Tell me one example when Infracture master and Global catalog will be on one
DC, what is the issue if both resides on same system?

• When you require a Infrastructure Master.


• What are Windows 2003 modes?

• What are FSMO roles and explain then?


• Stress on PDC emulator?
• 2003 advantages?

• About migration?(W2k to W2k3 and NT to W2k3).

How to Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration:

Before you upgrade a Windows NT 4.0 domain to a Windows Server 2003-based


domain, the following domain and security configurations are required.

Note: This article assumes that the source domain is running Windows NT 4.0 Service
Pack 4 (SP4) or later with 128-Bit encryption, and that the target domain is a Windows
Server 2003-based domain in native mode. Also, the Windows Server 2003 must have
128-Bit encryption (which comes as a default setting in Windows 2003).

Trusts

Configure the source domain to trust the target domain.

Configure the target domain to trust the source domain.

Groups

Add the Domain Admins global group from the source domain to the Administrators
local group in the target domain.

Add the Domain Admins global group from the target domain to the Administrators
local group in the source domain.

Create a new local group in the source domain called Source Domain$$$.

Note: There must be no members in this group.

Auditing

Enable auditing for the success and failure of user and group management on the
source domain.

Enable auditing for the success and failure of Audit account management on the target
domain in the Default Domain Controllers policy.

Registry
On the PDC in the source domain, add the TcpipClientSupport:REG_DWORD:0x1
value to the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\

Control\LSA

Administrative Shares

Administrative shares must exist on the domain controller in the target domain on
which you run ADMT, and on any computers on which an agent must be dispatched.

User Rights

You must log on to the computer on which you run ADMT with an account that has
the following permissions:

Domain Administrator rights in the target domain.

A member of the Administrators group in the source domain.

Administrator rights on each computer that you migrate.

Administrator rights on each computer on which you translate security.

You will have the appropriate rights when you log on to the PDC that is the FSMO
role holder in the target domain with the Source Domain\Administrator account,
assuming that the Source Domain\Domain Administrators group is a member of the
Administrators group on each computer.

How to set up ADMT for a Windows 2000 to Windows Server 2003 migration

How to Set Up ADMT for a Windows 2000 to Windows Server 2003 Migration

You can install the Active Directory Migration Tool version 2 (ADMTv2) on any computer
that is running Windows 2000 or later, including:

Microsoft Windows 2000 Professional

Microsoft Windows 2000 Server

Microsoft Windows XP Professional

Microsoft Windows Server 2003

The computer on which you install ADMTv2 must be a member of either the source or the
target domain.

Intraforest Migration
Intraforest migration does not require any special domain configuration. The account you use
to run ADMT must have enough permissions to perform the actions that are requested by
ADMT. For example, the account must have the right to delete accounts in the source domain,
and to create accounts in the target domain.

Intraforest migration is a move operation instead of a copy operation. These migrations are
said to be destructive because after the move, the migrated objects no longer exist in the
source domain. Because the object is moved instead of copied, some actions that are optional
in interforest migrations occur automatically. Specifically, the sIDHistory and password are
automatically migrated during all intraforest migrations.

Interforest Migration

ADMT requires the following permissions to run properly:

Administrator rights in the source domain.

Administrator rights on each computer that you migrate.

Administrator rights on each computer on which you translate security.

Before you migrate a Windows 2000-based domain to a Windows Server 2003-based domain,
you must make some domain and security configurations. Computer migration and security
translation do not require any special domain configuration. However, each computer you
want to migrate must have the administrative shares, C$ and ADMIN$.

The account you use to run ADMT must have enough permissions to complete the required
tasks. The account must have permission to create computer accounts in the target domain and
organizational unit, and must be a member of the local Administrators group on each
computer to be migrated.

User and Group Migration

You must configure the source domain to trust the target domain. Optionally, the target may
be configured to trust the source domain. While this may ease configuration, it is not required
to finish the ADMT migration.

Requirements for Optional Migration Tasks

You can complete the following tasks automatically by running the User Migration Wizard in
Test mode and selecting the migrate sIDHistory option. The user account you use to run
ADMT must be an Administrator in both the source and the target domains for the automatic
configuration to succeed.

Create a new local group in the source domain that is named %sourcedomain%$$$. There
must be no members in this group.

Turn on auditing for the success and failure of Audit account management on both domains in
the Default Domain Controllers policy.
Configure the source domain to allow RPC access to the SAM by configuring the following
registry entry on the PDC Emulator in the source domain with a DWORD value of 1:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\

Control\LSA\TcpipClientSupport

You must restart the PDC Emulator after you make this change.

Note: For Windows 2000 domains, the account you use to run ADMTv2 must have domain
administrator permissions in both the source and target domains. For Windows Server 2003
target domains, the 'Migrate sIDHistory' may be delegated. For more information, see
Windows Server 2003 Help & Support.

You can turn on interforest password migration by installing a DLL that runs in the context of
LSA. By running in this protected context, passwords are shielded from being viewed in
cleartext, even by the operating system. The installation of the DLL is protected by a secret
key that is created by ADMTv2, and must be installed by an administrator.

To install the password migration DLL:

Log on as an administrator or equivalent to the computer on which ADMTv2 is installed.

At a command prompt, run the ADMT KEY sourcedomainpath [* | password] command to


create the password export key file (.pes). In this example, sourcedomain is the NetBIOS
name of the source domain and path is the file path where the key will be created. The path
must be local, but can point to removable media such as a floppy disk drive, ZIP drive, or
writable CD media. If you type the optional password at the end of the command, ADMT
protects the .pes file with the password. If you type the asterisk (*), ADMT prompts for a
password, and the system will not echo it as it is typed.

Move the .pes file you created in step 2 to the designated Password Export Server in the
source domain. This can be any domain controller, but make sure it has a fast, reliable link to
the computer that is running ADMT.

Install the Password Migration DLL on the Password Export Server by running the
Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder on the Windows Server 2003
installation media, or the folder to which you downloaded ADMTv2 from the Internet.

When you are prompted to do so, specify the path to the .pes file that you created in step 2.
This must be a local file path.

After the installation completes, you must restart the server.

If you are ready to migrate passwords, modify the following registry key to have a DWORD
value of 1. For maximum security, do not complete this step until you are ready to migrate.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\

Control\LSA\AllowPasswordExport
The Active Directory Migration Tool v2 is included in the I386\Admt folder on the Windows
Server 2003 CD.

The Active Directory Migration Tool provides an easy, secure, and fast way to migrate to
Windows 2000 Active Directory service. As a system administrator, you can use this tool to
diagnose any possible problems before starting migration operations to Windows 2000 Server
Active Directory. You can then use the task-based wizard to migrate users, groups, and
computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes.
The tool's reporting feature allows you to assess the impact of the migration, both before and
after move operations.

In many cases, if there is a problem, you can use the rollback features to automatically restore
previous structures. The tool also provides support for parallel domains, so you can maintain
your existing Windows NT 4.0 domains while you deploy Windows 2000.

Note: To successfully run the AD Migration Tool the source domain must be running
Windows NT 4.0 Service Pack 4 or later, and the target domain will be a Windows 2000-
based domain in Native mode.

Version 2.0 of ADMT is from Windows Server 2003 and has many new features:

Scripting and Command line interface

Password Migration

Sid Mapping Files for Security

Translation

Windows 2000 Attribute Exclusion

Agent Credentials

Migration Log

Skip Membership Restoration

• Question on System State data Backup?

• Diff types of DNS roles and Zones?

• What are the steps you follow when you are promoting a server as ADC in
windows 2003?
• What are the two parameters you run before upgrading the server to an
ADC(/forestprep, /domainprep).
• What is the authentication process?

• What is the role of GC in authentication process?

• What happens if DNS server fails. Can a user is able to login if the DNS server
fails(if you have only one DNS Server).

• How do you promote a server to a domain controller(in windows 2003) over a


slow wan links.

A. Take the backup of systemstate from the DC and restore it in the server where you are
promoting using “dcpromo /adv” and select restore from backup.

Working with Group Policy


This article deals with the mechanism of deploying and verifying GPO deployment. It will
not deal in the GPO itself and the settings inside it (these settings and configurations will
be discussed in different articles).

Group Policy is a one of the most useful tools found in the Windows 2000/2003 Active
Directory infrastructure. Group Policy can help you do the following:

1. Configure user's desktops


2. Configure local security on computers
3. Install applications
4. Run start-up/shut-down or logon/logoff scripts
5. Configure Internet Explorer settings
6. Redirect special folders

In fact, you can configure any aspect of the computer behavior with it. Although it is a
cool toy; working with it without proper attention can cause unexpected behavior.

Here are some basic terms you need to be familiar with before drilling down into Group
Policy:

Local policy - Refers to the policy that configures the local computer or server, and is
not inherited from the domain. You can set local policy by running gpedit.msc from the
Run command, or you can add "Group Policy Object Editor" snap-in to MMC. Local Policies
also exist in the Active Directory environment, but have many fewer configuration options
that the full-fledged Group Policy in AD.
GPO - Group Policy Object - Refers to the policy that is configured at the Active
Directory level and is inherited by the domain member computers. You can configure a
GPO – Group Policy Object - at the site level, domain level or OU level.

GPC – Group Policy Container - The GPC is the store of the GPOs; The GPC is where
the GPO stores all the AD-related configuration. Any GPO that is created is not effective
until it is linked to an OU, Domain or a Site. The GPOs are replicated among the Domain
Controllers of the Domain through replication of the Active Directory.

GPT - Group Policy Templates - The GPT is where the GPO stores the actual settings.
The GPT is located within the Netlogon share on the DCs.

Netlogon share - A share located only on Domain Controllers and contains GPOs, scripts
and .POL files for policy of Windows NT/98. The Netlogon share replicates among all DCs
in the Domain, and is accessible for read only for the Everyone group, and Full Control for
the Domain Admins group. The Netlogon's real location is:

C:\WINDOWS\SYSVOL\sysvol\domain.com\SCRIPTS

When a domain member computer boots up, it finds the DC and looks for the Netlogon
share in it.

To see what DC the computer used when it booted, you can go to the Run command and
type %logonserver%\Netlogon. The content of the Netlogon share should be the same on
all DCs in the domain.

GPO behavior

Group Policy is processed in the following order:

Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO

and so on.

GPOs inherited from the Active Directory are always stronger than local policy. When you
configure a Site policy it is being overridden by Domain policy, and Domain policy is being
overridden by OU policy. If there is an OU under the previous OU, its GPO is stronger the
previous one.

The rule is simple, as more you get closer to the object that is being configured, the GPO
is stronger.

What does it mean "stronger"? If you configure a GPO and linke it to "Organization" OU,
and in it you configure Printer installation – allowed and then at the "Dallas" OU you
configured other GPO but do not allow printer installation, then the Dallas GPO is more
powerful and the computers in it will not allow installation of printers.

The example above is true when you have different GPOs that have similar configuration,
configured with opposite settings. When you apply couple of GPOs at different levels and
every GPO has its own settings, all settings from all GPOs are merged and inherited by
the computers or users.

Group Policy sections

Each GPO is built from 2 sections:


• Computer configuration contains the settings that configure the computer prior
to the user logon combo-box.
• User configuration contains the settings that configure the user after the logon.
You cannot choose to apply the setting on a single user, all users, including
administrator, are affected by the settings.

Within these two section you can find more sub-folders:

• Software settings and Windows settings both of computer and user are
settings that configure local DLL files on the machine.
• Administrative templates are settings that configure the local registry of the
machine. You can add more options to administrative templates by right clicking it
and choose .ADM files. Many programs that are installed on the computer add
their .ADM files to %systemroot%\inf folder so you can add them to the
Administrative Templates.

You can download .ADM files for the Microsoft operating systems

Tools used to configure GPO

You can configure GPOs with these set of tools from Microsoft (other 3rd-party tools exist
but we will discuss these in a different article):

1. Group Policy Object Editor snap-in in MMC - or - use gpedit.msc from the Run
command.
2. Active Directory Users and Computers snap in - or dsa.msc – to invoke the Group
Policy tab on every OU or on the Domain.
3. Active Directory Sites and Services - or dssite.msc – to invoke the Group Policy
tab on a site.
4. Group Policy Management Console - or gpmc.msc - this utility is NOT included in
Windows 2003 server and needs to be separately installed. You can download it
from HERE

Note that if you'd like to use the GPMC tool on Windows XP, you need to install it on
computers running Windows XP SP2. Installing it on computers without SP2 will generate
errors due to unsupported and newer .ADM files.

GPMC utility - Creating a GPO

When you create a GPO it is stored in the GPO container. After creation you should link
the GPO to an OU that you choose.

Linking a GPO

To link a GPO simply right click an OU and choose Link an existing GPO or you can create
and link a GPO in the same time. You can also drag and drop a GPO from the Group
Policy Objects folder to the appropriate Site, Domain or OU.

When you right-click a link you can:

Edit a GPO - This will open the GPO window so you can configure settings.

Link/Unlink a GPO - This setting allows you to temporarily disable a link if you need to
add settings to it or if you will activate it later.
Enabling/disabling computer or user settings

GPO has computer and user settings but if you create a GPO that contains only computer
settings, you might want to disable the user settings in that GPO, this will reduce the
amount of settings replicated and can also be used for testing.

To disable one of the configurations simply choose the GPO link and go to Details tab:

How do I know what are the settings in a GPO?

Prior to the use of GPMC, an administrator who wanted to find out which one of the
hundreds of settings of a GPO were actually configured - had to open each GPO and
manually comb through each and every node of the GPO sections. Now, with GPMC, you
can simply see what the configurations of any GPO are if you point on that GPO and go to
the Settings tab. There you can use the drop-down menus to see computer or user
settings.

Block/Enforce inheritance

You can block policy inheritance to an OU if you don’t want the settings from upper GPOs
to configure your OU.

To block GPO inheritance, simply right click your OU and choose "Block Inheritance".
Blocking inheritance will block all upper GPOs.

In case you need one of the upper GPOs to configure all downstream OUs and overcome
Block inheritance, use the Enforce option of a link. Enforcing a GPO is a powerful option
and rarely should be used.

You can see in this example that when you look at Computers OU, three different GPOs
are inherited to it.

In this example you can see that choosing "Block inheritance" will reject all upper GPOs.

Now, if we configure the "Default domain policy" with the Enforce option, it will overcome
the inheritance blocking.

Link order

When linking more than one GPO to an OU, there could be a problem when two or more
GPOs have the same settings but with opposite configuration, like, GPO1 have Allow
printer installation among other settings but GPO2 is configured to prevent printer
installation among other settings. Because the two GPOs are at the same level, there is a
link order which can be changed.

The GPO with the lowest link order is processed last, and therefore has the highest
precedence.

Security Filtering

Filtering let you choose the user, group or computer that the GPO will apply onto. If you
configured "Computers" OU with a GPO but you only want to configure Win XP stations
with that GPO and exclude Win 2000 stations, you can easily create a group of Win XP
computers and apply the GPO only to that group.
This option save you from creating complicated OU tree with each type of computer in it.

A user or a group that you configure in the filtering field have by default the "Read" and
"Apply" permission. By default when you create a GPO link, you can see that
"Authenticated users" are listed.

In the above example, Office 2K3 will be installed on all computers that are part of the
two listed groups.

If we still were using Authenticated users, the installation of the Office suite could have
followed the user to any computer that he logs onto, like servers or other machines.
Using filtering narrows the installation options.

If you want to configure these permissions with higher resolution, you can go to
Delegation tab and see the permissions. Going to the Advanced Tab will let you configure
the ACL permission with the highest resolution.

How the GPO is updated on the computers

GPO inherited from AD is refreshed on the computers by several ways:

1. Logon to computer (If the settings are of "user settings" in GPO)


2. Restart of the computer (If the settings are of "computer settings" in GPO)
3. Every 60 to 90 minutes, the computers query their DC for updates.
4. Manually by using gpupdate command. You can add the /force switch to force all
settings and not only the delta.

Note: Windows 2000 doesn't support the Gpupdate command so you need run a
different command instead:

for computer settings.

for user settings.

In both commands you can use the /enforce that is similar to the /force in gpupdate.

If any configuration change requires a logoff or a restart message will appear:

You can force logoff or reboot using gpupdate switches.

How to check that the GPO was deployed

To be sure that GPO was deployed correctly, you can use several ways. The term for the
results is called RSoP – Resultant Sets of Policies.

1. Use gpresult command in the command prompt.

The default result is for the logged on user on that machine. You can also choose to
check what is the results for other users on to that machine. If you use /v or /z switches
you will get very detailed information.

You can see what GPOs were applied and what GPOs were filtered out and the reason for
not being deployed.
2. Resultant Set of Policy snap-in in MMC.

The snap-in has two modes:

Logging mode which tells you what are the real settings that were deployed on the
machine

Planning mode which tells you what will be the results if you choose some options.

This option is not so compatible because you need to browse in the RSoP data to find the
settings.

1. Group Policy Results in GPMC.

This is the most comfortable option that let you check the RSoP data on every computer
or user from a central location. This option also displays the summary of the RSoP and
Detailed RSoP data in HTML format.

In the example above example you can see the summary of applied or non applied GPOs
both of computer and user settings.

When looking at the Settings tab we can see what settings did applied on the computer
and see which is the "Winning GPO" that actually configured the computer with the
particular setting.