Technical Interview Questions - Windows Server 2008/R2

Active Directory
What is Active Directory?
Active Directory provides the means to manage the identities and relationships that make
up your organization's network. Integrated with Windows Server, Active Directory gives
you out-of-the-box functionality needed to centrally configure and administer system,
user, and application settings.
What is LDAP?
The Lightweight Directory Access Protocol is an application protocol for accessing and
maintaining distributed directory information services over an Internet Protocol (IP)
network. LDAP is defined in terms of ASN.1 and transmitted using BER.
A client starts an LDAP session by connecting to an LDAP server, called a Directory
System Agent (DSA), by default on TCP port 389. The client then sends an operation
request to the server, and the server sends responses in return. With some exceptions, the
client does not need to wait for a response before sending the next request, and the server
may send the responses in any order.

Where is the AD database held? What other folders are related to AD?
AD database held on %systemroot%\ntds
Other files related to AD
res1.log, res2.log, edb.chk n edb.log
Talk about all the AD-related roles in Windows Server 2008/R2.

What is the SYSVOL folder?
System Volume (SYSVOL) is a shared directory that stores the server copy of the
domain public files (Policies and scripts) that must be shared for common access and
replication throughout a domain. It must be located in NTFS volume (because junctions
are used within the SYSVOL folder structure)

The Sysvol folder on a Windows domain controller is used to replicate file-based data
among domain controllers. Because junctions are used within the Sysvol folder structure,
Windows NT file system (NTFS) version 5.0 is required on domain controllers
throughout a Windows distributed file system (DFS) forest.
This is a quote from microsoft themselves, basically the domain controller info stored in
files like your group policy stuff is replicated through this folder structure

What are the new Domain and Forest Functional Levels in Windows Server 2008/R2?
Domain Function Levels
To activate a new domain function level, all DCs in the domain must be running the right
operating system. After this requirement is met, the administrator can raise the domain functional
level. Here's a list of the available domain function levels available in Windows Server 2008:
Windows 2000 Native Mode
This is the default function level for new Windows Server 2008 Active Directory domains.
Supported Domain controllers Windows 2000, Windows Server 2003, Windows Server 2008.
Features and benefits:
Group nesting Unlike Windows NT 4.0, allows placing of a group of one scope as a member
of another group of the same scope.
Universal security groups Allows usage of Universal security type groups.
SidHistory Enables usage of SidHistory when migrating objects between domains.
Converting groups between security groups and distribution groups Unlike Windows NT
4.0, allows converting of a group type into another group type (with some limitations).
Windows Server 2003 Mode
To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2003. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2003. Read my "Raise Domain Function Level in Windows
Server 2003 Domains" article for more info about that.
Supported Domain controllers Windows Server 2003, Windows Server 2008.
Features and benefits include all default Active Directory features, all features from the Windows
2000 native domain functional level, plus:
Universal group caching Windows Server 2003 functional level supports Universal group
caching which eliminate the need for local global catalog server.
Domain Controller rename By using the NETDOM command.
Logon time stamp update The lastLogonTimestamp attribute will be updated with the last
logon time of the user or computer. This attribute is replicated within the domain.
Multivalued attribute replication improvements Allows incremental membership changes,
which in turn enables having more than 5000 members in a group and better replication
capabilities.
Lingering objects (zombies) detection Windows Server 2003 has the ability to detect zombies,
or lingering objects.
AD-integrated DNS zones in application partitions This allows storing of DNS data in AD
application partition for more efficient replication.
Users and Computers containers can be redirected This allows the redirection of the default
location of new users and computers (by using the REDIRUSR and REDIRCMP commands).
Support for selective authentication Makes it possible to specify the users and groups from a
trusted forest who are allowed to authenticate to resource servers in a trusting forest.
Windows Server 2008 Mode

What are the AD naming contexts (partitions)s and replication issues for each NC?
There are three predefined Naming Contexts (NC)
1. Domain Naming Context - One per domain. The domain naming context stores
users, computers, groups, and other objects for that domain. All domain
controllers that are joined to the domain share a full writeable copy of the domain
directory partition. Additionally, all domain controllers in the forest that host the
global catalog also host a partial read-only copy of every other domain naming
context in the forest.
2. Configuration Naming Context - One per forest. It stores forest-wide
configuration data that is required for the proper functioning of Active Directory
as a directory service. Information that Active Directory uses to construct the
directory tree hierarchy is also stored in the configuration directory partition, as is
network-wide, service-specific information that applications use to connect to
instances of services in the forest. Every domain controller has one fully writeable
copy of the configuration directory partition.
3. Schema Naming Context - One per forest. The schema naming context contains
the definitions of all objects that can be instantiated in Active Directory. It also
stores the definitions of all attributes that can be a part of objects in Active
Directory. Every domain controller has one fully writeable copy of the schema
directory partition, although schema updates are allowed only on the domain
controller that is the schema operations master.
You can also define your own naming context in Windows 2003 and later -- called
Application Partitions. Replication issues are not specific to a naming context.


Name the Active Directory Partition and explain?
Directory Partitions
The Active Directory database is logically separated into directory partitions:
Schema partition
Configuration partition
Domain partition
Application partition
Each partition is a unit of replication, and each partition has its own replication topology. Replication
occurs between replicas of directory partition. Minimum two directory partitions are common among all
domains controllers in the same forest: the schema and configuration partitions. All domain controllers
which are in the same domain, in addition, share a common domain partition.
Schema Partition
Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a
forest. The schema partition contains definitions of all objects and attributes that you can create in the
directory, and the rules for creating and manipulating them. Schema information is replicated to all
domain controllers in the attribute definitions.
Configuration Partition
There is only one configuration partition per forest. Second on all domain controllers in a forest, the
configuration partition contains information about the forest-wide active directory structure including
what domains and sites exist, which domain controllers exist in each forest, and which services are
available. Configuration information is replicated to all domain controllers in a forest.
Domain Partition
Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a
given domain. A domain partition contains information about users, groups, computers and organizational
units. The domain partition is replicated to all domain controllers of that domain. All objects in every
domain partition in a forest are stored in the global catalog with only a subset of their attribute values.
Application Partition
Application partitions store information about application in Active Directory. Each application
determines how it stores, categorizes, and uses application specific information. To prevent unnecessary
replication to specific application partitions, you can designate which domain controllers in a forest host
specific application partitions. Unlike a domain partitions, an application partition cannot store security
principal objects, such as user accounts. In addition, the data in an application partition is not stored in the
global catalog.
As an example of application partition, if you use a Domain Name System (DNS) that is integrated with
Active Directory you have two application partitions for DNS zones ForestDNSZones and
DomainDNSZones:
ForestDNSZones is part of a forest. All domain controllers and DNS servers in a forest receive a
replica of this partition. A forest-wide application partition stores the forest zone data.
DomainDNSZones is unique for each domain. All domain controllers that are DNS servers in that
domain receive a replica of this partition. The application partitions store the domain DNS zone
in the DomainDNSZones<domain name>.
Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition. No
DNS data is replicated to the global catalog server.


What are application partitions?
An application directory partition is a directory partition that is replicated only to specific
domain controllers. A domain controller that participates in the replication of a particular
application directory partition hosts a replica of that partition. Only domain controllers
running Windows Server 2003 can host a replica of an application directory partition.
Application directory partitions are usually created by the applications that will use them
to store and replicate data. TAPI is an example it. For testing and troubleshooting
purposes, members of the Enterprise Admins group can manually create or manage
application directory partitions using the Ntdsutil command-line tool.
Application directory partitions can contain any type of object, except security principals.
The data in it can be replicated to different domain controllers in a forest (for redundancy,
availability, or fault tolerance).

What applications or services use AD application partitions? Name a couple.

How do you create a new application partition?
You can create an application directory partition by using the create nc option in the domain
management (partition management in windows 2008) menu of Ntdsutil. When creating an
application directory partition using LDP or ADSI, provide a description in the description
attribute of the domain DNS object that indicates the specific application that will use the
partition. For example, if the application directory partition will be used to store data for a
Microsoft accounting program, the description could be Microsoft accounting application.
Ntdsutil does not facilitate the creation of a description.
To create or delete an application directory partition
The sample commands below were written for Windows Server 2008. If you're using Windows
2003, you dont need to include the ACTIVE INSTANCE NTDS command, and you would use
DOMAIN MANAGEMENT instead of PARTITION MANAGEMENT.
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: partition management
partition management: connections
Connected to \\server1.contoso.com using credentials of locally logged on user.
server connections: connect to server server1.contoso.com
Disconnecting from \\ server1.contoso.com...
Binding to server1.contoso.com ...
Connected to server1.contoso.com using credentials of locally logged on user.
server connections: quit
partition management: list
Note: Directory partition names with International/Unicode characters will only display
correctly if appropriate fonts and language support are loaded Found 5 Naming Context(s)
0 - CN=Configuration,DC= contoso,DC=com
1 - CN=Schema,CN=Configuration,DC= contoso,DC=com
2 - DC=contoso,DC=com
3 - DC=DomainDnsZones,DC=contoso,DC=com
4 - DC=ForestDnsZones,DC=contoso,DC=com
partition management: create nc dc=app1,dc=contoso,dc=com
server1.contoso.com
adding object dc=app1,dc=contoso,dc=com
partition management: list
Note: Directory partition names with International/Unicode characters will only display
correctly if appropriate fonts and language support are loaded Found 5 Naming Context(s)
0 - CN=Configuration,DC= contoso,DC=com
1 - CN=Schema,CN=Configuration,DC= contoso,DC=com
2 - DC=contoso,DC=com
3 - DC=DomainDnsZones,DC=contoso,DC=com
4 - DC=ForestDnsZones,DC=contoso,DC=com
5 - DC=app1,DC=contoso,DC=com
Create an application directory partition by using the DnsCmd command
Use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
To create an application directory partition that is named CustomDNSPartition on a domain
controller that is named DC-1, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER: dnscmd DC-1 /createdirectorypartition
CustomDNSPartition.contoso.com
When the application directory partition has been successfully created, the following information
appears:
DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com Command
completed successfully.
Configure an additional domain controller DNS server to host the application directory
partition
Configure an additional domain controller that is acting as a DNS server to host the new
application directory partition that you created. To do this, use the following syntax with the
DnsCmd command:
DnsCmd ServerName /EnlistDirectoryPartition FQDN of partition
To configure the example domain controller that is named DC-2 to host this custom application
directory partition, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER: dnscmd DC-2 /enlistdirectorypartition
CustomDNSPartition.contoso.com
DNS Server DC-2 enlisted directory partition: CustomDNSPartition.contoso.com Command
completed successfully.

What are the requirements for installing AD on a new server?
Requirements for Installing AD DS
Preinstalled Windows Server 2008 or Windows Server 2008 R2.
Administrative rights on server
Domain Name System (DNS) infrastructure is in place. When you install AD DS, you
can include DNS server installation, if it is needed. When you create a new domain, a
DNS delegation is created automatically during the installation process.
A NIC
Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
A network connection (to a hub or to another computer via a crossover cable, loopback
will also work)
In order to install a read-only domain controller (RODC), there must be a writable
domain controller running Windows Server 2008 or Windows Server 2008 R2 in the
domain.
The drives that store the database, log files, and SYSVOL folder for Active Directory
Domain Services (AD DS) must be placed on a local fixed volume. SYSVOL must be
placed on a volume that is formatted with the NTFS file system.
Windows Server 2008 or Windows Server 2008 R2 media

What can you do to promote a server to DC if you're in a remote location with slow
WAN link?
Best solution in this scenario is to install DC from media, a new feature introduced with
windows 2003 server. You have to take the system state backup of current Global
Catalog server, burn it on the CD/DVD and send it to the destination (remote location).
On the remote server which needs to be promoted to be DC restore files to Alternate
Location and Run, type dcpromo /adv.

How do you view replication properties for AD partitions and DCs?
Install Replication Monitor from Support tools, run from command line with "replmon"
command, and add DC and it will show you all partitions that DC holds and all
replication partners for each partition.

What is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial
representation of every object in every domain in a multidomain Active Directory
Domain Services (AD DS) forest. The global catalog is stored on domain controllers that
have been designated as global catalog servers and is distributed through multimaster
replication. Searches that are directed to the global catalog are faster because they do not
involve referrals to different domain controllers.


How do you view all the GCs in the forest?
DSQUERY server can be used to locate global catalogs
To search the entire forest
dsquery server -forest -isgc
To locate global catalogs in your current (logon) domain
dsquery server isgc.
To locate global catalogs in a specific domain
dsquery server -domain tech.cpandl.com -isgc
Here, you search for global catalog servers in the tech.cpandl.com domain.
You can also search for global catalog servers by site, but to do this, you must know the
full site name, and cannot use wildcards. For example, if you wanted to find all the global
catalog servers for Default-First-Site-Name, you would have to type
dsquery server site Default-First-Site-Name.
The resulting output is a list of DNs for global catalogs, such as
"CN=CORPSVR02,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=cpandl,DC=com"

Why not make all DCs in a large forest as GCs?
Unless you have some really bad connections that may not be able to handle the extra
traffic, you should make every DC a GC. In ANY single domain forest, it is
recommended and beneficial to make all DCs GCs since it has no replication impact and
serves to better distribute query load.

Talk about GCs and Universal Groups.
Describe the time synchronization mechanism in AD.
http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx

What is ADSIEDI T? What is NETDOM? What is REPADMI N?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level
editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network
administrators can use it for common administrative tasks such as adding, deleting, and
moving objects with a directory service. The attributes for each object can be edited or
deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces
(APIs) to access Active Directory. The following are the required files for using this tool:
? ADSIEDIT.DLL
? ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment and
Microsoft Management Console (MMC) is necessary
A: Replmon is the first tool you should use when troubleshooting Active Directory
replication issues. As it is a graphical tool, replication issues are easy to see and
somewhat easier to diagnose than using its command line counterparts. The purpose of
this document is to guide you in how to use it, list some common replication errors and
show some examples of when replication issues can stop other network installation
actions.
for more go to http://www.techtutorials.net/articles/replmon_howto_a.html
NETDOM is a command-line tool that allows management of Windows domains and
trust relationships. It is used for batch management of trusts, joining computers to
domains, verifying trusts, and secure channels
A:Enables administrators to manage Active Directory domains and trust relationships
from the command prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is available if
you have the Active Directory Domain Services (AD DS) server role installed. To use
netdom, you must run the netdom command from an elevated command prompt. To open
an elevated command prompt, click Start, right-click Command Prompt, and then click
Run as administrator.
REPADMIN.EXE is a command line tool used to monitor and troubleshoot replication
on a computer running Windows. This is a command line tool that allows you to view the
replication topology as seen from the perspective of each domain controller.
REPADMIN is a built-in Windows diagnostic command-line utility that works at the
Active Directory level. Although specific to Windows, it is also useful for diagnosing
some Exchange replication problems, since Exchange Server is Active Directory based.
REPADMIN doesn?t actually fix replication problems for you. But, you can use it to help
determine the source of a malfunction.

What is DCDI AG? When would you use it?
This command-line tool analyzes the state of one or all domain controllers in a forest and
reports any problems to assist in troubleshooting. DCDiag.exe consists of a variety of
tests that can be run individually or as part of a suite to verify domain controller health.
What are sites? What are they used for?
Sites in Active Directory represent the physical structure, or topology, of your network.
Active Directory uses topology information, stored as site and site link objects in the
directory, to build the most efficient replication topology. You use Active Directory Sites
and Services to define sites and site links. A site is a set of well-connected subnets. Sites
differ from domains; sites represent the physical structure of your network, while
domains represent the logical structure of your organization.

What's the difference between a site link's schedule and interval?
Schedule enables you to list weekdays or hours when the site link is available for
replication to happen in the give interval. Interval is the re occurrence of the inter site
replication in given minutes. It ranges from 15 - 10,080 mins. The default interval is 180
mins.

What is the KCC?
The Knowledge Consistency Checker (KCC) is an Active Directory component that is
responsible for the generation of the replication topology between domain controllers.
The KCC creates separate replication topologies depending on whether replication is
occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically
adjusts the topology to accommodate new domain controllers, domain controllers moved
to and from sites, changing costs and schedules, and domain controllers that are
temporarily unavailable.


What is the I STG? Who has that role by default?
For inter-site replication, one domain controller per site has the responsibility of
evaluating the inter-site replication topology and creating Active Directory Replication
Connection objects for appropriate bridgehead servers within its site. The domain
controller in each site that owns this role is referred to as the Inter-Site Topology
Generator (ISTG).
By Default the first Server has this role. If that server can no longer perform this role then
the next server with the highest GUID takes over the role of ISTG.

Talk about sites and GCs.
Talk about sites and Exchange Server 2007/2010.

What is GPO?
In the Windows operating system, a Group Policy Object (GPO) is a collection of
settings that define what a system will look like and how it will behave for a defined
group of users. Microsoft provides a program snap-in that allows you to use the Group
Policy Microsoft Management Console (MMC). The selections result in a Group Policy
Object. The GPO is associated with selected Active Directory containers, such as sites,
domains, or organizational units (OUs). The MMC allows you to create a GPO that
defines registry-based polices, security options, software installation and maintenance
options, scripts options, and folder redirection options.

Describe the way GPO is applied throughout the domain.

What can you do to prevent inheritance from above?
You can block policy inheritance for a domain or organizational unit. Using block inheritance
prevents GPOs linked to higher sites, domains, or organizational units from being automatically
inherited by the child-level. By default, children inherit all GPOs from the parent, but it is
sometimes useful to block inheritance. For example, if you want to apply a single set of policies
to an entire domain except for one organizational unit, you can link the required GPOs at the
domain level (from which all organizational units inherit policies by default), and then block
inheritance only on the organizational unit to which the policies should not be applied.
Block Inheritance the ability to prevent an OU or domain from inheriting GPOs from any of its
parent container. Note that Enforced GPO links will always be inherited.


How can you override blocking of inheritance?

Name some of the major changes in GPO in Windows Server 2008.
The following changes are available in Windows Server 2008 R2 and in Windows 7 with
Remote Server Administration Tools (RSAT):
Windows PowerShell Cmdlets for Group Policy: Ability to manage Group Policy from the
Windows PowerShell command line and to run PowerShell scripts during logon and startup
Group Policy Preferences: Additional types of preference items
Starter Group Policy Objects: Improvements to Starter GPOs
Administrative Template Functionality: Improved user interface
Administrative Template Settings: New and changed policy settings

What does Group Policy do?
Group Policy provides an infrastructure for centralized configuration management of the
operating system and applications that run on the operating system.
What are ADM files? What replaced them in Windows Server 2008?

What's the GPO repository? How do you use it?

What are GPO Preferences? Which client OSs can use GPO Preferences?
Group Policy Preferences are a heap of new Group Policy settings that were released with
Windows Server 2008 that allows IT administrators to pretty much do anything they want
to configure computers in a corporate environment. Preferences only require a Windows
2000 Active Directory and they need to be managed from a minimum of Windows
Vista/2008 however they can be applied to Windows XP Service Pack 2 (or greater)
workstations.

What are GPO Templates?
What are WMI Filters?
WMI filters get the current scope of GPOs based the user or computers attributes. In this
way, the GPOs filtering capabilities can be increased beyond the security group filtering
mechanisms that were previously available.
A WMI filter can be linked to a GPO. When a GPO is applied to the destination
computer, Active Directory evaluates the filter on the destination computer. A WMI filter
has few queries that active Directory evaluates in place of the destination computers
WMI repository. If the set of queries is false, Active Directory does not apply the GPO. If
set of queries is true, Active Directory applies the GPO. The query is written with the
WMI Query Language (WQL). This language is similar to querying SQL for WMI
repository.

What is the concept behind GPO Filtering?
How can you determine what GPO was and was not applied for a user? Name a few
ways to do that.
A user claims he did not receive a GPO, yet his user and computer accounts are in the
right OU, and everyone else there gets the GPO. What will you look for?
You want to standardize the desktop environments (wallpaper, My Documents, Start
menu, printers etc.) on the computers in one department. How would you do that?
...
What are the major changes in AD in Windows Server 2008?
What are the major changes in AD in Windows Server 2008 R2?
What is the AD Recycle Bin? How do you use it?
What is tombstone lifetime attribute?
What are AD Snapshots? How do you use them?
What is Offline Domain J oin? How do you use it?
What are Fine-Grained Passwords? How do you use them?
Talk about Restartable Active Directory Domain Services in Windows Server 2008/R2.
What is this feature good for?
What are the changes in auditing in Windows Server 2008/R2?
...
How can you forcibly remove AD from a server, and what do you do later?
Can I get user passwords from the AD database?
What tool would I use to try to grab security related packets from the wire?
Talk about PowerShell and AD.
...
How do you backup AD?
How do you restore AD?
Talk about Windows Backup and AD backups.
How do you change the DS Restore admin password?
Why can't you restore a DC that was backed up 7 months ago?
What's NTDSUTI L? When do you use it?
...
What are RODCs?
What are the major benefits of using RODCs?
How do you install an RODC?
Talk about RODCs and passwords.
What is Read Only DNS?
What happens when a remote site with an RODC loses connectivity to the main site?
...
Talk about Server Core and AD.
How do you promote a Server Core to DC?
...
What are the FSMO roles? Who has them by default? What happens when each one
fails?
How can you tell who holds each FSMO role? Name a 2-3 of methods.
What FSMO placement considerations do you know of?
You want to look at the RI D allocation table for a DC. What do you need to do?
What's the difference between transferring a FSMO role and seizing one? Which one
should you NOT seize? Why?





















What is Active Directory?
An active directory is a directory structure used on Microsoft Windows based computers and
servers to store information and data about networks and domains. It is primarily used for online
information and was originally created in 1996. It was first used with Windows 2000.
An active directory (sometimes referred to as an AD) does a variety of functions including the
ability to rovide information on objects, helps organize these objects for easy retrieval and
access, allows access by end users and administrators and allows the administrator to set security
up for the directory.
Active Directory is a hierarchical collection of network resources that can contain users,
computers, printers, and other Active Directories. Active Directory Services (ADS) allow
administrators to handle and maintain all network resources from a single location . Active
Directory stores information and settings in a central database
What is LDAP?
The Lightweight Directory Access Protocol, or LDAP , is an application protocol for querying
and modifying directory services running over TCP/IP. Although not yet widely implemented,
LDAP should eventually make it possible for almost any application running on virtually any
computer platform to obtain directory information, such as email addresses and public keys.
Because LDAP is an open protocol, applications need not worry about the type of server hosting
the directory.
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
-Yes you can connect other vendors Directory Services with Microsofts version.
-Yes, you can use dirXML or LDAP to connect to other directories (ie. E-directory from Novell
or NDS (Novel directory System).
-Yes you can Connect Active Directory to other 3rd -party Directory Services such as dictonaries
used by SAP, Domino etc with the help of MIIS ( Microsoft Identity Integration Server )
Where is the AD database held? What other folders are related to AD?
AD Database is saved in %systemroot%/ntds. You can see other files also in this folder. These
are the main files controlling the AD structure
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the
transaction in the log file (edb.log). Once written to the log file, the change is then written to the
AD database. System performance determines how fast the system writes the data to the AD
database from the log file. Any time the system is shut down, all transactions are saved to the
database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size
of each is 10MB. These files are used to ensure that changes can be written to disk should the
system run out of free disk space. The checkpoint file (edb.chk) records transactions committed
to the AD database (ntds.dit). During shutdown, a shutdown statement is written to the edb.chk
file. Then, during a reboot, AD determines that all transactions in the edb.log file have been
committed to the AD database. If, for some reason, the edb.chk file doesnt exist on reboot or the
shutdown statement isnt present, AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is
located in\NTDS, along with the other files weve discussed
What is the SYSVOL folder?
- All active directory data base security related information store in SYSVOL folder and its only
created on NTFS partition.
- The Sysvol folder on a Windows domain controller is used to replicate file-based data among
domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT
file system (NTFS) version 5.0 is required on domain controllers throughout a Windows
distributed file system (DFS) forest.
This is a quote from microsoft themselves, basically the domain controller info stored in files
like your group policy stuff is replicated through this folder structure
Name the AD NCs and replication issues for each NC
*Schema NC, *Configuration NC, Domain NC
Schema NC This NC is replicated to every other domain controller in the forest. It contains
information about the Active Directory schema, which in turn defines the different object classes
and attributes within Active Directory.
Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide
configuration information pertaining to the physical layout of Active Directory, as well as
information about display specifiers and forest-wide Active Directory quotas.
Domain NC This NC is replicated to every other DC within a single Active Directory domain.
This is the NC that contains the most commonly-accessed Active Directory data: the actual
users, groups, computers, and other objects that reside within a particular Active Directory
domain.
What are application partitions? When do I use them
Application directory partitions: These are specific to Windows Server 2003 domains.
An application directory partition is a directory partition that is replicated only to specific
domain controllers. A domain controller that participates in the replication of a particular
application directory partition hosts a replica of that partition. Only Domain controllers running
Windows Server 2003 can host a replica of an application directory partition.
How do you create a new application partition
http://wiki.answers.com/Q/How_do_you_create_a_new_application_partition
How do you view replication properties for AD partitions and DCs?
By using replication monitor
go to start > run > type replmon
What is the Global Catalog?
The global catalog contains a complete replica of all objects in Active Directory for its Host
domain, and contains a partial replica of all objects in Active Directory for every other domain in
the forest.
The global catalog is a distributed data repository that contains a searchable, partial
representation of every object in every domain in a multidomain Active Directory forest. The
global catalog is stored on domain controllers that have been designated as global catalog servers
and is distributed through multimaster replication. Searches that are directed to the global catalog
are faster because they do not involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a
Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single
domain directory partition. Therefore, a domain controller can locate only the objects in its
domain. Locating an object in a different domain would require the user or application to provide
the domain of the requested object.
The global catalog provides the ability to locate objects from any domain without having to
know the domain name. A global catalog server is a domain controller that, in addition to its full,
writable domain directory partition replica, also stores a partial, read-only replica of all other
domain directory partitions in the forest. The additional domain directory partitions are partial
because only a limited set of attributes is included for each object. By including only the
attributes that are most used for searching, every object in every domain in even the largest forest
can be represented in the database of a single global catalog server.
How do you view all the GCs in the forest?
C:\>repadmin/showreps
domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.%USERDNSDOMAIN%
Why not make all DCs in a large forest as GCs?
The reason that all DCs are not GCs to start is that in large (or even Giant) forests the DCs would
all have to hold a reference to every object in the entire forest which could be quite large and
quite a replication burden.
For a few hundred, or a few thousand users even, this not likely to matter unless you have really
poor WAN lines.
Trying to look at the Schema, how can I do that?
adsiedit.exe
option to view the schema
register schmmgmt.dll using this command
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc > add snapin > add Active directory schema
name it as schema.msc
Open administrative tool > schema.msc
What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing the complicated tasks easily. These can
also be the third party tools. Some of the Support tools include DebugViewer,
DependencyViewer, RegistryMonitor, etc. -edit by Casquehead I beleive this question is
reffering to the Windows Server 2003 Support Tools, which are included with Microsoft
Windows Server 2003 Service Pack 2. They are also available for download here:
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-
A772EA2DF90&displaylang=en
You need them because you cannot properly manage an Active Directory network without them.
Here they are, it would do you well to familiarize yourself with all of them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
> What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for
Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it
for common administrative tasks such as adding, deleting, and moving objects with a directory
service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses
the ADSI application programming interfaces (APIs) to access Active Directory. The following
are the required files for using this tool:
ADSIEDIT.DLL
ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment and Microsoft
Management Console (MMC) is necessary

A: Replmon is the first tool you should use when troubleshooting Active Directory replication
issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to
diagnose than using its command line counterparts. The purpose of this document is to guide you
in how to use it, list some common replication errors and show some examples of when
replication issues can stop other network installation actions.
for more go to http://www.techtutorials.net/articles/replmon_howto_a.html
NETDOM is a command-line tool that allows management of Windows domains and trust
relationships. It is used for batch management of trusts, joining computers to domains, verifying
trusts, and secure channels
A:
Enables administrators to manage Active Directory domains and trust relationships from the
command prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is available if you
have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you
must run the netdom command from an elevated command prompt. To open an elevated
command prompt, click Start, right-click Command Prompt, and then click Run as
administrator.
REPADMIN.EXE is a command line tool used to monitor and troubleshoot replication on a
computer running Windows. This is a command line tool that allows you to view the replication
topology as seen from the perspective of each domain controller.
REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active
Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange
replication problems, since Exchange Server is Active Directory based.
REPADMIN doesnt actually fix replication problems for you. But, you can use it to help
determine the source of a malfunction.
What are sites? What are they used for?
Active directory sites, which consist of well-connected networks defined by IP subnets that help
define the physical structure of your AD, give you much better control over replication traffic
and authentication traffic than the control you get with Windows NT 4.0 domains.
Using Active Directory, the network and its objects are organized by constructs such as domains,
trees, forests, trust relationships, organizational units (OUs), and sites.
Whats the difference between a site links schedule and interval?
Schedule enables you to list weekdays or hours when the site link is available for replication to
happen in the give interval. Interval is the re occurrence of the inter site replication in given
minutes. It ranges from 15 10,080 mins. The default interval is 180 mins.
What is the KCC?
The KCC is a built-in process that runs on all domain controllers and generates replication
topology for the Active Directory forest. The KCC creates separate replication topologies
depending on whether replication is occurring within a site (intrasite) or between sites (intersite).
The KCC also dynamically adjusts the topology to accommodate new domain controllers,
domain controllers moved to and from sites, changing costs and schedules, and domain
controllers that are temporarily unavailable.
What is the ISTG? Who has that role by default?
Intersite Topology Generator (ISTG), which is responsible for the connections among the sites.
By default Windows 2003 Forest level functionality has this role. By Default the first Server has
this role. If that server can no longer preform this role then the next server with the highest
GUID then takes over the role of ISTG.

What are the requirements for installing AD on a new server?
An NTFS partition with enough free space (250MB minimum)
An Administrators username and password
The correct operating system version
A NIC
Properly configured TCP/IP (IP address, subnet mask and optional default gateway)
A network connection (to a hub or to another computer via a crossover cable)
An operational DNS server (which can be installed on the DC itself)
A Domain name that you want to use
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
From the Petri IT Knowledge base. For more info, follow this link:
http://www.petri.co.il/active_directory_installation_requirements.htm
What can you do to promote a server to DC if youre in a remote location with slow WAN link?
First available in Windows 2003, you will create a copy of the system state from an existing DC
and copy it to the new remote server. Run Dcpromo /adv. You will be prompted for the
location of the system state files
How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords
from the AD database?
Demote the server using dcpromo /forceremoval, then remove the metadata from Active
directory using ndtsutil. There is no way to get user passwords from AD that I am aware of, but
you should still be able to change them.
Another way out too
Restart the DC is DSRM mode
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right-pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode
its a member server now but AD entries are still there. Promote teh server to a fake domain say
ABC.com and then remove gracefully using DCpromo. Else after restart you can also use
ntdsutil to do metadata as told in teh earlier post
What tool would I use to try to grab security related packets from the wire?
you must use sniffer-detecting tools to help stop the snoops. A good packet sniffer would be
ethereal
www.ethereal.com
Name some OU design considerations ?
OU design requires balancing requirements for delegating administrative rights independent of
Group Policy needs and the need to scope the application of Group Policy. The following OU
design recommendations address delegation and scope issues:
Applying Group Policy An OU is the lowest-level Active Directory container to which you can
assign Group Policy settings.
Delegating administrative authority
usually dont go more than 3 OU levels
What is tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory services. This assists
in removing objects from replicated servers and preventing restores from reintroducing a deleted
object. This value is in the Directory Service object in the configuration NIC by default 2000 (60
days) 2003 (180 days)

What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
If you plan to install windows 2003 server domain controllers into an existing windows 2000
domain or upgrade a windows 2000 domain controllers to windows server 2003, you first need to
run the Adprep.exe utility on the windows 2000 domain controllers currently holding the schema
master and infrastructure master roles. The adprep / forestprer command must first be issued on
the windows 2000 server holding schema master role in the forest root doman to prepare the
existing schema to support windows 2003 active directory. The adprep /domainprep command
must be issued on the sever holding the infrastructure master role in the domain where 2000
server will be deployed.
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
A. If youre installing Windows 2003 R2 on an existing Windows 2003 server with SP1
installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will
display the Windows 2003 R2 Continue Setup screen.
If youre installing R2 on a domain controller (DC), you must first upgrade the schema to the R2
version (this is a minor change and mostly related to the new Dfs replication engine). To update
the schema, run the Adprep utility, which youll find in the Cmpnents\r2\adprep folder on the
second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or
Windows 2000 with SP2 (or later)
How would you find all users that have not logged on since last month?
http://wiki.answers.com/Q/How_would_you_find_all_users_that_have_not_logged_on_since_last_month
What are the DScommands?
New DS (Directory Service) Family of built-in command line utilities for Windows Server 2003
Active Directory
New DS built-in tools for Windows Server 2003
The DS (Directory Service) group of commands are split into two families. In one branch are
DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery and DSGet.
When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for
choice. The the DS family of built-in command line executables offer alternative strategies to
CSVDE, LDIFDE and VBScript.
Let me introduce you to the members of the DS family:
DSadd add Active Directory users and groups
DSmod modify Active Directory objects
DSrm to delete Active Directory objects
DSmove to relocate objects
DSQuery to find objects that match your query attributes
DSget list the properties of an object
What are the FSMO roles? Who has them by default? What happens when each one fails?
FSMO stands for the Flexible single Master Operation
It has 5 Roles: -
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once
the Schema update is complete, it is replicated from the schema master to all other DCs in the
directory. To update the schema of a forest, you must have access to the schema master. There
can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the
forest. This DC is the only one that can add or remove a domain from the directory. It can also
add or remove cross references to domains in external directories. There can be only one domain
naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents
the reference by the GUID, the SID (for references to security principals), and the DN of the
object being referenced. The infrastructure FSMO role holder is the DC responsible for updating
an objects SID and distinguished name in a cross-domain object reference. At any one time,
there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a
Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will
stop updating object information because it does not contain any references to objects that it does
not hold. This is because a Global Catalog server holds a partial replica of every object in the
forest. As a result, cross-domain object references in that domain will not be updated and a
warning to that effect will be logged on that DCs event log. If all the domain controllers in a
domain also host the global catalog, all the domain controllers have the current data, and it is not
important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same
for all SIDs created in a domain), and a relative ID (RID) that is unique for each security
principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is
allowed to assign to the security principals it creates. When a DCs allocated RID pool falls
below a threshold, that DC issues a request for additional RIDs to the domains RID master. The
domain RID master responds to the request by retrieving RIDs from the domains unallocated
RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only
one domain controller acting as the RID master in the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003
includes the W32Time (Windows Time) time service that is required by the Kerberos
authentication protocol. All Windows 2000/2003-based computers within an enterprise use a
common time. The purpose of the time service is to ensure that the Windows Time service uses a
hierarchical relationship that controls authority and does not permit loops to ensure appropriate
common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of
the forest becomes authoritative for the enterprise, and should be configured to gather the time
from an external source. All PDC FSMO role holders follow the hierarchy of domains in the
selection of their in-bound time partner.
:: In a Windows 2000/2003 domain, the PDC emulator role holder retains the following
functions:
:: Password changes performed by other DCs in the domain are replicated preferentially to the
PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password
are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in
the PDC Emulators SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-
based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers,
and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows
2000/2003. The PDC emulator still performs the other functions as described in a Windows
2000/2003 environment.
What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called
FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in
Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot
(or actually, on the same DC) as has been configured by the Active Directory installation
process. However, there are scenarios where an administrator would want to move one or more
of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when
dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active
Directory, but you should bear in mind that most considerations are also true when planning
Windows 2000 AD FSMO roles
Whats the difference between transferring a FSMO role and seizing one? Which one should you NOT
seize? Why?
Certain domain and enterprise-wide operations that are not good for multi-master updates are
performed by a single domain controller in an Active Directory domain or forest. The domain
controllers that are assigned to perform these unique operations are called operations masters or
FSMO role holders.
The following list describes the 5 unique FSMO roles in an Active Directory forest and the
dependent operations that they perform:
Schema master The Schema master role is forest-wide and there is one for each forest. This role is
required to extend the schema of an Active Directory forest or to run the adprep /domainprep
command.
Domain naming master The Domain naming master role is forest-wide and there is one for each
forest. This role is required to add or remove domains or application partitions to or from a forest.
RID master The RID master role is domain-wide and there is one for each domain. This role is required
to allocate the RID pool so that new or existing domain controllers can create user accounts, computer
accounts or security groups.
PDC emulator The PDC emulator role is domain-wide and there is one for each domain. This role is
required for the domain controller that sends database updates to Windows NT backup domain
controllers. The domain controller that owns this role is also targeted by certain administration tools
and updates to user account and computer account passwords.
Infrastructure master The Infrastructure master role is domain-wide and there is one for each domain.
This role is required for domain controllers to run the adprep /forestprep command successfully and to
update SID attributes and distinguished name attributes for objects that are referenced across domains.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first
domain controller in the forest root domain. The first domain controller in each new child or tree
domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO
roles until they are reassigned by using one of the following methods:
An administrator reassigns the role by using a GUI administrative tool.
An administrator reassigns the role by using the ntdsutil /roles command.
An administrator gracefully demotes a role-holding domain controller by using the Active Directory
Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the
forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles
in an invalid state until they are reassigned by an administrator.
We recommend that you transfer FSMO roles in the following scenarios:
The current role holder is operational and can be accessed on the network by the new FSMO owner.
You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign
to a specific domain controller in your Active Directory forest.
The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance
and you need specific FSMO roles to be assigned to a live domain controller. This may be required to
perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator
role but less true for the RID master role, the Domain naming master role and the Schema master roles.
We recommend that you seize FSMO roles in the following scenarios:
The current role holder is experiencing an operational error that prevents an FSMO-dependent
operation from completing successfully and that role cannot be transferred.
A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval
command.
The operating system on the computer that originally owned a specific role no longer exists or has been
reinstalled.
As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge
of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the
best candidate domain controller is one that is in the appropriate domain that last inbound-
replicated, or recently inbound-replicated a writable copy of the FSMO partition from the
existing role holder. For example, the Schema master role-holder has a distinguished name path
of CN=schema,CN=configuration,dc=<forest root domain>, and this mean that roles reside in
and are replicated as part of the CN=schema partition. If the domain controller that holds the
Schema master role experiences a hardware or software failure, a good candidate role-holder
would be a domain controller in the root domain and in the same Active Directory site as the
current owner. Domain controllers in the same Active Directory site perform inbound replication
every 5 minutes or 15 seconds.
A domain controller whose FSMO roles have been seized should not be permitted to
communicate with existing domain controllers in the forest. In this scenario, you should either
format the hard disk and reinstall the operating system on such domain controllers or forcibly
demote such domain controllers on a private network and then remove their metadata on a
surviving domain controller in the forest by using the ntdsutil /metadata cleanup command.
The risk of introducing a former FSMO role holder whose role has been seized into the forest is
that the original role holder may continue to operate as before until it inbound-replicates
knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO
roles include creating security principals that have overlapping RID pools, and other problems.
Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain
controller that is located in the forest where FSMO roles are being transferred. We recommend that you
log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a
member of the Enterprise Administrators group to transfer Schema master or Domain naming master
roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID
master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.Note To see a list of available commands at any one of the prompts in
the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain
controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can
transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the
start of this article. For example, to transfer the RID master role, type transfer rid master. The one
exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt.
Type q, and then press ENTER to quit the Ntdsutil utility.
Seize FSMO roles
To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain
controller that is located in the forest where FSMO roles are being seized. We recommend that you log
on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a
member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a
member of the Domain Administrators group of the domain where the PDC emulator, RID master and
the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain
controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ?
at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this
article. For example, to seize the RID master role, type seize rid master. The one exception is for the
PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt.
Type q, and then press ENTER to quit the Ntdsutil utility.Notes
o Under typical conditions, all five roles must be assigned to live domain controllers in the
forest. If a domain controller that owns a FSMO role is taken out of service before its roles are
transferred, you must seize all roles to an appropriate and healthy domain controller. We
recommend that you only seize all roles when the other domain controller is not returning to
the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles.
You should determine which roles are to be on which remaining domain controllers so that all
five roles are assigned to a single domain controller. For more information about FSMO role
placement, click the following article number to view the article in the Microsoft Knowledge
Base: 223346 (http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization
on Windows 2000 domain controllers
o If the domain controller that formerly held any FSMO role is not present in the domain and if it
has had its roles seized by using the steps in this article, remove it from the Active Directory by
following the procedure that is outlined in the following Microsoft Knowledge Base article:
216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in active directory
after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000 version or the Windows Server
2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO
roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1
(SP1) version of the Ntdsutil utility automates this task and removes additional elements of
domain controller metadata.
o Some customers prefer not to restore system state backups of FSMO role-holders in case the
role has been reassigned since the backup was made.
o Do not put the Infrastructure master role on the same domain controller as the global catalog
server. If the Infrastructure master runs on a global catalog server it stops updating object
information because it does not contain any references to objects that it does not hold. This is
because a global catalog server holds a partial replica of every object in the forest.
To test whether a domain controller is also a global catalog server:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and
Services.
2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name
if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controllers folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.
For more information about FSMO roles, click the following article numbers to view the articles
in the Microsoft Knowledge Base:
How do you configure a stand-by operation master for any of the roles?
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its NTDS
Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or
accept the default name, and click OK.
How do you backup AD?
Backing up Active Directory is essential to maintain an Active Directory database. You can back
up Active Directory by using the Graphical User Interface (GUI) and command-line tools that
the Windows Server 2003 family provides.
You frequently backup the system state data on domain controllers so that you can restore the
most current data. By establishing a regular backup schedule, you have a better chance of
recovering data when necessary.
To ensure a good backup includes at least the system state data and contents of the system disk,
you must be aware of the tombstone lifetime. By default, the tombstone is 60 days. Any backup
older than 60 days is not a good backup. Plan to backup at least two domain controllers in each
domain, one of at least one backup to enable an authoritative restore of the data when necessary.
System State Data
Several features in the windows server 2003 family make it easy to backup Active Directory.
You can backup Active Directory while the server is online and other network function can
continue to function.
System state data on a domain controller includes the following components:
Active Directory system state data does not contain Active Directory unless the server, on which
you are backing up the system state data, is a domain controller. Active Directory is present only
on domain controllers.
The SYSVOL shared folder: This shared folder contains Group policy templates and logon
scripts. The SYSVOL shared folder is present only on domain controllers.
The Registry: This database repository contains information about the computers configuration.
System startup files: Windows Server 2003 requires these files during its initial startup phase.
They include the boot and system files that are under windows file protection and used by
windows to load, configure, and run the operating system.
The COM+ Class Registration database: The Class registration is a database of information
about Component Services applications.
The Certificate Services database: This database contains certificates that a server running
Windows server 2003 uses to authenticate users. The Certificate Services database is present
only if the server is operating as a certificate server.
System state data contains most elements of a systems configuration, but it may not include all
of the information that you require recovering data from a system failure. Therefore, be sure to
backup all boot and system volumes, including the System State, when you back up your server.
Restoring Active Directory
In Windows Server 2003 family, you can restore the Active Directory database if it becomes
corrupted or is destroyed because of hardware or software failures. You must restore the Active
Directory database when objects in Active Directory are changed or deleted.
Active Directory restore can be performed in several ways. Replication synchronizes the latest
changes from every other replication partner. Once the replication is finished each partner has an
updated version of Active Directory. There is another way to get these latest updates by Backup
utility to restore replicated data from a backup copy. For this restore you dont need to configure
again your domain controller or no need to install the operating system from scratch.
Active Directory Restore Methods
You can use one of the three methods to restore Active Directory from backup media: primary
restore, normal (non authoritative) restore, and authoritative restore.
Primary restore: This method rebuilds the first domain controller in a domain when there is no
other way to rebuild the domain. Perform a primary restore only when all the domain controllers
in the domain are lost, and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on local computer, or user
should have been delegated with this responsibility to perform restore. On a domain controller
only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup,
and then updates the data through the normal replication process. Perform a normal restore for a
single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative
restore marks specific data as current and prevents the replication from overwriting that data.
The authoritative data is then replicated through the domain.
Perform an authoritative restore individual object in a domain that has multiple domain
controllers. When you perform an authoritative restore, you lose all changes to the restore object
that occurred after the backup. Ntdsutil is a command line utility to perform an authoritative
restore along with windows server 2003 system utilities. The Ntdsutil command-line tool is an
executable file that you use to mark Active Directory objects as authoritative so that they receive
a higher version recently changed data on other domain controllers does not overwrite system
state data during replication.
How do you restore AD?

Restoring Active Directory :
In Windows Server 2003 family, you can restore the Active Directory database if it becomes
corrupted or is destroyed because of hardware or software failures. You must restore the Active
Directory database when objects in Active Directory are changed or deleted.
Active Directory restore can be performed in several ways. Replication synchronizes the latest
changes from every other replication partner. Once the replication is finished each partner has an
updated version of Active Directory. There is another way to get these latest updates by Backup
utility to restore replicated data from a backup copy. For this restore you dont need to configure
again your domain controller or no need to install the operating system from scratch.
Active Directory Restore Methods
You can use one of the three methods to restore Active Directory from backup media: primary
restore, normal (non authoritative) restore, and authoritative restore.
Primary restore: This method rebuilds the first domain controller in a domain when there is no
other way to rebuild the domain. Perform a primary restore only when all the domain controllers
in the domain are lost, and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on local computer, or user
should have been delegated with this responsibility to perform restore. On a domain controller
only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup,
and then updates the data through the normal replication process. Perform a normal restore for a
single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An
authoritative restore marks specific data as current and prevents the replication from overwriting
that data. The authoritative data is then replicated through the domain.
Perform an authoritative restore individual object in a domain that has multiple domain
controllers. When you perform an authoritative restore, you lose all changes to the restore object
that occurred after the backup. Ntdsutil is a command line utility to perform an authoritative
restore along with windows server 2003 system utilities. The Ntdsutil command-line tool is an
executable file that you use to mark Active Directory objects as authoritative so that they receive
a higher version recently changed data on other domain controllers does not overwrite system
state data during replication.
METHOD
A.
You cant restore Active Directory (AD) to a domain controller (DC) while the Directory Service
(DS) is running. To restore AD, perform the following steps.
Reboot the computer.
At the boot menu, select Windows 2000 Server. Dont press Enter. Instead, press F8 for
advanced options. Youll see the following text. OS Loader V5.0
Windows NT Advanced Options Menu
Please select an option:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers only)
Debugging Mode
Use | and | to move the highlight to your choice.
Press Enter to choose.
Scroll down, and select Directory Services Restore Mode (Windows NT domain controllers
only).
Press Enter.
When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of the
screen, youll see in red text Directory Services Restore Mode (Windows NT domain controllers
only).
The computer will boot into a special safe mode and wont start the DS. Be aware that during
this time the machine wont act as a DC and wont perform functions such as authentication.
Start NT Backup.
Select the Restore tab.
Select the backup media, and select System State.
Click Start Restore.
Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to use the restored
information. The computer might hang after the restore completes; Sometimes it takes a 30-
minute wait on some machines.
How do you change the DS Restore admin password?
When you promote a Windows 2000 Server-based computer to a domain controller, you are
prompted to type a Directory Service Restore Mode Administrator password. This password is
also used by Recovery Console, and is separate from the Administrator password that is stored in
Active Directory after a completed promotion.
The Administrator password that you use when you start Recovery Console or when you press
F8 to start Directory Service Restore Mode is stored in the registry-based Security Accounts
Manager (SAM) on the local computer. The SAM is located in the\System32\Config folder. The
SAM-based account and password are computer specific and they are not replicated to other
domain controllers in the domain.
For ease of administration of domain controllers or for additional security measures, you can
change the Administrator password for the local SAM. To change the local Administrator
password that you use when you start Recovery Console or when you start Directory Service
Restore Mode, use the following method.
1. Log on to the computer as the administrator or a user who is a member of the Administrators
group. 2. Shut down the domain controller on which you want to change the password. 3. Restart
the computer. When the selection menu screen is displayed during restar, press F8 to view
advanced startup options. 4. Click the Directory Service Restore Mode option. 5. After you log
on, use one of the following methods to change the local Administrator password: At a
command prompt, type the following command:
net user administrator
Use the Local User and Groups snap-in (Lusrmgr.msc) to change the Administrator password.
6. Shut down and restart the computer. You can now use the Administrator account to log on to
Recovery Console or Directory Services Restore Mode using the new password.
Why cant you restore a DC that was backed up 4 months ago?
Because of the tombstone life which is set to only 60 days
What are GPOs?
Group Policy gives you administrative control over users and computers in your network. By
using Group Policy, you can define the state of a users work environment once, and then rely on
Windows Server 2003 to continually force the Group Policy settings that you apply across an
entire organization or to specific groups of users and computers.
Group Policy Advantages
You can assign group policy in domains, sites and organizational units.
All users and computers get reflected by group policy settings in domain, site and organizational
unit.
No one in network has rights to change the settings of Group policy; by default only
administrator has full privilege to change, so it is very secure.
Policy settings can be removed and can further rewrite the changes.
Where GPOs store Group Policy Information
Group Policy objects store their Group Policy information in two locations:
Group Policy Container: The GPC is an Active Directory object that contains GPO status,
version information, WMI filter information, and a list of components that have settings in the
GPO. Computers can access the GPC to locate Group Policy templates, and domain controller
does not have the most recent version of the GPO, replication occurs to obtain the latest version
of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a
domain controller. When you create GPO, Windows Server 2003 creates the corresponding GPT
which contains all Group Policy settings and information, including administrative templates,
security, software installation, scripts, and folder redirection settings. Computers connect to the
SYSVOL folder to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you
created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC.
The path to the GPT on a domain controller is systemroot\SYSVOL\sysvol.
Managing GPOs
To avoid conflicts in replication, consider the selection of domain controller, especially because
the GPO data resides in SYSVOL folder and the Active Directory. Active Directory uses two
independent replication techniques to replicate GPO data among all domain controllers in the
domain. If two administrators changes can overwrite those made by other administrator,
depends on the replication latency. By default the Group Policy Management console uses the
PDC Emulator so that all administrators can work on the same domain controller.
WMI Filter
WMI filters is use to get the current scope of GPOs based on attributes of the user or computer.
In this way, you can increase the GPOs filtering capabilities beyond the security group filtering
mechanisms that were previously available.
Linking can be done with WMI filter to a GPO. When you apply a GPO to the destination
computer, Active Directory evaluates the filter on the destination computer. A WMI filter has
few queries that active Directory evaluates in place of WMI repository of the destination
computer. If the set of queries is false, Active Directory does not apply the GPO. If set of queries
are true, Active Directory applies the GPO. You write the query by using the WMI Query
Language (WQL); this language is similar to querying SQL for WMI repository.
Planning a Group Policy Strategy for the Enterprise
When you plan an Active Directory structure, create a plan for GPO inheritance, administration,
and deployment that provides the most efficient Group Policy management for your
organization.
Also consider how you will implement Group Policy for the organization. Be sure to consider the
delegation of authority, separation of administrative duties, central versus decentralized
administration, and design flexibility so that your plan will provide for ease of use as well as
administration.
Planning GPOs
Create GPOs in way that provides for the simplest and most manageable design one in which
you can use inheritance and multiple links.
Guidelines for Planning GPOs
Apply GPO settings at the highest level: This way, you take advantage of Group Policy
inheritance. Determine what common GPO settings for the largest container are starting with the
domain and then link the GPO to this container.
Reduce the number of GPOs: You reduce the number by using multiple links instead of creating
multiple identical GPOs. Try to link a GPO to the broadest container possible level to avoid
creating multiple links of the same GPO at a deeper level.
Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a
higher level will not apply the settings in these specialized GPOs.
Disable computer or use configuration settings: When you create a GPO to contain settings for
only one of the two levels-user and computer-disable the logon and prevents accidental GPO
settings from being applied to the other area.
What is the order in which GPOs are applied?
Local, Site, Domain, OU
Group Policy settings are processed in the following order:
1:- Local Group Policy object-each computer has exactly one Group Policy object that is stored
locally. This processes for both computer and user Group Policy processing.
2:- Site-Any GPOs that have been linked to the site that the computer belongs to are processed
next. Processing is in the order that is specified by the administrator, on the Linked Group Policy
Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the
lowest link order is processed last, and therefore has the highest precedence.
3:- Domain-processing of multiple domain-linked GPOs is in the order specified by the
administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with
the lowest link order is processed last, and therefore has the highest precedence.
4:- Organizational units-GPOs that are linked to the organizational unit that is highest in the
Active Directory hierarchy are processed first, then GPOs that are linked to its child
organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that
contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no
GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in
the order that is specified by the administrator, on the Linked Group Policy Objects tab for the
organizational unit in GPMC. The GPO with the lowest link order is processed last, and
therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the
organizational unit of which the computer or user is a direct member are processed last, which
overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the
earlier and later settings are merely aggregated.)
Name a few benefits of using GPMC.
Microsoft released the Group Policy Management Console (GPMC) years ago, which is an
amazing innovation in Group Policy management. The tool provides control over Group Policy
in the following manner:
Easy administration of all GPOs across the entire Active Directory Forest
View of all GPOs in one single list
Reporting of GPO settings, security, filters, delegation, etc.
Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
Delegation model
Backup and restore of GPOs
Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC
is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short
when you want to protect the GPOs from the following:
Role based delegation of GPO management
Being edited in production, potentially causing damage to desktops and servers
Forgetting to back up a GPO after it has been modified
Change management of each modification to every GPO
How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
Simply use the Group Policy Management Console created by MS for that very purpose, allows
you to run simulated policies on computers or users to determine what policies are enforced.
Link in sources
What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised
management of machines and users in an Active Directory environment.
Administrative Templates facilitate the management of registry-based policy. An ADM file is
used to describe both the user interface presented to the Group Policy administrator and the
registry keys that should be updated on the target machines. An ADM file is a text file with a
specific syntax which describes both the interface and the registry values which will be changed
if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service
Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and
wuau.adm). These are merged into a unified namespace in GPEdit and presented to the
administrator under the Administrative Templates node (for both machine and user policy).
Whats the difference between software publishing and assigning?
ANS An administrator can either assign or publish software applications.
Assign Users
The software application is advertised when the user logs on. It is installed when the user clicks
on the software application icon via the start menu, or accesses a file that has been associated
with the software application.
Assign Computers
The software application is advertised and installed when it is safe to do so, such as when the
computer is next restarted.
Publish to users
The software application does not appear on the start menu or desktop. This means the user may
not know that the software is available. The software application is made available via the
Add/Remove Programs option in control panel, or by clicking on a file that has been associated
with the application. Published applications do not reinstall themselves in the event of accidental
deletion, and it is not possible to publish to computers.
Can I deploy non-MSI software with GPO?
How to create a third-party Microsoft Installer package
http://support.microsoft.com/kb/257718/
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.)
on the computers in one department. How would you do that?
Login on client as Domain Admin user change whatever you need add printers etc go to system-
User profiles copy this user profile to any location by select Everyone in permitted to use after
copy change ntuser.dat to ntuser.man and assgin this path under user profile