
Good Question /Answer for Active Directory

1. What is a Global Catalog server?

A Global Catalog server is a domain controller that holds, in addition to the full copy of its own domain partition, a partial read-only replica of every other domain partition in the forest: every object, but only the attributes that are searched for most often (the partial attribute set). The Global Catalog is therefore the forest-wide searchable index. It answers LDAP queries on port 3268 and is needed at logon when universal group membership has to be evaluated.
2. Can the GC and the Infrastructure Master be placed on a single server? If not, explain why.
Not in a multi-domain forest, unless every DC is also a GC. The Infrastructure Master finds out-of-date cross-domain references (phantoms) in its domain by comparing them against a GC. If it is itself a GC it already holds the current data, so it never detects a stale reference and never replicates the correction to the other DCs in its domain. In a single-domain forest, or when all DCs are GCs, the placement does not matter.
3. What is the size of the log files created before changes are committed to ntds.dit, and how many files are there?
Three ESE transaction log files, each 10 MB when created:
Edb.log (the current log)
Res1.log
Res2.log (two reserve logs, so that pending transactions can still be flushed if the log volume fills up)
Edb.chk is the checkpoint file; it records which log entries have already been written into ntds.dit.
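As an added example (not part of the original Q&A), the following PowerShell locates ntds.dit and its transaction logs from the NTDS service parameters on a domain controller and lists them with their sizes, then checks that the reserve logs exist and that the log volume still has free space. It assumes the default registry value names and must run elevated on the DC; the file names are the Windows 2000/2003 defaults.

```powershell
# Added example, not part of the original Q&A: locate ntds.dit and its ESE
# transaction logs from the NTDS service parameters and list them with sizes.
# Run on a domain controller as an administrator. Assumes the default
# registry value names; edb.log, res1.log, res2.log and edb.chk are the
# Windows 2000/2003 defaults (2008+ uses edbres0000N.jrs for the reserves).
$ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

$dbFile  = $ntds.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logPath = $ntds.'Database log files path'    # e.g. C:\Windows\NTDS

$dbMB = [math]::Round((Get-Item -Path $dbFile).Length / 1MB, 1)
Write-Host "Database : $dbFile ($dbMB MB)"
Write-Host "Log path : $logPath"

# Current log, reserve logs and checkpoint file. Each log is created at 10 MB;
# the reserve logs exist so ESE can still flush in-flight transactions to disk
# when the log volume runs out of space.
$logs = Get-ChildItem -Path $logPath -File |
    Where-Object { $_.Extension -in '.log', '.chk', '.jrs' } |
    Select-Object Name,
        @{Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB, 1) }},
        LastWriteTime
$logs | Format-Table -AutoSize

# Missing reserve logs mean ESE cannot protect itself against a full disk.
$reserve = $logs | Where-Object { $_.Name -match '^(res\d|edbres\d+)\.(log|jrs)$' }
if (-not $reserve) { Write-Warning "No reserve log files found in $logPath" }

# Free space on the log volume; running out stops the directory service.
$drive  = Get-PSDrive -Name $logPath.Substring(0, 1)
$freeMB = [math]::Round($drive.Free / 1MB)
if ($freeMB -lt 200) { Write-Warning "Only $freeMB MB free on the log volume" }
else { Write-Host "Free space on log volume: $freeMB MB" }
```

The same registry key tells you where an attacker with local administrator rights would look for the database: ntds.dit plus the SYSTEM registry hive is enough to extract every password hash in the domain offline, which is why the NTDS folder, backups and IFM media need the same protection as the DC itself.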
4. What does SYSVOL contain?
The SYSVOL share holds the public domain data that every DC must replicate, chiefly the file-system part of each Group Policy object (the Group Policy template) and logon/logoff scripts.
Ex: Group Policy templates and scripts can be found under %SystemRoot%\SYSVOL\sysvol\<domain>\Policies and \SCRIPTS.
5. Which Windows service is responsible for replicating one domain controller to another?
Active Directory replication is performed by the directory service itself (NTDS, using the directory replication RPC interface); the KCC, a component of it, generates the replication topology (the connection objects).
Intra-site replication uses RPC over IP; inter-site replication uses RPC over IP or SMTP (SMTP cannot carry a domain partition). SYSVOL is replicated separately by the File Replication Service (FRS) in Windows 2000/2003.
6. How does data travel between sites in AD replication?
Along the site links (and site link bridges) defined in Active Directory Sites and Services. The ISTG in each site builds the inter-site connection objects from them, and the bridgehead servers exchange compressed changes on the site link's schedule and interval.
7. What are the port numbers for SMTP, Kerberos, RDP, LDAP and the GC server?
SMTP 25, Kerberos 88 (TCP and UDP), LDAP 389 (636 for LDAP over SSL), GC 3268 (3269 for GC over SSL),
RDP 3389.
8. What are intra-site and inter-site replication?
Intra-site replication is replication between DCs in the same site; inter-site replication is replication between sites.
9. What is the Lost and Found folder in AD?
It is the container (CN=LostAndFound) that receives objects whose parent container no longer exists after a replication conflict.
Ex: you create a user in an OU on one DC while the same OU is deleted on another DC; when replication merges the two changes the user has no parent container, so AD places it in Lost and Found.
10. What is garbage collection?
Garbage collection is the housekeeping process that removes tombstones whose tombstone lifetime has expired and then performs online defragmentation of ntds.dit. It runs on every DC every 12 hours by default (the garbageCollPeriod attribute).
11. What does System State data contain?
Boot and startup files
Registry
COM+ class registration database
System files protected by Windows File Protection
Active Directory database (ntds.dit) and logs, on a domain controller
SYSVOL folder, on a domain controller
Cluster Service database, on a cluster node
Certificate Services database, on a CA
IIS metabase, if IIS is installed

12. How do you restore a particular OU which was deleted by accident?

With an authoritative restore: restart a DC in Directory Services Restore Mode, restore the System State backup (on its own this is non-authoritative), then in ntdsutil use authoritative restore and restore subtree with the DN of the OU, so that the OU and everything under it get higher version numbers and win replication. Reboot normally and let replication carry the OU back to the other DCs. The backup must be younger than the tombstone lifetime, otherwise it cannot be used.
13. What is an IPSec policy?
An IPsec policy is a set of rules (IP filter lists, filter actions such as permit, block or negotiate security, and an authentication method: Kerberos, certificate or pre-shared key) that tells the IPsec driver which traffic to protect and how. Windows uses it for host-to-host protection as well as for gateway-to-gateway connections across an outsourced private WAN or the Internet, using L2TP/IPsec or pure IPsec tunnel mode.
IPsec policies are deployed to domain controllers and servers through Group Policy (Computer Configuration, Windows Settings, Security Settings, IP Security Policies).
14. What are the different types of Group Policy?
Two kinds: the local GPO stored on each computer (%SystemRoot%\System32\GroupPolicy) and Active Directory-based GPOs linked to sites, domains and OUs. Each GPO has a Computer Configuration and a User Configuration section.
15. What is the order of applying Group Policy?
Local Policy.
Site Policy.
Domain Policy.
OU Policy (parent OU first, then child OUs).
A setting applied later overrides an earlier one, so the GPO linked closest to the object normally wins, unless a higher-level link is Enforced or an OU blocks inheritance.
16. What are the new features in Windows 2003 related to AD, replication and trusts?
AD: domain rename, application directory partitions, universal group membership caching, the ability to deactivate schema classes and attributes, and removal of the roughly 5000-member limit on groups.
Replication: linked-value replication (individual group members replicate instead of the whole member attribute), an improved ISTG algorithm for forests with many sites, and a 15-second intra-site notification delay at the Windows Server 2003 forest functional level.
Trusts: forest trusts (transitive Kerberos trusts between two forests) with selective authentication and SID filtering.
17. How do you edit the schema in AD?
With the Active Directory Schema MMC snap-in (register it first with regsvr32 schmmgmt.dll), with ADSI Edit, or by importing an LDIF file with ldifde. The change must be made while connected to the Schema Master by a member of Schema Admins. Schema changes are forest-wide and essentially irreversible (attributes can only be deactivated, never deleted), so test them in a lab forest first.
18. What are Domain Local, Global and Universal groups?
Domain Local groups are used to grant permissions to resources in their own domain only. They can contain user accounts, global groups and universal groups from any domain in the forest (or a trusted domain), plus domain local groups from the same domain.
Global groups are used to grant permissions to objects in any domain in the domain tree or forest. Members of global groups can include only accounts and other global groups from the domain in which they are defined.
Universal groups are used to grant permissions on a wide scale throughout a domain tree or forest. Members of universal groups can include accounts, global groups and other universal groups from any domain in the forest. Their membership is stored in the Global Catalog, so every membership change replicates to all GCs.
19. What is the difference between Global and Universal groups?
A global group's members must come from its own domain and its membership is not stored in the Global Catalog; a universal group can hold members from any domain in the forest and its membership is replicated to every GC.
20. What are the different types of Terminal Services?
Remote Desktop for Administration (called Remote Administration mode in Windows 2000; two concurrent remote sessions, no Terminal Server licensing) and Terminal Server (called Application Server mode in Windows 2000; requires Terminal Server client licenses).
21. What is meant by root DNS servers?
The servers on the Internet that are authoritative for the DNS root zone ("."). They hold the delegations to the top-level domains (com, org, the country codes, and so on) and are the starting point of recursive resolution when nothing closer is cached; a Windows DNS server knows them through its root hints file (cache.dns).
22. What are the different records in DNS?
A Address record (IPv4 host address; AAAA is the IPv6 equivalent)
PTR Pointer record (reverse lookup, IP address to name)
MX Mail exchanger record
NS Name server record
CNAME Canonical name / alias
SRV Service locator record (used by AD clients to find DCs, GCs and KDCs, e.g. _ldap._tcp.dc._msdcs.<domain>)
SOA Start of authority
23. What is an SOA record?
The Start of Authority record is the first record in every zone. It names the primary name server for the zone and the responsible person's mailbox, and carries the zone serial number and the refresh, retry, expire and minimum TTL timers that secondary servers use to decide when to transfer the zone.
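The SRV records above are how a domain-joined client finds its domain controllers, and the ports from question 7 are what it then connects to. As an added example (not part of the original Q&A), this PowerShell resolves the AD locator SRV records and tests the Kerberos, LDAP and Global Catalog ports on every DC they return. The domain name is an assumption; replace it with your own. Resolve-DnsName and Test-NetConnection exist on Windows 8 / Server 2012 and later.

```powershell
# Added example, not part of the original Q&A. Uses the SRV records AD
# registers in DNS to find the domain controllers, then verifies the service
# ports (Kerberos 88, LDAP 389, LDAPS 636, GC 3268, GC over SSL 3269).
# $domain is an assumption; replace it with your DNS domain name.
$domain = 'corp.example.com'

# _ldap._tcp.dc._msdcs.<domain> lists every DC of the domain,
# _gc._tcp.<domain> the GC servers (registered under the forest root),
# _kerberos._tcp.<domain> the KDCs.
$srv = @{
    DC       = "_ldap._tcp.dc._msdcs.$domain"
    GC       = "_gc._tcp.$domain"
    Kerberos = "_kerberos._tcp.$domain"
}

# host name -> list of roles it was returned for
$hosts = @{}
foreach ($role in $srv.Keys) {
    Resolve-DnsName -Name $srv[$role] -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |      # drop the A records in the additional section
        ForEach-Object {
            if (-not $hosts.ContainsKey($_.NameTarget)) { $hosts[$_.NameTarget] = @() }
            $hosts[$_.NameTarget] += "$role(prio=$($_.Priority),w=$($_.Weight),port=$($_.Port))"
        }
}

$ports = [ordered]@{ Kerberos = 88; LDAP = 389; LDAPS = 636; GC = 3268; 'GC-SSL' = 3269 }
foreach ($h in ($hosts.Keys | Sort-Object)) {
    Write-Host "`n$h  <- $($hosts[$h] -join '; ')"
    foreach ($name in $ports.Keys) {
        $ok = Test-NetConnection -ComputerName $h -Port $ports[$name] `
                                 -WarningAction SilentlyContinue -InformationLevel Quiet
        Write-Host ("  {0,-7} {1,4}  {2}" -f $name, $ports[$name], $(if ($ok) { 'open' } else { 'CLOSED' }))
    }
}
```

A DC that answers on 389 and 3268 but not on 636 and 3269 has no server certificate for LDAP over SSL, so any application that binds with a simple bind to it is sending passwords in clear text unless LDAP signing or channel binding is enforced.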
24. How do down-level clients register their names with the DNS server?
Windows 9x and NT 4 clients do not register in DNS themselves. Either enable WINS lookup in the DNS zone (WINS and WINS-R records), so that the DNS server falls back to WINS for names it does not hold, or configure the DHCP server to register A and PTR records on behalf of clients that cannot do it themselves.
25. What is RSoP?

RSoP (Resultant Set of Policy) is the set of Group Policy settings that actually applies to a user or computer after all linked GPOs, inheritance, enforcement and filtering have been processed. The RSoP snap-in and gpresult report it in logging mode; planning mode simulates it for a proposed change.
26. What is the default lease period for a DHCP server?
8 days by default.
27. What process do DHCP clients use to get an IP address?
Discover, Offer, Request, Acknowledge (DORA): the client broadcasts a DHCPDISCOVER, servers answer with a DHCPOFFER, the client broadcasts a DHCPREQUEST for the offer it accepts, and that server confirms the lease with a DHCPACK.
28. What is multicast?
Multicast scopes enable you to lease Class D IP addresses to clients for participation in multicast transmissions, such
as streaming video and audio transmissions.
29. What is superscope?
Superscope enables you to group several standard DHCP scopes into a single administrative group without causing
any service disruption to network clients.
30. What is the System Startup process?
Windows 2K boot process on Intel architecture.
1. Power-On Self Tests (POST) is run.
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run.
3. The active partition is located, and the boot sector is loaded.
4. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.
2. The Windows 2000 loader starts a mini-file system.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader
menu).
4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is selected, NTLDR
runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
5. NTDETECT.COM scans the hardware installed in the computer, and reports the list to NTLDR for inclusion in
the Registry under the HKEY_LOCAL_MACHINE\HARDWARE key, which is rebuilt at every boot.
6. NTLDR then loads NTOSKRNL.EXE and HAL.DLL and gives the kernel the hardware information collected by NTDETECT.COM.
Windows 2000 then enters the kernel load and initialization phases.
31. What is WINS hybrid & mixed mode?
Systems that are configured to use WINS are normally configured as a hybrid (H-node) client, meaning they attempt
to resolve NetBIOS names via a WINS server and then try a broadcast (B-node) if WINS is unsuccessful. Most
systems can be configured to resolve NetBIOS names in one of four modes:
Broadcast (B-node): Clients use a broadcast only to resolve names. An enhanced B-node setting has the client use
an LMHOSTS file as well. The hex value for this setting is 0x1.
Peer-to-Peer (P-node): Clients use WINS only to resolve names. The hex value for this setting is 0x2.
Mixed (M-node): Clients first use a broadcast in an attempt to resolve NetBIOS names. If this fails, they attempt the
resolution via the WINS server. The hex value for this setting is 0x4.
Hybrid (H-node): Clients first use the WINS service in an attempt to resolve NetBIOS names. If this fails, they
attempt the resolution via broadcast. The hex value for this setting is 0x8.
32. What is a disk quota?
Disk quotas limit how much space each user's files may occupy on an NTFS volume, with a warning level and a hard limit that can be logged or enforced.

1) What are the different editions of Windows Server 2003?
i) Standard Edition
ii) Web Edition
iii) Enterprise Edition
iv) Datacenter Edition
2) What is active directory?
Active Directory is the directory service included in the Windows Server 2003 family. Active Directory includes the
directory, which stores information about network resources, as well as all the services that make the information
available and useful. Active Directory is also the directory service included in Windows 2000.
3) What is the Active Directory database name and where is it located?
Name: NTDS.dit, located in %SystemRoot%\NTDS (C:\Windows\NTDS on a default installation).
4) What is the expansion of .dit? What size can NTDS scale to in 2k3?
DIT = Directory Information Tree. The ESE database engine supports a theoretical maximum of 16 TB for ntds.dit; in practice capacity is limited by hardware and by the number of objects rather than by the file-size limit.
5) What is schema in AD?
The Active Directory schema defines objects that can be stored in Active Directory. The schema is a list of
definitions that determines the kinds of objects and the types of information about those objects that can be stored in
Active Directory. Because the schema definitions themselves are stored as objects, they can be administered in the
same manner as the rest of the objects in Active Directory. Normally called schema object or metadata.
6) Structure of AD in 2kX?
1) Physical structure
Sites, Domain Controllers
2) Logical structures
Forest, Tree, Domain, OU, object
7) What are the domain functional levels in 2k3?
1) Windows 2000 mixed (the default; NT 4, 2000 and 2003 DCs)
2) Windows 2000 native (2000 and 2003 DCs)
3) Windows Server 2003 interim (NT 4 and 2003 DCs only)
4) Windows Server 2003 (2003 DCs only)
8) What is Global catalog and GC server?
The global catalog is the central repository of information about objects in a tree or forest. By default, a global
catalog is created automatically on the initial domain controller in the first domain in the forest. A domain controller
that holds a copy of the global catalog is called a global catalog server.
9) What are the functions of GC?
A) It enables a user to log on to a network by providing universal group membership information to a domain
controller when a logon process is initiated.
B) It enables finding directory information regardless of which domain in the forest actually contains the data.
10) What is the active directory database engine name?
ESE (Extensible Storage Engine)
11) What are the partitions available in AD?
i) Schema partition
ii) Configuration partition
iii) Domain partition
iv) Application partition
12) What are the two types of replications?
Inter-site (Site to site) and Intra-site (With in site) replications.
13) What is the KCC? What is its function?
The KCC (Knowledge Consistency Checker) is a built-in process that runs on all domain controllers. It creates the connection objects between domain controllers. Within a site, each DC's KCC generates its own inbound connections. For replication between sites, one DC per site, the Inter-Site Topology Generator (ISTG), runs the KCC function that generates all of the site's inter-site connections.

14) Which two authentication protocols do trusts use in 2k3?


Kerberos V5 and NTLM
15) What are the trust relations available in 2k3?
Tree-Root, Parent- Child, Shortcut, Realm, Forest trust, External trust
16) What is the hierarchy of applying GPO in 2k3?
It is applied from parent level to child level in AD.
i) Local GPO
ii) GPOs linked to sites
iii) GPOs linked to domains
iv) GPOs linked to OUs
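The order above is easy to state and hard to see on a real OU tree once link order, Enforced links and Block Inheritance are involved. As an added example (not part of the original Q&A), this PowerShell walks the domain and OU chain for one target OU, prints every GPO link in the order it is processed (the last one processed wins a conflicting setting), and then prints the effective precedence list that Get-GPInheritance reports. The OU name is an assumption; site-linked GPOs, which are processed between Local and Domain, are not shown. It requires the ActiveDirectory and GroupPolicy RSAT modules and assumes OU names contain no escaped commas.

```powershell
# Added example, not part of the original Q&A. Walks domain -> OU for one
# target OU and prints GPO links in processing order, then the effective
# precedence. $targetOU is an assumption; replace it with a real DN.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$targetOU = 'OU=Servers,OU=Tier0,DC=corp,DC=example,DC=com'
$domainDN = (Get-ADDomain).DistinguishedName

# Ancestor chain from the domain down to the target OU, built by stripping
# the leading RDN repeatedly (assumes no escaped commas in the OU names).
$chain = New-Object System.Collections.Generic.List[string]
$dn = $targetOU
while ($dn -ne $domainDN) {
    $chain.Insert(0, $dn)
    if ($dn.IndexOf(',') -lt 0) { throw "$targetOU is not under $domainDN" }
    $dn = $dn.Substring($dn.IndexOf(',') + 1)
}
$chain.Insert(0, $domainDN)

$step = 0
foreach ($container in $chain) {
    $inh = Get-GPInheritance -Target $container
    $blocked = if ($inh.GpoInheritanceBlocked) { 'BLOCKS INHERITANCE' } else { '' }
    Write-Host "`n$container  $blocked"
    # Link order 1 has the highest precedence on a container, so the
    # processing order (lowest precedence first) is the reverse of Order.
    foreach ($link in ($inh.GpoLinks | Sort-Object Order -Descending)) {
        $step++
        $flags = @()
        if (-not $link.Enabled) { $flags += 'disabled' }
        if ($link.Enforced)     { $flags += 'enforced (cannot be blocked below)' }
        Write-Host ("  {0,2}. {1,-45} {2}" -f $step, $link.DisplayName, ($flags -join ', '))
    }
}

# Effective precedence once Enforced and Block Inheritance are applied;
# the first entry is the highest precedence (GPMC shows it as 1).
Write-Host "`nEffective precedence on $targetOU"
$i = 0
foreach ($link in (Get-GPInheritance -Target $targetOU).InheritedGpoLinks) {
    $i++
    Write-Host ("  {0,2}. {1}" -f $i, $link.DisplayName)
}
```

The security point the walk makes visible: an Enforced link high in the tree beats a Block Inheritance lower down, so a security baseline that must reach every server belongs on an Enforced domain-level link, while a delegated OU administrator who can link GPOs to that OU can override anything that is not Enforced above it.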
17) What protocols are used for replication?
RPC over IP (synchronous; used within and between sites) and SMTP over IP (asynchronous; between sites only, and only for the schema, configuration and Global Catalog partitions, never for a domain partition; it also needs an enterprise CA because the replication mail is signed).
18) What is the default time delay for replication?
Intra-site: a DC notifies its first replication partner 5 minutes after a change in Windows 2000 and 15 seconds at the Windows Server 2003 forest functional level, then waits 30 seconds (2000) or 3 seconds (2003) between further partners. The KCC builds the topology automatically.
Inter-site: every 180 minutes (3 hours) by default on each site link; the minimum configurable interval is 15 minutes.
Urgent replication (account lockouts, changes to LSA secrets and trust passwords, RID master changes and DC account password changes) is sent immediately within a site, and password changes are additionally pushed to the PDC Emulator immediately, regardless of site.
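As an added example (not part of the original Q&A), the following PowerShell shows the two replication questions above on a live forest: it prints the transport, cost and interval configured on every site link, then queries each DC's inbound replication metadata and flags partners that are failing or have not replicated successfully within the default 180-minute inter-site interval plus some slack. It requires the ActiveDirectory module (the replication cmdlets are Windows Server 2008 R2 or later); the Q&A itself describes the Windows 2000/2003 defaults.

```powershell
# Added example, not part of the original Q&A. Shows inter-site schedules and
# flags stale or failing inbound replication for every DC in the domain.
Import-Module ActiveDirectory

# Inter-site interval and transport live on the site links. SMTP links carry
# only the schema, configuration and GC partitions, never a domain partition.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, InterSiteTransportProtocol, SitesIncluded |
    Select-Object Name, InterSiteTransportProtocol, Cost, ReplicationFrequencyInMinutes,
        @{Name = 'Sites'; Expression = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' }} |
    Format-Table -AutoSize

# Anything older than the default inter-site interval plus slack is suspicious
# even for a partner in another site.
$maxAge = (Get-Date).AddMinutes(-(180 + 30))

$status = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartnerType Inbound |
        ForEach-Object {
            [pscustomobject]@{
                DC          = $dc.HostName
                # Partner is the DN of the source DC's NTDS Settings object;
                # the second RDN is the server name.
                Partner     = (($_.Partner -split ',')[1] -replace '^CN=')
                Partition   = (($_.Partition -split ',')[0] -replace '^(CN|DC)=')
                LastSuccess = $_.LastReplicationSuccess
                Failures    = $_.ConsecutiveReplicationFailures
                LastResult  = $_.LastReplicationResult   # 0 = success, otherwise a Win32 error code
                Problem     = ($_.ConsecutiveReplicationFailures -gt 0) -or
                              ($_.LastReplicationSuccess -lt $maxAge)
            }
        }
}

$status | Sort-Object @{Expression = 'Problem'; Descending = $true}, DC | Format-Table -AutoSize

$bad = @($status | Where-Object Problem)
if ($bad) {
    Write-Warning "$($bad.Count) replication link(s) failing or stale; run repadmin /showrepl on the affected DCs"
}
```

A partner that has not replicated for longer than the tombstone lifetime must not simply be reconnected; it has to be demoted and re-promoted, otherwise lingering objects re-appear in the domain.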
19) What tables are in the NTDS database?
i) Schema table (the definitions of object classes and attributes)
ii) Link table (linked attributes such as group membership)
iii) Data table (all objects and their attribute values)
iv) SD table (security descriptors, stored once and shared between objects; added in Windows Server 2003)
19) Where are the FRS logs stored, and what is the database engine?
%SystemRoot%\ntfrs\jet\log. The FRS database ntfrs.jdb uses the ESE (Jet) database engine.
20) What is a tombstone object in AD? What is its lifetime?
An object deleted from Active Directory is not removed from the database immediately. It is stripped of most of its attributes, flagged isDeleted and moved to the Deleted Objects container; this remnant is the tombstone, and it exists so that the deletion itself can replicate to every DC. The default tombstone lifetime is 60 days; forests created with Windows Server 2003 SP1 or later use 180 days. A backup older than the tombstone lifetime must not be restored, and a DC that has been offline longer than that must not be reconnected, because both would reintroduce objects that the rest of the forest has already purged.
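As an added example (not part of the original Q&A), this PowerShell reads the forest's actual tombstone lifetime and garbage-collection interval from the configuration partition, then lists the current tombstones with the container they were deleted from and the days left before garbage collection purges them; this is also the information you need before deciding whether the authoritative restore described in question 12 is still possible. It requires the ActiveDirectory module and read access to the Deleted Objects container (Domain Admins by default).

```powershell
# Added example, not part of the original Q&A. Reads tombstone lifetime and
# garbage-collection interval, then lists tombstones and their remaining days.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                      -Properties tombstoneLifetime, garbageCollPeriod

# Unset attributes mean the Windows 2000 defaults: 60 days and 12 hours.
# Forests created with Windows Server 2003 SP1 or later have 180 set explicitly.
$tsl    = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
$gcHour = if ($dsObj.garbageCollPeriod) { [int]$dsObj.garbageCollPeriod } else { 12 }
Write-Host "Tombstone lifetime: $tsl days, garbage collection every $gcHour hours"

# Tombstones keep isDeleted=TRUE and lastKnownParent; whenChanged is the
# deletion time unless the tombstone was modified again afterwards.
$tombstones = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
                           -Properties whenChanged, lastKnownParent, objectClass |
    Where-Object { $_.Name -notlike 'Deleted Objects*' }   # skip the container itself

# A tombstone's Name is "<old name>" + newline + "DEL:<objectGUID>"; keep the old name.
$tombstones |
    Select-Object @{Name = 'Name'; Expression = { ($_.Name -split "`n")[0] }},
        objectClass, lastKnownParent,
        @{Name = 'DeletedOn';      Expression = { $_.whenChanged }},
        @{Name = 'DaysUntilPurge'; Expression = { [math]::Round($tsl - ((Get-Date) - $_.whenChanged).TotalDays) }} |
    Sort-Object DaysUntilPurge |
    Format-Table -AutoSize

# A single object can be brought back with Restore-ADObject -Identity <objectGUID>.
# Without the AD Recycle Bin (2008 R2+) it comes back stripped of most
# attributes, which is why a deleted OU and its contents need an authoritative
# restore from backup instead.
```

Tombstones are also forensically useful: a deleted account keeps its objectSid, lastKnownParent and deletion time until it is purged, so an attacker who creates and deletes a rogue account leaves a trace for the length of the tombstone lifetime.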
21) FSMO Roles
In a forest there are at least five FSMO (Flexible Single Master Operation) roles: two forest-wide roles and three per domain, each held by exactly one domain controller at a time. They exist because a few operations would be unsafe under multi-master replication if two DCs performed them at once. The five FSMO
roles are
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. To update the schema of
a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master
The domain naming master domain controller controls the addition or removal of domains in the forest. There can
be only one domain naming master in the whole forest.
Infrastructure Master:
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains (for example, group members that live in another domain) when those objects are renamed or moved. At
any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain.
At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator

The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to
workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if
the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows
2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master
acts as a Windows NT PDC. It is also the Domain Master Browser and the authoritative time source of the domain; password changes are replicated to it first and failed logons are re-checked against it before a bad-password error is returned; account lockouts are processed on it; and Group Policy objects are edited on it by default. At any
one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
Quicker Q&A
1. What are the required components of Windows Server 2003 for installing
Exchange 2003? - ASP.NET, SMTP, NNTP, W3SVC
2. What must be done to an AD forest before Exchange can be deployed? Setup /forestprep
3. What Exchange process is responsible for communication with AD? DSACCESS
4. What 3 types of domain controller does Exchange access? - Normal Domain
Controller, Global Catalog, Configuration Domain Controller
5. What connector type would you use to connect to the Internet, and what
are the two methods of sending mail over that connector? - SMTP Connector:
Forward to smart host or use DNS to route to each address
6. How would you optimize Exchange 2003 memory usage on a Windows
Server 2003 server with more than 1Gb of memory? - Add /3Gb switch to
boot.ini
7. What would a rise in remote queue length generally indicate? - This means
mail is not being sent to other servers. This can be explained by outages or
performance issues with the network or remote servers.
8. What would a rise in the Local Delivery queue generally mean? - This
indicates a performance issue or outage on the local server. Reasons could be
slowness in consulting AD, slowness in handing messages off to local delivery or
SMTP delivery. It could also be databases being dismounted or a lack of disk space.
9. What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and
Global Catalog? - SMTP 25, POP3 110, IMAP4 143, RPC 135, LDAP
389, Global Catalog - 3268
10. Name the process names for the following: System Attendant? MAD.EXE,
Information Store STORE.EXE, SMTP/POP/IMAP/OWA INETINFO.EXE
11. What is the maximum amount of databases that can be hosted on Exchange
2003 Enterprise? - 20 databases. 4 SGs x 5 DBs.
12. What are the disadvantages of circular logging? - In the event of a corrupt
database, data can only be restored to the last backup.
1. What are the Default shares in Windows Server 2003?
By default, Windows automatically creates special hidden administrative shares that administrators, programs, and
services can use to manage the computer environment or network. These special shared resources are not visible in
Windows Explorer or in My Computer, but you can use the Shared Folders tool in Computer Management to view

them. Depending on the configuration of your computer, you may see some or all the following special shared
resources listed in the Shares folder in Shared Folders:
DriveLetter$: Root partitions and volumes are shared as the drive letter name
appended with the $ character. For example, drive letters C and D are shared as C$
and D$.
ADMIN$: A resource that is used during remote administration of a computer.
IPC$: A resource that shares the named pipes that you must have for communication
between programs. Note that this resource cannot be deleted.
NETLOGON: A share on domain controllers that holds logon scripts and NT 4-style system policies (%SystemRoot%\SYSVOL\sysvol\<domain>\SCRIPTS).
SYSVOL: A share on domain controllers that holds the replicated Group Policy templates and scripts.
PRINT$: A resource that is used during the remote administration of printers.
FAX$: A shared folder on a server that is used by fax clients during fax transmission.
Note NETLOGON and SYSVOL are not hidden shares but are instead special administrative shares.
Generally, Microsoft recommends that you do not modify these special shared resources. However, if you want to
remove the special shared resources and prevent them from being created automatically, you can do this by editing
the registry.

Q) Can I change my password if my machine's connectivity to the DC that holds the PDC emulator role has
failed?
A) No, you can't change the password.
Q) I have been asked: if there is a set of 30 hard disks configured for RAID 5 and two hard disks fail, what about the
data?
A) It depends how you configured your RAID, plain RAID 5 or RAID 5 with a spare. If it is plain RAID 5 and two of
your HDDs go, your RAID is gone.
Q) How can I deploy the latest patches to PCs through GP without having admin rights on the PC?
A) Create a batch file and place all the patches in the NETLOGON share, and deploy the batch file through GP to all
the PCs, so it takes effect after restarting the PC.
Q) In RAID 5, suppose I have 5 HDDs of 10 GB each. After configuring the RAID, how much space do I have to
utilise?
A) One disk less than the total (e.g. if you are using 5 you get only 4, because 1 goes for parity).
Q) How can I resolve the server name through nslookup?
A) What exactly do you want to do? The nslookup command will tell you through which server you are getting routed
(e.g. C:\>nslookup, then you will get the domain name to which you are getting routed), and if you want to get the name
of the PC/server from its IP address then you have to give the command C:\>nbtstat -a xx-xx-xx-xx.
1. Where do you place a DHCP relay agent?
Ans: The DHCP relay agent needs to be placed on the software router.

Question: How many zone types are there in Windows 2000 Server and Windows Server 2003?
Ans: In Windows 2000 there are mainly 3 zone types:
Standard Primary: the writable copy; zone information is stored in a text file (%SystemRoot%\System32\dns\<zone>.dns)
Standard Secondary: a read-only copy of the primary, obtained by zone transfer
Active Directory Integrated: zone data is stored in Active Directory and replicated with it (only on DCs; this is what allows secure dynamic updates)
In Win2k3 one more zone type is added: the stub zone.
A stub zone is like a secondary zone but contains only a copy of the SOA record, the NS records and the A (glue) records of the name servers for that zone; no MX, SRV or other records.
With a stub zone the DNS server can find the authoritative servers for the zone directly, which keeps DNS traffic low and avoids hard-coded delegations that go stale.

Question: What is Kerberos? Which version is currently used by Windows? How does Kerberos work?
Answer: Kerberos is the default authentication protocol of Windows 2000 and Windows 2003 Active Directory domains; every domain controller runs the Key Distribution Center (KDC) service.
Version: Kerberos 5.
Port: 88 (TCP and UDP).
How it works: the client sends an AS-REQ to the KDC, proves knowledge of its password-derived key (pre-authentication) and receives a Ticket-Granting Ticket encrypted with the krbtgt account's key. With the TGT it asks the KDC for a service ticket (TGS-REQ/TGS-REP) for the Service Principal Name of the server it wants, and presents that ticket to the server (AP-REQ), which decrypts it with its own account key; no DC is contacted for that step. Tickets carry a time-limited session key (the TGT is valid for 10 hours by default), so client and KDC clocks must stay within 5 minutes of each other.
It is stronger than NTLM because the password hash never travels to the server, mutual authentication is possible, and the server does not need to pass the credentials through to a DC for validation.

Which protocol is used for public folders?

ANS: SMTP (public folder content replicates between Exchange servers over SMTP; clients reach public folders through MAPI, OWA, IMAP4 or NNTP).
What is the use of NNTP with Exchange?
ANS: This protocol is used for newsgroup access to public folders in Exchange.

What is the content of a System State backup?

The contents are:
Boot files and system files
Active Directory (if the backup is taken on a DC)
SYSVOL folder (on a DC)
Certificate Services database (on a CA server)
Cluster database (on a cluster node)
Registry
Performance counter configuration information
Component Services (COM+) class registration database

Q: What are the prerequisites for installing Exchange Server?


The prerequisites are:
IIS
SMTP service
World Wide Web (WWW) service
NNTP service
.NET Framework
ASP.NET
Then run setup /forestprep (extends the schema; needs Schema Admins and Enterprise Admins and is run against the Schema Master)
Then run setup /domainprep (creates the Exchange groups and permissions in each domain; needs Domain Admins)
Question: What is multi-master replication?
Answer: Multi-master replication is a method of replication employed by databases to transfer data or changes to
data across multiple computers in a group, where every member accepts writes and conflicts are resolved afterwards (Active Directory resolves them by version number, then timestamp, then the originating DC's invocation ID). It contrasts with the master-slave
method (also known as single-master replication) used by Windows NT 4, where only the PDC accepted changes.
What are DFS Replication and DFS Namespaces?
DFS Replication: a state-based, multimaster replication engine (new in Windows Server 2003 R2) that is optimized for WAN
environments. DFS Replication supports replication scheduling, bandwidth throttling, and a byte-level
compression algorithm known as remote differential compression (RDC).
DFS Namespaces: technology that helps administrators group shared folders located on different servers
and present them to users as a virtual tree of folders known as a namespace. DFS Namespaces was formerly
known as Distributed File System in Windows 2000 Server and Windows Server 2003.
What are the four domain functional levels?
Windows 2000 Mixed
Windows 2000 Native
Windows Server 2003 Interim
Windows Server 2003

Windows 2000 Mixed
When you configure a new Windows Server 2003 domain, the default domain functional level is Windows 2000 mixed. Under this level Windows NT 4, 2000 and 2003 domain controllers are supported; however, certain features such as universal security groups, nesting of security groups and SID history are not available.

Windows 2000 Native
Raise a domain to Windows 2000 Native only when no Windows NT domain controllers remain, because NT 4 BDCs cannot replicate afterwards and the change cannot be undone. Additional features become available, including group nesting, universal security groups, SID History, and the ability to convert between security groups and distribution groups.

Windows Server 2003 Interim
The third functional level is Windows Server 2003 Interim; it is used when upgrading directly from Windows NT 4 to Windows Server 2003. It supports Windows NT 4 and Windows Server 2003 domain controllers (no Windows 2000 DCs). Like Windows 2000 Mixed it provides no new domain features, but at the forest level it brings the improved ISTG and linked-value replication.

Windows Server 2003
The last functional level is Windows Server 2003. It only supports Windows Server 2003 domain controllers. If you want to take advantage of all the features included with Windows Server 2003, you must implement this level. Features introduced here include the ability to rename domain controllers (netdom computername), the lastLogonTimestamp attribute, the userPassword attribute as a real password attribute, and constrained delegation for Kerberos.

Q1. Which are the FIVE FSMO roles?

Schema Master          Forest level   One per forest
Domain Naming Master   Forest level   One per forest
PDC Emulator           Domain level   One per domain
RID Master             Domain level   One per domain
Infrastructure Master  Domain level   One per domain

Q2. What are their functions?


1. Schema Master (Forest level)
The schema master FSMO role holder is the Domain Controller responsible for
performing updates to the active directory schema. It contains the only writable
copy of the AD schema. This DC is the only one that can process updates to the
directory schema, and once the schema update is complete, it is replicated from
the schema master to all other DCs in the forest. There is only one schema master
in the forest.
2. Domain Naming Master (Forest level)
The domain naming master FSMO role holder is the DC responsible for making
changes to the forest-wide domain name space of the directory. This DC is the only
one that can add or remove a domain from the directory, and that is its major
purpose. It can also add or remove cross references to domains in external
directories. There is only one domain naming master in the active directory or
forest.
3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following
functions:
Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator first.
Authentication failures that occur at a given DC in a domain because of an incorrect
password are forwarded to the PDC emulator for validation before a bad password
failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Time synchronization for the domain.
Group Policy changes are preferentially written to the PDC emulator.
Additionally, if your domain is a mixed mode domain that contains Windows NT 4
BDCs, then the Windows 2000 domain controller, that is the PDC emulator, acts as
a Windows NT 4 PDC to the BDCs.
There is only one PDC emulator per domain.
Note: Some consider the PDC emulator to only be relevant in a mixed mode
domain. This is not true. Even after you have changed your domain to native mode
(no more NT 4 domain controllers), the PDC emulator is still necessary for the
reasons above.
4. RID Master (Domain level)
The RID master FSMO role holder is the single DC responsible for processing RID
Pool requests from all DCs within a given domain. It is also responsible for
removing an object from its domain and putting it in another domain during an
object move.
When a DC creates a security principal object such as a user, group or computer
account, it attaches a unique Security ID (SID) to the object. This SID consists of a
domain SID (the same for all SIDs created in a domain), and a relative ID (RID)
that makes the object unique in a domain.
Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the
security principals it creates. When a DC's allocated RID pool falls below a
threshold, that DC issues a request for additional RIDs to the domain's RID master.
The domain RID master responds to the request by retrieving RIDs from the
domain's unallocated RID pool and assigns them to the pool of the requesting DC.
There is one RID master per domain in a directory.
5. Infrastructure Master (Domain level)
The DC that holds the Infrastructure Master FSMO role is responsible for cross
domain updates and lookups. When an object in one domain is referenced by
another object in another domain, it represents the reference by the GUID, the SID
(for references to security principals), and the distinguished name (DN) of the
object being referenced. The Infrastructure role holder is the DC responsible for
updating an object's SID and distinguished name in a cross-domain object
reference.
When a user in DomainA is added to a group in DomainB, then the Infrastructure
master is involved. Likewise, if that user in DomainA, who has been added to a
group in DomainB, then changes his username in DomainA, the Infrastructure
master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.
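The RID Master discussion above is easier to follow when you can see the SID structure it produces. As an added example (not part of the original Q&A), this PowerShell splits account SIDs into the domain SID and the RID with the .NET SecurityIdentifier class and shows how the well-known RIDs identify privileged principals regardless of display name: the built-in Administrator is RID 500 even when renamed, Domain Admins is 512, Enterprise Admins 519. The sample SIDs are constructed for illustration; the commented Get-ADUser line shows the same split on live objects.

```powershell
# Added example, not part of the original Q&A. Splits SIDs into domain SID
# and RID and labels the well-known RIDs. Sample SIDs below are constructed.
$wellKnownRids = @{
    500 = 'Administrator (built-in)'
    501 = 'Guest'
    502 = 'krbtgt'
    512 = 'Domain Admins'
    513 = 'Domain Users'
    516 = 'Domain Controllers'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
    520 = 'Group Policy Creator Owners'
}

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s     = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $parts = $s.Value -split '-'
    $rid   = [int]$parts[-1]            # last sub-authority is the RID
    [pscustomobject]@{
        Sid       = $s.Value
        DomainSid = $s.AccountDomainSid.Value   # S-1-5-21-<three sub-authorities>, same for the whole domain
        Rid       = $rid
        WellKnown = if ($wellKnownRids.ContainsKey($rid)) { $wellKnownRids[$rid] }
                    elseif ($rid -lt 1000) { 'other well-known RID' }
                    else { 'allocated from a DC RID pool' }
    }
}

# Constructed sample SIDs, all from the same fictional domain.
$samples = @(
    'S-1-5-21-1004336348-1177238915-682003330-500',
    'S-1-5-21-1004336348-1177238915-682003330-512',
    'S-1-5-21-1004336348-1177238915-682003330-1106',
    'S-1-5-21-1004336348-1177238915-682003330-48212'
)
$samples | ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize

# On a domain-joined host the same split finds the real built-in Administrator
# even if it has been renamed (requires the ActiveDirectory module):
# Get-ADUser -Filter * | Where-Object { (Split-Sid $_.SID.Value).Rid -eq 500 }
```

RIDs below 1000 are reserved for well-known principals; everything a DC creates from its allocated pool starts at 1000, which is why renaming the Administrator account hides nothing from anyone who can read SIDs.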

Q3. What if a FSMO server fails?

If Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, such as Exchange setup, and occasionally by an administrator adding an attribute to a class), the malfunction of the server holding the Schema Master role does not pose a critical problem.

If Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO for the first DC of a new domain or the last DC of an existing one). If it is not, the domain cannot be added or removed. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

If PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This is most noticeable in a mixed mode domain where you are still running NT 4 BDCs and downlevel clients (NT and Win9x): since the PDC emulator acts as the NT 4 PDC, anything that depends on the PDC is affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure is less visible but still matters: password changes made on other DCs are no longer forwarded to it, bad-password retries and account lockouts are no longer checked against it, the domain loses its time source and Group Policy editing defaults to it, so the role should be seized if the outage is not short.

If RID Master: The RID Master hands out RID pools for security principals (users, groups, computer accounts). Its failure has little immediate impact because each DC in the domain already holds a pool of RIDs; a problem occurs only when the DC on which you are creating users or groups exhausts its pool and cannot obtain a new one, which matters when you add a very large number of accounts.

If Infrastructure Master: This FSMO role is only relevant in a multi-domain environment. If you only have one domain, the Infrastructure Master has nothing to do. Failure of this server in a multi-domain environment is a problem when you add users from one domain to groups in another, or rename or move such users: the cross-domain references held in the affected domain stop being updated.

Q4. Where are these FSMO server roles found?


The first domain controller that is installed in a Windows 2000 domain, by default, holds all
five of the FSMO server roles. Then, as more domain controllers are added to the domain,
the FSMO roles can be moved to other domain controllers.

Q5. Can you Move FSMO roles?


Yes, moving a FSMO server role is a manual process, it does not happen automatically. But
what if you only have one domain controller in your domain? That is fine. If you have only
one domain controller in your organization then you have one forest, one domain, and of
course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no
rule that says you have to have one server for each FSMO server role.
Q6. Where to place the FSMO roles?
Assuming you do have multiple domain controllers in your domain, there are some best
practices to follow for placing FSMO server roles.
The Schema Master and Domain Naming Master should reside on the same server, and that
machine should be a Global Catalog server. Since all three are, by default, on the first
domain controller installed in a forest, you can leave them as they are.
Note: In a Windows 2000 forest the Domain Naming Master must be on a Global Catalog server, because it checks the GC to make sure a new domain name is not already in use; from the Windows Server 2003 forest functional level onwards this requirement no longer applies.
If you separate the Domain Naming Master and Schema Master in a Windows 2000 forest, just make
sure they are both on Global Catalog servers.
IMP: Why should the Infrastructure Master not be on the same server that acts as a
Global Catalog server?
The Infrastructure Master should not be on the same server that acts as a Global Catalog
server.
The reason is that the Global Catalog contains information about every object in the
forest. The Infrastructure Master, which is responsible for updating the cross-domain references (phantoms) held in its domain, compares them against a Global Catalog to detect objects that were renamed, moved or deleted in another domain. If both reside on the
same server, the Infrastructure Master already holds the current data itself, never sees a stale reference, and therefore never replicates the corrected references to the other domain
controllers in its domain; group memberships that point to users in other domains slowly go stale on those DCs.
Note: In a single-domain forest, or when every domain controller in the domain is also a Global Catalog server, this is not an issue.
Microsoft also recommends that the PDC Emulator and RID Master be on the same server.
This is not mandatory like the Infrastructure Master and the Global Catalog server above,
but is recommended. Also, since the PDC Emulator will receive more traffic than any other
FSMO role holder, it should be on a server that can handle the load.
It is also recommended that all FSMO role holders be direct replication partners and they
have high bandwidth connections to one another as well as a Global Catalog server.
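As an added example (not part of the original Q&A), the following PowerShell reports the five role holders and the GC servers of the forest you are logged on to and then checks the placement rules stated above: Infrastructure Master on a GC in a multi-domain forest where not every DC is a GC, Schema Master and Domain Naming Master co-located and on a GC, PDC Emulator and RID Master co-located. It requires the ActiveDirectory module, changes nothing, and only prints findings; the same role information can be obtained with netdom query fsmo, and roles are moved with Move-ADDirectoryServerOperationMasterRole.

```powershell
# Added example, not part of the original Q&A. Reports FSMO role holders and
# checks the placement best practices against the live forest. Read-only.
Import-Module ActiveDirectory

$forest = Get-ADForest
$gcs    = @($forest.GlobalCatalogs)          # FQDNs of every GC server in the forest

Write-Host "Forest $($forest.Name)  mode=$($forest.ForestMode)"
Write-Host "  Schema Master        : $($forest.SchemaMaster)"
Write-Host "  Domain Naming Master : $($forest.DomainNamingMaster)"
Write-Host "  Global Catalogs      : $($gcs -join ', ')"

$findings = @()
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    $findings += 'Schema Master and Domain Naming Master are on different DCs (recommended together)'
}
foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
    if ($gcs -notcontains $forest.$role) { $findings += "$role $($forest.$role) is not a Global Catalog" }
}

foreach ($domainName in $forest.Domains) {
    $d   = Get-ADDomain -Identity $domainName
    $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
    Write-Host "`nDomain $($d.DNSRoot)  mode=$($d.DomainMode)  DCs=$($dcs.Count)"
    Write-Host "  PDC Emulator         : $($d.PDCEmulator)"
    Write-Host "  RID Master           : $($d.RIDMaster)"
    Write-Host "  Infrastructure Master: $($d.InfrastructureMaster)"

    if ($d.PDCEmulator -ne $d.RIDMaster) {
        $findings += "$($d.DNSRoot): PDC Emulator and RID Master are on different DCs (recommended together)"
    }

    # The IM/GC rule only bites in a multi-domain forest where some DC is not a GC.
    $everyDcIsGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($forest.Domains.Count -gt 1 -and ($gcs -cont
ains $d.InfrastructureMaster) -and -not $everyDcIsGc) {
        $findings += "$($d.DNSRoot): Infrastructure Master $($d.InfrastructureMaster) is a GC while other DCs are not; cross-domain references will never be refreshed"
    }
}

Write-Host "`nFindings:"
if ($findings) { $findings | ForEach-Object { Write-Host "  - $_" } } else { Write-Host '  none' }
```

Because the PDC Emulator and the Schema Master are the two role holders whose compromise has forest-wide consequences (password and lockout handling, and irreversible schema changes respectively), the output is also a quick way to confirm that those roles sit on the most protected DCs rather than on whichever server happened to be promoted first.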
Q7. What permissions do you need in order to transfer a FSMO role?
Before you can transfer a role, you must have the appropriate permissions depending on
which role you plan to transfer:
Schema Master: member of the Schema Admins group
Domain Naming Master: member of the Enterprise Admins group
PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
RID Master: member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS
Q8. Tools to find out what servers in your domain/forest hold what server roles?
1. Active Directory Users and Computers:- use this snap-in to find out where the
domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and
also to change the location of one or more of these 3 FSMO roles.
Open Active Directory Users and Computers, right click on the domain you want to view the
FSMO roles for and click "Operations Masters". A dialog box (below) will open with three
tabs, one for each FSMO role. Click each tab to see what server that role resides on. To
change the server roles, you must first connect to the domain controller you want to move
it to. Do this by right clicking "Active Directory Users and Computers" at the top of the
Active Directory Users and Computers snap-in and choose "Connect to Domain Controller".
Once connected to the DC, go back into the Operations Masters dialog box, choose a role to
move and click the Change button.
When you do connect to another DC, you will notice the name of that DC will be in the field
below the Change button (not in this graphic).
2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain
Naming Master FSMO role is and to change its location.
The process is the same as it is when viewing and changing the Domain level FSMO roles in
Active Directory Users and Computers, except you use the Active Directory Domains and
Trusts snap-in. Open Active Directory Domains and Trusts, right click "Active Directory
Domains and Trusts" at the top of the tree, and choose "Operations Master". When you do,
you will see the dialog box below. Changing the server that houses the Domain Naming
Master requires that you first connect to the new domain controller, then click the Change
button. You can connect to another domain controller by right clicking "Active Directory
Domains and Trusts" at the top of the Active Directory Domains and Trusts snap-in and
choosing "Connect to Domain Controller".
3. Active Directory Schema - this snap-in is used to view and change the Schema Master
FSMO role. However, the Active Directory Schema snap-in is not part of the default
Windows 2000 administrative tools or installation. You first have to install the Support Tools
from the \Support directory on the Windows 2000 server CD or install the Windows 2000
Server Resource Kit. Once you install the support tools you can open up a blank Microsoft
Management Console (start, run, mmc) and add the snap-in to the console. Once the snap-in
is open, right click "Active Directory Schema" at the top of the tree and choose
"Operations Masters". You will see the dialog box below. Changing the server the Schema
Master resides on requires you first connect to another domain controller, and then click the
Change button.
You can connect to another domain controller by right clicking "Active Directory Schema" at
the top of the Active Directory Schema snap-in and choosing "Connect to Domain
Controller".
4. Netdom
The easiest and fastest way to find out what server holds what FSMO role is by using the
Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility
is only available if you have installed the Support Tools from the Windows 2000 CD or the
Win2K Server Resource Kit.
To use Netdom to view the FSMO role holders, open a command prompt window, type
netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor
Another tool that comes with the Support Tools is the Active Directory Replication
Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open,
click Edit, Add Monitored Server and add the name of a Domain Controller. Once added,
right click the Server name and choose properties. Click the FSMO Roles tab to view the
servers holding the 5 FSMO roles (below). You cannot change roles using Replication
Monitor, but this tool has many other useful purposes in regard to Active Directory
information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change
servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows
2000 server, is rather complicated and beyond the scope of this document.
6. DUMPFSMOS
Command-line tool to query for the current FSMO role holders
Part of the Microsoft Windows 2000 Server Resource Kit
Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
Prints to the screen, the current FSMO holders
Calls NTDSUTIL to get this information
7. NLTEST
Command-line tool to perform common network administrative tasks
Type "nltest /?" for syntax and switches
Common uses
Get a list of all DCs in the domain
Get the name of the PDC emulator
Query or reset the secure channel for a server
Call DsGetDCName to query for an available domain controller
8. Adcheck (470k) (3rd party)
A simple utility to view information about AD and FSMO roles
http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to Transfer and Seize a FSMO Role
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
++++++++++++++++++++++
DNS (Domain Name System) is a distributed naming database that resolves names to IP addresses and
vice versa.
There are three types of queries that a client can make to a DNS server.
1. Recursive
2. Iterative
3. Inverse.
There are two types of lookup:
1. Forward lookup - resolves a name to an IP address.
2. Reverse lookup - resolves an IP address to a name.
There are three types of zones:
1. AD integrated zone
2. Standard primary zone
3. Standard secondary zone
Protocols & Port No for DNS
DNS uses both UDP & TCP.
Normal resource record lookups are done with UDP.
Ordinary DNS requests can be made with TCP, though convention dictates the use of UDP for normal
operation.
TCP is used for zone transfers.
DNS uses port number 53.
Sequence to RESOLVE a query
To resolve a query, the client uses the following sequence:
1. NetBIOS name cache
2. WINS, broadcast
3. LMHOSTS
4. HOSTS
5. Domain Name System (DNS) cache
6. DNS server configured on the system
Zone Database Transfer Type:
1. AXFR - full zone database transfer
2. IXFR - incremental zone database transfer
A zone transfer is always initiated by the client side.
1. In Active Directory Integrated Zones, DNS zone files are stored in the Active Directory database, so
zone files replicate when replication happens between Domain Controllers.
An Active Directory-integrated zone is an available option when the DNS server is installed on an Active
Directory domain controller. When a DNS zone is installed as an Active Directory zone, the DNS
information is automatically updated on other AD domain controllers running DNS by using Active
Directory's multimaster update techniques. Zone information stored in the Active Directory allows DNS
zone transfers to be part of the Active Directory replication process, secured by Kerberos authentication.
A standard primary DNS zone holds a master copy of a zone and can replicate it to all configured secondary
zones in standard text format. Any changes that must be made to the zone are made on the copy stored
on the primary. On the other hand, a standard secondary zone holds a read-only copy of the zone
information in standard text format. Secondary zones are created to increase performance and resilience
of the DNS configuration. Information is transferred from the primary zone to the secondary zones.
STUB ZONE

A stub zone is a read-only copy of a zone that contains only those resource records necessary to identify
the authoritative DNS servers for the actual zone. A stub zone is used to keep a parent zone aware of the
authoritative DNS servers for a delegated zone and thereby maintain DNS name resolution efficiency.
For example, a customer who is running Windows 2000 (that has both a parent and child domain) will
typically create a delegation record in the parent zone for the child domain, thus enabling the child DNS
server to host the primary zone for the child domain. As new DNS servers are added to the child domain,
the delegation record must be updated manually on the parent DNS server to reflect those new child DNS
servers.
Alternatively, with stub zones, the parent DNS server can host a stub zone for the child domain and
become aware of new child DNS servers automatically when the stub zone is loaded or reloaded.
Stub zones are not limited to use in a parent-child domain topology; they also can be used to resolve
resource records in other domains in the forest and, theoretically, for other forests as well.
The administrator cannot modify a stub zone's resource records. Any changes the administrator wants to
make to the resource records in a stub zone must be made in the original, primary zone from which the
stub zone is derived. Unlike secondary zones, stub zones can be stored in Active Directory.
A stub zone is composed of:
The start-of-authority (SOA) resource record, name server (NS) resource records, and the glue A
resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the stub zone.
In short, a stub zone:
1) Allows a parent domain to automatically identify the DNS servers in a child domain.
2) Contains only the SOA, NS, and A records.
3) Lets the DNS server query the NS directly instead of through recursion with root hints.
4) Is changed when the master zone is updated or loaded.
The local list of master zones defines physically local servers from which to transfer.
Using the Local List of Masters
Master servers are DNS servers that the stub zone will contact to retrieve the necessary resource
records. It is comparable to the list of servers defined when creating a secondary zone (i.e., the list of
servers from which the zone is transferred). When more than one server appears in the list and a zone
update is requested, the list of master servers is used and the servers are prioritized by the order in which
they appear in the list.
When Active Directory-integrated stub zones are replicated into different physical sites, it is recommended
that they be updated using a local list of master servers in each site. For example, an Active Directory-
integrated stub zone, widgets.microsoft.com, was loaded in a site in Seattle and replicated to a site in
Boston. Master servers for the stub zone exist in each of these sites.
When the stub zone in Boston is updated, the domain controller may contact both master servers for
resource records in widgets.microsoft.com. However, because of network traffic, the administrator may
want the domain controller in Boston to use only the master server in Boston and not the master server in
Seattle. To force the domain controller in Boston to use only the master server in Boston, the
administrator can specify that the stub zone in Boston be updated using a local list of master servers.
Master server list in the stub zone properties dialog box
To use a local list of masters, enable the checkbox "Use the list above as a local list of master" on the
General tab of the stub zone properties. This option will only be available if the zone is stored in Active
Directory. Stub zones that are not stored in Active Directory will only use the list of masters that are
specified in the stub zone properties.

New Registry Keys
Name: LocalMasterServers
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\<zonename>
Type: REG_SZ
Valid Range: space-separated IP list of masters to be used by this DNS server
Conditional forwarding
Conditional forwarding allows a DNS server to forward queries to other DNS servers based on the DNS
domain names in the queries. With conditional forwarding, a DNS server could be configured to forward
all the queries it receives for names ending with widgets.microsoft.com to a specific DNS server's IP
address, or to the IP addresses of multiple DNS servers.
For example, when two companies ( example1.com and example2.com) merge or collaborate, they may
want to allow clients from the internal namespace of one company to resolve the names of the clients
from the internal namespace of another company.
The administrators from one organization (e.g., example1.com) may inform the administrators of the other
organization (e.g., example2.com) about the set of DNS servers that they can use to send DNS queries to
for the name resolution within the internal namespace of the first organization. In this case the DNS
servers within the example2.com organization will be configured to forward all queries for names ending
with "example1.com." to the designated DNS servers.
Note: Authoritative DNS servers cannot forward queries according to domain names for which they are
authoritative. For example, the authoritative DNS server for the zone widgets.microsoft.com cannot
forward queries according to the domain name widgets.microsoft.com. If the DNS server were allowed to
do this, it would nullify the server's ability to respond to queries for the domain name
widgets.microsoft.com. The DNS server authoritative for widgets.microsoft.com can forward queries for
DNS names that end with hr.widgets.microsoft.com, if hr.widgets.microsoft.com is delegated to another
DNS server.
Forwarders tab in DNS server properties.
The conditional forwarder setting consists of the following:
The domain names for which the DNS server will forward queries
One or more DNS server IP addresses for each domain name specified
Forwarding Sequence
Each domain name used for forwarding on a DNS server is associated with the IP addresses of one or
more DNS servers. A DNS server configured for forwarding will use its forwarders list after it has
determined that it cannot resolve a query using its authoritative data (primary or secondary zone data) or
cached data. If the server cannot resolve a query using forwarders, it may attempt recursion to the root
hint servers.
The order of the IP addresses listed determines the sequence in which the IP addresses are used. After
the DNS server forwards the query to the forwarder with the first IP address associated with the domain
name, it waits a short period for an answer from that forwarder (according to the DNS server's time out
setting) before resuming the forwarding operation with the next IP address associated with the domain
name. It continues this process until it receives an affirmative answer from a forwarder.
Unlike conventional client resolution, where a roundtrip time (RTT) is associated with each server, the IP
addresses in the forwarders list are not ordered according to roundtrip time and must be reordered
manually to change preference.
Domain Name Length
When a DNS server configured to use conditional forwarding receives a query for a domain name, it will
compare that domain name with its list of domain name conditions and use the longest domain name
condition that corresponds to the domain name in the query. For example (using Figure 3), the DNS
server receives a query for www.testcenter.research.example.com:
1. It compares that domain name with both example.com and research.example.com.
2. The DNS server determines that research.example.com is the domain name that more closely matches
the domain name in the query.
3. The DNS server forwards the query to the DNS server with the IP address 192.168.200.1, which is
associated with research.example.com.
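The longest-match selection just described, together with the earlier rule that an authoritative server must not forward for its own zone except for delegated sub-zones, as an added Python example (not the page's or Microsoft's code). The forwarder table, zone list and IP addresses are constructed for illustration; the hr.widgets.microsoft.com forwarder entry is an assumption, not something Figure 3 shows.

```python
"""Conditional-forwarder selection (added example; constructed configuration)."""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample table: domain-name condition -> forwarder IPs, tried in order.
FORWARDERS: Dict[str, List[str]] = {
    "example.com": ["192.168.100.1"],
    "research.example.com": ["192.168.200.1", "192.168.200.2"],
    "hr.widgets.microsoft.com": ["10.0.0.5"],   # assumed delegated sub-zone
}
# Zones this server holds authoritative (primary/secondary) data for.
AUTHORITATIVE_ZONES: List[str] = ["widgets.microsoft.com"]
# Sub-zones delegated to other servers; forwarding for these is permitted.
DELEGATED_ZONES: List[str] = ["hr.widgets.microsoft.com"]


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]


def is_within(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it. The comparison is label-wise,
    so 'notexample.com' is NOT within 'example.com'."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def longest_matching_condition(qname: str, conditions: Iterable[str]) -> Optional[str]:
    """Pick the condition with the most labels that the query name falls under."""
    matches = [c for c in conditions if is_within(qname, c)]
    return max(matches, key=lambda c: len(_labels(c))) if matches else None


def select_forwarders(qname: str) -> Tuple[Optional[str], List[str]]:
    """Return (matched condition, forwarder IPs in order) for qname, or
    (None, []) when no condition applies or the server must answer from
    its own authoritative data instead of forwarding."""
    for zone in AUTHORITATIVE_ZONES:
        in_delegated = any(is_within(qname, d) for d in DELEGATED_ZONES)
        if is_within(qname, zone) and not in_delegated:
            return None, []          # authoritative: never forward for own zone
    cond = longest_matching_condition(qname, FORWARDERS)
    return (cond, list(FORWARDERS[cond])) if cond else (None, [])


if __name__ == "__main__":
    for q in ("www.testcenter.research.example.com", "mail.example.com",
              "host.widgets.microsoft.com", "pc1.hr.widgets.microsoft.com",
              "www.example.org"):
        print(f"{q} -> {select_forwarders(q)}")
```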
Forward-only Server
A DNS server can be configured to not perform recursion after the forwarders fail; if it does not get a
successful query response from any of the servers configured as forwarders, then it sends a negative
response to the DNS client.
The option to prevent recursion can be set for each conditional forwarder in Windows .NET Server. For
example, a DNS server can be configured to perform recursion for the domain name
research.example.com, but not to perform recursion for the domain name example.com.
Warning: If you disable recursion on the Advanced tab in DNS server properties, you will not be able to use
forwarders on the same server.
New Registry Keys
This key toggles recursion for a particular domain:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\<zone name>
Name: ForwarderSlave
Type: REG_DWORD
Valid Range: 0x0 (recursion) and 0x1 (no recursion)
This key sets the forwarder timeout for a particular domain:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\<zone name>
Name: ForwarderTimeout
Type: REG_DWORD
Valid Range: any number (seconds)
This key lists the order of forwarders a domain will use:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\<zone name>
Name: MasterServers
Type: REG_SZ
Valid Range: space-separated list of IP addresses, used in order
DNS Group Policies in the Default Domain Policy
1. Primary DNS suffix
Allows you specify a primary DNS suffix for a group of computers and prevents users, including
administrators, from changing it.
2. Dynamic update
Determines if dynamic update is enabled.
3. DNS suffix search list
When this setting is enabled, if a user submits a query for a single-label name, such as widgets, a local
DNS client attaches a suffix, such as microsoft.com, resulting in the query widgets.microsoft.com before
sending the query to a DNS server.
4. Primary DNS suffix devolution
Determines whether the DNS client performs primary DNS suffix devolution in a name resolution process.
5. Register PTR records
Determines whether the registration of PTR resource records is enabled for the computers to which this
policy is applied.
6. Registration refresh interval
Specifies the registration refresh interval of A and PTR resource records for computers to which
this setting is applied. This setting may be applied to computers using dynamic update only.
7. Replace addresses in conflicts
Determines whether a DNS client that attempts to register its A resource record should overwrite
an existing A resource record containing conflicting IP addresses.
8. Register DNS records with connection-specific DNS suffix
Determines if a computer performing dynamic registration may register its A and PTR resource
records with a concatenation of its computer name and a connection-specific DNS suffix.
9. TTL set in the A and PTR records
Specifies the value for the Time-To-Live (TTL) field in A and PTR resource records registered in
the computers to which this setting is applied.
10. Update security level
Specifies whether the computers to which this setting is applied use secure dynamic update or
standard dynamic update to register DNS records.
11. Update top-level domain zones
Specifies whether the computers to which this policy is applied may send dynamic updates to the
zones named with a single label name--also known as top-level domain zones, for example, com.