● What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic
engineering is not required. It establishes LSPs that follow the existing IP routing, and is
particularly well suited for establishing a full mesh of LSPs between all of the routers on
the network.
ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level
editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network
administrators can use it for common administrative tasks such as adding, deleting, and
moving objects within a directory service. The attributes for each object can be edited
or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces
(APIs) to access Active Directory. The following files are required for using this tool:
ADSIEDIT.DLL and ADSIEDIT.MSC
Install from Media
In Windows Server 2003 a new feature has been added, and this time it's one that will
actually make our lives easier... You can promote a domain controller using files backed
up from a source domain controller!!!
This feature is called "Install from Media" and it's available by running DCPROMO with
the /adv switch. It's not a replacement for network replication, we still need network
connectivity, but now we can use an old System State copy from another Windows
Server 2003 DC, copy it to our future DC, and have the first and basic replication take
place from the media instead of across the network, thus saving valuable time and
network resources.
What you basically have to do is to back up the System State data of an existing domain
controller, restore that backup to your replica candidate, and use DCPromo /Adv to tell it
to source from local media rather than from a network source.
This also works for global catalogs. If we perform a backup of a global catalog server,
then we can create a new global catalog server by performing DCPromo from that
restored media.
IFM Limitations
It only works for the same domain, so you cannot back up a domain controller in
domain A and create a new domain B using that media.
It's only useful up to the tombstone lifetime with a default of 60 days. So if you have
an old backup, then you cannot create a new domain controller using that, because
you'll run into the problem of reanimating deleted objects.
Answer Link: http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm
● How can you forcibly remove AD from a server, and what do you do later?
Demoting Windows Server 2003 DCs: DCPROMO (Active Directory Installation Wizard) is a
toggle switch, which allows you to either install or remove Active Directory DCs. To forcibly
demote a Windows Server 2003 DC, run the following command either at the Start, Run, or
at the command prompt:
dcpromo /forceremoval
Note: If you're running Certificate Services on the DC, you must first remove Certificate
Services before continuing. If you specify the /forceremoval switch on a server that doesn't
have Active Directory installed, the switch is ignored and the wizard pretends that you
want to install Active Directory on that server.
Once the wizard starts, you will be prompted for the Administrator password that you want
to assign to the local administrator in the SAM database. If you have Windows Server 2003
Service Pack 1 installed on the DC, you'll benefit from a few enhancements. The wizard
will automatically run certain checks and will prompt you to take appropriate actions. For
example, if the DC is a Global Catalog server or a DNS server, you will be prompted. You
will also be prompted to take an action if your DC is hosting any of the operations master
roles.
Demoting Windows 2000 DCs: On a Windows 2000 domain controller, forced demotion
is supported with Service Pack 2 and later. The rest of the procedure is similar to the
procedure I described for Windows Server 2003. Just make sure that while running the
wizard, you clear the "This server is the last domain controller in the domain" check box.
On Windows 2000 Servers you won't benefit from the enhancements in Windows Server 2003
SP1, so if the DC you are demoting is a Global Catalog server, you may have to manually
promote some other DC to a Global Catalog server.
Cleaning the Metadata on a Surviving DC: Once you've successfully demoted the DC, your
job is not quite done yet. Now you must clean up the Active Directory metadata. You may
be wondering why you need to clean the metadata manually. The metadata for the demoted
DC is not deleted from the surviving DCs because you forced the demotion. When you force
a demotion, Active Directory basically ignores other DCs and does its own thing. Because
the other DCs are not aware that you removed the demoted DC from the domain, the
references to the demoted DC need to be removed from the domain.
Although Active Directory has made numerous improvements over the years, one of the
biggest criticisms of Active Directory is that it doesn't clean up the mess very well. This is
obvious in most cases but, in other cases, you won't know it unless you start digging deep
into Active Directory database.
To clean up the metadata you use NTDSUTIL. The following procedure describes how to
clean up metadata on a Windows Server 2003 SP1. According to Microsoft, the version of
NTDSUTIL in SP1 has been enhanced considerably and does a much better job of clean-up,
which obviously means that the earlier versions didn't do a very good job. For Windows
2000 DCs, you might want to check out Microsoft Knowledge Base article 216498, "How to
remove data in Active Directory after an unsuccessful domain controller demotion."
Here’s the step-by-step procedure for cleaning metadata on Windows Server 2003 DCs:
1. Logon to the DC as a Domain Administrator.
2. At the command prompt, type ntdsutil.
3. Type metadata cleanup.
4. Type connections.
5. Type connect to server servername, where servername is the name of the server you
want to connect to.
6. Type quit or q to go one level up. You should be at the Metadata Cleanup prompt.
7. Type select operation target.
8. Type list domains. You will see a list of domains in the forest, each with a different
number.
9. Type select domain number, where number is the number associated with the domain
of your server.
10. Type list sites.
11. Type select site number, where number is the number associated with the site of your
server.
12. Type list servers in site.
13. Type select server number, where number is the number associated with the server you
want to remove.
14. Type quit to go to Metadata Cleanup prompt.
15. Type remove selected server. You should see a confirmation that the removal
completed successfully.
16. Type quit to exit ntdsutil.
You might also want to clean up the DNS database by deleting all DNS records related to the
server.
In general, you will have better luck using forced demotion on Windows Server 2003,
because the naming contexts and other objects don't get cleaned as quickly on Windows
2000 Global Catalog servers, especially servers running Windows 2000 SP3 or earlier. Due to
the nature of forced demotion and the fact that it's meant to be used only as a last resort,
there are additional things that you should know about forced demotion.
Even after you've used NTDSUTIL to clean the metadata, you may still need to do additional
cleaning manually using ADSIEdit or other such tools. You might want to check out
Microsoft's Knowledge Base article 332199, "Domain controllers do not demote gracefully
when you use the Active Directory Installation Wizard to force demotion in Windows Server
2003 and in Windows 2000 Server," for more information.
Read original full answer at http://redmondmag.com/columns/print.asp?EditorialsID=1352
And best read this also: http://www.petri.co.il/forcibly_removing_active_directoy_from_dc.htm
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be
upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2
(or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential
domain controller corruption.
For more information about preparing your forest and domain see KB article Q331161
at http://support.microsoft.com.
[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type
C and then press ENTER to continue. Otherwise, type any other key and press ENTER
to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.....................................................
......................................................
139 entries modified successfully.
DSmod
Adding objects is great, but there are times in Windows 2003 when you need to change the
Active Directory properties.
Scenario: you wish to quickly change a user's password. This is a task you are going to have
to do regularly, and you would like to be able to do it quickly from the command line. Let us
now modify the user's password with DSmod.
Introduction to DSadd
DSadd is the most important member of this DS scripting family. The primary use of DSadd
is to quickly add user accounts to Windows Server 2003 Active Directory. However, you can
also use this method to create OUs, computers, groups, or even contacts.
Example 2 Employing DSadd to Create a User. (Assumes you have completed Example 1)
The purpose of this example is to create a new user in an OU called guyds.
Preparation:
Logon to your domain controller.
Examine the script below. Decide if cn= or ou= or dc= need editing.
Run, CMD then copy your script and paste into the command window. Alternatively type it
starting with dsadd user .........
DS Error Messages
DS has its own family of error messages. I found that they are specific and varied, just
remember to pay attention to detail. READ ERROR MESSAGES SLOWLY.
New DS built-in tools for Windows Server 2003
At last I have found a really useful member of the DS family of utilities. If I need to find a
user quickly from the command prompt, I call for DSQuery.
Learning Points
Note 1: dc does NOT mean domain controller, it means domain context.
Note 2: The dc commands are not case sensitive, but they dislike spaces.
dc=mydom, dc=com will draw an error.
Note 3: If you haven't got any OUs (Organizational Units), I seriously suggest that you
create some to organize your users.
Note 4: Best of all, in this scenario, you can substitute domainroot for dc=cp.
Example 2 - To find all users in the default Users folder with DSQuery
In this example we just want to trawl the users folder and find out who is in that container.
Commands: dsquery user cn=users,dc=cp,dc=com
Learning Points
Note 1: The default users' folder is actually a container object called cn=users. My point is
if you try ou=users, the command fails.
Note 2: I queried users, however dsquery requires the singular user, not userS. Other
objects that you can query are computer (not computers!), group or even contact.
Challenge 1: Substitute OU=xyz for cn=users, where xyz is the name of your OU.
Unfortunately, cn=users domainroot does not work.
Challenge 2: Substitute computer for user
Learning Points
Note 1: Amazingly, dsquery server, the simplest command, gets the job done.
Note 2: I thank Jim D for pointing out that what we want here is the singular 'server'.
Learning Points
Note 1: The command is -hasfsmo (with a plain hyphen), not the en-dash form –hasfsmo that appears in some documents.
Example 5 - DSQuery to find all users whose name begins with smith*
This DSQuery example shows two ways to filter your output and so home in on what you are
looking for. Let us pretend that we know the user's name but have no idea which OU they
are to be found. Moreover, we are not sure whether their name is spelt Smith, Smithy or
Smithye.
Commands :
dsquery user domainroot -name smith*
or
dsquery user dc=cp,dc=com -name smith*
or plain
dsquery user smith*
Learning Points
Note 1: Remember to type the singular user.
Note 2: Probably no need to introduce *, you probably realize it's a wildcard.
Note 3: -name is but one of a family of filters. -desc or -disabled are others.
Learning Points
Note 1: o is the letter oh (not a number). In my mind's eye o stands for output.
Note 2: There is a switch -o dn, but this is not a switch I use.
Summary - DSQuery
Knowledge is power. The DS family in general and DSQuery in particular, are handy
commands for interrogating Active Directory from the command line. Perhaps the day will
come when you need to find a user, computer or group without calling for the Active Users
and Computers GUI.
DSGet
DSGet is a logical progression from DSQuery. The idea is that when DSQuery returns a list
of objects, DSGet can interrogate those objects for extra properties such as, description,
manager or department. Naturally this pre-supposes you entered the relevant information
in the user's properties sheet!
Introduction to DSGet
My assumption is that you are comfortable with DSQuery, if this is not the case take the
time to have a refresher
Next a reminder to pay close attention to DS syntax. In this instance what we need is a
pipe symbol ( | ) to join DSQuery with DSGet. Just to be clear, you type this pipe (|) with
the shift key and the key next to the Z. (A colon : would produce an error).
Example 1 To Check that DSQuery is working
Let's build a solid foundation with a DSQuery (only found on a Windows Server 2003 DC).
Commands:
dsquery user domainroot -name smith*
or
dsquery user -name smith*
Learning Points
Note 1: You need a Windows Server 2003 machine. Perhaps you could remote desktop into
such a server?
Note 2: Feel free to change smith* to one of your users. Better still, create a test account
and start filling in those user properties.
Note 3: This example is just to build a foundation. Now let us move on to DSGet.
Learning Points
Note 1: To read the file type, notepad dsget.txt
Note 2: I am impressed by the column format of the output
I would like to leave you with a few more DSGet objects that you can interrogate or
experiment with. In addition to user, there are the following DSGet commands:
computer, server (meaning DC), ou, group, and even site and subnet.
Note. There are also two commands called partition and quota, however, in the context
of DSGet, partition and quota refer to Active Directory, not disk. For example, the
application partition in Active Directory. Tell the truth, it was a big disappointment
that DSGet did not return the disk information, but on reflection I was expecting the
impossible. DSGet partition means Active Directory partition.
Summary - DSGet
As far as DSGet is concerned, I have come from Philistine to champion. Now I really enjoy
the challenge of DSGet and appreciate the way it works hand in glove with DSQuery. It also
reminds me of that old truism: the more you know, the easier it gets.
● What's the difference between LDIFDE and CSVDE? Usage considerations?
CSVDE is a command that can be used to import and export objects to and from the AD into
a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel.
I will not go at length into this powerful command, but I will show you some basic samples
of how to import a large number of users into your AD. Of course, as with the DSADD
command, CSVDE can do more than just import users. Consult your help file for more info.
Like CSVDE, LDIFDE is a command that can be used to import and export objects to and
from the AD into a LDIF-formatted file. A LDIF (LDAP Data Interchange Format) file is a
file easily readable in any text editor; however it is not readable in programs like Excel.
The major difference between CSVDE and LDIFDE (besides the file format) is the fact that
LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can
only import and export objects.
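As an added example (not code from the page, nor from Microsoft's csvde/ldifde tools), the Python below writes one constructed set of user accounts in CSVDE-style CSV and in LDIFDE-style LDIF, then produces the LDIF modify and delete change records that the CSV import format has no way to express. The domain cp.com, the OU guyds and the user values are constructed sample data.

```python
# Added example: the same users as CSVDE-style CSV and LDIFDE-style LDIF, plus
# LDIF change records (modify/delete) that CSVDE cannot carry.
# BASE_DN, UPN_SUFFIX and USERS are constructed sample data, not from any real domain.
import csv
import io

BASE_DN = "ou=guyds,dc=cp,dc=com"   # constructed: the OU name used in the page's DSadd example
UPN_SUFFIX = "cp.com"               # constructed: matches dc=cp,dc=com

USERS = [  # constructed sample accounts
    {"cn": "Alice Smith", "sAMAccountName": "asmith", "givenName": "Alice", "sn": "Smith"},
    {"cn": "Bob Smithy", "sAMAccountName": "bsmithy", "givenName": "Bob", "sn": "Smithy"},
]

CSV_HEADER = ["DN", "objectClass", "cn", "sAMAccountName", "givenName", "sn",
              "userPrincipalName"]


def user_dn(user):
    return f"cn={user['cn']},{BASE_DN}"


def to_csvde(users):
    """CSVDE-style file: a header row naming the attributes, then one row per object.
    The DN itself contains commas, so the csv module quotes that field."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(CSV_HEADER)
    for u in users:
        writer.writerow([user_dn(u), "user", u["cn"], u["sAMAccountName"],
                         u["givenName"], u["sn"], f"{u['sAMAccountName']}@{UPN_SUFFIX}"])
    return buf.getvalue()


def parse_csvde(text):
    """Read a CSVDE-style file back into a list of {column: value} dicts."""
    return list(csv.DictReader(io.StringIO(text, newline="")))


def ldif_add(user):
    """LDIF record that creates one user object (changetype: add)."""
    lines = [
        f"dn: {user_dn(user)}",
        "changetype: add",
        "objectClass: user",
        f"cn: {user['cn']}",
        f"sAMAccountName: {user['sAMAccountName']}",
        f"givenName: {user['givenName']}",
        f"sn: {user['sn']}",
        f"userPrincipalName: {user['sAMAccountName']}@{UPN_SUFFIX}",
    ]
    return "\n".join(lines) + "\n"


def ldif_modify(dn, attr, value):
    """LDIF record that replaces one attribute on an existing object; '-' closes the change."""
    return f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {value}\n-\n"


def ldif_delete(dn):
    """LDIF record that deletes an existing object."""
    return f"dn: {dn}\nchangetype: delete\n"


def to_ldifde(users):
    """LDIFDE-style file: add records separated by blank lines."""
    return "\n".join(ldif_add(u) for u in users)


def parse_ldif(text):
    """Minimal LDIF reader: one dict per record with dn, changetype and attribute values.
    Records are separated by blank lines; a record without changetype is treated as an add.
    Base64 ('::') values and folded continuation lines are not handled here."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:                      # blank line closes the current record
            if current is not None:
                records.append(current)
                current = None
            continue
        if line == "-":                   # end of one modify operation
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            current = {"dn": value, "changetype": "add", "attrs": {}}
        elif key == "changetype":
            current["changetype"] = value
        else:
            current["attrs"].setdefault(key, []).append(value)
    if current is not None:
        records.append(current)
    return records


def ldif_only_records(records):
    """Records CSVDE cannot carry: anything other than a plain add of a new object."""
    return [r for r in records if r["changetype"] != "add"]
```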
● What are the FSMO roles? Who has them by default? What happens when each one fails?
FSMO Role        Number of DCs holding this role   Original DC holding the FSMO role
Schema           One per forest                    The first DC in the first domain in the forest
                                                   (i.e. the Forest Root Domain)
Domain Naming    One per forest
PDC Emulator
Infrastructure
Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and
Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative
Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press
Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click Close.
Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative
Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation
Masters.
3. When you're done click Close.
Finding the Schema Master via GUI
To find out who currently holds the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click it and press
Operation Masters.
8. Press the Close button.
● I want to look at the RID allocation table for a DC. What do I do?
● What's the difference between transferring a FSMO role and seizing one?
Transferring FSMO Role
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method
called FSMO (Flexible Single Master Operation), as described in Understanding FSMO
Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in
the same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process. However, there are scenarios where an administrator
would want to move one or more of the FSMO roles from the default holder DC to a
different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO
role holder are online and operational is called Transferring, and is described in this
article.
The transfer of an FSMO role is the suggested form of moving a FSMO role between
domain controllers and can be initiated by the administrator or by demoting a
domain controller. However, the transfer process is not initiated automatically by
the operating system, for example a server in a shut-down state. FSMO roles are
not automatically relocated during the shutdown process - this must be considered
when shutting down a domain controller that has an FSMO role for maintenance, for
example.
In a graceful transfer of an FSMO role between two domain controllers, a
synchronization of the data that is maintained by the FSMO role owner to the server
receiving the FSMO role is performed prior to transferring the role to ensure that any
changes have been recorded before the role change.
However, when the original FSMO role holder went offline or became non operational
for a long period of time, the administrator might consider moving the FSMO role from
the original, non-operational holder, to a different DC. The process of moving the
FSMO role from a non-operational role holder to a different DC is called Seizing, and is
described in the Seizing FSMO Roles article.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using
an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can
use one of the following three MMC snap-in tools:
● Active Directory Schema snap-in
● Active Directory Domains and Trusts snap-in
● Active Directory Users and Computers snap-in
To transfer the FSMO role the administrator must be a member of the following group:
PDC Emulator
Infrastructure
Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master
FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative
Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click
the icon next to Active Directory Users and Computers and press Connect to Domain
Controller.
3. Select the domain controller that will be the new role holder, the target, and press
OK.
4. Right-click the Active Directory Users and Computers icon again and press Operation
Masters.
5. Select the appropriate tab for the role you wish to transfer and press the Change
button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Domain Naming Master via GUI
To Transfer the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative
Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click
the icon next to Active Directory Domains and Trusts and press Connect to Domain
Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press Operation
Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Schema Master via GUI
To Transfer the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool,
type ?, and then press ENTER.
1. Type connections, and then press ENTER.
2. Type connect to server <servername>, where <servername> is the name of the
server you want to use, and then press ENTER.
1. At the server connections: prompt, type q, and then press ENTER again.
1. Type transfer <role>, where <role> is the role you want to transfer.
For example, to transfer the RID Master role, you would type transfer rid master:
Options are:
1. You will receive a warning window asking if you want to perform the transfer.
Click on Yes.
2. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
3. Restart the server and make sure you update your backup.
Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original
domain controller must not be activated in the forest again. It is necessary to reinstall
Windows if these servers are to be used again.
The following table summarizes the FSMO seizing restrictions:
Domain Naming
RID
Infrastructure
Another consideration before performing the seize operation is the administrator's group membership,
as this table lists:
PDC Emulator
Infrastructure
Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize
all roles. Determine which roles are to be on which remaining domain controllers so that all five roles
are not on only one server.
1. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
2. After you seize or transfer the roles, type q, and then press ENTER until you quit the
Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global
Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object
information because it does not contain any references to objects that it does not hold. This is because
a GC server holds a partial replica of every object in the forest.
Better look of this answer can be found at
http://www.petri.co.il/seizing_fsmo_roles.htm
● Which FSMO role should you NOT seize? Why?
● How do you configure a "stand-by operation master" for any of the roles?
● How do you backup AD?
● How do you restore AD?
● How do you change the DS Restore admin password?
● Why can't you restore a DC that was backed up 4 months ago?
● What are GPOs?
● What is the order in which GPOs are applied?
● Name a few benefits of using GPMC.
● What are the GPC and the GPT? Where can I find them?
● What are GPO links? What special things can I do to them?
● What can I do to prevent inheritance from above?
● How can I override blocking of inheritance?
● How can you determine what GPO was and was not applied for a user? Name a few
ways to do that.
● A user claims he did not receive a GPO, yet his user and computer accounts are in the
right OU, and everyone else there gets the GPO. What will you look for?
● Name a few differences in Vista GPOs
● Name some GPO settings in the computer and user parts.
● What are administrative templates?
● What's the difference between software publishing and assigning?
● Can I deploy non-MSI software with GPO?
● You want to standardize the desktop environments (wallpaper, My Documents, Start
menu, printers etc.) on the computers in one department. How would you do that?
Source: http://www.petri.co.il/mcse_system_administrator_active_directory_interview_questions.htm
Windows Server 2003 Active Directory and Security questions
What’s the difference between local, global and universal groups?
Domain local groups assign access permissions to global domain groups for local domain
resources. Global groups provide access to resources in other trusted domains. Universal groups
grant access to resources in all trusted domains.
What is LSDOU?
It’s group policy inheritance model, where the policies are applied to Local machines, Sites,
Domains and Organizational Units.
You change the group policies, and now the computer and user settings are in conflict. Which
one has the highest priority?
The computer settings take priority.
You want to set up remote installation procedure, but do not want the user to gain access over
it. What do you do?
gponame > User Configuration > Windows Settings > Remote Installation Services > Choice
Options is your friend.
You need to automatically install an app, but MSI file is not available. What do you do?
A .zap text file can be used to add applications using the Software Installer, rather than the
Windows Installer.
What can be restricted on Windows Server 2003 that wasn’t there in previous products?
Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up
TCP/IP properties. Users may be selectively restricted from modifying their IP address and
other network configuration parameters.
Where is secedit?
It’s now gpupdate.
You want to create a new group policy but do not wish to inherit. Make sure you check Block
inheritance among the options when creating the policy.
What’s the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides
extensive permission control on both remote and local files.
I have a file to which the user has access, but he has no folder permission to read it. Can he
access it?
It is possible for a user to navigate to a file for which he does not have folder permission. This
involves simply knowing the path of the file object. Even if the user can't drill down the
file/folder tree using My Computer, he can still gain access to the file using the Universal Naming
Convention (UNC). The best way to start would be to type the full path of a file into the Run...
window.
What’s the difference between standalone and fault-tolerant DFS (Distributed File System)
installations?
The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a
shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the
shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory,
which is replicated to other domain controllers. Thus, redundant root nodes may include
multiple connections to the same data residing in different shared folders.
We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the
UNC path, not client, only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a
standalone one.
How does Windows 2003 Server try to prevent a middle-man attack on encrypted line?
Time stamp is attached to the initial client request, encrypted with the shared key.
What third-party certificate exchange protocols are used by Windows 2003 Server?
Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7
certificate response to exchange CA certificates with third-party certificate authorities.
If hashing is one-way function and Windows Server uses hashing for storing passwords, how is it
possible to attack the password lists, specifically the ones using NTLMv1?
A cracker would launch a dictionary attack by hashing every imaginable term used for password
and then compare the hashes.
What’s the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.
How many passwords by default are remembered when you check "Enforce Password History
Remembered"?
User’s last 6 passwords.
Active Directory stores and retrieves information from a wide variety of applications and
services.
What is Global Catalog Server?
A global catalog server is a domain controller that holds a master searchable database containing
information about every object in every domain in a forest. The global catalog contains a
complete replica of all objects in Active Directory for its host domain, and contains a partial
replica of all objects in Active Directory for every other domain in the forest. It has two
important functions:
● Provides group membership information during logon and authentication
● Helps users locate resources in Active Directory
What is the ntds.dit file default size?
40 MB
What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
SMTP – 25, POP3 – 110, IMAP4 – 143, RPC – 135, LDAP – 389, Global Catalog - 3268
What is IPv6? Internet Protocol version 6 (IPv6) is a network layer IP standard used by
electronic devices to exchange data across a packet-switched internetwork. It follows IPv4 as
the second version of the Internet Protocol to be formally adopted for general use. An IPv6
address is 128 bits long: eight groups of 16 bits each, written in hexadecimal and separated
with ":". There are three types of address:
1. unicast address
2. multicast address
3. anycast address
The IPv6 loopback address is ::1
How do you double-boot a Win 2003 server box?
The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To
change the Boot.ini timeout and default settings, use the System option in Control Panel from
the Advanced tab and select Startup.
If you uninstall Windows Server 2003, which operating systems can you revert to?
Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows
Server 2003.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller
(BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster
peer-to-peer read and write relationship that hosts copies of the Active Directory.
How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes
include account and individual user lockout policies, changes to password policies, changes to
computer account passwords, and modifications to the Local Security Authority (LSA).
If I delete a user and then create a new account with the same username and password, would
the SID and permissions stay the same?
No. If you delete a user account and attempt to recreate it with the same user name and
password, the SID will be different.
What do you do with secure sign-ons in an organization with many roaming users?
The Credential Management feature of Windows Server 2003 provides a consistent single
sign-on experience for users. This can be useful for roaming users who move between computer
systems. The Credential Management feature provides a secure store of user credentials that
includes passwords and X.509 certificates.
Anything special you should do when adding a user that has a Mac?
"Save password as encrypted clear text" must be selected under Options on the Account tab of
User Properties, since Macs only store their passwords that way.
Where are the documents and settings for the roaming profile stored?
All the documents and environmental settings for the roaming user are stored locally on the
system, and, when the user logs off, all changes to the locally stored profile are copied to
the shared server folder. Therefore, the first time a roaming user logs on to a new system the
logon process may take some time, depending on how large the profile folder is.
Where are the settings for all the users stored on a given machine?
\Documents and Settings\All Users
What languages can you use for log-on scripts?
JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)
What are the differences between a site-to-site VPN and a VPN client connecting to a
VPN server? What protocols are used for these?
EXPERT RESPONSE
Site-to-site VPNs connect entire networks to each other -- for example, connecting a
branch office network to a company headquarters network. In a site-to-site VPN, hosts
do not have VPN client software; they send and receive normal TCP/IP traffic through
a VPN gateway. The VPN gateway is responsible for encapsulating and encrypting
outbound traffic, sending it through a VPN tunnel over the Internet, to a peer VPN
gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts
the content, and relays the packet towards the target host inside its private network.
Remote access VPNs connect individual hosts to private networks -- for example,
travelers and teleworkers who need to access their company's network securely over the
Internet. In a remote access VPN, every host must have VPN client software (more on
this in a minute). Whenever the host tries to send any traffic, the VPN client software
encapsulates and encrypts that traffic before sending it over the Internet to the VPN
gateway at the edge of the target network. Upon receipt, that VPN gateway behaves as
described above for site-to-site VPNs. If the target host inside the private network returns
a response, the VPN gateway performs the reverse process to send an encrypted response
back to the VPN client over the Internet.
The most common secure tunneling protocol used in site-to-site VPNs is the IPsec
Encapsulating Security Payload (ESP), an extension to the standard IP protocol used by
the Internet and most corporate networks today. Most routers and firewalls now support
IPsec and so can be used as a VPN gateway for the private network behind them. Another
site-to-site VPN protocol is Multi-Protocol Label Switching (MPLS), although MPLS
does not provide encryption.
Remote access VPN protocols are more varied. The Point to Point Tunneling Protocol
(PPTP) has been included in every Windows operating system since Windows 95. The
Layer 2 Tunneling Protocol (L2TP) over IPsec is present in Windows 2000 and XP and is
more secure than PPTP. Many VPN gateways use IPsec alone (without L2TP) to deliver
remote access VPN services. All of these approaches require VPN client software on
every host, and a VPN gateway that supports the same protocol and options/extensions for
remote access.
Over the past few years, many vendors have released secure remote access products
that use SSL and ordinary web browsers as an alternative to IPsec/L2TP/PPTP VPNs.
These "SSL VPNs" are often referred to as "clientless," but it is more accurate to say
that they use web browsers as VPN clients, usually in combination with dynamically
downloaded software (Java applet, ActiveX control, or temporary Win32 program that
is removed when the session ends). Also, unlike PPTP, L2TP, and IPsec VPNs, which
connect remote hosts to an entire private network, SSL VPNs tend to connect users to
specific applications protected by the SSL VPN gateway.
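The ESP encapsulation the response describes, as an added Python example that is not part of the expert's answer or of any product: the sending gateway wraps an inner packet in an ESP header and trailer, and the peer gateway verifies the integrity check value and the anti-replay window before stripping the header. It assumes ESP with NULL encryption (RFC 2410) and HMAC-SHA-256-128 integrity so that the structure stays readable; a real tunnel substitutes an encryption or AEAD transform for the null cipher. The SPI, key and inner packet are whatever the caller supplies.

```python
# Added example: ESP framing (RFC 4303) with the NULL cipher and HMAC-SHA-256-128,
# showing encapsulation on one gateway and ICV + anti-replay checks on the peer.
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # Security Parameters Index, sequence number
NEXT_HDR_IPV4 = 4                # tunnel mode: the payload is a whole inner IPv4 packet
ICV_LEN = 16                     # HMAC-SHA-256-128 truncates the tag to 128 bits

def esp_encapsulate(inner_pkt, spi, seq, key):
    """Return SPI | SEQ | payload | pad | pad_len | next_hdr | ICV (payload not encrypted)."""
    pad_len = (-(len(inner_pkt) + 2)) % 4          # trailer must end on a 4-byte boundary
    pad = bytes(range(1, pad_len + 1))             # RFC 4303 default padding pattern 1,2,3..
    body = ESP_HDR.pack(spi, seq) + inner_pkt + pad + struct.pack("!BB", pad_len, NEXT_HDR_IPV4)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

class EspReceiver:
    """Peer gateway: verify the ICV first, then enforce the anti-replay window,
    then unwrap. Sequence numbers start at 1 and must never repeat within an SA."""
    def __init__(self, spi, key, window=64):
        self.spi, self.key, self.window = spi, key, window
        self.highest, self.seen = 0, set()

    def decapsulate(self, pkt):
        if len(pkt) < ESP_HDR.size + 2 + ICV_LEN:
            raise ValueError("truncated ESP packet")
        data, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        spi, seq = ESP_HDR.unpack_from(data)
        if spi != self.spi:
            raise ValueError("no security association for SPI 0x%08x" % spi)
        expect = hmac.new(self.key, data, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expect):   # integrity before any other processing
            raise ValueError("ICV mismatch: packet modified or wrong key")
        if seq == 0 or seq in self.seen or seq + self.window <= self.highest:
            raise ValueError("sequence %d replayed or outside the window" % seq)
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest}   # prune old
        pad_len, next_hdr = data[-2], data[-1]
        if data[-(2 + pad_len):-2] != bytes(range(1, pad_len + 1)):
            raise ValueError("padding does not match the expected pattern")
        return next_hdr, data[ESP_HDR.size:-(2 + pad_len)]
```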