Académique Documents
Professionnel Documents
Culture Documents
Domain local groups assign access permissions to global domain groups for local domain resources.
Universal groups are allowed only in native-mode Windows Server 2003 environments.
Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
3. What is LSDOU?
It’s group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and
Organizational Units.
4. Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exist, it has the highest
priority among the numerous policies.
5. Where are group policies stored? %SystemRoot%System32\GroupPolicy
6. What is GPT and GPC? Group policy template and group policy container.
7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are in conflict. Which
one has the highest priority? The computer settings take priority.
9. You want to set up remote installation procedure, but do not want the user to gain access
over it. What do you do? gponame–> User Configuration–> Windows Settings–> Remote Installation
Services–> Choice Options is your friend.
10. What’s contained in administrative template conf.adm? Microsoft NetMeeting policies
11.How can you restrict running certain applications on a machine? Via group policy, security
settings for the group, then Software Restriction Policies.
12. You need to automatically install an app, but MSI file is not available. What do you do? A
.zap text file can be used to add applications using the Software Installer, rather than the Windows
Installer.
13. What’s the difference between Software Installer and Windows Installer? The former has
fewer privileges and will probably require user intervention. Plus, it uses .zap files.
14. What can be restricted on Windows Server 2003 that wasn’t there in previous products?
Group Policy in Windows Server 2003 determines a users right to modify network and dial-up TCP/IP
properties. Users may be selectively restricted from modifying their IP address and other network
configuration parameters.
15. How frequently is the client policy refreshed? 90 minutes give or take.
16. Where is secedit? It’s now gpupdate.
17. You want to create a new group policy but do not wish to inherit. Make sure you check Block
inheritance among the options when creating the policy.
18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored
in maintained portions of the Registry. If the group policy is removed or changed, the user preference will
persist in the Registry.
19. How do you fight tattooing in NT/2000 installations? You can’t.
20. How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates -
System - Group Policy - enable - Enforce Show Policies Only.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for
users, particularly those who move between workstations or those who must periodically work offline.
22. What’s the major difference between FAT and NTFS on a local machine? FAT and FAT32
provide no security over locally logged-on users. Only native NTFS provides extensive permission control
on both remote and local files.
23. How do FAT and NTFS differ in approach to user shares? They don’t, both have support for
sharing.
24. Explan the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but
not inherited by files within a folder. However, newly created subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to read it. Can he
access it? It is possible for a user to navigate to a file for which he does not have folder permission. This
involves simply knowing the path of the file object. Even if the user can’t drill down the file/folder tree
using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The
best way to start would be to type the full path of a file into Run… window.
26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive, if at
least one group has Allow permission for the file/folder, user will have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive, if at
least one group has Deny permission for the file/folder, user will be denied access, regardless of other
group permissions.
28. What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$,
NETLOGON, print$ and SYSVOL.
29. What’s the difference between standalone and fault-tolerant DFS (Distributed File System)
installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a
shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared
resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to
other domain controllers. Thus, redundant root nodes may include multiple connections to the same data
residing in different shared folders.
30. We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use
the UNC path, not client, only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In
Partition Knowledge Table, which is then replicated to other domain controllers.
32. Can you use Start->Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the redundant copies of the
file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one
file will be propagated through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a
standalone one.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric.
36. How does Windows 2003 Server try to prevent a middle-man attack on encrypted line? Time
stamp is attached to the initial client request, encrypted with the shared key.
37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security’s Message
Digest 5 (MD5), produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), produces a 160-bit
hash.
38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows
Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to
exchange CA certificates with third-party certificate authorities.
39. What’s the number of permitted unsuccessful logons on Administrator account? Unlimited.
Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators
group.
40. If hashing is one-way function and Windows Server uses hashing for storing passwords,
how is it possible to attack the password lists, specifically the ones using NTLMv1? A cracker
would launch a dictionary attack by hashing every imaginable term used for password and then compare
the hashes.
41. What’s the difference between guest accounts in Server 2003 and other editions? More
restrictive in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce Password
History Remembered"? User’s last 6 passwords.
What is LDAP?
LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and
other programs use to look up information from a server
Can you connect Active Directory to other 3rd-party Directory Services? Name a few
options.
Yes, you can use dirXML or LDAP to connect to other directories (ie. E-
directory from Novell).
Where is the AD database held? What other folders are related to AD?
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K
records the transaction in the log file (edb.log). Once written to the log file, the change is
then written to the AD database. System performance determines how fast the system
writes the data to the AD database from the log file. Any time the system is shut down, all
transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial
size of each is 10MB. These files are used to ensure that changes can be written to disk
should the system run out of free disk space. The checkpoint file (edb.chk) records
transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown"
statement is written to the edb.chk file. Then, during a reboot, AD determines that all
transactions in the edb.log file have been committed to the AD database. If, for some
reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD
will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file
is located in\NTDS, along with the other files we've discussed
The Sysvol folder on a Windows domain controller is used to replicate file-based data
among domain controllers. Because junctions are used within the Sysvol folder structure,
Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout
a Windows distributed file system (DFS) forest.
This is a quote from microsoft themselves, basically the domain controller info stored in
files like your group policy stuff is replicated through this folder structure
Schema NC This NC is replicated to every other domain controller in the forest. It contains
information about the Active Directory schema, which in turn defines the different object
classes and attributes within Active Directory.
Configuration NC Also replicated to every other DC in the forest, this NC contains forest-
wide configuration information pertaining to the physical layout of Active Directory, as
well as information about display specifiers and forest-wide Active Directory quotas.
Application directory partitions are usually created by the applications that will use them
to store and replicate data. For testing and troubleshooting purposes, members of the
Enterprise Admins group can manually create or manage application directory partitions
using the Ntdsutil command-line tool.
When you create an application directory partition, you are creating the first instance of
this partition. You can create an application directory partition by using the create nc
option in the domain management menu of Ntdsutil. When creating an application
directory partition using LDP or ADSI, provide a description in the description attribute of
the domain DNS object that indicates the specific application that will use the partition.
For example, if the application directory partition will be used to store data for a Microsoft
accounting program, the description could be Microsoft accounting application. Ntdsutil
does not facilitate the creation of a description.
The global catalog is a distributed data repository that contains a searchable, partial
representation of every object in every domain in a multidomain Active Directory forest.
The global catalog is stored on domain controllers that have been designated as global
catalog servers and is distributed through multimaster replication. Searches that are
directed to the global catalog are faster because they do not involve referrals to different
domain controllers.
The global catalog provides the ability to locate objects from any domain without having to
know the domain name. A global catalog server is a domain controller that, in addition to
its full, writable domain directory partition replica, also stores a partial, read-only replica
of all other domain directory partitions in the forest. The additional domain directory
partitions are partial because only a limited set of attributes is included for each object. By
including only the attributes that are most used for searching, every object in every domain
in even the largest forest can be represented in the database of a single global catalog
server.
How do you view all the GCs in the forest?
C:\>repadmin /showreps
domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.%USERDNSDOMAIN%
With too many DCs are configured to become the GC servers, it will cause the replication
overhead between the DCs across the forest.
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> add snapin --> add Active directory schema
name it as schema.msc
· ADSIEDIT.MSC
REPADMIN
A Site object in Active Directory represents a physical geographic location that hosts networks.
Sites contain objects called Subnets.[3] Sites can be used to Assign Group Policy Objects, facilitate
the discovery of resources, manage active directory replication, and manage network link traffic.
Sites can be linked to other Sites. Site-linked objects may be assigned a cost value that represents
the speed, reliability, availability, or other real property of a physical resource. Site Links may also
be assigned a schedule.
The KCC analyzes the replication topology within a site every 15 minute to ensure that it
still works. If you add or remove a domain controller from the network or a site, the KCC
reconfigures the topology to relect the change.
Windows 2000 Domain controllers each create Active Directory Replication connection objects
representing inbound replication from intra-site replication partners. For inter-site replication,
one domain controller per site has the responsibility of evaluating the inter-site replication
topology and creating Active Directory Replication Connection objects for appropriate bridgehead
servers within its site. The domain controller in each site that owns this role is referred to as the
Inter-Site Topology Generator (ISTG).
· A NIC
· Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
What can you do to promote a server to DC if you're in a remote location with slow WAN
link?
First available in Windows 2003, you will create a copy of the system state from an existing DC
and copy it to the new remote server. Run "Dcpromo /adv". You will be prompted for the location
of the system state files
How can you forcibly remove AD from a server, and what do you do later? • Can I get user
passwords from the AD database?
Demote the server using dcpromo /forceremoval, then remove the metadata from Active
directory using ndtsutil. There is no way to get user passwords from AD that I am aware
of, but you should still be able to change them.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
c. Type ServerNT in the Value data box, and then click OK.
its a member server now but AD entries are still there. Promote teh server to a fake domain
say ABC.com and then remove gracefully using DCpromo. Else after restart you can also
use ntdsutil to do metadata as told in teh earlier post
What tool would I use to try to grab security related packets from the wire?
sniffer-detecting tools
Applying Group Policy An OU is the lowest-level Active Directory container to which you
can assign Group Policy settings.
The number of days before a deleted object is removed from the directory services. This
assists in removing objects from replicated servers and preventing restores from
reintroducing a deleted object. This value is in the Directory Service object in the
configuration NIC
If you plan to install windows 2003 server domain controllers into an existing windows
2000 domain or upgrade a windows 2000 domain controllers to windows server 2003, you
first need to run the Adprep.exe utility on the windows 2000 domain controllers currently
holding the schema master and infrastructure master roles. The adprep / forestprer
command must first be issued on the windows 2000 server holding schema master role in
the forest root doman to prepare the existing schema to support windows 2003 active
directory. The adprep /domainprep command must be issued on the sever holding the
infrastructure master role in the domain where 2000 server will be deployed
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1
installed, you require only the second R2 CD-ROM. Insert the second CD and the
r2auto.exe will display the Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the schema to
the R2 version (this is a minor change and mostly related to the new Dfs replication
engine). To update the schema, run the Adprep utility, which you'll find in the
Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure
all DCs are running Windows 2003 or Windows 2000 with SP2 (or later). Here's a sample
execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be
upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000
SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential
domain controller corruption.
For more information about preparing your forest and domain see KB article Q3311 61 at
http://support.microsoft.com.
[User Action] If ALL your existing Windows 2000 domain controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type any other key and
press ENT ER to quit.
The command has completed successfully Adprep successfully updated the forest-wide
information.
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figureshows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing
Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a
regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The
license key entered for R2 must match the underlying OS type, which means if you
installed Windows 2003 using a volume-license version key, then you can't use a
retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be performed
(e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish
When it comes to choosing a scripting tool for Active Directory objects, you really are
spoilt for choice. The the DS family of built-in command line executables offer alternative
strategies to CSVDE, LDIFDE and VBScript.
12345
Tool object "DN" (as in LDAP distinguished name) -switch value For example:
DSadd user "cn=billy, ou=managers, dc=cp, dc=com" -pwd cX49pQba
This will add a user called Billy to the Managers OU and set the password to cx49Qba
Here are some of the common DS switches which work with DSadd and DSmod
-pwd (password) -upn (userPrincipalName) -fn (FirstName) -samid (Sam account name).
The best way to learn about this DS family is to logon at a domain controller and
experiment from the command line. I have prepared examples of the two most common
programs. Try some sample commands for DSadd.
Ldifde
Ldifde creates, modifies, and deletes directory objects on computers running Windows
Server 2003 operating systems or Windows XP Professional. You can also use Ldifde to
extend the schema, export Active Directory user and group information to other
applications or services, and populate Active Directory with data from other directory
services.
The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format
that may be used for performing batch operations against directories that conform to the
LDAP standards. LDIF can be used to export and import data, allowing batch operations
such as add, create, and modify to be performed against the Active Directory. A utility
program called LDIFDE is included in Windows 2000 to support batch operations based
on the LDIF file format standard. This article is designed to help you better understand
how the LDIFDE utility can be used to migrate directories.
http://support.microsoft.com/kb/237677
Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files that
store data in the comma-separated value (CSV) format. You can also support batch
operations based on the CSV file format standard.
Csvde is a command-line tool that is built into Windows Server 2008 in the/system32
folder. It is available if you have the AD DS or Active Directory Lightweight Directory
Services (AD LDS) server role installed. To use csvde, you must run the csvde command
from an elevated command prompt. To open an elevated command prompt, click Start,
right-click Command Prompt, and then click Run as administrator.
What are the FSMO roles? Who has them by default? What happens when each one fails?
It has 5 Roles: -
Schema Master:
The schema master domain controller controls all updates and modifications to the
schema. Once the Schema update is complete, it is replicated from the schema
master to all other DCs in the directory. To update the schema of a forest, you must
have access to the schema master. There can be only one schema master in the
whole forest.
The domain naming master domain controller controls the addition or removal of
domains in the forest. This DC is the only one that can add or remove a domain
from the directory. It can also add or remove cross references to domains in
external directories. There can be only one domain naming master in the whole
forest.
Infrastructure Master:
The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. When a DC creates a security principal object
such as a user or group, it attaches a unique Security ID (SID) to the object. This
SID consists of a domain SID (the same for all SIDs created in a domain), and a
relative ID (RID) that is unique for each security principal SID created in a domain.
Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the
security principals it creates. When a DC's allocated RID pool falls below a
threshold, that DC issues a request for additional RIDs to the domain's RID master.
The domain RID master responds to the request by retrieving RIDs from the
domain's unallocated RID pool and assigns them to the pool of the requesting DC.
At any one time, there can be only one domain controller acting as the RID master
in the domain.
PDC Emulator:
I want to look at the RID allocation table for a DC. What do I do?
What's the difference between transferring a FSMO role and seizing one? Which one should
you NOT seize? Why?
How do you configure a "stand-by operation master" for any of the roles?
What are the GPC and the GPT? Where can I find them?
How can you determine what GPO was and was not applied for a user? Name a few ways to
do that.
A user claims he did not receive a GPO, yet his user and computer accounts are in the right
OU, and everyone else there gets the GPO. What will you look for?
You want to standardize the desktop environments (wallpaper, My Documents, Start menu,
printers etc.) on the computers in one department. How would you do that?
1. How do you double-boot a Win 2003 server box? The Boot.ini file is set as read-only,
system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and
default settings, use the System option in Control Panel from the Advanced tab and select
Startup.
2. What do you do if earlier application doesn’t run on Windows Server 2003? When
an application that ran on an earlier legacy version of Windows cannot be loaded during
the setup function or if it later malfunctions, you must run the compatibility mode
function. This is accomplished by right-clicking the application or setup program and
selecting Properties –> Compatibility –> selecting the previously supported operating
system
1. What snap-in administrative tools are available for Active Directory? Active Directory
Domains and Trusts Manager, Active Directory Sites and Services Manager, Active
Directory Users and Group Manager, Active Directory Replication (optional, available from
the Resource Kit), Active Directory Schema Manager (optional, available from adminpak)
2. What types of classes exist in Windows Server 2003 Active Directory?
o Structural class. The structural class is important to the system administrator in that
it is the only type from which new Active Directory objects are created. Structural
classes are developed from either the modification of an existing structural type or the
use of one or more abstract classes.
1. What is presentation layer responsible for in the OSI model? The presentation layer
establishes the data format prior to passing it along to the network application’s interface.
TCP/IP networks perform this task at the application layer.
2. Does Windows Server 2003 support IPv6? Yes, run ipv6.exe from command line to
disable it.
3. Can Windows Server 2003 function as a bridge? Yes, and it’s a new feature for the
2003 product. You can combine several networks and devices connected via several
adapters by enabling IP routing.
Every forest starts with a single domain. The maximum number of users that a single domain forest can contain is
based on the slowest link that must accommodate replication between domain controllers and the available
bandwidth that you want to allocate to Active Directory. Table 2.4 lists the maximum recommended number of
users that a domain can contain based on a single domain forest, the speed of the slowest link and the percentage
of bandwidth you want to reserve for replication. This information applies to forests that contain a maximum of
100,000 users and that have a connectivity of 28.8 Kilobits per second (Kbps) or higher.
Note
For recommendations that apply to forests that contain more than 100,000 users or connectivity of less
than 28.8 Kbps, consult an experienced Active Directory designer.
Table 2.4 Maximum Number of Users in a Single Domain
1. In the Slowest Link Connecting a Domain Controller column, locate the value that matches the speed of
the slowest link across which Active Directory will replicate in your domain.
2. In the row that corresponds to your slowest link speed, locate the column that represents the percentage
bandwidth you want to allocate to Active Directory. The value at that location is the maximum number of
users that the domain in a single domain forest can contain.
The values in Table 2.4 are based on the replication traffic generated in an environment that has the following
characteristics: