
What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory?

Is there any difference between 2000 Group Policies and 2003 Group Policies? What is meant by ADS and ADS services in Windows 2003?

Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain (see Microsoft's website for more details). Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy; you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference. ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.

What is the difference between ADS and a domain controller?

ADS is the Automated Deployment Service, which is used to quickly image, deploy, and administer servers and domain controllers on a large scale. You can find more information at the ADS Technology Center.


How do I design two Active Directory domains in a client network?

For Windows Server 2003, your best bet is going to be the Deployment Kit. The section on "Deploying Network Services" will assist you in designing and installing your DNS servers, and the section on "Designing and Deploying Directory and Security Services" will assist you with deploying Active Directory and configuring trust relationships.

What is the best way to migrate Exchange 2000 mailboxes to Exchange 2003?

The nice folks at MSExchange.org have put together a pretty detailed tutorial on how to migrate from Exchange 2000 to Exchange 2003 on new hardware. The MSExchange site also hosts online forums that are frequented by Exchange MVPs who can help you with any specific errors that you run into along the way.

I want to setup a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone 'name.org' can I name the AD domain 'name.org' too?

Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself to install DNS on your server in the background.

"Back to group policy for a moment... I understand distributing software packages via the AD infrastructure is also supported. What are the possible deployment targets? Only OUs, or can these packages be targeted at single users or computers, or the entire domain?"

Group Policy can be applied at three levels: sites, domains, or OU's. When planning software deployments we generally deploy them at the OU level. It is possible to filter group policies so that only a single user or a group of users receives the software you are deploying.
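The OU-level link plus security filtering described above, as an added example that is not part of the original page. It assumes the RSAT GroupPolicy module; the GPO name 'Deploy-7Zip', the OU distinguished name and the group name are placeholders for your own environment.

```powershell
# Added example (not from the original page): link a software-deployment GPO at the
# OU level and narrow it with security filtering so only one group applies it.
# Assumptions: RSAT GroupPolicy module; the GPO 'Deploy-7Zip', the OU and the group
# names below are placeholders.
Import-Module GroupPolicy

$GpoName    = 'Deploy-7Zip'
$TargetOU   = 'OU=Workstations,DC=corp,DC=contoso,DC=com'
$ApplyGroup = 'CORP\SW-7Zip-Users'

# 1. Link the GPO at the OU level (the usual target for software deployment).
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# 2. Security filtering: the group gets "Apply Group Policy"; Authenticated Users is
#    reduced from Apply to Read (Read must remain, otherwise clients cannot even
#    evaluate the GPO and the deployment silently stops working).
Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# 3. Show who will actually receive the package after filtering.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { '{0} -> {1}' -f $_.Trustee.Name, $_.Permission }
```

The same filtering works with -TargetType User or Computer to target a single account, but a group keeps the permission set reviewable.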

"Is the extension .com required or necessary in AD naming? Is .you or .org allowable? .com implies an HTTP protocol, doesn't it?"

There are several schools of thought on this. The reality of it is that there is no restriction on what you use for your AD domain names. Many companies use their DNS namespace as a part of their AD domain name root. For example, Contoso might have Contoso.com as their external domain space for their WWW site and other applications, but internally they may have "corp.Contoso.com" as the root of their Active Directory namespace.

"So we might have objects that reside both in OU's and Containers, or can they be present only in one of these at any point in time?"

An object can only reside in ONE OU or container at any time. It can't exist in both places.

Explain Active Directory schema?

The Active Directory schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory. The definitions are themselves stored as objects so that Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory. There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata. Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but is defined once in the schema, assuring consistency.

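To see the "defined once, used by many classes" point in a live directory, here is an added example (not from the original page) that reads the single attributeSchema object for Description and then lists the classSchema objects that reference it. It assumes the RSAT ActiveDirectory module and a reachable domain controller.

```powershell
# Added example (not from the original page): one attribute definition, many classes.
# Assumes the ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# The one attributeSchema object that defines "description" for the whole forest.
$attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=description))' `
        -Properties lDAPDisplayName, attributeSyntax, isSingleValued, rangeUpper
$attr | Select-Object Name, lDAPDisplayName, attributeSyntax, isSingleValued, rangeUpper

# Every class whose mayContain / systemMayContain list references that attribute.
$classes = Get-ADObject -SearchBase $schemaNC `
           -LDAPFilter '(&(objectClass=classSchema)(|(mayContain=description)(systemMayContain=description)))' `
           -Properties lDAPDisplayName

"'{0}' is defined once and referenced by {1} classes, for example:" -f $attr.lDAPDisplayName, @($classes).Count
$classes | Select-Object -First 10 -ExpandProperty lDAPDisplayName
```

Changing the attribute's definition (for example rangeUpper) therefore changes it for every class at once, which is why schema edits are forest-wide and need the Schema master.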

How will you verify whether the AD installation is proper?

1. Verify SRV resource records. After AD is installed, the DC registers SRV records in DNS when it restarts. We can check this using the DNS MMC or the nslookup command.

Using the MMC: if the SRV records are registered, the following folders will be present under the domain folder in the Forward Lookup Zone: _msdcs, _sites, _tcp, _udp.

Using nslookup:

> nslookup
> ls -t SRV <domain>

If the SRV records are properly created, they will be listed.

2. Verify SYSVOL. If the SYSVOL folder is not properly created, data stored in SYSVOL such as scripts, GPOs, etc. will not be replicated between DCs. First verify that the following folder structure is created in SYSVOL: Domain, Staging, Staging areas, Sysvol. Then verify that the necessary shares are created:

> net share

It should show two shares, NETLOGON and SYSVOL.

3. Verify database and log files. Make sure that the following files are present in %systemroot%\ntds: Ntds.dit, Edb.*, Res*.log
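The three checks above scripted as one pass, as an added example that is not part of the original page. It assumes it runs on the newly promoted DC with the Resolve-DnsName and Get-SmbShare cmdlets available (Windows Server 2012 or later); the domain name is read from the environment, and the log-file patterns follow the list above.

```powershell
# Added example (not from the original page): verify SRV records, SYSVOL and the
# NTDS files on a freshly promoted DC. Assumes Server 2012+ cmdlets and runs on the DC.
$domain  = $env:USERDNSDOMAIN.ToLower()
$results = @()

# 1. SRV records that a DC registers on restart (LDAP, Kerberos, and the _msdcs DC record).
foreach ($rec in "_ldap._tcp.$domain", "_kerberos._tcp.$domain", "_ldap._tcp.dc._msdcs.$domain") {
    $srv = Resolve-DnsName -Name $rec -Type SRV -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "SRV $rec"; Ok = [bool]$srv; Detail = ($srv.NameTarget -join ', ') }
}

# 2. SYSVOL folder structure and the two shares it must expose.
$sysvol = Join-Path $env:SystemRoot 'SYSVOL'
foreach ($sub in 'domain', 'staging', 'staging areas', 'sysvol') {
    $p = Join-Path $sysvol $sub
    $results += [pscustomobject]@{ Check = "Folder $p"; Ok = (Test-Path $p); Detail = '' }
}
$shares = Get-SmbShare | Select-Object -ExpandProperty Name
foreach ($s in 'NETLOGON', 'SYSVOL') {
    $results += [pscustomobject]@{ Check = "Share $s"; Ok = ($shares -contains $s); Detail = '' }
}

# 3. Database and log files under %SystemRoot%\NTDS (Res*.log only exists on 2003-era DCs).
$ntds = Join-Path $env:SystemRoot 'NTDS'
foreach ($pattern in 'ntds.dit', 'edb.*', 'edb*.log') {
    $hit = Get-ChildItem -Path $ntds -Filter $pattern -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "File $pattern"; Ok = [bool]$hit; Detail = ($hit.Name -join ', ') }
}

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'One or more checks failed; fix them before joining clients to this DC.'
}
```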

Minimum Requirement for Installing AD?

1. Windows Server, Advanced Server, or Datacenter Server
2. Minimum disk space of 200MB for AD and 50MB for log files
3. NTFS partition
4. TCP/IP installed and configured to use DNS
5. Administrative privilege for creating a domain in an existing network

What is LDAP?

LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths are used to access AD objects and include the following:

- Distinguished names
- Relative Distinguished names
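A small parser that separates a distinguished name into its relative distinguished names, honouring LDAP escaping of commas, is added here as an example; it is not from the original page. The sample DN is constructed, and the function name Split-DistinguishedName is an assumption.

```powershell
# Added example (not from the original page): split a DN into RDNs while honouring
# backslash escaping, then rebuild the parent DN and the domain root.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    $rdns    = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $DN.Length) {
        $c = $DN[$i]
        if ($c -eq '\') {
            # Escaped character: keep the backslash and the character it protects.
            [void]$current.Append($c)
            if ($i + 1 -lt $DN.Length) { $i++; [void]$current.Append($DN[$i]) }
        } elseif ($c -eq ',') {
            # An unescaped comma terminates the current RDN.
            $rdns.Add($current.ToString().Trim()); [void]$current.Clear()
        } else {
            [void]$current.Append($c)
        }
        $i++
    }
    if ($current.Length -gt 0) { $rdns.Add($current.ToString().Trim()) }
    return ,$rdns.ToArray()
}

# Constructed sample: the CN itself contains an escaped comma.
$dn    = 'CN=Smith\, John,OU=Sales,DC=corp,DC=contoso,DC=com'
$parts = Split-DistinguishedName $dn
'RDN (leaf):  {0}' -f $parts[0]                                            # CN=Smith\, John
'Parent DN:   {0}' -f ($parts[1..($parts.Count - 1)] -join ',')            # OU=Sales,DC=corp,...
'Domain root: {0}' -f (($parts | Where-Object { $_ -like 'DC=*' }) -join ',')
```

Naive Split(',') would break the CN in two; anything that builds access-control decisions or audit queries from a DN has to use escape-aware parsing like this.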

What is Native Mode?

Native mode is the domain mode in which all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as Universal groups, nested group membership, and inter-domain group membership.

What is Mixed Mode?

Mixed mode allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.

What is Empty Root Domain?

The "empty root domain" is an AD design element that has become increasingly popular at organizations with decentralized IT authority such as universities. The empty root domain acts as a placeholder for the root of Active Directory, and does not typically contain any users or resources that are not required to fulfill this roll [sic]. [...] Only those privileges that have tree or forest-wide scope are restricted to the empty root domain administrators. Departmental administrators can work independently of other departments. This politically neutral root domain provides a central source of authority and policy enforcement, and provides a single schema and global catalog that allows users to find resources anywhere in the university/district/state system. Individual IT departments retain a significant degree of independence and can control their own users and resources without having to worry that actions by administrators in other departments will disrupt their domain.

What is the Group Policy?

Group Policy is one of the most exciting -- and potentially complex -- mechanisms that the Active Directory enables. Group policy allows a bundle of system and user settings (called a "Group Policy Object" or GPO) to be created by an administrator of a domain or OU and have it automatically pushed down to designated systems. Group Policy can control everything from user interface settings such as screen background images to deep control settings in the client such as its TCP/IP configuration and authentication settings. There are currently over 500 controllable settings. Microsoft has provided some templates as well to provide a starting point for creating policy objects. A significant advantage of group policy over the old NT-style policies is that the changes they make are reversed when the policy no longer applies to a system. In NT 4, once a policy was applied to a system, removing that policy did not by itself roll back the settings that it imposed on the client. With Windows 2000, when a specified policy no longer applies to a system it will revert to its previous state without administrative interference. Multiple policies from different sources can be applied to the same object. For example, a domain might have one or more domain-wide policies that apply to all systems in the domain. Below that, systems in an OU can also have policy objects applied to them, and the OU can even be further divided into sub-OU's with their own policies. This can create a very complex web of settings, so administrators must be very careful when creating these multiple layers of policy to make sure the end result -- which is the union of all of the applicable policies with the "closest" policy taking priority in most cases -- is correct for that system.
In addition, because Group policy is checked and applied during the system boot process for machine settings and again during logon for user settings, it is recommended that GPO's be applied to a computer from no more than five "layers" in the AD to keep reboot and/or login times from becoming unacceptably long.

What are Organizational Units?

OU's have many of the attributes of an NT 4 domain. However, instead of requiring server resources to create and support, they are a logical construct within the Active Directory, so an OU does not have to support and maintain a domain controller. OU's are created by an administrator of an AD domain and can be freely named (and renamed). The OU can then be populated with objects of many types including computers, groups, printers, users and other sub-OU's. The real power of an OU is that once it is established, the administrator of its "parent" can delegate administrative authority -- in total or in part -- to any user or group that is in the AD. When this happens, the designated user/group gains complete administrative authority over all objects in their OU and thus has all of the rights and abilities that a Windows NT domain administrator would have, as well as some new ones such as the ability to further segment their OU into sub-OU's and delegate authority over those sub-elements as they see fit.

What are Domains in Active Directory?

In Windows 2000, a domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network. A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a security boundary because each domain has a security policy that extends to all security accounts within the domain. Active Directory stores information about objects in one or more domains. Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also can be the parent of one or more child domains, as shown below.

What is Forest?

The term "forest" is used to describe a collection of AD domains that share a single schema for the AD. All DC's in the forest share this schema and it is replicated in a hierarchical fashion among them. The preferred model for Windows 2000 AD is to have an organization use a single forest that spans an entire enterprise. While not an administrative block by themselves, forests are a major boundary in that only limited communication is available between forests. For example, it is difficult for a user in one forest to access a resource in another forest. It is very difficult to integrate forests at this time because of potential problems reconciling schema differences between two forests.

Explain Active Directory?

"Active Directory is the directory service used in Windows 2000 Server and is the foundation of Windows 2000 distributed networks." The core of Active Directory is a combination of an LDAP server and MIT Kerberos 5 KDC running on a Windows 2000 server acting as a domain controller that work as a unit to provide authentication ("Who are you?") and authorization ("What are you allowed to do?") information within a group of interlinked systems. Above and beyond that, the LDAP "face" of this structure behaves as an enterprise-wide distributed database that not only contains Windows-specific information but can be extended to incorporate user-defined data as well.

The AD is held together by DNS, which is used not only to locate specific machines within the AD but also to locate which functions of the AD are running on which domain controllers.

"Is there a way to assign static IPs to workstations through AD or GPOs?"

No, how would the machine be able to get a GPO if it didn't already have an IP address? You need to do this using DHCP. Another option, though a bit odd (not sure why you would need to do this), would be to use a WMI script, maybe as part of the startup or login script. You can use WMI commands to configure the NIC. But, again, the first time it's run you'd have to first have it dynamically get an address, then the script could launch to reset it to a static address.

How do you manage an MS cluster?

As per my knowledge:

1. Ensure all the resources in the cluster are online.
2. Frequently perform a test by failing over and failing back to make sure of the cluster availability.
3. Go through the cluster log every day to find if there are any errors or exceptions.
4. Keep in touch with the storage admin to confirm the backup/RAID of the cluster shared disk and quorum are going on fine.
5. Managing the cluster depends on how you configure cluster resource dependencies.
6. Think about the backup plan in case a major number of nodes fail (of course the chance of all the nodes failing is less).
7. Make sure the heartbeat is working fine (private network). In case of NIC failure the resources keep on failing over back and forth.

What is Root?

Root is defined as the highest or uppermost level in a hierarchically organized set of information. The root is the point from which further subsets are branched in a logical sequence that moves from a broad or general focus to narrower perspectives. On a hard disk drive designated as the C: drive, the root (or parent) directory would be C:\ in Microsoft Windows.

If I am trying to create a new universal user group, why isn't it possible?

Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
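Checking the mode before attempting the group creation, as an added example that is not from the original page: the mixed/native distinction is stored in the nTMixedDomain attribute of the domain object (1 = mixed, 0 = native), separately from the functional level that Get-ADDomain reports. The OU path is a placeholder and the ActiveDirectory module is assumed.

```powershell
# Added example (not from the original page): refuse to create a universal group while
# the domain is still in mixed mode. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-NativeMode {
    $domain = Get-ADDomain
    # nTMixedDomain: 1 = mixed mode, 0 = native mode. It is independent of DomainMode.
    $mixed = (Get-ADObject -Identity $domain.DistinguishedName -Properties nTMixedDomain).nTMixedDomain
    [pscustomobject]@{
        Domain          = $domain.DNSRoot
        FunctionalLevel = $domain.DomainMode
        NativeMode      = ($mixed -ne 1)
    }
}

$state = Test-NativeMode
$state
if (-not $state.NativeMode) {
    Write-Warning 'Domain is in mixed mode: universal security groups cannot be created until it is raised to native mode.'
} else {
    # -WhatIf shows the action; drop it to actually create the group. OU path is assumed.
    New-ADGroup -Name 'All-Staff' -GroupScope Universal -GroupCategory Security `
                -Path ('OU=Groups,' + (Get-ADDomain).DistinguishedName) -WhatIf
}
```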

How many passwords by default are remembered when you check "Enforce Password History Remembered"?

The user's last 6 passwords.

What third-party certificate exchange protocols are used by Windows 2003 Server?

Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS7 certificate response to exchange CA certificates with third-party certificate authorities.
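The PKCS #10 request and PKCS #7 response exchange in practice, as an added example that is not from the original page, using the built-in certreq tool. The subject name, the CA configuration string and the file names are placeholders; a third-party CA normally takes the .req file through its own portal and returns the .cer/.p7b file that the last step installs.

```powershell
# Added example (not from the original page): generate a PKCS #10 request, submit it,
# and bind the PKCS #7 response to the private key. Names below are placeholders.
$inf = @"
[NewRequest]
Subject        = "CN=web01.corp.contoso.com"
KeyLength      = 2048
KeyAlgorithm   = RSA
HashAlgorithm  = sha256
MachineKeySet  = TRUE
Exportable     = FALSE
RequestType    = PKCS10
"@
Set-Content -Path .\web01.inf -Value $inf

# 1. Build the PKCS #10 request; the private key is generated in the machine store.
certreq -new .\web01.inf .\web01.req

# 2. Inspect what is about to leave the machine (subject, key size, signature).
certutil -dump .\web01.req

# 3. Submit to the CA. For a Windows CA pass -config "CAHOST\CA-Name"; for a third-party
#    CA upload web01.req instead and save the returned certificate as web01.cer.
certreq -submit -config "CA01.corp.contoso.com\Contoso-Issuing-CA" .\web01.req .\web01.cer

# 4. Accept the PKCS #7 / certificate response so it is paired with the private key.
certreq -accept .\web01.cer
```

Keeping Exportable = FALSE means the private key never leaves the machine; only the request and the issued certificate cross the trust boundary to the CA.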

How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line?

A time stamp is attached to the initial client request, encrypted with the shared key.

What problems can you have with DFS installed?

Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.

Where exactly do fault-tolerant DFS shares store information in Active Directory?

In Partition Knowledge Table, which is then replicated to other domain controllers.

We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box?

Use the UNC path, not the client; only Windows 2000 and 2003 clients can access Server 2003 fault-tolerant shares.

What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations?

The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.

What hidden shares exist on Windows Server 2003 installation?

Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

Write Active Directory Restore Methods?

You can use one of three methods to restore Active Directory from backup media: primary restore, normal (non-authoritative) restore, and authoritative restore.

Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost and you want to rebuild the domain from the backup. Members of the Administrators group can perform the primary restore on the local computer, or a user who has been delegated this responsibility can perform the restore. On a domain controller only Domain Admins can perform this restore.

Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore to return a single domain controller to a previously known good state.

Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore to recover individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup. Ntdsutil is a command-line utility used to perform an authoritative restore, along with the Windows Server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version number and recently changed data on other domain controllers does not overwrite the restored system state data during replication.
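The normal-then-authoritative sequence above as a concrete command run, added here as an example and not taken from the original page. It assumes the DC has been booted into Directory Services Restore Mode, that a system state backup exists on volume E:, and that the deleted OU's distinguished name and the backup version identifier are placeholders for your own values.

```powershell
# Added example (not from the original page): recover one deleted OU.
# Run in Directory Services Restore Mode. Backup target, version and DN are placeholders.

# Step 1: find the backup version identifier (format MM/DD/YYYY-HH:MM).
wbadmin get versions -backupTarget:E:

# Step 2: normal (non-authoritative) system state restore. Do not reboot afterwards.
wbadmin start systemstaterecovery -version:01/15/2024-02:00 -backupTarget:E: -quiet

# Step 3: mark only the subtree we want to win as authoritative. ntdsutil raises the
# version numbers of those objects so replication from other DCs does not overwrite them.
ntdsutil "activate instance ntds" "authoritative restore" `
         'restore subtree "OU=Sales,DC=corp,DC=contoso,DC=com"' quit quit

# Step 4: reboot normally; the marked objects replicate out, everything else replicates in.
Restart-Computer
```

Use "restore object" instead of "restore subtree" when a single object is enough; restoring the whole subtree also reverts every change made beneath that OU since the backup, which is the data-loss trade-off the text describes.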

What is Restoring Active Directory?

In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted. Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner. Once the replication is finished each partner has an updated version of Active Directory. There is another way to get these latest updates: use the Backup utility to restore replicated data from a backup copy. For this restore you don't need to configure your domain controller again, and there is no need to install the operating system from scratch.

What do you mean by System startup files?

Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under Windows File Protection and used by Windows to load, configure, and run the operating system.

What is The SYSVOL shared folder?

This shared folder contains Group policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.

What is System State Data?

Several features in the Windows Server 2003 family make it easy to back up Active Directory. You can back up Active Directory while the server is online, and other network functions can continue to operate. System state data on a domain controller includes the following components: Active Directory. System state data does not contain Active Directory unless the server on which you are backing up the system state data is a domain controller. Active Directory is present only on domain controllers.

How do you configure a "stand-by operations master" for any of the roles?

1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.

How do you backup AD?

Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides. You should back up the system state data on domain controllers frequently so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary. To ensure a good backup, which includes at least the system state data and the contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days. Any backup older than 60 days is not a good backup. Plan to back up at least two domain controllers in each domain, and keep at least one backup that can be used for an authoritative restore of the data when necessary.
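The tombstone-lifetime rule above turned into a check, as an added example that is not part of the original page. It reads the effective tombstoneLifetime from the configuration partition (absent means 60 days), compares it with the age of the last backup, and takes a fresh system state backup when the old one is no longer usable. The ActiveDirectory module, the backup target E: and the sample backup timestamp are assumptions.

```powershell
# Added example (not from the original page): is the last system state backup still
# younger than the tombstone lifetime? Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on the Directory Service object in the Configuration NC.
    # When the attribute is not set the directory behaves as if it were 60 days.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-BackupAge {
    param([datetime]$LastBackup, [int]$TombstoneDays = (Get-TombstoneLifetimeDays))
    $age = ((Get-Date) - $LastBackup).Days
    [pscustomobject]@{
        AgeDays       = $age
        TombstoneDays = $TombstoneDays
        Usable        = ($age -lt $TombstoneDays)   # a backup at or past the lifetime is not a good backup
    }
}

# Constructed sample timestamp (70 days ago). In practice take the date from
# 'repadmin /showbackup' or from your backup catalog.
$check = Test-BackupAge -LastBackup (Get-Date).AddDays(-70)
$check
if (-not $check.Usable) {
    Write-Warning "Last backup is $($check.AgeDays) days old (tombstone lifetime $($check.TombstoneDays)); taking a fresh one."
    wbadmin start systemstatebackup -backupTarget:E: -quiet    # assumed target volume
}
```

Forests created with Windows Server 2003 SP1 or later set the attribute explicitly (typically 180 days), which is why the script reads it rather than hard-coding 60.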

What FSMO placement considerations do you know of?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.

What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?

Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders. The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:

- Schema master: The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
- Domain naming master: The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
- RID master: The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.
- PDC emulator: The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords.
- Infrastructure master: The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.
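Listing the five holders and then moving roles, as an added example that is not from the original page. Transfer and seize are the same cmdlet; the -Force switch is what turns a cooperative transfer into a seizure, so the example separates them deliberately. The ActiveDirectory module and the target DC name 'DC02' are assumptions.

```powershell
# Added example (not from the original page): show FSMO holders, then transfer or seize.
# Assumes the ActiveDirectory module; 'DC02' is a placeholder DC name.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        RIDMaster            = $domain.RIDMaster             # per domain
        PDCEmulator          = $domain.PDCEmulator           # per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # per domain
    }
}
Get-FsmoHolders | Format-List

# Transfer: both DCs are online and agree; the directory stays consistent. Preferred.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seize (-Force): only when the current holder is permanently gone. The former holder
# must never be brought back online with the role, or two DCs will hand out the same
# RIDs or apply conflicting schema changes.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Force -Confirm:$false

Get-FsmoHolders | Format-List   # confirm the move took effect
```

The netdom query fsmo command described later on this page shows the same five holders from the command prompt.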

What is the ISTG? Who has that role by default?

The Intersite Topology Generator (ISTG) is responsible for the connections among the sites. By default, Windows 2003 forest-level functionality provides this role. By default the first server in the site has this role. If that server can no longer perform this role then the next server with the highest GUID takes over the role of ISTG.

What's the difference between a site link's schedule and interval?

The schedule lets you list the weekdays or hours during which the site link is available for replication to happen at the given interval. The interval is the recurrence of inter-site replication in minutes; it ranges from 15 to 10,080 minutes, and the default interval is 180 minutes.
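Setting both values on one site link, as an added example that is not from the original page: the interval is range-checked against the 15 to 10,080 minute limits quoted above, and the schedule restricts the link to an overnight window so the interval only fires inside it. The site link name DEFAULTIPSITELINK and the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the original page): interval versus schedule on a site link.
# Assumes the ActiveDirectory module; DEFAULTIPSITELINK is the placeholder link name.
Import-Module ActiveDirectory
$link = 'DEFAULTIPSITELINK'

# Interval: how often replication recurs while the link is available.
function Set-SiteLinkInterval {
    param([string]$Name, [int]$Minutes)
    if ($Minutes -lt 15 -or $Minutes -gt 10080) {
        throw "Interval must be between 15 and 10,080 minutes (got $Minutes)."
    }
    Set-ADReplicationSiteLink -Identity $Name -ReplicationFrequencyInMinutes $Minutes
}
Set-SiteLinkInterval -Name $link -Minutes 60

# Schedule: when the link is available at all. Build a daily 18:00-06:00 window in two
# halves because the schedule object works on a single day's 15-minute slots.
$ns = 'System.DirectoryServices.ActiveDirectory'
$schedule = New-Object "$ns.ActiveDirectorySchedule"
$schedule.ResetSchedule()
$schedule.SetDailySchedule([Enum]::Parse("$ns.HourOfDay", 'Eighteen'), [Enum]::Parse("$ns.MinuteOfHour", 'Zero'),
                           [Enum]::Parse("$ns.HourOfDay", 'TwentyThree'), [Enum]::Parse("$ns.MinuteOfHour", 'FortyFive'))
$schedule.SetDailySchedule([Enum]::Parse("$ns.HourOfDay", 'Zero'), [Enum]::Parse("$ns.MinuteOfHour", 'Zero'),
                           [Enum]::Parse("$ns.HourOfDay", 'Five'), [Enum]::Parse("$ns.MinuteOfHour", 'FortyFive'))
Set-ADReplicationSiteLink -Identity $link -ReplicationSchedule $schedule

# Verify: the interval is a plain number, the schedule is the availability bitmap.
Get-ADReplicationSiteLink -Identity $link -Properties ReplicationFrequencyInMinutes, ReplicationSchedule |
    Select-Object Name, ReplicationFrequencyInMinutes, @{ n = 'HasSchedule'; e = { $null -ne $_.ReplicationSchedule } }
```

With this configuration a change made at 09:00 waits until 18:00 and then replicates within the next 60 minutes, which is the practical difference between the two settings.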

What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool:

- ADSIEDIT.DLL
- ADSIEDIT.MSC

Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) is necessary.

Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its command-line counterparts. The purpose of this document is to guide you in how to use it, list some common replication errors and show some examples of when replication issues can stop other network installation actions. For more go to http://www.techtutorials.net/articles/replmon_howto_a.html

NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels. It enables administrators to manage Active Directory domains and trust relationships from the command prompt. Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

REPADMIN.EXE is a command-line tool used to monitor and troubleshoot replication on a computer running Windows. It allows you to view the replication topology as seen from the perspective of each domain controller. REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since Exchange Server is Active Directory based. REPADMIN doesn't actually fix replication problems for you, but you can use it to help determine the source of a malfunction.
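A replication health sweep with repadmin and netdom, run from PowerShell, is added here as an example that is not from the original page. It assumes the domain-controller tools are installed and that it runs on a DC (the DC name is taken from the environment); the CSV column names are the ones repadmin /showrepl /csv emits.

```powershell
# Added example (not from the original page): replication health sweep with the
# command-line tools above. Assumes RSAT/DC tools; runs on a domain controller.
$dc = $env:COMPUTERNAME

# Forest-wide summary: one line per DC with the largest replication delta and fail/total.
repadmin /replsummary

# Inbound partners of this DC, failures only (empty output is the healthy case).
repadmin /showrepl $dc /errorsonly

# Machine-readable form: flag every partner link that has recorded failures.
function Get-FailedReplicationLinks {
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time'
}
$failed = @(Get-FailedReplicationLinks)
if ($failed.Count -gt 0) { $failed | Format-Table -AutoSize } else { 'No replication failures recorded.' }

# Pending inbound work: a growing queue points at a slow or unreachable partner.
repadmin /queue $dc

# Role holders and the trusts this domain participates in.
netdom query fsmo
netdom query trust
```

Running the CSV step on a schedule and alerting when the failed-link list is non-empty gives the early warning that the text says repadmin itself will not provide.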

Why not make all DCs in a large forest as GCs?

The reason that all DCs are not GCs to start with is that in large (or even giant) forests the DCs would all have to hold a reference to every object in the entire forest, which could be quite large and quite a replication burden. For a few hundred, or even a few thousand users, this is not likely to matter unless you have really poor WAN lines.

How do you view all the GCs in the forest?

C:\> repadmin /showreps domain_controller

OR you can use Replmon.exe for the same purpose.

OR use AD Sites and Services, or:

C:\> nslookup gc._msdcs.%USERDNSDOMAIN%

What is Active Directory Domain Services 2008?

Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.

"Is there a minimal number of DNS servers that I must have in my infrastructure, or is only one per domain recommended?"

The minimum number of DNS servers that lets Active Directory function is one, but a single DNS server is a single point of failure for the whole domain: without DNS, clients cannot locate domain controllers and domain controllers cannot locate each other for replication. Plan for at least two, normally Active Directory-integrated zones hosted on the domain controllers themselves so that the zone data replicates with the directory, and make sure every client and DC points at a DNS server that can resolve the _msdcs records of the forest. Beyond that there is no specific rule on the number of DNS servers per domain; depending on the structure and connectivity of your organization you might implement any number of strategies to supply DNS resolution for Active Directory.

"I just missed the part about how to create the Active Directory; can you give me directions?"

Active Directory is installed by running the "dcpromo" command from a command line (or Start, Run). It is the wizard that promotes a member server to a domain controller, and it needs a working DNS configuration before you start. From Windows Server 2012 on, dcpromo is replaced by the Install-ADDSForest and Install-ADDSDomainController PowerShell cmdlets and the Active Directory Domain Services role wizard in Server Manager.

"Where can I download the GPMC?"

On Windows Server 2003 and Windows XP the GPMC is a separate download from Microsoft; from Windows Server 2008 on it is a built-in feature, installed through Server Manager (or with the Remote Server Administration Tools on a client), and the download steps below do not apply.

1. Click the Download link to start the download, or choose a different language from the drop-down list and click Go.
2. Do one of the following:
   - To start the installation immediately, click Open or Run this program from its current location.
   - To copy the download to your computer for installation at a later time, click Save or Save this program to disk.
3. To install the GPMC, run the gpmc.msi package. After you accept the End User License Agreement (EULA), all necessary files are installed to the %ProgramFiles%\GPMC folder. Before starting and using the GPMC, read the release notes, RelNotes.rtf, in the %ProgramFiles%\GPMC folder.
4. After installation, open the pre-configured GPMC.msc file: click Start, click Run, type GPMC.msc and then click OK. Alternatively, click the Group Policy Management shortcut in the Administrative Tools folder in Control Panel.
5. Or create a custom MMC console that contains the GPMC snap-in:
   - Open MMC by clicking Start, clicking Run, typing MMC, and then clicking OK.
   - From the File menu, choose Add/Remove Snap-in, and then click Add.
   - In the Add Standalone Snap-in dialog box, select Group Policy Management and click Add.
   - Click Close, and then OK.
6. GPMC includes several sample scripts, installed in the %ProgramFiles%\GPMC\Scripts folder. Use cscript.exe to run them. For details on the scripts, see the ScriptingReadMe.rtf file in the scripts folder; for instructions and usage information for each script, run it with the /? parameter.

"What are the differences between OU's and Containers?"

An organizational unit is a hierarchical, administrator-created component of Active Directory, while a container is a fixed, system-created holding area (the default Users, Computers and Builtin containers, for example) where objects land until they are moved into the OU they belong in. OUs can be nested and can have Group Policy linked to them; containers cannot, so objects sitting in a container only receive policy linked at the domain or site. OUs are also the normal unit of delegated administration. Because new user and computer accounts are created in the default containers by default and therefore miss OU-linked policy, use redirusr and redircmp (domain functional level Windows Server 2003 or higher) to redirect them into an OU.

Where are the documents and settings for the roaming profile stored?

The authoritative copy of a roaming profile lives in the shared server folder named in the user's profile path. At logon it is copied to the local system, all documents and environment settings are changed in that local copy, and when the user logs off the changes are copied back to the server share. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large the profile folder is.

Anything special you should do when adding a user that has a Mac?

The option is "Store password using reversible encryption" on the Account tab of the user's properties (the same switch also exists in the domain password policy). It is needed by legacy Macintosh clients, and by a few other authentication methods such as CHAP and Digest, that require the domain controller to know the actual password rather than a one-way hash. The price is that anyone who can read the directory database, or a backup of it, can recover those passwords in cleartext, so enable it only for the specific accounts that need it and leave it off everywhere else. Current macOS versions join Active Directory with Kerberos and do not need it at all.
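As an added example that is not part of the original page, the following PowerShell script audits a domain for reversible password storage: the per-account flag (found both through the cmdlet property and through the raw userAccountControl bit, which is the ground truth), the domain-wide and fine-grained password policy switches, and a remediation that also forces a password change, since clearing the flag alone leaves the current password recoverable. It assumes the ActiveDirectory module and is written to run in -WhatIf mode until you remove that switch.

```powershell
# Added example, not from the original page: audit and fix reversible password storage.
# Assumes the ActiveDirectory module (RSAT) and rights to read/modify user objects.
Import-Module ActiveDirectory

$UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x80   # userAccountControl bit behind the checkbox

# Per-account flag via the raw bit, using the LDAP_MATCHING_RULE_BIT_AND rule.
# This is what the checkbox actually sets, so it cannot be hidden by tooling.
$flagged = @(Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)" `
    -Properties userAccountControl, PasswordLastSet, AllowReversiblePasswordEncryption)

# Policy-level switches: the default domain policy or a fine-grained policy can
# turn reversible storage on for whole groups regardless of the per-account flag.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$fgppReversible = @(Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.ReversibleEncryptionEnabled })

[pscustomobject]@{
    DomainPolicyReversible      = $domainPolicy.ReversibleEncryptionEnabled
    FineGrainedPoliciesReversible = ($fgppReversible.Name -join ', ')
    AccountsFlagged             = $flagged.Count
} | Format-List

$flagged | Select-Object SamAccountName, Enabled, PasswordLastSet,
    @{ n = 'UAC'; e = { '0x{0:X}' -f $_.userAccountControl } } | Format-Table -AutoSize

# Remediation. Clearing the flag stops future passwords being stored reversibly,
# but the password set while the flag was on stays recoverable until it is changed,
# so force a change at next logon as well. Remove -WhatIf to apply.
foreach ($u in $flagged) {
    Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $false -ChangePasswordAtLogon $true -WhatIf
}
```

If the domain policy itself has the switch on, fixing individual accounts is not enough; that setting has to be turned off in the policy and every affected password rotated.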

What do you do with secure sign-ons in an organization with many roaming users?

The Credential Management feature of Windows Server 2003 (Stored User Names and Passwords in Control Panel, cmdkey.exe from the command line) provides a consistent single sign-on experience for users and is useful for roaming users who move between computer systems. It provides a secure store of user credentials, including passwords and X.509 certificates, for resources that do not accept the user's own domain logon, such as servers in untrusted domains or web sites. Two caveats: within the domain and its trusts, Kerberos already gives single sign-on without any stored credentials, and the store is protected by the user's DPAPI master key, so it is only as strong as the user's logon secret and is readable by any code running as that user.

How do you delete a lingering object?

A lingering object is one that was deleted and garbage-collected on the rest of the forest but survives on a DC that was offline, or not replicating, for longer than the tombstone lifetime. Windows Server 2003 provides the Repadmin command, whose /removelingeringobjects option compares the affected DC against a reference DC for a given naming context and deletes what the reference DC no longer has; run it in /advisory_mode first so that it only logs what it would delete. Enabling strict replication consistency on your DCs stops such objects from replicating back in: the DC then logs event 1988 and refuses the update instead of silently re-importing the object (event 1388 on a loosely consistent DC).
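As an added example that is not part of the original page, the following PowerShell script covers both the Repadmin paragraph above and this answer: it runs the replication triage commands, looks for the lingering-object events on the suspect DC, resolves the reference DC's DSA object GUID (which is what /removelingeringobjects expects, not a host name), performs an advisory-mode scan, and enables strict replication consistency. The host names and naming context are placeholders (assumptions) to be replaced with your own.

```powershell
# Added example, not from the original page: replication triage followed by an
# advisory-mode lingering-object scan. Names below are placeholders (assumptions).
Import-Module ActiveDirectory

$DestDC   = 'dc02.corp.example'    # DC suspected of holding lingering objects (assumed)
$SourceDC = 'dc01.corp.example'    # known-good reference DC (assumed)
$NC       = 'DC=corp,DC=example'   # naming context to scan (assumed)

# 1. Forest-wide summary: per-DC failure counts and the largest replication deltas.
repadmin /replsummary

# 2. Inbound neighbours of the suspect DC, with last attempt, last success and error.
repadmin /showrepl $DestDC

# 3. Has the suspect DC already reported lingering objects? 1988 = strict consistency
#    rejected an update for an object it no longer has; 1388 = loose consistency
#    let such an object replicate back in.
Get-WinEvent -ComputerName $DestDC -FilterHashtable @{ LogName = 'Directory Service'; Id = 1388, 1988 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }

# 4. repadmin identifies the reference DC by the objectGUID of its NTDS Settings
#    object, not by its invocation ID and not by its host name.
$ntdsDn     = (Get-ADDomainController -Identity $SourceDC).NTDSSettingsObjectDN
$sourceGuid = (Get-ADObject -Identity $ntdsDn).ObjectGUID

# 5. Advisory mode only logs what it would delete (one Directory Service event per
#    object found). Review those events, then rerun without /advisory_mode to clean up.
repadmin /removelingeringobjects $DestDC $sourceGuid $NC /advisory_mode

# 6. Stop it recurring: with strict replication consistency a DC refuses inbound
#    updates for objects it has already garbage-collected and logs event 1988.
Invoke-Command -ComputerName $DestDC -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'Strict Replication Consistency' -Value 1 -Type DWord
}
```

Repeat steps 4 and 5 for every naming context the suspect DC hosts, including the configuration partition and any read-only domain partitions on a GC; a lingering object in one partition is rarely alone.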

How is user account security established in Windows Server 2003?

When an account is created, it is given a unique identifier known as a security identifier (SID), and every group to which the user belongs has its own SID. At logon, the user's SID and the SIDs of all those groups (plus well-known SIDs such as Authenticated Users) are placed in the user's access token, which determines access to objects throughout the system and network. When the user opens an object, the SIDs in the token are compared against the access control entries (ACEs) in the object's discretionary access control list (DACL): ACEs are evaluated in order, a matching deny ACE rejects the requested access immediately, and matching allow ACEs accumulate rights until every requested bit is granted; if the list is exhausted first, access is denied. Because the group SIDs are fixed in the token at logon, a change of group membership only takes effect at the user's next logon.
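As an added example that is not part of the original page, the following PowerShell script walks a DACL exactly as the answer describes, first against a constructed token and security descriptor (so it runs without a domain) and then against the live token of the current process. The SDDL string and the S-1-5-21-… SIDs are constructed for the example. It is a deliberate simplification: the kernel's AccessCheck also honours token group attributes such as "use for deny only" on a filtered administrator token, which this walk ignores.

```powershell
# Added example, not from the original page: token SIDs matched against a DACL.
# Simplification (assumption): ignores token group attributes (deny-only groups,
# mandatory labels) that the real kernel AccessCheck also evaluates.

function Resolve-SidName([System.Security.Principal.SecurityIdentifier]$Sid) {
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Test-AccessFromToken {
    param(
        [string]$Sddl,          # security descriptor of the object being opened
        [int]$RequestedMask,    # access bits the caller asks for
        [string[]]$TokenSids    # user SID plus every group SID in the access token
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Object-specific ACEs (AD attribute/extended rights) are out of scope here.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($TokenSids -notcontains $ace.SecurityIdentifier.Value) { continue }  # ACE is about someone else
        $who = Resolve-SidName $ace.SecurityIdentifier
        if ($ace.AceType -eq 'AccessDenied') {
            if ($ace.AccessMask -band $RequestedMask) {
                return "DENIED by deny ACE for $who (an earlier deny beats any later allow)"
            }
        } elseif ($ace.AceType -eq 'AccessAllowed') {
            $granted = $granted -bor ($ace.AccessMask -band $RequestedMask)
            if (($granted -band $RequestedMask) -eq $RequestedMask) {
                return "ALLOWED (last needed bits came from the allow ACE for $who)"
            }
        }
    }
    return ('DENIED (no ACE grants every requested bit; granted 0x{0:X} of 0x{1:X})' -f $granted, $RequestedMask)
}

# Constructed DACL: Everyone (WD) denied the write bits 0x116 (write data, append,
# write EA, write attributes), Administrators (BA) full control, Authenticated Users (AU) read.
$sddl = 'O:BAG:BAD:(D;;0x116;;;WD)(A;;FA;;;BA)(A;;FR;;;AU)'
$FILE_GENERIC_READ = 0x120089
$FILE_WRITE_DATA   = 0x2

# Constructed token of an ordinary domain user: own SID, Domain Users, Everyone,
# Authenticated Users, Users. The domain SID S-1-5-21-1-2-3 is made up.
$userToken = @('S-1-5-21-1-2-3-1105', 'S-1-5-21-1-2-3-513', 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
Test-AccessFromToken -Sddl $sddl -RequestedMask $FILE_GENERIC_READ -TokenSids $userToken   # ALLOWED via AU
Test-AccessFromToken -Sddl $sddl -RequestedMask $FILE_WRITE_DATA   -TokenSids $userToken   # DENIED via WD

# Even an administrator is denied write here: the deny for Everyone precedes the allow for BA.
$adminToken = $userToken + 'S-1-5-32-544'
Test-AccessFromToken -Sddl $sddl -RequestedMask $FILE_WRITE_DATA   -TokenSids $adminToken  # DENIED

# Same walk against the live token of the current process (compare with whoami /groups).
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$liveSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
Test-AccessFromToken -Sddl $sddl -RequestedMask $FILE_GENERIC_READ -TokenSids $liveSids
```

The ordering rule is the practical lesson: the canonical ACE order places explicit deny entries before explicit allow entries precisely so that a deny on a broad group cannot be undone by an allow further down the list.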

What types of classes exist in Windows Server 2003 Active Directory?

Structural class. The structural class is the one that matters most to the system administrator, because it is the only type from which Active Directory objects can actually be created. A structural class derives from another structural class or from an abstract class, and may include one or more auxiliary classes.

Abstract class. An abstract class is a template that cannot be instantiated itself; it exists only to be subclassed by other abstract classes and by structural classes, so that common attributes are defined once. Think of abstract classes as frameworks for defining objects; top, the root of every class, is abstract.

Auxiliary class. An auxiliary class is a named list of attributes. Rather than adding numerous attributes individually when defining a structural class, it provides a streamlined alternative by applying a whole set of attributes with a single include.

88 class. The 88 class covers object classes defined under the 1988 X.500 specification, before the 1993 revision introduced the structural, abstract and auxiliary categories. It does not use those definitions and is not in common use for the development of new objects in Windows Server 2003 environments.
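As an added example that is not part of the original page, the following PowerShell script reads the four categories straight from the schema partition, where each classSchema object records its category in the objectClassCategory attribute (0 = 88 class, 1 = structural, 2 = abstract, 3 = auxiliary), and then walks the inheritance chain of one structural class to show which abstract ancestors and auxiliary classes it is assembled from. It assumes the ActiveDirectory module and a reachable domain controller.

```powershell
# Added example, not from the original page: class categories as recorded in the
# schema, and the lineage of one structural class. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$classes  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=classSchema)' `
    -Properties lDAPDisplayName, objectClassCategory, subClassOf, auxiliaryClass, systemAuxiliaryClass

# objectClassCategory is how the schema itself records the category of a class.
$categoryName = @{ 0 = '88 class'; 1 = 'Structural'; 2 = 'Abstract'; 3 = 'Auxiliary' }

$classes | Group-Object objectClassCategory | Sort-Object { [int]$_.Name } | ForEach-Object {
    $examples = ($_.Group | Select-Object -First 3).lDAPDisplayName -join ', '
    '{0,-11} {1,5}  e.g. {2}' -f $categoryName[[int]$_.Name], $_.Count, $examples
}

# Index by lDAPDisplayName for the lineage walk.
$byName = @{}
foreach ($c in $classes) { $byName[$c.lDAPDisplayName] = $c }

# Follow subClassOf up to 'top' (which lists itself as its own superclass), and
# show the auxiliary classes mixed in at each level of the chain.
function Get-ClassLineage([string]$ClassName) {
    $name = $ClassName
    while ($name -and $byName.ContainsKey($name)) {
        $c = $byName[$name]
        [pscustomobject]@{
            Class     = $c.lDAPDisplayName
            Category  = $categoryName[[int]$c.objectClassCategory]
            Auxiliary = ((@($c.auxiliaryClass) + @($c.systemAuxiliaryClass)) | Where-Object { $_ }) -join ', '
        }
        if ($name -eq 'top') { break }
        $name = $c.subClassOf
    }
}

Get-ClassLineage 'user' | Format-Table -AutoSize
```

Try the lineage walk on computer as well: it derives from user, which is why every attribute and auxiliary class of user (including securityPrincipal) is also present on computer objects.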

When should you create a forest?

This question is usually one of trees versus forests. Organizations that operate on radically different bases may require separate trees with distinct namespaces; unique trade or brand names often give rise to separate DNS identities; organizations that merge or are acquired want naming continuity; partnerships and joint ventures want access to common resources while keeping administration separate. All of these can be met with a separate tree inside the same forest, which keeps one schema, one configuration partition and one global catalog, and gives transitive trust between the trees automatically. Create a separate forest only when you need a genuine security boundary: the forest, not the domain or tree, is that boundary, because Enterprise Admins and Schema Admins, the schema and the configuration partition are shared by every domain in it. A partner or joint venture that must stay outside that boundary gets its own forest and a forest trust, with selective authentication where the access needs to be tightly limited.
