
Boot.ini: The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel: on the Advanced tab, select Startup.

How do you dual-boot a Windows 2003 server box?

What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.

How many passwords are remembered by default when you enable "Enforce password history"? The user's last 6 passwords.

Can the GC server and the Infrastructure Master be placed on a single server? If not, explain why.
No. As a general rule, the infrastructure master should be located on a non-global-catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, an infrastructure master placed on a global catalog server will never update anything, because it does not contain any references to objects that it does not hold. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains; it does this by comparing its data with that of a global catalog.

If you have two domains with two domain controllers each (A and B, C and D) where B and D are GC/IM, you have to figure out how to get things like group membership to reflect the proper information on domain controllers A and C. If you change a user in domain A (say a name change due to marriage), group membership read from domain controller C may not reflect that information properly, because the only domain controllers that keep themselves up to date are the GCs.

There are two exceptions to the "do not place the infrastructure master on a global catalog server" rule:

Single-domain forest: In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.

Multidomain forest where every domain controller in a domain holds the global catalog:

If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain. Please read this article carefully:
http://support.microsoft.com/kb/223346

Which service in Windows is responsible for replication from one domain controller to another?
DFS supports the replication of data between servers, using the File Replication Service (FRS) in server versions up to Server 2003, and using DFS Replication (DFSR) in Server 2003 R2, Server 2008, and later versions. The KCC generates the replication topology, and changes are replicated over RPC or SMTP. FRS has been replaced in Windows Server 2008 R2 by DFS Replication for replicating DFS folders and for replicating the SYSVOL folder. To manage a Distributed File System namespace that uses FRS to replicate content, open the Distributed File System snap-in on a computer running Windows Server 2003 or Windows 2000 Server. Important: In Windows Server 2008 R2, FRS can be used only to replicate the SYSVOL folder on domain controllers in domains that use the Windows Server 2003 or Windows 2000 domain functional levels. All other replication tasks that were performed by FRS are now performed by DFS Replication. FRS replicas are disabled on servers that have been upgraded to Windows Server 2008 R2.
http://social.technet.microsoft.com/Forums/en/winserverfiles/thread/6fd7546ccdac-4f50-9c7a-d71591428aeb

What is the Lost & Found folder in ADS?
It is the folder where you can find objects that were orphaned because of a conflict. For example: you create a user in an OU that has been deleted on another DC; when replication happens, ADS cannot find the OU, so it puts the user in the Lost & Found folder.

What is garbage collection?

Garbage collection is the process of online defragmentation of Active Directory; it is the process AD uses to clear out orphaned objects from the AD data (ntds.dit). The garbage collection service runs every 12 hours to:
1) delete tombstones whose lifetime has expired,
2) delete unnecessary log files, and
3) start online defragmentation.
The garbage collection attributes are tombstoneLifetime and garbageCollPeriod.

What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference between 2000 Group Policies and 2003 Group Policies? What is meant by ADS and ADS services in Windows 2003?

Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain. Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy; you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference. ADS stands for Automated Deployment Services and is used to quickly roll out identically configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.

I want to set up a DNS server and an Active Directory domain. What do I do first? If I install the DNS service first and name the zone 'name.org', can I name the AD domain 'name.org' too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it is actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can let the Active Directory Installation Wizard (dcpromo) itself install DNS on your server in the background.

How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script, so that it records its information to a central file for later review). This command enumerates the members of the Administrators group on each machine you run it on. Alternatively, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.
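As an added example (not code from the original page), the following PowerShell script does what the answer above describes from a logon or startup script: it records the local Administrators membership to a central share and flags any member that is not on an expected baseline. The share path \\fileserver\admin-audit$ and the baseline patterns are assumptions; Get-LocalGroupMember needs Windows PowerShell 5.1 or later, so older hosts fall back to parsing net localgroup.

```powershell
# Added example, not from the original page. Records local Administrators
# membership to a central share and flags unexpected members for review.
param(
    [string]$CentralShare = '\\fileserver\admin-audit$'   # assumed share; the computer account needs write access
)

function Get-LocalAdministrators {
    # Returns Name / ObjectClass / PrincipalSource for each member of the local
    # Administrators group. The group is resolved by its well-known SID so the
    # script also works on localised systems where it is not named "Administrators".
    $adminsSid = 'S-1-5-32-544'
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        Get-LocalGroupMember -SID $adminsSid |
            Select-Object Name, ObjectClass, PrincipalSource
    } else {
        # Fallback for hosts without the LocalAccounts module: parse the output of
        # 'net localgroup administrators', whose member list sits between the dashed
        # separator and the "The command completed successfully." line.
        $inList = $false
        foreach ($line in (net localgroup administrators)) {
            if ($line -match '^-{10,}') { $inList = $true; continue }
            if ($inList -and $line -and $line -notmatch 'completed successfully') {
                [pscustomobject]@{ Name = $line.Trim(); ObjectClass = 'Unknown'; PrincipalSource = 'Unknown' }
            }
        }
    }
}

function Export-LocalAdministrators {
    # Writes one CSV per computer to the central share and returns the rows written.
    param([Parameter(Mandatory)][string]$Destination)
    $report = Get-LocalAdministrators | ForEach-Object {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Collected    = (Get-Date).ToString('s')
            Member       = $_.Name
            ObjectClass  = $_.ObjectClass
            Source       = $_.PrincipalSource
        }
    }
    $file = Join-Path $Destination ("{0}.csv" -f $env:COMPUTERNAME)
    $report | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    return $report
}

function Find-UnexpectedAdmins {
    # Returns the rows whose Member matches none of the allowed regex patterns.
    param([object[]]$Members, [string[]]$AllowedPatterns)
    foreach ($m in $Members) {
        $allowed = $false
        foreach ($p in $AllowedPatterns) {
            if ($m.Member -match $p) { $allowed = $true; break }
        }
        if (-not $allowed) { $m }
    }
}

# Constructed baseline: the built-in Administrator and Domain Admins are expected;
# anything else (a user added by hand, a stale contractor account) is reported.
$baseline = @('\\Administrator$', '\\Domain Admins$')

$rows = Export-LocalAdministrators -Destination $CentralShare
$unexpected = Find-UnexpectedAdmins -Members $rows -AllowedPatterns $baseline
if ($unexpected) {
    Write-Warning ("{0}: unexpected local administrators: {1}" -f $env:COMPUTERNAME, ($unexpected.Member -join ', '))
}
```

Reviewing the per-computer CSV files on the share over time shows which machines picked up local administrators outside the baseline, which is the information the Restricted Groups policy mentioned above would then enforce.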

Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients' wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie.

What is the ISTG? Who has that role by default?
Windows 2000 domain controllers each create Active Directory replication connection objects representing inbound replication from intrasite replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory replication connection objects for the appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).

What is the difference between Server 2003 and 2008?
1. Virtualization. Windows Server 2008 introduces Hyper-V (V for Virtualization), but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine.
2. Server Core, which provides the minimum installation required to carry out a specific server role, such as a DHCP, DNS or print server.
3. Better security.
4. Role-based installation.
5. Read-Only Domain Controllers (RODC).
6. Enhanced Terminal Services.
7. Network Access Protection: Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell: Microsoft's command-line shell and scripting language, which has proved popular with some server administrators.
9. IIS 7.
10. BitLocker: system drive encryption can be a sensible security measure for servers located in remote branch offices.
11. Windows Aero.
The main differences between 2003 and 2008 are virtualization and management; 2008 has more in-built components and updated third-party drivers.

What are the requirements for installing AD on a new server?
1. The domain structure.
2. The domain name.
3. The storage location of the database and log file.
4. The location of the shared system volume folder.
5. The DNS configuration method.
6. The DNS configuration.


What group types are available in Active Directory?
Security groups: Use security groups for granting permissions to gain access to resources. Sending an e-mail message to a security group sends the message to all members of the group, so security groups share the capabilities of distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.

Explain the group scopes in AD.
Domain Local group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist at all mixed, native and interim functional levels of domains and forests. Domain local group membership is not limited: you can add user accounts, universal groups and global groups from any domain as members. Remember that nesting cannot be done with domain local groups: a domain local group will not be a member of another domain local group or any other group in the same domain.
Global group: Users with a similar function can be grouped under the global scope and given permission to access a resource (like a printer or a shared folder and files) available in the local domain or another domain in the same forest. In simple words, global groups can be used to grant permissions to resources located in any domain within a single forest, but their membership is limited: user accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible with global groups, as you can add a global group into another global group from any domain. Finally, to grant permission to domain-specific resources (like printers and published folders), they can be members of a domain local group. Global groups exist at all mixed, native and interim functional levels of domains and forests.
Universal group: These groups are typically used for e-mail distribution and can be granted access to resources in all trusted domains, since they can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group membership is not limited like that of global groups: all domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or domain local group in any domain.

What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: this GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.

What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a graphical user interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes of each object can be edited or deleted using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following files are required to use this tool: ADSIEDIT.DLL, ADSIEDIT.

What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

How do you take a backup of AD?
To back up Active Directory, go to Start -> Programs -> Accessories -> System Tools -> Backup, or open the Run window and enter ntbackup. When the backup screen appears, take a backup of the System State; this backs up all the necessary information about the system, including AD, DNS, etc.

What are the DS* commands?
The DS family of built-in utilities:
DSmod - modify Active Directory attributes.
DSrm - delete Active Directory objects.
DSmove - relocate objects.
DSadd - create new accounts.

DSquery - find objects that match your query attributes.
DSget - list the properties of an object.

What are the requirements for installing AD on a new server?
An NTFS partition with enough free space; an administrator's username and password; the correct operating system version; a NIC; properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway); a network connection (to a hub, or to another computer via a crossover cable); an operational DNS server (which can be installed on the DC itself); a domain name that you want to use; and the Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).

Explain trusts in AD.
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created. The forest, not the domain, sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trusts, AD trusts can be shortcut (joins two domains in different trees; transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode):
One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust: Two domains allow access to users on both domains.
Trusting domain: The domain that allows access to users from a trusted domain.
Trusted domain: The domain that is trusted, whose users have access to the trusting domain.
Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust: A one-way trust that does not extend beyond two domains.
Explicit trust: A trust that an admin creates. It is not transitive and is one-way only.
Cross-link trust: An explicit trust between domains in different trees, or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Windows 2000 Server supports the following types of trusts: two-way transitive trusts and one-way intransitive trusts. Additional trusts can be created by administrators; these trusts can be shortcut trusts. Windows Server 2003 offers a new trust type, the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are transitive for all the domains in the forests that are trusted; forest trusts are not, however, transitive between forests.

What is the difference between LDIFDE and CSVDE?
CSVDE is a command that can be used to import and export objects to and from AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go at length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info. LDIFDE is a command that can be used to import and export objects to and from AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is easily readable in any text editor, but it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.

What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. This value is held in the Directory Service object in the configuration naming context (NC).

What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Using an application directory partition provides redundancy, availability and fault tolerance by replicating data to a specific domain controller or any set of domain controllers anywhere in the forest.

How do you create a new application partition?
Use the DnsCmd command to create an application directory partition. To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition

How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
where domain_controller is the DC you want to query to determine whether it is a GC. The output will include the text DSA Options: IS_GC if the DC is a GC.

Can you connect Active Directory to other third-party directory services? Name a few options.
Yes, you can use DirXML or LDAP to connect to other directories. In Novell you can use eDirectory.

What is IPSec Policy?
IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections, using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec policy can be deployed via Group Policy to the Windows domain controllers and servers.

What are the different types of Terminal Services?
User mode and application mode.

What is RSoP?
RSoP is the Resultant Set of Policy applied on the object (Group Policy).

What is the system startup process?
Windows 2000 boot process on an Intel architecture:
1. Power-On Self Tests (POST) are run.
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run.
3. The active partition is located, and the boot sector is loaded.
4. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.
2. The Windows 2000 loader starts a mini-file system.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control.

5. NTDETECT.COM scans the hardware installed in the computer and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.
6. NTLDR then loads NTOSKRNL.EXE and gives it the hardware information collected by NTDETECT.COM. Windows NT enters the Windows load phases.

How do you change the DS Restore Mode admin password?
In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Services Restore Mode, then use either the Microsoft Management Console (MMC) Local Users and Groups snap-in or the command net user administrator * to change the Administrator password. Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Services Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility's scripting options.) In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Services Restore Mode Administrator password. To do so, follow these steps:
1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
2. Start the Directory Services Restore Mode Administrator password-reset utility by entering the argument "set dsrm password" at the ntdsutil prompt:
ntdsutil: set dsrm password
3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server testing, enter the following argument at the Reset DSRM Administrator Password prompt:
Reset DSRM Administrator Password: reset password on server testing
To reset the password on the local machine, specify null as the server name:
Reset DSRM Administrator Password: reset password on server null
4. You'll be prompted twice to enter the new password. You'll see the following messages:
Please type password for DS Restore Mode Administrator Account:
Please confirm new password:
Password has been set successfully.
5. Exit the password-reset utility by typing "quit" at the following prompts:
Reset DSRM Administrator Password: quit
ntdsutil: quit

I am upgrading from NT to 2003. The only things that are NT are the PDC and BDCs; everything else is 2000 or 2003 member servers. My question is, when I upgrade my NT domain controllers to 2003, will I need to do anything else to my Windows 2000/2003 member servers that were in the NT domain?
Your existing member servers, regardless of operating system, will simply become member servers in your upgraded AD domain. If you will be using Organizational Units and Group Policy (and I hope you are), you'll probably want to move them to a specific OU for administration and policy application, since they'll be in the default "Computers" container immediately following the upgrade.

How do I use Registry keys to remove a user from a group?
In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from www.joeware.net. ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.

Why are my NT4 clients failing to connect to the Windows 2000 domain?
Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server.

How do you add your first Windows 2003 DC to an existing Windows 2000 domain?
The first step is to install Windows 2003 on your new DC. This is a straightforward process, so we aren't going to discuss that here. Because significant changes have been made to the Active Directory schema in Windows 2003, we need to make our Windows 2000 Active Directory compatible with the new version. If you already have Windows 2003 DCs running with Windows 2000 DCs, then you can skip down to the part about DNS. Before you attempt this step, you should make sure that you have Service Pack 4 installed on your Windows 2000 DC.
Next, make sure that you are logged in as a user who is a member of the Schema Admins and Enterprise Admins groups. Then insert the Windows 2003 Server installation CD into the Windows 2000 Server, bring up a command line and change directories to the I386 directory on the installation CD. At the command prompt, type:
adprep /forestprep
After running this command, make sure that the updates have been replicated to all existing Windows 2000 DCs in the forest. Next, we need to run the following command:
adprep /domainprep

The above command must be run on the Infrastructure Master of the domain by someone who is a member of the Domain Admins group. Once this is complete, we move back to the Windows 2003 Server. Click Start, then Run; type in dcpromo and click OK. During the ensuing wizard, make sure that you select that you are adding this DC to an existing domain. After this process is complete, the server will reboot. When it comes back online, check and make sure that the AD database has been replicated to your new server.

Next, check and make sure that DNS was installed on your new server. If not, go to the Control Panel, click on "Add or Remove Programs", and click the "Add/Remove Windows Components" button. In the Windows Components screen, click on "Networking Services" and click the Details button. In the new window check "Domain Name System (DNS)" and then click the OK button. Click "Next" in the Windows Components screen. This will install DNS and the server will reboot. After the reboot, pull up the DNS Management window and make sure that your DNS settings have replicated from the Windows 2000 Server. You will need to re-enter any forwarders or other properties you had set up, but the DNS records should replicate on their own.

The next two items, global catalog and FSMO roles, are important if you plan on decommissioning your Windows 2000 server(s). If this is the case, you need to transfer the global catalog from the old server to the new one. First, let's create a global catalog on our new server. Here are the steps:
1. On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click "Start", point to "Programs", point to "Administrative Tools", and then click "Active Directory Sites and Services".
2. In the console tree, double-click "Sites", and then double-click "sitename".
3. Double-click "Servers", click your domain controller, right-click "NTDS Settings", and then click "Properties".
4. On the General tab, select the Global Catalog check box to assign the role of global catalog to this server.
5. Restart the domain controller. Make sure you allow sufficient time for the account and schema information to replicate to the new global catalog server before you remove the global catalog from the original DC or take the DC offline.
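As an added example (not code from the original page), this PowerShell script automates the GC check used in two places above: the "repadmin /showreps" answer, which looks for IS_GC in the DSA Options line, and step 5 of the global catalog procedure, where you confirm the new server is a GC before removing the role from the old one. It assumes the ActiveDirectory module (RSAT) and repadmin are installed, and cross-checks each DC's IsGlobalCatalog flag against what repadmin reports.

```powershell
# Added example, not from the original page. Lists every DC in the forest and
# whether it is a global catalog, according to both repadmin and the directory.
Import-Module ActiveDirectory

function Get-GcStatusFromRepadmin {
    # Runs 'repadmin /showreps <dc>' and parses the "DSA Options:" line, which
    # reads "DSA Options: IS_GC" on a global catalog server.
    param([Parameter(Mandatory)][string]$DomainController)
    $output = repadmin /showreps $DomainController 2>&1
    $optionsLine = $output | Where-Object { $_ -match 'DSA Options:' } | Select-Object -First 1
    $options = '<no DSA Options line; repadmin may have failed to reach the DC>'
    if ($optionsLine) { $options = ($optionsLine -replace '.*DSA Options:\s*', '').Trim() }
    [pscustomobject]@{
        DomainController = $DomainController
        IsGlobalCatalog  = [bool]($optionsLine -match '\bIS_GC\b')
        DsaOptions       = $options
    }
}

function Get-ForestGlobalCatalogs {
    # Enumerates every DC in every domain of the forest and compares repadmin's
    # IS_GC flag with the IsGlobalCatalog property exposed by Get-ADDomainController.
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            $rep = Get-GcStatusFromRepadmin -DomainController $dc.HostName
            [pscustomobject]@{
                Domain         = $domain
                HostName       = $dc.HostName
                Site           = $dc.Site
                RepadminSaysGC = $rep.IsGlobalCatalog
                ModuleSaysGC   = [bool]$dc.IsGlobalCatalog
                DsaOptions     = $rep.DsaOptions
                Consistent     = ($rep.IsGlobalCatalog -eq [bool]$dc.IsGlobalCatalog)
            }
        }
    }
}

$gcs = Get-ForestGlobalCatalogs
$gcs | Format-Table Domain, HostName, Site, RepadminSaysGC, ModuleSaysGC, Consistent -AutoSize

# A mismatch usually means a GC promotion or demotion has not finished replicating;
# do not remove the old GC until the new one shows IS_GC consistently.
$gcs | Where-Object { -not $_.Consistent } | ForEach-Object {
    Write-Warning ("{0}: repadmin and the directory disagree about GC status ({1})" -f $_.HostName, $_.DsaOptions)
}
```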

After this is complete, you will want to transfer or seize the FSMO roles for your new server. For instructions, read "Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller". After this step is complete, we can run DCPROMO on the Windows 2000 servers in order to demote them. Once this is complete, copy over any files you need to your new server, and you should have successfully replaced your Windows 2000 server(s) with a new Windows 2003 server.

How do you view replication properties for AD partitions and DCs?
Go to Start > Run and type repadmin, or go to Start > Run and type replmon to use Replication Monitor.

Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone lifetime, which is set to only 60 days.

What are the different modes of AD restore?
A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller. An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. In this case you need to stop inbound replication first, before performing the authoritative restore.

How do you configure a standby operations master for any of the roles?
1. Open Active Directory Sites and Services.
2. Expand the site in which the standby operations master is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
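As an added example (not code from the original page), this PowerShell script ties together the garbage collection attributes, the tombstone lifetime attribute and the "backup that is 4 months old" question above: it reads tombstoneLifetime and garbageCollPeriod from the Directory Service object in the configuration naming context and then reports whether a backup of a given age is still safe to restore. It assumes the ActiveDirectory module (RSAT) is available; the 60-day and 12-hour fallbacks are the values AD applies when the attributes are not set.

```powershell
# Added example, not from the original page. Reads the garbage collection
# settings from the forest and checks a backup's age against the tombstone lifetime.
Import-Module ActiveDirectory

function Get-DsGarbageCollectionSettings {
    # tombstoneLifetime and garbageCollPeriod live on
    # CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, garbageCollPeriod

    # When the attribute is absent AD behaves as if it were 60 days (older forests)
    # and collects garbage every 12 hours.
    $lifetimeDays = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    $periodHours  = if ($ds.garbageCollPeriod) { [int]$ds.garbageCollPeriod } else { 12 }

    [pscustomobject]@{
        TombstoneLifetimeDays  = $lifetimeDays
        GarbageCollPeriodHours = $periodHours
        ExplicitlySet          = [bool]$ds.tombstoneLifetime
    }
}

function Test-BackupRestorable {
    # A system-state backup older than the tombstone lifetime must not be restored:
    # objects deleted since then have already been garbage-collected on the other
    # DCs, so the restored copy would reintroduce them as lingering objects.
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    $ageDays = [int][math]::Floor(($Now - $BackupDate).TotalDays)
    [pscustomobject]@{
        BackupDate        = $BackupDate
        BackupAgeDays     = $ageDays
        TombstoneLifetime = $TombstoneLifetimeDays
        Restorable        = ($ageDays -lt $TombstoneLifetimeDays)
        DaysRemaining     = $TombstoneLifetimeDays - $ageDays
    }
}

$settings = Get-DsGarbageCollectionSettings
$settings | Format-List

# The case from the question above: a backup taken four months ago.
$check = Test-BackupRestorable -BackupDate (Get-Date).AddMonths(-4) -TombstoneLifetimeDays $settings.TombstoneLifetimeDays
$check | Format-List
if (-not $check.Restorable) {
    Write-Warning ("Backup is {0} days old, which exceeds the tombstone lifetime of {1} days; do not restore it." -f $check.BackupAgeDays, $check.TombstoneLifetime)
}
```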

What's the difference between transferring an FSMO role and seizing it?
Seizing an FSMO role can be a destructive process and should only be attempted if the existing server holding the FSMO role is no longer available. If you seize the FSMO roles from a DC, you need to ensure two things: that the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you seize an FSMO role and then bring the previous holder back online, you'll have a problem. An FSMO role transfer is the graceful movement of the roles from a live, working DC to another live DC. During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder.

I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v
(servername is the name of our DC)

What is a bridgehead server in AD?
A bridgehead server is a domain controller in each site which is used as a contact point to receive and replicate data between sites. For intersite replication, the KCC designates one of the domain controllers as a bridgehead server. In case that server is down, the KCC designates another one from the domain controllers. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.

What is the default size of ntds.dit?
10 MB in Server 2000 and 12 MB in Server 2003.

Where is the AD database held, and what other folders and files are related to AD?
The AD database is saved in %systemroot%\ntds. You can see other files in this folder as well. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10 MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've discussed.

What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a single operation master method called FSMO (Flexible Single Master Operation), as described in "Understanding FSMO Roles in Active Directory". In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Windows Server 2003 Active Directory is a bit different from the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.

What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change, mostly related to the new DFS replication engine). To update the schema, run the Adprep utility, which you'll find in the Components\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).

Here's a sample execution of the Adprep /forestprep command: D:\CMPNENTS\R2\ADPREP>adprep /forestprep ADPREP WARNING: Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later). QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption. [User Action] If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENT ER to quit. C Opened Connection to SAV DALDC01 SSPI Bind succeeded Current Schema Version is 30 Upgrading schema to version 31 Connecting to "SAVDALDC01" Logging in as current user using SSPI Importing directory from file "C:\WINDOWS\system32\sch31.ldf" Loading entries... 139 entries modified successfully. The command has completed successfully Adprep successfully updated the forest-wide information. After running Adprep, install R2 by performing these steps: 1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figureshows. 2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next. 3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key. 4. You'll see the setup summary screen which confirms the actions to be performed (e.g., Copy files). Click Next. 5. After the installation is complete, you'll see a confirmation dialog box. Click Finish What is OU ? 
Organization Unit is a container object in which you can keep objects such as user accounts, groups, computer, printer . applications and other (OU). In organization unit you can assign specific permission to the user's. organization unit can also be used to create departmental limitation.

Name some OU design considerations?
OU design requires balancing the requirement to delegate administrative rights (independent of Group Policy needs) against the need to scope the application of Group Policy. The following recommendations address delegation and scope: an OU is the lowest-level Active Directory container to which you can link Group Policy settings; delegate administrative authority at the OU level rather than handing out domain-wide rights; and keep the hierarchy shallow, usually no more than 3 OU levels deep.

What are sites? What are they used for?
A site is one or more well-connected (highly reliable and fast) TCP/IP subnets. Sites let administrators configure Active Directory access and replication topology to take advantage of the physical network. A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets. Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic. Sites can be linked to other sites. Site link objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource, and site links may also be assigned a schedule.

Trying to look at the Schema, how can I do that?
Register schmmgmt.dll, then load the snap-in:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc, add the Active Directory Schema snap-in and save the console as schema.msc; afterwards open it from Administrative Tools as schema.msc. Viewing the schema needs no special rights, but changing it requires membership in Schema Admins and is done against the schema master.

What is the port number of Kerberos? 88 (TCP and UDP).
What is the port number of the Global Catalog? 3268 (3269 over SSL/TLS).
What is the port number of LDAP? 389 (636 for LDAPS).

Explain Active Directory Schema?
Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called the "Schema". The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on. These objects are also known as "Classes". The Active Directory Schema is dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.

How can you forcibly remove AD from a server, and what do you do later?
With dcpromo /forceremoval an administrator can forcibly remove Active Directory and roll back the system without contacting, or replicating any locally held changes to, another DC in the forest. Reboot the server afterwards. Because the surviving domain controllers still hold all the metadata for the demoted DC, you must remove it manually with ntdsutil (metadata cleanup); if the NTDS Settings object is not removed correctly, use Ntdsutil.exe to remove that object as well. A forced removal does not transfer any FSMO roles the DC held, so seize those with ntdsutil on a surviving DC. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.

Can I get user passwords from the AD database?
Not in cleartext. ntds.dit stores password hashes (the NT hash, plus the LM hash unless LM hash storage is disabled), encrypted with a key derived from the boot key held in the SYSTEM registry hive. Anyone who obtains a copy of both files, for example from an unprotected DC backup or a volume shadow copy, can recover the hashes offline, which is why DC backups and administrative or physical access to DCs must be protected as tightly as the DCs themselves.

What are the FSMO roles? Who has them by default? What happens when each one fails?
There are five Flexible Single Master Operation (FSMO) roles: the Schema master and Domain naming master (one of each per forest), and the RID master, PDC emulator and Infrastructure master (one of each per domain). By default the first DC installed in the forest holds all five, and the first DC in each additional domain holds that domain's three. When a holder fails: without the schema master the schema cannot be extended; without the domain naming master domains cannot be added or removed; without the RID master, DCs that exhaust their RID pool can no longer create users, groups or computers; a failed PDC emulator is noticed quickly (password changes, account lockouts, time synchronization and legacy client logons); a failed infrastructure master leaves cross-domain group memberships stale in multi-domain forests. Roles can be transferred while the holder is online, or seized with ntdsutil if the holder is permanently lost (and a seized-from DC must never be brought back online).

What is a domain tree?
A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees. Trees can be viewed two ways: one view is the trust relationships between domains, the other is the namespace of the domain tree.

What is a forest?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS names.

How do you select the appropriate restore method?
You select the appropriate restore method by considering the circumstances and characteristics of the failure. From an Active Directory perspective the two major categories of failure are Active Directory data corruption and hardware failure. Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers, or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers. A lost or failed DC calls for a nonauthoritative restore (or simply a fresh promotion), whereas replicated accidental deletions call for an authoritative restore so that the restored objects win over the deletion on the other DCs.

Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
Active Directory replaces them. All domain controllers now share a multimaster, peer-to-peer read and write relationship, each hosting a copy of the Active Directory database.

What is the Global Catalog?
The Global Catalog holds a partial, read-only replica of every object in the forest. It is consulted during logon to resolve universal group membership and user principal names, and it answers searches for objects across the forest or tree (on port 3268). Every forest has at least one GC, hosted on a domain controller; by default this is the first DC in the forest. In Windows 2000 it was typical to place a GC in every site so that logons did not fail when the link to the rest of the network was down.

How long does it take for security changes to be replicated among the domain controllers?
Security-sensitive modifications are replicated within a site immediately (urgent replication) instead of waiting for the normal notification delay. These changes include account lockouts, changes to the domain account lockout and password policies, changes to domain controller computer account passwords, and modifications to Local Security Authority (LSA) secrets.

When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures: while access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

Describe the process of working with an external domain name?
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for its external namespace uses the name corp.internal for its internal namespace. The advantage of this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users because the namespaces do not reflect a relationship between resources inside and outside your network. In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.

Hardware RAID Levels

RAID Level | Minimum Number of Drives | Description | Strengths | Weaknesses
RAID 0 | 2 | Data striping without redundancy | Highest performance | No data protection; if one drive fails, all data is lost
RAID 1 | 2 | Disk mirroring | Very high performance; very high data protection; very minimal penalty on write performance | High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required
RAID 2 | Not used in LAN | No practical use | Previously used for RAM error correction (known as Hamming Code) and in disk drives before the use of embedded error correction | No practical use; the same performance can be achieved by RAID 3 at lower cost
RAID 3 | 3 | Byte-level data striping with dedicated parity drive | Excellent performance for large, sequential data requests | Not well suited for transaction-oriented network applications; the single parity drive does not support multiple simultaneous read and write requests
RAID 4 (not widely used) | 3 | Block-level data striping with dedicated parity drive | Data striping supports multiple simultaneous read requests | Write requests suffer from the same single-parity-drive bottleneck as RAID 3; RAID 5 offers equal data protection and better performance at the same cost
RAID 5 | 3 | Block-level data striping with distributed parity | Best cost/performance for transaction-oriented networks; very high performance, very high data protection; supports multiple simultaneous reads and writes; can also be optimized for large, sequential requests | Write performance is slower than RAID 0 or RAID 1
RAID 0/1 | 4 | Combination of RAID 0 (data striping) and RAID 1 (mirroring) | Highest performance, highest data protection (can tolerate multiple drive failures) | High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required; requires a minimum of four drives
RAID 1/0 | 4 | Combination of RAID 1 (mirroring) and RAID 0 (data striping) | Shares the same fault tolerance as RAID 1 (the basic mirror), but complements that fault tolerance with a striping mechanism that can yield very high read rates | High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required; requires a minimum of four drives

[Figure: layout diagrams for RAID 0, RAID 1 and RAID 5]

Windows DNS Server Interview Questions !

What is the main purpose of a DNS server?
DNS servers resolve fully qualified domain names (FQDNs) into IP addresses and, through reverse lookups, IP addresses into names.

What is the port number of DNS? 53 (UDP for ordinary queries; TCP for zone transfers and for responses too large for a single UDP datagram).

What is a forward lookup? Resolving host names to IP addresses.

What is a reverse lookup? Resolving an IP address to its host name, using the PTR records held in a reverse lookup zone (under in-addr.arpa).

What is a resource record? A record that provides information about a resource in the network infrastructure, for example an A, PTR, SRV, NS or SOA record.

What are the different DNS roles? Standard primary, standard secondary, and Active Directory integrated.

What is a zone? A zone is a contiguous subtree of the DNS database for which a given server is authoritative.

Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?
PTR records. Note that a PTR record only states what the owner of the reverse zone chose to publish; a service that relies on it should also look up the returned name forward and check that it maps back to the connecting address.

SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.

By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?
It sends a recursive query to the preferred DNS server configured on the network interface.

What are primary, secondary, stub and AD-integrated zones?
Primary zone: the read/write master copy of the zone database. When it is not AD-integrated it is saved as a text file (zonename.dns) in the %SystemRoot%\system32\dns folder.
Secondary zone: a read-only copy of the zone database on another DNS server, obtained by zone transfer. Provides fault tolerance and load balancing by acting as a backup to the primary server.
Stub zone: contains only the SOA, NS and glue A records needed to identify the authoritative servers for the zone, so queries can be sent straight to them instead of walking the namespace. It does not provide redundancy or load sharing.
AD-integrated zone: stored in the Active Directory database and replicated with multimaster AD replication, so every DNS server running on a DC can accept updates, and secure dynamic updates can be enforced.

How do you manually create SRV records in DNS?
On Windows Server, go to Run, type dnsmgmt.msc, right-click the zone you want to add the SRV record to, choose "Other New Records" and select Service Location (SRV).

What is the main purpose of SRV records?
SRV records are used in locating hosts that provide certain network services.

Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure?
The zone you created was not configured to allow dynamic updates, or the DNS client settings on the new DC do not point at the DNS server hosting that zone, so Netlogon could not register the records.

Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients?
The zone to be used for dynamic updates must be configured to allow dynamic updates. The DHCP server must support, and be configured to allow, dynamic updates on behalf of legacy clients.

At some point during the name resolution process, the requesting party received an authoritative reply. Which further actions are likely to be taken after this reply?
None: after receiving the authoritative reply (positive or a negative NXDOMAIN answer), the resolution process is effectively over.

Name 3 benefits of using AD-integrated zones.
Active Directory integrated DNS enables Active Directory storage and replication of DNS zone databases. The DNS server included with Windows 2000 Server and later accommodates storing zone data in Active Directory. When you configure a computer as a DNS server, zones are usually stored as text files on name servers, that is, all of the zones required by DNS are stored in a text file on the server computer. These text files must be synchronized among DNS name servers by using a system that requires a separate replication topology and schedule, called a zone transfer. However, if you use Active Directory integrated DNS when you configure a domain controller as a DNS name server, zone data is stored as an Active Directory object and is replicated as part of domain replication, with AD's multimaster model and secure dynamic update available to the zone.

Your company uses ten domain controllers, three of which are also used as DNS servers. You have one companywide AD-integrated zone, which contains several thousand resource records. This zone also allows dynamic updates, and it is critical to keep this zone up-to-date. Replication between domain controllers takes up a significant amount of bandwidth. You are looking to cut bandwidth usage for the purpose of replication. What should you do?
Change the replication scope of the zone to all DNS servers in the domain (the DomainDnsZones application partition), so the zone is replicated only to the three DNS servers instead of all ten domain controllers.

You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?

The DNS servers are not caching replies, the local client computers are not caching replies, or the cache.dns (root hints) file on the server has been corrupted.

What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
If your DNS topology includes Active Directory, use Active Directory integrated zones. Active Directory integrated zones enable you to store zone data in the Active Directory database. Because DNS replication between standard zones is single-master, the primary DNS server of a standard primary zone is a single point of failure. In an Active Directory integrated zone no single primary server is a single point of failure, because Active Directory uses multimaster replication: updates made to any domain controller are replicated to all domain controllers, so every DNS server hosting the zone always has the current zone data. Active Directory integrated zones: enable you to secure zones by using secure dynamic update; provide increased fault tolerance, since every Active Directory integrated zone can be replicated to all domain controllers within the Active Directory domain or forest and all DNS servers running on those domain controllers can act as primary servers for the zone and accept dynamic updates; and use replication that propagates changed data only, compresses replicated data, and reduces network traffic. If you have an Active Directory infrastructure, you can only use Active Directory integrated zones on Active Directory domain controllers. If you are using Active Directory integrated zones, you must decide whether or not to store them in an application directory partition. You can combine Active Directory integrated zones and file-based zones in the same design. For example, if the DNS server that is authoritative for the private root zone is running on an operating system other than Windows Server 2003 or Windows 2000, it cannot act as an Active Directory domain controller, so you must use file-based zones on that server. However, you can delegate this zone to any domain controller running either Windows Server 2003 or Windows 2000.
You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.
The DC's own DNS client settings do not point at a DNS server that hosts the zone (the first DC should point at itself if it runs DNS); the DNS Server service is not running; the zone does not allow dynamic updates; or the Netlogon service has not attempted registration yet. Restart Netlogon (or run nltest /dsregdns) and compare the zone against %SystemRoot%\System32\Config\Netlogon.dns, which lists the records the DC is trying to register.

What are the benefits and scenarios of using stub zones?
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces. A stub zone consists of:
- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone. The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.
Use stub zones to:
- Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server hosting both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
- Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers without needing to query the Internet or an internal root server for the DNS namespace.
- Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones and are not an alternative when considering redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
- The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
- The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records.
When a DNS server loads a stub zone, such as widgets.example.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.example.com. The list of master servers may contain a single server or multiple servers and can be changed at any time.

What are the benefits and scenarios of using Conditional Forwarding? Rather than having a DNS server forward all queries it cannot resolve to forwarders, the DNS server can forward queries for different domain names to different DNS servers according to the specific domain names that are contained in the queries. Forwarding according to these domain-name conditions improves conventional forwarding by adding a second condition to the forwarding process. A conditional forwarder setting consists of a domain name and the IP address of one or more DNS servers. To configure a DNS server for conditional forwarding, a list of domain names is set up on the Windows Server 2003-based DNS server along with the DNS server IP address. When a DNS client or server performs a query operation against a Windows Server 2003- based DNS server that is configured for forwarding, the DNS server looks to see if the query can be resolved by using its own zone data or the zone data that is stored in its cache, and then, if the DNS server is configured to forward for the domain name that is designated in the query (a match), the query is forwarded to the IP address of a DNS Server that is associated with the domain name. If the DNS server has no domain name listed for the name that is designated in the query, it attempts to resolve the query by using standard recursion.
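The decision order described above (own zone data, then cache, then a conditional forwarder whose domain matches the query, then ordinary forwarding or recursion), as an added example that is not part of the original page. The zone names, cache entries and forwarder addresses are constructed sample values, not a real configuration. The one point the prose leaves implicit and the code makes explicit is that the match is on whole labels, so a query for notpartner.example must not be sent to the forwarder configured for partner.example:

```python
"""Model of a Windows DNS server's lookup order with conditional forwarders.

Added example, not from the original page. All names and addresses below are
constructed sample data.
"""
from typing import Optional

# Constructed sample configuration.
AUTHORITATIVE_ZONES = {"corp.internal"}
CACHE = {"www.contoso.com": "203.0.113.10"}
# Conditional forwarders: domain name -> DNS server IP addresses for that domain.
CONDITIONAL_FORWARDERS = {
    "partner.example": ["192.0.2.53", "192.0.2.54"],
    "eu.partner.example": ["198.51.100.53"],
}
DEFAULT_FORWARDERS = ["203.0.113.53"]


def in_domain(qname: str, domain: str) -> bool:
    """True if qname is domain itself or lies below it on a label boundary."""
    qname, domain = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return qname == domain or qname.endswith("." + domain)


def match_conditional_forwarder(qname: str, forwarders=CONDITIONAL_FORWARDERS) -> Optional[str]:
    """Most specific configured forwarder domain that covers qname, or None."""
    matches = [d for d in forwarders if in_domain(qname, d)]
    return max(matches, key=len) if matches else None


def resolve_path(qname: str) -> tuple:
    """Describe how the server handles qname as (method, detail)."""
    # 1. Answer from a zone the server is authoritative for.
    for zone in AUTHORITATIVE_ZONES:
        if in_domain(qname, zone):
            return ("authoritative", zone)
    # 2. Answer from cache.
    key = qname.rstrip(".").lower()
    if key in CACHE:
        return ("cache", CACHE[key])
    # 3. Conditional forwarder for the domain named in the query.
    domain = match_conditional_forwarder(qname)
    if domain is not None:
        return ("conditional-forward", CONDITIONAL_FORWARDERS[domain])
    # 4. Otherwise ordinary forwarders if any, else standard recursion from root hints.
    if DEFAULT_FORWARDERS:
        return ("forward", DEFAULT_FORWARDERS)
    return ("recursion", "root hints")
```

With two overlapping forwarder entries, the longer match wins, so a query under eu.partner.example goes to the EU server rather than the generic partner.example one.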

What is the 224.0.1.24 address used for?
It is the WINS server group multicast address, used to support auto discovery and dynamic configuration of replication for WINS servers. For more information, see WINS replication overview.

Describe the importance of DNS to AD?
When Microsoft began development on Active Directory, full compatibility with the domain name system (DNS) was a critical priority. Active Directory was built from the ground up not just to be fully compatible with DNS but to be so integrated with it that one cannot exist without the other. Microsoft's direction in this case did not just happen by chance, but because of the central role that DNS plays in Internet name resolution and Microsoft's desire to make its product lines embrace the Internet. While fully conforming to the standards established for DNS, Active Directory can expand upon the standard feature set of DNS and offer some new capabilities such as AD-integrated DNS, which greatly eases the administration required for DNS environments. In addition, Active Directory can easily adapt to exist in a foreign DNS environment, such as Unix BIND, as long as the BIND version is 8.2.x or higher (the versions that support SRV records and dynamic update).

What is the "in-addr.arpa" zone used for?
In a Domain Name System (DNS) environment, it is common for a user or an application to request a reverse lookup, that is, the host name for a given IP address. The following is quoted from RFC 1035: "The Internet uses a special domain to support gateway location and Internet address to host mapping. Other classes may employ a similar strategy in other domains. The intent of this domain is to provide a guaranteed method to perform host address to host name mapping, and to facilitate queries to locate all gateways on a particular network on the Internet. The domain begins at IN-ADDR.ARPA and has a substructure which follows the Internet addressing structure. Domain names in the IN-ADDR.ARPA domain are defined to have up to four labels in addition to the IN-ADDR.ARPA suffix. Each label represents one octet of an Internet address, and is expressed as a character string for a decimal value in the range 0-255 (with leading zeros omitted except in the case of a zero octet which is represented by a single zero). Host addresses are represented by domain names that have all four labels specified."
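The in-addr.arpa naming rule just quoted, as an added example that is not part of the original page: build the PTR owner name for an address and the zone name for a network, read a small reverse zone written in the same style as the page's own 10.150.IN-ADDR.ARPA entry (the zone text and the forward data are constructed samples), and apply the check that the answer to "secure services require reverse resolution" should always include: confirm the PTR name forward, because the reverse zone is written by whoever controls that address range, not by you.

```python
"""Reverse (in-addr.arpa) names, a minimal PTR zone reader, and forward confirmation.

Added example, not from the original page. SAMPLE_ZONE and FORWARD are
constructed data modelled on the page's "1.20 IN PTR WS1.ACME.COM." entry.
"""
import ipaddress

SUFFIX = ".in-addr.arpa"


def reverse_name(ip: str) -> str:
    """Owner name a resolver queries for the PTR record of an IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + SUFFIX


def reverse_zone_name(network: str) -> str:
    """Name of the reverse lookup zone for an octet-aligned network (/8, /16 or /24)."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("non-octet prefixes need RFC 2317 classless delegation")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + SUFFIX


def parse_ptr_zone(origin: str, text: str) -> dict:
    """Map IPv4 address -> host name for the PTR records of one reverse zone.

    Owner names without a trailing dot are relative to the origin, so "1.20"
    in 10.150.in-addr.arpa is 1.20.10.150.in-addr.arpa, i.e. 150.10.20.1.
    """
    origin = origin.rstrip(".").lower()
    mapping = {}
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()          # drop comments, tokenize
        if len(parts) < 4 or parts[-3].upper() != "IN" or parts[-2].upper() != "PTR":
            continue                                   # "<owner> [ttl] IN PTR <target>" only
        owner, target = parts[0], parts[-1]
        full = owner.rstrip(".").lower() if owner.endswith(".") else f"{owner.lower()}.{origin}"
        if not full.endswith(SUFFIX):
            continue
        labels = full[: -len(SUFFIX)].split(".")
        if len(labels) != 4:
            continue                                   # partial names carry no host address
        ip = str(ipaddress.IPv4Address(".".join(reversed(labels))))
        mapping[ip] = target.rstrip(".").lower()
    return mapping


def forward_confirmed(ip: str, ptr_mapping: dict, forward: dict) -> bool:
    """True only if the PTR name for ip also resolves forward to ip (FCrDNS)."""
    name = ptr_mapping.get(ip)
    return name is not None and ip in forward.get(name, ())


SAMPLE_ZONE = """\
; constructed sample: zone 10.150.in-addr.arpa for network 150.10.0.0/16
1.20    3600 IN PTR WS1.ACME.COM.
2.20         IN PTR ws2.acme.com.
5.1.10.150.in-addr.arpa. IN PTR dc1.corp.internal.
9.9          IN PTR trusted.corp.internal.   ; claims a name that does not point back
"""
# Constructed stand-in for the answers forward (A record) lookups would return.
FORWARD = {
    "ws1.acme.com": {"150.10.20.1"},
    "ws2.acme.com": {"150.10.20.2"},
    "dc1.corp.internal": {"150.10.1.5"},
    "trusted.corp.internal": {"150.10.1.7"},
}
```

The last zone entry shows why forward confirmation matters: 150.10.9.9 advertises itself as trusted.corp.internal, but that name resolves to a different address, so an access decision based on the PTR alone would be fooled.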
Reverse lookup files use the structure specified in RFC 1035. For example, if you have the network 150.10.0.0, the reverse lookup zone for this network is 10.150.IN-ADDR.ARPA. Any host with an IP address in the 150.10.0.0 network will have a PTR ('pointer') entry in 10.150.IN-ADDR.ARPA referencing the host name for that IP address. A single IN-ADDR.ARPA zone may contain entries for hosts in many domains. Consider the following scenario: there is a reverse lookup file 10.150.IN-ADDR.ARPA containing the entry 1.20 IN PTR WS1.ACME.COM. The owner name 1.20 is relative to the zone, so this entry maps 150.10.20.1 to WS1.ACME.COM.

What are the requirements from DNS to support AD?
When you install Active Directory on a member server, the member server is promoted to a domain controller. Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain

IP addresses of domain controllers. During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS, which are necessary for the successful functionality of the domain controller locator (Locator) mechanism. To find domain controllers in a domain or forest, a client queries DNS for the SRV and A DNS resource records of the domain controller, which provide the client with the names and IP addresses of the domain controllers. In this context, the SRV and A resource records are referred to as Locator DNS resource records. When adding a domain controller to a forest, you are updating a DNS zone hosted on a DNS server with the Locator DNS resource records and identifying the domain controller. For this reason, the DNS zone must allow dynamic updates (RFC 2136) and the DNS server hosting that zone must support the SRV resource records (RFC 2782) to advertise the Active Directory directory service. For more information about RFCs, see DNS RFCs. If the DNS server hosting the authoritative DNS zone is not a server running Windows 2000 or Windows Server 2003, contact your DNS administrator to determine if the DNS server supports the required standards. If the server does not support the required standards, or the authoritative DNS zone cannot be configured to allow dynamic updates, then modification is required to your existing DNS infrastructure. For more information, see Checklist: Verifying DNS before installing Active Directory and Using the Active Directory Installation Wizard. Important The DNS server used to support Active Directory must support SRV resource records for the Locator mechanism to function. For more information, see Managing resource records. It is recommended that the DNS infrastructure allows dynamic updates of Locator DNS resource records (SRV and A) before installing Active Directory, but your DNS administrator may add these resource records manually after installation. 
After installing Active Directory, these records can be found on the domain controller in the following location: systemroot\System32\Config\Netlogon.dns.

What does a zone consist of and why do we require a zone?
A zone consists of the resource records for a contiguous portion of the DNS namespace. Zones are the unit of authority and delegation: they let different servers, and different administrators, be responsible for different parts of the namespace.

What is a caching-only server?
When we install 2000 & 2003 server it is configured as caching only server where it maintains the frequently accessed sites information and again when we access the same site for next time it is obtain from cached information instead of going to the actual site. What is forwarder? When one DNS server can?t receive the query it can be forwarded to another DNS once configured as forwarder. What is secondary DNS Server? It is backup for primary DNS where it maintains a read only copy of DNS database.

How do you enable dynamic updates in DNS?
Start > Programs > Administrative Tools > DNS > Zone properties.

What are the properties of a DNS server?
Interfaces, Forwarders, Advanced, Routings, Security, Monitoring, Logging, Debug Logging.

What are the properties of a zone?
General, SOA, Name Servers, WINS, Security, and Zone Transfers.

What is scavenging?
Finding and deleting unwanted records.

What are SRV records?
SRV records are the service records; there are 6 service records. They are useful for locating services.
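As an added example (not code from the page or from Microsoft), here is a Python parser for Locator records in the text form that Netlogon.dns uses, the RFC 2782 priority/weight ordering a client applies to the answers, and a check that a given DC registered the records clients need. The example.com domain, the dc1/dc2 names and the record set are constructed, and dc2 is deliberately missing its _kerberos record.

```python
"""Locator (SRV) records: parse the Netlogon.dns text form, order targets per
RFC 2782, and check that a DC registered what clients need.
Added example for this page, not Microsoft's code; the record set below is
constructed (example.com, dc1, dc2) and dc2 deliberately lacks its _kerberos record."""
import random
import re
from collections import defaultdict

SAMPLE_NETLOGON_DNS = """\
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
_gc._tcp.example.com. 600 IN SRV 10 0 3268 dc2.example.com.
"""

# "owner TTL IN SRV priority weight port target", one record per line
SRV_LINE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
                      r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$")
INT_FIELDS = ("ttl", "priority", "weight", "port")

# Registered by every DC (the _gc name only by global catalog servers, so it is
# left out); this is a subset of the full list a DC writes to Netlogon.dns.
REQUIRED_FOR_DC = ("_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_ldap._tcp.dc._msdcs.{d}")


def parse_netlogon_dns(text):
    """Return {owner name: [record dict, ...]}; names are lower-cased, ';' lines skipped."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m is None:
            raise ValueError("not an SRV record line: %r" % line)
        rec = {k: int(v) if k in INT_FIELDS else v.lower() for k, v in m.groupdict().items()}
        records[rec["owner"]].append(rec)
    return dict(records)


def rfc2782_order(srv_records, seed=None):
    """Order (target, port) pairs the way RFC 2782 tells a client to: ascending
    priority, and within one priority a weighted random draw in which weight 0
    means "only if nothing else is left"."""
    rng = random.Random(seed)
    by_priority = defaultdict(list)
    for rec in srv_records:
        by_priority[rec["priority"]].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        # zero-weight records go first so they are hit only when the draw is 0
        pool = sorted(by_priority[prio], key=lambda r: r["weight"] != 0)
        while pool:
            draw = rng.randint(0, sum(r["weight"] for r in pool))
            running = 0
            for rec in pool:
                running += rec["weight"]
                if running >= draw:
                    ordered.append((rec["target"], rec["port"]))
                    pool.remove(rec)
                    break
    return ordered


def locate_dcs(records, domain, seed=None):
    """What the Locator does first: query _ldap._tcp.dc._msdcs.<domain>."""
    owner = "_ldap._tcp.dc._msdcs.%s." % domain.rstrip(".").lower()
    return rfc2782_order(records.get(owner, []), seed)


def missing_locator_records(records, domain, dc_fqdn):
    """Owner names from REQUIRED_FOR_DC that have no record pointing at dc_fqdn.
    A non-empty result is the "SRV records do not appear in the zone" symptom."""
    d = domain.rstrip(".").lower() + "."
    target = dc_fqdn.rstrip(".").lower() + "."
    missing = []
    for pattern in REQUIRED_FOR_DC:
        owner = pattern.format(d=d)
        if not any(r["target"] == target for r in records.get(owner, [])):
            missing.append(owner)
    return missing


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    print("DC order:", locate_dcs(recs, "example.com"))
    for dc in ("dc1.example.com", "dc2.example.com"):
        print(dc, "missing:", missing_locator_records(recs, "example.com", dc))
```

Running it against a real Netlogon.dns copied from a DC shows which of the required names never made it into the zone, which is the first thing to check when dynamic registration is suspected to have failed.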

What are the types of SRV records?
MSDCS: Contains DC information.
TCP: Contains Global Catalog, Kerberos and LDAP information.
UDP: Contains Sites information.
Sites: Contains Sites information.
Domain DNS Zone: Contains the domain's DNS-specific information.
Forest DNS Zone: Contains forest-specific information.

Where does a hosts file reside?
c:\windows\system32\drivers\etc

What is SOA?
Start of Authority: useful when a zone starts. It provides the zone startup information.

What is a query?
A request made by the DNS client to provide the name server information.

What are the different types of queries?
Recursion, iteration.

Tools for troubleshooting DNS?
DNS console, NSLOOKUP, DNSCMD, IPCONFIG, logs.

What is a WINS server? Where do we use a WINS server? What is the difference between DNS and WINS?
WINS is the Windows Internet Name Service, used to resolve a NetBIOS (computer) name to an IP address. It is proprietary to Windows and is used in a LAN. DNS is a Domain Naming System, which resolves host names to IP addresses. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names.

What is new in Windows Server 2003 regarding DNS management?
When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.

SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.

By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?
It performs a recursive search through the primary DNS server based on the network interface configuration.

How do I clear the DNS cache on the DNS server?
Go to the command prompt and type ipconfig /flushdns.

What is the main purpose of SRV records?
SRV records are used in locating hosts that provide certain network services.

Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure?
The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates.

What is the "." zone in my forward lookup zone?
This setting designates the Windows 2000 or Windows Server 2003 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.

Do I need to configure forwarders in DNS?
No. By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. Most of the time, when you configure forwarders, DNS performance and efficiency increase, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems. The root hint server can provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection. Windows Server 2003 DNS will query root hint servers if it cannot query the forwarders.

Should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers?
No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the domain controller in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 domain controller running DNS. If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN.

Do I need to point computers that are running Windows NT 4.0 or Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows 98 Second Edition to the Windows 2000 or Windows Server 2003 DNS server?
Legacy operating systems continue to use NetBIOS for name resolution to find a domain controller; however, it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution.

What if my Windows 2000 or Windows Server 2003 DNS server is behind a proxy server or firewall?
If you are able to query the ISP's DNS servers from behind the proxy server or firewall, the Windows 2000 or Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP port 53 should be open on the proxy server or firewall.

What should I do if the domain controller points to itself for DNS, but the SRV records still do not appear in the zone?
Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools from the Windows 2000 Server or Windows Server 2003 CD-ROM to run Netdiag.exe.

How do I set up DNS for a child domain?
To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server. Note: Windows Server 2003 has additional types of zones, such as stub zones and forest-level Active Directory-integrated zones, that may be a better fit for your environment. Set the child domain controller to point to itself first. As soon as an additional domain controller is available, set the child domain controller to point to this domain controller in the child domain as its secondary.

What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network.

What is the DHCP process for a client machine?
1. A user turns on a computer with a DHCP client.
2. The client computer sends a broadcast request (called a DISCOVER or DHCPDISCOVER), looking for a DHCP server to answer.
3. The router directs the DISCOVER packet to the correct DHCP server.
4. The server receives the DISCOVER packet. Based on availability and usage policies set on the server, the server determines an appropriate address (if any) to give to the client. The server then temporarily reserves that address for the client and sends back to the client an OFFER (or DHCPOFFER) packet with that address information. The server also configures the client's DNS servers, WINS servers, NTP servers, and sometimes other services as well.
5. The client sends a REQUEST (or DHCPREQUEST) packet, letting the server know that it intends to use the address.
6. The server sends an ACK (or DHCPACK) packet, confirming that the client has been given a lease on the address for a server-specified period of time.
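The six steps above as working code, added here and not part of the original page: a Python encoder and decoder for DHCP messages (RFC 2131 fixed header plus RFC 2132 options, magic cookie included) and an in-memory scope that answers DISCOVER with OFFER and REQUEST with ACK, so the client ends up with an address, lease time, router, DNS servers and domain name. The 192.0.2.x addresses, MAC addresses and example.com are constructed; step 3 (the relay through a router) is left out, and the exchange is done with function calls instead of UDP ports 67 (server) and 68 (client).

```python
"""DHCP DISCOVER/OFFER/REQUEST/ACK (RFC 2131 header, RFC 2132 options). Added
example for this page, not Microsoft's code; every address, MAC and name is constructed."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                  # option-field cookie (RFC 2132)
BOOTREQUEST, BOOTREPLY = 1, 2                # op: client -> server / server -> client
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types
OPT_ROUTER, OPT_DNS, OPT_DOMAIN = 3, 6, 15   # scope options handed out in step 4
OPT_REQ_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 51, 53, 54


def ip_bytes(addr):
    return ipaddress.IPv4Address(addr).packed


def build(op, xid, mac, yiaddr="0.0.0.0", options=()):
    """Serialize one message: 236-byte fixed header, cookie, TLV options, END."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # htype 1, hlen 6, broadcast flag
    hdr += b"\0" * 4 + ip_bytes(yiaddr) + b"\0" * 8            # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(mac.replace(":", "")) + b"\0" * 10     # chaddr padded to 16 bytes
    hdr += b"\0" * 192                                          # sname + file, unused here
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"


def parse(pkt):
    """Decode the header fields used here plus the option list; rejects a bad cookie."""
    op, _, _, _, xid = struct.unpack_from("!BBBBI", pkt, 0)
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while pkt[i] != 0xFF:                    # END option
        if pkt[i] == 0:                      # PAD option carries no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
            "mac": ":".join("%02x" % b for b in pkt[28:34]), "options": opts}


class Scope:
    """A normal scope: one address range plus the options every lease carries."""

    def __init__(self, server_id, first, last, router, dns, domain, lease=8 * 3600):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
        self.offered, self.leased = {}, {}   # mac -> address: temporary / confirmed
        self.server_id = ip_bytes(server_id)
        self.common = [(OPT_SERVER_ID, self.server_id), (OPT_LEASE, struct.pack("!I", lease)),
                       (OPT_ROUTER, ip_bytes(router)),
                       (OPT_DNS, b"".join(ip_bytes(d) for d in dns)), (OPT_DOMAIN, domain.encode())]

    def reply(self, msg, kind, addr):
        return build(BOOTREPLY, msg["xid"], msg["mac"], addr,
                     [(OPT_MSG_TYPE, bytes([kind]))] + self.common)

    def handle(self, pkt):
        """Steps 4 and 6 of the process above; None means the server stays silent."""
        msg = parse(pkt)
        kind = msg["options"].get(OPT_MSG_TYPE, b"\0")[0]
        if kind == DISCOVER:
            addr = self.offered.get(msg["mac"]) or self.leased.get(msg["mac"])
            if addr is None:
                if not self.free:
                    return None              # scope exhausted: no OFFER
                addr = self.free.pop(0)
            self.offered[msg["mac"]] = addr  # temporary reservation until REQUEST arrives
            return self.reply(msg, OFFER, addr)
        if kind == REQUEST:
            if msg["options"].get(OPT_SERVER_ID) != self.server_id:
                return None                  # client accepted another server's offer
            wanted = msg["options"].get(OPT_REQ_IP)
            if wanted is None or self.offered.get(msg["mac"]) != str(ipaddress.IPv4Address(wanted)):
                return None                  # not what we offered (a real server would NAK)
            self.leased[msg["mac"]] = self.offered.pop(msg["mac"])
            return self.reply(msg, ACK, self.leased[msg["mac"]])
        return None


def dora(scope, mac, xid=0x3903F326):
    """Client side of steps 2, 5 and 6; returns the settings the client ends up with."""
    offer_pkt = scope.handle(build(BOOTREQUEST, xid, mac, options=[(OPT_MSG_TYPE, bytes([DISCOVER]))]))
    if offer_pkt is None:
        raise RuntimeError("no OFFER received")
    offer = parse(offer_pkt)
    ack_pkt = scope.handle(build(BOOTREQUEST, xid, mac, options=[
        (OPT_MSG_TYPE, bytes([REQUEST])), (OPT_REQ_IP, ip_bytes(offer["yiaddr"])),
        (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])]))
    ack = parse(ack_pkt) if ack_pkt else None
    if ack is None or ack["options"].get(OPT_MSG_TYPE) != bytes([ACK]):
        raise RuntimeError("lease not confirmed")
    o = ack["options"]
    return {"address": ack["yiaddr"], "lease_seconds": struct.unpack("!I", o[OPT_LEASE])[0],
            "router": str(ipaddress.IPv4Address(o[OPT_ROUTER])),
            "dns": [str(ipaddress.IPv4Address(o[OPT_DNS][i:i + 4])) for i in range(0, len(o[OPT_DNS]), 4)],
            "domain": o[OPT_DOMAIN].decode()}
```

A second DISCOVER from a client that already holds a lease gets the same address back, and a DISCOVER against an exhausted scope gets no OFFER at all, which is what a client sees as "no DHCP server responded".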

What is a DHCP scope?
DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients.

What are the types of scopes in Windows DHCP?
Normal Scope - Allows Class A, B and C IP address ranges to be specified, including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.
Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservations or other TCP/IP options. Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).
Superscope - Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.

What is authorizing DHCP servers in Active Directory?
If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized. This can be achieved either as part of the DHCP Server role installation, or subsequently using either the DHCP console or the netsh tool at the command prompt. If the DHCP server was not authorized during installation, invoke the DHCP console (Start -> All Programs -> Administrative Tools -> DHCP), right-click the DHCP server to be authorized and select Authorize. To achieve the same result from the command prompt, enter the following command:

netsh dhcp server serverID initiate auth

In the above command syntax, serverID is replaced by the IP address or full UNC name of the system on which the DHCP server is installed.

What ports are used by DHCP and the DHCP clients?
Requests are on UDP port 68, server replies on UDP 67.

Benefits of using DHCP
DHCP provides the following benefits for administering your TCP/IP-based network:
Safe and reliable configuration. DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network.
Reduces configuration management. Using DHCP servers can greatly decrease the time spent configuring and reconfiguring computers on your network. Servers can be configured to supply a full range of additional configuration values when assigning address leases. These values are assigned using DHCP options. Also, the DHCP lease renewal process helps assure that where client configurations need to be updated often (such as users with mobile or portable computers who change locations frequently), these changes can be made efficiently and automatically by clients communicating directly with DHCP servers.

The following section covers issues that affect the use of the DHCP Server service with other services or network configurations: using DNS servers with DHCP, using Routing and Remote Access servers with DHCP, and multihomed DHCP servers.

Describe the process of installing a DHCP server in an AD infrastructure.
Open the Windows Components Wizard. Under Components, scroll to and click Networking Services. Click Details. Under Subcomponents of Networking Services, click Dynamic Host Configuration Protocol (DHCP) and then click OK. Click Next. If prompted, type the full path to the Windows Server 2003 distribution files, and then click Next. The required files are copied to your hard disk.

How do you authorize a DHCP server in Active Directory?
Open DHCP. In the console tree, click DHCP. On the Action menu, click Manage authorized servers. The Manage Authorized Servers dialog box appears. Click Authorize. When prompted, type the name or IP address of the DHCP server to be authorized, and then click OK.

What is DHCPINFORM?
DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While PPP remote access clients do not use DHCP to obtain IP addresses for the remote access connection, Windows 2000 and Windows 98 remote access clients use the DHCPInform message to obtain DNS server IP addresses, WINS server IP addresses, and a DNS domain name. The DHCPInform message is sent after the IPCP negotiation is concluded. The DHCPInform message received by the remote access server is then forwarded to a DHCP server. The remote access server forwards DHCPInform messages only if it has been configured with the DHCP Relay Agent.

Describe the integration between DHCP and DNS.
Traditionally, DNS and DHCP servers have been configured and managed one at a time. Similarly, changing authorization rights for a particular user on a group of devices has meant visiting each one and making configuration changes. DHCP integration with DNS allows the aggregation of these tasks across devices, enabling a company's network services to scale in step with the growth of network users, devices, and policies, while reducing administrative operations and costs. This integration provides practical operational efficiencies that lower total cost of ownership. Creating a DHCP network automatically creates an associated DNS zone, for example, reducing the number of tasks required of network administrators. And integration of DNS and DHCP in the same database instance provides unmatched consistency between service and management views of IP address-centric network services data.

DNS Interview Questions and Answers

1. Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?
2. What is the main purpose of a DNS server?
3. SOA records must be included in every zone. What are they used for?
4. By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?
5. What is the main purpose of SRV records?
6. Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure?
7. Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients?
8. At some point during the name resolution process, the requesting party received an authoritative reply. Which further actions are likely to be taken after this reply?
9. Your company uses ten domain controllers, three of which are also used as DNS servers. You have one company-wide AD-integrated zone, which contains several thousand resource records. This zone also allows dynamic updates, and it is critical to keep this zone up to date. Replication between domain controllers takes up a significant amount of bandwidth. You are looking to cut bandwidth usage for the purpose of replication. What should you do?
10. You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?

Answers
1. PTR records.
2. DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.
3. SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.
4. Performs a recursive search through the primary DNS server based on the network interface configuration.
5. SRV records are used in locating hosts that provide certain network services.
6. The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates.
7. The zone to be used for dynamic updates must be configured to allow dynamic updates. The DHCP server must support, and be configured to allow, dynamic updates for legacy clients.
8. After receiving the authoritative reply, the resolution process is effectively over.
9. Change the replication scope to all DNS servers in the domain.
10. DNS servers are not caching replies. Local client computers are not caching replies. The cache.dns file may have been corrupted on the server.
What is Active Directory Domain Services 2008?
Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.

What is the SYSVOL folder?
The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest. This is a quote from Microsoft themselves; basically, the domain controller information stored in files, like your Group Policy data, is replicated through this folder structure.

What's new in Windows Server 2008 Active Directory Domain Services?
Active Directory Domain Services in Windows Server 2008 provides a number of enhancements over previous versions, including these:
Auditing: AD DS auditing has been enhanced significantly in Windows Server 2008. The enhancements provide more granular auditing capabilities through four new auditing categories: Directory Services Access, Directory Services Changes, Directory Services Replication, and Detailed Directory Services Replication. Additionally, auditing now provides the capability to log old and new values of an attribute when a successful change is made to that attribute.
Fine-Grained Password Policies: AD DS in Windows Server 2008 now provides the capability to create different password and account lockout policies for different sets of users in a domain. User and group password and account lockout policies are defined and applied via a Password Settings Object (PSO). A PSO has attributes for all the settings that can be defined in the Default Domain Policy, except Kerberos settings. PSOs can be applied to both users and groups.
Read-Only Domain Controllers: AD DS in Windows Server 2008 introduces a new type of domain controller called a read-only domain controller (RODC). RODCs contain a read-only copy of the AD DS database. RODCs are covered in more detail in Chapter 6, Manage Sites and Replication.
Restartable Active Directory Domain Services: AD DS in Windows Server 2008 can now be stopped and restarted through MMC snap-ins and the command line. The restartable AD DS service reduces the time required to perform certain maintenance and restore operations. Additionally, other services running on the server remain available to satisfy client requests while AD DS is stopped.
AD DS Database Mounting Tool: AD DS in Windows Server 2008 comes with an AD DS database mounting tool, which provides a means to compare data as it exists in snapshots or backups taken at different times. The AD DS database mounting tool eliminates the need to restore multiple backups to compare the AD data that they contain, and provides the capability to examine any change made to data stored in AD DS.

What is the Global Catalog?
A global catalog server is a domain controller. It is a master searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. It has two important functions:
* Provides group membership information during logon and authentication
* Helps users locate resources in Active Directory

What are RODCs? And what are the major benefits of using RODCs?
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database. Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources. Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:
* Improved security
* Faster logon times
* More efficient access to resources on the network

What does an RODC do?
Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller. However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications. In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller. An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest. You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.

What is REPADMIN?
Repadmin.exe: Replication Diagnostics Tool. This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors. Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems.

What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

KCC
The KCC is a built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

How do you view replication properties for AD?
By using Active Directory Replication Monitor. Start > Run > Replmon

What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.

Name some OU design considerations.
OU design requires balancing requirements for delegating administrative rights independent of Group Policy needs and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
Applying Group Policy: An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
Delegating administrative authority: usually don't go more than 3 OU levels. http://technet.microsoft.com/en-us/library/cc783140.aspx

What are FSMO roles? List them.
FSMO roles are server roles in a forest. There are five types of FSMO roles:
1. Schema master
2. Domain naming master
3. RID master
4. PDC Emulator
5. Infrastructure master

Logical Diagram of Active Directory?

What is the difference between a child domain and an additional domain server?
Well, if you know what a domain is then you have half the answer. Say you have the domain Microsoft.com. Now Microsoft has a server named server1 in that domain, which happens to be the parent domain. So its FQDN is server1.microsoft.com. If you add an additional domain server and name it server2, then its FQDN is server2.microsoft.com. Now Microsoft is big, so it has offices in Europe and Asia. So they make child domains for them, and their FQDNs would look like this: europe.microsoft.com & asia.microsoft.com. Now let's say each of them has a server in those child domains named server1. Their FQDNs would then look like this: server1.europe.microsoft.com & server1.asia.microsoft.com.

What are Active Directory groups?
Groups are containers that contain user and computer objects within them as members. When security permissions are set for a group in the Access Control List on a resource, all members of that group receive those permissions. Domain groups enable centralized administration in a domain.
All domain groups are created on a domain controller. In a domain, Active Directory provides support for different types of groups and group scopes. The group type determines the type of task that you manage with the group. The group scope determines whether the group can have members from multiple domains or a single domain.

Group Types
* Security groups: Use security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.
* Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to security groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.

Group Scopes
Group scope normally describes which type of users should be grouped together in a way that is easy for their administration. Therefore, in a domain, groups play an important part. One group can be a member of other group(s), which is normally known as group nesting. One or more groups can be members of any group in the entire domain(s) within a forest.
* Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. Domain local group memberships are not limited, as you can add members as user accounts, universal and global groups from any domain. Just to remember, nesting cannot be done in a domain local group. A domain local group will not be a member of another domain local or any other group in the same domain.
* Global Group: Users with a similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in the local or another domain in the same forest. To say it in simple words, global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest, as their memberships are limited. User accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible in global groups within other groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain-specific resources (like printers and published folders), they can be members of a domain local group. Global groups exist in all mixed, native and interim functional levels of domains and forests.
* Universal Group Scope: These groups are precisely used for e-mail distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or domain local group in any domain.

What are the types of backup? Explain each.
Incremental: A normal incremental backup will only back up files that have been changed since the last backup of any type. This provides the quickest means of backup, since it only makes copies of files that have not yet been backed up. For instance, following our full backup on Friday, Monday's tape will contain only those files changed since Friday. Tuesday's tape contains only those files changed since Monday, and so on. The downside to this is obviously that in order to perform a full restore, you need to restore the last full backup first, followed by each of the subsequent incremental backups to the present day in the correct order. Should any one of these backup copies be damaged (particularly the full backup), the restore will be incomplete.

Differential: A cumulative backup of all changes made after the last full backup. The advantage is the quicker recovery time: only the last full backup and the latest differential backup are needed to restore the system. The disadvantage is that for each day elapsed since the last full backup, more data needs to be backed up, especially if a majority of the data has changed.

What is the SYSVOL folder?

The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain. You can open the SYSVOL folder by typing %systemroot%\sysvol.

What is the ISTG? Who has that role by default?

The first server in the site becomes the Inter-Site Topology Generator (ISTG) for the site. The domain controller holding this role is not necessarily also a bridgehead server.

What is the order in which GPOs are applied?

Local, Site, Domain, OU.

What are some of the new tools and features provided by Windows Server 2008?

Windows Server 2008 provides a desktop environment similar to Microsoft Windows Vista and includes tools also found in Vista, such as the new backup snap-in and the BitLocker drive encryption feature. Windows Server 2008 also provides the new IIS 7 web server and Windows Deployment Services.

What are the different editions of Windows Server 2008?

The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise Edition provides a platform for large enterprise-wide networks. The Datacenter Edition provides support for unlimited Hyper-V virtualization and advanced clustering services. The Web Edition is a scaled-down version of Windows Server 2008 intended for use as a dedicated web server. The Standard, Enterprise, and Datacenter Editions can be purchased with or without the Hyper-V virtualization technology.

What two hardware considerations should be an important part of the planning process for a Windows Server 2008 deployment?

Any server on which you will install Windows Server 2008 should meet at least the minimum hardware requirements for running the network operating system. Server hardware should also be on the Windows Server 2008 Hardware Compatibility List to avoid hardware and network operating system incompatibilities.

What are the options for installing Windows Server 2008?

You can install Windows Server 2008 on a server not currently configured with a network operating system (NOS), or you can upgrade existing servers running Windows 2000 Server or Windows Server 2003.

How do you configure and manage a Windows Server 2008 core installation?

This stripped-down version of Windows Server 2008 is managed from the command line.

Which Control Panel tool enables you to automate the running of server utilities and other applications?

The Task Scheduler enables you to schedule the launching of tools such as Windows Backup and Disk Defragmenter.

What are some of the items that can be accessed via the System Properties dialog box?

You can access virtual memory settings and the Device Manager via the System Properties dialog box.

When a child domain is created in the domain tree, what type of trust relationship exists between the new child domain and the tree's root domain?

Child domains and the root domain of a tree are assigned transitive trusts. This means that the root domain and child domain trust each other and allow resources in any domain in the tree to be accessed by users in any domain in the tree.

What is the primary function of domain controllers?

The primary function of domain controllers is to validate users to the network. However, domain controllers also provide the catalog of Active Directory objects to users on the network.

What are some of the other roles that a server running Windows Server 2008 could fill on the network?

A server running Windows Server 2008 can be configured as a domain controller, a file server, a print server, a web server, or an application server. Windows servers can also have roles and features that provide services such as DNS, DHCP, and Routing and Remote Access.

Which Windows Server 2008 tool makes it easy to manage and configure a server's roles and features?

The Server Manager window enables you to view the roles and features installed on a server and also to quickly access the tools used to manage these various roles and features. Server Manager can be used to add and remove roles and features as needed.

What Windows Server 2008 service is used to install client operating systems over the network?

Windows Deployment Services (WDS) enables you to install client and server operating systems over the network on any computer with a PXE-enabled network interface.

What domain services are necessary for you to deploy Windows Deployment Services on your network?

Windows Deployment Services requires that a DHCP server and a DNS server be installed in the domain.

How is WDS configured and managed on a server running Windows Server 2008?

The Windows Deployment Services snap-in enables you to configure the WDS server and add boot and install images to the server.

What is the difference between a basic and a dynamic disk in the Windows Server 2008 environment?

A basic disk embraces the MS-DOS disk structure; a basic disk can be divided into partitions (simple volumes). Dynamic disks consist of a single partition that can be divided into any number of volumes. Dynamic disks also support Windows Server 2008 RAID implementations.

What is RAID in Windows Server 2008?

RAID, or Redundant Array of Independent Disks, is a strategy for building fault tolerance into your file servers. RAID enables you to combine one or more volumes on separate drives so that they are accessed by a single drive letter. Windows Server 2008 enables you to configure RAID 0 (a striped set), RAID 1 (a mirror set), and RAID 5 (disk striping with parity).

What conceptual model helps provide an understanding of how network protocol stacks such as TCP/IP work?

The OSI model, consisting of the application, presentation, session, transport, network, data link, and physical layers, helps describe how data is sent and received on the network by protocol stacks.

What protocol stack is installed by default when you install Windows Server 2008 on a network server?

TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is required for Active Directory implementations and provides connectivity on heterogeneous networks.
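The incremental and differential backup types described in the backup question earlier on this page differ in one mechanical detail that the prose only implies: what happens to the NTFS archive attribute after a file is copied. The following PowerShell is an added example (not code from the original page and not Windows Backup itself) that makes that difference visible: a full or incremental run clears the attribute, a differential run leaves it set. The source and destination paths are placeholders, and the function is written for PowerShell 2.0 so it runs on Windows Server 2008.

```powershell
# Added example, not from the original page. Paths are placeholders.
# Demonstrates the archive-bit logic that distinguishes incremental from differential backups.
function Backup-Changed {
    param(
        [Parameter(Mandatory=$true)][string]$Source,
        [Parameter(Mandatory=$true)][string]$Destination,
        [ValidateSet('Incremental','Differential')][string]$Type = 'Incremental'
    )
    $archive = [System.IO.FileAttributes]::Archive

    # A file carries the archive bit until a full or incremental backup clears it, so
    # "archive bit set" means "changed since the last backup that cleared the bit".
    $changed = @(Get-ChildItem -Path $Source -Recurse |
                 Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $archive) -eq $archive) })

    foreach ($file in $changed) {
        $relative = $file.FullName.Substring($Source.TrimEnd('\').Length + 1)
        $target   = Join-Path $Destination $relative
        New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
        Copy-Item -Path $file.FullName -Destination $target

        if ($Type -eq 'Incremental') {
            # Clearing the bit is what makes the next incremental copy only newer changes,
            # and also what makes a restore need the full backup plus every incremental, in order.
            $keep = [int]$file.Attributes -band (-bnot [int]$archive)
            $file.Attributes = [System.IO.FileAttributes]$keep
        }
        # Differential: the bit stays set, so each differential grows, but a restore needs
        # only the full backup plus the latest differential.
    }

    New-Object PSObject -Property @{
        Type        = $Type
        FilesCopied = $changed.Count
        Destination = $Destination
    }
}

# After Friday's full backup cleared every archive bit, Monday's run copies only the changes.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Backup-Changed -Source 'E:\Data' -Destination "F:\Backups\Incremental-$stamp" -Type Incremental
```

Run the same function with -Type Differential on the following days to see the copied set grow, and note that a damaged tape in an incremental chain leaves every later incremental unrestorable, which is the risk the text describes.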
How is a server running Windows Server 2008 configured as a domain controller, such as the domain controller for the root domain or a child domain?

Installing Active Directory on a server running Windows Server 2008 gives you the option of creating a root domain for a domain tree or of creating child domains in an existing tree. Installing Active Directory on the server makes the server a domain controller.

What are some of the tools used to manage Active Directory objects in a Windows Server 2008 domain?

When Active Directory is installed on a server (making it a domain controller), a set of Active Directory snap-ins is provided. The Active Directory Users and Computers snap-in is used to manage Active Directory objects such as user accounts, computers, and groups. The Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined between domains. The Active Directory Sites and Services snap-in provides for the management of domain sites and subnets.

How are domain user accounts created and managed?

The Active Directory Users and Computers snap-in provides the tools necessary for creating user accounts and managing account properties. Properties for user accounts include settings related to logon hours, the computers to which a user can log on, and the settings related to the user's password.

What types of Active Directory objects can be contained in a group?

A group can contain users, computers, contacts, and other nested groups.

What type of group is not available in a domain that is running at the mixed-mode functional level?

Universal groups are not available in a mixed-mode domain. The functional level must be raised to Windows 2003 or Windows 2008 to make these groups available.

What types of Active Directory objects can be contained in an Organizational Unit?

Organizational Units can hold users, groups, computers, contacts, and other OUs. The Organizational Unit provides you with a container directly below the domain level that enables you to refine the logical hierarchy of how your users and other resources are arranged in Active Directory.
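The group scope material earlier on this page and the mixed-mode limitation just above are easiest to see together in working code. The following is an added example, not code from the original page: it builds the usual AGDLP nesting (accounts into a Global group, the Global group into a Domain Local group, the permission on the Domain Local group) with the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later) and checks the domain mode before creating a universal security group. The domain corp.example, the Groups OU, the users alice and bob and the share path are placeholders.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 RSAT or later); domain, OU, user and path names are placeholders.
Import-Module ActiveDirectory

$groupOu   = 'OU=Groups,DC=corp,DC=example'
$sharePath = 'E:\Shares\Finance'

# Global group: the "accounts" side; members are user accounts from this domain.
New-ADGroup -Name 'Finance-Users' -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'Finance-Users' -Members 'alice', 'bob'

# Domain Local group: the "resource" side; this is the name that appears in the folder's ACL.
New-ADGroup -Name 'Finance-Share-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOu

# A-G-DL-P: nest the global group in the domain local group and grant the permission to
# the domain local group only. Individual users never appear directly in the ACL.
Add-ADGroupMember -Identity 'Finance-Share-Modify' -Members 'Finance-Users'

$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'CORP\Finance-Share-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Universal security groups are unavailable while the domain is in Windows 2000 mixed mode.
# DomainMode reports 'Windows2000Domain' for both mixed and native; the domain object's
# ntMixedDomain attribute (1 = mixed, 0 = native) tells them apart.
$domain = Get-ADDomain
$mixed  = (Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain).ntMixedDomain
if ($domain.DomainMode -eq 'Windows2000Domain' -and $mixed -eq 1) {
    Write-Warning 'Domain is in Windows 2000 mixed mode; raise the functional level before creating universal security groups.'
} else {
    # Universal group: membership is replicated to every Global Catalog and usable across the forest.
    New-ADGroup -Name 'All-Finance-Staff' -GroupScope Universal -GroupCategory Security -Path $groupOu
    Add-ADGroupMember -Identity 'All-Finance-Staff' -Members 'Finance-Users'
}

# What a group may contain: users, computers, contacts and other groups.
Get-ADGroupMember -Identity 'Finance-Share-Modify' | Select-Object Name, objectClass
```

Keeping permissions on the Domain Local group rather than on users is what lets you audit "who can modify Finance" by reading one group's (nested) membership instead of every ACL on the server.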
What are Active Directory sites in Windows Server 2008?

Active Directory sites are physical locations on the network's physical topology. Each regional domain that you create is assigned to a site. Sites typically represent one or more IP subnets that are connected by IP routers. Because sites are separated from each other by a router, the domain controllers on each site periodically replicate the Active Directory to update the Global Catalog on each site segment.
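The GPO processing order given earlier on this page (Local, Site, Domain, OU) only tells half the story once Block Inheritance and Enforce come into play, and the effective result is easiest to verify from a script. The following PowerShell is an added example (not code from the original page): it lists the GPO links that actually apply to a container in precedence order, audits which OUs have Block Inheritance set, and enforces a domain-linked baseline so that it survives such blocks. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 RSAT or later); the domain corp.example, the Workstations OU and the 'Security Baseline' GPO are placeholders.

```powershell
# Added example, not from the original page. Assumes the GroupPolicy and ActiveDirectory
# modules (Windows Server 2008 R2 RSAT or later); names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-EffectiveGpoOrder {
    # Lists the GPO links that actually apply to a site, domain or OU in precedence order,
    # as on the Group Policy Inheritance tab in GPMC (the first entry wins on conflict).
    param([Parameter(Mandatory=$true)][string]$TargetDn)
    $inh = Get-GPInheritance -Target $TargetDn
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Block Inheritance is set on $TargetDn; only Enforced links from above still apply here."
    }
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        New-Object PSObject -Property @{
            Precedence = $rank
            Gpo        = $link.DisplayName
            LinkedAt   = $link.Target
            Enforced   = $link.Enforced
            Enabled    = $link.Enabled
        }
    }
}

function Find-BlockedInheritance {
    # Every OU with Block Inheritance silently drops domain-level baselines unless those
    # links are Enforced, so the list is worth a periodic review.
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        if ((Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked) {
            $_.DistinguishedName
        }
    }
}

Get-EffectiveGpoOrder -TargetDn 'OU=Workstations,DC=corp,DC=example' |
    Select-Object Precedence, Gpo, LinkedAt, Enforced, Enabled | Format-Table -AutoSize

Find-BlockedInheritance

# Make the domain-linked baseline win over everything below it, Block Inheritance included.
Set-GPLink -Name 'Security Baseline' -Target 'DC=corp,DC=example' -Enforced Yes
```

Compare the output of Get-EffectiveGpoOrder before and after the Set-GPLink call: an Enforced link moves to the top of the precedence list for every container underneath the domain, which is exactly the behaviour the Enforce command in GPMC gives you.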

Can servers running Windows Server 2008 provide services to clients when they are not part of a domain?

Servers running Windows Server 2008 can be configured to participate in a workgroup. The server can provide some services to the workgroup peers but does not provide the security and management tools available on domain controllers.

What does the use of Group Policy provide you as a network administrator?

Group Policy provides a method of controlling user and computer configuration settings for Active Directory containers such as sites, domains, and OUs. GPOs are linked to a particular container, and then individual policies and administrative templates are enabled to control the environment for the users or computers within that particular container.

What tools are involved in managing and deploying Group Policy?

GPOs and their settings, links, and other information such as permissions can be viewed in the Group Policy Management snap-in.

How do you deal with Group Policy inheritance issues?

GPOs are inherited down through the Active Directory tree by default. You can block the inheritance of settings from upline GPOs (for a particular container such as an OU or a local computer) by selecting Block Inheritance for that particular object. If you want to enforce a higher-level GPO so that it overrides directly linked GPOs, you can use the Enforce command on the inherited (or upline) GPO.

How can you make sure that network clients have the most recent Windows updates installed and have other important security features such as the Windows Firewall enabled before they can gain full network access?

You can configure a Network Policy Server (a service available in the Network Policy and Access Services role). The Network Policy Server can be configured to compare desktop client settings with health validators to determine the level of network access afforded to the client.

What is the purpose of deploying local DNS servers?

A domain DNS server provides for the local mapping of fully qualified domain names to IP addresses. Because DNS is a distributed database, the local DNS servers can provide record information to remote DNS servers to help resolve remote requests related to fully qualified domain names on your network.

In terms of DNS, what is a caching-only server?

A caching-only DNS server answers queries from the data in its DNS cache. Caching-only servers are often used as DNS forwarders. Because they are not configured with any zones, they do not generate network traffic related to zone transfers.

How is the range of IP addresses defined for a Windows Server 2008 DHCP server?

The IP addresses supplied by the DHCP server are held in a scope. A scope that contains more than one subnet of IP addresses is called a superscope. IP addresses in a scope that you do not want to lease can be placed in an exclusion range.

What is DHCP's purpose?

DHCP's purpose is to enable individual computers on an IP network to obtain their configuration from a server (the DHCP server) or servers, in particular servers that have no exact information about the individual computers until they request it. The overall purpose is to reduce the work necessary to administer a large IP network. The most significant piece of information distributed in this manner is the IP address.

What protocol and port does DHCP use?

DHCP, like BOOTP, runs over UDP, utilizing ports 67 and 68.

What is the Global Catalog?

The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC in every site in order to prevent user logon failures across the network.

What is a Stub Zone in DNS Server?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces. A stub zone consists of:

The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the stub zone.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Where is the Active Directory data file stored?

The Active Directory data store is %SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory, including user accounts.

What are the types of records in DNS?

To see the DNS record types, follow the DNS Records link.

What is DHCP and on which port does DHCP work?

Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network. DHCP assigns an IP address when a system is started. The DHCP client uses port 67 and the DHCP server uses port 68.

What is the DORA process in DHCP and how does it work?

DHCP (D)iscover, DHCP (O)ffer, DHCP (R)equest, DHCP (A)cknowledge:
1) The client makes a UDP broadcast to the server (DHCP Discover).
2) The DHCP server offers an address to the client.
3) In response to the offer, the client requests the address from the server.
4) The server responds with the IP address, mask, gateway, DNS and WINS information along with the acknowledgement packet.

What is a Superscope in DHCP?

A superscope allows a DHCP server to provide leases from more than one scope to clients on a single physical network. Before you can create a superscope, you must use DHCP Manager to define all scopes to be included in the superscope. Scopes added to a superscope are called member scopes. Superscopes can resolve DHCP service issues in several different ways; these issues include situations in which:

Support is needed for DHCP clients on a single physical network segment (such as a single Ethernet LAN segment) where multiple logical IP networks are used. When more than one logical IP network is used on a physical network, these configurations are also known as multinets.
The available address pool for a currently active scope is nearly depleted and more computers need to be added to the physical network segment.
Clients need to be migrated to a new scope.
Support is needed for DHCP clients on the other side of BOOTP relay agents, where the network on the other side of the relay agent has multiple logical subnets on one physical network. For more information, see Supporting BOOTP Clients later in this chapter.

A standard network with one DHCP server on a single physical subnet is limited to leasing addresses to clients on that physical subnet.
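The scope, exclusion range and superscope described above, plus the "address pool nearly depleted" situation that a superscope is meant to relieve, as an added example that is not code from the original page. It uses the DhcpServer PowerShell module (Windows Server 2012 or later; on Windows Server 2008 the same objects are created with netsh dhcp or the DHCP console); the server name, scope names and addresses are placeholders.

```powershell
# Added example, not from the original page. Assumes the DhcpServer module (Windows Server
# 2012 or later); server name, scope names and addresses are placeholders.
Import-Module DhcpServer
$dhcp = 'dhcp01.corp.example'

# Two logical IP networks (a "multinet") on one physical segment, each defined as its own scope.
Add-DhcpServerv4Scope -ComputerName $dhcp -Name 'Floor1-A' -StartRange 10.1.1.10 -EndRange 10.1.1.250 `
    -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4Scope -ComputerName $dhcp -Name 'Floor1-B' -StartRange 10.1.2.10 -EndRange 10.1.2.250 `
    -SubnetMask 255.255.255.0 -State Active

# Exclusion range: addresses inside the scope that must never be leased (printers, switches, ...).
Add-DhcpServerv4ExclusionRange -ComputerName $dhcp -ScopeId 10.1.1.0 -StartRange 10.1.1.10 -EndRange 10.1.1.30

# Superscope: both member scopes now serve the same physical subnet, so the second pool
# takes over when the first one is depleted.
Add-DhcpServerv4Superscope -ComputerName $dhcp -SuperscopeName 'Floor1' -ScopeId 10.1.1.0, 10.1.2.0

# Scope options handed out with the lease (the gateway/DNS part of the DORA acknowledgement).
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId 10.1.1.0 -Router 10.1.1.1 `
    -DnsServer 10.1.0.5 -DnsDomain 'corp.example'

function Get-ScopesNearExhaustion {
    # Pool depletion is the condition a superscope relieves; it is also what a defender sees
    # during a lease-exhaustion flood, so the same check doubles as a monitoring probe.
    param([string]$Server, [int]$Threshold = 90)
    Get-DhcpServerv4ScopeStatistics -ComputerName $Server |
        Where-Object { $_.PercentageInUse -ge $Threshold } |
        Select-Object ScopeId, SuperscopeName, Free, InUse, PercentageInUse
}
Get-ScopesNearExhaustion -Server $dhcp -Threshold 85
```

Scheduling Get-ScopesNearExhaustion turns the "nearly depleted" scenario from something discovered when clients stop getting leases into something flagged while there is still time to add a member scope.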
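The two DNS server types described earlier on this page, a stub zone pointing at a separate namespace and a caching-only server that only forwards, as an added example that is not code from the original page; it also goes one step beyond the page's own case by restricting zone transfers on a primary zone, which is the traffic the caching-only text mentions. It assumes the DnsServer PowerShell module (Windows Server 2012 or later; on Windows Server 2003 and 2008 the same settings are made with dnscmd or the DNS console); server names, zone names and addresses are placeholders.

```powershell
# Added example, not from the original page. Assumes the DnsServer module; server names,
# zone names and addresses are placeholders.
Import-Module DnsServer

# Stub zone on the internal resolver: only the SOA, NS and glue A records for
# partner.example, refreshed from the listed master servers, so queries for the partner
# namespace go straight to its authoritative servers instead of out to the public tree.
Add-DnsServerStubZone -ComputerName 'dns01' -Name 'partner.example' `
    -MasterServers 192.0.2.53, 192.0.2.54 -ReplicationScope Forest

# Caching-only server: forwards everything to the internal resolvers and hosts no zones.
Add-DnsServerForwarder -ComputerName 'cache01' -IPAddress 10.0.0.5, 10.0.0.6

function Test-CachingOnly {
    # A caching-only server must host no zones apart from the auto-created ones
    # (0.in-addr.arpa and friends). Any other zone means the box has quietly become
    # authoritative and may start taking part in zone transfers.
    param([string]$Server)
    $zones = @(Get-DnsServerZone -ComputerName $Server | Where-Object { -not $_.IsAutoCreated })
    if ($zones.Count -gt 0) {
        $zones | Select-Object ZoneName, ZoneType, IsDsIntegrated | Format-Table -AutoSize
        return $false
    }
    return $true
}
Test-CachingOnly -Server 'cache01'

# On the server that hosts the primary zone: allow full zone copies only to named secondaries,
# so the zone contents cannot be pulled by any host that asks for an AXFR.
Set-DnsServerPrimaryZone -ComputerName 'dns01' -Name 'corp.example' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers 10.0.0.6
```

The stub zone never carries the partner's A records itself; if you need those records locally you want a secondary zone (and the partner's permission for transfers), which is the distinction the "stub zone consists of" list above is drawing.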

What is Active Directory?

Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of Active Directory is that everything is considered an object: people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).

What's the difference between a forward lookup zone and a reverse lookup zone in DNS?

Forward lookup is name-to-IP address; reverse lookup is IP address-to-name.

How do you transfer roles in Active Directory?

Using Ntdsutil.exe we can transfer roles in Active Directory.

How do you back up Active Directory, and which main file do you take in a backup of Active Directory?

We can take a backup with the Ntbackup utility. Active Directory is backed up as part of the system state, a collection of system components that depend on each other. You must back up and restore system state components together.

Components that comprise the system state on a domain controller include:

System start-up files (boot files). These are the files required for Windows 2000 Server to start.
System registry.
Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
o NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for non-Windows 2000-based network clients.
o User logon scripts for Windows 2000 Professional-based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
o Windows 2000 GPOs.
o File system junctions.
o File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
Active Directory. Active Directory includes:
o Ntds.dit: The Active Directory database.
o Edb.chk: The checkpoint file.
o Edb*.log: The transaction logs, each 10 megabytes (MB) in size.
o Res1.log and Res2.log: Reserved transaction logs.
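The system state list above and the NTDS.DIT location given earlier, as an added example that is not code from the original page: it reads the real database and log locations from the registry (they are configurable, not fixed to %SystemRoot%\ntds), takes a system state backup with wbadmin, and verifies that a restorable version exists. Windows Server 2008 with the Windows Server Backup feature installed is assumed; the Windows Server 2003 ntbackup equivalent is shown as a comment, and the E: target volume is a placeholder.

```powershell
# Added example, not from the original page. Assumes Windows Server 2008 with the
# Windows Server Backup feature; the E: target is a placeholder and must not be a
# critical (system) volume.

# Where the DIT and its ESE logs really are: the paths are registry values, not fixed.
$params  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $params.'DSA Database file'
$logPath = $params.'Database log files path'
"NTDS.DIT : $ditPath"
"ESE logs : $logPath"
Get-Item -Path $ditPath | Select-Object FullName, Length, LastWriteTime
Get-ChildItem -Path $logPath -Filter 'edb*.log' | Select-Object Name, Length

# System state (Active Directory, SYSVOL, registry, boot files, COM+ class registration)
# is backed up and restored as one unit; wbadmin treats it that way.
# The backup contains every password hash in the domain, so the target volume needs the
# same access control and handling as a domain controller itself.
$target = 'E:'
& wbadmin start systemstatebackup -backupTarget:$target -quiet

# Windows Server 2003 equivalent with ntbackup (system state to a .bkf file):
#   ntbackup backup systemstate /j "AD system state" /f "E:\Backups\systemstate.bkf"

# Verify that a restorable version now exists on the target.
& wbadmin get versions -backupTarget:$target
```

Because Ntds.dit, Edb.chk and the Edb*.log files are a single transactional set, copying only the .dit file out of the list above does not give you a usable backup; the system state job is what keeps the checkpoint and logs consistent with the database.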


Windows Server 2003 - NTDSutil Guide


NTDSutil is a Windows utility for configuring the heart of Active Directory. Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. Use Ntdsutil to perform database maintenance of Active Directory, to manage and control single master operations, and to remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. By default, Ntdsutil is installed in the Winnt\System32 folder.

Preparation for NTDSutil

Begin by logging on at a Windows Server 2003 or 2008 machine. We suggest that you create a new folder to hold any logs that NTDSutil creates, for example D:\ntdsutil. Open a CMD prompt, change directory to D:\ntdsutil and at the prompt type ntdsutil. Unsurprisingly, the actual executable is called ntdsutil.exe and is found in the %systemroot%\system32 folder.
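Ntdsutil also accepts its menu commands as quoted command-line arguments, which turns the duplicate-SID check into something you can schedule rather than type through the menus. The following PowerShell is an added example, not code from the original page: it runs the check non-interactively from the working folder prepared above, reads the resulting log, and then shows the FSMO role holders with netdom and the ActiveDirectory module (Windows Server 2008 R2 RSAT or later). Server3 and D:\ntdsutil are the page's own placeholder names; that dupsid.log lands in the working directory is an assumption taken from the preparation step.

```powershell
# Added example, not from the original page. Assumes ntdsutil.exe and netdom.exe are in
# the path and, for the last part, the ActiveDirectory module (Windows Server 2008 R2
# RSAT or later). Server3 and D:\ntdsutil follow the page's placeholders.
$server  = 'Server3'
$workDir = 'D:\ntdsutil'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Set-Location $workDir          # dupsid.log is assumed to be written to the working directory

# ntdsutil takes its menu commands as quoted arguments and runs them in sequence,
# so there is no interactive prompt to answer.
& ntdsutil.exe 'security account management' "connect to server $server" 'check duplicate sid' 'quit' 'quit'

$log = Join-Path $workDir 'dupsid.log'
if (Test-Path $log) {
    # Two objects sharing one SID means two principals resolve to one identity in every ACL;
    # any hit needs investigation.
    Get-Content $log
}

# FSMO role holders with netdom, the companion tool the page recommends for role work.
& netdom query fsmo

# The same information from PowerShell, for scripted checks.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$forest = Get-ADForest
New-Object PSObject -Property @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List
```

Recording the netdom output with each scheduled run also gives you a history of role moves, which is useful when a seizure rather than a transfer is suspected.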

Key NTDSutil command

When you are experimenting with NTDSutil, if you get stuck remember these four little words, they will make the difference between success and frustration:

Connect to Server Server3 (substitute your server for Server3)

Don't shorten the command to: Connect Server3 (remember the words 'to' and 'server').

Tip: NTDSutil help

If ever you are stuck in NTDSutil, simply type help.

Variety of NTDSutil tasks

Authoritative Restore - Major project, needs careful planning.
Configurable Settings - Not very interesting.
Domain Management - Specialist area. Create Naming Contexts and add replicas to the Application Directory Partition of DNS.
Files - Available only if you boot the server into Directory Restore Mode. Checks the integrity of NTDS.DIT and moves associated databases.
Roles = FSMO Maintenance. Which Domain Controller has which Single Operations Master? Seize roles such as PDC Emulator. Good news, for once you do get a message detailing the transfer you are about to make. My advice is to use Roles in conjunction with netdom or the Active Directory snap-ins. My point is I could not find a way of displaying who holds which FSMO role with NTDSutil.
Reset DSRM password. If you don't know the server's Directory Service account password, then here is your chance to reset it to a password that you will remember.
Security Account Management. Check for duplicate SIDs.

Example 1: Security Account Management (Maintenance)

Let us start gently and check for duplicate SIDs. This experiment is more for gaining experience of the NTDSutil interface than the probability of finding any duplicate SIDs. This is what I typed at the command prompt (my commands are in bold):

E:\ntdsutil>ntdsutil
ntdsutil: security account management
Security Account Maintenance: connect to server Server3
Security Account Maintenance: check duplicate sid
...
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
Security Account Maintenance:

1) In the above session I typed the full command security account management. However, you can shorten commands thus: 'sec acc man'. Incidentally, I am inventing these shorthand commands in the sense that NTDSutil also understands 'sec ac ma' or even 'secu a m'. NTDSutil's brain works by analysing your letters and if there is only one possible interpretation then it fills in the gaps and returns the service that you asked for. For example, plain 'se' will not work because there is another command which begins with se: Semantic....

2) When the command prompt shows Security Account Maintenance:, here is where you must type 'connect to server Server3'. Be aware that even though I am sitting at Server3's console, I must remember this command: connect to server xyz.

3) When I type the instruction 'Check Duplicate SID', don't ask me why, but you cannot shorten the command to 'chk dup sd'. Please just accept you need the full words here.

4) As ever, read the screen and take note of dupsid.log. However, you have to quit NTDSutil, or use Explorer, before you can attempt to read dupsid.log. My point is that you cannot issue the command 'notepad dupsid.log' from within NTDSutil.

Example 2: Reset password for DSRM (Directory Services Restore Mode)

Here is where I challenge you to perform a real task. Once upon a time, when your Windows Server 2003 was first installed, setup asked the installer for a separate directory service restore mode password. 90% of administrators ignored the box or forgot the password. 50% of administrators don't realize that this Directory Services Restore Mode password is different from the normal Administrator password. The two can get out of synch because they are stored in separate databases. Now is your chance to reset the password that will be required if ever you need to restart the server in Active Directory Restore Mode. In many ways this is such an insignificant job; in other ways it saves the frustration of being thwarted by not having the administrative password for this context.

E:\ntdsutil>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server Server3
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.
Reset DSRM Administrator Password: quit
ntdsutil: quit
E:\ntdsutil>

1) The key command to type: 'reset password on server Server3'. If NTDSutil replies with 'Please type password for DS Restore Mode', then you know you are in the correct place.

2) To escape from NTDSutil you need just type quit, possibly two or three times, to get back to the command prompt.

How to Install Windows Server 2003 IIS 6.0 Step by Step

Internet Information Services (IIS) 6.0 is a powerful Web server that provides a highly reliable, manageable, and scalable Web application infrastructure for all versions of Windows Server 2003. IIS helps organizations increase Web site and application availability while lowering system administration costs. IIS 6.0 supports the Microsoft Dynamic Systems Initiative (DSI) with automated health monitoring, process isolation, and improved management capabilities.

Perform the following steps to install IIS 6.0 on the Windows Server 2003 computer. The machine can be a standalone server, a member server in an Active Directory domain, or even a domain controller.

Click Start, point to Control Panel and click Add or Remove Programs.

Click the Add/Remove Windows Components button in the Add or Remove Programs.

On the Windows Components window, click on the Application Server entry and click the Details button.

On the Application Server page, click on the Internet Information Services (IIS) entry and click the Details button.

In the Internet Information Service (IIS) dialog box, put a check mark in the World Wide Web Service check box and click OK.

Click OK on the Application Server dialog box.

Click Next on the Windows Components dialog box.

IIS Server Installation in progress.

Click Finish on the Completing the Windows Components Wizard page.

Forest and Domain Functional Levels


Overview of Domain and Forest Functional Levels

Domain and forest functional levels provide the means by which you can enable additional domain-wide and forest-wide Active Directory features, remove outdated backward compatibility within your environment, and improve Active Directory performance and security. In Windows 2000, the terminology used to refer to domain functional levels was domain modes. Forests in Windows 2000 have one mode and domains can have the domain mode set as either mixed mode or native mode. Windows Server 2003 Active Directory introduced the Windows Server 2003 interim functional level and the Windows Server 2003 functional level for both domains and forests. The four domain functional levels that can be set for domain controllers are Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The default domain functional level is Windows 2000 mixed. The three forest functional levels are Windows 2000, Windows Server 2003 interim, and Windows Server 2003. The default forest functional level is Windows 2000. When the Windows Server 2003 functional level is enabled in your environment, additional Active Directory domain-wide and forest-wide features are automatically enabled. The Windows Server 2003 functional level can be enabled in your environment when all domain controllers are running Windows Server 2003. The Active Directory Domains And Trusts console is used to raise the functional levels of domains and forests in Active Directory.

Domain Functional Levels

When raising the domain functional level from Windows 2000 mixed to Windows 2000 native or the Windows Server 2003 functional level, domain controllers are regarded as peers to each other. What this essentially means is that the domain master concept no longer exists. It also means that pre-Windows 2000 replication no longer exists. If you are considering raising the domain functional level within your environment to Windows Server 2003, you should remember that after the domain functional level is raised, you cannot add any Windows 2000 server to the particular domain.

Windows 2000 Mixed Domain Functional Level

Any newly installed domain controller operates in the Windows 2000 mixed domain functional level for the domain by default. This makes the Windows 2000 mixed domain functional level the default functional level for all Windows Server 2003 domains. The Windows 2000 mixed domain functional level enables the Windows Server 2003 domain controller to operate together with Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers. The only Windows NT domain controllers supported are Windows NT backup domain controllers (BDCs). Windows NT primary domain controllers do not exist in Active Directory. In Active Directory, domain controllers act as peers to one another. The Windows 2000 mixed domain functional level is usually used to migrate domain controllers from Windows NT to Windows 2000 domain controllers. You can raise the Windows 2000 mixed domain functional level to:

Windows 2000 native domain functional level
Windows Server 2003 domain functional level

The Active Directory domain features that are available in Windows 2000 mixed domain functional level are listed below:

Local and Global groups
Distribution Groups
Distribution Group nesting
Global Catalog support
Up to 40,000 domain objects are supported

The Active Directory domain features that are not supported in Windows 2000 mixed domain functional level are listed below:

Renaming domain controllers
Universal Groups
Security group nesting
SID History
Update logon timestamp
Group conversion between Security Groups and Distribution Groups
Users/Computers container redirection
Constrained delegation
User password support on the InetOrgPerson object

Windows 2000 Native Domain Functional Level


The Windows 2000 native domain functional level enables Windows Server 2003 domain controllers to operate with Windows 2000 domain controllers and Windows Server 2003 domain controllers. This domain functional level is typically used to support domain controller upgrades from Windows 2000 to Windows Server 2003. Windows NT 4.0 backup domain controllers are not supported in the Windows 2000 native domain functional level. Windows 2000 native cannot be lowered again to the Windows 2000 mixed domain functional level. You can raise the Windows 2000 native domain functional level to the Windows Server 2003 domain functional level.

The Active Directory domain features that are available in Windows 2000 native domain functional level are listed below:

Local and Global groups
Distribution Groups
Distribution group nesting
Security group nesting
Universal Groups
Group conversion between Security Groups and Distribution Groups
Global Catalog support
SID History
Up to 1,000,000 domain objects are supported

The Active Directory domain features that are not supported in Windows 2000 native domain functional level are listed below:

Renaming domain controllers
Update logon timestamp
Users/Computers container redirection
Constrained delegation
User password support on the InetOrgPerson object

Windows Server 2003 Interim Domain Functional Level


The Windows Server 2003 interim domain functional level enables domain controllers running Windows Server 2003 to function in a domain containing both Windows NT 4.0 domain controllers and Windows Server 2003 domain controllers. Domain controllers running Windows 2000 are not supported in this domain functional level. You can only set this domain functional level when upgrading from Windows NT to Windows Server 2003. The Windows Server 2003 interim domain functional level can only be raised to the Windows Server 2003 domain functional level. The Windows Server 2003 interim domain functional level is also typically used when you are not going to immediately upgrade your Windows NT 4.0 backup domain controllers to Windows Server 2003, and when your existing Windows NT domain has groups consisting of over 5,000 members.

The Active Directory domain features that are available in the Windows Server 2003 interim domain functional level are listed below:

Local and Global groups
Distribution groups
Distribution group nesting
Global Catalog support
Up to 40,000 domain objects are supported

The Active Directory domain features that are not supported in Windows Server 2003 interim domain functional level are listed below:

Renaming domain controllers
Universal Groups
Security group nesting
SID History
Update logon timestamp
Group conversion between Security Groups and Distribution Groups
Users/Computers container redirection
Constrained delegation
User password support on the InetOrgPerson object

Windows Server 2003 Domain Functional Level


The Windows Server 2003 domain functional level is the highest level that can be specified for a domain. All domain controllers in the domain are running Windows Server 2003. This basically means that Windows NT 4 and Windows 2000 domain controllers are not supported in these domains. Once the domain level is set to the Windows Server 2003 domain functional level, it cannot be lowered to any of the previous domain functional levels.

All Active Directory domain features are available in Windows Server 2003 domain functional level:

Local and Global groups
Distribution Groups
Distribution group nesting
Security group nesting
Universal Groups
Group conversion between Security Groups and Distribution Groups
Global Catalog support
SID History
Up to 1,000,000 domain objects are supported
Renaming domain controllers
Update logon timestamp
Users/Computers container redirection
Constrained delegation
User password support on the InetOrgPerson object

How to check which domain functional level is set for the domain

1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to verify, and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. You can view the existing domain functional level for the domain under Current domain functional level.

How to raise the domain functional level to the Windows 2000 native domain functional level or the Windows Server 2003 domain functional level

Before you can raise the domain functional level to the Windows Server 2003 domain functional level, each domain controller in the domain has to be running Windows Server 2003. To raise the domain functional level for a domain:

1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to raise, and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. Use the Select An Available Domain Functional Level list to choose the domain functional level for the domain.
5. Click Raise.
6. Click OK.

Forest Functional Levels


While a forest of Windows 2000 domain controllers can only ever be at one forest functional level (Windows 2000), Windows Server 2003 offers three forest functional levels. Through the forest functional levels you enable forest-wide Active Directory features in your environment; they work very much like the domain functional levels.

Windows 2000 Forest Functional Level

This is the default forest functional level: all newly created Windows Server 2003 forests start at this level. The Windows 2000 forest functional level supports Windows NT 4, Windows 2000 and Windows Server 2003 domain controllers. The Active Directory forest features available at the Windows 2000 forest functional level are listed below:

- Universal group caching
- Application directory partitions
- Global Catalog replication enhancements
- Installations from backups
- The Active Directory quota feature
- SIS (single-instance store) for system access control lists (SACLs)

The Active Directory forest features that are not supported in Windows 2000 forest functional level are listed below:

- Domain renaming
- Forest trust
- Defunct schema objects
- Linked value replication
- Dynamic auxiliary classes
- Improved Knowledge Consistency Checker (KCC) replication algorithms
- Application groups
- InetOrgPerson objectClass
- NTDS.DIT size reduction

Windows Server 2003 Interim Forest Functional Level

Domain controllers running Windows NT 4 and Windows Server 2003 are supported at the Windows Server 2003 interim forest functional level. This level is used when upgrading from Windows NT 4 to Windows Server 2003; it is also chosen when you are not planning to upgrade your existing Windows NT 4 backup domain controllers immediately, or when your existing Windows NT 4.0 domain has groups with more than 5,000 members. No Windows 2000 domain controllers can exist in the forest while the Windows Server 2003 interim forest functional level is set. The interim forest functional level can only be raised to the Windows Server 2003 forest functional level. The Active Directory forest-wide features available at the Windows Server 2003 interim forest functional level are listed below:

- Universal group caching
- Application directory partitions
- Global Catalog replication enhancements
- Installations from backups
- The Active Directory quota feature
- SIS (single-instance store) for system access control lists (SACLs)
- Improved Knowledge Consistency Checker (KCC) replication algorithms
- Linked value replication

The Active Directory forest features that are not supported in Windows Server 2003 interim forest functional level are listed below:

- Domain renaming
- Forest trust
- Defunct schema objects
- Dynamic auxiliary classes
- Application groups
- InetOrgPerson objectClass
- NTDS.DIT size reduction

Windows Server 2003 Forest Functional Level

All domain controllers in the forest have to be running Windows Server 2003 before the forest functional level can be raised to Windows Server 2003; no domain controller in the forest can be running Windows NT 4 or Windows 2000. At the Windows Server 2003 forest functional level all forest-wide Active Directory features are available, including the following:

- Domain renaming
- Forest trust
- Defunct schema objects
- Dynamic auxiliary classes
- Application groups
- Universal group caching
- Application directory partitions
- Global Catalog replication enhancements
- Installations from backups
- The Active Directory quota feature
- SIS (single-instance store) for system access control lists (SACLs)
- Improved Knowledge Consistency Checker (KCC) replication algorithms
- Linked value replication
- InetOrgPerson objectClass
- NTDS.DIT size reduction

How to check which forest functional level is set for the forest

1. Open the Active Directory Domains And Trusts console.
2. Right-click Active Directory Domains And Trusts in the console tree, and select Raise Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens.
4. The existing level is shown under Current forest functional level.

How to raise the forest functional level to Windows Server 2003

Each domain controller in the forest has to be running Windows Server 2003 before you can raise the forest functional level to Windows Server 2003. When you raise the forest functional level, every domain in the forest automatically has its domain functional level raised to Windows Server 2003, so every domain must already be at least at the Windows 2000 native domain functional level (a domain still in Windows 2000 mixed mode blocks the raise). To raise the forest functional level for a forest:

1. Open the Active Directory Domains And Trusts console.
2. Right-click Active Directory Domains And Trusts in the console tree, and select Raise Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens.
4. Click Raise.
5. Click OK.

Approaches for Raising Functional Levels

You can use one of the following approaches to move from the Windows 2000 mixed and Windows 2000 native functional levels to the Windows Server 2003 functional level for the entire forest:

- Windows 2000 native route: raise every domain to the Windows 2000 native domain functional level, then raise the forest functional level to Windows Server 2003; the domains are raised to the Windows Server 2003 domain functional level as part of the forest raise.
- Windows Server 2003 route: raise each domain to Windows 2000 native and then to the Windows Server 2003 domain functional level, and finally raise the forest functional level to Windows Server 2003.

History Of Active Directory

Active Directory was introduced by Microsoft in the mid-1990s as a replacement for Windows NT-style user authentication. Windows NT had a flat, non-extensible domain model that did not scale well for large corporations. Active Directory, by contrast, was designed as a true directory service rather than the flat user-management service of NT. Although announced in the 1990s, it did not ship as part of the operating system until Windows 2000 Server was released in 2000. Since then Windows Server 2003 and Windows Server 2008 have been released and Active Directory has been extended. This tutorial is based on Windows Server 2003, which at the time of writing was the most widely installed version of the Windows network operating system (NOS); versions for Windows Server 2008 and later releases may follow as they become necessary. Though this tutorial is not focused on Windows Server 2008, much of the basic knowledge and instruction applies to either OS.

LDAP

Active Directory is built on LDAP, the Lightweight Directory Access Protocol, an application protocol for querying and modifying directory services developed at the University of Michigan in the early 1990s. An LDAP directory tree is a hierarchical structure of organizations, domains, trees, groups, and individual units.

Active Directory is a Directory

Sometimes it is easy to get lost in all of the technology and functions provided with AD and forget that Active Directory is a directory. It is a directory in both the everyday sense, like a white pages (you can add a person's first name, last name, phone number, address, e-mail address, and so on), and as a directory of information for use by applications and services (such as Microsoft Exchange for e-mail). AD is functionally a place to store information about people, things (computers, printers, etc.), applications, domains, services, security access permissions, and more.
Applications and services then use the directory to perform a function. For example, Windows uses Active Directory information to let a user log on to a computer and to grant the access rights assigned in Active Directory: Windows reads the directory and then grants rights based on what it finds. If a user account is disabled in Active Directory, the directory itself is only setting a flag on the account, which Windows then uses to refuse the logon. We mentioned in the introduction that administrators use Active Directory to deploy software; this is an incomplete description. Administrators set policies and information stating that a certain software application should be deployed to a certain user or computer. AD itself does not deploy the software; a Windows service reads the information from Active Directory and then installs the software.

Step By Step Guide for Windows Server 2003 Domain Controller and DNS Server Setup
Windows Server 2003 includes the functionality expected of a mission-critical Windows Server operating system: security, reliability, availability, and scalability. Microsoft also extended the Windows server product family to support Microsoft .NET, a set of software for connecting information, people, systems, and devices. This tutorial explains how to create the first domain controller (DC) in your network or company, including DNS server setup on Windows Server 2003. A DC requires DNS: without it, client computers cannot find the DC, because they locate it through the SRV records the DC registers in DNS. DNS can also be hosted on a server other than the DC. Before starting the DC installation, make sure of the following points:

- You have completed a basic Windows Server 2003 installation.
- You have assigned a static IP address to the server.

Now start DC and DNS Setup process First you need to go to Start>All Programs>Administrative Tools>Manage Your Server

Here you need to select Add or remove a role

Verify the following steps click on Next

Select Server Role as Domain Controller option click on Next

Summary of Your Selections click on Next

Active Directory Installation Wizard click on Next

Click Next on the compatibility window

Next window select the default option of Domain Controller for a new domain and click Next

In this tutorial we will create a domain in a new forest, because it is the first DC, so keep that option selected

Now we have to think of a name for our domain. You can use a domain you own on the Internet, such as windowsreference.com, but this is not recommended: computers inside the domain may then be unable to reach the company's public website of the same name, because the internal DNS zone for the Active Directory domain takes precedence over the public one. Active Directory domain names do not need to be registered Internet domains; they can be anything you wish, so in this tutorial the domain will be windowsreference.int.

To keep things simple, we will use windowsreferenc, the default selection, as the NetBIOS name of the domain (NetBIOS names are limited to 15 characters, which is why the wizard truncates the DNS label).

The next dialog suggests storing the AD database and log on separate hard disks and you can just leave the default settings.

The SYSVOL folder is a public share, where things like .MSI software packages can be kept when you will distribute packages and you can just leave the default settings or you can change the path.

The next screen says that a DNS server is required for everything to work the way we want (i.e. for windowsreference.int to be resolvable). We will install the DNS server on this machine; it could also be hosted elsewhere, but here select Install and configure the DNS server on this computer and click Next.

Next you need to select the default permissions for user and group objects. Select the first option (permissions compatible with pre-Windows 2000 server operating systems) only if you still have Windows NT 4.0 servers or applications that must read directory data; it adds Everyone and Anonymous Logon to the Pre-Windows 2000 Compatible Access group, which lets anonymous callers read user and group information from the domain. Otherwise select the second option, permissions compatible only with Windows 2000 or Windows Server 2003 operating systems, and click Next.

The Directory Services Restore Mode (DSRM) password is the one password every administrator hopes never to use but must never forget: it is the password of the local Administrator account used when the server is started in Directory Services Restore Mode to repair or restore Active Directory, and it is the password that can save a failed domain controller. It is separate from the domain Administrator password, so choose a strong one and record it in a secure location. Click Next.

Now we will see a summary of what will happen click next

Active Directory installation then starts; this can take several minutes. You will likely be prompted for the Windows Server 2003 CD (for the DNS server files), so have it handy.

Active directory Installation finish screen click Finish.

Now you need to select Restart Now option to reboot your server.

After rebooting, the logon screen offers a new Log on to option for the domain.

After logging on, the Manage Your Server screen shows that the server is now a domain controller.

That's it: your server is now configured as a domain controller and DNS server.


How to install Active Directory on Windows Server 2003


1. Click Start, click Run, type dcpromo, and then click OK.
2. On the first page of the Active Directory Installation Wizard, click Next.
3. On the next page of the Active Directory Installation Wizard, click Next.
4. On the Domain Controller Type page, click Domain controller for a new domain, and then click Next.
5. On the Create New Domain page, click Domain in a new forest, and then click Next.
6. On the New Domain Name page, in the Full DNS name for new domain box, type Testdc.com, and then click Next.
7. On the Database and Log Folders page, accept the defaults in the Database folder box and the Log folder box, and then click Next.
8. On the Shared System Volume page, accept the default in the Folder location box, and then click Next.
9. On the DNS Registration Diagnostics page, click Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS server, and then click Next.
10. On the Permissions page, click Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems, and then click Next.
11. On the Directory Services Restore Mode Administrator Password page, enter a password in the Restore Mode Password box, retype it in the Confirm password box, and then click Next.
12. On the Summary page, confirm the information is correct, and then click Next.
13. When prompted to restart the computer, click Restart now. After the computer restarts, log on to testdc as a member of the Administrators group.

How to setup an Additional Domain Controller in Windows Server 2003


The Windows Server 2003 operating system supports multi-master replication: all of a domain's domain controllers can receive changes made to objects and replicate those changes to all other domain controllers in that domain. By default, the first domain controller created in a forest is a global catalog server, which holds a full replica of all objects in the directory for its domain and a partial replica of all objects in every other domain in the forest. Replicating Active Directory data among domain controllers improves availability, fault tolerance, load balancing, and performance. In this step-by-step guide you take advantage of the fault tolerance of the multi-master model by installing a second domain controller: if one domain controller stops working, Active Directory remains available.

Note: before starting, make sure you already have a Windows Server 2003 domain controller with DNS. On the server that will become the additional domain controller, install the DNS Server service but do not configure any zones; point that server's preferred DNS at the existing domain controller so it can locate the domain, and after promotion the Active Directory-integrated zones replicate to it. To create an additional domain controller in Windows Server 2003:

1. Click Start, click Run, type dcpromo, and click OK. To open the Active Directory Installation Wizard with the option to create the additional domain controller from restored backup files, type dcpromo /adv instead.
2. On the Operating System Compatibility page, read the information and then click Next. If this is the first time you have installed Active Directory on a server running Windows Server 2003, click Compatibility Help for more information.
3. On the Domain Controller Type page, click Additional domain controller for an existing domain, and then click Next.
4. On the Copying Domain Information page, do one of the following: click Over the network, and then click Next; or click From these restored backup files, type the location of the restored backup files (or click Browse to locate them), and then click Next.
5. On the Network Credentials page, type the user name, password and user domain of the account you want to use for this operation, and then click Next. The account must be a member of the Domain Admins group for the target domain.
6. On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location, and then click Next.
7. On the Shared System Volume page, type the location in which you want to install the Sysvol folder, or click Browse to choose a location, and then click Next.
8. On the Directory Services Restore Mode Administrator Password page, type and confirm the password that you want to assign to the local Administrator account for this server, and then click Next. Use this password when starting the computer in Directory Services Restore Mode; it is independent of the domain Administrator password.
9. Review the Summary page, and then click Next to begin the installation.
10. Restart the server when prompted.

How do client computers locate a domain controller


One of the first major tasks a domain member computer has to do when it starts is to locate a domain controller. Generally, this requires a Domain Name System (DNS) server, which holds records for each domain controller in the domain, and the Locator, a remote procedure call to the computer's local Netlogon service.

Starting Up

When the client computer starts, its Netlogon service starts automatically (in the default configuration). This service implements the DsGetDcName application programming interface (API), which is used to locate a domain controller. The client begins by collecting the information it will use to locate one: its local IP address (used to determine the client's Active Directory site membership), the desired domain name, and a DNS server address.

Finding the Domain Controllers

Netlogon then queries the configured DNS server for the service (SRV) records and host (A) records that correspond to the domain controllers of the desired domain. The general form of the queried SRV name is _service._protocol.domainname, where service is the directory service, protocol is the transport protocol, and domainname is the Active Directory fully qualified domain name (FQDN). Because Active Directory is a Lightweight Directory Access Protocol (LDAP)-compliant directory service, clients query for _ldap._tcp.domainname, or _ldap._tcp.dc._msdcs.domainname to restrict the answer to domain controllers rather than any LDAP server in the domain; the site-specific form _ldap._tcp.sitename._sites.dc._msdcs.domainname is used when locating the nearest domain controller. Each domain controller registers its own SRV record under these names, so the query returns a list of domain controller host names, and the associated A records give the client the IP address of every domain controller in the domain. The client then sends an LDAP search query (the "LDAP ping") over the User Datagram Protocol (UDP) to each domain controller.

Selecting a Domain Controller

After the client locates the domain controllers, it uses LDAP to access Active Directory on one of them, preferably one in the client's own site. The domain controller uses the client's IP address to identify the client's Active Directory site. If the domain controller is not in the closest site, it returns the name of the client's site, and the client tries to find a domain controller in that site by querying DNS again. If the client has already tried to find a domain controller in that site, it keeps using the current, non-optimal domain controller. Once the client finds a domain controller it is satisfied with, it caches that domain controller's information and keeps using it for future contacts (unless the domain controller becomes unavailable). Because the locator trusts DNS answers, whoever controls the DNS server a client uses (including a rogue DHCP server that hands out its own DNS server address) can influence which domain controller the client talks to; that is one reason the rogue DHCP server detection covered later in this document matters.
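The DNS side of the locator described above, as an added example that is not part of the original page: it parses a constructed, zone-file-style SRV answer for the hypothetical domain corp.example.com (a real client gets the same data from its DNS server) and orders the domain controllers the way an RFC 2782 client should, which the text does not spell out: lowest priority first, weighted random within a priority, zero-weight records only when nothing else is left. Names, hosts and weights are all assumptions.

```python
"""Added example: ordering domain controllers from DNS SRV records (RFC 2782).
The SAMPLE_ANSWER below is constructed; corp.example.com and its DCs are
hypothetical. Not code from Microsoft or from the original page."""
import random
import re
from collections import defaultdict
from dataclasses import dataclass

# owner [ttl] [IN] SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def srv_name(domain, service="ldap", protocol="tcp", site=None):
    """Owner name a client queries: the forest-wide _msdcs form, or the
    _sites form when it wants a domain controller in a particular site."""
    if site:
        return f"_{service}._{protocol}.{site}._sites.dc._msdcs.{domain}".lower()
    return f"_{service}._{protocol}.dc._msdcs.{domain}".lower()


def parse_srv_answer(text):
    """Parse zone-file style SRV lines; ';' comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append(SrvRecord(
            name=m["name"].rstrip(".").lower(),
            priority=int(m["priority"]),
            weight=int(m["weight"]),
            port=int(m["port"]),
            target=m["target"].rstrip(".").lower(),
        ))
    return records


def order_targets(records, rng=None):
    """Return records in the order a client should try them (RFC 2782):
    ascending priority; within a priority, weighted random selection."""
    rng = rng or random.Random()
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec.priority].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        # zero-weight records go first so they are only hit when the draw is 0
        pool = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while pool:
            draw = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for chosen in pool:
                running += chosen.weight
                if running >= draw:
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


# Constructed answer: two equal-weight DCs at the hub, one last-resort DC at a branch.
SAMPLE_ANSWER = """
; constructed sample, not a real zone
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 10 0 389 dc-branch.corp.example.com.
"""

if __name__ == "__main__":
    print("query:", srv_name("corp.example.com"))
    for rec in order_targets(parse_srv_answer(SAMPLE_ANSWER)):
        print(f"try {rec.target}:{rec.port} (priority {rec.priority}, weight {rec.weight})")
```

Run it against the output of nslookup -type=SRV _ldap._tcp.dc._msdcs.yourdomain to see which DCs a client would try first; a DC that never appears in the answer is one clients will never find, and a record pointing at a host you do not recognise is worth investigating.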

Windows Active directory Groups !


Groups in AD

Groups are containers that hold user and computer objects as members. When security permissions are set for a group in the access control list on a resource, all members of that group receive those permissions. Domain groups enable centralized administration in a domain; all domain groups are created on a domain controller. In a domain, Active Directory supports different group types and group scopes. The group type determines the kind of task you manage with the group. The group scope determines whether the group can have members from multiple domains or from a single domain.

Group Types

Security groups: use security groups to grant permissions to resources. Sending an e-mail message to a security group also delivers it to all members, so security groups have all the capabilities of distribution groups. Distribution groups: distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to a distribution group; it is not a security principal and cannot appear in an ACL, which also means it can never be abused to grant access. Distribution groups are still needed because some applications can only read distribution groups.

Group Scopes

Group scope describes which objects can be members of a group and where the group can be granted permissions, so that users with a common role can be administered together. A group can be a member of other groups, which is known as group nesting; depending on scope and functional level, a group can be a member of groups in its own domain or in any domain in the forest.

Domain Local Group: use this scope to grant permissions to resources located in the same domain in which the domain local group was created. Domain local groups exist at all domain functional levels (mixed, interim, native and Windows Server 2003). Membership is broad: user accounts and global groups from any domain in the forest or a trusted domain, universal groups (at Windows 2000 native or higher), and other domain local groups from the same domain. In Windows 2000 mixed mode domain local groups cannot be nested at all; at native level they can contain domain local groups from their own domain, but a domain local group can itself only be a member of other domain local groups in its own domain, never of a global or universal group.

Global Group: users with a similar function are grouped under global scope and can be granted permissions on resources (a printer, a shared folder or files) in their own domain or in any other domain in the forest. Membership, however, is limited: user accounts, and at native level other global groups, only from the domain in which the global group was created. Global groups can therefore be nested in other global groups of the same domain, and to grant permissions on domain-specific resources (printers, published folders) they are typically made members of a domain local group in the resource's domain. Global groups exist at all domain functional levels.

Universal Group: universal groups can be granted access to resources in any trusted domain and can contain user accounts, global groups and universal groups from any domain in the forest; their membership is not limited the way global group membership is. Universal groups can only be security groups (security principals) in a domain at the Windows 2000 native or Windows Server 2003 domain functional level; in mixed mode they can only be distribution groups, which is why they are often described as e-mail distribution groups. Universal group membership is stored in the global catalog, so every membership change replicates forest-wide; nesting global groups in a universal group rather than individual users keeps that replication small. Universal groups can be nested in other universal groups or in domain local groups in any domain, but not in global groups.
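The membership rules above are easy to get wrong in a script that builds groups, so here is an added example (not part of the original page, not Microsoft code) that encodes them and checks a nesting chain such as user into global group into domain local group across two domains. It covers both native (Windows 2000 native / Windows Server 2003) and mixed-mode rules; the domain names and group names are hypothetical.

```python
"""Added example: validate Active Directory group nesting by scope.
Principals, domains and group names below are constructed; the rules are those
for Windows 2000 native / Windows Server 2003 (native=True) and mixed mode."""
from dataclasses import dataclass

USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "user", "global", "universal", "domain local"


@dataclass(frozen=True)
class Principal:
    name: str
    scope: str      # USER, GLOBAL, UNIVERSAL or DOMAIN_LOCAL
    domain: str     # DNS name of the domain the object lives in


def can_contain(group, member, native=True):
    """Return (allowed, reason) for adding `member` to `group`."""
    same = group.domain == member.domain
    if group.scope == GLOBAL:
        if member.scope == USER and same:
            return True, "global group: accounts from its own domain"
        if native and member.scope == GLOBAL and same:
            return True, "global group: global groups from its own domain (native mode nesting)"
        return False, "global groups take only accounts (and, in native mode, global groups) from their own domain"
    if group.scope == DOMAIN_LOCAL:
        if member.scope in (USER, GLOBAL):
            return True, "domain local group: accounts and global groups from any domain"
        if native and member.scope == UNIVERSAL:
            return True, "domain local group: universal groups (native mode)"
        if native and member.scope == DOMAIN_LOCAL and same:
            return True, "domain local group: domain local groups from its own domain (native mode nesting)"
        return False, "domain local group cannot contain this member at this functional level"
    if group.scope == UNIVERSAL:
        if not native:
            return False, "universal security groups require native mode"
        if member.scope in (USER, GLOBAL, UNIVERSAL):
            return True, "universal group: accounts, global and universal groups from any domain"
        return False, "universal groups cannot contain domain local groups"
    return False, f"{group.scope!r} is not a group scope"


def validate_chain(chain, native=True):
    """Check each link of a nesting chain [member, group, group, ...];
    return the first violation as text, or None if the whole chain is legal."""
    for member, group in zip(chain, chain[1:]):
        ok, reason = can_contain(group, member, native)
        if not ok:
            return f"{member.name} -> {group.name}: {reason}"
    return None


# Constructed objects in two hypothetical domains of one forest.
alice = Principal("alice", USER, "corp.example.com")
sales = Principal("Sales", GLOBAL, "corp.example.com")
marketing = Principal("Marketing", GLOBAL, "corp.example.com")
eu_admins = Principal("EUAdmins", GLOBAL, "eu.example.com")
printer_users = Principal("PrinterUsers", DOMAIN_LOCAL, "eu.example.com")

if __name__ == "__main__":
    print(validate_chain([alice, sales, printer_users]))          # None: legal across domains
    print(validate_chain([sales, eu_admins]))                     # refused: global group from another domain
    print(validate_chain([sales, marketing], native=False))       # refused: no global nesting in mixed mode
    print(validate_chain([sales, marketing]))                     # None once the domain is native
```

The first call is the accounts-into-global-into-domain-local pattern from the text: permissions land on the domain local group in the resource's domain, and membership is managed in the account domain's global group.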

Monitoring and Troubleshooting the DHCP Server


You can use the Event Viewer tool, located in the Administrative Tools folder, to monitor DHCP activity. Event Viewer stores events in the system log, application log, and security log. The system log contains events associated with the operating system; the application log holds events from applications running on the computer; events associated with auditing are logged in the security log. All DHCP-specific events are logged in the System log. The DHCP events there are associated with the activities of the DHCP service and server, such as when the DHCP server started and stopped, when DHCP leases are close to being depleted, and when the DHCP database is corrupt. A few DHCP System log event IDs are listed below:

- Event ID 1037 (Information): the DHCP server has begun to clean up the DHCP database.
- Event ID 1038 (Information): the DHCP server cleaned up the DHCP database for unicast addresses; the event reports how many IP address leases were recovered and how many records were deleted.
- Event ID 1039 (Information): the DHCP server cleaned up the DHCP database for multicast addresses; again the event reports leases recovered and records deleted.
- Event ID 1044 (Information): the DHCP server has concluded that it is authorized in Active Directory to start, and is servicing DHCP client requests for IP addresses.
- Event ID 1042 (Warning): the DHCP service has detected other DHCP servers on the network and lists them in the event. Any server in that list that you did not deploy is a candidate rogue DHCP server and should be investigated.
- Event ID 1056 (Warning): the DHCP service has determined that it is running on a domain controller and no credentials are configured for dynamic DNS (DDNS) registrations. The server then registers client records under the domain controller's own account, which has rights to update any record in the zone, so a client can make the DHCP server overwrite another host's DNS record; configure a dedicated, low-privilege account for dynamic DNS updates.
- Event ID 1046 (Error): the DHCP service has determined that it is not authorized in Active Directory to start servicing DHCP clients.
Using System Monitor to Monitor DHCP Activity

The System Monitor utility is the main tool for monitoring system performance. System Monitor can track various processes on a Windows system in real time, on the local computer or on remote computers, and shows current or logged data in graph, histogram, or report format; monitoring trends lets you determine resource usage. System Monitor uses objects, counters and instances to monitor the system. It is a valuable tool when you need to monitor and troubleshoot DHCP traffic passing between the DHCP server and DHCP clients. Through System Monitor, you can set counters to monitor:

- The DHCP lease process
- The DHCP queue length
- Duplicate IP address discards
- DHCP server-side conflict attempts

To start System Monitor:

1. Click Start, Administrative Tools, and then click Performance.
2. When the Performance console opens, open System Monitor.

The DHCP performance counters that you can monitor to track DHCP traffic are:

- Acks/sec: the rate at which DHCPACK messages are sent by the DHCP server.
- Active Queue Length: how many packets are in the DHCP queue for processing by the DHCP server.
- Conflict Check Queue Length: how many packets are in the DHCP queue waiting for conflict detection.
- Declines/sec: the rate at which the DHCP server receives DHCPDECLINE messages.
- Discovers/sec: the rate at which the DHCP server receives DHCPDISCOVER messages.
- Duplicates Dropped/sec: the rate at which duplicated packets are received by the DHCP server.
- Informs/sec: the rate at which the DHCP server receives DHCPINFORM messages.
- Milliseconds per packet (Avg.): the average time the DHCP server takes to send a response.
- Nacks/sec: the rate at which DHCPNACK messages are sent by the DHCP server.
- Packets Expired/sec: the rate at which packets expire while waiting in the DHCP server queue.
- Packets Received/sec: the rate at which the DHCP server receives packets.
- Releases/sec: the rate at which DHCPRELEASE messages are received by the DHCP server.
- Requests/sec: the rate at which DHCPREQUEST messages are received by the DHCP server.

Using Network Monitor to Monitor DHCP Lease Traffic

You can use Network Monitor to monitor network traffic and to troubleshoot network problems. The Network Monitor shipped with Windows Server 2003 allows you to monitor network activity and use the gathered information to manage and optimize traffic, identify unnecessary protocols, and detect problems with network applications and services. To capture frames, you have to install the Network Monitor application and the Network Monitor driver on the server where you are going to run Network Monitor; the driver makes it possible for Network Monitor to receive frames from the network adapter. The two versions of Network Monitor are:

- The Network Monitor version included with Windows Server 2003: with this version you can monitor network activity only on the local computer running Network Monitor.
- The full Network Monitor version included with Microsoft Systems Management Server (SMS): with this version you can monitor network activity on all devices on a network segment, capture frames from a remote computer, resolve device names to MAC addresses, and determine the user and protocol consuming the most bandwidth.

Because of these features, you can use Network Monitor to monitor and troubleshoot DHCP lease traffic. You can use the Network Monitor version included in Windows Server 2003 to capture and analyze the traffic received by the DHCP server. Before you can use Network Monitor to monitor DHCP lease traffic, you first have to install it; the Network Monitor driver is installed automatically with it.

How to install Network Monitor

1. Click Start, and then click Control Panel.
2. Click Add Or Remove Programs to open the Add Or Remove Programs dialog box.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click the Details button.
5. In the Management and Monitoring Tools dialog box, select the Network Monitor Tools checkbox and click OK.
6. Click Next when you are returned to the Windows Components Wizard.
7. If prompted during the installation for additional files, insert the Windows Server 2003 CD-ROM.
8. Click Finish on the Completing the Windows Components Wizard page.

Capture filters discard frames that you do not want to capture before they are stored in the capture buffer. When you create a capture filter, you define settings that identify the frames you do want to capture. You can design capture filters in the Capture window to capture only specific DHCP traffic (for example UDP ports 67 and 68) by selecting Filter from the Capture menu. You can also create a display filter after you have captured data; a display filter decides what is displayed.

How to start a capture of DHCP lease traffic in Network Monitor

1. Open Network Monitor.
2. On the Capture menu, click Start.
3. If you want to examine captured data during the capture, select Stop And View from the Capture menu.
Understanding DHCP Server log Files

DHCP server log files are comma-delimited text files. Each log entry represents one line of text. Through DHCP logging, you can log many different events. A few of these events are listed below:

- DHCP server events
- DHCP client events
- DHCP leasing
- DHCP rogue server detection events
- Active Directory authorization

The DHCP server log file format is depicted below. Each log file entry has the fields listed below, and in this particular order as well:

- ID: The DHCP server event ID code. Event codes describe the activity being logged.
- Date: The date when the particular log file entry was logged on your DHCP server.
- Time: The time when the particular log file entry was logged on your DHCP server.
- Description: A description of the particular DHCP server event.
- IP Address: The IP address of the DHCP client.
- Host Name: The host name of the DHCP client.
- MAC Address: The MAC address used by the DHCP client's network adapter.

DHCP server log files use reserved event ID codes. These event ID codes describe information on the activities being logged. The actual log file only describes event ID codes which are lower than 50. A few common DHCP server log event ID codes are listed below:

- 00 indicates the log was started.
- 01 indicates the log was stopped.
- 02 indicates the log was temporarily paused due to low disk space.
- 10 indicates a new IP address was leased to a client.
- 11 indicates a lease was renewed by a client.
- 12 indicates a lease was released by a client.
- 13 indicates an IP address was detected to be in use on the network.
- 14 indicates a lease request could not be satisfied because the scope's address pool was exhausted.
- 15 indicates a lease was denied.
- 16 indicates a lease was deleted.
- 17 indicates a lease expired.
- 20 indicates a BOOTP address was leased to a client.
- 21 indicates a dynamic BOOTP address was leased to a client.
- 22 indicates a BOOTP request could not be satisfied because the scope's BOOTP address pool was exhausted.
- 23 indicates a BOOTP IP address was deleted after confirming it was not in use.
- 24 indicates an IP address cleanup operation has started.
- 25 indicates IP address cleanup statistics.
- 30 indicates a DNS update request.
- 31 indicates a DNS update failed.
- 32 indicates a DNS update succeeded.

The following DHCP server log event ID codes are not described in the DHCP log file itself. These DHCP server log event ID codes relate to the DHCP server's Active Directory authorization status:

- 50 Unreachable domain: The DHCP server could not locate the applicable domain for its Active Directory installation.
- 51 Authorization succeeded: The DHCP server was authorized to start on the network.
- 52 Upgraded to a Windows Server 2003 operating system: The DHCP server was recently upgraded to a Windows Server 2003 OS; therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in Active Directory) was disabled.
- 53 Cached authorization: The DHCP server was authorized to start using previously cached information. Active Directory was not visible at the time the server was started on the network.
- 54 Authorization failed: The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped.
- 55 Authorization (servicing): The DHCP server was successfully authorized to start on the network.
- 56 Authorization failure: The DHCP server was not authorized to start on the network and was shut down by the Windows Server 2003 OS. You must first authorize the server in the directory before starting it again.
- 57 Server found in domain: Another DHCP server exists and is authorized for service in the same Active Directory domain.
- 58 Server could not find domain: The DHCP server could not locate the specified Active Directory domain.
- 59 Network failure: A network-related failure prevented the server from determining whether it is authorized.
- 60 No DC is DS enabled: No Active Directory DC was located. To detect whether the server is authorized, a domain controller that is enabled for Active Directory is needed.
- 61 Server found that belongs to DS domain: Another DHCP server that belongs to the Active Directory domain was found on the network.
- 62 Another server found: Another DHCP server was found on the network.
- 63 Restarting rogue detection: The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network.
- 64 No DHCP enabled interfaces: The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service.
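As a worked example of reading these logs (added here; it is not code from the page or from Microsoft's DHCP tools), the following Python script parses audit log lines in the field order listed above, maps the event ID codes to the meanings given on the page, and flags the entries a defender should look at first: logging gaps (01, 02), address conflicts (13), pool exhaustion (14), and the rogue-server and authorization events (54, 56, 57, 61, 62, 63). The sample log lines are constructed, and the short descriptions in the lookup table and the choice of alert codes are the example's own.

```python
"""Parse Windows DHCP server audit log lines and flag security-relevant events.

Added example, not code from the page. Field order follows the page:
ID,Date,Time,Description,IP Address,Host Name,MAC Address.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from io import StringIO

# Event ID codes as listed on the page (short wording is this example's own).
EVENT_CODES = {
    0: "Log started",
    1: "Log stopped",
    2: "Log paused: low disk space",
    10: "New lease",
    11: "Lease renewed",
    12: "Lease released",
    13: "Address already in use on the network",
    14: "Scope address pool exhausted",
    15: "Lease denied",
    16: "Lease deleted",
    17: "Lease expired",
    50: "Unreachable domain",
    51: "Authorization succeeded",
    53: "Cached authorization",
    54: "Authorization failed",
    55: "Authorization (servicing)",
    56: "Authorization failure, server shut down",
    57: "Server found in domain",
    61: "Server found that belongs to DS domain",
    62: "Another server found",
    63: "Restarting rogue detection",
    64: "No DHCP enabled interfaces",
}

# Codes a defender should treat as alerts: logging gaps, address conflicts,
# pool exhaustion, and anything about rogue servers or lost authorization.
ALERT_CODES = {1, 2, 13, 14, 54, 56, 57, 61, 62, 63}


@dataclass(frozen=True)
class DhcpEvent:
    event_id: int
    date: str
    time: str
    description: str
    ip_address: str
    host_name: str
    mac_address: str

    @property
    def meaning(self) -> str:
        return EVENT_CODES.get(self.event_id, f"Unknown event ID {self.event_id}")


def parse_dhcp_log(text: str) -> list[DhcpEvent]:
    """Parse comma-delimited audit log text; header and blank lines are skipped."""
    events = []
    for row in csv.reader(StringIO(text)):
        # The header row and free-text banners have a non-numeric first field.
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        fields = [f.strip() for f in row[:7]]
        events.append(DhcpEvent(int(fields[0]), *fields[1:]))
    return events


def alerts(events: list[DhcpEvent]) -> list[tuple[DhcpEvent, str]]:
    """Return (event, meaning) pairs for events worth a defender's attention."""
    return [(e, e.meaning) for e in events if e.event_id in ALERT_CODES]


def conflicts_by_mac(events: list[DhcpEvent]) -> dict[str, list[str]]:
    """Map MAC address -> IP addresses reported in use (event 13) for it."""
    seen: dict[str, list[str]] = {}
    for e in events:
        if e.event_id == 13 and e.mac_address:
            seen.setdefault(e.mac_address, []).append(e.ip_address)
    return seen


# Constructed sample (not a real capture); layout follows the page's field order.
SAMPLE_LOG = """ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,01/15/04,08:00:01,Started,,,
10,01/15/04,08:01:12,Assign,192.168.10.50,WS01.corp.example,000C29AA0001
11,01/15/04,08:05:40,Renew,192.168.10.51,WS02.corp.example,000C29AA0002
13,01/15/04,08:07:03,Conflict,192.168.10.52,,000C29AA0003
62,01/15/04,08:09:30,Another server found,,,
54,01/15/04,08:09:31,Authorization failed,,,
01,01/15/04,08:10:00,Stopped,,,
"""

if __name__ == "__main__":
    for e, why in alerts(parse_dhcp_log(SAMPLE_LOG)):
        print(f"{e.date} {e.time} id={e.event_id:02d} {why} "
              f"ip={e.ip_address or '-'} mac={e.mac_address or '-'}")
```

Pointed at a real log from the audit log file path, the script works unchanged because anything whose first field is not a number is skipped. As the page states, codes 50 and above carry no description in the log file itself, so the lookup table is what gives them meaning; a sequence such as 62 followed by 54 and then 01 (another server seen, authorization failed, logging stopped) is exactly the kind of pattern worth correlating with the Dhcploc.exe checks described later in this section.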

How to change the DHCP log file location

1. Open the DHCP console.
2. Right-click the DHCP server node and select Properties from the shortcut menu.
3. The DHCP Server Properties dialog box opens.
4. Click the Advanced tab.
5. Change the audit log file location in the Audit Log File Path text box.
6. Click OK.

How to disable DHCP logging

1. Open the DHCP console.
2. Right-click the DHCP server node and select Properties from the shortcut menu.
3. The DHCP Server Properties dialog box opens.
4. On the General tab, clear the Enable DHCP Audit Logging check box to disable DHCP server logging.
5. Click OK.
Troubleshooting the DHCP Client Configuration

A DHCP failure usually exists when the following events occur:

- A DHCP client cannot contact the DHCP server.
- A DHCP client loses connectivity.

When these events occur, one of the first tasks you need to perform is to determine whether the connectivity issues occurred because of the actual DHCP client configuration, or because of some other network issue. You do this by determining the address type of the IP address of the DHCP client. To determine the address type:

1. Use the Ipconfig command to determine whether the client received an IP address lease from the DHCP server.
2. The client received an IP address from the DHCP server if the Ipconfig /all output displays:
   - The DHCP server as being enabled.
   - The IP address listed as IP Address. It should not be listed as Autoconfiguration IP Address.
3. You can also use the status dialog box for the network connection to determine the IP address type for the client.
4. To view this information, double-click the appropriate network connection in the Network Connections dialog box.
5. Click the Support tab.
6. The IP address type should be displayed as Assigned By DHCP.

If after the above checks you can conclude that the IP address was assigned to the client by the DHCP server, some other network issue is the cause of the DHCP server connectivity issues being experienced; the issue is not due to an IP addressing issue on the client. When clients have an incorrect IP address, it is probably because the computer was not able to contact the DHCP server. When this occurs, the computer assigns its own IP address through Automatic Private IP Addressing (APIPA). Computers could be unable to contact the DHCP server for a number of reasons:

- A problem might exist with the hardware or software of the DHCP server.
- A data-link protocol issue could be preventing the computer from communicating with the network.
- The DHCP server and the client are on different LANs and there is no DHCP Relay Agent. A DHCP Relay Agent enables a DHCP server to handle IP address requests of clients that are located on a different LAN.

When a DHCP client is assigned an IP address that is currently being used by another client, then an address conflict has occurred.

The process that occurs to detect duplicate IP addresses is illustrated below:

1. When the computer starts, the system checks for any duplicate IP addresses.
2. The TCP/IP protocol stack is disabled on the computer when the system detects a duplicate IP address.
3. An error message is shown that indicates the hardware address of the other system with which this computer is in conflict.
4. The computer that initially owned the duplicate IP address experiences no interruptions and operates as normal.
5. You have to reconfigure the conflicting computer with a unique IP address so that the TCP/IP protocol stack can be enabled on that particular computer again.

When address conflicts exist, a warning message is displayed:

- A warning is displayed in the system tray.
- A warning message is displayed in the System log, which you can view in Event Viewer.

Address conflicts usually occur under the following circumstances:

- You have competing DHCP servers in your environment: You can use the Dhcploc.exe utility to locate any rogue DHCP servers. The Dhcploc.exe utility is included with the Windows Support Tools. To solve the competing DHCP server issue, you have to locate the rogue DHCP servers, remove the necessary rogue DHCP servers, and then check that no two DHCP servers can allocate IP address leases from the same IP address range.
- A scope redeployment has occurred: You can recover from a scope redeployment through the following strategy:
  - Increase the conflict detection attempts on the DHCP server.
  - Renew your DHCP client leases.

One of the following methods can be used to renew your DHCP client leases:

- Use the Ipconfig /renew command.
- Use the Repair button of the status dialog box (Support tab) of the connection to renew the DHCP client lease.

When you click the Repair button of the status dialog box (Support tab) of the connection to renew the DHCP client lease, the following process occurs:

1. A DHCPREQUEST message is broadcast on the network to renew the DHCP client's IP address lease.
2. The ARP cache is flushed.
3. The NetBIOS cache is flushed.
4. The DNS cache is flushed.
5. The NetBIOS name and IP address of the client are registered again with the WINS server.
6. The computer name and IP address of the client are registered again with the DNS server.

You can enable server-side conflict detection through the following process:

1. Open the DHCP console.
2. Right-click the DHCP server in the console tree, and select Properties from the shortcut menu.
3. When the Server Properties dialog box opens, click the Advanced tab.
4. Set the number of times that the DHCP server should run conflict detection before it leases an IP address to a client.
5. Click OK.

A few troubleshooting strategies which you can use when a DHCP client cannot obtain an IP address from the DHCP server are summarized below:

- Use the Ipconfig /renew command or the Repair button of the status dialog box (Support tab) of the connection to refresh the IP configuration of the client. Following the above, verify that the DHCP server is enabled, and that a configured DHCP Relay Agent exists in the broadcast range.
- If the client still cannot obtain an IP address from the DHCP server, check that the physical connection to the DHCP server or DHCP Relay Agent is operating correctly and is not broken. Verify the status of the DHCP server and DHCP Relay Agent.
- If the issue still persists after all the above checks have been performed, you might have an issue at the DHCP server, or a scope issue might exist. When troubleshooting the DHCP server:
  - Check that the DHCP server is installed and enabled.
  - Check that the DHCP server is correctly configured.
  - Verify that the DHCP server is authorized.
- When troubleshooting the scope configured for the DHCP server:
  - Check that the scope is enabled.
  - Check whether all the available IP leases have already been assigned to clients.

A few troubleshooting strategies which you can use when a DHCP client obtains an IP address from the incorrect scope are summarized below:

- First determine whether competing DHCP servers exist on your network. Use the Dhcploc.exe utility, included with the Windows Support Tools, to locate rogue DHCP servers that are allocating IP addresses to clients.
- If no rogue DHCP servers are located through the Dhcploc.exe utility, your next step is to verify that each DHCP server is allocating IP address leases from unique scopes. There should be no overlapping of the address space.
- If you have multiple scopes on your DHCP server, and the DHCP server is assigning IP addresses to clients on remote subnets, verify that the DHCP Relay Agent used to enable communication with the DHCP server has the correct address.

Troubleshooting the DHCP Server Configuration

If you have clients that cannot obtain IP addresses from the DHCP server, even though they can contact the DHCP server, verify the following:

- Verify that the DHCP Server service is running on the particular server.
- Check the actual TCP/IP configuration settings on the DHCP server.
- If you are using the Active Directory directory service, verify that the DHCP server is authorized.
- The DHCP server could be configured with the incorrect scope. Check that the scope is correct on the DHCP server, and verify that it is active.

When you need to verify the configuration of the DHCP server, use the following process:

- First check that the DHCP server is configured with the correct IP address. The network ID of the address being used must be the same as that of the subnet for which the DHCP server is expected to assign IP addresses to clients.
- Verify the network bindings of the DHCP server. The DHCP server must be bound to the particular subnet. To check this:
  1. Open the DHCP console.
  2. Right-click the DHCP server in the console tree, and select Properties from the shortcut menu.
  3. When the Server Properties dialog box opens, click the Advanced tab.
  4. Click the Bindings button.
- Check that the DHCP server is authorized in Active Directory. You have to authorize the DHCP server in Active Directory so that it can provide IP addresses to your DHCP clients. To authorize the DHCP server:
  1. Open the DHCP console.
  2. In the console tree, expand the DHCP server node.
  3. Click the DHCP server that you want to authorize.
  4. Click the Action menu, and then select Authorize.
- Verify the scope configuration associated with the DHCP server:
  - Check that the scope is activated. To activate a scope:
    1. Open the DHCP console.
    2. Right-click the scope in the console tree, and select Activate from the shortcut menu.
  - Verify that the scope is configured with the correct IP address range.
  - Verify that there are available IP address leases which can be assigned to your DHCP clients.
  - Verify the exclusions which are specified in the address pool. Confirm that all exclusions are valid and necessary. You need to verify that no IP addresses are being unnecessarily excluded.
  - Verify the reservations which are specified. If you have a client that cannot obtain a reserved IP address, check whether the same address is also defined as an exclusion in the address pool. All reserved IP addresses must fall within the address range of the scope. Check too that the MAC addresses were successfully registered for all IP addresses that are reserved.
  - If you have DHCP servers that contain multiple scopes, check that each of these scopes is configured correctly.

Troubleshooting DHCP Database Issues

The DHCP service uses a number of database files to maintain DHCP-specific data, or information on IP address leases, scopes, superscopes, and DHCP options. The DHCP database files, located in the %systemroot%\System32\DHCP folder, are listed below. These files remain open while the DHCP service is running on the server. You should therefore not change any of these files while the DHCP service is running.

- Dhcp.mdb: This is considered the main DHCP database file because it contains all scope information.
- Dhcp.tmp: This file contains a backup copy of the database file which was created during re-indexing of the DHCP database.
- J50.log: This log file contains changes prior to their being written to the DHCP database.
- J50.chk: This checkpoint file informs DHCP of those log files that still have to be recovered.

If you need to change the role of the DHCP server and move its functions to another server, it is recommended that you migrate the DHCP database to the new DHCP server. This strategy prevents errors that occur when you manually attempt to recreate information in the DHCP database of the destination DHCP server. To migrate an existing DHCP database to a new DHCP server:

1. Open the DHCP console.
2. Right-click the DHCP server whose database you want to move to a different server, and select Backup from the shortcut menu.
3. When the Browse For Folder dialog box opens, select the folder to which the DHCP database should be backed up. Click OK.
4. To prevent the DHCP server from allocating new IP addresses to clients once the DHCP server database is backed up, you have to stop the DHCP server.
5. Open the Services console.
6. Double-click the DHCP Server service.
7. When the DHCP Server Properties dialog box opens, select Disabled from the Startup Type drop-down list.
8. Copy the folder which contains the backup to the new DHCP server.

You now have to restore the DHCP backup at the destination DHCP server:

1. Open the DHCP console.
2. Right-click the destination DHCP server for which you want to restore the DHCP database, and select Restore from the shortcut menu.
3. When the Browse For Folder dialog box opens, select the folder that contains the backup of the database that you want to restore. Click OK.
4. Click Yes when prompted to restore the database, and to stop and restart the DHCP service.

If the lease information in the DHCP database does not correspond to the actual IP addresses leased to clients on the network, you can delete your existing database files and start with a clean (new) database. To do this:

1. Stop the DHCP service.
2. Remove all the DHCP database files from the %systemroot%\System32\DHCP folder.
3. Restart the DHCP service.
4. Rebuild the contents of the database by reconciling the DHCP scopes. The DHCP console is used for this.

When DHCP database information is inconsistent with what is on the network, corrupt, or missing, you can reconcile DHCP data for the scopes to recover the database. The DHCP service stores IP address lease data as follows:

- Detailed IP address lease information is stored in the DHCP database.
- Summary IP address lease information is stored in the DHCP database.

These sets of information are compared when scopes are reconciled. Before you can reconcile the DHCP server's scopes, you first have to stop the DHCP service running on the server. You can repair any inconsistencies which are detected by the comparison between the contents of the DHCP database, and the contents of the Registry.

How to reconcile the DHCP database

1. Open the DHCP console.
2. Right-click the DHCP server for which you want to reconcile the DHCP database, and then select Reconcile All Scopes from the shortcut menu. The Reconcile All Scopes command also appears as an Action menu item.
3. When the Reconcile All Scopes dialog box opens, click Verify to start the DHCP database reconciliation process.
4. When no inconsistencies are reported, click OK.
5. When inconsistencies are detected, select the addresses which need to be reconciled, and then click Reconcile.
6. The inconsistencies are repaired.
How to reconcile a single scope

1. Open the DHCP console.
2. In the console tree, expand the DHCP server node that contains the scope which you want to reconcile.
3. Right-click the scope and then select Reconcile from the shortcut menu.
4. When the Reconcile All Scopes dialog box opens, click Verify to start the scope reconciliation process.
5. When no inconsistencies are detected, click OK.
6. When inconsistencies are detected, select the addresses which need to be reconciled, and then click Reconcile.
7. The inconsistencies are repaired.

Flexible Single Master Operations (FSMO in AD)


Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes on all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.

For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model

To prevent conflicting updates in Windows 2000/2003, Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain. In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once a schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master: When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The time service uses a hierarchical relationship that controls authority and does not permit loops, so that all computers use an appropriate common time. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner. In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless configured not to do so by the administrator.
- The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients. This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000/2003. The PDC emulator still performs the other functions described above in a Windows 2000/2003 environment.

At any one time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.

Responding to Operations Master Failures


The first step in responding to the unavailability of a domain controller that is an operations master role owner is to determine the anticipated duration of the outage. If the outage is expected to be brief, the recommended response is simply to wait for the role owner to become available before performing a role-related function. If the outage is longer, the correct response might be to seize the operations master role from a domain controller. To seize a role is to move it without the cooperation of its current owner. It is best to avoid seizing roles. The decision to seize an operations master role depends upon the role and the expected length of the outage.

Primary Domain Controller Emulator Failures

The loss of a domain controller that holds the primary domain controller emulator role can be visible to any user, end users and administrators alike. Specifically, an end user running Windows NT Workstation 3.51, Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client cannot change their password without communicating with the primary domain controller emulator. If the user's password has expired, the user is not able to log on. Therefore, you might need to repair a primary domain controller emulator failure quickly. If the primary domain controller emulator is offline for a significant period of time and the domain has users running Windows NT Workstation 3.51, Windows NT 4.0, Windows 95, or Windows 98 without the Active Directory client, or domain controllers running earlier versions of Windows NT, you should seize the primary domain controller emulator role to the standby operations master domain controller. The user interface for this seizure is similar to that of a normal operations master role transfer, except that it requires an extra confirmation from you. Agree to the confirmation only if you know the current primary domain controller emulator will be offline for a significant period. Later, when the original primary domain controller emulator domain controller comes back online, transfer the role back to the original role owner.

Infrastructure Master Failures

Temporary loss of a domain's infrastructure master is not visible to end users, and is not visible to you, as an administrator, unless you recently moved or renamed a large number of accounts. Therefore, in most cases, a temporary loss of the infrastructure master is not a problem worth fixing. If you anticipate a long outage of a domain's infrastructure master and you need to repair it, first select a domain controller that is not a Global Catalog server and that has good network connectivity to a Global Catalog server located in any domain. Ideally, the domain controller you have chosen should be within the same site as a Global Catalog server. It is not important that the new infrastructure master be near the previous one. When you have selected the domain controller, seize the infrastructure master role to this domain controller. The user interface for this seizure is similar to that of a normal operations master role transfer, except that it requires an extra confirmation from you. Agree to the confirmation only if you know that the current infrastructure master will be offline for a very long period. Later, when the original infrastructure master comes back online, transfer the role back to the original role owner.

Other Operations Master Failures

Temporary loss of the schema master, domain naming master, or RID master is ordinarily not visible to end users, and does not usually inhibit your work as an administrator. Therefore, this is usually not a problem worth fixing. However, if you anticipate an extremely long outage of the domain controller holding one of these roles, you can seize that role to the standby operations master domain controller. But seizing any of these roles is a drastic step, one that you would take only when the outage is permanent, as in the case when a domain controller is physically destroyed and cannot be restored from backup media. A domain controller whose schema master, domain naming master, or RID master role is seized must never come back online. Before proceeding with the role seizure, you must ensure that the outage of this domain controller is permanent by physically disconnecting the domain controller from the network.

The domain controller that seizes the role should be fully up-to-date with respect to updates performed on the previous role owner. Because of replication latency, it is possible that the domain controller might not be up-to-date. To check the status of updates for a domain controller, you can use the Repadmin command-line tool. The Repadmin command-line tool is a Resource Kit tool that performs replication diagnostics. It is available on the Microsoft Windows 2000 Server installation CD. Repadmin can determine whether a domain controller has the most current updates. For more information about using the Repadmin tool, see Windows 2000 Support Tools Help, which is included on the Windows 2000 Server CD, and "Active Directory Diagnostics, Troubleshooting, and Recovery" in this book.

For example, to make sure a domain controller is fully up-to-date, suppose that server05 is the RID master of the domain reskit.com, server10 is the standby operations master domain controller, and server12 is the only other domain controller in the reskit.com domain. Using the Repadmin tool, you would issue the following commands:

    C:\> repadmin /showvector dc=reskit,dc=com server10.reskit.com
    New-York\server05 @ USN 2604
    San-Francisco\server12 @ USN 2706

    C:\> repadmin /showvector dc=reskit,dc=com server12.reskit.com
    New-York\server05 @ USN 2590
    Chicago\server10 @ USN 3110

Note: In the previous example, user input is in bold type. Ignore all output lines except those for server05. Server10's up-to-date status value with respect to server05 (server05 @ USN 2604) is larger than server12's up-to-date status value with respect to server05 (server05 @ USN 2590), making it safe for server10 to seize the RID master role formerly held by server05. If the up-to-date status value for server10 were less than the value for server12, you would wait for normal replication to update server10, or use the Repadmin tool's /sync /force commands to make the replication happen immediately.

After you have determined that the role owner is fully up-to-date, you can seize the operations master role using the Ntdsutil tool as in the following example:

    C:\> ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server10.reskit.com
    binding to server10.reskit.com
    Connected to server10.reskit.com using credentials of locally logged on user
    server connections: quit
    fsmo maintenance: seize RID master
    Server server10.reskit.com knows about 5 roles
    Schema CN=NTDS Settings,CN=server04,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
    Domain CN=NTDS Settings,CN=server04,CN=Servers,CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
    PDC CN=NTDS Settings,CN=server10,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
    RID CN=NTDS Settings,CN=server10,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
    Infrastructure CN=NTDS Settings,CN=server12,CN=Servers,CN=San-Francisco,CN=Sites,CN=Configuration,DC=reskit,DC=com
    fsmo maintenance: quit
    ntdsutil: quit
    C:\>

Note: In the previous example, user input is in bold type. For more information about specific procedures for using the Ntdsutil command-line tool, see Windows 2000 Support Tools Help, which is included on the Windows 2000 Server installation CD.

Using the Ntdsutil Tool for Role Placement

The Ntdsutil tool allows you to transfer and seize operations master roles. The Ntdsutil tool might be more convenient for operations master transfers and seizures than the graphical user interface tools, because it is simpler and quicker to enter commands than to use multiple windows. To perform seizures of the schema master, domain naming master, and RID master roles, the Ntdsutil tool is the required method. When you use the Ntdsutil command-line tool to seize an operations master role, the tool attempts a transfer from the current role owner first. Then, if the existing operations master is unavailable, it performs the seizure. The Ntdsutil tool provides help information when you type a question mark (?). The following is an example showing the transfer of the domain naming master role (with user input shown in bold type):

    C:\> ntdsutil
    ntdsutil: ? ?
Print this help information

Authoritative restore Authoritatively restore the DIT database Domain management Prepare for new domain creation Files Manage NTDS database files Help Print this help information IPDeny List Manage LDAP IP Deny List LDAP policies Manage LDAP protocol policies Metadata cleanup Clean up objects of decommissioned servers Popups %s (en/dis)able popups with on or off Quit Quit the utility Roles Manage NTDS role owner tokens Security account management Manage Security Account Database Duplicate SID Cleanup Semantic database analysis Semantic Checker ntdsutil: roles fsmo maintenance: ? ? Print this help information Connections Connect to a specific domain controller Help Print this help information Quit Return to the prior menu Seize Seize Seize Seize Seize domain naming master Overwrite domain role on connected server infrastructure master Overwrite infrastructure role on connected server PDC Overwrite PDC role on connected server RID master Overwrite RID role on connected server schema master Overwrite schema role on connected server

Select operation target Select sites, servers, domains, roles and Naming Contexts Transfer master Transfer master Transfer Transfer Transfer domain naming master Make connected server the domain naming infrastructure master Make connected server the infrastructure PDC Make connected server the PDC RID master Make connected server the RID master schema master Make connected server the schema master

fsmo maintenance: connections server connections: ? ? Print this help information Clear creds Clear prior connection credentials Connect to domain %s Connect to DNS domain name Connect to server %s Connect to server, DNS name or IP address Help Print this help information Info Show connection information Quit Return to the prior menu

Set creds %s %s %s Set connection creds as domain, user, pwd Use NULL for null password server connections: connect to server reskit1 Binding to reskit1 Connected to reskit1 using credentials of locally logged on user server connections: quit fsmo maintenance: transfer domain naming master Server reskit1 knows about 5 roles Schema CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration ,DC=reskit,DC=com Domain CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration ,DC=reskit,DC=com PDC CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration ,DC=reskit,DC=com RID CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration ,DC=reskit,DC=com Infrastructure CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration ,DC=reskit,DC=com fsmo maintenance: quit ntdsutil: quit Disconnecting from reskit1 C:\> In the previous example, the available Ntdsutil tool commands display after entering a question mark (?). To transfer an operations master role, the roles command is entered, which displays the fsmo maintenance menu. Entering a question mark (?) displays the subcommands within the fsmo maintenance menu. Before transferring the operations master role, you must connect to the domain controller that will receive the role (reskit1 in the example above) by entering the connect to server subcommand. Then, after leaving the server connections mode by entering quit, issue the transfer domain naming master command. A confirmation pop-up window (not shown) displays for the transfer domain naming master operation. Note You must have sufficient permissions to execute commands using the Ntdsutil tool. For more information about controlling access to operations master role placements, see Controlling Access to Role Placements later in this chapter. 
It is also possible to view the current operations master role owner using the Ntdsutil command-line tool from the Select Operation Target menu located

under the Roles option. By using the List roles for connected server command, a list displays of all of the current operations master role owners. For more information about using the Ntdsutil command-line tool, see Windows 2000 Support Tools Help, which is included on the Windows 2000 Server installation CD.
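The up-to-dateness comparison described above is easy to get wrong by hand once more than two domain controllers remain. The Python below is an added example, not a Microsoft tool or code from the Resource Kit: it parses /showvector listings (the two quoted above, reproduced here as constructed sample text) and reports which peers still hold newer updates from the former role owner than the standby does.

```python
"""Check, from repadmin /showvector output, whether a standby domain controller has
replicated at least as much of a failed role owner's data as every other remaining DC."""
import re
from typing import Dict, List

# One line of /showvector output: optional "Site\" prefix, the originating server, then the
# highest update sequence number (USN) from that server that the queried DC has received.
_VECTOR_LINE = re.compile(
    r"^\s*(?:[^\\\s]+\\)?(?P<server>[^\s@\\]+)\s+@\s+USN\s+(?P<usn>\d+)\s*$",
    re.IGNORECASE)


def parse_showvector(output: str) -> Dict[str, int]:
    """Map each originating server (lower-cased) to the USN the queried DC has seen from it."""
    vector: Dict[str, int] = {}
    for line in output.splitlines():
        match = _VECTOR_LINE.match(line)
        if match:
            vector[match.group("server").lower()] = int(match.group("usn"))
    return vector


def lagging_behind(candidate: Dict[str, int], peers: Dict[str, Dict[str, int]],
                   former_owner: str) -> List[str]:
    """Peers that hold newer updates from former_owner than the candidate does. A seizure
    by the candidate would discard those updates, so this list must be empty first."""
    owner = former_owner.lower()
    mine = candidate.get(owner, 0)
    return sorted(name for name, vec in peers.items() if vec.get(owner, 0) > mine)


def safe_to_seize(candidate: Dict[str, int], peers: Dict[str, Dict[str, int]],
                  former_owner: str) -> bool:
    """True when no remaining DC is ahead of the candidate with respect to former_owner."""
    return not lagging_behind(candidate, peers, former_owner)


# Constructed sample text carrying the USN values quoted in the passage above.
SERVER10_SHOWVECTOR = r"""
New-York\server05 @ USN 2604
San-Francisco\server12 @ USN 2706
"""
SERVER12_SHOWVECTOR = r"""
New-York\server05 @ USN 2590
Chicago\server10 @ USN 3110
"""


def check_reskit_example() -> bool:
    """server05 is the failed RID master, server10 the standby, server12 the only other DC."""
    server10 = parse_showvector(SERVER10_SHOWVECTOR)
    server12 = parse_showvector(SERVER12_SHOWVECTOR)
    return safe_to_seize(server10, {"server12": server12}, "server05")


if __name__ == "__main__":
    s10 = parse_showvector(SERVER10_SHOWVECTOR)
    s12 = parse_showvector(SERVER12_SHOWVECTOR)
    peers = {"server12": s12}
    if safe_to_seize(s10, peers, "server05"):
        print("server10 is at least as current as every peer for server05: safe to seize")
    else:
        print("wait for replication (or force it with repadmin /sync) from:",
              lagging_behind(s10, peers, "server05"))
```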

Active Directory Trust Relationships


In Active Directory, when two domains trust each other, that is, when a trust relationship exists between the domains, the users and computers in one domain can access resources residing in the other domain. The characteristics of Windows Server 2003 trusts are outlined below:

- Trusts can be nontransitive or transitive:
  o Transitive trusts: With transitive trusts, trust is applicable to each trusted domain. Where Domain1 trusts Domain2, and Domain2 trusts Domain3, Domain1 also trusts Domain3.
  o Nontransitive trusts: The defined trust relationship ends with the two domains between which the particular trust is created.
- Trusts can be one-way or two-way:
  o One-way trusts: Based on the direction of the trust, a one-way trust can be either an incoming trust or an outgoing trust. A one-way trust can be transitive or nontransitive.
    Incoming trust: The trust is created in the trusted domain, and users in the trusted domain are able to access network resources in the trusting (other) domain. Users in the other domain cannot, however, access network resources in the trusted domain.
    Outgoing trust: Users in the other domain are able to access network resources in the initiating domain. Users in the initiating domain are not able to access any resources in the other domain.
  o Two-way trusts: A two-way trust relationship means that where Domain1 trusts Domain2, Domain2 also trusts Domain1. The trust works both ways, and users in each domain are able to access network resources in either one of the domains. A two-way, transitive trust relationship is the trust that exists between parent domains and child domains in a domain tree. In a two-way transitive trust, where Domain1 trusts Domain2 and Domain2 trusts Domain3, Domain1 trusts Domain3 and Domain3 trusts Domain1. Two-way, transitive trust is the default trust relationship between domains in a tree. It is automatically created and exists between top-level domains in a forest.
- Trusts can be implicit or explicit:
  o Implicit: Automatically created trust relationships are called implicit trusts. An example of an implicit trust is the two-way, transitive trust relationship that Active Directory creates between a parent domain and its child domains.
  o Explicit: Manually created trust relationships are referred to as explicit trusts.

Types of Active Directory Trust Relationships

- Parent/Child trust: A parent/child trust relationship exists between two domains in Active Directory that have a common contiguous DNS namespace and belong to the same forest. This trust relationship is established when a child domain is created in a domain tree.
- Tree Root trust: A tree root trust relationship can be configured between root domains in the same forest. The root domains do not have a common DNS namespace. This trust relationship is established when a new tree root domain is added to a forest.
- Shortcut trust: This trust relationship can be configured between two domains in different domain trees but within the same forest. Shortcut trusts are typically used to improve user logon times.
- External trust: External trust relationships are created between an Active Directory domain and a Windows NT 4.0 domain.
- Realm trust: A realm trust relationship exists between an Active Directory domain and a non-Windows Kerberos realm.
- Forest trust: A forest trust can be created between two Active Directory forests.
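The transitive, nontransitive, one-way and two-way rules above reduce to a reachability question over the trust graph: can users of one domain reach resources in another? The Python below is an added example, not part of the original text; the domains and trusts in it are constructed, and it assumes the realm trust in the sample is configured as nontransitive.

```python
"""Reachability over Active Directory trust relationships: can users of one domain
reach resources in another, given transitive/nontransitive and one-way/two-way trusts?"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Trust:
    """One direction of trust: the trusting domain (resource side) accepts users
    authenticated by the trusted domain (account side)."""
    trusting: str
    trusted: str
    transitive: bool
    kind: str


def trust(trusting: str, trusted: str, kind: str, transitive: bool, two_way: bool) -> List[Trust]:
    """Outgoing trust from `trusting` to `trusted`; a two-way trust adds the reverse direction."""
    edges = [Trust(trusting, trusted, transitive, kind)]
    if two_way:
        edges.append(Trust(trusted, trusting, transitive, kind))
    return edges


def can_access(trusts: List[Trust], user_domain: str, resource_domain: str) -> bool:
    """True if users in user_domain can access resources in resource_domain.
    A direct trust suffices whatever its transitivity. A longer chain is valid only when
    every hop on it is transitive: a nontransitive trust ends with the two domains
    between which it was created, so no chain may pass through it."""
    if user_domain == resource_domain:
        return True
    outgoing: Dict[str, List[Trust]] = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)
    # Direct trust from the resource domain to the account domain.
    if any(t.trusted == user_domain for t in outgoing.get(resource_domain, [])):
        return True
    # Otherwise search outward from the resource domain over transitive hops only.
    seen = {resource_domain}
    queue = deque([resource_domain])
    while queue:
        domain = queue.popleft()
        for t in outgoing.get(domain, []):
            if not t.transitive:
                continue
            if t.trusted == user_domain:
                return True
            if t.trusted not in seen:
                seen.add(t.trusted)
                queue.append(t.trusted)
    return False


def reskit_forest() -> List[Trust]:
    """Constructed example: two trees in one forest, one external trust to an NT 4.0 domain
    (one-way, nontransitive) and one realm trust (assumed nontransitive here)."""
    trusts: List[Trust] = []
    trusts += trust("hq.reskit.com", "reskit.com", "parent/child", transitive=True, two_way=True)
    trusts += trust("sales.reskit.com", "reskit.com", "parent/child", transitive=True, two_way=True)
    trusts += trust("noam.corp", "reskit.com", "tree root", transitive=True, two_way=True)
    trusts += trust("reskit.com", "NTDOM", "external", transitive=False, two_way=False)
    trusts += trust("hq.reskit.com", "UNIX.REALM", "realm", transitive=False, two_way=False)
    return trusts


if __name__ == "__main__":
    forest = reskit_forest()
    for users, resources in [("sales.reskit.com", "hq.reskit.com"), ("NTDOM", "reskit.com"),
                             ("NTDOM", "hq.reskit.com"), ("reskit.com", "NTDOM"),
                             ("noam.corp", "sales.reskit.com")]:
        print(f"users of {users:18} -> resources in {resources:18}: "
              f"{can_access(forest, users, resources)}")
```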

Understanding Windows Group Policy

Introduction
This document is part of a set of step-by-step guides that introduce IT managers and system administrators to the features of the Windows 2000 operating system. This document presents a brief overview of Group Policy, and shows how to use the Group Policy snap-in to specify policy settings for groups of users and of computers. It includes information on:

- Configuring the Group Policy snap-in.
- Creating and managing Group Policy objects.
- Setting options for registry-based policy, scripts, and loopback policy.
- Using security groups with Group Policy.
- Linking multiple Group Policy objects.
- Blocking and enforcing Group Policy.

Group Policy and the Active Directory


In Windows 2000, administrators use Group Policy to enhance and control users' desktops. To simplify the process, administrators can create a specific desktop configuration that is applied to groups of users and computers. The Windows 2000 Active Directory service enables Group Policy. The policy information is stored in Group Policy objects (GPOs), which are linked to selected Active Directory containers: sites, domains, and organizational units (OUs). A GPO can be filtered based on security group membership, which allows administrators to manage computers and users in either a centralized or a decentralized manner. Filtering based on security groups defines the scope of Group Policy management, so that Group Policy can be applied centrally at the domain level, or in a decentralized manner at the OU level, and can then be filtered again by security groups. Administrators can use security groups in Group Policy to:

- Filter the scope of a GPO. This defines which groups of users and computers a GPO affects.
- Delegate control of a GPO. There are two aspects to managing and delegating Group Policy: managing the Group Policy links, and managing who can create and edit GPOs.

Administrators use the Group Policy Microsoft Management Console (MMC) snap-in to manage policy settings. Group Policy includes various features for managing these policy settings. In addition, third parties can extend Group Policy to host other policy settings. The data generated by Group Policy is stored in a Group Policy object (GPO), which is replicated in all domain controllers within a single domain. The Group Policy snap-in includes several MMC snap-in extensions, which constitute the main nodes in the Group Policy snap-in. The extensions are as follows:

- Administrative templates. These include registry-based Group Policy, which you use to mandate registry settings that govern the behavior and appearance of the desktop, including the operating system components and applications.
- Security settings. You use the Security Settings extension to set security options for computers and users within the scope of a Group Policy object. You can define local computer, domain, and network security settings.
- Software installation. You can use the Software Installation snap-in to centrally manage software in your organization. You can assign and publish software to users and assign software to computers.
- Scripts. You can use scripts to automate computer startup and shutdown and user logon and logoff. You can use any language supported by Windows Script Host. These include Microsoft Visual Basic Scripting Edition (VBScript), JavaScript, Perl, and MS-DOS-style batch files (.bat and .cmd).
- Remote Installation Services. You use Remote Installation Services (RIS) to control the behavior of the Remote Operating System Installation feature as displayed to client computers.
- Internet Explorer maintenance. You use Internet Explorer Maintenance to manage and customize Microsoft Internet Explorer on Windows 2000-based computers.
- Folder redirection. You use Folder Redirection to redirect Windows 2000 special folders from their default user profile location to an alternate location on the network. These special folders include My Documents, Application Data, Desktop, and the Start Menu.

Figure 1 below shows how Group Policy objects use the Active Directory hierarchy for deploying Group Policy.

Figure 1: The Hierarchy of Group Policy and the Active Directory

Group Policy objects are linked to site, domain, and OU containers in the Active Directory. The default order of precedence follows the hierarchical nature of the Active Directory: sites are processed first, then domains, and then each OU. A single GPO can be linked to more than one Active Directory container, and a single container can have more than one GPO linked to it.

Prerequisites and Initial Configuration

Prerequisites
This Software Installation and Maintenance document is based on "Step-by-Step to a Common Infrastructure for Windows 2000 Server Deployment", http://www.microsoft.com/windows2000/techinfo/planning/server/serversteps.asp. Before using this guide, you need to build the common infrastructure as described in that document. This infrastructure specifies a particular hardware and software configuration. If you are not using the common infrastructure, you must take this into account when using the guide.

Group Policy Scenarios


Note that this document does not describe all of the possible Group Policy scenarios. Please use this instruction set to begin to understand how Group Policy works and begin to think about how your organization might use Group Policy to reduce its TCO. Other Windows 2000 features, including Security Settings and Software Installation and Maintenance, are built on Group Policy. To learn how to use Group Policy in those specific scenarios, refer to the white papers and Windows 2000 Server online help on Windows 2000 Security and Software Installation and Maintenance, which are available on the Windows 2000 Web site.

Important Notes
The example company, organization, products, people, and events depicted in this guide are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred. This common infrastructure is designed for use on a private network. The fictitious company name and DNS name used in the common infrastructure are not registered for use on the Internet. Please do not use this name on a public network or the Internet. The Active Directory service structure for this common infrastructure is designed to show how Windows 2000 Change and Configuration Management works and functions with Active Directory. It was not designed as a model for configuring an Active Directory service for any organization; for such information, see the Active Directory documentation.

Group Policy Snap-in Configuration


Group Policy is tied to the Active Directory service. The Group Policy snap-in extends the Active Directory management tools using the Microsoft Management Console (MMC) snap-in extension mechanism. The Active Directory snap-ins set the scope of management for Group Policy. The most common way to access Group Policy is by using the Active Directory Users and Computers snap-in, which sets the scope of management to domains and organizational units (OUs). You can also use the Active Directory Sites and Services snap-in to set the scope of management to a site. These two tools can be accessed from the Administrative Tools program group; the Group Policy snap-in extension is enabled in both tools. Alternatively, you can create a custom MMC console, as described in the next section.

Configuring a Custom Console


The examples in this document use the custom MMC console that you can create by following the procedure in this section. You need to create this custom console before attempting the remaining procedures in this document.

Note: If you want more experience building MMC consoles, run through the procedures outlined in "Step-by-Step Guide to Microsoft Management Console".

To configure a custom console

1. Log on to the HQ-RES-DC-01 domain controller as an administrator.
2. Click Start, click Run, type mmc, and then click OK.
3. On the Console menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Add Standalone Snap-in dialog box, in the Available standalone snap-ins list box, click Active Directory Users and Computers, and then click Add.
6. Double-click Active Directory Sites and Services in the Available standalone snap-ins list box.
7. In the Available standalone snap-ins list box, double-click Group Policy.
8. In the Select Group Policy Object dialog box, Local Computer is selected under Group Policy Object. Click Finish to edit the local Group Policy object.
9. Click Close in the Add Standalone Snap-in dialog box.
10. In the Add/Remove Snap-in dialog box, click the Extensions tab. Ensure that the Add all extensions check box is checked for each primary extension added to the MMC console (these are checked by default).
11. Click OK.

To save console changes

1. In the MMC console, on the Console menu, click Save.
2. In the Save As dialog box, in the File name text box, type GPWalkthrough, and then click Save.

The console should appear as in Figure 2 below:

Figure 2: Group Policy MMC Console

Accessing Group Policy


You can use the appropriate Active Directory tools to access Group Policy while focused on any site, domain, or OU.

To open Group Policy from Active Directory Sites and Services

1. In the GPWalkthrough MMC console, in the console tree, click the + next to Active Directory Sites and Services.
2. In the console tree, right-click the site for which to access Group Policy.
3. Click Properties, and then click Group Policy.

To open Group Policy from Active Directory Users and Computers


1. In the console tree in the GPWalkthrough MMC console, click the + next to Active Directory Users and Computers.
2. In the console tree, right-click either the reskit domain or the OU for which to access Group Policy.
3. Click Properties, and then click Group Policy.

To access Group Policy scoped to a specific computer (or the local computer), you must load the Group Policy snap-in into the MMC console namespace targeted at the specific computer (or local computer). There are two major reasons for these differences:

- Sites, domains, and OUs can have multiple GPOs linked to them; these GPOs require an intermediate property page to manage them.
- A GPO for a specific computer is stored on that computer and not in the Active Directory.

Scoping a Domain or OU
To scope the domain or OU, use the GPWalkthrough MMC console that you saved earlier.

To scope Group Policy for a domain or OU

1. Click Start, point to Programs, click Administrative Tools, and click GPWalkthrough to open the MMC console you created earlier.
2. Click the + next to Active Directory Users and Computers to expand the tree.
3. Click the + next to reskit.com to expand the tree.
4. Right-click either the domain (reskit.com) or an OU, and click Properties.
5. Click the Group Policy tab, as shown in Figure 3 below.

This displays a property page where the GPOs associated with the selected Active Directory container can be managed. You use this property page to add, edit, delete (or remove), and disable GPOs; to specify No Override options; and to change the order of the associated GPOs. Selecting Edit starts the Group Policy snap-in. More information on using the Group Policy property page and the Group Policy snap-in can be found later in this document. Note: The Computers and Users containers are not organizational units; therefore, you cannot apply Group Policy directly to them. Users or computers in these containers receive policies from GPOs scoped to the domain and site objects only. The domain controller container is an OU, and Group Policy can be applied directly to it.

Figure 3: Group Policy Link Management

Scoping Local or Remote Computers


To access Group Policy for a local or a remote computer, you add the Group Policy snap-in to the MMC console and focus it on a remote or local computer. To access Group Policy for the local computer, use the GPWalkthrough console created earlier in this document, and choose the Local Computer Policy node. You can add other computers to the console namespace by adding another Group Policy snap-in to the GPWalkthrough console, and clicking the Browse button when the Select Group Policy Object dialog box is displayed.

Note: Some of the Group Policy extensions are not loaded when Group Policy is run against a local GPO.

Creating a Group Policy Object


The Group Policy settings you create are contained in a Group Policy Object (GPO) that is in turn associated with selected Active Directory objects, such as sites, domains, or organizational units (OUs).

To create a Group Policy Object (GPO)

1. Open the GPWalkthrough MMC console.
2. Click the + next to Active Directory Users and Computers, and click the reskit.com domain.
3. Click the + next to Accounts to expand the tree.
4. Right-click Headquarters, and select Properties from the context menu.
5. In the Headquarters Properties page, click the Group Policy tab.
6. Click New, and type HQ Policy.

The Headquarters Properties page should appear as in Figure 4 below:

Figure 4: Headquarters Properties

At this point you could add another GPO for the Headquarters OU, giving each one that you create a meaningful name, or you could edit the HQ Policy GPO, which starts the Group Policy snap-in for that GPO. All Group Policy functionality is derived from the snap-in extensions. In this exercise, all of these extensions are enabled. It is possible, using standard MMC methods, to restrict the extension snap-ins that are loaded for any given snap-in. For information on this capability, see the Windows 2000 Server Online Help for Microsoft Management Console. There is also a Group Policy setting that you can use to restrict the use of MMC snap-in extensions. To access this policy, navigate to the System\Group Policy node under Administrative Templates. Use the Explain tab to learn more about the use of these policies. If you have more than one GPO associated with an Active Directory container, verify the GPO order; a GPO that is higher in the list has the highest precedence. Note that GPOs higher in the list are processed last (this is what gives them a higher precedence). GPOs in the list are objects; they have context menus that you use to view the properties of each GPO. You can use the context menus to obtain and modify general information about a GPO. This information includes Discretionary Access Control Lists (DACLs, which are covered in the Security Group Filtering section of this document), and lists the other sites, domains, or OUs to which this GPO is linked.

Click Close

Best Practice You can further refine a GPO by using user or computer membership in security groups and then setting DACLs based on that membership. This is covered in the Security Group Filtering section below.

Managing Group Policy


To manage Group Policy, you need to access the context menu of a site, domain, or OU, select Properties, and then select the Group Policy tab. This displays the Group Policy Properties page. Please note the following:

- This page displays any GPOs that have been associated with the currently selected site, domain, or OU. The links are objects; they have a context menu that you can access by right-clicking the object. (Right-clicking the white space displays a context menu for creating a new link, adding a link, or refreshing the list.)
- This page also shows an ordered GPO list, with the highest priority GPO at the top of the list. You can change the list order by selecting a GPO and then using the Up or Down buttons.
- To associate (link) a new GPO, click the Add button.
- To edit an existing GPO in the list, select the GPO and click the Edit button, or just double-click the GPO. This starts the Group Policy snap-in, which is how the GPO is modified. This is described in more detail later in this document.
- To permanently delete a GPO from the list, select it from the list and click the Delete button. Then, when prompted, select Remove the link and delete the Group Policy object permanently. Be careful when deleting an object, because the GPO may be associated with another site, domain, or OU.
- If you want to remove a GPO from the list, select the GPO from the links list, click Delete, and then, when prompted, select Remove the link from the list.
- To determine what other sites, domains, or OUs are associated with a given GPO, right-click the GPO, select Properties from the context menu, and then click the Links tab in the GPO Properties page.
- The No override check column marks the selected GPO as one whose policies cannot be overridden by another GPO.

Note: You can enable the No Override property on more than one GPO. All GPOs that are marked as No override will take precedence over all other GPOs not marked. Of those GPOs marked as No override, the GPO with the highest priority will be applied after all the other similarly marked GPOs.

The Disabled check box simply disables (deactivates) the GPO without removing it from the list. To remove a GPO from the list, select the GPO from the links list, click Delete, and then select Remove the link from the list in the Delete dialog box.

It is also possible to disable only the User or Computer portion of the GPO. To do this, right-click the GPO, click Properties, click either Disable computer configuration settings or Disable user configuration settings, and then click OK. These options are available on the GPO Properties page, on the General tab. The Block policy inheritance check box has the effect of negating all GPOs that exist higher in the hierarchy. However, it cannot block any GPOs that are enforced by using the No override check box; those GPOs are always applied.

Note: Policy settings contained within the local GPO that are not specifically overridden by domain-based policy settings are also always applied. Block Policy Inheritance at any level will not remove local policy.
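The precedence rules spread over the last few paragraphs (local, site, domain, OU processing order; list position within a container; No Override; Block Policy Inheritance; the Disabled check box) can be checked against a small model. The Python below is an added example, not code from the guide or from Windows: the GPO names other than HQ Policy, and all setting names and values, are constructed, and it assumes, beyond what the guide states, that when No Override GPOs are linked at several levels the one linked closest to the site is applied last.

```python
"""Model of Group Policy precedence: local, site, domain, OU order, link order,
No Override, Block Policy Inheritance and the Disabled check box."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]            # setting name -> configured value


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False           # "No Override" column on the Group Policy tab
    disabled: bool = False              # "Disabled" column on the Group Policy tab


@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)   # highest-priority link FIRST, as in the UI
    block_inheritance: bool = False     # "Block Policy Inheritance" check box


def resolve_effective_policy(local_gpo: GPO, path: List[Container]) -> Dict[str, Tuple[str, str]]:
    """path is the site, then the domain, then each OU down to the one holding the
    computer or user. Returns {setting: (value, name of the GPO that won)}."""
    # Block Policy Inheritance on a container negates the ordinary (non-No Override)
    # GPOs on every container above it. It never removes the local GPO.
    blocked_up_to = -1
    for depth, container in enumerate(path):
        if container.block_inheritance:
            blocked_up_to = max(blocked_up_to, depth - 1)

    order: List[GPO] = [local_gpo]                 # local policy is processed first

    # Ordinary links: site, then domain, then each OU. Within a container the link at
    # the top of the list is processed last, which is what gives it the highest precedence.
    for depth, container in enumerate(path):
        if depth <= blocked_up_to:
            continue
        for link in reversed(container.links):
            if not link.disabled and not link.no_override:
                order.append(link.gpo)

    # No Override links are processed after every ordinary link, so nothing overrides them
    # and a Block Policy Inheritance below them does not remove them. Within a container the
    # highest-priority one is applied last; across containers the one linked closest to the
    # site is applied last (assumption, see lead-in).
    for container in reversed(path):
        for link in reversed(container.links):
            if not link.disabled and link.no_override:
                order.append(link.gpo)

    effective: Dict[str, Tuple[str, str]] = {}
    for gpo in order:                              # later GPOs overwrite earlier ones
        for setting, value in gpo.settings.items():
            effective[setting] = (value, gpo.name)
    return effective


def reskit_example(block_at_accounts: bool = True) -> Dict[str, Tuple[str, str]]:
    """Constructed scenario using the guide's container names; GPO names other than
    HQ Policy, and all setting names and values, are made up for illustration."""
    local = GPO("Local Computer Policy", {"ScreenSaverTimeout": "900", "DisableRegistryTools": "0"})
    site = Container("Default-First-Site-Name", [
        Link(GPO("Site Policy", {"ScreenSaverTimeout": "600"}), no_override=True)])
    domain = Container("reskit.com", [
        Link(GPO("Default Domain Policy",
                 {"DisableRegistryTools": "1", "EnforceShowPoliciesOnly": "1"}))])
    accounts = Container("Accounts", [
        Link(GPO("Accounts Policy", {"DisableRegistryTools": "0"}))],
        block_inheritance=block_at_accounts)
    headquarters = Container("Headquarters", [
        Link(GPO("HQ Policy", {"ScreenSaverTimeout": "300", "Wallpaper": "hq.bmp"})),
        Link(GPO("HQ Baseline", {"Wallpaper": "corp.bmp", "DisableRegistryTools": "1"})),
        Link(GPO("Old HQ Policy", {"Wallpaper": "old.bmp"}), disabled=True)])
    return resolve_effective_policy(local, [site, domain, accounts, headquarters])


if __name__ == "__main__":
    for setting, (value, winner) in sorted(reskit_example().items()):
        print(f"{setting:24} = {value:8} (from {winner})")
```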

Editing a Group Policy Object


You can use the custom console to edit a GPO. You will need to log on to the HQ-RES-DC-01 server as an Administrator, if you have not already done so.

To edit a Group Policy Object (GPO)

1. Click Start, point to Programs, click Administrative Tools, and then select GPWalkthrough.
2. Click the + next to Active Directory Users and Computers, click the reskit.com domain, and then click the Accounts OU.
3. Right-click Headquarters, select Properties, and then click the Group Policy tab. HQ Policy in the Group Policy object links list box should be highlighted.
4. Double-click the HQ Policy GPO (or click Edit).

This opens the Group Policy snap-in focused on a GPO named HQ Policy, which is linked to the OU named Headquarters. It should appear as in Figure 5 below:

Figure 5: HQ Policy

Adding or Browsing a Group Policy Object


The Add a Group Policy Object Link dialog box shows GPOs currently associated with domains, OUs, sites, or all GPOs without regard to their current associations (links). The Add a Group Policy Object Link dialog box is shown in Figure 6 below.

Figure 6: Add a Group Policy Object Link


GPOs are stored in each domain. The Look In drop-down box allows you to select a different domain to view. In the Domains/OUs tab, the list box displays the sub-OUs and GPOs for the currently selected domain or OU. To navigate the hierarchy, double-click a sub-OU or use the Up one level toolbar button. To add a GPO to the currently selected domain or OU, either double-click the object, or select it and click OK. Alternatively, you can create a new GPO by clicking the All tab, right-clicking in the open space, and selecting New on the context menu, or by using the Create New GPO toolbar button. The Create New GPO toolbar button is only active in the All tab. To create a new GPO and link it to a particular site, domain, or OU, use the New button on the Group Policy property page.

Note: It is possible to create two or more GPOs with the same name. This is by design and is because the GPOs are actually stored as GUIDs and the name shown is a friendly name stored in the Active Directory.

In the Sites tab, all GPOs associated with the selected site are displayed. Use the drop-down list to select another site. There is no hierarchy of sites. The All tab shows a flat list of all GPOs that are stored in the selected domain. This is useful when you want to select a GPO that you know by name, rather than by where it is currently associated. This is also the only place to create a GPO that does not have a link to a site, domain, or OU. To create an unlinked GPO, access the Add a Group Policy Object Link dialog box from any site, domain, or OU. Click the All tab, select the toolbar button or right-click the white space, and select New. Name the new GPO, press Enter, and then click Cancel; do not click OK. Clicking OK links the new GPO to the current site, domain, or OU. Clicking Cancel creates an unlinked GPO.

Registry-based Policies
The user interface for registry-based policies is controlled by using Administrative Template (.adm) files. These files describe the user interface that is displayed in the Administrative Templates node of the Group Policy snap-in. These files are format-compatible with the .adm files used by the System Policy Editor tool (poledit.exe) in Microsoft Windows NT 4.0. With Windows 2000, the available options have been expanded.

Note: Although it is possible to add any .adm file to the namespace, if you use an .adm file from a previous version of Windows, the registry keys are unlikely to have an effect on Windows 2000, or they actually set preference settings and mark the registry with these settings; that is, the registry settings persist.

By default, only those policy settings defined in the loaded .adm files that exist in the approved Group Policy trees are displayed; these settings are referred to as true policies. This means that the Group Policy snap-in does not display any items described in the .adm file that set registry keys outside of the Group Policy trees; such items are referred to as Group Policy preferences. The approved Group Policy trees are:

    \Software\Policies
    \Software\Microsoft\Windows\CurrentVersion\Policies

A Group Policy called Enforce Show Policies Only is available in User Configuration\Administrative Templates, under the System\Group Policy nodes. If you set this policy to Enabled, the Show policies only command is turned on and administrators cannot turn it off, and the Group Policy snap-in displays only true policies. If you set this policy to Disabled or Not configured, the Show policies only command is turned on by default; however, you can view preferences by turning off the Show policies only command. To do so, select the Administrative Templates node (under either the User Configuration or Computer Configuration node), click the View menu on the Group Policy console, and clear the Show policies only check box. Note that the selected state for this policy cannot persist; that is, there is no preference for this policy setting.

In Group Policy, preferences are indicated by a red icon to distinguish them from true policies, which are indicated by a blue icon. Use of non-policies within the Group Policy infrastructure is strongly discouraged because of the persistent registry settings behavior mentioned previously. To set registry policies on Windows NT 4.0, Windows 95, and Windows 98 clients, use the Windows NT 4.0 System Policy Editor tool, Poledit.exe. By default the System.adm, Inetres.adm, and Conf.adm files are loaded and present this namespace as shown in Figure 7 below:

Figure 7: User Configuration

The .adm files include the following settings:

System.adm: Operating system settings
Inetres.adm: Internet Explorer restrictions
Conf.adm: NetMeeting settings
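The true-policy versus preference distinction above is the one that decides whether a setting is cleaned up or tattooed, so it is worth checking before an .adm file is loaded. The following PowerShell is an added example (not part of the original walkthrough or Microsoft's tooling): it parses the KEYNAME/VALUENAME entries of an .adm file and flags every value that is written outside the two approved trees. The .adm text is constructed for this example; the NoRun value is the one the walkthrough's Remove Run menu policy writes, the ExampleSetting entry is a made-up preference.

```powershell
# Added example (not part of the original walkthrough): classify the registry
# locations an .adm file writes to. Values under the approved trees are true
# policies, which Windows removes when the GPO no longer applies; anything else
# is a preference and tattoos the registry. The sample .adm text is constructed.

$ApprovedPolicyTrees = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-TruePolicyKey {
    param([Parameter(Mandatory)][string]$KeyName)
    # Drop a hive prefix such as HKCU\ or HKEY_LOCAL_MACHINE\ and any leading backslash.
    $key = ($KeyName -replace '^(HKLM|HKCU|HKEY_[A-Z_]+)[:\\]+', '').TrimStart('\')
    foreach ($tree in $ApprovedPolicyTrees) {
        if ($key -ieq $tree -or
            $key.StartsWith($tree + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-AdmPolicySummary {
    param([Parameter(Mandatory)][string[]]$AdmLines)
    $class = $null; $policy = $null; $key = $null
    $keyStack = New-Object System.Collections.Stack   # a KEYNAME set at CATEGORY level is inherited by its policies
    foreach ($raw in $AdmLines) {
        $line = $raw.Trim()
        if ($line -match '^CLASS\s+(USER|MACHINE)\b') { $class = $Matches[1]; continue }
        if ($line -match '^(CATEGORY|POLICY)\s+(.+)$') {
            $keyStack.Push($key)
            if ($Matches[1] -eq 'POLICY') { $policy = $Matches[2].Trim('"') }
            continue
        }
        if ($line -match '^END\s+(CATEGORY|POLICY)\b') {
            if ($keyStack.Count -gt 0) { $key = $keyStack.Pop() }
            if ($Matches[1] -eq 'POLICY') { $policy = $null }
            continue
        }
        if ($line -match '^KEYNAME\s+"?([^"]+)"?') { $key = $Matches[1].Trim(); continue }
        if ($line -match '^VALUENAME\s+"?([^"]+)"?') {
            $isTrue = $false
            if ($key) { $isTrue = Test-TruePolicyKey -KeyName $key }
            [pscustomobject]@{
                Class      = $class
                Policy     = $policy
                KeyName    = $key
                ValueName  = $Matches[1].Trim()
                TruePolicy = $isTrue
            }
        }
    }
}

# On a client where a GPO has applied, a true policy shows up under the HKCU
# policy tree; this is the registry-level form of the "Run menu is gone" check.
function Get-AppliedUserPolicyValue {
    param([Parameter(Mandatory)][string]$KeyName, [Parameter(Mandatory)][string]$ValueName)
    $path = "HKCU:\$KeyName"
    if (-not (Test-Path $path)) { return $null }
    (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

# Constructed sample: one true policy and one NT 4.0-style preference.
$sampleAdm = @'
CLASS USER
CATEGORY "Start Menu & Taskbar"
  POLICY "Remove Run menu from Start menu"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    VALUENAME "NoRun"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY
CATEGORY "Legacy settings"
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer"
  POLICY "Example preference (tattoos the registry)"
    VALUENAME "ExampleSetting"
  END POLICY
END CATEGORY
'@ -split "`r?`n"

Get-AdmPolicySummary -AdmLines $sampleAdm |
    Format-Table Class, Policy, KeyName, ValueName, TruePolicy -AutoSize
```

Run it against a real file with `Get-AdmPolicySummary -AdmLines (Get-Content "$env:SystemRoot\inf\system.adm")` and review every row whose TruePolicy column is False before the template goes into a GPO. After the walkthrough's HQ Policy has applied, `Get-AppliedUserPolicyValue 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoRun'` returns 1 for an affected user.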

Adding Administrative Templates


The .adm file consists of a hierarchy of categories and subcategories that together define how options are organized in the Group Policy user interface.

To add administrative templates (.adm files)

1. In the GPWalkthrough console, double-click Active Directory Users and Computers, right-click the domain or OU for which you want to set policy, click Properties, and then click Group Policy.
2. In the Group Policy properties page, select the Group Policy Object you want to edit from the Group Policy objects links list, and click Edit to open the Group Policy snap-in.
3. In the Group Policy console, click the plus sign (+) next to either User Configuration or Computer Configuration. The .adm file defines which of these locations each policy is displayed in, so it does not matter which node you choose.
4. Right-click Administrative Templates, and select Add/Remove Templates. This shows a list of the currently active template files for this Active Directory container.
5. Click Add. This shows a list of the available .adm files in the %systemroot%\inf directory of the computer where Group Policy is being run. You can choose an .adm file from another location. Once chosen, the .adm file is copied into the GPO.

To set registry-based settings using administrative templates

1. In the GPWalkthrough console, double-click Active Directory Users and Computers, double-click the reskit.com domain, double-click Accounts, right-click the Headquarters OU, and then click Properties.
2. In the Headquarters Properties dialog box, click Group Policy.
3. Double-click the HQ Policy GPO in the Group Policy object links list to edit the HQ Policy GPO.
4. In the Group Policy console, under the User Configuration node, click the plus sign (+) next to Administrative Templates.
5. Click Start Menu & Taskbar. Note that the details pane shows all the policies as Not configured.
6. In the details pane, double-click the Remove Run menu from Start menu policy. This displays a dialog box for the policy as shown in Figure 8 below.

Figure 8: Remove Run menu from Start Menu

7. In the Remove Run menu from Start menu dialog box, click Enabled.

Note the Previous Policy and Next Policy buttons in the dialog box. You can use these buttons to navigate the details pane to set the state of other policies. You can also leave the dialog box open and click another policy in the details pane of the Group Policy snap-in. After the details pane has the focus, you can use the Up and Down arrow keys on the keyboard and press Enter to quickly browse through the settings (or Explain tabs) for each policy in the selected node.

8. Click OK. Note the change in state in the Setting column in the details pane. This change is immediate; it has been saved to the GPO. If you are in a replicated domain controller (DC) environment, this action sets a flag that triggers a replication cycle.

If you log on to a workstation in the reskit.com domain with a user from the Headquarters OU, you will note that the Run menu has been removed. At this point, you may want to experiment with the other available policies. Look at the text in the Explain tab for information about each policy.

Scripts
You can set up scripts to run when users log on or log off, or when the system starts up or shuts down. All scripts are Windows Script Host (WSH)-enabled. As such, they may be JScript (.js) or VBScript (.vbs) files, as well as .bat and .cmd files. Links to more information on the Windows Script Host are located in the More Information section at the end of this document.

Setting up a Logon Script


Use this procedure to add a script that runs when a user logs on.

Note: This procedure uses the Welcome2000.js script described in Appendix A of this document, which includes instructions for creating and saving the script file. Before performing the procedure for setting up logon scripts, you need to create the Welcome2000.js script file and copy it to the HQ-RES-DC-01 domain controller.

To set up logon scripts

1. In the GPWalkthrough console, double-click Active Directory Users and Computers, right-click the reskit.com domain, click Properties, and then click Group Policy.
2. In the Group Policy properties page, select the Default Domain Policy GPO from the Group Policy objects links list, and click Edit to open the Group Policy snap-in.
3. In the Group Policy snap-in, under User Configuration, click the + next to Windows Settings, and then click the Scripts (Logon/Logoff) node.
4. In the details pane, double-click Logon.

The Logon Properties dialog box displays the list of scripts that run when affected users log on. This is an ordered list, with the script that is to run first appearing at the top of the list. You can change the order by selecting a script and then using the Up or Down buttons. To add a new script to the list, click the Add button. This displays the Add a Script dialog box. Browsing from this dialog allows you to specify the name of an existing script located in the current GPO, or to browse to another location and select it for use in this GPO. The script file must be accessible to the user at logon or it does not run. Scripts in the current GPO are automatically available to the user. You can create a new script by right-clicking the empty space, selecting New, and then selecting a new file.

Note: If the View Folder Options for this folder are set to Hide file extensions for known file types, the file may have an unwanted extension that prevents it from being run.

To edit the name or the parameters of an existing script in the list, select it and click the Edit button. This button does not allow the script itself to be edited; that can be done through the Show Files button. To remove a script from the list, select it and click Remove. The Show Files button displays an Explorer view of the scripts for the GPO. This allows quick access to these files, or to the place to copy support files to if the script files require them. If you change a script file name from this location, you must also use the Edit button to change the file name, or the script cannot execute.

5. Click the Start menu, click Programs, click Accessories, click Windows Explorer, navigate to the Welcome2000.js file (use Appendix A to create the file), right-click the file, and select Copy. Close Windows Explorer.
6. In the Logon Properties dialog box, click the Show Files button, and paste the Welcome2000.js script into the default file location. It should appear as in Figure 9 below:

Figure 9: Welcome2000.js

7. Close the Logon window.
8. Click the Add button in the Logon Properties dialog box.
9. In the Add a Script dialog box, click Browse, and then in the Browse dialog box, double-click the Welcome2000.js file. Click Open.
10. In the Add a Script dialog box, click OK (no script parameters are needed), and then click OK again.

You can then log on to a client workstation as a user in the Headquarters OU, and verify that the script runs when the user logs on.
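Everyone the GPO applies to runs the listed files at logon with their own credentials, so what matters from a security standpoint is where each CmdLine entry actually resolves to and who can write there. The PowerShell below is an added example, not part of the original walkthrough: it parses the scripts.ini that Group Policy keeps under the GPO's User\Scripts folder in SYSVOL (entries are numbered 0CmdLine=/0Parameters=, 1CmdLine=/1Parameters=, and so on), resolves each bare file name against the GPO's Logon folder, and flags entries that point outside SYSVOL or carry a non-script extension such as the .js.txt case the note above warns about. The scripts.ini text, the file server path and the trusted-root list are constructed for this example; the GUID in the folder path is the Default Domain Policy's well-known GUID.

```powershell
# Added example (not from the original walkthrough): audit what a GPO's logon
# script list points at. A bare file name resolves to the GPO's
# User\Scripts\Logon folder in SYSVOL; any other path is used as given.
# Sample scripts.ini content and paths are constructed.

function Get-GpoScriptEntries {
    param(
        [Parameter(Mandatory)][string[]]$IniLines,
        [ValidateSet('Logon', 'Logoff')][string]$Section = 'Logon'
    )
    $inSection = $false
    $entries = @{}
    foreach ($raw in $IniLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq $Section); continue }
        if (-not $inSection) { continue }
        # Entries are numbered: 0CmdLine=..., 0Parameters=..., 1CmdLine=..., ...
        if ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $idx = [int]$Matches[1]
            if (-not $entries.ContainsKey($idx)) { $entries[$idx] = @{ CmdLine = ''; Parameters = '' } }
            $entries[$idx][$Matches[2]] = $Matches[3]
        }
    }
    foreach ($idx in ($entries.Keys | Sort-Object)) {
        [pscustomobject]@{
            Order      = $idx
            CmdLine    = $entries[$idx].CmdLine
            Parameters = $entries[$idx].Parameters
        }
    }
}

function Test-GpoScriptEntry {
    param(
        [Parameter(Mandatory)]$Entry,
        [Parameter(Mandatory)][string]$GpoLogonFolder,
        [string[]]$TrustedRoots = @('\\reskit.com\SYSVOL\'),               # assumption: only admins write here
        [string[]]$RunnableExtensions = @('.js', '.vbs', '.bat', '.cmd', '.exe')
    )
    $cmd = $Entry.CmdLine
    # A name without any path separator is relative to the GPO's Logon folder.
    $resolved = if ($cmd -match '[\\/]') { $cmd } else { [System.IO.Path]::Combine($GpoLogonFolder, $cmd) }
    $inTrusted = $false
    foreach ($root in $TrustedRoots) {
        if ($resolved.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    $ext = [System.IO.Path]::GetExtension($resolved)
    [pscustomobject]@{
        Order         = $Entry.Order
        Resolved      = $resolved
        InTrustedRoot = $inTrusted
        Runnable      = ($RunnableExtensions -contains $ext)   # false for Welcome2000.js.txt
        Parameters    = $Entry.Parameters
    }
}

# Constructed sample: one correct entry, one that points at a file server share
# and has picked up a hidden .txt extension.
$sampleScriptsIni = @'
[Logon]
0CmdLine=Welcome2000.js
0Parameters=
1CmdLine=\\fileserver\public\Inventory.js.txt
1Parameters=/quiet
[Logoff]
0CmdLine=Cleanup.cmd
0Parameters=
'@ -split "`r?`n"

$gpoLogonFolder = '\\reskit.com\SYSVOL\reskit.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\Scripts\Logon'

Get-GpoScriptEntries -IniLines $sampleScriptsIni -Section Logon |
    ForEach-Object { Test-GpoScriptEntry -Entry $_ -GpoLogonFolder $gpoLogonFolder } |
    Format-Table Order, Resolved, InTrustedRoot, Runnable -AutoSize
```

On a domain controller, feed the real file in with `Get-Content` (the path is the GPO folder's User\Scripts\scripts.ini; the file is hidden and Unicode, both of which Get-Content handles) and then run `Get-Acl` on every Resolved path that is outside SYSVOL: a script location writable by ordinary users is code execution in every affected user's session.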

Setting Up a Logoff or Computer Startup or Shutdown Script


You can use the same procedure outlined in the preceding section to set up scripts that run when a user logs off or when a computer starts up or is shut down. For logoff scripts, you would select Logoff in step 4.

Other Script Considerations


By default, Group Policy scripts that run in a command window (such as .bat or .cmd files) run hidden, and legacy scripts (those defined in the user object) are by default visible as they are processed (as was the case for Windows NT 4.0), although there is a Group Policy that allows this visibility to be changed. The policy for users is called Run logon scripts visible or Run logoff scripts visible, and is accessed in the User Configuration\Administrative Templates node, under System\Logon/Logoff. For computers, the policy is Run startup scripts visible and can be accessed in the Computer Configuration\Administrative Templates node, under System\Logon.

Security Group Filtering


You can refine the effects of any GPO by modifying the computer or user membership in a security group. To do this, you use the Security tab to set Discretionary Access Control Lists (DACLs) on the GPO. DACLs are used for performance reasons, the details of which are contained in the Group Policy technical paper referenced earlier in this document. This feature allows for tremendous flexibility in designing and deploying GPOs and the policies they contain. By default, all GPOs affect all users and computers that are contained in the linked site, domain, or OU. By using DACLs, the effect of any GPO can be modified to exclude or include the members of any security group. You can modify a DACL using the standard Windows 2000 Security tab, which is accessed from the Properties page of any GPO.

To access a GPO Properties page from the Group Policy Properties page of a domain or OU

1. In the GPWalkthrough console, double-click Active Directory Users and Computers, double-click the reskit.com domain, double-click Accounts, right-click the Headquarters OU, and then click Properties.
2. In the Headquarters Properties dialog box, click Group Policy.
3. Right-click the HQ Policy GPO in the Group Policy Object Links list, and select Properties from the context menu.
4. In the Properties page, click the Security tab. This displays the standard Security properties page.

You will see security groups and users based on the Common Infrastructure. For more information, see the Windows 2000 step-by-step guide, A Common Infrastructure for Change and Configuration Management. Make sure that you have completed the appropriate steps in that document before continuing.

5. In the Security property page, click Add.
6. In the Select Users, Computers, and Groups dialog box, select the Management group from the list, click Add, and click OK to close the dialog.
7. In the Security tab of the HQ Policy Properties page, select the Management group, and view the permissions. By default, only the Read Access Control Entry (ACE) is set to Allow for the Management group. This means that the members of the Management group do not have this GPO applied to them unless they are also members of another group (by default, they are also Authenticated Users) that has the Apply Group Policy ACE selected.

At this point, everyone in the Authenticated Users group has this GPO applied, regardless of having added the Management group to the list, as shown in Figure 10 below.

Figure 10: Authenticated Users

8. Configure the GPO so that it applies to the members of the Management group only: select Allow for the Apply Group Policy ACE for the Management group, and then clear the Allow Apply Group Policy ACE for the Authenticated Users group.

By changing the ACEs that are applied to different groups, administrators can customize how a GPO affects the users or computers that are subject to that GPO. Write access is required for modifications to be made; the Read and Apply Group Policy ACEs are both required for a policy to affect a group (for the policy to apply to the group). Use the Deny ACE with caution: a Deny ACE set for any group takes precedence over any Allow ACE a user or computer holds through membership in another group. Details of this interaction may be found in the Windows 2000 Server online Help by searching on Security Group. Figure 11 below shows an example of the security settings that allow everyone to be affected by this GPO except the members of the Management group, who were explicitly denied permission to the GPO by setting the Apply Group Policy ACE to Deny. Note that if a member of the Management group were also a member of a group that had an explicit Allow setting for the Apply Group Policy ACE, the Deny would take precedence and the GPO would not affect the user.

Figure 11: Security Settings

Variations on the above may include:

- Adding additional GPOs with different sets of policies and having them apply only to groups other than the Management group.
- Creating another group with members of the existing groups in it, and then using that group as a filter for a GPO.

Note: You can use these same types of security options with the Logon scripts you set up in the preceding section. You can set a script to run only for members of a particular group, or for everyone except the members of a specific group. Security group filtering has two functions: the first is to modify which groups are affected by a particular GPO, and the second is to delegate which group of administrators can modify the contents of the GPO by restricting Full Control to a limited set of administrators (by a group). This is recommended because it limits the chance of multiple administrators making changes at any one time.
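The same filtering can be done, and more importantly reviewed across the whole domain, from PowerShell. The block below is an added example, not part of the original walkthrough: it uses the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and later (it post-dates the Windows 2000 tooling described above), with the walkthrough's HQ Policy GPO and Management group as the names. It grants Read and Apply to the group, drops Authenticated Users to Read only, and then lists, for every GPO in the domain, who it applies to and who is denied.

```powershell
# Added example (not from the original walkthrough): security group filtering
# with the GroupPolicy module. Run on a domain-joined admin host with GPMC.
Import-Module GroupPolicy

function Get-GpoApplyScope {
    # Every trustee holding the Apply Group Policy permission on a GPO, and
    # whether that ACE is a Deny. Authenticated Users with GpoApply means "everyone".
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo     = $GpoName
                Trustee = $_.Trustee.Name
                Type    = $_.Trustee.TrusteeType
                Denied  = $_.Denied
            }
        }
}

function Set-GpoApplyToGroupOnly {
    # Grant Read + Apply to one group, then reduce Authenticated Users to Read.
    # Read is kept on purpose: clients (and, since MS16-072, computers
    # processing user settings) must still be able to read the GPO.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null
    # -Replace overwrites the existing level; without it GpoRead would be added to the existing GpoApply.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Get-GpoApplyScope -GpoName $GpoName
}

Set-GpoApplyToGroupOnly -GpoName 'HQ Policy' -GroupName 'Management'

# Domain-wide review: GPOs that apply to nobody any more, and GPOs whose scope
# depends on a Deny ACE (the Figure 11 case), which is easy to overlook later.
Get-GPO -All | ForEach-Object {
    $scope = @(Get-GpoApplyScope -GpoName $_.DisplayName)
    [pscustomobject]@{
        Gpo       = $_.DisplayName
        AppliesTo = ($scope | Where-Object { -not $_.Denied } | ForEach-Object Trustee) -join 
', '
        DeniedFor = ($scope | Where-Object { $_.Denied } | ForEach-Object Trustee) -join ', '
    }
} | Format-Table -AutoSize
```

Set-GPPermission only writes Allow ACEs; the explicit Deny used in Figure 11 still has to be set on the GPO's Security tab (or through the GPMC scripting interfaces), which is one more reason to prefer the Allow-only pattern above and to keep the Deny cases visible in a report.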

Blocking Inheritance and No Override


The Block inheritance and No override features allow you to control the default inheritance rules. In this procedure, you set up a GPO in the Accounts OU, which applies by default to the users (and computers) in the Headquarters, Production, and Marketing OUs. You then establish another GPO in the Accounts OU and set it as No override. These settings apply to the child OUs, even if you set up a contrary setting in a GPO scoped to that OU. You then use the Block inheritance feature to prevent Group Policies set in a parent site, domain, or OU (in this case, the Accounts OU) from being applied to the Production OU. A description of how to disable portions of a GPO to improve performance is also included.

Setting Up the Environment


You must first set up the environment for the procedures in this section.

To set up the GPO environment

1. Open the saved MMC console GPWalkthrough, and then open the Active Directory Users and Computers node.
2. Double-click the reskit.com domain, and then double-click the Accounts OU.
3. Right-click the Accounts OU, select Properties from the context menu, and click the Group Policy tab.
4. Click New to create a new GPO called Default User Policies.
5. Click New to create a new GPO called Enforced User Policies.
6. Select the Enforced User Policies GPO, and click the Up button to move it to the top of the list. The Enforced User Policies GPO should have the highest precedence. Note that this step only serves to demonstrate the functionality of the Up button; an enforced GPO always takes precedence over those that are not enforced.
7. Select the No override setting for the Enforced User Policies GPO by double-clicking the No override column or using the Options button. The Accounts Properties page should now appear as in Figure 12 below:

Figure 12: Enforced User Policies

8. Double-click the Enforced User Policies GPO to start the Group Policy snap-in.
9. In the Group Policy snap-in, under User Configuration, click Administrative Templates, click System, and then click Logon/Logoff. In the details pane, double-click the Disable Task Manager policy, click Enabled in the Disable Task Manager dialog box, and then click OK. For information on the policy, click the Explain tab. Note that the setting is now Enabled, as in Figure 13 below.

Figure 13: Task Manager

10. Click the Close button to exit the Group Policy snap-in.
11. In the Accounts Properties dialog box, on the Group Policy tab, double-click the Default User Policies GPO in the Group Policy objects links list.
12. In the Group Policy snap-in, in the User Configuration node, under Administrative Templates, click the Desktop node, click the Active Desktop folder, and then double-click the Disable Active Desktop policy in the details pane. Click Enabled, click OK, and click Close.
13. In the Accounts Properties dialog box, click Close.

You can now log on to a client workstation as any user in any of the OUs under the Accounts OU. Note that you cannot run Task Manager: the option is unavailable from both CTRL+SHIFT+ESC and CTRL+ALT+DEL. In addition, the Active Desktop cannot be enabled. When you right-click the desktop and select Properties, you will see that the Web tab is missing. As an extra step, you can reverse the setting of the Disable Task Manager policy in a GPO that is linked to any of the child OUs of the Accounts OU (Headquarters, Production, Marketing). To do this, change the radio button for that policy. Note: Doing this has no effect while the Enforced User Policies GPO is linked with No override in the Accounts OU.

Disabling Portions of a GPO


Because these GPOs are used solely for user configuration, the computer portion of the GPO can be turned off. Doing so reduces the computer startup time, because the computer portion of the GPOs does not have to be evaluated to determine whether any policies exist. In this procedure, no computers are affected by these GPOs. Therefore, disabling a portion of the GPO has no immediate benefit. However, since these GPOs could later be linked to a different OU that may include computers, you may want to disable the computer side of these GPOs.

To disable the Computer portion of a GPO

1. Open the saved MMC console GPWalkthrough, and then double-click the Active Directory Users and Computers node.
2. Double-click the reskit.com domain.
3. Right-click the Accounts OU, and select Properties from the context menu.
4. In the Accounts Properties dialog box, click the Group Policy tab, right-click the Enforced User Policies GPO, and select Properties.
5. In the Enforced User Policies Properties dialog box, select the General tab, and then select the Disable computer configuration settings check box. In the Confirm Disable dialog box, click Yes. Note that the General properties page includes two check boxes for disabling a portion of the GPO.
6. Repeat steps 4 and 5 for the Default User Policies GPO.

Blocking Inheritance

You can block inheritance so that a site, domain, or OU does not receive the GPOs linked higher in the hierarchy. After you block inheritance on the Production OU, only the settings in the Enforced User Policies GPO (because it is set to No override) still affect the users in this OU. This is simpler than reversing each individual policy in a GPO scoped at this OU.

To block inheritance of Group Policy for the Production OU

1. Open the saved MMC console GPWalkthrough, and then double-click the Active Directory Users and Computers node.
2. Double-click the reskit.com domain, and then double-click the Accounts OU.
3. Right-click the Production OU, select Properties from the context menu, and then click the Group Policy tab.
4. Select the Block policy inheritance check box, and click OK.

To verify that inherited settings are now blocked, log on as any user in the Production OU. Notice that the Web tab is present in the Display Properties page. Also note that Task Manager is still disabled, because that GPO was set to No override in the parent OU.

Linking a GPO to Multiple Sites, Domains, and OUs


This section demonstrates how you can link a GPO to more than one container (site, domain, or OU) in the Active Directory. Depending on the exact OU configuration, you can use other methods to achieve similar Group Policy effects; for example, you can use security group filtering or you can block inheritance. In some cases, however, those methods do not have the desired effects. Whenever you need to explicitly state which sites, domains, or OUs need the same set of policies, use the method outlined below.

To link a GPO to multiple sites, domains, and OUs

1. Open the saved MMC console GPWalkthrough, and then double-click the Active Directory Users and Computers node.
2. Double-click the reskit.com domain, and double-click the Accounts OU.
3. Right-click the Headquarters OU, select Properties from the context menu, and then click the Group Policy tab.
4. In the Headquarters Properties dialog box, on the Group Policy tab, click New to create a new GPO named Linked Policies.
5. Select the Linked Policies GPO, and click the Edit button.
6. In the Group Policy snap-in, in the User Configuration node, under the Administrative Templates node, click Control Panel, and then click Display.
7. In the details pane, click the Disable Changing Wallpaper policy, click Enabled in the Disable Changing Wallpaper dialog box, and click OK.
8. Click Close to exit the Group Policy snap-in.
9. In the Headquarters Properties page, click Close.

Next you will link the Linked Policies GPO to another OU.

10. In the GPWalkthrough console, double-click the Active Directory Users and Computers node, double-click the reskit.com domain, and then double-click the Accounts OU.
11. Right-click the Production OU, click Properties on the context menu, and then click the Group Policy tab on the Production Properties dialog box.
12. Click the Add button, or right-click the blank area of the Group Policy objects links list, and select Add on the context menu.
13. In the Add a Group Policy Object Link dialog box, click the down arrow on the Look in box, and select the Accounts.reskit.com OU.
14. Double-click the Headquarters.Accounts.reskit.com OU in the Domains, OUs, and linked Group Policy objects list.
15. Click the Linked Policies GPO, and then click OK.

You have now linked a single GPO to two OUs. Changes made to the GPO in either location result in a change for both OUs. You can test this by changing some policies in the Linked Policies GPO, and then logging on to a client in each of the affected OUs, Headquarters and Production.

Loopback Processing
This section demonstrates how to use the loopback processing policy to apply a different set of user Group Policies based on the computer being logged on to. This policy is useful when you need to have user policies applied to users of specific computers. There are two modes. Merge mode processes the policies that apply to the user, and then also applies the user policies from the GPOs that apply to the computer the user has logged on to (the computer's GPOs are processed last, so they win on conflict). Replace mode does not apply the user's settings based on where the user object is, but only processes the user policies from the computer's list of GPOs. Details on this method can be found in the Group Policy white paper referred to earlier.

To use the loopback processing policy

1. In the GPWalkthrough console, double-click the Active Directory Users and Computers node, double-click the reskit.com domain, and then double-click the Resources OU.
2. Right-click the Desktops OU, click Properties on the context menu, and then click the Group Policy tab on the Desktops Properties dialog box.
3. Click New to create a new GPO named Loopback Policies.
4. Select the Loopback Policies GPO, and click Edit.
5. In the Group Policy snap-in, under the Computer Configuration node, click Administrative Templates, click System, and then click Group Policy.
6. In the details pane, double-click the User Group Policy loopback processing mode policy. Click Enabled in the User Group Policy loopback processing mode dialog box, select Replace in the Mode drop-down box, and then click OK to exit the property page.

Next, you will set several User Configuration policies by using the Next Policy navigation buttons in the policy dialog boxes.

7. In the Group Policy snap-in, under the User Configuration node, click Administrative Templates, and click Start Menu & Taskbar.
8. In the details pane, double-click the Remove user's folders from the Start menu policy, and then click Enabled in the Remove user's folders from the Start menu dialog box.
9. Click Apply to apply the policy, and click the Next Policy button to go on to the next policy, Disable and remove links to Windows Update.
10. In the Disable and remove links to Windows Update dialog box, click Enabled, click Apply, and then click the Next Policy button.
11. In each of the following policies' dialog boxes, set the state of the policies as indicated in the list below:

Policy                                                    Setting
Remove common program groups from Start Menu              Enabled
Remove Documents from Start Menu                          Enabled
Disable programs on Settings Menu                         Enabled
Remove Network & Dial-up Connections from Start menu      Enabled
Remove Favorites Menu from Start menu                     Enabled
Remove Search Menu from Start menu                        Enabled
Remove Help Menu from Start menu                          Enabled
Remove Run Menu from Start menu                           Enabled
Add Logoff on the Start Menu                              Enabled
Disable Logoff on the Start Menu                          Not configured
Disable and remove the Shut Down command                  Not configured
Disable drag-and-drop context menus on the Start Menu     Enabled
Disable changes to Taskbar and Start Menu Settings        Enabled
Disable Context menus for the taskbar                     Enabled
Do not keep history of recently opened documents          Enabled
Clear history of recently opened documents on exit        Enabled

Click OK when you have set the last policy from the list in step 11.

12. In the Group Policy console tree, navigate to the Desktop node under User Configuration\Administrative Templates, and set the following policies to Enabled:

Policy                                                               Setting
Hide Remove My Documents from Start Menu                             Enabled
Hide My Network Places icon on desktop                               Enabled
Hide Internet Explorer icon on desktop                               Enabled
Prohibit user from changing My Documents path                        Enabled
Disable adding, dragging, dropping and closing the Taskbar's toolbars  Enabled
Disable adjusting desktop toolbars                                   Enabled
Don't save settings at exit                                          Enabled

Click OK when you have set the last policy from the list in step 12.

13. In the Group Policy console tree, navigate to the Active Desktop node under User Configuration\Administrative Templates\Desktop, set the Disable Active Desktop policy to Enabled, and then click OK.
14. In the Group Policy console tree, navigate to the Control Panel node under User Configuration\Administrative Templates, click the Add/Remove Programs node, double-click the Disable Add/Remove Programs policy, set it to Enabled, and then click OK.
15. In the Group Policy console tree, navigate to the Control Panel node under User Configuration\Administrative Templates, click the Display node, double-click the Disable display in control panel policy, set it to Enabled, and then click OK.
16. In the Group Policy snap-in, click Close.
17. In the Desktops Properties dialog box, click Close.

At this point, all users who log on to computers in the Desktops OU receive none of the policies that would normally be applied to them; instead, they receive the user policies set in the Loopback Policies GPO. You may want to use the procedures outlined in the section on Security Group Filtering to restrict this behavior to specific groups of computers, or you may want to move some computers to another OU. For the following example, a security group called No Loopback is created. To do this, use the Active Directory Users and Computers snap-in, click the Groups container, click New, and create this global security group. In this example, computers that are in the No Loopback security group are excluded from this loopback policy if the following steps are taken:

1. In the GPWalkthrough console, double-click Active Directory Users and Computers, double-click reskit.com, double-click Resources, right-click Desktops, and then select Properties.
2. In the Desktops Properties dialog box, click Group Policy, right-click the Loopback Policies GPO, and then select Properties.
3. In the Loopback Policies Properties page, click Security, and select Allow for the Apply Group Policy ACE for the Authenticated Users group.
4. Add the No Loopback group to the Name list. To do this, click Add, select the No Loopback group, and click OK.
5. Select Deny for the Apply Group Policy ACE for the No Loopback group, and click OK.
6. Click OK in the Loopback Policies Properties page.
7. Click Close in the Desktops Properties dialog box.
8. In the GPWalkthrough console, click Save on the Console menu.

Because the Deny applies to the computer account, a computer in No Loopback never processes the Loopback Policies GPO at all, so the loopback setting in its Computer Configuration is never turned on and users of that computer receive their normal user policies.

Source: http://technet.microsoft.com/en-us/library/bb742376.aspx
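The three preceding sections (No override and Block inheritance, one GPO linked to several OUs, and loopback processing) all come down to one question: in what order are the GPO links processed for a given user or computer, given that the last one processed wins? The PowerShell below is an added example, not part of the original walkthrough, that models those rules so the outcome can be predicted before a test logon. It encodes the reskit.com containers and links exactly as the walkthrough sets them up (Accounts with Enforced User Policies set to No override above Default User Policies; Production blocking inheritance; Linked Policies linked at both Headquarters and Production; Loopback Policies at Desktops under Resources); that data is constructed here, nothing is read from Active Directory.

```powershell
# Added example (not from the original walkthrough): a model of Group Policy link
# ordering covering No override (enforced), Block inheritance, a GPO linked in two
# places, and loopback processing. Containers and links are constructed data
# mirroring the walkthrough's reskit.com setup.

function New-Container {
    param([string]$Name, [bool]$Blocked = $false, [object[]]$Links = @())
    [pscustomobject]@{ Name = $Name; Blocked = $Blocked; Links = $Links }
}
function New-Link {
    # Order 1 is the top of the container's link list (highest precedence there).
    param([string]$Name, [int]$Order, [bool]$Enforced = $false)
    [pscustomobject]@{ Name = $Name; Order = $Order; Enforced = $Enforced }
}

function Get-GpoApplicationOrder {
    # Returns GPO names in processing order; the last one wins on conflict.
    param([Parameter(Mandatory)][object[]]$Chain)   # domain first, target container last
    # Block inheritance on a container discards every non-enforced link above it.
    $start = 0
    for ($i = 0; $i -lt $Chain.Count; $i++) { if ($Chain[$i].Blocked) { $start = $i } }
    $applied = New-Object 'System.Collections.Generic.List[string]'
    # Non-enforced links, parent to child; within a container a lower Order is processed later.
    for ($i = $start; $i -lt $Chain.Count; $i++) {
        foreach ($link in ($Chain[$i].Links | Where-Object { -not $_.Enforced } | Sort-Object Order -Descending)) {
            $applied.Add($link.Name)
        }
    }
    # Enforced links, child to parent, so the enforced link nearest the root is processed last and wins.
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {
        foreach ($link in ($Chain[$i].Links | Where-Object { $_.Enforced } | Sort-Object Order -Descending)) {
            $applied.Add($link.Name)
        }
    }
    return ,$applied.ToArray()
}

function Get-LoopbackUserOrder {
    # Which GPOs supply the user-side settings once loopback is considered.
    param(
        [Parameter(Mandatory)][string[]]$UserOrder,       # from the user object's container chain
        [Parameter(Mandatory)][string[]]$ComputerOrder,   # from the computer object's container chain
        [ValidateSet('None', 'Merge', 'Replace')][string]$Mode = 'None'
    )
    switch ($Mode) {
        'None'    { return ,$UserOrder }
        'Merge'   { return ,($UserOrder + $ComputerOrder) }   # computer's list appended, so it wins
        'Replace' { return ,$ComputerOrder }                  # user's own GPOs ignored entirely
    }
}

$domain       = New-Container 'reskit.com'   -Links @(New-Link 'Default Domain Policy' 1)
$accounts     = New-Container 'Accounts'     -Links @((New-Link 'Enforced User Policies' 1 $true), (New-Link 'Default User Policies' 2))
$headquarters = New-Container 'Headquarters' -Links @(New-Link 'Linked Policies' 1)
$production   = New-Container 'Production'   -Blocked $true -Links @(New-Link 'Linked Policies' 1)
$resources    = New-Container 'Resources'
$desktops     = New-Container 'Desktops'     -Links @(New-Link 'Loopback Policies' 1)

$hqUser   = Get-GpoApplicationOrder -Chain @($domain, $accounts, $headquarters)
$prodUser = Get-GpoApplicationOrder -Chain @($domain, $accounts, $production)
$desktop  = Get-GpoApplicationOrder -Chain @($domain, $resources, $desktops)

"Headquarters user : " + ($hqUser -join ' -> ')
"Production user   : " + ($prodUser -join ' -> ')
"Desktops computer : " + ($desktop -join ' -> ')
"HQ user on a Desktops computer, loopback Replace: " + ((Get-LoopbackUserOrder $hqUser $desktop -Mode Replace) -join ' -> ')
```

For the Production user the model yields Linked Policies then Enforced User Policies: Default User Policies is blocked (so the Web tab is back), the enforced Task Manager setting survives the block, and the wallpaper lock from the shared Linked Policies GPO applies. The model deliberately ignores site links, disabled links, disabled GPO halves, security filtering and WMI filters, which the real engine also evaluates; gpresult on the client remains the authoritative check.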

Hardware RAID Levels

RAID 0 (minimum 2 drives)
Description: Data striping without redundancy
Strengths: Highest performance
Weaknesses: No data protection; if one drive fails, all data is lost

RAID 1 (minimum 2 drives)
Description: Disk mirroring
Strengths: Very high performance; very high data protection; very minimal penalty on write performance
Weaknesses: High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required

RAID 2 (not used in LAN environments)
Description: No practical use
Strengths: Previously used for RAM error environments (known as Hamming Code) and in disk drives before the use of embedded error correction
Weaknesses: No practical use; the same performance can be achieved by RAID 3 at lower cost

RAID 3 (minimum 3 drives)
Description: Byte-level data striping with dedicated parity drive
Strengths: Excellent performance for large, sequential data requests
Weaknesses: Not well-suited for transaction-oriented network applications; the single parity drive does not support multiple, simultaneous read and write requests

RAID 4 (minimum 3 drives; not widely used)
Description: Block-level data striping with dedicated parity drive
Strengths: Data striping supports multiple simultaneous read requests
Weaknesses: Write requests suffer from the same single parity-drive bottleneck as RAID 3; RAID 5 offers equal data protection and better performance at the same cost

RAID 5 (minimum 3 drives)
Description: Block-level data striping with distributed parity
Strengths: Best cost/performance for transaction-oriented networks; very high performance, very high data protection; supports multiple simultaneous reads and writes; can also be optimized for large, sequential requests
Weaknesses: Write performance is slower than RAID 0 or RAID 1

RAID 0/1 (minimum 4 drives)
Description: Combination of RAID 0 (data striping) and RAID 1 (mirroring)
Strengths: Highest performance, highest data protection (can tolerate multiple drive failures)
Weaknesses: High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required; requires a minimum of four drives

RAID 1/0 (minimum 4 drives)
Description: Combination of RAID 1 (mirroring) and RAID 0 (data striping)
Strengths: Shares the same fault tolerance as RAID 1 (the basic mirror), but complements that fault tolerance with a striping mechanism that can yield very high read rates
Weaknesses: High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required; requires a minimum of four drives
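The table's "data protection" column rests on one operation: the parity block in each stripe is the XOR of the data blocks, so any single missing block, data or parity, can be rebuilt from the rest. The PowerShell below is an added example, not part of the original table: it stripes a constructed payload across three simulated drives with rotating parity as RAID 5 does, removes one drive, and rebuilds its block in every stripe. RAID 3 and 4 use the same arithmetic with the parity always on one drive; RAID 0 has no parity block, which is why one failed drive there loses everything.

```powershell
# Added example (not part of the original table): the XOR parity behind
# RAID 3/4/5, with RAID 5's rotating parity placement. Payload is constructed.

function New-Raid5Stripes {
    # Returns one layout per stripe; layout[d] is the byte block stored on drive d.
    param([Parameter(Mandatory)][byte[]]$Data, [int]$Drives = 3, [int]$BlockSize = 4)
    $perStripe = ($Drives - 1) * $BlockSize
    $stripes = @()
    $stripeNo = 0
    for ($off = 0; $off -lt $Data.Length; $off += $perStripe) {
        $blocks = @()
        for ($d = 0; $d -lt $Drives - 1; $d++) {
            $blk = New-Object byte[] $BlockSize
            for ($b = 0; $b -lt $BlockSize; $b++) {
                $i = $off + $d * $BlockSize + $b
                if ($i -lt $Data.Length) { $blk[$b] = $Data[$i] }   # zero-padded tail
            }
            $blocks += ,$blk
        }
        $parity = New-Object byte[] $BlockSize
        foreach ($blk in $blocks) {
            for ($b = 0; $b -lt $BlockSize; $b++) { $parity[$b] = $parity[$b] -bxor $blk[$b] }
        }
        # Distributed parity: stripe 0 keeps parity on the last drive, stripe 1 on the one before, ...
        $parityDrive = ($Drives - 1) - ($stripeNo % $Drives)
        $layout = New-Object object[] $Drives
        $next = 0
        for ($d = 0; $d -lt $Drives; $d++) {
            if ($d -eq $parityDrive) { $layout[$d] = $parity } else { $layout[$d] = $blocks[$next]; $next++ }
        }
        $stripes += ,$layout
        $stripeNo++
    }
    return ,$stripes
}

function Restore-Raid5Block {
    # Rebuilds the block a failed drive held in one stripe: XOR of every surviving block.
    param([Parameter(Mandatory)][object[]]$Layout, [Parameter(Mandatory)][int]$FailedDrive)
    $size = $Layout[($FailedDrive + 1) % $Layout.Count].Length
    $rebuilt = New-Object byte[] $size
    for ($d = 0; $d -lt $Layout.Count; $d++) {
        if ($d -eq $FailedDrive) { continue }
        for ($b = 0; $b -lt $size; $b++) { $rebuilt[$b] = $rebuilt[$b] -bxor $Layout[$d][$b] }
    }
    return ,$rebuilt
}

$payload = [System.Text.Encoding]::ASCII.GetBytes('constructed payload: ABCDEFGH')
$stripes = New-Raid5Stripes -Data $payload -Drives 3 -BlockSize 4
$failed  = 1
$k = 0
foreach ($stripe in $stripes) {
    $rebuilt = Restore-Raid5Block -Layout $stripe -FailedDrive $failed
    $match = (($stripe[$failed] -join ',') -eq ($rebuilt -join ','))
    "stripe $k : drive $failed rebuilt from the other drives, matches original = $match"
    $k++
}
```

Losing a second drive in the same stripe leaves two unknowns in one XOR equation, which is the limit the table describes for RAID 5; the mirrored levels (RAID 1, 0/1, 1/0) avoid the arithmetic entirely at the cost of the doubled capacity listed under their weaknesses.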

AD, Win2K, and WS2K3 Monitoring Considerations


A functioning, modern Windows network is a complex mesh of relationships and dependencies involving a variety of different systems and services, including AD, DNS, the GC, and operations master servers. Running an effective Windows network means having a handle of every aspect of your network environment at all times. It?s no surprise that the primary monitoring consideration in Windows is AD and its related services and components. This includes? responsiveness to DNS and LDAP queries, AD inter-site and intra-site replication, and a special Windows service called the Knowledge Consistency Checker (KCC). In addition, the health and availability of services such as DNS, the GC, and Dfs are also important. (The KCC is a special Windows service that automatically generates AD?s replication topology and ensures that all domain controllers on the network participate in replication ) However, knowing what metrics to monitor is only a first step. By far, the most important and complex aspect of monitoring network health and performance isn?t related to determining what to monitor but rather how to digest the raw data collected from the array of metrics and make? useful determinations from that data. For example, although it would be possible to collect data on several dozen metrics (via Performance Monitor) related to AD replication, simply having this information at hand doesn?t tell you how to interpret the data or what you should? consider acceptable tolerance ranges for each metric. A useful monitoring system not only collects raw data but also understands the interrelation of that data and how to use the information to identify problems on the network. This kind of artificial intelligence represents the true value of network? monitoring software. In order to ensure the health and availability of AD as well as other critical Windows network services, organizations will need to regularly monitor a number of different services and components. 
Category: Domain controllers/AD
Potential problems:
- Low CPU or memory resources on domain controllers
- Low disk space on volumes housing the Sysvol folder, the AD database (NTDS.DIT) file, and/or the AD transactional log files
- Slow or broken connections between domain controllers
- Slow or failed client network logon authentication requests
- Slow or failed LDAP query responses
- Slow or failed Key Distribution Center (KDC) requests
- Slow or failed AD synchronization requests
- NetLogon (LSASS) service not functioning properly
- Directory Service Agent (DSA) service not functioning properly
- KCC not functioning properly
- Excessive number of SMB connections
- Insufficient RID allocation pool size on local server
- Problems with transitive or external trusts to Win2K or down-level NT domains
- Low AD cache hit rate for name resolution queries (as a result of inefficient AD design)

Category: Replication
Potential problems:
- Failed replication (due to domain controller or network connectivity problems)
- Slow replication
- Replication topology invalid/incomplete (lacks transitive closure/consistency)
- Replication using excessive network bandwidth
- Too many properties being dropped during replication
- Update Sequence Number (USN) update failures
- Other miscellaneous replication-related failure events

Category: GC
Potential problems:
- Slow or failed GC query responses
- GC replication failures

Category: DNS
Potential problems:
- Missing or incorrect SRV records for domain controllers
- Slow or failed DNS query responses
- DNS server zone file update failures

Category: Operation masters (FSMOs)
Potential problems:
- Inaccessibility of one or more operation master (FSMO) servers
- Forest or domain-centric operation master roles not consistent across domain controllers within the domain/forest
- Slow or failed role master responses

Category: Miscellaneous problems
Potential problems:
- Low-level network connectivity problems
- TCP/IP routing problems
- DHCP IP address allocation pool shortages
- WINS server query or replication failures (for legacy NetBIOS systems and applications)
- Naming context lost and found items exist
- Application or service failures or performance problems
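The following PowerShell script is an added example, not part of the original page, that turns three rows of the table above (disk space on the volumes holding NTDS.DIT, the transaction logs and SYSVOL; inbound replication failures; missing DC SRV records) into a check you can schedule on a domain controller. It assumes the ActiveDirectory and DnsClient modules from RSAT, that it runs on a DC with rights to read replication metadata, and the thresholds are assumptions you would tune for your environment.

```powershell
# Added example (not from the original page): a small DC health check covering disk space,
# inbound replication failures and DC SRV records. Thresholds below are assumptions.
Import-Module ActiveDirectory

$minFreeMB      = 1024   # assumed threshold: report volumes with less than 1 GB free
$maxRepFailures = 0      # assumed threshold: any consecutive replication failure is reported

$findings = New-Object System.Collections.Generic.List[string]

# 1. Volumes that host the AD database, its log files and SYSVOL.
#    On a DC the paths are recorded in these registry values.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nlParams   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$paths = @($ntdsParams.'DSA Database file', $ntdsParams.'Database log files path', $nlParams.SysVol) |
    Where-Object { $_ }

foreach ($path in $paths) {
    $drive = [System.IO.Path]::GetPathRoot($path).TrimEnd('\')      # e.g. "C:"
    $disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk) { continue }
    $freeMB = [math]::Round($disk.FreeSpace / 1MB)
    if ($freeMB -lt $minFreeMB) {
        $findings.Add("Low disk space on $drive ($freeMB MB free), which hosts $path")
    }
}

# 2. Inbound replication failures this DC has recorded (partner, first failure, error type).
foreach ($f in Get-ADReplicationFailure -Target $env:COMPUTERNAME) {
    if ($f.FailureCount -gt $maxRepFailures) {
        $findings.Add("Replication from $($f.Partner) failing since $($f.FirstFailureTime): " +
                      "$($f.FailureType), $($f.FailureCount) consecutive failures")
    }
}

# 3. Every DC in the domain should be advertised under _ldap._tcp.dc._msdcs.<domain>;
#    a DC missing here cannot be located by clients even if it is healthy.
$domainDns  = (Get-ADDomain).DNSRoot
$srv        = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainDns" -Type SRV -ErrorAction SilentlyContinue
$advertised = @($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget.ToLower() })
foreach ($dc in Get-ADDomainController -Filter *) {
    if ($advertised -notcontains $dc.HostName.ToLower()) {
        $findings.Add("No _ldap._tcp.dc._msdcs SRV record for $($dc.HostName)")
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script reports rather than repairs: the table's point is that raw metrics need interpretation, so each finding names the partner, path or record involved so that an operator can decide whether it is within tolerance.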

Global Catalog
Because AD is the central component of a Windows network, network clients and servers frequently query it. In order to increase the availability of AD data on the network as well as the efficiency of directory object queries from clients, AD includes a service known as the GC. The GC is a separate database from AD and contains a partial, read-only replica of all the directory objects in the entire AD forest. Only Windows servers acting as domain controllers can be configured as GC servers. By default, the first domain controller in a Windows forest is automatically configured to be a GC server (this designation can be moved later to a different domain controller if desired; however, every forest must contain at least one GC). Like AD, the GC uses replication in order to ensure updates between the various GC servers within a domain or forest. In addition to being a repository of commonly queried AD object attributes, the GC plays two primary roles on a Windows network:

Network logon authentication: In native-mode domains (networks in which all domain controllers have been upgraded to Win2K or later, and the domain's functional level has been manually set to the appropriate level), the GC facilitates network logons for AD-enabled clients. It does so by providing universal group membership information to the account sending the logon request to a domain controller. This applies not only to regular users but also to every type of object that must authenticate to AD (including computers). In multi-domain networks, at least one domain controller acting as a GC must be available in order for users to log on. Another situation that requires a GC server occurs when a user attempts to log on with a user principal name (UPN) other than the default.
If a GC server is not available in these circumstances, users will only be able to log on to the local computer (the one exception is members of the domain administrators group, who do not require a GC server in order to log on to the network).

Directory searches and queries: With AD, read requests such as directory searches and queries by far tend to outweigh write-oriented requests such as directory updates (for example, by an administrator or during replication). The majority of AD-related network traffic is comprised of requests from users, administrators, and applications about objects in the directory. As a result, the GC is essential to the network infrastructure because it allows clients to quickly perform searches across all domains within a forest. (Although mixed-mode Win2K domains do not require the GC for the network logon authentication process, GCs are still important in facilitating directory queries and searches on these networks and should therefore be made available at each site within the network.)
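As an added example (not code from the original page), the PowerShell below checks the two GC placement points the text makes: that each site containing domain controllers also has a GC, so logons and UPN lookups there do not depend on a WAN link, and, in a forest with more than one domain, that the Infrastructure Master is not on a GC unless every DC in its domain is one (an Infrastructure Master on a GC never sees the stale cross-domain references it is supposed to fix). It assumes the ActiveDirectory module from RSAT and read access to every domain in the forest.

```powershell
# Added example (not from the original page): GC coverage per site and
# Infrastructure Master placement across the forest. Assumes RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
# Collect every DC in every domain of the forest with its site, GC flag and FSMO roles.
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }

# 1. Sites with DCs but no GC: logons there must reach a GC elsewhere.
$dcs | Group-Object Site | ForEach-Object {
    $gcCount = @($_.Group | Where-Object { $_.IsGlobalCatalog }).Count
    [pscustomobject]@{
        Site    = $_.Name
        DCs     = $_.Count
        GCs     = $gcCount
        Finding = if ($gcCount -eq 0) { 'No GC in this site; logons depend on a remote GC' } else { '' }
    }
} | Format-Table -AutoSize

# 2. Infrastructure Master on a GC is only a problem when the forest has several domains
#    and the IM's domain still has DCs that are not GCs.
if ($forest.Domains.Count -gt 1) {
    foreach ($d in $forest.Domains) {
        $im   = (Get-ADDomain -Identity $d).InfrastructureMaster
        $imDc = $dcs | Where-Object { $_.HostName -eq $im }
        if ($imDc -and $imDc.IsGlobalCatalog) {
            $nonGcInDomain = @($dcs | Where-Object { $_.Domain -eq $d -and -not $_.IsGlobalCatalog })
            if ($nonGcInDomain.Count -gt 0) {
                "$d : Infrastructure Master $im is a GC while $($nonGcInDomain.Count) DC(s) in the domain are not; " +
                "cross-domain references on those DCs will not be updated"
            }
        }
    }
}
```

Run it from any forest member with RSAT; the first table is the one to look at after adding a new site, the second after moving FSMO roles or promoting a DC to GC.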

' Joins the local computer to a domain and creates the computer's account in Active Directory.
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144

' Credentials are hard-coded only for this sample.
strDomain = "techiebird"
strPassword = "ls4k5ywA"
strUser = "shenalan"
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
    strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & _
    strComputer & "'")
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
    strPassword, strDomain & "\" & strUser, Null, _
    JOIN_DOMAIN + ACCT_CREATE)
WScript.Echo "JoinDomainOrWorkGroup returned: " & ReturnValue   ' 0 means success

' Identifies the Active Directory domain controllers providing the five FSMO roles:
' Schema Master, Domain Naming Master, PDC Emulator, RID Master, and Infrastructure Master.
' Each fSMORoleOwner attribute holds the DN of a server's NTDS Settings object,
' whose parent is the server object itself.
Set objRootDSE = GetObject("LDAP://rootDSE")

Set objSchema = GetObject _
    ("LDAP://" & objRootDSE.Get("schemaNamingContext"))
strSchemaMaster = objSchema.Get("fSMORoleOwner")
Set objNtds = GetObject("LDAP://" & strSchemaMaster)
Set objComputer = GetObject(objNtds.Parent)
WScript.Echo "Forest-wide Schema Master FSMO: " & objComputer.Name
Set objNtds = Nothing
Set objComputer = Nothing

Set objPartitions = GetObject("LDAP://CN=Partitions," & _
    objRootDSE.Get("configurationNamingContext"))
strDomainNamingMaster = objPartitions.Get("fSMORoleOwner")
Set objNtds = GetObject("LDAP://" & strDomainNamingMaster)
Set objComputer = GetObject(objNtds.Parent)
WScript.Echo "Forest-wide Domain Naming Master FSMO: " & objComputer.Name

Set objDomain = GetObject _
    ("LDAP://" & objRootDSE.Get("defaultNamingContext"))
strPdcEmulator = objDomain.Get("fSMORoleOwner")
Set objNtds = GetObject("LDAP://" & strPdcEmulator)
Set objComputer = GetObject(objNtds.Parent)
WScript.Echo "Domain's PDC Emulator FSMO: " & objComputer.Name

Set objRidManager = GetObject("LDAP://CN=RID Manager$,CN=System," & _
    objRootDSE.Get("defaultNamingContext"))
strRidMaster = objRidManager.Get("fSMORoleOwner")
Set objNtds = GetObject("LDAP://" & strRidMaster)
Set objComputer = GetObject(objNtds.Parent)
WScript.Echo "Domain's RID Master FSMO: " & objComputer.Name

Set objInfrastructure = GetObject("LDAP://CN=Infrastructure," & _
    objRootDSE.Get("defaultNamingContext"))
strInfrastructureMaster = objInfrastructure.Get("fSMORoleOwner")
Set objNtds = GetObject("LDAP://" & strInfrastructureMaster)
Set objComputer = GetObject(objNtds.Parent)
WScript.Echo "Domain's Infrastructure Master FSMO: " & objComputer.Name

' Moves a computer account from the Computers container in Active Directory
' to the Finance OU in the same domain (the RDN is kept, so this is a move only).
Set objNewOU = GetObject("LDAP://OU=Finance,DC=techiebird,DC=com")
Set objMoveComputer = objNewOU.MoveHere _
    ("LDAP://CN=atl-pro-03,CN=Computers,DC=techiebird,DC=com", "CN=atl-pro-03")

' Renames an Active Directory computer account. MoveHere into the same OU with a new RDN
' renames the object's CN; the sAMAccountName and dNSHostName attributes are not changed by this.
Set objNewOU = GetObject("LDAP://OU=Finance,DC=techiebird,DC=com")
Set objMoveComputer = objNewOU.MoveHere _
    ("LDAP://CN=atl-pro-037,OU=Finance,DC=techiebird,DC=com", _
    "CN=atl-pro-003")

' Demonstration script that creates a security group named Group1 and adds one thousand
' users (UserNo1 through UserNo1000) to that group. Not intended for a production environment.
Const ADS_PROPERTY_APPEND = 3
Set objRootDSE = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://cn=Users," & _
    objRootDSE.Get("defaultNamingContext"))
Set objGroup = objContainer.Create("Group", "cn=Group1")
objGroup.Put "sAMAccountName", "Group1"
objGroup.SetInfo
For i = 1 To 1000
    strDN = ",cn=Users," & objRootDSE.Get("defaultNamingContext")
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
        Array("cn=UserNo" & i & strDN)
    objGroup.SetInfo
Next
WScript.Echo "Group1 created and 1000 Users added to the group."

' Enumerates trust relationships (run on a domain controller; uses the
' Microsoft_DomainTrustStatus WMI class in root\MicrosoftActiveDirectory).
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\MicrosoftActiveDirectory")
Set colTrustList = objWMIService.ExecQuery _
    ("Select * from Microsoft_DomainTrustStatus")
For Each objTrust In colTrustList
    WScript.Echo "Trusted domain: " & objTrust.TrustedDomain
    WScript.Echo "Trust direction: " & objTrust.TrustDirection
    WScript.Echo "Trust type: " & objTrust.TrustType
    WScript.Echo "Trust attributes: " & objTrust.TrustAttributes
    WScript.Echo "Trusted domain controller name: " & objTrust.TrustedDCName
    WScript.Echo "Trust status: " & objTrust.TrustStatus
    WScript.Echo "Trust is OK: " & objTrust.TrustIsOK
Next

' Returns a list of pending replication jobs on a domain controller.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\MicrosoftActiveDirectory")
Set colReplicationOperations = objWMIService.ExecQuery _
    ("Select * from MSAD_ReplPendingOp")
If colReplicationOperations.Count = 0 Then
    WScript.Echo "There are no replication jobs pending."
    WScript.Quit
Else
    For Each objReplicationJob In colReplicationOperations
        WScript.Echo "Serial number: " & objReplicationJob.SerialNumber
        WScript.Echo "Time in queue: " & objReplicationJob.TimeEnqueued
        WScript.Echo "DSA DN: " & objReplicationJob.DsaDN
        WScript.Echo "DSA address: " & objReplicationJob.DsaAddress
        WScript.Echo "Naming context DN: " & objReplicationJob.NamingContextDn
    Next
End If

' Creates a new organizational unit within Active Directory.
Set objDomain = GetObject("LDAP://dc=techiebird,dc=com")
Set objOU = objDomain.Create("organizationalUnit", "ou=Management")
objOU.SetInfo

' Changes the password for a user. Requires you to know the user's previous password.
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=techiebird,dc=com")
objUser.ChangePassword "i5A2sj*!", "jl3R86df"

' Identifies the last time a user password was changed.
Set objUser = GetObject _
    ("LDAP://CN=myerken,OU=management,DC=techiebird,DC=com")
dtmValue = objUser.PasswordLastChanged
WScript.Echo "Password last changed: " & dtmValue

' Returns basic account information for the MyerKen Active Directory user account.
On Error Resume Next
Set objUser = GetObject _
    ("LDAP://cn=Myerken,ou=Management,dc=NA,dc=techiebird,dc=com")
WScript.Echo "User Principal Name: " & objUser.userPrincipalName
WScript.Echo "SAM Account Name: " & objUser.sAMAccountName
WScript.Echo "User Workstations: " & objUser.userWorkstations
Set objDomain = GetObject("LDAP://dc=NA,dc=techiebird,dc=com")
WScript.Echo "Domain controller: " & objDomain.dc

' Creates a user account in Active Directory. This script only creates the account; it does not enable it.
Set objOU = GetObject("LDAP://OU=management,dc=techiebird,dc=com")
Set objUser = objOU.Create("User", "cn=MyerKen")
objUser.Put "sAMAccountName", "myerken"
objUser.SetInfo

How can we manually delete a server object from the Active Directory database in case of a bad DCPROMO procedure?
The DCPROMO (Dcpromo.exe) utility is used for promoting a server to a domain controller and demoting a domain controller to a member server (or to a standalone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the DCPROMO utility removes the configuration data for the domain controller from the Active Directory. This data takes the form of an "NTDS Settings" object, which exists as a child to the server object in the Active Directory Sites and Services Manager.

The information is in the following location in the Active Directory: CN=NTDS Settings,CN=<servername>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,DC=<domain>... The attributes of the NTDS Settings object include data representing how the domain controller is identified in respect to its replication partners, the naming contexts that are maintained on the machine, whether or not the domain controller is a Global Catalog server, and the default query policy. The NTDS Settings object is also a container that may have child objects that represent the domain controller's direct replication partners. This data is required for the domain controller to operate within the environment, but is retired upon demotion. In the event that the NTDS Settings object is not removed properly (for example, after a failed demotion attempt), the administrator can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. The following steps list the procedure for removing the NTDS Settings object in the Active Directory for a given domain controller. At each NTDSUTIL menu, the administrator can type help for more information about the available options. Caution: The administrator should also check that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the NTDSUTIL utility improperly can result in partial or complete loss of Active Directory functionality.
Procedure

1. Click Start, point to Programs, point to Accessories, and then click Command Prompt. At the command prompt, type ntdsutil and then press ENTER.
2. Type metadata cleanup and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters need to be specified before the removal can occur.
3. Type connections and press ENTER. This menu is used to connect to the specific server on which the changes occur. If the currently logged on user does not have administrative permissions, alternate credentials can be supplied by specifying the credentials to use before making the connection. To do so, type set creds <domain name> <username> <password> and press ENTER. For a null password, type null for the password parameter.
4. Type connect to server <servername> and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server.
   Note: If you connect to the same server that you want to delete, the removal in step 14 may fail with the following error message: Error 2094. The DSA Object cannot be deleted 0x2094
   Note: Windows Server 2003 Service Pack 1 eliminates the need for steps 3 and 4.
5. Type quit and then press ENTER. The Metadata Cleanup menu appears.
6. Type select operation target and press ENTER.
7. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
8. Type select domain <number> and press ENTER, where <number> is the number associated with the domain of which the server you are removing is a member. The domain you select is used to determine if the server being removed is the last domain controller of that domain.
9. Type list sites and press ENTER. A list of sites, each with an associated number, is displayed.
10. Type select site <number> and press ENTER, where <number> is the number associated with the site of which the server you are removing is a member. You should receive a confirmation listing the site and domain you chose.
11. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
12. Type select server <number> and press ENTER, where <number> is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name Server (DNS) host name, and the location of the server's computer account you want to remove.
13. Type quit and press ENTER. The Metadata Cleanup menu appears.
14. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message: Error 8419 (0x20E3) The DSA object could not be found, the NTDS Settings object may already have been removed from the Active Directory, either by another administrator or through replication of a successful removal after running the DCPROMO utility.
    Note: You may also see this error when you attempt to bind to the domain controller that is going to be removed. Ntdsutil needs to bind to a domain controller other than the one that is going to be removed with metadata cleanup.
15. Type quit at each menu to quit the NTDSUTIL utility. You should receive confirmation that the connection disconnected successfully.
16. Remove the cname record in the _msdcs.<root domain of forest> zone in DNS. Assuming that the DC is going to be reinstalled and re-promoted, a new NTDS Settings object is created with a new globally unique identifier (GUID) and a matching cname record in DNS. You do not want the DCs that exist to use the old cname record. As a best practice you should also delete the hostname and other DNS records. If the remaining lease time on the Dynamic Host Configuration Protocol (DHCP) address assigned to the offline server is exceeded, another client can obtain the IP address of the problem DC.

Now that the NTDS Settings object has been deleted, delete the following objects:

1. Use ADSIEdit to delete the computer account in OU=Domain Controllers,DC=domain... Note: The FRS subscriber object is deleted when the computer object is deleted, since it is a child of the computer account.
2. Use ADSIEdit to delete the FRS member object in CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,...
3. In the DNS console, use the DNS MMC to delete the cname (also known as the Alias) record in the _msdcs container.
4. In the DNS console, use the DNS MMC to delete the A (also known as the Host) record in DNS.
5. If the deleted computer was the last domain controller in a child domain and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child in CN=System,DC=domain,DC=domain (the domain naming context).
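The metadata cleanup above leaves several objects and DNS records to remove by hand, and the caution before the procedure asks you to confirm replication has converged. The PowerShell below is an added example (not part of the original article) that verifies the outcome for one removed DC: it reports which of the NTDS Settings, server, computer, FRS member objects, replication links and DNS records still exist, and deletes nothing. The server and site names are placeholders; it assumes the ActiveDirectory and DnsServer modules from RSAT and that it runs on a DC that also hosts the DNS zones (otherwise add -ComputerName to the DNS calls).

```powershell
# Added example (not from the original page): post-cleanup verification for a removed DC.
# Reports leftovers only; nothing is deleted. Server/site names are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer          # Get-DnsServerResourceRecord (RSAT DNS Server Tools)

$server = 'OLD-DC01'                    # placeholder: DC whose metadata was removed
$site   = 'Default-First-Site-Name'     # placeholder: the site it belonged to

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$configNC  = (Get-ADRootDSE).configurationNamingContext
$msdcsZone = "_msdcs.$((Get-ADForest).RootDomain)"   # CNAME records for all DCs live here

$leftovers = New-Object System.Collections.Generic.List[string]

function Test-ADLeftover([string]$label, [string]$dn) {
    # Get-ADObject throws for a missing DN; SilentlyContinue turns that into $null
    if (Get-ADObject -Identity $dn -ErrorAction SilentlyContinue) {
        $leftovers.Add("$label still present: $dn")
    }
}

# Objects the procedure removes, in the order it lists them
Test-ADLeftover 'NTDS Settings object' "CN=NTDS Settings,CN=$server,CN=Servers,CN=$site,CN=Sites,$configNC"
Test-ADLeftover 'Server object'        "CN=$server,CN=Servers,CN=$site,CN=Sites,$configNC"
Test-ADLeftover 'Computer account'     "CN=$server,OU=Domain Controllers,$domainDN"
Test-ADLeftover 'FRS member object'    "CN=$server,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDN"

# Replication links: any DC in the domain still naming the removed server as an inbound partner
Get-ADReplicationPartnerMetadata -Target $domain.DNSRoot -Scope Domain -Partition * -ErrorAction SilentlyContinue |
    Where-Object { $_.Partner -like "*CN=$server,CN=Servers,*" } |
    ForEach-Object { $leftovers.Add("$($_.Server) still lists $server as a replication partner for $($_.Partition)") }

# DNS: the GUID CNAME in _msdcs.<forest root> that aliases the old host, and its A record
Get-DnsServerResourceRecord -ZoneName $msdcsZone -RRType CName -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordData.HostNameAlias -like "$server.*" } |
    ForEach-Object { $leftovers.Add("CNAME $($_.HostName).$msdcsZone still points to $($_.RecordData.HostNameAlias)") }
if (Resolve-DnsName -Name "$server.$($domain.DNSRoot)" -Type A -ErrorAction SilentlyContinue) {
    $leftovers.Add("A record for $server.$($domain.DNSRoot) still resolves")
}

if ($leftovers.Count -eq 0) { "No leftovers found for $server." } else { $leftovers }
```

Run it once right after the cleanup and again after a replication cycle: a leftover that disappears on the second run was simply not replicated yet, while one that persists is an object you still have to delete with ADSIEdit or the DNS console as the list above describes.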

Netdom Guide
Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). You can use netdom to:

Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.
 o Provide an option to specify the organizational unit (OU) for the computer account.
 o Generate a random computer password for an initial Join operation.

Manage computer accounts for domain member workstations and member servers. Management operations include:
 o Add, Remove, Query.
 o An option to specify the OU for the computer account.
 o An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account.

Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
 o From a Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domain to a Windows NT 4.0 domain.
 o From a Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domain to a Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domain in another enterprise.
 o Between two Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domains in an enterprise (a shortcut trust).
 o The Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 Server half of an interoperable Kerberos protocol realm.

Verify or reset the secure channel for the following configurations:
 o Member workstations and servers.
 o Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
 o Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas.

Manage trust relationships between domains, including the following operations:
 o Enumerate trust relationships (direct and indirect).
 o View and change some attributes on a trust.

Syntax
Netdom uses the following general syntaxes:
NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>] NetDom help <Operation>

Commands

Netdom add - Adds a workstation or server account to the domain.

Netdom computername - Manages the primary and alternate names for a computer. This command can safely rename Active Directory domain controllers as well as member servers.

Netdom join - Joins a workstation or member server to a domain. The act of joining a computer to a domain creates an account for the computer on the domain, if it does not already exist.

Netdom move - Moves a workstation or member server to a new domain. The act of moving a computer to a new domain creates an account for the computer on the domain, if it does not already exist.

Netdom query - Queries the domain for information such as membership and trust.

Netdom remove - Removes a workstation or server from the domain.

Netdom movent4bdc - Renames a Windows NT 4.0 backup domain controller to reflect a domain name change. This can assist in Windows NT 4.0 domain renaming efforts.

Netdom renamecomputer - Renames a domain computer and its corresponding domain account. Use this command to rename domain workstations and member servers only. To rename domain controllers, use the netdom computername command.

Netdom reset - Resets the secure connection between a workstation and a domain controller.

Netdom resetpwd - Resets the computer account password for a domain controller.

Netdom trust - Establishes, verifies, or resets a trust relationship between domains.

Netdom verify - Verifies the secure connection between a workstation and a domain controller.

Remarks

A trust relationship is a defined affiliation between domains that enables pass-through authentication. A one-way trust relationship between two domains means that one domain (the trusting domain) allows users who have accounts in the other domain (the trusted domain) access to its resources. The one-way trust relationship described here is helpful in master domain models, but it is not the only kind of trust relationship. When two one-way trusts are established between domains, it is known as a two-way trust. In two-way trusts, each domain treats the users from the trusted (and trusting) domain as its own users. By default, only the result of an operation is reported. For example, if you use the Join operation, you see output similar to the following:
success: mywksta joined to mycompany domain

If you specify the /verbose parameter, the output lists the success or failure of each transaction that is necessary to perform the operation. For example, this time when you use the Join operation, you see output similar to the following:
success: adding machine account for mywksta to mycompany domain
success: configuring lsa on mywksta
success: mywksta joined to mycompany domain

The /reboot parameter specifies that the computer being acted upon by the specified netdom operation is shut down and automatically rebooted after the completion of the operation. When you specify the /reboot parameter, the following message and a countdown timer display on the workstation screen, prior to the Restart operation:
The system is shutting down. Please save all work in progress and logoff. Any unsaved changes will be lost. This shutdown was initiated because the domain which this machine belongs to was changed by nnn.

For nnn, netdom substitutes the name of the administrator that you enter by using the /uo parameter. The default delay before the computer restarts is 20 seconds.
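The checks behind netdom verify, netdom reset and netdom query trust can also be run from PowerShell, which makes it easier to review every trust at once. The script below is an added example (not part of the original netdom guide): it tests and, if needed, repairs the local computer's secure channel, runs the equivalent netdom verify for comparison, and then lists each trust with the attributes that decide how much the other side is trusted (direction, forest transitivity, selective authentication, SID filtering). It assumes the ActiveDirectory module from RSAT; the repair step needs an account allowed to reset the computer account.

```powershell
# Added example (not from the original page): secure channel check/repair and a trust review.
Import-Module ActiveDirectory

# 1. Secure channel of this machine to its domain (what netdom verify / netdom reset do)
$channelOk = Test-ComputerSecureChannel
"Secure channel from $env:COMPUTERNAME to $env:USERDNSDOMAIN OK: $channelOk"
if (-not $channelOk) {
    # Re-establishes the channel and resets the machine account password, like netdom reset
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential -Message 'Account for secure channel repair')
}
# The same verification with the tool documented in this section, transaction by transaction:
netdom verify $env:COMPUTERNAME "/domain:$env:USERDNSDOMAIN" /verbose

# 2. Trust inventory. Direction is from this domain's point of view: Outbound and
#    BiDirectional trusts let the other domain's users authenticate here.
Get-ADTrust -Filter * | ForEach-Object {
    $external = -not $_.IntraForest -and -not $_.ForestTransitive   # external (non-forest) trust
    [pscustomobject]@{
        Trust         = $_.Name
        Direction     = $_.Direction
        ForestTrust   = $_.ForestTransitive
        SelectiveAuth = $_.SelectiveAuthentication
        SIDFiltering  = $_.SIDFilteringQuarantined
        Finding       = if ($external -and -not $_.SIDFilteringQuarantined) {
                            'External trust without SID filtering (quarantine) set'
                        } elseif ($_.Direction -ne 'Inbound' -and -not $_.SelectiveAuthentication) {
                            'Domain-wide authentication for the other domain (no selective authentication)'
                        } else { '' }
    }
} | Format-Table -AutoSize
```

Both findings map onto attributes that netdom trust can change (/Quarantine and /SelectiveAuth on the trust), so the table doubles as the checklist for reviewing a trust created with netdom.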

Replmon.exe Command
Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its command line counterparts. The purpose of this document is to guide you in how to use it, list some common replication errors and show some examples of when replication issues can stop other network installation actions.

Symptoms of Replication Faults

Failure to extend the schema. The Active Directory schema has to be extended for many reasons. Two of the most common are:
 o When installing an Exchange 200x server (by running setup.exe /forestprep and /domainprep)
 o When adding a 2003 Domain Controller to a Windows 2000 Active Directory network (by running adprep /forestprep and /domainprep).
If there is a replication issue with any of the domain controllers on the Schema partition, the Schema will not allow any extension.

Failure to DCPromo a new Domain Controller. When installing a new Domain Controller, the wizard waits until Active Directory is fully synchronised before continuing. Replication issues would cause this to hang at this point. (Although it can be forced to wait until later, this would only put off the problem.)

Installation of Active Directory aware software. Software that creates a new user account per network or writes to the Active Directory could fail or produce ambiguous errors when replication issues exist on the network.

Any recent warnings or errors in the File Replication Service log in Event Viewer.

Any recent NTDS Replication Errors in the Directory Service log in Event Viewer.

How to Use Replmon

To use Replmon, log on to a Domain Controller, select Start|Run, type Replmon, and click OK. You will be presented with the following screen:

Right click on the Monitored Servers icon and select Add Monitored Server... Select the Search the directory for the server to add radio button. Ensure the correct domain populates in drop down list, and click Next.

Select an appropriate server from the list of Domain Controllers


If you know you are experiencing issues with a particular domain controller, choose that server. If you are checking general replication, or are not sure where the fault lies, choose the Forest Root. On larger networks, you will need to choose more than one server depending on the replication topology. (For information on viewing the replication topology, see Appendix A) and click Finish.

If your Active Directory contains only Windows 2000 domain controllers, you will see three Directory partitions.

If your Active Directory Forest Root is Windows 2003 you will see five Directory partitions.

By expanding the + on each directory partition you will be able to see each of the server's replication partners. Selecting one on the left shows the last replication attempt in the right hand pane.

If there are any replication issues the partitions on the domain controller the server cannot replicate with will show a red x.

Highlighting one of the problem replication partner servers will then show more verbose error messages in the logs pane explaining why it could not replicate.

Troubleshooting Replication Issues

Step 1: Check validity of replication partners
Perhaps an obvious step, but there can be replication issues when there are servers present in the replication topology that are no longer connected to the network. Look for replication agreements with non-existent servers, servers that have been forcibly removed from the domain or are simply turned off.

Step 2: Force replication
The last scheduled replication attempt could have failed for unaccountable reasons, but the failure cause may no longer be an issue. Get an accurate current understanding of the situation by right clicking on the replication partner server in each of the partitions and selecting Synchronise with this Replication Partner. Then refresh the Tree view by pressing F5. Re-check the replication status in the right hand logs pane.

Step 3: General IP checks
Doesn't matter if you've done them, do them all again now! From a command prompt:

Can you ping the IP address of the destination server? e.g. ping 192.168.3.201
If not: The issue will either be hardware (cable, switch, NIC; check all physical connections) or incorrect configuration of a server's (either destination or host server) IP details. Check the NIC's IP address and Subnet Mask.

Can you ping the NetBIOS name of the destination server? e.g. ping Replicadc1
If not: The issue will be a name resolution issue. Check there is an A host entry in the domain's Forward Lookup zone. Check the NIC IP properties and ensure the Forest Root IP is entered as the Preferred DNS Server.

Can you ping the FQDN of the destination server? e.g. ping Replicadc1.RMTDS.Internal
If not: The issue will be a DNS issue. Check as above; also check the NIC's IP Advanced Properties and ensure the correct DNS Suffix is being used. Open the DNS admin console and ensure there is a populated Forward Lookup zone for the domain.

Can you reverse lookup the IP of the destination server? e.g. ping -a 192.168.3.201
If not: You have a reverse lookup zone issue. Open the DNS admin console and check for the existence of a Reverse Lookup zone per Class C IP range, e.g. 10.0.0.x Subnet, 10.0.1.x Subnet. Check there is a valid PTR record for each of the Domain Controllers in the relevant Reverse Lookup zone.

Appendix A: Other Replmon functions
By right clicking the server you have selected to view Replication agreements from, you will see a range of options. A few of them are detailed below.

Update Status - This will recheck the replication status of the server. The time of the updated status is logged and displayed in the right hand pane.
Check Replication Topology - This will cause the Knowledge Consistency Checker (KCC) to recalculate the replication topology for the server.
Synchronize Each Directory Partition with All Servers - This will start immediate replication for all of the server's directory partitions with each replication partner.
Generate Status Report - Creates and saves a verbose status report in the form of a log file.
Show Domain Controllers in Domain - Shows a list of all known Domain Controllers.
Show Replication Topologies - Shows a graphical view of the replication topology. Click View on the menu and select Connection Objects only. Then right click each server, and select Show Intra/Inter-site connections.
Show Group Policy Object Status - Shows a list of all the Domain's Group Policies and their respective AD and Sysvol version numbers.
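Step 3 of the troubleshooting section is a ladder: each rung (IP, NetBIOS name, FQDN, reverse lookup) depends on the one below it, so the first rung that fails tells you which layer to fix. The PowerShell below is an added example (not from the original Replmon guide) that walks the ladder against one replication partner and then reads what the local DC records about that partner per partition, which is the information Replmon shows in its right hand pane after Step 2. The partner name and IP are placeholders; it assumes the ActiveDirectory and DnsClient modules from RSAT and that it runs on the DC that cannot replicate.

```powershell
# Added example (not from the original page): Step 3's connectivity ladder plus the
# per-partition replication status for one partner. Names/IPs below are placeholders.
Import-Module ActiveDirectory

$target    = 'Replicadc1'                 # placeholder: NetBIOS name of the partner DC
$targetIp  = '192.168.3.201'              # placeholder: its IP address
$domainDns = (Get-ADDomain).DNSRoot
$fqdn      = "$target.$domainDns"

# Each rung is a script block returning $true/$false; order matters.
$checks = [ordered]@{
    "ICMP to IP $targetIp"          = { Test-Connection -ComputerName $targetIp -Count 1 -Quiet -ErrorAction SilentlyContinue }
    "ICMP to NetBIOS name $target"  = { Test-Connection -ComputerName $target   -Count 1 -Quiet -ErrorAction SilentlyContinue }
    "ICMP to FQDN $fqdn"            = { Test-Connection -ComputerName $fqdn     -Count 1 -Quiet -ErrorAction SilentlyContinue }
    "PTR for $targetIp -> $target"  = {
        $ptr = Resolve-DnsName -Name $targetIp -Type PTR -ErrorAction SilentlyContinue
        [bool]($ptr | Where-Object { $_.NameHost -like "$target.*" })
    }
}

$firstFailure = $null
foreach ($name in $checks.Keys) {
    $ok = $false
    try { $ok = [bool](& $checks[$name]) } catch { $ok = $false }
    '{0,-40} {1}' -f $name, $(if ($ok) { 'OK' } else { 'FAIL' })
    if (-not $ok -and -not $firstFailure) { $firstFailure = $name }
}
if ($firstFailure) {
    # Same diagnosis as the text: first failing rung -> physical/IP, then name resolution,
    # then DNS suffix/forward zone, then reverse zone/PTR record.
    "First failing check: $firstFailure"
}

# What this DC has recorded about the partner for each naming context (Step 2's view)
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -PartnerType Inbound -Partition * |
    Where-Object { $_.Partner -like "*CN=$target,CN=Servers,*" } |
    Select-Object Partition, LastReplicationSuccess, LastReplicationAttempt,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

A non-zero LastReplicationResult with a recent LastReplicationAttempt and all four rungs passing points away from the network and toward the directory itself (for example a stale partner from Step 1), which is where Replmon's logs pane becomes the next stop.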

What is RPC ?
Microsoft Remote Procedure Call (RPC) is a powerful technology for creating distributed client/server programs. RPC is an interprocess communication technique that allows client and server software to communicate. The Microsoft RPC facility is compatible with the Open Group's Distributed Computing Environment (DCE) specification for remote procedure calls and is interoperable with other DCE-based RPC systems, such as those for HP-UX and IBM AIX UNIX-based operating systems. Computer operating systems and programs have steadily gotten more complex over the years. With each release, there are more features. The growing intricacy of systems makes it more difficult for developers to avoid errors during the development process. Often, developers create a solution for their system or application when a nearly identical solution has already been devised. This duplication of effort consumes time and money and adds complexity to already complex systems. RPC is designed to mitigate these issues by providing a common interface between applications. RPC serves as a go-between for client/server communications. RPC is designed to make client/server interaction easier and safer by factoring out common tasks, such as security, synchronization, and data flow handling, into a common library so that developers do not have to dedicate the time and effort to developing their own solutions.

Terms and Definitions


The following terms are associated with RPC.

Client
A process, such as a program or task, that requests a service provided by another program. The client process uses the requested service without having to deal with many working details about the other program or the service.

Server
A process, such as a program or task, that responds to requests from a client.

Endpoint
The name, port, or group of ports on a host system that is monitored by a server program for incoming client requests. The endpoint is a network-specific address of a server process for remote procedure calls. The name of the endpoint depends on the protocol sequence being used.

Endpoint Mapper (EPM)


Part of the RPC subsystem that resolves dynamic endpoints in response to client requests and, in some configurations, dynamically assigns endpoints to servers.

Client Stub
Module within a client application containing all of the functions necessary for the client to make remote procedure calls using the model of a traditional function call in a standalone application. The client stub is responsible for invoking the marshalling engine and some of the RPC application programming interfaces (APIs).

Server Stub
Module within a server application or service that contains all of the functions necessary for the server to handle remote requests using local procedure calls.

RPC Dependencies and Interactions


RPC is a client/server technology in the most generic sense. There is a sender and a receiver; data is transferred between them. This can be classic client/server (for example, Microsoft Outlook communicating with a server running Microsoft Exchange Server) or system services within the computer communicating with each other. The latter is especially common. Much of the Windows architecture is composed of services that communicate with each other to accomplish a task. Most services built into the Windows architecture use RPC to communicate with each other.

The following table briefly describes the services in Windows Server 2003 that depend on the RPC system service (RPCSS).

Services That Depend on RPCSS

Service - Description
Background Intelligent Transfer Service - Transfers data between clients and servers in the background.
COM+ Event System - Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components.
COM+ System Application - Manages the configuration and tracking of COM+-based components.
Cryptographic Services - Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates.
DHCP Server - Performs TCP/IP configuration for DHCP clients, including dynamic assignment of IP addresses, specification of the WINS and DNS servers, and connection-specific Domain Name System (DNS) names.
Distributed Link Tracking Client - Enables client programs to track linked files that are moved within an NTFS volume to another NTFS volume on the same computer or to an NTFS volume on another computer.
Distributed Link Tracking Server - Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain.
Distributed Transaction Coordinator - Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
DNS Server - Enables DNS clients to resolve DNS names by answering DNS queries and dynamic update requests.
Error Reporting Service - Collects, stores, and reports unexpected application failures to Microsoft.
File Replication Service - Allows files to be automatically copied and maintained simultaneously on multiple servers.
Help and Support - Enables Help and Support Center to run on the computer.
Human Interface Device Access - Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices.
Indexing Service - Indexes contents and properties of files on local and remote computers; provides rapid access to files through a flexible querying language.
IPSec Services - Provides end-to-end security between clients and servers on TCP/IP networks.
Kerberos Key Distribution Center - On domain controllers, enables users to log on to the network using the Kerberos authentication protocol.
Logical Disk Manager - Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration.
Logical Disk Manager Administrative Service - Configures hard disk drives and volumes.
Messenger - Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger.
Microsoft Software Shadow Copy Provider - Manages software-based volume shadow copies taken by the Volume Shadow Copy service.
Network Connections - Manages objects in the Network and Dial-Up Connections folder, in which you can view local area network (LAN) and remote connections.
Print Spooler - Manages all local and network print queues and controls all printing jobs.
Protected Storage - Protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users.
Remote Desktop Help Session Manager - Manages and controls Remote Assistance.
Remote Registry - Enables remote users to modify registry settings on a computer.
Removable Storage - Manages and catalogs removable media and operates automated removable media devices.
Resultant Set of Policy Provider - Enables a user to connect to a remote computer, access the Windows Management Instrumentation (WMI) database for that computer, and either verify the current Group Policy settings made for the computer or check settings before they are applied.
Routing and Remote Access - Enables multi-protocol LAN-to-LAN, LAN-to-wide area network (WAN), virtual private network (VPN), and network address translation (NAT) routing services for clients and servers on the network.
Security Accounts Manager - Upon startup, signals other services that the Security Accounts Manager (SAM) is ready to accept requests.
Shell Hardware Detection - Provides notifications for AutoPlay hardware events.
Task Scheduler - Enables a user to configure and schedule automated tasks on the computer.
Telephony - Provides Telephony API (TAPI) support for clients using programs that control telephony devices and IP-based voice connections.
Telnet - Enables a remote user to log on to a computer and run programs; supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers.
Terminal Services - Allows users to connect interactively to a remote computer. Remote Desktop, Fast User Switching, Remote Assistance, and Terminal Server depend on this service.
Terminal Services Session Directory - Enables a user connection request to be routed to the appropriate terminal server in a cluster.
Upload Manager - Manages the synchronous and asynchronous file transfers between clients and servers on the network.
Virtual Disk Service - Provides software volume and hardware volume management service.
Volume Shadow Copy - Manages and implements Volume Shadow Copies used for backup and other purposes.
Windows Audio - Manages audio devices for Windows-based programs.
Windows Image Acquisition (WIA) - Provides image acquisition services for scanners and cameras.
Windows Installer - Installs, repairs, and removes software according to instructions contained in .MSI files.
Windows Internet Name Service (WINS) - Resolves NetBIOS names for TCP/IP clients by locating network services that use NetBIOS names.
Windows Management Instrumentation - Provides a common interface and object model to access management information about operating system, devices, applications, and services. If this service is stopped, most Windows-based software will not function properly.
Wireless Configuration - Enables automatic configuration for IEEE 802.11 adapters.
WMI Performance Adapter - Provides performance library information from WMI providers to clients on the network.

Steps to Configure a New Global Catalog


The Global Catalog (GC) contains an entry for every object in an enterprise forest but only a few properties for each object. An entire forest shares a GC, with multiple servers holding copies. You can perform an enterprise-wide forest search only on the properties in the GC, whereas you can search for any property in a user's domain tree. Only Directory Services (DS) or Domain Controller (DC) servers can hold a copy of the GC. Configuring an excessive number of GCs in a domain wastes network bandwidth during replication. One GC server per domain in each physical location is sufficient. Windows NT sets servers as GCs as necessary, so you don't need to configure additional GCs unless you notice slow query response times. Because full searches involve querying the whole domain tree rather than the GC, grouping the enterprise into one tree will improve your searches. Thus, you can search for items not in the GC.

By default, the first DC in the First Domain in the First Tree in the AD Forest (the root domain) will be configured as the GC. You can configure another DC to become the GC, or even add it as another GC while keeping the first default one. A reason for such an action might be the need to place a GC in each AD Site. To configure a Windows 2000/2003 Domain Controller as a GC server, perform the following steps:

1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services Manager. (From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services Manager.)
2. Select the Sites branch.
3. Select the site that owns the server, and expand the Servers branch.
4. Select the server you want to configure.
5. Right-click NTDS Settings, and select Properties.
6. Select or clear the Global Catalog Server checkbox (shown in the screenshot).
7. Click Apply, OK.

You must allow for the GC to replicate itself throughout the forest. This process might take anywhere between 10-15 minutes to even several days, all depending on your AD infrastructure.
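The placement rule above (one GC per domain per site, no more than needed) and the NTDS Settings checkbox can both be driven from a script. The following PowerShell is an added example, not part of the original article or of any Microsoft tool: it uses the .NET System.DirectoryServices.ActiveDirectory classes to report which DCs hold the GC role in each site, and to enable the role on a named DC, which is the programmatic equivalent of ticking Global Catalog Server. The function names and the server name in the usage comment are my own; it assumes a domain-joined session with .NET 2.0 and rights to change the DC's NTDS Settings.

```powershell
# Added example, not from the original article. Assumes a domain-joined session
# with .NET 2.0 (System.DirectoryServices.ActiveDirectory) available.

function Get-GcCoverageBySite {
    # Reports, for every AD site, which DCs host the Global Catalog.
    # A site with no GC sends logons and forest-wide searches across the WAN; a site with
    # more GCs than domains spends replication bandwidth for little gain (the rule above).
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domainCount = $forest.Domains.Count

    # Group the forest's GCs by the site each one sits in.
    $gcsBySite = @{}
    foreach ($gc in $forest.GlobalCatalogs) {
        if (-not $gcsBySite.ContainsKey($gc.SiteName)) { $gcsBySite[$gc.SiteName] = @() }
        $gcsBySite[$gc.SiteName] += $gc.Name
    }

    foreach ($site in $forest.Sites) {
        $gcs = $gcsBySite[$site.Name]
        if ($null -eq $gcs) { $gcs = @() }
        $note = ''
        if ($gcs.Count -eq 0) { $note = 'no GC in this site' }
        elseif ($gcs.Count -gt $domainCount) { $note = 'more GCs than one per domain' }
        New-Object PSObject -Property @{
            Site    = $site.Name
            GcCount = $gcs.Count
            GCs     = ($gcs -join ', ')
            Note    = $note
        }
    }
}

function Enable-GlobalCatalogOn {
    param([Parameter(Mandatory=$true)][string]$DcName)   # e.g. 'dc2.petri.local' (constructed name)
    # Programmatic equivalent of ticking "Global Catalog Server" on the DC's NTDS Settings.
    $ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxType, $DcName
    $dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    if ($dc.IsGlobalCatalog()) {
        return "$($dc.Name) already holds the GC"
    }
    [void]$dc.EnableGlobalCatalog()
    # The role flag is set at once; the partial replicas of the other domains arrive through
    # replication, which the article notes can take from minutes to days.
    return "$($dc.Name) flagged as GC; confirm with IsGlobalCatalog() after replication"
}

# Usage (constructed names):
# Get-GcCoverageBySite | Format-Table Site, GcCount, GCs, Note -AutoSize
# Enable-GlobalCatalogOn -DcName 'dc2.petri.local'
```

Run Get-GcCoverageBySite before adding a GC: the Note column tells you which sites actually lack one, which is the case the article says justifies an extra GC.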

Manually Undeleting Objects in Active Directory

An administrator might sometimes need to restore deleted objects from the Active Directory database. When an object is deleted from Active Directory, it is not immediately erased, but is marked for future deletion. The marker used to designate that an AD object is scheduled to be destroyed is called a "tombstone". A tombstone is an object whose isDeleted property has been set to True; it indicates that the object has been deleted but not removed from the directory, much like a deleted file is removed from the file allocation table while the data is not actually removed from the drive. The directory service moves tombstoned objects to the Deleted Objects container, where they remain until the garbage collection process removes them. The length of time tombstoned objects remain in the directory service before being deleted is, by default, either 60 days for Windows 2000/2003 Active Directory or 180 days for Windows Server 2003 SP1 Active Directory. There are several methods of reanimating tombstoned objects in Active Directory. Some are listed in my "Recovering Deleted Items in Active Directory" article. Another method is to manually recover these items, a process called "reanimation". To manually undelete objects in the Deleted Objects container, follow these steps:

1. Click Start, click Run, and then type LDP.exe.

Note: If the LDP.exe utility is not installed, install the support tools from the Windows Server 2003 installation CD, or get them from the Windows 2003 SP1 Support Tools.

2. Use the Connection menu in LDP to perform the connect and bind operations to a Windows Server 2003 domain controller. Specify domain administrator credentials during the bind operation.

3. Click Options > Controls.

4. In the Load Predefined list, click Return Deleted Objects. Under Control Type, click Server, and then click OK.

5. Click View > Tree. Type the distinguished name path of the Deleted Objects container in the domain where the deletion occurred, and then click OK.

Note: The distinguished name path is also known as the DN path. For example, if the deletion occurred in the petri.local domain, the DN path would be the following path:
cn=deleted Objects,dc=petri,dc=local

6. In the left pane of the window, double-click the Deleted Objects container.

Note: An LDAP query returns only 1000 objects by default, so if more than 1000 objects exist in the Deleted Objects container, not all of them appear under it. If your target object does not appear, use NTDSUTIL to raise the MaxPageSize LDAP policy, as described in KB article 315071, "How to view and set LDAP policy in Active Directory by using Ntdsutil.exe".

7. Double-click the object that you want to undelete or reanimate.

8. Right-click the object that you want to reanimate, and then click Modify.

9. Next, change the value of the isDeleted attribute and the DN path in a single Lightweight Directory Access Protocol (LDAP) modify operation. To configure the Modify dialog, follow these steps:

a. In the Edit Entry Attribute box, type isDeleted. Leave the Value box blank.

b. Click the DELETE option button, and then click Enter to make the first of two entries in the Entry List dialog.

Important: Do not click Run at this phase!

c. In the Attribute box, type distinguishedName. In the Values box, type the new DN path of the reanimated object. For example, to reanimate the TestUser user account to the Sales OU, use the following DN path:
cn=TestUser,ou=Sales,dc=petri,dc=local

Note: If you want to reanimate a deleted object to its original container, append the value of the deleted object's lastKnownParent attribute to its CN value, and then paste the full DN path in the Values box.

d. In the Operation box, click REPLACE. Click ENTER.

e. Click to select the Synchronous check box, and the Extended check box.

f. Click RUN. Note the results pane on the right side showing you that the operation was successful.

10. After you reanimate the objects, click Options > Controls and click the Check Out button to remove (1.2.840.113556.1.4.417) from the Active Controls box list.

11. Open Active Directory Users and Computers, and reset the user account passwords, profiles, home directories and group memberships for the deleted users. You need to do this because when the object was deleted, all the attribute values except SID, objectGUID, lastKnownParent and sAMAccountName were stripped.

12. Enable the reanimated account in Active Directory Users and Computers.

Note: The restored object has the same primary SID as it had before the deletion, but the object must be added again to the same security groups to have the same level of access to resources. The RTM release of Windows Server 2003 does not preserve the sIDHistory attribute on reanimated user accounts, computer accounts, and security groups; Windows Server 2003 with Service Pack 1, however, does preserve the sIDHistory attribute on deleted objects.

13. If you do not reset the reanimated user account's password, you will get an error saying:

Windows cannot enable object TestUser because:
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.

For organizations using Exchange 2003 you need to remove Microsoft Exchange attributes and reconnect the user to the Exchange mailbox. In order to do so follow these steps:

In Active Directory Users and Computers, right-click the restored user and select Exchange Tasks. Select Remove Exchange Attributes and click Ok all the way till the end of the wizard.

In Exchange System Manager, navigate to the mailbox store containing the recovered user's mailbox. Refresh the Mailboxes node list, and if needed, right-click the Mailboxes node and select Run Cleanup Agent.

Note that the deleted user's mailbox is marked with a red X.

Right-click the deleted mailbox, select Reconnect.

Type the reanimated user's name. Press Check Names, then click Ok.

The mailbox is now reconnected. Wait a couple of minutes or re-run the Recipient Update Service from the Exchange System Manager console.

You can automate some or all of these recovery steps by using the following methods:

* Write a script that automates the manual recovery steps.
* Obtain a non-Microsoft program that supports the reanimation of deleted objects on Windows Server 2003 domain controllers. Read my "Recovering Deleted Items in Active Directory" article for more info on that.
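Step 9 above is one LDAP modify carrying two changes, sent while the Return Deleted Objects control is active. The following PowerShell is an added example, not part of the original article or of LDP, that performs the same reanimation through the .NET System.DirectoryServices.Protocols classes and so serves as the script the first bullet suggests. The function name, the dc1.petri.local server and the TestUser tombstone DN in the usage comment are constructed (petri.local is the domain the article's own examples use). It assumes a Windows Server 2003 or later DC and a session running with domain administrator rights.

```powershell
# Added example, not from the original article. Reanimates one tombstone the way
# steps 8-9 do in LDP, but through System.DirectoryServices.Protocols (.NET 2.0+).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-TombstonedObject {
    param(
        [Parameter(Mandatory=$true)][string]$Server,       # DC to bind to, e.g. 'dc1.petri.local' (constructed)
        [Parameter(Mandatory=$true)][string]$TombstoneDn,  # DN as shown under CN=Deleted Objects
        [string]$TargetParentDn                            # optional; default is the tombstone's lastKnownParent
    )
    $P = 'System.DirectoryServices.Protocols'

    $conn = New-Object "$P.LdapConnection" -ArgumentList $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # uses the caller's credentials; run from a domain admin session

    # Control 1.2.840.113556.1.4.417 ("Show Deleted") is what LDP loads as
    # "Return Deleted Objects"; it has to accompany both the search and the modify.
    $showDeleted = New-Object "$P.ShowDeletedControl"

    # 1. Read the tombstone to learn its original parent container.
    $search = New-Object "$P.SearchRequest"
    $search.DistinguishedName = $TombstoneDn
    $search.Filter = '(isDeleted=TRUE)'
    $search.Scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    [void]$search.Attributes.Add('lastKnownParent')
    [void]$search.Controls.Add($showDeleted)
    $resp = $conn.SendRequest($search)
    if ($resp.Entries.Count -ne 1) { throw "Tombstone not found: $TombstoneDn" }
    if (-not $TargetParentDn) {
        $lkp = $resp.Entries[0].Attributes['lastKnownParent']
        if ($null -eq $lkp) { throw 'lastKnownParent missing; pass -TargetParentDn explicitly' }
        $TargetParentDn = [string]$lkp[0]
    }

    # 2. Rebuild the target DN. A tombstone's RDN is "<original CN>\0ADEL:<objectGUID>",
    #    so the text before "\0ADEL:" is the name the object had before deletion.
    $rdn = ($TombstoneDn -split ',', 2)[0] -replace '^CN=', ''
    $originalCn = ($rdn -split '\\0ADEL:')[0]
    $newDn = "CN=$originalCn,$TargetParentDn"

    # 3. One modify request carrying both changes. The DC accepts the isDeleted removal
    #    only together with the new distinguishedName, which is why LDP's Entry List must
    #    hold both items before Run is clicked.
    $delIsDeleted = New-Object "$P.DirectoryAttributeModification"
    $delIsDeleted.Name = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object "$P.DirectoryAttributeModification"
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($newDn)

    $modify = New-Object "$P.ModifyRequest"
    $modify.DistinguishedName = $TombstoneDn
    [void]$modify.Modifications.Add($delIsDeleted)
    [void]$modify.Modifications.Add($setDn)
    [void]$modify.Controls.Add($showDeleted)
    [void]$conn.SendRequest($modify)   # throws DirectoryOperationException on failure

    # The object comes back disabled, with only SID, objectGUID, lastKnownParent and
    # sAMAccountName intact on RTM; password, groups and profile still need resetting.
    return $newDn
}

# Usage (constructed names; the GUID part of the tombstone RDN is a placeholder):
# Restore-TombstonedObject -Server 'dc1.petri.local' `
#     -TombstoneDn 'CN=TestUser\0ADEL:<objectGUID>,CN=Deleted Objects,DC=petri,DC=local' `
#     -TargetParentDn 'OU=Sales,DC=petri,DC=local'
```

Omit -TargetParentDn to put the object back where lastKnownParent says it lived, which is the manual note under step 9c. Steps 11 to 13 (password, group memberships, enabling the account) still have to follow, exactly as for the LDP procedure.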

Planning Considerations for Trust Relationships


Tree-root trust and Parent-child trust are implicitly created by Active Directory when new domains are created. This means that you do not need to explicitly create these trusts, nor do you have to perform any configuration or management tasks for them. Shortcut trust, Realm trust, External trust and Forest trust differ from Tree-root and Parent-child trust in that these four trusts have to be explicitly created and managed. Because of the different types of trust relationships that can be created, you need to plan which type of trust relationship to create for the domains within your Active Directory environment.

Shortcut Trust
Before you can create any shortcut trusts, you must be a member of the Enterprise Admins or Domain Admins group in each domain in the forest. Another requirement is that the domains you are creating shortcut trust for are Windows Server 2003 domains that reside in the same forest. As mentioned earlier, Shortcut trust is usually created to speed up authentication between two domains in different trees but within the same forest. Shortcut trust can be one-way transitive trust or two-way transitive trust. What shortcut trust essentially does is shorten the trust path traversed for authentication requests made between domains of different trees. Shortcut trust is typically configured in an intricate forest where users continually need to access resources of domains belonging to different trees. Shortcut trust improves query response performance as well. You would create one-way shortcut trust when the optimized trust path is only needed for one of the domains in the trust; the other domain's users would need to traverse the full trust path when handling authentication requests. You would create two-way shortcut trust when the users in each domain need to use the shortened trust path for authentication requests. The Active Directory tool that you use to create shortcut trust is the Active Directory Domains and Trusts console. The console enables you to specify selective authentication for incoming shortcut trust and outgoing shortcut trust.

What this means is that you can set authentication differently for the two forms of trust. When you set selective authentication for incoming shortcut trust, you would need to specify permissions for every resource that users in the other domain should be able to access. If domain wide authentication is specified on the incoming shortcut trust, users in the other domain and users in the local domain have the identical permissions to network resources.

Realm Trust
In order to create realm trust, you should have Enterprise Admin or Domain Admin permissions for the Windows Server 2003 domain, and you should have the permissions required for the non-Windows Kerberos version 5 realm. You would typically create realm trust to enable trust between a Windows Server 2003 domain and a MIT or UNIX Kerberos v5 realm. You can create Realm trust as either transitive or nontransitive trust, and as either one-way or two-way trust.

External Trust
You need to be a member of Enterprise Admins or Domain Admins of the Windows Server 2003 domain and a member of Enterprise Admins or Domain Admins of the other domain to create one-way External trust or two-way External trust. Recall from an earlier discussion that External trust is always nontransitive in nature, and is typically used to enable trust between an Active Directory domain and a down-level Windows NT 4 domain. When the External trust is created, security principals (Users, Groups, Computers) from the external domain are able to access network resources in the internal domain (the Windows Server 2003 domain). The foreign security principals can be examined in the Active Directory Users And Computers console; the only requirement is that Advanced Features are enabled. You can explicitly define different authentication for incoming External trusts and outgoing External trusts.

Forest Trust
You need to belong to the Enterprise Admins group in each forest between which you want to create forest trust. In addition, the domains within each forest and each forest itself have to be raised to the Windows Server 2003 functional level. Forest trust is typically created when enterprises merge or takeovers occur, and each company within the enterprise still needs to maintain some form of administrative independence. This trust relationship enables users to access Active Directory objects between all domains impacted by the particular forest trust relationship. Forest trust is transitive, and can be one-way or two-way trust. You would create one-way Forest trust when users in the trusted forest need to access Active Directory objects in the trusting forest, but users in the trusting forest do not need to access resources in the trusted forest. You would create two-way Forest trust in cases where users in either forest need to access resources hosted in the other forest.
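Once the trusts described above exist, the settings that decide how much of the other domain's population gets in (Domain Wide versus Selective Authentication, and whether SID history is filtered) are worth auditing periodically. The following PowerShell is an added example, not part of the original article: it enumerates the current domain's trusts through the .NET System.DirectoryServices.ActiveDirectory classes and, for External and Forest trusts, reports the SID filtering and selective authentication status, flagging the permissive combinations. The function name is my own; it assumes a domain-joined session with .NET 2.0 and rights to read trust properties. Forest trusts are objects of the forest root domain, so run it there to see them.

```powershell
# Added example, not from the original article. Assumes a domain-joined session with
# .NET 2.0 (System.DirectoryServices.ActiveDirectory). Function name is my own.
function Get-TrustAudit {
    # Lists this domain's trusts with type and direction and, for external and forest
    # trusts, whether SID filtering and selective authentication are in force.
    # Domain-wide authentication (SelectiveAuth = False) treats every user of the trusted
    # domain as Authenticated Users on resources here, which is what the text above warns about.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    foreach ($t in $domain.GetAllTrustRelationships()) {
        $sidFiltering  = 'n/a'
        $selectiveAuth = 'n/a'

        # The status calls describe the outgoing side of the trust, so they apply only when
        # this domain trusts the other one (Outbound or Bidirectional), not to inbound-only trusts.
        $inbound = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound
        if ($t.TrustDirection -ne $inbound) {
            try {
                switch ([string]$t.TrustType) {
                    'External' {
                        $sidFiltering  = $domain.GetSidFilteringStatus($t.TargetName)
                        $selectiveAuth = $domain.GetSelectiveAuthenticationStatus($t.TargetName)
                    }
                    'Forest' {
                        $sidFiltering  = $forest.GetSidFilteringStatus($t.TargetName)
                        $selectiveAuth = $forest.GetSelectiveAuthenticationStatus($t.TargetName)
                    }
                    # ParentChild, TreeRoot, CrossLink (shortcut) and Kerberos (realm) trusts
                    # have no per-trust selective authentication setting to query here.
                }
            } catch {
                $sidFiltering = "error: $($_.Exception.Message)"
            }
        }

        # Flag the permissive combinations a reviewer would want to look at.
        $flags = @()
        if ($sidFiltering -eq $false)  { $flags += 'SID filtering off' }
        if ($selectiveAuth -eq $false) { $flags += 'domain-wide authentication' }

        New-Object PSObject -Property @{
            Source        = $t.SourceName
            Target        = $t.TargetName
            Type          = $t.TrustType
            Direction     = $t.TrustDirection
            SidFiltering  = $sidFiltering
            SelectiveAuth = $selectiveAuth
            Review        = ($flags -join '; ')
        }
    }
}

# Usage:
# Get-TrustAudit | Format-Table Source, Target, Type, Direction, SidFiltering, SelectiveAuth, Review -AutoSize
```

A non-empty Review column on an External or Forest trust means users from the other side are authenticated to every resource in this domain (or that their SID history is honoured); the Outgoing Trust Authentication Level page of the New Trust Wizard, described in the procedures that follow, is where that choice was made.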

How to create Shortcut trust using Active Directory Domains and Trusts
1. Open the Active Directory Domains and Trusts console.

2. In the console tree, locate and right-click the domain for which you want to configure Shortcut trust, and click Properties from the shortcut menu.
3. When the Properties dialog box of the domain you chose opens, click the Trusts tab.
4. Click the New Trust button at the bottom of the dialog box.
5. This action starts the New Trust Wizard.
6. Click Next on the Welcome To The New Trust Wizard page.

7. When the Trust Name page opens, enter the DNS name of the other domain that you want to create trust with. Click Next.
8. On the Direction Of Trust page, you can select one of the following options:
   * Two-Way: Click this option if you want to define two-way Shortcut trust. This would mean that users in each domain would be able to access resources in both domains.
   * One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the other domain.
   * One-Way: Outgoing: This option should be selected if you want users of the other domain to be able to access resources in this particular domain.
   Click Next.
9. When the Sides Of Trust page opens, you can select one of these options:
   * This Domain Only: Selecting this option creates the Shortcut trust in the local domain.
   * Both This Domain And The Specified Domain: Selecting this option creates the Shortcut trust in the local domain and in the other domain that you indicated.
   Click Next.
10. The New Trust Wizard displays different pages next, based on what you selected in the previous two steps.
11. Where Two-Way or One-Way: Outgoing was selected in Step 8, and This Domain Only was selected in Step 9, the wizard displays the Outgoing Trust Authentication Level page. You can select either Domain Wide Authentication or Selective Authentication. Choosing Domain Wide Authentication results in the automatic authentication of users in the other domain for network resources in the local domain. If you select Selective Authentication, the users in the other domain are not automatically authenticated for resources in the local domain. Click Next. The wizard then displays the Trust Password page. This is where you have to set the password for the trust. Click Next.
12. Where One-Way: Incoming was selected in Step 8, and This Domain Only was selected in Step 9, the wizard displays the Trust Password page. Enter the password for the trust in the boxes. Click Next.
13. Where Both This Domain And The Specified Domain was selected in Step 9, the wizard displays the User Name And Password page. You have to provide the user name and password of an Administrator account that has the necessary rights in the other domain. Click Next.
14. The Trust Selections Complete page is displayed next. All the settings that you previously specified are shown on this page. After checking that the configuration settings are correct, click Next.
15. The New Trust Wizard now creates the shortcut trust relationship.
16. When the Trust Creation Complete page appears, click Next.
17. The Confirm Outgoing Trust page allows you to verify outgoing trust. Click Yes, Confirm The Outgoing Trust or click No, Do Not Confirm The Outgoing Trust. Click Next.
18. The Confirm Incoming Trust page allows you to verify incoming trust. Click Yes, Confirm The Incoming Trust or click No, Do Not Confirm The Incoming Trust. Click Next.
19. Click Finish when the Completing The New Trust Wizard page is displayed.

How to create Realm trust using Active Directory Domains and Trusts
1. Open the Active Directory Domains and Trusts console.

2. In the console tree, locate and right-click the domain for which you want to configure Realm trust, and click Properties from the shortcut menu.
3. When the Properties dialog box of the domain opens, click the Trusts tab.
4. Click the New Trust button at the bottom of the dialog box.
5. Click Next on the Welcome To The New Trust Wizard page.

6. When the Trust Name page opens, enter the DNS name of the other domain for the realm trust. Click Next.
7. The Trust Type page appears next. Select Realm Trust. Click Next.
8. When the Transitivity Of Trust page opens, select one of the following options:
   * Nontransitive: Select this option if the Realm trust should end with the two domains between which it is created.
   * Transitive: Select this option if you want this particular domain and all other trusted domains to create trust with the realm and other trusted realms.
   Click Next.
9. On the Direction Of Trust page, you can select one of the following options:
   * Two-Way: Click this option if you want to define two-way Realm trust. This would mean that users in the domain and realm would be able to access resources in both the domain and realm.
   * One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the realm.
   * One-Way: Outgoing: This option should be selected if you only want users of the realm to be able to access resources in this particular domain.
   Click Next.
10. The wizard displays the Trust Password page next. Enter the password for the trust in the boxes. Click Next.
11. The Trust Selections Complete page is displayed next. All the settings that you previously specified are shown on this page. After checking that the configuration settings are correct, click Next.
12. The New Trust Wizard creates the Realm trust relationship.
13. Click Finish on the Completing The New Trust Wizard page.

How to create External trust using Active Directory Domains and Trusts
You first have to specify a DNS forwarder for each of the DNS servers that are authoritative for the trusting forests. You use the DNS Administration tool to configure DNS forwarders:

1. Click Start, click Administrative Tools, and click DNS.
2. Right-click the DNS server, and click Properties from the shortcut menu.
3. When the Properties dialog box of the DNS server opens, click the Forwarders tab.
4. Click New, and enter the DNS domain name whose queries need to be forwarded.
5. In the Selected Domain's IP Address List, enter the IP addresses of the servers to which these queries are forwarded.
6. Click Add.
7. Click OK.
8. Open the Active Directory Domains and Trusts console.
9. In the console tree, locate and right-click the domain in the initial forest for which you want to configure External trust, and click Properties from the shortcut menu.
10. When the Properties dialog box of the domain opens, click the Trusts tab.
11. Click the New Trust button at the bottom of the dialog box.
12. Click Next on the Welcome To The New Trust Wizard page.
13. When the Trust Name page opens, enter the DNS name of the domain in the other forest. Click Next.
14. The Trust Type page appears next if the forest functional level is raised to Windows Server 2003 forest functional level. Select the External Trust option. Click Next.
15. The Direction Of Trust page is displayed straight after the Trust Name page if the forest functional level is not raised to Windows Server 2003. You can select one of the following options:
   * Two-Way: Click this option if you want to define two-way External trust. This would mean that users in each domain would be able to access resources in both domains.
   * One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the other domain.
   * One-Way: Outgoing: This option should be selected if you only want users of the other domain to be able to access resources in this particular domain.
   Click Next.
16. When the Sides Of Trust page opens, you can select one of these options:
   * This Domain Only: Selecting this option creates the trust in the local domain.
   * Both This Domain And The Specified Domain: Selecting this option creates the trust in the local domain and in the other domain.
   Click Next.
17. The New Trust Wizard displays different pages next, based on what you selected in the previous two steps.
18. Where Two-Way or One-Way: Outgoing was selected in Step 15, and This Domain Only was selected in Step 16, the wizard displays the Outgoing Trust Authentication Level page. You can select either Domain Wide Authentication or Selective Authentication. Choosing Domain Wide Authentication results in the automatic authentication of users in the other domain for network resources in the local domain. If you select Selective Authentication, the users in the other domain are not automatically authenticated for resources in the local domain. Click Next. The wizard then displays the Trust Password page. This is where you have to set the password for the trust. Click Next.
19. Where One-Way: Incoming was selected in Step 15, and This Domain Only was selected in Step 16, the wizard displays the Trust Password page. Enter the password for the trust. Click Next.
20. Where Both This Domain And The Specified Domain was selected in Step 16, the wizard displays the User Name And Password page. You have to provide the user name and password of an Administrator account that has the necessary rights. Click Next.
21. When the Trust Selections Complete page is displayed, the settings that you previously specified are shown. After checking that the configuration settings are correct, click Next.
22. The New Trust Wizard now creates the External trust.
23. When the Trust Creation Complete page appears, click Next.
24. The Confirm Outgoing Trust page allows you to verify outgoing trust. Click Yes, Confirm The Outgoing Trust or click No, Do Not Confirm The Outgoing Trust. Click Next.
25. The Confirm Incoming Trust page allows you to verify incoming trust. Click Yes, Confirm The Incoming Trust or click No, Do Not Confirm The Incoming Trust. Click Next.
26. Click Finish.

How to create Forest trust using Active Directory Domains and Trusts

Before you can use the Active Directory Domains and Trusts console to create a Forest trust, the DNS servers that are authoritative for each forest must be able to resolve the other forest: configure a DNS forwarder for them with the DNS administration tool. In addition, the forest functional level of both forests must be Windows Server 2003.

1. Open the Active Directory Domains and Trusts console.

2. In the console tree, right-click the forest root domain of the first forest (forest trusts are created between forest root domains) and click Properties on the shortcut menu.

3. In the domain's Properties dialog box, click the Trusts tab and then click New Trust.

4. On the Welcome To The New Trust Wizard page, click Next.

5. On the Trust Name page, enter the DNS name of the root domain of the other forest. Click Next.

6. On the Trust Type page, select the Forest Trust option. Click Next.

7. On the Direction Of Trust page, select one of the following options:
   * Two-Way: creates a two-way Forest trust, so users in each forest can access resources in both forests.
   * One-Way: Incoming: users of this forest can access resources in the other forest.
   * One-Way: Outgoing: users of the other forest can access resources in this forest.
   Click Next.

8. On the Sides Of Trust page, select one of these options:
   * This Domain Only: creates the trust in the local forest only.
   * Both This Domain And The Specified Domain: creates the trust in the local forest and in the other forest.
   Click Next.

9. If Two-Way or One-Way: Outgoing was selected in Step 7 and This Domain Only in Step 8, the wizard displays the Outgoing Trust Authentication Level page. For a forest trust the choices are Forest-wide Authentication and Selective Authentication. With Forest-wide Authentication, users in the other forest are automatically authenticated for network resources in the local forest. With Selective Authentication, users in the other forest are not authenticated automatically. Click Next. The wizard then displays the Trust Password page, where you set the password for the trust. Click Next.

10. If One-Way: Incoming was selected in Step 7 and This Domain Only in Step 8, the wizard displays the Trust Password page. Enter the password for the trust and click Next.

11. If Both This Domain And The Specified Domain was selected in Step 8, the wizard displays the User Name And Password page. Provide the user name and password of an account with administrative rights in the other forest. Click Next.

12. The Trust Selections Complete page shows the settings you specified. Check that they are correct and click Next.

13. The New Trust Wizard creates the Forest trust.

14. On the Trust Creation Complete page, click Next.

15. The Confirm Outgoing Trust page lets you verify the outgoing trust. Click Yes, Confirm The Outgoing Trust or No, Do Not Confirm The Outgoing Trust, then click Next.

16. The Confirm Incoming Trust page lets you verify the incoming trust. Click Yes, Confirm The Incoming Trust or No, Do Not Confirm The Incoming Trust, then click Next.

17. Click Finish on the Completing The New Trust Wizard page.

How to remove existing Active Directory trust relationships

1. Open the Active Directory Domains And Trusts console.

2. In the console tree, right-click a domain that is part of the trust relationship you want to remove, and select Properties from the shortcut menu.

3. Click the Trusts tab.

4. In the Domains Trusted By This Domain (Outgoing Trusts) box, select the trust you want to remove.

5. Click the Remove button next to the box.

6. To remove the trust from the local domain only, click No, Remove The Trust From The Local Domain Only, and click OK. The other domain keeps its half of the trust until it is removed there as well.

7. To remove the trust from both domains, click Yes, Remove The Trust From Both The Local Domain And The Other Domain, enter the user name and password of an account with administrative rights in the other domain, and click OK.

8. Click Yes to confirm that you want to remove the trust relationship.

9. In the Domains That Trust This Domain (Incoming Trusts) box, select the trust you want to remove.

10. Choose the appropriate option in the Active Directory dialog box, and then click OK.

11. Click Yes to confirm that you want to remove the trust relationship.

How to validate existing Active Directory trust relationships

1. Open the Active Directory Domains And Trusts console.

2. In the console tree, right-click a domain that is part of the trust relationship you want to validate, and select Properties from the shortcut menu.

3. Click the Trusts tab.

4. Select the trust you want to examine in one of the following boxes:
   * Domains Trusted By This Domain (Outgoing Trusts)
   * Domains That Trust This Domain (Incoming Trusts)

5. After selecting the trust, click the Properties button.

6. When the Properties dialog box of the trust opens, click the Validate button.

7. To verify the outgoing trust only, click No, Do Not Validate The Incoming Trust and click OK.

8. To verify both the incoming and the outgoing trust, click Yes, Validate The Incoming Trust, enter the user name and password of an account with administrative rights in the other domain, and click OK.

9. After the trust is validated, a message is displayed to confirm it.

10. Click OK.

How to create and manage trust relationships using the Windows Domain Manager command-line tool

The Windows Domain Manager command-line tool, Netdom.exe, can also create and manage Active Directory trusts. It is included in the Windows Support Tools on the Windows Server 2003 Setup CD-ROM.

The netdom trust command creates and manages trusts:

netdom trust TrustingDomainName /d:TrustedDomainName [/ud:[Domain\]User] [/pd:{Password|*}] [/uo:User] [/po:{Password|*}] [/verify] [/reset] [/passwordt:NewRealmTrustPassword] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/verbose]

TrustingDomainName is the name of the trusting domain (the domain whose resources are made available), and /d names the trusted domain. /ud and /pd give the account and password used to connect to the trusted domain, /uo and /po the account and password used to connect to the trusting domain; an asterisk instead of a password makes netdom prompt for it, which keeps the password out of the command history. /add creates the trust (with /realm, a trust to a non-Windows Kerberos realm, whose trust password is then set with /passwordt), /verify validates it, /reset resets the trust password on both sides, and /remove deletes it (/force deletes the local trust object even when the other domain cannot be contacted). /twoway creates a two-way trust, and /transitive sets or displays the transitivity of a realm trust.
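As an added example (not part of the original page), the three console procedures above, creating, validating and removing a trust, expressed with netdom trust from a PowerShell prompt. The domain names and the administrator accounts are placeholders, and the wrapper function Invoke-Netdom is this example's own: it exists only so a failed step stops the script instead of being followed by a /verify that cannot succeed.

```powershell
# Added example: create, verify, reset and remove an External trust with netdom.exe
# (Windows Support Tools). Domain and account names are placeholders (assumptions).
# /pd:* and /po:* make netdom prompt for the passwords instead of taking them on the
# command line, so they do not end up in the shell history or in a logon script.

$Trusting = 'corp.example.com'        # domain whose resources are made available
$Trusted  = 'partner.example.com'     # domain whose users are granted access
$TrustedAdmin  = "$Trusted\Administrator"    # account in the trusted domain (/ud)
$TrustingAdmin = "$Trusting\Administrator"   # account in the trusting domain (/uo)

function Invoke-Netdom {
    # Runs 'netdom trust' with the given arguments and throws on a non-zero exit code.
    param([string[]]$NetdomArgs)
    & netdom.exe trust @NetdomArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netdom trust $($NetdomArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Arguments shared by every call: trusting domain, trusted domain, both credentials.
$Common = @($Trusting, "/d:$Trusted", "/ud:$TrustedAdmin", '/pd:*', "/uo:$TrustingAdmin", '/po:*')

# 1. Create a one-way External trust in which corp (trusting) trusts partner (trusted).
#    Because credentials for both domains are supplied, both sides of the trust are
#    created, like the wizard's "Both This Domain And The Specified Domain" choice.
#    Add '/twoway' for a two-way trust. External trusts are never transitive.
Invoke-Netdom ($Common + '/add')

# 2. Validate the trust (the Validate button on the Trusts tab).
Invoke-Netdom ($Common + '/verify')

# 3. If validation fails because the trust password has got out of sync, reset it on
#    both sides and verify again.
# Invoke-Netdom ($Common + '/reset')
# Invoke-Netdom ($Common + '/verify')

# 4. Remove both sides of the trust. '/force' removes the local trust object even when
#    the other domain cannot be contacted; the stale object there must then be deleted
#    by hand, as in the console procedure's "local domain only" case.
# Invoke-Netdom ($Common + '/remove')
```

The wizard's Selective Authentication choice is not among the switches listed above; after creating a trust with netdom, open the trust's Properties page in Active Directory Domains and Trusts and set the authentication level there before granting any access across it.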

Windows Server 2008 Editions, Features and System Requirements

Before embarking on the installation of Windows Server 2008, it is important to understand the different editions available, their hardware limits and the upgrade paths to each. With this objective in mind, this chapter gives an overview of the editions and the recommended hardware requirements. The editions are:

1. Windows Server 2008 Standard Edition
2. Windows Server 2008 Enterprise Edition
3. Windows Server 2008 Datacenter Edition
4. Windows Web Server 2008
5. Windows Server 2008 for Itanium-Based Systems

Windows Server 2008 Standard Edition
Windows Server 2008 Standard is one of Microsoft's entry-level server offerings (alongside Windows Web Server 2008) and one of the least expensive editions. Both 32-bit and 64-bit versions are available. Standard Edition supports up to 4 processors and up to 4GB of RAM on 32-bit systems (32GB on 64-bit systems). It is primarily targeted at small and mid-sized businesses (SMBs) and is well suited to providing domain, web, DNS, remote access, print, file and application services. Support for clustering is notably absent from this edition. An upgrade path to Windows Server 2008 Standard exists from Windows 2000 Server and Windows Server 2003 Standard Edition.

Windows Server 2008 Enterprise Edition
Windows Server 2008 Enterprise Edition provides greater functionality and scalability than the Standard Edition. As with Standard Edition, both 32-bit and 64-bit versions are available. Enhancements include support for up to 8 processors and up to 64GB of RAM on 32-bit systems and 2TB of RAM on 64-bit systems. Additional features include support for clusters of up to 8 nodes and Active Directory Federation Services (AD FS). Windows 2000 Server, Windows 2000 Advanced Server, Windows Server 2003 Standard Edition and Windows Server 2003 Enterprise Edition may all be upgraded to Windows Server 2008 Enterprise Edition.

Windows Server 2008 Datacenter Edition
The Datacenter edition represents the top end of the Windows Server 2008 product range and is targeted at mission-critical deployments requiring stability and high uptime. It is tied closely to the underlying hardware through custom Hardware Abstraction Layers (HALs), so it can currently only be obtained as part of a hardware purchase. As with the other editions, Datacenter is available in 32-bit and 64-bit versions and supports 64GB of RAM on 32-bit systems and up to 2TB of RAM on 64-bit systems. It supports a minimum of 8 and a maximum of 64 processors. Upgrade paths to Windows Server 2008 Datacenter Edition exist from the Datacenter editions of Windows 2000 and Windows Server 2003.

Windows Web Server 2008
Windows Web Server 2008 is essentially a version of Windows Server 2008 designed primarily for providing web services. It includes Internet Information Services (IIS) 7.0 along with associated services such as Simple Mail Transfer Protocol (SMTP) and Telnet. It is available in 32-bit and 64-bit versions and supports up to 4 processors. RAM is limited to 4GB on 32-bit and 32GB on 64-bit systems. Windows Web Server 2008 lacks many of the features present in the other editions, such as clustering, BitLocker drive encryption, multipath I/O, Windows Internet Naming Service (WINS), Removable Storage Management and SAN Management.

Features

Now that the editions have been covered in general terms, the chapter compares them feature by feature in a matrix with one column per edition (Enterprise, Datacenter, Standard, Web, Itanium) and the following rows:

ADFS Web Agent; Directory uIDM; Desktop Experience; Windows Clustering; Windows Server Backup; Windows Network Load Balancing (WNLB); Simple TCP/IP Services; SMTP; Subsystem for Unix-Based Applications (SUA); Telnet Client; Telnet Server; Microsoft Message Queuing (MSMQ); RPC Over HTTP Proxy; Windows Internet Naming Service (WINS); Wireless Client; Windows System Resource Manager (WSRM); Simple SAN Management; LPR Port Monitor; The Windows Foundation Components for WinFX; BITS Server Extensions; iSNS Server Service; BitLocker Drive Encryption; Multipath IO; Removable Storage Management; TFTP; SNMP; Server Admin Pack; RDC; Peer-to-Peer Name Resolution Protocol; Recovery Disk; Windows PowerShell.

(The Yes/No cells of the matrix are not reproduced here; the edition descriptions above record the differences the chapter calls out: no clustering in Standard Edition, and no clustering, BitLocker, multipath I/O, WINS, Removable Storage Management or SAN Management in Windows Web Server 2008.)

System Requirements

Before investing time and resources into downloading and installing Windows Server 2008, the first step is to understand the hardware needed to run the operating system effectively. The following table gives Microsoft's minimum and recommended hardware:

Category - Minimum / Recommended Requirements

Processor - Minimum: 1GHz (x86) or 1.4GHz (x64). Recommended: 2GHz or faster. Note: Itanium-based systems require an Intel Itanium 2 processor.

Memory - Minimum: 512MB RAM. Recommended: 2GB RAM or greater. Maximum (32-bit systems): 4GB (Standard) or 64GB (Enterprise and Datacenter). Maximum (64-bit systems): 32GB (Standard) or 2TB (Enterprise, Datacenter and Itanium-Based Systems).

Available Disk Space - Minimum: 10GB. Recommended: 40GB or greater. Note: systems with more than 16GB of RAM need more disk space for the paging, hibernation and dump files.

Drive - DVD-ROM drive.

Display and Peripherals - Super VGA (800x600) or higher-resolution monitor; keyboard; Microsoft Mouse or compatible pointing device.

As with the system requirements for all Windows systems, aim for the Recommended rather than the Minimum values to get acceptable performance. For example, while Windows Server 2008 will run in 512MB of RAM, performance with such a configuration is unlikely to be acceptable.

How to Install Windows Server 2008 Step by Step

Installing Windows Server 2008 is much like installing Windows Vista.

Hardware requirements for installing Windows Server 2008:

Component - Requirement

Processor - Minimum: 1GHz (x86) or 1.4GHz (x64). Recommended: 2GHz or faster. Note: an Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-based Systems.

Memory - Minimum: 512MB RAM. Recommended: 2GB RAM or greater. Maximum (32-bit systems): 4GB (Standard) or 64GB (Enterprise and Datacenter). Maximum (64-bit systems): 32GB (Standard) or 2TB (Enterprise, Datacenter and Itanium-based Systems).

Available Disk Space - Minimum: 10GB. Recommended: 40GB or greater. Note: computers with more than 16GB of RAM need more disk space for paging, hibernation and dump files.

Drive - DVD-ROM drive.

Follow these steps to install Windows Server 2008:

1. Insert the Windows Server 2008 installation DVD into the DVD drive. If you do not have an installation DVD, a trial image can be downloaded free of charge from Microsoft's Windows Server 2008 trial website.

2. Reboot the computer and choose to boot from the CD/DVD drive.

3. When prompted for the installation language and other regional options, make your selection and click Next.

4. Click Install Now to begin the installation.

5. If Setup cannot determine your edition from a product key, it prompts you to select the edition on the next screen.

6. Select the Full installation of the edition you are licensed for (rather than the Server Core installation) and click Next.

7. Read the license terms, accept them by selecting the check box, and click Next.

8. In the "Which type of installation do you want?" window, click the only available option, Custom (Advanced).

9. In the "Where do you want to install Windows?" window, select the destination disk (usually Disk 0 when installing on a regular IDE disk) and click Next. You can also click Drive Options to create a partition on the destination disk manually.

10. Installation begins. Copying the setup files from the DVD to the hard drive takes only about a minute; extracting and uncompressing them takes a good deal longer, and after roughly 20 minutes the operating system is installed. The exact time depends on your hardware: faster disks give much faster installs. Windows Server 2008 occupies approximately 10GB of disk space. The installation reboots the computer.

11. After the reboot you are presented with the new Windows Server 2008 logon screen. Press CTRL+ALT+DEL to log on.

12. Click Other User.

13. The default Administrator password is blank, so type Administrator as the user name and press Enter.

14. You are prompted to change the user's password. There is no choice here: click OK.

15. In the password-change dialog box, leave the old password blank (it is blank, as noted in step 13) and enter a new complex password of at least 7 characters twice. This is the only account on the server until you create others, so choose it accordingly.

16. Acknowledge that the password has been changed by clicking OK.

17. The desktop appears and you are logged on. The Initial Configuration Tasks assistant greets you; after completing its initial configuration tasks you can start working.

Understanding Windows Server 2008 Server Core

A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those roles. A Server Core installation supports the following server roles:

* Active Directory Domain Services (AD DS)
* Active Directory Lightweight Directory Services (AD LDS)
* DHCP Server
* DNS Server
* File Services
* Print Services
* Streaming Media Services
* Internet Information Services (IIS)
* Windows Virtualization (Hyper-V)

In Windows Server 2008, a Server Core installation does not include the traditional full graphical user interface (GUI); local and remote management of Server Core machines is covered in the sections that follow.

This is, in a way, a change in how Microsoft approaches GUI-based administration, reinforced by Windows PowerShell and Microsoft Exchange Server 2007, both of which provide strong command-line management. A few GUI tools are nevertheless available in Server Core, among them:

* Task Manager
* Notepad (stripped down)
* The Time, Date, and Time Zone Control Panel applet
* The Regional Settings Control Panel applet

What's new in the Server Core installation option?

The Server Core installation option of Windows Server 2008 requires initial configuration at a command prompt, since it does not include the traditional full graphical user interface. Once the server is configured, you can manage it locally at a command prompt or remotely over a Terminal Server connection. You can also manage it remotely with the Microsoft Management Console (MMC) or with command-line tools that support remote use.

Benefits of a Server Core installation

The Server Core installation option of Windows Server 2008 provides the following benefits:

* Reduced maintenance - Because Server Core installs only what is required for a manageable server running the AD DS, AD LDS, DHCP Server, DNS Server, File Services, Print Services and Streaming Media Services roles, less maintenance is required than for a full installation of Windows Server 2008.
* Reduced attack surface - Because Server Core installations are minimal, fewer applications and services run on the server, which reduces the attack surface.
* Reduced management - Because fewer applications and services are installed, there is less to manage.
* Less disk space required - A Server Core installation needs only about 1 gigabyte (GB) of disk space to install and approximately 2GB for operation after installation.
* Lower risk of bugs - Less code means fewer bugs.

Issues with Server Core installation and upgrading from previous versions

Since Server Core is a special installation of Windows Server 2008, the following limitations apply:

* There is no way to upgrade from a previous version of the Windows Server operating system to a Server Core installation. Only a clean installation is supported.
* There is no way to upgrade from a full installation of Windows Server 2008 to a Server Core installation. Only a clean installation is supported.
* There is no way to upgrade from a Server Core installation to a full installation of Windows Server 2008. If you need the Windows user interface or a server role that Server Core does not support, you need to perform a full installation of Windows Server 2008.

Server Core versions

Server Core comes in Standard, Enterprise and Datacenter editions for i386 and x64 platforms. Most companies will probably choose the Standard edition, because most of the differences between the Enterprise and Datacenter editions of Windows Server 2008 are not present in Server Core. The Enterprise Server Core edition does, however, support more processors and memory as well as clustering; Datacenter adds the Datacenter hardware program and its 99.999 percent reliability commitment.

Windows Server Core Installation

Server Core Prerequisites

Before installing Server Core you need the following:

* The original Windows Server 2008 or 2008 R2 installation media. Windows Server 2008 requires a valid product key during installation; Windows Server 2008 R2 can be installed without one.
* A machine for a clean Server Core installation. There is no upgrade option for Server Core: you cannot upgrade to it from a previous version of Windows Server or from a full installation of Windows Server 2008, and you cannot upgrade from Server Core to a full installation of Windows Server 2008. If you need the Windows user interface or a server role that Server Core does not support, perform a full installation of Windows Server 2008.

Installation Method 1 - Manually Install Server Core

Follow this procedure to install Server Core:

1. Insert the Windows Server 2008 installation media in the DVD drive.
2. When the auto-run dialog appears, click Install Now.
3. Follow the Setup steps, choosing the Server Core installation of your edition, to complete Setup.
4. When Setup has completed, press CTRL+ALT+DELETE, click Other User, type Administrator with a blank password, and press ENTER. You are then prompted to create a password for the Administrator account, after which the installation is complete.

In Windows Server 2008 R2 the setup procedure no longer prompts for a product key. Enter one with slmgr.vbs before activating the installation.
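The manual installation above leaves a Server Core host that still has to be given its first configuration at the command prompt: addressing, product key, domain membership and remote management. The following is an added example, not from the original page, written as a PowerShell script so that the sequence reads as one unit. Every step calls an external tool (netsh, slmgr.vbs, scregedit.wsf, netdom, ocsetup), so the same commands can be typed one at a time at the cmd.exe prompt of a Server Core host that has no PowerShell (use %COMPUTERNAME% where the script uses $env:COMPUTERNAME). The adapter name, addresses, computer and domain names and the product key are placeholders, and the Invoke-Step wrapper is this example's own.

```powershell
# Added example: first-boot configuration of a Windows Server 2008 Server Core host.
# All values below are placeholders (assumptions); replace them for your environment.
$Nic     = 'Local Area Connection'   # as listed by: netsh interface ipv4 show interfaces
$Ip      = '10.0.0.20'
$Mask    = '255.255.255.0'
$Gateway = '10.0.0.1'
$Dns     = '10.0.0.10'
$NewName = 'CORE01'
$Domain  = 'corp.example.com'
$Key     = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'

function Invoke-Step {
    # Runs one external command and stops at the first failure instead of carrying on
    # with a half-configured server (for example joining a domain with no DNS server set).
    param([string]$Description, [scriptblock]$Command)
    Write-Host "==> $Description"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Description failed (exit code $LASTEXITCODE)" }
}

# 1. Static IP address and DNS server (Setup leaves the adapter on DHCP).
Invoke-Step 'Set static address' {
    netsh interface ipv4 set address name="$Nic" source=static address=$Ip mask=$Mask gateway=$Gateway
}
Invoke-Step 'Set DNS server' { netsh interface ipv4 add dnsserver name="$Nic" address=$Dns index=1 }

# 2. Product key and activation (Windows Server 2008 R2 Setup no longer asks for the key).
Invoke-Step 'Install product key' { cscript //nologo "$env:windir\System32\slmgr.vbs" -ipk $Key }
Invoke-Step 'Activate'            { cscript //nologo "$env:windir\System32\slmgr.vbs" -ato }

# 3. Remote management: enable Remote Desktop and the firewall rule groups used by RDP and
#    by the MMC snap-ins mentioned in the text. 'scregedit.wsf /cs 0' would additionally
#    admit RDP clients that cannot do Network Level Authentication; leave that at its
#    default so only NLA-capable clients can reach the logon screen.
Invoke-Step 'Enable Remote Desktop' { cscript //nologo "$env:windir\System32\scregedit.wsf" /ar 0 }
Invoke-Step 'Open firewall for RDP' { netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes }
Invoke-Step 'Open firewall for MMC' { netsh advfirewall firewall set rule group="Remote Administration" new enable=yes }

# 4. Join the domain under the current (Setup-generated) name, then rename the computer
#    object. /passwordd:* makes netdom prompt for the password; the rename restarts the
#    host after 10 seconds so the new name takes effect.
Invoke-Step 'Join domain' {
    netdom join $env:COMPUTERNAME /domain:$Domain /userd:"$Domain\Administrator" /passwordd:*
}
Invoke-Step 'Rename computer' {
    netdom renamecomputer $env:COMPUTERNAME /newname:$NewName /userd:"$Domain\Administrator" /passwordd:* /force /reboot:10
}

# 5. After the restart: list the available roles and add one, e.g. the DNS Server role
#    (role names passed to ocsetup are case sensitive).
#    oclist
#    Start-Process -FilePath ocsetup -ArgumentList 'DNS-Server-Core-Role' -Wait
```

Step 3 is the difference between a Server Core host you can manage and one you have to walk to: without the firewall rule groups the MMC snap-ins and Remote Desktop are refused even though the services are listening, and with /cs 0 the logon screen would be exposed to any client on the network before authentication.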

Installation Method 2 - Use an Unattend File for Installing Server Core

The manual install is a simple process, but using an unattend file for the Server Core installation lets you carry out many of the initial configuration tasks during Setup. An unattended Server Core installation has the following benefits:

* No need to perform the initial configuration afterwards with command-line tools.
* The settings that enable remote administration can be included in the unattend file.
* Settings that are otherwise hard to change, such as the display resolution, can be set.

Follow this procedure to install Server Core using an unattend file:

1. Create an .xml file named Unattend.xml using a simple text editor or Windows System Image Manager.
2. Copy the Unattend.xml file to a local drive or a shared network drive.
3. Boot the machine into Windows Preinstallation Environment (Windows PE), Windows Server 2003 or Windows XP.
4. Insert the Windows Server 2008 or 2008 R2 installation media into the drive (click Cancel if the auto-run Setup window opens).
5. At the command prompt, change to the drive containing the installation media.
6. Enter the following command: setup /unattend:<path>\unattend.xml, where <path> is the path to the Unattend.xml file.
7. Allow the Setup process to complete.
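As an added example (not part of the original article), here is what such an unattend file can look like, generated from PowerShell on the technician machine and then handed to Setup as in step 6. The image index, computer name, password and paths are placeholders: the index must match the Server Core image in install.wim on your media (check it with imagex /info, or dism /Get-WimInfo on Windows Server 2008 R2 media), the component attributes are for x64 media (use processorArchitecture="x86" for 32-bit), and the fragment should be validated in Windows System Image Manager against the catalog for your media before use. Note that the file carries the Administrator password in clear text: keep it on a share that only the build account can read, delete it when the build is done, and change the password at first logon.

```powershell
# Added example: write a minimal Unattend.xml for a Server Core installation and start
# Setup with it. Values marked ASSUMED are placeholders for your environment.
$UnattendPath = 'D:\unattend\Unattend.xml'   # ASSUMED: path readable while Setup runs
$ImageIndex   = 2                             # ASSUMED: index of the Server Core image in install.wim
$ComputerName = 'CORE01'                      # ASSUMED
$AdminPass    = 'P@ssw0rd-change-me!'         # ASSUMED; stored in clear text in the file

$Unattend = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserData>
        <AcceptEula>true</AcceptEula>
      </UserData>
      <ImageInstall>
        <OSImage>
          <InstallFrom>
            <MetaData wcm:action="add">
              <Key>/IMAGE/INDEX</Key>
              <Value>$ImageIndex</Value>
            </MetaData>
          </InstallFrom>
          <!-- Installs into an existing first partition on disk 0; add a DiskConfiguration
               section here if the disk still has to be partitioned (Drive Options in the
               interactive install). -->
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
        </OSImage>
      </ImageInstall>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ComputerName>$ComputerName</ComputerName>
    </component>
    <!-- Remote administration from the first boot: allow RDP and open its firewall group. -->
    <component name="Microsoft-Windows-TerminalServices-LocalSessionManager" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <fDenyTSConnections>false</fDenyTSConnections>
    </component>
    <component name="Networking-MPSSVC-Svc" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <FirewallGroups>
        <FirewallGroup wcm:action="add" wcm:keyValue="RemoteDesktop">
          <Active>true</Active>
          <Group>Remote Desktop</Group>
          <Profile>all</Profile>
        </FirewallGroup>
      </FirewallGroups>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserAccounts>
        <AdministratorPassword>
          <Value>$AdminPass</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"@

# Setup expects UTF-8; write the file without a byte-order mark.
[System.IO.File]::WriteAllText($UnattendPath, $Unattend, (New-Object System.Text.UTF8Encoding $false))

# Step 6 of the procedure, run from Windows PE or the technician OS with the
# installation media mounted as E: (ASSUMED).
Start-Process -FilePath 'E:\setup.exe' -ArgumentList "/unattend:$UnattendPath" -Wait
```

Because the answer file sets the Administrator password and opens Remote Desktop, the host is reachable and has a known credential the moment Setup finishes; treat the file as you would any other secret, and make the password change part of the post-build checklist rather than an afterthought.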

Windows Server 2008 Command Line Tools

Windows Server 2008 lets you execute commands from a command-prompt window. This chapter of Windows Server 2008 Essentials gives an overview of the commands available at the command prompt.

Command Line Tools Summary

Command - Description

Arp - Display and modify the IP-to-physical-address translation tables used by the Address Resolution Protocol (ARP).
Assoc - Display and modify file extension associations.
Attrib - Display and change file attributes.
Break - Configure extended Ctrl-C checking.
Bcdedit - Display or modify the boot configuration data (BCD) store that controls boot loading.
Cacls - Display or modify access control lists of files.
Call - Call a script or script label as a procedure.
CD/Chdir - Display the name of, or change, the current directory.
Chcp - Display or set the active code page number.
Chkdsk - Check a disk for errors and display a report.
Chkntfs - Display the status of volumes; set or exclude volumes from automatic checking at system boot.
Choice - Create a selection list from which users can choose in batch scripts.
Cls - Clear the console window.
Cmd - Start a new instance of the Windows command shell.
Color - Set the colors of the command-shell window.
Comp - Compare the contents of two files or sets of files.
Compact - Display or modify the compression of files or sets of files.
Convert - Convert FAT volumes to NTFS.
Copy - Copy or combine files.
Date - Display or set the system date.
Del - Delete one or more files.
Dir - Display a list of files and subdirectories within a directory.
Diskcomp - Compare the contents of two floppy disks.
Diskcopy - Copy the contents of one floppy disk to another.
Diskpart - Invoke a text-mode command interpreter for managing disks, partitions and volumes with Diskpart's own commands.
Doskey - Edit command lines, recall Windows commands, and create macros.
Driverquery - Display the current device driver properties and status.
Echo - Display messages, or turn command echoing on or off.
Endlocal - End localization of environment changes in a batch file.
Erase - See Del.
Exit - Exit the command interpreter.
Expand - Uncompress files.
FC - Compare two files and display the differences between them.
Find/Findstr - Search for a text string in files.
For - Run a specified command for each file in a set of files.
Format - Format a floppy disk or hard drive.
Fsutil - File system utility: display and configure file system properties.
Ftp - Transfer files.
Ftype - Display or modify the file types used in file extension associations.
Goto - Direct the Windows command interpreter to a labeled line in a script.
Gpresult - Display Group Policy information for a machine or user.
Graftabl - Enable Windows to display extended character sets in graphics mode.
Help - Display Help information for Windows commands.
Hostname - Display the computer name.
Icacls - Display, modify, back up, and restore ACLs for files and directories.
If - Perform conditional processing in batch programs.
Ipconfig - Display the TCP/IP configuration.
Label - Create, change, or delete the volume label of a disk.
Md/Mkdir - Create a directory or subdirectory.
Mklink - Create symbolic and hard links.
Mode - Configure a system device.
More - Display output one screen at a time.
Mountvol - Manage a volume mount point.
Move - Move files from one directory to another on the same drive.
Openfiles - Display files opened by remote users on a file share.
Nbtstat - Display NetBIOS status.
Net Accounts - Manage user account and password policies.
Net Computer - Add or remove computers from a domain.
Net Config Server - Display or modify the configuration of the Server service.
Net Config Workstation - Display or modify the configuration of the Workstation service.
Net Continue - Resume a paused service.
Net File - Display or manage open files on a server.
Net Group - Display or manage global groups.
Net Localgroup - Display or manage local group accounts.
Net Pause - Suspend a service.
Net Print - Display or manage print jobs and shared queues.
Net Session - List or disconnect sessions.
Net Share - Display or manage shared printers and directories.
Net Start - List or start network services.
Net Statistics - Display workstation and server statistics.
Net Stop - Stop services.
Net Time - Display or synchronize network time.
Net Use - Display or manage remote connections.
Net User - Display or manage local user accounts.
Net View - Display network resources or computers.
Netsh - Invoke a separate command prompt for managing the configuration of network services on local and remote computers.
Netstat - Display the status of network connections.
Path - Display or set the search path for executable files in the current command window.
Pathping - Trace routes and provide packet-loss information.
Pause - Suspend processing of a script and wait for keyboard input.
Ping - Determine whether a network connection can be established.
Popd - Change to the directory stored by Pushd.
Print - Print a text file.
Prompt - Change the Windows command prompt.
Pushd - Save the current directory, then change to a new directory.
Rd/Rmdir - Remove a directory.
Recover - Recover readable information from a bad or defective disk.
Reg Add - Add a new subkey or entry to the Registry.
Reg Compare - Compare Registry subkeys or entries.
Reg Copy - Copy a Registry entry to a specified key path on a local or remote system.
Reg Delete - Delete a subkey or entries from the Registry.
Reg Query - List the entries under a key and the names of its subkeys (if any).
Reg Restore - Write saved subkeys and entries back to the Registry.
Reg Save - Save a copy of specified subkeys, entries, and values to a file.
Regsvr32 - Register and unregister DLLs.
Rem - Add comments to scripts.
Ren - Rename a file.
Replace - Replace a file.
Route - Manage network routing tables.
Set - Display or modify Windows environment variables; also evaluates numeric expressions at the command line.
Setlocal - Begin localization of environment changes in a batch file.
Sc - Display and configure background processes (services).
Schtasks - Schedule commands and programs to run on a system.
Sfc - Scan and verify protected operating system files.
Shift - Shift the position of replaceable parameters in scripts.
Shutdown - Shut down the system.
Sort - Sort input.
Start - Start a new command-shell window to run a specified program or command.
Subst - Map a path to a drive letter.
Systeminfo - Display machine properties and configuration.
Tasklist - Display currently running tasks and services.
Taskkill - Kill or stop a running process or application.
Time - Display or set the system time.
Title - Set the title of the command-shell window.
Tracert - Display the path between computers.
Tree - Graphically display the directory structure of a drive or path.
Type - Display the contents of a text file.
Ver - Display the Windows version.
Verify - Tell Windows whether to verify that files are written correctly to a disk.
Vol - Display a disk volume label and serial number.
Xcopy - Copy files and directories.
Wmic - Display WMI information.

PowerShell Tutorial CmdLets


In common with other scripting languages, in PowerShell has basic language elements like Variables, Arrays, Functions, Objects, Loops, IF statements, Switch statements, etc.

PowerShell CmdLets (Commands)


In PowerShell commands are known as CmdLets (pronounced Command Lets). Cmdlets follow the naming convention of Verb-Noun combination: E.g: Get-Help, Get-Service, Get-Process PowerShell cmdlets are not case sensitive and are the smallest unit of functionality in PS. You can use either the PowerShell Integrated Script Environment shown below (just typepowershell_ise into the search box in the Windows start menu to launch this) or the command line tool to execute Cmdlets.

In the PowerShell ISE. you enter the command at the prompt and the results of the cmdlet will be displayed in the middle panel of the tool. You can use the top panel in the tool to write scripts and also to execute single Cmdlets. The F5 key executes the entire script while F8 key executes only highlighted Cmdlets (Run Selection).

Cmdlets are simple to type, and you can use the Tab key to auto-complete a cmdlet name. For example, type Get-Pro and then press Tab. Cmdlets accept parameters, which are denoted with the - symbol:

For example, the -Name parameter instructs PowerShell to display only the winrm service's information. Parameters are also auto-completed with the Tab key, so you don't have to remember the entire parameter name.

Piping

Piping, or pipelining, is a method of combining two or more PowerShell cmdlets to do a single task. PowerShell is a fully object-oriented scripting language, so a cmdlet returns an object as its result. To combine PowerShell cmdlets you use the pipe symbol, |.

The Get-Service cmdlet returns all services on the local machine, whatever their state, as objects. The pipe (|) passes those objects to the next cmdlet (Where-Object), which does the filtering. The braces { } enclose the body of the Where-Object cmdlet, which specifies a condition: $_ is the current object, .Status is its Status property, and -eq is the comparison operator (equals). Operators in PowerShell are written as letter sequences such as -eq rather than as symbols as in other languages. The Where-Object cmdlet iterates through all the objects returned by the Get-Service cmdlet and keeps only those whose Status is Running. Executing the Get-Command cmdlet lists all the cmdlets available in PowerShell (as well as all the aliases, functions, etc.):

Executing Get-Help for a cmdlet provides details on how to use it, for example if you wanted to see the usage of the Add-Computer cmdlet.

The Get-Help cmdlet can even provide examples of cmdlets working:

Aliases
Each PowerShell cmdlet has an associated alias, which can be used instead of the cmdlet's full name. Execute Get-Alias for a full listing of all the aliases in PowerShell (the Definition column in the listing is the original cmdlet name).

If you find a cmdlet's full name cumbersome, you can use the short name (alias) instead, but note that this reduces the readability of the script. I prefer to use full names in scripts and aliases for ad-hoc queries.

Scripts
PowerShell scripts are text files with the extension .ps1. You can write PowerShell scripts using cmdlets and save them for future use. Commonly used tasks are good candidates for scripts. By default PowerShell prevents the execution of any script, because of PowerShell's execution policy. You can see the current execution policy using the Get-ExecutionPolicy cmdlet. There are four levels of execution policy:
1. Restricted: the default setting of PowerShell. No scripts can run.
2. AllSigned: scripts must carry a trusted digital signature.
3. RemoteSigned: scripts downloaded from the Internet must be signed; locally written scripts can run.
4. Unrestricted: any script can run.
You can change the execution policy using the Set-ExecutionPolicy cmdlet. PowerShell must be run as Administrator in order to set the execution policy.
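As an added example (not code from the original tutorial), the script below puts the pieces above together: a Get-Service pipeline filtered with Where-Object, a WMI query for the start mode that Get-Service does not expose, and a check of the execution policy. It assumes PowerShell 2.0 or later and read access to the local services.

```powershell
# Added example, not from the original tutorial. Assumes PowerShell 2.0 or later
# and read access to the local Service Control Manager and WMI.

# Get-Service emits one object per service; Where-Object keeps those whose
# Status property equals Running ($_ is the object currently in the pipeline).
function Get-RunningService {
    Get-Service |
        Where-Object { $_.Status -eq 'Running' } |
        Sort-Object -Property Name |
        Select-Object -Property Name, DisplayName, Status
}

# A service set to start automatically but not running is worth a look (a
# stopped backup or monitoring agent, for instance). Get-Service does not show
# the start mode, but the Win32_Service WMI class does.
function Get-AutoStartStoppedService {
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object -Property Name, StartMode, State, StartName
}

# $true when scripts that did not originate on this machine must be signed
# (AllSigned or RemoteSigned). Restricted blocks every script; Unrestricted
# runs anything. Changing the policy needs an elevated prompt.
function Test-ExecutionPolicyRequiresSignature {
    param([string]$Policy = (Get-ExecutionPolicy))
    return ($Policy -eq 'AllSigned' -or $Policy -eq 'RemoteSigned')
}

# Full cmdlet names are used throughout; the alias form of the first pipeline
# would be: gsv | ? { $_.Status -eq 'Running' }
Get-RunningService | Format-Table -AutoSize
Get-AutoStartStoppedService | Format-Table -AutoSize

if (-not (Test-ExecutionPolicyRequiresSignature)) {
    $message = 'Execution policy is {0}; consider Set-ExecutionPolicy RemoteSigned from an elevated prompt.' -f (Get-ExecutionPolicy)
    Write-Warning $message
}
```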

Adding New GPT and MBR Disks to Windows Server 2008 Systems
The purpose of this chapter is to provide an overview of the decisions and steps necessary to add new disk drives to a Windows Server 2008 system. Installing a new disk drive is not just about formatting the drive and creating volumes. With Windows Server 2008, decisions need to be made about the partitioning style, since both Master Boot Record (MBR) and GUID (Globally Unique Identifier) Partition Table (GPT) disks are supported in this version of Windows. Given this requirement, this chapter will also explain the difference between MBR and GPT disks. The concepts described in this chapter relate primarily to basic disks. Dynamic disks are covered in a later chapter.

Overview of MBR and GPT Partition Styles

Before a disk can be used to store data it must first have partitions created on it. These partitions are then formatted with a particular file system (FAT, FAT32 or NTFS) and used either as a basic disk or as a dynamic disk. Obviously, the operating system needs some mechanism for organizing and managing these disk partitions, and Windows Server 2008 provides two such partitioning styles, named Master Boot Record (MBR) and GUID Partition Table (GPT). The MBR style was originally developed for x86-based computer systems and is by far the most common style in use at present. GPT, on the other hand, was originally developed for 64-bit Itanium-based systems. With the arrival of Windows Server 2008, both x86 32-bit and 64-bit systems support MBR and GPT partition styles. It is important to note, however, that 32-bit systems can only boot from MBR based disks and 64-bit systems can only boot from GPT disks.

Understanding MBR Disks

With MBR the first sector of the disk is reserved to store a partition table and the master boot record. The remainder of the disk is divided into partitions, information about which is stored in the partition table. MBR supports volume sizes up to 4TB. MBR on a basic disk supports two partition types, primary and extended. A primary partition has a file system created directly on it and is then assigned either a drive letter or a mount point by which the user references it. An extended partition is divided into one or more logical drives, each of which is then formatted and assigned a drive letter or mount point. A basic disk with the MBR partition style can support either four primary partitions or three primary partitions and one extended partition (which in turn can support multiple logical volumes).

Understanding GPT Disks

GPT disks differ quite considerably from MBR disks. In terms of capability, GPT supports disks up to 18 Exabytes in size with up to 128 partitions. GPT also differs from MBR in terms of layout. At the start of a GPT disk is an MBR. The MBR in this case, however, is provided purely so that the disk will be recognized by disk utilities that do not recognize GPT disks. To an MBR disk utility, the disk will appear to be an MBR disk with a single partition taking up the entire disk space. Located immediately after the MBR is the primary GPT header. This header defines the blocks on the disk available for partitions and contains information about the number and respective sizes of any partitions on the disk. The GPT header also includes information about its own location on the disk drive and a pointer to a backup GPT header located in the final sectors of the drive. The backup GPT header is used in the event that the primary header becomes corrupted.
Finally, the GPT header contains a CRC32 checksum of itself (including the partition table) so that the system firmware can verify the integrity of the header information before accessing the data on the disk. If the checksum fails, the firmware switches to the backup GPT header. If the checksum on the backup GPT header also fails, the disk is unusable. In between the primary GPT header at the start of the disk and the backup GPT header in the final sectors of the disk are the primary partitions. In addition to any data, each partition on a GPT disk has a header containing information about the partition type, the start and end blocks of the partition and a unique partition GUID. There are a number of additional partitions often required on a GPT disk. These are the EFI System Partition (ESP) and the Microsoft Reserved Partition (MSR). The ESP must be present on the first disk in a system and is required to boot the operating system. The ESP is not mandatory on other disks. When the 64-bit version of Windows Server 2008 is installed, both the ESP and MSR are created by the setup process.
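As an added example (not code from the original chapter), the PowerShell script below builds a constructed 92-byte GPT header, computes the CRC32 that the firmware checks, and shows a single flipped byte failing that check, which is the condition that sends the firmware to the backup header. It assumes PowerShell 3.0 or later (for the -shr operator) and never touches a real disk.

```powershell
# Added example, not from the original chapter. The header is a constructed
# in-memory sample; reading sector 1 of \\.\PhysicalDriveN would need an
# elevated raw handle and is deliberately not done here.

# CRC-32 as specified by UEFI for GPT: reflected polynomial 0xEDB88320, initial
# value and final XOR 0xFFFFFFFF. [long] arithmetic sidesteps PowerShell's
# signed 32-bit hex literals; -shr needs PowerShell 3.0 or later.
$script:Crc32Table = New-Object 'long[]' 256
for ($i = 0; $i -lt 256; $i++) {
    [long]$c = $i
    for ($k = 0; $k -lt 8; $k++) {
        if ($c -band 1) { $c = 3988292384 -bxor ($c -shr 1) } else { $c = $c -shr 1 }
    }
    $script:Crc32Table[$i] = $c
}

function Get-Crc32 {
    param([byte[]]$Bytes)
    [long]$crc = 4294967295
    foreach ($b in $Bytes) {
        $crc = $script:Crc32Table[($crc -bxor $b) -band 255] -bxor ($crc -shr 8)
    }
    return ($crc -bxor 4294967295) -band 4294967295
}

function New-GptHeaderSample {
    # 92-byte primary header for a constructed 10 GB disk with 512-byte sectors:
    # header at LBA 1, partition array (128 entries) at LBA 2, backup header in
    # the last sector. Fields are little-endian, matching BitConverter on x86/x64.
    $h = New-Object 'byte[]' 92
    [System.Text.Encoding]::ASCII.GetBytes('EFI PART').CopyTo($h, 0)   # signature
    [BitConverter]::GetBytes([uint32]0x00010000).CopyTo($h, 8)         # revision 1.0
    [BitConverter]::GetBytes([uint32]92).CopyTo($h, 12)                # header size
    # bytes 16-19: header CRC32, zero while it is computed; 20-23: reserved
    [BitConverter]::GetBytes([uint64]1).CopyTo($h, 24)                 # current LBA
    [BitConverter]::GetBytes([uint64]20971519).CopyTo($h, 32)          # backup header LBA
    [BitConverter]::GetBytes([uint64]34).CopyTo($h, 40)                # first usable LBA
    [BitConverter]::GetBytes([uint64]20971486).CopyTo($h, 48)          # last usable LBA
    ([guid]'11111111-2222-3333-4444-555555555555').ToByteArray().CopyTo($h, 56)  # constructed disk GUID
    [BitConverter]::GetBytes([uint64]2).CopyTo($h, 72)                 # partition array LBA
    [BitConverter]::GetBytes([uint32]128).CopyTo($h, 80)               # number of entries
    [BitConverter]::GetBytes([uint32]128).CopyTo($h, 84)               # bytes per entry
    # bytes 88-91: CRC32 of the partition array, left zero (array not modelled)
    $crc = Get-Crc32 -Bytes $h
    [BitConverter]::GetBytes([uint32]$crc).CopyTo($h, 16)
    return ,$h
}

function Read-GptHeader {
    # Parses the fixed fields and recomputes the CRC exactly as firmware does:
    # over HeaderSize bytes with the CRC field itself treated as zero.
    param([byte[]]$Header)
    if ([System.Text.Encoding]::ASCII.GetString($Header, 0, 8) -ne 'EFI PART') {
        throw 'Not a GPT header: signature "EFI PART" missing'
    }
    $size = [BitConverter]::ToUInt32($Header, 12)
    if ($size -lt 92 -or $size -gt $Header.Length) { throw "Implausible header size $size" }
    $copy = [byte[]]$Header.Clone()
    for ($i = 16; $i -lt 20; $i++) { $copy[$i] = 0 }
    $stored   = [BitConverter]::ToUInt32($Header, 16)
    $computed = Get-Crc32 -Bytes ([byte[]]$copy[0..($size - 1)])
    New-Object PSObject -Property @{
        HeaderSize     = $size
        CurrentLba     = [BitConverter]::ToUInt64($Header, 24)
        BackupLba      = [BitConverter]::ToUInt64($Header, 32)
        FirstUsableLba = [BitConverter]::ToUInt64($Header, 40)
        LastUsableLba  = [BitConverter]::ToUInt64($Header, 48)
        DiskGuid       = New-Object guid -ArgumentList (,[byte[]]$Header[56..71])
        Partitions     = [BitConverter]::ToUInt32($Header, 80)
        StoredCrc      = $stored
        ComputedCrc    = $computed
        CrcValid       = ($stored -eq $computed)
    }
}

$primary = New-GptHeaderSample
$ok = Read-GptHeader -Header $primary
'Primary header: CRC valid = {0}, stored 0x{1:X8}, partitions {2}' -f $ok.CrcValid, $ok.StoredCrc, $ok.Partitions

# One flipped byte in LastUsableLba: the stored CRC no longer matches, so the
# firmware would discard this header and read the backup at BackupLba instead.
$damaged = [byte[]]$primary.Clone()
$damaged[48] = $damaged[48] -bxor 0xFF
$bad = Read-GptHeader -Header $damaged
'Damaged header: CRC valid = {0}; fall back to the backup header at LBA {1}' -f $bad.CrcValid, $bad.BackupLba
```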

One important point of note regarding GPT is that it is not supported on removable disks such as USB and FireWire connected storage devices or disks attached to storage clusters.

Initializing a New Disk

Once a new disk has been installed into a Windows Server 2008 system it must be initialized before any partitions can be created on it. This is performed using the Initialize Disk Wizard, which can be accessed from the Disk Management snap-in. This can be accessed either from the Server Manager or Computer Management tools. To launch the Server Manager, open the Start menu and click on the Server Manager option, or click on the Server Manager icon in the task bar. Alternatively, launch Computer Management from Start -> All Programs -> Administrative Tools -> Computer Management or run compmgmt.msc. With either the Server Manager or Computer Management tool running, select the Storage option from the left hand panel followed by Disk Management. The Disk Manager will subsequently appear. Ensure that the top pane is displaying the Disk List so that the new drive is visible. This is configured by selecting the View -> Top -> Disk List option from the top menu bar. Any uninitialized disks will be listed in the disk view as Offline and with a red down arrow on the disk drive icon in both the list and graphical views. In addition, the disk space will be indicated as unallocated in the graphical view. The following image shows a newly installed and uninitialized disk drive in the Disk Manager:

Before a new disk can be initialized it must first be brought online. To bring the disk online, right click on the disk icon in either the disk list or the graphical view and select Online from the popup menu. Once the disk is brought online the graphical view will categorize it as Not Initialized. To initialize the disk, right click once again on the disk icon and select Initialize Disk. In the resulting dialog, ensure that the correct disk is selected for initialization and then choose whether to initialize the disk using the MBR or GPT partition style. The Initialize Disk dialog is shown in the following figure, ready to initialize disk 1 using the MBR partition style:

Click on OK to initialize the disk. Once completed, the disk will be listed with the chosen partition style and the space marked as Unallocated in the graphical view. The next step is to create partitions on the disks or use them as dynamic disks. These topics are covered in subsequent chapters.

Converting Disks between MBR and GPT Partition Styles

Once a disk has been initialized as GPT or MBR, it is quite possible that one day the disk partition style will need to be changed. There is good news and bad news regarding converting the partition style in Windows Server 2008. The good news is that this can be achieved either using the Disk Management tool or from the command line using diskpart. The bad news is that conversions can only be performed on empty disks. This means that any pre-existing volumes on the disk must be backed up and deleted before performing the conversion. To perform a conversion from the Disk Management interface, right click on the icon for the empty drive in the graphical view. If the disk is currently using MBR, the menu will provide the option Convert to GPT Disk. Alternatively, if the disk is currently using the GPT partition style, the Convert to MBR Disk menu option will be presented. In either case, selecting the conversion option will immediately and silently change the partition style. To perform the same task using diskpart, begin by listing the available disks:
DISKPART> list disk

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online        30 GB      0 B
  Disk 1    Online        10 GB    10 GB

Select the desired disk (in this case disk 1):


DISKPART> select disk 1

Disk 1 is now the selected disk.

Finally, convert the disk using the convert command followed by mbr or gpt depending on whether the disk is being converted to MBR or GPT partition style respectively:
DISKPART> convert mbr

DiskPart successfully converted the selected disk to MBR format.

DISKPART> convert gpt

DiskPart successfully converted the selected disk to GPT format.

Type exit to close the diskpart session.

Configuring Disk Mirroring (RAID 1) on Windows Server 2008


It is assumed in this chapter that the reader has a basic understanding of the difference between basic and dynamic disks within the context of Windows Server 2008. For information on this subject the chapter entitled Creating and Managing Simple and Spanned Volumes on Windows Server 2008 is recommended. Note that the focus of this chapter is the mirroring of data disks. For details of mirroring system disks refer to Mirroring Windows Server 2008 System Disks.

An Overview of Disk Mirroring (RAID 1)

Disk mirroring consists of two identical volumes on two different physical disk drives. Any data written to the mirrored volume is, in fact, written to both disk drives, so that if one disk drive fails the data is still available on the other disk. Unlike striping, which increases I/O performance, mirroring actually reduces performance, for the simple reason that all data write transactions have to be performed twice, once on each drive in the mirrored set.

Creating a Mirrored (RAID 1) Set using Disk Management

The remainder of this chapter assumes that the disks in question have been converted from basic disks to dynamic disks. For details on performing this task refer to the initial sections of the Creating and Managing Simple and Spanned Volumes on Windows Server 2008 chapter of this book. In this section a mirrored set will be created using two similarly sized disk drives connected to a Windows Server 2008 system. Begin the process by invoking the Disk Management snap-in. This can be achieved by typing compmgmt.msc at a command prompt window or Run dialog and selecting Storage -> Disk Management. The system used in this example contains three disks numbered 0, 1 and 2 respectively. Disk 0 is the system disk, and disks 1 and 2 will be used to create a mirrored set. Within the Disk Management tool, right click on the unallocated space in the graphical view of the first disk to be used in the mirror set and select New Mirrored Volume... to invoke the New Mirrored Volume wizard. Click Next on the welcome screen to proceed to the disk selection screen. As mentioned previously, a mirrored set must be comprised of two disk drives. Initially, the wizard only lists the currently selected disk in the Selected column. In order to proceed, one more disk is required. To add a disk to the mirrored set, select a suitable disk from the available disks in the left hand column and click on Add to add it to the selected disks list:

With the necessary disks selected, click Next to proceed and assign a drive letter or mount point for the volume. The Next button will then proceed to the Format Volume screen where the file system type and compression options may be selected. To view the summary screen, press the Next button. Assuming the summary is acceptable, the Finish button will format the volumes and create the mirrored volume ready for use.

Creating a Mirrored (RAID 1) Volume from the Command Prompt

Windows Server 2008 mirrored (RAID 1) volumes may also be created from the command prompt using the diskpart tool. This may be launched either from a command prompt window or from the Run dialog simply by entering diskpart at the prompt. Once invoked, the DISKPART> prompt will be displayed, ready to receive commands. The first step in creating a mirrored set using diskpart is to identify the disks to be used. This can be achieved using the list disk command:
DISKPART> list disk

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online        30 GB      0 B
  Disk 1    Online         8 GB  8189 MB
  Disk 2    Online         8 GB  8189 MB

For the purposes of this tutorial we will be creating a mirrored volume based on a set consisting of disks 1 and 2. The mirrored volume is created by first creating a simple volume on the first disk and then adding the second disk to the mirrored set. The first volume is created using the create volume command combined with the disk= directive. The size of the volume may also be specified using the size= directive. Omission of the size= option will cause diskpart to create a volume that occupies all the available space on the designated disk. For example:
DISKPART> create volume simple disk=1

Having created the first volume on disk 1 the next step is to add the mirror volume on disk 2. This is achieved using the add command as follows:
DISKPART> add disk=2

The list volume command may be used to verify the new configuration:
DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     D                       DVD-ROM         0 B  No Media
  Volume 1     C                NTFS   Partition     30 GB  Healthy    System
* Volume 2                      RAW    Mirror      8189 MB  Healthy

As shown above the new volume is listed as volume 2 and shown as Mirror. The volume is also listed as RAW because it has not yet been formatted with a file system. This, too, can be achieved within the diskpart tool:
DISKPART> select volume 2

DISKPART> format fs=ntfs label="Mirrored Volume"

  100 percent completed

DiskPart successfully formatted the volume.

Once formatted, the last task is to assign either a drive letter or a mount point to the volume, by which it will be accessed. To assign a drive letter:
DISKPART> assign letter=E:

DiskPart successfully assigned the drive letter or mount point.

To assign a mount point:


DISKPART> assign mount=\bigvol

DiskPart successfully assigned the drive letter or mount point.
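The following is an added example (not from the original chapter) that drives diskpart from PowerShell with a script file, which is how both the MBR/GPT conversion described earlier and the mirrored-volume sequence just shown are normally automated. It assumes an elevated PowerShell session, diskpart.exe on the path, and that "detail disk" prints "There are no volumes." for a disk that carries no volumes (the string the empty-disk check keys on).

```powershell
# Added example, not from the original chapter. Assumptions: elevated session,
# diskpart.exe on the path, and "detail disk" printing "There are no volumes."
# for a disk that carries no volumes (the string the empty-disk check uses).

function Invoke-DiskPartScript {
    # Writes the commands to a temporary script, runs diskpart /s against it and
    # returns the console output. diskpart stops at the first failing command
    # and returns a non-zero exit code, which is turned into an exception here.
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $scriptFile = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $scriptFile -Value $Lines -Encoding ASCII
        $output = & diskpart.exe /s $scriptFile 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw ('diskpart failed (exit code {0}):{1}{2}' -f $LASTEXITCODE, [Environment]::NewLine, ($output -join [Environment]::NewLine))
        }
        return $output
    } finally {
        Remove-Item -Path $scriptFile -ErrorAction SilentlyContinue
    }
}

function Test-DiskIsEmpty {
    # A partition-style conversion only works on a disk without volumes, so the
    # check is made up front rather than discovered from diskpart's error.
    param([Parameter(Mandatory = $true)][int]$DiskNumber)
    $out = Invoke-DiskPartScript -Lines @("select disk $DiskNumber", 'detail disk')
    return [bool]($out | Where-Object { "$_" -match 'There are no volumes' })
}

function Convert-DiskPartitionStyle {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][int]$DiskNumber,
        [Parameter(Mandatory = $true)][ValidateSet('mbr', 'gpt')][string]$Style
    )
    if (-not (Test-DiskIsEmpty -DiskNumber $DiskNumber)) {
        throw "Disk $DiskNumber still has volumes; back them up and delete them before converting."
    }
    if ($PSCmdlet.ShouldProcess("disk $DiskNumber", "convert to $Style")) {
        Invoke-DiskPartScript -Lines @("select disk $DiskNumber", "convert $Style")
    }
}

function New-MirroredVolume {
    # The interactive sequence above as one script: both disks become dynamic
    # (noerr keeps going if a disk already is), a simple volume is created on the
    # first disk and is then the volume in focus, the second disk is added as its
    # mirror, and the volume is formatted and assigned a drive letter.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][int]$FirstDisk,
        [Parameter(Mandatory = $true)][int]$SecondDisk,
        [Parameter(Mandatory = $true)][ValidatePattern('^[D-Z]$')][string]$DriveLetter,
        [string]$Label = 'Mirrored Volume'
    )
    $lines = @(
        "select disk $FirstDisk",  'convert dynamic noerr',
        "select disk $SecondDisk", 'convert dynamic noerr',
        "create volume simple disk=$FirstDisk",
        "add disk=$SecondDisk",
        "format fs=ntfs label=`"$Label`" quick",
        "assign letter=$DriveLetter"
    )
    if ($PSCmdlet.ShouldProcess("disks $FirstDisk and $SecondDisk", 'create mirrored volume')) {
        Invoke-DiskPartScript -Lines $lines
    }
}

# Usage; -WhatIf reports the intended action without touching any disk:
# Convert-DiskPartitionStyle -DiskNumber 1 -Style gpt -WhatIf
# New-MirroredVolume -FirstDisk 1 -SecondDisk 2 -DriveLetter E
```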

Once assigned a drive letter or mount point, the new mirrored volume is ready for use.

Adding a Mirror to an Existing Volume

A mirror may be added to an existing volume using either the Disk Management snap-in or the diskpart tool from the command prompt. When a mirror is added to an existing volume, Windows creates a second volume of equal size and file system type on a second disk of your choice and copies the data on the existing volume to the mirror (a process also known as resynching). To add a mirror to an existing volume using Disk Management, right click on the existing volume in the graphical view and select Add Mirror to invoke the Add Mirror dialog shown below:

The above dialog lists the disks eligible to act as a mirror for the existing volume. Select the desired disk and click on Next. A warning dialog may appear notifying you of any additional changes that may be made as a result of the addition (such as converting basic disks to dynamic disks). Click Yes to proceed. The resynching process will now begin, and its progress will be displayed in the graphical view. To add a mirror to an existing volume from the command prompt, start diskpart and identify the existing volume using the list volume command:
DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     D                       DVD-ROM         0 B  No Media
  Volume 1     C                NTFS   Partition     30 GB  Healthy    System
  Volume 2     E   My Volume    NTFS   Partition   8189 MB  Healthy

The volume to be mirrored in this example is Volume 2. Having identified the volume, a disk to contain the mirror needs to be found using the list disk command:
DISKPART> list disk

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online        30 GB      0 B
* Disk 1    Online         8 GB      0 B
  Disk 2    Online         8 GB  8189 MB

From the above information it is clear that Volume 2 is 8189 MB in size. In order to mirror this volume, a disk with at least 8189 MB free is required. Clearly, disk 2 meets this requirement. Therefore, all that needs to be done is to add disk 2 as the mirror disk for our volume using the add disk command. Note that if the disks are not dynamic disks they will need to be converted with the convert dynamic command:
DISKPART> select disk 1
DISKPART> convert dynamic
DISKPART> select disk 2
DISKPART> convert dynamic

The next step is to select the existing volume on disk 1:


DISKPART> select disk 1
DISKPART> select volume 2

Volume 2 is the selected volume.

Finally, the mirrored set can be created using the add command, passing the number of the disk to be used as the mirror with the disk= option (in this case disk 2):
DISKPART> add disk=2

DiskPart succeeded in adding a mirror to the volume.

At this point Windows Server 2008 will begin the resynching process which, depending on the size of the volume being mirrored, may take some time. This is reported by the list volume command, which lists the volume as being of type Mirror with a status of Rebuild. Once the resynching process is complete the status will be displayed as Healthy.

Breaking and Removing Mirrored Sets

A Windows Server 2008 mirror may be broken (which creates two separate and independent volumes containing identical data) or removed (which removes the data on the mirror, leaving free space on the designated mirror disk). To break a mirror from the Disk Management snap-in, right click on one of the volumes in the set in the graphical view and select Break Mirrored Volume from the pop-up menu. To break a mirror set from the command line, use the break command, specifying one of the two disks in the mirrored set:
DISKPART> break disk=2

To remove a mirror from a mirrored set, removing all mirrored data and leaving free space on the disk, right click on the mirror volume to be removed in the Disk Management graphical view and select Remove Mirror. Alternatively, use the diskpart break command with the NOKEEP option:
DISKPART> break nokeep disk=2

Recovering a Mirrored Set

If one of the disks in a mirrored set fails, the good news is that, unlike striped volumes, all the data is still present on the remaining healthy disk (this, after all, is the whole point of disk mirroring). In this situation, however, it is important to replace the faulty disk and rebuild the mirror before the healthy drive also fails. To achieve this, right click on the failed volume and select Remove Mirror. Next, identify a suitable alternate or newly installed drive with sufficient space to act as a mirror. Right click on the existing, healthy volume from the original mirrored set, select Add Mirror from the resulting menu, select the new disk in the Add Mirror dialog and click on Add Mirror. Windows will now rebuild the mirror using space on the new disk. As noted above, this process can take some time depending on the size of the volume in question.

Windows Server 2008 Core: how to set a static IP address via the command line

This topic shows how to set the static IP address 192.168.2.30 with mask 255.255.255.0 on a Windows Server 2008 Core interface named "Local Area Connection". We will also set the DNS server IP 192.168.1.70.

To set the static IP address and mask, type:

netsh interface ipv4 set address name="Local Area Connection" source=static address=192.168.2.30 mask=255.255.255.0

To set the DNS server IP, type:

netsh interface ipv4 add dnsserver name="Local Area Connection" address=192.168.1.70

Taking Systemstate backup in Windows Server 2008


Ntbackup is deprecated in Windows Server 2008 (code name "Longhorn") and is replaced by Windows Server Backup. To back up the System State in Windows Server 2008, you have to use the command-line tool WBADMIN. Before using the command, install the Windows Server Backup feature on the server.

The WBADMIN command will not allow you to store a system state backup on a critical volume (the OS volume). The exact command is:

C:\>WBADMIN START SYSTEMSTATEBACKUP -backuptarget:E:

Press "Y" when prompted to start the backup.

New features in AD DS in Windows Server 2008

In Windows Server 2008, organizations can use Active Directory Domain Services (AD DS) to manage users and resources, such as computers, printers, or applications, on a network. AD DS includes many new features that are not available in previous versions of Windows Server Active Directory. These new features make it possible for organizations to deploy AD DS more simply and securely and to administer it more efficiently. This topic provides an overview of the improvements in AD DS. For details about the improvements, see the following topics that describe the new features in Windows Server 2008 AD DS:
AD DS: Auditing
AD DS: Fine-Grained Password Policies
AD DS: Read-Only Domain Controllers
AD DS: Restartable Active Directory Domain Services
AD DS: Database Mounting Tool (Snapshot Viewer or Snapshot Browser)
AD DS: User Interface Improvements
AD DS: Owner Rights

AD DS: Auditing

The global audit policy Audit directory service access controls whether auditing for directory service events is enabled or disabled. This security setting determines whether events are logged in the Security log when certain operations are carried out on objects in the directory. You can control which operations to audit by modifying the system access control list (SACL) on an object. In Windows Server 2008, this global audit policy is not enabled by default. Although the subcategory Directory Service Access is enabled for success events by default, the other subcategories are not enabled by default. If you define this policy setting (by modifying the default Domain Controllers Policy), you can specify whether to audit successes, audit failures, or not audit at all. Success audits generate an audit entry when a user successfully accesses an AD DS object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an AD DS object that has a SACL specified. You can set a SACL on an AD DS object on the Security tab in that object's properties dialog box. Audit directory service access is applied in the same manner as Audit object access; however, it applies only to AD DS objects and not to file system objects and registry objects.

AD DS: Fine-Grained Password Policies

You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

AD DS: Read-Only Domain Controllers

Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller. However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications.

In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller. An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest. You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example in an extranet or application-facing role.

AD DS: Restartable Active Directory Domain Services

Restartable AD DS reduces the time that is required to perform certain operations. AD DS can be stopped so that updates can be applied to a domain controller. Also, administrators can stop AD DS to perform tasks, such as offline defragmentation of the Active Directory database, without restarting the domain controller. Other services that are running on the server and that do not depend on AD DS to function, such as Dynamic Host Configuration Protocol (DHCP), remain available to satisfy client requests while AD DS is stopped.

AD DS: Database Mounting Tool

Although the Active Directory database mounting tool does not recover deleted objects by itself, it helps streamline the process for recovering objects that have been accidentally deleted. Before the Windows Server 2008 operating system, when objects or organizational units (OUs) were accidentally deleted, the only way to determine exactly which objects were deleted was to restore data from backups. This approach had two drawbacks:

1. Active Directory had to be restarted in Directory Services Restore Mode to perform an authoritative restore.
2. An administrator could not compare data in backups that were taken at different points in time (unless the backups were restored to various domain controllers, a process which is not feasible).

The purpose of the Active Directory database mounting tool is to expose AD DS data that is stored in snapshots or backups online. Administrators can then compare data in snapshots or backups that are taken at different points in time, which in turn helps them to make better decisions about which data to restore, without incurring service downtime.

AD DS: User Interface Improvements

AD DS user interface (UI) improvements provide new installation options for domain controllers. Furthermore, the updated Active Directory Domain Services Installation Wizard streamlines and simplifies AD DS installation. AD DS UI improvements also provide new management options for AD DS features such as read-only domain controllers (RODCs). Additional changes to the management tools improve the ability to find domain controllers throughout the enterprise. They also provide important controls for new features such as the Password Replication Policy for RODCs.

AD DS: Owner Rights

Owner Rights is a well-known security principal that you can add to the DACL of an object to specify the permissions that are assigned to owners of objects in the directory service. This added security feature overrides the default behavior of owners of objects in the system. Because owners of objects (as specified in the security descriptor of the object) have WRITE_DAC permission, they can give rights to themselves and to other security principals as they see fit. The Owner Rights security principal is specified using the well-known security identifier (SID) S-1-3-4. For example, if the Owner Rights security principal is located in the fabrikam.com domain, its distinguished name (also known as DN) can be expressed this way: CN=Owner Rights,CN=WellKnown Security Principals,CN=Configuration,DC=fabrikam,DC=com. By default, Owner Rights are not defined on objects. This means that the pre-Windows Server 2008 behavior of owners having WRITE_DAC permission on the objects that they own still applies. When you add the Owner Rights security principal to objects, you can specify what permissions are given to the owner of an object. For example, you can specify in the access control entry (ACE) of an object that the owner of a particular object is given Read permissions, or you can specify NULL permissions on an object, which grants the owner of the object no permissions.
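As an added example (not code from the original article), the script below applies the Auditing and Owner Rights features described above: it enables the Directory Service Access subcategory with auditpol, places an audit entry (SACL) on an OU, and adds an Owner Rights ACE that limits an object's owner to Read. It assumes a Windows Server 2008 domain controller, a Domain Admin session (writing a SACL needs the "Manage auditing and security log" privilege), and uses the article's fabrikam.com domain as a placeholder.

```powershell
# Added example, not from the original article. Assumptions: run on a Windows
# Server 2008 domain controller as a Domain Admin; the fabrikam.com names are
# placeholders. The .NET DirectoryEntry security members are reached through
# psbase so the calls work on every PowerShell version.
Add-Type -AssemblyName System.DirectoryServices

function Enable-DirectoryServiceAuditing {
    # The global policy must be on before any SACL produces events. This sets the
    # Directory Service Access subcategory for both success and failure.
    & auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
}

function Get-DsEntry {
    param([string]$DistinguishedName)
    return ([ADSI]"LDAP://$DistinguishedName").psbase
}

function Add-DsAuditRule {
    # Puts a SACL entry on the object: successful and failed attempts by anyone
    # (S-1-1-0) to modify, delete or create children are logged to the Security
    # log (event ID 4662 on Windows Server 2008).
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights =
            [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, Delete, CreateChild, DeleteChild'
    )
    $entry = Get-DsEntry -DistinguishedName $DistinguishedName
    # Read and write only the SACL part of the security descriptor.
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    $ctorArgs = @(
        (New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'),
        $Rights,
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $ctorArgs
    $entry.ObjectSecurity.AddAuditRule($rule)
    $entry.CommitChanges()
}

function Get-DsAuditRule {
    # Lists the explicit and inherited audit entries on an object for review.
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $entry = Get-DsEntry -DistinguishedName $DistinguishedName
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    $entry.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Select-Object -Property IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType
}

function Set-OwnerRightsReadOnly {
    # Adds an ACE for the Owner Rights principal S-1-3-4. Once any Owner Rights
    # ACE exists, the owner no longer gets the implicit WRITE_DAC and holds
    # exactly what the ACE grants, here GenericRead.
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $entry = Get-DsEntry -DistinguishedName $DistinguishedName
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    $ctorArgs = @(
        (New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'),
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()
}

# Usage (placeholder DNs in the article's fabrikam.com domain):
# Enable-DirectoryServiceAuditing
# Add-DsAuditRule -DistinguishedName 'OU=Privileged Accounts,DC=fabrikam,DC=com'
# Get-DsAuditRule -DistinguishedName 'OU=Privileged Accounts,DC=fabrikam,DC=com' | Format-Table -AutoSize
# Set-OwnerRightsReadOnly -DistinguishedName 'CN=svc-app,OU=Privileged Accounts,DC=fabrikam,DC=com'
```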

Windows Server 2008 R2 new features


PowerShell Cmdlets: They replace the current Active Directory command-line tools. There are about 85 Active Directory-related PowerShell cmdlets.

Active Directory Administrative Center: The Active Directory Administrative Center is a new task-oriented user interface for Active Directory Domain Services. You can perform similar tasks as with the Active Directory Users and Computers console (ADUC). It is based on the new PowerShell cmdlets and displays the PowerShell commands that correspond to the tasks performed with the GUI.

Recycle Bin: Accidentally deleted Active Directory objects can be restored from the Recycle Bin. (Requires R2 functional level.)

Offline Domain Join: Admins can automate the joining of a Windows 7 machine to a domain during deployment with an XML file. The target computer can be offline during the deployment process. The tool used to join the domain is djoin.exe.

Managed Service Accounts.

Authentication Assurance: Provides an authentication mechanism that allows administrators to map specific certificates to security groups using certificate policies. Users logged on with a smart card, USB token, or some other type of certificate logon method can be distinguished in this way. This feature can be used to grant external users access to corporate resources using Active Directory Federation Services. (Requires R2 functional level.)

With Windows Server 2008, Microsoft introduced the most important changes regarding administration: the role model and the new Server Manager were the main changes. In Windows Server 2008 R2, componentization is a bit more fine-grained and Server Manager supports remote administration. Other highlights are the new power management features, PowerShell support for Server Core, and DHCP Failover.

Management tools:
1. Server Manager now supports remote administration of servers.
2. Better integration of management consoles in Server Manager.
3. Active Directory Administrative Center and IIS have a task-driven user interface and their administrative capabilities are based on PowerShell cmdlets.
4. Hyper-V's user interface is also based on PowerShell cmdlets, has updated VM performance and management capabilities, and tighter integration with Virtual Machine Manager.
5. Best Practices Analyzer (BPA): Each server role has a BPA to help administrators configure it properly.

PowerShell 2.0: Windows Server 2008 R2 will be delivered with PowerShell 2.0. I believe the main features are:
1. PowerShell remoting: Run scripts against remote computers.
2. Constrained Runspaces: Restrict execution of commands, scripts, and language elements.
3. Graphical PowerShell: GUI for creating and debugging PowerShell scripts.
4. Server Core supports .NET and PowerShell.

IP Configuration:
1. DHCP Failover: Allows you to work with a primary and a secondary DHCP server. If the primary DHCP server fails, the secondary will take over. Windows Server 2008 R2 supports the DHCP Failover Protocol, which is an Internet Engineering Task Force (IETF) draft.
2. WINS Failover: Works similarly to the DHCP failover.
3. DNS Security Extensions (DNSSEC): DNS servers and DNS clients can verify the authenticity of a DNS record using public key cryptography. This method can prevent the interception of DNS queries.

Power management:
1. Core Parking: Suspends inactive processor cores and activates them again when necessary.
2. ACPI P-States: Allows you to configure the performance states (ACPI specification) of individual processors via Group Policy. Lower performance means lower power consumption. Intel calls this feature SpeedStep and AMD PowerNow! or Cool'n'Quiet.
3. Boot from SAN: Windows Server 2008 R2 supports the ability to boot from a SAN (Storage Area Network). Thus, the server doesn't require a local hard disk, which reduces the overall number of disks in the data center, thereby lowering power consumption. SANs require less power than local hard disks with the same storage capacity.

Installing the SQL Failover Cluster in Windows Server 2008


Installing the Cluster Feature

To install and configure failover clustering, complete the following steps:

1. Right-click on My Computer and select Manage.

2. In the Server Manager window, select Features from the list and click on Add Features.

3. In the Add Features Wizard window, select the following features:
   - Failover Clustering
   - Multipath I/O (if you are planning to use MPIO)

4. Click Next. Confirm your selected features and click Install to continue. Confirm that the installation succeeded and click Close.

Installation is in progress.

Installation completed click Close.

5. Validate the cluster configuration using the Failover Cluster Management tool.

a. Ensure that all servers in your cluster are powered on and connected to the shared storage.

b. Click Start > Programs > Administrative Tools > Failover Cluster Management to run the Failover Cluster Management tool.

c. Right-click on Failover Cluster Management and select Validate a Configuration to run the validation wizard.

d. When prompted to select the servers you want to add, type in the system host name for each of the cluster nodes, then click the Add button. When finished adding all nodes, click Next to continue.

e. In the next screen, select which test to run for validation (selecting Run all tests is recommended, especially for the first validation attempt). Then click Next.

f. After prompting you to confirm the tests you selected, the wizard runs the tests, and a Summary Report screen should display the results and indicate that all tests were completed successfully. All tests must pass with either a green check mark or in some cases a yellow triangle (warning).

Validation is in Process

Validation Result

g. When looking for problem areas (red X or yellow ! marks) in the part of the report that summarizes the test results, click an individual test to review the details. Also review the summary statement for information about whether the cluster is considered a supported configuration.

Active Directory Permission

Before creating the failover cluster, delegate the object creation permissions to the user account that is going to be used for cluster creation. Follow these steps to do it.

Log on to the domain controller and open Active Directory Users and Computers.

Right-click the sore.com domain and select Delegate Control. Click Next on the Welcome to the Delegation of Control Wizard page.

In the next window, add the respective users with the Add button and click Next.

In the window that appears, select Create a custom task to delegate and click Next.

In the Delegate control of window, choose Only the following objects in the folder and check Create selected objects in this folder.

In the Permissions window, check all permissions and grant Full Control. Click Next.

In the final window, click Finish to complete the delegation.

6. Creating the Cluster.

a. Right-click on the Failover Cluster Management tool and select Create a Cluster.

Create Cluster Wizard appears, with some useful information regarding clustering. After reading, hit Next.

This is where you will enter the servers that will participate in your cluster. Just enter the name and hit Add for each one of them. I already did it for my two servers (Node1 & Node2).

b. Enter a Cluster Name - in our scenario cluster name is PaymentCluster. Only select the public network (with a check mark), and then assign a unique IP address for the cluster (100.101.102.111). Finally, click Next to create the cluster.

c. After the cluster is created, make sure that the Public and Private networks are available, and that all shared storage disks are visible in the Failover Cluster Management tool.

Cluster is created.

Configuring the Quorum in a Failover Cluster

In our scenario we are using a two-node cluster, so we have chosen Node and Disk Majority as the quorum mode.

Right-click on the cluster name, go to More Actions... and click Configure Cluster Quorum Settings...

The Before You Begin window will open. Click Next.

In the next window, select Node and Disk Majority as the quorum mode and click Next.

Choose Cluster Disk 2 as the quorum disk and click Next.

In the Confirmation window, verify the settings and click Next.

The summary screen will appear; click Finish.

Quorum settings report.
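The validation, cluster creation and quorum steps above can also be scripted with the FailoverClusters PowerShell module that ships with Windows Server 2008 R2. This is an added example, not part of the original guide; the node names, cluster name, IP address and quorum disk label are the ones from the scenario above.

```powershell
# Added example (not from the original guide): the Failover Cluster Management
# wizard steps above, done with the FailoverClusters module (Windows Server 2008 R2).
# Node names, cluster name, IP and disk label come from the guide's scenario.
Import-Module FailoverClusters

$nodes     = 'Node1', 'Node2'
$cluster   = 'PaymentCluster'
$clusterIP = '100.101.102.111'
$quorumDisk = 'Cluster Disk 2'

# Step 5: validate the configuration (equivalent of "Run all tests" in the wizard).
# Test-Cluster writes an HTML report and prints its path. The wizard's rule applies:
# every test must pass (green) or at worst warn (yellow) before the cluster is supported.
Test-Cluster -Node $nodes

# Step 6: create the cluster with the static address on the public network.
# This needs the AD object-creation permission delegated in the
# "Active Directory Permission" section above.
New-Cluster -Name $cluster -Node $nodes -StaticAddress $clusterIP

# Quorum: two nodes, so Node and Disk Majority with the witness on Cluster Disk 2.
Set-ClusterQuorum -Cluster $cluster -NodeAndDiskMajority $quorumDisk

# Post-checks matching step 6c: networks should be Up and shared disks Online
# before the SQL Server cluster installation starts.
Get-ClusterNetwork -Cluster $cluster | Select-Object Name, State, Role
Get-ClusterResource -Cluster $cluster |
    Where-Object { $_.ResourceType.Name -eq 'Physical Disk' } |
    Select-Object Name, State, OwnerGroup
Get-ClusterQuorum -Cluster $cluster
```

Run it once from an account that holds the delegated permission; New-Cluster creates the cluster computer object in Active Directory as part of the same step.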

SQL Server Installation on Node1

The Installation Wizard starts the SQL Server Installation Center. To create a new cluster installation of SQL Server 2008, click New SQL Server failover cluster installation on the Installation page.

The System Configuration Checker runs a discovery operation on your computer. To continue, click OK.

The system configuration check completed with no errors.

System Configuration Report.

On the Product key page, indicate whether you are installing a free edition of SQL Server, or whether you have a PID key for a production version of the product. Select the appropriate edition for installation.

On the License Terms page, select the check box to accept the license terms and conditions. Click Next to continue. To end Setup, click Cancel.

On the Setup Support Files page, click Install to install the setup support files.

The System Configuration Checker verifies the system state of your computer before Setup continues. After the check is complete, click Next to continue.

Correct any issues that are reported on the rules list. Errors block Setup, but warnings do not. It is a best practice to address all warnings and errors.

On the Feature Selection page, select the components for your installation.

In the component selection window Select All. The default installation path is C:\Program Files\Microsoft SQL Server\.

On the Instance Configuration page, specify whether to install a default or a named instance.

SQL Server Network Name: Specify a network name for the new SQL Server failover cluster. This is the name that is used to identify your failover cluster on the network. In our scenario PAYSQLSRV is the SQL Server network name.

Instance ID: We have set the instance name to PAYMENT. The instance name is used as the Instance ID. This is used to identify installation directories and registry keys for your instance of SQL Server.

Instance root directory: By default, the instance root directory is C:\Program Files\Microsoft SQL Server\. To specify a nondefault root directory, use the field provided, or click the ellipsis button to locate an installation folder.

Detected SQL Server instances and features on this computer: The grid shows instances of SQL Server that are on the computer where Setup is running. If a default instance is already installed on the computer, you must install a named instance of SQL Server 2008.

Click Next to continue.

The Disk Space Requirements page calculates the required disk space for the features that you specify, and it compares requirements to the available disk space on the computer where Setup is running.

Use the Cluster Resource Group page to specify the cluster resource group name where SQL Server virtual server resources will be located. To specify the SQL Server cluster resource group name, you have two options:

- Use the drop-down box to specify an existing group to use.
- Type the name of a new group to create.

On the Cluster Disk Selection page, select the shared cluster disk resource for your SQL Server failover cluster.

The cluster disk is where the SQL Server data will be stored. More than one disk can be specified. The Available shared disks box displays a list of available disks, whether each is qualified as a shared disk, and a description of each disk resource. Click Next to continue. In our scenario we have assigned the F: drive (Cluster Disk 4) to store the database data. Note: The first drive is used as the default drive for all databases, but it can be changed on the Database Engine or Analysis Services configuration pages.

On the Cluster Network Configuration page, specify the network resources for your failover cluster instance:

Network Settings: Specify the IP type and IP address for your failover cluster instance. We have set 100.101.102.122 as the IP address for the failover cluster instance. Click Next to continue.

Use the following page to specify the security policy for the cluster.

The following screenshot displays the cluster security policies available for Windows Server 2008. In Windows Server 2008 and later versions, service SIDs (service security identifiers) are the recommended and default setting. The option to specify domain groups is available but not recommended.

Click Next to continue.

On the Service Accounts tab, specify login accounts for SQL Server services. The actual services that are configured on this page depend on the features that you are installing. We chose Use the same account for all SQL Server services and selected a domain admin account.

You can assign the same login account to all SQL Server services, or you can configure each service account individually. The startup type is set to Manual for all cluster-aware services, including full-text search and SQL Server Agent, and cannot be changed during installation. Microsoft recommends that you configure service accounts individually to provide least privilege for each service, so that each SQL Server service is granted only the minimum permissions it needs to complete its tasks. To specify the same login account for all service accounts in this instance of SQL Server, provide credentials in the fields at the bottom of the page.

When you are finished specifying login information for SQL Server services, click Next.
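To check a node against the least-privilege recommendation above after Setup has finished, the following added example (not part of the original guide) lists the SQL Server services and the accounts they run as. The service-name patterns and the "Domain Admins" lookup are assumptions of the example; the lookup needs the ActiveDirectory module (RSAT) and compares against the NetBIOS domain of the account running the script.

```powershell
# Added example, not from the original guide: audit SQL Server service logon accounts
# on a node against the least-privilege recommendation from the Service Accounts page.
param([string]$ComputerName = $env:COMPUTERNAME)

# Service name patterns (assumption): Database Engine, Agent, Analysis Services,
# Reporting Services and Full-Text Search as installed by SQL Server 2008.
$filter = "Name LIKE 'MSSQL%' OR Name LIKE 'SQLAgent%' OR Name LIKE 'MSOLAP%' " +
          "OR Name LIKE 'ReportServer%' OR Name LIKE 'msftesql%'"
$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter

# Built-in identities with full local privilege; no SQL Server service needs them.
$builtInHigh = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

# Resolve Domain Admins membership once (optional; needs the ActiveDirectory module).
$domainAdmins = @()
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainAdmins = Get-ADGroupMember 'Domain Admins' -Recursive |
        ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" }
} catch {
    Write-Warning 'ActiveDirectory module not available; skipping the Domain Admins check.'
}

$findings = foreach ($svc in $services) {
    $account = $svc.StartName
    $issues  = @()
    if ($builtInHigh -contains $account)  { $issues += 'runs as built-in SYSTEM' }
    if ($domainAdmins -contains $account) { $issues += 'account is a Domain Admin' }
    New-Object PSObject -Property @{
        Service   = $svc.Name
        Account   = $account
        StartMode = $svc.StartMode   # Manual is expected for cluster-aware services
        Issues    = ($issues -join '; ')
    }
}

# "Use the same account for all SQL Server services" shows up as one account
# repeated across every row; the recommendation is one account per service.
$shared = $findings | Group-Object Account | Where-Object { $_.Count -gt 1 }
foreach ($g in $shared) { Write-Warning "$($g.Count) services share the account $($g.Name)" }

$findings | Format-Table Service, Account, StartMode, Issues -AutoSize
```

Run it against each cluster node in turn (the -ComputerName parameter), since the Add Node step copies the account settings of the active node.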

Use the Collation tab to specify nondefault collations for the Database Engine and Analysis Services.

Use the Account Provisioning tab to specify the following:

Authentication mode - select Mixed Mode authentication for your instance of SQL Server. If you select Mixed Mode authentication, you must provide a strong password for the built-in SQL Server system administrator account. We set sqladmin123 as password.

After a device establishes a successful connection to SQL Server, the security mechanism is the same for both Windows authentication and Mixed Mode.

SQL Server administrators - You must specify at least one system administrator for the instance of SQL Server. To add the account under which SQL Server Setup is running, click Add Current User. To add or remove accounts from the list of system administrators, click Add or Remove, and then edit the list of users, groups, or computers that will have administrator privileges for the instance of SQL Server. Here the administrator and hcluser accounts are added as SQL administrators.

Click OK. Verify the list of administrators in the configuration dialog box. When the list is complete, click Next.

Use the Data Directories tab to specify nondefault installation directories. To install to default directories, click Next.

We selected default settings.

Use the FILESTREAM tab to enable FILESTREAM for your instance of SQL Server. In our scenario we have not enabled it.

Click Next to continue.

On the Analysis Services Configuration page, use the Account Provisioning tab to specify users or accounts that will have administrator permissions for Analysis Services. You must specify at least one system administrator for Analysis Services. To add the account under which SQL Server Setup is running, click Add Current User. To add or remove accounts from the list of system administrators, click Add or Remove, and then edit the list of users, groups, or computers that will have administrator privileges for Analysis Services. We added administrator & hcluser accounts.

Click Next.

Use the Data Directories tab to specify nondefault installation directories. To install to default directories, click Next.

Use the Reporting Services Configuration page to specify the kind of Reporting Services installation to create. For failover cluster installation, the option is set to Install, but do not configure the report server. You must configure Reporting Services after you complete the installation.

On the Error and Usage Reporting page, specify the information that you want to send to Microsoft that will help improve SQL Server. By default, options for error reporting and feature usage are disabled.

The System Configuration Checker runs one more set of rules to validate your configuration with the SQL Server features that you have specified.

The Ready to Install page displays a tree view of installation options that you specified during Setup. To continue, click Install.

During installation, the Installation Progress page provides status so that you can monitor installation progress as Setup continues.

After installation, the Complete page provides a link to the summary log file for the installation and other important notes. To complete the SQL Server installation process, click Close.

If you are instructed to restart the computer, do so now.

Adding Node to SQL failover cluster

To add a node to an existing failover cluster instance, click Installation in the left-hand pane. Then, click Add node to a SQL Server failover cluster.

The System Configuration Checker will run a discovery operation on your computer. To continue, click OK. Setup log files have been created for your installation.

On the Product Key page, specify the PID key for a production version of the product. Note that the product key you enter for this installation must be for the same SQL Server 2008 edition as that which is installed on the active node.

On the License Terms page, read the license agreement, and then select the check box to accept the licensing terms and conditions. To continue, click Next. To end Setup, click Cancel.

On the Setup Support Files page, click Install to install the setup support files and any prerequisites.

The System Configuration Checker will verify the system state of your computer before Setup continues. After the check is complete, click Next to continue.

On the Cluster Node Configuration page, use the SQL Server instance name box to specify the name of the SQL Server 2008 failover cluster instance that will be modified during this setup operation.

On the Service Accounts page, specify login accounts for SQL Server services. The actual services that are configured on this page depend on the features you selected to install. For failover cluster installations, account name and startup type information will be prepopulated on this page based on settings provided for the active node. You must provide passwords for each account.

When you are finished specifying login information for SQL Server services, click Next.

On the Error and Usage Reporting page, specify the information to send to Microsoft that will help to improve SQL Server. By default, options for error reporting and feature usage are enabled.

The System Configuration Checker will run one more set of rules to validate your computer configuration with the SQL Server features you have specified.

The Ready to Add Node page displays a tree view of installation options that you specified during setup.

The Add Node Progress page provides status so you can monitor add node progress as Setup proceeds.

After installation, the Complete page provides a link to the summary log file for the installation and other important notes. To complete the SQL Server installation process, click Close.

If you are instructed to restart the computer, do so now.

Windows Server Update Services

Installing WSUS


A major issue with security on Windows Server installations is the difficulty of keeping all servers up to date with the latest security patches and fixes. The Windows Update service, which allows automatic download and installation of security fixes, is really only suitable for smaller enterprises; large enterprises with numerous Windows Server installations do not wish to incur the bandwidth and overhead of having each server run its own individual update. Windows Server Update Services (WSUS) is a free download from Microsoft which effectively gives an enterprise its own update server, independent of Microsoft's Windows Update servers. Clients then connect to the central intranet WSUS server for all security patches and OS updates.

Windows Server Update Services (WSUS) Requirements


It is optimal to install WSUS on a dedicated server, but it can also be installed on a Windows Server 2008 R2 server that is running other tasks, provided the server is running Internet Information Services (IIS). The minimum requirements for WSUS are:

- Windows Server 2003 SP1 or higher
- Background Intelligent Transfer Service (BITS)
- Internet Information Services (IIS)
- Windows Internal Database role or, alternatively, SQL Server 2005 (or higher) installed locally or on a remote server
- .NET Framework 2.0 or higher

Installing WSUS on Windows Server 2008 R2


WSUS installation is a simple process as it is installed as a server role from Server Manager. The steps below install Windows Server Update Services plus all required components. To complete the initial installation of WSUS, follow these steps:

1. Launch the Server Manager.
2. On the Roles Summary pane, select Add Roles to launch the wizard and click Next.
3. Select Windows Server Update Services, and then click Next.
4. Next, the Add Role Services and Features Required for Windows Server Update Services window will prompt you for additional components to be installed, if necessary. The required components are the IIS web server and management tools, the Windows Process Activation Service Process Model, and the .NET Framework. Once this is complete, click Add Required Role Services to continue and then click Next.
5. Read the Introduction to Web Server (IIS) overview (if necessary) and then click Next.
6. Click Next to select the default role services to install for IIS.
7. Read the Introduction to Windows Server Update Services overview (if necessary) and then click Next.
8. After reading the summary of installation selections, click Install.
9. The Server Manager will show Searching for Updates and Downloading while it connects to Microsoft's server and downloads WSUS. It will also install IIS and the Windows Process Activation Service, if required.
10. The Windows Server Update Services Setup Wizard is displayed as the installation progresses. Click Next.
11. Read and accept the license agreement for WSUS, and then click Next.
12. If alerted that Report Viewer 2005 is not installed, just click Next to continue with the installation (note that some reports will be unavailable without Report Viewer installed).
13. Select the Store Updates Locally check box, and then enter a location to store them. This location needs to be large enough to hold a large number of downloaded patches. Click Next.
14. Select Install the Windows Internal Database on This Computer, or alternatively Use an Existing Database Server on a Remote Computer if you wish to use a remote SQL Server.
15. Select Use the Existing IIS Web Site and then click Next to continue with the installation.
16. Review the security settings on the Ready to Install page and then click Next.
17. The installation then completes in the Server Manager and, once the Finish button is clicked, the WSUS Configuration Wizard is shown. Review the information and then click Next.
18. Click Next to sign up to the Microsoft Update Improvement Program.
19. Select Synchronize from Microsoft Update, and then click Next.
20. If necessary, configure your proxy server settings and then click Next.
21. Click on Start Connecting to save your settings and download update information. This process can take several minutes. Then click Next.
22. Select the preferred update language(s), and then click Next.
23. Select the products for which you want to receive updates, and click Next.
24. Select the classifications of the updates that you wish to download, and click Next.
25. Set the schedule on which you want WSUS to automatically synchronize with the Microsoft Update servers, or alternatively select Synchronize Manually. Click Next.
26. Make sure that Begin Initial Synchronization is selected, and then click Finish.
27. Finally, review the installation results, click Close, and then close the Server Manager.

Windows Server Update Services is administered from the WSUS MMC, which is the main location for all the configuration settings for WSUS and is its only administrative console. The WSUS MMC is located at Administrative Tools > Microsoft Windows Server Update Services 3.0 SP1, or can be accessed directly from Server Manager.

Monitoring Disk Usage in Windows Server


Hard disk controllers and disk drives are the two primary components of the disk subsystem. The two objects which gauge hard disk performance are PhysicalDisk and LogicalDisk. Despite the disk subsystem becoming more and more powerful, disks are still the most common performance bottleneck, as their speeds are exponentially slower than those of other system resources. In Windows Server 2008 R2 the physical and logical disk counters are enabled by default. The Disk tab in Resource Monitor, shown below, gives a decent high-level overview of the current combined physical and logical disk activity. For more fine-grained monitoring of disk activity, you should consider using the Performance Monitor component with the desired counters in the PhysicalDisk and LogicalDisk sections.

Monitoring using the PhysicalDisk and LogicalDisk objects comes with a small price, however, as each object uses a small amount of system resources while it is used for monitoring. As such, they should be disabled unless you are using them for monitoring purposes. The most useful counters to monitor the disk subsystem are the % Disk Time and Avg. Disk Queue Length counters.

% Disk Time measures the percentage of time that a given physical or logical drive is busy servicing read and write requests. Avg. Disk Queue Length counts the number of requests which have not yet been serviced on the physical or logical drive. Avg. Disk Queue Length is an interval average and is therefore a numerical representation of the number of delays the disk drive is experiencing. In general, if the delay is often higher than 2, the disks are inadequate to service the system workload and performance may be compromised.

Monitoring Processor Usage in Windows Server 2008


To analyze the processor utilization of your system you should focus on two counters: % Processor Time and Interrupts/sec. % Processor Time shows the percentage of overall processor utilization. If there is more than one processor on a system, a counter for each one is shown as well as the total (combined) value counter. If % Processor Time averages a usage rate of over 50% for extended durations, you should first review other system counters to try to identify processes which may be improperly using the processing resource, or alternatively consider upgrading the processor. Consistent utilization around the 50% range does not necessarily impair performance; however, if the average processor utilization goes beyond 65%, performance will almost certainly be impaired. If the system has multiple processors installed, you should use the % Total Processor Time counter to determine the average usage of all processors. Interrupts/sec is useful as an overall guide to processor health. This counter indicates the number of device interrupts which the processor is handling per second. Similar to the Page Faults/sec counter, this counter can show very high numbers (well into the thousands) without there being a significant performance drag. In general, conditions which could indicate a processor bottleneck include the following:

- Average of % Processor Time is consistently beyond 60%-70%. Additionally, frequent spikes of 90% or greater can also indicate a bottleneck even if the average is below 60%-70%.
- Maximum of % Processor Time is consistently beyond 90%.
- Average of the System performance counter Context Switches/sec is consistently beyond 20,000.
- System performance counter Processor Queue Length is consistently higher than two.

The CPU tab in the Resource Monitor (below) gives a good high-level overview of processor activity. For more advanced monitoring of processor utilization you should use the Performance Monitor snap-in with the counters discussed previously.
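The disk and processor thresholds given in the two sections above can be applied to live samples with Get-Counter. This added example (not part of the original text) collects the counters discussed and reports which of them breach the stated thresholds; the sample count and interval are arbitrary choices, and % Disk Time and Interrupts/sec are reported without a threshold because the text gives none.

```powershell
# Added example, not from the original text: sample the disk and processor counters
# from the "Monitoring Disk Usage" and "Monitoring Processor Usage" sections and check
# them against the thresholds those sections state.
param([int]$Samples = 10, [int]$IntervalSeconds = 2)

# Counter path -> threshold rule. $null means "report only, no threshold in the text".
$rules = @(
    @{ Path = '\PhysicalDisk(_Total)\% Disk Time';            Avg = $null; Max = $null
       Note = 'busy time; interpret together with the queue length' },
    @{ Path = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Avg = 2;     Max = $null
       Note = 'average queue often > 2: disks cannot keep up with the workload' },
    @{ Path = '\Processor(_Total)\% Processor Time';          Avg = 60;    Max = 90
       Note = 'average consistently > 60-70%, or frequent peaks >= 90%' },
    @{ Path = '\Processor(_Total)\Interrupts/sec';            Avg = $null; Max = $null
       Note = 'high values alone are not a bottleneck indicator' },
    @{ Path = '\System\Context Switches/sec';                 Avg = 20000; Max = $null
       Note = 'average consistently > 20,000' },
    @{ Path = '\System\Processor Queue Length';               Avg = 2;     Max = $null
       Note = 'consistently > 2' }
)

# One Get-Counter call collects all paths for the whole sampling window.
$data = Get-Counter -Counter ($rules | ForEach-Object { $_.Path }) `
                    -SampleInterval $IntervalSeconds -MaxSamples $Samples

# Flatten the sample sets into one list of cooked values per counter path.
# Sample paths come back as \\HOST\object(instance)\counter, so the host prefix is
# stripped; hashtable keys in PowerShell are case-insensitive, which matches the
# lower-cased paths Get-Counter returns.
$byPath = @{}
foreach ($set in $data) {
    foreach ($s in $set.CounterSamples) {
        $key = $s.Path -replace '^\\\\[^\\]+', ''
        if (-not $byPath.ContainsKey($key)) { $byPath[$key] = @() }
        $byPath[$key] += $s.CookedValue
    }
}

# Evaluate each rule over the window: average for "consistently", maximum for peaks.
foreach ($rule in $rules) {
    $values = $byPath[$rule.Path]
    if (-not $values) { Write-Warning "No samples for $($rule.Path)"; continue }
    $stats = $values | Measure-Object -Average -Maximum
    $flags = @()
    if ($rule.Avg -ne $null -and $stats.Average -gt $rule.Avg) {
        $flags += "average $([math]::Round($stats.Average, 1)) > $($rule.Avg)"
    }
    if ($rule.Max -ne $null -and $stats.Maximum -gt $rule.Max) {
        $flags += "peak $([math]::Round($stats.Maximum, 1)) > $($rule.Max)"
    }
    $status = if ($flags) { 'POSSIBLE BOTTLENECK' } else { 'ok' }
    '{0,-46} avg={1,10:N1} max={2,10:N1}  {3} {4}' -f `
        $rule.Path, $stats.Average, $stats.Maximum, $status, ($flags -join ', ')
    if ($flags) { "    rule: $($rule.Note)" }
}
```

A ten-sample window only shows whether the thresholds are crossed right now; for the "consistently" judgement the text describes, run it repeatedly over a representative period and compare the averages.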

Installing Active Directory on Windows 2008 Server Core


Server Core can host a few roles. See my "Managing Windows 2008 Server Core Server Roles" article for more info. One of these roles can be the Active Directory Domain Services (AD DS) role, where the server will act as a Domain Controller for an Active Directory domain. This Domain Controller (or DC for short) can be used in one of the following DC scenarios:

1. The first DC in a new Active Directory Domain, inside a new Active Directory Forest
2. An additional (replica) DC in an existing Active Directory Domain
3. A Read Only DC (RODC) in an existing Active Directory Domain, in case you already have at least one regular DC running Windows Server 2008 in that domain
4. The first DC in a new Active Directory Domain (child domain), under an existing Active Directory Tree, inside an existing Active Directory Forest
5. The first DC in a new Active Directory Domain, as a new Active Directory Tree, inside an existing Active Directory Forest

Now, one might wonder how you would go about managing that DC if it were to run on a GUI-less server core. Well, the answer to that is based on 3 parts. The first part is to get your server core up and running. In order to do that, read my server core articles under the Related Articles section below. To make life easier on you, I've also written about a GUI tool called CoreConfigurator; read more about it in my "Easily Manage Windows Server 2008 Server Core Settings with CoreConfigurator" article. The second part is the management of the specific Active Directory DS role that you're about to install on the core. That can be easily done from one of your regular Windows Server 2008 DCs, or even from a workstation computer running Windows Vista. Read more about it in my "Installing Remote Server Administrative Tools on Windows Vista" article. The third part is the process of installing the Active Directory DS role. It is done through the Active Directory Domain Services Installation Wizard (DCPROMO.exe). It performs the following tasks:

Installs Active Directory Domain Services (AD DS) on Windows Server 2008-based workgroup servers and member servers

Or, if you run it on a server that is already configured as a DC:

Removes AD DS from Windows Server 2008-based domain controllers

As noted above, since server core does not have a GUI, you will need to manually configure the DCPROMO settings and run them as an unattended process. So, now let's go to the business of actually installing the role. In order to install Active Directory DS on your server core machine you will need to perform the following tasks:

1. Configure an unattend text file containing the instructions for the DCPROMO process
2. Configure the right server core settings and meet the DCPROMO requirements
3. Copy that file to the server core machine
4. Run the DCPROMO process with the unattend file
5. Reboot the computer

Configure an unattend text file

First, let's create the unattend, or answer, file. The unattend file is an ASCII text file that provides automated user input for each page of the Active Directory Domain Services Installation Wizard. One method of creating the unattend file is by editing a sample file you've created before or obtained from other sources (like this website). This is an example of such an unattend file. In this example you will create an additional DC for a domain called petrilab.local (the ReplicaDomainDNSName line names that domain, matching the command-line form shown further below):

[DCINSTALL]
UserName=administrator
UserDomain=petrilab
Password=P@ssw0rd1
SiteName=Default-First-Site-Name
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=petrilab.local
DatabasePath="%systemroot%\NTDS"
LogPath="%systemroot%\NTDS"
SYSVOLPath="%systemroot%\SYSVOL"
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=P@ssw0rd1
RebootOnCompletion=yes

Configure the right server core settings

After that you need to make sure the core machine is properly configured.

1. Perform any configuration setting that you require (tasks such as changing the computer name, configuring the IP address, subnet mask, default gateway and DNS address, firewall settings, configuring remote desktop and so on).

2. After changing the required server configuration, make sure that for the task of creating it as a DC you have the following requirements in place:

- A partition formatted with NTFS (you should have one, it's a server)
- A network interface card, configured properly with the right driver
- A network cable plugged in
- The right IP address, subnet mask and default gateway

And most importantly, do not forget:

- The right DNS setting, in most cases pointing to an existing internal DNS server in your corporate network

Copy the unattend file to the server core machine

Now you need to copy the unattend file from wherever you've stored it. You can run it from a network location, but I prefer to have it locally on the core machine. You can use the NET USE command on server core to map a network path and copy the file to the local drive. You can also use a regular server/workstation to graphically access the core's C$ share (for example) and copy the file to that location.

Run the DCPROMO process


Next you need to manually run DCPROMO. To run the Active Directory Domain Services Installation Wizard in unattended mode, use the following command at a command prompt:
dcpromo /unattend:

Reboot the machine


In order to reboot the server core machine type the following text in the command prompt and press Enter.
shutdown /r /t 0

After the server comes back online you'll have yourself a new and shining DC running on a server core machine.

Running it all from one command line


Using an unattend file for DCPROMO is fine, and if you've prepared one it's quite easy. However, there's another method. DCPROMO will accept command line switches, and if provided correctly, it will use them to perform the required tasks. For example, running the following command:
Dcpromo /unattend /replicaOrnewDomain:replica /replicaDomainDNSName:petrilab.local /ConfirmGC:yes /username:petrilab\administrator /Password:* /safeModeAdminPassword:P@ssw0rd1

will run DCPROMO and add the server as a Global Catalog server to the petrilab.local domain. The Directory Services Restore Mode (DSRM) password will be set to P@ssw0rd1. Because /Password:* is used, you will be asked to enter the domain administrator password when the command is run. The server will reboot itself as part of the install. BTW, to see the construction of the command we can enter the following command. It will create a text file containing the required information and open it:

Dcpromo /?:Promotion > promotion.txt & promotion.txt

Installing Hyper-V on Windows Server 2008 Server Core


The benefits of using Hyper-V on a Server Core installation include a reduced attack surface, reduced management, and reduced maintenance. After you have enabled the Hyper-V role on Server Core, you can manage the Hyper-V role and virtual machines remotely using the Hyper-V management tools. The management tools are available for Windows Server 2008 and Windows Vista Service Pack 1 (SP1).

Hyper-V is a virtualization platform from Microsoft, originally available as Beta 3 on the RTM installation DVD of Windows Server 2008, but the RTM update for Hyper-V is now available for download or from Windows Update (after July 8, 2008). In order to get the Hyper-V role on Windows Server 2008 you need to install this update. The update package consists of the Hyper-V role, including the x64 version of the remote management tools, and integration services for the supported versions of the Windows operating system. With this update, you can now use Hyper-V in a production environment for supported configurations. See: Description of the update for the release version of the Hyper-V technology for Windows Server 2008 - 950050.

Note: The Hyper-V role update package is a permanent package. Once you install the update package, you cannot remove it.

Note: Looking at the above link, it might appear like there's a 32-bit version of Hyper-V. That is NOT correct. The 32-bit download is just for the Hyper-V management tool and connection tool. The download itself, around 30 MB, can be found here.

Note: You can manage Hyper-V servers from other Windows Server 2008 machines, or from Windows Vista machines. See the following link for the download paths: Description of the Windows Vista Service Pack 1 Management Tools update for the release version of Hyper-V - 952627.

The update that enables the Hyper-V role is for Windows Server 2008 x64 editions, and after installing it you will be able to enable the virtualization role through Server Manager. After the Hyper-V role is enabled, Hyper-V Manager will become available as part of Administrative Tools. From the Hyper-V Manager you can easily create and configure virtual machines.

BIOS Settings
You must enter the BIOS setup of the server and make sure that Virtualization Technology and Execute Disable are both set to Enabled. In most cases, the required BIOS settings can be found in these BIOS sections (actual names may differ, depending on your server's BIOS):

- Security > Execute Disable (set to On)
- Performance > Virtualization (set to On)
- Performance > VT for Direct I/O Access (set to On)
- Performance > Trusted Execution (set to Off)

Operating System Version and Architecture


In case you were not the person who initially installed the server, you'd better make sure it supports Hyper-V, and that it has the appropriate license to run it, before starting to install the role. To find out what kind of Windows Server product is currently installed, run the following command:
wmic OS get OperatingSystemSKU

The number that is returned corresponds to Microsoft's list of SKU numbers for Windows Server. Please ensure that your version supports Hyper-V:

- 12 - Windows Server 2008 Datacenter Edition, Server Core
- 13 - Windows Server 2008 Standard Edition, Server Core
- 14 - Windows Server 2008 Enterprise Edition, Server Core

If any other number is returned, you should not install Hyper-V on this server. You should also check the architecture of the server installation:
wmic OS get OSArchitecture

The architecture should be 64-bit in order to be able to install Hyper-V.

Installation procedure
Below is the step-by-step on installing Hyper-V on Windows Server 2008 Server Core.

Note: For regular Windows Server 2008 Hyper-V installations please read my Installing Hyper-V on Windows Server 2008 article.

Complete the Server Core installation and initial configuration tasks. These include the following:

Note: All the following configuration tasks need to be done from the Command Prompt. Please read my Managing Windows 2008 Server Core Local Settings article.

- Setting the administrative password: use the NET USER command.
- Configuring the server's computer name: use the NETDOM command.
- Setting a static IP address on all relevant NICs: use the NETSH command.
- Activating the server: use the SLMGR.VBS command.
- Joining the server to a domain (if required): use the NETDOM command.
- Configuring the firewall for remote administration: use the NETSH command.
- Enabling Remote Desktop for Administration, if you want to manage the server running a Server Core installation remotely: use the SCREGEDIT.WSF command.

After you have installed Windows Server 2008, you must apply the Hyper-V update package for Windows Server 2008 (KB950050). See the download links above.

Download the Hyper-V updates, copy them either to the Server Core local hard disk or to a network share and then type the following command at a command prompt:
wusa.exe Windows6.0-KB950050-x64.msu /quiet

Lamer note: provide the correct path to the file.

To view the list of installed software updates and check whether any are missing, at the command prompt, type:
wmic qfe list

After you install the updates, you must restart the server.

Important note: Before you enable the Hyper-V role, ensure that you have enabled the required hardware-assisted virtualization and hardware-enforced Data Execution Prevention (DEP) BIOS settings. Checks for these settings are performed before you enable the Hyper-V role on a full installation, but not on a Server Core installation. If you enable the Hyper-V role without modifying the BIOS settings, the Windows hypervisor may not work as expected.
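As an added example (not code from the original article), the edition, architecture and update checks above combined into one PowerShell pre-flight script that reads the same WMI classes wmic OS and wmic qfe query. Server Core 2008 itself has no PowerShell, so the script assumes it is run from a management machine with -ComputerName pointed at the target (or locally on a full installation); the KB950050 lookup and the DEP property are the only calls beyond the commands quoted above.

```powershell
# Added example, not from the original article: pre-flight checks for the
# Hyper-V role on Windows Server 2008. Run from a management machine and pass
# the target in -ComputerName (WMI over RPC), or locally where PowerShell exists.
param([string]$ComputerName = '.')

# SKU numbers the article lists as Server Core editions that support Hyper-V.
$SupportedServerCoreSkus = @{
    12 = 'Windows Server 2008 Datacenter Edition, Server Core'
    13 = 'Windows Server 2008 Standard Edition, Server Core'
    14 = 'Windows Server 2008 Enterprise Edition, Server Core'
}

$os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
$problems = @()

# 1. Edition: the same value "wmic OS get OperatingSystemSKU" prints.
$sku = [int]$os.OperatingSystemSKU
if ($SupportedServerCoreSkus.ContainsKey($sku)) {
    Write-Host ("Edition OK: {0} (SKU {1})" -f $SupportedServerCoreSkus[$sku], $sku)
} else {
    $problems += "SKU $sku is not a Server Core edition listed as supporting Hyper-V"
}

# 2. Architecture: the same value "wmic OS get OSArchitecture" prints.
if ($os.OSArchitecture -like '64*') {
    Write-Host ("Architecture OK: {0}" -f $os.OSArchitecture)
} else {
    $problems += "Architecture is $($os.OSArchitecture); Hyper-V needs 64-bit"
}

# 3. Hyper-V RTM update (KB950050): the same data "wmic qfe list" shows.
$kb = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
      Where-Object { $_.HotFixID -eq 'KB950050' }
if ($kb) {
    Write-Host ("Update OK: KB950050 installed ({0})" -f $kb.InstalledOn)
} else {
    $problems += 'KB950050 (Hyper-V RTM update) is not installed; apply it with wusa.exe first'
}

# 4. Hardware DEP (Execute Disable). Win32_OperatingSystem only reports whether
#    DEP is available to the OS; the Virtualization Technology switch cannot be
#    read through WMI on this OS version, so confirm it in BIOS setup. This
#    matters on Server Core, where ocsetup performs no such check.
if ($os.DataExecutionPrevention_Available) {
    Write-Host 'DEP OK: hardware DEP is available to the operating system'
} else {
    $problems += 'Hardware DEP is not available; enable Execute Disable in the BIOS'
}

if ($problems.Count -eq 0) {
    Write-Host 'All checks passed; confirm VT in BIOS, then run: start /w ocsetup Microsoft-Hyper-V'
} else {
    Write-Host 'Do not enable the Hyper-V role yet:'
    $problems | ForEach-Object { Write-Host ("  - " + $_) }
}
```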

To install the Hyper-V role, at a command prompt, type:

start /w ocsetup Microsoft-Hyper-V

Note: The syntax for Ocsetup.exe is case sensitive.

Add a user or group to the local Administrators group so that they can manage the Server Core installation remotely. To add a user to the local Administrators group, you must first add the user. At a command prompt, type:

net user <username> * /add

To add a user to the local Administrators group, at a command prompt, type:


net localgroup administrators /add <user>

Restart the server to make the changes take effect. At a command prompt, type:

shutdown /r /t 0

Use a regular installation of Windows Server 2008 or Windows Vista SP1 to remotely connect to the Server Core machine and manage the Hyper-V role on it. You can download and install the Hyper-V management tools from the downloads section above. More about that in a future article.

BitLocker To Go Encryption for Windows Server 2008 R2


BitLocker To Go is a new feature that ships with Windows Server 2008 R2 and provides encryption for removable drives. This is a very important feature for backups, as it ensures that backups are protected. Before using BitLocker To Go, you will need to add the BitLocker feature to Windows Server 2008 R2. From Server Manager, select the server, then click Add Features from the Action menu, which opens the Add Features Wizard. From there, select BitLocker Drive Encryption; this covers both the regular BitLocker, which is designed for non-removable drives and uses a TPM (Trusted Platform Module) for encryption, and the new BitLocker To Go, used for removable drives. To add BitLocker Drive Encryption from PowerShell, run the following from an elevated PowerShell command line:
Import-Module ServerManager
Add-WindowsFeature BitLocker

BitLocker To Go can be managed by double-clicking the BitLocker Drive Encryption icon in the Control Panel. From there, to enable BitLocker To Go on a removable drive, click Turn On BitLocker beside the drive icon.

The first time BitLocker or BitLocker To Go is run on the server, you will see a warning message that this can impact performance; click Yes at this prompt and the BitLocker Drive Encryption Wizard will start. First, select how to unlock the drive: either with a password or with a smart card. Next you will be offered several methods for saving the recovery key; normally it is preferable to use all of them: save it to a file and keep the file safe, and print the recovery key and store the printout in a safe location. Make sure you store the recovery key where it can be easily accessed when you need it. Once you are confident of proceeding, click Start Encrypting to begin the BitLocker encryption process. Once encryption begins, do not remove the drive until the process is fully complete. In the event you need to shut down the computer or remove the drive, first pause the encryption. Encrypting a large drive can take a long time, so try to schedule this procedure to impact the minimum number of users. When the drive is fully encrypted, the performance penalty is usually very small and unnoticeable for normal use.

Once the encryption is complete, a padlock icon is shown on the drive and a Manage BitLocker option is shown beside it. Clicking Manage BitLocker allows you to change or remove the password, add a smart card for unlocking the drive, save the encryption recovery keys again, or finally configure the drive to auto-unlock on the current computer. Note that this final option means that anyone who can log on to the server no longer needs the key to access the data on the drive. Finally, when the drive is plugged into any computer, you will be prompted for the unlocking key, which is a password or a smart card. You will not be able to use the BitLocker To Go drive until it has been unlocked. Once the drive has been unlocked on a computer, BitLocker To Go can be configured to always unlock on that same computer without the need for a password or smart card. BitLocker To Go can be used on any drive which is recognized by Windows Server 2008 R2 as removable storage, so USB drives, eSATA drives, and FireWire drives are all compatible with BitLocker To Go.
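An added example, not part of the original article: a PowerShell audit that lists every removable volume the server sees and reports whether it is fully encrypted and protected, and whether auto-unlock has been configured on this computer (the trade-off described above). It uses the Win32_EncryptableVolume WMI class in the root\CIMV2\Security\MicrosoftVolumeEncryption namespace instead of the Control Panel, and assumes an elevated prompt on Windows Server 2008 R2 with the BitLocker feature installed.

```powershell
# Added example, not from the original article: audit BitLocker To Go state on
# every removable volume through the BitLocker WMI provider.

# Meaning of the numeric codes the provider's methods return.
$ConversionNames = @{ 0 = 'fully decrypted'; 1 = 'fully encrypted'
                      2 = 'encryption in progress'; 3 = 'decryption in progress'
                      4 = 'encryption paused'; 5 = 'decryption paused' }
$ProtectionNames = @{ 0 = 'protection off'; 1 = 'protection on'; 2 = 'unknown' }

# Removable volumes (Win32_Volume DriveType 2) that have a drive letter.
$removable = Get-WmiObject -Class Win32_Volume |
    Where-Object { $_.DriveType -eq 2 -and $_.DriveLetter }

foreach ($vol in $removable) {
    $bde = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
               -Class Win32_EncryptableVolume |
           Where-Object { $_.DriveLetter -eq $vol.DriveLetter }
    if (-not $bde) {
        Write-Host ("{0}  not an encryptable volume" -f $vol.DriveLetter)
        continue
    }

    $conv = $bde.GetConversionStatus()   # ConversionStatus, EncryptionPercentage
    $prot = $bde.GetProtectionStatus()   # ProtectionStatus
    $auto = $bde.IsAutoUnlockEnabled()   # IsAutoUnlockEnabled (boolean)

    $findings = @()
    if ($conv.ConversionStatus -ne 1) { $findings += 'NOT fully encrypted' }
    if ($prot.ProtectionStatus -ne 1) { $findings += 'key protectors not enforced' }
    # Auto-unlock binds the drive to this server: anyone who can log on here
    # reads it without the password or smart card, which is what the article warns about.
    if ($auto.IsAutoUnlockEnabled) { $findings += 'auto-unlock enabled on this computer' }

    Write-Host ("{0}  {1} ({2}% done), {3}" -f $vol.DriveLetter,
        $ConversionNames[[int]$conv.ConversionStatus], $conv.EncryptionPercentage,
        $ProtectionNames[[int]$prot.ProtectionStatus])
    if ($findings.Count -gt 0) {
        Write-Host ("    review: " + ($findings -join '; '))
    }
}
```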

Windows Server 2008 Print Management


Windows Server 2008 includes a new print management architecture which provides a better print-server platform with improved performance. The new print management architecture is compatible with existing print drivers and applications and also enables them to use features which are found only in the newer XPSDrv printer drivers, which have a more efficient print queue operation. As well as the TS Easy Print capability, Windows Server 2008 integrates XPS (XML Paper Specification) to provide efficient and high-quality document delivery to the whole print subsystem. The XPS format is based on fixed-layout technology and, alongside OPC (Open Packaging Conventions), defines a new format and specification built on existing industry standards such as XML and ZIP.

Installing Windows Server 2008 Print Management Components


As with all the Windows Server 2008 components, you should install the Print Services Role via the Server Manager interface. After it has been selected, three sub-services are associated with the Print Services role:

- Print Server. Includes the Print Management MMC snap-in, which manages the print servers and their printers, as well as the capability to migrate printers between print servers. This is the same MMC which is included in Windows Vista Business, Enterprise, and Ultimate. Windows Vista can manage a Windows Server 2008 printer environment in small environments of up to ten concurrent network connections.
- LPD Service. The Line Printer Daemon is designed to provide print support for UNIX-based clients.
- Internet Printing. Enables Web-based print server management, and also provides Internet Printing Protocol support, which allows for printing to a print server from the Web. Since the Internet Printing feature operates from a web site, the print server also needs to have the Web Server role installed. The Web Server role is automatically selected and enabled when the Internet Printing sub-role is selected.

Windows Server 2008 Print Management MMC


The Print Management MMC is focused on three core activity areas. As shown below, the navigation pane has a Custom Filters node, a Print Servers node, and finally a Deployed Printers node.

By default, there are four custom filters, which list all the known printers, all the known drivers, any printer that is not in a ready state (which indicates a problem), and all the printers with assigned print jobs. More custom filters can be added to enable quick access to selected groups of printers.

The Print Servers node displays the print servers which are known to the Print Management MMC. By default, only the local print server is shown. Four areas of information are shown for each print server: the drivers currently installed on that print server, the forms which are available for printing, the ports that are used for printing (local as well as terminal server and IP), and finally the printers which the server has connections to. Lastly, the Deployed Printers node shows the printers that are being deployed via group policy. This was introduced with Windows Server 2003 R2, which used a combination of group policy and a client-side PushPrinterConnections.exe to check group policy for printers and then add them. This client-side tool is not required for Windows Server 2008 clients.

Adding Printer Servers to Windows Server 2008


To add a print server in the Print Management console, right-click on the Print Servers node and select Add/Remove Servers. Using the Add/Remove Servers dialog you can browse for new printers or enter the name of a print server to add the server:

Adding a New Printer using the Windows Server 2008 Print Management MMC
The Print Management console is designed to simplify the management of print server environments, especially for branch offices which have no local admin to set up printers. You can statically add a new printer by just right-clicking the Printers node for the print server and then selecting Add Printer. This will launch the Network Printer Installation Wizard shown below.

Most modern printers are network capable and automatically grab an IP address via DHCP, but allow for static configuration via a menu. Once the printer's IP address is known to the admin, it can be added using the Add a TCP/IP or Web Services Printer by IP Address or Hostname option. This option opens a new dialog requesting the name or IP of the printer. The Network Printer Installation Wizard auto-detects the printer, but it can also be manually configured as a TCP/IP or Web Services printer. Also note that, by default, the Network Printer Installation Wizard tries to detect the correct printer driver. Once the IP address of the printer has been entered, the Network Printer Installation Wizard contacts the printer to collect information on it, such as the make and model, to ascertain which drivers to use. If the printer has a driver which is part of the OS, it will be selected automatically. However, for newer printers which are not known to the OS, you will need to install the driver or use Microsoft XPS Document Writer or Terminal Services Easy Print. The XPS Document Writer is a print-to-file driver which behaves like a normal printer target, but the output is an XPS format file. You should never want to use this driver for a real printer, but it is a good choice for printing to an XPS file. When installing a printer driver, select the Install a New Driver option. This will open a dialog with a listing of all drivers known to the OS. Select a driver to work with your printer, or click the Have Disk button to install a new driver from a media device or the network. A listing of all the printers which are serviced by the selected driver file is displayed; simply select the relevant driver. The last dialog specifies a name for the printer. Give the printer a useful name that describes its location, type, and capabilities (such as dual-sided, color, etc.), as this same dialog allows a share to be set up for the printer. The share will have separate location and comment fields, allowing for greater detail to be given. Finally, a confirmation screen of all the settings is shown. Click Next to install any additional drivers which are required and to complete the installation of the printer on the print server. The completion dialog shows the status of the printer and driver, an option for printing a test page, and also an option to keep the wizard open and add an additional printer. Select the required options and click Finish to complete the installation.

Getting Started with Hyper-V Server

Microsoft Hyper-V (formerly codenamed Viridian) is hypervisor-based virtualization for Windows Server based x86-64 systems. The beta of Hyper-V shipped with some x64 editions of Windows Server 2008, and the finalized version was released via Windows Update in June 2008 and has since been released as a free stand-alone version (Hyper-V Server 2008 R2). Hyper-V currently exists in two distinct versions: a stand-alone product called Hyper-V Server 2008 R2, and as an integral part of Windows Server 2008 R2.

Getting Started
The first requirement is a machine which can support a 64-bit operating system. You will need a clean installation of Windows Server 2008 Enterprise Edition (64-bit version), as Hyper-V will not run within a virtual machine due to the need for hardware-assisted virtualization.

Prior to installing Hyper-V you should take some precautions, namely:

- Back up all data on the system.
- Take an inventory of all virtual machines you will be migrating to the Hyper-V machine, including all of the virtual hardware settings for the virtual machines.
- Back up all virtual hard disks (VHDs) which will be migrated.
- Enable hardware-assisted virtualization. This is normally found in the computer's BIOS, and it may be necessary to refer to the documentation or contact the vendor for how to enable this.
- Install Windows Server 2008 or 2008 R2. In this case, we will be using the full installation option (but note that Hyper-V can also be used on a Server Core installation).
- Do not install other roles on the target machine: Hyper-V should be the sole role on the machine that will host virtual machines.

Install Hyper-V
Log in as an administrator and perform the following steps:

1. Start the Server Manager (Start menu > Administrative Tools > Server Manager).
2. Under Roles Summary, select Add Roles, then select Hyper-V.
3. Complete the remainder of the setup wizard. You are not required to allow virtual machines to access network resources, but one network card needs to be selected so that it can be bound to a virtual switch. You will also be shown a warning if your computer has just a single network adapter; two network adapters are recommended.
4. Restart the computer once the wizard is complete.
5. When the system has restarted, reload the Server Manager, expand Roles in the left pane, and select Hyper-V.
6. From the right pane, verify that both vhdsvc and vmms are running. If so, the installation of the Hyper-V role has completed successfully.

If you are using a Server Core installation, the Hyper-V installation is very straightforward: just enter the command below at the command line, and restart when prompted.
start /w ocsetup Microsoft-Hyper-V

Getting Started with Hyper-V Management Tools


Most Hyper-V settings and configurations can be managed from the Hyper-V Manager MMC console, which is accessible in the Administrative Tools group in the Start menu.

Using the Hyper-V Manager console to create a new VM (virtual machine):

1. Launch the New Virtual Machine wizard from the Hyper-V Manager console.
2. The Before You Begin screen is shown next. You can quickly create a new VM without completing the rest of the wizard by clicking Finish, and a new VM will be created with the default configuration. To customize the configuration, click Next.
3. The Specify Name and Location screen is shown next. Choose a name for your virtual machine and the path where it will be stored. Then click Next.
4. On the Assign Memory screen, specify an appropriate amount of memory to allocate to the new VM. Then click Next.
5. Next the Configure Networking screen is shown; here you can connect the new VM to virtual networks that have been created elsewhere, or you can leave the VM disconnected. Then click Next.
6. On the Connect Virtual Hard Disk screen, connect a new virtual hard disk (VHD) or an existing one to the new VM and click Next.
7. On the Installation Options screen, to install your guest OS after completion of the wizard, specify a path to the OS installation disc and click Next.
8. Click Finish once you have reviewed the settings to close the wizard and create the new VM.

When creating a new VM, there are some issues to consider. Firstly, Hyper-V supports 32- and 64-bit guest operating systems, and supports a variety of different storage mechanisms, including iSCSI and SANs over Fibre Channel. Up to 64 GB of memory can be allocated to any VM, and you can enable an integrated virtual switch to eliminate the requirement to traverse the virtual-physical-virtual layers to get network interface activity done.

Removing Hyper-V Server


Removing Hyper-V is very straightforward: just load the Server Manager and, from the right pane under Roles Summary, click Remove Roles. Next, select Hyper-V in the Remove Roles Wizard, then restart the system, and the uninstall is complete.

How to install Active Directory on Windows Server 2003


1. Click Start, click Run, type dcpromo, and then click OK.
2. On the first page of the Active Directory Installation Wizard, click Next.
3. On the next page of the Active Directory Installation Wizard, click Next.
4. On the Domain Controller Type page, click Domain Controller for a new domain, and then click Next.
5. On the Create New Domain page, click Domain in a new forest, and then click Next.
6. On the New Domain Name page, in the Full DNS name for new domain box, type Testdc.com, and then click Next.
7. On the Database and Log Folders page, accept the defaults in the Database folder box and the Log folder box, and then click Next.
8. On the Shared System Volume page, accept the default in the Folder location box, and then click Next.
9. On the DNS Registration Diagnostics page, click Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS Server, and then click Next.
10. On the Permissions page, click Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems, and then click Next.
11. On the Directory Services Restore Mode Administrator Password page, enter a password in the Restore Mode Password box, retype the password to confirm it in the Confirm password box, and then click Next.
12. On the Summary page, confirm the information is correct, and then click Next.
13. When prompted to restart the computer, click Restart now. After the computer restarts, log on to testdc as a member of the Administrators group.
