
1) What is Active Directory?

A central component of the Windows platform, the Active Directory directory service provides the means to manage the identities and relationships that make up network environments. For example, we can create, manage and administer users, computers and printers in the network from Active Directory.

2) What is DNS? Why is it used? What are "forward lookup" and "reverse lookup" in DNS? What are A records and MX records?

DNS is domain naming service and is used for resolving names to IP addresses and IP addresses to names. The computer understands only numbers, while we can easily remember names. So to make it easier for us we assign names to computers and websites. When we use these names (like yahoo.com) the computer uses DNS to convert the name to an IP address (a number) and then executes our request. Forward lookup: converting names to IP addresses is called forward lookup. Reverse lookup: resolving IP addresses to names is called reverse lookup. 'A' record: it's called the host record and it holds the mapping of a name to an IP address. This is the record in DNS with the help of which DNS can find out the IP address of a name. 'MX' record: it's called the mail exchanger record. It's the record needed to locate the mail servers in the network. This record is also found in DNS.

3) What is DHCP? Why is it used? What are scopes and superscopes?

DHCP: Dynamic Host Configuration Protocol. It's used to allocate IP addresses to a large number of PCs in a network environment. This makes IP management very easy. Scope: a scope contains IP settings like the subnet mask, gateway IP, DNS server IP and exclusion range which a client can use to communicate with the other PCs in the network. Superscope: when we combine two or more scopes together it's called a superscope.

4) What are the types of LAN cables used? What is a cross cable?

The types of LAN cables that are in use are "Cat 5" and "Cat 6". "Cat 5" can support 100 Mbps of speed and "Cat 6" can support 1 Gbps of speed. Cross cable: it's used to connect the same type of devices without using a switch/hub so that they can communicate.

5) What is the difference between a normal LAN cable and a cross cable? What could be the maximum length of the LAN cable?

The way the paired wires are connected to the connector (RJ45) is different in a cross cable and a normal LAN cable. The theoretical length is 100 meters, but after 80 meters you may see a drop in speed due to loss of signal.

6) What would you use to connect two computers without using switches?

A cross cable.

7) What is the IPCONFIG command? Why is it used?

The IPCONFIG command is used to display the IP information assigned to a computer. From the output we can find out the IP address, DNS IP address and gateway IP address assigned to that computer.

8) What is an APIPA IP address? Or, what IP address is assigned to the computer when the DHCP server is not available?

When the DHCP server is not available the Windows client computer assigns an automatic IP address to itself so that it can communicate with the network computers. This IP address is called APIPA, which stands for Automatic Private IP Addressing. It's in the range of 169.254.X.X.

9) What is a DOMAIN? What is the difference between a domain and a workgroup?

A domain is created when we install Active Directory. It's a security boundary which is used to manage computers inside the boundary. A domain can be used to centrally administer computers and we can govern them using common policies called group policies. We can't do the same with a workgroup.

10) Do you know how to configure Outlook 2000 and Outlook 2003 for a user?

Please visit the link below to find out how to configure Outlook 2000 and Outlook 2003: IT: Help Desk: Quick Guide: Configuring Outlook 2003 for Exchange Server

11) What is a PST file and what is the difference between a PST file and an OST file? What file is used by Outlook Express?

A PST file is used to store the mails locally when using Outlook 2000 or 2003. An OST file is used when we use Outlook in cached Exchange mode. Outlook Express used an odb file.

12) What is BSOD? What do you do when you get a blue screen on a computer? How do you troubleshoot it?

BSOD stands for Blue Screen of Death. When there is a hardware or OS fault due to which the Windows OS can't run, it gives a blue screen with a code. The best way to resolve it is to boot the computer with "Last Known Good Configuration". If this doesn't work then boot the computer in safe mode. If it boots up then the problem is with one of the devices or drivers.

13) What is RIS? What is imaging/ghosting?

RIS stands for Remote Installation Services. You save the installed image on a Windows server and then use RIS to install the configured image on the new hardware. We can use it to deploy both server and client OS. Imaging or ghosting also does the same job of capturing an installed image and then installing it on new hardware when there is a need. We go for RIS or imaging/ghosting because installing the OS every time using a CD can be a very time consuming task. So to save that time we can go for RIS/ghosting/imaging.

14) What is VPN and how do you configure it?

VPN stands for Virtual Private Network. VPN is used to connect to the corporate network to access resources like mail and files in the LAN. VPN can be configured using the steps mentioned in the KB: How to configure a VPN connection to your corporate network in Windows XP Professional

15) Your computer slowly drops out of the network. A reboot of the computer fixes the problem. What do you do to resolve this issue?

Update the network card driver.

16) Your system is infected with a virus. How do you recover the data?

Install another system. Install the OS with the latest patches, and antivirus with the latest updates. Connect the infected HDD as a secondary drive in the system. Once done, scan and clean the secondary HDD. Once done, copy the files to the new system.

17) How do you join a system to the domain? What type of user can add a system to the domain?

Please visit the article below and read "Adding the Workstation to the Domain": http://www.microsoft.com/technet/pro...003/technologi /directory/

18) What is the difference between a switch and a hub?

A switch sends the traffic only to the port it is meant for. A hub sends the traffic to all the ports.

19) What is a router? Why do we use it?

A router is a switch which uses routing protocols to process and send the traffic. It also receives the traffic and sends it across, but it uses the routing protocols to do so.

20) What are manageable and non-manageable switches?

Switches which can be administered are called manageable switches. For example, we can create VLANs on such a switch. On non-manageable switches we can't do so.
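The forward lookup, reverse lookup and MX record ideas in question 2 can be exercised offline with a tiny in-memory resolver. This is an added example, not code from the original post; the zone data (example.com names, 192.0.2.x addresses, the A, MX and PTR records) is constructed for the example. It goes one step beyond the text with a forward-confirmed reverse DNS check, which is what a defender does before trusting the PTR name that shows up next to an IP address in a log.

```python
import ipaddress

# Constructed zone data for this example (documentation ranges, not real hosts).
A_RECORDS = {
    "www.example.com.": "192.0.2.10",
    "mail1.example.com.": "192.0.2.25",
    "mail2.example.com.": "192.0.2.26",
    "rogue.example.com.": "192.0.2.99",   # its reverse entry points elsewhere
}
MX_RECORDS = {
    # (preference, mail exchanger): the lowest preference is tried first
    "example.com.": [(20, "mail2.example.com."), (10, "mail1.example.com.")],
}
PTR_RECORDS = {
    "10.2.0.192.in-addr.arpa.": "www.example.com.",
    "25.2.0.192.in-addr.arpa.": "mail1.example.com.",
    "26.2.0.192.in-addr.arpa.": "mail2.example.com.",
    "99.2.0.192.in-addr.arpa.": "www.example.com.",  # mismatched reverse entry
}


def fqdn(name):
    """Normalise a name to a lower-case, fully qualified form ending in a dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def forward_lookup(name):
    """Forward lookup: name -> IP address via the A (host) record, or None."""
    return A_RECORDS.get(fqdn(name))


def reverse_name(ip):
    """Build the in-addr.arpa name that a reverse lookup actually queries."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_lookup(ip):
    """Reverse lookup: IP address -> name via the PTR record, or None."""
    return PTR_RECORDS.get(reverse_name(ip))


def mail_servers(domain):
    """The domain's mail servers as (host, ip) pairs in delivery order (MX preference)."""
    exchangers = sorted(MX_RECORDS.get(fqdn(domain), []))
    return [(host, forward_lookup(host)) for _, host in exchangers]


def forward_confirmed(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP.
    A mismatch means the reverse name cannot be trusted to identify the host."""
    name = reverse_lookup(ip)
    return name is not None and forward_lookup(name) == str(ipaddress.ip_address(ip))


if __name__ == "__main__":
    print(forward_lookup("www.example.com"))       # forward lookup
    print(reverse_name("192.0.2.10"))              # the query name behind a reverse lookup
    print(reverse_lookup("192.0.2.10"))            # reverse lookup
    print(mail_servers("example.com"))             # MX records in preference order
    print(forward_confirmed("192.0.2.10"), forward_confirmed("192.0.2.99"))
```

The reverse lookup is nothing more than a forward lookup of a specially built name (the octets reversed under in-addr.arpa), which is why `reverse_name` is shown separately; the PTR for 192.0.2.99 claims to be www.example.com, and the round-trip check exposes that claim.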
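Question 8's APIPA fallback is what usually shows up first in ipconfig output when a client has lost its DHCP server. The following added example (not from the original post) parses a constructed ipconfig listing, with invented adapter names and addresses but the real ipconfig layout, and flags adapters sitting in 169.254.0.0/16, which means the client never obtained a DHCP lease.

```python
import ipaddress

APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")

# Constructed ipconfig output for this example: the adapter names and addresses
# are invented, but the indentation and dot-leader layout follow Windows ipconfig.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.20.30.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.20.30.1
   DNS Servers . . . . . . . . . . . : 10.20.30.5
                                       10.20.30.6

Ethernet adapter Ethernet1:

   Connection-specific DNS Suffix  . :
   Autoconfiguration IPv4 Address. . : 169.254.17.5
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""


def parse_ipconfig(text):
    """Return {adapter name: {setting: [values]}} from ipconfig output."""
    adapters = {}
    current = None
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Adapter headers are unindented and end with a colon.
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = raw.strip().rstrip(":")
            adapters[current] = {}
            last_key = None
            continue
        if current is None:
            continue  # banner lines before the first adapter
        indent = len(raw) - len(raw.lstrip())
        # Setting lines are indented 3 spaces; deeper indentation is a continuation
        # value (e.g. a second DNS server), which may itself contain colons (IPv6).
        if indent > 3 and last_key is not None:
            adapters[current][last_key].append(raw.strip())
            continue
        key, _, value = raw.strip().partition(":")
        key = key.rstrip(" .")          # drop the dot leader
        value = value.strip()
        adapters[current][key] = [value] if value else []
        last_key = key
    return adapters


def address_state(adapters):
    """Classify each adapter's IPv4 address as 'assigned', 'apipa' or 'none'."""
    state = {}
    for name, settings in adapters.items():
        addrs = settings.get("IPv4 Address", []) + settings.get("Autoconfiguration IPv4 Address", [])
        if not addrs:
            state[name] = "none"
            continue
        ip = ipaddress.ip_address(addrs[0].split("(")[0].strip())  # strip a "(Preferred)" suffix
        state[name] = "apipa" if ip in APIPA_RANGE else "assigned"
    return state


def apipa_adapters(text):
    """Adapters that fell back to APIPA, i.e. most likely never got a DHCP lease."""
    return [name for name, s in address_state(parse_ipconfig(text)).items() if s == "apipa"]


if __name__ == "__main__":
    for name, s in address_state(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        print(f"{name}: {s}")
    print("DHCP suspect:", apipa_adapters(SAMPLE_IPCONFIG))
```

An adapter with an APIPA address and an empty Default Gateway line is the signature the question describes: the host can still talk to other 169.254.x.x hosts on the same segment, but nothing else, so the DHCP server (or the path to it) is the first thing to check.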

Oct 7: VMware Questions and Answers

1. Is the VMware kernel a Linux/Unix kernel? The VMware kernel is a proprietary kernel and is not based on any of the UNIX operating systems; it's a kernel developed by VMware.

2. Does the VMkernel boot by itself? The VMkernel can't boot by itself, so it takes the help of a 3rd-party operating system. In the case of VMware the kernel is booted by the Red Hat Linux operating system, which is known as the service console.

3. What is the service console? The service console is developed based upon the Red Hat Linux operating system; it is used to manage the VMkernel.

4. Which command is used to restart the webaccess service on VMware? service vmware-webaccess restart (this will restart the Apache Tomcat app)

5. What is the command to restart the ssh service on VMware? service sshd restart

6. What is the command to restart the host agent (vmware-hostd) on a VMware ESX server? service mgmt-vmware restart

7. What is the path of struts-config.xml? /usr/lib/vmware/webAccess/tomcat/apache-tomcat-5.5.17/webapps/ui/WEB-INF/

8. What is the command to start the scripted install? esx ks=nfs:111.222.333.444:/data/KS.config ksdevice=eth0 (location, device name)

9. The virtual network, simply: Virtual NIC(s) on virtual machine(s) -----> Physical NIC on the ESX server (virtual switch, 56 ports) -----> Physical switch port, which should be trunked with all the VLANs to which the VMs need access. All the ESX servers should be configured with the same number of physical NICs (vSwitches) and the connectivity should also be the same, so that vMotion succeeds. All the virtual machines are connected to one vSwitch with different VLANs; this means the physical NIC (vSwitch) needs to be trunked with the same VLANs on the physical switch port.

10. What are the three port groups present in ESX server networking?
1. Virtual Machine Port Group - used for the virtual machine network
2. Service Console Port Group - used for service console communications
3. VMkernel Port Group - used for VMotion, iSCSI and NFS communications

11. What is the use of a port group? The port group segregates the type of communication.

12. What are the types of communication which require an IP address for sure? Service Console and VMkernel (VMotion and iSCSI); these communications do not happen without an IP address (whether it is a single or a dedicated one).

13. In the ESX server licensing features, the VMotion license shows as "Not used". Why? Even though the license box is selected, it shows as "License Not Used" until you enable the VMotion option for a specific vSwitch.

14. How does virtual machine port group communication work? All the VMs which are configured in the VM port group are able to connect to the physical machines on the network. So this port group enables communication between the vSwitch and the physical switch to connect VMs to physical machines.

15. What is a VLAN? A VLAN is a logical configuration on the switch port to segment the IP traffic. For this to happen, the port must be trunked with the correct VLAN ID.

16. Do the vSwitches support VLAN tagging? Why? Yes, the vSwitches support VLAN tagging; otherwise, if the virtual machines in an ESX host are connected to different VLANs, we would need to install a separate physical NIC (vSwitch) for every VLAN. That is the reason VMware included VLAN tagging for vSwitches. Every vSwitch supports up to 1016 ports, and by the way they can support 1016 VLANs if needed, but an ESX server doesn't support that many VMs.

17. What is promiscuous mode on a vSwitch? What happens if it is set to Accept? If promiscuous mode is set to Accept, all the communication is visible to all the virtual machines; in other words all the packets are sent to all the ports on the vSwitch. If promiscuous mode is set to Reject, the packets are sent only to the intended port, so that only the intended virtual machine is able to see the communication.

18. What is MAC Address Changes? What happens if it is set to Accept? When we create a virtual machine the configuration wizard generates a MAC address for that machine; you can see it in the .vmx (VM config) file. If it doesn't match the MAC address in the OS, this setting does not allow incoming traffic to the VM. So by setting the Reject option both MAC addresses will remain the same, and the incoming traffic will be allowed to the VM.

19. What is Forged Transmits? What happens if it is set to Accept? When we create a virtual machine the configuration wizard generates a MAC address for that machine; you can see it in the .vmx (VM config) file. If it doesn't match the MAC address in the OS, this setting does not allow outgoing traffic from the VM. So by setting the Reject option both MAC addresses will remain the same, and the outgoing traffic will be allowed from the VM.
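Questions 17 to 19 describe the three vSwitch security policy options. The simulation below is an added example, neither VMware's code nor the post's: it models a port group with constructed ports and frames (invented VM names and MAC addresses) and shows which VMs see a frame under Reject versus Accept for promiscuous mode, MAC address changes and forged transmits. Reject for all three is the hardened setting: a guest that changes its MAC loses inbound traffic, a guest that sends with a source MAC that is not its own has the frame dropped, and no guest sees traffic addressed to another port.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class SecurityPolicy:
    """vSwitch / port group security policy; True = Accept, False = Reject."""
    promiscuous_mode: bool = False
    mac_address_changes: bool = False
    forged_transmits: bool = False


@dataclass
class Port:
    name: str
    initial_mac: str    # generated when the VM was created, stored in the .vmx
    effective_mac: str  # the address the guest OS is actually using right now


@dataclass
class Frame:
    src: str
    dst: str
    payload: str = ""


def port_enabled(port, policy):
    """MAC Address Changes = Reject: a port whose guest moved its effective MAC
    away from the .vmx value stops receiving frames."""
    if policy.mac_address_changes:
        return True
    return port.initial_mac.lower() == port.effective_mac.lower()


def outbound_allowed(port, frame, policy):
    """Forged Transmits = Reject: frames whose source MAC is not the port's
    effective MAC are dropped before they reach the vSwitch."""
    if policy.forged_transmits:
        return True
    return frame.src.lower() == port.effective_mac.lower()


def receivers(ports, frame, policy):
    """Ports that get a copy of the frame under the promiscuous-mode setting."""
    out = []
    for port in ports:
        if not port_enabled(port, policy):
            continue
        addressed_here = frame.dst.lower() in (port.effective_mac.lower(), BROADCAST)
        if policy.promiscuous_mode or addressed_here:
            out.append(port.name)
    return out


def forward(ports, sender, frame, policy):
    """Simulate one frame from `sender` through the vSwitch; return who sees it."""
    src_port = next(p for p in ports if p.name == sender)
    if not outbound_allowed(src_port, frame, policy):
        return []
    others = [p for p in ports if p.name != sender]
    return receivers(others, frame, policy)


# Constructed port table: vm3's guest has changed its MAC away from the .vmx value.
PORTS = [
    Port("vm1", "00:50:56:aa:00:01", "00:50:56:aa:00:01"),
    Port("vm2", "00:50:56:aa:00:02", "00:50:56:aa:00:02"),
    Port("vm3", "00:50:56:aa:00:03", "00:50:56:aa:00:ff"),
]
REJECT_ALL = SecurityPolicy()                    # hardened: Reject / Reject / Reject
ACCEPT_ALL = SecurityPolicy(True, True, True)    # permissive: Accept for all three


def demo():
    unicast = Frame("00:50:56:aa:00:01", "00:50:56:aa:00:02", "vm1 -> vm2")
    spoofed = Frame("00:50:56:aa:00:02", "00:50:56:aa:00:01", "vm1 using vm2's MAC")
    bcast = Frame("00:50:56:aa:00:01", BROADCAST, "ARP who-has")
    return {
        "unicast_reject": forward(PORTS, "vm1", unicast, REJECT_ALL),
        "unicast_accept": forward(PORTS, "vm1", unicast, ACCEPT_ALL),
        "spoofed_reject": forward(PORTS, "vm1", spoofed, REJECT_ALL),
        "spoofed_accept": forward(PORTS, "vm1", spoofed, ACCEPT_ALL),
        "bcast_reject": forward(PORTS, "vm1", bcast, REJECT_ALL),
    }


if __name__ == "__main__":
    for case, seen_by in demo().items():
        print(f"{case:15s} seen by {seen_by}")
```

Under the Reject policy only vm2 sees the unicast and the broadcast (vm3 is cut off because its effective MAC no longer matches the .vmx value), and the frame with a borrowed source MAC never leaves vm1's port; under Accept every port sees every frame, including the spoofed one.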

20. What are the core services of VC? VM provisioning, task scheduling and event logging.

21. Can we do vMotion between two datacenters? If possible, how? Yes, we can do vMotion between two datacenters, but the mandatory requirement is that the VM should be powered off.

22. What is the VC agent? What service does it correspond to? What are the minimum requisites for VC agent installation? The VC agent is an agent installed on the ESX server which enables communication between VC and the ESX server. The daemon associated with it is called vmware-hostd, and the service which corresponds to it is called mgmt-vmware; in the event of a VC agent failure, just restarting the service by typing the following command at the service console helps: service mgmt-vmware restart. The VC agent is installed on the ESX server when we add it to VC, so at the time of installation if you are getting an error like "VC Agent service failed to install", check whether the /opt size is sufficient or not.

23. How can you edit VI Client settings and VC Server settings? Click the Edit menu in VC and select Client Settings to change VI settings. Click the Administration menu in VC and select VC Management Server Configuration to change VC settings.

24. What are the files that make up a virtual machine?
.vmx - virtual machine configuration file
.nvram - virtual machine BIOS
.vmdk - virtual machine disk file
.vswp - virtual machine swap file
.vmsd - virtual machine snapshot database
.vmsn - virtual machine snapshot file
.vmss - virtual machine suspended state file
.vmware.log - current log file
.vmware-#.log - old log file

25. What are the devices that can be added while the virtual machine is running? In VI 3.5 we can add hard disks and NICs while the machine is running. In vSphere 4.0 we can add memory and processors along with HDDs and NICs while the machine is running.

26. How do you set the time delay for the BIOS screen of a virtual machine? Right-click the VM, select Edit Settings, choose the Options tab and select Boot Options, then set the delay you want.

27. What is a template? We can convert a VM into a template, and it cannot be powered on once it's changed to a template. This is used for quick provisioning of VMs.

23. What do you do to customize a Windows virtual machine clone? Copy the sysprep files to the Virtual Center directory on the server, so that the wizard will take advantage of them.

24. What do you do to customize a Linux/Unix virtual machine clone? VC itself includes the customization tools, as these operating systems are available as open source.

25. Does cloning from a template work between two datacenters? Yes, it can: if the template is in one datacenter, we can deploy the VM from that template in another datacenter without any problem.

26. What are the common issues with snapshots? What stops you from taking a snapshot and how do you fix it? If you configure the VM with mapped LUNs, then the snapshot fails. If it is mapped as virtual then we can take a snapshot of it. If you configure the VM with mapped LUNs as physical, you need to remove it to take a snapshot.

27. What are the settings that are taken into consideration when we initiate a snapshot?
- Virtual machine configuration (what hardware is attached to it)
- State of the virtual machine hard disk file (to revert back if needed)
- State of the virtual machine memory (if it is powered on)

28. What are the requirements for converting a physical machine to a VM?
- An agent needs to be installed on the physical machine
- The VI client needs to be installed with the Converter plug-in
- A server to import/export virtual machines

29. What is VMware Consolidated Backup? It is a backup framework which supports 3rd-party utilities to take backups of ESX servers and virtual machines. It's not a backup service.

30. To open the Guided Consolidation tool, what are the user requirements?
- The user must be a member of Administrators
- The user should have "Log on as a service" privileges; to give a user these privileges, open Local Security Policy, select the "Log on as a service" policy and add the user
- The user should have read access to AD to send queries

31. What is the difference between HA and VMotion? VMotion and HA are not related and are not dependent on each other. DRS has a dependency on vMotion, but HA does not. HA is used in the event that a host fails: you can have your virtual machines restart on another host in the cluster. vMotion allows you to move a virtual machine from one host to another while it is running, without service interruption. Ideally you will utilize vMotion, HA and DRS within your cluster to achieve a well balanced VI environment.

So HA failover is not really seamless, since you mentioned it has virtual machines restart on another host in the cluster? No, your VMs will go down if there is a host failure and then HA will restart them on another ESX host in the cluster. This is where DRS will take over and start to balance out the load across the remaining ESX hosts in the cluster using vMotion.

32. What is DRS? DRS: Distributed Resource Scheduling (YouTube video). VMware DRS dynamically balances computing capacity across a collection of hardware resources aggregated into logical resource pools, continuously monitoring utilization across resource pools and intelligently allocating available resources among the virtual machines based on pre-defined rules that reflect business needs and changing priorities. When a virtual machine experiences an increased load, VMware DRS automatically allocates additional resources by redistributing virtual machines among the physical servers in the resource pool. VMware DRS allows IT organizations to:
- Prioritize resources to the highest value applications in order to align resources with business goals
- Optimize hardware utilization automatically and continuously to respond to changing conditions
- Provide dedicated resources to business units while still profiting from higher hardware utilization through resource pooling
- Conduct zero-downtime server maintenance
- Lower power consumption costs by up to 20 percent

33. What is HA? HA: High Availability (YouTube video). vSphere High Availability (HA) delivers the availability needed by many applications running in virtual machines, independent of the operating system and application running in it. HA provides uniform, cost-effective failover protection against hardware and operating system failures within your virtualized IT environment. HA:
- Monitors virtual machines to detect operating system and hardware failures.
- Restarts virtual machines on other physical servers in the resource pool without manual intervention when server failure is detected.
- Protects applications from operating system failures by automatically restarting virtual machines when an operating system failure is detected.

34. What is DPM in VMware? DPM: Distributed Power Management. VMware Distributed Power Management (DPM) is a pioneering new feature of VMware DRS that continuously monitors resource requirements in a VMware DRS cluster. When resource requirements of the cluster decrease during periods of low usage, VMware DPM consolidates workloads to reduce power consumption by the cluster. When resource requirements of workloads increase during periods of higher usage, VMware DPM brings powered-down hosts back online to ensure service levels are met. VMware DPM allows IT organizations to:
- Cut power and cooling costs in the datacenter
- Automate management of energy efficiency in the datacenter

What is dvSwitch? Distributed vSwitch. It's a new feature introduced in vSphere 4.0. The configuration of the vDS is centralized in vCenter. The ESX/ESXi 4.x and ESXi 5.x hosts that belong to a dvSwitch do not need further configuration to be compliant. Distributed switches provide functionality similar to vSwitches. A dvPortgroup is a set of dvPorts; it is the vDS equivalent of a portgroup, which is a set of ports in a vSwitch. Configuration is inherited from the dvSwitch to the dvPortgroup, like what happens for vSwitch/portgroup. Virtual machines, service console interfaces (vswif) and VMkernel interfaces can be connected to dvPortgroups just as they could be connected to portgroups in vSwitches. Administrative rights are required to create the following virtual adapters on each ESX/ESXi host dvSwitch in vCenter:
- Service console and VMkernel interfaces
- Physical NICs and their assignment to dvSwitch uplink groups

Configuring vNetwork Distributed Switch using vCenter

What is FT in VMware? FT: Fault Tolerance for virtual machines. vSphere Fault Tolerance (FT) provides continuous availability for applications in the event of server failures, by creating a live shadow instance of a virtual machine that is in virtual lockstep with the primary instance. By allowing instantaneous failover between the two instances in the event of hardware failure, FT eliminates even the smallest chance of data loss or disruption. VMware Fault Tolerance FAQ

What is vApps in VMware? vApps: a vApp is a container, the same as a resource pool, but it has some features of virtual machines: a vApp can be powered on or powered off, and it can be cloned too. More details on vApps along with a video.

What is VMsafe? VMsafe: VMsafe's application programming interfaces are designed to help third-party vendors create virtualization security products that better secure VMware ESX; vShield Zones is a security tool that targets the VMware administrator. In other words, VMware VMsafe is a program for integrating partner security solutions into VMware-virtualized environments, offering visibility, control and choice to customers. The result is an approach to virtualized security that provides customers with a choice of enhanced security and IT compliance solutions enabling comprehensive protection for virtual datacenters and cloud environments.

What is vShield? vShield: vShield Zones is essentially a virtual firewall designed to protect VMs and analyze virtual network traffic. This three-part series describes vShield Zones, explains how to install it and provides useful management tips. What's new in vShield 5?

Posted 7th October 2011 by Chandan Patralekh. Labels: REDHAT LINUX, Vshield, Vshields, VMotion, VMWARE, HA, vApps, Vswitch, VMKERNEL, VCB, DRS, dVswitch, VSafe

Sep 29: Some more Active Directory FAQ

Microsoft Active Directory questions.

What is Active Directory? Active Directory is Microsoft's trademarked directory service, an integral part of the Windows 2000 architecture. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories. Active Directory is designed especially for distributed networking environments.

What is LDAP? Short for Lightweight Directory Access Protocol, a set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access. Because it's a simpler version of X.500, LDAP is sometimes called X.500-lite.

Can you connect Active Directory to other 3rd-party directory services? Name a few options. Yes. Microsoft Identity Integration Server (MIIS) is used to connect Active Directory to other 3rd-party directory services (including directories used by SAP, Domino, etc.).

Where is the AD database held? What other folders are related to AD? The AD database is saved in %systemroot%\ntds. You can see other files also in this folder. These are the main files controlling the AD structure:
- ntds.dit
- edb.log
- res1.log
- res2.log
- edb.chk

When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database. During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've discussed.

What is the SYSVOL folder? The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication Service (FRS) can distribute them to other domain controllers within that domain. You can go to the SYSVOL folder by typing: %systemroot%\sysvol

Name the AD NCs and replication issues for each NC. Schema NC, Configuration NC, Domain NC. Schema NC: this NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory. Configuration NC: also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas. Domain NC: this NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.

What are application partitions? When do I use them? There are two answers to this question, A1 and A2, given below.

A1) An Application Directory Partition is a partition space in Active Directory which an application can use to store application-specific data. This partition is then replicated only to some specific domain controllers. The application directory partition can contain any type of data except security principals (users, computers, groups).

A2) These are specific to Windows Server 2003 domains. An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

How do you create a new application partition?
The DnsCmd command is used to create a new application directory partition. For example, to create a partition named NewPartition on the domain controller DC1.contoso.com, log on to the domain controller and type the following command:
dnscmd DC1 /CreateDirectoryPartition NewPartition.contoso.com

How do you view replication properties for AD partitions and DCs?
By using Replication Monitor: go to Start > Run and type replmon.

What is the Global Catalog?
The Global Catalog (GC) contains an entry for every object in an enterprise forest but only a few properties for each object. An entire forest shares a GC, with multiple servers holding copies. You can perform an enterprise-wide forest search only on the properties in the GC, whereas you can search for any property in a user's domain tree. Only Directory Services (DSs) or domain controllers (DCs) can hold a copy of the GC. Configuring an excessive number of GCs in a domain wastes network bandwidth during replication. One GC server per domain in each physical location is sufficient. Windows NT sets servers as GCs as necessary, so you don't need to configure additional GCs unless you notice slow query response times. Because full searches involve querying the whole domain tree rather than the GC, grouping the enterprise into one tree will improve your searches. Thus, you can search for items not in the GC.

How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
where domain_controller is the DC you want to query to determine whether it's a GC. The output will include the text DSA Options: IS_GC if the DC is a GC. You would need a script to make such a query, but you can also check your DNS for SRV records which contain _gc in their name.

Why not make all DCs in a large forest GCs?
When all the DCs become GCs, replication traffic will increase, and we cannot keep the Infrastructure Master and the GC on the same DC, so at least one DC should act without holding the GC role.

Trying to look at the Schema, how can I do that?
Register schmmgmt.dll with the command regsvr32 schmmgmt.dll.

What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing complicated tasks easily. These can also be third-party tools. Some of the Support Tools include DebugViewer, DependencyViewer, RegistryMonitor, etc.

What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.
REPLMON: Replmon displays information about Active Directory replication.
ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL and ADSIEDIT.MSC.
NETDOM: NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
REPADMIN: REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since Exchange Server is Active Directory based. REPADMIN doesn't actually fix replication problems for you, but you can use it to help determine the source of a malfunction.

What are sites? What are they used for?
Active Directory (AD) sites, which consist of well-connected networks defined by IP subnets that help define the physical structure of your AD, give you much better control over replication traffic and authentication traffic than the control you get with Windows NT 4.0 domains. Because AD relies on IP, all LAN segments should have a defined IP subnet. This makes creating your AD site structure straightforward; you simply group well-connected subnets to form a site. Creating AD sites benefits you in several ways, the first of which is that creating these sites lets you control replication traffic over WAN links. This control is important in Windows 2000 because any Win2K domain controller (DC) can originate changes to AD. To ensure that a change you make on one DC propagates to all DCs, Win2K uses multimaster replication (instead of the single-master replication that NT 4.0 uses). You might think that multimaster replication would make it difficult to plan for AD replication's effect on your WAN links, but you can overcome this obstacle using AD sites.

What's the difference between a site link's schedule and interval?
A site link is a physical connection object on which the replication transport mechanism depends. Basically, it is the type of communication mechanism used to transfer data between different sites. The site link schedule is simply when the replication process is allowed to take place, and the interval is how many times replication takes place within a given time period, i.e. within the site link schedule.

What is the KCC?
KCC stands for Knowledge Consistency Checker. It is part of the ISTG role in Active Directory. The KCC checks and, as an option, recreates topology information for the Active Directory domain.

What is the ISTG? Who has that role by default?
Windows 2000 domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).

What are the requirements for installing AD on a new server?
- An NTFS partition with enough free space (if you have FAT or FAT32, use the command convert c: /fs:ntfs to convert it to NTFS)
- An Administrator's username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and, optionally, a default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A domain name that you want to use
- The Windows Server 2003 CD media (or at least the i386 folder)
- Brains (recommended, not required...)

What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
Install from Media. In Windows Server 2003 a new feature has been added, and this time it's one that will actually make our lives easier... You can promote a domain controller using files backed up from a source domain controller! This feature is called "Install from Media" and it's available by running DCPROMO with the /adv switch. It's not a replacement for network replication; we still need network connectivity, but now we can use an old System State copy from another Windows Server 2003 DC, copy it to our future DC, and have the first and basic replication take place from the media instead of across the network, thus saving valuable time and network resources.
What you basically have to do is back up the System State of an existing domain controller, restore that backup to your replica candidate, and use DCPromo /Adv to tell it to source from local media rather than a network source. This also works for global catalogs. If we perform a backup of a global catalog server, then we can create a new global catalog server by performing DCPromo from that restored media.
IFM Limitations
- It only works for the same domain, so you cannot back up a domain controller in domain A and create a new domain B using that media.
- It's only useful up to the tombstone lifetime, with a default of 60 days. So if you have an old backup, then you cannot create a new domain controller using it, because you'll run into the problem of reanimating deleted objects.
Answer link: http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm

How can you forcibly remove AD from a server, and what do you do later?

Demoting Windows Server 2003 DCs:
DCPROMO (Active Directory Installation Wizard) is a toggle switch which allows you to either install or remove Active Directory on DCs. To forcibly demote a Windows Server 2003 DC, run the following command either at Start > Run or at the command prompt:
dcpromo /forceremoval
Note: If you're running Certificate Services on the DC, you must first remove Certificate Services before continuing.
If you specify the /forceremoval switch on a server that doesn't have Active Directory installed, the switch is ignored and the wizard pretends that you want to install Active Directory on that server. Once the wizard starts, you will be prompted for the Administrator password that you want to assign to the local administrator in the SAM database. If you have Windows Server 2003 Service Pack 1 installed on the DC, you'll benefit from a few enhancements. The wizard will automatically run certain checks and will prompt you to take appropriate actions. For example, if the DC is a Global Catalog server or a DNS server, you will be prompted. You will also be prompted to take an action if your DC is hosting any of the operations master roles.
Demoting Windows 2000 DCs:
On a Windows 2000 domain controller, forced demotion is supported with Service Pack 2 and later. The rest of the procedure is similar to the procedure I described for Windows Server 2003. Just make sure that while running the wizard, you clear the "This server is the last domain controller in the domain" check box. On Windows 2000 Servers you won't benefit from the enhancements in Windows Server 2003 SP1, so if the DC you are demoting is a Global Catalog server, you may have to manually promote some other DC to a Global Catalog server.

Cleaning the Metadata on a Surviving DC:

Once you've successfully demoted the DC, your job is not quite done yet. Now you must clean up the Active Directory metadata. You may be wondering why you need to clean the metadata manually. The metadata for the demoted DC is not deleted from the surviving DCs because you forced the demotion. When you force a demotion, Active Directory basically ignores other DCs and does its own thing. Because the other DCs are not aware that you removed the demoted DC from the domain, the references to the demoted DC need to be removed from the domain. Although Active Directory has made numerous improvements over the years, one of the biggest criticisms of Active Directory is that it doesn't clean up the mess very well. This is obvious in most cases but, in other cases, you won't know it unless you start digging deep into the Active Directory database.
To clean up the metadata you use NTDSUTIL. The following procedure describes how to clean up metadata on Windows Server 2003 SP1. According to Microsoft, the version of NTDSUTIL in SP1 has been enhanced considerably and does a much better job of clean-up, which obviously means that the earlier versions didn't do a very good job. For Windows 2000 DCs, you might want to check out Microsoft Knowledge Base article 216498, "How to remove data in Active Directory after an unsuccessful domain controller demotion."
Here's the step-by-step procedure for cleaning metadata on Windows Server 2003 DCs:
1. Log on to the DC as a Domain Administrator.
2. At the command prompt, type ntdsutil.
3. Type metadata cleanup.
4. Type connections.
5. Type connect to server servername, where servername is the name of the server you want to connect to.
6. Type quit or q to go one level up. You should be at the Metadata Cleanup prompt.
7. Type select operation target.
8. Type list domains. You will see a list of domains in the forest, each with a different number.
9. Type select domain number, where number is the number associated with the domain of your server.
10. Type list sites.
11. Type select site number, where number is the number associated with the site of your server.
12. Type list servers in site.
13. Type select server number, where number is the number associated with the server you want to remove.
14. Type quit to go to the Metadata Cleanup prompt.
15. Type remove selected server. You should see a confirmation that the removal completed successfully.
16. Type quit to exit ntdsutil.
You might also want to clean up the DNS database by deleting all DNS records related to the server. In general, you will have better luck using forced demotion on Windows Server 2003, because the naming contexts and other objects don't get cleaned as quickly on Windows 2000 Global Catalog servers, especially servers running Windows 2000 SP3 or earlier. Due to the nature of forced demotion and the fact that it's meant to be used only as a last resort, there are additional things that you should know about forced demotion. Even after you've used NTDSUTIL to clean the metadata, you may still need to do additional cleaning manually using ADSIEdit or other such tools. You might want to check out Microsoft's Knowledge Base article 332199, "Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server," for more information.
Read the original full answer at http://redmondmag.com/columns/print.asp?EditorialsID=1352

Also worth reading: http://www.petri.co.il/forcibly_removing_active_directoy_from_dc.htm

Can I get user passwords from the AD database?

To my knowledge there is no way to extract the password from the AD database. By the way, there is a tool called cache dump. Using it we can extract the cached passwords from a Windows XP machine which is joined to a domain.

What tool would I use to try to grab security-related packets from the wire?
Network Monitor, Ethereal or Wireshark.

Name some OU design considerations.
- Design the OU structure based on Active Directory business requirements
- NT resource domains may fold up into OUs
- Create nested OUs to hide objects
- Objects are easily moved between OUs
- Departments, geographic region, job function, object type
Good article about OU design: http://www.windowsnetworking.com/articles_tutorials/Clearing-Confusion-OU-Design.html

What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the Configuration NC. To change the tombstone lifetime attribute, read this article: http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm

What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
Before you can introduce Windows Server 2003 domain controllers, you must prepare the forest and domains with the ADPrep utility:
ADPrep /forestprep on the schema master in your Windows 2000 forest.
ADPrep /domainprep on the Infrastructure Master in each AD domain.
ADPrep is located in the i386 directory of the Windows Server 2003 install media.
Note: In Windows Server 2003 R2, ADPrep is not located in the same folder as in the older Windows Server 2003 media; instead you need to look for it on the second CD. You see, Windows Server 2003 R2 comes on two installation disks. Installation disk 1 contains a slipstreamed version of Windows Server 2003 with Service Pack 2 (SP2). Installation disk 2 contains the Windows Server 2003 R2 files. The correct version of the ADPrep.exe tool for Windows Server 2003 R2 is 5.2.3790.2075. You can find the R2 ADPrep tool in the following folder on the second CD: drive:\CMPNENTS\R2\ADPREP\ (where drive is the drive letter of your CD-ROM drive). Read more about ADPrep and Windows Server 2003 R2 in KB 917385.
Exchange 2000 note: Please make sure you read "Windows 2003 ADPrep Fix for Exchange 2000" before installing the first Windows Server 2003 DC in your existing organization.

Microsoft recommends that you have at least Service Pack (SP) 2 installed on your domain controllers before running ADPrep. SP2 fixed a critical internal AD bug which can manifest itself when extending the schema. There were also some fixes to improve the replication delay that can be seen when indexing attributes.
ADPrep is similar to the Exchange setup.exe /forestprep and /domainprep switches. The Exchange /forestprep command extends the schema and adds some objects in the Configuration Naming Context. The Exchange /domainprep command adds objects within the Domain Naming Context of the domain it is being run on and sets some ACLs. The ADPrep command follows the same logic and performs similar tasks to prepare for the upgrade to Windows Server 2003.
The ADPrep /forestprep command extends the schema with quite a few new classes and attributes. These new schema objects are necessary for the new features supported by Windows Server 2003. You can view the schema extensions by looking at the .ldf files in the \i386 directory on the Windows Server 2003 CD. These files contain LDIF entries for adding and modifying new and existing classes and attributes. Since the schema is extended and objects are added in several places in the Configuration NC, the user running /forestprep must be a member of both the Schema Admins and Enterprise Admins groups.
The ADPrep /domainprep command creates new containers and objects, modifies ACLs on some objects, and changes the meaning of the Everyone security principal. Before you can run ADPrep /domainprep, you must be sure that the updates from /forestprep have replicated to all domain controllers in the forest. /domainprep must be run on the Infrastructure Master of a domain and under the credentials of someone in the Domain Admins group.
You can view detailed output of the ADPrep command by looking at the log files in the %Systemroot%\system32\debug\adprep\logs directory. Each time ADPrep is executed, a new log file is generated that contains the actions taken during that particular invocation. The log files are named based on the time and date ADPrep was run. Once you've run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2003 or installing new Windows Server 2003 domain controllers.

What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new DFS replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later). Here's a sample execution of the Adprep /forestprep command:

D:\CMPNENTS\R2\ADPREP>adprep /forestprep

ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
For more information about preparing your forest and domain see KB article Q331161 at http://support.microsoft.com.
[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.........
139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.

After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.

How would you find all users that have not logged on since last month?
If you are using a Windows 2003 domain environment, go to Active Directory Users and Computers, select Saved Queries, right-click it and select New Query. Then, using the custom common queries and Define Query, there is one which shows days since last logon.

What are the DS* commands?
The answer is at http://www.computerperformance.co.uk/Logon/DSadd_DSmod_DSrm.htm
DSmod - modify Active Directory attributes
DSrm - delete Active Directory objects
DSmove - relocate objects

DSadd - create new accounts
DSquery - find objects that match your query attributes
DSget - list the properties of an object

DSmod
Adding objects is great, but there are times in Windows 2003 when you need to change Active Directory properties. Scenario: you wish to quickly change a user's password. This is a task you are going to have to do regularly, and you would like to be able to do it quickly from the command line. Let us now modify the user's password with DSmod.

Example 1 - Modify Password
Log on to your domain controller. Check which users you have; if necessary create an OU called guyds and a user called guyt. Examine the script below. Decide how cn=, ou= or dc= need editing. Run CMD, then copy your script and paste it into the command window. Alternatively type it starting with dsmod user .........
Command: dsmod user "cn=guyt, ou=guyds, dc=cp, dc=com" -pwd a1yC24kg

Example 2 - Create User WITH Password
Note 1: We could have created the password at the same time we created the user. For ease of learning I introduce one variable at a time. However, here is the complete command to add a user with a password.
Command: dsadd user "cn=pault, ou=guyds, dc=cp, dc=com" -pwd a1yC24kg

Example 3 - Modify Groups
Another use of DSmod is to add members to a group. In this instance you need the full distinguished name (DN) of the group, then the -addmbr switch followed by the DN of the users. Tricky method! Try dsmod group /? for more help. Problems? Contact Guy Thomas; see below for email address.

Introduction to DSadd
DSadd is the most important member of this DS scripting family. The primary use of DSadd is to quickly add user accounts to Windows Server 2003 Active Directory. However, you can also use this method to create OUs, computers, groups, or even contacts.

Creating an OU - DSadd ou....
Let us create an OU (organizational unit) to hold the rest of the test objects. Edit the dc=cp and dc=com to the fully qualified name of your Windows 2003 domain. As ever, pay close attention to the syntax; for instance the DN "ou=guyds, dc=cp, dc=com" is enclosed in double speech marks. Single 'speech marks' will not work. Also remember that DS is new in Windows 2003, so it will not work in Windows 2000.

Example 1 - Using DSadd to Create an Organizational Unit in Windows 2003
Preparation: Log on to your domain controller. Examine the script below. Edit ou= or dc= to reflect YOUR domain. Run CMD, then copy your script and paste it into the command window. Alternatively type it starting with dsadd ou .........

Command: dsadd ou "ou=guyds, dc=cp, dc=com"
Note 1: dsadd ou. This command tells Active Directory which object to create, in this case an OU (not a user).
Note 2: You only really need speech marks if there is a space in any of your names. So ou=guyds, dc=cp, dc=com would work fine, but ou=GUY Space DS, dc=cp, dc=com fails because of the spaces in the GUY Space DS name. In this second example you would type: "ou=GUY Space DS, dc=cp, dc=com"

Example 2 - Employing DSadd to Create a User (assumes you have completed Example 1)
The purpose of this example is to create a new user in an OU called guyds.
Preparation: Log on to your domain controller. Examine the script below. Decide if cn=, ou= or dc= need editing. Run CMD, then copy your script and paste it into the command window. Alternatively type it starting with dsadd user .........

Creating a User - DSadd user....
Command: dsadd user "cn=guyt, ou=guyds, dc=cp, dc=com"
Note: DSadd requires the complete distinguished name. Note also that the distinguished name is encased in double "speech marks". I expect you spotted that the user will be created in the guyds organizational unit that was created in the first example. Change cn=guyt to a different user name if you wish.

DS Error Messages
DS has its own family of error messages. I found that they are specific and varied; just remember to pay attention to detail. READ ERROR MESSAGES SLOWLY.

New DS built-in tools for Windows Server 2003
At last I have found a really useful member of the DS family of utilities. If I need to find a user quickly from the command prompt, I call for DSQuery.

Example 1 - DSQuery to list all the OUs in your domain
Let us find out how many Organizational Units there are in your domain. This command will produce a listing of all OUs.
Commands:
dsquery ou dc=mydom,dc=com
or
dsquery ou domainroot
Learning Points
Note 1: dc does NOT mean domain controller, it means domain context.
Note 2: The dc commands are not case sensitive, but they dislike spaces. dc=mydom, dc=com will draw an error.
Note 3: If you haven't got any OUs (Organizational Units), I seriously suggest that you create some to organize your users.
Note 4: Best of all, in this scenario, you can substitute domainroot for dc=cp.

Example 2 - To find all users in the default Users folder with DSQuery
In this example we just want to trawl the Users folder and find out who is in that container.
Commands:
dsquery user cn=users,dc=cp,dc=com
Learning Points
Note 1: The default Users folder is actually a container object called cn=users. My point is, if you try ou=users, the command fails.
Note 2: I queried users; however, dsquery requires the singular user, not userS. Other objects that you can query are computer (not computers!), group or even contact.
Challenge 1: Substitute OU=xyz for cn=users, where xyz is the name of your OU. Unfortunately, cn=users domainroot does not work.
Challenge 2: Substitute computer for user.

Example 3 - DSQuery to list all your Domain Controllers
Suppose you want to list all of your domain controllers (not computers). Which command do you think would supply the information?
Commands:
dsquery server
dsquery server domainroot
dsquery server dc=cp,dc=com

Learning Points Note 1: Amazingly, dsquery server, the simplest command get the job done. Note 2: I thank Jim D for pointing out that we want here is the singular 'server'. Example 4 - To query the FSMO roles of your Domain Controllers Here is a wonderful command to find the FSMO roles (Flexible Single Master Roles) hasfsmo. The arguments, which correspond to the 5 roles are: schema, rid, name, infr and pdc. Commands: dsquery server -hasfsmo schema Learning Points Note 1: The command is -hasfsmo not ?hasfsmo as in some documents. Example 5 - DSQuery to find all users whose name begins with smith* This DSQuery example shows two ways to filter your output and so home in on what you are looking for. Let us pretend that we know the user's name but have no idea which OU they are to be found. Moreover, we are not sure whether their name is spelt Smith, Smithy or Smithye. Commands : dsquery user domainroot -name smith* or dsquery user dc=cp,dc=com -name smith* d or plain dsquery user smith* Learning Points Note 1: Remember to type the singular user. Note 2: Probably no need to introduce *, you probably realize it's a wildcard. Note 3: -name is but one of a family of filters. -desc or -disabled are others. Example 6 - DSQuery to filter the output with -o rdn The purpose of -o rdn is to reduce the output to just the relative distinguished name. In a nutshell rdn strips away the OU=, DC= part which you may not be interested in. Command: dsquery user -name smith* -o rdn Learning Points Note 1: o is the letter oh (not a number). In my minds eye o stands for output. Note 2: There is a switch -o dn, but this is not a switch I use. Summary - DSQuery Knowledge is power. The DS family in general and DSQuery in particular, are handy commands for interrogating Active Directory from the command line. Perhaps the day will come when you need to find a user, computer or group without calling for the Active Users and Computers GUI. DSGet DSGet is a logical progression from DSQuery. 
The idea is that when DSQuery returns a list of objects, DSGet can interrogate those objects for extra properties such as, description, manager or department. Naturally this pre-supposes you entered the relevant information in the user's properties sheet! Introduction to DSGet My assumption is that you are comfortable with DSQuery, if this is not the case take the time to have a refresher Next a reminder to pay close attention to DS syntax. In this instance what we need is a pipe symbol ( ) to join DSQuery with DSGet. Just to be clear, you type this pipe () with the shift key and the key next to the Z. (A colon : would produce an error). Example 1 To Check that DSQuery is working Let build a solid foundation with a DSQuery (Only found on a Windows Server 2003 DC) Commands:

dsquery user domainroot -name smith* or dsquery user -name smith* Learning Points Note 1: You need a Windows Server 2003 machine. Perhaps you could remote desktop into such a server? Note 2: Feel free to change smith* to one of your users. Better still, create a test account and start filling in those user properties. Note 3: This example is just to build a foundation. Now let us move on to DSGet. Example 2 Basic DSGet We need to interrogate the output for more information. So we use DSGet to retrieve the description. Commands: dsquery user domainroot -name smith* or dsquery user -name smith* dsget user -dn -desc Learning Points for DSGet Note 1: Master the pipe command which separates dsquery from dsget. To create , Hold down the shift key while pressing the key next to the Z. Note 2: Even though dsquery told the operating system it was a user object, dsget still has to invoke user in its section of the command. Challenge: See what happens if you omit the -dn. Example 3 - Which extra properties shall we query? -display Display name is different from the user's description field. If you haven't done so already, time to get a user's properties sheet and start filling in those attribute boxes. -office Useful property -sn This command does not work. What's the matter with -sn? I will tell you what's wrong; dsget requires -ln instead of -sn and -fn instead of givenName grrrrrrrrrrrrrrrrrr. Calm down Guy, go with the flow; think of all these useful switches. O.K. No more moaning. DSGet is actually fun and productive. Guess what information these switches return? -email, -tel, -mgr, -mobile Answers: General (tab), email address, telephone number, Organization (tab), Manager, Telephones (tab), Mobile. Now find them on the user's properties sheet. Example 4 - Change the DSget output. They say the old tricks the best, so let us try exporting the DSGet output not to screen but a text file. 
Here we need a different type of pipe command; this time it's the greater-than symbol, for example > filename.txt. So, just tag > filename.txt onto the end of your DS command. Follow up with: notepad filename.txt. Commands:

dsquery user domainroot -name smith* | dsget user -fn -ln -mgr > dsget.txt
or
dsquery user -name smith* | dsget user -fn -ln -mgr > dsget.txt

Learning Points
Note 1: To read the file, type: notepad dsget.txt
Note 2: I am impressed by the column format of the output.

I would like to leave you with a few more DSGet objects that you can interrogate or experiment with. In addition to user, there are the following DSGet commands: computer, also server (meaning DC), ou, group, even site and subnet.

Note: There are also two commands called partition and quota; however, in the context of DSGet, partition and quota refer to Active Directory, not disk. For example, the application partition in Active Directory. To tell the truth, it was a big disappointment that DSGet did not return the disk information, but on reflection I was expecting the impossible. DSGet partition means Active Directory partition.

Summary - DSGet

As far as DSGet is concerned, I have come from Philistine to champion. Now I really enjoy the challenge of DSGet and appreciate the way it works hand in glove with DSQuery. It also reminds me of that old truism: the more you know, the easier it gets.

What's the difference between LDIFDE and CSVDE? Usage considerations?

CSVDE is a command that can be used to import and export objects to and from the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go to length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info.

Like CSVDE, LDIFDE is a command that can be used to import and export objects to and from the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor; however, it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.
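As an added example (not part of the original article), the script below shows the LDIF features that CSVDE lacks: a changetype: modify entry that replaces a user's description and a changetype: delete entry, imported with LDIFDE and then verified with the dsquery | dsget pipeline from the DSGet examples above. The OU OU=Test,DC=example,DC=com and the two accounts Test Smith and Old Account are constructed placeholders for a lab; change them before running.

```powershell
# Added example, not from the original article. Shows why LDIFDE can edit and
# delete objects while CSVDE can only add them: a CSV row has no place for a
# changetype, an LDIF entry does. Run from an elevated prompt on a DC or a
# machine with the AD admin tools installed.
# ASSUMPTION: a lab OU and two test accounts with the DNs below exist.
$testOu     = 'OU=Test,DC=example,DC=com'          # constructed placeholder
$ldifPath   = Join-Path $env:TEMP 'changes.ldf'
$exportPath = Join-Path $env:TEMP 'users-before.ldf'

# 1. Export the current state. LDIFDE and CSVDE share these switches:
#    -f output file, -d search root DN, -r LDAP filter, -l attribute list.
#    CSVDE could do this step equally well; it is the import below it cannot do.
ldifde -f $exportPath -d $testOu -r "(objectClass=user)" -l "cn,description"

# 2. Build the LDIF. Every entry starts with a dn: line and a changetype:.
#    A 'modify' entry lists one operation (add / replace / delete) per
#    attribute, each closed by a line containing only '-'.
#    A 'delete' entry needs nothing but the dn.
$ldif = @"
dn: CN=Test Smith,$testOu
changetype: modify
replace: description
description: Updated via LDIFDE on $(Get-Date -Format yyyy-MM-dd)
-

dn: CN=Old Account,$testOu
changetype: delete

"@
# LDIFDE reads ANSI text by default; ASCII is sufficient for these entries.
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# 3. Import. -i switches LDIFDE to import mode, -k continues past
#    "object already exists" / constraint-violation errors so one bad entry
#    does not abort the batch, -j writes ldif.log and ldif.err to that folder.
ldifde -i -f $ldifPath -k -j $env:TEMP
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ldifde exited with $LASTEXITCODE; see $env:TEMP\ldif.err"
}

# 4. Verify with the DSGet pipeline from the examples above: dsquery prints
#    the matching DN(s) and the pipe ( | ) hands them to dsget, which reads
#    the description attribute we just replaced.
dsquery user $testOu -name "Test Smith" | dsget user -dn -desc
```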

What are the FSMO roles? Who has them by default? What happens when each one fails?

Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact. For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model

To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.

In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object.
This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, so that a common time is used appropriately. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
- The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This last part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation). The five FSMO roles are:
- Schema master - Forest-wide and one per forest.
- Domain naming master - Forest-wide and one per forest.
- RID master - Domain-specific and one for each domain.
- PDC - PDC Emulator is domain-specific and one for each domain.
- Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. In order to better understand your AD infrastructure and to know the added value that each DC might possess, an AD administrator must have exact knowledge of which of the existing DCs is holding a FSMO role, and what role it holds. With that knowledge in hand, the administrator can make better arrangements in case of a scheduled shutdown of any given DC, and better prepare him or herself in case of a non-scheduled cessation of operation of one of the DCs.

How to find out which DC is holding which FSMO role?

Well, one can accomplish this task by many means. This article will list a few of the available methods.

Method #1: Know the default settings

The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following table summarizes the FSMO default locations:

FSMO Role        Number of DCs holding this role   Original DC holding the FSMO role
Schema           One per forest                    The first DC in the first domain in the forest (i.e. the Forest Root Domain)
Domain Naming    One per forest                    The first DC in the first domain in the forest (i.e. the Forest Root Domain)
RID              One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
PDC Emulator     One per domain                    The first DC in a domain (as for RID)
Infrastructure   One per domain                    The first DC in a domain (as for RID)

Method #2: Use the GUI

The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table to see which tool can be used for what FSMO role:

FSMO Role        Which snap-in should I use?
Schema           Schema snap-in
Domain Naming    AD Domains and Trusts snap-in
RID              AD Users and Computers snap-in
PDC Emulator     AD Users and Computers snap-in
Infrastructure   AD Users and Computers snap-in

Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To find out who currently holds the domain-specific RID Master, PDC Emulator, and Infrastructure Master FSMO roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon and press Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done, click Close.

Finding the Domain Naming Master via GUI

To find out who currently holds the Domain Naming Master role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon and press Operation Masters.
3. When you're done, click Close.

Finding the Schema Master via GUI

To find out who currently holds the Schema Master role:
1. Register the Schmmgmt.dll library by pressing Start > Run and typing: regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command, open an MMC console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads, right-click it and press Operation Masters.
8. Press the Close button.

Method #3: Use the Ntdsutil command

The FSMO role holders can be easily found by use of the Ntdsutil command.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. At the fsmo maintenance: prompt, type select operation target, and then press ENTER again.
7. At the select operation target: prompt, type list roles for connected server, and then press ENTER again.
8. Type q 3 times to exit the Ntdsutil prompt.

Method #4: Use the Netdom command

The FSMO role holders can be easily found by use of the Netdom command. Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either download it separately or obtain the correct Support Tools pack for your operating system. The Support Tools pack can be found in the \Support\Tools folder on your installation CD (or you can download the Windows 2000 SP4 Support Tools or the Windows XP SP1 Deploy Tools).
1. On any domain controller, click Start, click Run, type CMD in the Open box, and then click OK.
2. In the Command Prompt window, type netdom query /domain:<domain> fsmo (where <domain> is the name of YOUR domain).

Method #5: Use the Replmon tool

The FSMO role holders can be easily found by use of the Replmon tool. Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support Tools. Replmon can be used for a wide variety of tasks, mostly those related to AD replication. But Replmon can also provide valuable information about the AD, about any DC, and also about other objects and settings, such as GPOs and FSMO roles. Install the package before attempting to use the tool.
1. On any domain controller, click Start, click Run, type REPLMON in the Open box, and then click OK.
2. Right-click Monitored servers and select Add Monitored Server.
3. In the Add Server to Monitor window, select Search the Directory for the server to add. Make sure your AD domain name is listed in the drop-down list.
4. In the site list select your site, expand it, and click to select the server you want to query. Click Finish.
5. Right-click the server that is now listed in the left pane, and select Properties.
6. Click on the FSMO Roles tab and read the results.
7. Click OK when you're done.

What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Windows Server 2003 Active Directory is a bit different from the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.

Single Domain Forest

In a single domain forest, leave all of the FSMO roles on the first domain controller in the forest. You should also configure all the domain controllers as Global Catalog servers. This will NOT place additional stress on the DCs, while allowing GC-related applications (such as Exchange Server) to easily perform GC queries.

Multiple Domain Forest

In a multiple domain forest, use the following guidelines:

In the forest root domain:
- If all domain controllers are also global catalog servers, leave all of the FSMO roles on the first DC in the forest.
- If not all domain controllers are also global catalog servers, move all of the FSMO roles to a DC that is not a global catalog server.

In each child domain, leave the PDC emulator, RID master, and Infrastructure master roles on the first DC in the domain, and ensure that this DC is never designated as a global catalog server (unless the child domain only contains one DC; then you have no choice but to leave it in place).

Configure a standby operations master - For each server that holds one or more operations master roles, make another DC in the same domain available as a standby operations master. Making a DC a standby operations master involves the following actions:
- The standby operations master should not be a global catalog server, except in a single domain environment where all domain controllers are also global catalog servers.
- The standby operations master should have a manually created replication connection to the domain controller that it is the standby operations master for, and it should be in the same site.
- Configure the RID master as a direct replication partner with the standby or backup RID master. This configuration reduces the risk of losing data when you seize the role, because it minimizes replication latency.

To create a connection object on the current operations master:
1. In the Active Directory Sites and Services snap-in, in the console tree in the left pane, expand the Sites folder to see the list of available sites.
2. Expand the site name in which the current role holder is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations master role to display NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the standby operations master, then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name, and click OK.
To create a connection object on the standby operations master, perform the same procedure as above, and point the connection to the current FSMO role holder.

Note regarding Windows 2000 Active Directory domains: If the forest is set to a functional level of Windows 2000 native, you must locate the domain naming master on a server that hosts the global catalog. If the forest is set to a functional level of Windows Server 2003, it is not necessary for the domain naming master to be on a global catalog server.

Server performance and availability

Most FSMO roles require that the domain controller that holds the roles be:

Highly available server - FSMO functions require that the FSMO role holder is highly available at all times. A highly available DC is one that uses computer hardware that enables it to remain operational even during a hardware failure. For example, having a RAID1 or RAID5 configuration enables the server to keep running even if one hard disk fails. Although most FSMO losses can be dealt with within a matter of hours (or even days in some cases), some FSMO roles, such as the PDC Emulator role, should never be offline for more than a few minutes at a time.

What will happen if you keep a FSMO role offline for a long period of time? This table has the info:

FSMO Role        Loss implications
Schema           The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming    Unless you are going to run DCPROMO, you will not miss this FSMO role.
RID              Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of user or computer objects per week.
PDC Emulator     Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem.
Infrastructure   Group memberships may be incomplete. If you only have one domain, then there will be no impact.

Not necessarily a high-capacity server - A high-capacity domain controller is one that has comparatively higher processing power than other domain controllers to accommodate the additional workload of holding the operations master role. It has a faster CPU and possibly additional memory and network bandwidth. FSMO roles usually do not place stress on the server's hardware. One exception is the performance of the PDC Emulator, mainly when used in Windows 2000 Mixed mode along with old NT 4.0 BDCs. That is why you should:
- Increase the size of the DC's processing power.
- Do not make the DC a global catalog server.
- Reduce the priority and the weight of the service (SRV) record in DNS to give preference for authentication to other domain controllers in the site.
- Do not require that the standby domain controller be a direct replication partner (seizing the PDC emulator role does not result in lost data, so there is no need to reduce replication latency for a seize operation).
- Centrally locate this DC near the majority of the domain users.

I want to look at the RID allocation table for a DC. What do I do?

What's the difference between transferring a FSMO role and seizing one?

Transferring FSMO Role

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in this article.

The transfer of an FSMO role is the suggested form of moving a FSMO role between domain controllers and can be initiated by the administrator or by demoting a domain controller. However, the transfer process is not initiated automatically by the operating system, for example when a server is shut down. FSMO roles are not automatically relocated during the shutdown process; this must be considered when shutting down a domain controller that has an FSMO role for maintenance, for example.

In a graceful transfer of an FSMO role between two domain controllers, a synchronization of the data that is maintained by the FSMO role owner to the server receiving the FSMO role is performed prior to transferring the role, to ensure that any changes have been recorded before the role change.

However, when the original FSMO role holder went offline or became non-operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing, and is described in the Seizing FSMO Roles article.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:
- Active Directory Schema snap-in
- Active Directory Domains and Trusts snap-in
- Active Directory Users and Computers snap-in

To transfer the FSMO role the administrator must be a member of the following group:

FSMO Role        Administrator must be a member of
Schema           Schema Admins
Domain Naming    Enterprise Admins
RID              Domain Admins
PDC Emulator     Domain Admins
Infrastructure   Domain Admins

Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To transfer the domain-specific RID Master, PDC Emulator, and Infrastructure Master FSMO roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder, the target, and press OK.
4. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
5. Select the appropriate tab for the role you wish to transfer and press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.

Transferring the Domain Naming Master via GUI

To transfer the Domain Naming Master role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.

Transferring the Schema Master via GUI

To transfer the Schema Master role:
1. Register the Schmmgmt.dll library by pressing Start > Run and typing: regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command, open an MMC console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
8. Press Specify ... and type the name of the new role holder. Press OK.
9. Right-click the Active Directory Schema icon again and press Operation Masters.
10. Press the Change button.
11. Press OK all the way out.

Transferring the FSMO Roles via Ntdsutil

To transfer the FSMO roles from the Ntdsutil command:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type transfer <role>, where <role> is the role you want to transfer. For example, to transfer the RID Master role, you would type transfer rid master. Options are:
   Transfer domain naming master
   Transfer infrastructure master
   Transfer PDC
   Transfer RID master
   Transfer schema master
7. You will receive a warning window asking if you want to perform the transfer. Click on Yes.
8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
9. Restart the server and make sure you update your backup.

Seizing the FSMO Roles

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation). The five FSMO roles are:
- Schema master - Forest-wide and one per forest.
- Domain naming master - Forest-wide and one per forest.
- RID master - Domain-specific and one for each domain.
- PDC - PDC Emulator is domain-specific and one for each domain.
- Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article.
However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a nonoperational role holder to a different DC is called Seizing, and is described in this article. If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since none of the FSMO roles are immediately critical (well, almost none, the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem to them to be unavailable for hours or even days. If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary when the original role holder is not connected to the network. What will happen if you do not perform the seize in time? This table has the info:

FSMO Role - Loss implications

Schema: The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming: Unless you are going to run DCPROMO, you will not miss this FSMO role.
RID: Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of user or computer objects per week.
PDC Emulator: Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies, and password changes will become a problem.
Infrastructure: Group memberships may be incomplete. If you only have one domain, then there will be no impact.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again. The following table summarizes the FSMO seizing restrictions:

FSMO Role - Restrictions

Schema: Original must be reinstalled
Domain Naming: Original must be reinstalled
RID: Original must be reinstalled
PDC Emulator: Can transfer back to original
Infrastructure: Can transfer back to original

Another consideration before performing the seize operation is the administrator's group membership, as this table lists:

FSMO Role - Administrator must be a member of

Schema: Schema Admins
Domain Naming: Enterprise Admins
RID: Domain Admins
PDC Emulator: Domain Admins
Infrastructure: Domain Admins

To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

C:\WINDOWS>ntdsutil

2. Type roles, and then press ENTER.

ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.

fsmo maintenance: connections
server connections:

4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:

5. At the server connections: prompt, type q, and then press ENTER again.

server connections: q
fsmo maintenance:

6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master. Options are:

Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master

7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.

9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

A better-formatted version of this answer can be found at http://www.petri.co.il/seizing_fsmo_roles.htm

Which FSMO role should you NOT seize? Why?

How do you configure a "stand-by operation master" for any of the roles?

How do you backup AD?
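After a seize it is worth checking where the five roles actually ended up. The script below is an added example for this post, not code from the Petri article or from Microsoft; it uses the ActiveDirectory RSAT module (Get-ADForest, Get-ADDomain, Get-ADDomainController) to list the role holders and flag the two placement problems described above: the Infrastructure Master sitting on a Global Catalog in a multi-domain forest, and all five roles piled onto one DC. The function and variable names are my own.

```powershell
# Added example (not from the original article): inventory the five FSMO role
# holders and flag the placement problems the text warns about. Assumes the
# ActiveDirectory RSAT module and a domain-joined session with read rights.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param(
        # Domain to inspect; defaults to the current user's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $roles = [ordered]@{
        'Schema'         = $forest.SchemaMaster
        'Domain Naming'  = $forest.DomainNamingMaster
        'RID'            = $dom.RIDMaster
        'PDC Emulator'   = $dom.PDCEmulator
        'Infrastructure' = $dom.InfrastructureMaster
    }

    $findings = @()
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # A holder name that no longer resolves to a DC object usually means a
        # failed DC whose role was never transferred or seized.
        $dc = Get-ADDomainController -Identity $holder -ErrorAction SilentlyContinue
        if (-not $dc) {
            $findings += "$role role holder '$holder' is not a known DC (stale or unfinished seize)"
            continue
        }
        # The IM on a GC only matters when there is more than one domain.
        if ($role -eq 'Infrastructure' -and $dc.IsGlobalCatalog -and @($forest.Domains).Count -gt 1) {
            $findings += "Infrastructure Master '$holder' is also a GC in a multi-domain forest"
        }
    }

    # All five roles on a single DC is what the ntdsutil note tells you to avoid.
    $distinct = @($roles.Values | Sort-Object -Unique)
    $dcCount  = @(Get-ADDomainController -Filter *).Count
    if ($distinct.Count -eq 1 -and $dcCount -gt 1) {
        $findings += "All five FSMO roles sit on '$($distinct[0])' although $dcCount DCs exist"
    }

    [pscustomobject]@{ Roles = $roles; Findings = $findings }
}

$report = Get-FsmoPlacementReport
$report.Roles.GetEnumerator() | ForEach-Object { '{0,-15} {1}' -f $_.Key, $_.Value }
$report.Findings
```

Run it from any domain-joined machine with RSAT; an empty Findings list means the placement matches the guidance in the article. The "stale holder" check is the one to watch right after a seize: if the old server name is still reported, the seize did not complete on the DC you queried.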

How do you restore AD?

How do you change the DS Restore admin password?

Why can't you restore a DC that was backed up 4 months ago?

What are GPOs?

What is the order in which GPOs are applied?

Name a few benefits of using GPMC.

What are the GPC and the GPT? Where can I find them?

What are GPO links? What special things can I do to them?

What can I do to prevent inheritance from above?

How can I override blocking of inheritance?

How can you determine what GPO was and was not applied for a user? Name a few ways to do that.

A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?

Name a few differences in Vista GPOs.

Name some GPO settings in the computer and user parts.

What are administrative templates?

What's the difference between software publishing and assigning?

Can I deploy non-MSI software with GPO?

You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

Source: http://www.petri.co.il/mcse_system_administrator_active_directory_interview_questions.htm

Windows Server 2003 Active Directory and Security questions

What's the difference between local, global and universal groups?

Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

I am trying to create a new universal user group. Why can't I?

Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

What is LSDOU?

It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.

Why doesn't LSDOU work under Windows NT?

If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

Where are group policies stored?

%SystemRoot%\System32\GroupPolicy

What is GPT and GPC?

Group policy template and group policy container.

Where is GPT stored?

%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority?

The computer settings take priority.

You want to set up a remote installation procedure, but do not want the user to gain access over it. What do you do?

gponame > User Configuration > Windows Settings > Remote Installation Services > Choice Options is your friend.

What's contained in the administrative template conf.adm?

Microsoft NetMeeting policies.

How can you restrict running certain applications on a machine?

Via group policy, security settings for the group, then Software Restriction Policies.

You need to automatically install an app, but the MSI file is not available. What do you do?

A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.

What's the difference between Software Installer and Windows Installer?

The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.

What can be restricted on Windows Server 2003 that wasn't there in previous products?

Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

How frequently is the client policy refreshed?

90 minutes, give or take.

Where is secedit?

It's now gpupdate.

You want to create a new group policy but do not wish to inherit.

Make sure you check Block inheritance among the options when creating the policy.

What is "tattooing" the Registry?

The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.

How do you fight tattooing in NT/2000 installations?

You can't.

How do you fight tattooing in 2003 installations?

User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.

What does IntelliMirror do?

It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.

What's the major difference between FAT and NTFS on a local machine?

FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.

How do FAT and NTFS differ in approach to user shares?

They don't, both have support for sharing.

Explain the List Folder Contents permission on the folder in NTFS.

Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.

I have a file to which the user has access, but he has no folder permission to read it. Can he access it?

It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into the Run window.

For a user in several groups, are Allow permissions restrictive or permissive?

Permissive: if at least one group has Allow permission for the file/folder, the user will have the same permission.

For a user in several groups, are Deny permissions restrictive or permissive?

Restrictive: if at least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.

What hidden shares exist on a Windows Server 2003 installation?

Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations?

The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.

We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box.

Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.

Where exactly do fault-tolerant DFS shares store information in Active Directory?

In the Partition Knowledge Table, which is then replicated to other domain controllers.

Can you use Start->Search with DFS shares?

Yes.

What problems can you have with DFS installed?

Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.

I run Microsoft Cluster Server and cannot install fault-tolerant DFS.

Yeah, you can't. Install a standalone one.

Is Kerberos encryption symmetric or asymmetric?

Symmetric.

How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line?

A time stamp is attached to the initial client request, encrypted with the shared key.

What hashing algorithms are used in Windows 2003 Server?

RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.

What third-party certificate exchange protocols are used by Windows 2003 Server?

Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.

What's the number of permitted unsuccessful logons on the Administrator account?

Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.

If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1?

A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then comparing the hashes.

What's the difference between guest accounts in Server 2003 and other editions?

More restrictive in Windows Server 2003.

How many passwords by default are remembered when you check "Enforce Password History Remembered"?

The user's last 6 passwords.

Describe how the DHCP lease is obtained.

It's a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection and (d) acknowledgement.
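The lockout and password-history answers above describe defaults; what matters in practice is what the domain actually enforces. This is an added example for this post (not from the original questions or from Microsoft): it reads the default domain password policy with Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory RSAT module, compares it with the values mentioned above, and reports when the built-in Administrator (always RID 500) was last used. The function name and the thresholds other than the page's own (6 remembered passwords, lockout threshold 0 = unlimited) are my choices.

```powershell
# Added example (not from the original post): read the domain password and
# lockout policy and compare it with the defaults the questions above mention
# (6 remembered passwords, unlimited bad logons). Assumes the ActiveDirectory
# RSAT module and a domain-joined session.
Import-Module ActiveDirectory

function Get-PasswordPolicyFindings {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $pol = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()

    if ($pol.PasswordHistoryCount -lt 6) {
        $findings += "PasswordHistoryCount is $($pol.PasswordHistoryCount); fewer than 6 lets users cycle back quickly"
    }
    # LockoutThreshold 0 means unlimited failed logons for every account, not
    # just the built-in Administrator that the question refers to.
    if ($pol.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold is 0: unlimited failed logons for all accounts"
    }
    if (-not $pol.ComplexityEnabled) {
        $findings += "Password complexity is disabled"
    }
    if ($pol.MinPasswordLength -lt 8) {    # 8 is my own floor, not a page value
        $findings += "MinPasswordLength is $($pol.MinPasswordLength)"
    }

    # The built-in Administrator is never locked out by policy, so at least
    # confirm it is not being used for day-to-day logons.
    $domSid = (Get-ADDomain -Identity $Domain).DomainSID.Value
    $admin  = Get-ADUser -Identity "$domSid-500" -Properties LastLogonDate

    [pscustomobject]@{
        Domain         = $Domain
        Policy         = $pol | Select-Object PasswordHistoryCount, LockoutThreshold,
                                              MinPasswordLength, ComplexityEnabled
        AdminLastLogon = $admin.LastLogonDate
        Findings       = $findings
    }
}

Get-PasswordPolicyFindings
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override the default for specific groups, so an empty Findings list here only vouches for accounts that no PSO applies to.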
I can't seem to access the Internet, don't have any access to the corporate network and on ipconfig my address is 169.254.*.*. What happened?

The 169.254.*.* netmask is assigned to Windows machines running 98/2000/XP if the DHCP server is not available. The name for the technology is APIPA (Automatic Private Internet Protocol Addressing).

We've installed a new Windows-based DHCP server, however, the users do not seem to be getting DHCP leases off of it.

The server must be authorized first with the Active Directory.

How do you double-boot a Win 2003 server box?
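Both symptoms above (clients on 169.254.x.x, a new server handing out nothing) come down to the same two checks: is the server authorized in AD, and did the client actually fall back to APIPA. The script below is an added example for this post, not code from the original questions or from Microsoft. It uses Get-DhcpServerInDC from the DhcpServer module and Get-NetIPAddress from NetTCPIP, both shipped with Windows Server 2012 and later (the original text predates those cmdlets); the function names and the computer-name default are assumptions.

```powershell
# Added example (not from the original post): confirm that a DHCP server is
# authorized in Active Directory and spot interfaces that fell back to APIPA.
# Assumes the DhcpServer and NetTCPIP modules (Windows Server 2012 or later).

function Test-DhcpServerAuthorized {
    param([string]$ServerName = $env:COMPUTERNAME)
    # Get-DhcpServerInDC lists every DHCP server object authorized in AD.
    # AD authorization is also the control that stops a rogue Windows DHCP
    # server from answering clients, so unexpected entries here matter too.
    $authorized = @(Get-DhcpServerInDC)
    $match = $authorized | Where-Object {
        $_.DnsName -like "$ServerName*" -or "$($_.IPAddress)" -eq $ServerName
    }
    [pscustomobject]@{
        Server     = $ServerName
        Authorized = [bool]$match
        Entries    = $authorized | Select-Object DnsName, IPAddress
    }
}

function Get-ApipaAddress {
    # 169.254.0.0/16 is what a client assigns itself when no DHCP offer arrives;
    # PrefixOrigin reads "WellKnown" for such addresses.
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like '169.254.*' } |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin
}

$auth = Test-DhcpServerAuthorized
if (-not $auth.Authorized) {
    Write-Warning "$($auth.Server) is not authorized in AD; clients will not get leases from it"
    # Remedy, once you trust the server:
    #   Add-DhcpServerInDC -DnsName <server fqdn> -IPAddress <server ip>
}
$auth.Entries
Get-ApipaAddress
```

Run Test-DhcpServerAuthorized on the DHCP server and Get-ApipaAddress on a complaining client. A client with an APIPA address and a server that is not in the Entries list is exactly the situation the two questions describe.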

The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel from the Advanced tab and select Startup.

What do you do if an earlier application doesn't run on Windows Server 2003?

When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting Properties > Compatibility > selecting the previously supported operating system.

What snap-in administrative tools are available for Active Directory?

Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active Directory Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Manager (optional, available from adminpak).

What is presentation layer responsible for in the OSI model?

The presentation layer establishes the data format prior to passing it along to the network applications interface. TCP/IP networks perform this task at the application layer.

Does Windows Server 2003 support IPv6? Yes, run ipv6.exe from command line to disable it.

Can Windows Server 2003 function as a bridge? Yes, and it's a new feature for the 2003 product. You can combine several networks and devices connected via several adapters by enabling IP routing.

Whats the role of http.sys in IIS?

It is the point of contact for all incoming HTTP requests. It listens for requests and queues them until they are all processed, no more queues are available, or the Web server is shut down.

Where's the ASP cache located on IIS 6.0?

On disk, as opposed to memory, as it used to be in IIS 5.

What is socket pooling?

Non-blocking socket usage, introduced in IIS 6.0. More than one application can use a given socket.

Which characters should be enclosed in quotes when searching the index?

&, @, $, #, ^, ( ), and .

How would you search for C++?

Just enter C++, since + is not a special character (and neither is C).

What about Barnes&Noble?

Should be searched for as Barnes&Noble.

Are the searches case-sensitive?

No.

What's the order of precedence of Boolean operators in Microsoft Windows 2003 Server Indexing Service?

NOT, AND, NEAR, OR.

How many group policies can be applied to an OU?

How many objects can be created in a Directory Partition?

In Active Directory replication, which FSMO role participates in replication?

A case: a main DC (Windows 2003) and a BDC (Windows 2000 Server). At replication time all partitions are replicated, but what about the application partition on the main DC?

What is the Active Directory schema?

The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest; it also contains formal definitions of every attribute that can exist in an Active Directory object. Active Directory stores and retrieves information from a wide variety of applications and services.

What is a Global Catalog Server?

A global catalog server is a domain controller that hosts a master searchable database containing information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. It has two important functions:

1) Provides group membership information during logon and authentication.
2) Helps users locate resources in Active Directory.

What is the ntds.dit file default size?

40 MB

What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?

SMTP - 25, POP3 - 110, IMAP4 - 143, RPC - 135, LDAP - 389, Global Catalog - 3268

What is a default gateway?

The exit point from one network and entry way into another network, often the router of the network.

How do you set a default route on a Cisco router?

ip route 0.0.0.0 0.0.0.0 x.x.x.x [where x.x.x.x represents the destination address]

Describe the lease process of the DHCP server.

The DHCP server leases IP addresses to the clients as follows (DORA):

D (Discover): The DHCP client sends a broadcast packet to identify the DHCP server; this packet will contain the source MAC.
O (Offer): Once the packet is received by the DHCP server, the server will send a packet containing the source IP and source MAC.
R (Request): The client will now contact the DHCP server directly and request the IP address.
A (Acknowledge): The DHCP server will send an ack packet which contains the IP address.

What is IPv6?

Internet Protocol version 6 (IPv6) is a network layer IP standard used by electronic devices to exchange data across a packet-switched internetwork. It follows IPv4 as the second version of the Internet Protocol to be formally adopted for general use. An IPv6 address is 128 bits in size: a total of 8 octets, each 16 bits, separated with ":" and written in hexadecimal format. There are 3 types: 1. unicast address 2. multicast address 3. anycast address. The loopback address of IPv6 is ::1.

If you uninstall Windows Server 2003, which operating systems can you revert to?

Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows Server 2003.

How do you get to Internet Firewall settings?

Start > Control Panel > Network and Internet Connections > Network Connections.
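The port list above is most useful when you turn it into a check: a DC that answers on 3268 is a Global Catalog, and the GCs of a forest announce themselves through the _gc._tcp SRV record. The following is an added example for this post (not code from the original questions or from Microsoft) that resolves that record with Resolve-DnsName and probes the RPC, LDAP and Global Catalog ports from the table with Test-NetConnection, both standard cmdlets on Windows 8 / Server 2012 and later. It assumes $env:USERDNSDOMAIN is the forest root; in a child domain pass the root name explicitly. Function names are mine.

```powershell
# Added example (not from the original post): locate the forest's global catalog
# servers through the DNS SRV record they register and confirm the listed ports
# (RPC 135, LDAP 389, Global Catalog 3268) answer on each one. Assumes a
# domain-joined host with the DnsClient and NetTCPIP modules.

$Ports = [ordered]@{ 'RPC' = 135; 'LDAP' = 389; 'Global Catalog' = 3268 }

function Get-GlobalCatalogHosts {
    # Assumption: the user's DNS domain is the forest root, where _gc._tcp lives.
    param([string]$Forest = $env:USERDNSDOMAIN)
    # Each SRV answer's NameTarget is the FQDN of a DC that hosts the GC.
    Resolve-DnsName -Name "_gc._tcp.$Forest" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
}

function Test-DcPorts {
    param([Parameter(Mandatory)][string]$ComputerName)
    foreach ($name in $Ports.Keys) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $Ports[$name] `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $ComputerName
            Service = $name
            Port    = $Ports[$name]
            Open    = $r.TcpTestSucceeded
        }
    }
}

# A DC listed under _gc._tcp that does not answer on 3268 is either still
# promoting the GC partition or has a firewall problem; both break logons.
Get-GlobalCatalogHosts | ForEach-Object { Test-DcPorts -ComputerName $_ } | Format-Table -AutoSize
```

A DC that appears in the SRV answer but shows Open = False for port 3268 is the case to investigate, since clients will keep being referred to it for logon and group membership lookups.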

What are the Windows Server 2003 keyboard shortcuts?

Winkey opens or closes the Start menu.
Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.
Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop.
Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel.
Winkey + CTRL + F opens the Search panel with the Search for Computers module selected.
Winkey + F1 opens Help.
Winkey + M minimizes all.
Winkey + SHIFT + M undoes minimization.
Winkey + R opens the Run dialog.
Winkey + U opens the Utility Manager.
Winkey + L locks the computer.

What is Active Directory?

Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of the Active Directory is that everything is considered an object: people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).

Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?

The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

How long does it take for security changes to be replicated among the domain controllers?

Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

What's new in Windows Server 2003 regarding DNS management?
When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.

When should you create a forest?

Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

How can you authenticate between forests?

Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user's home forest; (3) Kerberos delegation to an N-tier application in another forest; and (4) user principal name (UPN) credentials.

What types of classes exist in Windows Server 2003 Active Directory?

Structural class. The structural class is important to the system administrator in that it is the only type from which new Active Directory objects are created. Structural classes are developed from either the modification of an existing structural type or the use of one or more abstract classes.

Abstract class. Abstract classes are so named because they take the form of templates that actually create other templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for the defining objects.

Auxiliary class. The auxiliary class is a list of attributes. Rather than apply numerous attributes when creating a structural class, it provides a streamlined alternative by applying a combination of attributes with a single include action.

88 class. The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was adopted. This type does not use the structural, abstract, and auxiliary definitions, nor is it in common use for the development of objects in Windows Server 2003 environments.

How do you delete a lingering object?

Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active Directory.

What is Global Catalog?

The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.

How is user account security established in Windows Server 2003?

When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account's security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.

If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same?

No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.

What do you do with secure sign-ons in an organization with many roaming users?

The Credential Management feature of Windows Server 2003 provides a consistent single sign-on experience for users. This can be useful for roaming users who move between computer systems. The Credential Management feature provides a secure store of user credentials that includes passwords and X.509 certificates.

Anything special you should do when adding a user that has a Mac?

"Save password as encrypted clear text" must be selected on the User Properties Account Tab Options, since the Macs only store their passwords that way.

What remote access options does Windows Server 2003 support?

Dial-in, VPN, dial-in with callback.

Where are the documents and settings for the roaming profile stored?

All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.

Where are the settings for all the users stored on a given machine?

\Documents and Settings\All Users

What languages can you use for log-on scripts?

JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)
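Two of the questions fit together: the NTFS ones (Allow is permissive, Deny is restrictive when a user is in several groups) and the security token one (user SID plus group SIDs, matched against the object's ACL). The script below is an added example for this post, not code from the original questions or from Microsoft: it takes the SIDs from the current logon token via .NET's WindowsIdentity, walks the ACEs that Get-Acl returns for a folder, ORs together every matching Allow, ORs together every matching Deny, and subtracts the second from the first. The function name and the placeholder path are mine.

```powershell
# Added example (not from the original post): apply the Allow/Deny rule from the
# NTFS questions to a real folder using the SIDs in the caller's token (user SID
# plus every group SID, as the security token answer describes). Any Deny that
# matches the token strips that right from whatever the Allows granted.
# Assumes an NTFS path you can read; the path at the bottom is a placeholder.

function Get-EffectiveNtfsRights {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Defaults to the SIDs of the current logon session's token.
        [System.Security.Principal.SecurityIdentifier[]]$TokenSids = (
            [System.Security.Principal.WindowsIdentity]::GetCurrent() |
                ForEach-Object { @($_.User) + @($_.Groups) }
        )
    )
    $tokenValues = $TokenSids | ForEach-Object { $_.Value }
    $acl = Get-Acl -Path $Path
    $allow = 0; $deny = 0; $hits = @()

    foreach ($ace in $acl.Access) {
        # ACEs name an account; translate it to a SID so it can be compared with the token.
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned SID or unresolvable account: cannot match this token
        if ($tokenValues -notcontains $aceSid) { continue }

        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $rights }
        else                                    { $deny  = $deny  -bor $rights }
        $hits += '{0,-5} {1,-35} {2}' -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights
    }

    # Deny is restrictive: remove every denied bit from the accumulated Allow set.
    $effective = $allow -band (-bnot $deny)
    [pscustomobject]@{
        Path         = $Path
        MatchingAces = $hits
        Effective    = [System.Security.AccessControl.FileSystemRights]$effective
        DeniedRights = [System.Security.AccessControl.FileSystemRights]$deny
    }
}

Get-EffectiveNtfsRights -Path 'C:\Shares\Finance'   # placeholder path, replace with a real folder
```

One caveat the interview answer glosses over: the kernel evaluates ACEs in canonical order (explicit entries before inherited ones, Deny before Allow within each group), so an explicit Allow set directly on a folder does take precedence over a Deny inherited from its parent. The function implements the rule as the page states it, which is correct whenever the ACL is in canonical order and the Deny is explicit; the Effective Access tab in the folder's Advanced Security Settings is the authoritative check.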

What are the differences between a site-to-site VPN and a VPN client connecting to a VPN server? What protocols are used for these?

> EXPERT RESPONSE

Site-to-site VPNs connect entire networks to each other -- for example, connecting a branch office network to a company headquarters network. In a site-to-site VPN, hosts do not have VPN client software; they send and receive normal TCP/IP traffic through a VPN gateway. The VPN gateway is responsible for encapsulating and encrypting outbound traffic, sending it through a VPN tunnel over the Internet, to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet towards the target host inside its private network.

Remote access VPNs connect individual hosts to private networks -- for example, travelers and teleworkers who need to access their company's network securely over the Internet. In a remote access VPN, every host must have VPN client software (more on this in a minute). Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receipt, that VPN gateway behaves as described above for site-to-site VPNs. If the target host inside the private network returns a response, the VPN gateway performs the reverse process to send an encrypted response back to the VPN client over the Internet.

The most common secure tunneling protocol used in site-to-site VPNs is the IPsec Encapsulating Security Payload (ESP), an extension to the standard IP protocol used by the Internet and most corporate networks today. Most routers and firewalls now support IPsec and so can be used as a VPN gateway for the private network behind them. Another site-to-site VPN protocol is Multi-Protocol Label Switching (MPLS), although MPLS does not provide encryption.

Remote access VPN protocols are more varied. The Point-to-Point Tunneling Protocol (PPTP) has been included in every Windows operating system since Windows 95. The Layer 2 Tunneling Protocol (L2TP) over IPsec is present in Windows 2000 and XP and is more secure than PPTP. Many VPN gateways use IPsec alone (without L2TP) to deliver remote access VPN services. All of these approaches require VPN client software on every host, and a VPN gateway that supports the same protocol and options/extensions for remote access.

Over the past few years, many vendors have released secure remote access products that use SSL and ordinary web browsers as an alternative to IPsec/L2TP/PPTP VPNs. These "SSL VPNs" are often referred to as "clientless," but it is more accurate to say that they use web browsers as VPN clients, usually in combination with dynamically-downloaded software (Java applet, ActiveX control, or temporary Win32 program that is removed when the session ends). Also, unlike PPTP, L2TP, and IPsec VPNs, which connect remote hosts to an entire private network, SSL VPNs tend to connect users to specific applications protected by the SSL VPN gateway.

To learn more about VPN protocols and topologies, watch the New directions in VPN searchSecurity webcast, or read this InfoSec Magazine article on SSL VPNs.

Posted 29th September 2011 by Chandan Patralekh

3. (Aug 29) How to extend a boot partition?

We can extend a boot partition, and there is only one free utility which can do it for you on all types of Windows OS: the Dell EXTPART utility. The help file can be found at this location. Below are the steps one needs to follow:

1) To extend the boot partition you need to have free space right next to the boot drive.
2) For example, if the C drive is 10 GB and you wish to extend its size, your D partition has to be deleted. Do take a backup of your data before deleting a partition.
3) Then you need to run the extpart tool.
4) Extend the drive.
5) Reboot the system.
6) You'll see that the drive has been extended.

Tools available for disk partitioning:

1) Dell ExtPart. I am listing it at the top because it's free, simple to use and can be used for any Windows OS including server OS.
2) The rest can be found here.
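Step 1 above (free space has to sit directly after the boot volume) is the part people get wrong, and deleting D: before checking is how data gets lost. The script below is an added example for this post, not Dell's ExtPart or anything from the original text: it does the same job with the Storage module that Windows 8 / Server 2012 and later ship (Get-Partition, Get-PartitionSupportedSize, Resize-Partition), which the post predates. It checks for adjacent free space first and only resizes when you confirm; no reboot is needed with this method. Function names are mine.

```powershell
# Added example (not from the original post): verify that free space sits
# directly after the boot volume, then grow it, using the built-in Storage
# module instead of Dell ExtPart. Assumes an elevated session on Windows 8 /
# Server 2012 or later. Run Expand-BootVolume -WhatIf before the real thing.

function Get-BootVolumeGrowth {
    param([char]$DriveLetter = 'C')
    $part = Get-Partition -DriveLetter $DriveLetter
    # SizeMax is the largest size reachable using only the free space that is
    # physically adjacent to this partition: exactly step 1 of the post.
    $limits = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    [pscustomobject]@{
        Drive          = "${DriveLetter}:"
        IsBoot         = $part.IsBoot
        CurrentGB      = [math]::Round($part.Size / 1GB, 2)
        MaxGB          = [math]::Round($limits.SizeMax / 1GB, 2)
        AdjacentFreeGB = [math]::Round(($limits.SizeMax - $part.Size) / 1GB, 2)
    }
}

function Expand-BootVolume {
    [CmdletBinding(SupportsShouldProcess)]
    param([char]$DriveLetter = 'C')
    $g = Get-BootVolumeGrowth -DriveLetter $DriveLetter
    if ($g.AdjacentFreeGB -le 0) {
        # Nothing adjacent: the space is elsewhere on the disk or does not exist.
        throw "No free space directly after $($g.Drive); delete or shrink the next partition first (after a backup)."
    }
    $max = (Get-PartitionSupportedSize -DriveLetter $DriveLetter).SizeMax
    if ($PSCmdlet.ShouldProcess($g.Drive, "extend from $($g.CurrentGB) GB to $($g.MaxGB) GB")) {
        Resize-Partition -DriveLetter $DriveLetter -Size $max
    }
}

Get-BootVolumeGrowth
Expand-BootVolume -WhatIf
```

If AdjacentFreeGB is 0, Resize-Partition will refuse the same way ExtPart would, so the check saves a wasted attempt. Take the backup the post mentions before deleting any neighbouring partition to create that space.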

Posted 29th August 2011 by Chandan Patralekh. Labels: extend a drive, extend boot partition, boot partition, extpart, Diskpart

4. (Aug 28) Why VMware Workstation?

Why Choose VMware Workstation? From the creator of PC virtualization comes the most reliable, secure way to run multiple operating systems at the same time. Winner of more than 50 industry awards, VMware Workstation transforms the way technical professionals develop, test, demo, and deploy software. VMware Workstation is an integral component of any serious technical professional's toolkit.

Get Maximum Performance for Windows 7

VMware Workstation 7 is optimized for maximum performance when running on 32-bit and 64-bit Windows 7 PCs. It supports Flip 3D and Aero Peek to show live thumbnails of your virtual machines. Run legacy applications with 3D graphics, faster performance, and tighter desktop integration, better than Windows XP Mode. Get shared folders and drag-and-drop convenience.

Gain an Indispensable Tool

Automate and streamline tasks to save time and improve productivity. Run applications in Linux, Windows, and more at the same time on the same PC with no rebooting. Evaluate and test new operating systems, applications and patches in an isolated environment. Demonstrate complex software applications on a single laptop in a repeatable, reliable manner. Rich integration with Visual Studio, Eclipse, and the SpringSource Tool Suite makes it incredibly easy to debug applications on multiple platforms.

Run Your Most Demanding Applications on the Most Advanced Virtualization Platform

Create virtual machines with up to 8 virtual processors or 8 virtual cores, 2 TB virtual disks and up to 32 GB of memory per virtual machine to run the most demanding applications. Protect your virtual machines from prying eyes with 256-bit AES encryption and smart card authentication.

Award-winning Backed by over a decade of proven engineering, VMware Workstation is trusted by millions of users worldwide. The company has won more than 200 awards for its industry-leading software, with over 50 awards for VMware Workstation. In addition to winning InfoWorld's 2009 Best Desktop Virtualization Tool, Visual Studio Magazine Reader's Choice for Best Software Development Product awards, VMware Workstation has been inducted into the Jolt Hall of Fame. More Reasons at a Glance -------------------------------------------

Seamlessly Integrated Unity mode integrates applications from within your Windows & Linux virtual machines and makes them appear like they are running on your native desktop. User friendly features such as the ability to cut and paste pictures, drag and drop email attachments, and driver-less printing make it easy to work in a virtual machine.

Snapshots and Clones: The Ultimate Time Saver Snapshots preserve the state of a virtual machine so you can return to it at any time. Snapshots are useful when you need to revert your virtual machine to a prior, stable system state. Workstation makes it easy to find and revert to a previously saved snapshot. Installing operating systems and applications can be time consuming. With clones, you can make many copies of a virtual machine from the baseline installation and configuration. This makes it fast and simple to maintain standardized computing environments for employees and students, or to create a baseline configuration for testing.

Run Multi-tiered Applications on a Single PC Manage multiple, network-connected virtual machines with Teams. Teams make it easy to start and run complex multi-tier enterprise applications on a single PC with just a click of the mouse.

Rewind and Replay Until You Find the Bug Diagnose non-deterministic bugs with the Replay Debugging technology integrated into Visual Studio and Eclipse. Test your applications in a virtual machine while recording and then let the developer step through the recording with a debugger attached. Never again will there be a non-reproducible bug.

Download VMware Workstation from Here

Posted 28th August 2011 by Chandan Patralekh Labels: Clone VMWARE VMWARE Workstation Snapshot

5. Jul 15 Questions on Clustering

Here I am putting in some questions that might help you prepare yourself on clustering. This is just to start; you can then follow it up with more in-depth study and CBTs.

What is a cluster? A group of two or more servers working together to ensure availability of a service or application even when one of its members goes down. Examples of clusters are Microsoft Clustering Services (MSCS) and Microsoft NLB cluster.

Is a cluster a high-availability or a fault-tolerant solution? When we talk about MSCS we talk about a high-availability solution, and when we talk about WLBS, i.e. Microsoft NLB, we talk about a fault-tolerant solution.

How is MSCS different from NLB? The most important thing to remember is that MSCS maintains session state but NLB doesn't. For example, in a two-node MSCS cluster hosting a SQL database, a transaction in progress is not lost even if one of the nodes goes down: while the failover happens the transaction would definitely stop, but it resumes as soon as the other node takes over. In the case of NLB, if a node goes down, any session associated with it ends and the client has to reconnect and establish a new session. For example with OWA, if the node to which my OWA connection is established goes down, I need to reconnect, as my session would time out after the node serving it fails.

What is a quorum, a quorum resource, or a quorum disk? The quorum resource is a common resource in the cluster that is accessible by all of the cluster nodes. Normally a physical disk on the shared storage, the quorum resource maintains data integrity, cluster unity, and cluster operations, such as forming or joining a cluster, by performing the following tasks:
o Enables a single node to gain and defend its physical control of the quorum resource. When the cluster is formed or when the cluster nodes fail to communicate, the quorum resource guarantees that only one set of active, communicating nodes is allowed to form a cluster.
o Maintains cluster unity. The quorum resource allows cluster nodes that can communicate with the node containing the quorum resource to remain in the cluster. If a cluster node fails for any reason and the cluster node containing the quorum resource is unable to communicate with the remaining nodes in the cluster, MSCS automatically shuts down the node that does not control the quorum resource.
o Stores the most current version of the cluster configuration database and state data. If a cluster node fails, the configuration database helps the cluster recover a failed resource or recreate the cluster in its current configuration.

The only type of resource supported by MSCS that can act as a quorum resource is the physical disk resource. However, developers can create their own quorum disk types for any resources that meet the arbitration and storage requirements.

What is the advantage/disadvantage of having a one-node cluster? A one-node cluster is used in situations where we just want a stopped service to be restarted automatically. Services that do not have the capability to restart on their own are hosted on a one-node cluster, as the cluster service would restart the failed service and we are good to go. However, if the node itself fails, the service becomes unavailable.

How important is it to have the public and heartbeat networks separate? Is a cluster possible with just one NIC per node? It is very important to have the public and private heartbeat networks separate, as combining the two might delay heartbeat packets reaching the cluster service. This in turn would make the cluster fail over. It is possible to build a cluster with a single NIC, but that is not a supported configuration. For more info please read the support article.

What is the port number for heartbeat communication between cluster nodes? To ensure correct failover cluster functionality, add exceptions to the firewall configuration settings for File and Printer Sharing (TCP 139/445 and UDP 137/138).

Is it possible to have heartbeat and public NICs on the same subnet without causing any problems? No, it is not possible to have heartbeat and public NICs on the same subnet without causing problems. The reason is that public NICs generate a lot of traffic, which might interfere with the heartbeat NICs' traffic by inducing delay due to congestion. This would cause the cluster to fail over, and we don't want this to happen.

Can 2 nodes belonging to different network subnets form a single cluster? While configuring a set of clustered nodes we need to have them on the same subnet.

What is the difference between multicast and unicast in a cluster? Under which scenario is unicast or multicast the more viable solution?

The scenario in which unicast/multicast is more viable is given below. It is picked from here: As the number of nodes in a server cluster increases, the node-to-node communication rises significantly. In Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition, for server clusters with 3 or more nodes, multiple unicast messages for two classes of intracluster traffic are replaced by single multicast messages. This reduces the intracluster traffic, resulting in lower network bandwidth consumption and improved node performance. The configuration of the server cluster must meet the following conditions for heartbeat multicasting:
o The number of nodes that are members of the server cluster (rather than the number of nodes that are currently up and actively participating in the cluster) must be 3 or greater.
o All the nodes in the server cluster must be running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.

Important
o Both conditions above refer to nodes configured in the cluster membership rather than nodes that are currently up and actively participating in the cluster.
o 2-node server clusters use unicast, not multicast, messaging for all intracluster traffic.
o If you operate a server cluster of 3 or more nodes as a mixed version cluster (that is, Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition is installed on some nodes, and Windows 2000 on others), then the cluster as a whole will send unicast, not multicast, intracluster messages.

The two kinds of intracluster traffic affected by heartbeat multicasting are:
o Heartbeat messages sent between nodes.
o Node-to-node communication to verify node failures during cluster configuration changes.

What kind of application is called cluster-aware? An application is capable of being cluster-aware if it has the following characteristics: 1) It uses TCP/IP as a network protocol. 2) It maintains data in a configurable location. 3) It supports transaction processing. To know more please visit this page.

Is every Windows application cluster-aware? Why or why not? No, not every Windows application is cluster-aware. The reason is that not all of them meet the three criteria laid out for an application to qualify as cluster-aware. For example, MS Office doesn't maintain its data at a configurable location and doesn't support transaction processing either. There could be better examples of cluster-unaware applications, but I can't think of any as of now. A service like file and printer sharing, or an application like SQL or Exchange, does meet all three criteria and hence is called cluster-aware.

Is it very important to have shared storage for a cluster to run? What kind of applications may not run if we don't have shared storage? Yes, it is important to have shared storage for clusters to run. Without a shared storage location, using clusters (the exception is a single-node cluster) is futile, as the services won't be available after failover because the common data source is not there to be accessed. MS SQL and MS Exchange are examples of applications that will not run if we don't use shared storage.

What are the start options for Cluster service and under which scenario are they used?

Following are some of the start options for the Cluster service. Please follow the MS KB article to know more about them in detail.

Switch            Windows 2003 abbreviation   Function
FixQuorum         FQ                          Do not mount the quorum device, and quorum logging turned off.
NoQuorumLogging   NQ                          Quorum logging turned off.
Debug                                         Displays events during the start of Cluster service. For special syntax, see the "Debug" section of the KB article.
LogLevel N                                    Sets the log level for debug mode.
DebugResMon       DR                          The Cluster service waits for a debugger to be attached to all Resource Monitor processes at their start.

Windows 2000 and later only switches include the following.

Switch            Windows 2003 abbreviation   Function
ResetQuorumLog    RQ                          Dynamically re-creates the quorum log and checkpoint files (this functionality is automatic in Microsoft Windows NT 4.0).
NoRepEvtLogging                               No replication of Event Log entries.

Windows Server 2003 and later only switches include the following.

Switch                  Windows 2003 abbreviation   Function
ForceQuorum             FO                          Force a majority node set with the node list N1, N2, and so forth. (Applicable only for Majority Node Set quorum.)
NoGroupInfoEvtLogging   NG                          Do not log events to the event log related to group online and offline.

What is a cluster log? What is its default location? The cluster log is a diagnostic log that is a more complete record of cluster activity than the Microsoft Windows 2000/2003/2008 event log; the cluster log records the Cluster service activity that leads up to the events recorded in the event log. Although the event log can point you to a problem, the cluster log helps you get at its root. So, for diagnosis, check the event log first, then the cluster log. The default location of the cluster log is %systemroot%\cluster. In Windows 2008 you won't find it at the same location. Please see this to find out where the cluster log file is in Windows 2008.

How many logging levels do we have in 2003? What is the default logging level of Cluster log in 2003?

We have logging levels from 0 to 10. Out of them, 5 are in use; levels 6 to 10 have been reserved for future use. The default logging level is 3, and setting it means we are asking the cluster to log Errors, Warnings and Info. MS KB has some info, but it may not be entirely related to Windows 2003 or Windows 2008. Please do research to find the relevant ones for them.

What could be the maximum size of a Cluster log and where can it be set/configured? The default diagnostic cluster log size is 8 megabytes (MB), but can be changed in the manner described here.

Explain the steps or things happening in background, while Cluster disk is coming online?

What is the difference between 2000 and 2003 Cluster?

What is difference between NLB and Cluster? How do you decide whether Cluster or NLB will be required to achieve the high availability?

To know the answer, read "How is MSCS different from NLB?", which is the 3rd question from the top.

How many cluster nodes can you have in a 2003 cluster and a Windows 2008 cluster? (This depends on the OS edition.) A server cluster can consist of up to eight nodes and may be configured in one of three ways: as a single node server cluster, as a single quorum device server cluster, or as a majority node set server cluster. For more information about these three server cluster models, see Choosing a Cluster Model. In Windows 2008 the number of nodes supported can go up to 16. Visit this to find out about Windows 2003.

Is it possible to have 2000 and 2003 nodes co-exist in the same cluster? Yes, it is possible. Please note that if you are running a mixed-mode cluster, the maximum number of supported nodes is that of the most restrictive node. For example, if you have a three-node Windows Server 2003 cluster (whose maximum number of nodes is eight) and you add a single Windows 2000 Datacenter Server node, the maximum number of nodes is reduced to four.

Is it possible to have x86 and x64 2003 nodes in the same cluster? No, we cannot mix x86 and x64 OS nodes in one cluster.

What is the difference between a cluster and a geographically-dispersed cluster from an administrative perspective? Geographically dispersed clusters, also called stretched clusters or extended clusters, are clusters comprised of nodes that are placed in different physical sites. Geographically dispersed clusters are designed to provide failover in the event of a site loss due to power issues, natural disasters or other unforeseen events. From an administrative perspective the difference comes from the storage that will be used: it won't be a common storage available at the respective locations; instead, replication between the two will have to be set up and managed accordingly. Managing failover will also be different than in a normal cluster.

Are dynamic disks supported in 2003? What about GPT disks? The Windows 2000 Advanced Server and Windows Server 2003 Cluster service cannot read disks that are dynamic, and makes dynamic disks unavailable to programs or services that are dependent on these disk resources in the server cluster. For this reason, the option to upgrade these disks to dynamic is unavailable. So, to summarize, "Dynamic disks are not supported in Windows 2003 clusters." GUID partition table disks are called GPT disks. Info on GPT disks: on GPT disks, you can create up to 128 partitions. Because GPT disks do not limit you to four partitions, extended partitions and logical drives are not available on GPT disks. GPT disks are not supported in a Windows Server 2003 server cluster if you do not apply hotfix 919117. As soon as you apply this hotfix to all nodes in the Windows Server 2003 server cluster, GPT disks can be added as physical disk resources in the cluster.

What is a File Share Witness?

The file share witness is used to establish a majority node set. This is done by creating a share on a server; a little file is placed into it automatically. The server hosting the cluster resource (which in the DAG I think is the Primary Active Manager server) keeps an open file lock on this file. The other servers see this open file lock and interpret it as meaning another cluster node is online, healthy, and available. As mentioned, a file share witness is used when the DAG contains an even number of servers. When you initially create the DAG you must specify the server and file location that will act as the file share witness regardless of how many servers are in the DAG (0 to start), to ensure that if you do add an even number of DAG members the FSW will be properly used.

You do not need a dedicated server for the FSW, and typically it is recommended to use a Hub Transport server in the primary data center. This is usually a safe thing to do, as the Exchange team also manages the Hub Transport servers and the Exchange Trusted Subsystem will already be a member of the local Administrators group and have the necessary permissions to create the file share. Some people put the FSW on clustered file servers.

What is a dependency tree and how is it crucial? A dependency tree is a series of dependency relationships such that resource A depends on resource B, resource B depends on resource C, and so on. Resources in a dependency tree obey the following rules:
o A dependent resource and all of its dependencies must be in the same group.
o The Cluster service takes a dependent resource offline before any of its dependencies are taken offline, and brings a dependent resource online after all of its dependencies are online, as determined by the dependency hierarchy.
o Resource dependencies determine bindings. For example, clients will be bound to the particular IP address that a Network Name resource is dependent on.

If any of the three rules laid out for the dependency tree is not obeyed, it will be detrimental to the overall working of the clustered servers. For example, a virtual server is a combination of two resources (for instance, an IP address resource and a network name resource). Both of them have to be in the same group; if not, the cluster service won't be able to fail the group over properly.
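The three rules above, as an added example (not code from the original post or from MSCS itself): a small Python model of a resource dependency tree that enforces the same-group rule, derives the online and offline order the Cluster service would use, and reports which IP Address resource a Network Name binds to. Resource, group and kind names are constructed for illustration.

```python
"""Model of a cluster resource dependency tree (constructed example)."""


class DependencyError(Exception):
    """Raised when the tree violates one of the dependency rules."""


def _validate(resources):
    """Rule 1: every dependency must exist and sit in the same group."""
    for name, (group, deps) in resources.items():
        for dep in deps:
            if dep not in resources:
                raise DependencyError(f"{name} depends on unknown resource {dep}")
            dep_group = resources[dep][0]
            if dep_group != group:
                raise DependencyError(
                    f"{name} (group {group}) depends on {dep} (group {dep_group}); "
                    "a dependent resource and its dependencies must share a group")


def online_order(resources):
    """Rule 2, online half: return resources so that each one appears after
    all of its dependencies (a depth-first topological sort). Raises
    DependencyError on a cross-group dependency or a dependency cycle."""
    _validate(resources)
    order, state = [], {}  # state: 1 = visiting, 2 = done

    def visit(name, path):
        if state.get(name) == 2:
            return
        if state.get(name) == 1:
            raise DependencyError("dependency cycle: " + " -> ".join(path + [name]))
        state[name] = 1
        for dep in resources[name][1]:
            visit(dep, path + [name])
        state[name] = 2
        order.append(name)

    for name in sorted(resources):  # sorted for a deterministic result
        visit(name, [])
    return order


def offline_order(resources):
    """Rule 2, offline half: dependents go offline before their dependencies,
    which is exactly the online order reversed."""
    return list(reversed(online_order(resources)))


def bindings(resources, kind_of):
    """Rule 3: map each Network Name resource to the IP Address resource(s)
    it depends on, i.e. the address clients will be bound to."""
    result = {}
    for name, (_, deps) in resources.items():
        if kind_of[name] == "Network Name":
            result[name] = [d for d in deps if kind_of[d] == "IP Address"]
    return result


def validate_tree(resources):
    """Return None if the tree is usable, otherwise the rule that failed."""
    try:
        online_order(resources)
    except DependencyError as err:
        return str(err)
    return None


# Constructed sample: a file-server virtual server in one group.
# name: (group, dependencies)
SAMPLE_RESOURCES = {
    "FS-Disk": ("FileServerGroup", []),
    "FS-IP": ("FileServerGroup", []),
    "FS-Name": ("FileServerGroup", ["FS-IP"]),
    "FS-Share": ("FileServerGroup", ["FS-Name", "FS-Disk"]),
}
SAMPLE_KINDS = {"FS-Disk": "Physical Disk", "FS-IP": "IP Address",
                "FS-Name": "Network Name", "FS-Share": "File Share"}

# Same tree, but the Network Name was moved to another group (breaks rule 1).
BROKEN_RESOURCES = dict(SAMPLE_RESOURCES)
BROKEN_RESOURCES["FS-Name"] = ("OtherGroup", ["FS-IP"])

# Two resources depending on each other can never be brought online.
CYCLE_RESOURCES = {"A": ("G", ["B"]), "B": ("G", ["A"])}

if __name__ == "__main__":
    print("online :", online_order(SAMPLE_RESOURCES))
    print("offline:", offline_order(SAMPLE_RESOURCES))
    print("binds  :", bindings(SAMPLE_RESOURCES, SAMPLE_KINDS))
    print("broken :", validate_tree(BROKEN_RESOURCES))
    print("cycle  :", validate_tree(CYCLE_RESOURCES))
```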

What is IsAlive and LooksAlive? What is their frequency? What happens if IsAlive fails for a resource? LooksAlive (Looks Alive) is a general check of the resource; IsAlive (Is Alive) is a detailed check of the resource. Both are used to determine if the resource is in the online state. You can specify two polling intervals and a timeout value for resources. The polling intervals affect how often the MSCS Resource Monitor checks that the resource is available and operating. There are two levels of polling; they are known in Cluster Administrator as "Looks Alive" and "Is Alive." These values are named for the calls that the Resource Monitor makes to the resource to perform the polling. In "Looks Alive" polling, MSCS performs a cursory check to determine if the resource is available and running. In "Is Alive" polling, MSCS performs a more thorough check to determine if the resource is fully operational. The timeout value specifies how many seconds MSCS waits before it considers the resource failed. Read more in the section MSCS Failover, fourth paragraph.

How many times will the cluster try to restart the group/resource before it marks the group/resource as failed? It all depends on how we configure it. You can configure the advanced resource properties using the Advanced tab in the resource Properties dialog box. Use the Advanced tab to have MSCS perform the following tasks:

o Restart a resource or allow the resource to fail.
  o To restart the resource, select Affect the group (if applicable).
  o To fail over the resource group to another cluster node when the resource fails, select Affect the group and then enter the appropriate values in Threshold and Period. If you do not select Affect the group, the resource group will not fail over to the healthy cluster node.
  The Threshold value determines the number of attempts by MSCS to restart the resource before the resource fails over to a healthy cluster node. The Period value assigns a time window within which the Threshold number of restarts is counted.
o Adjust the time parameters for Looks Alive (general check of the resource) or Is Alive (detailed check of the resource) to determine if the resource is in the online state. To apply the default number for the resource type, select Use resource type value.
o Specify the time parameter for a resource in a pending state (Online Pending or Offline Pending) to resolve its status before moving the resource to Offline or Failed status.
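The Threshold, Period and Affect the group semantics described above, as an added simulation (not code from the original post or from MSCS): a fault is noticed at the next Is Alive poll, restarts are counted within a sliding Period window, and once Threshold is exhausted the next fault either fails the group over to another node or leaves the resource Failed. The assumption that the fault following the Threshold-th restart is the one that triggers failover, and all numeric values and node names, are constructed for illustration.

```python
"""Simulation of the MSCS resource restart/failover policy (constructed example)."""
import math
from dataclasses import dataclass, field


@dataclass
class FailurePolicy:
    threshold: int              # restarts allowed within `period` seconds
    period: int                 # sliding window (seconds) in which restarts are counted
    affect_group: bool          # True: fail the group over once threshold is exhausted
    is_alive_interval: int = 60  # seconds between Is Alive polls (constructed default)


@dataclass
class Resource:
    name: str
    node: str                   # node currently hosting the group
    nodes: list                 # possible owner nodes, in failover order
    policy: FailurePolicy
    state: str = "Online"
    restarts: list = field(default_factory=list)  # detection times of counted restarts
    events: list = field(default_factory=list)    # (time, description) log


def detection_time(fault_time, interval):
    """A fault is only noticed at the next Is Alive poll after it occurs."""
    return math.ceil(fault_time / interval) * interval


def handle_fault(res, fault_time):
    """Apply the policy to one fault; return the resulting resource state."""
    if res.state == "Failed":
        return res.state  # no further restarts once the resource has failed
    t = detection_time(fault_time, res.policy.is_alive_interval)
    # Only restarts inside the sliding Period window count toward Threshold.
    res.restarts = [r for r in res.restarts if t - r < res.policy.period]
    if len(res.restarts) < res.policy.threshold:
        res.restarts.append(t)
        res.events.append((t, f"restart {len(res.restarts)}/{res.policy.threshold} on {res.node}"))
        res.state = "Online"
    elif res.policy.affect_group:
        # Threshold exhausted and Affect the group set: move the group on.
        current = res.nodes.index(res.node)
        res.node = res.nodes[(current + 1) % len(res.nodes)]
        res.restarts = []  # the new node starts with a clean restart count
        res.events.append((t, f"group failed over to {res.node}"))
        res.state = "Online"
    else:
        # Affect the group not set: the resource fails, the group stays put.
        res.state = "Failed"
        res.events.append((t, "resource marked Failed; group does not fail over"))
    return res.state


def run(fault_times, policy, nodes=("NODE1", "NODE2")):
    """Feed a list of fault times (seconds) through the policy and return the resource."""
    res = Resource("SQL-Instance", nodes[0], list(nodes), policy)
    for fault in fault_times:
        handle_fault(res, fault)
    return res


if __name__ == "__main__":
    policy = FailurePolicy(threshold=3, period=900, affect_group=True)
    res = run([10, 100, 200, 300], policy)
    for when, what in res.events:
        print(f"t={when:4d}s  {what}")
    print("final:", res.state, "on", res.node)
```

The sliding window is what makes Period matter: with the same Threshold but a short Period, faults spaced further apart than Period never accumulate, so the resource keeps being restarted on the same node.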

What are the improvements made in Windows 2008 clustering? Some of the improvements worth mentioning here are:
o New validation feature. With this feature, you can check that your system, storage, and network configuration is suitable for a cluster.
o Support for GUID partition table (GPT) disks in cluster storage. GPT disks can have partitions larger than two terabytes and have built-in redundancy in the way partition information is stored, unlike master boot record (MBR) disks.
For the full list of improvements please visit this.

For some on-demand webcasts and PPTs on Windows 2008 clustering please visit this page. Below are the TechNet resources which can be of help.

Introduction

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

I would like to inform you all that the following resources have been referenced while writing these questionnaires: Microsoft TechNet, Microsoft MSDN, support.dell.com, Microsoft TechNet blog.

Posted 15th July 2011 by Chandan Patralekh

Mar 14 Troubleshooting RPC server is unavailable error, reported in failing AD replication scenario

The RPC endpoint mapper error can be fixed using the KB: 839880. Broadly speaking, there are three things one needs to check to troubleshoot the "RPC server unavailable" problem during Active Directory replication.
1) DNS name resolution is working.
2) The ports across the firewall are open.
3) There is no resource crunch on the server. A resource here means the ports the server is listening on and has available in the pool (MaxUserPort registry key), and memory. This ensures that the server is able to entertain the connection requests it is receiving.
To troubleshoot port-related issues, one can visit this link and fix the problem related to ports. Regarding DNS and resource crunch, I'll have a discussion here.

Posted 14th March 2011 by Chandan Patralekh Labels: RPC server unavailable RPC endpoint mapper error AD replication

Feb 18 The security database on the server does not have a computer account for this workstation trust relationship

I recently faced this error: "The security database on the server does not have a computer account for this workstation trust relationship". I resolved it with the simple steps below.

1) Remove the system from the domain.
2) Set the DNS suffix correctly. Ensure that you have all the suffixes set correctly, especially for the domain where you log in.
3) Add the system back to the domain.
My guess is, if the DNS suffix is set up correctly before adding the system to the domain, this error/problem can be avoided. Further discussion is available HERE.

Posted 18th February 2011 by Chandan Patralekh

Aug 22 Exchange Server in Depth: Master Concepts and Optimize Your Server Environment > Webcasts

The above video demonstrates how to download the free webcast from the links available in this page and all my other pages.

(Part 01 of 24): Integration of Exchange Server 2007 and Active Directory (Level 200)
This kicks off a 24-hour learning series on Microsoft Exchange Server 2007. In this webcast, we cover the basic relationship between the Active Directory directory service and Exchange Server 2007. Learn about the important components of Active Directory that are required before you can install Exchange Server 2007. We also discuss the components Exchange Server installs and modifies, and we explain what these components do. This presentation starts on a high level with a review of some basic Active Directory concepts; we then get specific and look at the objects and schema extensions Exchange Server 2007 installs. Click here for the Video.

(Part 02 of 24): Transport and Routing Architecture (Level 200)


In this installment of our 24-hour learning series, we discuss the changes made to the routing and transport functions in Microsoft Exchange Server 2007. We review the pros and cons of message routing and transport services in Microsoft Exchange Server 2003 and Exchange Server 2000. Then we look at the improvements made to transport and message routing in Exchange Server 2007, highlighting the benefits these enhancements offer users and administrators. Click here for the Video.

(Part 03 of 24): Planning Installation (Level 200)


In part three of our series, we focus on planning for the installation of Microsoft Exchange Server 2007. We concentrate on deploying the five distinct server roles in Exchange Server 2007: Edge Transport, Hub Transport, Client Access, Mailbox, and Unified Messaging. We also cover other planning considerations, including storage sizing, server sizing, server placement, and management options, such as Microsoft Operations Manager (MOM). Join us for part four, the next session of our series, for greater detail on installing Exchange Server 2007. Click here for the Video.

(Part 04 of 24): Installing Exchange Server 2007 (Level 200)


In this webcast, we continue with the installation of Microsoft Exchange Server 2007 we started in the previous session. We provide an overview of the complete installation process, starting with the Active Directory directory service preparation. Join us as we explore the options for installing Exchange Server 2007 in unattended mode. We describe how to verify your installation was successful and provide troubleshooting techniques if you experienced any issues with the installation. We conclude this presentation by illustrating how to install additional software that might be required by your installation of Exchange Server 2007. Click here for the Video.

(Part 05 of 24): Transitioning and Migrating to Exchange Server 2007 (Level 200)

In the previous session of this series, we discussed installing Microsoft Exchange Server 2007. But what if you have an existing Exchange Server environment? What are your options then? What if you are using another messaging environment? In this webcast, we cover transitioning from Microsoft Exchange Server 2003 to Exchange Server 2007. We also examine upgrading from Microsoft Exchange Server 2000 or Exchange Server 5.5 and explore migrating from a Lotus Notes environment to Exchange Server 2007. Click here for the video

(Part 06 of 24): Configuring Exchange Server Introduction (Level 200)


This webcast and the next webcast in this 24-part series are dedicated to configuring Microsoft Exchange Server 2007. In the first part of this two-part session on configuring the installation of Exchange Server 2007, we look at some post-installation tasks for securing the installation and the delegation of permissions. We explore the administration tools in Exchange Server 2007 and introduce Windows PowerShell, a new command-line shell and task-based scripting technology that we explore in greater detail in later sessions. We also cover implementing the Mailbox server role in Exchange Server 2007, explain how to configure this server role, and describe the database and storage groups. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the Video

(Part 07 of 24): Configuring Exchange Server Conclusion (Level 200)


This webcast and the previous webcast in this 24-part series are dedicated to configuring Microsoft Exchange Server 2007. In this second presentation of our two-part session on configuring Exchange Server 2007, we focus on public folders by describing what public folders are, explaining the replication model for public folders, and exploring how client computers access public folders. We spend the majority of time in this webcast demonstrating the administrative tasks you need to perform to configure and manage public folders. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the video

(Part 08 of 24): Introduction to Windows PowerShell (Level 200)


In this installment of our 24-hour learning series on Microsoft Exchange Server 2007, we explore the new command-line interface, Windows PowerShell. Over the course of the next two sessions, we examine Windows PowerShell and provide examples of how to use it to manage Exchange Server 2007. We describe the new interface, outline the concepts behind it, and illustrate the language Windows PowerShell uses for scripting. Attend this presentation to learn more about operators, conditions, and other scripting techniques for building your first cmdlets, single-feature command-line tools used to manipulate objects in Windows PowerShell. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the video

(Part 09 of 24): Using PowerShell for Exchange Management (Level 200)


Having covered the basics of Windows PowerShell in Part 08 of this 24-part series, Introduction to Windows PowerShell, this session concentrates on using Windows PowerShell to manage a Microsoft Exchange Server 2007 environment. In this webcast, we cover the Exchange management model, which provides us with the basis for our scripts later on. We spend time in an application showing the scripts and explaining how they work to describe Windows PowerShell management for Exchange Server. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the Video

(Part 10 of 24): Recipient Management, Policies, and Permissions (Level 200)


This is the first of six webcasts in the series in which we focus on various aspects of security in Microsoft Exchange Server 2007. In this session, we explore policies and permissions, and we illustrate the recipient management model, which has changed since Microsoft Exchange Server 2003. Join this session to learn how Exchange Server 2007 handles resources and what changes there are to the administrative permission model. We also demonstrate how Exchange Server 2007 gives you the option to separate your Active Directory directory service administration from your Exchange Server. Other topics we cover in the next five webcasts on Exchange Server 2007 security include compliance, antivirus, anti-spam, edge protection with the Edge Transport server role, and Microsoft Internet Security and Acceleration (ISA) Server. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click Here for the Video

(Part 11 of 24): Messaging Policies and Compliance (Level 200)

In this session, we look at the messaging policy and compliance features within Microsoft Exchange Server 2007. We define messaging policy and compliance, and we explore the options for implementing messaging policies and records management. We also demonstrate how to implement and configure managed e-mail folders and retention policies. Join this webcast for a discussion on transport rules in Exchange Server 2007, as we examine what they are and describe how to establish them. We conclude this webcast discussing message journaling, illustrating how it works and showing you how to implement it. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the video

(Part 12 of 24): Configuring Edge Transport Servers (Level 200)


In this session, we look at the Edge Transport server role in Microsoft Exchange Server 2007. While we provided an overview of server roles in an earlier session of this series on Exchange Server 2007, we look at configuring the Edge Transport role in greater detail in this webcast. We begin by exploring the process for implementing an Edge Transport server role and by discussing EdgeSync, a service that provides data replication and synchronization between Active Directory and Active Directory Application Mode (ADAM) for a subscribed Edge Transport server. From there, we examine the Internet message delivery, describe how it works, and demonstrate how to configure Simple Mail Transfer Protocol (SMTP) connectors. We conclude with a discussion of security concerns associated with using SMTP e-mail and illustrate the options you have for securing SMTP e-mail. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the video

(Part 13 of 24): Maintaining Anti-Spam Systems (Level 200)


This is the fourth webcast of six in this webcast series in which we focus on various aspects of security in Microsoft Exchange Server 2007. We cover the anti-spam features and review the defense-in-depth approach to anti-spam management in Exchange Server 2007. We discuss Microsoft Exchange Hosted Services and describe how the services work to help protect your organization from malicious software (malware). Join this webcast to learn how to implement the anti-spam features and filtering capabilities in Exchange Server 2007. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the video

(Part 14 of 24): Maintaining Antivirus (Level 200)


We continue looking at security in Microsoft Exchange Server 2007 in this session by introducing the antivirus features and the defense-in-depth approach to antivirus in Exchange Server 2007. We review the integration features in Exchange Server for antivirus software and discuss Microsoft Forefront for Exchange Server 2007. Join this webcast to learn how to implement these features in Exchange Server 2007 and to learn how Forefront for Exchange Server 2007 helps provide greater protection and control over the security of your network infrastructure. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the Video

(Part 15 of 24): Using Internet Security and Acceleration (ISA) Server 2006 for Secure Exchange Server Publishing (Level 200)
In this session, we explore how you can use Microsoft Internet Security and Acceleration (ISA) Server 2006 to allow a Microsoft Exchange Server 2007 environment to be exposed to the outside world with little risk. We introduce the topic of our next session, Microsoft Office Outlook Web Access (OWA), by demonstrating ways you can publish Exchange Server 2007 messaging features to a mobile work force. We examine how ISA Server 2006 provides protection for those elements of your network that need to be connected to the outside world. Setting up the correct filters and policies can be tricky; however, we demonstrate how ISA Server 2006 has a number of built-in features that allow you to set up the correct filters and policies using simple wizards. We also describe the policies and filters in ISA Server 2006 and show how you can easily modify them to adapt to any environment. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click Here for the Video

(Part 16 of 24): Outlook Web Access in Exchange Server 2007 (Level 200)
In this session, we describe the new and enhanced features in Microsoft Office Outlook Web Access (OWA) in Microsoft Exchange Server 2007. We discuss the two versions of OWA, Outlook Web Access Light and Outlook Web Access Premium. Join this webcast to learn about the requirements for deploying and securing OWA and the new features in OWA, such as the integration with Microsoft SharePoint products and technologies. We conclude our presentation by exploring how to manage an OWA environment. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the video

(Part 17 of 24): Unified Messaging (Level 200)


In this webcast, we describe deploying Microsoft Exchange Server 2007 Unified Messaging (UM). Learn how deploying UM requires integrating Exchange Server 2007 with your organization's existing telephony system, which can be a significant challenge to Exchange Server administrators, who may have little telephony knowledge. A successful UM deployment requires careful analysis of your existing telephony infrastructure and proper planning. Join this session for help with this planning stage; we explore the requirements and outline the questions you need to answer before deploying UM yourself or hiring a systems integrator to perform the integration. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the video

(Part 18 of 24): Mobility (Level 200)


In previous sessions in our series, we discussed providing services to remote users by using Microsoft Office Outlook Web Access (OWA) and Microsoft Exchange Server 2007 Unified Messaging (UM). In this webcast, we explore the support for mobile devices in Exchange Server 2007. We cover Exchange ActiveSync and describe how it enables Windows Mobile powered devices to access information on a server running Exchange Server 2007. Join this presentation to learn how to configure ActiveSync virtual directories and how to create and manage ActiveSync policies for mobile devices. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the video

(Part 19 of 24): Introduction to Exchange Server 2007 Disaster Recovery (Level 200)
In this webcast and the next, we look at disaster recovery in Microsoft Exchange Server 2007. Over the course of these two sessions, we cover recovering messaging databases, preparing for and recovering from mailbox server failures, and preparing for and recovering from non-mailbox server failures. Join this session to learn about the options for database recovery, backup, and repair, in addition to dial-tone recovery. We also demonstrate the techniques required for these disaster recovery tasks. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the Video

(Part 20 of 24): Exchange Server 2007 Disaster Recovery (Level 200)


In this webcast, we expand on the information covered in the previous webcast and further explore disaster recovery for Microsoft Exchange Server 2007. Our focus in this session is the server; we describe how to perform a recovery on mailbox servers and the other role servers. We discuss the recovery options you have and the data you need to recover a role server in Exchange Server 2007. We also demonstrate the recovery process and the steps you need to take for a successful recovery. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the video

(Part 21 of 24): Monitoring (Level 200)


This is the first of four webcasts in the series in which we look at monitoring and troubleshooting Microsoft Exchange Server 2007. In this session, we describe how monitoring an Exchange Server 2007 environment breaks down into two areas, server and client computers. We cover Microsoft Operations Manager 2005 (MOM), describe the management pack concept used by MOM to monitor servers, and look closely at the management pack for Exchange Server 2007. We also explain how to use MOM to manage client computer connectivity. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the Video

(Part 22 of 24): Using the Toolbox (Level 200)


In this session, we look at the tools in Microsoft Exchange Server 2007 that you can use to maintain an Exchange Server messaging environment. Learn how you can check the health of your Exchange Server environment by using the Microsoft Exchange Server Best Practices Analyzer, a tool that remotely collects configuration data from each server in the topology and automatically analyzes the data. We also introduce the Microsoft Exchange Troubleshooting Assistant, a tool that helps you troubleshoot performance, manage database recovery, and troubleshoot mail-flow issues. We demonstrate how to use the Exchange Troubleshooting Assistant, and we explain the tool in more detail in the subsequent two sessions. We also cover Performance Monitor, a tool you can configure to collect information about the performance of your messaging system, and we describe how to use the counters in Performance Monitor for monitoring Exchange Server 2007. To complete the homework that is associated with this webcast series, you can register and attend the live Labcast Series, or you can register for a self-paced Virtual Lab. Click here for the video

(Part 23 of 24): Troubleshooting MAPI and Client Access Server Clients (Level 200)
Keep the lines of communication open. We cover troubleshooting Microsoft Exchange Server 2007 MAPI and Client Access Server client computers in the last two webcasts of this 24-part series. Attend this session to learn how to identify the causes for MAPI and remote client computer connectivity issues and what you can do to resolve these issues. To complete the homework that is associated with this webcast series, you can register and attend the live TechNet Labcast series, or you can register for a self-paced TechNet Virtual Lab. Click here for the video

(Part 24 of 24): Troubleshooting E-Mail Flow (Level 200)


To keep the messages flowing, we cover troubleshooting Microsoft Exchange Server 2007 e-mail flow in this last webcast of the series. Learn how you can troubleshoot internal mail flow, external mail flow, message queue bottlenecks, undelivered e-mail messages, and problems with mailbox servers. To complete the homework that is associated with this webcast series, you can register and attend the live TechNet Labcast series, or you can register for a self-paced TechNet Virtual Lab. Click here for the video

How do I: Install Exchange 2007 Prerequisites for Windows Server 2008


In this video Nicolas Blank shows you how to install the prerequisites for installing Exchange 2007 onto Windows Server 2008. Click Here for Video

How Do I: Configure Security Policies on my Windows Mobile Devices Using Exchange 2007?
With more users carrying smart phones, the possibility of sensitive data being compromised as a result of a device being lost is a growing concern for IT Pros. Exchange 2007 provides a no-cost option for securing Windows Mobile devices through the use of ActiveSync policies. In this video Gordon Ryan steps through the process of creating a policy and assigning it to a user. Click Here for the Video

How do I: Remotely Wipe a Windows Mobile Device if an Employee Loses it


Employees losing mobile devices is a concern for any IT Pro, but with Exchange 2007 and Windows Mobile 6, you can remotely wipe a lost device and know that the data has been removed. In this video, Gordon Ryan shows you how to do this using Outlook Web Access and the Exchange graphical and PowerShell administration tools. Click Here for Video

How do I: Configure Exchange 2007 to accept e-mail for multiple domains.


This video provides a walk through on how to configure Exchange 2007 to accept e-mail for multiple domains. It shows how to create an accepted domain record and how to create an e-mail address policy. Click Here for Video

How do I: Create a new storage group and a new mailbox database


This video provides a walk through on how to create a new storage group and a new mailbox database in Microsoft Exchange Server 2007 using the Exchange Management Console. Click Here for Video

How do I: Use Exchange Management Features in PowerShell


Learn how to combine the PowerShell skills you've learned in the previous sessions to manage Exchange 2007. Build reports, view event logs and manage your servers' health using PowerShell. Click Here for Video

How Do I: Enable the Anti-spam Agent in a Single Server Exchange Server Environment?

This video provides a walk through on how to enable anti-spam filtering on a single server Exchange 2007 implementation. Click Here for Video

How do I: Set up E-mail Co-Existence Between MOS and a Local Exchange Server
This video shows how to set up e-mail co-existence between Microsoft Online Services (MOS) and your local Exchange server. This demo shows how to add your registered domain to MOS, verify domain ownership, set up the domain as an external relay server for mail, and verify e-mail traffic between MOS and your Exchange server. Click Here for Video

Forefront Management Console Part 1


The Microsoft Forefront Security Management Console provides Forefront administrators with a tool that allows them to centrally manage the Forefront server deployments within their environments. In the first video in this series, Gordon Ryan demonstrates how to install the console and then create a package to deploy Forefront Security for Exchange. Click Here for Video

Forefront Management Console Part 2


The Microsoft Forefront Security Management Console provides Forefront administrators with a tool that allows them to centrally manage the Forefront server deployments within their environments. In this, the second video in this series, Gordon Ryan demonstrates how to create a scheduled job to download AV signature updates, configure the general options for a server and to modify the operations settings for a group of Forefront servers to respond to a worm outbreak. Click Here for Video

Forefront Management Console Part 3


The Microsoft Forefront Security Management Console provides Forefront administrators with a tool that allows them to centrally manage the Forefront server deployments within their environments. In this, the third video in this series, Gordon Ryan demonstrates how to configure alerting using the management console and discusses the use of filters to view the alerts. Click Here for Video

Exchange Message Scan


Join Gordon Ryan as he shows how to configure Microsoft Forefront Security for Exchange Server to scan messages that are in the store and as they are accessed. In this video he shows how to configure file filters, content filters and email notifications. Click Here for Video

Exchange Quarantined E-mails


Join Gordon Ryan as he shows how to manage emails and files that have been quarantined by Microsoft Forefront Security for Exchange Server. In this video he shows how to configure the security mode for messages delivered from quarantine, how to export the incident and the quarantine log files, how to redeliver messages and how to save attachments. Click Here for Video

Incoming E-mail Scan

Join Gordon Ryan as he shows how to configure Microsoft Forefront Security for Exchange Server to scan incoming and outgoing e-mails. In this video he shows how to configure file and keyword filters as well as configuring notifications. Click Here for Video

How do I: Synchronize Active Directory with Microsoft Online Services


This video shows how to synchronize users in your local Active Directory with Microsoft Online Services (MOS). This demo shows how to download and install the MOS Directory Synchronization tool, synchronize Active Directory with MOS, edit an Active Directory user and synchronize the change with MOS, and enable a synchronized account to use MOS. Click Here for Video
