
What is Active Directory ?

Active Directory is a metadata store. It is a database that stores
information such as user information, computer information and other
network object information. It has the capability to manage and administer the
complete network connected to AD.
>What is KCC ?
KCC (Knowledge Consistency Checker) is used to generate the replication topology
for inter-site replication and for intra-site replication. Within a site, replication
traffic is done via remote procedure calls over IP, while between sites it is done
through either RPC or SMTP.
>What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files. The
contents of the SYSVOL folder, such as group policy, users etc., are replicated to all
domain controllers in the domain.
Enterprise Admins: Members of this group have full control of all domains in
the forest. By default, this group is a member of the Administrators group on all
domain controllers in the forest. By default, the Administrator account is a
member of this group. Because this group has full control of the forest, add
users with caution.
Domain Admins: Members of this group have full control of the domain. By
default, this group is a member of the Administrators group on all domain
controllers, all domain workstations, and all domain member servers at the time
they are joined to the domain. By default, the Administrator account is a
member of this group. Because the group has full control in the domain, add
users with caution.
What is LSDOU?
It is the group policy inheritance model, where the policies are applied to Local
machines, Sites, Domains and Organizational Units.
> What is Garbage collection ?
Garbage collection is the process of the online defragmentation of Active
Directory. It happens every 12 hours.
>What is the difference between Server 2003 and 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for
Virtualization) but only on 64-bit versions. More and more companies are seeing
this as a way of reducing hardware costs by running several 'virtual' servers on
one physical machine.)
2. Server Core (provides the minimum installation required to carry out a
specific server role, such as for a DHCP, DNS or print server)
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection - Microsoft's system for ensuring that clients
connecting to Server 2008 are patched, running a firewall and in compliance
with corporate security policies.
8. PowerShell - Microsoft's command line shell and scripting language has
proved popular with some server administrators.
9. IIS 7.
10. BitLocker - System drive encryption can be a sensible security measure for
servers located in remote branch offices.
The main difference between 2003 and 2008 is Virtualization, management.
2008 has more in-built components and updated third party drivers.
11. Windows Aero.
>What are the group types available in Active Directory ?
Security groups: Use security groups for granting permissions to gain access to
resources. Sending an e-mail message to a group sends the message to all
members of the group. Therefore security groups share the capabilities of
distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages
to groups of users. You cannot grant permissions to security groups. Even
though security groups have all the capabilities of distribution groups,
distribution groups are still required, because some applications can only read
distribution groups.
>Explain about the group scopes in AD ?
Domain Local Group: Use this scope to grant permissions to domain resources
that are located in the same domain in which you created the domain local
group. Domain local groups can exist in all mixed, native and interim functional
levels of domains and forests. Domain local group memberships are not limited,
as you can add members as user accounts, universal and global groups from
any domain. Just to remember, nesting cannot be done in a domain local group. A
domain local group will not be a member of another Domain Local or any other
groups in the same domain.
Global Group: Users with similar function can be grouped under global scope
and can be given permission to access a resource (like a printer or shared folder
and files) available in the local or another domain in the same forest. To say in simple
words, Global groups can be used to grant permissions to gain access to
resources which are located in any domain but in a single forest, as their
memberships are limited. User accounts and global groups can be added only
from the domain in which the global group is created. Nesting is possible in Global
groups within other groups, as you can add a global group into another global
group from any domain. Finally, to provide permission to domain specific
resources (like printers and published folders), they can be members of a
Domain Local group. Global groups exist in all mixed, native and interim
functional levels of domains and forests.
Universal Group Scope: These groups are precisely used for email distribution
and can be granted access to resources in all trusted domains, as these groups
can only be used as a security principal (security group type) in a Windows 2000
native or Windows Server 2003 domain functional level domain. Universal group
memberships are not limited like global groups. All domain user accounts and
groups can be a member of a universal group. Universal groups can be nested
under a global or Domain Local group in any domain.
Global catalog
A domain controller that contains a partial replica of every domain in Active Directory.
A global catalog holds a replica of every object in Active Directory but with a limited number
of attributes. A global catalog stores frequently used attributes like user first name
and last name.
Schema
A description of the object classes and attributes stored in Active Directory. For
each object class, the schema defines what attributes an object must have, what
additional attributes it may have, and what object class can be its parent.
FSMO ROLES
Forest wide roles
Schema master: the schema master controls all updates and modifications to the
schema.
Domain naming: the domain naming master must be available when adding and
removing domains in the forest.
Domain wide roles
Relative ID (RID) Master
Allocates RIDs to DCs within a Domain. When an object such as a user, group or
computer is created in AD it is given a SID. The SID consists of a Domain SID
(which is the same for all SIDs created in the domain) and a RID which is unique to
the Domain.
When moving objects between domains you must start the move on the DC which
is the RID master of the domain that currently holds the object.
PDC Emulator
The PDC emulator acts as a Windows NT PDC for backwards compatibility; it can
process updates to a BDC.
It is also responsible for time synchronising within a domain.
It is also the password master (for want of a better term) for a domain. Any
password change is replicated to the PDC emulator as soon as is practical. If a
logon request fails due to a bad password the logon request is passed to the PDC
emulator to check the password before rejecting the login request.
Infrastructure Master
The infrastructure master is responsible for updating references from objects in its
domain to objects in other domains. The global catalog is used to compare data as
it receives regular updates for all objects in all domains.
Any change to user-group references is updated by the infrastructure master. For
example if you rename or move a group member and the member is in a different
domain from the group the group will temporarily appear not to contain that
membe
NTDSUTIL
NTDSUTIL provides FSMO maintenance and the option to seize a role (covered in
the FSMO Role Failure section below).
To transfer a role using ntdsutil use the example below as a template for all the
roles.
Open a command prompt
Enter in ntdsutil
At the ntdsutil command prompt enter in roles
At the fsmo maintenance prompt enter in connections
At the server connections prompt enter in connect to server domaincontrollername
At the server connections prompt enter in quit
At the fsmo maintenance prompt enter in transfer schema master
Quit from the console
DNS
>What is the port no of DNS ?
53.
>What is a Forward Lookup?
Resolving Host Names to IP Addresses.
>What is Reverse Lookup?
It's a file that contains host names to IP mapping information.
>What is a Resource Record?
It is a record that provides the information about the resources available in the network
infrastructure.
>What are the diff. DNS Roles?
Standard Primary, Standard Secondary, & AD Integrated.
>What is a Zone?
Zone is a sub tree of DNS database.
> What is primary, Secondary, stub & AD Integrated Zone?
Primary Zone: zone which is saved as a normal text file with filename (.dns) in
DBS folder. Maintains a read, write copy of the zone database.
Secondary Zone: maintains a read only copy of the zone database on another DNS
server. Provides fault tolerance and load balancing by acting as backup server to
the primary server.
Stub zone: contains a copy of name server and SOA records used for reducing
the DNS search orders. Provides fault tolerance and load balancing.
> What is the main purpose of SRV records ?
SRV records are used in locating hosts that provide certain network services.
Windows Cluster
> What is Quorum ? A shared storage needs to be provided for all servers, which
keeps information about clustered application and session state and is useful in
a FAILOVER situation. This is very important: if the Quorum disk fails, the entire cluster will
fail.
>Explain about each Quorum type ?
Node Majority: Each node that is available and in communication can vote. The
cluster functions only with a majority of the votes, that is, more than half.
Node and Disk Majority: Each node plus a designated disk in the cluster storage
(the "disk witness") can vote, whenever they are available and in
communication. The cluster functions only with a majority of the votes, that is,
more than half.
Node and File Share Majority: Each node plus a designated file share created by
the administrator (the "file share witness") can vote, whenever they are
available and in communication. The cluster functions only with a majority of
the votes, that is, more than half.
No Majority: Disk Only: The cluster has quorum if one node is available and in
communication with a specific disk in the cluster storage.
IMPORTANT PORT NUMBERS
DNS: 53
DHCP: 67
FTP: 21
Telnet: 23
LDAP: 389
The forest sets the default boundaries of trust, not the domain, and implicit,
transitive trust is automatic for all domains within a forest. As well as two-way
transitive trust, AD trusts can be a shortcut (joins two domains in different
trees, transitive, one- or two-way), forest (transitive, one- or two-way),
realm (transitive or nontransitive, one- or two-way), or external
(nontransitive, one- or two-way) in order to connect to other forests or non-AD
domains.
One-way trust - One domain allows access to users on another domain, but
the other domain does not allow access to users on the first domain.
Two-way trust - Two domains allow access to users on both domains.
Trusting domain - The domain that allows access to users from a trusted
domain.
Trusted domain - The domain that is trusted; whose users have access to the
trusting domain.
Transitive trust - A trust that can extend beyond two domains to other
trusted domains in the forest.
Intransitive trust - A one way trust that does not extend beyond two
domains.
Explicit trust - A trust that an admin creates. It is not transitive and is one
way only.
Cross-link trust - An explicit trust between domains in different trees or in the
same tree when a descendant/ancestor (child/parent) relationship does not
exist between the two domains.
IIS
What is Application Pool in IIS ?
Before giving the definition, you can say it like this: the concept of Application pool has been there from IIS
6.0.
Application pools are used to separate sets of IIS worker processes that share the same
configuration and application boundaries. Application pools are used to isolate our web
applications for better security, reliability, availability and performance, and to keep them running
without impacting each other. The worker process serves as the process boundary that
separates each application pool so that when one worker process or application is having an
issue or recycles, other applications or worker processes are not affected.
One Application Pool can have multiple worker processes also.
Main Points to Remember:
1. Isolation of different web applications
2. Individual worker process for different web applications
3. More reliable web application
4. Better performance
What is Recycling of Application Pool ?
Recycling Application pool means recycling the worker process (w3wp.exe) and the memory
used for the web application.
There are two types of recycling related with Application pool
1. Recycling Worker Process - Predefined Settings
2. Recycling Worker Process - Based on Memory
What are the different security settings available in IIS ?
Below are the commonly used IIS security settings
1. Anonymous
2. Integrated Windows Authentication
3. Basic Authentication
4. Digest Authentication
5. Passport Authentication
To set security permissions you need to go to Virtual Directory > Right Click > Properties >
Directory Security
Click on the Edit button.
What is web garden ?
By default each Application Pool runs with a single worker process (w3wp.exe). We can
assign multiple worker processes to a single Application Pool. An Application Pool with
multiple worker processes is called a Web Garden. Each worker process should have its own
thread and own memory space.
Generally it's not recommended to use InProc Session mode while we are using a Web Garden.
How we can create a web garden ?
For creating a web garden we need to go to Application Pool, then Right Click on Application
Pool > Properties > Go to Performance Tab
In the Web Garden section, increase the number of worker processes. By default it is 1.
IIS ERROR LIST
1xx - Informational
These HTTP status codes indicate a provisional response. The client computer receives one or more 1xx responses
before the client computer receives a regular response.
IIS 7.0, IIS 7.5, and IIS 8.0 use the following informational HTTP status codes:
100 - Continue.
101 - Switching protocols.
2xx - Success
These HTTP status codes indicate that the server successfully accepted the request.
IIS 7.0, IIS 7.5, and IIS 8.0 use the following success HTTP status codes:
200 - OK. The client request has succeeded.
201 - Created.
202 - Accepted.
203 - Nonauthoritative information.
204 - No content.
205 - Reset content.
206 - Partial content.
3xx - Redirection
These HTTP status codes indicate that the client browser must take more action to fulfill the request. For example,
the client browser may have to request a different page on the server. Or, the client browser may have to repeat the
request by using a proxy server.
IIS 7.0, IIS 7.5, and IIS 8.0 use the following redirection HTTP status codes:
301 - Moved permanently.
302 - Object moved.
304 - Not modified.
307 - Temporary redirect.
4xx - Client error
These HTTP status codes indicate that an error occurred and that the client browser appears to be at fault. For
example, the client browser may have requested a page that does not exist. Or, the client browser may not have
provided valid authentication information.
IIS 7.0, IIS 7.5, and IIS 8.0 use the following client error HTTP status codes:
400 - Bad request. The request could not be understood by the server due to malformed syntax. The client
should not repeat the request without modifications.
IIS 7.0, IIS 7.5, and IIS 8.0 define the following HTTP status codes that indicate a more specific cause of a
400 error:
  o 400.1 - Invalid Destination Header.
  o 400.2 - Invalid Depth Header.
  o 400.3 - Invalid If Header.
  o 400.4 - Invalid Overwrite Header.
  o 400.5 - Invalid Translate Header.
  o 400.6 - Invalid Request Body.
  o 400.7 - Invalid Content Length.
  o 400.8 - Invalid Timeout.
  o 400.9 - Invalid Lock Token.
401 - Access denied.
IIS 7.0, IIS 7.5, and IIS 8.0 define several HTTP status codes that indicate a more specific cause of a 401
error. The following specific HTTP status codes are displayed in the client browser but are not displayed in
the IIS log:
  o 401.1 - Logon failed.
  o 401.2 - Logon failed due to server configuration.
  o 401.3 - Unauthorized due to ACL on resource.
  o 401.4 - Authorization failed by filter.
  o 401.5 - Authorization failed by ISAPI/CGI application.
403 - Forbidden.
IIS 7.0, IIS 7.5, and IIS 8.0 define the following HTTP status codes that indicate a more specific cause of a
403 error:
  o 403.1 - Execute access forbidden.
  o 403.2 - Read access forbidden.
  o 403.3 - Write access forbidden.
  o 403.4 - SSL required.
  o 403.5 - SSL 128 required.
  o 403.6 - IP address rejected.
  o 403.7 - Client certificate required.
  o 403.8 - Site access denied.
  o 403.9 - Forbidden: Too many clients are trying to connect to the web server.
  o 403.10 - Forbidden: web server is configured to deny Execute access.
  o 403.11 - Forbidden: Password has been changed.
  o 403.12 - Mapper denied access.
  o 403.13 - Client certificate revoked.
  o 403.14 - Directory listing denied.
  o 403.15 - Forbidden: Client access licenses have exceeded limits on the web server.
  o 403.16 - Client certificate is untrusted or invalid.
  o 403.17 - Client certificate has expired or is not yet valid.
  o 403.18 - Cannot execute requested URL in the current application pool.
  o 403.19 - Cannot execute CGI applications for the client in this application pool.
  o 403.20 - Forbidden: Passport logon failed.
  o 403.21 - Forbidden: Source access denied.
  o 403.22 - Forbidden: Infinite depth is denied.
  o 403.502 - Forbidden: Too many requests from the same client IP; Dynamic IP Restriction limit
    reached.
404 - Not found.
IIS 7.0, IIS 7.5, and IIS 8.0 define the following HTTP status codes that indicate a more specific cause of a
404 error:
  o 404.0 - Not found.
  o 404.1 - Site Not Found.
  o 404.2 - ISAPI or CGI restriction.
  o 404.3 - MIME type restriction.
  o 404.4 - No handler configured.
  o 404.5 - Denied by request filtering configuration.
  o 404.6 - Verb denied.
  o 404.7 - File extension denied.
  o 404.8 - Hidden namespace.
  o 404.9 - File attribute hidden.
  o 404.10 - Request header too long.
  o 404.11 - Request contains double escape sequence.
  o 404.12 - Request contains high-bit characters.
  o 404.13 - Content length too large.
  o 404.14 - Request URL too long.
  o 404.15 - Query string too long.
  o 404.16 - DAV request sent to the static file handler.
  o 404.17 - Dynamic content mapped to the static file handler via a wildcard MIME mapping.
  o 404.18 - Querystring sequence denied.
  o 404.19 - Denied by filtering rule.
  o 404.20 - Too Many URL Segments
405 - Method Not Allowed.
406 - Client browser does not accept the MIME type of the requested page.
408 - Request timed out.
412 - Precondition failed.
5xx - Server error
These HTTP status codes indicate that the server cannot complete the request because the server encounters an error.
IIS 7.0, IIS 7.5, and IIS 8.0 use the following server error HTTP status codes:
500 - Internal server error.
IIS 7.0, IIS 7.5, and IIS 8.0 define the following HTTP status codes that indicate a more specific cause of a
500 error:
  o 500.0 - Module or ISAPI error occurred.
  o 500.11 - Application is shutting down on the web server.
  o 500.12 - Application is busy restarting on the web server.
  o 500.13 - Web server is too busy.
  o 500.15 - Direct requests for Global.asax are not allowed.
  o 500.19 - Configuration data is invalid.
  o 500.21 - Module not recognized.
  o 500.22 - An ASP.NET httpModules configuration does not apply in Managed Pipeline mode.
  o 500.23 - An ASP.NET httpHandlers configuration does not apply in Managed Pipeline mode.
  o 500.24 - An ASP.NET impersonation configuration does not apply in Managed Pipeline mode.
  o 500.50 - A rewrite error occurred during RQ_BEGIN_REQUEST notification handling. A
    configuration or inbound rule execution error occurred.
    Note: Here is where the distributed rules configuration is read for both inbound and outbound rules.
  o 500.51 - A rewrite error occurred during GL_PRE_BEGIN_REQUEST notification handling. A
    global configuration or global rule execution error occurred.
    Note: Here is where the global rules configuration is read.
  o 500.52 - A rewrite error occurred during RQ_SEND_RESPONSE notification handling. An outbound
    rule execution occurred.
  o 500.53 - A rewrite error occurred during RQ_RELEASE_REQUEST_STATE notification handling.
    An outbound rule execution error occurred. The rule is configured to be executed before the output
    user cache gets updated.
  o 500.100 - Internal ASP error.
501 - Header values specify a configuration that is not implemented.
502 - Web server received an invalid response while acting as a gateway or proxy.
IIS 7.0, IIS 7.5, and IIS 8.0 define the following HTTP status codes that indicate a more specific cause of a
502 error:
  o 502.1 - CGI application timeout.
  o 502.2 - Bad gateway: Premature Exit.
  o 502.3 - Bad Gateway: Forwarder Connection Error (ARR).
  o 502.4 - Bad Gateway: No Server (ARR).
503 - Service unavailable.
IIS 7.0, IIS 7.5, and IIS 8.0 define the following HTTP status codes that indicate a more specific cause of a
503 error:
  o 503.0 - Application pool unavailable.
  o 503.2 - Concurrent request limit exceeded.
  o 503.3 - ASP.NET queue full
