
Microsoft Active Directory Questions.

What is Active Directory?


Active Directory is Microsoft's trademarked directory service, an integral part of the
Windows 2000 architecture. Like other directory services, such as Novell Directory Services
(NDS), Active Directory is a centralized and standardized system that automates network
management of user data, security, and distributed resources, and enables interoperation
with other directories. Active Directory is designed especially for distributed networking
environments.
What is LDAP?
Short for Lightweight Directory Access Protocol, a set of protocols for accessing
information directories. LDAP is based on the standards contained within the X.500
standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP, which is
necessary for any type of Internet access. Because it's a simpler version of X.500, LDAP is
sometimes called X.500-lite.
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes. Microsoft Identity Integration Server (MIIS) is used to connect Active Directory to other
3rd-party Directory Services (including directories used by SAP, Domino, etc.).
Where is the AD database held? What other folders are related to AD?
AD Database is saved in %systemroot%/ntds. You can see other files also in this folder.
These are the main files controlling the AD structure
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records
the transaction in the log file (edb.log). Once written to the log file, the change is then
written to the AD database. System performance determines how fast the system writes
the data to the AD database from the log file. Any time the system is shut down, all
transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial
size of each is 10MB. These files are used to ensure that changes can be written to disk
should the system run out of free disk space. The checkpoint file (edb.chk) records
transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown"
statement is written to the edb.chk file. Then, during a reboot, AD determines that all
transactions in the edb.log file have been committed to the AD database. If, for some
reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present,
AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the
file is located in \NTDS, along with the other files we've discussed.

What is the SYSVOL folder?


The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse
points in the file systems that exist on each domain controller in a domain. SYSVOL
provides a standard location to store important elements of Group Policy objects (GPOs)
and scripts so that the File Replication service (FRS) can distribute them to other domain
controllers within that domain.
You can open the SYSVOL folder by typing: %systemroot%/sysvol
Name the AD NCs and replication issues for each NC
Schema NC, Configuration NC, Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains
information about the Active Directory schema, which in turn defines the different object
classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains
forest-wide configuration information pertaining to the physical layout of Active Directory,
as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory
domain. This is the NC that contains the most commonly-accessed Active Directory data:
the actual users, groups, computers, and other objects that reside within a particular
Active Directory domain.
What are application partitions? When do I use them?
A1) An Application Directory Partition is a partition space in Active Directory which an
application can use to store application-specific data. This partition is then replicated
only to some specific domain controllers.
The application directory partition can contain any type of data except security principals
(users, computers, groups).
A2) These are specific to Windows Server 2003 domains.
An application directory partition is a directory partition that is replicated only to specific
domain controllers. A domain controller that participates in the replication of a particular
application directory partition hosts a replica of that partition. Only domain controllers
running Windows Server 2003 can host a replica of an application directory partition.
How do you create a new application partition?
The DnsCmd command is used to create a new application directory partition. For example, to create
a partition named NewPartition on the domain controller DC1.contoso.com, log on to
the domain controller and type the following command:
DnsCmd DC1 /createdirectorypartition NewPartition.contoso.com

How do you view replication properties for AD partitions and DCs?


By using replication monitor
go to start > run > type replmon

What is the Global Catalog?


The Global Catalog (GC) contains an entry for every object in an enterprise forest but only
a few properties for each object. An entire forest shares a GC, with multiple servers
holding copies. You can perform an enterprise-wide forest search only on the properties in
the GC, whereas you can search for any property in a user's domain tree. Only Directory
Services (DSs) or domain controllers (DCs) can hold a copy of the GC.
Configuring an excessive number of GCs in a domain wastes network bandwidth during
replication. One GC server per domain in each physical location is sufficient. Windows NT
sets servers as GCs as necessary, so you don't need to configure additional GCs unless you
notice slow query response times.
Because full searches involve querying the whole domain tree rather than the GC, grouping
the enterprise into one tree will improve your searches. Thus, you can search for items not
in the GC.
How do you view all the GCs in the forest?
C:\>repadmin /showreps <domain_controller>
where domain_controller is the DC you want to query to determine whether it's a
GC. The output will include the text DSA Options: IS_GC if the DC is a GC.
You would need a script to make such a query, but you can also check your DNS for SRV records
which contain _gc in their name.
Why not make all DCs in a large forest GCs?
When all the DCs become GCs, replication traffic increases, and we could not keep
the Infrastructure Master and GC on the same domain, so at least one DC should act
without holding the GC role.
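The two checks above (which DCs are GCs, and whether the Infrastructure Master is one of them) can be scripted. This is an added example, not part of the original Q&A; it assumes the RSAT ActiveDirectory and DnsClient modules on a domain-joined host and discovers forest and domain names rather than hard-coding them.

```powershell
# Added example (not from the original Q&A): enumerate the Global Catalog servers of
# the forest, cross-check them against the _gc SRV records in DNS, and flag an
# Infrastructure Master that also holds the GC role. Assumes the RSAT ActiveDirectory
# and DnsClient modules on a domain-joined host; nothing is hard-coded.
Import-Module ActiveDirectory

function Get-GlobalCatalogReport {
    $forest = Get-ADForest

    # Walk every domain so the list is forest-wide, not just the current domain.
    $dcs = @(foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain
    })
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })

    # Every GC registers an SRV record under _gc._tcp.<forest root>; compare the two views.
    $srvTargets = @()
    try {
        $srvTargets = @(Resolve-DnsName -Name "_gc._tcp.$($forest.RootDomain)" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })
    } catch {
        Write-Warning "SRV lookup for _gc._tcp.$($forest.RootDomain) failed: $_"
    }
    $missingFromDns = @($gcs | Where-Object { $srvTargets -notcontains $_.HostName.ToLower() })

    # Infrastructure Master check: in a multi-domain forest the IM must not be a GC
    # unless every DC in its domain is one, otherwise cross-domain group membership
    # references (phantoms) stop being updated.
    $fsmoIssues = @(foreach ($domain in $forest.Domains) {
        $d = Get-ADDomain -Server $domain
        $im = $dcs | Where-Object { $_.HostName -ieq $d.InfrastructureMaster }
        $domainDcs = @($dcs | Where-Object { $_.Domain -ieq $domain })
        $allAreGc = @($domainDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        if ($forest.Domains.Count -gt 1 -and $im -and $im.IsGlobalCatalog -and -not $allAreGc) {
            "Infrastructure Master $($im.HostName) in $domain is a GC while other DCs in the domain are not"
        }
    })

    [pscustomobject]@{
        Forest            = $forest.RootDomain
        DomainControllers = $dcs.Count
        GlobalCatalogs    = @($gcs | ForEach-Object { $_.HostName })
        GcSrvRecords      = $srvTargets
        GcMissingFromDns  = @($missingFromDns | ForEach-Object { $_.HostName })
        FsmoIssues        = $fsmoIssues
    }
}

Get-GlobalCatalogReport | Format-List
```

For the repadmin view the answer describes, repadmin /options <DC> should report IS_GC for every host listed under GlobalCatalogs and for none of the others.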
Trying to look at the Schema, how can I do that?
Register the schmmgmt.dll with the command regsvr32
What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing the complicated tasks easily.
These can also be the third party tools. Some of the Support tools include DebugViewer,
DependencyViewer, RegistryMonitor, etc.

What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
LDP : Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic
engineering is not required. It establishes LSPs that follow the existing IP routing, and is
particularly well suited for establishing a full mesh of LSPs between all of the routers on
the network.

Replmon : Replmon displays information about Active Directory Replication.

ADSIEDIT : ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a
low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network
administrators can use it for common administrative tasks such as adding, deleting, and
moving objects with a directory service. The attributes for each object can be edited or
deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs)
to access Active Directory. The following are the required files for using this tool:
ADSIEDIT.DLL ADSIEDIT.MSC

NETDOM : NETDOM is a command-line tool that allows management of Windows domains
and trust relationships. It is used for batch management of trusts, joining computers to
domains, verifying trusts, and secure channels.
REPADMIN : REPADMIN is a built-in Windows diagnostic command-line utility that works at
the Active Directory level. Although specific to Windows, it is also useful for diagnosing
some Exchange replication problems, since Exchange Server is Active Directory based.
REPADMIN doesn't actually fix replication problems for you. But, you can use it to help
determine the source of a malfunction.
What are sites? What are they used for?
Active Directory (AD) sites, which consist of well-connected networks defined by IP subnets
that help define the physical structure of your AD, give you much better control over
replication traffic and authentication traffic than the control you get with Windows NT 4.0
domains. Because AD relies on IP, all LAN segments should have a defined IP subnet. This
makes creating your AD site structure straightforward; you simply group well-connected
subnets to form a site.
Creating AD sites benefits you in several ways, the first of which is that creating these sites
lets you control replication traffic over WAN links. This control is important in Windows
2000 because any Win2K domain controller (DC) can originate changes to AD. To ensure
that a change you make on one DC propagates to all DCs, Win2K uses multimaster
replication (instead of the single-master replication that NT 4.0 uses). You might think that
multimaster replication would make it difficult to plan for AD replication's effect on your
WAN links, but you can overcome this obstacle using AD sites.
What's the difference between a site link's schedule and interval?
A site link is a physical connection object on which the replication transport mechanism
depends; basically, it is the type of communication mechanism used to transfer
data between different sites. The site link schedule is when the replication
process is allowed to take place, and the interval is how many times
replication takes place within a given time period, i.e., within the site link schedule.

What is the KCC?


KCC stands for Knowledge Consistency Checker. It is a part of the ISTG (Inter-Site Topology
Generator) role in Active Directory. The KCC checks and, as an option, recreates topology
information for the Active Directory domain.
What is the ISTG? Who has that role by default?
Windows 2000 domain controllers each create Active Directory Replication connection
objects representing inbound replication from intra-site replication partners. For inter-site
replication, one domain controller per site has the responsibility of evaluating the
inter-site replication topology and creating Active Directory Replication Connection objects
for appropriate bridgehead servers within its site. The domain controller in each site that
owns this role is referred to as the Inter-Site Topology Generator (ISTG).
What are the requirements for installing AD on a new server?
An NTFS partition with enough free space (if you have FAT or FAT32, use the convert
c: /fs:ntfs command to convert it to NTFS)
An Administrator's username and password
The correct operating system version
A NIC
Properly configured TCP/IP (IP address, subnet mask and - optional - default
gateway)
A network connection (to a hub or to another computer via a crossover cable)
An operational DNS server (which can be installed on the DC itself)
A Domain name that you want to use
The Windows Server 2003 CD media (or at least the i386 folder)
Brains (recommended, not required...)
What can you do to promote a server to DC if you're in a remote location with slow
WAN link?

Install from Media. In Windows Server 2003 a new feature has been added, and this time it's
one that will actually make our lives easier... You can promote a domain controller using
files backed up from a source domain controller!!!
This feature is called "Install from Media" and it's available by running DCPROMO with
the /adv switch. It's not a replacement for network replication, we still need network
connectivity, but now we can use an old System State copy from another Windows
Server 2003, copy it to our future DC, and have the first and basic replication take
place from the media, instead of across the network, thus saving valuable time and
network resources.
What you basically have to do is to back up the system state of an existing domain
controller, restore that backup to your replica candidate, and use DCPromo /adv to tell it
to source from local media, rather than a network source.
This also works for global catalogs. If we perform a backup of a global catalog server,
then we can create a new global catalog server by performing DCPromo from that
restored media.

IFM Limitations
It only works for the same domain, so you cannot back up a domain controller in
domain A and create a new domain B using that media.
It's only useful up to the tombstone lifetime with a default of 60 days. So if you have
an old backup, then you cannot create a new domain controller using that, because
you'll run into the problem of reanimating deleted objects.
Answer link: http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm
How can you forcibly remove AD from a server, and what do you do later?
Demoting Windows Server 2003 DCs: DCPROMO (Active Directory Installation Wizard) is a
toggle switch, which allows you to either install or remove Active Directory DCs. To forcibly
demote a Windows Server 2003 DC, run the following command either at Start, Run, or
at the command prompt:
dcpromo /forceremoval
Note: If you're running Certificate Services on the DC, you must first remove Certificate
Services before continuing. If you specify the /forceremoval switch on a server that doesn't
have Active Directory installed, the switch is ignored and the wizard pretends that you
want to install Active Directory on that server.
Once the wizard starts, you will be prompted for the Administrator password that you want
to assign to the local administrator in the SAM database. If you have Windows Server 2003
Service Pack 1 installed on the DC, you'll benefit from a few enhancements. The wizard will
automatically run certain checks and will prompt you to take appropriate actions. For
example, if the DC is a Global Catalog server or a DNS server, you will be prompted. You
will also be prompted to take an action if your DC is hosting any of the operations master
roles.
Demoting Windows 2000 DCs: On a Windows 2000 domain controller, forced demotion is
supported with Service Pack 2 and later. The rest of the procedure is similar to the
procedure I described for Windows Server 2003. Just make sure that while running the
wizard, you clear the "This server is the last domain controller in the domain" check box.
On Windows 2000 Servers you won't benefit from the enhancements in Windows Server 2003
SP1, so if the DC you are demoting is a Global Catalog server, you may have to manually
promote some other DC to a Global Catalog server.
Cleaning the Metadata on a Surviving DC: Once you've successfully demoted the DC, your
job is not quite done yet. Now you must clean up the Active Directory metadata. You may
be wondering why I need to clean the metadata manually. The metadata for the demoted
DC is not deleted from the surviving DCs because you forced the demotion. When you force
a demotion, Active Directory basically ignores other DCs and does its own thing. Because
the other DCs are not aware that you removed the demoted DC from the domain, the
references to the demoted DC need to be removed from the domain.
Although Active Directory has made numerous improvements over the years, one of the
biggest criticisms of Active Directory is that it doesn't clean up the mess very well. This is
obvious in most cases but, in other cases, you won't know it unless you start digging deep
into the Active Directory database.
To clean up the metadata you use NTDSUTIL. The following procedure describes how to
clean up metadata on Windows Server 2003 SP1. According to Microsoft, the version of
NTDSUTIL in SP1 has been enhanced considerably and does a much better job of clean-up,
which obviously means that the earlier versions didn't do a very good job. For Windows
2000 DCs, you might want to check out Microsoft Knowledge Base article 216498, "How to
remove data in Active Directory after an unsuccessful domain controller demotion."
Here's the step-by-step procedure for cleaning metadata on Windows Server 2003 DCs:
1. Logon to the DC as a Domain Administrator.
2. At the command prompt, type ntdsutil.
3. Type metadata cleanup.
4. Type connections.
5. Type connect to server servername, where servername is the name of the server
you want to connect to.
6. Type quit or q to go one level up. You should be at the Metadata Cleanup prompt.
7. Type select operation target.
8. Type list domains. You will see a list of domains in the forest, each with a different
number.
9. Type select domain number, where number is the number associated with the
domain of your server
10. Type list sites.
11. Type select site number, where number is the number associated with the site of
your server.
12. Type list servers in site.
13. Type select server number, where number is the number associated with the server
you want to remove.
14. Type quit to go to Metadata Cleanup prompt.
15. Type remove selected server. You should see a confirmation that the removal
completed successfully.
16. Type quit to exit ntdsutil.
You might also want to clean up the DNS database by deleting all DNS records related to the
server.
In general, you will have better luck using forced promotion on Windows Server 2003,
because the naming contexts and other objects don't get cleaned as quickly on Windows
2000 Global Catalog servers, especially servers running Windows 2000 SP3 or earlier. Due to
the nature of forced demotion and the fact that it's meant to be used only as a last resort,
there are additional things that you should know about forced demotion.
Even after you've used NTDSUTIL to clean the metadata, you may still need to do additional
cleaning manually using ADSIEdit or other such tools. You might want to check out
Microsoft's Knowledge Base article 332199, "Domain controllers do not demote gracefully
when you use the Active Directory Installation Wizard to force demotion in Windows Server
2003 and in Windows 2000 Server," for more information.
Read the original full answer at
http://redmondmag.com/columns/print.asp?EditorialsID=1352
And best read this also:
http://www.petri.co.il/forcibly_removing_active_directoy_from_dc.htm
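The answer warns that NTDSUTIL may leave references behind that need ADSIEdit and DNS clean-up. The following is an added example, not from the original answer, that looks for those leftovers after a forced demotion and metadata cleanup; it assumes the RSAT ActiveDirectory and DnsServer modules, and OLDDC01 is a placeholder for the demoted DC's name.

```powershell
# Added example (not from the original answer): after dcpromo /forceremoval and the
# NTDSUTIL metadata cleanup, verify nothing referencing the removed DC is left behind.
# Assumes the RSAT ActiveDirectory and DnsServer modules; 'OLDDC01' is a placeholder.
Import-Module ActiveDirectory
Import-Module DnsServer

function Find-StaleDcReferences {
    param(
        [Parameter(Mandatory)][string]$DcName,            # host name of the demoted DC
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [string]$DnsServer = (Get-ADDomain).PDCEmulator   # a DNS server hosting the domain zone
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $findings = @()

    # 1. Server object and its NTDS Settings child under CN=Sites: what "remove selected server" deletes.
    $serverObjs = Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
    foreach ($s in $serverObjs) {
        $findings += [pscustomobject]@{ Kind = 'ConfigurationServer'; Where = $s.DistinguishedName }
        Get-ADObject -SearchBase $s.DistinguishedName -SearchScope OneLevel -LDAPFilter "(objectClass=nTDSDSA)" |
            ForEach-Object { $findings += [pscustomobject]@{ Kind = 'NTDSSettings'; Where = $_.DistinguishedName } }
    }

    # 2. The DC's computer account (normally in OU=Domain Controllers).
    Get-ADComputer -Filter "Name -eq '$DcName'" -Server $Domain -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += [pscustomobject]@{ Kind = 'ComputerAccount'; Where = $_.DistinguishedName } }

    # 3. FRS (SYSVOL) replica member object, one of the places that usually needs ADSIEdit.
    $frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"
    Get-ADObject -SearchBase $frsBase -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$DcName))" -Server $Domain -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += [pscustomobject]@{ Kind = 'FrsMember'; Where = $_.DistinguishedName } }

    # 4. DNS records still pointing at the host: its own A/AAAA records and any
    #    SRV, NS or CNAME record in the domain zone whose target is the old DC.
    $fqdn = "$DcName.$Domain."
    $dnsHits = Get-DnsServerResourceRecord -ZoneName $Domain -ComputerName $DnsServer |
        Where-Object {
            $_.HostName -ieq $DcName -or
            ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -ieq $fqdn) -or
            ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -ieq $fqdn) -or
            ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -ieq $fqdn)
        }
    foreach ($r in $dnsHits) {
        $findings += [pscustomobject]@{ Kind = "Dns:$($r.RecordType)"; Where = "$($r.HostName).$Domain" }
    }
    return $findings
}

# Anything returned still needs cleaning; an empty result means the metadata and DNS are clear.
Find-StaleDcReferences -DcName 'OLDDC01' | Format-Table -AutoSize
```

Run it against a surviving DC after replication has had time to converge; a hit on a single DC that other DCs no longer show is a replication lag, not a cleanup failure.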


Can I get user passwords from the AD database?
To my knowledge there is no way to extract the password from the AD database. By the way,
there is a tool called cache dump. Using it we can extract the cached passwords from a
Windows XP machine which is joined to a domain.
What tool would I use to try to grab security related packets from the wire?
Network Monitor, Ethereal or Wireshark.
Name some OU design considerations.
Design OU structure based on Active Directory business requirements
NT Resource domains may fold up into OUs
Create nested OUs to hide objects
Objects easily moved between OUs
Departments, Geographic Region, Job Function, Object Type

Good Article about OU Design:
http://www.windowsnetworking.com/articles_tutorials/Clearing-Confusion-OU-Design.html
What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory services. This
assists in removing objects from replicated servers and preventing restores from
reintroducing a deleted object. This value is in the Directory Service object in the
configuration NC.
To Change the tombstone lifetime attribute read this article
http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
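The tombstone lifetime is what bounds both the IFM media age discussed earlier and the age of any usable backup. As an added example (not from the original Q&A), the script below reads the attribute from the Directory Service object in the Configuration NC described above and checks a backup date against it; it assumes the RSAT ActiveDirectory module, and the 45-day-old backup is a constructed sample value.

```powershell
# Added example (not from the original Q&A): read the forest's tombstoneLifetime from the
# Directory Service object in the Configuration NC and check whether a system state
# backup or IFM media set is still young enough to use. Assumes the RSAT ActiveDirectory
# module; the backup date below is a constructed sample.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                          -Properties tombstoneLifetime
    # An unset attribute means the built-in default of 60 days (forests created with
    # Windows 2000 / Windows Server 2003 RTM); forests created on 2003 SP1 or later
    # have the value set explicitly, normally to 180.
    if ($null -eq $dsObj.tombstoneLifetime) { 60 } else { [int]$dsObj.tombstoneLifetime }
}

function Test-BackupUsable {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays),
        [int]$SafetyMarginDays = 7   # room for the restore and first replication to finish
    )
    $ageDays = [int]((Get-Date) - $BackupDate).TotalDays
    $usable  = ($ageDays + $SafetyMarginDays) -lt $TombstoneLifetimeDays
    $reason  = if ($usable) { 'within tombstone lifetime' }
               else { 'too old: restoring it risks reanimating deleted objects (lingering objects)' }
    [pscustomobject]@{
        BackupDate            = $BackupDate
        AgeDays               = $ageDays
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        Usable                = $usable
        Reason                = $reason
    }
}

# Constructed sample: a system state backup taken 45 days ago.
Test-BackupUsable -BackupDate (Get-Date).AddDays(-45) | Format-List
```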
What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
Before you can introduce Windows Server 2003 domain controllers, you must prepare the
forest and domains with the ADPrep utility.
ADPrep /forestprep on the schema master in your Windows 2000 forest.
ADPrep /domainprep on the Infrastructure Master in each AD domain.
ADPrep is located in the i386 directory of the Windows Server 2003 install media.
Note: In Windows Server 2003 R2, ADPrep is not located in the same folder as in the older
Windows Server 2003 media, and instead you need to look for it on the second CD. You see,
Windows Server 2003 R2 comes on two installation disks. Installation disk 1 contains a
slip-streamed version of Windows Server 2003 with Service Pack 2 (SP2). Installation disk 2
contains the Windows Server 2003 R2 files.
The correct version of the ADPrep.exe tool for Windows Server 2003 R2 is 5.2.3790.2075.
You can find the R2 ADPrep tool in the following folder on the second CD:
drive:\CMPNENTS\R2\ADPREP\
(where drive is the drive letter of your CD-Rom drive)
Read more about ADPrep and Windows Server 2003 R2 in KB 917385
Exchange 2000 note: Please make sure you read Windows 2003 ADPrep Fix for
Exchange 2000 before installing the first Windows Server 2003 DC in your existing
organization.
Microsoft recommends that you have at least Service Pack (SP) 2 installed on your domain
controllers before running ADPrep. SP2 fixed a critical internal AD bug, which can manifest
itself when extending the schema. There were also some fixes to improve the replication
delay that can be seen when indexing attributes.
This is similar to the Exchange setup.exe /forestprep and /domainprep switches.
The Exchange /forestprep command extends the schema and adds some objects in
the Configuration Naming Context.
The Exchange /domainprep command adds objects within the Domain Naming
Context of the domain it is being run on and sets some ACLs.
The ADPrep command follows the same logic and performs similar tasks to prepare for the
upgrade to Windows Server 2003.
The ADPrep /forestprep command extends the schema with quite a few new classes and
attributes. These new schema objects are necessary for the new features supported by
Windows Server 2003.
You can view the schema extensions by looking at the .ldf files in the \i386 directory on the
Windows Server 2003 CD. These files contain LDIF entries for adding and modifying new and
existing classes and attributes.
Since the schema is extended and objects are added in several places in the Configuration
NC, the user running /forestprep must be a member of both the Schema Admins and
Enterprise Admins groups.
The ADPrep /domainprep creates new containers and objects, modifies ACLs on some
objects, and changes the meaning of the Everyone security principal.
Before you can run ADPrep /domainprep, you must be sure that the updates from
/forestprep have replicated to all domain controllers in the forest.
/domainprep must be run on the Infrastructure Master of a domain and under the
credentials of someone in the Domain Admins group.
You can view detailed output of the ADPrep command by looking at the log files in the
%Systemroot%\system32\debug\adprep\logs directory.
Each time ADPrep is executed, a new log file is generated that contains the actions taken
during that particular invocation.
The log files are named based on the time and date ADPrep was run.
Once you've run both /forestprep and /domainprep and allowed time for the changes to
replicate to all domain controllers, you can then start upgrading your domain controllers to
Windows Server 2003 or installing new Windows Server 2003 domain controllers.
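The procedure above requires that the /forestprep schema change has replicated to every DC before /domainprep runs. As an added example (not from the original Q&A), the script below asks each DC directly for its copy of the schema's objectVersion and reports any that lag; the expected version is a parameter (the sample session later on this page goes from 30 to 31). It assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original Q&A): confirm that the schema extension from
# ADPrep /forestprep has replicated to every DC in the forest before /domainprep.
# Each DC is queried by name so the answer reflects that DC's replica, not whichever
# DC the module happened to bind to. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SchemaVersionReport {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            try {
                $schemaNc = (Get-ADRootDSE -Server $dc.HostName).schemaNamingContext
                $ver = (Get-ADObject -Identity $schemaNc -Properties objectVersion -Server $dc.HostName).objectVersion
                [pscustomobject]@{ DC = $dc.HostName; Domain = $domain; SchemaVersion = [int]$ver; Error = $null }
            } catch {
                # An unreachable DC is reported, not skipped: it may also be the one not replicating.
                [pscustomobject]@{ DC = $dc.HostName; Domain = $domain; SchemaVersion = $null; Error = $_.Exception.Message }
            }
        }
    }
}

function Test-ForestPrepReplicated {
    param([Parameter(Mandatory)][int]$ExpectedVersion)
    $rows    = @(Get-SchemaVersionReport)
    $lagging = @($rows | Where-Object { $_.SchemaVersion -ne $ExpectedVersion })
    [pscustomobject]@{
        ExpectedVersion = $ExpectedVersion
        DcCount         = $rows.Count
        Consistent      = ($lagging.Count -eq 0)
        Lagging         = $lagging
    }
}

# Windows Server 2003 R2 raises the schema to version 31 (see the adprep session below).
Test-ForestPrepReplicated -ExpectedVersion 31 | Format-List
Get-SchemaVersionReport | Format-Table -AutoSize
```

Only proceed with /domainprep when Consistent is True; a DC listed under Lagging with no Error is still waiting for replication, and repadmin /showrepl against it will show the inbound connection that is behind.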
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed,
you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will
display the Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the schema to
the R2 version (this is a minor change and mostly related to the new Dfs replication
engine). To update the schema, run the Adprep utility, which you'll find in the
Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure
all DCs are running Windows 2003 or Windows 2000 with SP2 (or later). Here's a sample
execution of the Adprep /forestprep command:

D:\CMPNENTS\R2\ADPREP>adprep /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 domain controllers in the forest should be
upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2
(or later).

QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent poten
tial domain controller corruption.

For more information about preparing your forest and domain see KB article Q3311
61 at http://support.microsoft.com.

[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type
C and then press ENTER to continue. Otherwise, type any other key and press ENT
ER to quit.

C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.....................................................
......................................................
139 entries modified successfully.

The command has completed successfully


Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing
Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular
Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key
entered for R2 must match the underlying OS type, which means if you installed Windows
2003 using a volume-license version key, then you can't use a retail or Microsoft Developer
Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be performed
(e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
How would you find all users that have not logged on since last month?
If you are using a Windows 2003 domain environment, then go to Active Directory Users and
Computers, select Saved Queries, right-click it and select New Query, then use the
custom common queries to define the query; there is one which shows days since last logon.
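The same question answered from the command line, as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory module and relies on the replicated lastLogonTimestamp attribute, which is only refreshed when the stored value is more than about 14 days old by default, so it is accurate enough for "not since last month" but not for exact last-logon times.

```powershell
# Added example (not from the original answer): enabled users not seen for N days,
# using the replicated lastLogonTimestamp attribute. Assumes the RSAT ActiveDirectory
# module. lastLogonTimestamp is refreshed only when the old value is more than ~14 days
# stale (by default), so it is fine for a 30-day question but is not an exact timestamp;
# the non-replicated lastLogon attribute would have to be read from every DC for that.
Import-Module ActiveDirectory

function Get-InactiveUsers {
    param(
        [int]$Days = 30,
        [switch]$IncludeNeverLoggedOn,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # lastLogonTimestamp is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()

    # Enabled accounts whose replicated last logon is older than the cutoff.
    $filter = "Enabled -eq 'True' -and lastLogonTimestamp -lt $cutoff"
    if ($IncludeNeverLoggedOn) {
        # Accounts that have never logged on have no lastLogonTimestamp at all,
        # so the -lt comparison alone silently leaves them out.
        $filter = "Enabled -eq 'True' -and (lastLogonTimestamp -lt $cutoff -or lastLogonTimestamp -notlike '*')"
    }

    Get-ADUser -Filter $filter -SearchBase $SearchBase -Properties lastLogonTimestamp, whenCreated, PasswordLastSet |
        Sort-Object lastLogonTimestamp |
        Select-Object SamAccountName,
            @{ n = 'LastLogonReplicated'; e = {
                if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp).ToLocalTime() }
                else { 'never' } } },
            whenCreated, PasswordLastSet, DistinguishedName
}

# Everything not seen in the last 30 days, plus accounts that have never logged on at all.
Get-InactiveUsers -Days 30 -IncludeNeverLoggedOn | Format-Table -AutoSize
```

Search-ADAccount -AccountInactive -TimeSpan 30 -UsersOnly gives a similar list with less control over the output; whenCreated is included so that a brand-new account that has not logged on yet is not mistaken for an abandoned one.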
What are the DS* commands?
Answer is at http://www.computerperformance.co.uk/Logon/DSadd_DSmod_DSrm.htm
DSmod - modify Active Directory attributes
DSrm - to delete Active Directory objects
DSmove - to relocate objects
DSadd - create new accounts
DSquery - to find objects that match your query attributes
DSget - list the properties of an object

DSmod
Adding objects is great, but there are times in Windows 2003 when you need to change the
Active Directory properties.
Scenario: you wish to quickly change a user's password. This is a task you are going to have
to do regularly, and you would like to be able to do it quickly from the command line. Let us
now modify the user's password with DSmod.

Example 1 Modify Password
Logon to your domain controller. Check which users you have; if necessary create an OU
called guyds and a user called guyt.
Examine the script below. Decide how cn= or ou= or dc= need editing.
Run CMD, then copy your script and paste it into the command window. Alternatively type it
starting with dsmod user .........
Command : dsmod user "cn=guyt, ou=guyds, dc=cp, dc=com" -pwd a1yC24kg

Example 2 Create user WITH password
Note 1: We could have created the password at the same time we created the user. For
ease of learning I introduce one variable at a time. However, here is the complete
command to add a user with a password.

Command : dsadd user "cn=pault, ou=guyds, dc=cp, dc=com" -pwd a1yC24kg

Example 3 Modify Groups
Another use of DSmod is to add members to a group.
In this instance you need the full distinguished name (DN) of the group then the -addmbr
switch followed by the DN of the users. Tricky method! Try dsmod group /? for more help.

Introduction to DSadd
DSadd is the most important member of this DS scripting family. The primary use of DSadd
is to quickly add user accounts to Windows Server 2003 Active Directory. However, you can
also use this method to create OUs, computers, groups, or even contacts.

Creating an OU - DSadd ou....
Let us create an OU (organizational unit) to hold the rest of the test objects. Edit the
dc=cp and dc=com to the fully qualified name of your Windows 2003 domain. As ever, pay
close attention to the syntax; for instance the DN "ou=guyds,dc=cp,dc=com" is enclosed in
double speech marks. Single 'speech marks' will not work. Also remember that DS is new in
Windows 2003, so will not work in Windows 2000.

Example 1 Using DSadd to Create an Organizational Unit in Windows 2003
Preparation:
Logon to your domain controller.
Examine the script below. Edit ou= or dc= to reflect YOUR domain.
Run CMD, then copy your script and paste it into the command window. Alternatively type it
starting with dsadd ou .........

Command : dsadd ou "ou=guyds, dc=cp, dc=com"

Note 1: dsadd ou. This command tells Active Directory which object to create, in this case
an OU (not a user).
Note 2: You only really need speech marks if there is a space in any of your names. So
ou=guyds, dc=cp, dc=com would work fine, but ou=GUY Space DS, dc=cp, dc=com fails
because of the spaces in the GUY Space DS name. In this second example you would type:
"ou=GUY Space DS, dc=cp, dc=com"

Example 2 Employing DSadd to Create a User. (Assumes you have completed Example 1)
The purpose of this example is to create a new user in an OU called guyds.
Preparation:
Logon to your domain controller.
Examine the script below. Decide if cn= or ou= or dc= need editing.
Run CMD, then copy your script and paste it into the command window. Alternatively type it
starting with dsadd user .........

Creating a User - DSadd user....
Command: dsadd user "cn=guyt, ou=guyds, dc=cp, dc=com"

Note: DSadd requires the complete distinguished name. Note also that the distinguished
name is encased in double "speech marks". I expect you spotted that the user will be
created in the guyds organizational unit that was created in the first example. Change
"cn=guyt" to a different user name if you wish.

DS Error Messages
DS has its own family of error messages. I found that they are specific and varied, just
remember to pay attention to detail. READ ERROR MESSAGES SLOWLY.

New DS built-in tools for Windows Server 2003
At last I have found a really useful member of the DS family of utilities. If I need to find a
user quickly from the command prompt, I call for DSQuery.

Example 1 - DSQuery to list all the OUs in your domain
Let us find how many Organizational Units there are in your domain. Either of the following
commands will produce a listing of all OUs.
Commands:
Dsquery ou dc=mydom,dc=com
or
dsquery ou domainroot

Learning Points
Note 1: dc does NOT mean domain controller, it means domain context.
Note 2: The dc commands are not case sensitive, but they dislike spaces.
dc=mydom, dc=com will draw an error.
Note 3: If you haven't got any OUs (Organizational Units), I seriously suggest that you
create some to organize your users.
Note 4: Best of all, in this scenario, you can substitute domainroot for dc=cp.

Example 2 - To find all users in the default Users folder with DSQuery
In this example we just want to trawl the users folder and find out who is in that container.
Commands: dsquery user cn=users,dc=cp,dc=com

Learning Points
Note 1: The default users' folder is actually a container object called cn=users. My point
is if you try ou=users, the command fails.
Note 2: I queried users, however dsquery requires the singular user, not userS. Other
objects that you can query are computer (not computers!), group or even contact.
Challenge 1: Substitute OU=xyz for cn=users, where xyz is the name of your OU.
Unfortunately, cn=users domainroot does not work.
Challenge 2: Substitute computer for user

Example 3 - DSQuery to list all your Domain Controllers


Suppose you want to list all of your domain controllers (not computers). Which command
do you think would supply the information?
Commands:
dsquery server
dsquery server domainroot
dsquery server dc=cp,dc=com

Learning Points
Note 1: Amazingly, dsquery server, the simplest command, gets the job done.
Note 2: I thank Jim D for pointing out that what we want here is the singular 'server'.

Example 4 - To query the FSMO roles of your Domain Controllers


Here is a wonderful command to find the FSMO (Flexible Single Master Operation) roles:
-hasfsmo. The arguments, which correspond to the 5 roles, are: schema, rid, name, infr
and pdc.
Commands:
dsquery server -hasfsmo schema

Learning Points
Note 1: The command is -hasfsmo with an ordinary hyphen, not the en dash (–hasfsmo)
that appears in some documents.

Example 5 - DSQuery to find all users whose name begins with smith*
This DSQuery example shows two ways to filter your output and so home in on what you are
looking for. Let us pretend that we know the user's name but have no idea which OU they
are to be found in. Moreover, we are not sure whether their name is spelt Smith, Smithy or
Smithye.

Commands :
dsquery user domainroot -name smith*
or
dsquery user dc=cp,dc=com -name smith*
or plain
dsquery user smith*

Learning Points
Note 1: Remember to type the singular user.
Note 2: Probably no need to introduce *, you probably realize it's a wildcard.
Note 3: -name is but one of a family of filters. -desc or -disabled are others.

Example 6 - DSQuery to filter the output with -o rdn


The purpose of -o rdn is to reduce the output to just the relative distinguished name. In a
nutshell rdn strips away the OU=, DC= part which you may not be interested in.
Command: dsquery user -name smith* -o rdn

Learning Points
Note 1: o is the letter oh (not a number). In my mind's eye o stands for output.
Note 2: There is a switch -o dn, but this is not a switch I use.

Summary - DSQuery
Knowledge is power. The DS family in general and DSQuery in particular, are handy
commands for interrogating Active Directory from the command line. Perhaps the day will
come when you need to find a user, computer or group without calling for the Active Users
and Computers GUI.
DSGet
DSGet is a logical progression from DSQuery. The idea is that when DSQuery returns a list
of objects, DSGet can interrogate those objects for extra properties such as description,
manager or department. Naturally this pre-supposes you entered the relevant information
in the user's properties sheet!

Introduction to DSGet
My assumption is that you are comfortable with DSQuery; if this is not the case, take the
time to have a refresher.
Next, a reminder to pay close attention to DS syntax. In this instance what we need is a
pipe symbol ( | ) to join DSQuery with DSGet. Just to be clear, you type this pipe (|) with
the shift key and the key next to the Z. (A colon : would produce an error).

Example 1 - To check that DSQuery is working


Let's build a solid foundation with a DSQuery (only found on a Windows Server 2003 DC).
Commands:
dsquery user domainroot -name smith*
or
dsquery user -name smith*

Learning Points
Note 1: You need a Windows Server 2003 machine. Perhaps you could remote desktop into
such a server?
Note 2: Feel free to change smith* to one of your users. Better still, create a test account
and start filling in those user properties.
Note 3: This example is just to build a foundation. Now let us move on to DSGet.

Example 2 - Basic DSGet


We need to interrogate the output for more information. So we use DSGet to retrieve the
description.
Commands:
dsquery user domainroot -name smith*
or
dsquery user -name smith* | dsget user -dn -desc

Learning Points for DSGet


Note 1: Master the pipe command | which separates dsquery from dsget. To create |,
hold down the shift key while pressing the key next to the Z.
Note 2: Even though dsquery told the operating system it was a user object, dsget still has
to invoke user in its section of the command.
Challenge: See what happens if you omit the -dn.

Example 3 - Which extra properties shall we query?


-display The display name is different from the user's description field. If you haven't done so
already, time to get a user's properties sheet and start filling in those attribute boxes.
-office Useful property.
-sn This switch does not work. What's the matter with -sn? I will tell you what's wrong:
dsget requires -ln instead of -sn and -fn instead of givenName, grrrrrrrrrrrrrrrrrr. Calm
down Guy, go with the flow; think of all these useful switches.
O.K. No more moaning. DSGet is actually fun and productive. Guess what information
these switches return?
-email, -tel, -mgr, -mobile
Answers: General (tab), email address; telephone number; Organization (tab),
Manager; Telephones (tab), Mobile.
Now find them on the user's properties sheet.
Example 4 - Change the DSGet output
They say the old tricks are the best, so let us try exporting the DSGet output not to screen but
to a text file. Here we need a different type of pipe command; this time it's the greater-than
symbol, for example, > filename.txt. So, just tag on > filename.txt to your DS command.
Follow up with: notepad filename.txt.
Commands:
dsquery user domainroot -name smith*
or
dsquery user -name smith* | dsget user -fn -ln -mgr > dsget.txt

Learning Points
Note 1: To read the file, type notepad dsget.txt
Note 2: I am impressed by the column format of the output.
I would like to leave you with a few more DSGet objects that you can interrogate or
experiment with. In addition to user, there are the following DSGet commands:
Computer, also Server - meaning DC, OU, Group, even Site and Subnet.
Note: There are also two commands called partition and quota; however, in the context of
DSGet, partition and quota refer to Active Directory, not disk. For example, the
application partition in Active Directory. To tell the truth, it was a big disappointment that
DSGet did not return the disk information, but on reflection I was expecting the
impossible. DSGet partition means Active Directory partition.

Summary - DSGet
As far as DSGet is concerned, I have come from Philistine to champion. Now I really enjoy
the challenge of DSGet and appreciate the way it works hand in glove with DSQuery. It also
reminds me of that old truism: the more you know, the easier it gets.
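The dsquery-to-dsget pipeline described above, driven from PowerShell as an added example that is not part of the original text. It assumes dsquery.exe and dsget.exe are on the PATH (a Windows Server 2003 or later DC, or a workstation with the AD admin tools), and the function and parameter names are mine.

```powershell
# Added example (not from the original page): an account audit built on dsquery | dsget.
# It applies the page's gotchas: singular "user" on both sides of the pipe, and only
# attributes that never contain spaces are requested so the column output splits safely.
function Get-DsUserAudit {
    [CmdletBinding()]
    param(
        # Same wildcard the page passes to -name, e.g. 'smith*'
        [string]$NamePattern = '*',
        # If > 0, restrict to accounts with no logon for this many weeks (dsquery -inactive)
        [int]$InactiveWeeks = 0,
        # Optional text file for the report, the page's "> dsget.txt" trick
        [string]$OutFile
    )

    # dsquery stops at 100 results unless -limit 0 is given, so always lift the cap.
    $query = @('user', 'domainroot', '-name', $NamePattern, '-limit', '0')
    if ($InactiveWeeks -gt 0) { $query += @('-inactive', "$InactiveWeeks") }

    # dsquery prints one quoted DN per line; dsget reads those DNs from stdin.
    $dns = & dsquery.exe @query
    if ($LASTEXITCODE -ne 0) { throw "dsquery failed with exit code $LASTEXITCODE" }
    if (-not $dns) { return @() }

    $raw = $dns | & dsget.exe user -samid -disabled -pwdneverexpires
    if ($LASTEXITCODE -ne 0) { throw "dsget failed with exit code $LASTEXITCODE" }

    $rows = foreach ($line in $raw) {
        $t = $line.Trim()
        # Skip the header row, blank lines and the trailing "dsget succeeded" status line.
        if ($t -eq '' -or $t -like 'samid*' -or $t -like 'dsget succeeded*') { continue }
        $f = $t -split '\s+'
        # Assumption: sAMAccountName contains no spaces, so the row is exactly three columns.
        if ($f.Count -lt 3 -or $f[1] -notin 'yes', 'no') { continue }
        [pscustomobject]@{
            SamAccountName  = $f[0]
            Disabled        = ($f[1] -eq 'yes')
            PwdNeverExpires = ($f[2] -eq 'yes')
        }
    }

    if ($OutFile) { $rows | Format-Table -AutoSize | Out-String | Set-Content -Path $OutFile }
    return $rows
}

# Enabled accounts whose password never expires are the ones an audit should flag.
Get-DsUserAudit -NamePattern 'smith*' |
    Where-Object { -not $_.Disabled -and $_.PwdNeverExpires } |
    Format-Table -AutoSize
```

Adding -InactiveWeeks 4 narrows the same report to accounts that have not logged on for a month, which is where stale-account cleanup usually starts.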
What's the difference between LDIFDE and CSVDE? Usage considerations?
CSVDE is a command that can be used to import and export objects to and from the AD into
a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel.
I will not go at length into this powerful command, but I will show you some basic samples
of how to import a large number of users into your AD. Of course, as with the DSADD
command, CSVDE can do more than just import users. Consult your help file for more info.
Like CSVDE, LDIFDE is a command that can be used to import and export objects to and
from the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is a file
easily readable in any text editor; however it is not readable in programs like Excel. The
major difference between CSVDE and LDIFDE (besides the file format) is the fact that
LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can
only import and export objects.
What are the FSMO roles? Who has them by default? What happens when each one
fails? *****

Windows 2000/2003 Multi-Master Model


A multi-master enabled database, such as the Active Directory, provides the flexibility
of allowing changes to occur at any DC in the enterprise, but it also introduces the
possibility of conflicts that can potentially lead to problems once the data is
replicated to the rest of the enterprise. One way Windows 2000/2003 deals with
conflicting updates is by having a conflict resolution algorithm handle discrepancies in
values by resolving to the DC to which changes were written last (that is, "the last
writer wins"), while discarding the changes in all other DCs. Although this resolution
method may be acceptable in some cases, there are times when conflicts are just too
difficult to resolve using the "last writer wins" approach. In such cases, it is best to
prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods to prevent
conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model


To prevent conflicting updates in Windows 2000/2003, the Active Directory performs
updates to certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process
updates. This is similar to the role given to a primary domain controller (PDC) in
earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is
responsible for processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain
controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to the
schema. Once the Schema update is complete, it is replicated from the schema
master to all other DCs in the directory. To update the schema of a forest, you must
have access to the schema master. There can be only one schema master in the whole
forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of
domains in the forest. This DC is the only one that can add or remove a domain from
the directory. It can also add or remove cross references to domains in external
directories. There can be only one domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it
represents the reference by the GUID, the SID (for references to security principals),
and the DN of the object being referenced. The infrastructure FSMO role holder is the
DC responsible for updating an object's SID and distinguished name in a cross-domain
object reference. At any one time, there can be only one domain controller acting as
the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is
not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog
server it will stop updating object information because it does not contain any
references to objects that it does not hold. This is because a Global Catalog server
holds a partial replica of every object in the forest. As a result, cross-domain object
references in that domain will not be updated and a warning to that effect will be
logged on that DC's event log. If all the domain controllers in a domain also host the
global catalog, all the domain controllers have the current data, and it is not
important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. When a DC creates a security principal object such
as a user or group, it attaches a unique Security ID (SID) to the object. This SID
consists of a domain SID (the same for all SIDs created in a domain), and a relative ID
(RID) that is unique for each security principal SID created in a domain. Each DC in a
domain is allocated a pool of RIDs that it is allowed to assign to the security principals
it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a
request for additional RIDs to the domain's RID master. The domain RID master
responds to the request by retrieving RIDs from the domain's unallocated RID pool and
assigns them to the pool of the requesting DC. At any one time, there can be only one
domain controller acting as the RID master in the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows
2000/2003 includes the W32Time (Windows Time) time service that is required by the
Kerberos authentication protocol. All Windows 2000/2003-based computers within an
enterprise use a common time. The purpose of the time service is to ensure that the
Windows Time service uses a hierarchical relationship that controls authority and does
not permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at
the root of the forest becomes authoritative for the enterprise, and should be
configured to gather the time from an external source. All PDC FSMO role holders
follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following
functions:
Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect
password are forwarded to the PDC emulator before a bad password failure message
is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy
found in the PDC Emulator's SYSVOL share, unless configured not to do so by the
administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0
Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier
clients.
This part of the PDC emulator role becomes unnecessary when all workstations,
member servers, and domain controllers that are running Windows NT 4.0 or earlier
are all upgraded to Windows 2000/2003. The PDC emulator still performs the other
functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator
master in each domain in the forest.
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method
called FSMO (Flexible Single Master Operation).
The five FSMO roles are:
Schema master - Forest-wide and one per forest.
Domain naming master - Forest-wide and one per forest.
RID master - Domain-specific and one for each domain.
PDC - PDC Emulator is domain-specific and one for each domain.
Infrastructure master - Domain-specific and one for each domain.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the
same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process. However, there are scenarios where an administrator
would want to move one or more of the FSMO roles from the default holder DC to a
different DC.
In order to better understand your AD infrastructure and to know the added value that
each DC might possess, an AD administrator must have the exact knowledge of which
one of the existing DCs is holding a FSMO role, and what role it holds. With that
knowledge in hand, the administrator can make better arrangements in case of a
scheduled shut-down of any given DC, and better prepare him or herself in case of a
non-scheduled cease of operation from one of the DCs.
How to find out which DC is holding which FSMO role? Well, one can accomplish this
task by many means. This article will list a few of the available methods.

Method #1: Know the default settings


The FSMO roles were assigned to one or more DCs during the DCPROMO process. The
following table summarizes the FSMO default locations:

FSMO Role        Number of DCs holding this role   Original DC holding the FSMO role
Schema           One per forest                    The first DC in the first domain in the
Domain Naming    One per forest                    forest (i.e. the Forest Root Domain)
RID              One per domain                    The first DC in a domain (any domain,
PDC Emulator     One per domain                    including the Forest Root Domain, any Tree
Infrastructure   One per domain                    Root Domain, or any Child Domain)

Method #2: Use the GUI


The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this
table to see which tool can be used for what FSMO role:

FSMO Role        Which snap-in should I use?
Schema           Schema snap-in
Domain Naming    AD Domains and Trusts snap-in
RID              AD Users and Computers snap-in
PDC Emulator     AD Users and Computers snap-in
Infrastructure   AD Users and Computers snap-in
Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and
Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative
Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press
Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click Close.
Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative
Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation
Masters.
3. When you're done click Close.
Finding the Schema Master via GUI
To find out who currently holds the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32
schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click it and press
Operation Masters.
8. Press the Close button.

Method #3: Use the Ntdsutil command


The FSMO role holders can be easily found by use of the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of
Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box,
and then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil
tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the
server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. At the FSMO maintenance: prompt, type Select operation target, and then press
ENTER again.
7. At the select operation target: prompt, type List roles for connected server, and
then press ENTER again.
8. Type q 3 times to exit the Ntdsutil prompt.

Method #4: Use the Netdom command


The FSMO role holders can be easily found by use of the Netdom command.
Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either
download it separately (from the Windows 2000 Resource Kit Tools download) or
obtain the correct Support Tools pack for your operating system. The Support
Tools pack can be found in the \Support\Tools folder on your installation CD (or you
can download the Windows 2000 SP4 Support Tools or the Windows XP SP1 Deploy
Tools).
1. On any domain controller, click Start, click Run, type CMD in the Open box,
and then click OK.
2. In the Command Prompt window, type netdom query /domain:<domain> fsmo
(where <domain> is the name of YOUR domain).

Method #5: Use the Replmon tool


The FSMO role holders can be easily found by use of the Replmon tool.
Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support Tools.
Replmon can be used for a wide variety of tasks, mostly those that are related
to AD replication. But Replmon can also provide valuable information about the AD,
about any DC, and also about other objects and settings, such as GPOs and FSMO roles.
Install the package before attempting to use the tool.
1. On any domain controller, click Start, click Run, type REPLMON in the Open box,
and then click OK.
2. Right-click Monitored servers and select Add Monitored Server.
3. In the Add Server to Monitor window, select the Search the Directory for the
server to add. Make sure your AD domain name is listed in the drop-down list.
4. In the site list select your site, expand it, and click to select the server you want
to query. Click Finish.
5. Right-click the server that is now listed in the left-pane, and select Properties.
6. Click on the FSMO Roles tab and read the results.
7. Click Ok when you're done.

What FSMO placement considerations do you know of?


Windows 2000/2003 Active Directory domains utilize a Single Operation Master method
called FSMO (Flexible Single Master Operation), as described in Understanding FSMO
Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the
same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process. However, there are scenarios where an administrator
would want to move one or more of the FSMO roles from the default holder DC to a
different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version
when dealing with FSMO placement. In this article I will only deal with Windows Server
2003 Active Directory, but you should bear in mind that most considerations are also
true when planning Windows 2000 AD FSMO roles.

Single Domain Forest


In a single domain forest, leave all of the FSMO roles on the first domain controller in
the forest.
You should also configure all the domain controllers as Global Catalog servers. This
will NOT place additional stress on the DCs, while allowing GC-related applications
(such as Exchange Server) to easily perform GC queries.

Multiple Domain Forest


In a multiple domain forest, use the following guidelines:
In the forest root domain:
If all domain controllers are also global catalog servers, leave all of the FSMO roles
on the first DC in the forest.
If all domain controllers are not also global catalog servers, move all of the FSMO
roles to a DC that is not a global catalog server.
In each child domain, leave the PDC emulator, RID master, and Infrastructure
master roles on the first DC in the domain, and ensure that this DC is never
designated as a global catalog server (unless the child domain only contains one DC,
then you have no choice but to leave it in place).
Configure a standby operations master - For each server that holds one or more
operations master roles, make another DC in the same domain available as a standby
operations master. Making a DC a standby operations master involves the following
actions:
The standby operations master should not be a global catalog server except in a
single domain environment, where all domain controllers are also global catalog
servers.
The standby operations master should have a manually created replication
connection to the domain controller that it is the standby operations master for,
and it should be in the same site.
Configure the RID master as a direct replication partner with the standby or backup
RID master. This configuration reduces the risk of losing data when you seize the
role because it minimizes replication latency.
To create a connection object on the current operations master:
1. In Active Directory Sites and Services snap-in, in the console tree in the left pane,
expand the Sites folder to see the list of available sites.
2. Expand the site name in which the current role holder is located to display the
Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations master role
to display NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the standby
operations master then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the
connection object or accept the default name and click OK.
To create a connection object on the standby operations master perform the same
procedure as above, and point the connection to the current FSMO role holder.
Note regarding Windows 2000 Active Directory domains: If the forest is set to a
functional level of Windows 2000 native, you must locate the domain naming master
on a server that hosts the global catalog. If the forest is set to a functional level of
Windows Server 2003, it is not necessary for the domain naming master to be on a
global catalog server.

Server performance and availability


Most FSMO roles require that the domain controller that holds the roles be:
Highly available server - FSMO functions require that the FSMO role holder is highly
available at all times. A highly available DC is one that uses computer hardware that
enables it to remain operational even during a hardware failure. For example, having
a RAID1 or RAID5 configuration enables the server to keep running even if one hard
disk fails.
Although most FSMO losses can be dealt with within a matter of hours (or even days in
some cases), some FSMO roles, such as the PDC Emulator role, should never be offline
for more than a few minutes at a time.
What will happen if you keep a FSMO role offline for a long period of time? This table
has the info:

FSMO Role        Loss implications
Schema           The schema cannot be extended. However, in the short term no one will
                 notice a missing Schema Master unless you plan a schema upgrade during
                 that time.
Domain Naming    Unless you are going to run DCPROMO, you will not miss this FSMO role.
RID              Chances are good that the existing DCs will have enough unused RIDs to
                 last some time, unless you're building hundreds of user or computer
                 objects per week.
PDC Emulator     Will be missed soon. NT 4.0 BDCs will not be able to replicate, there
                 will be no time synchronization in the domain, you will probably not be
                 able to change or troubleshoot group policies, and password changes will
                 become a problem.
Infrastructure   Group memberships may be incomplete. If you only have one domain, then
                 there will be no impact.
Not necessarily high capacity server - A high-capacity domain controller is one that
has comparatively higher processing power than other domain controllers to
accommodate the additional work load of holding the operations master role. It has a
faster CPU and possibly additional memory and network bandwidth. FSMO roles usually
do not place stress on the server's hardware.
One exception is the performance of the PDC Emulator, mainly when used in Windows
2000 Mixed mode along with old NT 4.0 BDCs. That is why you should:
Increase the size of the DC's processing power.
Do not make the DC a global catalog server.
Reduce the priority and the weight of the service (SRV) record in DNS to give
preference for authentication to other domain controllers in the site.
Do not require that the standby domain controller be a direct replication partner
(Seizing the PDC emulator role does not result in lost data, so there is no need to
reduce replication latency for a seize operation).
Centrally locate this DC near the majority of the domain users.
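The role lookup of Methods #1 to #5 and the placement rules above, as an added PowerShell example that is not part of the original text. It assumes the ActiveDirectory module (RSAT) and an account that can read the forest; the function, parameter and output field names are mine.

```powershell
# Added example (not from the original page): report the five FSMO role holders and
# check them against the placement guidance above.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    [CmdletBinding()]
    param(
        # Domain whose three domain-specific roles are inspected; defaults to the current domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Two forest-wide roles come from the forest object, three domain-specific ones from the domain.
    $roles = [ordered]@{
        'Schema'         = $forest.SchemaMaster
        'Domain Naming'  = $forest.DomainNamingMaster
        'RID'            = $dom.RIDMaster
        'PDC Emulator'   = $dom.PDCEmulator
        'Infrastructure' = $dom.InfrastructureMaster
    }

    # GC placement decides the Infrastructure Master rule: an IM that is a GC stops updating
    # cross-domain references unless every DC in the domain is also a GC.
    $gcs         = @($forest.GlobalCatalogs)
    $domainDcs   = @(Get-ADDomainController -Filter * -Server $dom.DNSRoot)
    $allDcsAreGc = @($domainDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    foreach ($name in $roles.Keys) {
        $holder  = $roles[$name]
        $isGc    = $gcs -contains $holder
        $warning = ''
        if ($name -eq 'Infrastructure' -and $isGc -and -not $allDcsAreGc) {
            $warning = 'IM is a GC while not all DCs are GCs: cross-domain references will not be updated'
        }
        # Windows 2000 forest functional level: the Domain Naming Master must sit on a GC.
        if ($name -eq 'Domain Naming' -and -not $isGc -and "$($forest.ForestMode)" -eq 'Windows2000Forest') {
            $warning = 'Windows 2000 forest: the Domain Naming Master must be on a GC'
        }
        # A holder that cannot be reached cannot take part in a graceful transfer; if it is not
        # coming back, the role has to be seized on another DC instead.
        $reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
        [pscustomobject]@{
            Role            = $name
            Holder          = $holder
            IsGlobalCatalog = $isGc
            Reachable       = $reachable
            Warning         = $warning
        }
    }
}

Get-FsmoPlacementReport | Format-Table -AutoSize
```

Run it with -Domain for each child domain to cover the RID, PDC Emulator and Infrastructure holders that the forest root's report does not show.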

I want to look at the RID allocation table for a DC. What do I do?
What's the difference between transferring a FSMO role and seizing one?

Transferring FSMO Role


Windows 2000/2003 Active Directory domains utilize a Single Operation Master method
called FSMO (Flexible Single Master Operation), as described in Understanding FSMO
Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the
same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process. However, there are scenarios where an administrator
would want to move one or more of the FSMO roles from the default holder DC to a
different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO
role holder are online and operational is called Transferring, and is described in this
article.
The transfer of an FSMO role is the suggested form of moving a FSMO role between
domain controllers and can be initiated by the administrator or by demoting a domain
controller. However, the transfer process is not initiated automatically by the
operating system, for example a server in a shut-down state. FSMO roles are not
automatically relocated during the shutdown process - this must be considered when
shutting down a domain controller that has an FSMO role for maintenance, for
example.
In a graceful transfer of an FSMO role between two domain controllers, a
synchronization of the data that is maintained by the FSMO role owner to the server
receiving the FSMO role is performed prior to transferring the role to ensure that any
changes have been recorded before the role change.
However, when the original FSMO role holder went offline or became non operational
for a long period of time, the administrator might consider moving the FSMO role from
the original, non-operational holder, to a different DC. The process of moving the
FSMO role from a non-operational role holder to a different DC is called Seizing, and is
described in the Seizing FSMO Roles article.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using
an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can
use one of the following three MMC snap-in tools:
Active Directory Schema snap-in
Active Directory Domains and Trusts snap-in
Active Directory Users and Computers snap-in
To transfer the FSMO role the administrator must be a member of the following group:

FSMO Role        Administrator must be a member of
Schema           Schema Admins
Domain Naming    Enterprise Admins
RID              Domain Admins
PDC Emulator     Domain Admins
Infrastructure   Domain Admins
Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master
FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative
Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click
the icon next to Active Directory Users and Computers and press Connect to Domain
Controller.
3. Select the domain controller that will be the new role holder, the target, and press
OK.
4. Right-click the Active Directory Users and Computers icon again and press Operation
Masters.
5. Select the appropriate tab for the role you wish to transfer and press the Change
button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Domain Naming Master via GUI
To Transfer the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative
Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in,
right-click the icon next to Active Directory Domains and Trusts and press Connect to
Domain Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press
Operation Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Schema Master via GUI
To Transfer the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32
schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. If you are NOT logged onto the target domain controller, in the snap-in,
right-click the Active Directory Schema icon in the Console Root and press Change
Domain Controller.
8. Press Specify .... and type the name of the new role holder. Press OK.
9. Right-click the Active Directory Schema icon again and press
Operation Masters.
10. Press the Change button.
11. Press OK all the way out.
Transferring the FSMO Roles via Ntdsutil
To transfer the FSMO roles from the Ntdsutil command:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of
Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and
then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool,
type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the
server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type transfer <role>, where <role> is the role you want to transfer.
For example, to transfer the RID Master role, you would type transfer rid master.
Options are:

7. You will receive a warning window asking if you want to perform the transfer.
Click on Yes.
8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
9. Restart the server and make sure you update your backup.

Seizing the FSMO ROLES.

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method
called FSMO (Flexible Single Master Operation).
The five FSMO roles are:
Schema master - Forest-wide and one per forest.
Domain naming master - Forest-wide and one per forest.
RID master - Domain-specific and one for each domain.
PDC - PDC Emulator is domain-specific and one for each domain.
Infrastructure master - Domain-specific and one for each domain.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the
same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process. However, there are scenarios where an administrator
would want to move one or more of the FSMO roles from the default holder DC to a
different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO
role holder are online and operational is called Transferring, and is described in the
Transferring FSMO Roles article.
However, when the original FSMO role holder went offline or became non-operational
for a long period of time, the administrator might consider moving the FSMO role from
the original, non-operational holder to a different DC. The process of moving the
FSMO role from a non-operational role holder to a different DC is called Seizing, and is
described in this article.
If a DC holding a FSMO role fails, the best thing to do is to try and get the server
online again. None of the FSMO roles are immediately critical (well, almost none: the
loss of the PDC Emulator FSMO role might become a problem unless you fix it in a
reasonable amount of time), so it is not a problem for them to be unavailable for
hours or even days.
If a DC becomes unreliable, try to get it back online, and transfer the FSMO roles to a
reliable computer. Administrators should use extreme caution in seizing FSMO roles.
This operation, in most cases, should be performed only if the original FSMO role
owner will not be brought back into the environment. Only seize a FSMO role if
absolutely necessary when the original role holder is not connected to the network.
What will happen if you do not perform the seize in time? This table has the info:
FSMO Role - Loss implications
Schema - The schema cannot be extended. However, in the short term no one will notice a
missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming - Unless you are going to run DCPROMO, then you will not miss this FSMO role.
RID - Chances are good that the existing DCs will have enough unused RIDs to last some time,
unless you're building hundreds of users or computer objects per week.
PDC Emulator - Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no
time synchronization in the domain, you will probably not be able to change or troubleshoot
group policies and password changes will become a problem.
Infrastructure - Group memberships may be incomplete. If you only have one domain, then there
will be no impact.
Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original
domain controller must not be activated in the forest again. It is necessary to reinstall
Windows if these servers are to be used again.
The following table summarizes the FSMO seizing restrictions:
FSMO Role - Restrictions
Schema - Original must be reinstalled
Domain Naming - Original must be reinstalled
RID - Original must be reinstalled
PDC Emulator - Can transfer back to original
Infrastructure - Can transfer back to original
Another consideration before performing the seize operation is the administrator's group membership,
as this table lists:
FSMO Role - Administrator must be a member of
Schema - Schema Admins
Domain Naming - Enterprise Admins
RID - Domain Admins
PDC Emulator - Domain Admins
Infrastructure - Domain Admins
To seize the FSMO roles by using Ntdsutil, follow these steps:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then
click OK.
C:\WINDOWS>ntdsutil
2. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then
press ENTER.
3. Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:
4. Type connect to server <servername>, where <servername> is the name of the server you want
to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID
Master role, you would type seize rid master.
Options are:
Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.
fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection, ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:
Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize
all roles. Determine which roles are to be on which remaining domain controllers so that all five roles
are not on only one server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the
Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global
Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object
information because it does not contain any references to objects that it does not hold. This is because
a GC server holds a partial replica of every object in the forest.
A better-formatted version of this answer can be found at
http://www.petri.co.il/seizing_fsmo_roles.htm
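As an added example (not code from the page or from Petri), the "knows about 5 roles" listing above can be parsed to see which DC holds each role, and the two seizure tables can then be applied to the result: which roles a dead DC takes with it, which group the administrator must belong to, and whether the old holder has to be reinstalled. The sample output and server names are constructed after the transcript; the role checks also cover the two notes above (all roles on one DC, Infrastructure Master on a Global Catalog).

```python
import re

# Constructed sample modelled on the ntdsutil "fsmo maintenance" transcript above.
# Each role line reads "<Role> - <DN of the holder's NTDS Settings object>".
SAMPLE_OUTPUT = """\
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:
"""

ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")
ROLE_LINE = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure)\s*-\s*(CN=.+)$")
# The holding server is the second RDN of the NTDS Settings DN; the site is the fourth.
HOLDER_DN = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,",
                       re.IGNORECASE)

# The two tables from this section: seizing these roles means the old holder must be
# reinstalled, and each role requires membership of a particular admin group.
REINSTALL_AFTER_SEIZE = frozenset({"Schema", "Domain", "RID"})
REQUIRED_GROUP = {"Schema": "Schema Admins", "Domain": "Enterprise Admins",
                  "RID": "Domain Admins", "PDC": "Domain Admins",
                  "Infrastructure": "Domain Admins"}


def parse_role_holders(text):
    """Map each FSMO role to (server, site) from 'fsmo maintenance' output."""
    holders = {}
    for raw in text.splitlines():
        m = ROLE_LINE.match(raw.strip())
        if not m:
            continue  # prompts, banner and error text are skipped
        role, dn = m.groups()
        h = HOLDER_DN.match(dn)
        if not h:
            raise ValueError(f"unexpected holder DN for {role}: {dn}")
        holders[role] = (h.group(1).upper(), h.group(2))
    missing = [r for r in ROLES if r not in holders]
    if missing:
        raise ValueError(f"roles not reported: {missing}")
    return holders


def all_on_one_dc(holders):
    """True when every role sits on a single DC, which the note above warns against."""
    return len({srv for srv, _ in holders.values()}) == 1


def infrastructure_on_gc(holders, global_catalogs):
    """True when the Infrastructure Master is on a Global Catalog server."""
    gcs = {g.upper() for g in global_catalogs}
    return holders["Infrastructure"][0] in gcs


def plan_seizure(holders, failed_dc):
    """Roles that must be seized if failed_dc never returns, the group memberships
    that needs, and whether the old holder must be reinstalled before reuse."""
    failed = failed_dc.upper()
    roles = [r for r in ROLES if holders[r][0] == failed]
    return {
        "roles_to_seize": roles,
        "groups_needed": sorted({REQUIRED_GROUP[r] for r in roles}),
        "old_holder_must_be_reinstalled": any(r in REINSTALL_AFTER_SEIZE for r in roles),
    }


if __name__ == "__main__":
    holders = parse_role_holders(SAMPLE_OUTPUT)
    for role in ROLES:
        print(f"{role:<15} {holders[role][0]} ({holders[role][1]})")
    print("all roles on one DC:", all_on_one_dc(holders))
    print("IM on a GC:", infrastructure_on_gc(holders, ["SERVER100"]))
    print(plan_seizure(holders, "server200"))
```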
Which FSMO role should you NOT seize? Why?
How do you configure a "stand-by operation master" for any of the roles?
How do you backup AD?
How do you restore AD?
How do you change the DS Restore admin password?
Why can't you restore a DC that was backed up 4 months ago?
What are GPOs?
What is the order in which GPOs are applied?
Name a few benefits of using GPMC.
What are the GPC and the GPT? Where can I find them?
What are GPO links? What special things can I do to them?
What can I do to prevent inheritance from above?
How can I override blocking of inheritance?
How can you determine what GPO was and was not applied for a user? Name a few
ways to do that.
A user claims he did not receive a GPO, yet his user and computer accounts are in
the right OU, and everyone else there gets the GPO. What will you look for?
Name a few differences in Vista GPOs
Name some GPO settings in the computer and user parts.
What are administrative templates?
What's the difference between software publishing and assigning?
Can I deploy non-MSI software with GPO?
You want to standardize the desktop environments (wallpaper, My Documents, Start
menu, printers etc.) on the computers in one department. How would you do that?

Source :
http://www.petri.co.il/mcse_system_administrator_active_directory_interview_questions.htm

Windows Server 2003 Active Directory and Security questions

What's the difference between local, global and universal groups?
Domain local groups assign access permissions to global domain groups for local domain
resources. Global groups provide access to resources in other trusted domains. Universal groups
grant access to resources in all trusted domains.

I am trying to create a new universal user group. Why can't I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native
mode requires that all domain controllers be promoted to Windows Server 2003 Active
Directory.

What is LSDOU?
It's the group policy inheritance model, where the policies are applied to Local machines, Sites,
Domains and Organizational Units.

Why doesn't LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

Where are group policies stored?
%SystemRoot%\System32\GroupPolicy

What is GPT and GPC?
Group policy template and group policy container.

Where is GPT stored?
%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

You change the group policies, and now the computer and user settings are in conflict.
Which one has the highest priority?
The computer settings take priority.

You want to set up a remote installation procedure, but do not want the user to gain access
over it. What do you do?
gponame > User Configuration > Windows Settings > Remote Installation Services > Choice
Options is your friend.

What's contained in administrative template conf.adm?
Microsoft NetMeeting policies

How can you restrict running certain applications on a machine?
Via group policy, security settings for the group, then Software Restriction Policies.

You need to automatically install an app, but MSI file is not available. What do you do?
A .zap text file can be used to add applications using the Software Installer, rather than the
Windows Installer.

What's the difference between Software Installer and Windows Installer?
The former has fewer privileges and will probably require user intervention. Plus, it uses .zap
files.

What can be restricted on Windows Server 2003 that wasn't there in previous products?
Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up
TCP/IP properties. Users may be selectively restricted from modifying their IP address and
other network configuration parameters.

How frequently is the client policy refreshed?
90 minutes give or take.

Where is secedit?
It's now gpupdate.

You want to create a new group policy but do not wish to inherit. Make sure you check
Block inheritance among the options when creating the policy.

What is "tattooing" the Registry?
The user can view and modify user preferences that are not stored in maintained portions of
the Registry. If the group policy is removed or changed, the user preference will persist in the
Registry.

How do you fight tattooing in NT/2000 installations?
You can't.

How do you fight tattooing in 2003 installations?
User Configuration - Administrative Templates - System - Group Policy - enable Enforce Show
Policies Only.

What does IntelliMirror do?
It helps to reconcile desktop settings, applications, and stored files for users, particularly those
who move between workstations or those who must periodically work offline.

What's the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides
extensive permission control on both remote and local files.

How do FAT and NTFS differ in approach to user shares?
They don't, both have support for sharing.

Explain the List Folder Contents permission on the folder in NTFS.
Same as Read & Execute, but not inherited by files within a folder. However, newly created
subfolders will inherit this permission.

I have a file to which the user has access, but he has no folder permission to read it. Can he
access it?
It is possible for a user to navigate to a file for which he does not have folder permission. This
involves simply knowing the path of the file object. Even if the user can't drill down the
file/folder tree using My Computer, he can still gain access to the file using the Universal
Naming Convention (UNC). The best way to start would be to type the full path of a file into the
Run window.

For a user in several groups, are Allow permissions restrictive or permissive?
Permissive, if at least one group has Allow permission for the file/folder, the user will have the
same permission.

For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive, if at least one group has Deny permission for the file/folder, the user will be denied
access, regardless of other group permissions.

What hidden shares exist on a Windows Server 2003 installation?
Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

What's the difference between standalone and fault-tolerant DFS (Distributed File System)
installations?
The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a
shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the
shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory,
which is replicated to other domain controllers. Thus, redundant root nodes may include
multiple connections to the same data residing in different shared folders.

We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use
the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant
shares.

Where exactly do fault-tolerant DFS shares store information in Active Directory?
In the Partition Knowledge Table, which is then replicated to other domain controllers.

Can you use Start->Search with DFS shares?
Yes.

What problems can you have with DFS installed?
Two users opening the redundant copies of the file at the same time, with no file-locking
involved in DFS, changing the contents and then saving. Only one file will be propagated
through DFS.

I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can't. Install
a standalone one.

Is Kerberos encryption symmetric or asymmetric?
Symmetric.

How does Windows 2003 Server try to prevent a middle-man attack on encrypted line?
Time stamp is attached to the initial client request, encrypted with the shared key.

What hashing algorithms are used in Windows 2003 Server?
RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash
Algorithm 1 (SHA-1), which produces a 160-bit hash.

What third-party certificate exchange protocols are used by Windows 2003 Server?
Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7
certificate response to exchange CA certificates with third-party certificate authorities.

What's the number of permitted unsuccessful logons on the Administrator account? Unlimited.
Remember, though, that it's the Administrator account, not any account that's part of the
Administrators group.

If hashing is a one-way function and Windows Server uses hashing for storing passwords, how
is it possible to attack the password lists, specifically the ones using NTLMv1?
A cracker would launch a dictionary attack by hashing every imaginable term used for a password
and then compare the hashes.

What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.

How many passwords by default are remembered when you check "Enforce Password
History Remembered"?
The user's last 6 passwords.

Describe how the DHCP lease is obtained.
It's a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection and (d)
acknowledgement.
I can't seem to access the Internet, don't have any access to the corporate network and on
ipconfig my address is 169.254.*.*. What happened?
The 169.254.*.* address range is assigned to Windows machines running 98/2000/XP if the DHCP
server is not available. The name for the technology is APIPA (Automatic Private Internet
Protocol Addressing).
Weve installed a new Windows-based DHCP server, however, the users do not seem to be
getting DHCP leases off of it?
The server must be authorized first with the Active Directory.
How do you double-boot a Win 2003 server box?
The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To
change the Boot.ini timeout and default settings, use the System option in Control Panel from
the Advanced tab and select Startup.
What do you do if an earlier application doesn't run on Windows Server 2003?
When an application that ran on an earlier legacy version of Windows cannot be loaded during
the setup function or if it later malfunctions, you must run the compatibility mode function.
This is accomplished by right-clicking the application or setup program and selecting Properties
> Compatibility > selecting the previously supported operating system.
What snap-in administrative tools are available for Active Directory?
Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager,
Active Directory Users and Group Manager, Active Directory Replication (optional, available
from the Resource Kit), Active Directory Schema Manager (optional, available from adminpak)
What types of classes exist in Windows Server 2003 Active Directory?
Structural class. The structural class is important to the system administrator in that it is the
only type from which new Active Directory objects are created. Structural classes are
developed from either the modification of an existing structural type or the use of one or more
abstract classes.
What is presentation layer responsible for in the OSI model? The presentation layer
establishes the data format prior to passing it along to the network applications interface.
TCP/IP networks perform this task at the application layer.
Does Windows Server 2003 support IPv6?
Yes, run ipv6.exe from command line to disable it.
Can Windows Server 2003 function as a bridge?
Yes, and it's a new feature for the 2003 product. You can combine several networks and
devices connected via several adapters by enabling IP routing.
What's the role of http.sys in IIS? It is the point of contact for all incoming HTTP requests. It
listens for requests and queues them until they are all processed, no more queues are
available, or the Web server is shut down.
Where's the ASP cache located on IIS 6.0? On disk, as opposed to memory, as it used to be in IIS
5.
What is socket pooling? Non-blocking socket usage, introduced in IIS 6.0. More than one
application can use a given socket.
Which characters should be enclosed in quotes when searching the index? &, @, $, #, ^, (),
and |.
How would you search for C++? Just enter C++, since + is not a special character (and neither
is C).
What about Barnes&Noble? Should be searched for as Barnes&Noble.
Are the searches case-sensitive? No.
What's the order of precedence of Boolean operators in Microsoft Windows 2003 Server
Indexing Service? NOT, AND, NEAR, OR.
How many group policies can be applied to an OU?
How many objects can be created in a Directory Partition?
In Active Directory Replication, which FSMO role participates in replication?
A Case:
A main DC (Windows 2003) and a BDC (Windows 2000 Server): at the time of replication,
all partitions will be replicated, but what about the "Application Partition" in the main DC?
What is the Active Directory schema?
The Active Directory schema contains formal definitions of every object class that can be
created in an Active Directory forest; it also contains formal definitions of every attribute that
can exist in an Active Directory object.

Active Directory stores and retrieves information from a wide variety of applications and
services.
What is a Global Catalog Server?
A global catalog server is a domain controller; it is a master searchable database that contains
information about every object in every domain in a forest. The global catalog contains a
complete replica of all objects in Active Directory for its host domain, and contains a partial
replica of all objects in Active Directory for every other domain in the forest. It has two
important functions:
Provides group membership information during logon and authentication
Helps users locate resources in Active Directory
What is the ntds.dit file default size?
40 MB
What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
SMTP 25, POP3 110, IMAP4 143, RPC 135, LDAP 389, Global Catalog - 3268

What is a default gateway?
The exit-point from one network and entry-way into another network, often the router of the
network.

How do you set a default route on a Cisco router?
ip route 0.0.0.0 0.0.0.0 x.x.x.x [where x.x.x.x represents the destination address]

Describe the lease process of the DHCP server.
The DHCP server leases IP addresses to the clients as follows:
DORA
D (Discover): the DHCP client sends a broadcast packet to identify the DHCP server; this packet
will contain the source MAC.
O (Offer): once the packet is received by the DHCP server, the server will send a packet
containing its source IP and source MAC.
R (Request): the client will now contact the DHCP server directly and request the IP address.
A (Acknowledge): the DHCP server will send an ack packet which contains the IP address.

What is IPv6? Internet Protocol version 6 (IPv6) is a network layer IP standard used by
electronic devices to exchange data across a packet-switched internetwork. It follows IPv4 as
the second version of the Internet Protocol to be formally adopted for general use. An IPv6
address is 128 bits in size: a total of 8 groups of 16 bits each, separated with ":", written
in hexadecimal format. There are 3 types:
1. unicast address
2. multicast address
3. anycast address
The loopback address of IPv6 is ::1

If you uninstall Windows Server 2003, which operating systems can you revert to?
Win ME, Win98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows
Server 2003.

How do you get to Internet Firewall settings?
Start > Control Panel > Network and Internet Connections > Network Connections.

What are the Windows Server 2003 keyboard shortcuts?
Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog
box. Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT +
TAB moves the focus to the previous application in the taskbar. Winkey + B moves the focus to
the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer
showing My Computer. Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search
panel with the Search for Computers module selected. Winkey + F1 opens Help. Winkey + M
minimizes all. Winkey + SHIFT + M undoes minimization. Winkey + R opens the Run dialog. Winkey +
U opens the Utility Manager. Winkey + L locks the computer.

What is Active Directory?
Active Directory is a network-based object store and service that locates and manages
resources, and makes these resources available to authorized users and groups. An underlying
principle of the Active Directory is that everything is considered an object: people, servers,
workstations, printers, documents, and devices. Each object has certain attributes and its own
security access control list (ACL).

Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain
Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster
peer-to-peer read and write relationship that hosts copies of the Active Directory.

How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include
account and individual user lockout policies, changes to password policies, changes to
computer account passwords, and modifications to the Local Security Authority (LSA).

What's new in Windows Server 2003 regarding DNS management?
When DC promotion occurs with an existing forest, the Active Directory Installation Wizard
contacts an existing DC to update the directory and replicate from the DC the required portions
of the directory. If the wizard fails to locate a DC, it performs debugging and reports what
caused the failure and how to fix the problem. In order to be located on a network, every DC
must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies a
proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting
activity is done with the Active Directory Installation Wizard.

When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct
namespaces. Unique trade or brand names often give rise to separate DNS identities.
Organizations merge or are acquired and naming continuity is desired. Organizations form
partnerships and joint ventures. While access to common resources is desired, a separately
defined tree can enforce more direct administrative and security restrictions.

How can you authenticate between forests?
Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for
remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for
physical logon outside the user's home forest; (3) Kerberos delegation to an N-tier application in
another forest; and (4) user principal name (UPN) credentials.


What types of classes exist in Windows Server 2003 Active Directory?
Structural class. The structural class is important to the system administrator in that it is the
only type from which new Active Directory objects are created. Structural classes are
developed from either the modification of an existing structural type or the use of one or more
abstract classes.
Abstract class. Abstract classes are so named because they take the form of templates that
actually create other templates (abstracts) and structural and auxiliary classes. Think of
abstract classes as frameworks for the defining objects.
Auxiliary class. The auxiliary class is a list of attributes. Rather than apply numerous attributes
when creating a structural class, it provides a streamlined alternative by applying a
combination of attributes with a single include action.
88 class. The 88 class includes object classes defined prior to 1993, when the 1988 X.500
specification was adopted. This type does not use the structural, abstract, and auxiliary
definitions, nor is it in common use for the development of objects in Windows Server 2003
environments.
How do you delete a lingering object?
Windows Server 2003 provides a command called Repadmin that provides the ability to delete
lingering objects in the Active Directory.

What is the Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across
a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In
Windows 2000, there was typically one GC on every site in order to prevent user logon failures
across the network.

How is user account security established in Windows Server 2003?
When an account is created, it is given a unique access number known as a security identifier
(SID). Every group to which the user belongs has an associated SID. The user and related group
SIDs together form the user account's security token, which determines access levels to objects
throughout the system and network. SIDs from the security token are mapped to the access
control list (ACL) of any object the user attempts to access.

If I delete a user and then create a new account with the same username and password,
would the SID and permissions stay the same?
No. If you delete a user account and attempt to recreate it with the same user name and
password, the SID will be different.
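An added example (not from the page) that models the SID-token answer above together with the two earlier NTFS questions on Allow and Deny for a user in several groups: the token is the user's SID plus group SIDs, an ACL is a list of Allow/Deny entries, and a Deny from any group wins. The SIDs and rights masks are constructed placeholders; it implements the rule as this page states it, not the full canonical ACE ordering Windows applies.

```python
# Rights are bits of a mask, as in an access mask (constructed simplified values).
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
RIGHT_NAMES = {READ: "Read", WRITE: "Write", EXECUTE: "Execute", DELETE: "Delete"}

# Constructed placeholder SIDs, not taken from any real domain.
DOMAIN = "S-1-5-21-1111-2222-3333"
USER_SID = f"{DOMAIN}-1104"
MARKETING = f"{DOMAIN}-1201"
INTERNS = f"{DOMAIN}-1202"
EVERYONE = "S-1-1-0"

# Folder ACL entries: (trustee SID, "Allow" or "Deny", rights mask).
FOLDER_ACL = [
    (EVERYONE, "Allow", READ),
    (MARKETING, "Allow", READ | WRITE | EXECUTE),
    (INTERNS, "Deny", WRITE),          # one Deny overrides Marketing's Allow Write
    (USER_SID, "Allow", DELETE),       # explicit entry for this user's own SID
]


def build_token(user_sid, group_sids):
    """The security token: the user's own SID together with all of his group SIDs."""
    return frozenset([user_sid, *group_sids])


def effective_rights(token, acl):
    """Union of every matching Allow mask, minus the union of every matching Deny mask.
    Entries whose SID is not in the token are ignored, as the mapping in the answer above."""
    allowed = denied = 0
    for sid, kind, mask in acl:
        if sid not in token:
            continue
        if kind == "Allow":
            allowed |= mask
        elif kind == "Deny":
            denied |= mask
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return allowed & ~denied


def right_names(mask):
    """Human-readable list of the rights set in mask."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def has_access(token, acl, wanted):
    """True only if every bit in wanted survives after Deny entries are applied."""
    return effective_rights(token, acl) & wanted == wanted


if __name__ == "__main__":
    token = build_token(USER_SID, [MARKETING, INTERNS, EVERYONE])
    print(right_names(effective_rights(token, FOLDER_ACL)))   # Read, Execute, Delete
    print("write allowed:", has_access(token, FOLDER_ACL, WRITE))  # False: Interns Deny wins
    # The account is deleted and recreated with the same name: it gets a new SID, so the
    # explicit entry for the old SID no longer matches and Delete is lost.
    recreated = build_token(f"{DOMAIN}-1180", [MARKETING, INTERNS, EVERYONE])
    print(right_names(effective_rights(recreated, FOLDER_ACL)))   # Read, Execute
```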

What do you do with secure sign-ons in an organization with many roaming users?
Credential Management feature of Windows Server 2003 provides a consistent single sign-on
experience for users. This can be useful for roaming users who move between computer
systems. The Credential Management feature provides a secure store of user credentials that
includes passwords and X.509 certificates.

Anything special you should do when adding a user that has a Mac?
"Save password as encrypted clear text" must be selected on User Properties Account Tab
Options, since the Macs only store their passwords that way.

What remote access options does Windows Server 2003 support?
Dial-in, VPN, dial-in with callback.

Where are the documents and settings for the roaming profile stored?
All the documents and environmental settings for the roaming user are stored locally on the
system, and, when the user logs off, all changes to the locally stored profile are copied to the
shared server folder. Therefore, the first time a roaming user logs on to a new system the
logon process may take some time, depending on how large his profile folder is.

Where are the settings for all the users stored on a given machine?
\Documents and Settings\All Users
What languages can you use for log-on scripts?
JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)

What are the differences between a site-to-site VPN and a VPN client connecting to a
VPN server? What protocols are used for these?

EXPERT RESPONSE

Site-to-site VPNs connect entire networks to each other -- for example, connecting a
branch office network to a company headquarters network. In a site-to-site VPN, hosts do
not have VPN client software; they send and receive normal TCP/IP traffic through a
VPN gateway. The VPN gateway is responsible for encapsulating and encrypting
outbound traffic, sending it through a VPN tunnel over the Internet, to a peer VPN
gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts
the content, and relays the packet towards the target host inside its private network.

Remote access VPNs connect individual hosts to private networks -- for example,
travelers and teleworkers who need to access their company's network securely over the
Internet. In a remote access VPN, every host must have VPN client software (more on this
in a minute). Whenever the host tries to send any traffic, the VPN client software
encapsulates and encrypts that traffic before sending it over the Internet to the VPN
gateway at the edge of the target network. Upon receipt, that VPN gateway behaves as
described above for site-to-site VPNs. If the target host inside the private network returns
a response, the VPN gateway performs the reverse process to send an encrypted response
back to the VPN client over the Internet.

The most common secure tunneling protocol used in site-to-site VPNs is the IPsec
Encapsulating Security Payload (ESP), an extension to the standard IP protocol used by
the Internet and most corporate networks today. Most routers and firewalls now support
IPsec and so can be used as a VPN gateway for the private network behind them. Another
site-to-site VPN protocol is Multi-Protocol Label Switching (MPLS), although MPLS
does not provide encryption.

Remote access VPN protocols are more varied. The Point-to-Point Tunneling Protocol
(PPTP) has been included in every Windows operating system since Windows 95. The
Layer 2 Tunneling Protocol (L2TP) over IPsec is present in Windows 2000 and XP and is
more secure than PPTP. Many VPN gateways use IPsec alone (without L2TP) to deliver
remote access VPN services. All of these approaches require VPN client software on
every host, and a VPN gateway that supports the same protocol and options/extensions for
remote access.

Over the past few years, many vendors have released secure remote access products that
use SSL and ordinary web browsers as an alternative to IPsec/L2TP/PPTP VPNs. These
"SSL VPNs" are often referred to as "clientless," but it is more accurate to say that they
use web browsers as VPN clients, usually in combination with dynamically-downloaded
software (Java applet, ActiveX control, or temporary Win32 program that is removed
when the session ends). Also, unlike PPTP, L2TP, and IPsec VPNs, which connect remote
hosts to an entire private network, SSL VPNs tend to connect users to specific
applications protected by the SSL VPN gateway.

To learn more about VPN protocols and topologies, watch my New directions in VPN
searchSecurity webcast, or read this InfoSec Magazine article on SSL VPNs.
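The protocols the expert response lists each leave a recognisable footprint at a gateway, which is how an administrator can tell which tunnel types (and which weaker ones, such as PPTP) are actually in use. The following is an added example, not part of the original answer: it correlates constructed firewall-style log lines into IPsec, PPTP and SSL VPN sessions and labels each as site-to-site or remote access, assuming a constructed list of peer site gateways.

```python
"""Spot VPN tunnels in gateway firewall logs using the protocol signatures named above.
Added example, not from the original answer; all log lines and addresses are constructed."""
from collections import defaultdict

SITE_GATEWAYS = {"203.0.113.10"}  # constructed: peer gateways at other sites (assumption)
# Constructed log lines: "<src> <dst> <ip-proto> [<dst-port>]"
LOG_LINES = """
203.0.113.10 198.51.100.1 udp 500
203.0.113.10 198.51.100.1 esp
198.51.100.77 198.51.100.1 tcp 1723
198.51.100.77 198.51.100.1 gre
192.0.2.5 198.51.100.1 udp 4500
192.0.2.5 198.51.100.1 esp
192.0.2.9 198.51.100.1 tcp 443
192.0.2.20 198.51.100.1 tcp 1723
""".strip().splitlines()
# Tunnel building blocks: IKE (UDP 500/4500) and ESP for IPsec, the TCP 1723
# control channel plus GRE for PPTP, TLS on 443 for an SSL VPN.
SIGNATURES = {("udp", 500): "ike", ("udp", 4500): "ike", ("esp", None): "esp",
              ("tcp", 1723): "pptp-control", ("gre", None): "gre", ("tcp", 443): "tls"}
RULES = ((("ike", "esp"), "IPsec"), (("pptp-control", "gre"), "PPTP"), (("tls",), "SSL VPN"))

def parse_line(line):
    src, dst, proto, *rest = line.split()
    return src, dst, proto, (int(rest[0]) if rest else None)

def tunnel_components(lines):
    # Per source address, the set of building blocks seen in the log.
    seen = defaultdict(set)
    for src, _dst, proto, port in map(parse_line, lines):
        tag = SIGNATURES.get((proto, port))
        if tag:
            seen[src].add(tag)
    return seen

def classify(components):
    """Name the protocol only when its full signature is present (a lone TCP 1723 is
    not a PPTP session).  L2TP/IPsec is reported as IPsec: L2TP travels inside ESP."""
    for needed, name in RULES:
        if set(needed) <= components:
            return name
    return None

def vpn_report(lines=LOG_LINES, site_gateways=SITE_GATEWAYS):
    """Map each tunnel source to (protocol, topology); PPTP peers are the ones to review."""
    report = {}
    for src, comps in tunnel_components(lines).items():
        proto = classify(comps)
        if proto:
            report[src] = (proto, "site-to-site" if src in site_gateways else "remote access")
    return report
```

The source at 192.0.2.20 is dropped because only the PPTP control channel was seen without GRE, and the two IPsec peers cannot be told apart from L2TP/IPsec on the wire, since the L2TP packets are carried inside ESP.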

What are