
1. What is the Active Directory schema?

Ans: The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest; it also contains formal definitions of every attribute that can exist in an Active Directory object. Active Directory stores and retrieves information from a wide variety of applications and services. So that it can store and replicate data from a potentially infinite variety of sources, Active Directory standardizes how data is stored in the directory. By standardizing how data is stored, the directory service can retrieve, update, and replicate data while ensuring that the integrity of the data is maintained.

2. What are the domain functional levels in Windows Server 2003?

Ans: The four domain functional levels are:

Windows 2000 Mixed
Windows 2000 Native
Windows Server 2003 Interim
Windows Server 2003

Windows 2000 Mixed: When you configure a new Windows Server 2003 domain, the default domain functional level is Windows 2000 Mixed. Under this domain functional level, Windows NT, 2000, and 2003 domain controllers are supported. However, certain features such as group nesting, universal groups, and so on are not available.

Windows 2000 Native: Upgrading the functional level of a domain to Windows 2000 Native should only be done if there are no Windows NT domain controllers remaining on the network. By upgrading to the Windows 2000 Native functional level, additional features become available, including group nesting, universal groups, SIDHistory, and the ability to convert between security groups and distribution groups.

Windows Server 2003 Interim: The third functional level is Windows Server 2003 Interim, and it is often used when upgrading from Windows NT to Windows Server 2003. Upgrading to this domain functional level provides support for Windows NT and Windows Server 2003 domain controllers. However, like Windows 2000 Mixed, it does not provide new features.

Windows Server 2003: The last functional level is Windows Server 2003. This domain functional level only provides support for Windows Server 2003 domain controllers. If you want to take advantage of all the features included with Windows Server 2003, you must implement this functional level. One of the most important features introduced at this functional level is the ability to rename domain controllers.

3. What are the forest functional levels in Windows Server 2003?

Ans: Domain functional levels in Windows Server 2003 apply only to the Windows domain controllers, not to client-level operating systems. There are four:

Windows 2000 Mixed (default): supports Windows NT, Windows 2000 and Windows 2003
Windows 2000 Native: supports Windows 2000 and Windows 2003
Windows 2003 Interim: supports Windows NT and Windows 2003
Windows 2003: supports Windows 2003 only

Forest functional levels in Windows Server 2003: there are three:

Windows 2000 Mixed: supports Windows NT, Windows 2000 and Windows 2003
Windows 2000 Native: supports Windows 2000 and Windows 2003
Windows 2003: supports Windows 2003 only

4. What is a global catalog server?

Ans: A global catalog server is a domain controller; it is a master searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. It has two important functions:

i) Provides group membership information during logon and authentication
ii) Helps users locate resources in Active Directory

5. How can we raise the domain functional and forest functional level in Windows Server 2003?

Ans: Active Directory Users and Computers > Domain Functional Level > choose the DFL as per your environment. Active Directory Domains and Trusts > Forest Functional Level > choose the FFL as per your environment. Note: once you have changed the DFL and FFL, the change cannot be reverted.

6. Which is the default protocol used in directory services?

Ans: LDAP

7. What is IPv6?

Ans: Internet Protocol version 6 (IPv6) is a network layer IP standard used by electronic devices to exchange data across a packet-switched internetwork. It follows IPv4 as the second version of the Internet Protocol to be formally adopted for general use.

8. What is the default domain functional level in Windows Server 2003?

Ans: Windows 2000 Mixed is the default.

9. What are the physical and logical components of ADS?

Ans: Physical: sites, domain controllers. Logical: forest, domain, tree, OU.

10. In which domain functional level can we rename a domain?

Ans: All domain controllers must be running Windows Server 2003, and the Active Directory functional level must be Windows Server 2003. Yes, you can rename the domain in Windows Server 2003.

11. What is multimaster replication?

Ans: Multi-master replication is a method of replication employed by databases to transfer data or changes to data across multiple computers within a group. Multi-master replication can be contrasted with a master-slave method (also known as single-master replication).

12. What is a site?

Ans: A site is one or more IP subnets. It contains connection objects and computer objects and is mainly used for AD replication.

13. Which is the command used to remove Active Directory from a domain controller?

Ans: Removing Active Directory:
1. If we want to remove Active Directory, we use the command DCPROMO.
2. If someone deleted the parent domain and we want to remove Active Directory from the child domain, we use the command DCPROMO /FORCEREMOVAL.
Note: we should not remove the parent domain first. We should start from the bottom, meaning the child domain, then its parent, and so on.

14. What is a trust?

Ans: To allow users in one domain to access resources in another, AD uses trusts. A trust is automatically produced when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit trust is automatic. As well as two-way transitive trust, AD trusts can be shortcut (joins two domains in different trees; transitive; one- or two-way), forest (transitive; one- or two-way), realm (transitive or nontransitive; one- or two-way), or external (nontransitive; one- or two-way) in order to connect to other forests or non-AD domains. AD uses the Kerberos V5 protocol, although NTLM is also supported and web clients use SSL/TLS.

15. What is the file that is responsible for keeping the whole Active Directory database?

Ans: NTDS.dit is the file that holds the whole Active Directory database.

16. What is a DHCP relay agent?

Ans: If you have two or more subnets, you would need to configure a DHCP server in each subnet; instead of placing a DHCP server in each, we can configure a DHCP relay agent wherever you want. Note: a minimum of one DHCP server is needed on your network.

17. How long does it take for security changes to be replicated among the domain controllers?

Ans: Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

18. What's new in Windows Server 2003 regarding DNS management?

Ans: When DC promotion occurs within an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicates from that DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.

19. How can you authenticate between forests?

Ans: Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user's home forest; (3) Kerberos delegation to an N-tier application in another forest; and (4) user principal name (UPN) credentials.

19. What snap-in administrative tools are available for Active Directory?

Ans: Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active Directory Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Manager (optional, available from adminpak).

20. How do you delete a lingering object?

Ans: Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in Active Directory.

21. How is user account security established in Windows Server 2003?

Ans: When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account's security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.

22. If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same?

Ans: No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.
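The following is an added example, not part of the original Q&A: it models how a domain account SID is a domain SID plus a RID, how the RID master (described under the FSMO roles later on this page) hands each DC a pool of RIDs, and why deleting and re-creating an account produces a new SID (Q21/Q22). All SIDs, pool sizes and thresholds are constructed sample values.

```python
# Added example: SID structure, RID pools and account re-creation.
# All SIDs, pool sizes and the 1000/500/50 numbers are constructed sample values.
import re
import struct

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def split_domain_rid(sid):
    """A domain account SID is <domain SID>-<RID>; the RID is the last sub-authority."""
    auth, subs = parse_sid(sid)
    if auth != 5 or len(subs) < 2 or subs[0] != 21:
        raise ValueError("not an S-1-5-21 domain account SID")
    domain = "S-1-%d-%s" % (auth, "-".join(str(s) for s in subs[:-1]))
    return domain, subs[-1]


def sid_to_bytes(sid):
    """Binary SID as stored in objectSid: revision, sub-authority count,
    6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    auth, subs = parse_sid(sid)
    return (bytes([1, len(subs)]) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(raw):
    """Inverse of sid_to_bytes, with a length check against the declared count."""
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    auth = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-1-%d-%s" % (auth, "-".join(str(s) for s in subs))


class RidMaster:
    """The single RID master of a domain hands out disjoint RID ranges."""

    def __init__(self, first_rid=1000, block=500):
        self.next_rid, self.block = first_rid, block

    def allocate_pool(self):
        pool = list(range(self.next_rid, self.next_rid + self.block))
        self.next_rid += self.block
        return pool


class DomainController:
    """Each DC creates principals from its own pool and asks for more when it runs low."""

    def __init__(self, domain_sid, rid_master, threshold=50):
        self.domain_sid, self.rid_master, self.threshold = domain_sid, rid_master, threshold
        self.pool = []
        self.accounts = {}  # sAMAccountName -> SID

    def create_user(self, name):
        if len(self.pool) <= self.threshold:          # below threshold: request a new pool
            self.pool.extend(self.rid_master.allocate_pool())
        rid = self.pool.pop(0)                        # a RID is never handed out twice
        sid = "%s-%d" % (self.domain_sid, rid)
        self.accounts[name] = sid
        return sid

    def delete_user(self, name):
        del self.accounts[name]                       # the SID is gone with the object


def recreate_demo():
    """Delete 'alice' and re-create her: same name, different SID (Q22)."""
    dc = DomainController("S-1-5-21-1111111111-2222222222-3333333333", RidMaster())
    first = dc.create_user("alice")
    dc.delete_user("alice")
    second = dc.create_user("alice")
    return first, second


if __name__ == "__main__":
    a, b = recreate_demo()
    print("first SID :", a)
    print("second SID:", b, "(same account name, new RID)")
```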

23. What do you do with secure sign-ons in an organization with many roaming users?

Ans: The Credential Management feature of Windows Server 2003 provides a consistent single sign-on experience for users. This can be useful for roaming users who move between computer systems. The Credential Management feature provides a secure store of user credentials that includes passwords and X.509 certificates.

24. Anything special you should do when adding a user that has a Mac?

Ans: "Save password as encrypted clear text" must be selected on the User Properties Account tab options, since the Macs only store their passwords that way.

25. What remote access options does Windows Server 2003 support?

Ans: Dial-in, VPN, dial-in with callback.

26. Where are the documents and settings for the roaming profile stored?

Ans: All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.

27. What's the difference between local, global and universal groups?

Ans: Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

28. I am trying to create a new universal user group. Why can't I?

Ans: Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

29. What is LSDOU?

Ans: It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units, in that order.

30. Can Windows Server 2003 function as a bridge?

Ans: Yes, and it's a new feature for the 2003 product. You can combine several networks and devices connected via several adapters by enabling IP routing.

31. Why doesn't LSDOU work under Windows NT?

Ans: If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

32. Where are group policies stored?

Ans: %SystemRoot%\System32\GroupPolicy

33. What are the GPT and the GPC?

Ans: Group policy template and group policy container.

34. Where is the GPT stored?

Ans: %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

35. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority?

Ans: The computer settings take priority.

36. You want to set up a remote installation procedure, but do not want the user to gain access over it. What do you do?

Ans: gponame > User Configuration > Windows Settings > Remote Installation Services > Choice Options is your friend.

37. What's contained in the administrative template conf.adm?

Ans: Microsoft NetMeeting policies.

38. How can you restrict running certain applications on a machine?

Ans: Via group policy: security settings for the group, then Software Restriction Policies.

39. You need to automatically install an app, but an MSI file is not available. What do you do?

Ans: A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.

40. What can be restricted on Windows Server 2003 that wasn't there in previous products?

Ans: Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

41. How frequently is the client policy refreshed?

Ans: 90 minutes, give or take.

42. Where is secedit?

Ans: It's now gpupdate.

43. You want to create a new group policy but do not wish to inherit.

Ans: Make sure you check Block inheritance among the options when creating the policy.

44. What is "tattooing" the Registry?

Ans: The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.

45. What does IntelliMirror do?

Ans: It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.

46. What's the major difference between FAT and NTFS on a local machine?

Ans: FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.

47. How do FAT and NTFS differ in their approach to user shares?

Ans: They don't; both have support for sharing.
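The following is an added example, not part of the original Q&A: a small model of LSDOU processing (Q29) in which GPOs linked at Local, Site, Domain and OU level are applied in that order with later levels overriding earlier ones, "Block inheritance" on a container discards every link above it (Q43), and a conflicting computer setting beats the user setting (Q35). It assumes a simplified model with no Enforced links, WMI filters or loopback processing; the container, GPO and setting names are constructed.

```python
# Added example: LSDOU resultant policy with Block inheritance and computer-over-user.
# Container, GPO and setting names below are constructed sample data.
LEVELS = ("local", "site", "domain", "ou")


class Gpo:
    def __init__(self, name, computer=None, user=None):
        self.name = name
        self.computer = dict(computer or {})   # Computer Configuration settings
        self.user = dict(user or {})           # User Configuration settings


class Container:
    """A site, domain or OU with its linked GPOs (listed highest-precedence first)."""

    def __init__(self, name, level, gpos=(), parent=None, block_inheritance=False):
        if level not in LEVELS[1:]:
            raise ValueError("container level must be site, domain or ou")
        self.name, self.level, self.gpos = name, level, list(gpos)
        self.parent, self.block_inheritance = parent, block_inheritance


def scope_chain(container):
    """Containers from the top of the hierarchy down to `container`.
    Block inheritance on a container discards every link above it (Q43);
    the local GPO is not affected, so it is handled separately."""
    chain, node = [], container
    while node is not None:
        chain.append(node)
        if node.block_inheritance:
            break
        node = node.parent
    return chain[::-1]


def resulting_policy(local_gpo, container):
    """Apply Local, then Site, Domain, OU; a later level overrides an earlier one;
    finally a computer setting wins over a conflicting user setting (Q35).
    Returns (effective settings, list of 'level:gpo' in application order)."""
    computer, user, applied = {}, {}, []
    ordered = [("local", [local_gpo])] + [(c.level, c.gpos) for c in scope_chain(container)]
    for level, gpos in ordered:
        for gpo in reversed(gpos):   # first-listed link has highest precedence: apply it last
            computer.update(gpo.computer)
            user.update(gpo.user)
            applied.append("%s:%s" % (level, gpo.name))
    merged = dict(user)
    merged.update(computer)          # computer settings take priority on conflict
    return merged, applied


def demo():
    local = Gpo("LocalPolicy", user={"wallpaper": "local.bmp"})
    site = Container("HQ", "site", [Gpo("SitePolicy", computer={"screensaver_timeout": 900})])
    domain = Container("corp.example", "domain",
                       [Gpo("DomainSecurity",
                            computer={"min_pwd_len": 8, "screensaver_timeout": 600},
                            user={"wallpaper": "corp.bmp"})],
                       parent=site)
    finance = Container("Finance", "ou",
                        [Gpo("FinanceLockdown",
                             user={"screensaver_timeout": 300, "wallpaper": "finance.bmp"})],
                        parent=domain)
    lab = Container("Lab", "ou", [Gpo("LabOnly", user={"wallpaper": "lab.bmp"})],
                    parent=domain, block_inheritance=True)
    return resulting_policy(local, finance), resulting_policy(local, lab)


if __name__ == "__main__":
    for settings, applied in demo():
        print(applied, "->", settings)
```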

48. Explain the List Folder Contents permission on a folder in NTFS.

Ans: Same as Read & Execute, but not inherited by files within the folder. However, newly created subfolders will inherit this permission.

49. I have a file to which the user has access, but he has no folder permission to read it. Can he access it?

Ans: It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of the file into the Run window.

50. For a user in several groups, are Allow permissions restrictive or permissive?

Ans: Permissive: if at least one group has Allow permission for the file/folder, the user will have the same permission.

51. For a user in several groups, are Deny permissions restrictive or permissive?

Ans: Restrictive: if at least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.

52. What hidden shares exist on a Windows Server 2003 installation?

Ans: Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

53. What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations?

Ans: The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
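The following is an added example, not part of the original Q&A: it evaluates the effective NTFS rights of a user who is in several groups, accumulating Allow entries from every group (Q50), letting any Deny entry remove a right regardless of other Allows (Q51), and treating a List Folder Contents entry as applying to the folder and its subfolders but not to files (Q48). The ACL, group names and right names are a constructed, simplified model.

```python
# Added example: effective NTFS rights with Allow accumulation, Deny precedence and
# List Folder Contents inheritance. ACL, principals and right names are constructed.
READ, EXECUTE, WRITE, LIST = "read", "execute", "write", "list_folder"
LIST_FOLDER_CONTENTS = frozenset({READ, EXECUTE, LIST})   # same rights as Read & Execute


class Ace:
    def __init__(self, kind, trustee, rights, applies_to=("folder", "subfolder", "file")):
        self.kind = kind                       # "allow" or "deny"
        self.trustee = trustee                 # user or group the entry is for
        self.rights = frozenset(rights)
        self.applies_to = frozenset(applies_to)


def list_folder_contents(kind, trustee):
    """List Folder Contents: Read & Execute rights, inherited by subfolders but not by files."""
    return Ace(kind, trustee, LIST_FOLDER_CONTENTS, applies_to=("folder", "subfolder"))


def effective_rights(principals, acl, object_kind):
    """principals: the user's own name plus every group in its token (its SIDs).
    acl: entries on the folder. object_kind: "folder", "subfolder" or "file"."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in principals or object_kind not in ace.applies_to:
            continue
        (denied if ace.kind == "deny" else allowed).update(ace.rights)
    return allowed - denied            # a Deny from any group wins over any Allow


def can_access(principals, acl, object_kind, right):
    return right in effective_rights(principals, acl, object_kind)


def demo():
    acl = [
        Ace("allow", "Domain Users", [READ]),
        Ace("allow", "Finance", [WRITE]),
        list_folder_contents("allow", "Finance"),
        Ace("deny", "Contractors", [WRITE]),
    ]
    alice = {"alice", "Domain Users", "Finance"}
    bob = {"bob", "Domain Users", "Finance", "Contractors"}
    return {
        "alice_folder": effective_rights(alice, acl, "folder"),
        "alice_file": effective_rights(alice, acl, "file"),     # no list_folder on files
        "bob_folder": effective_rights(bob, acl, "folder"),     # write denied via Contractors
    }


if __name__ == "__main__":
    for who, rights in demo().items():
        print(who, sorted(rights))
```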

54. We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box.

Ans: Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.

55. Where exactly do fault-tolerant DFS shares store information in Active Directory?

Ans: In the Partition Knowledge Table, which is then replicated to other domain controllers.

56. Can you use Start->Search with DFS shares?

Ans: Yes.

57. What problems can you have with DFS installed?

Ans: Two users opening the redundant copies of the file at the same time, with no file locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.

58. I run Microsoft Cluster Server and cannot install fault-tolerant DFS.

Ans: Yeah, you can't. Install a standalone one.

59. Is Kerberos encryption symmetric or asymmetric?

Ans: Symmetric.

60. How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line?

Ans: A time stamp is attached to the initial client request, encrypted with the shared key.

61. What third-party certificate exchange protocols are used by Windows 2003 Server?

Ans: Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.

62. What's the number of permitted unsuccessful logons on the Administrator account?

Ans: Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.

63. How many passwords by default are remembered when you check "Enforce Password History Remembered"?

Ans: The user's last 6 passwords.

64. Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.

Ans: Yes, you can use DirXML or LDAP to connect to other directories (e.g. eDirectory from Novell).

65. Where is the AD database held? What other folders are related to AD?

Ans: The AD database is saved in %systemroot%\ntds. You can see other files also in this folder. These are the main files controlling the AD structure:

ntds.dit
edb.log
res1.log
res2.log
edb.chk

66. What is the SYSVOL folder?

Ans: The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain. You can go to the SYSVOL folder by typing %systemroot%\sysvol.

67. Name the AD NCs and the replication issues for each NC.

Ans: The AD naming contexts (NCs) are the Schema NC, the Configuration NC and the Domain NC.

Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.

Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.

Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.

68. What are application partitions? When do I use them?

Ans: An Application Directory Partition is a partition space in Active Directory which an application can use to store that application's specific data. This partition is then replicated only to some specific domain controllers. The application directory partition can contain any type of data except security principals (users, computers, groups).

69. How do you view replication properties for AD partitions and DCs?

Ans: By using Replication Monitor: go to Start > Run > type replmon.

70. How do you view all the GCs in the forest?

Ans: C:\>repadmin /showreps domain_controller, where domain_controller is the DC you want to query to determine whether it's a GC. The output will include the text DSA Options: IS_GC if the DC is a GC.

71. Why not make all DCs in a large forest GCs?

Ans: When all the DCs become GCs, replication traffic will increase, and we cannot keep the Infrastructure Master and the GC on the same domain controller, so at least one DC should act without holding the GC role.
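The following is an added example, not part of the original Q&A: it reads the per-DC header that repadmin /showreps prints (Q70) to find which DCs are global catalogs, then applies the placement rule from Q71 and from the Infrastructure Master note later on this page: the IM should not run on a GC unless every DC in the domain is a GC. The repadmin output, DC names and GUIDs are constructed samples.

```python
# Added example: find GCs from repadmin /showreps headers and check IM placement.
# The three repadmin outputs below are constructed samples, not real captures.
import re

SAMPLE_SHOWREPS = {
    "DC1": """\
Default-First-Site-Name\\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 11111111-1111-1111-1111-111111111111
""",
    "DC2": """\
Default-First-Site-Name\\DC2
DSA Options: (none)
Site Options: (none)
DSA object GUID: 22222222-2222-2222-2222-222222222222
""",
    "DC3": """\
Branch-Site\\DC3
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 33333333-3333-3333-3333-333333333333
""",
}

# First line is "<site>\<dc>", second is "DSA Options: <comma-separated flags or (none)>"
_HEADER = re.compile(r"^(?P<site>[^\\\n]+)\\(?P<dc>[^\s]+)[ \t]*\nDSA Options: (?P<opts>[^\n]*)", re.M)


def parse_showreps(text):
    """Return (site, dc_name, is_gc) from the header of repadmin /showreps output."""
    m = _HEADER.search(text)
    if not m:
        raise ValueError("no DSA header found in repadmin output")
    opts = [o.strip() for o in m.group("opts").split(",")]
    return m.group("site"), m.group("dc"), "IS_GC" in opts


def global_catalogs(outputs):
    """Map DC name -> is_gc for every captured repadmin output."""
    parsed = (parse_showreps(text) for text in outputs.values())
    return {dc: is_gc for _site, dc, is_gc in parsed}


def check_infrastructure_master(gc_map, im_holder):
    """IM/GC rule: fine if the IM is not a GC, or if every DC in the domain is a GC;
    otherwise cross-domain references on the IM will stop being updated."""
    if im_holder not in gc_map:
        raise KeyError("unknown DC %s" % im_holder)
    if not gc_map[im_holder]:
        return "ok: infrastructure master is not a global catalog"
    if all(gc_map.values()):
        return "ok: all DCs are GCs, so IM placement does not matter"
    non_gc = sorted(dc for dc, gc in gc_map.items() if not gc)
    return ("warning: IM is on a GC while " + ", ".join(non_gc)
            + " are not; cross-domain references will not be updated")


if __name__ == "__main__":
    gcs = global_catalogs(SAMPLE_SHOWREPS)
    print("global catalogs:", sorted(dc for dc, gc in gcs.items() if gc))
    for holder in ("DC1", "DC2"):
        print(holder, "->", check_infrastructure_master(gcs, holder))
```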

72. Trying to look at the schema, how can I do that, and how do I check the AD schema version?

Ans: To view the AD schema, use the Microsoft Management Console (MMC) Active Directory Schema snap-in, which you'll find among Win2K's Support Tools. (You can install these tools from the Win2K CD-ROM's \support folder.) To use this snap-in, you need to manually register it by selecting Start, Run (or entering a command-prompt session) and typing regsvr32 schmmgmt.dll.

You can check the schema version in either of two ways:
1. Simply run Schupgr.exe on the computer you want to check. You may receive an error message, but the third line does report the version number.
2. Use Registry Editor (Regedt32.exe) to view the following key: HKey_Local_Machine\system\CurrentControlSet\services\NTDS\Parameters. The last parameter is the schema version number.

73. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

Ans: LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.

REPLMON: Replmon displays information about Active Directory replication.

ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL and ADSIEDIT.MSC.

NETDOM: NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

REPADMIN: This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

73. What is the KCC?

Ans: The KCC (Knowledge Consistency Checker) is used to generate the replication topology for intersite replication and for intrasite replication. Within a site, replication traffic is done via remote procedure calls over IP, while between sites it is done through either RPC or SMTP.

74. What can you do to promote a server to DC if you're in a remote location with a slow WAN link?

Ans: Take a System State backup from another DC and restore it locally to the server that is going to be the next domain controller. Run DCPromo /adv, which will prompt in the next screen to specify the path to the restored System State backup. This will prevent replication of the entire configuration over the slow network.

75. What are sites? What are they used for?

Ans: Sites in Active Directory are the physical network structure of Active Directory, based on a subnet or subnets. Each site in Active Directory represents a well-connected network. It is sometimes referred to as the physical structure of AD. Depending upon the locations and connection quality, sites are created which include a domain or domains. Creating these sites lets you control replication traffic over WAN links. In a way, sites help define AD's replication topology.

76. What is a Site Link?

Ans: A site link defines the connections between two or more sites. A site link is configured under one of two different protocols, IP and SMTP. The most commonly used default protocol is IP, under reliable connections. SMTP is often used under poor network connections.

78. What is Cost in a Site Link?

Ans: Cost is a metric between 1 and 32,767; it is just a number to compare the relative cost of the other links between the sites. That means the lower the cost, the more favorable the path is. The default cost for a site link is 100, and if there is only one site link there is no need to worry about the cost.
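The following is an added example, not part of the original Q&A: it shows how site link costs (Q78) decide the replication path between sites, using a lowest-total-cost search over site links where the default cost is 100 and a lower total wins. The sites, link names and costs are constructed sample data; it assumes every site on a link can reach every other site on that link at the link's cost and ignores schedules and bridging settings.

```python
# Added example: cheapest replication path across site links by total cost.
# Sites, link names and costs below are constructed sample data.
import heapq


class SiteLink:
    def __init__(self, name, sites, cost=100, transport="IP"):
        if not 1 <= cost <= 32767:
            raise ValueError("site link cost must be between 1 and 32,767")
        self.name, self.sites, self.cost, self.transport = name, frozenset(sites), cost, transport


def build_graph(links):
    """Every pair of sites on one link is connected at that link's cost."""
    graph = {}
    for link in links:
        for a in link.sites:
            for b in link.sites:
                if a != b:
                    graph.setdefault(a, []).append((b, link.cost, link.name))
    return graph


def cheapest_path(links, source, target):
    """Lowest-cost path over site links (Dijkstra).
    Returns (total_cost, [sites in order], [site link names used]) or None if unreachable."""
    graph = build_graph(links)
    dist, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == target:
            break
        if cost > dist.get(site, float("inf")):      # stale heap entry
            continue
        for nxt, link_cost, link_name in graph.get(site, []):
            new_cost = cost + link_cost
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = (site, link_name)
                heapq.heappush(heap, (new_cost, nxt))
    if target not in dist:
        return None
    path, via = [target], []
    while path[-1] != source:
        site, link_name = prev[path[-1]]
        path.append(site)
        via.append(link_name)
    return dist[target], path[::-1], via[::-1]


SAMPLE_LINKS = [
    SiteLink("HQ-Branch1", ["HQ", "Branch1"], cost=100),            # default cost
    SiteLink("HQ-Branch2", ["HQ", "Branch2"], cost=100),
    SiteLink("Branch1-Branch2", ["Branch1", "Branch2"], cost=500),  # slow direct WAN
    SiteLink("Branch2-DR", ["Branch2", "DR"], cost=50),
]


if __name__ == "__main__":
    # The direct Branch1-Branch2 link is more expensive than going via HQ.
    print(cheapest_path(SAMPLE_LINKS, "Branch1", "DR"))
```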

77. How can you forcibly remove AD from a server, and what do you do afterwards?

Ans: DCPromo /Forceremoval. Though this command will seize the Domain Controller role, we have to use NTDSUTIL to clean up the metadata.

80. What is the tombstone lifetime attribute?

Ans: This is the number of days before an object marked for deletion in Active Directory is permanently deleted. The default is 180 days in Windows 2003 with SP1 and 60 days in Windows 2000 and Windows 2003 without SP1. During the tombstone lifetime the object marked for deletion stays in the Deleted Objects folder, and every 15 minutes the garbage collector comes along to check whether the tombstone lifetime has expired for any objects. If it has, the object or objects will be permanently deleted. The tombstone lifetime can be changed by using the ADSIEdit tool: right-click on the CN=Directory Service folder and select Properties. Find tombstoneLifetime in the attribute list, click the Edit button and enter the number of days in the value field. Or you can use dsquery as:

dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime

81. What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

Ans: If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later). Here's a sample execution of the Adprep /forestprep command:

D:\CMPNENTS\R2\ADPREP>adprep /forestprep ADPREP WARNING:

After running Adprep, install R2 by performing these steps:

1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen, which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
82. What are the DS* commands?

Ans: The DS (Directory Service) group of commands is split into two families. In one branch are DSadd, DSmod, DSrm and DSMove, and in the other branch are DSQuery and DSGet.

DSadd - add Active Directory users and groups
DSmod - modify Active Directory objects
DSrm - delete Active Directory objects
DSmove - relocate objects
DSQuery - find objects that match your query attributes
DSget - list the properties of an object

83. What are the FSMO roles? Who has them by default? What happens when each one fails?

Ans: FSMO stands for Flexible Single Master Operation. It has five roles:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner. In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients. This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.

85. How do you back up AD?

Ans:
Active Directory is backed up as part of the system state, a collection of system components that depend on each other; system state components must be backed up and restored together. On a domain controller the system state comprises:

- System start-up files (boot files): the files required for Windows 2000 Server to start.
- System registry.
- Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
- SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
  - NETLOGON shared folders. These usually host user logon scripts and Group Policy Objects (GPOs) for non-Windows 2000-based network clients.
  - User logon scripts for Windows 2000 Professional-based clients and clients running Windows 95, Windows 98 or Windows NT 4.0.
  - Windows 2000 GPOs.
  - File system junctions.
  - File Replication Service (FRS) staging directories and files that must be available and synchronized between domain controllers.
- Active Directory, which includes:
  - Ntds.dit: the Active Directory database.
  - Edb.chk: the checkpoint file.
  - Edb*.log: the transaction logs, each 10 megabytes (MB) in size.
  - Res1.log and Res2.log: reserved transaction logs.

A system state backup is only usable for restoring Active Directory while it is younger than the forest's tombstone lifetime (60 or 180 days depending on when the forest was created); restoring an older backup reintroduces objects that other DCs have already purged.
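As an added example (not part of the original page), the commands below locate the files listed above on a DC and take the system state backup that contains them. It assumes a backup volume E: (hypothetical), a session with Backup Operator or Domain Admin rights, and PowerShell 2.0 or later for the registry and AD cmdlets; on Windows Server 2003 the ntbackup line can be run from cmd.exe as-is, and wbadmin is the Windows Server 2008 and later replacement.

```powershell
# Added example: where this DC keeps ntds.dit, the transaction logs and SYSVOL,
# read from the NTDS and Netlogon service parameters in the registry.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntds.'DSA Database file'          # e.g. C:\WINDOWS\NTDS\ntds.dit
$ntds.'Database log files path'    # edb*.log, edb.chk, res1.log and res2.log live here
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol

# Windows Server 2003: ntbackup's command line writes the whole system state to a .bkf file.
# /j is the job name shown in the backup log, /f the destination file (E:\ is hypothetical).
ntbackup backup systemstate /j "DC system state" /f "E:\Backups\systemstate.bkf"

# Windows Server 2008 and later: wbadmin (the Windows Server Backup feature must be installed).
wbadmin start systemstatebackup -backupTarget:E: -quiet
wbadmin get versions -backupTarget:E:

# The backup is only restorable while it is younger than the tombstone lifetime.
# The attribute is unset in forests created before Windows Server 2003 SP1 (meaning 60 days);
# forests created later have it set to 180. Requires the ActiveDirectory module.
Import-Module ActiveDirectory
$cfg = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$tsl = (Get-ADObject -Identity $cfg -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }
"Tombstone lifetime: $tsl days; discard system state backups older than that."
```

Keep the .bkf or wbadmin target on a volume that is not the DC's own system volume, and treat the file as sensitive: it contains ntds.dit, and therefore every password hash in the domain.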

86. Methods for restoring deleted items in Active Directory?
Ans: Restoring objects with ADRestore.net. Guy Teverovsky, a fellow MVP from Israel, has written a cool tool that allows you to easily restore deleted AD objects. The tool is provided as freeware and has no kind of support, but from what I've seen, it works great. Some of the tool's features include:
- Browsing the tombstones
- Domain controller targeting
- Can be used with alternative credentials (convenient if you do not log on to your desktop as Domain Admin, which you should never do anyway)
- User/computer/OU/container reanimation
- Preview of tombstone attributes


Restoring objects with Microsoft AdRestore (originally a Sysinternals tool). AdRestore enumerates all currently tombstoned objects in a domain and lets you restore them selectively, giving a command-line interface to the Active Directory tombstone reanimation function (the same LDAP operation that ldp.exe exposes). Run with no arguments it only lists the tombstones, which in a large domain can be a long list. A search string narrows the list down, and the -r switch performs the restore, prompting before each object:

adrestore -r daniel

lists every tombstone with "daniel" in its name and asks, one by one, whether to reanimate it. Without -r nothing is restored, and with -r nothing is restored without a prompt. Note what a tombstone retains: only a handful of attributes survive deletion (objectGUID, objectSid, sIDHistory, sAMAccountName, lastKnownParent and a few others); group memberships, the password and most other attributes are gone. A reanimated object is placed back under the container recorded in lastKnownParent, so if that OU was deleted too it has to be restored first, and the lost attributes and group memberships have to be re-entered manually.
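The same search-then-restore procedure as the adrestore example above, written as an added PowerShell example (not part of the original page and not Sysinternals code). It assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later) and that the Active Directory Recycle Bin has been enabled, in which case Restore-ADObject brings back the object with all its attributes; in a forest without the Recycle Bin, use AdRestore as described above. The search term "daniel" is carried over from the example above.

```powershell
# Added example: enumerate deleted objects whose name contains a string, preview what
# survived deletion, and restore them one at a time, as "adrestore -r daniel" does.
Import-Module ActiveDirectory
$pattern = 'daniel'   # search term, as in the adrestore example

# Deleted objects are hidden from normal searches; -IncludeDeletedObjects exposes them.
# The deleted object's name becomes "<name>\0ADEL:<guid>", so a wildcard on name still matches.
$deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(name=*$pattern*))" `
    -IncludeDeletedObjects -Properties lastKnownParent, sAMAccountName, objectSid, whenChanged

foreach ($obj in $deleted) {
    # Preview: the attributes that survive deletion and where the object used to live
    $obj | Select-Object Name, ObjectClass, sAMAccountName, lastKnownParent, whenChanged | Format-List

    # The object goes back under lastKnownParent; if that container was deleted as well,
    # it must be restored first (or pass -TargetPath to Restore-ADObject to pick another OU).
    $parent = Get-ADObject -Identity $obj.lastKnownParent -ErrorAction SilentlyContinue
    if (-not $parent) {
        Write-Warning "$($obj.Name): last known parent $($obj.lastKnownParent) is gone; restore it first."
        continue
    }
    if ((Read-Host "Restore $($obj.Name) to $($obj.lastKnownParent)? (y/n)") -eq 'y') {
        Restore-ADObject -Identity $obj.ObjectGUID
        "Restored $($obj.Name); re-check group memberships and reset the password if it was a user."
    }
}
```

Restoring by ObjectGUID rather than by name avoids picking the wrong one when several deleted objects share a name, which is common after a repeated delete and re-create of the same account.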


87. How to backup GPOs?
Ans: GPOs are backed up with the Group Policy Management Console (GPMC): right-click a GPO (or the Group Policy Objects container to back up all of them), choose Back Up, and give a folder and a comment. The full list of GPO management operations that GPMC provides includes:
- Backing up GPOs
- Restoring backed-up GPOs
- Importing settings from a backed-up GPO into another GPO
- Copying (duplicating) GPOs

All of these can also be done from the command line with the scripts that ship with GPMC (in the GPMC Scripts folder, for example BackupAllGPOs.wsf, RestoreGPO.wsf, ImportGPO.wsf and CopyGPO.wsf). Note that a GPMC backup captures the GPO itself (its settings, security filtering and the name of any WMI filter) but not the links from sites, domains and OUs, nor the WMI filters or IPsec policies themselves, so document those separately if you need to rebuild from scratch.


Start the console with gpmc.msc from the command prompt or the Run dialog, logged on with a domain account that has rights to manage the GPOs in question (Domain Admins, Group Policy Creator Owners, or delegated edit/backup permissions). On Windows Server 2003 GPMC is a separate download rather than part of the base installation.

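The four GPMC operations listed above, done from PowerShell, as an added example that is not part of the original page. To have something worth backing up it first creates a department desktop GPO of the kind the next question asks about and links it to the department's OU. It assumes the GroupPolicy module (RSAT / Windows Server 2008 R2 or later; on Windows Server 2003 the equivalents are the GPMC scripts named above), and the GPO name, OU, file server and backup path are hypothetical.

```powershell
# Added example: create a department GPO, then back up, restore, import and copy GPOs
# with the GroupPolicy module. All names and paths below are hypothetical.
Import-Module GroupPolicy
$backupDir = 'E:\GPOBackups'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# A new GPO linked to the department's OU, rather than an edit of the Default Domain Policy,
# so the settings reach only that department.
$gpo = New-GPO -Name 'Finance Desktop' -Comment 'Standard desktop for the Finance department'

# User Configuration > Administrative Templates > Desktop > Desktop Wallpaper
$gpo | Set-GPRegistryValue -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'Wallpaper' -Type String -Value '\\fileserver\share\finance.bmp' | Out-Null
$gpo | Set-GPRegistryValue -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'WallpaperStyle' -Type String -Value '2' | Out-Null
# User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Run menu
$gpo | Set-GPRegistryValue -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

New-GPLink -Name 'Finance Desktop' -Target 'OU=Finance,DC=example,DC=com' -LinkEnabled Yes | Out-Null

# 1. Back up every GPO in the domain: one folder per GPO (named by backup ID) plus manifest.xml.
Backup-GPO -All -Path $backupDir -Comment "Backup taken $(Get-Date -Format s)"

# 2. Restore one GPO from its most recent backup in that folder (links are not part of the backup).
Restore-GPO -Name 'Finance Desktop' -Path $backupDir

# 3. Import the backed-up settings into a different GPO, e.g. a test copy; the target's settings are replaced.
Import-GPO -BackupGpoName 'Finance Desktop' -Path $backupDir -TargetName 'Finance Desktop (test)' -CreateIfNeeded | Out-Null

# 4. Duplicate a GPO within the domain.
Copy-GPO -SourceName 'Finance Desktop' -TargetName 'Finance Desktop copy' | Out-Null

# What is in the backup folder, and which GPOs it covers
Get-ChildItem $backupDir -Directory | Select-Object Name, LastWriteTime
Select-String -Path "$backupDir\manifest.xml" -Pattern '<GPODisplayName>' | ForEach-Object { $_.Line.Trim() }
```

Backup-GPO writes the GPO's security descriptor into the backup as well, so the backup folder should be readable only by the administrators who are allowed to see who is filtered in or out of each policy.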

88. You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
Ans: With Group Policy, scoped to that department only. Put the department's users and computers in their own OU and link a new GPO to it rather than editing the Default Domain Policy, which would push the settings to the whole domain. In the Windows Server 2003 tools: go to Start->Programs->Administrative Tools->Active Directory Users and Computers, right-click the department's OU->Properties, open the Group Policy tab, click New, name the GPO and click Edit. In the Group Policy Object Editor go to User Configuration->Administrative Templates->Desktop (wallpaper, My Documents behaviour) and Start Menu and Taskbar, and to User Configuration->Windows Settings->Folder Redirection for My Documents; set each policy you want to enforce. Users pick up the settings at their next logon (or after gpupdate /force), and gpresult on a client shows which GPO applied each setting.

89. How can I override blocking of inheritance?

