Escolar Documentos
Profissional Documentos
Cultura Documentos
ASK
"ASK", the world of Knowledge, Experience, Views, thoughts and the spot to move a one ahead where some once get
stuck. So guys don't wait, share your knowledge, experience here or else ask anything related to Technical World if you
have any trouble to find or have any confusion, i.e., Internet, Download, Movies, games, Websites, Cracks, tutorial
...means anything and if you wanna know something .... Happy ASK ing!!! A Team of Fostwalk.com
GADGETs (35)
What is the difference between Authorized DHCP and Non Authorized DHCP?
How To... (1)
To avoid problems in the network causing by mis-configured DHCP servers, server in windows 2000
Interview Questions and Answers (2)
must be validate by AD before starting service to clients. If an authorized DHCP finds any DHCP
server in the network it stop serving the clients IT KBase (11)
ITIL (4)
Difference between inter-site and intra-site replication. Protocols using for replication. Latest Cover (11)
Intra-site replication can be done between the domain controllers in the same site. Inter-site Leadership (2)
replication can be done between two different sites over WAN links Software Download (2)
BHS (Bridge Head Servers) is responsible for initiating replication between the sites. Inter-site Solutions (2)
replication can be done B/w BHS in one site and BHS in another site.
Songs Download (7)
We can use RPC over IP or SMTP as a replication protocols where as Domain partition is not
possible to replicate using SMTP
LABELS BLOG ARCHIVE
How to monitor replication
GADGETs (35)
2011 (6)
We can user Replmon tool from support tools
How To... (1)
2009 (77)
Brief explanation of RAID Levels Interview
December
Questions and (14)
Microsoft Windows XP, Windows 2000 and Windows Server 2003 offer two types of disk storage:
Answers (2)
basic and dynamic. How to Write a
IT KBase (11) Letter
ITIL (4) Requesting
Basic Disk Storage Sponsorshi
Basic storage uses normal partition tables supported by MS-DOS, Microsoft Windows 95, Latest Cover (11) p
Microsoft Windows 98, Microsoft Windows Millennium Edition (Me), Microsoft Windows NT, Leadership (2)
Failure to
Microsoft Windows 2000, Windows Server 2003 and Windows XP. A disk initialized for basic Software install Sql
storage is called a basic disk. A basic disk contains basic volumes, such as primary partitions, Download (2) Server
Solutions (2) 2008
extended partitions, and logical drives. Additionally, basic volumes include multidisk volumes that
"access is
are created by using Windows NT 4.0 or earlier, such as volume sets, stripe sets, mirror sets, and Songs Download deni...
stripe sets with parity. Windows XP does not support these multidisk basic volumes. Any volume (7)
Right-Click,
sets, stripe sets, mirror sets, or stripe sets with parity must be backed up and deleted or Registry
converted to dynamic disks before you install Windows XP Professional. Access
Denied
(Final
Dynamic Disk Storage Solutio...
Dynamic storage is supported in Windows XP Professional, Windows 2000 and Windows Server
Veer
2003. A disk initialized for dynamic storage is called a dynamic disk. A dynamic disk contains
dynamic volumes, such as simple volumes, spanned volumes, striped volumes, mirrored volumes, Chance Pe
Dance
and RAID-5 volumes. With dynamic storage, you can perform disk and volume management
without the need to restart Windows. Pyaar
Impossible
Note: Dynamic disks are not supported on portable computers or on Windows XP Home Edition- Dulha Mil
based computers. Gaya
You cannot create mirrored volumes or RAID-5 volumes on Windows XP Home Edition, Windows Yahoo!
XP Professional, or Windows XP 64-Bit Edition-based computers. However, you can use a Messenger
10.0.0.542
Windows XP Professional-based computer to create a mirrored or RAID-5 volume on remote
Beta
computers that are running Windows 2000 Server, Windows 2000 Advanced Server, or Windows
3GP Player
2000 Datacenter Server, or the Standard, Enterprise and Data Center versions of Windows Server
2003. Kurbaan
3 Idiots -
Storage types are separate from the file system type. A basic or dynamic disk can contain any Download
combination of FAT16, FAT32, or NTFS partitions or volumes. Songs
Rocket Singh
A disk system can contain any combination of storage types. However, all volumes on the same (2009) -
Download
disk must use the same storage type.
Songs
Windows
To convert a Basic Disk to a Dynamic Disk:
Server
Support
RAID 0 Striping
Normal Backup
Incremental Backup
Differential Backup
Daily Backup
Copy Backup
Out of these Configuration, Schema partitions can be replicated between the domain controllers in
the in the entire forest. Where as Domain partition can be replicated between the domain
controllers in the same domain
What are the port numbers for Kerberos, LDAP and Global Catalog?
LDAP is a directory access protocol, which is used to exchange directory information from server
to clients or from server to servers
What are the problems that are generally come across DHCP?
Scope is full with IP addresses no IPs available for new machines
If scope options are not configured properly eg default gateway
Incorrect creation of scopes etc
DFS is a distributed file system used to provide common environment for users to access files and
folders even when they are shared in different servers physically.
There are two types of DFS domain DFS and Stand alone DFS. We cannot provide redundancy for
stand alone DFS in case of failure. Domain DFS is used in a domain environment which can be
accessed by /domain name/root1 (root 1 is DFS root name). Stand alone DFS can be used in
workgroup environment which can be accessed through /server name/root1 (root 1 is DFS root
name). Both the cases we need to create DFS root ( Which appears like a shared folder for end
users) and DFS links ( A logical link which is pointing to the server where the folder is physically
shared)
Client requirements
PXE DHCP-based boot ROM version 1.00 or later NIC, or a network adapter that is supported by
the RIS boot disk.
Should meet minimum operating system requirements
Software Requirements
Below network services must be active on RIS server or any server in the network
Domain Name System (DNS Service)
Dynamic Host Configuration Protocol (DHCP)
Active directory Directory service
High Level
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing
changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that
can potentially lead to problems once the data is replicated to the rest of the enterprise. One way
Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm
handle discrepancies in values by resolving to the DC to which changes were written last (that is,
"the last writer wins"), while discarding the changes in all other DCs. Although this resolution
method may be acceptable in some cases, there are times when conflicts are just too difficult to
resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from
occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting
Active Directory updates from occurring.
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to
certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process updates. This is
similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such
as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a
given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five
FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once
the Schema update is complete, it is replicated from the schema master to all other DCs in the
directory. To update the schema of a forest, you must have access to the schema master. There
can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the
forest. This DC is the only one that can add or remove a domain from the directory. It can also add
or remove cross references to domains in external directories. There can be only one domain
naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents the
reference by the GUID, the SID (for references to security principals), and the DN of the object
being referenced. The infrastructure FSMO role holder is the DC responsible for updating an
object's SID and distinguished name in a cross-domain object reference. At any one time, there
can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global
The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for
all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID
created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to
the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC
issues a request for additional RIDs to the domain's RID master. The domain RID master responds
to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the
pool of the requesting DC. At any one time, there can be only one domain controller acting as the
RID master in the domain.
PDC Emulator:
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of
the forest becomes authoritative for the enterprise, and should be configured to gather the time
from an external source. All PDC FSMO role holders follow the hierarchy of domains in the
selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC
emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are
forwarded to the PDC emulator before a bad password failure message is reported to the user.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the
PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based
PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers,
and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows
2000/2003. The PDC emulator still performs the other functions as described in a Windows
2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator master in
each domain in the forest.
How can I determine who are the current FSMO Roles holders in my domain/forest?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called
FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active
Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot
(or actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO
roles from the default holder DC to a different DC. The transferring method is described in the
Transferring FSMO Roles article, while seizing the roles from a non-operational DC to a different
In order to better understand your AD infrastructure and to know the added value that each DC
might possess, an AD administrator must have the exact knowledge of which one of the existing
DCs is holding a FSMO role, and what role it holds. With that knowledge in hand, the administrator
can make better arrangements in case of a scheduled shut-down of any given DC, and better
prepare him or herself in case of a non-scheduled cease of operation from one of the DCs.
How to find out which DC is holding which FSMO role? Well, one can accomplish this task by
many means. This article will list a few of the available methods.
The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following
table summarizes the FSMO default locations:
FSMO Role Number of DCs holding this role Original DC holding the FSMO role
Schema One per forest The first DC in the first domain in the forest (i.e. the Forest Root Domain)
Domain Naming One per forest
RID One per domain The first DC in a domain (any domain, including the Forest Root Domain, any
Tree Root Domain, or any Child Domain)
PDC Emulator One per domain
Infrastructure One per domain
The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table to
see which tool can be used for what FSMO role:
Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and Infrastructure
Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click close.
To find out who currently holds the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
3. When you're done click close.
The FSMO role holders can be easily found by use of the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click
OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and
then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server , where is the name of the server you want to use, and then press
ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
At the select operation target: prompt, type List roles for connected server, and then press ENTER
again.
onfiguration,DC=dpetri,DC=net
onfiguration,DC=dpetri,DC=net
iguration,DC=dpetri,DC=net
iguration,DC=dpetri,DC=net
tes,CN=Configuration,DC=dpetri,DC=net
Note: You can download THIS nice batch file that will do all this for you (1kb).
Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in the Windows 2000
Resource Kit (and can be downloaded here: Download Free Windows 2000 Resource Kit Tools).
This tool is basically a one-click Ntdsutil script that performs the same operation described above.
The FSMO role holders can be easily found by use of the Netdom command.
Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either download it
separately (from here Download Free Windows 2000 Resource Kit Tools) or by obtaining the
correct Support Tools pack for your operating system. The Support Tools pack can be found in the
\Support\Tools folder on your installation CD (or you can Download Windows 2000 SP4 Support
Tools, Download Windows XP SP1 Deploy Tools).
1. On any domain controller, click Start, click Run, type CMD in the Open box, and then click OK.
2. In the Command Prompt window, type netdom query /domain: fsmo (where is the name of
YOUR domain).
Note: You can download THIS nice batch file that will do all this for you (1kb).
The FSMO role holders can be easily found by use of the Netdom command.
Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support Tools. Replmon
can be used for a wide verity of tasks, mostly with those that are related with AD replication. But
Replmon can also provide valuable information about the AD, about any DC, and also about other
objects and settings, such as GPOs and FSMO roles. Install the package before attempting to
use the tool.
1. On any domain controller, click Start, click Run, type REPLMON in the Open box, and then
click OK.
2. Right-click Monitored servers and select Add Monitored Server.
3. In the Add Server to Monitor window, select the Search the Directory for the server to add. Make
sure your AD domain name is listed in the drop-down list.
4. In the site list select your site, expand it, and click to select the server you want to query. Click
Finish.
5. Right-click the server that is now listed in the left-pane, and select Properties.
6. Click on the FSMO Roles tab and read the results.
How can I forcibly transfer (seize) some or all of the FSMO Roles from one DC to another?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called
FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active
Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot
(or actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO
roles from the default holder DC to a different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder
are online and operational is called Transferring, and is described in the Transferring FSMO Roles
article.
However, when the original FSMO role holder went offline or became non operational for a long
period of time, the administrator might consider moving the FSMO role from the original, non-
operational holder, to a different DC. The process of moving the FSMO role from a non-operational
role holder to a different DC is called Seizing, and is described in this article.
If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again.
Since none of the FSMO roles are immediately critical (well, almost none, the loss of the PDC
Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so
it is not a problem to them to be unavailable for hours or even days.
If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable
computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in
most cases, should be performed only if the original FSMO role owner will not be brought back into
the environment. Only seize a FSMO role if absolutely necessary when the original role holder is
not connected to the network.
What will happen if you do not perform the seize in time? This table has the info:
Schema The schema cannot be extended. However, in the short term no one will notice a missing
Schema Master unless you plan a schema upgrade during that time.
Domain Naming Unless you are going to run DCPROMO, then you will not miss this FSMO role.
RID Chances are good that the existing DCs will have enough unused RIDs to last some time,
unless you're building hundreds of users or computer object per week.
PDC Emulator Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no
time synchronization in the domain, you will probably not be able to change or troubleshoot group
policies and password changes will become a problem.
Infrastructure Group memberships may be incomplete. If you only have one domain, then there will
be no impact.
Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain
controller must not be activated in the forest again. It is necessary to reinstall Windows if these
servers are to be used again.
Another consideration before performing the seize operation is the administrator's group
membership, as this table lists:
FSMO Role Administrator must be a member of
Schema Schema Admins
Domain Naming Enterprise Admins
RID Domain Admins
PDC Emulator
Infrastructure
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click
OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and
then press ENTER.
Options are:
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.
fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002
(UNAVAILABLE)
data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holde
fsmo maintenance:
Note: All five roles need to be in the forest. If the first domain controller is out of the forest then
seize all roles. Determine which roles are to be on which remaining domain controllers so that all
five roles are not on only one server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil
tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global
Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object
information because it does not contain any references to objects that it does not hold. This is
because a GC server holds a partial replica of every object in the forest.
In authoritative restore, Objects that are restored will be replicated to all domain controllers in the
domain. This can be used specifically when the entire OU is disturbed in all domain controllers or
specifically restore a single object, which is disturbed in all DCs
The changed data is replicated between domain controllers, not the database, so there is no
guarantee that the files are going to be the same size across all domain controllers.
Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a
directory online defragmentation every 12 hours by default as part of the garbage-collection
process. This defragmentation only moves data around the database file (NTDS.DIT) and doesnt
reduce the files size - the database file cannot be compacted while Active Directory is mounted.
Active Directory routinely performs online database defragmentation, but this is limited to the
disposal of tombstoned objects. The database file cannot be compacted while Active Directory is
mounted (or online).
An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller than the
NTDS.DIT file on its peers.
However, defragmenting the NTDS.DIT file isnt something you should really need to do. Normally,
the database self-tunes and automatically tombstoning the records then sweeping them away
when the tombstone lifetime has passed to make that space available for additional records.
Defragging the NTDS.DIT file probably wont help your AD queries go any faster in the long run.
One reason you might want to defrag your NTDS.DIT file is to save space, for example if you
deleted a large number of records at one time.
To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the following
steps:
Back up Active Directory (AD).
Reboot the server, select the OS option, and press F8 for advanced options.
Select the Directory Services Restore Mode option, and press Enter. Press
Enter again to start the OS.
W2K will start in safe mode, with no DS running.
Use the local SAMs administrator account and password to log on.
Youll see a dialog box that says youre in safe mode. Click OK.
From the Start menu, select Run and type cmd.exe
In the command window, youll see the following text. (Enter the commands in bold.)
C:\> ntdsutil
ntdsutil: files
file maintenance:info
....
file maintenance:compact to c:\temp
Youll see the defragmentation process. If the process was successful, enter quit to return to the
command prompt.
Then, replace the old NTDS.DIT file with the new, compressed version. (Enter the commands in
bold.)
refer question 7
What are the monitoring tools used for Server and Network Heath. How to define alert
mechanism
Spot Light , SNMP Need to enable .
How to deploy the patches and what are the softwares used for this process
Using SUS (Software update services) server we can deploy patches to all clients in the network.
We need to configure an option called Synchronize with Microsoft software update server option
and schedule time to synchronize in server. We need to approve new update based on the
requirement. Then approved update will be deployed to clients
We can configure clients by changing the registry manually or through Group policy by adding
WUAU administrative template in group policy
Clustering is a technology, which is used to provide High Availability for mission critical
applications. We can configure cluster by installing MCS (Microsoft cluster service) component
Server Cluster: This provides High availability by configuring active-active or active-passive cluster.
In 2 node active-passive cluster one node will be active and one node will be stand by. When active
server fails the application will FAILOVER to stand by server automatically. When the original
server backs we need to FAILBACK the application
Quorum: A shared storage need to provide for all servers which keeps information about clustered
application and session state and is useful in FAILOVER situation. This is very important if
Quorum disk fails entire cluster will fails
Heartbeat: Heartbeat is a private connectivity between the servers in the cluster, which is used to
identify the status of other servers in cluster.
SNMP can be configured by installing SNMP from Monitoring and Management tools from Add and
Remove programs.
For SNMP programs to communicate we need to configure common community name for those
machines where SNMP programs (eg DELL OPEN MANAGER) running. This can be configured
from services.msc--- SNMP service -- Security
In Windows 2000 it is not possible. In windows 2003 it is possible. On Domain controller by going
to MYCOMPUTER properties we can change.
SOA is a Start Of Authority record, which is a first record in DNS, which controls the startup
behavior of DNS. We can configure TTL, refresh, and retry intervals in this record.
Refer Question 1
You can access the restore portion by pressing F2 when prompted in the text-mode portion of
setup. ASR reads the disk configurations from the file that it creates. It restores all the disk
signatures, volumes, and partitions on (at a minimum) the disks that you need to start the
computer. ASR will try to restore all the disk configurations, but under some circumstances it
might not be able to. ASR then installs a simple installation of Windows and automatically starts a
restoration using the backup created by the ASR Wizard.
What are the different levels that we can apply Group Policy
We can apply group policy at SITE level---Domain Level---OU level
What is Domain Policy, Domain controller policy, Local policy and Group policy
Domain Policy will apply to all computers in the domain, because by default it will be associated
with domain GPO, Where as Domain controller policy will be applied only on domain controller. By
default domain controller security policy will be associated with domain controller GPO. Local
policy will be applied to that particular machine only and effects to that computer only.
The %USERNAME% variable may be used as part of the redirection path, thus allowing the
system to dynamically create a newly redirected folder for each user to whom the policy object
applies.
What are the domain and forest function levels in a Windows Server 2003-basedActive
Directory?
Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000
to activate new Active Directory features after all the domain controllers in the domain or forest are
running the Windows Server 2003 operating system.
When a computer that is running Windows Server 2003 is installed and promoted to a domain
controller, new Active Directory features are activated by the Windows Server 2003 operating
system over its Windows 2000 counterparts. Additional Active Directory features are available
when all domain controllers in a domain or forest are running Windows Server 2003 and the
administrator activates the corresponding functional level in the domain or forest.
To activate the new domain features, all domain controllers in the domain must be running
Windows Server 2003. After this requirement is met, the administrator can raise the domain
functional level to Windows Server 2003 (read Raise Domain Function Level in Windows Server
2003 Domains for more info).
To activate new forest-wide features, all domain controllers in the forest must be running Windows
Server 2003, and the current forest functional level must be at Windows 2000 native or Windows
Server 2003 domain level. After this requirement is met, the administrator can raise the domain
functional level (read Raise Forest Function Level in Windows Server 2003 Active Directory for
more info).
Note: Network clients can authenticate or access resources in the domain or forest without being
affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the
way that domain controllers interact with each other.
Important
Raising the domain and forest functional levels to Windows Server 2003 is a nonreversible task and
prohibits the addition of Windows NT 4.0based or Windows 2000based domain controllers to the
environment. Any existing Windows NT 4.0 or Windows 2000based domain controllers in the
environment will no longer function. Before raising functional levels to take advantage of advanced
Windows Server 2003 features, ensure that you will never need to install domain controllers running
Windows NT 4.0 or Windows 2000 in your environment.
When the first Windows Server 2003based domain controller is deployed in a domain or forest, a
set of default Active Directory features becomes available. The following table summarizes the
Active Directory features that are available by default on any domain controller running Windows
Server 2003:
Feature Functionality
Multiple selection of user objects Allows you to modify common attributes of multiple user objects
at one time.
Drag and drop functionality Allows you to move Active Directory objects from container to container
by dragging one or more objects to a location in the domain hierarchy. You can also add objects to
group membership lists by dragging one or more objects (including other group objects) to the
target group.
Efficient search capabilities Search functionality is object-oriented and provides an efficient search
that minimizes network traffic associated with browsing objects.
Saved queries Allows you to save commonly used search parameters for reuse in Active Directory
Users and Computers
Active Directory command-line tools Allows you to run new directory service commands for
administration scenarios.
InetOrgPerson class The inetOrgPerson class has been added to the base schema as a security
principal and can be used in the same manner as the user class.
Application directory partitions Allows you to configure the replication scope for application-specific
data among domain controllers. For example, you can control the replication scope of Domain
Name System (DNS) zone data stored in Active Directory so that only specific domain controllers
in the forest participate in DNS zone replication.
Ability to add additional domain controllers by using backup media Reduces the time it takes to
When the first Windows Server 2003based domain controller is deployed in a domain or forest,
the domain or forest operates by default at the lowest functional level that is possible in that
environment. This allows you to take advantage of the default Active Directory features while
running versions of Windows earlier than Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced features becomes
available. For example, the Windows Server 2003 interim forest functional level supports more
features than the Windows 2000 forest functional level, but fewer features than the Windows Server
2003 forest functional level supports. Windows Server 2003 is the highest functional level that is
available for a domain or forest. The Windows Server 2003 functional level supports the most
advanced Active Directory features; however, only Windows Server 2003 domain controllers can
operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain
controllers that are running versions of Windows earlier than Windows Server 2003 into that
domain. This applies to the forest functional level as well.
Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server
2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000
domains maintain their current domain functional level when Windows 2000 domain controllers are
upgraded to the Windows Server 2003 operating system. You can raise the domain functional level
to either Windows 2000 native or Windows Server 2003.
After the domain functional level is raised, domain controllers that are running earlier operating
systems cannot be introduced into the domain. For example, if you raise the domain functional
level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be
added to that domain.
The following describes the domain functional level and the domain-wide features that are activated
for that level. Note that with each successive level increase, the feature set of the previous level is
included.
Forest functionality activates features across all the domains in your forest. Three forest functional
levels, the corresponding features, and their supported domain controllers are listed below.
Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
New features: Partial list includes universal group caching, application partitions, install from
media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access
Control Lists (SACL) in the Jet Database Engine, Improved topology generation event logging. No
global catalog full sync when attributes are added to the PAS Windows Server 2003 domain
controller assumes the Intersite Topology Generator (ISTG) role.
Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the "Upgrade from a
Windows NT 4.0 Domain" section of this article.
Activated features: Windows 2000 features plus Efficient Group Member Replication using Linked
Value Replication, Improved Replication Topology Generation. ISTG Aliveness no longer replicated.
Attributes added to the global catalog. ms-DS-Trust-Forest-Trust-Info. Trust-Direction, Trust-
Attributes, Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message
Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-
Rate-Unit
After the forest functional level is raised, domain controllers that are running earlier operating
systems cannot be introduced into the forest. For example, if you raise forest functional levels to
Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000
Server cannot be added to the forest.
Different Active Directory features are available at different functional levels. Raising domain and
forest functional levels is required to enable certain new features as domain controllers are
upgraded from Windows NT 4.0 and Windows 2000 to Windows Server 2003
Domain Functional Levels: Windows 2000 Mixed mode, Windows 2000 Native mode, Windows
server 2003 and Windows server 2003 interim ( Only available when upgrades directly from
Windows NT 4.0 to Windows 2003)
Microsoft doesnt recommend Internet Protocol security (IPSec) network address translation (NAT)
traversal (NAT-T) for Windows deployments that include VPN servers and that are located behind
network address translators. When a server is behind a network address translator, and the server
uses IPSec NAT-T, unintended side effects may occur because of the way that network address
translators translate network traffic
If you put a server behind a network address translator, you may experience connection problems
because clients that connect to the server over the Internet require a public IP address. To reach
servers that are located behind network address translators from the Internet, static mappings
must be configured on the network address translator. For example, to reach a Windows Server
2003-based computer that is behind a network address translator from the Internet, configure the
network address translator with the following static network address translator mappings:
Public IP address/UDP port 500 to the server's private IP address/UDP port 500.
Public IP address/UDP port 4500 to the server's private IP address/UDP port 4500.
These mappings are required so that all Internet Key Exchange (IKE) and IPSec NAT-T traffic that
is sent to the public address of the network address translator is automatically translated and
forwarded to the Windows Server 2003-based computer
An application directory partition is a directory partition that is replicated only to specific domain
controllers. A domain controller that participates in the replication of a particular application
directory partition hosts a replica of that partition. Only domain controllers running Windows Server
2003 can host a replica of an application directory partition.
Applications and services can use application directory partitions to store application-specific data.
Application directory partitions can contain any type of object, except security principals. TAPI is
an example of a service that stores its application-specific data in an application directory partition.
Application directory partitions are usually created by the applications that will use them to store
and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins
group can manually create or manage application directory partitions using the Ntdsutil command-
line tool.
Implicit Transitive trust will not be possible in windows 2003. Between forests we can create
explicit trust
Two-way trust
One-way: incoming
One-way: Outgoing
Information is stored locally once this option is enabled and a user attempts to log on for the first
time. The domain controller obtains the universal group membership for that user from a global
catalog. Once the universal group membership information is obtained, it is cached on the domain
controller for that site indefinitely and is periodically refreshed. The next time that user attempts to
log on, the authenticating domain controller running Windows Server 2003 will obtain the universal
group membership information from its local cache without the need to contact a global catalog.
By default, the universal group membership information contained in the cache of each domain
controller will be refreshed every 8 hours.
GPMC is tool which will be used for managing group policies and will display information like how
many policies applied, on which OUs the policies applied, What are the settings enabled in each
policy, Who are the users effecting by these polices, who is managing these policies. GPMC will
display all the above information.
RSoP provides details about all policy settings that are configured by an Administrator, including
Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings,
Scripts, and Group Policy Software Installation.
When policies are applied on multiple levels (for example, site, domain, domain controller, and
organizational unit), the results can conflict. RSoP can help you determine a set of applied policies
and their precedence (the order in which policies are applied).
Through Group policy you can Assign and Publish the applications by creating .msi package for
that application
With Assign option you can apply policy for both user and computer. If it is applied to computer
then the policy will apply to user who logs on to that computer. If it is applied on user it will apply
where ever he logs on to the domain. It will be appear in Start menuPrograms. Once user click
the shortcut or open any document having that extension then the application install into the local
machine. If any application program files missing it will automatically repair.
With Publish option you can apply only on users. It will not install automatically when any
application program files are corrupted or deleted.
If you are unable to start your computer, you can run the Recovery Console from your Windows
2000 Setup disks or from the Windows 2000 Professional CD (if you can start your computer from
your CD-ROM drive).
As an alternative, you can install the Recovery Console on your computer to make it available in
case you are unable to restart Windows 2000. You can then select the Recovery Console option
from the list of available operating systems
Fault-tolerant process architecture----- The IIS 6.0 fault-tolerant process architecture isolates Web
sites and applications into self-contained units called application pools
Health Monitoring---- IIS 6.0 periodically checks the status of an application pool with automatic
restart on failure of the Web sites and applications within that application pool, increasing
application availability. IIS 6.0 protects the server, and other applications, by automatically
disabling Web sites and applications that fail too often within a short amount of time
Automatic Process Recycling--- IIS 6.0 automatically stops and restarts faulty Web sites and
applications based on a flexible set of criteria, including CPU utilization and memory consumption,
while queuing requests
Rapid-fail Protection---- If an application fails too often within a short amount of time, IIS 6.0 will
automatically disable it and return a "503 Service Unavailable" error message to any new or
queued requests to the application
NT SAM database is a flat database. Where as in windows 2000 active directory database is a
hierarchical database.
In windows NT only PDC is having writable copy of SAM database but the BDC is only read only
database. In case of Windows 2000 both DC and ADC is having write copy of the database
Windows NT will not support FAT32 file system. Windows 2000 supports FAT32
Default authentication protocol in NT is NTLM (NT LAN manager). In windows 2000 default
authentication protocol is Kerberos V5.
Windows 2000 depends and Integrated with DNS. NT user Netbios names
Active Directory can be backed up easily with System state data
Primary DNS
Secondary DNS
What is the process of DHCP for getting the IP address to the client?
There is a four way negotiation process b/w client and serverDHCP Discover (Initiated by client)
What are the port numbers for FTP, Telnet, HTTP, DNS?
FTP-21, Telnet 23, HTTP-80, DNS-53, Kerberos-88, LDAP-389
Local Profiles
Roaming profiles
Mandatory Profiles