
Active Directory Interview Questions and Answers

(1)

1. Explain three main features of Active Directory?

ANS: Active Directory enables single sign-on to resources on the network such as
desktops, shared files and printers. It provides centralized security for the entire
network and its resources, and it is scalable and flexible to administer.

2. What do you mean by Active Directory functional levels? How does it help an
organization’s network functionality?

ANS: Functional levels allow different Active Directory versions, such as
Windows NT, Windows 2000 Server, Windows Server 2003 and Windows Server
2008, to coexist. The functional level of a domain or forest controls which advanced
features are available in that domain or forest. The lowest functional levels allow
coexistence with legacy domain controllers, but they disable some of the newer
Active Directory features. If you are setting up a new Active Directory environment
with the latest version of Windows Server and AD, you can set the highest functional
level, so that all the new AD functionality is enabled.

3. What are the Domain and Forest functional levels of Windows Server 2003 AD?

ANS: Windows Server 2003 Domain Functional Levels: Windows 2000 mixed
(Default), Windows 2000 native, Windows Server 2003 interim, and Windows
Server 2003.
Forest Functional Levels: Windows 2000 (default), Windows Server 2003 interim,
Windows Server.

4. What are the Domain and Forest functional levels of Windows Server 2008 AD?

ANS: Windows Server 2008 Domain Functional Levels: Windows 2000 Native,
Windows Server 2003, Windows Server 2008, Windows Server 2008 R2.
Forest Functional Levels: Windows 2000, Windows Server 2008, Windows Server
2008 R2.

5. How to add additional Domain Controller in a remote site with slower WAN link?

ANS: You can take a backup copy of an existing Domain Controller and restore it
on a Windows Server machine at the remote location with the slower WAN link.

6. How do we install Active Directory in Windows 7 Computer?

ANS: Active Directory is designed for Server Operating System, and it cannot be
installed on Windows 7.

7. What are the prerequisites to install Active Directory in a Server?

ANS: Windows Server Operating System. Free hard disk space on an NTFS partition.
Administrator privileges on the computer. Network connection with IP address,
Subnet Mask, Gateway and DNS address. A DNS server, which can be installed along
with the first Domain Controller. Windows Server installation CD or i386 folder.

8. What is FSMO role? (Or what are Single Master Operations / Flexible Single
Master Operations / Operations Master Role / SMO / OMR?)

ANS: Flexible Single-Master Operation (FSMO) roles manage the aspects of the
domain or forest that are not suited to multi-master replication. To prevent
conflicts, each role is handled by a single domain controller in the domain or
forest. There are 5 FSMO roles: the Schema Master and Domain Naming Master
roles are handled by a single domain controller in the forest, and the PDC, RID
Master and Infrastructure Master roles are handled by a single domain controller
in each domain.

9. Explain Infrastructure Master Role. What will be the impact if DC with
Infrastructure Master Role goes down?

ANS: Infrastructure Master is a domain-specific role and its purpose is to
ensure that cross-domain object references are correctly handled. For example, if
you add a user from one domain to a security group from a different domain, the
Infrastructure Master makes sure this is done properly. The Infrastructure Master
does not have any functions to perform in a single-domain environment. If the
Domain Controller with the Infrastructure Master role goes down in a single-domain
environment, there will be no impact at all. Whereas, in a complex environment
with multiple domains, it may impact creation and modification of groups and
group authentication.

10. What are the two forest specific FSMO roles?

ANS: Schema Master role and Domain Naming Master role.

11. Which FSMO role directly impacts the consistency of Group Policy?

ANS: PDC Emulator

12. I want to promote a new additional Domain Controller in an existing domain.
Which are the groups I should be a member of?

ANS: You should be a member of the Enterprise Admins group or the Domain Admins
group. Also you should be a member of the local Administrators group of the member
server which you are going to promote as an additional Domain Controller.

13. Tell me one easiest way to check all the 5 FSMO roles.

ANS: Use the command netdom query /domain:YourDomain FSMO (or simply netdom
query fsmo). It lists the domain controller handling each FSMO role.

14. Can I configure two RID masters in a domain?

ANS: No, there should be only one Domain Controller handling RID master role
in a Domain.

15. Can I configure two Infrastructure Master Role in a forest? If yes, please explain.

ANS: There should be only one Domain Controller handling Infrastructure master
role in a domain. Hence if you have two domains in a forest, you can configure two
Infrastructure masters, one in each domain.

16. What will be the impact on the network if Domain Controller with PDC Emulator
crashes?

ANS: If the PDC Emulator crashes, there will be an immediate impact on the
environment. User authentication will fail as password changes won't take effect,
and there will be frequent account lockout issues. Network time synchronization
will be impacted. It will also impact DFS consistency and Group Policy replication.

17. What are the physical components of Active Directory?

ANS: Domain controllers and Sites. Domain controllers are physical computers
which run the Windows Server operating system and the Active Directory database.
Sites are network segments based on geographical location, and each site contains
one or more domain controllers.

18. What are the logical components of Active Directory?

ANS: Domains, Organizational Units, trees and forests are logical components of
Active Directory.

19. What are the Active Directory Partitions? (Or what are Active Directory Naming
Contexts? Or what is AD NC?)

ANS: Active Directory database is divided into different partitions such as Schema
partition, Domain partition, and Configuration partition. Apart from these
partitions, we can create Application partition based on the requirement.

20. What is group nesting?

ANS: Adding one group as a member of another group is called 'group nesting'.
This helps with easy administration and reduced replication traffic.

21. Explain Group Types and Group Scopes?

ANS: Group types are categorized based on their nature. There are two group types:
Security Groups and Distribution Groups. Security groups are used to apply
permissions to resources, whereas distribution groups are used to create Exchange
Server email communication groups. Group scopes are categorized based on
usage. There are three group scopes: Domain Local Group, Global Group and
Universal Group.

22. What is the feature of Domain Local Group?

ANS: Domain local groups are mainly used for granting access to network
resources. A Domain local group can contain accounts from any domain, global
groups from any domain and universal groups from any domain. For example, if
you want to grant permission on a printer located in Domain A to 10 users from
Domain B, create a Global group in Domain B and add all 10 users to that
Global group. Then, create a Domain local group in Domain A and add the Global
group of Domain B to the Domain local group of Domain A. Finally, add the Domain
local group of Domain A to the printer's (Domain A) security ACL.
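The Global-group-into-Domain-Local pattern described above, scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the original page: the domain names, OU paths, group names and user names are constructed placeholders, both domains are assumed to be in the same forest, and the last step (adding the Domain local group to the printer's ACL) is done on the print server and is not shown.

```powershell
Import-Module ActiveDirectory

# Constructed placeholders: domain A owns the printer, domain B owns the users.
$domainA = 'doma.example.local'
$domainB = 'domb.example.local'
$usersB  = 1..10 | ForEach-Object { "user$_" }   # sAMAccountNames in domain B (constructed)

# Step 1: a Global group in domain B collects the accounts.
$gg = New-ADGroup -Name 'GG-PrinterA-Users' -GroupScope Global -GroupCategory Security `
          -Path 'OU=Groups,DC=domb,DC=example,DC=local' -Server $domainB -PassThru
Add-ADGroupMember -Identity $gg -Members $usersB -Server $domainB

# Step 2: a Domain Local group in domain A is the object the printer ACL will reference.
$dl = New-ADGroup -Name 'DL-PrinterA-Print' -GroupScope DomainLocal -GroupCategory Security `
          -Path 'OU=Groups,DC=doma,DC=example,DC=local' -Server $domainA -PassThru

# Step 3: nest the Global group from domain B inside the Domain Local group in domain A.
# Writing the member attribute with the foreign group's DN avoids the name lookup
# that a bare group name would trigger in domain A.
Set-ADGroup -Identity $dl -Add @{ member = $gg.DistinguishedName } -Server $domainA

# Step 4: verify the nesting. The member attribute of the Domain Local group should
# now hold the DN of GG-PrinterA-Users from domain B.
Get-ADGroup -Identity $dl -Server $domainA -Properties member |
    Select-Object -ExpandProperty member
```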

23. How will you take Active Directory backup?

ANS: Active Directory is backed up along with the System State data. System State data
includes the local registry, COM+, boot files, NTDS.DIT and the SYSVOL folder. System
State can be backed up either using Microsoft's default NTBACKUP tool or third-
party tools such as Symantec NetBackup, IBM Tivoli Storage Manager etc.

24. What are the Active Directory Restore types?

ANS: There are two types of Active Directory restores, Authoritative restore and
Non-Authoritative restore.

25. How is Authoritative Restore different from non-Authoritative Restore?

ANS: A Non-Authoritative restore is a normal restore of a single Domain Controller,
performed when that particular domain controller's OS or hardware has crashed. After
the non-authoritative restore is completed, the domain controller compares its database
with its peer domain controllers in the network and accepts all the directory changes
that have been made since the backup. This is done through multi-master replication.
Whereas, in an Authoritative restore, the restored database of a Domain Controller
is forcibly replicated to all the other domain controllers. An Authoritative restore is
performed to recover an Active Directory resource or object (e.g. an Organizational
Unit) which was accidentally deleted and needs to be restored.

26. Explain me, how to restore Active Directory using command line?

ANS: We can use the NTDSUTIL command line tool to perform an Authoritative restore of
Active Directory. First, start the domain controller in 'Directory Services Restore
Mode'. Then, restore the System State data of the Domain Controller using the NTBACKUP
tool; this is a non-authoritative restore. Once the non-authoritative restore is completed,
we have to perform the authoritative restore immediately, before restarting the
Domain Controller.
Open a command prompt, type NTDSUTIL and press Enter, then type authoritative
restore and press Enter, then type restore database and press Enter, click OK and
then click Yes. This will restore all the data in authoritative restore mode. If you
want to restore only a specific object or sub-tree, type the command below
instead of 'restore database':
restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx

27. Tell me few switches of NTDSUTIL command.

ANS: Authoritative restore, Configurable settings, Partition management, Set
DSRM Password etc.

28. What is a tombstone? What is the tombstone lifetime period?

ANS: A tombstone is a container object for items deleted from the Active Directory
database. Even when objects are deleted, they are kept hidden in the Active Directory
database for a specific period. This period is known as the tombstone lifetime.
The tombstone lifetime is 180 days on Windows Server 2003 SP1 and later versions of
Windows Server.

29. What do you understand by Garbage Collection? Explain.

ANS: Garbage collection is an Active Directory process. It starts by
removing the remains of previously deleted objects from the database. These
objects are known as tombstones. Then, the garbage collection process deletes
unnecessary log files. Finally, the process starts a defragmentation thread to reclaim
additional free space. The garbage collection process runs on all the domain
controllers at an interval of 12 hours.

30. What is Lost and Found Container?

ANS: In the multi-master replication method, replication conflicts can happen. Objects
with replication conflicts are stored in a container called the 'Lost and Found'
container. This container is also used to store orphaned user accounts and other
objects.

31. Where can I locate Lost and Found Container?

ANS: The Lost and Found container can be viewed by enabling Advanced Features from
the View menu of the Active Directory Users and Computers MMC.

32. Is Lost and Found Container included in Windows Server 2008 AD?

ANS: Yes, it is included.

33. Have you ever installed Active Directory in a production environment?

ANS: We had set up an additional domain for a new subsidiary of the firm, and I
was a member of the team who handled installation and configuration of domain
controllers for the sub domain. [or] I was supporting an existing Active Directory
network environment of the company, but I have installed and configured Active
Directory in a test environment on several occasions.

34. Do we use clustering in Active Directory? Why?

ANS: No one installs Active Directory in a cluster. There is no need to cluster a
domain controller, because Active Directory provides total redundancy with two
or more domain controllers.

35. What is Active Directory Recycle Bin?

ANS: Active Directory Recycle bin is a feature of Windows Server 2008 AD. It
helps to restore accidentally deleted Active Directory objects without using a
backed up AD database, rebooting domain controller or restarting any services.

36. What is RODC? Why do we configure RODC?

ANS: Read-only domain controller (RODC) is a feature of the Windows Server 2008
Operating System. An RODC holds a read-only copy of the Active Directory database and
can be deployed in a remote branch office where physical security cannot be
guaranteed. RODC provides improved security and faster logon time for the
branch office.

37. How do you check currently forest and domain functional levels? Say both GUI and
Command line.

ANS: To find out the forest and domain functional levels in GUI mode, open ADUC,
right-click on the domain name and open Properties. Both domain and forest
functional levels will be listed there. To find out the forest and domain functional
levels from the command line, you can use the DSQUERY command.

38. Explain Knowledge Consistency Checker (KCC)

ANS: KCC can be expanded as Knowledge Consistency Checker. It is a
process running on all domain controllers, and it generates and maintains the
replication topology for replication within sites and between sites.

39. What are the tools used to check and troubleshoot replication of Active Directory?

ANS: We can use command line tools such as repadmin and dcdiag. GUI tool
REPLMON can also be used for replication monitoring and troubleshooting.

40. What is SYSVOL folder used for?

ANS: SYSVOL is a folder that exists on each domain controller and contains Active
Directory related files and folders. SYSVOL mainly stores important elements of
Group Policy Objects and scripts, and it is replicated among domain
controllers using the File Replication Service (FRS).

41. What is the use of Kerberos in Active Directory? Which port is used for Kerberos
communication?

ANS: Kerberos is a network authentication protocol. Active Directory uses
Kerberos for user and resource authentication and trust relationship functionality.
Kerberos uses port number 88.

42. Which version of Kerberos is used for Windows 2000/2003 and 2008 Active
Directory?

ANS: All versions of Windows Server Active Directory use Kerberos 5.

43. Please name few port numbers related to Active Directory.

ANS: Kerberos 88, LDAP 389, DNS 53, SMB 445.

44. What is an FQDN?

ANS: FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of
domain name system labels which points to a device in the domain at its leftmost end.
For example in system.

45. Tell me few DS commands and its usage.

ANS: Dsadd - to add an object to the directory. Dsget - displays requested
properties of an object in AD. Dsmove - used to move an object from one location
to another in the directory. Dsquery - to query specific objects.

46. Explain Active Directory tree and forest.

ANS: A tree in Active Directory is a collection of one or more domains which are
interconnected and share global resources with each other. If a tree has more than
one domain, it will have a contiguous namespace. When we add a new domain to an
existing tree, it is called a child domain.
A forest is a collection of one or more trees which trust each other and share a
common schema. It also shares a common configuration and global catalog. When a
forest contains more than one tree, the trees will not form a contiguous namespace.

47. What are Intersite and Intrasite replication?

ANS: Replication between domain controllers inside a single site is called Intrasite
replication, whereas replication between domain controllers located in different
sites is called Intersite replication. Intrasite replication is very frequent,
whereas Intersite replication runs at a specific interval and in a controlled
fashion in order to preserve network bandwidth.

48. What is shortcut trust?

ANS: A shortcut trust is a manually created transitive trust which is configured to
enable a fast and optimized authentication process. For example, if we create a
shortcut trust between two domains of different trees, they can quickly authenticate
each other without traversing the entire chain of parent domains. A shortcut trust can
be either one-way or two-way.

49. What is selective Authentication?

ANS: Selective authentication is generally used in forest trust and external trusts.
Selective authentication is a security setting which allows administrators to grant
access to shared resources in their organization’s forest to a limited set of users in
another organization’s forest. Selective authentication method can decide which
groups of users in a trusted forest can access shared resources in the trusting forest.

50. Give me brief explanation of different types of Active Directory trusts.

ANS: Trusts can be categorized by their nature: two-way trust or one-way trust,
implicit or explicit trust, transitive or non-transitive trust. Trusts can also be
categorized by type, such as parent and child trust, tree root trust, external trust,
realm trust, forest trust and shortcut trust.

51. Have you heard of ADAC?

ANS: ADAC - Active Directory Administrative Center is a new GUI tool that came with
Windows Server 2008 R2, which provides an enhanced data management experience
to the admin. ADAC helps administrators perform common Active Directory
object management tasks across multiple domains from the same ADAC instance.

52. What is the use of ADSIEDIT? How do we install it in Windows Server 2003 AD?

ANS: ADSIEDIT- Active Directory Service Interfaces Editor is a GUI tool which is
used to perform advanced AD object and attribute management. This Active
Directory tool helps us to view objects and attributes that are not visible through
normal Active Directory Management Consoles. ADSIEDIT can be downloaded
and installed along with Windows Server 2003 Support Tools.

53. I am unable to create a Universal Security group in my Active Directory? What will
be the possible reason?

ANS: This is due to the domain functional level. If the domain functional level of Windows
Server 2003 AD is Windows 2000 Mixed, the Universal Group option will be greyed
out. You need to raise the domain functional level to Windows 2000 native or above.

54. What is ADMT? What is it used for?

ANS: ADMT - Active Directory Migration Tool, is a tool which is used for migrating
Active Directory objects from one domain to another. ADMT is an effective tool
that simplifies the process of migrating users, computers, and groups to new
domains.

55. What do you mean by Lingering Objects in AD? How to remove Lingering Objects?

ANS: When a domain controller is disconnected for a period that is longer than the
tombstone life time, one or more objects that are deleted from Active Directory on
all other domain controllers may remain on the disconnected domain controller.
Such objects are called lingering objects. Lingering objects can be removed from
Windows Server 2003 or 2008 using REPADMIN utility.

56. Explain Global Catalog. What kind of AD infrastructure makes most use of Global
Catalog?

ANS: The Global catalog is a container which holds a searchable partial replica
of all objects from all domains of the forest, and a full replica of all objects from the
domain where it is situated. The global catalog is stored on domain controllers that
have been designated as global catalog servers and is distributed through
multi-master replication. Global catalogs are mostly used in multidomain, multisite
and complex forest environments, whereas the Global catalog does not function in a
single-domain forest.

57. Global Catalog and Infrastructure master roles cannot be configure in same
Domain Controller. Why?

ANS: In a forest that contains only a single Active Directory domain, there is no
harm in placing both the GC and the Infrastructure Master on the same DC, because the
Infrastructure Master does not have any work to do in a single-domain
environment. But in a forest with a complex, multi-domain structure, the
Infrastructure Master should be located on a DC which is not a Global Catalog
server. Because the global catalog server holds a partial replica of every object in
the forest, the Infrastructure Master, if placed on a global catalog server, will never
update anything, because it does not contain any references to objects that it does
not hold. (Here the Infrastructure OMR will not work.)

58. How do you check all the GCs in the forest?

ANS: Command line method: nslookup gc._msdcs.<forest root DNS Domain
Name>, or nltest /dsgetdc:corp /GC. GUI method: open DNS management, and
under 'Forward Lookup Zones', click on the gc container. To check whether a server is a
GC or not, go to the Active Directory Sites and Services MMC and, under the 'Servers'
folder, open the properties of the NTDS Settings of the desired DC and check whether the
Global Catalog option is ticked.
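A read-only check that brings together questions 13, 37, 57 and 58 above: it lists the FSMO role holders, the functional levels and the Global Catalog servers, and flags an Infrastructure Master that sits on a GC in a multi-domain forest. This is an added example using the ActiveDirectory PowerShell module, not code from the original page; it assumes it is run as a domain user on a domain-joined host with RSAT installed. The exception it tolerates (every DC in the domain being a GC, so there are no phantom references left to update) is a known rule that is not stated on the page.

```powershell
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    $forest = Get-ADForest
    $gcs    = @($forest.GlobalCatalogs)   # FQDNs of every GC server in the forest (Q58)

    # Forest-wide roles (Q10) and forest functional level (Q37)
    "Forest $($forest.Name)  mode=$($forest.ForestMode)"
    "  Schema Master        : $($forest.SchemaMaster)"
    "  Domain Naming Master : $($forest.DomainNamingMaster)"
    "  Global Catalogs      : $($gcs -join ', ')"

    foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Identity $name

        # Domain-wide roles (Q13) and domain functional level (Q37)
        "Domain $($domain.DNSRoot)  mode=$($domain.DomainMode)"
        "  PDC Emulator          : $($domain.PDCEmulator)"
        "  RID Master            : $($domain.RIDMaster)"
        "  Infrastructure Master : $($domain.InfrastructureMaster)"

        # Q57: in a multi-domain forest the Infrastructure Master must not be a GC,
        # unless every DC in the domain is a GC (then no phantom references exist).
        $dcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
        $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        if ($forest.Domains.Count -gt 1 -and
            $gcs -contains $domain.InfrastructureMaster -and
            -not $allGc) {
            Write-Warning ("{0}: Infrastructure Master {1} is a Global Catalog server; " +
                           "move the role to a non-GC DC or make all DCs in the domain GCs." -f
                           $domain.DNSRoot, $domain.InfrastructureMaster)
        }
    }

    # Q19: the partitions (naming contexts) hosted by the DC we are talking to
    $rootDse = Get-ADRootDSE
    "Naming contexts on $($rootDse.dnsHostName):"
    $rootDse.namingContexts | ForEach-Object { "  $_" }
}

Get-FsmoPlacementReport
```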

59. How many objects can be created in Active Directory? (both 2003 and 2008)

ANS: As per Microsoft, a single AD domain controller can create around
2.15 billion objects during its lifetime.

60. Can you explain the process between a user providing his Domain credential to his
workstation and the desktop being loaded? Or how the AD authentication works?

ANS: When a user enters a user name and password, the computer sends the user
name to the KDC. The KDC contains a master database of unique long term keys
for every principal in its realm. The KDC looks up the user's master key (KA), which
is based on the user's password. The KDC then creates two items: a session key (SA)
to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a
second copy of the SA, the user name, and an expiration time. The KDC encrypts
this ticket by using its own master key (KKDC), which only the KDC knows. The
client computer receives the information from the KDC and runs the user's
password through a one-way hashing function, which converts the password into
the user's KA. The client computer now has a session key and a TGT so that it can
securely communicate with the KDC. The client is now authenticated to the domain
and is ready to access other resources in the domain by using the Kerberos protocol.

61. What is LDAP?

ANS: Lightweight Directory Access Protocol (LDAP) is an Internet standard
protocol which is used as a standard protocol for Active Directory functions. It runs
directly over TCP, and can be used to access a standalone LDAP directory service
or to access a directory service that is back-ended by X.500.

62. Which is default location of Active Directory? What are the main files related to
AD?

ANS: The AD database is saved in %systemroot%\ntds. You can see other files also in
this folder. These are the main files controlling the AD structure:

ntds.dit
edb.log
res1.log
res2.log
edb.chk

When a change is made to the Win2K database, triggering a write operation, Win2K
records the transaction in the log file (edb.log). Once written to the log file, the
change is then written to the AD database. System performance determines how
fast the system writes the data to the AD database from the log file. Any time the
system is shut down, all transactions are saved to the database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The
initial size of each is 10MB. These files are used to ensure that changes can be
written to disk should the system run out of free disk space. The checkpoint file
(edb.chk) records transactions committed to the AD database (ntds.dit). During
shutdown, a “shutdown” statement is written to the edb.chk file. Then, during a
reboot, AD determines that all transactions in the edb.log file have been committed
to the AD database. If, for some reason, the edb.chk file doesn’t exist on reboot or
the shutdown statement isn’t present, AD will use the edb.log file to update the AD
database.

The last file in our list of files to know is the AD database itself, ntds.dit. By default,
the file is located in \NTDS, along with the other files we’ve discussed.

63. In a large forest environment, why we don’t configure all Domain Controllers as
GCs?

ANS: Global Catalog servers produce a large amount of replication traffic.
Therefore, making all the domain controllers in the forest Global Catalog servers
would cause network bandwidth problems. GCs should be placed based on network
bandwidth and user or application requirements.

64. What is NETDOM command line tool used for?

65. What is role seizure? When do we perform role seizure?
66. What is ISTG? What is role of ISTG in Active Directory?
67. Is it possible to find idle users who did not log in for last few months?
68. Tell me the order of GPO as it applied.
69. What are the uses of CSVDE and LDIFDE?
70. What are the differences between a user object and contact object?
71. What do you mean by Bridge Head server?
72. What is urgent replication?
73. Please explain Realm trust.
74. Explain object class and object attribute.
75. My organization wants to add new object attribute to the user object. How do you
achieve it?
76. What do you understand about GUID?
77. What is the command used for Domain Controller decommissioning?
78. Have you ever planned and implemented Active Directory infrastructure anywhere?
Tell me few considerations we have to take during the AD planning.
79. Name few differences from Windows Server 2003 AD and Windows Server 2008
AD.
80. Which domain and forest functional level will I select if I am installing Windows
Server 2008 AD in an Existing environment where we have Windows Server 2003
Domain Controllers?
81. What are the replication intervals for Intersite and intrasite replication? Is there
any change in 2003 and 2008?
82. I want to transfer RID master role to a new Domain Controller. What are the steps
I need to follow?
83. Tell me few uses of NTDSUTIL commands?
84. Name few services that directly impact the functionality of Domain Controller.
85. You said there are 5 FSMO roles. Please explain what will be the impact on the AD
infra if each FSMO roles fails?
86. What is Active Directory defragmentation? How do you do AD defragmentation?
And why do we do it?
87. Tell me the difference between online and offline defragmentation.
88. How do you uninstall Active Directory? What are the precautions we have to take
before removing Active Directory?
89. A user is unable to log into his desktop which is connected to a domain. What are
the troubleshooting steps you will consider?
90. A Domain Controller called ABC is failing replication with XYZ. How do you
troubleshoot the issue?
91. A user account is frequently being locked out. How do you investigate this issue?
What possible solution would you suggest to the user?
92. Imagine you are trying to add a Windows 7 computer to an Active Directory domain,
but it's showing an error ‘Unable to find Domain Controller’. How will you handle
this issue?
93. What are the services required for Active Directory replication?
94. What is Active Directory application partition? What are the uses of it?
95. Many users of a network are facing latency while trying to log into their
workstations. How do you investigate this problem?
96. Now, some questions related to Windows Server 2008 Active Directory. What do
you mean by IDA? What are the new components of Windows 2K8 Active Directory?
97. I want to edit the Active Directory Schema. How can I bring Schema editor into my
MMC?
98. Name few Active Directory Built in groups
99. What are the differences between Enterprise Administrators and Domain
Administrators groups?
100. I have to create 1000 user objects in my Active Directory domain. How can
I achieve that with the least administrative effort? Tell me few tools that I can use.

Active Directory Interview Questions & Answers

(3)

 What is Active Directory?

An Active Directory is a directory structure used on Microsoft Windows based
computers and servers to store information and data about networks and domains.
It is primarily used for online information and was originally created in 1996. It was
first used with Windows 2000.

An Active Directory (sometimes referred to as an AD) performs a variety of functions,
including the ability to provide information on objects; it helps organize these objects
for easy retrieval and access, allows access by end users and administrators, and
allows the administrator to set up security for the directory.

Active Directory is a hierarchical collection of network resources that can contain
users, computers, printers, and other Active Directories. Active Directory Services
(ADS) allow administrators to handle and maintain all network resources from a
single location. Active Directory stores information and settings in a central
database.

 What is LDAP?

The Lightweight Directory Access Protocol, or LDAP, is an application protocol for
querying and modifying directory services running over TCP/IP. Although not yet
widely implemented, LDAP should eventually make it possible for almost any
application running on virtually any computer platform to obtain directory
information, such as email addresses and public keys. Because LDAP is an open
protocol, applications need not worry about the type of server hosting the directory.

 Can you connect Active Directory to other 3rd-party Directory
Services? Name a few options.

- Yes, you can connect other vendors' Directory Services with Microsoft’s version.

- Yes, you can use DirXML or LDAP to connect to other directories (i.e. eDirectory
from Novell, or NDS (Novell Directory System)).

- Yes, you can connect Active Directory to other 3rd-party Directory Services such as
directories used by SAP, Domino etc. with the help of MIIS (Microsoft Identity
Integration Server).

 What is the SYSVOL folder?

- All Active Directory database security-related information is stored in the SYSVOL
folder, and it is only created on an NTFS partition.

- The Sysvol folder on a Windows domain controller is used to replicate file-based
data among domain controllers. Because junctions are used within the Sysvol folder
structure, Windows NT file system (NTFS) version 5.0 is required on domain
controllers throughout a Windows distributed file system (DFS) forest.

This is a quote from Microsoft themselves; basically, the domain controller information
stored in files, such as your Group Policy data, is replicated through this folder structure.

 Name the AD NCs and replication issues for each NC

Schema NC, Configuration NC, Domain NC

Schema NC: This NC is replicated to every other domain controller in the forest. It
contains information about the Active Directory schema, which in turn defines the
different object classes and attributes within Active Directory.

Configuration NC: Also replicated to every other DC in the forest, this NC
contains forest-wide configuration information pertaining to the physical layout of
Active Directory, as well as information about display specifiers and forest-wide
Active Directory quotas.

Domain NC: This NC is replicated to every other DC within a single Active
Directory domain. This is the NC that contains the most commonly accessed Active
Directory data: the actual users, groups, computers, and other objects that reside
within a particular Active Directory domain.

 What are application partitions? When do I use them

Application directory partitions: These are specific to Windows Server 2003
domains.
An application directory partition is a directory partition that is replicated only to
specific domain controllers. A domain controller that participates in the replication
of a particular application directory partition hosts a replica of that partition. Only
domain controllers running Windows Server 2003 can host a replica of an
application directory partition.

 How do you create a new application partition

http://wiki.answers.com/Q/How_do_you_create_a_new_application_partition

 How do you view replication properties for AD partitions and DCs?

By using Replication Monitor (Replmon):

go to Start > Run > type replmon

 What is the Global Catalog?

The global catalog contains a complete replica of all objects in Active Directory for
its host domain, and contains a partial replica of all objects in Active Directory for
every other domain in the forest.

The global catalog is a distributed data repository that contains a searchable, partial
representation of every object in every domain in a multidomain Active Directory
forest. The global catalog is stored on domain controllers that have been designated
as global catalog servers and is distributed through multimaster replication.
Searches that are directed to the global catalog are faster because they do not
involve referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain
controller in a Windows 2000 Server or Windows Server 2003 forest stores a full,
writable replica of a single domain directory partition. Therefore, a domain
controller can locate only the objects in its domain. Locating an object in a different
domain would require the user or application to provide the domain of the
requested object.
The global catalog provides the ability to locate objects from any domain without
having to know the domain name. A global catalog server is a domain controller
that, in addition to its full, writable domain directory partition replica, also stores a
partial, read-only replica of all other domain directory partitions in the forest. The
additional domain directory partitions are partial because only a limited set of
attributes is included for each object. By including only the attributes that are most
used for searching, every object in every domain in even the largest forest can be
represented in the database of a single global catalog server.
 How do you view all the GCs in the forest?

C:\>repadmin /showreps domain_controller

OR
You can use Replmon.exe for the same purpose.
OR
Active Directory Sites and Services, or nslookup gc._msdcs.%USERDNSDOMAIN%
(the gc._msdcs records are registered in the forest root domain's DNS zone, so this
works as written only when the user's domain is the forest root).
 Why not make all DCs in a large forest as GCs?

The reason that all DCs are not GCs by default is that in large (or even giant) forests
every DC would have to hold a reference to every object in the entire forest, which
could be quite large and a considerable replication burden.

For a few hundred, or even a few thousand users, this is not likely to matter unless you
have really poor WAN links.
 Trying to look at the Schema, how can I do that?

adsiedit.exe

Alternatively, use the Active Directory Schema snap-in, which first has to be registered:

register schmmgmt.dll using this command

c:\windows\system32>regsvr32 schmmgmt.dll

Open mmc –> add snap-in –> add Active Directory Schema

save it as schema.msc

Open Administrative Tools –> schema.msc


 What are the Support Tools? Why do I need them?

Support Tools are the tools that are used for performing complicated tasks
easily. These can also be third-party tools. Some of the Support Tools include
DebugViewer, DependencyViewer, RegistryMonitor, etc. -edit by Casquehead I
believe this question is referring to the Windows Server 2003 Support Tools, which
are included with Microsoft Windows Server 2003 Service Pack 2. They are also
available for download here:

http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-A772EA2DF90&displaylang=en

You need them because you cannot properly manage an Active Directory network
without them.
Here they are; it would do you well to familiarize yourself with all of them.

Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe

 What is REPLMON? What is ADSIEDIT? What is NETDOM? What is
REPADMIN?

ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-
level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network
administrators can use it for common administrative tasks such as adding, deleting,
and moving objects within a directory service. The attributes for each object can be
edited or deleted by using this tool. ADSIEdit uses the ADSI application
programming interfaces (APIs) to access Active Directory. The following are the
required files for using this tool:

· ADSIEDIT.DLL

· ADSIEDIT.MSC

Regarding system requirements, a connection to an Active Directory environment
and Microsoft Management Console (MMC) is necessary.
A: Replmon is the first tool you should use when troubleshooting Active Directory
replication issues. As it is a graphical tool, replication issues are easy to see and
somewhat easier to diagnose than using its command line counterparts. The
purpose of this document is to guide you in how to use it, list some common
replication errors and show some examples of when replication issues can stop
other network installation actions.

for more go to http://www.techtutorials.net/articles/replmon_howto_a.html

NETDOM is a command-line tool that allows management of Windows domains
and trust relationships. It is used for batch management of trusts, joining
computers to domains, verifying trusts, and secure channels.

A:
Enables administrators to manage Active Directory domains and trust relationships
from the command prompt.

Netdom is a command-line tool that is built into Windows Server 2008. It is
available if you have the Active Directory Domain Services (AD DS) server role
installed. To use netdom, you must run the netdom command from an elevated
command prompt. To open an elevated command prompt, click Start, right-click
Command Prompt, and then click Run as administrator.

REPADMIN.EXE is a command line tool used to monitor and troubleshoot
replication on a computer running Windows. This is a command line tool that
allows you to view the replication topology as seen from the perspective of each
domain controller.

REPADMIN is a built-in Windows diagnostic command-line utility that works at the
Active Directory level. Although specific to Windows, it is also useful for diagnosing
some Exchange replication problems, since Exchange Server is Active Directory
based.

REPADMIN doesn’t actually fix replication problems for you. But you can use it to
help determine the source of a malfunction.
 What are sites? What are they used for?

Active Directory sites, which consist of well-connected networks defined by IP
subnets that help define the physical structure of your AD, give you much better
control over replication traffic and authentication traffic than the control you get
with Windows NT 4.0 domains.
Using Active Directory, the network and its objects are organized by constructs such
as domains, trees, forests, trust relationships, organizational units (OUs), and sites.
 What’s the difference between a site link’s schedule and interval?
The schedule lets you list the weekdays and hours during which the site link is
available for replication. The interval is how often inter-site replication recurs, in
minutes, during that available window. It ranges from 15 to 10,080 minutes; the
default interval is 180 minutes.
 What is the KCC?

The KCC is a built-in process that runs on all domain controllers and generates
replication topology for the Active Directory forest. The KCC creates separate
replication topologies depending on whether replication is occurring within a site
(intrasite) or between sites (intersite). The KCC also dynamically adjusts the
topology to accommodate new domain controllers, domain controllers moved to
and from sites, changing costs and schedules, and domain controllers that are
temporarily unavailable.
 What is the ISTG? Who has that role by default?

The Intersite Topology Generator (ISTG) is responsible for the connections
among the sites. By default, Windows 2003 forest-level functionality has this
role. By default the first server in the site holds this role. If that server can no longer
perform the role, the server with the next highest GUID takes over as the
ISTG.

What are the requirements for installing AD on a new server?

· An NTFS partition with enough free space (250MB minimum)

· An Administrator’s username and password

· The correct operating system version

· A NIC

· Properly configured TCP/IP (IP address, subnet mask and, optionally, a default gateway)

· A network connection (to a hub or to another computer via a crossover cable)

· An operational DNS server (which can be installed on the DC itself)

· A Domain name that you want to use

· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

From the Petri IT Knowledge base. For more info, follow this link:

http://www.petri.co.il/active_directory_installation_requirements.htm
 What can you do to promote a server to DC if you’re in a remote
location with slow WAN link?

First available in Windows Server 2003: create a copy of the system state from an
existing DC and copy it to the new remote server, then run “dcpromo /adv”. You will be
prompted for the location of the system state files.
 How can you forcibly remove AD from a server, and what do you do
later? • Can I get user passwords from the AD database?

Demote the server using dcpromo /forceremoval, then remove the metadata from
Active Directory using ntdsutil. There is no way to get user passwords from AD that
I am aware of, but you should still be able to change them.

Another way out:

Restart the DC in DSRM mode

a. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

b. In the right pane, double-click ProductType.

c. Type ServerNT in the Value data box, and then click OK.

Restart the server in normal mode

It is a member server now, but the AD entries are still there. Promote the server to a
throwaway domain, say ABC.com, and then remove it gracefully using dcpromo. Otherwise,
after the restart you can also use ntdsutil to do the metadata cleanup as described in the
earlier post.
 What tool would I use to try to grab security related packets from the
wire?

A packet sniffer captures traffic from the wire; conversely, sniffer-detecting tools help
you find unauthorized sniffers on your network. A good packet sniffer is “Ethereal”
(www.ethereal.com), since renamed Wireshark.
 Name some OU design considerations ?

OU design requires balancing requirements for delegating administrative rights,
independent of Group Policy needs, against the need to scope the application of
Group Policy. The following OU design recommendations address delegation and
scope issues:

Applying Group Policy: An OU is the lowest-level Active Directory container to
which you can assign Group Policy settings.

Delegating administrative authority: delegate at the OU level, and usually don’t go
more than 3 OU levels deep.
 What is tombstone lifetime attribute?

The number of days before a deleted object is removed from the directory service.
This assists in removing objects from replicated servers and prevents restores
from reintroducing a deleted object. This value is stored on the Directory Service object
in the Configuration NC; by default it is 60 days in Windows 2000 and 180 days in
Windows Server 2003.

What do you do to install a new Windows 2003 DC in a Windows
2000 AD?

If you plan to install Windows Server 2003 domain controllers into an existing
Windows 2000 domain, or upgrade Windows 2000 domain controllers to Windows
Server 2003, you first need to run the Adprep.exe utility on the Windows 2000
domain controllers currently holding the schema master and infrastructure master
roles. The adprep /forestprep command must first be issued on the Windows 2000
server holding the schema master role in the forest root domain to prepare the existing
schema to support Windows 2003 Active Directory. The adprep /domainprep
command must be issued on the server holding the infrastructure master role in each
domain where Windows Server 2003 DCs will be deployed.
 What do you do to install a new Windows 2003 R2 DC in a Windows
2003 AD?

A. If you’re installing Windows 2003 R2 on an existing Windows 2003 server with
SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and
the r2auto.exe will display the Windows 2003 R2 Continue Setup screen.

If you’re installing R2 on a domain controller (DC), you must first upgrade the
schema to the R2 version (this is a minor change and mostly related to the new DFS
replication engine). To update the schema, run the Adprep utility, which you’ll find
in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this
command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2
(or later).
 How would you find all users that have not logged on since last
month?
http://wiki.answers.com/Q/How_would_you_find_all_users_that_have_not_logged_on_since_last_month
 What are the DS commands?

The DS (Directory Service) family of built-in command line utilities is new in Windows
Server 2003 Active Directory.

The DS commands are split into two families. In one branch are DSadd, DSmod, DSrm
and DSmove, and in the other branch are DSquery and DSget.

When it comes to choosing a scripting tool for Active Directory objects, you really
are spoilt for choice. The DS family of built-in command line executables offers an
alternative strategy to CSVDE, LDIFDE and VBScript.

Let me introduce you to the members of the DS family:

DSadd – add Active Directory users and groups
DSmod – modify Active Directory objects
DSrm – delete Active Directory objects
DSmove – relocate objects
DSquery – find objects that match your query attributes
DSget – list the properties of an object
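As an added example (not from the original page), the “users that have not logged on since last month” question and the DSquery branch above can both be answered from PowerShell by querying lastLogonTimestamp through the built-in [adsisearcher]; the 30-day cutoff and the parameter names are my own choices.

```powershell
# Added example: list enabled user accounts that have not logged on for N days,
# plus accounts that never logged on at all. Uses System.DirectoryServices via the
# built-in [adsisearcher] type accelerator, so no AD module is needed; run it as a
# domain user on a domain-joined machine. Equivalent DS command (weeks, not days):
#   dsquery user -inactive 4
param(
    [int]$DaysInactive = 30,        # "since last month"
    [string]$SearchBase = ''         # e.g. 'OU=Staff,DC=example,DC=com'; '' = whole domain
)

# lastLogonTimestamp is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
# It is replicated, so any DC can answer, but it is only refreshed when the stored
# value is older than msDS-LogonTimeSyncInterval (default 14 days): treat the result
# as accurate to roughly two weeks. The attribute exists only at Windows Server 2003
# domain functional level or higher.
$cutoff = (Get-Date).AddDays(-$DaysInactive).ToFileTimeUtc()

# userAccountControl bit 0x2 = ACCOUNTDISABLE; rule 1.2.840.113556.1.4.803 is a
# bitwise-AND match, so the (!...) clause drops disabled accounts.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
          "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"

$searcher = [adsisearcher]$filter
if ($SearchBase) { $searcher.SearchRoot = [adsi]"LDAP://$SearchBase" }
$searcher.PageSize = 1000            # paged results, needed beyond 1000 objects
$searcher.PropertiesToLoad.AddRange([string[]]@(
    'sAMAccountName', 'lastLogonTimestamp', 'whenCreated', 'distinguishedName'))

$results = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties                # keys are returned in lower case
    $last = $null
    if ($p.Contains('lastlogontimestamp')) {
        $last = [DateTime]::FromFileTimeUtc([int64]$p['lastlogontimestamp'][0])
    }
    [pscustomobject]@{
        SamAccountName     = [string]$p['samaccountname'][0]
        LastLogonTimestamp = $last    # $null = never logged on to any DC
        WhenCreated        = [DateTime]$p['whencreated'][0]
        DistinguishedName  = [string]$p['distinguishedname'][0]
    }
}

$results | Sort-Object LastLogonTimestamp | Format-Table -AutoSize
```

Accounts with an empty LastLogonTimestamp that were created long ago are the ones worth reviewing first, since they have a usable password but no owner exercising it.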
 What are the FSMO roles? Who has them by default? What happens
when each one fails?

FSMO stands for Flexible Single Master Operation.

There are 5 roles:
 Schema Master:

The schema master domain controller controls all updates and modifications to the
schema. Once the Schema update is complete, it is replicated from the schema
master to all other DCs in the directory. To update the schema of a forest, you must
have access to the schema master. There can be only one schema master in the
whole forest.
 Domain naming master:

The domain naming master domain controller controls the addition or removal of
domains in the forest. This DC is the only one that can add or remove a domain
from the directory. It can also add or remove cross references to domains in
external directories. There can be only one domain naming master in the whole
forest.
 Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it
represents the reference by the GUID, the SID (for references to security
principals), and the DN of the object being referenced. The infrastructure FSMO
role holder is the DC responsible for updating an object’s SID and distinguished
name in a cross-domain object reference. At any one time, there can be only one
domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller
that is not a Global Catalog server (GC). If the Infrastructure Master runs on a
Global Catalog server it will stop updating object information because it does not
contain any references to objects that it does not hold. This is because a Global
Catalog server holds a partial replica of every object in the forest. As a result, cross-
domain object references in that domain will not be updated and a warning to that
effect will be logged on that DC’s event log. If all the domain controllers in a domain
also host the global catalog, all the domain controllers have the current data, and it
is not important which domain controller holds the infrastructure master role.
 Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. When a DC creates a security principal object
such as a user or group, it attaches a unique Security ID (SID) to the object. This
SID consists of a domain SID (the same for all SIDs created in a domain), and a
relative ID (RID) that is unique for each security principal SID created in a domain.
Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the
security principals it creates. When a DC’s allocated RID pool falls below a
threshold, that DC issues a request for additional RIDs to the domain’s RID master.
The domain RID master responds to the request by retrieving RIDs from the
domain’s unallocated RID pool and assigns them to the pool of the requesting DC.
At any one time, there can be only one domain controller acting as the RID master
in the domain.
 PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows
2000/2003 includes the W32Time (Windows Time) time service that is required by
the Kerberos authentication protocol. All Windows 2000/2003-based computers
within an enterprise use a common time. The purpose of the time service is to
ensure that the Windows Time service uses a hierarchical relationship that controls
authority and does not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator
at the root of the forest becomes authoritative for the enterprise, and should be
configured to gather the time from an external source. All PDC FSMO role holders
follow the hierarchy of domains in the selection of their in-bound time partner.

In a Windows 2000/2003 domain, the PDC emulator role holder retains the
following functions:

· Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator.

· Authentication failures that occur at a given DC in a domain because of an incorrect
password are forwarded to the PDC emulator before a bad password failure message
is reported to the user.

· Account lockout is processed on the PDC emulator.


Editing or creation of Group Policy Objects (GPO) is always done from the GPO
copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by
the administrator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT
4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier
clients.

This part of the PDC emulator role becomes unnecessary when all workstations,
member servers, and domain controllers that are running Windows NT 4.0 or
earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs
the other functions as described in a Windows 2000/2003 environment.
 What FSMO placement considerations do you know of?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master
method called FSMO (Flexible Single Master Operation), as described in
Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in
the same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process. However, there are scenarios where an administrator
would want to move one or more of the FSMO roles from the default holder DC to a
different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000
version when dealing with FSMO placement. In this article I will only deal with
Windows Server 2003 Active Directory, but you should bear in mind that most
considerations are also true when planning Windows 2000 AD FSMO roles
 What’s the difference between transferring a FSMO role and seizing
one? Which one should you NOT seize? Why?

Certain domain and enterprise-wide operations that are not good for multi-master
updates are performed by a single domain controller in an Active Directory domain
or forest. The domain controllers that are assigned to perform these unique
operations are called operations masters or FSMO role holders.

The following list describes the 5 unique FSMO roles in an Active Directory forest
and the dependent operations that they perform:
 Schema master – The Schema master role is forest-wide and there is one for each
forest. This role is required to extend the schema of an Active Directory forest or
to run the adprep /domainprep command.
 Domain naming master – The Domain naming master role is forest-wide and
there is one for each forest. This role is required to add or remove domains or
application partitions to or from a forest.
 RID master – The RID master role is domain-wide and there is one for each
domain. This role is required to allocate the RID pool so that new or existing
domain controllers can create user accounts, computer accounts or security
groups.
 PDC emulator – The PDC emulator role is domain-wide and there is one for each
domain. This role is required for the domain controller that sends database
updates to Windows NT backup domain controllers. The domain controller that
owns this role is also targeted by certain administration tools and updates to user
account and computer account passwords.
 Infrastructure master – The Infrastructure master role is domain-wide and there
is one for each domain. This role is required for domain controllers to run the
adprep /forestprep command successfully and to update SID attributes and
distinguished name attributes for objects that are referenced across domains.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to
the first domain controller in the forest root domain. The first domain controller in
each new child or tree domain is assigned the three domain-wide roles. Domain
controllers continue to own FSMO roles until they are reassigned by using one of
the following methods:
 An administrator reassigns the role by using a GUI administrative tool.
 An administrator reassigns the role by using the ntdsutil /roles command.
 An administrator gracefully demotes a role-holding domain controller by using
the Active Directory Installation Wizard. This wizard reassigns any locally-held
roles to an existing domain controller in the forest. Demotions that are
performed by using the dcpromo /forceremoval command leave FSMO roles
in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

 The current role holder is operational and can be accessed on the network by the
new FSMO owner.
 You are gracefully demoting a domain controller that currently owns FSMO roles
that you want to assign to a specific domain controller in your Active Directory
forest.
 The domain controller that currently owns FSMO roles is being taken offline for
scheduled maintenance and you need specific FSMO roles to be assigned to a
“live” domain controller. This may be required to perform operations that
connect to the FSMO owner. This would be especially true for the PDC Emulator
role but less true for the RID master role, the Domain naming master role and
the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

 The current role holder is experiencing an operational error that prevents an
FSMO-dependent operation from completing successfully and that role cannot be
transferred.
 A domain controller that owns an FSMO role is force-demoted by using the
dcpromo /forceremoval command.
 The operating system on the computer that originally owned a specific role no
longer exists or has been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain
full knowledge of changes that are made by FSMO-holding domain controllers. If
you must transfer a role, the best candidate domain controller is one that is in the
appropriate domain that last inbound-replicated, or recently inbound-replicated a
writable copy of the “FSMO partition” from the existing role holder. For example,
the Schema master role-holder has a distinguished name path of
CN=schema,CN=configuration,dc=<forest root domain>, and this means that the role
resides in and is replicated as part of the CN=schema partition. If the domain
controller that holds the Schema master role experiences a hardware or software
failure, a good candidate role-holder would be a domain controller in the root
domain and in the same Active Directory site as the current owner. Domain
controllers in the same Active Directory site perform inbound replication every 5
minutes or 15 seconds.

A domain controller whose FSMO roles have been seized should not be permitted to
communicate with existing domain controllers in the forest. In this scenario, you
should either format the hard disk and reinstall the operating system on such
domain controllers or forcibly demote such domain controllers on a private network
and then remove their metadata on a surviving domain controller in the forest by
using the ntdsutil /metadata cleanup command. The risk of introducing a
former FSMO role holder whose role has been seized into the forest is that the
original role holder may continue to operate as before until it inbound-replicates
knowledge of the role seizure. Known risks of two domain controllers owning the
same FSMO roles include creating security principals that have overlapping RID
pools, and other problems.

Transfer FSMO roles

To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based
member computer or domain controller that is located in the forest where FSMO
roles are being transferred. We recommend that you log on to the domain
controller that you are assigning FSMO roles to. The logged-on user should be a
member of the Enterprise Administrators group to transfer Schema master or
Domain naming master roles, or a member of the Domain Administrators group
of the domain where the PDC emulator, RID master and the Infrastructure
master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER. Note: to see a list of available commands at
any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is
the name of the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of
roles that you can transfer, type ? at the fsmo maintenance prompt, and then
press ENTER, or see the list of roles at the start of this article. For example, to
transfer the RID master role, type transfer rid master. The one exception is for
the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain
access to the ntdsutil prompt. Type q, and then press ENTER to quit the
Ntdsutil utility.

Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based
member computer or domain controller that is located in the forest where FSMO
roles are being seized. We recommend that you log on to the domain controller
that you are assigning FSMO roles to. The logged-on user should be a member of
the Enterprise Administrators group to transfer schema or domain naming
master roles, or a member of the Domain Administrators group of the domain
where the PDC emulator, RID master and the Infrastructure master roles are
being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is
the name of the domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles
that you can seize, type ? at the fsmo maintenance prompt, and then press
ENTER, or see the list of roles at the start of this article. For example, to seize the
RID master role, type seize rid master. The one exception is for the PDC emulator
role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain
access to the ntdsutil prompt. Type q, and then press ENTER to quit the
Ntdsutil utility.

Notes
o Under typical conditions, all five roles must be assigned to “live” domain
controllers in the forest. If a domain controller that owns a FSMO role is
taken out of service before its roles are transferred, you must seize all roles
to an appropriate and healthy domain controller. We recommend that you
only seize all roles when the other domain controller is not returning to the
domain. If it is possible, fix the broken domain controller that is assigned
the FSMO roles. You should determine which roles are to be on which
remaining domain controllers so that all five roles are assigned to a single
domain controller. For more information about FSMO role placement,
click the following article number to view the article in the Microsoft
Knowledge Base: 223346 (http://support.microsoft.com/kb/223346/ )
FSMO placement and optimization on Windows 2000 domain controllers
o If the domain controller that formerly held any FSMO role is not present
in the domain and if it has had its roles seized by using the steps in this
article, remove it from the Active Directory by following the procedure that
is outlined in the following Microsoft Knowledge Base article: 216498
(http://support.microsoft.com/kb/216498/ ) How to remove data in
active directory after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000 version or
the Windows Server 2003 build 3790 version of the ntdsutil /metadata
cleanup command does not relocate FSMO roles that are assigned to live
domain controllers. The Windows Server 2003 Service Pack 1 (SP1)
version of the Ntdsutil utility automates this task and removes additional
elements of domain controller metadata.
o Some customers prefer not to restore system state backups of FSMO role-
holders in case the role has been reassigned since the backup was made.
o Do not put the Infrastructure master role on the same domain controller
as the global catalog server. If the Infrastructure master runs on a global
catalog server it stops updating object information because it does not
contain any references to objects that it does not hold. This is because a
global catalog server holds a partial replica of every object in the forest.

To test whether a domain controller is also a global catalog server:

1. Click Start, point to Programs, point to Administrative Tools, and then
click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site or click
Default-first-site-name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller’s folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.
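The same placement check can be scripted. As an added example (not from the original page or the Microsoft KB it quotes), this PowerShell script reads the five FSMO role holders, lists the global catalog servers in the forest (the earlier “view all the GCs” question), and flags an Infrastructure master that sits on a GC while some DCs in its domain are not GCs; it uses only the built-in [adsi]/[adsisearcher] accelerators, and the helper name is my own.

```powershell
# Added example: FSMO role holders, forest GCs, and the Infrastructure-master-on-GC check.
# Assumes it runs as a domain user on a domain-joined machine.
$rootDse = [adsi]'LDAP://RootDSE'
$domNC   = [string]$rootDse.defaultNamingContext
$cfgNC   = [string]$rootDse.configurationNamingContext
$schNC   = [string]$rootDse.schemaNamingContext

# Each role is "anchored" on one object whose fSMORoleOwner attribute holds the DN of
# the owner's NTDS Settings object:
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,<config NC>
function ConvertTo-ServerName([string]$NtdsSettingsDn) {
    # Second RDN is the server object; assumes no escaped commas in server names.
    ($NtdsSettingsDn -split ',')[1] -replace '^CN=', ''
}

$anchors = [ordered]@{
    'Schema master'         = $schNC
    'Domain naming master'  = 'CN=Partitions,' + $cfgNC
    'RID master'            = 'CN=RID Manager$,CN=System,' + $domNC
    'PDC emulator'          = $domNC
    'Infrastructure master' = 'CN=Infrastructure,' + $domNC
}

$roles = foreach ($role in $anchors.Keys) {
    $ownerDn = [string]([adsi]('LDAP://' + $anchors[$role])).fSMORoleOwner
    [pscustomobject]@{ Role = $role; Holder = ConvertTo-ServerName $ownerDn }
}

# GCs are NTDS Settings objects (class nTDSDSA) with bit 0x1 (NTDSDSA_OPT_IS_GC) set in
# 'options'; matching rule 1.2.840.113556.1.4.803 is a bitwise-AND test. Searching
# CN=Sites in the configuration NC covers every site in the forest.
$gcSearch = [adsisearcher]'(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))'
$gcSearch.SearchRoot = [adsi]('LDAP://CN=Sites,' + $cfgNC)
$gcSearch.PropertiesToLoad.Add('distinguishedName') | Out-Null
$forestGcs = foreach ($r in $gcSearch.FindAll()) {
    ConvertTo-ServerName ([string]$r.Properties['distinguishedname'][0])
}

# DCs of this domain: computer accounts with SERVER_TRUST_ACCOUNT (0x2000 = 8192) set.
$dcSearch = [adsisearcher]'(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$dcSearch.SearchRoot = [adsi]('LDAP://' + $domNC)
$dcSearch.PropertiesToLoad.Add('name') | Out-Null
$domainDcs = foreach ($r in $dcSearch.FindAll()) { [string]$r.Properties['name'][0] }

$roles | Format-Table -AutoSize
"Global catalog servers in the forest: $($forestGcs -join ', ')"

# The IM only goes stale when it is a GC and at least one DC in the domain is not.
$im        = ($roles | Where-Object { $_.Role -eq 'Infrastructure master' }).Holder
$domainGcs = @($domainDcs | Where-Object { $forestGcs -contains $_ })
if (($forestGcs -contains $im) -and ($domainGcs.Count -lt $domainDcs.Count)) {
    Write-Warning ("Infrastructure master $im is a GC but " +
        "$($domainDcs.Count - $domainGcs.Count) DC(s) in this domain are not; " +
        "cross-domain object references will not be updated.")
} else {
    "Infrastructure master placement is fine."
}
```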

 How do you configure a "stand-by operation master" for any of the roles?

A standby operations master is a domain controller that is a direct replication
partner of the current role holder, so that it is as up to date as possible if you
later have to seize the role onto it. To make it a direct partner, create an
explicit connection object:
1. Open Active Directory Sites and Services.
2. Expand the site in which the standby operations master is located to display
the Servers folder.
3. Expand the Servers folder to see the list of servers in that site.
4. Expand the name of the server that you want to be the standby operations master
to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current
role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.
 How do you backup AD?

Backing up Active Directory is essential to maintaining the Active Directory database.

You can back up Active Directory by using the graphical (NTBackup) and command-line
tools that the Windows Server 2003 family provides.
Back up the system state data on domain controllers frequently so that you can
restore the most current data. By establishing a regular backup schedule, you have a
better chance of recovering data when necessary.

A good backup includes at least the system state data and the contents of the
system disk, and it must be younger than the tombstone lifetime. By default the
tombstone lifetime is 60 days (180 days in forests created with Windows Server 2003
SP1 or later); any backup older than the tombstone lifetime is not a good backup
and must not be restored. Plan to back up at least two domain controllers in each
domain, and keep at least one backup that can be used for an authoritative restore
of the data when necessary.

System State Data


Several features in the Windows Server 2003 family make it easy to back up Active
Directory. You can back up Active Directory while the server is online, and other
network functions continue to operate.

System state data on a domain controller includes the following components:

Active Directory: The system state data contains the Active Directory database only
when the server you are backing up is a domain controller, because Active Directory
is present only on domain controllers.

The SYSVOL shared folder: This shared folder contains Group Policy templates
and logon scripts. The SYSVOL shared folder is present only on domain controllers.

The Registry: This database repository contains information about the computer's
configuration.

System startup files: Windows Server 2003 requires these files during its initial
startup phase. They include the boot and system files that are under Windows File
Protection and that Windows uses to load, configure, and run the operating system.

The COM+ Class Registration database: The class registration is a database of
information about Component Services applications.

The Certificate Services database: This database contains the certificates that a
server running Windows Server 2003 uses to authenticate users. The Certificate
Services database is present only if the server is operating as a certificate server.

System state data contains most elements of a system's configuration, but it may not
include all of the information that you need to recover from a system failure.
Therefore, be sure to back up all boot and system volumes, including the System
State, when you back up your server.

Restoring Active Directory

In the Windows Server 2003 family, you can restore the Active Directory database if
it becomes corrupted or is destroyed because of hardware or software failures. You
also restore the Active Directory database when objects in Active Directory have
been changed or deleted by mistake and cannot be recovered any other way.

Active Directory can be brought back to a current state in several ways. Replication
synchronizes the latest changes from every other replication partner; once
replication has finished, each partner has an up-to-date copy of Active Directory.
The other way is to use the Backup utility to restore the replicated data from a
backup copy. For this kind of restore you do not need to reconfigure the domain
controller or reinstall the operating system from scratch.

Active Directory Restore Methods

You can use one of three methods to restore Active Directory from backup
media: primary restore, normal (non-authoritative) restore, and authoritative
restore.

Primary restore: This method rebuilds the first domain controller in a domain when
there is no other way to rebuild the domain. Perform a primary restore only when
all the domain controllers in the domain are lost and you want to rebuild the
domain from the backup.
Members of the local Administrators group, or users who have been delegated the
restore right, can perform a primary restore on a local computer; on a domain
controller only members of Domain Admins can perform it.
Normal restore: This method reinstates the Active Directory data to the state at the
time of the backup, after which normal replication brings the data up to date.
Perform a normal restore to return a single domain controller to a previously known
good state.
Authoritative restore: You perform this method in tandem with a normal restore.
An authoritative restore marks specific data as current and prevents replication
from overwriting that data. The authoritative data is then replicated throughout the
domain.
Perform an authoritative restore to recover individual objects or subtrees in a
domain that has multiple domain controllers. When you perform an authoritative
restore, you lose all changes to the restored objects that occurred after the
backup. Ntdsutil is the command-line utility, shipped with Windows Server 2003,
that you run in Directory Services Restore Mode after the normal restore to mark
Active Directory objects as authoritative: it raises their version numbers so that
the more recently changed copies on other domain controllers do not overwrite the
restored data during replication.
 How do you restore AD?

METHOD

A.
You cannot restore Active Directory (AD) to a domain controller (DC) while the
Directory Service (DS) is running. To restore AD, perform the following steps.

1. Reboot the computer.
2. At the boot menu, select Windows 2000 Server. Do not press Enter. Instead, press
F8 for advanced options. You will see the following text:

OS Loader V5.0

Windows NT Advanced Options Menu
Please select an option:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers only)
Debugging Mode

Use the UP ARROW and DOWN ARROW keys to move the highlight to your choice.
Press Enter to choose.

3. Scroll down, select Directory Services Restore Mode (Windows NT domain
controllers only), and press Enter.
4. When you return to the Windows 2000 Server boot menu, press Enter. At the
bottom of the screen you will see, in red text, Directory Services Restore Mode
(Windows NT domain controllers only).
The computer boots into a special safe mode and does not start the DS. Be aware
that during this time the machine does not act as a DC and does not perform
functions such as authentication. Log on with the Directory Services Restore Mode
Administrator password that was set when the server was promoted.
5. Start NT Backup.
6. Select the Restore tab.
7. Select the backup media, and select System State.
8. Click Start Restore.
9. Click OK in the confirmation dialog box.
10. After the restore completes, reboot the computer and start in normal mode to
use the restored information. The computer might appear to hang after the restore
completes; on some machines it takes up to 30 minutes.
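The same restore, scripted. This is an added example and not part of the original answer: it assumes Windows Server 2008 or later, where wbadmin replaces NTBackup and `bcdedit /set safeboot dsrepair` followed by a restart replaces the F8 menu, and it also covers the optional authoritative step from the restore-methods description above. The backup target `E:`, the backup version and the OU name are placeholders.

```powershell
# Added example, not from the original page. Run in Directory Services Restore
# Mode, logged on as the local DSRM Administrator, after forcing DSRM with:
#   bcdedit /set safeboot dsrepair ; Restart-Computer
# Assumes Windows Server 2008 or later (wbadmin, bcdedit, ntdsutil with instances).

$backupTarget = 'E:'                            # placeholder volume holding the backups
$ouToRecover  = 'OU=Sales,DC=contoso,DC=com'    # placeholder; $null = non-authoritative only

# 1. Pick the newest system state version on the target. wbadmin prints one
#    "Version identifier: MM/DD/YYYY-HH:MM" line per backup, oldest first.
$versionId = & wbadmin.exe get versions -backupTarget:$backupTarget |
             ForEach-Object { if ($_ -match 'Version identifier:\s*(\S+)') { $Matches[1] } } |
             Select-Object -Last 1
if (-not $versionId) { throw "No backup versions found on $backupTarget" }

# 2. Non-authoritative (normal) restore of the system state: NTDS.DIT, SYSVOL,
#    registry, boot files. Add -authsysvol only when SYSVOL itself must win over
#    the replication partners as well.
& wbadmin.exe start systemstaterecovery -version:$versionId -backupTarget:$backupTarget -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin restore failed with exit code $LASTEXITCODE" }

# 3. Optional authoritative restore: ntdsutil raises the version numbers of the
#    restored subtree so the other DCs' newer copies (including the deletions)
#    do not overwrite it. 'activate instance ntds' is needed on 2008 and later.
if ($ouToRecover) {
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' "restore subtree $ouToRecover" quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil authoritative restore failed with exit code $LASTEXITCODE" }
}

# 4. Leave DSRM: remove the forced safe boot and restart. Replication then pulls
#    in everything newer than the backup, except the authoritatively restored objects.
& bcdedit.exe /deletevalue safeboot
Restart-Computer -Force
```

Step 3 is the only part that should ever be run selectively: mark the smallest subtree that actually needs to win, because everything under it reverts to the backup's state.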
 How do you change the DS Restore admin password?

When you promote a Windows 2000 Server-based computer to a domain controller, you
are prompted to type a Directory Services Restore Mode (DSRM) Administrator
password. This password is also used by the Recovery Console, and it is separate
from the Administrator password that is stored in Active Directory after the
promotion completes.

The Administrator password that you use when you start the Recovery Console or when
you press F8 to start Directory Services Restore Mode is stored in the registry-based
Security Accounts Manager (SAM) on the local computer. The SAM is located in the
%SystemRoot%\System32\Config folder. The SAM-based account and password are computer
specific and are not replicated to other domain controllers in the domain.

For ease of administration of domain controllers, or as an additional security
measure, you can change the Administrator password in the local SAM. To change the
local Administrator password that you use when you start the Recovery Console or
Directory Services Restore Mode, use the following method.

1. Log on to the computer as the administrator or as a user who is a member of the
Administrators group.
2. Shut down the domain controller on which you want to change the password.
3. Restart the computer. When the selection menu screen is displayed during restart,
press F8 to view advanced startup options.
4. Click the Directory Services Restore Mode option.
5. After you log on, use one of the following methods to change the local
Administrator password:
• At a command prompt, type the following command (the asterisk makes the command
prompt for the new password instead of taking it on the command line):

net user administrator *

• Use the Local Users and Groups snap-in (Lusrmgr.msc) to change the
Administrator password.
6. Shut down and restart the computer. You can now use the Administrator account to
log on to the Recovery Console or to Directory Services Restore Mode with the new
password.

Because the DSRM password is a per-computer credential that never replicates, keep
it different from the domain Administrator password and rotate it on every domain
controller, not just one.
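The reboot into DSRM is not needed on later versions: ntdsutil's `set dsrm password` menu can reset the password from a running domain controller. The following is an added example, not part of the original answer; it assumes Windows Server 2008 R2 or later (Server 2008 needs a hotfix for the `sync from domain account` command), PowerShell remoting to the DCs, and a dedicated domain user named `DSRMSync` that you create beforehand with a long random password.

```powershell
# Added example, not from the original page: reset the DSRM Administrator password
# on every DC without rebooting any of them. Assumes the ActiveDirectory module,
# WinRM access to each DC and a placeholder domain account 'DSRMSync'.
Import-Module ActiveDirectory

$syncAccount = 'DSRMSync'   # throw-away domain user, no group memberships, no logon rights
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    # ntdsutil accepts its menu commands as arguments, so no interactive session is
    # needed. It has to run on the DC itself: the DSRM password lives in that DC's
    # local SAM and is never replicated, so each DC needs its own reset.
    # (Interactive alternative on a DC: ntdsutil "set dsrm password"
    #  "reset password on server null" q q, which prompts for the password.)
    $out = Invoke-Command -ComputerName $dc -ArgumentList $syncAccount -ScriptBlock {
        param($acct)
        & ntdsutil.exe 'set dsrm password' "sync from domain account $acct" quit quit 2>&1
    }

    if ($out -match 'synchronized successfully') {
        "$dc : DSRM password synchronized from $syncAccount"
    } else {
        Write-Warning ("$dc : unexpected ntdsutil output:`n" + ($out -join "`n"))
    }
}

# The DCs keep the password hash they copied, so change or disable the DSRMSync
# account afterwards; it should not remain a live credential in the domain.
```

Because every DC now shares the same DSRM password, store it in the same place as other break-glass credentials and repeat the sync whenever that password is rotated.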
 Why can’t you restore a DC that was backed up 4 months ago?

Because of the tombstone lifetime, which by default is only 60 days (180 days in
forests created with Windows Server 2003 SP1 or later). Objects deleted since the
backup was taken have already been tombstoned and the tombstones garbage-collected
on the other domain controllers, so a DC restored from a backup older than the
tombstone lifetime would reintroduce those objects as lingering objects that
replication can no longer clean up.
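The check a practitioner would want for both the backup section above and this question: read the forest's actual tombstone lifetime and compare it with the age of the newest system state backup. This is an added example, not from the original page; it assumes Windows Server 2012 or later (the `WindowsServerBackup` module; on 2008 R2 the same cmdlets come from `Add-PSSnapin Windows.ServerBackup`), the ActiveDirectory module, and a backup target volume `E:` as a placeholder.

```powershell
# Added example, not from the original page: tombstone lifetime vs. backup age.
# Assumes the ActiveDirectory and WindowsServerBackup modules and a target volume.
Import-Module ActiveDirectory
Import-Module WindowsServerBackup

$backupTarget = 'E:'   # placeholder

# tombstoneLifetime lives on CN=Directory Service in the configuration partition.
# If the attribute is not set, the forest predates Windows Server 2003 SP1 and
# uses the 60-day default; forests created later default to 180 days.
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime
$tsl   = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

$newest = Get-WBBackupSet -BackupTarget (New-WBBackupTarget -VolumePath $backupTarget) |
          Sort-Object BackupTime -Descending | Select-Object -First 1

$ageDays = if ($newest) { ((Get-Date) - $newest.BackupTime).TotalDays } else { [double]::PositiveInfinity }

"Tombstone lifetime: $tsl days; newest system state backup: " +
    $(if ($newest) { '{0:N1} days old ({1})' -f $ageDays, $newest.BackupTime } else { 'none found' })

# A backup older than the tombstone lifetime must not be restored: deletions made
# since it was taken have been tombstoned and purged on the other DCs, so the
# restored DC would bring those objects back as lingering objects.
if ($ageDays -ge $tsl) {
    Write-Warning 'Newest backup is no longer restorable; taking a fresh system state backup.'
    & wbadmin.exe start systemstatebackup -backupTarget:$backupTarget -quiet
} elseif ($ageDays -ge ($tsl / 2)) {
    Write-Warning 'Newest backup is older than half the tombstone lifetime; schedule a new one.'
}
```

The half-lifetime warning is a practical margin, not a Microsoft rule: it leaves time to notice a failed backup job before the last good backup expires.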


 What are GPOs?

Group Policy gives you administrative control over users and computers in your
network. By using Group Policy, you define the state of a user's work environment
once, and then rely on Windows Server 2003 to continually enforce the Group Policy
settings that you apply, across an entire organization or to specific groups of
users and computers.
Group Policy Advantages
You can link Group Policy objects to domains, sites and organizational units.
All users and computers in the domain, site or organizational unit receive the
Group Policy settings.
By default only administrators (and the users they delegate) have the right to
change Group Policy settings, so the settings are well protected.
Policy settings can be removed, and the changes can be rewritten later.
Where GPO’s store Group Policy Information
Group Policy objects store their Group Policy information in two locations:

Group Policy Container: The GPC is an Active Directory object that contains GPO
status, version information, WMI filter information, and a list of components
(client-side extensions) that have settings in the GPO. Computers read the GPC to
locate the Group Policy template; if the domain controller they use does not have
the most recent version of the GPO, replication brings it the latest version.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder
on a domain controller. When you create a GPO, Windows Server 2003 creates the
corresponding GPT, which contains all Group Policy settings and information,
including administrative templates, security, software installation, scripts, and
folder redirection settings. Computers connect to the SYSVOL share to obtain the
settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO
that you created. It is identical to the GUID that Active Directory uses to identify the
GPO in the GPC. The path to the GPT on a domain controller is
%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GUID}.
Managing GPOs
Consider carefully which domain controller administrators edit GPOs on, because the
GPO data lives in two places, the SYSVOL folder and Active Directory, and the two are
replicated by independent mechanisms (file replication for SYSVOL, Active Directory
replication for the GPC). If two administrators edit the same GPO on different
domain controllers, one administrator's changes can overwrite the other's, depending
on replication latency. By default the Group Policy Management Console uses the PDC
emulator so that all administrators work on the same domain controller.

WMI Filter
WMI filters let you refine the scope of a GPO dynamically, based on attributes of
the target computer (operating system version, installed memory, server role, and
so on). In this way you can filter GPOs beyond the security-group filtering that was
previously available.

A WMI filter is linked to a GPO. When a GPO with a linked filter is applied to a
target computer, the Group Policy client evaluates the filter on that computer. A
WMI filter consists of one or more queries that are evaluated against the WMI
repository of the target computer. If any query returns no result, the filter is
false and the GPO is not applied; if every query returns a result, the filter is
true and the GPO is applied. You write the queries in the WMI Query Language (WQL),
which resembles SQL and is used for querying the WMI repository.
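A worked example of the filter mechanism (added here, not part of the original page): a WQL query of the kind a WMI filter contains, evaluated locally the same way the Group Policy client would evaluate it, followed by a listing of the filters already defined in the domain and the GPOs that use them. It assumes the GroupPolicy and ActiveDirectory modules (RSAT); the query is a sample, not one taken from the page.

```powershell
# Added example, not from the original page. Assumes RSAT modules GroupPolicy and
# ActiveDirectory; the sample WQL restricts a GPO to servers.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2 OR ProductType = 3'

function Test-WmiFilterQuery {
    param([string]$Query, [string]$Namespace = 'root\cimv2')
    # A filter is true only when every one of its queries returns at least one
    # instance. Win32_OperatingSystem has exactly one instance, so the WHERE decides.
    $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    [pscustomobject]@{ Query = $Query; Instances = $hits.Count; GpoWouldApply = ($hits.Count -gt 0) }
}

Test-WmiFilterQuery -Query $wql

# Filters are msWMI-Som objects under CN=SOM,CN=WMIPolicy,CN=System,<domain>.
# msWMI-Parm2 stores the query list as "1;3;10;<len>;WQL;<namespace>;<query>;".
$somBase = "CN=SOM,CN=WMIPolicy,CN=System,$((Get-ADDomain).DistinguishedName)"
$filters = Get-ADObject -SearchBase $somBase -LDAPFilter '(objectClass=msWMI-Som)' -Properties 'msWMI-Name', 'msWMI-Parm2'
$allGpos = Get-GPO -All

foreach ($f in $filters) {
    $queries = [regex]::Matches($f.'msWMI-Parm2', 'WQL;[^;]+;([^;]+);') | ForEach-Object { $_.Groups[1].Value }
    $usedBy  = $allGpos | Where-Object { $_.WmiFilter -and $_.WmiFilter.Name -eq $f.'msWMI-Name' } |
               Select-Object -ExpandProperty DisplayName
    [pscustomobject]@{ Filter = $f.'msWMI-Name'; Queries = ($queries -join ' | '); UsedBy = ($usedBy -join ', ') }
}
```

Test the query on a representative client before linking the filter: a query that errors on the client (for example, a namespace that does not exist there) evaluates to false, and the GPO silently does not apply.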

Planning a Group Policy Strategy for the Enterprise


When you plan an Active Directory structure, create a plan for GPO inheritance,
administration, and deployment that provides the most efficient Group Policy
management for your organization.

Also consider how you will implement Group Policy for the organization. Be sure to
consider the delegation of authority, separation of administrative duties, central
versus decentralized administration, and design flexibility so that your plan will
provide for ease of use as well as administration.

Planning GPOs
Create GPOs in way that provides for the simplest and most manageable design —
one in which you can use inheritance and multiple links.

Guidelines for Planning GPOs


Apply GPO settings at the highest level: This way you take advantage of Group
Policy inheritance. Determine which settings are common to the largest container,
starting with the domain, and link the GPO to that container.
Reduce the number of GPOs: Use multiple links instead of creating multiple identical
GPOs. Link a GPO to the broadest container possible to avoid creating multiple links
to the same GPO at a deeper level.
Create specialized GPOs: Use these GPOs to apply unique settings only where
necessary. GPOs at a higher level do not contain the settings of these specialized GPOs.
Disable unused computer or user configuration settings: When you create a GPO that
contains settings for only one of the two areas, user or computer, disable the other
area. This speeds up logon and startup processing and prevents settings from being
accidentally applied to the other area.
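The last guideline, applied across the domain. This is an added example and not part of the original page; it assumes the GroupPolicy module (RSAT) and relies on the fact that a GPO half whose Active Directory version number is 0 has never had a setting written to it.

```powershell
# Added example, not from the original page: disable the never-edited half of each
# GPO. Assumes the GroupPolicy module; run with -WhatIf first.
Import-Module GroupPolicy

function Disable-UnusedGpoHalf {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($gpo in Get-GPO -All) {
        # Leave fully disabled GPOs alone: changing their status would re-enable a half.
        if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { continue }

        $userEmpty     = $gpo.User.DSVersion     -eq 0
        $computerEmpty = $gpo.Computer.DSVersion -eq 0
        $target        = $null

        if ($userEmpty -and $computerEmpty) { continue }   # empty GPO: review or delete, not handled here
        elseif ($userEmpty     -and $gpo.GpoStatus -ne 'UserSettingsDisabled')     { $target = 'UserSettingsDisabled' }
        elseif ($computerEmpty -and $gpo.GpoStatus -ne 'ComputerSettingsDisabled') { $target = 'ComputerSettingsDisabled' }

        if ($target -and $PSCmdlet.ShouldProcess($gpo.DisplayName, "set GpoStatus to $target")) {
            # GpoStatus is writable; the change lands in the GPC and replicates normally.
            $gpo.GpoStatus = $target
            [pscustomobject]@{ GPO = $gpo.DisplayName; NewStatus = $gpo.GpoStatus }
        }
    }
}

Disable-UnusedGpoHalf -WhatIf
```

Version 0 is a conservative test: a half that was edited once and then emptied keeps a non-zero version and is left enabled, which is the safe direction to err in.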
 What is the order in which GPOs are applied?

Local, Site, Domain, OU

Group Policy settings are processed in the following order:

1:- Local Group Policy object-each computer has exactly one Group Policy object
that is stored locally. This processes for both computer and user Group Policy
processing.

2:- Site-Any GPOs that have been linked to the site that the computer belongs to are
processed next. Processing is in the order that is specified by the administrator, on
the Linked Group Policy Objects tab for the site in Group Policy Management
Console (GPMC). The GPO with the lowest link order is processed last, and
therefore has the highest precedence.
3:- Domain-processing of multiple domain-linked GPOs is in the order specified by
the administrator, on the Linked Group Policy Objects tab for the domain in GPMC.
The GPO with the lowest link order is processed last, and therefore has the highest
precedence.

4:- Organizational units-GPOs that are linked to the organizational unit that is
highest in the Active Directory hierarchy are processed first, then GPOs that are
linked to its child organizational unit, and so on. Finally, the GPOs that are linked to
the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many,
or no GPOs can be linked. If several GPOs are linked to an organizational unit, their
processing is in the order that is specified by the administrator, on the Linked
Group Policy Objects tab for the organizational unit in GPMC. The GPO with the
lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to
the organizational unit of which the computer or user is a direct member are
processed last, which overwrites settings in the earlier GPOs if there are conflicts.
(If there are no conflicts, then the earlier and later settings are merely aggregated.)
 Name a few benefits of using GPMC.

Microsoft released the Group Policy Management Console (GPMC) years ago, which
is an amazing innovation in Group Policy management. The tool provides control
over Group Policy in the following manner:
 Easy administration of all GPOs across the entire Active Directory Forest
 View of all GPOs in one single list
 Reporting of GPO settings, security, filters, delegation, etc.
 Control of GPO inheritance with Block Inheritance, Enforce, and Security
Filtering
 Delegation model
 Backup and restore of GPOs
 Migration of GPOs across different domains and forests

With all of these benefits, there are still gaps in using the GPMC alone. Granted,
the GPMC is needed and should be used by everyone for what it is good at. However,
it falls short when you want the following:
 Role-based delegation of GPO management
 Protection against GPOs being edited directly in production, which can damage
desktops and servers
 Protection against forgetting to back up a GPO after it has been modified
 Change management of each modification to every GPO
 How can you determine what GPO was and was not applied for a
user? Name a few ways to do that.

Use the Group Policy Management Console, which Microsoft created for that very
purpose: Group Policy Results reports the policies that were actually applied to a
user or computer, and Group Policy Modeling simulates which policies would apply to
a given user and computer. On the client itself, gpresult /r (or gpresult /x for
XML output) and the Resultant Set of Policy snap-in (rsop.msc) show the same
information, including which GPOs were denied and why.
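A scripted version of the Group Policy Results report, which also makes the processing order from the previous question visible. This is an added example, not part of the original answer; it assumes it runs on the target computer as the user in question, and it relies on the element names that gpresult emits in its XML (Rsop, ComputerResults/UserResults, GPO with Name, Enabled, AccessDenied, FilterAllowed and Link/SOMPath, AppliedOrder).

```powershell
# Added example, not from the original page: list every GPO gpresult considered,
# per scope, with its applied order and the reason it was skipped, if any.
function Get-AppliedGpoSummary {
    param([string]$XmlPath = (Join-Path $env:TEMP 'rsop.xml'))

    & gpresult.exe /x $XmlPath /f | Out-Null
    [xml]$rsop = Get-Content -Path $XmlPath -Raw   # dot navigation ignores the XML namespaces

    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in $rsop.Rsop.$scope.GPO) {
            $reason = if ($gpo.AccessDenied -eq 'true')      { 'denied: security filtering' }
                      elseif ($gpo.FilterAllowed -eq 'false') { 'denied: WMI filter' }
                      elseif ($gpo.Enabled -eq 'false')       { 'denied: GPO or link disabled' }
                      elseif ($gpo.Link.AppliedOrder)         { 'applied' }
                      else                                    { 'not applied' }
            [pscustomobject]@{
                Scope        = $scope -replace 'Results$'
                GPO          = $gpo.Name
                LinkedAt     = (@($gpo.Link) | ForEach-Object { $_.SOMPath }) -join '; '
                AppliedOrder = [int](@($gpo.Link) | ForEach-Object { $_.AppliedOrder } | Select-Object -First 1)
                Status       = $reason
            }
        }
    }
}

# A higher AppliedOrder means processed later (local, site, domain, OU, child OU),
# so on a conflicting setting the GPO with the highest AppliedOrder wins.
Get-AppliedGpoSummary | Sort-Object Scope, AppliedOrder | Format-Table -AutoSize
```

Run it elevated to get the computer scope; an unelevated run still reports the user scope.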
 What are administrative templates?

Administrative Templates are a feature of Group Policy, a Microsoft technology
for centralised management of machines and users in an Active Directory
environment.

Administrative Templates facilitate the management of registry-based policy. An
ADM file is used to describe both the user interface presented to the Group Policy
administrator and the registry keys that should be updated on the target machines.
An ADM file is a text file with a specific syntax which describes both the interface
and the registry values which will be changed if the policy is enabled or disabled.

ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP
Service Pack 2 shipped with five ADM files (system.adm, inetres.adm,
wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified
“namespace” in GPEdit and presented to the administrator under the
Administrative Templates node (for both machine and user policy).
 What’s the difference between software publishing and assigning?

ANS: An administrator can either assign or publish software applications.

Assign Users
The software application is advertised when the user logs on. It is installed when the
user clicks on the software application icon via the start menu, or accesses a file that
has been associated with the software application.

Assign Computers
The software application is advertised and installed when it is safe to do so, such as
when the computer is next restarted.

Publish to users
The software application does not appear on the start menu or desktop. This means
the user may not know that the software is available. The software application is
made available via the Add/Remove Programs option in control panel, or by
clicking on a file that has been associated with the application. Published
applications do not reinstall themselves in the event of accidental deletion, and it is
not possible to publish to computers.
 Can I deploy non-MSI software with GPO?
How to create a third-party Microsoft Installer package

http://support.microsoft.com/kb/257718/
 You want to standardize the desktop environments (wallpaper, My
Documents, Start menu, printers etc.) on the computers in one
department. How would you do that?

Log on to a client as a Domain Admin user and configure the desktop (wallpaper, My
Documents, Start menu, printers and so on). Then open System > User Profiles and
copy this profile to a shared location, selecting Everyone under Permitted to use.
After the copy, rename ntuser.dat to ntuser.man to make the profile mandatory
(read-only), and assign the share path as the profile path on each user account in
the department. Alternatively, put the same settings in a GPO linked to the
department's organizational unit, which is easier to change later than a mandatory
profile.

System Administrator –
Active Directory Interview Questions and Answers
(4)

1) What is Active Directory?

Active Directory is a centralized database that is used in a domain for
administrative purposes.

Active Directory is a directory service used on Microsoft Windows based computers and
servers to store information and data about networks and domains. It was first
released with Windows 2000 Server.

An Active Directory (sometimes referred to as AD) performs a variety of functions: it
provides information on objects, organizes these objects for easy retrieval and
access, allows access by end users and administrators, and allows the administrator
to set up security for the directory.

An Active Directory can be described as a hierarchical structure, usually broken
into three main categories: resources, which include hardware such as printers;
services for end users, such as web and e-mail servers; and objects, which are the
main functions of the domain and network.
It is worth noting how objects are organized. Remember that an object can be a piece
of hardware such as a printer, an end user, or a security setting made by the
administrator. Container objects can hold other objects. Every object has a name and
a distinguished name that gives its position in the hierarchy, and every object has
attributes that describe the information it contains. Which classes of objects exist,
and which attributes each class can have, is defined by the schema.

The object's class determines how it can be used. For instance, an ordinary user
object can be deleted entirely, whereas protected objects such as the built-in
Administrator account cannot be deleted, only disabled.

When learning Active Directory it is important to know the levels at which objects
can be viewed. An Active Directory can be viewed at one of three levels: forest,
tree, or domain. The highest structure is the forest, within which all objects of
the Active Directory are visible.

Within the forest structure are trees; each tree holds one or more domains that
share a contiguous DNS namespace. Further down the structure are the single domains.
To put forests, trees and domains into perspective, consider the following example.

A large organization has many dozens of users and processes. The forest is the whole
set of domains that share one schema and one configuration. Within the forest, a
tree might be a parent domain and its child domains. Within each domain are
containers and organizational units that hold the user, computer and group objects,
which can then be controlled and categorized further.

Another Answer

Active Directory in Windows Server 2003

Active Directory is one of the most important parts of Windows Server 2003
networking, so you first need to understand what it is and how it works. It makes
information easy to find for administrators and users. You can use Active Directory
to model an organization's structure according to its requirements, and you can
scale it from a single computer to a single network or to many networks. Active
Directory can include every object, server and domain in a network.

Logical Component

The organization you set up in Windows Server 2003 and the organization you set up
in Exchange Server 2003 are the same, as was the case with Windows 2000 and Exchange
2000. The advantage is that one administrator manages all aspects of user
configuration. The logical constructs described in the following subsections allow
you to define and group resources so that they can be located and administered by
name rather than by physical location.

Objects

The object is the basic unit of Active Directory. It is a distinct, named set of
attributes that represents something concrete, such as a user, a printer or an
application. In Exchange a user object's attributes include, among other things, its
name and location.

Organizational Unit

An organizational unit (OU) is a container in which you can keep objects such as
user accounts, groups, computers, printers, applications and other OUs. On an
organizational unit you can delegate specific permissions to users, and
organizational units can also be used to model departmental boundaries.

Domains

A domain is a group of computers and other resources that are part of a network and
share a common directory database. Once a server has been installed, you can use the
Active Directory Installation Wizard to install Active Directory. To install Active
Directory on the first server on the network, that server must have access to a
server running DNS (Domain Name System); if this service is not installed on your
server, you will have to install it during the Active Directory installation.

How do you create a new application partition?


When you create an application directory partition, you are creating the first
instance of that partition. You can create an application directory partition by
using the create nc option in the domain management menu of Ntdsutil. When you
create an application directory partition with LDP or ADSI instead, provide a
description in the description attribute of the domainDNS object that indicates the
specific application that will use the partition. For example, if the application
directory partition will be used to store data for a Microsoft accounting program,
the description could be "Microsoft accounting application". Ntdsutil does not let
you set a description.

To create or delete an application directory partition

1. Open Command Prompt.

2. Type:

ntdsutil

3. At the Ntdsutil command prompt, type:

domain management

4. At the domain management command prompt, do one of the following:

· To create an application directory partition, type:

create nc <ApplicationDirectoryPartition> <DomainController>

· To delete an application directory partition, type:

delete nc <ApplicationDirectoryPartition>

where <ApplicationDirectoryPartition> is the distinguished name of the partition and
<DomainController> is the DNS name of the domain controller that will host the
first replica.

Answer:

Start >> Run >> cmd >> type NTDSUTIL and press Enter

ntdsutil: domain management (press Enter)

domain management: create nc dc=<partition>,dc=<domain>,dc=com <DomainController>

ANSWER B
Create an application directory partition by using the DnsCmd command

Use the DnsCmd command to create an application directory partition. To do this, use
the following syntax:

dnscmd <ServerName> /CreateDirectoryPartition <FQDN of partition>

To create an application directory partition that is named CustomDNSPartition on a
domain controller that is named DC-1, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.

2. Type the following command, and then press ENTER:

dnscmd DC-1 /createdirectorypartition CustomDNSPartition.contoso.com

When the application directory partition has been successfully created, the
following information appears:

DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com
Command completed successfully.

Configure an additional domain controller DNS server to host the application
directory partition

Configure an additional domain controller that is acting as a DNS server to host the
new application directory partition that you created. To do this, use the following
syntax with the DnsCmd command:

dnscmd <ServerName> /EnlistDirectoryPartition <FQDN of partition>

To configure the example domain controller that is named DC-2 to host this custom
application directory partition, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.

2. Type the following command, and then press ENTER:

dnscmd DC-2 /enlistdirectorypartition CustomDNSPartition.contoso.com

The following information appears:

DNS Server DC-2 enlisted directory partition: CustomDNSPartition.contoso.com
Command completed successfully.
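The two dnscmd steps above, done for all DNS-hosting domain controllers at once and verified afterwards. This is an added example, not part of the original answer; it assumes the ActiveDirectory module, dnscmd.exe on the machine it runs from, Enterprise Admins rights, and the same placeholder partition name used above.

```powershell
# Added example, not from the original page: create a DNS application directory
# partition, enlist every DNS-hosting DC, and read the replica set back from the
# partition's crossRef object. Assumes the ActiveDirectory module and dnscmd.exe.
Import-Module ActiveDirectory

$partitionFqdn = 'CustomDNSPartition.contoso.com'   # placeholder, as in the answer above

# Only DCs running the DNS Server service can host a DNS application partition;
# 'dnscmd <server> /Info' exits with 0 only when it reaches a DNS server.
$dnsDcs = Get-ADDomainController -Filter * | ForEach-Object {
    & dnscmd.exe $_.HostName /Info | Out-Null
    if ($LASTEXITCODE -eq 0) { $_.HostName }
}
if (-not $dnsDcs) { throw 'No DNS-hosting domain controller found' }

# The creating server becomes the first replica automatically ...
$first = $dnsDcs | Select-Object -First 1
& dnscmd.exe $first /CreateDirectoryPartition $partitionFqdn
if ($LASTEXITCODE -ne 0) { throw "CreateDirectoryPartition failed on $first (exit code $LASTEXITCODE)" }

# ... every other DNS server has to be enlisted explicitly.
foreach ($dc in ($dnsDcs | Select-Object -Skip 1)) {
    & dnscmd.exe $dc /EnlistDirectoryPartition $partitionFqdn
    if ($LASTEXITCODE -ne 0) { Write-Warning "EnlistDirectoryPartition failed on $dc (exit code $LASTEXITCODE)" }
}

# Verify: the partition's crossRef (under CN=Partitions in the configuration NC)
# lists the NTDS Settings objects of all replicas in msDS-NC-Replica-Locations.
$partitionsCn = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $partitionsCn -LDAPFilter "(&(objectClass=crossRef)(dnsRoot=$partitionFqdn))" -Properties nCName, 'msDS-NC-Replica-Locations' |
    Select-Object nCName, @{ n = 'Replicas'; e = { $_.'msDS-NC-Replica-Locations' -join '; ' } }
```

Enlisting a DC that is not a DNS server fails, which is why the candidate list is filtered first rather than taken from the full DC list.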

26) What is the difference between ldifde and csvde usage considerations?

Ldifde
Ldifde creates, modifies, and deletes directory objects on computers running Windows Server
2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the
schema, export Active Directory user and group information to other applications or services,
and populate Active Directory with data from other directory services.

The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that
may be used for performing batch operations against directories that conform to the LDAP
standards. LDIF can be used to export and import data, allowing batch operations such as add,
create, and modify to be performed against the Active Directory. A utility program called
LDIFDE is included in Windows 2000 to support batch operations based on the LDIF file
format standard. This article is designed to help you better understand how the LDIFDE utility
can be used to migrate directories.

http://support.microsoft.com/kb/237677

Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files that store
data in the comma-separated value (CSV) format. You can also support batch operations based
on the CSV file format standard.

Csvde is a command-line tool that is built into Windows Server 2008, in the
%SystemRoot%\System32 folder. It is available if you have the AD DS or Active
Directory Lightweight Directory Services (AD LDS) server role installed. To use
csvde, run it from an elevated command prompt: click Start, right-click Command
Prompt, and then click Run as administrator.
http://technet.microsoft.com/en-us/library/cc732101.aspx

DIFFERENCE USAGE WISE

Csvde.exe is a Microsoft Windows 2000 command-line utility that is located in the
SystemRoot\System32 folder after you install Windows 2000. Csvde.exe is similar to Ldifde.exe,
but it extracts information in a comma-separated value (CSV) format. You can use Csvde to
import and export Active Directory data that uses the comma-separated value format. Use a
spreadsheet program such as Microsoft Excel to open this .csv file and view the header and value
information. See Microsoft Excel Help for information about functions such as Concatenate
that can simplify the process of building a .csv file.

Note Although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only import
and export Active Directory data by using a comma-separated format (.csv). Microsoft
recommends that you use the Ldifde utility for Modify or Delete operations. Additionally, the
distinguished name (also known as DN) of the item that you are trying to import must be in the
first column of the .csv file or the import will not work.

The source .csv file can come from an Exchange Server directory export. However, because of
the difference in attribute mappings between the Exchange Server directory and Active
Directory, you must make some modifications to the .csv file. For example, a directory export
from Exchange Server has a column that is named “obj-class” that you must rename to
“objectClass.” You must also rename “Display Name” to “displayName.”

http://support.microsoft.com/kb/327620
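The two rules above (the DN must be the first column, and an Exchange export needs its headers renamed before csvde will accept it) are easy to get wrong by hand. The following Python block is an added example, not from this page or from Microsoft's tools: it normalises a constructed Exchange-style export for csvde and emits the equivalent LDIF for ldifde, including the changetype line that is the reason ldifde, not csvde, is used for Modify and Delete operations. The sample users, OU and domain name are constructed.

```python
"""Added example (not part of the original article): prepare a .csv for csvde
import and generate equivalent LDIF input for ldifde. Sample data is constructed."""
import csv
import io

# Header renames the article calls out for an Exchange Server directory export.
EXCHANGE_TO_AD = {"obj-class": "objectClass", "Display Name": "displayName"}

# Constructed sample of an Exchange-style export (DN already in the first column).
EXCHANGE_EXPORT = """DN,obj-class,Display Name,sAMAccountName
"CN=Alice Example,OU=Staff,DC=contoso,DC=com",user,Alice Example,alice
"CN=Bob Example,OU=Staff,DC=contoso,DC=com",user,Bob Example,bob
"""


def normalise_csv_for_csvde(text):
    """Rename Exchange-style headers to AD attribute names and verify that the
    distinguished name is the first column, which csvde requires for import."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        raise ValueError("empty CSV")
    header = [EXCHANGE_TO_AD.get(col, col) for col in rows[0]]
    if header[0].upper() != "DN":
        raise ValueError("csvde import needs the DN in the first column")
    header[0] = "DN"
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows[1:])
    return out.getvalue()


def csv_to_ldif(text, changetype="add"):
    """Emit one LDIF change record per CSV row. LDIF carries an explicit
    changetype (add, modify, delete); CSV has no such field, which is why
    csvde only imports new objects and ldifde is used for Modify or Delete."""
    rows = csv.DictReader(io.StringIO(text))
    records = []
    for row in rows:
        lines = [f"dn: {row['DN']}", f"changetype: {changetype}"]
        if changetype == "add":
            lines.extend(f"{k}: {v}" for k, v in row.items() if k != "DN" and v)
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    clean = normalise_csv_for_csvde(EXCHANGE_EXPORT)
    print(clean)
    print(csv_to_ldif(clean))
    print(csv_to_ldif(clean, changetype="delete"))
```

The delete variant shows the practical difference: the same two DNs become a valid ldifde deletion batch, while there is no .csv form that csvde would treat as a delete.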

27) What are the FSMO roles, which domain controllers hold them by default, and what happens
when each one fails?

FSMO stands for Flexible Single Master Operation.

It has 5 roles:

- Schema Master:
The schema master domain controller controls all updates and modifications to the schema.
Once the Schema update is complete, it is replicated from the schema master to all other DCs in
the directory. To update the schema of a forest, you must have access to the schema master.
There can be only one schema master in the whole forest.

- Domain Naming Master:

The domain naming master domain controller controls the addition or removal of domains in
the forest. This DC is the only one that can add or remove a domain from the directory. It can
also add or remove cross references to domains in external directories. There can be only one
domain naming master in the whole forest.

- Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it represents
the reference by the GUID, the SID (for references to security principals), and the DN of the
object being referenced. The infrastructure FSMO role holder is the DC responsible for updating
an object’s SID and distinguished name in a cross-domain object reference. At any one time,
there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a
Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will
stop updating object information because it does not contain any references to objects that it
does not hold. This is because a Global Catalog server holds a partial replica of every object in
the forest. As a result, cross-domain object references in that domain will not be updated and a
warning to that effect will be logged on that DC’s event log. If all the domain controllers in a
domain also host the global catalog, all the domain controllers have the current data, and it is
not important which domain controller holds the infrastructure master role.

- Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same
for all SIDs created in a domain), and a relative ID (RID) that is unique for each security
principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is
allowed to assign to the security principals it creates. When a DC’s allocated RID pool falls below
a threshold, that DC issues a request for additional RIDs to the domain’s RID master. The
domain RID master responds to the request by retrieving RIDs from the domain’s unallocated
RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only
one domain controller acting as the RID master in the domain.
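The RID pool mechanism just described can be made concrete. The following Python block is an added model, not from this page or from Windows itself: a RID master hands out blocks of RIDs to domain controllers, each DC turns a RID into a SID by appending it to the domain SID, and a DC asks for its next block once the remaining RIDs fall below a threshold. The domain SID, DC names and the small pool size used in the comments are constructed; the default pool size of 500 appears as a parameter, and the 50% refill threshold is an illustrative assumption.

```python
"""Added example (not part of the original article): a small model of RID pool
allocation by the RID master and SID construction on a domain controller.
The domain SID and DC names are constructed."""

# Constructed domain SID: S-1-5-21 followed by three sub-authorities.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


class RidMaster:
    """Owns the domain's unallocated RID space and serves pool requests.
    A pool size of 500 is the Windows default; first_rid is illustrative."""

    def __init__(self, pool_size=500, first_rid=1000):
        self.pool_size = pool_size
        self.next_rid = first_rid
        self.allocations = []  # (dc_name, low, high): the RID allocation table

    def allocate_pool(self, dc_name):
        low = self.next_rid
        high = low + self.pool_size - 1
        self.next_rid = high + 1
        self.allocations.append((dc_name, low, high))
        return low, high


class DomainController:
    """Creates security principals from its current RID pool. When the RIDs left
    in the pool fall below `threshold` of a pool (assumed 50% here) and no
    standby pool is held yet, it asks the RID master for the next pool early."""

    def __init__(self, name, rid_master, threshold=0.5):
        self.name = name
        self.rid_master = rid_master
        self.threshold = threshold
        self.pool_requests = 0
        self.standby = None
        self.low, self.high = self._request_pool()

    def _request_pool(self):
        self.pool_requests += 1
        return self.rid_master.allocate_pool(self.name)

    def create_principal(self):
        """Return the SID of a newly created user or group: domain SID + '-' + RID."""
        if self.low > self.high:  # current pool exhausted, switch to the standby pool
            if self.standby is None:
                raise RuntimeError(f"{self.name}: RID pool exhausted and no standby pool")
            self.low, self.high = self.standby
            self.standby = None
        rid = self.low
        self.low += 1
        remaining = self.high - self.low + 1
        if self.standby is None and remaining < self.threshold * self.rid_master.pool_size:
            self.standby = self._request_pool()
        return f"{DOMAIN_SID}-{rid}"


if __name__ == "__main__":
    master = RidMaster(pool_size=10)  # tiny pool so the refill is visible
    dc1 = DomainController("DC1", master)
    for _ in range(11):
        print(dc1.create_principal())
    dc2 = DomainController("DC2", master)
    print(dc2.create_principal())
    print("allocation table:", master.allocations)
```

The allocation table printed at the end is what the dcdiag /test:ridmanager output mentioned later in this document reports per DC: which block each DC currently owns and what the domain's next unallocated RID is.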

- PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003
includes the W32Time (Windows Time) time service that is required by the Kerberos
authentication protocol. All Windows 2000/2003-based computers within an enterprise use a
common time. The purpose of the time service is to ensure that the Windows Time service uses a
hierarchical relationship that controls authority and does not permit loops, to ensure appropriate
common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of
the forest becomes authoritative for the enterprise, and should be configured to gather the time
from an external source. All PDC FSMO role holders follow the hierarchy of domains in the
selection of their in-bound time partner.

In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the
PDC emulator.
- Authentication failures that occur at a given DC in a domain because of an incorrect password
are forwarded to the PDC emulator before a bad password failure message is reported to the
user.
- Account lockout is processed on the PDC emulator.
- Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in
the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.
- The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-
based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member
servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to
Windows 2000/2003. The PDC emulator still performs the other functions as described in a
Windows 2000/2003 environment.

28) What FSMO placement considerations do you know of?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called
FSMO (Flexible Single Master Operation), as described in "Understanding FSMO Roles in Active
Directory". In most cases an administrator can keep the FSMO role holders (all 5 of them) in the
same spot (or actually, on the same DC) as has been configured by the Active Directory
installation process. However, there are scenarios where an administrator would want to move
one or more of the FSMO roles from the default holder DC to a different DC.

Windows Server 2003 Active Directory is a bit different from the Windows 2000 version when
dealing with FSMO placement. This answer deals only with Windows Server 2003 Active
Directory, but you should bear in mind that most considerations also hold when planning
Windows 2000 AD FSMO roles.

29) I want to look at the RID allocation table for a DC. What do I do?

1. Install the Support Tools from the OS installation disk (Support\Tools\suptools.msi).
2. At a command prompt, type dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our
DC).

30) What’s the difference between transferring a FSMO role and seizing one?
Which one should you NOT seize? Why?

Seizing an FSMO role can be a destructive process and should only be attempted if the existing
server holding the role is no longer available.
If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable,
DO NOT seize the Schema Master role.
If you are going to seize the Schema Master, you must permanently disconnect the current
Schema Master from the network.
If you seize the Schema Master role, the boot drive on the original Schema Master must be
completely reformatted and the operating system must be cleanly installed if you intend to
return this computer to the network.
NOTE: The boot partition contains the system files (\System32). The system partition is the
partition that contains the startup files: NTDetect.com, NTLDR, Boot.ini, and possibly
Ntbootdd.sys.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first
domain controller in the forest root domain. The first domain controller in each new child or
tree domain is assigned the three domain-wide roles.

31) How do you configure a “stand-by operation master” for any of the roles?

1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the
Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to
display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder,
and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.

32) How do you backup and restore AD?

Backing up Active Directory is essential to maintain an Active Directory database. You can back
up Active Directory by using the Graphical User Interface (GUI) and command-line tools that
the Windows Server 2003 family provides.
Back up the system state data on domain controllers frequently so that you can restore the
most current data. By establishing a regular backup schedule, you have a better chance of
recovering data when necessary.

To ensure a good backup, which includes at least the system state data and the contents of the
system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is
60 days, so any backup older than 60 days is not a good backup. Plan to back up at least two
domain controllers in each domain, so that at least one backup is available to enable an
authoritative restore of the data when necessary.

System State Data

Several features in the Windows Server 2003 family make it easy to back up Active Directory.
You can back up Active Directory while the server is online, and other network functions can
continue to operate.

System state data on a domain controller includes the following components:

- Active Directory: System state data does not contain Active Directory unless the server on
which you are backing up the system state data is a domain controller. Active Directory is
present only on domain controllers.
- The SYSVOL shared folder: This shared folder contains Group Policy templates and logon
scripts. The SYSVOL shared folder is present only on domain controllers.
- The Registry: This database repository contains information about the computer’s
configuration.
- System startup files: Windows Server 2003 requires these files during its initial startup phase.
They include the boot and system files that are under Windows File Protection and used by
Windows to load, configure, and run the operating system.
- The COM+ Class Registration database: The Class Registration database holds information
about Component Services applications.
- The Certificate Services database: This database contains certificates that a server running
Windows Server 2003 uses to authenticate users. The Certificate Services database is present
only if the server is operating as a certificate server.

System state data contains most elements of a system’s configuration, but it may not include all
of the information that you require to recover from a system failure. Therefore, be sure to
back up all boot and system volumes, including the system state, when you back up your server.
Restoring Active Directory

In the Windows Server 2003 family, you can restore the Active Directory database if it becomes
corrupted or is destroyed because of hardware or software failures. You also restore the Active
Directory database when objects in Active Directory have been changed or deleted and must be
recovered.

Active Directory can be restored in several ways. Replication synchronizes the latest changes
from every other replication partner; once replication is finished, each partner has an updated
version of Active Directory. The other way to recover the latest data is to use the Backup utility
to restore replicated data from a backup copy. For this restore you do not need to configure your
domain controller again or install the operating system from scratch.

Active Directory Restore Methods

You can use one of three methods to restore Active Directory from backup media: primary
restore, normal (nonauthoritative) restore, and authoritative restore.

Primary restore: This method rebuilds the first domain controller in a domain when there is no
other way to rebuild the domain. Perform a primary restore only when all the domain
controllers in the domain are lost and you want to rebuild the domain from the backup.
Members of the Administrators group can perform a primary restore on the local computer, or a
user must have been delegated this responsibility. On a domain controller, only Domain Admins
can perform this restore.

Normal restore: This method reinstates the Active Directory data to the state before the backup,
and then updates the data through the normal replication process. Perform a normal restore to
return a single domain controller to a previously known good state.

Authoritative restore: You perform this method in tandem with a normal restore. An
authoritative restore marks specific data as current and prevents replication from overwriting
that data. The authoritative data is then replicated through the domain. Perform an
authoritative restore to recover individual objects in a domain that has multiple domain
controllers. When you perform an authoritative restore, you lose all changes to the restored
objects that occurred after the backup. Ntdsutil is the command-line utility used to perform an
authoritative restore, along with the Windows Server 2003 system utilities. Ntdsutil marks
Active Directory objects as authoritative so that they receive a higher version number; as a
result, data that was changed more recently on other domain controllers does not overwrite the
restored data during replication.

33) Why can’t you restore a DC that was backed up 4 months ago?
Because of the tombstone life which is set to only 60 days
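Two points from the restore discussion in question 32 and the 60-day answer just given are worth seeing as arithmetic: whether a backup is still inside the tombstone lifetime, and why an authoritatively restored object survives replication while a nonauthoritatively restored one is overwritten. The following Python block is an added model, not from this page or from ntdsutil. The dates, attribute values and version numbers are constructed; the 60-day lifetime is the default the page cites, the 100,000-per-day version increase mirrors ntdsutil's documented default, and counting a same-day restore as one elapsed day is a simplification of this model.

```python
"""Added example (not part of the original article): backup age versus tombstone
lifetime, and a modelled version bump showing why an authoritative restore wins
replication conflicts. All dates and object data are constructed."""
from datetime import date

TOMBSTONE_LIFETIME_DAYS = 60         # default cited in the article
VERSION_INCREMENT_PER_DAY = 100_000  # ntdsutil's default increase per elapsed day


def backup_is_usable(backup_date, restore_date, tombstone_days=TOMBSTONE_LIFETIME_DAYS):
    """Return (usable, age_in_days). A backup older than the tombstone lifetime
    must not be restored: deletions that happened after the backup have already
    been garbage-collected on the other DCs, so the restored DC would bring back
    objects that no replication partner knows to delete again."""
    age = (restore_date - backup_date).days
    return age < tombstone_days, age


def authoritative_version(backed_up_version, backup_date, restore_date,
                          per_day=VERSION_INCREMENT_PER_DAY):
    """Version number an attribute carries after being marked authoritative.
    Modelling assumption: a same-day restore still counts as one elapsed day."""
    days = max(1, (restore_date - backup_date).days)
    return backed_up_version + per_day * days


def replicate(local, incoming):
    """Simplified AD attribute conflict resolution: the higher version wins.
    `local` and `incoming` are {"value": ..., "version": ...} dictionaries."""
    return incoming if incoming["version"] > local["version"] else local


def restore_outcome(backed_up, current_on_partners, backup_date, restore_date, authoritative):
    """Value a replication partner ends up with after the restored DC replicates
    with it. Nonauthoritative: the backed-up version is simply older and loses.
    Authoritative: the version bump makes the restored value win."""
    restored = dict(backed_up)
    if authoritative:
        restored["version"] = authoritative_version(backed_up["version"],
                                                    backup_date, restore_date)
    return replicate(current_on_partners, restored)["value"]


if __name__ == "__main__":
    taken, today = date(2024, 1, 10), date(2024, 1, 15)
    print(backup_is_usable(date(2024, 1, 1), date(2024, 5, 1)))   # four months old
    backed_up = {"value": "Sales", "version": 3}
    changed_since = {"value": "Sales-renamed", "version": 5}
    print(restore_outcome(backed_up, changed_since, taken, today, authoritative=False))
    print(restore_outcome(backed_up, changed_since, taken, today, authoritative=True))
```

The first call is the four-month case from question 33: 121 days is past the 60-day lifetime, so the backup is not usable. The last two calls show the same object restored normally (the partners' newer change wins) and authoritatively (the restored value wins).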

34) What are GPOs?

Group Policy Objects

35) What is the order in which GPOs are applied?

Local, Site, Domain, OU

Group Policy settings are processed in the following order:

1. Local Group Policy object: each computer has exactly one Group Policy object that is stored
locally. This is processed for both computer and user Group Policy processing.

2. Site: any GPOs that have been linked to the site that the computer belongs to are processed
next. Processing is in the order that is specified by the administrator, on the Linked Group
Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the
lowest link order is processed last, and therefore has the highest precedence.

3. Domain: processing of multiple domain-linked GPOs is in the order specified by the
administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with
the lowest link order is processed last, and therefore has the highest precedence.

4. Organizational units: GPOs that are linked to the organizational unit that is highest in the
Active Directory hierarchy are processed first, then GPOs that are linked to its child
organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that
contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs
can be linked. If several GPOs are linked to an organizational unit, their processing is in the
order that is specified by the administrator, on the Linked Group Policy Objects tab for the
organizational unit in GPMC. The GPO with the lowest link order is processed last, and
therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the
organizational unit of which the computer or user is a direct member are processed last, which
overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the
earlier and later settings are merely aggregated.)

36) Name a few benefits of using GPMC.

- Easy administration of all GPOs across the entire Active Directory forest
- View of all GPOs in one single list
- Reporting of GPO settings, security, filters, delegation, etc.
- Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
- Delegation model
- Backup and restore of GPOs
- Migration of GPOs across different domains and forests

With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC
is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short
when you want to protect the GPOs from the following:

- Role based delegation of GPO management
- Being edited in production, potentially causing damage to desktops and servers
- Forgetting to back up a GPO after it has been modified
- Change management of each modification to every GPO

37) What are the GPC and the GPT? Where can I find them?

A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object
consisting of a Group Policy container (GPC) and a Group Policy template (GPT).

The GPC, which contains information on the properties of a GPO, is stored in Active Directory
on each domain controller in the domain. The GPT contains the data in a GPO and is stored in
the Sysvol in the /Policies sub-directory.

38) What are GPO links? What special things can I do to them?

Linking GPOs
To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to
add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using
GPMC. Keep in mind that creating and linking GPOs is a sensitive privilege that should be
delegated only to administrators who are trusted and understand Group Policy.

Linking GPOs to the Site

If you have a number of policy settings to apply to computers in a particular physical location
only – certain network or proxy configuration settings, for example – these settings might be
appropriate for inclusion in a site-based policy. Because domains and sites are independent, it is
possible that computers in the site might need to cross domains to link the GPO to the site. In
this case, make sure there is good connectivity.

If, however, the settings do not clearly correspond to computers in a single site, it is better to
assign the GPO to the domain or OU structure rather than to the site.

Linking GPOs to the Domain

Link GPOs to the domain if you want them to apply to all users and computers in the domain.
For example, security administrators often implement domain-based GPOs to enforce corporate
standards. They might want to create these GPOs with the GPMC Enforce option enabled to
guarantee that no other administrator can override these settings.

Important: If you need to modify some of the settings contained in the Default Domain Policy
GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and
set the Enforce option. In general, do not modify this or the Default Domain Controller Policy
GPO. If you do, be sure to back up these and any other GPOs in your network by using GPMC to
ensure you can restore them.

As the name suggests, the Default Domain Policy GPO is also linked to the domain. The
Default Domain Policy GPO is created when the first domain controller in the domain is
installed and the administrator logs on for the first time. This GPO contains the domain-wide
account policy settings, Password Policy, Account Lockout Policy, and Kerberos Policy, which is
enforced by the domain controller computers in the domain. All domain controllers retrieve the
values of these account policy settings from the Default Domain Policy GPO. In order to
apply account policies to domain accounts, these policy settings must be deployed in a GPO
linked to the domain, and it is recommended that you set these settings in the Default Domain
Policy. If you set account policies at a lower level, such as an OU, the settings only affect local
accounts (non-domain accounts) on computers in that OU and its children.

Before making any changes to the default GPOs, be sure to back up the GPO using GPMC. If for
some reason there is a problem with the changes to the default GPOs and you cannot revert back
to the previous or initial states, you can use the Dcgpofix.exe tool to recreate the default policies
in their initial state.

Dcgpofix.exe is a command-line tool that completely restores the Default Domain Policy GPO
and Default Domain Controller GPO to their original states in the event of a disaster where you
cannot use GPMC. Dcgpofix.exe restores only the policy settings that are contained in the
default GPOs at the time they are generated. The only Group Policy extensions that include
policy settings in the default GPOs are RIS, Security, and EFS. Dcgpofix.exe does not restore
other GPOs that administrators create; it is only intended for disaster recovery of the default
GPOs.

Note that Dcgpofix.exe does not save any information created through applications, such as SMS
or Exchange. The Dcgpofix.exe tool is included with Windows Server 2003 and only works in a
Windows Server 2003 domain.

Dcgpofix.exe is located in the C:\Windows\Repair folder. The syntax for Dcgpofix.exe is as
follows:

DCGPOFix [/Target: Domain | DC | BOTH]

Table 2.1 describes the options you can use with the command-line parameter /Target: when
using the Dcgpofix.exe tool.

Table 2.1 Dcgpofix.exe Options for Using the /Target Parameter

/Target option   Description of option
DOMAIN           Specifies that the Default Domain Policy should be recreated.
DC               Specifies that the Default Domain Controllers Policy should be recreated.
BOTH             Specifies that both the Default Domain Policy and the Default Domain
                 Controllers Policy should be recreated.

For more information about Dcgpofix.exe, in Help and Support Center for Windows Server 2003
click Tools, and then click Command-line reference A-Z.

Linking GPOs to the OU Structure

Most GPOs are normally linked to the OU structure because this provides the most flexibility
and manageability:

- You can move users and computers into and out of OUs.
- OUs can be rearranged if necessary.
- You can work with smaller groups of users who have common administrative
requirements.
- You can organize users and computers based on which administrators manage them.

Organizing GPOs into user- and computer-oriented GPOs can help make your Group Policy
environment easier to understand and can simplify troubleshooting. However, separating the
user and computer components into separate GPOs might require more GPOs. You can
compensate for this by adjusting the GPO Status to disable the user or computer configuration
portions of the GPO that do not apply and to reduce the time required to apply a given GPO.

Changing the GPO Link Order

Within each domain, site, and OU, the link order controls the order in which GPOs are applied.
To change the precedence of a link, you can change the link order, moving each link up or down
in the list to the appropriate location. Links with the lowest number have higher precedence for
a given site, domain, or OU. For example, if you add six GPO links and later decide that you
want the last one that you added to have the highest precedence, you can adjust the link order of
the GPO link so it has link order of 1. To change the link order for GPO links for a domain, OU,
or site, use GPMC.

http://technet.microsoft.com/en-us/library/cc736813.aspx
http://technet.microsoft.com/en-us/library/cc757050.aspx

39) What can I do to prevent inheritance from above?

You can block policy inheritance for a domain or organizational unit. Using block inheritance
prevents GPOs linked to higher sites, domains, or organizational units from being automatically
inherited by the child-level. By default, children inherit all GPOs from the parent, but it is
sometimes useful to block inheritance. For example, if you want to apply a single set of policies
to an entire domain except for one organizational unit, you can link the required GPOs at the
domain level (from which all organizational units inherit policies by default), and then block
inheritance only on the organizational unit to which the policies should not be applied.

40) How can I override blocking of inheritance?

A. Group Policies can be applied at multiple levels (sites, domains, organizational units), with
multiple GPOs at each level. Some policy settings may conflict, hence the application order of
Site – Domain – Organizational Unit, and within each layer you set the order for all defined
policies. You may want to force some policies to never be overridden (No Override), and you
may want some containers to not inherit settings from a parent container (Block Inheritance).

A good definition of each is as follows:

No Override – This prevents child containers from overriding policies set at higher levels.

Block Inheritance – Stops containers inheriting policies from parent containers.

No Override takes precedence over Block Inheritance, so if a child container has Block
Inheritance set but a group policy on the parent has No Override set, that policy will still be
applied.

Also, the highest No Override takes precedence over lower No Overrides.

To block inheritance perform the following:

1. Start the Active Directory Users and Computers snap-in (Start – Programs –
Administrative Tools – Active Directory Users and Computers)
2. Right-click the container you wish to stop inheriting settings from its parent and select
Properties
3. Select the ‘Group Policy’ tab
4. Check the ‘Block Policy inheritance’ option
5. Click Apply then OK

To set a policy to never be overridden perform the following:

1. Start the Active Directory Users and Computers snap-in (Start – Programs –
Administrative Tools – Active Directory Users and Computers)
2. Right-click the container holding the Group Policy you wish to set to not be overridden and
select Properties
3. Select the ‘Group Policy’ tab
4. Click Options
5. Check the ‘No Override’ option
6. Click OK
7. Click Apply then OK
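The precedence rules spread over questions 35, 39 and 40 (Local, Site, Domain, OU order; lowest link order processed last; Block Inheritance on a container; No Override/Enforce beating a block, with the highest enforced link winning among enforced links) can be checked with a small resolver. The following Python block is an added example, not from this page or from GPMC; every GPO name, container and setting in it is constructed.

```python
"""Added example (not part of the original article): resolve the effective Group
Policy settings for an object from the LSDOU processing order, link order,
Block Inheritance and Enforce (No Override). All names and values are constructed."""


def effective_settings(containers, local_gpo=None):
    """containers: list ordered Site, Domain, top-level OU, ..., OU holding the object.
    Each container is {"name": str, "block_inheritance": bool, "links": [link, ...]}
    and each link is {"gpo": str, "link_order": int, "enforced": bool, "settings": dict}.
    Returns {setting: (value, winning_gpo)}."""
    normal = []                 # non-enforced links in processing order
    enforced_by_container = []  # enforced links, one list per container

    # The deepest container with Block Inheritance blocks every non-enforced link
    # from the containers above it (the local GPO is not inherited, so it still applies).
    blocked_above = -1
    for i, c in enumerate(containers):
        if c.get("block_inheritance"):
            blocked_above = i

    if local_gpo:
        normal.append(local_gpo)

    for i, c in enumerate(containers):
        # Lowest link order is processed last, so it has the highest precedence.
        links = sorted(c["links"], key=lambda l: l["link_order"], reverse=True)
        enforced_by_container.append([l for l in links if l.get("enforced")])
        if i >= blocked_above:
            normal.extend(l for l in links if not l.get("enforced"))

    # Enforced links are applied after everything else, and the enforced link
    # nearest the root wins, so walk the containers from the object upwards.
    ordered = normal[:]
    for links in reversed(enforced_by_container):
        ordered.extend(links)

    result = {}
    for link in ordered:  # later writes overwrite earlier ones
        for key, value in link["settings"].items():
            result[key] = (value, link["gpo"])
    return result


def sample_hierarchy(block_on_lab):
    """Constructed site/domain/OU chain for a computer in OU=Lab under OU=Staff."""
    return [
        {"name": "Site-HQ", "links": [
            {"gpo": "SiteProxy", "link_order": 1, "settings": {"proxy": "proxy.site.example"}}]},
        {"name": "contoso.com", "links": [
            {"gpo": "CorpSecurity", "link_order": 1, "enforced": True,
             "settings": {"screensaver_timeout": 600}},
            {"gpo": "DomainDefaults", "link_order": 2,
             "settings": {"wallpaper": "corp.jpg", "proxy": "proxy.domain.example"}},
            {"gpo": "OldProxy", "link_order": 3, "settings": {"proxy": "proxy.old.example"}}]},
        {"name": "OU=Staff", "links": [
            {"gpo": "StaffWallpaper", "link_order": 1, "settings": {"wallpaper": "staff.jpg"}}]},
        {"name": "OU=Lab", "block_inheritance": block_on_lab, "links": [
            {"gpo": "LabSettings", "link_order": 1, "settings": {"screensaver_timeout": 0}}]},
    ]


LOCAL_GPO = {"gpo": "LocalGPO", "settings": {"wallpaper": "local.jpg", "proxy": "direct"}}


if __name__ == "__main__":
    for block in (False, True):
        print("Block Inheritance on OU=Lab:", block)
        for key, (value, gpo) in sorted(effective_settings(sample_hierarchy(block), LOCAL_GPO).items()):
            print(f"  {key} = {value!r}  (from {gpo})")
```

With the block off, the OU=Staff wallpaper beats the domain's, the domain link with order 2 beats the one with order 3 for the proxy, and the enforced CorpSecurity link beats OU=Lab's own screensaver setting. With Block Inheritance on OU=Lab, only the local GPO and OU=Lab's links survive, except that the enforced domain link still applies, which is the behaviour question 40 describes.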

41) How can you determine what GPO was and was not applied for a user? Name a
few ways to do that.

1. Group Policy Management Console (GPMC) can provide assistance when you need
to troubleshoot GPO behavior. It allows you to examine the settings of a specific GPO, and
it can also be used to determine how your GPOs are linked to sites, domains, and OUs.
The Group Policy Results report collects information on a computer and user to list
the policy settings that are enabled. To create a Group Policy Results report, right-
click Group Policy Results, and select Group Policy Results Wizard on the shortcut menu.
This launches the Group Policy Results Wizard, which guides you through various pages
to set parameters for the information that should be displayed in the Group Policy Results
report.
2. Gpresult.exe: click Start > Run > CMD > gpresult; this will also give you information
on the applied group policies.
3. RSOP.MSC

42) A user claims he did not receive a GPO, yet his user and computer accounts are
in the right OU, and everyone else there gets the GPO. What will you look for?

Here the interviewer wants to know the troubleshooting steps:

- Which GPOs are applying?
- Are they applying to all users and computers?
- Which GPOs are implemented on the OU?
- Make sure the user is not subject to a loopback policy, since with loopback processing the
user’s own settings are not what applies; the computer’s policy takes effect instead.
- Is he a member of the GPO’s security filtering group or not?

You may also want to check the computer’s event logs. If you find event ID 1085 then you may
want to download the patch to fix this and reboot the computer.
===============================================
Answer 2: Start troubleshooting by running RSOP.MSC (Resultant Set of Policy) or gpresult /z
to verify whether the relevant GPO actually applies to that user.

A slow network can also be the reason; you can change the default setting by using the Group
Policy MMC snap-in. Fast logon optimization is enabled by default, but you can disable it by
using the following policy: Administrative Templates\System\Logon\Always wait for the
network at computer startup and logon.

Identify which GPOs they correspond to; verify that they are applicable to the computer/user
(based on the output of RSOP.MSC/gpresult).

43) What are administrative templates?

The GPO settings are divided between the Computer settings and the User settings. In both
parts of the GPO you can clearly see a large section called Administrative Templates.

Administrative Templates are a large repository of registry-based changes (in fact, over 1300
individual settings) that can be found in any GPO on Windows 2000, Windows XP, and
Windows Server 2003.
By using the Administrative Template sections of the GPO you can deploy modifications to
machine (called HKEY_LOCAL_MACHINE in the registry) and user (called
HKEY_CURRENT_USER in the registry) portions of the Registry of computers that are
influenced by the GPO.

The Administrative Templates are Unicode-formatted text files with the extension .ADM and are
used to create the Administrative Templates portion of the user interface for the GPO Editor.

44) What’s the difference between software publishing and assigning?

An administrator can either assign or publish software applications.

Assign to users: the software application is advertised when the user logs on. It is installed when
the user clicks the software application icon on the Start menu, or accesses a file that has been
associated with the software application.

Assign to computers: the software application is advertised and installed when it is safe to do so,
such as when the computer is next restarted.

Publish to users: the software application does not appear on the Start menu or desktop. This
means the user may not know that the software is available. The software application is made
available via the Add/Remove Programs option in Control Panel, or by clicking a file that has
been associated with the application. Published applications do not reinstall themselves in the
event of accidental deletion, and it is not possible to publish to computers.

45) You want to standardize the desktop environments (wallpaper, My Documents, Start menu,
printers etc.) on the computers in one department. How would you do that?

Yes… Through Group Policy

Windows Active Directory Interview Questions!

(5)
How do you view replication properties for AD partitions and DCs?
By using Replication Monitor (replmon) or the repadmin command-line tool:
go to Start > Run > type repadmin
go to Start > Run > type replmon

Why can't you restore a DC that was backed up 4 months ago?

Because of the tombstone life which is set to only 60 days.

Different modes of AD restore?

A nonauthoritative restore is the default method for restoring Active Directory.
To perform a nonauthoritative restore, you must be able to start the domain
controller in Directory Services Restore Mode. After you restore the domain
controller from backup, replication partners use the standard replication
protocols to update Active Directory and associated information on the restored
domain controller.

An authoritative restore brings a domain or a container back to the state it was
in at the time of backup and overwrites all changes made since the backup. If
you do not want to replicate the changes that have been made subsequent to
the last backup operation, you must perform an authoritative restore. In this
case one needs to stop inbound replication first, before performing the
authoritative restore.

How do you configure a stand-by operation master for any of the roles?
# Open Active Directory Sites and Services.
# Expand the site name in which the standby operations master is located to
display the Servers folder.
# Expand the Servers folder to see a list of the servers in that site.
# Expand the name of the server that you want to be the standby operations
master to display its NTDS Settings.
# Right-click NTDS Settings, click New, and then click Connection.
# In the Find Domain Controllers dialog box, select the name of the current role
holder, and then click OK.
# In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.

What's the difference between transferring a FSMO role and seizing?

Seizing a FSMO role can be a destructive process and should only be attempted if
the existing server with the FSMO role is no longer available.

If you perform a seizure of the FSMO roles from a DC, you need to ensure two
things: the current holder is actually dead and offline, and the old DC will NEVER
return to the network. If you do a FSMO role seize and then bring the previous
holder back online, you'll have a problem.
A FSMO role TRANSFER is the graceful movement of the roles from a live,
working DC to another live DC. During the process, the current DC holding the
role(s) is updated, so it becomes aware it is no longer the role holder.

I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC)

What is a bridgehead server in AD?

A bridgehead server is a domain controller in each site which is used as a
contact point to receive and replicate data between sites. For intersite
replication, the KCC designates one of the domain controllers as the bridgehead
server. If that server is down, the KCC designates another domain controller
in the site. When a bridgehead server receives replication updates from
another site, it replicates the data to the other domain controllers within its site.

What is the default size of ntds.dit?

10 MB in Server 2000 and 12 MB in Server 2003.

Where is the AD database held, and what are the other folders related to AD?
The AD database is saved in %systemroot%\ntds. You can see other files also in
this folder. These are the main files controlling the AD structure:

ntds.dit
edb.log
res1.log
res2.log
edb.chk

When a change is made to the Win2K database, triggering a write operation,
Win2K records the transaction in the log file (edb.log). Once written to the log
file, the change is then written to the AD database. System performance
determines how fast the system writes the data to the AD database from the log
file. Any time the system is shut down, all transactions are saved to the
database.

During the installation of AD, Windows creates two files: res1.log and res2.log.
The initial size of each is 10MB. These files are used to ensure that changes can
be written to disk should the system run out of free disk space. The checkpoint
file (edb.chk) records transactions committed to the AD database (ntds.dit).
During shutdown, a "shutdown" statement is written to the edb.chk file.

Then, during a reboot, AD determines that all transactions in the edb.log file
have been committed to the AD database. If, for some reason, the edb.chk file
doesn't exist on reboot or the shutdown statement isn't present, AD will use the
edb.log file to update the AD database. The last file in our list of files to know is
the AD database itself, ntds.dit. By default, the file is located in
%systemroot%\NTDS, along with the other files we've discussed.

What FSMO placement considerations do you know of?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master
method called FSMO (Flexible Single Master Operation), as described in
Understanding FSMO Roles in Active Directory.

In most cases an administrator can keep the FSMO role holders (all 5 of them)
in the same spot (or actually, on the same DC) as has been configured by the
Active Directory installation process.

However, there are scenarios where an administrator would want to move one
or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000
version when dealing with FSMO placement.

In this article I will only deal with Windows Server 2003 Active Directory, but
you should bear in mind that most considerations are also true when planning
Windows 2000 AD FSMO roles.

What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with
SP1 installed, you require only the second R2 CD-ROM.

Insert the second CD and r2auto.exe will display the Windows 2003 R2
Continue Setup screen. If you're installing R2 on a domain controller (DC), you
must first upgrade the schema to the R2 version (this is a minor change and
mostly related to the new DFS replication engine).

To update the schema, run the Adprep utility, which you'll find in the
Components\r2\adprep folder on the second CD-ROM.
Before running this command, ensure all DCs are running Windows 2003 or
Windows 2000 with SP2 (or later).

Here's a sample execution of the Adprep /forestprep command:

D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest
should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or
to Windows 2000 SP2 (or later).

QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent
potential domain controller corruption.
[User Action] If ALL your existing Windows 2000 domain controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type any
other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries...
139 entries modified successfully.

The command has completed successfully
Adprep successfully updated the forest-wide information.

After running Adprep, install R2 by performing these steps:

1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click
Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing
Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g.,
a regular Windows 2003 SP1 installation).
Enter the R2 key and click Next. Note: The license key entered for R2 must
match the underlying OS type, which means if you installed Windows 2003
using a volume-license version key, then you can't use a retail or Microsoft
Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be
performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click
Finish.

What is an OU?
An Organizational Unit is a container object in which you can keep objects such as
user accounts, groups, computers, printers, applications and other OUs.
In an organizational unit you can assign specific permissions to users.
Organizational units can also be used to create departmental boundaries.

Name some OU design considerations?

OU design requires balancing requirements for delegating administrative rights -
independent of Group Policy needs - and the need to scope the application of
Group Policy.

The following OU design recommendations address delegation and scope issues:

Applying Group Policy: An OU is the lowest-level Active Directory container to
which you can assign Group Policy settings.
Delegating administrative authority: usually don't go more than 3 OU levels deep.
What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication
topology to take advantage of the physical network.

A Site object in Active Directory represents a physical geographic location that
hosts networks. Sites contain objects called Subnets.

Sites can be used to assign Group Policy Objects, facilitate the discovery of
resources, manage Active Directory replication, and manage network link traffic.
Sites can be linked to other Sites. Site Link objects may be assigned a cost
value that represents the speed, reliability, availability, or other real property of
a physical resource. Site Links may also be assigned a schedule.

Trying to look at the Schema, how can I do that?

Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> Add snap-in --> add Active Directory Schema
Save it as schema.msc
Open Administrative Tools --> schema.msc

What is the port number of Kerberos?

88

What is the port number of the Global Catalog?

3268

What is the port number of LDAP?

389

Explain the Active Directory Schema?

Windows 2000 and Windows Server 2003 Active Directory uses a database set
of rules called the "Schema". The Schema is defined as the formal definition of all
object classes, and the attributes that make up those object classes, that can
be stored in the directory. As mentioned earlier, the Active Directory database
includes a default Schema, which defines many object classes, such as users,
groups, computers, domains, organizational units, and so on.

These objects are also known as "Classes". The Active Directory Schema is
dynamically extensible, meaning that you can modify the schema by defining
new object types and their attributes and by defining new attributes for existing
objects. You can do this either with the Schema Manager snap-in tool included
with Windows 2000/2003 Server, or programmatically.

How can you forcibly remove AD from a server, and what do you do
later? Can I get user passwords from the AD database?
With dcpromo /forceremoval, an administrator can forcibly remove Active Directory
and roll back the system without having to contact or replicate any locally held
changes to another DC in the forest. Reboot the server afterwards. After you use the
dcpromo /forceremoval command, all the remaining metadata for the demoted
DC is not deleted on the surviving domain controllers, and therefore you must
manually remove it by using the NTDSUTIL command.

In the event that the NTDS Settings object is not removed correctly you can use
the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will
need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active
Directory Users and Computers.

What are the FSMO roles? Who has them by default? What happens
when each one fails?
Flexible Single Master Operation (FSMO) role. Currently there are five FSMO
roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
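The following is an added example (not from the original page) that ties the list of five roles above to the transfer-versus-seize question earlier: it reads the current holders and moves a role with a graceful transfer, falling back to a seizure only when the holder is unreachable and the operator explicitly confirms. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later, newer than the ntdsutil procedure this page describes); the function names and the DC name DC02 are invented for the example.

```powershell
# Added example: show FSMO role holders, then transfer a role, seizing only
# when the current holder cannot be reached. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # Forest-wide roles live on the forest object, domain roles on the domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoleSafely {
    param(
        # Fully qualified name of the DC that should receive the role.
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster',
                     'PDCEmulator', 'InfrastructureMaster')]
        [string]$Role
    )
    $currentHolder = (Get-FsmoHolder).$Role
    if ($currentHolder -eq $TargetDC) { return "$TargetDC already holds $Role" }

    # Graceful TRANSFER: the old holder is updated and knows it lost the role.
    if (Test-Connection -ComputerName $currentHolder -Count 2 -Quiet) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
            -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $currentHolder to $TargetDC"
    }

    # SEIZE only when the holder is gone for good: it must never return to the
    # network afterwards, so require an explicit acknowledgement first.
    $answer = Read-Host "$currentHolder is unreachable. Type SEIZE to seize $Role on $TargetDC"
    if ($answer -cne 'SEIZE') { return 'Aborted: no seizure performed' }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $Role -Force -Confirm:$false
    return "Seized $Role on $TargetDC; keep $currentHolder offline and clean up its metadata"
}

Get-FsmoHolder
# Move-FsmoRoleSafely -TargetDC 'DC02.contoso.com' -Role PDCEmulator
```

The holder names returned by Get-ADDomain and Get-ADForest are fully qualified, so pass the target DC in the same form.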

What is a domain tree?

Domain Trees: A domain tree comprises several domains that share a common
schema and configuration, forming a contiguous namespace. Domains in a tree
are also linked together by trust relationships. Active Directory is a set of one or
more trees.
Trees can be viewed two ways. One view is the trust relationships between
domains. The other view is the namespace of the domain tree.

What is a forest?
A collection of one or more domain trees with a common schema and implicit
trust relationships between them. This arrangement would be used if you have
multiple root DNS addresses.

How to select the appropriate restore method?

You select the appropriate restore method by considering:
Circumstances and characteristics of the failure. The two major categories of
failure, from an Active Directory perspective, are Active Directory data
corruption and hardware failure.

Active Directory data corruption occurs when the directory contains corrupt data
that has been replicated to all domain controllers or when a large portion of the
Active Directory hierarchy has been changed accidentally (such as deletion of an
OU) and this change has replicated to other domain controllers.

Where are the Windows NT Primary Domain Controller (PDC) and its
Backup Domain Controller (BDC) in Server 2003?
Active Directory replaces them. Now all domain controllers share a
multimaster peer-to-peer read and write relationship that hosts copies of the
Active Directory.

What is the Global Catalog?

The Global Catalog authenticates network user logons and fields inquiries about
objects across a forest or tree. Every domain has at least one GC that is hosted
on a domain controller. In Windows 2000, there was typically one GC on every
site in order to prevent user logon failures across the network.

How long does it take for security changes to be replicated among the
domain controllers?
Security-related modifications are replicated within a site immediately. These
changes include account and individual user lockout policies, changes to
password policies, changes to computer account passwords, and modifications
to the Local Security Authority (LSA).

When should you create a forest?

Organizations that operate on radically different bases may require separate
trees with distinct namespaces. Unique trade or brand names often give rise to
separate DNS identities. Organizations merge or are acquired and naming
continuity is desired. Organizations form partnerships and joint ventures. While
access to common resources is desired, a separately defined tree can enforce
more direct administrative and security restrictions.

Describe the process of working with an external domain name?

If it is not possible for you to configure your internal domain as a subdomain of
your external domain, use a stand-alone internal domain. This way, your
internal and external domain names are unrelated. For example, an
organization that uses the domain name contoso.com for their external
namespace uses the name corp.internal for their internal namespace.

The advantage to this approach is that it provides you with a unique internal
domain name. The disadvantage is that this configuration requires you to
manage two separate namespaces. Also, using a stand-alone internal domain
that is unrelated to your external domain might create confusion for users
because the namespaces do not reflect a relationship between resources within
and outside of your network.
In addition, you might have to register two DNS names with an Internet name
authority if you want to make the internal domain publicly accessible.

What is LDP?
LDP : Label Distribution Protocol (LDP) is often used to establish MPLS LSPs
when traffic engineering is not required. It establishes LSPs that follow the
existing IP routing, and is particularly well suited for establishing a full mesh of
LSPs between all of the routers on the network.

What are the group types available in Active Directory?

Security groups: Use security groups for granting permissions to gain access to
resources. Sending an e-mail message to a group sends the message to all
members of the group. Therefore security groups share the capabilities of
distribution groups.

Distribution groups: Distribution groups are used for sending e-mail messages
to groups of users. You cannot grant permissions to security groups. Even
though security groups have all the capabilities of distribution groups,
distribution groups are still required, because some applications can only read
distribution groups.

Explain about the group scopes in AD?

Domain Local Group: Use this scope to grant permissions to domain resources
that are located in the same domain in which you created the domain local
group. Domain local groups can exist in all mixed, native and interim functional
levels of domains and forests. Domain local group memberships are not limited,
as you can add members such as user accounts, universal and global groups from
any domain. Just to remember, nesting cannot be done in a domain local group. A
domain local group will not be a member of another Domain Local or any other
group in the same domain.

Global Group: Users with a similar function can be grouped under global scope
and can be given permission to access a resource (like a printer or shared folder
and files) available in the local or another domain in the same forest. To say it in
simple words, global groups can be used to grant permissions to gain access to
resources which are located in any domain but in a single forest, as their
memberships are limited. User accounts and global groups can be added only
from the domain in which the global group is created. Nesting is possible in global
groups within other groups, as you can add a global group into another global
group from any domain. Finally, to provide permission to domain specific
resources (like printers and published folders), they can be members of a
Domain Local group. Global groups exist in all mixed, native and interim
functional levels of domains and forests.

Universal Group Scope: These groups are precisely used for email distribution
and can be granted access to resources in all trusted domains, as these groups
can only be used as a security principal (security group type) in a Windows 2000
native or Windows Server 2003 domain functional level domain. Universal group
memberships are not limited like global groups. All domain user accounts and
groups can be a member of a universal group. Universal groups can be nested
under a global or Domain Local group in any domain.

What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: This GUI tool enables
administrators to view the low-level status of Active Directory replication, force
synchronization between domain controllers, view the topology in a graphical
format, and monitor the status and performance of domain controller
replication.

What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that
acts as a low-level editor for Active Directory. It is a Graphical User Interface
(GUI) tool. Network administrators can use it for common administrative tasks
such as adding, deleting, and moving objects within a directory service. The
attributes for each object can be edited or deleted by using this tool. ADSIEdit
uses the ADSI application programming interfaces (APIs) to access Active
Directory. The following are the required files for using this tool: ADSIEDIT.DLL
ADSIEDIT.

What is NETDOM ?
NETDOM is a command-line tool that allows management of Windows domains
and trust relationships. It is used for batch management of trusts, joining
computers to domains, verifying trusts, and secure channels.

What is REPADMIN?
This command-line tool assists administrators in diagnosing replication
problems between Windows domain controllers. Administrators can use
Repadmin to view the replication topology (sometimes referred to as RepsFrom
and RepsTo) as seen from the perspective of each domain controller. In
addition, Repadmin can be used to manually create the replication topology
(although in normal practice this should not be necessary), to force replication
events between domain controllers, and to view both the replication metadata
and up-to-dateness vectors.

How to take a backup of AD?

To take a backup of Active Directory, go to Start -> Programs -> Accessories ->
System Tools -> Backup, or open the Run window and type ntbackup. When the
backup screen appears, take a backup of SYSTEM STATE; this backs up all the
necessary information about the system, including AD, DNS, etc.

What are the DS* commands?
The DS family of built-in utilities:
DSmod - modify Active Directory attributes.
DSrm - delete Active Directory objects.
DSmove - relocate objects.
DSadd - create new accounts.
DSquery - find objects that match your query attributes.
DSget - list the properties of an object.

What are the requirements for installing AD on a new server?

An NTFS partition with enough free space.
An Administrator's username and password.
The correct operating system version.
A NIC with properly configured TCP/IP (IP address, subnet mask and, optionally, a
default gateway).
A network connection (to a hub or to another computer via a crossover cable).
An operational DNS server (which can be installed on the DC itself).
A domain name that you want to use.
The Windows 2000 or Windows Server 2003 CD media (or at least the i386
folder).

Explain about trusts in AD?

To allow users in one domain to access resources in another, Active Directory
uses trusts. Trusts inside a forest are automatically created when domains are
created.

The forest sets the default boundaries of trust, not the domain, and implicit,
transitive trust is automatic for all domains within a forest. As well as two-way
transitive trust, AD trusts can be a shortcut (joins two domains in different
trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm
(transitive or nontransitive, one- or two-way), or external (nontransitive, one-
or two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)

One-way trust – One domain allows access to users on another domain, but
the other domain does not allow access to users on the first domain.
Two-way trust – Two domains allow access to users on both domains.
Trusting domain – The domain that allows access to users from a trusted
domain.
Trusted domain – The domain that is trusted; whose users have access to the
trusting domain.
Transitive trust – A trust that can extend beyond two domains to other
trusted domains in the forest.
Intransitive trust – A one-way trust that does not extend beyond two
domains.
Explicit trust – A trust that an admin creates. It is not transitive and is one
way only.
Cross-link trust – An explicit trust between domains in different trees or in the
same tree when a descendant/ancestor (child/parent) relationship does not
exist between the two domains.

Windows 2000 Server supports the following types of trusts:
Two-way transitive trusts.
One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
Shortcut

Windows Server 2003 offers a new trust type – the forest root trust. This type
of trust can be used to connect Windows Server 2003 forests if they are
operating at the 2003 forest functional level. Authentication across this type of
trust is Kerberos based (as opposed to NTLM). Forest trusts are also transitive
for all the domains in the forests that are trusted. Forest trusts, however, are
not transitive.
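As an added example (not from the original page), the following audit lists each trust of the current domain using the vocabulary above: direction, which side is the trusting domain, transitivity, and whether SID filtering and selective authentication are enabled, which is what a defender reviews first on a trust. It assumes the ActiveDirectory PowerShell module; the function name is invented for the example.

```powershell
# Added example: audit the trusts of the current domain. Assumes the
# ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Get-TrustAudit {
    $local = (Get-ADDomain).DNSRoot
    foreach ($trust in Get-ADTrust -Filter *) {
        # Outbound: this domain trusts the partner, so this domain is the
        # trusting domain and the partner's users get access here.
        # Inbound: the partner trusts this domain. BiDirectional: both.
        $trusting = switch ("$($trust.Direction)") {
            'Outbound'      { $local }
            'Inbound'       { $trust.Target }
            'BiDirectional' { 'both' }
        }
        [pscustomobject]@{
            Partner        = $trust.Target
            # Uplevel = AD domain/forest, Downlevel = NT4, MIT = Kerberos realm
            TrustType      = $trust.TrustType
            Direction      = $trust.Direction
            TrustingDomain = $trusting
            # The NON_TRANSITIVE attribute is set on external (nontransitive)
            # trusts; intra-forest and forest trusts leave it clear.
            Transitive     = -not $trust.DisallowTransivity
            ForestTrust    = $trust.ForestTransitive
            IntraForest    = $trust.IntraForest
            SIDFiltering   = $trust.SIDFilteringQuarantined
            SelectiveAuth  = $trust.SelectiveAuthentication
        }
    }
}

Get-TrustAudit | Format-Table -AutoSize
```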

Difference between LDIFDE and CSVDE?

CSVDE is a command that can be used to import and export objects to and from
the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file
easily readable in Excel. I will not go to length into this powerful command, but
I will show you some basic samples of how to import a large number of users
into your AD. Of course, as with the DSADD command, CSVDE can do more
than just import users. Consult your help file for more info.

LDIFDE is a command that can be used to import and export objects to and
from the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format)
file is a file easily readable in any text editor; however, it is not readable in
programs like Excel. The major difference between CSVDE and LDIFDE (besides
the file format) is the fact that LDIFDE can be used to edit and delete existing
AD objects (not just users), while CSVDE can only import and export objects.
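The difference just described, as an added example (not from the original page): an LDIF change record with changetype: modify updates an existing user through LDIFDE, something CSVDE has no syntax for, while the CSVDE file beside it can only create the object it describes. The DNs, the server name DC01.contoso.com and the file paths are constructed placeholders.

```powershell
# Added example: LDIFDE modify record versus a CSVDE add-only import.
# All names below are placeholders constructed for illustration.

$ldifPath = "$env:TEMP\update-description.ldf"

# One LDIF change record: the DN, the operation, the attribute to replace and
# its new value. The lone "-" terminates the change list of a modify record.
$ldif = @"
dn: CN=Jane Doe,OU=Staff,DC=contoso,DC=com
changetype: modify
replace: description
description: Updated via LDIFDE
-
"@
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# -i import, -f input file, -s target DC, -v verbose, -k keep going past
# constraint errors (for example an object that no longer exists).
ldifde -i -f $ldifPath -s DC01.contoso.com -v -k

# For comparison: CSVDE needs a header row naming the attributes and can only
# create the object described; it cannot modify or delete it afterwards.
$csvPath = "$env:TEMP\new-user.csv"
@"
DN,objectClass,sAMAccountName,userPrincipalName,displayName
"CN=Bob Lee,OU=Staff,DC=contoso,DC=com",user,blee,blee@contoso.com,Bob Lee
"@ | Set-Content -Path $csvPath -Encoding ASCII
csvde -i -f $csvPath -s DC01.contoso.com -v -k
```

A user created this way has no password and is disabled until one is set; that is expected for CSVDE imports.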

What is the tombstone lifetime attribute?

The number of days before a deleted object is removed from the directory
service. This assists in removing objects from replicated servers and
preventing restores from reintroducing a deleted object. This value is in the
Directory Service object in the configuration naming context.
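The following added example (not from the original page) reads the attribute from the Directory Service object just described and applies it to the earlier question about restoring a four-month-old backup: a backup older than the tombstone lifetime is reported as not restorable. It assumes the ActiveDirectory PowerShell module; the function names are invented, and an unset attribute is treated as the 60-day default the page states.

```powershell
# Added example: read the forest's tombstone lifetime and check whether a
# system state backup is still young enough to restore. Assumes the
# ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime
    # An absent attribute means the default of 60 days applies (assumption
    # taken from the page; newer forests may default to 180).
    if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
}

function Test-BackupRestorable {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetime)
    )
    $age = (Get-Date) - $BackupDate
    [pscustomobject]@{
        BackupAgeDays     = [math]::Floor($age.TotalDays)
        TombstoneLifetime = $TombstoneLifetimeDays
        # A backup older than the tombstone lifetime would reintroduce objects
        # the other DCs have already purged (lingering objects), so refuse it.
        Restorable        = $age.TotalDays -lt $TombstoneLifetimeDays
    }
}

# Constructed input: a backup taken four months ago, as in the earlier question.
Test-BackupRestorable -BackupDate (Get-Date).AddMonths(-4)
```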

What are application partitions? When do I use them?

An application directory partition is a directory partition that is replicated only
to specific domain controllers. Only domain controllers running Windows Server
2003 can host a replica of an application directory partition.
Using an application directory partition provides redundancy, availability or fault
tolerance by replicating data to a specific domain controller or any set of domain
controllers anywhere in the forest.

How do you create a new application partition?
Use the DnsCmd command to create an application directory partition.
To do this, use the following syntax:
dnscmd ServerName /CreateDirectoryPartition <FQDN of partition>

How do you view all the GCs in the forest?

C:\>repadmin /showreps domain_controller, where domain_controller is the DC
you want to query to determine whether it's a GC.
The output will include the text DSA Options: IS_GC if the DC is a GC.
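As an added example (not from the original page), this lists every global catalog in the forest and checks that each one answers on the three ports the page lists earlier: Kerberos 88, LDAP 389 and the global catalog port 3268. It assumes the ActiveDirectory PowerShell module and Test-NetConnection (Windows 8 / Server 2012 or later); the function names are invented.

```powershell
# Added example: enumerate forest global catalogs and verify their service
# ports. Assumes the ActiveDirectory module and Test-NetConnection.
Import-Module ActiveDirectory

function Get-ForestGlobalCatalog {
    # The forest object carries the list of DCs currently advertising as GC.
    (Get-ADForest).GlobalCatalogs
}

function Test-GcServicePorts {
    # Ports from the page: Kerberos 88, LDAP 389, global catalog LDAP 3268.
    $ports = [ordered]@{ Kerberos = 88; LDAP = 389; GlobalCatalog = 3268 }
    foreach ($gc in Get-ForestGlobalCatalog) {
        $row = [ordered]@{ GlobalCatalog = $gc }
        foreach ($name in $ports.Keys) {
            # TcpTestSucceeded is $true only when the TCP handshake completed;
            # a closed 3268 on a listed GC means it is not actually serving GC.
            $row[$name] = (Test-NetConnection -ComputerName $gc -Port $ports[$name] `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]$row
    }
}

Test-GcServicePorts | Format-Table -AutoSize
```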

Can you connect Active Directory to other 3rd-party Directory Services? Name a few
options.
Yes, you can use DirXML or LDAP to connect to other directories.
In Novell you can use eDirectory.

What is IPSec Policy?

IPSec provides secure gateway-to-gateway connections across outsourced
private wide area network (WAN) or Internet-based connections using
L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec policy can be deployed
via Group Policy to the Windows domain controllers and servers.

What are the different types of Terminal Services?

User Mode & Application Mode.

What is RSoP?
RSoP is the Resultant Set of Policy applied on the object (Group Policy).

What is the system startup process?

Windows 2K boot process on an Intel architecture:

1. Power-On Self Tests (POST) are run.

2. The boot device is found, the Master Boot Record (MBR) is loaded into
memory, and its program is run.

3. The active partition is located, and the boot sector is loaded.

4. The Windows 2000 loader (NTLDR) is then loaded.

The boot sequence executes the following steps:

1. The Windows 2000 loader switches the processor to the 32-bit flat memory
model.

2. The Windows 2000 loader starts a mini-file system.

3. The Windows 2000 loader reads the BOOT.INI file and displays the operating
system selections (boot loader menu).

4. The Windows 2000 loader loads the operating system selected by the user. If
Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating
systems, NTLDR loads BOOTSECT.DOS and gives it control.

5. NTDETECT.COM scans the hardware installed in the computer, and reports
the list to NTLDR for inclusion in the Registry under the
HKEY_LOCAL_MACHINE\HARDWARE hive.

6. NTLDR then loads NTOSKRNL.EXE, and gives it the hardware information
collected by NTDETECT.COM. Windows NT enters the Windows load phases.

How do you change the DS Restore admin password?

In Windows 2000 Server, you used to have to boot the computer whose
password you wanted to change in Directory Restore mode, then use either the
Microsoft Management Console (MMC) Local Users and Groups snap-in or the
command net user administrator * to change the Administrator password.
Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you
reset the Directory Service Restore Mode password without having to reboot the
computer. (Microsoft refreshed Setpwd in SP4 to improve the utility's scripting
options.)

In Windows Server 2003, you use the Ntdsutil utility to modify the Directory
Service Restore Mode Administrator password.

To do so, follow these steps:

1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
2. Start the Directory Service Restore Mode Administrator password-reset utility
by entering the argument "set dsrm password" at the ntdsutil prompt:
ntdsutil: set dsrm password
3. Run the Reset Password command, passing the name of the server on which
to change the password, or use the null argument to specify the local machine.
For example, to reset the password on server testing, enter the following
argument at the Reset DSRM Administrator Password prompt:
Reset DSRM Administrator Password: reset password on server testing

To reset the password on the local machine, specify null as the server name:
Reset DSRM Administrator Password: reset password on server null

4. You'll be prompted twice to enter the new password. You'll see the following
messages:
Please type password for DS Restore Mode Administrator Account:
Please confirm new password:
Password has been set successfully.
5. Exit the password-reset utility by typing "quit" at the following prompts:
Reset DSRM Administrator Password: quit
ntdsutil: quit

I am upgrading from NT to 2003. The only things that are NT are the
PDC and BDCs; everything else is 2000 or 2003 member servers. My
question is, when I upgrade my NT domain controllers to 2003, will I
need to do anything else to my Windows 2000/2003 member servers
that were in the NT domain?
Your existing member servers, regardless of operating system, will simply
become member servers in your upgraded AD domain. If you will be using
Organizational Units and Group Policy (and I hope you are), you'll probably
want to move them to a specific OU for administration and policy application,
since they'll be in the default "Computers" container immediately following the
upgrade.

How do I use Registry keys to remove a user from a group?

In Windows Server 2003, you can use the dsmod command-line utility with the
-delmbr switch to remove a group member from the command line. You should
also look into the freeware utilities available from www.joeware.net. ADFind and
ADMod are indispensable tools in my arsenal when it comes to searching and
modifying Active Directory.

Why are my NT4 clients failing to connect to the Windows 2000 domain?
Since NT4 relies on NetBIOS for name resolution, verify that your WINS server
(you do have a WINS server running, yes?) contains the records that you
expect for the 2000 domain controller, and that your clients have the correct
address configured for the WINS server.

How to add your first Windows 2003 DC to an existing Windows 2000


domain ?

The first step is to install Windows 2003 on your new DC. This is a
straighforward process, so we aren?t going to discuss that here.

Because significant changes have been made to the Active Directory schema in
Windows 2003, we need to make our Windows 2000 Active Directory compatible
with the new version. If you already have Windows 2003 DCs running with
Windows 2000 DCs, then you can skip down to the part about DNS.

Before you attempt this step, you should make sure that you have service pack
4 installed on your Windows 2000 DC. Next, make sure that you are logged in
as a user that is a member of the Schema Admin and Enterprise Admin groups.
Next, insert the Windows 2003 Server installation CD into the Windows 2000
Server.
Bring up a command line and change directories to the I386 directory on the
installation CD. At the command prompt, type: Code :
adprep /forestprep After running this command, make sure that the updates
have been replicated to all existing Windows 2000 DCs in the forest. Next, we
need to run the following command: Code :adprep /domainprep

The above command must be run on the Infrastructure Master of the domain by
someone who is a member of the Domain Admins group.
Once this is complete, we move back to the Windows 2003 Server. Click ?start?
then ?run? - type in dcpromo and click OK. During the ensuing wizard, make
sure that you select that you are adding this DC to an existing domain.
After this process is complete, the server will reboot. When it comes back
online, check and make sure that the AD database has been replicated to your
new server.
Next, you will want to check and make sure that DNS was installed on your new
server.

If not, go to the Control Panel, click on "Add or Remove Programs", and click
the "Add/Remove Windows Components" button.
In the Windows Components screen, click on "Networking Services" and click
the Details button.

In the new window check "Domain Name System (DNS)" and then click the OK
button. Click "Next" in the Windows Components screen.
This will install DNS and the server will reboot. After reboot, pull up the DNS
Management window and make sure that your DNS settings have replicated
from the Windows 2000 Server. You will need to re-enter any forwarders or
other properties you had set up, but the DNS records should replicate on their
own.

The next 2 items, global catalog and FSMO roles, are important if you plan on
decommissioning your Windows 2000 server(s). If this is the case, you need to
transfer the global catalog from the old server to the new one.

First, let's create a global catalog on our new server. Here are the steps:

1. On the domain controller where you want the new global catalog, start the
Active Directory Sites and Services snap-in.
To start the snap-in, click "Start", point to "Programs", point to "Administrative
Tools", and then click "Active Directory Sites and Services".
2. In the console tree, double-click "Sites", and then double-click "sitename".
3. Double-click "Servers", click your domain controller, right-click "NTDS
Settings", and then click "Properties".
4. On the General tab, click to select the Global catalog check box to assign the
role of global catalog to this server.
5. Restart the domain controller.

Make sure you allow sufficient time for the account and the schema information
to replicate to the new global catalog server before you remove the global
catalog from the original DC or take the DC offline.

After this is complete, you will want to transfer or seize the FSMO roles for your
new server.
For instructions, read Using Ntdsutil.exe to transfer or seize FSMO roles to a
domain controller.
After this step is complete, we can now run DCPROMO on the Windows 2000
Servers in order to demote them.

Once this is complete, copy over any files you need to your new server and you
should have successfully replaced your Windows 2000 server(s) with a new
Windows 2003 server.
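
Once the new DC is in place, the checks the procedure above asks for (schema
updated, AD replicated, DNS working, global catalog enabled, FSMO roles moved)
can be run from one script. The following is an added example, not code from the
original page; it assumes the ActiveDirectory PowerShell module (RSAT) and a DC
reachable over ADWS, which on a 2003-era forest means the Active Directory
Management Gateway Service on at least one DC or a Windows Server 2008 R2 or
later DC. The repadmin and dcpromo commands the page uses still apply as-is.

```powershell
# Added example (not from the original page): verify a newly promoted DC.
# Assumes the ActiveDirectory module and a DC reachable over ADWS.
Import-Module ActiveDirectory

function Get-SchemaVersion {
    # objectVersion on the schema naming context is what adprep /forestprep raises.
    # Known values: 13 = Windows 2000, 30 = Windows Server 2003, 31 = 2003 R2,
    # 44 = Windows Server 2008, 47 = Windows Server 2008 R2.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
}

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

"Schema version: $(Get-SchemaVersion)"

# Every DC in the domain with its site, OS and global catalog flag. The new
# 2003 DC should be listed; IsGlobalCatalog turns True once step 4 replicates.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, OperatingSystem, IsGlobalCatalog |
    Format-Table -AutoSize

Get-FsmoHolders | Format-List

# Replication health for all DCs (repadmin ships with the AD admin tools).
repadmin /replsummary

# A DC that has not registered its SRV records will not be found by clients.
# Resolve-DnsName comes from the DnsClient module (Windows 8 / 2012 and later).
$dnsRoot = (Get-ADDomain).DNSRoot
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dnsRoot" -Type SRV |
    Select-Object NameTarget, Port, Priority, Weight
```

Run it before demoting the Windows 2000 servers: a schema version still at 13, a
missing SRV record for the new server, or a role still pointing at the old DC are
the usual reasons the demotion step fails.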

How do you view replication properties for AD partitions and DCs?

By using Replication Monitor:
go to Start > Run > type repadmin
go to Start > Run > type replmon

Why can't you restore a DC that was backed up 4 months ago?

Because of the tombstone life which is set to only 60 days.
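
The tombstone lifetime is stored in the directory, so the "is this backup too old"
question can be answered before attempting a restore. The following is an added
example, not code from the original page; it assumes the ActiveDirectory module
and reads the tombstoneLifetime attribute from the Directory Service object in
the Configuration partition.

```powershell
# Added example (not from the original page): compare a backup's age with the
# forest's tombstone lifetime. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service in the Configuration NC.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                             -Properties tombstoneLifetime
    if ($dsObject.tombstoneLifetime) { return [int]$dsObject.tombstoneLifetime }
    # When the attribute is not set the effective value is the default 60 days
    # (forests created with Windows Server 2003 SP1 or later set it to 180).
    return 60
}

function Test-BackupUsable {
    param(
        [Parameter(Mandatory)] [datetime] $BackupDate,
        [int] $TombstoneLifetimeDays = (Get-TombstoneLifetimeDays)
    )
    # A backup older than the tombstone lifetime would reintroduce objects that
    # the other DCs have already forgotten were deleted (lingering objects).
    $ageDays = ((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupDate        = $BackupDate
        AgeDays           = [math]::Round($ageDays)
        TombstoneLifetime = $TombstoneLifetimeDays
        Usable            = $ageDays -lt $TombstoneLifetimeDays
    }
}

# The four-month-old backup from the question fails against a 60-day lifetime.
Test-BackupUsable -BackupDate (Get-Date).AddMonths(-4)
```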

Different modes of AD restore?

A nonauthoritative restore is the default method for restoring Active Directory.
To perform a nonauthoritative restore, you must be able to start the domain
controller in Directory Services Restore Mode. After you restore the domain
controller from backup, replication partners use the standard replication
protocols to update Active Directory and associated information on the restored
domain controller.

An authoritative restore brings a domain or a container back to the state it was
in at the time of backup and overwrites all changes made since the backup. If
you do not want to replicate the changes that have been made subsequent to
the last backup operation, you must perform an authoritative restore. In this
case you need to stop inbound replication first, before performing the
authoritative restore.

How do you configure a stand-by operation master for any of the roles?
# Open Active Directory Sites and Services.
# Expand the site name in which the standby operations master is located to
display the Servers folder.
# Expand the Servers folder to see a list of the servers in that site.
# Expand the name of the server that you want to be the standby operations
master to display its NTDS Settings.
# Right-click NTDS Settings, click New, and then click Connection.
# In the Find Domain Controllers dialog box, select the name of the current role
holder, and then click OK.
# In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.

What's the difference between transferring a FSMO role and seizing?

Seizing an FSMO can be a destructive process and should only be attempted if
the existing server with the FSMO is no longer available.

If you perform a seizure of the FSMO roles from a DC, you need to ensure two
things: the current holder is actually dead and offline, and that the old DC will
NEVER return to the network. If you do an FSMO role seize and then bring the
previous holder back online, you'll have a problem.

An FSMO role TRANSFER is the graceful movement of the roles from a live,
working DC to another live DC. During the process, the current DC holding the
role(s) is updated, so it becomes aware it is no longer the role holder.

I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC)

What is a Bridgehead Server in AD?

A bridgehead server is a domain controller in each site, which is used as a
contact point to receive and replicate data between sites. For intersite
replication, the KCC designates one of the domain controllers as a bridgehead
server. In case the server is down, the KCC designates another domain
controller. When a bridgehead server receives replication updates from
another site, it replicates the data to the other domain controllers within its site.

What is the default size of ntds.dit?

10 MB in Server 2000 and 12 MB in Server 2003.

Where is the AD database held and what are the other files related to AD?
The AD database is saved in %systemroot%\NTDS. You can see other files also in
this folder. These are the main files controlling the AD structure.

ntds.dit
edb.log
res1.log
res2.log
edb.chk

When a change is made to the Win2K database, triggering a write operation,
Win2K records the transaction in the log file (edb.log). Once written to the log
file, the change is then written to the AD database. System performance
determines how fast the system writes the data to the AD database from the log
file. Any time the system is shut down, all transactions are saved to the
database.

During the installation of AD, Windows creates two files: res1.log and res2.log.
The initial size of each is 10MB. These files are used to ensure that changes can
be written to disk should the system run out of free disk space. The checkpoint
file (edb.chk) records transactions committed to the AD database (ntds.dit).
During shutdown, a "shutdown" statement is written to the edb.chk file.

Then, during a reboot, AD determines that all transactions in the edb.log file
have been committed to the AD database. If, for some reason, the edb.chk file
doesn't exist on reboot or the shutdown statement isn't present, AD will use the
edb.log file to update the AD database. The last file in our list of files to know is
the AD database itself, ntds.dit. By default, the file is located in
%systemroot%\NTDS, along with the other files we've discussed.

What FSMO placement considerations do you know of?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master
method called FSMO (Flexible Single Master Operation), as described in
Understanding FSMO Roles in Active Directory.

In most cases an administrator can keep the FSMO role holders (all 5 of them)
in the same spot (or actually, on the same DC) as has been configured by the
Active Directory installation process.

However, there are scenarios where an administrator would want to move one
or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000
version when dealing with FSMO placement.

In this article I will only deal with Windows Server 2003 Active Directory, but
you should bear in mind that most considerations are also true when planning
Windows 2000 AD FSMO roles.

What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with
SP1 installed, you require only the second R2 CD-ROM.
Insert the second CD and the r2auto.exe will display the Windows 2003 R2
Continue Setup screen. If you're installing R2 on a domain controller (DC), you
must first upgrade the schema to the R2 version (this is a minor change and
mostly related to the new Dfs replication engine).

To update the schema, run the Adprep utility, which you'll find in the
Components\r2\adprep folder on the second CD-ROM.
Before running this command, ensure all DCs are running Windows 2003 or
Windows 2000 with SP2 (or later).

Here's a sample execution of the Adprep /forestprep command:

D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest
should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or
to Windows 2000 SP2 (or later).

QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent
potential domain controller corruption.
[User Action] If ALL your existing Windows 2000 domain controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type any
other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries... 139 entries modified successfully.

The command has completed successfully
Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:

1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click
Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing
Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g.,
a regular Windows 2003 SP1 installation).
Enter the R2 key and click Next. Note: The license key entered for R2 must
match the underlying OS type, which means if you installed Windows 2003
using a volume-license version key, then you can't use a retail or Microsoft
Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be
performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click
Finish

What is an OU?
An Organizational Unit is a container object in which you can keep objects such
as user accounts, groups, computers, printers, applications and other OUs.
In an organizational unit you can assign specific permissions to users.
Organizational units can also be used to create departmental boundaries.

Name some OU design considerations?

OU design requires balancing requirements for delegating administrative rights,
independent of Group Policy needs, and the need to scope the application of
Group Policy.

The following OU design recommendations address delegation and scope issues:

Applying Group Policy: An OU is the lowest-level Active Directory container to
which you can assign Group Policy settings.
Delegating administrative authority: usually don't go more than 3 OU levels deep.

What are sites? What are they used for?

One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication
topology to take advantage of the physical network.

A Site object in Active Directory represents a physical geographic location that
hosts networks. Sites contain objects called Subnets.

Sites can be used to assign Group Policy Objects, facilitate the discovery of
resources, manage Active Directory replication, and manage network link traffic.
Sites can be linked to other Sites. Site-linked objects may be assigned a cost
value that represents the speed, reliability, availability, or other real property of
a physical resource. Site Links may also be assigned a schedule.

Trying to look at the Schema, how can I do that?

Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> add snapin --> add Active directory schema
name it as schema.msc
Open administrative tool -->schema.msc

What is the port no of Kerberos?

88

What is the port no of Global Catalog?

3268
What is the port no of LDAP ?
389
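
A quick reachability check for these ports is useful when a client cannot
authenticate or a GC query hangs. The following is an added example, not code
from the original page; the DC name is a placeholder, and it uses only the .NET
TcpClient class, so it runs without the AD module. 636 and 3269 (the TLS
counterparts of 389 and 3268) are added alongside the three ports the page lists.

```powershell
# Added example (not from the original page): TCP reachability of the AD ports
# named above. The DC name is a placeholder.
function Test-AdPorts {
    param(
        [Parameter(Mandatory)][string] $DomainController,
        [int] $TimeoutMs = 2000
    )
    # Ports from the page: Kerberos 88, LDAP 389, Global Catalog 3268.
    # 636 / 3269 are LDAP and GC over TLS. Kerberos also listens on UDP 88,
    # which a TCP connect cannot test.
    $ports = [ordered]@{ Kerberos = 88; LDAP = 389; LDAPS = 636; GlobalCatalog = 3268; GlobalCatalogSSL = 3269 }
    foreach ($entry in $ports.GetEnumerator()) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $async = $client.BeginConnect($DomainController, [int]$entry.Value, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the port refused the connection
                $open = $client.Connected
            }
        } catch { $open = $false }
        finally { $client.Close() }
        [pscustomobject]@{ Service = $entry.Key; Port = $entry.Value; Open = $open }
    }
}

Test-AdPorts -DomainController 'DC01.corp.example'
```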

Explain Active Directory Schema?

Windows 2000 and Windows Server 2003 Active Directory uses a database set
of rules called the "Schema". The Schema is defined as the formal definition of all
object classes, and the attributes that make up those object classes, that can
be stored in the directory. As mentioned earlier, the Active Directory database
includes a default Schema, which defines many object classes, such as users,
groups, computers, domains, organizational units, and so on.

These objects are also known as "Classes". The Active Directory Schema can be
dynamically extensible, meaning that you can modify the schema by defining
new object types and their attributes and by defining new attributes for existing
objects. You can do this either with the Schema Manager snap-in tool included
with Windows 2000/2003 Server, or programmatically.

How can you forcibly remove AD from a server, and what do you do
later? Can I get user passwords from the AD database?
With dcpromo /forceremoval, an administrator can forcibly remove Active
Directory and roll back the system without having to contact or replicate any
locally held changes to another DC in the forest. Reboot the server. After you
use the dcpromo /forceremoval command, all the remaining metadata for the
demoted DC is not deleted on the surviving domain controllers, and therefore
you must manually remove it by using the NTDSUTIL command.

In the event that the NTDS Settings object is not removed correctly you can use
the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will
need the following tool: Ntdsutil.exe, Active Directory Sites and Services, Active
Directory Users and Computers
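
Before and after the ntdsutil metadata cleanup, it helps to see exactly which
objects of the demoted DC are still present, since a leftover server object,
computer account or FSMO reference keeps other DCs trying to replicate with a
machine that no longer exists. The following is an added example, not code from
the original page; it assumes the ActiveDirectory module and uses a placeholder
DC name.

```powershell
# Added example (not from the original page): list metadata that a forced
# demotion can leave behind for a DC. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleDcMetadata {
    param([Parameter(Mandatory)][string] $DcName)   # short name, e.g. OLDDC01
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $domain   = Get-ADDomain
    $forest   = Get-ADForest

    # Server object under CN=Sites in the Configuration partition, and its
    # NTDS Settings child (the object ntdsutil "metadata cleanup" removes).
    $server = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$DcName))" `
                           -SearchBase "CN=Sites,$configNc" -SearchScope Subtree
    $ntds = if ($server) {
        Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' `
                     -SearchBase $server.DistinguishedName -SearchScope OneLevel
    }
    # Computer account in the Domain Controllers OU.
    $computer = Get-ADComputer -LDAPFilter "(cn=$DcName)" `
                               -SearchBase $domain.DomainControllersContainer
    # FRS member object for SYSVOL replication (2000/2003 replicate SYSVOL with FRS).
    $frsMember = Get-ADObject -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$DcName))" `
                              -SearchBase "CN=System,$($domain.DistinguishedName)" -SearchScope Subtree
    # Any FSMO role still recorded against the dead DC must be seized.
    $rolesHeld = @($forest.SchemaMaster, $forest.DomainNamingMaster,
                   $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster) |
                 Where-Object { $_ -like "${DcName}.*" }

    [pscustomobject]@{
        ServerObject       = $server.DistinguishedName
        NtdsSettings       = $ntds.DistinguishedName
        ComputerObject     = $computer.DistinguishedName
        FrsMember          = $frsMember.DistinguishedName
        FsmoRolesStillHeld = $rolesHeld
    }
}

Get-StaleDcMetadata -DcName 'OLDDC01'
```

Every property that is still populated after the cleanup is something left to
remove (with ntdsutil or the snap-ins the page names); DNS records for the old
DC are a separate check in the DNS console.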

What are the FSMO roles? Who has them by default? What happens
when each one fails?
Flexible Single Master Operation (FSMO) role. Currently there are five FSMO
roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master

What is a domain tree?

Domain Trees: A domain tree comprises several domains that share a common
schema and configuration, forming a contiguous namespace. Domains in a tree
are also linked together by trust relationships. Active Directory is a set of one or
more trees.
Trees can be viewed two ways. One view is the trust relationships between
domains. The other view is the namespace of the domain tree.

What is a forest?
A collection of one or more domain trees with a common schema and implicit
trust relationships between them. This arrangement would be used if you have
multiple root DNS addresses.

How to Select the Appropriate Restore Method?

You select the appropriate restore method by considering:
Circumstances and characteristics of the failure. The two major categories of
failure, from an Active Directory perspective, are Active Directory data
corruption and hardware failure.

Active Directory data corruption occurs when the directory contains corrupt data
that has been replicated to all domain controllers or when a large portion of the
Active Directory hierarchy has been changed accidentally (such as deletion of an
OU) and this change has replicated to other domain controllers.

Where are the Windows NT Primary Domain Controller (PDC) and its
Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a
multimaster peer-to-peer read and write relationship that hosts copies of the
Active Directory.

What is Global Catalog?

The Global Catalog authenticates network user logons and fields inquiries about
objects across a forest or tree. Every domain has at least one GC that is hosted
on a domain controller. In Windows 2000, there was typically one GC on every
site in order to prevent user logon failures across the network.

How long does it take for security changes to be replicated among the
domain controllers?
Security-related modifications are replicated within a site immediately. These
changes include account and individual user lockout policies, changes to
password policies, changes to computer account passwords, and modifications
to the Local Security Authority (LSA).

When should you create a forest?

Organizations that operate on radically different bases may require separate
trees with distinct namespaces. Unique trade or brand names often give rise to
separate DNS identities. Organizations merge or are acquired and naming
continuity is desired. Organizations form partnerships and joint ventures. While
access to common resources is desired, a separately defined tree can enforce
more direct administrative and security restrictions.

Describe the process of working with an external domain name?

If it is not possible for you to configure your internal domain as a subdomain of
your external domain, use a stand-alone internal domain. This way, your
internal and external domain names are unrelated. For example, an
organization that uses the domain name contoso.com for their external
namespace uses the name corp.internal for their internal namespace.

The advantage to this approach is that it provides you with a unique internal
domain name. The disadvantage is that this configuration requires you to
manage two separate namespaces. Also, using a stand-alone internal domain
that is unrelated to your external domain might create confusion for users
because the namespaces do not reflect a relationship between resources within
and outside of your network.

In addition, you might have to register two DNS names with an Internet name
authority if you want to make the internal domain publicly accessible.

Global Catalog

Because AD is the central component of a Windows network, network clients
and servers frequently query it. In order to increase the availability of AD data
on the network as well as the efficiency of directory object queries from clients,
AD includes a service known as the GC. The GC is a separate database from AD
and contains a partial, read-only replica of all the directory objects in the entire
AD forest.

Only Windows servers acting as domain controllers can be configured as GC
servers. By default, the first domain controller in a Windows forest is
automatically configured to be a GC server (this designation can be moved later
to a different domain controller if desired; however, every forest must contain
at least one GC). Like AD, the GC uses replication in order to ensure updates
between the various GC servers within a domain or forest. In addition to being a
repository of commonly queried AD object attributes, the GC plays two primary
roles on a Windows network:

Network logon authentication: In native-mode domains (networks in which all
domain controllers have been upgraded to Win2K or later, and the domain's
functional level has been manually set to the appropriate level), the GC
facilitates network logons for AD-enabled clients. It does so by providing
universal group membership information to the account sending the logon
request to a domain controller. This applies not only to regular users but also to
every type of object that must authenticate to AD (including computers). In
multi-domain networks, at least one domain controller acting as a GC must be
available in order for users to log on. Another situation that requires a GC
server occurs when a user attempts to log on with a user principal name (UPN)
other than the default. If a GC server is not available in these circumstances,
users will only be able to log on to the local computer (the one exception is
members of the domain administrators group, who do not require a GC server
in order to log on to the network).

Directory searches and queries: With AD, read requests such as directory
searches and queries by far tend to outweigh write-oriented requests such as
directory updates (for example, by an administrator or during replication). The
majority of AD-related network traffic is comprised of requests from users,
administrators, and applications about objects in the directory. As a result, the
GC is essential to the network infrastructure because it allows clients to quickly
perform searches across all domains within a forest.

(Although mixed-mode Win2K domains do not require the GC for the network
logon authentication process, GCs are still important in facilitating directory
queries and searches on these networks and should therefore be made available
at each site within the network.)

Flexible Single Master Operations (FSMO in AD)

Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as the Active Directory, provides the
flexibility of allowing changes to occur at any DC in the enterprise, but it also
introduces the possibility of conflicts that can potentially lead to problems once
the data is replicated to the rest of the enterprise.

One way Windows 2000/2003 deals with conflicting updates is by having a
conflict resolution algorithm handle discrepancies in values by resolving to the
DC to which changes were written last (that is, "the last writer wins"), while
discarding the changes in all other DCs. Although this resolution method may be
acceptable in some cases, there are times when conflicts are just too difficult to
resolve using the "last writer wins" approach. In such cases, it is best to prevent
the conflict from occurring rather than to try to resolve it after the fact.

For certain types of changes, Windows 2000/2003 incorporates methods to
prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model

To prevent conflicting updates in Windows 2000/2003, the Active Directory
performs updates to certain objects in a single-master fashion.

In a single-master model, only one DC in the entire directory is allowed to
process updates. This is similar to the role given to a primary domain controller
(PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in
which the PDC is responsible for processing all updates in a given domain.

In a forest, there are five FSMO roles that are assigned to one or more domain
controllers. The five FSMO roles are:

Schema Master:

The schema master domain controller controls all updates and modifications to
the schema. Once the Schema update is complete, it is replicated from the
schema master to all other DCs in the directory. To update the schema of a
forest, you must have access to the schema master. There can be only one
schema master in the whole forest.

Domain naming master:

The domain naming master domain controller controls the addition or removal
of domains in the forest. This DC is the only one that can add or remove a
domain from the directory. It can also add or remove cross references to
domains in external directories. There can be only one domain naming master
in the whole forest.

Infrastructure Master:

When an object in one domain is referenced by another object in another
domain, it represents the reference by the GUID, the SID (for references to
security principals), and the DN of the object being referenced. The
infrastructure FSMO role holder is the DC responsible for updating an object's
SID and distinguished name in a cross-domain object reference. At any one
time, there can be only one domain controller acting as the infrastructure
master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller
that is not a Global Catalog server (GC). If the Infrastructure Master runs on a
Global Catalog server it will stop updating object information because it does
not contain any references to objects that it does not hold. This is because a
Global Catalog server holds a partial replica of every object in the forest.
As a result, cross-domain object references in that domain will not be updated
and a warning to that effect will be logged on that DC's event log. If all the
domain controllers in a domain also host the global catalog, all the domain
controllers have the current data, and it is not important which domain
controller holds the infrastructure master role.

Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. When a DC creates a security principal object
such as a user or group, it attaches a unique Security ID (SID) to the object.

This SID consists of a domain SID (the same for all SIDs created in a domain),
and a relative ID (RID) that is unique for each security principal SID created in
a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to
assign to the security principals it creates.

When a DC's allocated RID pool falls below a threshold, that DC issues a request
for additional RIDs to the domain's RID master. The domain RID master
responds to the request by retrieving RIDs from the domain's unallocated RID
pool and assigns them to the pool of the requesting DC. At any one time, there
can be only one domain controller acting as the RID master in the domain.
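
The SID structure and the RID pools described above can be inspected directly,
which is how you confirm that a DC still has RIDs to hand out (the dcdiag
/test:ridmanager check earlier on the page reports the same data). The following
is an added example, not code from the original page; the sample SID is
constructed, and the live queries assume the ActiveDirectory module. The pool
attributes are read from CN=RID Manager$ (domain-wide pool) and from each
DC's CN=RID Set object.

```powershell
# Added example (not from the original page): split a SID into domain SID and
# RID, and decode the packed RID pool attributes. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Split-Sid {
    # The domain SID is shared by every principal in the domain; the RID is the
    # last sub-authority and is unique per principal within that domain.
    param([Parameter(Mandatory)][string] $Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $parts  = $Sid -split '-'
    [pscustomobject]@{
        Sid       = $sidObj.Value
        DomainSid = $sidObj.AccountDomainSid.Value
        Rid       = [int]$parts[-1]
    }
}

function ConvertFrom-RidPool {
    # rIDAvailablePool (domain) and rIDAllocationPool (per DC) pack two 32-bit
    # values into one 64-bit integer: low 32 bits = start (next RID to hand
    # out), high 32 bits = end of the range.
    param([Parameter(Mandatory)][long] $Pool)
    [pscustomobject]@{
        Start = $Pool -band [long][uint32]::MaxValue
        End   = $Pool -shr 32
    }
}

# Constructed sample SID: RID 1105 in an arbitrary domain.
Split-Sid 'S-1-5-21-3623811015-3361044348-30300820-1105'

# Domain-wide unallocated pool, held by the RID master.
$domainDn = (Get-ADDomain).DistinguishedName
$ridMgr   = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domainDn) -Properties rIDAvailablePool
'Domain pool (next RID / ceiling):'
ConvertFrom-RidPool $ridMgr.rIDAvailablePool

# The block each DC has been allocated from that pool.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ridSet = Get-ADObject -Identity ('CN=RID Set,' + $dc.ComputerObjectDN) -Properties rIDAllocationPool
    $range  = ConvertFrom-RidPool $ridSet.rIDAllocationPool
    [pscustomobject]@{ DC = $dc.Name; PoolStart = $range.Start; PoolEnd = $range.End }
}
```

A DC whose allocated block is nearly used up while the RID master is offline will
stop creating users and groups, which is the practical reason the RID master
needs a standby.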

PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows
2000/2003 includes the W32Time (Windows Time) time service that is required
by the Kerberos authentication protocol.

All Windows 2000/2003-based computers within an enterprise use a common
time. The purpose of the time service is to ensure that the Windows Time
service uses a hierarchical relationship that controls authority and does not
permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC
emulator at the root of the forest becomes authoritative for the enterprise, and
should be configured to gather the time from an external source.

All PDC FSMO role holders follow the hierarchy of domains in the selection of
their in-bound time partner. In a Windows 2000/2003 domain, the PDC
emulator role holder retains the following functions:

Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an
incorrect password are forwarded to the PDC emulator before a bad password
failure message is reported to the user.

Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPO) is always done from the GPO
copy found in the PDC Emulator's SYSVOL share, unless configured not to do so
by the administrator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT
4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or
earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations,
member servers, and domain controllers that are running Windows NT 4.0 or
earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs
the other functions as described in a Windows 2000/2003 environment. At any
one time, there can be only one domain controller acting as the PDC emulator
master in each domain in the forest.

Planning FSMO / Considerations for the FSMO placement in Active Directory

Windows 2000/2003 Active Directory domains utilize a Single Operation Master
method called FSMO (Flexible Single Master Operation), as described in
Understanding FSMO Roles in Active Directory.

In most cases an administrator can keep the FSMO role holders (all 5 of them)
in the same spot (or actually, on the same DC) as has been configured by the
Active Directory installation process. However, there are scenarios where an
administrator would want to move one or more of the FSMO roles from the
default holder DC to a different DC.

Windows Server 2003 Active Directory is a bit different than the Windows 2000
version when dealing with FSMO placement. In this article I will only deal with
Windows Server 2003 Active Directory, but you should bear in mind that most
considerations are also true when planning Windows 2000 AD FSMO roles.

Single Domain Forest

In a single domain forest, leave all of the FSMO roles on the first domain
controller in the forest. You should also configure all the domain controllers as
Global Catalog servers. This will NOT place additional stress on the DCs, while
allowing GC-related applications (such as Exchange Server) to easily perform
GC queries.

Multiple Domain Forest

In a multiple domain forest, use the following guidelines:

# In the forest root domain:

• If all domain controllers are also global catalog servers, leave all of the FSMO
roles on the first DC in the forest.

• If not all domain controllers are also global catalog servers, move all of the
FSMO roles to a DC that is not a global catalog server.

• In each child domain, leave the PDC emulator, RID master, and Infrastructure
master roles on the first DC in the domain, and ensure that this DC is never
designated as a global catalog server (unless the child domain only contains one
DC, then you have no choice but to leave it in place).

Configure a standby operations master

For each server that holds one or more operations master roles, make another
DC in the same domain available as a standby operations master. Making a DC
a standby operations master involves the following:

• The standby operations master should not be a global catalog server except in
a single domain environment, where all domain controllers are also global
catalog servers.

• The standby operations master should have a manually created replication
connection to the domain controller that it is the standby operations master for,
and it should be in the same site.

• Configure the RID master as a direct replication partner with the standby or
backup RID master. This configuration reduces the risk of losing data when you
seize the role because it minimizes replication latency.

To create a connection object on the current operations master:

1. In Active Directory Sites and Services snap-in, in the console tree in the left
pane, expand the Sites folder to see the list of available sites.

2. Expand the site name in which the current role holder is located to display
the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.

4. Expand the name of the server that is currently hosting the operations
master role to display NTDS Settings.

5. Right-click NTDS Settings, click New, and then click Connection.

6. In the Find Domain Controllers dialog box, select the name of the standby
operations master then click OK.

7. In the New Object-Connection dialog box, enter an appropriate name for the
connection object or accept the default name and click OK.

To create a connection object on the standby operations master perform the
same procedure as above, and point the connection to the current FSMO role
holder.
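
The three requirements above (same site, not a GC unless every DC is one, and a
connection object in each direction) can be verified rather than eyeballed in the
snap-in. The following is an added example, not code from the original page; it
assumes the ActiveDirectory module and uses placeholder DC names. A connection
object lives under the destination DC's NTDS Settings and names the source DC's
NTDS Settings in its fromServer attribute, which is what the check reads.

```powershell
# Added example (not from the original page): verify a standby operations
# master setup. Assumes the ActiveDirectory module; DC names are placeholders.
Import-Module ActiveDirectory

function Test-StandbyOperationsMaster {
    param(
        [Parameter(Mandatory)][string] $RoleHolder,   # current role holder (hostname)
        [Parameter(Mandatory)][string] $Standby       # intended standby (hostname)
    )
    $holderDc  = Get-ADDomainController -Identity $RoleHolder
    $standbyDc = Get-ADDomainController -Identity $Standby
    $allGc     = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $single    = @((Get-ADForest).Domains).Count -eq 1

    # Inbound connection objects are children of a DC's NTDS Settings object;
    # fromServer holds the DN of the source DC's NTDS Settings.
    function Get-InboundConnections([string] $NtdsSettingsDn) {
        Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' -SearchBase $NtdsSettingsDn `
                     -SearchScope OneLevel -Properties fromServer
    }
    $toStandby = Get-InboundConnections $standbyDc.NTDSSettingsObjectDN |
                 Where-Object { $_.fromServer -eq $holderDc.NTDSSettingsObjectDN }
    $toHolder  = Get-InboundConnections $holderDc.NTDSSettingsObjectDN |
                 Where-Object { $_.fromServer -eq $standbyDc.NTDSSettingsObjectDN }

    [pscustomobject]@{
        SameSite                  = $holderDc.Site -eq $standbyDc.Site
        StandbyIsGc               = $standbyDc.IsGlobalCatalog
        StandbyGcAcceptable       = (-not $standbyDc.IsGlobalCatalog) -or ($single -and $allGc)
        HolderToStandbyConnection = [bool]$toStandby
        StandbyToHolderConnection = [bool]$toHolder
    }
}

Test-StandbyOperationsMaster -RoleHolder 'DC01.corp.example' -Standby 'DC02.corp.example'
```

A False in either connection column means one side of the manual connection
described in the steps above is missing; StandbyGcAcceptable False means the
standby would run into the infrastructure master problem noted earlier if the
role were ever seized to it.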

Note regarding Windows 2000 Active Directory domains: If the forest is set to a
functional level of Windows 2000 native, you must locate the domain naming
master on a server that hosts the global catalog. If the forest is set to a
functional level of Windows Server 2003, it is not necessary for the domain
naming master to be on a global catalog server.
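
The placement rules from this section (every DC a GC in a single-domain forest,
the infrastructure master off the GC unless all DCs are GCs, the forest-root roles
on a non-GC when the DCs are mixed, and the domain naming master on a GC at
the Windows 2000 forest level) make a compact audit. The following is an added
example, not code from the original page; it assumes the ActiveDirectory module
and that the account running it can read every domain in the forest.

```powershell
# Added example (not from the original page): audit FSMO placement against the
# guidelines in this section. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest   = Get-ADForest
    $single   = @($forest.Domains).Count -eq 1
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        $imDc   = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

        # Single-domain forest: every DC should be a GC.
        if ($single -and -not $allGc) {
            $findings.Add("$domainName : single-domain forest, but not every DC is a global catalog")
        }
        # Infrastructure master on a GC only works when every DC in the domain is a GC.
        if ($imDc -and $imDc.IsGlobalCatalog -and -not $allGc) {
            $findings.Add("$domainName : infrastructure master $($domain.InfrastructureMaster) is a GC while other DCs are not; cross-domain references will stop updating")
        }
        # Forest root with mixed GC / non-GC DCs: forest roles belong on a non-GC.
        if ($domainName -eq $forest.RootDomain -and -not $allGc) {
            foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
                $holder = $dcs | Where-Object { $_.HostName -eq $forest.$role }
                if ($holder -and $holder.IsGlobalCatalog) {
                    $findings.Add("$domainName : $role is on GC $($forest.$role) while other DCs are not GCs")
                }
            }
        }
    }

    # Windows 2000 forest functional level: the domain naming master must be a GC.
    if ("$($forest.ForestMode)" -eq 'Windows2000Forest') {
        $dnmDc = Get-ADDomainController -Identity $forest.DomainNamingMaster
        if (-not $dnmDc.IsGlobalCatalog) {
            $findings.Add("forest at Windows 2000 functional level, but domain naming master $($forest.DomainNamingMaster) is not a GC")
        }
    }

    if ($findings.Count -eq 0) { return 'No FSMO placement findings' }
    return $findings
}

Test-FsmoPlacement
```

The findings are advisory: the Windows 2000 forest-level rule and the "keep forest
roles off a GC" rule can contradict each other, which is exactly the situation the
note above describes.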

Transferring FSMO Roles

In most cases an administrator can keep the FSMO role holders (all 5 of them)
in the same spot (or actually, on the same DC) as has been configured by the
Active Directory installation process. However, there are scenarios where an
administrator would want to move one or more of the FSMO roles from the
default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future
FSMO role holder are online and operational is called Transferring, and is
described in this article.

Transferring is the recommended way to move an FSMO role between domain
controllers. A transfer can be initiated by the administrator, and it also happens
automatically when a domain controller that holds a role is demoted. The operating
system does not initiate a transfer in other situations, such as when a server is
shut down: FSMO roles are not relocated during the shutdown process, which must
be considered when a domain controller that holds an FSMO role is taken down for
maintenance, for example.

In a graceful transfer of an FSMO role between two domain controllers, a
synchronization of the data that is maintained by the FSMO role owner to the
server receiving the FSMO role is performed prior to transferring the role to
ensure that any changes have been recorded before the role change.

However, when the original FSMO role holder has gone offline or become
non-operational for a long period of time, the administrator might consider moving
the FSMO role from the original, non-operational holder to a different DC. The
process of moving an FSMO role from a non-operational role holder to a
different DC is called Seizing, and is described in the Seizing FSMO Roles article.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or
by using an MMC snap-in tool. Depending on the FSMO role that you want to
transfer, you can use one of the following three MMC snap-in tools:

 Active Directory Schema snap-in
 Active Directory Domains and Trusts snap-in
 Active Directory Users and Computers snap-in

Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure
Master FSMO Roles:

1. Open the Active Directory Users and Computers snap-in from the
Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in,
right-click the icon next to Active Directory Users and Computers and
press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder, the target,
and press OK.
4. Right-click the Active Directory Users and Computers icon again and press
Operation Masters.
5. Select the appropriate tab for the role you wish to transfer and press the
Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.

Transferring the Domain Naming Master via GUI

To Transfer the Domain Naming Master Role:

1. Open the Active Directory Domains and Trusts snap-in from the
Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in,
right-click the icon next to Active Directory Domains and Trusts and press
Connect to Domain Controller.
3. Select the domain controller that will be the new role holder and press
OK.
4. Right-click the Active Directory Domains and Trusts icon again and press
Operation Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.

Transferring the Schema Master via GUI

To Transfer the Schema Master Role:

1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:

regsvr32 schmmgmt.dll

2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. If you are NOT logged onto the target domain controller, in the snap-in,
right-click the Active Directory Schema icon in the Console Root and press
Change Domain Controller.
8. Press Specify ... and type the name of the new role holder. Press OK.
9. Right-click the Active Directory Schema icon again and press
Operation Masters.
10. Press the Change button.
11. Press OK all the way out.

Transferring the FSMO Roles via Ntdsutil

To transfer the FSMO roles from the Ntdsutil command:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete
loss of Active Directory functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the
Open box, and then click OK.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:

2. Type roles, and then press ENTER.

ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil
tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.

fsmo maintenance: connections
server connections:

4. Type connect to server <servername>, where <servername> is the name
of the server you want to use, and then press ENTER.

server connections: connect to server server1
Binding to server1 ...
Connected to server1 using credentials of locally logged on user.
server connections:

5. At the server connections: prompt, type q, and then press ENTER again.

server connections: q
fsmo maintenance:

6. Type transfer <role>, where <role> is the role you want to transfer.

For example, to transfer the RID Master role, you would type transfer rid
master:

Options are:

Transfer domain naming master
Transfer infrastructure master
Transfer PDC
Transfer RID master
Transfer schema master

7. You will receive a warning window asking if you want to perform the
transfer. Click on Yes.
8. After you transfer the roles, type q and press ENTER until you quit
Ntdsutil.exe.
9. Restart the server and make sure you update your backup.

Seizing FSMO Roles

In most cases an administrator can keep the FSMO role holders (all 5 of
them) in the same spot (or actually, on the same DC)
as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move
one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the
future FSMO role holder are online and operational is called Transferring,
and is described in the Transferring FSMO Roles article.

However, when the original FSMO role holder went offline or became non
operational for a long period of time, the administrator might consider
moving the FSMO role from the original, non-operational holder, to a
different DC. The process of moving the FSMO role from a non-operational
role holder to a different DC is called Seizing, and is described in this article.

If a DC holding an FSMO role fails, the best thing to do is to try to get the
server online again. None of the FSMO roles is immediately critical (well,
almost none: the loss of the PDC Emulator FSMO role might become a problem
unless you fix it in a reasonable amount of time), so it is not a problem for
them to be unavailable for hours or even days.

If a DC becomes unreliable, try to get it back online, and transfer the FSMO
roles to a reliable computer. Administrators should use extreme caution in
seizing FSMO roles. This operation, in most cases, should be performed only
if the original FSMO role owner will not be brought back into the
environment. Only seize an FSMO role if absolutely necessary, when the
original role holder is not connected to the network.

The following table summarizes the FSMO seizing restrictions:

FSMO Role        Restrictions
Schema           Original must be reinstalled
Domain Naming    Original must be reinstalled
RID              Original must be reinstalled
PDC Emulator     Can transfer back to original
Infrastructure   Can transfer back to original

Another consideration before performing the seize operation is the
administrator's group membership, as this table lists:

FSMO Role        Administrator must be a member of
Schema           Schema Admins
Domain Naming    Enterprise Admins
RID              Domain Admins
PDC Emulator     Domain Admins
Infrastructure   Domain Admins

To seize the FSMO roles by using Ntdsutil, follow these steps:

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open
box, and then click OK.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS>ntdsutil
ntdsutil:

2. Type roles, and then press ENTER.

ntdsutil: roles
fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the
Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.

fsmo maintenance: connections
server connections:

4. Type connect to server <servername>, where <servername> is the name of the
server you want to use, and then press ENTER.

server connections: connect to server server1
Binding to server1 ...
Connected to server1 using credentials of locally logged on user.
server connections:

5. At the server connections: prompt, type q, and then press ENTER again.

server connections: q
fsmo maintenance:

6. Type seize <role>, where <role> is the role you want to seize. For example, to
seize the RID Master role, you would type seize rid master:

Options are:

Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master

7. You will receive a warning window asking if you want to perform the
seize. Click on Yes.

fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002
(UNAVAILABLE), data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The
current FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server1" knows about 5 roles

Note: All five roles need to be in the forest. If the first domain controller is out
of the forest then seize all roles. Determine which roles are to be on which
remaining domain controllers so that all five roles are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until
you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain
controller as a Global Catalog server, unless every domain controller in the
domain is also a global catalog. The Infrastructure Master updates references
to objects in other domains by comparing them against a global catalog; because
a GC server holds a partial replica of every object in the forest, a GC never
holds any references to objects it does not have, so an Infrastructure Master
running on a GC stops updating that information.
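The transfer and seize procedure above, together with the two placement rules the notes call for (roles spread across more than one DC, and the Infrastructure Master not on a global catalog unless every DC is one), as an added PowerShell example. This is not code from the original page; it uses the Microsoft ActiveDirectory (RSAT) module, and the function names and the placeholder name TARGET-DC are assumptions.

```powershell
# Added example, not part of the original page. Requires the ActiveDirectory
# module (RSAT) and a session holding the group membership listed in the table
# above for the role being moved. Function and DC names are assumptions.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # One object per FSMO role with its current holder (forest roles from
    # Get-ADForest, domain roles from Get-ADDomain).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator }
    [pscustomobject]@{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $domain.RIDMaster }
    [pscustomobject]@{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
}

function Test-FsmoPlacement {
    # Checks the two placement rules from the notes above; returns $true when
    # both hold and warns with the offending DC name otherwise.
    $ok    = $true
    $roles = @(Get-FsmoRoleHolder)
    $dcs   = @(Get-ADDomainController -Filter *)

    # Rule 1: do not leave all five roles on a single domain controller.
    $holders = @($roles.Holder | Sort-Object -Unique)
    if ($holders.Count -eq 1 -and $dcs.Count -gt 1) {
        Write-Warning "All five FSMO roles sit on $($holders[0]); spread them across DCs."
        $ok = $false
    }

    # Rule 2: Infrastructure Master must not be a GC unless every DC is a GC.
    $imName    = ($roles | Where-Object Role -eq 'InfrastructureMaster').Holder
    $im        = $dcs | Where-Object { $_.HostName -eq $imName }
    $everyDcGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im -and $im.IsGlobalCatalog -and -not $everyDcGc) {
        Write-Warning "Infrastructure Master $imName is a GC while other DCs are not; move the role."
        $ok = $false
    }
    return $ok
}

function Move-FsmoRole {
    # Transfers (or, with -Seize, seizes) one or more roles onto $TargetDc.
    # Without -Seize this is the graceful transfer described above. -Seize maps
    # to the cmdlet's -Force, which still attempts a transfer first and seizes
    # only if the current holder cannot be contacted. Per the restrictions
    # table, seize only when the old holder will never come back.
    param(
        [Parameter(Mandatory)] [string] $TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string[]] $Role,
        [switch] $Seize
    )
    if (-not $Seize) {
        # A graceful transfer needs the current holder online; fail early if not.
        foreach ($r in $Role) {
            $holder = (Get-FsmoRoleHolder | Where-Object Role -eq $r).Holder
            if (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
                throw "Current $r holder $holder is unreachable; use -Seize only if it is gone for good."
            }
        }
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force:$Seize -Confirm:$true
}

# Usage (TARGET-DC is a placeholder name):
#   Get-FsmoRoleHolder | Format-Table
#   Test-FsmoPlacement
#   Move-FsmoRole -TargetDc 'TARGET-DC' -Role RIDMaster
#   Move-FsmoRole -TargetDc 'TARGET-DC' -Role SchemaMaster, DomainNamingMaster -Seize
```

The cmdlet keeps the confirmation prompt that Ntdsutil shows, and the reachability check in Move-FsmoRole prevents the common mistake of running a plain transfer against a dead holder and then reaching for a seize without first deciding whether the old DC is really gone.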

Forest and Domain Functional Levels

Overview of Domain and Forest Functional levels

Domain and forest functional levels provide the means by which you can
enable additional domain-wide and forest-wide Active Directory features,
remove outdated backward compatibility within your environment, and
improve Active Directory performance and security. In Windows 2000, the
terminology used to refer to domain functional levels was domain modes.
Forests in Windows 2000 have one mode, and domains can have the domain
mode set as either mixed mode or native mode. With Windows Server
2003 Active Directory came the introduction of the Windows Server
2003 interim functional level and Windows Server 2003 functional level for
both domains and forests. The four domain functional levels that can be set
for domain controllers are Windows 2000 mixed, Windows 2000 native,
Windows Server 2003 interim, and Windows Server 2003. The default
domain functional level is Windows 2000 mixed. The three forest functional
levels are Windows 2000, Windows Server 2003 interim, and
Windows Server 2003. The default forest functional level is Windows 2000.

When the Windows Server 2003 functional level is enabled in your
environment, additional Active Directory domain-wide and forest-wide
features are automatically enabled. The Windows Server 2003 functional level
can be enabled only when all domain controllers are running
Windows Server 2003. The Active Directory Domains And Trusts console is
used to raise the functional levels of domains and forests in Active
Directory.

Domain Functional Levels

When raising the domain functional level from Windows 2000 mixed to Windows
2000 native or the Windows Server 2003 functional level, domain
controllers are regarded as peers to each other. What this essentially means
is that the domain master concept no longer exists. It also means that pre-
Windows 2000 replication no longer exists. If you are considering raising the
domain functional level within your environment to Windows Server 2003,
you should remember that after the domain functional level is raised, you
cannot add any Windows 2000 domain controller to that domain.

Windows 2000 Mixed Domain Functional Level

Any newly installed domain controller operates in Windows 2000 mixed
domain functional level for the domain by default. This makes the Windows
2000 mixed domain functional level the default functional level for all
Windows Server 2003 domains. Windows 2000 mixed domain functional
level enables the Windows Server 2003 domain controller to operate
together with Windows NT 4, Windows 2000, and Windows Server
2003 domain controllers. The only Windows NT domain controllers
supported are Windows NT backup domain controllers (BDCs). Windows NT
primary domain controllers do not exist in Active Directory. In Active
Directory, domain controllers act as peers to one another. Windows 2000
mixed domain functional level is usually used to migrate domain controllers
from Windows NT to Windows 2000 domain controllers.

You can raise Windows 2000 mixed domain functional level to

 Windows 2000 native domain functional level
 Windows Server 2003 domain functional level

The Active Directory domain features that are available in Windows 2000
mixed domain functional level are listed below:

 Local and Global groups
 Distribution Groups
 Distribution Group nesting
 Global Catalog support
 Up to 40,000 domain objects are supported

The Active Directory domain features that are not supported in Windows
2000 mixed domain functional level are listed below:

 Renaming domain controllers
 Universal Groups
 Security group nesting
 SID History
 Update logon timestamp
 Group conversion between Security Groups and Distribution Groups
 Users/Computers container redirection
 Constrained delegation
 User password support on the InetOrgPerson object

Windows 2000 Native Domain Functional Level

The Windows 2000 native domain functional level enables Windows Server
2003 domain controllers to operate with Windows 2000 domain controllers
and Windows Server 2003 domain controllers. This domain functional level
is typically used to support domain controller upgrades from Windows 2000
to Windows Server 2003. Windows NT 4.0 backup domain controllers are
not supported in the Windows 2000 native domain functional level. Windows
2000 native cannot be lowered again to the Windows 2000 mixed domain
functional level.

You can raise the Windows 2000 native domain functional level to

 Windows Server 2003 domain functional level.

The Active Directory domain features that are available in Windows 2000
native domain functional level are listed below:

 Local and Global groups
 Distribution Groups
 Distribution group nesting
 Security group nesting
 Universal Groups
 Group conversion between Security Groups and Distribution Groups
 Global Catalog support
 SID History
 Up to 1,000,000 domain objects are supported

The Active Directory domain features that are not supported in Windows
2000 native domain functional level are listed below:

 Renaming domain controllers
 Update logon timestamp
 Users/Computers container redirection
 Constrained delegation
 User password support on the InetOrgPerson object

Windows Server 2003 Interim Domain Functional Level

Windows Server 2003 interim domain functional level enables domain
controllers running Windows Server 2003 to function in a domain containing
both Windows NT 4.0 domain controllers and Windows Server 2003 domain
controllers. Domain controllers running Windows 2000 are not supported in
this domain functional level. You can only set this domain functional level
when upgrading from Windows NT to Windows Server 2003. In fact, the
Windows Server 2003 interim domain functional level can only be raised to
Windows Server 2003 domain functional level. Windows Server
2003 interim domain functional level is also typically used when you are not
going to immediately upgrade your Windows NT 4.0 backup domain
controllers to Windows Server 2003, and when your existing Windows NT
domain has groups consisting of over 5,000 members.

The Active Directory domain features that are available in Windows Server
2003 interim domain functional level are listed below:

 Local and Global groups
 Distribution groups
 Distribution group nesting
 Global Catalog support
 Up to 40,000 domain objects are supported

The Active Directory domain features that are not supported in
Windows Server 2003 interim domain functional level are listed below:

 Renaming domain controllers
 Universal Groups
 Security group nesting
 SID History
 Update logon timestamp
 Group conversion between Security Groups and Distribution Groups
 Users/Computers container redirection
 Constrained delegation
 User password support on the InetOrgPerson object

Windows Server 2003 Domain Functional Level

Windows Server 2003 domain functional level is the highest level that can
be specified for a domain. All domain controllers in the domain are running
Windows Server 2003. This basically means that Windows NT 4 and Windows
2000 domain controllers are not supported in these domains. Once the domain
level is set as Windows Server 2003 domain functional level, it cannot be
lowered to any of the previous domain functional levels.

All Active Directory domain features are available in Windows Server
2003 domain functional level:

 Local and Global groups
 Distribution Groups
 Distribution group nesting
 Security group nesting
 Universal Groups
 Group conversion between Security Groups and Distribution Groups
 Global Catalog support
 SID History
 Up to 1,000,000 domain objects are supported
 Renaming domain controllers
 Update logon timestamp
 Users/Computers container redirection
 Constrained delegation
 User password support on the InetOrgPerson object

How to check which domain function level is set for the domain

1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to verify,
and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. You can view the existing domain functional level for the domain in
Current domain functional level.

How to raise the domain functional level to the Windows 2000 native domain
functional level or Windows Server 2003 domain functional level

Before you can raise the domain functional level to Windows Server
2003 domain functional level, each domain controller in the domain has to be
running Windows Server 2003.

To raise the domain functional level for a domain,

1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to raise,
and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. Use the Select An Available Domain Functional Level list to choose the
domain functional level for the domain.
5. Click Raise.
6. Click OK.

Forest Functional Levels

While Windows 2000 has only one forest functional level, Windows Server
2003 has three forest functional levels. Through the forest functional levels,
you can enable forest-wide Active Directory features in your Active Directory
environment. The forest functional levels work very much like the
domain functional levels.

Windows 2000 Forest Functional Level

This is the default forest functional level, which means that all newly created
Windows Server 2003 forests have this level when initially created. The
Windows 2000 forest functional level supports Windows NT 4, Windows
2000 and Windows Server 2003 domain controllers.

The Active Directory forest features that are available in Windows 2000
forest functional level are listed below:

 Universal Group caching
 Application directory partitions
 Global Catalog replication enhancements
 Installations from backups
 The Active Directory quota feature
 SIS for system access control lists (SACL)

The Active Directory forest features that are not supported in Windows 2000
forest functional level are listed below:

 Domain renaming
 Forest Trust
 Defunct schema objects
 Linked value replication
 Dynamic auxiliary classes
 Improved Knowledge Consistency Checker (KCC) replication algorithms
 Application groups
 InetOrgPerson objectClass
 NTDS.DIT size reduction

Windows Server 2003 Interim Forest Functional Level

Domain controllers in a domain running Windows NT 4 and Windows Server
2003 are supported in the Windows Server 2003 interim forest functional
level. This level is used when upgrading from Windows NT 4 to Windows
Server 2003. The functional level is also configured when you are not
planning to immediately upgrade your existing Windows NT 4 backup
domain controllers, or your existing Windows NT 4.0 domain has groups
consisting of over 5,000 members. No Windows 2000 domain controllers
can exist if the Windows Server 2003 interim forest functional level is set for
the forest. The Windows Server 2003 interim forest functional level can only
be raised to the Windows Server 2003 forest functional level.

The Active Directory forest-wide features that are available in Windows
Server 2003 interim forest functional level are listed below:

 Universal Group caching
 Application directory partitions
 Global Catalog replication enhancements
 Installations from backups
 The Active Directory quota feature
 SIS for system access control lists (SACL)
 Improved Knowledge Consistency Checker (KCC) replication algorithms
 Linked value replication

The Active Directory forest features that are not supported in Windows
Server 2003 interim forest functional level are listed below:

 Domain renaming
 Forest Trust
 Defunct schema objects
 Dynamic auxiliary classes
 Application groups
 InetOrgPerson objectClass
 NTDS.DIT size reduction

Windows Server 2003 Forest Functional Level

All domain controllers in the forest have to be running Windows Server 2003
in order for the forest functional level to be raised to the Windows Server
2003 forest functional level. What this means is that no domain controller
in the Active Directory forest can be running Windows NT 4 or Windows
2000. In the Windows Server 2003 forest functional level, all forest-wide
Active Directory features are available, including the following:

 Domain renaming
 Forest Trust
 Defunct schema objects
 Dynamic auxiliary classes
 Application groups
 Universal Group caching
 Application directory partitions
 Global Catalog replication enhancements
 Installations from backups
 The Active Directory quota feature
 SIS for system access control lists (SACL)
 Improved Knowledge Consistency Checker (KCC) replication algorithms
 Linked value replication
 InetOrgPerson objectClass
 NTDS.DIT size reduction

How to check which forest functional level is set for the forest

1. Open the Active Directory Domains And Trusts console.
2. Right-click Active Directory Domains and Trusts in the console tree, and
select Raise Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens.
4. You can view the existing forest functional level for the forest in
Current forest functional level.

How to raise the forest functional level to Windows Server 2003 forest
functional level

Each domain controller in the forest has to be running Windows Server 2003
before you can change the forest functional level to Windows Server 2003.
When you raise the forest functional level, all domains in the forest will
automatically have their domain functional level raised to Windows Server
2003.

To raise the forest functional level for a forest,

1. Open the Active Directory Domains And Trusts console.
2. Right-click Active Directory Domains And Trusts in the console tree, and
select Raise Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens.
4. Click Raise.
5. Click OK.

Approaches for Raising Functional Levels

You can use one of the following approaches to move from Windows 2000
mixed and Windows 2000 native functional levels to the Windows Server
2003 functional level for the entire forest. These are:

 Windows 2000 native route: This approach involves raising the domain
functional level to Windows 2000 native, and then raising the forest functional
level to Windows Server 2003.
 Windows Server 2003 route: This approach involves raising the domain
functional level to Windows 2000 native, and then to the Windows Server 2003
domain functional level. The forest functional level is then raised last, to
Windows Server 2003.
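The check-and-raise procedures for domain and forest functional levels above, as an added PowerShell example built on the Microsoft ActiveDirectory (RSAT) module; it is not code from the original page. The function names are assumptions; the cmdlets and the mode names (Windows2003InterimDomain, Windows2003Domain, Windows2003Forest) are the module's own. Note that the module expresses the Windows 2000 mixed and native levels as one value, so the mixed-to-native step is done in the console as described above, and only the Windows Server 2003 levels are handled here.

```powershell
# Added example, not part of the original page. Requires the ActiveDirectory
# module (RSAT) and Domain Admins (domain level) or Enterprise Admins (forest
# level). Function names are assumptions; mode names are the module's own.
Import-Module ActiveDirectory

function Get-FunctionalLevelReport {
    # Current domain and forest functional levels, the same values the
    # Active Directory Domains And Trusts dialogs display.
    $forest = Get-ADForest
    foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Identity $name
        [pscustomobject]@{
            Domain     = $name
            DomainMode = $domain.DomainMode
            ForestMode = $forest.ForestMode
        }
    }
}

function Get-DcBlockingLevel {
    # Domain controllers whose operating system rules out the Windows Server
    # 2003 levels: any Windows 2000 DC (Windows NT BDCs are not AD domain
    # controllers and never appear here, so they must be checked separately).
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string[]] $UnsupportedOsPatterns = @('Windows NT', 'Windows 2000')
    )
    Get-ADDomainController -Filter * -Server $Domain |
        Where-Object {
            $os = $_.OperatingSystem
            $UnsupportedOsPatterns | Where-Object { $os -like "*$_*" }
        } |
        Select-Object HostName, OperatingSystem
}

function Set-DomainLevelChecked {
    # Raises a domain functional level only after confirming no DC would be
    # left behind. The raise cannot be undone, so -WhatIf is honoured.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)]
        [ValidateSet('Windows2003InterimDomain', 'Windows2003Domain')]
        [string] $DomainMode
    )
    $blocking = @(Get-DcBlockingLevel -Domain $Domain)
    if ($blocking.Count -gt 0) {
        $blocking | ForEach-Object { Write-Warning "Blocking DC: $($_.HostName) runs $($_.OperatingSystem)" }
        throw "Cannot raise $Domain to $DomainMode while older domain controllers remain."
    }
    if ($PSCmdlet.ShouldProcess($Domain, "Raise domain functional level to $DomainMode")) {
        Set-ADDomainMode -Identity $Domain -DomainMode $DomainMode -Confirm:$false
    }
}

function Set-ForestLevelChecked {
    # Raising the forest level also raises every domain in it (see above), so
    # every domain is checked for blocking DCs before the change.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Windows2003InterimForest', 'Windows2003Forest')]
        [string] $ForestMode
    )
    $forest = Get-ADForest
    foreach ($d in $forest.Domains) {
        $blocking = @(Get-DcBlockingLevel -Domain $d)
        if ($blocking.Count -gt 0) {
            throw "Domain $d still has DCs running: $($blocking.OperatingSystem -join ', ')"
        }
    }
    if ($PSCmdlet.ShouldProcess($forest.Name, "Raise forest functional level to $ForestMode")) {
        Set-ADForestMode -Identity $forest -ForestMode $ForestMode -Confirm:$false
    }
}

# Usage (corp.example is a placeholder domain name):
#   Get-FunctionalLevelReport | Format-Table
#   Set-DomainLevelChecked -Domain 'corp.example' -DomainMode Windows2003Domain -WhatIf
#   Set-ForestLevelChecked -ForestMode Windows2003Forest
```

Run the domain and forest functions with -WhatIf first; because neither level can be lowered again, the dry run is the only chance to see which domain controller would have blocked the change before it is committed.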

Windows Server 2008 RODC Interview Questions !

What new attributes support the RODC Password Replication Policy?

Password Replication Policy is the mechanism for determining whether a
user or computer's credentials are allowed to replicate from a writable
domain controller to an RODC. The Password Replication Policy is always set
on a writable domain controller running Windows Server 2008.
The following attributes have been added to the Active Directory schema to
support the functionality that is required for RODC caching operations:

 msDS-Reveal-OnDemandGroup. This attribute points to the
distinguished name (DN) of the Allowed List. The credentials of the
members of the Allowed List are permitted to replicate to the RODC.
 msDS-NeverRevealGroup. This attribute points to the distinguished
names of security principals whose credentials are denied replication to
the RODC. This has no impact on the ability of these security principals to
authenticate using the RODC. The RODC never caches the credentials of
the members of the Denied List. A default list of security principals whose
credentials are denied replication to the RODC is provided. This improves
the security of RODCs that are deployed with default settings.
 msDS-RevealedList. This attribute is a list of security principals whose
current passwords have been replicated to the RODC.
 msDS-AuthenticatedToAccountList. This attribute contains a list of
security principals in the local domain that have authenticated to the
RODC. The purpose of the attribute is to help an administrator determine
which computers and users are using the RODC for logon. This enables
the administrator to refine the Password Replication Policy for the RODC.

How can you clear a password that is cached on an RODC?

There is no mechanism to erase passwords after they are cached on an
RODC. If you want to clear a password that is stored on an RODC, an
administrator should reset the password in the hub site. This way, the
password that is cached in the branch will no longer be valid for accessing
any resources in the hub site or other branches.

In the branch that contains the RODC on which the password may have
been compromised, the password will still be valid for authentication
purposes until the next replication cycle, at which time its value that is
stored on the RODC will be changed to Null. The new password will be
cached only after the user authenticates with it—or the new password is
prepopulated on the RODC—and if the PRP has not been changed. In the
event that an RODC is compromised, you should reset the passwords for all
accounts that have cached passwords and then rebuild the RODC.

Can an RODC replicate to other RODCs?

No, an RODC can only replicate from a writable Windows Server 2008
domain controller. In addition, two RODCs for the same domain in the same
site do not share cached credentials. You can deploy multiple RODCs for the
same domain in the same site, but it can lead to inconsistent logon
experiences for users if the WAN to the writable domain controller in a hub
site is offline.

This is because the credentials for a user might be cached on one RODC but
not the other. If the WAN to a writable domain controller is offline and the
user tries to authenticate with an RODC that does not have the user’s
credentials cached, then the logon attempt will fail.

What operations fail if the WAN is offline, but the RODC is online in
the branch office?

If the RODC cannot connect to a writable domain controller running
Windows Server 2008 in the hub, the following branch office operations fail:

 Password changes
 Attempts to join a computer to a domain
 Computer rename
 Authentication attempts for accounts whose credentials are not cached on
the RODC
 Group Policy updates that an administrator might attempt by running the
gpupdate /force command.

What operations succeed if the WAN is offline, but the RODC is
online in the branch office?

If the RODC cannot connect to a writable domain controller running
Windows Server 2008 in the hub, the following branch office operations
succeed:

 Authentication and logon attempts, if the credentials for the resource and
the requester are already cached.
 Local RODC server administration performed by a delegated RODC server
administrator.

Will RODC support my Active Directory–integrated application?

Yes, RODC supports an Active Directory–integrated application if the
application conforms to the following rules:

 If the application performs write operations, it must support referrals
(enabled by default on clients).
 The application must tolerate write outages when the hub is offline.

Does an RODC contain all of the objects and attributes that a
writable domain controller contains?

Yes, an RODC contains all the objects that a writable domain controller
contains. If you compare the LDAP store on a writable domain controller to
the LDAP store of an RODC, they are identical, except that the RODC does
not contain all of the credentials or attributes that are defined in the RODC
filtered attribute set.

Why does the RODC not have a relative ID (RID) pool?

All writable domain controllers can allocate RIDs from their respective RID
pools to create security principals as needed. Because an RODC cannot
create security principals, it cannot provide any RIDs, and it is never
allocated a RID pool.

Can I list the krbtgt account that is used by each RODC in the
domain?

Yes. To list the krbtgt account that is used by each RODC in the domain,
type the following command at a command line, and then press ENTER:

repadmin /showattr <WritableDcName> <distinguished name of the domain partition> /subtree /filter:"(&(objectclass=computer)(msDS-Krbtgtlink=*))" /atts:msDS-krbtgtlink
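The PRP attributes described above, the compromised-RODC response (reset every cached account's password from the hub, then rebuild), and the per-RODC krbtgt listing, as one added PowerShell example using the Microsoft ActiveDirectory (RSAT) module. This is not code from the original page; the function names and the placeholder RODC01 are assumptions, while the cmdlets and the msDS-KrbTgtLink attribute are real.

```powershell
# Added example, not part of the original page. Requires the ActiveDirectory
# module (RSAT) run against a writable DC. Function names and the RODC name
# are assumptions; cmdlets and attribute names are real.
Import-Module ActiveDirectory

function Get-RodcPrpAudit {
    # The four PRP views described above for one RODC: Allowed List
    # (msDS-Reveal-OnDemandGroup), Denied List (msDS-NeverRevealGroup), cached
    # accounts (msDS-RevealedList) and accounts that authenticated through the
    # RODC (msDS-AuthenticatedToAccountList), read via the module's cmdlets.
    param([Parameter(Mandatory)] [string] $Rodc)

    $allowed       = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    $denied        = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    $revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    $authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)

    # Accounts that log on through this RODC but are not cached: their logons
    # fail when the WAN is down, so they are the candidates for the Allowed List.
    $uncached = $authenticated | Where-Object { $_.DistinguishedName -notin $revealed.DistinguishedName }

    # Cached accounts that belong to privileged groups: a cached privileged
    # credential on a branch RODC is what the Denied List exists to prevent.
    $privilegedDns = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        try { (Get-ADGroupMember -Identity $g -Recursive).DistinguishedName } catch { }
    }
    $cachedPrivileged = $revealed | Where-Object { $_.DistinguishedName -in $privilegedDns }

    [pscustomobject]@{
        Rodc             = $Rodc
        AllowedList      = $allowed.Name
        DeniedList       = $denied.Name
        CachedAccounts   = $revealed.SamAccountName
        UncachedLogons   = $uncached.SamAccountName
        CachedPrivileged = $cachedPrivileged.SamAccountName
    }
}

function Invoke-RodcCompromiseResponse {
    # There is no way to erase a cached password (see above), so for a
    # compromised RODC every cached user account is reset from the hub; the
    # RODC itself is then rebuilt. Machine accounts are listed for separate
    # handling because their passwords are reset from the machine, not here.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $Rodc)

    $hubDc    = (Get-ADDomain).PDCEmulator   # a writable DC in the hub site
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    foreach ($acct in $revealed) {
        if ($acct.ObjectClass -ne 'user') {
            Write-Warning "Non-user account cached on ${Rodc}; reset separately: $($acct.DistinguishedName)"
            continue
        }
        # 24 CSPRNG bytes, base64-encoded, as a throwaway password; the user
        # must change it at next logon.
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        if ($PSCmdlet.ShouldProcess($acct.DistinguishedName, 'Reset cached password at hub DC')) {
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $newPw -Server $hubDc
            Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true -Server $hubDc
        }
    }
}

function Get-RodcKrbtgtAccount {
    # Same information as the repadmin /showattr query above: each RODC's own
    # krbtgt account, read from msDS-KrbTgtLink on the RODC computer object.
    Get-ADDomainController -Filter 'IsReadOnly -eq $true' | ForEach-Object {
        $obj = Get-ADComputer -Identity $_.ComputerObjectDN -Properties 'msDS-KrbTgtLink'
        [pscustomobject]@{ Rodc = $_.HostName; KrbtgtAccount = $obj.'msDS-KrbTgtLink' }
    }
}

# Usage (RODC01 is a placeholder name):
#   Get-RodcPrpAudit -Rodc 'RODC01'
#   Invoke-RodcCompromiseResponse -Rodc 'RODC01' -WhatIf
#   Get-RodcKrbtgtAccount
```

The audit's CachedPrivileged field is the one to review first: the page's point that the Denied List defaults protect RODCs deployed with default settings only holds while nobody has widened the Allowed List, and msDS-RevealedList is where that drift shows up.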

How does the client DNS update referral mechanism work?


Because the DNS server that runs on an RODC cannot directly register client
updates, it has to refer the client to a DNS server that hosts a primary or
Active Directory-integrated copy of the zone file. This server is sometimes
referred to as a “writable DNS server.” When a client presents a Find
Authoritative Query, which is the precursor to an update request, the DNS
server on the RODC uses the domain controller Locator to find domain
controllers in the closest site.
The RODC then compares the list of domain controllers that is returned with
the list of name server (NS) resource records that it has. The RODC returns
to the client the NS resource record of a writable DNS server that the client
can use to perform the update. The client can then perform its update.
If no domain controller in the closest site matches an entry in the list of NS
records for the zone, the RODC attempts to discover any domain controller
in the forest that matches an entry in the list.
Suppose that a new client is introduced to a site that has a DNS server
running only on an RODC. In this case, the RODC DNS server tries to
replicate the DNS record that the client has tried to update on the writable
DNS server. This occurs approximately five minutes after the RODC provides
a response to the original Find Authoritative Query.
If the DNS client on the RODC attempts a DNS update, a writable domain
controller running Windows Server 2008 is returned so that the RODC can
perform the update.
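The referral decision described above, as an added example that is not part of the original FAQ: the RODC DNS server intersects the DC Locator's result with the zone's NS records, trying the closest site first and then the whole forest. The host names, site lists and NS records are constructed sample data and the function name is hypothetical.

```python
# Added example, not from the page: models how the RODC DNS server picks the
# writable DNS server it refers an updating client to. All names are constructed.


def choose_writable_dns(closest_site_dcs, forest_dcs, zone_ns_records):
    """Return the NS host the RODC hands back to the client, or None.

    closest_site_dcs: DC host names the DC Locator returned for the closest site.
    forest_dcs:       DC host names for the whole forest (fallback search).
    zone_ns_records:  host names taken from the zone's NS resource records.
    """
    # NS records carry FQDNs with a trailing dot; normalise both sides.
    ns_hosts = {name.lower().rstrip(".") for name in zone_ns_records}

    def first_match(candidates):
        for dc in candidates:
            if dc.lower().rstrip(".") in ns_hosts:
                return dc
        return None

    # Step 1: a domain controller in the closest site that is an NS for the zone.
    match = first_match(closest_site_dcs)
    if match is not None:
        return match
    # Step 2: no match in the closest site, so look at every DC in the forest.
    return first_match(forest_dcs)


# Constructed sample data: the branch site holds only the RODC, which has no NS
# record because it cannot accept updates; the hub site hosts writable DNS.
ZONE_NS = ["hub-dc1.corp.example.", "hub-dc2.corp.example."]
BRANCH_SITE_DCS = ["branch-rodc1.corp.example"]
FOREST_DCS = [
    "branch-rodc1.corp.example",
    "hub-dc1.corp.example",
    "hub-dc2.corp.example",
]

if __name__ == "__main__":
    # The branch client is referred to hub-dc1 via the forest-wide fallback.
    print(choose_writable_dns(BRANCH_SITE_DCS, FOREST_DCS, ZONE_NS))
```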

Why doesn’t the KCC on writable domain controllers try to build connections from an RODC?

To build the replication topology, the Knowledge Consistency Checker (KCC)
examines the following:

 All the sites that contain domain controllers
 The directory partitions that each domain controller holds
 The cost that is associated with the site links to build a least-cost
spanning tree

The KCC determines if there is a domain controller in a site by querying
AD DS for objects of the NTDS-DSA category—the objectcategory
attribute value of the NTDS Settings object. The NTDS Settings objects for
RODCs do not have this object category. Instead, they support a new
objectcategory value named NTDS-DSA-RO.

As a result, the KCCs on writable domain controllers never consider an
RODC as part of the replication topology. This is because the NTDS Settings
objects are not returned in the query.
However, the KCC on an RODC also needs to consider the local domain
controller (itself) to be part of the replication topology to build inbound
connection objects. This is achieved by a minor logic change to the
algorithm that the KCC uses on all domain controllers running Windows
Server 2008 that forces it to add the NTDS Settings object of the local
domain controller to the list of potential domain controllers in the topology.
This makes it possible for the KCC on an RODC to add itself to the topology.
However, the KCC on an RODC does not add any other RODCs to the list of
domain controllers that it generates.
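The candidate filter described above, as an added example that is not the page's own code or Microsoft's KCC implementation: objects of category NTDS-DSA are kept, NTDS-DSA-RO objects are dropped, and the local domain controller is always added back. The DNs and the function name are constructed.

```python
# Added example, not from the page or from Microsoft's KCC implementation:
# models which NTDS Settings objects a KCC treats as topology members.

NTDS_DSA = "NTDS-DSA"        # objectCategory of NTDS Settings on writable DCs
NTDS_DSA_RO = "NTDS-DSA-RO"  # objectCategory of NTDS Settings on RODCs


def kcc_topology_candidates(ntds_settings, local_dn):
    """DNs the KCC running on local_dn considers when building the topology.

    ntds_settings: list of (dn, objectCategory) pairs for every NTDS Settings
                   object in the forest.
    local_dn:      DN of the NTDS Settings object of the DC running this KCC.
    """
    by_dn = dict(ntds_settings)
    # The KCC queries AD DS for objectCategory=NTDS-DSA only, so every RODC
    # (category NTDS-DSA-RO) drops out of the result.
    candidates = {dn for dn, category in by_dn.items() if category == NTDS_DSA}
    # Windows Server 2008 logic change: the local DC is always added, so a KCC
    # running on an RODC can build inbound connection objects for itself.
    # Other RODCs are still never added.
    if local_dn in by_dn:
        candidates.add(local_dn)
    return sorted(candidates)


# Constructed sample forest: two writable hub DCs and two RODCs in branch sites.
SAMPLE_NTDS = [
    ("CN=NTDS Settings,CN=HUB-DC1", NTDS_DSA),
    ("CN=NTDS Settings,CN=HUB-DC2", NTDS_DSA),
    ("CN=NTDS Settings,CN=BRANCH-RODC1", NTDS_DSA_RO),
    ("CN=NTDS Settings,CN=BRANCH-RODC2", NTDS_DSA_RO),
]

if __name__ == "__main__":
    # KCC on a writable DC: sees only the two writable DCs.
    print(kcc_topology_candidates(SAMPLE_NTDS, "CN=NTDS Settings,CN=HUB-DC1"))
    # KCC on BRANCH-RODC1: sees the writable DCs plus itself, never BRANCH-RODC2.
    print(kcc_topology_candidates(SAMPLE_NTDS, "CN=NTDS Settings,CN=BRANCH-RODC1"))
```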

How does the KCC build inbound connections locally on an RODC when the RODC is supposed to be read-only?

An RODC is completely read-only from the perspective of external clients,
but it can internally originate changes for a limited set of objects. It permits
replicated write operations and a limited set of originating write operations.

Both the KCC and the replication engine are special “writers” on an RODC.
The replication engine performs replicated write operations on an RODC in
exactly the same way as it does on the read-only partitions of a global
catalog server that runs Windows Server 2003. The KCC is permitted to
perform originating write operations of the objects that are required to
perform Active Directory replication, such as connection objects.

Why does an RODC have two inbound connection objects?

This is because File Replication Service (FRS) requires its own pair of
connection objects in order to function correctly. In previous versions of
Windows Server, FRS was able to utilize the existing connection objects
between two domain controllers to support its replication of SYSVOL
content.

However, because an RODC only performs inbound replication of Active
Directory data, a reciprocal connection object on the writable replication
partner is not needed.
Consequently, the Active Directory Domain Services Installation Wizard
generates a special pair of connection objects to support FRS replication of
SYSVOL when you install an RODC. The FRS connection objects are not
required by DFS Replication.

How does RODC connection failover work?

If the bridgehead replication partner of an RODC becomes unavailable, the
KCC on the RODC builds a connection to another partner. By default, this
happens after about two hours, which is the same for a writable domain
controller. However, the FRS connection object on an RODC must use the
same target as the connection object that the KCC generates on the RODC
for Active Directory replication. To achieve this, the fromServer value on
the two connections is synchronized.
However, the trigger for changing the fromServer value on the FRS
connection object is not the creation of the new connection; instead, it is
the removal of the old connection. The removal step happens some hours
after the new connection object is created. Consequently, the fromServer
value continues to reference the original partner until the old connection is
removed by the KCC.
A side effect of this is that while Active Directory replication works
successfully against the new partner, FRS replication fails during this period.
The additional delay is by design—it avoids causing FRS to perform an
expensive VVJoin operation against the new partner, which is unnecessary if
the outage of the original partner is only temporary.

How can an administrator delete a connection object locally on an RODC?

The KCC on an RODC will build inbound connection objects for Active
Directory replication. These objects cannot be seen on other writable
domain controllers because they are not replicated from the RODC.

You cannot use the Active Directory Sites and Services snap-in to remove
these connection objects, but you can use Ldp.exe or Adsiedit.msc. The KCC
on the RODC will then rebuild a connection. This way, you can trigger
redistribution of connection objects across a set of RODCs that have site
links to a single hub site that has multiple bridgehead servers.

How can an administrator trigger replication to an RODC?

You can use the following methods:

1. By running the repadmin /replicate or repadmin /syncall operations.
2. By using the Active Directory Sites and Services snap-in. In this case, you
can right-click the connection object and click Replicate Now.
3. You can use Active Directory Sites and Services on a writable domain
controller to create an inbound replication connection object on any
domain controller, including an RODC, even if no inbound connection
exists on the domain controller. This is similar to running a repadmin
/add operation.

How are writable directory partitions differentiated from read-only directory partitions?

This comes from an attribute on the directory partition head called
instancetype. This is a bit mask. If bit 3 (0x4) is set, the directory
partition is writable. If the bit is not set, the directory partition is read only.
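Decoding that bit mask, as an added example that is not part of the original FAQ: the writable test is the 0x4 bit, and the other flag names follow the public documentation of the instanceType attribute. The sample values and the function names are constructed.

```python
# Added example, not from the page: decodes the instanceType bit mask found on
# a directory partition head. Sample values below are constructed.

INSTANCE_TYPE_FLAGS = {
    0x01: "IS_NC_HEAD",       # object is the head of a naming context
    0x02: "UNINSTANT",        # replica is not instantiated
    0x04: "NC_IS_WRITEABLE",  # bit 3 (0x4) in the answer above: partition is writable
    0x08: "NC_ABOVE",         # the parent naming context is also held locally
    0x10: "NC_COMING",        # naming context is being added
    0x20: "NC_GOING",         # naming context is being removed
}


def is_writable_partition(instance_type):
    """True when the 0x4 bit is set, i.e. the partition head is writable."""
    return bool(instance_type & 0x04)


def decode_instance_type(instance_type):
    """Return (writable, flag names). Unknown bits are reported, not dropped."""
    names = [name for bit, name in INSTANCE_TYPE_FLAGS.items() if instance_type & bit]
    known_mask = 0
    for bit in INSTANCE_TYPE_FLAGS:
        known_mask |= bit
    unknown = instance_type & ~known_mask
    if unknown:
        names.append(f"UNKNOWN_{unknown:#x}")
    return is_writable_partition(instance_type), names


# Constructed samples: the same domain partition head as stored on a writable
# DC and on an RODC, plus a child domain head on a DC that also holds the parent.
SAMPLES = {
    "domain NC on writable DC": 0x05,
    "domain NC on RODC": 0x01,
    "child domain NC, parent held too": 0x0D,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        writable, flags = decode_instance_type(value)
        print(f"{label}: instanceType={value:#x} writable={writable} flags={flags}")
```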

Why can an RODC only replicate the domain directory partition from
a domain controller running Windows Server 2008 in the same
domain?
This is how the filtering of secrets is enforced during inbound replication to
an RODC. A domain controller running Windows Server 2008 is programmed
not to send secret material to an RODC during replication, unless the
Password Replication Policy permits it. Because a domain controller running
Windows Server 2003 has no concept of the Password Replication Policy, it
sends all secrets, regardless of whether they are permitted.
