What is Active Directory ? Active Directory is a Meta Data.

Active Directory is a data base which store a data base like your user information, computer information and also other network object info. It has capabilities to manage and administor the complite Network which connect with AD. What is domain ? Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The 'domain' is simply your computer address not to confused with an URL. A domain address might look something like 211.170.469. What is domain controller ? A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination. What is LDAP ? Lightweight Directory Access Protocol LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2. What is KCC ? KCC ( knowledge consistency checker ) is used to generate replication topology for inter site replication and for intrasite replication.with in a site replication traffic is done via remote procedure calls over ip, while between site it is done through either RPC or SMTP. Where is the AD database held? What other folders are related to AD? The AD data base is store in c:\windows\ntds\NTDS.DIT. What is the SYSVOL folder? The sysVOL folder stores the server's copy of the domain's public files. The contents such as group policy, users etc of the sysvol folder are replicated to all domain controllers in the domain. What are the Windows Server 2003 keyboard shortcuts ? Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog box. Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel with Search for Computers module selected. Winkey + F1 opens Help. Winkey + M minimizes all. Winkey + SHIFT+ M undoes minimization. Winkey + R opens Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003 ? The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

I am trying to create a new universal user group. Why cant I ? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory. What is LSDOU ? Its group policy inheritance model, where the policies are applied toLocal machines, Sites, Domains and Organizational Units. Why doesnt LSDOU work under Windows NT ? If the NTConfig.pol file exist, it has the highest priority among the numerous policies. Whats the number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that its the Administrator account, not any account thats part of the Administrators group. Whats the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003. How many passwords by default are remembered when you check "Enforce Password History Remembered"? Users last 6 passwords. Can GC Server and Infrastructure place in single server If not explain why ? No, As Infrastructure master does the same job as the GC. It does not work together. Which is service in your windows is responsible for replication of Domain controller to another domain controller. KCC generates the replication topology. Use SMTP / RPC to replicate changes. What Intrasite and Intersite Replication ? Intrasite is the replication with in the same site & intersite the replication between sites. What is lost & found folder in ADS ? Its the folder where you can find the objects missed due to conflict. Ex: you created a user in OU which is deleted in other DC & when replication happed ADS didnt find the OU then it will put that in Lost & Found Folder. What is Garbage collection ? Garbage collection is the process of the online defragmentation of active directory. It happens every 12 Hours. What System State data contains ? Contains Startup files, Registry Com + Registration Database Memory Page file System files AD information Cluster Service information SYSVOL Folder

Windows Active Directory Interview Questions !

What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference in 2000 Group Polices and 2003 Group Polices? What is meant by ADS and ADS services in Windows 2003? Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy - you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference. ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured servers in large-scale enterprise environments. You can get more information from the ADS homepage. I want to setup a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone 'name.org' can I name the AD domain 'name.org' too? Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself install DNS on your server in the background. How do I determine if user accounts have local administrative access? You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong. Why am I having trouble printing with XP domain users? In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients' wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie. What is the ISTG? Who has that role by default? Windows 2000 Domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the intersite replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG). What is difference between Server 2003 vs 2008? 1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine.)

2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server) 3. Better security. 4. Role-based installation. 5. Read Only Domain Controllers (RODC). 6. Enhanced terminal services. 7. Network Access Protection - Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies. 8. PowerShell - Microsoft's command line shell and scripting language has proved popular with some server administrators. 9. IIS 7 . 10. Bitlocker - System drive encryption can be a sensible security measure for servers located in remote branch offices. >br> The main difference between 2003 and 2008 is Virtualization, management. 2008 has more in-build components and updated third party drivers. 11. Windows Aero. What are the requirements for installing AD on a new server? 1 The Domain structure. 2 The Domain Name . 3 storage location of the database and log file. 4 Location of the shared system volume folder. 5 DNS config Methode. 6 DNS configuration. What is LDP? LDP : Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.

Windows Active Directory Interview Questions !

What are the Groups types available in active directory ? Security groups: Use Security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups. Distribution groups: Distribution groups are used for sending e-main messages to groups of users. You cannot grant permissions to security groups. Even though security groups have all the capabilities of distribution groups, distribution groups still requires, because some applications can only read distribution groups. Explain about the groups scope in AD ? Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional level of domains and forests. Domain local group memberships are not limited as you can add members as user accounts, universal and global groups from any domain. Just to remember, nesting cannot

be done in domain local group. A domain local group will not be a member of another Domain Local or any other groups in the same domain. Global Group: Users with similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in local or another domain in same forest. To say in simple words, Global groups can be use to grant permissions to gain access to resources which are located in any domain but in a single forest as their memberships are limited. User accounts and global groups can be added only from the domain in which global group is created. Nesting is possible in Global groups within other groups as you can add a global group into another global group from any domain. Finally to provide permission to domain specific resources (like printers and published folder), they can be members of a Domain Local group. Global groups exist in all mixed, native and interim functional level of domains and forests. Universal Group Scope: These groups are precisely used for email distribution and can be granted access to resources in all trusted domain as these groups can only be used as a security principal (security group type) in a windows 2000 native or windows server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of universal group. Universal groups can be nested under a global or Domain Local group in any domain. What is REPLMON ? The Microsoft definition of the Replmon tool is as follows; This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication. What is ADSIEDIT ? ADSIEDIT :ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects with a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT. What is NETDOM ? NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels. What is REPADMIN? This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors. How to take backup of AD ? For taking backup of active directory you have to do this : first go START ->

PROGRAM ->ACCESORIES -> SYSTEM TOOLS -> BACKUP OR Open run window and ntbackup and take systemstate backup when the backup screen is flash then take the backup of SYSTEM STATE it will take the backup of all the necessary information about the syatem including AD backup , DNS ETC. What are the DS* commands ? The following DS commands: the DS family built in utility . DSmod - modify Active Directory attributes. DSrm - to delete Active Directory objects. DSmove - to relocate objects DSadd - create new accounts DSquery - to find objects that match your query attributes. DSget - list the properties of an object What are the requirements for installing AD on a new server? An NTFS partition with enough free space. An Administrator's username and password. The correct operating system version. A NIC Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway). A network connection (to a hub or to another computer via a crossover cable) . An operational DNS server (which can be installed on the DC itself) . A Domain name that you want to use . The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder) .

Windows Active directory Interview Questions !

Explain about Trust in AD ? To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or nonAD domains. Trusts in Windows 2000 (native mode) One-way trust One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain. Two-way trust Two domains allow access to users on both domains. Trusting domain The domain that allows access to users from a trusted domain. Trusted domain The domain that is trusted; whose users have access to the trusting domain. Transitive trust A trust that can extend beyond two domains to other trusted domains in the forest. Intransitive trust A one way trust that does not extend beyond two domains. Explicit trust A trust that an admin creates. It is not transitive and is one way only. Cross-link trust An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two

domains. Windows 2000 Server supports the following types of trusts: Two-way transitive trusts. One-way intransitive trusts. Additional trusts can be created by administrators. These trusts can be: Shortcut Windows Server 2003 offers a new trust type the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the domains in the forests that are trusted. Forest trusts, however, are not transitive. Difference between LDIFDE and CSVDE? CSVDE is a command that can be used to import and export objects to and from the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go to length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info. LDIFDE is a command that can be used to import and export objects to and from the AD into a LDIF-formatted file. A LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor, however it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects. What is tombstone lifetime attribute ? The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NIC. What are application partitions? When do I use them ? AN application diretcory partition is a directory partition that is replicated only to specific domain controller.Only domain controller running windows Server 2003 can host a replica of application directory partition. Using an application directory partition provides redundany,availability or fault tolerance by replicating data to specific domain controller pr any set of domain controllers anywhere in the forest. How do you create a new application partition ? Use the DnsCmd command to create an application directory partition. To do this, use the following syntax: DnsCmd ServerName /CreateDirectoryPartition FQDN of partition How do you view all the GCs in the forest? C:\>repadmin /showreps domain_controller where domain_controller is the DC you want to query to determine whether it?s a GC. The output will include the text DSA Options: IS_GC if the DC is a GC.

Can you connect Active Directory to other 3rd-party Directory Services? Name a few options. Yes, you can use dirXML or LDAP to connect to other directories. In Novell you can use E-directory. What is IPSec Policy IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec Policy can be deployed via Group policy to the Windows Domain controllers 7 Servers. What are the different types of Terminal Services ? User Mode & Application Mode. What is RsOP RsOP is the resultant set of policy applied on the object (Group Policy). What is the System Startup process ? Windows 2K boot process on a Intel architecture. 1. Power-On Self Tests (POST) are run. 2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run. 3. The active partition is located, and the boot sector is loaded. 4. The Windows 2000 loader (NTLDR) is then loaded. The boot sequence executes the following steps: 1. The Windows 2000 loader switches the processor to the 32-bit flat memory model. 2. The Windows 2000 loader starts a mini-file system. 3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu). 4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control. 5. NTDETECT.COM scans the hardware installed in the computer, and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE_HARDWARE hive. 6. NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware information collected by NTDETECT.COM. Windows NT enters the Windows load phases.

Latest Windows Active Directory Interview Questions !

How do you change the DS Restore admin password ? In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Restore mode, then use either the Microsoft Management Console (MMC) Local User and Groups snap-in or the command net user administrator * to change the Administrator password. Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Service Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility?s scripting options.) In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password. To do so, follow these steps: 1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe). 2. Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument ?set dsrm password? at the ntdsutil prompt: ntdsutil: set dsrm password. 3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server testing, enter the following argument at the Reset DSRM Administrator Password prompt: Reset DSRM Administrator Password: reset password on server testing To reset the password on the local machine, specify null as the server name: Reset DSRM Administrator Password: reset password on server null 4. You?ll be prompted twice to enter the new password. You?ll see the following messages: 5. Please type password for DS Restore Mode Administrator Account: 6. Please confirm new password: Password has been set successfully. 7. Exit the password-reset utility by typing ?quit? at the following prompts: 8. Reset DSRM Administrator Password: quit ntdsutil: quit

I am upgrading from NT to 2003. The only things that are NT are the PDC and BDCs; everything else is 2000 or 2003 member servers. My question is, when I upgrade my NT domain controllers to 2003, will I need to do anything else to my Windows 2000/2003 member servers that were in the NT domain? Your existing member servers, regardless of operating system, will simply become member servers in your upgraded AD domain. If you will be using Organizational Units and Group Policy (and I hope you are), you'll probably want to move them to a specific OU for administration and policy application, since they'll be in the default "Computers" container immediately following the upgrade. How do I use Registry keys to remove a user from a group? In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr

switch to remove a group member from the command line. You should also look into the freeware utilities available from www.joeware.net . ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory. Why are my NT4 clients failing to connect to the Windows 2000 domain? Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server.

Windows Active directory Interview Questions !

How to add your first Windows 2003 DC to an existing Windows 2000 domain ? The first step is to install Windows 2003 on your new DC. This is a straighforward process, so we aren?t going to discuss that here. Because significant changes have been made to the Active Directory schema in Windows 2003, we need to make our Windows 2000 Active Directory compatible with the new version. If you already have Windows 2003 DCs running with Windows 2000 DCs, then you can skip down to the part about DNS. Before you attempt this step, you should make sure that you have service pack 4 installed on your Windows 2000 DC. Next, make sure that you are logged in as a user that is a member of the Schema Admin and Enterprise Admin groups. Next, insert the Windows 2003 Server installation CD into the Windows 2000 Server. Bring up a command line and change directories to the I386 directory on the installation CD. At the command prompt, type: Code : adprep /forestprep After running this command, make sure that the updates have been replicated to all existing Windows 2000 DCs in the forest. Next, we need to run the following command: Code : adprep /domainprep The above command must be run on the Infrastructure Master of the domain by someone who is a member of the Domain Admins group. Once this is complete, we move back to the Windows 2003 Server. Click ?start? then ?run? - type in dcpromo and click OK. During the ensuing wizard, make sure that you select that you are adding this DC to an existing domain. After this process is complete, the server will reboot. When it comes back online, check and make sure that the AD database has been replicated to your new server. Next, you will want to check and make sure that DNS was installed on your new server. If not, go to the control panel, click on ?Add or Remove Programs?, and click the ?Add/Remove Windows Components? button. In the Windows Components screen, click on ?Networking Services? and click the details button.

In the new window check ?Domain Name System (DNS)? and then click the OK button. Click ?Next? in the Windows Components screen. This will install DNS and the server will reboot. After reboot, pull up the DNS Management window and make sure that your DNS settings have replicated from the Windows 2000 Server. You will need to re-enter any forwarders or other properties you had set up, but the DNS records should replicate on their own. The next 2 items, global catalog and FSMO roles, are important if you plan on decomissioning your Windows 2000 server(s). If this is the case, you need to tansfer the global catalog from the old server to the new one.

First, let?s create a global catalog on our new server. Here are the steps: 1. On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click ?Start?, point to ?Programs?, point to ?Administrative Tools?, and then click ?Active Directory Sites and Services?. 2. In the console tree, double-click ?Sites?, and then double-click ?sitename?. 3. Double-click ?Servers?, click your domain controller, right-click ?NTDS Settings?, and then click ?Properties?. 4. On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server. 5. Restart the domain controller. Make sure you allow sufficient time for the account and the schema information to replicate to the new global catalog server before you remove the global catalog from the original DC or take the DC offline. After this is complete, you will want to transfer or seize the FSMO roles for your new server. For instructions, read Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller. After this step is complete, we can now run DCPROMO on the Windows 2000 Servers in order to demote them. Once this is complete, copy over any files you need to your new server and you should have successfully replaced your Windows 2000 server(s) with a new Windows 2003 server.

Windows Active directory Interview Questions !

How do you view replication properties for AD partitions and DCs? By using replication monitor go to start > run > type repadmin go to start > run > type replmon

Why can't you restore a DC that was backed up 4 months ago? Because of the tombstone life which is set to only 60 days. Different modes of AD restore ? A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller. An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. In this one needs to stop the inbound replication first before performing the An authoritative restore. How do you configure a stand-by operation master for any of the roles? # Open Active Directory Sites and Services. # Expand the site name in which the standby operations master is located to display the Servers folder. # Expand the Servers folder to see a list of the servers in that site. # Expand the name of the server that you want to be the standby operations master to display its NTDS Settings. # Right-click NTDS Settings, click New, and then click Connection. # In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK. # In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.

What's the difference between transferring a FSMO role and seizing ? Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available. If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role Seize and then bring the previous holder back online, you'll have a problem. An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder I want to look at the RID allocation table for a DC. What do I do? dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC) What is BridgeHead Server in AD ? A bridgehead server is a domain controller in each site, which is used as a contact point to receive and replicate data between sites. For intersite replication, KCC designates one of the domain controllers as a bridgehead server. In case the server is down, KCC designates another one from the domain controller. When a bridgehead server receives

replication updates from another site, it replicates the data to the other domain controllers within its site.

Windows Active directory Interview Questions !

What is the default size of ntds.dit ? 10 MB in Server 2000 and 12 MB in Server 2003 . Where is the AD database held and What are other folders related to AD ? AD Database is saved in %systemroot%/ntds. You can see other files also in this folder. These are the main files controlling the AD structure. ntds.dit edb.log res1.log res2.log edb.chk When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database. During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in\NTDS, along with the other files we've discussed What FSMO placement considerations do you know of ? Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement.

In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD? If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you'll find in the Components\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later). Here's a sample execution of the Adprep /forestprep command: D:\CMPNENTS\R2\ADPREP>adprep /forestprep ADPREP WARNING: Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later). QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption. [User Action] If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENT ER to quit. C Opened Connection to SAV DALDC01 SSPI Bind succeeded Current Schema Version is 30 Upgrading schema to version 31 Connecting to "SAVDALDC01" Logging in as current user using SSPI Importing directory from file "C:\WINDOWS\system32\sch31.ldf" Loading entries... 139 entries modified successfully. The command has completed successfully Adprep successfully updated the forest-wide information. After running Adprep, install R2 by performing these steps: 1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figureshows. 2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next. 3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key. 4. You'll see the setup summary screen which confirms the actions to be performed (e.g.,

Copy files). Click Next. 5. After the installation is complete, you'll see a confirmation dialog box. Click Finish What is OU ? Organization Unit is a container object in which you can keep objects such as user accounts, groups, computer, printer . applications and other (OU). In organization unit you can assign specific permission to the user's. organization unit can also be used to create departmental limitation. Name some OU design considerations ? OU design requires balancing requirements for delegating administrative rights independent of Group Policy needs - and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues: Applying Group Policy An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. Delegating administrative authority usually don't go more than 3 OU levels

Windows Active directory Interview Questions !

What is sites ? What are they used for ? One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network. A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets. Sites can be used to Assign Group Policy Objects, facilitate the discovery of resources, manage active directory replication, and manage network link traffic. Sites can be linked to other Sites. Site-linked objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule. Trying to look at the Schema, how can I do that ? register schmmgmt.dll using this command c:\windows\system32>regsvr32 schmmgmt.dll Open mmc --> add snapin --> add Active directory schema name it as schema.msc Open administrative tool --> schema.msc

What is the port no of Kerbrose ? 88 What is the port no of Global catalog ? 3268

What is the port no of LDAP ? 389 Explain Active Directory Schema ? Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called "Schema". The Schema is defines as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on. These objects are also known as "Classes". The Active Directory Schema can be dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.

Windows Active directory Interview Questions !

How can you forcibly remove AD from a server, and what do you do later? ? Can I get user passwords from the AD database? Dcpromo /forceremoval , an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server then After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command. In the event that the NTDS Settings object is not removed correctly you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tool: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers What are the FSMO roles? Who has them by default? What happens when each one fails? Flexible Single Master Operation (FSMO) role. Currently there are five FSMO roles: Schema master Domain naming master RID master PDC emulator Infrastructure master

What is domain tree ? Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees.

Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree. What is forests ? A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses. How to Select the Appropriate Restore Method ? You select the appropriate restore method by considering: Circumstances and characteristics of the failure. The two major categories of failure, From an Active Directory perspective, are Active Directory data corruption and hardware failure. Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers.

Windows Active directory Interview Questions !

Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003? The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

What is Global Catalog? The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.

How long does it take for security changes to be replicated among the domain controllers? Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

When should you create a forest? Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS

identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

Describe the process of working with an external domain name ? If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for their external namespace uses the name corp.internal for their internal namespace. The advantage to this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users because the namespaces do not reflect a relationship between resources within and outside of your network. In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.

Windows Server 2003 Active Directory and Security questions

By admin | December 7, 2003 1. Whats the difference between local, global and universal groups? Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains. 2. I am trying to create a new universal user group. Why cant I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory. 3. What is LSDOU? Its group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units. 4. Why doesnt LSDOU work under Windows NT? If the NTConfig.pol file exist, it has the highest priority among the numerous policies. 5. Where are group policies stored? %SystemRoot%System32\GroupPolicy 6. What is GPT and GPC? Group policy template and group policy container. 7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID 8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority. 9. You want to set up remote installation procedure, but do not want the user to gain access over it. What do you do? gponame> User Configuration> Windows Settings> Remote Installation Services> Choice Options is your friend. 10. Whats contained in administrative template conf.adm? Microsoft NetMeeting policies 11. How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies. 12. You need to automatically install an app, but MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer. 13. Whats the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files. 14. What can be restricted on Windows Server 2003 that wasnt there in previous products? Group Policy in Windows Server 2003 determines a users right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters. 15. How frequently is the client policy refreshed? 90 minutes give or take. 16. Where is secedit? Its now gpupdate. 17. You want to create a new group policy but do not wish to inherit. Make sure you check Block inheritance among the options when creating the policy. 18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry. 19. How do you fight tattooing in NT/2000 installations? You cant.

20. How do you fight tattooing in 2003 installations? User Configuration Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only. 21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline. 22. Whats the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files. 23. How do FAT and NTFS differ in approach to user shares? They dont, both have support for sharing. 24. Explan the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission. 25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it? It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user cant drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into Run window. 26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive, if at least one group has Allow permission for the file/folder, user will have the same permission. 27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive, if at least one group has Deny permission for the file/folder, user will be denied access, regardless of other group permissions. 28. What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL. 29. Whats the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders. 30. Were using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC path, not client, only 2000 and 2003 clients can access Server 2003 fault-tolerant shares. 31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In Partition Knowledge Table, which is then replicated to other domain controllers. 32. Can you use Start->Search with DFS shares? Yes. 33. What problems can you have with DFS installed? Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS. 34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you cant. Install a standalone one. 35. Is Kerberos encryption symmetric or asymmetric? Symmetric.

36. How does Windows 2003 Server try to prevent a middle-man attack on encrypted line? Time stamp is attached to the initial client request, encrypted with the shared key. 37. What hashing algorithms are used in Windows 2003 Server? RSA Data Securitys Message Digest 5 (MD5), produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), produces a 160-bit hash. 38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with thirdparty certificate authorities. 39. Whats the number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that its the Administrator account, not any account thats part of the Administrators group. 40. If hashing is one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1? A cracker would launch a dictionary attack by hashing every imaginable term used for password and then compare the hashes. 41. Whats the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003. 42. How many passwords by default are remembered when you check "Enforce Password History Remembered"? Users last 6 passwords.

Edited & Maintained by SYED JAHANZAIB / aacable@hotmail.com

What is Active Directory?

An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996. It was first used with Windows 2000. An active directory (sometimes referred to as an AD) does a variety of functions including the ability to rovide information on objects, helps organize these objects for easy retrieval and access, allows access by end users and administrators and allows the administrator to set security up for the directory. Active Directory is a hierarchical collection of network resources that can contain users, computers, printers, and other Active Directories. Active Directory Services (ADS) allow administrators to handle and maintain all network resources from a single location . Active Directory stores information and settings in a central database

What is LDAP?

The Lightweight Directory Access Protocol, or LDAP , is an application protocol for querying and modifying directory services running over TCP/IP. Although not yet widely implemented, LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain directory information, such as email addresses and public keys. Because LDAP is an open protocol, applications need not worry about the type of server hosting the directory.

Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.

-Yes you can connect other vendors Directory Services with Microsofts version. -Yes, you can use dirXML or LDAP to connect to other directories (ie. E-directory from Novell or NDS (Novel directory System). -Yes you can Connect Active Directory to other 3rd -party Directory Services such as dictonaries used by SAP, Domino etc with the help of MIIS ( Microsoft Identity Integration Server )

Where is the AD database held? What other folders are related to AD?

AD Database is saved in %systemroot%/ntds. You can see other files also in this folder. These are the main files controlling the AD structure ntds.dit edb.log res1.log res2.log edb.chk When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database. During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a shutdown statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesnt exist on reboot or the shutdown statement isnt present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in\NTDS, along with the other files weve discussed

What is the SYSVOL folder?

- All active directory data base security related information store in SYSVOL folder and its only created on NTFS partition.

- The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest. This is a quote from microsoft themselves, basically the domain controller info stored in files like your group policy stuff is replicated through this folder structure

Name the AD NCs and replication issues for each NC

*Schema NC, *Configuration NC, Domain NC Schema NC This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory. Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas. Domain NC This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.

What are application partitions? When do I use them

Application directory partitions: These are specific to Windows Server 2003 domains. An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only Domain controllers running Windows Server 2003 can host a replica of an application directory partition.

How do you create a new application partition

http://wiki.answers.com/Q/How_do_you_create_a_new_application_partition

How do you view replication properties for AD partitions and DCs?

By using replication monitor go to start > run > type replmon

What is the Global Catalog?

The global catalog contains a complete replica of all objects in Active Directory for its Host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are

directed to the global catalog are faster because they do not involve referrals to different domain controllers. In addition to configuration and schema directory partition replicas, every domain controller in a Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

How do you view all the GCs in the forest?

C:\>repadmin/showreps domain_controller OR You can use Replmon.exe for the same purpose. OR AD Sites and Services and nslookup gc._msdcs.%USERDNSDOMAIN%

Why not make all DCs in a large forest as GCs?

The reason that all DCs are not GCs to start is that in large (or even Giant) forests the DCs would all have to hold a reference to every object in the entire forest which could be quite large and quite a replication burden. For a few hundred, or a few thousand users even, this not likely to matter unless you have really poor WAN lines.

Trying to look at the Schema, how can I do that?

adsiedit.exe option to view the schema register schmmgmt.dll using this command c:\windows\system32>regsvr32 schmmgmt.dll Open mmc > add snapin > add Active directory schema name it as schema.msc

Open administrative tool > schema.msc

What are the Support Tools? Why do I need them?

Support Tools are the tools that are used for performing the complicated tasks easily. These can also be the third party tools. Some of the Support tools include DebugViewer, DependencyViewer, RegistryMonitor, etc. -edit by Casquehead I beleive this question is reffering to the Windows Server 2003 Support Tools, which are included with Microsoft Windows Server 2003 Service Pack 2. They are also available for download here: http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D939B-A772EA2DF90&displaylang=en You need them because you cannot properly manage an Active Directory network without them. Here they are, it would do you well to familiarize yourself with all of them. Acldiag.exe Adsiedit.msc Bitsadmin.exe Dcdiag.exe Dfsutil.exe Dnslint.exe Dsacls.exe Iadstools.dll Ktpass.exe Ldp.exe Netdiag.exe Netdom.exe Ntfrsutl.exe Portqry.exe Repadmin.exe Replmon.exe Setspn.exe > What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN? ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects with a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.MSC Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) is necessary

A: Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its command line counterparts. The purpose of this document is to guide you in how to use it, list some common replication errors and show some examples of when replication issues can stop other network installation actions. for more go to http://www.techtutorials.net/articles/replmon_howto_a.html NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels A: Enables administrators to manage Active Directory domains and trust relationships from the command prompt. Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. REPADMIN.EXE is a command line tool used to monitor and troubleshoot replication on a computer running Windows. This is a command line tool that allows you to view the replication topology as seen from the perspective of each domain controller. REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since Exchange Server is Active Directory based. REPADMIN doesnt actually fix replication problems for you. But, you can use it to help determine the source of a malfunction.

What are sites? What are they used for?

Active directory sites, which consist of well-connected networks defined by IP subnets that help define the physical structure of your AD, give you much better control over replication traffic and authentication traffic than the control you get with Windows NT 4.0 domains. Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites.

Whats the difference between a site links schedule and interval?

Schedule enables you to list weekdays or hours when the site link is available for replication to happen in the give interval. Interval is the re occurrence of the inter site replication in given minutes. It ranges from 15 10,080 mins. The default interval is 180 mins.

What is the KCC?

The KCC is a built-in process that runs on all domain controllers and generates replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

What is the ISTG? Who has that role by default?

Intersite Topology Generator (ISTG), which is responsible for the connections among the sites. By default Windows 2003 Forest level functionality has this role. By Default the first Server has this role. If that server can no longer preform this role then the next server with the highest GUID then takes over the role of ISTG.

What are the requirements for installing AD on a new server? An NTFS partition with enough free space (250MB minimum) An Administrators username and password The correct operating system version A NIC Properly configured TCP/IP (IP address, subnet mask and optional default gateway) A network connection (to a hub or to another computer via a crossover cable) An operational DNS server (which can be installed on the DC itself) A Domain name that you want to use The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder) From the Petri IT Knowledge base. For more info, follow this link: http://www.petri.co.il/active_directory_installation_requirements.htm

What can you do to promote a server to DC if youre in a remote location with slow WAN link?

First available in Windows 2003, you will create a copy of the system state from an existing DC and copy it to the new remote server. Run Dcpromo /adv. You will be prompted for the location of the system state files

How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?

Demote the server using dcpromo /forceremoval, then remove the metadata from Active directory using ndtsutil. There is no way to get user passwords from AD that I am aware of, but you should still be able to change them. Another way out too Restart the DC is DSRM mode a. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions b. In the right-pane, double-click ProductType. c. Type ServerNT in the Value data box, and then click OK. Restart the server in normal mode its a member server now but AD entries are still there. Promote teh server to a fake domain say ABC.com and then remove gracefully using DCpromo. Else after restart you can also use ntdsutil to do metadata as told in teh earlier post

What tool would I use to try to grab security related packets from the wire?

you must use sniffer-detecting tools to help stop the snoops. A good packet sniffer would be ethereal www.ethereal.com

Name some OU design considerations ?

OU design requires balancing requirements for delegating administrative rights independent of Group Policy needs and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues: Applying Group Policy An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. Delegating administrative authority usually dont go more than 3 OU levels

What is tombstone lifetime attribute?

The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NIC by default 2000 (60 days) 2003 (180 days)

What do you do to install a new Windows 2003 DC in a Windows 2000 AD?

If you plan to install windows 2003 server domain controllers into an existing windows 2000 domain or upgrade a windows 2000 domain controllers to windows server 2003, you first need to run the Adprep.exe utility on the windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep / forestprer command must first be issued on the windows 2000 server holding schema master role in the forest root doman to prepare the existing schema to support windows 2003 active directory. The adprep /domainprep command must be issued on the sever holding the infrastructure master role in the domain where 2000 server will be deployed.

What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

A. If youre installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If youre installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which youll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later)

How would you find all users that have not logged on since last month? http://wiki.answers.com/Q/How_would_you_find_all_users_that_have_not_logge d_on_since_last_month What are the DScommands?

New DS (Directory Service) Family of built-in command line utilities for Windows Server 2003 Active Directory New DS built-in tools for Windows Server 2003 The DS (Directory Service) group of commands are split into two families. In one branch are DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery and DSGet. When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice. The the DS family of built-in command line executables offer alternative strategies to CSVDE, LDIFDE and VBScript. Let me introduce you to the members of the DS family: DSadd add Active Directory users and groups DSmod modify Active Directory objects DSrm to delete Active Directory objects DSmove to relocate objects DSQuery to find objects that match your query attributes DSget list the properties of an object

What are the FSMO roles? Who has them by default? What happens when each one fails?

FSMO stands for the Flexible single Master Operation It has 5 Roles:

Schema Master:

The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain naming master:

The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an objects SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DCs event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DCs allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domains RID master. The domain RID master responds to the request by retrieving RIDs from the domains unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner. :: In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions: :: Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator. Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator. Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulators SYSVOL share, unless configured not to do so by the administrator. The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients. This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.

What FSMO placement considerations do you know of?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles

Whats the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?

Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders. The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:

Schema master The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command. Domain naming master The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest. RID master The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups. PDC emulator The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords. Infrastructure master The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:

An administrator reassigns the role by using a GUI administrative tool. An administrator reassigns the role by using the ntdsutil /roles command. An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

The current role holder is operational and can be accessed on the network by the new FSMO owner. You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest. The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a live domain controller. This may be required to perform operations that connect

to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles. We recommend that you seize FSMO roles in the following scenarios:

The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred. A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command. The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain that last inbound-replicated, or recently inbound-replicated a writable copy of the FSMO partition from the existing role holder. For example, the Schema master roleholder has a distinguished name path of CN=schema,CN=configuration,dc=<forest root domain>, and this mean that roles reside in and are replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds. A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.

Transfer FSMO roles

To transfer the FSMO roles by using the Ntdsutil utility, follow these steps: 1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred. 2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.

3. Type roles, and then press ENTER.Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER. 4. Type connections, and then press ENTER. 5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to. 6. At the server connections prompt, type q, and then press ENTER. 7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator. 8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these steps: 1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred. 2. Click Start, click Run, type ntdsutil in the Open box, and then click OK. 3. Type roles, and then press ENTER. 4. Type connections, and then press ENTER. 5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to. 6. At the server connections prompt, type q, and then press ENTER. 7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator. 8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.Notes o Under typical conditions, all five roles must be assigned to live domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, click the following article number to view the article in the Microsoft Knowledge Base: 223346 (http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on Windows 2000 domain controllers

o o

If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in active directory after an unsuccessful domain controller demotion Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata. Some customers prefer not to restore system state backups of FSMO roleholders in case the role has been reassigned since the backup was made. Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.

To test whether a domain controller is also a global catalog server: 1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services. 2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available. 3. Open the Servers folder, and then click the domain controller. 4. In the domain controllers folder, double-click NTDS Settings. 5. On the Action menu, click Properties. 6. On the General tab, view the Global Catalog check box to see if it is selected. For more information about FSMO roles, click the following article numbers to view the articles in the Microsoft Knowledge Base:

How do you configure a stand-by operation master for any of the roles?

1. Open Active Directory Sites and Services. 2. Expand the site name in which the standby operations master is located to display the Servers folder. 3. Expand the Servers folder to see a list of the servers in that site. 4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings. 5. Right-click NTDS Settings, click New, and then click Connection. 6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK. 7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.

How do you backup AD?

Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-

line tools that the Windows Server 2003 family provides. You frequently backup the system state data on domain controllers so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary. To ensure a good backup includes at least the system state data and contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone is 60 days. Any backup older than 60 days is not a good backup. Plan to backup at least two domain controllers in each domain, one of at least one backup to enable an authoritative restore of the data when necessary. System State Data Several features in the windows server 2003 family make it easy to backup Active Directory. You can backup Active Directory while the server is online and other network function can continue to function. System state data on a domain controller includes the following components: Active Directory system state data does not contain Active Directory unless the server, on which you are backing up the system state data, is a domain controller. Active Directory is present only on domain controllers. The SYSVOL shared folder: This shared folder contains Group policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers. The Registry: This database repository contains information about the computers configuration. System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under windows file protection and used by windows to load, configure, and run the operating system. The COM+ Class Registration database: The Class registration is a database of information about Component Services applications. The Certificate Services database: This database contains certificates that a server running Windows server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server. System state data contains most elements of a systems configuration, but it may not include all of the information that you require recovering data from a system failure. Therefore, be sure to backup all boot and system volumes, including the System State, when you back up your server. Restoring Active Directory In Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted.

Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner. Once the replication is finished each partner has an updated version of Active Directory. There is another way to get these latest updates by Backup utility to restore replicated data from a backup copy. For this restore you dont need to configure again your domain controller or no need to install the operating system from scratch. Active Directory Restore Methods You can use one of the three methods to restore Active Directory from backup media: primary restore, normal (non authoritative) restore, and authoritative restore. Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup. Members of Administrators group can perform the primary restore on local computer, or user should have been delegated with this responsibility to perform restore. On a domain controller only Domain Admins can perform this restore. Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state. Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents the replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore individual object in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restore object that occurred after the backup. Ntdsutil is a command line utility to perform an authoritative restore along with windows server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version recently changed data on other domain controllers does not overwrite system state data during replication.

How do you restore AD?

Restoring Active Directory : In Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted. Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner. Once the replication is finished each partner has an updated version of Active Directory. There is another way to get these latest updates by Backup utility to restore replicated data from a backup copy. For this restore you dont need to configure again your domain controller or no need to install the operating system from scratch. Active Directory Restore Methods You can use one of the three methods to restore Active Directory from backup media: primary restore, normal (non authoritative) restore, and authoritative restore.

Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup. Members of Administrators group can perform the primary restore on local computer, or user should have been delegated with this responsibility to perform restore. On a domain controller only Domain Admins can perform this restore. Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state. Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents the replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore individual object in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restore object that occurred after the backup. Ntdsutil is a command line utility to perform an authoritative restore along with windows server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version recently changed data on other domain controllers does not overwrite system state data during replication.

METHOD
A. You cant restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps. Reboot the computer. At the boot menu, select Windows 2000 Server. Dont press Enter. Instead, press F8 for advanced options. Youll see the following text. OS Loader V5.0 Windows NT Advanced Options Menu Please select an option: Safe Mode Safe Mode with Networking Safe Mode with Command Prompt Enable Boot Logging Enable VGA Mode Last Known Good Configuration Directory Services Restore Mode (Windows NT domain controllers only) Debugging Mode Use | and | to move the highlight to your choice. Press Enter to choose. Scroll down, and select Directory Services Restore Mode (Windows NT domain controllers only). Press Enter. When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of the screen, youll see in red text Directory Services Restore Mode (Windows NT domain

controllers only). The computer will boot into a special safe mode and wont start the DS. Be aware that during this time the machine wont act as a DC and wont perform functions such as authentication. Start NT Backup. Select the Restore tab. Select the backup media, and select System State. Click Start Restore. Click OK in the confirmation dialog box. After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; Sometimes it takes a 30-minute wait on some machines.

How do you change the DS Restore admin password?

When you promote a Windows 2000 Server-based computer to a domain controller, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion. The Administrator password that you use when you start Recovery Console or when you press F8 to start Directory Service Restore Mode is stored in the registry-based Security Accounts Manager (SAM) on the local computer. The SAM is located in the\System32\Config folder. The SAM-based account and password are computer specific and they are not replicated to other domain controllers in the domain. For ease of administration of domain controllers or for additional security measures, you can change the Administrator password for the local SAM. To change the local Administrator password that you use when you start Recovery Console or when you start Directory Service Restore Mode, use the following method. 1. Log on to the computer as the administrator or a user who is a member of the Administrators group. 2. Shut down the domain controller on which you want to change the password. 3. Restart the computer. When the selection menu screen is displayed during restar, press F8 to view advanced startup options. 4. Click the Directory Service Restore Mode option. 5. After you log on, use one of the following methods to change the local Administrator password: At a command prompt, type the following command: net user administrator Use the Local User and Groups snap-in (Lusrmgr.msc) to change the Administrator password. 6. Shut down and restart the computer. You can now use the Administrator account to log on to Recovery Console or Directory Services Restore Mode using the new password.

Why cant you restore a DC that was backed up 4 months ago?

Because of the tombstone life which is set to only 60 days

What are GPOs?

Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a users work environment once, and then rely on Windows Server 2003 to continually force the Group Policy settings that you apply across an entire organization or to specific groups of users and computers. Group Policy Advantages You can assign group policy in domains, sites and organizational units. All users and computers get reflected by group policy settings in domain, site and organizational unit. No one in network has rights to change the settings of Group policy; by default only administrator has full privilege to change, so it is very secure. Policy settings can be removed and can further rewrite the changes. Where GPOs store Group Policy Information Group Policy objects store their Group Policy information in two locations: Group Policy Container: The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers can access the GPC to locate Group Policy templates, and domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version of the GPO. Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create GPO, Windows Server 2003 creates the corresponding GPT which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings. The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is systemroot\SYSVOL\sysvol. Managing GPOs To avoid conflicts in replication, consider the selection of domain controller, especially because the GPO data resides in SYSVOL folder and the Active Directory. Active Directory uses two independent replication techniques to replicate GPO data among all domain controllers in the domain. If two administrators changes can overwrite those made by other administrator, depends on the replication latency. By default the Group Policy Management console uses the PDC Emulator so that all administrators can work on the same domain controller. WMI Filter WMI filters is use to get the current scope of GPOs based on attributes of the user or computer. In this way, you can increase the GPOs filtering capabilities beyond the security group filtering mechanisms that were previously available. Linking can be done with WMI filter to a GPO. When you apply a GPO to the destination computer, Active Directory evaluates the filter on the destination computer. A WMI filter has few queries that active Directory evaluates in place of WMI repository of the destination computer. If the set of queries is false, Active Directory does not apply the GPO. If set of queries are true, Active Directory applies the GPO. You write the query by using the WMI Query Language (WQL); this language is similar to querying SQL for WMI repository. Planning a Group Policy Strategy for the Enterprise When you plan an Active Directory structure, create a plan for GPO inheritance,

administration, and deployment that provides the most efficient Group Policy management for your organization. Also consider how you will implement Group Policy for the organization. Be sure to consider the delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility so that your plan will provide for ease of use as well as administration. Planning GPOs Create GPOs in way that provides for the simplest and most manageable design one in which you can use inheritance and multiple links. Guidelines for Planning GPOs Apply GPO settings at the highest level: This way, you take advantage of Group Policy inheritance. Determine what common GPO settings for the largest container are starting with the domain and then link the GPO to this container. Reduce the number of GPOs: You reduce the number by using multiple links instead of creating multiple identical GPOs. Try to link a GPO to the broadest container possible level to avoid creating multiple links of the same GPO at a deeper level. Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a higher level will not apply the settings in these specialized GPOs. Disable computer or use configuration settings: When you create a GPO to contain settings for only one of the two levels-user and computer-disable the logon and prevents accidental GPO settings from being applied to the other area.

What is the order in which GPOs are applied?

Local, Site, Domain, OU Group Policy settings are processed in the following order: 1:- Local Group Policy object-each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing. 2:- Site-Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence. 3:- Domain-processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence. 4:- Organizational units-GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed. At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their

processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence. This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)

Name a few benefits of using GPMC.

Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:

Easy administration of all GPOs across the entire Active Directory Forest View of all GPOs in one single list Reporting of GPO settings, security, filters, delegation, etc. Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering Delegation model Backup and restore of GPOs Migration of GPOs across different domains and forests

With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you want to protect the GPOs from the following:

Role based delegation of GPO management Being edited in production, potentially causing damage to desktops and servers Forgetting to back up a GPO after it has been modified Change management of each modification to every GPO How can you determine what GPO was and was not applied for a user? Name a few ways to do that.

Simply use the Group Policy Management Console created by MS for that very purpose, allows you to run simulated policies on computers or users to determine what policies are enforced. Link in sources

What are administrative templates?

Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment. Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines. An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.

ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified namespace in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).

Whats the difference between software publishing and assigning?

ANS An administrator can either assign or publish software applications. Assign Users The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the start menu, or accesses a file that has been associated with the software application. Assign Computers The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted. Publish to users The software application does not appear on the start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.

Can I deploy non-MSI software with GPO?

How to create a third-party Microsoft Installer package

http://support.microsoft.com/kb/257718/

You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

Login on client as Domain Admin user change whatever you need add printers etc go to system-User profiles copy this user profile to any location by select Everyone in permitted to use after copy change ntuser.dat to ntuser.man and assgin this path under user profile

Hardware RAID Levels RAID Minimum Description Strengths Weaknesses Level Number of Drives RAID 0 2 Data striping Highest performance No data protection; without One drive fails, all data redundancy is lost RAID 1 2 Disk mirroring Very high High redundancy cost performance; Very overhead; Because all high data protection; data is duplicated, Very minimal penalty twice the storage on write performance capacity is required RAID 2 Not used in No practical use Previously used for No practical use; Same LAN RAM error performance can be environments achieved by RAID 3 at correction (known as lower cost Hamming Code ) and in disk drives before the use of embedded error correction Not well-suited for RAID 3 3 Byte-level data Excellent striping with performance for large, transaction-oriented network applications; dedicated parity sequential data drive requests Single parity drive does not support multiple, simultaneous read and write requests RAID 4 3 (Not Block-level data Data striping supports Write requests suffer multiple widely striping with from same single parity-drive bottleneck used) dedicated parity simultaneous read drive requests as RAID 3; RAID 5 offers equal data protection and better performance at same cost RAID 5 3 Block-level data Best cost/performance Write performance is striping with for transactionslower than RAID 0 or distributed oriented networks; RAID 1 parity Very high performance, very high data protection; Supports multiple simultaneous reads and writes; Can also be optimized for large, sequential requests

RAID 4 0/1

Combination of RAID 0 (data striping) and RAID 1 (mirroring)

RAID 4 1/0

Highest performance, High redundancy cost highest data overhead; Because all protection (can data is duplicated, tolerate multiple drive twice the storage failures) capacity is required; Requires minimum of four drives Shares the same fault High redundancy cost tolerance as RAID 1 Combination of overhead; Because all (the basic mirror), but RAID 1 data is duplicated, compliments said (mirroring) and twice the storage fault tolerance with a RAID 0 (data capacity is required; striping mechanism striping) Requires minimum of that can yield very four drives high read rates

RAID 0

RAID 1

RAID 5

Windows DNS Server Interview Questions !

What is the main purpose of a DNS server? DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.
What is the port no of dns ? 53. What is a Forward Lookup? Resolving Host Names to IP Addresses. What is Reverse Lookup? It?s a file contains host names to IP mapping information. What is a Resource Record? It is a record provides the information about the resources available in the N/W infrastructure. What are the diff. DNS Roles? Standard Primary, Standard Secondary, & AD Integrated. What is a Zone? Zone is a sub tree of DNS database. Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create? PTR Records SOA records must be included in every zone. What are they used for ? SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers. By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address ? Performs a recursive search through the primary DNS server based on the network interface configuration . What is primary, Secondary, stub & AD Integrated Zone? Primary Zone: - zone which is saved as normal text file with filename (.dns) in DBS folder. Maintains a read, write copy of zone database. Secondary Zone: - maintains a read only copy of zone database on another DNS server. Provides fault tolerance and load balancing by acting as backup server to primary server. Stub zone: - contains a copy of name server and SOA records used for reducing the DNS search orders. Provides fault tolerance and load balancing.

How do you manually create SRV records in DNS? This is on windows server go to run ---> dnsmgmt.msc rightclick on the zone you want to add srv record to and choose "other new record" and choose service location(srv). What is the main purpose of SRV records ? SRV records are used in locating hosts that provide certain network services. Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure ? The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates. Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients ? The zone to be used for dynamic updates must be configured to allow dynamic updates. The DHCP server must support, and be configured to allow, dynamic updates for legacy clients. At some point during the name resolution process, the requesting party received authoritative reply. Which further actions are likely to be taken after this reply ? After receiving the authoritative reply, the resolution process is effectively over. Name 3 benefits of using AD-integrated zones. Active Directory integrated DNS enables Active Directory storage and replication of DNS zone databases. Windows 2000 DNS server, the DNS server that is included with Windows 2000 Server, accommodates storing zone data in Active Directory. When you configure a computer as a DNS server, zones are usually stored as text files on name servers that is, all of the zones required by DNS are stored in a text file on the server computer. These text files must be synchronized among DNS name servers by using a system that requires a separate replication topology and schedule called a zone transfer However, if you use Active Directory integrated DNS when you configure a domain controller as a DNS name server, zone data is stored as an Active Directory object and is replicated as part of domain replication. Describe the importance of DNS to AD ? When Microsoft began development on Active Directory, full compatibility with the domain name system (DNS) was a critical priority. Active Directory was built from the ground up not just to be fully compatible with DNS but to be so integrated with it that one cannot exist without the other. Microsoft's direction in this case did not just happen by chance, but because of the central role that DNS plays in Internet name resolution and Microsoft's desire to make its product lines embrace the Internet. While fully conforming to the standards established for DNS, Active Directory can expand upon the standard feature set of DNS and offer some new capabilities such as AD-Integrated DNS, which greatly eases the administration required for DNS environments. In addition, Active Directory can easily adapt to exist in a foreign DNS

environment, such as Unix BIND, as long as the BIND version is 8.2.x or higher. When Microsoft began development on Active Directory, full compatibility with the domain name system (DNS) was a critical priority. Active Directory was built from the ground up not just to be fully compatible with DNS but to be so integrated with it that one cannot exist without the other. Microsoft's direction in this case did not just happen by chance, but because of the central role that DNS plays in Internet name resolution and Microsoft's desire to make its product lines embrace the Internet. While fully conforming to the standards established for DNS, Active Directory can expand upon the standard feature set of DNS and offer some new capabilities such as AD-Integrated DNS, which greatly eases the administration required for DNS environments. In addition, Active Directory can easily adapt to exist in a foreign DNS environment, such as Unix BIND, as long as the BIND version is 8.2.x or higher Describe the importance of DNS to AD ? When Microsoft began development on Active Directory, full compatibility with the domain name system (DNS) was a critical priority. Active Directory was built from the ground up not just to be fully compatible with DNS but to be so integrated with it that one cannot exist without the other. Microsoft's direction in this case did not just happen by chance, but because of the central role that DNS plays in Internet name resolution and Microsoft's desire to make its product lines embrace the Internet. While fully conforming to the standards established for DNS, Active Directory can expand upon the standard feature set of DNS and offer some new capabilities such as AD-Integrated DNS, which greatly eases the administration required for DNS environments. In addition, Active Directory can easily adapt to exist in a foreign DNS environment, such as Unix BIND, as long as the BIND version is 8.2.x or higher. When Microsoft began development on Active Directory, full compatibility with the domain name system (DNS) was a critical priority. Active Directory was built from the ground up not just to be fully compatible with DNS but to be so integrated with it that one cannot exist without the other. Microsoft's direction in this case did not just happen by chance, but because of the central role that DNS plays in Internet name resolution and Microsoft's desire to make its product lines embrace the Internet. While fully conforming to the standards established for DNS, Active Directory can expand upon the standard feature set of DNS and offer some new capabilities such as AD-Integrated DNS, which greatly eases the administration required for DNS environments. In addition, Active Directory can easily adapt to exist in a foreign DNS environment, such as Unix BIND, as long as the BIND version is 8.2.x or higher.

How to install Active Directory on Windows Server 2003

1. Click Start, click Run, type dcpromo, and then click OK. 2. On the first page of the Active Directory Installation Wizard, click Next. 3. On the next page of the Active Directory Installation Wizard, click Next. 4. On the Domain Controller Type page, click Domain Controller for a new domain, and then click Next. 5. On the Create New Domain page, click Domain in a new forest, and then click Next. 6. On the New Domain Name page, in the Full DNS name for new domain box, type Testdc.com, and then click Next. 7. On the Database and Log Folders page, accept the defaults in the Database folder box and the Log folder box, and then click Next. 8. On the Shared System Volume page, accept the default in theFolder location box, and then click Next. 9. On the DNS Registration Diagnostics page, click Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS Server, and then click Next. 10. On the Permissions page, click Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems, and then click Next. 11. On the Directory Services Restore Mode Administrator Password page, enter a password in the Restore Mode Password box, retype the password to confirm it in the Confirm password box, and then click Next. 12. On the Summary page, confirm the information is correct, and then click Next. 13. When prompted to restart the computer, click Restart now. After the computer restarts, log on to testdc as a member of the Administrators group.

Windows DHCP Interview Questions! What is dhcp ? Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network. What is the dhcp process for client machine? 1. A user turns on a computer with a DHCP client. 2. The client computer sends a broadcast request (called a DISCOVER or DHCPDISCOVER), looking for a DHCP server to answer. 3. The router directs the DISCOVER packet to the correct DHCP server. 4. The server receives the DISCOVER packet. Based on availability and usage policies set on the server, the server determines an appropriate address (if any) to give to the client. The server then temporarily reserves that address for the client and sends back to the client an OFFER (or DHCPOFFER) packet, with that address information. The server also configures the client's DNS servers, WINS servers, NTP servers, and sometimes other services as well. 5. The client sends a REQUEST (or DHCPREQUEST) packet, letting the server know that it intends to use the address. 6. The server sends an ACK (or DHCPACK) packet, confirming that the client has a been given a lease on the address for a server-specified period of time. What is dhcp scope ? DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients. Types of scopes in windows dhcp ? Normal Scope - Allows A, B and C Class IP address ranges to be specified including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet. Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservation or other TCP/IP options. Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination). Superscope - Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity. What is Authorizing DHCP Servers in Active Directory ? If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized. This can be achieved either as part of the DHCP Server role installation, or subsequently using either DHCP console or at the command prompt using the netsh tool. If the DHCP server was not authorized during installation, invoke the DHCP console (Start -> All Programs -> Administrative Tools -> DHCP), right click on the DHCP to be authorized and select Authorize. To achieve the same result from the command prompt, enter the following command: netsh dhcp server serverID initiate auth

In the above command syntax, serverID is replaced by the IP address or full UNC name of system on which the DHCP server is installed. What ports are used by DHCP and the DHCP clients ? Requests are on UDP port 68, Server replies on UDP 67 . Benefits of using DHCP DHCP provides the following benefits for administering your TCP/IP-based network: Safe and reliable configuration.DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network. Reduces configuration management. Using DHCP servers can greatly decrease time spent to configuring and reconfiguring computers on your network. Servers can be configured to supply a full range of additional configuration values when assigning address leases. These values are assigned using DHCP options. Also, the DHCP lease renewal process helps assure that where client configurations need to be updated often (such as users with mobile or portable computers who change locations frequently), these changes can be made efficiently and automatically by clients communicating directly with DHCP servers. The following section covers issues that affect the use of the DHCP Server service with other services or network configurations. Using DNS servers with DHCP Using Routing and Remote Access servers with DHCP Multihomed DHCP servers. Describe the process of installing a DHCP server in an AD infrastructure ? Open Windows Components Wizard. Under Components , scroll to and click Networking Services. Click Details . Under Subcomponents of Networking Services , click Dynamic Host Configuration Protocol (DHCP) and then click OK . Click Next . If prompted, type the full path to the Windows Server 2003 distribution files, and then click Next. Required files are copied to your hard disk.

Welcome to Network Interview Questions! Q:What is Networking?=Inter connection between the two or more computers is called the networking. Using three types of network are Intranet, Internet and Extranet (Eg. LAN, WAN & MAN) Q:What is Bandwidth?=Every line has an upper limit and a lower limit on the frequency of signals it can carry. This limited range is called the bandwidth. Every line has a capacity of transmission of data, The maximum amount of data that can be transferred in a single line is called Bandwidth. Q:What is VLAN?=VLAN Stand for Virtual Local Area Network. It is a logical grouping of network users and resources connected to administratively defined ports on a switch. Uses of VLAN are as follows:-1. It is securied connection. 2. It increases flexibility. 3. It creates separate broadcast domain. Q:What is CIDR?=CIDR Stands for classless inter domain routing. It helps in preventing the wasting of IP address and nowadays we are facing the shortage of the IP address.So this CIDR helps to prevent the waste of IP address.Shortly IPV6 will come into exist. Q:What is VLSM?=VLSM stands for Variable length subnet mask, when try to separate a major subnet into minor ones, then that process is called VLSM. We can subnet in various lengths. Eg: 1.1.1.0-/24 can be separated into 1.1.1.0-/30 and 1.1.1.4-/28 Q:What is unicast?=Unicast is one type of transmission in which information is sent from one host to another host (i.e Source to Destination). In another words, Unicast transmission is between one-to-one nodes Unicast ---> A transmission to a single interface card. Q:What is Multicast? =Multicast is such differ from Unicast. It is another type of transmission or communication in which there may be more than host and the information sent is meant for a set of host.(i.e one source to group of destination Multicast ---> A transmission to a group of interface cards on the network. Q:What is Broadcast? =Broadcast is one type of transmission in which information is transfer from just one host but is received by all the host connected to the network. (i.e one source to all destination) Broadcast ---> A transmission to all interface cards on the network.

IPv4 Subnetting A subnet allows the flow of network traffic between computers to be segregated based on a network configuration. subnetting can improve network security and performance.
CIDR /32 /31 /30 /29 /28 /27 /26 /25 /24 /23 /22 /21 /20 /19 /18 /17 /16 /15 /14 /13 /12 /11 /10 /9 /8 /7 /6 /5 /4 /3 /2 /1 /0 Subnet Mask 255.255.255.255 255.255.255.254 255.255.255.252 255.255.255.248 255.255.255.240 255.255.255.224 255.255.255.192 255.255.255.128 255.255.255.0 255.255.254.0 255.255.252.0 255.255.248.0 255.255.240.0 255.255.224.0 255.255.192.0 255.255.128.0 0.0.127.255 255.255.0.0 0.0.255.255 255.254.0.0 0.1.255.255 255.252.0.0 0.3.255.255 255.248.0.0 0.7.255.255 255.240.0.0 0.15.255.255 255.224.0.0 0.31.255.255 255.192.0.0 0.63.255.255 255.128.0.0 0.127.255.255 255.0.0.0 0.255.255.255 254.0.0.0 1.255.255.255 252.0.0.0 3.255.255.255 248.0.0.0 7.255.255.255 240.0.0.0 15.255.255.255 224.0.0.0 31.255.255.255 192.0.0.0 63.255.255.255 128.0.0.0 127.255.255.255 0.0.0.0 255.255.255.255 Addresses 1 2 4 8 16 32 64 128 256 512 1,024 2,048 4,096 8,192 16,384 32,768 65,536 131,072 262,144 524,288 1,048,576 2,097,152 4,194,304 8,388,608 16,777,216 33,554,432 67,108,864 134,217,728 268,435,456 536,870,912 1,073,741,824 2,147,483,648 4,294,967,296 Wildcard 0.0.0.0 0.0.0.1 0.0.0.3 0.0.0.7 0.0.0.15 0.0.0.31 0.0.0.63 0.0.0.127 0.0.0.255 0.0.1.255 0.0.3.255 0.0.7.255 0.0.15.255 0.0.31.255 0.0.63.255