Active Directory
Q. What is Directory Service?
A. Directory service is a software application that stores and organizes information of networked computers, users, and network resources, and that allows network administrators to manage users’ access the resources.
Q. What is Active Directory?
A. Active Directory is an implementation of LDAP directory services. Active Directory allows administrators to assign enterprise-wide policies, deploy programs to many computers, and apply critical updates to an entire organization. Active Directory stores information and settings related to an organization in a central, organized, accessible database. Active Directory networks can vary from a small installation with a few hundred objects, to a large installation with millions of objects.
Q. What is Active Directory Services?
A. Active Directory is a directory service used to store information about the network resources across a domain.
Q. What are components of Active Directory (Hierarchy)?
A. Components of Active Directory are Domain, Forest, Tree, Organizational Unit, Schema, Group Policy Objects and Global Catalog.
Q. What is Tree (Logical Component)?
A. Domain trees is a hierarchical grouping of one or more domains that share a single DNS namespace & have one or more child domain and are connected by transitive trust relationship. Example: ttsl.com is root and mah.ttsl.com is child.
Q. What is Forest (Logical Component)?
A. A forest is a group of one or more domain trees which share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory (domain controller) installed on a network.
This first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.
Q. What is Domain (Logical Component)?
A. A Domain is a logical grouping of networked computers in which more than one computer has shared resources. (Domains are the fundamental units that make up Active Directory).
Q. What is OU (Logical Component)?
A. OU is administrative-level container object in ADS that organize users, computers, groups and other organizational units together so that any changes, security privileges or any other administrative tasks could be accomplished more efficiently.
Q. What is Domain Controller (Physical Component)?
A. Domain Controllers are the physical storage location for the Active Directory Services Database.
Q. What is Sites (Physical Component)?
A. A Site is a physical component of Active Directory that is used to define and represent the physical topology of a network.
Q. What is Object?
A. Active Directory objects are the entities that make up a network. An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application. For example, when we create a user object, Active Directory assigns the globally unique identifier (GUID), and we provide values for such attributes as the user's given name, surname, the logon identifier, and so on.
Q. What is Schema?
A. The schema defines the type of objects and the attributes that each object has. The schema is what defines a user account for example. A user account must have a name, a password, and a unique SID. A user account can also have many additional attributes, such as location, address, phone number, e-mail addresses, terminal services profiles, and so on.
Q. What is Schema Class & Attributes?
A. Every directory object you create is an instance of an object class contained in the schema. Each object class contains a list of associated attributes that determine the information the object can contain. Classes and attributes are defined independently, so that a single attribute can be associated with multiple classes. All schema classes and attributes are defined by the classSchema and attributeSchema objects, respectively.
Q. What is Global Catalog?
A Global catalog is a domain controller that stores a copy of all Active Directory objects in a forest. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.
Q. What is Universal Group Membership Cache?
A. In a forest that has more than one domain, in sites that have domain users but no global catalog server, Universal Group Membership Caching can be used to enable caching of logon credentials so that the global catalog does not have to be contacted for subsequent user logons.
Q. What is LDAP?
A. LDAP stands for Lightweight Directory Access Protocol is a networking protocol for querying and modifying directory services running over TCP/IP. And the TCP port for LDAP is 389. LDAP Version 5.
Q. What are IIS services?
A. IIS services are used to publish web based applications.
What is TCP/IP port no for Global Catalog? 3268
What is TCP/IP port no for LDAP? 389
What is TCP/IP port no for RDP? 3389
What is the TCP/IP port no for SNMP? 161,162
What is the TCP/IP port no for SMTP? 25
What is the TCP/IP port no for POP3? 110
What is the TCP/IP port no for IMAP? 143
What is the TCP/IP port no for HTTP? 80
What is the TCP/IP port no for HTTPS? 443
Q. What are important operations roles in Active Directory?
A. In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
• | Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. |
• | Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest. |
• | Infrastructure Master: Responsible for maintaining all inter-domain object references. In other words, the infrastructure master informs certain objects (such as groups) that other objects (such as users in another domain) have been moved, changed, or otherwise modified. This update is needed only in a multiple-domain environment. |
• | Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain. |
• | PDC Emulator: Used whenever a domain contains non–Active Directory computers. It acts as a Windows NT primary domain controller (PDC) for legacy client operating systems, as well as for Windows NT backup domain controllers (BDCs). The PDC emulator also processes password changes and receives preferential treatment within the domain for password updates. If another domain controller is unable to authenticate a user because of a bad password, the request is forwarded to the PDC emulator. The PDC emulator performs this additional (and important) operations master role whether or not there are any BDCs in the domain. |
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:
Q. How can we view All FSMO roles using command prompt?
A. Ntdsutil.exe
Q. How can we transfer Schema Master Role?
A. Transfer the Schema Master Role
Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.
Register Schmmgmt.dll
1. | Click Start, and then click Run. |
2. | Type regsvr32 schmmgmt.dll in the Open box, and then click OK. |
3. | Click OK when you receive the message that the operation succeeded. |
Transfer the Schema Master Role
1. | Click Start, click Run, type mmc in the Open box, and then click OK. |
2. | On the File, menu click Add/Remove Snap-in. |
3. | Click Add. |
4. | Click Active Directory Schema, click Add, click Close, and then click OK. |
5. | In the console tree, right-click Active Directory Schema, and then click Change Domain Controller. |
6. | Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK. |
7. | In the console tree, right-click Active Directory Schema, and then click Operations Master. |
8. | Click Change. |
9. | Click OK to confirm that you want to transfer the role, and then click Close. |
Q. How can we transfer Domain naming Master?
A. Transfer the Domain Naming Master Role
1. | Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts. |
2. | Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer. |
3. | Do one of the following:
• | In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
-or- |
• | In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK. |
|
4. | In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master. |
5. | Click Change. |
6. | Click OK to confirm that you want to transfer the role, and then click Close. |
Q. How can we transfer PDC Emulator, RID Master, Infrastructure Master?
A. Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
1. | Click Start, point to Administrative Tools, and then click Active Directory Users and Computers. |
2. | Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer. |
3. | Do one of the following:
• | In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
-or- |
• | In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK. |
|
4. | In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master. |
5. | Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change. |
6. | Click OK to confirm that you want to transfer the role, and then click Close. |
Q. What will happen if Schema Master fails?
A. No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), then the malfunction of the server holding the Schema Master role will not pose a critical problem.
Q. What will happen if Domain Naming Master fails?
A. Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.
Q. What will happen if RID Master fails?
A. RID Master provides RIDs for security principles (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups.
Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you adding the users/groups on ran out of RIDs.
Q. What will happen if PDC Emulator fails?
A. The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using down-level clients (NT and Win9x). Since the PDC emulator acts as a NT 4 PDC, then any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication).
In a native mode domain the failure of the PDC emulator isn't as critical because other domain controllers can assume most of the responsibilities of the PDC emulator.
Q. What will happen if Infrastructure Master fails?
A. This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.
Q. What are the basic requirements (Hardware/Software) to implement the Windows ADS server?
A. Minimum requirements:
Processor: Single 550 MHz PIII or comparable
Memory: 512 MB of RAM
Hard Disks: Two 9 GB - Mirrored
Network: 100 Megabit Ethernet
Systems: 2 Windows 2000 SP4 Servers- Redundancy
Recommended requirement Processor: Dual Intel Xeon or comparable
Memory: 1 GB of RAM
Hard Disks: Three 9 GB - RAID5
Network: 100 Megabit Ethernet
Systems: 2 Windows 2000 SP4 Servers- Redundancy
Desktop/Member Server Requirements:
Windows desktop OS should be at least Windows 2000 and have hardware to support such to receive benefit from the GTAD service.
Windows member servers should be at the Windows 2000 level and have hardware to support such.
Q. What is GROUPS?
A. Groups are Active Directory (or local computer) objects that can contain users, contacts, computers, and other groups. In Windows 2003, groups are created in domains, using the Active Directory Users and Computers tool. You can create groups in the root domain, in any other domain in the forest, in any organizational unit, or in any container class object (such as the default Users container). Like user and computer accounts, groups are Windows 2000 security principals; they are directory objects to which SID’s are assigned at creation.
Q. What is Distribution Group?
A. These are used for non-security purposes by applications other than Windows. One of the primary uses is within an e-mail.
As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer’s security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.
Q. What is Security Groups?
A. Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.
Q. What is Global Group?
A. Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:
1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.
Q. What is Domain Local Group?
A. Exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:
1. Domain local groups can contain users and global groups from any domain in a forest no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.
Q. What is Universal Group?
A. Are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:
1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.
Q. What is GROUP Policy?
A. Group Policies are configuration settings applied to computers or users as they are initialized. All Group Policy settings are contained in Group Policy Objects (GPO’s) applied to Active Directory sites, domains, or organizational units.
A. Group policy is part of Microsoft's IntelliMirror technology which aims to reduce the overall cost of supporting users of Windows. Group policy provides centralized management of computers and users in an Active Directory environment.
Q. What is Group Policy Object?
A. Group Policy Object (GPO) is a collection of settings that define what a system will look like and how it will behave for a defined group of users.
Q. What is LSDO?
A. LSDO - Local policies first, then Site based policies, then Domain level policies, then OU polices, then nested OU polices (OUs within OUs). Group polices cannot be linked to a specific user or group, only container objects.
Q. What is the difference between FAT, FAT32 & NTFS & what is it?
A. Following are Microsoft's Windows Glossary definitions for each of the 3 file systems:
- File Allocation Table (FAT): A file system used by MS-DOS and other Windows-based operating systems to organize and manage files. The file allocation table (FAT) is a data structure that Windows creates when you format a volume by using the FAT or FAT32 file systems. Windows stores information about each file in the FAT so that it can retrieve the file later.
- FAT32: A derivative of the File Allocation Table (FAT) files system. FAT32 supports smaller cluster sizes and larger volumes than FAT, which results in more efficient space allocation on FAT32 volumes.
- NTFS: An advanced file system that provides performance, security, reliability, and advanced features that are not found in any version of FAT. For example, NTFS guarantees volume consistency by using standard transaction logging and recovery techniques. If a system fails, NTFS uses its log file and checkpoint information to restore the consistency of the file system. In Windows 2000 and Windows XP, NTFS also provides advanced features such as file and folder permissions, encryption, disk quotas, and compression.
NTFS File System:
- NTFS is the best file system for large drives. Unlike FAT and FAT32, performance with NTFS isn't corrupted as drive size increases.
- One of the major security features in NTFS is encryption or, in other words, the process of disguising a message or data in such a way as to hide its substance.
- Another feature in NTFS is disk quotas. It gives you the ability to monitor and control the amount of disk space used by each user.
- Using NTFS, you can keep access control on files and folders and support limited accounts. In FAT and FAT32, all files and folders are accessible by all users no matter what their account type is.
- Domains can be used to tweak security options while keeping administration simple.
- Compression available in NTFS enables you to compress files, folders, or whole drives when you're running out of disk space.
- Removable media (such as tapes) are made more accessible through the Remote Storage feature.
- Recovery logging helps you restore information quickly if power failures or other system problems occur.
- In NTFS we can convert the file system through:
1. Back up all your data before formatting:
So you want to start with a 'clean' drive but can't afford losing your precious files? Very simple. All you need to do is back up your files to an external hard-drive or a partition other than the one you want to convert, or burn the data onto CDs. After you're done you can format a drive with NTFS.
2. Use the convert command from command prompt:
This way, you don't need to back up. All files are preserved as they are. However, I recommend a backup. You don't know what might go wrong and besides what would you lose if you do back-up? When I converted to NTFS using convert.exe, everything went smooth. Chances are your conversion will be equally smooth.
IMPORTANT NOTE: This is a one-way conversion. Once you've converted to NTFS, you can't go back to FAT or FAT32 unless you format the drive.
1. Open Command Prompt
Start | All Programs | Accessories | Command Prompt
OR
Start | Run | type "cmd" without quotes | OK
2. Type "convert drive letter: /fs:ntfs" and press Enter. For example, type "convert C: /fs:ntfs" (without quotes) if you want to convert drive C.
3. If you're asked whether you want to dismount the drive, agree.
Q. What are Permissions?
A. Permissions are a key component of the Windows Server 2003 security architecture that you can use to manage the process of authorizing users, groups, and computers to access objects on a network.
Q. What is Backup?
A. To copy files to a second medium (a disk or tape) as a precaution in case the first medium fails.
Q. What are the types of Backup?
A. There are 5 types of backup in windows 2003 and are as follows: Copy, Normal, Incremental, Daily and Differential.
Q. Difference between Incremental & Differential Backup?
A. Differential backup backs up only the files that changed since the last full back. For example, suppose you do a full backup on Sunday. On Monday you back up only the files that changed since Sunday, on Tuesday you back up only the files that changed since Sunday, and so on until the next full backup. Differential backups are quicker than full backups because so much less data is being backed up. But the amount of data being backed up grows with each differential backup until the next full back up. Differential backups are more flexible than full backups, but still unwieldy to do more than about once a day, especially as the next full backup approaches.
Incremental backups also back up only the changed data, but they only back up the data that has changed since the last backup — be it a full or incremental backup. They are sometimes called "differential incremental backups," while differential backups are sometimes called "cumulative incremental backups." Confused yet? Don't be.
Q. How can we take the backup for ADS?
A We can take the ADS backup through ntbackup and select the system state backup.
Q. How to restore an ADS Backup?
A. Restoring Windows Server 2003 system state and system services
Tivoli Storage Manager supports the Microsoft Volume Shadow copy Service (VSS) on Windows Server 2003. Tivoli Storage Manager uses VSS to restore all system state components as a single object, to provide a consistent point-in-time snapshot of the system state. You can restore all system service components (the default) or individual components. System state components include the following:
- Active Directory (domain controller only)
- Windows Server 2003 system volume
- Certificate Server Database
- COM+ database
- Windows Registry
- System and boot files
Attention: Restoring system state in a situation other than system recovery is not recommended.
You must have administrative authority to restore System State information. To restore the Windows Server 2003 system state using the GUI:
- Click Restore from the GUI main window. The Restore window appears.
- Expand the directory tree by clicking the plus sign +. To display files in a folder, click the folder icon.
- Locate the System State node in the directory tree. You can expand the System State node to display the components.
- Click the selection box next to the System State node to restore the entire system state. You can restore the System State node only as a single entity because of dependencies among the system state components. By default, all components are selected; you cannot back up individual system state components.
- Click Restore. The Task List window displays the restore processing status.
On the command line, use the restore system state command to restore a backup of a system state. See Restore System state for more information.
Considerations:
- You can restore System State data to an alternate machine.
- If you are upgrading from a Windows 2000 machine to a Windows Server 2003 machine, you cannot restore the Windows 2000 system objects that were backed up to the server.
- Your Windows Server 2003 client must be connected to a Tivoli Storage Manager Version 5.2.0 or higher server.
- If Active Directory is installed, you must be in Active Directory restore mode.
- See Performing a Windows XP or Windows Server 2003 system recovery for procedures on how to perform the following tasks:
- Your operating system is still functioning, but a complete system restore is required.
- A complete recovery is required, including an operating system re-installation.
System services components include the following:
- Background Intelligent Transfer Service (BITS)
- Event logs
- Removable Storage Management Database (RSM)
- Cluster Database (cluster node only)
- Remote Storage Service
- Terminal Server Licensing
- Windows Management Instrumentation (WMI)
- Internet Information Services (IIS) metabase
- DHCP database
- Wins database
To restore the system services using the GUI:
- Click Restore from the GUI main window. The Restore window appears.
- Expand the directory tree by clicking the plus sign +. To display files in a folder, click the folder icon.
- Locate the System Services node in the directory tree. You can expand the System Services node to display the components.
- Click the selection box next to the system services component(s) that you want to restore.
- Click Restore. The Task List window displays the backup processing status.
On the command line, use the restore system services command to restore a backup of the system services. See Restore System services for more information. Q. What is a Cluster?
A. A cluster is a group of independent computers that work together to run a common set of applications and provide the image of a single system to the client and application. The computers are physically connected by cables and programmatically connected by cluster software. These connections allow computers to use problem-solving features such as failover in Server clusters and load balancing in Network Load Balancing (NLB) clusters.
Q. What is the definition for Additional Domain Controller?
A As name suggest its additional domain controller ...can play any of the FSMO roles at any given instance and provide SRV services to clients
Q. What is Domain Controller?
A. A domain controller is a server in which Active Directory Service is installed. Domain controllers are used to administer domain objects, such as user accounts and groups.
Q. What is Proxy Server?
A. In an enterprise that uses the Internet, a proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.
