
1. What is Active Directory?
2. What is LDAP?
3. What is DNS?
4. What are types of records in DNS?
5. What is WINS?
6. What is DHCP?
7. How clients use servers?
8. How servers provide optional data?
9. What are DHCP options?
10. How options are applied?
11. How the Lease Process Works
12. What are DHCP Client States in the Lease Process?
13. What are tombstone objects?
14. What is Global Catalog and Global Catalog Server?
15. What is Active Directory schema?
16. What are Active Directory Objects?
17. What are Active Directory Components?
18. What is Active Directory Replication?
19. What are the different partitions in AD?
20. What are types of Active Directory Trust Relationships?
21. In Active Directory, what are the differences between universal, global, and domain local groups?
22. What are Forward Lookup Zones and Reverse Lookup Zones?
23. What are Operations Master Roles?
24. What are Forest-Wide Operations Master Roles?
25. What are Domain-Wide Operations Master Roles?
26. How to Plan the Placement of the FSMOs?
27. How to Manage Operations Master Roles?
28. How to view the existing Schema Master Role assignment?
29. How to view the existing Domain Naming Master role assignment?
30. How to view the existing RID Master role, PDC Emulator, and Infrastructure Master Role assignments?
31. How to transfer the Schema Master role to another domain controller?
32. How to transfer the Domain Naming Master role to another domain controller?
33. How to transfer the RID Master role, PDC Emulator role, or Infrastructure Master Role to another domain controller?
34. How to seize an Operations Master role?
35. How to perform a metadata cleanup?
36. What is "tattooing" the Registry?
37. What’s the major difference between FAT and NTFS on a local machine?
38. What is LSDOU?
39. What is "tattooing" the Registry?
40. What is boot processing computer?
41. What do you mean by deadlock?
42. What is Distributed File System?
43. What are the domain functional levels in Windows Server 2003?
44. How we can raise domain functional & forest functional level in Windows Server 2003?
45. What is the default domain functional level in Windows Server 2003?
46. What is multi-master replication?
47. Which is the command used to remove active directory from a domain controller?
48. What Exchange process is responsible for communication with AD?
49. What is DSACCESS?
50. Explain APIPA?
51. Where is GPT stored?
52. What hidden shares exist on Windows Server 2003 installation?
53. What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations?
54. When should you create a forest?
55. How can you authenticate between forests?
56. What is an incremental backup?
57. What is Differential Backup?
58. What is Multilevel Incremental Backup?
59. What is reverse Incremental Backup?
60. What is Synthetic full backup?
61. What is RAID?
62. What is concatenation?
63. What is striping/RAID-0?
64. What is RAID 0+1? Why is it better than 0?
65. What is RAID-5?
66. What are types of Backups?
67. What is Incremental Backup?
68. What is Differential Backup?
69. What is Full Backup?
1. What is Active Directory?
Active Directory is a directory structure used on Microsoft Windows-based computers and servers to store information and data about networks and domains. It is primarily used for online information, was originally created in 1996 and was first used with Windows 2000.
Active Directory (sometimes referred to as AD) performs a variety of functions: it provides information on objects, organizes those objects for easy retrieval and access, allows access by end users and administrators, and lets the administrator set up security for the directory.
Active Directory can be defined as a hierarchical structure, and this structure is usually broken up into three main categories: resources, which might include hardware such as printers; services for end users, such as web and e-mail servers; and objects, which are the main functions of the domain and network.
2. What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a protocol for communication between LDAP servers and LDAP clients. LDAP servers store "directories", which are accessed by LDAP clients.
LDAP is called lightweight because it is a smaller and simpler protocol that was derived from the X.500 DAP (Directory Access Protocol) defined in the OSI network protocol stack.
LDAP servers store a hierarchical directory of information.
3. What is DNS?
Domain Name System (DNS) is one of the industry-standard suite of protocols that comprise TCP/IP. In Microsoft Windows Server 2003, DNS is implemented using two software components: the DNS server and the DNS client (or resolver). Both components run as background service applications.
Network resources are identified by numeric IP addresses, but these IP addresses are difficult for network users to remember. The DNS database contains records that map user-friendly alphanumeric names for network resources to the IP addresses used by those resources for communication. In this way, DNS acts as a mnemonic device, making network resources easier to remember for network users.
The Windows Server 2003 DNS Server and Client services use the DNS protocol that is included in the TCP/IP protocol suite. DNS is part of the application layer of the TCP/IP reference model.
4. What are types of records in DNS?
'A' Record: Points a host name to an IP address.
NS Record: Shows the authoritative DNS servers for the zone.
SOA Record: Start of Authority record, which holds the zone's crucial control values: the SERIAL number, which other name servers monitor for change (a changed serial tells them that the zone's information has changed); REFRESH, which tells a secondary name server how often to check for a change in the serial number; RETRY, which tells a secondary server how long it should keep using its current entry if it is unable to perform a refresh; and MINIMUM, which is how long the other name servers should hold this information.
CNAME Record: Canonical Name record, which allows a node to be addressed using more than one host name.
MX Record: Used for message routing where there are multiple mail exchange hosts; an A record is needed for every MX record set.
PTR Record: The reverse of an A record; it points an IP address to a host name.
HINFO Record: Indicates the CPU and operating system type for mapping to a specific host name.
TXT Record: Provides descriptive text associated with a host name.
5. What is WINS?
WINS name resolution means successfully mapping a NetBIOS name to an IP
address. A NetBIOS name is a 16-byte address that is used to identify a NetBIOS
resource on the network. A NetBIOS name is either a unique (exclusive) or group
(nonexclusive) name. When a NetBIOS process is communicating with a specific
process on a specific computer, a unique name is used. When a NetBIOS process is
communicating with multiple processes on multiple computers, a group name is used.
The exact mechanism by which NetBIOS names are resolved to IP addresses
depends on the NetBIOS node type that is configured for the node. RFC 1001,
“Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and
Methods,” defines the NetBIOS node types, as listed in the following table.
NetBIOS Node Types
B-node (broadcast): B-node uses broadcast NetBIOS name queries for name registration and resolution. B-node has two major limitations: (1) Broadcasts disturb every node on the network, and (2) Routers typically do not forward broadcasts, so only NetBIOS names on the local network can be resolved.
P-node (peer-peer): P-node uses a NetBIOS name server (NBNS), such as a WINS server, to resolve NetBIOS names. P-node does not use broadcasts; instead, it queries the name server directly.
M-node (mixed): M-node is a combination of B-node and P-node. By default, an M-node functions as a B-node. If an M-node is unable to resolve a name by broadcast, it queries a NBNS using P-node.
H-node (hybrid): H-node is a combination of P-node and B-node. By default, an H-node functions as a P-node. If an H-node is unable to resolve a name through the NBNS, it uses a B-node to resolve the name.
Computers running Windows Server 2003 operating systems are B-node by default
and become H-node when they are configured with a WINS server. Those computers
can also use a local database file called Lmhosts to resolve remote NetBIOS names.
The Lmhosts file is stored in the systemroot\System32\Drivers\Etc folder.
Typically, Windows-based computers are configured with the IP address of a WINS
server so remote NetBIOS names can be resolved. Active Directory-based computers,
such as Windows XP Professional, Microsoft Windows 2000 and Windows Server 2003
operating systems, must be configured with the IP address of a WINS server if they
are to communicate with computers running Microsoft Windows NT, Windows 95,
Windows 98, or Windows Millennium Edition that are not Active Directory-based.
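As an added example (not part of the original document), the following Python encodes a NetBIOS name the way it appears on the wire under RFC 1001/1002 and simulates the lookup order of each node type in the table above. The host names, addresses and name tables are constructed for the example; nothing is broadcast or sent to a WINS server.

```python
# Added example, not from the original document: first-level encoding of a
# NetBIOS name (RFC 1001/1002) plus a simulation of the lookup order each node
# type from the table above uses. Name tables below are constructed inline.
from typing import Dict, List, Optional, Tuple

NETBIOS_NAME_LEN = 16   # 15 name characters plus a one-byte service suffix


def netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """Return the 16-byte form: upper-cased, space-padded, suffix in byte 16."""
    raw = name.upper().encode("ascii")
    if len(raw) > NETBIOS_NAME_LEN - 1:
        raise ValueError("a NetBIOS name holds at most 15 characters")
    return raw.ljust(NETBIOS_NAME_LEN - 1, b" ") + bytes([suffix])


def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """First-level encoding: every byte becomes two letters, one per nibble,
    by adding 'A' (0x41) to each nibble; the result is always 32 characters."""
    return "".join(chr((b >> 4) + 0x41) + chr((b & 0x0F) + 0x41)
                   for b in netbios_name(name, suffix))


def decode_netbios_name(encoded: str) -> Tuple[str, int]:
    """Reverse of encode_netbios_name; rejects anything but 32 letters A-P."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


# Lookup order per RFC 1001 node type, matching the table above.
NODE_ORDER: Dict[str, List[str]] = {
    "B": ["broadcast"],
    "P": ["nbns"],
    "M": ["broadcast", "nbns"],
    "H": ["nbns", "broadcast"],
}


def resolve(name: str, node_type: str, local_subnet: Dict[str, str],
            wins: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Simulated resolution. A broadcast only reaches hosts on the local subnet
    (routers do not forward it); an NBNS query reaches everything registered
    in WINS. Returns (address or None, methods tried in order)."""
    key = encode_netbios_name(name)
    tried: List[str] = []
    for method in NODE_ORDER[node_type]:
        tried.append(method)
        table = local_subnet if method == "broadcast" else wins
        if key in table:
            return table[key], tried
    return None, tried


# Constructed name tables, keyed by encoded name as a WINS database would be.
LOCAL_SUBNET = {encode_netbios_name("FILESRV01"): "192.0.2.20"}
WINS_DB = {encode_netbios_name("FILESRV01"): "192.0.2.20",
           encode_netbios_name("BRANCHDC"): "198.51.100.5"}
```

The B-node case shows why a WINS server is needed for remote names: the broadcast never leaves the local subnet, so a name registered only in WINS is not found.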
6. What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is an IP standard for simplifying
management of host IP configuration. The DHCP standard provides for the use of
DHCP servers as a way to manage dynamic allocation of IP addresses and other
related configuration details for DHCP-enabled clients on your network.
Every computer on a TCP/IP network must have a unique IP address. The IP address (together with its related subnet mask) identifies both the host computer and the subnet to which it is attached. When you move a computer to a different subnet, the IP address must be changed. DHCP allows you to dynamically assign an IP address to a client from a DHCP server IP address database on your local network. For TCP/IP-based networks, DHCP reduces the complexity and amount of administrative work involved in reconfiguring computers.
The Microsoft® Windows Server 2003 family provides an RFC-compliant DHCP service you can use to manage IP client configuration and automate IP address assignment on your network.
DHCP servers
Configuring DHCP servers for a network provides the following benefits:
• The administrator can assign and specify global and subnet-specific TCP/IP
parameters centrally for use throughout the entire network.
• Client computers do not require manual TCP/IP configuration.
• When a client computer moves between subnets, its old IP address is freed
for reuse. The client reconfigures its TCP/IP settings automatically when the
computer is restarted in its new location.
• Most routers can forward DHCP and BOOTP configuration requests, so DHCP
servers are not required on every subnet in the network.
7. How clients use servers?
A computer running Windows XP becomes a DHCP client if Obtain an IP address
automatically is selected in its TCP/IP properties. When a client computer is set to
use DHCP, it accepts a lease offer and can receive from the server the following:
• Temporary use of an IP address known to be valid for the network it is joining.
• Additional TCP/IP configuration parameters for the client to use in the form of
options data.
Also, if conflict detection is configured, the DHCP server attempts to ping each
available address it intends to offer prior to presenting the address in a lease offer to
a client. This ensures that each IP address offered to clients is not already in use by
another non-DHCP computer that uses manual TCP/IP configuration.
8. How servers provide optional data?
In addition to an IP address, DHCP servers can be configured to provide optional
data to fully configure TCP/IP for clients. Some of the most common DHCP option
types configured and distributed by the DHCP server during leases include:
• Default gateways (routers), which are used to connect a network segment to
other network segments.
• Other optional configuration parameters to assign to DHCP clients, such as IP
addresses for the DNS servers or WINS servers that the client can use in
resolving network host names.
9. What are DHCP options?
DHCP provides an internal framework for passing configuration information on to
clients on your network. Configuration parameters and other control information are
carried in tagged data items stored within protocol messages exchanged between the
DHCP server and its clients. These data items are called options.
Most standard DHCP options are currently defined in Request for Comments (RFCs)
published by the Internet Engineering Task Force (IETF). The full set of standard
DHCP options are described specifically in RFC 2132, "DHCP Options and BOOTP
Vendor Extensions."
All DHCP options mentioned in RFC 2132 are predefined for you to configure and use at any DHCP server running Windows Server 2003. If needed, you can also use the DHCP console to define new DHCP options at each server.
Even though most DHCP servers can assign many options, most DHCP clients are
typically designed to request or support only a subset of the full RFC-specified
standard options set.
10. How options are applied?
Options can be managed using different levels assigned for each managed DHCP
server, including:
• Server options: These options are applied for all scopes defined at a DHCP
server.
• Scope options: These options are applied specifically to all clients that obtain
a lease within a particular scope.
• Class options: These options are applied only to clients that are identified as
members of a specified user or vendor class when obtaining a lease.
• Reservation options: These options apply only for a single reserved client
computer and require a reservation to be used in an active scope.
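The tagged data items that questions 9 and 10 describe have a fixed wire layout (RFC 2132: a four-byte magic cookie, then tag/length/value items, then an END byte). The following Python, added here and not part of the original document, encodes the option field a client sends in its DHCPDiscover and decodes a constructed DHCPOffer option field into the lease parameters the client acts on; the addresses, lease length and host name are constructed values, and the fixed DHCP header is left out.

```python
# Added example, not from the original document: encoding and decoding the
# tagged option field that follows the fixed DHCP header, in the tag/length/value
# layout of RFC 2132. The DHCPOffer option blob is constructed for the example;
# the fixed header fields (op, xid, yiaddr, ...) are out of scope here.
import struct
from typing import Dict, List, Tuple

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # marks the start of the options field
OPT_PAD, OPT_END = 0, 255                 # one-byte options with no length field
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS_SERVER, OPT_HOST_NAME = 1, 3, 6, 12
OPT_LEASE_TIME, OPT_MESSAGE_TYPE, OPT_SERVER_ID = 51, 53, 54
OPT_PARAM_REQUEST_LIST, OPT_RENEWAL_T1, OPT_REBINDING_T2 = 55, 58, 59
MESSAGE_TYPES = {1: "DHCPDiscover", 2: "DHCPOffer", 3: "DHCPRequest",
                 5: "DHCPAck", 6: "DHCPNak"}


def ip_bytes(*addrs: str) -> bytes:
    """Pack dotted-quad addresses into consecutive 4-byte values."""
    return b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)


def ip_list(value: bytes) -> List[str]:
    """Unpack an address-list option value; its length must be a multiple of 4."""
    if len(value) % 4:
        raise ValueError("address option length is not a multiple of 4")
    return [".".join(str(b) for b in value[i:i + 4]) for i in range(0, len(value), 4)]


def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (tag, value) pairs as cookie, tag/length/value items, END."""
    out = bytearray(MAGIC_COOKIE)
    for tag, value in options:
        if not 0 < tag < 255 or len(value) > 255:
            raise ValueError("invalid tag %d or value length %d" % (tag, len(value)))
        out += bytes([tag, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the option field, checking each length against the buffer so a
    truncated or oversized item raises instead of reading past the message."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("options field does not start with the DHCP magic cookie")
    options: Dict[int, bytes] = {}
    i = 4
    while i < len(blob):
        tag = blob[i]
        if tag == OPT_PAD:
            i += 1
            continue
        if tag == OPT_END:
            return options
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % tag)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, %d remain" % (tag, length, len(value)))
        options[tag] = options.get(tag, b"") + value   # RFC 3396: repeated tags concatenate
        i += 2 + length
    raise ValueError("options field is missing the END option")


def discover_options(host_name: str) -> bytes:
    """Client side of a DHCPDiscover: message type, host name and the parameter
    request list naming the options it wants the server to supply."""
    wanted = bytes([OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS_SERVER, OPT_LEASE_TIME,
                    OPT_SERVER_ID, OPT_RENEWAL_T1, OPT_REBINDING_T2])
    return encode_options([(OPT_MESSAGE_TYPE, bytes([1])),
                           (OPT_HOST_NAME, host_name.encode("ascii")),
                           (OPT_PARAM_REQUEST_LIST, wanted)])


def summarize_offer(blob: bytes) -> dict:
    """Reduce a DHCPOffer/DHCPAck option field to the lease parameters a client
    acts on; T1/T2 default to 50% and 87.5% of the lease when the server omits them."""
    opts = decode_options(blob)
    lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
    t1 = struct.unpack("!I", opts[OPT_RENEWAL_T1])[0] if OPT_RENEWAL_T1 in opts else lease // 2
    t2 = struct.unpack("!I", opts[OPT_REBINDING_T2])[0] if OPT_REBINDING_T2 in opts else lease * 7 // 8
    return {"message_type": MESSAGE_TYPES.get(opts[OPT_MESSAGE_TYPE][0], "unknown"),
            "subnet_mask": ip_list(opts[OPT_SUBNET_MASK])[0],
            "routers": ip_list(opts.get(OPT_ROUTER, b"")),
            "dns_servers": ip_list(opts.get(OPT_DNS_SERVER, b"")),
            "server_id": ip_list(opts[OPT_SERVER_ID])[0],
            "lease_seconds": lease, "t1_seconds": t1, "t2_seconds": t2}


def is_malformed(blob: bytes) -> bool:
    try:
        decode_options(blob)
    except ValueError:
        return True
    return False


# Constructed sample: a server's DHCPOffer options for a scope with the default eight-day lease.
SAMPLE_OFFER = encode_options([
    (OPT_MESSAGE_TYPE, bytes([2])),
    (OPT_SUBNET_MASK, ip_bytes("255.255.255.0")),
    (OPT_ROUTER, ip_bytes("192.0.2.1")),
    (OPT_DNS_SERVER, ip_bytes("192.0.2.53", "192.0.2.54")),
    (OPT_LEASE_TIME, struct.pack("!I", 8 * 24 * 3600)),
    (OPT_SERVER_ID, ip_bytes("192.0.2.10")),
])
```

The length checks in decode_options are the part worth keeping: an option whose declared length runs past the end of the message is rejected rather than read as whatever bytes follow.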
11. How the Lease Process Works
The first time a DHCP-enabled client starts and attempts to join the network, it
automatically follows an initialization process to obtain a lease from a DHCP server.
Figure 4.2 shows the lease process.
Figure 4.2 The DHCP Lease Process
1. The DHCP client requests an IP address by broadcasting a DHCPDiscover message to the local subnet.
2. The client is offered an address when a DHCP server responds with a DHCPOffer message containing an IP address and configuration information for lease to the client. If no DHCP server responds to the client request, the client can proceed in two ways:
• If it is a Windows 2000–based client, and IP auto-configuration has not been disabled, the client self-configures an IP address for its interface.
• If the client is not a Windows 2000–based client, or IP auto-configuration has been disabled, the client network initialization fails. The client continues to resend DHCPDiscover messages in the background (four times, every 5 minutes) until it receives a DHCPOffer message from a DHCP server.
3. The client indicates acceptance of the offer by selecting the offered address and replying to the server with a DHCPRequest message.
4. The client is assigned the address and the DHCP server sends a DHCPAck message, approving the lease. Other DHCP option information might be included in the message.
5. Once the client receives acknowledgment, it configures its TCP/IP properties using any DHCP option information in the reply, and joins the network.
In rare cases, a DHCP server might return a negative acknowledgment to the client. This can happen if a client requests an invalid or duplicate address. If a client receives a negative acknowledgment (DHCPNak), the client must begin the entire lease process again.
Restarting a DHCP Client
When a client that previously leased an IP address restarts, it broadcasts a
DHCPRequest message instead of a DHCPDiscover message. The DHCPRequest
message contains a request for the previously assigned IP address.
If the requested IP address can be used by the client, the DHCP server responds with
a DHCPAck message.
If the IP address cannot be used by the client because it is no longer valid, is now
used by another client, or is invalid because the client has been physically moved to
a different subnet, the DHCP server responds with a DHCPNak message. If this
occurs, the client restarts the lease process.
If the client fails to locate a DHCP server during the renewal process, it attempts to ping the default gateway listed in the current lease, with the following results:
• If a ping of the default gateway succeeds, the DHCP client assumes it is still located on the same network where it obtained its current lease, and the client continues to use the current lease. By default, the client attempts, in the background, to renew its current lease when 50 percent of its assigned lease time has expired.
• If a ping of the default gateway fails, the DHCP client assumes that it has been moved to a different network, where DHCP services are not available (such as a home network). By default, the client auto-configures its IP address as described previously, and continues (every five minutes in the background) trying to locate a DHCP server and obtain a lease.
Lease Renewals
The renewal process occurs when a client already has a lease, and needs to renew
that lease with the server. To ensure that addresses are not left in an assigned state
when they are no longer needed, the DHCP server places an administrator-defined
time limit, known as a lease duration, on the address assignment.
Halfway through the lease period, the DHCP client requests a lease renewal, and the
DHCP server extends the lease. If a computer stops using its assigned IP address
(for example, if a computer is moved to another network segment or is removed),
the lease expires and the address becomes available for reassignment.
The renewal process occurs as follows:
1. The client sends a request to the DHCP server, asking for a renewal and extension of its current address lease. The client sends a directed request to the DHCP server, with a maximum of three retries at 4, 8, and 16 seconds.
• If the DHCP server can be located, it typically sends a DHCP acknowledgment message to the client. This renews the lease.
• If the client is unable to communicate with its original DHCP server, the client waits until 87.5 percent of its lease time elapses. Then the client enters a rebinding state, broadcasting (with a maximum of three retries at 4, 8, and 16 seconds) a DHCPDiscover message to any available DHCP server to update its current IP address lease.
2. If a server responds with a DHCPOffer message to update the client's current lease, the client renews its lease based on the offering server and continues operation.
3. If the lease expires and no server has been contacted, the client must immediately discontinue using its leased IP address. The client then proceeds to follow the same process used during its initial startup to obtain a new IP address lease.
Managing Lease Durations
When a scope is created, the default lease duration is set to eight days, which works
well in most cases. However, because lease renewal is an ongoing process that can
affect the performance of DHCP clients and your network, it might be useful to
change the lease duration. Use the following guidelines to decide how best to modify lease duration settings for improving DHCP performance on your network:
• If you have a large number of IP addresses available and configurations that rarely change on your network, increase the lease duration to reduce the frequency of lease renewal queries between clients and the DHCP server. This reduces network traffic.
• If there are a limited number of IP addresses available and if client configurations change frequently or clients move often on the network, reduce the lease duration. This increases the rate at which addresses are returned to the available address pool for reassignment.
• Consider the ratio between connected computers and available IP addresses. For example, if there are 40 systems sharing a Class C address (with 254 available addresses), the demand for reusing addresses is low. A long lease time, such as two months, would be appropriate in such a situation. However, if 230 computers share the same address pool, demand for available addresses is greater, and a lease time of a few days or weeks is more appropriate.
• Use infinite lease durations with caution. Even in a relatively stable environment, there is a certain amount of turnover among clients. At a minimum, roving computers might be added and removed, desktop computers might be moved from one office to another, and network adapter cards might be replaced. If a client with an infinite lease is removed from the network, the DHCP server is not notified, and the IP address cannot be reused. A better option is a very long lease duration, such as six months. This ensures that addresses are ultimately recovered.
12. What are DHCP Client States in the Lease Process?
DHCP clients cycle through six different states during the DHCP lease process, as illustrated in Figures 4.3 and 4.4. Figure 4.4 illustrates the DHCP lease process for clients that are renewing a lease.
Figure 4.3 DHCP Client States During the Lease Process
Figure 4.4 DHCP Client States During the Lease Renewal Process
When the DHCP client and DHCP server are on the same subnet, the DHCPDiscover,
DHCPOffer, DHCPRequest, and DHCPAck messages are sent via media access control
and IP-level broadcasts.
In order for DHCP clients to communicate with a DHCP server on a remote network,
the connecting router or routers must support the forwarding of DHCP messages
between the DHCP client and the DHCP server using a BOOTP/DHCP Relay Agent. For
more information, see "Supporting BOOTP Clients" and "Managing Relay Agents"
later in this chapter.
Initializing
This state occurs the first time the TCP/IP protocol stack is initialized on the DHCP
client computer. The client does not yet have an IP address to request from the
DHCP servers. This state also occurs if the client is denied the IP address it is
requesting or the IP address it previously had was released. Figure 4.5 shows the Initialization state.
Figure 4.5 The Initialization State
When the DHCP client is in this state, its IP address is 0.0.0.0. To obtain a valid
address, the client broadcasts a DHCPDiscover message from UDP port 68 to UDP
port 67, with a source address of 0.0.0.0 and a destination of 255.255.255.255 (the
client does not yet know the address of any DHCP servers). The DHCPDiscover
message contains the DHCP client's media access control address and computer
name.
Selecting
Next, the client moves into the Selecting state, where it chooses a DHCPOffer. All
DHCP servers that receive a DHCPDiscover message and have a valid IP address to
offer the DHCP client respond with a DHCPOffer message sent from UDP port 68 to
UDP port 67. The DHCPOffer is sent via the media access control and IP broadcast
because the DHCP client does not yet have a valid IP address that can be used as a
destination. The DHCP server reserves the IP address to prevent it from being
offered to another DHCP client.
The DHCPOffer message contains an IP address and matching subnet mask, a DHCP
server identifier (the IP address of the offering DHCP server), and a lease duration.
Figure 4.6 shows the Selecting state.
Figure 4.6 The Selecting State
The DHCP client waits for a DHCPOffer message. If a DHCP client does not receive a
DHCPOffer message from a DHCP server on startup, it will retry four times (at
intervals of 2, 4, 8, and 16 seconds, plus a random amount of time between 0 and
1,000 milliseconds). If a DHCP client does not receive a DHCPOffer after four
attempts, it waits 5 minutes, then retries at 5-minute intervals.
Requesting
After a DHCP client has received a DHCPOffer message from a DHCP server, the
client moves into the Requesting state. The DHCP client knows the IP address it
wants to lease, so it broadcasts a DHCPRequest message to all DHCP servers. The
client must use a broadcast because it still does not have an assigned IP address.
Figure 4.7 shows the Requesting state.
Figure 4.7 The Requesting State
If the IP address of the client was known (that is, the computer restarted and is
trying to lease its previous address), the broadcast is looked at by all of the DHCP
servers. The DHCP server that can lease the requested IP address responds with
either a successful acknowledgment (DHCPAck) or an unsuccessful acknowledgment
(DHCPNak). The DHCPNak message occurs when the IP address requested is not
available or the client has been physically moved to a different subnet that requires a
different IP address. After receiving a DHCPNak message, the client returns to the
Initializing state and begins the lease process again.
If the IP address of the client was just obtained with a DHCPDiscover or DHCPOffer
exchange with a DHCP server, the client puts the IP address of that DHCP server in
the DHCPRequest. The specified DHCP server responds to the request, and any other
DHCP servers retract their DHCPOffer. This ensures that the IP addresses that were
offered by the other DHCP servers go back to an available state for another DHCP
client.
Binding
The DHCP server responds to a DHCPRequest message with a DHCPAck message.
This message contains a valid lease for the negotiated IP address, and any DHCP
options configured by the DHCP administrator. Figure 4.8 shows the Binding state.
Figure 4.8 The Binding State
The DHCPAck message is sent by the DHCP server using an IP broadcast. When the
DHCP client receives the DHCPAck message, it completes initialization of the TCP/IP
stack. It is now considered a bound DHCP client that can use TCP/IP to communicate
on the network.
The IP address remains allocated to the client until the client manually releases the
address, or until the lease time expires and the DHCP server cancels the lease.
Renewing
IP addressing information is leased to a client, and the client is responsible for
renewing the lease. By default, DHCP clients try to renew their lease when 50
percent of the lease time has expired. To renew its lease, a DHCP client sends a
DHCPRequest message to the DHCP server from which it originally obtained the lease.
The DHCP server automatically renews the lease by responding with a DHCPAck
message. This DHCPAck message contains the new lease as well as any DHCP option
parameters. This ensures that the DHCP client can update its TCP/IP settings in case
the network administrator has updated any settings on the DHCP server. Figure 4.9
illustrates the Renewing state.
Figure 4.9 The Renewing State
Once the DHCP client has renewed its lease, it returns to the Bound state. Renewal
messages (DHCPRequest and DHCPAck) are sent by media access control and IP-
level unicast traffic.
Rebinding
If the DHCP client is unable to communicate with the DHCP server from which it
obtained its lease, and 87.5 percent of its lease time has expired, it will attempt to
contact any available DHCP server by broadcasting DHCPRequest messages. Any
DHCP server can respond with a DHCPAck message, renewing the lease, or a
DHCPNak message, forcing the DHCP client to initialize and restart the lease process.
Figure 4.10 shows the Rebinding state.
Figure 4.10 The Rebinding State
If the lease expires or a DHCPNak message is received, the DHCP client must
immediately discontinue using its current IP address. If this occurs, communication
over TCP/IP stops until a new IP address is obtained by the client.
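The lease process of question 11 and the client states of question 12 are one state machine. The following Python, added here and not part of the original document, simulates that machine: messages from the server drive the Initializing, Selecting, Requesting and Binding transitions, a simulated clock drives the 50 percent renewal, 87.5 percent rebinding and expiry transitions, and a DHCPNak at any point sends the client back to the start. Addresses, lease lengths and the clock values are constructed; nothing is sent on the network.

```python
# Added example, not from the original document: a simulation of the DHCP client
# states described above, driven by received messages and by a simulated clock.
# Timers follow the text: renew at 50 percent of the lease (T1), rebind at
# 87.5 percent (T2), stop using the address at expiry or on DHCPNak. Messages
# are recorded in a list rather than sent; addresses and times are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    INITIALIZING = "Initializing"
    SELECTING = "Selecting"
    REQUESTING = "Requesting"
    BOUND = "Bound"            # the text's Binding state, once DHCPAck arrives
    RENEWING = "Renewing"
    REBINDING = "Rebinding"


@dataclass
class Lease:
    ip: str
    server_id: str
    start: float               # simulated clock, in seconds
    duration: float

    @property
    def t1(self) -> float:     # renewal time: 50 percent of the lease
        return self.start + 0.5 * self.duration

    @property
    def t2(self) -> float:     # rebinding time: 87.5 percent of the lease
        return self.start + 0.875 * self.duration

    @property
    def expiry(self) -> float:
        return self.start + self.duration


@dataclass
class DhcpClient:
    state: State = State.INITIALIZING
    ip: str = "0.0.0.0"
    lease: Optional[Lease] = None
    offer: Optional[Tuple[str, str, float]] = None          # (ip, server_id, duration)
    sent: List[Tuple[str, str, str]] = field(default_factory=list)  # (state, message, destination)

    def _send(self, message: str, destination: str) -> None:
        self.sent.append((self.state.value, message, destination))

    def start(self) -> None:
        """Initializing -> Selecting: with no address, broadcast a DHCPDiscover."""
        self.ip, self.lease, self.offer = "0.0.0.0", None, None
        self.state = State.INITIALIZING
        self._send("DHCPDiscover", "255.255.255.255")
        self.state = State.SELECTING

    def receive(self, message: str, now: float, ip: str = "", server_id: str = "",
                duration: float = 0.0) -> State:
        """Apply a server message to the state machine and return the new state."""
        if message == "DHCPOffer" and self.state == State.SELECTING:
            # Selecting -> Requesting: accept the offer by broadcasting a DHCPRequest
            # (the request names the chosen server so the others retract their offers).
            self.offer = (ip, server_id, duration)
            self.state = State.REQUESTING
            self._send("DHCPRequest", "255.255.255.255")
        elif message == "DHCPAck" and self.state in (State.REQUESTING, State.RENEWING,
                                                      State.REBINDING):
            # All three waiting states end in Bound with a lease that starts now.
            if self.state == State.REQUESTING:
                ip, server_id, duration = self.offer
            else:
                ip = self.lease.ip
                server_id = server_id or self.lease.server_id
                duration = duration or self.lease.duration
            self.lease, self.ip, self.state = Lease(ip, server_id, now, duration), ip, State.BOUND
        elif message == "DHCPNak":
            # The address was refused: stop using it at once and restart the process.
            self.start()
        return self.state

    def tick(self, now: float) -> State:
        """Advance the clock; fires the T1, T2 and lease-expiry transitions."""
        if self.lease is None:
            return self.state
        if now >= self.lease.expiry:
            self.start()                    # lease gone: back to Initializing
        elif now >= self.lease.t2 and self.state in (State.BOUND, State.RENEWING):
            self.state = State.REBINDING    # original server silent: ask any server
            self._send("DHCPRequest", "255.255.255.255")
        elif now >= self.lease.t1 and self.state == State.BOUND:
            self.state = State.RENEWING     # unicast to the server that gave the lease
            self._send("DHCPRequest", self.lease.server_id)
        return self.state
```

The recorded messages show the destination change the text describes: renewal is unicast to the leasing server, while rebinding and the initial discovery are broadcast.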
13. What are tombstone objects?
Because of Windows 2000’s and Active Directory’s (AD’s) complex replication, if you
simply delete an object, Win2K’s replication algorithm might recreate the object at
the next replication interval. Thus, AD marks deleted objects with tombstones.
Win2K deletes tombstone objects 60 days after their original tombstone status was set. To change this default time (which I don’t recommend), modify the tombstone lifetime setting under the cn=DirectoryServices,cn=WindowsNT,cn=Services,cn=Configuration,dc=DomainName parameter.
14. What is Global Catalog and Global Catalog Server?
Domains and forests can also share resources that are available in Active Directory. The global catalog searches for these resources across domains and forests, and the search is transparent to the user. For example, a search for all of the printers in a forest is sent to a global catalog server, which returns the results. Without a global catalog server, this query would have to go to every domain in the forest to obtain its result.
It is important to have a global catalog on at least one domain controller because many applications use port 3268 for searching. For example, if you do not have any global catalog servers in your network, the Search command on the Start menu of Windows 2000/2003 cannot locate objects in Active Directory.
The global catalog is a domain controller that contains attributes for every object in Active Directory. By default, only members of the Schema Admins group have the right to change which attributes are stored in the global catalog, according to the organization's requirements.
The global catalog contains:
• The commonly used attributes needed in queries, such as a user's first name, last name and logon name.
• All the information or records needed to determine the location of any object in the directory.
• A default subset of attributes for each object type.
• All the access permissions for every object and attribute stored in the global catalog. Without permission you cannot access or view an object: if you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results. These access permissions ensure that users can find only objects to which they have been assigned access.
A global catalog server is a domain controller that contains a full, writable replica of its own domain directory partition and a partial, read-only replica of all other domain directory partitions in the forest. Take a user object as an example: by default, user objects have many attributes, such as first name, last name, address, phone number and more. The global catalog stores only the main attributes used in search operations, such as a user's first name, last name or logon name. This partial set of attributes is enough for a search to locate the full replica of the object in Active Directory. A search goes first to the local global catalog, which reduces network traffic over the WAN.
Domain controllers always contain the full attribute list for objects belonging to their own domain. If the domain controller is also a GC, it also contains a partial replica of objects from all other domains in the forest.
It is always recommended to have a global catalog server for every Active Directory site in an enterprise network.
15. What is Active Directory schema?
The Active Directory data store is the database that holds all the directory
information such as information on users, computer, groups, other objects, and
information on the objects which users can access. It also includes other network
components. Another name used to refer to the Active Directory data store is the
directory. The Active Directory data store or directory is stored on the hard disk of
the server by means of the Ntds.dit file. The file has to be stored on a drive that is
formatted with the NTFS file system. The Ntds.dit file is placed in the Ntds folder in
the systemroot. When changes are made to the directory, these changes are saved
to the Ntds.dit file. Because all the data in Active Directory is stored in one
distributed data store, the availability of data is improved. A centralized data store
means less duplication, and also needs less administration.
Because domain controllers are used to manage domains, each domain controller within the domain hosts a writable copy of the Active Directory directory. This means that if one domain controller is unavailable, users, computers and programs can still access the Active Directory data store hosted on a different domain controller in that domain. When changes are made to the data store on one domain controller, they are replicated to the remaining domain controllers within the domain. Because of Active Directory replication, domain controllers in a domain remain synchronized with one another. Active Directory replication occurs automatically. Only domain data, configuration data and schema data are replicated.
Information stored in Active Directory is not all placed in the identical location. The
different locations wherein data is stored is called directory partitions. The domain
partition holds information about the domain such as users, and resources in the
domain. The configuration partition contains information on the Active Directory
structure such as the configuration of the domains, domain trees and forests. The
schema partition stores information on object classes and attributes.
16. What are Active Directory Objects?
All information about users, groups, computers, servers and security policies in Active
Directory is organized and categorized into Active Directory objects. An object is a
named set of attributes that represents a resource on the network. Each object has a
unique name, its distinguished name, which also identifies where the object sits in the
directory tree. Objects that can contain other objects are called containers. In the
Active Directory Users and Computers console, the default object types available in a
new domain are:
• Domain, Organizational Unit, User, Computer, Contact, Group, Shared Folder
and Shared Printer
17. What are Active Directory Components?
Domains, organizational units (OUs), domain trees and forests are considered logical
structures. Sites and domain controllers are considered physical structures.
• Domains are the main logical structure in Active Directory because they
contain Active Directory objects. Network objects such as users, printers,
shared resources, and more, are all stored in domains. A domain is an
administrative and replication boundary, and access to objects in the domain
is controlled by access control lists (ACLs). Note that the domain is not a
hard security boundary: all domains in a forest share the schema and
configuration partitions, are linked by transitive trusts, and are partly
administered by the forest-wide Enterprise Admins and Schema Admins groups of
the forest root domain, so the forest is the boundary that isolates one
organization from another. You can use the domain functional level to enable
additional Active Directory features by raising the functional level of the
domain, which requires every domain controller in the domain to run a
sufficient operating system version. In Windows 2000, the equivalent concept
was the domain mode. The domain functional levels that can be specified are
Windows 2000 Mixed, Windows 2000 Native, Windows Server 2003 Interim and
Windows Server 2003.
• Organizational Unit (OU): An OU is a container that enables you to organize
objects such as users, computers and even other OUs in a domain to form a
logical administrative group. An OU is the smallest Active Directory
component to which you can delegate administrative authority and to which
Group Policy can be linked. Each domain can have its own OU hierarchy.
• Domain Trees: When you group multiple domains into a hierarchical structure
by adding child domains to a parent domain, you are basically forming a
domain tree. Domains are regarded as being part of the same domain tree
when they have a contiguous naming structure. A two-way transitive trust
relationship is automatically created between the parent domain and child
domains when you create the child domain.
• Forests: A forest is the grouping of multiple domain trees into a hierarchical
structure. Domain trees in a forest have a common schema, configuration,
and global catalog. Domains within the forest are linked by two-way transitive
trust. Through the forest functional level, you can enable additional forest
wide Active Directory features. The forest functional levels that can be set are
Windows 2000, Windows Server 2003 Interim, and Windows Server 2003.
• Sites: In Active Directory, sites are formed through the grouping of multiple
subnets. Sites are typically defined as locations in which network access is
highly reliable, fast and not very expensive.
• Domain Controllers (DCs): A domain controller is a server that stores a
writable copy of Active Directory and maintains the Active Directory data
store. Certain master roles can be assigned to domain controllers within a
domain and forest. Domain controllers that hold these roles are called
Operations Masters; each is the single authoritative source for one kind of
change, which is then replicated to the other domain controllers in the
normal way. There are five master roles. Two of them, the forest-wide roles,
are held by exactly one domain controller per forest. The other three, the
domain-wide roles, are held by one domain controller in every domain.
o The Schema Master is the forest-wide role that accepts all changes to
the Active Directory schema.
o The Domain Naming Master is the forest-wide role that controls changes
to the forest namespace, such as adding and removing domains (and, on
Windows Server 2003, application directory partitions).
o The Relative ID (RID) Master is the domain-wide role that hands out
pools of unique relative IDs to the domain controllers of its domain;
each domain controller uses its pool to build the SIDs of the security
principals it creates.
o The PDC Emulator is the domain-wide role that acts as the Windows NT
primary domain controller for down-level clients and Windows NT backup
domain controllers. It also receives password changes and account
lockouts, is the domain's authoritative time source, and is the default
target of the Group Policy editor.
o The Infrastructure Master is the domain-wide role that updates
references to objects from other domains (for example group members
that live in another domain) when those objects are renamed or moved.
Active Directory Schema
The Active Directory schema defines what types of objects can be stored in Active
Directory. It also defines what the attributes of these objects are. The schema is
defined by the following two types of schema objects or metadata:
• Schema class objects, also known as schema classes, define the kinds of
objects that can be created and stored in Active Directory. A class
definition lists which attributes an object of that class must have, which
it may have, and which classes may contain it; a class is therefore a named
collection of attribute references plus those rules.
• Schema attribute objects, also known as schema attributes, define the
individual attributes that classes refer to: the attribute's name, its
syntax, whether it is single- or multi-valued, and so on. The attributes of
an object are also called the object's properties.
Although Active Directory includes a large number of object classes, you can create
additional classes and attributes if necessary. These additions are known as schema
extensions. Extensions can only be written on the domain controller holding the
Schema Master role, by a member of the Schema Admins group, and they replicate to
every domain controller in the forest, so they should be tested in a lab forest
first.
The object classes that can be granted permissions in access control lists (ACLs)
are User, Computer and Group (on Windows Server 2003, inetOrgPerson as well). These
object classes are called security principals. Each security principal has a unique
Security Identifier (SID). A SID consists of the SID of the domain in which the
principal was created followed by a Relative ID (RID): the domain SID is the same
for every principal in the domain, and the RID is the suffix that is unique within
the domain.
A few other concepts associated with the Active Directory schema are:
• Class derivation: New object classes are derived from existing ones and
inherit their attributes, which is how the schema avoids redefining common
attributes in every class.
• Schema rules: Active Directory enforces a set of rules in the schema that
control how classes and attributes may be used and what values they may
contain. The rules fall into structure rules, syntax rules and content
rules.
• Structure rules: An object class may be created only directly under
specific classes, its Possible Superiors. Structure rules prevent you from
placing an object in an inappropriate container.
• Syntax rules: These rules define the data type and the range of values
allowed for each attribute.
• Content rules: These rules dictate which attributes must and may be
associated with a particular class.
Global Catalog
The global catalog is a forest-wide index of directory objects that is used to speed
up searches and to resolve universal group membership at logon. The first domain
controller installed in a forest is a global catalog server by default. A global
catalog server stores a full replica of all objects in its own domain and a partial
replica of the objects of every other domain in the forest. The partial replica
contains the attributes most frequently used in searches. It is generally recommended
to configure a global catalog server in each site. You can use the Active Directory
Sites and Services console to set up additional global catalog servers (select the
Global Catalog check box on the properties of the domain controller's NTDS Settings
object).
Group Policies and Active Directory
Active Directory enables you to perform policy-based administration through Group
Policy. With group policies you can deploy applications, configure scripts to run at
startup, shutdown, logon or logoff, enforce password and lockout policy, control
desktop settings and redirect folders. A group policy is stored as a Group Policy
Object (GPO), which you link to a site, a domain or an Organizational Unit. Policies
are applied in the order local, site, domain, OU, so in a conflict the GPO linked
closest to the object wins unless a link higher up is enforced.
Active Directory Object Naming Schemes
Each object in the Active Directory data store must have a unique name. Active
Directory supports a number of object naming schemes for naming objects:
• Distinguished name (DN): Each object has a DN. The DN uniquely identifies
the object and also identifies where it is stored in the directory tree,
because it is built from the object's own name followed by the name of each
container above it. The components that make up a DN are:
o CN - common name
o OU - organizational unit
o DC - domain component
• Canonical name: The canonical name is the same path as the DN written
top-down in a form that is easier to read: the DNS domain name first, then
the containers separated by slashes.
• Relative distinguished name (RDN): The RDN is the first component of the
DN. It identifies the object within its parent container or OU and must be
unique there.
• Globally unique identifier (GUID): A GUID is a 128-bit value assigned to an
object when it is created. The GUID never changes, even when the object is
renamed or moved, so applications that need a stable reference to an object
should store its GUID rather than its DN.
• User principal name (UPN): The UPN is made up of the user account name and
a domain name that identifies the domain containing the user account, in
the form user@domain.com.
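As an added example (mine, not taken from the page), the following PowerShell breaks a distinguished name into the pieces described above (RDN, parent container, DNS domain and canonical name) and splits a SID into the domain SID and RID described under security principals in the schema section. The DN, the SID and the function names are constructed samples; the SID arithmetic uses the .NET SecurityIdentifier class.

```powershell
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split on commas that are not escaped with a backslash, so a value such as
    # "CN=Doe\, Jane" stays in one piece (LDAP string escaping).
    $rdns = @([regex]::Split($DistinguishedName, '(?<!\\),'))

    # Parent = everything after the first RDN; empty for a domain head object.
    $parent = if ($rdns.Count -gt 1) { $rdns[1..($rdns.Count - 1)] -join ',' } else { '' }

    # DC= components spell out the DNS domain name top-down; the rest is the container path.
    $dcParts   = @($rdns | Where-Object { $_ -like 'DC=*' }    | ForEach-Object { $_.Substring(3) })
    $pathParts = @($rdns | Where-Object { $_ -notlike 'DC=*' } | ForEach-Object { ($_ -split '=', 2)[1] })
    [array]::Reverse($pathParts)   # in place: canonical names run from the tree root down to the object

    $dns       = $dcParts -join '.'
    $canonical = if ($pathParts.Count -gt 0) { "$dns/" + ($pathParts -join '/') } else { $dns }

    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        RDN               = $rdns[0]     # e.g. CN=Jane Doe; unique within its parent container
        Parent            = $parent      # the parent container's own DN
        DnsDomain         = $dns
        CanonicalName     = $canonical   # domain.tld/Container/.../object
    }
}

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s   = [System.Security.Principal.SecurityIdentifier]$Sid
    $rid = [int]($s.Value.Substring($s.Value.LastIndexOf('-') + 1))
    # AccountDomainSid is $null for well-known SIDs such as S-1-5-18 (Local System)
    $domainSid = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }
    [pscustomobject]@{
        Sid       = $s.Value
        DomainSid = $domainSid   # identical for every principal created in the domain
        Rid       = $rid
        # RIDs below 1000 are reserved for well-known principals that exist in every domain
        # (500 = Administrator, 512 = Domain Admins, 513 = Domain Users); the RID Master
        # allocates RIDs from 1000 upward for objects that administrators create
        Reserved  = $rid -lt 1000
    }
}

# Constructed sample values (not taken from any real directory)
Split-DistinguishedName 'CN=Jane Doe,OU=Sales,OU=Staff,DC=corp,DC=example,DC=com'
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'
```

The regex split is what makes this safe for real directories: a naive `-split ','` breaks any CN that contains an escaped comma, such as "Doe\, Jane", and produces a wrong parent and canonical name.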
18. What is Active Directory Replication?
In Active Directory, replication ensures that changes made on one domain controller
are replicated to all the other domain controllers that hold the same partition.
Active Directory uses multimaster replication: every domain controller holds a
writable replica and domain controllers are peers of one another, so a change can
originate on any of them, and conflicting changes are resolved by version number and
timestamp.
With Windows Server 2003, the Knowledge Consistency Checker (KCC) running on each
domain controller builds the replication topology, the set of connection objects that
describe from which partners a domain controller pulls changes, so that updates reach
every domain controller efficiently. Replication within a site is called intra-site
replication; it uses RPC, is not compressed and is triggered shortly after a change.
Replication between sites is called inter-site replication. Because bandwidth between
sites is usually limited, site link objects, with their cost, schedule and interval,
are used to choose the most favourable path for moving replication data between sites,
and inter-site replication traffic is compressed.
19. What are the different partitions in AD?
Active Directory objects are stored in the Directory Information Tree (DIT), the
Ntds.dit database, which is divided into the following partitions:
Schema partition - Defines the rules for creating and modifying objects for the whole
forest. Replicated to every domain controller in the forest, it is known as an
enterprise partition.
Configuration partition - Holds the forest's directory structure, including trees,
domains, trust relationships, sites (groups of TCP/IP subnets) and the replication
topology. Replicated to every domain controller in the forest, it is also an
enterprise partition.
Domain partition - Holds all the objects of one domain (OUs, groups, users, computers
and others). Replicated only to the domain controllers of that domain.
Partial domain directory partition - The read-only partial replica of every other
domain's objects, with only the partial attribute set of each object, held by global
catalog servers.
Application partition - New in Windows Server 2003: a partition whose replication
scope you define explicitly, replicated only to the domain controllers you enroll.
AD-integrated DNS uses two of them, DomainDnsZones and ForestDnsZones.
Together these partitions hold everything needed to start and run the directory
service on a domain controller.
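The following PowerShell is an added example, not the page's own material: it lists the partitions a domain controller holds (the partitions question above) and checks the domain controller's inbound replication (the replication question). It uses the ActiveDirectory module cmdlets that ship with Windows Server 2012 and later; on Windows Server 2003 the same information comes from repadmin /showrepl and repadmin /replsummary. The 24-hour staleness threshold and the function names are my choices.

```powershell
Import-Module ActiveDirectory

function Get-DirectoryPartition {
    # RootDSE.namingContexts lists every partition held by the DC the session is bound to:
    # schema, configuration, the domain partition and any application partitions.
    $root = Get-ADRootDSE
    foreach ($nc in $root.namingContexts) {
        $kind = if ($nc -eq $root.schemaNamingContext) { 'Schema: replicates to every DC in the forest' }
        elseif ($nc -eq $root.configurationNamingContext) { 'Configuration: replicates to every DC in the forest' }
        elseif ($nc -eq $root.defaultNamingContext) { 'Domain: replicates to the DCs of this domain only' }
        else { 'Application: replication scope chosen when the partition was created' }
        [pscustomobject]@{ Partition = $nc; Kind = $kind }
    }
}

function Get-InboundReplicationStatus {
    param(
        [string]$Server = [string](Get-ADDomainController -Discover).HostName,
        [int]$MaxAgeHours = 24
    )
    # One row per (partner, partition) for replication into $Server.
    # Partner is the NTDS Settings DN of the source DC; IntersiteTransportType is set
    # only for inter-site partners, intra-site partners replicate over RPC.
    Get-ADReplicationPartnerMetadata -Target $Server -Scope Server -PartnerType Inbound |
        ForEach-Object {
            [pscustomobject]@{
                Server      = $_.Server
                Partner     = $_.Partner
                Partition   = $_.Partition
                Transport   = $_.IntersiteTransportType
                LastSuccess = $_.LastReplicationSuccess
                LastResult  = $_.LastReplicationResult    # 0 = success, otherwise a Win32 error code
                Failures    = $_.ConsecutiveReplicationFailures
                Stale       = ($_.ConsecutiveReplicationFailures -gt 0) -or
                              ($_.LastReplicationSuccess -lt (Get-Date).AddHours(-$MaxAgeHours))
            }
        }
}

# Partitions on this DC, then any inbound partner/partition pair that is failing or stale.
Get-DirectoryPartition | Format-Table -AutoSize
Get-InboundReplicationStatus | Where-Object Stale | Format-Table -AutoSize
```

A partner that is failing for the domain partition but healthy for the configuration partition usually points at a permissions or lingering-object problem rather than a network one, which is why the check is done per partition rather than per server.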
20. What are types of Active Directory Trust Relationships?
In Active Directory, when a trust relationship exists between two domains, users and
computers in the trusted domain can be granted access to resources in the trusting
domain. Trusts can be one-way or two-way, and transitive or non-transitive. The trust
relationships supported in Windows Server 2003 are summarized below:
• Parent/Child trust: A two-way transitive trust between two domains that
share a contiguous DNS namespace and belong to the same forest. It is
created automatically when a child domain is added to a domain tree.
• Tree Root trust: A two-way transitive trust between the root domain of a
new tree and the forest root domain. The two domains do not share a DNS
namespace. It is created automatically when a new tree root domain is added
to a forest.
• Shortcut trust: A trust created manually between two domains in the same
forest to shorten the trust path that Kerberos referrals would otherwise
have to walk up and down the tree. Shortcut trusts are typically used to
improve logon and resource access times between distant domains.
• External trust: A non-transitive trust created manually between an Active
Directory domain and a Windows NT 4.0 domain, or between two Active
Directory domains in different forests when a full forest trust is not
wanted.
• Realm trust: A trust between an Active Directory domain and a non-Windows
Kerberos realm, for example MIT Kerberos.
• Forest trust: A transitive trust created between the root domains of two
Windows Server 2003 forests, which makes every domain in one forest trust
every domain in the other. Forest trusts require the Windows Server 2003
forest functional level.
SID filtering is enabled by default on external and forest trusts created on Windows
Server 2003, so that SIDs carried in the SID history of principals from the trusted
domain are not honoured across the trust.
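To see which of these trust types a domain actually has, and whether SID filtering is in force on the ones that cross a forest boundary, this added PowerShell example (mine, not from the page) reads the trust objects with Get-ADTrust from the ActiveDirectory module (Windows Server 2012 and later). The property names are the module's; the interpretation of the two SID filtering flags as "filtering enabled" follows their documented meaning, and on older systems the same state is inspected with netdom trust ... /quarantine and /enablesidhistory.

```powershell
Import-Module ActiveDirectory

function Get-TrustReport {
    # One row per trust object (trustedDomain) in the current domain.
    Get-ADTrust -Filter * | ForEach-Object {
        $kind = if ($_.IntraForest) { 'Intra-forest (parent/child, tree-root or shortcut)' }
        elseif ($_.ForestTransitive) { 'Forest trust' }
        else { 'External or realm trust' }
        [pscustomobject]@{
            Partner             = $_.Target
            Kind                = $kind
            IntraForest         = $_.IntraForest
            TrustType           = $_.TrustType                 # Uplevel = AD domain, Downlevel = Windows NT 4.0
            Direction           = $_.Direction                 # Inbound, Outbound or BiDirectional
            Transitive          = -not $_.DisallowTransivity   # property is spelled this way by the module
            SidFilterQuarantine = $_.SIDFilteringQuarantined   # SID filtering on an external trust
            SidFilterForest     = $_.SIDFilteringForestAware   # SID filtering on a forest trust
        }
    }
}

function Get-TrustWithoutSidFiltering {
    # Trusts to other forests or domains where SID filtering has been switched off. A compromised
    # trusted domain could then present SIDs from this domain (via sIDHistory) that are honoured here.
    Get-TrustReport | Where-Object {
        -not $_.IntraForest -and -not ($_.SidFilterQuarantine -or $_.SidFilterForest)
    }
}

Get-TrustReport | Format-Table -AutoSize
Get-TrustWithoutSidFiltering | Format-Table -AutoSize
```

Run it in each domain of the forest, because trust objects are stored per domain and an external trust created by a child domain is not visible from the forest root.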
21. In Active Directory, what are the differences between universal, global,
and domain local groups?
Domain local, global and universal are group scopes, which allow you to use groups in
different ways to assign permissions. The scope of a group determines who can be a
member and where in the forest the group can be used to assign permissions.
Domain local groups: Domain local security groups are most often used to assign
permissions to resources. You can assign these permissions only in the domain where
the domain local group was created, but members from any trusted domain may be added.
The domain local scope can contain user accounts, universal groups and global groups
from any domain, and other domain local groups from the same domain. A domain local
group can itself be a member only of domain local groups in the same domain.
Global groups: Global security groups are most often used to organize users who
share similar network access requirements. Members can be added only from the
domain in which the global group was created.
A global group can be used to assign permissions to resources in any domain in the
forest, or in any domain that trusts its domain. The global scope can contain user
accounts and global groups from the same domain, and can be a member of universal
and domain local groups in any domain.
Universal groups: Universal security groups are most often used to assign permissions
to related resources in multiple domains. Members from any domain may be added, and a
universal group can be used to assign permissions to resources in any domain.
Universal security groups are not available in Windows 2000 mixed mode; the full
feature set of Active Directory is available only in native mode (Windows 2000 Native
or a Windows Server 2003 functional level). The universal scope can contain user
accounts, universal groups and global groups from any domain, and can be a member of
domain local or universal groups in any domain. Universal group membership is stored
in the global catalog, so every membership change replicates forest-wide; the usual
practice is to nest global groups in universal groups rather than adding users
directly.
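The scopes are normally combined in the AGDLP pattern (accounts into global groups, global groups into domain local groups, permissions on domain local groups). The following PowerShell is an added example, not from the page, that builds that chain for a file share and includes a check of the nesting rules listed above for a planned membership change. The OU, user names, folder path and NetBIOS domain CORP are assumed; the cmdlets are from the ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

# Assumed names (not from the page): an OU for groups, two user accounts, a folder on a
# file server and the NetBIOS domain name CORP.
$groupOu = 'OU=Groups,DC=corp,DC=example,DC=com'
$folder  = 'D:\Shares\Sales'

# A -> G: accounts go into a Global group. Members must come from this domain, but the
# group itself can be granted access in any domain of the forest.
New-ADGroup -Name 'Sales Staff' -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'Sales Staff' -Members 'jdoe', 'asmith'

# G -> DL: the resource is guarded by a Domain Local group. It may contain global or
# universal groups from any trusted domain, but can only be used on ACLs in its own domain.
New-ADGroup -Name 'FS01 Sales RW' -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'FS01 Sales RW' -Members 'Sales Staff'

# DL -> P: the permission is granted to the domain local group, never to individual users,
# so future access changes are membership edits rather than ACL edits.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('CORP\FS01 Sales RW', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

function Test-GroupNesting {
    # Applies the scope rules from the text to a planned "add $Member to $Group" before you
    # try it (the directory rejects an illegal nesting, but not with a helpful message).
    param([Parameter(Mandatory)][string]$Group, [Parameter(Mandatory)][string]$Member)
    $g = Get-ADGroup -Identity $Group
    $m = Get-ADGroup -Identity $Member
    # The DC= tail of the DN identifies the domain each group lives in.
    $gDomain    = $g.DistinguishedName -replace '^.*?,DC=', 'DC='
    $mDomain    = $m.DistinguishedName -replace '^.*?,DC=', 'DC='
    $sameDomain = $gDomain -eq $mDomain
    $allowed = switch ("$($g.GroupScope)") {
        'Global'      { $sameDomain -and "$($m.GroupScope)" -eq 'Global' }      # only same-domain globals
        'DomainLocal' { "$($m.GroupScope)" -ne 'DomainLocal' -or $sameDomain }  # any global/universal; locals only from here
        'Universal'   { "$($m.GroupScope)" -ne 'DomainLocal' }                  # never a domain local group
    }
    [pscustomobject]@{
        Group = $g.Name; Scope = $g.GroupScope; Member = $m.Name; MemberScope = $m.GroupScope
        SameDomain = $sameDomain; Allowed = $allowed
    }
}

Test-GroupNesting -Group 'FS01 Sales RW' -Member 'Sales Staff'   # global nested in domain local
Test-GroupNesting -Group 'Sales Staff'   -Member 'FS01 Sales RW' # domain local nested in global
```

Granting the folder permission to the domain local group rather than to 'Sales Staff' directly is what lets the same resource later be opened to a global group from a trusted domain without touching the ACL.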
22. What are Forward Lookup Zones and Reverse Lookup Zones?
DNS plays an important role in creating an effective Windows 2000 Active Directory
(AD) implementation. AD requires DNS and uses it for name resolution and, with the
help of a new Resource Record (RR) type called SRV Records, for service location.
Because AD relies on DNS for these services, Win2K offers a more scalable and
efficient solution than Windows NT 4.0, which uses WINS. A DNS database known as
a zone file contains RRs to link host names with their corresponding IP addresses.
Win2K DNS supports two kinds of zone files, standard and AD integrated.
Standard Zone Files
Standard zone files are traditional DNS zone files. To use standard zone files, you
create a zone on the DNS server that you plan to use for DNS database administration.
This server becomes the primary zone server, where all updates, such as RR additions
or deletions, occur. When you create a DNS server to function as a secondary zone
server, you specify the name or IP address of the primary zone server that provides
it with a copy of the zone file. You can use secondary zone servers to provide load
balancing and a degree of fault tolerance. The fault tolerance is limited: secondary
zone servers continue to answer DNS queries while the primary is down, but they hold
a read-only copy of the zone and cannot accept updates, so dynamic registrations
from clients and domain controllers fail until the primary returns. The primary zone
server periodically transfers its zone file to the secondary zone servers to keep
their copies current. With earlier versions of Microsoft DNS, the primary zone server
transferred a full copy of the zone file (AXFR) and overwrote the existing zone file
on the secondary zone server. Win2K DNS supports Incremental Zone Transfers (IXFR),
which means that the primary zone server sends only the changes that have occurred in
the zone since the last transfer. . . .
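As an added example of the SRV-based service location described above (mine, not from the page), the following PowerShell locates domain controllers the way a Windows client does, by querying the _ldap._tcp SRV records under _msdcs.<domain> in the forward lookup zone, and then checks that each domain controller's address has a matching PTR record in the reverse lookup zone. It uses Resolve-DnsName (Windows 8 / Windows Server 2012 and later); on older systems the equivalent is nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>. The default domain comes from the USERDNSDOMAIN environment variable and the function names are mine.

```powershell
function Find-DomainController {
    # SRV records registered by the Netlogon service. 'dc' finds domain controllers of
    # $Domain; 'gc' finds Global Catalog servers, which are registered under the forest
    # root DNS name, so pass the forest root as $Domain for that.
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Site,
        [ValidateSet('dc', 'gc')][string]$Role = 'dc'
    )
    $name = if ($Site) { "_ldap._tcp.$Site._sites.$Role._msdcs.$Domain" }
            else       { "_ldap._tcp.$Role._msdcs.$Domain" }
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |   # client selection order
        ForEach-Object {
            [pscustomobject]@{
                Record   = $name
                Target   = $_.NameTarget
                Port     = $_.Port
                Priority = $_.Priority
                Weight   = $_.Weight
            }
        }
}

function Test-ReverseLookup {
    # Forward zone: host -> A record; reverse zone (in-addr.arpa): address -> PTR record.
    # The two are maintained separately, so a DC can resolve forward but not backward.
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($dc in Find-DomainController -Domain $Domain) {
        $a = Resolve-DnsName -Name $dc.Target -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        foreach ($addr in @($a.IPAddress)) {
            $ptr = Resolve-DnsName -Name $addr -Type PTR -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'PTR' }
            [pscustomobject]@{
                Host       = $dc.Target
                IPAddress  = $addr
                PtrName    = ($ptr.NameHost -join ',')
                Consistent = (@($ptr.NameHost) -contains $dc.Target)
            }
        }
    }
}

Find-DomainController | Format-Table -AutoSize
Test-ReverseLookup    | Format-Table -AutoSize
```

If Find-DomainController returns nothing for a domain that clearly has domain controllers, the SRV records were never registered (Netlogon cannot perform dynamic updates against the zone), which is the most common reason clients fail to find a domain controller even though ordinary name resolution works.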
23. What are Operations Master Roles?
Active Directory uses multimaster replication: each domain controller holds a
readable, writable replica of the Active Directory data store, and any domain
controller can change objects in it. Multimaster replication is suitable for the
majority of the information in Active Directory. Certain operations, however, cannot
be performed on more than one domain controller at a time without creating conflicts
that replication cannot resolve, for example two domain controllers handing out the
same RID, or two administrators changing the schema in incompatible ways. These
operations are assigned to a single domain controller and are called Flexible Single
Master Operations (FSMOs), or Operations Master roles.
There are five Operations Master (OM) roles. All five are held by the first domain
controller installed in a new forest. Two of the roles apply to the entire Active
Directory forest: the Schema Master role and the Domain Naming Master role. The other
three apply to each domain: the Relative ID (RID) Master role, the Primary Domain
Controller (PDC) Emulator role and the Infrastructure Master role. The domain
controller that holds a FSMO role is called the role master for that role; for that
operation it is the single master, and the result is then replicated to the other
domain controllers in the normal multimaster way.
Because domain controllers generally contain the same Active Directory information,
when one domain controller is unavailable the remaining domain controllers continue
to provide access to Active Directory objects. However, if the lost domain controller
held one of the OM roles, the corresponding operation is unavailable until the role is
transferred or seized; with the RID Master gone, for example, a domain controller that
exhausts its RID pool can no longer create new security principals.
24. What are Forest-Wide Operations Master Roles?
Each forest-wide OM role can exist on only one domain controller in the entire forest,
so these roles are unique across the forest. The two forest-wide OM roles are:
• Schema Master role: Because the objects in the schema directory partition
define the structure of Active Directory for the whole forest, tight control
is placed on who can change this partition. Every domain controller in the
forest shares the same schema, so the schema must be consistent on all of
them. The domain controller holding the Schema Master role controls which
classes and attributes are added, changed or removed, and it is the only
domain controller in the forest on which the schema partition is writable.
You can use the Active Directory Schema MMC snap-in to make changes to the
schema, and only members of the Schema Admins group are permitted to do so.
Any change to the schema replicates to every domain controller in the forest.
You can transfer the Schema Master role to another domain controller in the
forest, and you can seize the role if the domain controller holding it has
failed and cannot be recovered.
• Domain Naming Master role: As with the Schema Master role, only one Domain
Naming Master is allowed in a forest. The domain controller holding this role
keeps track of all the domains in the forest to ensure that no duplicate
domain names are created. It is contacted whenever a domain is added to or
removed from a tree or forest (and, on Windows Server 2003, when application
directory partitions are created or removed), which guarantees that two
domains with the same name cannot be created at the same time on different
domain controllers. By default the first domain controller promoted in a
forest holds this role; you can transfer it to another domain controller in
the forest. On Windows 2000 the Domain Naming Master also had to be a global
catalog server; that requirement was dropped at the Windows Server 2003 forest
functional level.
25. What are Domain-Wide Operations Master Roles?
The three domain-wide OM roles must be unique within each domain of the forest, so
each domain has exactly one of each. The three domain-wide OM roles are:
• Relative identifier (RID) Master role: When a security principal is created
in Active Directory it is assigned a security identifier (SID). The SID is
made up of the domain SID and a relative ID. The domain SID is the same for
every SID created in the domain, while the relative ID is unique for each SID
created in the domain. Because each relative ID must be unique, the domain
controller holding the RID Master role is responsible for allocating blocks
of relative IDs to the domain controllers of the domain. For efficiency, the
RID Master hands each domain controller a pool of 500 relative IDs; when a
domain controller has used about half of its pool it requests a new one, so
the RID Master is not involved in every object creation. By default the RID
Master role and the PDC Emulator role are held by the same domain controller.
You can transfer the RID Master role to another domain controller in the
domain.
• PDC Emulator role: In domains that still contain Windows NT Backup Domain
Controllers (BDCs), the domain controller holding the PDC Emulator role acts
as the Windows NT Primary Domain Controller (PDC). This matters for
replication, because BDCs replicate only from a PDC: it is the PDC Emulator
alone that replicates directory changes to them, and that down-level clients
contact for password changes. It is therefore the PDC Emulator that allows
down-level systems to coexist with Windows 2000 and Windows Server 2003
domain controllers. Once the domain is at the Windows 2000 Native or Windows
Server 2003 functional level, the PDC Emulator continues to perform other
operations for the domain, including the following:
o Password changes and account lockouts are forwarded preferentially to
the PDC Emulator. When a domain controller rejects a password, it first
checks with the PDC Emulator to see whether the password was recently
changed elsewhere and has not yet replicated, so that a valid new
password is not treated as a bad password.
o Group policies consist of a Group Policy Container (GPC) in Active
Directory and a Group Policy Template (GPT) in the SYSVOL folder. Because
these two parts can get out of step under multimaster replication, the
Group Policy editor connects to the PDC Emulator by default, so that
concurrent edits of the same GPO on different domain controllers do not
produce conflicting versions.
o The PDC Emulator is the authoritative time source for its domain, and the
PDC Emulator of the forest root domain is the time source for the whole
forest; Kerberos authentication depends on clocks staying within the
allowed skew.
• Infrastructure Master role: The domain controller holding the Infrastructure
Master role performs the following functions in its domain:
o Maintains references to objects in other domains, for example the members
of a group in this domain that are users in another domain. When such an
object is renamed or moved in its home domain, the Infrastructure Master
updates the reference here and replicates the update to the other domain
controllers in the domain through normal multimaster replication.
o Removes stale references to cross-domain objects that have been deleted.
To do this it compares its references against the global catalog, which
is why the Infrastructure Master must not itself be a global catalog
server unless every domain controller in the domain is one: a global
catalog never holds a stale reference, so nothing would ever be updated.
26. How to Plan the Placement of the FSMOs ?
As mentioned previously, all the OM roles are automatically assigned to the first
domain controller created for the first domain of a new Active Directory forest. When
you create either the root domain of a new tree in the forest or a new child domain,
the three domain-wide OM roles are assigned to the first domain controller of that
domain. Where a domain has only one domain controller, that domain controller
necessarily holds all three domain-wide roles. The two forest-wide OM roles stay on
the first domain controller of the forest root domain until you move them.
OM roles are usually transferred to other domain controllers when you need to perform
maintenance, to balance the load between domain controllers, or simply to move a role
to a better-equipped domain controller.
Where multiple domain controllers exist for a domain, consider the following
recommendations when placing your Operations Master roles within the domain:
• Where you have two domain controllers that are direct replication partners
and are well connected, assign the RID Master, PDC Emulator and
Infrastructure Master roles to one of them. That domain controller becomes
the OM domain controller for the domain, and the other becomes the
designated standby OM domain controller. Keeping the standby a direct
replication partner matters when you have to seize: its replica is then the
most current, so the least information is lost.
• It is generally recommended to keep the PDC Emulator and RID Master roles
on the same domain controller.
• However, in a large domain consider placing the RID Master and PDC Emulator
roles on two different domain controllers, each well connected to the
standby OM domain controller for those roles. This is usually done to
reduce the load on the PDC Emulator.
• Place the Schema Master and Domain Naming Master roles on the same domain
controller, normally in the forest root domain. Because the holder of these
roles can change the schema and the forest namespace, it should be among
the most tightly controlled and best protected domain controllers in the
forest.
• Do not assign the Infrastructure Master role to a domain controller that is
also a global catalog server, unless every domain controller in the domain
is a global catalog server (in which case the placement does not matter) or
the forest has only one domain. The Infrastructure Master should instead be
well connected to a global catalog server; hosted on a global catalog it
never detects stale cross-domain references and therefore does no work.
27. How to Manage Operations Master Roles?
Since only one or a few domain controllers hold the Operations Master roles, it is
important that those domain controllers keep functioning in the Active Directory
environment. There are essentially two processes involved in managing FSMOs:
• Because the FSMOs are created automatically on the first domain controller
installed, you may need to transfer OM roles to a more robust server. You
also need to transfer OM roles off a domain controller before demoting it.
• When a lost domain controller cannot be recovered, you need to seize any OM
roles it held.
Transferring an Operations Master role means moving it, with the cooperation of the
current holder, from one domain controller to another. To transfer the Schema Master
role you must be a member of Schema Admins; to transfer the Domain Naming Master role
you must be a member of Enterprise Admins; the three domain-wide roles require Domain
Admins membership in the domain concerned.
You can use an Active Directory console or a command-line utility (Ntdsutil; netdom
query fsmo shows the current holders) to transfer OM roles. The Active Directory MMC
consoles used to transfer the different FSMOs are:
• Active Directory Schema MMC snap-in: for transferring the Schema Master
role
• Active Directory Domains and Trusts console: for transferring the Domain
Naming Master role
• Active Directory Users and Computers console: for transferring the RID
Master, PDC Emulator and Infrastructure Master roles
When you seize an OM role, you reassign it to another domain controller without the
cooperation of the domain controller that currently holds it. Before you seize any OM
role, first determine why the current holder has failed: a network problem that will
be fixed within a short time frame is worth waiting out. Also make sure the domain
controller you intend to move the roles to is capable of carrying them. In short,
seize an OM role only if the current holder cannot be recovered. If a domain
controller whose Schema Master, Domain Naming Master or RID Master role was seized is
later found to be repairable, do not reconnect it to the network until its metadata
has been cleaned up (see metadata cleanup below); two domain controllers both
believing they hold one of these roles causes exactly the conflicts the roles exist to
prevent. You use the Ntdsutil command-line tool to seize OM roles.
The Consequences of FSMOs Failing
The following section looks at what happens when each FSMO role fails:
• A Schema Master failure is only noticed when an administrator attempts to
change the Active Directory schema; it is invisible to ordinary network
users. Seize this role onto the domain controller designated as the standby
Schema Master only if the existing holder can never be recovered.
• As with the Schema Master, a Domain Naming Master failure is only noticed
if an administrator attempts to add a domain to or remove a domain from the
forest. It is not perceived by ordinary network users. Seize this role onto
its designated standby only when the existing holder will never be
operational again.
• A RID Master failure is only noticed by administrators creating new
security principals in the domain where the RID Master failed, and only once
a domain controller has exhausted its current RID pool and cannot obtain a
new one. Ordinary network users do not notice it. Seize this OM role only
when the existing holder will never recover from the failure.
• An Infrastructure Master failure is also not visible to ordinary network
users. It only affects administrators who are renaming or moving accounts
that are referenced from other domains, whose references then go stale.
Consider moving the role to the designated standby if the existing holder
will be unavailable for an extended period and the pending changes matter.
• Unlike the failures described above, a PDC Emulator failure does affect
network users: password changes reach other domain controllers more slowly,
account lockouts are delayed, down-level clients cannot change passwords,
time synchronization loses its source and Group Policy editing fails by
default. Seize this role onto its designated standby immediately if the
domain contains any Windows NT backup domain controllers, or if the outage
will be more than brief. The PDC Emulator and Infrastructure Master are the
two roles whose original holder may safely come back online: you can transfer
the role back to it once it is recovered, whereas a seized Schema Master,
Domain Naming Master or RID Master holder must never be returned to the
network without metadata cleanup.
28. How to view the existing Schema Master role assignment?
1. Open a command prompt, and enter regsvr32 schmmgmt.dll to register the
schmmgmt.dll on the computer.
2. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
3. From the File menu, select Add/Remove Snap-in and then select Add.
4. In the list of available snap-ins, double-click Active Directory Schema.
5. Click Close. Click OK.
6. Open the Active Directory Schema snap-in.
7. In the console tree, right-click Active Directory Schema and select Operations
Masters from the shortcut menu.
8. The Change Schema Master dialog box opens.
9. You can view the name of the existing Schema Master in the Current Schema
Master (Online) box.
10. Click Close.
29. How to view the existing Domain Naming Master role assignment?
1. Open the Active Directory Domains And Trusts console from the
Administrative Tools menu.
2. In the console tree, right-click Active Directory Domains And Trusts and select
Operations Masters from the shortcut menu.
3. The Change Operations Master dialog box opens.
4. You can view the name of the existing Domain Naming Master in the Domain
Naming Operations Master box.
5. Click Close.
30. How to view the existing RID Master role, PDC Emulator, and
Infrastructure Master role assignments?
1. Open the Active Directory Users And Computers console from the
Administrative Tools menu.
2. In the console tree, right-click Active Directory Users And Computers and click
All Tasks, and then Operations Masters from the shortcut menu.
3. The Operations Masters dialog box contains the following tabs:
o RID tab: The name of the existing RID Master is displayed in the
Operations Master box of this tab.
o PDC tab: In the Operations Master box of the PDC tab, you can view
the name of the existing PDC Emulator.
o Infrastructure tab: The existing Infrastructure Master's name is
displayed in the Operations Master box.
4. Click Close.
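The three procedures above read the role holders one console at a time. The following added example (not from the original page) does the same from a PowerShell prompt and then runs the two placement checks a practitioner wants: that every holder answers, and that the Infrastructure Master is not a global catalog while other domain controllers are not. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later); on Windows Server 2003 itself, `netdom query fsmo` lists the holders.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module
# (Windows Server 2008 R2 or later); "netdom query fsmo" is the 2003-era equivalent.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide role
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide role
        RIDMaster            = $dom.RIDMaster                # domain-wide role
        PDCEmulator          = $dom.PDCEmulator              # domain-wide role
        InfrastructureMaster = $dom.InfrastructureMaster     # domain-wide role
    }
}

function Test-FsmoPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $holders  = Get-FsmoHolders -Domain $Domain
    $dcs      = @(Get-ADDomainController -Filter * -Server $Domain)
    $findings = @()

    # A holder that does not answer is the failure case described in the text.
    foreach ($p in $holders.PSObject.Properties) {
        if (-not (Test-Connection -ComputerName $p.Value -Count 1 -Quiet)) {
            $findings += "$($p.Name) holder $($p.Value) is not reachable"
        }
    }

    # The Infrastructure Master must not be a global catalog unless every DC in the
    # domain is one; on a GC it never notices stale cross-domain references.
    $im    = $dcs | Where-Object { $_.HostName -eq $holders.InfrastructureMaster }
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($im -and $im.IsGlobalCatalog -and -not $allGc) {
        $findings += "Infrastructure Master $($im.HostName) is a GC while other DCs are not"
    }

    if ($findings.Count -eq 0) { "FSMO placement checks passed for $Domain" } else { $findings }
}

Get-FsmoHolders
Test-FsmoPlacement
```

Run it as a domain user; reading the role holders needs no special rights, which is also why an attacker doing reconnaissance gets the same list.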
31. How to transfer the Schema Master role to another domain controller?
Before you can transfer the Schema Master role to another domain controller, ensure
that you have the required Schema Admins rights, and that both domain controllers
you are planning to work with are available. Before you can use the Active Directory
Schema MMC snap-in, you first have to add it to a MMC.
To add the Active Directory Schema snap-in to a MMC,
1. Open a command prompt, and enter regsvr32 schmmgmt.dll to register the
schmmgmt.dll on the computer.
2. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
3. From the File menu, select Add/Remove Snap-in and then select Add.
4. In the list of available snap-ins, double-click Active Directory Schema.
5. Click Close. Click OK
To transfer the Schema Master role,
1. Open the Active Directory Schema snap-in.
2. Right-click Active Directory Schema in the console tree, and select Change
Domain Controller from the shortcut menu. The snap-in must be connected to the
domain controller that is to become the new Schema Master, because the transfer
moves the role to whichever domain controller the snap-in is connected to.
3. The options available when the Change Domain Controller dialog box opens
are
o Any DC: the snap-in connects to whichever domain controller it locates
first; use this only if you do not care which domain controller receives the
role.
o Specify Name: enter the name of the domain controller that should receive
the Schema Master role.
4. Click OK
5. Right-click Active Directory Schema in the console tree again, and choose
Operations Master from the shortcut menu.
6. When the Change Schema Master dialog box opens, click Change.
7. Click OK when a message appears prompting for verification of the OM role
transfer you want to perform.
8. Click OK to exit the Change Schema Master dialog box.
32. How to transfer the Domain Naming Master role to another domain
controller?
You have to be a member of the Enterprise Admins group to transfer the Domain
Naming Master role to another domain controller.
1. Open the Active Directory Domains And Trusts console from the
Administrative Tools menu.
2. In the console tree, right-click Active Directory Domains And Trusts and select
Connect To Domain Controller from the shortcut menu.
3. The Connect To Domain Controller dialog box opens. This is where you specify
the name of the new domain controller that should be assigned the Domain
Naming Master role.
4. Click OK
5. In the console tree, right-click Active Directory Domains And Trusts and select
Operations Masters from the shortcut menu.
6. When the Change Operations Master dialog box opens, click Change
7. Click Close
33. How to transfer the RID Master role, PDC Emulator role, or
Infrastructure Master role to another domain controller?
You have to be a member of the Domain Admins group of the domain concerned.
1. Open the Active Directory Users And Computers console from the
Administrative Tools menu.
2. In the console tree, right-click Active Directory Users And Computers and click
Connect To Domain from the shortcut menu.
3. When the Connect To Domain dialog box opens, enter the domain name that
you want to work with.
4. Click OK
5. In the console tree, right-click Active Directory Users And Computers and click
Connect To Domain Controller from the shortcut menu.
6. When the Connect To Domain Controller dialog box opens, specify the new
domain controller for the OM role that you are transferring.
7. Click OK
8. In the console tree, right-click Active Directory Users And Computers and click
All Tasks, and then click Operations Masters from the shortcut menu.
9. The Operations Masters dialog box opens. On one of the following tabs,
o RID tab: Click Change to change the location of the RID Master
o PDC tab: Click Change to change the location of the PDC Emulator
o Infrastructure tab: Click Change to change the location of the
Infrastructure Master.
10. Click Yes to verify that you want to transfer the particular OM role to a
different domain controller.
11. Click OK. Click Close.
34. How to seize an Operations Master role?
Before you seize an OM role, perform the following tasks:
• Verify that the domain controller that will take over the role is fully up to
date with the changes made on the domain controller that held the role, that is,
that it received the last replication from the failed holder. You can use the
Replication Diagnostics command-line utility, Repadmin.exe, for this verification;
it is included with the Windows Support Tools on the Windows Server 2003
CD-ROM.
• Use the Ntdsutil tool to seize the OM role. Ntdsutil first attempts a graceful
transfer of the role and only proceeds to seize it if the transfer fails, so it is
the safer choice when you are not certain the current holder is down.
If you need to seize the PDC Emulator or the Infrastructure Master, you can also
use the Active Directory Users and Computers console, which offers a forced
transfer when the current holder is offline. The Ntdsutil tool has to be used to
seize the other FSMOs (Schema Master, Domain Naming Master and RID Master); it
can also seize the PDC Emulator and Infrastructure Master roles. After seizing the
Schema Master, Domain Naming Master or RID Master, the former holder must never
be returned to the network without being reinstalled, and its metadata must be
removed (see question 35); the PDC Emulator and Infrastructure Master roles can
simply be transferred back once the old holder is online again.
To seize the PDC Emulator or Infrastructure FSMOs using the Active Directory Users
and Computers console,
1. Open the Active Directory Users and Computers console
2. In the console tree, right-click the domain object, and choose Connect to
Domain Controller from the shortcut menu.
3. Enter the name of the other domain controller. Click OK
4. To perform the seizure of the role, right-click the domain object and choose
Operations Masters from the shortcut menu.
5. Click either the PDC tab, or the Infrastructure tab
6. You will notice that the particular OM role is indicated as being offline.
7. Click Change.
8. Click OK to verify that you want to transfer the OM role.
9. Click Yes when prompted to verify that you want to perform a forced transfer.
To seize any OM roles using the Ntdsutil tool,
1. Click Start, Command Prompt.
2. Enter the following at the command prompt: ntdsutil. Press Enter
3. Enter the following at the ntdsutil prompt: roles. Press Enter
4. Enter the following at the fsmo maintenance prompt: connections. Press Enter
5. Enter the following at the server connections prompt: connect to server, and
the fully qualified domain name (FQDN). Press Enter
6. Enter the following at the server connections prompt: quit. Press Enter.
7. Enter one of the following at the fsmo maintenance prompt:
o seize schema master. Press Enter
o seize domain naming master. Press Enter
o seize RID master. Press Enter
o seize PDC. Press Enter
o seize infrastructure master. Press Enter
8. Enter quit at the fsmo maintenance prompt. Press Enter
9. Enter quit at the ntdsutil prompt.
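Questions 31 to 34 describe the transfer and seizure procedures through the consoles and the interactive ntdsutil prompts. The following added example (not from the original page) wraps both in one PowerShell function that enforces the rule stated above: transfer when the holder is reachable, seize only when it is not, and refuse to seize a holder that still answers. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and uses "DC2" as a placeholder target; the last function shows the Windows Server 2003 alternative of feeding ntdsutil its prompts from a single command line.

```powershell
# Added example, not from the original page. ActiveDirectory module required
# (Windows Server 2008 R2 or later). "DC2" and the role names are placeholders.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Target,     # DC that should hold the role, e.g. 'DC2'
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string]$Role,
        [switch]$Seize                             # only when the holder cannot be recovered
    )
    # Current holder: forest-wide roles come from the forest object, the rest from the domain.
    $holder = switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }
    }

    if (-not $Seize) {
        # Graceful transfer: both DCs must be online and the target must be converged.
        if (-not (Test-Connection -ComputerName $holder -Count 1 -Quiet)) {
            throw "$Role holder $holder is unreachable; a transfer is impossible, consider -Seize"
        }
        & repadmin /replsummary $Target | Out-Host   # any failing inbound replication shows here
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $holder to $Target"
    }

    # Seizure path. A holder that still answers must be transferred, not seized:
    # two live holders of RID Master or Schema Master mean duplicate RIDs or a split schema.
    if (Test-Connection -ComputerName $holder -Count 1 -Quiet) {
        throw "$Role holder $holder is still reachable; transfer instead of seizing"
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
    return "Seized $Role on $Target; do not bring $holder back without rebuilding it"
}

# Windows Server 2003 equivalent of steps 1 to 9 above: ntdsutil accepts its
# prompts as arguments, and it tries a transfer before it seizes.
function Invoke-NtdsutilSeize {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$RoleText   # 'schema master', 'domain naming master', 'RID master', 'PDC', 'infrastructure master'
    )
    & ntdsutil "roles" "connections" "connect to server $Target" "quit" "seize $RoleText" "quit" "quit"
}

# Usage:
#   Move-FsmoRole -Target 'DC2' -Role PDCEmulator
#   Move-FsmoRole -Target 'DC2' -Role RIDMaster -Seize
#   Invoke-NtdsutilSeize -Target 'DC2' -RoleText 'RID master'
```

The reachability test is deliberately crude (ICMP); in an environment that blocks ping, replace it with a check that the holder answers LDAP, for example by calling Get-ADDomainController -Identity against it.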
35. How to perform a metadata cleanup?
In this context, metadata means the objects that describe a domain controller in
Active Directory: its NTDS Settings and server objects in the Configuration
partition, the replication connection objects that name it as a source, its
computer account in the Domain Controllers container and, for SYSVOL, its File
Replication Service member object. A metadata cleanup is performed when a failed
domain controller cannot be restored (or cannot be demoted cleanly with Dcpromo).
The cleanup removes the references to the failed domain controller from Active
Directory, so that the remaining domain controllers stop trying to replicate with
it and the name can be reused. The Ntdsutil version shipped with Windows Server
2003 Service Pack 1 also removes the computer account and the FRS member object;
with earlier versions, and for the DNS records that still point at the server,
those must be removed by hand afterwards.
To perform the metadata cleanup,
1. From the command prompt, enter ntdsutil and press Enter.
2. Enter the following at the ntdsutil prompt: metadata cleanup. Press Enter
3. Enter the following at the metadata cleanup prompt: connections. Press Enter
4. Enter the following at the server connections prompt: connect to server,
followed by the server name. Press Enter
5. Enter quit, and press Enter
6. Enter the following at the metadata cleanup prompt: select operation target.
Press Enter
7. Enter list domains. Press Enter
8. Enter select domain, followed by the number of the domain that holds the
server that you want to remove. Press Enter
9. Enter list sites. Press Enter
10. Enter select site, followed by the number of the site that holds the server that
you want to remove. Press Enter
11. Enter list servers in site. Press Enter
12. Enter select server, followed by the number of the server that you want to
remove. Press Enter.
13. Enter quit and press Enter to return to the metadata cleanup prompt.
14. Enter remove selected server, and press Enter.
15. When a message box appears prompting you to verify whether the server
should be removed, click Yes
16. Quit from Ntdsutil.
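After step 16, a practitioner wants proof that nothing still references the dead domain controller, because lingering objects keep replication partners retrying and keep clients being referred to a server that no longer exists. The following added example (not from the original page) looks for the five kinds of leftovers named in the introduction to this question. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and Resolve-DnsName (Windows 8 / Windows Server 2012 or later); "DC3" and "corp.example.com" are placeholders.

```powershell
# Added example, not from the original page. Finds references to a removed DC
# that ntdsutil does not always clean up. Placeholders: DC3, corp.example.com.
Import-Module ActiveDirectory

function Find-StaleDcReferences {
    param(
        [Parameter(Mandatory)][string]$DcName,   # short name of the removed DC, e.g. 'DC3'
        [Parameter(Mandatory)][string]$Domain    # DNS name of its domain, e.g. 'corp.example.com'
    )
    $dom   = Get-ADDomain -Identity $Domain
    $cfgNC = (Get-ADRootDSE -Server $Domain).configurationNamingContext
    $found = @()

    # 1. Server object (and with it the NTDS Settings object) under the Sites container.
    $srv = Get-ADObject -SearchBase "CN=Sites,$cfgNC" -LDAPFilter "(&(objectClass=server)(cn=$DcName))" -Server $Domain
    if ($srv) { $found += "server object still present: $($srv.DistinguishedName)" }

    # 2. Computer account in the Domain Controllers OU.
    $acct = Get-ADObject -SearchBase $dom.DomainControllersContainer -LDAPFilter "(&(objectClass=computer)(cn=$DcName))" -Server $Domain
    if ($acct) { $found += "computer account still present: $($acct.DistinguishedName)" }

    # 3. FRS member object for SYSVOL (Windows Server 2003 era replication).
    $frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$($dom.DistinguishedName)"
    $frs = Get-ADObject -SearchBase $frsBase -LDAPFilter "(cn=$DcName)" -Server $Domain -ErrorAction SilentlyContinue
    if ($frs) { $found += "FRS member still present: $($frs.DistinguishedName)" }

    # 4. Connection objects on surviving DCs that still name the dead server as a source.
    $links = Get-ADObject -SearchBase "CN=Sites,$cfgNC" -LDAPFilter "(objectClass=nTDSConnection)" -Properties fromServer -Server $Domain |
             Where-Object { $_.fromServer -match "CN=$DcName," }
    foreach ($l in $links) { $found += "connection object points at removed DC: $($l.DistinguishedName)" }

    # 5. SRV records that still advertise the dead DC to clients as an LDAP server.
    $srvRecs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.NameTarget -like "$DcName.*" }
    foreach ($r in $srvRecs) { $found += "SRV record still points at $($r.NameTarget)" }

    if ($found.Count -eq 0) { "no stale references to $DcName found" } else { $found }
}

# Usage: Find-StaleDcReferences -DcName 'DC3' -Domain 'corp.example.com'
```

Anything the function reports should be deleted by hand (Active Directory Sites and Services for the server and connection objects, the DNS console for the records) and the check re-run before the name is reused for a new domain controller.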
36. What is "tattooing" the Registry?
Group Policy settings written to the four policy keys in the Registry
(HKEY_LOCAL_MACHINE\Software\Policies, HKEY_CURRENT_USER\Software\Policies,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies) are
maintained by the client: when the Group Policy object no longer applies, the
values are removed. A setting is said to tattoo the Registry when a policy writes
outside those maintained keys, as custom administrative templates and user
preference settings do. The value then persists after the Group Policy is removed
or changed, and the user can view and modify it like any ordinary preference.
37. What’s the major difference between FAT and NTFS on a local machine?
FAT and FAT32 have no file-level access control: any user who is logged on locally
can read and modify every file, and share permissions only restrict access that
comes over the network. Only NTFS provides permission control (access control
lists on files and folders) that applies to both local and remote access, together
with auditing, encryption (EFS) and journaling.
38. What is LSDOU?
It is the order in which Group Policy is processed and inherited: Local computer
policy first, then policies linked to the Site, then the Domain, then each
Organizational Unit from the top of the hierarchy down to the OU that contains the
user or computer. Where settings conflict, later policies override earlier ones, so
an OU-linked policy normally wins over a domain policy unless the higher-level
link is marked No Override (enforced).
40. What is boot processing of a computer?
As soon as the computer is powered on, the CPU begins executing the ROM BIOS
firmware, whose first task is the Power On Self-Test (POST). POST verifies the BIOS
itself and the CMOS RAM that holds the system configuration, and then checks the
hardware devices and the storage devices. The BIOS then reads the boot sequence
from the CMOS settings. The boot sequence is the order of drives the BIOS scans to
find a bootable device. Generally the operating system is on the first hard disk
(the C drive); if no bootable disk is found there, the next drive in the sequence,
for example the A floppy drive, is tried.
When a bootable device is found, the BIOS loads its first sector (the master boot
record) into memory and transfers control to it. That code locates the active
partition and starts the operating system's boot loader, which loads the rest of
the system files into memory; from there the operating system takes charge of the
boot process, loading device drivers, starting services and so on.
41. What do you mean by deadlock?
Deadlock is a situation in which a group of processes are all blocked, each waiting
for an event that only another process in the group can cause, so none of them can
ever become unblocked.
The simplest deadlock is two processes each of which is waiting for a message (or
a lock) held by the other.
42. What is Distributed File System
DFS, or the Distributed File System, was a feature originally found in the NT 4
product but underutilized. The Distributed File System allows you to organize
shared folders on the network into a single logical hierarchy while keeping the
data on different physical servers. To the user, data that is actually distributed
appears to fall under an organized, structured hierarchy. This allows you to
control not only how users see the data (you can use different share names for
existing folders) but also how they access it (you can create whatever hierarchy
best suits the needs of the users). For example, data might be physically
distributed as outlined below:
Sales data files \\server13\salesdata
Sales quota files \\server2\s-quotainfo
Sales report files \\server1\rpt
Using DFS, we could create a DFS root called Sales using an empty shared folder on
Server1 called Sales, and create the following hierarchy:
\\Server1\Sales
\Data
\Quotas
\Reports

We would simply map a drive for users to the Sales folder on Server1, and they
would automatically be redirected to the appropriate folder of the appropriate server
as they accessed the subfolders. Note that DFS maintains and does not change any
of the permissions associated with the actual folders. Whatever level of access users
had to the folders before DFS will be the same level of access after DFS has been
configured.

In Windows 2000, two types of DFS structures exist: standalone DFS and domain-
based DFS. Note that while a domain can host multiple DFS roots, in Windows 2000
any server can host only a single DFS root, regardless of type (stand-alone or
domain-based); the Enterprise and Datacenter editions of Windows Server 2003 lift
this restriction.

Standalone DFS structures can be created on any server running Windows 2000 with
DFS installed (it is installed by default). With standalone DFS, Active Directory is
not required. Creating a DFS structure begins with a server hosting the ‘root’ of
DFS: the shared folder that clients connect to first. With standalone DFS, this
root can only be hosted on a single server, so if that server fails, users will not
be able to gain access to the DFS tree (of course, they can still access resources
on other physical servers if they know the location of those folders). Standalone
DFS does not support replicas of the root, although you can configure replicas of
folders beneath the root. This allows users to be load-balanced between folders
that exist on different servers but contain identical information. Note that in a
standalone DFS setup, replication of data between replicas does not happen
automatically: you must make it happen yourself, using a tool such as Robocopy,
for instance.

Domain-based DFS takes advantage of Active Directory by storing DFS topology
information in Active Directory. This type of DFS supports the ability to have root
replicas, which provide both load-balancing and fault-tolerance. For example, if
multiple root-replicas were created and a replica is taken offline, a user can still
access the DFS structure, simply by being redirected to another replica. On top of
this, replicas of shared folders can also be created, and replication can take place
automatically using the file replication service (FRS) – up to 32 replicas are
supported. In the case of domain-based DFS, the root points not to a server, but
instead to the domain – an example of a DFS root might be
\\win2000trainer.com\dfsroot. Using site information stored in Active Directory, a
user attempting to access the DFS root would be redirected to the root replica in
their own site, for example, instead of accessing the root from over the WAN. Note
that in order to access domain-based DFS, a client running Windows 9x, or Windows
NT 4 needs to have the Active Directory client software installed.
43. What are the domain functional levels in Windows Server 2003?
Functional levels are an extension of the mixed/native mode concept introduced in
Windows 2000 to activate new Active Directory features after all the domain
controllers in the domain or forest are running the Windows Server 2003 operating
system.
When a computer that is running Windows Server 2003 is installed and
promoted to a domain controller, new Active Directory features are activated by
the Windows Server 2003 operating system over its Windows 2000 counterparts.
Additional Active Directory features are available when all domain controllers in
a domain or forest are running Windows Server 2003 and the administrator
activates the corresponding functional level in the domain or forest.
To activate the new domain features, all domain controllers in the domain must
be running Windows Server 2003. After this requirement is met, the
administrator can raise the domain functional level to Windows Server 2003. To
activate new forest-wide features, all domain controllers in the forest must be
running Windows Server 2003, and every domain in the forest must already be at
the Windows 2000 native or Windows Server 2003 domain functional level (no domain
may remain in Windows 2000 mixed). After this requirement is met, the
administrator can raise the forest functional level; domains still at Windows 2000
native are raised to Windows Server 2003 automatically as part of the operation.
Note: Network clients can authenticate or access resources in the domain or
forest without being affected by the Windows Server 2003 domain or forest
functional levels. These levels only affect the way that domain controllers
interact with each other.
When the first Windows Server 2003–based domain controller is deployed in a
domain or forest, a set of default Active Directory features becomes available.
The following table summarizes the Active Directory features that are available
by default on any domain controller running Windows Server 2003:
• Multiple selection of user objects: Allows you to modify common attributes of
multiple user objects at one time.
• Drag and drop functionality: Allows you to move Active Directory objects from
container to container by dragging one or more objects to a location in the domain
hierarchy. You can also add objects to group membership lists by dragging one or
more objects (including other group objects) to the target group.
• Efficient search capabilities: Search functionality is object-oriented and
provides an efficient search that minimizes network traffic associated with
browsing objects.
• Saved queries: Allows you to save commonly used search parameters for reuse in
Active Directory Users and Computers.
• Active Directory command-line tools: Allows you to run new directory service
commands for administration scenarios.
• InetOrgPerson class: The inetOrgPerson class has been added to the base schema
as a security principal and can be used in the same manner as the user class.
• Application directory partitions: Allows you to configure the replication scope
for application-specific data among domain controllers. For example, you can
control the replication scope of Domain Name System (DNS) zone data stored in
Active Directory so that only specific domain controllers in the forest
participate in DNS zone replication.
• Ability to add additional domain controllers by using backup media: Reduces the
time it takes to add an additional domain controller in an existing domain by
using backup media.
• Universal group membership caching: Prevents the need to locate a global catalog
across a wide area network (WAN) when logging on by storing universal group
membership information on an authenticating domain controller.
• Secure Lightweight Directory Access Protocol (LDAP) traffic: Active Directory
administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP
traffic guarantees that the packaged data comes from a known source and that it
has not been tampered with.
• Partial synchronization of the global catalog: Provides improved replication of
the global catalog when schema changes add attributes to the global catalog
partial attribute set. Only the new attributes are replicated, not the entire
global catalog.
• Active Directory quotas: Quotas can be specified in Active Directory to control
the number of objects a user, group, or computer can own in a given directory
partition. Members of the Domain Administrators and Enterprise Administrators
groups are exempt from quotas.
When the first Windows Server 2003–based domain controller is deployed in a
domain or forest, the domain or forest operates by default at the lowest
functional level that is possible in that environment. This allows you to take
advantage of the default Active Directory features while running versions of
Windows earlier than Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced
features becomes available. For example, the Windows Server 2003 interim
forest functional level supports more features than the Windows 2000 forest
functional level, but fewer features than the Windows Server 2003 forest
functional level supports. Windows Server 2003 is the highest functional level
that is available for a domain or forest. The Windows Server 2003 functional
level supports the most advanced Active Directory features; however, only
Windows Server 2003 domain controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot
introduce any domain controllers that are running versions of Windows earlier
than Windows Server 2003 into that domain. This applies to the forest functional
level as well.
Domain Functional Level
Domain functionality activates features that affect the whole domain and that
domain only. The four domain functional levels, their corresponding features,
and supported domain controllers are as follows:
Windows 2000 mixed (Default)
• Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000,
Windows Server 2003
• Activated features: local and global groups, global catalog support
Windows 2000 native
• Supported domain controllers: Windows 2000, Windows Server 2003
• Activated features: group nesting, universal groups, SidHistory,
converting groups between security groups and distribution groups, you
can raise domain levels by increasing the forest level settings
Windows Server 2003 interim
• Supported domain controllers: Windows NT 4.0, Windows Server 2003
• Supported features: There are no domain-wide features activated at this
level. All domains in a forest are automatically raised to this level when
the forest level increases to interim. This mode is only used when you
upgrade domain controllers in Windows NT 4.0 domains to Windows
Server 2003 domain controllers.
Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Supported features: domain controller rename, logon timestamp attribute
updated and replicated. User password support on the InetOrgPerson
objectClass. Constrained delegation, you can redirect the Users and
Computers containers.
Domains that are upgraded from Windows NT 4.0 or created by the promotion of
a Windows Server 2003-based computer operate at the Windows 2000 mixed
functional level. Windows 2000 domains maintain their current domain
functional level when Windows 2000 domain controllers are upgraded to the
Windows Server 2003 operating system. You can raise the domain functional
level to either Windows 2000 native or Windows Server 2003.
After the domain functional level is raised, domain controllers that are running
earlier operating systems cannot be introduced into the domain. For example, if
you raise the domain functional level to Windows Server 2003, domain
controllers that are running Windows 2000 Server cannot be added to that
domain.
The list above describes each domain functional level and the domain-wide
features that are activated for that level. Note that with each successive level
increase, the feature set of the previous level is included.
Forest Functional Level
Forest functionality activates features across all the domains in your forest.
Three forest functional levels, the corresponding features, and their supported
domain controllers are listed below.
Windows 2000 (default)
• Supported domain controllers: Windows NT 4.0, Windows 2000, Windows
Server 2003
• New features: Partial list includes universal group caching, application
partitions, install from media, quotas, rapid global catalog demotion, Single
Instance Store (SIS) for System Access Control Lists (SACL) in the Jet database
engine, improved topology generation event logging, no global catalog full sync
when attributes are added to the partial attribute set (PAS), and a Windows
Server 2003 domain controller assuming the Intersite Topology Generator (ISTG)
role.
Windows Server 2003 interim
• Supported domain controllers: Windows NT 4.0, Windows Server 2003.
• Activated features: Windows 2000 features plus efficient group member
replication using Linked Value Replication, improved replication topology
generation, and ISTG aliveness no longer replicated. Attributes added to the
global catalog: ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes,
Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message
Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory,
Print-Rate, Print-Rate-Unit.
Windows Server 2003
• Supported domain controllers: Windows Server 2003
• Activated features: all features in Interim Level, Defunct schema objects,
Cross Forest Trust, Domain Rename, Dynamic auxiliary classes,
InetOrgPerson objectClass change, Application Groups, 15-second
intrasite replication frequency for Windows Server 2003 domain
controllers upgraded from Windows 2000
After the forest functional level is raised, domain controllers that are running
earlier operating systems cannot be introduced into the forest. For example, if
you raise forest functional levels to Windows Server 2003, domain controllers
that are running Windows NT 4.0 or Windows 2000 Server cannot be added to
the forest.
44. How we can raise domain functional & forest functional level in
Windows Server 2003?
To raise the domain functional level, you must be a member of the Domain Admins
group of that domain.
In order to raise the Domain Functional Level:
1. Log on to the domain controller that holds the PDC Emulator role with domain administrator credentials.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers (you can also perform this action from the Active
Directory Domains and Trusts snap-in).
3. In the console tree, right-click the domain node and then click Raise
Domain Functional Level.
4. Under Select an available domain functional level, do one of the following:
Click Windows 2000 native, and then click Raise to raise the domain functional level
to Windows 2000 native.
or
Click Windows Server 2003, and then click Raise to raise the domain functional level
to Windows Server 2003.
5. Read the warning message, and if you wish to perform the action, click Ok.

You will receive an acknowledgement message telling you that the operation was
completed successfully. Click Ok.
You can check the function level by performing step 3 again and viewing the current
function level.

To raise the forest functional level, you must be a member of the Enterprise
Admins group.
In order to raise the Forest Functional Level:
1. Log on to the PDC of the forest root domain with a user account that is a
member of the Enterprise Administrators group.
2. Open Active Directory Domains and Trusts, click Start, point to All
Programs, point to Administrative Tools, and then click Active Directory
Domains and Trusts.
3. In the console tree, right-click Active Directory Domains and Trusts, and
then click Raise Forest Functional Level.
4. Under Select an available forest functional level, click Windows Server
2003. and then click Raise to raise the forest functional level to Windows
Server 2003.
5. Read the warning message, and if you wish to perform the action, click
Ok.

6. You will receive an acknowledgement message telling you that the
operation was completed successfully. Click Ok.
7. You can check the function level by performing step 3 again and viewing
the current function level.
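The two procedures above rely on the console to refuse the raise when a down-level domain controller still exists; the following added example (not from the original page) makes that prerequisite check explicit and then performs the raise, which is useful because a raise is irreversible. It uses the ActiveDirectory module (Windows Server 2008 R2 or later); the level names Windows2003Domain and Windows2003Forest are that module's enumeration values, and the nTMixedDomain attribute is read directly because the module's DomainMode property does not distinguish Windows 2000 mixed from Windows 2000 native.

```powershell
# Added example, not from the original page. ActiveDirectory module required
# (Windows Server 2008 R2 or later). Raising a functional level is one-way.
Import-Module ActiveDirectory

function Test-DomainLevelPrereq {
    # Every DC in the domain must run Windows Server 2003 or later; also report
    # whether the domain is still Windows 2000 mixed, which blocks a forest raise.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain)
    $old = @($dcs | Where-Object { $_.OperatingSystem -match 'Windows 2000|Windows NT' })
    # nTMixedDomain = 1 on the domain head object means Windows 2000 mixed.
    $mixed = (Get-ADObject -Identity $dom.DistinguishedName -Properties nTMixedDomain -Server $Domain).nTMixedDomain
    [pscustomobject]@{
        Domain      = $Domain
        CurrentMode = $dom.DomainMode
        MixedMode   = ($mixed -eq 1)
        BlockingDcs = @($old | ForEach-Object { "$($_.HostName) ($($_.OperatingSystem))" })
        Ready       = ($old.Count -eq 0)
    }
}

function Set-DomainLevelTo2003 {
    # Needs Domain Admins. A mixed-mode domain may be raised straight to 2003.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $c = Test-DomainLevelPrereq -Domain $Domain
    if (-not $c.Ready) { throw "cannot raise $Domain, older DCs present: $($c.BlockingDcs -join ', ')" }
    Set-ADDomainMode -Identity $Domain -DomainMode Windows2003Domain -Confirm:$false
    (Get-ADDomain -Identity $Domain).DomainMode
}

function Set-ForestLevelTo2003 {
    # Needs Enterprise Admins. All DCs in every domain must be Windows Server 2003
    # and no domain may still be Windows 2000 mixed; 2000 native domains are
    # raised automatically by the forest raise.
    $forest   = Get-ADForest
    $problems = foreach ($d in $forest.Domains) {
        $c = Test-DomainLevelPrereq -Domain $d
        if (-not $c.Ready) { "$d has older DCs: $($c.BlockingDcs -join ', ')" }
        if ($c.MixedMode)  { "$d is still Windows 2000 mixed" }
    }
    if ($problems) { throw ($problems -join '; ') }
    Set-ADForestMode -Identity $forest -ForestMode Windows2003Forest -Confirm:$false
    (Get-ADForest).ForestMode
}

# Usage: Test-DomainLevelPrereq; Set-DomainLevelTo2003; Set-ForestLevelTo2003
```

Run the Test function alone first and keep its output: it is the record of which domain controllers were checked before the irreversible change was made.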

45. Which is the default protocol used in directory services?
LDAP, the Lightweight Directory Access Protocol. Active Directory domain
controllers listen for it on TCP port 389 (and on 636 for LDAP over SSL/TLS); the
global catalog listens on 3268 and 3269.
46. What is multimaster replication?
In a Windows 2000 domain, all domain controllers (DCs) are equal, so you can make
changes on any DC. The directory databases of all the DCs are kept up to date with
one another through a process of multimaster replication.
Each time you make a change to Active Directory (AD), the update sequence number
(USN) of the server on which the change is made increases by one, and AD stores
the new USN together with the change. These changes must replicate to all the DCs
in the domain; the USN provides the key to multimaster replication.
USN increments are atomic: the increment to the USN and the actual change are
committed together, and if one part fails, the whole change fails. A change can’t
occur without the USN being incremented; therefore, changes can’t be lost. Each DC
keeps track of the highest USN it has already received from each DC it replicates
with (its high-watermark for that partner). This lets a DC calculate which changes
it still needs on a replication cycle.
At the start of a replication cycle, each server checks its USN table and queries
the DCs it replicates with for their latest USNs. Below is an example USN table for
Server A.
                        Domain Controller B   Domain Controller C   Domain Controller D
Highest USN seen by A   54                    23                    53
Server A queries the DCs for their current USNs and gets the following information.
                        Domain Controller B   Domain Controller C   Domain Controller D
Current USN             58                    23                    64
From this information, Server A can calculate the changes it needs from each server,
as follows.
                        Domain Controller B   Domain Controller C   Domain Controller D
Changes needed          55-58                 None                  54-64


Server A then queries each DC for the necessary changes.
Multiple changes to an object’s property can occur. Every property has a property
version number, which helps detect collisions. Property version numbers work like
USNs: Each time you modify a property, the property version number increases by
one.
If you try to modify an object’s property multiple times, the change with the highest
property version number takes precedence. A collision occurs when the property
version numbers are the same for two or more property updates. When two property
version numbers match, the timestamp helps resolve the conflict. Because every
change has a timestamp, DCs must be accurate with one another. In the unlikely
event that the property version numbers match and the timestamps match, a binary
buffer comparison occurs; the larger buffer size change takes precedence. Property
version numbers increase only on original writes (not on replication writes, as USNs
do) and aren’t server specific. Instead, a property version number travels with a
property.
A propagation-dampening scheme prevents changes repeatedly going to other
servers. Each server keeps a table of up-to-date vectors, which are the highest
originating writes received from each controller. The vectors take the following form.
,,
For example,
DCs send this information with the USNs so that they can calculate whether they
already have the change the other DCs are trying to replicate.
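The USN arithmetic, the property-version conflict rule and the up-to-date-vector check described above, as a small simulation. This is example code added for this page, not code from the original document or from Windows; the DC names and USN values are constructed to match the Server A tables in the text, and the PropertyWrite record is a stand-in for the attribute metadata a real DC keeps.

```python
"""USN bookkeeping for multimaster replication (added example, not from the
original document or from Windows). DC names and USN values are constructed
to match the Server A tables in the text."""
from dataclasses import dataclass


def changes_needed(known_usns: dict, current_usns: dict) -> dict:
    """Compare the highest USN Server A has already received from each
    partner DC with the USN that partner reports now. Returns, per partner,
    the (first, last) range of USNs still to be fetched, or None when the
    partner has nothing new."""
    needed = {}
    for dc, highest_seen in known_usns.items():
        current = current_usns[dc]
        needed[dc] = (highest_seen + 1, current) if current > highest_seen else None
    return needed


def should_apply(up_to_date_vector: dict, originating_dc: str, originating_usn: int) -> bool:
    """Propagation dampening: a DC keeps, per originating DC, the highest
    originating USN it has already received. An inbound change is applied
    only when it carries a higher originating USN than that; otherwise the
    change is already present and would just bounce between servers."""
    return originating_usn > up_to_date_vector.get(originating_dc, 0)


@dataclass
class PropertyWrite:
    """One originating write to a single property (constructed for the example)."""
    version: int      # property version number; bumped only on originating writes
    timestamp: float  # time of the write on the DC that accepted it
    value: bytes      # new binary value of the property


def resolve_conflict(a: PropertyWrite, b: PropertyWrite) -> PropertyWrite:
    """Apply the three-step rule from the text to two competing writes of the
    same property: highest property version number wins; on a tie the later
    timestamp wins; if both tie, the larger binary buffer wins."""
    if a.version != b.version:
        return a if a.version > b.version else b
    if a.timestamp != b.timestamp:
        return a if a.timestamp > b.timestamp else b
    return a if len(a.value) >= len(b.value) else b


if __name__ == "__main__":
    # Server A's USN table and the partners' current USNs, as in the text.
    known = {"B": 54, "C": 23, "D": 53}
    current = {"B": 58, "C": 23, "D": 64}
    for dc, rng in changes_needed(known, current).items():
        text = "up to date" if rng is None else f"USNs {rng[0]}-{rng[1]}"
        print(f"DC {dc}: {text}")
```

The timestamp step is why the text insists that DCs keep accurate time with one another: a DC whose clock runs fast would win every version tie, regardless of which write really happened last.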
47. Which is the command used to remove Active Directory from a domain
controller?
Dcpromo is the Windows 2000 and Windows Server 2003 GUI tool for promoting a
server to the role of Domain Controller; if the server is already a DC, dcpromo is also
the tool used to demote it back to a member server.
Dcpromo performs a specific set of checks before allowing the process to continue.
These requirements differ depending on whether the server is being promoted or
demoted. In this article we will deal with demotion issues.
Dcpromo might fail when trying to demote a Domain Controller in some cases. These
scenarios include, for example:
• There are no domain controllers currently available in the parent domain
when you try to demote the last domain controller in a child domain.
• Dcpromo cannot complete because there is a name resolution, authentication,
replication engine, or AD object dependency that you cannot resolve.
• A DC has not replicated incoming Active Directory changes in Tombstone
Lifetime (Default Tombstone Lifetime is 60 days for Windows 2000 and
Windows Server 2003 DCs, and 180 days for Windows Server 2003 SP1 and
R2 DCs) number of days for one or more naming contexts.
If you run Dcpromo on an existing DC to demote it and it fails because of one of the
above scenarios, the best course is to resolve the problem and then restart Dcpromo.
If Dcpromo still fails, you can still demote the DC by running Dcpromo with the
/forceremoval switch, which tells the process to ignore errors. Note that a
/forceremoval demotion causes the loss of any locally held changes and should be
considered a last resort, used only when absolutely necessary.
With /forceremoval, an administrator can forcibly remove Active Directory and roll
back the system without having to contact or replicate any locally held changes to
another DC in the forest.
Note: The /forceremoval switch is only supported on Windows 2000 Servers that
either have SP2 with Q332199 hotfix installed on them, or with SP4, and on Windows
Server 2003 servers.
Windows Server 2003 SP1 enhances the /forceremoval process. When it is run it
checks to determine whether the DC hosts an operations master role, is a Domain
Name System (DNS) server, or is a global catalog server. For each of these roles,
the administrator receives a popup warning that advises the administrator to take
appropriate action.
Warnings exist for the RID Master, PDC Emulator, Infrastructure Master, Naming
Master, Schema Master, DNS Server and Global Catalog Server roles (the original
shows a screenshot of each warning).
When you force the demotion of a DC, you return the operating system to a state
that is the same as the successful demotion of the last domain controller in a domain
(service start values, installed services, use of a registry based SAM for the account
database, computer is a member of a workgroup).

Note: In Windows 2000, the System event log identifies forcibly demoted DCs and
instances of the /forceremoval operation by event ID 29234. In Windows Server
2003 the System event log identifies forcibly demoted DCs by event ID 29239.
1. Click Start, click Run, and then type the following command:
   dcpromo /forceremoval
2. At the Welcome to the Active Directory Installation Wizard page, click Next.
3. At the Force the Removal of Active Directory page, click Next.
4. In Administrator Password, type the password and confirmed password that you
   want to assign to the Administrator account of the local SAM database, and then
   click Next.
5. In Summary, click Next.
6. When Dcpromo finishes, it will prompt you to click Finish.
7. Restart the server.
After you use the dcpromo /forceremoval command, all the remaining metadata
for the demoted DC is not deleted on the surviving domain controllers, and
therefore you must manually remove it by using the NTDSUTIL command.
48. What Exchange process is responsible for communication with AD?
DSACCESS
49. What is DSACCESS?
DSAccess implements a directory access cache that stores recently accessed
information for a configurable length of time. This reduces the number of queries
made to the global catalog.
50. Explain APIPA?
Automatic Private IP Addressing (APIPA) takes effect on Windows 2000 Professional
computers if no DHCP server can be contacted. APIPA assigns the computer an IP
address within the range of 169.254.0.0 through 169.254.255.254 with a subnet
mask of 255.255.0.0.
51. Where is GPT stored?
%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
52. What hidden shares exist on Windows Server 2003 installation?
Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
53. What’s the difference between standalone and fault-tolerant DFS
(Distributed File System) installations?
The standalone server stores the Dfs directory tree structure or topology locally.
Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left
with no link to the shared resources. A fault-tolerant root node stores the Dfs
topology in the Active Directory, which is replicated to other domain controllers. Thus,
redundant root nodes may include multiple connections to the same data residing in
different shared folders.
54. When should you create a forest?
Organizations that operate on radically different bases may require separate trees
with distinct namespaces. Unique trade or brand names often give rise to separate
DNS identities. Organizations merge or are acquired and naming continuity is desired.
Organizations form partnerships and joint ventures. While access to common
resources is desired, a separately defined tree can enforce more direct administrative
and security restrictions.
55. How can you authenticate between forests?
Four types of authentication are used across forests: (1) Kerberos and NTLM network
logon for remote access to a server in another forest; (2) Kerberos and NTLM
interactive logon for physical logon outside the user’s home forest; (3) Kerberos
delegation to N-tier application in another forest; and (4) user principal name (UPN)
credentials.
56. What is an incremental backup?
A "normal" incremental backup will only back up files that have been changed since
the last backup of any type. This provides the quickest means of backup, since it
only makes copies of files that have not yet been backed up. For instance, following
our full backup on Friday, Monday’s tape will contain only those files changed since
Friday. Tuesday’s tape contains only those files changed since Monday, and so on.
The downside to this is obviously that in order to perform a full restore, you need to
restore the last full backup first, followed by each of the subsequent incremental
backups to the present day in the correct order. Should any one of these backup
copies be damaged (particularly the full backup), the restore will be incomplete.
57. What is Differential Backup?
A cumulative backup of all changes made after the last full backup. The advantage to
this is the quicker recovery time, requiring only a full backup and the latest
differential backup to restore the system. The disadvantage is that for each day
elapsed since the last full backup, more data needs to be backed up, especially if a
majority of the data has been changed.
58. What is Multilevel Incremental Backup?
A more sophisticated incremental backup scheme involves multiple numbered
backup levels. A full backup is level 0. A level n backup will back up everything since
the most recent level n-1 backup. Assume a level 0 backup was taken on a Sunday.
A level 1 backup taken on Monday would only include changes made since Sunday. A
level 2 backup taken on Tuesday would only include changes made since Monday. A
level 3 backup taken on Wednesday would only include changes made since Tuesday.
If a level 2 backup was taken on Thursday, it would include all changes made since
Monday because Monday was the most recent level n-1 backup.
59. What is reverse Incremental Backup?
An incremental backup of the changes made between two instances of a mirror is
called a reverse incremental. By applying a reverse incremental to a mirror, the
result will be a previous version of the mirror.
60. What is Synthetic full backup?
A synthetic backup is a form of an incremental backup that is possible when there is
a separate computer that manages the backups. The backup server takes a typical
incremental backup of the system in question and combines this data with the
previous backups to generate a new synthetic backup. This new synthetic backup is
indistinguishable from a normal full backup and shares all the advantages, such as
faster restore times.
61. What is RAID?
RAID (Redundant Array of Inexpensive Disks) is a technique that was developed to
provide speed, reliability, and increased storage capacity using multiple disks, rather
than single-disk solutions. RAID takes multiple hard drives and allows them to be
used as one large hard drive, with benefits that depend on the scheme or level of
RAID being used.
62. What is Raid-Concatenation?
Concatenations are also known as "Simple" RAIDs. A concatenation is a collection of
disks that are "welded" together. Data in a concatenation is laid across the disks in
a linear fashion from one disk to the next. So if we've got 3 9G (gig) disks that are
made into a Simple RAID, we'll end up with a single 27G virtual disk (volume). When
you write data to the disk you'll write to the first disk, and you'll keep writing your
data to the first disk until it's full, then you'll start writing to the second disk, and so
on. All this is done by the Volume Manager, which is the "keeper of the RAID".
Concatenation is the cornerstone of RAID.
Now, do you see the problem with this type of RAID? Because we're writing data
linearly across the disks, if we only have 7G of data on our RAID we're only using the
first disk! The 2 other disks are just sitting there bored and useless. This sucks. We
got the big disk we wanted, but in terms of performance it's no better than a normal
disk drive you can buy off the shelf. There has got to be a better way.
63. What is Striping/RAID-0?
Striping is similar to concatenation because it will turn a bunch of little disks into a
big single virtual disk (volume), but the difference here is that when we write data
we write it across ALL the disks. So, when we need to read or write data we're
moving really fast, in fact faster than any one disk could move. There are 2 things to
know about RAID-0: stripe width and columns. If we're going to read and write
across multiple disks in our RAID we need an organized way to go about it.
First, we'll have to agree on how much data should be written to a disk before
moving to the next; we call that our "stripe width".
Then we'll need a far cooler term for each disk, a term that allows us to visualize our
new RAID better... "Column" sounds cool! Alright, so each disk is a "column" and
the amount of data we put on each "column" before moving to the next is our "stripe
width".
64. What is Mirroring/RAID-1?
Mirroring means keeping an identical copy of the whole RAID: if you use 3 x 9 G disks
to form a 27 G simple RAID (RAID-0), then for mirroring/RAID-1 you have to use
6 x 9 G disks. The first 27 G forms the simple RAID and the remaining 27 G becomes
the mirror of the first one. Whatever data is written to the first one is replicated to
the second one, so that if the first RAID fails the second automatically takes over.
65. What is RAID 0+1? Why is it better than 0?
RAID 0 uses striping, which means that if any one of the disks in the RAID fails, the
data is lost. RAID 0+1 uses both striping and mirroring: whatever data is on the
striped volume is also mirrored, so recovery is easier and the data is safer.
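The three layouts from questions 62 to 65, modelled as block placement on member disks: concatenation fills one disk before touching the next, striping rotates through the columns every stripe width, and a mirror writes every block to both halves so a read survives the loss of one half. This is an added example written for this page, not code from the original document or from any volume manager; the 64 KB chunk unit, the 3 x 9 GB disks and the two-chunk stripe width are constructed values.

```python
"""Block placement for concatenation, striping (RAID-0) and mirroring
(RAID-1). Added example for this page; not code from the original document
or from any volume manager. Sizes and stripe width are constructed."""

CHUNK = 64 * 1024  # the model addresses disks in 64 KB chunks (constructed unit)


def gb_to_chunks(gb: int) -> int:
    """Size of a disk or a data set, in chunks."""
    return gb * 1024 ** 3 // CHUNK


def concat_locate(chunk_no: int, disk_chunks: list) -> tuple:
    """Concatenation: fill disk 0 to the end, then disk 1, and so on.
    Returns (disk index, offset on that disk)."""
    for disk, size in enumerate(disk_chunks):
        if chunk_no < size:
            return disk, chunk_no
        chunk_no -= size
    raise ValueError("chunk lies beyond the end of the volume")


def stripe_locate(chunk_no: int, columns: int, stripe_width: int) -> tuple:
    """RAID-0: 'stripe_width' consecutive chunks go to one column, the next
    'stripe_width' chunks to the next column, wrapping after the last column.
    Returns (column index, offset on that column)."""
    stripe_no, offset = divmod(chunk_no, stripe_width)
    column = stripe_no % columns
    row = stripe_no // columns
    return column, row * stripe_width + offset


def disks_used(locate, n_chunks: int, *args) -> list:
    """Which member disks hold any part of the first n_chunks of the volume."""
    return sorted({locate(c, *args)[0] for c in range(n_chunks)})


class Mirror:
    """RAID-1 over a striped set: each half is its own stripe with the same
    geometry, every write lands on both halves, and a read is served from
    any half that has not failed."""

    def __init__(self, columns: int, stripe_width: int):
        self.columns, self.stripe_width = columns, stripe_width
        self.halves = [{}, {}]        # (column, offset) -> data, per half
        self.failed = [False, False]  # simulated loss of a whole half

    def write(self, chunk_no: int, data: bytes) -> None:
        loc = stripe_locate(chunk_no, self.columns, self.stripe_width)
        for half in self.halves:
            half[loc] = data

    def read(self, chunk_no: int) -> bytes:
        loc = stripe_locate(chunk_no, self.columns, self.stripe_width)
        for idx, half in enumerate(self.halves):
            if not self.failed[idx]:
                return half[loc]
        raise IOError("both halves of the mirror have failed")


if __name__ == "__main__":
    disks = [gb_to_chunks(9)] * 3          # 3 x 9 GB members, as in the text
    seven_gb = gb_to_chunks(7)
    print("concatenation, 7 GB written:", disks_used(concat_locate, seven_gb, disks))
    print("striping, 7 GB written:     ", disks_used(stripe_locate, seven_gb, 3, 2))
```

Running the two `disks_used` calls on the same 7 GB of data shows the point made in question 62: the concatenation has touched only disk 0, while the stripe has spread the same data over all three columns.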
66. What is RAID-5?
67. What are the types of backups?
Normal Backups: A normal backup is the first step of any backup plan. When the Normal
backup option is selected, all the selected files and folders are backed up and the archive
attribute of every file is cleared. Normal backups are the most time-consuming process, but
they are more efficient at restoration time than the other backup types.
Copy Backups: A copy backup is not part of a planned backup schedule. All the selected
files and folders are backed up, but the archive attributes of the files are not cleared.
Incremental Backups: Incremental backups are the fastest backup process. An
incremental backup backs up the files and folders that were created, modified or
changed since the last normal or incremental backup. After the backup is performed,
the archive attributes of the files are cleared. Restoring data from an incremental
backup requires the last normal backup and all the following incremental backups,
restored in the same order in which they were created.
Note: If any media in the incremental backup set is damaged or its data becomes
corrupt, the data backed up after the corruption cannot be restored.
Differential Backups: Differential backups back up those files that were created or
changed since the last normal backup. The archive attributes of the files are not
cleared after a differential backup. Restoring files from a differential backup is more
efficient than from an incremental backup.
Daily Backups: All the selected files and folders that were changed during a day are
backed up with the Daily Backups option. The files are selected by their modified
date, and the archive attributes are not cleared with this option.
68. What is a Full Backup?
A full backup is a backup of every file on a file system, whether that file has changed
or not. A full backup takes longer to accomplish and requires the most storage space
on the backup media, but it also provides the quickest restore times. A full backup
should be performed weekly or monthly on production systems, along with daily
differential backups. A full backup should also be performed before any major
planned changes to a system.
69. What is Incremental Backup?
An incremental backup is a backup of every file on a file system which has changed
since the last backup. An incremental backup is the fastest backup and requires the
least storage space on the backup media. However, incremental backups also require
the longest time and the most tapes to restore. Incremental backups should be used
only in environments where backup time or backup storage media are extremely
constrained. For most environments, a weekly full backup and a daily differential
backup represent a better plan. If you perform a full backup on Sunday along with
incremental backups every night and the system crashes on Thursday, you will need
to restore the full backup from Sunday along with the incremental backups from
Monday, Tuesday, and Wednesday. In contrast, if you perform a full backup on
Sunday and a differential every night, when the system crashes on Thursday you will
only need to restore the full backup from Sunday and the differential backup from
Wednesday.
70. What is Differential Backup?
A differential backup is a backup of every file on a file system which has changed
since the last full backup. A differential backup can be an optimal middle-ground
between a full backup and an incremental backup. A differential backup is not as
fast as an incremental backup, but it is faster than a full backup. A differential
backup requires more storage space than an incremental backup, but less than a full
backup. A differential backup requires more time to restore than a full backup, but
not as much time to restore as an incremental backup. If you perform a full backup
on Sunday and a differential every night, and the system crashes on Thursday, you
will only need to restore the full backup from Sunday and the differential backup
from Wednesday. In contrast, if you perform a full backup on Sunday and
incremental backups every night, when the system crashes on Thursday, you will
need to restore the full backup from Sunday along with the incremental backups
from Monday, Tuesday, and Wednesday. A differential backup should be performed
daily on production systems.
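The backup schemes of questions 56 to 60 and 67 to 70, as one model: the first part tracks the archive attribute the way the Windows backup types in question 67 use it (normal and incremental clear it, copy and differential leave it set), and the second part uses the numbered levels of question 58, where a full backup is level 0 and a level n backup holds every change since the most recent lower-level backup, so plain incremental (levels 0, 1, 2, 3, ...) and differential (0, 1, 1, 1, ...) schedules fall out as special cases and the restore chains of questions 69 and 70 can be computed rather than reasoned out by hand. This is an added example written for this page, not code from the original document or from any backup product; the file names, days and change sets are constructed, and the generalisation to "most recent lower level" (rather than exactly level n-1) is the rule used by level-based dump tools and matches every case the text gives.

```python
"""Backup selection and restore chains (added example for this page; not
code from the original document or from any backup product). File names,
days and change sets are constructed."""
from dataclasses import dataclass


def run_backup(kind: str, files: dict) -> list:
    """files maps a file name to its archive attribute (True = changed since
    it was last backed up). Returns the files written to media and updates
    the attributes the way each Windows backup type does."""
    if kind in ("normal", "copy"):
        selected = sorted(files)                                  # every file
    elif kind in ("incremental", "differential"):
        selected = sorted(f for f, bit in files.items() if bit)  # changed only
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("normal", "incremental"):   # only these two clear the attribute
        for f in selected:
            files[f] = False
    return selected


@dataclass(frozen=True)
class Backup:
    day: str
    level: int  # 0 = full backup


def window_start(history: list, index: int):
    """Index of the most recent earlier backup at a lower level than
    history[index], or None for a full backup. Changes made after that
    backup's day are what history[index] must contain."""
    for j in range(index - 1, -1, -1):
        if history[j].level < history[index].level:
            return j
    return None


def backup_contents(history: list, index: int, changes: dict) -> set:
    """changes maps a day to the files modified on that day before its
    backup ran. A backup holds everything changed after its window start,
    up to and including its own day; a full backup holds everything."""
    start = window_start(history, index)
    first = 0 if start is None else start + 1
    contents = set()
    for b in history[first:index + 1]:
        contents |= changes.get(b.day, set())
    return contents


def restore_chain(history: list) -> list:
    """The backups needed, oldest first, to restore to the last backup."""
    index = len(history) - 1
    chain = [history[index]]
    while history[index].level > 0:
        index = window_start(history, index)
        if index is None:
            raise ValueError("no full backup precedes this backup")
        chain.append(history[index])
    return list(reversed(chain))


if __name__ == "__main__":
    # The schedule from question 58: level 2 on Thursday reaches back to Monday.
    multilevel = [Backup("Sun", 0), Backup("Mon", 1), Backup("Tue", 2),
                  Backup("Wed", 3), Backup("Thu", 2)]
    print([b.day for b in restore_chain(multilevel)])
```

The same `restore_chain` reproduces the two Thursday-crash scenarios in the text: a week of incrementals needs Sunday plus Monday, Tuesday and Wednesday, while a week of differentials needs only Sunday and Wednesday.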
71. What are Cold Backups and Hot Backups?
The terms cold backup and hot backup are used by Oracle.
Cold Backup: Taking the database offline and copying the database files to a
different location is called a cold backup in Oracle.
Hot Backup: Taking the database backup while the database is online.
72. How can I prohibit users from using the Internet by using Group Policy
in a Windows 2000 server?
There is not a direct Group Policy setting that disables IE. There are three ways that
I can think of to disable it from functioning to connect to the Internet.
The first is using the IE policies. This method breaks IE, but does not prohibit it from
running. This solution configures the Proxy Settings incorrectly. Give it a Proxy
server name or address that does not exist, or a wrong port to use for the proxy.
You can configure this setting under User Configuration->Windows Settings->
Internet Explorer Maintenance->Connection->Proxy Settings. IE will look for a
Proxy server, but always fail.
The other two ways target the IE application directly. First, you can configure the
Don't Run Specified Windows Applications policy, which is located under User
Configuration->Administrative Templates->System. Just add in Iexplore.exe to deny
IE from running. The second way is to use a Software Restriction policy for
Iexplore.exe. You could use a path rule here, but I would suggest using a hash rule,
to ensure the file can't be moved or renamed.