
>>Run diagnostics against your Active Directory domain.
>>
>>If you don't have the support tools installed, install them from your server install disk: d:\support\tools\setup.exe
>>
>>Run dcdiag, netdiag and repadmin in verbose mode.
>>-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
>>-> netdiag.exe /v > c:\netdiag.log (On each dc)
>>-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
>>-> dnslint /ad /s "ip address of your dc"
>>
>>**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest. If you have significant numbers of DC's this test could generate significant detail and take a long time. You also want to take into account that slow links to dc's will also add to the testing time.
>>
>>If you download a gui script I wrote it should be simple to set and run (DCDiag and NetDiag). It also has the option to run individual tests without having to learn all the switch options. The details will be output in notepad text files that pop up automagically.
>>
>>The script is located on my website at http://www.pbbergs.com/windows/downloads.htm
>>
>>Just select both dcdiag and netdiag and make sure verbose is set. (Leave the default settings for dcdiag as set when selected.)
>>
>>When complete, search for fail, error and warning messages.
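As an added example (not part of the quoted post or its author's script), the Python below does the "search for fail, error and warning messages" step over dcdiag /v output and reports per DC which tests passed or failed. The sample output is constructed in dcdiag's style, not a real capture, and the DC names DC1/DC2 are made up; it also flags "RPC server is unavailable", which these notes later describe as a DNS problem.

```python
"""Summarize dcdiag /v output: per-DC pass/fail per test, plus fail/error/warning lines.

Added example; the sample below is constructed in the style of dcdiag output
(not a real capture) and the DC names DC1/DC2 are made up.
"""
import re

# Constructed sample of dcdiag /v output for two DCs (not a real capture).
SAMPLE_DCDIAG = """\
   Testing server: Default-First-Site-Name\\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC1] A recent replication attempt failed:
            From DC2 to DC1
            The replication generated an error (1722):
            The RPC server is unavailable.
         ......................... DC1 failed test Replications
      Starting test: Advertising
         Warning: DC1 is not advertising as a time server.
         ......................... DC1 failed test Advertising
      Starting test: NetLogons
         ......................... DC1 passed test NetLogons
   Testing server: Default-First-Site-Name\\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
      Starting test: Replications
         ......................... DC2 passed test Replications
"""

# "Testing server: <site>\<dc>" opens the section for one DC.
SERVER_RE = re.compile(r"^Testing server:\s+(?:.*\\)?([^\\\s]+)$")
# "......................... DC1 passed test Connectivity" is a verdict line.
RESULT_RE = re.compile(r"^\.+\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)$")
# Anything else worth a second look: the words the post says to search for.
MESSAGE_RE = re.compile(r"\b(fail(?:ed|ure)?|error|warning|unavailable)\b", re.IGNORECASE)


def summarize(text):
    """Return {dc: {"passed": [tests], "failed": [tests], "messages": [lines]}}."""
    summary = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            summary.setdefault(current, {"passed": [], "failed": [], "messages": []})
            continue
        m = RESULT_RE.match(line)
        if m:
            dc, verdict, test = m.groups()
            entry = summary.setdefault(dc, {"passed": [], "failed": [], "messages": []})
            entry[verdict].append(test)
            continue
        if current is not None and MESSAGE_RE.search(line):
            summary[current]["messages"].append(line)
    return summary


def failing_dcs(summary):
    """DCs with at least one failed test, sorted by name."""
    return sorted(dc for dc, entry in summary.items() if entry["failed"])


def hints(summary):
    """Rule of thumb from these notes: 'RPC server is unavailable' usually points at DNS."""
    out = []
    for dc, entry in sorted(summary.items()):
        if any("RPC server is unavailable" in msg for msg in entry["messages"]):
            out.append(f"{dc}: RPC unavailable during replication - check DNS (SRV records, client DNS settings)")
    return out


if __name__ == "__main__":
    result = summarize(SAMPLE_DCDIAG)
    for dc in failing_dcs(result):
        print(dc, "failed:", ", ".join(result[dc]["failed"]))
        for msg in result[dc]["messages"]:
            print("   ", msg)
    for hint in hints(result):
        print(hint)
```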

ACTIVE DIRECTORY

AD contains users, computers, shares, policies, security, groups, DFS, DHCP, DNS, RAS, VPN, firewall, database, proxy, sites, trusts, publishing index, certificates and replication.

Topics: Sites, Domains, Forests, Trusts, Roles (Schema Master, Domain Naming Master, RID Master, Infrastructure Master, PDC Emulator), Global Catalog Server, Replication, and the effect of universal groups on replication.

AD has a logical structure and a physical structure.

Server relocation is nothing but creating sites. For each forest you will have one site. A site can have multiple domains, and a domain can have multiple sites.

AD is divided into 2 parts:
1. Local domain info: talk to port 389.
2. Other domain info, held in the GC: talk to port 3268.

If a user from one domain wants to log in to another domain there is no need to talk to DNS, because it will talk to the GC, which contains the complete information. Because of the replication topology it will take 6 hrs to become a GC server.

In the registry you can see which DC is acting as GC: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion Complete. If the value is 1 then it is a GC. Alternatively: dssite.msc -> DC -> NTDS Settings -> Properties, and check whether it is a GC or not.

AD is a centralized repository of the entire forest. In AD there are 2 types of partitions:
1. Local Domain Partition
2. Global Domain Partition

AD Sites and Services: only one domain in multiple (physical) locations, but each server should have a different network address. After creating sites you should create subnets also.

(Diagram: Hyd site, 10.0.0.1, with DC1 and DNS1; Malaysia site, 80.0.0.1, with DC_MALAYSIA and DNS2_MALAYSIA.)

The root DC is in Hyd. We have opened a branch in Malaysia, so create DC_Malaysia and DNS2_Malaysia in Hyd, shut down the PCs, put them in Malaysia and join all the PCs to the domain. After creating sites, create subnets and create links between the 2 sites.

Replication within a site is called intrasite. Replication across sites is called intersite. Any DC can replicate info to other DCs that are only 3 hops away. The replication latency between 2 DCs is 15 sec.

Replication is done by 2 methods:
1. Polling (inbound)
2. Notification (outbound)

W2K3 automatically creates connections between 2 DCs; if we want to, we can also make them manually. These connections are called DRA (Directory Replication Agent) connections. One inbound and one outbound will be created. Within a site, replication is done every 1 hr.

(Diagram: ring of eight DCs, DC1 to DC8, with DC1 opposite DC5, DC2 opposite DC6, DC3 opposite DC7 and DC4 opposite DC8. Note: DC5 is not within 3 hops of DC1.)

For DC1 the replication partners are DC2, DC3, DC4 and DC6, DC7, DC8. Using the high water mark vector (algorithm) and the USN (Update Sequence Number), DC1 will inform DC2 about its changes.
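An added example, not from these notes, that models the ring diagram above in Python: a bidirectional ring of eight DCs, the set of DCs within 3 hops of DC1, and the optimizing connections a KCC-style pass adds so that no two DCs are more than 3 hops apart. The per-hop latency of 15 seconds is the figure stated above; hop counting on an undirected ring is this example's assumption.

```python
"""Intra-site ring topology and the 3-hop rule (added example, not from these notes).

Models the eight-DC diagram: the KCC builds a bidirectional ring and adds
optimizing connections so that no DC is more than MAX_HOPS from any other.
"""
from collections import deque
from itertools import combinations

MAX_HOPS = 3           # notes: a DC replicates only with DCs at most 3 hops away
PER_HOP_SECONDS = 15   # notes: replication latency between 2 DCs is 15 sec


def ring(names):
    """Bidirectional ring: each DC is connected to its two neighbours."""
    graph = {n: set() for n in names}
    for i, n in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        graph[n].add(nxt)
        graph[nxt].add(n)
    return graph


def hops(graph, start):
    """Breadth-first hop count from start to every reachable DC."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nb in graph[node]:
            if nb not in dist:
                dist[nb] = dist[node] + 1
                queue.append(nb)
    return dist


def partners(graph, dc, max_hops=MAX_HOPS):
    """DCs within max_hops of dc (dc itself excluded), sorted by name."""
    return sorted(n for n, d in hops(graph, dc).items() if 0 < d <= max_hops)


def convergence_seconds(graph, per_hop=PER_HOP_SECONDS):
    """Worst-case time for a change to reach every DC: longest path times per-hop latency."""
    return max(d for a in graph for d in hops(graph, a).values()) * per_hop


def add_optimizing_connections(graph, max_hops=MAX_HOPS):
    """Connect the farthest-apart pair until every pair is within max_hops.

    Mutates graph; returns the connections added, in order.
    """
    added = []
    while True:
        worst = None
        for a, b in combinations(sorted(graph), 2):
            d = hops(graph, a).get(b)
            if d is not None and d > max_hops and (worst is None or d > worst[0]):
                worst = (d, a, b)
        if worst is None:
            return added
        _, a, b = worst
        graph[a].add(b)
        graph[b].add(a)
        added.append((a, b))


if __name__ == "__main__":
    site = ring([f"DC{i}" for i in range(1, 9)])
    print("DC1 partners within 3 hops:", partners(site, "DC1"))
    print("DC1 -> DC5 hops:", hops(site, "DC1")["DC5"])
    print("worst-case convergence before (s):", convergence_seconds(site))
    print("connections added:", add_optimizing_connections(site))
    print("worst-case convergence after (s):", convergence_seconds(site))
```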

Active Directory files: the NTDS folder under WINNT (or WINDOWS) contains Schema.ini, Ntds.dit, Edb.log, Edbxxxx.log, Edb.chk, Res1.log and Res2.log.

(Diagram: two sites, each with 50 clients on a TCP/IP LAN, connected over a WAN by RAS using TCP/IP, L2F, L2TP, PPTP and PPP. Site 1: router 202.4.1.49, DC1, DNS1. Site 2: router 202.4.1.50, DC2, DNS2. Between the sites: force manual replication.)

Active Directory and DNS will have information about sites. Two sites will differ by IP address and subnet.

Forest Wide Roles: 1. Domain Naming Master and 2. Schema Master.

Domain Naming Master: there should be only one domain naming master in the entire forest at any time, and it controls the addition or removal of domains in the forest. The Domain Naming Master will have the list of domains. Without the Domain Naming Master you cannot add or demote domain controllers. To know which DC is acting as DNM: domain.msc -> right-click Active Directory Domains and Trusts -> Operations Master. A role can be transferred from one domain to another domain. Seize the role if the holder is not working. Note: Seize = if the main domain is lost then seize the role on the ADC. To demote an ADC you should get permission from the DC. Note: according to Microsoft both DNM and Schema Master should be on the same computer. All these roles are called flexible single master operation (FSMO) roles because, according to Microsoft, you can move any role to any DC.

Schema Master: the schema is the definition of classes and attributes. The first domain controller in the forest will hold the role called Schema Master. If you want to see the schema: MMC -> Add/Remove Snap-in -> Add -> Active Directory Schema -> right-click -> Operations Master; there you will know who is acting as Schema Master. Always select a PC which is fast and has more space to make the Schema Master. Every domain controller will have a copy of the schema. In Win2K you can add classes (ex: user, computer, etc.) but you cannot delete or modify them, whereas in Win2K3 you can add, modify and delete classes and attributes. Only members of Schema Admins can modify the schema, and this is done on the first DC in the forest, which acts as the Schema Master. First register the DLL: cmd -> regsvr32 c:\winnt\system32\schmmgmt.dll; you will get the message "succeeded". To see the attributes of user: mmc -> Active Directory Schema -> Classes -> user -> Properties.

To create a class: right-click Classes -> Create Class. But you cannot create one in practice, because you need to know the object ID etc., and for that you have to mail Microsoft. When you install Active Directory it takes the default schema from schema.ini, which will be in \winnt\system32\schema.ini. Dcpromo = ntds.dit + schema.ini. Before running dcpromo, schema.ini will be in the Ntds folder. After running dcpromo, schema.ini is no more, because all info will be stored in ntds.dit.

When a user is created, it will first be in the edb.log file, then an entry is written in the edb.chk (exchange database checkpoint) file, then it is transferred to ntds.dit. The maximum size of edb.log is 10 MB, the standard size according to Microsoft. If the edb.log file is full then an edbtemp.log file is automatically created, edb.log is renamed to edb00001.log and edbtemp.log is renamed to edb.log. This process is called circular logging.

The schema is the same throughout the forest. The official recommendation from Microsoft is: when you transfer the Domain Naming Master, transfer the Schema Master too, and when you seize the DNM, seize the Schema Master also. User = class; attributes: age, sex, height, weight etc.

Domain Wide Roles: PDC Emulator, RID Master, Infrastructure Master.

PDC Emulator: the first domain controller in every domain holds this role. The PDC Emulator keeps track of changing passwords in native mode and helps NT BDCs in mixed mode. Note: if a user password is changed on DC2 it will inform the PDC Emulator, and this role can be seized to any of the DCs. The domain wide roles RID, PDC and Infrastructure can be transferred to other DCs.

Relative Identity Master (RID): the first domain controller in every domain will act as RID Master. It issues the numbers that are given to objects when they are created. When an object is created a number is given, i.e., the SID. When a user or computer is created it gets one SID, and when a file or folder is created it gets one GUID. The SID is a combination of the Domain ID and the RID. Example: S-1-5-21-1659004503-117609710-839522115-500

  S                                  SID
  1                                  version no. (constant)
  5                                  issuing authority (NT Authority, constant)
  21                                 constant no.
  1659004503-117609710-839522115     Domain ID (these 3 are randomly generated)
  500                                RID

Note: here in the Domain ID, 21 is given by a program called NTLSA (Local Security Authority) in 2K3. Every RID will start from 500 in W2K because the program is written like that. A PDC is programmed to start RIDs from 1001. A DC is programmed to start RIDs from 500. UNIX is programmed to start RIDs from 0. The actual RID pool size is 500. The maximum size of the pool is 2^30 = 1073741824, and 1073741824/500 = 2147483 pools.

(Diagram: PDC with users 1001 to 1042; BDC; DC continuing from 1043.) In the PDC, users 1001 to 1042 were created. Now the PDC is promoted to a DC; then 1001 to 1042 will remain the same and the extra ones will start from 1043 in mixed mode, whereas in native mode the RID uses the range randomly. Note: according to mixed mode it has to start from 1043, but the RID master will tell the BDC not to maintain the sequence. To change the RID value: regedit -> HKLM\SYSTEM\CurrentControlSet\Services\NTDS\RID Values. SP4 will come with W2K3; if you have SP4 then when 50% of the pool remains the DC asks the RID master to issue RIDs, otherwise without SP4 it waits until 20% remains. Note: according to Microsoft both RID Master and PDC Emulator should be on the same computer.

Special Role: Global Catalog Server. The GC contains partial information about the other domains. Any number of GCs can be present. Advice 1: let there be GCs in every domain. Advice 2: if you have 2 sites, let there be 2 GCs, one in each site. Advice 3: if you have 3 mail servers then let there be 3 GCs.

By default when you install the Server OS it installs AD; that is why it will not ask for the CD when you run dcpromo, but for DNS it will ask for the CD. Active Directory is common to all the DCs.

There are 2 types of profiles: 1. Roaming profiles. 2. Mandatory profiles. A file server can be created in 2 ways: Group Policy, or manual settings (home folder). Note: where there is a profile server there should be a file server.

PDC Emulator in mixed mode: when you are promoting BDCs to ADCs, the BDC will ask for information from DC1 in the form of SAM, but it will show Active Directory. Note: you cannot install an NT BDC in native mode.

(Diagram: RID Master. DC1, holding AD, issues RID ranges to DC2, DC3, BDC4 and BDC5; ranges shown: 100 users on the PDC, 101-1000 users, 1001-10000 users.)

Note: even if the objects increase, the DCs will contact DC1, which is acting as RID Master.

DFS (Distributed File System)

DFS Root -> DFS Link. You can create n number of links. The moment you create a DFS root it will be published in Active Directory. There are 2 types of roots:
1. Domain root: it maintains a copy of the root in AD.
2. Standalone root: it displays links on your local PC and is not maintained in AD.
Right-click on the root -> Check Status: a green link is OK. Dsa.msc -> System -> Dfs-Configuration.

In Win2K and 2K3 Standard Edition a DFS server can hold only one root, but in Win2K3 Enterprise a DFS server can hold multiple roots. A DFS server acts as a traffic cop or receptionist. When an end user contacts DFS for information it replies with the PKT (Partition Knowledge Table), which contains the address, type of OS and referral time (diagram: referral time 1800, OS W2K, address C100).

Root links are called the tree of DFS. The DFS structure is stored in the registry:
NT/2K: HKLM\System, supports 3-4 MB, can create 2000 links.
2K3: HKLM\Software, supports 13 MB, can create 10,000 links.

DFS information is stored in Active Directory as FTDFS (Fault Tolerant DFS). In NT the LAN Manager Replicator (LM Repl) takes care of replication. In 2K and 2K3 FRS (File Replication Service) takes care of replication.

Note: DFS is replicated to all DFS replicas by using FRS. FRS uses the RPC protocol. Domain replication uses RPC and SMTP. The recommended limit from Microsoft is 3-4 MB, 1000 links. There is no replication in standalone. Take a root replica. In FRS, 8 files are replicated at a time. In a domain you cannot create more than 32 root replicas including the main root, but practically, according to Microsoft, 32 will not work, only 15.

Standalone (disadvantages): no fault tolerance; more links; no replica.
Domain (advantages): fault tolerance; fewer links; replica.

NetBIOS is used behind a bridge or router, or in a network of not more than 255 computers. The modified version of NetBIOS is SMB. NetBIOS is the interface and NetBEUI is the protocol. A program written to act like a BIOS is called emulation, meaning changing NetBIOS to TCP/IP (netbt.sys). Using NetBIOS, computers communicate through names and MAC addresses. Every computer will have a hosts.txt file in \winnt\system32\drivers\etc. When you ping a computer it first checks in hosts.txt; if the entry is not there then it goes to DNS. To see the broadcast name resolutions after pinging, type: nbtstat -r. UNICODE allocates 2 bytes to a character.

Depending on the OS, DNS servers are called BIND (Berkeley Internet Name Domain) servers. WinNT uses BIND version 4.9.4; Win2K and 2K3 use BIND version 8.1.2; RedHat Enterprise uses the latest BIND version, 9.2. Two computers communicate in frames (packets) through MAC addresses.

MAC address example: 00-50-BA-80-2B-B7. The first half (00-50-BA) represents the company name. Note: you can change the MAC address of reputed companies like D-Link, Intel etc.

Three types of communication: 1. Broadcast 2. Unicast 3. Multicast. Multicast addresses start from 224.0.0.0.

(Diagram: a broadcast frame from C1 to C4 with destination MAC ff.ff.ff.ff.ff.ff. The frame carries "my name", "my MAC" and the destination computer name. Note: a destination MAC address of all FFs indicates the broadcast address.)

The ARP cache (in RAM) contains only MAC addresses and IP addresses; it does not remember host names. ARP is updated every 15 min in RAM. We can change this behavior in the registry. When you see "Preparing Network Connections" it is nothing but ARP going on: the computer is shouting "this is my hostname, this is my IP address, and this is my MAC address".

DNS

DNS maintains the hosts.txt file in the form of a database. A zone is nothing but a database or a domain. A zone contains a list of hostnames and IP addresses. DNS always communicates in the form of fully qualified names, ex: Proxy.xltelecom.com.

Forward lookup zone: if you give a host name it gives the IP address. Reverse lookup zone: if you give an IP address it gives the hostname. In mail servers the reverse lookup zone is used. DNS servers are always named NS1, NS2 etc. An entry in the zone is called a host record or A type of record. When creating an MX record, don't include the host name. The DNS client is called the Resolver service. Every domain will have its own DNS server (port no. 53). Any computer can talk to Active Directory through port nos. 389, 3268 and 88. Resource records, also called service (SRV) records, tell the computer roles; through DNS they tell clients which computer is a domain controller. To find out whether the port is open type: telnet <ip address> 53. When clients talk to DNS they use the UDP protocol.

There are 3 types of zones: 1. Primary zone 2. Secondary zone 3. Stub zone. There will be only one primary zone in a domain and there can be unlimited secondary zones. The option "Store in Active Directory" is there only on the root DC, not on other DCs. If you want to check the reverse lookup zone go to nslookup. To create SRV records go to Forward Lookup Zone -> right-click -> Other New Records -> SRV. DNS communicates with Active Directory through LDAP. A minimum of 16 to 18 resource records should be created in Active Directory.

Note: Kerberos (Realm) takes care of authentication. Mostly authentication servers and logon servers are Linux machines. There are 2 types of records: 1. IN (Internet record) 2. HESIOD (Massachusetts Institute of Technology (MIT) uses this type of record). Records are stored in netlogon.dns: \windows\system32\config\netlogon.dns. A zone is created in the form of a database file: \windows\system32\dns\xltelecom.com.dns.

If your web server and DNS server are the same then start this service: iisstart. If you have 2 machines, Linux and Windows, and you have created users on the Linux machine which is not in the domain, even then there will be a trust between the Linux machine's Kerberos and the Win2K machine's Kerberos (Realm).

DNS commands: 1. ipconfig /registerdns 2. ipconfig /flushdns 3. ipconfig /displaydns

TSIG is a security protocol for DNS. Earlier the Internet (root domains) was maintained by ICANN, IANA, IETF, WWW. Now it is maintained by VeriSign. A RAS server will have 17 slots and in each slot 30 customers can connect. Root domains will be in \winnt\system32\cache.dns.

The primary zone is created in the forward lookup zone. The secondary is created in the reverse lookup zone. If a parent domain wants to talk to a child domain use delegation. Delegation is done only in the primary zone (main DNS server). If a child domain wants to talk to the parent domain's DNS use root hints. If any change made in the child domain should immediately be known to the parent domain, or replicated to the parent domain, then use a stub zone. If you have multiple root domains or child domains use forwarders.

(Diagram: www.yahoo.com NS1 delegates to chat.yahoo.com NS1 and mail.yahoo.com NS1; mail.yahoo.com delegates to hyd.mail.yahoo.com NS1. Forwarders and root hints point from the child domains back up to the parent.) From the parent you delegate to all child domains. In 2000 root hints will not be there, but when you connect to the internet they will be displayed.

When the primary DNS is talking to the secondary DNS it communicates through TCP. When a client talks to the primary DNS it uses UDP. In DNS Server Properties -> Debug Logging you have to create a log file (txt file) on any drive and give the path in debug logging. When you are creating a primary DNS and it is not AD integrated then the information is maintained in the local registry and in \winnt\system32\dns\xltelecom.dns. In the registry: Software -> Windows NT -> CurrentVersion -> DNS Server -> Zones; from here the computer takes the information. In the registry: HKEY_LOCAL_MACHINE -> System -> Tcpip -> Parameters; here if you create the key for automatic updates and put the value 1 then it will not talk to DNS.

The AD integrated option is enabled only when you are installing the primary DNS on a DC. If you want an AD integrated primary zone then create it on a DC; you can change this into a secondary. If the DNS server is not created on a DC then you cannot change it to primary or secondary. If you want to know whether your DNS server is AD integrated then go to dsa.msc -> View -> Advanced Features -> System -> Microsoft DNS.

SOA: Start of Authority (for secondary zones). It answers:
1. When do I talk to the primary for changes?
2. Who is the responsible person?
3. When to stop its work?
4. TTL (if any client asks the secondary for an IP address, the DNS server gives the IP address and tells it to remember it for 3 minutes).

5. Who is my primary?
6. TTL, 2 types: (a) TTL of the DNS zone (resolved IP) (b) TTL of the SOA.

The SOA is a record maintained by the primary (used when the secondary is communicating with the primary). Cmd: runas /user:imtiaz@xltelecom.com "mmc.exe dnsmgmt.msc". In the SOA, Primary Server: xltelecomdc.xltelecom.com. Responsible Person: imtiaz.xltelecom.com. Note: there should be a trailing dot (.) at the end of the primary server and responsible person names. In Zone Properties -> Name Servers, by default only the primary DNS server is added; if you have secondary servers you have to add them manually. A secondary zone means a copy of the primary zone is maintained on the secondary.

WINS cannot have resource records. It contains only IP addresses and host names. WINS is very fast compared to DNS. It is implemented in sites.

Zone aging/scavenging properties:
No-refresh interval: by default it will be 7 days, because DNS tells the client "don't talk to me till 7 days", since that increases network traffic.
Refresh interval: it is nothing but the renewal time. Note: in ISPs the refresh interval will be kept at 1 day.
If you create records manually then you have to delete them manually.

The stub zone is copied from SUN Systems. If you have 10 sub domains then you have to add 10 domain IPs in root hints and give delegation to all 10 domains, otherwise one domain will not have information about the other domains. Delegation is on a per domain basis; it does not care about hierarchy. A stub zone remembers 3 records: 1. SOA records 2. Host records 3. Name servers. Advantage of a stub zone: if the IP or any setting is changed in the child domain it is intimated to the parent domain. Note: even if there is delegation, without a stub zone it will not update. Even if DNS is AD integrated its information is stored in the registry, in AD and in \winnt\system32\dns\xltelecom.com.dns. If AD fails then first take a System State backup, make one dummy domain, install Active Directory and restore the System State backup.
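An added example (not from these notes) that models the no-refresh and refresh intervals described above in Python: a dynamic record can only be refreshed once it is out of the no-refresh window, a record not refreshed within no-refresh + refresh becomes eligible for scavenging, and manually created (static) records are never scavenged. The 7-day default and the ISP's 1-day refresh interval are the figures given above; the record names and addresses in the sample are constructed.

```python
"""DNS zone aging/scavenging model (added example, not from these notes)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ZoneAging:
    no_refresh: timedelta = timedelta(days=7)   # notes: default 7 days
    refresh: timedelta = timedelta(days=7)      # renewal window; the notes say ISPs use 1 day


@dataclass
class Record:
    name: str
    rtype: str
    data: str
    timestamp: Optional[datetime]   # None = created manually (static): never aged


def state(record, aging, now):
    """'static', 'no-refresh', 'refresh' or 'stale' for this record at time now."""
    if record.timestamp is None:
        return "static"
    age = now - record.timestamp
    if age < aging.no_refresh:
        return "no-refresh"          # re-registrations are ignored: cuts network traffic
    if age < aging.no_refresh + aging.refresh:
        return "refresh"             # the client may renew; the timestamp is updated
    return "stale"                   # eligible for scavenging


def try_refresh(record, aging, now):
    """A client re-registering the same data. Returns True if the timestamp moved."""
    if state(record, aging, now) in ("static", "no-refresh"):
        return False
    record.timestamp = now
    return True


def scavenge(records, aging, now):
    """Split records into (kept, removed); only stale dynamic records are removed."""
    kept, removed = [], []
    for r in records:
        (removed if state(r, aging, now) == "stale" else kept).append(r)
    return kept, removed


if __name__ == "__main__":
    # Constructed sample zone (names and addresses are made up).
    t0 = datetime(2004, 7, 14, 21, 30)
    aging = ZoneAging()
    zone = [
        Record("proxy", "A", "10.0.0.5", t0),     # dynamic, keeps re-registering
        Record("oldpc", "A", "10.0.0.77", t0),    # dynamic, client gone
        Record("ns1", "A", "10.0.0.2", None),     # created manually: static
    ]
    for day in (3, 10, 15):
        now = t0 + timedelta(days=day)
        print(f"day {day}:", {r.name: state(r, aging, now) for r in zone})
        try_refresh(zone[0], aging, now)          # proxy's client tries to renew
    kept, removed = scavenge(zone, aging, t0 + timedelta(days=15))
    print("scavenged:", [r.name for r in removed])
```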

Stub zones are used only in internet domains, not in intranets. Delegation: changes in DNS in the child domain are not replicated to the parent domain. Stub zone: changes in DNS in the child domain are replicated to the parent domain. Note: never use a stub zone in an intranet because performance will be slow; the stub zone is only for external domains.

DHCP

Earlier DHCP was called BootP. Issues: 1. Migration 2. Backup DHCP 3. IP release duration. Note: when a client broadcasts it asks the DHCP server "what is my IP"; the packet the client sends to the DHCP server is called DHCP Discover. So DHCP will also broadcast. Excluded IPs are the ones kept static for DCs, NS and web servers. Mostly the DHCP server is based on NT because migration is a problem. The DHCP server listens on port no. 67; the DHCP client listens on port no. 68. In WinNT the IP release duration is 3 days. In W2K and W2K3 the duration is 8 days; after 8 days you have to renew. Reservations are used mostly for mobile users. Static servers, which will not move, are excluded. Two types of classes: user class and vendor class.

If two different ranges of IPs want to communicate then we need a router. Suppose we do not have a router: then add the other IPs in each TCP/IP properties and ping. On the router the BootP forwarding protocol is used. Ping uses the ICMP protocol. If you are configuring a router then you have to enable IP forwarding in RRAS. There is a new feature called Media Sense in W2K3. In Routing and Remote Access -> IP Routing -> right-click General -> New Routing Protocol -> right-click RIP -> New Interface (internal and external) -> assign your IP. Cmd: net stop rras; net start rras. In the registry we have to enable IP forwarding: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter, make it 1 from 0.

Every computer will have a routing table. To see it type: route print; for this we need not depend on RIP. According to Microsoft there should not be more than 2 DHCP servers.

After installing DHCP we have to authorize it in AD: right-click on the server and click Authorize.

:> ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server proxy.xltelecom.com

If you see an "RPC unavailable" error, it is a DNS error. Configuring scope options in DHCP is nothing but assigning the gateway and DNS. There is an extra tab in 2K3 DHCP: if you select "Obtain an IP address automatically" then the Alternate Configuration tab is seen. In Scope Options you have to select DNS Servers and ARP Cache Timeout.

Vendor class: the system is identified by vendor. Suppose you are using SUN machines; then you need to create a vendor class, for which you have to get an ID from SUN, or they will give a floppy through which the ID is assigned automatically. User class: we can assign different ranges of IP addresses or classes in a user class. :> ipconfig /setclassid RTL8139 HR

If you have 95, 98, NT and UNIX clients in DHCP then there is a setting in DHCP where it updates DNS on behalf of the clients. These (old) clients are called legacy clients because old OSes cannot update DNS, except 2K clients. DHCP communicates with DNS through an authentication protocol called Kerberos; there DHCP generates TSIG keys.

Knowledge Consistency Checker (KCC), USN and the high water mark vector take care of replication between DCs. A user contains 470 attributes. In W2K all 470 attributes are replicated between DCs, whereas in W2K3 we can select which attributes should be replicated.

There are 2 types of lists: (a) DACL (Discretionary Access Control List) (b) SACL (Security Access Control List). The Discretionary Access Control List (DACL) contains SIDs (system identifiers). The Security Access Control List (SACL) contains the audit of PCs.

To see the shares on the local computer: net share

WELL KNOWN SIDS
S-1-0-0   = Null Session ID
S-1-1-0   = Every Group
S-1-2-0   = Local Group
S-1-3-0   = Creator Owner Group
S-1-3-1   = Users Primary Group
S-1-5     = NT Authority
S-1-5-1   = Dialup User
S-1-5-2   = Network User
S-1-5-3   = Batch Jobs
S-1-5-4   = Interactive Group
S-1-5-6   = Service
S-1-5-7   = Anonymous Login
S-1-5-8   = Proxy
S-1-5-9   = Enterprise Admins Group
S-1-5-11  = Authenticated User Group (Important)
S-1-5-13  = Terminal Services User
S-1-5-18  = Local System
S-1-5-19  = Local Service (New in 2K3)
S-1-5-20  = Network Service (New in 2K3)
S-1-5-30  = All Built-in Local Groups

WELL KNOWN RIDS
500 = Administrator
501 = Guest
502 = Kerberos
512 = Domain Admins
513 = Domain Users
514 = Domain Guests
515 = Domain Computers
516 = Domain Controllers
518 = Schema Admins
519 = Enterprise Admins
544 = Local Administrators
545 = Local Users
546 = Local Guests
547 = Power Users
548 = Account Operators
549 = Server Operators
550 = Print Operators
551 = Backup Operators
552 = Replicators
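An added example, not from these notes, serving both the SID breakdown in the RID Master section above and the well-known RID list just above: a Python SID parser that splits S-1-5-21-<domain>-<RID> into the parts named there, looks up the well-known RIDs, and a simplified model of a DC drawing RIDs from a 500-RID pool and asking the RID master for the next pool at the 50% (SP4) or 20% threshold. The example SID, pool size and thresholds are the page's; the RidMaster and DomainController classes are this example's own model, not Windows code.

```python
"""SID layout, well-known RIDs and RID pool allocation (added example, not from these notes)."""
from dataclasses import dataclass

# Well-known RIDs as listed in the notes.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "Kerberos",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
    544: "Local Administrators", 545: "Local Users", 546: "Local Guests",
    547: "Power Users", 548: "Account Operators", 549: "Server Operators",
    550: "Print Operators", 551: "Backup Operators", 552: "Replicators",
}


@dataclass(frozen=True)
class Sid:
    """S-<revision>-<authority>-<sub-authorities...>-<rid>."""
    revision: int            # the "1" in S-1-5-21-...: version number
    authority: int           # the "5": issuing authority, NT Authority
    sub_authorities: tuple   # (21, dom1, dom2, dom3) for a domain SID
    rid: int                 # last part: the relative identifier

    @classmethod
    def parse(cls, text):
        parts = text.split("-")
        if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
            raise ValueError(f"not a SID: {text!r}")
        nums = [int(p) for p in parts[1:]]
        return cls(nums[0], nums[1], tuple(nums[2:-1]), nums[-1])

    @property
    def domain_id(self):
        """The three randomly generated numbers after the constant 21; () if not a domain SID."""
        if len(self.sub_authorities) == 4 and self.sub_authorities[0] == 21:
            return self.sub_authorities[1:]
        return ()

    def well_known_name(self):
        return WELL_KNOWN_RIDS.get(self.rid)

    def __str__(self):
        return "-".join(str(p) for p in ("S", self.revision, self.authority,
                                         *self.sub_authorities, self.rid))


@dataclass
class RidMaster:
    """Domain-wide role (model): hands out non-overlapping RID pools."""
    next_rid: int = 1001     # notes: the PDC is programmed to start RIDs from 1001
    pool_size: int = 500     # notes: the actual RID pool size is 500

    def issue_pool(self):
        start, self.next_rid = self.next_rid, self.next_rid + self.pool_size
        return (start, start + self.pool_size - 1)


@dataclass
class DomainController:
    """A DC (model) creating objects from its pool and fetching the next pool early."""
    name: str
    master: RidMaster
    domain_id: tuple
    threshold: float = 0.5   # notes: ask at 50% remaining with SP4, 20% without
    current: tuple = None    # (next_free, last)
    standby: tuple = None    # next pool, fetched ahead of time
    requests: int = 0

    def _request(self):
        self.requests += 1
        return self.master.issue_pool()

    def allocate_rid(self):
        if self.current is None:
            self.current = self._request()
        rid, last = self.current
        remaining = last - rid                       # RIDs left after this one
        if self.standby is None and remaining <= self.threshold * self.master.pool_size:
            self.standby = self._request()           # ask the RID master before running dry
        self.current = (rid + 1, last) if remaining else self.standby
        if remaining == 0:
            self.standby = None
        return rid

    def create_user(self):
        return Sid(1, 5, (21, *self.domain_id), self.allocate_rid())


if __name__ == "__main__":
    admin = Sid.parse("S-1-5-21-1659004503-117609710-839522115-500")
    print(admin.domain_id, admin.rid, admin.well_known_name())
    dc = DomainController("DC2", RidMaster(), admin.domain_id)
    users = [dc.create_user() for _ in range(600)]
    print(users[0], users[-1], "pool requests:", dc.requests)
```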

GROUP POLICY

Tools: Group Policy Editor (2K and 2K3); Group Policy Management Console (GPMC), 2K3 + SP1; SMS (System Management Console), used in NT; MARIMBA; FAZAM (Full Armor); Tivoli (IBM); ELM (Enterprise LAN Manager).

When a policy is created it is called a GPO (Group Policy Object). Every computer will have a Local Group Policy. Policies can be created for DCs, Domain, OU and Site. When a computer starts it loads computer settings (policies) from the DC (if there are policies). When a user logs in it loads user settings (policies) from the DC (if there are policies). By default 2 policies are created in SYSVOL: 1. Domain level 2. Domain Controller level. Group policies are identified by GUIDs. Whenever a group policy is created, a GPC (group policy container) and a GPT (group policy template) are created in AD. A template is nothing but predefined fill-in-the-blanks. We can add templates by right-clicking Administrative Templates. GP is a combination of administrative (predefined and independent) templates.

Winlogon is the file which loads computer policies at the client when the computer starts. USERENV (user environment) is the file which loads user policies at the client when the user logs in; userenv.dll downloads the policies from SYSVOL. The DLLs responsible at the client level are listed in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\<guids>.

Group Policy type                     GPT file                    Client side extension (CSE)
Registry                              Registry.pol                Userenv.dll
Folder Redirection                    Fdeploy.ini                 Fdeploy.dll
Logon/logoff, startup/shutdown        Scripts.ini                 Gptext.dll
Security                              GptTmpl.inf                 Scecli.dll
Software Restriction                  Registry.pol                OS
Software Deployment                   *.aas files                 Appmgmts.dll
Disk Quotas                           Registry.pol                Diskquota.dll
EFS or PKI (encryption)               Certificates stored in AD   Scecli.dll
IE                                    Install.ins                 Iedkcs32.dll
RIS                                   Oscfilter.ini               BINL (Binary info negotiation layer)
QoS (Quality of Service)              AD                          Gptext.dll

There are 5 levels of policies: 1. Local policy 2. Site 3. Domain policy 4. Domain Controller policy 5. OU. Regular group policy does not apply to the administrator (Group Policy filtering). Winlogon.exe is the process through which a client downloads policies from SYSVOL. When you create a policy, link it to its respective level. You can delete the link, but you cannot delete the DC policy permanently. You cannot delete the default policies, which are created by the system.

Auditing:
1. Create a folder -> Properties -> Security -> Auditing -> Add -> Success, Failure.
2. GP -> Audit Policy -> Audit object access; check the auditing in eventvwr -> Security.
3. Audit account logon events: DC authentication.
4. Audit logon events: client computer authentication.
5. Audit process tracking: only for programmers.
6. Do not add Authenticated Users in a policy, because some policy will then apply to administrators. So create a group, then create the policy and apply it to the group.

Note: a plug-in is a mediator between the browser and an application. It is a tiny component to enhance the browser's behavior.

BACKUP & RESTORE

1. Who can backup
2. What files and folders to backup
3. Where to backup
4. When to backup
5. How to backup
6. What software is available to backup

Cmd: ntbackup.exe. Software: VERITAS, LEGATO, SUNBELT, ARC SERVE, ULTRA BKUP, WINDOWS BKUP. In 2K3 the Automated System Recovery and Volume Shadow Copy features are there. You cannot take a registry backup remotely. The backup name format should be like, ex: Sdata_14jul04_9.30pm_imi.bkf. When you start a backup, in 2K3 it first checks the status of Volume Shadow Copy, but in 2K it starts the backup immediately. Differential does not affect the archive bit; Normal and Incremental affect the archive bit. To restore users, policies and group memberships in NT we need to take the backup of the Emergency Repair Disk and the registry.

How to view and transfer FSMO roles in the graphical user interface

SUMMARY

There are five Flexible Single Master Operations (FSMO) roles in a Windows 2000 forest. There are two ways to transfer a FSMO role in Windows 2000. This article describes how to transfer all five FSMO roles by using Microsoft Management Console (MMC) snap-ins. The five FSMO roles are:

Schema Master - One master role holder per forest. The schema master FSMO role holder is the domain controller responsible for performing updates to the directory schema.

Domain Naming Master - One master role holder per forest. The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory.

Infrastructure Master - One master role holder per domain. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

RID Master - One master role holder per domain. The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain.

PDC Emulator - One master role holder per domain. The PDC emulator FSMO role holder is a Windows 2000 DC that advertises itself as the primary domain controller (PDC) to earlier version workstations, member servers, and domain controllers. It is also the Domain Master Browser and handles password discrepancies.

Transferring FSMO Roles with MMC Tools

You can transfer all five FSMO roles through the MMC tool in Windows 2000. In order for a transfer to work both computers must be available on-line. If a computer no longer exists, then the role must be seized. To seize a role, you must use a utility called Ntdsutil. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Transferring the Domain-Specific Roles: RID, PDC, and Infrastructure Master

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the icon next to Active Directory Users and Computers, and then click Connect to Domain Controller. NOTE: If you are not on the domain controller where you want to transfer the role, you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer.
3. Click the domain controller which will be the new role holder, and then click OK.
4. Right-click the Active Directory Users and Computers icon, and then click Operations Masters.
5. In the Change Operations Master dialog box, click the appropriate tab (RID, PDC, or Infrastructure) for the role you want to transfer.
6. Click Change in the Change Operations Master dialog box.
7. Click OK to confirm that you want to transfer the role.
8. Click OK.
9. Click Cancel to close the dialog box.

Transferring the Domain Naming Master role

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click the Active Directory Domains and Trusts icon, and then click Connect to Domain Controller. NOTE: If you are not on the domain controller where you want to transfer the role, you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer.
3. Click the domain controller that will be the new role holder, and then click OK.
4. Right-click Active Directory Domains and Trusts, and then click Operations Masters.
5. In the Change Operations Master dialog box, click Change.
6. Click OK to confirm that you want to transfer the role.
7. Click OK.
8. Click Cancel to close the dialog box.

Transferring the Schema Master Role

You can use the Schema Master tool to transfer the role. However, the Schmmgmt.dll dynamic-link library must be registered in order to make the Schema tool available as an MMC snap-in.

Registering the Schema Tool Click Start, and then click Run. Type regsvr32 schmmgmt.dll, and then click OK. A message should be displayed stating that the registration was successful. Transferring the Schema Master Role 1. 2. 3. 4. 5. 6. 7. 8. Click Start, click run, type mmc, and then click OK. On the Console, menu click Add/Remove Snap-in. Click Add. Click Active Directory Schema. Click Add. Click Close to close the Add Standalone Snap-in dialog box. Click OK to add the snap-in to the console. Right-click the Active Directory Schema icon, and then click Change Domain Controller.NOTE: If you are not on the domain controller where you want to transfer the role ,you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer.

9. Click Specify Domain Controller, type the name of the domain controller that will be the new role holder, and then click OK. 10. Right-click Active Directory Schema, and then click Operation Masters. 11. In the Change Schema Master dialog box, click Change. 12. Click OK. 13. Click OK . 14. Click Cancel to close the dialog box.

How to view and transfer FSMO roles in Windows Server 2003

SUMMARY

This article describes how to transfer Flexible Single Master Operations (FSMO) roles (also known as operations master roles) by using the Active Directory snap-in tools in Microsoft Management Console (MMC) in Windows Server 2003. You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

Active Directory Schema snap-in
Active Directory Domains and Trusts snap-in
Active Directory Users and Computers snap-in

If a computer no longer exists, the role must be seized. To seize a role, use the Ntdsutil.exe utility.

Transfer the Schema Master Role

Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll

1. Click Start, and then click Run.
2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

1. Click Start, click Run, type mmc in the Open box, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
   NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
3. Do one of the following:
   In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
   -or-
   In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
   NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
3. Do one of the following:
   In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
   -or-
   In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.
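The MMC procedures above (both the Windows 2000 and the Windows Server 2003 versions) transfer one role at a time and give no record of where each role was before and after. The script below is an added example, not taken from either article: it records the current holders of all five FSMO roles, transfers them with the ActiveDirectory PowerShell module, and then verifies that every role landed on the intended domain controller. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later; not available on 2003 itself), an account with the rights the articles describe (Schema Admins for the schema master, Enterprise Admins for the domain naming master, Domain Admins for the three domain roles), and the placeholder server names DC02.corp.example and DC03.corp.example.

```powershell
# Added example: view, transfer and verify FSMO roles with the ActiveDirectory module.
# Assumes RSAT / ActiveDirectory module and sufficient rights; DC names are placeholders.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $dom.RIDMaster
        PDCEmulator          = $dom.PDCEmulator
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

# Record the current holders before touching anything (keep this output with the change ticket).
$before = Get-FsmoRoleHolders
Write-Output 'FSMO holders before transfer:'
$before | Format-List | Out-String | Write-Output

# Placeholder targets: forest roles to one DC, domain roles to another.
$newForestHolder = 'DC02.corp.example'
$newDomainHolder = 'DC03.corp.example'

# A transfer (no -Force) requires the current holder to be online and agree to the move,
# which is the graceful path the articles describe. -Force would seize the role; that is
# only for a holder that no longer exists, and the old holder must then never return.
Move-ADDirectoryServerOperationMasterRole -Identity $newForestHolder `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false
Move-ADDirectoryServerOperationMasterRole -Identity $newDomainHolder `
    -OperationMasterRole RIDMaster, PDCEmulator, InfrastructureMaster -Confirm:$false

# Verify: re-read the holders and compare each role against the intended DC.
$expected = @{
    SchemaMaster         = $newForestHolder
    DomainNamingMaster   = $newForestHolder
    RIDMaster            = $newDomainHolder
    PDCEmulator          = $newDomainHolder
    InfrastructureMaster = $newDomainHolder
}
$after = Get-FsmoRoleHolders
foreach ($role in $expected.Keys) {
    $actual = $after.$role
    if ($actual -ne $expected[$role]) {   # -ne is case-insensitive for strings
        Write-Warning "$role is held by $actual, expected $($expected[$role])"
    } else {
        Write-Output "$role -> $actual (OK)"
    }
}
```

On a Windows Server 2003 domain controller, where the module does not exist, the same before/after check can be done from the support tools with `netdom query fsmo`, and the transfer itself with the Ntdsutil.exe roles menu that the article mentions for seizing; the verification step is the part worth keeping whichever tool performs the move, because a role that did not actually transfer shows up as replication or logon problems later rather than as an error at the console.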
