
Windows Active Directory

Workgroup: It is a group of computers. To access a system we have to create a login name on each system in order to access a file on that system. If we want to log in to another system, again we have to create our login name on that system.

Domain: It is a group of systems in a network. The user name is created in the Domain and we can log in to any system in that network and access any file on any system.

What is a DC?
A DC is a Domain Controller that contains the copy of Active Directory for a domain.

What is the primary function of domain controllers?
The primary function of domain controllers is to validate users to the network. However, domain controllers also provide the catalog of Active Directory objects to users on the network.

What is ADC?
Additional Domain Controller. ADC is a copy of the DC. If the DC fails, the ADC can be converted to a DC. It gives Load Balancing and Fault Tolerance.

Group: A collection of users is a group. It is used to give permissions and access rights to a collection of users.

OU (Organizational Unit): It is like a container; it contains users, groups, computers and other OUs. It is used to create Departments or Branches, and to delegate administrative rights to a user in that OU.

Windows 2003 Versions:
Standard: Max RAM 4 GB
Enterprise: 64 GB
Web Edition: 4 GB; cannot run DCPROMO, so no DC; no Clusters
Data center: 512 GB

What is Global Catalog?
It stores all objects in the directory for its host domain and partial information about all objects of every other domain in the forest. The information is partial because it stores only some attributes for each object. The GC performs two key directory roles:
1. It gives universal group membership information when a user logs in to a DC.
2. We can search and locate user information in any domain in the forest.
When a user logs on to the network, the GC provides universal group membership information for the account sending the logon request to the DC.
If a GC is not available the user is only able to log on to the local computer.

If a user is a member of the Domain Admins group, they are able to log on to the network even when a global catalog is not available.

What is Active Directory?
AD is a database. It stores information about users, groups, printers and network resources, and makes the resources accessible to users and computers.
1. It helps to centrally manage, organize and control access to resources.
2. It gives User logon and Authentication services.
3. Users can search and locate objects in the forest.

File Name of Active Directory: Ntds.dit (New Technology Directory Service, Directory Information Tree)
File Size: 40 MB; Max Size: 16 TB
Active Directory includes 4 files: Ntds.dit, EDB.log, EDB.chk, Res1.log and Res2.log
Location: %systemroot%\ntds\ (ntds.dit, EDB.log, EDB.chk, Res1.log and Res2.log)

Minimum Requirement for Installing AD
1. Windows Server, Advanced Server, Datacenter Server
2. Minimum disk space of 200 MB for AD and 50 MB for log files
3. NTFS partition
4. TCP/IP installed and configured to use DNS
5. Administrative privilege for creating a domain in the existing network

What is LDAP?
Lightweight Directory Access Protocol, port number 389. LDAP is the directory service protocol used to access AD. It is used to exchange directory information from Server to Clients or from Server to Servers.

How will you verify whether the AD installation is proper?
1. Verifying Database and Log files. Make sure that the following files are there at %systemroot%\ntds: Ntds.dit, Edb.*, Res*.log
NTDS.DIT is the AD database and stores all AD objects. Default location is %SystemRoot%\ntds\NTDS.DIT.
2. Verifying the SYSVOL folder in %systemroot%\sysvol\sysvol. If the SYSVOL folder is not properly created, data stored in SYSVOL such as scripts, GPOs, etc. will not be replicated between DCs.

Verify the following folders are created in the SYSVOL folder: Domain, Staging, Staging areas, Sysvol.
Then verify the 2 shares:
>net share
It should show two shares, NETLOGON and SYSVOL.

What is the use of the SYSVOL folder?
Group Policies and scripts saved in the SYSVOL folder are replicated to all domain controllers in the domain. FRS (File Replication Service) is responsible for replicating all policies and scripts.

3. Verify SRV Resource Records. After AD is installed, the DC registers SRV records in DNS when it restarts. We can check this using the DNS MMC or the nslookup command.
Using MMC: If the SRV records are registered, the following folders will be there in the domain folder in the Forward Lookup Zone: _msdcs, _sites, _tcp, _udp
Using nslookup:
>nslookup
>ls -t SRV Domain
If the SRV records are properly created, they will be listed.

EDB.LOG: This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log, where nnnn is an increasing number starting from 1.
EDB.CHK: This is the checkpoint file used to track the data not yet written to the database file. It indicates the starting point from which data is to be recovered from the log file in case of failure.
Res1.log and Res2.log: These are reserved transaction log files of 20 MB (10 MB each) which give the transaction log files enough room to shut down if the other space is in use.

Explain ADS Database Garbage Collection Process?
Garbage Collection is a process to free space within the Active Directory database.
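The three verification steps above (NTDS files, the NETLOGON and SYSVOL shares, the SRV records) can be run as one script. This is an added example, not part of the original notes; it assumes Windows PowerShell 5.1 on the DC with the DnsClient module (Resolve-DnsName), i.e. newer tooling than the Windows 2003 era the notes describe.

```powershell
# Added example, not part of the original notes: a post-DCPROMO check that
# automates the three verification steps (NTDS database and log files,
# the NETLOGON and SYSVOL shares, the DC's SRV records in DNS).
# Assumes Windows PowerShell 5.1 on the DC with the DnsClient module
# (Resolve-DnsName), i.e. newer tooling than the Windows 2003 era of the notes.
param(
    # Domain whose SRV records are checked; defaults to the DC's own domain.
    [string]$Domain = $env:USERDNSDOMAIN
)

$results  = New-Object System.Collections.Generic.List[object]
$ntdsPath = Join-Path $env:SystemRoot 'ntds'

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK' } else { 'MISSING' }
    $script:results.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
}

# 1. Database and transaction log files named in the notes.
foreach ($file in 'ntds.dit', 'edb.log', 'edb.chk', 'res1.log', 'res2.log') {
    $full = Join-Path $ntdsPath $file
    Add-Result "File $file" (Test-Path $full) $full
}

# 2. The two shares that 'net share' lists after a successful promotion.
$shareNames = Get-CimInstance -ClassName Win32_Share | Select-Object -ExpandProperty Name
foreach ($share in 'NETLOGON', 'SYSVOL') {
    Add-Result "Share $share" ($shareNames -contains $share) 'Without SYSVOL, GPOs and scripts do not replicate'
}

# 3. SRV records that Netlogon registers; they appear as the _msdcs, _sites,
#    _tcp and _udp folders of the forward lookup zone.
$srvNames = @(
    "_ldap._tcp.$Domain"
    "_kerberos._tcp.$Domain"
    "_kerberos._udp.$Domain"
    "_ldap._tcp.dc._msdcs.$Domain"
)
foreach ($name in $srvNames) {
    try {
        $records = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
        Add-Result "SRV $name" ($records.Count -gt 0) (($records | ForEach-Object { $_.NameTarget }) -join ', ')
    } catch {
        Add-Result "SRV $name" $false $_.Exception.Message
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Status -eq 'MISSING' }) {
    Write-Warning 'AD installation is incomplete; investigate the MISSING rows above.'
}
```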

This process runs on the DC every 12 hours. The Garbage Collection process has 3 main steps:
1. Removing "tombstones" from the database. Tombstones are deleted objects. (Tombstones: When an object is deleted, it is not actually removed from the Active Directory database. It is marked for deletion at a later date. When the Tombstone Lifetime is over, the object is deleted.)
2. Deletion of any unnecessary log files.
3. The process launches an Online defragmentation to create space. This method does not shrink the Active Directory database file (Ntds.dit).

There are two ways to defragment the Active Directory database.
Online Defragmentation: a method that runs as part of the garbage collection process. The only advantage to this method is that the server does not need to be taken offline for it to run. This method does not shrink the Active Directory database file (Ntds.dit). This process runs on the DC every 12 hours.
Offline Defragmentation: This is done by taking the server offline and using Ntdsutil.exe to defragment the database. Start the server in repair mode. In this method the database size is reduced.

To defrag ntds.dit offline:
1. Back up System State in the backup wizard.
2. Reboot and select Directory Services Restore Mode.
3. At the command prompt type:
Ntdsutil
Files
Info
This will display current information about the path and size of the Active Directory database and its log files.
Compact to D:\DbBackup\
You must specify a directory path, and if the path name has spaces, the command will not work unless you use quotation marks.
Quit (till you reach the command prompt)
4. A new compacted database named Ntds.dit can be found in D:\DbBackup.
5. Copy the new ntds.dit file over the old ntds.dit file. You have successfully compacted the Active Directory database.

Active Directory 3 partitions

1. Configuration partition
2. Schema partition
3. Domain partition
4. Application partition (only in Windows 2003, not available in Windows 2000)

What is the Physical structure of AD?
Physical structure is: Forests > Trees > Domains > Child Domains > Grand Child Domains.

What are the components of Active Directory?
There are two types of components. One is logical structures: Domains, Organizational Units, Trees and Forests. The second one is physical structures: Sites and Domain Controllers.

Command to Install Active Directory: Start > Run, type DCPROMO.
When installing or removing Active Directory the following log files are created in the %systemroot%\Debug folder: Dcpromoui.log, Dcpromos.log, Dcpromo.log

Introducing domain trees and forests
TREES: A tree is a hierarchical arrangement of W2K domains that share a contiguous name space. The first domain in a domain tree is called the root domain. Additional domains in the same domain tree are child domains. A domain immediately above another domain in the same domain tree is referred to as the parent of the child domain.
FORESTS: A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace but share:
- A common schema
- Common configuration information
- A common global catalog

Explain schema?
Schema is a collection of Objects and their Classes.
Example: Object = User Name

Attribute: Home Dir, Home Address
Schema objects cannot be deleted; objects can be marked as deactivated. This is managed by the Schema Master.

Explain Sites. What are the advantages of Sites?
A site consists of one or more IP subnets connected by a high speed link.
Uses of Sites:
Service requests: When a client requests a service from a domain controller, it directs the request to a domain controller in the same site. Selecting a domain controller that is well-connected to the client makes handling the request more efficient.
Replication: Sites streamline replication of directory information and reduce replication traffic.

GC and infrastructure master should not be on the same Server. Why?
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog's data will always be up-to-date. If the infrastructure master finds data that is out-of-date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.
Important:
1. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
2. If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.

FOREST-WIDE OPERATIONS MASTER ROLES
There can be only one schema master and one domain naming master for the entire forest.
- Schema master
- Domain naming master

Schema master: The schema master DC controls all updates and modifications to the schema.
Domain naming master: The Domain Naming Master DC controls the addition or removal of domains in the forest.

DOMAIN-WIDE OPERATIONS MASTER ROLES
Every domain in the forest must have the following roles:
- Relative ID master
- Primary DC (PDC) emulator
- Infrastructure master

What is FSMO?
Flexible Single Master Operations.

What are the FSMO roles?
- Schema master
- Domain naming master
- RID master
- PDC emulator
- Infrastructure master

Schema Master: The schema master is responsible for performing updates to the directory schema. This DC is the only one that can process updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.
Domain Naming Master: This DC is the only one that can add or remove a domain from the directory.
RID Master: The RID master gives relative IDs to all DCs in the domain. When we create a user or group, it gives an ID to each user. Each user has a SID. This SID consists of a domain SID and a relative ID (RID): the Domain ID is given to the Domain, the RID is the ID given to the user.
ACL (Access Control List): Each file has an ACL; it maintains the list of SIDs that have the access rights to access the file. So the SID is used by files to give access permissions.

PDC Emulator FSMO Role
- Time Synchronization
- Password changes
- Authentication Failures
- Account Lockouts
The PDC emulator is necessary to synchronize the time: all Windows 2000-based computers within an enterprise use a common time. Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator. Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator. The PDC emulator receives no down-level replica requests.

Infrastructure Master: It is responsible for updating Group Membership Information when a group is added or modified.
Schema master, Domain naming master: one per forest.
RID master, PDC Emulator, Infrastructure master: one per domain.

How to find out FSMO roles on the server:
Schema Master
1. Start > Run, type: Regsvr32 schmmgmt.dll. You should receive a success confirmation. Click OK.
2. Type MMC. On the Console menu, press Add/Remove Snap-in.
3. Choose Active Directory Schema from the list and add it. Press Add and press Close. Press OK.
4. Click the Active Directory Schema icon. After it loads, right-click it and press Operation Masters.

To find out the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
3. When you're done click Close.

Finding the RID Master, PDC Emulator, and Infrastructure Masters
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click Close.

To find out from the CMD prompt, use the Netdom command.
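The MMC steps above show one role at a time. The following added script (not part of the original notes) lists all five role holders and checks the placement rules given in these notes: infrastructure master not on a GC unless every DC is a GC, RID master with the PDC emulator, schema master with the domain naming master and the latter on a GC. It assumes the ActiveDirectory RSAT module (Windows 2008 R2 or later tooling).

```powershell
# Added example, not part of the original notes: lists the five FSMO role
# holders and checks the placement rules discussed in these notes.
# Assumes the ActiveDirectory RSAT module (Windows 2008 R2 or later tooling).
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles are one per forest, domain-wide roles one per domain.
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'RID master'            = $dom.RIDMaster
        'PDC emulator'          = $dom.PDCEmulator
        'Infrastructure master' = $dom.InfrastructureMaster
    }

    $findings = @()

    # Ask each role holder about itself (-Server) so that forest roles held in
    # another domain still resolve; IsGlobalCatalog says whether it hosts the GC.
    $im  = Get-ADDomainController -Identity $dom.InfrastructureMaster -Server $dom.InfrastructureMaster
    $dnm = Get-ADDomainController -Identity $forest.DomainNamingMaster -Server $forest.DomainNamingMaster
    $allDcsAreGc = -not (Get-ADDomainController -Filter * -Server $Domain |
                         Where-Object { -not $_.IsGlobalCatalog })

    # Rule: IM on a GC only works when every DC in the domain is a GC.
    if ($im.IsGlobalCatalog -and -not $allDcsAreGc) {
        $findings += "Infrastructure master $($im.HostName) is a GC while other DCs are not: " +
                     'cross-domain references in this domain will not be updated.'
    }
    # Rule: RID master and PDC emulator on the same DC.
    if ($dom.RIDMaster -ne $dom.PDCEmulator) {
        $findings += "RID master ($($dom.RIDMaster)) and PDC emulator ($($dom.PDCEmulator)) are on different DCs."
    }
    # Rule: schema master and domain naming master together, the latter on a GC.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings += 'Schema master and domain naming master are on different DCs.'
    }
    if (-not $dnm.IsGlobalCatalog) {
        $findings += "Domain naming master $($dnm.HostName) is not a global catalog server."
    }

    [pscustomobject]@{
        Roles    = @($roles.GetEnumerator() | ForEach-Object { [pscustomobject]@{ Role = $_.Key; Holder = $_.Value } })
        Findings = $findings
    }
}

$report = Get-FsmoPlacementReport
$report.Roles | Format-Table -AutoSize
if ($report.Findings) {
    $report.Findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'FSMO placement follows the rules in these notes.'
}
```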


Do not place the infrastructure master on a global catalog server
The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log.

How will you place the FSMO roles?
- Place the RID and PDC emulator roles on the same domain controller. Good communication from the PDC to the RID master is desirable as downlevel clients and applications target the PDC, making it a large consumer of RIDs.
- As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site.
- At the forest level, the schema master and domain naming master roles should be placed on the same domain controller as they are rarely used and should be tightly controlled. Additionally, the Domain Naming master FSMO should also be a global catalog server.

Responding to operations master failures
SCHEMA MASTER FAILURE
This failure will be visible if we are trying to modify the schema or install an application that modifies the schema during installation. Seize the Schema master role on another DC. A DC whose schema master role has been seized must never be brought back online.

To seize the schema master role


1. Click Start, click Run, and then type cmd.
2. At the command prompt, type ntdsutil.
3. At the ntdsutil prompt, type roles.
4. At the fsmo maintenance prompt, type connections.
5. At the server connections prompt, type connect to server, followed by the fully qualified domain name.
6. At the server connections prompt, type quit.
7. At the fsmo maintenance prompt, type seize schema master.
8. At the fsmo maintenance prompt, type quit.
9. At the ntdsutil prompt, type quit.

DOMAIN NAMING MASTER FAILURE
We cannot add a domain (we cannot run DCPromo to add a new domain) if the Domain Naming master has failed. So we can seize it from another DC or Additional DC.
RELATIVE ID MASTER FAILURE
We cannot add users if the RID master has failed. So we can seize it from another DC or Additional DC.
PDC EMULATOR FAILURE
Time Sync will not happen, and it will affect replication. Password changes and account lockout will not happen. Group policy changes will not be updated. The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not available, you may need to immediately seize the role.
INFRASTRUCTURE MASTER FAILURE
We can find this problem when we move or rename a group of accounts or groups. So we can seize it from another DC or Additional DC.

How will you remove Orphaned Domains from Active Directory?
Typically, when the last DC for a domain is demoted, the administrator selects the "This server is the last DC in the domain" option in the DCPromo tool, which removes the domain metadata from Active Directory.
1. Determine the DC that holds the Domain Naming Master FSMO role.
2. Verify that all servers for the specified domain have been demoted.
3. At the command prompt:
ntdsutil
metadata cleanup
connections
connect to server servername (servername is the name of the DC holding the Domain Naming Master FSMO role)
quit (the Metadata Cleanup menu is displayed)
select operation target
list domains (a list of domains in the forest is displayed, each with an associated number)
select domain number (where number is the number associated with the domain to be removed)
quit (the Metadata Cleanup menu is displayed)
remove selected domain (you should receive confirmation that the removal was successful)
quit (you should receive confirmation that the connection disconnected successfully)

Audit Active Directory Objects
Audit: to check who logged in to the server. An audit entry in the Security log contains the following information:
- The action that was performed.
- The user who performed the action.
- The success or failure of the event and the time that the event occurred.
When you audit Active Directory events, Windows 2003 writes an event to the Security log on the domain controller. If a user tries to log on to the domain using a domain user account and the logon attempt is unsuccessful, the event is recorded on the DC and not on the computer on which the logon attempt was made. This is because it is the domain controller that tried to authenticate the logon attempt.

How to Configure an Audit Policy Setting for a Domain Controller
Auditing is turned off by default. To audit all DCs, enable auditing on the Domain Controllers OU. To configure an audit policy setting for a domain controller, follow these steps:
1. Start Active Directory Users and Computers.
2. Click Advanced Features on the View menu.
3. Right-click Domain Controllers, and then click Properties.
4. Click the Group Policy tab, click Default Domain Controller Policy, and then click Edit.
5. Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
6. In the right pane, right-click Audit Directory Services Access, and then click Security.
7. Click Define These Policy Settings, and then click to select one or both of the following check boxes:
   o Success: Click to select this check box to audit successful attempts for the event category.
   o Failure: Click to select this check box to audit failed attempts for the event category.
8. Right-click any other event category that you want to audit, and then click Security. Click OK.

How to Configure Auditing for Specific Active Directory Objects
You can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access you want to audit. To configure auditing for specific Active Directory objects, follow these steps:
1. Open Active Directory Users and Computers.
2. Select Advanced Features on the View menu.
3. Right-click the Active Directory object that you want to audit, and then click Properties.
4. Click the Security tab, and then click Advanced.
5. Click the Auditing tab, and then click Add. Enter the name of either the user or the group whose access you want to audit.
6. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.

How to publish a printer in AD
1. Log on to the computer as an administrator.
2. Click Start, point to Settings, and then click Printers.
3. In the Printers folder, right-click the printer that you want to publish in Active Directory, and then click Properties.
4. Click the Sharing tab, click Share As, and then either type a share name or accept the default name. Use only letters and numbers; do not use spaces, punctuation, or special characters.
5. Click to select the List in the Directory check box, and then click OK.
6. Close the Printers folder.
NOTE: If you want to make this printer available to users who are running different versions of Windows, you must install additional drivers. To do so, click Additional Drivers on the Sharing tab of the Printer properties, and then select the appropriate items in the list.

How to Configure an Authoritative Time Server in Windows 2000?
The purpose of the Time service is to ensure that all computers in the organization use a common time. Windows includes the W32Time Time service tool that is required by the Kerberos authentication protocol.
To reset the local computer's time against the authoritative time server for the domain:
Net time /domain:domain_name /set
Net stop w32time
W32time update
Net start w32time
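Returning to the auditing section above: because a failed domain logon is recorded on the DC that tried to authenticate it, a picture of failed attempts needs the Security log of every DC, not of one machine. The following added script (not part of the original notes) collects Audit Failure entries from all DCs; it assumes Windows PowerShell 5.1, the ActiveDirectory RSAT module, remote event log access to the DCs, and a Failure audit policy enabled as described above.

```powershell
# Added example, not part of the original notes: collects Audit Failure
# entries from the Security log of every DC in the domain for the last N
# hours, grouped so repeated failures stand out.
# Assumes Windows PowerShell 5.1, the ActiveDirectory RSAT module, remote
# event log access to the DCs, and a Failure audit policy enabled on them.
Import-Module ActiveDirectory

function Get-DcAuditFailures {
    param(
        [int]$Hours = 24,
        [int]$Top   = 20
    )
    # 0x10000000000000 is the Security log 'Audit Failure' keyword, so this
    # matches every failed audit regardless of Windows version or event ID.
    $filter = @{
        LogName   = 'Security'
        Keywords  = 0x10000000000000
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    $events = foreach ($dc in $dcs) {
        try {
            Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
                Select-Object @{ n = 'DC';      e = { $dc } },
                              @{ n = 'Id';      e = { $_.Id } },
                              @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
        } catch {
            # Get-WinEvent raises an error when nothing matched; only real
            # access problems are worth a warning.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "Cannot read Security log on ${dc}: $($_.Exception.Message)"
            }
        }
    }

    # The same failure repeating on one DC is what an administrator reviews first.
    $events | Group-Object DC, Id, Summary |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, @{ n = 'DC / EventId / Summary'; e = { $_.Name } }
}

Get-DcAuditFailures -Hours 24 | Format-Table -AutoSize -Wrap
```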

SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers.

What is universal group membership cache in Windows 2003?
When a user logs in for the first time, the DC gets the user's universal group membership information from the Global Catalog and stores it in its cache. The next time the user logs in, the DC gets the universal group membership information from its local cache. It will not contact the GC. It reduces the network traffic. By default, the universal group membership information is refreshed every 8 hours.

Group Policy: It is a set of rules and settings applied to users or computers.
Uses:
- Configure users' desktops
- Configure local security on computers
- Install applications
- Run start-up/shut-down or logon/logoff scripts
- Configure Internet Explorer settings
- Redirect special folders
Group Policy Location: C:\WINDOWS\SYSVOL\sysvol\domain.com\Policies
Command to apply Group Policy: GPUpdate
Group Policy is applied in the following order: Local system > Site > Domain > OU > Child OU

Group Policy sections
Computer configuration contains the settings that configure the computer prior to the user logon. User configuration contains the settings that configure the user after the logon. You cannot choose to apply the setting to a single user; all users, including administrator, are affected by the settings. Within these two sections you can find more sub-folders: Software settings and Windows settings, for both computer and user, are settings that configure local DLL files on the machine. Administrative templates are settings that configure the local registry of the machine. You can add more options to administrative templates by right-clicking it and choosing .ADM files. Many programs that are installed on the computer add their .ADM files to the %systemroot%\inf folder so you can add them to the Administrative Templates.


Assign & Publish the applications in GP & how?
Through Group Policy you can Assign and Publish applications by creating an .msi package for that application.
With the Assign option you can apply the policy to both user and computer. If it is applied to a computer then the policy applies to any user who logs on to that computer. If it is applied to a user it applies wherever he logs on to the domain. It will appear in Start menu > Programs. Once the user clicks the shortcut or opens any document having that extension, the application installs onto the local machine. If any application program files are missing it will automatically repair.
With the Publish option you can apply only to users. It will not install automatically when any application program files are corrupted or deleted.

GPMC & RSOP in Windows 2003?
GPMC is a tool used for managing group policies and displays information like how many policies are applied, on which OUs the policies are applied, what settings are enabled in each policy, which users are affected by these policies, and who is managing these policies.

Configuring Group Policy:
1. Group Policy Object Editor snap-in in MMC, or use gpedit.msc from the Run command.
2. Active Directory Users and Computers snap-in, or dsa.msc, to invoke the Group Policy tab on every OU or on the Domain.
3. Active Directory Sites and Services, or dssite.msc, to invoke the Group Policy tab on a site.
4. Group Policy Management Console, or gpmc.msc: this utility is NOT included in Windows 2003 server and needs to be separately installed. Note that if you'd like to use the GPMC tool on Windows XP, you need to install it on computers running Windows XP SP2. Installing it on computers without SP2 will generate errors due to unsupported and newer .ADM files.
RSoP (Resultant Set of Policy) provides details about all policy settings that are configured by an Administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation. When policies are applied on multiple levels (for example, site, domain, domain controller, and organizational unit), the results can conflict. RSoP can help you determine a set of applied policies and their precedence (the order in which policies are applied).

Group Policy inherited from AD is refreshed on the computers in several ways:
1. Logon to the computer (if the settings are "user settings" in the GPO).
2. Restart of the computer (if the settings are "computer settings" in the GPO).
3. Every 60 to 90 minutes, the computers query their DC for updates.
4. Manually by using the gpupdate command. You can add the /force switch to force all settings and not only the delta.
Note: Windows 2000 doesn't support the gpupdate command, so you need to run a different command instead (one for computer settings and one for user settings). In both commands you can use the /enforce switch, which is similar to the /force in gpupdate.
If any configuration change requires a logoff or a restart, a message will appear. You can force logoff or reboot using gpupdate switches.

How to check that the GP was deployed
To be sure that GP was deployed correctly, you can use several ways. The term for the results is RSoP (Resultant Set of Policies).
1. Use the gpresult command in the command prompt. The default result is for the logged-on user on that machine. You can also choose to check the results for other users on that machine. If you use the /v or /z switches you will get very detailed information.
Suppose there are 4 group policies applied in an OU: the last policy will be applied first.

What is Domain Policy, Domain Controller Policy, Local Policy?
Domain Policy applies to all computers in the domain. Domain Controller Policy is applied only on domain controllers. Local Policy is applied to that particular machine only and affects that computer only.

Block/Enforce inheritance
Block will block group policies: inherited GPs are not applied in that OU. Enforce will force the GP to apply even if Block is configured. You can block policy inheritance to an OU if you don't want the settings from upper GPOs to configure your OU. To block GPO inheritance, simply right-click your OU and choose "Block Inheritance". Blocking inheritance will block all upper GPOs.
In case you need one of the upper GPOs to configure all downstream OUs and overcome Block inheritance, use the Enforce option of a link. Enforcing a GPO is a powerful option and rarely should be used.


Example: when you look at the Computers OU, three different GPOs are inherited to it. Choosing "Block inheritance" will reject all upper GPOs. Now, if we configure the "Default domain policy" with the Enforce option, it will overcome the inheritance blocking.

Loopback Processing of Group Policy
We can use the loopback Group Policy to apply user settings based only on which computer the user logs on to. To set user configuration per computer: In the Group Policy Microsoft Management Console (MMC), click Computer Configuration. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.
Usually users in their OU have GPOs applied in order during logon, regardless of which computer they log on to. In some cases, this processing order may not be appropriate (e.g., when you do not want applications assigned to users to be installed while they are logged on to the computers in some specific OU). With Group Policy loopback, you can specify some other ways to retrieve the list of GPOs for any user who logs on to any of the computers in this specific OU:
Merge Mode: Here, first the user's policy is applied. Then the computer's policy is added; the computer's GPOs are the effective policy.
Replace Mode: In this mode, the user's policy is not applied. Only the computer policy object is used.

Explain Kerberos V5 authentication process?
Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user and network services. This dual verification is known as mutual authentication.
User login process:
1. The user on a client system authenticates to the KDC using a password.
2. The KDC issues a special ticket-granting ticket (TGT) to the client. (A TGT is a ticket issued by the Kerberos V5 Key Distribution Center (KDC) for the purpose of obtaining a service ticket from the ticket-granting service (TGS).) The client system uses this TGT to access the ticket-granting service (TGS), which is part of the Kerberos V5 authentication mechanism on the DC.
3. The TGS then issues a service ticket to the client.
4. The client presents this service ticket to the requested network service. The service ticket proves both the user's identity to the service and the service's identity to the user.

Group Types
Security Group: Used to assign permissions. When we add users we will select this option.
Distribution Group: Used to send mails to a group of users, e.g. to send a mail to 100 users.

Group Scopes
Domain Local Group: It gives rights to local users, global and universal users to access shared folders and printers in its Domain.
Global Group: It gives access rights to users in other trusted domains. It cannot contain Domain Local or Universal groups.
Universal Group: It gives access rights to users in all Trusted Domains and forest to forest.

3 major Account Policies
1. Password policy
2. Account lockout policy
3. Kerberos policy

Roaming User Profile: The user gets the same desktop and settings on any system they log in to.

DNS Domain Name System


Location: %systemroot%\system32\DNS.Edb
DNS converts host names to IP addresses (resolves host name to IP address).
Use: Client systems use the DNS server to locate Domain Controllers when users log in, and use DNS to access AD resources in the network. Without a DNS server, client computers cannot locate DCs, other Servers and AD resources.

DNS Zones:
Forward Lookup Zone: contains host name to IP address mappings.
Reverse Lookup Zone: contains IP address to host name mappings.
Standard Primary Zone
Standard Secondary Zone
Active Directory Integrated Zone: DNS entries are stored in Active Directory, not in a zone file.

DNS Records
A record: contains host name to IP address mappings.
PTR record: contains IP address to host name mappings.
CNAME: alias name, used to give an additional name to a host.
MX record: used to map a DNS domain name to the host name of a mail server.
SRV record: used to map a service to a server (service locator).
SOA (Start of Authority): contains the Serial Number, Primary server name, responsible person name, Refresh, Retry and Expire times, and TTL.

Zone Transfer: If the Serial Number increases, a zone transfer happens from the Primary DNS server to the Secondary DNS server.

Advantages of Active Directory Integrated Zones:
1. Incremental Zone Transfer: it transfers only new changes, not the entire data, so it reduces network traffic.
2. It supports both secure and dynamic updates.
3. It is replicated domain wide or forest wide through AD replication.

TTL (Time To Live): DNS resolves host names to IP addresses for client systems and stores the results in its cache. If the same query comes next time, the DNS server gives the answer from its cached information without contacting other DNS servers. This information is stored in the cache for a specified amount of time; that is called the TTL. After that it is cleared from the cache.

Ipconfig /registerdns: To manually register the server's A and PTR resource records, run this command at a command prompt.
Net Logon service: If the server is a Domain Controller, stop and restart the Net Logon service to register the Service (SRV) records in the DNS server.
NSLOOKUP: DNS diagnostic tool from the command prompt.

What does a DC register in DNS?
The Netlogon service registers all the SRV records for that DC. These records are displayed as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name. Other computers look for these records to find Active Directory-related information.
DNS Dynamic Update: client systems and servers register their host names and IP addresses in the DNS server without administrator intervention.
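The record types, the serial-number rule for zone transfer and the TTL cache described above, as an added Python model (not Windows DNS code and not from the original notes). The zone name corp.example and its addresses are constructed sample data; the "journal" of changes is an assumption that stands in for how a server knows which records a secondary has not yet seen.

```python
"""Toy model of the DNS mechanics above: resource records, the SOA serial
number that drives zone transfer to a secondary, and TTL-bounded caching
in a resolver. Added illustration, not Windows DNS code; the zone
contents are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    name: str
    rtype: str   # A, PTR, CNAME, MX or SRV
    data: str
    ttl: int = 3600


@dataclass
class PrimaryZone:
    origin: str
    serial: int                      # SOA serial number
    records: List[Record] = field(default_factory=list)
    journal: List[Tuple[int, Record]] = field(default_factory=list)

    def add(self, rec: Record) -> None:
        # Every change bumps the SOA serial; the journal remembers which
        # serial each record arrived with, so an incremental transfer can
        # ship only the changes a secondary has not seen (assumed mechanism).
        self.serial += 1
        self.records.append(rec)
        self.journal.append((self.serial, rec))


class SecondaryZone:
    """Holds a copy of the primary and pulls only when the primary's serial is higher."""

    def __init__(self, primary: PrimaryZone) -> None:
        self.primary = primary
        self.serial = primary.serial
        self.records = list(primary.records)

    def check_transfer(self) -> Tuple[str, int]:
        """Compare serials; return (kind, number_of_records_transferred)."""
        if self.primary.serial <= self.serial:
            return ("none", 0)          # serial unchanged: nothing to do
        changes = [r for s, r in self.primary.journal if s > self.serial]
        self.records.extend(changes)    # incremental: only the new changes
        self.serial = self.primary.serial
        return ("incremental", len(changes))


class CachingResolver:
    """Answers from cache while the TTL has not expired, else asks the zone."""

    def __init__(self, zone: PrimaryZone) -> None:
        self.zone = zone
        self.cache: Dict[Tuple[str, str], Tuple[str, int]] = {}  # key -> (data, expiry)
        self.upstream_queries = 0

    def resolve(self, name: str, rtype: str, now: int) -> Tuple[Optional[str], str]:
        key = (name, rtype)
        if key in self.cache:
            data, expires = self.cache[key]
            if now < expires:
                return data, "cache"
            del self.cache[key]         # TTL elapsed: entry is cleared
        self.upstream_queries += 1      # contact the authoritative server
        for r in self.zone.records:
            if r.name == name and r.rtype == rtype:
                self.cache[key] = (r.data, now + r.ttl)
                return r.data, "authoritative"
        return None, "nxdomain"


def build_sample_zone() -> PrimaryZone:
    # Constructed sample zone for corp.example (documentation addresses).
    z = PrimaryZone("corp.example", serial=2024010100)
    z.add(Record("dc1.corp.example", "A", "192.0.2.10"))
    z.add(Record("10.2.0.192.in-addr.arpa", "PTR", "dc1.corp.example"))
    z.add(Record("mail.corp.example", "CNAME", "dc1.corp.example"))
    z.add(Record("corp.example", "MX", "10 mail.corp.example"))
    z.add(Record("_ldap._tcp.corp.example", "SRV", "0 100 389 dc1.corp.example", ttl=600))
    return z
```

The short TTL on the SRV record mirrors why DC locator records are kept short-lived: a stale cached answer for _ldap._tcp would send clients to a DC that may no longer exist.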


How to Allow Only Secure Dynamic Updates
1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2. Under DNS, expand the applicable DNS server, expand Forward Lookup Zones (or Reverse Lookup Zones), and then click the applicable zone.
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. In the Allow dynamic updates? box, click Only secure updates.
The secure dynamic update functionality is supported only for Active Directory-integrated zones.

Stub Zone: it is created in remote places (branch offices) to increase the speed of the login process and of file access. It holds only a read-only copy of the SOA, NS and A records. It reduces network traffic and bandwidth utilization.

How to Configure DNS Dynamic Update for DHCP Clients
By default, DHCP clients are configured to request that the client register the A resource record and the server register the PTR resource record. By default, the name that is used in the DNS registration is a concatenation of the computer name and the primary DNS suffix. To change this default name, open the TCP/IP properties of your network connection.
To enable DNS dynamic update on a Windows DNS server:
1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2. Click the appropriate zone under either Forward Lookup Zones or Reverse Lookup Zones.
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
5. If the zone type is Primary, click Yes in the Allow dynamic updates? list.
6. If the zone type is Active Directory-integrated, click either Yes or Only secure updates in the Allow dynamic updates? list, depending on whether you want DNS dynamic updates to be secure.

Why can't I use WINS for name resolution like it is used in Microsoft Windows NT 4.0?


A Windows 2000 DC does not register Active Directory-related information with a WINS server; it only registers this information with a DNS server that supports dynamic updates, such as a Windows 2000 DNS server. Other Windows 2000-based computers do not query

How to Configure DNS Dynamic Update on a Windows DHCP Server
To configure DNS dynamic update for a DHCP server:
1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
2. Click the appropriate DHCP server or a scope on the appropriate DHCP server.
3. On the Action menu, click Properties.
4. Click the DNS tab.
5. To enable DNS dynamic update for DHCP clients that support it, click to select the Automatically update DHCP client information in DNS check box. This check box is selected by default.
6. To enable DNS dynamic update for DHCP clients that do not support it, click to select the Enable updates for DNS clients that do not support dynamic updates check box. This check box is selected by default.

How to Enable DNS Dynamic Updates on a DHCP Server
DHCP and DNS servers now support dynamic updates to a DNS server. Clients can dynamically update their forward lookup records themselves with the DNS server after they obtain a new IP address from a DHCP server. On the DHCP server, you can dynamically update the DNS records for pre-Windows 2000 clients that cannot do it for themselves. This feature currently works only with the

Scavenging: removing old, unwanted records from the DNS server.

Enable Aging and Scavenging
You need to enable the Aging and Scavenging feature at the server level, and optionally set the Aging feature on zones if you need different aging periods:
1. Open the DNS manager.
2. In the left pane, under the DNS icon, right-click the server name.
3. Click Set Aging/Scavenging for All Zones.
4. Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.
To set the Aging feature on an individual zone:
1. Right-click the zone, and then click Properties.
2. Click Aging.
3. Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.
To scavenge right away: in the left pane, click Scavenge Stale Resource Records, and then click Yes when asked if you want to scavenge.

How to Move DNS Zones to Another DNS Server
To move zone files from one server to another, follow these steps. To use this method, the DNS Server service must be installed on the new server but not yet configured.
1. On the DNS server that is currently hosting the DNS zone(s), change any Active Directory-integrated zones to standard primary. This action creates the zone files that are needed for the destination DNS server.
2. Stop the DNS Server service on both DNS servers.
3. Manually copy the entire contents of the %SystemRoot%\System32\DNS folder from the source server to the destination server.
4. On the current DNS server, start Registry Editor.
5. Locate and click the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Zones
6. Export the Zones key to a registry file.
7. On the destination DNS server, double-click the registry file to import the Zones key into the registry.
8. Bring the current DNS server down and transfer its IP address to the destination DNS server.
9. On the destination DNS server, start the DNS Server service. To initiate the registration of the server's A and PTR resource records, run the following command at a command prompt: ipconfig /registerdns
10. If this server is also a domain controller, stop and restart the Net Logon service to register the Service (SRV) records, or run the following command at a command prompt: netdiag /fix
11. The standard zones that were previously Active Directory-integrated can be converted back to Active Directory-integrated on the replacement DNS server if it is a domain controller.
12. Verify that the SOA resource records on each zone contain the correct name for the primary server and that the NS resource records for the zone(s) are correct.
The steps outlined in this article do not migrate the following DNS server settings: Interfaces, Forwarders, Advanced, Root Hints, Logging, Security.
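The three "Allow dynamic updates?" settings (Only secure updates, Yes, No) and the aging/scavenging behaviour covered above, as one added Python model. It is an illustration, not Windows DNS code: the principal is a plain string standing in for the authenticated computer account, the no-refresh and refresh intervals are measured in hours, and the rule that a dynamic update never touches a statically created record is a simplification of this model.

```python
"""Model of a zone's dynamic-update modes and of aging/scavenging, as
described above. Added illustration, not Windows DNS code: the principal
is a plain string standing in for the authenticated computer account and
time is measured in hours."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DynRecord:
    name: str
    rtype: str
    data: str
    owner: Optional[str]   # account that registered the record; None for static
    timestamp: int         # hours; 0 marks a static record that is never aged


class DynamicZone:
    SECURE_ONLY = "only secure updates"
    NONSECURE_AND_SECURE = "yes"
    NO_UPDATES = "no"

    def __init__(self, mode: str, no_refresh: int = 168, refresh: int = 168) -> None:
        self.mode = mode
        self.no_refresh = no_refresh   # hours during which a refresh is ignored
        self.refresh = refresh         # hours after that in which the owner must refresh
        self.records: Dict[Tuple[str, str], DynRecord] = {}

    def add_static(self, name: str, rtype: str, data: str) -> None:
        # Administrator-created record: no owner, timestamp 0, never scavenged.
        self.records[(name, rtype)] = DynRecord(name, rtype, data, None, 0)

    def update(self, name: str, rtype: str, data: str,
               principal: Optional[str], now: int) -> str:
        """Handle one dynamic update; principal=None means unauthenticated."""
        if self.mode == self.NO_UPDATES:
            return "REFUSED"
        if self.mode == self.SECURE_ONLY and principal is None:
            return "REFUSED"           # secure mode needs an authenticated sender
        key = (name, rtype)
        rec = self.records.get(key)
        if rec is None:
            self.records[key] = DynRecord(name, rtype, data, principal, now)
            return "ADDED"
        if rec.timestamp == 0:
            return "REFUSED"           # model simplification: static records stay static
        if self.mode == self.SECURE_ONLY and rec.owner != principal:
            return "REFUSED"           # only the registering account may change it
        if rec.data == data:
            if now - rec.timestamp < self.no_refresh:
                return "UNCHANGED"     # inside the no-refresh window: nothing written
            rec.timestamp = now
            return "REFRESHED"
        rec.data, rec.owner, rec.timestamp = data, principal, now
        return "CHANGED"

    def scavenge(self, now: int) -> List[str]:
        """Remove dynamic records not refreshed within no_refresh + refresh hours."""
        limit = self.no_refresh + self.refresh
        stale = [k for k, r in self.records.items()
                 if r.timestamp and now - r.timestamp >= limit]
        for k in stale:
            del self.records[k]
        return sorted(name for name, _ in stale)
```

In the "Yes" mode any sender can overwrite an existing host's A record, which is the reason the procedure above recommends Only secure updates for AD-integrated zones; the scavenge method shows why a too-short interval is risky: a host that is merely offline for longer than no-refresh + refresh loses its record.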

Port numbers
FTP: 21
Telnet: 23
HTTP: 80
DNS: 53
Kerberos: 88
LDAP: 389
Global Catalog: 3268
DHCP client: 67
DHCP server: 68

DNS Interview Questions and Answers


1. Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?
Ans: PTR records.
2. What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.
3. SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.

4. By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?
Performs a recursive search through the primary DNS server based on the network interface configuration.
What is the main purpose of SRV records?
SRV records are used in locating hosts that provide certain network services.
5. Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure?
The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates.
6. Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients?
The zone to be used for dynamic updates must be configured to allow dynamic updates. The DHCP server must support, and be configured to allow, dynamic updates for legacy clients.
7. At some point during the name resolution process, the requesting party received an authoritative reply. Which further actions are likely to be taken after this reply?
After receiving the authoritative reply, the resolution process is effectively over.
8. Your company uses ten domain controllers, three of which are also used as DNS servers. You have one companywide AD-integrated zone, which contains several thousand resource records. This zone also allows dynamic updates, and it is critical to keep this zone up to date. Replication between domain controllers takes up a significant amount of bandwidth. You are looking to cut bandwidth usage for the purpose of replication. What should you do?
Change the replication scope to all DNS servers in the domain.
9. You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?
DNS servers are not caching replies. Local client computers are not caching replies. The cache.dns file may have been corrupted on the server.

What is the purpose of deploying local DNS servers?
A domain DNS server provides for the local mapping of fully qualified domain names to IP addresses. Because the DNS is a distributed database, the local DNS servers can provide record information to remote DNS servers to help resolve remote requests related to fully qualified domain names on your network.

DHCP (Dynamic Host Configuration Protocol)
DHCP client uses port 67; DHCP server uses port 68.


Location C:\systemroot\system32\dhcp.edb
DHCP is used to automatically assign IP addresses to clients, together with the subnet mask, default gateway and DNS server.
How DHCP Works
The DHCP server uses a ping to test whether an IP address is available. If the ping succeeds, the IP address is already used by a system, so the DHCP server will not give that IP to the client. If the ping request fails and times out, the IP address is not used by any system, and the DHCP server will give that IP to the client system.
Lease Process of the DHCP server
It is called DORA:
D - Discover: the client system broadcasts packets to identify the DHCP server; this packet contains the source MAC address.
O - Offer: once this packet is received by the DHCP server, the server sends a packet containing the source IP and source MAC.
R - Request: the client system now contacts the DHCP server directly and requests an IP address.
A - Acknowledge: the DHCP server sends an acknowledgement packet with an IP address.
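The ping check and the DORA exchange just described, with both the client's and the server's messages, as an added Python simulation (not Windows DHCP code and not from the original notes). Messages are plain dicts rather than real DHCP packets, the addresses come from the documentation range 192.0.2.0/24, and the set of addresses that "answer ping" is a constructed stand-in for a real ICMP probe.

```python
"""Simulation of the DORA lease exchange above (Discover, Offer, Request,
Acknowledge) with the server-side ping check. Added illustration, not
Windows DHCP code: messages are dicts, and the set of addresses that
'answer ping' is a constructed stand-in for a real ICMP probe."""
from typing import Dict, Iterable, List, Optional

Message = Dict[str, str]


class DhcpServer:
    def __init__(self, server_ip: str, scope: Iterable[str], pinging: Iterable[str],
                 mask: str = "255.255.255.0", gateway: str = "192.0.2.1",
                 dns: str = "192.0.2.10", lease_seconds: int = 28800) -> None:
        self.server_ip = server_ip
        self.scope = list(scope)            # range of addresses for this subnet
        self.pinging = set(pinging)         # addresses already in use on the wire
        self.offers: Dict[str, str] = {}    # client MAC -> offered address
        self.leases: Dict[str, str] = {}    # client MAC -> leased address
        self.options = {"subnet_mask": mask, "router": gateway, "dns": dns}
        self.lease_seconds = lease_seconds

    def _in_use(self, ip: str) -> bool:
        # A successful ping means some host already has the address.
        return ip in self.pinging

    def _pick_free(self) -> Optional[str]:
        taken = set(self.leases.values()) | set(self.offers.values())
        for ip in self.scope:
            if ip not in taken and not self._in_use(ip):
                return ip
        return None                          # scope exhausted

    def handle(self, msg: Message) -> Optional[Message]:
        mac = msg["client_mac"]
        if msg["op"] == "DISCOVER":
            ip = self.leases.get(mac) or self._pick_free()
            if ip is None:
                return None                  # no offer: client keeps broadcasting
            self.offers[mac] = ip
            return {"op": "OFFER", "client_mac": mac, "your_ip": ip,
                    "server_ip": self.server_ip}
        if msg["op"] == "REQUEST":
            ip = msg["requested_ip"]
            if self.offers.get(mac) != ip and self.leases.get(mac) != ip:
                return {"op": "NAK", "client_mac": mac}   # not what we offered
            self.offers.pop(mac, None)
            self.leases[mac] = ip
            self.pinging.add(ip)             # the host will now answer ping
            return {"op": "ACK", "client_mac": mac, "your_ip": ip,
                    "lease_seconds": str(self.lease_seconds), **self.options}
        return None


class DhcpClient:
    def __init__(self, mac: str) -> None:
        self.mac = mac
        self.ip: Optional[str] = None
        self.transcript: List[str] = []

    def lease(self, server: DhcpServer) -> Optional[str]:
        # D: broadcast; the only identity the client has yet is its MAC.
        discover = {"op": "DISCOVER", "client_mac": self.mac, "dst": "255.255.255.255"}
        self.transcript.append("DISCOVER")
        offer = server.handle(discover)
        if offer is None:
            return None
        self.transcript.append("OFFER " + offer["your_ip"])
        # R: ask the offering server for exactly the offered address.
        request = {"op": "REQUEST", "client_mac": self.mac,
                   "requested_ip": offer["your_ip"], "server_ip": offer["server_ip"]}
        ack = server.handle(request)
        self.transcript.append(ack["op"])
        if ack["op"] == "ACK":
            self.ip = ack["your_ip"]
        return self.ip


def run_demo() -> Dict[str, Optional[str]]:
    """Four clients on a four-address scope where one address already answers ping."""
    scope = ["192.0.2.20", "192.0.2.21", "192.0.2.22", "192.0.2.23"]   # constructed
    server = DhcpServer("192.0.2.2", scope, pinging={"192.0.2.20"})
    results: Dict[str, Optional[str]] = {}
    for mac in ("00-11-22-33-44-01", "00-11-22-33-44-02",
                "00-11-22-33-44-03", "00-11-22-33-44-04"):
        results[mac] = DhcpClient(mac).lease(server)
    return results
```

The fourth client gets no offer because the pinging address is skipped and the other three are leased, which is the "scope nearly depleted" situation that superscopes address further down.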

Disadvantage
Your machine name does not change when you get a new IP address. The DNS (Domain Name System) name is associated with your IP address and therefore does change. This only presents a problem if other clients try to access your machine by its DNS name.
DHCP Relay Agent: it is used to give IP addresses to a subnet which does not have a DHCP server. It is placed outside of our local network.
Scope: it is a range of IP addresses a DHCP server will assign to clients in a single subnet.

Superscope: it is a collection of scopes. It contains more than one scope and is used to give IP addresses to systems in multiple subnets. A superscope allows a DHCP server to provide leases from more than one scope to clients on a single physical network. Before you can create a superscope, you must use DHCP Manager to define all scopes to be included in the superscope. Scopes added to a superscope are called member scopes. Superscopes can resolve DHCP service issues in several different ways; these issues include situations in which:

- Support is needed for DHCP clients on a single physical network segment (such as a single Ethernet LAN segment) where multiple logical IP networks are used. When more than one logical IP network is used on a physical network, these configurations are also known as multinets.
- The available address pool for a currently active scope is nearly depleted and more computers need to be added to the physical network segment.
- Clients need to be migrated to a new scope.
- Support is needed for DHCP clients on the other side of BOOTP relay agents, where the network on the other side of the relay agent has multiple logical subnets on one physical network. For more information, see Supporting BOOTP Clients later in this chapter.
A standard network with one DHCP server on a single physical subnet is limited to leasing addresses to clients on the physical subnet.

Multicast Scope: it is assigned to one IP address and is used to transmit multimedia data like radio, speech or TV programs. The purpose is to send the data once and have it delivered to all computers on the network. It uses Class D IP addresses and can be used to send messages to a group of computers at the same time.
1 :: To negate rogue DHCP servers from running within a domain, what is required for your DHCP server to function?
The DHCP server must be authorized in Active Directory before it can function in the domain.
2 :: How can you configure the DHCP server so that it provides certain devices with the same IP address each time the address is renewed?
You can create a reservation for the device (or create reservations for a number of devices). To create a reservation, you need to know the MAC hardware address of the device. You can use the ipconfig or nbtstat command-line utilities to determine the MAC address for a network device such as a computer or printer.
3 :: What TCP/IP configuration parameters can be provided to a DHCP client?
The DHCP server can supply a DHCP client an IP address and subnet mask. It also can optionally include the default gateway address, the DNS server address, and the WINS server address to the client.

4 :: How is the range of IP addresses defined for a Windows Server 2008 DHCP server?
The IP addresses supplied by the DHCP server are held in a scope. A scope that contains more than one subnet of IP addresses is called a superscope. IP addresses in a scope that you do not want to lease can be included in an exclusion range.

WINS (Windows Internet Name Service)
It converts NetBIOS names to IP addresses. The DNS server converts host names to IP addresses.


A NetBIOS name is 16 characters: a 15-character system name plus 1 character for the service name (DNS, DHCP, DC).
Commands to check a system's NetBIOS name: nbtstat -n, ipconfig /all
The WINS server uses the LMHOSTS file, which contains all systems' NetBIOS names and IP addresses. Path: C:\windows\system32\drivers\etc\lmhost.sam
When a new system is added to the network, the LMHOSTS file should be manually updated by the system administrator, and it should be created on all systems. The DNS server, by contrast, uses the Dynamic DNS method: when a new system is added, its host name and IP address are updated automatically.

RAID (Redundant Array of Inexpensive Disks)
Basic Disk: can contain 4 primary partitions.
Dynamic Disk: no limitations.
NTFS file system:
- Gives folder and file level security
- Supports file encryption
- Faster file access speed
- Supports compression
- Supports disk quotas
- Reduces disk fragmentation

Different volume types: Simple Volume, Spanned Volume, Striped Volume (RAID 0), Mirrored Volume (RAID 1), RAID-5 Volume (RAID 5).
RAID 0 - Striped Volume: 3 hard disks will be used. If one hard disk fails we cannot recover the data; we should restore from backups. We can use 100% of the space from all 3 disks.
RAID 1 - Mirrored Volume: 2 hard disks will be used. All data will be copied to the second disk. If one hard disk fails we can recover the data from the other hard disk. We can use 50% of the space.
RAID-5 Volume: 3 to 32 disks can be used. Out of 3 disks, 1 disk will be used for parity information; it takes 33% of the space. If the parity info is damaged, we cannot recover the failed hard disk. Parity information is used to recover the data from a failed hard disk.
RAID-6 Volume: minimum 4 hard disks. 2 disks are used for dual parity. If one parity disk fails we can use the other parity disk to recover data.
What is the ISTG? Who has that role by default?
The first server in the site becomes the ISTG for the site. The domain controller holding this role may not necessarily also be a bridgehead server.
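How the RAID-5 parity described above lets a volume survive one failed disk, as an added Python model (not Windows Disk Management code and not from the original notes). It stripes a constructed byte string across N disks with rotating XOR parity, drops one disk, and rebuilds it from the survivors; it also shows the "33% of the space" figure as the general (N-1)/N rule for any disk count, which goes beyond the 3-disk case in the text.

```python
"""Model of RAID-5 striping with distributed XOR parity, as described
above: write a byte string across N disks, lose one disk, and rebuild it
from the survivors. Added illustration, not Windows Disk Management code;
the data is a constructed byte string."""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Byte-wise XOR of equally sized chunks; XOR is its own inverse."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, n_disks: int, chunk: int) -> List[List[bytes]]:
    """Return per-disk chunk lists. Each stripe holds n_disks-1 data chunks and
    one parity chunk; the parity chunk rotates across disks stripe by stripe."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least 3 disks")
    per_stripe = chunk * (n_disks - 1)
    data = data + b"\0" * (-len(data) % per_stripe)          # pad last stripe
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        base = s * per_stripe
        chunks = [data[base + i * chunk: base + (i + 1) * chunk]
                  for i in range(n_disks - 1)]
        parity_disk = s % n_disks
        parity = xor_blocks(chunks)
        it = iter(chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def raid5_rebuild(disks: List[Optional[List[bytes]]], failed: int) -> Optional[List[bytes]]:
    """XOR of the surviving chunks in each stripe equals the missing chunk,
    whether that chunk held data or parity. Returns None when more than one
    disk is gone, because a single parity cannot cover two unknowns."""
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    if len(survivors) != len(disks) - 1:
        return None
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def raid5_read(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the data by skipping each stripe's parity chunk."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(n):
            if d != s % n:
                out += disks[d][s]
    return bytes(out[:length])


def usable_fraction(n_disks: int) -> float:
    """Fraction of raw capacity available for data: one disk's worth is parity."""
    return (n_disks - 1) / n_disks
```

The rebuild is the same XOR that produced the parity, which is why a RAID-5 volume with a second disk already failed (or a damaged parity chunk, as the notes say) has nothing left to invert.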

Windows Server 2008


What are RODCs? And what are the major benefits of using RODCs?
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database.
What are the different editions of Windows Server 2008?
The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise Edition provides a platform for large enterprise-wide networks. The Datacenter Edition provides support for unlimited Hyper-V virtualization and advanced clustering services. The Web Edition is a scaled-down version of Windows Server 2008 intended for use as a dedicated web server. The Standard, Enterprise, and Datacenter Editions can be purchased with or without the Hyper-V virtualization technology.
What two hardware considerations should be an important part of the planning process for a Windows Server 2008 deployment?
Any server on which you will install Windows Server 2008 should have at least the minimum hardware requirement for running the network operating system. Server hardware should also be on the Windows Server 2008 Hardware Compatibility List to avoid the possibility of hardware and network operating system incompatibility.
What are the options for installing Windows Server 2008?
You can install Windows Server 2008 on a server not currently configured with a NOS, or you can upgrade existing servers running Windows 2000 Server and Windows Server 2003.


How do you configure and manage a Windows Server 2008 core installation?
This stripped-down version of Windows Server 2008 is managed from the command line.

What's New in Windows Server 2008 Active Directory Domain Services?
Active Directory Domain Services in Windows Server 2008 provides a number of enhancements over previous versions, including these:
Auditing: AD DS auditing has been enhanced significantly in Windows Server 2008. The enhancements provide more granular auditing capabilities through four new auditing categories: Directory Services Access, Directory Services Changes, Directory Services Replication, and Detailed Directory Services Replication. Additionally, auditing now provides the capability to log old and new values of an attribute when a successful change is made to that attribute.
Fine-Grained Password Policies: AD DS in Windows Server 2008 now provides the capability to create different password and account lockout policies for different sets of users in a domain. User and group password and account lockout policies are defined and applied via a Password Settings Object (PSO). A PSO has attributes for all the settings that can be defined in the Default Domain Policy, except Kerberos settings. PSOs can be applied to both users and groups.

Read-Only Domain Controllers: AD DS in Windows Server 2008 introduces a new type of domain controller called a read-only domain controller (RODC). RODCs contain a read-only copy of the AD DS database. RODCs are covered in more detail in Chapter 6, Manage Sites and Replication.
Restartable Active Directory Domain Services: AD DS in Windows Server 2008 can now be stopped and restarted through MMC snap-ins and the command line. The restartable AD DS service reduces the time required to perform certain maintenance and restore operations. Additionally, other services running on the server remain available to satisfy client requests while AD DS is stopped.
AD DS Database Mounting Tool: AD DS in Windows Server 2008 comes with an AD DS database mounting tool, which provides a means to compare data as it exists in snapshots or backups taken at different times. The AD DS database mounting tool eliminates the need to restore multiple backups to compare the AD data that they contain and provides the capability to examine any change made to data stored in AD DS.
Hyper-V

What are RODCs? And what are the major benefits of using RODCs?
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources. Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:

Major benefits
* Improved security
* Faster logon times
* More efficient access to resources on the network

What does an RODC do?
Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller. However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications. In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller. An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest. You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.

What is REPADMIN?
Repadmin.exe: Replication Diagnostics Tool
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors. Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems.

What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

KCC
The KCC is a built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.
How do you view replication properties for AD?
By using Active Directory Replication Monitor: Start > Run > Replmon
What are sites and what are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.

What Windows Server 2008 service is used to install client operating systems over the network?
Windows Deployment Services (WDS) enables you to install client and server operating systems over the network to any computer with a PXE-enabled network interface.
What domain services are necessary for you to deploy the Windows Deployment Services on your network?


Windows Deployment Services requires that a DHCP server and a DNS server be installed in the domain.
How is WDS configured and managed on a server running Windows Server 2008?
The Windows Deployment Services snap-in enables you to configure the WDS server and add boot and install images to the server.
What protocol stack is installed by default when you install Windows Server 2008 on a network server?
TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is required for Active Directory implementations and provides for connectivity on heterogeneous networks.
What are some of the tools used to manage Active Directory objects in a Windows Server 2008 domain?
When Active Directory is installed on a server (making it a domain controller), a set of Active Directory snap-ins is provided. The Active Directory Users and Computers snap-in is used to manage Active Directory objects such as user accounts, computers, and groups. The Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined between domains. The Active Directory Sites and Services snap-in provides for the management of domain sites and subnets.

New Features in Windows Server 2008


Self-healing NTFS file system: in WS2K8, a new system service works in the background that can detect a file system error and perform a healing process without anyone taking the server down.
Clean service shutdown: one of Windows' historical problems concerns its system shutdown procedure. In XP, once shutdown begins, the system starts a 20-second timer. After that time is up, it asks the user whether she wants to terminate the application herself. In WS2K8, that 20-second countdown has been replaced with a service that will give applications that have received the signal all the time they need to shut down, as long as they continually signal back that they are indeed shutting down.
Virtualization: Microsoft's Hyper-V hypervisor-based virtualization technology.
Server Core: many server administrators, especially those used to working in a Linux environment, instinctively dislike having to install a large, feature-packed operating system to run a particular specialized server. Server 2008 offers a Server Core installation, which provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server. The Server Core installation option installs only what is required to have a manageable server for the AD DS, AD LDS, AD CS, DHCP Server, DNS Server, File Services, Print Services, Web Server and Hyper-V server roles, so less maintenance is required than on a full installation of Windows Server 2008.
IIS: IIS 7, the Web server bundled with Server 2008, is a big upgrade from the previous version. "There are significant changes in terms of security and the overall implementation which make this version very attractive."
Windows PowerShell: Microsoft's new(ish) command line shell and scripting language has proved popular with some server administrators, especially those used to working in Linux environments. Included in Server 2008, PowerShell can make some jobs quicker and easier to perform than going through the GUI.
Read Only Domain Controllers (RODC): it's hardly news that branch offices often lack skilled IT staff to administer their servers, but they also face another, less talked about problem. While corporate data centers are often physically secured, servers at branch offices rarely have the same physical security protecting them. This makes them a convenient launch pad for attacks back to the main corporate servers. RODC provides a way to make an Active Directory database read-only.
Network Access Protection: Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies, and that those that are not can be remediated, is useful. However, similar functionality has been and remains available from third parties.
New password policies: no longer is there a restriction of one password policy per domain.
Group Policy database: Server 2008 adds a searchable database for group policy managers, so admins no longer have to track this manually.
Active Directory Rights Management Services (AD RMS): this was available in Server 2003 but only as an add-on purchase. The new version adds new features to limit access to certain files.
Windows Remote Shell (WinRS): this is a more advanced version of Terminal Services that allows connections to many remote computers at a time, all from a single console.
The Print Management Console (PMC): first making its debut in Windows Server 2003 R2, this new release is a native function and is available as a snap-in addition for the Microsoft Management Console (MMC). This handy utility lets an administrator see every printer in the entire organization, and map printers to specific user groups.

35

RemoteApp & Desktop Connections (RAD)


RemoteApp was introduced with Windows Server 2008. It allows end-users to launch a single application on a remote server via RDP. Desktop Connections are common sessions on a Terminal Server.
Virtual Desktop Infrastructure (VDI)
Desktop Virtualization is a new feature in Windows Server 2008 R2.

VSS Writer
Windows Server Backup is scheduled to run nightly but will often fail intermittently and then consistently. From a command line one can see the status of the Volume Shadow Copy writers by typing vssadmin list writers. A number of the writers will show:
State: [5] Waiting for completion
Last error: No error
Stopping and starting the Volume Shadow Copy service does not change the status. A reboot of the server does fix the issue but is not a good solution. The easiest way to fix the status is to run a Backup Once of just the C drive to either a local or remote drive. Once completed, the writers all go back to Stable, No error.

Migrating from 2003 to 2008


1. Provide a static IP address to the Windows Server 2008 box you intend to use as Domain Controller.
2. Prepare your Active Directory environment for the first Windows Server 2008 Domain Controller by running adprep.exe with the needed switches.
3. Make the Windows Server 2008 box an extra Domain Controller for your existing domain by running dcpromo.exe.
4. Make the new server a Global Catalog server.
5. When your Windows Server 2003 Domain Controller is the only DNS Server, convert your DNS zone into an Active Directory Integrated Zone. Install DNS on the new server and it will automatically be populated. If another server is your DNS Server you need not do anything with DNS.
6. Migrate any data you'd want to migrate to the new Windows Server 2008 box (except for the SYSVOL and NETLOGON shares, which will be copied automatically).
7. Migrate any server roles you'd want to migrate to the new Windows Server 2008 box (think about Certificate Services, DHCP, Print Server and any business specific application at this moment).
8. Transfer all the FSMO roles from the Windows Server 2003 Active Directory Domain Controller to the Windows Server 2008 Domain Controller.
9. Get rid of your Windows Server 2003 box as a Domain Controller by demoting it using dcpromo.exe.
10. Optional: (see step 4) When your current Domain Controller is the DNS Server and you don't want it to be anymore, be sure to change this information on your clients (change the DHCP option, when DHCP is available) and reconfigure your DNS zones not to include the old server anymore.
11. Remove the Windows Server 2003 box from the domain and delete its computer account from Active Directory.
12. Get rid of your Windows Server 2003 box.
Transitioning your Active Directory will not require you to configure anything on the desktops of your users, and your users can start using the server right away, since each Active Directory Domain Controller stores a copy of the Active Directory information (users, computers, etc.) and the NETLOGON and SYSVOL shares.

Backup Types
1. Normal backup - copies all the files marked to be backed up.
2. Incremental backup - copies only those files that have been created or changed since the last incremental or normal backup. It clears the archive attribute.
3. Differential backup - copies only those files that have been created or changed since the last normal or incremental backup. It does not clear the archive attribute.
4. Copy backup - copies all the files you have selected.
5. Daily backup - copies all the files you have selected that have been modified on that day.
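The five backup types above expressed in terms of the file archive attribute, as an added Python model (not Windows Backup code and not from the original notes). The files and the day numbers are constructed; the model also encodes the fact that a normal backup clears the archive attribute, which the notes do not state, and adds a restore_sets helper showing which backup sets a restore needs under each strategy.

```python
"""Model of the five backup types above in terms of the file archive
attribute that Windows sets whenever a file is written. Added
illustration, not Windows Backup code; the files are constructed
in-memory records and days are simple integers."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileEntry:
    name: str
    modified_day: int
    archive: bool = True   # set on every write; cleared only by normal/incremental backups


def modify(f: FileEntry, day: int) -> None:
    """Simulate a write: the OS stamps the file and sets the archive attribute."""
    f.modified_day = day
    f.archive = True


def run_backup(kind: str, files: List[FileEntry], today: int) -> List[str]:
    """Return the names copied, and clear the archive attribute where the type does."""
    if kind == "normal":
        selected, clear = list(files), True
    elif kind == "incremental":
        selected, clear = [f for f in files if f.archive], True
    elif kind == "differential":
        selected, clear = [f for f in files if f.archive], False
    elif kind == "copy":
        selected, clear = list(files), False
    elif kind == "daily":
        selected, clear = [f for f in files if f.modified_day == today], False
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if clear:
        for f in selected:
            f.archive = False
    return sorted(f.name for f in selected)


def simulate_week(strategy: str) -> Dict[int, List[str]]:
    """Normal backup on day 0, then the given strategy each day; an ad-hoc copy
    backup on day 3 shows that it does not disturb the chain."""
    files = [FileEntry("a.docx", 0), FileEntry("b.xlsx", 0), FileEntry("c.pst", 0)]
    sets = {0: run_backup("normal", files, 0)}
    modify(files[0], 1)
    sets[1] = run_backup(strategy, files, 1)
    modify(files[1], 2)
    sets[2] = run_backup(strategy, files, 2)
    run_backup("copy", files, 3)          # copy backup: archive attributes untouched
    sets[3] = run_backup(strategy, files, 3)
    return sets


def restore_sets(strategy: str, up_to_day: int) -> List[int]:
    """Which backup sets (by day) a full restore to the end of up_to_day needs."""
    if strategy == "incremental":
        return list(range(up_to_day + 1))             # normal + every incremental
    return [0, up_to_day] if up_to_day else [0]       # normal + latest differential
```

The trade-off the types imply is visible in the two simulated weeks: incremental sets stay small but a restore needs the whole chain, so a single lost or tampered set breaks every later restore, while differential sets grow but a restore needs only two.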
