
WINDOWS SERVER INTERVIEW QUESTIONS

1) What are the different file systems in Windows NT based systems?--FAT16, FAT32, NTFS

2) Difference between FAT16, FAT32 and NTFS file systems---

Properties of FAT16
- Supports partition sizes of up to 2.1 GB under MS-DOS and 4.0 GB under Windows NT 4.0.
- Each partition may contain a maximum of 65,536 files
- Restricted to 512 entries in the root directory of the hard drive and 128 entries in the root partition of a floppy disk
- No built-in support for long file names - Windows 95/98 VFAT writes additional entries to a modified file allocation table containing the long file name (up to 255 characters); this reduces the maximum number of entries in the root directory

Advantages
- Compatible with operating systems other than DOS (including Windows 95, Windows 98, and Windows NT)
- No size overhead

Disadvantages
- Large cluster size results in poor use of drive space for large partitions
- No compression available under Windows NT
- Minimal security - may only set the read-only and hidden attributes of files
- Updating the FAT table is slow - performance decreases as partition sizes become greater than a few hundred MB

Properties of FAT32
- Theoretical maximum partition size of 2048 GB
- Each partition may contain a maximum of 2,097,152 files
- Restricted to 65,535 entries in the root directory of the hard drive
- Long file names supported through Windows 95/98 VFAT - VFAT writes additional entries to a modified file allocation table containing the long file name (up to 255 characters)

Advantages
- Small cluster size (as small as 4K)
- Relocatable root directory allows for a greater number of entries
- The file allocation table (FAT) and master boot record (MBR) may be relocated
- Backup copies of the FAT and MBR may be created with the proper tool
- May disable writing to the secondary FAT; can run directly from the secondary FAT if the primary FAT lies on a bad cluster

Disadvantages
- Only compatible with Windows 95 OSR2/98 - not accessible if a FAT32 partition is booted from media formatted under any operating system other than Microsoft Windows 95 OSR2 or Windows 98
- Some size overhead - best used with larger hard drives
- Not compatible with many existing disk utilities

Properties of NTFS
- Partition support for up to 16 exabytes
- C2 level security (suitable for government use)
- Long file names supported

Advantages
- Small cluster size
- Performance does not degrade as partition size increases
- Compression on the directory and file levels
- Automatic bad cluster remapping
- Little need for drive repair utilities

Disadvantages
- Only compatible with Windows NT, 2000, or XP
- Large overhead - should not be used with drives smaller than 400 MB
- Not possible to format a removable diskette (floppy/Zip/CD-R) with the NTFS file system

Cluster Size vs. Partition Size
The table below shows the partition and cluster size differences of each of the file system types. NOTE: FAT16 partition sizes greater than 2.1 GB are only supported under Windows NT 4.0.

Partition Size           Cluster Size FAT16   Cluster Size FAT32   Cluster Size NTFS
1 MB - 127 MB            2K                   N/A                  512 bytes
128 MB - 255 MB          4K                   N/A                  512 bytes
256 MB - 511 MB          8K                   N/A                  512 bytes
512 MB - 1023 MB         16K                  4 KB                 1K
1024 MB - 2048 MB        32K                  4 KB                 2K
2048 MB - 4096 MB        64K                  4 KB                 4K
4096 MB - 8192 MB        N/A                  4 KB                 8K
8192 MB - 16384 MB       N/A                  8 KB                 16K
16384 MB - 32768 MB      N/A                  16 KB                32K
greater than 32768 MB    N/A                  32 KB                64K

3) What is a Domain and a Workgroup? Highlight advantages and disadvantages.

Domain
- Centralized way of administration
- The current Windows user should be a member of the Domain Administrators group, and that group, in turn, must be in the local Administrators group of the Clients
- Network printer can be configured
- The advantage is that you have a dedicated server to log/track all users and shares via Active Directory, and you can also use this server for other things such as a SQL server and/or SBS etc. The disadvantage to this is the cost and maintenance required to keep this configuration running.
- Advantages: 1. One location for all user accounts, groups and computers; passwords are the same for all computers. 2. Easier and quicker to maintain. 3. Scales easier if you add more users and computers.
- Disadvantages: 1. Requires a Windows server. 2. Complex to set up.

Workgroup
- Each computer is seen as a server
- User authentication in a workgroup network may be an issue if not set up properly. In a Workgroup there is no common repository of usernames and passwords (and their associated privileges as in a Domain), so usernames must be manually created on each Client. A user logged on to the Control Center must have local Administrator permissions on the Client computers. The Administrator user name and password must be the same for all Clients and Server components in the workgroup.
- Need to always remember the UN and PWD for another computer
- A Workgroup has no dedicated server(s) to track users and such; it's all done via each client machine on the LAN, and this includes shared objects and user logons. Advantage: cheaper to run and maintain, as you only need two machines running in the same workgroup to be called a workgroup.
- Advantages: 1. Useful for small networks (10 or fewer computers). 2. Very easy to set up. 3. No additional knowledge required. 4. No server required.
- Disadvantages: 1. Need to set up an account and password on each and every machine. 2. Passwords can become out of sync if changed on one computer and not others. 3. Not easily scalable: if using more than 10 computers, the number of accounts to set up increases a lot more. 4. More time required to set up new users. 5. If using file sharing, you may reach the 10 maximum simultaneous connections limit.

4) Difference between WinNT 4.0 Domain and Win2K ADS domain model.---
Only fragments of the comparison table survive:
Win 2003: NTFS 5 | Rename - most important | 32 trillion | Large disk | Better remote connection | IIS 5
Win 2000: 5.2 | No rename | ?0 mil | Mini | Not much | IIS 5

5) Which is the latest SP for WinNT 4.0?--Ans: SP6a

6) What are PDC and BDC? Highlight the difference between PDC and BDC--A PDC is a Primary Domain Controller, and a BDC is a Backup Domain Controller. You must install a PDC before any other domain servers. The Primary Domain Controller maintains the master copy of the directory database and validates users. A Backup Domain Controller contains a copy of the directory database and can validate users. If the PDC fails then a BDC can be promoted to a PDC. Possible data loss is user changes that have not yet been replicated from the PDC to the BDC. A PDC can be demoted to a BDC if one of the BDCs is promoted to the PDC.

7) Can we reset a password or make changes to the domain in NT 4.0 when the PDC is down and a BDC is up? NO, since it is read only; you have to first promote the BDC to PDC, then make the changes.

8) What are the NT authentication methods in the WinNT 4.0 domain model?

9) What are Local and Global groups in NT 4.0?

10) What is the Windows NT system boot sequence?
The Windows NT boot process occurs in these stages:
o The Power On Self Test (POST) Process
o The Initial Startup Process
o The Boot Loader Process
o The Boot Sequence
o The Load Phase

All these files MUST be in the root directory of the system partition:

File           Attributes   Function
Ntldr          H, R, S      Loads the OS
Boot.ini       R, S         Builds the OS Loader V4.00 Operating System Selection menu
Bootsect.dos   H            Loaded by Ntldr if another OS (MS-DOS, Windows 95, OS/2 1.x) is selected instead of Windows NT. Contains a copy of the boot sector that was on the hard disk before installing Windows NT
NTdetect.com   H, R, S      Used to examine available hardware and to build a hardware list. Information is passed back to Ntldr to be added to the registry later in the boot
NTbootdd.sys   H, R, S      Only on systems booting from a BIOS-disabled SCSI hard disk; the driver accesses devices attached to the SCSI adapter during the Windows NT boot sequence

11) What are the two types of disk systems? Ans: Basic and Dynamic

12) What are the different versions of the Win2K OS? Ans: Win 2000 Pro, Win2k Server, Adv Srv, Data Centre

13) What is the latest SP for Win2k? Ans: Service Pack 4

14) What are FSMO roles? Explain each FSMO role.
Overview of FSMO Roles
There are five different FSMO roles and they each play a different function in making Active Directory work:

PDC Emulator - This role is the most heavily used of all FSMO roles and has the widest range of functions. The domain controller that holds the PDC Emulator role is crucial in a mixed environment where Windows NT 4.0 BDCs are still present. This is because the PDC Emulator role emulates the functions of a Windows NT 4.0 PDC. But even if you've migrated all your Windows NT 4.0 domain controllers to Windows 2000 or Windows Server 2003, the domain controller that holds the PDC Emulator role still has a lot to do. For example, the PDC Emulator is the root time server for synchronizing the clocks of all Windows computers in your forest. It's critically important that computer clocks are synchronized across your forest because if they're out by too much then Kerberos authentication can fail and users won't be able to log on to the network. Another function of the PDC Emulator is that it is the domain controller to which all changes to Group Policy are initially made. For example, if you create a new Group Policy Object (GPO) then this is first created in the directory database and within the SYSVOL share on the PDC Emulator, and from there the GPO is replicated to all other domain controllers in the domain. Finally, all password changes and account lockout issues are handled by the PDC Emulator to ensure that password changes are replicated properly and account lockout policy is effective. So even though the PDC Emulator emulates an NT PDC (which is why this role is called PDC Emulator), it also does a whole lot of other stuff. In fact, the PDC Emulator role is the most heavily utilized FSMO role, so you should make sure that the domain controller that holds this role has sufficiently beefy hardware to handle the load. Similarly, if the PDC Emulator role fails then it can potentially cause the most problems, so the hardware it runs on should be fault tolerant and reliable. Finally, every domain has its own PDC Emulator role, so if you have N domains in your forest then you will have N domain controllers with the PDC Emulator role as well.

RID Master - This is another domain-specific FSMO role, that is, every domain in your forest has exactly one domain controller holding the RID Master role. The purpose of this role is to replenish the pool of unused relative IDs (RIDs) for the domain and prevent this pool from becoming exhausted. RIDs are used up whenever you create a new security principal (user or computer account) because the SID for the new security principal is constructed by combining the domain SID with a unique RID taken from the pool. So if you run out of RIDs, you won't be able to create any new user or computer accounts, and to prevent this from happening the RID Master monitors the RID pool and generates new RIDs to replenish it when it falls beneath a certain level.

Infrastructure Master - This is another domain-specific role and its purpose is to ensure that cross-domain object references are correctly handled. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly. As you can guess however, if your Active Directory deployment has only a single domain, then the Infrastructure Master role does no work at all, and even in a multi-domain environment it is rarely used except when complex user administration tasks are performed, so the machine holding this role doesn't need to have much horsepower at all.

Schema Master - While the first three FSMO roles described above are domain-specific, the Schema Master role and the one following are forest-specific and are found only in the forest root domain (the first domain you create when you create a new forest). This means there is one and only one Schema Master in a forest, and the purpose of this role is to replicate schema changes to all other domain controllers in the forest. Since the schema of Active Directory is rarely changed however, the Schema Master role will rarely do any work. Typical scenarios where this role is used would be when you deploy Exchange Server onto your network, or when you upgrade domain controllers from Windows 2000 to Windows Server 2003, as these situations both involve making changes to the Active Directory schema.

Domain Naming Master - The other forest-specific FSMO role is the Domain Naming Master, and this role too resides in the forest root domain. The Domain Naming Master role processes all changes to the namespace; for example, adding the child domain vancouver.mycompany.com to the forest root domain mycompany.com requires that this role be available. So if you can't add a new child domain or new domain tree, check to make sure this role is running properly.
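An added example for the RID Master discussion above (not part of the original document): PowerShell that splits constructed account SIDs into the domain SID plus the RID, classifies well-known versus pool-allocated RIDs, and decodes a constructed rIDAvailablePool value of the kind the RID Master keeps on CN=RID Manager$. The SID strings and the pool value are made up for the demonstration.

```powershell
# Added example (not from the original document). Shows how an account SID is
# built from the domain SID plus a RID, and how to read the RID pool counter that
# the RID Master maintains. All SID strings and pool values here are constructed.
Set-StrictMode -Version Latest

function Split-AccountSid {
    param([Parameter(Mandatory)][string]$SidString)

    $sid = New-Object System.Security.Principal.SecurityIdentifier $SidString
    # AccountDomainSid is $null for SIDs that do not belong to a domain
    # (built-in S-1-5-32-* groups, well-known S-1-1-0, ...)
    if ($null -eq $sid.AccountDomainSid) {
        return [pscustomobject]@{ Sid = $SidString; DomainSid = $null; Rid = $null; Kind = 'NotDomainAccount' }
    }
    # The RID is the last sub-authority; everything before it is the domain SID
    $rid = [uint32]($SidString.Split('-')[-1])
    # RIDs below 1000 are reserved well-known RIDs (500 Administrator, 512 Domain Admins, ...);
    # 1000 and above are handed out from the pool the RID Master allocates to each DC
    $kind = if ($rid -lt 1000) { 'WellKnown' } else { 'PoolAllocated' }
    [pscustomobject]@{
        Sid       = $SidString
        DomainSid = $sid.AccountDomainSid.Value
        Rid       = $rid
        Kind      = $kind
    }
}

function ConvertFrom-RidAvailablePool {
    # rIDAvailablePool on CN=RID Manager$,CN=System,<domain> packs two 32-bit
    # numbers into one 64-bit value: high half = highest RID ever allocatable,
    # low half = next RID the RID Master will hand out
    param([Parameter(Mandatory)][int64]$Value)
    $max  = [uint32]($Value -shr 32)
    $next = [uint32]($Value -band [int64]4294967295)
    [pscustomobject]@{
        MaxRid        = $max
        NextRid       = $next
        RidsRemaining = $max - $next
        PercentUsed   = [math]::Round(100.0 * $next / $max, 4)
    }
}

# Constructed sample data: a made-up domain SID, and a pool value whose halves are
# 1073741823 (max) and 2100 (next free RID)
$samples = 'S-1-5-21-1111111111-2222222222-3333333333-500',
           'S-1-5-21-1111111111-2222222222-3333333333-1105',
           'S-1-5-32-544'
$samples | ForEach-Object { Split-AccountSid $_ } | Format-Table -AutoSize
ConvertFrom-RidAvailablePool -Value 4611686014132422708 | Format-List
```

On a live domain the pool value would come from Get-ADObject on the RID Manager$ object with -Properties rIDAvailablePool; a RidsRemaining that keeps shrinking while no accounts are being created points at a RID Master that is not replenishing.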

To summarize then, the Schema Master and Domain Naming Master roles are found only in the forest root domain, while the remaining roles are found in each domain of your forest. Now let's look at best practices for assigning these roles to different domain controllers in your forest or domain.

16) What is the use of the PDC emulator in both Native and Mixed mode?
PDC emulator
By default, Windows 2000 (Win2K) networks operate in a mixed mode, which lets both Win2K and Windows NT domain controllers coexist. During migration to Win2K, the mixed mode provides the functionality that lets NT domain controllers offer domain services. After you upgrade all NT domain controllers to Win2K, switch from mixed mode to native mode, which doesn't support NT domain controllers. However, before you switch to native mode, you need to understand the differences between the two modes. Depending on your organization, when you convert to native mode can be a critical decision with major implications. It's a one-way conversion; there's no going back.

Mixed Mode: In mixed mode, a Win2K domain assigns a domain controller to act as a PDC for NT BDCs. By default, the first domain controller in a Win2K domain acts as the PDC emulator. There can be only one PDC emulator in a domain, and you can assign the role to any domain controller in a domain. The PDC emulator performs several important tasks in mixed mode, including:
- Emulating a PDC and replicating account information to BDCs.
- Handling account modifications, including password changes.
- Acting as a master browser for NT clients.
- Providing NT LAN Manager (NTLM) authentication services.
- Supporting Active Directory (AD) replication to Win2K domain controllers and NTLM replication to BDCs.

If a Win2K site in mixed mode contains Win2K clients, make sure there's at least one Win2K domain controller in that site, because the Win2K clients first attempt to locate Win2K domain controllers using DNS. If a client doesn't find a Win2K domain controller, it'll try to use NTLM to log on to an NT domain controller. Obviously, NT doesn't support group policies, so your Win2K client users won't be able to take advantage of either the group policies or the logon scripts.
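As an added example (not part of the original document): a PowerShell check that lists which domain controller holds each of the five FSMO roles described above, the two forest-wide roles from the root domain and the three domain roles for every domain, and whether each holder currently answers. It assumes the ActiveDirectory RSAT module on a domain-joined host; the cmdlets and properties used are the module's own.

```powershell
# Added example (not from the original document). Lists which DC holds each of the
# five FSMO roles and checks that each holder answers, so a failed PDC Emulator
# (time source, password changes, lockouts) or RID Master (new accounts) is noticed
# before users start seeing logon or account-creation failures.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    param([string]$Forest = (Get-ADForest).Name)

    $f = Get-ADForest -Identity $Forest
    # Forest-wide roles live in the forest root domain only
    $roles = @(
        [pscustomobject]@{ Scope = $f.RootDomain; Role = 'SchemaMaster';       Holder = $f.SchemaMaster }
        [pscustomobject]@{ Scope = $f.RootDomain; Role = 'DomainNamingMaster'; Holder = $f.DomainNamingMaster }
    )
    # The three domain-specific roles exist once per domain in the forest
    foreach ($domainName in $f.Domains) {
        $d = Get-ADDomain -Identity $domainName
        foreach ($r in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $roles += [pscustomobject]@{ Scope = $d.DNSRoot; Role = $r; Holder = $d.$r }
        }
    }
    foreach ($entry in $roles) {
        # A role holder that does not answer is, in practice, a missing role
        $dc = $null
        try { $dc = Get-ADDomainController -Identity $entry.Holder -ErrorAction Stop } catch { }
        $entry | Add-Member -NotePropertyName Reachable -NotePropertyValue ($null -ne $dc) -PassThru
    }
}

Get-FsmoRoleStatus | Format-Table -AutoSize
```

Any row with Reachable = False deserves attention first; seizing a role is only appropriate when the original holder will never return, since the RID pool and schema state cannot be merged afterwards.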

17) What are the 3 naming contexts into which ADS is divided?

18) What will be the effect on the root and child domain if the Schema Master is down?

19) What is the Win2k authentication method? Ans: Kerberos and certificate

20) What is a GC? Why is it recommended to have a GC for each AD site and sub-domain?
Using a Global Catalog allows for circumventing this obstacle when querying for objects outside of the requester's domain. The Global Catalog contains an index of all objects in the forest and a small, most commonly used subset of their attributes. This eliminates most of the time the need for the requester's searches through other domains in a forest (unless one of the non-typical attributes is searched for). The number of attributes stored on each Global Catalog server can be modified by using the Schema Management snap-in (by selecting the "Replicate this attribute to the Global Catalog" option for selected attributes of an object). In addition, GCs are used by default in a native mode environment when looking up universal group information during login. If none of the GCs can be contacted, users are not allowed to log on to the domain (if the cost of placing a high performance server in a site is prohibitive, this requirement can be eliminated by modifying the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\IgnoreGCFailures registry entry; in such a case, though, the use of universal groups is discouraged). Therefore, at least one Global Catalog per site should be available. The Global Catalog is installed automatically on the first domain controller in the forest. Subsequent installations (or relocation of the original GC) are up to forest and domain administrators.

OR

Windows 2000 Global Catalog Servers store all of the Active Directory object attributes for all of the Active Directory objects from their own domain. This is referred to as a full replica. They also contain some of the Active Directory object attributes from all of the remaining Active Directory objects from all of the other domains in the forest. This is referred to as a partial replica. This subset of data from throughout the forest allows for user and service queries for finding directory information and directory objects from any domain in the forest, regardless of which domain that data and/or object exists in. In a nutshell this means, for example, a user from one domain can search for a printer that is published in the Active Directory and locate it in any domain, even an external one, by using only the printer's name or some other known (to the Active Directory database) attribute. This could be a building number or floor or some other naming convention used within the given organization.

21) What is the TCP/IP port for the GC? 3268 / 3269

22) What is the IIS version on Win2k servers? ANS: 5.0

23) What types of dynamic disks are supported in Win 2k server?

Windows 2000 supports the following types of volumes, which can only be created on dynamic disks:
- Simple Volumes - Formatted partition on a hard drive. Has no fault tolerance.
- Spanned Volumes - Formatted partition or disk space on more than one partition or hard drive that appears as one volume. In Windows NT, this is called a volume set. Has no fault tolerance. The system or boot partitions cannot be included in a spanned volume. FAT, FAT32 and NTFS file systems may be included. Space from two to thirty-two dynamic disks can be included. If one disk on the spanned volume fails, all data is lost, and no part of a spanned volume may be removed without destroying the entire volume.
- Striped Volumes - Also called disk striping or a striped set in Windows NT, it is when two areas of disk space which are identical in size have half the information written on one area and the other half written on the second area. This effectively doubles the disk access speed, but provides no fault tolerance. In Windows NT, this is called a stripe set, which is created on a basic disk.
- Mirrored Volumes - Also known as RAID 1 or a mirror set on Windows NT, this is a fault tolerance method where data is stored on two volumes (that appear as one) rather than a single volume. This costs access time, but is fault tolerant.
- RAID-5 Volumes - Require three or more areas of formatted drive space. Generating parity information can cost processor time.

24) What are local, global and Universal groups in an ADS domain?

25) What is the database for ADS services?

26) What is Sysvol used for?

The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain.

Note: Only the Group Policy template (GPT) is replicated by SYSVOL. The Group Policy container (GPC) is replicated through Active Directory replication. To be effective, both parts must be available on a domain controller. FRS monitors SYSVOL and, if a change occurs to any file stored on SYSVOL, then FRS automatically replicates the changed file to the SYSVOL folders on the other domain controllers in the domain. The day-to-day operation of SYSVOL is an automated process that does not require any human intervention other than watching for alerts from the monitoring system.

Occasionally, you might perform some system maintenance as you change your network. This objective describes the basic tasks required for managing SYSVOL in order to maintain capacity and performance of SYSVOL, for hardware maintenance, or for data organization.
Source: http://technet2.microsoft.com/WindowsServer/en/Library/551f0123-2?a7-4ce5-be78-873e7aa79bd31033.mspx

27) What are Dcdiag, netdiag, replmon, repstat and dsadiag, and how are they used?

DCDiag is a command-line tool which analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. As an end-user reporting program, DCDiag encapsulates detailed knowledge of how to identify abnormal behavior in the system. DCDiag consists of a framework for executing tests and a series of tests to verify different functional areas of the system. This framework selects which domain controllers are tested according to scope directives from the user, such as enterprise, site, or single server.

Netdiag
Netdiag is a command-line diagnostic tool that you can use to test network connectivity and the key network status. These tests and information will give network administrators and support personnel a more direct means of identifying and isolating network problems.

Replication Monitor
Use REPLMON to query and control replication and to view the location of the FSMO roles.

DSADiag
You can use the DSADiag utility to display the current list of cached servers that DSAccess is using (and thus supplying to DSProxy) and also to force DSAccess to refresh the server list. DSADiag, which is available from http://www.exinternals.com, is a single executable file. To use the utility, you must place the file in the \exchsrvr\bin directory and execute DSADiag from a command window.

28) What are the different types of backup in Windows 2000? ANS: Normal, Copy, Differential, Incremental, Daily

29) Explain by means of a scenario where I would require a tree, a child domain, or an additional domain controller.

30) What is TCP/IP?

31) What is the Distributed File System?
The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the 'key' to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares. DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability. Medium to large sized organizations are most likely to benefit from the use of DFS; for smaller companies it is simply not worth setting up, since an ordinary file server would be just fine.

32) What is an unattended installation in 2000?

33) What are the different types of RAID? ANS: RAID 0 to 5: RAID 0 (Striped), RAID 1 (Mirrored), RAID 2, RAID 3, RAID 4, RAID 5

34) What do you mean by Clustering?

35) What is the difference between an OU and a Group?

Organizational Units
An organizational unit is an administrative-level container, depicted in Figure 6.1, that is used to logically organize objects in Active Directory. The concept of the organizational unit is derived from the Lightweight Directory Access Protocol (LDAP) standard upon which Active Directory was built, although there are some conceptual differences between pure LDAP and Active Directory.

Figure 6.1 Active Directory organizational structure.

Objects within Active Directory can be logically placed into OUs as defined by the administrator. Although all user objects are placed in the Users folder by default and computer objects are placed in the Computers folder, they can be moved at any time.

NOTE: The default Users and Computers folders in Active Directory are not technically organizational units. Rather, they are technically defined as Container class objects. It is important to understand this point because these Container class objects do not behave in the same way as organizational units. To be able to properly utilize services such as Group Policies that depend on the functionality of OUs, it is recommended that you move your user and computer objects into an OU structure.

Each object in the Active Directory structure can be referenced via LDAP queries that point to its specific location in the OU structure. You will often see objects referenced in this format when you're writing scripts to modify or create users in Active Directory or simply running LDAP queries against Active Directory. For example, in Figure 6.2, a user named Andrew Abbate in the San Jose Users OU would be represented by the following LDAP string:

Figure 6.2 Active Directory organizational structure.

NOTE: OU structure can be nested, or include sub-OUs that are many layers deep. Keep in mind, however, that the more complex the OU structure, the more difficult it becomes to administer and the more time-consuming directory queries become. Microsoft recommends not nesting more than 10 layers deep. However, it would be wise to keep the complexity significantly shorter than that number to maintain the responsiveness of directory queries.

OUs primarily satisfy the need to delegate administration to separate groups of administrators. Although there are other possibilities for the use of OUs, this type of administration delegation is, in reality, the primary factor that exists for the creation of OUs in an AD environment. See the "OU Design" section of this chapter for more details on this concept.

The Need for Organizational Units
While there is a tendency to use organizational units to structure the design of Active Directory, OUs should not be created just to document the organizational chart of the company. The fact that the organization has a Sales department, a Manufacturing department, and a Marketing department doesn't suggest that there should be these three Active Directory OUs. An administrator should create organizational units if the departments will be administered separately and/or policies will be applied differently to the various departments. However, if the departments will all be administered by the same IT team, and the policies being applied will also be the same, having multiple OUs is not necessary. Additionally, organizational units are not exposed to the directory, meaning that if a user wants to send an e-mail to the members of an OU, he would not see the OU structure nor the members in the OU grouping. To see members of an organizational structure, Active Directory groups should be created. Groups are exposed to the directory and will be seen when a user wants to list members and groups in the organization.

Groups
The idea of groups has been around in the Microsoft world for much longer than OUs have been. As with the OU concept, groups serve to logically organize users into an easily identifiable structure. However, there are some major differences in the way that groups function as opposed to OUs. Among these differences are the following:

- Group Membership Viewable by Users - Whereas OU visibility is restricted to administrators using special administrative tools, groups can be viewed by all users engaged in domain activities. For example, users who are setting security on a local share can apply permissions to security groups that have been set up on the domain level.
- Membership in Multiple Groups - OUs are similar to a file system's folder structure. In other words, a file can reside in only one folder or OU at a time. Group membership, however, is not exclusive. A user can become a member of any one of a number of groups, and her membership in that group can be changed at any time.
- Groups as Security Principals - Each security group in Active Directory has a unique Security ID (SID) associated with it upon creation. OUs do not have associated Access Control Entries (ACEs) and consequently cannot be applied to object-level security. This is one of the most significant differences because security groups allow users to grant or deny security access to resources based on group membership. Note, however, that the exception to this is distribution groups, which are not used for security.
- Mail-Enabled Group Functionality - Through distribution groups and (with the latest version of Microsoft Exchange) mail-enabled security groups, users can send a single e-mail to a group and have that e-mail distributed to all the members of that group. The groups themselves become distribution lists, while at the same time being available for security-based applications. This concept is elaborated further in the "Distribution Group Design" section later in this chapter.
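An added example for the OU discussion above (not from the original chapter): PowerShell that builds the LDAP distinguished name used to reference a user inside a nested OU structure, escaping RFC 4514 special characters so a comma in a name cannot create a bogus DN component, and measures OU depth against the 10-layer guideline. The domain company.com, the OU names and the user name are constructed for the demonstration, not taken from the book's figure.

```powershell
# Added example (not from the original chapter). Builds the distinguished name that
# LDAP queries use to locate a user inside a nested OU structure, escaping RFC 4514
# special characters, and measures OU depth against the 10-layer guideline.
# The domain, OUs and user below are constructed.
Set-StrictMode -Version Latest

function ConvertTo-LdapRdnValue {
    # Escape the characters that would otherwise be read as DN structure
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    if ($escaped.StartsWith('#') -or $escaped.StartsWith(' ')) { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

function New-UserDn {
    param(
        [Parameter(Mandatory)][string]$DnsDomain,   # e.g. company.com -> DC=company,DC=com
        [Parameter(Mandatory)][string[]]$OuPath,    # top-level OU first, leaf OU last
        [Parameter(Mandatory)][string]$CommonName
    )
    $rdns = @("CN=$(ConvertTo-LdapRdnValue $CommonName)")
    # A DN reads leaf first, so the OU path is emitted from the innermost OU outward
    for ($i = $OuPath.Count - 1; $i -ge 0; $i--) {
        $rdns += "OU=$(ConvertTo-LdapRdnValue $OuPath[$i])"
    }
    $rdns += ($DnsDomain.Split('.') | ForEach-Object { "DC=$_" })
    return ($rdns -join ',')
}

function Get-OuDepth {
    # Count OU components, splitting only on commas that are not escaped
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts = $DistinguishedName -split '(?<!\\),'
    $depth = @($parts | Where-Object { $_ -like 'OU=*' }).Count
    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        OuDepth           = $depth
        WithinGuideline   = ($depth -le 10)
    }
}

# Constructed sample: "Abbate, Andrew" contains a comma, which must be escaped or the
# resulting DN would gain an extra component and point at the wrong place
$dn = New-UserDn -DnsDomain 'company.com' -OuPath 'San Jose', 'San Jose Users' -CommonName 'Abbate, Andrew'
Get-OuDepth -DistinguishedName $dn | Format-List
```

The same escaping applies whenever user-supplied names are spliced into LDAP DNs or filters by scripts; unescaped input is how a lookup ends up targeting a different object than intended.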

Group Types: Security or Distribution
Groups in Windows .NET Server 2003 come in two flavors: security and distribution. In addition, groups can be organized into different scopes: machine local, domain local, global, and universal.

Security Groups
The type of group that administrators are most familiar with is the security group. This type of group is used to apply permissions to resources en masse so that large groups of users can be administered more easily. Security groups can be established for each department in an organization. For example, users in the Marketing department can be given membership in a Marketing security group, as shown in Figure 6.3. This group is then allowed to have permissions on specific directories in the environment.

Figure 6.3 Security group permission sharing.

This concept should be familiar to anyone who is used to administering down-level Windows networks such as NT or Windows 2000. As you will soon see, however, some fundamental changes in Windows .NET Server 2003 change the way that these groups function. As previously mentioned, security groups have a unique Security ID (SID) associated with them, much in the same way that individual users in Active Directory have a SID. It is the SID, not the name, that is written into access control lists, so it is the SID that is used to apply security to objects and resources in the domain. This also explains why you cannot simply delete a group and create a new one with the same name and expect it to carry the old group's permissions: the new group gets a new SID, and every ACL that referenced the old SID now holds an orphaned entry (shown as an unresolvable SID) that grants nothing to the new group.

Distribution Groups

The concept of distribution groups in Windows .NET Server 2003 was introduced in Windows 2000 along with its implementation of Active Directory. Essentially, a distribution group is a group whose members are able to receive Simple Mail Transfer Protocol (SMTP) mail messages that are sent to the group. Any application that can use Active Directory for address book lookups can use this functionality in Windows .NET Server 2003. Distribution groups are often confused with mail-enabled groups, a concept in environments with Exchange 2000. In most cases distribution groups are not used in environments without Exchange 2000, because their functionality is limited to infrastructures that can support them.

NOTE: In environments with Exchange 2000, distribution groups can be used to create e-mail distribution lists. A distribution group's SID is never placed in a user's access token, so it cannot be used to apply security. However, if separation of security and e-mail functionality is not required, you can make security groups mail-enabled.

Mail-Enabled Groups

With the introduction of Exchange 2000 into an Active Directory environment comes a new concept: mail-enabled groups. These groups are essentially security groups that are referenced by an e-mail address, and can be used to send SMTP messages to the members of the group. This type of functionality becomes possible only with the inclusion of Exchange 2000 or higher. Exchange 2000 extends the forest schema to allow Exchange-related information, such as SMTP addresses, to be associated with each group. Most organizations will find that mail-enabled security groups satisfy most of their needs, both security-wise and e-mail-wise. For example, a single group called Marketing that contains all users in that department could also be mail-enabled to allow Exchange users to send e-mails to everyone in the department.

Group Scope

There are four primary scopes of groups in Active Directory. Each scope is used for different purposes, but all serve to ease administration and provide a way to view or perform functions on large groups of users at a time. The group scopes are as follows:

Machine local groups
Domain local groups
Global groups
Universal groups

Group scope can become one of the most confusing aspects of Active Directory, and it can often require a doctorate degree in Applied BioGroupology to sort it all out. However, if certain design criteria are applied to group membership and creation, the concept becomes more palatable.

Machine Local Groups

Machine local groups live in a machine's local security database (the SAM) and can be used to assign permissions only on the machine where they exist. They include the default local groups such as Power Users and Administrators that every standalone system or member server has, plus any local groups created on that machine. Before domains simplified administration, local groups were used to control access to the resources on a server. The downside to this approach was that users needed a separate user account on each machine that they wanted to access. In a domain environment, using these groups for permissions is not recommended because the administrative overhead would be overwhelming.

NOTE: Domain controllers in an Active Directory forest do not have machine local groups or local user accounts. When the dcpromo command is run on a server to promote it to a domain controller, the local SAM accounts and groups are retired in favor of domain accounts; the built-in groups (Administrators, Backup Operators and so on) become domain-wide groups in the Builtin container. Any permissions that were assigned to local users on that server must be reapplied using domain accounts.

Domain Local Groups

Domain local groups, a term that may seem contradictory at first, are domain-level groups that can be used to establish permissions on resources in the domain in which they reside. Essentially, domain local groups are the evolution of the old Windows NT local groups. Domain local groups can contain members from anywhere in an Active Directory forest or from any trusted domain outside the forest. A domain local group can contain members from any of the following:

Global groups
User accounts
Universal groups (in AD Native mode only)
Other domain local groups from the same domain (nested, in Native mode only)

Domain local groups are primarily used for access to resources: a domain local group is created for each resource (or for each resource and access level), and other accounts and/or groups are added to it. This makes it easy to determine which users and groups have access to a resource by inspecting a single group.

Global Groups

Global groups are the reincarnation of the NT global group, but with slightly different characteristics. These groups can contain the following types of objects:

User accounts (and computer accounts) from their own domain
Global groups from their own domain (Native mode only)

Global groups are primarily useful in sorting users into easily identifiable groupings and using them to apply permissions to resources. What separates global groups from universal groups, however, is that global group membership is not published to the global catalog: membership replication stops at the domain boundary, limiting replication outside the domain.

Universal Groups

The concept of universal groups was new with the release of Windows 2000 and has become even more useful in Windows .NET Server 2003. Universal groups are just that: universal. They can contain users, global groups and other universal groups from any domain in the forest, and can be assigned permissions on resources in any domain in the forest. Universal security groups are available only in Native Windows .NET Server 2003 or Windows 2000 modes and cannot be used in Interim or Windows NT Mixed mode (universal distribution groups can), because Windows NT4 backup domain controllers (BDCs) cannot replicate the functionality present in universal groups. Although simply making all groups within a domain into universal groups may seem practical, the limiting factor has always been that membership in universal groups is stored in the global catalog and is therefore replicated across the entire forest. To make matters worse, in Windows 2000 the group's member attribute was replicated as a single multi-valued unit, so any time membership was changed in a universal group, the entire group membership was re-replicated across the forest. Consequently, universal groups were limited in practice. Windows .NET Server 2003 introduces incremental universal group membership replication (linked-value replication), which replicates membership changes on a member-by-member basis; it requires the Windows Server 2003 forest functional level. This drastically reduces the replication effects that universal groups have on an environment and makes universal groups more feasible for distributed environments.

36) What is the difference between a Basic Disk & a Dynamic Disk?

Basic Disks - A standard disk described by the partition table, with standard partitions (primary and extended, with logical drives inside the extended partition). This is the format understood by MS-DOS, Windows 9x and Windows NT.

Dynamic Disks - Disks whose layout is kept in a Logical Disk Manager (LDM) database at the end of the disk rather than in the partition table. The units on a dynamic disk are called dynamic volumes; a volume can be extended without reformatting, and spanned, striped, mirrored or RAID-5 volumes can use space from more than one physical disk. Dynamic disks were new with the Windows 2000 operating system and are not supported by earlier Windows versions (or, in general, by other operating systems). Any volume that is on more than one hard drive must be created on dynamic disks. A basic disk can be converted to dynamic without data loss; a dynamic disk can only be converted back to basic by first deleting all the volumes on it.

37) What is the hosts file, the LMHOSTS file, WINS & DNS?

Hosts file: stored on the computer's file system, the hosts file is used to look up the Internet Protocol address of a device connected to a computer network. The hosts file describes a many-to-one mapping of device names to IP addresses. When accessing a device by name, the networking system will attempt to locate the name within the hosts file if it exists. Typically, this is used as a first means of locating the address of a system, before querying the Internet Domain Name System (DNS). The reason for this is that the hosts file is stored on the computer itself and does not require any network access. On Windows NT and later it lives in %SystemRoot%\System32\drivers\etc\hosts. Because it is consulted before DNS, it is a favourite target of malware and of anyone with write access to the machine: a single entry for a bank's or an update server's name silently redirects every connection to that name, so the file should be writable only by Administrators and is worth checking during an investigation.

LMHOSTS: a local file used by Microsoft WINS clients such as Windows 98 or Windows NT to provide mappings of IP addresses to NT computer names (NetBIOS names). It is located in the Windows directory on Windows 9x, or in the %SystemRoot%\System32\drivers\etc directory on Windows NT and later. The sample file shipped with Windows is called "lmhosts.sam"; the file the system actually reads must be named "lmhosts" with no extension. The sample file already contains commented instructions and examples similar to the following (a line starting with # is a remark):

127.0.0.1    localhost    #example of the local host
123.0.123.7  example      #example of a fake IP and name

In the above two examples, you can see that we have specified the IP address, the name, and the # remark for that line. "localhost" or "example" would be the NetBIOS name; therefore, when a client refers to "localhost" or "example", the computer resolves that name to the corresponding IP address from the file. This is also commonly used when unable to access, or having difficulties with, the name server.

WINS (Windows Internet Name Service) is the networked counterpart of LMHOSTS: a server-side database that resolves NetBIOS computer names to IP addresses so that every client does not need a static file. DNS (Domain Name System) is the networked counterpart of the hosts file: a distributed, hierarchical database that resolves host names such as server1.example.com to IP addresses, and the name service on which Active Directory depends.

38) What are NTFS permissions & share permissions?

NTFS permissions are an attribute of the folder or file for which they are configured. The NTFS permissions include both standard and special levels of settings. The standard settings are combinations of the special permissions, making the configuration more efficient and easier to establish. These permissions include the following, as shown in Figure 2:

Full Control
Modify
Read & Execute
List Folder Contents
Read
Write

There are 14 special permissions for folders, which include detailed control over creating, modifying, reading, and deleting subfolders and files contained within the folder where the permissions are established. NTFS permissions are stored with the object, in its security descriptor, so they stay with the object when it is renamed, moved within the same NTFS volume, or backed up and restored. A copy, or a move to a different volume, creates a new object that inherits the permissions of its destination folder instead. Share permissions are only associated with the folder that is being shared. For example, if there are 5 subfolders below the folder that is shared, only the initial shared folder can have share permissions configured on it. NTFS permissions can be established on every file and folder within the data storage structure, even if a folder is not shared. Share permissions are configured on the Sharing tab of the shared folder. On this tab, you will have a Permissions button, which exposes the share permissions when selected, as shown in Figure 3.

Figure 3: Share permissions on a shared folder

As you can see, the share permissions standard list of options is not as robust as the NTFS permissions. The share permissions only provide Full Control, Change, and Read. There are no special permissions available for share permissions, so the standard permissions are as granular as you can go for this set of access control. The share permissions are not part of the folder or file, so when the share name is changed, the folder is moved, or the folder is backed up, the share permissions are not included. This makes for a fragile control of the share permissions if the folder is modified. Two further points matter in practice: share permissions apply only to access over the network (a user logged on at the console or through Terminal Services is governed by NTFS permissions alone), and when both apply, the effective permission is the more restrictive of the two. The usual design is therefore a broad share permission (for example Change for Authenticated Users) with the real control done in NTFS.

39) What is symmetric & asymmetric processing?

Asymmetric: one CPU does the work of the system (the kernel); the other CPUs service user requests.
Symmetric: all processors can be used by the system and users alike. No CPU is special.

The asymmetric variant is potentially more wasteful, since it is rare that the system requires a whole CPU just to itself. This approach is more common on very large machines with many processors, where the work the system has to do is demanding enough to warrant a CPU of its own.

40) What is Routing & Remote Access?

41) What is VPN & what is the difference between PPTP & L2TP?

42) What is meant by subnet?

Subnet: A subnet (short for "subnetwork") is an identifiably separate part of an organization's network. Typically, a subnet may represent all the machines at one geographic location, in one building, or on the same local area network (LAN). Having an organization's network divided into subnets allows it to be connected to the Internet with a single shared network address. Without subnets, an organization could get multiple connections to the Internet, one for each of its physically separate subnetworks, but this would require an unnecessary use of the limited number of network numbers the Internet has to assign. It would also require that Internet routing tables on gateways outside the organization know about, and manage, routing that could and should be handled within the organization.

The Internet is a collection of networks whose users communicate with each other. Each communication carries the address of the source and destination networks and of the particular machine within the network associated with the user or host computer at each end. This address is called the IP address (Internet Protocol address). This 32-bit IP address has two parts: one part identifies the network (with the network number) and the other part identifies the specific machine or host within the network (with the host number). An organization can use some of the bits in the host part of the address to identify a specific subnet. Effectively, the IP address then contains three parts: the network number, the subnet number, and the machine number. The standard procedure for creating and identifying subnets is provided in an Internet standard.

The IP Address

The 32-bit IP address is often depicted as a dot address (also called dotted quad notation), that is, four groups (or quads) of decimal numbers separated by periods. Here's an example:

130.5.5.25

Each of the decimal numbers represents a string of eight binary digits. Thus, the above IP address really is this string of 0s and 1s:

10000010.00000101.00000101.00011001

As you can see, we inserted periods between each eight-digit sequence just as we did for the decimal version of the IP address. Obviously, the decimal version of the IP address is easier to read and that's the form most commonly used.

Some portion of the IP address represents the network number or address and some portion represents the local machine address (also known as the host number or address). In classful addressing, IP addresses belong to one of several classes, each determining how many bits represent the network number and how many represent the host number. The class most commonly used by large organizations (Class B) allows 16 bits for the network number and 16 for the host number. Using the above example, here's how the IP address is divided:

<--Network address--><--Host address-->
       130.5        .       5.25

If you wanted to add subnetting to this address, then some portion (in this example, eight bits) of the host address could be used for a subnet address. Thus:

<--Network address--><--Subnet address--><--Host address-->
       130.5        .        5         .       25

To simplify this explanation, we've divided the subnet into a neat eight bits, but an organization could choose some other scheme using only part of the third quad or even part of the fourth quad. (Address classes are historical; since classless inter-domain routing (CIDR), the split between network and host bits is expressed directly as a prefix length such as /24, and the same mask arithmetic applies.)

The Subnet Mask

Once a packet has arrived at an organization's gateway or connection point with its unique network number, it can be routed within the organization's internal gateways using the subnet number as well. The router knows which bits to look at (and which not to look at) by applying a subnet mask. A mask is simply a screen of numbers that tells you which numbers to look at underneath. In a binary mask, a "1" over a bit says "Look at the bit underneath"; a "0" says "Don't look." Using a mask saves the router having to consider the entire 32-bit address; it simply looks at the bits selected by the mask (in practice it computes the bitwise AND of the destination address and the mask and looks the result up in its routing table). Using the previous example (which is a very typical case), the combined network number and subnet number occupy 24 bits, or three of the quads. The appropriate subnet mask, configured on the routers and hosts (it is not carried in the packet itself), would be:

255.255.255.0

or a string of all 1s for the first three quads (telling the router to look at these) and 0s for the host number (which the router doesn't need to look at). Subnet masking allows routers to move the packets on more quickly. If you have the job of creating subnets for an organization (an activity called subnetting) and specifying subnet masks, your job may be simple or complicated depending on the size and complexity of your organization and other factors.

Ans: Subnets are part of a network.

43) What is NAT?

Network Address Translation allows a single device, such as a router, to act as an agent between the Internet (or "public network") and a local (or "private") network. This means that only a single, unique IP address is required to represent an entire group of computers. But the shortage of IP addresses is only one reason to use NAT.
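The network/subnet/host split and the mask arithmetic described in question 42, as an added PowerShell example (not code from the original page). It uses the page's own 130.5.5.25 address with the Class B network mask 255.255.0.0 and a 255.255.255.0 subnet mask; the function names are my own.

```powershell
# Added example for the subnet/subnet-mask discussion above; not part of the
# original page. Function names are hypothetical. The addresses are the page's
# 130.5.5.25 example: Class B network mask 255.255.0.0, subnet mask 255.255.255.0.

function ConvertTo-DottedBinary {
    param([Parameter(Mandatory)][string]$Address)
    # "130.5.5.25" -> "10000010.00000101.00000101.00011001"
    ($Address.Split('.') | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join '.'
}

function Get-SubnetBreakdown {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$SubnetMask,
        # Classful mask (Class B for the example); under CIDR only $SubnetMask matters.
        [string]$ClassMask = '255.255.0.0'
    )
    $ip = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $sm = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    $cm = [System.Net.IPAddress]::Parse($ClassMask).GetAddressBytes()

    # A 1 bit in the mask means "look at this bit"; AND keeps exactly those bits.
    # This is the same operation a router performs on the destination address.
    $network = 0..3 | ForEach-Object { $ip[$_] -band $sm[$_] }
    # Bits that are 1 in the subnet mask but 0 in the class mask form the subnet number.
    $subnet  = 0..3 | ForEach-Object { $ip[$_] -band ($sm[$_] -bxor $cm[$_]) }
    # Bits that are 0 in the subnet mask form the host number.
    $hostNum = 0..3 | ForEach-Object { $ip[$_] -band (255 - $sm[$_]) }
    # Setting every host bit to 1 gives the directed broadcast address.
    $bcast   = 0..3 | ForEach-Object { $ip[$_] -bor  (255 - $sm[$_]) }

    # Prefix length = number of 1 bits in the subnet mask (255.255.255.0 -> /24).
    $prefix = ((ConvertTo-DottedBinary $SubnetMask) -replace '[^1]', '').Length

    [pscustomobject]@{
        Address       = $Address
        AddressBinary = ConvertTo-DottedBinary $Address
        SubnetMask    = "$SubnetMask (/$prefix)"
        NetworkPart   = ($network -join '.')   # 130.5.5.0  (network + subnet bits)
        SubnetPart    = ($subnet  -join '.')   # 0.0.5.0    (third quad in the example)
        HostPart      = ($hostNum -join '.')   # 0.0.0.25
        Broadcast     = ($bcast   -join '.')   # 130.5.5.255
        UsableHosts   = [math]::Pow(2, 32 - $prefix) - 2   # 254
    }
}

Get-SubnetBreakdown -Address '130.5.5.25' -SubnetMask '255.255.255.0' | Format-List
```

Changing the subnet mask to 255.255.255.192 (a /26) shows the "part of the fourth quad" case the text mentions: the subnet part becomes 0.0.5.0, the host part 0.0.0.25, the broadcast 130.5.5.63 and the usable host count 62.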

44) Explain the procedure for migrating from Windows NT 4.0 to Windows 2000.

Upgrading from Win NT to Win 2000 Domains

1. Upgrade the PDC in the master domain that will be the root domain. The PDC must be upgraded first, and it must be upgraded to Windows 2000.
2. Use mixed mode for Active Directory, so that the remaining NT BDCs keep working.
3. Upgrade BDCs and servers to Windows 2000.
4. Update client computers in the domain to Windows 2000, or install the Directory Service Client on them.
5. Follow the same procedure for each succeeding domain down through the domain tree.
6. Once all updates are complete, the multiple domains may be merged into one or reconfigured using Windows 2000 tools.

When the NT domain controller is upgraded to Windows 2000, the following changes are made:

The PDC computer account is placed in the Domain Controllers AD container object.
Computer accounts are placed in the Computers AD container object.
User accounts, global groups, local groups, and created groups are placed in the Users AD container object.
Default groups are put in the Builtin AD container object.

45) How do you enable auditing on files & folders?

ANS: Through Group Policy, in two steps. First, turn on the audit policy: in the GPO that applies to the file server, Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit object access (Success and/or Failure). This only tells the system to generate events; nothing is logged until an object says what to audit. Second, put audit entries (the object's SACL) on the specific files or folders: Properties > Security > Advanced > Auditing, add the users or groups and the accesses to record. The resulting events appear in the Security event log.
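The same two steps from the command line, as an added example that is not part of the original page. It assumes an elevated PowerShell session on the file server and a hypothetical folder D:\Shares\Finance; the audit-policy step is shown with auditpol for a standalone test, whereas in a domain that setting normally arrives through Group Policy.

```powershell
# Added example for question 45; it is not code from the original page.
# Step 1: make sure the "File System" object-access audit category is on.
# Step 2: put an audit entry (SACL) on the folder. Run elevated on the file
# server; D:\Shares\Finance is a hypothetical path.

# 1. Audit policy. In a domain this comes from Group Policy (Advanced Audit
#    Policy Configuration > Object Access > Audit File System); auditpol shows,
#    and for a standalone test sets, what is effective on this host.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. SACL entry: which accesses by whom generate an event. It grants nothing;
#    granting is the DACL's job.
$folder = 'D:\Shares\Finance'
$acl    = Get-Acl -Path $folder -Audit   # -Audit reads the SACL too (needs SeSecurityPrivilege)

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',                                   # identity whose access is audited
    'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',            # inherit to subfolders and files
    'None',                                       # no propagation restriction
    'Success, Failure'                            # record both outcomes
)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Verify the SACL now on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 4. Read the resulting events from the Security log. Event 4663 = "an attempt
#    was made to access an object". In the 4663 event template, Properties[1]
#    is SubjectUserName, [6] is ObjectName and [8] is the access list.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    Where-Object { $_.Properties[6].Value -like "$folder*" } |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { $_.Properties[1].Value } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } },
        @{ n = 'Access';  e = { $_.Properties[8].Value } }
```

Audit only the accesses you will actually review (writes, deletes and permission changes above, not reads): auditing reads by Everyone on a busy share floods the Security log and the important events get overwritten.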

46) What is software distribution?

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/instmain.mspx

Software Installation and Maintenance for the Windows Server 2003 operating system allows administrators to manage software for their organizations, including applications, service packs, and operating system upgrades. It is implemented through Group Policy: Windows Installer (.msi) packages are assigned or published to computers or users from the Software Installation node of a GPO and installed from a network share.

47) What is a trusting domain & what is a trusted domain?

Trusting domain - The domain that allows access to users from another domain. It holds the resources.
Trusted domain - The domain that is trusted, whose users have access to the trusting domain. It holds the accounts.

The direction of trust is the opposite of the direction of access: the trusting (resource) domain trusts the trusted (account) domain, and the trusted domain's users can reach the trusting domain's resources. A trust does not by itself grant anything; the trusting domain's administrators still have to assign permissions to the trusted domain's users or groups.

New Features in Windows Server 2003

Microsoft has done quite a bit of tuning on Active Directory in Windows Server 2003 to improve scalability and speed and to correct a couple of key deficiencies. Some of these updates might not make much sense until you read further, but here is a synopsis to use for reference. The first three features require having Windows Server 2003 on every domain controller (the Windows Server 2003 forest functional level):

Site scalability. The calculations for determining replication topology between sites have been streamlined. This corrects a problem where large organizations with hundreds of sites might experience replication failure because the topology calculations cannot be completed in the time allotted to them.

Backlink attribute replication. Group members are now replicated as discrete entities (linked-value replication) instead of replicating the entire group membership list as a single unit. This corrects a problem where membership changes made to the same group on different domain controllers in the same replication interval overwrite each other.

Federations. A new trust type called Forest was added to simplify transitive trust relationships between root domains in different forests. Using Forest trusts, it is possible to build a federation of independent Active Directory forests. This feature does not implement true "prune and graft" in Active Directory, but it goes a long way toward simplifying operations within affiliated organizations.

Simplified domain logon. Universal group membership can be cached at non-global catalog servers. This permits users to log on even if connectivity to a global catalog server is lost. This enhancement is coupled with a feature in XP where the domain\name result of cracking a User Principal Name (UPN) is cached locally. This permits a user at an XP desktop to log on with the format user@company.com even if a global catalog server is not available.

Application naming contexts. Windows Server 2003 introduces the capability to create new naming contexts (application partitions) to hold DNS record objects for Active Directory Integrated zones. One naming context holds domain zone records and one holds the _msdcs records used throughout a forest. These naming contexts make it possible to target replication of DNS zones only to domain controllers that are running DNS.

Eliminate piling onto new domain controllers. There is potential for a problem when an NT4 primary domain controller (PDC) is upgraded to Windows Server 2003. In this circumstance, all existing Windows 2000 and XP desktops will use the newly promoted PDC as a logon server. In Windows Server 2003, domain controllers can be configured to respond to modern Windows clients as if they were still classic NT domain controllers until sufficient domain controllers are available to handle local authentication. This feature is also available in Windows 2000 SP2 and later.

DNS diagnostics. Proper DNS configuration is critical for proper Active Directory operation. The Domain Controller promotion utility now performs a suite of DNS diagnostics to ensure that a suitable DNS server is available to register the service locator resource records associated with a Windows domain controller.

Fewer global catalog rebuilds. Adding or removing an attribute from the Global Catalog no longer requires a complete synchronization cycle. This minimizes the replication traffic caused by adding an attribute to the GC.

Management console enhancements. The Active Directory Users and Computers console now permits drag-and-drop move operations and modifying properties on multiple objects at the same time. There is also the capability of creating and storing custom LDAP queries to simplify managing large numbers of objects. The new MMC 2.0 console includes scripting support that can eliminate the need to use the console entirely.

Real-time LDAP. Support was added for RFC 2589, "LDAPv3: Extensions for Dynamic Directory Services." This permits putting time-sensitive information in Active Directory, such as a user's current location. Dynamic entries automatically time out and are deleted if they are not refreshed.

Enhanced LDAP security. Support was added for digest authentication as described in RFC 2829, "Authentication Methods for LDAP." This makes it easier to integrate Active Directory into non-Windows environments. Support was also added for RFC 2830, "LDAPv3: Extension for Transport Layer Security." This permits using the StartTLS operation to protect LDAP (Lightweight Directory Access Protocol) queries to a domain controller with TLS on the standard port.

Schema enhancements. The ability was added to associate an auxiliary schema class to individual objects rather than to an entire class of objects. This association can be dynamic, making it possible to temporarily assign new attributes to a specific object or objects. Attributes and object classes can also be declared defunct to simplify recovering from programming errors.

LDAP query enhancements. The LDAP search mechanism was expanded to permit searching for individual entries in a multivalued Distinguished Name (DN) attribute. This is called an Attribute Scoped Query, or ASQ. For example, an ASQ could be used to quickly list every group to which a specific user belongs. Support was also added for Virtual List Views, a new LDAP control that permits large data sets to be viewed in order instead of paging through a random set of information. This change permits Windows Server 2003 to show alphabetically sorted lists of users and groups in pick lists.

Interoperability. Support was added for RFC 2798, "Definition of the inetOrgPerson LDAP Object Class." This enhances interoperability with Netscape and NetWare directory services, both of which use the inetOrgPerson object class to create User objects.

Speedier domain controller promotions. The capability was added for using a backup of the Active Directory database (on tape or other media) to populate the database on a new domain controller, known as install from media. This greatly simplifies domain controller deployments in situations where it is not practical to ship an entire server.

Scalability. The maximum number of objects that can be stored in Active Directory was increased to over one billion.

Domain Structure and Relationships

Terms:
Domain tree - A hierarchical group of one or more domains with one root domain. Only one domain is required to make a tree.
Parent domain - One domain above another in a domain tree.
Child domain - One domain below another in a domain tree. The child inherits the domain name of its parent in the DNS hierarchical naming convention. Example: "child.parent.root.com".
Forest root domain - The first domain created in a forest.
Tree root - The first domain created in a tree.

Trusts and Trust Relationships

A trust relationship describes the user access between two domains; a trust is either one way or two way.

Terms:
One way trust - When one domain allows access to users from another domain, but the other domain does not allow access to users from the first domain.
Two way trust - When two domains each allow access to users from the other domain.
Trusting domain - The domain that allows access to users from another domain.
Trusted domain - The domain that is trusted, whose users have access to the trusting domain.
Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree or forest.
Intransitive trust - A one way trust that does not extend beyond the two domains.
Explicit trust - A trust that an administrator creates by hand, as opposed to the trusts created automatically when a domain is added to a tree or forest. An explicit trust to a domain outside the forest (an external trust) is not transitive and is one way only; two of them are needed for two-way access.
Cross-link trust - An explicit trust between domains in different trees, or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains. Within a forest this is a shortcut trust that shortens the authentication path between the two domains.

Windows 2000 only supports the following types of trusts:

Two way transitive trusts
One way non-transitive trusts

This means the two way non-transitive trust supported by Windows NT is no longer supported. The way to deal with this is to create two one way trusts in Windows 2000.

Controllers

The program "dcpromo.exe" is used to make a Windows 2000 member server a domain controller, or to demote it from domain controller status back to a member server. It can be used to add a domain controller to an existing domain or to create a domain controller for a new domain.

Terms:
Forest root controller - The first domain controller created when Active Directory is first installed on any computer, if there are no previously installed controllers available on the network.

Active Directory Trusts

Windows NT 4.0 does not support transitive trusts. All Windows 2000 Active Directory trusts are transitive by default, with trusts existing between parents and children. No direct trust exists between sibling child domains, even if they have the same parent; their trust path runs through the parent, because transitive trusts extend up and down through parents to children to grandchildren and so on. Administrators may create explicit trusts between any two domains. It is good policy for the administrator to set up a root domain with the administrator account. This will allow all child domains to be controlled from that domain.

Domain Controller Data Replication

Replicated data between domain controllers contains:
Schema - The definitions of all object classes and attributes, replicated to every domain controller in the forest.
Configuration data - Forest, tree, site and domain information, replicated to every domain controller in the forest.
Domain data - Information about all domain objects, sent to the domain controllers in that domain.

Domain Controllers

Windows NT uses a Primary Domain Controller (PDC) and Backup Domain Controllers (BDCs) to control the operations of its domains. The BDC or BDCs back up the operations of the PDC in the event that it fails; the PDC holds the only writable copy of the account database, and changes are replicated from it to the BDCs. Windows 2000 has changed this method of controlling the domain: every domain controller holds a writable copy of Active Directory (multi-master replication). Windows 2000 may be operated in one of two modes:

Native mode - In this mode Active Directory interfaces only with Windows 2000 domain controllers and directory service client software. Windows 2000 is more efficient in native mode. In this case, the PDC emulator will get password changes faster.
Mixed mode - Used to support domains where there are still Windows NT domain controllers. Mixed mode applies when Active Directory must interoperate with NT 4.0 BDCs or with clients without the Windows 2000 Directory Service client software.

In mixed mode, computers without Windows 2000 client software must contact the PDC emulator to change user account information. A domain cannot be changed back from native mode to mixed mode. An NT domain controller cannot be added to a Windows 2000 domain running in native mode.

Group scopes:

1. local group
2. domain local group
3. domain global group
4. domain universal group

/emember that OlocalO, O3lobalO, O!ni0ersalO refers to where these 3ro!"s may be assi3ned "ermissions and are not related to the 3ro!" membershi" itself$ &!t letGs define each of them nowK 1$ :ocal 3ro!"K The members of this 3ro!" ty"e can be assi3ned "ermissions only localy on the com"!ter where the 3ro!" e-ist$ Dt cannot be !sed to assi3n "ermissions on the domain and this 3ro!" is not 2nown by other com"!ters$ Cowe0er, it can contain local sec!rity acco!nts 7created on the same com"!ter - in the local sec!rity database SA') or other domains members acco!nts 7when the machine5com"!ter is "art of a domain) from any domain$ ,-am"leK when yo! Hoin the com"!ter to a domain, the domain administrator acco!nt is a!tomaticaly added to the local Administrators 3ro!"$ ThatGs why a domain administrator can handle administrati0e tas2s on any domain client com"!ter$ &!t yo! cannot !se this local OAdministratorsO 3ro!" to assi3n "ermissions on any other com"!ter5reso!rce on the domain$ Lo! will !se this 3ro!" only locally on the com"!ter it e-ists$ OAdministratorsO membershi" co!ld be domain1P!ser1, domain2P!ser2, local!ser3, etc$ 2$ Domain :ocal 3ro!"K can ha0e as their members, acco!nts, 3lobal 3ro!"s, and !ni0ersal 3ro!"s F/(' ANL D('ADN, as well as domain local 3ro!"s from the same domain$ This 3ro!"s can belon3 to another domain local 3ro!"s and assi3ned "ermissions only in the same domain$ 9an be con0erted to !ni0ersal sco"e, as lon3 as it does not ha0e as its member another 3ro!" ha0in3 domain local sco"e$ ,-am"leK S!""ose yo! were the networ2 administrator for a three domains networ2$ Now yo! ha0e to 3i0e "ermissions to some !sers from domain2 and domain3 to reso!rces located in domain1$ What yo! doB Well $$$ Lo! can create a domain local 3ro!" in the domain1 and then assi3n the res"ecti0e !sers from domain2 and domain3 to the 3ro!" yo! ha0e H!st created in domain1$ Then !se this 3ro!" to assi3n "ermissions to reso!rces inside domain1 only$ Lo! 
will not be able to assi3n "ermissions for this 3ro!" in other domains reso!rcesII Cowe0er, yo! did add !sers from other domains$ 3$ Domain %lobal 3ro!"K can ha0e as their members acco!nts and 3lobal 3ro!"s F/(' TC, SA', D('ADN$ 9an be con0erted to !ni0ersal sco"e, as lon3 as it is not a member of any other 3ro!" ha0in3 3lobal sco"e$ ,-am"leK Lo! create a O3ro!"1O in the Odomain1O domain$ Then yo! add acco!nts, other 3lobal 3ro!"s from the same domain to it$ Lo! can !se this 3ro!" to assi3n "ermissions to reso!rces located on other domains or for other domain

administrators to assign permissions to your domain users in their own domain's resources.

4. Domain Universal group: can have as its members accounts FROM ANY DOMAIN, global groups from any domain and universal groups FROM ANY DOMAIN. This group cannot be converted to any other group scope.

Example/Some more detail: This is the least restrictive group. For some administrators it might be a better solution for easy administration. However, the use of Universal Groups has a big impact on Active Directory performance because the universal group membership is stored in the global catalog. There might also occur problems with the login. When a user logs in, if the user belongs to a Universal group, a global catalog must be found, otherwise the user would not be able to log in. If the user doesn't belong to a universal group, cached credentials are used if a global catalog cannot be found. In that case, if the user had never logged in before, cached credentials don't exist, therefore the user will not be able to log in either.

The following conversions can be made between group types:
• Global to universal :: this is only allowed if the group is not a member of another group having global scope.
• Domain local to universal :: However, the group being converted cannot have as its member another group having domain local scope.

Note1: If you have multiple forests, users defined in only one forest cannot be placed into groups defined in another forest, and groups defined in only one forest cannot be assigned permissions in another forest.
Note2: Group nesting is available only when in Native mode. In mixed mode, universal groups cannot be used. There are also some differences about the way the PDC emulator works. But you will learn about it ... It's related with AD authentication and with the master operation roles.

Now, why add a global group to a domain local group? This is because it's a best practice to always assign permissions to groups and not to users individually. I will try to give you a practical approach. Let's assume again that you are a network administrator for a company with 50 users. If you were to assign permissions for a network resource it's better (from the administrator's point of view) to define permissions only once (for a group) than to assign permissions every time a user has to be given access. So, that's the reason why even having a single user, you put it inside a group and then assign permissions to the group itself. In the future when you need to assign permissions to other users, you just add them to the group and usually, they will have to log off and log in again. Don't you agree? :)

Now the A G DL P concept goes all around this. It's just a bit more generic and does make a lot of sense when in an environment with multiple domains!! So you put the ACCOUNT inside a GLOBAL GROUP. Then the GLOBAL GROUP you put inside the DOMAIN LOCAL GROUP and finally, you assign PERMISSIONS.

One practical example: There are 2 domains (dom1 and dom2). You are administering dom1. The dom2 administrator tells you that some of his users need access to some resources located in your domain (in dom1). You say to the dom2 administrator to create a global group in domain dom2 and put the users inside it. Then you take that global group, put it inside a domain local group and assign permissions for this domain local group to the specified resources in your domain. Now, every time the dom2 administrator wants to add/remove a user he just needs to add/remove the user(s) from the global group in his domain (because he doesn't have permission on the dom1 domain). If you were assigning users to a domain local group, every time the dom2 administrator wanted to add a user, he would have to contact you and only you would be the person allowed to make the change because only you have permissions in your domain (it might be the case).

Some advantages:
1. You, as dom1 domain administrator, assign permissions only once.
2. You will not have to worry in the future if the dom2 domain administrator wants to add/remove users from the list of users which might have access to the specified resources.
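The dom1/dom2 walk-through above, and the scope-conversion rules listed before it, scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the original page; the domain names (dom1.example, dom2.example), DC names, OU paths, group names, sample accounts and the share path are assumptions chosen for illustration.

```powershell
# Added example, not from the original page: the dom1/dom2 AGDLP walk-through
# scripted with the ActiveDirectory module, plus the pre-checks the text lists
# for converting a group to universal scope. Domain names, OU paths, group
# names, DC names, sample accounts and the share path are all assumptions.
Import-Module ActiveDirectory

$dom1Dc = 'dc1.dom1.example'   # assumed DC in the domain you administer
$dom2Dc = 'dc1.dom2.example'   # assumed DC in the partner domain

# A -> G: the dom2 administrator puts ACCOUNTS into a GLOBAL group in his own
# domain. He needs no rights in dom1 for this step, which is the point of AGDLP.
New-ADGroup -Name 'G-ProjectX-Users' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=dom2,DC=example' -Server $dom2Dc
Add-ADGroupMember -Identity 'G-ProjectX-Users' -Members 'alice', 'bob' -Server $dom2Dc

# G -> DL: you create a DOMAIN LOCAL group in dom1 named after the resource and
# the access level it grants, then nest the foreign global group inside it.
New-ADGroup -Name 'DL-ProjectX-Share-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=dom1,DC=example' -Server $dom1Dc
$foreignGlobal = Get-ADGroup -Identity 'G-ProjectX-Users' -Server $dom2Dc
Add-ADGroupMember -Identity 'DL-ProjectX-Share-Modify' -Members $foreignGlobal -Server $dom1Dc

# DL -> P: permissions are granted once, to the domain local group, never to users.
$sharePath = 'D:\Shares\ProjectX'     # assumed folder behind the share
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'DOM1\DL-ProjectX-Share-Modify', 'Modify',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Scope-conversion pre-check from the text: a global group may become universal
# only if it is not a member of another global group; a domain local group may
# become universal only if it has no domain local group among its members.
function Test-UniversalConversion {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Server
    )
    $g = Get-ADGroup -Identity $Identity -Server $Server
    $blocking = @()
    switch ($g.GroupScope) {
        'Universal' { return $true }     # already universal, nothing to convert
        'Global' {
            $parents  = Get-ADPrincipalGroupMembership -Identity $g -Server $Server
            $blocking = @($parents | Where-Object { $_.GroupScope -eq 'Global' })
        }
        'DomainLocal' {
            $memberGroups = Get-ADGroupMember -Identity $g -Server $Server |
                            Where-Object { $_.objectClass -eq 'group' } |
                            ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName -Server $Server }
            $blocking = @($memberGroups | Where-Object { $_.GroupScope -eq 'DomainLocal' })
        }
    }
    if ($blocking.Count -gt 0) {
        Write-Warning ("{0} cannot become universal; blocked by: {1}" -f $g.Name, ($blocking.Name -join ', '))
        return $false
    }
    return $true
}

# Convert only when the pre-check passes; Set-ADGroup -GroupScope performs the change.
if (Test-UniversalConversion -Identity 'G-ProjectX-Users' -Server $dom2Dc) {
    Set-ADGroup -Identity 'G-ProjectX-Users' -GroupScope Universal -Server $dom2Dc
}
```

The pre-check function mirrors the two conversion rules in the text: it runs the membership query for the scope the group currently has and refuses the conversion if any blocking group is found, rather than letting Set-ADGroup fail half-way through a scripted change.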

Active Directory Users and Computers - Active Directory Users and Computers is a Microsoft Management Console snap-in. It is started by selecting "Start", "Programs", "Administrative Tools", and "Active Directory Users and Computers". Only members of the Domain Admins or Enterprise Admins group can use this tool. This tool is used to create, configure, locate, move, and delete objects including:
o User (automatically published) - Domain user accounts may be copied.
o Group (automatically published)
o Computer (Those in the domain are automatically published)
o Contact (automatically published)
o Domain
o Organizational Unit (automatically published)
o Shared folder
o Printer (Most are automatically published) - Windows NT shared printers are not published automatically.

Tabs from the OU Properties dialog box: Group policy - Group policy object selections: Windows Settings, Security Settings, Public key policies, Automatic certificate request; menu items: Action, New, Automatic Certificate Request.

Active Directory Domains and Trusts
Active Directory Sites and Services

DCPROMO - Domain controller management tool which is run from the command line.
LDIFDE - bulk schema modification tool.
CSVDE - bulk schema update tool. Parameters:
o -? - Help
o -i - Mode for command. Choices are import, export, or modify.
o -f - File name
o -v - Verbose mode
o -p - Specify the port for the socket. The LDAP default is 389.

Active Directory Connector (ADC) - It simplifies administration among multiple directory services. The ADC can aid Windows 2000 implementations where Exchange Server is deployed. It can replicate Active Directory information, and Exchange Server 5.5 information as well. It comes with Windows 2000 and Exchange 2000. It:
o Uses LDAP to perform replication.
o Only replicates changes.
o Hosts all active Active Directory replication components.
o Supports multiple connections on one server.
o Maps objects for replication.
Requirements:
o Windows 2000 Server
o Available TCP Port
o Microsoft Exchange Server 5.5 or 2000.
o LDAP version 3
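An added example (not from the original page) of how LDIFDE is actually used for bulk group work: export the groups of one OU, create a group from an LDF change record, and decode the groupType bitmask of the exported entries. The server name, OU and group name are assumptions. Note that ldifde.exe takes the port with -t (default 389) and uses -p for the search scope (Base, OneLevel, Subtree), so the command lines below use those switches.

```powershell
# Added example, not from the original page: driving ldifde.exe from PowerShell.
# Server, OU and group names are assumptions chosen for illustration.
$server = 'dc1.dom1.example'                       # assumed domain controller
$baseDn = 'OU=Groups,DC=dom1,DC=example'           # assumed OU holding the groups

# 1. Export: only group objects under the OU, and only the attributes we need.
#    -t is the LDAP port, -p the search scope, -r the LDAP filter, -l the attribute list.
ldifde -f groups.ldf -s $server -t 389 -d $baseDn -p Subtree `
       -r '(objectClass=group)' -l 'cn,groupType,member'

# 2. Import: create a global security group from an LDF change record.
#    groupType is a bitmask: 0x2 global, 0x4 domain local, 0x8 universal,
#    0x80000000 security-enabled; -2147483646 is 0x80000002 = global security group.
@'
dn: CN=G-ProjectX-Users,OU=Groups,DC=dom1,DC=example
changetype: add
objectClass: group
sAMAccountName: G-ProjectX-Users
groupType: -2147483646
'@ | Set-Content -Path new-group.ldf -Encoding ASCII
ldifde -i -k -f new-group.ldf -s $server -v      # -i import, -k skip "already exists" errors

# 3. Decode the export: map each entry's groupType to a scope/category label.
function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][long]$GroupType)
    # groupType is stored as a signed 32-bit value; view it as unsigned flags.
    $flags = [uint32]($GroupType -band 0xFFFFFFFFL)
    $scope = switch ($true) {
        { $flags -band 0x2 } { 'Global';      break }
        { $flags -band 0x4 } { 'DomainLocal'; break }
        { $flags -band 0x8 } { 'Universal';   break }
        default              { 'Unknown' }
    }
    $category = if ($flags -band 0x80000000L) { 'Security' } else { 'Distribution' }
    [pscustomobject]@{ Scope = $scope; Category = $category }
}

function Read-LdfGroups {
    param([Parameter(Mandatory)][string]$Path)
    # LDIF records are separated by blank lines; a line starting with a space
    # continues the previous attribute (ldifde wraps long member DNs this way).
    $text = (Get-Content -Path $Path -Raw) -replace "`r?`n ", ''
    foreach ($record in ($text -split "(?:`r?`n){2,}")) {
        $attrs = @{}
        foreach ($line in ($record -split "`r?`n")) {
            # "attr:: value" means the value is base64-encoded.
            if ($line -match '^([A-Za-z][\w-]*)(::?)\s*(.*)$') {
                $value = if ($Matches[2] -eq '::') {
                    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Matches[3]))
                } else { $Matches[3] }
                $attrs[$Matches[1]] = $value
            }
        }
        if (-not $attrs.ContainsKey('groupType')) { continue }
        $kind = ConvertFrom-GroupType -GroupType ([long]$attrs['groupType'])
        [pscustomobject]@{ Name = $attrs['cn']; Scope = $kind.Scope; Category = $kind.Category }
    }
}

Read-LdfGroups -Path groups.ldf | Format-Table -AutoSize
```

The export step is also a cheap way to audit group scope across an OU: because the scope lives in the groupType bits, reading the LDF back with ConvertFrom-GroupType lists every universal group whose membership is being replicated to the global catalog, which the text above flags as a performance concern.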

Connection agreements configure directory synchronization between Exchange and Active Directory; one or more are supported with ADC. Items used to configure a connection agreement:
o Server name
o Target containers
o Objects to be synchronized
o Synchronization schedule

ADC Installation:
1. ADC requires a service user account and password.
2. Put the Windows 2000 Server installation CDROM in the computer.
3. Enter the directory \Valueadd\MSFT\Mgmt\ADC.
4. Double click on setup.exe.
5. Select the "Microsoft Active Directory Connector Service component" to install ADC and the "Microsoft Active Directory Connector Management component" to install the ability to manage the service. The Management component can be installed on Windows 2000 Professional computers to allow ADC management from them.
6. Choose a directory to install the components to.
7. Enter the account name and password for the service to use.
8. Continue and finish the installation.

ADC Configuration:
9. Run the Administrative tool, "Active Directory Connector (ADC) Management".
10. Right click the server to configure and select "properties" to see the properties dialog box. This is used to configure connection agreements between Active Directory and the Exchange 5.5 directory service. The following tabs exist in the box:
General - Select replication direction as "Two way", "From Exchange to Windows", or "From Windows to Exchange". Set the connection name, and the server to run the connection agreement. For slow network connections, the agreement can use Exchange Server's Site Replication Service (SRS).
Connections - Configure the bridgehead servers to handle the connection. The servers receiving updates only require write permission. Select the Windows server name, the Windows authentication protocol, the Exchange server, the Exchange server port, and the Exchange server authentication protocol.
Schedule - Set the synchronization schedule. The registry setting at "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSADC\Parameters" can be used to reduce the default polling schedule. The parameters that are configurable are: Name - The delay in seconds to wait between checking for updates. The default value is every 5 seconds. Type - DWORD. Data - Seconds to wait between cycles.
From Exchange - Specify the objects to replicate and the Exchange recipient containers.
From Windows - Specify objects to be synchronized and the containers that will receive objects. The option "Replicate secured Active Directory objects to the Exchange Directory" can be checked and the objects can be filtered using Discretionary Access Control Lists (DACLs).
Deletion - Use this tab to configure object deletion behavior. When objects are deleted, the deletions are stored in SystemRoot\System32\MSADC\Connection_Agreement_Name\NT5.LDF for Active Directory and SystemRoot\System32\MSADC\Connection_Agreement_Name\Ex55.CSV for Exchange.
Advanced - "Paged results" configures the quantity of entries to be synchronized for each request. The settings are "Windows Server entries per page" and "Exchange Server entries per page". Checkbox options include "This is a primary Connection Agreement for the connected Exchange organization", and "This is a primary Connection Agreement for the connected Windows Domain". Choices for "When replicating a Mailbox whose Primary Windows Account does not exist in the domain" are:
o Create a Windows Contact
o Create a Disabled Windows User Account
o Create a New Windows User Account

ADC Event logging levels:
o None - Only log critical events
o Minimum - Log LDAP session errors, success or failure of added or removed user accounts.
o Medium - Log directory object events and proxy errors.
o Maximum

The Administrative tool "Active Directory Connector Management" is used to set up event logging. ADC Event Logging categories:
o Replication
o Account Management - Events while writing to or deleting objects.
o Attribute Mapping - Events while attributes are mapped between AD and Exchange.
o Service Controller - Events when the ADC service is stopped or started.
o LDAP Operations - Events when LDAP accesses the directory.
