
AD Video Notes:

X.500 is the first directory standard, designed in 1984. It introduced the distinguished name (DN) and the
relative distinguished name (RDN).

Q. What is LDAP?

 In 1993 the University of Michigan developed LDAP (Lightweight Directory Access Protocol).
 LDAP is based on X.500 but is significantly simpler.
 It is a client/server directory protocol: the client makes a request to the server, and the server
provides the information on the location of the requested object.
 Unlike X.500, LDAP is an application protocol for querying and modifying directory services over
TCP/IP.

Q. What is Novell?
Novell Directory Services (now called eDirectory) was introduced in 1992 and can run on Linux, Unix, and
Windows NT/2000/2003.

Q. What is the difference between AD and other directory services?

 The difference between AD and other directory services is that AD registers its items using DNS.
It relies on DNS for locating and naming objects.
 The first implementation of AD came with Windows 2000.
Q. What is Active Directory?
 Active Directory consists of a series of components that constitute both its logical structure and
its physical structure.
 It provides a way for organizations to centrally manage and store their user objects, computer
objects and group memberships, and it defines security boundaries in a logical database structure.
 It provides a consistent way to name, describe, locate, access, manage, and secure information
about these resources.
Functions of AD:
 Centralizes control of network resources.
 Centralizes and decentralizes resource management.
 Stores objects securely in a logical structure.
 Optimizes network traffic.

Q. How does an AD client locate domain controllers?

 The AD client sends a DNS request to its configured DNS server looking for a domain controller.
 AD domain controllers have a record in DNS known as a service record (SRV).
 DNS looks up the SRV record and returns the IP address of the nearest domain controller.
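The SRV lookup described above, as an added example that is not part of the original notes: it builds the SRV names an AD client asks DNS for (the site-specific name first, then the domain-wide one) and picks a DC from a constructed answer set using the RFC 2782 priority/weight rules. The zone contents, the domain name corp.example and the site name Branch are constructed sample data.

```python
"""Site-aware domain controller selection from DNS SRV records.

Added example, not part of the original notes. The zone below stands in
for the DNS server; in real use the client sends the same names to DNS.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names a client queries, most specific first.

    The site-specific record is tried before the domain-wide one; that is
    how the client ends up at the nearest DC rather than at any DC.
    """
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def select_srv(records: List[SrvRecord],
               rng: Optional[random.Random] = None) -> SrvRecord:
    """Choose one record per RFC 2782: lowest priority, then by weight."""
    if not records:
        raise LookupError("no SRV records in answer")
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(1, total)
    running = 0
    for rec in candidates:
        running += rec.weight
        if running >= pick:
            return rec
    return candidates[-1]  # not reachable; keeps the return type total


def locate_dc(zone: Dict[str, List[SrvRecord]], domain: str,
              site: Optional[str] = None,
              rng: Optional[random.Random] = None) -> SrvRecord:
    """Walk the SRV names in order and return the chosen DC."""
    for name in dc_srv_names(domain, site):
        answer = zone.get(name, [])
        if answer:
            return select_srv(answer, rng)
    raise LookupError(f"no domain controller SRV record found for {domain}")


# Constructed zone: two DCs in the domain, only dc2 registered in site Branch.
SAMPLE_ZONE = {
    "_ldap._tcp.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "dc1.corp.example"),
        SrvRecord(0, 100, 389, "dc2.corp.example"),
    ],
    "_ldap._tcp.Branch._sites.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "dc2.corp.example"),
    ],
}

if __name__ == "__main__":
    dc = locate_dc(SAMPLE_ZONE, "corp.example", site="Branch")
    print(f"client in site Branch uses {dc.target}:{dc.port}")
```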
Q.What are the two types of views in Active directory?
Two types of views are logical and physical.

Q. Explain domains.
 A domain is the container object for the AD components.
 In an AD installation the first thing that gets installed is a domain, and this domain is called the
tree root domain. It is the highest AD domain in the tree.
 A tree root domain can also be a forest root domain.
 Each domain should have one or more AD domain controllers.
 Domains can have child domains and grandchild domains.

Q. What is a domain controller?

 Domain controllers are the servers that run AD and are responsible for storing the actual domain
data.
 Domain data includes the data records of all the organizational units, users, computers, printers,
groups, etc.

Q. What is a tree?
 An AD tree is a group of domains based on the same namespace.
 The domains in a tree are connected with two-way transitive trusts.
 They share the same schema.
 They have common global catalogs.

Q. What is a forest?
 A forest is multiple trees linked together.
 Any number of trees can be linked to make up a forest.
 The forest root domain is the first domain created in the AD forest.

Q. What is a schema?
 The schema is the set of building blocks that make up all the attributes of any particular object
in a tree.
 The schema of a user would have a last name, a first name and a logon ID.

Q. What is a forest root domain?

 The forest root domain is the first domain created in the AD forest.
 There are two types of forest root domains: dedicated and regional forest root domains.
 A dedicated forest root domain is a server which maintains the master copy of the AD forest and is
dedicated only to AD; it also allows you to choose the replication traffic and increases scalability.
 A regional forest domain is set up to divide the domain into parts, each managed by other members
of that section of the database.
 You can add a new domain or designate an existing domain as the forest root domain.
 In Windows 2003 the forest root domain can be renamed.
 It helps to determine the number of domain trees.

Q. What is a trust relationship?

 A trust relationship is a link between two domains.
 The trusting domain honours logon authentications from the trusted domain.
 The trust protocol for Windows 2000 and Windows 2003 uses Kerberos version 5. Previous versions of
Windows use NT LAN Manager (NTLM).
 Trusts can be created manually or automatically.

Q. What is a container object?

 Container objects are designed to contain other objects, and are referred to as leaf objects.
 The domain object is a container object that can contain organizational unit (OU) container
objects, users, printers, etc.
 Domain objects are represented as triangles in the diagram.

Q. What are organizational unit objects?

 OU container objects are represented by a circle.
 OUs are created to delegate administration.
 OUs are also created based on location, business function or department.
 OUs can contain users, groups, computers, printers, etc.
 OUs can form a hierarchy of child and grandchild OUs, like domains.
 OUs should be designed for simplicity.
 OUs are not security principals, i.e. we cannot assign rights and permissions to them.
 We can assign GPOs (Group Policy objects) to OUs.
 Users do not use OUs for navigation.
 OUs most of the time represent departments, companies, etc.

Q. What is an AD site?
 An AD site is one or more well-connected, highly reliable and fast TCP/IP subnets.
 An AD site will contain servers and site links.
 Sites are used to configure AD access and replication topologies according to the network's
physical layer.
 Two sites can be in the same domain, and one site can contain more than one domain.

Q. What is a site link?

 A site link is a connector between two sites and allows replication to occur.
 A site link can be anything from 56 Kbps to a T1 line.
 A site link cost is a value assigned to a link that is used to regulate the traffic according to
the speed of the link. The higher the site link cost, the slower the link speed.
 Replication between sites can be scheduled according to what is known as the site link cost.

Q. What is a domain controller?

 Domain controllers are servers that hold writable copies of the AD database.
 A DC participates in directory replication, i.e. it copies information from one domain controller
and makes sure that the other DCs in the site or domain have access to that information.
 The domain controller is what controls access to network resources.
 Administrators use DCs to manage user and computer accounts and to share resources like printers
and scanners.
 Admins also use DCs to configure the site topology between the sites within a domain or the sites
within a network.

Q. What are the 4 types of partitions in the AD database?

 Domain partition
 Configuration partition
 Schema partition
 Application partition

Q. What is the domain partition?

 It has information about the objects that are created within the domain.
 Since the information is specific to the domain, it is not sent to any domain controller in another
domain, but it is replicated to the domain controllers within that domain.

Q. What is the configuration partition?

 The configuration partition contains information about the domains (how the domains are
configured) and how replication takes place.
 It is replicated to domain controllers within the domain.

Q. What is the schema partition?
 The schema partition is used as a template for all the objects in the directory; it also lays out
all the attributes that an object can have, e.g. for a user: first name, last name, telephone number.
 This information is the same in all domains in the forest, so the schema partition is replicated
to domain controllers throughout the forest.

Q. What is the application directory partition?

 The application directory partition stores dynamic, program-specific information, i.e. information
specific to certain applications.
 It is replicated to specific domain controllers.
 It can contain any type of object except security principals such as users.
 It is managed with the Ntdsutil executable.

Q. What does a domain controller hold?
Domain controllers hold a copy of the schema partition for the forest.

Q. What is a global catalog?

 The global catalog enables finding directory information regardless of which domain in the forest
actually contains the data.
 Global catalog servers are created automatically.
 The first domain controller in a new forest becomes the global catalog server for that domain.
 Global catalog servers store a full replica of the information for their own domain.
 They store partial information for the other domains in the forest (like logon names and first and
last names).

Q. What do global catalog servers hold?

 They hold the schema partition for the forest.
 They hold the configuration partition for the domain.
 They hold a partial replica of commonly used attributes for all the directory objects in the forest.
 The global catalog is important in the multiple-domain scenario but not in a single-domain system.
 There is a full replica of all the attributes of all the objects in the domain in which the global
catalog server is located. That information is replicated between global catalog servers only.

Q. How do users find objects in AD?

Users find objects in AD by querying the database.

Q. How do you perform a query in a multiple-domain environment?

 The user is looking for a printer.
 The user types the printer name.
 The client sends a DNS request looking for the location of the global catalog server.
 This way the computer communicates directly with the DNS server, asking for the service provided
by the global catalog server.
 DNS responds with the IP address of the global catalog server, and the client then sends a directed
message to port 3268 on the domain controller, i.e. the global catalog server.
 The global catalog server searches the database, and if it knows where the printer is, the
information is returned by direct communication back to the workstation.
 If it is unable to find the printer, the global catalog server refers the query to AD to handle the
request.

Q. What are saved queries?
 Active Directory Users and Computers provides a Saved Queries folder, where administrators can
create and save queries.
 Saved queries use predefined LDAP strings to search only specialized domain partitions.
 Searches can be narrowed down to a single computer object.
 You can also create customized saved queries that contain an LDAP search filter.
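The LDAP search filters that saved queries and the global catalog printer lookup above are built from, as an added example that is not part of the original notes: it escapes user-supplied values per RFC 4515 so that a typed name cannot change the shape of the filter, and builds the disabled-user and printer filters. The attribute names and the bitwise-AND matching rule OID are standard AD/LDAP values; the sample inputs are constructed.

```python
"""Building LDAP search filters for AD saved queries with safe escaping.

Added example, not part of the original notes. Only the literal parts of a
filter should carry wildcards; anything typed by a user is escaped first.
"""

# Matching rule OID for a bitwise AND on integer attributes
# (LDAP_MATCHING_RULE_BIT_AND); used to test userAccountControl flags.
BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2  # userAccountControl flag set on disabled accounts

# RFC 4515 escapes for the characters that have meaning inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr: str, value: str) -> str:
    """(attr=value) with the value escaped."""
    return f"({attr}={escape_filter_value(value)})"


def all_of(*terms: str) -> str:
    """AND-combine filter terms, skipping empty ones."""
    return "(&" + "".join(t for t in terms if t) + ")"


def any_of(*terms: str) -> str:
    """OR-combine filter terms, skipping empty ones."""
    return "(|" + "".join(t for t in terms if t) + ")"


def user_filter(extra: str = "") -> str:
    """objectCategory=person plus objectClass=user matches user objects only
    (computers are also objectClass=user but not objectCategory=person)."""
    return all_of("(objectCategory=person)", "(objectClass=user)", extra)


def disabled_users_filter() -> str:
    """Users whose userAccountControl has the ACCOUNTDISABLE bit set."""
    return user_filter(f"(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})")


def user_by_name_filter(sam_account_name: str) -> str:
    """Look up one account by sAMAccountName; the typed value is escaped."""
    return user_filter(equals("sAMAccountName", sam_account_name))


def printer_filter(name_prefix: str) -> str:
    """Printers published in AD are printQueue objects; match by name prefix.
    The trailing * is ours and stays a wildcard; the prefix is escaped."""
    prefix = escape_filter_value(name_prefix)
    return all_of("(objectClass=printQueue)", f"(printerName={prefix}*)")


if __name__ == "__main__":
    # A value that would add a clause if it were pasted in unescaped.
    print(user_by_name_filter("*)(objectClass=*"))
    print(disabled_users_filter())
    print(printer_filter("HR-"))
```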

Q. What are the 3 snap-ins for AD?

 Active Directory Domains and Trusts
 Active Directory Sites and Services
 Active Directory Users and Computers

Q. What are the physical and network requirements to install AD?

 TCP/IP running on the servers and clients.
 A DNS server with SRV record support.
 Windows 2000 or 2003 operating systems.

Q. Which is the default folder for the AD database on the AD server?

It is C:\windows\NTDS.

Q. Where is the server's copy of the domain public files saved?
It is saved in C:\windows\sysvol.

Q. How do you install AD on a domain controller?

You run a program called Dcpromo.

Q. How do you install AD on a server after installing the OS?

The Configure Your Server wizard pops up after the OS install.

Q. How do you promote an AD server to a domain controller?

Run Dcpromo to promote a member server to a domain controller and install AD. DNS and DHCP servers
can also be installed after that.

Q. What inputs will be asked for during the AD installation wizard?

 It will ask if this is the first domain controller in the AD tree or a new domain controller added
to an existing tree.
 It will ask for the type of domain: a new domain for a new forest, a child domain in an existing
tree, a new domain and tree in an existing tree, or a peer domain controller.
 A peer domain controller can be created in a different location to minimize traffic and increase
the bandwidth.
 It will ask for the domain name, the NetBIOS name and the location of the AD database and log
files.
 Domain configuration includes the sysvol folder, default permissions for users and groups, and the
Directory Services Restore Mode password.

Q.How many Domain controllers do you need for fault tolerance?


We need two domain controllers for fault tolerance.

Q. How do you prepare AD before installing a Windows Server 2003 server into an existing Windows
2000 AD?

If you are installing a Windows Server 2003 server into an existing Windows 2000 Active Directory
structure, you must first prepare Active Directory for the installation by taking the following steps:
 Apply Service Pack 2 or later on all domain controllers.
 Back up your data.
 On the schema master for the forest, disconnect the server from the network and run
Adprep /forestprep. Reconnect the server and wait at least 15 minutes (or as long as half a day or
more) for synchronization to occur.
 If Active Directory has multiple domains, or if the infrastructure master for the domain is on a
different server than the schema master, run Adprep /domainprep on the infrastructure master for the
domain.

Keep in mind the following facts about using Adprep:

 To run /forestprep, you must be a member of the Schema Admins or Enterprise Admins group.
 To run /domainprep, you must be a member of the Domain Admins or Enterprise Admins group.
 If you have a single domain, and the infrastructure master is on the same server as the schema
master, you do not need to run /domainprep (/forestprep performs all necessary functions to prepare
Active Directory).
 While running the Adprep command make sure that you have inserted the Windows 2003 CD, which
contains the Adprep.exe file.

Q. What are the different ways to install AD?

 Using the network or backup media: type dcpromo /adv: filepath.
 Using an answer file: create the answer file and type dcpromo /answer: filename, which performs the
installation.
 Using the Configure Your Server wizard.

Q. Under what circumstances can you rename domains?
 All domain controllers are running Windows Server 2003.
 The domain functional level is Windows 2003.
 The forest functional level is Windows 2003.

Q. What is the utility to rename a domain?

 Rendom.exe is used to rename a domain.
 It is also used to restructure domain locations and to modify domain information and the NetBIOS
name.
 It cannot be used in a forest where Microsoft Exchange is installed.
 The SID (security identifier) does not change even if the domain is renamed.
 You cannot use this utility to move the forest, but you can rename the forest.

Q. What is the utility to rename a domain controller?

We use Netdom.exe to rename domain controllers; the domain functional level must be Windows Server
2003.

Q. What is the command to uninstall AD?

 Dcpromo is the command.
 You need Enterprise Administrator rights to uninstall a domain controller in the tree root domain.
 You need to be in the Domain Admins group to uninstall the last domain controller in the forest.

Q. What are the tools to troubleshoot AD?

Directory Services log
  Use Event Viewer to examine the log. The log lists informational, warning, and error events.
Netdiag
  Run from the command line. Tests domain controller connectivity (in some cases, it can make
  repairs).
DCDiag
  Analyzes domain controller states and tests different functional levels of Active Directory.
Dcpromo log files
  Located in the %Systemroot%/Debug folder. Dcpromoui gives a detailed progress report of Active
  Directory installation and removal. Dcpromos is created when a Windows 3.x or NT 4 domain
  controller is promoted.
Ntdsutil
  A command-line tool that provides management facilities for AD. It can remove orphaned data or a
  domain controller object from Active Directory.

Dcpromoui.log includes information like:

 Source domain controller for replication.
 Replicated partitions.
 Number of replicated items.
 Services that are configured on the target domain controller, and ACEs, i.e. access control
entries, set on the registry, the files and the directories in sysvol.
 Error messages.
 Administrator choices entered during the installation and removal.
Q. What are the basic troubleshooting steps taken for AD?
You can also check the following settings to begin troubleshooting an Active Directory installation:
 Make sure the DNS name is properly registered.
 Check the spelling in the configuration settings.
 PING the computer to verify connectivity.
 Verify the domain name to which you are authenticating.
 Verify that the username and password are correct.
 Verify the DNS settings.

Q. What are the facts about backup and restore?
You should know the following facts about backup and restore:

 When you reboot after restoring, Active Directory replication replicates changes.
 Items restored non-authoritatively will be overwritten during replication.
 Use an authoritative restore to restore deleted objects. Objects will be replicated back to other
domain controllers on the network.
 Use a non-authoritative restore to get the DC back online. Items will replicate from other DCs
after the restored DC goes back online.
 Active Directory data is restored by restoring the System State data. You cannot selectively
restore Active Directory objects from the backup media.
 To restore objects that were added to deleted OUs, move the objects from the LostAndFound
container. No restore of objects is necessary.
 Make sure you perform backups more often than the tombstone lifetime setting in Active Directory.
For example, if the tombstone lifetime is set to 10 days, you should back up Active Directory at least
every 9 days. If your backup interval is larger than the tombstone lifetime, your Active Directory
backup can be viewed as expired by the system.

Q. How do we do an authoritative restore?

An authoritative restore restores all data from the backup. Changes made since the last backup are
discarded.
To perform an authoritative restore:
1. Perform a non-authoritative restore.
2. Run Ntdsutil.
Do not restart the server after performing the non-authoritative restore.

Note: Microsoft gives the following as the best-practice procedure for restoring Active Directory
from backup media:
 Reboot into Active Directory restore mode. Log in using the password you specified during setup
(not a domain account).
 Restore the System State data from backup to its original and to an alternate location.
 Run Ntdsutil to mark the entire Active Directory database (if you're restoring the entire database)
or specific Active Directory objects (if you're only restoring selected Active Directory objects) as
authoritative.
 Reboot normally.
 Restore Sysvol contents by copying the Sysvol directory from the alternate location to the original
location to overwrite the existing Sysvol directory (if you're restoring the entire database). Or,
copy the policy folders (identified by GUID) from the alternate location to the original location to
overwrite the existing policy folders.

You should know the following facts about Sysvol restoration:

 Sysvol is the shared system volume on all domain controllers.
 Sysvol stores scripts and Group Policy objects for the local domain and the network.
 The default location for Sysvol is %Systemroot%/Sysvol.
 To ensure that the proper settings are authoritatively restored, copy the Sysvol directory from an
alternate location over the existing Sysvol directory. Or, copy the Sysvol policy folders from the
alternate location over the original location. (This maintains the integrity of the Group Policy of
the computer.)

Q. What is a GUID?
 A GUID is a globally unique identifier.
 A GUID is a 128-bit number that is guaranteed to be unique across the network.
 It is assigned to objects when they are created, and the GUID never changes even if the object is
renamed or moved.

Q. What is a SID?
 A SID is a security identifier.
 A SID is a unique number that is assigned when an account is created.
 Every account on the network has a unique SID, and the SID is used to track the account rather than
the account's user or group name.
 An account SID is made up of the domain SID and a unique RID.
 Deleting and recreating or moving an account results in a new SID being assigned, so the rights
and permissions granted to the account will have to be recreated and reassigned.

Q. What is a RID?
 The relative identifier (RID) is the part of a security identifier (SID) that uniquely identifies
an account or group within a domain.
 It is unique among all SIDs in a domain.
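The SID structure described above (domain SID plus RID), as an added example that is not part of the original notes: it parses the string form, converts to and from the binary objectSid layout AD stores, and splits a domain account SID into its domain SID and RID. The well-known RIDs listed are standard Windows values; the SID values used as input are constructed.

```python
"""Parsing Active Directory SIDs and splitting off the RID.

Added example, not part of the original notes. Binary layout of objectSid:
revision (1 byte), subauthority count (1 byte), identifier authority
(6 bytes, big-endian), then each subauthority as a 32-bit little-endian int.
"""
import struct
from typing import List, Tuple

# Standard Windows well-known RIDs (not an exhaustive list).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_sid(text: str) -> Tuple[int, int, List[int]]:
    """Split 'S-R-A-S1-S2-...' into (revision, authority, subauthorities)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError(f"malformed SID: {text!r}")
    return revision, authority, subs


def sid_to_bytes(text: str) -> bytes:
    """Encode a SID string as AD's binary objectSid value."""
    revision, authority, subs = parse_sid(text)
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid value back to string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match subauthority count")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def split_domain_sid(text: str) -> Tuple[str, int]:
    """Return (domain SID, RID) for a domain account SID S-1-5-21-a-b-c-RID."""
    _, authority, subs = parse_sid(text)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain account SID: {text!r}")
    domain = "-".join(["S-1-5-21", *map(str, subs[1:4])])
    return domain, subs[4]


def describe_rid(rid: int) -> str:
    """Name a well-known RID, or say whether it came from the domain's RID pool.
    RIDs below 1000 are reserved for built-in accounts and groups."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "well-known (reserved)" if rid < 1000 else "domain-allocated"


if __name__ == "__main__":
    sample = "S-1-5-21-1111-2222-3333-512"  # constructed
    domain, rid = split_domain_sid(sample)
    print(domain, rid, describe_rid(rid))
    print(sid_to_bytes(sample).hex())
```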

Q. What is a group?
 A group is a set of users, computers or other groups put together to provide access to resources or
to serve as a distribution list.
 It can include any combination of object types.
 It is used to make administration simpler.

Q. What is a local group?

 Local groups are stored in the local security database on each computer.
 They can only be granted permissions on that particular computer.

Q. What are domain groups?

 Domain groups are stored in AD instead of on the local computer.
 Computers that are booted as domain controllers use domain groups only.
 Domain groups are of three types: domain local groups, domain global groups and universal groups.

Q. What are distribution groups and security groups?

Distribution groups are used primarily for email.
Security groups are used to control access to resources.

Q. What is a domain local group?

 Domain local groups are used to grant access to resources in the local domain.
 They have open membership, so they may contain user and computer accounts, universal groups, and
global groups from any domain in the forest.
 A domain local group can also contain other domain local groups from its own domain.
 Domain local groups can be used to grant permissions to resources in the domain in which the
domain local group resides.

Q. What are global groups?

 Global groups are used to group users from the local domain.
 Typically, you assign users who perform similar job functions to a global group.
 Global groups can contain users, groups and computers in a domain.
 Global groups can contain users and computers only from within the same domain.
 They get rights and permissions for any resource in any domain in the forest.
 Global groups can be used to grant permissions to resources in any domain in the forest.

Q. What are universal groups?

 Universal groups are used to grant access to resources in any domain in the forest.
 Universal groups can contain users, groups and computers from any domain in the forest.
 They have open membership, so you can include user and computer accounts, universal groups, and
global groups from any domain in the forest.
 Universal groups can be used to grant permissions to resources in any domain in the forest.
 Universal groups are available only at the Windows 2000 native or Windows 2003 domain functional
level.
 They should be used sparingly, as they increase network traffic: membership is checked across a
variety of domains, with the traffic going back and forth to the domain controller.

Q. What are built-in local groups?

 The built-in domain local groups are Administrators, Users and Guests.
 At the domain level there are global groups for Domain Admins, Domain Users and Enterprise Admins.

Q. What groups can a domain local group contain?

 It can contain the groups below:
 Universal groups.
 Global groups.
 Accounts within the forest.
 Other domain local groups in the domain.

Q. What is group nesting?

In a Windows 2000 or Windows 2003 interim domain, we can add domain global groups to local groups.
In a Windows 2003 or Windows 2000 native mode domain, we can add global groups to universal groups.

Q. Explain the group strategy facts.

To make permission assignments easier, assign permissions to a group, then add the accounts that need to
use the group's resources. You can add user accounts, computers, and other groups to groups. You should
remember the following when assigning members to groups:
 Adding a user account to a group gives that account all the permissions and rights granted to the
group (the user must log off and log back on before the change takes effect).
 The same user account can be included in multiple groups. (This multiple inclusion may lead to
permissions conflicts, so be aware of the permissions assigned to each group.)
 Nesting is the technique of making a group a member of another group. Using hierarchies of nested
groups may make administration simpler, as long as you remember what permissions you have assigned
at each level.
The following table shows the three basic recommended approaches to managing users, groups, and
permissions.

Strategy: ALP
Use: Used on workstations and member servers.
Description: A: Place user Accounts; L: into Local groups; P: assign Permissions to the local groups.
Application: Best used in a workgroup environment, not in a domain.

Strategy: AGDLP
Use: Used in mixed mode domains and in native mode domains (does not use universal groups, which are
also not available in mixed mode).
Description: A: Place user Accounts; G: into Global groups; DL: into Domain Local groups; P: assign
Permissions to domain local groups.
Application:
1. Identify the users in the domain who use the same resources and perform the same tasks. Group
these accounts together in global groups.
2. Create new domain local groups if necessary, or use the built-in groups to control access to
resources.
3. Combine all global groups that need access to the same resources into the domain local group that
controls those resources.
4. Assign permissions to the resources to the domain local group.

Strategy: AGUDLP
Use: Used in native mode domains, when there is more than one domain, and you need to grant access to
similar groups defined in multiple domains.
Description: A: Place user Accounts; G: into Global groups; U: into Universal groups; DL: into Domain
Local groups; P: assign Permissions to domain local groups.
Application: Universal groups should be used when you need to grant access to similar groups defined
in multiple domains. It is best to add global groups to universal groups, instead of placing user
accounts directly in universal groups.
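The group scope rules (what a global, domain local or universal group may contain, and that universal groups and nesting need native mode) together with the AGDLP and AGUDLP strategies above, as an added example that is not part of the original notes: it encodes the rules and classifies an access path from an account to the group that holds the permission, rejecting paths that break a rule. The domains "corp" and "emea" and all group names are constructed sample data.

```python
"""Checking group nesting rules and the AGDLP / AGUDLP strategies.

Added example, not part of the original notes. Scope rules follow the
notes: global groups take members only from their own domain, domain local
groups nest other domain local groups only from their own domain, universal
groups never contain domain local groups, and in mixed mode universal
security groups are unavailable and only global-in-domain-local nesting works.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Account:
    name: str
    domain: str


@dataclass(frozen=True)
class Group:
    name: str
    domain: str
    scope: str  # "global", "domain_local" or "universal"


Member = Union[Account, Group]


def can_be_member(member: Member, group: Group,
                  native_mode: bool = True) -> Tuple[bool, str]:
    """Apply the membership rules for the target group's scope."""
    same_domain = member.domain == group.domain
    nested = isinstance(member, Group)
    if group.scope == "universal" and not native_mode:
        return False, "universal security groups need 2000 native or 2003 level"
    if (not native_mode and nested
            and not (member.scope == "global" and group.scope == "domain_local")):
        return False, "in mixed mode only global groups nest, and only in domain local groups"
    if group.scope == "global":
        if not same_domain:
            return False, "global groups take members only from their own domain"
        if nested and member.scope != "global":
            return False, "global groups may nest only other global groups"
        return True, "ok"
    if group.scope == "domain_local":
        if nested and member.scope == "domain_local" and not same_domain:
            return False, "domain local groups nest only domain local groups of their own domain"
        return True, "ok"
    if group.scope == "universal":
        if nested and member.scope == "domain_local":
            return False, "universal groups cannot contain domain local groups"
        return True, "ok"
    raise ValueError(f"unknown group scope {group.scope!r}")


def classify_strategy(path: List[Member], resource_domain: str,
                      native_mode: bool = True) -> Tuple[str, str]:
    """Validate account -> ... -> permission-holding group and name the strategy.

    Returns ("AGDLP" | "AGUDLP" | "invalid", reason). Permissions are expected
    on a domain local group in the domain that owns the resource.
    """
    if not path or not isinstance(path[0], Account):
        return "invalid", "path must start with an account"
    for member, group in zip(path, path[1:]):
        if not isinstance(group, Group):
            return "invalid", f"{group.name} is not a group"
        ok, why = can_be_member(member, group, native_mode)
        if not ok:
            return "invalid", f"{member.name} -> {group.name}: {why}"
    last = path[-1]
    if not isinstance(last, Group) or last.scope != "domain_local":
        return "invalid", "permissions should be assigned to a domain local group"
    if last.domain != resource_domain:
        return "invalid", "the domain local group must be in the resource's domain"
    scopes = [g.scope for g in path[1:]]
    if scopes == ["global", "domain_local"]:
        return "AGDLP", "ok"
    if scopes == ["global", "universal", "domain_local"]:
        return "AGUDLP", "ok"
    return "invalid", f"unexpected scope chain {scopes}"


if __name__ == "__main__":
    alice = Account("alice", "corp")
    sales = Group("Sales", "corp", "global")
    all_sales = Group("AllSales", "corp", "universal")
    emea_share = Group("EmeaShare", "emea", "domain_local")
    print(classify_strategy([alice, sales, all_sales, emea_share], "emea"))
    print(classify_strategy([alice, sales, all_sales, emea_share], "emea", native_mode=False))
```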

Q.What are the objects you can delegate administrative containers to?
 Domains.
 Organizational units.
 Containers.

Q. How do you design AD for delegation?

You should know the following facts about delegating control:
 You should structure the OUs and user account locations based on administrative needs.
 When you delegate control of an OU, you assign a user or group the permissions necessary to
administer Active Directory functions according to their needs.
 In a small organization, you may have a single administrative group to manage the Active Directory
objects.
 In larger organizations, you may have OUs for several departments. In this case, you could delegate
control to a user or group within each OU.
 Use the Delegate Control wizard in Active Directory Users and Groups to delegate control.

You can verify permissions delegation two ways:


 Select the Security tab in the container's Properties dialog box.
 Open the Advanced Security Settings dialog box for the container.

Q. What are the reasons for having multiple forests?

 The company has different divisions and they are all totally autonomous.
 The company has different locations spread widely across the globe, and you want them to be
independent.
 To have trust limitations.
 Schema differences.

Q. What are the additional administrative difficulties of having multiple forests?

 Schema consistency (the schema has to be replicated properly and has to be the same across all of
the forests).
 Global catalog placement (need to have multiple global catalog servers).
 Trust configuration (need to check whether we need a two-way trust or some other configuration).
 Resource access (difficulties accessing resources).

Q. What are the reasons for having multiple domains?

 Configure different security policies.
 Separate administration (e.g. the sales team wants to manage their own systems).
 Control replication traffic.
 Support Windows NT (to retain Windows NT domains).
 Create distinct namespaces.
 Configure password policies (different password policies for different groups).

Q.What are the disadvantages of creating multiple domains?


Every time you add a domain, you add administrative and hardware costs.

Q. What are the reasons to create OUs?

 Administrative purposes.
 Corporate policies.
 Administering Group Policies.
E.g.: the development team wants to manage their resources, so you create a user OU and assign
permissions to one of the team to manage the resources.

Q. What is an external domain?

An external domain is a domain in another forest, or it can be a domain run by a domain controller
running Windows NT or earlier.

Q. What is an internal domain?

An internal domain is a domain within the same forest.

Q. What is a trust?
 A trust is a link between two or more domains.
 It is a secure communication path that allows security principals from one domain to be
authenticated and accepted by the other domain.
 The trusting domain is the domain granting authentication to security principals in another
domain.
 The trusted domain is the domain housing the security principals that will be trusted.

Q. What are transitivity and selective authentication?

 Transitivity determines whether a trust relationship can be extended to another domain.
 Selective authentication allows only selected users or groups to authenticate across a trust
relationship.

Q. What is a tree root trust?

 It is established between the roots of two trees in the same forest.
 It is transitive.
 It is two-way.

Q. What is a parent-child trust?

 It is automatically created when you create a child domain.
 It is transitive.
 It is two-way.

Q. What is a shortcut trust?

 It is manually created between two domains in the same forest.
 It is transitive.
 It can be one-way or two-way.
 Create a shortcut trust to reduce the amount of Kerberos traffic on the network due to
authentication.

Q. What is an external trust?

 An external trust has to be created manually.
 It is created between domains in different forests, or between a Windows 2003 domain and a
Windows NT 4 or earlier domain.
 It can be one-way or two-way, and can be transitive or non-transitive.

Q. What is a forest root trust?

 A forest root trust is created manually between two forest root domains.
 All the domains in one forest will trust all the domains in the other forest.
 But it is only transitive within the two forests.
 It can be one-way or two-way; it is only available at the Windows 2003 functional level.

Q. What is a realm trust?

 A realm trust is created manually between a non-Windows Kerberos realm and a Windows 2003 domain.
 It can be transitive or non-transitive.
 It can be one-way or two-way.

Q. Name the different types of trusts.

1. Tree root trust
2. Parent-child trust
3. Shortcut trust
4. External trust
5. Forest root trust
6. Realm trust

Note the below:

The table below shows the domain functional levels.

Domain functional level: 2000 Mixed
Domain controller operating systems: NT, 2000, 2003
Features: The following features are available in 2000 Mixed:
• Universal groups are available for distribution groups.
• Group nesting is available for distribution groups.

Domain functional level: 2000 Native
Domain controller operating systems: 2000, 2003
Features: The following features are available in 2000 Native:
• Universal groups are available for security and distribution groups.
• Group nesting.
• Group converting (allows conversion between security and distribution groups).
• SID history (allows security principals to be migrated among domains while maintaining
permissions and group memberships).

Domain functional level: 2003
Domain controller operating systems: 2003
Features: The following features are available in 2003:
• All features of 2000 Native domains.
• Domain controller rename.
• Update logon time stamp.
• User password on InetOrgPerson object.

Forest functional levels depend on the domain functional levels. The table below shows the forest
functional levels.

Forest functional level: 2000
Domain functional level: 2000 Mixed or 2000 Native
Features: The following features are available in 2000:
• Global catalog replication improvements are available if both replication partners are running
Windows Server 2003.

Forest functional level: 2003
Domain functional level: 2003
Features: The following features are available in 2003:
• Global catalog replication improvements
• Defunct schema objects
• Forest trusts
• Linked value replication
• Domain rename
• Improved AD replication algorithms
• Dynamic auxiliary classes
• InetOrgPerson object class change

Q.What are the reasons to upgrade/change domain and forest functional level?
 Domain functional levels (formerly known as domain modes) provide a way to
enable domain-wide Active Directory features within your network
environment.
 Four domain functional levels are available: Windows 2000 mixed (default),
Windows 2000 native, Windows Server 2003 interim, and Windows Server
2003.
 A change in domain functional level is one way only; it cannot be reversed.
 You can rename the domains in your forest if both the domain and forest functional
levels are at the Windows Server 2003 level.

Q.What is operation master role?

 An operations master is a domain controller designated to perform a particular operation.
 Only one domain controller in the domain or forest performs each role.
 Operations masters exist at both the domain and forest levels.
 Operations master role servers are also called flexible single master operation
(FSMO) servers.
 By default, the first domain controller in the forest holds all operations master roles.
When you create a new domain, the first domain controller holds the three
domain operations masters (RID master, PDC emulator, and infrastructure
master).

More facts about Operations master role:

 Use Active Directory Users and Computers to transfer RID master, PDC
emulator, and infrastructure masters.
 Use Active Directory Domains and Trusts to transfer the domain naming
master.
 Use the Active Directory Schema snap-in to transfer the schema master.
 Run Regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in to
make it available for adding to a custom console.
 Before transferring any role, you must connect to the domain controller that will
receive the transferred role.
 To move an object between domains (using Movetree.exe), you must initiate the
move on the domain controller acting as the RID master of the domain that
currently contains the object.
 With a few exceptions, the infrastructure master should not be located on a
global catalog server.

Eg: changing the schema of an AD forest is done through an operations master role (the schema
master), and that role can be moved from one domain controller to another.

Q.List all the operation masters?

 RID Master
 PDC Emulator
 Infrastructure Master.
 Domain Naming Master.
 Schema Master.

Q.What is Schema Master?

 The schema master is a domain controller that controls all updates to the
Active Directory schema.
 There is only one schema master per forest.
 You need access to the schema master if you want to change the schema.
 You can move the schema master role from one server to another.

Q.What is a Domain naming master?

 The domain naming master is a domain controller that controls adding and
removing domains.
 There is only one domain naming master in the forest.
 You can move it from one domain controller to another.
 It ensures that domain names are unique.

Q.What is RID Master?

 The RID master ensures domain-wide unique relative IDs.
 One domain controller in each domain performs this role.
 The RID master allocates pools of IDs to each domain controller.
 When a DC has used all of its IDs, it gets a new pool of IDs.

Q.What is PDC (Primary domain controller) emulator?

 If the domain contains computers operating without Windows Server 2003
client software, or if it contains Windows NT backup domain controllers
(BDCs), the domain controller assigned the PDC emulator role acts as a
Windows NT PDC.
 There is only one PDC emulator in a domain.
 It replicates password changes within a domain.
 It ensures synchronized time within the domain (and between domains in the
forest).

Q.What is infrastructure master?

 The infrastructure master role updates references from groups to users when a
member of a group is renamed or changed.
 One domain controller in each domain performs this role.
 The infrastructure master role should not be assigned to the same computer that is
the global catalog.
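The following PowerShell script is an added example, not part of the original notes: it lists the trusts of the current domain against the trust kinds named earlier, reports the domain and forest functional levels and the five operations master holders, and flags the infrastructure-master-on-global-catalog case and the default "first DC holds everything" placement. It assumes the ActiveDirectory RSAT module and an account that can read the forest.

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory
# PowerShell module (RSAT) and an account that can read the forest.
Import-Module ActiveDirectory

function Get-TrustSummary {
    # Map each trust object onto the trust kinds listed in the notes
    foreach ($t in Get-ADTrust -Filter *) {
        $kind = if ($t.IntraForest)             { 'Tree root / parent-child / shortcut' }
                elseif ($t.TrustType -eq 'MIT') { 'Realm (non-Windows Kerberos)' }
                elseif ($t.ForestTransitive)    { 'Forest root' }
                else                            { 'External' }
        [pscustomobject]@{
            Partner    = $t.Name
            Kind       = $kind
            Direction  = $t.Direction                # Inbound, Outbound or BiDirectional
            Transitive = -not $t.DisallowTransivity  # the module spells this property this way
        }
    }
}

function Get-FsmoReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)
    $gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })

    $warnings = @()
    # The infrastructure master must not sit on a global catalog unless every DC is one;
    # otherwise cross-domain group membership references are never updated
    if ($gcs.Count -lt $dcs.Count -and $gcs -contains $dom.InfrastructureMaster) {
        $warnings += "Infrastructure master $($dom.InfrastructureMaster) is a global catalog"
    }
    # The first DC holds all five roles by default; with several DCs that is a single point of failure
    $holders = @(@($forest.SchemaMaster, $forest.DomainNamingMaster,
                   $dom.RIDMaster, $dom.PDCEmulator, $dom.InfrastructureMaster) |
                 Select-Object -Unique)
    if ($dcs.Count -gt 1 -and $holders.Count -eq 1) {
        $warnings += "All operations master roles are held by $($holders[0])"
    }

    [pscustomobject]@{
        ForestMode           = $forest.ForestMode
        DomainMode           = $dom.DomainMode
        SchemaMaster         = $forest.SchemaMaster        # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster  # one per forest
        RIDMaster            = $dom.RIDMaster              # one per domain
        PDCEmulator          = $dom.PDCEmulator            # one per domain
        InfrastructureMaster = $dom.InfrastructureMaster   # one per domain
        Warnings             = $warnings -join '; '
    }
}

Get-TrustSummary | Format-Table -AutoSize
Get-FsmoReport   | Format-List
```

Run it on a domain controller or a workstation with RSAT; the Warnings field is empty when the placement rules in the notes are satisfied.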

Q.What are the important facts of Schema?

 The schema is the database of object classes and attributes that can be stored in
Active Directory.
 Each object definition in the schema is stored as an object itself, so Active
Directory can manage these definitions just as it does other objects.
 The schema includes definitions for classes and attributes (the definitions are
also called metadata).
 Extending the schema allows Active Directory to recognize new attributes and
classes.
 Adding a component like Microsoft Exchange requires the Active Directory schema to
be extended.
 Only a member of the Schema Admins group has the permission to modify or
extend the schema.
 To perform schema management tasks, use the Active Directory Schema
snap-in.

Q.What Is Active directory Migration tool?

The Active Directory Migration Tool helps to migrate objects (users, groups, trusts etc.) from Windows NT or
lower to Windows 2003, and can also be used to move user accounts and computers between domains.
The migration tool can be installed from the Windows Server 2003 CD at cd:\I386\Admt\admigration.msi.
Groups must be migrated along with users so that users retain their permissions.

Q.Provide us some more facts about object management tasks and tools?
 You should be familiar with the following object management tasks and
tools:
 The Active Directory Migration Tool (ADMT) is a GUI-based utility that lets
you migrate users and other objects between domains. The tool requires that the
source domain trust the target domain.
 You can use the ADMT to retain an object's SID.
 Moving an object within a domain retains its permissions.
 Deleting the object deletes existing permissions.
 You should rename or move an object rather than delete and recreate the object.
 The Ldp utility allows you to search for and view the properties of multiple
Active Directory objects.
 If a computer that does not have an account is joined to the domain, a computer
object is created by default in the built-in Computers OU.
 Use the Dsadd command to add an OU object to Active Directory from the
command line.
 The easiest way to create a single OU in Active Directory is to use the Active
Directory Users and Computers snap-in in the MMC.
 To view the Lost And Found folder, select Advanced Features from the View
menu in the Active Directory Users and Computers snap-in.

Q.List all the AD default objects and containers?

When you install Active Directory, several objects and containers are automatically created. The
following table lists the default containers and their contents.

Container: Builtin
Contents: Built-in domain local security groups. These groups are pre-assigned permissions
needed to perform domain management tasks.

Container: Computers
Contents: All computers joined to the domain without a computer account.

Container: Domain Controllers*
Contents: All domain controllers. This OU cannot be deleted.

Container: ForeignSecurityPrincipals
Contents: Proxy objects for security principals in NT 4.0 domains or domains outside of the forest.

Container: LostAndFound**
Contents: Objects moved or created at the same time an Organizational Unit is deleted. Because of
Active Directory replication, the parent OU can be deleted on one domain controller.
Administrators at other domain controllers can add or move objects to the deleted OU before the
change has been replicated. During replication, new objects are placed in the LostAndFound
container.

Container: NTDS Quotas**
Contents: Objects that contain limits on the number of objects users and groups can own.

Container: Program Data**
Contents: Application-specific data created by other programs. This container is empty until a
program designed to store information in Active Directory uses it.

Container: System**
Contents: Configuration information about the domain including security groups and permissions,
the domain SYSVOL share, Dfs configuration information, and IP security policies.

Container: Users
Contents: Built-in user and group accounts. Users and groups are pre-assigned membership and
permissions for completing domain and forest management tasks.

*Be aware that the Domain Controllers OU is the only default organizational unit object.
All other default containers are just containers, not OUs. As such, you cannot apply a
GPO to any default container except for the Domain Controllers OU.
**By default, these containers are hidden in Active Directory Users and Computers. To
view these containers, click View/Advanced Features from the menu.

Q.What is Group policy?

 Group policy is a tool used to implement system configurations that can be
deployed from a central location through GPOs (Group Policy Objects).
 Group policy is a way to control and lock down what a user and computer can
do.
 Group policy locks down the changes that can be made to a computer or
user, which prevents a non-standardized network environment.
 Group policy can be used to centrally manage software installation, repair
software installations, provide updates to software and remove software from a
computer.
 Group policy can be configured so that a user's data follows the user wherever they
go.

Q.Can Group policy be linked?

Group policy can be linked to:
Sites
Domains
Organizational units.
After you link a GPO to one of the above, for example a site, it applies to all the users in that site.

Q.What is a group policy object?

A group policy object is a collection of group policy settings.
Each Windows 2003 server has one local group policy object and can have a variety of non-local, AD
based group policy objects.
Local group policy can be overridden.
The local GPO is stored in the %systemroot%\system32\grouppolicy folder.

Q.Add more notes on GPO?

Non-local GPOs are created in AD.
A Windows 2003 or 2000 domain controller must be installed in order to use group policy.
When AD is installed, two non-local GPOs are created: a) Default domain policy, b) default controller policy.

Q.What are the two Gpo to apply Group policy?

To apply Group policy there are two types of GPO, i.e. the local group policy object and the site group policy
object.

Q.Mention the most important facts about Gpo?

 GPOs contain hundreds of configuration settings.
 GPOs can be linked to Active Directory sites, domains, or organizational units
(OUs).
 GPOs include computer and user sections. Computer settings are applied at
startup. User settings are applied at logon.
 A GPO only affects the users and computers beneath the object to which the
GPO is linked.
 Group policy settings take precedence over user profile settings.
 A local GPO is stored on a local machine. It can be used to define settings even
if the computer is not connected to a network.
 GPOs are applied in the following order:
 Local
 Site
 Domain
 OU
 If GPOs conflict, the last GPO to be applied overrides conflicting settings.
 The Computers container is not an OU, so it cannot have a GPO applied to it.
 Group policy is not available for Windows 98/NT clients or Windows NT 4.0
domains.
 You can use a GPO for folder redirection, which customizes where user files are
saved. (For example, you can redirect the My Documents folder to point to a network
drive where regular backups occur. Folder redirection requires Active Directory-
based group policy.)
 Configuring a domain group policy to delete cached copies of roaming user profiles
will remove the cached versions of the profile when a user logs off.
 If there is a conflict between computer configuration settings and user configuration
settings, then the user configuration settings are applied.

Q. Refreshing Group Policy

 By default, Computer Configuration group policy settings (except Software
Installation and Folder Redirection) refresh every 5 minutes on domain controllers
and every 90 minutes (plus a random offset between 0 and 30 minutes) for other
computers.
 By default, User Configuration group policy settings (except Software Installation
and Folder Redirection) refresh every 90 minutes (plus a random offset between 0
and 30 minutes).
 You can modify refresh rates by editing the properties of the following settings in
Group Policy:
o Group Policy refresh interval for computers.
o Group Policy refresh interval for Domain Controllers.
o Group Policy refresh interval for users.

Software Installation and Folder Redirection don't refresh because it is too risky to install/uninstall
software or move files while users are using their computers.
To manually refresh group policy settings, use the Gpupdate command with the following switches:

Switch            Function
No switch         Refresh user and computer-related group policy.
/target:user      Refresh user-related group policy.
/target:computer  Refresh computer-related group policy.

Q.How do you create and edit group policy?
 Group policy can be created with the Group Policy Object Editor (MMC snap-in).

 You should know the following facts about editing a GPO:

 Group Policy Object Editor has two nodes:
 Computer Configuration, to set Group Policies for computers.
 User Configuration, to set Group Policies for users.
 You can extend each node's capabilities by using snap-ins.
 Use an Administrative Template file (.adm) to extend the registry settings available
in the Group Policy Editor.
 Use the Software Settings node to automate installation, update, repair, and removal of
software for users or computers.
 The Windows Settings node automates tasks that occur during startup, shutdown,
logon, or logoff.
 Security settings allow administrators to set the security levels assigned to a local or
non-local GPO.
 These security policies can be imported if necessary.

Q.Explain about group policy inheritance?

Controlling GPO Application

 You should know the following about controlling GPO application:
 All GPOs directly linked to or inherited by a site, domain, or OU apply to all
users and computers within that container that have Apply Group Policy and
Read permissions.
 By default, each GPO you create grants the Authenticated Users group
(basically all network users) Apply Group Policy and Read permissions.
 To apply settings to computers, configure the Computer Configuration node of a
GPO.
 Group policy is not inherited from a parent domain to a child domain, but it is
inherited from a domain to its OUs.

Edit Permissions
 You can control the application of GPOs by editing the permissions in the GPO
access control list (ACL). (When you deny an object the required permissions to a
GPO, the object will not receive the GPO.)
 To deny access to a GPO, add the user, group, or computer to the GPO permissions
and deny the Apply Group Policy and Read permissions.
 To apply a GPO to specific users, groups, or computers, remove the Authenticated
Users group from the GPO permissions. Add the specific user, group, or computer
and grant the Apply Group Policy and Read permissions.

Block Inheritance
You can prevent Active Directory child objects from inheriting GPOs that are linked to the parent
objects. To block GPO inheritance:
 Click the Group Policy tab for the domain or OU for which you want to block GPO
inheritance.
 Select the Block Policy inheritance check box.
You cannot block inheritance on a per-GPO basis. Blocking policy inheritance prevents the domain or
OU (along with all the containers and objects beneath them) from inheriting GPOs.

No Override
You should know the following facts about the No Override option:
 The No Override option prevents a GPO from being overridden by another GPO.
 When No Override is set on more than one GPO, the GPO highest in the Active
Directory hierarchy takes precedence.
 No Override cannot be set on a local GPO.

Q.What is Group policy filtering?

 Group policy filtering is used to select which users a GPO is applied to.
 Eg: the Administrator account can be excluded from a Lock Desktop GPO so that the
GPO is not applied to it.
 GPOs can be filtered in two ways:
 Denying the Read and Apply Group Policy permissions.
 Removing the Authenticated Users group from the ACL and adding custom
groups to control GPO application.

Q.What is Wmi filtering?

 A Windows Management Instrumentation (WMI) query is used to filter the scope of a GPO
and control the objects affected by it.
 You can use WMI queries to filter the scope of GPOs.
 WMI filtering is similar to using security groups to filter the scope of GPOs.
 WMI queries are written in the WMI query language (WQL).

Q.What is Loopback processing?

By default, Group Policy applies Computer Configuration GPOs during startup and User
Configuration GPOs during logon. User Configuration settings take precedence in the event of a
conflict.

You can control how Group Policy is applied by enabling loopback processing. Following are some
circumstances when you might use loopback processing:

• If you want Computer Configuration settings to take precedence over User
Configuration settings.
• If you want to prevent User Configuration settings from being applied.
• If you want to apply User Configuration settings for the computer, regardless of
the location of the user account in Active Directory.
Loopback processing is typically used to apply User Configuration settings to special computers located
in public locations, such as kiosks and public Internet stations.

Keep in mind the following about how loopback processing works.

• Loopback processing runs in Merge or Replace mode.
• Merge mode gathers the Computer Configuration GPOs and appends them to the
User Configuration GPOs when the user logs on.
• Replace mode prevents the User Configuration GPOs from being applied.

To enable loopback processing:

 Create or edit a GPO to distribute to the computers on which you want to enable
loopback processing mode. Choose Group Policy from the System node of
Administrative Templates in Computer Configuration. Right-click User Group
Policy loopback processing mode and click Properties.
 Click Enabled.
 Choose Merge mode or Replace mode.
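The following PowerShell script is an added defender-side audit, not part of the original notes, of the GPO scoping mechanisms described above: security filtering (who is allowed or denied Apply Group Policy), WMI filters, blocked inheritance, No Override (shown as "Enforced" in later tools) and loopback processing. It assumes the GroupPolicy and ActiveDirectory RSAT modules, which postdate the Windows Server 2003 tools the notes describe; the loopback registry value and the "Authenticated Users" trustee name are used as the Group Policy editor stores and reports them.

```powershell
# Added example, not from the original notes. Assumes the GroupPolicy and
# ActiveDirectory PowerShell modules (RSAT, Windows Server 2008 R2 or later);
# these cmdlets do not exist on the Windows Server 2003 tools the notes describe.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# The loopback setting is stored as this registry policy value; 1 = Merge, 2 = Replace
$LoopbackKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackModes = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-GpoScopeReport {
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        # Security filtering: who may apply the GPO, and who has been explicitly denied
        # (the notes deny both Read and Apply; checking Apply alone shows the intent)
        $applyAllowed = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })
        $applyDenied  = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and $_.Denied })
        $authUsers    = @($applyAllowed | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' })

        # Loopback processing, if this GPO configures it in its Computer Configuration
        $loopback = ''
        try {
            $v = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey -ValueName 'UserPolicyMode' -ErrorAction Stop
            $loopback = $LoopbackModes[[int]$v.Value]
        } catch { }   # value absent: loopback is not configured in this GPO

        $wmi = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '' }

        [pscustomobject]@{
            GPO                = $gpo.DisplayName
            AppliesToAuthUsers = ($authUsers.Count -gt 0)
            ApplyAllowedTo     = ($applyAllowed | ForEach-Object { $_.Trustee.Name }) -join ', '
            ApplyDeniedTo      = ($applyDenied  | ForEach-Object { $_.Trustee.Name }) -join ', '
            WmiFilter          = $wmi
            Loopback           = $loopback
        }
    }
}

function Get-GpoInheritanceReport {
    # The domain root plus every OU: where inheritance is blocked and which links are
    # enforced (the notes' "No Override"), listed in the order they are applied
    $targets = @((Get-ADDomain).DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })
    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn
        [pscustomobject]@{
            Container         = $dn
            BlocksInheritance = $inh.GpoInheritanceBlocked
            EnforcedLinks     = ($inh.GpoLinks | Where-Object { $_.Enforced } |
                                 ForEach-Object { $_.DisplayName }) -join ', '
            LinkOrder         = ($inh.GpoLinks | Sort-Object Order |
                                 ForEach-Object { $_.DisplayName }) -join ' > '
        }
    }
}

Get-GpoScopeReport       | Format-Table -AutoSize
Get-GpoInheritanceReport | Format-Table -AutoSize
```

A GPO whose AppliesToAuthUsers is false and whose ApplyAllowedTo is empty applies to nobody, which is the usual sign of a filter that was tightened further than intended.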

Q.What Is Gpresult?
 Gpresult is a command line tool that allows you to examine the policy settings
of specific users and computers.
 Start Gpresult by entering Gpresult at the command line (use the /? switch for
syntax help).
 Gpresult can show the following:
o Last application of Group Policy and the domain controller from which
policy was applied.
o Detailed list of the applied GPOs.
o Detailed list of applied Registry settings.
o Details of redirected folders.
o Software management information, like information about assigned and
published software.

Q.What is Rsop?
RSoP (Resultant Set of Policy) is the accumulated results of the group policies applied to a user or
computer. You should know the following facts about RSoP:
 The RSoP wizard reports on how GPO settings affect users and computers. The
wizard runs in two modes: logging and planning.
 The RSoP wizard logging mode reports on existing group policies applied
against computers or users.
 The RSoP wizard planning mode simulates the effects policies would have if
applied to computers or users.

You can access the Resultant Set of Policy (RSoP) wizard in various ways. Here are some common ways:
 Install the RSoP wizard as an MMC snap-in.
 Use the Start > Run sequence and run Rsop.msc.
 You can also select an object in Active Directory Users and Computers and
select Resultant Set of Policy (in planning or logging mode) from the All Tasks
menu.

Note: Both Rsop and Gpresult are used to identify the net effects of all applied GPO’s.

Q.What Is Gpupdate?
 Gpupdate is Group policy update.
 It is used to force the update of Group policy settings.

Q.What is a Gpotool?
 Gpotool is a command line tool which lets us check the health of GPOs on
domain controllers.
 It can also be used to check GPOs for consistency.
 It can also be used to check that GPOs have been replicated.
 It allows us to display information about a particular GPO object.
Q.What tasks can a Domain admin do?
 They can't link GPOs to sites.
 They can do anything within the domain, like creating GPOs and linking GPOs in the
domain.

Q. What tasks can an Enterprise admin do?

 Enterprise admins can do almost anything in the domain or throughout the forest.
 They can link GPOs to sites.

Q.What is Installer package?

 An installer package is a file that has instructions on how to install and remove a
specific program.
 .Msi is the Windows installer package file.
 With a Windows installer package we can choose to install part of the application
instead of the complete application.
 Additional installer files include:
 .mst (transform file; allows you to customize the installation of an application)
 .msp (patch file; used to update existing msi files with patches and service
packs)
 .zap (text file with instructions that help install a program)

Q.What is a distribution point?

 A software distribution point is a location where users or computers go to access the software
files.
 It is a network share that holds the software installation files.
 Users should have read access to this distribution point.
Q.What is the difference between Publishing software and assigning software?
 When an application is published, it does not appear as installed on the
user's computer.
 No shortcuts are visible and no updates are made to the registry.
 The application shows up in Add/Remove Programs and can be installed
by users as needed.

 An assigned application is only installed when it is needed.
 An application can be assigned to computers or users as needed.
 An application assigned to a user shows up in the Start menu when the user
logs in from any computer.
 An application assigned to a computer shows up in the Start menu and is
available to any user who logs on to the computer.

Note: An advanced publishing or assigning check box pops up when you link an MSI file to a GPO; this
installs the application when the computer boots up.

Q.How to uninstall software from all the users and computers?

 Click on Software Settings in the Group Policy editor and right-click the msi
file -> All Tasks -> Remove.
 This will remove the application for all the users.

Q.What is software restriction policy?

The GPO editor has a Software Restriction Policies node where you can block various things on users'
computers, starting from blocking executables, Internet Explorer settings etc.

Q.