Q) What is LDAP?
LDAP (Lightweight Directory Access Protocol) is an Internet protocol that email clients
and other programs use to look up information from a directory server.
The SYSVOL folder is critical because it contains the domain’s public files. This
directory is shared out (as SYSVOL), and any files kept in the SYSVOL folder are
replicated to all other domain controllers in the domain using the File Replication
Service. It contains:
1) Net Logon shares, which are the location where domain logons are sent for
processing and where logon scripts can be stored for client processing.
2) Windows Group Policies.
3) File Replication Service folders and files that must be available and
synchronized between domain controllers, if FRS is in use.
Q) What is KCC?
KCC is the Knowledge Consistency Checker, which creates the connection objects that
link the DCs into a common replication topology and dictate the replication routes
from one DC to another in an Active Directory forest. The default run interval is 15
minutes. The KCC has two algorithms: the intrasite KCC, which is responsible for
the connections within a site, and the Intersite Topology Generator (ISTG), which
is responsible for the connections between sites.
To communicate across site links, the KCC automatically designates a single server,
called the bridgehead server, in each site to perform site-to-site replication.
Q) What is ADSIEDIT?
ADSIEDIT.DLL
ADSIEDIT.MSC
Q) What is the ISTG? Who has that role by default?
CSVDE is a command that can be used to import and export objects to and from AD
using a CSV-formatted file. A CSV (Comma Separated Value) file is easily readable in
Excel.
Like CSVDE, LDIFDE is a command that can be used to import and export objects to
and from AD using an LDIF-formatted file. An LDIF (LDAP Data Interchange Format)
file is easily readable in any text editor; however, it is not readable in programs
like Excel. The major difference between CSVDE and LDIFDE (besides the file format)
is that LDIFDE can be used to edit and delete existing AD objects (not just
users), while CSVDE can only import and export objects.
This is the number of days before an object marked for deletion in Active
Directory is permanently deleted. The default is 180 days in Windows 2003 with SP1
and 60 days in Windows 2000 and Windows 2003 without SP1. During the tombstone
lifetime the object marked for deletion stays in the Deleted Objects container, and every 15 minutes
the garbage collector checks whether the tombstone lifetime has expired for any
objects. Any objects found are permanently deleted.
The tombstone lifetime can be changed using the ADSIEdit tool: right-click the
CN=Directory Service object and select Properties, find tombstoneLifetime in
the attribute list, click the Edit button and enter the number of days in the value
field. Or you can query the current value with dsquery:
  dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime
Q) What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems
between Windows domain controllers. Administrators can use Repadmin to view the
replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from
the perspective of each domain controller. In addition, Repadmin can be used to
manually create the replication topology (although in normal practice this should not
be necessary) and to force replication events between domain controllers.
Q) What are the GPC and the GPT? Where can I find them?
One of the parts of the GPO is the GPT (Group Policy Template), which is responsible
for storing the specific settings created within the GPO. The GPT is stored in the
Policies subfolder, which is under the SYSVOL folder on each domain controller. The
GPT includes key files and folders including:
• GPT.ini
• Machine and User folders
• GptTmpl.inf
• Registry.pol
• Scripts (Logon, Logoff, Startup, and Shutdown) folders
The Group Policy Container (GPC) is the portion of a GPO stored in Active Directory
that resides on each domain controller in the domain. The GPC is responsible for
keeping references to Client Side Extensions (CSEs), the path to the GPT, paths to
software installation packages, and other referential aspects of the GPO.
The DS (Directory Service) group of commands is split into two families. In one
branch are DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery
and DSGet.
If too many DCs are configured as GC servers, the extra replication traffic between
DCs across the forest causes overhead.
Cost is a metric between 1 and 32,767; it is just a number used to compare the relative
cost of the site links. The lower the cost, the more favourable the path. The default
cost for a site link is 100, and if there is only one site link there is no need to
worry about the cost.
Schedule lets you list the weekdays or hours when the site link is available for
replication to happen at the given interval. Interval is the recurrence of intersite
replication in minutes; it ranges from 15 to 10,080 minutes. The default interval is
180 minutes.
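As an added illustration (not part of the original page), the following Python models how site-link cost decides the preferred replication route: it validates each link against the cost and interval ranges given above and runs a shortest-path search over a constructed topology with hypothetical site names.

```python
import heapq

# Limits stated in the text: cost 1-32,767, interval 15-10,080 minutes, defaults 100 and 180.
COST_MIN, COST_MAX = 1, 32_767
INTERVAL_MIN, INTERVAL_MAX = 15, 10_080
DEFAULT_COST, DEFAULT_INTERVAL = 100, 180


def validate_site_link(name, cost=DEFAULT_COST, interval=DEFAULT_INTERVAL):
    """Reject a site link whose cost or replication interval is outside the allowed range."""
    if not COST_MIN <= cost <= COST_MAX:
        raise ValueError(f"{name}: cost {cost} outside {COST_MIN}-{COST_MAX}")
    if not INTERVAL_MIN <= interval <= INTERVAL_MAX:
        raise ValueError(f"{name}: interval {interval} outside {INTERVAL_MIN}-{INTERVAL_MAX} min")
    return cost, interval


def cheapest_path(links, src, dst):
    """Dijkstra over site links: the route with the lowest total cost is preferred.
    links: list of (name, set_of_sites, cost, interval); a link joins every pair of its sites.
    Returns (total_cost, [sites]) or (None, []) when no chain of site links connects them."""
    graph = {}
    for name, sites, cost, interval in links:
        validate_site_link(name, cost, interval)
        for a in sites:
            for b in sites:
                if a != b:
                    graph.setdefault(a, []).append((b, cost))
    heap, seen = [(0, src, [src])], set()
    while heap:
        total, site, path = heapq.heappop(heap)
        if site == dst:
            return total, path
        if site in seen:
            continue
        seen.add(site)
        for nxt, cost in graph.get(site, []):
            if nxt not in seen:
                heapq.heappush(heap, (total + cost, nxt, path + [nxt]))
    return None, []


# Constructed topology (hypothetical site names): the direct HQ-Tokyo link costs more
# than hopping through London, so replication prefers the two-hop route.
SITE_LINKS = [
    ("HQ-London", {"HQ", "London"}, 100, 180),
    ("London-Tokyo", {"London", "Tokyo"}, 150, 180),
    ("HQ-Tokyo-Direct", {"HQ", "Tokyo"}, 300, 15),
    ("HQ-Branch", {"HQ", "Branch"}, DEFAULT_COST, DEFAULT_INTERVAL),
]

if __name__ == "__main__":
    print(cheapest_path(SITE_LINKS, "HQ", "Tokyo"))  # (250, ['HQ', 'London', 'Tokyo'])
```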
Take a System State backup from another DC and restore it locally on the server that
is going to be the next domain controller. Run DCPromo /adv, which will prompt
on the next screen for the path of the restored System State backup. This prevents
replication of the entire configuration over the slow network.
Q) How can you forcibly remove AD from a server, and what do you do later?
DCPromo /forceremoval. Though this command removes the domain controller role, we
still have to use NTDSUTIL to clean up the metadata.
Site links define the connections between two or more sites. A site link is
configured with one of two transports, IP or SMTP. IP is the default and the most
commonly used, over reliable connections; SMTP is often used over poor
network connections.
Sites in Active Directory represent the physical network structure of Active Directory,
based on one or more subnets. Each site in Active Directory corresponds to a well-connected
network, which is why sites are sometimes referred to as the physical structure of AD.
Sites are created according to locations and connection quality, and a site may include
one or more domains. Creating these sites lets you control replication traffic over WAN
links; in this way, sites help define AD’s replication topology.
The Directory Information Base can be separated into parts called naming contexts,
or NCs. In Active Directory, each domain represents a separate naming context.
Domain controllers in the same domain have a read/write replica of that Domain
naming context. Configuration and Schema objects are stored in their own naming
contexts, as are DNS Record objects when using Active Directory Integrated DNS
zones.
When a client submits a query for information about a particular object, the system
must determine which DSA hosts the naming context that contains the particular
object. It does this using the object’s distinguished name and knowledge about the
directory topology.
DSAs that host copies of the same naming context must replicate changes to each
other. It’s important to keep this in mind as you work with Active Directory servers.
If you have separate domains, then clients in one domain must walk the tree to get
access to Active Directory objects in another domain. If the domain controllers for
the domains are in different locations in the WAN, this can slow performance. Many
of the architectural decisions you’ll make as you design your system focus on the
location, accessibility, and reliability of naming contexts.
Q) What is GPMC?
Microsoft group policy management console (GPMC) provides a single solution for
managing all Group Policy related tasks. GPMC lets administrators manage Group
Policy for multiple domains and sites within one or more forests, in a simplified user
interface with drag-and-drop support.
Highlights include new functionality such as backup, restore, import, copy and
reporting of group policy objects.
If the backup is older than the tombstone age set in Active Directory, then it is not
considered to be a good backup.
When an object is deleted in Windows 2000, the DC from which the object was
deleted informs the other DCs in the environment about the deletion by replicating
what is known as a tombstone.
A tombstone is a representation of an object that has been deleted but not fully
removed from the directory. The tombstone will eventually be removed based on the
tombstone lifetime setting, which by default is set to 60 days. If a DC is restored to a
state prior to the deletion of an object, and the tombstone for that object is not
replicated to the restored DC before the tombstone expires, the object remains
present only on the restored DC, resulting in an inconsistency. Thus it is important
that the DC be restored prior to expiration of the tombstone, and that inbound
replication from a DC containing the tombstone to the restored DC is completed prior
to expiration of the tombstone.
Active Directory protects itself from restoring data older than the tombstone lifetime
by disallowing the restore. As a result, the useful life of a backup is equivalent to the
"tombstone lifetime" setting for the enterprise.
Given this, the backup interval should be at least once within the tombstone lifetime.
However, Microsoft strongly recommends that administrators back up the System
State and system disk more often, to ensure that at any given time a backup is available
that holds a recent version of the data.
System State
Active Directory is backed up as part of System State, a collection of system components that
depend on each other. These components must be backed up (and restored) together.
System registry. The contents of the registry are automatically backed up when you back up
System State data. In addition, a copy of your registry files is saved in the folder
%SystemRoot%\Repair\Regback, allowing you to restore the registry without doing a complete
restore of the System State.
Class registration database of COM+. The Component Object Model (COM) is a binary
standard for writing component software in a distributed systems environment. The Component
Services Class Registration Database is backed up and restored with the System State data.
SYSVOL. The system volume provides a default Active Directory location for files that must be
shared for common access throughout a domain. The SYSVOL folder on a domain controller
contains the following:
• Net Logon shares. (These usually host logon scripts and policy objects for non-
Windows 2000–based network clients.)
• User logon scripts for Windows 2000 Professional–based clients and clients that are
running Windows 95, Windows 98, or Windows NT 4.0.
• File replication service (FRS) staging directories and files that are required to be available
and synchronized between domain controllers.
Note: If you have an Active Directory-integrated DNS, the zone data will be backed up as part of
the Active Directory database. If you do not have an Active Directory-integrated DNS, the zone
files will have to be backed up explicitly. However, if you back up the system disk along with
the System State, this data will be backed up as part of the system disk.
If you have Cluster Service or Certificate Services installed on your domain controller, they are
backed up as part of System State. Details of these components are not discussed in this paper.
To back up Active Directory, you must be a member of either the Backup Operators
group or the Administrators group.
To restore the System State data, the person performing the procedure must be a Local
Administrator.
Universal groups are allowed only in native-mode Windows Server 2003 environments.
Native mode requires that all domain controllers be promoted to Windows Server 2003
Active Directory.
Q) What is LSDOU?
It’s the Group Policy inheritance model, where policies are applied to the Local machine,
Sites, Domains and Organizational Units, in that order.
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
%SystemRoot%\System32\GroupPolicy
%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
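To make the LSDOU order concrete, here is an added Python example (not from the original page) that merges settings from Local, Site, Domain and OU policies in application order, records which GPO won each setting, and applies an optional NTConfig.pol on top as the highest-priority policy. GPO names and setting keys are hypothetical; Enforced links and Block Inheritance are deliberately not modelled.

```python
# Group Policy application order (LSDOU). Each later level overwrites settings from the
# level before it, so the last policy applied wins a conflict.
LEVELS = ("Local", "Site", "Domain", "OU")


def effective_policy(layers, ntconfig_pol=None):
    """Merge GPO settings in LSDOU order and record which GPO supplied each value.
    layers: dict level -> list of GPOs in the order they are applied (for OUs, parent
            OU first, child OU last). Each GPO is {"name": str, "settings": {key: value}}.
    ntconfig_pol: optional NT 4.0 system policy; the text says it takes highest priority.
    Assumption of this example: Enforced links and Block Inheritance are not modelled."""
    settings, winner = {}, {}
    for level in LEVELS:
        for gpo in layers.get(level, []):
            for key, value in gpo["settings"].items():
                settings[key] = value
                winner[key] = f"{level}:{gpo['name']}"
    if ntconfig_pol:
        for key, value in ntconfig_pol.items():
            settings[key] = value
            winner[key] = "NTConfig.pol"
    return settings, winner


# Constructed example with hypothetical GPO names and settings.
LAYERS = {
    "Local": [{"name": "Local GPO", "settings": {"ScreenSaverTimeout": 600, "DisableCMD": False}}],
    "Site": [{"name": "Site-HQ", "settings": {"ScreenSaverTimeout": 900}}],
    "Domain": [{"name": "Default Domain Policy", "settings": {"MinPasswordLength": 8}}],
    "OU": [
        {"name": "Workstations", "settings": {"ScreenSaverTimeout": 300}},
        {"name": "Workstations\\Kiosks", "settings": {"DisableCMD": True}},
    ],
}

if __name__ == "__main__":
    values, sources = effective_policy(LAYERS)
    for key in sorted(values):
        print(f"{key}={values[key]} (from {sources[key]})")
```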
Q) You change the group policies, and now the computer and user settings are in
conflict. Which one has the highest priority?
Permissive: if at least one group has Allow permission for the file/folder, the user will
have the same permission.
Q) For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive: if at least one group has Deny permission for the file/folder, the user will
be denied access, regardless of other group permissions.
Unlimited. Remember, though, that it’s the Administrator account, not any account that’s
part of the Administrators group.
Q) What is Striping?
Striping is a process whereby data is split across multiple disks. This is typically done
with identical drives. Data being written is split into small blocks (8-32K typically) and
written across as many drives as are in the striped volume. The block size is typically
called an ‘interlace’ or ‘interleave’ factor. This makes writing and reading data much
faster than writing to a single disk.
There are two types of defragmentation. The first is online, which happens automatically,
by default, every 12 hours as part of the garbage collection process. The good news about
online defrag is that it’s automatic, and the domain controller stays online. Unfortunately,
online defrag doesn’t reduce the total size of the database file. It only reclaims free space
from within the database file. Reducing the total size of the database can only be
accomplished by performing an offline defrag.
To reduce the size of the AD database, you’ll need to reboot the server and use the F8
option, and then choose Directory Services Restore Mode. This allows you to boot the
server, but not start AD. You can now work with the AD files that are open when the
server’s in normal operation. Once booted into Directory Services Restore Mode, you can
use the NTDSUtil.exe utility to compact the database. When compacting ntds.dit, you
need to have enough free disk space to hold a copy of the current ntds.dit file. Here are
the steps to complete an offline defrag.
I added steps one and three as a safety measure to ensure that any mistakes made running
the NTDSUtil.exe utility wouldn’t be catastrophic.
Copy the new Ntds.dit file over the old Ntds.dit file in the current Active Directory
database path that you noted in step 6.
After completing an offline defrag, perform a backup immediately. Once you’re sure that
AD is working and a backup has been completed, you can delete the backup copy of the
ntds.dit file. Figure 2 shows the NTDSUtil utility after it’s finished running.
Q) What is the default online defragmentation interval in Active Directory as part of AD’s
maintenance process?
By default, online defragmentation automatically happens every 12 hours as part of AD's
Maintenance process.
The ESE uses transaction and log files to ensure the integrity of the Active Directory
database. Active Directory includes the following files:
• Ntds.dit is the Active Directory database, which stores all the Active Directory
objects on the domain controller. The .dit extension refers to the directory
information tree. The default location is the %systemroot%\Ntds folder. Active
Directory records every transaction in the log files that are associated with the
Ntds.dit file.
• Edb*.log are the transaction log files. Each transaction log file is 10 megabytes (MB).
When the Edb.log file is full, Active Directory renames it to Edbnnnnn.log, where
nnnnn is an increasing number starting from 1.
• Edb.chk is a checkpoint file used by the database engine to track data
that has not yet been written to the Active Directory database file. The checkpoint file
acts as a pointer that maintains the state between memory and the database file on
disk. It indicates the starting point in the log file from which information must
be recovered if a failure occurs.
• Res1.log and Res2.log are reserved transaction log files. The amount of
disk space reserved on a drive or folder for these logs is 20 MB. This reserved
disk space provides sufficient space to shut down cleanly if all other disk space is
in use.
Garbage collection is a housekeeping process that is designed to free space within the
Active Directory database. In Windows 2000 and in the original release version of
Windows Server 2003, this process runs on every domain controller in the enterprise with
a default lifetime interval of 12 hours.
When an object is deleted in Active Directory it becomes a tombstone, and the tombstone
is used to replicate the deletion throughout the Active Directory environment.
Q) Why do we associate subnet information with sites in Active Directory Sites and
Services?
One of the major uses of the site topology is for clients to find their closest DC. That is
why subnet information must be associated with sites. Clients use their IP address to
determine which Active Directory subnet they belong to, and subsequently which site. The
site information can then be used to determine the closest DC.
This information also is used during Active Directory replication to determine the best
routes between domain controllers.
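As an added example (not part of the original page), the Python below performs the subnet-to-site lookup described above over a constructed subnet table with hypothetical site names, address ranges and DC names: the most specific (longest-prefix) subnet wins, and a client whose address falls outside every defined subnet cannot be placed in any site.

```python
import ipaddress

# Constructed subnet-to-site mapping, as it would be entered in AD Sites and Services
# (hypothetical site names and address ranges).
SUBNETS = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.1.0.0/16": "HQ",
    "10.1.5.0/24": "HQ-DataCenter",
    "192.168.50.0/24": "Branch",
}
DCS_BY_SITE = {
    "Default-First-Site-Name": ["DC00"],
    "HQ": ["DC01"],
    "HQ-DataCenter": ["DC02", "DC03"],
    "Branch": ["DC04"],
}


def site_for_ip(ip, subnets=SUBNETS):
    """Map a client IP to its site by longest-prefix match over the defined subnets.
    Returns None when no subnet covers the address, so the client cannot be placed in a site."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def closest_dcs(ip, subnets=SUBNETS, dcs=DCS_BY_SITE):
    """Return the DCs in the client's own site; empty list when the client is site-less."""
    site = site_for_ip(ip, subnets)
    return list(dcs.get(site, [])) if site else []


if __name__ == "__main__":
    for client in ("10.1.5.20", "10.1.9.9", "10.200.1.1", "172.16.0.1"):
        print(client, site_for_ip(client), closest_dcs(client))
```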
TCP - 379