
Active Directory

Q) What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that email
clients and other programs use to look up information from a directory server.

Q) What is the SYSVOL folder?

The SYSVOL folder is critical because it contains the domain's public files. This
directory is shared out (as SYSVOL), and any files kept in the SYSVOL folder are
replicated to all other domain controllers in the domain using the File Replication
Service.

The SYSVOL folder also contains the following items.

1) Net Logon shares, which is the location where domain logons are sent for
processing and where logon scripts can be stored for client processing.
2) Windows Group Policies.
3) File Replication Service folders and files that must be available and
synchronized between domain controllers, if FRS is in use.

Q) What is KCC?

KCC is the Knowledge Consistency Checker, which creates the connection objects that
link the DCs into a common replication topology and dictate the replication routes
from one DC to another in an Active Directory forest. The default run interval is 15
minutes. The KCC has two algorithms: the intrasite KCC, which is responsible for the
connections within a site, and the Intersite Topology Generator (ISTG), which is
responsible for the connections among sites.
To communicate across site links, the KCC automatically designates a single server,
called the bridgehead server, in each site to perform site-to-site replication.

Q) What is ADSIEDIT?

ADSIEDIT is a Microsoft Management Console (MMC) snap-in that acts as a low-level
editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network
administrators can use it for common administrative tasks such as adding, deleting,
and moving objects within a directory service. The attributes of each object can be
edited or deleted with this tool. ADSIEDIT uses the ADSI application programming
interfaces (APIs) to access Active Directory. The following files are required to
use this tool:

ADSIEDIT.DLL
ADSIEDIT.MSC

Q) What is the ISTG? Who has that role by default?

Intersite Topology Generator (ISTG) is one of the KCC algorithms; it is responsible
for the connections among sites. By default, this role is available at the Windows
2003 forest functional level.

Q) What’s the difference between LDIFDE and CSVDE? Usage considerations?

CSVDE is a command that can be used to import and export objects to and from AD
using a CSV-formatted file. A CSV (Comma Separated Value) file is easily readable
in Excel.

Like CSVDE, LDIFDE is a command that can be used to import and export objects to
and from AD, but using an LDIF-formatted file. An LDIF (LDAP Data Interchange
Format) file is easily readable in any text editor, but it is not readable in
programs like Excel. The major difference between CSVDE and LDIFDE (besides the file
format) is that LDIFDE can be used to edit and delete existing AD objects (not just
users), while CSVDE can only import and export objects.
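The reason LDIFDE can modify and delete is that each LDIF record carries a changetype. The parser below is an added example (not code from the original page or from Microsoft); it reads a constructed LDIFDE-style export with an add, a modify and a delete record, handles the base64 (`::`) and folded-line conventions of the format, and reports which records CSVDE could not express.

```python
import base64

# Constructed LDIF in the style LDIFDE exports: an add, a modify and a delete
# record. A CSVDE file can only express the first kind.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example
changetype: add
objectClass: user
sAMAccountName: alice
description:: QWxpY2UgKGxhYiB1c2VyKQ==

dn: CN=Alice Example,OU=Staff,DC=corp,DC=example
changetype: modify
replace: description
description: Security engineer,
  lab
-

dn: CN=Old Service,OU=Staff,DC=corp,DC=example
changetype: delete
"""


def parse_ldif(text):
    """Parse LDIF into records {'dn', 'changetype', 'attrs': {name: [values]}}.

    Handles '::' (base64) values and folded lines that continue with a space;
    records without a changetype line default to 'add', as LDIFDE imports do.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:                  # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
            current = None
            continue
        if line.startswith("#") or line == "-":   # comment / end of modify op
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {"dn": None, "changetype": "add", "attrs": {}}
        if name == "dn":
            current["dn"] = value
        elif name == "changetype":
            current["changetype"] = value
        else:
            current["attrs"].setdefault(name, []).append(value)
    return records


def needs_ldifde(records):
    """DNs of records CSVDE cannot import: anything other than a plain add."""
    return [r["dn"] for r in records if r["changetype"] != "add"]
```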

Q) What is tombstone lifetime attribute?

This is the number of days before an object marked for deletion in Active Directory
is permanently deleted. The default is 180 days in Windows 2003 with SP1 and 60 days
in Windows 2000 and Windows 2003 without SP1. During the tombstone lifetime the
object marked for deletion stays in the Deleted Objects container, and every 15
minutes the garbage collector checks whether the tombstone lifetime has expired for
any objects. Any objects found are permanently deleted.

The tombstone lifetime can be changed with the ADSIEdit tool: right-click the
CN=Directory Service container and select Properties, find tombstoneLifetime in
the attribute list, click Edit and enter the number of days in the value field.
Or you can query it with dsquery:

dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime

Q) What are the requirements for installing AD on a new server?

Appropriately configured TCP/IP and DNS.

Q) What is REPADMIN?

This command-line tool assists administrators in diagnosing replication problems
between Windows domain controllers. Administrators can use Repadmin to view the
replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from
the perspective of each domain controller. In addition, Repadmin can be used to
manually create the replication topology (although in normal practice this should not
be necessary) and to force replication events between domain controllers.

Q) What are the GPC and the GPT? Where can I find them?

Group Policy Template

One of the parts of the GPO is the GPT (Group Policy Template), which is responsible
for storing the specific settings created within the GPO. The GPT is stored in the
Policies subfolder, which is under the SYSVOL folder on each domain controller. The
GPT includes key files and folders including:

• GPT.ini
• Machine and User folders
• GptTmpl.inf
• Registry.pol
• Scripts (Logon, Logoff, Startup, and Shutdown) folders

Group Policy Container

The Group Policy Container (GPC) is the portion of a GPO stored in Active Directory
that resides on each domain controller in the domain. The GPC is responsible for
keeping references to Client Side Extensions (CSEs), the path to the GPT, paths to
software installation packages, and other referential aspects of the GPO.

Q) What are the DS* commands?

The DS (Directory Service) group of commands is split into two families. In one
branch are DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery
and DSGet.

DSmod - modify Active Directory attributes.

DSrm - to delete Active Directory objects.

DSmove - to relocate objects.

DSadd - create new accounts.

DSquery - to find objects that match your query attributes.

DSget - list the properties of an object.


Q) Where is the AD database held? What other folders are related to AD?

The Active Directory database file is ntds.dit in %systemroot%\ntds (ntds: NT
Directory Service; dit: Directory Information Tree), and it resides on every domain
controller. Active Directory uses the database engine called Extensible Storage
Engine (ESE), also referred to as Microsoft Jet DB; ESE is effectively the database
for Active Directory. ESE records each transaction in a log file called Edb.log
before writing it back to Ntds.dit, which keeps the database consistent. The engine
resides in the file ESent.dll. Other files related to Active Directory are:

• edbxxx.log – auxiliary log files that come into use when edb.log is full.
• Edb.chk – the checkpoint file, used by the transaction logging system to mark the
point up to which updates have been transferred to ntds.dit.
• Res1.log / Res2.log – reserved log files used when disk space is full and
edbxxx.log can no longer be written.
• Temp.edb – a scratch pad that stores information about the transaction currently
in progress.
• Schema.ini – the file used to initialize ntds.dit.

Q) Why not make all DCs in a large forest as GCs?

If too many DCs are configured as GC servers, replication overhead between the DCs
across the forest increases.

Q) What is Cost in Site Link?

Cost is a metric from 1 to 32,767 that is simply a number for comparing the relative
cost of site links: the lower the cost, the more favorable the path. The default
cost for a site link is 100, and if there is only one site link there is no need to
worry about the cost.
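Since cost only matters relative to the other links, the path replication prefers is the one whose link costs sum lowest. The following is an added example, not code from the page: it runs a shortest-path search over a constructed site-link table (illustrative site names and costs, 100 being the default), validates the 1 to 32,767 range, and reports when two sites are not connected by any chain of links.

```python
import heapq
from collections import defaultdict

# Constructed site-link table: (site_a, site_b, cost). Links are bidirectional and
# 100 is the default site link cost; the numbers here are illustrative only.
SITE_LINKS = [
    ("HQ", "Branch-A", 100),
    ("HQ", "Branch-B", 100),
    ("Branch-A", "Branch-B", 25),    # cheap link between two branches
    ("Branch-B", "DR-Site", 500),    # costly WAN link
    ("HQ", "DR-Site", 700),          # even costlier direct link
]

MIN_COST, MAX_COST = 1, 32767        # valid site link cost range


def build_graph(links):
    """Adjacency map for the site links; rejects costs outside 1..32,767."""
    graph = defaultdict(list)
    for a, b, cost in links:
        if not MIN_COST <= cost <= MAX_COST:
            raise ValueError(f"site link {a}-{b}: cost {cost} out of range")
        graph[a].append((b, cost))
        graph[b].append((a, cost))
    return graph


def cheapest_route(links, src, dst):
    """Lowest-cost route between two sites (Dijkstra over site link costs).

    Returns (total_cost, [sites along the route]) or (None, []) if dst is
    unreachable, i.e. no chain of site links connects the two sites.
    """
    graph = build_graph(links)
    dist, prev = {src: 0}, {}
    heap = [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == dst:
            break
        if cost > dist[site]:          # stale heap entry, already improved
            continue
        for nxt, link_cost in graph[site]:
            new_cost = cost + link_cost
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = site
                heapq.heappush(heap, (new_cost, nxt))
    if dst not in dist:
        return None, []
    route = [dst]
    while route[-1] != src:
        route.append(prev[route[-1]])
    return dist[dst], route[::-1]


if __name__ == "__main__":
    # The direct HQ-DR link (700) loses to HQ -> Branch-B -> DR-Site (100 + 500).
    print(cheapest_route(SITE_LINKS, "HQ", "DR-Site"))
```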

Q) What’s the difference between a site link’s schedule and interval?

The schedule lets you list the weekdays or hours when the site link is available for
replication. The interval is how often intersite replication recurs, in minutes,
within that scheduled window; it ranges from 15 to 10,080 minutes, and the default
interval is 180 minutes.

Q) What can you do to promote a server to DC if you're in a remote location with a
slow WAN link?

Take a System State backup from another DC and restore it locally on the server that
is going to be the next domain controller. Run DCPromo /adv, which prompts on the
next screen for the path of the restored System State backup. This avoids
replicating the entire configuration over the slow network.

Q) How can you forcibly remove AD from a server, and what do you do later?

DCPromo /Forceremoval. Although this command forcibly removes the domain controller
role, you still have to use NTDSUTIL to clean up the metadata.

Q) What is Site Link?

A site link defines the connection between two or more sites. Site links are
configured under one of two transport protocols, IP and SMTP. IP is the default and
the most commonly used, over reliable connections; SMTP is often used over poor
network connections.

Q) What are sites? What are they used for?

Sites in Active Directory represent the physical network structure, based on one or
more subnets. Each site corresponds to a well-connected network, which is why sites
are sometimes referred to as the physical structure of AD. Sites are created
according to location and connection quality and can include one or more domains.
Creating these sites lets you control replication traffic over WAN links; in this
way sites help define AD's replication topology.

Q) What is the Naming context in Active Directory?

The Directory Information Base can be separated into parts called naming contexts,
or NCs. In Active Directory, each domain represents a separate naming context.
Domain controllers in the same domain have a read/write replica of that Domain
naming context. Configuration and Schema objects are stored in their own naming
contexts, as are DNS Record objects when using Active Directory Integrated DNS
zones.

When a client submits a query for information about a particular object, the system
must determine which DSA hosts the naming context that contains the particular
object. It does this using the object’s distinguished name and knowledge about the
directory topology.

If a DSA cannot respond to a query using information in the naming contexts it
hosts, it sends the client a referral to a DSA hosting the next higher or lower naming
context in the tree (depending on the distinguished name of the object in the
search). The client then submits the request to a DSA hosting the naming context in
the referral. This DSA either responds with the information being requested or a
referral to another DSA. This is called walking the tree.

DSAs that host copies of the same naming context must replicate changes to each
other. It's important to keep this in mind as you work with Active Directory servers.
If you have separate domains, then clients in one domain must walk the tree to get
access to Active Directory objects in another domain. If the domain controllers for
the domains are in different locations in the WAN, this can slow performance. Many
of the architectural decisions you'll make as you design your system focus on the
location, accessibility, and reliability of naming contexts.

Q) What is GPMC?

The Microsoft Group Policy Management Console (GPMC) provides a single solution for
managing all Group Policy related tasks. GPMC lets administrators manage Group
Policy for multiple domains and sites within one or more forests, in a simplified
user interface with drag-and-drop support.
Highlights include new functionality such as backup, restore, import, copy and
reporting of Group Policy objects.

Q) Why can't you restore a DC that was backed up 4 months ago?

If the backup is older than the tombstone age set in Active Directory, then it is not
considered to be a good backup.
When an object is deleted in Windows 2000, the DC from which the object was
deleted informs the other DCs in the environment about the deletion by replicating
what is known as a tombstone.

A tombstone is a representation of an object that has been deleted but not fully
removed from the directory. The tombstone will eventually be removed based on the
tombstone lifetime setting, which by default is set to 60 days. If a DC is restored to a
state prior to the deletion of an object, and the tombstone for that object is not
replicated to the restored DC before the tombstone expires, the object remains
present only on the restored DC, resulting in an inconsistency. Thus it is important
that the DC be restored prior to expiration of the tombstone, and that inbound
replication from a DC containing the tombstone to the restored DC is completed prior
to expiration of the tombstone.

Active Directory protects itself from restoring data older than the tombstone lifetime
by disallowing the restore. As a result, the useful life of a backup is equivalent to the
"tombstone lifetime" setting for the enterprise.
Given this, backups should be taken at least once within the tombstone lifetime.
However, Microsoft strongly recommends that administrators back up the System
State and system disk more often, so that at any given time a backup holding a
recent version of the data is available.

Q) What are the contents included in a system state backup?

System State-

Active Directory is backed up as part of System State, a collection of system components that
depend on each other. These components must be backed up (and restored) together.

Components that make up the System State on a domain controller include:

System start-up files (boot files). These are the files required for Windows 2000 to boot. They
are automatically backed up as part of the System State.

System registry. The contents of the registry are automatically backed up when you back up
System State data. In addition, a copy of your registry files is saved in the folder
%SystemRoot%\Repair\Regback, allowing you to restore the registry without doing a complete
restore of the System State.

Class registration database of COM+. The Component Object Model (COM) is a binary
standard for writing component software in a distributed systems environment. The Component
Services Class Registration Database is backed up and restored with the System State data.

SYSVOL. The system volume provides a default Active Directory location for files that must be
shared for common access throughout a domain. The SYSVOL folder on a domain controller
contains the following:

• Net Logon shares. (These usually host logon scripts and policy objects for
non-Windows 2000–based network clients.)

• File system junctions.

• User logon scripts for Windows 2000 Professional–based clients and clients that are
running Windows 95, Windows 98, or Windows NT 4.0.

• Windows 2000 Group Policy.

• File replication service (FRS) staging directories and files that are required to be available
and synchronized between domain controllers.

Active Directory. This includes:

• Ntds.dit. The Active Directory database.

• Edb.chk. The checkpoint file.

• Edb*.log. The transaction logs; each 10 MB in size.

• Res1.log and Res2.log. Reserved transaction logs.

Note: If you have an Active Directory-integrated DNS, the zone data will be backed up as part of
the Active Directory database. If you do not have an Active Directory-integrated DNS, the zone
files will have to be backed up explicitly. However if you backup the system disk along with the
System State, this data will be backed up as part of the system disk.

If you have Cluster Service or Certificate Services installed on your domain controller, they are
backed up as part of System State. Details of these components are not discussed in this paper.

Q) Access rights required for AD Backup & Restore?

To back up Active Directory, you must be a member of either the Backup Operators
group or the Administrators group.
To restore the System State data, the person performing the procedure must be a local
Administrator.

Q) What is multi master replication?

Multi-master replication is a method of replication employed by databases to transfer data
or changes to data across multiple computers within a group.

Q) I am trying to create a new universal user group. Why can’t I?

Universal groups are allowed only in native-mode Windows Server 2003 environments.
Native mode requires that all domain controllers be promoted to Windows Server 2003
Active Directory.

Q) What is LSDOU?

It's the Group Policy inheritance model, in which policies are applied, in that order,
to the Local machine, Sites, Domains and Organizational Units.

Q) Why doesn’t LSDOU work under Windows NT?

If an NTConfig.pol file exists, it has the highest priority among the various policies.

Q) Where are group policies stored?

%SystemRoot%\System32\GroupPolicy

Q) Where is GPT (Group policy template) stored?

%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

Q) You change the group policies, and now the computer and user settings are in
conflict. Which one has the highest priority?

The computer settings take priority.

Q) How frequently is the client policy refreshed?

90 minutes give or take.

Q) For a user in several groups, are Allow permissions restrictive or permissive?

Permissive: if at least one group has an Allow permission for the file/folder, the user
will have that permission.

Q) For a user in several groups, are Deny permissions restrictive or permissive?

Restrictive: if at least one group has a Deny permission for the file/folder, the user
will be denied access, regardless of the other groups' permissions.
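The two rules above combine into one evaluation: Allow rights accumulate across every group the user belongs to, and a Deny from any group removes the right. The code below is an added example (not from the page) that applies that simplified rule to a constructed ACL and also reports which entry is responsible for each denial, which is the first thing to look at when troubleshooting "access denied" for a multi-group user.

```python
# Constructed ACL in the form (principal, access type, rights). Windows evaluates
# ACEs in canonical order; this implements the simplified rule stated in the text:
# Allow entries accumulate across groups, and any Deny entry removes the right.
ACL = [
    ("Domain Users", "Allow", {"Read"}),
    ("Finance",      "Allow", {"Read", "Write"}),
    ("Contractors",  "Deny",  {"Write", "Delete"}),
    ("HR",           "Allow", {"Read", "Write", "Delete"}),
]


def effective_rights(acl, user, groups):
    """Union of Allow rights for the user and all of its groups, minus every Deny."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal not in principals:
            continue
        (allowed if kind == "Allow" else denied).update(rights)
    return allowed - denied


def has_access(acl, user, groups, right):
    """True only if some group grants the right and no group denies it."""
    return right in effective_rights(acl, user, groups)


def explain_denials(acl, user, groups):
    """Map each denied right to the principal whose Deny entry caused it."""
    principals = {user, *groups}
    return {right: principal
            for principal, kind, rights in acl
            if kind == "Deny" and principal in principals
            for right in rights}


if __name__ == "__main__":
    # bob is in Finance (Allow Write) but also in Contractors (Deny Write): Deny wins.
    print(effective_rights(ACL, "bob", {"Domain Users", "Finance", "Contractors"}))
```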

Q) What hidden shares exist on Windows Server 2003 installation?

Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

Q) What’s the number of permitted unsuccessful logons on Administrator account?

Unlimited. Remember, though, that it’s the Administrator account, not any account that’s
part of the Administrators group.

Q) What is Striping?

Striping is a process whereby data is split across multiple disks. This is typically done
with identical drives. Data being written is split into small blocks (8-32K typically) and
written across as many drives as are in the striped volume. The block size is typically
called the 'interlace' or 'interleave' factor. This makes writing and reading data much
faster than writing to a single disk.

Q) Active Directory Online vs. Offline Defragmentation?

There are two types of defragmentation. The first is online, which happens automatically,
by default, every 12 hours as part of the garbage collection process. The good news about
online defrag is that it’s automatic, and the domain controller stays online. Unfortunately,
online defrag doesn’t reduce the total size of the database file. It only reclaims free space
from within the database file. Reducing the total size of the database can only be
accomplished by performing an offline defrag.

To reduce the size of the AD database, you’ll need to reboot the server and use the F8
option, and then choose Directory Services Restore Mode. This allows you to boot the
server, but not start AD. You can now work with the AD files that are open when the
server’s in normal operation. Once booted into Directory Services Restore Mode, you can
use the NTDSUtil.exe utility to compact the database. When compacting ntds.dit, you
need to have enough free disk space to hold a copy of the current ntds.dit file. Here are
the steps to complete an offline defrag.

I added steps one and three as a safety measure to ensure that any mistakes made running
the NTDSUtil.exe utility wouldn’t be catastrophic.

1. Using NTBackup, create a System State backup.
2. Boot to Directory Services Restore Mode.
3. If you have the space, rename the old file as a backup until you're sure that
everything is working.
4. At the command prompt, run NTDSUtil.
5. Type files and press Enter.
6. Type info and press Enter. Note the path to the current active ntds.dit file.
7. Type compact to "c:\new" (this creates a new, compacted ntds.dit file in
c:\new; the directory is created if it doesn't exist).
8. A new database named Ntds.dit is created in the path you specified.
9. Type quit, and then press Enter. Type quit again to return to the command
prompt.
10. If defragmentation succeeds without errors, follow the Ntdsutil.exe on-screen
instructions. Delete all the log files in the log directory by typing the following
command:

del drive:\pathToLogFiles\*.log

Copy the new Ntds.dit file over the old Ntds.dit file in the current Active Directory
database path that you noted in step 6.

Note: You do not have to delete the Edb.chk file.

After completing an offline defrag, perform a backup immediately. Once you're sure that
AD is working and a backup has been completed, you can delete the backup copy of the
ntds.dit file. Figure 2 shows the NTDSUtil utility after it's finished running.

Restart the computer normally.


Q) What’s the tombstone life time with SP1 and without SP1?

It is 180 days with SP1 and without SP1 it is 60 days.

Q) What is the default size of the ntds.dit database?

6.01 MB

Q) What is the default online defragmentation time in Active Directory as part of AD's
maintenance process?

By default, online defragmentation automatically happens every 12 hours as part of AD's
maintenance process.

Q) Describe the Active directory database?

Active Directory Database and Log Files

The ESE uses transactions and log files to ensure the integrity of the Active Directory
database. Active Directory includes the following files:

• Ntds.dit is the Active Directory database, which stores all Active Directory
objects on the domain controller. The .dit extension refers to the directory
information tree. The default location is the %systemroot%\Ntds folder. Active
Directory records every transaction in the log files associated with the
Ntds.dit file.
• Edb*.log is the transaction log file. Each transaction log file is 10 megabytes (MB).
When the Edb.log file is full, Active Directory renames it to Edbnnnnn.log, where
nnnnn is an increasing number starting from 1.
• Edb.chk is a checkpoint file used by the database engine to track the data
that has not yet been written to the Active Directory database file. The checkpoint
file acts as a pointer that maintains the state between memory and the database file
on disk. It indicates the starting point in the log file from which information must
be recovered if a failure occurs.
• Res1.log and Res2.log: These are reserved transaction log files. The amount of
disk space reserved on a drive or folder for these logs is 20 MB. This reserved
disk space provides sufficient space to shut down cleanly if all the other disk space
is in use.

Q) What is the default running time of AD garbage collection process?

Garbage collection is a housekeeping process that is designed to free space within the
Active Directory database. In Windows 2000 and in the original release version of
Windows Server 2003, this process runs on every domain controller in the enterprise with
a default lifetime interval of 12 hours.

Q) What is Tombstone in AD?

When an object is deleted in Active Directory it becomes a tombstone; the tombstone is
used to replicate the deletion throughout the Active Directory environment.

Q) What are lingered objects?

Lingering objects are introduced by DCs/GCs that have been offline or have failed to
replicate for longer than the tombstone lifetime.
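The backup-age rule, tombstones and lingering objects are all one mechanism, so a single added example (not code from the page) covers the three answers above: it models two simplified DCs, deletes an object on one while the other is offline, garbage-collects expired tombstones, and shows that once the outage exceeds the tombstone lifetime the deletion can no longer replicate and the object lingers; the same lifetime bounds how old a restorable System State backup may be. The DC and object names are constructed.

```python
from dataclasses import dataclass, field

TSL_PRE_SP1 = 60    # days: Windows 2000 and Windows 2003 without SP1 (from the text)
TSL_SP1 = 180       # days: Windows 2003 with SP1


@dataclass
class Replica:
    """A much simplified domain controller: live objects plus tombstones."""
    name: str
    objects: set = field(default_factory=set)
    tombstones: dict = field(default_factory=dict)   # object -> day it was deleted

    def delete(self, obj, day):
        """Deleting turns the object into a tombstone that replicates the deletion."""
        self.objects.discard(obj)
        self.tombstones[obj] = day

    def garbage_collect(self, day, tsl):
        """Permanently remove tombstones whose lifetime has expired; returns them."""
        expired = [o for o, d in self.tombstones.items() if day - d >= tsl]
        for o in expired:
            del self.tombstones[o]
        return expired

    def replicate_from(self, source):
        """Inbound replication: apply every tombstone the source still holds."""
        for obj, day in source.tombstones.items():
            self.objects.discard(obj)
            self.tombstones.setdefault(obj, day)


def lingering_objects(replica, reference):
    """Objects the replica has that the reference DC neither has nor remembers."""
    return {o for o in replica.objects
            if o not in reference.objects and o not in reference.tombstones}


def backup_is_restorable(backup_day, today, tsl):
    """A System State backup is usable only while younger than the tombstone lifetime."""
    return today - backup_day < tsl


def simulate(offline_days, tsl=TSL_PRE_SP1):
    """svc-old is deleted on dc1 on day 0 while dc2 is offline for offline_days.

    Returns the set of lingering objects on dc2 after it replicates again.
    """
    dc1 = Replica("DC1", {"alice", "svc-old"})
    dc2 = Replica("DC2", {"alice", "svc-old"})
    dc1.delete("svc-old", day=0)
    dc1.garbage_collect(day=offline_days, tsl=tsl)   # runs on dc1 while dc2 is away
    dc2.replicate_from(dc1)
    return lingering_objects(dc2, dc1)


if __name__ == "__main__":
    print(simulate(30))    # set(): tombstone still present, deletion replicated
    print(simulate(90))    # {'svc-old'}: tombstone gone, object lingers on DC2
```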

Q) Why do we associate subnet information with sites in Active Directory Sites and
Services?

One of the major uses of the site topology is for clients to find their closest DC. That is
why subnet information must be associated with sites. Clients use their IP address to
determine which Active Directory subnet they belong to and subsequently which site. The
site information can then be used to determine the closest DC.

This information is also used during Active Directory replication to determine the best
routes between domain controllers.
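The client-side half of that lookup is a longest-prefix match of the client's address against the subnet objects and the sites they belong to. The following is an added example, not code from the page: it resolves constructed IPv4 and IPv6 client addresses to sites from a constructed subnet table, prefers the most specific subnet when subnets nest, and lists addresses that match no subnet at all, which is the case where a client cannot be steered to a nearby DC.

```python
import ipaddress

# Constructed subnet-to-site associations, as they would be entered under
# Active Directory Sites and Services; names and prefixes are illustrative only.
SUBNET_SITES = {
    "10.0.0.0/8":      "Default-First-Site-Name",
    "10.20.0.0/16":    "Branch-A",
    "10.20.5.0/24":    "Branch-A-Lab",      # nested: more specific than 10.20.0.0/16
    "192.168.1.0/24":  "DR-Site",
    "2001:db8:1::/48": "HQ-IPv6",
}


def site_for_ip(ip, subnet_sites=SUBNET_SITES):
    """Resolve a client address to its site by longest-prefix subnet match.

    Returns None when no configured subnet covers the address, which is the
    case in which a client cannot be directed to its closest DC.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnet_sites.items():
        net = ipaddress.ip_network(cidr)
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def unmapped_clients(ips, subnet_sites=SUBNET_SITES):
    """Client addresses that map to no site; candidates for new subnet objects."""
    return [ip for ip in ips if site_for_ip(ip, subnet_sites) is None]


if __name__ == "__main__":
    # Constructed client addresses, e.g. as seen in DC logon records.
    seen = ["10.20.5.77", "10.3.3.3", "172.16.0.1", "2001:db8:1::10"]
    for ip in seen:
        print(ip, "->", site_for_ip(ip))
    print("no site:", unmapped_clients(seen))
```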

Q) What is the port number used by site replication service?

TCP - 379
