Windows Admin Interview

This document discusses Active Directory (AD) and Domain Name System (DNS) concepts. It provides explanations of key AD components like the sysvol folder, AD database NTDS.DIT, and AD partitions. It also covers DNS zones like primary, secondary and stub zones. Other topics include File Replication Service (FRS), authoritative and non-authoritative restores, AD integrated DNS benefits, and common DNS record types. Administrative tools like NETDOM and REPADMIN are also explained.

Uploaded by sagarika Mane


1. What is the purpose of having AD?

Active Directory is a directory service that identifies all resources on a network (users, computers, groups, printers, services) and makes that information available to users and services. Its main purpose is to centralize authentication and authorization: the domain controllers hold the accounts and security principals, issue Kerberos tickets for them, and are what every member server consults when it decides who may access a network resource.
2. Explain about sysvol folder?
The sysvol folder stores the server's copy of the domain's public files. Its contents, the Group Policy templates (the file half of every GPO) and the logon, logoff, startup and shutdown scripts in the NETLOGON share, are replicated to all domain controllers in the domain. User and group objects are not in sysvol; they live in the directory database. The sysvol folder must be located on an NTFS volume, and because every domain member executes what it finds there, write access to it must stay restricted to domain administrators.
3. Explain Functions of Active Directory?
AD enables centralization in a domain environment. Its main functions are authenticating users and computers (Kerberos and NTLM), controlling access to network resources through security groups and ACLs, publishing resources such as shares and printers for lookup, and centrally applying configuration through Group Policy.
4. What is the name of AD database?
The AD database file is NTDS.DIT, an Extensible Storage Engine (ESE, also called JET Blue) database stored by default in %SystemRoot%\NTDS.
5. Explain briefly about AD Partition?
The Active Directory database is logically separated into directory partitions, also called naming contexts. Each partition is a unit of replication: a domain controller holds a full or partial replica of a partition and replicates it only with the other domain controllers that hold the same partition.
Schema Partition:
Only one schema partition exists per forest, and it is stored on every domain controller in the forest. It contains the definitions of all object classes and attributes that can be created in the directory, and the rules for creating and manipulating them. Schema changes are replicated to all domain controllers in the forest.
Configuration Partition:
There is only one configuration partition per forest, stored on every domain controller in the forest. It describes the forest-wide Active Directory structure: which domains and sites exist, which domain controllers exist in each domain, the replication topology, and which services are available. Configuration information is replicated to all domain controllers in the forest.
Domain Partition:
There is one domain partition per domain, so a forest has as many domain partitions as it has domains. A domain partition is stored on every domain controller of that domain and contains that domain's users, groups, computers and organizational units. It is replicated only to the domain controllers of that domain; in addition, every object in every domain partition of the forest is held in the global catalog, but with only a subset of its attributes (the partial attribute set).
Application Partition:
Application partitions store application-specific data in Active Directory; each application decides how it stores, categorizes and uses that data. To avoid replicating the data to domain controllers that do not need it, you designate which domain controllers in the forest host each application partition. Unlike a domain partition, an application partition cannot store security principal objects such as user accounts, and its data is not held in the global catalog. The DomainDnsZones and ForestDnsZones partitions that hold Active Directory-integrated DNS zones are the most common examples.
6. Explain different zone involved in DNS Server?
DNS zones come in two directions: forward lookup zones (name to address, holding A and other records) and reverse lookup zones (address to name, under in-addr.arpa, holding PTR records). A zone of either kind can be hosted on a server in one of three roles:
Primary zone:
The read-write copy of the zone data. Changes are made here, by administrators or by dynamic update, and propagate from here to the other copies.
Secondary Zone:
A read-only copy pulled from the primary (or from another secondary) by zone transfer. It provides fault tolerance and load sharing and answers authoritatively for the zone.
Stub zone:
Also read-only, but it holds only the SOA record, the NS records of the name servers authoritative for the zone, and the A (glue) records of those name servers. It tells the server where to send queries for a delegated or remote zone without copying the whole zone.
7. Explain Briefly about Stub Zone?
A stub zone is read-only like a secondary zone, so administrators cannot manually add, remove, or modify resource records in it. The difference is scope: a secondary zone holds copies of all the resource records of the zone on the master name server, while a stub zone holds only three kinds of records:
• A copy of the SOA record for the zone.
• Copies of the NS records for all name servers authoritative for the zone.
• Copies of the A records for those name servers.
The stub zone refreshes these from the master at the SOA refresh interval, so delegation information stays current without manual edits.
8. Explain File Replication Service (FRS).
File Replication Service (FRS) is the Microsoft service that replicates the contents of the SYSVOL shared folder between domain controllers, and the contents of Distributed File System (DFS) replicas, following the Active Directory replication topology and schedule. It is part of the Active Directory infrastructure in Windows 2000 and Windows Server 2003. From Windows Server 2008 onward SYSVOL can be replicated by DFS Replication (DFSR) instead, the migration being done with dfsrmig.exe, and Windows Server 2019 and later domain controllers require DFSR.
9. What is authoritative and non-authoritative restore?

(Source: Windows Administrator L2 Interview Question - System Administrator, http://www.systemadministrator.in/index.php/interview-questions/225-windows-administrator-l2-inter..., retrieved 3/13/2014 4:10 PM)

Nonauthoritative restore:
When a nonauthoritative restore is performed, Active Directory is restored from backup media on the domain controller, and the restored data is then brought up to date by normal replication from the other domain controllers: anything newer on the replication partners, including deletions, overwrites the restored copy. This is the default way to restore System State data to a domain controller.
Authoritative restore:
In an authoritative restore, the restored Active Directory data is marked as authoritative as of the last backup, so that it wins over the copies on the other domain controllers instead of being overwritten by them. This method is typically used to recover Active Directory objects that were deleted in error. It is performed by first doing a nonauthoritative restore with the domain controller in Directory Services Restore Mode, then running the Ntdsutil utility before restarting the server normally. With Ntdsutil you mark the objects or subtree that are to be authoritative; Ntdsutil raises their version numbers so that, when replication resumes, the other domain controllers accept the restored objects and the deletions are not replicated back. Mark only what you need: marking the whole database authoritative also rolls back every legitimate change made since the backup.
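The authoritative-restore step described above, written out as the ntdsutil invocation run on the restored DC while it is still in Directory Services Restore Mode, followed by the Active Directory Recycle Bin alternative that avoids a backup restore altogether. This is an added example, not from the original Q&A; the OU distinguished name and the object name are assumptions.

```powershell
# Added example: authoritative restore of one OU subtree with ntdsutil.
# Run on the restored DC while still in Directory Services Restore Mode (DSRM),
# after the non-authoritative restore of System State and BEFORE a normal reboot.
# The OU DN below is an assumption for illustration.
$subtree = 'OU=Sales,DC=corp,DC=example'

# ntdsutil accepts its interactive commands as quoted arguments.
# "restore subtree" raises the version number of every object under the OU
# (by 100000 per day since the backup) so replication partners accept the
# restored copies instead of replicating the deletions back onto this DC.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $subtree" quit quit

# For a single object use "restore object <DN>" instead (object name assumed):
# ntdsutil "activate instance ntds" "authoritative restore" "restore object CN=Jane Doe,$subtree" quit quit

# Caveat: on Windows Server 2003 SP1 and later, ntdsutil also writes ar_*.txt and ar_*.ldf
# files (back-links such as group memberships held in other domains); import the .ldf in each
# affected domain after replication with:  ldifde -i -k -f <ar_file>.ldf

# Where the forest has the Active Directory Recycle Bin enabled (Windows Server 2008 R2 forest
# functional level or later), accidental deletions need no backup at all:
if ((Get-ADOptionalFeature 'Recycle Bin Feature').EnabledScopes) {
    Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $subtree } -IncludeDeletedObjects |
        Restore-ADObject
}
```

The Recycle Bin path restores the objects with their link-valued attributes intact, which is why it is preferred wherever the forest functional level allows it; the ntdsutil path remains the only option for data older than the deleted-object lifetime or for forests that have not enabled the feature.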
10. What is the replication protocol involved in replication from PDC and ADC?
Remote Procedure Call (RPC) over IP is used for all intrasite replication and, by default, for intersite replication as well. Simple Mail Transfer Protocol (SMTP) may be used for intersite replication between domain controllers of different domains, but only for the schema, configuration and application partitions; the domain partition (and SYSVOL, whose FRS replication follows it) cannot be replicated over SMTP. SMTP replication also requires an enterprise certification authority so that the messages can be signed and encrypted, and it is deprecated in current versions of Windows Server. ("PDC" and "ADC" here are informal names for the first and additional domain controllers; in Active Directory all writable domain controllers are peers.)
11. What are the benefits of AD integrated DNS?
Advantages that Active Directory-integrated zones have over standard (file-backed) primary zones:
• Zone data is replicated by Active Directory replication, using the existing AD replication topology and schedule, so no separate zone-transfer configuration is needed and updates reach all copies quickly.
• Every domain controller that hosts the zone has a writable copy (multimaster), so there is no single primary server whose loss stops dynamic updates.
• The zone inherits Active Directory security: records are directory objects with ACLs, and dynamic updates can be set to "Secure only", so that only the authenticated computer that owns a record can change it. File-backed zones offer only "None" or "Nonsecure and secure", and the latter lets anyone who can reach the server overwrite any record.
• DNS namespaces and Active Directory domains are managed together, which reduces administrative overhead.
• New domain controllers that run DNS receive the zones automatically through replication; the replication scope can be all DNS servers in the domain (DomainDnsZones), all DNS servers in the forest (ForestDnsZones), or all domain controllers in the domain for Windows 2000 compatibility.

12. Explain some types of DNS records?

A record: maps a host name to an IPv4 address (an AAAA record does the same for IPv6).
PTR record: maps an IP address, written as a name under in-addr.arpa, back to a host name; it lives in the reverse lookup zone.
NS record: names a DNS server that is authoritative for the zone; the set of NS records defines the zone's name servers and its delegations.
MX record: names a mail exchanger that accepts mail for the domain, with a preference value; sending MTAs try the lowest preference first.
SOA record: the Start of Authority, one per zone, carrying the primary server, the serial number, and the refresh, retry and expire timers that secondaries follow.
SRV record: locates a service by priority, weight, port and target host; Active Directory clients find domain controllers through the _ldap._tcp and _kerberos._tcp SRV records under _msdcs.
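The record types described above, queried with the DnsClient module so the answer fields of each type can be seen, plus the forward-confirmed reverse DNS check that ties A and PTR records together. This is an added example and not part of the original page; the zone name, resolver and addresses are assumptions.

```powershell
# Added example: one query per record type with Resolve-DnsName (DnsClient module, Windows 8/2012+).
# Zone, resolver and address values are assumptions for illustration.
Import-Module DnsClient

$zone = 'corp.example'
$dns  = 'dc01.corp.example'   # resolver to ask; assumed

# A: name -> IPv4 address
Resolve-DnsName -Name "www.$zone" -Type A -Server $dns | Select-Object Name, Type, IPAddress, TTL
# NS: authoritative name servers of the zone
Resolve-DnsName -Name $zone -Type NS -Server $dns | Select-Object Name, Type, NameHost
# MX: mail exchangers, lowest Preference tried first
Resolve-DnsName -Name $zone -Type MX -Server $dns | Select-Object Name, Type, NameExchange, Preference
# SRV: how domain members find a domain controller; an AD domain stops working without these
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV -Server $dns |
    Select-Object Name, NameTarget, Port, Priority, Weight
# PTR: the address is turned into its in-addr.arpa name automatically
Resolve-DnsName -Name 10.0.0.5 -Type PTR -Server $dns | Select-Object Name, Type, NameHost

# Forward-confirmed reverse DNS: the A record of the PTR target must point back at the address.
# Mail servers and log correlation rely on this; a mismatch is the usual sign of a stale or planted record.
function Test-FcrDns {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$Server
    )
    $srv = @{}; if ($Server) { $srv.Server = $Server }   # splat so -Server is omitted when not given
    $ptr = Resolve-DnsName -Name $IPAddress -Type PTR @srv -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'PTR' | Select-Object -First 1
    if (-not $ptr) {
        return [pscustomobject]@{ IPAddress = $IPAddress; PtrName = $null; Confirmed = $false }
    }
    $back = Resolve-DnsName -Name $ptr.NameHost -Type A @srv -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{
        IPAddress = $IPAddress
        PtrName   = $ptr.NameHost
        Confirmed = [bool]($back -contains $IPAddress)
    }
}

Test-FcrDns -IPAddress 10.0.0.5 -Server $dns
```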
13. How many tables are there in NTDS.DIT?
The Active Directory ESE database, NTDS.DIT, consists of the following tables:
Schema table:
The types of objects that can be created in Active Directory, the relationships between them, and the optional and mandatory attributes of each type of object. This table is fairly static and much smaller than the data table.
Link table:
Linked attributes, that is, attributes whose values refer to other objects in Active Directory. Take the memberOf attribute on a user object: its values reference the groups to which the user belongs, and they are stored here as links from each group's member attribute rather than as columns in the data table. This table is also far smaller than the data table.
Data table:
Users, groups, application-specific data, and any other data stored in Active Directory. Think of it as rows, each representing an instance of an object such as a user, and columns, each representing an attribute in the schema such as Given Name.
Windows Server 2003 added a fourth table, the SD table, which stores each distinct security descriptor once and lets objects reference it instead of repeating identical descriptors in the data table.
Because the data table also holds every account's password hashes (encrypted with a key that the SYSTEM registry hive unlocks), a copy of NTDS.DIT together with the SYSTEM hive is equivalent to every credential in the domain. Backups, VSS snapshots and "install from media" exports of the database need the same protection as the domain controllers themselves.
14. What is the purpose of the command NETDOM?
NETDOM is a command-line tool for managing Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, renaming or moving computers, verifying and resetting trusts and machine secure channels, and querying which domain controllers hold the FSMO roles (netdom query fsmo).
15. What is REPADMIN?
REPADMIN is the command-line tool for diagnosing Active Directory replication between domain controllers. Administrators use it to view the replication topology as seen from each domain controller (inbound partners, "RepsFrom", and outbound partners, "RepsTo"), to force replication, to see per-partner failures and the time since the last success (repadmin /replsummary, repadmin /showrepl), to inspect an object's replication metadata (repadmin /showobjmeta), and to detect or remove lingering objects.
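The checks a practitioner actually types with the two tools described above, wrapped in PowerShell so the CSV output of repadmin can be filtered for failing links. This is an added example, not from the original page; the domain, partner-domain, host and DC names are assumptions, and both tools require the RSAT tools and an elevated prompt.

```powershell
# Added example: NETDOM and REPADMIN health checks. Names below are assumptions.
$domain = 'corp.example'

# --- NETDOM ---
netdom query fsmo                                        # which DC holds each FSMO role
netdom query trust                                       # trusts this domain participates in
netdom trust $domain /domain:partner.example /verify     # verify the trust secret and secure channel (partner domain assumed)
netdom verify ws01 /domain:$domain                       # verify a member computer's secure channel to a DC (host assumed)
# netdom resetpwd /server:dc01 /userd:$domain\admin /passwordd:*   # reset a DC's own machine account password; run ON that DC

# --- REPADMIN ---
repadmin /replsummary                                    # per-DC summary: largest delta, fails/total
repadmin /showrepl dc01                                  # inbound partners (RepsFrom) of one DC, last attempt and result
repadmin /showrepl dc01 /repsto                          # its outbound partners (RepsTo)

# Parse the CSV form to list every failing inbound link in the forest.
# Columns as emitted by repadmin: "Destination DSA", "Source DSA", "Naming Context",
# "Number of Failures", "Last Failure Time", "Last Failure Status", ...
function Get-FailedReplicationLinks {
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

Get-FailedReplicationLinks | Format-Table -AutoSize
```

A non-empty result from Get-FailedReplicationLinks, or a "largest delta" in /replsummary approaching the tombstone lifetime, is the point at which lingering objects start to become a risk.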

1)      Explain what is Windows Server?

Windows Server is the series of server operating systems developed by Microsoft Corporation.

2)      Explain in windows DNS server what is Primary, Secondary and Stub zone?

In Windows DNS server,

• Primary Zone: The read-write copy of the zone. A standard primary zone is saved as a plain text file named <zone>.dns under %SystemRoot%\System32\dns; an Active Directory-integrated primary zone is stored in the directory instead and replicated with it.
• Secondary Zone: A read-only copy of the zone database on another DNS server, kept current by zone transfer. It gives the primary server fault tolerance and load sharing.
• Stub Zone: Holds only the SOA, NS and glue A records of the zone's name servers, refreshed from the master, so the server can send queries for that zone straight to its authoritative servers instead of walking the delegation from the root.
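The three zone types of questions 6, 7 and 2 above, and the Active Directory-integrated zone of question 11, created with the DnsServer module, with the weak setting a reviewer flags placed next to its corrected form and an audit function at the end. This is an added example and not the page's own material; zone names, master addresses and secondary addresses are assumptions.

```powershell
# Added example: creating primary, secondary and stub zones with the DnsServer module
# (Windows Server 2012+). Zone names and IP addresses are assumptions.
Import-Module DnsServer

# AD-integrated primary zone: stored in the DomainDnsZones application partition, replicated by AD,
# and "Secure" dynamic update means only the authenticated computer that owns a record may change it.
Add-DnsServerPrimaryZone -Name 'corp.example' -ReplicationScope Domain -DynamicUpdate Secure

# The weak variant: a file-backed primary zone cannot do secure updates, so if updates are on at all
# anyone who can reach UDP/53 may overwrite any record. This is the setting to look for.
Add-DnsServerPrimaryZone -Name 'legacy.example' -ZoneFile 'legacy.example.dns' -DynamicUpdate NonsecureAndSecure
# Correction: convert it to AD-integrated, then require secure updates.
ConvertTo-DnsServerPrimaryZone -Name 'legacy.example' -ReplicationScope Domain -Force
Set-DnsServerPrimaryZone -Name 'legacy.example' -DynamicUpdate Secure

# Secondary zone: read-only copy pulled from a master by zone transfer (AXFR/IXFR).
Add-DnsServerSecondaryZone -Name 'partner.example' -ZoneFile 'partner.example.dns' -MasterServers 192.0.2.10

# Stub zone: only SOA, NS and the name servers' glue A records, refreshed from the master.
Add-DnsServerStubZone -Name 'branch.example' -MasterServers 192.0.2.20 -ReplicationScope Domain

# A zone transfer hands a complete host inventory to whoever asks. Restrict transfers of primary zones
# to the listed secondaries; "TransferAnyServer" is the value to flag in an audit.
Set-DnsServerPrimaryZone -Name 'corp.example' -SecureSecondaries TransferToSecureServers -SecondaryServers 192.0.2.11

# Audit: primary zones whose transfers are open to anyone or whose dynamic updates are not secure.
function Get-WeakDnsZones {
    Get-DnsServerZone |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate, SecureSecondaries,
            @{ n = 'Weak'; e = { $_.DynamicUpdate -eq 'NonsecureAndSecure' -or $_.SecureSecondaries -eq 'TransferAnyServer' } } |
        Where-Object Weak
}

Get-WeakDnsZones | Format-Table -AutoSize
```

Get-DnsServerZone returns the same IsDsIntegrated, DynamicUpdate and SecureSecondaries fields for every zone, so the audit function is the quickest way to answer question 11 for a real server: a zone with IsDsIntegrated false and DynamicUpdate NonsecureAndSecure has none of the security benefits listed there.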
3)      Explain what does IntelliMirror do?

IntelliMirror is the set of Windows 2000/2003 features (roaming user data and settings, Offline Files, and Group Policy software installation) that keeps a user's desktop settings, applications and files available and consistent, especially for users who move between workstations or work offline.

4)      In the case when MSI file is not available, how you can install an app?

Group Policy Software Installation can publish the application with a ZAP text file instead of a Windows Installer (.msi) package. A ZAP file only points at the application's own setup program, so such applications can be published to users (installed on demand from Add/Remove Programs) but not assigned, and they do not get Windows Installer's elevated installation, self-repair or clean removal.

5)      Explain how you can set up remote installation procedure without giving access to user?

In the Group Policy editor, open the GPO and go to:

User Configuration → Windows Settings → Remote Installation Services → Choice Options

and restrict which setup options (Automatic Setup, Custom Setup, Restart Setup, Tools) the user is allowed to see during a Remote Installation Services client install.

6)      What does it mean by “tattooing” the Registry ?

“Tattooing” the registry means that a setting written as a user or computer preference, outside the policy-managed portions of the registry (the Policies keys), persists after the Group Policy that set it is changed or removed. True policy settings are rewritten on every refresh and cleared when the GPO no longer applies; tattooed preferences stay until something else changes them.

7)      Mention how many types of queries DNS does?

The types of queries DNS does are

• Iterative Query: the server answers with the best information it has, either the answer or a referral to name servers closer to the authority, and the client continues the resolution itself.
• Recursive Query: the client asks the server for a complete answer, and the server performs the iterative queries on the client's behalf, caching what it learns.

8)      Explain what is the primary function of the domain controller?

The primary function of a domain controller is to authenticate users and computers to the domain (Kerberos and NTLM); it also holds a writable copy of the directory and provides a catalog of Active Directory objects for lookups.
9)      What information is required when TCP/IP is configured on Window Server?

To configure a TCP/IP client for IPv4 you must provide at least an IP address and a subnet mask; a default gateway is required to reach other subnets, and a DNS server address is required for name resolution (and for a domain member to locate its domain controllers).

10)   Explain what does it mean caching only server in terms of DNS?

A caching-only DNS server hosts no zones and is authoritative for nothing; it resolves queries recursively (or through forwarders) and answers later queries for the same names from its cache until the records' TTLs expire.

11)   Explain what is the way to configure the DHCP server such that it allocates the same IP
address to certain devices each time the address is renewed?

Create a reservation for the device on the DHCP server. A reservation requires the device's MAC (hardware) address, which you can find on the device itself with ipconfig /all or getmac, or from another machine with nbtstat -a <name> or arp -a after contacting it.

12)     Explain what is LDAP?

LDAP, the Lightweight Directory Access Protocol, is the Internet-standard protocol that clients (e-mail programs, applications, and Windows itself) use to look up and modify information held in a directory service such as Active Directory. It defines how a client binds to the server, searches a subtree with a filter, and reads or writes entries and their attributes. Active Directory listens for LDAP on TCP 389 (3268 for the global catalog) and for LDAP over TLS on 636 (3269).

13)   Explain what is SYSVOL folder?

SYSVOL is the set of files and folders stored on the local disk of each domain controller in a domain and replicated between them by FRS (File Replication Service) or, from Windows Server 2008, by DFS Replication. It holds the Group Policy templates (the file part of each GPO) and the logon, logoff, startup and shutdown scripts, and is shared as \\<domain>\SYSVOL and NETLOGON.

14)   Explain what is the difference between a thread and a computer process?

Computer Process: In computing, a process is a running instance of a program, with its own virtual address space, handles and security context. An operating system can run several processes concurrently.

Thread: A thread is the unit of execution within a process; a process has one or more threads that share its address space and resources and run concurrently. For instance, one thread might display an error message to the user, another might handle error signals, while a third continues the original work.

15)   Explain what is INODE?

An inode is the data structure that holds a file's metadata (owner, permissions, timestamps, size, and the pointers to the disk blocks holding its data) on UNIX-like file systems; the file's name is not in it. Each inode has a number that is unique within its file system, and directory entries map names to inode numbers.

16)   Explain what is RAID in Windows Server?

RAID (Redundant Array of Independent Disks) combines several physical disks into one logical volume, accessed through a single drive letter, to gain fault tolerance (mirroring or parity, so the volume survives a disk failure), capacity, or performance (striping). Windows Server offers software RAID-0 (striped), RAID-1 (mirrored) and RAID-5 (striped with parity) volumes on dynamic disks; RAID-0 provides no redundancy at all.

17)   Explain what is the purpose of deploying local DNS servers?

A local DNS server resolves the fully qualified domain names of hosts on your own network to their IP addresses without depending on an outside resolver, and, when it is authoritative for your zones, answers remote DNS servers' queries about your names.

18)   To check TCP/IP configurations and IP connectivity, what are the two command line
utilities that can be used?
Ipconfig: shows the computer's IP configuration (ipconfig /all for full detail) and, when the address comes from a DHCP server, renews or releases it (ipconfig /renew, ipconfig /release); ipconfig /flushdns clears the resolver cache.
Ping: checks connectivity between the local computer and any other host on the network by sending ICMP echo requests and timing the replies.
 
19)   Explain if it is possible to connect Active Directory to other 3rd party Directory services?

Yes. Other vendors' directory services can be connected to Active Directory through LDAP, which they all speak, or through a synchronization product such as Novell's DirXML or Microsoft's own Identity Integration Server.

20)   Explain where is the AD database is held?

The AD database is kept in %SystemRoot%\NTDS by default. The files that make up the database and its transaction log are:

• ntds.dit: the database itself
• edb.log: the current transaction log
• res1.log and res2.log: reserved log files (before Windows Server 2008), kept so the database can shut down cleanly if the disk fills
• edb.chk: the checkpoint file, recording which log entries have already been written to the database

Only SYSTEM and Administrators have access to this folder, and it should stay that way: the database holds the domain's password hashes.
21)   Explain what is the major difference between NTFS ( New Technology File System) or
FAT (File Allocation Table) on a local server?

FAT and FAT32 have no file-level security at all: any user who can log on to the machine can read and write any file. NTFS stores an access control list on every file and folder, so permissions can be granted to local and domain users and groups, and it also provides auditing, encryption (EFS), compression, quotas and a journal that protects the file system's metadata.

22)   Mention what windows server 2008 service is used to install client operating system over
the network?

WDS (Windows Deployment Services) installs client and server operating systems over the network to any computer with a PXE-enabled network interface.

System Administrator - Who works 24/7 administering both Wintel and VMware technical support.

Windows: Interview Q & A: L1 & L2 Interview question - January 19, 2015
Active Directory

Active Directory is a centralized and standardized system, stores information about objects
in a network and makes this information available to users and network administrators.

Domain Controller

In an Active Directory forest, the domain controller is a server that contains a writable copy
of the Active Directory database, participates in Active Directory replication, and controls
access to network resources.

Global catalog server

A global catalog server is a domain controller that stores information about every object in the forest. Like all domain controllers it holds full, writable replicas of the schema and configuration partitions and of the domain partition of its own domain. In addition, it holds a partial, read-only replica of every other domain partition in the forest. These partial replicas let a search of the whole directory be answered without referrals from one domain controller to another. "Partial" means only the attributes in the partial attribute set (PAS), those marked in the schema as replicated to the global catalog, such as first name, last name, telephone numbers and addresses. Windows Server 2003 improved this: adding an attribute to the PAS no longer forces a full resynchronization of every global catalog. Global catalog servers answer forest-wide LDAP queries on port 3268 (3269 over TLS).
OU:

Organizational Units are administrative containers within a domain. They let administrators group users, computers and other objects so that Group Policy can be linked to them and administrative control over them can be delegated, making changes, permission grants and other administrative tasks more efficient.

Domain:
Windows Domain is a logical grouping of computers that share common security and user
account information.

Forest
A Windows forest is a group of one or more trusted Windows trees. The trees do not need to
have contiguous DNS names. A forest shares a schema and global catalog servers. A single
tree can also be called a forest.

Tree:
A Windows tree is a group of one or more trusted Windows domains with contiguous DNS
domains. “Trusted” means that an authenticated account from one domain isn’t rejected by
another domain. “Contiguous DNS domains” means that they all have the same root DNS
name.

Site:
Sites are manually defined groupings of one or more IP subnets that are well connected (LAN speed). Domain controllers in a site replicate with each other frequently and without compression, clients prefer domain controllers and global catalog servers in their own site, and a GPO can be linked to a site so that it applies to every computer located there.
Schema:

The schema defines what attributes, objects, classes, and rules are available in the Active Directory.

SID (Security Identifier):

The SID is a unique, variable-length binary identifier assigned to a security principal such as a user, group or computer, and used in access control lists in place of the name. It is usually displayed in string form, for example S-1-5-21-<domain identifier>-<relative ID>. Names can be changed; the SID never changes for the life of the object.

Group Policy

Group Policy objects (GPO):

A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object consisting of a Group Policy container (GPC) in Active Directory and a Group Policy template (GPT) in SYSVOL.
For example, the password history setting (Enforce password history) lives under
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
and, like all account policy settings, takes effect for domain accounts only when set in a GPO linked to the domain (the Default Domain Policy by default).
Group Policy Container (GPC)

The Group Policy container (GPC) is an Active Directory container that contains GPO
properties, such as version information, GPO status, plus a list of other component settings.

Group Policy Template (GPT)

The Group Policy template (GPT) is the file-system part of a GPO: a folder named after the GPO's GUID under \\<domain>\SYSVOL\<domain>\Policies\ that holds the Administrative Template (registry.pol) settings, the security settings (GptTmpl.inf), script files, and information about applications available for software installation, plus a GPT.INI whose version number must match the GPC's versionNumber attribute before clients will apply the policy.
Filtering the Scope of a GPO
By default, a GPO affects all users and computers in the site, domain, or organizational unit it is linked to, because Authenticated Users is granted Read and Apply Group Policy on every new GPO. The administrator can narrow this to particular computers and users through security group membership: grant the chosen groups Read and Apply Group Policy and remove (or deny) Apply Group Policy for everyone else, using the Security Filtering list or the Delegation tab (the Access Control List editor) of the GPO. Starting with Windows 2000, both computers and users can be members of security groups, so either kind can be filtered this way. Caveat: since the MS16-072 update (June 2016) user settings are retrieved with the computer account's identity, so Authenticated Users or Domain Computers must keep Read on the GPO; removing Read entirely makes the GPO silently stop applying to users.
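The GPC/GPT pair and the security filtering described in the sections above, inspected and applied with the GroupPolicy and ActiveDirectory modules. This is an added example rather than the page's own material; the GPO and group names are assumptions.

```powershell
# Added example: inspect the GPC/GPT pair of one GPO, then filter its scope by security group.
# GPO and group names are assumptions. Requires the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy, ActiveDirectory

$gpoName = 'Workstation Hardening'        # assumed GPO
$gpo     = Get-GPO -Name $gpoName
$domain  = Get-ADDomain

# GPC: the AD object, named after the GPO's GUID, under CN=Policies,CN=System in the domain partition.
$gpc = Get-ADObject -Identity "CN={$($gpo.Id)},CN=Policies,CN=System,$($domain.DistinguishedName)" `
                    -Properties versionNumber, gPCFileSysPath, flags

# GPT: the SYSVOL folder the GPC points at; GPT.INI carries the file-side version number.
$gptIni     = Get-Content -Path (Join-Path $gpc.gPCFileSysPath 'GPT.INI')
$gptVersion = [int](($gptIni | Where-Object { $_ -like 'Version=*' }) -replace '^Version=', '')

# versionNumber packs the user-side version in the high 16 bits and the computer side in the low 16.
# Clients refuse a GPO whose AD and SYSVOL versions differ, so a mismatch means SYSVOL replication lags AD.
[pscustomobject]@{
    Name            = $gpo.DisplayName
    Id              = $gpo.Id
    GpcDn           = $gpc.DistinguishedName
    GptPath         = $gpc.gPCFileSysPath
    GpcVersion      = $gpc.versionNumber
    GptVersion      = $gptVersion
    UserVersion     = $gpc.versionNumber -shr 16
    ComputerVersion = $gpc.versionNumber -band 0xFFFF
    VersionsInSync  = ($gpc.versionNumber -eq $gptVersion) -and
                      ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion) -and
                      ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion)
}

# Security filtering: apply the GPO only to members of one group.
# Authenticated Users is lowered from Apply to Read rather than removed: since MS16-072 (June 2016)
# user settings are fetched in the computer's security context, and a GPO the computer cannot read
# silently stops applying.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpoName -TargetName 'Hardened Workstations' -TargetType Group -PermissionLevel GpoApply   # assumed group
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission
```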

Knowledge Consistency Checker (KCC)

The Knowledge Consistency Checker (KCC) is a Windows component that automatically


generates and maintains the intra-site and inter-site replication topology.

Intrasite Replication

Replication between domain controllers inside one site. All subnets in a site are assumed to be connected by fast, reliable links, so intrasite replication is uncompressed, runs over RPC, and starts shortly after a change (15 seconds' notification delay by default on Windows Server 2003).

Intersite Replication

Replication between sites. It must be set up by an administrator through site links (each with a cost, a schedule and a replication interval), is compressed, and normally uses RPC over IP. SMTP may be used between sites only for the schema, configuration and application partitions, never for the domain partition, and it requires a certification authority for signing and encrypting the messages.

Active Directory Replication?


Replication must often occur both (intrasite) within sites and (Intersite) between sites to
keep domain and forest data consistent among domain controllers that store the same
directory partitions
Adprep.exe
Adprep.exe is a command-line tool used to prepare a Windows 2000 forest (adprep /forestprep, run on the schema master) and each Windows 2000 domain (adprep /domainprep, run on the infrastructure master) for the installation of Windows Server 2003 domain controllers.

Example of a conflict it detects:
When Microsoft Exchange Server is deployed in an organization, Exchange Server uses Active Directory as a data store and extends the Windows 2000 Active Directory schema to store objects specific to Exchange Server. The ldapDisplayName values of the attributes ms-Exch-Assistant-Name, ms-Exch-LabeledURI and ms-Exch-House-Identifier defined by Exchange Server conflict with the iNetOrgPerson schema that Active Directory uses in Windows Server 2003. From Windows Server 2003 Service Pack 1, Adprep.exe detects this schema conflict and blocks the schema upgrade until the issue has been resol
ved.

GUID:
When a new domain user or group account is created, Active Directory stores the account's
SID in the Object-SID (objectSID) property of a User or Group object. It also assigns the
new object a globally unique identifier (GUID), which is a 128-bit value that is unique not
only in the enterprise but also across the world. GUIDs are assigned to every object created
by Active Directory, not just User and Group objects. Each object's GUID is stored in its
Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects.

SID:
A security identifier (SID) is a data structure in binary format that contains a variable
number of values. When a DC creates a security principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the
same for all SIDs created in a domain), and a relative ID (RID) that is unique for each
security Principal SID created in a domain.

Lingering objects

When a domain controller is disconnected for longer than the tombstone lifetime (TSL; 60 days by default in Windows 2000 and 2003, 180 days in forests created with Windows Server 2003 SP1 or later), objects that were deleted from Active Directory on all other domain controllers may still exist on the disconnected domain controller. Such objects are called lingering objects: because the domain controller was offline for the whole time the tombstone existed, it never received the replication of the tombstone, and when it reconnects it can reintroduce the deleted object (or, under strict replication consistency, inbound replication from it is blocked and event 1988 is logged). They are found and removed with repadmin /removelingeringobjects, whose /advisory_mode switch only reports them.

Sysvol

Sysvol is a shared directory that stores the server copy of the domain's public files, replicated among all domain controllers in the domain. It contains the file-system half of every GPO, the GPT, which includes Administrative Template-based Group Policy settings, security settings, script files, and information about applications available for software installation, and the NETLOGON share with logon scripts. It is replicated by the File Replication Service (FRS) in Windows 2000 and 2003, and by DFS Replication in domains migrated with dfsrmig or created at the Windows Server 2008 domain functional level or higher. Because every domain member runs what it finds there, write access to Sysvol is equivalent to code execution on every computer in the domain; only domain administrators (and Group Policy Creator Owners, for their own GPOs) should be able to modify it.
File Replication Service (FRS)

In Windows 2000 and Windows Server 2003, the SYSVOL share holds the Group Policy templates and logon scripts that every domain member reads at logon and at policy refresh, and File Replication Service (FRS) replicates the SYSVOL share to all domain controllers. (SYSVOL is not itself used to authenticate users.) FRS follows the Active Directory replication topology and schedule, which are managed in Active Directory Sites and Services, not in Active Directory Users and Computers.

Win logon

A component of the Windows operating system that provides interactive logon support,
Winlogon is the service in which the Group Policy engine runs.

Lightweight Directory Access Protocol (LDAP)

LDAP defines how clients and servers exchange information about a directory. Windows 2000 Server's Active Directory supports LDAP version 2 and version 3. An LDAP URL names the server holding the Active Directory service and the distinguished name of the object, for example:

LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN=Division,DC=myco,DC=domain-controller

USN

Every domain controller keeps its own Update Sequence Number (USN), a 64-bit counter that it increments for every change written to its copy of the directory. Each object and attribute records the local USN of its last change on that domain controller and the originating USN on the domain controller where the change was made; the same change therefore has a different local USN on each domain controller. Replication partners use these USNs (a high-watermark per partner and the up-to-dateness vector) to request only the changes they have not yet seen, which is what lets multimaster replication work without relying on synchronized clocks.
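The per-attribute USNs and version numbers described above, read with the ActiveDirectory module's replication-metadata cmdlet; the same data is what an investigator uses to establish when, and from which domain controller, a sensitive attribute such as a group's membership was changed. This is an added example and not from the original page; the group name is the real built-in group, the choice of the PDC emulator as the server to query is an assumption.

```powershell
# Added example: replication metadata (USNs, versions, originating DC) of one object.
# Querying the PDC emulator is an assumption; any DC holding the partition works.
Import-Module ActiveDirectory

$group = Get-ADGroup 'Domain Admins'
$dc    = (Get-ADDomain).PDCEmulator

# Per-attribute metadata. LocalChangeUsn differs from DC to DC for the same change;
# LastOriginatingChangeUsn and the originating DC identity are the same everywhere.
Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $dc |
    Where-Object AttributeName -in 'member', 'adminCount', 'nTSecurityDescriptor' |
    Select-Object AttributeName, Version, LocalChangeUsn, LastOriginatingChangeUsn,
                  LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize

# Linked-value metadata answers "who was added or removed, when, and from which DC" per member;
# a non-empty LastOriginatingDeleteTime marks a member that has since been removed.
function Get-GroupMembershipHistory {
    param([Parameter(Mandatory)][string]$GroupDn, [Parameter(Mandatory)][string]$Server)
    Get-ADReplicationAttributeMetadata -Object $GroupDn -Server $Server -ShowAllLinkedValues |
        Where-Object AttributeName -eq 'member' |
        Select-Object AttributeValue, Version, LastOriginatingChangeTime, LastOriginatingDeleteTime,
                      LastOriginatingChangeDirectoryServerIdentity |
        Sort-Object LastOriginatingChangeTime -Descending
}

Get-GroupMembershipHistory -GroupDn $group.DistinguishedName -Server $dc | Format-Table -AutoSize

# The DC's own counter, the value every local USN above is measured against.
(Get-ADRootDSE -Server $dc).highestCommittedUSN
```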

Universal group membership caching

Because of limited network bandwidth and server hardware, it may not be practical to place a global catalog in a smaller branch office site. For such sites you can enable universal group membership caching on the site, so that the Windows Server 2003 domain controllers there cache each user's universal group memberships after the first logon and can log users on afterwards without contacting a global catalog. By default the cached membership information on each domain controller is refreshed every 8 hours from a global catalog in the configured refresh site, updating up to 500 universal group memberships per refresh. Universal groups cannot be created in Windows 2000 mixed mode.

What is an ACL or access-control list?

 A list of security protections that applies to an object. (An object can be a file, process, event, or anything
else having a security descriptor.)

What is an ACE or access-control entry?

 ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the
rights are allowed, denied, or audited.
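The ACL and ACE concepts above, read from an Active Directory object through the AD: drive, followed by the check a reviewer makes: which trustees hold rights that amount to control of the object. This is an added example, not from the original page; the OU distinguished name and the list of expected privileged principals are assumptions.

```powershell
# Added example: list the ACEs on an AD object and flag control rights held by unexpected trustees.
# The OU DN and the "expected" principal names are assumptions.
Import-Module ActiveDirectory   # also mounts the AD: PSDrive used by Get-Acl below

$ou  = 'OU=Servers,DC=corp,DC=example'
$acl = Get-Acl -Path "AD:\$ou"

# Every ACE: trustee (SID resolved to a name where possible), rights, allow/deny, inheritance.
$acl.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize

# Rights that let the holder take over the object, or everything beneath it when inherited.
$controlRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite', 'WriteProperty'
# Trustees expected to hold them on an OU; anything else deserves an explanation. Assumed names.
$expected = 'NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', 'CORP\Enterprise Admins', 'BUILTIN\Administrators'

function Get-UnexpectedControlAces {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [string[]]$Expected,
        [string[]]$Rights
    )
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -in $Expected) { continue }
        # ActiveDirectoryRights is a flags enum; compare its names against the watch list.
        $held = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit  = $Rights | Where-Object { $_ -in $held }
        if ($hit) {
            [pscustomobject]@{
                Trustee    = $ace.IdentityReference.Value
                Rights     = ($hit -join ',')
                Inherited  = $ace.IsInherited
                # For WriteProperty the ObjectType GUID names the attribute; an all-zero GUID means every attribute.
                ObjectType = $ace.ObjectType
            }
        }
    }
}

Get-UnexpectedControlAces -Acl $acl -Expected $expected -Rights $controlRights | Format-Table -AutoSize
```

A WriteProperty ACE with an all-zero ObjectType, or any GenericAll/WriteDacl/WriteOwner ACE, granted to a non-administrative group is a direct path to control of every account in the OU, so the function returns ObjectType rather than hiding it.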

Flexible Single Master Operations (FSMO)

MultiMaster Operation:

In Windows 2000 and 2003, every domain controller can accept changes, and the changes are replicated to all other domain controllers. The day-to-day operations of managing users, groups and computers are multimaster operations.

A fixed set of operations, the Flexible Single Master Operations (FSMO) roles, would conflict if two domain controllers performed them at the same time, so each is performed by exactly one domain controller at a time. The roles land on the first domain controller by default; an administrator can transfer them to another domain controller, or seize them if the holder is permanently lost. There are two forest-wide and three domain-wide roles:
Schema Master: controls all updates and modifications to the schema. There can be only one schema master in the whole forest.
Domain naming master: controls the addition or removal of domains (and application partitions) in the forest and ensures that domain names are unique in the forest. There can be only one domain naming master in the whole forest.

Infrastructure Master:

The infrastructure master updates references from objects in its domain to objects in other domains (for example, members of a domain local group who belong to another domain) when those objects are renamed or moved, by comparing its data with a global catalog. At any one time there is exactly one infrastructure master per domain.

Note: the infrastructure master should not be a global catalog server unless every domain controller in the domain is a global catalog. A global catalog holds a partial replica of every object in the forest, so it never has stale cross-domain references of its own to notice, and an infrastructure master running on one stops updating the references for the rest of the domain; cross-domain object references in that domain then go stale and a warning to that effect is logged in that DC's event log. If all the domain controllers in the domain also host the global catalog, they all have current data and it does not matter which one holds the role.
Relative ID (RID) Master:
The RID master allocates pools of relative IDs (500 at a time by default) to each domain controller in the domain; a domain controller takes a RID from its pool whenever it creates a security principal such as a user, group or computer. If the RID master is down, domain controllers can keep creating security principals until their local RID pools are exhausted, after which creation fails.
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of the domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain, which is why RIDs must be issued from a single place.
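The domain SID and RID split described here and in the SID section above, done with the .NET SecurityIdentifier type so it runs on any Windows machine without a domain. This is an added example, not from the original page; the domain SID is a constructed sample value.

```powershell
# Added example: split a SID into domain SID and RID, and label the well-known RIDs.
# The domain SID below is a constructed sample, not from a real domain.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s     = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $parts = $s.Value.Split('-')
    [pscustomobject]@{
        Sid         = $s.Value
        # AccountDomainSid is $null for built-in and well-known SIDs (S-1-5-32-*, S-1-1-0, ...)
        DomainSid   = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }
        Rid         = [int]$parts[-1]
        IsDomainSid = [bool]$s.AccountDomainSid
    }
}

# RIDs fixed by Windows: they identify privileged principals whatever their display name,
# so renaming "Administrator" does not hide RID 500.
$wellKnownRids = @{
    500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
    512 = 'Domain Admins';  513 = 'Domain Users'; 516 = 'Domain Controllers'; 519 = 'Enterprise Admins'
}

$domainSid = 'S-1-5-21-1004336348-1177238915-682003330'   # constructed sample
foreach ($rid in 500, 502, 512, 1105) {
    $info  = Split-Sid -Sid "$domainSid-$rid"
    $label = if ($wellKnownRids.ContainsKey($rid)) { $wellKnownRids[$rid] }
             else { 'ordinary principal (RID >= 1000, drawn from the creating DC''s RID pool)' }
    '{0}  domain={1}  rid={2}  {3}' -f $info.Sid, $info.DomainSid, $info.Rid, $label
}

# A built-in group: local Administrators has no domain part at all.
Split-Sid -Sid 'S-1-5-32-544'

# Against a real domain, the renamed-Administrator check is the same idea (ActiveDirectory module):
# Get-ADUser -Filter * | Where-Object { $_.SID.Value -like '*-500' } | Select-Object SamAccountName, SID
```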
PDC Emulator: When the domain is in mixed mode, the PDC emulator acts as the Windows NT PDC for the remaining NT 4.0 BDCs and clients. The first server that becomes a Windows 2000 domain controller takes the role of PDC emulator by default.
Functions performed by the PDC emulator:
• Password changes are replicated to it preferentially, and other domain controllers consult it before rejecting a password, so a just-changed password works everywhere; it also processes account lockouts.
• SAM directory replication requests from NT 4.0 BDCs (mixed mode).
• Domain master browser requests.
• Authentication requests from down-level clients.
• Group Policy editing: the Group Policy editor connects to the PDC emulator by default to avoid conflicting edits.
• Time synchronization: it is the authoritative time source for the domain (and, in the forest root domain, for the whole forest).
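The role holders of the five FSMO roles described above, located with the ActiveDirectory module, together with a check of the infrastructure master placement rule from the note above. This is an added example, not from the original page; it assumes nothing beyond a domain-joined machine with the RSAT module, and the DC name in the commented transfer commands is an assumption.

```powershell
# Added example: locate FSMO role holders and test the Infrastructure Master placement rule.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster          # forest-wide
    DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
    PDCEmulator          = $domain.PDCEmulator           # per domain
    RIDMaster            = $domain.RIDMaster             # per domain
    InfrastructureMaster = $domain.InfrastructureMaster  # per domain
}

# Rule: the IM must not be a GC unless every DC in the domain is a GC.
function Test-InfrastructureMasterPlacement {
    $dcs   = Get-ADDomainController -Filter *
    $im    = $dcs | Where-Object HostName -eq $domain.InfrastructureMaster
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    [pscustomobject]@{
        InfrastructureMaster = $im.HostName
        ImIsGlobalCatalog    = $im.IsGlobalCatalog
        AllDcsAreGc          = $allGc
        PlacementOk          = (-not $im.IsGlobalCatalog) -or $allGc
    }
}

Test-InfrastructureMasterPlacement

# The PDC emulator should be the domain's time source; on a member, the chain ends there.
w32tm /query /source

# Moving a role: a graceful transfer needs the current holder online. Seizing (-Force) is for a
# holder that is gone for good, which must then never be brought back online. Target DC is assumed.
# Move-ADDirectoryServerOperationMasterRole -Identity dc02 -OperationMasterRole PDCEmulator, RIDMaster
# Move-ADDirectoryServerOperationMasterRole -Identity dc02 -OperationMasterRole SchemaMaster -Force
```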

         

New Active Directory features in Windows Server 2003

• Multiple selection of user objects.


• Drag-and-drop functionality.
• Efficient search capabilities. Search functionality is object-oriented and provides an
efficient search that minimizes
• Saved queries. Save commonly used search parameters for reuse in Active Directory
Users and Computers
• Active Directory command-line tools.
• InetOrgPerson class. The inetOrgPerson class has been added to the base schema
as a security principal and can be used in the same manner as the user class. The
userPassword attribute can also be used to set the account password.
• Ability to add additional domain controllers using backup media. Reduce the
time it takes to add an additional domain controller in an existing domain by using
backup media.
• Universal group membership caching. Prevent the need to locate a global catalog
across a WAN when logging on by storing universal group membership information on
an authenticating domain controller.
• Secure LDAP traffic. Active Directory administrative tools sign and encrypt all LDAP
traffic by default. Signing LDAP traffic guarantees that the packaged data comes from
a known source and that it has not been tampered with.
• Active Directory quotas. Quotas can be specified in Active Directory to control the
number of objects a user, group, or computer can own in a given directory partition.
Domain Administrators and Enterprise
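The LDAP URL form shown in the LDAP section above, used to bind with signing and sealing, and the domain-controller side check for the "Secure LDAP traffic" item in the list above. This is an added example, not from the original page; the server, distinguished name and account are assumptions, and the server-side check assumes WinRM access to the domain controller.

```powershell
# Added example: a signed and sealed LDAP bind from the client side, then the DC-side signing policy.
# Server, DN and the DC name are assumptions.
$url = 'LDAP://dc01.corp.example/CN=Jane Doe,OU=Sales,DC=corp,DC=example'

# ADSI bind with the current user's credentials. Secure = Kerberos/NTLM rather than a simple
# (clear-text password) bind; Signing protects integrity; Sealing adds encryption.
# A DC that requires signing rejects binds made without it.
$auth  = [System.DirectoryServices.AuthenticationTypes]'Secure, Signing, Sealing'
$entry = New-Object System.DirectoryServices.DirectoryEntry($url, $null, $null, $auth)
$entry.distinguishedName
$entry.Properties['sAMAccountName'].Value

# Server side: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
#   LDAPServerIntegrity        1 = None (signing negotiated but not required), 2 = Require signing
#   LdapEnforceChannelBinding  0 = never, 1 = when supported, 2 = always (LDAPS channel binding)
function Get-LdapSigningPolicy {
    param([Parameter(Mandatory)][string]$DomainController)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        [pscustomobject]@{
            Server                    = $env:COMPUTERNAME
            LDAPServerIntegrity       = $p.LDAPServerIntegrity
            RequireSigning            = ($p.LDAPServerIntegrity -eq 2)
            LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding
        }
    }
}

Get-LdapSigningPolicy -DomainController 'dc01.corp.example'

# Event 2887 in the Directory Service log summarises the unsigned and simple binds the DC accepted
# in the previous 24 hours; a non-zero count is what will break once signing is required.
Get-WinEvent -ComputerName 'dc01.corp.example' -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } -MaxEvents 5 |
    Select-Object TimeCreated, Message
```

The client-side flags only help if the server enforces them: with LDAPServerIntegrity left at 1, a client that binds without Signing still succeeds, and a simple bind carries the password in clear text unless LDAPS is used.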

Windows Functional levels


In Windows 2000 Active Directory domains is the concept of Mixed and Native Modes. The
default mixed mode allows both NT and Windows 2000 domain controllers to coexist. Once
you convert to Native Mode, you are only allowed to have Windows 2000 domain controllers
in your domain. The conversion is a one-way conversion -- it cannot be reversed. In
Windows Server 2003, Microsoft introduced forest and domain functional levels. The concept
is rather similar to switching from Mixed to Native Mode in Windows 2000. The new
functional levels give you additional capabilities that the previous functional levels didn’t
have.
There are four domain functional levels:

1. Windows 2000 Mixed (supports NT4/2000/2003 DCs)


2. Windows 2000 Native (supports 2000/2003 DCs)
3. Windows Server 2003 Interim (supports NT4/2003 DCs)
4. Windows Server 2003 (supports only 2003 DCs)

And three forest functional levels:

1. Windows 2000 (supports NT4/2000/2003 DCs)
2. Windows Server 2003 Interim (supports NT4/2003 DCs)
3. Windows Server 2003 (supports only 2003 DCs)

To raise the domain functional level, you go to the properties of your domain in Active
Directory Domains and Trusts. To raise the forest functional level you go to the properties of
Active Directory Domains and Trusts at the root. Of course, if your domains are not at the
correct level, you won't be able to raise the forest functional level.
Directory partition
A directory partition, or naming context, is a contiguous Active Directory subtree replicated
on one or more Windows 2000 domain controllers in a forest. By default, each domain
controller holds a replica of three partitions: the Schema partition, the Configuration partition
and a Domain partition.

Schema partition
It contains all class and attributes definitions for the forest. There is one schema
directory partition per forest.
Configuration partition
It contains replication configuration information (and other information) for the forest. There
is one configuration directory partition per forest.
Domain partition
It contains all objects that are stored by one domain. There is one domain directory
partition for each domain in the forest.

Application Directory Partition

Application directory partitions are most often used to store dynamic data. An application
partition cannot contain security principals (users, groups, and computers). The KCC
generates and maintains the replication topology for an application directory partition.

Application: The application partition is a new feature introduced in Windows Server 2003.
This partition contains application-specific objects. The objects or data that applications and
services store here can be of any object type excluding security principals. Security
principals are Users, Groups, and Computers. The application partition typically contains
DNS zone objects, and dynamic data from other network services such as Remote Access
Service (RAS) and Dynamic Host Configuration Protocol (DHCP).
Dynamic Data:
A dynamic entry is an object in the directory which has an associated time-to-live (TTL)
value. The TTL for an entry is set when the entry is created.
Security Principals - Objects that can have permissions assigned to them; each one
contains a security identifier (SID). The following objects are security principals:
o User
o Computer
o Group

RPC:
Active Directory uses RPC over IP to transfer both intersite and intrasite replication between
domain controllers. To keep data secure while in transit, RPC over IP replication uses both
the Kerberos authentication protocol and data encryption.
SMTP:
If you have a site that has no physical connection to the rest of your network, but that can
be reached using the Simple Mail Transfer Protocol (SMTP), that site has mail-based
connectivity only. SMTP replication is used only for replication between sites. You also
cannot use SMTP replication to replicate between domain controllers in the same domain—
only inter-domain replication is supported over SMTP (that is, SMTP can be used only for
inter-site, inter-domain replication). SMTP replication can be used only for schema,
configuration, and global catalog partial replica replication. SMTP replication observes the
automatically generated replication schedule.
Changing of ntds.dit file from one Drive to another

1. Boot the domain controller in Directory Services Restore mode and log on with the
Directory Services Restore mode administrator account and password (this is the
password you assigned during the Dcpromo process).
2. At a command prompt, type ntdsutil.exe. You receive the following prompt:
ntdsutil:
3. Type files to receive the following prompt:
file maintenance:
4. Type info. Note the path of the database and log files.
5. To move the database, type move db to %s (where %s is the target folder).
6. To move the log files, type move logs to %s (where %s is the target folder).
7. Type quit twice to return to the command prompt.
8. Reboot the computer normally.

DNS

DNS (Domain Name System)

Domain Name System (DNS) is a database system that translates a computer's fully
qualified domain name into an IP address.

The local DNS resolver

[Figure omitted in this copy: overview of the complete DNS query process, starting at the local DNS resolver.]
DNS Zones

Forward lookup zone - Name to IP address map.

Reverse lookup zone - IP address to name map.

Primary Zones - Hold read and write copies of all resource records (A, NS, SRV).

Secondary Zones - Hold read-only copies of the Primary Zones.

Stub Zones
Conceptually, stub zones are like secondary zones in that they have a read-only copy of a
primary zone. Stub zones are more efficient and create less replication traffic.
Stub Zones only hold 3 kinds of records: the SOA for the primary zone, the NS records and the
Host (A) records of those name servers. The idea is that if a client queries a record in the Stub
Zone, your DNS server can refer that query to the correct Name Server because it knows its
Host (A) record.

Queries

Query types are:

Inverse - Getting the name from the IP address. These are used by servers as a security
check.
Iterative - Server gives its best answer, which may be a referral to another name server.
This type of query is sent from one server to another.
Recursive - The server must return a complete answer (or an error) and cannot refer the
client to another name server.
Conditional Forwarding
Another classic use of forwarders is for the domains of subsidiaries, partners or other
organizations that the company contacts regularly. Instead of going the long way around
using the root hints, the network administrators configure Conditional Forwarders for those
domains.
Purpose of Resource Records
Without resource records DNS could not resolve queries.  The mission of a DNS Query is
to locate a server that is Authoritative for a particular domain.  The easy part is for the
Authoritative server to check the name in the query against its resource records.

SOA (start of authority) record - Each zone has one SOA record that identifies which
DNS server is authoritative for domains and sub domains in the zone.

NS (name server) record - An NS record contains the FQDN and IP address of a DNS
server authoritative for the zone. Each primary and secondary name server authoritative
in the domain should have an NS record.

A (address) record - By far the most common type of resource record, an A record
is used to resolve the FQDN of a particular host into its associated IP address.

CNAME (canonical name) record - A CNAME record contains an alias (alternate
name) for a host.

PTR (pointer) record - The opposite of an A record, a PTR record is used to resolve the IP
address of a host into its FQDN.

SRV (service) record - An SRV record is used by DNS clients to locate a server that
is running a particular service—for example, to find a domain controller so you can log on
to the network. SRV records are key to the operation of Active Directory.

MX (mail exchange) record - An MX record points to one or more computers that
process SMTP mail for an organization or site.

Where DNS resource records will be stored:

After running DCPROMO, a text file containing the appropriate DNS resource records for
the domain controller is created. The file, called Netlogon.dns, is created in the
%systemroot%\System32\config folder and contains all the records needed to register
the resource records of the domain controller. Netlogon.dns is used by the Windows 2000
NetLogon service and to support Active Directory on non-Windows 2000 DNS servers.

Procedures for changing a Server's IP Address

Once DNS and replication are set up, it is generally a bad idea to change a server's IP
address (at least according to Microsoft). Just be sure that is what you really want to do
before starting the process. It is a bit akin to changing the Internal IPX number of a Novell
server, but it can be done.

1. Change the Server's IP address.

2. Stop the NETLOGON service.

3. Rename or delete SYSTEM32\CONFIG\NETLOGON.DNS and NETLOGON.DNB.

4. Restart the NETLOGON service and run "IPconfig /registerDNS".

5. Go to one of the other DCs and verify that its DNS is now pointing to the new IP
address of the server. If not, change the records manually and give it 15 minutes to
replicate the DNS changes out.

6. Run REPLMON and make sure that replication is working now. You may have to wait
a little while for things to straighten out. Give it an hour or two if necessary.

If a server shows that it isn't replicating with one of its partners, there are
several issues to address:

A. Check to see that the servers can ping each other.

B. Make sure that both servers' DNS entries for each other point to the proper IP
addresses.

C. If server A says it replicated fine, but server B says it couldn't contact Server A,
check the DNS setup on Server B. Chances are it has a record for Server A pointing to the
wrong place.

D. Run Netdiag and see if it reports any errors or problems.
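A scripted form of the checks in step 5 and points B and C above, added here as an example (it is not part of the original notes): it parses constructed records in the Netlogon.dns format ("owner TTL IN TYPE rdata") and reports A records that still carry a renumbered DC's old address, as well as SRV records whose target no longer resolves to the new one. The domain, host names and addresses are constructed sample values.

```python
from collections import defaultdict

# Constructed sample in the Netlogon.dns format ('owner TTL IN TYPE rdata'):
# dc1 was renumbered from 10.0.0.5 to 10.0.0.50, but its A record was not
# refreshed, so every SRV record that targets it still leads to the old address.
NETLOGON_DNS = """\
contoso.com. 600 IN A 10.0.0.50
dc1.contoso.com. 600 IN A 10.0.0.5
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 dc1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
"""

def parse_records(text):
    """Return a list of (owner, type, rdata fields) for each 'owner TTL IN TYPE ...' line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2].upper() != "IN":
            continue  # blank line or not a resource record
        owner, _ttl, _cls, rtype, *rdata = fields
        records.append((owner.lower().rstrip("."), rtype.upper(), rdata))
    return records

def check_dc_records(text, dc_fqdn, old_ip, new_ip):
    """Return findings for a renumbered DC; an empty list means DNS is consistent."""
    dc = dc_fqdn.lower().rstrip(".")
    a_records = defaultdict(set)   # owner -> set of IPv4 addresses
    srv_targets = {}               # SRV owner -> target host
    for owner, rtype, rdata in parse_records(text):
        if rtype == "A":
            a_records[owner].add(rdata[0])
        elif rtype == "SRV":        # rdata: priority weight port target
            srv_targets[owner] = rdata[3].lower().rstrip(".")
    findings = []
    for owner, ips in sorted(a_records.items()):
        if old_ip in ips:
            findings.append(f"stale A record: {owner} -> {old_ip}")
    if new_ip not in a_records.get(dc, set()):
        findings.append(f"missing A record: {dc} -> {new_ip}")
    for owner, target in sorted(srv_targets.items()):
        if target == dc and new_ip not in a_records.get(target, set()):
            findings.append(f"SRV {owner} -> {target} does not resolve to {new_ip}")
    return findings

if __name__ == "__main__":
    for f in check_dc_records(NETLOGON_DNS, "dc1.contoso.com", "10.0.0.5", "10.0.0.50"):
        print(f)
```

Run it against the records exported from each replication partner's DNS server (or its copy of Netlogon.dns); an empty result for every partner is the condition point B asks for.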

Trust Relationship

• One way trust - When one domain allows access to users on another domain, but
the other domain does not allow access to users on the first domain.
• Two way trust - When two domains allow access to users on the other domain.
• Trusting domain - The domain that allows access to users on another domain.
• Trusted domain - The domain that is trusted, whose users have access to the
trusting domain.
• Transitive trust - A trust which can extend beyond two domains to other trusted
domains in the tree.
• Intransitive trust - A one way trust that does not extend beyond two domains.
• Explicit trust - A trust that an administrator creates. It is not transitive and is one
way only.
• Cross-link trust - An explicit trust between domains in different trees or in the
same tree when a descendent/ancestor (child/parent) relationship does not exist
between the two domains.
• Forest trust - When two forests have a functional level of Windows 2003, you can
use a forest trust to join the forests at the root.
• Shortcut trust - When domains that authenticate users are logically distant from
one another, the process of logging on to the network can take a long time. You
can manually add a shortcut trust between two domains in the same forest to
speed authentication. Shortcut trusts are transitive and can either be one way or
two way.

Windows 2000 only supports the following types of trusts:

• Two way transitive trusts
• One way non-transitive trusts
