AD Video Notes


  • 8/8/2019 AD Video Notes

    1/28

    AD Video Notes:

    X.500 is the first directory, designed in 1984. It introduced the distinguished name (DN) and the relative distinguished name (RDN).

    What is LDAP?

    In 1993 the University of Michigan developed LDAP (Lightweight Directory Access Protocol).

    LDAP is based on X.500 but is significantly simpler.

    It is a client-server directory, which means the client makes a request to the server and the server provides the location of the particular object.

    LDAP is an application protocol for querying and modifying directory services running over TCP/IP, unlike X.500.

    What is Novell?

    Novell Directory Service (now called eDirectory) was introduced in 1992 and can run on Linux, Unix and Windows NT/2000/2003.

    What is the difference between AD and other directory services?

    The difference between AD and other directory services is that AD registers its items by using DNS. It relies on DNS for locating and naming objects.

    The first implementation of AD came in Windows 2000.

    What is Active Directory?

    Active Directory consists of a series of components that constitute both its logical structure and its physical structure.

    It provides a way for organizations to centrally manage and store their user objects, computer objects and group memberships, and defines security boundaries in a logical database structure.

    It provides a consistent way to name, describe, locate, access, manage and secure information about these resources.

    Functions of AD:

    Centralizes control of network resources.

    Centralizes and decentralizes resource management.

    Stores objects securely in a logical structure.

    Optimizes network traffic.

    How does an AD client locate domain controllers?

    The AD client sends a DNS request to its configured DNS server looking for a domain controller.

    AD domain controllers have a record in DNS known as a service record (SRV).

    DNS looks into the SRV records and returns the IP address of the nearest domain controller.


    What are the two types of views in Active Directory?

    The two types of views are logical and physical.

    Explain domains?

    A domain is the container object of the AD components.

    In an AD installation the first thing that gets installed is a domain, and this domain is called the tree root domain. It is the highest AD domain in the tree.

    A tree root domain can also be a forest root domain.

    Each domain should have one or more AD domain controllers.

    Domains can have child domains and grandchild domains.

    What is a domain controller?

    Domain controllers are the servers that run AD and are responsible for storing the actual domain data.

    Domain data includes data records about all of the organizational units, users, computers, printers, groups etc.

    What is a tree?

    An AD tree is a group of domains based on the same namespace.

    Here the domains are connected with a two-way transitive trust.

    They share the same schema.

    They have common global catalogs.

    What is a forest?

    A forest is multiple trees linked together.

    Any number of trees can be linked to make up a forest.

    A forest root domain is the first domain created in the AD forest.

    Q. What is a schema?

    A schema is the building block that makes up all the attributes of any particular object in a tree.

    The schema of a user would have last name, first name and logon id.

    Q. What is a forest root domain?

    The forest root domain is the first domain created in the AD forest.

    There are two types of forest root domains: dedicated and regional forest root domains. A dedicated forest root domain is a server which maintains the master copy of the AD forest and is dedicated only to AD; it also allows you to choose the replication traffic and increases scalability.

    A regional forest domain is set up to divide the domain into parts that are managed by other members of the sections of the database.

    You can add a new domain or designate the existing domain as the forest root domain.


    In Windows 2003 the forest root domain can be renamed.

    It helps to determine the number of domain trees.

    What is a trust relationship?

    A trust relationship is a link between two domains.

    The trusting domain honours the logon authentications from the trusted domain. The trust protocol for Windows 2000 and Windows 2003 uses Kerberos version 5. Previous versions of Windows use NT LAN Manager (NTLM).

    Trusts can be created manually or they can be created automatically.

    What is a container object?

    Container objects are designed to contain other objects, which are referred to as leaf objects.

    A domain object is a container object that can contain organizational unit (OU) container objects, users, printers etc.

    Domain objects are drawn as a triangle in the diagram.

    What are organizational unit objects?

    OU container objects are drawn as a circle.

    OUs are created to delegate administration.

    OUs are also created based on location, business function or department.

    OUs can contain users, groups, computers, printers etc.

    OUs can have a hierarchy, such as child and grandchild OUs, like domains.

    OUs should be designed for simplicity.

    OUs are not security principals, i.e. we cannot assign rights and permissions to them.

    We can assign GPOs (group policy objects) to OUs. Users do not use OUs for navigation.

    OUs most of the time represent departments, companies etc.

    What is an AD site?

    An AD site is one or more well connected, highly reliable and fast TCP/IP subnets.

    An AD site will contain servers and site links.

    A site is used to configure AD access and replication topologies according to the network's physical layer.

    Two sites can be in the same domain and vice versa.

    What is a site link?

    A site link is a connector between two sites and allows replication to occur.

    A site link can be anything between 56 kbps and a T1 line.

    A site link cost is a value assigned to a link that is used to regulate the traffic according to the speed of the link. The higher the site link cost, the slower the link speed.


    Replication between sites can be scheduled according to what is known as the site link cost.

    What is a domain controller?

    Domain controllers are servers that have copies of the AD database that can be written to.

    A DC participates in the replication of the directory, i.e. it copies information from one domain controller and makes sure that the other DCs in the site or domain have access to that information.

    The domain controller is what controls access to network resources.

    Administrators use DCs to manage user and computer accounts and to share resources like printers and scanners.

    Admins also use them to configure the site topology between the sites within a domain or sites within a network.

    What are the 4 types of partitions in the AD database?

    Domain partition

    Configuration partition

    Schema partition

    Application partition

    What is the domain partition?

    It has information about the objects that are created within the domain.

    Since the information is specific to the domain, it is not sent to any domain controller in another domain, but the information is replicated to the domain controllers within that domain.

    What is the configuration partition?

    The configuration partition contains information about the domains (how the domains are configured) and how replication takes place.

    It is replicated to the domain controllers within the domain.

    What is the schema partition?

    The schema partition is used as a template for all the objects in the directory; it also lays out all the attributes an object can have, e.g. for a user: first name, last name, telephone number.

    This information is the same in all domains in the forest, so the schema partition is replicated to domain controllers throughout the forest.

    What is the application directory partition?

    The application directory partition stores dynamic program-specific information, i.e. information specific to certain applications.

    It is replicated to specific domain controllers. It can contain any type of object except security principals like a user.

    It is managed with the Ntdsutil executable program.


    What does a domain controller hold?

    Domain controllers hold a copy of the schema partition for the forest.

    What is a global catalog?

    The global catalog enables finding directory information regardless of which domain in the forest actually contains the data.

    Global catalog servers are created automatically.

    The first domain controller in a new forest becomes the global catalog server for that domain.

    Global catalog servers store a full replica of the information for their own domain.

    They store partial information for the other domains in the forest (like logon names and first and last names).

    What do global catalog servers hold?

    They hold the schema partition for the forest.

    They hold the configuration partition for the domain. They hold a partial replica of commonly used attributes for all the directory objects in the forest.

    The global catalog is important in a multiple domain scenario but not in a single domain system.

    There is a full replica of all the attributes for all of the objects in the domain in which the global catalog server is located. That information is replicated between global catalog servers only.

    How do users find objects in AD?

    Users find objects in AD by querying the database.

    How do you perform a query in a multiple domain environment?

    The user is looking for a printer.

    The user types the printer name.

    The client sends a DNS request looking for the location of the global catalog server.

    This way the computer communicates directly with the DNS server asking for the service provided by the global catalog server.

    DNS responds with the IP address of the global catalog server and then the client sends a directed message to port 3268 on the domain controller, i.e. the global catalog server. The global catalog server searches the database and, if it knows where the printer is, the information is returned with a direct communication back to the workstation.

    If unable to find the printer, the global catalog server refers the query to AD to handle the request.


    What are saved queries?

    Active Directory Users and Computers provides a Saved Queries folder where administrators can create and save queries.

    Saved queries use predefined LDAP strings to search only specified domain partitions.

    Searches can be narrowed down to a single computer object. You can also create customized saved queries that contain an LDAP search filter.
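    A saved query is ultimately an LDAP search filter string, and the part of it that varies (a computer or logon name typed by an administrator) has to be escaped so that the directory matches it literally. The Python below is an added example, not part of the notes: it builds the filter for the "single computer object" case and two related ones, applying the RFC 4515 escaping rules. The object names are constructed; the userAccountControl bit and the 1.2.840.113556.1.4.803 matching rule OID are the real values.

```python
"""Added example: building the LDAP search filters behind saved queries.

Names are constructed; escaping follows RFC 4515 so that * ( ) \\ and NUL
inside a name are matched literally instead of being read as filter syntax.
"""

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value that comes from outside (a typed name) before it is
    placed inside a filter; an unescaped '*' would widen the search from one
    object to every object of that class."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def computer_filter(name):
    """One computer object by cn: the 'narrow to a single computer' case."""
    return f"(&(objectCategory=computer)(cn={escape_filter_value(name)}))"


def user_filter(logon_name):
    """One user by sAMAccountName (the logon id the notes mention)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(logon_name)}))")


def disabled_users_filter():
    """All disabled users: bit 2 (ACCOUNTDISABLE) of userAccountControl,
    tested with the LDAP_MATCHING_RULE_BIT_AND rule 1.2.840.113556.1.4.803."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(userAccountControl:1.2.840.113556.1.4.803:=2))")


if __name__ == "__main__":
    print(computer_filter("WS01"))
    print(computer_filter("*"))      # the wildcard is neutralised
    print(user_filter("jdoe"))
    print(disabled_users_filter())
```

    The escaping matters for any tool that builds filters from user input, not only for saved queries: without it, one character changes a one-object lookup into a partition-wide search.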

    What are the 3 snap-ins for AD?

    Active Directory Domains and Trusts

    Active Directory Sites and Services

    Active Directory Users and Computers

    What are the physical and network requirements to install AD?

    TCP/IP running on the servers and clients.

    A DNS server with SRV record support.

    Windows 2000 or 2003 operating systems.

    Which is the default folder for the AD database on the AD server?

    It is C:\windows\NTDS.

    Where is the server's copy of the domain public files saved?

    It is saved in C:\windows\sysvol.

    How do you install AD on to a domain controller?

    You can run a program called Dcpromo.

    How do you install AD on a server after installing the OS?

    The Configure Your Server wizard pops up after the OS install.

    How do you install AD on a server to make it a domain controller?

    Run Dcpromo to promote a member server to a domain controller and install AD; a DNS and DHCP server can also be installed after that.

    What inputs will be asked for during the AD installation wizard?

    It will ask if it is the first domain controller in the AD tree or a new domain controller added to an existing tree.

    It will ask for the type of domain, like new domain for a new forest, child domain in an existing tree, new domain and tree in an existing tree, or a peer domain controller.

    A peer domain controller can be created in a different location to minimize traffic and increase the bandwidth.

    It will ask for the domain name, NetBIOS name and the location of the AD database and log file.


    Domain configuration includes the sysvol folder, default permissions for users and groups, and the directory service restore mode password.

    How many domain controllers do you need for fault tolerance?

    We need two domain controllers for fault tolerance.

    How do you prepare AD before installing a Windows Server 2003 server into an existing Windows 2000 AD?

    If you are installing a Windows Server 2003 server into an existing Windows 2000 Active Directory structure, you must first prepare Active Directory for the installation by taking the following steps:

    Apply Service Pack 2 or later on all domain controllers.

    Back up your data.

    On the schema master for the forest, disconnect the server from the network and run Adprep /forestprep. Reconnect the server and wait at least 15 minutes (or as long as half a day or more) for synchronization to occur.

    If Active Directory has multiple domains, or if the infrastructure master for the domain is on a different server than the schema master, run Adprep /domainprep on the infrastructure master for the domain.

    Keep in mind the following facts about using Adprep:

    To run /forestprep, you must be a member of the Schema Admins or Enterprise Admins group.

    To run /domainprep, you must be a member of the Domain Admins or Enterprise Admins group.

    If you have a single domain, and the infrastructure master is on the same server as the schema master, you do not need to run /domainprep (/forestprep performs all necessary functions to prepare Active Directory). While running the Adprep command, make sure that you have inserted the Windows 2003 CD, which has the Adprep.exe file on it.

    What are the different ways to install AD?

    Using the network or backup media: type dcpromo /adv: filepath.

    Using an answer file, where we create the answer file and type dcpromo /answer: filename, which does the installation.

    Using the Configure Your Server wizard.

    What are the circumstances where you can rename domains?

    All domain controllers are running Windows Server 2003.

    The domain functional level is at Windows 2003.

    The forest functional level is at Windows 2003.

    What is the utility to rename a domain?

    Rendom.exe is used to rename a domain.


    It is also used to restructure domain locations and to modify domain information and the NetBIOS name.

    It cannot be used in a forest where Microsoft Exchange is installed.

    The SID (security identifier) does not change even if the domains are renamed.

    You cannot use this utility to move the forest, but you can rename the forest.

    What is the utility to rename a domain controller?

    We use Netdom.exe to rename domain controllers, and the domain functional level must be Windows Server 2003.

    What is the command to uninstall AD?

    Dcpromo is the command.

    You need to have enterprise administrator rights to uninstall a domain controller in the tree root domain.

    You need to be in the domain admin group to uninstall the last domain controller in the forest.

    What are the tools to troubleshoot AD?

    Tool: Description

    Directory Services log: Use Event Viewer to examine the log. The log lists informational, warning and error events.

    Netdiag: Run from the command line. Tests for domain controller connectivity (in some cases, it can make repairs).

    DCDiag: Analyzes domain controller states and tests different functional levels of Active Directory.

    Dcpromo log files: Located in the %Systemroot%\Debug folder. Dcpromoui.log gives a detailed progress report of Active Directory installation and removal. Dcpromos.log is created when a Windows 3.x or NT 4 domain controller is promoted.

    Ntdsutil: A command line tool that provides management facilities for AD. Can remove orphaned data or a domain controller object from Active Directory.

    Dcpromoui.log includes information like:

    Source domain controller for replication.

    Replicated partitions.

    Number of replicated items.

    Services that are configured on the target domain controller and ACEs, i.e. access control entries, set on the registry and on files and directories in sysvol.

    Error messages.

    Administrator choices entered during the installation and removal.


    What are the basic troubleshooting steps taken for AD?

    You can also check the following settings to begin troubleshooting an Active Directory installation:

    Make sure the DNS name is properly registered.

    Check the spelling in the configuration settings.

    PING the computer to verify connectivity.

    Verify the domain name to which you are authenticating.

    Verify that the username and password are correct.

    Verify the DNS settings.

    What are the facts about backup and restore?

    You should know the following facts about backup and restore:

    When you reboot after restoring, Active Directory replication replicates changes.

    Items restored non-authoritatively will be overwritten during replication.

    Use an authoritative restore to restore deleted objects. Objects will be replicated back to other domain controllers on the network.

    Use a non-authoritative restore to get the DC back online. Items will replicate from other DCs after the restored DC goes back online.

    Active Directory data is restored by restoring the System State data. You cannot selectively restore Active Directory objects from the backup media.

    To restore objects that were added to deleted OUs, move the objects from the LostAndFound container. No restore of objects is necessary.

    Make sure you perform backups more often than the tombstone lifetime setting in Active Directory. For example, if the tombstone lifetime is set to 10 days, you should back up Active Directory at least every 9 days. If your backup interval is larger than the tombstone lifetime, your Active Directory backup can be viewed as expired by the system.

    How do we do an authoritative restore?

    An authoritative restore restores all data from the backup. Changes made since the last backup are discarded.

    To perform an authoritative restore:

    Perform a non-authoritative restore.

    Run Ntdsutil.

    Do not restart the server after performing the non-authoritative restore.

    Note: Microsoft gives the following as the best practice procedure for restoring Active Directory from backup media:

    Reboot into Active Directory restore mode. Log in using the password you specified during setup (not a domain account).

    Restore the System State data from backup to its original location and to an alternate location.


    Run Ntdsutil to mark the entire Active Directory database (if you're restoring the entire database) or specific Active Directory objects (if you're only restoring selected Active Directory objects) as authoritative.

    Reboot normally.

    Restore Sysvol contents by copying the Sysvol directory from the alternate location to the original location to overwrite the existing Sysvol directory (if you're restoring the entire database). Or, copy the policy folders (identified by GUID) from the alternate location to the original location to overwrite the existing policy folders.

    You should know the following facts about Sysvol restoration:

    Sysvol is the shared system volume on all domain controllers.

    Sysvol stores scripts and Group Policy objects for the local domain and the network.

    The default location for Sysvol is %Systemroot%\Sysvol.

    To ensure that the proper settings are authoritatively restored, copy the Sysvol directory from an alternate location over the existing Sysvol directory. Or, copy the Sysvol policy folders from the alternate location over the original location. (This maintains the integrity of the Group Policy of the computer.)

    What is a GUID?

    A GUID is a globally unique identifier.

    A GUID is a 128-bit number that is guaranteed to be unique across the network.

    It is assigned to objects when they are created, and the GUID never changes even if the object is renamed or moved.

    What is a SID?

    A SID is a security identifier.

    A SID is a unique number that is assigned when an account is created.

    Every account on the network has a unique SID, and SIDs are used to track the account rather than the account's user or group name.

    An account SID is made up of the domain SID and a unique RID.

    Deleting and recreating/moving an account results in a new SID being assigned, so the rights and permissions made to the account will have to be recreated and reassigned.

    What is a RID?

    The relative identifier (RID) is the part of a security identifier (SID) that uniquely identifies an account or group within a domain.

    It is unique among all SIDs in a domain.
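    The two points above (a SID is the domain SID plus a RID, and a recreated account gets a new SID so its old permissions no longer apply) can be seen by taking a SID apart and by modelling a domain's RID pool. The Python below is an added example, not part of the notes: the domain SID and account names are constructed, the RID pool is a simplified model (real RIDs are issued from blocks handed out by the RID master), and the well-known RIDs listed (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users) are the real values.

```python
"""Added example: SID structure and why a recreated account loses its access.

Domain SID, account names and the ACL are constructed; the RID pool is a
simplified model of the real one. Well-known RIDs are the actual values.
"""

# RIDs that identify the same built-in principal in every domain, whatever
# the account has been renamed to. Useful for detection logic that keys on
# the SID rather than on a display name.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain_sid, rid).

    Raises ValueError for strings that are not domain-account SIDs (for
    example the BUILTIN SIDs, which use sub-authority 32 instead of 21)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid}")
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) != 5 or subauths[0] != 21:
        raise ValueError(f"not a domain account SID: {sid}")
    return "-".join(parts[:-1]), subauths[-1]


class Domain:
    """Minimal model of a domain's RID pool: a RID is issued once and never
    reused, so deleting and recreating an account yields a different SID."""

    def __init__(self, domain_sid, first_rid=1000):
        self.domain_sid = domain_sid
        self.next_rid = first_rid
        self.accounts = {}  # name -> sid

    def create_account(self, name):
        sid = f"{self.domain_sid}-{self.next_rid}"
        self.next_rid += 1
        self.accounts[name] = sid
        return sid

    def delete_account(self, name):
        del self.accounts[name]


def rights_for(acl, sid):
    """acl: list of (sid, right). Rights are matched on SID, not on name."""
    return {right for s, right in acl if s == sid}


def orphaned_aces(acl, domain):
    """ACEs whose SID belongs to this domain but no longer resolves to an
    account: what the 'unknown account' entries in an ACL editor are."""
    live = set(domain.accounts.values())
    prefix = domain.domain_sid + "-"
    return [(s, r) for s, r in acl if s.startswith(prefix) and s not in live]


def recreate_demo():
    """Constructed walk-through: alice is granted read, deleted, recreated."""
    dom = Domain("S-1-5-21-1111-2222-3333")
    old_sid = dom.create_account("alice")
    acl = [(old_sid, "read")]
    dom.delete_account("alice")
    new_sid = dom.create_account("alice")   # same name, new RID, new SID
    return old_sid, new_sid, rights_for(acl, new_sid), orphaned_aces(acl, dom)


if __name__ == "__main__":
    print(parse_sid("S-1-5-21-1111-2222-3333-500"))
    print(recreate_demo())
```

    The recreated "alice" has no rights on the resource and the old entry lingers as an orphaned ACE; cleaning those up is part of the reassignment work the notes describe.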

    What is a group?

    A group is a set of users, computers or other groups all put together to provide access to resources or to serve as a distribution list.

    It can include any combination of object types.


    It is used to make administration simpler.

    What is a local group?

    Local groups are stored in the local security database on each computer.

    They are only granted permissions on that particular computer.

    What are domain groups?

    Domain groups are stored in AD instead of on the local computer.

    Computers that are booted as domain controllers will use domain groups only.

    Domain groups are of three types:

    Domain local group, domain global group or universal group.

    What are distribution groups and security groups?

    Distribution groups are used primarily for email.

    Security groups are used to control access to resources.

    What is a domain local group?

    They are used to grant access to resources in the local domain.

    They have open membership, so they may contain user and computer accounts, universal groups, and global groups from any domain in the forest.

    A domain local group can also contain other domain local groups from its domain.

    Domain local groups can be used to grant permissions to resources in the domain in which the domain local group resides.

    What are global groups?

    They are used to group users from the local domain.

    Typically, you assign users who perform similar job functions to a global group.

    Global groups can contain users, groups and computers in a domain.

    Global groups can contain users and computers only from within the same domain.

    They can get rights and permissions for any resource in any domain in the forest.

    Global groups can be used to grant permissions to resources in any domain in the forest.

    What are universal groups?

    They are used to grant access to resources in any domain in the forest.

    Universal groups can contain users, groups and computers from any domain in the forest.

    They have open membership, so you can include user and computer accounts, universal groups, and global groups from any domain in the forest.

    Universal groups can be used to grant permissions to resources in any domain in the forest.

    Universal groups are available only at the Windows 2000 Native or Windows 2003 domain functional level.


    They should be used sparingly, as they increase network traffic: membership is checked across a variety of domains, which means traffic going back and forth to domain controllers.

    What are built-in local groups?

    The built-in domain local groups are Administrators, Users and Guests. At the domain level there are global groups for Domain Admins, Domain Users and Enterprise Admins.

    What groups can a domain local group contain?

    It can contain the groups below:

    Universal groups.

    Global groups.

    Accounts within the forest.

    Other domain local groups in the domain.

    What is group nesting?

    In Windows 2000 and 2003 interim domains, we can create local groups and add domain global groups to them.

    In Windows 2003 and 2000 native mode, we can add global groups to universal groups.

    Explain the group strategy facts?

    To make permission assignments easier, assign permissions to a group, then add the accounts that need to use the group's resources. You can add user accounts, computers and other groups to groups. You should remember the following when assigning members to groups:

    Adding a user account to a group gives that account all the permissions and rights granted to the group (the user must log off and log back on before the change takes effect).

    The same user account can be included in multiple groups. (This multiple inclusion may lead to permissions conflicts, so be aware of the permissions assigned to each group.)

    Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler, as long as you remember what permissions you have assigned at each level.

    The following table shows the three basic recommended approaches to managing users, groups and permissions.

    Strategy: ALP
    Use: Used on workstations and member servers.
    Description: A: place user Accounts; L: into Local groups; P: assign Permissions to the local groups.
    Application: Best used in a workgroup environment, not in a domain.


    Strategy: AGDLP
    Use: Used in mixed mode domains and in native mode domains (does not use universal groups, which are also not available in mixed mode).
    Description: A: place user Accounts; G: into Global groups; DL: into Domain Local groups; P: assign Permissions to the domain local groups.
    Application:
    1. Identify the users in the domain who use the same resources and perform the same tasks. Group these accounts together in global groups.
    2. Create new domain local groups if necessary, or use the built-in groups to control access to resources.
    3. Combine all global groups that need access to the same resources into the domain local group that controls those resources.
    4. Assign permissions to the resources to the domain local group.

    Strategy: AGUDLP
    Use: Used in native mode domains, when there is more than one domain, and you need to grant access to similar groups defined in multiple domains.
    Description: A: place user Accounts; G: into Global groups; U: into Universal groups; DL: into Domain Local groups; P: assign Permissions to the domain local groups.
    Application: Universal groups should be used when you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups, instead of placing user accounts directly in universal groups.
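    The group scope rules (what each scope may contain and where it may be granted permissions) and the AGDLP / AGUDLP strategies above fit together as one small model. The Python below is an added example, not part of the notes: it encodes the membership rules as the notes state them, resolves nested membership, applies the deny-over-allow rule a Windows ACL uses, and walks through a constructed two-domain forest (corp and eu) with AGDLP inside corp and AGUDLP across both. All domain, account, group and resource names are constructed.

```python
"""Added example: group scope rules, nesting and the AGDLP/AGUDLP strategies.

Domains, accounts, groups and ACLs are constructed sample data. Membership
rules are those stated in the notes; deny-over-allow follows Windows ACLs.
"""
from collections import deque


class Principal:
    """An account (kind='account') or a group (kind='group' with a scope)."""

    def __init__(self, name, domain, kind, scope=None):
        self.name, self.domain, self.kind, self.scope = name, domain, kind, scope
        self.members = set()  # direct members; only meaningful for groups

    def __repr__(self):
        return f"{self.domain}\\{self.name}"


def can_contain(group, member):
    """Membership rules for global, universal and domain local groups."""
    if group.kind != "group":
        return False
    if group.scope == "global":
        # accounts and global groups, and only from the group's own domain
        same = member.domain == group.domain
        return same and (member.kind == "account" or member.scope == "global")
    if group.scope == "universal":
        # accounts, global and universal groups from any domain in the forest
        return member.kind == "account" or member.scope in ("global", "universal")
    if group.scope == "domain_local":
        # open membership, plus domain local groups from its own domain
        if member.kind == "account" or member.scope in ("global", "universal"):
            return True
        return member.scope == "domain_local" and member.domain == group.domain
    return False


def add_member(group, member):
    if not can_contain(group, member):
        raise ValueError(f"{group.scope} group {group!r} cannot contain {member!r}")
    group.members.add(member)


def can_grant_on(group, resource_domain):
    """Domain local groups grant permissions only in their own domain."""
    return group.scope != "domain_local" or group.domain == resource_domain


def nested_groups(principal, groups):
    """Every group the principal belongs to, directly or through nesting."""
    found, queue = set(), deque(g for g in groups if principal in g.members)
    while queue:
        g = queue.popleft()
        if g in found:
            continue
        found.add(g)
        queue.extend(h for h in groups if g in h.members)
    return found


def effective_rights(account, acl, groups, resource_domain):
    """acl: list of (principal, right, allow). A deny entry wins over an
    allow, which is how the 'permission conflicts' in the notes show up."""
    holders = nested_groups(account, groups) | {account}
    usable = [(p, r, a) for p, r, a in acl
              if p in holders and can_grant_on(p, resource_domain)]
    allowed = {r for p, r, a in usable if a}
    denied = {r for p, r, a in usable if not a}
    return allowed - denied


def agdlp_demo():
    """Constructed forest: AGDLP inside corp, AGUDLP spanning corp and eu."""
    alice = Principal("alice", "corp", "account")
    bob = Principal("bob", "eu", "account")
    sales = Principal("Sales", "corp", "group", "global")            # A -> G
    eu_sales = Principal("Sales", "eu", "group", "global")
    all_sales = Principal("AllSales", "corp", "group", "universal")  # G -> U
    share_rw = Principal("SalesShare_RW", "corp", "group", "domain_local")  # DL
    eu_share = Principal("EUShare_R", "eu", "group", "domain_local")
    add_member(sales, alice)
    add_member(eu_sales, bob)
    add_member(share_rw, sales)          # AGDLP: global group into domain local
    add_member(all_sales, sales)         # AGUDLP: global groups into universal
    add_member(all_sales, eu_sales)
    add_member(eu_share, all_sales)      # universal into eu's domain local
    groups = [sales, eu_sales, all_sales, share_rw, eu_share]
    corp_acl = [(share_rw, "read", True), (share_rw, "write", True),
                (sales, "write", False)]  # conflicting entry: deny wins
    eu_acl = [(eu_share, "read", True)]
    return {
        "alice_corp": effective_rights(alice, corp_acl, groups, "corp"),
        "bob_corp": effective_rights(bob, corp_acl, groups, "corp"),
        "bob_eu": effective_rights(bob, eu_acl, groups, "eu"),
        "global_cross_domain": can_contain(sales, bob),
        "dl_cross_domain_grant": can_grant_on(share_rw, "eu"),
    }


if __name__ == "__main__":
    for key, value in agdlp_demo().items():
        print(key, value)
```

    The walk-through shows the two scoping limits the notes state (a global group refuses an account from another domain, a domain local group cannot be granted rights outside its own domain) and the nesting path that gives bob in eu read access through a universal group, while alice's write is removed by the deny entry on her global group.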

    What are the objects you can delegate administrative control to?

    Domains.

    Organizational units.

    Containers.

    How do you design AD for delegation?

    Designing Active Directory for delegation:

    You should know the following facts about delegating control:

    You should structure the OUs and user account locations based on administrative needs.


    When you delegate control of an OU, you assign a user or group the permissions necessary to administer Active Directory functions according to their needs.

    In a small organization, you may have a single administrative group to manage the Active Directory objects.

    In larger organizations, you may have OUs for several departments. In this case, you could delegate control to a user or group within each OU.

    Use the Delegate Control wizard in Active Directory Users and Computers to delegate control.

    You can verify permissions delegation in two ways:

    Select the Security tab in the container's Properties dialog box.

    Open the Advanced Security Settings dialog box for the container.

    What are the reasons for having multiple forests?

    The company has different divisions and they are all totally autonomous.

    The company has different locations spread wide across the globe and you want them to be independent.

    To have trust limitations.

    Schema differences.

    What are the additional administrative difficulties of having multiple forests?

    Schema consistency (the schema has to be replicated properly and has to be the same across all of the forests).

    Global catalog placement (need to have multiple global catalog servers).

    Trust configuration (need to check if we need a two-way trust or some other configuration).

    Resource access (difficulties accessing resources).

    What are the reasons for having multiple domains?

    Configure different security policies.

    Separate administration (e.g. the sales team wants to manage their own systems).

    Control replication traffic.

    Support Windows NT (to retain Windows NT domains).

    Create distinct namespaces.

    Configure password policies (different password policies for different groups).

    What are the disadvantages of creating multiple domains?

    Every time you add a domain, you add administrative and hardware costs.

    What are the reasons to create OUs?

    Administrative purposes.

    Corporate policies.

    Administer group policies.


    : Development team wants to manage their resources, so you create a user Ous and assign permissions

    one of the team to manage the resources.

    What is a External domain?

    n external domain is a domain in another forest or it can be a domain run by a domain controller running

    indows NT or earlier.

    What is a Internal domain?

    internal domain is a domain within the same forest.

    What is a trust?

    Trust is a link between two or more domains.

    It is a communication path which is secure allows security principles from onedomain to the authenticated and accepted other domain.

    Trusting domain is the domain granting authentications to security principles inanother domain

    Trusted is the domain housing the security principles that will be trusted.

    What is Transitivity & selective authentication?

    Transitivity determines whether a trust relationship can be created within

    another domain.

    Selective authentication allows only selected users or groups to authenticateacross a trust relationship.

    What is a Tree root trust?

    It is established between the roots of two trees in the same forest.

    It is transitive.

    It is two way.

    What is a parent child trust?

    Automatically created when you create a child domain.

    It is transitive.

    It is two way.

    What is a shortcut trust?

    It is manually created between two domains in the same forest.

    It is transitive.

    It can be one way or two ways.

    Create a shortcut trust to shorten the trust path between two domains that authenticate to each other often, so that Kerberos referrals do not

    have to walk up to the forest root and back down for every authentication.

    What is a External trust?

    An External trust has to be created manually.

    It is created between a domain in one forest and a domain in another forest, or between a Windows Server 2003 domain and a Windows NT 4.0 or earlier domain.

    It can be one way or two way, and it is always non-transitive.

    SID filtering (quarantine) is enabled by default on an external trust, so SIDs that do not belong to the trusted domain (for example SID history entries) are discarded when users cross it; do not disable it unless a migration genuinely needs it.

    What is a forest root trust?

    A forest trust (forest root trust) is created manually between two forest root domains.

    All the domains in one forest will trust all the domains in the other forest.

    It is transitive only between the two forests involved; it does not extend to a third forest. It can be one way or two way, and it is only available when both forests are at the

    Windows Server 2003 forest functional level.

    What is a Realm trust?

    A realm trust is created manually between a non-Windows Kerberos realm (such as an MIT Kerberos realm) and a

    Windows Server 2003 domain.

    It can be transitive or non transitive.

    It can be one way or two ways.

    Name different types of trusts?

    1. Tree root trust.

    2. Parent child trust.

    3. Shortcut trust.

    4. External trust.

    5. Forest root trust.

    6. Realm trust.
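    As an added example, not part of the original notes, the PowerShell below audits every trust of the current domain against the properties described above (direction, transitivity, selective authentication and SID filtering). It assumes the ActiveDirectory module from RSAT (Windows Server 2008 R2 or later, so newer than the Windows Server 2003 tooling the notes describe) and an account that can read the trustedDomain objects; no domain or trust names are hard-coded.

```powershell
# Added example: audit the trusts of the current domain. Assumes the
# ActiveDirectory module (RSAT) is installed; trust names come from the
# environment, nothing is hard-coded.
Import-Module ActiveDirectory

function Get-TrustReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # One trustedDomain object exists in CN=System for each trust partner.
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        [PSCustomObject]@{
            Partner                 = $_.Name
            Type                    = $_.TrustType            # Uplevel (AD), Downlevel (NT 4.0), Kerberos (realm)
            # Direction is from this domain's point of view: Outbound means this
            # domain trusts the partner, i.e. the partner's users can be accepted here.
            Direction               = $_.Direction            # Inbound, Outbound, BiDirectional
            IntraForest             = $_.IntraForest          # parent/child, tree root or shortcut trust
            ForestTransitive        = $_.ForestTransitive     # true only for a forest trust
            SelectiveAuthentication = $_.SelectiveAuthentication
            # Quarantined = SID filtering on an external trust (netdom trust ... /quarantine:yes).
            # Forest trusts filter SIDs by default and report it through
            # SIDFilteringForestAware, whose meaning differs; confirm with netdom.
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
        }
    }
}

function Test-TrustHardening {
    # Returns the trusts that let foreign users in (this domain is the trusting
    # side) without the two controls a reviewer expects on a cross-forest trust.
    Get-TrustReport | Where-Object {
        -not $_.IntraForest -and $_.Direction -ne 'Inbound'
    } | ForEach-Object {
        $findings = @()
        if (-not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined) {
            $findings += 'SID filtering disabled: SID history from the trusted domain is honoured here'
        }
        if (-not $_.SelectiveAuthentication) {
            $findings += 'domain-wide authentication: every trusted user can authenticate to every server here'
        }
        if ($findings) {
            [PSCustomObject]@{ Partner = $_.Partner; Direction = $_.Direction; Findings = $findings -join '; ' }
        }
    }
}

Get-TrustReport    | Format-Table -AutoSize
Test-TrustHardening | Format-List
```

    Run it on a member server with RSAT from an account that can read the domain; on a Windows Server 2003 domain controller the equivalent view is `netdom trust <trusting> /domain:<trusted> /quarantine` and `nltest /domain_trusts`.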

    Note the below:

    The table below shows the domain functional levels.

    Domain functional level: Windows 2000 mixed
    Domain controller operating systems: Windows NT 4.0, Windows 2000, Windows Server 2003
    Features:
        Universal groups are available for distribution groups.
        Group nesting is available for distribution groups.

    Domain functional level: Windows 2000 native
    Domain controller operating systems: Windows 2000, Windows Server 2003
    Features:
        Universal groups are available for security and distribution groups.
        Group nesting.
        Group converting (allows conversion between security and distribution groups).
        SID history (allows security principals to be migrated among domains while maintaining permissions and group memberships).

    Domain functional level: Windows Server 2003
    Domain controller operating systems: Windows Server 2003
    Features:
        All features of Windows 2000 native domains.
        Domain controller rename.
        Update logon time stamp (the lastLogonTimestamp attribute, replicated between domain controllers).
        User password on InetOrgPerson object.

    Forest functional levels depend on the domain functional levels. The table below shows the forest functional levels.

    Forest functional level: Windows 2000
    Required domain functional level: Windows 2000 mixed or Windows 2000 native
    Features:
        Global catalog replication improvements are available if both replication partners are running Windows Server 2003.

    Forest functional level: Windows Server 2003
    Required domain functional level: Windows Server 2003
    Features:
        Global catalog replication improvements.
        Defunct schema objects (schema classes and attributes can be deactivated).
        Forest trusts.
        Linked value replication.
        Domain rename.
        Improved Active Directory replication algorithms.
        Dynamic auxiliary classes.
        InetOrgPerson objectClass change.

    What are the reasons to upgrade/change domain and forest functional level?


    Domain functional levels (formerly known as domain modes) provide a way to

    enable domain-wide Active Directory features within your network environment.

    Four domain functional levels are available: Windows 2000 mixed (default),

    Windows 2000 native, Windows Server 2003 interim, and Windows Server

    2003. Raising the functional level is one way; it cannot be reversed.

    You can rename the domains in your forest only if the forest functional level is Windows Server 2003,

    which in turn requires every domain in the forest to be at the Windows Server 2003 domain functional level.

    What is operation master role?

    An operations master is a domain controller designated to perform an operation that must not be carried out on two domain controllers at the same time.

    Only one domain controller in the domain or forest performs each role.

    Operations masters exist at both the domain and forest levels.

    Operations master role holders are also called flexible single master operation (FSMO) servers.

    By default, the first domain controller in the forest holds all five operations master roles.

    When you create a new domain, the first domain controller in that domain holds the three domain operations masters (RID master, PDC emulator, and infrastructure master).

    More facts about operations master roles:

    Use Active Directory Users and Computers to transfer RID master, PDC

    emulator, and infrastructure masters.

    Use Active Directory Domains and Trusts to transfer the domain naming

    master.

    Use the Active Directory Schema snap-in to transfer the schema master.

    Run Regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in to

    make it available for adding to a custom console.

    Before transferring any role, you must connect to the domain controller that willreceive the transferred role.

    To move an object between domains (using Movetree.exe), you must initiate the

    move on the domain controller acting as the RID master of the domain thatcurrently contains the object.

    With a few exceptions, the infrastructure master should not be located on a

    global catalog server. The exceptions are a single-domain forest and a domain in which every domain controller is a global catalog; in both cases there are no stale cross-domain references for it to fix.

    Eg: if you want to move the schema master of the AD forest from one location (domain controller) to another, this is done by

    transferring the operations master role.

    List all the operation masters?

    RID Master (one per domain)

    PDC Emulator (one per domain)

    Infrastructure Master (one per domain)

    Domain Naming Master (one per forest)

    Schema Master (one per forest)

    What is Schema Master?

    Schema master is a domain controller and it controls all the updates to the

    Active directory schema. There is only one schema master per forest.

    You need access to the schema master if you want to change the schema.

    You can change schema master role from one server to another.

    What is a Domain naming master?

    Domain naming master is a domain controller and it controls adding andremoving domains.

    There is only one domain naming master in the forest.

    You can move it from one domain controller to another.

    It ensures that domain names are unique.

    What is RID Master?

    The RID master ensures domain-wide unique relative IDs (RIDs). Every security principal's SID is the domain SID followed by a RID, so two DCs handing out the same RID would produce two accounts with the same SID.

    One domain controller in each domain performs this role.

    The RID master allocates a pool of RIDs to each domain controller.

    When a DC has used up its pool, it requests a new pool from the RID master; if the RID master stays unavailable, DCs eventually cannot create new users, groups or computers.

    What is PDC (Primary domain controller) emulator?

    If the domain contains computers running pre-Windows 2000 client software, or Windows NT backup domain controllers

    (BDCs), the domain controller assigned the PDC emulator role acts as a Windows NT PDC for them.

    There is only one PDC emulator in a domain.

    Password changes made on other domain controllers are replicated preferentially to the PDC emulator, and a logon that fails elsewhere is retried there before being rejected, so a just-changed password works everywhere.

    It is the authoritative time source for the domain (and the forest root's PDC emulator is the time source for the whole forest), which matters because Kerberos rejects tickets from clocks that are too far out.

    What is infrastructure master?

    The infrastructure master updates references to objects from other domains (for example, members of a group who belong to another domain) when those objects are renamed or moved, so group memberships and ACLs keep pointing at the right object.

    One domain controller in each domain performs this role.

    The infrastructure master role should not be held by a domain controller that is also a global catalog server (unless every DC in the domain is a global catalog), because a GC already holds a current copy of every object and the infrastructure master would never detect a stale reference.
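    The following PowerShell is added here as an example and is not taken from the notes. It lists the five role holders together with the domain and forest functional levels discussed earlier, checks the infrastructure master rule from the list above, and shows the transfer and seize forms of the role-move cmdlet. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and read access to the forest; the DC name DC02 in the comments is a placeholder.

```powershell
# Added example: inventory the operations master role holders and check the
# infrastructure master rule. Assumes the ActiveDirectory module (RSAT);
# DC names come from the forest you run it in.
Import-Module ActiveDirectory

function Get-OperationsMasterReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{
        # Forest-wide roles: exactly one holder in the whole forest.
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # Domain-wide roles: one holder in each domain.
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
        # Functional levels decide which features (e.g. domain rename) exist.
        DomainMode           = $domain.DomainMode
        ForestMode           = $forest.ForestMode
    }
}

function Test-InfrastructureMasterPlacement {
    # The infrastructure master finds stale cross-domain references by comparing
    # its own copy with a global catalog. If it is a GC itself it sees no
    # difference and never updates anything, unless every DC in the domain is a
    # GC (nothing can be stale) or the forest has only one domain.
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
    $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $single = @((Get-ADForest).Domains).Count -eq 1
    if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0 -and -not $single) {
        Write-Warning ("Infrastructure master {0} is a GC while {1} DC(s) are not: move the role or make every DC a GC" -f $im.HostName, $nonGc.Count)
        return $false
    }
    return $true
}

Get-OperationsMasterReport | Format-List
Test-InfrastructureMasterPlacement

# Transfer (graceful; the current holder must be online, and DC02 is the
# receiving DC, as the notes describe):
#   Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole InfrastructureMaster
# Seize (only when the holder is permanently gone; never bring the old
# holder back online afterwards without rebuilding it):
#   Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole RIDMaster -Force
```

    The same inventory on a Windows Server 2003 domain controller comes from `netdom query fsmo`, and the transfer from `ntdsutil roles`.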

    What are the important facts of Schema?

    The schema is the database of object classes and attributes that can be stored in

    Active Directory.

    Each object definition in the schema is stored as an object itself, so Active

    Directory can manage these definitions just as it does other objects.


    The schema includes definitions for classes and attributes (the definitions are

    also called metadata).

    Extending the schema allows Active Directory to recognize new attributes andclasses.

    Adding a component like Microsoft Exchange requires the Active Directory schema to

    be extended. Only a member of the Schema Admins group has permission to modify or

    extend the schema.

    To perform schema management tasks, use the Active Directory Schema snap-in.
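    Added example, not the notes' own material: a preflight check before a schema extension, using the ActiveDirectory module from RSAT. Schema Admins membership, the schema version and recently changed schema objects are what a reviewer looks at, because a schema change is forest-wide and cannot be undone (classes and attributes can only be deactivated). The objectVersion numbers in the comments are Microsoft's published values; the -Days value is an arbitrary window.

```powershell
# Added example: schema-change preflight. Assumes the ActiveDirectory module
# (RSAT) and an account that can read the schema partition.
Import-Module ActiveDirectory

function Get-SchemaAdminsMembers {
    # Schema Admins should be empty between schema changes; add an account
    # only for the duration of the extension and remove it afterwards.
    Get-ADGroupMember -Identity 'Schema Admins' -Recursive |
        Select-Object Name, SamAccountName, objectClass
}

function Get-SchemaMasterInfo {
    # The change has to be made on (or the role moved to) this DC.
    $forest   = Get-ADForest
    $schemaNc = (Get-ADRootDSE -Server $forest.SchemaMaster).schemaNamingContext
    $head     = Get-ADObject -Identity $schemaNc -Server $forest.SchemaMaster -Properties objectVersion
    [PSCustomObject]@{
        SchemaMaster  = $forest.SchemaMaster
        SchemaNC      = $schemaNc
        # objectVersion is bumped by adprep: 30 = Windows Server 2003, 31 = 2003 R2,
        # 44 = 2008, 47 = 2008 R2. Exchange and other products add their own
        # attributes without changing this number, so it is only a coarse check.
        ObjectVersion = $head.objectVersion
    }
}

function Get-RecentSchemaChanges {
    param([int]$Days = 7)
    # Anything in the schema partition modified recently: new classes or
    # attributes from a product install, or an unexpected change worth asking about.
    $since    = (Get-Date).AddDays(-$Days)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc -Filter { whenChanged -ge $since } `
        -Properties whenChanged, whenCreated |
        Sort-Object whenChanged -Descending |
        Select-Object Name, objectClass, whenCreated, whenChanged
}

# Register the Schema snap-in on the machine you manage from (as in the notes):
#   regsvr32 schmmgmt.dll
Get-SchemaAdminsMembers
Get-SchemaMasterInfo
Get-RecentSchemaChanges -Days 30
```

    Run the last function again after the extension and compare the two lists; the delta is the set of classes and attributes the product actually added.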

    What Is Active directory Migration tool?

    The Active Directory Migration Tool (ADMT) helps migrate objects (users, groups, trusts etc.) from Windows NT 4.0 or

    later to Windows Server 2003, and can also be used to move user accounts and computers between domains.

    The migration tool can be installed from the Windows Server 2003 CD at \I386\Admt\admigration.msi. Groups must be migrated along with users, so that users retain their permissions.

    Provide us some more facts about object management tasks and tools?

    You should be familiar with the following object management tasks and tools:

    The Active Directory Migration Tool (ADMT) is a GUI-based utility that lets

    you migrate users and other objects between domains. The tool requires that thesource domain trust the target domain.

    You can use the ADMT to retain an object's SID.

    Moving an object within a domain retains its permissions.

    Deleting the object deletes existing permissions.

    You should rename or move an object rather than delete and recreate the object.

    The Ldp utility allows you to search for and view the properties of multipleActive Directory objects.

    If a computer that does not have a pre-created account is joined to the domain, a computer

    object is created by default in the Computers container (which is a container, not an OU, so no GPO can be linked to it).

    Use the Dsadd command to add an OU object to Active Directory from the

    command line.

    The easiest way to create a single OU in Active Directory is to use the ActiveDirectory Users and Computers snap-in in the MMC.

    To view the Lost And Found folder, select Advanced Features from the View

    menu in the Active Directory Users and Computers snap-in.

    List all the AD default objects and containers?

    When you install Active Directory, several objects and containers are automatically created. The

    following table lists the default containers and their contents.

    Container: Builtin
        Built-in domain local security groups. These groups are pre-assigned the permissions needed to perform domain management tasks.

    Container: Computers
        All computers joined to the domain without a pre-created computer account.

    Container: Domain Controllers*
        All domain controllers. This OU cannot be deleted.

    Container: ForeignSecurityPrincipals
        Proxy objects for security principals in NT 4.0 domains or domains outside of the forest.

    Container: LostAndFound**
        Objects moved or created at the same time an organizational unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller while administrators at other domain controllers add or move objects into the deleted OU before the change has replicated. During replication, such objects are placed in the LostAndFound container.

    Container: NTDS Quotas**
        Objects that contain limits on the number of objects users and groups can own.

    Container: Program Data**
        Application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it.

    Container: System**
        Configuration information about the domain, including security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP security policies.

    Container: Users
        Built-in user and group accounts. Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks.

    *Be aware that the Domain Controllers OU is the only default organizational unit object. All other default containers are just containers, not OUs. As such, you cannot link a GPO to any default container except the Domain Controllers OU.

    **By default, these containers are hidden in Active Directory Users and Computers. To view these containers, click View/Advanced Features from the menu.
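    Added example (not from the notes): locate the default containers by their well-known DNs and list the two places where objects end up without anyone choosing them, the Computers container (no GPO can reach it) and LostAndFound. It assumes the ActiveDirectory module from RSAT; the OU DNs in the redirect commands at the end are placeholders.

```powershell
# Added example: default containers and the two "nobody chose this" locations.
# Assumes the ActiveDirectory module (RSAT); OU names below are placeholders.
Import-Module ActiveDirectory

function Get-DefaultContainerReport {
    # Get-ADDomain exposes the well-known container DNs, so nothing here
    # depends on the display names in the table above.
    $d = Get-ADDomain
    [PSCustomObject]@{
        Users                     = $d.UsersContainer
        Computers                 = $d.ComputersContainer
        DomainControllers         = $d.DomainControllersContainer
        ForeignSecurityPrincipals = $d.ForeignSecurityPrincipalsContainer
        LostAndFound              = $d.LostAndFoundContainer
        NTDSQuotas                = $d.QuotasContainer
        System                    = $d.SystemsContainer
    }
}

function Get-UnmanagedComputers {
    # Computers joined without a pre-staged account land in CN=Computers.
    # It is a container, not an OU, so no GPO can be linked to it: anything
    # here receives domain-level policy only, which is rarely what you want.
    Get-ADComputer -Filter * -SearchBase (Get-ADDomain).ComputersContainer -SearchScope OneLevel `
        -Properties OperatingSystem, whenCreated |
        Select-Object Name, DNSHostName, OperatingSystem, whenCreated, Enabled
}

function Get-OrphanedObjects {
    # Objects created or moved into an OU while that OU was being deleted on
    # another DC are replicated into LostAndFound (hidden in AD Users and
    # Computers unless View > Advanced Features is on).
    Get-ADObject -Filter * -SearchBase (Get-ADDomain).LostAndFoundContainer -SearchScope OneLevel |
        Select-Object Name, ObjectClass, DistinguishedName
}

Get-DefaultContainerReport | Format-List
Get-UnmanagedComputers     | Format-Table -AutoSize
Get-OrphanedObjects        | Format-Table -AutoSize

# Fix the root cause: redirect the default locations to OUs that do carry
# policy. Both tools need the domain at the Windows Server 2003 functional
# level and Domain Admin rights; the OU DNs are placeholders.
#   redircmp "OU=Staging Computers,DC=corp,DC=example"
#   redirusr "OU=Staging Users,DC=corp,DC=example"
```

    Anything Get-UnmanagedComputers returns should be moved into a managed OU; anything Get-OrphanedObjects returns should be moved or deleted after finding out who created it.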

    What is Group policy?

    Group policy is a tool used to implement system configurations that can bedeployed from a central location through GPOs (Group Policy Objects)

    Group policy is a way to control and lock down what a user and computer can

    do.

    Group policy locks down the changes that can be made to a computer or

    user, which prevents an unstandardized network environment.

    Group policy can be used to centrally manage software installation, repairsoftware installation, provide updates to software and remove software from a

    computer.

    Group policy can be configured so that a user's data follows the user wherever they log on (folder redirection and roaming profiles).

    Can Group policy be linked?

    Group policy can be linked to:

    Sites

    Domains

    Organizational units.

    After you link a GPO to one of the above, for eg: a site, it applies to all the users and computers in that site.

    What is a group policy object?

    A group policy object (GPO) is a collection of group policy settings. Each Windows Server 2003 computer has one local group policy object and can be subject to any number of non-local (Active Directory-

    based) group policy objects. The local group policy can be overridden by Active Directory-based GPOs.

    The local GPO is stored in the %systemroot%\system32\GroupPolicy folder.

    Add more notes on GPO?

    Non-local GPOs are created in Active Directory.

    A Windows 2000 or Windows Server 2003 domain controller must be installed in order to use Active Directory-based group policy. When AD is installed, two non-local GPOs are created: a) Default Domain Policy b) Default Domain Controllers Policy.

    What are the two types of GPO used to apply Group policy?

    To apply Group policy there are two types of GPO, i.e. the local group policy object and non-local (Active Directory-based) group policy objects linked to sites, domains and organizational units.

    Mention the most important facts about Gpo?

    GPOs contain hundreds of configuration settings.

    GPOs can be linked to Active Directory sites, domain, or organizational units

    (OUs).

    GPOs include computer and user sections. Computer settings are applied at

    startup. User settings are applied at logon.

    A GPO only affects the users and computers beneath the object to which the

    GPO is linked. Group policy settings take precedence over user profile settings.

    A local GPO is stored on a local machine. It can be used to define settings evenif the computer is not connected to a network.

    GPOs are applied in the following order:

    Local

    Site


    Domain

    OU

    If GPOs conflict, the last GPO to be applied overrides conflicting settings.

    The Computers container is not an OU, so it cannot have a GPO applied to it.

    Group policy is not available for Windows 98/NT clients or Windows NT 4.0domains.

    You can use a GPO for folder redirection, which customizes where user files are

    saved. (For example, you can redirect the My Documents folder to point to a network drive where regular backups occur. Folder redirection requires Active Directory-

    based group policy.)

    Configuring a domain group policy to delete cached copies of roaming user profileswill remove the cached versions of the profile when a user logs off.

    If there is a conflict between a computer configuration setting and a user configuration

    setting, the user configuration setting is applied (unless loopback processing is enabled; see the loopback processing section).

    Q. Refreshing Group Policy

    By default, Computer Configuration group policy settings (except Software Installation and Folder Redirection) refresh every 5 minutes on domain controllers

    and every 90 minutes (plus a random offset between 0 and 30 minutes) for other computers.

    By default, User Configuration group policy settings (except Software Installation and Folder Redirection) refresh every 90 minutes (plus a random offset between 0 and 30 minutes).

    You can modify refresh rates by editing the properties of the following settings inGroup Policy:

    o Group Policy refresh interval for computers.

    o Group Policy refresh interval for Domain Controllers.

    o Group Policy refresh intervals for users.

    Software Installation and Folder Redirection don't refresh because it is too risky to install/uninstallSoftware or move files while users are using their computers.

    To manually refresh group policy settings, use the Gpupdate command with the following switches:

    Switch              Function

    (no switch)         Refresh user and computer-related group policy.

    /target:user        Refresh user-related group policy.

    /target:computer    Refresh computer-related group policy.


    How do you create and edit group policy?

    Group policy can be created with the Group Policy Object Editor (an MMC snap-in).

    You should know the following facts about editing a GPO:

    Group Policy Object Editor has two nodes:

    Computer Configuration to set Group Policies for computers.

    User Configuration to set Group Policies for users.

    You can extend each node's capabilities by using snap-ins.

    Use an Administrative Template file (.adm) to extend registry settings available

    in the Group Policy Editor.

    Use the Software setting to automate installation, update, repair, and removal of

    software for users or computers.

    The Windows setting automates tasks that occur during startup, shutdown,

    logon, or logoff.

    Security settings allow administrators to set security levels assigned to a local ornon-local GPO.

    These security settings can be imported from a security template (.inf file) if necessary.

    Explain about group policy inheritance?

    Controlling GPO application

    You should know the following about controlling GPO application:

    All GPOs directly linked to or inherited by a site, domain, or OU apply to all

    users and computers within that container that have Apply Group Policy andRead permissions.

    By default, each GPO you create grants the Authenticated Users group

    (basically all network users) Apply Group Policy and Read permissions.

    To apply settings to computers, configure the Computer Configuration node of a

    GPO.

    Group policy is not inherited from a parent domain to a child domain, but it is

    inherited from the domain to its OUs and from a parent OU to its child OUs.

    Edit Permissions

    You can control the application of GPOs by editing the permissions in the GPO access control list (ACL). (When you deny an object the required permissions to a

    GPO, the object will not receive the GPO.)

    To deny access to a GPO, add the user, group, or computer to the GPO permissions and deny the Apply Group Policy and Read permissions.

    To apply a GPO to specific users, groups, or computers, remove the Authenticated Users group from the GPO permissions. Add the specific user, group, or computer and grant the Apply Group Policy and Read permissions.

    Block Inheritance

    You can prevent Active Directory child objects from inheriting GPOs that are linked to the parent objects. To block GPO inheritance:

    Click the Group Policy tab for the domain or OU for which you want to block GPO

    inheritance.

    Select the Block Policy inheritance check box.

    You cannot block inheritance on a per-GPO basis. Blocking policy inheritance prevents the domain or

    OU (along with all the containers and objects beneath them) from inheriting GPOs, except GPOs whose link is set to No Override.

    No Override

    You should know the following facts about the No Override option (called Enforced in the Group Policy Management Console):

    No Override is set on a GPO link; it prevents the GPO's settings from being overridden by GPOs applied later (lower in the hierarchy) and it also overrides Block Policy Inheritance set on child containers.

    When No Override is set on more than one GPO, the GPO highest in the Active Directory hierarchy takes precedence.

    No Override cannot be set on a local GPO.
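    The ordering rules above (Local, Site, Domain, OU with last-applied-wins, Block Policy Inheritance and No Override) are easy to state and easy to get wrong in a real hierarchy. The PowerShell below, an added example that is not part of the original notes, is an offline model of those rules: it never talks to Active Directory, and the container names, GPO names and settings in the sample at the bottom are constructed for illustration.

```powershell
# Added example: offline model of the Group Policy ordering rules above.
# Nothing here talks to Active Directory; the container and GPO names in
# the sample at the bottom are made up for illustration.

function Resolve-GpoApplicationOrder {
    param(
        # Name of the local GPO; it is always applied first and Block
        # Policy Inheritance cannot drop it (it is not inherited from AD).
        [string] $LocalGpo = 'Local GPO',
        # AD containers from the top of the hierarchy down to the target:
        # site, domain, then each OU. Every entry is a hashtable:
        # @{ Name; Links = @(@{ Gpo; Enforced }); BlockInheritance }
        # with Links listed in link order (link order 1 first).
        [Parameter(Mandatory)] [hashtable[]] $Path
    )
    $normal   = New-Object 'System.Collections.Generic.List[string]'
    $enforced = New-Object 'System.Collections.Generic.List[string]'

    foreach ($container in $Path) {
        if ($container.BlockInheritance) {
            # Block Policy Inheritance throws away everything inherited so far,
            # but cannot touch GPOs whose link is set to No Override/Enforced.
            $normal.Clear()
        }
        $links  = @($container.Links)
        $plain  = @($links | Where-Object { -not $_.Enforced } | ForEach-Object { $_.Gpo })
        $forced = @($links | Where-Object { $_.Enforced }      | ForEach-Object { $_.Gpo })
        # A container's links are applied in reverse link order, so that
        # link order 1 is applied last and therefore wins.
        [array]::Reverse($plain)
        [array]::Reverse($forced)
        foreach ($gpo in $plain) { $normal.Add($gpo) }
        # Enforced GPOs are applied after all normal ones, and an enforced GPO
        # from a higher container is applied after those from lower containers,
        # so each container's enforced block is pushed to the front.
        $enforced.InsertRange(0, [string[]]$forced)
    }
    # Application order: the last entry wins a conflicting setting.
    return @($LocalGpo) + @($normal) + @($enforced)
}

function Resolve-EffectiveSettings {
    param([string[]] $Order, [hashtable] $GpoSettings)
    $effective = @{}
    foreach ($gpo in $Order) {
        foreach ($setting in $GpoSettings[$gpo].Keys) {
            $effective[$setting] = $GpoSettings[$gpo][$setting]   # a later GPO overwrites
        }
    }
    return $effective
}

# Sample (constructed): a kiosk OU whose admin blocked inheritance and linked
# a GPO that tries to switch logon auditing off.
$path = @(
    @{ Name = 'Site';      Links = @();                                                      BlockInheritance = $false }
    @{ Name = 'Domain';    Links = @(@{ Gpo = 'Default Domain Policy'; Enforced = $true  },
                                     @{ Gpo = 'Domain Baseline';       Enforced = $false }); BlockInheritance = $false }
    @{ Name = 'OU=Kiosks'; Links = @(@{ Gpo = 'Kiosk Lockdown';        Enforced = $false }); BlockInheritance = $true  }
)
$settings = @{
    'Local GPO'             = @{ ScreenSaverTimeout = 3600 }
    'Default Domain Policy' = @{ AuditLogonEvents = 'Success,Failure' }
    'Domain Baseline'       = @{ ScreenSaverTimeout = 900; DisableCmd = $false }
    'Kiosk Lockdown'        = @{ AuditLogonEvents = 'None'; DisableCmd = $true }
}
$order = Resolve-GpoApplicationOrder -Path $path
$order -join ' -> '          # Local GPO -> Kiosk Lockdown -> Default Domain Policy
Resolve-EffectiveSettings -Order $order -GpoSettings $settings
# AuditLogonEvents stays 'Success,Failure': the enforced domain GPO beats both
# the block and the OU's own GPO. ScreenSaverTimeout falls back to the local
# GPO's 3600, because the block dropped Domain Baseline but not the local GPO.
```

    The point the sample makes: an OU administrator who blocks inheritance cannot switch off auditing that the domain enforces, but the same block silently reverts every non-enforced domain setting to whatever the local GPO (or the default) says, which is why baselines that matter should be enforced.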

    What is Group policy filtering?

    Group policy filtering can be used to restrict a GPO to the users and computers that need it.

    Eg: the Administrators group can be taken out of a "Lock desktop" GPO so that the lockdown is not

    applied to administrators. GPOs can be filtered in two ways:

    Denying the read and Apply Group policy permissions.

    Removing the Authenticated users group from the ACL and adding custom

    groups to control GPO application.

    What is Wmi filtering?

    We use Windows Management instrumentation (WMI) query to filter the scope of a Gpo

    and control the objects affected by the Gpo.

    You can use WMI queries to filter the scope of GPOs.

    WMI filtering is similar to using security groups to filter the scope of GPOs.

    WMI queries are written in WMI query language (WQL).
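    Added example covering both the security filtering section and the WMI filtering section above; it is not from the notes. It assumes the GroupPolicy module from RSAT (Windows Server 2008 R2 or later; on Windows Server 2003 the same edits are made on the GPO's Delegation tab and in the WMI Filters node of GPMC), an existing GPO passed as -GpoName, and a group name passed as -Group; both are placeholders.

```powershell
# Added example: security-filter a GPO to one group and test a WMI filter
# query before attaching it. Assumes the GroupPolicy module (RSAT) and an
# existing GPO; the GPO and group names are placeholders.
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $Group    # e.g. 'Kiosk Users'
    )
    # Second filtering method from the notes: drop Apply from Authenticated
    # Users but keep Read (the computer account needs Read to process the
    # user settings since the MS16-072 change), then grant Apply to the group.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # The first method (an explicit Deny of Apply Group Policy, e.g. for
    # Administrators) is not exposed by Set-GPPermission; set it under
    # Delegation > Advanced in GPMC.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

function Test-WmiFilterQuery {
    param([Parameter(Mandatory)] [string] $Query)
    # A GPO with a WMI filter is applied only where the WQL query returns at
    # least one instance; run it locally to see which way this machine goes.
    $hits = @(Get-CimInstance -Query $Query -ErrorAction Stop)
    [PSCustomObject]@{ Query = $Query; Matches = $hits.Count; Applies = ($hits.Count -gt 0) }
}

# Workstations only (ProductType 1 = workstation, 2 = DC, 3 = member server):
Test-WmiFilterQuery -Query 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"'
# Machines with at least 4 GB RAM (TotalPhysicalMemory is in bytes):
Test-WmiFilterQuery -Query 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 4294967296'
# Set-GpoSecurityFilter -GpoName 'Lock Desktop' -Group 'Kiosk Users'
```

    The stock GroupPolicy module has no cmdlet to create or link a WMI filter; test the query with Test-WmiFilterQuery, then create the filter in GPMC and attach it on the GPO's Scope tab. Remember that a WMI filter is evaluated on every refresh and a query that errors out (for example, a typo in the class name) makes the GPO silently not apply.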

    Q.What is Loopback processing?

    By default, Group Policy applies Computer Configuration GPOs during startup and User

    Configuration GPOs during logon. User Configuration settings take precedence in the event of a conflict.

    You can control how Group Policy is applied by enabling loopback processing. Following are some

    circumstances when you might use loopback processing:

    If you want Computer Configuration settings to take precedence over User

    Configuration settings.

    If you want to prevent User Configuration settings from being applied.

    If you want to apply User Configuration settings for the computer, regardless of

    the location of the user account in Active Directory.

    Loopback processing is typically used to apply User Configuration settings to special computers located

    in public locations, such as kiosks and public Internet stations.

    Keep in mind the following about how loopback processing works.

    Loopback processing runs in Merge or Replace mode.

    Merge mode applies the user's own GPOs first, then the User Configuration settings of the GPOs that apply to the computer, which win in any conflict.

    Replace mode ignores the user's own GPOs and applies only the User Configuration settings of the GPOs that apply to the computer.

    To enable loopback processing:

    Create or edit a GPO to distribute to computers on which you want to enable

    loopback processing mode. Choose Group Policy from the System node of

    Administrative Templates in Computer Configuration. Right-click User Group Policy loopback processing mode and click Properties.

    Click Enabled. Choose Merge mode or Replace mode.

    What Is Gpresult?

    Gpresult is a command line tool that allows you to examine the policy settings

    of specific users and computers.

    Start Gpresult by entering gpresult at the command line (use the /? switch for syntax help).

    Gpresult can show the following:

    o Last application of Group Policy and the domain controller from which

    policy was applied.

    o Detailed list of the applied GPOs.

    o Detailed list of applied Registry settings.

    o Details of redirected folders.

    o Software management information, like information about assigned and

    published software.

    What is Rsop?

    RSoP (Resultant Set of Policy) is the accumulated result of the group policies applied to a user or

    computer. You should know the following facts about RSoP:

    The RSoP wizard reports on how GPO settings affect users and computers. The wizard runs in two modes: logging and planning.

    The RSoP wizard logging mode reports on existing group policies applied

    against computers or users.

    The RSoP wizard planning mode simulates the effects policies would have if

    applied to computers or users.

    You can access the Resultant Set of Policy (RSoP) wizard in various ways. Here are some common ways:

    Install the RSoP wizard as an MMC snap-in


    Use the Start > Run sequence and run Rsop.msc.

    You can also select an object in Active Directory Users and Computers and

    select Resultant Set of Policy (in planning or logging mode) from the All Tasks menu.

    Note: Both RSoP and gpresult are used to identify the net effect of all applied GPOs.

    What Is Gpupdate?

    Gpupdate is Group policy update.

    It is used to force the update of Group policy settings.
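    One end-to-end example, added here and not taken from the notes, ties the loopback processing, gpresult/RSoP and gpupdate sections together: enable loopback in a kiosk GPO, force a refresh, then read back which GPOs actually applied and why any did not. It assumes the GroupPolicy module from RSAT, an existing GPO (the name 'Kiosk Lockdown' is a placeholder) linked to the OU that holds the kiosk computer accounts, a user account name that is a placeholder, and the element names gpresult /x writes into its XML report.

```powershell
# Added example: turn on loopback processing in a GPO, refresh, and read
# back which GPOs applied. Assumes the GroupPolicy module (RSAT); the GPO
# name, the user name and the XML element names are as described above.
Import-Module GroupPolicy

function Enable-LoopbackProcessing {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [ValidateSet('Merge', 'Replace')] [string] $Mode = 'Replace'
    )
    # "User Group Policy loopback processing mode" is stored under
    # HKLM\Software\Policies\Microsoft\Windows\System as UserPolicyMode:
    # 1 = Merge, 2 = Replace. It is a Computer Configuration setting, so the
    # GPO must reach the computer object, not the user.
    $key   = 'HKLM\Software\Policies\Microsoft\Windows\System'
    $value = if ($Mode -eq 'Merge') { 1 } else { 2 }
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode' -Type DWord -Value $value | Out-Null
    Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode'
}

function Get-AppliedGpoReport {
    param([string] $Computer = $env:COMPUTERNAME, [string] $User)
    # Same data as "gpresult /r", but parsed from the XML report, which is
    # not locale dependent. -User needs an account that has logged on there.
    $report = Join-Path $env:TEMP ('rsop-{0}.xml' -f [guid]::NewGuid())
    $params = @{ Computer = $Computer; ReportType = 'Xml'; Path = $report }
    if ($User) { $params.User = $User }
    Get-GPResultantSetOfPolicy @params | Out-Null
    $xml = [xml](Get-Content -Path $report -Raw)
    Remove-Item $report
    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in @($xml.Rsop.$scope.GPO)) {
            if ($null -eq $gpo) { continue }
            [PSCustomObject]@{
                Scope    = $scope
                Name     = $gpo.Name
                LinkedAt = $gpo.Link.SOMPath
                Enforced = $gpo.Link.NoOverride
                # Applied only if enabled, both halves (AD and SYSVOL) are
                # consistent, and the security and WMI filters let it through.
                Applied  = ($gpo.Enabled -eq 'true' -and $gpo.IsValid -eq 'true' -and
                            $gpo.FilterAllowed -eq 'true' -and $gpo.AccessDenied -eq 'false')
            }
        }
    }
}

# 1. Enable-LoopbackProcessing -GpoName 'Kiosk Lockdown' -Mode Replace
# 2. gpupdate /target:computer /force    # pull the new computer setting now;
#                                        # loopback itself only shows at the next logon
# 3. Get-AppliedGpoReport -User 'CORP\kiosk01' | Format-Table -AutoSize
```

    After step 3 the UserResults rows on a kiosk in Replace mode should list only the GPOs linked at the kiosk OU and above; if a GPO you expect is present with Applied = False, the remaining columns say whether a security filter (AccessDenied), a WMI filter (FilterAllowed) or a broken GPO (IsValid) is the reason, which is the same information gpresult /r gives under "filtered out".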

    What is a Gpotool?

    Gpotool is a command line tool (from the Windows Server 2003 Resource Kit) which lets us check the health of GPOs on

    domain controllers.

    It can also be used to check GPOs for consistency between the Active Directory part and the SYSVOL part of each GPO.

    It can also be used to make sure GPOs have been replicated to all domain controllers.

    It will allow us to display information about a particular GPO.

    What are the tasks a Domain admin can do?

    They cannot link GPOs to sites, because sites live in the forest-wide configuration partition.

    They can do anything within the domain, like creating GPOs and linking GPOs in the

    domain.

    What are the tasks can enterprise admin do?

    Enterprise Admins can do almost anything in any domain throughout the forest.

    They can link GPOs to sites.

    What is Installer package?

    Installer package is a file that has instructions on how to install and remove a

    specific program.

    .Msi is windows installer package file.

    Windows installer package we can choose to install a part of the application

    instead of the complete application.

    Additional installer files include:

    .mst (transform file allows to customize the installation of an application)

    .msp (patch file used to update existing msi files with patches and service

    packs)

    .zap (text file with instructions for installing a program that has no .msi package; a .zap package can only be published to users, not assigned)

    What is a distribution point?

    Software distribution point is a location where users or computer go to access the software

    files.

    It is a network share that holds the software installation files.

    Users should have Read access to this distribution point, and only administrators should have Write access; anyone who can modify the share can replace the package that every client will install.


    What is the difference between Publishing software and assigning software?

    Publishing an application, here the application does not appear as installed on

    the users computers

    There would be no shortcuts visible neither updates made to the registry.

    Application would show up in Add/Remove Programs and can be installed by users as needed.

    An assigned application is advertised (shortcuts and registry entries are created) and installed on first use or, when assigned to a computer, at startup.

    Application can be assigned to computers or users as needed.

    Application assigned to user would show up in the start menu when the user

    logs in from any computer.

    Application assigned to a computer, it would show up in start menu and would

    be available to any user who logs on to the computer.

    Note: a Published/Assigned/Advanced choice pops up when you add an .msi file to a GPO; assigning the package to a computer

    installs the application when the computer boots up.

    How to uninstall software from all the users and computers?

    Click on the software settings in Group policy editor and right click on the msi

    files ->all tasks->remove.

    This will remove applications for all the users.

    What is software restriction policy?

    The GPO editor has a Software Restriction Policies node where you can control what runs on users' computers,

    starting from blocking executables (by path, hash or certificate), with rules that can also be based on Internet Explorer security zones.
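    Added example, not from the notes: a default-deny Software Restriction Policy built from PowerShell, the form a practitioner actually deploys (everything blocked except the Windows and Program Files trees). It assumes the GroupPolicy module from RSAT and an existing GPO whose name is a placeholder. The registry layout under Safer\CodeIdentifiers is the one the SRP editor writes into the GPO's Registry.pol; compare the result against a GPO built in the editor before relying on it.

```powershell
# Added example: default-deny Software Restriction Policy in a GPO.
# Assumes the GroupPolicy module (RSAT) and an existing GPO (placeholder name).
# Registry layout: what the SRP editor writes under Safer\CodeIdentifiers.
Import-Module GroupPolicy

function Set-SrpDefaultDeny {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [string[]] $AllowedPaths = @('%SystemRoot%', '%ProgramFiles%'),
        [switch]   $ExemptAdministrators
    )
    $base = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $reg  = @{ Name = $GpoName; Key = $base }

    # Security level applied to anything no rule matches:
    # 262144 (0x40000) = Unrestricted (the editor's default), 0 = Disallowed.
    Set-GPRegistryValue @reg -ValueName 'DefaultLevel' -Type DWord -Value 0 | Out-Null
    # Enforcement: 1 = all software files except libraries (DLLs), 2 = all files.
    Set-GPRegistryValue @reg -ValueName 'TransparentEnabled' -Type DWord -Value 1 | Out-Null
    # 0 = apply to all users, 1 = all users except local administrators.
    Set-GPRegistryValue @reg -ValueName 'PolicyScope' -Type DWord -Value ([int]$ExemptAdministrators.IsPresent) | Out-Null
    # File types SRP treats as executable (the editor's default list).
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
             'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
    Set-GPRegistryValue @reg -ValueName 'ExecutableTypes' -Type MultiString -Value $types | Out-Null

    # Path rules sit under <level>\Paths\{guid}; level 262144 = Unrestricted,
    # so these are the allow-list exceptions to the default deny. %ProgramFiles%
    # is only a safe exception if ordinary users cannot write into it.
    foreach ($path in $AllowedPaths) {
        $ruleKey = '{0}\262144\Paths\{1}' -f $base, [guid]::NewGuid().ToString('B')
        Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'ItemData'    -Type ExpandString -Value $path | Out-Null
        Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'SaferFlags'  -Type DWord        -Value 0     | Out-Null
        Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'Description' -Type String       -Value "Allow $path" | Out-Null
    }
    Get-GPRegistryValue -Name $GpoName -Key $base | Select-Object ValueName, Value
}

# Set-SrpDefaultDeny -GpoName 'Workstation SRP' -ExemptAdministrators
# After "gpupdate /force" on a test client, a binary started from %TEMP% is
# blocked and SoftwareRestrictionPolicies event 865 is written to the
# Application log; that log is also where you find what to allow-list.
```

    Link the GPO to a test OU first and run it in a loose form (DefaultLevel unrestricted, path rules disallowing a single directory) until the event log shows nothing legitimate being blocked; only then flip DefaultLevel to 0. Path rules are only as strong as the NTFS permissions on the allowed directories, which is why user-writable locations under the allowed trees need their own Disallowed rule.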