Active Directory TOTAL - QA

SAGAR
1. What is Active Directory ?

Ans: Microsofts directory database for Windows 2000/2003 networks.
Stores information about resources on the network and provides a means
of centrally organizing, managing, and controlling access to the resources.
2. What is LDAP ?
Ans: Lightweight Directory Access Protocol. It is a database of active
directory and is used to store the active directory objects in windows
2000. It is named as Active Directory in windows 2000/2003.
3. What is DNS ?
Ans: Domain Name System) - The Internet naming scheme which consists
of a hierarchical sequence of names, from the most specific to the most
general (left to right), separated by dots,
And it is the system which translates the internet domain name into IP
address and vice-versa.
The Server, which translates such types of request, is DNS server.
4. How do you check DNS is working or how do you check the service record
of DNS is working?
Ans: nslookup command is used to check the DNS server.
Go to command prompt
After you have setup your DNS Server, its very important to check that
the entries which are populated to the Internet are correct. You can use
the following checklist using nslookup.
Start nslookup for the desired DNS Server
nslookup
> server 193.247.121.196
Default Server: rabbit.akadia.ch
Address: 193.247.121.196
Check Start of Authority (SOA)
set q=SOA
> akadia.com
Server: rabbit.akadia.ch
Address: 193.247.121.196
akadia.com
origin = rabbit.akadia.com
mail addr = postmaster.akadia.com
serial = 2000061501
refresh = 10800 (3H)
retry = 3600 (1H)
expire = 604800 (1W)
minimum ttl = 86400 (1D)
akadia.com nameserver = rabbit.akadia.com
akadia.com nameserver = lila.thenet.ch
rabbit.akadia.com internet address = 193.247.121.196
lila.thenet.ch internet address = 193.135.252.2
Check the Nameservers (NS)
set q=NS
> akadia.com
Address: 193.247.121.196
Check E-Mail MX-Records (MX)
set q=MX
> akadia.com
Address: 193.247.121.196
akadia.com preference = 20, mail exchanger = opal.akadia.com
akadia.com preference = 10, mail exchanger = rabbit.akadia.com
opal.akadia.com internet address = 193.247.121.197
Check everything (ANY)
set q=any
> akadia.com
Address: 193.247.121.196
akadia.com preference = 10, mail exchanger = rabbit.akadia.com
akadia.com preference = 20, mail exchanger = opal.akadia.com
akadia.com
origin = rabbit.akadia.com
mail addr = postmaster.akadia.com
serial = 2000061501
refresh = 10800 (3H)
retry = 3600 (1H)
expire = 604800 (1W)
minimum ttl = 86400 (1D)
opal.akadia.com internet address = 193.247.121.197
Lookup all hosts within a domain
ls -d akadia.com
type=X
- set query type (ex. A,ANY,CNAME,MX,NS,PTR,SOA,SRV)
5. What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is a communications protocol
that lets network administrators manage and automate the assignment of
Internet Protocol (IP) addresses in an organizations network. DHCP allows

devices to connect to a network and be automatically assigned an IP
address.
6. what is WINS? And what is the difference between WINS and DNS.
Windows Internet Name Server, it translate the NetBIOS name to IP
address.
DNS translate the FQDN name to IP address. FQDN Name consists of zone
name, domain name and host name and these are separated by dots. And
it resolve this address into IP address.
WINS does not translate from FQDN name to IP address.
7. Why DNS is required for AD not WINS?
The naming structure of Active Directory objects is based on Internet
Naming System. It consists of hierarchal naming structure separated by
dots. And to resolve computer record/ service record / mail exchange
records, a service is required which support such type of translation/
resolution. And DNS fits very much to this service. In fact Active Directory
is of no use without DNS. Thats why DNS is very much required for Active
directoy.
8. What is Disaster Recovery.
Disaster recovery is the process to bring the server on line in short period
of time and less effect to the business in disaster.
Disaster recovery is consists of
a. Backup
b. Recovery console
c. ASR ( Automated System Recovery) in Windows 2003 and ERD in
Windows 2000
9. What is the difference between Authoritative and Non-Authoritative
Restore.
a. Authoritative Restore:
The main purpose of Authoritative restore is to undo or roll back
changes that have been made to active directory, or to reset data
stored in a distributed directory such as sysvol.
b. Non-Authoritative Restore.
The data and distributed services on a domain controller are
restored from a backup media and then updated through normal
replication.
Example: If a restore backup contains a user named Mark and the
user was deleted after last backup, the mark user object will also be
deleted on the restored domain controller via the replication
process
Reason for Non-Authoritative Restore
I. Restoring a single domain controller in an environment
that includes multiple domain controller
II. Attempting to restore SYSVOL or File Replication Service

data on domain controllers.
c. Primary Restore
New in windows 2003
Reason for Primary Restore
I.
Restoring the only domain controller in an Active

Directory Environment
II.
Restoring the first of several domain controllers
III.
Restoring the first domain controller in a replica set.
When All the domain controller or the only domain controller in a

domain have failed, primary restore in needed. If a domain is lost,
the first domain controller should be restored as primary restore,
and any subsequent domain controller should be restored using a
Normal or Non-Authoritative restore.
10.What is File Replication Service

The replication service maintains identical sets of files and directories on
different servers and workstations. When files are updated on one server,
the file replication service replaces the corresponding files on other
servers and workstations with the updated files. The replication process
simplifies the task of updating and coordinating files, and maintains the
integrity of the replicated data.
11.What are backed up in System State Backup.
In System State Backup
I.
The System Registry
II.
The COM+ Class Registration Database
III.
The boot files

a) Boot.ini
b) Ntdetect.com
c) Ntldr
d) Bootsect.dos
e) Ntbootdd.sys
IV.
System files protected by windows File Protection

Service
V.
Certificate Service Database if installed.
VI.
Active Directory and Sysvol folder on the DC.
VII.
Cluster Service information on cluster server
VIII.
Internet Information Server Metabase.
12.What is Forest, Domain, Schema, Global Catalogue, Universal Group

Caching?
Forest:
Tree is collection of hierarchal structure of domains that share a common

name space and are connected by transitive trust relationship. And the
collection of such trees are called forest.
Domain:
Active Directory environment are logical groupings of resources that
ultimately forms units of replication. And logical grouping of these units
are Domains.
Schema:
Schema represents the definitions of all objects types that exists within
Active Directory and their associated attributes. The schema is stored on
all domain controllers throughout the forest. It controls all updates and
modification to schema. Schema is make up of class and attributes.
Global Catalogue:
It:
I.
Information about all Active Directory Objects from all

domains in a single forest.
II.
Stores information of universal groups and their associated

membership.
III.
Forwarding authentication request to the appropriate domain

when user principal name is used to log on.
IV.
Validate object references within a forest.
Universal Group Membership Caching:

UGMC helps to reduce the number of universal group membership queries
that need to be forwarded across a WAN link when a user attempts to log
on.
By default UGMC updates the Universal Group Membership information
every 8 hours for a user.
Benefit of UGMC:
I.
Faster user login times, because the global catalogue server

does not need to be contacted for all logon requests.
II.
Reducing the need to place global catalogue servers in each

site.
III.
Reducing the usage of WAN bandwidth usage associated with

Global Catalogue replication.
Note: Where a high member of directory queries are expected global

catalogue at each site represents the best possible solution.
13.What are common reasons to split domain?
These are:
I. Different password requirements are defined for different
domains
II. Administration of specific domain wide feature, user
account, security policy is decentralized.
III.Extraordinarily large amounts (numbers) of objects are
created.
IV. More control over replication is required.
14.What is stub zone?

Stub zone is new in Windows 2003 Server. It contains read-only resource
record which it obtains from other name servers. But it contains only three
types of resource record
I.
A copy of SOA record for the servers
II.
Copies of NS records for all name servers authoritative

for the zone.
Copies of A records for all name servers authoritative for
the zone
III.
It does not contain CNAME records, MX records, SRV records, or A records

for other hosts in the zone. The most important benefit for stub zone
is to reduce the network traffic over WAN link connection and
time to resolve the resource records queries.
15.What is the steps and commands to restore?
I.
Start the computer in Directory Service Restore Mode.
II.
Restore the backup from the media as in NonAuthoritative Mode.
III.
After restore complete do not restart the computer.
IV.
Go to command prompt
V.
Enter into ntdsutil
E:\ntdsutil>ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore object
OU=bosses,DC=ourdom,DC=com
Opening DIT database... Done.
The current time is 06-17-05 12:34.12.
Most recent database update occurred at 06-16-05 00:41.25.
Increasing attribute version numbers by 100000.
Counting records that need updating...
Records found: 0000000012
After Completing the authoritative restore restart the
computer.
16.How may types of backup and advantage and disadvantage?
Types of Backup
There are different kinds of backups, the following lists some of them:
Full Backup
Full backup is the starting point for all other backups, and contains all the
data in the folders and files that are selected to be backed up. Because
full backup stores all files and folders, frequent full backups result in faster
and simpler restore operations. Remember that when you choose other
backup types, restore jobs may take longer.
Advantages
Disadvantages
Restore is the fastest

Backing up are the slowest
The storage space requirements are the highest
Incremental Backup
An incremental backup backs up only those files created or changed since
the last normal or incremental backup. It marks files as having been
backed up (in other words, the archive attribute is cleared). If you use a
combination of normal and incremental backups, you will need to have the
last normal backup set as well as all incremental backup sets in order to
restore your data.
Advantages
Disadvantages
Backing up are the fastest

The storage space requirements are the lowest
Restore is the slowest
Differential Backup
A differential backup copies files created or changed since the last normal
or incremental backup. It does not mark files as having been backed up (in
other words, the archive attribute is not cleared). If you are performing a
combination of normal and differential backups, restoring files and folders
requires that you have the last normal as well as the last differential
backup.
Advantages
Restore is faster than restoring from incremental
backup
Backing up is faster than a full backup
The storage space requirements are lower than
for full backup
Disadvantages
Restore is slower than restoring from full
backup
Backing up is slower than incremental backup
The storage space requirements are higher than
for incremental backup
17.What are the ports numbers of these?
TCP/UDP Port
DNS
DHCP
RDP
LDAP
SMTP
POP
IMAP
HTTP
TELNET
KERBEROS
SNMP
IRC
NNTP
MS EXCH ROUTING
MS SQL
FTP
Number
53
67 & 68
3389
389
25
110
143
80
23
88
161
194
119
691
1433
20 & 21
Secure
N/A
N/A
N/A
636
465
995
993
443
992
N/A
N/A
N/A
563
18.How to know the size of Active directory Database?

The size of ntds.dit will often be different sizes across the domain
controllers in a domain. Remember that Active Directory is a multi-master
independent model where updates are occuring in each of the ADs with
the changes being replicated over time to the other domain controllers.
The changed data is replicated between domain controllers, not the

database, so there is no guarantee that the files are going to be the same
size across all domain controllers.
Start/Reboot
Press F8
Choose Directory Services Restore Mode and press ENTER.
Press ENTER again to start the boot process.
Logon using the password defined for the local Administrator
account
Open the Command Prompt
At the command prompt,
Run the ntdsutil command.
When ntdsutil has started
Type files and press ENTER.
Type info and then press ENTER. This will display current
information about the path and size of the Active Directory
database and its log files
19.What are the FSMO roles?
In a forest there are 5 FSMO roles.
I.
Schema Master
II.
Domain Naming Master
III.
Infrastructure Master
IV.
Relative ID Master.
V.
PDC Emulator
I. Schema Master:
The schema master domain controller controls all updates and
modifications to the schema. Once the Schema update is complete,
it is replicated from the schema master to all other DCs in the
directory. To update the schema of a forest, you must have access
to the schema master. There can be only one schema master in the
whole forest.
II. Domain Naming Master
The domain naming master domain controller controls the addition
or removal of domains in the forest. This DC is the only one that can
add or remove a domain from the directory. It can also add or
remove cross references to domains in external directories. There
can be only one domain naming master in the whole forest.
III. Infrastructure Master
When an object in one domain is referenced by another object in
another domain, it represents the reference by the GUID, the SID
(for references to security principals), and the DN of the object
being referenced. The infrastructure FSMO role holder is the DC
responsible for updating an object's SID and distinguished name in
a cross-domain object reference. At any one time, there can be only
one domain controller acting as the infrastructure master in each
domain.
Note: The Infrastructure Master (IM) role should be held by a

domain controller that is not a Global Catalog server (GC). If the
Infrastructure Master runs on a Global Catalog server it will stop
updating object information because it does not contain any
references to objects that it does not hold. This is because a Global
Catalog server holds a partial replica of every object in the forest.
As a result, cross-domain object references in that domain will not
be updated and a warning to that effect will be logged on that DC's
event log. If all the domain controllers in a domain also host the
global catalog, all the domain controllers have the current data, and
it is not important which domain controller holds the infrastructure
master role.
IV. Relative ID Master
The RID master is responsible for processing RID pool requests from
all domain controllers in a particular domain. When a DC creates a
security principal object such as a user or group, it attaches a
unique Security ID (SID) to the object. This SID consists of a domain
SID (the same for all SIDs created in a domain), and a relative ID
(RID) that is unique for each security principal SID created in a
domain. Each DC in a domain is allocated a pool of RIDs that it is
allowed to assign to the security principals it creates. When a DC's
allocated RID pool falls below a threshold, that DC issues a request
for additional RIDs to the domain's RID master. The domain RID
master responds to the request by retrieving RIDs from the
domain's unallocated RID pool and assigns them to the pool of the
requesting DC. At any one time, there can be only one domain
controller acting as the RID master in the domain.
V. PDC Emulator
The PDC emulator is necessary to synchronize time in an
enterprise. Windows 2000/2003 includes the W32Time (Windows
Time) time service that is required by the Kerberos authentication
protocol. All Windows 2000/2003-based computers within an
enterprise use a common time. The purpose of the time service is
to ensure that the Windows Time service uses a hierarchical
relationship that controls authority and does not permit loops to
ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The
PDC emulator at the root of the forest becomes authoritative for the
enterprise, and should be configured to gather the time from an
external source. All PDC FSMO role holders follow the hierarchy of
domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder
retains the following functions:
Password changes performed by other DCs in the domain are

replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain
because of an incorrect password are forwarded to the PDC
emulator before a bad password failure message is reported to the
user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done

from the GPO copy found in the PDC Emulator's SYSVOL share,
unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft
Windows NT 4.0 Server-based PDC or earlier PDC performs for
Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all
workstations, member servers, and domain controllers that are running
Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The
PDC emulator still performs the other functions as described in a Windows
2000/2003 environment
20.What are the files of active directory
NTDS.DIT
Main Database File
Edb.chk
Checkpoint log file
Edb.log
Transaction Log Files (If more than one log files, its name
becomes edbhhhhhh.log. Where hhhhhh is the hexadecimal
numbers.
.pat
Patch files - Manages data while backups are done.
res1.log
& res2.log Reserve log files - Reserves hard drive space for transaction
log files
21.What is the location of NTDS.DIT file?

%systemroot%\ntds\ntds.dit
22.What is difference between Primary and Secondary DNS servers?
Primary DNS server contains the read-write copy of the zone data
base
Secondary DNS server contains read only copy of the zone
database.
Primary DNS server can be an Active Directory Integrated.
Secondary DNS server can not be.
Secondary DNS server updates the DNS records from the Primary
DNS server.
23.How the Secondary DNS server get the updates from Primary DNS server?
Tell me the process
The actual data transfer process is started by the client on client
server mechanism.
With every new record entry, edit or update in the primary server,
the serial number increases and it makes two changes one to the
record and other to the zone serial number
The first record updated is SOA record.
Others are not any specified order
The end of update is signaled by SOA record
24.What is conditional forwarding in DNS?
Conditional forwarding is the process to forward the client request to the
exact DNS server for a particular domain name resolution request. DNS
server needs to configure for conditional forwarding.
For example a DNS server is configured for domain.com

And a client sends a request for name resolution for host.microsoft.com.
And this DNS server does not host any record for Microsoft.com domain. In
this case this DNS server may be configured to forward all the name
resolution request for Microsoft.com to the DNS server which host such
types of records.
http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_For
warding_in_Windows_Server_2003.html
To configure conditional forwarding
Go to DNS server properties
Forwarders
Click New
Enter the domain name in DNS domain text box
OK
Add the IP address for that domain
OK
25.What is TCP and IP?
TCP:
1. It provides a reliable-connection oriented packet delivery service
2. Guarantees delivery of IP datagram.
3. Perform segmentation and reassembly of large block of data sent by
programs.
4. Ensures proper sequencing and ordered delivery of segmented
data.
5. Perform check on the integrity of transmitted data by using
checksum calculation
6. Sends acknowledgement of the received data.
IP:
1.
IP is a connectionless, unreliable datagram
protocol.
2.
Primarily responsible for addressing and
routing packets between hosts
3.
IP does not attempt to recover from these
types of error..
VINAY
1)PORTS
DNS -53 TCP/UDP
HTTP80 HTTPS -443
POP-110
SMTP-25
FTP-21 only TCP
Telnet -23
DHCP-67 server only UDP
DHCP-68-Clint Only UDP
Kerberos
88 Tcp /Udp
NetBIOS 137 TCP/UDP
AD Port (Global catalog) ---3268
LDAP -389 TCP.
RDP 3389 TCP this use TS client to connect server (remote desktop Protocol )
2)AD replication Protocol IP /SMTP /File replication Service this is service (IMP
for Ad replication)
Bridge Head server use every site one Bridge Head Server it replication with
other Dc within Site
That Bridge head server replicate with other Bridge head server in other site
.
3) Forest concept
4) Tree concept
5) Stored in Active Directory
A)The Schema Partition
The schema partition stores two types of information: class and attribute schema
definitions. The schema classes define all the types of objects that can be
created and stored in Active Directory. The schema attributes define all the
properties that can be used to describe the objects that are stored in
Active Directory. When you install the first Exchange 2007 server role in the
forest, the Active Directory preparation process adds many classes and attributes
to the Active Directory schema. The classes that are added to the schema are
used to create Exchange-specific objects, such as agents and connectors. The
attributes that are added to the schema are used to configure both the
Exchange-specific objects, and the mail-enabled users and groups. These
attributes include properties, such as Office Outlook Web Access settings and
unified messaging settings. Every domain controller and global catalog server in
the forest contains a complete replica of the schema partition.
B)The Configuration Partition
The configuration partition stores information about the forest-wide
configuration. This data includes how Active Directory sites are configured, how
information is displayed, and network services. Each type of configuration
information is stored in a container in the configuration partition. Exchange
configuration information is stored in a subfolder under the configuration
partition's Services container. The information that is stored in this container
includes the following:
Address lists
Address and display templates
Administrative groups
Connections
Messaging Records Management, mobile, and unified messaging
mailbox policies
Global settings
Recipient policies
System policies
Transport settings
Every domain controller and global catalog server in the forest contains a
complete replica of the configuration partition.
C)The Domain Partition
The domain partition stores information in default containers and in

organizational units that have been created by the Active Directory
administrator. These containers hold the domain-specific objects. This data
includes Exchange system objects and information about the as computers,
users, and groups in that domain. When Exchange 2007 is installed, Exchange
updates the objects in this partition to support Exchange functionalities. This
includes storing and accessing recipient information. Each domain controller
contains a complete replica of the domain partition for the domain for which it is
authoritative. Every global catalog server in the forest contains a subset of every
domain partition in the forest.
5)Trust ---- two way trust (AD always ), one way trust, shortcut trust (It is direct
trust with DC to Dc no need to trust forest level this future in only windows 2003
and in windows 2003 we can make trust forest to forest it not happened in
windows 2000)
6)What is Global catalog ---?
The global catalog contains a partial replica of every Windows 2000 domain in
the directory. The GC lets users and applications find objects in an Active
Directory domain tree given one or more attributes of the target object. It also
contains the schema and configuration of directory partitions. This means the
global catalog holds a replica of every object in the Active Directory, but with
only a small number of their attributes. ...
7)DNS types of DNS primary, secondary, forwarder DNS (Also ISP kept), Cache
DNS (ISP).
8)Types of DNS Records Host, NS, SOA and MX Record for Exchange mail pls do
9)PTR Record use for Reveres lookup zone (IP into HOST)
Q1. What is DNS.
DNS provides name registration and name to address resolution capabilities. And
DNS drastically lowers the need to remember numeric IP addresses when
accessing hosts on the Internet or any other TCP/IP-based network.
Before DNS, the practice of mapping friendly host or computer names to IP
addresses was handled via host files. Host files are easy to understand. These
are static ASCII text files that simply map a host name to an IP address in a
table-like format. Windows ships with a HOSTS file in the
\winnt\system32\drivers\etc subdirectory
The fundamental problem with the host files was that these files were labor
intensive. A host file is manually modified, and it is typically centrally
administrated.
The DNS system consists of three components: DNS data (called resource
records), servers (called name servers), and Internet protocols for fetching data
from the servers.
Q2. Which are the four generally accepted naming conventions?
NetBIOS Name (for instance, SPRINGERS01)
TCP/IP Address (121.133.2.44)

Host Name (Abbey)
Media Access Control (MAC)this is the network adapter hardware address
Q3. How DNS really works
DNS uses a client/server model in which the DNS server maintains a static
database of domain names mapped to IP addresses. The DNS client, known as
the resolver, perform queries against the DNS servers. The bottom line? DNS
resolves domain names to IP address using these steps
Step 1. A client (or resolver) passes its request to its local name server. For
example, the URL term www.idgbooks.com typed into Internet Explorer is passed
to the DNS server identified in the client TCP/IP configuration. This DNS server is
known as the local name server.
Step 2. If, as often happens, the local name server is unable to resolve the
request, other name servers are queried so that the resolver may be satisfied.
Step 3. If all else fails, the request is passed to more and more, higher-level
name servers until the query resolution process starts with far-right term (for
instance, com) or at the top of the DNS tree with root name servers
Below is the Steps explained with the help of a chart.
Figure 8-5: How DNS works
Q4. Which are the major records in DNS?

1. Host or Address Records (A):- map the name of a machine to its numeric
IP address. In clearer terms, this record states the hostname and IP address of a
certain machine. Have three fields: Host Name, Domain, Host IP Address.
E.g.:- eric.foobarbaz.com. IN A 36.36.1.6
It is possible to map more than one IP address to a given hostname. This often
happens for people who run a firewall and have two Ethernet cards in one
machine. All you must do is add a second A record, with every column the same
save for the IP address.
2. Aliases or Canonical Name Records (CNAME)
CNAME records simply allow a machine to be known by more than one

hostname. There must always be an A record for the machine before aliases can
be added. The host name of a machine that is stated in an A record is called the
canonical, or official name of the machine. Other records should point to the
canonical name. Here is an example of a CNAME:
www.foobarbaz.com. IN CNAME eric.foobarbaz.com.
You can see the similarities to the previous record. Records always read from left
to right, with the subject to be queried about on the left and the answer to the
query on the right. A machine can have an unlimited number of CNAME aliases.
A new record must be entered for each alias.
You can add A or CNAME records for the service name pointing to the machines
you want to load balance.
3. Mail Exchange Records (MX)
MX records are far more important than they sound. They allow all mail for a
domain to be routed to one host. This is exceedingly useful it abates the load
on your internal hosts since they do not have to route incoming mail, and it
allows your mail to be sent to any address in your domain even if that particular
address does not have a computer associated with it. For example, we have a
mail server running on the fictitious machine eric.foobarbaz.com. For
convenience sake, however, we want our email address to be
user@foobarbaz.com rather than user@eric.foobarbaz.com. This is
accomplished by the record shown below:
foobarbaz.com. IN MX 10 eric.foobarbaz.com.
The column on the far left signifies the address that you want to use as an
Internet email address. The next two entries have been explained thoroughly in
previous records. The next column, the number 10, is different from the normal
DNS record format. It is a signifier of priority. Often larger systems will have
backup mail servers, perhaps more than one. Obviously, you will only want the
backups receiving mail if something goes wrong with the primary mail server. You
can indicate this with your MX records. A lower number in an MX record means a
higher priority, and mail will be sent to the server with the lowest number (the
lowest possible being 0). If something happens so that this server becomes
unreachable, the computer delivering the mail will attempt every other server
listed in the DNS tables, in order of priority.
Obviously, you can have as many MX records as you would like. It is also a good
idea to include an MX record even if you are having mail sent directly to a
machine with an A record. Some sendmail programs only look for MX records.
It is also possible to include wildcards in MX records. If you have a domain where
your users each have their own machine running mail clients on them, mail could
be sent directly to each machine. Rather than clutter your DNS entry, you can
add an MX record like this one:
*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.
This would make any mail set to any individual workstation in the foobarbaz.com
domain go through the server eric.foobarbaz.com.
One should use caution with wildcards; specific records will be given precedence
over ones containing wildcards.
4. Pointer Records (PTR)
Although there are different ways to set up PTR records, we will be explaining
only the most frequently used method, called in-addr.arpa.
In-addr.arpa PTR records are the exact inverse of A records. They allow your
machine to be recognized by its IP address. Resolving a machine in this fashion is
called a reverse lookup. It is becoming more and more common that a machine
will do a reverse lookup on your machine before allowing you to access a service
(such as a World Wide Web page). Reverse lookups are a good security measure,
verifying that your machine is exactly who it claims to be. In-addr.arpa records
look as such:
6.1.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.
As you can see from the example for the A record in the beginning of this
document, the record simply has the IP address in reverse for the host name in
the last column.
A note for those who run their own name servers: although Allegiance Internet is
capable of pulling zones from your name server, we cannot pull the inverse
zones (these in-addr.arpa records) unless you have been assigned a full class C
network. If you would like us to put PTR records in our name servers for you, you
will have to fill out the online web form on the support.allegianceinternet.com
page.
5. Name Server Records (NS)
NS records are imperative to functioning DNS entries. They are very simple; they
merely state the authoritative name servers for the given domain. There must be
at least two NS records in every DNS entry. NS records look like this:
foobarbaz.com. IN NS draven.foobarbaz.com.
There also must be an A record in your DNS for each machine you enter as A
NAME server in your domain.
If Allegiance Internet is doing primary and secondary names service, we will set
up these records for you automatically, with nse.algx.net and nsf.algx.net as
your two authoritative name servers.
6. Start Of Authority Records (SOA)
The SOA record is the most crucial record in a DNS entry. It conveys more
information than all the other records combined. This record is called the start of
authority because it denotes the DNS entry as the official source of information
for its domain. Here is an example of a SOA record, then each part of it will be
explained:
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
1996111901 ; Serial
10800
3600
; Refresh
; Retry
3600000
; Expire
86400 )
; Minimum
The first column contains the domain for which this record begins authority for.
The next two entries should look familiar. The draven.foobarbaz.com entry is
the primary name server for the domain. The last entry on this row is actually an
email address, if you substituted a @ for the first .. There should always be a
viable contact address in the SOA record.
The next entries are a little more unusual then what we have become used to.
The serial number is a record of how often this DNS entry has been updated.
Every time a change is made to the entry, the serial number must be
incremented. Other name servers that pull information for a zone from the
primary only pull the zone if the serial number on the primary name servers
entry is higher than the serial number on its entry. In this way the name servers
for a domain are able to update themselves. A recommended way of using your
serial number is the YYYYMMDDNN format shown above, where the NN is the
number of times that day the DNS has been changed.
Also, a note for Allegiance Internet customers who run their own name servers:
even if the serial number is incremented, you should still fill out the web form
and use the comment box when you make changes asking us to pull the new
zones.
All the rest of the numbers in the record are measurements of time, in seconds.
The refresh number stands for how often secondary name servers should
check the primary for a change in the serial number. Retry is how long a
secondary server should wait before trying to reconnect to primary server if the
connection was refused. Expire is how long the secondary server should use its
current entry if it is unable to perform a refresh, and minimum is how long
other name servers should cache, or save, this entry.
There can only be one SOA record per domain. Like NS records,
Allegiance Internet sets up this record for you if you are not running
your own name server.
Quick Summary of the major records in DNS
Record Type
Definition
Host (A)
Maps host name to IP address in a DNS zone. Has three

fields: Domain, Host Name, Host IP Address.
Aliases (CNAME)
Canonical name resource record that creates an alias for a

host name. CNAME records are typically used to hide
implementation details from clients. Fields include: Domain,
Alias Name, For Host DNS Name.
Nameservers (NS)
Identifies the DNS name servers in the DNS domain. NS

records appear in all DNS zones and reverse zones. Fields
include: Domain, Name Server DNS Name.
Pointer (PTR)
Maps IP address to host name in a DNS reverse zone. Fields

include: IP Address, Host DNS Name.
Mail Exchange
(MX)
Specifies a mail exchange server for a DNS domain name.

Note that the term exchange does not refer to Microsoft
Exchange, a BackOffice e-mail application. However, to
connect Microsoft Exchange to the Internet via the Internet
Mail Server (IMS), the MX record must be correctly
configured by your ISP.
A mail exchange server is a host that will either process or
forward mail for the DNS domain name. Processing the mail
means either delivering it to the addressee or passing it to a
different type of mail transport. Forwarding the mail means
sending it to its final destination server, sending it using

Simple Mail Transfer Protocol to another mail server that is
closer to the final destination, or queuing it for a specified
amount of time.
Fields include: Domain, Host Name (Optional), Mail Exchange
Server DNS Name, Preference Number.
Q5.What is a DNS zone
A zone is simply a contiguous section of the DNS namespace. Records for a zone
are stored and managed together. Often, subdomains are split into several
zones to make manageability easier. For example, support.microsoft.com and
msdn.microsoft.com are separate zones, where support and msdn are
subdomains within the Microsoft.com domain.
Q6. Name the two Zones in DNS?
DNS servers can contain primary and secondary zones. A primary zone is a copy
of a zone where updates can be made, while a secondary zone is a copy of a
primary zone. For fault tolerance purposes and load balancing, a domain may
have several DNS servers that respond to requests for the same information.
The entries within a zone give the DNS server the information it needs to satisfy
requests from other computers or DNS servers.
Q7. How many SOA record does each zone contain?
Each zone will have one SOA record. This records contains many miscellaneous
settings for the zone, such as who is responsible for the zone, refresh interval
settings, TTL (Time To Live) settings, and a serial number (incremented with
every update).
Q8. Short summary of the records in DNS.
The NS records are used to point to additional DNS servers. The PTR record is
used for reverse lookups (IP to name). CNAME records are used to give a host
multiple names. MX records are used when configuring a domain for email.
Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same
replication process used to replicate other data between domain controllers. The
one catch with AD-integrated zones is that the DNS server must also be a
domain controller. Overloading DNS server responsibilities on your domain
controllers may not be something you want to do if you plan on supporting a
large volume of DNS requests.
Q10.What is a STUB zone?
A stub zone is a copy of a zone that contains only those resource records
necessary to identify the authoritative Domain Name System (DNS) servers for
that zone. A stub zone is used to resolve names between separate DNS
namespaces. This type of resolution may be necessary when a corporate merger
requires that the DNS servers for two separate DNS namespaces resolve names
for clients in both namespaces.
The master servers for a stub zone are one or more DNS servers authoritative for
the child zone, usually the DNS server hosting the primary zone for the
delegated domain name.
Q11. What does a stub zone consists of?
A stub zone consists of:
The start of authority (SOA) resource record, name server (NS) resource
records, and the glue A resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the
stub zone.
Q12. How the resolution in a stub zone takes place?
When a DNS client performs a recursive query operation on a DNS server hosting
a stub zone, the DNS server uses the resource records in the stub zone to resolve
the query. The DNS server sends an iterative query to the authoritative DNS
servers specified in the NS resource records of the stub zone as if it were using
NS resource records in its cache. If the DNS server cannot find the authoritative
DNS servers in its stub zone, the DNS server hosting the stub zone attempts
standard recursion using its root hints.
The DNS server will store the resource records it receives from the authoritative
DNS servers listed in a stub zone in its cache, but it will not store these resource
records in the stub zone itself; only the SOA, NS, and glue A resource records
returned in response to the query are stored in the stub zone. The resource
records stored in the cache are cached according to the Time-to-Live (TTL) value
in each resource record. The SOA, NS, and glue A resource records, which are not
written to cache, expire according to the expire interval specified in the stub
zone's SOA record, which is created during the creation of the stub zone and
updated during transfers to the stub zone from the original, primary zone.
If the query was an iterative query, the DNS server returns a referral containing
the servers specified in the stub zone.
Q 13.What is the benefits of Active Directory Integration?
For networks deploying DNS to support Active Directory, directory-integrated
primary zones are strongly recommended and provide the following benefits:
* Multimaster update and enhanced security based on the capabilities

of Active Directory
In a standard zone storage model, DNS updates are conducted based upon a
single-master update model. In this model, a single authoritative DNS server for
a zone is designated as the primary source for the zone.
This server maintains the master copy of the zone in a local file. With this model,
the primary server for the zone represents a single fixed point of failure. If this
server is not available, update requests from DNS clients are not processed for
the zone.
With directory-integrated storage, dynamic updates to DNS are conducted based
upon a multimaster update model.
In this model, any authoritative DNS server, such as a domain controller running
a DNS server, is designated as a primary source for the zone. Because the
master copy of the zone is maintained in the Active Directory database, which is
fully replicated to all domain controllers, the zone can be updated by the DNS
servers operating at any domain controller for the domain.
With the multimaster update model of Active Directory, any of the primary
servers for the directory-integrated zone can process requests from DNS clients
to update the zone as long as a domain controller is available and reachable on
the network.
Also, when using directory-integrated zones, you can use access control list (ACL)
editing to secure a dnsZone object container in the directory tree. This feature
provides granulated access to either the zone or a specified RR in the zone.
For example, an ACL for a zone RR can be restricted so that dynamic updates are
only allowed for a specified client computer or a secure group such as a domain
administrators group. This security feature is not available with standard primary
zones.
Note that when you change the zone type to be directory-integrated, the default
for updating the zone changes to allow only secure updates. Also, while you may
use ACLs on DNS-related Active Directory objects, ACLs may only be applied to
the DNS client service.
* Directory replication is faster and more efficient than standard DNS
replication.
Because Active Directory replication processing is performed on a per-property
basis, only relevant changes are propagated. This allows less data to be used
and submitted in updates for directory-stored zones.
Note: Only primary zones can be stored in the directory. A DNS server cannot
store secondary zones in the directory. It must store them in standard text files.
The multimaster replication model of Active Directory removes the need for
secondary zones when all zones are stored in Active Directory.
Q14. What is Scavenging?
DNS scavenging is the process whereby resource records are automatically
removed if they are not updated after a period of time. Typically, this applies to
only resource records that were added via DDNS, but you can also scavenge
manually added, also referred to as static, records. DNS scavenging is a
recommended practice so that your DNS zones are automatically kept clean of
stale resource records.
Q15. What is the default interval when DNS server will kick off the
scavenging process?
The default value is 168 hours, which is equivalent to 7 days.
DNS Q&A corner
Q1. How do I use a load balancer with my name servers?
> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e - F5's Big IP,
> Cisco's Content Switches/ Local Directors).
> The main question being the configuration whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be setup. One in which only the resolvers query the
> virtual IP address on the load balancing appliance or actually
> configure your NS records to point to the Virtual Address so that all
> queries, ie - both by local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard or architected such a configuration?
>
>
VIP = 167.147.1.5
> ----------------------------------->> Load Balancer Device |
> ----------------------------------->
|
>
|
>
---------------->
|
|
> ---------------------------->> DNS 1
|
| DNS 2 |
> ----------------------------> 1.1.1.1
1.1.1.2
There's usually not much need to design solutions like these, since most
name server implementations will automatically choose the name server
that responds most quickly. In other words, if DNS 1 fails, remote
name servers will automatically try DNS 2, and vice versa.
However, it can be useful for resolvers. In that case, you don't need to
worry about NS records (since resolvers don't use them), just setting up
a virtual IP address.
> Also, Is there any problems in running two Master/Primaries?
Just that you'd have to synchronize the zone data between the two
manually.
Q2. How does reverse mapping work?

>
>
>
>
>
How can reverse lookup possibly work on the Internet - how can a local
resolver or ISP's Dns server find the pointer records please? E.g. I run
nslookup 161.114.1.206 & get a reply for a Compaq server
- how does it know where to look? Is there a giant reverse lookup zone in
the sky?
Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first
inverts the octets of the IP address and appends "in-addr.arpa." So, in this case,
the IP address would become the domain name 206.1.114.161.in-addr.arpa.
Then the resolver sends a query for PTR records attached to that domain name.
If necessary, the resolution process starts at the root name servers. The root
name servers refer the querier to the 161.in-addr.arpa name servers, run by an
organization called ARIN, the American Registry for Internet Numbers. These
name servers refer the querier to 1.114.161.in-addr.arpa name servers, run by
Compaq. And, finally, these name servers map the IP address to
inmail.compaq.com.
Q3. What are the pros and cons of running slaves versus caching-only
name servers?
> Question: I am in the process of setting up dns servers in several locations for
my
> business. I have looked into having a primary master server running in my
server
> room and adding slave servers in the other areas. I then thought I could just
> setup a primary and a single slave server and run caching only servers in the
other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.
The main advantage of having slaves everywhere is that you have a
source of your own zone data on each name server. So if you have
a community of hosts near each slave that look up domain names in
your zones, the local name server can answer most of their queries.
On the other hand, administering slaves is a little more work than
administering caching-only name servers, and a little greater burden
on the primary master name server.
Q4. Can I set a TTL on a specific record?
> Is it possible to setup ttl values for individual records in bind?
Sure. You specify explicit TTLs in a record's TTL field, between the owner
field and the class field:
foo.example. 300 IN A 10.0.0.1
Q5. Can I use an A record instead of an MX record?

>
>
>
>
I have a single machine running DNS mail and web for a domain
and I'm not sure that I have DNS setup properly. If the machine
that is running the mail is the name of the domain does there need
to be an MX record for mail?
Technically, no. Nearly all mailers will look up A records for a

domain name in a mail destination if no MX records exist.
> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver.
You can't. If you want to use a backup mailer, you need to use
MX records.
>
>
>
>
www cname 192.168.0.1

mail cname 192.168.0.1
pop cname 192.168.0.1
smtp cname 192.168.0.1
These CNAME records are all incorrect. CNAME records create

an alias from one domain name to another, so the field after "CNAME"
must contain a domain name, not an IP address. For example:
www CNAME foo.example.
Q6. What are a zone's NS records used for?
>
>
>
>
Could you elaborate a little bit on why do we need to put NS records for
the zone we are authoritative for ?
The parent name server handles these already. Is there any problem if our
own NS records have lower TTLs than the records from parent name server ?
That's a good question. The NS records from your zone data file are used for
several things:
- Your name servers returns them in responses to queries, in the authority
section of the DNS message. Moreover, the set of NS records that comes directly
from your name server supersedes the set that a querier gets from your parent
zone's name servers, so if the two sets are different, yours "wins."
- Your name servers use the NS records to determine where to send NOTIFY
messages.
- Dynamic updaters determine where to send updates using the NS records,
which they often get from the authoritative name servers.
Q7. Do slaves only communicate with their masters over TCP?
>
>
>
>
When the slave zone checks in with the master zone for the serial number, is
all this traffic happening on TCP. For example, if you have acl's blocking
udp traffic but allowing tcp traffic will the transfer work or will it fail
due to the slaves inability to query for the SOA record on udp?
No. The refresh query (for the zone's SOA record) is usually done over UDP.
Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference ?
Preference is an unsigned, 16-bit number, so the largest number you
can use is 65535.
Q9. Why are there only 13 root name servers?
>
>
>
>
>
>
>
I'm very wondering why there are only 13 root servers on globally.
Some documents explain that one of the reason is technical limit on Domain
Name System (without any detailed explanation).
From my understanding, it seems that some limitation of NS record numbers
in DNS packet that specified by certain RFCs, or just Internet policy stuff.
Which one is proper reason?
It's a technical limitation. UDP-based DNS messages can be up to 512 bytes

long, and only 13 NS records and their corresponding A records will fit into a DNS
message that size.
IMP information
http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.
htm
10)Active directory Integrated DNS and non integrated (In integrated DNS we
cant edit DNS if failed need to restore System state backup and non Int DNS we
can edit DNS and DNS files)
11)What is recursion Authoritative DNS server?

Ans --A DNS server which recursive DNS servers contact in order to resolve a
given DNS node
DNS node
A name which DNS usually converts in to an IP, such as www.yahoo.com.
Not all DNS nodes have IPs, however.
DNS record
A single piece of DNS data, which can either, be data for a DNS node, or
meta-data which DNS uses.
DNS server
A program which resolves DNS records
DNS server administrator
A person who manages DNS; setting up DNS servers, changing DNS
records, and what not.
Domain registry
A domain registry is a company that allows one to have their authoritative
DNS servers be contacted by recursive name servers.
Domain suffix
The part of the domain which is (usually) after the first dot in a DNS node.
The domain suffix for www.yahoo.com, for example, is yahoo.com.
Domain zone
A domain zone is a set of one or more DNS nodes. All names in a given
domain zone share the same domain suffix.
IP
A number which a computer connected to the internet has, similar to a
phone number.
Internet service provider
An internet service provider (or ISP) is a company that offers access to the
internet.
Mail Transport Agent
A computer program which accepts incoming SMTP (email) connections,
allowing a server to receive email.
Recursive DNS server
A recursive DNS server is a DNS server which contacts other DNS servers
to resolve a given DNS node.
To resolve.
To convert a DNS node, such as www.yahoo.com, in to an IP, such as
10.17.243.32.
To serve
The action of an authoritative DNS server making DNS nodes available to
recursive DNS servers.
Static IP address
A static IP address is an IP addresses whose value does not change. Only
some internet service providers offer static IP addresses.
12) Iterative DNS Resolution
When a client sends an iterative request to a name server, the server responds
back with either the answer to the request (for a regular resolution, the IP
address we want) or the name of another server that has the information or is
closer to it. The original client must then iterate by sending a new request to this
referred server, which again may either answer it or provide another server
name. The process continues until the right server is found; the method is
illustrated in
Iterative and recursion option is at DNS properties we can enable the
same which we want (by default Recursion enabled)
If u enable Iterative then we need proxy server for Internet otherwise
we will not able get Internet or the DNS request will not pass to
internet from u r local DNS.
So that time proxy will take care of to connect Internet
13) DNS round robin Is there at DNS properties we can enable that DNS query
will fire like round robin (If we have two DNS server a client request take one by
one we can say load balancing as well)
14) FSMO Roles do carefully.
Q1.Which is the FIVE FSMO roles?
Schema Master
Forest Level
One per forest
Domain Naming Master
Forest Level
One per forest
PDC Emulator
Domain Level
One per domain
RID Master
Domain Level
One per domain
Domain Level
One per domain
Q2. What are their functions?

1. Schema Master (Forest level)
The schema master FSMO role holder is the Domain Controller
responsible for performing updates to the active directory schema. It
contains the only writable copy of the AD schema. This DC is the only
one that can process updates to the directory schema, and once the
schema update is complete, it is replicated from the schema master to all
other DCs in the forest. There is only one schema master in the forest.
2. Domain Naming Master (Forest level)
The domain naming master FSMO role holder is the DC responsible for
making changes to the forest-wide domain name space of the directory.
This DC is the only one that can add or remove a domain from the
directory, and that is it's major purpose. It can also add or remove cross
references to domains in external directories. There is only one domain
naming master in the active directory or forest.
3. PDC Emulator (Domain level)
In a Windows 2000 domain, the PDC emulator server role performs the
following functions:
Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator first.
Authentication failures that occur at a given DC in a domain because of
an incorrect password are forwarded to the PDC emulator for validation
before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Time synchronization for the domain.
Group Policy changes are preferentially written to the PDC emulator.
Additionally, if your domain is a mixed mode domain that contains
Windows NT 4 BDCs, then the Windows 2000 domain controller, that is
the PDC emulator, acts as a Windows NT 4 PDC to the BDCs.
There is only one PDC emulator per domain.
Note: Some consider the PDC emulator to only be relevant in a mixed
mode domain. This is not true. Even after you have changed your
domain to native mode (no more NT 4 domain controllers), the PDC
emulator is still necessary for the reasons above.
4. RID Master (Domain level)
The RID master FSMO role holder is the single DC responsible for
processing RID Pool requests from all DCs within a given domain. It is also
responsible for removing an object from its domain and putting it in
another domain during an object move.
When a DC creates a security principal object such as a user, group or
computer account, it attaches a unique Security ID (SID) to the object.
This SID consists of a domain SID (the same for all SIDs created in a
domain), and a relative ID (RID) that makes the object unique in a
domain.
Each Windows 2000 DC in a domain is allocated a pool of RIDs that it

assigns to the security principals it creates. When a DC's allocated RID
pool falls below a threshold, that DC issues a request for additional RIDs
to the domain's RID master. The domain RID master responds to the
request by retrieving RIDs from the domain's unallocated RID pool and
assigns them to the pool of the requesting DC.
There is one RID master per domain in a directory.
5. Infrastructure Master (Domain level)
The DC that holds the Infrastructure Master FSMO role is responsible for
cross domain updates and lookups. When an object in one domain is
referenced by another object in another domain, it represents the
reference by the GUID, the SID (for references to security principals), and
the distinguished name (DN) of the object being referenced. The
Infrastructure role holder is the DC responsible for updating an object's
SID and distinguished name in a cross-domain object reference.
When a user in DomainA is added to a group in DomainB, then the
Infrastructure master is involved. Likewise, if that user in DomainA, who
has been added to a group in DomainB, then changes his username in
DomainA, the Infrastructure master must update the group
membership(s) in DomainB with the name change.
There is only one Infrastructure master per domain.
Q3. What if a FSMO server fails?

Schema Master
No updates to the Active Directory schema will be

possible. Since schema updates are rare (usually done
by certain applications and possibly an Administrator
adding an attribute to an object), then the malfunction
of the server holding the Schema Master role will not
pose a critical problem.
Domain Naming
Master
The Domain Naming Master must be available when

adding or removing a domain from the forest (i.e.
running DCPROMO). If it is not, then the domain cannot
be added or removed. It is also needed when
promoting or demoting a server to/from a Domain
Controller. Like the Schema Master, this functionality is
only used on occasion and is not critical unless you are
modifying your domain or forest structure.
PDC Emulator
The server holding the PDC emulator role will cause the
most problems if it is unavailable. This would be most
noticeable in a mixed mode domain where you are still
running NT 4 BDCs and if you are using downlevel
clients (NT and Win9x). Since the PDC emulator acts as
a NT 4 PDC, then any actions that depend on the PDC
would be affected (User Manager for Domains, Server
Manager, changing passwords, browsing and BDC
replication).
In a native mode domain the failure of the PDC
emulator isn't as critical because other domain

controllers can assume most of the responsibilities of
the PDC emulator.
RID Master
The RID Master provides RIDs for security principles

(users, groups, computer accounts). The failure of this
FSMO server would have little impact unless you are
adding a very large number of users or groups.
Each DC in the domain has a pool of RIDs already, and
a problem would occur only if the DC you adding the
users/groups on ran out of RIDs.
Infrastructure Master This FSMO server is only relevant in a multi-domain

environment. If you only have one domain, then the
Infrastructure Master is irrelevant. Failure of this server
in a multi-domain environment would be a problem if
you are trying to add objects from one domain to
another.
Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain, by
default, holds all five of the FSMO server roles. Then, as more domain controllers
are added to the domain, the FSMO roles can be moved to other domain
controllers.
Q5. Can you Move FSMO roles?
Yes, moving a FSMO server role is a manual process, it does not happen
automatically. But what if you only have one domain controller in your domain?
That is fine. If you have only one domain controller in your organization then you
have one forest, one domain, and of course the one domain controller. All 5
FSMO server roles will exist on that DC. There is no rule that says you have to
have one server for each FSMO server role.
Q6. Where to place the FSMO roles?
Assuming you do have multiple domain controllers in your domain, there are
some best practices to follow for placing FSMO server roles.
The Schema Master and Domain Naming Master should reside on the same
server, and that machine should be a Global Catalog server. Since all three are,
by default, on the first domain controller installed in a forest, then you can leave
them as they are.
Note: According to MS, the Domain Naming master needs to be on a Global
Catalog Server. If you are going to separate the Domain Naming master and
Schema master, just make sure they are both on Global Catalog servers.
IMP:- Why Infrastructure Master should not be on the same server that
acts as a Global Catalog server?
The Infrastructure Master should not be on the same server that acts as a Global
Catalog server.
The reason for this is the Global Catalog contains information about every object
in the forest. When the Infrastructure Master, which is responsible for updating
Active Directory information about cross domain object changes, needs
information about objects not in it's domain, it contacts the Global Catalog server
for this information. If they both reside on the same server, then the
Infrastructure Master will never think there are changes to objects that reside in
other domains because the Global Catalog will keep it constantly updated. This
would result in the Infrastructure Master never replicating changes to other
domain controllers in its domain.
Note: In a single domain environment this is not an issue.
Microsoft also recommends that the PDC Emulator and RID Master be on the
same server. This is not mandatory like the Infrastructure Master and the Global
Catalog server above, but is recommended. Also, since the PDC Emulator will
receive more traffic than any other FSMO role holder, it should be on a server
that can handle the load.
It is also recommended that all FSMO role holders be direct replication partners
and they have high bandwidth connections to one another as well as a Global
Catalog server.
Q7.What permissions you should have in order to transfer a FSMO role?
Before you can transfer a role, you must have the appropriate permissions
depending on which role you plan to transfer:
Schema Master
member of the Schema Admins group
Domain Naming
Master
member of the Enterprise Admins

group
PDC Emulator
member of the Domain Admins group

and/or the Enterprise Admins group
RID Master


FSMO TOOLS
Q8. Tools to find out what servers in your domain/forest hold what
server roles?
1. Active Directory Users and Computers:- use this snap-in to find out where
the domain level FSMO roles are located (PDC Emulator, RID Master,
Infrastructure Master), and also to change the location of one or more of these 3
FSMO roles.
Open Active Directory Users and Computers, right click on the domain you want
to view the FSMO roles for and click "Operations Masters". A dialog box (below)
will open with three tabs, one for each FSMO role. Click each tab to see what
server that role resides on. To change the server roles, you must first connect to
the domain controller you want to move it to. Do this by right clicking "Active
Directory Users and Computers" at the top of the Active Directory Users and
Computers snap-in and choose "Connect to Domain Controller". Once connected
to the DC, go back into the Operations Masters dialog box, choose a role to move
and click the Change button.
When you do connect to another DC, you will notice the name of that DC will be
in the field below the Change button (not in this graphic).
2. Active Directory Domains and Trusts - use this snap-in to find out where
the Domain Naming Master FSMO role is and to change it's location.
The process is the same as it is when viewing and changing the Domain level
FSMO roles in Active Directory Users and Computers, except you use the Active
Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts,
right click "Active Directory Domains and Trusts" at the top of the tree, and
choose "Operations Master". When you do, you will see the dialog box below.
Changing the server that houses the Domain Naming Master requires that you
first connect to the new domain controller, then click the Change button. You
can connect to another domain controller by right clicking "Active Directory
Domains and Trusts" at the top of the Active Directory Domains and Trusts snapin and choosing "Connect to Domain Controller".
3. Active Directory Schema - this snap-in is used to view and change the
Schema Master FSMO role. However... the Active Directory Schema snap-in is not
part of the default Windows 2000 administrative tools or installation. You first
have to install the Support Tools from the \Support directory on the Windows
2000 server CD or install the Windows 2000 Server Resource Kit. Once you
install the support tools you can open up a blank Microsoft Management Console
(start, run, mmc) and add the snap-in to the console. Once the snap-in is open,
right click "Active Directory Schema" at the top of the tree and choose
"Operations Masters". You will see the dialog box below. Changing the server
the Schema Master resides on requires you first connect to another domain
controller, and then click the Change button.
You can connect to another domain controller by right clicking "Active Directory
Schema" at the top of the Active Directory Schema snap-in and choosing
"Connect to Domain Controller".
4.Netdom
The easiest and fastest way to find out what server holds what FSMO role is by
using the Netdom command line utility. Like the Active Directory Schema snapin, the Netdom utility is only available if you have installed the Support Tools
from the Windows 2000 CD or the Win2K Server Resource Kit.
To use Netcom to view the FSMO role holders, open a command prompt
window and type:
netdom query fsmo and press enter. You will see a list of the FSMO role servers:
5. Active Directory Relication Monitor

Another tool that comes with the Support Tools is the Active Directory
Relication Monitor. Open this utility from Start, Programs, Windows 2000
Support Tools. Once open, click Edit, Add Monitored Server and add the name of
a Domain Controller. Once added, right click the Server name and choose
properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO
roles (below). You cannot change roles using Replication Monitor, but this tool
has many other useful purposes in regard to Active Directory information. It is
something you should check out if you haven't already.
Finally, you can use the Ntdsutil.exe utility to gather information about and
change servers for FSMO roles. Ntdsutil.exe, a command line utility that is
installed with Windows 2000 server, is rather complicated and beyond the scope
of this document.
6. DUMPFSMOS
Command-line tool to query for the current FSMO role holders
Part of the Microsoft Windows 2000 Server Resource Kit
Downloadable from http://www.microsoft.com/windows2000
/techinfo/reskit/default.asp
Prints to the screen, the current FSMO holders
Calls NTDSUTIL to get this information
7. NLTEST
Command-line tool to perform common network administrative tasks
Type nltest /? for syntax and switches
Common uses
Get a list of all DCs in the domain
Get the name of the PDC emulator
Query or reset the secure channel for a server
Call DsGetDCName to query for an available domain controller
8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles
http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi
Q9. How to Transfer and Seize a FSMO Role
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
15) Group Policy ---Read docs which I given u last time

Q1. What are Group Policies?
Group Policies are settings that can be applied to Windows computers, users or
both. In Windows 2000 there are hundreds of Group Policy settings. Group
Policies are usually used to lock down some aspect of a PC. Whether you don't
want users to run Windows Update or change their Display Settings, or you want
to insure certain applications are installed on computers - all this can be done
with Group Policies.
Group Policies can be configured either Locally or by Domain Polices. Local
policies can be accessed by clicking Start, Run and typing gpedit.msc. They can
also be accessed by opening the Microsoft Management Console (Start, Run type
mmc), and adding the Group Policy snap-in. You must be an Administrator to
configure/modify Group Policies. Windows 2000 Group Policies can only be used
on Windows 2000 computers or Windows XP computers. They cannot be used on
Win9x or WinNT computers.
Q2. Domain policy gets applied to whom?
Domain Policies are applied to computers and users who are members of a
Domain, and these policies are configured on Domain Controllers. You can
access Domain Group Polices by opening Active Directory Sites and Services
(these policies apply to the Site level only) or Active Directory Users and
Computers (these policies apply to the Domain and/or Organizational Units).
Q3. From Where to create a Group Policy?
To create a Domain Group Policy Object open Active Directory Sites and Services
and right click Default-First-Site-Name or another Site name, choose properties,
then the Group Policy tab, then click the New button. Give the the GPO a
name, then click the Edit button to configure the policies.
For Active Directory Users and Computers, it the same process except you right
click the Domain or an OU and choose properties.
Q4. Who can Create/Modify Group Policies?
You have to have Administrative privileges to create/modify group policies. The
following table shows who can create/modify group policies:
Policy Type
Allowable Groups/Users
Site Level Group Policies Enterprise Administrators and/or Domain

Administrators in the root domain. The root domain
is the first domain created in a tree or forest. The
Enterprise Administrators group is found only in the
root domain.
Domain Level Group
Policies
Enterprise Administrators, Domain Administrators

or members of the built-in group - Group Policy
Creator Owners. By default only the Administrator
user account is a member of this group
OU Level Group Policies
Enterprise Administrators, Domain Administrators

or members of the Group Policy Creator Owners.
By default only the Administrator user account is a
member of this group.
Additionally, at the OU level, users can be
delegated control for the OU Group Policies by
starting the Delegate Control Wizard (right click the
OU and choose Delegate Control). However, the
wizard only allows the delegated user to Link
already created group policies to the OU. If you
want to give the OU administrators control over
creating/modifying group policies, add them to the
Group Policy Creator Owners group for the domain.
Local Group Policies
The local Administrator user account or members

of the local Administrators group.
Q5. How are Group Policies Applied?

Group Polices can be configured locally, at the Site level, the Domain level or at
the Organizational Unit (OU) level. Group Policies are applied in a Specific Order,
LSDO - Local policies first, then Site based policies, then Domain level policies,
then OU polices, then nested OU polices (OUs within OUs). Group polices
cannot be linked to a specific user or group, only container objects.
In order to apply Group Polices to specific users or computers, you add users (or
groups) and computers to container objects. Anything in the container object will
then get the policies linked to that container. Sites, Domains and OUs are
considered container objects.
Computer and User Active Directory objects do not have to put in the same
container object. For example, Sally the user is an object in Active Directory.
Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user
object can be in one OU, while her computer object can be another OU. It all
depends on how you organize your Active Directory structure and what Group
Policies you want applied to what objects.
User and Computer Policies
There are two nodes in each Group Policy Object that is created. A Computer
node and a User Node. They are called Computer Configuration and User
Configuration (see image above). The polices configured in the Computer node
apply to the computer as a whole. Whoever logs onto that computer will see
those policies.
Note: Computer policies are also referred to as machine policies.
User policies are user specific. They only apply to the user that is logged on.
When creating Domain Group Polices you can disable either the Computer node
or User node of the Group Policy Object you are creating. By disabling a node
that no policies are defined for, you are decreasing the time it takes to apply the
polices.
To disable the node polices: After creating a Group Policy Object, click that
Group Policy Object on the Group Policy tab, then click the Properties button. You
will see two check boxes at the bottom of the General tab.
It's important to understand that when Group Policies are being applied, all the
policies for a node are evaluated first, and then applied. They are not applied
one after the other. For example, say Sally the user is a member of the
Development OU, and the Security OU. When Sally logs onto her PC the policies
set in the User node of the both the Development OU and the Security OU Group
Policy Objects are evaluated, as a whole, and then applied to Sally the user.
They are not applied Development OU first, and then Security OU (or visaversa).
The same goes for Computer policies. When a computer boots up, all the
Computer node polices for that computer are evaluated, then applied.
When computers boot up, the Computer policies are applied. When users
login, the User policies are applied. When user and computer group policies
overlap, the computer policy wins.
Note: IPSec and EFS policies are not additive. The last policy applied is the
policy the user/computer will have.
When applying multiple Group Policies Objects from any container, Group Policies
are applied from bottom to top in the Group Policy Object list. The top Group
Policy in the list is the last to be applied. In the above image you can see three
Group Policy Objects associated with the Human Resources OU. These polices
would be applied No Windows Update first, then No Display Settings, then No
ScreenSaver. If there were any conflicts in the policy settings, the one above it
would take precedence.
Q6.How to disable Group Policy Objects
When you are creating a Group Policy Object, the changes happen immediately.
There is no "saving" of GPOs. To prevent a partial GPO from being applied,
disable the GPO while you are configuring it. To do this, click the Group Policy
Object on the Group Policy tab and under the Disable column, double click - a
little check will appear. Click the Edit button, make your changes, then double
click under the Disable column to re-enable the GPO. Also, if you want to
temporarily disable a GPO for troubleshooting reasons, this is the place to do it.
You can also click the Options button on the Group Policy tab and select the
Disabled check box.
Q7. When does the group policy Scripts run?
Startup scripts are processed at computer bootup and before the user logs in.
Shutdown scripts are processed after a user logs off, but before the computer
shuts down.
Login scripts are processed when the user logs in.
Logoff scripts are processed when the user logs off, but before the shutdown
script runs.
Q8. When the group policy gets refreshed/applied?
Group Policies can be applied when a computer boots up, and/or when a user
logs in. However, policies are also refreshed automatically according to a
predefined schedule. This is called Background Refresh.
Background refresh for non DCs (PCs and Member Servers) is every 90 mins.,
with a +/- 30 min.
interval. So the refresh could be 60, 90 or 120 mins. For DCs (Domain
Controllers), background refresh is every 5 mins.
Also, every 16 hours every PC will request all group policies to be reapplied
(user and machine) These settings can be changed under Computer and User
Nodes, Administrative Templates,System, Group Policy.
Q9. Which are the policies which does not get affected by background
refresh?
Policies not affected by background refresh. These policies are only applied at
logon time:
Folder Redirection
Software Installation
Logon, Logoff, Startup, Shutdown Scripts
Q10. How to refresh Group Policies suing the command line?
Secedit.exe is a command line tool that can be used to refresh group policies on
a Windows 2000 computer. To use secedit, open a command prompt and type:
secedit /refreshpolicy user_policy to refresh the user policies
secedit /refreshpolicy machine_policy to refresh the machine (or computer)
policies
These parameters will only refresh any user or computer policies that have
changed since the last refresh. To force a reload of all group policies regardless
of the last change, use:
secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce
Gpupdate.exe is a command line tool that can be used to refresh group policies
on a Windows XP computer. It has replaced the secedit command. To use
gpupdate, open a command prompt and
type:
gpupdate /target:user to refresh the user policies
gpupdate /target:machine to refresh the machine (or computer) policies
As with secedit, these parameters will only refresh any user or computer policies
that have changed since the last refresh. To force a reload of all group policies
regardless of the last change, use:
gpupdate /force
Notice the /force switch applies to both user and computer policies. There is no
separation of the two like there is with secedit
Q11. What is the Default Setting for Dial-up users?
Win2000 considers a slow dial-up link as anything less than 500kbps. When a
user logs into a domain on a link under 500k some policies are not applied.
Windows 2000 will automatically detect the speed of the dial-up connection and
make a decision about applying Group Policies.
Q12. Which are the policies which get applied regardless of the speed
of the dial-up connection?
Some policies are always applied regardless of the speed of the dial-up
connection. These are:
Administrative Templates
Security Settings
EFS Recovery
IPSec
Q13. Which are the policies which do not get applied over slow links?
IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance
These settings can be changed under Computer and User Nodes, Administrative
Templates,
System, Group Policy.
If the user connects to the domain using "Logon Using Dial-up Connection" from
the logon screen, once the user is authenticated, the computer policies are
applied first, followed by the user policies.
If the user connects to the domain using "Network and Dial-up Connections",
after they logon, the policies are applied using the standard refresh cycle.
Q14. Which are the two types of default policies?
There are two default group policy objects that are created when a domain is
created. The Default Domain policy and the Default Domain Controllers policy.
Default Domain Policy - this GPO can be found under the group policy tab for
that domain. It is the first policy listed. The default domain policy is unique in
that certain policies can only be applied at the domain level.
If you double click this GPO and drill down to Computer Configuration, Windows
Settings, Security Settings, Account Policies, you will see three policies listed:
Password Policy
Acount Lockout Policy
Kerberos Policy
These 3 policies can only be set at the domain level. If you set these policies
anywhere else- Site or OU, they are ignored. However, setting these 3 policies
at the OU level will have the effect of setting these policies for users who log on
locally to their PCs. Login to the domain you get the domain policy, login locally
you get the OU policy.
If you drill down to Computer Configuration, Windows Settings, Security Settings,
Local Policies, Security Options, there are 3 policies that are affected by Default
Domain Policy:
Automatically log off users when logon time expires
Rename Adminsitrator Account - When set at the domain level, it affects the
Domain Administrator account only.
Rename Guest Account - When set at the domain level, it affects the Domain
Guest account only.
The Default Domain Policy should be used only for the policies listed above. If
you want to create additional domain level policies, you should create additional
domain level GPOs.
Do not delete the Default Domain Policy. You can disable it, but it is not
recommended.
Default Domain Controllers Policy - This policy can be found by right clicking
the Domain Controllers OU, choosing Properties, then the Group Policy tab. This
policy affects all Domain Controllers in the domain regardless of where you put
the domain controllers. That is, no matter where you put your domain controllers
in Active Directory (whatever OU you put them in), they will still process this
policy.
Use the Default Domain Controllers Policy to set local policies for your domain
controllers, e.g. Audit Policies, Event Log settings, who can logon locally and so
on.
Q15.How to restore Group policy setting back to default?

The following command would replace both the Default Domain Security Policy
and Default
Domain Controller Security Policy. You can specify Domain or DC instead of Both,
to only
restore one or the other.
> dcgpofix /target:Both
Note that this must be run from a domain controller in the target domain where
you want to reset the GPO
If you've ever made changes to the default GPOs and would like to revert back to
the original
settings, the dcgpofix utility is your solution. dcgpofix works with a particular
version of
schema. If the version it expects to be current is different from what is in Active
Directory, it
not restore the GPOs. You can work around this by using the /ignoreschema
switch, which
restore the GPO according to the version dcgpofix thinks is current. The only time
you might
experience this issue is if you install a service pack on a domain controller (dc1)
that extends
schema, but have not installed it yet on a second domain controller (dc2). If you
try to run
dcgpofix from dc2, you will receive the error since a new version of the schema
and the
dcgpofix utility was installed on dc1.
16)MS patching
17 )DHCP Scops ---1)Super Scope 2) Multi Scope--- Do this .
18)Where store DHCP database and what is file name I think DHCPS.mdb --Pls
ckeck this
How to configure DHCP for Command promotes net stat command can use
.
19)Terminal Services while installing TS it will ask two modes ---1)Administator
mode 1) Application Mode
20)RAID --- (redundant array of inexpensive disks) Very Very IMP

quasion Do carefully .
http://www.acnc.com/04_01_00.html Go through like
like
What is parity.ext .,
How many min. disks and max. Disks for every RAID.
21) Antivirus--- again very IMP question
22 )Type of backup I no need to tell u
Full backup
Full backup is the starting point for all other backups, and contains all the data
in the folders and files that are selected to be backed up. Because full backup
stores all files and folders, frequent full backups result in faster and simpler
restore operations. Remember that when you choose other backup types,
restore jobs may take longer.
Read full backup page for more details. Our backup software performs full
backups.
Differential backup
A differential backup contains all files that have changed since the last FULL
backup. The advantage of a differential backup is that it shortens restore time
compared to a full backup or an incremental backup. However, if you
perform the differential backup too many times, the size of the differential
backup might grow to be larger than the baseline full backup.
Read differential backup page for more details. Our backup software
performs differential backups.
Incremental backup
An incremental backup stores all files that have changed since the last FULL
OR DIFFERENTIAL backup. The advantage of an incremental backup is that
it takes the least time to complete. However, during a restore operation, each
incremental backup must be processed, which could result in a lengthy restore
job.
Read incremental backup page for more details. Our backup software
performs incremental backups.
Mirror backup
A mirror backup is identical to a full backup, with the exception that the files
are not compressed in zip files and they can not be protected with a password. A
mirror backup is most frequently used to create an exact copy of the backup
data. It has the benefit that the backup files can also be readily accessed using
tools like Windows Explorer.
23) U can tell them any other technology which u r in master
Like VM ware ,Citrix , Cluster ,,,,,,,,,,,,ext
Kerberos v.5
Windows 2000 Active Directory relies on a different authentication protocol than
Windows NT 4. Where NT 4 used the NT Lan Manager (NTLM) protocol for
authentication, Windows 2000 utilizes Kerberos. The Kerberos protocol was
developed at MIT, and is named after Cerebus, the three-headed fire-breathing
dog that guards the gate to Hades. Why do I bother telling you this? Because it
makes it easier to remember that Kerberos is a 3-pronged authentication
scheme. The three parts of Kerberos are:
1.Client - the system/user making the request
2.Server - the system that offers a service to systems whose identity can be
confirmed
3.Key Distribution Center (KDC) - the third-party intermediary between the client
and the server, who vouches for the identity of a client. In a Windows 2000
environment, the KDC in a domain controller running Active Directory (It could be
a UNIX-based KDC also)
The way that Kerberos works can seem a little intimidating if you get into all of
the tiny little details, but I'll spare them for an overview of how things work. It is
more important that you understand the process to begin with. If you want every
behind-the-scenes detail, I've provided a link at the end of the section.
In a Kerberos environment a user provides a username, password, and domain

name (often referred to as a Realm in Kerberos lingo) that they wish to log on to.
This information is sent to a KDC, who authenticate the user. If the user is valid,
they are presented with something called a ticket-granting ticket, or TGT. I like to
consider the TGT to be like a hand-stamp admission to a country fair - it proves
that you have paid admission and have proof. The TGT is helpful in that it does
not require you to constantly re-authenticate every time you need to access a
server.
However, if you do want to access a server, you still require a ticket for that
server or you will not be able to create a session with that machine. Think of a
ticket as being like the ticket you need to purchase to get on rides at the country
fair - even though you've paid admission (proved by the hand-stamp or TGT), you
still need a ticket to get into the haunted house. When you wish to access a
server, you first need to go to the KDC, present your TGT as proof of identity, and
then request a session ticket for the server you wish to contact. This ticket
simply acts as authentication between the client and the server you wish to
contact. If you are authenticated, whether or not you will be able to actually
access anything on the server will depend on your permissions. The TGT and
session tickets that you are presented with actually expire after a period of time
that is configurable via group policy. The default value for a TGT (also referred to
as a user ticket) is 7 days, while the default value for a session ticket (sometimes
called a service ticket) is 10 hours.
In a single-domain environment, Kerberos authentication is pretty
straightforward. However in a multiple domain environment Kerberos has more
steps involved. The reason for this is that when you are attempting to obtain a
session ticket for a server, it must be obtained from a KDC in the domain where
the server exists. Also, you must obtain session tickets in order to traverse the
trust-path to the KDC you need to contact. The example below outlines the steps
necessary for a client in west.win2000trainer.com to access a server in
east.win2000trainer.com.
1.The client logs on to the network as a user in east.win2000trainer.com, and is
presented with a TGT.
2.The client wants to communicate with a server in west.win2000trainer.com. It
contacts the KDC in east.win2000trainer.com, asking for a session ticket for a
KDC in the win2000trainer.com domain.
3.After it receives this ticket, it contacts the KDC in win2000trainer.com,
requesting a session ticket for the KDC in west.win2000trainer.com.
4.After it receives this ticket, it contacts the KDC in west.win2000trainer.com,
and requests a session ticket for the server in west.win2000trainer.com whom it
originally wanted to contact.
5.Once granted the session ticket for the server, the client contacts that server
directly and can access resources according to the permissions in place.
If this seems like a great deal of steps, that is indeed true. This is one of the
reasons that you might consider implementing shortcut trusts, as outlined in my
last article. If shortcut trusts exist, the shorter available path would be used.
Kerberos is a wonderful protocol in that is makes the network much more secure,
due to the necessity of authentication between clients and servers before a
session can be established. It is actually much faster than you might think. For a
good hands-on experiment, you might consider setting up multiple domains and
then running network monitor while accessing resources between domains.
Though the packets contents are encrypted, it will still give you a great idea of
what is happening behind the scenes. Three utilities that you should be aware of
for troubleshooting Kerberos problems are Netdom (discussed in a previous

article), as well as the resource kit utilities KerbTray.exe and Llist.exe.
Active dirintegrated
The DNS service provided with Windows 2000 Server meets both these
requirements and also offers two important additional features:
Active Directory integration

Using this feature, the Windows 2000 DNS service stores zone data in the
directory. This makes DNS replication create multiple masters, and it allows
any DNS server to accept updates for a directory service-integrated zone.
Using Active Directory integration also reduces the need to maintain a
separate DNS zone transfer replication topology.
Secure dynamic update

Secure dynamic update is integrated with Windows security. It allows an
administrator to precisely control which computers can update which names,
and it prevents unauthorized computers from obtaining existing names from
DNS.
The remaining DNS servers on your network that are not authoritative for the
locator records do not need to meet these requirements. Servers that are not
authoritative are generally able to answer SRV record queries even if they do not
explicitly support that record type.
OTHER
O/S Related
1.) What is FAT16? What is FAT32? What is NTFS 4.0, 5.0? Difference
Older version of the FAT file system, based on 16-bit integers. It has a limitation
with respect to the size of partitions it can handle. File Allocation Table (FAT) is a
file system that was developed for MS-DOS and used in consumer versions of
Microsoft Windows up to and including Windows ME.
Newer version of the FAT file system, based on 32-bit integers. The file system
is able to handle partitions of 2 TB size and uses the storage capacity more
efficiently than FAT16. A 32-bit version of the File Allocation Table which first
shipped with Windows95 SR2. FAT32 uses 32 bits to address each cluster and
can support drives as big as two Terabytes. The older FAT used 16-bits to
address each cluster and was limited to drive sizes of 512 Mb. Each cluster in a
FAT32 system is only 4 Kb which also helps to save space on your hard drive.
NTFS, short for NT File System, is the most secure and robust file system for
Windows NT, 2000, and XP. It provides security by supporting access control
and ownership privileges, meaning you can set permission for groups or
individual users to access certain files.
There are currently two versions of NTFS being used in Microsoft operating
systems. NTFS 4.0 is the file system used with Windows NT 4.0. NTFS 5.0 was
released with Windows 2000, and is also being used in Windows XP. NTFS 5.0
provides some additional capabilities which were not included in NTFS 4.0. Both
versions of NTFS share the following features:
2.) what are the sharing options in FAT16,32,NTFS 4.0,5.0

what are the security options in NTFS 4.0, NTFS 5.0
Ans. In NTFS 5.0
1.FULL CONTROL
2.MODIFY
3.READ & EXICUTE
4.LIST FOLDER CONTENTS
5.READ
6.WRITE
7.SPECIAL PERMISSIONS.
3.) What is SCSI, IDE? Abbreviations, Differentiate?

Ans. SCSI: Small Computer System Interface
SCSI is a hardware interface that allows for the connection of up to 15 peripheral
devices to a single PCI board called a "SCSI host adapter" that plugs into the
motherboard.
SCSI peripherals are daisy chained together. Each device has a second port used
to connect the next device in line. Like Scanners, Cd roms connection.
Abbreviation of either Intelligent Drive Electronics or Integrated Drive
Electronics,
(Integrated Drive Electronics) A type of hardware interface widely used to
connect hard disks, optical disks and tape drives to a PC. IDE was always the
more economical interface, compared to SCSI
The IDE interface had always been officially the ATA (Advanced Technology
Attachment) specification.
The ATAPI (ATA Packet Interface) was developed to allow CD-ROM drives to run
over the IDE/ATA interface by using commands similar to SCSI drives. ATAPI is
essentially ATA for peripherals such as CD-ROMs, DVDs and tapes
Difference:
SCSI devices can communicate independently from the CPU over the SCSI bus.
This is due to the fact that each device has its own embedded controller. Data
can then be transferred at high-speeds between the devices without taking any
CPU power. IDE, likewise, uses controllers on each device, but they cannot
operate at the same time and they do not support command queuing.
4.) How SCSI is more faster and reliable than IDE,SATA?
SCSI devices can communicate independently from the CPU over the SCSI
bus. This is due to the fact that each device has its own embedded controller.
Data can then be transferred at high-speeds between the devices without
taking any CPU power. IDE, likewise, uses controllers on each device, but they
cannot operate at the same time and they do not support command queuing
5.) What is SATA? Abbreviation and Difference with SCSI, IDE, SCSI ?
Serial ATA
A serial version of the ATA (IDE) interface, which has been parallel since its
inception in 1986. Ratified by ANSI in 2002 as the next-generation ATA
technology, Serial ATA (SATA) provides a point-to-point channel between
motherboard and drive rather than the Parallel ATA (PATA) master-slave
architecture that supports two drives on the same cable.
Serial ATA (SATA) transfers data in a half-duplex channel at 1.5 Gbps in one
direction. With SATA II, introduced in 2003, speed was increased to 3 Gbps.
Difference PATA & SATA:
A specification for consumer hard drive connections that boosts the data transfer
rate up to 150MB/second. In addition, it changes IDE/ATA from a parallel interface
requiring 40 separate wires to connect components to a serial interface requiring
only 6 wires. 2x and 4x versions of Serial ATA double and quadruple the speed of
Serial ATA.
Difference SATA & Scsi:
SCSI is much more expensive.
10,000 RPM SATA drives, SCSI simply does not hold the edge it used to, and we
do not feel it is worth the sizable increase in cost.
But Scsi devices can communicate independently from the CPU over the SCSI.
Scsi is for Servers. And Sata is for Desktops.
6,) What is cluster and clustering where it is used?
7.)What are the RAID levels, Description? Min Max Discs supported by
each level?
RAID stands for Redundant Array of Inexpensive Disks. A RAID system consists of
two or more disks working in parallel. They appear as one drive to the user, and
offer enhanced performance or security (or both).
a) RAID 0: striping b) RAID 1: mirroring
c) RAID 3 d) RAID 5
e) RAID 10: a mix of RAID 0 & RAID 1
a) RAID 0 :
In a RAID 0 system, data are split up in blocks that get written across all the
drives in the array. By using multiple disks (at least 2) at the same time, RAID 0
offers superior I/O performance. This performance can be enhanced further by
using multiple controllers, ideally one controller per disk.
Advantages
RAIDS 0 offers great performances, both in read and write operations. There is no
overhead caused by parity controls.
All storage capacity can be used, there is no disk overhead.
The technology is easy to implement.
Disadvantages
RAID 0 is not fault-tolerant. If one disk fails, all data in the RAID 0 array are lost.
It should not be used on mission-critical systems.
Video Production and Editing

Image Editing
Pre-Press Applications
Any application requiring high bandwidth
B) RAID 1:
Data are stored twice by writing them to either the data disk (or set of data
disks) and a mirror disk (or set of disks). If a disk fails, the controller uses either
the data drive or the mirror drive for data recovery and continues operation. You
need at least 2 disks for a RAID 1 array
RAID 1 systems are often combined with RAID 0 to improve performance. Such a
system is sometimes referred to by the combined number: a RAID 10 system.
Advantages
RAID 1 offers excellent read speed and a write-speed that is comparable to that
of a single disk.
In case a disk fails, data do not have to be rebuilding, they just have to be copied
to the replacement disk.
RAID 1 is a very simple technology.
Disadvantages
The main disadvantage is that the effective storage capacity is only half of the
total disk capacity because all data get written twice.
Software RAID 1 solution do not always allow a hot swap of a failed disk
(meaning it cannot be replaced while the server keeps running). Ideally a
hardware controller is used.
Accounting
Payroll
Financial
Any application requiring very high availability
C) RAID 3:
On RAID 3 systems, data blocks are subdivided (striped) and written in parallel
on two or more drives. An additional drive stores parity information. You need at
least 3 disks for a RAID 3 array.
Since parity is used, a RAID 3 stripe set can withstand a single disk failure
without losing data or access to data.
Advantages
RAID-3 provides high throughput (both read and write) for large data transfers.
Disk failures do not significantly slow down throughput.
Disadvantages
This technology is fairly complex and too resource intensive to be done in
software.
lPerformance is slower for random, small I/O operations.
D) RAID 5:
RAID 5 is the most common secure RAID level. It is similar to RAID-3 except that
data are transferred to disks by independent read and write operations (not in
parallel). The data chunks that are written are also larger. Instead of a dedicated
parity disk, parity information is spread across all the drives. You need at least 3
disks for a RAID 5 array.
A RAID 5 array can withstand a single disk failure without losing data or access to
data. Although RAID 5 can be achieved in software, a hardware controller is
recommended. Often extra cache memory is used on these controllers to
improve the write performance
Advantages
Read data transactions are very fast while write data transaction are somewhat
slower (due to the parity that has to be calculated).
Disadvantages
Disk failures have an effect on throughput, although this is still acceptable.
Like RAID 3, this is complex technology.
File and Application servers
Database servers
Web, E-mail, and News servers
Intranet servers
Most versatile RAID level
E) RAID 10: a mix of RAID 0 & RAID 1

RAID 10 combines the advantages (and disadvantages) of RAID 0 and RAID 1 in a
single system. It provides security by mirroring all data on a secondary set of
disks (disk 3 and 4 in the drawing below) while using striping across each set of
disks to speed up datatransfers.
Database server requiring high performance

and fault tolerance
8.)What is Parity Bit?

In computers, parity (from the Latin paritas: equal or equivalent) refers to a
technique of checking whether data has been lost or written over when it's
moved from one place in storage to another or when transmitted between
computers
One can improve upon memory-style ECC disk arrays by noting that, unlike
memory component failures, disk controllers can easily identify which disk has
failed. Thus, one can use a single parity rather than a set of parity disks to
recover lost information.
9.)what is the tools/software used in 95/98 to connect to 2000/2003
Domain?
By default, Windows 95 and Windows 98 clients will connect to the PDC unless
the Load Balancing option is enabled in system policy. This is enabled in Default
Computer|Network|System Policies Update|Remote Update And Setting The Load
Balancing option. This will allow the Windows 95 or Windows 98 client to load
system policy from the authenticating DC.
Windows NT 4.0 with Service Pack 4.0 or later will also support NTLMv2
authentication.
Market Florist must ensure that a plan is created for the distribution of the
DSClient software to all Windows 95 and Windows NT 4.0 client computers.
The DSClient software will increase the performance and strength of downlevel client authentication by allowing local password changes and use of
NTLMv2 for authentication.
Market Florist must ensure that all necessary registry settings are
deployed to Windows NT 4.0 and Windows 95 clients to ensure that the
client computers will use NTLMv2 rather than LM or NTLM authentication.
You must configure Group Policy after the DSClient software is fully
deployed to allow only NTLMv2 authentication to be used. You must not
configure this setting until all down-level clients have the DSClient
software and necessary registry settings, or the down-level clients will lose
access to all network data. The setting that you must apply is Group Policy
Container \Computer Configuration\Windows Settings\Security
Settings\LocalPolicies\Security Options\LAN Manager Authentication Level.
This must be applied at each OU where Windows 2000 computers exist.
DNS services must be configured locally at each site to ensure that downlevel clients using the DSClient software can locate local DCs and global
catalog servers in the event that the WAN link is down and DNS services
can't be contacted.
For download DSclient http://www.4help.vt.edu/lm/

10.)what is root directories, login scripts of NT/2000/2003 all Flavors ?
Quickly display your root directory or network home directory in Windows XP by
clicking Start / Run and in the open field type two periods ( ..) and press enter or
click ok.
Root directory command: %SYSTEMROOT%
WIN XP : WINDOWS
WIN2K: WINNT
11.)How do you create a New domain tree in an existing forest in 2000?
http://www.washington.edu/computing/support/windows/UWdomains/domainSetu
p.html
If you are joining an existing forest, choose "Place this new domain tree in an
existing forest". Otherwise, choose "Create a new forest of domain trees".
12.)Which is the best O/S in 2000 and 2003 that you feel? Why ?
Windows 2003 is Best OS than 2000.
Windows 2003 AD introduced a number of new security features:
Such as the ability to rename a domain controller and even an entire domain.
Kerberos v5 is an authentication mechanism used to verify user or host identity
and is the preferred authentication method for services in Windows Server 2003.
13.) What are Domain, Domain Controller, and DNS?

DOMAIN: In Windows NT and Windows 2000, a domain is a set of network
resources (applications, printers, and so forth) for a group of users. The user
need only to log in to the domain to gain access to the resources, which may be
located on a number of different servers in the network.
DOMAIN CONTROLLER:
DNS:
14.) Explain the common problems in AD, DNS that you faced?
15.) AD, DNS problems solved by you which you fell critical/difficult, And WHY?
16.)Reason, solution, time taken to solve the problem? why its critical?
17.) What is the Process of Renaming a Domain in 2003, without
restart?
18.) How do you secure your Domain password? process, steps in your
organization?
19.) How to put the password for AD?
Start --- Run
Syskey
20.) What is AD? What are the versions? What is the difference in
versions?
http://www.windowsitlibrary.com/Content/155/07/1.html#1
Active Directory is a directory service. The term directory service refers to two
things a directory where information about users and resources is stored and a
service or services that let you access and manipulate those resources. Active
Directory is a way to manage all elements of your network, including computers,
groups, users, domains, security policies, and any type of user-defined objects.
Active Directory is built around Domain Name System (DNS) and lightweight
directory access protocol (LDAP). Active Directory clients use DNS and LDAP to
locate and access any type of resource on the network.
FUNDAMENTALS OF ACTIVE DIRECTORY
In the world of Active Directory, clients and servers interact in the following
manner:
1. If a client wants to access a service or a resource, it does so using the
resources Active Directory name. To locate the resource, the client sends
a standard DNS query to a dynamic DNS server by parsing the Active
Directory name and sending the DNS part of the name as a query to the
dynamic DNS server.
2. The dynamic DNS server provides the network address of the domain
controller responsible for the name. This is similar to the way static DNS
currently operates it provides an IP address in response to a name
query.
3. The client receives the domain controllers address and uses it to make an
LDAP query to the domain controller. The LDAP query finds the address of
the system that has the resource or service that the client requires.
4. The domain controller responds with the requested information. The client
accepts this information.
5. The client uses the protocols and standards that the resource or service
requires and interacts with the server providing the resource.
21.) What are the partitions in AD ?
Schema partition, configuration partition, global partition and Application

Partition
22.)What are the protocols in AD ?
NTLM/KERBOROS V4,V5
23.)What is a print server? Can we use AD as a print server ?

Print servers probably show the greatest variation of machine, from dedicated
print servers, you get printers hanging off domain controllers to 'Jet Direct'
printers with their own network cards. In my experience there is a contrast
between the software settings which are easy to configure and the hardware
which constantly cries for attention e.g. paper jam, 'out of toner'.
24.)what is forward lookup, reverse lookup?
25.)What are authoritative, non authoritative restorations?

When you are taking the backup of Active directory database run this command
In Start----Run-----ntbackup.
In this utility you have to choose restore on the restore you have to select
Systemstate data.Its contain Active Directory database,Registry and Com+ root
Certifications.
After taking the backup if you want to restore the database Go F8 Start menu in
That choose Directory Services Restore Mode.
After booting the system In Start Menu ------Run----------ntbackup
Restore Database (What you are taken previous backup)
After restore it will ask you restart the system -------Dont restart system at that
time.Press No.
Why Because Data will restore it will show in Active Directory Users And
Computers but it will not work .You have to Authorize the database
Next you go on Command Prompt Type this Commands
C:\>ntdsutil
Ntdsutil: Authoritative restore (Type this Command)
: Restore Database (Type this Command) This Means Entire Database
Will be Authorize. If you want to restore only single user of OU.Type the
Command Like This
Restore Subtree cn=(username),cn=(Ou name),cn=(dot Before
name),cn=(dot after name)---------then Enter .
Dot Before and Dot After Means.
Suppose your Domain is unics.com
User Name is test
Ou Name is sales
The Context Should be Like this:
Cn=test,cn=sales,cn=unics,cn=com
If there is no OU pls remove the ou Context .
Caution:This Procedure Will Work When the Active Directory Database Will
Corrupt.
If you want format the system after installation of OS You Have to
restore same OUs and Users Follow This Procedure:
First you take the backup of System state.
Then format the system and install OS in Workgroup.
Here No need to create a Domain
Then you Restore System state backup what aim said in Previous Document
The Same Procedure Will Work.
But Here one Disadvantage is there -----You Follow this Procedure Users Group
Policys Will not work.
If u wants Group Policys also after installation OS Create Domain in Same Name
What is Previous name Of Domain.
Then Restore Database and Authorize. It will Work.
26.) What data is available in system state? How we can retrieve each?
System State data
With Backup, you can back up and restore the following system components to
back up the System State:
Registry
When this component is included in

System State?
Always
COM+ Class Registration database
Always
Boot files, including the system files
Always
Certificate Services database
If it is a Certificate Services server
Active Directory directory service
If it is a domain
SYSVOL directory
Only if it is a domain controller
Cluster service information
If it is within a cluster
IIS Metadirectory
If it is installed
Component
System files that are under Windows File Always

Protection
Backup refers to these system components as the System State data. The exact
system components that make up your computer's System State data depend on
the computer's operating system and configuration.
27.)What is the use of a OU in AD?
As defined in the RFP for the LDAP standard, organizational units (OUs) are
containers that logically store directory information and provide a method of
addressing Active Directory through LDAP. In Active Directory, OUs are the
primary method for organizing user, computer, and other object information into
a more easily understandable layout. the organization has a root organizational
unit where three nested organizational units (marketing, IT, and research) have
been placed. This nesting enables the organization to distribute users across
multiple containers for easier viewing and administration of network resources.
Organizational Units allow organizations on campus to maintain control over their

resources, like computers, servers, printers and file shares. Below are
instructions on how to maintain OUs.
28.) What are Group policies? is it possible to implement for a specific
user? If not why?
29.) How many types of users we can create in AD? Who are they, and
their rights?
30) Who is Roaming user? How to create a Roaming user between two
different forests?
31) How to create a user with other domain login scripts which is not in
the same tree?
32) What are the boot files of NT/XP/2000/2003 all flavors?
33) Difference between NT/2000/2003?
34)What is a trust? How to enable trust relationship with other
domains? Requirements?
35)What is LDAP? Where and when it is used?
36)What is the other backup options (other than NT Backup) in

2000/2003.
37)What is the Major difference in IIS 5 and IIS 6?
38)What is the best client O/S that you feel WHY?
39)What are the Backup process in your organization ? your roll?
40)What is Tape? Difference between DAT, DLT, LTO?
41. What is a site? Types and differences?

42. Dns types and differences?
Network Related
1)
2)
3)
4)
5)
What are the ISO standards for a Network?

What are the classes and IP ranges of each class?
What are the public IPs , Private IPs , Differences ?
What are the OSI layers? Protocols, devices in each layer?
What is packet? what is the Minimum , Maximum ,Default size of a
packet?
6) What is IP ? Technical Names of the Octets in IP Adress?
7) What is CAT 5,CAT 6 ,RJ 45,Fiber Optic cables, abbreviations?
8) What is the Min, Max speed of CAT 5,CAT 6, Fiber Optic cables?
9) What is the Max length Supported by CAT 5,CAT 6, Fiber Optic
cables?
10)
What is router ? types of switches? Deference between HUB
and switch?
11)
What is the series of switches, hubs that are using in your
location?
12)
How to connect two networks without a router?
13)
What is a software used for routing? how to use?
14)
How Switch is faster than HUB?
15)
What is IP Tables?
16)
What is VPN? How it works?
17)
What is Port ? give the port numbers for the protocols ?
18)
What is protocol? Use of protocols ?
19)
What is VLAN ?what is use of VLAN?
20)
What are the protocols used for Mailing? Port numbers?
21)
Difference between POP3,SMTP, and other mailing
protocols?
22)
What is the best mailing protocol ?WHY?
23)
What is validation? What are the ISO standard levels for a
Valid Network?
24)
As a Network Administrator, How do you validate your
Network that it is reliable for the requirement ?
25)
As a System Administrator, How do you validate your
Domain that it is reliable for the requirement ?
Ramesh Nambaru R&D Engg Active Directory & Vmware
1. How to Determine What Domain Controller Authenticated the User ?
Execute the command below it will display the DC Name

echo %logonserver%
2. User logon authentication process Domain & Local

Process of Logging On
1. CTRL+ALT+DEL is pressed, name and password entered, and local or
domain logon is indicated.
2. If the logon is local, the name and password are checked against the local
database. If the logon is a domain logon, the name and password are
encrypted into a key, and timestamp information is encrypted. This
information is sent to the Windows 2000 domain controller with an
authentication request.
3. The domain controller decrypts the information and checks for a valid
timestamp. If the timestamp is valid, two Kerberos tickets are made and
encrypted with the password. The tickets are sent back to the client
computer. The tickets are:
o User session key - Used to log on.
o User ticket - Used to get other Kerberos tickets for accessing other
domain resources.
4. The client decrypts the tickets and uses the session key to log on.
ANTIVIRUS
Anti-virus software is used to identify and remove viruses in computers and
many other types of harmful computer software. The first antivirus software
was designed exclusively to combat computer viruses but now a days modern
antivirus software can protect computer systems against a wide range of
Trojans, malware, worms, phishing attacks, and rootkits.
There are many methods which antivirus software can be used to identify
malware; it depends on the software we use.
Signature based detection
Malicious activity detection
Heuristic-based detection
Signature based detection is the most common method used by antivirus
software to identify malware. Normally to identify malware and viruses
antivirus software compares the content of the file to a dictionary of virus
signatures. As viruses can embed themselves in existing files the entire file is
searched in pieces not just as a whole.
Malicious activity detection is the other method used to identify malware. In
this method antivirus software monitors the system for suspicious program
behavior. If any suspicious behavior is detected the suspect program may be
further investigated using signature based detection, this type of malicious
activity detection can be used to identify unknown viruses.
Heuristic-based detection is the method used by more advanced antivirus
software, Heuristics method can be used to identify unknown viruses. This

process has two approaches file analysis and file emulation. In file analysis
approach if a program has instructions to format the D drive, anti virus software
might further investigate the file. File analysis is the process of searching a
suspect file for virus like instructions. File emulation approach involves
executing a program in a virtual environment and logging what actions the
program performs
Based on the actions logged, the antivirus software can determine if the
program is malicious or not and carry out the appropriate actions.
Identifying a Server whether it is a domain controller
Check for the Roles

1. In Event Viewer check for logs
Directory Service Log

File Replication Service Log
DFS Replication Log

Active Directory TOTAL - QA

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Active Directory TOTAL - QA

Загружено:

Авторское право:

Доступные форматы

SAGAR

1. What is Active Directory ?

- set query type (ex. A,ANY,CNAME,MX,NS,PTR,SOA,SRV)

Internet Protocol (IP) addresses in an organizations network. DHCP allows

II. Attempting to restore SYSVOL or File Replication Service

Restoring the only domain controller in an Active

Restoring the first of several domain controllers

Restoring the first domain controller in a replica set.

When All the domain controller or the only domain controller in a

10.What is File Replication Service

The System Registry

The COM+ Class Registration Database

The boot files

System files protected by windows File Protection

Certificate Service Database if installed.

Active Directory and Sysvol folder on the DC.

Cluster Service information on cluster server

Internet Information Server Metabase.

12.What is Forest, Domain, Schema, Global Catalogue, Universal Group

Tree is collection of hierarchal structure of domains that share a common

Information about all Active Directory Objects from all

Stores information of universal groups and their associated

Forwarding authentication request to the appropriate domain

Validate object references within a forest.

Universal Group Membership Caching:

Faster user login times, because the global catalogue server

Reducing the need to place global catalogue servers in each

Reducing the usage of WAN bandwidth usage associated with

Note: Where a high member of directory queries are expected global

14.What is stub zone?

A copy of SOA record for the servers

Copies of NS records for all name servers authoritative

It does not contain CNAME records, MX records, SRV records, or A records

Start the computer in Directory Service Restore Mode.

Restore the backup from the media as in NonAuthoritative Mode.

After restore complete do not restart the computer.

Enter into ntdsutil

Restore is the fastest

Backing up are the fastest

18.How to know the size of Active directory Database?

The changed data is replicated between domain controllers, not the

Domain Naming Master

Note: The Infrastructure Master (IM) role should be held by a

Password changes performed by other DCs in the domain are

Editing or creation of Group Policy Objects (GPO) is always done

21.What is the location of NTDS.DIT file?

For example a DNS server is configured for domain.com

The domain partition stores information in default containers and in

TCP/IP Address (121.133.2.44)

Figure 8-5: How DNS works

Q4. Which are the major records in DNS?

CNAME records simply allow a machine to be known by more than one

Maps host name to IP address in a DNS zone. Has three

Canonical name resource record that creates an alias for a

Identifies the DNS name servers in the DNS domain. NS

Maps IP address to host name in a DNS reverse zone. Fields

Specifies a mail exchange server for a DNS domain name.

sending it to its final destination server, sending it using

Q9. What is an AD-integrated zone?

* Multimaster update and enhanced security based on the capabilities

Q2. How does reverse mapping work?

Yes, actually, there is: in-addr.arpa.

Q5. Can I use an A record instead of an MX record?