WINDOWS 2000
Q. Name three differences between Windows 2000 Server (the standard edition) and Windows 2000 Advanced Server.
Ans. The Windows® 2000 Advanced Server operating system contains all the functionality and reliability of the
standard version of Windows 2000 Server, plus additional features for applications that require higher levels of
scalability and availability. This makes Advanced Server the right operating system for essential business and e-
commerce applications that handle heavier workloads and high-priority processes.
Advanced Server helps ensure your systems are available by addressing the causes of both planned and
unplanned network and server downtime. It also has features that let your applications grow to support large
numbers of users and data.
Advanced Server lets you increase server performance and capacity by adding processors and memory. This
approach to increasing your network capacity is referred to as scaling up.
You can increase the performance of a server computer by adding processors that can work together, and many
well-known server manufacturers offer multi-processor servers. Enhanced symmetric multiprocessing (SMP)
support in Advanced Server lets you use multiprocessor servers. Advanced Server includes enhanced memory
capabilities that let you increase the memory available for server processing to as much as eight gigabytes (GB).
As you well know, server downtime can result in lost revenue, wasted IT staff work, and unhappy customers. To
address these concerns, the clustering technologies in Advanced Server let more than one server work together
on a particular task. Clustering technologies increase server availability because they provide a safety net should
one of the clustered servers fail. There are two clustering technologies in Advanced Server. The first, called the
Cluster service, is used to link individual servers so they can perform common tasks. If one server stops
functioning, its workload is transferred (failed over) to the other server. The second clustering technology, called Network
Load Balancing (NLB), is used to make sure a server is always available to handle requests. NLB works by
spreading incoming client requests among a number of servers that are linked together to support a particular
application.
In short, the three differences are: SMP support for up to eight processors instead of four, support for up to 8 GB of
RAM instead of 4 GB, and the two clustering technologies (Cluster service and Network Load Balancing), which the
standard Windows 2000 Server does not include.
Q. In reference to Windows 2000 DNS, what are service location resource records, better known as SRV records?
Ans. Active Directory uses DNS as its locator service. An SRV record advertises which hosts offer a given service on
which port, so these records allow clients and servers to locate Active Directory resources such as Global Catalog
servers, the domain controllers of a particular AD site, Kerberos KDCs and LDAP servers (for example,
_ldap._tcp.dc._msdcs.<domain> lists the domain controllers of a domain).
Q. Where would I go in Windows 2000 to find out more information in reference to a service not
starting?
Ans. Event Viewer
Q. If there are a domain and a child domain on two different servers, will we have a GC on both servers?
Ans. Not necessarily. The Global Catalog is a forest-wide service rather than a per-domain one: the first domain
controller in the forest is made a GC automatically, and any other domain controller in any domain (including the
child domain) can be made a GC. At least one GC is required in the forest, and it is recommended to have one in
each domain and site so that logons and universal group membership lookups do not depend on a WAN link.
Q. There are 3 servers on LAN, how do you check for connectivity and name resolution?
There are five different FSMO roles and they each play a different function in making Active Directory work:
PDC Emulator - This role is the most heavily used of all FSMO roles and has the widest range of functions. The
domain controller that holds the PDC Emulator role is crucial in a mixed environment where Windows NT 4.0
BDCs are still present. This is because the PDC Emulator role emulates the functions of a Windows NT 4.0 PDC.
But even if you've migrated all your Windows NT 4.0 domain controllers to Windows 2000 or Windows Server
2003, the domain controller that holds the PDC Emulator role still has a lot to do. For example, the PDC Emulator
is the root time server for synchronizing the clocks of all Windows computers in your forest. It's critically
important that computer clocks are synchronized across your forest because if they're out by too much then
Kerberos authentication can fail and users won't be able to log on to the network. Another function of the PDC
Emulator is that it is the domain controller to which all changes to Group Policy are initially made. For example, if
you create a new Group Policy Object (GPO) then this is first created in the directory database and within the
SYSVOL share on the PDC Emulator, and from there the GPO is replicated to all other domain controllers in the
domain. Finally, all password changes and account lockout issues are handled by the PDC Emulator to ensure
that password changes are replicated properly and account lockout policy is effective. So even though the PDC
Emulator emulates an NT PDC (which is why this role is called PDC Emulator), it also does a whole lot of other
stuff. In fact, the PDC Emulator role is the most heavily utilized FSMO role so you should make sure that the
domain controller that holds this role has sufficiently beefy hardware to handle the load. Similarly, if the PDC
Emulator role fails then it can potentially cause the most problems, so the hardware it runs on should be fault
tolerant and reliable. Finally, every domain has its own PDC Emulator role, so if you have N domains in your
forest then you will have N domain controllers with the PDC Emulator role as well.
RID Master - This is another domain-specific FSMO role, that is, every domain in your forest has exactly one
domain controller holding the RID Master role. The purpose of this role is to replenish the pool of unused relative
IDs (RIDs) for the domain and prevent this pool from becoming exhausted. RIDs are used up whenever you
create a new security principal (user, computer or group account) because the SID for the new security principal is
constructed by combining the domain SID with a unique RID taken from the pool. So if you run out of RIDs, you
won't be able to create any new user, computer or group accounts, and to prevent this from happening the RID Master
allocates a block of RIDs to each domain controller and hands out a new block when a controller's pool falls
beneath a certain level.
Infrastructure Master - This is another domain-specific role and its purpose is to ensure that cross-domain
object references are correctly handled. For example, if you add a user from one domain to a security group from
a different domain, the Infrastructure Master makes sure this is done properly. As you can guess however, if
your Active Directory deployment has only a single domain, then the Infrastructure Master role does no work at
all, and even in a multi-domain environment it is rarely used except when complex user administration tasks are
performed, so the machine holding this role doesn't need to have much horsepower at all.
Schema Master - While the first three FSMO roles described above are domain-specific, the Schema Master role
and the one following are forest-specific and are found only in the forest root domain (the first domain you
create when you create a new forest). This means there is one and only one Schema Master in a forest, and the
purpose of this role is to replicate schema changes to all other domain controllers in the forest. Since the schema
of Active Directory is rarely changed however, the Schema Master role will rarely do any work. Typical scenarios
where this role is used would be when you deploy Exchange Server onto your network, or when you upgrade
domain controllers from Windows 2000 to Windows Server 2003, as these situations both involve making
changes to the Active Directory schema.
Domain Naming Master - The other forest-specific FSMO role is the Domain Naming Master, and this role also
resides in the forest root domain. The Domain Naming Master processes all changes to the forest namespace; for
example, adding the child domain vancouver.mycompany.com to the forest root domain mycompany.com requires
that this role be available. So if you can't add a new child domain or a new domain tree, check that this role is
running properly.
Rule One: In your forest root domain, keep your Schema Master and Domain Naming Master on the same
domain controller to simplify administration of these roles, and make sure this domain controller contains a copy
of the Global Catalog. This is not a hard-and-fast rule as you can move these roles to different domain controllers
if you prefer, but there's no real gain in doing so and it only complicates FSMO role management to do so. If for
reasons of security policy however your company decides that the Schema Master role must be fully segregated
from all other roles, then go ahead and move the Domain Naming Master to a different domain controller that
hosts the Global Catalog. Note though that if you've raised your forest functional level to Windows Server 2003,
your Domain Naming Master role can be on a domain controller that doesn't have the Global Catalog, but in this
case be sure at least to make sure this domain controller is a direct replication partner with the Schema Master
machine.
Rule Two: In each domain, place the PDC Emulator and RID Master roles on the same domain controller and
make sure the hardware for this machine can handle the load of these roles and any other duties it has to
perform. This domain controller doesn't have to have the Global Catalog on it, and in general it's best to move
these two roles to a machine that doesn't host the Global Catalog because this will help balance the load (the
Global Catalog is usually heavily used).
Rule Three: In each domain, make sure that the Infrastructure Master role is not held by a domain controller
that also hosts the Global Catalog, but do make sure that the Infrastructure Master is a direct replication partner
of a domain controller hosting the Global Catalog that resides in the same site as the Infrastructure Master. Note
however that this rule does have some exceptions, namely that the Infrastructure Master role can be held by a
domain controller hosting the Global Catalog in two circumstances: when there is only one domain in your forest
or when every single domain controller in your forest also hosts the Global Catalog.
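The three placement rules above can be checked rather than remembered. The following script is an added example, not code from the original page; it assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, so not available on the Windows 2000/2003 systems discussed here, where "netdom query fsmo" lists the role holders) and a session running as a domain user.

```powershell
# Added example (not from the original page): list the FSMO role holders of one
# domain and test them against the three placement rules above.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    param([string]$DomainName = $env:USERDNSDOMAIN)

    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName
    $gcs    = @($forest.GlobalCatalogs)        # FQDNs of every GC in the forest

    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.Keys) {
        '{0,-22} {1}  (GC: {2})' -f $r, $roles[$r], ($gcs -contains $roles[$r])
    }

    $findings = @()

    # Rule One: Schema Master and Domain Naming Master together, the latter on a GC.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings += 'Rule 1: Schema Master and Domain Naming Master are on different DCs.'
    }
    if ($gcs -notcontains $forest.DomainNamingMaster) {
        $findings += 'Rule 1: Domain Naming Master is not a GC (required below the Windows Server 2003 forest functional level).'
    }

    # Rule Two: PDC Emulator and RID Master together.
    if ($domain.PDCEmulator -ne $domain.RIDMaster) {
        $findings += 'Rule 2: PDC Emulator and RID Master are on different DCs.'
    }

    # Rule Three: the Infrastructure Master must not be a GC, unless the forest has a
    # single domain or every DC is a GC (checked here for this domain's DCs, which
    # is what matters for the phantom objects it updates).
    $allDcs       = @($domain.ReplicaDirectoryServers) + @($domain.ReadOnlyReplicaDirectoryServers)
    $everyDcIsGc  = @($allDcs | Where-Object { $gcs -notcontains $_ }).Count -eq 0
    $singleDomain = @($forest.Domains).Count -eq 1
    if (($gcs -contains $domain.InfrastructureMaster) -and -not ($singleDomain -or $everyDcIsGc)) {
        $findings += 'Rule 3: Infrastructure Master is a GC in a multi-domain forest where not every DC is a GC; cross-domain references will stop being updated.'
    }

    if ($findings.Count -eq 0) { 'All three placement rules are satisfied.' } else { $findings }
}

Test-FsmoPlacement
```

Run it once per domain; the forest-wide checks (rule one) repeat, the domain checks (rules two and three) differ per domain.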
The Active Directory database (Ntds.dit) is made up of three tables:
· Schema table: the types of objects that can be created in the Active Directory, relationships between
them, and the optional and mandatory attributes on each type of object. This table is fairly
static and much smaller than the data table.
· Link table: contains linked attributes, which contain values referring to other objects in the Active
Directory. Take the MemberOf attribute on a user object. That attribute contains values
that reference groups to which the user belongs. This is also far smaller than the data table.
· Data table: users, groups, application-specific data, and any other data stored in the Active
Directory. The data table can be thought of as having rows where each row represents an instance of
an object such as a user, and columns where each column represents an attribute in the
schema such as GivenName.
There are two group types: distribution groups and security groups.
Although this section is primarily about the role groups play in security, distribution groups are also briefly
described to clarify the difference between the two group types. The next two subsections describe the
characteristics of distribution and security groups.
Distribution Groups
Distribution groups have only one function—to create e-mail distribution lists. You use distribution groups with e-
mail applications (such as Microsoft Exchange) to send e-mail to the members of the group. As with a security
group, you can add a contact to a distribution group so that the contact receives e-mail sent to the group.
Distribution groups play no role in security (you do not assign permissions to distribution groups), and you
cannot use them to filter Group Policy settings.
Security Groups
In the Windows 2000 operating system, security groups are an essential component of the relationship between
users and security. Security groups have two functions: they are used to grant permissions and user rights on
shared resources, and they can be used to filter Group Policy settings. Security groups are further distinguished
by their scope; the local and domain local scopes are described below.
Local groups
Mode. Local groups are the only type of local group available in a Windows 2000 mixed-mode domain. In the
case of Windows 2000 native-mode domains, only Built-in groups have local scope.
Membership. Local groups can have members from anywhere in the forest, from trusted domains in other
forests, and from trusted down-level domains.
Permissions. A local group has only machine-wide scope; that is, it can be used to grant resource permissions
only on the machine on which it exists. (Note, however, that local groups created on a domain controller are
available on every domain controller in that domain and can be used to grant resource permissions on any
domain controller in that domain.)
Domain local groups
Mode. Domain local groups are available only in native-mode (but not mixed-mode) domains.
Membership. Like local groups, domain local groups can have members from anywhere in the forest, from
trusted domains in other forests, and from trusted down-level domains.
Permissions. A domain local group has domain-wide scope; that is, it can be used to grant resource
permissions on any Windows 2000 machine within the domain in which it exists (but not beyond its domain).
Ldifde
Imports and exports data from Active Directory using files in the LDAP Data Interchange Format (LDIF); it can
also be used for batch operations such as extending the schema.
Syntax:
Ldifde [-i] [-f FileName] [-s ServerName] [-c String1 String2] [-v] [-j Path] [-t PortNumber] [-d BaseDN] [-r
LDAPFilter] [-p Scope] [-l LDAPAttributeList] [-o LDAPAttributeList] [-g] [-m] [-n] [-k] [-a
UserDistinguishedName Password] [-b UserName Domain Password] [-?]
Csvde
Imports and exports data from Active Directory using files that store data in the comma-separated value (CSV)
format. You can also support batch operations based on the CSV file format standard.
Csvde is a command-line tool that is installed in the %windir%\system32 folder on Windows Server 2003 by
default. To run csvde on a computer running Windows Server 2003, open a command prompt, type csvde with
the appropriate parameters, and then press ENTER.
You can also run csvde on a computer running Windows XP Professional if you install Active Directory Application
Mode (ADAM) on that computer. Csvde will be located in the %windir%\ADAM folder. To download ADAM, see
Active Directory Application Mode (ADAM) at the Download Center (http://go.microsoft.com/fwlink/?LinkID=29359).
Syntax:
Csvde [-i ] [-f FileName] [-s ServerName] [-c String1 String2] [-v ] [-j Path] [-t PortNumber] [-d BaseDN] [-r
LDAPFilter] [-p Scope] [-l LDAPAttributeList] [-o LDAPAttributeList] [-g ] [-m ] [-n ] [-k ] [-a
UserDistinguishedName Password] [-b UserName Domain Password]
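As an added example (not from the original page), here are the two tools as a practitioner uses them together: export selected user attributes with csvde, then create a user from an LDIF file with ldifde. The OU, domain and account names are made up; it runs from PowerShell on a domain-joined machine as an account allowed to create users in that OU.

```powershell
# Added example (not from the original page). "OU=Staff,DC=example,DC=com" and the
# user "jdoe" are placeholders.
$ou = 'OU=Staff,DC=example,DC=com'

# Export: -d scopes the search, -r filters it, -l limits the attributes written.
# Without -l csvde dumps every attribute it can read, so the export file then holds
# far more directory data than you meant to put on disk; protect it accordingly.
csvde -f .\staff-export.csv -d $ou -r '(&(objectCategory=person)(objectClass=user))' -l 'dn,sAMAccountName,displayName,mail'

# Import: "changetype: add" creates the object. An LDIF import cannot set a usable
# password (unicodePwd requires an LDAPS connection), so create the account disabled:
# userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2).
@"
dn: CN=Jane Doe,$ou
changetype: add
objectClass: user
sAMAccountName: jdoe
displayName: Jane Doe
userPrincipalName: jdoe@example.com
userAccountControl: 514
"@ | Set-Content -Path .\new-user.ldf -Encoding ASCII

# -i import, -k keep going on "already exists" / constraint errors, -j log directory.
ldifde -i -k -f .\new-user.ldf -j .

# Then set a password interactively (-pwd * prompts) and enable the account with
# dsmod (Windows Server 2003 and later).
dsmod user "CN=Jane Doe,$ou" -pwd * -mustchpwd yes -disabled no
```

The same -d, -r and -l switches apply to ldifde, so the export half can be done with either tool; only the file format differs.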
1. Place the RID and PDC FSMO emulator roles on the same DC.
2. Place the infrastructure FSMO master on a non-global catalog server.
3. Place the domain naming FSMO master on a Global Catalog Server.
Structural class The structural class is important to the system administrator in that it is the only type from
which new Active Directory objects are created. Structural classes are developed from either the modification of
an existing structural type or the use of one or more abstract classes.
Abstract class Abstract classes are so named because they take the form of templates from which other
templates (abstract classes) and structural and auxiliary classes are derived. Think of abstract classes as
frameworks for defining objects; no object can be created directly from an abstract class.
Auxiliary class The auxiliary class is a list of attributes. Rather than apply numerous attributes when creating a
structural class, it provides a streamlined alternative by applying a combination of attributes with a single include
action.
88 class The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was
adopted. This type does not use the structural, abstract, and auxiliary definitions, nor is it in common use for the
development of objects in Windows Server 2003 environments.
Q. What is "REGEDIT"?
Ans. Regedit.exe is the Registry Editor, the built-in tool for viewing and editing the Windows registry. Changes
are written immediately and there is no undo, so export a key before modifying it.
Q. Types of Backup
Ans. The Backup utility supports five methods of backing up data on your computer or network.
Copy backup
A copy backup copies all selected files but does not mark each file as having been backed up (in other words, the
archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental
backups because copying does not affect these other backup operations.
Daily backup
A daily backup copies all selected files that have been modified the day the daily backup is performed. The
backed-up files are not marked as having been backed up (in other words, the archive attribute is not cleared).
Differential backup
A differential backup copies files created or changed since the last normal or incremental backup. It does not
mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing
a combination of normal and differential backups, restoring files and folders requires that you have the last
normal as well as the last differential backup.
Incremental backup
An incremental backup backs up only those files created or changed since the last normal or incremental backup.
It marks files as having been backed up (in other words, the archive attribute is cleared). If you use a
combination of normal and incremental backups, you will need to have the last normal backup set as well as all
incremental backup sets in order to restore your data.
Normal backup
A normal backup copies all selected files and marks each file as having been backed up (in other words, the
archive attribute is cleared). With normal backups, you need only the most recent copy of the backup file or tape
to restore all of the files. You usually perform a normal backup the first time you create a backup set.
Backing up your data using a combination of normal backups and incremental backups requires the least amount
of storage space and is the quickest backup method. However, recovering files can be time-consuming and
difficult because the backup set can be stored on several disks or tapes.
Backing up your data using a combination of normal backups and differential backups is more time-consuming,
especially if your data changes frequently, but it is easier to restore the data because the backup set is usually
stored on only a few disks or tapes.
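To make the archive-bit behaviour and its consequence for restores concrete, here is an added simulation (not part of the original page, and not the Backup utility's own code): it models a week of backups over three constructed in-memory files, where the Archive flag stands in for the file's archive attribute that Backup reads and clears.

```powershell
# Added example (not from the original page): simulate the five backup types on
# constructed in-memory "files" and compare a week of incremental vs differential.

function New-SimFile([string]$Name, [datetime]$Modified) {
    [pscustomobject]@{ Name = $Name; Modified = $Modified; Archive = $true }
}

# One backup pass: returns the file names it would back up and clears the archive
# bit only for Normal and Incremental, exactly as described above.
function Invoke-BackupPass {
    param(
        [ValidateSet('Normal','Copy','Daily','Incremental','Differential')][string]$Type,
        [object[]]$Files,
        [datetime]$Today,
        [string]$Schedule = ''
    )
    $selected = switch ($Type) {
        'Normal'       { $Files }                                                  # everything
        'Copy'         { $Files }                                                  # everything, bit untouched
        'Daily'        { $Files | Where-Object { $_.Modified.Date -eq $Today.Date } }
        'Incremental'  { $Files | Where-Object { $_.Archive } }                    # changed since last Normal/Incremental
        'Differential' { $Files | Where-Object { $_.Archive } }                    # same selection, bit stays set
    }
    if ($Type -in 'Normal','Incremental') { $selected | ForEach-Object { $_.Archive = $false } }
    [pscustomobject]@{
        Schedule = $Schedule; Day = $Today.ToString('ddd'); Type = $Type
        Files    = @($selected | ForEach-Object { $_.Name }) -join ','
    }
}

# A week of each common schedule: Normal on Monday, then one file edited per day.
$start = [datetime]'2024-01-01'   # a Monday
$rows  = @()
foreach ($schedule in 'Incremental','Differential') {
    $files = @( (New-SimFile 'a.txt' $start), (New-SimFile 'b.txt' $start), (New-SimFile 'c.txt' $start) )
    $rows += Invoke-BackupPass -Type Normal -Files $files -Today $start -Schedule $schedule
    foreach ($d in 1..4) {
        $day = $start.AddDays($d)
        $f = $files[$d % 3]; $f.Modified = $day; $f.Archive = $true   # the day's edit
        $rows += Invoke-BackupPass -Type $schedule -Files $files -Today $day -Schedule $schedule
    }
}
$rows | Format-Table Schedule, Day, Type, Files -AutoSize
```

Compare the two tables: the incremental schedule backs up one file per day because each pass clears the bit, so a Friday restore needs Monday's normal set plus all four incrementals; the differential schedule leaves the bit set, so each day's set grows until it holds every file changed since Monday, and a restore needs only Monday's set plus Friday's.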
Q. Disaster Recovery
In most cases, losing access to migrated public folders is caused by a quirk in the migration process. The Exchange
2000 Setup program examines the access control list for the public folder being migrated, and ensures that every
user or group found on the access control list also exists in the Active Directory. If even a single user or group
exists in the folder's access control list but doesn't exist in the Active Directory, then nobody except for the public
folder's owner is given access to the public folder under Exchange 2000. What makes this problem even stranger
is that it is apparently a design feature rather than a glitch. I say this because migrating from Exchange 5.5 to
Exchange 2003 works in the exact same way.
The solution to the problem is to bring an Exchange 2000 Server online prior to attempting the migration. To do
so, you can just load Windows 2000 Server and Exchange Server onto a spare PC. You can remove this
temporary server from your Exchange organization and the network after the migration has been completed.
In the meantime, you want to have this temporary Exchange 2000 Server online at the same time as your
existing Exchange 5.x servers. Once you have the temporary server in place, run a DS/IS consistency check on
your Exchange 5.x server. This will cause Exchange to identify any users or groups who have entries on access
control lists within Exchange 5.x, but do not have a corresponding Active Directory account. These accounts are
then removed from the access control list. This means you can safely replicate your public folders to the
Exchange 2000 Server or migrate your Exchange 5.5 Servers to Exchange 2000 or Exchange 2003 without
having to worry about public folder access problems.
Before I explain how to do a DS/IS consistency check, I need to give you a word of caution. Before running the
DS/IS consistency check, you must verify that all your existing Exchange Servers in all your sites are online and
accessible. If you fail to do this and a site is inaccessible, you will cause major problems for your Exchange
organization.
With that said, open the Exchange Administrator program on your Exchange 5.5 Server. Next, select your
Exchange Server from the server list and then select the Properties command from the console’s File menu.
When you do, you’ll see the server’s properties sheet. Select the Advanced tab and click on Consistency
Adjustment.
When you see the DS/IS Consistency Adjustment dialog box, select the Remove Unknown User Accounts From
Public Folder Permissions check box. Now, clear all other check boxes and click All Inconsistencies. When the
process completes, it should be safe to migrate the public folders for that server.
Exchange 5.5
- Create new Active Directory users based on Exchange 5.5 accounts in the source organization (if matching
users do not already exist in Active Directory).
- Convert Active Directory contacts to users.
- Migrate X.400, SMTP, cc:Mail, Microsoft Mail, and other e-mail addresses into the e-mail addresses attribute of
the new Active Directory user.
- Migrate the following mailbox and calendar data to the new Exchange 2000 mailboxes:
- Inbox
- Drafts
- Sent Items
- Calendar
- Tasks
- Custom folders created by the mailbox owner
- Update Exchange 2000 groups (but does not migrate Exchange 5.5 distribution lists). For example, a
distribution group in Active Directory may contain contacts. During migration, the Active Directory contacts
become disabled users, and the distribution group in Active Directory is updated to reflect this change.
Ans. Exchange Server, the Microsoft messaging and collaboration server, is software that runs on
servers that enables you to send and receive electronic mail and other forms of interactive communication
through computer networks. Designed to interoperate with a software client application such as Microsoft
Outlook, Exchange Server also interoperates with Outlook Express and other e-mail client applications.
Q. Describe Mail Flow in an exchange Server.
Q. What files are usually located in the MDBDATA directory on an Exchange 5.5 server
Ans : Priv.edb is the private information store primarily for mailboxes. Pub.edb is a public
Exchange 2000
Ans. The most notable difference between Exchange 5.5 and Exchange 2000 is the location where directory
information is stored. In Exchange 5.5, directory information resides in the Exchange 5.5 directory. Exchange
2000, however, relies entirely on Microsoft Active Directory directory service. To migrate mailboxes from
Exchange 5.5 to Exchange 2000, you must update Active Directory with all of the accounts that exist in the
Exchange 5.5 directory. You can use Migration Wizard to do this process for you by allowing Migration Wizard to
match Exchange 5.5 mailboxes with existing Active Directory users and create users if they do not already exist.
You access Migration Wizard from the Start menu (click Start, point to Programs, point to Microsoft Exchange,
and then click Migration Wizard).
Note: You can also use the command-prompt utility Mailmig.exe, with a combination of switches and a control file,
to perform a batch-process migration.
Q. How many times do you need to run ForestPrep in a single Active Directory forest that contains 4
domains?
Ans. Only once. ForestPrep runs once per forest, against the domain that holds the schema master (typically the
root domain), because its job is to extend the schema and create the forest-wide Exchange objects. DomainPrep,
by contrast, must be run in every domain that will host Exchange servers or mail-enabled recipients, so in a
four-domain forest it may have to run four times.
Setup /forestprep. The /forestprep option runs in the AD forest domain that hosts the schema master
(typically the root domain). The option updates the schema, instantiates the Exchange 2000 organization, adds
the Exchange 2000 container to the configuration naming context, and creates the Domain EX Admins and All
Exchange Servers universal groups. The /forestprep option is useful when you want to replicate schema updates
throughout the forest before any server installations begin.
You can't execute this command unless you can log on with Enterprise and Schema Admin privileges. In addition,
if you need to join an existing Exchange Server 5.5 organization, you must have Read access (at a minimum) to
the Exchange Server 5.5 Directory Store. (This option replaced the /schema only command-line switch that was
in the first Exchange 2000 public beta.) If you plan to run a mixed-mode Exchange server organization, you must
install the ADC within the organization before you run /forestprep.
The ForestPrep utility performs three major functions. It creates an Exchange organization object in AD,
defines the first Exchange administrator account, and extends the AD schema with the Exchange 2000 schema
extensions. Specific user rights are required to run ForestPrep. If your plan is to create a new Exchange 2000
organization, you can use an account that has rights to modify the schema and to write information to the
Configuration Naming Context; a member of both the Schema Admins and Enterprise Admins security groups has
these rights. If you are migrating from an existing Exchange 5.5 organization, you should clone the Exchange
service account from NT to Windows 2000 and make this cloned account a member of the same two security
groups. Then log on with the service account to run ForestPrep, so that it has sufficient rights both to execute the
operation and to read the Exchange 5.5 directory.
Setup /domainprep. The /domainprep option runs in every domain in which an Exchange 2000 server resides.
The option performs tasks such as creating the global groups that Exchange administration uses. You must be a
domain administrator to run this option.
The Domainprep Utility will perform several crucial tasks. It will create the global security group Exchange
Domain Servers, create the local security group Exchange Enterprise Servers, place the Exchange Domain Server
group into the Exchange Enterprise Servers group, grant permission for the Exchange Enterprise Servers on the
Domain object and the AdminSDHolder object, create the Microsoft Exchange System Objects container
underneath the domain node, and change the DC security policy to let all Exchange servers manage the auditing
and security log. The Domainprep Utility will run quickly. After it is complete, allow time for the domain changes
to replicate to all DCs. Then, to apply the security policy immediately, run the command:
secedit /refreshpolicy machine_policy
(On Windows XP and later, gpupdate /target:computer replaces secedit /refreshpolicy.)
Ans. The task of the ADC is to replicate directory information (such as mailboxes, users and groups) between the
Exchange 5.5 directory and Active Directory.
The ADC uses LDAP to contact both the Exchange 5.5 and Active Directory. LDAP works efficiently over all types
of network links, regardless of whether the connection is fast, slow, or high latency.
With the help of the ADC, you can create the following connection agreements (CAs):
The Recipient Connection Agreement replicates mailbox information, distribution lists and custom recipients from
Exchange 5.5 to Active Directory (or in both directions, if it is configured as a two-way agreement).
The Public Folder Connection Agreement replicates the directory objects that represent mail-enabled public folders,
so that they appear in Active Directory.
It is important to know that the Recipient Connection Agreement and Public Folder Connection Agreement do not
replicate the content of public folders and mailboxes, only the directory objects that describe them.
Organizations deploy Active Directory Connector (ADC) for four main reasons:
To replicate Microsoft Exchange directory information (from DIR.EDB) to Microsoft Active Directory (NTDS)
To replicate existing Microsoft Exchange Server version 5.5 directory data to Active Directory so that third-party
applications can take advantage of it.
To replicate directory information between Active Directory and the Exchange directory for coexistence from one
management application.
To deploy Exchange 2003 Server in an existing Exchange 5.5 environment for consolidation and migration
purposes.
Ans. The Recipient Update Service (RUS) is a very important component in your Exchange installation: it is RUS
that is responsible for updating address lists and e-mail addresses in your Active Directory.
Many people ask a simple question: "I just created a new mailbox, but when I look at the user's properties in
Active Directory Users and Computers, nothing is listed on the E-mail Addresses tab; what did I do wrong?" The
simple answer is nothing. The RUS takes its time to update all the information in AD, so give it some time and
everything will appear.
What we will discuss here is how to ensure that the RUS is running correctly and some issue with
using RUS in a multiple domain environment.
a. The "Enterprise Configuration" Recipient Update Service is responsible for the updating
of the email addresses for the system objects such as the Message Transfer Agent (MTA)
and System Attendant.
b. The "Domain" Recipient Update Service is responsible for the updating of the address
information for recipient objects in the domain that it is responsible for, in Figure 1 our
domain is NWTRADERS
To adjust the properties for the Recipient Update Service, right click over the service and then
select Properties, the properties for the Recipient Update Service will now be displayed (Figure 2).
Fields on the Recipient Update Service properties sheet:
Domain: the domain that is serviced by this Recipient Update Service.
Exchange Server: the Exchange server responsible for creating and updating the address list for the domain
specified in the Domain field.
Windows 2000 Domain Controller: the domain controller that this Recipient Update Service connects to when it
creates and updates the address list.
Update Interval: how often the Recipient Update Service runs; if you leave it set to "Always Run", it updates
once every minute.
Q. What is LSDOU?
Ans. It is the order in which Group Policy is processed and inherited: Local machine policy first, then GPOs linked
to the Site, the Domain and the Organizational Units (parent OU before child OU). Settings applied later override
earlier ones where they conflict, so an OU-linked GPO normally wins over a domain-linked one unless the higher
link is marked No Override (Enforced).
Reverse lookup zones are contained in a special domain called in-addr.arpa. This special domain behaves
similarly to the forward lookup zone. Subdomains in the in-addr.arpa zone are configured using the octets
in the dotted quads of each network ID. Each octet is reversed in the naming of each zone. For example,
you have a network ID of 132.165.7.0. The reverse lookup zone for this domain is 7.165.132.in-addr.arpa.
If you have a Network ID of 151.255.0.0, the reverse lookup zone is 255.151.in-addr.arpa.
Reverse lookup zones are created independently of Forward lookup zones. Pointer records (PTR) are
created when you set up the reverse lookup zones for your domain. You can manually enter the reverse
lookup zones for each computer on your network, or you can automatically create the PTR record when
you enter a record into the Forward lookup zone.
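The octet-reversal rule above is easy to get wrong for anything other than a /24. The following functions are an added example (not from the original page) that derive the zone name for any prefix on an octet boundary and the PTR record name for a host; the two calls at the end reproduce the 132.165.7.0 and 151.255.0.0 cases from the text. They need nothing but PowerShell; the commented Add-DnsServerPrimaryZone line is the Windows Server 2012+ DnsServer module cmdlet that would create such a zone.

```powershell
# Added example (not from the original page): in-addr.arpa zone and PTR naming.

function Get-ReverseZoneName {
    param([string]$NetworkId, [int]$PrefixLength)
    # The in-addr.arpa tree is delegated per octet; prefixes that are not a multiple
    # of 8 need RFC 2317 classless delegation, which is outside this example.
    if ($PrefixLength -notin 8, 16, 24) {
        throw "Octet-boundary reverse zones need a prefix of 8, 16 or 24 bits, not $PrefixLength."
    }
    $octets = $NetworkId.Split('.')
    if ($octets.Count -ne 4) { throw "Not a dotted quad: $NetworkId" }
    # Keep only the network octets, then reverse their order.
    $network = $octets[0..(($PrefixLength / 8) - 1)]
    [array]::Reverse($network)
    ($network -join '.') + '.in-addr.arpa'
}

function Get-PtrRecordName {
    param([string]$IPAddress)
    # A PTR name is the full address reversed; the host octets become labels
    # inside the zone named by the network octets.
    $octets = $IPAddress.Split('.')
    [array]::Reverse($octets)
    ($octets -join '.') + '.in-addr.arpa'
}

# The zone name is a suffix of every PTR name it should contain.
function Test-PtrInZone([string]$IPAddress, [string]$ZoneName) {
    (Get-PtrRecordName $IPAddress).EndsWith('.' + $ZoneName)
}

Get-ReverseZoneName -NetworkId 132.165.7.0 -PrefixLength 24
Get-ReverseZoneName -NetworkId 151.255.0.0 -PrefixLength 16
Get-PtrRecordName 132.165.7.42
Test-PtrInZone 132.165.7.42 (Get-ReverseZoneName -NetworkId 132.165.7.0 -PrefixLength 24)

# Creating the zone on a Windows Server 2012+ DNS server (DnsServer module):
# Add-DnsServerPrimaryZone -NetworkId 132.165.7.0/24 -ReplicationScope Domain
```

Test-PtrInZone is the check to run when PTR lookups fail for a subnet: if the reverse zone name is not a suffix of the host's PTR name, the zone was created for the wrong network ID.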
Q. There are two Windows 2003 computers connected in a network. One of them is the domain controller holding
the FSMO roles. If that domain controller burns down, how do we get all the FSMO roles back on the other
computer?
Ans. You can transfer FSMO roles either by using the Microsoft Management Console (MMC) Active
Directory (AD) snap-ins (e.g., Active Directory Users and Computers) or the Ntdsutil utility. However, if
the server that is to take ownership of the FSMO role can't contact the current role holder, you must force the
FSMO role transfer by seizing it with Ntdsutil. To use this option, perform the same actions as
you usually do when transferring a role with Ntdsutil, except that instead of entering the command
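Seizure spelled out, as an added example that is not part of the original page: "DC2" is a placeholder for the surviving domain controller. Seize only when the old holder is gone for good; if it is merely unreachable, transfer instead, because two live holders of the RID Master or Schema Master role corrupt the directory, and a DC whose roles were seized must never be reconnected without being rebuilt.

```powershell
# Added example (not from the original page). $survivor is the DC that takes the roles.
$survivor = 'DC2'

# Windows 2000/2003: ntdsutil accepts its menu commands as arguments, so the
# interactive session described above can be scripted. Each "seize" first tries a
# clean transfer and still pops a confirmation dialog. On Windows Server 2008 and
# later the command "seize domain naming master" is spelled "seize naming master".
ntdsutil 'roles' 'connections' "connect to server $survivor" 'quit' `
         'seize schema master' 'seize domain naming master' 'seize pdc' `
         'seize rid master' 'seize infrastructure master' 'quit' 'quit'

# Windows Server 2008 R2 or later, ActiveDirectory module: the same seizure in one
# cmdlet. -Force makes it seize when the current holder cannot be contacted.
Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# Verify the new holders. Then remove the dead DC's leftovers (ntdsutil "metadata
# cleanup", or delete its server object in Active Directory Sites and Services on
# 2008 and later) so that replication and DNS stop pointing at it.
netdom query fsmo
```

After a seizure the RID Master also needs a sanity check: the survivor should have been a replication partner of the old holder recently, otherwise RIDs it never learned about may be handed out twice.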
Q. What is Loopback Policy? Is it possible that a user logs on to different machines normally, but when he logs
on to one particular machine the Run command box is deactivated?
Ans. Group Policy applies to the user or computer in a manner that depends on where both the user and the
computer objects are located in Active Directory. However, in some cases, users may need policy applied
to them based on the location of the computer object alone. You can use the Group Policy loopback feature
to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.
1. In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.
2. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback
Policy option
This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a
computer affected by this policy. This policy is intended for special-use computers where you must modify
the user policy based on the computer that is being used. For example, computers in public areas, in
laboratories, and in classrooms.
Note: Loopback is supported only in an Active Directory environment. Both the computer account and the
user account must be in Active Directory. If a Microsoft Windows NT 4.0 based domain controller
manages either account, the loopback does not function.
With a DHCP server installed and configured on your network, DHCP-enabled clients can obtain their IP
address and related configuration parameters dynamically each time they start and join your network.
DHCP servers provide this configuration in the form of an address-lease offer to requesting clients.
The network administrator establishes one or more DHCP servers that maintain TCP/IP configuration
information and provide address configuration to DHCP-enabled clients in the form of a lease offer. The
DHCP server stores the configuration information in a database, which includes:
• The DHCP client does not have an IP address configured, or has an IP address configured as 0.0.0.0.
The client was not able to contact a DHCP server and obtain an IP address lease, either because of a
network hardware failure or because the DHCP server is unavailable.
Verify that the client computer has a valid, functioning network connection. First, check that related client
hardware devices (cables and network adapters) are working properly at the client.
Next, if the client hardware appears to be functioning properly, check that the DHCP server is available on
the network by pinging it from another computer on the same network as the affected DHCP client.
Also, try releasing or renewing the client's address lease, and check that the client's TCP/IP configuration
is set to automatic addressing.
• The DHCP client has an auto-configured IP address that is incorrect for its current network.
The Windows 2000 or Windows 98 DHCP client could not find a DHCP server and has used the Automatic
Private IP Addressing (APIPA) feature to configure its IP address. In some larger networks, disabling this
feature might be desirable for network administration.
First, use the ping command to test connectivity from the client to the server. Next, verify or manually
attempt to renew the client lease. Depending on your network requirements, it might be necessary to
disable APIPA at the client.
• The IP address of the DHCP server was changed and now DHCP clients cannot get IP addresses.
A DHCP server can only service requests for a scope that has a network ID that is the same as the network
ID of its IP address. Make sure that the DHCP server IP address falls in the same network range as the
scope it is servicing. For example, a server with an IP address in the 192.168.0.0 network cannot assign
addresses from scope 10.0.0.0 unless superscopes are used.
• The DHCP clients are located across a router from the subnet where the DHCP server resides and are
unable to receive an address from the server.
A DHCP server can provide IP addresses to client computers on remote multiple subnets only if the router
that separates them can act as a DHCP relay agent. Completing the following steps might correct this
problem:
1. Configure a BOOTP/DHCP relay agent on the client subnet (that is, the same physical network
segment). The relay agent can be located on the router itself or on a Windows 2000 Server computer
running the DHCP Relay service component.
2. At the DHCP server, configure a scope to match the network address on the other side of the router
where the affected clients are located.
3. In the scope, make sure that the subnet mask is correct for the remote subnet.
4. Use a default gateway on the network connection of the DHCP server in such a way that it is not using
the same IP address as the router that supports the remote subnet where the clients are located.
5. Do not include this scope (that is, the one for the remote subnet) in superscopes configured for use on the
same local subnet or segment where the DHCP server resides.
6. Make sure there is only one logical route between the DHCP server and the remote subnet clients.
• Multiple DHCP servers exist on the same local area network (LAN).
Make sure that you do not configure multiple DHCP servers on the same LAN with overlapping scopes.
You might want to rule out the possibility that one of the DHCP servers in question is a Small Business
Server (SBS) computer. By design, the DHCP service, when running under SBS, automatically stops when
it detects another DHCP server on the LAN.
Address Conflicts: DHCP operates on a lease renewal basis. During the leasing process, address conflicts
can occur as leases are renewed and expired. Client lease requests might be denied by the server for invalid
(out of pool) or duplicate addresses. Multiple address conflict messages can indicate that your lease period,
your scope, or both, need adjustment in your DHCP server configuration.
Client Service Availability: A computer running Microsoft Windows Vista becomes a DHCP client if
Obtain an IP address automatically is selected in its TCP/IP properties. When a client computer is set to use
DHCP, it accepts a lease offer and can receive the following from the server:
- Temporary use of an IP address known to be valid for the network it is joining.
- Additional TCP/IP configuration parameters for the client to use in the form of options data.
Configuration: Each time a DHCP client starts, it requests IP addressing information from a DHCP server,
including:
- IP address.
- Subnet mask.
- Additional configuration parameters, such as a default gateway address, Domain Name System
(DNS) server addresses, a DNS domain name, and Windows Internet Name Service (WINS) server
addresses.
When a DHCP server receives a request, it selects an available IP address from a pool of addresses defined
in its database (along with other configuration parameters) and offers it to the DHCP client. If the client
accepts the offer, the IP addressing information is leased to the client for a specified period of time.
The DHCP client will typically continue to attempt to contact a DHCP server if a response to its request for
an IP address configuration is not received, either because the DHCP server cannot be reached or because
no more IP addresses are available in the pool to lease to the client. For DHCP clients that are based on
Microsoft Windows Vista, Microsoft Windows XP or Windows Server 2003 operating systems, the DHCP
Client service uses the alternate configuration when it cannot contact a DHCP server. The alternate
configuration can be either an Automatic Private IP Addressing (APIPA) address or an alternate
configuration that has been configured manually.
IPv6 Availability: DHCP can lease both Internet Protocol version 4 (IPv4) and Internet Protocol version 6
(IPv6) addresses. If IPv6 is not available, the DHCP service uses IPv4 only.
Network Errors: A network error might prevent the DHCP client from sending messages to the DHCP
server. DHCP clients and servers use the following messages to communicate during the DHCP
configuration process:
• DHCPDiscover - Sent from client to server to initially discover the presence of DHCP servers on the
network.
• DHCPOffer - Sent from server to client to respond to the DHCPDiscover message. The DHCPOffer
message contains an IP address configuration offered to the requesting DHCP client.
• DHCPRequest - Sent from client to server to request a specific IP address configuration from a specific
DHCP server.
• DHCPAck - Sent from server to client to acknowledge that the client has been allocated a specific IP
address configuration.
• DHCPNak - Sent from server to client to indicate that the client cannot use a specific IP address
configuration. For example, DHCP servers send DHCPNak messages when a wireless client has moved to
a different subnet and attempts to renew the lease on its previous address.
• DHCPDecline - Sent from client to server to indicate that the offered IP address configuration is invalid.
For example, DHCP clients send DHCPDecline messages when they discover that the offered IP address is
a duplicate.
• DHCPRelease - Sent from client to server to indicate that the DHCP client is no longer using the IP
address configuration.
• DHCPInform - Sent from client to server to request additional configuration settings.
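The message flow listed above, as an added example that is not part of the original document: a minimal DHCP server model that runs a normal Discover/Offer/Request/Ack lease, answers DHCPNak when a client tries to renew an address from another subnet, withholds an address after a DHCPDecline, and enforces the rule from the troubleshooting section that a scope must share the server's network ID. The scope 192.168.0.0/24, the server address and the MAC addresses are constructed for the example.

```python
"""Added example, not from the original document: a minimal DHCP server model
that exercises the message types listed above. The scope, server address and
client MAC addresses below are constructed values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class DhcpMsg:
    kind: str                       # "DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", ...
    mac: str                        # client hardware address
    ip: Optional[str] = None        # address offered / requested / declined / released
    server: Optional[str] = None    # server identifier the client is talking to


class DhcpServer:
    def __init__(self, server_ip: str, scope: str):
        self.ip = server_ip
        self.scope = ipaddress.ip_network(scope)
        # A server can only service a scope whose network ID matches its own
        # address; superscopes (the exception) are not modelled here.
        if ipaddress.ip_address(server_ip) not in self.scope:
            raise ValueError("scope network ID does not match the server address")
        self.pool = [str(h) for h in self.scope.hosts() if str(h) != server_ip]
        self.leases = {}        # ip -> mac (active leases)
        self.offered = {}       # mac -> ip (offers awaiting a DHCPREQUEST)
        self.declined = set()   # ips a client reported as duplicates

    def _free_address(self) -> Optional[str]:
        for ip in self.pool:
            if ip not in self.leases and ip not in self.declined \
                    and ip not in self.offered.values():
                return ip
        return None             # pool exhausted: the client keeps retrying

    def handle(self, m: DhcpMsg) -> Optional[DhcpMsg]:
        if m.kind == "DHCPDISCOVER":
            ip = self.offered.get(m.mac) or self._free_address()
            if ip is None:
                return None
            self.offered[m.mac] = ip
            return DhcpMsg("DHCPOFFER", m.mac, ip, self.ip)

        if m.kind == "DHCPREQUEST":
            if m.server not in (None, self.ip):
                self.offered.pop(m.mac, None)   # client chose another server
                return None
            in_scope = ipaddress.ip_address(m.ip) in self.scope
            taken = self.leases.get(m.ip, m.mac) != m.mac
            if not in_scope or taken:           # e.g. renewal after moving subnets
                return DhcpMsg("DHCPNAK", m.mac, m.ip, self.ip)
            self.offered.pop(m.mac, None)
            self.leases[m.ip] = m.mac
            return DhcpMsg("DHCPACK", m.mac, m.ip, self.ip)

        if m.kind == "DHCPDECLINE":             # client found the address in use
            self.leases.pop(m.ip, None)
            self.declined.add(m.ip)
            return None

        if m.kind == "DHCPRELEASE":
            if self.leases.get(m.ip) == m.mac:
                del self.leases[m.ip]
            return None

        if m.kind == "DHCPINFORM":              # client already has an address
            return DhcpMsg("DHCPACK", m.mac, None, self.ip)   # and wants options only

        return None


if __name__ == "__main__":
    srv = DhcpServer("192.168.0.1", "192.168.0.0/24")
    offer = srv.handle(DhcpMsg("DHCPDISCOVER", "00:11:22:33:44:55"))
    ack = srv.handle(DhcpMsg("DHCPREQUEST", "00:11:22:33:44:55", offer.ip, srv.ip))
    print(offer, ack)
    # A laptop that moved from 10.0.0.0/24 tries to renew its old address.
    print(srv.handle(DhcpMsg("DHCPREQUEST", "66:77:88:99:aa:bb", "10.0.0.7")))
```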
The Wires
--NAS uses TCP/IP Networks: Ethernet, FDDI, ATM (perhaps TCP/IP over Fibre Channel someday)
--SAN uses Fibre Channel
The Protocols
--NAS uses TCP/IP and NFS/CIFS/HTTP
--SAN uses Encapsulated SCSI
A NAS identifies data by file name and byte offsets, transfers file data or file meta-data (file's owner,
permissions, creation date, etc.), and handles security, user authentication, and file locking.
A NAS allows greater sharing of information especially between disparate operating systems such as Unix
and NT.
Backups and mirrors (utilizing features like NetApp's Snapshots) are done on files, not blocks, for a savings
in bandwidth and time. A Snapshot can be tiny compared to its source volume.
SAN
Only server class devices with SCSI Fibre Channel can connect to the SAN. The Fibre Channel of the SAN
has a limit of around 10km at best.
A SAN addresses data by disk block number and transfers raw disk blocks.
File Sharing is operating system dependent and does not exist in many operating systems.
File System managed by servers
Backups and mirrors require a block by block copy, even if blocks are empty. A mirror machine must be
equal to or greater in capacity compared to the source volume.
• RAID 0: Striped Set (2 disks minimum) without parity. Provides improved performance and
additional storage but no fault tolerance from disk errors or disk failure. Any disk failure destroys
the array, which becomes more likely with more disks in the array. The reason a single disk failure
destroys the entire array is because when data is written to a RAID 0 drive, the data is broken into
"fragments". The number of fragments is dictated by the number of disks in the drive. Each of
these fragments are written to their respective disks simultaneously on the same sector. This
allows smaller sections of the entire chunk of data to be read off the drive in parallel, giving this
type of arrangement huge bandwidth. When one sector on one of the disks fails, however, the
corresponding sector on every other disk is rendered useless because part of the data is now
corrupted. RAID 0 does not implement error checking so any error is unrecoverable. More disks in
the drive means higher bandwidth, but greater risk of data loss.
• RAID 1: Mirrored Set (2 disks minimum) without parity. Provides fault tolerance from disk errors
and single disk failure. Increased read performance occurs when using a multi-threaded operating
system that supports split seeks, very small performance reduction when writing. Array continues
to operate so long as at least one drive is functioning.
• RAID 3 and RAID 4: Striped Set (3 disk minimum) with Dedicated Parity. The parity bits each
represent a memory location and have a value of 0 or 1, indicating whether the memory location they
represent is empty or full, thus enhancing the speed of reads and writes. This mechanism provides
improved performance and fault tolerance similar to RAID 5, but with a dedicated parity disk rather
than rotated parity stripes. The single parity disk is a bottleneck for writing, since every write requires
updating the parity data. One minor benefit of the dedicated parity disk is that the parity drive can fail
and operation will continue without parity or performance penalty.
• RAID 5: Striped Set (3 disk minimum) with Distributed Parity. Distributed parity requires all but
one drive to be present to operate; drive failure requires replacement, but the array is not destroyed
by a single drive failure. Upon drive failure, any subsequent reads can be calculated from the
distributed parity such that the drive failure is masked from the end user. The array will have data
loss in the event of a second drive failure and is vulnerable until the data that was on the failed
drive is rebuilt onto a replacement drive.
• RAID 6: Striped Set (4 disk minimum) with Dual Distributed Parity. Provides fault tolerance from
two drive failures; the array continues to operate with up to two failed drives. This makes larger RAID
groups more practical, especially for high-availability systems. As drives grow in size (a single drive
may be 1 Terabyte in size), they become more prone to error and more exposed to failure during a
rebuild. Single-parity RAID levels are vulnerable to data loss until the failed drive is rebuilt: the larger
the drive, the longer the rebuild will take. Dual parity gives time to rebuild the array by recreating a
failed drive while still being able to sustain the failure of another drive in the same array.
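The parity behaviour described for RAID 5 above, as an added example that is not part of the original text: data is striped over n-1 disks with the parity chunk rotated across disks, a read after one drive failure is served by XORing the surviving chunks, a replacement drive is rebuilt the same way, and a second failure before the rebuild makes the stripe unrecoverable. The disk count, chunk size and payload are constructed.

```python
"""Added example, not from the original text: RAID 5 striping with rotated
XOR parity over a small constructed buffer."""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length chunks; XOR parity is what RAID 5 stores."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe_no: int, ndisks: int) -> int:
    """RAID 5 rotates the parity chunk: stripe 0 on the last disk, then leftwards."""
    return (ndisks - 1 - stripe_no) % ndisks


def raid5_write(data: bytes, ndisks: int, chunk: int):
    """Return one chunk list per disk holding `data` plus its parity chunks."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = chunk * (ndisks - 1)
    data += b"\0" * (-len(data) % per_stripe)           # pad the last stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        p = parity_disk_for(s, ndisks)
        pieces = iter(data[s * per_stripe:(s + 1) * per_stripe][k:k + chunk]
                      for k in range(0, per_stripe, chunk))
        stripe = [None if d == p else next(pieces) for d in range(ndisks)]
        stripe[p] = xor_blocks([c for c in stripe if c is not None])
        for d in range(ndisks):
            disks[d].append(stripe[d])
    return disks


def raid5_read(disks, failed=()):
    """Reassemble the data; one failed disk is reconstructed from parity on the fly."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        stripe = [None if d in failed else disks[d][s] for d in range(ndisks)]
        missing = [d for d in range(ndisks) if stripe[d] is None]
        if len(missing) > 1:
            raise RuntimeError("two drives failed: stripe cannot be rebuilt")
        if missing:                                     # XOR of the rest restores it
            stripe[missing[0]] = xor_blocks([c for c in stripe if c is not None])
        p = parity_disk_for(s, ndisks)
        out += b"".join(stripe[d] for d in range(ndisks) if d != p)
    return bytes(out)


def raid5_rebuild(disks, failed: int):
    """Recreate the failed disk onto a replacement, chunk by chunk."""
    ndisks = len(disks)
    replacement = [xor_blocks([disks[d][s] for d in range(ndisks) if d != failed])
                   for s in range(len(disks[0]))]
    return [replacement if d == failed else disks[d] for d in range(ndisks)]


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"   # constructed data
    array = raid5_write(payload, ndisks=4, chunk=4)
    print(raid5_read(array, failed=(2,))[:len(payload)])       # still readable
    try:
        raid5_read(array, failed=(1, 3))
    except RuntimeError as err:
        print("second failure:", err)
```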
Many storage controllers allow RAID levels to be nested. That is, one RAID can use another as its basic
element, instead of using physical drives. It is instructive to think of these arrays as layered on top of each
other, with physical drives at the bottom.
Nested RAIDs are usually signified by joining the numbers indicating the RAID levels into a single
number, sometimes with a '+' in between. For example, RAID 10 (or RAID 1+0) conceptually consists of
multiple level 1 arrays stored on physical drives with a level 0 array on top, striped over the level 1 arrays.
In the case of RAID 0+1, it is most often called RAID 0+1 as opposed to RAID 01 to avoid confusion with
RAID 1. However, when the top array is a RAID 0 (such as in RAID 10 and RAID 50), most vendors
choose to omit the '+', though RAID 5+0 is more informative.
Common nested RAID levels
RAID 0+1: Striped Set + Mirrored Set (4 disk minimum; Even number of disks) provides fault tolerance
and improved performance but increases complexity. The key difference from RAID 1+0 is that RAID 0+1
creates a second striped set to mirror a primary striped set. The array continues to operate with one or more
drives failed in the same mirror set, but if two or more drives fail on different sides of the mirroring, the
data on the RAID system is lost.
RAID 1+0: Mirrored Set + Striped Set (4 disk minimum; Even number of disks) provides fault tolerance
and improved performance but increases complexity. The key difference from RAID 0+1 is that RAID 1+0
creates a striped set from a series of mirrored drives. The array can sustain multiple drive losses as long as
no two drives lost comprise a single pair of one mirror.
RAID 5+0: A stripe across distributed parity RAID systems
RAID 5+1: A mirror striped set with distributed parity (some manufacturers label this as RAID 53)
Given the large number of custom configurations possible with a RAID array, many companies,
organizations, and groups have created their own non-standard configurations, typically designed to meet
the needs of a very small niche group of arrays. Most of these non-standard RAID levels are
proprietary.
Some of the more prominent modifications are:
ATTO Technology's DVRAID™ adds parity RAID protection to systems which demand performance for
4K film, 2K film, high-definition audio and video.
The Storage Computer Corporation uses RAID 7, which adds caching to RAID 3 and RAID 4 to improve
performance.
EMC Corporation offers RAID S as an alternative to RAID 5 on their Symmetrix systems, though this is no
longer supported on the latest release of Enginuity, the Symmetrix's operating system.
RAID-Z in the zfs filesystem of OpenSolaris solves the "write hole" problem of RAID-5.
Intel has introduced a concept called 'Matrix Storage' whereby an identical part of each disk drive
is configured as one type of RAID (say, striped) while the other part acts as a mirrored array.
Ans. Yes
The information in this tutorial applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2003 Server Family
Microsoft Small Business Server 2000
Important Notice:
Microsoft Internet Information Server (IIS) 5.x under Windows 2000, Windows XP Home or Windows XP
Professional does not allow you to host more than one web server.
You will have to upgrade to one of the operating systems in the list above to be able to host multiple Web sites
with IIS, or simply choose another Web server platform (e.g. Apache).
Summary:
This tutorial provides step-by-step instructions for hosting multiple Web sites with IIS (Internet Information
Server) 5.x or 6.x by using a single IP address and No-IP service.
Setting up NO-IP+ Plus accounts
Create a No-IP account if you haven't already done that, log in to your account, and click "Add Domain" in the
No-IP Plus menu. Enter the domain name you want to use with the No-IP Plus service and follow the instructions
to complete your setup.
Download and install Dynamic DNS update client and configure it for your account allowing it to download your
hosts you recently setup with NO-IP+ Plus service.
Note:
If you have chosen to set up a new domain name, you have to allow up to 24 hours for the DNS records for your
domain name to propagate on the Internet.
Setting up IIS
Usually IIS is not installed automatically under MS Windows operating systems, so you will have to install it by
going to Windows Control Panel, choosing Add/Remove Programs, then Add/Remove Windows components, and
check Internet Information Services (IIS).
After installation is completed, go to Windows Control Panel, Administrative Tools and start Internet Services
Manager.
1. Right-click the Website name in your server list you recently setup and choose Properties from the menu.
2. Click the Directory Security tab, then click Edit in the "Anonymous Access.." section.
3. Make sure that the Anonymous Access property is checked and click the "Edit..." button.
4. Check that the user account shown here has the access rights needed to read your website folder.
To confirm that the problem is an access-rights issue, try using the Administrators account here as a
diagnostic step only, and switch back to the low-privilege anonymous account once the folder permissions are fixed.
Now, try opening your browser and typing your domain name in the URL field (e.g. mysite1.com). If you had a
problem with access rights, it has now been resolved and you will be able to see your website.
If you have resolved the access-rights issue but are receiving a "Directory Listing Denied" message, you have
probably pointed your website at an index file that has not been registered as an allowed default document
for your website.
1. Right-click the Website name in your server list you recently setup and choose Properties from the menu.
2. Click Documents tab.
Under the Enable Default Document section you will see the index files registered with your website. If you are
using e.g. myindexfile.htm, myindexfile.html or myindexfile.php as your index file, you will have to register it
here.
3. Click Add, then type your index file name (e.g. index.php), and press Ok.
4. Press Ok again.
Now, try opening your browser and typing your domain name in the URL field (e.g. mysite1.com).
Congratulations!
Now, you can repeat process above to properly configure all Website(s) with IIS.
• A specified DNS domain name, stated as a fully qualified domain name (FQDN)
• A specified query type, which can either specify a resource record by type or a specialized type of query
operation
• A specified class for the DNS domain name.
For Windows DNS servers, this should always be specified as the Internet (IN) class.
For example, the name specified could be the FQDN for a computer, such as "host-a.example.microsoft.com.",
and the query type specified to look for an address (A) resource record by that name. Think of a DNS query as a
client asking a server a two-part question, such as "Do you have any A resource records for a computer named
'hostname.example.microsoft.com.'?" When the client receives an answer from the server, it reads and interprets
the answered A resource record, learning the IP address for the computer it asked for by name.
DNS queries resolve in a number of different ways. A client can sometimes answer a query locally using cached
information obtained from a previous query. The DNS server can use its own cache of resource record
information to answer a query. A DNS server can also query or contact other DNS servers on behalf of the
requesting client to fully resolve the name, then send an answer back to the client. This process is known as
recursion.
In addition, the client itself can attempt to contact additional DNS servers to resolve a name. When a client does
so, it uses separate and additional nonrecursive queries based on referral answers from servers. This process is
known as iteration.
The following figure shows an overview of the complete DNS query process.
As shown in the initial steps of the query process, a DNS domain name is used in a program on the local
computer. The request is then passed to the DNS Client service for resolution using locally cached information. If
the queried name can be resolved, the query is answered and the process is completed.
The local resolver cache can include name information obtained from two possible sources:
• If a Hosts file is configured locally, any host name-to-address mappings from that file are preloaded into the
cache when the DNS Client service is started.
• Resource records obtained in answered responses from previous DNS queries are added to the cache and kept
for a period of time.
If the query does not match an entry in the cache, the resolution process continues with the client querying a
DNS server to resolve the name
As indicated in the previous figure, the client queries a preferred DNS server. The actual server used during the
initial client/server query part of the process is selected from a global list. For more information about how this
global list is compiled and updated, see Client features.
When the DNS server receives a query, it first checks to see if it can answer the query authoritatively based on
resource record information contained in a locally configured zone on the server. If the queried name matches a
corresponding resource record in local zone information, the server answers authoritatively, using this
information to resolve the queried name.
If no zone information exists for the queried name, the server then checks to see if it can resolve the name using
locally cached information from previous queries. If a match is found here, the server answers with this
information. Again, if the preferred server can answer with a positive matched response from its cache to the
requesting client, the query is completed.
If the queried name does not find a matched answer at its preferred server -- either from its cache or zone
information -- the query process can continue, using recursion to fully resolve the name. This involves assistance
from other DNS servers to help resolve the name. By default, the DNS Client service asks the server to use a
process of recursion to fully resolve names on behalf of the client before returning an answer. In most cases, the
DNS server is configured, by default, to support the recursion process as shown in the following figure.
In order for the DNS server to do recursion properly, it first needs some helpful contact information about other
DNS servers in the DNS domain namespace. This information is provided in the form of root hints, a list of
preliminary resource records that can be used by the DNS service to locate other DNS servers that are
authoritative for the root of the DNS domain namespace tree. Root servers are authoritative for the domain root
and top-level domains in the DNS domain namespace tree. For more information, see Updating root hints.
By using root hints to find root servers, a DNS server is able to complete the use of recursion. In theory, this
process enables any DNS server to locate the servers that are authoritative for any other DNS domain name
used at any level in the namespace tree.
For example, consider the use of the recursion process to locate the name "host-b.example.microsoft.com."
when the client queries a single DNS server. The process occurs when a DNS server and client are first started
and have no locally cached information available to help resolve a name query. It assumes that the name
queried by the client is for a domain name of which the server has no local knowledge, based on its configured
zones.
First, the preferred server parses the full name and determines that it needs the location of the server that is
authoritative for the top-level domain, "com". It then uses an iterative (that is, a nonrecursive) query to the
"com" DNS server to obtain a referral to the "microsoft.com" server. Next, a referral answer comes from the
"microsoft.com" server to the DNS server for "example.microsoft.com".
Finally, the "example.microsoft.com." server is contacted. Because this server contains the queried name as part
of its configured zones, it responds authoritatively back to the original server that initiated recursion. When the
original server receives the response indicating that an authoritative answer was obtained to the requested
query, it forwards this answer back to the requesting client and the recursive query process is completed.
Although the recursive query process can be resource-intensive when performed as described above, it has some
performance advantages for the DNS server. For example, during the recursion process, the DNS server
performing the recursive lookup obtains information about the DNS domain namespace. This information is
cached by the server and can be used again to help speed the answering of subsequent queries that use or
match it. Over time, this cached information can grow to occupy a significant portion of server memory
resources, although it is cleared whenever the DNS service is cycled on and off.
• An authoritative answer
• A positive answer
• A referral answer
• A negative answer
An authoritative answer is a positive answer returned to the client and delivered with the authority bit set in the
DNS message to indicate the answer was obtained from a server with direct authority for the queried name.
A positive response can consist of the queried RR or a list of RRs (also known as an RRset) that fits the queried
DNS domain name and record type specified in the query message.
A referral answer contains additional resource records not specified by name or type in the query. This type of
answer is returned to the client if the recursion process is not supported. The records are meant to act as helpful
reference answers that the client can use to continue the query using iteration.
A referral answer contains additional data such as resource records (RRs) that are other than the type queried.
For example, if the queried host name was "www" and no A RRs for this name were found in this zone but a
CNAME RR for "www" was found instead, the DNS server can include that information when responding to the
client.
If the client is able to use iteration, it can make additional queries using the referral information in an attempt to
fully resolve the name for itself.
A negative response from the server can indicate that one of two possible results was encountered while the
server attempted to process and recursively resolve the query fully and authoritatively:
• An authoritative server reported that the queried name does not exist in the DNS namespace.
• An authoritative server reported that the queried name exists but no records of the specified type exist for that
name.
The resolver passes the results of the query, in the form of either a positive or negative response, back to the
requesting program and caches the response.
Notes
• If the resultant answer to a query is too long to be sent and resolved in a single UDP message packet, the DNS
server can initiate a failover response over TCP port 53 to answer the client fully in a TCP connected session.
• Disabling the use of recursion on a DNS server is generally done when DNS clients are being limited to
resolving names to a specific DNS server, such as one located on your intranet. Recursion might also be disabled
when the DNS server is incapable of resolving external DNS names, and clients are expected to fail over to
another DNS server for resolution of these names.
You can disable the use of recursion by configuring the Advanced properties in the DNS console on the
applicable server. For more information, see Disable recursion on the DNS server.
• If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.
• By default, DNS servers use several default timings when performing a recursive query and contacting other
DNS servers. These are:
• A recursion retry interval of 3 seconds. This is the length of time the DNS service waits before retrying a query
made during a recursive lookup.
• A recursion time-out interval of 15 seconds. This is the length of time the DNS service waits before failing a
recursive lookup that has been retried.
Under most circumstances, these parameters do not need adjustment. However, if you are using recursive
lookups over a slow-speed WAN link, you might be able to improve server performance and query completion by
making slight adjustments to the settings. For more information, see Tuning advanced server parameters.
Iteration is the type of name resolution used between DNS clients and servers when the following conditions are
in effect:
• The client requests the use of recursion, but recursion is disabled on the DNS server.
• The client does not request the use of recursion when querying the DNS server.
An iterative request from a client tells the DNS server that the client expects the best answer the DNS server can
provide immediately, without contacting other DNS servers.
When iteration is used, a DNS server answers a client based on its own specific knowledge about the namespace
with regard to the names data being queried. For example, if a DNS server on your intranet receives a query
from a local client for "www.microsoft.com", it might return an answer from its names cache. If the queried
name is not currently stored in the names cache of the server, the server might respond by providing a referral
-- that is, a list of NS and A resource records for other DNS servers that are closer to the name queried by the
client.
When a referral is made, the DNS client assumes responsibility to continue making iterative queries to other
configured DNS servers to resolve the name. For example, in the most involved case, the DNS client might
expand its search as far as the root domain servers on the Internet in an effort to locate the DNS servers that
are authoritative for the "com" domain. Once it contacts the Internet root servers, it can be given further
iterative responses from these DNS servers that point to actual Internet DNS servers for the "microsoft.com"
domain. When the client is provided records for these DNS servers, it can send another iterative query to the
external Microsoft DNS servers on the Internet, which can respond with a definitive and authoritative answer.
When iteration is used, a DNS server can further assist in a name query resolution beyond giving its own best
answer back to the client. For most iterative queries, a client uses its locally configured list of DNS servers to
contact other name servers throughout the DNS namespace if its primary DNS server cannot resolve the query.
As DNS servers process client queries using recursion or iteration, they discover and acquire a significant store of
information about the DNS namespace. This information is then cached by the server.
Caching provides a way to speed the performance of DNS resolution for subsequent queries of popular names,
while substantially reducing DNS-related query traffic on the network.
As DNS servers make recursive queries on behalf of clients, they temporarily cache resource records (RRs).
Cached RRs contain information obtained from DNS servers that are authoritative for DNS domain names learned
while making iterative queries to search and fully answer a recursive query performed on behalf of a client.
Later, when other clients place new queries that request RR information matching cached RRs, the DNS server
can use the cached RR information to answer them.
When information is cached, a Time-To-Live (TTL) value applies to all cached RRs. As long as the TTL for a
cached RR has not expired, a DNS server can continue to cache and use the RR when answering queries from its
clients that match it. In most zone configurations, the caching TTL of an RR is the minimum (default) TTL set in
the zone's start of authority (SOA) resource record. By default, the minimum TTL is 3,600 seconds (1 hour), but
it can be adjusted or, if needed, individual caching TTLs can be set on each RR.
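As an added illustration (not from the original document), the following Python simulation walks an iterative lookup for www.microsoft.com from a root hint through the "com" and "microsoft.com" referrals, caching every RR it learns with its TTL. The server data, addresses and TTLs are constructed, and the clock is injectable so that TTL expiry can be shown.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, data and caching TTL in seconds."""
    name: str
    rtype: str
    data: str
    ttl: int


# Constructed authoritative data keyed by server address. Each server knows only
# its own zone: it answers with A records or hands back a referral (NS records
# plus their glue A records). Addresses are from documentation ranges.
ROOT_HINTS = ["198.51.100.1"]  # stands in for the root hints file, Cache.dns
SERVERS = {
    "198.51.100.1": [  # root server: delegates "com"
        RR("com", "NS", "a.gtld-servers.net", 172800),
        RR("a.gtld-servers.net", "A", "198.51.100.2", 172800),
    ],
    "198.51.100.2": [  # "com" server: delegates "microsoft.com"
        RR("microsoft.com", "NS", "ns1.microsoft.com", 172800),
        RR("ns1.microsoft.com", "A", "198.51.100.3", 172800),
    ],
    "198.51.100.3": [  # authoritative for microsoft.com
        RR("www.microsoft.com", "A", "203.0.113.80", 3600),
    ],
}


def query_server(ip, qname):
    """Iterative query: answer from local data only, never recurse.
    Returns ("answer", A records), ("referral", NS + glue records for the
    closest delegation), or ("nxdomain", []) when nothing is known."""
    rrs = SERVERS[ip]
    answer = [rr for rr in rrs if rr.name == qname and rr.rtype == "A"]
    if answer:
        return "answer", answer
    delegations = [rr for rr in rrs if rr.rtype == "NS"
                   and (qname == rr.name or qname.endswith("." + rr.name))]
    if delegations:
        targets = {d.data for d in delegations}
        glue = [rr for rr in rrs if rr.rtype == "A" and rr.name in targets]
        return "referral", delegations + glue
    return "nxdomain", []


class IterativeResolver:
    """A client that follows referrals itself and caches every RR it learns."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so TTL expiry can be simulated
        self.cache = {}     # (name, rtype) -> [(RR, expiry time)]

    def cached(self, name, rtype):
        """Live cached RRs for (name, rtype); expired entries are discarded."""
        now = self.clock()
        live = [(rr, exp) for rr, exp in self.cache.get((name, rtype), []) if exp > now]
        self.cache[(name, rtype)] = live
        return [rr for rr, _ in live]

    def store(self, rrs):
        now = self.clock()
        for rr in rrs:
            entries = [e for e in self.cache.get((rr.name, rr.rtype), []) if e[0] != rr]
            self.cache[(rr.name, rr.rtype)] = entries + [(rr, now + rr.ttl)]

    def starting_server(self, qname):
        """Start at the closest delegation still in cache, else at a root hint."""
        labels = qname.split(".")
        for i in range(len(labels)):
            for ns in self.cached(".".join(labels[i:]), "NS"):
                glue = self.cached(ns.data, "A")
                if glue:
                    return glue[0].data
        return ROOT_HINTS[0]

    def resolve(self, qname, max_hops=8):
        """Return (addresses, servers contacted); an empty second list means
        the answer came from cache without sending any query."""
        hit = self.cached(qname, "A")
        if hit:
            return [rr.data for rr in hit], []
        server, contacted = self.starting_server(qname), []
        for _ in range(max_hops):
            contacted.append(server)
            kind, rrs = query_server(server, qname)
            self.store(rrs)
            if kind != "referral":  # authoritative answer, or nothing found
                return [rr.data for rr in rrs], contacted
            # Referral: continue with the first NS whose glue address we now hold.
            ns_name = next(rr.data for rr in rrs if rr.rtype == "NS")
            server = self.cached(ns_name, "A")[0].data
        raise RuntimeError("referral chain too long for " + qname)
```

After the A record's one-hour TTL expires, the resolver still holds the 48-hour delegation records, so the repeat lookup goes straight to the microsoft.com server instead of restarting at the root.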
Notes
• You can install a DNS server as a caching-only server. For more information, see Using caching-only servers.
• By default, DNS servers use a root hints file, Cache.dns, that is stored in the systemroot\System32\Dns folder
on the server computer. The contents of this file are preloaded into server memory when the service is started
and contain pointer information to root servers for the DNS namespace where you are operating DNS servers.
For more information about this file or how it is used, see DNS-related files.
• Host (A) For mapping a DNS domain name to an IP address used by a computer.
• Alias (CNAME) For mapping an alias DNS domain name to another primary or canonical name.
• Mail Exchanger (MX) For mapping a DNS domain name to the name of a computer that exchanges or forwards
mail.
• Pointer (PTR) For mapping a reverse DNS domain name based on the IP address of a computer that points to
the forward DNS domain name of that computer.
• Service location (SRV) For mapping a DNS domain name to a specified list of DNS host computers that offer a
specific type of service, such as Active Directory domain controllers.
• Other resource records as needed.
Host (A) resource records are used in a zone to associate DNS domain names of computers (or hosts) to their IP
addresses, and can be added to a zone in several ways:
• You can manually create an A resource record for a static TCP/IP client computer using the DNS console.
• Windows clients and servers use the DHCP Client service to dynamically register and update their own A
resource records in DNS when an IP configuration change occurs.
• DHCP-enabled client computers running earlier versions of Microsoft operating systems can have their A
resource records registered and updated by proxy if they obtain their IP lease from a qualified DHCP server (only
the Windows 2000 and Windows Server 2003 DHCP Server service currently supports this feature).
The host (A) resource record is not required for all computers, but is needed by computers that share resources
on a network. Any computer that shares resources and needs to be identified by its DNS domain name, needs to
use A resource records to provide DNS name resolution to the IP address for the computer.
Most A RRs that are required in a zone can include other workstations or servers that share resources, other DNS
servers, mail servers, and Web servers. These resource records comprise the majority of resource records in a
zone database.
For more information, see Resource records reference.
When renaming a computer with an existing A RR in the zone, you can use a CNAME RR temporarily, to allow a
grace period for users and programs to switch from specifying the old computer name to using the new one. To
do this, you need the following:
• For the new DNS domain name of the computer, a new A RR is added to the zone.
• For the old DNS domain name, a CNAME RR is added that points to the new A RR.
• The original A RR for the old DNS domain name (and its associated PTR RR if applicable) is removed from the
zone.
When using a CNAME RR for aliasing or renaming a computer, set a temporary limit on how long the record is
used in the zone before removing it from DNS. If you forget to delete the CNAME RR and later its associated A
RR is deleted, the CNAME RR can waste server resources by trying to resolve queries for a name no longer used
on the network.
The most common or popular use of a CNAME RR is to provide a permanent DNS aliased domain name for
generic name resolution of a service-based name, such as www.example.microsoft.com to more than one
computer or one IP address used in a Web server. For example, the following shows the basic syntax of how a
CNAME RR is used.
alias_name IN CNAME primary_canonical_name
In this example, a computer named host-a.example.microsoft.com needs to function as both a Web server
named "www.example.microsoft.com." and an FTP server named "ftp.example.microsoft.com." To achieve the
intended use for naming this computer, you can add and use the following CNAME entries in the
example.microsoft.com zone:
host-a IN A 10.0.0.20
ftp IN CNAME host-a
www IN CNAME host-a
If you later decide to move the FTP server to another computer, separate from the Web server on "host-a",
simply change the CNAME RR in the zone for ftp.example.microsoft.com and add an additional A RR to the zone
for the new computer hosting the FTP server.
Based on the earlier example, if the new computer were named "host-b.example.microsoft.com", the new and
revised A and CNAME RRs would be as follows:
host-a IN A 10.0.0.20
host-b IN A 10.0.0.21
ftp IN CNAME host-b
www IN CNAME host-a
The MX RR shows the DNS domain name for the computer or computers that process mail for a domain. If
multiple MX RRs exist, the DNS Client service attempts to contact mail servers in the order of preference from
lowest value (highest priority) to highest value (lowest priority). The following shows the basic syntax for use of
an MX RR.
By using the MX RRs shown below in the example.microsoft.com zone, mail addressed to
user@example.microsoft.com is delivered to user@mailserver0.example.microsoft.com first if possible. If this
server is unavailable, the resolver client can then use user@mailserver1.example.microsoft.com instead.
@ IN MX 1 mailserver0
@ IN MX 2 mailserver1
Note that the use of the at sign (@) in the records indicates that the mailer DNS domain name is the same as the
name of origin (example.microsoft.com) for the zone.
For more information, see Resource records reference.
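The zone records above, checked the way an administrator would want to: an added Python example (not from the original document) that parses the A, CNAME and MX lines, follows CNAME chains, orders MX hosts by preference, applies the three-step rename and flags a stale alias whose target A record is gone. The mail-server addresses and the "oldftp" alias are constructed additions.

```python
ORIGIN = "example.microsoft.com"

# Constructed zone text based on the records shown in the text, plus A records
# for the two mail servers (assumed addresses) and one deliberately dangling
# alias, "oldftp", whose target A record has already been deleted.
ZONE_TEXT = """
host-a      IN A     10.0.0.20
host-b      IN A     10.0.0.21
ftp         IN CNAME host-b
www         IN CNAME host-a
oldftp      IN CNAME host-z
@           IN MX    1 mailserver0
@           IN MX    2 mailserver1
mailserver0 IN A     10.0.0.25
mailserver1 IN A     10.0.0.26
"""


def qualify(name, origin=ORIGIN):
    """Make a zone-relative owner or target name fully qualified."""
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Parse 'owner IN TYPE rdata' lines into dicts; A, CNAME and MX only."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, rclass, rtype, *rdata = line.split()
        if rclass != "IN":
            raise ValueError("unsupported class: " + line)
        rec = {"name": qualify(owner, origin), "type": rtype}
        if rtype == "A":
            rec["data"] = rdata[0]
        elif rtype == "CNAME":
            rec["data"] = qualify(rdata[0], origin)
        elif rtype == "MX":
            rec["pref"], rec["data"] = int(rdata[0]), qualify(rdata[1], origin)
        else:
            raise ValueError("unsupported type: " + line)
        records.append(rec)
    return records


def lookup(records, name, rtype):
    return [r for r in records if r["name"] == name and r["type"] == rtype]


def resolve_a(records, name, max_chain=8):
    """Follow CNAMEs to the canonical name; return (canonical name, addresses).
    An empty address list means the chain ended at a name with no A record,
    which is the stale-alias case the text warns about."""
    seen = []
    for _ in range(max_chain):
        addrs = [r["data"] for r in lookup(records, name, "A")]
        if addrs:
            return name, addrs
        cnames = lookup(records, name, "CNAME")
        if not cnames:
            return name, []
        seen.append(name)
        name = cnames[0]["data"]
        if name in seen:
            raise ValueError("CNAME loop through " + name)
    raise ValueError("CNAME chain longer than %d" % max_chain)


def dangling_cnames(records):
    """Aliases whose target no longer resolves to any address."""
    return sorted(r["name"] for r in records
                  if r["type"] == "CNAME" and not resolve_a(records, r["data"])[1])


def mail_servers(records, domain):
    """MX hosts in delivery order: lowest preference value (highest priority) first."""
    mxs = sorted(lookup(records, domain, "MX"), key=lambda r: r["pref"])
    return [(r["pref"], r["data"], resolve_a(records, r["data"])[1]) for r in mxs]


def rename_host(records, old, new, new_ip):
    """The three-step rename from the text: add the new A record, alias the old
    name to the new one, and remove the old A record. Returns a new list."""
    old, new = qualify(old), qualify(new)
    kept = [r for r in records if not (r["name"] == old and r["type"] == "A")]
    kept.append({"name": new, "type": "A", "data": new_ip})
    kept.append({"name": old, "type": "CNAME", "data": new})
    return kept
```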
The pointer (PTR) resource record is used only in reverse lookup zones to support reverse lookup. For more
information, see Resource records reference.
By default, the Active Directory installation wizard attempts to locate a DNS server based on the list of preferred
or alternate DNS servers, configured in any of its TCP/IP client properties, for any of its active network
connections. If a DNS server that can accept dynamic update of the SRV RR (and other RRs related to registering
Active Directory as a service in DNS) is contacted, the configuration process is complete.
If, during the installation, a DNS server that can accept updates for the DNS domain name used to name your
Active Directory is not found, the wizard can install a DNS server locally and automatically configure it with a
zone to support the Active Directory domain.
For example, if the Active Directory domain that you chose for your first domain in the forest was
example.microsoft.com, a zone rooted at the DNS domain name of example.microsoft.com would be added and
configured to use with the DNS server running on the new domain controller.
Whether or not you install the DNS Server service locally, a file (Netlogon.dns) is written and created during the
Active Directory installation process that contains the SRV RRs and other RRs needed to support the use of Active
Directory. This file is created in the systemroot\System32\Config folder.
If you are using a DNS server that fits one of the following descriptions, you should use the records in
Netlogon.dns to manually configure the primary zone on that server to support Active Directory.
1. The computer operating your DNS server is running on another platform, such as UNIX, and cannot accept or
recognize dynamic updates.
2. A DNS server at this computer that is not the DNS Server service provided with the Windows Server 2003
family is authoritative for the primary zone corresponding to the DNS domain name for your Active Directory
domain.
3. The DNS server supports the SRV RR, as defined in the Internet draft, "A DNS RR specifying the location of
services (DNS SRV)", but does not support dynamic updates.
For example, the DNS Server service provided with Windows NT Server 4.0, when updated to Service Pack 4 or
later, fits this description.
In the future, the SRV RR might also be used to register and look up other well-known TCP/IP services on your
network if applications implement and support DNS name queries that specify this record type. For more
information, see Resource records reference.
Software RAID
Software implementations are now provided by many operating systems. A software layer sits above the
(generally block based) disk device drivers and provides an abstraction layer between the logical drives (RAID
arrays) and physical drives. Software RAID is typically limited to RAID 0 (striping across multiple drives for
increased space and performance), RAID 1 (mirroring two drives) and RAID 5 (data striping with parity).
In a multi-threaded operating system (such as Linux, FreeBSD, Mac OS X, Windows NT/2000/XP/Vista and Novell
NetWare) the operating system can perform overlapped I/O, allowing multiple read or write requests to be
initiated without waiting for completion on each request. This is the capability that makes RAID 0/1 possible in an
operating system. However, most operating systems do not support RAID 0/1 striping or mirroring with parity,
due to the substantial processing demands of calculating parity.
Since the software must run on a host server attached to storage, the processor (as mentioned above) on that
host must dedicate processing time to run the RAID software. Like hardware-based RAID, if the server
experiences a hardware failure, the attached storage could be inaccessible for a period of time.
Software implementations can allow RAID arrays to be created from partitions rather than entire physical drives.
Hardware RAID
A hardware implementation of RAID requires at a minimum a special-purpose RAID controller. On a desktop
system, this may be a PCI expansion card, or might be a capability built in to the motherboard. In industrial
applications the controller and drives are provided as a stand alone enclosure. The drives may be IDE/ATA,
SATA, SCSI, SSA, Fibre Channel, or any combination thereof. The using system can be directly attached to the
controller or, more commonly, connected via a SAN. The controller hardware handles the management of the
drives, and performs any parity calculations required by the chosen RAID level.
Most hardware implementations provide a read/write cache which, depending on the I/O workload, will improve
performance. Cached RAID controllers are most commonly used in industrial applications. Sometimes write cache
is non-volatile, so pending writes are not lost on power failure.
Hardware implementations provide guaranteed performance, add no overhead to the local CPU complex and can
support many operating systems, as the controller simply presents a logical disk to the operating system.
Hardware implementations also typically support hot swapping, allowing failed drives to be replaced while the
system is running.
Hybrid RAID
Hybrid RAID implementations have become very popular with the introduction of inexpensive RAID controllers,
implemented using a standard disk controller and then implementing the RAID in the controller's BIOS extension
(for early boot-up/real mode operation) and the operating system driver (for after the system switches to
protected mode). Because these controllers actually do all RAID calculations in the BIOS extension and driver
rather than in dedicated hardware, their array formats are typically proprietary to a given RAID controller
manufacturer and typically cannot span multiple controllers. The only advantages over software RAID are that
the BIOS can boot from them, and the tighter integration with the device driver may offer better error handling.
Both hardware and software implementations may support the use of hot spare drives, a pre-installed drive
which is used to immediately (and almost always automatically) replace a drive that has failed. This reduces the
mean time to repair period during which a second drive failure in the same RAID redundancy group can result in
loss of data. It also prevents data loss when multiple drives fail in a short period of time, as is common when all
drives in an array have undergone very similar use patterns, and experience wear-out failures.
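Added example (not from the original text): a small Python model of RAID 5 striping with rotating XOR parity, showing the parity computation the text says burdens the host CPU, the rebuild of one failed drive, and why a second failure before the rebuild completes is unrecoverable. The block size and drive count are constructed for readability.

```python
BLOCK = 4  # bytes per block, tiny so the stripes are easy to inspect


def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks: this is the parity computation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripes(data, ndrives):
    """Stripe data over ndrives drives. Every stripe carries ndrives-1 data
    blocks and one parity block; the parity position rotates per stripe, as
    RAID 5 does, so no single drive becomes the parity bottleneck."""
    if ndrives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = ndrives - 1
    padded = data + bytes(-len(data) % (BLOCK * per_stripe))  # fill last stripe
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    drives = [[] for _ in range(ndrives)]
    for s, start in enumerate(range(0, len(blocks), per_stripe)):
        chunk = blocks[start:start + per_stripe]
        parity_pos = s % ndrives
        data_iter = iter(chunk)
        for d in range(ndrives):
            drives[d].append(xor_blocks(chunk) if d == parity_pos else next(data_iter))
    return drives


def read_back(drives, length):
    """Reassemble the original bytes, skipping each stripe's parity block."""
    ndrives = len(drives)
    out = b"".join(drives[d][s] for s in range(len(drives[0]))
                   for d in range(ndrives) if d != s % ndrives)
    return out[:length]


def rebuild(drives, failed):
    """Reconstruct the blocks of the drive whose index is in `failed`.
    Recovery works only while one drive per stripe is missing: the XOR of the
    remaining ndrives-1 blocks equals the lost one, whether it held data or
    parity. A second failure before the rebuild finishes is unrecoverable,
    which is the window a hot spare is meant to shorten."""
    if len(failed) != 1:
        raise ValueError("cannot rebuild: %d drives lost at once" % len(failed))
    survivors = [drv for i, drv in enumerate(drives) if i not in failed]
    return [xor_blocks([drv[s] for drv in survivors]) for s in range(len(survivors[0]))]
```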
Q. Explain how VirtualCenter can manage an inventory of ESX Server, GSX Server and Workstation hosts.
Ans.
VMware GSX Server – an older product that is no longer used. A host operating system must be installed first,
and GSX Server is then installed on it as an application.
VMware ESX Server – the product currently used; it installs directly on the hardware as the operating system, so
no host OS is required for the installation.
Q. What Is DFS?
Ans. DFS provides the ability to create a single logical directory tree from different areas of data. The data
included in a DFS tree can be in any location accessible from the computer acting as the DFS root. In other
words, the data can be on the same partition, disk, or server, or on a completely different server. As far as DFS
is concerned, it makes no difference. A DFS tree appears as one contiguous directory structure, regardless of the
logical or physical location of the data.
After the DFS root is created, links to directories can be added or removed to construct the single logical
directory structure. The DFS tree can be navigated using standard file utilities such as Windows Explorer. Unless
users are made aware of the fact that the data is being accessed from different locations, they will not realize
that they are using a DFS system at all.
DFS trees can be used with both FAT and NTFS partitions. If you do use NTFS, the inclusion of a file or directory
in a DFS structure has no effect on security permissions.
Stand-alone DFS--Refers to a DFS tree that is hosted on a single physical server, and is accessed by connecting
to a DFS share point on that server. DFS configuration information is stored in the server's Registry. Stand-alone
DFS provides no fault tolerance. If the server hosting the DFS root should go down, users will no longer be able
to access their data unless they explicitly know where the data is stored.
Domain DFS--Provides more functionality, including features such as replication and load-balancing capabilities.
Domain DFS information is stored in Active Directory. A domain member server must act as the host for the DFS
tree. By storing the domain DFS configuration in Active Directory, the server-centric nature of stand-alone DFS is
removed, enabling the administrator to create DFS root replicas. If a server were to go down, users would be
redirected to a DFS root replica and could continue to access the DFS tree.
Brocade StorageX makes it easy to create and manage Global Namespaces of any size. A Brocade StorageX
Global Namespace provides an ideal platform on which to build business-critical storage management solutions,
including file sharing, disaster recovery, data migration, server consolidation, load-balancing, storage
optimization, and data lifecycle management.
Unlike the transformation in the directory service architecture that took place between Windows NT and Windows
2000, the changes you see between Windows 2000 and Windows Server 2003 are much more incremental in
nature. Windows Server 2003 is grounded in the same Active Directory structure in Windows 2000 where each
domain controller holds a read-write copy of the AD database, relying on multi-master replication to keep
everything up-to-date.
In the Windows Server 2003 Active Directory Users & Computers MMC snap-in, you can now move an object
from one location in the directory tree to another by using the familiar drag-and-drop method, rather than being
forced to right-click the object and select "Move", as was the case in Windows 2000. You can also now select
multiple objects simultaneously for editing or deletion, and save commonly-used queries within the ADUC
console window. Although really, if you're going to be working with more than one object at a time, I would
recommend that you get out of the MMC console anyway and use command-line tools or scripts to take away
some of your administrative burdens.
Windows Server 2003 includes a number of built-in command-line tools that were not available in Windows 2000,
including:
Another new feature is the "Install from Media" option for promoting new domain controllers into a domain. In
Windows 2000, if you needed to install a domain controller at a remote location, you had one of two options:
1. Travel to the remote site to run dcpromo and allow the entire AD database to replicate across a slow (and
often expensive) WAN link, or
2. Configure the database at your corporate headquarters, and then ship the DC to the remote site; this is often
an expensive process and one that runs the risk of damaging expensive computer hardware in transit.
Enter the "Install From Media" feature. In Windows Server 2003 you can initially populate the Active Directory
database using a System State backup from an existing DC, saving you both WAN traffic and shipping costs. For
those of us who run extremely decentralized environments, this is one of those "Where has this been all my life?"
kinds of features.
Another significant change, particularly for larger environments, is a replication enhancement called linked-value
replication for objects such as Active Directory group objects. In Windows 2000, a group's membership list was
replicated as one single block of information. This led to a number of potential problems, such as the following:
Inconsistent replication. Consider this: you have a group called DOMAIN\Finance. From Domain Controller A,
you add the jsmith user to the Finance group. What happens if, at precisely the same nanosecond, your junior
admin removed the bthomas user from the Finance group while connected to Domain Controller B? Without
linked-value replication, this would create a replication conflict, which would either lead to jsmith being added to
the group and bthomas not being removed, or vice versa.
Replication delays. In Windows 2000, Microsoft published a size limitation where you could not place more
than 5,000 members in a single group object; more than this created significant replication delays since the
membership list was replicated as a single block.
Linked-value replication solves these problems by replicating these multi-valued attributes separately. In our first
example above, the addition of jsmith and the removal of bthomas would be replicated as two separate
transactions, allowing both updates to be applied without causing a replication conflict. In our second example,
only the individual changes to the group membership will be replicated, greatly streamlining the replication
process and removing the 5000-member limitation on Active Directory groups.
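The two replication models compared, as an added Python example (not from the original article): both replicas start with the same Finance membership, DC A adds jsmith while DC B removes bthomas, and the replicas are then reconciled. The version/DC-name stamp used for conflict resolution is a simplification of AD's replication metadata, assumed for illustration.

```python
from dataclasses import dataclass, field

# Constructed scenario from the text: DC A adds jsmith to DOMAIN\Finance while
# DC B removes bthomas at the same moment. The (version, originating DC) stamp
# is an assumed simplification of the real replication metadata.


@dataclass
class BlockReplicatedGroup:
    """Windows 2000 behaviour: the member list is one multi-valued attribute
    replicated as a single block with one stamp for the whole list."""
    members: frozenset
    stamp: tuple = (1, "A")  # (version, originating DC)

    def change(self, dc, add=(), remove=()):
        self.members = (self.members | frozenset(add)) - frozenset(remove)
        self.stamp = (self.stamp[0] + 1, dc)

    def replicate_from(self, other):
        # Attribute-level conflict: the higher stamp wins and the other
        # DC's whole list, including its change, is discarded.
        if other.stamp > self.stamp:
            self.members, self.stamp = other.members, other.stamp


@dataclass
class LinkedValueGroup:
    """Windows Server 2003 behaviour (linked-value replication): every member
    link carries its own stamp, so independent adds and removes merge."""
    links: dict = field(default_factory=dict)  # member -> (version, present)

    @property
    def members(self):
        return frozenset(m for m, (_, present) in self.links.items() if present)

    def change(self, dc, add=(), remove=()):
        for m, present in [(m, True) for m in add] + [(m, False) for m in remove]:
            version = self.links.get(m, (0, False))[0]
            self.links[m] = (version + 1, present)

    def replicate_from(self, other):
        for m, (version, present) in other.links.items():
            if version > self.links.get(m, (0, False))[0]:
                self.links[m] = (version, present)


def simulate(kind):
    """Apply the concurrent changes on two DCs, replicate both ways and return
    the membership each DC ends up with."""
    initial = frozenset({"alice", "bthomas"})
    if kind == "block":
        dc_a, dc_b = BlockReplicatedGroup(initial), BlockReplicatedGroup(initial)
    else:
        dc_a = LinkedValueGroup({m: (1, True) for m in initial})
        dc_b = LinkedValueGroup({m: (1, True) for m in initial})
    dc_a.change("A", add=["jsmith"])      # on Domain Controller A
    dc_b.change("B", remove=["bthomas"])  # at the same time, on Domain Controller B
    dc_a.replicate_from(dc_b)
    dc_b.replicate_from(dc_a)
    return dc_a.members, dc_b.members
```

With block replication both DCs converge, but on one version of the list: the jsmith addition is silently lost. With linked-value replication both changes survive on both DCs.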
Tombstone lifetime:
60 days with Windows 2000
180 days with Windows Server 2003 SP1
Group Policy:
In Windows 2000 you can configure up to 620 GPOs.
In Windows Server 2003 you can configure up to 720 GPOs.
A GPO, once removed, cannot be restored in Windows 2000, but in Windows Server 2003 it can be restored.
Q. If one object is deleted from Active directory can it be restored immediately? If yes how and if no
can we create another object with the same attributes?
Ans. When an object is deleted from Active Directory, it is not immediately erased, but is marked for future
deletion. The marker used to designate an AD object scheduled to be destroyed is called, appropriately enough, a
"tombstone." Tombstoned objects are deleted whenever the Active Directory database is defragmented online
or offline, which generally happens twice a day (once around noon, and once around midnight).
Normally, doing a manual undelete of a tombstoned object is a bit of a hassle; it often involves performing an
authoritative restore from backup, which is not a trivial operation. Thankfully, Mark Russinovich at Sysinternals
has created a little command-line freeware application called AdRestore 1.1. AdRestore enumerates all of the
currently tombstoned objects in a domain and allows you to restore them selectively.
To add a little selectivity to the restore operation, you can run AdRestore with a parameter to narrow down the
search. For instance:
adrestore -r Serdar
would search for all objects with "Serdar" as part of their names. The -r switch forces the program to prompt the
user for each restoration; otherwise, all the objects found matching the criteria will be automatically restored.
The default (no criteria supplied) is that all tombstoned objects will be enumerated and restored.
Note that deleted items may no longer be members of specific organizational units or OUs. Restoring these
objects from deleted status will not automatically restore them to their respective OUs; this will need to be done
manually.
Q. What else changed in Windows Server 2003 SP1 with regard to tombstones, backups, etc.?
Ans.
Changes to the default tombstone lifetime
Several changes in Service Pack 1 have to do with the way Active Directory handles "tombstoned" objects. Just
like in Windows 2000, when you delete an AD object, it is not immediately deleted; instead, it's marked as a
tombstoned object. This allows the deletion to be replicated properly to other domain controllers. Once an object
has been in this tombstoned state for a certain amount of time, it is finally deleted outright.
In Windows 2000, the default tombstone lifetime was 60 days. However, in Windows Server 2003, Microsoft
changed it to 180 days, effectively tripling the amount of time that a deletion had to be communicated to all of
the domain controllers in your environment.
There are two crucial caveats to keep in mind concerning this tombstone lifetime value:
If you have already installed Active Directory using either Windows 2000 or the original Windows Server 2003
media, the default tombstone lifetime will not automatically change when you upgrade to Windows Server 2003
SP1. You will only receive the 180-day tombstone lifetime value automatically by building a pristine 2003 SP1
Active Directory forest.
Several months ago, Microsoft Active Directory MVP Joe Richards discovered that the version of Dcpromo that
comes with Windows Server 2003 R2 will revert this value back to its original setting of 60 days. Therefore, if you
build a brand-new Active Directory forest using Windows Server 2003 R2 media, you will still receive the original
60-day default tombstone lifetime.
In addition to modifying the tombstone lifetime for new Active Directory installations, 2003 Service Pack 1 added
the SID History attribute to the list of attributes that are retained when an object is tombstoned. When an Active
Directory object is tombstoned, it is stripped of most of its attributes, so the tombstoned object only takes up a
fraction of the size of the original object within the Active Directory database. Each user, group and computer
object within Active Directory is assigned a numeric security identifier, or SID. SIDs are unique within the domain
and do not change, even if the security principal is renamed or moved to another container within the same
domain.
Note: The SID is not retained if an object is deleted and re-created with the same display name; the re-created
object would be a brand new object with a completely different SID.
All access control lists (ACLs) on files, folders or AD objects use the SID to determine whether a particular user or
computer should be granted or denied access.
The notion of SIDs can become problematic, though, when you begin migrating from Windows NT domains into
new Active Directory environments. If you migrate a user object from a legacy NT domain into a new Active
Directory domain, a new SID will be created for the migrated user that corresponds to the new domain. If this
migrated user still requires access to resources in the old NT domain, however, an issue will crop up in which the
new Active Directory SID would not match the old NT4 SID.
To prevent this from happening, Windows 2000 introduced a feature called SID History, which allows migrated
user objects to retain records of any old SIDs they once possessed. This allows a migrated user to continue to
access a resource that used his old SID in its Access Control List. If the user attempted to access the resource
with his current SID and was denied, Windows would check the SID History attribute to see if any previous SIDs
would fit the bill and allow access.
Prior to Windows Server 2003 SP1, one of the attributes that was stripped when an object was tombstoned was
this SID History attribute, which meant that if you restored an object, any previous SIDs that were recorded in its
SID History were lost. Fortunately, Windows Server 2003 SP1 includes SID History among the attributes retained
when an object is deleted.
Service Pack 1 also made changes in the types of Active Directory information that are logged in the Event
Viewer on a domain controller, thus allowing for more proactive monitoring and easier troubleshooting.
One such update is Event ID 2089, which is recorded in the Directory Service event log if any directory partition
has not been backed up for a significant length of time (half of the tombstone lifetime or more). The event is
logged whether the partition is the Schema, Configuration, or domain partitions -- or any application partitions or
ADAM partitions that are hosted on the DC in question.
Service Pack 1 also created an event in the Directory Services log if it attempts to perform an action that requires
a particular Flexible Single Master Operation (FSMO), and that FSMO can't be contacted. For example, if an
administrator attempts to add a new domain to Active Directory, but the DC cannot locate or contact the Domain
Naming Master, an event would be logged in the Directory Services log if any of the FSMO role holders:
A) don't exist
B) can't be contacted, or
C) have not replicated recently with the DC in question.
Ever since SP1, administrators can run domain controllers using virtualization technology such as Microsoft
Virtual Server 2005. That allows you to run multiple domains or forests on a single machine or to use
virtualization to reduce the attack footprint of a physical server by separating its roles onto multiple virtual
machines.
Running DCs in a virtual environment is not without its own considerations, however, and you should consult the
Microsoft white paper Running Domain Controllers in Virtual Server 2005 before deploying this configuration in a
production environment, as well as this article by Gary Olsen: Is domain controller virtualization really a good
idea?
Backups, restores and disaster recovery measures for AD domain controllers also improved with Service Pack 1
by the inclusion of the following features:
• The Install From Media feature allows you to populate application directory partitions when installing a DC
from backup media. This saves you from needing to replicate the whole of the DomainDNSZones and
ForestDNSZones partitions across a slow or expensive WAN link.
• The authoritative restore process provides a much cleaner option for restoring group memberships of
authoritatively restored users, groups and computer objects by generating an LDIF file that contains any back-
link references for restored objects.
• The Ntdsutil utility has a greatly simplified syntax to remove extinct server metadata from the AD database.
Extinct server metadata is created when a domain controller suffers an irretrievable hardware failure or is
otherwise removed from the directory without using the Dcpromo tool. The metadata must be removed manually
from the directory. Microsoft provides the simplified syntax in KB 216498.
Q. What is Distributed File System (DFS)?
Ans.
Distributed File System (DFS) allows administrators to group shared folders located on different servers and
present them to users as a virtual tree of folders known as a namespace. A namespace provides numerous
benefits, including increased availability of data, load sharing, and simplified data migration.
Q. What are the DFS size limits and recommendations for Windows Server 2003?
Ans.
The following table describes the DFS size limits and recommendations for Windows Server 2003
Q. How do I back up and restore a DFS namespace or move a DFS namespace from one server to
another?
Ans.
Two command-line tools:
Dfscmd.exe
The Dfscmd.exe command-line tool is available in Windows Server 2003. Use Dfscmd.exe for basic DFS tasks,
such as creating links, adding and removing link targets, and viewing the namespace. For more information
about Dfscmd.exe, in Help and Support Center for Windows Server 2003 click Tools, and then click Command-
line reference A-Z.
Dfsutil.exe
The Dfsutil.exe command-line tool is a Windows Support Tool. You can install Dfsutil.exe from the \Support\Tools
folder on the Windows Server 2003 operating system CD. Dfsutil.exe provides extensive features for configuring
and managing DFS, including those that are not available in the Distributed File System snap-in, such as root
scalability mode and least expensive target selection (site-costing).
You can use Dfsutil.exe to export the namespace from the source server, and then optionally restore the
namespace to a destination server.
In the following example, an administrator wants to migrate the following namespaces on different servers to a
single server running Windows Server 2003 Enterprise Edition:
First, the administrator creates the following stand-alone DFS roots on the server running Windows Server 2003
Enterprise Edition:
• \\2003SVR\Marketing
• \\2003SVR\Public
Next, the administrator installs Windows Support Tools from the Windows Server 2003 operating system CD, and
then uses the Dfsutil.exe tool to run the following commands:
• Dfsutil /Root:\\NT4SVR\Marketing /export:Nt4.txt
• Dfsutil /Root:\\W2KSVR\Public /export:w2k.txt
Finally, the administrator runs the following commands to import the namespaces onto the server running
Windows Server 2003 Enterprise Edition:
• Dfsutil /Root:\\2003SVR\Marketing /import:Nt4.txt /set
• Dfsutil /Root:\\2003SVR\Public /import:w2k.txt /set
Q.