
System Administrator – Active Directory


Q. What is Active Directory?

Active Directory is the directory service used by Windows 2000. A directory service is a centralized, hierarchical database that contains information about users and resources on a network. In Windows 2000, this database is called the Active Directory data store. The Active Directory data store contains information about various types of network objects, including printers, shared folders, user accounts, groups, and computers. In a Windows 2000 domain, a read/write copy of the Active Directory data store is physically located on each domain controller in the domain.

Three primary purposes of Active Directory are:

  • To provide user logon and authentication services
  • To enable administrators to organize and manage user accounts, groups, and network resources
  • To enable authorized users to easily locate network resources, regardless of where they are located on the network

A directory service consists of two parts—a centralized, hierarchical database that contains information about users and resources on a network, and a service that manages the database and enables users of computers on the network to access the database. In Windows 2008, the database is called the Active Directory data store, or sometimes just the directory. The Active Directory data store contains information about various types of network objects, including printers, shared folders, user accounts, groups, and computers. Windows 2000 Server computers that have a copy of the Active Directory data store, and that run Active Directory, are called domain controllers. In a Windows 2008 domain, a read/write copy of the Active Directory data store is physically located on each domain controller in the domain.

Q. What are the physical components of Active Directory?

Logical Components of Active Directory

In creating the hierarchical database structure of Active Directory, Microsoft facilitated locating resources such as folders and printers by name rather than by physical location. These logical building blocks include domains, trees, forests, and OUs. The physical location of objects within Active Directory is represented by including all objects in a given location in its own site. Because a domain is the basic unit on which Active Directory is built, the domain is introduced first, followed by trees and forests (in which domains are located), and then OUs, which are containers located within a domain.


A domain is a logical grouping of networked computers in which one or more of the computers has one or more shared resources, such as a shared folder or a shared printer, and in which all of the computers share a common central domain directory database that contains user account security information. One distinct advantage of using a domain, particularly on a large network, is that administration of user account security for the entire network can be managed from a centralized location. In a domain, a user has only one user account, which is stored in the domain directory database. This user account enables the user to access shared resources (that the user has permissions to access) located on any computer in the domain.

Active Directory domains can hold millions of objects, as opposed to the Windows NT domain structure, which was limited to approximately 40,000 objects. As in previous versions of Active Directory, the Active Directory database file (ntds.dit) defines the domain. Each domain has its own ntds.dit file, which is stored on (and replicated among) all domain controllers by a process called multimaster replication. The domain controllers manage the configuration of domain security and store the directory services database. This arrangement permits central administration of domain account privileges, security, and network resources. Networked devices and users belonging to a domain validate with a domain controller at startup. All computers that refer to a specific set of domain controllers make up the domain. In addition, group accounts such as global groups and domain local groups are defined on a domain-wide basis.


A tree is a group of domains that shares a contiguous namespace. In other words, a tree consists of a parent domain plus one or more sets of child domains whose names reflect that of the parent. For example, a parent domain named can include child domains with names such as , , and . Furthermore, the tree structure can contain grandchild domains such as or , and so on, as shown in Figure 1-2. A domain called would not belong to the same tree. Following the inverted tree concept originated by X.500, the tree is structured with the parent domain at the top and child domains beneath it. All domains in a tree are linked with two-way, transitive trust relationships; in other words, accounts in any one domain can access resources in another domain and vice versa.



A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:

  • All domains in a forest share a common schema.
  • All domains in a forest share a common global catalog.
  • All domains in a forest are linked by implicit two-way transitive trusts.

Trees in a forest have different naming structures, according to their domains. Domains in a forest operate independently, but the forest enables communication across the entire organization.


Organizational Unit:

An organizational unit (OU) is a container used to organize objects within one domain into logical administrative groups. An OU can contain objects such as user accounts, groups, computers, printers, applications, shared folders, and other OUs from the same domain. OUs are represented by a folder icon with a book inside. The Domain Controllers OU is created by default when Active Directory is installed to hold new Microsoft Windows Server 2003 domain controllers. OUs can be added to other OUs to form a hierarchical structure; this process is known as nesting OUs. Each domain has its own OU structure—the OU structure within a domain is independent of the OU structures of other domains.

There are three reasons for defining an OU:

  • To delegate administration – In the Windows Server 2003 operating system, you can delegate administration for the contents of an OU (all users, computers, or resource objects in the OU) by granting administrators specific permissions for an OU on the OU’s access control list.
  • To administer Group Policy
  • To hide objects

Physical Components of Active Directory

There are two physical components of Active Directory:

  • Domain Controllers
  • Sites

Domain Controllers

Any server on which you have installed Active Directory is a domain controller. These servers authenticate all users logging on to the domain in which they are located, and they also serve as centers from which you can administer Active Directory in Windows Server 2008. A domain controller stores a complete copy of all objects contained within the domain, plus the schema and configuration information relevant to the forest in which the domain is located. Unlike Windows NT, there are no primary or backup domain controllers. Similar to Windows 2000 and Windows Server 2003, all domain controllers hold a master, editable copy of the Active Directory database.

Every domain must have at least one DC. A domain may have more than one DC; having more than one DC provides the following benefits:

  • Fault tolerance: If one domain controller goes down, another one is available to authenticate logon requests and locate resources through the directory.
  • Load balancing: All domain controllers within a site participate equally in domain activities, thus spreading out the load over several servers. This configuration optimizes the speed at which requests are serviced.


Sites

By contrast to the logical grouping of Active Directory into forests, trees, domains, and OUs, Microsoft includes the concept of sites to group together resources within a forest according to their physical location and/or subnet. A site is a set of one or more IP subnets, which are connected by a high-speed, always available local area network (LAN) link. Figure 1-5 shows an example with two sites, one located in Chicago and the other in New York. A site can contain objects from more than one tree or domain within a single forest, and individual trees and domains can encompass more than one site. The use of sites enables you to control the replication of data within the Active Directory database as well as to apply policies to all users and computers or delegate administrative control to these objects within a single physical location. In addition, sites enable users to be authenticated by domain controllers in the same physical location rather than a distant location as often as possible. You should configure a single site for all work locations connected within a high-speed, always available LAN link and designate additional sites for locations separated from each other by a slower wide area network (WAN) link. Using sites permits you to configure Active Directory replication to take advantage of the high-speed connection. It also enables users to connect to a domain controller using a reliable, high-speed connection.


Q. What are the components of Active Directory?


An object is any specific item that can be cataloged in Active Directory. Examples of objects include users, computers, printers, folders, and files. These items are classified by a distinct set of characteristics, known as attributes. For example, a user can be characterized by the username, full name, telephone number, email address, and so on. Note that, in general, objects in the same container have the same types of attributes but are characterized by different values of these attributes. The Active Directory schema defines the extent of attributes that can be specified for any object.


The Active Directory service, in turn, classifies objects into classes. These classes are logical groupings of similar objects, such as users. Each class is a series of attributes that define the characteristics of the object.


The schema is a set of rules that define the classes of objects and their attributes that can be created in Active Directory. It defines what attributes can be held by objects of various types, which of the various classes can exist, and what object class can be a parent of the current object class. For example, the User class can contain user account objects and possess attributes such as password, group membership, home folder, and so on.

When you first install Active Directory on a server, a default schema is created, containing definitions of commonly used objects and properties such as users, computers, and groups. This default schema also contains definitions of objects and properties needed for the functioning of Active Directory.

Global catalog

A global catalog server is a domain controller that has an additional duty—it maintains a global catalog. A global catalog is a master, searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest.

A global catalog server performs two important functions:

  • Provides group membership information during logon and authentication
  • Helps users locate resources in Active Directory




Q. What are the protocols used by AD?

Because Active Directory is based on standard directory access protocols, such as Lightweight Directory Access Protocol (LDAP) version 3, and the Name Service Provider Interface (NSPI), it can interoperate with other directory services employing these protocols.

LDAP is the directory access protocol used to query and retrieve information from Active Directory. Because it is an industry-standard directory service protocol, programs can be developed using LDAP to share Active Directory information with other directory services that also support LDAP.

The NSPI protocol, which is used by Microsoft Exchange 4.0 and 5.x clients, is supported by Active Directory to provide compatibility with the Exchange directory.

Q. What are the minimum requirements to install Win 2008 AD?

  1. An NTFS partition with enough free space
  2. An Administrator’s username and password
  3. The correct operating system version
  4. A NIC
  5. Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)
  6. A network connection (to a hub or to another computer via a crossover cable)
  7. An operational DNS server (which can be installed on the DC itself)
  8. A Domain name that you want to use

Q. How do you verify whether the AD installation is proper?

  1. Default containers: These are created automatically when the first domain is created. Open Active Directory Users and Computers, and then verify that the following containers are present: Computers, Users, and ForeignSecurityPrincipals.
  2. Default domain controllers organizational unit: Open Active Directory Users and Computers, and then verify this organizational unit.
  3. Default-First-Site-Name
  4. Active Directory database: The Active Directory database is your Ntds.dit file. Verify its existence in the %Systemroot%\Ntds folder.
  5. Global catalog server: The first domain controller becomes a global catalog server, by default. To verify this item:
     a. Click Start, point to Programs, click Administrative Tools, and then click Active Directory Sites and Services.
     b. Double-click Sites to expand it, expand Servers, and then select your domain controller.
     c. Double-click the domain controller to expand the server contents.
     d. Below the server, an NTDS Settings object is displayed. Right-click the object, and then click Properties.
     e. On the General tab, you can observe a global catalog check box, which should be selected, by default.

Root domain: The forest root is created when the first domain controller is installed. Verify your computer network identification in My Computer. The Domain Name System (DNS) suffix of your computer should match the domain name that the domain controller belongs to. Also, ensure that your computer registers the proper computer role. To verify this role, use the net accounts command. The computer role should say “primary” or “backup” depending on whether it is the first domain controller in the domain.

Shared system volume: A Windows 2000 domain controller should have a shared system volume located in the %Systemroot%\Sysvol\Sysvol folder. To verify this item, use the net share command. The Active Directory also creates two standard policies during the installation process: The Default Domain policy and the Default Domain Controllers policy (located in the %Systemroot%\Sysvol\Domain\Policies folder). These policies are displayed as the following globally unique identifiers (GUIDs):

{31B2F340-016D-11D2-945F-00C04FB984F9} representing the Default Domain policy
{6AC1786C-016F-11D2-945F-00C04fB984F9} representing the Default Domain Controllers policy

SRV resource records: You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. Microsoft recommends that you use Microsoft DNS server, which is supplied with Windows 2000 Server as your DNS server. However, Microsoft DNS server is not required. The DNS server that you use must support the Service Resource Record (SRV RR) Requests for Comments (RFC) 2052, and the dynamic update protocol (RFC 2136). Use the DNS Manager Microsoft Management Console (MMC) snap-in to verify that the appropriate zones and resource records are created for each DNS zone. Active Directory creates its SRV RRs in the following folders:

  • _Msdcs/Dc/_Sites/Default-first-site-name/_Tcp
  • _Msdcs/Dc/_Tcp

In these locations, an SRV RR is displayed for the following services:

  • _kerberos
  • _ldap
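As an added example (not part of the original Q&A), the following Python check automates the last step of the verification procedure above: it builds the SRV record names a domain controller is expected to register beneath _Msdcs/Dc/_Tcp and _Msdcs/Dc/_Sites/<site>/_Tcp for _ldap and _kerberos, parses a zone dump, and reports records that are missing or that point at the wrong port. The domain example.test, the host dc1 and the zone lines are constructed sample data.

```python
"""Verify the _msdcs SRV records a domain controller should register.

Added example with constructed data. Record names follow the two _msdcs
locations from the Q&A; the ports are the well-known LDAP (389) and
Kerberos (88) ports.
"""
from typing import Dict, List, Tuple

# Services the Q&A lists under each location, with their expected ports.
SERVICES = {"_ldap": 389, "_kerberos": 88}


def expected_srv_names(domain: str, site: str = "Default-First-Site-Name") -> Dict[str, int]:
    """Return {srv_fqdn: expected_port} for the records the text describes."""
    domain = domain.rstrip(".").lower()
    names: Dict[str, int] = {}
    for svc, port in SERVICES.items():
        # _Msdcs/Dc/_Tcp  ->  _<svc>._tcp.dc._msdcs.<domain>
        names[f"{svc}._tcp.dc._msdcs.{domain}"] = port
        # _Msdcs/Dc/_Sites/<site>/_Tcp  ->  _<svc>._tcp.<site>._sites.dc._msdcs.<domain>
        names[f"{svc}._tcp.{site.lower()}._sites.dc._msdcs.{domain}"] = port
    return names


def parse_zone(text: str) -> Dict[str, List[Tuple[int, int, int, str]]]:
    """Parse zone-file style lines 'name TTL IN SRV prio weight port target'.

    Non-SRV records and comments are ignored; names are normalised to
    lower case without the trailing dot so they compare with expected names.
    """
    records: Dict[str, List[Tuple[int, int, int, str]]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
            continue  # A, NS, SOA, ... records are not what we check here
        name = fields[0].rstrip(".").lower()
        prio, weight, port = (int(f) for f in fields[4:7])
        records.setdefault(name, []).append((prio, weight, port, fields[7].rstrip(".")))
    return records


def check_srv(zone_text: str, domain: str, site: str = "Default-First-Site-Name") -> Dict[str, List[str]]:
    """Classify every expected record as ok, missing or wrong_port."""
    zone = parse_zone(zone_text)
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "wrong_port": []}
    for name, port in sorted(expected_srv_names(domain, site).items()):
        entries = zone.get(name)
        if not entries:
            result["missing"].append(name)
        elif any(entry[2] != port for entry in entries):
            result["wrong_port"].append(name)
        else:
            result["ok"].append(name)
    return result


# Constructed zone dump: the site-level Kerberos record is absent and the
# domain-level Kerberos record was registered with the wrong port.
SAMPLE_ZONE = """
; constructed sample zone, not real DNS data
_ldap._tcp.dc._msdcs.example.test.      600 IN SRV 0 100 389 dc1.example.test.
_kerberos._tcp.dc._msdcs.example.test.  600 IN SRV 0 100 464 dc1.example.test.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc1.example.test.
dc1.example.test.                       3600 IN A 192.0.2.10
"""

if __name__ == "__main__":
    for status, names in check_srv(SAMPLE_ZONE, "example.test").items():
        for name in names:
            print(f"{status:10s} {name}")
```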



Q. What is LDAP?

Short for Lightweight Directory Access Protocol, a set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access. Because it’s a simpler version of X.500, LDAP is sometimes called X.500-lite.

Q. What is FRS (File replication services)?

The File Replication Service (FRS) replicates specific files using the same multi-master model that Active Directory uses. It is used by the Distributed File System for replication of DFS trees that are designated as domain root replicas. It is also used by Active Directory to synchronize content of the SYSVOL volume automatically across domain controllers. The reason the FRS service replicates contents of the SYSVOL folder is so clients will always get a consistent logon environment when logging on to the domain, no matter which domain controller actually handles the request. When a client submits a logon request, he or she submits that request for authentication to the SYSVOL directory. A subfolder of this directory, called \scripts, is shared on the network as the netlogon share. Any logon scripts contained in the netlogon share are processed at logon time. Therefore, the FRS is responsible for all domain controllers providing the same logon directory structure to clients throughout the domain.

Q. Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.

Yes, you can connect Active Directory to other 3rd-party directory services, such as the directories used by SAP, Domino, etc., with the help of MIIS (Microsoft Identity Integration Server).
You can also use DirXML or LDAP to connect to other directories (e.g. eDirectory from Novell).

Q. Where is the AD database held? What other folders are related to AD?

The AD database is saved in %systemroot%\ntds. You can see other files also in this folder. These are the main files controlling the AD structure:

  • ntds.dit
  • edb.log
  • res1.log
  • res2.log
  • edb.chk

When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a “shutdown” statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn’t exist on reboot or the shutdown statement isn’t present, AD will use the edb.log file to update the AD database.

The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we’ve discussed.
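To make the edb.log / edb.chk / ntds.dit interplay described above concrete, here is an added toy model in Python (an illustration written for this page, not AD's real on-disk format): a change is appended to the log first, applied to the database lazily, and the checkpoint records how far the database has caught up and whether a clean shutdown was recorded. The sample DN is constructed.

```python
"""Toy model of write-ahead logging with a checkpoint, as the Q&A describes
for edb.log, edb.chk and ntds.dit. Added illustration, not AD's real format.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample object; any value stands in for the object's attributes.
SAMPLE_DN = "CN=AlanC,OU=US,DC=example,DC=test"


@dataclass
class ToyDirectoryStore:
    log: List[Tuple[str, str]] = field(default_factory=list)  # edb.log: ordered transactions
    db: Dict[str, str] = field(default_factory=dict)          # ntds.dit: committed state
    chk_committed: int = 0        # edb.chk: number of log entries already in the database
    chk_shutdown: bool = False    # edb.chk: the "shutdown" statement

    def write(self, dn: str, value: str) -> None:
        """A change is recorded in the log before it reaches the database."""
        self.log.append((dn, value))
        self.chk_shutdown = False  # the system is running, so no clean shutdown on record

    def flush(self) -> int:
        """Apply logged-but-uncommitted transactions to the database.

        Returns how many transactions were applied. Applying is idempotent,
        so replaying an already-committed entry is harmless.
        """
        pending = self.log[self.chk_committed:]
        for dn, value in pending:
            self.db[dn] = value
        self.chk_committed = len(self.log)
        return len(pending)

    def shutdown(self) -> None:
        """Clean shutdown: commit everything, then write the shutdown statement."""
        self.flush()
        self.chk_shutdown = True

    def recover(self) -> int:
        """Reboot: trust the checkpoint only if the shutdown statement is present;
        otherwise replay edb.log from the checkpoint into the database."""
        if self.chk_shutdown:
            return 0
        return self.flush()


def scenario(clean: bool, lose_checkpoint: bool = False) -> Tuple[int, Dict[str, str]]:
    """Run one write/flush/write cycle, then shut down cleanly or crash.

    Returns (transactions replayed at reboot, database contents after recovery).
    """
    store = ToyDirectoryStore()
    store.write(SAMPLE_DN, "enabled")
    store.flush()                          # first change now lives in ntds.dit
    store.write(SAMPLE_DN, "disabled")     # second change exists only in edb.log
    if clean:
        store.shutdown()
    if lose_checkpoint:                    # edb.chk missing on reboot
        store.chk_committed, store.chk_shutdown = 0, False
    replayed = store.recover()
    return replayed, dict(store.db)


if __name__ == "__main__":
    print("clean shutdown :", scenario(clean=True))
    print("crash          :", scenario(clean=False))
    print("crash, no chk  :", scenario(clean=False, lose_checkpoint=True))
```

In every case the recovered database ends with the account disabled; what differs is how much of edb.log had to be replayed to get there.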

Q. What is the SYSVOL folder?

The SYSVOL folder is critical because it contains the domain’s public files. This directory is shared out (as SYSVOL), and any files kept in the SYSVOL folder are replicated to all other domain controllers in the domain using the File Replication Service (FRS)—and yes, that’s important to know on the exam.

The SYSVOL folder also contains the following items:

  • The NETLOGON share, which is the location where domain logon requests are submitted for processing, and where logon scripts can be stored for client processing at logon time.
  • Windows Group Policies
  • FRS folders and files that must be available and synchronized between domain controllers if the FRS is in use. Distributed File System (DFS), for example, uses the FRS to keep shared data consistent between replicas.

You can go to the SYSVOL folder by typing %systemroot%\sysvol on the DC.

Q. Name the AD NCs and replication issues for each NC

  • Schema NC
  • Configuration NC
  • Domain NC

Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.

Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.

Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.

Q. What are application partitions? When do I use them?

A1) An application directory partition is a partition space in Active Directory which an application can use to store application-specific data. This partition is then replicated only to some specific domain controllers.

The application directory partition can contain any type of data except security principals (users, computers, groups).

A2) These are specific to Windows Server 2003 domains.
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

Q. How do you create a new application partition?

The DnsCmd command is used to create a new application directory partition. For example, to create a partition named “NewPartition” on the domain controller DC1, log on to the domain controller and type the following command:

dnscmd DC1 /CreateDirectoryPartition NewPartition

Q. How do you view replication properties for AD partitions and DCs?

By using replication monitor

go to start > run > type replmon

Q. What is the Global Catalog?

The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest. A domain controller that holds a copy of the global catalog is called a global catalog server. You can designate any domain controller in the forest as a global catalog server. Active Directory uses multimaster replication to replicate the global catalog information between global catalog servers in other domains. It stores a full replica of all object attributes in the directory for its host domain and a partial replica of all object attributes contained in the directory for every domain in the forest. The partial replica stores attributes most frequently used in search operations (such as a user’s first and last names, logon name, and so on). Attributes are marked or unmarked for replication in the global catalog when they are defined in the Active Directory schema. Object attributes replicated to the global catalog inherit the same permissions as in source domains, ensuring that data in the global catalog is secure.


Q. What is schema?

The Active Directory schema defines objects that can be stored in Active Directory. The schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in Active Directory. Because the schema definitions themselves are stored as objects, they can be administered in the same manner as the rest of the objects in Active Directory. The schema is defined by two types of objects: schema class objects (also referred to as schema classes) and schema attribute objects (also referred to as schema attributes).

Q. GC and infrastructure master should not be on same server, why?

Unless your domain consists of only one domain controller, the infrastructure master should not be assigned to a domain controller that’s also a Global Catalog server. If the infrastructure master and Global Catalog are stored on the same domain controller, the infrastructure master will not function because it will never find data that is out of date. It therefore won’t ever replicate changes to the other domain controllers in the domain. There are two exceptions:

  • If all your domain controllers are Global Catalog servers, it won’t matter because all servers will have the latest changes to the Global Catalog.
  • If you are implementing a single Active Directory domain, no other domains exist in the forest to keep track of, so in effect, the infrastructure master is out of a job.

Q. Why not make all DCs in a large forest as GCs?

When every DC becomes a GC, replication traffic increases, and the infrastructure master cannot be kept on the same DC as a GC, so at least one DC should run without holding the GC role.

Q. Trying to look at the Schema, how can I do that?

Register schmmgmt.dll with the command regsvr32 schmmgmt.dll.

Q. What are the Support Tools? Why do I need them?

Support Tools are utilities that make complicated administrative tasks easier to perform. They can also be third-party tools. Some of the Support Tools include DebugViewer, DependencyViewer, RegistryMonitor, etc.

Q. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

LDP – Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.

Replmon – Replmon displays information about Active Directory Replication.

ADSIEDIT – ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following files are required for using this tool: ADSIEDIT.DLL and ADSIEDIT.MSC.

NETDOM – NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

REPADMIN – REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since Exchange Server is Active Directory based. REPADMIN doesn’t actually fix replication problems for you. But, you can use it to help determine the source of a malfunction.

Q. What are the Naming Conventions used in AD?

Within Active Directory, each object has a name. When you create an object in Active Directory, such as a user or a computer, you assign the object a name. This name must be unique within the domain—you can’t assign an object the same name as any other object (regardless of its type) in that domain.

At the same time that you create an object, not only do you assign a name to the object, but Active Directory also assigns identifiers to the object. Active Directory assigns every object a globally unique identifier (GUID), and assigns many objects a security identifier (SID). A GUID is typically a 32-digit hexadecimal number that uniquely identifies an object within Active Directory. A SID is a unique number created by the Windows 2000 Security subsystem that is assigned only to security principal objects (users, groups, and computers) when they are created. Windows 2000 uses SIDs to grant or deny a security principal object access to other objects and network resources.

Active Directory uses a hierarchical naming convention that is based on Lightweight Directory Access Protocol (LDAP) and DNS standards.

Objects in Active Directory can be referenced by using one of three Active Directory name types:

  • Relative distinguished name (RDN)
  • Distinguished name (DN)
  • User principal name (UPN)

A relative distinguished name (RDN) is the name that is assigned to the object by the administrator when the object is created. For example, when I create a user named AlanC, the RDN of that user is AlanC. The RDN only identifies an object—it doesn’t identify the object’s location within Active Directory. The RDN is the simplest of the three Active Directory name types, and is sometimes called the common name of the object.

A distinguished name (DN) consists of an object’s RDN, plus the object’s location in Active Directory. The DN supplies the complete path to the object. An object’s DN includes its RDN, the name of the organizational unit(s) that contains the object (if any), and the FQDN of the domain. For example, suppose that I create a user named AlanC in an organizational unit called US in a domain named The DN of this user would

A user principal name (UPN) is a shortened version of the DN that is typically used for logon and e-mail purposes. A UPN consists of the RDN plus the FQDN of the domain. Using my previous example, the UPN for the user named AlanC would be:

Another way you can think of a UPN is as a DN stripped of all organizational unit references.
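As an added example (not from the original Q&A), the Python below derives the three name types from a DN the way the text describes: the RDN is the first component, the domain FQDN is rebuilt from the DC components, and the UPN is the RDN plus that FQDN (the Q&A's definition; a real account's userPrincipalName attribute can be set differently). The parser honours backslash escapes so a comma inside a value is not mistaken for a separator. The domain example.test and the sample DNs are constructed.

```python
"""Derive RDN, OU path, domain FQDN and UPN from an Active Directory DN.

Added example with constructed names. The UPN follows the Q&A's description
(RDN + FQDN); the real userPrincipalName attribute may differ.
"""
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (ATTRIBUTE, value) pairs, nearest component first.

    A backslash escapes the next character, so 'CN=Smith\\, John' keeps its
    comma as part of the value instead of starting a new component.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN component: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def rdn(dn: str) -> str:
    """The relative distinguished name: the value of the first component."""
    return split_dn(dn)[0][1]


def ou_path(dn: str) -> List[str]:
    """Organizational units containing the object, innermost first."""
    return [value for attr, value in split_dn(dn) if attr == "OU"]


def domain_fqdn(dn: str) -> str:
    """Rebuild the domain's DNS name from the DC components."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "DC")


def upn(dn: str) -> str:
    """UPN as the Q&A defines it: the DN stripped of OU references, i.e. RDN@FQDN."""
    return f"{rdn(dn)}@{domain_fqdn(dn)}"


if __name__ == "__main__":
    # Constructed sample DNs; the second contains an escaped comma in the RDN.
    for sample in ("CN=AlanC,OU=US,DC=example,DC=test",
                   "CN=Smith\\, John,OU=Sales,OU=US,DC=example,DC=test"):
        print(sample)
        print("  RDN   :", rdn(sample))
        print("  OUs   :", ou_path(sample))
        print("  Domain:", domain_fqdn(sample))
        print("  UPN   :", upn(sample))
```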





Q. What are sites? What are they used for?

A site consists of one or more TCP/IP subnets, which are specified by an administrator. Additionally, if a site contains more than one subnet, the subnets should be connected by high-speed, reliable links. Sites do not correspond to domains: you can have two or more sites within a single domain, or you can have multiple domains in a single site. A site is solely a grouping based on IP addresses. Figure 2-7 shows two sites connected by a slow WAN link.


The purpose of sites is to enable servers that regularly copy data to other servers (such as Active Directory replication data) to distinguish between servers in their own site (which are connected by high-speed links) and servers in another site (which are connected by slower-speed WAN links). Replication between domain controllers in the same site is fast, and typically administrators can permit Windows 2000 to automatically perform this task. Replication between a domain controller in one site and domain controllers in other sites is slower (because it takes place over a slow WAN link) and often should be scheduled by the administrator so that use of network bandwidth for replication is minimized during the network’s peak-activity hours.

Sites and Active Directory replication can be configured by using Active Directory Sites and Services.

Uses of sites:

Sites are primarily used to control replication traffic. Domain controllers within a site are essentially free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and replicate on a defined schedule, both of which are intended to cut down on network traffic.

More specifically, sites are used to control the following:

  • Workstation logon traffic
  • Replication traffic
  • Distributed File System (DFS)

Q. What’s the difference between a site link’s schedule and interval?

A site link is a connection object on which the replication transport mechanism depends; put simply, it represents the communication path used to transfer data between sites. The site link schedule defines when replication over the link is allowed to take place, and the interval defines how often replication occurs within that scheduled window.
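The distinction is easiest to see in the two attributes an administrator actually sets. The following is an added example, not from the original post: it requires the ActiveDirectory module (Windows Server 2008 R2 or later, so newer than the era this post describes), and the site link name "HQ-Branch" and the 01:00 to 05:00 window are assumptions.

```powershell
# Added example: interval vs. schedule on a site link.
# Interval  = how often replication is attempted while the link is open.
# Schedule  = the hours during which the link is open at all (no schedule = always).
Import-Module ActiveDirectory

function Show-SiteLinkTiming {
    Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, ReplicationSchedule |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes,
            @{ Name = 'Window'; Expression = { if ($_.ReplicationSchedule) { 'custom' } else { 'always open' } } }
}

function Set-OffPeakSiteLink {
    param(
        [Parameter(Mandatory)][string]$LinkName,
        [ValidateRange(15, 10080)][int]$IntervalMinutes = 180,   # AD rounds to 15-minute multiples
        [ValidateRange(0, 23)][int]$OpenHour = 1,
        [ValidateRange(0, 23)][int]$CloseHour = 5
    )
    # A schedule is a 7 x 24 x 4 grid of 15-minute slots. Start from "nothing
    # allowed" and open one daily window; the interval then applies inside it.
    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $schedule.ResetSchedule()
    $schedule.SetDailySchedule(
        [System.DirectoryServices.ActiveDirectory.HourOfDay]$OpenHour,
        [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
        [System.DirectoryServices.ActiveDirectory.HourOfDay]$CloseHour,
        [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)

    Set-ADReplicationSiteLink -Identity $LinkName `
        -ReplicationFrequencyInMinutes $IntervalMinutes `
        -ReplicationSchedule $schedule
}

# Assumed site link name; replicate every 3 hours, but only between 01:00 and 05:00.
Set-OffPeakSiteLink -LinkName 'HQ-Branch' -IntervalMinutes 180
Show-SiteLinkTiming
```

After running it, open the link in Active Directory Sites and Services and confirm the window shown there matches what you intended; the console displays the schedule in local time.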

Q. What is replication? How does it occur in AD? What are the KCC and ISTG?

Each domain controller stores a complete copy of all Active Directory information for its domain and replicates changes to the other domain controllers in the same domain. Domain controllers in a domain automatically replicate directory information for all objects in the domain to each other. When you perform an action that causes an update to Active Directory, you are actually making the change at one of the domain controllers. That domain controller then replicates the change to all other domain controllers within the domain. You can control replication traffic between domain controllers in the network by specifying how often replication occurs and the amount of data that each domain controller replicates at one time. Domain controllers immediately replicate certain important updates, such as the disabling of a user account.

Active Directory uses multimaster replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to. Domain controllers can hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory.

Although Active Directory supports multimaster replication, some changes are impractical to perform in multimaster fashion. One or more domain controllers can be assigned to perform single-master replication (operations not permitted to occur at different places in a network at the same time). Operations master roles are special roles assigned to one or more domain controllers in a domain to perform single-master replication.

Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another domain controller is completely propagated. Collisions are detected by comparing each attribute’s property version number, a number specific to an attribute that is initialized upon creation of the attribute. Active Directory resolves the collision by replicating the changed attribute with the higher property version number.
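The following is an added example, not from the original post, applying the collision rule above to constructed replication stamps. The version number decides first, as the text says; the remaining tie-breakers (originating timestamp, then originating DSA invocation ID) are the ones Active Directory uses when versions are equal, so the code goes one step beyond the paragraph. Live stamps can be read with Get-ADReplicationAttributeMetadata (ActiveDirectory module, Windows Server 2012 or later); the DC names, values and GUIDs below are constructed.

```powershell
# Added example: attribute conflict resolution on constructed stamps.
# Stamp fields: Source, Value, Version, OriginatingTime, InvocationId (all constructed).

function New-Stamp {
    param($Source, $Value, [int]$Version, [datetime]$Time, [string]$InvocationId)
    [pscustomobject]@{
        Source = $Source; Value = $Value; Version = $Version
        OriginatingTime = $Time; InvocationId = $InvocationId
    }
}

function Resolve-AttributeConflict {
    param(
        [Parameter(Mandatory)][pscustomobject]$A,
        [Parameter(Mandatory)][pscustomobject]$B
    )
    # 1. Higher property version number wins (the rule described in the text).
    if ($A.Version -ne $B.Version) {
        if ($A.Version -gt $B.Version) { return $A } else { return $B }
    }
    # 2. Equal versions: the later originating change wins.
    if ($A.OriginatingTime -ne $B.OriginatingTime) {
        if ($A.OriginatingTime -gt $B.OriginatingTime) { return $A } else { return $B }
    }
    # 3. Still tied: compare the originating DC's invocation ID so that every DC
    #    picks the same winner (GUID ordering here is .NET's CompareTo).
    if (([guid]$A.InvocationId).CompareTo([guid]$B.InvocationId) -gt 0) { return $A } else { return $B }
}

# Constructed scenario: two DCs changed telephoneNumber for the same user before replicating.
$dc01 = New-Stamp 'DC01' '+1 555 0100' 3 (Get-Date '2024-01-15 10:00:00') 'aaaaaaaa-0000-0000-0000-000000000001'
$dc02 = New-Stamp 'DC02' '+1 555 0200' 3 (Get-Date '2024-01-15 10:05:00') 'bbbbbbbb-0000-0000-0000-000000000002'
# Versions tie, so the originating timestamp decides.
Resolve-AttributeConflict $dc01 $dc02

$dc03 = New-Stamp 'DC03' '+1 555 0300' 4 (Get-Date '2024-01-15 09:00:00') 'cccccccc-0000-0000-0000-000000000003'
# Different versions: the version number decides regardless of which write was earlier.
Resolve-AttributeConflict $dc01 $dc03
```

The point worth remembering operationally is that a change with a higher version number beats a newer change with a lower one; a DC that has been written to many times for one attribute will win a conflict even if another DC's write is more recent.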

Q. What can you do to promote a server to DC if you’re in a remote location with slow WAN link?

Install from Media: In Windows Server 2003 a new feature has been added, and this time it’s one that will actually make our lives easier. You can promote a domain controller using files backed up from a source domain controller!

This feature is called “Install from Media” and it’s available by running DCPROMO with the /adv switch. It’s not a replacement for network replication (we still need network connectivity), but now we can use a System State backup from another Windows Server 2003 domain controller, copy it to our future DC, and have the initial replication take place from the media instead of across the network, thus saving valuable time and network resources.

What you basically have to do is back up the System State of an existing domain controller, restore that backup to your replica candidate, and use DCPromo /adv to tell it to source from local media rather than from a network source.

This also works for global catalogs. If we perform a backup of a global catalog server, then we can create a new global catalog server by performing DCPromo from that restored media.

IFM Limitations

It only works for the same domain, so you cannot back up a domain controller in domain A and create a new domain B using that media.

It’s only useful up to the tombstone lifetime, which defaults to 60 days. If you have an older backup, you cannot create a new domain controller from it, because you would run into the problem of reanimating deleted objects.

Q. How can you forcibly remove AD from a server, and what do you do later?

Demoting Windows Server 2003 DCs: DCPROMO (Active Directory Installation Wizard) is a toggle switch, which allows you to either install or remove Active Directory DCs. To forcibly demote a Windows Server 2003 DC, run the following command either at the Start, Run, or at the command prompt:

dcpromo /forceremoval

Note: If you’re running Certificate Services on the DC, you must first remove Certificate Services before continuing. If you specify the /forceremoval switch on a server that doesn’t have Active Directory installed, the switch is ignored and the wizard pretends that you want to install Active Directory on that server.

Once the wizard starts, you will be prompted for the Administrator password that you want to assign to the local administrator in the SAM database. If you have Windows Server 2003 Service Pack 1 installed on the DC, you’ll benefit from a few enhancements. The wizard will automatically run certain checks and will prompt you to take appropriate actions. For example, if the DC is a Global Catalog server or a DNS server, you will be prompted. You will also be prompted to take an action if your DC is hosting any of the operations master roles.

Demoting Windows 2000 DCs: On a Windows 2000 domain controller, forced demotion is supported with Service Pack 2 and later. The rest of the procedure is similar to the procedure I described for Windows Server 2003. Just make sure that while running the wizard, you clear the “This server is the last domain controller in the domain” check box. On Windows 2000 Servers you won’t benefit from the enhancements in Windows Server 2003 SP1, so if the DC you are demoting is a Global Catalog server, you may have to manually promote some other DC to a Global Catalog server.

Cleaning the Metadata on a Surviving DC: Once you’ve successfully demoted the DC, your job is not quite done yet. Now you must clean up the Active Directory metadata. You may be wondering why you need to clean the metadata manually. The metadata for the demoted DC is not deleted from the surviving DCs because you forced the demotion. When you force a demotion, Active Directory basically ignores other DCs and does its own thing. Because the other DCs are not aware that you removed the demoted DC from the domain, the references to the demoted DC need to be removed from the domain.

Although Active Directory has made numerous improvements over the years, one of the biggest criticisms of Active Directory is that it doesn’t clean up the mess very well. This is obvious in most cases but, in other cases, you won’t know it unless you start digging deep into the Active Directory database.

To clean up the metadata you use NTDSUTIL. The following procedure describes how to clean up metadata on a Windows Server 2003 SP1 DC. According to Microsoft, the version of NTDSUTIL in SP1 has been enhanced considerably and does a much better job of clean-up, which obviously means that the earlier versions didn’t do a very good job. For Windows 2000 DCs, you might want to check out Microsoft Knowledge Base article 216498, “How to remove data in Active Directory after an unsuccessful domain controller demotion.”

Here’s the step-by-step procedure for cleaning metadata on Windows Server 2003 DCs:

  1. Log on to the DC as a Domain Administrator.
  2. At the command prompt, type ntdsutil.
  3. Type metadata cleanup.
  4. Type connections.
  5. Type connect to server servername, where servername is the name of the server you want to connect to.
  6. Type quit or q to go one level up. You should be at the Metadata Cleanup prompt.
  7. Type select operation target.
  8. Type list domains. You will see a list of domains in the forest, each with a different number.
  9. Type select domain number, where number is the number associated with the domain of your server.
  10. Type list sites.
  11. Type select site number, where number is the number associated with the site of your server.
  12. Type list servers in site.
  13. Type select server number, where number is the number associated with the server you want to remove.
  14. Type quit to go to Metadata Cleanup prompt.
  15. Type remove selected server. You should see a confirmation that the removal completed successfully.
  16. Type quit to exit ntdsutil.

You might also want to clean up the DNS database by deleting all DNS records related to the server.

In general, you will have better luck using forced demotion on Windows Server 2003, because the naming contexts and other objects don’t get cleaned as quickly on Windows 2000 Global Catalog servers, especially servers running Windows 2000 SP3 or earlier. Due to the nature of forced demotion and the fact that it’s meant to be used only as a last resort, there are additional things that you should know about forced demotion.

Even after you’ve used NTDSUTIL to clean the metadata, you may still need to do additional cleaning manually using ADSIEdit or other such tools.
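One way to find out whether that additional cleaning is needed is to search for every place a DC leaves a reference behind. The following is an added example, not from the original post: it requires the ActiveDirectory module and, for the DNS part, the DnsServer module (both Windows Server 2012 or later, so newer than the NTDSUTIL procedure above). The removed server name OLDDC01 and the DNS server name DC01 are assumptions.

```powershell
# Added example: look for leftovers of a forcibly removed DC after metadata cleanup.
# Server name OLDDC01 and DNS server DC01 are assumptions.
Import-Module ActiveDirectory

function Find-LeftoverDcReferences {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [string]$DnsServer = 'DC01'
    )
    $root   = Get-ADRootDSE
    $domain = Get-ADDomain
    $zone   = $domain.DNSRoot
    $fqdn   = "$ServerName.$zone"

    # 1. Server object (and its NTDS Settings child) under CN=Sites in the configuration NC.
    Get-ADObject -SearchBase "CN=Sites,$($root.configurationNamingContext)" `
        -Filter "objectClass -eq 'server' -and Name -eq '$ServerName'" |
        ForEach-Object { [pscustomobject]@{ Kind = 'Config NC server object'; Reference = $_.DistinguishedName } }

    # 2. The DC's computer account (normally in OU=Domain Controllers).
    Get-ADComputer -Filter "Name -eq '$ServerName'" -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'Computer account'; Reference = $_.DistinguishedName } }

    # 3. FRS / DFSR SYSVOL membership objects under CN=System.
    Get-ADObject -SearchBase "CN=System,$($domain.DistinguishedName)" `
        -Filter "Name -eq '$ServerName' -and (objectClass -eq 'nTFRSMember' -or objectClass -eq 'msDFSR-Member')" |
        ForEach-Object { [pscustomobject]@{ Kind = 'SYSVOL replication member'; Reference = $_.DistinguishedName } }

    # 4. DNS: the host record, plus any SRV record in _msdcs that still points at the host.
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -Name $ServerName -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = "DNS $($_.RecordType) record"; Reference = "$($_.HostName).$zone" } }
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName "_msdcs.$zone" -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName -like "$fqdn*" } |
        ForEach-Object { [pscustomobject]@{ Kind = 'DNS SRV record'; Reference = "$($_.HostName)._msdcs.$zone -> $($_.RecordData.DomainName)" } }
}

Find-LeftoverDcReferences -ServerName 'OLDDC01' | Format-Table -AutoSize
```

An empty result means the directory and DNS no longer know about the server. Anything that is returned is a candidate for removal with ADSIEdit or the DNS console, after confirming that it really belongs to the demoted machine and not to a replacement that reused the name.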

Q. Can I get user passwords from the AD database?

To my knowledge there is no way to extract the password from the AD database. By the way, there is a tool called cachedump. Using it we can extract the cached passwords from a Windows XP machine which is joined to a domain.

Q. Name some OU design considerations.

  • Design OU structure based on Active Directory business requirements
  • NT Resource domains may fold up into OUs
  • Create nested OUs to hide objects
  • Objects easily moved between OUs
  • Departments, geographic region, job function, object type

Q. What is tombstone lifetime attribute?

The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. This value is stored in the Directory Service object in the configuration NC.

Q. How would you find all users that have not logged on since last month?

If you are using a Windows 2003 domain environment, go to Active Directory Users and Computers, select Saved Queries, right-click it and select New Query; then, under Custom Common Queries and Define Query, there is an option that shows days since last logon.
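The same question can be answered from the command line. The following is an added example, not from the original post; it requires the ActiveDirectory module (Windows Server 2008 R2 or later), and the 30-day window and the OU are assumptions. The caveat it handles: lastLogonTimestamp is replicated to every DC (unlike lastLogon), but by default it is only refreshed when the stored value is more than 14 days old, so a user can appear up to 14 days "staler" than reality.

```powershell
# Added example: list enabled users with no logon since the cutoff.
# The 30-day window and any OU you pass are assumptions.
Import-Module ActiveDirectory

function Get-InactiveUsers {
    param(
        [int]$Days = 30,
        [string]$SearchBase   # e.g. 'OU=US,DC=example,DC=com'; whole domain when omitted
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    $params = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'lastLogonTimestamp', 'whenCreated'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        # lastLogonTimestamp is a Windows FILETIME (100 ns ticks since 1601);
        # 0 or absent means the account has never logged on anywhere.
        $last  = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        # Never-logged-on accounts are only "stale" once they are older than the cutoff.
        $stale = if ($null -eq $last) { $_.whenCreated -lt $cutoff } else { $last -lt $cutoff }
        if ($stale) {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                LastLogonTimestamp = $last
                NeverLoggedOn      = ($null -eq $last)
                Created            = $_.whenCreated
            }
        }
    } | Sort-Object LastLogonTimestamp
}

# The module's built-in equivalent, for comparison:
#   Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(30)) -UsersOnly
Get-InactiveUsers -Days 30 | Format-Table -AutoSize
```

Because of the 14-day refresh interval, treat the result as "inactive for at least this long" when deciding whether to disable an account, and keep the window comfortably longer than 14 days.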

Q. What are the DS* commands?

Q. What’s the difference between LDIFDE and CSVDE? Usage considerations?

CSVDE is a command that can be used to import and export objects to and from the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go to length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info. Like CSVDE, LDIFDE is a command that can be used to import and export objects to and from the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor; however, it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.
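The following is an added example, not from the original post, showing the difference in practice: an LDIF change file that modifies one existing object and deletes another (operations CSVDE cannot express), followed by the CSVDE export the paragraph describes. The file paths, server name DC01, OU and object names are assumptions.

```powershell
# Added example: LDIFDE change file (modify + delete) beside a CSVDE export.
# Paths, DC01, and the DNs below are assumptions.

function New-LdifChangeFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ModifyDn,
        [Parameter(Mandatory)][string]$DeleteDn,
        [string]$Description = 'Updated via LDIFDE'
    )
    # "changetype: modify" replaces one attribute; the lone "-" ends the change list.
    # "changetype: delete" removes the object. A blank line separates entries.
    $ldif = @"
dn: $ModifyDn
changetype: modify
replace: description
description: $Description
-

dn: $DeleteDn
changetype: delete

"@
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    # LDIFDE reads ANSI input by default (-u for Unicode); ASCII is safe for these values.
    [System.IO.File]::WriteAllText($Path, $ldif, [System.Text.Encoding]::ASCII)
    return $Path
}

$ldf = New-LdifChangeFile -Path 'C:\temp\changes.ldf' `
    -ModifyDn 'CN=AlanC,OU=US,DC=example,DC=com' `
    -DeleteDn 'CN=OldSvc,OU=US,DC=example,DC=com'

# Import (-i) the change file (-f) against server (-s). -k continues past
# "already exists" / "no such object" errors so a half-applied file can be rerun.
ldifde -i -f $ldf -s DC01 -k

# CSVDE can only export (or create new objects): dump users in the OU with two attributes.
csvde -f 'C:\temp\users.csv' -d 'OU=US,DC=example,DC=com' -r '(objectClass=user)' -l 'sAMAccountName,displayName'
```

Run `ldifde` without -k first against a test OU; when the file has a mistake the error message names the entry that failed, which is far easier to read before the tool has skipped over it.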

Q. What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name; which will be the ‘key’ to a list of shares found on multiple servers on the network. Think of it as the home of all file shares with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs Targets under the same link.
The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

The actual folder structure of DFS and load balancing

Q. What are the types of replication in DFS?

There are two types of replication:

  • Automatic – only available for domain-based DFS
  • Manual – available for stand-alone DFS and requires all files to be replicated manually

1. What are the important Windows port numbers?

RDP – 3389 – (Remote Desktop Protocol)
FTP – 21 – (File Transfer Protocol)
TFTP – 69 – (Trivial File Transfer Protocol)
Telnet – 23
SMTP – 25 – (Simple Mail Transfer Protocol)
DNS – 53 – (Domain Name System)
DHCP – 68 – (Dynamic Host Configuration Protocol)
POP3 – 110 – (Post Office Protocol 3)
HTTP – 80
HTTPS – 443
NNTP – 119 – (Network News Transfer Protocol)
NTP – 123 – (Network Time Protocol, also SNTP)
IMAP – 143 – (Internet Message Access Protocol)
SSMTP – 465 – (SMTP over SSL)
SIMAP – 993 – (IMAP over SSL)
SPOP3 – 995 – (POP3 over SSL)
Time – 123 – (NTP/SNTP, as above)
NetBIOS – 137 – (Name Service)
NetBIOS – 139 – (Datagram Service)
DHCP Client – 546
DHCP Server – 547
Global Catalog – 3268
LDAP – 389 – (Lightweight Directory Access Protocol)
RPC – 135 – (Remote Procedure Call endpoint mapper)
Kerberos – 88
SSH – 22 – (Secure Shell)

2. How to check tombstone lifetime value in your Forest

The tombstone lifetime value differs from OS to OS. For Windows Server 2000/2003 it is 60 days. In Windows Server 2003 SP1 the default tombstone lifetime (TSL) value was increased from 60 days to 180 days; in Windows Server 2003 R2 the TSL value was decreased to 60 days again; and in Windows Server 2003 R2 SP2 and Windows Server 2008 it is 180 days.

If you are migrating a Windows 2003 environment to Windows 2008, it stays at 60 days.

You can use the command below to check the current tombstone lifetime value for your domain/forest:

dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=forestDN" -scope base -attr tombstonelifetime

Replace forestDN with your forest root domain partition DN, which has the form dc=domainname,dc=com.


3. How to find the domain controller that contains the lingering object

If Strict Replication Consistency is enabled:

Lingering objects are not present on the domain controllers that log Event ID 1988; the source domain controller named in that event contains the lingering object.

If Strict Replication Consistency is not enabled:

Lingering objects are not present on the domain controllers that log Event ID 1388; the domain controller that does not log Event ID 1388 is the one that contains the lingering object.

For example, if you have 100 domain controllers with Strict Replication Consistency disabled, you will get Event ID 1388 on 99 of them, all except the one that contains the lingering object.

You need to remove the lingering objects from the affected domain controller, or decommission that domain controller.

You can use the Event Comb tool (Eventcombmt.exe), a multi-threaded tool that gathers specific events from the Event Viewer logs of many computers at the same time.

You can download these tools from the following location:
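The following is an added example, not from the original post, that does the Event Comb step in PowerShell and applies the rule above: it collects Event IDs 1388 and 1988 from the Directory Service log of every DC, reads each DC's Strict Replication Consistency setting, and flags the "odd one out" that logged no 1388 while its peers did. It requires the ActiveDirectory module plus remote event log and remoting access to the DCs; the 7-day window is an assumption.

```powershell
# Added example: find the DC suspected of holding lingering objects from Events 1388/1988.
# The 7-day look-back is an assumption.
Import-Module ActiveDirectory

function Get-LingeringObjectReport {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    $rows = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Directory Service'; Id = 1388, 1988; StartTime = $since }

        # Strict Replication Consistency is a REG_DWORD under the NTDS Parameters key.
        $strict = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'Strict Replication Consistency'
        }

        [pscustomobject]@{
            DomainController  = $dc
            StrictConsistency = if ($null -eq $strict) { 'unknown' } else { $strict -eq 1 }
            Event1388Count    = @($events | Where-Object Id -eq 1388).Count
            Event1988Count    = @($events | Where-Object Id -eq 1988).Count
            # With strict consistency on, the 1988 text names the source DC that still has the object.
            Last1988Message   = ($events | Where-Object Id -eq 1988 | Select-Object -First 1).Message
        }
    }

    # Rule from the text: with strict consistency off, peers log 1388 and the source DC does not.
    $anyone1388 = @($rows | Where-Object Event1388Count -gt 0).Count -gt 0
    foreach ($row in $rows) {
        $suspect = ($row.StrictConsistency -eq $false) -and $anyone1388 -and ($row.Event1388Count -eq 0)
        $row | Add-Member -NotePropertyName SuspectSource -NotePropertyValue $suspect -PassThru
    }
}

Get-LingeringObjectReport |
    Format-Table DomainController, StrictConsistency, Event1388Count, Event1988Count, SuspectSource -AutoSize
```

A DC that reports `unknown` for the registry value could not be reached over remoting; check it by hand before trusting its `SuspectSource` flag, since the rule only holds when you know the setting is off.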

4. What are Active Directory ports:

Here is a list of Active Directory ports used for Active Directory replication and authentication; these ports can be used to configure the firewall.

Active Directory replication – There is no fixed port for Active Directory replication. Replication remote procedure calls (RPC) occur dynamically over an available port, negotiated through RPCSS (the RPC Endpoint Mapper) on port 135.

File Replication Service (FRS) – There is no fixed port for FRS either. FRS replication over RPC occurs dynamically over an available port, negotiated through RPCSS (the RPC Endpoint Mapper) on port 135.

Other required ports for Active Directory

TCP 53 – DNS (zone transfers)
UDP 53 – DNS (queries)
TCP 3389 – RDP (Remote Desktop)
TCP 135 – MS-RPC (endpoint mapper)
TCP 1025 & 1026 – AD logon & replication
TCP 389 – LDAP
TCP 639 – LDAP over SSL/TLS
TCP 3268 – Global Catalog
TCP 3268 – Global Catalog over SSL/TLS
UDP 137 & 138 – NetBIOS name and datagram services
UDP 88 – Kerberos v5
TCP 445 – SMB (Microsoft-DS)
TCP 139 – SMB over the NetBIOS session service

5. How to do active directory health checks?

As an administrator you have to check your Active Directory health daily to reduce Active Directory related issues. If you are not monitoring the health of your Active Directory, what will happen?

Let’s say one of the domain controllers fails to replicate. On the first day you will not have any issue. If this continues, you will have logon issues, and you will not see the object changes and new objects that were created and changed on other domain controllers; this will lead to further issues.

If a domain controller has not replicated for more than 60 days, it will lead to lingering-object issues.

Command to check replication to all the DCs (through this we can check Active Directory health):

Repadmin /replsum /bysrc /bydest /sort:delta

You can also save the command output to a text file by using the command below:

Repadmin /replsum /bysrc /bydest /sort:delta >>c:\replication_report.txt

This will list the domain controllers that are failing to replicate, together with the delta value (the time since the last successful replication). You can run this daily to check your Active Directory health.
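The following is an added example, not from the original post, that performs the same daily check in PowerShell. It reads the forest's tombstoneLifetime (the dsquery command in question 2 does this from cmd) and then flags every replication partner whose last success is older than that value, which is exactly the condition under which the lingering objects described above become possible. It requires the ActiveDirectory module (Get-ADReplicationPartnerMetadata needs Windows Server 2012 or later); the report path is an assumption.

```powershell
# Added example: replication health report with a lingering-object risk flag.
# The output path C:\replication_report.csv is an assumption.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    # When the attribute is not set, the forest uses the built-in default of 60 days.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-ReplicationHealthReport {
    $tsl = Get-TombstoneLifetimeDays
    $now = Get-Date
    # One row per (server, partner, partition) across the whole forest.
    Get-ADReplicationPartnerMetadata -Target * -Scope Forest -ErrorAction SilentlyContinue |
        ForEach-Object {
            $delta = $now - $_.LastReplicationSuccess
            [pscustomobject]@{
                Server              = $_.Server
                # Partner is the NTDS Settings DN; its second RDN is the partner server name.
                Partner             = ($_.Partner -split ',')[1] -replace '^CN=', ''
                Partition           = $_.Partition
                LastSuccess         = $_.LastReplicationSuccess
                DeltaDays           = [math]::Round($delta.TotalDays, 1)
                ConsecutiveFailures = $_.ConsecutiveReplicationFailures
                LastResult          = $_.LastReplicationResult      # 0 means success
                TombstoneLifetime   = $tsl
                LingeringRisk       = ($delta.TotalDays -gt $tsl)   # past TSL: deleted objects may be reanimated
            }
        } | Sort-Object DeltaDays -Descending
}

$report = Get-ReplicationHealthReport
# Show only what needs attention; keep the full report for trending.
$report | Where-Object { $_.LingeringRisk -or $_.ConsecutiveFailures -gt 0 } | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path 'C:\replication_report.csv'
```

A partner that is approaching the tombstone lifetime should be fixed or removed before it crosses it; once it has, the safe path is the lingering-object cleanup described in question 3 rather than simply letting replication resume.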

6. GPRESULT failed with an access denied error:

Unable to get results from gpresult on a Windows 2003 server: gpresult returns access denied errors, although you can update Group Policy without issue.

Run the following commands to re-register userenv.dll and recompile the RSoP MOF file; this resolves the access denied error when running gpresult.

  1. Open a command prompt.
  2. Re-register userenv.dll:
     Regsvr32 /n /i c:\winnt\system32\userenv.dll
  3. CD c:\windows\system32\wbem
  4. Mofcomp scersop.mof
  5. Gpupdate /force
  6. Gpresult

Now you are able to run gpresult without error, and a server reboot is not required for this procedure.

7. What is the command to find out the site name for a given DC?

dsquery server NYDC01 -site

domain controller name = NYDC01

8. Command to find all DCs in the given site

Command to find all the Domain Controllers in the “Default-First-Site-Name” site

dsquery server -o rdn -site Default-First-Site-Name

Site name = Default-First-Site-Name

9. What types of queries does DNS use?

Iterative Query
Recursive Query

Iterative Query

In this query the client asks the name server for the best possible answer. The name server checks its cache and the zones for which it is authoritative and returns the best answer it has to the client: either the full answer (such as an IP address) or a referral to another name server to try.

Recursive Query

The client demands either a full answer or an error message (such as "record or domain name does not exist").
Client machines always send recursive queries to the DNS server. If the DNS server does not have the requested information, it sends iterative queries to other name servers (through forwarders or root hints) until it gets the information, or until the name query fails.
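The following is an added example, not from the original post, that sends the same question once as a recursive query and once as an iterative (non-recursive) query and shows the two answers side by side. Resolve-DnsName exists on Windows 8 / Windows Server 2012 and later; the name www.example.com and the server dns01.example.com are assumptions, so substitute your own.

```powershell
# Added example: recursive vs. iterative query against the same server.
# The name and server below are assumptions.

function Invoke-DnsQuery {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Server,
        [switch]$NoRecursion
    )
    $params = @{ Name = $Name; Server = $Server; DnsOnly = $true; ErrorAction = 'Stop' }
    # -NoRecursion clears the RD bit: the server answers only from its cache and the
    # zones it is authoritative for, and otherwise returns a referral or an error.
    if ($NoRecursion) { $params.NoRecursion = $true }
    try {
        $records = Resolve-DnsName @params
        # Summarise each record: A/AAAA carry IPAddress, CNAME/NS carry NameHost.
        ($records | ForEach-Object {
            if ($_.IPAddress)    { "$($_.Type) $($_.IPAddress)" }
            elseif ($_.NameHost) { "$($_.Type) $($_.NameHost)" }
            else                 { "$($_.Type) $($_.Name)" }
        }) -join '; '
    } catch {
        "ERROR: $($_.Exception.Message)"
    }
}

function Compare-DnsQueryTypes {
    param(
        [string]$Name   = 'www.example.com',
        [string]$Server = 'dns01.example.com'
    )
    [pscustomobject]@{
        Name      = $Name
        Server    = $Server
        Recursive = Invoke-DnsQuery -Name $Name -Server $Server
        Iterative = Invoke-DnsQuery -Name $Name -Server $Server -NoRecursion
    }
}

Compare-DnsQueryTypes | Format-List
```

For a name the server is authoritative for, both columns agree. For an external name the recursive column holds the final answer while the iterative column shows only what the server already knew, which is the distinction the two definitions above are making.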


Server roles in Windows Server 2008

Windows Server 2008 is designed around certain roles and features. A role is a primary duty that a server performs. For example, you typically would point at a server and say “that’s my domain controller (DC) and DNS server.” A feature is something that helps a server perform its primary duty (Windows Backup, network load balancing). Certain roles are composed of sub-elements called Role Services, which are distinct units of functionality. For example, within the Terminal Services role are the TS Gateway and TS Licensing role services (among others). Please note that Server 2008 Web Edition has only the Web Server role. Also note that WINS isn’t a role in Server 2008; it’s a feature.

  • Active Directory Certificate Services. Provides the services for creating and managing public key certificates used in most aspects of security today, including HTTP Security (HTTPS), which is vital to many Windows Roles; Wireless network security; VPNs; IPsec; Encrypting File System (EFS); and other software security systems that require encryption or digital signatures.
  • Active Directory Domain Services. Previously known as just Active Directory, AD Domain Services stores information about users, computers, and other devices on the network in a security boundary known as a domain. With resources and users being members of a domain or a trusted hierarchy of domains known as a forest, access to company-wide information is secure and places no burden on the user.
  • Active Directory Federation Services (ADFS). Provides Web single-sign-on (SSO) capabilities across separate organizations, allowing authentication across multiple Web applications in various companies using a single user account. ADFS accomplishes this by securely federating, or sharing, user identities and access rights, in the form of digital claims, between partner organizations once a federation trust has been established.
  • Active Directory Lightweight Directory Services. Previously known as Active Directory Application Mode (ADAM), Active Directory Lightweight Directory Services provides a directory service that organizations can use to store information specific to an application that is separate from the organization’s main AD. Active Directory Lightweight Directory Services runs as a non-OS service and doesn’t require deployment on a DC, with multiple Active Directory Lightweight Directory Services instances supported on a single server.
  • Active Directory Rights Management Services. Provides very granular protection on supported documents via AD RMS-enabled applications to not only protect documents and other digital information but also to control the actions that authorized consumers of the information can do.
  • Application Server. Comprises a number of components that are responsible for the deployment and managing of .NET Framework 3.0 applications. These components include the .NET Framework, Web Server (IIS) Support, Message Queuing, COM+ Network Access, TCP Port Sharing, Distributed Transactions and Windows Process Activation Service Support.
  • Dynamic Host Configuration Protocol (DHCP) Server. Allows servers to assign or lease IP addresses to computers and other devices that are enabled as DHCP clients on the network.
  • DNS Server. DNS is used to resolve host names to IP addresses, both IPv4 and IPv6.
  • Fax Server. Sends and receives faxes, and allows you to manage fax resources such as jobs, settings, reports, and fax devices on this computer or on the network.
  • File Services. Provides technologies for storage management, which includes control of the types of files stored on a server via file screens and powerful quotas, file replication, distributed namespace management, NFS, and support for UNIX clients.
  • Hyper-V. Provides the services that you can use to create and manage virtual machines (VMs) and their resources. Hyper-V will ship within 180 days of the Server 2008 launch, but a beta version is supplied with the 2008 RTM.
  • Network Policy and Access Services. Delivers a variety of methods to provide users with local and remote network connectivity, to connect network segments, and to allow network administrators to centrally manage network access and client health policies. With Network Access Services, you can deploy VPN servers, dial-up servers, routers, and 802.11 protected wireless access. You can also deploy RADIUS servers and proxies, and use Connection Manager Administration Kit to create remote access profiles that allow client computers to connect to your network.
  • Print Services. Enables the management of print servers and printers. A print server reduces administrative and management workload by centralizing printer management tasks. Also part of Print Services is the Print Management Console, which streamlines the management of all aspects of printer server management including the ability to remotely scan a subnet for printers and automatically create the necessary print queues and shares.
  • Terminal Services. Enables users to access Windows-based programs that are installed on a terminal server or to access the Windows desktop from almost any computing device that supports the RDP protocol. Users can connect to a terminal server to run programs and to use network resources on that server. Server 2008 has technologies that allow the RDP traffic necessary for communication with a terminal server from a client to be encapsulated in HTTPS packets, which means all communication is via port 443 so no special holes are required in the firewall for access to terminal servers within an organization from the Internet.
  • Universal Description, Discovery, and Integration (UDDI) Services. UDDI Services provides description, discovery, and integration capabilities for sharing information about Web services within an organization’s intranet, between business partners on an extranet, or on the Internet.
  • Web Server (IIS). Enables sharing of information on the Internet, intranets, or extranets. It’s a unified Web platform that integrates IIS 7.0, ASP.NET, and Windows Communication Foundation. IIS 7.0 also features enhanced security, simplified diagnostics, and delegated administration.
  • Windows Deployment Services (WDS). Used to install and configure Windows OSs that are stored in the Windows Imaging format remotely on computers via Pre-boot Execution Environment (PXE) boot ROMs.
