what is RIS and what are its requirements
RIS is a remote installation service, which is used to install operation system remotely
Client requirements
PXE DHCP-based boot ROM version 1.00 or later NIC, or a network adapter that is supported by the RIS boot disk.
Should meet minimum operating system requirements
Software Requirements
Below network services must be active on RIS server or any server in the network Domain Name System (DNS Service) Dynamic Host Configuration Protocol (DHCP) Active directory “Directory” service
Can we establish trust relationship between two forests
In Windows 2000 it is not possible. In Windows 2003 it is possible
What is FSMO Roles
Flexible single master operation (FSMO) roles are
Domain Naming Master
Schema Master
PDC Emulator
Infrastructure Master
RID Master
Brief all the FSMO Roles
Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion
In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain
In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are
Schema Master
The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master
The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.
Infrastructure Master
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be
configured to gather the time from an external source. All PDC FSMO role holders
follow the hierarchy of domains in the selection of their in-bound time partner
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following
functions:
Password changes performed by other DCs in the domain are replicated preferentially
to the PDC emulator
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator
master in each domain in the forest.
What is the difference between authoritative and non-authoritative restore
In authoritative restore, Objects that are restored will be replicated to all domain controllers in the domain. This can be used specifically when the entire OU is disturbed in all domain controllers or specifically restore a single object, which is disturbed in all DC’s
In non-authoritative restore, Restored directory information will be updated by other domain controllers based on the latest modification time
what is Active Directory De-fragmentation
De-fragmentation of AD means separating used space and empty space created by deleted objects and reduces directory size (only in offline De-fragmentation
Difference between online and offline de-fragmentation
The size of NTDS.DIT will often be different sizes across the domain controllers in a domain. Remember that Active Directory is a multi-master independent model where updates are occurring in each of the domain controllers with the changes being replicated over time to the other domain controllers.
The changed data is replicated between domain controllers, not the database, so there is no guarantee that the files are going to be the same size across all domain controllers.
Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a directory online defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around the database file (NTDS.DIT) and doesn’t reduce the file’s size - the database file cannot be compacted while Active Directory is mounted.
Active Directory routinely performs online database defragmentation, but this is limited to the disposal of tombstoned objects. The database file cannot be compacted while Active Directory is mounted (or online).
An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller than
the NTDS.DIT file on its peers. However, defragmenting the NTDS.DIT file isn’t something you should really need to do. Normally, the database self-tunes and automatically tombstoning the records then sweeping them away when the tombstone lifetime has passed to make that space available for additional records
Defragging the NTDS.DIT file probably won’t help your AD queries go any faster in the long run.
So why defrag it in the first place? One reason you might want to defrag your NTDS.DIT file is to save space, for example if you deleted a large number of records at one time.
To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the following steps: Back up Active Directory (AD). Reboot the server, select the OS option, and press F8 for advanced options. Select the Directory Services Restore Mode option, and press Enter. Press Enter again to start the OS. W2K will start in safe mode, with no DS running. Use the local SAM’s administrator account and password to log on. You’ll see a dialog box that says you’re in safe mode. Click OK. From the Start menu, select Run and type cmd.exe In the command window, you’ll see the following text. (Enter the commands in bold.) C:\> ntdsutil ntdsutil: files file maintenance:info .... file maintenance:compact to c:\temp
You’ll see the defragmentation process. If the process was successful, enter quit to return to the command prompt.
Then, replace the old NTDS.DIT file with the new, compressed version. (Enter the commands in bold.)
C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
Restart the computer, and boot as normal.
What is tombstone period
Tombstones are nothing but objects marked for deletion. After deleting an object in AD the objects will not be deleted permanently. It will be remain 60 days by default (which can be configurable) it adds an entry as marked for deletion on the object and replicates to all DC’s. After 60 days object will be deleted permanently from all Dc’s.
what are the monitoring tools used for Server and Network Heath. How to define alert mechanism
Spot Light , SNMP Need to enable
How to deploy the patches and what are the softwares used for this process
Using SUS (Software update services) server we can deploy patches to all clients in the network. We need to configure an option called “Synchronize with Microsoft software update server” option and schedule time to synchronize in server. We need to approve new update based on the requirement. Then approved update will be deployed to clients
We can configure clients by changing the registry manually or through Group policy
by adding WUAU administrative template in group policy
What is Clustering. Briefly define & explain it
Clustering is a technology, which is used to provide High Availability for mission critical applications. We can configure cluster by installing MCS (Microsoft cluster service) component from Add remove programs, which can only available in Enterprise Edition and Data center edition.In Windows we can configure two types of clusters
NLB (network load balancing) cluster for balancing load between servers. This cluster will not provide any high availability. Usually preferable at edge servers like web or proxy.
Server Cluster: This provides High availability by configuring active-active or active-passive cluster. In 2 node active-passive cluster one node will be active and one node will be stand by. When active server fails the application will FAILOVER to stand by server automatically. When the original server backs we need to FAILBACK the application
Quorum: A shared storage need to provide for all servers which keeps information about clustered application and session state and is useful in FAILOVER situation. This is very important if Quorum disk fails entire cluster will fails
Heartbeat: Heartbeat is a private connectivity between the servers in the cluster, which is used to identify the status of other servers in cluster.
How to configure SNMP
SNMP can be configured by installing SNMP from Monitoring and Management tools from Add and Remove programs.
For SNMP programs to communicate we need to configure common community name for those machines where SNMP programs (eg DELL OPEN MANAGER) running. This can be configured from services.msc--- SNMP service -- Security
Is it possible to rename the Domain name & how?
In Windows 2000 it is not possible. In windows 2003 it is possible. On Domain controller by going to MYCOMPUTER properties we can change.
What is SOA Record
SOA is a Start Of Authority record, which is a first record in DNS, which controls the startup behavior of DNS. We can configure TTL, refresh, and retry intervals in this record.
What is a Stub zone and what is the use of it.
Stub zones are a new feature of DNS in Windows Server 2003 that can be used to streamline name resolution, especially in a split namespace scenario. They also help reduce the amount of DNS traffic on your network, making DNS more efficient especially over slow WAN links
What are the different types of partitions present in AD
Active directory is divided into three partitions
Configuration Partition—replicates entire forest
Schema Partition—replicates entire forest
Domain Partition—replicate only in domain
Application Partition (Only in Windows 2003)
What are the (two) services required for replication
File Replication Service (FRS) Knowledge Consistency Checker (KCC)
Can we use a Linux DNS Sever in 2000 Domain
We can use, But the BIND version should be 8 or greater
What is ASR (Automated System Recovery) and how to implement it
ASR is a two-part system; it includes ASR backup and ASR restore. The ASR Wizard, located in Backup, does the backup portion. The wizard backs up the system state, system services, and all the disks that are associated with the operating system components. ASR also creates a file that contains information about the backup, the disk configurations (including basic and dynamic volumes), and how to perform a restore You can access the restore portion by pressing F2 when prompted in the text-mode portion of setup. ASR reads the disk configurations from the file that it creates. It restores all the disk signatures, volumes, and partitions on (at a minimum) the disks that you need to start the computer. ASR will try to restore all the disk configurations, but under some circumstances it might not be able to. ASR then installs a simple installation of Windows and automatically starts a restoration using the backup created by the ASR Wizard.
What are the different levels that we can apply Group Policy
We can apply group policy at SITE level---Domain Level---OU level
What is Domain Policy, Domain controller policy, Local policy and Group policy
Domain Policy will apply to all computers in the domain, because by default it will be associated with domain GPO, Where as Domain controller policy will be applied only on domain controller. By default domain controller security policy will be associated with domain controller GPO. Local policy will be applied to that particular machine only and effects to that computer only.
What is the use of SYSVOL folder
Policies and scripts saved in SYSVOL folder will be replicated to all domain controllers in the domain. FRS (File replication service) is responsible for replicating all policies and scripts
What is folder redirection?
Folder Redirection is a User group policy. Once you create the group policy and link it to the appropriate folder object, an administrator can designate which folders to redirect and where To do this, the administrator needs to navigate to the following location in the Group Policy Object:
User Configuration\Windows Settings\Folder Redirection
In the Properties of the folder, you can choose Basic or Advanced folder redirection, and you can designate the server file system path to which the folder should be redirected.
The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies
Domain Functional Level
Domain functionality activates features that affect the whole domain and that domain only. The four domain functional levels, their corresponding features, and supported domain controllers are as follows:
Windows 2000 mixed (Default)
Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003
Activated features: local and global groups, global catalog support
Windows 2000 native
Supported domain controllers: Windows 2000, Windows Server 2003
Activated features: group nesting, universal groups, SidHistory, converting groups between security groups and distribution groups, you can raise domain levels by increasing the forest level settings
Windows Server 2003 interim
Supported domain controllers: Windows NT 4.0, Windows Server 2003
Supported features: There are no domain-wide features activated at this level. All domains in a forest are automatically raised to this level when the forest level increases to interim. This mode is only used when you upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003 domain controllers.
Windows Server 2003
Supported domain controllers: Windows Server 2003
Supported features: domain controller rename, logon timestamp attribute updated and replicated. User password support on the InetOrgPerson objectClass. Constrained delegation, you can redirect the Users and Computers containersDomains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 domains maintain their current domain functional level when Windows 2000 domain controllers are upgraded to the Windows Server 2003 operating system. You can raise the domain functional level to either Windows 2000 native or Windows Server 2003. After the domain functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added to that domain
The following describes the domain functional level and the domain-wide features that are activated for that level. Note that with each successive level increase, the feature set of the previous level is included.
Forest Functional Level
Forest functionality activates features across all the domains in your forest. Three forest functional levels, the corresponding features, and their supported domain controllers are listed below
Windows 2000 (default)
Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
New features: Partial list includes universal group caching, application partitions, install from media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access Control Lists (SACL) in the Jet Database Engine, Improved topology generation event logging. No global catalog full sync when attributes are added to the PAS Windows Server 2003 domain controller assumes the Intersite Topology Generator (ISTG) role.
Windows Server 2003 interim
Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the "Upgrade from a Windows NT 4.0 Domain" section of this article.
Activated features: Windows 2000 features plus Efficient Group Member Replication using Linked Value Replication, Improved Replication Topology Generation. ISTG Aliveness no longer replicated. Attributes added to the global catalog. ms-DS-Trust-Forest-Trust-Info. Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit
Windows Server 2003
Supported domain controllers: Windows Server 2003
Activated features: all features in Interim Level, Defunct schema objects, Cross Forest Trust, Domain Rename, Dynamic auxiliary classes, InetOrgPerson objectClass change, Application Groups, 15-second intrasite replication frequency for Windows Server 2003 domain controllers upgraded from Windows 2000
After the forest functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the forest. For example, if you raise forest functional levels to Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server cannot be added to the forest.
Different Active Directory features are available at different functional levels. Raising domain and forest functional levels is required to enable certain new features as domain controllers are upgraded from Windows NT 4.0 and Windows 2000 to Windows Server 2003
Domain Functional Levels: Windows 2000 Mixed mode, Windows 2000 Native mode, Windows server 2003 and Windows server 2003 interim ( Only available when upgrades directly from Windows NT 4.0 to Windows 2003)
Forest Functional Levels: Windows 2000 and Windows 2003
Ipsec usage and difference window 2000 & 2003.
Microsoft doesn’t recommend Internet Protocol security (IPSec) network address translation (NAT) traversal (NAT-T) for Windows deployments that include VPN servers and that are located behind network address translators. When a server is behind a network address translator, and the server uses IPSec NAT-T, unintended side effects may occur because of the way that network address translators translate network traffic If you put a server behind a network address translator, you may experience connection problems because clients that connect to the server over the Internet require a public IP address. To reach servers that are located behind network address translators from the Internet, static mappings must be configured on the network address translator. For example, to reach a Windows Server 2003-based computer that is behind a network address translator from the Internet, configure the network address translator with the following static network address translator mappings
• Public IP address/UDP port 500 to the server's private IP address/UDP port 500
• Public IP address/UDP port 4500 to the server's private IP address/UDP port 4500.
These mappings are required so that all Internet Key Exchange (IKE) and IPSec NAT¬T traffic that is sent to the public address of the network address translator is automatically translated and forwarded to the Windows Server 2003-based computer
How to create application partition windows 2003 and its usage?
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Applications and services can use application directory partitions to store application-specific data. Application directory partitions can contain any type of object, except security principals. TAPI is an example of a service that stores its application-specific data in an application directory partition
Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
Is it possible to do implicit transitive forest to forest trust relation ship in windows 2003?
Implicit Transitive trust will not be possible in windows 2003. Between forests we can create explicit trust
Two-way trust
One-way: incoming
One-way: Outgoing
What is universal group membership cache in windows 2003
Information is stored locally once this option is enabled and a user attempts to log on for the first time. The domain controller obtains the universal group membership for that user from a global catalog. Once the universal group membership information is obtained, it is cached on the domain controller for that site indefinitely and is periodically refreshed. The next time that user attempts to log on, the authenticating domain controller running Windows Server 2003 will obtain the universal group membership information from its local cache without the need to contact a global catalog. By default, the universal group membership information contained in the cache of each domain controller will be refreshed every 8 hours
GPMC & RSOP in windows 2003?
GPMC is tool which will be used for managing group policies and will display information like how many policies applied, on which OU’s the policies applied, What are the settings enabled in each policy, Who are the users effecting by these polices, who is managing these policies. GPMC will display all the above informationRSoP provides details about all policy settings that are configured by an Administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation.When policies are applied on multiple levels (for example, site, domain, domain controller, and organizational unit), the results can conflict. RSoP can help you determine a set of applied policies and their precedence (the order in which policies are applied).
Assign & Publish the applications in GP & how?
Through Group policy you can Assign and Publish the applications by creating .msi package for that application
With Assign option you can apply policy for both user and computer. If it is applied to computer then the policy will apply to user who logs on to that computer. If it is applied on user it will apply where ever he logs on to the domain. It will be appear in Start menu—Programs. Once user click the shortcut or open any document having that extension then the application install into the local machine. If any application program files missing it will automatically repair.With Publish option you can apply only on users. It will not install automatically when any application program files are corrupted or deleted.
0 comments:
Post a Comment