How to crack any Wintel Support L2 interview?
By preparing answers for the questions below you can crack any Wintel infrastructure L2 support interview. I have collected Windows server support interview questions from various blogs and forums and am posting them here. The questions cover Windows Active Directory (AD), DNS, DHCP, and Windows Server 2003, 2008 and 2012.
1. How do you check that AD is configured properly?
Ans: Check that the domain controller is publishing the NETLOGON and SYSVOL shares (run net share; SYSVOL lives at %systemroot%\SYSVOL) and that the database folder exists at %systemroot%\NTDS. Then run dcdiag /v and confirm the Advertising, NetLogons and Replications tests pass.
2. How do you transfer the global catalog to another domain controller?
Ans: The global catalog is not a transferable role. Enable the Global Catalog flag on the new server, wait until it has finished replicating the partial replicas and is advertising as a GC (event 1119 / dcdiag /test:Advertising), and only then remove the flag from the old server.
3. How do you configure a global catalog server?
Ans: Open Active Directory Sites and Services, expand Sites > your site > Servers > the desired server, right-click NTDS Settings, choose Properties and tick the Global Catalog check box.
4. What are the FSMO roles, and what is the impact if one of them goes down?
Ans: FSMO stands for Flexible Single Master Operation. There are five roles:
Schema Master (forest-wide role): if it is down you cannot modify or extend the schema (an Exchange schema update, for example, fails).
Domain Naming Master (forest-wide role): if it is down you cannot add or remove domains or application partitions in the forest.
PDC Emulator (domain-wide role): the most visible outage. Password changes are replicated to it urgently, it is the authoritative time source for the domain, account lockout and bad-password checks are referred to it, and GPMC edits policies on it by default, so users notice authentication problems quickly.
RID Master (domain-wide role): DCs keep creating objects from their current RID pool; object creation fails only once a DC exhausts its pool and cannot get a new one.
Infrastructure Master (domain-wide role): cross-domain group membership references are not updated. This only matters in a multi-domain forest where not every DC is a GC.
5. What is the RID pool?
Ans: The RID Master hands out a pool of RIDs (Relative Identifiers) to each domain controller in the domain. When an object is created it gets a unique SID (Security Identifier) made of the domain SID (common to every object in the domain) plus a RID that is unique within the domain. Each DC requests a pool of 500 RIDs by default and asks the RID Master for a new one when the pool runs low.
6. How do you check which server holds each FSMO role?
Ans: (i) dcdiag /test:KnowsOfRoleHolders /v
(ii) netdom query fsmo
7. How do you transfer FSMO roles from one domain controller to another using the GUI?
Ans: RID, PDC and Infrastructure: Start > Run > dsa.msc (Active Directory Users and Computers), right-click the domain, choose Operations Masters, connect to the target DC and click Change for each role.
Domain Naming Master: Start > Run > domain.msc (Active Directory Domains and Trusts), right-click the root node, choose Operations Master and click Change.
Schema Master: first register the snap-in with regsvr32 schmgmt.dll, then Start > Run > mmc, add the Active Directory Schema snap-in, right-click Active Directory Schema, choose Operations Master and click Change. (For the command-line method see question 55.)
8. What are the AD database and log files, where are they stored, and what are the log files for?
Ans: The database is NTDS.DIT, stored by default in %systemroot%\NTDS\ (that is C:\Windows\NTDS\ntds.dit). The transaction logs are in the same folder: edb.log (the current transaction log, 10 MB), edbxxxxx.log (older logs not yet purged), edb.chk (the checkpoint file that records which log entries are already committed to the database) and the reserved logs res1.log/res2.log on Windows 2003 (edbres00001.jrs/edbres00002.jrs on 2008 and later), which are kept so that in-flight transactions can still be committed when the disk fills up. Every change is written to the log first and committed to ntds.dit afterwards, so after a crash the ESE engine replays the logs from the checkpoint onwards to bring the database back to a consistent state.
9. How do you recover a corrupted AD database file?
Ans: Restart the DC in Directory Services Restore Mode (F8 at boot; on 2008 and later you can instead stop the Active Directory Domain Services service) and use ntdsutil: files, then integrity to check the ESE database; then semantic database analysis with go fixup for directory-level checks; finish with an offline defragmentation (files, compact to <folder>) and copy the compacted ntds.dit back. If the database cannot be repaired, restore the System State from the most recent backup, or demote the DC with dcpromo /forceremoval, clean its metadata and promote it again so it receives a fresh copy from a healthy replica.
10. Is it possible to rename a domain in Windows 2003?
Ans: Yes, with the rendom.exe tool, provided the forest functional level is Windows Server 2003 and no application in the domain blocks the rename (Exchange 2007, for example, does not support it). It is a disruptive multi-step procedure in which every DC and every member machine is restarted twice, so it is planned carefully rather than done casually.
11. What are the two types of replication?
Ans: Inter-site replication, Intra-site replication.
12. Which protocols are used for replication?
Ans: RPC over IP and SMTP. RPC is used for practically everything. SMTP can only replicate the schema and configuration partitions and the global catalog partial replica, never the domain partition, so it is rarely used.
Replication conflicts (two DCs changing the same attribute before the change has replicated) are resolved per attribute: the change with the higher version number wins; if the version numbers are equal, the later timestamp wins; if those are equal too, the change from the originating DSA with the higher invocation GUID wins.
13. What is the default replication interval?
Ans: The KCC (Knowledge Consistency Checker) builds the replication topology; the transports are RPC over IP and SMTP. Within a site replication is notification driven: on Windows Server 2003 and later a DC notifies its first partner 15 seconds after a change (5 minutes on Windows 2000) and each further partner 3 seconds later, so intra-site replication converges within a minute or so. Between sites replication runs on the site link schedule; the default interval is 180 minutes and the minimum is 15 minutes. Urgent events such as account lockouts and password changes are sent to the PDC emulator immediately.
14. What is the difference between intra-site and inter-site replication?
Intra-site replication is between DCs inside one site: uncompressed, notification driven, always over RPC, in a ring topology with at most three hops between any two DCs. Inter-site replication is between sites over site links: compressed, scheduled, routed through bridgehead servers, over RPC or SMTP.
15. What are the replication partitions, and in which partition does each FSMO role live?
Ans: Role and its partition:
Schema Master: CN=Schema,CN=Configuration,DC=<forest root>
Domain Naming Master: CN=Configuration,DC=<forest root>
PDC Emulator: DC=<domain>
RID Master: DC=<domain>
Infrastructure Master: DC=<domain>
The replication partitions (naming contexts) are:
Schema partition (one per forest, replicated to every DC)
Configuration partition (one per forest, replicated to every DC)
Domain partition (one per domain, replicated to the DCs of that domain)
Application partition (replicated only to the DCs you choose)
16. Is the application partition available in Windows 2003?
Ans: Yes. Application partitions were introduced in Windows Server 2003. They hold application data that should replicate only to selected DCs; the common example is AD-integrated DNS, which stores its zones in the DomainDnsZones and ForestDnsZones partitions.
17. What is DNS?
Ans: Domain Name System.
It resolves host names (FQDNs) to IP addresses and vice versa. On a Windows network it also carries the SRV records that clients use to locate domain controllers.
18. What are the types of DNS zones?
(i) Primary zone (the writable master copy)
(ii) Secondary zone (a read-only copy obtained by zone transfer)
(iii) Active Directory integrated zone (a primary or stub zone stored in AD and replicated with it; this is what allows secure dynamic updates)
(iv) Stub zone (holds only the NS, SOA and glue A records of another zone, so the server knows whom to ask)
To know more about DNS please read the blog http://dnsfunda.blogspot.com
19. What is the Start of Authority (SOA) record and what is it used for?
Ans: The SOA record names the primary (authoritative) DNS server for the zone and the responsible mailbox, and carries the zone's serial number, which is incremented on every change so that secondaries know when to transfer; the refresh and retry intervals, which govern how often secondaries check for changes; the expire time, after which a secondary stops answering if it cannot reach the primary; and the minimum (negative-caching) TTL.
@   IN  SOA  nameserver.place.dom.  postmaster.place.dom. (
            1       ; serial number
            3600    ; refresh [1h]
            600     ; retry [10m]
            86400   ; expire [1d]
            3600 )  ; min TTL [1h]
20. What record types are available in DNS?
Ans: A (host record, name to IPv4 address), AAAA (name to IPv6 address), PTR (reverse, IP address to name), CNAME (alias), MX (mail exchanger), NS (name server), SOA (start of authority) and SRV (service locator).
21. Explain SRV, MX and CNAME records.
Ans: SRV records point a client to the servers hosting a service; Active Directory publishes them under _msdcs.<domain> so that clients can find domain controllers, Kerberos KDCs and global catalogs. MX (Mail Exchanger) records point to the servers that accept mail for a domain. A CNAME record is an alias for a name that already exists. Suppose two servers were consolidated into one: one of the names becomes unused, but any application that depends on it still has to work, so we create a CNAME mapping the unused name to the name in use and the application keeps functioning.
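The DC-locator lookup described above, as an added example (not from the original post): it queries the SRV records that domain members use to find domain controllers, Kerberos KDCs and global catalogs, and confirms that each SRV target also has an A record, which is the usual cause of "no logon servers available" when a DC has been renamed or rebuilt. It assumes the DnsClient module (Windows 8 / Server 2012 or later); the domain name and DNS server address are placeholders.

```powershell
# Added example: check AD SRV records and their A-record targets.
# "corp.example.com" and 10.0.0.10 are placeholders, not values from the post.
param(
    [string]$Domain    = "corp.example.com",
    [string]$DnsServer = "10.0.0.10"
)

$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # LDAP on any writable DC (port 389)
    "_kerberos._tcp.dc._msdcs.$Domain",  # Kerberos KDC (port 88)
    "_gc._tcp.$Domain"                   # global catalog (port 3268)
)

foreach ($name in $srvNames) {
    $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { Write-Warning "No SRV record for $name"; continue }

    foreach ($r in $srv) {
        # NameTarget is the DC host name the client will contact on $r.Port
        $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{
            Record   = $name
            Target   = $r.NameTarget
            Port     = $r.Port
            Priority = $r.Priority
            Weight   = $r.Weight
            IPv4     = if ($a) { $a.IPAddress -join ',' } else { '<no A record>' }
        }
    }
}

# The MX lookup from question 21: which hosts accept mail for the domain, lowest Preference first
Resolve-DnsName -Name $Domain -Type MX -Server $DnsServer -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'MX' } |
    Sort-Object Preference |
    Select-Object NameExchange, Preference
```

Run it from a domain member against each DNS server in turn; a target that shows `<no A record>` is a stale SRV entry that the DC's Netlogon service should re-register (`nltest /dsregdns` on that DC).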
22. Where are the DNS zone files and the DNS database stored?
Ans: Standard (file-backed) zones are in %SystemRoot%\System32\dns, one <zonename>.dns file per zone. AD-integrated zones have no file: they are stored in the directory, in the DomainDnsZones or ForestDnsZones application partition (or in the domain partition for Windows 2000 compatibility).
23. How do you configure a DHCP server?
Ans: Install the DHCP Server role, authorize the server in Active Directory (a DHCP server running on a domain member will not hand out leases until it is authorized, which is what stops rogue servers), create a scope with the address range, subnet mask and lease duration, add exclusions for statically addressed hosts, set the scope options (router, DNS servers, DNS domain name) and activate the scope.
24. How do you reserve an IP address?
Ans: Create a reservation in the DHCP scope that binds the client's MAC address to a particular IP address; that client then always receives the same lease.
25. Why do we need two or more subnets?
Ans: To segment the network: to keep broadcast traffic local, to separate one class of hosts or traffic from another, and to control what passes between segments with a router or firewall.
26. If we have two different subnets, how do we configure them on a single DHCP server?
Ans: Create one scope per subnet. The server picks the scope from the subnet of the interface the request arrived on or, for requests forwarded by a relay agent, from the relay agent's address in the giaddr field.
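The procedure in questions 23 to 26 carried out from the command line, as an added example that is not part of the original post: authorize the server, create one scope per subnet with its options and an exclusion range, and add a reservation. It needs the DhcpServer module (Windows Server 2012 or later); every address, name and MAC below is a placeholder.

```powershell
# Added example: DHCP server set-up for two subnets. All values are placeholders.
Import-Module DhcpServer

$dhcp = "dhcp01.corp.example.com"

# Authorize in AD first; an unauthorized server on a domain member hands out nothing
Add-DhcpServerInDC -DnsName $dhcp -IPAddress 10.0.0.20

# One scope per subnet. For clients behind a router the relay agent's giaddr
# field tells the server which of these scopes to answer from.
Add-DhcpServerv4Scope -ComputerName $dhcp -Name "Floor1 10.1.1.0/24" `
    -StartRange 10.1.1.50 -EndRange 10.1.1.250 -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4Scope -ComputerName $dhcp -Name "Floor2 10.1.2.0/24" `
    -StartRange 10.1.2.50 -EndRange 10.1.2.250 -SubnetMask 255.255.255.0 -State Active

# Scope options: router (option 3), DNS servers (6) and DNS domain (15)
foreach ($scope in "10.1.1.0", "10.1.2.0") {
    $gateway = $scope -replace '\.0$', '.1'
    Set-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId $scope `
        -Router $gateway -DnsServer 10.0.0.10, 10.0.0.11 -DnsDomain "corp.example.com"
}

# Keep the first part of the range for statically addressed devices
Add-DhcpServerv4ExclusionRange -ComputerName $dhcp -ScopeId 10.1.1.0 `
    -StartRange 10.1.1.50 -EndRange 10.1.1.60

# Reservation (question 24): the printer with this MAC always gets 10.1.1.100
Add-DhcpServerv4Reservation -ComputerName $dhcp -ScopeId 10.1.1.0 -IPAddress 10.1.1.100 `
    -ClientId "00-11-22-33-44-55" -Name "prn-floor1" -Description "Floor 1 printer"

# Verify
Get-DhcpServerv4Scope -ComputerName $dhcp | Select-Object ScopeId, Name, State
Get-DhcpServerv4Reservation -ComputerName $dhcp -ScopeId 10.1.1.0
```

The reservation can sit inside the exclusion range or the lease range; the exclusion only stops the addresses being offered dynamically.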
27. What is the use of a relay agent?
DHCP discovery is a broadcast and routers do not forward broadcasts, so a client on a subnet without its own DHCP server would never reach one. A DHCP relay agent (the ip helper-address feature on most routers, or the DHCP Relay Agent component of Windows Routing and Remote Access) listens for the broadcast, forwards it as a unicast to the DHCP server and records the subnet it came from in the giaddr field; the server uses that field to pick the right scope and the relay passes the reply back to the client.
28. What is Group Policy?
Ans: A way to push a predefined, desired configuration to all users and computers in an Active Directory environment from a central place: GPOs linked to sites, domains and OUs.
29. The requirement is to disable the USB ports. How will you do it?
Through Group Policy. On Windows Vista/Server 2008 and later use Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access ("All Removable Storage classes: Deny all access"). On older clients, set the Start value of the USBSTOR service to 4 (disabled) through a registry setting or startup script, or deny the Users group permission on %SystemRoot%\Inf\usbstor.inf and usbstor.pnf so the driver cannot be installed.
30. How do you back up Group Policy?
Ans: In GPMC (Group Policy Management Console) right-click a GPO (or the Group Policy Objects container to back them all up), choose Back Up and pick a destination folder. The backup holds the GPO settings and ACLs but not the links or WMI filters, so record where each GPO is linked separately.
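The GPMC backup from question 30 as a script, added here and not part of the original post: it backs up every GPO, writes an HTML report per GPO and, because the backup does not contain links, exports the link information for the domain root and every OU. It assumes the GroupPolicy and ActiveDirectory modules (RSAT on Windows 7 / Server 2008 R2 or later) and a backup path that is a placeholder.

```powershell
# Added example: full GPO backup plus link inventory. D:\GPOBackup is a placeholder path.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$root = "D:\GPOBackup\$(Get-Date -Format 'yyyyMMdd-HHmm')"
New-Item -ItemType Directory -Path $root -Force | Out-Null

# 1. Back up all GPOs (settings, security filtering, SYSVOL files)
$backups = Backup-GPO -All -Path $root -Comment "Scheduled backup"

# 2. A human-readable report per GPO; display names may contain characters
#    that are illegal in file names, so sanitize them
foreach ($gpo in Get-GPO -All) {
    $file = ($gpo.DisplayName -replace '[\\/:*?"<>|]', '_') + ".html"
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $root $file)
}

# 3. Links are not part of the backup: export them from the domain root and every OU
$containers = @((Get-ADDomain).DistinguishedName) +
              (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$links = foreach ($dn in $containers) {
    (Get-GPInheritance -Target $dn).GpoLinks |
        Select-Object DisplayName, Target, Enabled, Enforced, Order
}
$links | Export-Csv -Path (Join-Path $root "gpo-links.csv") -NoTypeInformation

"$(@($backups).Count) GPOs backed up to $root"
# To bring one back later: Restore-GPO -Name "Default Domain Policy" -Path $root
# (then re-create its links from gpo-links.csv with New-GPLink)
```

Keep the backup folder on a volume that Domain Admins alone can read: a GPO backup contains the same security-relevant settings as SYSVOL, including any scripts the GPOs deploy.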
31. You need to configure Active Directory for four different locations. How will you plan it?
Ans: Depending on the requirements: one domain with four sites (usually preferred, since sites handle the WAN links and the replication schedule), or one parent domain with three child domains, or four separate domains (least preferred: more DCs, more trusts and more administration).
32. What are the two modes a terminal server works in?
Ans: Remote Administration mode (two concurrent administrative sessions, no Terminal Services licensing required) and Application Server mode (many user sessions; needs a Terminal Services licensing server and client access licenses).
33. What are the default security groups? Explain them.
Ans: The built-in and default groups created with a domain include: Enterprise Admins (forest-wide administration; exists only in the forest root domain), Schema Admins (may modify the schema), Domain Admins (full control of the domain; added to the local Administrators group of every member machine), Administrators (the built-in administrators group on the DCs), Account Operators (can create and manage user and group accounts but not administrative ones), Server Operators (can log on to DCs, manage services and shares, and back up and restore), Backup Operators (can back up and restore any file regardless of permissions, which makes them effectively privileged), Print Operators, Domain Users (every user account), Domain Computers, Domain Controllers, Domain Guests and Guests. Keep the admin and operator groups as small as possible; oversized membership is a common audit finding.
34. You maintain remote servers that you can reach over Remote Desktop but cannot ping. How do you troubleshoot?
Ans: If RDP (TCP 3389) works, the server is up and IP connectivity exists, so the ping failure means ICMP echo requests are being dropped. Check the Windows Firewall on the server (the inbound rule "File and Printer Sharing (Echo Request - ICMPv4-In)" is off by default on Windows Server 2008 and later), then any firewall or router ACL between you and the server. Use a TCP port check (telnet to 3389, or Test-NetConnection) rather than ping as your availability test.
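The diagnosis in question 34 as a short script, added as an example that is not part of the original post: it compares an ICMP probe with a TCP probe on 3389 and, where only ICMP fails, enables the echo-request firewall rule on the server for the management subnet only. It needs Windows 8 / Server 2012 or later for Test-NetConnection and the NetSecurity cmdlets; the server name and subnet are placeholders.

```powershell
# Added example: ping fails but RDP works. Host name and subnet are placeholders.
$server   = "srv01.corp.example.com"
$mgmtNet  = "10.0.0.0/24"

# -InformationLevel Quiet returns a plain boolean
$icmp = Test-NetConnection -ComputerName $server -InformationLevel Quiet             # ICMP echo
$rdp  = Test-NetConnection -ComputerName $server -Port 3389 -InformationLevel Quiet  # TCP 3389

if ($rdp -and -not $icmp) {
    "$server answers on TCP 3389 but not ICMP: the host is up, echo requests are filtered."

    # Enable the built-in echo-request rule on the server, restricted to the management subnet.
    # Invoke-Command uses WinRM (TCP 5985), so it works while ICMP is blocked.
    Invoke-Command -ComputerName $server -ScriptBlock {
        param($net)
        $rules = Get-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)"
        $rules | Set-NetFirewallRule -RemoteAddress $net
        $rules | Enable-NetFirewallRule
        $rules | Get-NetFirewallRule | Select-Object DisplayName, Profile, Enabled
    } -ArgumentList $mgmtNet
}
elseif (-not $rdp) {
    "$server does not answer on TCP 3389 either: check the host, the RDP service and the path."
}
```

Scoping the rule to the management subnet keeps ICMP reconnaissance from the rest of the network off the table while still letting the monitoring system ping the box.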
35. What is the Kerberos protocol used for?
Ans: Kerberos is the authentication protocol used by default when a user or computer logs on to an Active Directory domain. The KDC on the domain controller issues tickets that the client presents to services, so the password (or its hash) is never sent to each individual server.
36. Which version of Kerberos is used?
Ans: Kerberos version 5 (RFC 4120). NTLM remains as the fallback when Kerberos cannot be used, for example when a resource is addressed by IP address instead of name.
37. What is the authentication protocol in Windows NT?
Ans: Windows NT supported two kinds of challenge/response authentication:
LanManager (LM) challenge/response
Windows NT challenge/response (also known as NTLM challenge/response)
38. What are RAID levels?
Ans: Main RAID levels are RAID-0, RAID-1, RAID-5 and RAID-10.
39. Which RAID would you recommend and why?
Ans: RAID-1 (mirroring) for the OS volume: simple, and a failed disk is replaced and rebuilt quickly.
RAID-5 (stripe set with parity) for the data volume: good read performance and capacity efficiency with tolerance for one disk failure. Use RAID-10 where write performance matters, such as database and transaction logs.
40. What is the difference between RAID-1 and RAID-5?
RAID-1: two disks, and the data on one is mirrored to the other, so if one fails the other still holds the same data and service continues.
RAID-5: a minimum of three disks (the maximum depends on the RAID controller). Data is written across the disks in stripes with distributed parity, so one disk can fail and its contents are rebuilt from the parity on the others.
41. What is the difference between disk mirroring and disk duplexing?
Disk mirroring: disk mirroring (also known as RAID-1) is the practice of duplicating data on separate volumes on two hard disks to make storage more fault-tolerant. Mirroring protects against disk failure because data is constantly written to both disks. However, since the two disks share a common controller, access to both copies is lost if the controller fails.
Disk duplexing: disk duplexing is a variation of mirroring in which each disk has its own controller. Duplexing overcomes the single-controller problem: with redundant controllers, data stays accessible as long as one controller and its disk keep working.
Since each disk has its own controller, one disk keeps serving even if the other disk or the other controller fails, so downtime can be planned at a convenient time. Another benefit of duplexing is increased throughput: with a technique known as a split seek, whichever disk can deliver the requested data faster responds, and multiple requests can be split between the disks for simultaneous processing.
42. What is the dynamic disk?Dynamic disks provide the ability to create volumes that span multiple disks (spanned and striped volumes) and the ability to create fault-tolerant volumes (mirrored and RAID-5 volumes).Dynamic disks offer greater flexibility for volume management because they use a database to track information about dynamic volumes on the disk and about other dynamic disks in the computer. Because each dynamic disk in a computer stores a replica of the dynamic disk database, for example, a corrupted dynamic disk database can repair one dynamic disk by using the database on another dynamic disk.
Dynamic disks are a separate form of volume management that allows volumes to have noncontiguous extents on one or more physical disks. Dynamic disks and volumes rely on the Logical Disk Manager (LDM) and Virtual Disk Service (VDS) and their associated features. These features enable you to perform tasks such as converting basic disks into dynamic disks, and creating fault-tolerant volumes. To encourage the use of dynamic disks, multi-partition volume support was removed from basic disks, and is now exclusively supported on dynamic disks.
The following operations can be performed only on dynamic disks:
1) Create and delete simple, spanned, striped, mirrored, and RAID-5 volumes.
2) Extend a simple or spanned volume.
3) Remove a mirror from a mirrored volume or break the mirrored volume into two volumes.
4) Repair mirrored or RAID-5 volumes.
5) Reactivate a missing or offline disk.
43. What is disk striping?
Ans: Disk striping is the technique of spreading data over multiple disks: the data is divided into blocks and the blocks are written across partitions on several disks. It can be used with parity (RAID-5) or without (RAID-0). Striping improves disk performance because reads and writes are serviced by several spindles in parallel.
44. What are the backup types?
Ans:
(i) Normal or full backup
(ii) Differential backup
(iii) Incremental backup
(iv) Copy backup
(v) Daily backup
45. Which backup types reset the archive bit?
Ans: Normal (full) and incremental backups clear the archive bit on each file they back up, marking it as backed up. Differential, copy and daily backups leave the bit alone, which is why a differential backup keeps growing until the next full backup.
46. What is the use of DFS?
Ans: Distributed File System. DFS Namespaces presents shares from many servers under one logical path (\\domain\share), and DFS Replication keeps the folder targets behind that path in sync, so a folder with several targets gives fault tolerance and clients are referred to the nearest copy. The domain logon process relies on the same referral mechanism: \\domain\SYSVOL and \\domain\NETLOGON are domain-based DFS paths, and the client is referred to a DC in its own site.
47. Do you know about FRS?
Ans: File Replication Service.
Example: replication of the SYSVOL folder between DCs on Windows 2000/2003. From Windows Server 2008 onwards SYSVOL can be replicated by DFS Replication instead, and FRS is deprecated.
48. What is the difference between TCP and UDP?
Ans: TCP is a connection-oriented protocol (handshake, sequencing, acknowledgements and retransmission); UDP is connectionless and offers no delivery guarantee, which makes it lighter and suitable for DNS queries, DHCP and streaming.
49. What is the difference between a hub and a switch?
Ans: A hub repeats every frame out of every port, so all hosts share one collision domain. A switch learns which MAC address sits behind each port and forwards a unicast frame only to that port; only broadcasts and frames for unknown destinations go to all ports. Each switch port is its own collision domain, which is what reduces collisions.
50. At which layer of the OSI model does a router work?
Ans: Layer 3 (the network layer).
51. You are going to migrate a domain. How do you plan it?
Ans: Inventory the source domain (users, groups, computers and the applications that depend on it), establish a trust between source and target, migrate with the Active Directory Migration Tool (ADMT) using SID history so users keep access to resources during the transition, move users and groups first and then workstations and servers, test after each batch, translate security on the resources, and finally decommission the source domain and clean up SID history.
52. For a project you need to share 20 folders. What steps will you take?
Ans: Create the folders on a data volume (not the system drive), create a domain local security group per folder and access level, grant NTFS permissions to those groups (never to individual users), keep the share permissions simple (Authenticated Users with Change) and let NTFS do the restricting, create the shares, enable access-based enumeration so users only see folders they can open, and publish the paths through DFS so the data can be moved later without changing the UNC path.
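The share build-out from question 52 as a repeatable script, added as an example that is not part of the original post: it reads the folder list from a CSV, creates the domain local groups, sets the NTFS ACL on the groups only, and creates each share with broad share permissions, access-based enumeration and SMB encryption. It assumes the SmbShare module (Server 2012 or later) and the ActiveDirectory module; the paths, group names, OU and the CSV content are constructed placeholders.

```powershell
# Added example: bulk share creation with group-based NTFS permissions.
# Paths, group names and the OU are placeholders; the CSV is constructed inline.
Import-Module SmbShare
Import-Module ActiveDirectory

$shares = @"
Name,Path,ReadGroup,ModifyGroup
Finance,D:\Shares\Finance,FS-Finance-R,FS-Finance-RW
HR,D:\Shares\HR,FS-HR-R,FS-HR-RW
"@ | ConvertFrom-Csv            # in practice: Import-Csv .\shares.csv

$groupOU = "OU=FileGroups,DC=corp,DC=example,DC=com"
$domain  = (Get-ADDomain).NetBIOSName

foreach ($s in $shares) {
    # 1. Folder and the domain local groups that will carry the NTFS ACEs
    New-Item -ItemType Directory -Path $s.Path -Force | Out-Null
    foreach ($g in $s.ReadGroup, $s.ModifyGroup) {
        if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
            New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
        }
    }

    # 2. NTFS: stop inheriting from D:\Shares, then grant exactly three ACEs
    $acl = Get-Acl -Path $s.Path
    $acl.SetAccessRuleProtection($true, $false)      # protect, do not copy inherited ACEs
    $grants = @(
        @("BUILTIN\Administrators",       "FullControl"),
        @("$domain\$($s.ReadGroup)",      "ReadAndExecute"),
        @("$domain\$($s.ModifyGroup)",    "Modify")
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g[0], $g[1], "ContainerInherit,ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $s.Path -AclObject $acl

    # 3. Share: permissive share ACL, NTFS does the real work; hide what the user cannot open
    New-SmbShare -Name $s.Name -Path $s.Path -ChangeAccess "Authenticated Users" `
        -FolderEnumerationMode AccessBased -EncryptData $true | Out-Null
}

Get-SmbShare | Where-Object { $_.Name -in $shares.Name } |
    Select-Object Name, Path, FolderEnumerationMode, EncryptData
```

Users are then added to the FS-*-R or FS-*-RW groups only; nothing is ever granted to an individual account on the folder, which keeps the ACLs auditable when the project team changes.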
53. What is the need of a VLAN?Ans: To divide/restrict the traffic into one segment of the network.
54. What privilege is required to transfer FSMO roles?
Ans: Schema Admins for the Schema Master, Enterprise Admins for the Domain Naming Master, and Domain Admins of the relevant domain for the PDC Emulator, RID Master and Infrastructure Master.
55. Write down the command-line steps to transfer the FSMO roles to another server.
Ans:
1. Click Start, click Run, type ntdsutil in the Open box, and click OK.
2. Type roles and press ENTER.
3. Type connections and press ENTER.
4. Type connect to server <servername> and press ENTER, where <servername> is the domain controller that will receive the role.
5. At the server connections prompt, type q and press ENTER.
6. Type transfer <role> for each role you want to transfer. For example:
To transfer the Schema Master, type transfer schema master
To transfer the Domain Naming Master, type transfer naming master (transfer domain naming master on Windows 2000)
To transfer the RID Master, type transfer rid master
To transfer the PDC Emulator, type transfer pdc
To transfer the Infrastructure Master, type transfer infrastructure master
7. At the fsmo maintenance prompt, type q and press ENTER to return to the ntdsutil prompt; type q again to exit.
A transfer needs the current role holder to be online and is the clean way to move a role: the old holder is told it no longer has it.
56. Write down the command-line steps to seize the FSMO roles on a server.
Ans:
1. Click Start, click Run, type ntdsutil in the Open box, and click OK.
2. Type roles and press ENTER.
3. Type connections and press ENTER.
4. Type connect to server <servername> and press ENTER, where <servername> is the domain controller that will take the role.
5. At the server connections prompt, type q and press ENTER.
6. Type seize <role> for each role you want to seize. For example:
To seize the Schema Master, type seize schema master
To seize the Domain Naming Master, type seize naming master (seize domain naming master on Windows 2000)
To seize the RID Master, type seize rid master
To seize the PDC Emulator, type seize pdc
To seize the Infrastructure Master, type seize infrastructure master
7. At the fsmo maintenance prompt, type q and press ENTER to return to the ntdsutil prompt; type q again to exit.
Seize only when the current holder is permanently unavailable (ntdsutil tries a transfer first and falls back to seizing). After a role has been seized, the old holder must never be brought back online; wipe it and remove its metadata (ntdsutil metadata cleanup) before re-promoting it. Let replication finish before seizing the RID Master so that the new holder has the latest pool allocations.
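The transfer and seize procedures of questions 55 and 56 in PowerShell, added as an example that is not part of the original post: it records the current holders, checks the membership that question 54 requires for the Schema Master, moves all five roles, and shows the holders again. It assumes the ActiveDirectory module (Server 2008 R2 or later RSAT); DC02 is a placeholder.

```powershell
# Added example: FSMO transfer/seize with the ActiveDirectory module. DC02 is a placeholder.
Import-Module ActiveDirectory

$target = "DC02"
$roles  = "SchemaMaster", "DomainNamingMaster", "PDCEmulator", "RIDMaster", "InfrastructureMaster"

function Show-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

"Before:"; Show-FsmoHolders | Format-List

# Question 54: the schema role needs Schema Admins, not just Domain Admins
$schemaAdmins = (Get-ADGroupMember -Identity "Schema Admins" -Recursive).SamAccountName
if ($schemaAdmins -notcontains $env:USERNAME) {
    throw "$env:USERNAME is not in Schema Admins; the SchemaMaster transfer would fail."
}

# Graceful transfer: the current holder must be online and gives the role up cleanly
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false

# Seize (old holder permanently gone): -Force tries a transfer first, then seizes.
# Never bring the old holder back afterwards; clean its metadata with ntdsutil.
# Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Force -Confirm:$false

"After:"; Show-FsmoHolders | Format-List
```

The cmdlet accepts several roles in one call, which is convenient when decommissioning a DC, but seize one role at a time with `-Force` in a real outage so a failure halfway is easy to read.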
57. What is the command to remove Active Directory from a domain controller?
Ans: dcpromo for a graceful demotion, or dcpromo /forceremoval when the DC can no longer contact the rest of the domain. After a forced removal, clean the server's leftovers out of the directory with ntdsutil metadata cleanup. On Windows Server 2012 and later dcpromo is deprecated; use Uninstall-ADDSDomainController (with -ForceRemoval when needed).
58. How do you test whether a domain controller is also a global catalog server?
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
Open the Servers folder, and then click the domain controller.
In the domain controller's folder, double-click NTDS Settings.
On the Action menu, click Properties.
On the General tab, view the Global Catalog check box to see if it is selected.
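A script form of the checks in questions 1, 6 and 58, added as an example that is not part of the original post: for every DC in the domain it lists site, GC status and FSMO roles, confirms the NETLOGON and SYSVOL shares are published, and runs the dcdiag tests that prove the DC is advertising. It assumes the ActiveDirectory module and dcdiag.exe (RSAT) on a domain-joined management host with admin rights on the DCs.

```powershell
# Added example: per-DC health and role inventory. Run from a domain-joined admin host.
Import-Module ActiveDirectory

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Shares the DC must publish for logon and Group Policy to work
    $shares = Get-SmbShare -CimSession $dc.HostName -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name

    # /q prints only failures, so empty output means these tests passed
    $diag = & dcdiag.exe /s:$($dc.HostName) /test:Advertising /test:NetLogons /test:Replications /q 2>&1

    [pscustomobject]@{
        DC        = $dc.HostName
        Site      = $dc.Site
        IsGC      = $dc.IsGlobalCatalog          # question 58
        IsRODC    = $dc.IsReadOnly
        FsmoRoles = ($dc.OperationMasterRoles -join ',')   # question 6
        Netlogon  = ($shares -contains 'NETLOGON')          # question 1
        Sysvol    = ($shares -contains 'SYSVOL')
        DcdiagOK  = [string]::IsNullOrWhiteSpace(($diag -join ''))
        DcdiagOut = ($diag -join "`n")
    }
}

$report | Format-Table DC, Site, IsGC, IsRODC, FsmoRoles, Netlogon, Sysvol, DcdiagOK -AutoSize

# Anything that failed, with the dcdiag text for the ticket
$report | Where-Object { -not ($_.Netlogon -and $_.Sysvol -and $_.DcdiagOK) } |
    Select-Object DC, DcdiagOut
```

A DC that shows IsGC true but fails the Advertising test is the classic half-configured global catalog: the flag is set but the partial replicas have not finished replicating, so clients are not yet referred to it.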
1) What is Active Directory?
Active Directory directory service is a central component of the Windows platform that provides the means to manage the identities and relationships that make up network environments. For example, we can create, manage and administer users, computers and printers in the network from Active Directory.
2) What is DNS? Why is it used? What are "forward lookup" and "reverse lookup" in DNS? What are A records and MX records?
DNS is the Domain Name System and is used for resolving names to IP addresses and IP addresses to names. Computers work with numbers while people remember names, so we assign names to computers and websites; when we use a name (like yahoo.com) the computer uses DNS to convert it to an IP address and then carries out our request.
Forward lookup: converting names to IP addresses.
Reverse lookup: resolving IP addresses to names, using PTR records in a reverse lookup zone.
'A' record: the host record. It maps a name to an IPv4 address and is the record DNS uses to find the address for a name.
'MX' record: the mail exchanger record. It is the record needed to locate the mail servers for a domain, and it is also stored in DNS.
3) What is DHCP? Why is it used? What are scopes and superscopes?
DHCP: Dynamic Host Configuration Protocol. It allocates IP addresses automatically to a large number of PCs in a network, which makes IP management much easier.
Scope: a range of IP addresses for one subnet, together with options such as the subnet mask, default gateway, DNS server addresses and an exclusion range, which the server leases to clients so they can communicate with other hosts.
Superscope: two or more scopes grouped together so that one DHCP server can serve several logical subnets on the same physical segment.
4) What types of LAN cable are used? What is a cross cable?
The LAN cables in common use are Cat 5 and Cat 6. Cat 5 supports 100 Mbps and Cat 6 supports 1 Gbps (Cat 5e also carries gigabit).
Cross cable: a crossover cable, used to connect two devices of the same type directly, without a switch or hub, so that they can communicate.
5) What is the difference between a normal LAN cable and a cross cable? What is the maximum length of a LAN cable?
The way the wire pairs are connected to the RJ45 connector differs: a crossover cable swaps the transmit and receive pairs on one end, a normal (straight-through) cable wires both ends identically.
The specified maximum is 100 metres, but beyond about 80 metres you may see the speed drop due to signal loss.
6) What would you use to connect two computers without a switch?
A crossover cable.
7) What is the IPCONFIG command? Why is it used?
ipconfig displays the IP configuration assigned to the computer. From its output (ipconfig /all) we can find the IP address, subnet mask, default gateway, DNS servers, DHCP server and MAC address of each adapter.
8) What is an APIPA address? Or, what IP address does a computer get when the DHCP server is not available?
When no DHCP server responds, a Windows client assigns itself an address so that it can still talk to other hosts on the same segment. This is APIPA (Automatic Private IP Addressing), and the address is in the range 169.254.0.0/16 (169.254.x.x). Seeing a 169.254 address on a client is the usual sign that DHCP is unreachable.
9) What is a domain? What is the difference between a domain and a workgroup?
A domain is created when we install Active Directory. It is a security boundary used to manage the computers inside it: they are administered centrally, with one set of accounts held on the domain controllers, and governed by common policies (Group Policy).
In a workgroup each computer keeps its own local accounts and settings, so none of this is possible.
10) Do you know how to configure Outlook 2000 and Outlook 2003 for a user?
Please visit the link below to find out how to configure Outlook 2000 and Outlook 2003: http://www.it.cmich.edu/quickguides/qg_outlook2003_server.asp
11) What is a PST file, what is the difference between a PST file and an OST file, and what file does Outlook Express use?
A PST file stores mail locally when Outlook 2000 or 2003 is used with a POP3/IMAP account or as an archive. An OST file is the offline cache used when Outlook runs against Exchange in Cached Exchange Mode; it is a copy of the server mailbox and can be rebuilt from the server if lost. Outlook Express stores its mail in .dbx files.
12) What is BSOD? What do you do when you get a blue screen on a computer? How do you troubleshoot it?
BSOD stands for Blue Screen of Death. When there is a hardware or OS fault because of which Windows cannot keep running, it shows a blue screen with a stop code. The first thing to try is booting with "Last Known Good Configuration".
If that does not work, boot into Safe Mode. If it boots, the problem is with one of the devices or drivers; use the stop code and the minidump in %SystemRoot%\Minidump to identify the faulting driver.
13) What is RIS? What is imaging/ghosting?
RIS stands for Remote Installation Services. You save an installed image on a Windows server and then use RIS to install that configured image on new hardware; it can deploy both server and client operating systems. Imaging or ghosting does the same job of capturing an installed image and putting it onto new hardware when needed. We use RIS or imaging/ghosting because installing the OS every time from a CD is very time consuming.
14) What is a VPN and how do you configure it?
VPN stands for Virtual Private Network. A VPN is used to connect to the corporate network from outside and reach resources such as mail and file shares on the LAN over an encrypted tunnel. It can be configured using the steps in this KB article: http://support.microsoft.com/kb/305550
15) Your computer slowly drops out of the network, and a reboot fixes the problem. What do you do to resolve this?
Update the network card driver.
16) Your system is infected with a virus. How do you recover the data?
Set up another system: install the OS with the latest patches and an antivirus product with the latest updates. Connect the infected hard disk as a secondary drive in that system (never boot from it), scan and clean the secondary disk, and then copy the files to the new system.
17) How do you join a system to the domain? What type of user can add a system to the domain?
By default any authenticated domain user can join up to 10 computers (the ms-DS-MachineAccountQuota attribute on the domain); members of Domain Admins or Account Operators, or anyone delegated the "Create Computer objects" right on the OU, are not limited by that quota. For the procedure, please visit the article below and read "Adding the Workstation to the Domain":
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologi
/directory/
18) What is the difference between a switch and a hub?
A switch sends traffic only to the port the destination is on. A hub sends traffic to all ports.
19) What is a router? Why do we use it?
A router is a layer 3 device that forwards packets between different networks (subnets) based on the destination IP address, using routes it has configured statically or learned through routing protocols. A switch only forwards frames within one network; the router is what joins networks together.
20) What are manageable and non-manageable switches?
Switches that can be administered are called manageable (managed) switches; for example, we can create VLANs on such a switch. On non-manageable switches we cannot.
KCC
The KCC is a built-in process that runs on all domain controllers and generates replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.
How do you view replication properties for AD?
On Windows 2000/2003, with Active Directory Replication Monitor (Start > Run > replmon, from the Support Tools). Replmon was removed in Windows Server 2008; there use repadmin /showrepl and repadmin /replsummary, or the Get-ADReplication* PowerShell cmdlets.
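The replication view described above, for the servers where Replmon no longer exists, as an added example that is not part of the original post: it lists every inbound replication partner per partition with the time since the last success, flags partners that have not replicated within one inter-site interval, and then lists outstanding failures with their error codes. It assumes the ActiveDirectory module (Server 2008 R2 or later RSAT); the three-hour threshold is an assumption taken from the default site link interval.

```powershell
# Added example: replication health without Replmon. The staleness threshold is an assumption.
Import-Module ActiveDirectory

$maxLag = [TimeSpan]::FromHours(3)   # default inter-site interval is 180 minutes

# Inbound partners and last successful replication per partition, for every DC in the domain
Get-ADReplicationPartnerMetadata -Target * -Scope Domain -PartnerType Inbound |
    ForEach-Object {
        $lag = (Get-Date) - $_.LastReplicationSuccess
        [pscustomobject]@{
            Server      = $_.Server
            # Partner is the NTDS Settings DN; pull the DC name out of it
            Partner     = ($_.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1')
            Partition   = $_.Partition
            LastSuccess = $_.LastReplicationSuccess
            LagMinutes  = [int]$lag.TotalMinutes
            Stale       = ($lag -gt $maxLag)
            LastResult  = $_.LastReplicationResult            # 0 = success
            Failures    = $_.ConsecutiveReplicationFailures
        }
    } |
    Sort-Object Stale, LagMinutes -Descending |
    Format-Table -AutoSize

# Outstanding failures with the Win32 error (e.g. 1722 = RPC server unavailable, 8453 = access denied)
Get-ADReplicationFailure -Target * -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

# The same picture from the classic tool:
#   repadmin /replsummary
#   repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object { $_."Number of Failures" -gt 0 }
```

A partner that is stale on only one partition usually points at a permissions or lingering-object problem on that partition; a partner stale on every partition is a connectivity or Kerberos problem between the two DCs.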
What
are sites What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
Name some OU design considerations?
OU design requires balancing requirements for delegating administrative rights - independent of Group Policy needs - and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
Applying Group Policy: An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. Delegating administrative authority usually doesn't go deeper than 3 OU levels.
http://technet.microsoft.com/en-us/library/cc783140.aspx
What are FSMO Roles? List them.
FSMO roles are server roles in a Forest. There are five types of FSMO roles:
1-Schema master
2-Domain naming master
3-RID master
4-PDC Emulator
5-Infrastructure master
Logical Diagram of Active Directory? What is the difference between a child domain & an additional domain server?
Well, if you know what a domain is then you have half the answer. Say you have the domain Microsoft.com. Now Microsoft has a server named server1 in that domain, which happens to be the parent domain. So its FQDN is server1.microsoft.com. If you add an additional domain server and name it server2, then its FQDN is server2.microsoft.com.
Now Microsoft is big so it has offices in Europe and Asia. So they make child domains for them, and their FQDNs would look like this: europe.microsoft.com & asia.microsoft.com. Now let's say each of them has a server in those child domains named server1. Their FQDNs would then look like this: server1.europe.microsoft.com & server1.asia.microsoft.com.
What are Active Directory Groups?
Groups are containers that contain user and computer objects within them as members. When security permissions are set for a group in the Access Control List on a resource, all members of that group receive those permissions. Domain Groups enable centralized administration in a domain. All domain groups are created on a domain controller.
In a domain, Active Directory provides support for different types of groups and group scopes. The group type determines the type of task that you manage with the group. The group scope determines whether the group can have members from multiple domains or a single domain.
Group Types
* Security groups: Use Security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.
* Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.
Group Scopes
Group scope normally describes which types of users should be grouped together in a way which is easy for their administration. Therefore, in a domain, groups play an important part. One group can be a member of other group(s), which is normally known as group nesting. One or more groups can be members of any group in the entire domain(s) within a forest.
* Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist at all mixed, native and interim functional levels of domains and forests. Domain local group memberships are not limited, as you can add members as user accounts, universal and global groups from any domain. Just to remember, nesting cannot be done in a domain local group: a domain local group will not be a member of another Domain Local or any other group in the same domain.
* Global Group: Users with a similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in the local or another domain in the same forest. To say it in simple words, global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest, as their memberships are limited: user accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible in global groups within other groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain-specific resources (like printers and published folders), they can be members of a Domain Local group. Global groups exist at all mixed, native and interim functional levels of domains and forests.
* Universal Group Scope: these groups are precisely used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or Domain Local group in any domain.
What are the types of backup? Explain each.
Incremental
A "normal" incremental backup will only back up files that have been changed since the last backup of any type. This provides the quickest means of backup, since it only makes copies of files that have not yet been backed up. For instance, following our full backup on Friday, Monday’s tape will contain only those files changed since Friday. Tuesday’s tape contains only those files changed since Monday, and so on. The downside to this is obviously that in order to perform a full restore, you need to restore the last full backup first, followed by each of the subsequent incremental backups to the present day in the correct order. Should any one of these backup copies be damaged (particularly the full backup), the restore will be incomplete.
Differential
A cumulative backup of all changes made after the last full backup. The advantage to this is the quicker recovery time, requiring only a full backup and the latest differential backup to restore the system. The disadvantage is that for each day elapsed since the last full backup, more data needs to be backed up, especially if a majority of the data has been changed.
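An added example (not from the original post) that simulates which files land on each day's tape under the two schemes described above, and which tapes a full restore then needs; the file names and the change log are constructed.

```powershell
# Added example, not from the original post: simulate incremental vs differential
# tapes after a Friday full backup. Files and the change log are constructed.

function Get-BackupPlan {
    param(
        [Parameter(Mandatory)] [string[]]$AllFiles,
        # Ordered map: day -> files changed that day, in calendar order after the full backup
        [Parameter(Mandatory)] [System.Collections.Specialized.OrderedDictionary]$Changes,
        [Parameter(Mandatory)] [ValidateSet('Incremental', 'Differential')] [string]$Scheme
    )

    $tapes = [ordered]@{ Full = $AllFiles }   # the Friday full backup
    $sinceFull = @()

    foreach ($day in $Changes.Keys) {
        $today = @($Changes[$day])
        if ($Scheme -eq 'Incremental') {
            # Only files changed since the previous tape of any type.
            $tapes[$day] = $today
        } else {
            # Everything changed since the full backup, so each tape grows.
            $sinceFull = @(($sinceFull + $today) | Select-Object -Unique)
            $tapes[$day] = $sinceFull
        }
    }

    # Incremental: the full tape plus every incremental tape, in order, none may be missing.
    # Differential: the full tape plus the latest differential tape only.
    $lastDay = @($Changes.Keys)[-1]
    $chain = if ($Scheme -eq 'Incremental') { @($tapes.Keys) } else { @('Full', $lastDay) }

    [pscustomobject]@{ Scheme = $Scheme; Tapes = $tapes; RestoreChain = $chain }
}

# Constructed data: four files, three days of changes after the Friday full backup.
$files   = 'payroll.xlsx', 'sales.docx', 'notes.txt', 'config.ini'
$changes = [ordered]@{
    Monday    = 'payroll.xlsx'
    Tuesday   = 'sales.docx', 'payroll.xlsx'
    Wednesday = 'notes.txt'
}

foreach ($scheme in 'Incremental', 'Differential') {
    $plan = Get-BackupPlan -AllFiles $files -Changes $changes -Scheme $scheme
    "`n$scheme backup:"
    foreach ($tape in $plan.Tapes.Keys) {
        "  {0,-10} {1}" -f $tape, ($plan.Tapes[$tape] -join ', ')
    }
    "  Restore needs: " + ($plan.RestoreChain -join ' -> ')
}
```

Wednesday's differential tape carries all three changed files while the incremental one carries only notes.txt, which is exactly the trade-off the answer describes.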
What is the SYSVOL folder?
The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain.
You can go to SYSVOL folder by typing : %systemroot%/sysvol
What is the ISTG? Who has that role by default?
The first server in the site becomes the ISTG for the site. The domain controller holding this role may not necessarily also be a bridgehead server.
What is the order in which GPOs are applied?
Local, Site, Domain, OU
What are FSMO Roles? (Flexible Single Master Operations)
There are times when you may need to change the Domain Controller which holds one of the 5 FSMO roles. Either you could be facing a disaster recovery, where you have lost the first Windows 2003 Domain Controller, or you are organized and want to get the most out of your Active Directory Forest. Although you rarely need to deal with Microsoft's FSMO, there is the feeling that knowledge of these Operation Masters gives you power over your Windows 2003 Servers.
Background of Operations Masters
For most Active Directory operations, Windows 2003 uses the multiple master model. The benefit is you can add a computer, or change a user's password on any domain controller. For example, if you have three domain controllers, you can physically create a new computer account in the NTDS.dit database on any of the three. Within five minutes (15 seconds in Windows 2003), the new computer object will be replicated to the other two domain controllers. Technically, the Microsoft multiple master model uses a change notification mechanism. Occasionally problems arise if two administrators perform duplicate operations before the next replication cycle. For example, you created an OU called Accounts last week; today, at the same instant you create new users in that OU, another administrator on another DC deletes that OU. Active Directory does its best to obey both administrators. It deletes the OU and creates the Users, but as it cannot create the Users in the OU because it was deleted, the result is the users are added to the orphaned objects in the 'LostAndFound' folder. You can troubleshoot what has happened by locating the 'LostAndFound' folder in Active Directory Users and Computers.
From the View menu in Active Directory Users and Computers -> Advanced Features. It was worth investigating how Active Directory handles orphaned objects because the point of FSMO is that a few operations are so critical that only one domain controller can carry out that process. Imagine what would happen if two administrators tried to make different changes to the same schema object - chaos. That is why administrators can only change the schema on one Domain Controller. Emulating a PDC is the most famous example of such a Single Master Operation; creating a new child domain would be another example.
The Five FSMO Roles
There are just five operations where the usual multiple master model breaks down, and the Active Directory task must only be carried out on one Domain Controller. FSMO roles:
1. PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDCs. However, there are two other FSMO functions which operate even in Windows 2003 Native Domains: synchronizing the W32Time service and creating group policies. I admit that it is confusing that these two jobs have little to do with PDCs and BDCs.
2. RID Master - Each object must have a globally unique number (GUID). The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers. For example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 - 9999.
3. Infrastructure Master - Responsible for checking objects in other domains. Universal group membership is the most important example. To me, it seems as though the operating system is paranoid that, a) you are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions. So if the Infrastructure Master could not check your Universal Groups there could be a security breach.
4. Domain Naming Master - Ensures that each child domain has a unique name. How often do child domains get added to the forest? Not very often I suggest, so the fact that this is a FSMO does not impact on normal domain activity. My point is it's worth the price to confine joining and leaving the domain operations to one machine, and save the tiny risk of getting duplicate names or orphaned domains.
5. Schema Master - Operations that involve expanding user properties, e.g. Exchange 2003 / forestprep, which adds mailbox properties to users. Rather like the Domain Naming Master, changing the schema is a rare event. However, if you have a team of Schema Administrators all experimenting with object properties, you would not want there to be a mistake which crippled your forest. So it's a case of Microsoft knows best: the Schema Master should be a Single Master Operation and thus a FSMO role.
How many FSMO Domain controllers in your Forest?
Three of the FSMO roles (1. 2. and 3.) are held in each domain, whilst two (4. 5.) are unique to the entire forest. Thus, if you have three domains there will be 3 PDC emulators, but only 1 Schema Master.
Checking which DC holds which FSMO role
RID, PDC, Infrastructure (1. 2. and 3.)
You can discover which server holds the Operation Master by opening Active Directory Users and Computers, right-click your Domain and select Properties, Operations Masters.
Domain Naming Master (4.)
To see the Domain Naming Master (4.), navigate to the little-used Active Directory Domains and Trusts, right-click your Domain and select Properties, Operations Masters.
Schema Master (5.)
The Schema Master (5.) is the most difficult FSMO to find. The reason is the Schema snap-in is hidden by default. Perhaps this is Microsoft saying - don't mess with the object definitions. However, you can reveal the Schema and its FSMO settings thus:
1) Register the Schema snap-in with this command: Run regsvr32 schmmgmt.dll
2) Run MMC, File menu, Add\Remove Snap-in, click the Add button and select Active Directory Schema
3) Select Active Directory Schema, Right Click, Operations Master.
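The three snap-in walks above can be replaced by one query. This is an added example, not from the original post: it uses the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine, lists all five role holders, checks that each still answers on LDAP, and applies one placement check the post does not mention (the Infrastructure Master and global catalog rule).

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT); the domain defaults to the one the caller is logged on to.
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Roles 1-3 are per domain (Get-ADDomain); roles 4 and 5 are per forest (Get-ADForest).
    $roles = [ordered]@{
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'Schema Master'         = $forest.SchemaMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $dc     = Get-ADDomainController -Identity $holder
        [pscustomobject]@{
            Role            = $role
            Holder          = $holder
            Site            = $dc.Site
            IsGlobalCatalog = $dc.IsGlobalCatalog
            # A holder that no longer answers is the disaster-recovery case the post
            # mentions: transfer the role while the holder is up, seize only if it is gone.
            LdapReachable   = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # Well-known rule not covered in the post: the Infrastructure Master only
    # updates cross-domain references (the Universal Group case above) when it is
    # NOT a global catalog, unless every DC in the domain is a global catalog.
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dcs   = @(Get-ADDomainController -Filter * -Server $Domain)
    $infra = $dcs | Where-Object { $_.OperationMasterRoles -contains 'InfrastructureMaster' }
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    if ($infra.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "Infrastructure Master $($infra.HostName) is a GC but not every DC is; cross-domain references will not be updated."
    } else {
        "Infrastructure Master placement OK ($($infra.HostName))"
    }
}

Get-FsmoRoleStatus | Format-Table -AutoSize
Test-InfrastructureMasterPlacement
```

Compare the Holder column against `netdom query fsmo` if you want a second opinion from a tool that does not depend on the AD module.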
Posted by Papudesi Chalapathi at 3:31 PM
Labels: Windows 2003
1. What’s the difference between local, global and universal groups?
Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can’t I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
3. What is LSDOU?
It’s the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.
4. Why doesn’t LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
5. Where are group policies stored?
%SystemRoot%System32\GroupPolicy
6. What is GPT and GPC?
Group policy template and group policy container.
7. Where is GPT stored?
%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority?
The computer settings take priority.
9. You want to set up remote installation procedure, but do not want the user to gain access over it. What do you do?
gponame–> User Configuration–> Windows Settings–> Remote Installation Services–> Choice Options is your friend.
10. What’s contained in administrative template conf.adm?
Microsoft NetMeeting policies
11. How can you restrict running certain applications on a machine?
Via group policy, security settings for the group, then Software Restriction Policies.
12. You need to automatically install an app, but an MSI file is not available. What do you do?
A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.
13. What’s the difference between Software Installer and Windows Installer?
The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.
14. What can be restricted on Windows Server 2003 that wasn’t there in previous products?
Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
15. How frequently is the client policy refreshed?
90 minutes, give or take.
16. Where is secedit?
It’s now gpupdate.
17. You want to create a new group policy but do not wish to inherit.
Make sure you check Block Inheritance among the options when creating the policy.
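A small simulation of how questions 3 and 17 fit together (the LSDOU order, with Block Inheritance on the target OU). This is an added example, not from the original post; the containers, GPO names and settings are constructed, and it also models the Enforced link option, which the post does not mention but which is the standard exception to Block Inheritance.

```powershell
# Added example, not from the original post: LSDOU precedence with Block
# Inheritance. Later links win a conflicting setting; an OU with Block
# Inheritance drops every link above it, except links marked Enforced, which
# survive and beat everything linked below them.

function Resolve-GpoSettings {
    param(
        # Containers from Local down to the target OU. Each is a hashtable with
        # Name, optional BlockInheritance, and Gpos = list of @{ Name; Enforced; Settings }.
        [Parameter(Mandatory)] [hashtable[]]$Chain
    )

    $links = @()
    foreach ($container in $Chain) {
        if ($container.BlockInheritance) {
            $links = @($links | Where-Object { $_.Enforced })   # only Enforced links survive
        }
        foreach ($gpo in $container.Gpos) {
            $links += [pscustomobject]@{ Level = $container.Name; Name = $gpo.Name;
                                         Enforced = [bool]$gpo.Enforced; Settings = $gpo.Settings }
        }
    }

    # Apply order: normal links outermost first (inner ones override), then
    # Enforced links innermost first (so the outermost Enforced link is applied last and wins).
    $normal   = @($links | Where-Object { -not $_.Enforced })
    $enforced = @($links | Where-Object { $_.Enforced })
    [array]::Reverse($enforced)

    $effective = [ordered]@{}
    foreach ($link in ($normal + $enforced)) {
        foreach ($key in $link.Settings.Keys) {
            $effective[$key] = [pscustomobject]@{ Value = $link.Settings[$key]; WinningGpo = $link.Name; Level = $link.Level }
        }
    }
    return $effective
}

# Constructed chain: Local, Site, Domain (Enforced), then an OU that blocks inheritance.
$chain = @(
    @{ Name = 'Local';  Gpos = @(@{ Name = 'Local Policy';    Settings = @{ ScreenSaverTimeout = 0 } }) }
    @{ Name = 'Site';   Gpos = @(@{ Name = 'Site-Baseline';   Settings = @{ ScreenSaverTimeout = 900; WsusServer = 'wsus.example.test' } }) }
    @{ Name = 'Domain'; Gpos = @(@{ Name = 'Domain-Security'; Enforced = $true; Settings = @{ MinPasswordLength = 12; ScreenSaverTimeout = 600 } }) }
    @{ Name = 'OU=Workstations'; BlockInheritance = $true
       Gpos = @(@{ Name = 'WS-Baseline'; Settings = @{ ScreenSaverTimeout = 300 } }) }
)

$result = Resolve-GpoSettings -Chain $chain
foreach ($key in $result.Keys) {
    "{0,-18} = {1,-18} (from {2} at {3})" -f $key, $result[$key].Value, $result[$key].WinningGpo, $result[$key].Level
}
# WsusServer never arrives (the Site link was blocked); ScreenSaverTimeout is 600,
# because the Enforced Domain-Security link overrides WS-Baseline's 300.
```

On a live machine `gpresult /r` (or `Get-GPResultantSetOfPolicy` from the GroupPolicy module) shows the same winning-GPO information for the actual chain.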
18. What is "tattooing" the Registry?
The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.
19. How do you fight tattooing in NT/2000 installations?
You can’t.
20. How do you fight tattooing in 2003 installations?
User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
21. What does IntelliMirror do?
It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.
local files.
23. How do FAT and NTFS differ in approach to user shares?
They don’t, both have support for sharing.
24. Explain the List Folder Contents permission on the folder in NTFS.
Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it?
It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can’t drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into the Run… window.
26. For a user in several groups, are Allow permissions restrictive or permissive?
Permissive: if at least one group has Allow permission for the file/folder, the user will have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive: if at least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.
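Answers 26 and 27 combine into one evaluation rule, shown here as an added example (not from the original post) with constructed identities, groups and ACEs: the user's token is the user plus every group, one matching Deny removes the right, otherwise at least one Allow is needed.

```powershell
# Added example, not from the original post: effective access for a user in
# several groups. Identities and ACEs below are constructed for the demo.

function Test-EffectiveAccess {
    param(
        # Each ACE: @{ Identity; Type = 'Allow' or 'Deny'; Rights = list of right names }
        [Parameter(Mandatory)] [hashtable[]]$Acl,
        [Parameter(Mandatory)] [string]$User,
        [string[]]$Groups = @(),
        [Parameter(Mandatory)] [string]$Right
    )

    $token    = @($User) + $Groups
    $matching = @($Acl | Where-Object { $token -contains $_.Identity -and $_.Rights -contains $Right })
    $denied   = @($matching | Where-Object { $_.Type -eq 'Deny'  } | ForEach-Object { $_.Identity })
    $allowed  = @($matching | Where-Object { $_.Type -eq 'Allow' } | ForEach-Object { $_.Identity })

    # Real NTFS evaluates explicit ACEs before inherited ones, so an explicit
    # Allow on the object itself beats a Deny inherited from the parent folder.
    # This demo treats every ACE as explicit on the same object, which is the
    # case the two answers describe.
    [pscustomobject]@{
        User      = $User
        Right     = $Right
        Granted   = ($denied.Count -eq 0 -and $allowed.Count -gt 0)
        AllowedBy = $allowed -join ', '
        DeniedBy  = $denied  -join ', '
    }
}

# Constructed ACL. On a live system the same shape can be built from
# (Get-Acl $path).Access: IdentityReference.Value, AccessControlType, FileSystemRights.
$acl = @(
    @{ Identity = 'CORP\Finance';     Type = 'Allow'; Rights = 'Read', 'Write' }
    @{ Identity = 'CORP\Contractors'; Type = 'Deny';  Rights = 'Write' }
    @{ Identity = 'CORP\Auditors';    Type = 'Allow'; Rights = 'Read' }
)

# alice is in Finance (Allow Read/Write) and Contractors (Deny Write):
# Read is granted, Write is denied by Contractors regardless of Finance's Allow.
Test-EffectiveAccess -Acl $acl -User 'CORP\alice' -Groups 'CORP\Finance', 'CORP\Contractors' -Right 'Read'
Test-EffectiveAccess -Acl $acl -User 'CORP\alice' -Groups 'CORP\Finance', 'CORP\Contractors' -Right 'Write'
# bob is only in Finance, so Write is granted.
Test-EffectiveAccess -Acl $acl -User 'CORP\bob' -Groups 'CORP\Finance' -Right 'Write'
```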
28. What hidden shares exist on a Windows Server 2003 installation?
Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
29. What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations?
The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
30. We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box.
Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active Directory?
In the Partition Knowledge Table, which is then replicated to other domain controllers.
32. Can you use Start->Search with DFS shares?
Yes.
33. What problems can you have with DFS installed?
Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS.
Yeah, you can’t. Install a standalone one.
35. Is Kerberos encryption symmetric or asymmetric?
Symmetric.
36. How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line?
A time stamp is attached to the initial client request, encrypted with the shared key.
37. What hashing algorithms are used in Windows 2003 Server?
RSA Data Security’s Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003 Server?
Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
39. What’s the number of permitted unsuccessful logons on the Administrator account?
Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators group.
40. If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1?
A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then comparing the hashes.
41. What’s the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce Password History Remembered"?
User’s last 6 passwords.
43. How do you double-boot a Win 2003 server box?
The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel from the Advanced tab and select Startup.
44. What do you do if an earlier application doesn’t run on Windows Server 2003?
When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting Properties –> Compatibility –> selecting the previously supported operating system.
45. If you uninstall Windows Server 2003, which operating systems can you revert to?
Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows Server 2003.
46. How do you get to Internet Firewall settings?
Start –> Control Panel –> Network and Internet Connections –> Network Connections.
47. What are the Windows Server 2003 keyboard shortcuts?
Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog box. Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel with Search for Computers module selected. Winkey + F1 opens Help. Winkey + M minimizes all. Winkey + SHIFT + M undoes minimization. Winkey + R opens Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer.
48. What is Active Directory?
Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of the Active Directory is that everything is considered an object: people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).
49. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster, peer-to-peer read and write relationship, each hosting a copy of the Active Directory.
50. How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
51. What's new in Windows Server 2003 regarding DNS management?
When DC promotion occurs within an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicates the required portions of the directory from that DC. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.
52. When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
53. How can you authenticate between forests?
Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user's home forest; (3) Kerberos delegation to an N-tier application in another forest; and (4) user principal name (UPN) credentials.
1. What are the important Windows port numbers?
RDP – 3389 – (Windows RDP port number and Remote Desktop port number)
FTP – 21 – (File Transfer Protocol)
TFTP – 69 – (TFTP port number)
Telnet – 23 – (Telnet port number)
SMTP – 25 – (SMTP port number)
DNS – 53 – (DNS port number and Domain Name System port number)
DHCP – 68 – (DHCP port number and Dynamic Host Configuration Protocol port number)
POP3 – 110 – (Post Office Protocol 3 port)
HTTP – 80 – (HTTP port number)
HTTPS – 443 – (HTTPS port number)
NNTP – 119 – (Network News Transfer Protocol port number)
NTP – 123 – (NTP port number and Network Time Protocol and SNTP port number)
IMAP – 143 – (Internet Message Access Protocol port number)
SSMTP – 465 – (SMTP over SSL)
SIMAP – 993 – (IMAP over SSL)
SPOP3 – 995 – (POP3 over SSL)
Time – 123 – (NTP port number and Network Time Protocol and SNTP port number)
NetBIOS – 137 – (Name Service)
NetBIOS – 139 – (Datagram Service)
DHCP Client – 546 – (DHCP Client port number)
DHCP Server – 547 – (DHCP Server port number)
Global Catalog – 3268 – (Global Catalog port number)
LDAP – 389 – (LDAP port number and Lightweight Directory Access Protocol port number)
RPC – 135 – (Remote Procedure Call port number)
Kerberos – 88 – (Kerberos port number)
SSH – 22 – (SSH port number and Secure Shell port number)
2. How to check the tombstone lifetime value in your forest
The tombstone lifetime (TSL) differs from OS to OS: for Windows Server 2000/2003 it is 60 days; in Windows Server 2003 SP1 the default TSL value was increased from 60 days to 180 days; in Windows Server 2003 R2 the TSL value was decreased to 60 days again; and for Windows Server 2003 R2 SP2 and Windows Server 2008 it is 180 days.
If you are migrating a Windows 2003 environment to Windows 2008, then it is 60 days.
You can use the command below to check/view the current tombstone lifetime value for your domain/forest:
dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,<forestDN>" -scope base -attr tombstonelifetime
Replace <forestDN> with your domain partition DN; for domainname.com the DN would be dc=domainname,dc=com
3. How to find the domain controller that contains the lingering object
If Strict Replication Consistency is enabled:
Lingering objects are not present on the domain controllers that log Event ID 1988. The source domain controller contains the lingering object.
If Strict Replication Consistency is not enabled:
Lingering objects are not present on the domain controllers that log Event ID 1388. The domain controller that does not log Event ID 1388 is the one that contains the lingering object.
For example, if you have 100 domain controllers without Strict Replication Consistency enabled, you will get Event ID 1388 on 99 of them, all except the one that contains the lingering object.
You need to remove the lingering objects from the affected domain controller or decommission that domain controller.
You can use the Event Comb tool (Eventcombmt.exe), a multi-threaded tool that gathers specific events from the Event Viewer logs of different computers at the same time.
You can download these tools from the following location:
4. What are the Active Directory ports?
List of Active Directory ports for Active Directory replication and Active Directory authentication; these ports can be used to configure the firewall.
Active Directory replication – There is no defined port for Active Directory replication. Active Directory replication remote procedure calls (RPC) occur dynamically over an available port through RPCSS (RPC Endpoint Mapper) by using port 135.
File Replication Service (FRS) – There is no defined port for FRS. FRS replication over remote procedure calls (RPCs) occurs dynamically over an available port by using RPCSS (RPC Endpoint Mapper) on port 135.
Other required ports for Active Directory:
TCP 53 – DNS (DNS download)
UDP 53 – DNS (DNS queries)
TCP 42 – WINS
UDP 42 – WINS
TCP 3389 – RDP (Remote Desktop)
TCP 135 – MS-RPC
TCP 1025 & 1026 – AD login & replication
TCP 389 – LDAP
TCP 639 – LDAP over SSL/TLS
TCP 3268 – Global Catalog
TCP 3268 – Global Catalog over SSL/TLS
UDP 137 & 138 – NetBIOS related
UDP 88 – Kerberos v5
TCP 445 – SMB, Microsoft-DS
TCP 139 – SMB
5. How do you do Active Directory health checks?
As an administrator you have to check your Active Directory health daily to reduce Active Directory related issues. If you are not monitoring the health of your Active Directory, what will happen?
Let's say one of the domain controllers fails to replicate. On the first day you will not have any issue. If this continues, you will have logon issues, and you will not see the object changes and new objects that were created or changed on other domain controllers; this will lead to other issues.
If a domain controller has not replicated for more than 60 days, it will lead to lingering-object issues.
Command to check replication to all the DCs (through this we can check Active Directory health):
Repadmin /replsum /bysrc /bydest /sort:delta
You can also save the command output to a text file by using the command below:
Repadmin /replsum /bysrc /bydest /sort:delta >>c:\replication_report.txt
This will list the domain controllers that are failing to replicate, with the delta value.
You can run this daily to check your Active Directory health.
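Added example, not from the original post: a Python parser for captured repadmin /replsum output that applies the daily check above, uses the tombstone lifetime from question 2 as the lingering-object threshold, and applies the Event ID 1388/1988 rule from question 3 to event records. The sample output, DC names and events are constructed, and the delta formats the parser accepts are an assumption about typical repadmin output.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of "repadmin /replsum /bysrc /bydest /sort:delta" output
# (invented for this example, not captured from a real forest).
SAMPLE_REPLSUM = """\
Replication Summary Start Time: 2013-04-23 10:00:00

Beginning data collection for replication summary, this may take awhile:
  ....

Source DSA          largest delta    fails/total %%   error
 NYDC02                >60 days         5 /   5  100  (1722) The RPC server is unavailable.
 NYDC03              03d.04h:12m:10s    0 /   5    0
 NYDC01                   15m:02s       0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 NYDC02                >60 days         5 /   5  100  (1722) The RPC server is unavailable.
 NYDC01                   15m:02s       0 /   5    0
 NYDC03                   16m:40s       0 /   5    0
"""

@dataclass
class DsaSummary:
    role: str           # "source" or "destination", i.e. which table the row came from
    dsa: str            # domain controller name
    delta_seconds: int  # largest replication delta, converted to seconds
    fails: int
    total: int
    error: str

# One table row: DC name, delta, fails / total, percentage, optional error text.
_ROW = re.compile(r"^\s*(?P<dsa>\S+)\s+(?P<delta>>\d+ days|[\dd.hms:]+)\s+"
                  r"(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+(?P<pct>\d+)\s*(?P<error>.*)$")

def parse_delta(text: str) -> int:
    """Convert a delta (15m:02s, 03d.04h:12m:10s, >60 days) to seconds; formats are an assumption."""
    text = text.strip()
    more_than = re.fullmatch(r">(\d+) days", text)
    if more_than:
        return int(more_than.group(1)) * 86400   # a floor: repadmin only says "more than"
    seconds = 0
    if "." in text:                               # leading "NNd." day component
        day_part, text = text.split(".", 1)
        seconds += int(day_part.rstrip("d")) * 86400
    for part in text.split(":"):                  # remaining h/m/s components
        seconds += int(part[:-1]) * {"h": 3600, "m": 60, "s": 1}[part[-1]]
    return seconds

def parse_replsum(output: str) -> List[DsaSummary]:
    """Parse both the Source DSA and Destination DSA tables of /replsum output."""
    rows, role = [], None
    for line in output.splitlines():
        if line.startswith("Source DSA"):
            role = "source"
        elif line.startswith("Destination DSA"):
            role = "destination"
        elif role and (m := _ROW.match(line)):
            rows.append(DsaSummary(role, m["dsa"], parse_delta(m["delta"]),
                                   int(m["fails"]), int(m["total"]), m["error"].strip()))
    return rows

def health_findings(rows: List[DsaSummary], warn_hours: int = 24, tombstone_days: int = 60) -> List[str]:
    """Flag failed partners, stale partners, and partners past the tombstone lifetime (lingering risk)."""
    findings = []
    for r in rows:
        if r.fails:
            findings.append(f"{r.dsa} ({r.role}): {r.fails}/{r.total} failures {r.error}".rstrip())
        if r.delta_seconds >= tombstone_days * 86400:
            findings.append(f"{r.dsa} ({r.role}): no replication for >= {tombstone_days} days, "
                            "lingering-object risk: clean the lingering objects or decommission it")
        elif r.delta_seconds > warn_hours * 3600:
            findings.append(f"{r.dsa} ({r.role}): largest delta {r.delta_seconds // 3600}h "
                            f"exceeds {warn_hours}h")
    return findings

@dataclass
class ReplEvent:
    logged_by: str   # DC whose Directory Service log holds the entry (the replication destination)
    event_id: int
    source_dc: str   # replication partner named in the event text (constructed records below)

def lingering_object_holders(all_dcs: List[str], events: List[ReplEvent], strict: bool) -> Set[str]:
    """Question 3's rule: with strict replication consistency the source DC named in Event ID 1988
    holds the lingering object; without it, the DC that never logs Event ID 1388 is the holder."""
    if strict:
        return {e.source_dc for e in events if e.event_id == 1988}
    clean = {e.logged_by for e in events if e.event_id == 1388}
    return set(all_dcs) - clean

if __name__ == "__main__":
    for finding in health_findings(parse_replsum(SAMPLE_REPLSUM)):
        print(finding)
    sample_events = [ReplEvent("NYDC01", 1388, "NYDC02"), ReplEvent("NYDC03", 1388, "NYDC02")]
    print(lingering_object_holders(["NYDC01", "NYDC02", "NYDC03"], sample_events, strict=False))
```

Feed it the saved c:\replication_report.txt from the command above and pass tombstone_days matching your forest's TSL value from question 2.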
6. GPRESULT failed with an access denied error:
Unable to get the result from gpresult on a Windows 2003 server: gpresult returns access denied errors, although you are able to update the group policy without issue.
Run the following commands to register userenv.dll and recompile the RSoP MOF file.
To resolve the access denied error while running gpresult:
1. Open a cmd prompt
2. Re-register userenv.dll:
Regsvr32 /n /I c:\winnt\system32\userenv.dll
3. CD c:\windows\system32\wbem
4. Mofcomp scersop.mof
5. Gpupdate /force
6. Gpresult
Now you are able to run gpresult without error, and a server reboot is not required for this procedure.
7. What is the command to find out the site name for a given DC?
dsquery server NYDC01 -site
Domain controller name = NYDC01
8. Command to find all DCs in a given site
Command to find all the domain controllers in the "Default-First-Site-Name" site:
dsquery server -o rdn -site Default-First-Site-Name
Site name = Default-First-Site-Name
9. How many types of queries does DNS do?
Iterative Query
Recursive Query
Iterative Query: In this query the client asks the name server for the best possible answer. The name server checks its cache and the zones for which it is authoritative and returns the best possible answer to the client, which is either the full answer (such as an IP address) or a referral to another name server to try.
Recursive Query: The client demands either a full answer or an error message (such as "record or domain name does not exist").
A client machine always sends a recursive query to the DNS server; if the DNS server does not have the requested information, it sends iterative queries to other name servers (through forwarders or a secondary DNS server) until it gets the information, or until the name query fails.
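The recursive-versus-iterative exchange described above, as an added Python simulation that is not from the original post: a stub client sends one recursive query to a resolver, and the resolver walks the root, TLD and authoritative servers with iterative queries, following referrals until it gets an answer or NXDOMAIN. All server names, zones and the 192.0.2.10 address are constructed, and the resolver starts from a root hint rather than a forwarder.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

def _labels(name: str) -> List[str]:
    """'www.example.com.' -> ['www', 'example', 'com']."""
    return [label for label in name.rstrip(".").split(".") if label]

def _in_zone(name: str, zone: str) -> bool:
    """True when name falls under zone, comparing whole labels (the root '.' holds everything)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

@dataclass
class AuthServer:
    """A name server that answers iterative queries only from what it holds:
    its authoritative zone data, or a referral for a delegated child zone."""
    name: str
    zone: str
    records: Dict[str, str] = field(default_factory=dict)            # owner name -> IPv4 address
    delegations: Dict[str, List[str]] = field(default_factory=dict)  # child zone -> NS names

    def iterative_query(self, qname: str) -> Tuple[str, object]:
        if not _in_zone(qname, self.zone):
            return ("REFUSED", None)                # not authoritative, nothing to offer
        children = [z for z in self.delegations if _in_zone(qname, z)]
        if children:                                # best it can do: point at the child zone
            deepest = max(children, key=lambda z: len(_labels(z)))
            return ("REFERRAL", self.delegations[deepest])
        if qname in self.records:
            return ("ANSWER", self.records[qname])
        return ("NXDOMAIN", None)                   # authoritative, and the name is absent

class RecursiveResolver:
    """The DNS server the client talks to: takes one recursive query and walks the
    delegation chain with iterative queries until it has an answer or an error."""

    def __init__(self, servers: Dict[str, AuthServer], root_hint: str):
        self.servers = servers          # NS hostname -> server (stands in for glue records)
        self.root_hint = root_hint
        self.cache: Dict[str, str] = {}
        self.trace: List[Tuple[str, str, str]] = []   # (server asked, qname, result kind)

    def resolve(self, qname: str, max_referrals: int = 8) -> str:
        qname = qname if qname.endswith(".") else qname + "."
        if qname in self.cache:
            self.trace.append(("cache", qname, "HIT"))
            return self.cache[qname]
        next_servers = [self.root_hint]
        for _ in range(max_referrals):              # bounded so a bad delegation cannot loop forever
            server = self.servers[next_servers[0]]
            kind, data = server.iterative_query(qname)
            self.trace.append((server.name, qname, kind))
            if kind == "ANSWER":
                self.cache[qname] = data
                return data
            if kind == "REFERRAL":
                next_servers = data
                continue
            raise LookupError(f"{qname}: {kind}")   # the client gets a definite error
        raise LookupError(f"{qname}: too many referrals")

def build_lab() -> RecursiveResolver:
    """Constructed root -> com -> example.com chain; all names and addresses are made up."""
    root = AuthServer("a.root.test.", ".", delegations={"com.": ["ns.gtld.test."]})
    gtld = AuthServer("ns.gtld.test.", "com.", delegations={"example.com.": ["ns1.example.com."]})
    auth = AuthServer("ns1.example.com.", "example.com.", records={"www.example.com.": "192.0.2.10"})
    return RecursiveResolver({s.name: s for s in (root, gtld, auth)}, root.name)

def stub_lookup(resolver: RecursiveResolver, name: str) -> str:
    """What the client sees from its recursive query: a full answer or an error, never a referral."""
    try:
        return resolver.resolve(name)
    except LookupError as exc:
        return f"error: {exc}"

if __name__ == "__main__":
    lab = build_lab()
    print(stub_lookup(lab, "www.example.com"))   # 192.0.2.10, reached after two referrals
    print(stub_lookup(lab, "nope.example.com"))  # error: nope.example.com.: NXDOMAIN
    for step in lab.trace:
        print(step)
```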
Windows Server 2008/R2 Interview questions Part 1
Difference between 2003 and 2008
1) 2008 is a combination of Vista and Windows 2003 R2. Some new services are introduced in it:
1. RODC, a new type of domain controller introduced in it (Read-only Domain Controller)
2. WDS (Windows Deployment Services) instead of RIS in 2003 server
3. Shadow copy for each and every folder
4. The boot sequence is changed
5. Installation is 32 bit, whereas in 2003 it is 16 as well as 32 bit; that's why installation of 2008 is faster
6. Services are known as roles in it
7. Group Policy editor is a separate option in ADS
2) The main differences between 2003 and 2008 are virtualization and management.
2008 has more inbuilt components and updated third-party drivers. Microsoft introduces a new feature with 2k8, Hyper-V: Windows Server 2008 introduces Hyper-V (V for Virtualization), but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine. If you like this exciting technology, make sure that you buy an edition of Windows Server 2008 that includes Hyper-V, then launch Server Manager and add Roles.
Windows Server 2008 new features
1. Virtualization with Hyper-V
2. Server Core – provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server. From a security standpoint, this is attractive: fewer applications and services on the server make for a smaller attack surface. In theory, there should also be less maintenance and management with fewer patches to install, and the whole server could take up as little as 3Gb of disk space according to Microsoft.
3. IIS 7
4. Role-based installation – rather than configuring a full server install for a particular role by uninstalling unnecessary components (and installing needed extras), you simply specify the role the server is to play, and Windows will install what's necessary and nothing more.
5. Read Only Domain Controllers (RODC)
It's hardly news that branch offices often lack skilled IT staff to administer their servers, but they also face another, less talked about problem. While corporate data centers are often physically secured, servers at branch offices rarely have the same physical security protecting them. This makes them a convenient launch pad for attacks back to the main corporate servers. RODC provides a way to make an Active Directory database read-only. Thus, any mischief carried out at the branch office cannot propagate its way back to poison the Active Directory system as a whole. It also reduces traffic on WAN links.
6. Enhanced terminal services
Terminal services has been beefed up in Server 2008 in a number of ways. TS RemoteApp enables remote users to access a centralized application (rather than an entire desktop) that appears to be running on the local computer's hard drive. These apps can be accessed via a Web portal or directly by double-clicking on a correctly configured icon on the local machine. TS Gateway secures sessions, which are then tunnelled over HTTPS, so users don't need to use a VPN to use RemoteApps securely over the Internet. Local printing has also been made significantly easier.
7. Network Access Protection
Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies, and that those that are not can be remediated, is useful. However, similar functionality has been and remains available from third parties.
8. Windows PowerShell
Microsoft's new(ish) command line shell and scripting language has proved popular with some server administrators, especially those used to working in Linux environments. Included in Server 2008, PowerShell can make some jobs quicker and easier to perform than going through the GUI. Although it might seem like a step backward in terms of user-friendly operation, it's one of those features that, once you've gotten used to it, you'll never want to give up.
Restartable Active Directory Domain Services: You can now perform many actions, such as offline defragmentation of the database, simply by stopping Active Directory. This reduces the number of instances in which you must restart the server in Directory Services Restore Mode and thereby reduces the length of time the domain controller is unavailable to serve requests from
Enhancements to Group Policy: Microsoft has added many new policy settings. In particular, these settings enhance the management of Windows Vista client computers. All policy management is now handled by means of the Group Policy Management Console (GPMC), which was an optional feature first added to Windows Server 2003 R2. In addition, Microsoft has added new auditing capabilities to Group Policy and added a searchable database for locating policy settings from within GPMC. In Windows Server 2008 R2, GPMC enables you to use a series of PowerShell cmdlets to automate many of the tasks (such as maintenance and linking of GPOs) that you would otherwise perform in the GUI. In addition, R2 adds new policy settings that enhance the management of Windows 7 computers.
Windows Server 2008 R2 new features:
Active Directory Recycle Bin
Windows PowerShell 2.0
Active Directory Administrative Center (ADAC)
Offline domain join
Active Directory health check
Active Directory Web Services
Active Directory Management Pack
Windows Server Migration Tools
Managed Service Accounts
What is Server Core? How do you configure and manage a Windows Server 2008 Server Core installation?
The Server Core installation option is an option that you can use for installing Windows Server 2008 or Windows Server 2008 R2. A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles. A server running a Server Core installation of Windows Server 2008 supports the following server roles:
- Active Directory Domain Services (AD DS)
- Active Directory Lightweight Directory Services (AD LDS)
- DHCP Server
- DNS Server
- File Services
- Hyper-V
- Print Services
- Streaming Media Services
- Web Server (IIS)
A server running a Server Core installation of Windows Server 2008 R2 supports the following server roles:
- Active Directory Certificate Services
- Active Directory Domain Services
- Active Directory Lightweight Directory Services (AD LDS)
- DHCP Server
- DNS Server
- File Services (including File Server Resource Manager)
- Hyper-V
- Print and Document Services
- Streaming Media Services
- Web Server (including a subset of ASP.NET)
A Server Core installation does not include the traditional full graphical user interface. Once you have configured the server, you can manage it locally at a command prompt or remotely using a Terminal Server connection. You can also manage the server remotely using the Microsoft Management Console (MMC) or command-line tools that support remote use.
Benefits of a Server Core installation
The Server Core installation option of Windows Server 2008 or Windows Server 2008 R2 provides the following benefits:
- Reduced maintenance. Because the Server Core installation option installs only what is required to have a manageable server for the supported roles, less maintenance is required than on a full installation of Windows Server 2008.
- Reduced attack surface. Because Server Core installations are minimal, there are fewer applications running on the server, which decreases the attack surface.
- Reduced management. Because fewer applications and services are installed on a server running the Server Core installation, there is less to manage.
- Less disk space required. A Server Core installation requires only about 3.5 gigabytes (GB) of disk space to install and approximately 3 GB for operations after the installation.
How do you promote a Server Core to a DC?
In order to install Active Directory DS on your Server Core machine you will need to perform the following tasks:
1. Configure an unattend text file containing the instructions for the DCPROMO process. In this example you will create an additional DC for a domain called petrilab.local:
2. Configure the right Server Core settings
After that you need to make sure the core machine is properly configured.
1. Perform any configuration setting that you require (tasks such as changing the computer name, changing and configuring the IP address, subnet mask, default gateway, DNS address, firewall settings, configuring remote desktop and so on).
2. After changing the required server configuration, make sure that for the task of creating it as a DC you have the following requirements in place:
- A partition formatted with NTFS (you should, it's a server...)
- A network interface card, configured properly with the right driver
- A network cable plugged in
- The right IP address, subnet mask, default gateway
And most importantly, do not forget:
- The right DNS setting, in most cases pointing to an existing internal DNS in your corporate network
3. Copy the unattend file to the Server Core machine
Now you need to copy the unattend file from wherever you've stored it. You can run it from a network location, but I prefer to have it locally on the core machine. You can use the NET USE command on Server Core to map to a network path and copy the file to the local drive. You can also use a regular server/workstation to graphically access the core's C$ share (for example) and copy the file to that location.
4. Run the DCPROMO process
Next you need to manually run DCPROMO. To run the Active Directory Domain Services Installation Wizard in unattended mode, use the following command at a command prompt:
Dcpromo /unattend
Reboot the machine
In order to reboot the Server Core machine, type the following text at the command prompt and press Enter.
shutdown /r /t 0
What are RODCs? What are the advantages?
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources.
Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:
- Improved security
- Faster logon times
- More efficient access to resources on the network
What does an RODC do?
Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller.
However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications.
In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller.
An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a non-administrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest.
You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.
How do
you install an RODC?
1 Make sure you are a member of Domain Admin group
2. Ensure that the forest functional level is Windows
Server 2003 or higher
3. Run adprep /rodcprep
3. Install a writable domain controller that runs Windows Server 2008
– An RODC must replicate domain updates from a writable domain controller that
runs Windows Server 2008. Before you install an RODC, be sure to install a
writable domain controller that runs Windows Server 2008 in the same
domain. The domain controller can run either a full installation or a Server
Core installation of Windows Server 2008. In Windows Server 2008, the
writable domain controller does not have to hold the primary domain controller
(PDC) emulator operations master role.
4. You
can install an RODC on either a full installation of Windows Server 2008
or on a Server Core installation of Windows Server 2008. Follow the below
steps:
§ Click Start, type dcpromo, and then press ENTER to start the Active Directory Domain Services Installation Wizard.
§ On the Choose a Deployment Configuration page, click Existing forest, then click Add a domain controller to an existing domain.
§ On the Network Credentials page, type the name of a domain in the forest where you plan to install the RODC. If necessary, also type a user name and password for a member of the Domain Admins group, and then click Next.
§ Select the domain for the RODC, and then click Next.
§ Click the Active Directory site for the RODC and click Next.
§ Select the Read-only domain controller check box, as shown in the following illustration. By default, the DNS server check box is also selected. To run the DNS server on the RODC, another domain controller running Windows Server 2008 must be running in the domain and hosting the DNS domain zone. An Active Directory–integrated zone on an RODC is always a read-only copy of the zone file. Updates are sent to a DNS server in a hub site instead of being made locally on the RODC.
§ To use the default folders that are specified for the Active Directory database, the log files, and SYSVOL, click Next.
§ Type and then confirm a Directory Services Restore Mode password, and then click Next.
§ Confirm the information that appears on the Summary page, and then click Next to start the AD DS installation. You can select the Reboot on completion check box to make the rest of the installation complete automatically.
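The same promotion can be driven unattended, which is how an RODC is usually built on Server Core. The script below is an added example and not part of the original post: it writes a dcpromo answer file using the documented Windows Server 2008 [DCInstall] keys and runs dcpromo /unattend. The domain (contoso.com), site name, installer account, PRP group names and paths are assumed values; the Password Replication Policy lines deny caching of Domain Admins secrets on the branch box, which is the setting a reviewer would look for first.

```powershell
# Added example (not from the original post): unattended RODC promotion with dcpromo.
# Assumed values: domain contoso.com, site Branch-Office, the installer account,
# and the PRP group names. The [DCInstall] keys are the documented dcpromo
# unattend parameters for Windows Server 2008.

$answerFile = Join-Path $env:TEMP 'rodc-unattend.txt'

# Step 4 above: a writable DC must be reachable for the new RODC to replicate from.
# nltest locates one; confirm separately that it runs Windows Server 2008.
$locator = nltest /dsgetdc:contoso.com /writable 2>&1
if ($LASTEXITCODE -ne 0) { throw "No writable DC located for contoso.com: $locator" }

# The DSRM password is read interactively so it never sits in a script.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))

@"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
SiteName=Branch-Office
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=contoso.com
UserName=rodc-installer
Password=*
PasswordReplicationAllowed="CN=Branch Users,OU=Groups,DC=contoso,DC=com"
PasswordReplicationDenied="CN=Domain Admins,CN=Users,DC=contoso,DC=com"
DelegatedAdmin="contoso\Branch-Admins"
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

# Password=* makes dcpromo prompt for the installer's domain password instead of
# storing it in the file.
dcpromo /unattend:$answerFile

# The answer file still holds the DSRM password: remove it before the reboot.
Remove-Item -Path $answerFile -Force
Restart-Computer -Force
```

RebootOnCompletion is set to No only so that the answer file can be deleted before the restart; with Yes (the wizard's "Reboot on completion" box) the file would survive the reboot with the DSRM password in it.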
What is the minimum requirement to install Windows 2008 server?
Talk about all the AD-related roles in Windows Server 2008/R2.
Active Directory Domain Services
Active Directory Domain Services (AD DS), formerly known as
Active Directory Directory Services, is the central location for configuration
information, authentication requests, and information about all of the objects
that are stored within your forest. Using Active Directory, you can efficiently
manage users, computers, groups, printers, applications, and other
directory-enabled objects from one secure, centralized location.
Benefits
§ Lower costs of managing Windows networks.
§ Simplify identity management by providing a single view of all user information.
§ Boost security with the ability to enable multiple types of security mechanisms within a single network.
§ Improve compliance by using Active Directory as a primary source for audit data.
Active Directory Rights Management Services
Your organization’s intellectual property needs to be safe and
highly secure. Active Directory Rights Management Services, a component of
Windows Server 2008, is available to help make sure that only those individuals
who need to view a file can do so. AD RMS can protect a file by identifying the
rights that a user has to the file. Rights can be configured to allow a user to
open, modify, print, forward, or take other actions with the rights-managed
information. With AD RMS, you can now safeguard data when it is distributed
outside of your network.
Active Directory Federation Services
Active Directory Federation Services is a highly secure, highly
extensible, and Internet-scalable identity access solution that allows
organizations to authenticate users from partner organizations. Using AD FS in
Windows Server 2008, you can simply and very securely grant external users
access to your organization’s domain resources. AD FS can also simplify
integration between untrusted resources and domain resources within your own
organization.
Active Directory Certificate Services
Most organizations use certificates to prove the identity of
users or computers, as well as to encrypt data during transmission across
unsecured network connections. Active Directory Certificate Services (AD CS)
enhances security by binding the identity of a person, device, or service to
their own private key. Storing the certificate and private key within Active
Directory helps securely protect the identity, and Active Directory becomes the
centralized location for retrieving the appropriate information when an
application places a request.
Active Directory Lightweight Directory Services
Active Directory Lightweight Directory Service (AD LDS),
formerly known as Active Directory Application Mode, can be used to provide
directory services for directory-enabled applications. Instead of using your
organization’s AD DS database to store the directory-enabled application data,
AD LDS can be used to store the data. AD LDS can be used in conjunction with AD
DS so that you can have a central location for security accounts (AD DS) and
another location to support the application configuration and directory data
(AD LDS). Using AD LDS, you can reduce the overhead associated with Active
Directory replication, you do not have to extend the Active Directory schema to
support the application, and you can partition the directory structure so that
the AD LDS service is only deployed to the servers that need to support the
directory-enabled application.
What are the new Domain and Forest Functional Levels in Windows Server 2008/R2?
Domain Function Levels
To activate a new domain function level, all DCs in the domain must be running the right operating system. After this requirement is met, the administrator can raise the domain functional level. Here’s a list of the domain function levels available in Windows Server 2008:
Windows 2000 Native Mode
This is the default function level for new Windows Server 2008 Active Directory domains.
Supported Domain controllers – Windows 2000, Windows Server 2003, Windows Server 2008.
Windows Server 2003 Mode
To activate the new domain features, all domain controllers in the domain must be running Windows Server 2003. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2003.
Supported Domain controllers – Windows Server 2003, Windows Server 2008.
Windows Server 2008 Mode
To activate the new domain features, all domain controllers in the domain must be running Windows Server 2008. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2008.
Supported Domain controllers – Windows Server 2008.
Windows 2008 Forest function levels
Forest functionality activates features across all the domains in your forest. To activate a new forest function level, all the domains in the forest must be running the right operating system and be set to the right domain function level. After this requirement is met, the administrator can raise the forest functional level. Here’s a list of the forest function levels available in Windows Server 2008:
Windows 2000 forest function level
This is the default setting for new Windows Server 2008 Active Directory forests.
Supported Domain controllers in all domains in the forest – Windows 2000, Windows Server 2003, Windows Server 2008.
Windows Server 2003 forest function level
To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2003.
Supported Domain controllers in all domains in the forest – Windows Server 2003, Windows Server 2008.
Windows Server 2008 forest function level
To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2008.
Supported Domain controllers in all domains in the forest – Windows Server 2008.
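Because raising a functional level is one-way, the check that every DC runs a supported OS should be done in code before the raise, not discovered afterwards. The following is an added example (not from the original post) using the Active Directory PowerShell module that ships with Windows Server 2008 R2 and later; it walks every domain in the forest, lists DCs that would block the Windows Server 2008 level, and only then raises each domain and the forest.

```powershell
# Added example (not from the original post): prerequisite check and raise to the
# Windows Server 2008 domain and forest functional levels.
Import-Module ActiveDirectory

# Any DC still on Windows 2000 or Windows Server 2003 blocks the 2008 level.
function Get-LevelBlockers {
    param([string[]]$Domains = (Get-ADForest).Domains)
    foreach ($d in $Domains) {
        Get-ADDomainController -Filter * -Server $d |
            Where-Object { $_.OperatingSystem -match 'Windows 2000|Windows Server 2003' } |
            Select-Object Domain, Name, OperatingSystem
    }
}

$blockers = @(Get-LevelBlockers)
if ($blockers.Count -gt 0) {
    $blockers | Format-Table -AutoSize
    throw 'Upgrade or demote the listed domain controllers before raising the level.'
}

# Every domain must be at the target domain level before the forest level can follow.
foreach ($d in (Get-ADForest).Domains) {
    Set-ADDomainMode -Identity $d -DomainMode Windows2008Domain -Confirm:$false
}
Set-ADForestMode -Identity (Get-ADForest).Name -ForestMode Windows2008Forest -Confirm:$false

# Record the result for the change ticket; the raise cannot be rolled back.
Get-ADDomain | Select-Object DNSRoot, DomainMode
Get-ADForest | Select-Object Name, ForestMode
```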
When a child domain is created in the domain tree, what type of trust relationship exists between the new child domain and the tree's root domain?
Transitive and two way.
Which Windows Server 2008 tools make it easy to manage and configure a server's roles and features?
The Server Manager window enables you to view the roles and features installed on a server and also to quickly access the tools used to manage these various roles and features. The Server Manager can be used to add and remove roles and features as needed.
What is WDS? How is WDS configured and managed on a server running Windows Server 2008?
The Windows Deployment Services is the updated and redesigned
version of Remote Installation Services (RIS). Windows Deployment Services
enables you to deploy Windows operating systems, particularly
Windows Vista. You can use it to set up new computers by using a
network-based installation. This means that you do not have to install each
operating system directly from a CD or DVD.
Benefits of Windows Deployment Services
Windows Deployment Services provides organizations with the
following benefits:
§ Allows network-based installation of Windows operating systems, which reduces the complexity and cost when compared to manual installations.
§ Deploys Windows images to computers without operating systems.
§ Supports mixed environments that include Windows Vista, Microsoft Windows XP and Microsoft Windows Server 2003.
§ Built on standard Windows Vista setup technologies including Windows PE, .wim files, and image-based setup.
Prerequisites for installing Windows Deployment Services
Your computing environment must meet the following technical requirements to install Windows Deployment Services:
§ Active Directory. A Windows Deployment Services server must be either a member of an Active Directory domain or a domain controller for an Active Directory domain. The Active Directory domain and forest versions are irrelevant; all domain and forest configurations support Windows Deployment Services.
§ DHCP. You must have a working Dynamic Host Configuration Protocol (DHCP) server with an active scope on the network because Windows Deployment Services uses PXE, which relies on DHCP for IP addressing.
§ DNS. You must have a working Domain Name System (DNS) server on the network to run Windows Deployment Services.
§ An NTFS partition. The server running Windows Deployment Services requires an NTFS file system volume for the image store.
§ Credentials. To install the role, you must be a member of the Local Administrators group on the Windows Deployment Services server. To install an image, you must be a member of the Domain Users group.
§ Windows Server 2003 SP1 or SP2 with RIS installed. RIS does not have to be configured, but must be installed.
Name some of the major changes in GPO in Windows Server 2008.
Cost savings through power options
In Windows Server 2008, all power options have been Group
Policy enabled, providing a potentially significant cost savings. Controlling
power options through Group Policy could save organizations a significant
amount of money. You can modify specific power options through individual Group
Policy settings or build a custom power plan that is deployable by using Group
Policy.
Ability to block device installation
In Windows Server 2008, you can centrally restrict devices
from being installed on computers in your organization. You will now be able to
create policy settings to control access to devices such as USB drives, CD-RW
drives, DVD-RW drives, and other removable media.
Improved security settings
In Windows Server 2008, the firewall and IPsec Group Policy
settings are combined to allow you to leverage the advantages of both
technologies, while eliminating the need to create and maintain duplicate
functionality. Some scenarios supported by these combined firewall and IPsec
policy settings are secure server-to-server communications over the Internet,
limiting access to domain resources based on trust relationships or health of a
computer, and protecting data communication to a specific server to meet regulatory
requirements for data privacy and security.
Expanded Internet Explorer settings management
In Windows Server 2008, you can open and edit Internet
Explorer Group Policy settings without the risk of inadvertently altering the
state of the policy setting based on the configuration of the administrative
workstation. This change replaces earlier behavior in which some Internet
Explorer policy settings would change based on the policy settings enabled on
the administrative workstation used to view the settings
Printer assignment based on location
The ability to assign printers based on location in the
organization or a geographic location is a new feature in Windows
Server 2008. In Windows Server 2008, you can assign printers based on
site location. When mobile users move to a different location, Group Policy can
update their printers for the new location. Mobile users returning to their
primary locations see their usual default printers.
Printer driver installation delegated to users
In Windows Server 2008, administrators can now delegate to users the ability to install printer drivers by using Group Policy. This feature helps to maintain security by limiting distribution of administrative credentials.
What is the AD Recycle Bin? How do you use it?
Active Directory Recycle Bin helps minimize directory
service downtime by enhancing your ability to preserve and restore accidentally
deleted Active Directory objects without restoring Active Directory
data from backups, restarting Active Directory Domain Services
(AD DS), or rebooting domain controllers.
When you enable Active Directory Recycle Bin, all
link-valued and non-link-valued attributes of the deleted Active Directory
objects are preserved and the objects are restored in their entirety to the
same consistent logical state that they were in immediately before deletion.
For example, restored user accounts automatically regain all group memberships
and corresponding access rights that they had immediately before deletion,
within and across domains.
Active Directory Recycle Bin is functional for both
AD DS and Active Directory Lightweight Directory Services
(AD LDS) environments.
By default, Active Directory Recycle Bin in Windows
Server 2008 R2 is disabled. To enable it, you must first raise the
forest functional level of your AD DS or AD LDS environment to
Windows Server 2008 R2, which in turn requires all forest domain
controllers or all servers that host instances of AD LDS configuration
sets to be running Windows Server 2008 R2.
To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet
1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>
For example, to enable Active Directory Recycle Bin for contoso.com, type the following command, and then press ENTER:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
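Enabling the feature is half of the "how do you use it" answer; the other half is finding and restoring a deleted object. The following is an added example (not from the original post) for a Windows Server 2008 R2 forest with the Recycle Bin enabled: it first confirms the feature is actually on (the EnabledScopes property is empty until Enable-ADOptionalFeature has run), then locates a deleted user by sAMAccountName and restores it with its group memberships. The user name jdoe is a constructed sample.

```powershell
# Added example (not from the original post): verify the Recycle Bin is enabled and
# restore a deleted user. 'jdoe' is a constructed sample account.
Import-Module ActiveDirectory

# 1. Is the feature enabled in this forest? Without it, deleted objects become
#    tombstones whose link-valued attributes (group memberships) are stripped.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    throw 'Recycle Bin Feature is not enabled; Restore-ADObject would return a stripped object.'
}

# 2. Find the deleted object and restore it under its last known parent.
function Restore-DeletedUser {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # Deleted objects are only returned with -IncludeDeletedObjects; the
    # sAMAccountName attribute is preserved on them, so it is a safe key.
    $deleted = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName' -and isDeleted -eq `$true" `
                            -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $deleted) { throw "No deleted object with sAMAccountName $SamAccountName" }
    if (@($deleted).Count -gt 1) { throw "Several deleted objects match $SamAccountName; restore by ObjectGUID instead" }

    "Restoring {0} (deleted {1}) into {2}" -f $deleted.Name, $deleted.whenChanged, $deleted.lastKnownParent
    # If lastKnownParent was deleted too, restore the container first or pass -TargetPath.
    $deleted | Restore-ADObject

    # Prove the memberships came back with the object.
    Get-ADUser -Identity $SamAccountName -Properties MemberOf |
        Select-Object Name, DistinguishedName, MemberOf
}

Restore-DeletedUser -SamAccountName 'jdoe'
```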
What are AD Snapshots? How do you use them?
A snapshot is a shadow copy—created by the Volume Shadow Copy
Service (VSS)—of the volumes that contain the Active Directory database and log
files. With Active Directory snapshots, you can view the data inside such a snapshot
on a domain controller without the need to start the server in Directory
Services Restore Mode.
Windows Server 2008 has a new feature allowing administrators to
create snapshots of the Active Directory database for offline use. With AD
snapshots you can mount a backup of AD DS under a different set of ports and
have read-only access to your backups through LDAP.
There are quite a few scenarios for using AD snapshots. For
example, if someone has changed properties of AD objects and you need to revert
to their previous values, you can mount a copy of a previous snapshot to an
alternate port and easily export the required attributes for every object that
was changed. These values can then be imported into the running instance of AD
DS. You can also restore deleted objects or simply view objects for diagnostic
purposes.
It does not allow you to move or copy items or information from
the snapshot to the live database. In order to do that you will need to
manually export the relevant objects or attributes from the snapshot, and
manually import them back to the live AD database.
Steps for using Snapshot:
1. Create a snapshot:
Open CMD.exe, then run Ntdsutil, activate instance ntds, snapshot, create, list all.
2. Mounting an Active Directory snapshot:
Before connecting to the snapshot we need to mount it. By looking at the results of the List All command in the above step, identify the snapshot that you wish to mount, and note the number next to it.
Type Ntdsutil, Snapshot, List all, Mount 2. The snapshot gets mounted to c:\$SNAP_200901250030_VOLUMEC$. Now you can refer to this path to see the objects in the snapshot.
3. Connecting to an Active Directory snapshot:
In order to connect to the AD snapshot you’ve mounted you will need to use the DSAMAIN command. DSAMAIN is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed.
After using DSAMAIN to expose the information inside the AD snapshot, you can use any GUI tool that can connect to the specified port, tools such as Active Directory Users and Computers (DSA.msc), ADSIEDIT.msc, LDP.exe or others. You can also connect to it by using command line tools such as LDIFDE or CSVDE, tools that allow you to export information from that database.
dsamain -dbpath "c:\$SNAP_200901250030_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 10289
The above command will allow you to access the database using port 10289. Now you can use the LDP.exe tool to connect to this mounted instance.
4. Disconnecting from the Active Directory snapshot:
In order to disconnect from the AD snapshot all you need to do is to type CTRL+C at the DSAMAIN command prompt window. You’ll get a message indicating that the DS shut down successfully.
5. Unmounting the snapshot:
Run Ntdsutil, Snapshot, List all, Unmount 2.
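The five steps above are interactive; the script below is an added example (not from the original post) that runs them end to end for the "someone changed an object's properties" scenario: create, mount, expose with dsamain, compare a user's attributes in the snapshot against the live directory, then disconnect and unmount. It assumes the snapshot is entry 2 in list all (as in the post), port 10289, domain contoso.com and a sample user jdoe. dsamain speaks LDAP only, so the lookup uses System.DirectoryServices rather than the AD cmdlets, which need Active Directory Web Services.

```powershell
# Added example (not from the original post): snapshot lifecycle scripted around
# ntdsutil and dsamain. Assumed: entry 2 in 'list all', port 10289, contoso.com, user jdoe.
$Port     = 10289
$Entry    = 2
$DomainDn = 'DC=contoso,DC=com'

# 1. Create. ntdsutil takes its menu commands as arguments; each 'quit' backs out one menu.
ntdsutil "activate instance ntds" snapshot create quit quit | Out-Null

# 2. Mount. The mount line reports the path, e.g. C:\$SNAP_200901250030_VOLUMEC$\
$mountOut  = ntdsutil snapshot "list all" "mount $Entry" quit quit
$match     = $mountOut | Select-String -Pattern '[A-Za-z]:\\\$SNAP_\w+\$' | Select-Object -First 1
if (-not $match) { throw "Mount failed:`n$($mountOut -join "`n")" }
$mountPath = $match.Matches[0].Value

# 3. Connect. Expose the mounted ntds.dit read-only on an alternate LDAP port.
$dit     = Join-Path $mountPath 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $Port" `
                         -PassThru -NoNewWindow
Start-Sleep -Seconds 15   # give dsamain time to bring the LDAP listener up

function Get-UserAttributes {
    param([string]$Sam, [string]$LdapPath)
    $root = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $s    = New-Object System.DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$Sam)")
    $r    = $s.FindOne()
    if (-not $r) { throw "$Sam not found at $LdapPath" }
    $r.Properties
}

$old  = Get-UserAttributes -Sam 'jdoe' -LdapPath "LDAP://localhost:$Port/$DomainDn"
$live = Get-UserAttributes -Sam 'jdoe' -LdapPath "LDAP://$DomainDn"
foreach ($attr in 'description', 'memberof', 'useraccountcontrol') {
    "{0,-20} snapshot={1}  live={2}" -f $attr, ($old[$attr] -join ';'), ($live[$attr] -join ';')
}
# Anything to bring back is re-applied against the live DC (manually or with ldifde);
# nothing can be written to the snapshot.

# 4. Disconnect (same effect as CTRL+C in the dsamain window), then 5. unmount.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "list all" "unmount $Entry" quit quit | Out-Null
```

The mounted path contains a complete copy of the directory database, including password hashes, so the snapshot should be unmounted as soon as the comparison is done and the VSS shadow deleted when no longer needed.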
What is Offline Domain Join? How do you use it?
You can use offline domain join to join
computers to a domain without contacting a domain controller over the network.
You can join computers to the domain when they first start up after an
operating system installation. No additional restart is necessary to complete
the domain join. This helps reduce the time and effort required to complete a
large-scale computer deployment in places such as datacenters.
For example, an organization might need to deploy many virtual machines within a datacenter. Offline domain join makes it possible for the virtual machines to be joined to the domain when they initially start following the operating system installation. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.
A domain join establishes a trust relationship between a
computer running a Windows operating system and an Active Directory
domain. This operation requires state changes to AD DS and state changes on
the computer that is joining the domain. To complete a domain join in the past
using previous Windows operating systems, the computer that joined the domain
had to be running and it had to have network connectivity to contact a domain
controller. Offline domain join provides the following advantages over the
previous requirements:
§ The Active Directory state changes are completed without any network traffic to the computer.
§ The computer state changes are completed without any network traffic to a domain controller.
§ Each set of changes can be completed at a different time.
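The tool behind offline domain join is djoin.exe, which the answer above does not name. The following is an added example (not from the original post) of the two halves: provisioning the computer account and blob on a domain member, and consuming the blob on the target. Domain, computer name, OU and paths are assumed values. Applied to an offline image before first boot, no extra restart is needed, as the answer says; applied to a running OS with /localos, the join takes effect at the next start.

```powershell
# Added example (not from the original post): offline domain join with djoin.exe.
# Assumed: domain contoso.com, computer VM-WEB01, target OU and file paths.

# Provisioning side: run as an account allowed to create computer objects in the OU.
function New-OdjBlob {
    param([string]$Domain, [string]$Machine, [string]$Ou, [string]$OutFile)
    djoin.exe /provision /domain $Domain /machine $Machine /machineou $Ou /savefile $OutFile
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
    # The blob carries the machine account password: restrict it to the current user
    # until it is consumed, and delete it afterwards.
    icacls.exe $OutFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null
    Get-Item -Path $OutFile
}

# Target side: /windowspath points at the Windows directory to update; /localos
# means the running OS rather than an offline image.
function Join-FromOdjBlob {
    param([string]$BlobFile)
    djoin.exe /requestODJ /loadfile $BlobFile /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
    Remove-Item -Path $BlobFile -Force
    Write-Host 'Join is applied at the next start; afterwards verify with: nltest /sc_verify:contoso.com'
}

New-OdjBlob -Domain contoso.com -Machine VM-WEB01 -Ou 'OU=Web,DC=contoso,DC=com' -OutFile C:\odj\VM-WEB01.txt
# Copy C:\odj\VM-WEB01.txt to the new machine, then on that machine run:
#   Join-FromOdjBlob -BlobFile C:\odj\VM-WEB01.txt
```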
What are Fine-Grained Passwords? How do you use them?
You can use fine-grained password policies
to specify multiple password policies within a single domain. You can use
fine-grained password policies to apply different restrictions for password and
account lockout policies to different sets of users in a domain.
For example, you can apply stricter settings to privileged
accounts and less strict settings to the accounts of other users. In other
cases, you might want to apply a special password policy for accounts whose
passwords are synchronized with other data sources.
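The two cases the answer names (stricter settings for privileged accounts, a special policy for synchronized accounts) map directly onto two password settings objects. The script below is an added example (not from the original post) using the Active Directory module on Windows Server 2008 R2 or later; group names and the sample user jdoe are assumed. The last line shows the check that matters in practice: which PSO actually wins for a given user, since a lower Precedence number takes priority when a user is in several groups.

```powershell
# Added example (not from the original post): two fine-grained password policies
# and a resultant-policy check. Group names and 'jdoe' are assumed values.
Import-Module ActiveDirectory

# Stricter policy for privileged accounts: long passwords, short lifetime, tight lockout.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 20 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'

# Accounts whose passwords are synchronized from another system: expiry is managed
# there, so this PSO only prevents Windows from forcing an out-of-band change.
New-ADFineGrainedPasswordPolicy -Name 'PSO-SyncedServiceAccounts' -Precedence 50 `
    -ComplexityEnabled $true -MinPasswordLength 16 -PasswordHistoryCount 12 `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 0) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-SyncedServiceAccounts' -Subjects 'Synced Service Accounts'

# PSOs apply only to users and global security groups. Check which one a user ends up with.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```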
Talk about Restartable Active Directory Domain Services in
Windows Server 2008/R2. What is this feature good for?
Restartable AD DS is a feature in Windows Server 2008
that you can use to perform routine maintenance tasks on a domain controller,
such as applying updates or performing offline defragmentation, without
restarting the server.
While AD DS is running, a domain controller running Windows
Server 2008 behaves the same way as a domain controller running
Microsoft® Windows® 2000 Server or
Windows Server 2003.
While AD DS is stopped, you can continue to log on to the
domain by using a domain account if other domain controllers are available to
service the logon request. You can also log on to the domain with a domain
account while the domain controller is started in Directory Services Restore
Mode (DSRM) if other domain controllers are available to service the logon
request.
If no other domain controller is available, you can log on to
the domain controller where AD DS is stopped in Directory Services Restore
Mode (DSRM) only by using the DSRM Administrator account and password by
default, as in Windows 2000 Server Active Directory or Windows Server 2003
Active Directory.
Benefits of restartable AD DS
Restartable AD DS reduces the time that is required to perform offline operations such as offline defragmentation. It also improves the availability of other services that run on a domain controller by keeping them running when AD DS is stopped. In combination with the Server Core installation option of Windows Server 2008, restartable AD DS reduces the overall servicing requirements of a domain controller.
In Windows 2000 Server Active Directory and Windows Server 2003 Active Directory, you must restart the domain controller in DSRM when you perform offline defragmentation of the database or apply security updates. In contrast, you can stop Windows Server 2008 AD DS as you stop other services that are running locally on the server. This makes it possible to perform offline AD DS operations more quickly than you could with Windows 2000 Server and Windows Server 2003.
You can use Microsoft Management Console (MMC) snap-ins, or the Net.exe command-line tool, to stop or restart Active Directory® Domain Services (AD DS) in the Windows Server® 2008 operating system. You can stop AD DS to perform tasks, such as offline defragmentation of the AD DS database, without restarting the domain controller. Other services that run on the server, but that do not depend on AD DS to function, are available to service client requests while AD DS is stopped. An example of such a service is Dynamic Host Configuration Protocol (DHCP).
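Offline defragmentation is the example the answer keeps returning to, so here it is carried through with restartable AD DS. This is an added example, not from the original post: it reads the database and log locations from the NTDS service registry keys, records which dependent services (DNS, KDC and so on) were running, stops NTDS, compacts to a scratch folder with ntdsutil, swaps the file in only after the integrity check passes, and restarts everything in a finally block so a failure half way does not leave the DC without AD DS. The scratch path is assumed.

```powershell
# Added example (not from the original post): offline defragmentation using
# restartable AD DS. Assumed value: the scratch folder D:\ntds-compact.
$scratch = 'D:\ntds-compact'
$params  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dit     = $params.'DSA Database file'
$logDir  = $params.'Database log files path'

# Remember which dependents (DNS, KDC, ...) were running so they come back afterwards.
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force   # -Force stops the dependents as well

try {
    New-Item -ItemType Directory -Path $scratch -Force | Out-Null
    # Compact writes a new ntds.dit into $scratch; the original stays untouched.
    ntdsutil "activate instance ntds" files "compact to $scratch" quit quit
    $compacted = Join-Path $scratch 'ntds.dit'
    if (-not (Test-Path -Path $compacted)) { throw 'compact produced no file; original database untouched' }

    Copy-Item -Path $dit -Destination "$dit.bak" -Force          # keep the original until integrity passes
    Copy-Item -Path $compacted -Destination $dit -Force
    Remove-Item -Path (Join-Path $logDir '*.log') -Force          # ntdsutil instructs this after a compact

    $check = ntdsutil "activate instance ntds" files integrity quit quit
    if (-not ($check -match 'successful')) {
        Copy-Item -Path "$dit.bak" -Destination $dit -Force
        throw "integrity check failed; original database restored:`n$($check -join "`n")"
    }
    Remove-Item -Path "$dit.bak" -Force
}
finally {
    Start-Service -Name NTDS
    $dependents | ForEach-Object { Start-Service -Name $_.Name }
}
```

Because the DC is otherwise up, DHCP and any other service that does not depend on NTDS keeps answering clients throughout, which is exactly the availability argument made above.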
A few days ago I reverted a snapshot/checkpoint with SCVMM and turned on the virtual machine, but when I tried to log on with a domain user I got this message: "The security database on the server does not have a computer account for this workstation trust relationship". I need to mention that the snapshot/checkpoint was only three hours old.
Solution/Workaround:
You need to do two things.
1. Reapply values in ADSI Edit (adsiedit.msc) or enter new ones if the SPN is missing. Open adsiedit.msc like on the picture below and check the settings in servicePrincipalName.
2. Restart the computer.
3. Log on to your server with the local Administrator account.
4. Change the domain from FQDN to the short name. In my case ekobit.corp changed to ekobit_corp.
5. Restart your server and log in as the domain user.
Relax your mind and enjoy.
NOTE: As you might know, the Winlogon service on Windows 7, Windows Server 2008 and Windows Server 2008 R2 operating systems uses Kerberos logon. So the Service Principal Names (SPNs) need to be configured properly to support Kerberos Authentication.
Other Reference Articles:
Kerberos Authentication Problems: http://blogs.technet.com/b/askds/archive/2008/05/29/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx
Symptoms when secure channel is broken: http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx
Machine Account Password Process: http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx
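The symptom above is the classic one for a reverted machine: the computer account password stored locally no longer matches the one in AD, so the secure channel fails, and the workaround of rejoining under another name sidesteps it rather than repairing it. The script below is an added example (not from the original post) of what a support engineer would run first on the affected server: test the secure channel, repair it in place with Test-ComputerSecureChannel -Repair (which resets the machine password on both sides), verify with nltest, and check that the HOST SPNs the note refers to are still registered. The domain name is an assumed value.

```powershell
# Added example (not from the original post): diagnose and repair a broken
# workstation trust after a snapshot revert. Assumed value: domain contoso.com.
$Domain = 'contoso.com'

function Test-MachineTrust {
    $ok   = Test-ComputerSecureChannel           # uses the locally stored machine account password
    $spns = setspn.exe -L $env:COMPUTERNAME       # lists SPNs registered on the computer object
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        SecureChannelValid = $ok
        HostSpnCount       = @($spns | Where-Object { $_ -match '^\s+HOST/' }).Count
    }
}

$state = Test-MachineTrust
$state

if (-not $state.SecureChannelValid) {
    # A domain account allowed to reset this computer's password; prompted, never hard-coded.
    $cred = Get-Credential
    # Resets the machine account password in AD and locally, keeping the existing
    # computer object, SID and group memberships (unlike a remove/rejoin).
    Test-ComputerSecureChannel -Repair -Credential $cred
    nltest /sc_verify:$Domain
}

if ($state.HostSpnCount -eq 0) {
    # Re-registers the default HOST/ SPNs on the computer object (the note's step 1).
    setspn.exe -R $env:COMPUTERNAME
}
```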
Windows Server DHCP Interview Questions
1. What is dhcp ?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network.
2. What is the dhcp process for client machine?
1. A user turns on a computer with a DHCP client.
2. The client computer sends a broadcast request (called a DISCOVER or DHCPDISCOVER), looking for a DHCP server to answer.
3. The router directs the DISCOVER packet to the correct DHCP server.
4. The server receives the DISCOVER packet. Based on availability and usage policies set on the server, the server determines an appropriate address (if any) to give to the client. The server then temporarily reserves that address for the client and sends back to the client an OFFER (or DHCPOFFER) packet, with that address information. The server also configures the client’s DNS servers, WINS servers, NTP servers, and sometimes other services as well.
5. The client sends a REQUEST (or DHCPREQUEST) packet, letting the server know that it intends to use the address.
6. The server sends an ACK (or DHCPACK) packet, confirming that the client has been given a lease on the address for a server-specified period of time.
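The four message names above are all carried in the same packet layout: a fixed BOOTP header followed by the DHCP magic cookie and a list of options, with option 53 holding the message type. The script below is an added example (not from the original post) that builds a DISCOVER and the matching OFFER as constructed byte arrays and decodes them, so the fields the steps mention (transaction id, client MAC, offered address, server identifier, lease time) can be seen directly. Every address, MAC and xid in it is a made-up sample value.

```powershell
# Added example (not from the original post): construct and decode the DISCOVER and
# OFFER messages of the exchange above. All addresses, the MAC and the xid are samples.
$MessageTypes = @{ 1='DISCOVER'; 2='OFFER'; 3='REQUEST'; 4='DECLINE'; 5='ACK'; 6='NAK'; 7='RELEASE'; 8='INFORM' }

function New-DhcpMessage {
    param([byte]$Op, [byte[]]$Xid, [byte[]]$ClientMac, [byte[]]$YourIp = @(0,0,0,0), [byte[]]$Options)
    $b = New-Object byte[] 240
    $b[0] = $Op; $b[1] = 1; $b[2] = 6                        # op, htype=Ethernet, hlen=6
    [Array]::Copy($Xid, 0, $b, 4, 4)                         # xid ties the four messages together
    $b[10] = 0x80                                            # broadcast flag: client has no address yet
    [Array]::Copy($YourIp, 0, $b, 16, 4)                     # yiaddr: filled in by the server
    [Array]::Copy($ClientMac, 0, $b, 28, 6)                  # chaddr
    $b[236] = 99; $b[237] = 130; $b[238] = 83; $b[239] = 99  # DHCP magic cookie
    [byte[]]($b + $Options + [byte]255)                      # 255 = end option
}

function ConvertFrom-DhcpMessage {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 240 -or $Bytes[236] -ne 99 -or $Bytes[237] -ne 130 -or
        $Bytes[238] -ne 83 -or $Bytes[239] -ne 99) {
        throw 'Not a DHCP message (too short or magic cookie missing)'
    }
    $opts = @{}; $i = 240
    while ($i -lt $Bytes.Length -and $Bytes[$i] -ne 255) {
        if ($Bytes[$i] -eq 0) { $i++; continue }             # pad option
        $code = [int]$Bytes[$i]; $len = [int]$Bytes[$i + 1]
        if ($i + 2 + $len -gt $Bytes.Length) { throw "Option $code overruns the packet" }
        $opts[$code] = if ($len -gt 0) { [byte[]]$Bytes[($i + 2)..($i + 1 + $len)] } else { [byte[]]@() }
        $i += 2 + $len
    }
    if (-not $opts.ContainsKey(53)) { throw 'No message type option (53) present' }
    [pscustomobject]@{
        Direction = if ($Bytes[0] -eq 1) { 'client -> server' } else { 'server -> client' }
        Xid       = '0x' + (($Bytes[4..7] | ForEach-Object { '{0:x2}' -f $_ }) -join '')
        Type      = $MessageTypes[[int]$opts[53][0]]
        ClientMac = ($Bytes[28..33] | ForEach-Object { '{0:X2}' -f $_ }) -join ':'
        YourIp    = $Bytes[16..19] -join '.'
        ServerId  = if ($opts.ContainsKey(54)) { $opts[54] -join '.' } else { $null }
        LeaseSecs = if ($opts.ContainsKey(51)) {
                        [uint32]$opts[51][0] * 16777216 + [uint32]$opts[51][1] * 65536 +
                        [uint32]$opts[51][2] * 256 + [uint32]$opts[51][3]
                    } else { $null }
        Options   = ($opts.Keys | Sort-Object) -join ','
    }
}

# Constructed sample exchange: steps 2 and 4 of the process above.
$xid = [byte[]](0xde, 0xad, 0xbe, 0xef)
$mac = [byte[]](0x00, 0x11, 0x22, 0x33, 0x44, 0x55)
# DISCOVER: message type 1, parameter request list asking for subnet mask, router, DNS
$discover = New-DhcpMessage -Op 1 -Xid $xid -ClientMac $mac -Options ([byte[]](53,1,1, 55,3,1,3,6))
# OFFER: message type 2, server id 10.10.1.20, 12-hour lease (43200 s), mask, router, DNS
$offer = New-DhcpMessage -Op 2 -Xid $xid -ClientMac $mac -YourIp ([byte[]](10,10,20,37)) `
           -Options ([byte[]](53,1,2, 54,4,10,10,1,20, 51,4,0,0,168,192, 1,4,255,255,255,0, 3,4,10,10,20,1, 6,4,10,10,1,10))

ConvertFrom-DhcpMessage -Bytes $discover
ConvertFrom-DhcpMessage -Bytes $offer
```

The decoder is what a rogue-DHCP detection script would be built on: an OFFER whose ServerId is not one of the authorized servers (question 5 below) is the condition to alert on.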
3. What is dhcp scope ?
DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients.
4. Types of scopes in windows dhcp ?
Normal Scope – Allows A, B and C Class IP address ranges to be specified including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.
Multicast Scope – Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservations or other TCP/IP options. Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).
Superscope – Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.
5. What is Authorizing DHCP Servers in Active Directory ?
If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized.
This can be achieved either as part of the DHCP Server role installation, or subsequently using either the DHCP console or at the command prompt using the netsh tool.
If the DHCP server was not authorized during installation, invoke the DHCP console (Start -> All Programs -> Administrative Tools -> DHCP), right click on the DHCP server to be authorized and select Authorize. To achieve the same result from the command prompt, enter the following command:
netsh dhcp server serverID initiate auth
In the above command syntax, serverID is replaced by the IP address or full UNC name of the system on which the DHCP server is installed.
6. What ports are used by DHCP and the DHCP clients ?
Requests are on UDP port 68, Server replies on UDP 67 .
7. List some Benefits of using DHCP
DHCP provides the following benefits for administering your TCP/IP-based network:
Safe and reliable configuration. DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network.
Reduces configuration management. Using DHCP servers can greatly decrease the time spent configuring and reconfiguring computers on your network. Servers can be configured to supply a full range of additional configuration values when assigning address leases. These values are assigned using DHCP options. Also, the DHCP lease renewal process helps assure that where client configurations need to be updated often (such as users with mobile or portable computers who change locations frequently), these changes can be made efficiently and automatically by clients communicating directly with DHCP servers.
The following section covers issues that affect the use of the DHCP Server service with other services or network configurations: using DNS servers with DHCP, using Routing and Remote Access servers with DHCP, and multihomed DHCP servers.
8. Describe the process of installing a DHCP server in an AD infrastructure ?
Open Windows Components Wizard. Under Components, scroll to and click Networking Services. Click Details. Under Subcomponents of Networking Services, click Dynamic Host Configuration Protocol (DHCP) and then click OK. Click Next. If prompted, type the full path to the Windows Server 2003 distribution files, and then click Next. Required files are copied to your hard disk.
9. How to authorize a DHCP server in Active Directory ?
Open DHCP.
In the console tree, click DHCP.
On the Action menu, click Manage authorized servers.
The Manage Authorized Servers dialog box appears. Click Authorize.
When prompted, type the name or IP address of the DHCP server to be authorized, and then click OK.
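Questions 4, 5 and 9 above are all GUI or netsh procedures; the script below is an added example (not from the original post) that does the same with the DhcpServer PowerShell module available from Windows Server 2012 onward (on Windows Server 2008 the equivalent is netsh dhcp, as in question 5). It creates a normal scope with an exclusion, a reservation and scope options, groups two scopes into a superscope, creates a multicast scope with the required TTL, authorizes the server in AD and then checks that this server's own FQDN is in the authorized list, which is the check to run when clients report no leases. Every address and name is an assumed sample value.

```powershell
# Added example (not from the original post): scope types, authorization and the
# authorization check with the DhcpServer module. All addresses/names are samples.
Import-Module DhcpServer

# Normal scope: one per subnet; exclusions keep static hosts out of the pool,
# a reservation pins a MAC to an address, options push router/DNS/domain to clients.
Add-DhcpServerv4Scope -Name 'Branch-LAN' -StartRange 10.10.20.10 -EndRange 10.10.20.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 10.10.20.0 -StartRange 10.10.20.10 -EndRange 10.10.20.20
Add-DhcpServerv4Reservation -ScopeId 10.10.20.0 -IPAddress 10.10.20.50 `
    -ClientId '00-11-22-33-44-55' -Name 'printer01'
Set-DhcpServerv4OptionValue -ScopeId 10.10.20.0 -Router 10.10.20.1 `
    -DnsServer 10.10.1.10, 10.10.1.11 -DnsDomain 'contoso.com'

# Second scope plus a superscope so both can be enabled/disabled as one unit.
Add-DhcpServerv4Scope -Name 'Branch-LAN-2' -StartRange 10.10.21.10 -EndRange 10.10.21.250 `
    -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4Superscope -SuperscopeName 'Branch' -ScopeId 10.10.20.0, 10.10.21.0

# Multicast scope: class D range, no subnet mask or options, TTL is mandatory.
Add-DhcpServerv4MulticastScope -Name 'Streaming' -StartRange 239.1.1.1 -EndRange 239.1.1.254 `
    -Ttl 16 -State Active

# Authorization (questions 5 and 9): a domain-joined DHCP server that is not in this
# list will not hand out leases.
Add-DhcpServerInDC -DnsName 'dhcp01.contoso.com' -IPAddress 10.10.1.20

function Test-DhcpAuthorization {
    $me = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $authorized = @(Get-DhcpServerInDC)
    [pscustomobject]@{
        Server     = $me
        Authorized = ($authorized | Where-Object { $_.DnsName -eq $me }) -ne $null
        AllEntries = ($authorized | ForEach-Object { "$($_.DnsName) ($($_.IPAddress))" }) -join '; '
    }
}
Test-DhcpAuthorization
```

The AllEntries field is also the list to reconcile against what is actually answering on the network: any OFFER whose server identifier is not in it comes from an unauthorized server.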
10. What is DHCPINFORM?
DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While PPP remote access clients do not use DHCP to obtain IP addresses for the remote access connection, Windows 2000 and Windows 98 remote access clients use the DHCPInform message to obtain DNS server IP addresses, WINS server IP addresses, and a DNS domain name.
The DHCPInform message is sent after the IPCP negotiation is concluded. The DHCPInform message received by the remote access server is then forwarded to a DHCP server. The remote access server forwards DHCPInform messages only if it has been configured with the DHCP Relay Agent.
Flexible
Single Master Operation Roles (FSMO)
Active Directory has five special roles which are vital
for the smooth running of AD as a multimaster system. Some functions of AD
require there is an authoritative master to which all Domain Controllers can
refer to. These roles are installed automatically and there is normally very
little reason to move them, however if you de-commission a DC and DCPROMO fails
to run correctly or have a catastrophic failure of a DC you will need to know
about these roles to recover or transfer them to another DC.
The forest wide roles must appear once per forest, the
domain wide roles must appear once per domain.
The
Roles
There are five FSMO roles, two per forest, three in every
Domain. A brief summary of the role is below.
Forest
Wide Roles:
§ Schema Master
The schema is shared between every Tree and Domain in a
forest and must be consistent between all objects. The schema master controls
all updates and modifications to the schema.
§ Domain Naming
When a new Domain is added to a forest the name must be
unique within the forest. The Domain naming master must be available when
adding or removing a Domain in a forest.
Domain
Wide Roles:
§ Relative ID (RID) Master
Allocates RIDs to DCs within a Domain. When an object
such as a user, group or computer is created in AD it is given a SID. The SID
consists of a Domain SID (which is the same for all SIDs created in the domain)
and a RID which is unique to the Domain.
When moving objects between domains you must start the
move on the DC which is the RID master of the domain that currently holds the
object.
§ PDC Emulator
The PDC emulator acts as a Windows NT PDC for backwards
compatibility, it can process updates to a BDC.
It is also responsible for time synchronising within a
domain.
It is also the password master (for want of a better
term) for a domain. Any password change is replicated to the PDC emulator as
soon as is practical. If a logon request fails due to a bad password the logon
request is passed to the PDC emulator to check the password before rejecting
the login request.
§ Infrastructure Master
The infrastructure master is responsible for updating
references from objects in its domain to objects in other domains. The global
catalogue is used to compare data as it receives regular updates for all
objects in all domains.
Any change to user-group references are updated by the
infrastructure master. For example if you rename or move a group member and the
member is in a different domain from the group the group will temporarily
appear not to contain that member.
Important
Note :
Unless there is only one DC in a domain the
Infrastructure role should not be on the DC that is hosting the global
catalogue. If they are on the same server the infrastructure master will not
function, it will never find data that is out of date and so will never
replicate changes to other DCs in a domain.
If all DCs in a domain also host a global catalogue then
it does not matter which DC has the infrastructure master role as all DCs will
be up to date due to the global catalogue.
Viewing and Transferring Roles
The roles can be viewed and transferred in the GUI or from the command line.
GUI
Schema Master
To view the schema master you must first register the schema management dll with Windows. To do this enter the following in the Run dialog of the Start menu:
regsvr32 schmmgmt.dll
Once you have done this the Active Directory Schema MMC snap-in will be available, and the schema master can be viewed and transferred from there.
Active Directory Domains and Trusts
The Domain naming master can be viewed and transferred from here.
Active Directory Users and Computers
The RID, PDC emulator and Infrastructure master roles can be viewed and transferred from here.
NTDSUTIL
NTDSUTIL provides FSMO maintenance and the option to seize a role (covered in the FSMO Role Failure section below).
To transfer a role using ntdsutil use the example below as a template for all the roles (substitute the role name in step 7 for the other roles).
1) Open a command prompt
2) Enter ntdsutil
3) At the ntdsutil prompt enter roles
4) At the fsmo maintenance prompt enter connections
5) At the server connections prompt enter connect to server domaincontrollername (the DC that is to receive the role)
6) At the server connections prompt enter quit
7) At the fsmo maintenance prompt enter transfer schema master
8) Quit from the console
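The same view of the role holders, together with the Infrastructure Master placement rule from the Important Note above, as an added PowerShell example that is not part of the original post. It uses the ActiveDirectory module cmdlets (Get-ADForest, Get-ADDomain, Get-ADDomainController), which exist from Windows Server 2008 R2 / RSAT onward rather than on a 2003 DC, so it is run from a management host; the domain name defaults to the current logon domain and nothing else is assumed.

```powershell
# Added example (not from the original post). Lists the five FSMO role holders
# and applies the placement rule from the Infrastructure Master note: the role
# should not sit on a global catalogue server unless the domain has only one DC
# or every DC is a GC. Requires the ActiveDirectory module (RSAT / 2008 R2+).
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from the forest object, domain-wide roles from the domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $domain = Get-ADDomain -Identity $DomainName
    # All DCs of this domain; IsGlobalCatalog tells us whether each one hosts a GC.
    $dcs    = @(Get-ADDomainController -Filter * -Server $DomainName)
    $holder = $dcs | Where-Object { $_.HostName -ieq $domain.InfrastructureMaster }
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    if ($dcs.Count -le 1) {
        return "OK: $DomainName has a single DC, placement is irrelevant."
    }
    if ($nonGc.Count -eq 0) {
        return "OK: every DC in $DomainName is a GC, placement is irrelevant."
    }
    if ($holder -eq $null) {
        return "WARNING: infrastructure master $($domain.InfrastructureMaster) not found among the DCs of $DomainName (stale or failed holder?)."
    }
    if ($holder.IsGlobalCatalog) {
        # The broken configuration from the note: the holder never sees stale
        # cross-domain references, so it never replicates corrections.
        $candidates = ($nonGc | ForEach-Object { $_.HostName }) -join ', '
        return "WARNING: infrastructure master $($holder.HostName) is a GC while other DCs are not; move the role to a non-GC DC ($candidates)."
    }
    return "OK: infrastructure master $($holder.HostName) is not a GC."
}

# Usage: print the holders, then the placement verdict for the current domain.
Get-FsmoRoleHolders | Format-List
Test-InfrastructureMasterPlacement
```

Cross-check the cmdlet output against `netdom query fsmo` on a DC if the two ever disagree; a mismatch usually means replication has not yet caught up after a transfer or seizure.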
FSMO Role Failure
Some of the operations master roles are essential for AD functionality; others can be unavailable for a while before their absence will be noticed. Normally it is not the failure of the role itself, but rather the failure of the DC on which the role is running.
If a DC which is a role holder fails you can seize the role on another DC, but you should always try to transfer the role first.
Before seizing a role you need to assess the likely duration of the outage of the DC which is holding the role. If it is likely to be a short outage due to a temporary power or network issue then you would probably want to wait rather than seize the role.
Schema Master Failure
In most cases the loss of the schema master will not affect network users and will only affect Admins if modifications to the schema are required. You should however only seize this role when the failure of the existing holder is considered permanent.
Note: A DC whose schema master role has been seized should never be brought back online.
Domain Naming Master Failure
Temporary loss of this role holder will not be noticeable to network users. Domain Admins will only notice the loss if they try to add or remove a domain in the forest. You should however only seize this role when the failure of the existing holder is considered permanent.
Note: A DC whose schema master role has been seized should never be brought back online.
RID Master Failure
Temporary loss of this role holder will not be noticeable to network users. Domain Admins will only notice the loss if a domain they are creating objects in runs out of relative IDs (RIDs). You should however only seize this role when the failure of the existing holder is considered permanent.
Note: A DC whose schema master role has been seized should never be brought back online.
PDC Emulator Master Failure
Network users will notice the loss of the PDC emulator. If the DC with this role fails you may need to immediately seize this role. Only pre Windows 2000 clients and NT4 BDCs will be affected.
If you seize the role and return the original DC to the network you can transfer the role back.
Infrastructure Master Failure
Temporary loss of this role holder will not be noticeable to network users. Administrators will not notice the role loss unless they are moving or renaming, or have recently moved or renamed, large numbers of accounts.
If you are required to seize the role, do not seize it to a DC which is a global catalogue server unless all DCs are global catalogue servers.
If you seize the role and return the original DC to the network you can transfer the role back.
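The transfer-first, seize-only-when-permanent decision this section describes, as an added PowerShell example (not code from the original post). It assumes the ActiveDirectory module and its Move-ADDirectoryServerOperationMasterRole cmdlet (a plain call transfers, -Force seizes); the target DC name and the -OutageIsPermanent switch are assumptions made for the example, and the judgement that an outage is permanent is left to the operator rather than inferred by the script.

```powershell
# Added example (not from the original post). Moves one FSMO role to a target
# DC the way the section recommends: always attempt a clean transfer first and
# seize (-Force) only when the transfer fails AND the operator has judged the
# old holder's outage to be permanent. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDC,   # e.g. 'DC2.example.local' (assumed name)
        [Parameter(Mandatory=$true)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string]$Role,
        [switch]$OutageIsPermanent                        # operator's decision, never inferred here
    )

    # Current holder, so the result names who lost the role.
    $holder = switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        'RIDMaster'          { (Get-ADDomain).RIDMaster }
        'PDCEmulator'        { (Get-ADDomain).PDCEmulator }
        default              { (Get-ADDomain).InfrastructureMaster }
    }

    # Placement rule for the infrastructure master: not on a GC unless all DCs are GCs.
    if ($Role -eq 'InfrastructureMaster') {
        $dcs    = @(Get-ADDomainController -Filter *)
        $target = Get-ADDomainController -Identity $TargetDC
        $allGc  = (@($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0)
        if ($target.IsGlobalCatalog -and -not $allGc) {
            throw "$TargetDC is a global catalogue server and not every DC is; pick a non-GC DC for the infrastructure master."
        }
    }

    # 1. Transfer: needs the current holder online, and leaves it knowing it no longer owns the role.
    try {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false -ErrorAction Stop
        return "Transferred $Role from $holder to $TargetDC."
    } catch {
        Write-Warning "Transfer of $Role from $holder failed: $($_.Exception.Message)"
    }

    # 2. Seize only on an explicit permanent-outage decision; a short power or
    #    network blip should be waited out instead, as the section says.
    if (-not $OutageIsPermanent) {
        return "Not seizing $Role: holder $holder is unreachable but the outage has not been declared permanent."
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false -ErrorAction Stop

    # After a seizure the old schema, domain naming or RID holder must stay off the
    # network; a seized PDC emulator or infrastructure master can be transferred back.
    if (@('SchemaMaster','DomainNamingMaster','RIDMaster') -contains $Role) {
        $note = "Do not bring $holder back online."
    } else {
        $note = "If $holder returns, transfer the role back to it."
    }
    return "Seized $Role on $TargetDC. $note"
}

# Usage (assumed DC name): transfer, or seize if the holder is permanently gone.
# Move-FsmoRoleSafely -TargetDC 'DC2.example.local' -Role PDCEmulator -OutageIsPermanent
```

Run it with a non-privileged account and the transfer step fails for lack of rights, not because the holder is down, so check the warning text before declaring an outage permanent and re-running with the switch.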
Backup and Restore IIS 6.0 in Windows Server 2003
This article will show how to successfully back up and restore an IIS 6.0 configuration to a new server installation without any issues. Although it is an easy process there are some issues that we have to be aware of.
If we plan to back up and restore IIS 6.0 to the same server installation, or to repair an IIS installation, we can create a backup without a password. This creates a non-portable backup of the IIS 6 metabase: because the machine key is used when we don't provide a password, we will have to restore it to the same original machine.
The trick is that to successfully create a backup for a new server, and to be able to restore it there without errors, we MUST create a password. This approach is called a portable backup of the IIS 6 metabase.
Portable Backup of IIS 6.0 Metabase
1) Open IIS Manager
2) Right-click Local Computer -> All Tasks -> Backup/Restore Configuration
3) Under Configuration backup name type a name for your backup
4) Select Encrypt backup using password and type your password twice
5) Start -> Run -> %systemroot%\system32\inetsrv\MetaBack (the folder where IIS stores its backups)
6) Copy to the new server the two backup files created under the name you gave, with extensions .SC0 and .MD0
7) Copy all your web folders to the new server
Restoring IIS 6.0 Metabase on new server
1) Restore all your web folders to the new server
2) Open IIS Manager
3) Right-click Local Computer -> All Tasks -> Backup/Restore Configuration
4) Select the file you want to restore and enter the password when prompted
After restoration is complete be sure that you have installed the latest .NET Framework 3.5 SP1 and, in case you have sites connected to an external SQL database, double check your configuration changes.
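The same portable backup and restore, driven from a script instead of the IIS Manager GUI, as an added PowerShell example that is not part of the original article. It calls iisback.vbs, the metabase backup script that ships with IIS 6.0 on Windows Server 2003 alongside the iisweb.vbs and iiscnfg.vbs scripts mentioned later on this page; PowerShell is not on Windows Server 2003 by default and must be added (2.0 is enough for this script). The backup name, the migration share and the version number are assumptions for the example.

```powershell
# Added example (not from the original article). Creates a portable (password
# encrypted) IIS 6.0 metabase backup with iisback.vbs, copies the resulting
# .MDn/.SCn pair to a migration share, and restores it on the new server.
# Backup name, share path and version are assumptions made for the example.
$iisback  = Join-Path $env:SystemRoot 'system32\iisback.vbs'
$metaBack = Join-Path $env:SystemRoot 'system32\inetsrv\MetaBack'   # where IIS keeps its backups

function Backup-PortableMetabase {
    param(
        [string]$BackupName,   # assumed, e.g. 'Migration2012'
        [string]$Password,     # required: without it the backup is bound to this machine key
        [string]$Destination   # assumed UNC path on the new server, e.g. '\\NEWSERVER\IISMigration'
    )
    if ([string]::IsNullOrEmpty($Password)) {
        throw 'A password is required; an unencrypted backup can only be restored on this machine.'
    }
    # /b backup name, /e encryption password (the option that makes the backup portable).
    & cscript.exe //nologo $iisback /backup /b $BackupName /e $Password
    if ($LASTEXITCODE -ne 0) { throw "iisback.vbs /backup returned $LASTEXITCODE" }

    # Each backup version is a pair: <name>.MDn (metabase) and <name>.SCn (schema).
    # Find the newest version number and copy both halves together.
    $versions = Get-ChildItem -Path $metaBack -Filter "$BackupName.*" |
        Where-Object { $_.Extension -match '^\.(MD|SC)\d+$' } |
        ForEach-Object { [int]($_.Extension -replace '^\.(MD|SC)', '') } |
        Sort-Object -Unique -Descending
    if (-not $versions) { throw "No backup files named $BackupName.* found in $metaBack" }
    $version = @($versions)[0]
    foreach ($ext in 'MD', 'SC') {
        $path = Join-Path $metaBack "$BackupName.$ext$version"
        if (-not (Test-Path $path)) { throw "Backup file $path is missing; the pair is incomplete." }
        Copy-Item -Path $path -Destination $Destination
    }
    return $version
}

function Restore-PortableMetabase {
    param(
        [string]$BackupName,
        [int]$Version,
        [string]$Password,
        [string]$Source        # folder holding the copied .MDn/.SCn pair
    )
    # IIS only sees backups that sit in MetaBack, so stage the pair there first.
    foreach ($ext in 'MD', 'SC') {
        Copy-Item -Path (Join-Path $Source "$BackupName.$ext$Version") -Destination $metaBack
    }
    & cscript.exe //nologo $iisback /restore /b $BackupName /v $Version /e $Password
    if ($LASTEXITCODE -ne 0) { throw "iisback.vbs /restore returned $LASTEXITCODE" }
}

# Usage on the old server (the password is prompted, never stored in the script):
# $ver = Backup-PortableMetabase -BackupName 'Migration2012' -Password (Read-Host 'Backup password') -Destination '\\NEWSERVER\IISMigration'
# Usage on the new server, after copying the web folders across:
# Restore-PortableMetabase -BackupName 'Migration2012' -Version $ver -Password (Read-Host 'Backup password') -Source 'D:\IISMigration'
```

The password check at the top is the scripted form of the article's warning: a backup made without one is encrypted with the source machine's key and will not restore anywhere else.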
Windows Server 2003 IIS and Scripting interview questions
1. What is the presentation layer responsible for in the OSI model?
The presentation layer establishes the data format prior to passing it along to the network application’s interface. TCP/IP networks perform this task at the application layer.
2. Does Windows Server 2003 support IPv6?
Yes, run ipv6.exe from command line to disable it.
3. Can Windows Server 2003 function as a bridge?
Yes, and it’s a new feature for the 2003 product. You can combine several networks and devices connected via several adapters by enabling IP routing.
4. What’s the difference between the basic disk and dynamic disk?
The basic type contains partitions, extended partitions, logical drives, and an assortment of static volumes; the dynamic type does not use partitions but dynamically manages volumes and provides advanced storage options.
5. What’s a media pool?
It is any compilation of disks or tapes with the same administrative properties.
6. How do you install recovery console?
C:\i386\winnt32 /cmdcons, assuming that your Win server installation is on drive C.
7. What’s new in Terminal Services for Windows 2003 Server?
Supports audio transmissions as well, although prepare for heavy network load.
8. What scripts ship with IIS 6.0?
iisweb.vbs to create, delete, start, stop, and list Web sites; iisftp.vbs to create, delete, start, stop, and list FTP sites; iisvdir.vbs to create, delete, start, stop, and display virtual directories; iisftpdr.vbs to create, delete, start, stop, and display virtual directories under an FTP root; iiscnfg.vbs to export and import IIS configuration to an XML file.
9. What’s the name of the user who connects to the Web site anonymously?
IUSR_computername
10. What secure authentication and encryption mechanisms are supported by IIS 6.0?
Basic authentication, Digest authentication, Advanced digest authentication, Certificate-based Web transactions that use PKCS #7/PKCS #10, Fortezza, SSL, Server-Gated Cryptography, Transport Layer Security
11. What’s the relation between SSL and TLS?
Transport Layer Security (TLS) extends SSL by providing cryptographic authentication.
12. What’s the role of http.sys in IIS?
It is the point of contact for all incoming HTTP requests. It listens for requests and queues them until they are all processed, no more queues are available, or the Web server is shut down.
13. Where’s ASP cache located on IIS 6.0?
On disk, as opposed to memory, as it used to be in IIS 5.
14. What is socket pooling?
Non-blocking socket usage, introduced in IIS 6.0. More than one application can use a given socket.
15. Describe the process of clustering with Windows 2003 Server when a new node is added.
As a node goes online, it searches for other nodes to join by polling the designated internal network. In this way, all nodes are notified of the new node’s existence. If other nodes cannot be found on a preexisting cluster, the new node takes control of the quorum resources residing on the shared disk that contains state and configuration data.
16. What applications are not capable of performing in Windows 2003 Server clusters?
The ones written exclusively for NetBEUI and IPX.
17. What’s a heartbeat?
Communication processes between the nodes designed to ensure node’s health.
18. What’s a threshold in clustered environment?
The number of times a restart is attempted, when the node fails.
19. You need to change an admin password on a clustered Windows box, but that requires rebooting the cluster, doesn’t it?
No, it doesn’t. In 2003 environment you can do that via cluster.exe utility which does not require rebooting the entire cluster.
20. For the document of size 1 MB, what size would you expect the index to be with Indexing Service?
150-300 KB, 15-30% is a reasonable expectation.
21. Doesn’t the Indexing Service introduce a security flaw when allowing access to the index?
No, because users can only view the indices of documents and folders that they have permissions for.
22. What’s the typical size of the index?
Less than 100K documents - up to 128 MB. More than that - 256+ MB.
23. Which characters should be enclosed in quotes when searching the index?
&, @, $, #, ^, ( ), and .
24. How would you search for C++?
Just enter C++, since + is not a special character (and neither is C).
25. What about Barnes&Noble?
Should be searched for as Barnes’&’Noble.
26. Are the searches case-sensitive?
No.
27. What’s the order of precedence of Boolean operators in Microsoft Windows 2003 Server Indexing Service?
NOT, AND, NEAR, OR.
28. What’s a vector space query?
A multiple-word query where a weight can be assigned to each of the search words. For example, if you want to find information on ‘black hole’, but would prefer to give more weight to the word hole, you can enter black[1] hole[20] into the search window.
29. What’s a response queue?
It’s the message queue that holds response messages sent from the receiving application to the sender.
30. What’s MQPing used for?
Testing Microsoft Message Queue services between the nodes on a network.
31. Which add-on package for Windows 2003 Server would you use to monitor the installed software and license compliance?
SMS (System Management Server).
32. Which service do you use to set up various alerts?
MOM (Microsoft Operations Manager).
33. What languages does Windows Scripting Host support?
VB, VBScript, JScript.
Just to Say Awesome
Thank you Naveen
It is really an awesome dude... Thank you very much.