Professional Documents
Culture Documents
1. Features of windows2003
ACTIVE DIRECTORY
Easier Deployment and Management
ADMT version 2.0—migrates password from NT4 to 2000 to 20003 or
from 2000 to 2003
Domain Rename--- supports changing Domain Name System and/or
NetBios name
Schema Redefine--- Allows deactivation of attributes and class definitions
in the Active directory schema
AD/AM--- Active directory in application mode is a new capability of AD
that addresses certain deployment scenarios related to directory enabled
applications
Group Policy Improvements----introduced GPMC tool to manage group
policy
UI—Enhanced User Interface
Greater Security
Cross-forest Authentication
Cross-forest Authorization
Cross-certification Enhancements
IAS and Cross-forest authentication
Credential Manager
Software Restriction Policies
Improved Performance and Dependability
Easier logon for remote offices
Group Membership replication enhancements
Application Directory Partitions
Install Replica from media
Dependability Improvements--- updated Inter-Site Topology Generator
(ISTG) that scales better by supporting forests with a greater number of sites than
Windows 2000.
FILE AND PRINT SERVICES
Volume shadow copy service
NTFS journaling file system
EFS
Improved CHDSK Performance
Enhanced DFS and FRS
Shadow copy of shared folders
Enhanced folder redirection
Remote document sharing (WEBDAV)
IIS
Fault-tolerant process architecture----- The IIS 6.0 fault-tolerant process
architecture isolates Web sites and applications into self-contained units called
application pools
1
Health Monitoring---- IIS 6.0 periodically checks the status of an application
pool with automatic restart on failure of the Web sites and applications within that
application pool, increasing application availability. IIS 6.0 protects the server,
and other applications, by automatically disabling Web sites and applications that
fail too often within a short amount of time
Automatic Process Recycling--- IIS 6.0 automatically stops and restarts faulty
Web sites and applications based on a flexible set of criteria, including CPU
utilization and memory consumption, while queuing requests
Rapid-fail Protection---- If an application fails too often within a short amount
of time, IIS 6.0 will automatically disable it and return a "503 Service
Unavailable" error message to any new or queued requests to the application
Edit-While-Running
http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/def
ault.mspx
In windows NT only PDC is having writable copy of SAM database but the BDC
is only read only database. In case of Windows 2000 both DC and ADC is having
write copy of the database
Windows NT will not support FAT32 file system. Windows 2000 supports
FAT32
Windows 2000 depends and Integrated with DNS. NT user Netbios names
Active Directory can be backed up easily with System state data
2
4. Difference between PDC & BDC
PDC contains a write copy of SAM database where as BDC contains read only
copy of SAM database. It is not possible to reset a password or create objects with
out PDC in Windows NT.
There is no difference between in DC and ADC both contains write copy of AD.
Both can also handles FSMO roles (If transfers from DC to ADC). It is just for
identification. Functionality wise there is no difference.
Primary DNS
Secondary DNS
Active Directory Integrated DNS
Forwarder
Caching only DNS
Client will not get IP and it cannot be participated in network . If client already
got the IP and having lease duration it use the IP till the lease duration expires.
Implicit Trusts
Explicit Trusts—NT to Win2k or Forest to Forest
10. what is the process of DHCP for getting the IP address to the client
3
DHCP Select (Initiated by client)
DHCP Acknowledgement (Initiated by Server)
DHCP Negative Acknowledgement (Initiated by server if any issues after DHCP
offer)
In FAT file system we can apply only share level security. File level protection is
not possible. In NTFS we can apply both share level as well as file level security
NTFS supports large partition sizes than FAT file systems
NTFS supports long file names than FAT file systems
12. What are the port numbers for FTP, Telnet, HTTP, DNS
Local Profiles
Roaming profiles
Mandatory Profiles
NTDS.DIT
%System root%/NTDS/NTDS>DIT
4
17. What is subnetting and supernetting
Subnetting is the process of borrowing bits from the host portion of an address to
provide bits for identifying additional sub-networks
RDP
3389
Medium Level
Intra-site replication can be done between the domain controllers in the same site.
Inter-site replication can be done between two different sites over WAN links
BHS (Bridge Head Servers) is responsible for initiating replication between the
sites. Inter-site replication can be done B/w BHS in one site and BHS in another
site.
5
We can use RPC over IP or SMTP as a replication protocols where as Domain
partition is not possible to replicate using SMTP
6
2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server,
or the Standard, Enterprise and Data Center versions of Windows Server 2003.
Storage types are separate from the file system type. A basic or dynamic disk can
contain any combination of FAT16, FAT32, or NTFS partitions or volumes.
A disk system can contain any combination of storage types. However, all volumes
on the same disk must use the same storage type.
To convert a Basic Disk to a Dynamic Disk:
Use the Disk Management snap-in in Windows XP/2000/2003 to convert a basic
disk to a dynamic disk. To do this, follow these steps:
6. Select the check box that is next to the disk that you want to convert (if it is
not already selected), and then click OK.
7. Click Details if you want to view the list of volumes in the disk. Click
Convert.
8. Click Yes when you are prompted to convert the disk, and then click OK.
7
Warning: After you convert a basic disk to a dynamic disk, local access to the
dynamic disk is limited to Windows XP Professional, Windows 2000 and Windows
Server 2003. Additionally, after you convert a basic disk to a dynamic disk, the
dynamic volumes cannot be changed back to partitions. You must first delete all
dynamic volumes on the disk and then convert the dynamic disk back to a basic disk.
If you want to keep your data, you must first back up the data or move it to another
volume.
Dynamic Storage Terms
A volume is a storage unit made from free space on one or more disks. It can be
formatted with a file system and assigned a drive letter. Volumes on dynamic disks
can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-
5.
A simple volume uses free space from a single disk. It can be a single region on a
disk or consist of multiple, concatenated regions. A simple volume can be extended
within the same disk or onto additional disks. If a simple volume is extended across
multiple disks, it becomes a spanned volume.
A spanned volume is created from free disk space that is linked together from
multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A
spanned volume cannot be mirrored and is not fault-tolerant.
A striped volume is a volume whose data is interleaved across two or more physical
disks. The data on this type of volume is allocated alternately and evenly to each of
the physical disks. A striped volume cannot be mirrored or extended and is not fault-
tolerant. Striping is also known as RAID-0.
A mirrored volume is a fault-tolerant volume whose data is duplicated on two
physical disks. All of the data on one volume is copied to another disk to provide
data redundancy. If one of the disks fails, the data can still be accessed from the
remaining disk. A mirrored volume cannot be extended. Mirroring is also known as
RAID-1.
A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of
three or more disks. Parity (a calculated value that can be used to reconstruct data
after a failure) is also striped across the disk array. If a physical disk fails, the portion
of the RAID-5 volume that was on that failed disk can be re-created from the
remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.
8
The system volume contains the hardware-specific files that are needed to load
Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can
be, but does not have to be, the same as the boot volume.
The boot volume contains the Windows operating system files that are located in
the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be,
but does not have to be, the same as the system volume.
RAID 0 – Striping
RAID 1- Mirroring (minimum 2 HDD required)
RAID 5 – Striping With Parity (Minimum 3 HDD required)
RAID levels 1 and 5 only gives redundancy
Normal Backup
Incremental Backup
Differential Backup
Daily Backup
Copy Backup
Global catalog is a role, which maintains Indexes about objects. It contains full
information of the objects in its own domain and partial information of the objects
in other domains. Universal Group membership information will be stored in
global catalog servers and replicate to all GC’s in the forest.
Active directory is a directory service, which maintains the relation ship between
resources and enabling them to work together. Because of AD hierarchal structure
windows 2000 is more scalable, reliable. Active directory is derived from X.500
standards where information is stored is hierarchal tree like structure. Active
directory depends on two Internet standards one is DNS and other is LDAP.
Information in Active directory can be queried by using LDAP protocol
9
Out of these Configuration, Schema partitions can be replicated between the
domain controllers in the in the entire forest. Where as Domain partition can be
replicated between the domain controllers in the same domain
After giving logon credentials an encryption key will be generated which is used
to encrypt the time stamp of the client machine. User name and encrypted
timestamp information will be provided to domain controller for authentication.
Then Domain controller based on the password information stored in AD for that
user it decrypts the encrypted time stamp information. If produces time stamp
matches to its time stamp. It will provide logon session key and Ticket granting
ticket to client in an encryption format. Again client decrypts and if produced time
stamp information is matching then it will use logon session key to logon to the
domain. Ticket granting ticket will be used to generate service granting ticket
when accessing network resources
10. what are the port numbers for Kerberos, LDAP and Global catalog
12. what are the problems that are generally come across DHCP
TTL is Time to Live setting used for the amount of time that the record should
remain in cache when name resolution happened.
We can set TTL in SOA (start of authority record) of DNS
%System root%/system32/dns
10
%System root%/system32/WINS
%System root%/system32/DHCP
Recovery console is a utility used to recover the system when it is not booting
properly or not at all booting. We can perform fallowing operations from recovery
console
We can copy, rename, or replace operating system files and folders
Enable or disable service or device startup the next time that start computer
Repair the file system boot sector or the Master Boot Record
Create and format partitions on drives
DFS is a distributed file system used to provide common environment for users to
access files and folders even when they are shared in different servers physically.
There are two types of DFS domain DFS and Stand alone DFS. We cannot
provide redundancy for stand alone DFS in case of failure. Domain DFS is used
in a domain environment which can be accessed by /domain name/root1 (root 1 is
DFS root name). Stand alone DFS can be used in workgroup environment which
can be accessed through /server name/root1 (root 1 is DFS root name). Both the
cases we need to create DFS root ( Which appears like a shared folder for end
users) and DFS links ( A logical link which is pointing to the server where the
folder is physically shared)
The maximum number of Dfs roots per server is 1.
The maximum numbers of Dfs root replicas are 31.
The maximum number of Dfs roots per domain is unlimited.
The maximum number of Dfs links or shared folders in a Dfs root is 1,000
11
31
20. What is the difference between Domain DFS and Standalone DFS
High Level
12
In a single-master model, only one DC in the entire directory is allowed to
process updates. This is similar to the role given to a primary domain controller
(PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in
which the PDC is responsible for processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain
controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to
the schema. Once the Schema update is complete, it is replicated from the schema
master to all other DCs in the directory. To update the schema of a forest, you
must have access to the schema master. There can be only one schema master in
the whole forest.
The domain naming master domain controller controls the addition or removal of
domains in the forest. This DC is the only one that can add or remove a domain
from the directory. It can also add or remove cross references to domains in
external directories. There can be only one domain naming master in the whole
forest.
Infrastructure Master:
Note: The Infrastructure Master (IM) role should be held by a domain controller
that is not a Global Catalog server (GC). If the Infrastructure Master runs on a
Global Catalog server it will stop updating object information because it does not
contain any references to objects that it does not hold. This is because a Global
Catalog server holds a partial replica of every object in the forest. As a result,
cross-domain object references in that domain will not be updated and a warning
to that effect will be logged on that DC's event log. If all the domain controllers in
a domain also host the global catalog, all the domain controllers have the current
data, and it is not important which domain controller holds the infrastructure
master role.
13
The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. When a DC creates a security principal object
such as a user or group, it attaches a unique Security ID (SID) to the object. This
SID consists of a domain SID (the same for all SIDs created in a domain), and a
relative ID (RID) that is unique for each security principal SID created in a
domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to
assign to the security principals it creates. When a DC's allocated RID pool falls
below a threshold, that DC issues a request for additional RIDs to the domain's
RID master. The domain RID master responds to the request by retrieving RIDs
from the domain's unallocated RID pool and assigns them to the pool of the
requesting DC. At any one time, there can be only one domain controller acting as
the RID master in the domain.
PDC Emulator:
The PDC emulator of a domain is authoritative for the domain. The PDC emulator
at the root of the forest becomes authoritative for the enterprise, and should be
configured to gather the time from an external source. All PDC FSMO role
holders follow the hierarchy of domains in the selection of their in-bound time
partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the
following functions:
Editing or creation of Group Policy Objects (GPO) is always done from the GPO
copy found in the PDC Emulator's SYSVOL share, unless configured not to do so
by the administrator.
14
The PDC emulator performs all of the functionality that a Microsoft Windows NT
4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or
earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations,
member servers, and domain controllers that are running Windows NT 4.0 or
earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs
the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC
emulator master in each domain in the forest.
How can I determine who are the current FSMO Roles holders in my domain/forest?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master
method called FSMO (Flexible Single Master Operation), as described in
Understanding FSMO Roles in Active Directory.
The five FSMO roles are:
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the
same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process. However, there are scenarios where an administrator
would want to move one or more of the FSMO roles from the default holder DC to a
different DC. The transferring method is described in the Transferring FSMO Roles
article, while seizing the roles from a non-operational DC to a different DC is
described in the Seizing FSMO Roles article.
In order to better understand your AD infrastructure and to know the added value
that each DC might possess, an AD administrator must have the exact knowledge of
which one of the existing DCs is holding a FSMO role, and what role it holds. With
that knowledge in hand, the administrator can make better arrangements in case of a
15
scheduled shut-down of any given DC, and better prepare him or herself in case of a
non-scheduled cease of operation from one of the DCs.
How to find out which DC is holding which FSMO role? Well, one can accomplish
this task by many means. This article will list a few of the available methods.
Method #1: Know the default settings
The FSMO roles were assigned to one or more DCs during the DCPROMO process.
The following table summarizes the FSMO default locations:
Number of DCs Original DC holding the FSMO
FSMO Role
holding this role role
Schema One per forest The first DC in the first domain in
the forest (i.e. the Forest Root
Domain Naming One per forest
Domain)
RID One per domain The first DC in a domain (any
PDC Emulator One per domain domain, including the Forest Root
Domain, any Tree Root Domain, or
Infrastructure One per domain
any Child Domain)
Method #2: Use the GUI
The FSMO role holders can be easily found by use of some of the AD snap-ins. Use
this table to see which tool can be used for what FSMO role:
FSMO Role Which snap-in should I use?
Schema Schema snap-in
Domain Naming AD Domains and Trusts snap-in
RID
PDC Emulator AD Users and Computers snap-in
Infrastructure
Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the Domain-Specific RID Master, PDC Emulator,
and Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the
Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press
Operation Masters.
16
3. Select the appropriate tab for the role you wish to view.
1. Open the Active Directory Domains and Trusts snap-in from the
Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press
Operation Masters.
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
regsvr32 schmmgmt.dll
17
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click it and press
Operation Masters.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open
box, and then click OK.
C:\WINDOWS>ntdsutil
ntdsutil:
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool,
type ?, and then press ENTER.
18
4. Type connect to server <servername>, where <servername> is the name of
the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. At the FSMO maintenance: prompt, type Select operation target, and then
press ENTER again.
At the select operation target: prompt, type List roles for connected server, and then
press ENTER again.
select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=C
onfiguration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=C
onfiguration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Conf
iguration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Conf
iguration,DC=dpetri,DC=net
19
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-
First-Site-Name,CN=Si
tes,CN=Configuration,DC=dpetri,DC=net
select operation target:
Note: You can download THIS nice batch file that will do all this for you (1kb).
Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in the
Windows 2000 Resource Kit (and can be downloaded here: Download Free
Windows 2000 Resource Kit Tools). This tool is basically a one-click Ntdsutil script
that performs the same operation described above.
Method #4: Use the Netdom command
The FSMO role holders can be easily found by use of the Netdom command.
Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either
download it separately (from here Download Free Windows 2000 Resource Kit
Tools) or by obtaining the correct Support Tools pack for your operating system.
The Support Tools pack can be found in the \Support\Tools folder on your
installation CD (or you can Download Windows 2000 SP4 Support Tools, Download
Windows XP SP1 Deploy Tools).
1. On any domain controller, click Start, click Run, type CMD in the Open box,
and then click OK.
2. In the Command Prompt window, type netdom query /domain:<domain>
fsmo (where <domain> is the name of YOUR domain).
20
Method #5: Use the Replmon tool
The FSMO role holders can be easily found by use of the Netdom command.
Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support
Tools. Replmon can be used for a wide verity of tasks, mostly with those that are
related with AD replication. But Replmon can also provide valuable information
about the AD, about any DC, and also about other objects and settings, such as
GPOs and FSMO roles. Install the package before attempting to use the tool.
1. On any domain controller, click Start, click Run, type REPLMON in the
Open box, and then click OK.
2. Right-click Monitored servers and select Add Monitored Server.
3. In the Add Server to Monitor window, select the Search the Directory for the
server to add. Make sure your AD domain name is listed in the drop-down list.
4. In the site list select your site, expand it, and click to select the server you
want to query. Click Finish.
5. Right-click the server that is now listed in the left-pane, and select Properties.
21
7. Click Ok when you're done.
How can I forcibly transfer (seize) some or all of the FSMO Roles from one DC to
another?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master
method called FSMO (Flexible Single Master Operation), as described in
Understanding FSMO Roles in Active Directory.
The five FSMO roles are:
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the
same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process. However, there are scenarios where an administrator
would want to move one or more of the FSMO roles from the default holder DC to a
different DC.
Moving the FSMO roles while both the original FSMO role holder and the future
FSMO role holder are online and operational is called Transferring, and is described
in the Transferring FSMO Roles article.
However, when the original FSMO role holder went offline or became non
operational for a long period of time, the administrator might consider moving the
FSMO role from the original, non-operational holder, to a different DC. The process
of moving the FSMO role from a non-operational role holder to a different DC is
called Seizing, and is described in this article.
If a DC holding a FSMO role fails, the best thing to do is to try and get the server
online again. Since none of the FSMO roles are immediately critical (well, almost
none, the loss of the PDC Emulator FSMO role might become a problem unless you
fix it in a reasonable amount of time), so it is not a problem to them to be
unavailable for hours or even days.
If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to
a reliable computer. Administrators should use extreme caution in seizing FSMO
22
roles. This operation, in most cases, should be performed only if the original FSMO
role owner will not be brought back into the environment. Only seize a FSMO role if
absolutely necessary when the original role holder is not connected to the network.
What will happen if you do not perform the seize in time? This table has the info:
FSMO Role Loss implications
The schema cannot be
extended. However, in the short term no
Schema one will notice a missing Schema Master
unless you plan a schema upgrade during
that time.
Unless you are going to run DCPROMO,
Domain Naming
then you will not miss this FSMO role.
Chances are good that the existing DCs
will have enough unused RIDs to last
RID some time, unless you're building
hundreds of users or computer object per
week.
Will be missed soon. NT 4.0 BDCs will
not be able to replicate, there will be no
time synchronization in the domain, you
PDC Emulator
will probably not be able to change or
troubleshoot group policies and password
changes will become a problem.
Group memberships may be
Infrastructure incomplete. If you only have one domain,
then there will be no impact.
Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the
original domain controller must not be activated in the forest again. It is necessary to
reinstall Windows if these servers are to be used again.
The following table summarizes the FSMO seizing restrictions:
FSMO Role Restrictions
Schema Original must be reinstalled
Domain Naming
23
RID
PDC Emulator
Can transfer back to original
Infrastructure
Another consideration before performing the seize operation is the administrator's
group membership, as this table lists:
FSMO Role Administrator must be a member of
Schema Schema Admins
Domain Naming Enterprise Admins
RID
PDC Emulator Domain Admins
Infrastructure
To seize the FSMO roles by using Ntdsutil, follow these steps:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss
of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open
box, and then click OK.
C:\WINDOWS>ntdsutil
ntdsutil:
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool,
type ?, and then press ENTER.
24
4. Type connect to server <servername>, where <servername> is the name of
the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. Type seize <role>, where <role> is the role you want to seize. For example,
to seize the RID Master role, you would type seize rid master:
Options are:
Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master
7. You will receive a warning window asking if you want to perform the seize.
Click on Yes.
Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holde
r could not be contacted.)
25
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-
First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:
Note: All five roles need to be in the forest. If the first domain controller is out of
the forest then seize all roles. Determine which roles are to be on which remaining
domain controllers so that all five roles are not on only one server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you
quit the Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller
as the Global Catalog server. If the Infrastructure Master runs on a GC server it will
stop updating object information because it does not contain any references to
objects that it does not hold. This is because a GC server holds a partial replica of
every object in the forest.
In authoritative restore, Objects that are restored will be replicated to all domain
controllers in the domain. This can be used specifically when the entire OU is
disturbed in all domain controllers or specifically restore a single object, which is
disturbed in all DC’s
26
In non-authoritative restore, Restored directory information will be updated by
other domain controllers based on the latest modification time.
The size of NTDS.DIT will often be different sizes across the domain controllers in a
domain. Remember that Active Directory is a multi-master independent model where
updates are occurring in each of the domain controllers with the changes being replicated
over time to the other domain controllers.
The changed data is replicated between domain controllers, not the database, so there is
no guarantee that the files are going to be the same size across all domain controllers.
Windows 2000 and Windows Server 2003 servers running Directory Services (DS)
perform a directory online defragmentation every 12 hours by default as part of the
garbage-collection process. This defragmentation only moves data around the database
file (NTDS.DIT) and doesn’t reduce the file’s size - the database file cannot be
compacted while Active Directory is mounted.
Active Directory routinely performs online database defragmentation, but this is limited
to the disposal of tombstoned objects. The database file cannot be compacted while
Active Directory is mounted (or online).
An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller
than the NTDS.DIT file on its peers.
However, defragmenting the NTDS.DIT file isn’t something you should really need to
do. Normally, the database self-tunes and automatically tombstoning the records then
sweeping them away when the tombstone lifetime has passed to make that space
available for additional records.
Defragging the NTDS.DIT file probably won’t help your AD queries go any faster in the
long run.
One reason you might want to defrag your NTDS.DIT file is to save space, for example if
you deleted a large number of records at one time.
To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform
the following steps:
27
Back up Active Directory (AD).
Reboot the server, select the OS option, and press F8 for advanced options.
Select the Directory Services Restore Mode option, and press Enter. Press
Use the local SAM’s administrator account and password to log on.
You’ll see a dialog box that says you’re in safe mode. Click OK.
In the command window, you’ll see the following text. (Enter the commands in bold.)
C:\> ntdsutil
ntdsutil: files
file maintenance:info
....
file maintenance:compact to c:\temp
You’ll see the defragmentation process. If the process was successful, enter quit to return
to the command prompt.
Then, replace the old NTDS.DIT file with the new, compressed version. (Enter the
commands in bold.)
refer question 7
28
10. what are the monitoring tools used for Server and Network Heath. How to
define alert mechanism
11. How to deploy the patches and what are the softwares used for this process
Using SUS (Software update services) server we can deploy patches to all clients
in the network. We need to configure an option called “Synchronize with
Microsoft software update server” option and schedule time to synchronize in
server. We need to approve new update based on the requirement. Then approved
update will be deployed to clients
We can configure clients by changing the registry manually or through Group
policy by adding WUAU administrative template in group policy
NLB (network load balancing) cluster for balancing load between servers. This
cluster will not provide any high availability. Usually preferable at edge servers
like web or proxy.
Server Cluster: This provides High availability by configuring active-active or
active-passive cluster. In 2 node active-passive cluster one node will be active and
one node will be stand by. When active server fails the application will
FAILOVER to stand by server automatically. When the original server backs we
need to FAILBACK the application
Quorum: A shared storage need to provide for all servers which keeps
information about clustered application and session state and is useful in
FAILOVER situation. This is very important if Quorum disk fails entire cluster
will fails
Heartbeat: Heartbeat is a private connectivity between the servers in the cluster,
which is used to identify the status of other servers in cluster.
29
For SNMP programs to communicate we need to configure common community
name for those machines where SNMP programs (eg DELL OPEN MANAGER)
running. This can be configured from services.msc--- SNMP service -- Security
SOA is a Start Of Authority record, which is a first record in DNS, which controls
the startup behavior of DNS. We can configure TTL, refresh, and retry intervals
in this record.
Stub zones are a new feature of DNS in Windows Server 2003 that can be used to
streamline name resolution, especially in a split namespace scenario. They also help
reduce the amount of DNS traffic on your network, making DNS more efficient
especially over slow WAN links.
20. What is the difference between IIS Version 5 and IIS Version 6
Refer Question 1
30
ASR is a two-part system; it includes ASR backup and ASR restore. The ASR
Wizard, located in Backup, does the backup portion. The wizard backs up the
system state, system services, and all the disks that are associated with the
operating system components. ASR also creates a file that contains information
about the backup, the disk configurations (including basic and dynamic volumes),
and how to perform a restore.
You can access the restore portion by pressing F2 when prompted in the text-
mode portion of setup. ASR reads the disk configurations from the file that it
creates. It restores all the disk signatures, volumes, and partitions on (at a
minimum) the disks that you need to start the computer. ASR will try to restore all
the disk configurations, but under some circumstances it might not be able to.
ASR then installs a simple installation of Windows and automatically starts a
restoration using the backup created by the ASR Wizard.
22. What are the different levels that we can apply Group Policy
23. What is Domain Policy, Domain controller policy, Local policy and Group
policy
Domain Policy will apply to all computers in the domain, because by default it
will be associated with domain GPO, Where as Domain controller policy will be
applied only on domain controller. By default domain controller security policy
will be associated with domain controller GPO. Local policy will be applied to
that particular machine only and effects to that computer only.
Policies and scripts saved in SYSVOL folder will be replicated to all domain
controllers in the domain. FRS (File replication service) is responsible for
replicating all policies and scripts
Folder Redirection is a User group policy. Once you create the group policy and
link it to the appropriate folder object, an administrator can designate which
folders to redirect and where To do this, the administrator needs to navigate to the
following location in the Group Policy Object:
User Configuration\Windows Settings\Folder Redirection
In the Properties of the folder, you can choose Basic or Advanced folder
redirection, and you can designate the server file system path to which the folder
should be redirected.
31
The %USERNAME% variable may be used as part of the redirection path, thus
allowing the system to dynamically create a newly redirected folder for each user
to whom the policy object applies.
26. What different modes in windows 2003 (Mixed, native & intrim….etc)
What are the domain and forest function levels in a Windows Server 2003-basedActive
Directory?
Functional levels are an extension of the mixed/native mode concept introduced in
Windows 2000 to activate new Active Directory features after all the domain
controllers in the domain or forest are running the Windows Server 2003 operating
system.
When a computer that is running Windows Server 2003 is installed and promoted to
a domain controller, new Active Directory features are activated by the Windows
Server 2003 operating system over its Windows 2000 counterparts. Additional
Active Directory features are available when all domain controllers in a domain or
forest are running Windows Server 2003 and the administrator activates the
corresponding functional level in the domain or forest.
To activate the new domain features, all domain controllers in the domain must be
running Windows Server 2003. After this requirement is met, the administrator can
raise the domain functional level to Windows Server 2003 (read Raise Domain
Function Level in Windows Server 2003 Domains for more info).
To activate new forest-wide features, all domain controllers in the forest must be
running Windows Server 2003, and the current forest functional level must be at
Windows 2000 native or Windows Server 2003 domain level. After this requirement
is met, the administrator can raise the domain functional level (read Raise Forest
Function Level in Windows Server 2003 Active Directory for more info).
Note: Network clients can authenticate or access resources in the domain or forest
without being affected by the Windows Server 2003 domain or forest functional
levels. These levels only affect the way that domain controllers interact with each
other.
Important
Raising the domain and forest functional levels to Windows Server
2003 is a nonreversible task and prohibits the addition of Windows
32
NT 4.0–based or Windows 2000–based domain controllers to the
environment. Any existing Windows NT 4.0 or Windows 2000–
based domain controllers in the environment will no longer
function. Before raising functional levels to take advantage of
advanced Windows Server 2003 features, ensure that you will
never need to install domain controllers running Windows NT 4.0
or Windows 2000 in your environment.
When the first Windows Server 2003–based domain controller is deployed in a
domain or forest, a set of default Active Directory features becomes available. The
following table summarizes the Active Directory features that are available by
default on any domain controller running Windows Server 2003:
Feature Functionality
Multiple selection of user Allows you to modify common attributes of
objects multiple user objects at one time.
Allows you to move Active Directory objects
from container to container by dragging one or
more objects to a location in the domain
Drag and drop functionality hierarchy. You can also add objects to group
membership lists by dragging one or more
objects (including other group objects) to the
target group.
Search functionality is object-oriented and
Efficient search capabilities provides an efficient search that minimizes
network traffic associated with browsing objects.
Allows you to save commonly used search
Saved queries parameters for reuse in Active Directory Users
and Computers
Active Directory command- Allows you to run new directory service
line tools commands for administration scenarios.
The inetOrgPerson class has been added to the
InetOrgPerson class base schema as a security principal and can be
used in the same manner as the user class.
Application directory Allows you to configure the replication scope for
33
application-specific data among domain
controllers. For example, you can control the
replication scope of Domain Name System
partitions
(DNS) zone data stored in Active Directory so
that only specific domain controllers in the forest
participate in DNS zone replication.
Ability to add additional Reduces the time it takes to add an additional
domain controllers by using domain controller in an existing domain by using
backup media backup media.
Prevents the need to locate a global catalog
across a wide area network (WAN) when logging
Universal group membership
on by storing universal group membership
caching
information on an authenticating domain
controller.
Active Directory administrative tools sign and
Secure Lightweight Directory encrypt all LDAP traffic by default. Signing
Access Protocol (LDAP) LDAP traffic guarantees that the packaged data
traffic comes from a known source and that it has not
been tampered with.
Provides improved replication of the global
catalog when schema changes add attributes to
Partial synchronization of the
the global catalog partial attribute set. Only the
global catalog
new attributes are replicated, not the entire global
catalog.
Quotas can be specified in Active Directory to
control the number of objects a user, group, or
computer can own in a given directory partition.
Active Directory quotas
Members of the Domain Administrators and
Enterprise Administrators groups are exempt
from quotas.
When the first Windows Server 2003–based domain controller is deployed in a
domain or forest, the domain or forest operates by default at the lowest functional
level that is possible in that environment. This allows you to take advantage of the
34
default Active Directory features while running versions of Windows earlier than
Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced features
becomes available. For example, the Windows Server 2003 interim forest functional
level supports more features than the Windows 2000 forest functional level, but
fewer features than the Windows Server 2003 forest functional level supports.
Windows Server 2003 is the highest functional level that is available for a domain or
forest. The Windows Server 2003 functional level supports the most advanced
Active Directory features; however, only Windows Server 2003 domain controllers
can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot
introduce any domain controllers that are running versions of Windows earlier than
Windows Server 2003 into that domain. This applies to the forest functional level as
well.
Domain Functional Level
Domain functionality activates features that affect the whole domain and that
domain only. The four domain functional levels, their corresponding features, and
supported domain controllers are as follows:
Windows 2000 mixed (Default)
35
Windows Server 2003
Domains that are upgraded from Windows NT 4.0 or created by the promotion of a
Windows Server 2003-based computer operate at the Windows 2000 mixed
functional level. Windows 2000 domains maintain their current domain functional
level when Windows 2000 domain controllers are upgraded to the Windows Server
2003 operating system. You can raise the domain functional level to either Windows
2000 native or Windows Server 2003.
After the domain functional level is raised, domain controllers that are running
earlier operating systems cannot be introduced into the domain. For example, if you
raise the domain functional level to Windows Server 2003, domain controllers that
are running Windows 2000 Server cannot be added to that domain.
The following describes the domain functional level and the domain-wide features
that are activated for that level. Note that with each successive level increase, the
feature set of the previous level is included.
Forest Functional Level
Forest functionality activates features across all the domains in your forest. Three
forest functional levels, the corresponding features, and their supported domain
controllers are listed below.
Windows 2000 (default)
36
• Activated features: Windows 2000 features plus Efficient Group Member
Replication using Linked Value Replication, Improved Replication Topology
Generation. ISTG Aliveness no longer replicated. Attributes added to the global
catalog. ms-DS-Trust-Forest-Trust-Info. Trust-Direction, Trust-Attributes, Trust-
Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message
Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory,
Print-Rate, Print-Rate-Unit
After the forest functional level is raised, domain controllers that are running earlier
operating systems cannot be introduced into the forest. For example, if you raise
forest functional levels to Windows Server 2003, domain controllers that are running
Windows NT 4.0 or Windows 2000 Server cannot be added to the forest.
37
the network address translator with the following static network address
translator mappings:
• Public IP address/UDP port 500 to the server's private IP address/UDP port 500.
• Public IP address/UDP port 4500 to the server's private IP address/UDP port 4500.
These mappings are required so that all Internet Key Exchange (IKE) and IPSec
NAT-T traffic that is sent to the public address of the network address translator
is automatically translated and forwarded to the Windows Server 2003-based
computer
28. How to create application partition windows 2003 and its usage?
An application directory partition is a directory partition that is replicated only
to specific domain controllers. A domain controller that participates in the
replication of a particular application directory partition hosts a replica of that
partition. Only domain controllers running Windows Server 2003 can host a
replica of an application directory partition.
Applications and services can use application directory partitions to store
application-specific data. Application directory partitions can contain any type
of object, except security principals. TAPI is an example of a service that stores
its application-specific data in an application directory partition.
Application directory partitions are usually created by the applications that will
use them to store and replicate data. For testing and troubleshooting purposes,
members of the Enterprise Admins group can manually create or manage
application directory partitions using the Ntdsutil command-line tool.
Implicit Transitive trust will not be possible in windows 2003. Between forests
we can create explicit trust
Two-way trust
One-way: incoming
One-way: Outgoing
Information is stored locally once this option is enabled and a user attempts to log
on for the first time. The domain controller obtains the universal group
membership for that user from a global catalog. Once the universal group
membership information is obtained, it is cached on the domain controller for that
site indefinitely and is periodically refreshed. The next time that user attempts to
log on, the authenticating domain controller running Windows Server 2003 will
38
obtain the universal group membership information from its local cache without
the need to contact a global catalog.
By default, the universal group membership information contained in the cache of
each domain controller will be refreshed every 8 hours.
GPMC is tool which will be used for managing group policies and will display
information like how many policies applied, on which OU’s the policies applied,
What are the settings enabled in each policy, Who are the users effecting by these
polices, who is managing these policies. GPMC will display all the above
information.
RSoP provides details about all policy settings that are configured by an
Administrator, including Administrative Templates, Folder Redirection, Internet
Explorer Maintenance, Security Settings, Scripts, and Group Policy Software
Installation.
When policies are applied on multiple levels (for example, site, domain, domain
controller, and organizational unit), the results can conflict. RSoP can help you
determine a set of applied policies and their precedence (the order in which
policies are applied).
Through Group policy you can Assign and Publish the applications by creating
.msi package for that application
With Assign option you can apply policy for both user and computer. If it is
applied to computer then the policy will apply to user who logs on to that
computer. If it is applied on user it will apply where ever he logs on to the
domain. It will be appear in Start menu—Programs. Once user click the shortcut
or open any document having that extension then the application install into the
local machine. If any application program files missing it will automatically
repair.
With Publish option you can apply only on users. It will not install automatically
when any application program files are corrupted or deleted.
39
The Windows 2000 Recovery Console is a command-line console that you can
start from the Windows 2000 Setup program. Using the Recovery Console, you
can start and stop services, format drives, read and write data on a local drive
(including drives formatted to use NTFS), and perform many other administrative
tasks. The Recovery Console is particularly useful if you need to repair your
system by copying a file from a floppy disk or CD-ROM to your hard drive, or if
you need to reconfigure a service that is preventing your computer from starting
properly. Because the Recovery Console is quite powerful, it should only be used
by advanced users who have a thorough knowledge of Windows 2000. In
addition, you must be an administrator to use the Recovery Console.
• Crisis Management?
40
• Difference between Schema Master and Global Catlog?
Second level
• What are the services installed when RIS is installed. Read about RIS.
• How to trouble shoot if a DHCP client won’t get IP from DHCP Server?
• Tell me one example when Infracture master and Global catalog will be on
one DC, what is the issue if both resides on same system?
41
Note: This article assumes that the source domain is running Windows NT 4.0
Service Pack 4 (SP4) or later with 128-Bit encryption, and that the target domain
is a Windows Server 2003-based domain in native mode. Also, the Windows
Server 2003 must have 128-Bit encryption (which comes as a default setting in
Windows 2003).
Trusts
Groups
Add the Domain Admins global group from the source domain to the
Administrators local group in the target domain.
Add the Domain Admins global group from the target domain to the
Administrators local group in the source domain.
Create a new local group in the source domain called Source Domain$$$.
Auditing
Enable auditing for the success and failure of user and group management on the
source domain.
Enable auditing for the success and failure of Audit account management on the
target domain in the Default Domain Controllers policy.
Registry
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA
Administrative Shares
Administrative shares must exist on the domain controller in the target domain on
which you run ADMT, and on any computers on which an agent must be
dispatched.
42
User Rights
You must log on to the computer on which you run ADMT with an account that
has the following permissions:
You will have the appropriate rights when you log on to the PDC that is the
FSMO role holder in the target domain with the Source Domain\Administrator
account, assuming that the Source Domain\Domain Administrators group is a
member of the Administrators group on each computer.
How to Set Up ADMT for a Windows 2000 to Windows Server 2003 Migration
You can install the Active Directory Migration Tool version 2 (ADMTv2) on any
computer that is running Windows 2000 or later, including:
The computer on which you install ADMTv2 must be a member of either the source or
the target domain.
Intraforest Migration
Intraforest migration does not require any special domain configuration. The account you
use to run ADMT must have enough permissions to perform the actions that are
requested by ADMT. For example, the account must have the right to delete accounts in
the source domain, and to create accounts in the target domain.
43
optional in interforest migrations occur automatically. Specifically, the sIDHistory and
password are automatically migrated during all intraforest migrations.
Interforest Migration
ADMT requires the following permissions to run properly:
The account you use to run ADMT must have enough permissions to complete the
required tasks. The account must have permission to create computer accounts in the
target domain and organizational unit, and must be a member of the local Administrators
group on each computer to be migrated.
Create a new local group in the source domain that is named %sourcedomain%$$$.
There must be no members in this group.
Turn on auditing for the success and failure of Audit account management on both
domains in the Default Domain Controllers policy.
Configure the source domain to allow RPC access to the SAM by configuring the
following registry entry on the PDC Emulator in the source domain with a DWORD
value of 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\TcpipClientSupport
44
You must restart the PDC Emulator after you make this change.
Note: For Windows 2000 domains, the account you use to run ADMTv2 must have
domain administrator permissions in both the source and target domains. For Windows
Server 2003 target domains, the 'Migrate sIDHistory' may be delegated. For more
information, see Windows Server 2003 Help & Support.
You can turn on interforest password migration by installing a DLL that runs in the
context of LSA. By running in this protected context, passwords are shielded from being
viewed in cleartext, even by the operating system. The installation of the DLL is
protected by a secret key that is created by ADMTv2, and must be installed by an
administrator.
Move the .pes file you created in step 2 to the designated Password Export Server in the
source domain. This can be any domain controller, but make sure it has a fast, reliable
link to the computer that is running ADMT.
Install the Password Migration DLL on the Password Export Server by running the
Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder on the Windows Server
2003 installation media, or the folder to which you downloaded ADMTv2 from the
Internet.
When you are prompted to do so, specify the path to the .pes file that you created in step
2. This must be a local file path.
If you are ready to migrate passwords, modify the following registry key to have a
DWORD value of 1. For maximum security, do not complete this step until you are ready
to migrate.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\AllowPasswordExport
45
The Active Directory Migration Tool v2 is included in the I386\Admt folder on the
Windows Server 2003 CD.
The Active Directory Migration Tool provides an easy, secure, and fast way to migrate to
Windows 2000 Active Directory service. As a system administrator, you can use this tool
to diagnose any possible problems before starting migration operations to Windows 2000
Server Active Directory. You can then use the task-based wizard to migrate users,
groups, and computers; set correct file permissions; and migrate Microsoft Exchange
Server mailboxes. The tool's reporting feature allows you to assess the impact of the
migration, both before and after move operations.
In many cases, if there is a problem, you can use the rollback features to automatically
restore previous structures. The tool also provides support for parallel domains, so you
can maintain your existing Windows NT 4.0 domains while you deploy Windows 2000.
Note: To successfully run the AD Migration Tool the source domain must be running
Windows NT 4.0 Service Pack 4 or later, and the target domain will be a Windows 2000-
based domain in Native mode.
Version 2.0 of ADMT is from Windows Server 2003 and has many new features:
Password Migration
Translation
Agent Credentials
Migration Log
• What are the steps you follow when you are promoting a server as ADC in
windows 2003?
46
• What are the two parameters you run before upgrading the server to an
ADC(/forestprep, /domainprep).
• What happens if DNS server fails. Can a user is able to login if the DNS
server fails(if you have only one DNS Server).
In fact, you can configure any aspect of the computer behavior with it. Although
it is a cool toy; working with it without proper attention can cause unexpected
behavior.
Here are some basic terms you need to be familiar with before drilling down into
Group Policy:
Local policy - Refers to the policy that configures the local computer or server,
and is not inherited from the domain. You can set local policy by running
gpedit.msc from the Run command, or you can add "Group Policy Object Editor"
snap-in to MMC. Local Policies also exist in the Active Directory environment, but
have many fewer configuration options that the full-fledged Group Policy in AD.
47
GPO - Group Policy Object - Refers to the policy that is configured at the
Active Directory level and is inherited by the domain member computers. You
can configure a GPO – Group Policy Object - at the site level, domain level or OU
level.
GPC – Group Policy Container - The GPC is the store of the GPOs; The GPC is
where the GPO stores all the AD-related configuration. Any GPO that is created
is not effective until it is linked to an OU, Domain or a Site. The GPOs are
replicated among the Domain Controllers of the Domain through replication of
the Active Directory.
GPT - Group Policy Templates - The GPT is where the GPO stores the actual
settings. The GPT is located within the Netlogon share on the DCs.
Netlogon share - A share located only on Domain Controllers and contains
GPOs, scripts and .POL files for policy of Windows NT/98. The Netlogon share
replicates among all DCs in the Domain, and is accessible for read only for the
Everyone group, and Full Control for the Domain Admins group. The Netlogon's
real location is:
C:\WINDOWS\SYSVOL\sysvol\domain.com\SCRIPTS
When a domain member computer boots up, it finds the DC and looks for the
Netlogon share in it.
To see what DC the computer used when it booted, you can go to the Run
command and type %logonserver%\Netlogon. The content of the Netlogon
share should be the same on all DCs in the domain.
GPO behavior
Group Policy is processed in the following order:
Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
and so on.
GPOs inherited from the Active Directory are always stronger than local policy.
When you configure a Site policy it is being overridden by Domain policy, and
Domain policy is being overridden by OU policy. If there is an OU under the
previous OU, its GPO is stronger the previous one.
The rule is simple, as more you get closer to the object that is being configured,
the GPO is stronger.
What does it mean "stronger"? If you configure a GPO and linke it to
"Organization" OU, and in it you configure Printer installation – allowed and then
at the "Dallas" OU you configured other GPO but do not allow printer installation,
then the Dallas GPO is more powerful and the computers in it will not allow
installation of printers.
48
The example above is true when you have different GPOs that have similar
configuration, configured with opposite settings. When you apply couple of GPOs
at different levels and every GPO has its own settings, all settings from all GPOs
are merged and inherited by the computers or users.
Group Policy sections
Each GPO is built from 2 sections:
You can download .ADM files for the Microsoft operating systems
Tools used to configure GPO
You can configure GPOs with these set of tools from Microsoft (other 3rd-party
tools exist but we will discuss these in a different article):
1. Group Policy Object Editor snap-in in MMC - or - use gpedit.msc from the
Run command.
2. Active Directory Users and Computers snap in - or dsa.msc – to invoke
the Group Policy tab on every OU or on the Domain.
3. Active Directory Sites and Services - or dssite.msc – to invoke the Group
Policy tab on a site.
4. Group Policy Management Console - or gpmc.msc - this utility is NOT
included in Windows 2003 server and needs to be separately installed. You can
download it from HERE
Note that if you'd like to use the GPMC tool on Windows XP, you need to install it
on computers running Windows XP SP2. Installing it on computers without SP2
will generate errors due to unsupported and newer .ADM files.
49
GPMC utility - Creating a GPO
When you create a GPO it is stored in the GPO container. After creation you
should link the GPO to an OU that you choose.
Linking a GPO
To link a GPO simply right click an OU and choose Link an existing GPO or you
can create and link a GPO in the same time. You can also drag and drop a GPO
from the Group Policy Objects folder to the appropriate Site, Domain or OU.
When you right-click a link you can:
Edit a GPO - This will open the GPO window so you can configure settings.
Link/Unlink a GPO - This setting allows you to temporarily disable a link if you
need to add settings to it or if you will activate it later.
Enabling/disabling computer or user settings
GPO has computer and user settings but if you create a GPO that contains only
computer settings, you might want to disable the user settings in that GPO, this
will reduce the amount of settings replicated and can also be used for testing.
To disable one of the configurations simply choose the GPO link and go to
Details tab:
50
Block/Enforce inheritance
You can block policy inheritance to an OU if you don’t want the settings from
upper GPOs to configure your OU.
To block GPO inheritance, simply right click your OU and choose "Block
Inheritance". Blocking inheritance will block all upper GPOs.
In case you need one of the upper GPOs to configure all downstream OUs and
overcome Block inheritance, use the Enforce option of a link. Enforcing a GPO is
a powerful option and rarely should be used.
You can see in this example that when you look at Computers OU, three
different GPOs are inherited to it.
In this example you can see that choosing "Block inheritance" will reject all
upper GPOs.
Now, if we configure the "Default domain policy" with the Enforce option, it will
overcome the inheritance blocking.
Link order
When linking more than one GPO to an OU, there could be a problem when two
or more GPOs have the same settings but with opposite configuration, like,
GPO1 have Allow printer installation among other settings but GPO2 is
configured to prevent printer installation among other settings. Because the two
GPOs are at the same level, there is a link order which can be changed.
The GPO with the lowest link order is processed last, and therefore has the
highest precedence.
Security Filtering
Filtering let you choose the user, group or computer that the GPO will apply
onto. If you configured "Computers" OU with a GPO but you only want to
configure Win XP stations with that GPO and exclude Win 2000 stations, you can
easily create a group of Win XP computers and apply the GPO only to that
group.
This option save you from creating complicated OU tree with each type of
computer in it.
51
A user or a group that you configure in the filtering field have by default the
"Read" and "Apply" permission. By default when you create a GPO link, you can
see that "Authenticated users" are listed.
In the above example, Office 2K3 will be installed on all computers that are part
of the two listed groups.
If we still were using Authenticated users, the installation of the Office suite
could have followed the user to any computer that he logs onto, like servers or
other machines. Using filtering narrows the installation options.
If you want to configure these permissions with higher resolution, you can go to
Delegation tab and see the permissions. Going to the Advanced Tab will let you
configure the ACL permission with the highest resolution.
Note: Windows 2000 doesn't support the Gpupdate command so you need run a
different command instead:
Secedit /refreshpolicy machine_policy
52
If any configuration change requires a logoff or a restart message will appear:
The default result is for the logged on user on that machine. You can also choose
to check what is the results for other users on to that machine. If you use /v
or /z switches you will get very detailed information.
You can see what GPOs were applied and what GPOs were filtered out and the
reason for not being deployed.
53
Microsoft (R) Window s (R) XP Operating System Group Policy
Copyright (C) Microsoft Corp. 1981-2001
Created On 04/24/2005
RSOP results for XPPRO\Administrator on XPPRO: Logging Mod
-------------------------------------------------------------------------
OS Type: Microsoft Window s XP Professio
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: NWTRADERS
Domain Type: Window sNT 4
Site Name: N/A
Roaming Profile:
Local Profile: C:\Documents and Sett
Connected over a slow link? No
COMPUTER SETTINGS
-------------------------
Last time Group Policy w as applied: 04/24/2005
Group Policy w as applied from: london.nw traders.msft
Group Policy slow link threshold: 500 kbps
The follow ing GPOs w ere not applied because they w ere filter
----------------------------------------------------------------------------
Raanana XP SP2 Behavior
Filtering: Not Applied (Empty)
USER SETTINGS
--------------
Last time Group Policy w as applied: 04/24/2005
Group Policy w as applied from: N/A
Group Policy slow link threshold: 500 kbps
54
2. Resultant Set of Policy snap-in in MMC.
This is the most comfortable option that let you check the RSoP data on every
computer or user from a central location. This option also displays the summary
of the RSoP and Detailed RSoP data in HTML format.
In the example above example you can see the summary of applied or non
applied GPOs both of computer and user settings.
When looking at the Settings tab we can see what settings did applied on the
computer and see which is the "Winning GPO" that actually configured the
computer with the particular setting.
55