Why is a hub a Physical Layer device?
A hub is a layer 1 (physical) device because it does not use any part of the packet header to direct the packet to the right destination; it just broadcasts to all connected computers.
Universal groups are not present in Win2000 mixed mode; the forest level needs to be Win2003 for it to work.
Universal groups can be used anywhere in the same Windows forest. They are only available in a Native-mode enterprise. Universal groups may be an easier approach for some administrators because there are no intrinsic limitations on their use. Users can be directly assigned to Universal groups, they can be nested, and they can be used directly with access-control lists to denote access permissions in any domain in the enterprise.
Universal groups are stored in the global catalog (GC); this means that all changes made to these groups engender replication to all global catalog servers in the entire enterprise. Changes to universal groups must therefore be made only after a careful examination of the benefits of universal groups as compared to the cost of the increased global catalog replication load. If an organization has but a single, well-connected LAN, no performance degradation should be experienced, while widely dispersed sites might experience a significant impact. Typically, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely.
What is the minimum number of domains required for an Active Directory tree?
3 as it is the minimum amount of domains in anything. I think this is for an Active Directory Tree!
Can you have more than one domain controller in an Active Directory domain that is writeable?
Yes, all domain controllers (2003, 2008) are writable except when it's a 2008 RODC.
How can one domain of childhood affect the development of another domain?
The (cognitive) brain is what sends the receptive signals. The brain sends that signal and responds with physical development and actions. Cognitive development affects emotional development because it allows us to think and understand emotions and feelings of others and ourselves.
What are the primary functions of active directory?
To provide authentication and authorization services for hardware and software resources on the network, like computers, users, printers, groups, etc. Authentication would be verifying the user's identity while authorization is the process of granting the user access to only the resources they are permitted to use.
To provide authentication and authorization services for hardware and software resources on the network. Authentication would be verifying the user's identity while authorization is the process of granting the user access to only the resources they are permitted to use.
recognition
What is the minimum amount of storage space required for the Active Directory installation files?
250 MB
Domain Name Servers hold IP address to host name and host name to IP address mappings. For each domain there is usually a primary and secondary Domain Name Server.
What is Active Directory Integrated?
The term Active Directory-integrated DNS means that during replication of AD all changed/updated data is replicated, and we don't have to replicate DNS zone files (which contain information about the DNS records) separately.
Active Directory-integrated DNS enables Active Directory storage and replication of DNS zone databases. Windows 2000 DNS server, the DNS server that is included with Windows 2000 Server, accommodates storing zone data in Active Directory. When you configure a computer as a DNS server, zones are usually stored as text files on name servers - that is, all of the zones required by DNS are stored in a text file on the server computer. These text files must be synchronized among DNS name servers by using a system that requires a separate replication topology and schedule called a zone transfer. However, if you use Active Directory-integrated DNS when you configure a domain controller as a DNS name server, zone data is stored as an Active Directory object and is replicated as part of domain replication.
What is the PowerShell cmdlet and syntax for demoting a domain controller?
To demote a domain controller, again your best option is Uninstall-ADDSDomainController. You need to specify at least the local administrator's password, which is defined as a SecureString. The syntax looks like this:
Uninstall-ADDSDomainController -LocalAdministratorPassword (Read-Host -Prompt "Password" -AsSecureString)
The Get-Help Uninstall-ADDSDomainController cmdlet gives you more information on the command. You can also name, reboot, and add servers to domains in PowerShell. To do this, PowerShell provides the following cmdlets:
Rename-Computer -NewName <Computername>
Add-Computer -DomainName <domain name>
Restart-Computer
You can also set up replication in PowerShell. For a list of the available commands, type Get-Command *adreplication*, and to display help for the cmdlets, use the Get-Help cmdlet.
Uninstall-ADDSDomainController
Uninstall-WindowsFeature
-Credential <PSCredential>
-ForceRemoval <{ $true | $false }>
-LastDomainControllerInDomain <{ $true | $false }>
-IgnoreLastDnsServerForZone <{ $true | $false }>
-RemoveApplicationPartitions <{ $true | $false }>
-RemoveDnsDelegation <{ $true | $false }>
-DnsDelegationRemovalCredential <PSCredential>
Uninstall-DomainController
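The demotion described in the answers above, written as a staged procedure with a prerequisite check before anything is changed. This is an added example, not part of the original answers; it assumes Windows Server 2012 or later with the ADDSDeployment module available and an elevated session on the domain controller being demoted.

```powershell
# Added example (not from the original answers): staged domain controller demotion.
# Assumption: Windows Server 2012 or later, elevated session on the DC being removed.
Import-Module ADDSDeployment

# Read the new local Administrator password as a SecureString so it never
# appears in the script text, console history or a transcript.
$localAdminPw = Read-Host -Prompt 'New local Administrator password' -AsSecureString

# Stage 1: prerequisite check only. Nothing on the server is changed.
$results = Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localAdminPw
$results | Format-List Message, Context, Status

# Stop if any prerequisite test reported an error.
$blocking = @($results | Where-Object { "$($_.Status)" -eq 'Error' })
if ($blocking.Count -gt 0) {
    throw "Demotion blocked by $($blocking.Count) prerequisite error(s); resolve them before retrying."
}

# Stage 2: demote. -ForceRemoval and -LastDomainControllerInDomain are
# deliberately not passed; a healthy DC that is not the last one in its
# domain should demote cleanly without them. -Confirm forces an interactive
# confirmation before the operation starts. The server reboots when done.
Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdminPw -Confirm

# Stage 3: after the reboot, in a new elevated session on the now-member
# server, remove the role binaries and management tools:
# Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
```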
What is the purpose of VPN tunnel?
The purpose of a Virtual Private Network (VPN) tunnel is to create a safe and secure network environment between a server network and a remote terminal so that a remote user can gain access to networked resources that they would not normally be able to gain access to.
What DNS record types should you create to indicate the location of mail servers?
domain.com. IN MX 10 mail.domain.com.
The MX record is used for mail servers.
If you have not selected any DC as a bridgehead server, then it automatically follows the ISTG (InterSite Topology Generator), which chooses its own DC to replicate, and if this link is down it makes another; but if you define a bridgehead server, in that case if the link fails the replication stops.
What are the advantages of immunisation?
Immunisation is the better option as it can protect you from catching infectious or deadly diseases. This stops people from getting ill, which can cause emotional distress for the patient, parents and other friends and family members. Through people being immunised, it can wipe out diseases such as meningitis C, smallpox and polio.
THIS ANSWER WILL ALSO HELP BELOW THANKS TO MY SKILLS:::
- Immunisation protects children (and adults) against harmful infections before they come into contact with them in the community.
- Immunisation uses the body's natural defense mechanism - the immune response - to build resistance to specific infections. Nine diseases can be prevented by routine childhood immunisation - diphtheria, tetanus, whooping cough, poliomyelitis (polio), measles, mumps, rubella, Haemophilus influenza type b (Hib) and hepatitis B. All of these diseases can cause serious complications and sometimes death.
- Immunisation is given as an injection or, in the case of polio vaccine, taken as drops by mouth. Immunisation helps children stay healthy by preventing serious infections.
What is the authentication protocol used in 2008?
The Windows operating systems implement a default set of authentication protocols - Kerberos, NTLM, TLS/SSL, Digest, and PKU2U - as part of an extensible architecture. In addition, some protocols are combined into authentication packages such as the Credential Security Support Provider (CredSSP), Negotiate, and Negotiate Extensions. These protocols and packages enable authentication of users, computers, and services; the authentication process, in turn, enables authorized users and services to access resources in a secure manner.
Windows authentication protocols are conventions that control or enable the connection, communication, and data transfer between computers in a Windows environment by verifying the identity of the credentials of a user, computer, or process. The authentication protocols are security support providers (SSPs) that are installed in the form of dynamic-link libraries (DLLs).
Negotiate
Microsoft Negotiate is an SSP that acts as an application layer between the Security Support Provider Interface (SSPI) and the other SSPs. When an application calls into SSPI to log on to a network, it can specify an SSP to process the request. If the application specifies Negotiate, Negotiate analyzes the request and selects the best SSP to handle the request based on the configured security policy.
Currently, the Negotiate SSP selects either the Kerberos or NTLM protocol. Negotiate selects the Kerberos protocol unless it cannot be used by one of the systems involved in the authentication or if the client application did not provide a target name as a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name. Otherwise, Negotiate will select the NTLM protocol.
A server that uses the Negotiate SSP can respond to client applications that specifically select either the Kerberos or NTLM protocol. However, a client application must first query the server to determine if it supports the Negotiate package before using Negotiate. (Negotiate is supported on Windows operating systems beginning with Windows Server 2003 and Windows XP.) A server that does not support Negotiate cannot always respond to requests from clients that specify Negotiate as the SSP
Kerberos
The Kerberos version 5 (v5) authentication protocol provides a mechanism for authentication - and mutual authentication - between a client and a server, or between one server and another server.
NTLM
The NTLM version 2 (NTLMv2) authentication protocol is a challenge/response authentication protocol. NTLM is used when exchanging communications with a computer running Windows NT Server 4.0 or earlier. Networks with this configuration are referred to as mixed-mode. NTLM is also the authentication protocol for computers that are not participating in a domain, such as stand-alone servers and workgroups.
Negotiate Extensions
NegoExts (NegoExts.dll) is an authentication package that negotiates the use of SSPs for applications and scenarios implemented by Microsoft and other software companies. Pku2u.dll is one of the supported SSPs that is installed by default, and developers can create custom providers.
PKU2U
The PKU2U protocol in Windows 7 and Windows Server 2008 R2 is implemented as an SSP. The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain.
Credential Security Support Provider
Windows Vista introduced a new authentication package called the Credential Security Support Provider (CredSSP) that provides a single sign-on (SSO) user experience when starting new Terminal Services sessions. CredSSP enables applications to delegate users' credentials from the client computer (by using the client-side SSP) to the target server (through the server-side SSP) based on client policies
TLS/SSL
The TLS/SSL protocols are used to authenticate servers and clients, and to encrypt messages between the authenticated parties. The TLS/SSL protocols, versions 2.0 and 3.0, and the Private Communications Transport (PCT) protocol are based on public key cryptography. The secure channel (Schannel) authentication protocol suite provides these protocols. All Schannel protocols use a client/server model and are primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications
Digest
The Digest authentication protocol is a challenge/response protocol that is designed for use with HTTP and Simple Authentication Security Layer (SASL) exchanges. These exchanges require that parties requesting authentication must provide secret keys.
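To see which protocol Negotiate actually ended up using for each logon, the Security log's event 4624 records the package in its AuthenticationPackageName field and, for NTLM, the version in LmPackageName. The following is an added example, not part of the original answer; the event XML is constructed sample data trimmed to the fields used, and the function name Get-LogonPackage is hypothetical.

```powershell
# Added example (not from the original answer). Constructed sample 4624 events,
# trimmed to the fields read below. On a live system, obtain the XML with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#       ForEach-Object { $_.ToXml() }
$sampleEvents = @(
    '<Event><EventData>
       <Data Name="TargetUserName">alice</Data>
       <Data Name="AuthenticationPackageName">Kerberos</Data>
       <Data Name="LmPackageName">-</Data>
       <Data Name="WorkstationName">-</Data></EventData></Event>',
    '<Event><EventData>
       <Data Name="TargetUserName">svc-backup</Data>
       <Data Name="AuthenticationPackageName">NTLM</Data>
       <Data Name="LmPackageName">NTLM V2</Data>
       <Data Name="WorkstationName">FILESRV01</Data></EventData></Event>',
    '<Event><EventData>
       <Data Name="TargetUserName">legacyapp</Data>
       <Data Name="AuthenticationPackageName">NTLM</Data>
       <Data Name="LmPackageName">NTLM V1</Data>
       <Data Name="WorkstationName">OLDHOST</Data></EventData></Event>'
)

# Hypothetical helper: turn each event's EventData into one object per logon.
function Get-LogonPackage {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $fields = @{}
        foreach ($d in ([xml]$raw).Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            User        = $fields['TargetUserName']
            Package     = $fields['AuthenticationPackageName']
            NtlmVersion = $fields['LmPackageName']
            Workstation = $fields['WorkstationName']
        }
    }
}

# Logons where NTLM was used instead of Kerberos.
$ntlm = Get-LogonPackage -EventXml $sampleEvents | Where-Object { $_.Package -eq 'NTLM' }
$ntlm | Sort-Object NtlmVersion, User | Format-Table -AutoSize

# NTLMv1 logons are called out separately for follow-up.
$ntlm | Where-Object { $_.NtlmVersion -eq 'NTLM V1' } | ForEach-Object {
    Write-Warning "NTLMv1 logon: $($_.User) from $($_.Workstation)"
}
```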
What is the authentication protocol used by Windows 2000 and later computers in a domain called?
LDAP (Lightweight Directory Access Protocol) is a protocol that is used for authentication in a domain.
How does a RODC differ from a normal domain controller?
An RODC has a read-only NTDS.Dit file; on the other hand, a domain controller (ADC & DC) has a read & write NTDS.Dit file.
Replication is only one way: DC to RODC.
Amit Tripathi
Annik SAT
What is the main purpose of SRV records?
The main purpose of the SRV record is to know whether the AD installation was successful, i.e. we can find these records in DNS. These indicate that the AD has communicated with the DNS during its installation.