Active Directory

Active Directory is a set of networking services made by Microsoft. Questions about using and configuring Active Directory belong here.


What are GPOs in Active Directory?

Group Policy Objects (GPOs) are collections of settings for Windows operating systems.

In general terms, they are created for two reasons: to control the look and feel of the operating system and its functionality (the "user experience") or to govern the way the system works such as its security and operation.

Administrators have been able to apply policies to machines since Windows 9x/NT3 but with the advent of Active Directory in Windows 2000, GPOs have allowed a granular centralised control mechanism for domain members ranging across almost all aspects of the OS and many of the Microsoft products (primarily Internet Explorer and the Office suite, although customisation allows virtually any application to be controlled).

Group Policy settings can apply either to the machine itself (and consequently apply to all users of that machine) or to groups of users of the machine. They grant the ability to standardise an estate.

In large organisations, they are used to control password policies, logon rights, privileges, permissions, registry settings, the desktop and the underlying security of the infrastructure. They are vital in maintaining control and governance.

As examples of their capabilities, you can set all machines to have the same colour scheme, screensaver, minimum password length/complexity, or any of the thousands of options available. They can be used to roll out software, fire startup and logon scripts, and enable/disable services, etc.
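As an added example (not part of the original answer), the following PowerShell lists the account-policy settings each GPO in the domain carries, which is one way to verify the central control over minimum password length and complexity described above. It assumes the GroupPolicy module (RSAT) is installed, and that the XML report names these settings in Account elements as MinimumPasswordLength, PasswordComplexity and MaximumPasswordAge; the 14-character baseline is an assumed value.

```powershell
# Added example: report the password policy settings carried by every GPO.
Import-Module GroupPolicy

function Get-GpoPasswordSettings {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [int]$MinLengthExpected = 14   # assumed baseline; adjust to your own policy
    )
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain
        # Security Settings > Account Policies appear as <Account> elements; the
        # report uses q1:/q2: namespace prefixes, so match on local-name() instead.
        $accounts = $report.SelectNodes("//*[local-name()='Account']")
        if ($accounts.Count -eq 0) { continue }   # this GPO sets no account policy
        $s = @{}
        foreach ($a in $accounts) {
            $name = $a.SelectSingleNode("*[local-name()='Name']").InnerText
            $num  = $a.SelectSingleNode("*[local-name()='SettingNumber']")
            $bool = $a.SelectSingleNode("*[local-name()='SettingBoolean']")
            $s[$name] = if ($num) { [int]$num.InnerText }
                        elseif ($bool) { [bool]::Parse($bool.InnerText) }
                        else { $null }
        }
        $row = [pscustomobject]@{
            GPO                   = $gpo.DisplayName
            Status                = $gpo.GpoStatus
            MinimumPasswordLength = $s['MinimumPasswordLength']
            PasswordComplexity    = $s['PasswordComplexity']
            MaximumPasswordAge    = $s['MaximumPasswordAge']
        }
        # Flag a GPO whose minimum length falls below the expected baseline.
        if ($null -ne $row.MinimumPasswordLength -and
            $row.MinimumPasswordLength -lt $MinLengthExpected) {
            Write-Warning ("{0}: minimum password length {1} is below {2}" -f
                $gpo.DisplayName, $row.MinimumPasswordLength, $MinLengthExpected)
        }
        $row
    }
}

Get-GpoPasswordSettings | Format-Table -AutoSize
```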

What are the five FSMO roles in Active Directory forest with one parent and two child domains?

There are five roles:

They are further classified into two groups:

1. Forest Roles
  • Schema Master - As the name suggests, the changes that are made during the creation of any object in AD, or changes to attributes, will be made by a single domain controller and then replicated to the other domain controllers present in your environment. There is no corruption of the AD schema if all the domain controllers try to make changes. This is one of the very important roles in the FSMO roles infrastructure.
  • Domain Naming Master - This role is not used very often, only when you add/remove any domain controllers. This role ensures that there is a unique name for domain controllers in the environment.
2. Domain Roles
  • Infrastructure Master - This role checks the domain for changes to any objects. If any changes are found, it will replicate them to the other domain controllers.
  • RID Master - This role is responsible for making sure each security principal has a different identifier.
  • PDC Emulator - This role is responsible for account policies such as client password changes and time synchronization in the domain.

What is a collection of computers that all utilize a central directory service for authentication and authorization and is usually associated with Active Directory?

It depends on your setup. If all of the computers are networked in a workgroup environment, then you need to have a locally stored profile on each computer that redirects to the master file server. The SAM will be the database in this case.

If you have a domain environment, then just join all of the computers into the domain and they should be able to log on to any computer on the network. The AD will take care of security, and NTDS.DIT will be the database in this case.

What happens when a domain controller that holds a FSMO role fails and will not be returned to the network?

Yes, and it is recommended that the roles be seized and transferred to a healthy DC.

The way to transfer is as follows:

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.

C:\WINDOWS>ntdsutil

ntdsutil:

2. Type roles, and then press ENTER.

ntdsutil: roles

fsmo maintenance:

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.

3. Type connections, and then press ENTER.

fsmo maintenance: connections

server connections:

4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

server connections: connect to server server100

Binding to server100 ...

Connected to server100 using credentials of locally logged on user.

server connections:

5. At the server connections: prompt, type q, and then press ENTER again.

server connections: q

fsmo maintenance:

6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:

Options are:

Seize domain naming master

Seize infrastructure master

Seize PDC

Seize RID master

Seize schema master

7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

fsmo maintenance: Seize infrastructure master

Attempting safe transfer of infrastructure FSMO before seizure.

ldap_modify_sW error 0x34(52 (Unavailable).

Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE), data 1722

Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)

)

Depending on the error code this may indicate a connection, ldap, or role transfer error.

Transfer of infrastructure FSMO failed, proceeding with seizure ...

Server "server100" knows about 5 roles

Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.

9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server. If the Infrastructure Master runs on a GC server, it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.
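As an added example (not part of the original answer), the following PowerShell does the same job with the ActiveDirectory module instead of Ntdsutil: it lists the five role holders, checks the Infrastructure Master / Global Catalog placement from the note above, and seizes roles onto a surviving DC only when explicitly called. It assumes RSAT is installed on a domain member with the rights to move roles; the server name in the final comment is a placeholder taken from the transcript above.

```powershell
# Added example: audit FSMO role holders and seize roles with the AD module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster        # forest role
        DomainNamingMaster   = $forest.DomainNamingMaster  # forest role
        InfrastructureMaster = $dom.InfrastructureMaster   # domain role
        RIDMaster            = $dom.RIDMaster              # domain role
        PDCEmulator          = $dom.PDCEmulator            # domain role
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $im  = (Get-ADDomain -Identity $Domain).InfrastructureMaster
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    $imIsGc = ($dcs | Where-Object { $_.HostName -eq $im }).IsGlobalCatalog
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    # An IM on a GC only goes stale when some other DC in the domain is not a GC.
    if ($imIsGc -and -not $allGc) {
        Write-Warning "Infrastructure Master $im is a Global Catalog while other DCs are not."
        return $false
    }
    return $true
}

function Invoke-FsmoSeizure {
    param(
        [Parameter(Mandatory)][string]$TargetDC,   # healthy DC that takes the roles
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','InfrastructureMaster',
                     'RIDMaster','PDCEmulator')]
        [string[]]$Roles
    )
    # Without -Force the cmdlet only transfers; with -Force it seizes the role
    # when the current holder cannot be contacted. As with ntdsutil, the former
    # holder must never be brought back onto the network afterwards.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $Roles -Force -Confirm:$false
}

Get-FsmoRoleHolders | Format-List
Test-InfrastructureMasterPlacement | Out-Null
# Placeholder usage: Invoke-FsmoSeizure -TargetDC 'server100' -Roles RIDMaster,InfrastructureMaster
```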

What services does Next Directory offer to its customers?

NextDirectory is a British website offering clothing for men, women and children, as well as a small range of homewares. Next is a large retail group with hundreds of physical stores as well as a large online presence.

What is the Active Directory organizational unit?

  1. Open Active Directory Users and Computers.
  2. In the console tree, right-click the folder in which you want to add an organizational unit.

    Where?

    • Active Directory Users and Computers/domain node/folder
  3. Point to New, and then click Organizational Unit.
  4. Type the name of the organizational unit.

The administrator of the first domain in a forest is called the?

The administrator. He/she is part of the Administrators group and has all rights in the domain. The Enterprise Admin has all the rights on the forest/domain; both are default groups. You can rename your administrator's name and make him part of this group.

What are an authoritative DNS server and a non-authoritative DNS server?

An authoritative DNS server is a server that has its own databases with name resolution for clients, resolving from name to IP address and from IP address to name.

A non-authoritative DNS server is a server that forwards DNS client requests to an authoritative DNS server for resolution.

Why is DNS a requirement for Active Directory to work?

DNS is extremely important to all aspects of proper Active Directory operation. Any time a client makes a request for a domain service, it must find a domain controller to service that request, which is where DNS comes into play.

There are two types of DNS queries: recursive and iterative.

When a DNS client requests DNS information, it uses a recursive query to do so.

In a recursive query, the DNS client sends its query to the first DNS server that it has been configured for in its TCP/IP configuration. It then sits and waits for the server to return an answer. If the server returns a positive response, the client will then go to the IP address returned by the server.

What is the name of the first domain in an Active Directory tree?

The first is the parent domain, and everything after that is a child domain. So you might have something like:

parent.local - this would be the first domain, the parent domain

child.parent.local - this is the second, or child, domain

What can you do to promote a server to DC if you are on a remote location with slow WAN link?

First available in Windows 2003, you will create a copy of the system state from an existing DC and copy it to the new remote server. Run "Dcpromo /adv". You will be prompted for the location of the system state files

===================================

Answer B:

Back up the system state as follows:

  1. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in wizard mode, click the Advanced Mode hyperlink.)
  2. From the Backup tab, click to select the System State check box in the left pane. Do not back up the file system part of the SYSVOL tree separately from the system state backup.
  3. In the Backup media or file name box, specify the drive, path, and file name of the system state backup.
     Name the file .bak (recommended and general).

Restore the system state as below on the target computer:

  1. Log on to the Windows Server 2003-based computer that you want to promote. You must be a member of the local administrators group on this computer.
  2. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in wizard mode, click the Advanced Mode hyperlink.)
  3. In the Backup utility, click the Restore and Manage Media tab. In the Tools menu, click Catalog a backup file..., and then locate the .bkf file that you created earlier. Click OK.
  4. Expand the contents of the .bkf file, and then click to select the System State check box.
  5. In Restore files to:, click Alternate Location. To restore the system state, type the logical drive and the path. We suggest that you type X:\Ntdsrestore. In this command, X is the logical drive that will ultimately host the Active Directory database when the member computer is promoted. The final location for the Active Directory database is selected when you run the Active Directory Installation Wizard. This folder must be different from the folder that contains the restored system state.
Now the last stage is promoting an additional domain controller:
  1. Verify that the domain controller that is to be promoted has DNS name resolution and network connectivity to existing domain controllers in the domain controller's target domain.
  2. Click Start, click Run, type dcpromo /adv, and then click OK.
  3. Click Next to bypass the Welcome to the Active Directory Installation Wizard and Operating System Compatibility dialog boxes.
  4. On the Domain Controller Type page, click Additional domain controller for an existing domain, and then click Next.
  5. On the Copying Domain Information page, click From these restored backup files:, and then type the logical drive and the path of the alternative location where the system state backup was restored. Click Next.
  6. In Network Credentials, type the user name, the password, and the domain name of an account that is a member of the domain administrators group for the domain that you are promoting in.
  7. Continue with the remainder of the Active Directory Installation Wizard pages as you would with the standard promotion of an additional domain controller.
  8. After the SYSVOL tree has replicated in, and the SYSVOL share exists, delete any remaining restored system files and folders.
Regards,

Rizwan Ranjha

Network Engineer

===================================

What term describes the length of time for which a DNS record is valid, after which it needs to be re-registered?

Time-to-Live (TTL)

The DNS system powers the Internet as we know it today and is responsible for converting domain names into IP addresses and for placing them on the correct hosting server. But the DNS system would have been just a theoretical concept if TTL were not present.

TTL is an acronym for Time To Live and refers to the capability of the DNS servers to cache DNS records. It represents the amount of time that a DNS record for a certain host remains in the cache memory of a DNS server after the latter has located the host's matching IP address.

By specifying TTL settings for a particular domain's DNS records, webmasters define the frequency of website content updates. The longer the TTL value is, the faster the domain resolution time periods will be. The TTL value can be set from one to several hours, if you are not planning any changes to your domain's DNS records in the meantime. If you need to make such changes, you will have to decrease the TTL value entry to several minutes to avoid any outdated data on your website.

TTL values are entered as seconds, and the common TTL value is 86400 seconds, which is virtually equal to one day (24 hours). With this value set for your domain, any changes to your DNS records will be reflected online in up to 24 hours.

What is a group scope and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

How do you find primary and secondary DNS number?

Could somebody help me out on this one? I can't figure it out either.

There is no difference between a primary and secondary DNS server except that in normal operation the primary is the one that is tried first; if that doesn't work, then the secondary is used. Just list any 2 of the 3 you have as primary and secondary.

Which types of DNS records does a domain client use to find a domain controller?

NS (type 2, RFC 1035) - Name Server. Defines the authoritative name server(s) for the domain (defined by the SOA record) or the subdomain.

SOA
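As an added example (not part of either original answer), the following PowerShell reproduces the lookups a domain client performs when it needs a domain controller, which serves both the question on why DNS is required and the question on which records are used: the domain's SOA and NS records identify the zone and its authoritative servers, and the SRV records under _msdcs are what the DC locator actually queries. It assumes a Windows client with the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later); the site name is an optional parameter you supply.

```powershell
# Added example: replay the DNS queries used to locate a DC and check the answers.
function Test-DcLocatorDns {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Site = $null    # e.g. 'Default-First-Site-Name' for the site-specific query
    )
    # The zone's authority records: SOA names the primary server, NS lists the
    # authoritative servers for the domain.
    $soa = Resolve-DnsName -Name $Domain -Type SOA -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SOA' }
    if ($soa) { Write-Host "SOA primary for $Domain is $($soa.PrimaryServer)" }

    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",      # any DC in the domain (LDAP)
        "_kerberos._tcp.dc._msdcs.$Domain",  # any KDC in the domain
        "_ldap._tcp.pdc._msdcs.$Domain"      # the PDC emulator only
    )
    if ($Site) { $names += "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }

    foreach ($n in $names) {
        # The client's resolver sends a recursive query to its configured DNS
        # server; the answer section carries the SRV records plus glue A records.
        $srv = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) { Write-Warning "no SRV record for $n"; continue }
        foreach ($r in $srv) {
            # Lower Priority is preferred; Weight balances among equal priorities.
            $reach = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                         -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                Query     = $n
                Target    = $r.NameTarget
                Port      = $r.Port
                Priority  = $r.Priority
                Weight    = $r.Weight
                TTL       = $r.TTL       # seconds the client may cache this record
                Reachable = $reach
            }
        }
    }
}

Test-DcLocatorDns | Format-Table -AutoSize
```

A DC whose SRV record is missing, or whose target does not answer on the advertised port, is exactly the failure the answer above describes: the client cannot find a domain controller to service its request.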

What is organizational unit in active directory?

Domain: A security boundary for the network. On a local area network (LAN), a domain is a subnetwork made up of a group of clients and servers under the control of one central security database. Within a domain, users authenticate once to a centralized server known as a domain controller, rather than repeatedly authenticating to individual servers and services. Individual servers and services accept the user based on the approval of the domain controller.

Organisational Unit: A part of Active Directory used to organise and manage the objects of AD. An organizational unit (OU) is a subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization's functional or business structure. Each domain can implement its own organizational unit hierarchy. If your organization contains several domains, you can create organizational unit structures in each domain that are independent of the structures in the other domains. The term "organizational unit" is often shortened to "OU" in casual conversation. "Container" is also often applied in its place, even in Microsoft's own documentation. All terms are considered correct and interchangeable.