36. What are the object naming conventions used by Active Directory?
1. Distinguished names
2. Relative distinguished names
3. Globally unique identifiers
4. User principal names
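The four naming conventions above, worked through in code. This is an added example and not part of the original page: it splits a distinguished name into its relative distinguished names following the LDAP string form (RFC 4514, where unescaped commas separate components and a backslash escapes the next character), recovers the DNS domain from the DC= components, checks a GUID string with the standard uuid module, and splits a user principal name into user and suffix. SAMPLE_DN, SAMPLE_UPN and SAMPLE_GUID are constructed values.

```python
"""Parse the Active Directory naming attributes listed above.

Added example (not from the original page). A distinguished name (DN)
is split into its relative distinguished names (RDNs) following the
LDAP string form (RFC 4514): components are separated by unescaped
commas and a backslash escapes the next character. The leaf RDN names
the object inside its parent container, the DC= components spell the
DNS name of the domain, a GUID is checked with the uuid module, and a
user principal name (UPN) is user@suffix. SAMPLE_DN, SAMPLE_UPN and
SAMPLE_GUID are constructed values.
"""
import uuid


def split_rdns(dn):
    """Split a DN into RDN strings, honouring backslash escapes (values come back unescaped)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # escaped char, e.g. a comma inside a CN value
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parse_dn(dn):
    """Return [(attribute_type, value), ...] ordered from the leaf RDN to the root."""
    pairs = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def relative_dn(dn):
    """The RDN is the first component; it is unique only within the parent container."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def domain_from_dn(dn):
    """Join the DC= components into the DNS name of the object's domain."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def is_guid(text):
    """True when text is a well-formed GUID, such as an objectGUID in string form."""
    try:
        uuid.UUID(text)
        return True
    except ValueError:
        return False


def split_upn(upn):
    """Split a UPN into (user name, UPN suffix)."""
    name, sep, suffix = upn.rpartition("@")
    if not sep or not name or not suffix:
        raise ValueError(f"malformed UPN: {upn!r}")
    return name, suffix


# Constructed sample values
SAMPLE_DN = r"CN=Smith\, John,OU=Sales,DC=example,DC=com"
SAMPLE_UPN = "jsmith@example.com"
SAMPLE_GUID = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"

if __name__ == "__main__":
    print(parse_dn(SAMPLE_DN))
    print(relative_dn(SAMPLE_DN), domain_from_dn(SAMPLE_DN))
    print(is_guid(SAMPLE_GUID), split_upn(SAMPLE_UPN))
```

The escape handling matters in practice: a CN such as "Smith, John" contains a comma, so splitting a DN on commas alone produces a wrong RDN count. The values come back unescaped, so they must be re-escaped before being written back into an LDAP filter or DN.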
37. What are the three types of log events?
Application log: Contains errors, warnings, or information that programs, such as a database program or an e-mail program, generate. The program developer presets which events to record.
Security log: Contains information about the success or failure of audited events. The events that Windows XP Professional records are a result of your audit policy.
System log: Contains errors, warnings, and information that Windows XP Professional generates. Windows XP Professional presets which events to record.
38. What are the items contained in a log?
Type, Date, Time, Source, Category, User, Computer.
39. What are the four methods of Active Directory installation?
· Using the Active Directory Installation Wizard
We must input:
1. Domain controller type
2. Domain type
3. Domain name
4. NetBIOS name
5. Active Directory database and log folder location
6. Shared sysvol folder location
7. Default permissions for user and group objects
8. Directory Services Restore Mode administrator password
· Using an answer file to perform an unattended installation
Click Run and type dcpromo /answer:<answer file>, where <answer file> is the name of the answer file.
· Using the network or backup media
In Windows 2000, upgrading a member server to an additional domain controller needs replication of the entire Active Directory database, which is time consuming. Servers running Windows Server 2003 can instead be promoted using a restored backup taken from a Windows Server 2003 domain controller. The backup can be stored on any backup media or on a network share, and it reduces the amount of replication required. Make sure that the restored backup is not older than the tombstone lifetime of the domain, which is 60 days by default.
Click Run and type dcpromo /adv
· Using the Configure Your Server Wizard
It is available from the Manage Your Server page. We can use it only if that machine is the first server on the network and has not yet been configured.
40. How will you verify that Active Directory is properly installed?
To check, we should verify the following:
Domain configuration: Open Active Directory Users and Computers, find the name of the domain in the console, click the domain and find the domain controller details, then click the domain controller and ensure all details are correct.
DNS configuration: Open DNS and double-click the DNS server, double-click Forward Lookup Zones, double-click the zone and expand the msdcs, sites, tcp and udp folders to view the default records. (If DNS is configured with Active Directory, some default SRV records will be created.)
DNS integration with Active Directory: Open DNS and select Forward Lookup Zones. Right-click the zone, select Properties and, in the General tab, ensure that "Active Directory-integrated" appears after Type.
Installation of the shared system volume: Sysvol is a tree of folders containing files that need to be available and synchronised between domain controllers in a domain or forest. It contains:
· Sysvol shared folder
· Netlogon shared folder
· Windows 95, 98, Me and NT system policies
· User logon and logoff scripts
Verify the operation of the Directory Services Restore Mode boot option: This option is not available on member servers. Boot the system and verify whether the password given at the time of installation is operational.
41. What are the troubleshooting tools in Active Directory?
Netdiag: A command-line network diagnostic tool included in the Support Tools on the Server 2003 CD. It diagnoses network problems by checking all aspects of the host computer's network configuration and connections. Syntax:
netdiag /q - lists only tests that return errors
netdiag /l - stores netdiag.log in the default directory
netdiag /fix - fixes minor problems
netdiag /debug - complete list of test data with reasons for success and failure
Dcdiag: Analyses the state of domain controllers in a forest and reports any problems. It is used to check domain controller connectivity. Syntax:
dcdiag /s:<server> - checks all servers on the site
dcdiag /fix - fixes all errors. To use it, run cmd and type:
dcdiag /s:<domain_controller_name> /test:connectivity
Ntdsutil.exe: A command-line tool that provides management facilities for Active Directory. By default it is installed in the System32 folder. It can be used for metadata cleanup (if we uninstall Active Directory, or remove a domain controller, the NTDS objects are sometimes not removed properly).
Directory Service log: Active Directory writes events about errors and information to the Directory Service log. It is available in Administrative Tools, Directory Service.
Log files are created in the %systemroot%\debug folder:
Dcpromoui.log - contains the detailed progress report of the Active Directory installation and removal process from the graphical interface perspective.
Dcpromo.log
Dcpromos.log
42. How will you remove a domain controller?
In Active Directory Sites and Services, double-click the Sites container to expand it, double-click the appropriate site object, double-click the server, and delete it.
43. How will you upgrade a Windows 2000 domain to a Windows 2003 domain?
Run adprep /forestprep on the domain controller holding the schema master role.
Then run adprep /domainprep on the domain controller holding the infrastructure master role.
44. What are the stages of designing Active Directory?
- Creating a forest plan
- Creating a domain plan
- Creating an OU plan
- Creating a site topology plan
45. What are the Active Directory installation prerequisites?
- The domain structure
- Domain name
- Storage location of database and log files
- The location of the shared system volume folder
- The DNS configuration method
- The DNS configuration
46. What is meant by domain functional level?
The domain functional level provides a way to enable domain-wide Active Directory features within the network environment. The four domain functional levels are given below.
Windows 2000 mixed (default): Allows Windows 2003 domain controllers to interact in the same domain with domain controllers running Windows NT 4, Windows 2000 or Windows 2003.
Windows 2000 native: Allows Windows 2003 domain controllers to interact in the same domain with domain controllers running Windows 2000 or Windows 2003.
Windows 2003 interim: Allows Windows 2003 domain controllers to interact in the same domain with domain controllers running Windows NT 4 or Windows 2003.
Windows 2003 Server: Allows Windows 2003 domain controllers to interact in the same domain with domain controllers running Windows 2003.
The forest functional level provides a way to enable forest-wide Active Directory features within the network environment. Three forest functional levels are given below.
Windows 2000 (default): Allows Windows 2003 domain controllers to interact in the domain with domain controllers running Windows NT 4, Windows 2000 or Windows 2003.
Windows Server 2003: Allows Windows 2003 domain controllers to interact in the domain with domain controllers running Windows 2003.
47. What is a site?
A site is a combination of one or more IP subnets connected by a highly reliable and fast link, used to localize as much network traffic as possible. (Fast link = at least 512 kbps.)
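Because a site is defined by the IP subnets assigned to it, a client is placed in the site whose subnet object covers its address, and when several subnet objects overlap the most specific one wins. The following is an added example, not part of the original page or of any Microsoft tool: it builds that lookup with the standard ipaddress module, returns the site for an address, and lists clients that fall in no subnet object (such clients cannot be steered to a nearby domain controller). The SUBNETS mapping and the addresses are constructed.

```python
"""Map a client IP address to an Active Directory site by its subnet.

Added example (not from the original page). A site is a set of IP
subnets; a client belongs to the site whose subnet object matches its
address, and when several subnets match (say 10.1.0.0/16 and
10.1.4.0/24) the most specific one, the longest prefix, wins. Clients
whose address lies in no subnet object belong to no site. The SUBNETS
mapping and the sample addresses are constructed.
"""
import ipaddress

# Constructed subnet-to-site assignments
SUBNETS = {
    "10.1.0.0/16": "HeadOffice",
    "10.1.4.0/24": "HeadOffice-Lab",
    "192.168.50.0/24": "Branch-Kochi",
    "2001:db8:10::/48": "HeadOffice",
}


def build_subnet_table(subnets):
    """Parse subnet strings once and sort them most specific first."""
    table = []
    for cidr, site in subnets.items():
        # strict=True rejects entries with host bits set, e.g. 10.1.4.7/24
        table.append((ipaddress.ip_network(cidr, strict=True), site))
    table.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return table


def site_for_address(address, table):
    """Return the site name, or None when no subnet object covers the address."""
    ip = ipaddress.ip_address(address)
    for net, site in table:
        if ip.version == net.version and ip in net:
            return site  # first hit is the longest prefix because of the sort
    return None


def unmapped_clients(addresses, table):
    """Addresses that belong to no site; these should get a subnet object."""
    return [a for a in addresses if site_for_address(a, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SUBNETS)
    for addr in ["10.1.4.7", "10.1.9.1", "192.168.50.20", "2001:db8:10::5", "172.16.0.1"]:
        print(addr, "->", site_for_address(addr, table))
    print("no site:", unmapped_clients(["10.1.4.7", "172.16.0.1"], table))
```

The sort by prefix length is what gives the lab subnet priority over the wider head-office range it sits inside; without it the answer would depend on dictionary order.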
48. What are the limitations of the Security Accounts Manager?
1) It has a limitation of 40,000 objects per domain, but in Windows Server 2003 one million objects are possible.
2) In Windows NT only the PDC could accept updates to the domain database, but in Windows 2003 any domain controller can accept changes.
3) In Windows NT, domains were the smallest unit of administrative delegation, but in Server 2003 the OU is the smallest unit of delegation.
49. Why do we create more than one domain in a forest?
· To meet required security policy settings
· To meet special administrative requirements
· To optimize replication traffic
· To retain Windows NT domains
· To establish a distinct namespace
50. What is a trust relationship and what are the important trust relationships?
A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain.
Trusts have the following characteristics:
1. Method of creation: Trusts can be created manually or automatically.
2. Transitivity: If A trusts B and B trusts C, then A trusts C.
3. Direction: Trusts can be one-way or two-way.
Windows Server 2003 supports the following forms of trusts:
Tree root trust: Established when a new tree root domain is added to a forest. A tree root trust can be set up only between the roots of two trees in the same forest.
Parent-child trust: Established when a new child domain is created in the tree.
Shortcut trust: Created between two domains in a forest to improve user logon times. It is used to optimize the authentication process between domains that are logically distant from each other. Shortcut trusts help to shorten the path travelled by authentication requests made between domains located in separate trees but in the same forest.
External trust: Created between Server 2003 domains that are in different forests, or between a Windows 2003 Server domain and a domain whose domain controller is Windows NT 4 or earlier.
Forest trust: Created between two forests.
Realm trust: Created between a non-Windows Kerberos realm and a Windows Server 2003 domain to allow cross-platform interoperability.
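The two characteristics that matter when reasoning about a forest, direction and transitivity, can be checked mechanically. The following is an added example, not from the original page: each trust is a directed link from the trusting domain to the trusted domain (a two-way trust is two links) with a transitivity flag, and the set of domains whose logons a given domain honours is found by walking that graph. The forest (a root, two child domains, a second tree root and a one-way external trust to an NT 4 domain) is constructed; marking the external trust non-transitive is this example's own input, since the page lists the trust types without their transitivity.

```python
"""Which domains honour whose logons, given a set of trusts.

Added example (not from the original page). Each trust is a directed
link from the trusting domain to the trusted domain (a two-way trust is
two such links) with a transitivity flag. The domains whose logon
authentication a given domain honours are found by walking the graph:
a direct trust always counts, and the walk continues past a domain only
while every link on the path so far, and the next link, is transitive.
The forest below is constructed; marking the external trust
non-transitive is this example's input, not a statement from the page.
"""
from collections import deque


class Trust:
    def __init__(self, trusting, trusted, transitive, two_way):
        self.trusting = trusting      # domain that honours the other's logons
        self.trusted = trusted        # domain whose logons are honoured
        self.transitive = transitive
        self.two_way = two_way


def build_graph(trusts):
    """Map each domain to [(trusted_domain, transitive), ...]."""
    graph = {}
    for t in trusts:
        graph.setdefault(t.trusting, []).append((t.trusted, t.transitive))
        if t.two_way:
            graph.setdefault(t.trusted, []).append((t.trusting, t.transitive))
    return graph


def trusted_domains(start, trusts):
    """Domains whose accounts can authenticate to `start`, directly or transitively."""
    graph = build_graph(trusts)
    reach = {}  # domain -> True if reached over an all-transitive path
    queue = deque()
    for nxt, transitive in graph.get(start, []):
        if nxt != start and reach.get(nxt) is not True:
            reach[nxt] = transitive
            queue.append(nxt)
    while queue:
        domain = queue.popleft()
        if not reach[domain]:
            continue  # reached over a non-transitive trust: the chain stops here
        for nxt, transitive in graph.get(domain, []):
            if nxt == start or not transitive:
                continue
            if reach.get(nxt) is not True:
                reach[nxt] = True
                queue.append(nxt)
    return set(reach)


def domains_trusting(target, trusts):
    """The reverse view: every domain that honours logons from `target`."""
    names = {t.trusting for t in trusts} | {t.trusted for t in trusts}
    return {d for d in names if d != target and target in trusted_domains(d, trusts)}


# Constructed forest: corp.example is the forest root
FOREST = [
    Trust("corp.example", "sales.corp.example", transitive=True, two_way=True),  # parent-child
    Trust("corp.example", "eng.corp.example", transitive=True, two_way=True),    # parent-child
    Trust("corp.example", "other.example", transitive=True, two_way=True),       # tree root
    Trust("corp.example", "LEGACYNT4", transitive=False, two_way=False),         # external, one-way
]

if __name__ == "__main__":
    for d in ["sales.corp.example", "corp.example", "LEGACYNT4"]:
        print(d, "trusts", sorted(trusted_domains(d, FOREST)))
    print("LEGACYNT4 is trusted by", sorted(domains_trusting("LEGACYNT4", FOREST)))
```

Reading the output for a given domain is the practical use: sales.corp.example honours logons from the rest of its forest through the transitive parent-child and tree root trusts, but not from LEGACYNT4, because the external trust stops at corp.example and runs in one direction only.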
51. Who can remove Active Directory?
If it is the last domain controller in a tree root: Enterprise Admin
If it is the last domain controller in a forest: Domain Admin
52. How to install the Support Tools?
Insert the 2003 CD and in the Run dialog box type E:\Support\tools\suptools.msi, where E is the drive letter of the CD drive. It takes 22 MB and creates a folder in Program Files, and it is available from the Start menu.
53. What are the reasons to create multiple domains?
· To meet security requirements
· To meet administrative requirements
· To optimize replication traffic
· To retain Microsoft Windows NT domains
54. What are the options in Active Directory installation?
· Domain controller for a new domain
· Additional domain controller for an existing domain
· Domain in a new forest
· Child domain in an existing domain tree
· Domain tree in an existing forest
55. What are the options for renaming in Active Directory?
Rendom.exe - for renaming a domain
Netdom.exe - for renaming a domain controller
For renaming the domain controller, the functional level should be Windows Server 2003.
56. Steps to rename a domain controller
1. Open cmd
2. Type netdom computername <current computer name> /add:<new computer name>
3. Wait for the replication latency interval
4. Type netdom computername <current computer name> /makeprimary:<new computer name>
5. Restart
57. What are the steps involved in configuring intersite replication?
Create site links
Configure site link attributes: this includes site link cost, site link replication frequency and site link replication availability
Designate a preferred bridgehead server
Create site link bridges
Create and configure connection objects
58. Which protocols are used for intersite replication?
· Directory Services Remote Procedure Call
· Inter-Site Messaging - Simple Mail Transport Protocol
59. What is an Application Directory Partition?
It is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Applications and services can use application directory partitions to store application-specific data (not users, groups or computers). It has the following benefits:
· Provides redundancy, availability and fault tolerance
· Reduces replication traffic
· Applications and services that use LDAP can continue using it to access and store application data in Active Directory
60. What are the tools used to monitor and troubleshoot replication?
1) Replmon.exe: Enables administrators to view the low-level status of replication, force synchronization between domain controllers, and monitor the status and performance of Active Directory replication. Install it first from the Support Tools, then from a command prompt type replmon and press Enter. We can add the servers that need monitoring.
2) Repadmin.exe: The replication diagnostic tool is a command-line tool that allows viewing the replication topology. It can also be used to force replication, to view replicated data, and to check how up to date each domain controller is. To use it, open cmd and type:
repadmin /showrepl <DC_LIST>
3) Dsastat.exe: Compares and detects the differences between directory partitions on domain controllers and can be used to ensure that domain controllers are up to date with one another.
61. What are the account policies?
Password policy and account lockout policy
62. What is a software restriction policy?
Software restriction policies are security settings in a GPO provided to identify software and control its ability to run on a local computer, site, domain or OU. With software restriction policies we can:
· Control the ability of programs to run on the system
· Permit users to run only specific files on multi-user computers
· Decide who can add trusted publishers
GROUP POLICY
63. What is group policy?
Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains and OUs to specify the behaviour of users' desktops. For example, using group policies we can set the programs that are available to users, the programs that appear on users' desktops, and Start menu options. In short, group policy allows us to specify security settings, deploy software, and configure operating system and application behaviour without ever touching a machine.
64. What is a Group Policy object?
GPOs are collections of group policies. For example, to create a specific desktop configuration for a particular group of users we create group policy objects. In other words, GPOs are collections of hundreds of possible configuration settings, from user logon rights and privileges to the software that is allowed to run on the system. A GPO is linked to a container within Active Directory, typically to an OU, but it can also be linked to a domain or even to sites; all the users and computers beneath that container are affected by the settings contained in that GPO.
65. How many types of group policies are available in Windows 2003?
One local GPO and any number of non-local GPOs.
Local GPO: One local GPO is stored on each computer, whether or not the computer is part of an Active Directory or networked environment. A local GPO affects only the computer on which it is stored. It is the least influential if the computer is in an Active Directory environment; in a non-networked environment local GPOs are the most influential. The local GPO is stored in %systemroot%\System32\GroupPolicy.
Non-local GPOs: Non-local GPOs are created in Active Directory and must be linked to a site, domain or OU in order to be applied to users or computers. To use non-local GPOs we must have a domain controller installed. By default, when Active Directory is installed, two non-local GPOs are created:
Default Domain Policy: This GPO is linked to the domain and affects all users and computers in the domain through group policy inheritance.
Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU and generally affects only domain controllers, because computer accounts for domain controllers are kept exclusively in the Domain Controllers OU.
Non-local GPOs are stored in %systemroot%\sysvol\<domain name>\Policies\<GPO GUID>\Adm.
GPOs can't be applied to Windows 95, 98, Me and NT.
66. What are the ways to open group policy object editor?
4 Ways




67. What are the two types of group policy settings?
Computer configuration settings and user configuration settings.
Computer configuration settings are used to set group policies applied to computers, regardless of who logs on to them. They are applied when the operating system initializes.
The User Configuration node contains settings used to set group policies applied to users, regardless of which computer the user logs on to. They are applied when a user logs on to a computer.
Both nodes contain:
Software settings: Contains the software installation extension. It helps to specify how software is installed and maintained within the organization.
Windows settings: Contains the scripts (startup and shutdown, logon and logoff) and security settings nodes.
Administrative templates: Contains registry-based group policy settings.
68. How is group policy applied?
LSDOU:
Local GPO
Site GPO
Domain GPO
OU GPO. GPOs linked to the OU highest in Active Directory are applied first, followed by GPOs linked to its child OUs.
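The LSDOU order decides which value a setting ends up with when several GPOs configure it: a GPO applied later overwrites the same setting from one applied earlier. The following is an added example and not part of the original page: from the distinguished name of a computer, its site, and the GPOs linked at each container, it produces the processing order (local, site, domain, then each OU from the highest down to the object's own) and merges the settings so the last applied GPO wins. The GPO names, links and settings are constructed, and the DN is assumed to contain no escaped commas.

```python
"""The order in which Group Policy objects are applied (LSDOU).

Added example (not from the original page). Given the distinguished
name of a computer or user object, the site it belongs to, and the GPOs
linked at each container, apply_order lists the GPOs as Windows
processes them: the local GPO, then GPOs linked to the site, the
domain, and each OU from the one highest in the directory down to the
object's own OU. effective_settings merges them so that a setting in a
later GPO overrides the same setting from an earlier one. GPO names,
links and settings are constructed; the DN is assumed to contain no
escaped commas.
"""


def containers_of(object_dn):
    """Container RDNs of a DN (everything after the leaf CN=), leaf side first."""
    return [part.strip() for part in object_dn.split(",")][1:]


def domain_dn(object_dn):
    """The domain part of a DN: its DC= components."""
    return ",".join(p for p in containers_of(object_dn) if p.upper().startswith("DC="))


def ou_chain(object_dn):
    """DNs of the OUs containing the object, highest in the tree first."""
    containers = containers_of(object_dn)
    chain = [",".join(containers[i:]) for i, part in enumerate(containers)
             if part.upper().startswith("OU=")]
    return list(reversed(chain))  # parent OU before child OU


def apply_order(object_dn, site, links, local_gpo="Local GPO"):
    """GPO names in processing order: Local, Site, Domain, OUs (parent before child)."""
    order = [local_gpo]
    order += links["site"].get(site, [])
    order += links["domain"].get(domain_dn(object_dn), [])
    for ou in ou_chain(object_dn):
        order += links["ou"].get(ou, [])
    return order


def effective_settings(order, gpo_settings):
    """Merge settings in processing order; the last GPO to set a value wins."""
    result = {}
    for gpo in order:
        result.update(gpo_settings.get(gpo, {}))
    return result


# Constructed directory data: where each GPO is linked ...
LINKS = {
    "site": {"HeadOffice": ["HeadOffice Site Policy"]},
    "domain": {"DC=corp,DC=example": ["Default Domain Policy"]},
    "ou": {
        "OU=Sales,DC=corp,DC=example": ["Sales Baseline"],
        "OU=Desktops,OU=Sales,DC=corp,DC=example": ["Desktops Lockdown"],
    },
}
# ... and what each GPO configures
GPO_SETTINGS = {
    "Local GPO": {"ScreenSaverTimeout": 900, "Wallpaper": "default.bmp"},
    "HeadOffice Site Policy": {"ProxyServer": "proxy.corp.example:8080"},
    "Default Domain Policy": {"ScreenSaverTimeout": 600, "AuditLogon": "success,failure"},
    "Sales Baseline": {"Wallpaper": "sales.bmp"},
    "Desktops Lockdown": {"Wallpaper": "corp.bmp", "RemovableStorage": "deny"},
}
WORKSTATION = "CN=WS01,OU=Desktops,OU=Sales,DC=corp,DC=example"

if __name__ == "__main__":
    order = apply_order(WORKSTATION, "HeadOffice", LINKS)
    print(order)
    print(effective_settings(order, GPO_SETTINGS))
```

For WS01 the wallpaper set locally is overridden by the Sales OU and again by the Desktops OU, while the screen saver timeout from the domain GPO survives because no later GPO touches it; that is exactly the "last applied wins" rule that LSDOU describes.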
69. What are the steps in planning a group policy implementation?
- Plan the group policy settings necessary for computers and users at each level (sites, domains and OUs)
- Plan the GPOs necessary for computers and users at each level (sites, domains and OUs)
- Plan administrative control of GPOs
70. What are the steps included in implementing a GPO?
1. Creating a GPO
2. Creating an MMC for the GPO
3. Delegating administrative control of the GPO
4. Configuring group policy settings of the GPO
5. Disabling unused group policy settings
6. Filtering the scope of the GPO with security groups
7. Linking the GPO to a site, domain or OU