Active Directory Interview Questions

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 30

System Administrator Active Directory

Interview Questions and Answers


Uncategorized March 14, 2012 Comments: 47
1) What is Active Directory?
ACTIVE DIRECTORY IS A CENTRALIZED DATABASE WHICH IS USED IN DOMAIN FOR
ADMINISTRATIVE PURPOSES
An active directory is a directory structure used on Microsoft Windows based computers and
servers to store information and data about networks and domains. It is primarily used for online
information and was originally created in 1996 and first used with Windows 2000.
An active directory (sometimes referred to as an AD) does a variety of functions including the
ability to provide information on objects, helps organize these objects for easy retrieval and
access, allows access by end users and administrators and allows the administrator to set
security up for the directory.
An active directory can be defined as a hierarchical structure and this structure is usually broken
up into three main categories, the resources which might include hardware such as printers,
services for end users such as web email servers and objects which are the main functions of
the domain and network.
It is interesting to note the framework for the objects. Remember that an object can be a piece
of hardware such as a printer, end user or security settings set by the administrator. These
objects can hold other objects within their file structure. All objects have an ID, usually an object
name (folder name). In addition to these objects being able to hold other objects, every object
has its own attributes which allows it to be characterized by the information which it contains.
Most IT professionals call these setting or characterizations schemas.
Depending on the type of schema created for a folder, will ultimately determine how these
objects are used. For instance, some objects with certain schemas can not be deleted, they can
only be deactivated. Others types of schemas with certain attributes can be deleted entirely. For
instance, a user object can be deleted, but the administrator object can not be deleted.
When understanding active directories, it is important to know the framework that objects can be
viewed at. In fact, an active directory can be viewed at either one of three levels; these levels
are called forests, trees or domains. The highest structure is called the forest because you can
see all objects included within the active directory.
Within theForeststructure are trees, these structures usually hold one or more domains, going
further down the structure of an active directory are single domains. To put the forest, trees and
domains into perspective, consider the following example.
A large organization has many dozens of users and processes. The forest might be the entire
network of end users and specific computers at a set location. Within this forest directory are
now trees that hold information on specific objects such as domain controllers, program data,
system, etc. Within these objects are even more objects which can then be controlled and
categorized
Another Answer
Active Directory in Windows Server 2003
The Active Directory is the one of the important part of Windows Server 2003 networking .First
need to know and understand Active directory. How does it work? It makes information easy for
the administrator and the users. You can use the Active Directory to design an organizations
structure according to the requirement. If you are using the Active Directory then you can scale
active directory from a single computer to a single network or too many networks. In active
directory you can include every object server and domain in a network.
Logical Component
In the organization you set up in Windows Server 2003 and the organization you set up in
Exchange Server 2003 are the same and the same is the case with Windows 2000 and
Exchange 2000 as well. Now I am going to tell you its advantage one user administrator
manage all aspects of user configuration. These logical constructs which are described in the
following subsections allow you to define and group resources so that they can be located and
administered by the name rather than by physical location.
Objects
Object is the basic unit in the Active Directory. It is an apocarpous named set of features that
represents something adjective such as a user, printer and the application. A user is also an
object. In Exchange a users features include its name and location, surrounded by other things.
Organization Unit
Organization Unit is a persona in which you can keep objects such as user accounts, groups,
computer, and printer. Applications and other (OU). In organization unit you can assign specific
permission to the users. Organization unit can also be used to create departmental limitation.
Domains
Domains is a group of computers and other resources that are part of a network and share a
common directory database .Once a server has been installed, you can use the Active Directory
Wizard to install Active Directory in order to install Active directory on the first server on the
network, that server must have the access to a server running DNS (Domain Name Service). If
you dont have installed this service on your server then you will have to install this service
during the Active Directory installation
Active Directory in Windows Server 2003
The Active Directory is the one of the important part of Windows Server 2003 networking .First
need to know and understand Active directory. How does it work? It makes information easy for
the administrator and the users. You can use the Active Directory to design an organizations
structure according to the requirement. If you are using the Active Directory then you can scale
active directory from a single computer to a single network or too many networks. In active
directory you can include every object server and domain in a network.
Logical Component
In the organization you set up in Windows Server 2003 and the organization you set up in
Exchange Server 2003 are the same and the same is the case with Windows 2000 and
Exchange 2000 as well. Now I am going to tell you its advantage one user administrator
manage all aspects of user configuration. These logical constructs which are described in the
following subsections allow you to define and group resources so that they can be located and
administered by the name rather than by physical location.
Objects
Object is the basic unit in the Active Directory. It is an apocarpous named set of features that
represents something adjective such as a user, printer and the application. A user is also an
object. In Exchange a users features include its name and location, surrounded by other things.
Organization Unit
Organization Unit is a persona in which you can keep objects such as user accounts, groups,
computer, and printer. Applications and other (OU). In organization unit you can assign specific
permission to the users. Organization unit can also be used to create departmental limitation.
Domains
Domains is a group of computers and other resources that are part of a network and share a
common directory database .Once a server has been installed, you can use the Active Directory
Wizard to install Active Directory in order to install Active directory on the first server on the
network, that server must have the access to a server running DNS (Domain Name Service). If
you dont have installed this service on your server then you will have to install this service
during the Active Directory installation
Another Answer
An active directory is a directory structure used on Microsoft Windows based computers and
servers to store information and data about networks and domains. It is primarily used for online
information and was originally created in 1996 and first used with Windows 2000.
An active directory (sometimes referred to as an AD) does a variety of functions including the
ability to provide information on objects, helps organize these objects for easy retrieval and
access, allows access by end users and administrators and allows the administrator to set
security up for the directory.
An active directory can be defined as a hierarchical structure and this structure is usually broken
up into three main categories, the resources which might include hardware such as printers,
services for end users such as web email servers and objects which are the main functions of
the domain and network.
It is interesting to note the framework for the objects. Remember that an object can be a piece
of hardware such as a printer, end user or security settings set by the administrator. These
objects can hold other objects within their file structure. All objects have an ID, usually an object
name (folder name). In addition to these objects being able to hold other objects, every object
has its own attributes which allows it to be characterized by the information which it contains.
Most IT professionals call these setting or characterizations schemas.
Depending on the type of schema created for a folder, will ultimately determine how these
objects are used. For instance, some objects with certain schemas can not be deleted, they can
only be deactivated. Others types of schemas with certain attributes can be deleted entirely. For
instance, a user object can be deleted, but the administrator object can not be deleted.
When understanding active directories, it is important to know the framework that objects can be
viewed at. In fact, an active directory can be viewed at either one of three levels; these levels
are called forests, trees or domains. The highest structure is called the forest because you can
see all objects included within the active directory.
Within theForeststructure are trees, these structures usually hold one or more domains, going
further down the structure of an active directory are single domains. To put the forest, trees and
domains into perspective, consider the following example.
A large organization has many dozens of users and processes. The forest might be the entire
network of end users and specific computers at a set location. Within this forest directory are
now trees that hold information on specific objects such as domain controllers, program data,
system, etc. Within these objects are even more objects which can then be controlled and
categorized.
2) What is LDAP?
LDAP means Light-Weight Directory Access Protocol. It determines how an object in an Active
directory should be named. LDAP (Lightweight Directory Access Protocol) is a proposed open
standard for accessing global or local directory services over a network and/or the Internet. A
directory, in this sense, is very much like a phone book. LDAP can handle other information, but
at present it is typically used to associate names with phone numbers and email addresses.
LDAP directories are designed to support a high volume of queries, but the data stored in the
directory does not change very often. It works on port no. 389. LDAP is sometimes known as
X.500 Lite. X.500 is an international standard for directories and full-featured, but it is also
complex, requiring a lot of computing resources and the full OSI stack. LDAP, in contrast, can
run easily on a PC and over TCP/IP. LDAP can access X.500 directories but does not support
every capability of X.500
ANSWER B:
The Lightweight Directory Access Protocol or LDAP is an application protocol for querying and
modifying directory services running over TCP/IP. [1]A directory is a set of objects with
attributes organized in a logical and hierarchical manner. The most common example is the
telephone directory, which consists of a series of names (either of persons or organizations)
organized alphabetically, with each name having an address and phone number attached.
An LDAP directory tree often reflects various political, geographic, and/or organizational
boundaries, depending on the model chosen. LDAP deployments today tend to use Domain
name system (DNS) names for structuring the topmost levels of the hierarchy. Deeper inside
the directory might appear entries representing people, organizational units, printers,
documents, groups of people or anything else that represents a given tree entry (or multiple
entries).
Its current version is LDAPv3, which is specified in a series of Internet Engineering Task Force
(IETF) Standard Track Requests for comments (RFCs) as detailed in RFC 4510.
3) Can you connect Active Directory to other 3rd-party Directory Services? Name a few
options.
Yes, you can use dirXML or LDAP to connect to other directories (ie. E-directory from Novell).
Novell eDirectory, formerly called Novell Directory Services (NDS)
4) Where is the AD database held? What other folders are related to AD?
AD Database is saved in/ntds. You can see other files also in this folder. These are the main
files controlling the AD structure ntds.dit
edb.log
res1.log
res2.log
edb.chk
SysVOl folder is also created which is used for replication
When a change is made to the Win2K database, triggering a write operation, Win2K records the
transaction in the log file (edb.log). Once written to the log file, the change is then written to the
AD database. System performance determines how fast the system writes the data to the AD
database from the log file. Any time the system is shut down; all transactions are saved to the
database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of
each is 10MB. These files are used to ensure that changes can be written to disk should the
system run out of free disk space. The checkpoint file (edb.chk) records transactions committed
to the AD database (ntds.dit). During shutdown, a shutdown statement is written to the
edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have
been committed to the AD database. If, for some reason, the edb.chk file doesnt exist on reboot
or the shutdown statement isnt present, AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is
located in\NTDS, along with the other files weve discussed
5) What is the SYSVOL folder?
All active directory data base security related information store in SYSVOL folder and its only
created on NTFS partition.
B:
The Sysvol folder on a Windows domain controller is used to replicate file-based data among
domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT
file system (NTFS) version 5.0 is required on domain controllers throughout a Windows
distributed file system (DFS) forest.
This is a quote from Microsoft themselves; basically the domain controller info stored in files like
your group policy stuff is replicated through this folder structure
6) Name the AD NCs and replication issues for each NC
*Schema NC, *Configuration NC, * DomainNC
Schema NC This NC is replicated to every other domain controller in the forest. It contains
information about the Active Directory schema, which in turn defines the different object classes
and attributes within Active Directory.
Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide
configuration information pertaining to the physical layout of Active Directory, as well as
information about display specifies and forest-wide Active Directory quotas.
Domain NC This NC is replicated to every other DC within a single Active Directory domain.
This is the NC that contains the most commonly-accessed Active Directory data: the actual
users, groups, computers, and other objects that reside within a particular Active Directory
domain.
7) What are application partitions? When do I use them?
Application directory partitions: These are specific to Windows Server 2003 domains.
An application directory partition is a directory partition that is replicated only to specific domain
controllers. A domain controller that participates in the replication of a particular application
directory partition hosts a replica of that partition. Only Domain controllers running Windows
Server 2003 can host a replica of an application directory partition.
8) How do you create a new application partition?
When you create an application directory partition, you are creating the first instance of this
partition. You can create an application directory partition by using the create nc option in the
domain management menu of Ntdsutil. When creating an application directory partition using
LDP or ADSI, provide a description in the description attribute of the domain DNS object that
indicates the specific application that will use the partition. For example, if the application
directory partition will be used to store data for a Microsoft accounting program, the description
could be Microsoft accounting application. Ntdsutil does not facilitate the creation of a
description.
To create or delete an application directory partition
1. Open Command Prompt.
2. Type:
Ntdsutil
3. At the Ntdsutil command prompt, type:
Domain management
4. At the domain management command prompt, do one of the following:
To create an application directory partition, type:
Create ncApplicationDirectoryPartitionDomainController
Answer:
Start >> RUN>> CMD >> type there NTDSUTIL Press Enter
Ntdsutil: domain management Press Enter
Domain Management: Create NC dc=, dc=, dc=com <>
ANSWER B
Create an application directory partition by using the DnsCmd command
Use the DnsCmd command to create an application directory partition. To do this, use the
following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
To create an application directory partition that is named CustomDNSPartition on a domain
controller that is named DC-1, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER:dnscmd DC-1 /createdirectorypartition
CustomDNSPartition.contoso.com
When the application directory partition has been successfully created, the following information
appears:
DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com Command
completed successfully.
Configure an additional domain controller DNS server to host the application directory partition
Configure an additional domain controller that is acting as a DNS server to host the new
application directory partition that you created. To do this, use the following syntax with the
DnsCmd command:
DnsCmd ServerName /EnlistDirectoryPartition FQDN of partition
To configure the example domain controller that is named DC-2 to host this custom application
directory partition, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER:dnscmd DC-2 /enlistdirectorypartition
CustomDNSPartition.contoso.com
The following information appears:
DNS Server DC-2 enlisted directory partition: CustomDNSPartition.contoso.com Command
completed successfully.
9) How do you view replication properties for AD partitions and DCs?
By using replication monitor
go to start > run > type repadmin
go to start > run > type replmon
10) What is the Global Catalog?
The global catalog contains a complete replica of all objects in Active Directory for its Host
domain, and contains a partial replica of all objects in Active Directory for every other domain in
the forest.
ANSWER B:
The global catalog is a distributed data repository that contains a searchable, partial
representation of every object in every domain in a multidomain Active Directory forest. The
global catalog is stored on domain controllers that have been designated as global catalog
servers and is distributed through multimaster replication. Searches that are directed to the
global catalog are faster because they do not involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a
Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single
domain directory partition. Therefore, a domain controller can locate only the objects in its
domain. Locating an object in a different domain would require the user or application to provide
the domain of the requested object.
The global catalog provides the ability to locate objects from any domain without having to know
the domain name. A global catalog server is a domain controller that, in addition to its full,
writable domain directory partition replica, also stores a partial, read-only replica of all other
domain directory partitions in the forest. The additional domain directory partitions are partial
because only a limited set of attributes is included for each object. By including only the
attributes that are most used for searching, every object in every domain in even the largest
forest can be represented in the database of a single global catalog server.
11) How do you view all the GCs in the forest?
C:\>repadmin /showreps
domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.
To find the in GC from the command line you can try using DSQUERY command.
dsquery server -isgc to find all the GCs in the forest
you can try dsquery server -forest -isgc.
12) Why not make all DCs in a large forest as GCs?
The reason that all DCs are not GCs to start is that in large (or even Giant) forests the DCs
would all have to hold a reference to every object in the entire forest which could be quite large
and quite a replication burden.
For a few hundred, or a few thousand users even, this not likely to matter unless you have really
poor WAN lines.
13) Trying to look at the Active Directory Schema, how can I do that?
Option to view the schema
Register schmmgmt.dll using this command
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc > add snapin > add Active directory schema
name it as schema.msc
Open administrative tool > schema.msc
14) What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing the complicated tasks easily. These
can also be the third party tools. Some of the Support tools include DebugViewer,
DependencyViewer, RegistryMonitor, etc.
-edit by Casquehead
I believe this question is referring to the Windows Server 2003 Support Tools, which are
included with Microsoft Windows Server 2003 Service Pack 2. They are also available for
download here:
http://www.Microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-
9A772EA2DF90&displaylang=en
you need them because you cannot properly manage an Active Directory network without them.
Here they are, it would do you well to familiarize yourself with all of them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
15) What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is
REPADMIN?
What is LDP?
A:
The Lightweight Directory Access Protocol, or LDAP is an application protocol for querying and
modifying directory services running over TCP/IP.[1]
A directory is a set of objects with attributes organized in a logical and hierarchical manner. The
most common example is the telephone directory, which consists of a series of names (either of
persons or organizations) organized alphabetically, with each name having an address and
phone number attached.
An LDAP directory tree often reflects various political, geographic, and/or organizational
boundaries, depending on the model chosen. LDAP deployments today tend to use Domain
name system (DNS) names for structuring the topmost levels of the hierarchy. Deeper inside
the directory might appear entries representing people, organizational units, printers,
documents, groups of people or anything else that represents a given tree entry (or multiple
entries).
Its current version is LDAPv3, which is specified in a series of Internet Engineering Task Force
(IETF) Standard Track Requests for comments (RFCs) as detailed in RFC 4510.
LDAP means Light-Weight Directory Access Protocol. It determines how an object in an Active
directory should be named. LDAP (Lightweight Directory Access Protocol) is a proposed open
standard for accessing global or local directory services over a network and/or the Internet. A
directory, in this sense, is very much like a phone book. LDAP can handle other information, but
at present it is typically used to associate names with phone numbers and email addresses.
LDAP directories are designed to support a high volume of queries, but the data stored in the
directory does not change very often. It works on port no. 389. LDAP is sometimes known as
X.500 Lite. X.500 is an international standard for directories and full-featured, but it is also
complex, requiring a lot of computing resources and the full OSI stack. LDAP, in contrast, can
run easily on a PC and over TCP/IP. LDAP can access X.500 directories but does not support
every capability of X.500
What is REPLMON?
A: Replmon is the first tool you should use when troubleshooting Active Directory replication
issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to
diagnose than using its command line counterparts. The purpose of this document is to guide
you in how to use it, list some common replication errors and show some examples of when
replication issues can stop other network installation actions.
For more go to http://www.techtutorials.net/articles/replmon_howto_a.html
What is ADSIEDIT?
A: Adsiedit.msc is a Microsoft Management Console (MMC) snap-in that acts
as a low-level editor for Active Directory. It is a Graphical User Interface (GUI)
tool. Network administrators can use it for common administrative tasks such
as adding, deleting, and moving objects with a directory service. The
attributes for each object can be edited or deleted by using this tool.
Adsiedit.msc uses the ADSI application programming interfaces (APIs) to
access Active Directory. The following are the required files for using this
tool:
ADSIEDIT.DLL
ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory
environment and Microsoft Management Console (MMC) is necessary
What is NETDOM?
A: NETDOM is a command-line tool that allows management of Windows domains and trust
relationships. It is used for batch management of trusts, joining computers to domains, verifying
trusts, and secure channels
A:
Enables administrators to manage Active Directory domains and trust relationships from the
command prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have
the Active Directory Domain Services (AD DS) server role installed. To use Netdom, you must
run the Netdom command from an elevated command prompt. To open an elevated command
prompt, click Start, right-click Command Prompt, and then click Run as administrator.
You can use Netdom to:
Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server
2008 or Windows Server 2003 or Windows 2000 or Windows NT 4.0 domain.
Provide an option to specify the organizational unit (OU) for the computer account.
Generate a random computer password for an initial Join operation.
Manage computer accounts for domain member workstations and member servers.
Management operations include:
Add, Remove, Query.
An option to specify the OU for the computer account.
An option to move an existing computer account for a member workstation from one domain to
another while maintaining the security descriptor on the computer account.
Establish one-way or two-way trust relationships between domains, including the following kinds
of trust relationships:
From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows
NT 4.0 domain.
From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows
2000 or Windows Server 2003 or Windows Server 2008 domain in another enterprise.
Between two Windows 2000 or Windows Server 2003 or Windows Server 2008 domains in an
enterprise (a shortcut trust).
The Windows Server 2008 or Windows Server 2003 or Windows 2000 Server half of an
interoperable Kerberos protocol realm.
Verify or reset the secure channel for the following configurations:
Member workstations and servers.
Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
Specific Windows Server 2008 or Windows Server 2003 or Windows 2000 replicas.
Manage trust relationships between domains, including the following operations:
Enumerate trust relationships (direct and indirect).
View and change some attributes on a trust.
16) What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows
administrators to configure Active Directory access and replication topology to take advantage
of the physical network.
B: A Site object in Active Directory represents a physical geographic location that hosts
networks. Sites contain objects called Subnets. [3] Sites can be used to Assign Group Policy
Objects, facilitate the discovery of resources, manage active directory replication, and manage
network link traffic. Sites can be linked to other Sites. Site-linked objects may be assigned a
cost value that represents the speed, reliability, availability, or other real property of a physical
resource. Site Links may also be assigned a schedule
17) Whats the difference between a site links schedule and interval?
Schedule enables you to list weekdays or hours when the site link is available for replication to
happen in the give interval. Interval is the re occurrence of the inter site replication in given
minutes. It ranges from 15 10,080 mins. The default interval is 180 mins.
18) What is the KCC?
Knowledge consistency checker- it generates the replication topology by specifying what
domain controllers will replicate to which other domain controllers in the site. The KCC
maintains a list of connections, called a replication topology, to other domain controllers in the
site. The KCC ensures that changes to any object are replicated to all site domain controllers
and updates go through no more than three connections. Also an administrator can configure
connection objects.
19) What is the ISTG? Who has that role by default?
Intersite Topology Generator (ISTG), which is responsible for the connections among the sites.
By default Windows 2003 Forestlevel functionality has this role.
By Default the first Server has this role. If that server can no longer perform this role then the
next server with the highest GUID then takes over the role of ISTG.
20) What are the requirements for installing AD on a new server?
An NTFS partition with enough free space (250MB minimum)
An Administrators username and password
The correct operating system version
A NIC
Properly configured TCP/IP (IP address, subnet mask and optional default gateway)
A network connection (to a hub or to another computer via a crossover cable)
An operational DNS server (which can be installed on the DC itself)
A Domain name that you want to use
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
20) What can you do to promote a server to DC if youre in a remote location with slow
WAN link?
First available in Windows 2003, you will create a copy of the system state from an existing DC
and copy it to the new remote server. Run Dcpromo /adv. You will be prompted for the location
of the system state files
===================================
Answer B:
Backup system state as;
1. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in
wizard mode, click the Advanced Mode hyperlink.)
2. From the Backup tab, click to select the System State check box in the left pane. Do
not back up the file system part of the SYSVOL tree separately from the system state
backup.
3. In the Backup media or file name box, specify the drive, path, and file name of the
system state backup.
Name the file .bak (recommended and general)
Restore system stat as below on the target computer;
1. Log on to the Windows Server 2003-based computer that you want to promote. You
must be a member of the local administrators group on this computer.
2. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in
wizard mode, click the Advanced Mode hyperlink.)
3. In the Backup utility, click the Restore and Manage Media tab. In the Tools menu,
click Catalog a backup file, and then locate the .bkf file that you created earlier.
Click OK.
4. Expand the contents of the .bkf file, and then click to select the System State
check box.
5. In Restore files to: click Alternate Location. To restore the system state, type the
logical drive and the path. We suggest that you type X:\Ntdsrestore. In this
command, X is the logical drive that will ultimately host the Active Directory
database when the member computer is promoted. The final location for the
Active Directory database is selected when you run the Active
Directory Installation Wizard. This folder must be different from the folder
that contains the restored system state.
Now Last stage is Promoting an additional domain controller
1. Verify that the domain controller that is to be promoted has DNS name resolution and
network connectivity to existing domain controllers in the domain controllers target
domain.
2. Click Start, click Run, type dcpromo /adv, and then click OK.
3. Click Next to bypass the Welcome to the Active Directory Installation Wizard and
Operating System Compatibility dialog boxes.
4. On the Domain Controller Type page, click Additional domain controller for an
existing domain, and then click next.
5. On the Copying Domain Information page, click from these restored backup
files: and then type the logical drive and the path of the alternative location where the
system state backup was restored. Click Next.
6. In Network Credentials, type the user name, the password, and the domain name of
an account that is a member of the domain administrators group for the domain that
you are promoting in.
7. Continue with the remainder of the Active Directory Installation Wizard pages as you
would with the standard promotion of an additional domain controller.
8. After the SYSVOL tree has replicated in, and the SYSVOL share exists, delete any
remaining restored system files and folders.
21) How can you forcibly remove AD from a server, and what do you do later? Can I get
user passwords from the AD database?
Demote the server using dcpromo /forceremoval, and then remove the metadata from Active
directory using Ntdsutil. There is no way to get user passwords from AD that I am aware of, but
you should still be able to change them.
Another way out too
Restart the DC is DSRM mode
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right-pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode
its a member server now but AD entries are still there. Promote the server to a fake domain say
ABC.com and then remove gracefully using Dcpromo. Else after restart you can also use
Ntdsutil to do metadata as told in the earlier post
22) Name some OU design considerations
OU design requires balancing requirements for delegating administrative rights independent of
Group Policy needs and the need to scope the application of Group Policy. The following OU
design recommendations address delegation and scope issues:
Applying Group Policy An OU is the lowest-level Active Directory container to which you can
assign Group Policy settings.
Delegating administrative authority
Usually dont go more than 3 OU levels
23) What is tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory services. This assists
in removing objects from replicated servers and preventing restores from reintroducing a
deleted object. This value is in the Directory Service object in the configuration NIC
By default 2000 (60 days)
2003 (180 days)
24) How would you find all users that have not logged on since last month?
Using only native commands, JSILLD.bat produces a sorted/formated report of Users who have
not logged on since YYYYMMDD.
The report is sorted by UserName and list the users full name and last logon date.
The syntax for using JSILLD.bat is:
JSILLD \Folder\OutputFile.Ext YYYYMMDD [/N]
where:
YYYYMMDD will report all users who have not logged on since this date.
/N is an optional parameter that will bypass users who have never logged on.
JSILLD.bat contains:
@echo off
setlocal
if {%2}=={} goto syntax
if %3== goto begin
if /i %3==/n goto begin
:syntax
@echo Syntax: JSILLD File yyyymmdd [/N]
endlocal
goto :EOF
:begin
if /i %2==/n goto syntax
set dte=%2
set XX=%dte:~0,4%
if %XX% LSS 1993 goto syntax
set XX=%dte:~4,2%
if %XX% LSS 01 goto syntax
if %XX% GTR 12 goto syntax
set XX=%dte:~6,2%
if %XX% LSS 01 goto syntax
if %XX% GTR 31 goto syntax
set never=X
if /i %3==/n set never=/n
set file=%1
if exist %file% del /q %file%
for /f Skip=4 Tokens=* %%i in (net user /domain^|findstr /v /c:-^|findstr /v /i /c:The
command completed) do (
do call :parse %%i
)
endlocal
goto :EOF
:parse
set str=#%1#
set str=%str:#=%
set str=%str:#=%
set substr=%str:~0,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if %substr%== goto :EOF
for /f Skip=1 Tokens=* %%i in (net user %substr% /domain) do call :parse1 %%i
set substr=%str:~25,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if %substr%== goto :EOF
for /f Skip=1 Tokens=* %%i in (net user %substr% /domain) do call :parse1 %%i
set substr=%str:~50,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if %substr%== goto :EOF
for /f Skip=1 Tokens=* %%i in (net user %substr% /domain) do call :parse1 %%i
goto :EOF
:parse1
set ustr=%1
if %ustr%==The command completed successfully. goto :EOF
set ustr=%ustr:=%
if /i %ustr:~0,9%==Full Name set fullname=%ustr:~29,99%
if /i not %ustr:~0,10%==Last logon goto :EOF
set txt=%ustr:~29,99%
for /f Tokens=1,2,3 Delims=/ %%i in (@echo %txt%) do set MM=%%i&set DD=%%j&set
YY=%%k
if /i %MM%==Never goto tstnvr
goto year
:tstnvr
if /i %never%==/n goto :EOF
goto report
:year
if %YY% GTR 1000 goto mmm
if %YY% GTR 92 goto Y19
set /a YY=100%YY%%%100
set YY=%YY% + 2000
goto mmm
:Y19
set YY=19%YY%
:mmm
set /a XX=100%MM%%%100
if %XX% LSS 10 set MM=0%XX%
set /a XX=100%DD%%%100
if %XX% LSS 10 set DD=0%XX%
set YMD=%YY%%MM%%DD%
if %YMD% GEQ %dte% goto :EOF
:report
set fullname=%fullname% #
set fullname=%fullname:~0,35%
set substr=%substr% #
set substr=%substr:~0,30%
@echo %substr% %fullname% %txt% >> %file%
25) What are the DS commands?
New DS (Directory Service) Family of built-in command line utilities for Windows Server 2003
Active Directory
A:
New DS built-in tools for Windows Server 2003
The DS (Directory Service) group of commands are split into two families. In one branch are
DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery and DSGet.
When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for
choice. The DS family of built-in command line executables offers alternative strategies to
CSVDE, LDIFDE and VBScript.
Let me introduce you to the members of the DS family:
DSadd add Active Directory users and groups
DSmod modify Active Directory objects
DSrm to delete Active Directory objects
DSmove to relocate objects
DSQuery to find objects that match your query attributes
DSget list the properties of an object
DS Syntax
These DS tools have their own command structure which you can split into five parts:
1 2 3 4 5
Tool object DN (as in LDAP distinguished name) -switch value For example:
DSadd user cn=billy, ou=managers, dc=cp, dc=com -pwd cX49pQba
This will add a user called Billy to the Managers OU and set the password to cx49Qba
Here are some of the common DS switches which work with DSadd and DSmod
-pwd (password) -upn (userPrincipalName) -fn (FirstName) -samid (Sam account name).
The best way to learn about this DS family is to logon at a domain controller and experiment
from the command line. I have prepared examples of the two most common programs. Try
some sample commands for DSadd.
Two most useful Tools: DSQuery and DSGet
The DSQuery and DSGet remind me of UNIX commands in that they operate at the command
line, use powerful verbs, and produce plenty of action. One pre-requisite for getting the most
from this DS family is a working knowledge of LDAP.
If you need to query users or computers from a range of OUs and then return information, for
example, office, department manager. Then DSQuery and DSGet would be your tools of choice.
Moreover, you can export the information into a text file
26) What is the difference between ldifde and csvde usage considerations?
Ldifde
Ldifde creates, modifies, and deletes directory objects on computers running Windows Server
2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the
schema, export Active Directory user and group information to other applications or services,
and populate Active Directory with data from other directory services.
The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that may
be used for performing batch operations against directories that conform to the LDAP
standards. LDIF can be used to export and import data, allowing batch operations such as add,
create, and modify to be performed against the Active Directory. A utility program called LDIFDE
is included in Windows 2000 to support batch operations based on the LDIF file format
standard. This article is designed to help you better understand how the LDIFDE utility can be
used to migrate directories.
http://support.microsoft.com/kb/237677
Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files that store
data in the comma-separated value (CSV) format. You can also support batch operations based
on the CSV file format standard.
Csvde is a command-line tool that is built into Windows Server 2008 in the/system32 folder. It is
available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS)
server role installed. To use csvde, you must run the csvde command from an elevated
command prompt. To open an elevated command prompt, click Start, right-click Command
Prompt, and then click Run as administrator.
http://technet.microsoft.com/en-us/library/cc732101.aspx
DIFFERENCE USAGE WISE
Csvde.exe is a Microsoft Windows 2000 command-line utility that is located in the
SystemRoot\System32 folder after you install Windows 2000. Csvde.exe is similar to Ldifde.exe,
but it extracts information in a comma-separated value (CSV) format. You can use Csvde to
import and export Active Directory data that uses the comma-separated value format. Use a
spreadsheet program such as Microsoft Excel to open this .csv file and view the header and
value information. See Microsoft Excel Help for information about functions such as
Concatenate that can simplify the process of building a .csv file.
Note Although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only import
and export Active Directory data by using a comma-separated format (.csv). Microsoft
recommends that you use the Ldifde utility for Modify or Delete operations. Additionally, the
distinguished name (also known as DN) of the item that you are trying to import must be in the
first column of the .csv file or the import will not work.
The source .csv file can come from an Exchange Server directory export. However, because of
the difference in attribute mappings between the Exchange Server directory and Active
Directory, you must make some modifications to the .csv file. For example, a directory export
from Exchange Server has a column that is named obj-class that you must rename to
objectClass. You must also rename Display Name to displayName.
http://support.microsoft.com/kb/327620
27) What are the FSMO roles that have them by default what happens when each one
fails?
FSMO stands for the Flexible single Master Operation
It has 5 Roles: -
Schema Master:
The schema master domain controller controls all updates and modifications to the schema.
Once the Schema update is complete, it is replicated from the schema master to all other DCs
in the directory. To update the schema of a forest, you must have access to the schema master.
There can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the
forest. This DC is the only one that can add or remove a domain from the directory. It can also
add or remove cross references to domains in external directories. There can be only one
domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents
the reference by the GUID, the SID (for references to security principals), and the DN of the
object being referenced. The infrastructure FSMO role holder is the DC responsible for updating
an objects SID and distinguished name in a cross-domain object reference. At any one time,
there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a
Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will
stop updating object information because it does not contain any references to objects that it
does not hold. This is because a Global Catalog server holds a partial replica of every object in
the forest. As a result, cross-domain object references in that domain will not be updated and a
warning to that effect will be logged on that DCs event log. If all the domain controllers in a
domain also host the global catalog, all the domain controllers have the current data, and it is
not important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same
for all SIDs created in a domain), and a relative ID (RID) that is unique for each security
principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is
allowed to assign to the security principals it creates. When a DCs allocated RID pool falls
below a threshold, that DC issues a request for additional RIDs to the domains RID master. The
domain RID master responds to the request by retrieving RIDs from the domains unallocated
RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only
one domain controller acting as the RID master in the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003
includes the W32Time (Windows Time) time service that is required by the Kerberos
authentication protocol. All Windows 2000/2003-based computers within an enterprise use a
common time. The purpose of the time service is to ensure that the Windows Time service uses
a hierarchical relationship that controls authority and does not permit loops to ensure
appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of
the forest becomes authoritative for the enterprise, and should be configured to gather the time
from an external source. All PDC FSMO role holders follow the hierarchy of domains in the
selection of their in-bound time partner.
:: In a Windows 2000/2003 domain, the PDC emulator role holder retains the following
functions:
:: Password changes performed by other DCs in the domain are replicated preferentially to the
PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password
are forwarded to the PDC emulator before a bad password failure message is reported to the
user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in
the PDC Emulators SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-
based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member
servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to
Windows 2000/2003. The PDC emulator still performs the other functions as described in a
Windows 2000/2003 environment.
28) What FSMO placement considerations
do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called
FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active
Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot
(or actually, on the same DC) as has been configured by the Active Directory installation
process. However, there are scenarios where an administrator would want to move one or more
of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when
dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active
Directory, but you should bear in mind that most considerations are also true when planning
Windows 2000 AD FSMO roles
29) I want to look at the RID allocation table for a DC. What do I do?
1.install support tools from OS disk(OS Inst: Disk=>support=>tools=>suptools.msi)
2.In Command prompt type dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our
DC)
30) Whats the difference between transferring a FSMO role and seizing one? Which one
should you NOT seize? Why?
Seizing an FSMO can be a destructive process and should only be attempted if the existing
server with the FSMO is no longer available.
If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable,
DO NOT seize the Schema Master role.
If you are going to seize the Schema Master, you must permanently disconnect the current
Schema Master from the network.
If you seize the Schema Master role, the boot drive on the original Schema Master must be
completely reformatted and the operating system must be cleanly installed, if you intend to
return this computer to the network.
NOTE: The Boot Partition contains the system files (\System32). The System Partition is the
partition that contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly
Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first
domain controller in the forest root domain. The first domain controller in each new child or tree
domain is assigned the three domain-wide roles.
31) How do you configure a stand-by operation master for any of the roles?
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display
the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to
display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role
holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.
32) How do you backup & restore AD.
Backing up Active Directory is essential to maintain an Active Directory database. You can back
up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the
Windows Server 2003 family provides.
You frequently backup the system state data on domain controllers so that you can restore the
most current data. By establishing a regular backup schedule, you have a better chance of
recovering data when necessary.
To ensure a good backup includes at least the system state data and contents of the system
disk, you must be aware of the tombstone lifetime. By default, the tombstone is 60 days. Any
backup older than 60 days is not a good backup. Plan to backup at least two domain controllers
in each domain, one of at least one backup to enable an authoritative restore of the data when
necessary.
SystemStateData
Several features in the windows server 2003 family make it easy to backup Active Directory.
You can backup Active Directory while the server is online and other network function can
continue to function.
System state data on a domain controller includes the following components:
Active Directory system state data does not contain Active Directory unless the server, on which
you are backing up the system state data, is a domain controller. Active Directory is present
only on domain controllers.
The SYSVOL shared folder: This shared folder contains Group policy templates and logon
scripts. The SYSVOL shared folder is present only on domain controllers.
The Registry: This database repository contains information about the computers configuration.
System startup files: Windows Server 2003 requires these files during its initial startup phase.
They include the boot and system files that are under windows file protection and used by
windows to load, configure, and run the operating system.
The COM+ Class Registration database: The Class registration is a database of information
about Component Services applications.
The Certificate Services database: This database contains certificates that a server running
Windows server 2003 uses to authenticate users. The Certificate Services database is present
only if the server is operating as a certificate server.
System state data contains most elements of a systems configuration, but it may not include all
of the information that you require recovering data from a system failure. Therefore, be sure to
backup all boot and system volumes, including theSystemState, when you back up your server.
Restoring Active Directory
In Windows Server 2003 family, you can restore the Active Directory database if it becomes
corrupted or is destroyed because of hardware or software failures. You must restore the Active
Directory database when objects in Active Directory are changed or deleted.
Active Directory restore can be performed in several ways. Replication synchronizes the latest
changes from every other replication partner. Once the replication is finished each partner has
an updated version of Active Directory. There is another way to get these latest updates by
Backup utility to restore replicated data from a backup copy. For this restore you dont need to
configure again your domain controller or no need to install the operating system from scratch.
Active Directory Restore Methods
You can use one of the three methods to restore Active Directory from backup media: primary
restore, normal (non authoritative) restore, and authoritative restore.
Primary restore: This method rebuilds the first domain controller in a domain when there is no
other way to rebuild the domain. Perform a primary restore only when all the domain controllers
in the domain are lost, and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on local computer, or user
should have been delegated with this responsibility to perform restore. On a domain controller
only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup,
and then updates the data through the normal replication process. Perform a normal restore for
a single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative
restore marks specific data as current and prevents the replication from overwriting that data.
The authoritative data is then replicated through the domain.
Perform an authoritative restore individual object in a domain that has multiple domain
controllers. When you perform an authoritative restore, you lose all changes to the restore
object that occurred after the backup. Ntdsutil is a command line utility to perform an
authoritative restore along with windows server 2003 system utilities. The Ntdsutil command-line
tool is an executable file that you use to mark Active Directory objects as authoritative so that
they receive a higher version recently changed data on other domain controllers does not
overwrite system state data during replication.
33) Why cant you restore a DC that was backed up 4 months ago?
Because of the tombstone life which is set to only 60 days
34) What are GPOs?
Group Policy Objects
35) What is the order in which GPOs are applied?
Local, Site, Domain, OU
Group Policy settings are processed in the following order:
1:- Local Group Policy object-each computer has exactly one Group Policy object that is stored
locally. This processes for both computer and user Group Policy processing.
2:- Site-Any GPOs that have been linked to the site that the computer belongs to are processed
next. Processing is in the order that is specified by the administrator, on the Linked Group Policy
Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the
lowest link order is processed last, and therefore has the highest precedence.
3:- Domain-processing of multiple domain-linked GPOs is in the order specified by the
administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with
the lowest link order is processed last, and therefore has the highest precedence.
4:- Organizational units-GPOs that are linked to the organizational unit that is highest in the
Active Directory hierarchy are processed first, then GPOs that are linked to its child
organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that
contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs
can be linked. If several GPOs are linked to an organizational unit, their processing is in the
order that is specified by the administrator, on the Linked Group Policy Objects tab for the
organizational unit in GPMC. The GPO with the lowest link order is processed last, and
therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the
organizational unit of which the computer or user is a direct member are processed last, which
overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the
earlier and later settings are merely aggregated.)
36) Name a few benefits of using GPMC.
Easy administration of all GPOs across the entireActiveDirectoryForest
View of all GPOs in one single list
Reporting of GPO settings, security, filters, delegation, etc.
Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
Delegation model
Backup and restore of GPOs
Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC
is needed and should be used by everyone for what it is ideal for. However, it does fall a bit
short when you want to protect the GPOs from the following:
Role based delegation of GPO management
Being edited in production, potentially causing damage to desktops and servers
Forgetting to back up a GPO after it has been modified
Change management of each modification to every GPO
37) What are the GPC and the GPT? Where can I find them?
A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object
consisting of a Group Policy container (GPC) and a Group Policy template (GPT).
The GPC, which contains information on the properties of a GPO, is stored in Active Directory
on each domain controller in the domain. The GPT contains the data in a GPO and is stored in
the Sysvol in the /Policies sub-directory.
38) What are GPO links? What special things can I do to them?
Linking GPOs
To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need
to add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by
using GPMC. Keep in mind that creating and linking GPOs is a sensitive privilege that should be
delegated only to administrators who are trusted and understand Group Policy.
Linking GPOs to the Site
If you have a number of policy settings to apply to computers in a particular physical location
only certain network or proxy configuration settings, for example these settings might be
appropriate for inclusion in a site-based policy. Because domains and sites are independent, it
is possible that computers in the site might need to cross domains to link the GPO to the site. In
this case, make sure there is good connectivity.
If, however, the settings do not clearly correspond to computers in a single site, it is better to
assign the GPO to the domain or OU structure rather than to the site.
Linking GPOs to the Domain
Link GPOs to the domain if you want them to apply to all users and computers in the domain.
For example, security administrators often implement domain-based GPOs to enforce corporate
standards. They might want to create these GPOs with the GPMC Enforce option enabled to
guarantee that no other administrator can override these settings.
Important
If you need to modify some of the settings contained in the Default Domain Policy
GPO, it is recommended that you create a new GPO for this purpose, link it to the
domain, and set the Enforce option. In general, do not modify this or the Default
Domain Controller Policy GPO. If you do, be sure to back up these and any other
GPOs in your network by using GPMC to ensure you can restore them.
As the name suggests, the Default Domain Policy GPO is also linked to the domain. The
Default Domain Policy GPO is created when the first domain controller in the domain is
installed and the administrator logs on for the first time. This GPO contains the domain-wide
account policy settings, Password Policy, Account Lockout Policy, and Kerberos Policy, which is
enforced by the domain controller computers in the domain. All domain controllers retrieve the
values of these account policy settings from the Default Domain Policy GPO. In order to apply
account policies to domain accounts, these policy settings must be deployed in a GPO linked to
the domain, and it is recommended that you set these settings in the Default Domain Policy. If
you set account policies at a lower level, such as an OU, the settings only affect local accounts
(non-domain accounts) on computers in that OU and its children.
Before making any changes to the default GPOs, be sure to back up the GPO using GPMC. If
for some reason there is a problem with the changes to the default GPOs and you cannot revert
back to the previous or initial states, you can use the Dcgpofix.exe tool to recreate the default
policies in their initial state.
Dcgpofix.exe is a command-line tool that completely restores the Default Domain Policy GPO
and Default Domain Controller GPO to their original states in the event of a disaster where you
cannot use GPMC. Dcgpofix.exe restores only the policy settings that are contained in the
default GPOs at the time they are generated. The only Group Policy extensions that include
policy settings in the default GPOs are RIS, Security, and EFS. Dcgpofix.exe does not restore
other GPOs that administrators create; it is only intended for disaster recovery of the default
GPOs.
Note that Dcgpofix.exe does not save any information created through applications, such as
SMS or Exchange. The Dcgpofix.exe tool is included with Windows Server 2003 and only works
in a Windows Server 2003 domain.
Dcgpofix.exe is located in the C:\Windows\Repair folder. The syntax for Dcgpofix.exe is as
follows:
Copy Code
DCGPOFix [/Target: Domain | DC | BOTH]
Table 2.1 describes the options you can use with the command line parameter /Target: when
using the Dcgpofix.exe tool.
Table 2.1 Dcgpofix.exe Options for Using the /Target Parameter
/Target
option:
Description
of option
DOMAINSpecifies that the Default Domain Policy should be
recreated.DCSpecifies that the Default Domain Controllers Policy
should be recreated.BOTHSpecifies that both the Default Domain
Policy and the Default Domain Controllers Policy should
be recreated.For more information about Dcgpofix.exe, in Help and
Support Centerfor Windows Server 2003 click Tools, and then click
Command-line reference A-Z
Linking GPOs to the OU Structure
Most GPOs are normally linked to the OU structure because this provides the most flexibility
and manageability:
You can move users and computers into and out of OUs.
OUs can be rearranged if necessary.
You can work with smaller groups of users who have common administrative
requirements.
You can organize users and computers based on which administrators manage them.
Organizing GPOs into user- and computer-oriented GPOs can help make your Group Policy
environment easier to understand and can simplify troubleshooting. However, separating the
user and computer components into separate GPOs might require more GPOs. You can
compensate for this by adjusting the GPO Status to disable the user or computer configuration
portions of the GPO that do not apply and to reduce the time required to apply a given GPO.
Changing the GPO Link Order
Within each domain, site, and OU, the link order controls the order in which GPOs are applied.
To change the precedence of a link, you can change the link order, moving each link up or down
in the list to the appropriate location. Links with the lowest number have higher precedence for a
given site, domain, or OU. For example, if you add six GPO links and later decide that you want
the last one that you added to have the highest precedence, you can adjust the link order of the
GPO link so it has link order of 1. To change the link order for GPO links for a domain, OU, or
site, use GPMC
http://technet.microsoft.com/en-us/library/cc736813.aspx
http://technet.microsoft.com/en-us/library/cc757050.aspx
39) What can I do to prevent inheritance from above?
You can block policy inheritance for a domain or organizational unit. Using block inheritance
prevents GPOs linked to higher sites, domains, or organizational units from being automatically
inherited by the child-level. By default, children inherit all GPOs from the parent, but it is
sometimes useful to block inheritance. For example, if you want to apply a single set of policies
to an entire domain except for one organizational unit, you can link the required GPOs at the
domain level (from which all organizational units inherit policies by default), and then block
inheritance only on the organizational unit to which the policies should not be applied.
40) How can I override blocking of inheritance?
A. Group Policies can be applied at multiple levels (Sites, domains, organizational Units) and
multiple GPs for each level. Obviously it may be that some policy settings conflict hence the
application order of Site Domain Organization Unit and within each layer you set order for all
defined policies but you may want to force some polices to never be overridden (No Override)
and you may want some containers to not inherit settings from a parent container (Block
Inheritance).
A good definition of each is as follows:
No Override This prevents child containers from overriding policies set at higher levels
Block Inheritance Stops containers inheriting policies from parent containers
No Override takes precedence over Block Inheritance so if a child container has Block
Inheritance set but on the parent a group policy has No Override set then it will get applied.
Also the highest No Override takes precedence over lower No Overrides set.
To block inheritance perform the following:
1. Start the Active Directory Users and Computer snap-in (Start Programs
Administrative Tools Active Directory Users and Computers)
2. Right click on the container you wish to stop inheriting settings from its parent and
select Properties
3. Select the Group Policy tab
4. Check the Block Policy inheritance option
Click here to view image
5. Click Apply then OK
To set a policy to never be overridden performs the following:
1. Start the Active Directory Users and Computer snap-in (Start Programs
Administrative Tools Active Directory Users and Computers)
2. Right click on the container you wish to set a Group Policy to not be overridden and
select Properties
3. Select the Group Policy tab
4. Click Options
5. Check the No Override option
6. Click OK
7. Click Apply then OK
41) How can you determine what GPO was and was not applied for a user? Name a few
ways to do that.
1. Group Policy Management Console (GPMC) can provide assistance when you
need to troubleshoot GPO behavior. It allows you to examine the settings of a
specific GPO, and is can also be used to determine how your GPOs are linked to
sites, domains, and OUs. The Group Policy Results report collects information on a
computer and user, to list the policy settings which are enabled. To create a Group
Policy Results report, right-click Group Policy Results, and select Group Policy
Results Wizard on the shortcut menu. This launches the Group Policy Results
Wizard, which guides you through various pages to set parameters for the
information that should be displayed in the Group Policy Results report.
2. Gpresult.exe Click Start > RUN > CMD > gpresult, this will also give you
information of applied group policies.
1. 3. RSOP.MSC
42) A user claims he did not receive a GPO, yet his user and computer accounts are in
the right OU, and everyone else there gets the GPO. What will you look for?
Here interviewer want to know the troubleshooting steps
what GPOs is applying?
If it applying in all user and computer?
What GPOs are implemented on ou?
Make sure user not is member of loopback policy as in loopback policy it doesnt affect user
settings only computer policy will applicable.
If he is member of GPOs filter grp or not?
You may also want to check the computers event logs. If you find event ID 1085 then you may
want to download the patch to fix this and reboot the computer.
===============================================
Answer 2: Start troubleshooting by running RSOP.MSC (Resultant Set of Policy) or gpresult /z
to verify whether relevant GPO actually applies to that user?
This also can be a reason of slow network; you can change the default setting by using the
Group Policy MMC snap-in. This feature is enabled by default, but you can disable it by using
the following policy: Administrative Templates\System\Logon\Always wait for the network at
computer startup and logon.
Identify which GPOs they correspond to; verify that they are applicable to the computer/user
(based on the output of RSOP.MSC/gpresult)
43) What are administrative templates?
The GPO settings are divided between the Computer settings and the User settings. In both
parts of the GPO you can clearly see a large section called Administrative Templates.
Administrative Templates are a large repository of registry-based changes (in fact, over 1300
individual settings) that can be found in any GPO on Windows 2000, Windows XP, and
Windows Server 2003.
By using the Administrative Template sections of the GPO you can deploy modifications to
machine (called HKEY_LOCAL_MACHINE in the registry) and user (called
HKEY_CURRENT_USER in the registry) portions of the Registry of computers that are
influenced by the GPO.
The Administrative Templates are Unicode-formatted text files with the extension .ADM and are
used to create the Administrative Templates portion of the user interface for the GPO Editor.
44) Whats the difference between software publishing and assigning?
An administrator can either assign or publish software applications.
Assign Users
the software application is advertised when the user logs on. It is installed when the user clicks
on the software application icon via the start menu, or accesses a file that has been associated
with the software application.
Assign Computers
The software application is advertised and installed when it is safe to do so, such as when the
computer is next restarted.
Publish to users
the software application does not appear on the start menu or desktop. This means the user
may not know that the software is available. The software application is made available via the
Add/Remove Programs option in control panel, or by clicking on a file that has been associated
with the application. Published applications do not reinstall themselves in the event of accidental
deletion, and it is not possible to publish to computers.
45) You want to standardize the desktop environments (wallpaper, My Documents, Start
menu, printers etc.) on the computers in one department. How would you do that?
Yes Through Group Policy

You might also like