good question ad


Upload: gowtham-ganesh

Post on 09-Sep-2015


Good Question / Answer for Active Directory

1. What is a Global Catalog Server?
The Global Catalog server is the server which stores the details of each object created in the forest. The Global Catalog is the master searchable index to all objects in the forest.

2. Can the GC server and the Infrastructure Master be placed on a single server? If not, explain why.
No. As the Infrastructure Master does the same job as the GC, they do not work together.

3. What is the size of the log files created before updating into ntds.dit, and the total number of files?
Three log files:
Edb.log
Res1.log
Res2.log
Each is initially 10 MB.

4. What does SYSVOL contain?
The SysVol folder contains the public information of the domain and the information for replication. Ex: Group Policy objects and scripts can be found in this directory.

5. Which service in Windows is responsible for replication from one Domain Controller to another?
The KCC generates the replication topology. Replication uses SMTP / RPC to replicate changes.

6. How does data travel between sites in ADS replication?
As determined by the site connectors.

7. What are the port numbers for SMTP, Kerberos, RDP, LDAP, and the GC server?
SMTP 25, Kerberos 88, GC 3268, LDAP 389, RDP 3389.

8. What are Intrasite and Intersite Replication?
Intrasite is replication within the same site; Intersite is replication between sites.

9. What is the Lost & Found folder in ADS?
It's the folder where you can find objects orphaned due to a conflict. Ex: you create a user in an OU which is deleted on another DC; when replication happens and ADS can't find the OU, it puts the user in the Lost & Found folder.

10. What is Garbage collection?
Garbage collection is the process of online defragmentation of Active Directory. It happens every 12 hours.

11. What does System State data contain?
Startup files
Registry
COM+ Registration Database
Memory page file
System files
AD information
Cluster Service information
SYSVOL folder

12. How do you restore a particular OU which got deleted by accident?
Do an authoritative restore.

13. What is IPSec Policy?
IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec Policy can be deployed via Group Policy to the Windows Domain Controllers & servers.

14. What are the different types of Group Policy?
I don't think there are types of group policies.

15. What is the order of applying Group Policy?
Local Policy, Site Policy, Domain Policy, OU Policy.

16. What are the new features in Windows 2003 related to ADS, Replication, and Trust?
ADS: Can have more than 5000 users in groups.

17. How do you edit the Schema in ADS?
ADSI Edit.

18. What are Domain Local, Global, and Universal groups?
Domain Local: only users within the domain.
Global groups are used to grant permissions to objects in any domain in the domain tree or forest. Members of global groups can include only accounts and groups from the domain in which they are defined.
Universal groups are used to grant permissions on a wide scale throughout a domain tree or forest. Members of universal groups include accounts and groups from any domain in the domain tree or forest.

19. Difference between Global & Universal group?
Check the answer above.

20. What are the different types of Terminal Services?
User Mode & Application Mode.

21. What is meant by root DNS servers?
Public DNS servers hosted on the Internet which register DNS.

22. What are the different records in DNS?
A: Address record
MX: Mail Server record
NS: Name Server
CNAME: Canonical name / Alias
SOA: Start of Authority

23. What is a SOA record?
Start of Authority: the authoritative DNS server for the domain.

24. How do down-level clients register their names with the DNS server?
Enable WINS integration with DNS.

25. What is RSoP?
RSoP is the Resultant Set of Policy applied on the object (Group Policy).

26. What is the default lease period for a DHCP server?
8 days by default.

27. What is the process by which DHCP clients get an IP address?
Discover - Order - Receive - Acknowledge.

28. What is multicast?
Multicast scopes enable you to lease Class D IP addresses to clients for participation in multicast transmissions, such as streaming video and audio transmissions.

29. What is a superscope?
A superscope enables you to group several standard DHCP scopes into a single administrative group without causing any service disruption to network clients.

30. What is the System Startup process?
Windows 2K boot process on Intel architecture:
1. Power-On Self Test (POST) is run.
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run.
3. The active partition is located, and the boot sector is loaded.
4. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.
2. The Windows 2000 loader starts a mini-file system.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
5. NTDETECT.COM scans the hardware installed in the computer, and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.
6. NTLDR then loads NTOSKRNL.EXE, and gives it the hardware information collected by NTDETECT.COM. Windows NT enters the Windows load phases.

31. What is WINS hybrid & mixed mode?
Systems that are configured to use WINS are normally configured as hybrid (H-node) clients, meaning they attempt to resolve NetBIOS names via a WINS server and then try a broadcast (B-node) if WINS is unsuccessful. Most systems can be configured to resolve NetBIOS names in one of four modes:
Broadcast (B-node): Clients use a broadcast only to resolve names. An enhanced B-node setting has the client use an LMHOSTS file as well. The hex value for this setting is 0x1.
Peer-to-Peer (P-node): Clients use WINS only to resolve names. The hex value for this setting is 0x2.
Mixed (M-node): Clients first use a broadcast in an attempt to resolve NetBIOS names. If this fails, they attempt the resolution via the WINS server. The hex value for this setting is 0x4.
Hybrid (H-node): Clients first use the WINS service in an attempt to resolve NetBIOS names. If this fails, they attempt the resolution via broadcast. The hex value for this setting is 0x8.

32. What is Disk Quota?
Disk Quota is specifying the limits of usage on the disks.

1) What are the different editions of Windows 2003 Server?
i) Standard Edition
ii) Web Edition
iii) Enterprise Edition
iv) Datacenter Edition

2) What is Active Directory?
Active Directory is the directory service included in the Windows Server 2003 family. Active Directory includes the directory, which stores information about network resources, as well as all the services that make the information available and useful. Active Directory is also the directory service included in Windows 2000.

3) What is the Active Directory database name and where is it located?
Name: NTDS.dit, located in c:\windows\ntds\

4) What is the expansion of .dit? What is the scalable size of NTDS in 2k3?
.dit: Directory Information Tree. It is scalable up to 70 TB.

5) What is the schema in AD?
The Active Directory schema defines the objects that can be stored in Active Directory. The schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in Active Directory. Because the schema definitions themselves are stored as objects, they can be administered in the same manner as the rest of the objects in Active Directory. Normally called schema objects or metadata.

6) Structure of AD in 2kX?
1) Physical structure: Sites, Domain Controllers
2) Logical structure: Forest, Tree, Domain, OU, Object

7) What are the domain functional levels in 2k3?
1) Mixed mode
2) Native mode
3) Interim mode

8) What is the Global Catalog and a GC server?
The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest. A domain controller that holds a copy of the global catalog is called a global catalog server.

9) What are the functions of the GC?
A) It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
B) It enables finding directory information regardless of which domain in the forest actually contains the data.

10) What is the Active Directory database engine name?
ESE (Extensible Storage Engine)

11) What are the partitions available in AD?
i) Schema partition
ii) Configuration partition
iii) Domain partition
iv) Application partition

12) What are the two types of replication?
Inter-site (site to site) and Intra-site (within a site) replication.

13) What is the KCC? What is the function of the KCC?
The KCC is a built-in process that runs on all domain controllers. The KCC configures connection objects between domain controllers. Within a site, each KCC generates its own connections. For replication between sites, a single KCC per site generates all connections between sites.

14) What are the two trust protocols 2k3 uses?
Kerberos V5 and NTLM

15) What are the trust relationships available in 2k3?
Tree-Root, Parent-Child, Shortcut, Realm, Forest trust, External trust

16) What is the hierarchy of applying GPOs in 2k3?
They are applied from parent level to child level in AD:
i) Local GPO
ii) GPOs linked to sites
iii) GPOs linked to domains
iv) GPOs linked to OUs

17) What are the protocols used in replication?
RPC over IP (used for synchronous transfer), SMTP over IP (asynchronous transfer)

18) What is the default time delay on replication?
Intra-site: 15 min (the KCC automatically creates the topology for replication). Inter-site: 1 hr. Security-related changes are replicated immediately across sites.

19) What different tables are available in the NTDS database?
i) Schema table
ii) Link table
iii) Data table
iv) Configuration table

19) Where are the FRS logs stored, and what is the database engine name?
c:\windows\ntfrs\jet\log. The engine used is the Jet database engine, Ntfrs.jdb.

20) What is a tombstone object in AD? What is its lifetime?
Any object deleted from Active Directory is not removed from the database immediately. That object is called a tombstone object. The default lifetime for that object is 60 days; for Win 2k3 SP1 it is 180 days.

21) FSMO Roles
In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
Infrastructure Master: The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

Quicker Q&A
1. What are the required components of Windows Server 2003 for installing Exchange 2003?
- ASP.NET, SMTP, NNTP, W3SVC
2. What must be done to an AD forest before Exchange can be deployed?
- Setup /forestprep
3. What Exchange process is responsible for communication with AD?
- DSACCESS
4. What 3 types of domain controller does Exchange access?
- Normal Domain Controller, Global Catalog, Configuration Domain Controller
5. What connector type would you use to connect to the Internet, and what are the two methods of sending mail over that connector?
- SMTP Connector: forward to a smart host, or use DNS to route to each address
6. How would you optimize Exchange 2003 memory usage on a Windows Server 2003 server with more than 1 GB of memory?
- Add the /3GB switch to boot.ini
7. What would a rise in remote queue length generally indicate?
- This means mail is not being sent to other servers. This can be explained by outages or performance issues with the network or remote servers.
8. What would a rise in the Local Delivery queue generally mean?
- This indicates a performance issue or outage on the local server. Reasons could be slowness in consulting AD, or slowness in handing messages off to local delivery or SMTP delivery. It could also be databases being dismounted or a lack of disk space.
9. What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
- SMTP 25, POP3 110, IMAP4 143, RPC 135, LDAP 389, Global Catalog 3268
10. Name the process names for the following: System Attendant, Information Store, SMTP/POP/IMAP/OWA?
- System Attendant: MAD.EXE; Information Store: STORE.EXE; SMTP/POP/IMAP/OWA: INETINFO.EXE
11. What is the maximum number of databases that can be hosted on Exchange 2003 Enterprise?
- 20 databases (4 SGs x 5 DBs).
12. What are the disadvantages of circular logging?
- In the event of a corrupt database, data can only be restored to the last backup.

1. What are the default shares in Windows Server 2003?
By default, Windows automatically creates special hidden administrative shares that administrators, programs, and services can use to manage the computer environment or network. These special shared resources are not visible in Windows Explorer or in My Computer, but you can use the Shared Folders tool in Computer Management to view them. Depending on the configuration of your computer, you may see some or all of the following special shared resources listed in the Shares folder in Shared Folders:

DriveLetter$: Root partitions and volumes are shared as the drive letter name appended with the $ character. For example, drive letters C and D are shared as C$ and D$.

ADMIN$: A resource that is used during remote administration of a computer.

IPC$: A resource that shares the named pipes that you must have for communication between programs. Note that this resource cannot be deleted.

NETLOGON: A resource that is used on domain controllers.

SYSVOL: A resource that is used on domain controllers.

PRINT$: A resource that is used during the remote administration of printers.

FAX$: A shared folder on a server that is used by fax clients during fax transmission.

Note NETLOGON and SYSVOL are not hidden shares but are instead special administrative shares.
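As an added example (not part of the original document), the following PowerShell audits the special shares listed above on the local server, flags any hidden ($-suffixed) share that is not on that list, and reports the registry values that control whether the shares are recreated automatically. The Get-SmbShare cmdlet, the LanmanServer\Parameters key and its AutoShareServer / AutoShareWks values are assumptions about a current Windows Server; the page itself only says "editing the registry".

```powershell
# Added example, not from the original document: audit administrative shares on this host.
# Assumes the SmbShare module (Windows Server 2012 or later) and read access to the
# LanmanServer registry key. Run in an elevated PowerShell session.

function Get-AdminShareAudit {
    # Special shares the page lists by name; drive-root shares (C$, D$, ...) are matched by pattern.
    $expected = @('ADMIN$', 'IPC$', 'NETLOGON', 'SYSVOL', 'PRINT$', 'FAX$')

    # Hidden or special shares currently exposed by the server service.
    $shares = Get-SmbShare | Where-Object {
        $_.Special -or $_.Name -like '*$' -or (@('NETLOGON', 'SYSVOL') -contains $_.Name)
    }

    $report = foreach ($s in $shares) {
        $kind = if ($s.Name -match '^[A-Za-z]\$$')      { 'DriveRoot' }
                elseif ($expected -contains $s.Name)   { 'KnownSpecial' }
                else                                   { 'UnexpectedHidden' }  # review: not a default share
        [pscustomobject]@{
            Name    = $s.Name
            Path    = $s.Path
            Special = $s.Special
            Kind    = $kind
        }
    }

    # Automatic creation of the admin shares is governed by these values; absent means enabled (1).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $autoServer = if ($null -ne $props.AutoShareServer) { [int]$props.AutoShareServer } else { 1 }
    $autoWks    = if ($null -ne $props.AutoShareWks)    { [int]$props.AutoShareWks }    else { 1 }

    [pscustomobject]@{
        Shares           = @($report)
        AutoShareServer  = $autoServer
        AutoShareWks     = $autoWks
        UnexpectedHidden = @($report | Where-Object { $_.Kind -eq 'UnexpectedHidden' })
    }
}

$audit = Get-AdminShareAudit
$audit.Shares | Format-Table -AutoSize
"AutoShareServer=$($audit.AutoShareServer)  AutoShareWks=$($audit.AutoShareWks)"
if ($audit.UnexpectedHidden.Count -gt 0) {
    Write-Warning ("Hidden shares not on the default list: " + ($audit.UnexpectedHidden.Name -join ', '))
}
```

A hidden share that is not on the default list is not necessarily wrong, but it is the kind of change that is worth tracking across domain controllers.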

Generally, Microsoft recommends that you do not modify these special shared resources. However, if you want to remove the special shared resources and prevent them from being created automatically, you can do this by editing the registry.

Q) Can I change my password if my machine's connectivity to the DC which holds the PDC emulator role has failed?
A) No, you can't change the password.

Q) I have been asked: if there is a set of 30 hard disks configured for RAID 5 and two hard disks fail, what about the data?
A) It depends how you configured your RAID: RAID 5 only, or with a spare. If it's RAID 5 only, then when 2 of your HDDs go, your RAID is gone.

Q) How can I deploy the latest patches to a PC through GP without having admin rights on the PC?
A) Create a batch file and place all the patches in the Netlogon share, and deploy the batch file through GP to all the PCs, so that it takes effect after restarting the PC.

Q) In RAID 5, suppose I have 5 HDDs of 10 GB each. After configuring the RAID, how much space do I have to utilise?
A) Total minus 1 (e.g. if you are using 5 you will get only 4, because 1 goes for parity).

Q) How can I resolve the server name through nslookup?
A) What exactly do you want to do? The nslookup command will let you know through which server you are getting routed (e.g. run nslookup at the c:\ prompt and you will get the domain name to which you are being routed). If you want to get the name of the PC/server from its IP address, then you have to give the command nbtstat -a with the IP address xx-xx-xx-xx.

DHCP relay agent: where to place it?
Ans: The DHCP Relay Agent needs to be placed on the software router.

Question: How many zones are there in Windows 2000 Server and Windows 2003 Server?
Ans: In Windows 2000 there are mainly 3 zones:
Standard Primary: zone information is written in a text file
Standard Secondary: copy of the Primary
Active Directory Integrated: information is stored in Active Directory
In Win2k3 one more zone is added, the Stub zone. A Stub zone is like a secondary, but it contains only a copy of the SOA record, copies of the NS records, and copies of the A records for that zone; no copies of MX, SRV records etc. With the Stub zone, DNS traffic will be low.

Question: What is Kerberos? Which version is currently used by Windows? How does Kerberos work?
Answer: Kerberos is the user authentication used in Win2000 and Win2003 Active Directory servers. The Kerberos version is 5.0. The port is 88. It's more secure and encrypted than NTLM (NT authentication).

Which protocol is used for Public Folders?
Ans: SMTP

What is the use of NNTP with Exchange?
Ans: This protocol is used for newsgroups in Exchange.

What are the contents of a System State backup?
The contents are:
Boot files, system files
Active Directory (if it's done on a DC)
SysVol folder (if it's done on a DC)
Certificate Services (on a CA server)
Cluster database (on a cluster server)
Registry
Performance counter configuration information
Component Services class registration database

Q: What are the prerequisites for installation of Exchange Server?
The prerequisites are:
IIS
SMTP
WWW service
NNTP
.NET Framework
ASP.NET
Then run Forestprep, then run Domainprep.

Question: What is Multi-Master Replication?
Answer: Multi-master replication is a method of replication employed by databases to transfer data or changes to data across multiple computers within a group. Multi-master replication can be contrasted with a master-slave method (also known as single-master replication).

DFS? DFS Namespace?
1. DFS Replication: New state-based, multimaster replication engine that is optimized for WAN environments. DFS Replication supports replication scheduling, bandwidth throttling, and a new byte-level compression algorithm known as remote differential compression (RDC).
2. DFS Namespaces: Technology that helps administrators group shared folders located on different servers and present them to users as a virtual tree of folders known as a namespace. DFS Namespaces was formerly known as Distributed File System in Windows 2000 Server and Windows Server 2003.

What are the four domain functional levels?
Windows 2000 Mixed
Windows 2000 Native
Windows Server 2003 Interim
Windows Server 2003

Windows 2000 Mixed
When you configure a new Windows Server 2003 domain, the default domain functional level is Windows 2000 Mixed. Under this domain functional level, Windows NT, 2000, and 2003 domain controllers are supported. However, certain features such as group nesting, universal groups, and so on are not available.

Windows 2000 Native
Upgrading the functional level of a domain to Windows 2000 Native should only be done if there are no Windows NT domain controllers remaining on the network. By upgrading to the Windows 2000 Native functional level, additional features become available, including group nesting, universal groups, SID History, and the ability to convert security groups and distribution groups.

Windows Server 2003 Interim
The third functional level is Windows Server 2003 Interim, and it is often used when upgrading from Windows NT to Windows Server 2003. Upgrading to this domain functional level provides support for Windows NT and Windows Server 2003 domain controllers. However, like Windows 2000 Mixed, it does not provide new features.

Windows Server 2003
The last functional level is Windows Server 2003. This domain functional level only provides support for Windows Server 2003 domain controllers. If you want to take advantage of all the features included with Windows Server 2003, you must implement this functional level. One of the most important features introduced at this functional level is the ability to rename domain controllers.

Q1. Which are the FIVE FSMO roles?

Schema Master: Forest level, one per forest
Domain Naming Master: Forest level, one per forest
PDC Emulator: Domain level, one per domain
RID Master: Domain level, one per domain
Infrastructure Master: Domain level, one per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the active directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the active directory or forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:
- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller, that is the PDC emulator, acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move. When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that makes the object unique in a domain. Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, then the Infrastructure master is involved. Likewise, if that user in DomainA, who has been added to a group in DomainB, then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

If Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

If Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

If PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical because other domain controllers can assume most of the responsibilities of the PDC emulator.

If RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

If Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?
The first domain controller that is installed in a Windows 2000 domain, by default, holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?
Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization then you have one forest, one domain, and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?
Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles. The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are, by default, on the first domain controller installed in a forest, you can leave them as they are.
Note: According to MS, the Domain Naming Master needs to be on a Global Catalog server. If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP: Why should the Infrastructure Master not be on the same server that acts as a Global Catalog server?
The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain.
Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and the Global Catalog server above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.

Q7. What permissions should you have in order to transfer a FSMO role?
Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:
Schema Master - member of the Schema Admins group
Domain Naming Master - member of the Enterprise Admins group
PDC Emulator - member of the Domain Admins group and/or the Enterprise Admins group
RID Master - member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master - member of the Domain Admins group and/or the Enterprise Admins group
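To check the Q6 placement rules against a live forest rather than by hand, here is an added PowerShell example (not code from the original document). It assumes the RSAT ActiveDirectory module is installed and that the caller can read the forest and domain objects; it only reports and changes nothing.

```powershell
# Added example, not part of the original document: audit the FSMO role
# holders of one domain against the placement rules described above.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $forest      = Get-ADForest
    $dom         = Get-ADDomain -Identity $Domain
    $gcs         = @($forest.GlobalCatalogs)       # FQDNs of all GC servers
    $multiDomain = $forest.Domains.Count -gt 1     # the IM/GC rule only matters here

    $holders = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    # One finding object per role; Issue stays empty when placement is fine.
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($h in $holders.GetEnumerator()) {
        $findings.Add([pscustomobject]@{
            Role   = $h.Key
            Holder = $h.Value
            IsGC   = ($gcs -contains $h.Value)
            Issue  = ''
        })
    }

    # Mandatory: Infrastructure Master must not be a GC in a multi-domain forest,
    # otherwise cross-domain object updates are never replicated.
    $im = $findings | Where-Object Role -eq 'Infrastructure Master'
    if ($im.IsGC -and $multiDomain) {
        $im.Issue = 'Infrastructure Master is a GC in a multi-domain forest'
    }

    # Domain Naming Master needs to be on a Global Catalog server.
    $dnm = $findings | Where-Object Role -eq 'Domain Naming Master'
    if (-not $dnm.IsGC) { $dnm.Issue = 'Domain Naming Master is not a GC' }

    # Recommended pairings: Schema + Domain Naming, PDC Emulator + RID.
    if ($holders['Schema Master'] -ne $holders['Domain Naming Master']) {
        ($findings | Where-Object Role -eq 'Schema Master').Issue =
            'Schema Master and Domain Naming Master are on different servers (recommended together)'
    }
    if ($holders['PDC Emulator'] -ne $holders['RID Master']) {
        ($findings | Where-Object Role -eq 'PDC Emulator').Issue =
            'PDC Emulator and RID Master are on different servers (recommended together)'
    }
    return $findings
}

Test-FsmoPlacement | Format-Table -AutoSize
```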

FSMO TOOLS
Q8. Tools to find out what servers in your domain/forest hold what server roles?
1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click "Operations Masters". A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking "Active Directory Users and Computers" at the top of the Active Directory Users and Computers snap-in and choose "Connect to Domain Controller". Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click "Active Directory Domains and Trusts" at the top of the tree, and choose "Operations Master". When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking "Active Directory Domains and Trusts" at the top of the Active Directory Domains and Trusts snap-in and choosing "Connect to Domain Controller".

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However... the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the \Support directory on the Windows 2000 server CD or install the Windows 2000 Server Resource Kit. Once you install the support tools you can open up a blank Microsoft Management Console (start, run, mmc) and add the snap-in to the console. Once the snap-in is open, right click "Active Directory Schema" at the top of the tree and choose "Operations Masters". You will see the dialog box below. Changing the server the Schema Master resides on requires you first connect to another domain controller, and then click the Change button.

You can connect to another domain controller by right clicking "Active Directory Schema" at the top of the Active Directory Schema snap-in and choosing "Connect to Domain Controller".

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers:

5. Active Directory Replication Monitor
Another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS
Command-line tool to query for the current FSMO role holders. Part of the Microsoft Windows 2000 Server Resource Kit, downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp. Prints the current FSMO holders to the screen; it calls NTDSUTIL to get this information.

7. NLTEST
Command-line tool to perform common network administrative tasks. Type "nltest /?" for syntax and switches. Common uses:
Get a list of all DCs in the domain
Get the name of the PDC emulator
Query or reset the secure channel for a server
Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)
A simple utility to view information about AD and FSMO roles: http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to Transfer and Seize a FSMO Role
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

DNS stands for Domain Name System. It is a distributed file system that resolves names to IP addresses and vice versa.

There are three types of queries that a client can make to a DNS server.

1. Recursive
2. Iterative
3. Inverse

There are two types of lookup:
1. Forward lookup - resolves name to IP address.
2. Reverse lookup - resolves IP address to name.

There are three types of zones:

1. AD integrated zone
2. Standard primary zone
3. Standard secondary zone

Protocols & Port No for DNS
DNS uses both UDP & TCP. Normal resource record lookups are done with UDP. Ordinary DNS requests can be made with TCP, though convention dictates the use of UDP for normal operation. TCP is used for zone transfers. DNS uses port number 53.

Sequence to RESOLVE a query
To resolve a query, the client follows this sequence:
1. NetBIOS name cache
2. WINS, broadcast
3. LMHOSTS
4. HOSTS
5. Domain Name System (DNS) cache
6. DNS server configured on the system

Zone Database Transfer Type:

1. AXFR -- full zone database transfer
2. IXFR -- incremental database transfer
A zone transfer is always initiated by the client side.

1. In Active Directory Integrated Zones, DNS zone files are stored in the Active Directory database, so zone files replicate when replication happens between Domain Controllers. An Active Directory-integrated zone is an available option when the DNS server is installed on an Active Directory domain controller. When a DNS zone is installed as an Active Directory zone, the DNS information is automatically updated on other AD domain controllers running DNS by using Active Directory's multimaster update techniques. Zone information stored in the Active Directory allows DNS zone transfers to be part of the Active Directory replication process, secured by Kerberos authentication.

2. A Standard primary DNS zone holds a master copy of a zone and can replicate it to all configured secondary zones in standard text format. Any changes that must be made to the zone are made on the copy stored on the primary.

3. On the other hand, a standard secondary zone holds a read-only copy of the zone information in standard text format. Secondary zones are created to increase performance and resilience of the DNS configuration. Information is transferred from the primary zone to the secondary zones.

STUB ZONE

A stub zone is a read-only copy of a zone that contains only those resource records necessary to identify the authoritative DNS servers for the actual zone. A stub zone is used to keep a parent zone aware of the authoritative DNS servers for a delegated zone and thereby maintain DNS name resolution efficiency. For example, a customer who is running Windows 2000 (that has both a parent and child domain) will typically create a delegation record in the parent zone for the child domain, thus enabling the child DNS server to host the primary zone for the child domain. As new DNS servers are added to the child domain, the delegation record must be updated manually on the parent DNS server to reflect those new child DNS servers. Alternatively, with stub zones, the parent DNS server can host a stub zone for the child domain and become aware of new child DNS servers automatically when the stub zone is loaded or reloaded. Stub zones are not limited to use in a parent-child domain topology; they also can be used to resolve resource records in other domains in the forest and, theoretically, for other forests as well.

The administrator cannot modify a stub zone's resource records. Any changes the administrator wants to make to the resource records in a stub zone must be made in the original, primary zone from which the stub zone is derived. Unlike secondary zones, stub zones can be stored in Active Directory.

A stub zone is composed of:
The start-of-authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the stub zone.

In short about stub zones:
1) Allow a parent domain to automatically identify the DNS servers in a child domain.

2) Only contain the SOA, NS, and A records.

3) The DNS server is able to query NS directly instead of through recursion with root hints.

4) Changes to zones are made when the master zone is updated or loaded.

Using the Local List of Masters
The local list of masters defines physically local servers from which to transfer. Master servers are DNS servers that the stub zone will contact to retrieve the necessary resource records. It is comparable to the list of servers defined when creating a secondary zone (i.e. the list of servers from which the zone is transferred). When more than one server appears in the list and a zone update is requested, the list of master servers is used and the servers are prioritized by the order in which they appear in the list. When Active Directory-integrated stub zones are replicated into different physical sites, it is recommended that they be updated using a local list of master servers in each site. For example, an Active Directory-integrated stub zone, widgets.microsoft.com, was loaded in a site in Seattle and replicated to a site in Boston. Master servers for the stub zone exist in each of these sites. When the stub zone in Boston is updated, the domain controller may contact both master servers for resource records in widgets.microsoft.com. However, because of network traffic, the administrator may want the domain controller in Boston to use only the master server in Boston and not the master server in Seattle. To force the domain controller in Boston to use only the master server in Boston, the administrator can specify that the stub zone in Boston be updated using a local list of master servers.

Master server list in the stub zone properties dialog box

To use a local list of masters, enable the checkbox "Use the list above as a local list of master" on the General tab of the stub zone properties. This option will only be available if the zone is stored in Active Directory. Stub zones that are not stored in Active Directory will only use the list of masters that are specified in the stub zone properties.

New Registry Keys
Name: LocalMasterServers
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\
Type: REG_SZ
Valid Range: space-separated IP list of masters to be used by this DNS server

Conditional forwarding

Conditional forwarding allows a DNS server to forward queries to other DNS servers based on the DNS domain names in the queries. With conditional forwarding, a DNS server could be configured to forward all the queries it receives for names ending with widgets.microsoft.com to a specific DNS server's IP address, or to the IP addresses of multiple DNS servers. For example, when two companies (example1.com and example2.com) merge or collaborate, they may want to allow clients from the internal namespace of one company to resolve the names of the clients from the internal namespace of the other company. The administrators from one organization (e.g., example1.com) may inform the administrators of the other organization (e.g., example2.com) about the set of DNS servers that they can use to send DNS queries to for name resolution within the internal namespace of the first organization. In this case the DNS servers within the example2.com organization will be configured to forward all queries for names ending with "example1.com." to the designated DNS servers.

Note: Authoritative DNS servers cannot forward queries according to domain names for which they are authoritative. For example, the authoritative DNS server for the zone widgets.microsoft.com cannot forward queries according to the domain name widgets.microsoft.com. If the DNS server were allowed to do this, it would nullify the server's ability to respond to queries for the domain name widgets.microsoft.com. The DNS server authoritative for widgets.microsoft.com can forward queries for DNS names that end with hr.widgets.microsoft.com, if hr.widgets.microsoft.com is delegated to another DNS server.

Forwarders tab in DNS server properties.

The conditional forwarder setting consists of the following:
The domain names for which the DNS server will forward queries
One or more DNS server IP addresses for each domain name specified

Forwarding Sequence
Each domain name used for forwarding on a DNS server is associated with the IP addresses of one or more DNS servers. A DNS server configured for forwarding will use its forwarders list after it has determined that it cannot resolve a query using its authoritative data (primary or secondary zone data) or cached data. If the server cannot resolve a query using forwarders, it may attempt recursion to the root hint servers. The order of the IP addresses listed determines the sequence in which the IP addresses are used. After the DNS server forwards the query to the forwarder with the first IP address associated with the domain name, it waits a short period for an answer from that forwarder (according to the DNS server's time out setting) before resuming the forwarding operation with the next IP address associated with the domain name. It continues this process until it receives an affirmative answer from a forwarder.

Unlike conventional client resolution, where a roundtrip time (RTT) is associated with each server, the IP addresses in the forwarders list are not ordered according to roundtrip time and must be reordered manually to change preference.

Domain Name Length
When a DNS server configured to use conditional forwarding receives a query for a domain name, it will compare that domain name with its list of domain name conditions and use the longest domain name condition that corresponds to the domain name in the query. For example (using Figure 3), the DNS server receives a query for www.testcenter.research.example.com. It compares that domain name with both example.com and research.example.com. The DNS server determines that research.example.com is the domain name that more closely matches the domain name query. The DNS server forwards the query to the DNS server with the IP address 192.168.200.1, which is associated with research.example.com.

Forward-only Server
A DNS server can be configured to not perform recursion after the forwarders fail; if it does not get a successful query response from any of the servers configured as forwarders, then it sends a negative response to the DNS client. The option to prevent recursion can be set for each conditional forwarder in Windows .NET Server. For example, a DNS server can be configured to perform recursion for the domain name research.example.com, but not to perform recursion for the domain name example.com.
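The longest-match selection and the authoritative-zone restriction described above, modelled as an added PowerShell function (not code from the original document). The condition table, the placeholder addresses 10.0.0.53 and 192.0.2.10, and the use of widgets.microsoft.com with a delegated hr.widgets.microsoft.com are constructed for illustration; only 192.168.200.1 for research.example.com comes from the text.

```powershell
# Added example, not part of the original document. Models how a DNS server
# with conditional forwarders chooses a forwarder: whole-label suffix match,
# longest matching condition wins, and names inside a zone the server is
# authoritative for are answered locally unless they fall under a delegation.
function Test-NameUnderZone {
    param([string]$Name, [string]$Zone)
    # Whole-label comparison: "example.com" matches "www.example.com"
    # but must not match "notexample.com".
    return ($Name -eq $Zone) -or $Name.EndsWith(".$Zone")
}

function Select-ConditionalForwarder {
    param(
        [Parameter(Mandatory)][string]$QueryName,
        [Parameter(Mandatory)][hashtable]$Conditions,   # domain -> forwarder IPs in priority order
        [string[]]$AuthoritativeZones = @(),
        [string[]]$DelegatedZones = @()
    )
    $q = $QueryName.TrimEnd('.').ToLowerInvariant()

    # Authoritative data is answered locally; only a delegated sub-zone may still be forwarded.
    $underDelegation = $DelegatedZones | Where-Object { Test-NameUnderZone $q $_.TrimEnd('.').ToLowerInvariant() }
    if (-not $underDelegation) {
        foreach ($z in $AuthoritativeZones) {
            if (Test-NameUnderZone $q $z.TrimEnd('.').ToLowerInvariant()) {
                return [pscustomobject]@{ Query = $q; Condition = $null; Forwarders = @(); Reason = 'authoritative, answered locally' }
            }
        }
    }

    # Longest matching condition wins (research.example.com beats example.com).
    $bestKey = $null
    foreach ($key in $Conditions.Keys) {
        $c = $key.TrimEnd('.').ToLowerInvariant()
        if ((Test-NameUnderZone $q $c) -and ($null -eq $bestKey -or $c.Length -gt $bestKey.TrimEnd('.').Length)) {
            $bestKey = $key
        }
    }
    if ($null -eq $bestKey) {
        return [pscustomobject]@{ Query = $q; Condition = $null; Forwarders = @(); Reason = 'no condition matched; use default forwarders or recursion' }
    }
    [pscustomobject]@{ Query = $q; Condition = $bestKey; Forwarders = $Conditions[$bestKey]; Reason = 'longest matching condition' }
}

# Constructed condition table following the Figure 3 scenario.
# 10.0.0.53 and 192.0.2.10 are placeholders; 192.168.200.1 is from the text.
$conditions = @{
    'example.com'              = @('10.0.0.53')
    'research.example.com'     = @('192.168.200.1')
    'hr.widgets.microsoft.com' = @('192.0.2.10')
}
$auth  = @('widgets.microsoft.com')      # zone this server is authoritative for
$deleg = @('hr.widgets.microsoft.com')   # sub-zone delegated to another server

Select-ConditionalForwarder -QueryName 'www.testcenter.research.example.com' -Conditions $conditions
Select-ConditionalForwarder -QueryName 'intranet.example.com' -Conditions $conditions
Select-ConditionalForwarder -QueryName 'host.widgets.microsoft.com' -Conditions $conditions -AuthoritativeZones $auth -DelegatedZones $deleg
Select-ConditionalForwarder -QueryName 'payroll.hr.widgets.microsoft.com' -Conditions $conditions -AuthoritativeZones $auth -DelegatedZones $deleg
```

The first call picks research.example.com over example.com because it is the longer matching condition, and the third returns no forwarder because the server is authoritative for widgets.microsoft.com, while the fourth is forwarded because hr.widgets.microsoft.com is delegated.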

Warning: If you disable recursion on the Advanced tab in DNS server properties, you will not be able to use forwarders on the same server.

New Registry Keys
This key toggles recursion for a particular domain:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\
Name: ForwarderSlave
Type: REG_DWORD
Valid Range: 0x0 (recursion) and 0x1 (no recursion)

This key sets the forwarder timeout for a particular domain:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\
Name: ForwarderTimeout
Type: REG_DWORD
Valid Range: any number (seconds)

This key lists the order of forwarders a domain will use:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones\
Name: MasterServers
Type: REG_SZ
Valid Range: space-separated list of IP addresses used in order

DNS Group Policies in the Default Domain Policy
1. Primary DNS suffix
Allows you to specify a primary DNS suffix for a group of computers and prevents users, including administrators, from changing it.

2. Dynamic update
Determines if dynamic update is enabled.

3. DNS suffix search list
When this setting is enabled, if a user submits a query for a single-label name, such as widgets, a local DNS client attaches a suffix, such as microsoft.com, resulting in the query widgets.microsoft.com before sending the query to a DNS server.

4. Primary DNS suffix devolution
Determines whether the DNS client performs primary DNS suffix devolution in a name resolution process.

5. Register PTR records
Determines whether the registration of PTR resource records is enabled for the computers to which this policy is applied.

6. Registration refresh interval
Specifies the registration refresh interval of A and PTR resource records for computers to which this setting is applied. This setting may be applied to computers using dynamic update only.

7. Replace addresses in conflicts
Determines whether a DNS client that attempts to register its A resource record should overwrite an existing A resource record containing conflicting IP addresses.

8. Register DNS records with connection-specific DNS suffix
Determines if a computer performing dynamic registration may register its A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix.

9. TTL set in the A and PTR records
Specifies the value for the Time-To-Live (TTL) field in A and PTR resource records registered by the computers to which this setting is applied.

10. Update security level
Specifies whether the computers to which this setting is applied use secure dynamic update or standard dynamic update to register DNS records.

11. Update top-level domain zones
Specifies whether the computers to which this policy is applied may send dynamic updates to the zones named with a single label name, also known as top-level domain zones, for example, com.