Syed Jahanzaib Personal Blog to Share Knowledge !

February 18, 2010

Technical Interview Questions (Part 3/4) [EXCHANGE SERVER]

Filed under: General IT Related — Syed Jahanzaib / Pinochio~:) @ 9:40 AM

~!~

Technical Interview Questions (Part 3/4)
[EXCHANGE SERVER]


Edited & Maintained by SYED JAHANZAIB / aacable@hotmail.com

  • Tell me a bit about the capabilities of Exchange Server.

Microsoft Exchange is a server that centrally stores a company’s email, files, task lists, calendar and contact information. General features of Microsoft Exchange Server are following:

  • Mobile access
  • Centrally stored information
  • Shared calendars
  • Shared task lists
  • Shared contacts
  • Outlook Web access

===========================================================
The Capabilities of Exchange Server is for Communicating through Emails,with the help of Exchange Server one can configure OutLook and can communicate through mails. In Exchange Server POP3 and SMTP Service plays vital Roles. POP3 Service helps in receiving emails and SMTP Service helps in Sending Emails.
===========================================================

Microsoft Exchange Server is a client-server, collaborative application product developed by Microsoft. Exchange’s major features consist of electronic mail, calendaring, contacts and tasks; support for mobile and web-based access to information; and support for data storage
===========================================================

  • What’s the main differences between Exchange 5.5 and Exchange 2000/2003?
  • What are the major network infrastructure for installing Exchange 2003?
  • What is the latest Exchange 2003 Service Pack? Name a few changes in functionality in that SP.

The main difference between Exchange 5.5 and Exchange 2000/2003 is in Exchange 2000/2003 we can assign full rights to Users to make changes to Exchange Server without Admin if we assign rights like creation of Users , assigninig particular user particular right and this can be done with the help of registry key goto HKCU—Software–Microsoft— ExchangeServer and add a Dword key and assign a value 1.where as this is not possible in Exchange 5.5.

Exchange 5.5 does not integrate with the NT4 domain or the  Windows 2000/2003 Active Directory in a meaningful way. A single user could be associated with several different  mailboxes. Exchange 2000/2003/2007 integrates tightly with Active Directory, and there is a 1:1 relationship between mailboxes and AD user accounts. There are other differences, depending on whether you have a standard or enterprise version as it relates to maximum database size, but the directory integration is probably

the biggest difference.
The primary differences are…

-Exchange 2000/2003 does not have its own directory or directory service; it uses Active Directory instead.

-Exchange 2000/2003 uses native components of Windows 2000 (namely, IIS and its SMTP, NNTP, W3SVC and other components, Kerberos and others) for many core functions.

-SMTP is now a full peer to RPC, and is it the default transport protocol between Exchange 2000/2003 servers.

-Exchange 2000/2003 supports Active/Active clustering and was recently certified for Windows 2000 Datacenter/2003.

-Exchange 2000/2003 scales much higher.

-It boasts conferencing services and instant messaging.

To Instal Exchange Server 2003 the major requirements are a system should be a Domain Controller with ASP.Net Service started for successful installation of Exchange Server.

Latest Exchange Server 2003 Service Pack is service pack2 (SP2) adds improved mobile e-mail capabilities, larger storage in Standard Edition, better protection from spam, enhanced security, advanced mailbox fundamentals, and more.

  • What are the disk considerations when installing Exchange (RAID types, locations and so on).

Exchange 2003 basically requires a server with at least 512MB though 1GB or more is recommended.

CPU is always an issue, but most servers and even workstations have enough CPU horsepower for Exchange if you’re not loading your server with anything else that is CPU intensive. Exchange supports hyper threading feature available with Pentium 4 and other CPUs. If you need more CPU power you can use Intel Xeon which can offer you more cache and multiple CPU support.

Today, 64-Bit support is available in some CPUs but is Not support by Exchange 2003 and will only be available with the next version of Exchange, E12.

Disk configuration is a complex issue and is covered in my article:

http://www.msexchange.org/tutorials/Choosing-Storage-Exchange-Server.html

To make a long story short, today, you can choose either SATA disks for lower end Exchange servers or SCSI disks if you can afford it. SATA disks can give you more disk space for less money but are generally slower though by far better than ATA (IDE) disks. You will need some form of disk redundancy (RAID) so disk failure will not bring you down. Hardware based RAID is recommended in most cases.

When planning for disk space it is best to leave room for a bit more than double the disk space expected for the Exchange databases. 32GB or more for the Exchange database partition is recommended for Exchange Standard edition.

Recommended Server hardware

•              Four 1 gigahertz (GHz), 1 megabyte (MB) or 2 MB L2 cache processors

•              4 gigabytes (GB) of Error Correction Code (ECC) RAM

•              Two 100 megabits per second (Mbps) or 1000 Mbps network interface cards

•              RAID-1 array with two internal disks for the Windows Server 2003 and Exchange Server 2003 program files

•              Two redundant 64-bit fiber Host Bus Adapters (HBAs) to connect to the Storage Area Network

  • Why not install Exchange on the same machine as a DC?

well, this is not a good pratice to so and the reasons behind are :

1. Redundancy and Stability – if the exchange server fails then Domain Controller also fails and it concludes a big failure…

2. Overload : It may overload your existing server and that can cause a significant performance problem.

Alternate Answer is :

1-LDAP Port Conflict may Occured

2-Overload

3-Redundancy

  • How would you prepare the AD Schema in advance before installing Exchange?

Part of the Exchange installation is to run ForestPrep. ForestPrep extends the AD schema by adding Exchange-specific properties. If you just start the Exchange setup, it guides you right through this step.

  • What type or permissions do you need in order to install the first Exchange server in a forest? In a domain?
  • How would you verify that the schema was in fact updated?

Exchange Full Administrator at organization Level and Local machine Administrator Permissions
You need Schema Admin, Domain Admin and Enterprise Admin Permission.

That can be check by accessing the Active directory. When you create new user, you can see four more attributes or tabs in the user properties. That means the schema has been updated.

  • What type of memory optimization changes could you do for Exchange 2003?
  • How would you check your Exchange configuration settings to see if they’re right?

Add /3GB switch to boot.ini file and you can use upto 3GB memory instead of 1GB by default.

Once your exchange server configuration is done run the tool EXBPA.exc .This will give you the correct ficture of  your exchange organization.

  • What are the Exchange management tools? How and where can you install them?

Exchange Management tools are to monitor, analyze and troubleshoot the Exchange Server. By default XGE 2K3 is not installed with XGE mgmt tools. we need to download from microsoft or xge setup and install them.

http://technet.microsoft.com/en-us/library/bb123850(EXCHG.65).aspx

you may install these tools directly on server not need to be XP client

http://www.microsoft.com/downloads/details.aspx?familyid=21e5a788-5993-40a9-bd35-b14d414e3e16&displaylang=en

These tools are install by default for 2007 Xge server

Ø      What types of permissions are configurable for Exchange?

If you modify the default permissions on Exchange Server 2003 mailbox stores and public folder stores, make sure you maintain the following minimum permissions:

•              Administrators group   Full Control

•              Authenticated Users group   Read and Execute, List Folder Contents, and Read

•              Creator Owner   None

•              Server Operators group   Modify, Read and Execute, List Folder Contents, Read, and Write

•              System account   Full Control

1)Exchange full admin – full control over the exchange organization including permission

2)Exchange Admin – Manage everything within the organization except org permission.

3)Exchange view only administrator – read only administrative access to Exchange organization

  • How can you grant access for an administrator to access all mailboxes on a specific server?
  • What is the Send As permission?

1. Start Exchange System Manager.

2. Drill down to your server object within the appropriate Administrative Group. Right-click it and choose Properties.

3. In the Properties window go to the Security tab.

4. Click Add, click the user or group who you want to have access to the mailboxes, and then click OK.

5. Be sure that the user or group is selected in the Name box.

6. In the Permissions list, click Allow next to Full Control, and then click OK.

Note: Make sure there is no Deny checkbox selected next to the Send As and Receive As permissions.

7. Click Ok all the way out.

“Send As” allows one user to send an email as though it came from another user. The recipient will not be given any indication that the email was composed by someone other than the stated sender.

“Send As” can only be granted by a system administrator. “Send on Behalf of” may be more appropriate in many situations, it allows the recipient to be notified both who the author was and on who’s behalf the email was sent. (See How to grant Send On Behalf Of permission.)

The following procedure will allow system managers to grant users the ability to send as another:

  1. Log onto the server running Exchange.
  2. Run Active Directory Users and Computers.
  3. Under the “View” menu ensure that “Advanced Features” is ticked.
  4. Find the user’s account that you want to be able to send as, and open up the account properties.
  5. Select the “Security” tab.
  6. Click [Add …] (under “Group or user names”) and add the user (users or group) that is to be granted permission to send-as this account.
  7. For each account added, highlight the account under “Group or user names” and in the “Permissions for …” window grant the account “Send As” permission.
  8. Click [OK] to close the account properties dialog.

==========================================================================

Send As Permission means user A will be able to access the mail box of user B and reply back to those mail. Even though user A has replied to the mail, the send address will display user b email.
==========================================================================

Active Directory Users and Computers or the Exchange Management Shell to grant the Send As permission for a mailbox. Use the Send As permission in Microsoft Exchange Server to configure a mailbox so that users other than the mailbox owner can use that mailbox to send messages. After this permission is granted, any messages that are sent from the mailbox will appear as if they were sent by the mailbox owner.

  • What are Exchange Recipient types? Name 5.

The people and resources that send and receive messages are the core of any messaging and collaboration system. In an Exchange Server organization, these people and resources are referred to as recipients.

A recipient is any mail-enabled object in the Active Directory directory service to which Exchange can deliver or route messages. This topic discusses the recipient types that are supported in Microsoft Exchange Server 2007.

User mailbox

A mailbox that is assigned to an individual user in your Exchange organization. It typically contains messages, calendar items, contacts, tasks, documents, and other important business data.

Linked mailbox

A mailbox that is assigned to an individual user in a separate, trusted forest.

Shared mailbox

A mailbox that is not primarily associated with a single user and is generally configured to allow logon access for multiple users.

Legacy mailbox

A mailbox that resides on a server running Exchange Server 2003 or Exchange 2000 Server.

Room mailbox

A resource mailbox that is assigned to a meeting location, such as a conference room, auditorium, or training room. Room mailboxes can be included as resources in meeting

requests, providing a simple and efficient way of organizing meetings for your users.

==============================================================================

In exchange 2003,

1.Mail-enabled user

2.Mailbox enabled user.

3.DL

4.Contact

5.Mail-Enabled public folder

  • You created a mailbox for a user, yet the mailbox does not appear in ESM. Why?
  • What’s the difference between Exchange 2003 Std. and Ent. editions when related to storage options and size?

Generally, when you create a mailbox for a user. The user’s e-mail address will be updated in the GAL. During the  regular update interval. But in order for you to be able to view the mail box. The user has to access the Exchange  server (either through MS outlook or OWA). Then you will be able to view the user’s mail box.

OR if you send a test mail to that id then the mailbox will be populated in the ESM

Ø      What are Query Based Distribution groups?

A query-based distribution group provides the same functionality as a standard distribution group. However, instead of specifying static user memberships, you can use an LDAP query (for example, “All full-time employees in my company”) to dynamically build membership in a query-based distribution group.

This reduces administrative costs because of the dynamic nature of the distribution group. However, query-based distribution groups have a higher performance cost for queries whose outcome produces many results.

This cost is in terms of server resources, such as high CPU usage and increased memory usage. This increased usage occurs because every time an e-mail message is sent to a query-based distribution group, an LDAP query is executed against Active Directory to determine its membership.

Standard Edition

1.            One storage group

2.            2 Databases max per Server

3.            16 GB DB Size and 72 GB with SP2

4.            x.400 connectors not included

Enterprise Edition

1.            Four Storage group

2.            20 Databases

3.            16 TB DB size limited by hardware

4.            Clustering Supported

5.            x.400 connectors included

  • What are System Public Folders? Where would you find them?

In Exchange Server 2003, public folders can be used to share information between a group of users. In smaller organizations where only one Exchange server is typically installed, one public folder instance can exist.

Where there are multiple Exchange servers and you need to provide fast access to public folder information, then you would probably have to create an additional public folder

instance.

Public folders can be created through:

•              Outlook 2003

•              Outlook XP

•              Outlook 2000

•              Exchange System Manager

•              Windows Explorer

•              Internet clients

•              Web browsers

To View

Click Start, All Programs, Microsoft Exchange, and then select Exchange System Manager.

Exchange System Manager opens. In the left pane, expand the Public Folders container. All

existing folders in the public folder tree are displayed.

  • What are virtual servers? When would you use more than one?
  • What is a Mail Relay? Name a few known mail relay software or hardware options.

Exchange Virtual Server is a clustered Exchange installation. When Exchange is installed on a Windows Server 2003 cluster, it is configured as an Exchange Virtual Server that can be

passed between cluster nodes transparently to Exchange clients.

1. SMTP Virtual Server, 2. HTTP Virtual Server, 3.POP3 Virtual Server, 4. IMAP4 Virtual Server and so on

===========================================================

To access a network application or resource in a nonclustered environment, network clients must connect to a physical server (that is, a specific computer on the network identified by a unique network name and Internet protocol (IP) address). If that server fails, access to the application or resource is impossible.

Through server clusters, Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition enable the creation of virtual servers. Unlike a physical server,

a virtual server is not associated with a specific computer and can be failed over like a group. If the node hosting the virtual server fails, clients can still access its

resources using the same server name.

A virtual server is a group that contains:

A Network Name resource.

An IP Address resource.

All other resources, including applications, to be accessed by the clients of the virtual server.

Other virtual servers.

exchange server uses protocol virtual server

1.smtp virtual server

2.imap virtual server

3.http virtual server

4.pop3 virtual server

Often referred to as an e-mail server, a device and/or program that routes an e-mail to the correct destination. Mail relays are typically used within local networks to transmit e-mails among local users. (For example, all of the student and faculty e-mail of a college campus.) Mail relays are particularly useful in e-mail aliasing where multiple e-mail addresses are used but the mail relay forwards all messages to the specified e-mail addresses to one single address.

A mail relay is different than an open relay, where an e-mail server processes a mail message that that neither originates or ends with a user that is within the server’s local domain (i.e., local IP range).

============================================

Often referred to as an e-mail server, a device and/or program that routes an e-mail to the correct destination. Mail relays are typically used within local networks to transmit e-mails among local users.

(For example, all of the student and faculty e-mail of a college campus.) Mail relays are particularly useful in e-mail aliasing where multiple e-mail addresses are used but

the mail relay forwards all messages to the specified e-mail addresses to one single address.

A mail relay is different than an open relay, where an e-mail server processes a mail message that that neither originates or ends with a user that is within the server’s

local domain (i.e., local IP range).

Mail relay Softwares:

1.NoticeWare Email Server 4.3

2. Flash Mailer 20.

  • What is a Smart Host? Where would you configure it?

A smart host is a type of mail relay server which allows an SMTP server to route e-mail to an intermediate mail server rather than directly to the recipient’s server.

Often this smart host requires authentication from the sender to verify that the sender has privileges to have mail forwarded through the smart host.

This is an important distinction from an open relay that will forward mail from the sender without authentication. Common authentication techniques include SMTP-AUTH and POP

before SMTP.

1.Use for backup mail (secondary MX) services

When configured to be a backup mail server (not the primary MX record) a smart host configuration will accept mail on behalf of the primary mail server if it were to go offline. When the primary mail server comes back online, mail is subsequently delivered via the smart host.

2.Use in spam control efforts

Some ISPs, in an effort to reduce e-mail spam originating at their customer’s IP addresses, will not allow their customers to communicate directly with the recipient’s mail

server via the default SMTP port number 25. In this case the customer has no choice but to use the smart host provided by the ISP.A growing number of systems also verify the sending system against known lists of cable modem and DSL networks and will not accept SMTP connections from these systems to reduce the amount of incoming spam. Field tests have shown

this can have a sizable impact on the number of spam messages one receives and it is expected to become more and more common

3.Use in centralizing email services

When a host runs its own local mail server, a smart host is often used to transmit all mail to other systems through a central mail server. This is used to ease the management of

a single mail server with aliases, security, and Internet access rather than maintaining numerous local mail servers.

  • What are Routing Groups? When would you use them?

A routing group is a logical collection of servers used to control mail flow and public folder referrals. In a routing group, all servers communicate and transfer messages

directly to one another.

In a routing group, all servers communicate and transfer messages directly to one another, as follows:

1.            A user in your Exchange organization uses a mail client to send mail to another user.

2.            Using SMTP, the sender’s client submits this mail to the SMTP virtual server on the Exchange server on which the client’s mailbox resides.

3.            The Exchange server looks up the recipient of the mail message to determine which server the recipient’s mailbox resides on.

4.            One of two things occurs:
•              If the recipient’s mailbox is on the same Exchange server, Exchange delivers the message to the recipient’s mailbox.

•              If the recipient’s mailbox is on another Exchange server, the first Exchange server sends the message to the recipient’s home mailbox server, and it is the recipient’s home mailbox server that delivers the message to the recipient’s mailbox.

==========================================================

To accommodate varying network connectivity across servers.

To restrict the usage of a connector to users in a particular area.

USES OF THIS GROUP:

Allows scheduling and control of mail flow. You can restrict connector use to a particular routing group or schedule the use of a connector.

Allows you to control usage based on message size or content by using connector restrictions.

==========================================================

Routing group is a logical collection exchange server.they communicate each other directly using RPC protocl over SMTP but if Exchange server exist into two diffenent groups,then

communcation will take place b/n these groups,if one of routing group connector esixt b/n routing groups mentioned below..

1 – Routing group conncetor

2 – Smtp Connector,

  • What are the types of Connectors you can use in Exchange?
  • What is the cost option in Exchange connectors? What is the cost option in Exchange connectors? If you add a cost from 1 through 100 to any Exchange Server connector’s Address Space tab, any messages that use that connector take the new cost into consideration when e-mail is routed.

•              Routing group connector

The routing group connector is the recommended connector for connecting routing groups that are in the same Exchange organization. This connector uses SMTP to transfer messages to other servers running Exchange Server 2003. The routing group connector can only be used to connect routing groups.

•              SMTP connector

The SMTP connector establishes a messaging route between two routing groups or between a routing group and a non-Exchange SMTP host. Although the routing group connector and the SMTP connector use SMTP as the transport protocol, the SMTP connector provides additional functionality in that it can be used to connect an Exchange organization with any SMTP server.

•              X.400 connector

The X.400 connector establishes an X.400 messaging route between two routing groups or between a routing group and an X.400 system. Like the routing group connector and the

SMTP connector, an X.400 connector can be used to link Exchange routing groups. Generally, X.400 connectors are used only when connecting to other X.400 messaging systems.

Exchange Server 2003 supports the following optional connectors that you can use to connect the organization to non-Exchange messaging systems:
•              Exchange Calendar Connector

Exchange Calendar Connector is used for exchanging free/busy information between an Exchange organization and a Lotus Notes or Novell GroupWise messaging system.

•              Exchange Connector for Lotus Notes

•              Exchange Connector for Novell GroupWise

Routing cost typically ranges from 1 through 99. The default is 1. If the cost of a route is set to 1, other routes are used only if that route does not work. If the cost of a route is set to 100, that route is used only when all other routes does not work.
Lowest cost has Highest priority.


What is the Link State Table? How would you view it?

Every Exchange server maintains its own routing table, called the link state table, dynamically in memory, based on Active Directory and link state information, as follows:
•              Routing-related Active Directory information. This information is stored in attributes of the organization object, routing group objects, connector objects, and

server objects. These objects reside in the configuration directory partition and define the routing topology of the entire Exchange organization.

•              Link state information   This information specifies whether each connector in the routing topology is available (up) or unavailable (down). Link state information is

dynamic and might change when a connector experiences transfer problems or when transfer issues are resolved.

View Link state table

you can use to view Link state table in Exchange Server 2000/2003 WinRoute tool (Winroute.exe)

  • How would you configure mail transfer security between 2 routing groups?

To configure security setting in routing group get a certificate from the CA you install it on the IIS server which runs on Microsoft Exchange Server 2003. The certificate can also be used for secure Web Outlook session. Once you successfully install the TLS\SSL certificate, you can precede with TLS configuration on the Exchange 2003 SMTP server


What is the Routing Group Master? Who holds that role?

When you create a routing group, the first server in that routing group is assigned the role of routing group master.
The routing group master keeps track of the link state information and propagates it to the other servers in the routing group, and other servers communicate back any changes in link state.

For example, if a member server tries to contact another server over a connector, and this link is unavailable, the member server immediately notifies the routing group master.

Likewise, when a non-master receives new link state information, it immediately transfers the link state information to the master, so that other servers can receive the information about the routing change

  • What is DS2MB?

Metabase update service, also referred to as the directory service/metabase synchronization process, or DS2MB (because this process is implemented in DS2MB.dll) is a component in

Exchange Server 2003 that is used to synchronize several Exchange configuration settings in Active Directory with counterpart settings in the IIS metabase.  The function of DS2MB is to replicate configuration information from Active Directory to the local IIS metabase.

==============================================
DS2MB is short for Directory Service to Metabase and the purpose of this process is to transfer configuration information from Active Directory to the IIS Metabase. The

configuration is stored in the IIS Metabase instead of the registry mainly for performance and scalability reasons. The DS2MB process is a one-way write from Active Directory to the IIS Metabase, which means that the Metabase never writes back to Active Directory

  • What is Forms Based Authentication?

Exchange Server 2003 has greatly improved the Outlook Web Access (or OWA for short) experience when compared to older Exchange versions. Instead of entering the username and password in an annoying pop-up screen, when configured with Forms-Based Authentication (or FBA for short), OWA will display a logon screen that enables the user to select various options and get a generally better look for the logon process.

Ø      What is DSACCESS?

It is a exchange process to communicate with AD
DSACCESS: Means also communicate with Acdive Directory in Exchange Server
DSAccess implements a directory access cache that stores recently accessed information for a configurable length of time. This reduces the number of queries made to global catalog servers
Its very simple answer is that when exchenge clients send request to access his/her mailbox ,that time exchange sent cliets request for authentication to dc and for this it maintains a dsaccess profile in which it maintains the name of DC and GC server and according  to this profile it sends authentication request to clients nearest dc means dsaccess is a process which works as bridge between exchnage server and dc to pass AD releated query from exchange server to Domain controller.

Ø      What are Recipient Policies?

When you install Exchange for the first time, it determines the format of the SMTP address you’ll want for your users based on your organization name and the DNS name of your

domain. It places the result into an Active Directory object called a Recipient Policy
A recipient policy that manages e-mail addresses has the following characteristics:
•              It applies to a selected group of recipients.

•              It always contains information about the address types that are to be applied to those recipients.

•              It is given a priority, so that administrators can control which address is applied as the primary address to a recipient that may appear in more than one policy

  • What is the RUS?

RUS (Recipient Update Service) is responsible for making updates to e-mail addresses, and it does this based on recipient policy changes. These updates are made at a specific interval that is defined for the service. You can view the update interval and modify it as necessary.
RUS works hand in hand with GAL (Global Address List).  Together they generate the list of addresses that users see in Outlook.  I think of Exchange 2003’s RUS as a little engine which runs an LDAP query, the results are to build or update the Users’ property sheets and the Address Lists.

Here is a list of the jobs that RUS performs:

– Updates proxyAddresses attribute controlled by recipient policies.

– Initializes the homeMDB, homeMTA and msExchHomeServerName attributes.  Also the
legacyExchangeDN and msExchMailboxGUID if appropriate.

– Sets the showInAddressBook (or hideDLMembership).

– Sets the ACL on the Microsoft Exchange System Objects (Check with ADSI Edit)

– Populates the group called Exchange Enterprise Servers in Active Directory.

Ø      How can you create multiple GALs and allow the users to only see the one related to them?

This step-by-step article describes how to create Global Address Lists and how to set security levels on the Global Address Lists so only specific groups can view them.

When you use Exchange 2003 in a hosting environment, you must create multiple Global Address Lists. The address lists typically have different user accounts listed in them based on the Lightweight Directory Access Protocol (LDAP) filter that you create. By default, all the users in the Exchange 2003 organization can view all the defined Global Address Lists. This may not be acceptable in some situations; for example, it would not be acceptable at a company that that serves as an e-mail host for other companies. However, you can restrict access to a particular set of users for specific address lists.

For more step by step guide, look into
http://web.archive.org/web/20041121012214/http://support.microsoft.com/default.aspx?kbid=822940

Ø      What is a Front End server? In what scenarios would you use one?

A fornt-end server is a server which is for load balancing / user security purpose. this server doesnot hold any mailbox stores or public folders. using this fornt-end server we can increase limitation ie.firewall, where other than users or admins cannot handle mailbox stores  since these mailbox store are kept in back-end servers.

front-end servers handles in coming client connections. in large org. front-end servers simplifies admins with UNIFIED NAMESPACE, FIREWALL, AND REDUCED OVERHEAD SSL.
Microsoft® Exchange Server 2003 and Microsoft Exchange 2000 Server support using a server architecture that distributes server tasks among front-end and back-end servers. In this

architecture, a front-end server accepts requests from clients and proxies them to the appropriate back-end server for processing.

Ø      What type of authentication is used on the front end servers?

1. Basic Authendication

2. NTLM Authendication

Ø      When would you use NLB?


NLB is used for network load Balancing when there is a heavy information flow and network traffic. I can also be useful for applications which interact with users or database.
like Oracle, SQL, Exchange, etc.

A single computer running Windows can provide a limited level of server reliability and scalable performance. However, by combining the resources of two or more computers running one of the products in the Windows Server 2003 family into a single cluster, Network Load Balancing can deliver the reliability and performance that Web servers and other

mission-critical servers need.

  • How would you achieve incoming mail redundancy?

One can configure two routing group connector with different cost. Lets say primary with 10 and secondary RGC with 20 and both are pointing to different bridgehead servers. We can then setup a rule in smart host that if primary bridgehead server ip not reposing, start delivering emails to secondary bridgehead server.

==========================================

There is an option in the mailbox store of the first routing group in the server that contains the mail box of a user. Drill down till the sorage group, right click and

select properties, in general tab, you can find “Archive all messages sent or received by mailboxes on this store. create a mail box enabled account called “master” (or anything you may like ;-)) and  select the account by browsing the accounts. so that user collects all the sent and received mails thrugh this store. Create a outlook account in a seperate machine for the user and bingo … u have all the mails.

  • What are the 4 types of Exchange backups?

1.normal

2.copy

3.incremental

4.differential

5.daily

  • What is the Dial-Tone server scenario?

See if a Database gets corrupt and if it is large, it would take hours to restore it and this would mean downtime. WIth Dial Tone recovery method what you do is, create an empty Database, for mails flow to continue and in the meantime use RSG to recover DB from backup. Once recovery is done, you merge recovered DB and new DB into one, this means no mail is lost.
For more info, see http://www.msexchange.org/tutorials/Exchange-Dial-tone-Restore-Method-Part1.html

  • When would you use offline backup?

OFFLINE BACKUP is simply flat file copy of the .edb and .stm file {database]
its taken when your stores are down and you have no other option except for hard repair to get the database clean

  • How do you re-install Exchange on a server that has crashed but with AD intact?

If you have multiple DCs then you can reinstall it using the disaster recovery switch. This will pullup the information from AD and reinstall it the way it was before after that you will have to restore the back up

If this was the only DC+Exchange Server than you will have to restore from backup (SYStem state bakcup) .

  • What are the e00xxxxx.log files?

E#######.log are the secondary transaction logs.  They are number sequentially starting with E0000001.log using the hexadecimal numbering format and are 5MB in size.

E##.log is the current transaction log for the database.  Once the log file reaches 5MB in size it is renamed E#######.log and a new E##.log is created.  As with the checkpoint file the ## represents the Storage Group identifier.  While the new E##.log file is being created you will see a file called Edbtmp.log which is a template for Exchange server log files.

  • What is the e00.chk file?

The E##.chk file maintains the checkpoint for the Storage Group. The ## represents the Storage Group number with the First Storage Group file called E00.chk. This checkpoint file keeps track of the last committed transaction. If you are ever forced to perform a recovery, this file contains the point at which the replaying of transaction logs starts.

  • What is circular logging? When would you use it?

In order to understand Circular logging, perhaps it is best to understand Exchange server Transaction logs in general.

Exchange uses transaction logs to add information such as e-mails, users and changes to the relevant database files on the disk of your Exchange server. In a default Exchange installation you will find them in the C:\program files\exchsrvr\mdbdata folder (they look like EBD.log and Edb0xxxxx.log), the other files in that folder are typically the Priv1.edb/Pub1.edb and Priv1.stm/Pub.stm files (Exchange Database and Streaming file plus the equivalent public folder databases) and an Edb.chk (checkpoint) file – more on this later.

The most recent transactions (data changes) are held in the Edb.log file when this file reaches around 5 MB in size another file called Edbtmp.log is created which temporarily takes over from the Edb.log accepting new changes to the database whilst the Edb.log is renamed to Edb00001.log.

After the Edb.log file has been renamed, the Edbtmp.log is renamed to Edb.log and then the process continues at every 5 Mb interval. – got that? – nope clear as mud I guess, think of it this way – when the Edb.log file gets to 5 MB another file comes in that takes over from it, whilst Edb.log gets a new name, then the interim file becomes the new Edb.log.

Exchange uses a process which is called “read ahead” transaction logs, this means that each transaction is placed within the log, the database cache and then into the relevant database itself. When the operation is written to the database the checkpoint (Edb.chk) is incremented which signals the position in the log files where the database is in a consistent (or clean) state – more on that in a minute.

This means that any amount of your transaction logs can be considered either active (not committed) or inactive (committed), if for any reason the store service is terminated (crash, power cut etc) Exchange will automatically recover the next time the server starts – this happens by Exchange “rolling forward” all of the transactions in the logs which bring us up to the marker in the checkpoint file (Edb.chk).

Logs will continue to be created until a full online backup of Exchange has been completed (using NTBackup or another vendors product) where the process of backing up will commit all transactions to the database in the log files, and then flush (delete) the files and then the system is ready to start again. It is at this point that I will say that UNDER NO CIRCUMSTANCES SHOULD YOU EVER MANUALLY DELETE THE TRANSACTION LOGS it is possible to identify unused logs – but – it is much easier to allow a backup product to do it for you.

Ok, I hear you ask, but what is Circular Logging?, well when Circular logging is enabled Exchange behaves in exactly the same way – but the key difference is when the checkpoint file is incremented the inactive part of the transaction log is overwritten by new transactions (rather than a new log being created). Now this in some aspects is Ok as you are still fairly protected in regard to hardware and software failures, but, you are not protected against media failures.

It is still possible to see more than one transaction log in the directory (for example if a large number of large sized mails are being sent – each log can only be 5 MB so if a 6 MB mail is sent that will produce an additional log) – and again these logs will not be cleared until a full online backup is completed. However generally speaking when Circular logging is enabled less log files are created.

Consistencies;

If a database has not closed down gracefully it is said to be inconsistent. When this happens the database believes that it is still in communication with the transaction logs, however not all of the information from the logs may not have been committed to the database.

When the Database next starts up this situation is noticed, and the STORE process will attempted to commit the missing data from the logs (this is called replaying). If however the some logs that are required are missing the Database will not mount, and you will be left in the situation of having to use ESEUTIL to recover the database or return to a recent backup where the database was consistent (this is beyond the scope of this article – but I will cover it at some point).

Summary;

Circular logging may at first glances seem like a bad idea, but it does have its uses in some Exchange environments – for example Front-End Servers (where there is no mailbox data) and relay servers (again no mailboxes) can make great use of it – however, for Database servers it is essential that Circular logging is not used as it will put you in the position of not having full control over your restoration processes.

  • What’s the difference between online and offline defrag?

Online defrag is an automated process which runs daily. The process rearranges mailbox store and public folder store data more efficiently, eliminating unused storage space. Online defragmentation makes additional database space available by detecting and removing database objects that are no longer being used. The defragmentation process provides more database space without actually changing the file size of the database.
http://www.petri.co.il/defragment_exchange_2000_2003_server_databases.htm

Offline drag is a more complicated process. It compacts the exchange database and shrink to its right size. It is a time consuming process too. You usually do it when your exchange database is growing to its limits.
http://searchexchange.techtarget.com/tip/0,289483,sid43_gci1086459,00.html
http://www.msexchange.org/tutorials/Defragmenting-Exchange-Database.html

  • How would you know if it is time to perform an offline defrag of your Exchange stores?

You need to do offline defrag only when needed.. in some issue like the database size limit exceeding to the max. when you do offline defrag.. it cleans up the white space on the database and hence helps to create large amount of space… this takes a very long time and runs at a speed of 4-5GB /hr

  • How would you monitor Exchange’s services and performance? Name 2 or 3 options.

Exchange Monitor 2003 Tool
SolarWind Exchange Monitor Tool

  • What is Direct Push? What are the requirements to run it?

Direct Push provides end-users by providing close to real over the air (OTA) push technology.

The DirectPush technology keeps your mobile device up-to-date by delivering e-mail, Calendar, Contacts and Tasks directly to your device, allowing you to react quickly to changes in your mailbox. AUTD v1 did the same thing but DirectPush offers several benefits.

The cool thing about the DirectPush technology is that it maintains an HTTPS connection between the Exchange server and the mobile device, a session which is kept alive by using heartbeats. This way the Exchange server can notify a mobile device whether or not there’s a change in the associated mailbox, and if a change occurs in the mailbox, the server can initiate a synchronization. Since the device keeps an open session to the Exchange server, some of you might think this could become rather expensive. But fear not because the device simply sits there and waits for a response, it doesn’t send or receive any data when it’s in this pending state. Said in another way, no data will travel over the wire, unless a change is detected in the mailbox, or the heartbeat expires.
http://www.msexchange.org/tutorials/Exchange-2003-Mobile-Messaging-Part1-Microsoft-DirectPush-technology.html

Requirements:

Server-side
As the DirectPush feature is a new technology included in Exchange 2003 SP2, it’s required that you apply Exchange 2003 SP2 at least on the Exchange 2003 front-end servers in your organization. Note that I say front-end servers, because your back-end servers can run anything from Exchange 2003 RTM, SP1 to SP2 as long as you have one or more front-end servers with SP2 applied. But although DirectPush doesn’t require it, I still recommended you upgrade the back-end servers to SP2 as well, not because you will gain any advantage out of doing so when it comes to the DirectPush technology, but because the service pack is packed with new great features and improvements as well as a lot of bug fixes. You can read more about the stuff included in Exchange 2003 SP2 in a previous article of mine.

Note:
In addition to the above requirements it’s highly recommended you adjust the time-out values for HTTPS connection in your firewall (more on this later in the article).

Client Side:
Another requirement in order to make use of the DirectPush technology is that the mobile devices need to run Windows Mobile 5.0. In addition the devices need to have the Messaging and Security Feature Pack (MSFP) installed. Although Microsoft shipped firmware that included the MSFP to mobile device manufactures back in October 2005, new firmware releases with the MSFP included have been heavily delayed. But March 2006 seemed to be the month where things started to kick off. Both i-mate and Qtek as well as Orange have finally released new firmware updates with the MSFP included, although so far only for their newer models.

Note:
The Messaging and Security Feature Pack (MSFP) is also known as the Adaption Kit Update 2 (AKU2)

  • What are the issues with connecting Outlook from a remote computer to your mailbox?

To connect Outlook from remote computer, you can have several issues depending on how you are connected to the exchange server. You have to be specific with your setup.

Some issues could be,
1. Network connectivity – The remote computer must be able to communicate with the exchange server
2. Password Issues – If using RPC over HTTP, the system keeps prompting for the User password.

  • What is RPC over HTTP? What are the requirements to run it?

RPC over HTTP/S is a cool method for connecting your Outlook 2003 client to the corporate Exchange Server 2003 from the Internet or WAN, without the need to establish a VPN session to the corporate LAN and/or needing to open many ports on your corporate firewall. The only ports you’ll need to open on your firewall are TCP 80 and, if using SSL, TCP 443.

In the past remote users where forced to use a VPN to connect Outlook to the corporate Exchange servers or be forced to use the limited features available in Outlook Web Access. With the release of Exchange 2003 and Outlook 2003 a new connectivity option was introduced: RPC over HTTPS. RPC over HTTPS tunnels remote procedure calls through an HTTPS connection allowing you to connect to the Exchange server when outside the corporate LAN without needing to establish a VPN connection. To understand how to troubleshoot issues, you need to be aware of what is going on when an RPC connection is made.

Server requirements

RPC over HTTP/S requires Windows Server 2003 and Exchange Server 2003. RPC over HTTP/S also requires Windows Server 2003 in a Global Catalog role.

Client requirements

  • The client computer must be running Microsoft Windows XP Professional Service Pack 1 (SP1) or later.

  • What is S/MIME? What are the usage scenarios for S/MIME?

S/MIME: Secure/Multipurpose Internet Mail Extensions. S/MIME provides Digital Signatures and Message Encryption, as SMTP is inherently not secure.
Please Refer: http://technet.microsoft.com/en-us/library/aa995740(EXCHG.65).aspx

  • How do you enable SSL on OWA?

Outlook Web Access (or OWA for short) is one of Exchange Server’s best features, allowing you to connect to your corporate mailbox from virtually any spot on earth as long as you have an Internet connection and a decent web browser.

You can read more about OWA in the featured links at the bottom of this article.

OWA transmits traffic to and from the web browser in HTTP (based upon TCP, port 80) and in clear text, meaning that anyone could potentially “listen” to your talk and grab frames and valuable information from the net.

To secure the transmission of information between Exchange Server 2003 and Outlook Web Access clients, you can encrypt the information being transmitted by using SSL (Secure Sockets Layer).

For step by step Guide, Follow this link
http://www.petri.co.il/configure_ssl_on_owa.htm

What do you need to consider when using a client-type AV software on an Exchange server?

First thing, make sure your anti-virus is exchange aware or just exclude the databases from the real-time scan.

You need to make sure that it doesn’t scan any of the following:

1. EXCHSRV folder
2. INETSRV
3. INETPUB

  • What are the different clustering options in Exchange 2003? Which one would you choose and why.

Windows Clustering technologies can help you achieve scalability, availability, reliability, and fault tolerance for your Exchange 2003 organization. A cluster consists of individual computers (also called nodes) that function cohesively in a Cluster service. These computers act as network service providers or as reserve computers that assume the responsibilities of failed nodes. Depending on how you configure your cluster, clustering can simplify the process of recovering a single server from disasters.

In a clustering environment, Exchange runs as a virtual server (not as a stand-alone server) because any node in a cluster can assume control of a virtual server. If the node running the EVS experiences problems, the EVS goes offline for a brief period until another node takes control of the EVS. All recommendations for Exchange clustering are for active/passive configurations. For information about active/passive and active/active cluster configurations, see “Cluster Configurations” later in this topic.

A recommended configuration for your Exchange 2003 cluster is a four-node cluster comprised of three active nodes and one passive node. Each of the active nodes contains one EVS. This configuration is cost-effective because it allows you to run three active Exchange servers, while maintaining the failover security provided by one passive server.

To create Exchange 2003 clusters, you must use Windows Clustering.
Windows Clustering is a feature of Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition. The Windows Cluster service controls all aspects of Windows Clustering.
When you run Exchange 2003 Setup on a Windows Server 2003 cluster node, the cluster-aware version of Exchange is automatically installed.

Technical Interview Questions (Part 2/3) ACTIVE DIRECTORY]

Filed under: Microsoft Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 9:38 AM

 ~!~ Technical Interview Questions (Part 2/3) ACTIVE DIRECTORY]
Edited & Maintained by SYED JAHANZAIB / aacable@hotmail.com

  • What is Active Directory?

An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996. It was first used with Windows 2000.

An active directory (sometimes referred to as an AD) does a variety of functions including the ability to  rovide information on objects, helps organize these objects for easy retrieval and access, allows access by end users and administrators and allows the administrator to set security up for the directory.

Active Directory is a hierarchical collection of network resources that can contain users, computers, printers, and other Active Directories. Active Directory Services (ADS) allow administrators to handle and maintain all network resources from a single location . Active Directory stores information and settings in a central database

  • What is LDAP?

The Lightweight Directory Access Protocol, or LDAP , is an application protocol for querying and modifying directory services running over TCP/IP. Although not yet widely implemented, LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain directory information, such as email addresses and public keys. Because LDAP is an open protocol, applications need not worry about the type of server hosting the directory.

  • Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.

-Yes you can connect other vendors Directory Services with Microsoft’s version.

-Yes, you can use dirXML or LDAP to connect to other directories (ie. E-directory from Novell or NDS (Novel directory  System).

-Yes you can Connect Active Directory to other 3rd -party Directory Services such as dictonaries used by SAP, Domino etc with the help of MIIS ( Microsoft Identity Integration Server )

  • Where is the AD database held? What other folders are related to AD?

AD Database is saved in %systemroot%/ntds. You can see other files also in this folder. These are the main files controlling the AD structure

ntds.dit

edb.log

res1.log

res2.log

edb.chk

When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a “shutdown” statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn’t exist on reboot or the shutdown statement isn’t present, AD will use the edb.log file to update the AD database.

The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in\NTDS, along with the other files we’ve discussed

  • What is the SYSVOL folder?

– All active directory data base security related information store in SYSVOL folder and its only created on NTFS partition.

– The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.

This is a quote from microsoft themselves, basically the domain controller info stored in files like your group policy stuff is replicated through this folder structure

  • Name the AD NCs and replication issues for each NC

*Schema NC, *Configuration NC, Domain NC
Schema NC This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.

  • What are application partitions? When do I use them

Application directory partitions: These are specific to Windows Server 2003 domains.
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only Domain controllers running Windows Server 2003 can host a replica of an application directory partition.

  • How do you create a new application partition

http://wiki.answers.com/Q/How_do_you_create_a_new_application_partition

  • How do you view replication properties for AD partitions and DCs?

By using replication monitor

go to start > run > type replmon

  • What is the Global Catalog?

The global catalog contains a complete replica of all objects in Active Directory for its Host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest.

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object.

The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

  • How do you view all the GCs in the forest?

C:\>repadmin/showreps
domain_controller

OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.%USERDNSDOMAIN%

  • Why not make all DCs in a large forest as GCs?

The reason that all DCs are not GCs to start is that in large (or even Giant) forests the DCs would all have to hold a reference to every object in the entire forest which could be quite large and quite a replication burden.

For a few hundred, or a few thousand users even, this not likely to matter unless you have really poor WAN lines.

  • Trying to look at the Schema, how can I do that?

adsiedit.exe

option to view the schema

register schmmgmt.dll using this command

c:\windows\system32>regsvr32 schmmgmt.dll

Open mmc –> add snapin –> add Active directory schema

name it as schema.msc

Open administrative tool –> schema.msc

  • What are the Support Tools? Why do I need them?

Support Tools are the tools that are used for performing the complicated tasks easily. These can also be the third party tools. Some of the Support tools include DebugViewer, DependencyViewer, RegistryMonitor, etc.  -edit by Casquehead  I beleive this question is reffering to the Windows Server 2003 Support Tools, which are included with Microsoft Windows Server 2003 Service Pack 2. They are also available for download here:
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-A772EA2DF90&displaylang=en

You need them because you cannot properly manage an Active Directory network without them.
Here they are, it would do you well to familiarize yourself with all of them.

Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe

> What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects with a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool:

· ADSIEDIT.DLL

· ADSIEDIT.MSC

Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) is necessary


A: Replmon
is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its command line counterparts. The purpose of this document is to guide you in how to use it, list some common replication errors and show some examples of when replication issues can stop other network installation actions.

for more go to http://www.techtutorials.net/articles/replmon_howto_a.html

NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels

A:
Enables administrators to manage Active Directory domains and trust relationships from the command prompt.

Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

REPADMIN.EXE is a command line tool used to monitor and troubleshoot replication on a computer running Windows. This is a command line tool that allows you to view the replication topology as seen from the perspective of each domain controller.

REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since Exchange Server is Active Directory based.

REPADMIN doesn’t actually fix replication problems for you. But, you can use it to help determine the source of a malfunction.

  • What are sites? What are they used for?

Active directory sites, which consist of well-connected networks defined by IP subnets that help define the physical structure of your AD, give you much better control over replication traffic and authentication traffic than the control you get with Windows NT 4.0 domains.
Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites.

  • What’s the difference between a site link’s schedule and interval?

Schedule enables you to list weekdays or hours when the site link is available for replication to happen in the give interval. Interval is the re occurrence of the inter site replication in given minutes. It ranges from 15 – 10,080 mins. The default interval is 180 mins.

  • What is the KCC?

The KCC is a built-in process that runs on all domain controllers and generates replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

  • What is the ISTG? Who has that role by default?

Intersite Topology Generator (ISTG), which is responsible for the connections among the sites. By default Windows 2003 Forest level functionality has this role.  By Default the first Server has this role. If that server can no longer preform this role then the next server with the highest GUID then takes over the role of ISTG.


  • What are the requirements for installing AD on a new server?

· An NTFS partition with enough free space (250MB minimum)

· An Administrator’s username and password

· The correct operating system version

· A NIC

· Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)

· A network connection (to a hub or to another computer via a crossover cable)

· An operational DNS server (which can be installed on the DC itself)

· A Domain name that you want to use

· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

From the Petri IT Knowledge base. For more info, follow this link:

http://www.petri.co.il/active_directory_installation_requirements.htm

  • What can you do to promote a server to DC if you’re in a remote location with slow WAN link?

First available in Windows 2003, you will create a copy of the system state from an existing DC and copy it to the new remote server. Run “Dcpromo /adv”. You will be prompted for the location of the system state files

  • How can you forcibly remove AD from a server, and what do you do later? • Can I get user passwords from the AD database?

Demote the server using dcpromo /forceremoval, then remove the metadata from Active directory using ndtsutil. There is no way to get user passwords from AD that I am aware of, but you should still be able to change them.

Another way out too

Restart the DC is DSRM mode

a. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

b. In the right-pane, double-click ProductType.

c. Type ServerNT in the Value data box, and then click OK.

Restart the server in normal mode

its a member server now but AD entries are still there. Promote teh server to a fake domain say ABC.com and then remove gracefully using DCpromo. Else after restart you can also use ntdsutil to do metadata as told in teh earlier post

  • What tool would I use to try to grab security related packets from the wire?

you must use sniffer-detecting tools to help stop the snoops. A good packet sniffer would be “ethereal”
www.ethereal.com

  • Name some OU design considerations ?

OU design requires balancing requirements for delegating administrative rights – independent of Group Policy needs – and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:

Applying Group Policy An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.

Delegating administrative authority

usually don’t go more than 3 OU levels

  • What is tombstone lifetime attribute?

The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NIC by default 2000 (60 days) 2003 (180 days)


  • What do you do to install a new Windows 2003 DC in a Windows 2000 AD?

If you plan to install windows 2003 server domain controllers into an existing windows 2000 domain or upgrade a windows 2000 domain controllers to windows server 2003, you first need to run the Adprep.exe utility on the windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep / forestprer command must first be issued on the windows 2000 server holding schema master role in the forest root doman to prepare the existing schema to support windows 2003 active directory. The adprep /domainprep command must be issued on the sever holding the infrastructure master role in the domain where 2000 server will be deployed.

  • What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

A. If you’re installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the Windows 2003 R2 Continue Setup screen.

If you’re installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you’ll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later)

  • What are the DScommands?

New DS (Directory Service) Family of built-in command line utilities for Windows Server 2003 Active Directory

New DS built-in tools for Windows Server 2003
The DS (Directory Service) group of commands are split into two families. In one branch are DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery and DSGet.

When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice. The the DS family of built-in command line executables offer alternative strategies to CSVDE, LDIFDE and VBScript.

Let me introduce you to the members of the DS family:

DSadd – add Active Directory users and groups
DSmod – modify Active Directory objects
DSrm – to delete Active Directory objects
DSmove – to relocate objects
DSQuery – to find objects that match your query attributes
DSget – list the properties of an object

  • What are the FSMO roles? Who has them by default? What happens when each one fails?

FSMO stands for the Flexible single Master Operation

It has 5 Roles: –

  • Schema Master:

The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

  • Domain naming master:

The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

  • Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC’s event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

  • Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC’s allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain’s RID master. The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

  • PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

:: In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

:: Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.

  • What FSMO placement considerations do you know of?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles

  • What’s the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?

Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders.

The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:

  • Schema master – The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
  • Domain naming master – The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
  • RID master – The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.
  • PDC emulator – The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords.
  • Infrastructure master – The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:

  • An administrator reassigns the role by using a GUI administrative tool.
  • An administrator reassigns the role by using the ntdsutil /roles command.
  • An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

  • The current role holder is operational and can be accessed on the network by the new FSMO owner.
  • You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
  • The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

  • The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
  • A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
  • The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain that last inbound-replicated, or recently inbound-replicated a writable copy of the “FSMO partition” from the existing role holder. For example, the Schema master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=<forest root domain>, and this mean that roles reside in and are replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds.

A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.

Transfer FSMO roles

To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:

  1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
  2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
  3. Type roles, and then press ENTER.Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
  4. Type connections, and then press ENTER.
  5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
  6. At the server connections prompt, type q, and then press ENTER.
  7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
  8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

  1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
  2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
  3. Type roles, and then press ENTER.
  4. Type connections, and then press ENTER.
  5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
  6. At the server connections prompt, type q, and then press ENTER.
  7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
  8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.Notes
    • Under typical conditions, all five roles must be assigned to “live” domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, click the following article number to view the article in the Microsoft Knowledge Base: 223346 (http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on Windows 2000 domain controllers
    • If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in active directory after an unsuccessful domain controller demotion
    • Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.
    • Some customers prefer not to restore system state backups of FSMO role-holders in case the role has been reassigned since the backup was made.
    • Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.

To test whether a domain controller is also a global catalog server:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
  3. Open the Servers folder, and then click the domain controller.
  4. In the domain controller’s folder, double-click NTDS Settings.
  5. On the Action menu, click Properties.
  6. On the General tab, view the Global Catalog check box to see if it is selected.

For more information about FSMO roles, click the following article numbers to view the articles in the Microsoft Knowledge Base:

  • How do you configure a “stand-by operation master” for any of the roles?
  1. Open Active Directory Sites and Services.
  2. Expand the site name in which the standby operations master is located to display the Servers folder.
  3. Expand the Servers folder to see a list of the servers in that site.
  4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
  5. Right-click NTDS Settings, click New, and then click Connection.
  6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
  7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
  • How do you backup AD?

Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides.
You frequently backup the system state data on domain controllers so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary.

To ensure a good backup includes at least the system state data and contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone is 60 days. Any backup older than 60 days is not a good backup. Plan to backup at least two domain controllers in each domain, one of at least one backup to enable an authoritative restore of the data when necessary.

System State Data
Several features in the windows server 2003 family make it easy to backup Active Directory. You can backup Active Directory while the server is online and other network function can continue to function.

System state data on a domain controller includes the following components:

Active Directory system state data does not contain Active Directory unless the server, on which you are backing up the system state data, is a domain controller. Active Directory is present only on domain controllers.

The SYSVOL shared folder: This shared folder contains Group policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.

The Registry: This database repository contains information about the computer’s configuration.

System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under windows file protection and used by windows to load, configure, and run the operating system.

The COM+ Class Registration database: The Class registration is a database of information about Component Services applications.

The Certificate Services database: This database contains certificates that a server running Windows server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.

System state data contains most elements of a system’s configuration, but it may not include all of the information that you require recovering data from a system failure. Therefore, be sure to backup all boot and system volumes, including the System State, when you back up your server.

Restoring Active Directory

In Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted.

Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner. Once the replication is finished each partner has an updated version of Active Directory. There is another way to get these latest updates by Backup utility to restore replicated data from a backup copy. For this restore you don’t need to configure again your domain controller or no need to install the operating system from scratch.

Active Directory Restore Methods
You can use one of the three methods to restore Active Directory from backup media: primary restore, normal (non authoritative) restore, and authoritative restore.

Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on local computer, or user should have been delegated with this responsibility to perform restore. On a domain controller only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents the replication from overwriting that data. The authoritative data is then replicated through the domain.
Perform an authoritative restore individual object in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restore object that occurred after the backup. Ntdsutil is a command line utility to perform an authoritative restore along with windows server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version recently changed data on other domain controllers does not overwrite system state data during replication.

  • How do you restore AD?


Restoring Active Directory :

In Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted.

Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner. Once the replication is finished each partner has an updated version of Active Directory. There is another way to get these latest updates by Backup utility to restore replicated data from a backup copy. For this restore you don’t need to configure again your domain controller or no need to install the operating system from scratch.

Active Directory Restore Methods
You can use one of the three methods to restore Active Directory from backup media: primary restore, normal (non authoritative) restore, and authoritative restore.

Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on local computer, or user should have been delegated with this responsibility to perform restore. On a domain controller only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents the replication from overwriting that data. The authoritative data is then replicated through the domain.
Perform an authoritative restore individual object in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restore object that occurred after the backup. Ntdsutil is a command line utility to perform an authoritative restore along with windows server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version recently changed data on other domain controllers does not overwrite system state data during replication.

METHOD

A.
You can’t restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps.

Reboot the computer.
At the boot menu, select Windows 2000 Server. Don’t press Enter. Instead, press F8 for advanced options. You’ll see the following text. OS Loader V5.0

Windows NT Advanced Options Menu
Please select an option:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers only)
Debugging Mode

Use | and | to move the highlight to your choice.
Press Enter to choose.
Scroll down, and select Directory Services Restore Mode (Windows NT domain controllers only).
Press Enter.
When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of the screen, you’ll see in red text Directory Services Restore Mode (Windows NT domain controllers only).
The computer will boot into a special safe mode and won’t start the DS. Be aware that during this time the machine won’t act as a DC and won’t perform functions such as authentication.

Start NT Backup.
Select the Restore tab.
Select the backup media, and select System State.
Click Start Restore.
Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; Sometimes it takes a 30-minute wait on some machines.

  • How do you change the DS Restore admin password?

When you promote a Windows 2000 Server-based computer to a domain controller, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion.

The Administrator password that you use when you start Recovery Console or when you press F8 to start Directory Service Restore Mode is stored in the registry-based Security Accounts Manager (SAM) on the local computer. The SAM is located in the\System32\Config folder. The SAM-based account and password are computer specific and they are not replicated to other domain controllers in the domain.

For ease of administration of domain controllers or for additional security measures, you can change the Administrator password for the local SAM. To change the local Administrator password that you use when you start Recovery Console or when you start Directory Service Restore Mode, use the following method.

1. Log on to the computer as the administrator or a user who is a member of the Administrators group. 2. Shut down the domain controller on which you want to change the password. 3. Restart the computer. When the selection menu screen is displayed during restar, press F8 to view advanced startup options. 4. Click the Directory Service Restore Mode option. 5. After you log on, use one of the following methods to change the local Administrator password: • At a command prompt, type the following command:

net user administrator

• Use the Local User and Groups snap-in (Lusrmgr.msc) to change the Administrator password. 6. Shut down and restart the computer. You can now use the Administrator account to log on to Recovery Console or Directory Services Restore Mode using the new password.

  • Why can’t you restore a DC that was backed up 4 months ago?

Because of the tombstone life which is set to only 60 days

  • What are GPOs?

Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user’s work environment once, and then rely on Windows Server 2003 to continually force the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.
Group Policy Advantages
You can assign group policy in domains, sites and organizational units.
All users and computers get reflected by group policy settings in domain, site and organizational unit.
No one in network has rights to change the settings of Group policy; by default only administrator has full privilege to change, so it is very secure.
Policy settings can be removed and can further rewrite the changes.
Where GPO’s store Group Policy Information
Group Policy objects store their Group Policy information in two locations:

Group Policy Container: The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers can access the GPC to locate Group Policy templates, and domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create GPO, Windows Server 2003 creates the corresponding GPT which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is systemroot\SYSVOL\sysvol.
Managing GPOs
To avoid conflicts in replication, consider the selection of domain controller, especially because the GPO data resides in SYSVOL folder and the Active Directory. Active Directory uses two independent replication techniques to replicate GPO data among all domain controllers in the domain. If two administrator’s changes can overwrite those made by other administrator, depends on the replication latency. By default the Group Policy Management console uses the PDC Emulator so that all administrators can work on the same domain controller.

WMI Filter
WMI filters is use to get the current scope of GPOs based on attributes of the user or computer. In this way, you can increase the GPOs filtering capabilities beyond the security group filtering mechanisms that were previously available.

Linking can be done with WMI filter to a GPO. When you apply a GPO to the destination computer, Active Directory evaluates the filter on the destination computer. A WMI filter has few queries that active Directory evaluates in place of WMI repository of the destination computer. If the set of queries is false, Active Directory does not apply the GPO. If set of queries are true, Active Directory applies the GPO. You write the query by using the WMI Query Language (WQL); this language is similar to querying SQL for WMI repository.

Planning a Group Policy Strategy for the Enterprise
When you plan an Active Directory structure, create a plan for GPO inheritance, administration, and deployment that provides the most efficient Group Policy management for your organization.

Also consider how you will implement Group Policy for the organization. Be sure to consider the delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility so that your plan will provide for ease of use as well as administration.

Planning GPOs
Create GPOs in way that provides for the simplest and most manageable design — one in which you can use inheritance and multiple links.

Guidelines for Planning GPOs
Apply GPO settings at the highest level: This way, you take advantage of Group Policy inheritance. Determine what common GPO settings for the largest container are starting with the domain and then link the GPO to this container.
Reduce the number of GPOs: You reduce the number by using multiple links instead of creating multiple identical GPOs. Try to link a GPO to the broadest container possible level to avoid creating multiple links of the same GPO at a deeper level.
Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a higher level will not apply the settings in these specialized GPOs.
Disable computer or use configuration settings: When you create a GPO to contain settings for only one of the two levels-user and computer-disable the logon and prevents accidental GPO settings from being applied to the other area.

  • What is the order in which GPOs are applied?

Local, Site, Domain, OU

Group Policy settings are processed in the following order:

1:- Local Group Policy object-each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.

2:- Site-Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

3:- Domain-processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

4:- Organizational units-GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)

  • Name a few benefits of using GPMC.

Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:

  • Easy administration of all GPOs across the entire Active Directory Forest
  • View of all GPOs in one single list
  • Reporting of GPO settings, security, filters, delegation, etc.
  • Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
  • Delegation model
  • Backup and restore of GPOs
  • Migration of GPOs across different domains and forests

With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you want to protect the GPOs from the following:

  • Role based delegation of GPO management
  • Being edited in production, potentially causing damage to desktops and servers
  • Forgetting to back up a GPO after it has been modified
  • Change management of each modification to every GPO
  • How can you determine what GPO was and was not applied for a user? Name a few ways to do that.

Simply use the Group Policy Management Console created by MS for that very purpose, allows you to run simulated policies on computers or users to determine what policies are enforced. Link in sources

  • What are administrative templates?

Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment.

Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines. An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.

ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified “namespace” in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).

  • What’s the difference between software publishing and assigning?

ANS An administrator can either assign or publish software applications.

Assign Users
The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the start menu, or accesses a file that has been associated with the software application.

Assign Computers
The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.

Publish to users
The software application does not appear on the start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.

  • Can I deploy non-MSI software with GPO?

How to create a third-party Microsoft Installer package

http://support.microsoft.com/kb/257718/

  • You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

Login on client as Domain Admin user change whatever you need add printers etc go to system-User profiles copy this user profile to any location by select Everyone in permitted to use after copy change ntuser.dat to ntuser.man and assgin this path under user profile

Regard’s

Syed Jahanzaib

%d bloggers like this: