Windows: Interview Q & A: L1 & L2 Interview question
Active Directory
Active Directory is a centralized and
standardized system, stores information about objects in a network and makes
this information available to users and network administrators.
Domain Controller
In an Active Directory forest, the domain
controller is a server that contains a writable copy of the Active Directory
database, participates in Active Directory replication, and controls access to
network resources.
Global catalog server
A global catalog server is a domain
controller that stores information about all objects in the forest. Like all
domain controllers, a global catalog server stores full, writable replicas of
the schema and configuration directory partitions and a full, writable replica
of the domain directory partition for the domain that it is hosting. In
addition, a global catalog server stores a partial, read-only replica of every
other domain in the forest. Partial replicas are stored on Global
Catalog servers so that searches of the entire directory can be achieved
without requiring referrals from one domain controller to another.
Partial information of other domains. Partial
information nothing but classes and attributes (first name and last name and
phones and addresses) attribute level security improvement in 2003….
OU:
"Organizational Units", are
administrative-level containers on a computer, it allows administrators to
organize groups of users together so that any changes, security privileges or
any other administrative tasks could be accomplished more efficiently.
Domain:
Windows Domain is a logical grouping of computers
that share common security and user account information.
A Windows forest is a group of one or more trusted Windows trees. The trees do not need to have contiguous DNS names. A forest shares a schema and global catalog servers. A single tree can also be called a forest.
Tree:
A Windows tree is a group of one or more trusted Windows domains with
contiguous DNS domains. “Trusted” means that an authenticated account from one
domain isn’t rejected by another domain. “Contiguous DNS domains” means that
they all have the same root DNS name.
Site:
Sites are manually defined groupings of subnets. Objects in a site share the same global catalog servers, and can have a common set of group policies applied to them.
Schema:
The schema defines what
attributes, objects, classes, and rules are available in the Active Directory.
SID (Security
Identifier):
The SID is a unique name (alphanumeric character
string) that is used to identify an object, such as a user or a group of users.
Group Policy
Group policy
Architecture:
Group Policy objects
(GPO):
A
GPO is a collection of Group Policy settings, stored at the domain level as a
virtual object consisting of a Group Policy container (GPC) and a Group Policy
template (GPT).
Password history will store
Computer
Configuration\Windows Settings\Security Settings\Account Policies\Password
Policy
Group Policy Container (GPC)
The
Group Policy container (GPC) is an Active Directory container that contains GPO
properties, such as version information, GPO status, plus a list of other
component settings.
Group Policy Template (GPT)
The
Group Policy template (GPT) is a file system folder that includes policy data
specified by .adm files, security settings, script files, and information about
applications that are available for installation. The GPT is located in the
system volume folder (SysVol) in the domain \Policies sub-folder.
Filtering
the Scope of a GPO
By
default, a GPO affects all users and computers that are contained in the linked
site, domain, or organizational unit. The administrator can further specify the
computers and users that are affected by a GPO by using membership in security
groups.
Starting
with Windows 2000, the administrator can add both computers and users to
security groups. Then the administrator can specify which security groups are
affected by the GPO by using the Access Control List editor.
Knowledge Consistency Checker (KCC)
The Knowledge Consistency Checker
(KCC) is a Windows component that automatically generates and maintains the
intra-site and inter-site replication topology.
Intrasite
Replication
Replication
that happens between controllers inside one site. All of the subnets inside the
site should be connected by high speed network wires.
Intersite
Replication
Intersite replication
is replication between sites and must be set up by an administrator. Simple
Mail Transfer Protocol (SMTP) may be used for replication between sites.
Active Directory Replication?
Replication
must often occur both (intrasite) within sites and (Intersite) between sites to
keep domain and forest data consistent among domain controllers that store the
same directory partitions
Adprep.exe
Adprep.exe is a command-line tool used to prepare a
Microsoft Windows 2000 forest or a Windows 2000 domain for the installation of
Windows Server 2003 domain controllers.
USE:
When Microsoft
Exchange Server is deployed in an organization, Exchange Server uses Active
Directory as a data store and it extends the Windows 2000 Active Directory
schema to enable it to store objects specific to Exchange Server. The
ldapDisplayName of the attribute schema ms-Exch-Assistant-Name,
ms-Exch-LabeledURI, and ms-Exch-House-Identifier defined by Exchange Server
conflicts with the iNetOrgPerson schema that Active Directory uses in Windows
Server 2003. When Windows Server 2003 Service Pack 1 is installed, Adprep.exe
will be able to detect the presence of the schema conflict and block the
upgrade of the schema until the issue has been resolved.
GUID:
When a new domain user or
group account is created, Active Directory stores the account's SID in the
Object-SID (objectSID) property of a User or Group object. It also assigns the
new object a globally unique identifier (GUID), which is a 128-bit value that
is unique not only in the enterprise but also across the world. GUIDs are
assigned to every object created by Active Directory, not just User and Group
objects. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs
internally to identify objects.
SID:
A security identifier (SID) is a data
structure in binary format that contains a variable number of values. When a DC creates a security principal object such
as a user or group, it attaches a unique Security ID (SID) to the object. This
SID consists of a domain SID (the same for all SIDs created in a domain), and a
relative ID (RID) that is unique for each security Principal SID created in a
domain.
Lingering objects
When a domain
controller is disconnected for a period that is longer than the TSL, one or
more objects that are deleted from Active Directory on all other domain
controllers may remain on the disconnected domain controller. Such objects are
called lingering objects. Because the domain controller is offline during the
time that the tombstone is alive, the domain controller never receives
replication of the tombstone
Sysvol
Sysvol is a shared directory that stores the
server copy of the domain’s public files, which are replicated among all domain
controllers in the domain. The Sysvol contains the data in a GPO: the GPT,
which includes Administrative Template-based Group Policy settings, security
settings, script files, and information regarding applications that are
available for software installation. It is replicated using the File
Replication Service (FRS).
File
Replication Service (FRS)
In
Windows 2000, the SYSVOL share is used to authenticate users. The SYSVOL share
includes group policy information which is replicated to all local domain
controllers. File replication service (FRS) is used to replicate the SYSVOL
share. The "Active Directory Users and Computers" tool is used to
change the file replication service schedule.
Win logon
A
component of the Windows operating system that provides interactive logon
support, Winlogon is the service in which the Group Policy engine runs.
Lightweight
Directory Access Protocol (LDAP)
It
defines how clients and servers exchange information about a directory. LDAP
version 2 and version 3 are used by Windows 2000 Server's Active Directory.
An LDAP URL names the server holding Active Directory services and
the Attributed Name of the object. For example:
LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN
=Division,DC=myco,DC=domain-controller
USN
Each object has an Update Sequence Number (USN), and if the
object is modified, the USN is incremented. This number is different on each
domain controller. USN provides the key to multimaster replication.
Universal
group membership caching
Due
to available network bandwidth and server hardware limitations, it may not be
practical to have a global catalog in smaller branch office locations. For
these sites, you can deploy domain controllers running Windows Server 2003,
which can store universal group membership information locally.
By
default, the universal group membership information contained in the cache of
each domain controller will be refreshed every 8 hours. Up to 500 universal
group memberships can be updated at once. Universal groups
couldn't be created in Mixed mode.
What
is an ACL or access-control list?
A list of security protections that applies to
an object. (An object can be a file, process, event, or anything else having a
security descriptor.)
What
is an ACE or access-control entry?
ACE contains a set of access rights and a
security identifier (SID) that identifies a trustee for whom the rights are
allowed, denied, or audited.
Flexible
Single Master Operations (FSMO)
MultiMaster
Operation:
In Windows 2000 & 2003, every domain
controller can receive changes, and the changes are replicated to all other
domain controllers. The day-to-day operations that are associated with managing
users, groups, and computers are typically multimaster operations.
There is a set of Flexible Single Master
Operations (FSMO) which can only be done on a single controller. An
administrator determines which operations must be done on the master
controller. These operations are all set up on the master controller by default
and can be transferred later. FSMO operations types include:
Schema
Master: The schema master domain controller controls all updates
and modifications to the schema. There can be only one schema master in the
whole forest.
Domain
naming master: The domain naming master domain controller
controls the addition or removal of domains in the forest and responsibility of
ensuring that domain names are unique in the forest. There can be only one
domain naming master in the whole forest.
Infrastructure Master:
Synchronizes
cross-domain group membership changes. The infrastructure master cannot run on
a global catalog server (unless all DCs are also GCs.)
The infrastructure is responsible for
updating references from objects in its domain to objects in other domains. At
any one time, there can be only one domain controller acting as the
infrastructure master in each domain.
This works when we are renaming any group
member ship object this role takes care.
Note: The
Infrastructure Master (IM) role should be held by a domain controller that is
not a Global Catalog server (GC). If the Infrastructure Master runs on a Global
Catalog server it will stop updating object information because it does not
contain any references to objects that it does not hold. This is because a
Global Catalog server holds a partial replica of every object in the forest. As
a result, cross-domain object references in that domain will not be updated and
a warning to that effect will be logged on that DC's event log. If all the
domain controllers in a domain also host the global catalog, all the domain
controllers have the current data, and it is not important which domain
controller holds the infrastructure master role.
Relative ID (RID) Master:
It
assigns RID and SID to the newly created object like Users and computers. If
RID master is down (u can create security objects up to RID pools are available
in DCs) else u can’t create any object one itSDs down
When
a DC creates a security principal object such as a user or group, it attaches a
unique Security ID (SID) to the object. This SID consists of a domain SID (the
same for all SIDs created in a domain), and a relative ID (RID) that is unique
for each security principal SID created in a domain.
PDC Emulator - When Active Directory
is in mixed mode, the computer Active Directory is on acts as a Windows NT PDC.
The first server that becomes a Windows 2000 domain controller takes the role
of PDC emulator by default.
Functions performed by the PDC emulator:
User account changes and password changes.
SAM directory replication requests.
Domain master browser requests
Authentication requests.
GPO
Time synchronization
New
Active Directory features in Windows Server 2003
•
|
Multiple
selection of user objects. |
•
|
Drag-and-drop
functionality. |
•
|
Efficient
search capabilities. Search functionality is
object-oriented and provides an efficient search that minimizes |
•
|
Saved
queries. Save commonly used search parameters for reuse in
Active Directory Users and Computers |
•
|
Active
Directory command-line tools. |
•
|
InetOrgPerson
class. The inetOrgPerson class has been added to the base
schema as a security principal and can be used in the same manner as the user
class. The userPassword attribute can also be used to set the account password.
|
•
|
Ability
to add additional domain controllers using backup media.
Reduce the time it takes to add an additional domain controller in an existing
domain by using backup media. |
•
|
Universal
group membership caching. Prevent the need to locate a global
catalog across a WAN when logging on by storing universal group membership
information on an authenticating domain controller. |
•
|
Secure
LDAP traffic. Active Directory administrative tools sign
and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that
the packaged data comes from a known source and that it has not been tampered
with. |
•
|
Active
Directory quotas. Quotas can be specified in Active
Directory to control the number of objects a user, group, or computer can own
in a given directory partition. Domain Administrators and |
Windows Functional
levels
In
Windows 2000 Active Directory domains is the concept of Mixed and Native Modes.
The default mixed mode allows both NT and Windows 2000 domain controllers to
coexist. Once you convert to Native Mode, you are only allowed to have Windows
2000 domain controllers in your domain. The conversion is a one-way conversion
-- it cannot be reversed. In Windows Server 2003, Microsoft introduced forest
and domain functional levels. The concept is rather similar to switching from
Mixed to Native Mode in Windows 2000. The new functional levels give you
additional capabilities that the previous functional levels didn’t have.
There are four domain functional levels:
- Windows 2000 Mixed (supports
NT4/2000/2003 DCs)
- Windows 2000 Native (supports
2000/2003 DCs)
- Windows Server 2003 Interim
(supports NT4/2003 DCs)
- Windows Server 2003 (supports
only 2003 DCs)
And three forest functional levels:
- Windows 2000 (supports
NT4/2000/2003 DCs)
- Windows 2000 Interim (supports
NT4/2003 DCs)
- Windows Server 2003 (supports
only 2003 DCs)
To raise
the domain functional level, you go to the properties of your domain in Active
Directory Domains and Trusts. To raise the forest functional level you go to
the properties of Active Directory Domains and Trusts at the root. Of course,
if your domains are not at the correct level, you won’t be able to raise the
forest functional level.
Directory
partition
A
directory partition, or naming context, is a contiguous Active Directory sub
tree replicated on one, or more, Windows 2000 domain controllers in a
forest. By default, each domain controller has a replica of three partitions:
the schema partition the Configuration partition and a Domain partition.
Schema
partition
It contains all class and attributes definitions for the forest. There is one
schema directory partition per forest.
Configuration
partition
It contains replication configuration
information (and other information) for the forest. There is one configuration
directory partition per forest.
Domain
partition
It contains all objects that are stored by
one domain. There is one domain directory partition for each domain in the
forest.
Application Directory Partition
Application
directory partitions are most often used to store dynamic data. An application partition can not contain security
principles (users, groups, and computers).The KCC generates and
maintains the replication topology for an application directory partition
Application: The application
partition is a new feature introduced in Windows Server 2003. This partition
contains application specific objects. The objects or data that applications
and services store here can comprise of any object type excluding security
principles. Security principles are Users, Groups, and Computers. The
application partition typically contains DNS zone objects, and dynamic data
from other network services such as Remote Access Service (RAS), and Dynamic
Host Configuration Protocol (DHCP).
Dynamic Data:
A
dynamic entry is an object in the directory which has an associated
time-to-live (TTL) value. The TTL for an entry is set when the entry is
created.
Security Principles - Objects that
can have permissions assigned to them and each contain security identifiers.
The following objects are security principles:
o
User
- Computer
- Group
RPC:
Active
Directory uses RPC over IP to transfer both intersite and intrasite replication
between domain controllers. To keep data secure while in transit, RPC over IP
replication uses both the Kerberos authentication protocol and data encryption.
SMTP:
If
you have a site that has no physical connection to the rest of your network,
but that can be reached using the Simple Mail Transfer Protocol (SMTP), that
site has mail-based connectivity only. SMTP replication is used only for
replication between sites. You also cannot use SMTP replication to replicate
between domain controllers in the same domain—only inter-domain replication is
supported over SMTP (that is, SMTP can be used only for inter-site,
inter-domain replication). SMTP replication can be used only for schema,
configuration, and global catalog partial replica replication. SMTP replication
observes the automatically generated replication schedule.
Changing
of ntds.dit file from one Drive to another
1.
|
Boot the domain controller in Directory Services Restore mode
and log on with the Directory Services Restore mode administrator account and
password (this is the password you assigned during the Dcpromo process).
|
2.
|
At a command prompt, type ntdsutil.exe. You receive the
following prompt:
ntdsutil:
|
3.
|
Type files to receive the following prompt:
file maintenance:
|
4.
|
Type info. Note the path of the database and log files.
|
5.
|
To move the database, type move db to %s (where %s is the
target folder).
|
6.
|
To move the log files, type move logs to %s (where %s is
the target folder).
|
7.
|
Type quit twice to return to the command prompt.
|
8.
|
Reboot the computer normally.
DNS
DNS (Domain Name system)
Domain Name System (DNS) is a database system that
translates a computer's fully qualified domain name into an IP address.
The
local DNS resolver
The following graphic
shows an overview of the complete DNS query process.
DNS Zones
Forward lookup zone -
Name to IP address map.
Reverse lookup zone - IP
address to name map.
Primary
Zones - It Holds Read and Write copies of
all resource records (A, NS, _SRV).
Secondary Zones- which hold read
only copies of the Primary Zones.
Stub
Zones
Conceptually,
stub zones are like secondary zones in that they have a read only copy of a
primary zone. Stub zones are more efficient and create less replication
traffic.
Stub
Zones only have 3 records, the SOA for the primary zone, NS record and a Host
(A) record. The idea is that if a client queries a record in the Stub
Zone, your DNS server can refer that query to the correct Name Server because
it knows its Host (A) record.
Queries
Query types are:
Inverse - Getting the name from the IP
address. These are used by servers as a security check.
Iterative - Server gives its best answer. This
type of inquiry is sent from one server to another.
Recursive - Cannot refer the query to another
name server.
Conditional
Forwarding
Another
classic use of forwards is where companies have subsidiaries, partners or
people they know and contact regularly query. Instead of going the
long-way around using the root hints, the network administrators configure
Conditional Forwarders
Purpose of Resource Records
Without
resource records DNS could not resolve queries. The mission of a DNS
Query is to locate a server that is Authoritative for a particular
domain. The easy part is for the Authoritative server to check the name
in the query against its resource records.
SOA (start of
authority) record
each zone has one SOA record that
identifies which DNS server is authoritative for domains and sub domains in the
zone.
NS (name server)
record
An NS record contains the FQDN and IP
address of a DNS server authoritative for the zone. Each primary and secondary
name server authoritative in the domain should have an NS record.
A (address) record By far the most common type of resource
record, an A record is used to resolve the FQDN of a particular host into its
associated IP address.
CNAME (canonical
name) record
A CNAME record contains an alias
(alternate name) for a host.
PTR (pointer) record the opposite of an A
record, a PTR record is used to resolve the IP address of a host into its FQDN.
SRV (service) record An SRV record is used by DNS clients to
locate a server that is running a particular service—for example, to find a
domain controller so you can log on to the network. SRV records are key to the
operation of Active Directory.
MX (mail exchange)
record
An MX record points to one or more
computers that process SMTP mail for an organization or site.
Where DNS resource
records will be stored:
After
running DCPROMO, A text file containing the appropriate DNS resource records
for the domain controller is created. The file called Netlogon.dns is created
in the %systemroot%\System32\config folder and contains all the records needed
to register the resource records of the domain controller. Netlogon.dns is used
by the Windows 2000 NetLogon service and to support Active Directory for
non-Windows 2000 DNS servers.
Procedures for
changing a Server’s IP Address
Once
DNS and replication are setup, it is generally a bad idea to change a servers
IP address (at least according to Microsoft). Just be sure that is what you
really want to do before starting the process. It is a bit kin to changing the
Internal IPX number of A Novell server, but it can be done.
1. Change the Server’s IP address
2. Stop the NETLOGON service.
3. Rename or delete
SYSTEM32\CONFIG\NETLOGON.DNS and NETLOGON.DNB
4. Restart the NETLOGON service and run
“IPconfig /registerDNS”
5. Go to one of the other DCs and verify
that its DNS is now pointing to the new IP address of the server. If not,
change the records manually and give it 15 minutes to replicate the DNS changes
out.
6. Run REPLMON and make sure that
replication is working now. You may have to wait a little while for things to
straighten out. Give it an hour or two if necessary.
If a server shows
that it isn’t replicating with one of its partners, there are several issues to
address:
A. Check to see that the servers can ping
each other.
B. Make sure that both servers’ DNS entries
for each other point to the proper IP addresses
C. If server A says it replicated fine, but
server B says it couldn’t contact Server A, check the DNS setup on Server B.
Chances are it has a record for Server A pointing to the wrong place.
D. Run Netdiag and see if it reports any
errors or problems.
Trust Relationship
Windows
2000 only supports the following types of trusts:
|
Comments
Post a Comment