Active Directory Overview

Sanjo Thomas, CCNA, MCSE, MCDBA
Sanjo900@yahoo.com
This is a rough copy. Corrections required - Sanjo
What is Active Directory?

AD is the directory service in Windows2000 network. AD is a hierarchical database. A directory service stores information about network resources and make the resources accessible to users and computers. It helps to centrally manage, organize and control access to resources. AD objects include users, groups, computers, printers, etc. Servers, domains and sites are also considered as AD objects.
What is LDAP?
LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths are used to access AD objects and includes the following: Distinguished names Relative Distinguished names
Distinguished name gives the complete path of the object E.g. CN=Sanjo Thomas,OU=India,DC=Microsoft,DC=com Relative Distinguished name is the portion of the distinguished name that uniquely identifies the object. E.g. CN=Sanjo Thomas OR OU= India
Introducing domain trees and forests

TREES Tree is a hierarchical arrangement of W2K domains that share a contiguous name space. The first domain in a domain tree is called the root domain. Additional domains in the same domain tree are child domains. A domain immediately above another domain in the same domain tree is referred to as the parent of the child domain. The name of the chills domain is combined with its parent domain to form its DNS name. Every child domain has a two two-way, transitive trust relationship with its parent domain Because these trust relationships are two-way and transitive, a Windows 2000 domain newly created in a domain tree or forest immediately has trust relationships established with every other Windows 2000 domain in the domain tree or forest. These trust relationships allow a single logon process to authenticate a user on all domains in the domain tree or forest. This does not necessarily mean that the authenticated user has rights and permissions in all domains in the domain tree. Because a domain is a security boundary, rights and permissions must be assigned on a per-domain basis. FORESTS
Sanjo900@yahoo.com
A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace but share a common schema and GC. The forest root domain is the first domain created in the forest. The root domains of all domain trees in the forest establish transitive trust relationships with the forest root domain. This is necessary for the purposes of establishing trust across all the domain trees in the forest. All of the Windows 2000 domains in all of the domain trees in a forest share the following traits: Transitive trust relationships between the domains Transitive trust relationships between the domain trees A common schema Common configuration information A common global catalog
Using both domain trees and forests provides you with the flexibility of both contiguous and noncontiguous naming conventions. This can be useful in, for example, companies with independent divisions that must each maintain their own DNS names.
Explain the role of Global Catalog Server in a Domain?

By default, a global catalog is created automatically on the initial domain controller in the forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects contained in the directory of every other domain in the forest. The replica is partial because it stores some, but not all, of the property values for every object in the forest. The global catalog performs two key directory roles: It enables network logon by providing universal group membership information to a domain controller when a logon process is initiated. It enables finding directory information in the entire forest regardless of which domain in the forest actually contains the data.
When a user logs on to the network, the global catalog provides universal group membership information for the account sending the logon request to the domain controller. If there is only one domain controller in the domain, the domain controller and the global catalog are the same server. If there are multiple domain controllers in the network, the global catalog is hosted on the domain controller configured as such. If a global catalog is not available when a user initiates a network logon process, the user is only able to log on to the local computer. If a user is a member of the Domain Admins group, they are able to log on to the network even when a global catalog is not available. The global catalog is designed to respond to queries about objects anywhere in the forest with maximum speed and minimum network traffic. Because a single global catalog contains information about objects in all domains in the forest, a query about an object can be resolved by a global catalog
Sanjo900@yahoo.com

in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries. You can optionally configure any domain controller to host a global catalog, based on your organization's requirements for servicing logon requests and search queries. After additional domain controllers are installed in the domain, you can change the default location of the global catalog to another domain controller using Active Directory Sites and Services.
GC and infrastructure master should not be on the same Server. Why?

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog's data will always be up-to-date. If the infrastructure master finds data that is out-of-date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain. Important 1. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so will never replicate any changes to the other domain controllers in the domain. 2. If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.
Explain Active Directory schema?

The Active Directory schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory. The definitions are themselves stored as objects so that Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory. There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata. Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but is defined once in the schema, assuring consistency. Classes, also referred to as object classes; describe the possible directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of an object class.
Sanjo900@yahoo.com

Active Directory does not support deletion of schema objects; however, objects can be marked as deactivated, providing many of the benefits of deletion. The structure and content of the schema is controlled by the domain controller that holds the schema operations master role. A copy of the schema is replicated to all domain controllers in the forest. The use of this common schema ensures data integrity and consistency throughout the forest.
Explain Sites. What are the advantages of Sites?

Site consists of one or more IP subnets connected by a high speed link. Wide area networks should employ multiple sites for efficiently handling servicing requests and reducing replication traffic. Sites map the physical structure of your network whereas domains generally map the logical structure of your organization. Active Directory Sites and Services allow you to specify site information. Active Directory uses this information to determine how best to use available network resources. This makes the following types of operations more efficient: Service requests When a client requests a service from a domain controller, it directs the request to a domain controller in the same site. Selecting a domain controller that is well-connected to the client makes handling the request more efficient. Replication Site streamlines replication of directory information and reduces replication traffic Site membership is determined differently for domain controllers and clients. A client determines it is in when it is turned on, so its site location will often be dynamically updated. A domain controller's site location is established by which site its Server object belongs to in the directory, so its site location will be consistent unless the domain controller's Server object is intentionally moved to a different site.
Minimum Requirement for Installing AD

1. 2. 3. 4. 5. Windows Server, Advanced Server, Datacenter Server Minimum Disk space of 200MB for AD and 50MB for log files NTFS partition TCP/IP Installed and Configured to use DNS Administrative privilege for creating a domain in existing network
How will you verify whether the AD installation is proper?

1. Verify SRV Resource Records
Sanjo900@yahoo.com

After AD is installed, the DC will register SRV records in DNS when it restarts. We can check this using DNS MMC or nslookup command. Using MMC If the SRV records are registered, the following folders will be there in the domain folder in Forward Lookup Zone. msdes sites tcp adp
Using nslookup >nslookup >ls t SRV Domain If the SRV records are properly created, they will be listed. 2. Verifying SYSVOL If SYSVOL folder is not properly created data stores in SYSVOL such are scripts, GPO, etc will not be replicated between DCs. First verify the following folder structure is created in SYSVOL Domain Staging Staging areas Sysvol Then verify necessary shares are created. >net share It should show two shares, NETLOGON and SYSVOL 3. Verifying Database and Log files Make sure that the following files are there at %systemroot%\ntds Ntds.dit, Edb.*, Res*.log
Explain User and Computer naming in AD?

Active Directory domain names are usually the full DNS name of the domain. For backward compatibility, each domain also has a pre-Windows 2000 name.
Sanjo900@yahoo.com

USER ACCOUNTS In Active Directory, each user account has a user logon name, a pre-Windows 2000 user logon name (SAM account name), and a user principal name suffix. Active Directory suggests a preWindows 2000 user logon name using the first 20 bytes of the user logon name. In Active Directory, each user account has a user principal which is composed of the user logon name and the user principal name suffix joined by the @ sign. Do not add the @ sign to the user logon name or to the user principal name suffix. Active Directory automatically adds it when it creates the user principal name. A user principal name that contains more than one @ sign is invalid. The second part of the user principal name, referred to as the user principal name suffix, identifies the domain in which the user account is located. This user principal name suffix can be the DNS domain name, the DNS name of any domain in the forest, or it can be an alternative name created by an administrator and used just for logon purposes. This alternative user principal name suffix does not need to be a valid DNS name. Using alternative domain names as the user principal name suffix can provide additional logon security and simplify the names used to log on to another domain in the forest. E.g. Sanjo is user in sales.westcoast.microsoft.com. So the logon name would be sanjo@sales.westcoast.microsoft.com. Creating a user principal name suffix of "microsoft" would allow that same user to log on using the much simpler logon name of sanjo@microsoft. You can add or remove user principal name suffixes using Active Directory Domains and Trusts. COMPUTER ACCOUNTS Each computer account created in Active Directory has a relative distinguished name, a preWindows 2000 computer name (SAM account name), a primary DNS suffix, a DNS host name and a service principal name. This computer name is used as the LDAP relative distinguished name. Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative distinguished name. This can be changed at any time. The primary DNS suffix defaults to the full DNS name of the domain to which the computer is joined. The DNS host name is built from the first 15 characters of the relative distinguished name + the primary DNS suffix. The service principal name is built from the DNS host name. The service principal name is used in the process of mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the service principal name of the service to which it is trying to connect. It is possible for administrators to change the way the service principal name is created. This security modification allows a computer to use primary DNS suffixes that are different than the domain to
Sanjo900@yahoo.com

which the computer is joined. The same modification also allows Active Directory to use more than the first 15 bytes of the relative distinguished name when constructing the service principal name. Computers with these modified computer names will register their names in DNS correctly but an additional procedure is required to enable correct registration of the DNS host name (dNSHostName) and service principal Name (servicePrincipalName) attributes of the computer object in Active Directory. To allow a computer to use a different DNS name 1. Right-click Active Directory Users and Computers, point to View, and then click Advanced Features. 2. Right-click the name of the domain, and then click Properties. 3. On the Security tab, click Add, click the Self group, click Add, and then click OK. 4. Click Advanced, click Self, and then click View/Edit. 5. On the Properties tab, in Apply onto, click Computer Objects. 6. Under Permissions, click Write dNSHostName, and then click the Allow check box. By modifying default security in this way, there is a possibility that a computer joined to the selected domain could be operated by a malicious user and may be able to advertise itself under a different name through the service principal name attribute.
What are the FSMO roles and explain their functions?

Schema master Domain naming master RID master PDC emulator Infrastructure daemon
Schema Master The schema master is responsible for performing updates to the directory schema. This DC is the only one that can process updates to the directory schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory. Domain Naming Master The Domain Naming Master is responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory. RID Master The RID master is responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move. When a DC creates a security principal object such as a user or group, it attaches a unique SID to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.
Sanjo900@yahoo.com
Each Windows 2000 DC in a domain is allocated a pool of RIDs that can be assigned to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain-RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory. PDC Emulator FSMO Role The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their inbound time partner. In a Windows 2000 domain, the PDC emulator role holder retains the following functions: Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator. Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator.
Note that the PDC emulator role becomes unnecessary as down-level workstations, member servers, and domain controllers are all upgraded to Windows 2000, in which case the following information applies: Windows 2000 clients (workstations and member servers) and down-level clients that have installed the distributed services client package do not perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain. Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000, the PDC emulator receives no down-level replica requests. Windows 2000 clients (workstations and member servers) and down-level clients that have installed the distributed services client package use the Active Directory to locate network resources. They do not require the Windows NT Browser service.
Infrastructure FSMO Role When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global
Sanjo900@yahoo.com

Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, crossdomain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log.
How will you place the FSMO roles?

Place the RID and PDC emulator roles on the same domain controller. Good communication from the PDC to the RID master is desirable as downlevel clients and applications target the PDC, making it a large consumer of RIDs. As a general rule, the infrastructure master should be located on a nonglobal catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site.
Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are: o Single domain forest: In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain. o Multidomain forest where every domain controller holds the global catalog: If every domain controller in the domain also hosts the global catalog, then there are no phantoms or work for the infrastructure master to do. The infrastructure master may be placed on any domain controller in the domain. At the forest level, the schema master and domain naming master roles should be placed on the same domain controller as they are rarely used and should be tightly controlled. Additionally, the Domain Naming master FSMO should also be a global catalog server.
Configure DNS Dynamic Update in Windows 2000

The DNS service allows client computers to dynamically update their resource records in DNS and improves DNS administration. You can use DDNS in conjunction with DHCP to update resource records when a computer's IP address is changed. How Windows 2000-Based Computers Update Their DNS Names Windows 2000 computers try to dynamically register host address (A) and pointer (PTR) resource records. All computers register records based on their full computer name. Dynamic updates can be sent for any of the following reasons or events: An IP address is added, removed, or modified for any one of the installed network connections.
Sanjo900@yahoo.com

An IP address lease changes or renews. For example, if you use the ipconfig /renew command. You use the ipconfig /registerdns command to manually force a refresh of the client name registration in DNS. At startup time, when the computer is turned on. When one of these events triggers a dynamic update, the DHCP Client service (not the DNS Client service) sends updates. This process is designed so that if a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-toaddress mappings for the computer. The DHCP Client service performs this function for all network connections used on the system, including connections that are not configured to use DHCP. Dynamic updates are sent or refreshed periodically. By default, Windows 2000 sends a refresh once every 24 hours. If the update occurs and there are no changes to zone data, the zone remains at its current version and no changes are written. NOTE: Names are not removed from DNS zones if they become inactive or if they are not updated within the refresh interval (24 hours). DNS does not use a mechanism to release or tombstone names, although DNS clients do attempt to delete or update old name records when a new name or address change is applied. When the DHCP Client service registers A and PTR resource records for a Windows 2000 computer, it uses a default caching Time-To-Live (TTL) value of 15 minutes for host records. This value determines how long other DNS servers and clients cache a computer's records when they are included in a query response. How to Allow Only Secure Dynamic Updates 1. Click Start, point to Programs, point to Administrative Tools, and then click DNS. 2. Under DNS, expand the applicable DNS server, expand Forward Lookup Zones (or Reverse Lookup Zones) , and then click the applicable zone. 3. On the Action menu, click Properties. 4. On the General tab, verify that the zone type is Active Directory-integrated. 5. In the Allow dynamic updates? box, click Only secure updates. The secure dynamic update functionality is supported only for Active Directory-integrated zones. How to Configure DNS Dynamic Update for DHCP Clients By default, Windows 2000-based DHCP clients are configured to request that the client register the A resource record and the server register the PTR resource record. By default, the name that is used in the DNS registration is a concatenation of the computer name and the primary DNS suffix. To change this default name, open the TCP/IP properties of your network connection. To change the dynamic update defaults on the dynamic update client: 1. Right-click the connection that you want to configure, and then click Properties. 2. Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the DNS tab. By default, Register this connection's address in DNS is selected and Use this connection's DNS suffix in DNS registration is not selected. This default configuration causes the client to request that the client register the A resource record and the server
Sanjo900@yahoo.com

register the PTR resource record. In this case, the name to be used in DNS registration is a concatenation of the computer name and primary DNS suffix of the computer. 3. Click to select the Use this connection's DNS suffix check box in DNS registration. If you select this check box, the client requests that the server update the PTR record by using the name that is a concatenation of the computer name and the connection-specific DNS suffix. PTR record, which uses the name that is a concatenation of the computer name and the primary DNS suffix. 4. To configure the client to make no requests for DNS registration, click to clear the Register this connection's address in DNS check box. If you clear this check box, the client does not attempt to register any A or PTR DNS records that correspond to this connection. DNS Dynamic Update on Statically Configured and Remote Access Clients Statically configured clients and remote access clients do not communicate with the DHCP server. Statically configured Windows 2000-based clients dynamically update their A and PTR resource records every time they start in case the records become corrupted in the DNS database. Remote access clients dynamically update A and PTR resource records when a dial-up connection is made. They also attempt to unregister the A and PTR resource records when the user closes down the connection. How to Configure DNS Dynamic Update on Multiple-Homed Clients If a dynamic update client is multiple-homed (if it has more than one adapter and an associated IP address), it registers all of its IP addresses with DNS by default. If you do not want the client to register all of its IP addresses, you can configure it to not register one or more IP addresses in the network connection properties. To prevent the computer from registering all its IP addresses: 1. Right-click My Network Places, and then click Properties. 2. Click the connection that you want to configure, and then click Properties. 3. Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the DNS tab. 4. Click to clear the Register this connection's address in DNS check box. You can also configure the computer to register its domain name in DNS. For example, if you have a client that is connected to two different networks, you can configure the client to have a different domain name on each network. How to Configure DNS Dynamic Update on a Windows 2000 DNS Client Computer To configure DNS dynamic update on a Windows 2000 DNS client computer: 1. Click Start, point to Settings, and then click Network and Dial-up Connections. 2. Right-click the network connection that you want to configure, and then click Properties. 3. Click either the General tab (for the local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties. 4. Click Advanced, and then click the DNS tab.
Sanjo900@yahoo.com

5. To use DNS dynamic update to register both the IP addresses for this connection and the full computer name of the computer, click to select the Register this connection's addresses in DNS check box. This check box is selected by default. 6. To configure a connection-specific DNS suffix, type the DNS suffix in the DNS suffix for this connection box. 7. To use DNS dynamic update to register the IP addresses and the connection-specific domain name for this connection, click to select the Use this connection's DNS suffix in DNS registration check box. This check box is selected by default. How to Configure DNS Dynamic Update on a Windows 2000 DNS Server To enable DNS dynamic update on a Windows 2000 DNS server: 1. Click Start, point to Programs, point to Administrative Tools, and then click DNS. 2. Click the appropriate zone under either Forward Lookup Zones or Reverse Lookup Zones. 3. On the Action menu, click Properties. 4. On the General tab, verify that the zone type is either Primary or Active Directoryintegrated. 5. If the zone type is Primary, click Yes in the Allow dynamic updates? list. 6. If the zone types is Active Directory-integrated, click either Yes or Only secure updates in the Allow dynamic updates? list, depending on whether you want DNS dynamic updates to be secure. How to Configure DNS Dynamic Update on a Windows 2000 DHCP Server To configure DNS dynamic update for a Windows 2000 DHCP server: 1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP. 2. Click the appropriate DHCP server or a scope on the appropriate DHCP server. 3. On the Action menu, click Properties. 4. Click the DNS tab. 5. To enable DNS dynamic update for DHCP clients that support it, click to select the Automatically update DHCP client information in DNS check box. This check box is selected by default. 6. To enable DNS dynamic update for DHCP clients that do not support it, click to select the Enable updates for DNS clients that do not support dynamic updates check box. This check box is selected by default. How to Enable DNS Dynamic Updates on a DHCP Server Windows 2000 DHCP and DNS servers now support dynamic updates to a DNS server. Windows 2000 clients can dynamically update their forward lookup records themselves with the DNS server after the clients obtain a new IP address from a DHCP server. In Windows 2000 DHCP server, you can dynamically update the DNS records for pre-Windows 2000 clients that cannot do it for themselves. This feature currently works only with the Windows 2000 DHCP and DNS servers. To enable a DHCP server to dynamically update the DNS records of its clients: 1. Select the scope or DHCP server on which you want to permit dynamic DNS updates. 2. On the Action menu, click Properties, and then click the DNS tab.
Sanjo900@yahoo.com

3. Click to select the Automatically Update DHCP Client Information In DNS check box. 4. To update a client's DNS records based on the type of DHCP request that the client makes and only when it is requested, click Update DNS Only If DHCP Client Requests. 5. To always update a client's forward and reverse lookup records, click Always Update DNS. 6. Click to select the Discard Forward Lookups When Leases Expire check box to have the DHCP server delete the Host resource record for a client when its DHCP lease expires and is not renewed. 7. Click to select the Enable Updates For DNS Clients That Do Not Support Dynamic Updates check box to enable the DHCP server to update the forward and reverse lookup records for clients that cannot update their own forward lookup records. If you do not select this check box, the DHCP server does not automatically update the DNS records of nonWindows 2000 clients.
Create and Configure a Site Link in Active Directory in Windows 2000

For the site link to become active, there must be at least two sites available in Active Directory. A Site Link object represents a set of sites that can communicate at uniform cost through an intersite transport. For IP transport, a typical site link connects just two sites and corresponds to an actual WAN link. An IP site link that connects more than two sites might correspond to an asynchronous transfer mode (ATM) backbone that connects more than two clusters of buildings on a large campus, or several offices in a large metropolitan area that are connected through leased lines and IP routers. How to Create a Site Link To create a new site link: 1. Click Active Directory Sites and Services. 2. Expand the Inter-Site Transports node, right-click IP (or click SMTP if you want to use SMTP as the inter-site transport protocol), and then click New Site Link. If you have only one site in Active Directory, you receive a message that states that two sites are required for the site link to work. Click OK to continue.
How to Create a DNS Entry for the Web Server

Create an alias or CNAME record for the DNS server on which you configured IIS. This step ensures that external host computers can connect to your Web server by using the "www" host name. To do this: 1. Start the DNS snap-in. 2. Under DNS, expand Server1 (where Server1 is the host name of the DNS server). 3. Expand Forward Lookup Zones. 4. Under Forward Lookup Zones, right-click the zone that you want (for example, Microsoft.com), and then click New Alias. 5. In the Alias name box, type www. 6. In the Fully qualified name for target host box, type the fully qualified host name of the DNS server on which IIS is installed. For example, type dns.microsoft.com, and then click OK.
Sanjo900@yahoo.com

Audit Active Directory Objects in Windows 2000
An audit entry in the Security log contains the following information: The action that was performed. The user who performed the action. The success or failure of the event and the time that the event occurred.
When you audit Active Directory events, Windows 2000 writes an event to the Security log on the domain controller. If a user tries to log on to the domain using a domain user account and the logon attempt is unsuccessful, the event is recorded on the DC and not on the computer on which the logon attempt was made. This is because it is the domain controller that tried to authenticate the logon attempt. How to Configure an Audit Policy Setting for a Domain Controller Auditing is turned off by default. To audit all DCs, Enable auditing on Domain Controllers OU To configure an audit policy setting for a domain controller, follow these steps: 1. Start Directory Users and Computers. 2. Click Advanced Features on the View menu. 3. Right-click Domain Controllers, and then click Properties. 4. Click the Group Policy tab, click Default Domain Controller Policy, and then click Edit. 5. Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy. 6. In the right pane, right-click Audit Directory Services Access, and then click Security. 7. Click Define These Policy Settings, and then click to select one or both of the following check boxes: o Success: Click to select this check box to audit successful attempts for the event category. o Failure: Click to select this check box to audit failed attempts for the event category. 8. Right-click any other event category that you want to audit, and then click Security. Click OK How to Configure Auditing for Specific Active Directory Objects You can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access that you want to audit. To configure auditing for specific Active Directory objects, follow these steps: 1. 2. 3. 4. 5. Open Active Directory Users and Computers. Select Advanced Features on the View menu. Right-click the Active Directory object that you want to audit, and then click Properties. Click the Security tab, and then click Advanced. Click the Auditing tab, and then click Add. Enter the name of either the user or the group whose access you want to audit
Sanjo900@yahoo.com

6. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
How to Configure a Secondary Name Server in Windows 2000

Identify the Secondary Name Server On the primary DNS server, identify an additional name server: Open DNS MMC. In the console tree, click Host name (where Host name is the host name of the DNS server). In the console tree, click Forward Lookup Zones. Right-click the zone that you want (for example, example.com), and then click Properties. Click the Name Servers tab, and then click Add. In the Server name box, type the host name of the server that you want to add, for example, namesvr2.example.com. 7. In the IP address box, type the IP address of the name server that you want to add (for example, 192.168.0.22), and then click Add. 8. Click OK, and then click OK. 9. In the console tree, click Reverse Lookup Zones, right-click the zone that you want, and then click Properties. 10. Click the Name Servers tab, and then click Add. 11. In the Server name box, type the host name of the server that you want to add, for example, namesvr2.example.com. 12. In the IP address box, type the IP address of the name server that you want to add (for example, 192.168.0.22), and then click Add. 13. Click OK, and then click OK. Install DNS on the Secondary Name Server 1. To install the DNS service through Add/Remove Programs. Configure the Forward Lookup Zone To configure the forward lookup zone on the secondary name server: 1. Open the DNS MMC in the Secondary Name Server. 2. In the console tree, under DNS, click Host name (where Host name is the host name of the DNS server). 3. In the console tree, click Forward Lookup Zones. 4. Right-click Forward Lookup Zones, and then click New Zone. 5. When the New Zone Wizard starts, click Next to continue. 6. Click Standard secondary, and then click Next. 7. In the Name box, type the name of the zone (for example, example.com), and then click Next. 8. On the Master DNS Servers page, type the IP address of the primary name server for this zone, click Add, click Next, and then click Finish. Configure the Reverse Lookup Zone To configure the reverse lookup zone on the secondary name server: 1. 2. 3. 4. 5. 6.
Sanjo900@yahoo.com

Click Start, point to Programs, point to Administrative Tools, and then click DNS. In the console tree, click Host name (where Host name is the host name of the DNS server). In the console tree, click Reverse Lookup Zones. Right-click Reverse Lookup Zones, and then click New Zone. When the New Zone Wizard starts, click Next to continue. Click Standard secondary, and then click Next. In the Network ID box, type the network ID (for example, type 192.168.0), and then click Next. 7. On the Zone File page, click Next, and then click Finish. 1. 2. 3. 4. 5. 6.
Troubleshooting: The DNS server does not load the zone

When you select a zone on the secondary name server, the following error message may be displayed in the right pane of the DNS window: Zone not loaded by DNS Server The DNS server encountered an error while attempting to load the zone. The transfer of zone data from the master server failed. This behavior can occur when zone transfers are disabled. To resolve this issue, follow these steps: 1. 2. 3. 4. On the primary name server open DNS MMC. In the console tree, click MainServer1 In the console tree, click Forward Lookup Zones. Under Forward Lookup Zones, right-click the zone that you want (for example, example.com), and then click Properties. 5. Click the Zone Transfers tab. 6. Click to select the Allow zone transfers check box, and then click one of the following options: To any server Only to servers listed on the Name Servers tab Only to the following servers 7. Click Apply, and then click OK.
How to set up a One-Way Non-Transitive Trust in Windows 2000

Windows 2000 domains in the same forest share transitive trust relationships with one another. There is an implicit transitive trust between the root domains in each tree in the Windows 2000 forest. A two-way implicit transitive trust also exists between all contiguous domains in a single tree. There may be times when you need to create explicit trust relationships between domains. Windows 2000 allows you to configure one-way transitive trusts between domains. Configure a One-way Trust Perform the following steps to configure the one-way trust: 1. On a domain controller in the trusted domain, start the Active Directory Domains and Trusts console. 2. In the Domains that trust this domain pane, click Add.
Sanjo900@yahoo.com

3. In the Add Trusting Domain dialog box, type the name of the trusting domain, type a password, and then type the password again in the Confirm password box. 4. Click OK. 5. In the Active Directory dialog box, click OK to verify the trust. 6. Enter a user name and password of a user that has permissions to modify trust relationships in the trusting domain. You receive a message that states that the trusting domain has been added and the trust verified. 7. Quit the Active Directory Domains and Trusts console. 8. On a domain controller in the trusting domain, start the Active Directory Domains and Trusts console. 9. Right-click the trusting domain and click Properties. 10. In the Domains trusted by this domain box, click Add. 11. In the Add Trusted Domain dialog box, type the name of the trusted domain and a password, and then type the password again in the Confirm Password dialog box. 12. Click OK. NOTE: The DNS infrastructure must be in place so that domain controllers from each domain can find one another. You can configure Windows NT 4.0 domain trusts by using Windows NT 4.0 User Manager for Domains.
How to create a Container to List Printers in Active Directory

By default, printers are not displayed when you use My Network Places to browse Active Directory. The ADSI Edit tool in Support Tools can be used to add a container in which to the list printers that are published in Active Directory. By doing so, users can either find the folder that contains the printers in My Network Places or add a network place to the folder that contains the printers. To create a Printers container in which to list your printers in Active Directory: 1. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit. 2. Expand Domain NC [DomainName], and then click DC=Domain, DC=com. 3. On the Action menu, point to New, and then click Object. 4. In the Select a class box, click container, and then click Next. 5. In the Value box, type Printers, and then click Next. 6. Click Finish. A CN=Printers container appears in the right pane of ADSI Edit. 7. Right-click CN=Printers, and then click Properties. 8. Click the Attributes tab. 9. In the Select a property to view box, click showInAdvancedViewOnly, and then click Clear. 10. In the Edit Attribute box, type false, click Set, and then click OK. 11. Quit ADSI Edit. 12. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Sanjo900@yahoo.com
The Printers container that you created appears in the list of directory objects. 13. On the View menu, click Advanced Features. 14. On the View menu, click Users, Groups, and Computers as containers. 15. Move the printers that you want to the Printers container. 16. Quit Active Directory Users and Computers. Note: The procedure in this article requires that printers are published in Active Directory.
How to publish a printer in AD

1. Log on to the computer as an administrator. 2. Click Start, point to Settings, and then click Printers. 3. In the Printers folder, right-click the printer that you want to publish in Active Directory, and then click Properties. 4. Click the Sharing tab, click Share As, and then either type a share name or accept the default name. Use only letters and numbers; do not use spaces, punctuation, or special characters. 5. Click to select the List in the Directory check box, and then click OK. 6. Close the Printers folder. NOTE: If you want to make this printer available to users who are running different versions of Windows, you must install additional drivers. To do so, click Additional Drivers on the Sharing tab of the Printer properties, and then select the appropriate items in the list.
How to replace the current primary DNS Server with a new Primary DNS Server in Windows 2000
When an existing DNS domain structure is in place, it may be necessary to replace the current primary DNS server with a new Windows 2000 DNS server. First install DNS on new windows 2000 Server and transfer the records
Transfer Records from the Current DNS Server 1. Open the DNS MMC and double-click W2K-DNS (the server name) to expand it. 2. Right-click Forward Lookup Zones, click New Zone to start the wizard, and then click Next. 3. Click Standard Secondary for the zone type, click Next, type the zone name (E.g. "microsoft.edu"), and then click Next. 4. Type the IP address of the current primary DNS server (in this example, 192.168.0.2), click Add, click Next, and then click Finish. 5. Right-click Reverse Lookup Zones, click New Zone to start the wizard, click Next, click Standard Secondary for the zone type, and then click Next. 6. In the Network ID box, type 192.168.0, and then click Next. 7. Type the IP address of the current primary DNS server (in this example, 192.168.0.2), click Add, click Next, and then click Finish.
Sanjo900@yahoo.com
Change the Role of a DNS Server to Primary Server After you transfer all of the records have been transferred, you must remove the old DNS server from the network, and set the DNS server as the primary DNS server. To set the DNS server as the primary DNS server 1. Open the DNS MMC and double-click W2K-DNS (the server name) to expand it. 2. Double-click Forward Lookup Zones, right-click the Microsoft.edu zone, and then click Properties. 3. Click the General tab, click Change under Type, and then click either Standard Primary or Active Directory Integrated as the new type, depending on whether or not this computer is a domain controller (DC). Click OK. 4. Change the setting under Allow Dynamic Updates to Yes if this server is for a Windows 2000 Domain. The server is now set as a primary DNS server for the DNS domain space. It may be necessary to change the IP address of the new server to match the IP address that the old DNS server used. This should be done to prevent having to make changes on all clients or secondary servers to point to a new IP address for the primary DNS server
Troubleshooting: You Are Unable to Transfer the Zone File

1. Verify the existing DNS server allows zone transfers. 2. Verify that the new DNS server IP address is allowed for zone transfers. 3. If the zone file is locked, the transfer should occur after a maximum of 10 minutes.
How to Verify the Creation of SRV Records for a Domain Controller

Using DNS Manager After you install Active Directory on a server running the Microsoft DNS service, you can use the DNS Manager Microsoft Management Console (MMC) snap-in to verify that the appropriate zones and resource records are created for each DNS zone. Active Directory creates its SRV records in the following folders: _msdcs/dc/_sites/default-first-site-name/_tcp _msdcs/dc/_tcp In these locations, an SRV record is displayed for the following services: _kerberos _ldap Using Nslookup 1. From your DNS server, type nslookup at a command prompt. 2. Type set type=all, and then press ENTER.
Sanjo900@yahoo.com

3. Type _ldap._tcp.dc._msdcs.domainname (where domainname is the name of your domain), and then press ENTER. Nslookup returns one or more SRV service location records in the following format Hostname.domainname Internet address = ipaddress Where hostname is the host name of a domain controller, domainname is the domain to which the domain controller belongs, and ipaddress is the DCs IP.
Configure the Windows 2000 Domain Name System to Age Records

When any records are orphaned, dynamic DNS on a Windows 2000-based server does not age these records by renaming them or by moving computers to different subnets out of their zones, unless the server is configured to perform this task. Orphans can occur if a group of computers are installed from an image, and then renamed at a later time on another subnet. The reverse look up pointers may not be deleted if the computer is disconnected from the network immediately after the installation. The automatic deletion of these records is possible by enabling the Aging and Scavenging feature on the DNS server. Enable Aging and Scavenging You need to enable the Aging and Scavenging feature at a server level, and optionally set the Aging feature on zones if you need different aging periods: 1. 2. 3. 4. Open the DNS manager. In the left pane, under the DNS icon, right-click the server name. Click Set Aging/Scavanging for all zones. Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.
To set the Aging feature on an individual zone: 1. Right-click the zone, and then click Properties. 2. Click Aging. 3. Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use. If the Aging feature is not enabled at the server level, and you attempt to enable the Aging feature at the zone level, the Aging feature does not work. After you select the appropriate aging periods and you enable the Scavenging feature on the server, outdated records are scavenged. Additionally, you can initiate the Scavenging feature if you right-click the server name in the left pane, click Scavenge Stale Resource Records, and then click YES when asked if you want to scavenge.
How to move Windows 2000 DNS Zones to Another Windows 2000-based Server
To move zone files from one server to another, follow these steps:
Sanjo900@yahoo.com

To use the following method, the Windows 2000 DNS Server service must be installed on a new Windows 2000-based server. The DNS Server service should not be configured yet. 1. On the DNS server that is currently hosting the DNS zone(s), change any Active Directoryintegrated zones to standard primary. This action creates the zone files that are needed for the destination DNS server. 2. Stop the DNS Server service on both DNS servers. 3. Manually copy the entire contents of the %SystemRoot%\System32\DNS folder from the source server to the destination server. 4. On the current DNS server, start Registry Editor. 5. Locate and click the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Zones 6. Export the Zones key to a registry file. 7. On the destination DNS server, double-click the registry file to import the Zones key into the registry. 8. Bring the current DNS server down and transfer its IP address to the destination DNS server. 9. On the destination DNS server, start the DNS Server service. To initiate the registration of the server's A and PTR resource records, run the following command at a command prompt: Ipconfig/registerdns 10. If this server is also a domain controller, stop and restart the Net Logon service to register the Service (SRV) records, or run the following command at a command prompt: Netdiag/fix 11. The standard zones that were previously Active Directory-integrated can be converted back to Active Directory-integrated on the replacement DNS server if it is a domain controller. 12. Verify that the SOA resource records on each zone contain the correct name for the primary server and that the NS resource records for the zone(s) are correct. The steps outlined in this article do not migrate the following DNS server settings: Interfaces, Forwarders, Advanced, Root Hints, Logging, Security
The host's "A" record is registered in DNS after you choose not to register the connection's address.
In Windows 2000, if you clear the Register this connection's address in DNS check box under Advanced TCP/IP Settings for a network interface, the IP address may register an A record for the host name in its primary DNS suffix zone. For example, this behavior may occur if you have the following configuration: The DNS service is installed on the server. The DNS server zone is example.com, where the example.com zone can be updated dynamically. The server host name is Server1.example.com, where Server1 has two network adapters that have IP addresses of 10.1.1.1 and 10.2.2.2.
If you click to clear the Register this connection's address in DNS check box on the network adaptor that has the IP address of 10.2.2.2 and then you delete the host record for Server1.example.com 10.2.2.2, the host record for Server1.example.com 10.2.2.2 is dynamically added back to the zone late. The unwanted registration of this record can be reproduced if you restart the DNS service on the server.
Sanjo900@yahoo.com
This is because, when the DNS service is installed on a computer that is running Windows 2000, it listens to all of the network interfaces that are configured by using TCP/IP. When DNS causes an interface to listen for DNS queries, the interface tries to register the host A record in the zone that matches its primary DNS suffix. The interface tries to register the host A record regardless of the settings that have been configured in the TCP/IP properties. This behavior is by design and can take place under the following circumstances: The DNS service is installed on the server whose configuration you are trying to change. The DNS zone that matches the primary DNS suffix of the server is enabled to update dynamically.
To resolve this, remove the interface from the list of interfaces that the DNS server listens on. To do so, follow these steps: 1. 2. 3. 4. 5. Start the DNS Management Microsoft Management Console (MMC). Right-click the DNS server, and then click Properties. Click the Interfaces tab. Under Listen on, click to select the Only the following IP addresses check box. Type the IP addresses that you want the server to listen on. Include only the IP addresses of the interfaces for which you want a host A record registered in DNS. 6. Click OK, and then quit the DNS Management MMC.
Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops
The client computer does not send dynamic Domain Name System (DNS) updates to the DNS server even though the Register this connection's address in DNS option is selected. You receive the following error forcing DNS registration: IPCONFIG /REGISTERDNS Windows 2000 IP Configuration Error: The system cannot find the file specified. : Refreshing DNS names
This is because: Dynamic DNS registration relies on the DHCP client service to perform dynamic updates. When you disable or set the DHCP client service to start manually, it prevents dynamic DNS updates from occurring. Even if the has a static IP, the DHCP client service must be running for dynamic DNS updates to occur. To resolve this issue, you must configure the DHCP client service to start automatically when your computer system starts.
Explain ADS Database Garbage Collection Process?
Sanjo900@yahoo.com

Garbage Collection is a process that is designed to free space within the Active Directory database. This process runs independently on every DC with a default lifetime interval of 12 hours. The Garbage Collection process has 3 main steps 1. Removing "tombstones" from the database. Tombstones are remains of objects that have been previously deleted.
(**When an object is deleted, it is not actually removed from the Active Directory database. It is marked for deletion at a later date. This then gets replicated to other DCs. When the tombstoneLifetime is over, the object is deleted.)
2. Deletion of any unnecessary log files. 3. The process launches a defragmentation thread to claim additional free space. There are two ways to defragment the Active Directory database in Windows 2000. Online Defragmentation method that runs as part of the garbage collection process. The only advantage to this method is that the server does not need to be taken offline for it to run. However, this method does not shrink the Active Directory database file (Ntds.dit). Offline Defragmentation: This is done by taking the server offline and use Ntdsutil.exe to defragment the database. This approach requires that the ADS database be started in repair mode. The advantage to this method is that the database is resized, unused space is removed, and the size is reflected by the Ntds.dit file.
How will you remove DC Server Object (In ADS Sites and Services) which is not removed After Demotion?
After demoting a DC, the object that represents the server in the Active Directory Sites and Services Manager snap-in remains. This issue occurs because the server object is a "container" in the Active Directory and may hold child objects that represent configuration data for other services installed on your computer. Because of this, the Dcpromo utility does not automatically remove the server object.
If the server object contains any child objects named "NTDS Settings," these are objects that represent the server as a DC and should be automatically removed by the demotion process. If this does not work, these objects must be removed by using the Ntdsutil utility before you delete the server object.
After verifying that all other services with a dependency on the server object have been removed an administrator can delete the server in Active Directory Sites and Services Manager. NOTE: This process may not finish successfully for either of the following reasons: If you receive a message that states the server is a container that contains other objects, verify that the appropriate decommissioning of services has completed before continuing.
Sanjo900@yahoo.com

If you receive a message that states the DSA object cannot be deleted, you may be attempting to delete an active DC.
How to Configure an Authoritative Time Server in Windows 2000?

Windows includes the W32Time Time service tool that is required by the Kerberos authentication protocol. The purpose of the Time service is to ensure that all computers that are running Windows 2000 in an organization use a common time. Windows-based computers use the following hierarchy by default: All client PCs and member servers nominate the authenticating DC as their in-bound time Server. DCs may nominate the PDC operations master as their in-bound time partner but may use a parent DC based on stratum numbering. All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
PDC operations master at the root of the forest becomes authoritative for the organization. This PDC can be configured to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative by using the following net time command: Net time /setsntp: server_list To reset the local computer's time against the authoritative time server for the domain: Net time /domain_name /set Net stop w32time W32tm once Net start w32time SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers. Administrators can also configure an internal time server as authoritative by using the net time command. If the administrator directs the command to the operations master, it may be necessary to reboot the server for the changes to take effect.
3. How will you remove Orphaned Domains from Active Directory?

Typically, when the last DC for a domain is demoted, the administrator selects this server is the last DC in the domain option in the DCPromo tool, which removes the domain meta-data from Active Directory.
Sanjo900@yahoo.com

Note: The administrator must verify that replication has occurred since the demotion of the last DC before manually removing the domain meta-data. Using the NTDSUTIL tool improperly can result in partial or complete loss of Active Directory functionality.
1. Determine the DC that holds the Domain Naming Master FSMO role. 2. Verify that all servers for the specified domain have been demoted. 3. At the command prompt: ntdsutil metadata cleanup connections connect to server servername (Servername is the name of the DC holding the Domain Naming Master FSMO Role) If an error occurs, verify that the DC being used in the connection is available and that the credentials you supplied have administrative permissions on the server. Quit Metadata Cleanup menu is displayed Select operation target List domains A list of domains in the forest is displayed, each with an associated number Select domain number Where number is the number associated with the domain to be removed Quit The Metadata Cleanup menu is displayed. Remove selected domain You should receive confirmation that the removal was successful. Quit You should receive confirmation that the connection disconnected successfully.
Loop back Processing of Group Policy

Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply GPOs that depend only on which computer the user logs on to.
Sanjo900@yahoo.com

To set user configuration per computer: In the Group Policy Microsoft Management Console (MMC), click Computer Configuration. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option. This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. Loopback is supported only in a purely Windows 2000 based environment. Both the computer account and the user account must be in Active Directory. Usually users in their OU have GPOs applied in order during logon, regardless of which computer they log on to. In some cases, this processing order may not be appropriate (E.g., when you do not want applications assigned to users to be installed while they are logged on to the computers in some specific OU). With the Group Policy loopback, you can specify some other ways to retrieve the list of GPOs for any user who logs on to any of the computers in this specific OU: Merge Mode Here, first the GPO for users is applied. Then the GPO for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs. Replace Mode In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.
SRV Records Missing After Implementing Active Directory and Domain Name System
When you implement Active Directory and Domain Name System (DNS), SRV records may be missing in the DNS Management console or database. This behavior occurs when the following conditions exist: The DNS server is configured as a Dynamic Host Configuration Protocol (DHCP) client. The DNS zone has a name other than your Active Directory domain name. The zone is not enabled to allow dynamic updates.
To resolve this issue, verify that all of the following conditions exist: Configure your DNS server to use a static Internet Protocol (IP) address. Create a forward lookup zone named after your Active Directory.
Sanjo900@yahoo.com

Enable your domain zone to allow dynamic updates.
If all of these conditions exist and you still do not see your SRV records, stop and start the Netlogon service. This action forces the DC to re-register the appropriate SRV records. Using the netdiag /fix command on the DC will verify that all SRV records that are in the Netlogon.dns file are registered on the primary DNS server.
Group Policy May Not Be Applied to Users Belonging to Many Groups

If a user is member of many groups either directly or because of group nesting, Kerberos authentication may not work. The Group Policy object (GPO) may not be applied to the user and the user may not be validated to use network resources. Because: The Kerberos token has a fixed size. If a user is a member of a group either directly or by membership in another group, the security ID (SID) for that group is added to the user's token. For a SID to be added to the user's token, it must be communicated by using the Kerberos token. If the required SID information exceeds the size of the token, authentication does not succeed. The number of groups varies, but the limit is approximately 70 to 80 groups. For many operations, Windows NTLM authentication succeeds; the Kerberos authentication problem may not be evident without analysis. However, operations that include GPO application do not work at all. To resolve this problem, obtain the latest service pack for Windows 2000.
Questions about Windows 2000 DNS

What are the common mistakes that are made when administrators set up DNS on network that contains a single Windows 2000 or Windows Server 2003 DC? The most common mistakes are: The DC is not pointing to itself for DNS resolution on all network interfaces. The "." zone exists under forward lookup zones in DNS. Other computers on the local area network (LAN) do not point to the Windows 2000 DNS server for DNS. Why do I have to point my DC to itself for DNS? The Netlogon service on the DC registers a number of records in DNS that enable other DCs and computers to find Active Directory-related information. If the DC is pointing to the Internet service provider's (ISP) DNS server, Netlogon does not register the correct records for Active Directory, and errors are generated in Event Viewer. The preferred DNS setting for the DC is itself; no other DNS
Sanjo900@yahoo.com

servers should be listed. The only exception to this rule is with additional DCs. Additional DCs in the domain must point to the first DC (which runs DNS) that was installed in the domain and then to themselves as secondary. What does a DC register in DNS? The Netlogon service registers all the SRV records for that DC. These records are displayed as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name. Other computers look for these records to find Active Directory-related information. Why can't I use WINS for name resolution like it is used in Microsoft Windows NT 4.0? A Windows 2000 DC does not register Active Directory-related information with a WINS server; it only registers this information with a DNS server that supports dynamic updates such as a Windows 2000 DNS server. Other Windows 2000-based computers do not query WINS to find Active Directory-related information. If I remove the ISP's DNS server settings from the DC, how does it resolve names such as Microsoft.com on the Internet? As long as the "." zone does not exist under forward lookup zones in DNS, the DNS service uses the root hint servers. The root hint servers are well-known servers on the Internet that help all DNS servers resolve name queries. What is the "." zone in my forward lookup zone? This setting designates the Windows 2000 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet. Do I need to configure forwarders in DNS? By default, Windows 2000 DNS use the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. In most cases, when you configure forwarders, DNS performance and efficiency increases, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems. The root hint server can provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection. Should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers? No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the DC in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 DC running DNS. If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN. Do I need to point computers that are running Windows NT 4.0 or Microsoft Windows 95,
Sanjo900@yahoo.com

Microsoft Windows 98, or Microsoft Windows 98 Second Edition to the Windows 2000 or Windows Server 2003 DNS server? Legacy operating systems continue to use NetBIOS for name resolution to find a DC; however it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution. What if my Windows 2000 or Windows Server 2003 DNS server is behind a proxy server or firewall? If you are able to query the ISP's DNS servers from behind the proxy server or firewall, Windows 2000 and Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP Port 53 should be open on the proxy server or firewall. What should I do if the DC points to itself for DNS, but the SRV records still do not appear in the zone? Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools from the Windows 2000 Server CD-ROM to run Netdiag.exe. How do I set up DNS for other DCs in the domain that are running DNS? For each additional DC that is running DNS, the preferred DNS setting is the parent DNS server (first DC in the domain), and the alternate DNS setting is the actual IP address of network interface. How do I set up DNS for a child domain? To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server. Set the child DNS server to point to itself only.
Domain Replication and the knowledge consistency checker

Since widows 2000 has multi master replication, maintaining consistency is a problem. KCC creates connections dynamically between the DCs and triggers replication. As the number of DCs increases, replication consumes more and more network bandwidth. The KCC balances the need for consistency against bandwidth limitation using the timely contact rule. This means that no DC is allowed to be more than 3 connections from any other DC. The KCC maintains domain consistency automatically. You can manually force the KCC to run immediately using the Repadmin.exe tool. To force the KCC on the server named server1.mydomain.com, you would issue the following command. Repadmin /kcc server1.mydomain.com Intersite replication relaxes the timely contact rule since replication between sites usually occurs over slower links. The KCC can be optimized for your particular intersite replication needs.
Sanjo900@yahoo.com

Bridgehead servers perform directory replication between two sites. Only two designated DCs talk to each other. These DCs are called bridgehead servers. If you have DCs from multiple domains, you will have a bridgehead server for each domain. Each Active Directory site also has one DC that takes the role of Inter-Site Topology Generator (ISTG), which reviews and generates the connection object for the bridgehead servers in each site. There is only one DC with this role in each site, even if you have multiple domains. The first DC in the site becomes the ISTG for the site by default. You can't controller which DC is the ISTG, but you can know which one is the ISTG: Open the Active Directory Sites and Services console. Select the site object. In the right pane right-click the NTDS Site Settings object and select Properties. The current role owner will appear in the Server box under Inter-Site Topology Generator on the Site Settings tab.
If the DC holding the ISTG role is offline for more than 60 minutes, another DC in the site will automatically take over this role.
Responding to operations master failures

Some of the operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem If an operations master is not available due to computer failure or network problems, you can seize the operations master role. In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again.
SCHEMA MASTER FAILURE
Temporary loss of the schema operations master will be visible only if we are trying to modify the schema or install an application that modifies the schema during installation. A DC whose schema master role has been seized must never be brought back online. To seize the schema master role 1. 2. 3. 4. 5. Click Start, click Run, and then type cmd. At the command prompt, type ntdsutil. At the ntdsutil prompt, type roles. At the fsmo maintenance prompt, type connections. At the server connections prompt, type connect to server, followed by the fully qualified domain name. 6. At the server connections prompt, type quit.
Sanjo900@yahoo.com

7. At the fsmo maintenance prompt, type seize schema master. 8. At the fsmo maintenance prompt, type quit. 9. At the ntdsutil prompt, type quit. DOMAIN NAMING MASTER FAILURE Temporary loss of the schema operations master will be visible only if we are trying to add a domain to the forest or remove a domain from the forest. A DC whose domain naming master role has been seized must never be brought back online. RELATIVE ID MASTER FAILURE Temporary loss of the schema operations master will be visible if you are creating objects and the domain in which you are creating the objects runs out of RIDs. A DC whose relative identifier master role has been seized must never be brought back online. PDC EMULATOR FAILURE The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not available, you may need to immediately seize the role. If the current PDC emulator master will be unavailable for an unacceptable length of time and its domain has clients without Windows 2000 client software, or if it contains Windows NT backup DCs, seize the PDC emulator master role to the standby operations master. When the original PDC emulator master is returned to service, you can return the role to the original DC. INFRASTRUCTURE MASTER FAILURE Temporary loss of the infrastructure master is not visible to network users or administrators either, unless they have recently moved or renamed a large number of accounts. If the infrastructure master will be unavailable for an unacceptable length of time, you can seize the role to a DC that is not a GC but is well connected to a GC, ideally in the same site as the current GC.
Explain about ADS Database

Active Directory includes 4 files. 1. NTDS.DIT This is the AD database and stores all AD objects. Default location is SystemRoot%\ntds\NTDS.DIT. Active Directory's database engine is the Extensible Storage Engine which is based on the Jet database and can grow up to 16 TB. NTDS.DIT, consists of the following tables
Sanjo900@yahoo.com

Schema Table The types of objects that can be created in the Active Directory, relationships between them, and the attributes on each type of object. This table is fairly static and much smaller than the data table. Link Table contains linked attributes, which contain values referring to other objects in the Active Directory. Take the MemberOf attribute on a user object. That attribute contains values that reference groups to which the user belongs. This is also far smaller than the data table. Data Table users, groups, application-specific data, and any other data stored in the Active Directory.
From a different perspective, Active Directory has three types of data Schema information Definitional details about objects and attributes that one CAN store in the AD. Replicates to all DCs. Static in nature. Configuration information Configuration data about forest and trees. Replicates to all DCs. Static as your forest is. Domain information Object information for a domain. Replicates to all DCs within a domain. The object portion becomes part of GC. The attribute values only replicates within the domain.
2. EDB.LOG This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log. Where nnnn is the increasing number starting from 1 3. EDB.CHK This is the checkpoint file used to track the data not yet written to database file. This indicates the starting point from which data is to be recovered from the logfile, in case of failure. 4. Res1.log and Res2.log This is reserved transaction log files of 20 MB (10 MB each) which provides the transaction log files enough room to shutdown if the other spaces are being used.
How will you do an Offline Defragmentation of Active Directory?

Active Directory routinely performs online database defragmentation, but this is limited to the disposal of tombstoned objects. The database file cannot be compacted while Active Directory is mounted. To defrag ntds.dit offline: Back up System State in the backup wizard. Reboot and select Directory Services Restore Mode At the command prompt: Ntdsutil
Sanjo900@yahoo.com

Files Info This will display current information about the path and size of the Active Directory database and its log files. Compact to D:\DbBackup\ You must specify a directory path and if the path name has spaces, the command will not work unless you use quotation marks Quit (till you reach the command prompt) A new compacted database named Ntds.dit can be found in D:\DbBackup Copy the new ntds.dit file over the old ntds.dit file. You have successfully compacted the Active Directory database.
Explain GC?
By default, a GC is created automatically on the first DC in the forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects of every other domain in the forest. The replica is partial because it stores only some attributes for each objects. The GC performs two key directory roles: It enables network logon by providing universal group membership information to a DC when a logon process is initiated. It enables finding directory information regardless of which domain in the forest actually contains the data.
When a user logs on to the network, the GC provides universal group membership information for the account sending the logon request to the DC. If a GC is not available the user is only able to log on to the local computer unless he is in the Domain Admins group. The GC is designed to respond to queries about objects with maximum speed and minimum network traffic. Because a single GC contains information about objects in all domains in the forest, a query about an object can be resolved by a GC in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries. Active Directory defines a base set of attributes for each object in the directory. Each object and some of its attributes (such as universal group memberships) are stored in the GC. Using Active Directory Schema, you can specify additional attributes to be kept in the GC.
GC and infrastructure master should not be on the same Server. Why?

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a GC. GCs receive regular updates for objects in all domains through replication, so the GC's data will always be up-to-date. If
Sanjo900@yahoo.com

the infrastructure master finds data that is out-of-date, it requests the updated data from a GC. The infrastructure master then replicates that updated data to the other DCs in the domain. Important 3. If the infrastructure master and GC are on the same DC, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so will never replicate any changes to the other DCs in the domain. 4. If all of the DCs in a domain are also hosting the GC, all of the DCs will have the current data and it does not matter which DC holds the infrastructure master role.
Explain Active Directory schema?

The Active Directory schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory. The definitions are themselves stored as objects so that Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory. There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata. Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but is defined once in the schema, assuring consistency. Classes, also referred to as object classes; describe the possible directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of an object class. Active Directory does not support deletion of schema objects; however, objects can be marked as deactivated, providing many of the benefits of deletion. The structure and content of the schema is controlled by the DC that holds the schema operations master role. A copy of the schema is replicated to all DCs in the forest. The use of this common schema ensures data integrity and consistency throughout the forest. Explain Kerberos V5 authentication process? Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user and network services. This dual verification is known as mutual authentication.
HOW KERBEROS V5 WORKS
Sanjo900@yahoo.com

The Kerberos V5 authentication mechanism issues tickets (A set of identification data for a security principle, issued by a DC for purposes of user authentication. Two forms of tickets in Windows 2000 are ticket-granting tickets (TGTs) and service tickets) for accessing network services. These tickets contain encrypted data, including an encrypted password, which confirms the user's identity to the requested service. An important service within Kerberos V5 is the Key Distribution Center (KDC) (A Kerberos V5 service that runs on a DC. It issues ticket-granting tickets (TGTs) and service tickets for obtaining network authentication in a domain). The KDC runs on each DC as part of Active Directory, which stores all client passwords and other account information. The Kerberos V5 authentication process works as follows: 1. The user on a client system, using a password authenticates to the KDC. 2. The KDC issues a special ticket-granting ticket (A ticket issued by the Kerberos V5 Key Distribution Center (KDC) for purposes of obtaining a service ticket from the ticket-granting service (TGS) to the client. The client system uses this TGT to access the ticket-granting service (TGS), which is part of the Kerberos V5 authentication mechanism on the DC. 3. The TGS then issues a service ticket to the client. 4. The client presents this service ticket to the requested network service. The service ticket proves both the user's identity to the service and the service's identity to the user.
KERBEROS V5 AND DCS

The Kerberos V5 services are installed on each DC, and a Kerberos client is installed on each Windows 2000 workstation and server. Every DC acts as a KDC. A Windows 2000 system uses a DNS lookup to locate the nearest available DC. That DC then functions as the preferred KDC for that user during the user's logon session. If the preferred KDC becomes unavailable, the Windows 2000 system locates an alternate KDC to provide authentication.
What are the Single master operations?

Active Directory supports multimaster replication of the directory data between all DCs in the domain. Some changes are impractical to perform in multimaster fashion, so only one DC, called the operations master, accepts requests for such changes. Because the operations master roles can be moved to other DCs within the domain or forest, these roles are sometimes referred to as Flexible Single Master Operations. In any Active Directory there are five operations master roles. Some roles must appear in every forest. Other roles must appear in every domain in the forest. FOREST-WIDE OPERATIONS MASTER ROLES
Sanjo900@yahoo.com

Every Active Directory forest must have the following roles: Schema master Domain naming master
There can be only one schema master and one domain naming master for the entire forest. Schema master The schema master DC controls all updates and modifications to the schema. Domain naming master Domain Naming Master DC controls the addition or removal of domains in the forest. DOMAIN-WIDE OPERATIONS MASTER ROLES Every domain in the forest must have the following roles: Relative ID master Primary DC (PDC) emulator Infrastructure master
E0ach domain in the forest can have only one RID master, PDC Emulator, and Infrastructure Master. Relative ID master The RID master allocates pool of relative IDs to each DC in its domain. Whenever a DC creates a user, group, or computer object, it assigns a unique security ID to that object. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain), and a relative ID that is unique for each security ID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the DC acting as the relative ID master of the domain that currently contains the object. PDC emulator For pre-W2K clients, the PDC emulator acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. In native-mode, the PDC emulator receives preferential replication of password changes performed by other DCs in the domain. If a password was recently changed, that change takes time to replicate to every DC in the domain. If a logon authentication fails at another DC due to a bad password, that DC will forward the authentication request to the PDC emulator before rejecting the log on attempt.
Sanjo900@yahoo.com

Infrastructure master The infrastructure master is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one DC acting as the infrastructure master in each domain. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. The infrastructure master distributes the update via multimaster replication. There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.
How the Local User Accounts Are Handled When a Server Is Promoted to a DC
When a server is promoted to a DC, the server no longer uses the local SAM database to store users and groups. When the promotion is complete, DC will store users, groups, and computer accounts in Active Directory database. The SAM database is present, but it is inaccessible when the server is running in Normal mode. But SAM database is used when you boot into Directory Services Restore Mode or the Recovery Console. If this new DC is the first DC in a new domain, all of the local user accounts in the SAM database are migrated to the Active Directory. All permissions that had been assigned to the local users, such as, NTFS permissions, are retained.
Can we run DC promo on a server in which NAT is installed?

When you attempt to promote or demote a DC with dcromo, you may receive the following error message: Active Directory Installation failed The operation failed because: Failed to modify the necessary properties for the machine account Servername$ The specified server cannot perform the requested operation. This can happen when the server is using Network Address Translation: and it can be caused by the H.323/LDAP Proxy Service. To resolve this behavior, install SP1 or disable the H.323/LDAP proxy service with the following command: Do not use NAT on a network with other DCs, DNS servers, Gateways, DHCP servers, or Systems configured for static IP because of possible conflict with other services. Do not connect NAT directly to a corporate network because Kerberos authentication, IPSec, and Internet Key Encryption (IKE) will not work.
Sanjo900@yahoo.com

Enable Debug Logging in the Microsoft Directory Synchronization Services Tool
When you troubleshoot synchronization issues in the MSDSS tool, you can enable debug logging to capture detailed information about the synchronization process. Enabling Detailed MSDSS Logging, go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msdss\
Create a new REG_DWORD key DebugLogLevel and set value as 1 and restart the computer 1 activates logging, 0 turns logging off. The logging information is placed in the %Systemroot%\System32\Directory Synchronization\Session Logs folder. The log files are labeled as "Session#-#.log"
Replication Access Was Denied" Error Message When Attempting to Synchronize DCs
When you use the Active Directory Sites and Services snap-in from a child domain to force replication from a parent domain or another child domain at the same level, you may receive the following error message: The following error occurred during the attempt to synchronize the DCs: Replication Access was denied Domains in Active Directory are natural security boundaries. Administrative permissions do not flow down; they need to be assigned. When a child domain is created, the Enterprise Admin global group is added to the built-in Administrators group of the child domain. This allows the administrator of the parent domain to administer and force replication from either the parent domain or the child domain, but the administrator in the child domain is only able to force replication from within his or her own domain. To resolve this issue, give the administrator in the child domain permissions to the parent domain from which you want to force replication. Add his to Administrators group in parent domain
Repeat these steps from each domain that you want to assign administrative permissions to. Keep in mind that parent domains are able to manage all of their child domains but you need to perform the steps described in this article for any child domains that want to manage the parent domain or other child domains on the same level.
Auditing Does Not Report Security Event for Resetting Password on DC
Sanjo900@yahoo.com

If you choose to audit success and failure with the "Audit account management" policy, the auditing does not report the expected success event in the Security log when an administrator resets the user password on a DC. This problem occurs because Remote Procedure Call (RPC) impersonation does not succeed when the Security service tries to send a message to the Eventlog service. SP2 will solve this problem.
RPC Error Messages Returned for Active Directory Replication When Time Is Out of Synchronization
When you are viewing the status of Active Directory replication between two DCs, the following messages may be displayed for the result of the last replication attempt: The RPC server is unavailable. -orThe RPC server is too busy to complete this operation. These error messages may be reported in the Event log through Replication Monitor. By default, W2K computers synchronize time with a time server. If the time server is not available and the time difference between DCs drifts beyond the skew allowed by Kerberos, authentication between the two DCs may not succeed and the RPC error messages can result. Synchronies time amongst DCs using net time Net time \\mypdc /set /y This synchronizes the local computer time with the server named Mypdc. The /set - Time not only be queried, but synchronized with the specified server. The /y switch skips the confirmation for changing the time on the local computer
How to Change the Recovery Console Administrator Password on a DC

When you promote a Windows 2000 Server-based computer to a DC, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion. The Administrator password that you use when you start Recovery Console or when you press F8 to start Directory Service Restore Mode is stored in the SAM on the local computer. The SAM-based account and password is computer specific and they are not replicated to other DCs in the domain. To change the local Administrator password that you use when you start Recovery Console or when you start Directory Service Restore Mode, use one of the following methods.
Sanjo900@yahoo.com

Method 1 In a DC use the %systemroot%\system32\Setpwd.exe (SP2 or Later) utility to change the SAMbased Administrator password. To change the SAM Administrator password on a remote DC, type the following command Setpwd /s: servername Method 2 Restart the DC in Directory Service Restore Mode. Use the command net user administrator * or Local User and Groups
Who can "Log On locally" to a DC

By default Account Operators, Administrators, Backup Operators, Print Operators, Server Operators, Internet Guest Account, and Terminal Services User Account are assigned the log on locally right
How Conflicts Are Resolved in Active Directory Replication

All computers that provide multi-master updates must deal with potential conflicts that may arise when concurrent updates originating on two separate master replicas are inconsistent. There are three types of conflicts: Attribute value: An object's attribute is set concurrently to one value at one master, and another value at a second master. Add/move under a deleted container object or the deletion of a non-leaf object: Essentially, this conflict is a situation in which one master records the deletion of a container object, while another master records the placement of another object subordinate to that deleted object. Sibling name conflict: This conflict occurs when one replica attempts to move an object into a container in which another replica has concurrently moved another object with the same relative display name (RDN).
Active Directory orders all update by assigning a globally unique stamp to the originating update. If there is a conflict, the ordering of stamps allows a consistent resolution. This approach is used in the following ways: Attribute value: The value whose update operation has the larger stamp wins. Add/move under a deleted container object or the deletion of a non-leaf object: After resolution at all replicas, the container object is deleted, and the leaf object is made a child of the folder's special Lost&Found container. Stamps are not involved in this resolution. Sibling name conflict: The object with the larger stamp keeps the RDN. The sibling object is assigned a unique RDN by the computer. This does not conflict with any client-assigned value [using a reserved character (the asterisk), the RDN, and the object's GUID].
Sanjo900@yahoo.com
How to Modify the Default Intra-Site DC Replication Interval

When a DC writes a change to its local copy of the Active Directory, a timer is started that determines when the DC's replication partners should be notified of the change. By default, this interval is 5 minutes. When this interval elapses, the DC initiates a notification to each intra-site replication partner that it has changes that need to be propagated. Another configurable parameter determines the number of seconds to pause between notification. This parameter prevents simultaneous replies by the replication partners. By default, this interval is 30 seconds. Both of these intervals can be modified by editing the registry. To modify the delay between the change to the Active Directory and first replication partner notification, use Registry Editor to modify value data for the "Replicator notify pause after modify (secs)" DWORD value in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
The default value data for the "Replicator notify pause after modify (secs)" DWORD value is 0x12c, which in hexadecimal format is 300 decimal (5 minutes). To modify the notification delay between DCs, use Registry Editor to modify value data for the "Replicator notify pause between DSAs (secs)" DWORD value in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
The default value data for the "Replicator notify pause between DSAs (secs)" DWORD value is 0x1e, which in hexadecimal format is 30 decimal (30 seconds).
Resetting Computer Accounts in Windows 2000 and Windows XP

For each Windows 2000/XP PC that is a member of a domain, there is a discrete communication channel, known as the secure channel, with a DC. The secure channel's password is stored along with the computer account on all DCs. Default computer account password change period is every 30 days. If the computer account's password and the LSA secret are not synchronized, the Netlogon service logs one or both of the following errors messages: The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$. The following error occurred: Access is denied. NETLOGON Event ID 3210: Failed to authenticate with \\DOMAINDC, a Windows NT DC for domain DOMAIN. The Netlogon service on the DC logs the following error message when the password is not synchronized: NETLOGON Event 5722: The session setup from the computer %1 failed to authenticate. The name of the account referenced in the security database is %2. The following error occurred: %n%3
Sanjo900@yahoo.com

We can reset computer password using Active Directory Users and Computers MMC. Right-click the computer object and then click Reset Account. Resetting the password for DCs using this method is not allowed. Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain. This will prevent an established computer from connecting to the domain and should only be used for a computer that has just been rebuilt.
Distinguishing a DC from a Windows 2000 Member Server

The \NTDS registry key exists in the HKLM\SYSTEM\CCS\SERVICES portion of the registry. The SYSVOL and NETLOGON shares exist. (The SYSVOL share and its contents exist after demotion of a DC.) NBTSTAT shows that the 1C name (Domain) has been registered. Type nbtstat -n from a command prompt and note the presence of the 1C name. The computer role from the NET ACCOUNTS utility lists the computer role as "PRIMARY" and standalone servers as "SERVERS." Type net accounts from the command prompt. The NET START command indicates that the Kerberos Key Distribution Center (KDC) service is running. Type net start |more. The computer responds to LDAP queries (specifically, to port 389 or 3268). The "Connect to server %S" command in Ntdsutil.exe functions only against Windows 2000 DCs. The Change button on the Network Identification tab in My Computer is disabled when Windows 2000 is configured as a DC. A note appears indicating this. Run Netdiag (a Resource Kit utility) and observe the "Machine is a Primary DC" entry in the output. Type netdiag /v from the command prompt.
The Role of the Inter-Site Topology Generator in Active Directory Replication

The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between DCs. This article describes the role of one server per site, known as the Inter-Site Topology Generator, which is responsible for managing the inbound replication connection objects for all bridgehead servers in the site in which it is located.
When the KCC on each DC generates the intra-site topology for the site in which it resides, the KCC create a connection object in the Active Directory only when a connection object is required for the local computer. These changes propagate to other DCs through the normal replication process. Each DC uses the same algorithm to compute the replication topology, and in a state of equilibrium between DCs, each should arrive at the same result in respect to what the replication topology should be. In the process, each DC creates its own connection objects. Connection objects for bridgehead servers for inter-site replication are created differently. The KCC on one DC in each site is responsible for reviewing the inter-site topology and creating inbound replication connection objects as necessary for bridgehead servers in the site in which it resides. This DC is known as the Inter-Site Topology Generator (ISTG). The DC holding this role may not necessarily be a bridgehead server. When the ISTG determines that a connection object needs to be modified on a given bridgehead server in the site, the ISTG makes the change to its local Active Directory copy. As part of the normal intra-site replication process, these changes propagate to the bridgehead servers in the site. When
Sanjo900@yahoo.com

the KCC on the bridgehead server reviews the topology after receiving these changes, it translates the connection objects into replication links that Active Directory uses to replicate data from remote bridgehead servers. The current owner of the ISTG role is communicated through the normal Active Directory replication process. Initially, the first server in the site becomes the ISTG for the site. The role does not change as additional DCs are added to the site until the current ISTG becomes unavailable. The current ISTG notifies every other DC in the site that it is still present by writing the "interSiteTopologyGenerator" attribute on the NTDS Settings object under its DC object in the Configuration naming context in Active Directory at a specified interval. As this attribute gets propagated to other DCs by Active Directory replication, the KCC on each of these computers monitors this attribute to verify that it has been written within a specified amount of time. If the amount of time elapses without a modification, a new ISTG takes over. In the event that a new ISTG needs to be established, each DC orders the list of servers in ascending order by their Globally Unique Identifier (GUID). The DC that is next highest in the list of servers from the current owner takes over the role, starts to write the "interSiteTopologyGenerator" attribute, and performs the necessary KCC processes to manage inbound connection objects for bridgehead servers. As DCs evaluate which server should assume the ISTG role, the selection begins again with the first DC listed in the site if the current server is the last server in the list. In the event that two DCs in the site believe that they own the ISTG role, there may be temporary state of inbound replication connection objects being created by two computers. However, once replication occurs and all DCs receive the change identifying the new ISTG, the KCC on the ISTG adjusts the topology as appropriate.

Active Directory Overview

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Active Directory Overview

Uploaded by

Copyright:

Available Formats

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

What is Active Directory?

Introducing domain trees and forests

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Explain the role of Global Catalog Server in a Domain?

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

GC and infrastructure master should not be on the same Server. Why?

Explain Active Directory schema?

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Explain Sites. What are the advantages of Sites?

Minimum Requirement for Installing AD

How will you verify whether the AD installation is proper?

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Explain User and Computer naming in AD?

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

What are the FSMO roles and explain their functions?

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

How will you place the FSMO roles?

Configure DNS Dynamic Update in Windows 2000

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Create and Configure a Site Link in Active Directory in Windows 2000

How to Create a DNS Entry for the Web Server

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

How to Configure a Secondary Name Server in Windows 2000

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Troubleshooting: The DNS server does not load the zone

How to set up a One-Way Non-Transitive Trust in Windows 2000

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

How to create a Container to List Printers in Active Directory

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

How to publish a printer in AD

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Troubleshooting: You Are Unable to Transfer the Zone File

How to Verify the Creation of SRV Records for a Domain Controller

Sanjo Thomas, CCNA, MCSE, MCDBA

This is a rough copy. Corrections required - Sanjo

Configure the Windows 2000 Domain Name System to Age Records