44053619-interview-q

Upload: srivatsanece

Post on 03-Jun-2018


  • 8/12/2019 44053619-Interview-q

    1/32

    WINDOWS SERVER INTERVIEW QUESTIONS

1) What are the different file systems in Windows NT based systems? --- FAT, FAT32, NTFS

2) Difference between FAT16, FAT32 and NTFS file systems ----

Properties of FAT16

Supports partition sizes of up to 2.1 GB under MS-DOS and 4.0 GB under Windows NT 4.0.

Each partition may contain a maximum of 65,536 files.

Restricted to 512 entries in the root directory of the hard drive and 112 entries in the root partition of a floppy disk.

No built-in support for long file names - Windows 95/98 VFAT writes additional entries to a modified file allocation table containing the long filename (up to 255 characters); this reduces the maximum number of entries in the root directory.

Advantages

Compatible with operating systems other than DOS (including Windows 95, Windows 98, and Windows NT).

No size overhead.

Disadvantages

Large cluster size results in poor use of drive space for large partitions. No compression available under Windows NT.

Minimal security - may only set the read-only and hidden attributes of files.

Updating the FAT table is slow - performance decreases as partition sizes become greater than a few hundred MB.

Properties of FAT32

Theoretical maximum partition size of 2048 GB.

Each partition may contain a maximum of 2,09… files.


Small cluster size (as small as 4K).

Relocatable root directory allows for a greater number of entries.

The file allocation table (FAT) and master boot record (MBR) may be relocated.

Backup copies of the FAT and MBR may be created with the proper tool.

May disable writing to the secondary FAT; can run directly from the secondary FAT if the primary FAT lies on a bad cluster.

Disadvantages

Only compatible with Windows 95 OSR2/98 - not accessible if a FAT32 partition is booted from media formatted under any operating system other than Microsoft Windows 95 OSR2 or Windows 98.

Some size overhead - best used with larger hard drives.

Not compatible with many existing disk utilities.

Properties of NTFS

Partition support for up to 16 exabytes.

C2 level security (suitable for government use).

Long file names supported.

Advantages

Small cluster size.

Performance does not degrade as partition size increases.

Compression on the directory and file levels.

Automatic bad cluster remapping.

Little need for drive repair utilities.

Disadvantages

Only compatible with Windows NT, 2000, or XP.

Large overhead - should not be used with drives smaller than 400 MB.

Not possible to format a removable diskette (floppy/Zip/CD-R) with the NTFS file system.

Cluster Size vs. Partition Size

The table below shows the partition and cluster size differences of each of the file system types.

NOTE: FAT16 partition sizes greater than 2.1 GB are only supported under Windows NT 4.0.

Partition Size         Cluster Size FAT16   Cluster Size FAT32   Cluster Size NTFS
16 MB - 128 MB         2K                   -                    512 bytes
128 MB - 255 MB        4K                   -                    512 bytes
256 MB - 511 MB        8K                   -                    512 bytes
512 MB - 1023 MB       16K                  4 KB                 1K
1024 MB - 2048 MB      32K                  4 KB                 2K
2048 MB - 4096 MB      64K                  4 KB                 4K
4096 MB - 8192 MB      -                    4 KB                 8K
8192 MB - 16384 MB     -                    8 KB                 16K
16384 MB - 32… MB      (remaining cells unreadable in the original)

The advantage of a domain is that you have a dedicated server to log/track all users and shares via Active Directory, and you can also use this server for other things such as a SQL server and/or SBS etc. The disadvantage to this is the cost and maintenance required to keep this configuration running.

A Workgroup has no dedicated server(s) to track users and such; it's all done via each client machine on the LAN, and this includes shared objects and user logons. Advantage: cheaper to run and maintain, as you only need two machines running in the same workgroup to be called a workgroup.

Domain

Advantages
1. One location for all user accounts, groups and computers; passwords are the same for all computers.
2. Easier and quicker to maintain.
3. Scales easier if you add more users and computers.

Disadvantages
1. Requires a Windows server.
2. Complex to set up.

Workgroup

Advantages
1. Useful for small networks (10 or less computers).
2. Very easy to set up.
3. No additional knowledge required.
4. No server required.

Disadvantages
1. Need to set up an account and password on each and every machine.
2. Passwords can become out of sync if changed on one computer and not others.
3. Not easily scalable. If using more than 10 computers, the number of accounts to set up increases a lot more.
4. More time required to set up new users.
5. If using file sharing, you may reach the 10 max simultaneous connections limit.

Source: http://www.ntcompatible.com/thread29911-1.html

4) Difference between Winnt4.0 Domain and Win2K ADS domain Model. ----

Win 2003                   Win 2000
NTFS 5                     NTFS 5.2
Rename - Most Important    No rename
32 trillion                60 million
Large disk                 Mini
Better remote connect      Not much
IIS 6                      IIS 5

5) Which is the latest SP for Winnt4.0? ---

Ans: SP6a

6) What are PDC and BDC? Highlight the difference between PDC and BDC ---

A PDC is a Primary Domain Controller, and a BDC is a Backup Domain Controller. You must install a PDC before any other domain servers. The Primary Domain Controller maintains the master copy of the directory database and validates users. A Backup Domain Controller contains a copy of the directory database and can validate users. If the PDC fails then a BDC can be promoted to a PDC. Possible data loss is user changes that have not yet been replicated from the PDC to the BDC. A PDC can be demoted to a BDC if one of the BDCs is promoted to the PDC.


All these files MUST be in the root directory of the system partition

File (attributes: H hidden, R read-only, S system) - Function:

Ntldr (H, R, S) - Loads the OS.

Boot.ini (R, S) - Builds the OS Loader V5.00 Operating System Selection menu.

Bootsect.dos (H) - Loaded by Ntldr if another OS (MS-DOS, Windows 95, OS/2 1.x) is selected instead of Windows NT. Contains a copy of the boot sector that was on the hard disk before installing Windows NT.

NTdetect.com (H, R, S) - Used to examine available hardware and to build a hardware list. Information is passed back to Ntldr to be added to the registry later in the boot.

NTbootdd.sys (H, R, S) - Only on systems booting from a BIOS-disabled SCSI hard disk. The driver accesses devices attached to the SCSI adapter during the Windows NT boot sequence.

11) What are the two types of disk systems?

Ans: Basic and Dynamic

12) What are the different versions of Win2K OS? Ans: Win 2000 Pro, Win 2K Server, Adv Srv, Data Centre

13) What is the latest SP for Win2K?

Ans: Service Pack 4

14) What are FSMO roles? Explain each FSMO role.

Overview of FSMO Roles

There are five different FSMO roles and they each play a different function in making Active Directory work:


PDC Emulator - This role is the most heavily used of all FSMO roles and has the widest range of functions. The domain controller that holds the PDC Emulator role is crucial in a mixed environment where Windows NT 4.0 BDCs are still present. This is because the PDC Emulator role emulates the functions of a Windows NT 4.0 PDC. But even if you've migrated all your Windows NT 4.0 domain controllers to Windows 2000 or Windows Server 2003, the domain controller that holds the PDC Emulator role still has a lot to do. For example, the PDC Emulator is the root time server for synchronizing the clocks of all Windows computers in your forest. It's critically important that computer clocks are synchronized across your forest because if they're out by too much then Kerberos authentication can fail and users won't be able to log on to the network. Another function of the PDC Emulator is that it is the domain controller to which all changes to Group Policy are initially made. For example, if you create a new Group Policy Object (GPO) then this is first created in the directory database and within the SYSVOL share on the PDC Emulator, and from there the GPO is replicated to all other domain controllers in the domain. Finally, all password changes and account lockout issues are handled by the PDC Emulator to ensure that password changes are replicated properly and account lockout policy is effective. So even though the PDC Emulator emulates an NT PDC (which is why this role is called PDC Emulator), it also does a whole lot of other stuff. In fact, the PDC Emulator role is the most heavily utilized FSMO role, so you should make sure that the domain controller that holds this role has sufficiently beefy hardware to handle the load. Similarly, if the PDC Emulator role fails then it can potentially cause the most problems, so the hardware it runs on should be fault tolerant and reliable. Finally, every domain has its own PDC Emulator role, so if you have N domains in your forest then you will have N domain controllers with the PDC Emulator role as well.

RID Master - This is another domain-specific FSMO role, that is, every domain in your forest has exactly one domain controller holding the RID Master role. The purpose of this role is to replenish the pool of unused relative IDs (RIDs) for the domain and prevent this pool from becoming exhausted. RIDs are used up whenever you create a new security principal (user or computer account) because the SID for the new security principal is constructed by combining the domain SID with a unique RID taken from the pool. So if you run out of RIDs, you won't be able to create any new user or computer accounts, and to prevent this from happening the RID Master monitors the RID pool and generates new RIDs to replenish it when it falls beneath a certain level.
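The SID construction and pool replenishment just described, as an added example that is not part of these notes: build_sid, split_sid, RidPool and create_principals are names chosen here, the domain SID and the pool bounds are constructed values, and the low-water threshold is a simplification of how a DC asks the RID Master for a fresh block.

```python
# Added example, not from the interview notes: how a principal's SID is formed from
# the domain SID plus a RID, and how a DC's local RID pool behaves with and without
# the RID Master available. The domain SID and pool sizes below are constructed.
import re

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed sample
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def build_sid(domain_sid: str, rid: int) -> str:
    """Combine the domain SID with a RID to form a security principal's SID."""
    if not _SID_RE.match(domain_sid):
        raise ValueError("malformed domain SID")
    if rid < 0:
        raise ValueError("RID must be non-negative")
    return f"{domain_sid}-{rid}"


def split_sid(sid: str) -> tuple:
    """Return (domain_sid, rid); the RID is the last sub-authority."""
    if not _SID_RE.match(sid):
        raise ValueError("malformed SID")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


class RidPool:
    """A DC's local block of RIDs. The RID Master hands each DC a disjoint block,
    so DCs can create principals concurrently without ever issuing the same SID."""

    def __init__(self, start: int, end: int, low_water: int, block: int):
        self.next_rid = start
        self.end = end              # exclusive upper bound of the current block
        self.low_water = low_water  # ask for a new block below this many RIDs
        self.block = block          # size of a block granted by the RID Master
        self.refills = 0

    def remaining(self) -> int:
        return self.end - self.next_rid

    def allocate(self, domain_sid: str, rid_master_online: bool) -> str:
        if self.remaining() == 0:
            raise RuntimeError("RID pool exhausted: no new users or computers")
        sid = build_sid(domain_sid, self.next_rid)
        self.next_rid += 1
        # The replenishment request only succeeds while the RID Master is reachable.
        if self.remaining() < self.low_water and rid_master_online:
            self.end += self.block
            self.refills += 1
        return sid


def create_principals(pool: RidPool, count: int, rid_master_online: bool) -> list:
    """Create up to `count` principals; stops early when the pool runs dry."""
    sids = []
    for _ in range(count):
        try:
            sids.append(pool.allocate(DOMAIN_SID, rid_master_online))
        except RuntimeError:
            break
    return sids


if __name__ == "__main__":
    healthy = create_principals(RidPool(1000, 1200, 50, 500), 300, True)
    orphaned = create_principals(RidPool(1000, 1200, 50, 500), 300, False)
    print(len(healthy), "created with RID Master online")    # 300
    print(len(orphaned), "created with RID Master offline")  # 200
    print(split_sid(healthy[0]))
```

With the RID Master reachable the pool is topped up once it drops below the threshold and all 300 accounts get unique SIDs; with it unreachable, creation stops dead at the 200 RIDs the DC already held, which is the failure mode the text warns about.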

Infrastructure Master - This is another domain-specific role and its purpose is to ensure that cross-domain object references are correctly handled. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly. As you can guess however, if your Active Directory deployment has only a single domain, then the Infrastructure Master role does no work at all, and even in a multi-domain environment it is rarely used except when complex user administration tasks are performed, so the machine holding this role doesn't need to have much horsepower at all.

Schema Master - While the first three FSMO roles described above are domain-specific, the Schema Master role and the one following are forest-specific and are found only in the forest root domain (the first domain you create when you create a new forest). This means there is one and only one Schema Master in a forest, and the purpose of this role is to replicate schema changes to all other domain controllers in the forest. Since the schema of Active Directory is rarely changed however, the Schema Master role will rarely do any work. Typical scenarios where this role is used would be when you deploy Exchange Server onto your network, or when you upgrade domain controllers from Windows 2000 to Windows Server 2003, as these situations both involve making changes to the Active Directory schema.

Domain Naming Master - The other forest-specific FSMO role is the Domain Naming Master, and this role resides too in the forest root domain. The Domain Naming Master role processes all changes to the namespace; for example, adding the child domain vancouver.mycompany.com to the forest root domain mycompany.com requires that this role be available, so if you can't add a new child domain or new domain tree, check to make sure this role is running properly.

To summarize then, the Schema Master and Domain Naming Master roles are found only in the forest root domain, while the remaining roles are found in each domain of your forest. Now let's look at best practices for assigning these roles to different domain controllers in your forest or domain.

15. What is the use of the PDC emulator in both Native and Mixed mode

PDC emulator

By default, Windows 2000 (Win2K) networks operate in a mixed mode, which lets both Win2K and Windows NT domain controllers coexist. During migration to Win2K, the mixed mode provides the functionality that lets NT domain controllers offer domain services. After you upgrade all NT domain controllers to Win2K, switch from mixed mode to native mode, which doesn't support NT domain controllers. However, before you switch to native mode, you need to understand the differences between the two modes. Depending on your organization, when you convert to native mode can be a critical decision with major implications. It's a one-way conversion: there's no going back.

Mixed Mode: In mixed mode, a Win2K domain assigns a domain controller to act as a PDC for NT BDCs. By default, the first domain controller in a Win2K domain acts as a PDC emulator. There can be only one PDC emulator in a domain, and you can assign the role to any domain controller in a domain. The PDC emulator performs several important tasks in mixed mode, including:

Emulating a PDC and replicating account information to BDCs.

Handling account modifications, including password changes.

Acting as a master browser for NT clients.

Providing NT LAN Manager (NTLM) authentication services.

Supporting Active Directory (AD) replication to Win2K domain controllers and NTLM replication to BDCs.

If a Win2K site in mixed mode contains Win2K clients, make sure there's at least one Win2K domain controller in that site because the Win2K clients first attempt to locate Win2K domain controllers using DNS. If a client doesn't find a Win2K domain controller, it'll try to use NTLM to log on to an NT domain controller. Obviously, NT doesn't support group policies, so your Win2K client users won't be able to take advantage of either the group policies or the logon scripts.


Windows 2000 supports the following types of volumes, which can only be created on dynamic disks:

Simple Volumes - Formatted partition on a hard drive. Has no fault tolerance.

Spanned Volumes - Formatted partition or disk space on more than one partition or hard drive that appears as one volume. In Windows NT, this is called a volume set. Has no fault tolerance. The system or boot partitions cannot be included in a spanned volume. FAT, FAT32 and NTFS file systems may be included. Space from two to thirty-two dynamic disks can be included. If one disk on the spanned volume fails, all data is lost, and no part of a spanned volume may be removed without destroying the entire volume.

Striped Volumes - Also called disk striping or a striped set in Windows NT, it is when two areas of disk space which are identical in size have half the information written on one area and the other half written on the second area. This effectively doubles the disk access speed, but provides no fault tolerance. In Windows NT, this is called a stripe set, which is created on a basic disk.

Mirrored Volumes - Also known as RAID 1 or a mirror set on Windows NT, this is a fault tolerance method where data is stored on two volumes (that appear as one) rather than a single volume. This costs access time, but is fault tolerant.

RAID-5 Volumes - Require three or more areas of formatted drive space. Generating parity information can cost processor time.
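As an added example (not part of the notes), a byte-level model of the striped and RAID-5 layouts described above: striping spreads chunks across members with nothing to rebuild from, while RAID-5 stores XOR parity in every stripe so one failed member can be reconstructed and two cannot. STRIPE_UNIT, the function names and the payload are constructed; the parity rotation is the usual per-stripe rotation, simplified.

```python
# Added example, not from the interview notes: a byte-level model of a striped volume
# and a RAID-5 volume, to show why striping has no fault tolerance while RAID-5 can
# rebuild one failed member from XOR parity. Stripe unit and payload are constructed.
from typing import List, Optional

STRIPE_UNIT = 4   # bytes per chunk; constructed (real volumes use e.g. 64 KB)


def _chunks(data: bytes) -> List[bytes]:
    """Split data into fixed-size chunks, zero-padding the last one."""
    out = []
    for i in range(0, len(data), STRIPE_UNIT):
        c = data[i:i + STRIPE_UNIT]
        out.append(c + b"\x00" * (STRIPE_UNIT - len(c)))
    return out


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together: the parity RAID-5 computes per stripe."""
    acc = bytearray(STRIPE_UNIT)
    for b in blocks:
        for i, byte in enumerate(b):
            acc[i] ^= byte
    return bytes(acc)


def stripe_write(data: bytes, n_disks: int) -> List[List[bytes]]:
    """Striped volume: chunks go round-robin across members, nothing redundant."""
    disks = [[] for _ in range(n_disks)]
    for idx, chunk in enumerate(_chunks(data)):
        disks[idx % n_disks].append(chunk)
    return disks


def stripe_read(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """Read a striped volume; any failed member (None) means the data is gone."""
    if any(m is None for m in disks):
        raise RuntimeError("striped volume: a failed member loses the whole volume")
    out = bytearray()
    for s in range(max(len(m) for m in disks)):
        for m in disks:
            if s < len(m):
                out += m[s]
    return bytes(out[:length])


def raid5_write(data: bytes, n_disks: int) -> List[List[bytes]]:
    """RAID-5: each stripe holds n-1 data chunks plus one parity chunk, and the parity
    position rotates so no single member carries all the parity."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs three or more members")
    per_stripe = n_disks - 1
    chunks = _chunks(data)
    disks = [[] for _ in range(n_disks)]
    for s, start in enumerate(range(0, len(chunks), per_stripe)):
        row = chunks[start:start + per_stripe]
        row += [bytes(STRIPE_UNIT)] * (per_stripe - len(row))   # pad short last stripe
        parity_disk = s % n_disks
        data_iter = iter(row)
        for d in range(n_disks):
            disks[d].append(xor_blocks(row) if d == parity_disk else next(data_iter))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """Read back the data, rebuilding a single failed member (None) from parity."""
    failed = [d for d, m in enumerate(disks) if m is None]
    if len(failed) > 1:
        raise RuntimeError("RAID-5: two failed members; data lost")
    n_disks = len(disks)
    n_stripes = max(len(m) for m in disks if m is not None)
    out = bytearray()
    for s in range(n_stripes):
        row = [m[s] if m is not None else None for m in disks]
        if failed:   # the missing chunk is the XOR of all the surviving ones
            row[failed[0]] = xor_blocks([c for c in row if c is not None])
        parity_disk = s % n_disks
        out += b"".join(row[d] for d in range(n_disks) if d != parity_disk)
    return bytes(out[:length])
```

The XOR in xor_blocks is the "parity information" the text says costs processor time; it runs once per stripe on every write and again for every stripe during a rebuild, which is also why a degraded RAID-5 volume reads slower than a healthy one.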

24) What are local, global and universal groups in an ADS domain?

25) What is the database for ADS services?

26) What is Sysvol used for?

The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain.

Note:

Only the Group Policy template (GPT) is replicated by SYSVOL. The Group Policy container (GPC) is replicated through Active Directory replication. To be effective, both parts must be available on a domain controller.

FRS monitors SYSVOL and, if a change occurs to any file stored on SYSVOL, then FRS automatically replicates the changed file to the SYSVOL folders on the other domain controllers in the domain.

The day-to-day operation of SYSVOL is an automated process that does not require any human intervention other than watching for alerts from the monitoring system. Occasionally, you might perform some system maintenance as you change your network.

This objective describes the basic tasks required for managing SYSVOL in order to maintain capacity and performance of SYSVOL, for hardware maintenance, or for data organization.

REPLMON is used to query and control replication and to view the location of the FSMO roles.

You can use the DSADiag utility to display the current list of cached servers that DSAccess is using (and thus supplying to DSProxy) and also to force DSAccess to refresh the server list. DSADiag, which is available from http://www.exinternals.com, is a single executable file. To use the utility, you must place the file in the \exchsrvr\bin directory. Executing DSADiag from a command window

28) What are the different types of backup in Windows 2000? ANS: Normal, Copy, Differential, Incremental, Daily

29) Explain by means of a scenario where you would require a tree, a child domain, an additional domain controller?

30) What is TCP/IP?

http://technet2.microsoft.com/WindowsServer/en/Library/551f0123-26a7-4ce5-be71-173e7aa79bd31033.mspx

31) What is Distributed File System?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the 'key' to a list of shares found on multiple servers on the network. Think of it as the home of all file shares with links that point to one or more servers that actually host those shares. DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability. Medium to large sized organizations are most likely to benefit from the use of DFS - for smaller companies it is simply not worth setting up since an ordinary file server would be just fine.

32) What is unattended installation in 2000?

33) What are the different types of RAID?

ANs: RAID 0 to 5: RAID 0 (Striped), RAID 1 (Mirrored), RAID 2, RAID 3, RAID 4, RAID 5

34) What do you mean by Clustering?

35) What is the Difference between OU & Group?

Organizational Units

An organizational unit is an administrative-level container, depicted in Figure 6.1, that is used to logically organize objects in Active Directory. The concept of the organizational unit is derived from the Lightweight Directory Access Protocol (LDAP) standard upon which Active Directory was built, although there are some conceptual differences between pure LDAP and Active Directory.

Figure 6.1 Active Directory organizational structure.

Objects within Active Directory can be logically placed into OUs as defined by the administrator. Although all user objects are placed in the Users folder by default and computer objects are placed in the Computers folder, they can be moved at any time.

NOTE

The default Users and Computers folders in Active Directory are not technically organizational units. Rather, they are technically defined as Container class objects. It is important to understand this point because these Container class objects do not behave in the same way as organizational units. To be able to properly utilize services such as Group Policies that depend on the functionality of OUs, it is recommended that you move your user and computer objects into an OU structure.

Group Membership Viewable by Users - Whereas OU visibility is restricted to administrators using special administrative tools, groups can be viewed by all users engaged in domain activities. For example, users who are setting security on a local share can apply permissions to security groups that have been set up on the domain level.

Membership in Multiple Groups - OUs are similar to a file system's folder structure. In other words, a file can reside in only one folder or OU at a time. Group membership, however, is not exclusive. A user can become a member of any one of a number of groups, and her membership in that group can be changed at any time.

Groups as Security Principals - Each security group in Active Directory has a unique Security ID (SID) associated with it upon creation. OUs do not have associated Access Control Entries (ACEs) and consequently cannot be applied to object-level security. This is one of the most significant differences because security groups allow users to grant or deny security access to resources based on group membership. Note, however, that the exception to this is distribution groups, which are not used for security.

Mail-Enabled Group Functionality - Through distribution groups and (with the latest version of Microsoft Exchange) mail-enabled security groups, users can send a single e-mail to a group and have that e-mail distributed to all the members of that group. The groups themselves become distribution lists, while at the same time being available for security-based applications. This concept is elaborated further in the "Distribution Group Design" section later in this chapter.

Group Types: Security or Distribution

Groups in Windows .NET Server 2003 come in two flavors: security and distribution. In addition, groups can be organized into different scopes: machine local, domain local, global, and universal.

Security Groups

The type of group that administrators are most familiar with is the security group. This type of group is used to apply permissions to resources en masse so that large groups of users can be administered more easily. Security groups can be established for each department in an organization. For example, users in the Marketing department can be given membership in a Marketing security group, as shown in Figure 6.3. This group is then allowed to have permissions on specific directories in the environment.

Figure 6.3 Security group permission sharing.

This concept should be familiar to anyone who is used to administering down-level Windows networks such as NT or Windows 2000. As you will soon see, however, some fundamental changes in Windows .NET Server 2003 change the way that these groups function.

As previously mentioned, security groups have a unique Security ID (SID) associated with them, much in the same way that individual users in Active Directory have an SID. The uniqueness of the SID is utilized to apply security to objects and resources in the domain. This concept also explains why you cannot simply delete and rename a group to have the same permissions that the old group previously maintained.

Distribution Groups

The concept of distribution groups in Windows .NET Server 2003 was introduced in Windows 2000 along with its implementation of Active Directory. Essentially, a distribution group is a group whose members are able to receive Simple Mail Transfer Protocol (SMTP) mail messages that are sent to the group. Any application that can use Active Directory for address book lookups can utilize this functionality in Windows .NET Server 2003.

Distribution groups are often confused with mail-enabled groups, a concept in environments with Exchange 2000. In addition, in most cases distribution groups are not utilized in environments without Exchange 2000 because their functionality is limited to infrastructures that can support them.

NOTE

In environments with Exchange 2000, distribution groups can be utilized to create e-mail distribution lists that cannot be utilized to apply security. However, if separation of security and e-mail functionality is not required, you can make security groups mail-enabled.

Mail-Enabled Groups

With the introduction of Exchange 2000 into an Active Directory environment comes a new concept: mail-enabled groups. These groups are essentially security groups that are referenced by an e-mail address, and can be used to send SMTP messages to the members of the group. This type of functionality becomes possible only with the inclusion of Exchange 2000 or higher. Exchange 2000 actually extends the forest schema to allow for Exchange-related information, such as SMTP addresses, to be associated with each group.

Most organizations will find that mail-enabled security groups satisfy most of their needs, both security-wise and e-mail-wise. For example, a single group called Marketing that contains all users in that department could also be mail-enabled to allow Exchange users to send e-mails to everyone in the department.

Group Scope

There are four primary scopes of groups in Active Directory. Each scope is used for different purposes, but all simply serve to ease administration and provide a way to view or perform functions on large groups of users at a time. The group scopes are as follows:

Machine local groups

Domain local groups

Global groups

Universal groups


Group scope can become one of the most confusing aspects of Active Directory, and it can often require a doctorate degree in Applied BioGroupology to sort it all out. However, if certain design criteria are applied to group membership and creation, the concept becomes more palatable.

Machine Local Groups

Machine local groups are essentially groups that are built into the operating system and can be applied only to objects local to the machine in which they exist. In other words, they are the default local groups such as Power Users, Administrators, and the like created on a standalone system. Before networking simplified administration, local groups were used to control access to the resources on a server. The downside to this approach was that users needed to have a separate user account on each machine that they wanted to access. In a domain environment, utilizing these groups for permissions is not recommended because the administrative overhead would be overwhelming.

NOTE

Domain controllers in an Active Directory forest do not contain local groups. When the dcpromo command is run on a server to promote it to a domain controller, all local groups and accounts are deleted in favor of domain accounts. Essentially, the local groups and users are replaced with a copy of the domain groups and users. Any special permissions using local users must be reapplied using domain accounts.

Domain Local Groups

Domain local groups, a term that may seem contradictory at first, are domain-level groups that can be used to establish permissions on resources in the domain in which they reside. Essentially, domain local groups are the evolution of the old Windows NT local groups.

Domain local groups can contain members from anywhere in an Active Directory forest or any trusted domain outside the forest. A domain local group can contain members from any of the following:

Global groups

User accounts

Universal groups (in AD Native mode only)

Other domain local groups (nested, in Native mode only)

Domain local groups are primarily used for access to resources because different domain local groups are created for each resource and then other accounts and/or groups are added to them. This helps to readily determine which users and groups have access to a resource.

Global Groups

Global groups are the reincarnation of the NT global group, but with slightly different characteristics. These groups can contain the following types of objects:

User accounts

Global groups from their own domain (Native mode only)

Global groups are primarily useful in sorting users into easily identifiable groupings and using them to apply permissions to resources. What separates global groups from universal groups, however, is that global groups stop their membership replication at the domain boundary, limiting replication outside the domain.

Universal Groups

The concept of universal groups was new with the release of Windows 2000 and has become even more useful in Windows .NET Server 2003. Universal groups are just that: universal. They can contain objects from any trusted domain and can be used to apply permissions to any resource in the domain.

Universal groups are available only in Native Windows .NET Server 2003 or Windows 2000 modes and cannot be used in Interim or Windows NT Mixed mode. This is because Windows NT4 backup domain controllers (BDCs) cannot replicate the functionality present in universal groups.

Although simply making all groups within a domain into universal groups may seem practical, the limiting factor has always been that membership in universal groups is replicated across the entire forest. To make matters worse, Windows 2000 Active Directory universal group objects contained a single multi-entry attribute that defined membership. This meant that any time membership was changed in a universal group, the entire group membership was re-replicated across the forest. Consequently, universal groups were limited in functionality.

Windows .NET Server 2003 introduces the concept of incremental universal group membership replication, which accomplishes replication of membership in universal groups on a member-by-member basis. This drastically reduces the replication effects that universal groups have on an environment and makes the concept of universal groups more feasible for distributed environments.

    3) What is the Difference between &asic Dis Q Dynamic disB

    /asi+ Dis:s- A standard dis with standard "artitions 7"rimary and

    etended)$

    D3na4i+ Dis:s- Diss that ha0e dynamic mo!ntin ca"ability to addadditional local or remote "artitions or directories to a dis dri0e$ These are

    called dynamic 0ol!mes$ This is new with the Windows 2+++ o"eratin systemand is not s!""orted by any other o"eratin systems$ Any 0ol!me that is on

    more than one hard dri0e m!st be created with dynamic diss$ A dis canonly be con0erted from dynamic to basic by first deletin all the 0ol!mes in

    the dynamic dis$


hosts file

The hosts file, stored on the computer's filesystem, is used to look up the Internet Protocol address of a device connected to a computer network. The hosts file describes a many-to-one mapping of device names to IP addresses. When accessing a device by name, the networking system will attempt to locate the name within the hosts file if it exists. Typically, this is used as a first means of locating the address of a system, before accessing the Internet domain name system. The reason for this is that the hosts file is stored on the computer itself and does not require any network access to be used.

lmhost

A local hosts file used by Microsoft WINS clients such as Microsoft Windows 9x or Windows NT to provide mappings of IP addresses to NT computer names (NetBIOS names). The lmhost file is generally located in either the root Windows directory or the Windows\System32\drivers\etc directory and is called "lmhost.sam". The lmhost file will likely already contain data, such as commented instructions and examples similar to the example below.

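As an added example (not part of the original page), the lookup behaviour described above in code: a parser for the hosts and lmhosts file formats, with hosts consulted before DNS. The file contents are constructed samples; the lmhosts keywords #PRE and #DOM: are part of the lmhosts format, all address and name values are made up.

```python
"""Added example: parse hosts / lmhosts files and resolve names hosts-first."""

# Constructed sample hosts file: comments, a tab-separated entry, and two
# lines that map different names onto the same address (many-to-one).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
10.1.2.30       fileserver01 fileserver01.corp.example   # primary file server
10.1.2.31\tprintsrv
10.1.2.30       backup.corp.example                      # same host, second name
"""

# Constructed sample lmhosts file.  #PRE preloads the entry into the name
# cache; #DOM: marks a domain controller for the named domain.
SAMPLE_LMHOSTS = """\
# constructed sample lmhosts file
10.1.2.10   CORPDC01      #PRE #DOM:CORP      # domain controller, preloaded
10.1.2.30   FILESERVER01  #PRE
10.1.2.40   OLDSERVER                         # resolved on demand, not preloaded
"""


def parse_hosts(text):
    """Return (ip, name) pairs in file order; names are compared case-insensitively."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # in hosts, '#' always starts a comment
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:                   # one address may carry several names
            entries.append((fields[0], name.lower()))
    return entries


def lookup_hosts(entries, name):
    """First matching line wins, as when the file is scanned top down."""
    name = name.lower()
    for ip, n in entries:
        if n == name:
            return ip
    return None


def names_for_ip(entries, ip):
    """The many-to-one side: every name the file maps onto one address."""
    return [n for a, n in entries if a == ip]


def resolve(name, entries, dns_lookup):
    """Consult the local hosts file first; fall back to DNS only on a miss."""
    ip = lookup_hosts(entries, name)
    return ip if ip is not None else dns_lookup(name)


def parse_lmhosts(text):
    """Return {NETBIOS_NAME: {"ip", "preload", "domain"}} for an lmhosts file.

    Here '#' starts a comment unless it introduces a reserved keyword, so the
    keywords must be picked out before the rest of the line is discarded."""
    table = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        record = {"ip": tokens[0], "preload": False, "domain": None}
        for tok in tokens[2:]:
            if tok == "#PRE":
                record["preload"] = True                # loaded into the cache at start-up
            elif tok.startswith("#DOM:"):
                record["domain"] = tok[len("#DOM:"):]   # domain this controller serves
            elif tok.startswith("#"):
                break                                   # ordinary comment: stop here
        table[tokens[1].upper()] = record
    return table


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(resolve("FileServer01", hosts, lambda n: "DNS:" + n))
    print(parse_lmhosts(SAMPLE_LMHOSTS)["CORPDC01"])
```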

There are 14 special permissions for folders, which include detailed control over creating, modifying, reading, and deleting subfolders and files contained within the folder where the permissions are established.

NTFS permissions are associated with the object, so the permissions are always connected with the object during a rename, move, or archive of the object.

Share permissions are only associated with the folder that is being shared. For example, if there are 5 subfolders below the folder that is shared, only the initial shared folder can have share permissions configured on it. NTFS permissions can be established on every file and folder within the data storage structure, even if a folder is not shared.

Share permissions are configured on the Sharing tab of the shared folder. On this tab, you will have a Permissions button, which exposes the share permissions when selected, as shown in Figure 3.


Figure 3: Share permissions on a shared folder

As you can see, the share permissions standard list of options is not as robust as the NTFS permissions. The share permissions only provide Full Control, Change, and Read. There are no special permissions available for share permissions, so the standard permissions are as granular as you can go for this set of access control.

The share permissions are not part of the folder or file, so when the share name is changed, the folder is moved, or the folder is backed up, the share permissions are not included. This makes for a fragile control of the share permissions if the folder is modified.

39) What is symmetric & asymmetric processing?

Asymmetric: one CPU does the work of the system, the other CPUs service user requests.

Symmetric: All processors can be used by the system and users alike. No CPU is special.

The asymmetric variant is potentially more wasteful, since it is rare that the system requires a whole CPU just to itself. This approach is more common on very large machines with many processors, where the jobs the system has to do are quite difficult and warrant a CPU to itself.

40) What is routing & remote access?

41) What is VPN & what is the difference between PPTP & L2TP?

42) What is meant by subnet?


subnet

A subnet (short for "subnetwork") is an identifiably separate part of an organization's network. Typically, a subnet may represent all the machines at one geographic location, in one building, or on the same local area network (LAN). Having an organization's network divided into subnets allows it to be connected to the Internet with a single shared network address. Without subnets, an organization could get multiple connections to the Internet, one for each of its physically separate subnetworks, but this would require an unnecessary use of the limited number of network numbers the Internet has to assign. It would also require that Internet routing tables on gateways outside the organization know about and manage routing that could and should be handled within the organization.

The Internet is a collection of networks whose users communicate with each other. Each communication carries the address of the source and destination networks and the particular machine within the network associated with the user or host computer at each end. This address is called the IP address (Internet Protocol address). This 32-bit IP address has two parts: one part identifies the network (with the network number) and the other part identifies the specific machine or host within the network (with the host number). An organization can use some of the bits in the machine or host part of the address to identify a specific subnet. Effectively, the IP address then contains three parts: the network number, the subnet number, and the machine number.

The standard procedure for creating and identifying subnets is provided in Internet

The IP Address

The 32-bit IP address (we have a separate definition of it with IP address) is often depicted as a dot address (also called dotted quad notation) - that is, four groups (or quads) of decimal numbers separated by periods. Here's an example:

130.5.5.25

Each of the decimal numbers represents a string of eight binary digits. Thus, the above IP address really is this string of 0s and 1s:

10000010.00000101.00000101.00011001

As you can see, we inserted periods between each eight-digit sequence just as we did for the decimal version of the IP address. Obviously, the decimal version of the IP address is easier to read and that's the form most commonly used.

Some portion of the IP address represents the network number or address and some portion represents the local machine address (also known as the host number or address). IP addresses can be one of several classes, each determining how many bits represent the network number and how many represent the host number. The most common class used by large organizations (Class B) allows 16 bits for the network number and 16 for the host number. Using the above example, here's how the IP address is divided:

--Network address--|--Host address--|
      130.5       |     5.25       |


If you wanted to add subnetting to this address, then some portion (in this example, eight bits) of the host address could be used for a subnet address. Thus:

--Network address--|--Subnet address--|--Host address--|
      130.5       |        5         |      25        |

To simplify this explanation, we've divided the subnet into a neat eight bits, but an organization could choose some other scheme using only part of the third quad or even part of the fourth quad.

The Subnet Mask

Once a packet has arrived at an organization's gateway or connection point with its unique network number, it can be routed within the organization's internal gateways using the subnet number as well. The router knows which bits to look at (and which not to look at) by looking at a subnet mask. A mask is simply a screen of numbers that tells you which numbers to look at underneath. In a binary mask, a "1" over a number says "Look at the number underneath"; a "0" says "Don't look." Using a mask saves the router having to handle the entire 32-bit address; it can simply look at the bits selected by the mask.

Using the previous example (which is a very typical case), the combined network number and subnet number occupy 24 bits or three of the quads. The appropriate subnet mask carried along with the packet would be:

255.255.255.0

Or a string of all 1's for the first three quads (telling the router to look at these) and 0's for the host number (which the router doesn't need to look at). Subnet masking allows routers to move the packets on more quickly. If you have the job of creating subnets for an organization (an activity called subnetting) and specifying subnet masks, your job may be simple or complicated depending on the size and complexity of your organization and other factors.

Ans: Subnets are part of a network
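As an added example (not from the original article), the network/subnet/host split of 130.5.5.25 worked out in code, generalised to masks that use only part of a quad, which the text says an organization might do; the class-to-network-bits rule (A: 8, B: 16, C: 24) is the classful convention the text refers to.

```python
"""Added example: classful network / subnet / host split and the router's mask test."""


def to_int(addr):
    """Dotted quad -> 32-bit integer, rejecting anything but four 0..255 numbers."""
    quads = [int(q) for q in addr.split(".")]
    if len(quads) != 4 or any(not 0 <= q <= 255 for q in quads):
        raise ValueError("not a dotted-quad IPv4 address: %r" % addr)
    return (quads[0] << 24) | (quads[1] << 16) | (quads[2] << 8) | quads[3]


def from_int(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary_string(addr):
    """The 'string of 0s and 1s' form: eight binary digits per quad, periods between."""
    n = to_int(addr)
    return ".".join(format((n >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def prefix_length(mask):
    """Count the leading 1 bits; a valid mask is 1s followed by 0s and nothing else."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("mask %s is not a run of 1s followed by 0s" % mask)
    return ones


def is_valid_mask(mask):
    try:
        prefix_length(mask)
    except ValueError:
        return False
    return True


def classful_network_bits(addr):
    """Network bits implied by the address class: A = 8, B = 16, C = 24."""
    first = to_int(addr) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("%s has no classful network/host split" % addr)


def split_address(addr, mask):
    """Return the three parts the text describes: network, subnet and host numbers."""
    a = to_int(addr)
    net_bits = classful_network_bits(addr)
    plen = prefix_length(mask)
    if plen < net_bits:
        raise ValueError("mask %s is shorter than the class network part" % mask)
    subnet_bits, host_bits = plen - net_bits, 32 - plen
    return {
        "network": from_int(a & ((0xFFFFFFFF << (32 - net_bits)) & 0xFFFFFFFF)),
        "subnet_bits": subnet_bits,
        "subnet_number": (a >> host_bits) & ((1 << subnet_bits) - 1),
        "host_number": a & ((1 << host_bits) - 1),
        "subnet_address": from_int(a & to_int(mask)),
    }


def same_subnet(addr_a, addr_b, mask):
    """The router's test: look only at the bits the mask selects and compare them."""
    m = to_int(mask)
    return (to_int(addr_a) & m) == (to_int(addr_b) & m)


if __name__ == "__main__":
    print(to_binary_string("130.5.5.25"))
    print(split_address("130.5.5.25", "255.255.255.0"))
    print(split_address("130.5.5.25", "255.255.255.192"))   # subnet uses part of quad 4
```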

43) What is NAT?

Network Address Translation allows a single device, such as a router, to act as an agent between the Internet (or "public network") and a local (or "private") network. This means that only a single, unique IP address is required to represent an entire group of computers. But the shortage of IP addresses is only one reason to use NAT.

44) Explain the procedure for migrating from Windows NT 4.0 to Windows 2000.

Upgrading from Win NT to Win 2000 Domains

1. Upgrade the PDC in the master domain that will be the root domain. Upgrade the PDC to Windows 2000.

2. Use mixed mode for Active Directory.

3. Upgrade BDCs and servers to Windows 2000.


4. Update client computers in the domain to Windows 2000 or install Directory Service Client on them.

5. Follow the same procedure for each succeeding domain down through the domain tree.

6. Once all updates are complete, the multiple domains may be merged into one or reconfigured using Windows 2000 tools.

When the NT domain controller is upgraded to Windows 2000, the following changes are made:

The PDC computer account is placed in the domain controller's AD container object.

Computer accounts are placed in the Computers AD container object.

User accounts, global groups, local groups, and created groups are placed in the Users AD container object.

Default groups are put in the Built-in AD container object.

45) How to enable auditing on files & folders?
ANS: Through Group Policy

46) What is software distribution?

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/instmain.mspx


Software Installation and Maintenance for the Windows 2003 operating system allows administrators to manage software for their organizations, including applications, service packs, and operating system upgrades.


Eliminate piling onto new domain controllers. There is potential for a problem when an NT4 primary domain controller (PDC) is upgraded to Windows Server 2003. In this circumstance, all existing Windows 2000 and XP desktops will use the newly promoted PDC as a logon server. In Windows Server 2003, domain controllers can be configured to respond to modern Windows clients as if they were still classic NT domain controllers until sufficient domain controllers are available to handle local authentication. This feature is also available in Windows 2000 SP2 and later.

DNS diagnostics. Proper DNS configuration is critical for proper Active Directory operation. The Domain Controller promotion utility now performs a suite of DNS diagnostics to ensure that a suitable DNS server is available to register the service locator resource records associated with a Windows domain controller.

Fewer global catalog rebuilds. Adding or removing an attribute from the Global Catalog no longer requires a complete synchronization cycle. This minimizes the replication traffic caused by adding an attribute to the GC.

Management console enhancements. The Active Directory Users and Computers console now permits drag-and-drop move operations and modifying properties on multiple objects at the same time. There is also the capability of creating and storing custom LDAP queries to simplify managing large numbers of objects. The new MMC 2.0 console includes scripting support that can eliminate the need to use the console entirely.

Real-time LDAP. Support was added for RFC 2589, "LDAPv3: Extensions for Dynamic Directory Services." This permits putting time-sensitive information in Active Directory, such as a user's current location. Dynamic entries automatically time out and are deleted if they are not refreshed.

Enhanced LDAP security. Support was added for digest authentication as described in RFC 2829, "Authentication Methods for LDAP." This makes it easier to integrate Active Directory into non-Windows environments. Support was also added for RFC 2830, "LDAPv3: Extension for Transport Layer Security." This permits using secure connections when sending LDAP (Lightweight Directory Access Protocol) queries to a domain controller.

Schema enhancements. The ability was added to associate an auxiliary schema class with individual objects rather than with an entire class of objects. This association can be dynamic, making it possible to temporarily assign new attributes to a specific object or objects. Attributes and object classes can also be declared defunct to simplify recovering from programming errors.

LDAP query enhancements. The LDAP search mechanism was expanded to permit searching for individual entries in a multivalued Distinguished Name (DN) attribute. This is called an Attribute Scoped Query, or ASQ. For example, an ASQ could be used to quickly list every group to which a specific user belongs. Support was also added for Virtual List Views, a new LDAP control that permits large data sets to be viewed in order instead of paging through a random set of information. This change permits Windows Server 2003 to show alphabetically sorted lists of users and groups in pick lists.

Interoperability. Support was added for RFC 2798, "inetOrgPerson LDAP Object Class." This enhances interoperability with Netscape and NetWare directory services, both of which use the inetOrgPerson object class to create User objects.

Speedier domain controller promotions. The capability was added for using a tape backup of the Active Directory database to populate the database on a new domain controller. This greatly simplifies domain controller deployments in situations where it is not practical to ship an entire server.


Scalability. The maximum number of objects that can be stored in Active Directory was increased to over one billion.

Domain Structure and Relationships

Terms:

Domain tree - A hierarchical group of one or more domains with one root domain. Only one domain is required to make a tree.

Parent domain - One domain above another in a domain tree.

Child domain - One domain below another in a domain tree. The child inherits the domain name of its parent in a DNS hierarchical naming convention. Example: "child.parent.root.com".

Forest root domain - The first domain created in a forest.

Tree root - The first domain created in a tree.

Trusts and Trust Relationships

A trust relationship is a description of the user access between two domains, consisting of a one way and a two way trust. Terms:

One way trust - When one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.

Two way trust - When two domains allow access to users on the other domain.

Trusting domain - The domain that allows access to users on another domain.

Trusted domain - The domain that is trusted, whose users have access to the trusting domain.

Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree.

Intransitive trust - A one way trust that does not extend beyond two domains.

Explicit trust - A trust that an administrator creates. It is not transitive and is one way only.

Cross-link trust - An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Windows 2000 only supports the following types of trusts:

Two way transitive trusts
One way non-transitive trusts

This means the two way non-transitive trust supported by Windows NT is no longer supported. The way to deal with this is to create two one way trusts in Windows 2000.


Controllers

The program "dcpromo.exe" is used to make a Windows 2000 domain member server a domain controller or demote it from domain controller status back to a member server. It can be used to add a domain controller for an existing domain or create a domain controller for a new domain.

Terms:

Forest root controller - The first domain controller created when Active Directory is first installed on any computer if there are no previously installed controllers available on the network.

Active Directory Trusts

Windows NT 4.0 does not support transitive trusts. All Windows 2000 Active Directory trusts are transitive by default, with trusts existing between parents and children. Transitive trusts do not exist between children even if they are of the same parent. Transitive trusts extend up and down through parents to children to grandchildren and so on. Administrators may create explicit trusts between any two domains.

It is good policy for the administrator to set up a root domain with the administrator account. This will allow all child domains to be controlled from that domain.

Domain Controller Data Replication

Replicated data between domain controllers contains:

Schema

Configuration data - Forest, tree, and domain information.

Domain data - Information about all domain objects sent to domain controllers in the domain.

Domain Controllers

Windows NT uses a Primary Domain Controller (PDC) and Backup Domain Controllers (BDC) to control the operations of its domains. The BDC or BDCs back up the operations of the PDC in the event that it fails. Data is constantly replicated between these controllers. Windows 2000 has changed this method of controlling the domain.

Windows 2000 may be operated in one of two modes:

Native mode - In this mode Active Directory interfaces only with Windows 2000 domain controllers and directory service client software. Windows 2000 is more efficient in native mode. In this case, the PDC emulator will get password changes faster.

Mixed mode - Used to support domains where there are still Windows NT domain controllers. Mixed mode occurs when Active Directory interfaces with NT 4.0 BDCs or ones without Windows 2000 Directory Service client software.


In mixed mode, computers without Windows 2000 client software must contact the PDC emulator to change user account information.

A domain cannot be changed from native mode to mixed mode. An NT domain controller cannot be added to a Windows 2000 network running in native mode.

1. local group
2. domain local group
3. domain global group
4. domain universal group

Remember that "local", "global" and "universal" refer to where these groups may be assigned permissions and are not related to the group membership itself. But let's define each of them now:

1. Local group: The members of this group type can be assigned permissions only locally on the computer where the group exists. It cannot be used to assign permissions on the domain and this group is not known by other computers. However, it can contain local security accounts (created on the same computer - in the local security database, SAM) or domain member accounts (when the machine/computer is part of a domain) from any domain.

Example: when you join the computer to a domain, the domain administrator account is automatically added to the local Administrators group. That's why a domain administrator can handle administrative tasks on any domain client computer. But you cannot use this local "Administrators" group to assign permissions on any other computer/resource on the domain. You will use this group only locally on the computer where it exists. "Administrators" membership could be domain1\user1, domain2\user2, localuser3, etc.

2. Domain Local group: can have as its members accounts, global groups, and universal groups FROM ANY DOMAIN, as well as domain local groups from the same domain. These groups can belong to other domain local groups and be assigned permissions only in the same domain. Can be converted to universal scope, as long as it does not have as its member another group having domain local scope.

Example: Suppose you were the network administrator for a three-domain network. Now you have to give permissions to some users from domain2 and domain3 to resources located in domain1. What do you do? Well ... You can create a domain local group in domain1 and then assign the respective users from domain2 and domain3 to the group you have just created in domain1. Then use this group to assign permissions to resources inside domain1 only. You will not be able to assign permissions for this group to resources in other domains!! However, you did add users from other domains.

3. Domain Global group: can have as its members accounts and global groups FROM THE SAME DOMAIN. Can be converted to universal scope, as long as it is not a member of any other group having global scope.

Example: You create a "group1" in the "domain1" domain. Then you add accounts and other global groups from the same domain to it. You can use this group to assign permissions to resources located in other domains or for other domain


administrators to assign permissions to your domain users in their own domains' resources.

4. Domain Universal group: can have as its members accounts FROM ANY DOMAIN, global groups from any domain and universal groups FROM ANY DOMAIN. This group cannot be converted to any other group scope.

Example/Some more detail: This is the least restrictive group. For some administrators it might be a better solution for easy administration. However, the use of Universal Groups has a big impact on Active Directory performance because the universal group membership is stored in the global catalog. There might also occur problems with the login. When a user logs in, if the user belongs to a Universal group, a global catalog must be found, otherwise the user would not be able to log in. If the user doesn't belong to a universal group, cached credentials are used if a global catalog cannot be found. In that case, if the user had never before logged in, cached credentials don't exist, therefore the user will not be able to log in either.

The following conversions can be made between group types:

- Global to universal :: this is only allowed if the group is not a member of another group having global scope.
- Domain local to universal :: however, the group being converted cannot have as its member another group having domain local scope.

Note1: If you have multiple forests, users defined in only one forest cannot be placed into groups defined in another forest, and groups defined in only one forest cannot be assigned permissions in another forest.

Note2: Group nesting is available only when in Native mode. In mixed mode, universal groups cannot be used. There are also some differences about the way the PDC emulator works. But you will learn about it ... It's related to AD authentication and to the master operation roles.

Now, why add a global group to a domain local group? This is because it's a best practice to always assign permissions to groups and not to users individually. I will try to give you a practical approach.

Let's assume again that you are a network administrator for a company with 50 users. If you were to assign permissions for a network resource it's better (from the administrator's point of view) to define permissions only once (for a group) than to assign permissions every time a user has to be given access. So, that's the reason why even having a single user, you put it inside a group and then assign permissions to the group itself. In the future when you need to assign permissions to other users, you just add them to the group and usually, they will have to log off and log in again. Don't you agree? :)

Now the A G DL P concept goes all around this. It's just a bit more generic and does make a lot of sense when in an environment with multiple domains!! So you put ACCOUNTS inside a GLOBAL GROUP. Then the GLOBAL GROUP you put inside the DOMAIN LOCAL GROUP and finally, you assign PERMISSIONS.

One practical example: There are 2 domains (dom1 and dom2). You are


administering dom1. The dom2 administrator tells you that some of his users need access to some resources located in your domain (in dom1). You tell the dom2 administrator to create a global group in domain dom2 and put the users inside it. Then you take that global group and put it inside a domain local group and assign permissions for this domain local group to the specified resources in your domain. Now, every time the dom2 administrator wants to add/remove a user he just needs to add/remove the user/users in the global group in his domain (because he doesn't have permission on the dom1 domain).

If you were assigning users to a domain local group, every time the dom2 administrator wanted to add a user, he would have to contact you and only you would be the person allowed to make the change because only you have permissions in your domain (it might be the case).

Some advantages:
1. You, as dom1 domain administrator, assign permissions only once.

2. You will not have to worry in the future if the dom2 domain administrator wants to add/remove users from the list of users which might have access to the specified resources.

Active Directory Users and Computers - Active Directory Users and Computers is a Microsoft Management Console snap-in. It is started by selecting "Start", "Programs", "Administrative Tools", and "Active Directory Users and Computers". Only members of the Domain Admins or Enterprise Admins group can use this tool. This tool is used to create, configure, locate, move, and delete objects including:

o User (automatically published) - Domain user accounts may be copied.

o Group (automatically published)

o Computer (Those in the domain are automatically published)

o Contact (automatically published)

o Domain

o Organizational Unit (automatically published)

o Shared folder

o Printer (Most are automatically published) - Windows NT shared printers are not published automatically.

Tabs from the OU Properties dialog box:

o Group policy - Group policy object selections:

    Windows Settings

    Security Settings

    Public key policies

    Automatic certificate request menu items:

        Action

        New

        Automatic Certificate Request

Active Directory Domains and Trusts

Active Directory Sites and Services
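As an added example (not from the original text), a small model of the group scopes defined above that enforces the native-mode membership rules, the conversion rules, and the "domain local groups get permissions only in their own domain" rule, then resolves the dom1/dom2 scenario the A G DL P way. The domains dom1/dom2, the user names and the share are constructed for illustration.

```python
"""Added example: Windows domain group scopes and AGDLP access resolution."""

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "domain local", "global", "universal"


class User:
    def __init__(self, name, domain):
        self.name, self.domain = name, domain


class Group:
    def __init__(self, name, domain, scope):
        self.name, self.domain, self.scope = name, domain, scope
        self.members = []

    def add(self, member):
        check_membership(self, member)
        self.members.append(member)


def check_membership(group, member):
    """Raise ValueError when `member` may not be placed in `group`."""
    same_domain = member.domain == group.domain
    mscope = getattr(member, "scope", None)      # None: a user account
    if group.scope == GLOBAL:
        # accounts and global groups FROM THE SAME DOMAIN only
        if not same_domain or mscope not in (None, GLOBAL):
            raise ValueError("%s takes only accounts and global groups from %s"
                             % (group.name, group.domain))
    elif group.scope == UNIVERSAL:
        # accounts, global and universal groups from any domain; never domain local
        if mscope == DOMAIN_LOCAL:
            raise ValueError("%s: universal groups cannot hold domain local groups"
                             % group.name)
    elif group.scope == DOMAIN_LOCAL:
        # anything from any domain, except domain local groups of another domain
        if mscope == DOMAIN_LOCAL and not same_domain:
            raise ValueError("%s nests domain local groups from %s only"
                             % (group.name, group.domain))


def rejects(group, member):
    """True when the rules refuse to add `member` to `group`."""
    try:
        check_membership(group, member)
    except ValueError:
        return True
    return False


def can_hold_permission(group, resource_domain):
    """Domain local groups may appear only in ACLs of their own domain."""
    return group.scope != DOMAIN_LOCAL or group.domain == resource_domain


def effective_groups(user, groups):
    """Every group the user is in, directly or through nesting."""
    found, changed = set(), True
    while changed:
        changed = False
        for g in groups:
            if g not in found and any(m is user or m in found for m in g.members):
                found.add(g)
                changed = True
    return found


def has_access(user, resource_domain, acl_groups, groups):
    """True if a group in the resource's ACL contains the user, directly or nested."""
    for g in acl_groups:
        if not can_hold_permission(g, resource_domain):
            raise ValueError("%s cannot be assigned permissions in %s"
                             % (g.name, resource_domain))
    return bool(effective_groups(user, groups) & set(acl_groups))


def convertible_to_universal(group, groups):
    """The conversion rules from the text."""
    if group.scope == GLOBAL:        # must not be a member of another global group
        return not any(g.scope == GLOBAL and group in g.members for g in groups)
    if group.scope == DOMAIN_LOCAL:  # must not contain a domain local group
        return not any(getattr(m, "scope", None) == DOMAIN_LOCAL for m in group.members)
    return False                     # universal converts to nothing


def build_scenario():
    """The dom1/dom2 example: dom2 staff reach a dom1 share via A -> G -> DL -> P."""
    bob, alice = User("bob", "dom2"), User("alice", "dom2")
    dom2_staff = Group("Dom2Staff", "dom2", GLOBAL)          # A -> G, by the dom2 admin
    dom2_staff.add(bob)
    share_read = Group("Share1_Read", "dom1", DOMAIN_LOCAL)  # G -> DL, by the dom1 admin
    share_read.add(dom2_staff)
    acl = {"dom1": [share_read]}                             # DL -> P, assigned once
    return {"bob": bob, "alice": alice, "dom2_staff": dom2_staff,
            "share_read": share_read, "groups": [dom2_staff, share_read], "acl": acl}


if __name__ == "__main__":
    s = build_scenario()
    print(has_access(s["bob"], "dom1", s["acl"]["dom1"], s["groups"]))    # True
    print(has_access(s["alice"], "dom1", s["acl"]["dom1"], s["groups"]))  # False
```

Adding alice to Dom2Staff afterwards grants her the share without any change in dom1, which is the point the text makes about who administers what.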


DCPROMO - Domain controller management tool which is run from the command line.

LDIFDE - Bulk schema modification tool.

CSVDE - Bulk schema update tool. Parameters:

o -? - Help

o -i - Mode for command. Choices are import, export, or modify.

o -f - File name

o -v - Verbose mode

o -p - Specify the port for the socket. The LDAP default is 389.

Active Directory Connector (ADC) - It simplifies administration among multiple directory services. The ADC can aid Windows 2000 implementations where Exchange Server is deployed. It can replicate Active Directory information, and Exchange Server 5.5 information as well. It comes with Windows 2000 and Exchange 2000. It:

o Uses LDAP to perform replication.

o Only replicates changes.

o Hosts all active Active Directory replication components.

o Supports multiple connections on one server.

o Maps objects for replication.

Requirements:

o Windows 2000 Server

o Available TCP port

o Microsoft Exchange Server 5.5 or 2000.

o LDAP version 3

Connection agreements configure directory synchronization between Exchange and Active Directory, and one or more are supported with ADC.

Items used to configure a connection agreement:

o Server name

o Target containers

o Objects to be synchronized

o Synchronization schedule

ADC Installation:

1. ADC requires a service user account and password.

2. Put the Windows 2000 Server installation CD-ROM in the computer.

3. Enter the directory \Valueadd\MSFT\Mgmt\ADC.

4. Double click on setup.exe.

5. Select the "Microsoft Active Directory Connector Service component" to install ADC and the "Microsoft Active Directory Connector Management component" to install the ability to manage the service. The Management component can be installed on Windows 2000 Professional computers to allow ADC management from them.

6. Choose a directory to install the components to.

7. Enter the account name and password for the service to use.

8. Continue and finish the installation.


ADC Configuration:

9. Run the Administrative tool, "Active Directory Connector (ADC) Management".

10. Right click the server to configure and select "properties" to see the properties dialog box. This is used to configure connection agreements between Active Directory and the Exchange 5.5 directory service. The following tabs exist in the box:

General - Select replication direction as "Two way", "From Exchange to Windows", or "From Windows to Exchange". Set the connection name, and the server to run the connection agreement. For slow network connections, the agreement can use Exchange Server's Site Replication Service (SRS).

Connections - Configure the bridgehead servers to handle the connection. The servers receiving updates only require write permission. Select the Windows server name, the Windows authentication protocol, the Exchange server, the Exchange server port, and the Exchange server authentication protocol.

Schedule - Set the synchronization schedule. The registry setting at

    ;?0O"A0?2A"


Create a New Windows User Account

ADC event logging levels:

o None - Only log critical events

o Minimum - Log LDAP session errors, success or failure of added or removed user accounts.

o Medium - Log directory object events and proxy errors.

o Maximum

The Administrative tool "Active Directory Connector Management" is used to set up event logging. ADC event logging categories:

o Replication

o Account Management - Events while writing to or deleting objects.

o Attribute Mapping - Events while attributes are mapped between AD and Exchange.

o Service Controller - Events when the ADC service is stopped or started.

o LDAP Operations - Events when LDAP accesses the directory.