Interview Based Question AD DNS FSMO GPO

Date post: 13-Apr-2015
Upload: nshah061

ACTIVE DIRECTORY – DNS – FSMO – GROUP POLICY

What Is Active Directory?

Active Directory consists of a series of components that constitute both its logical structure and its physical structure. It provides a way for organizations to centrally manage and store their user objects, computer objects, and group memberships, and to define security boundaries, in a logical database structure.

Purpose of Active Directory

Active Directory stores information about users, computers, and network resources and makes those resources accessible to users and applications. It provides a consistent way to name, describe, locate, access, manage, and secure information about these resources.

Functions of Active Directory

Active Directory provides the following functions:

Centralizes control of network resources: By centralizing control of resources such as servers, shared files, and printers, only authorized users can access resources in Active Directory.

Centralizes and decentralizes resource management: Administrators have centralized administration, with the ability to delegate administration of subsets of the network to a limited number of individuals, giving them greater granularity in resource management.

Stores objects securely in a logical structure: Active Directory stores all of the resources as objects in a secure, hierarchical, logical structure.

Optimizes network traffic: The physical structure of Active Directory enables you to use network bandwidth more efficiently. For example, it ensures that when users log on to the network, the authentication authority that is nearest to the user authenticates them, reducing the amount of network traffic.

Sites within Active Directory

Sites are defined as groups of well-connected computers. When you establish sites, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site, that is, the time required for a change that is made on one domain controller to be replicated to other domain controllers. You create sites to optimize the use of bandwidth between domain controllers that are in different locations.


Operations Master Roles

When a change is made to a domain, the change is replicated across all of the domain controllers in the domain. Some changes, such as those made to the schema, are replicated across all of the domains in the forest. This replication is called multimaster replication.

During multimaster replication, a replication conflict can occur if originating updates are performed concurrently on the same object attribute on two domain controllers. To avoid replication conflicts for a few sensitive operations, Active Directory uses single-master replication, which designates one domain controller as the only domain controller on which certain directory changes can be made. This way, those changes cannot occur at different places in the network at the same time. Active Directory uses single-master replication for important changes such as the addition of a new domain or a change to the forest-wide schema.

Operations that use single-master replication are arranged together in specific roles in a forest or domain. These roles are called operations master roles (also known as FSMO, flexible single master operations, roles). For each operations master role, only the domain controller that holds that role can make the associated directory changes. The domain controller that is responsible for a particular role is called the operations master for that role. Active Directory stores information about which domain controller holds a specific role.

Forest-wide Roles

Forest-wide roles are unique to a forest. The forest-wide roles are:

Schema master: Controls all updates to the schema. The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers.

Domain naming master: Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain.

There is only one schema master and one domain naming master in the entire forest.

Domain-wide Roles

Domain-wide roles are unique to each domain in a forest. The domain-wide roles are:

Primary domain controller (PDC) emulator: Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows NT within a mixed-mode domain, that is, a domain that still has domain controllers running Windows NT 4.0. The role keeps several jobs even after all domain controllers are upgraded: it is the authoritative time source for the domain, password changes are forwarded to it so that a logon with a freshly changed password succeeds before replication completes, it processes account lockouts, and the Group Policy tools edit GPOs on it by default. The PDC emulator is initially held by the first domain controller that you create in a new domain.


Relative identifier (RID) master: When a new object is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain. The RID master allocates blocks of RIDs to each domain controller in the domain. The domain controller then assigns a RID to each object it creates from its allocated block of RIDs. A domain controller that cannot reach the RID master keeps working until its current block runs out, after which it can no longer create users, groups, or computers.

Infrastructure master: When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain. The object reference contains the object's globally unique identifier (GUID), distinguished name, and SID. Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object. Placement caveat: in a multi-domain forest the infrastructure master must not run on a global catalog server (unless every domain controller is a global catalog), because a global catalog already holds a replica of every object and the role would never detect stale references.
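The following PowerShell is an added example, not part of the original document. It lists the holders of the five operations master roles and the global catalogs of the current forest, flags the infrastructure-master-on-a-GC placement problem described above, and decodes the RID block one domain controller has been allocated by the RID master. It assumes the RSAT ActiveDirectory module and a domain controller named DC01; both are assumptions, not facts from the page.

```powershell
# Added example: operations master roles, global catalogs, and RID pool.
# Assumes the ActiveDirectory module and a DC named DC01 (adjust to taste).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles: exactly one holder of each in the whole forest.
[pscustomobject]@{
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
} | Format-List

# Domain-wide roles: one holder of each per domain.
[pscustomobject]@{
    Domain               = $domain.DNSRoot
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Which DCs are global catalogs (partial read-only replica of every domain)?
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
$dcs | Format-Table -AutoSize

# Placement check: the infrastructure master never sees a cross-domain
# reference as stale if it is itself a GC, so in a multi-domain forest it
# must sit on a non-GC DC unless every DC is a GC.
$im    = $dcs | Where-Object HostName -eq $domain.InfrastructureMaster
$allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($forest.Domains.Count -gt 1 -and $im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure master $($im.HostName) is a GC but not all DCs are; phantom cleanup will not run."
}

# RID master view: each DC receives a block of RIDs. rIDAllocationPool is a
# 64-bit integer: low 32 bits = first RID of the current block, high 32 bits
# = last RID of the block. rIDNextRID is the next one the DC will hand out.
$dcName = 'DC01'   # assumed DC name
$ridSet = Get-ADObject -Identity "CN=RID Set,CN=$dcName,OU=Domain Controllers,$($domain.DistinguishedName)" `
            -Properties rIDAllocationPool, rIDNextRID
$pool  = [int64]$ridSet.rIDAllocationPool
$first = $pool -band 0xFFFFFFFF
$last  = ($pool -shr 32) -band 0xFFFFFFFF
"$dcName RID block: $first..$last, next RID: $($ridSet.rIDNextRID), left: $($last - $ridSet.rIDNextRID)"

# A SID is the domain SID plus a RID; RID 500 is always the built-in Administrator.
$adminSid = "$($domain.DomainSID.Value)-500"
Get-ADUser -Identity $adminSid | Select-Object SamAccountName, SID
```

The same information is available from the command line with `netdom query fsmo` and `dcdiag /test:ridmanager /v`; the script is useful when you want to act on the result, for example to move a role with `Move-ADDirectoryServerOperationMasterRole`.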

Global Catalog

The global catalog contains:

The attributes that are most frequently used in queries, such as a user's first name, last name, and logon name.

The information that is necessary to determine the location of any object in the directory.

The access permissions for each object and attribute that is stored in the global catalog. If you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results. Access permissions ensure that users can find only objects to which they have been assigned access.

A global catalog server is a domain controller that, in addition to its full writable domain directory partition replica, also stores a partial read-only replica of all other domain directory partitions in the forest. Taking a user object as an example, it would by default have many different attributes, such as first name, last name, phone number, and many more. The GC will by default only store the most common of those attributes that would be used in search operations (such as a user's first and last names or logon name). The partial set of attributes that it has for that object is enough to allow a search for that object to locate the full replica of the object in Active Directory. This allows searches to be done against a local GC and reduces the network traffic over the WAN that would otherwise be needed to locate objects somewhere else in the network.

Domain controllers always contain the full attribute list for objects belonging to their domain. If the domain controller is also a GC, it will also contain a partial replica of objects from all other domains in the forest.

Active Directory uses DNS as the name resolution service to identify domains and domain host computers during processes such as logging on to the network.

Similar to the way a Windows NT 4.0 client will query WINS for a NetBIOS DOMAIN[1B] record to locate a PDC, or a NetBIOS DOMAIN[1C] record for domain controllers, a Windows 2000, 2003, or Windows XP client can query DNS to find a domain controller by looking for SRV records.

Integration of DNS and Active Directory

The integration of DNS and Active Directory is essential because a client computer in a Windows 2000 network must be able to locate a domain controller so that users can log on to a domain or use the services that Active Directory provides. Clients locate domain controllers and services by using A resource records and SRV records. The A resource record contains the FQDN and IP address of the domain controller. The SRV record contains the FQDN of the domain controller and the name of the service that the domain controller provides, for example _ldap._tcp.dc._msdcs.<domain> for the LDAP service on domain controllers. Domain controllers register these records themselves through dynamic DNS update, which is why the zone must accept updates from them.
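As an added example (not from the original document), the following PowerShell reproduces the DC locator's DNS lookups by hand, so you can see which SRV records a client depends on and which domain controllers they resolve to. The domain name contoso.com is taken from later in the page; the site name Default-First-Site-Name is an assumption.

```powershell
# Added example: query the SRV records the DC locator uses.
# Assumes the domain contoso.com and a site named Default-First-Site-Name.
$domain = 'contoso.com'
$site   = 'Default-First-Site-Name'

# Every DC registers these records (via dynamic update, by the Netlogon
# service). The locator tries the site-specific name first so that the client
# lands on a nearby DC. The gc records live under the forest root domain name.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",               # any DC in the domain
    "_ldap._tcp.$site._sites.dc._msdcs.$domain",  # DCs in this site only
    "_kerberos._tcp.dc._msdcs.$domain",           # KDCs (port 88)
    "_ldap._tcp.gc._msdcs.$domain",               # global catalog servers (port 3268)
    "_ldap._tcp.pdc._msdcs.$domain"               # the PDC emulator
)

foreach ($name in $srvNames) {
    try {
        $rrs = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
               Where-Object { $_.QueryType -eq 'SRV' }
    } catch {
        Write-Warning "$name : no SRV record ($($_.Exception.Message))"
        continue
    }
    # Lower priority wins; among equal priorities, higher weight is chosen more often.
    foreach ($rr in $rrs | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }) {
        # The SRV record only names the DC; the A record supplies its address.
        $a = Resolve-DnsName -Name $rr.NameTarget -Type A -ErrorAction SilentlyContinue |
             Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress
        '{0,-58} prio={1} weight={2} port={3} {4} -> {5}' -f `
            $name, $rr.Priority, $rr.Weight, $rr.Port, $rr.NameTarget, ($a -join ',')
    }
}

# Cross-check: which DC the locator on this machine actually selects.
nltest /dsgetdc:$domain /force
```

If the site-specific lookup fails while the generic one succeeds, the client's subnet is probably not mapped to a site, and logons will land on whichever DC the generic record returns, possibly across a WAN link.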

What Are Active Directory Integrated Zones?

One benefit of integrating DNS and Active Directory is the ability to store DNS zones in the Active Directory database. A zone is a portion of the domain namespace that has a logical grouping of resource records, which allows zone transfers of these records to operate as one unit.

Active Directory Integrated Zones

Microsoft DNS servers store the information that is used to resolve host names to IP addresses and IP addresses to host names in a database file with the extension .dns for each zone.

Active Directory integrated zones are primary zones that are stored as objects in the Active Directory database. If zone objects are stored in an Active Directory domain partition, they are replicated to all domain controllers in the domain; on Windows Server 2003 and later they can instead be stored in the DomainDnsZones or ForestDnsZones application partition, which replicates them only to the domain controllers that run DNS in the domain or forest. Because the zone data is protected by Active Directory ACLs, these are the only zones that can be set to accept secure dynamic updates only, so that a record can be overwritten only by the account that created it.

What Are DNS Zones?

A zone starts as a storage database for a single DNS domain name. If other domains are added below the domain used to create the zone, these domains can either be part of the same zone or belong to another zone. Once a subdomain is added, it can then either be:

Managed and included as part of the original zone records, or

Delegated away to another zone created to support the subdomain.


Types of Zones

There are two types of zones: forward lookup and reverse lookup. Forward lookup zones contain the information needed to resolve names within the DNS domain. They must include SOA and NS records and can include any type of resource record except the PTR resource record. Reverse lookup zones contain the information needed to perform reverse lookups. They usually include SOA, NS, PTR, and CNAME records.

With most queries, the client supplies a name and requests the IP address that corresponds to that name. This type of query is typically described as a forward lookup. Active Directory requires forward lookup zones.

However, what if a client already has a computer's IP address and wants to determine the DNS name for the computer? This is important for programs that implement security based on the connecting FQDN, and it is used for TCP/IP network troubleshooting. The DNS standard provides for this possibility through reverse lookups. (A reverse lookup is only as trustworthy as the owner of the reverse zone, so a PTR record on its own should not be used as an authentication decision.)

Once you have installed Active Directory, you have two options for storing your zones when operating the DNS server at the new domain controller.

Standard Zone

Zones stored this way are located in .dns text files that are stored in the %SystemRoot%\System32\Dns folder on each computer operating a DNS server. Zone file names correspond to the name you choose for the zone when creating it, such as example.microsoft.com.dns if the zone name was example.microsoft.com.

This type offers the choice of using either a standard primary zone or a standard secondary zone.

Standard Primary Zone

For standard primary-type zones, only a single DNS server can host and load the master copy of the zone. If you create a zone and keep it as a standard primary zone, no additional primary servers for the zone are permitted. Only one server is allowed to accept dynamic updates (also known as DDNS) and process zone changes. The standard primary model implies a single point of failure.

Standard Secondary Zone

A secondary name server gets the data for its zones from another name server (either a primary name server or another secondary name server) for that zone across the network. The data in a secondary zone is read-only, and updated information must come from additional zone transfers. The process of obtaining this zone information (i.e., the database file) across the network is referred to as a zone transfer. Zone transfers occur over TCP port 53. Restrict zone transfers to the IP addresses of your secondary servers: a server that answers AXFR requests from anyone hands out the whole zone, including the SRV records that name every domain controller.

Secondary servers can provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used. Additionally, if a primary server is down, a secondary server can provide some name resolution in the zone until the primary server is available.


Note: A standard primary zone will not replicate its information to any other DNS servers but may allow zone transfers to secondary zones. Windows Server 2003 also supports stub zones. A secondary or stub zone cannot be hosted on a DNS server that hosts a primary zone for the same domain name.

Directory-integrated Zone

Zones stored this way are located in the Active Directory tree under the domain object container. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it. Active Directory integrated zones replicate this information to other domain controllers in that domain, and every one of those domain controllers holds a writable copy, so there is no single primary server.

Note: If DNS is running on a Windows 2000 server that is not a domain controller, it will not be able to use Active Directory integrated zones or replicate with other domain controllers, since it does not have Active Directory installed.
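The standard and directory-integrated zone types above differ most in who may change the zone: the dynamic-update setting and the zone-transfer policy. The following PowerShell is an added example (not from the original document) that audits every zone on a Windows DNS server for those two settings and fixes the weak ones. The server name dns01.contoso.com and the secondary address 10.0.0.53 are assumptions; the DnsServer module cmdlets are real.

```powershell
# Added example: audit dynamic-update and zone-transfer settings on a DNS server.
# Assumes the DnsServer module and a server named dns01.contoso.com.
Import-Module DnsServer
$server = 'dns01.contoso.com'

$zones = Get-DnsServerZone -ComputerName $server |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -ne 'Forwarder' }

$report = foreach ($z in $zones) {
    [pscustomobject]@{
        Zone             = $z.ZoneName
        Type             = $z.ZoneType           # Primary / Secondary / Stub
        DsIntegrated     = $z.IsDsIntegrated
        ReplicationScope = $z.ReplicationScope   # Forest / Domain / Legacy / Custom (DS-integrated only)
        DynamicUpdate    = $z.DynamicUpdate      # None / NonsecureAndSecure / Secure
        Transfers        = $z.SecureSecondaries  # NoTransfer / TransferAnyServer / TransferToZoneNameServer / TransferToSecureServers
        SecondaryServers = ($z.SecondaryServers -join ',')
        Reverse          = $z.IsReverseLookupZone
    }
}
$report | Format-Table -AutoSize

# What a reviewer flags:
#  * "Secure" updates exist only for DS-integrated zones. A file-backed primary
#    that accepts updates at all accepts them from anyone on the network, who can
#    then overwrite the A record of a DC or of the PDC emulator.
#  * TransferAnyServer answers AXFR (TCP 53) for anybody, giving away every
#    DC name and SRV record in one request.
$bad = $report | Where-Object {
    ($_.Type -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure') -or
    ($_.Transfers -eq 'TransferAnyServer')
}
$bad | Format-Table Zone, Type, DsIntegrated, DynamicUpdate, Transfers -AutoSize

# Remediation for AD-integrated primaries: secure-only updates and transfers
# limited to an explicit secondary list (omit the list if you have no
# non-DC secondaries; DCs replicate the zone through AD, not AXFR).
foreach ($z in $bad | Where-Object { $_.Type -eq 'Primary' -and $_.DsIntegrated }) {
    Set-DnsServerPrimaryZone -ComputerName $server -Name $z.Zone `
        -DynamicUpdate Secure `
        -SecureSecondaries TransferToSecureServers -SecondaryServers 10.0.0.53   # assumed secondary
}

# A file-backed primary on a DC has to be converted first; only then can it
# use secure updates:
#   ConvertTo-DnsServerPrimaryZone -ComputerName $server -Name 'contoso.com' -ReplicationScope Domain -Force
#   Set-DnsServerPrimaryZone -ComputerName $server -Name 'contoso.com' -DynamicUpdate Secure

# Independent check from any client (Windows nslookup, interactive):
#   nslookup
#   > server dns01.contoso.com
#   > ls -d contoso.com        <- a full listing means transfers are open
```

Run the audit again after the change; a zone whose DynamicUpdate column still reads NonsecureAndSecure is not DS-integrated and needs the conversion step first.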

DNS Records

After you create a zone, additional resource records need to be added to it. The most common resource records (RRs) to be added are:

Table 1: Record Types

Host (A): Maps a DNS domain name to an IP address used by a computer.

Alias (CNAME): Maps an alias DNS domain name to another primary, or canonical, name.

Mail Exchanger (MX): Maps a DNS domain name to the name of a computer that exchanges or forwards mail.

Pointer (PTR): Maps a reverse DNS domain name, based on the IP address of a computer, to the forward DNS domain name of that computer.

Service location (SRV): Maps a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.

Other resource records as needed.


Q1. What does the logical component of the Active Directory structure include?

Objects: Resources are stored in Active Directory as objects.

Sub category: object class

An object is really just a collection of attributes. A user object, for example, is made up of attributes such as name, password, phone number, group membership, and so on. The attributes that make up an object are defined by an object class. The user class, for example, specifies the attributes that make up the user object.

The Active Directory Schema

The classes and the attributes that they define are collectively referred to as the Active Directory Schema. In database terms, a schema is the structure of the tables and fields and how they are related to one another. You can think of the Active Directory Schema as the set of definitions (object classes and attributes) that determines how the real data of the directory (the attribute values of each object) is organized and stored.

Domains

The basic organizational structure of the Windows Server 2003 networking model is the domain. A domain represents an administrative and replication boundary: the computers, users, and other objects within a domain share a common security database. Note that the domain is not the security boundary; the forest is, because an administrator of any domain in a forest can gain control over the other domains.

Trees

Multiple domains are organized into a hierarchical structure called a tree. Actually, even if you have only one domain in your organization, you still have a tree. The first domain you create in a tree is called the root domain. The next domain that you add becomes a child domain of that root. This expandability of domains makes it possible to have many domains in a tree. Figure 1-1 shows an example of a tree. microsoft.com was the first domain created in Active Directory in this example and is therefore the root domain.


Figure 1-1 (domains shown): microsoft.com (root), sales.microsoft.com, rnd.microsoft.com, west.microsoft.com, east.microsoft.com.

Figure 1-1: A tree is a hierarchical organization of multiple domains. All domains in a tree share a common schema and a contiguous namespace. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in.

Forest

A forest is a group of one or more domain trees that do not form a contiguous namespace but share a common schema, a common configuration partition, and a common global catalog. There is always at least one forest on a network, and it is created when the first Active Directory-enabled computer (domain controller) on a network is installed.

This first domain in a forest, called the forest root domain, is special because it initially holds the schema master and domain naming master roles for the entire forest, and it is the only domain that contains the Enterprise Admins and Schema Admins groups. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.

Figure 1-2 shows an example of a forest with two trees. Each tree in the forest has its own namespace. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com (after the first domain created).

Figure 1-2: Trees in a forest share the same schema but not the same namespace.

Figure 1-2 (domains shown): microsoft.com (root domain of the microsoft.com forest and of its tree), sales.microsoft.com, rnd.microsoft.com, west.microsoft.com, east.microsoft.com; contoso.com (root domain of the contoso.com tree, in the same forest), west.contoso.com, east.contoso.com.

A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests. This would let you grant access to resources and accounts that are outside of a particular forest.

Organizational Units

Organizational units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain.

OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2. What does the physical structure of Active Directory contain?

Physical structures include domain controllers and sites.

Q3. What is nesting?

The creation of an OU inside another OU.

Important: once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues, because Group Policy and permission inheritance are evaluated along the whole chain.

Q4. What is a trust relationship, and how many types of trust relationship are there in Windows Server 2003?

Since each domain has its own security database, special mechanisms called trust relationships allow security principals in one domain (called the trusted domain) to access resources in another domain (called the trusting domain).

Windows Server 2003 supports six types of trust relationships:

Parent and child trusts, tree-root trusts, external trusts, shortcut trusts, realm trusts, and forest trusts.

Parent-child and tree-root trusts are created automatically when a domain joins the forest and are two-way and transitive; the other four are created by an administrator. External and forest trusts extend the reach of a compromised account in the trusted domain into the trusting one, so they should keep SID filtering enabled and, where possible, use selective authentication.
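As an added example (not from the original document), the following PowerShell lists the trusts of the current domain together with the attributes that decide how far a compromise on the other side can reach: direction, transitivity, SID filtering, and selective authentication. It classifies each trust into the types named above as far as the Get-ADTrust output allows. Only the ActiveDirectory module is assumed; the warning thresholds reflect common hardening guidance, not anything stated on this page.

```powershell
# Added example: review trust relationships of the current domain.
Import-Module ActiveDirectory

$rows = foreach ($t in Get-ADTrust -Filter *) {
    # Intra-forest trusts (parent-child, tree-root, shortcut) are implicit and
    # transitive; Get-ADTrust does not distinguish the three reliably.
    $kind = if ($t.IntraForest)        { 'Intra-forest' }
            elseif ($t.ForestTransitive) { 'Forest' }
            elseif ($t.TrustType -eq 'Kerberos') { 'Realm' }
            else                         { 'External' }
    # SID filtering is reported differently per trust type:
    #  external: SIDFilteringQuarantined = $true means filtering is ON;
    #  forest:   SIDFilteringForestAware = $true means the trust was relaxed with
    #            "netdom trust /enablesidhistory:yes" (TREAT_AS_EXTERNAL), i.e.
    #            SID history from the other forest passes through.
    $sidFilterOn = if ($t.IntraForest)        { $null }
                   elseif ($t.ForestTransitive) { -not $t.SIDFilteringForestAware }
                   else                         { [bool]$t.SIDFilteringQuarantined }
    [pscustomobject]@{
        Trust         = $t.Name             # the other domain, forest or realm
        Kind          = $kind
        Direction     = $t.Direction        # Inbound / Outbound / BiDirectional, seen from here
        Transitive    = -not $t.DisallowTransivity
        TrustType     = $t.TrustType        # Uplevel (AD) / Downlevel (NT 4.0) / Kerberos (MIT realm)
        SIDFiltering  = $sidFilterOn
        SelectiveAuth = [bool]$t.SelectiveAuthentication
        TGTDelegation = [bool]$t.TGTDelegation
    }
}
$rows | Format-Table -AutoSize

# "Outbound" means this domain trusts the other one: their principals can be
# authorised here, so this domain is the trusting side and carries the risk.
$risky = $rows | Where-Object { $_.Kind -in 'External', 'Forest' -and $_.Direction -ne 'Inbound' }
foreach ($r in $risky) {
    if (-not $r.SIDFiltering) {
        Write-Warning "$($r.Trust): SID filtering is off on a $($r.Kind) trust we extend; SID history injected on the trusted side would be honoured here."
    }
    if (-not $r.SelectiveAuth) {
        Write-Warning "$($r.Trust): selective authentication is off; every authenticated user there can authenticate to every computer here."
    }
    if ($r.TGTDelegation) {
        Write-Warning "$($r.Trust): TGT delegation is allowed across the trust; unconstrained-delegation hosts there can impersonate our users."
    }
}
```

The raw flags come from the trustAttributes bitmask on the trustedDomain object; `netdom trust <trusting> /domain:<trusted> /quarantine` and `/selectiveauth` are the command-line way to change them.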


Q5. What is a site?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6. What is the use of sites?

Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic.

More specifically, sites are used to control the following:

Workstation logon traffic, replication traffic, and Distributed File System (DFS) referrals.

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.

File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders. (Windows Server 2008 and later replace FRS with DFS Replication for SYSVOL.)

Q7. What are the objects a site contains?

Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.


Q8. What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur and the cost used to prefer one route over another. SMTP links can carry only the schema, configuration, and global catalog partitions, not a domain partition, so domain controllers of the same domain in different sites must be connected by IP site links.

Q9. Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller, and the changes will be replicated to other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher-priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q10. What are the different types of replication?

Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).

Intrasite Replication: Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite Replication: Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression and decompression are added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.
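The following PowerShell is an added example, not part of the original document. It maps the physical structure the questions above describe (sites, subnets, site links with their transport, cost and interval, and which DC sits where) and then checks each domain controller's replication partners, treating a partner that has not replicated within a chosen window as stale, which is what intersite scheduling delay looks like in practice. The three-hour threshold is an assumption; only the ActiveDirectory module is required.

```powershell
# Added example: sites, subnets, site links and replication partner health.
Import-Module ActiveDirectory

# Sites, and the subnets that steer clients (and the DC locator) to them.
Get-ADReplicationSite -Filter * | Select-Object Name, Description
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

# Site links: transport (IP or SMTP), cost, interval. SMTP links never carry
# a domain partition, so DCs of one domain in different sites need an IP link.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, InterSiteTransportProtocol, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ' } }

# Which DC lives in which site, and which ones are global catalogs.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog

# Intersite replication is scheduled and compressed, so a quiet link shows up
# as an old LastReplicationSuccess rather than as an error. Flag partners that
# have been silent longer than the schedule should allow, and real failures.
$maxAge = [timespan]::FromHours(3)   # assumed threshold; tune to your link schedule
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartnerType Both -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Partner is the DN "CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,..."
        $partner = ($_.Partner -split ',')[1] -replace '^CN='
        $age     = (Get-Date) - $_.LastReplicationSuccess
        $state   = if ($_.LastReplicationResult -ne 0) { "ERROR $($_.LastReplicationResult) ($($_.ConsecutiveReplicationFailures) in a row)" }
                   elseif ($age -gt $maxAge)            { "STALE $([int]$age.TotalMinutes) min" }
                   else                                 { 'ok' }
        '{0,-12} <-> {1,-12} {2,-50} {3}' -f $dc.Name, $partner, $_.Partition, $state
      }
}
# Same picture from the command line: repadmin /replsummary ; repadmin /showrepl <dc>
```

A partition that is stale on every partner of one DC usually means the DC's site has no usable site link or its schedule window has not come around yet; a non-zero result code is a real failure and the number to look up.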

Q11. What is LDAP?

LDAP, the Lightweight Directory Access Protocol, is an Internet protocol that e-mail and other programs use to look up information from a server. Active Directory domain controllers answer LDAP on TCP port 389 (636 with TLS) and serve the global catalog on port 3268 (3269 with TLS).

An LDAP-aware directory service (such as Active Directory) publishes the attributes of all the objects stored in the directory and maintains indexes on the attributes that are marked as indexed in the schema. LDAP-aware clients can query the server in a wide variety of ways.

Q12. What types of naming convention does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies the object uniquely, but only within its parent container. Thus, the name uniquely identifies the object relative to the other objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent container is CN=Users (Users is a container, not an organizational unit). For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:

DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.

OU: The Organizational Unit (OU) tag identifies an organizational unit container.

CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object.

An example of a typical distinguished name would be:

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name (UPN) that is generated for each user object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define additional UPN suffixes if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).
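As an added example (not from the original document), the following PowerShell converts a distinguished name into its canonical name without contacting a domain controller, and then compares the result with what Active Directory itself reports for the wjglenn user from the text. It goes one step beyond the page by handling the RFC 4514 escape that the text does not mention: a comma inside an RDN value is written "\," in a DN and must not be treated as a separator. The functions and the second sample DN are assumptions for illustration.

```powershell
# Added example: DN -> RDN list -> canonical name, with RFC 4514 escaping.

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    # Split on unescaped commas only; returns RDNs leaf-first, as in the DN.
    $parts   = [System.Collections.Generic.List[string]]::new()
    $sb      = [System.Text.StringBuilder]::new()
    $escaped = $false
    foreach ($ch in $DN.ToCharArray()) {
        if ($escaped)        { [void]$sb.Append($ch); $escaped = $false }
        elseif ($ch -eq '\') { [void]$sb.Append($ch); $escaped = $true }
        elseif ($ch -eq ',') { $parts.Add($sb.ToString()); [void]$sb.Clear() }
        else                 { [void]$sb.Append($ch) }
    }
    $parts.Add($sb.ToString())
    return $parts
}

function ConvertTo-CanonicalName {
    param([Parameter(Mandatory)][string]$DN)
    $dcs = @(); $path = @()
    foreach ($rdn in Split-DistinguishedName $DN) {
        $tag, $value = $rdn -split '=', 2
        $value = $value -replace '\\(.)', '$1'     # drop RFC 4514 escapes
        if ($tag -eq 'DC') { $dcs  += $value }      # DNS labels, root-most last
        else               { $path += $value }      # OU/CN path, leaf first
    }
    [array]::Reverse($path)                         # canonical form is root first
    return (($dcs -join '.') + '/' + ($path -join '/'))
}

# The example from the text:
ConvertTo-CanonicalName 'CN=wjglenn,CN=Users,DC=contoso,DC=com'
# contoso.com/Users/wjglenn

# Assumed second object whose common name contains a comma:
ConvertTo-CanonicalName 'CN=Glenn\, Walter,OU=Sales,OU=Staff,DC=contoso,DC=com'
# contoso.com/Staff/Sales/Glenn, Walter

# The RDN is the leaf element; it must be unique within its container only.
(Split-DistinguishedName 'CN=wjglenn,CN=Users,DC=contoso,DC=com')[0]   # CN=wjglenn

# Cross-check against the directory (ActiveDirectory module, user must exist):
Import-Module ActiveDirectory
$u = Get-ADUser -Identity wjglenn -Properties CanonicalName, UserPrincipalName
$u.DistinguishedName
$u.CanonicalName        # same string the function produced
$u.UserPrincipalName    # e.g. wjglenn@contoso.com
```

A naive `-split ','` on the second DN would produce an extra, meaningless RDN "Walter" and a wrong canonical name; tools that build DNs from user input need the inverse care, escaping commas, plus signs, quotes, and leading or trailing spaces before concatenating.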

Q13. What is multimaster replication?

Active Directory uses multimaster replication, in which every replica of an Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14. Which two operations master roles should be available when new security principals are being created and named?

The domain naming master and the relative ID (RID) master. In practice the RID master is the one that matters for day-to-day object creation: a domain controller can keep creating users, groups, and computers from its current RID block while the RID master is unavailable, but fails once the block is exhausted.


Q15 What are different types of groups

Security groups Security groups are used to group domain users into a single administrative unit Security groups can be assigned permissions and can also be used as e-mail distribution lists Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group Windows itself uses only security groups

Distribution groups: These are used for nonsecurity purposes by applications other than Windows. One of the primary uses is within an e-mail

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16. What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.

2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.

3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.

2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.

2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.

3. Universal groups are used to assign permissions to related resources in multiple domains.

4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.

5. You can grant permissions for a universal group to any resource in any domain.

Q17. What are the items that groups of different scopes can contain in mixed and native mode domains?

Q18. What is group nesting?

Placing one group inside another is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas Junior Admins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.
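As an added example (not part of the original document) covering both the scope rules in Q16 and the nesting design in Q18, this Python encodes those rules as a checker and runs the Junior Admins plan through it at two functional levels; the group, domain and user names are constructed, and the same-domain restriction on nesting domain local groups is assumed rather than taken from the text.

```python
# Added example (not from the original document): the Windows Server 2003
# group-scope rules from Q16 encoded as a checker, applied to a constructed
# version of the Junior Admins nesting design from Q18.
NATIVE_LEVELS = {"Windows 2000 native", "Windows Server 2003"}
ACCOUNT_KINDS = {"user", "computer"}
SCOPES = {"global", "domain local", "universal"}


def can_contain(group_scope, group_domain, member_kind, member_domain,
                domain_level="Windows 2000 mixed", forest_level="Windows 2000"):
    """Return (allowed, reason) for placing a member into a group.

    member_kind is "user", "computer" or the scope of a nested group."""
    if group_scope not in SCOPES or member_kind not in SCOPES | ACCOUNT_KINDS:
        raise ValueError("unknown group scope or member kind")
    same_domain = group_domain.lower() == member_domain.lower()
    native = domain_level in NATIVE_LEVELS
    if "universal" in (group_scope, member_kind) and forest_level not in NATIVE_LEVELS:
        return False, "universal groups exist only at a native forest functional level"

    if group_scope == "global":
        if member_kind in ACCOUNT_KINDS:
            return same_domain, "global groups take accounts only from their own domain"
        if member_kind != "global":
            return False, "global groups cannot contain %s groups" % member_kind
        if not native:
            return False, "nesting global groups needs a native domain functional level"
        return same_domain, "global groups nest only global groups of the local domain"

    if group_scope == "domain local":
        if member_kind in ACCOUNT_KINDS or member_kind == "global":
            return True, "accounts and global groups from any domain in the forest are allowed"
        if not native:
            return False, "nesting %s groups needs a native domain functional level" % member_kind
        if member_kind == "domain local":
            # Assumption, not stated in the text: such nesting stays within one domain.
            return same_domain, "domain local groups nest only within their own domain"
        return True, "universal groups from any domain are allowed"

    if member_kind == "domain local":                        # universal group
        return False, "universal groups cannot contain domain local groups"
    return True, "accounts, global and universal groups from any domain are allowed"


def validate_plan(plan, domain_level, forest_level):
    """plan: (group_name, group_scope, group_domain, member_name, member_kind,
    member_domain) tuples. Returns the rejected steps with their reasons."""
    rejected = []
    for gname, gscope, gdom, mname, mkind, mdom in plan:
        ok, why = can_contain(gscope, gdom, mkind, mdom, domain_level, forest_level)
        if not ok:
            rejected.append((gname, mname, why))
    return rejected


# Constructed version of the Q18 design: one global group per city, all
# nested into one Junior Admins group that is then granted the permissions.
JUNIOR_ADMINS_PLAN = [
    ("Dallas Junior Admins", "global", "contoso.com", "jdoe", "user", "contoso.com"),
    ("Junior Admins", "global", "contoso.com", "Dallas Junior Admins", "global", "contoso.com"),
    ("Junior Admins", "global", "contoso.com", "Tokyo Junior Admins", "global", "asia.contoso.com"),
]

if __name__ == "__main__":
    for level in ("Windows 2000 mixed", "Windows Server 2003"):
        print(level, "->", validate_plan(JUNIOR_ADMINS_PLAN, level, level) or "plan is valid")
```

At the mixed level both nesting steps are rejected; at the native level only the cross-domain Tokyo group is, which is the case where a universal or domain local group would be needed instead.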

Q19. How many characters can a group name contain?

64

Q20. Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.


Q21. What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

DFS root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

DFS link: A link is another share somewhere on the network that goes under the root. When a user opens this link, they will be redirected to a shared folder.

DFS target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as DFS targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved to provide better performance and to add additional fault tolerance, load balancing, and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools, which can be used to make administrative backup and restoration tasks of the DFS namespaces easier. The client Windows operating system includes a DFS client, which provides additional features as well as caching.


Q22. What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for domain DFS, and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24. What does a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversees the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

- Making changes to the site topology based on changes to the physical network topology.

- Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.

- Monitoring network connectivity and setting the costs for links between sites.

Q1. What is DNS?

DNS provides name registration and name-to-address resolution capabilities. DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand: these are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that they were labor intensive. A host file is modified manually, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.


Q2. Which are the four generally accepted naming conventions?

NetBIOS Name (for instance, SPRINGERS01)

TCP/IP Address (121133244)

Host Name (Abbey)

Media Access Control (MAC) address: this is the network adapter hardware address.

Q3. How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps:

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to higher and higher-level name servers, until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.


Below, the steps are explained with the help of a chart.

Figure 8-5: How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com. IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.


2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com. IN CNAME eric.foobarbaz.com.

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain, even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com. IN MX 10 eric.foobarbaz.com.

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.


One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse, with the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com. IN NS draven.foobarbaz.com.

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of a SOA record; then each part of it will be explained:

foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
    1996111901 ; Serial
    10800 ; Refresh
    3600 ; Retry
    3600000 ; Expire
    86400 ) ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address, if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on their own entry. In this way, the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache or save this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.

Quick Summary of the major records in DNS

Record Type: Definition

Host (A): Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.


Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.
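As an added example (not from the original document), this Python parses a zone written in the foobarbaz.com style of the records above and checks the rules the text gives (one SOA, at least two NS records each backed by an A record, CNAME targets that are names with A records rather than IP addresses, an MX preference within 0..65535, a YYYYMMDDNN serial), then implements the serial-bumping rule from the SOA section; draven's address 36.36.1.7 and the example.com zone are constructed.

```python
# Added example (not from the original document): zone-file checks for the
# record rules described above; draven's address 36.36.1.7 is made up.
import datetime

SAMPLE_ZONE = """\
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
    1996111901 ; Serial
    10800      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum
foobarbaz.com.        IN NS    draven.foobarbaz.com.
foobarbaz.com.        IN NS    eric.foobarbaz.com.
foobarbaz.com.        IN MX 10 eric.foobarbaz.com.
*.foobarbaz.com.      IN MX 10 eric.foobarbaz.com.
eric.foobarbaz.com.   300 IN A 36.36.1.6
draven.foobarbaz.com. IN A     36.36.1.7
www.foobarbaz.com.    IN CNAME eric.foobarbaz.com.
"""

# Constructed zone carrying the mistakes the text warns about.
BAD_ZONE = """\
example.com. IN SOA ns1.example.com. hostmaster.example.com. ( 2024 3600 600 86400 300 )
example.com. IN NS ns1.example.com.
www.example.com. IN CNAME 192.168.0.1
example.com. IN MX 70000 mail.example.com.
"""


def parse_zone(text):
    """(owner, ttl, type, rdata tokens) per record; strips ';' comments, folds
    '( ... )' lines and allows an optional TTL between owner and class."""
    logical, buf, depth = [], "", 0
    for line in text.split("\n"):
        line = line.split(";", 1)[0]
        if not line.strip() and depth == 0:
            continue
        buf += " " + line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(buf.replace("(", " ").replace(")", " ").split())
            buf = ""
    if depth:
        raise ValueError("unbalanced parentheses in zone data")
    records = []
    for toks in logical:
        i, ttl = 1, None
        if toks[i].isdigit():
            ttl, i = int(toks[i]), i + 1
        if toks[i].upper() != "IN":
            raise ValueError("expected class IN in: " + " ".join(toks))
        records.append((toks[0].lower(), ttl, toks[i + 1].upper(), toks[i + 2:]))
    return records


def _is_ipv4(text):
    parts = text.rstrip(".").split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def _serial_ok(serial):
    """YYYYMMDDNN: ten digits whose first eight form a real date."""
    try:
        datetime.datetime.strptime(serial[:8], "%Y%m%d")
    except ValueError:
        return False
    return len(serial) == 10 and serial.isdigit()


def check_zone(records):
    """Return a list of problems (empty when the zone passes every check)."""
    soa = [r for r in records if r[2] == "SOA"]
    if len(soa) != 1:
        return ["expected exactly one SOA record, found %d" % len(soa)]
    apex, serial = soa[0][0], soa[0][3][2]
    a_owners = {owner for owner, _, rtype, _ in records if rtype == "A"}
    problems = [] if _serial_ok(serial) else ["SOA serial %s is not YYYYMMDDNN" % serial]
    if sum(1 for r in records if r[2] == "NS" and r[0] == apex) < 2:
        problems.append("zone needs at least two NS records")
    for owner, _, rtype, rdata in records:
        target = rdata[-1]
        # only targets inside this zone can be checked against its own A records
        local = target.lower() == apex or target.lower().endswith("." + apex)
        if rtype == "NS" and local and target.lower() not in a_owners:
            problems.append("NS target %s has no A record" % target)
        elif rtype == "CNAME" and _is_ipv4(target):
            problems.append("CNAME %s points to an IP address, not a name" % owner)
        elif rtype == "CNAME" and local and target.lower() not in a_owners:
            problems.append("CNAME %s targets %s, which has no A record" % (owner, target))
        elif rtype == "MX" and (len(rdata) != 2 or not rdata[0].isdigit()
                                or int(rdata[0]) > 65535):
            problems.append("MX %s needs a preference 0..65535 and one target" % owner)
    return problems


def next_serial(current, today):
    """today is a datetime.date or a 'YYYYMMDD' string. The first change of a
    day gives YYYYMMDD01 and later changes bump NN; a serial already at or
    past today's base is just incremented so secondaries still see it grow."""
    if not isinstance(today, str):
        today = today.strftime("%Y%m%d")
    day_base = int(today) * 100
    return current + 1 if current >= day_base else day_base + 1
```

Running check_zone over SAMPLE_ZONE returns no problems, while BAD_ZONE yields one finding per mistake (bad serial, a single NS record without an A record, a CNAME pointing at an address, and an MX preference above 65535).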

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zones in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8. Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.


Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.

- The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.


Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers via an external network load balancing appliance (i.e., F5's Big IP, Cisco's Content Switches, Local Directors). The main question being the configuration: whether to use 2 Master/Primary Servers, or is it wiser to use 1 Primary and 1 Secondary? The reason is that I feel there are two configurations that could be set up. One in which only the resolvers query the virtual IP address on the load balancing appliance, or actually configure your NS records to point to the Virtual Address so that all queries, i.e., both local queries directly from local users and also queries from external DNS servers. I've included a text representation of the physical configuration. Have you ever heard of or architected such a configuration?


> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                  |
>                  |
>          -----------------
>          |               |
> ----------------   --------------
> |    DNS 1     |   |    DNS 2   |
> ----------------   --------------
>      1111               1112

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local resolver or ISP's DNS server find the pointer records, please? E.g., I run nslookup 161.114.1.206 and get a reply for a Compaq server - how does it know where to look? Is there a giant reverse lookup zone in the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
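As an added example (not from the original document), this Python builds the in-addr.arpa name, walks the referrals from the root through the ARIN and Compaq zones against a constructed delegation table, and adds the forward-confirmation check implied by the PTR section earlier; the *.example server names are hypothetical stand-ins, and the IPv6 (ip6.arpa) support goes beyond the text.

```python
# Added example (not from the original document): the reverse-mapping walk
# described above, simulated against a constructed delegation table, plus the
# forward-confirmation check a service should apply to a reverse lookup.
# *.example server names are hypothetical stand-ins for ARIN's and Compaq's.
import ipaddress

# Constructed stand-ins for the real data: who is delegated which reverse
# zone, the PTR record itself, and the forward A record that confirms it.
DELEGATIONS = {
    ".": ["a.root-servers.net."],
    "161.in-addr.arpa.": ["ns.arin.example."],
    "1.114.161.in-addr.arpa.": ["ns.compaq.example."],
}
PTR_RECORDS = {"206.1.114.161.in-addr.arpa.": "inmail.compaq.com."}
A_RECORDS = {"inmail.compaq.com.": ["161.114.1.206"]}


def reverse_name(ip):
    """161.114.1.206 -> 206.1.114.161.in-addr.arpa. (IPv6 uses ip6.arpa
    with one hex nibble per label; the text covers IPv4 only)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ancestors(name):
    """Zones that could hold a delegation for name, root first: '.',
    'arpa.', 'in-addr.arpa.', '161.in-addr.arpa.', ... (name itself excluded)."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, 0, -1)]


def resolve_ptr(ip, delegations=DELEGATIONS, ptr_records=PTR_RECORDS):
    """Follow referrals from the root down to the zone holding the PTR record.
    Returns (owner name or None, [(zone, server asked), ...])."""
    qname = reverse_name(ip)
    hops = [(zone, delegations[zone][0]) for zone in ancestors(qname) if zone in delegations]
    return ptr_records.get(qname), hops


def forward_confirmed(ip, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """A PTR answer is only evidence of identity when the name it returns has
    an A record for the same address (forward-confirmed reverse DNS)."""
    name = ptr_records.get(reverse_name(ip))
    return name is not None and ip in a_records.get(name, [])


if __name__ == "__main__":
    answer, hops = resolve_ptr("161.114.1.206")
    for zone, server in hops:
        print("referred to %s for %s" % (server, zone))
    print(answer, "forward-confirmed:", forward_confirmed("161.114.1.206"))
```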


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my business. I have looked into having a primary master server running in my server room and adding slave servers in the other areas. I then thought I could just set up a primary and a single slave server and run caching-only servers in the other areas. What are the pros and cons of these two options, or should I run a slave server in every location and still have a caching server with it? I just don't know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain, and I'm not sure that I have DNS set up properly. If the machine that is running the mail is the name of the domain, does there need to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX record for a backup mail server?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1


These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for the zone we are authoritative for? The parent name server handles these already. Is there any problem if our own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is all this traffic happening on TCP? For example, if you have ACLs blocking UDP traffic but allowing TCP traffic, will the transfer work, or will it fail due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8 Whats the largest number I can use in an MX record

gt Could you tell us the highest possible number we can use for the MX gt preference

Preference is an unsigned 16-bit number so the largest number youcan use is 65535
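As an added example (not part of the original Q&A), the following PowerShell script checks a constructed set of zone records for the three mistakes discussed in the CNAME answer above, in Q6 and in Q8: a CNAME whose target is an IP address, a zone with no NS records at its apex, and an MX preference outside the 16-bit range; it also flags an MX pointing at an alias. The zone name, the records and the function names are my own and are constructed for illustration.

```powershell
# Added example: a sanity check for the record mistakes discussed above.
# Zone name, records and function names are constructed for illustration.

$zoneName = 'example.com'

# Constructed sample records: owner relative to the zone, type, rdata.
$records = @(
    [pscustomobject]@{ Owner = '@';    Type = 'SOA';   Rdata = 'ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300' }
    [pscustomobject]@{ Owner = '@';    Type = 'NS';    Rdata = 'ns1.example.com.' }
    [pscustomobject]@{ Owner = 'ns1';  Type = 'A';     Rdata = '192.168.0.2' }
    [pscustomobject]@{ Owner = '@';    Type = 'MX';    Rdata = '10 mail.example.com.' }
    [pscustomobject]@{ Owner = '@';    Type = 'MX';    Rdata = '70000 backup.example.com.' }  # preference too large
    [pscustomobject]@{ Owner = '@';    Type = 'MX';    Rdata = '20 smtp.example.com.' }       # exchange is a CNAME
    [pscustomobject]@{ Owner = 'mail'; Type = 'A';     Rdata = '192.168.0.1' }
    [pscustomobject]@{ Owner = 'www';  Type = 'CNAME'; Rdata = '192.168.0.1' }                # IP address, not a name
    [pscustomobject]@{ Owner = 'smtp'; Type = 'CNAME'; Rdata = 'mail.example.com.' }
)

function Get-FullName {
    # Expand a relative owner ('@' or 'www') to a fully qualified name without the trailing dot.
    param([string]$Owner, [string]$Zone)
    if ($Owner -eq '@') { return $Zone }
    return "$Owner.$Zone"
}

function Test-ZoneRecords {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][string]$Zone
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $ipv4 = '^\d{1,3}(\.\d{1,3}){3}\.?$'

    # Q6: the zone data must carry NS records at its apex; they fill the
    # authority section and tell NOTIFY and dynamic update where to go.
    $apexNs = @($Records | Where-Object { $_.Type -eq 'NS' -and $_.Owner -eq '@' })
    if ($apexNs.Count -eq 0) {
        $findings.Add('No NS records at the zone apex.')
    }

    # Fully qualified names that are aliases; an MX exchange must not be one of them.
    $aliases = @($Records | Where-Object { $_.Type -eq 'CNAME' } |
                ForEach-Object { Get-FullName -Owner $_.Owner -Zone $Zone })

    foreach ($r in $Records) {
        $owner = Get-FullName -Owner $r.Owner -Zone $Zone
        switch ($r.Type) {
            'CNAME' {
                # The field after CNAME is a domain name, never an IP address.
                if ($r.Rdata -match $ipv4) {
                    $findings.Add("CNAME $owner -> '$($r.Rdata)': target is an IP address; use an A record instead.")
                }
                # A CNAME owner may not carry any other record type.
                $others = @($Records | Where-Object { $_.Owner -eq $r.Owner -and $_.Type -ne 'CNAME' })
                if ($others.Count -gt 0) {
                    $types = ($others | ForEach-Object { $_.Type }) -join ', '
                    $findings.Add("CNAME $owner also has $types records; a CNAME must stand alone.")
                }
            }
            'MX' {
                # Q8: preference is an unsigned 16-bit value, so it must be 0..65535.
                $pref, $exchange = $r.Rdata -split '\s+', 2
                $value = 0
                if (-not [int]::TryParse($pref, [ref]$value) -or $value -lt 0 -or $value -gt 65535) {
                    $findings.Add("MX $($owner): preference '$pref' is outside 0..65535.")
                }
                # The exchange should be a host with an A record, not an alias.
                if ($exchange -and ($aliases -contains $exchange.TrimEnd('.'))) {
                    $findings.Add("MX $owner -> $($exchange): exchange is a CNAME; point it at the A record owner.")
                }
            }
        }
    }
    return ,$findings.ToArray()
}

Test-ZoneRecords -Records $records -Zone $zoneName
```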

Q9. Why are there only 13 root name servers?

> I'm wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit on the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that there is some limitation on the number of NS records
> in a DNS packet, specified by certain RFCs, or just Internet policy stuff.
>
> Which one is the proper reason?


It's a technical limitation: UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. What are the five FSMO roles?

Schema Master: forest level, one per forest

Domain Naming Master: forest level, one per forest

PDC Emulator: domain level, one per domain

RID Master: domain level, one per domain

Infrastructure Master: domain level, one per domain

Q2. What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain, the PDC emulator role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a domain controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server. The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog separation above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners, and that they have high bandwidth connections to one another as well as to a Global Catalog server.
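The placement rules above can be checked against a live forest. The following PowerShell is an added example (not from the original document) that uses the RSAT ActiveDirectory module's Get-ADForest, Get-ADDomain and Get-ADDomainController cmdlets; the function name and warning texts are my own. It lists the five role holders and flags the Schema/Domain Naming Master not being on a Global Catalog, the Infrastructure Master sharing a server with a Global Catalog, and the PDC Emulator and RID Master being split.

```powershell
# Added example, not from the original document. Requires the RSAT
# ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param(
        # DNS name of the domain to inspect; defaults to the current domain.
        [string]$Domain
    )
    $forest = Get-ADForest
    $dom    = if ($Domain) { Get-ADDomain -Identity $Domain } else { Get-ADDomain }
    $dcs    = @(Get-ADDomainController -Filter * -Server $dom.DNSRoot)

    # The five role holders, as returned by the forest and domain objects.
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    $forestGcs   = @($forest.GlobalCatalogs)   # GCs anywhere in the forest
    $domainGcs   = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })
    $multiDomain = @($forest.Domains).Count -gt 1
    $allDcsAreGc = $dcs.Count -gt 0 -and $domainGcs.Count -eq $dcs.Count

    $warnings = New-Object System.Collections.Generic.List[string]

    # Schema Master and Domain Naming Master belong on Global Catalog servers.
    foreach ($name in 'Schema Master', 'Domain Naming Master') {
        if ($forestGcs -notcontains $roles[$name]) {
            $warnings.Add("$name ($($roles[$name])) is not on a Global Catalog server.")
        }
    }

    # Infrastructure Master must not be a GC in a multi-domain forest. Two cases
    # are harmless: a single-domain forest (noted in the text) and, an exception
    # the text does not mention, a domain where every DC is a GC.
    if ($multiDomain -and -not $allDcsAreGc -and ($domainGcs -contains $roles['Infrastructure Master'])) {
        $warnings.Add("Infrastructure Master ($($roles['Infrastructure Master'])) is a Global Catalog; cross-domain references will not be refreshed.")
    }

    # Recommended, not mandatory: PDC Emulator and RID Master on the same DC.
    if ($roles['PDC Emulator'] -ne $roles['RID Master']) {
        $warnings.Add('PDC Emulator and RID Master are on different DCs (recommended on the same one).')
    }

    [pscustomobject]@{
        Domain         = $dom.DNSRoot
        Roles          = $roles
        GlobalCatalogs = $domainGcs
        Warnings       = $warnings.ToArray()
    }
}

$report = Get-FsmoPlacementReport
$report.Roles
$report.Warnings
```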

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group

RID Master: member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out what servers in your domain/forest hold what server roles


1. Active Directory Users and Computers: use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move, and click the Change button. When you do connect to another DC you will notice the name of that DC will be in the field below the Change button (not in this graphic).


2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree, and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the support tools you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.


5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server, and add the name of a domain controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

- Command-line tool to query for the current FSMO role holders.
- Part of the Microsoft Windows 2000 Server Resource Kit.
- Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
- Prints to the screen the current FSMO holders.
- Calls NTDSUTIL to get this information.

7. NLTEST

- Command-line tool to perform common network administrative tasks.
- Type "nltest /?" for syntax and switches.
- Common uses:
  - Get a list of all DCs in the domain.
  - Get the name of the PDC emulator.
  - Query or reset the secure channel for a server.
  - Call DsGetDCName to query for an available domain controller.

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their display settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or by domain policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a domain, and these policies are configured on domain controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the site level only) or Active Directory Users and Computers (these policies apply to the domain and/or organizational units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name or another site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have administrative privileges to create/modify group policies. The following shows who can create/modify group policies, by policy type:

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the site level, the domain level, or at the organizational unit (OU) level. Group Policies are applied in a specific order, LSDOU: local policies first, then site based policies, then domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, domains and OUs are considered container objects.

Computer and user Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and, under the Disable column, double click; a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do the group policy scripts run?

Startup scripts are processed at computer bootup and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Login scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When does the group policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called background refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 mins with a +/- 30 min interval, so the refresh could be 60, 90 or 120 mins. For DCs (domain controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes, Administrative Templates\System\Group Policy.

Q9. Which are the policies which do not get affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

- Folder Redirection
- Software Installation
- Logon, Logoff, Startup and Shutdown Scripts

Q9. How to refresh Group Policies using the command line

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:machine (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which are the policies which get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

- Administrative Templates
- Security Settings
- EFS Recovery
- IPSec

Q12. Which are the policies which do not get applied over slow links?

- IE Maintenance Settings
- Folder Redirection
- Scripts
- Disk Quota settings
- Software Installation and Maintenance

These settings can be changed under the Computer and User nodes, Administrative Templates\System\Group Policy.


If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy: this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The default domain policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

- Password Policy
- Account Lockout Policy
- Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (site or OU), they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are 3 policies that are affected by the Default Domain Policy:

- Automatically log off users when logon time expires
- Rename Administrator Account: when set at the domain level it affects the Domain Administrator account only
- Rename Guest Account: when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy: this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain, regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to default

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which restores the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema, but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: The local GPO on the computer is processed, and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions to control the inheritance of the group policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
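To make the precedence rules concrete, here is an added PowerShell simulation (not part of the original document) of the Local, Site, Domain, OU processing order described under "Resolving GPOs from Multiple Sources", together with the No Override and Block Inheritance exceptions above. The container levels, GPO names and setting names are constructed for illustration, and the function names are my own.

```powershell
# Added example, not from the original document: simulates how the settings in
# a set of linked GPOs are resolved into the set a client actually receives.
# Container, GPO and setting names below are constructed for illustration.

function New-GpoLink {
    # A link as it appears in a container's Group Policy tab.
    param([string]$Name, [hashtable]$Settings, [switch]$NoOverride)
    [pscustomobject]@{ Name = $Name; Settings = $Settings; NoOverride = [bool]$NoOverride }
}

function Resolve-GroupPolicy {
    param(
        # Containers in processing order: Local, Site, Domain, OU, nested OU (parent before child).
        # Each has Level, BlockInheritance and Links (listed top to bottom, as in the GUI).
        [Parameter(Mandatory)][object[]]$Containers
    )
    $local    = New-Object System.Collections.Generic.List[object]   # the local GPO is never "inherited"
    $normal   = New-Object System.Collections.Generic.List[object]   # inheritable links, in application order
    $enforced = New-Object System.Collections.Generic.List[object]   # No Override links, parent first

    foreach ($c in $Containers) {
        # Block Inheritance discards everything inherited from parent containers,
        # except links marked No Override, which a child cannot block.
        if ($c.BlockInheritance) { $normal.Clear() }

        # Links are applied bottom to top, so the top entry in the list wins.
        $links = @($c.Links)
        for ($i = $links.Count - 1; $i -ge 0; $i--) {
            $l = $links[$i]
            if ($c.Level -eq 'Local')  { $local.Add($l) }
            elseif ($l.NoOverride)     { $enforced.Add($l) }
            else                       { $normal.Add($l) }
        }
    }

    # Application order: local, then site/domain/OU links, then the No Override
    # links in reverse, so the highest container's enforced link is applied last
    # and therefore wins every conflict.
    $order = New-Object System.Collections.Generic.List[object]
    $order.AddRange($local)
    $order.AddRange($normal)
    $enforced.Reverse()
    $order.AddRange($enforced)

    # Later GPOs overwrite earlier ones; remember which GPO set each value.
    $resolved = [ordered]@{}
    $source   = [ordered]@{}
    foreach ($l in $order) {
        foreach ($k in $l.Settings.Keys) {
            $resolved[$k] = $l.Settings[$k]
            $source[$k]   = $l.Name
        }
    }
    [pscustomobject]@{
        Order      = @($order | ForEach-Object { $_.Name })
        Settings   = $resolved
        WinningGpo = $source
    }
}

# Constructed scenario: the domain enforces a password rule, and the HR OU
# blocks inheritance and links three GPOs in the order shown on its tab.
$containers = @(
    [pscustomobject]@{ Level = 'Local';  BlockInheritance = $false; Links = @(
        (New-GpoLink 'Local Policy' @{ ScreenSaverTimeout = 600; AllowWindowsUpdate = $true })) }
    [pscustomobject]@{ Level = 'Site';   BlockInheritance = $false; Links = @(
        (New-GpoLink 'Site Policy' @{ ScreenSaverTimeout = 900 })) }
    [pscustomobject]@{ Level = 'Domain'; BlockInheritance = $false; Links = @(
        (New-GpoLink 'Password Rules' @{ MinPasswordLength = 12 } -NoOverride)) }
    [pscustomobject]@{ Level = 'OU';     BlockInheritance = $true;  Links = @(
        (New-GpoLink 'No ScreenSaver'      @{ ScreenSaverTimeout = 0; MinPasswordLength = 4 }),
        (New-GpoLink 'No Display Settings' @{ AllowDisplaySettings = $false }),
        (New-GpoLink 'No Windows Update'   @{ AllowWindowsUpdate = $false })) }
)

$result = Resolve-GroupPolicy -Containers $containers
$result.Order
$result.Settings
$result.WinningGpo
```

In this scenario the Site Policy value is discarded by the OU's Block Inheritance, the three OU links apply bottom to top exactly as described for the Human Resources OU above, and the domain's No Override link still wins the MinPasswordLength conflict with the OU.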

Q16 How to Redirect New User and Computer Accounts

By default new user and computer accounts are created in the Users and Computers containers respectively You cannot link a GPO to either of these built-in containers Even though the built-in containers inherit GPOs linked to the domain you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO Windows Server 2003 includes two new tools that let you redirect the target locationfor new user and computer accounts You can use redirusrexe to redirect user accounts and redircompexe to redirect computer accounts Once you choose the OU for redirection new user and computer accounts are createddirectly in the new target OU where the appropriate GPOs are linked For example you could create an OU named New Users link an appropriate GPO to the OU and then redirect the creation of new-users accounts to the New Users OU Any new users created would immediately be affected by the settings in the GPO Administrators could then move the new user accounts to a more appropriate location later You can find both of these tools in the windirsystem32 folder on any computer running Windows Server 2003 You can learn more about using these tools in Knowledge Base article 324949 ldquoRedirecting the Users and Computers Containers in Windows Server 2003 Domainsrdquo in the Microsoft Knowledge Base at httpsupportmicrosoftcom

Q17 What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.

Editing GPOs linked to domains requires Domain Administrative permissions.

Editing GPOs linked to OUs requires permissions for the OU.

Q18 What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.


Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


Operations Master Roles

When a change is made to a domain, the change is replicated across all of the domain controllers in the domain. Some changes, such as those made to the schema, are replicated across all of the domains in the forest. This replication is called multimaster replication.

During multimaster replication, a replication conflict can occur if originating updates are performed concurrently on the same object attribute on two domain controllers. To avoid replication conflicts, Active Directory uses single master replication, which designates one domain controller as the only domain controller on which certain directory changes can be made. This way, changes cannot occur at different places in the network at the same time. Active Directory uses single master replication for important changes, such as the addition of a new domain or a change to the forest-wide schema.

Operations that use single-master replication are arranged together in specific roles in a forest or domain. These roles are called operations master roles. For each operations master role, only the domain controller that holds that role can make the associated directory changes. The domain controller that is responsible for a particular role is called an operations master for that role. Active Directory stores information about which domain controller holds a specific role.

Forest-wide Roles

Forest-wide roles are unique to a forest. The forest-wide roles are:

Schema master: Controls all updates to the schema. The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers.

Domain naming master: Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain.

There is only one schema master and one domain naming master in the entire forest.

Domain-wide Roles

Domain-wide roles are unique to each domain in a forest. The domain-wide roles are:

Primary domain controller emulator (PDC): Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows NT within a mixed-mode domain. This type of domain has domain controllers that run Windows NT 4.0. The PDC emulator is the first domain controller that you create in a new domain.

Relative identifier master (RID): When a new object is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain. The RID master allocates blocks of RIDs to each domain controller in the domain. The domain controller then assigns a RID to objects that are created from its allocated block of RIDs.

Infrastructure master: When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain. The object reference contains the object's globally unique identifier (GUID), distinguished name, and a SID. Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object.

The global catalog contains:

The attributes that are most frequently used in queries, such as a user's first name, last name, and logon name.

The information that is necessary to determine the location of any object in the directory.

The access permissions for each object and attribute that is stored in the global catalog. If you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results. Access permissions ensure that users can find only objects to which they have been assigned access.

A global catalog server is a domain controller that, in addition to its full writable domain directory partition replica, also stores a partial read-only replica of all other domain directory partitions in the forest. Taking a user object as an example, it would by default have many different attributes, such as first name, last name, phone number, and many more. The GC will by default only store the most common of those attributes that would be used in search operations (such as a user's first and last names or login name, for example). The partial attributes that it has for that object would be enough to allow a search for that object to locate the full replica of the object in Active Directory. This allows searches to be done against a local GC and reduces network traffic over the WAN in an attempt to locate objects somewhere else in the network.

Domain controllers always contain the full attribute list for objects belonging to their domain. If the domain controller is also a GC, it will also contain a partial replica of objects from all other domains in the forest.

Active Directory uses DNS as the name resolution service to identify domains and domain host computers during processes such as logging on to the network.

Similar to the way a Windows NT 4.0 client will query WINS for a NetBIOS DOMAIN[1B] record to locate a PDC or a NetBIOS DOMAIN[1C] record for domain controllers, a Windows 2000, Windows Server 2003, or Windows XP client can query DNS to find a domain controller by looking for SRV records.

Integration of DNS and Active Directory

The integration of DNS and Active Directory is essential because a client computer in a Windows 2000 network must be able to locate a domain controller so that users can log on to a domain or use the services that Active Directory provides. Clients locate domain controllers and services by using A resource records and SRV records. The A resource record contains the FQDN and IP address for the domain controller. The SRV record contains the FQDN of the domain controller and the name of the service that the domain controller provides.
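The SRV-then-A lookup described above, as an added example that is not part of the original document: it queries the domain-controller SRV records that Windows clients use (optionally the site-specific ones, which is why site names must be valid DNS names) and resolves each target's A record. It assumes Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 or later); contoso.com and the site name are placeholders.

```powershell
# Added example (not from the original document). Requires Resolve-DnsName (DnsClient
# module); the domain and site names used at the bottom are placeholders.
function Find-DomainController {
    param(
        [Parameter(Mandatory)][string]$DnsDomain,
        # Optional site name: DCs also register SRV records under <site>._sites
        [string]$Site
    )

    # Domain controllers register the LDAP service under _msdcs.<domain>:
    #   _ldap._tcp.dc._msdcs.<domain>               any DC in the domain
    #   _ldap._tcp.<site>._sites.dc._msdcs.<domain>  DCs in one site
    $name = if ($Site) { "_ldap._tcp.$Site._sites.dc._msdcs.$DnsDomain" }
            else       { "_ldap._tcp.dc._msdcs.$DnsDomain" }

    # Resolve-DnsName may return additional-section records; keep only the SRV answers
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }

    # Clients prefer the lowest Priority; among equal priorities, higher Weight
    # is chosen proportionally more often
    $ordered = $srv | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
    foreach ($record in $ordered) {
        # The A record supplies the IP address for the FQDN named in the SRV record
        $a = Resolve-DnsName -Name $record.NameTarget -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{
            Query            = $name
            DomainController = $record.NameTarget
            Port             = $record.Port
            Priority         = $record.Priority
            Weight           = $record.Weight
            IPAddress        = ($a.IPAddress -join ', ')
        }
    }
}

# Any DC in the domain, then only the DCs registered for one site
Find-DomainController -DnsDomain 'contoso.com' | Format-Table -AutoSize
Find-DomainController -DnsDomain 'contoso.com' -Site 'Default-First-Site-Name' | Format-Table -AutoSize
```

If the SRV query fails, the domain's DNS zone is missing the _msdcs records that clients need to log on, which is the first thing to check when domain logons fail.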

What Are Active Directory Integrated Zones

One benefit of integrating DNS and Active Directory is the ability to integrate DNS zones into an Active Directory database. A zone is a portion of the domain namespace that has a logical grouping of resource records, which allows zone transfers of these records to operate as one unit.

Active Directory Integrated Zones

Microsoft DNS servers store information that is used to resolve host names to IP addresses and IP addresses to host names in a database file that has the extension .dns for each zone.

Active Directory integrated zones are primary zones that are stored as objects in the Active Directory database. If zone objects are stored in an Active Directory domain partition, they are replicated to all domain controllers in the domain.

What Are DNS Zones

A zone starts as a storage database for a single DNS domain name. If other domains are added below the domain used to create the zone, these domains can either be part of the same zone or belong to another zone. Once a subdomain is added, it can then either be:

Managed and included as part of the original zone records, or

Delegated away to another zone created to support the subdomain.


Types of Zones

There are two types of zones: forward lookup and reverse lookup. Forward lookup zones contain information needed to resolve names within the DNS domain. They must include SOA and NS records and can include any type of resource record except the PTR resource record. Reverse lookup zones contain information needed to perform reverse lookups. They usually include SOA, NS, PTR, and CNAME records.

With most queries, the client supplies a name and requests the IP address that corresponds to that name. This type of query is typically described as a forward lookup. Active Directory requires forward lookup zones.

However, what if a client already has a computer's IP address and wants to determine the DNS name for the computer? This is important for programs that implement security based on the connecting FQDN, and it is used for TCP/IP network troubleshooting. The DNS standard provides for this possibility through reverse lookups.

Once you have installed Active Directory, you have two options for storing your zones when operating the DNS server at the new domain controller:

Standard Zone

Zones stored this way are located in .dns text files that are stored in the %SystemRoot%\System32\Dns folder on each computer operating a DNS server. Zone file names correspond to the name you choose for the zone when creating it, such as example.microsoft.com.dns if the zone name was example.microsoft.com.

This type offers the choice of using either a Standard Primary zone or a Standard Secondary zone.

Standard Primary Zone

For standard primary-type zones, only a single DNS server can host and load the master copy of the zone. If you create a zone and keep it as a standard primary zone, no additional primary servers for the zone are permitted. Only one server is allowed to accept dynamic updates, also known as DDNS, and process zone changes. The standard primary model implies a single point of failure.

Standard Secondary Zone

A secondary name server gets the data for its zones from another name server (either a primary name server or another secondary name server) for that zone across the network. The data in a secondary zone is read-only, and updated information must come from additional zone transfers. The process of obtaining this zone information (i.e., the database file) across the network is referred to as a zone transfer. Zone transfers occur over TCP port 53.

Secondary servers can provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used. Additionally, if a primary server is down, a secondary server can provide some name resolution in the zone until the primary server is available.

Note: A Standard Primary zone will not replicate its information to any other DNS servers but may allow zone transfers to Secondary zones. Windows Server 2003 also supports stub zones. A secondary or stub zone cannot be hosted on a DNS server that hosts a primary zone for the same domain name.

Directory-integrated Zone

Zones stored this way are located in the Active Directory tree under the domain object container. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it. Active Directory integrated zones will replicate this information to other domain controllers in that domain.

Note: If DNS is running on a Windows 2000 server that is not a domain controller, it will not be able to use Active Directory integrated zones or replicate with other domain controllers, since it does not have Active Directory installed.

DNS Records

After you create a zone, additional resource records need to be added to it. The most common resource records (RRs) to be added are:

Table 1: Record Types

Name                    Description
Host (A)                For mapping a DNS domain name to an IP address used by a computer.
Alias (CNAME)           For mapping an alias DNS domain name to another primary or canonical name.
Mail Exchanger (MX)     For mapping a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR)           For mapping a reverse DNS domain name, based on the IP address of a computer, to the forward DNS domain name of that computer.
Service location (SRV)  For mapping a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.

Other resource records as needed.

Q1 What does the logical component of the Active Directory structure include?

Objects - Resources are stored in the Active Directory as objects.

Subcategory: object class

An object is really just a collection of attributes. A user object, for example, is made up of attributes such as name, password, phone number, group membership, and so on. The attributes that make up an object are defined by an object class. The user class, for example, specifies the attributes that make up the user object.

The Active Directory Schema -

The classes and the attributes that they define are collectively referred to as the Active Directory Schema; in database terms, a schema is the structure of the tables and fields and how they are related to one another. You can think of the Active Directory Schema as a collection of data (object classes) that defines how the real data of the directory (the attributes of an object) is organized and stored.

Domains

The basic organizational structure of the Windows Server 2003 networking model is the domain. A domain represents an administrative boundary. The computers, users, and other objects within a domain share a common security database.

Trees

Multiple domains are organized into a hierarchical structure called a tree. Actually, even if you have only one domain in your organization, you still have a tree. The first domain you create in a tree is called the root domain. The next domain that you add becomes a child domain of that root. This expandability of domains makes it possible to have many domains in a tree. Figure 1-1 shows an example of a tree. Microsoft.com was the first domain created in Active Directory in this example and is therefore the root domain.

[Figure 1-1 shows a tree with Microsoft.com as the root domain and the child domains sales.microsoft.com, RND.Microsoft.com, West.Microsoft.com, and East.Microsoft.com beneath it.]

Figure 1-1 A tree is a hierarchical organization of multiple domains.

All domains in a tree share a common schema and a contiguous namespace. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in.

Forest

A forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory-enabled computer (domain controller) on a network is installed.

This first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.

Figure 1-2 shows an example of a forest with two trees. Each tree in the forest has its own namespace. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com (after the first domain created).

Figure 1-2 Trees in a forest share the same schema but not the same namespace.

[Figure 1-2 shows two trees: Microsoft.com, labelled "Root domain of microsoft.com forest & tree", with the child domains sales.microsoft.com, RND.Microsoft.com, West.Microsoft.com, and East.Microsoft.com; and Contoso.com, labelled "Root domain of Contoso.com forest", with the child domains West.contoso.com and East.contoso.com.]

A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests; this would let you grant access to resources and accounts that are outside of a particular forest.

Organizational Units

Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain.

OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2 What does the physical structure of Active Directory contain?

Physical structures include domain controllers and sites.

Q3 What is nesting?

The creation of an OU inside another OU.

IMP - once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4 What is a trust relationship, and how many types of trust relationship are there in Exchange 2003?

Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain).

Windows Server 2003 supports six types of trust relationships:

Parent and child trusts

Tree-root trusts

External trusts

Shortcut trusts

Realm trusts

Forest trusts


Q5 What is a site?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6 What is the use of a site?

Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic.

More specifically, sites are used to control the following:

Workstation logon traffic

Replication traffic

Distributed File System (DFS)

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.

File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7 What are the objects a site contains?

Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.


Q8 What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

Q9 Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller, and the changes will be replicated to other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes, and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q10 What are the different types of replication?

Replication within a single site (called intrasite replication)

Replication between sites (called intersite replication)

Intrasite Replication: Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite Replication: Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11 What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that email and other programs use to look up information from a server.

An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12 What types of naming conventions does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. Thus, the name uniquely identifies the object relative to the other objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:

DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.

OU: The Organizational Unit (OU) tag identifies an organizational unit container.

CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object.

An example of a typical distinguished name would be:

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).
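An added example (not code from the original document) that implements the naming rules above in PowerShell: splitting a distinguished name into its RDNs (honouring backslash-escaped commas, which real DNs contain), extracting the RDN, and converting a DN to the canonical-name syntax (DNS domain first, path from the root down, no attribute tags). The function names are assumptions for this example; only the wjglenn DN comes from the text.

```powershell
# Added example (not from the original document). Pure string handling; needs no
# Active Directory module and can be run against any DN string.

function Split-DistinguishedName {
    # Splits a DN into its RDNs on unescaped commas. A backslash escapes the
    # following character, so "CN=Smith\, John" stays a single RDN.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $rdns    = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $DistinguishedName.Length; $i++) {
        $c = $DistinguishedName[$i]
        if ($c -eq '\' -and $i + 1 -lt $DistinguishedName.Length) {
            $i++
            [void]$current.Append($DistinguishedName[$i])
        }
        elseif ($c -eq ',') {
            $rdns.Add($current.ToString().Trim())
            [void]$current.Clear()
        }
        else {
            [void]$current.Append($c)
        }
    }
    $rdns.Add($current.ToString().Trim())
    return ,$rdns.ToArray()   # leading comma keeps a one-element result as an array
}

function Get-RelativeDistinguishedName {
    # The RDN is the leftmost component of the DN, e.g. "CN=wjglenn"
    param([Parameter(Mandatory)][string]$DistinguishedName)
    return (Split-DistinguishedName $DistinguishedName)[0]
}

function ConvertTo-CanonicalName {
    # Canonical form: DC parts joined with "." come first, then the container path
    # from the root down to the object separated by "/", with no attribute tags.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $domainLabels = @()
    $path         = @()
    foreach ($rdn in (Split-DistinguishedName $DistinguishedName)) {
        $tag, $value = $rdn -split '=', 2
        if ($null -eq $value) { continue }        # not an attribute=value pair; skip
        if ($tag.Trim().ToUpper() -eq 'DC') {
            $domainLabels += $value               # DNs list DC parts left to right
        }
        else {
            # A "/" inside a value is escaped because "/" is the path separator;
            # prepend because the DN is leaf-first and the canonical name is root-first
            $path = @($value.Replace('/', '\/')) + $path
        }
    }
    $canonical = $domainLabels -join '.'
    if ($path.Count -gt 0) { $canonical += '/' + ($path -join '/') }
    return $canonical
}

$dn = 'CN=wjglenn,CN=Users,DC=contoso,DC=com'
Get-RelativeDistinguishedName $dn
ConvertTo-CanonicalName $dn
# An OU-based DN with an escaped comma in the common name (constructed sample)
ConvertTo-CanonicalName 'CN=Smith\, John,OU=Sales,OU=West,DC=contoso,DC=com'
```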

Q13 What is multimaster replication?

Active Directory follows the multimaster replication model, in which every replica of the Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14 Which two operations master roles should be available when new security principals are being created and named?

Domain naming master and the relative ID master.

Q15 What are the different types of groups?

Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups: These are used for nonsecurity purposes by applications other than Windows. One of the primary uses is within an e-mail

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16 What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17 What are the items that groups of different scopes can contain in mixed and native mode domains

Q18 What is group nesting

Placing of one group in another is called as group nesting

For example suppose you had juniorlevel administrators in four different geographic locations as shown in Figure 4-10 You could create a separate group for each location (named something like Dallas JuniorAdmins) Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group This approach would allow you to set permissions on a single group and have those permissions flow down to the members yet still be able to subdivide the junior administrators by location

Q19 How many characters can a group name contain?

64

Q20 Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.


Q21 What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user only has to remember one name, which is the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link, they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs targets under the same link.

The figure below shows the actual folder structure that the user sees when using DFS with load balancing.

Figure 1: The actual folder structure of DFS with load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved for better performance and to add fault tolerance, load balancing and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools, which can be used to make administrative, backup and restoration tasks for DFS namespaces easier. Client Windows operating systems include a DFS client, which provides additional features as well as caching.


Q22 What are the types of replication in DFS?

There are two types of replication:

Automatic: only available for domain DFS.

Manual: available for stand-alone DFS and requires all files to be replicated manually.

Q23 Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24 What does a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

- Making changes to the site topology based on changes to the physical network topology.
- Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.
- Monitoring network connectivity and setting the costs for links between sites.

Q1 What is DNS?

DNS provides name registration and name-to-address resolution capabilities. DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand. These are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that they were labor intensive. A host file is modified manually, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.


Q2 Which are the four generally accepted naming conventions?

NetBIOS Name (for instance, SPRINGERS01)

TCP/IP Address (121133244)

Host Name (Abbey)

Media Access Control (MAC) address: this is the network adapter hardware address

Q3 How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to higher and higher level name servers until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.


Below, the steps are explained with the help of a chart.

Figure 8-5: How DNS works

Q4 Which are the major records in DNS?

1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.


2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example for the A record at the beginning of this document, the record simply has the IP address in reverse, with the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nsealgxnet" and "nsfalgxnet" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of a SOA record; then each part of it will be explained.

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
        1996111901 ; Serial
        10800      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        86400 )    ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on its own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
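How a secondary name server acts on the SOA values above, as an added example that is not code from the original page: it uses the foobarbaz.com serial and timers and models the refresh, retry and expire decisions, plus the YYYYMMDDNN serial scheme. Function and parameter names are this example's own.

```python
"""How a secondary name server uses the SOA timing values.

Added example, not code from the original page. It takes the SOA values of
the foobarbaz.com record above (serial 1996111901, refresh 10800, retry 3600,
expire 3600000, minimum 86400) and models the decisions a secondary makes
with them: when to poll the primary, whether a transfer is needed given the
two serial numbers, when to retry after a failed poll, and when it must stop
answering for the zone because its copy has expired. Timestamps are plain
seconds; the function and parameter names are this example's own.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Soa:
    serial: int    # incremented on every change to the zone
    refresh: int   # seconds between checks of the primary's serial number
    retry: int     # seconds to wait before retrying a failed check
    expire: int    # seconds a secondary may serve the zone without a successful refresh
    minimum: int   # seconds other name servers should cache the data


EXAMPLE_SOA = Soa(serial=1996111901, refresh=10800, retry=3600,
                  expire=3600000, minimum=86400)


def needs_transfer(primary_serial: int, secondary_serial: int) -> bool:
    """The secondary pulls the zone only when the primary's serial is higher."""
    return primary_serial > secondary_serial


def next_serial(current: int, today: date) -> int:
    """Next serial in YYYYMMDDNN form, NN counting the changes made that day."""
    day = int(today.strftime("%Y%m%d")) * 100
    if current < day:
        return day + 1      # first change of the day
    if current >= day + 99:
        raise ValueError(f"serial {current} cannot be advanced within today's NN range")
    return current + 1


def secondary_state(soa: Soa, now: int, last_good_refresh: int, last_failed_check):
    """Return (state, next_check_at) for a secondary at time `now`.

    "current":  the last check of the primary succeeded; poll again after `refresh`.
    "retrying": the last check failed; keep answering but poll again after `retry`.
    "expired":  no successful refresh for `expire` seconds; stop answering for the zone.
    `last_failed_check` is the time of the most recent failed poll, or None.
    """
    if now - last_good_refresh >= soa.expire:
        return "expired", None
    if last_failed_check is not None and last_failed_check > last_good_refresh:
        return "retrying", last_failed_check + soa.retry
    return "current", last_good_refresh + soa.refresh


def simulate(soa: Soa, primary_reachable, start: int = 0):
    """Walk through successive polls; primary_reachable[i] says whether poll i succeeds.

    Returns a list of (poll_time, state_after_poll); the walk stops once expired.
    """
    last_good, last_failed, now, trace = start, None, start, []
    for ok in primary_reachable:
        state, next_check = secondary_state(soa, now, last_good, last_failed)
        if state == "expired":
            break               # the zone has been dropped; nothing more to poll for
        now = next_check
        if ok:
            last_good, last_failed = now, None
        else:
            last_failed = now
        trace.append((now, secondary_state(soa, now, last_good, last_failed)[0]))
    return trace


if __name__ == "__main__":
    print(next_serial(EXAMPLE_SOA.serial, date(1996, 11, 19)))   # second change that day
    for when, state in simulate(EXAMPLE_SOA, [True, False, False]):
        print(f"t={when:>6}s  {state}")
```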

Quick summary of the major records in DNS

Record type: definition

Host (A): Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.
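A checker for the record rules this section states (one SOA, at least two NS, an A record for every name server, exchanger and alias target, NS/MX data naming the canonical host, CNAME data that is a name rather than an address, a 16-bit MX preference, and PTR owners that invert the target's A record), as an added example that is not code from the original page. The sample zone is built from the foobarbaz.com records above; draven's address is constructed.

```python
"""Sanity checks for a small zone built from the record types described above.

Added example, not code from the original page. Records are written in the
one-line form used in this section (owner [ttl] IN TYPE rdata), with the SOA
on a single line. The sample zone is constructed from the foobarbaz.com
examples above; draven's address 36.36.1.7 is invented for the example.
"""
import ipaddress
from collections import defaultdict

SAMPLE_ZONE = """
foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com 1996111901 10800 3600 3600000 86400
foobarbaz.com IN NS draven.foobarbaz.com
foobarbaz.com IN NS eric.foobarbaz.com
eric.foobarbaz.com IN A 36.36.1.6
draven.foobarbaz.com 300 IN A 36.36.1.7
www.foobarbaz.com IN CNAME eric.foobarbaz.com
foobarbaz.com IN MX 10 eric.foobarbaz.com
6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com
"""

REVERSE_SUFFIX = ".in-addr.arpa"


def parse_zone(text):
    """Return a list of (owner, ttl, type, rdata_tokens); ttl is None when absent."""
    records = []
    for line in text.strip().splitlines():
        tokens = line.split()
        ttl = int(tokens.pop(1)) if tokens[1].isdigit() else None   # optional TTL field
        owner, cls, rtype, *rdata = tokens
        if cls != "IN":
            raise ValueError(f"only class IN is supported: {line}")
        records.append((owner.lower(), ttl, rtype.upper(), [t.lower() for t in rdata]))
    return records


def reverse_name(ip):
    """36.36.1.6 -> 6.1.36.36.in-addr.arpa, the owner name of the PTR record."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + REVERSE_SUFFIX


def is_address(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_zone(text, apex):
    """Return a list of problems found in the zone text; an empty list means it passed."""
    by_type = defaultdict(list)
    for rec in parse_zone(text):
        by_type[rec[2]].append(rec)
    a_records = defaultdict(set)              # name -> set of addresses
    for owner, _, _, rdata in by_type["A"]:
        a_records[owner].add(rdata[0])
    aliases = {owner for owner, _, _, _ in by_type["CNAME"]}
    problems = []

    def in_zone(name):
        return name == apex or name.endswith("." + apex)

    def require_canonical_host(rtype, target, role):
        # NS, MX and CNAME data should name a host with an A record, not another alias.
        if target in aliases:
            problems.append(f"{rtype} {role} {target} is an alias; use the canonical name")
        elif in_zone(target) and target not in a_records:
            problems.append(f"{rtype} {role} {target} has no A record")

    if len(by_type["SOA"]) != 1:
        problems.append(f"expected exactly one SOA record, found {len(by_type['SOA'])}")
    if sum(1 for owner, *_ in by_type["NS"] if owner == apex) < 2:
        problems.append("at least two NS records are required for the zone")
    for _, _, _, rdata in by_type["NS"]:
        require_canonical_host("NS", rdata[0], "name server")
    for owner, _, _, rdata in by_type["MX"]:
        if not (rdata[0].isdigit() and int(rdata[0]) <= 65535):
            problems.append(f"MX preference {rdata[0]} for {owner} is not an unsigned 16-bit number")
        require_canonical_host("MX", rdata[1], "exchanger")
    for owner, _, _, rdata in by_type["CNAME"]:
        if is_address(rdata[0]):
            problems.append(f"CNAME {owner} points at address {rdata[0]}; it must name a host")
        else:
            require_canonical_host("CNAME", rdata[0], "target")
    for owner, _, _, rdata in by_type["PTR"]:
        if not owner.endswith(REVERSE_SUFFIX):
            continue
        ip = ".".join(reversed(owner[: -len(REVERSE_SUFFIX)].split(".")))
        if rdata[0] in a_records and ip not in a_records[rdata[0]]:
            problems.append(f"PTR {owner} names {rdata[0]}, whose A record is not {ip}")
    return problems


if __name__ == "__main__":
    for line in check_zone(SAMPLE_ZONE, "foobarbaz.com") or ["zone passes all checks"]:
        print(line)
```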

Q5 What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6 Name the two zone types in DNS

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7 How many SOA records does each zone contain?

Each zone has one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8 Short summary of the records in DNS

NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.


Q9 What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10 What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11 What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12 How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13 What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14 What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15 What is the default interval after which the DNS server kicks off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1 How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary. The reason is that I feel there are two configurations
> that could be set up: one in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. both local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?

>              VIP = 16714715
>      ------------------------------------
>     |       Load Balancer Device         |
>      ------------------------------------
>                      |
>                      |
>             -----------------
>             |               |
>      ----------------  --------------
>     |     DNS 1      ||    DNS 2    |
>      ----------------  --------------
>          1.1.1.1           1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2 How does reverse mapping work?

> How can reverse lookup possibly work on the Internet? How can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.


Q3 What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4 Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example 300 IN A 10.0.0.1

Q5 Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example

Q6 What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7 Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8 What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9 Why are there only 13 root name servers?

> I'm wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit on the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation of NS record numbers
> in a DNS packet is specified by certain RFCs, or it's just Internet policy stuff.
>
> Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

Important information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1 Which are the five FSMO roles?

Schema Master (forest level): one per forest

Domain Naming Master (forest level): one per forest

PDC Emulator (domain level): one per domain

RID Master (domain level): one per domain

Infrastructure Master (domain level): one per domain

Q2 What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as a NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog Server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP - Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog server rule above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master - member of the Schema Admins group

Domain Naming Master - member of the Enterprise Admins group

PDC Emulator - member of the Domain Admins group and/or the Enterprise Admins group

RID Master - member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master - member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out what servers in your domain/forest hold what server roles

1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choose Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the Support Tools you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.
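As an added example (not part of this document), the Python below parses the text printed by netdom query fsmo and checks the role holders against the placement guidance in Q6 above; the netdom output, the list of Global Catalog servers and the domain count are constructed sample inputs, and the exact role labels are assumed to be those printed by netdom.

```python
"""Check FSMO role placement against the Q6 guidance.

Added example, not part of the original document. It parses the text
printed by 'netdom query fsmo' and reports placements that conflict with
the best practices described above. All inputs below are constructed.
"""
import re
from typing import Dict, List, Set

# Role labels as printed by 'netdom query fsmo' (assumed wording).
ROLE_PATTERN = re.compile(
    r"^(Schema master|Domain naming master|PDC|RID pool manager|"
    r"Infrastructure master)\s+(\S+)\s*$"
)
ALL_ROLES = ("Schema master", "Domain naming master", "PDC",
             "RID pool manager", "Infrastructure master")

# Constructed sample output: three DCs with the roles spread across them.
NETDOM_OUTPUT = """\
Schema master               dc1.corp.example.com
Domain naming master        dc1.corp.example.com
PDC                         dc2.corp.example.com
RID pool manager            dc3.corp.example.com
Infrastructure master       dc1.corp.example.com
The command completed successfully.
"""

# Constructed: which DCs are Global Catalog servers in this forest.
GLOBAL_CATALOGS = {"dc1.corp.example.com"}


def parse_netdom_fsmo(text: str) -> Dict[str, str]:
    """Return {role label: holder FQDN (lower-cased)} from netdom output."""
    holders: Dict[str, str] = {}
    for line in text.splitlines():
        match = ROLE_PATTERN.match(line.strip())
        if match:
            holders[match.group(1)] = match.group(2).lower()
    missing = [role for role in ALL_ROLES if role not in holders]
    if missing:
        raise ValueError(f"role(s) not found in netdom output: {missing}")
    return holders


def check_placement(holders: Dict[str, str], global_catalogs: Set[str],
                    domain_count: int) -> List[str]:
    """Apply the Q6 guidance and return one finding per violated rule."""
    gcs = {name.lower() for name in global_catalogs}
    findings: List[str] = []

    # Forest-level roles: both should sit on a Global Catalog server.
    for role in ("Schema master", "Domain naming master"):
        if holders[role] not in gcs:
            findings.append(f"{role} on {holders[role]} is not a Global Catalog")

    # The Infrastructure master must not be a GC in a multi-domain forest:
    # a GC already knows every object, so the role never sees cross-domain
    # changes and stops replicating them. Single domain: not an issue.
    infra = holders["Infrastructure master"]
    if domain_count > 1 and infra in gcs:
        findings.append(
            f"Infrastructure master on {infra} is also a Global Catalog "
            "(multi-domain forest): cross-domain updates will not replicate")

    # Recommended, not mandatory: PDC emulator and RID master together.
    if holders["PDC"] != holders["RID pool manager"]:
        findings.append(
            f"PDC emulator ({holders['PDC']}) and RID master "
            f"({holders['RID pool manager']}) are on different servers "
            "(recommended to co-locate)")
    return findings


if __name__ == "__main__":
    for finding in check_placement(parse_netdom_fsmo(NETDOM_OUTPUT),
                                   GLOBAL_CATALOGS, domain_count=2):
        print("WARNING:", finding)
```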

5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest /?" for syntax and switches.

Common uses:

Get a list of all DCs in the domain.

Get the name of the PDC emulator.

Query or reset the secure channel for a server.

Call DsGetDCName to query for an available domain controller.

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name or another Site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies, you can disable either the Computer node or User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and under the Disable column double click - a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer bootup and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Login scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min interval, so the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection, Software Installation, Logon/Logoff/Startup/Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy - to refresh the user policies
secedit /refreshpolicy machine_policy - to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user - to refresh the user policies
gpupdate /target:machine - to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The default domain policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally and so on.

Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which restores the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
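The processing order from Q5 and Q14 and the two inheritance exceptions above, modelled as an added Python example (not from the original document): the GPO names follow the Human Resources OU illustration in Q5, all settings and values are constructed, and the model assumes the local GPO is not affected by Block Inheritance because it is not a linked GPO.

```python
"""Simulate Group Policy processing order and inheritance control.

Added example, not part of the original document. It models the LSDOU
order (Local, Site, Domain, OU, nested OU), bottom-to-top link order within
a container, No Override on a link and Block Inheritance on a container.
GPO names, settings and values below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]   # policy setting -> configured value


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False  # "No Override" set on this link


@dataclass
class Container:
    name: str
    # Links as listed on the Group Policy tab: index 0 is the TOP of the
    # list, which is applied last and therefore wins conflicts.
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


Effective = Dict[str, Tuple[str, str]]  # setting -> (value, winning GPO)


def resolve(chain: List[Container], local_gpo: Optional[GPO] = None) -> Effective:
    """chain is ordered Site, Domain, OU, nested OU... (parent before child)."""
    applied: List[GPO] = []
    # The local GPO is not a linked GPO, so Block Inheritance does not
    # remove it (assumption used by this model); it is processed first.
    if local_gpo is not None:
        applied.append(local_gpo)

    # Block Inheritance discards the ordinary links of every container above
    # the blocking one; the deepest block in the chain is the one that counts.
    first_kept = 0
    for index, container in enumerate(chain):
        if container.block_inheritance:
            first_kept = index

    # Pass 1: ordinary links, parents first, each list bottom to top.
    for container in chain[first_kept:]:
        for link in reversed(container.links):
            if not link.no_override:
                applied.append(link.gpo)

    # Pass 2: No Override links are applied after everything else, child
    # containers first and parents last, so a parent's No Override GPO is
    # applied last and can be neither overridden nor blocked by a child.
    for container in reversed(chain):
        for link in reversed(container.links):
            if link.no_override:
                applied.append(link.gpo)

    effective: Effective = {}
    for gpo in applied:
        for setting, value in gpo.settings.items():
            effective[setting] = (value, gpo.name)  # last writer wins
    return effective


def example_chain() -> List[Container]:
    """Constructed scenario around the Human Resources OU used above."""
    default_domain = GPO("Default Domain Policy",
                         {"windows_update": "allowed", "min_password_length": "8"})
    lockdown = GPO("Corp Lockdown", {"screensaver_required": "yes"})
    no_update = GPO("No Windows Update", {"windows_update": "blocked"})
    no_display = GPO("No Display Settings", {"display_cpl_tabs": "none"})
    no_saver = GPO("No ScreenSaver", {"display_cpl_tabs": "all_but_screensaver",
                                      "screensaver_required": "no"})
    site = Container("Default-First-Site-Name")
    domain = Container("corp.example.com",
                       [Link(default_domain), Link(lockdown, no_override=True)])
    # Listed top to bottom as on the Group Policy tab; applied bottom to top,
    # so No Windows Update is applied first and No ScreenSaver last.
    hr_ou = Container("Human Resources OU",
                      [Link(no_saver), Link(no_display), Link(no_update)])
    return [site, domain, hr_ou]


if __name__ == "__main__":
    for setting, (value, source) in sorted(resolve(example_chain()).items()):
        print(f"{setting:22} = {value:20} (from {source})")
```

Setting block_inheritance on the Human Resources OU drops the Default Domain Policy settings but not those of the No Override link, matching the rule in Q15.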

Q16. How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.

  • ACTIVE DIRECTORY ndash DNS ndash FSMO ndash GROUP POLICY
  • What Is Active Directory
    • Purpose of Active Directory
    • Functions of Active Directory
    • Sites within Active Directory
      • Operations Master Roles
        • Forest-wide Roles
        • Domain-wide Roles
        • Integration of DNS and Active Directory
          • What Are Active Directory Integrated Zones
            • Active Directory Integrated Zones
              • What Are DNS Zones
                • Types of Zones
                  • Standard Zone
                    • Standard Primary Zone
                    • Standard Secondary Zone
                      • Directory-integrated Zone
                          • DNS Records
Page 3: Interview Based Question AD DNS FSMO GPO

Relative identifier master (RID)When a new object is created the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID) This SID consists of a domain SID which is the same for all security principals created in the domain and a RID which is unique for each security principal created in the domain The RID master allocates blocks of RIDs to each domain controller in the domain The domain controller then assigns a RID to objects that are created from its allocated block of RIDs

Infrastructure master: When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain. The object reference contains the object's globally unique identifier (GUID), distinguished name, and SID. Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object.

The global catalog contains:

The attributes that are most frequently used in queries, such as a user's first name, last name, and logon name.

The information that is necessary to determine the location of any object in the directory.

The access permissions for each object and attribute that is stored in the global catalog. If you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results. Access permissions ensure that users can find only objects to which they have been assigned access.

A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. Taking a user object as an example, it would by default have many different attributes, such as first name, last name, phone number, and many more. The GC will by default only store the most common of those attributes, the ones used in search operations (such as a user's first and last names or login name). The partial set of attributes that it holds for that object is enough to allow a search for that object to locate the full replica of the object in Active Directory. This allows searches to be done against a local GC and reduces network traffic over the WAN when locating objects somewhere else in the network.

Domain controllers always contain the full attribute list for objects belonging to their domain. If the domain controller is also a GC, it will also contain a partial replica of objects from all other domains in the forest.

Active Directory uses DNS as the name resolution service to identify domains and domain host computers during processes such as logging on to the network.

Similar to the way a Windows NT 4.0 client will query WINS for a NetBIOS DOMAIN[1B] record to locate a PDC, or a NetBIOS DOMAIN[1C] record for domain controllers, a Windows 2000, Windows Server 2003, or Windows XP client can query DNS to find a domain controller by looking for SRV records.

Integration of DNS and Active Directory

The integration of DNS and Active Directory is essential because a client computer in a Windows 2000 network must be able to locate a domain controller so that users can log on to a domain or use the services that Active Directory provides. Clients locate domain controllers and services by using A resource records and SRV records. The A resource record contains the FQDN and IP address for the domain controller. The SRV record contains the FQDN of the domain controller and the name of the service that the domain controller provides.
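The SRV-then-A lookup just described, as an added example that is not part of the original document: a constructed in-memory zone is queried the way a client locates a domain controller. The `_ldap._tcp.dc._msdcs.<domain>` and `..._sites...` record names are the standard DC locator names and the priority/weight selection follows RFC 2782; both go beyond what the text above states, and all zone data is constructed.

```python
# Added example (not from the original document): how a client finds a domain
# controller from SRV and A records, run against a constructed in-memory zone.
# The _ldap._tcp.dc._msdcs.<domain> and ..._sites... names are the standard DC
# locator record names, and priority/weight selection follows RFC 2782; neither
# is stated in the text above. All data below is constructed for the example.
import random
from typing import Dict, List, NamedTuple, Optional, Tuple, Union


class Srv(NamedTuple):
    priority: int   # lower is preferred
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # FQDN of the domain controller offering the service


# Constructed sample zone: contoso.com with DCs in two sites, one of them "Paris".
ZONE: Dict[str, List[Union[Srv, str]]] = {
    "_ldap._tcp.dc._msdcs.contoso.com": [
        Srv(0, 100, 389, "dc1.contoso.com"),
        Srv(0, 100, 389, "dc2.contoso.com"),
        Srv(10, 100, 389, "dc3.contoso.com"),   # used only if no priority-0 DC answers
    ],
    "_ldap._tcp.Paris._sites.dc._msdcs.contoso.com": [
        Srv(0, 100, 389, "dc3.contoso.com"),
    ],
    # A records: FQDN of the DC -> IP address
    "dc1.contoso.com": ["10.1.0.11"],
    "dc2.contoso.com": ["10.1.0.12"],
    "dc3.contoso.com": ["10.2.0.11"],
}


def lookup_srv(zone, name: str) -> List[Srv]:
    return [r for r in zone.get(name, []) if isinstance(r, Srv)]


def lookup_a(zone, fqdn: str) -> List[str]:
    return [r for r in zone.get(fqdn, []) if isinstance(r, str)]


def choose_srv(records: List[Srv], rng: random.Random) -> Optional[Srv]:
    """Lowest priority wins; among equals, pick at random in proportion to weight."""
    if not records:
        return None
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.uniform(0, total)
    running = 0
    for r in candidates:
        running += r.weight
        if pick <= running:
            return r
    return candidates[-1]


def locate_dc(zone, domain: str, site: Optional[str] = None,
              seed: Optional[int] = None) -> Optional[Tuple[str, str, int]]:
    """Return (fqdn, ip, port) of a DC for `domain`, preferring the client's own site.

    The site-specific SRV name is tried first so that logon traffic stays local;
    the domain-wide name is the fallback when the site has no DC (or is unknown).
    """
    rng = random.Random(seed)
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    for name in names:
        rec = choose_srv(lookup_srv(zone, name), rng)
        if rec is None:
            continue
        ips = lookup_a(zone, rec.target)     # SRV gives the FQDN; the A record gives its address
        if ips:
            return rec.target, ips[0], rec.port
    return None
```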

What Are Active Directory Integrated Zones

One benefit of integrating DNS and Active Directory is the ability to integrate DNS zones into an Active Directory database. A zone is a portion of the domain namespace that has a logical grouping of resource records, which allows zone transfers of these records to operate as one unit.

Active Directory Integrated Zones

Microsoft DNS servers store the information that is used to resolve host names to IP addresses and IP addresses to host names in a database file with the extension .dns for each zone.

Active Directory integrated zones are primary zones that are stored as objects in the Active Directory database. If zone objects are stored in an Active Directory domain partition, they are replicated to all domain controllers in the domain.

What Are DNS Zones

A zone starts as a storage database for a single DNS domain name. If other domains are added below the domain used to create the zone, these domains can either be part of the same zone or belong to another zone. Once a subdomain is added, it can then either be:

Managed and included as part of the original zone records, or

Delegated away to another zone created to support the subdomain.

Types of Zones

There are two types of zones: forward lookup and reverse lookup. Forward lookup zones contain the information needed to resolve names within the DNS domain. They must include SOA and NS records and can include any type of resource record except the PTR resource record. Reverse lookup zones contain the information needed to perform reverse lookups. They usually include SOA, NS, PTR, and CNAME records.

With most queries, the client supplies a name and requests the IP address that corresponds to that name. This type of query is typically described as a forward lookup. Active Directory requires forward lookup zones.

However, what if a client already has a computer's IP address and wants to determine the DNS name for the computer? This is important for programs that implement security based on the connecting FQDN, and it is used for TCP/IP network troubleshooting. The DNS standard provides for this possibility through reverse lookups.

Once you have installed Active Directory, you have two options for storing your zones when operating the DNS server at the new domain controller:

Standard Zone

Zones stored this way are located in .dns text files that are stored in the %SystemRoot%\System32\Dns folder on each computer operating a DNS server. Zone file names correspond to the name you choose for the zone when creating it, such as Example.microsoft.com.dns if the zone name was example.microsoft.com.

This type offers the choice of using either a Standard Primary zone or a Standard Secondary zone.

Standard Primary Zone

For standard primary-type zones, only a single DNS server can host and load the master copy of the zone. If you create a zone and keep it as a standard primary zone, no additional primary servers for the zone are permitted. Only one server is allowed to accept dynamic updates (also known as DDNS) and process zone changes. The standard primary model therefore implies a single point of failure.

Standard Secondary Zone

A secondary name server gets the data for its zones from another name server (either a primary name server or another secondary name server) for that zone across the network. The data in a secondary zone is read-only, and updated information must come from additional zone transfers. The process of obtaining this zone information (i.e., the database file) across the network is referred to as a zone transfer. Zone transfers occur over TCP port 53.

Secondary servers provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used. Additionally, if a primary server is down, a secondary server can provide some name resolution in the zone until the primary server is available.

Note: A standard primary zone will not replicate its information to any other DNS servers, but it may allow zone transfers to secondary zones. Windows Server 2003 also supports stub zones. A secondary or stub zone cannot be hosted on a DNS server that hosts a primary zone for the same domain name.

Directory-integrated Zone

Zones stored this way are located in the Active Directory tree under the domain object container. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it. Active Directory integrated zones replicate this information to the other domain controllers in that domain.

Note: If DNS is running on a Windows 2000 server that is not a domain controller, it will not be able to use Active Directory integrated zones or replicate with other domain controllers, since it does not have Active Directory installed.

DNS Records

After you create a zone, additional resource records need to be added to it. The most common resource records (RRs) to be added are:

Table 1: Record Types

Name                   | Description
Host (A)               | For mapping a DNS domain name to an IP address used by a computer
Alias (CNAME)          | For mapping an alias DNS domain name to another primary or canonical name
Mail Exchanger (MX)    | For mapping a DNS domain name to the name of a computer that exchanges or forwards mail
Pointer (PTR)          | For mapping a reverse DNS domain name, based on the IP address of a computer, to the forward DNS domain name of that computer
Service location (SRV) | For mapping a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers
Other resource records | As needed

Q1 What does the logical component of the Active Directory structure include?

Objects: Resources are stored in Active Directory as objects.

Sub-category: object class

An object is really just a collection of attributes. A user object, for example, is made up of attributes such as name, password, phone number, group membership, and so on. The attributes that make up an object are defined by an object class. The user class, for example, specifies the attributes that make up the user object.

The Active Directory Schema:

The classes and the attributes that they define are collectively referred to as the Active Directory Schema; in database terms, a schema is the structure of the tables and fields and how they are related to one another. You can think of the Active Directory Schema as a collection of data (object classes) that defines how the real data of the directory (the attributes of an object) is organized and stored.

Domains

The basic organizational structure of the Windows Server 2003 networking model is the domain. A domain represents an administrative boundary. The computers, users, and other objects within a domain share a common security database.

Trees

Multiple domains are organized into a hierarchical structure called a tree. Actually, even if you have only one domain in your organization, you still have a tree. The first domain you create in a tree is called the root domain. The next domain that you add becomes a child domain of that root. This expandability of domains makes it possible to have many domains in a tree. Figure 1-1 shows an example of a tree. Microsoft.com was the first domain created in Active Directory in this example and is therefore the root domain.

[Figure 1-1 shows the domains Microsoft.com, sales.microsoft.com, RND.Microsoft.com, West.Microsoft.com, and East.Microsoft.com arranged as a tree]

Figure 1-1 A tree is a hierarchical organization of multiple domains.

All domains in a tree share a common schema and a contiguous namespace. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in.

Forest

A forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory-enabled computer (domain controller) on a network is installed.

This first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.

Figure 1-2 shows an example of a forest with two trees. Each tree in the forest has its own namespace. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com (after the first domain created).

Figure 1-2 Trees in a forest share the same schema but not the same namespace.

[Figure 1-2 shows two trees: Microsoft.com (labelled "Root domain of microsoft.com forest & tree") with sales.microsoft.com, RND.Microsoft.com, West.Microsoft.com, and East.Microsoft.com; and Contoso.com (labelled "Root domain of Contoso.com forest") with West.contoso.com and East.contoso.com]

A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests; this would let you grant access to resources and accounts that are outside of a particular forest.

Organizational Units

Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain.

OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2 What does the physical structure of Active Directory contain?

Physical structures include domain controllers and sites.

Q3 What is nesting?

The creation of an OU inside another OU.

IMP: once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4 What is a trust relationship, and how many types of trust relationship are there in Exchange 2003?

Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain).

Windows Server 2003 supports six types of trust relationships:

Parent and child trusts

Tree-root trusts

External trusts

Shortcut trusts

Realm trusts

Forest trusts

Q5 What is a site

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6 What is the use of site

Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic.

More specifically, sites are used to control the following:

Workstation logon traffic

Replication traffic

Distributed File System (DFS)

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.

File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7 What are the objects a site contains?

Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.

Q8 What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

Q9 Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller, and the changes will be replicated to other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes, and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher-priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q10 What are the different types of replication?

Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).

Intrasite Replication: Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite Replication: Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity that intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11 What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that e-mail and other programs use to look up information from a server.

An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12 What types of naming conventions does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. Thus, the name uniquely identifies the object relative to the other objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:

DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.

OU: The Organizational Unit (OU) tag identifies an organizational unit container.

CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object.

An example of a typical distinguished name would be:

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).
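The RDN, DN and canonical-name relationships from the sections above, as an added Python example that is not part of the original document: it parses a DN into its components, derives the parent container and domain, converts to the canonical syntax, shows how a move changes the DN, and checks the "no duplicate RDN in one container" rule. The DN is the page's own example; the helper names are mine.

```python
# Added example (not from the original document): parsing LDAP distinguished
# names into RDNs, deriving parent container and domain, converting to the
# canonical-name syntax, and checking the "unique RDN per container" rule.
# The DN values are the page's own example; the function names are mine.
from typing import List, Tuple

Component = Tuple[str, str]   # (attribute tag, value), e.g. ("CN", "wjglenn")


def split_dn(dn: str) -> List[Component]:
    """Split 'CN=wjglenn,CN=Users,DC=contoso,DC=com' into tagged components.

    A backslash escapes the next character, so a value such as 'Smith\\, John'
    stays inside one RDN instead of being split at its comma.
    """
    pieces, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            pieces.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    pieces.append("".join(current))

    components = []
    for piece in pieces:
        tag, sep, value = piece.strip().partition("=")
        if not sep or not tag:
            raise ValueError(f"malformed RDN {piece!r} in {dn!r}")
        components.append((tag.strip().upper(), value.strip()))
    return components


def join_dn(components: List[Component]) -> str:
    """Inverse of split_dn; re-escapes backslashes and commas inside values."""
    def esc(v: str) -> str:
        return v.replace("\\", "\\\\").replace(",", "\\,")
    return ",".join(f"{t}={esc(v)}" for t, v in components)


def rdn(dn: str) -> str:
    """The leftmost component: the name relative to the parent container."""
    return join_dn(split_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """Everything after the RDN: the DN of the container that holds the object."""
    return join_dn(split_dn(dn)[1:])


def domain_dn(dn: str) -> str:
    """Only the DC components, i.e. the DN of the domain the object lives in."""
    return join_dn([c for c in split_dn(dn) if c[0] == "DC"])


def to_canonical(dn: str) -> str:
    """DN -> canonical name: DNS domain first, then containers top-down, then the object.

    CN=wjglenn,CN=Users,DC=contoso,DC=com  ->  contoso.com/Users/wjglenn
    """
    comps = split_dn(dn)
    domain = ".".join(v for t, v in comps if t == "DC")
    path = [v for t, v in comps if t != "DC"]          # DN order: object first, root last
    return "/".join([domain] + list(reversed(path)))   # canonical order is the reverse


def move_object(dn: str, new_parent: str) -> str:
    """Moving an object keeps its RDN; the DN changes to reflect the new container."""
    return f"{rdn(dn)},{new_parent}"


def rdn_conflict(existing_dns: List[str], candidate: str) -> bool:
    """True if an existing object already has this RDN in the same container.

    Comparison is case-insensitive, as directory names are.
    """
    def key(d: str):
        return (rdn(d).lower(), parent_dn(d).lower())
    return any(key(d) == key(candidate) for d in existing_dns)
```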

Q13 What is multimaster replication?

Active Directory follows the multimaster replication model, in which every replica of the Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14 Which two operations master roles should be available when new security principals are being created and named?

Domain naming master and the relative ID master.

Q15 What are the different types of groups?

Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups: These are used for non-security purposes by applications other than Windows. One of the primary uses is within an e-mail

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16 What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.

2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.

3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.

2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.

2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.

3. Universal groups are used to assign permissions to related resources in multiple domains.

4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.

5. You can grant permissions for a universal group to any resource in any domain.

Q17 What are the items that groups of different scopes can contain in mixed and native mode domains?
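The membership rules listed under Q16 for each scope, and the mixed versus native distinction Q17 asks about, encoded as a checker. This is an added example, not part of the original document; functional levels are reduced to "mixed" and "native" (native standing for Windows 2000 native or Windows Server 2003), and the principal names and the `check_nesting` helper are mine.

```python
# Added example (not from the original document): the group-scope membership
# rules from Q16/Q17 encoded as a checker. Functional levels are simplified to
# "mixed" and "native" (native = Windows 2000 native or Windows Server 2003);
# that simplification and all names below are constructed for the example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCOUNTS = {"user", "computer"}
GROUP_SCOPES = {"global", "domain_local", "universal"}


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str      # DNS name of the domain the object was created in
    kind: str        # "user", "computer", or one of GROUP_SCOPES


def can_be_member(group: Principal, member: Principal,
                  level: str = "native") -> Tuple[bool, str]:
    """Return (allowed, reason) for placing `member` in `group` at a functional level."""
    if level not in ("mixed", "native"):
        raise ValueError(f"unknown functional level {level!r}")
    if group.kind not in GROUP_SCOPES:
        return False, f"{group.kind} is not a group scope"
    if member.kind not in ACCOUNTS | GROUP_SCOPES:
        return False, f"{member.kind} cannot be a group member"
    native = level == "native"
    same_domain = group.domain.lower() == member.domain.lower()

    if group.kind == "global":
        if member.kind in ACCOUNTS:
            return same_domain, "global groups take accounts only from their own domain"
        if member.kind == "global":
            return native and same_domain, "global-in-global nesting needs native level and the same domain"
        return False, "global groups cannot contain domain local or universal groups"

    if group.kind == "domain_local":
        if member.kind in ACCOUNTS or member.kind == "global":
            return True, "domain local groups take accounts and global groups from any domain at any level"
        if member.kind == "domain_local":
            # Nesting needs native level; AD also limits it to the same domain,
            # a restriction the Q16 list does not spell out.
            return native and same_domain, "domain local nesting needs native level and the same domain"
        return native, "universal members in a domain local group need native level"

    # universal group
    if not native:
        return False, "universal groups exist only at native forest level"
    if member.kind == "domain_local":
        return False, "universal groups cannot contain domain local groups"
    return True, "universal groups take accounts, global and universal groups from any domain"


def check_nesting(chain: List[Principal], level: str = "native") -> Optional[Tuple[str, str, str]]:
    """Validate a chain [member, group1, group2, ...], each element being added to the next.

    Returns (group, member, reason) for the first step that is not allowed, else None.
    """
    for member, group in zip(chain, chain[1:]):
        ok, reason = can_be_member(group, member, level)
        if not ok:
            return (group.name, member.name, reason)
    return None
```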

Q18 What is group nesting?

Placing one group inside another is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas JuniorAdmins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19 How many characters can a group name contain?

64

Q20 Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.

Q21 What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user only has to remember one name, which will be the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link, they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1 The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved for better performance, additional fault tolerance, load balancing, and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools, which can be used to make administrative backup and restoration tasks for DFS namespaces easier. The client Windows operating system includes a DFS client, which provides additional features as well as caching.

Q22 What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for Domain DFS, and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23 Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24 What can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) who oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

Making changes to the site topology based on changes to the physical network topology.

Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.

Monitoring network connectivity and setting the costs for links between sites.

Q1 What is DNS

DNS provides name registration and name to address resolution capabilities And DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCPIP-based network

Before DNS the practice of mapping friendly host or computer names to IP addresses was handled via host files Host files are easy to understand These are static ASCII text files that simply map a host name to an IP address in a table-like format Windows ships with a HOSTS file in the winntsystem32driversetc subdirectory

The fundamental problem with the host files was that these files were labor intensive A host file is manually modified and it is typically centrally administrated

The DNS system consists of three components DNS data (called resource records) servers (called name servers) and Internet protocols for fetching data from the servers


Q2 Which are the four generally accepted naming conventions?

- NetBIOS name (for instance SPRINGERS01)
- TCP/IP address (a dotted-decimal IPv4 address such as 192.0.2.44)
- Host name (for instance Abbey)
- Media Access Control (MAC) address, the hardware address of the network adapter

Q3 How does DNS really work?

DNS uses a client/server model. The DNS server holds a database of domain names mapped to IP addresses (the zone data); the DNS client, known as the resolver, sends queries to the DNS servers. The bottom line is that DNS resolves a domain name to an IP address using these steps:

Step 1: A client (or "resolver") passes its request to its local name server. For example, the name www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server cannot answer from its own zones or its cache, it queries other name servers on the resolver's behalf (recursion), so that the resolver still receives a single answer.

Step 3: When nothing in its cache helps, the local name server starts at the top of the DNS tree: it asks a root name server, which refers it to the servers for the far-right label (for instance com), which refer it to the servers for idgbooks.com, and so on down the tree until an authoritative server returns the answer.


The steps are illustrated in the chart below.

Figure 8-5: How DNS works

Q4 Which are the major records in DNS?

1. Host or Address records (A) map the name of a machine to its numeric IP address. In clearer terms, this record states the host name and IP address of a certain machine. It has three fields: host name, domain and host IP address.

Eg: eric.foobarbaz.com. IN A 36.36.1.6

It is possible to map more than one IP address to a given host name. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same except for the IP address.


2. Aliases or Canonical Name records (CNAME)

"CNAME" records simply allow a machine to be known by more than one host name. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records (MX, NS and so on) should point to the canonical name, not to an alias. Here is an example of a CNAME:

www.foobarbaz.com. IN CNAME eric.foobarbaz.com.

You can see the similarities to the previous record. Records always read from left to right, with the subject being queried on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases; a new record must be entered for each alias. The reverse is not true: a name that is a CNAME may carry no other record at all, so one alias cannot point at several machines.

For simple load balancing you add several A records for the service name, one per machine you want to balance across; resolvers then receive all of the addresses and servers rotate their order (round robin).

3. Mail Exchange records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it reduces the load on your internal hosts, since they do not have to route incoming mail, and it allows mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience, however, we want our email addresses to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com. IN MX 10 eric.foobarbaz.com.

The column on the far left is the domain part of the address you want to use as an Internet email address. The next two entries have been explained in the previous records. The next column, the number "10", is different from the normal DNS record format: it is a preference value. Larger systems often have backup mail servers, perhaps more than one, and you only want the backups receiving mail if something goes wrong with the primary mail server. You indicate this with your MX records. A lower number means a higher priority, and mail is sent to the server with the lowest number (the lowest possible being 0). If that server becomes unreachable, the computer delivering the mail tries every other server listed in the DNS, in order of preference.

You can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine that has an A record; some mail programs only look for MX records. The MX target must be a canonical name that has an A record, not a CNAME and not an IP address.

It is also possible to use wildcards in MX records. If you have a domain where your users each have their own machine running a mail client, mail could be sent directly to each machine. Rather than clutter your DNS with an MX record per workstation, you can add a wildcard MX record like this one (the leading asterisk is the wildcard):

*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.

This makes mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

Use caution with wildcards. Specific records take precedence over wildcards, and a wildcard only matches names that have no records at all: a workstation that has its own A record but no MX record is not covered by "*.foobarbaz.com", so mail for it is delivered straight to the address in its A record.
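The delivery rules just described, as an added example that is not part of the original page: how a sending mail server chooses where to hand a message, given MX records with preferences, a wildcard MX and a host that has only an A record. The records are a constructed list in the page's foobarbaz.com example; backup, lab and nomx are assumed host names. One detail goes beyond the text above: a wildcard MX only matches names that have no records at all (RFC 1034 section 4.3.3), so a host with its own A record but no MX is not covered by it.

```python
# Added example, not part of the original page: how a sending mail server
# chooses where to deliver, using the MX rules described in the text.
# Constructed records in the page's foobarbaz.com example; backup, lab and
# nomx are assumed host names, as are the 36.36.1.7-9 addresses.
import random

RECORDS = [
    ("foobarbaz.com.",        "MX", (10, "eric.foobarbaz.com.")),
    ("foobarbaz.com.",        "MX", (20, "backup.foobarbaz.com.")),  # assumed backup
    ("*.foobarbaz.com.",      "MX", (10, "eric.foobarbaz.com.")),    # wildcard from the text
    ("lab.foobarbaz.com.",    "MX", (5,  "lab.foobarbaz.com.")),     # specific record wins
    ("eric.foobarbaz.com.",   "A",  "36.36.1.6"),
    ("backup.foobarbaz.com.", "A",  "36.36.1.7"),                     # assumed
    ("lab.foobarbaz.com.",    "A",  "36.36.1.8"),                     # assumed
    ("nomx.foobarbaz.com.",   "A",  "36.36.1.9"),                     # assumed, A only
]


def lookup(records, name, rtype):
    """rdata of `rtype` records at `name`.  Only when no record of any type
    exists at `name` is a wildcard one label up (*.parent) used instead."""
    if any(o == name for o, _, _ in records):
        return [r for o, t, r in records if o == name and t == rtype]
    parent = name.partition(".")[2]
    return [r for o, t, r in records if o == "*." + parent and t == rtype]


def delivery_order(records, domain, seed=0):
    """Hosts to try, in order: MX targets by ascending preference, hosts with
    equal preference in random order (RFC 5321), or the domain itself when it
    has an A record but no MX.  Empty list: nowhere to deliver."""
    mxs = lookup(records, domain, "MX")
    if not mxs:
        return [domain] if lookup(records, domain, "A") else []
    rng = random.Random(seed)            # seeded only to keep the demo repeatable
    groups = {}
    for pref, host in mxs:
        groups.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(groups):
        hosts = groups[pref][:]
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def deliver(records, domain, reachable):
    """Walk the candidate list; return the first reachable host, or None when
    every exchanger is down and the message has to be queued."""
    for host in delivery_order(records, domain):
        if host in reachable:
            return host
    return None


if __name__ == "__main__":
    for name in ("foobarbaz.com.", "desk1.foobarbaz.com.", "lab.foobarbaz.com.", "nomx.foobarbaz.com."):
        print(name, "->", delivery_order(RECORDS, name))
    print("primary down:", deliver(RECORDS, "foobarbaz.com.", {"backup.foobarbaz.com."}))
```

desk1.foobarbaz.com has no records, so the wildcard routes its mail to eric; lab has its own MX and wins over the wildcard; nomx exists (it has an A record), so the wildcard does not apply and mail goes to the A record host, exactly the precedence rule the text warns about.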

4. Pointer records (PTR)

Although there are different ways to set up PTR records, we explain only the most frequently used method, "in-addr.arpa".

In-addr.arpa PTR records are the inverse of A records: they allow your machine to be found by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common for a machine to do a reverse lookup on your machine before allowing you to access a service (such as a web page or an SMTP server). A reverse lookup on its own is only a weak check, though: the PTR record is controlled by whoever holds the address block, so the name it returns should be resolved forward again and accepted only if that name's A record points back to the same address (forward-confirmed reverse DNS). In-addr.arpa records look like this:

6.1.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.

As you can see from the example A record at the beginning of this document, the record simply has the IP address with its octets reversed, followed by in-addr.arpa, as the owner name, and the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, it cannot pull the inverse zones (the in-addr.arpa records) unless you have been assigned a full class C network (a /24), because in-addr.arpa zones are delegated on octet boundaries. If you would like them to put PTR records in their name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server records (NS)

NS records are imperative to a functioning DNS entry. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every zone. NS records look like this:

foobarbaz.com. IN NS draven.foobarbaz.com.

There must also be an A record in your zone for each machine you enter as a name server for your domain. When the name server's own name lies inside the zone it serves (draven.foobarbaz.com inside foobarbaz.com), that A record must additionally be present in the parent zone as a glue record, otherwise resolvers cannot find the server in order to ask it about the zone.

If Allegiance Internet is doing primary and secondary name service, they set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority records (SOA)

The "SOA" record is the most crucial record in a zone. It conveys more information than all the other records combined. It is called the start of authority because it marks the zone as the official source of information for its domain. Here is an example of an SOA record; each part of it is explained below.

foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
        1996111901 ; Serial
        10800      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        86400 )    ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address: substitute "@" for the first "." and you get hostmaster@foobarbaz.com. There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is the version number of the zone. Every time a change is made to the zone, the serial number must be incremented. Secondary name servers that pull a zone from the primary only pull it if the serial number on the primary is newer than the serial number on their own copy. In this way the name servers for a domain keep themselves up to date. Note that "newer" is decided with 32-bit serial-number arithmetic (RFC 1982), not a plain comparison, so a serial that is accidentally set far ahead and then reduced again is seen as older, and the secondaries silently stop updating. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the zone has been changed.

Also a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking them to pull the new zones.

All the remaining numbers in the record are measurements of time in seconds. The "refresh" value is how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying again if a refresh attempt failed. "Expire" is how long the secondary server should keep using its current copy of the zone if it is unable to complete a refresh; after that it stops answering for the zone altogether. "Minimum" was originally the default TTL for the records in the zone; in servers that follow RFC 2308 it is the negative-caching TTL (how long a "no such name" answer may be cached), and the default record TTL is set with a $TTL directive instead.

There can only be one SOA record per zone. Like the NS records, Allegiance Internet sets this record up for you if you are not running your own name server.
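The serial and timer semantics above, as an added example that is not part of the original page: the comparison a secondary makes before pulling the zone (done with RFC 1982 serial arithmetic rather than a plain "greater than"), a helper that produces the next YYYYMMDDNN serial, and a simulation of a secondary that has lost contact with its primary, driven by the refresh, retry and expire values from the SOA record above.

```python
# Added example, not from the original page: RFC 1982 serial comparison, the
# YYYYMMDDNN serial scheme recommended in the text, and a refresh/retry/expire
# timeline for a secondary.  Timer values in the demo are the page's SOA values.
from datetime import date

SERIAL_BITS = 32


def serial_newer(candidate, current):
    """True when `candidate` is newer than `current` under RFC 1982: values
    live on a 32-bit circle, so 1 is newer than 4294967295, while a value
    exactly 2**31 away is undefined and treated as not newer."""
    mod = 1 << SERIAL_BITS
    diff = (candidate - current) % mod
    return 0 < diff < (1 << (SERIAL_BITS - 1))


def next_serial(current, today_yyyymmdd=None):
    """Next serial in YYYYMMDDNN form: today's date with NN=01, or NN+1 if the
    zone was already changed today.  If the current serial is somehow ahead
    of today (a typo such as 2099...), just add one so secondaries still see
    an increase instead of silently ignoring the zone."""
    if today_yyyymmdd is None:
        today_yyyymmdd = int(date.today().strftime("%Y%m%d"))
    dated = today_yyyymmdd * 100 + 1
    proposed = max(dated, current + 1)
    assert serial_newer(proposed, current)
    return proposed


def refresh_timeline(refresh, retry, expire, primary_up, horizon):
    """Simulate a secondary that last transferred the zone at t=0.  It asks the
    primary for the SOA every `refresh` seconds; after a failed attempt it
    waits `retry`; once `expire` seconds have passed since the last success it
    stops serving the zone.  `primary_up` is a predicate on the time t.
    Returns (query_times, expiry_time) with expiry_time None if the zone is
    still alive at `horizon`."""
    last_ok, t, queries = 0, refresh, []
    while t <= horizon:
        if t - last_ok >= expire:
            return queries, last_ok + expire
        queries.append(t)
        if primary_up(t):
            last_ok, t = t, t + refresh
        else:
            t += retry
    return queries, None


if __name__ == "__main__":
    print(next_serial(1996111901, 19961119))            # same day: 1996111902
    print(next_serial(1996111901, 19961120))            # next day: 1996112001
    queries, expired_at = refresh_timeline(10800, 3600, 3600000, lambda t: False, 4_000_000)
    print(f"{len(queries)} retries, zone expired at t={expired_at}s")
```

With the page's values a secondary that loses its primary keeps retrying every hour (after the first three-hour refresh) and carries on serving the zone for 3600000 seconds, a little over 41 days, before it expires; long expire values keep service up during an outage but also keep stale data alive for just as long.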

Quick summary of the major records in DNS

Record type: definition

- Host (A): maps a host name to an IP address in a DNS zone. Fields: domain, host name, host IP address.
- Alias (CNAME): canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields: domain, alias name, DNS name of the host it stands for.
- Name server (NS): identifies the DNS name servers for the DNS domain. NS records appear in all DNS zones, forward and reverse. Fields: domain, DNS name of the name server.
- Pointer (PTR): maps an IP address to a host name in a DNS reverse zone. Fields: IP address, DNS name of the host.
- Mail exchange (MX): specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application; however, to connect Microsoft Exchange to the Internet via the Internet Mail Service (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields: domain, host name (optional), DNS name of the mail exchange server, preference number.
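The record rules above, turned into a check you can run against a zone file. This is an added example and not part of the original page; it also covers two points made later in the DNS Q&A corner, that a CNAME must point at a name rather than an IP address and that an MX preference must fit in 16 bits. The sample zones follow the page's foobarbaz.com records; the 36.36.1.5 address for draven and the layout of the "bad" zone are assumptions.

```python
# Added example, not from the original page: a small parser and sanity checker
# for BIND-style zone records of the kinds described in the text.  The checks
# encode the rules the page states: one SOA; at least two NS at the apex; glue
# A records for name servers inside the zone; a CNAME target is a name, not an
# address, and has an A record; nothing else may sit next to a CNAME; MX
# preference fits in 16 bits and the MX target is not an alias.
import ipaddress
import re
from collections import defaultdict


def parse_zone(text):
    """Turn 'owner [ttl] [IN] TYPE rdata...' lines into (owner, type, rdata)
    tuples.  A parenthesised block (as in an SOA record) is joined into one
    logical line first; ';' comments are dropped; names are lower-cased."""
    def join_block(m):
        return " ".join(re.sub(r";.*", "", ln) for ln in m.group(1).splitlines())
    text = re.sub(r"\(([^)]*)\)", join_block, text)
    records = []
    for line in text.splitlines():
        line = re.sub(r";.*", "", line).strip()
        if not line:
            continue
        owner, *rest = line.split()
        if rest and rest[0].isdigit():          # optional explicit TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        if not rest:
            raise ValueError(f"malformed record: {line!r}")
        records.append((owner.lower(), rest[0].upper(), [f.lower() for f in rest[1:]]))
    return records


def check_zone(records, zone):
    """Apply the rules from the text; return a list of problems (empty = sane)."""
    zone = zone.lower().rstrip(".") + "."
    types_at = defaultdict(set)
    for owner, rtype, _ in records:
        types_at[owner].add(rtype)

    def in_zone(name):
        return name == zone or name.endswith("." + zone)

    problems = []
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        problems.append(f"expected exactly one SOA record, found {len(soa)}")

    ns = [r for r in records if r[1] == "NS" and r[0] == zone]
    if len(ns) < 2:
        problems.append(f"zone apex needs at least two NS records, found {len(ns)}")
    for _, _, rdata in ns:
        if in_zone(rdata[0]) and "A" not in types_at[rdata[0]]:
            problems.append(f"name server {rdata[0]} is inside the zone but has no glue A record")

    for owner, rtype, rdata in records:
        if rtype == "A":
            try:
                ipaddress.IPv4Address(rdata[0])
            except ValueError:
                problems.append(f"A record for {owner} has a bad address: {rdata[0]}")
        elif rtype == "CNAME":
            target = rdata[0]
            if re.fullmatch(r"[\d.]+", target):
                problems.append(f"CNAME {owner} points at an IP address; the target must be a name")
            elif in_zone(target) and "A" not in types_at[target]:
                problems.append(f"CNAME {owner} -> {target}, but {target} has no A record")
            if types_at[owner] - {"CNAME"}:
                problems.append(f"{owner} has a CNAME next to other records, which is not allowed")
        elif rtype == "MX":
            pref, target = int(rdata[0]), rdata[1]
            if not 0 <= pref <= 65535:
                problems.append(f"MX for {owner} has preference {pref}; it must fit in 16 bits")
            if "CNAME" in types_at[target]:
                problems.append(f"MX for {owner} targets {target}, which is a CNAME alias")
    return problems


# Constructed sample following the records shown in the text (draven's address is assumed).
ZONE_OK = """
foobarbaz.com.        IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                          1996111901 ; Serial
                          10800      ; Refresh
                          3600       ; Retry
                          3600000    ; Expire
                          86400 )    ; Minimum
foobarbaz.com.        IN NS    draven.foobarbaz.com.
foobarbaz.com.        IN NS    eric.foobarbaz.com.
foobarbaz.com.        IN MX    10 eric.foobarbaz.com.
draven.foobarbaz.com. IN A     36.36.1.5
eric.foobarbaz.com.   IN A     36.36.1.6
www.foobarbaz.com.    IN CNAME eric.foobarbaz.com.
"""

# The same zone with the mistakes the text warns about (constructed).
ZONE_BAD = """
foobarbaz.com.        IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                          1996111901 10800 3600 3600000 86400 )
foobarbaz.com.        IN NS    draven.foobarbaz.com.
foobarbaz.com.        IN MX    70000 www.foobarbaz.com.
eric.foobarbaz.com.   IN A     36.36.1.6
www.foobarbaz.com.    IN CNAME 192.168.0.1
"""

if __name__ == "__main__":
    for problem in check_zone(parse_zone(ZONE_BAD), "foobarbaz.com"):
        print("-", problem)
```

The "bad" zone trips five checks: a single NS record, a name server without glue, an MX preference that does not fit in 16 bits, an MX that targets an alias, and a CNAME whose target is an IP address.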

Q5 What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into separate zones to make them easier to manage. For example, support.microsoft.com and msdn.microsoft.com could be separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6 Name the two zones in DNS

DNS servers can hold primary and secondary zones. A primary zone is the copy of a zone in which updates can be made, while a secondary zone is a read-only copy of a primary zone, kept up to date by zone transfers. For fault tolerance and load balancing a domain usually has several DNS servers that answer requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7 How many SOA records does each zone contain?

Each zone has exactly one SOA record. This record contains miscellaneous settings for the zone, such as who is responsible for it, the refresh, retry and expire intervals, the TTL for negative answers and a serial number (incremented with every update).

Q8 Short summary of the records in DNS

NS records point to the name servers for a zone. The PTR record is used for reverse lookups (IP address to name). CNAME records give a host additional names. MX records are used when configuring a domain for email.


Q9 What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Loading DNS server duties onto your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10 What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11 What does a stub zone consist of?

A stub zone consists of:

- The start of authority (SOA) resource record, the name server (NS) resource records and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone.

Q12 How does resolution with a stub zone take place?

When a DNS client performs a recursive query on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. It sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records from its cache. If the DNS server cannot reach the authoritative DNS servers listed in its stub zone, it falls back to standard recursion using its root hints.

The DNS server stores the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it does not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to the cache, expire according to the expire interval specified in the stub zone's SOA record, which is created when the stub zone is created and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13 What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In the standard zone storage model, DNS updates are conducted according to a single-master update model. In this model a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure: if this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted according to a multimaster update model. In this model any authoritative DNS server, such as a domain controller running the DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access control to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to directory-integrated, the default for updating the zone changes to allow only secure updates (updates authenticated with the client's Kerberos identity, which is what makes the ACLs meaningful; a zone left on "nonsecure and secure" lets any host on the network overwrite records). Also, while you may use ACLs on DNS-related Active Directory objects, those ACLs govern only who may update records; they do not restrict who may query the zone.


Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication is performed per attribute, only the relevant changes are propagated. This means less data is carried in updates for directory-stored zones than in a full or incremental zone transfer.

Note: only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14 What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they have not been refreshed for a period of time. It applies only to records that carry an aging timestamp, which normally means records added via dynamic DNS; records you add by hand (static records) are not timestamped and are not scavenged unless you explicitly enable aging on them. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records; stale entries matter because a decommissioned host's name that still resolves can be claimed by whoever next receives its address.

Q15 What is the default interval at which the DNS server kicks off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days. Scavenging must also be enabled on both the server and the zone before anything is removed.
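The aging arithmetic behind the two answers above, as an added example that is not part of the original page. It models what a Windows DNS server does with the timestamps on dynamically registered records, using constructed records and a fixed "current time". The 7-day no-refresh and refresh intervals are Windows defaults the text does not mention; the 168-hour scavenging period is the one it does.

```python
# Added example, not from the original page: the aging arithmetic behind DNS
# scavenging on a Windows DNS server.  Windows keeps an hourly timestamp on
# dynamically registered records; a static record has no timestamp and is left
# alone.  All records, names and times below are constructed.
from datetime import datetime, timedelta

NO_REFRESH = timedelta(days=7)            # default: re-registrations in this window are ignored
REFRESH = timedelta(days=7)               # default: re-registrations here move the timestamp
SCAVENGING_PERIOD = timedelta(hours=168)  # how often the server runs a scavenging pass

NOW = datetime(2024, 1, 20, 9, 30)        # constructed "current time" for the sample

SAMPLE = [
    {"name": "ws01.corp.example", "type": "A", "data": "10.0.0.11",
     "timestamp": datetime(2024, 1, 1, 8, 0)},    # 19 days old: stale
    {"name": "ws02.corp.example", "type": "A", "data": "10.0.0.12",
     "timestamp": datetime(2024, 1, 10, 8, 0)},   # 10 days old: past no-refresh, not yet stale
    {"name": "ws03.corp.example", "type": "A", "data": "10.0.0.13",
     "timestamp": datetime(2024, 1, 18, 8, 0)},   # 2 days old: inside no-refresh
    {"name": "fileserver.corp.example", "type": "A", "data": "10.0.0.5",
     "timestamp": None},                           # static, created by hand
]


def register(record, now):
    """A client re-registers its record.  The timestamp only advances once the
    no-refresh interval has passed, which limits AD replication traffic."""
    stamp = record["timestamp"]
    if stamp is None or now - stamp < NO_REFRESH:
        return record
    return dict(record, timestamp=now.replace(minute=0, second=0, microsecond=0))


def is_stale(record, now):
    """Eligible for scavenging once now > timestamp + no-refresh + refresh;
    static records (no timestamp) never are."""
    stamp = record["timestamp"]
    return stamp is not None and now > stamp + NO_REFRESH + REFRESH


def scavenge(records, now):
    """One scavenging pass; returns (kept, removed)."""
    kept = [r for r in records if not is_stale(r, now)]
    removed = [r for r in records if is_stale(r, now)]
    return kept, removed


def run_sample():
    """Names removed by a pass at NOW, and the timestamps ws02 and ws03 end up
    with after re-registering (ws02 moves, ws03 does not)."""
    _, removed = scavenge(SAMPLE, NOW)
    ws02 = register(SAMPLE[1], NOW)
    ws03 = register(SAMPLE[2], NOW)
    return [r["name"] for r in removed], ws02["timestamp"], ws03["timestamp"]


if __name__ == "__main__":
    removed, ws02_stamp, ws03_stamp = run_sample()
    print("removed:", removed)
    print("ws02 now stamped", ws02_stamp, "| ws03 still stamped", ws03_stamp)
```

Only ws01 is removed: a record becomes eligible 14 days after its timestamp with the default intervals, and a scavenging pass every 168 hours means a dead host's record can linger for up to three weeks before it disappears.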

DNS Q&A corner

Q1 How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration, whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary. The reason is that I feel there are two configurations
> that could be setup. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. both by local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard or architected such a configuration?
>
> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                  |
>          -----------------
>          |               |
>   ----------------  ----------------
>   |    DNS 1     |  |    DNS 2     |
>   ----------------  ----------------
>       1.1.1.1           1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2 How does reverse mapping work?

> How can reverse lookup possibly work on the Internet? How can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers run by Compaq. And finally these name servers map the IP address to inmail.compaq.com.
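The reverse-mapping walk in the answer above, and the PTR record format from the earlier record section, as an added example that is not part of the original page. The addresses are the page's own (161.114.1.206 and 36.36.1.6); the ip6.arpa case, one hexadecimal nibble per label, is a generalisation the page does not cover. forward_confirmed() is the check a service should add before trusting a reverse lookup: the name a PTR returns must resolve back to the same address.

```python
# Added example, not from the original page: building the in-addr.arpa /
# ip6.arpa name for an address, listing the zones a resolver is referred
# through on the way to the PTR record, and forward-confirming the result.
import ipaddress


def reverse_name(address):
    """Owner name queried for a PTR lookup of `address` (with trailing dot)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(str(ip).split(".")[::-1]) + ".in-addr.arpa."
    nibbles = format(int(ip), "032x")            # 32 hex digits, zero padded
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def delegation_path(address):
    """Zones the resolution walks down, from the root to the most specific
    zone that can contain the PTR record: octet boundaries for IPv4 (/8, /16,
    /24), nibble boundaries for IPv6."""
    labels = reverse_name(address).rstrip(".").split(".")
    suffix, digits = labels[-2:], labels[:-2]    # ['in-addr','arpa'], ['206','1','114','161']
    path = ["."]
    for i in range(1, len(digits)):              # stop before the leaf name itself
        path.append(".".join(digits[-i:] + suffix) + ".")
    return path


def ptr_record(address, hostname):
    """Zone-file line for the PTR record, as in the text's example."""
    return f"{reverse_name(address)} IN PTR {hostname}"


def forward_confirmed(address, addresses_of_ptr_target):
    """Forward-confirmed reverse DNS: True only if `address` is among the
    A/AAAA answers obtained by resolving the name the PTR lookup returned."""
    wanted = ipaddress.ip_address(address)
    return any(ipaddress.ip_address(a) == wanted for a in addresses_of_ptr_target)


if __name__ == "__main__":
    print(reverse_name("161.114.1.206"))
    for zone in delegation_path("161.114.1.206"):
        print("  referred to", zone)
    print(ptr_record("36.36.1.6", "eric.foobarbaz.com."))
    # constructed: the PTR said inmail.compaq.com, and its A record points back
    print(forward_confirmed("161.114.1.206", ["161.114.1.206"]))
```

The delegation path is exactly the chain the answer describes (root, then 161.in-addr.arpa at ARIN, then 1.114.161.in-addr.arpa at Compaq); the PTR record itself lives in that last zone, which is also why a provider cannot host your reverse records unless you hold the whole /24.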


Q3 What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> setup a primary and a single slave server and run caching only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4 Can I set a TTL on a specific record?

> Is it possible to setup TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5 Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain
> and I'm not sure that I have DNS setup properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www  cname 192.168.0.1
> mail cname 192.168.0.1
> pop  cname 192.168.0.1
> smtp cname 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example.

Q6 What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in the authority section of responses to queries. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.
- Your name servers use the NS records to determine where to send NOTIFY messages.
- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7 Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8 What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9 Why are there only 13 root name servers?

> I'm wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit in the Domain
> Name System (without any detailed explanation).
> From my understanding it seems that there is some limitation on the number of NS records
> in a DNS packet specified by certain RFCs, or it is just Internet policy stuff.
>
> Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1 What are the five FSMO roles?

- Schema Master: forest level, one per forest
- Domain Naming Master: forest level, one per forest
- PDC Emulator: domain level, one per domain
- RID Master: domain level, one per domain
- Infrastructure Master: domain level, one per domain

Q2 What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It holds the only writable copy of the schema. This DC is the only one that can process updates to the directory schema; once a schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master in the forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain the PDC emulator role holder performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in the domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad-password failure is reported to the user, so a password that has just been changed elsewhere is not rejected.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain: the PDC emulator is the authoritative time source for the DCs in its domain (and the forest root's PDC emulator for the whole forest), which matters for Kerberos, whose tickets are rejected once clocks drift beyond the permitted skew.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: some consider the PDC emulator to be relevant only in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in the domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC. Having a single allocator is what guarantees that two DCs never hand out the same SID.

There is one RID master per domain.

5. Infrastructure Master (domain level)

The DC that holds the infrastructure master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The infrastructure master is the DC responsible for updating the SID and distinguished name in such a cross-domain object reference when the referenced object changes.

When a user in DomainA is added to a group in DomainB, the infrastructure master is involved. Likewise, if that user in DomainA is then renamed or moved within DomainA, the infrastructure master must update the group membership(s) in DomainB with the change.

There is only one infrastructure master per domain.

Q3 What if a FSMO role holder fails?

Schema Master: no updates to the Active Directory schema are possible. Since schema updates are rare (usually done by certain applications, and possibly by an administrator adding an attribute to an object), the loss of the server holding the schema master role does not pose a critical problem.

Domain Naming Master: the domain naming master must be available when adding or removing a domain from the forest (for example running DCPROMO for the first DC of a new domain or the last DC of an existing one). If it is not, the domain cannot be added or removed. Promoting or demoting a DC within an existing domain does not need it. Like the schema master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: the server holding the PDC emulator role causes the most problems if it is unavailable. This is most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC are affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure is less immediately visible, but nothing takes over automatically: password-change forwarding, account lockout processing and domain time synchronization keep pointing at the missing role holder, so if it will not be back soon the role should be seized on another DC.

RID Master: the RID master provides RIDs for security principals (users, groups, computer accounts). The failure of this role holder has little impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem occurs only if the DC you are adding the users or groups on runs out of RIDs.

Infrastructure Master: this role is only relevant in a multi-domain environment. If you only have one domain, the infrastructure master is irrelevant. Failure of this server in a multi-domain environment is a problem if you reference objects from one domain in another (for instance group memberships across domains), because the cached references are no longer updated.

Q4 Where are these FSMO roles found?

The first domain controller installed in a Windows 2000 forest by default holds all five FSMO roles (the first DC of each additional domain holds that domain's three). As more domain controllers are added, the FSMO roles can be moved to other domain controllers.

Q5 Can you move FSMO roles?

Yes, but moving a FSMO role is a manual process; it does not happen automatically. A role is transferred (with the Active Directory snap-ins or ntdsutil) while the current holder is still online; if the holder is permanently lost, the role is seized on another DC with ntdsutil, and the old holder must then never be brought back onto the network, or two DCs will believe they hold the same role. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller; all five FSMO roles will exist on that DC. There is no rule that says you have to have one server for each FSMO role.

Q6. Where should the FSMO roles be placed?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO roles.


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: according to Microsoft, in Windows 2000 the Domain Naming Master must be on a Global Catalog server (the requirement is dropped at the Windows Server 2003 forest functional level). If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server.

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason is that the Global Catalog contains a partial replica of every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it compares its own references against the Global Catalog. If both reside on the same server, the Infrastructure Master never finds a stale reference, because the Global Catalog on the same machine keeps it constantly updated, and so it never replicates the updated references to the other domain controllers in its domain. Note: in a single-domain environment this is not an issue. It is also not an issue in a multi-domain environment where every domain controller in the domain is a Global Catalog server, because then no DC holds stale references that need updating.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog rule above, but it is recommended. Also, since the PDC Emulator receives more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and have high-bandwidth connections to one another as well as to a Global Catalog server.

Q7. What permissions do you need in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group

RID Master: member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Which tools show which servers in your domain/forest hold which FSMO roles?


1. Active Directory Users and Computers: use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these three roles.

Open Active Directory Users and Computers, right-click the domain you want to view the FSMO roles for and click Operations Masters. A dialog box opens with three tabs, one for each FSMO role; click each tab to see which server that role resides on. To change a role you must first connect to the domain controller you want to move it to: right-click Active Directory Users and Computers at the top of the snap-in and choose Connect to Domain Controller. Once connected to that DC, go back into the Operations Masters dialog box, choose the role to move and click the Change button. When you are connected to another DC, its name appears in the field below the Change button.


2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as for the domain-level FSMO roles in Active Directory Users and Computers, except that you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller (right-click Active Directory Domains and Trusts at the top of the snap-in and choose Connect to Domain Controller) and then click the Change button.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not available by default. Its DLL (schmmgmt.dll) is present on domain controllers and ships with the Windows 2000 Administration Tools (adminpak.msi), but it has to be registered before the snap-in appears in the list, by running regsvr32 schmmgmt.dll from a command prompt. Once registered, open a blank Microsoft Management Console (Start, Run, mmc) and add the Active Directory Schema snap-in to the console. Then right-click Active Directory Schema at the top of the tree and choose Operations Master. Changing the server the Schema Master resides on requires that you first connect to the other domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out which server holds which FSMO role is the Netdom command-line utility. Netdom is only available if you have installed the Support Tools from the Windows 2000 (or Windows Server 2003) CD or the Win2K Server Resource Kit; it became a built-in tool in Windows Server 2008.

To use Netdom to view the FSMO role holders, open a command prompt, type netdom query fsmo and press Enter. You will see a list of the FSMO role holders.


5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the Active Directory Replication Monitor (replmon.exe). Open it from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties, then click the FSMO Roles tab to view the servers holding the five FSMO roles. You cannot change roles using Replication Monitor, but the tool has many other useful purposes in regard to Active Directory information and is worth checking out if you have not already.

Finally, you can use the Ntdsutil.exe utility to gather information about, and change, the servers holding FSMO roles. Ntdsutil.exe is a command-line utility installed with Windows 2000 Server. It is also the only supported way to seize a role from a holder that is permanently offline (the snap-ins and netdom can only transfer, which requires the current holder to be online); its roles menu is covered by the Knowledge Base article referenced under Q9 below.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders. Part of the Microsoft Windows 2000 Server Resource Kit, downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp. It prints the current FSMO holders to the screen, calling NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks. Type nltest /? for syntax and switches. Common uses:

Get a list of all DCs in the domain

Get the name of the PDC emulator

Query or reset the secure channel for a server

Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (third party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How do you transfer and seize a FSMO role?

See Microsoft Knowledge Base article Q255504: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
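As an added example (not part of the original page or of Microsoft's documentation), the following PowerShell session shows the command-line equivalents of Q8 and Q9: listing the role holders with netdom and dsquery, then transferring or seizing a role through ntdsutil without walking its interactive menus. It assumes an elevated prompt on a domain controller, a target DC named DC2 (a placeholder), and that netdom.exe, ntdsutil.exe and dcdiag.exe are installed (Support Tools on Windows 2000/2003, built in from Windows Server 2008); dsquery.exe needs Windows Server 2003 or later.

```powershell
# Added example, not the page's own code. Placeholder: DC2 is the DC that should
# receive the role. Run from an elevated prompt on a domain controller.
$target = 'DC2'

# 1. Current holders, one line per role (Support Tools netdom.exe).
netdom query fsmo

# 2. The same question asked of the directory one role at a time (Windows Server 2003+).
#    dsquery's -hasfsmo keywords: schema, name (Domain Naming), infr, pdc, rid.
foreach ($role in 'schema', 'name', 'infr', 'pdc', 'rid') {
    $holder = dsquery server -forest -hasfsmo $role
    '{0,-6} {1}' -f $role, $holder
}

# 3. Transfer: the graceful path. The current holder must be reachable; it hands the
#    role over and both DCs agree on the new owner. ntdsutil accepts its menu commands
#    as arguments, so the whole dialogue can be scripted. The same pattern works with
#    'transfer RID master', 'transfer infrastructure master', 'transfer schema master'
#    and 'transfer domain naming master' (Windows 2000/2003 wording).
ntdsutil 'roles' 'connections' "connect to server $target" 'quit' 'transfer PDC' 'quit' 'quit'

# 4. Seize: last resort when the old holder is permanently gone. ntdsutil tries a
#    transfer first and only seizes if that fails. The old holder must never return
#    to the network afterwards without being demoted or metadata-cleaned, otherwise
#    two DCs believe they own the role.
# ntdsutil 'roles' 'connections' "connect to server $target" 'quit' 'seize PDC' 'quit' 'quit'

# 5. Verify that the change replicated and that every DC agrees on the holders.
netdom query fsmo
dcdiag /test:knowsofroleholders /v
```

The transfer step pops up a confirmation dialog on the console, so run it from an interactive session. Keep the seize line commented out until a transfer has actually failed: seizing while the old holder is merely unreachable is how you end up with two PDC emulators.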


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC: whether you do not want users to run Windows Update or change their display settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or as domain policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure or modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers; they cannot be used on Win9x or Windows NT computers.

Q2. Whom does a domain policy apply to?

Domain policies are applied to computers and users that are members of a domain, and these policies are stored on and configured from domain controllers. You can access domain Group Policies by opening Active Directory Sites and Services (for policies linked at the site level) or Active Directory Users and Computers (for policies linked to the domain and/or organizational units).

Q3. Where do you create a Group Policy?

To create a domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name or another site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. In Active Directory Users and Computers it is the same process, except that you right-click the domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have administrative privileges to create or modify group policies. The following table shows who can create or modify group policies at each level:

Policy type: Allowable groups/users

Site-level Group Policies: Enterprise Admins and/or Domain Admins in the root domain. The root domain is the first domain created in a tree or forest; the Enterprise Admins group is found only in the root domain.

Domain-level Group Policies: Enterprise Admins, Domain Admins, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU-level Group Policies: Enterprise Admins, Domain Admins, or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU's Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating and modifying group policies, add them to the Group Policy Creator Owners group for the domain; note that members of that group can create GPOs but can only edit the GPOs they created themselves.

Local Group Policies: the local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the site level, the domain level or at the organizational unit (OU) level. They are applied in a specific order, LSDOU: local policies first, then site policies, then domain policies, then OU policies, then nested-OU policies (OUs within OUs). Where settings conflict, whatever is applied later wins. Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you place the users (or groups) and computers in container objects; anything in the container then gets the policies linked to that container. Sites, domains and OUs are the container objects a GPO can be linked to.

Computer and user Active Directory objects do not have to be in the same container object. For example, Sally the user is an object in Active Directory; Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally's user object can be in one OU while her computer object is in another OU. It all depends on how you organize your Active Directory structure and which Group Policies you want applied to which objects.


User and Computer Policies

Each Group Policy Object that is created has two nodes, a computer node and a user node, called Computer Configuration and User Configuration. The policies configured in the computer node apply to the computer as a whole: whoever logs on to that computer gets those policies. Note: computer policies are also referred to as machine policies.

User policies are user-specific; they apply only to the user who is logged on. When creating domain Group Policies you can disable either the computer node or the user node of the Group Policy Object. Disabling a node in which no policies are defined decreases the time it takes to apply the policies. To disable a node: after creating a Group Policy Object, select it on the Group Policy tab, click the Properties button and use the two check boxes at the bottom of the General tab.

It is important to understand that when Group Policies are applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally's user object sits in the Security OU, which is nested inside the Development OU. When Sally logs on to her PC, the policies set in the user node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally; they are not applied in two separate passes, Development OU first and then Security OU (or vice versa). The same goes for computer policies: when a computer boots, all the computer-node policies for that computer are evaluated and then applied.


When computers boot up, the computer policies are applied. When users log on, the user policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive; the last policy applied is the policy the user/computer will have.

When multiple Group Policy Objects are linked to a container, they are applied from bottom to top of the Group Policy Object list: the top Group Policy in the list is the last to be applied. For example, with three Group Policy Objects linked to a Human Resources OU listed top to bottom as No ScreenSaver, No Display Settings, No Windows Update, the policies are applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there are any conflicts in the policy settings, the one above takes precedence.

Q6. How do you disable Group Policy Objects?

When you are editing a Group Policy Object the changes take effect immediately; there is no saving of GPOs. To prevent a partially configured GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disabled column; a check mark appears. Click the Edit button, make your changes, then double-click under the Disabled column again to re-enable the GPO. This is also the place to temporarily disable a GPO for troubleshooting. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do Group Policy scripts run?

Startup scripts are processed at computer boot, before the user logs on. Shutdown scripts are processed after the user logs off but before the computer shuts down.

Logon scripts are processed when the user logs on. Logoff scripts are processed when the user logs off, before any shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies are applied when a computer boots and when a user logs on. However, policies are also refreshed automatically on a predefined schedule; this is called background refresh.

Background refresh for non-DCs (PCs and member servers) runs every 90 minutes plus a random offset of up to 30 minutes, so a refresh happens every 90 to 120 minutes. For domain controllers, background refresh is every 5 minutes. Also, every 16 hours the security settings are reapplied on every computer even if no GPO has changed; this 16-hour reapplication covers only the Security Settings extension, other settings are only reapplied when a GPO's version changes. These intervals can be changed under the Computer and User nodes at Administrative Templates, System, Group Policy.

Q9. Which policies are not affected by background refresh?

The following policies are not applied by background refresh; they are only applied at boot or logon time:

Folder Redirection, Software Installation, and Logon/Logoff/Startup/Shutdown scripts.

Q9. How do you refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy to refresh the user policies, or secedit /refreshpolicy machine_policy to refresh the machine (or computer) policies.

These commands only refresh user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce, or secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command-line tool that refreshes group policies on a Windows XP or Windows Server 2003 computer; it replaced secedit /refreshpolicy. To use gpupdate, open a command prompt and type:

gpupdate /target:user to refresh the user policies, or gpupdate /target:computer to refresh the machine (or computer) policies.

As with secedit, these only refresh user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice that /force applies to both user and computer policies; there is no separation of the two as there is with secedit, although /force can be combined with /target to limit the reload to one node.

Q10. What is the default setting for dial-up users?

Windows 2000 considers a slow link to be anything below 500 Kbps. When a user logs on to a domain over a link slower than 500 Kbps, some policies are not applied.

Windows 2000 automatically detects the speed of the dial-up connection and decides which Group Policies to apply.

Q11. Which policies are applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12. Which policies are not applied over slow links?

IE Maintenance settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These settings, and the slow link threshold itself, can be changed under the Computer and User nodes at Administrative Templates, System, Group Policy.


If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after logging on, the policies are applied on the standard refresh cycle.

Q13. What are the two default policies?

Two default group policy objects are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy: this GPO is found under the Group Policy tab for the domain; it is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you open this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

For domain accounts these three policies only take effect at the domain level; if you set them anywhere else (site or OU) they are ignored for domain accounts. However, setting them at the OU level does affect the local accounts (the local SAM) of the computers in that OU: log on to the domain and you get the domain policy, log on locally and you get the OU policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are three policies that behave the same way in the Default Domain Policy:

Automatically log off users when logon time expires; Rename Administrator Account (when set at the domain level it affects the domain Administrator account only); Rename Guest Account (when set at the domain level it affects the domain Guest account only).

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, create additional domain-level GPOs. Do not delete the Default Domain Policy; you can disable it, but it is not recommended.

Default Domain Controllers Policy: this policy is found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. It is linked to the Domain Controllers OU, so it affects every domain controller whose computer object is in that OU, which is where all of them belong; moving a domain controller's computer object to another OU is unsupported precisely because the DC would then stop processing this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.


Q14. How do you restore the default Group Policy objects?

The following command replaces both the Default Domain Policy and the Default Domain Controllers Policy; you can specify Domain or DC instead of Both to restore only one or the other:

> dcgpofix /target:Both

Note that dcgpofix ships with Windows Server 2003 (it is not available on Windows 2000) and must be run from a domain controller in the target domain where you want to reset the GPOs. It puts the GPOs back to their out-of-the-box state, so any settings you had added to them (password and lockout policy changes, audit settings, user rights on domain controllers, and so on) are lost and must be reapplied afterwards.

If you have made changes to the default GPOs and would like to revert to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema: if the version it expects to be current differs from what is in Active Directory, it will not restore the GPOs. You can work around this with the /ignoreschema switch, which restores the GPOs according to the version dcgpofix thinks is current. The only time you are likely to hit this is if you install a service pack on one domain controller (dc1) that extends the schema but have not yet installed it on a second domain controller (dc2): running dcgpofix from dc2 gives the error because a newer schema and a newer dcgpofix utility were installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs from different sources can apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: the local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator controls the order in which they are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and their settings applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator controls the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OU that contains the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. A single object sits in exactly one OU, but that OU may be nested inside other OUs; in that case GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next-highest-level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions that control inheritance of group policy?

No Override: when you link a GPO to a container you can set the No Override option (called Enforced in Windows Server 2003 and later), which prevents settings in that GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: you can set the Block Inheritance option on a container to prevent it from inheriting GPO settings from its parent containers. However, if a parent container's link has No Override set, the child container cannot block that GPO.
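To make the precedence rules from Q5 (LSDOU and link order within a container) and Q15 (No Override and Block Inheritance) concrete, here is an added PowerShell example that models the ordering and then merges the settings. It is not the page's own code and it does not touch a real directory: every container, GPO name and setting in it is constructed for illustration, and the merge is a deliberately simplified "last writer wins" over flat key/value pairs.

```powershell
# Added example, not the page's own code. Models how Group Policy orders GPOs from
# the LSDOU containers, honouring link order inside a container, No Override
# (Enforced) and Block Inheritance. All data below is constructed for illustration.

function Resolve-GpoOrder {
    param([Parameter(Mandatory)] [object[]] $Chain)   # Local, Site, Domain, OU, nested OU ...

    $normal   = @()   # ordinary links in application order; a later entry wins a conflict
    $enforced = @()   # No Override links, held back so that they are applied last

    foreach ($container in $Chain) {
        if ($container.BlockInheritance) {
            # Block Inheritance drops everything inherited from parent containers.
            # The local GPO is not inherited, so it survives; No Override links
            # survive because they are tracked in $enforced, not here.
            $normal = @($normal | Where-Object { $_.Container -eq 'Local' })
        }
        $here = @()
        # Link order 1 is the top of the list and wins, so walk the list bottom-up.
        foreach ($link in ($container.Links | Sort-Object LinkOrder -Descending)) {
            $entry = [pscustomobject]@{ Container = $container.Name; Gpo = $link.Gpo; Settings = $link.Settings }
            if ($link.NoOverride) { $here += $entry } else { $normal += $entry }
        }
        # Containers are visited outermost first. Prepending each container's enforced
        # links keeps the outermost ones at the end of the list, where they are applied
        # last: a parent's No Override beats a child's.
        $enforced = @($here) + @($enforced)
    }
    return @($normal) + @($enforced)
}

function Get-EffectiveSettings {
    param([Parameter(Mandatory)] [object[]] $Ordered)
    $effective = @{}
    foreach ($entry in $Ordered) {
        foreach ($kv in $entry.Settings.GetEnumerator()) {
            $effective[$kv.Key] = $kv.Value      # last writer wins
        }
    }
    return $effective
}

# Constructed scenario: the HR OU blocks inheritance, but the site enforces a
# screen saver timeout, and the OU's own three GPOs conflict with each other.
$chain = @(
    [pscustomobject]@{ Name = 'Local'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Local GPO'; LinkOrder = 1; NoOverride = $false
                           Settings = @{ Wallpaper = 'corp.bmp'; ScreenSaverTimeout = 900 } }) }
    [pscustomobject]@{ Name = 'Default-First-Site-Name'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Site Screensaver Lockdown'; LinkOrder = 1; NoOverride = $true
                           Settings = @{ ScreenSaverTimeout = 600 } }) }
    [pscustomobject]@{ Name = 'example.com'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Default Domain Policy'; LinkOrder = 1; NoOverride = $false
                           Settings = @{ Wallpaper = 'domain.bmp' } }) }
    [pscustomobject]@{ Name = 'OU=Human Resources'; BlockInheritance = $true; Links = @(
        [pscustomobject]@{ Gpo = 'No ScreenSaver';      LinkOrder = 1; NoOverride = $false
                           Settings = @{ ScreenSaverTimeout = 0; ScreenSaverActive = $false } }
        [pscustomobject]@{ Gpo = 'No Display Settings'; LinkOrder = 2; NoOverride = $false
                           Settings = @{ DisplayCpl = 'disabled'; ScreenSaverActive = $true } }
        [pscustomobject]@{ Gpo = 'No Windows Update';   LinkOrder = 3; NoOverride = $false
                           Settings = @{ WindowsUpdate = 'disabled' } }) }
)

$ordered = Resolve-GpoOrder -Chain $chain
'Application order (last wins):'
$ordered | ForEach-Object { '  {0,-26} linked at {1}' -f $_.Gpo, $_.Container }
'Effective settings:'
(Get-EffectiveSettings -Ordered $ordered).GetEnumerator() | Sort-Object Key |
    ForEach-Object { '  {0,-20} = {1}' -f $_.Key, $_.Value }
```

Run it and compare the two lists with the rules in the text: the Default Domain Policy never appears because the HR OU blocks inheritance, the three OU GPOs apply bottom-up so No ScreenSaver (link order 1) beats No Display Settings on the setting they both touch, and the site's No Override GPO is applied after all of them, so its timeout survives the OU's attempt to zero it. Real GPO processing is more involved (per-extension processing, version checks, WMI and security filtering), but the ordering this function produces is the one gpresult reports.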

Q16. How do you redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: redirusr.exe redirects user accounts and redircomp.exe redirects computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to it, and then redirect the creation of new user accounts to the New Users OU; any new users created would immediately be affected by the settings in that GPO, and administrators could move the accounts to a more appropriate location later. Both tools are in the %windir%\system32 folder on any computer running Windows Server 2003, and the domain must be at the Windows Server 2003 domain functional level for the redirection to take effect. You can learn more about them in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", at http://support.microsoft.com.

Q17. What permissions does an administrator need to manage GPOs?

Editing GPOs linked to sites requires Enterprise Admin permissions. Editing GPOs linked to domains requires Domain Admin permissions. Editing GPOs linked to OUs requires permissions on the OU.

Q18. What are the client requirements for supporting GPOs?

For client computers to accept Group Policy settings they must be members of an Active Directory domain. Support for Group Policy by operating system is as follows:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier do not support Group Policy. Windows 2000 Professional and Server support many, but not all, of the Group Policy settings available in Windows Server 2003; unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


  • ACTIVE DIRECTORY - DNS - FSMO - GROUP POLICY
  • What Is Active Directory
    • Purpose of Active Directory
    • Functions of Active Directory
    • Sites within Active Directory
      • Operations Master Roles
        • Forest-wide Roles
        • Domain-wide Roles
        • Integration of DNS and Active Directory
          • What Are Active Directory Integrated Zones
            • Active Directory Integrated Zones
              • What Are DNS Zones
                • Types of Zones
                  • Standard Zone
                    • Standard Primary Zone
                    • Standard Secondary Zone
                      • Directory-integrated Zone
                          • DNS Records

Similar to the way a Windows NT 4.0 client queries WINS for a NetBIOS DOMAIN[1B] record to locate the PDC, or a DOMAIN[1C] record for domain controllers, a Windows 2000, Windows Server 2003 or Windows XP client queries DNS for SRV records to find a domain controller.

Integration of DNS and Active Directory

The integration of DNS and Active Directory is essential because a client computer in a Windows 2000 network must be able to locate a domain controller so that users can log on to a domain or use the services that Active Directory provides Clients locate domain controllers and services by using A resource records and SRV records The A resource record contains the FQDN and IP address for the domain controller The SRV record contains the FQDN of the domain controller and the name of the service that the domain controller provides
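As an added example (not part of the original page), the following PowerShell session performs the lookups the paragraph above describes, so you can see the SRV and A records a client relies on and confirm that the locator agrees with DNS. The domain name example.com is a placeholder. Resolve-DnsName needs the DnsClient module (Windows 8 / Windows Server 2012 or later); nltest and nslookup work back to Windows 2000 and are shown as the fallback.

```powershell
# Added example, not the page's own code. Placeholder: example.com is your AD domain.
$domain = 'example.com'

# 1. Which DCs advertise LDAP for the domain? Each answer is an SRV record carrying
#    priority, weight, port and the DC's FQDN; the matching A record usually arrives
#    in the Additional section of the same response.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' |
    Sort-Object Priority, { -$_.Weight } |
    Select-Object NameTarget, Port, Priority, Weight

# 2. Only the PDC emulator registers under pdc._msdcs. An empty answer here is
#    the DNS symptom of a PDC emulator that was lost without its role being
#    transferred or seized.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.pdc._msdcs.$domain" |
    Where-Object Type -eq 'SRV' | Select-Object NameTarget

# 3. Kerberos KDCs and Global Catalog servers publish under the same scheme.
foreach ($q in "_kerberos._tcp.dc._msdcs.$domain", "_ldap._tcp.gc._msdcs.$domain") {
    $answers = Resolve-DnsName -Type SRV -Name $q -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV'
    '{0,-40} {1} record(s)' -f $q, @($answers).Count
}

# 4. Ask the DC locator itself (nltest, Windows 2000 onward): which DC did this
#    machine pick, and is it one of those DNS returned? /force bypasses the cache.
nltest /dsgetdc:$domain /force
nltest /dsgetdc:$domain /pdc
nltest /dclist:$domain

# Fallback without the DnsClient module:
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.example.com
```

If step 1 returns nothing while the DCs are up, the problem is registration rather than resolution: the Netlogon service on each DC registers these records on startup and every 24 hours, so restarting Netlogon on the DC (or running nltest /dsregdns on Windows Server 2003 and later) re-creates them.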

What Are Active Directory Integrated Zones

One benefit of integrating DNS and Active Directory is the ability to integrate DNS zones into an Active Directory database A zone is a portion of the domain namespace that has a logical grouping of resource records which allows zone transfers of these records to operate as one unit

Active Directory Integrated Zones

Microsoft DNS servers store the information used to resolve host names to IP addresses and IP addresses to host names in a database file with the extension .dns for each zone.

Active Directory integrated zones are primary zones that are stored as objects in the Active Directory database. If the zone objects are stored in an Active Directory domain partition, they are replicated to all domain controllers in the domain (Windows Server 2003 adds the DomainDnsZones and ForestDnsZones application partitions, which replicate only to the domain controllers that run DNS).

What Are DNS Zones

A zone starts as a storage database for a single DNS domain name If other domains are added below the domain used to create the zone these domains can either be part of the same zone or belong to another zone Once a subdomain is added it can then either be

Managed and included as part of the original zone records or

Delegated away to another zone created to support the subdomain


Types of Zones

There are two types of zones: forward lookup and reverse lookup. Forward lookup zones contain the information needed to resolve names within the DNS domain. They must include SOA and NS records and can include any type of resource record except the PTR resource record. Reverse lookup zones contain the information needed to perform reverse lookups. They usually include SOA, NS, PTR and CNAME records.

With most queries the client supplies a name and requests the IP address that corresponds to that name This type of query is typically described as a forward lookup Active Directory requires forward lookup zones

However what if a client already has a computers IP address and wants to determine the DNS name for the computer This is important for programs that implement security based on the connecting FQDN and is used for TCPIP network troubleshooting The DNS standard provides for this possibility through reverse lookups

Once you have installed Active Directory you have two options for storing your zones when operating the DNS server at the new domain controller

Standard Zone

Zones stored this way are kept in .dns text files in the %SystemRoot%\System32\Dns folder on each computer operating a DNS server. Zone file names correspond to the name you choose for the zone when creating it, such as example.microsoft.com.dns if the zone name was example.microsoft.com.

This type offers the choice of using either a Standard Primary zone or a Standard Secondary zone

Standard Primary Zone

For standard primary-type zones only a single DNS server can host and load the master copy of the zone If you create a zone and keep it as a standard primary zone no additional primary servers for the zone are permitted Only one server is allowed to accept dynamic updates also known as DDNS and process zone changes The standard primary model implies a single point of failure

Standard Secondary Zone

A secondary name server gets the data for its zones from another name server (either a primary name server or another secondary name server) for that zone across the network The data in a Secondary zone is Read only and updated information must come from additional zone transfers The process of obtaining this zone information (ie the database file) across the network is referred to as a zone transfer Zone transfers occur over TCP port 53

Secondary servers can provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used Additionally if a primary server is down a secondary server can provide some name resolution in the zone until the primary server is available


Note A Standard Primary zone will not replicate its information to any other DNS servers but may allow zone transfers to Secondary zones Win2003 also supports stub zones A secondary or stub zone cannot be hosted on a DNS server that hosts a primary zone for the same domain name

Directory-integrated Zone

Zones stored this way are located in the Active Directory tree under the domain object container. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it. Active Directory integrated zones will replicate this information to other domain controllers in that domain.

Note: If DNS is running on a Windows 2000 server that is not a domain controller, it will not be able to use Active Directory integrated zones or replicate with other domain controllers, since it does not have Active Directory installed.

DNS Records

After you create a zone, additional resource records need to be added to it. The most common resource records (RRs) to be added are:

Table 1: Record Types

Name                     Description
Host (A)                 For mapping a DNS domain name to an IP address used by a computer.
Alias (CNAME)            For mapping an alias DNS domain name to another primary or canonical name.
Mail Exchanger (MX)      For mapping a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR)            For mapping a reverse DNS domain name, based on the IP address of a computer, that points to the forward DNS domain name of that computer.
Service location (SRV)   For mapping a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.

Other resource records can be added as needed.


Q1. What does the logical component of the Active Directory structure include?

Objects: Resources are stored in Active Directory as objects.

Sub-category: object class

An object is really just a collection of attributes. A user object, for example, is made up of attributes such as name, password, phone number, group membership, and so on. The attributes that make up an object are defined by an object class. The user class, for example, specifies the attributes that make up the user object.

The Active Directory Schema

The classes and the attributes that they define are collectively referred to as the Active Directory Schema. In database terms, a schema is the structure of the tables and fields and how they are related to one another. You can think of the Active Directory Schema as a collection of data (object classes) that defines how the real data of the directory (the attributes of an object) is organized and stored.

Domains

The basic organizational structure of the Windows Server 2003 networking model is the domain. A domain represents an administrative boundary. The computers, users, and other objects within a domain share a common security database.

Trees

Multiple domains are organized into a hierarchical structure called a tree. Actually, even if you have only one domain in your organization, you still have a tree. The first domain you create in a tree is called the root domain. The next domain that you add becomes a child domain of that root. This expandability of domains makes it possible to have many domains in a tree. Figure 1-1 shows an example of a tree. Microsoft.com was the first domain created in Active Directory in this example and is therefore the root domain.

Figure 1-1: A tree is a hierarchical organization of multiple domains. (Domains shown in the figure: microsoft.com, sales.microsoft.com, RND.microsoft.com, West.microsoft.com, East.microsoft.com.)

All domains in a tree share a common schema and a contiguous namespace. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in.

Forest

A forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory-enabled computer (domain controller) on a network is installed.

This first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.

Figure 1-2 shows an example of a forest with two trees. Each tree in the forest has its own namespace. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com (after the first domain created).

Figure 1-2: Trees in a forest share the same schema but not the same namespace. (Shown in the figure: the microsoft.com tree, whose root domain microsoft.com is also the root domain of the forest, with child domains sales.microsoft.com, RND.microsoft.com, West.microsoft.com and East.microsoft.com; and the contoso.com tree, with root domain contoso.com and child domains West.contoso.com and East.contoso.com.)

A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests; this would let you grant access to resources and accounts that are outside of a particular forest.

Organizational Units

Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain.

OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2. What does the physical structure of Active Directory contain?

Physical structures include domain controllers and sites.

Q3. What is nesting?

The creation of an OU inside another OU.

IMP: once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4. What is a trust relationship, and how many types of trust relationship are there in Exchange 2003?

Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain).

Windows Server 2003 supports six types of trust relationships:

Parent and child trusts
Tree-root trusts
External trusts
Shortcut trusts
Realm trusts
Forest trusts

Q5. What is a site?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6. What is the use of a site?

Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic.

More specifically, sites are used to control the following:

Workstation logon traffic
Replication traffic
Distributed File System (DFS)

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.

File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7. What are the objects a site contains?

Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.


Q8. What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

Q9. Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller, and the changes will be replicated to other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN, and one site that contained all the domain controllers on the remote LAN.

Q10. What are the different types of replication?

Replication within a single site (called intrasite replication)
Replication between sites (called intersite replication)

Intrasite Replication: Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite Replication: Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11. What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that email and other programs use to look up information from a server.

An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12. What types of naming convention does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. Thus, the name uniquely identifies the object relative to the other objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:

DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.
OU: The Organizational Unit (OU) tag identifies an organizational unit container.
CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object.

An example of a typical distinguished name would be:

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g. CN and DC).
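As an added example (not part of the original document), the following Python converts between the name forms described above: it splits a distinguished name into its RDNs, derives the parent container, builds the canonical name, and checks the rule that one container cannot hold two objects with the same RDN. The function names and the handling of backslash-escaped commas are my own assumptions, not something the text specifies.

```python
import re

# The three LDAP attribute tags the text names; anything else is rejected.
KNOWN_TAGS = {"CN", "OU", "DC"}


def split_dn(dn):
    """Split a distinguished name into (tag, value) pairs, leaf first.

    A comma inside a value is escaped with a backslash in LDAP, so the split
    only happens on commas that are not preceded by a backslash.
    """
    parts = re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        tag, sep, value = part.strip().partition("=")
        if not sep or not value:
            raise ValueError("malformed RDN: %r" % part)
        tag = tag.upper()
        if tag not in KNOWN_TAGS:
            raise ValueError("unknown attribute tag: %r" % tag)
        rdns.append((tag, value.replace("\\,", ",")))
    return rdns


def relative_dn(dn):
    """The RDN is the leaf component; it is unique only within its parent."""
    tag, value = split_dn(dn)[0]
    return "%s=%s" % (tag, value)


def parent_dn(dn):
    """Everything after the leaf RDN: the container the object lives in."""
    return ",".join("%s=%s" % (t, v) for t, v in split_dn(dn)[1:])


def canonical_name(dn):
    """Root first, slash-separated, without attribute tags.

    The DC components, read top-down, join with dots into the DNS domain
    name; the containers and the object itself follow in top-down order.
    """
    rdns = split_dn(dn)
    dcs = [v for t, v in rdns if t == "DC"]
    rest = [v for t, v in rdns if t != "DC"]
    if not dcs:
        raise ValueError("a DN needs at least one DC component")
    return "/".join([".".join(dcs)] + list(reversed(rest)))


def same_container_conflict(dn_a, dn_b):
    """True if the two DNs would break the rule that a parent container
    cannot hold two objects with the same RDN (names compare
    case-insensitively, as Active Directory treats them)."""
    return (parent_dn(dn_a).lower() == parent_dn(dn_b).lower()
            and relative_dn(dn_a).lower() == relative_dn(dn_b).lower())


if __name__ == "__main__":
    dn = "CN=wjglenn,CN=Users,DC=contoso,DC=com"
    print(relative_dn(dn))     # CN=wjglenn
    print(parent_dn(dn))       # CN=Users,DC=contoso,DC=com
    print(canonical_name(dn))  # contoso.com/Users/wjglenn
```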

Q13. What is multimaster replication?

Active Directory follows the multimaster replication model, in which every replica of the Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14. Which two operations master roles should be available when new security principals are being created and named?

The domain naming master and the relative ID master.

Q15. What are the different types of groups?

Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups: These are used for non-security purposes by applications other than Windows. One of the primary uses is within e-mail.

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16. What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e. the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.
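Added example, not from the original document: a small Python checker that applies the membership rules for the three scopes listed above, so a proposed nesting design can be reviewed before it is built. It assumes functional levels are written as "mixed", "native" or "2003", and that a nested domain local group must come from the same domain (the usual rule, which the text above does not spell out).

```python
from collections import namedtuple

# Functional levels at which the nesting rules above are relaxed
# (Windows 2000 native or Windows Server 2003).
NATIVE_LEVELS = {"native", "2003"}

# kind: 'user', 'computer' or 'group'; domain: DNS name of the owning domain;
# scope: 'global', 'domain_local' or 'universal' (None for accounts).
Principal = namedtuple("Principal", "kind domain scope")


def account(domain):
    """A user account from `domain` (constructed helper)."""
    return Principal("user", domain, None)


def group(scope, domain):
    """A group of the given scope from `domain` (constructed helper)."""
    return Principal("group", domain, scope)


def can_be_member(member, target, domain_level, forest_level="mixed"):
    """Return (allowed, reason) for placing `member` into group `target`.

    `domain_level` is the functional level of the target group's domain;
    `forest_level` is the forest functional level (only universal groups
    depend on it, per rule 1 for universal groups above).
    """
    native = domain_level in NATIVE_LEVELS
    same_domain = member.domain.lower() == target.domain.lower()
    is_account = member.kind in ("user", "computer")

    if target.scope == "global":
        if is_account:
            return same_domain, "global groups hold accounts only from their own domain"
        if member.scope == "global" and same_domain:
            return native, "global-in-global nesting needs Windows 2000 native or 2003 level"
        return False, "global groups cannot hold domain local or universal groups, or groups from other domains"

    if target.scope == "domain_local":
        if is_account or member.scope == "global":
            return True, "users and global groups from any domain are allowed at any level"
        if member.scope == "universal":
            return native, "universal members need Windows 2000 native or 2003 level"
        if member.scope == "domain_local":
            return native and same_domain, "nested domain local groups need native/2003 level and (assumed) the same domain"
        return False, "unknown member scope %r" % (member.scope,)

    if target.scope == "universal":
        if forest_level not in NATIVE_LEVELS:
            return False, "universal groups exist only at forest level Windows 2000 native or 2003"
        if is_account or member.scope in ("global", "universal"):
            return True, "users, global and universal groups from any domain are allowed"
        return False, "universal groups cannot hold domain local groups"

    return False, "unknown group scope %r" % (target.scope,)


def audit(memberships, domain_level, forest_level="mixed"):
    """Return (member, target, reason) for every proposed membership that
    breaks the rules; an empty list means the design is consistent."""
    problems = []
    for member, target in memberships:
        ok, reason = can_be_member(member, target, domain_level, forest_level)
        if not ok:
            problems.append((member, target, reason))
    return problems
```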

Q17. What are the items that groups of different scopes can contain in mixed and native mode domains?

Q18. What is group nesting?

Placing one group in another is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas Junior Admins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19. How many characters can a group name contain?

64

Q20. Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.

Q21. What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link, they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved to give better performance and to add additional fault tolerance, load balancing, and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools, which can be used to make administrative, backup, and restoration tasks of the DFS namespaces easier. The client Windows operating system includes a DFS client, which provides additional features as well as caching.

Q22. What are the types of replication in DFS?

There are two types of replication:

Automatic, which is only available for Domain DFS.
Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24. What can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) who oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

Making changes to the site topology based on changes to the physical network topology.
Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.
Monitoring network connectivity and setting the costs for links between sites.

Q1. What is DNS?

DNS provides name registration and name-to-address resolution capabilities. DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand. These are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that these files were labor intensive. A host file is manually modified, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.

Q2. Which are the four generally accepted naming conventions?

NetBIOS Name (for instance, SPRINGERS01)

TCP/IP Address (121133244)

Host Name (Abbey)

Media Access Control (MAC) address: this is the network adapter hardware address.

Q3. How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to more and more higher-level name servers, until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.

Below are the steps explained with the help of a chart.

Figure 8-5: How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same, save for the IP address.

2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical, or official, name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain, even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look like this:

6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example for the A record at the beginning of this document, the record simply has the IP address in reverse, with the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The ldquoSOArdquo record is the most crucial record in a DNS entry It conveys more information than all the other records combined This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain Here is an example of a SOA record then each part of it will be explained

foobarbazcom IN SOA dravenfoobarbazcom hostmasterfoobarbazcom (

1996111901 Serial

10800 Refresh

21

3600 Retry

3600000 Expire

86400 ) Minimum

The first column contains the domain for which this record begins authority for The next two entries should look familiar The ldquodravenfoobarbazcomrdquo entry is the primary name server for the domain The last entry on this row is actually an email address if you substituted a ldquordquo for the first ldquordquo There should always be a viable contact address in the SOA record

The next entries are a little more unusual then what we have become used to The serial number is a record of how often this DNS entry has been updated Every time a change is made to the entry the serial number must be incremented Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name serverrsquos entry is higher than the serial number on itrsquos entry In this way the name servers for a domain are able to update themselves A recommended way of using your serial number is the YYYYMMDDNN format shown above where the NN is the number of times that day the DNS has been changed

Also a note for Allegiance Internet customers who run their own name servers even if the serial number is incremented you should still fill out the web form and use the comment box when you make changes asking us to pull the new zones

All the rest of the numbers in the record are measurements of time in seconds The ldquorefreshrdquo number stands for how often secondary name servers should check the primary for a change in the serial number ldquoRetryrdquo is how long a secondary server should wait before trying to reconnect to primary server if the connection was refused ldquoExpirerdquo is how long the secondary server should use its current entry if it is unable to perform a refresh and ldquominimumrdquo is how long other name servers should cache or save this entry

There can only be one SOA record per domain Like NS records Allegiance Internet sets up this record for you if you are not running your own name server
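The serial-number rules above (increment on every change, YYYYMMDDNN layout, secondaries transfer only when the primary's serial is newer) as an added Python example; this is not code from the original document. It parses the SOA record shown above, derives the contact address from the RNAME field, and bumps the serial. The comparison uses RFC 1982 serial-number arithmetic, which is what real secondaries use to decide "newer" even when a 32-bit serial wraps; the SOA text is a constructed copy of the record in the text.

```python
import re
from datetime import date

# Constructed sample, modelled on the SOA record shown in the text.
SOA_TEXT = """
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
    1996111901 ; Serial
    10800      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum
"""

TIMER_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")
SERIAL_MAX = 0xFFFFFFFF          # SOA serial is an unsigned 32-bit value


def parse_soa(text):
    """Return owner, primary name server, contact e-mail and the five numeric fields."""
    body = re.sub(r";[^\n]*", "", text)                      # drop ';' comments
    m = re.search(r"(\S+)\s+IN\s+SOA\s+(\S+)\s+(\S+)\s*\(([^)]*)\)", body)
    if not m:
        raise ValueError("no SOA record found")
    owner, mname, rname, numbers = m.groups()
    values = [int(n) for n in numbers.split()]
    if len(values) != 5:
        raise ValueError("SOA needs exactly five numeric fields")
    rec = dict(zip(TIMER_FIELDS, values))
    rec["owner"], rec["mname"] = owner, mname
    # RNAME: the first '.' stands for '@' (hostmaster.foobarbaz.com. -> hostmaster@foobarbaz.com)
    local, _, domain = rname.rstrip(".").partition(".")
    rec["contact"] = f"{local}@{domain}"
    return rec


def next_serial(current, today):
    """YYYYMMDDNN: the first change on a day yields YYYYMMDD00; later changes
    add one. If the stored serial is already at or past today's range (clock
    skew, hand edits), simply add one so it keeps growing."""
    base = int(today.strftime("%Y%m%d")) * 100
    new = base if current < base else current + 1
    if new > SERIAL_MAX:
        raise ValueError("serial would overflow 32 bits")
    return new


def serial_newer(primary, secondary):
    """True when the primary's serial is newer under RFC 1982 serial arithmetic,
    i.e. the secondary should transfer the zone."""
    if primary == secondary:
        return False
    diff = (primary - secondary) % 2**32
    return 0 < diff < 2**31


if __name__ == "__main__":
    soa = parse_soa(SOA_TEXT)
    bumped = next_serial(soa["serial"], date(1996, 11, 19))
    print(soa["contact"], soa["serial"], "->", bumped,
          "transfer:", serial_newer(bumped, soa["serial"]))
```

A zone edited twice on 1996-11-19 goes from 1996111901 to 1996111902; the first edit on the following day jumps to 1996112000, and a secondary still holding 1996111902 sees that as newer and pulls the zone.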

Quick Summary of the major records in DNS

Record Type: Definition

Host (A): Maps host name to IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps IP address to host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zones in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings and a serial number (incremented with every update).

Q8. Short summary of the records in DNS.

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.

Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granulated access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers, or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be set up. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. both local queries directly from local users and
> also queries from external DNS servers, go there. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?

> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                 |
>                 |
>        -----------------
>        |               |
> ----------------  ----------------
> |    DNS 1     |  |    DNS 2     |
> ----------------  ----------------
>     1.1.1.1          1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.11.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.11.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.11.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 11.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
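The referral chain just described, as an added Python example (not code from the original column): it builds the in-addr.arpa name, walks a constructed in-memory delegation table from the root through the 161.in-addr.arpa and 11.114.161.in-addr.arpa zones to the PTR, and then goes one step further than the column by checking that the PTR target maps back to the address (forward-confirmed reverse DNS). The zone data and the server names in it are constructed placeholders, with intermediate levels such as "com" omitted; the second PTR is deliberately one that nothing forward-maps to, to show why a reverse name alone should not be trusted as an identity.

```python
import ipaddress


def reverse_name(ip):
    """161.114.11.206 -> 206.11.114.161.in-addr.arpa (raises on a malformed address)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


# Constructed zone data standing in for the live DNS. Each zone maps owner
# names to (type, rdata) pairs; NS entries model the referrals in the text
# (root -> ARIN's 161.in-addr.arpa -> Compaq's 11.114.161.in-addr.arpa).
ZONES = {
    ".": {
        "161.in-addr.arpa": [("NS", "ns.arin.example")],      # placeholder server names
        "compaq.com":       [("NS", "ns.compaq.example")],
    },
    "161.in-addr.arpa": {
        "11.114.161.in-addr.arpa": [("NS", "ns.compaq.example")],
    },
    "11.114.161.in-addr.arpa": {
        "206.11.114.161.in-addr.arpa": [("PTR", "inmail.compaq.com")],
        # A PTR the address owner simply made up: no A record points back here.
        "207.11.114.161.in-addr.arpa": [("PTR", "trusted.example")],
    },
    "compaq.com": {
        "inmail.compaq.com": [("A", "161.114.11.206")],
    },
}


def lookup(name, rtype):
    """Iterative resolution over ZONES: start at the root and follow the NS
    referral for the closest enclosing delegation until the name is found.
    Returns (list of rdata, list of zones visited)."""
    zone, path = ".", ["."]
    while True:
        records = ZONES[zone]
        if name in records:
            return [rd for t, rd in records[name] if t == rtype], path
        delegations = [owner for owner, rrs in records.items()
                       if owner != zone and name.endswith("." + owner)
                       and any(t == "NS" for t, _ in rrs)]
        if not delegations:
            return [], path                  # no answer and nobody to refer to
        zone = max(delegations, key=len)     # the most specific delegation wins
        path.append(zone)


def reverse_lookup(ip):
    """PTR names for the address, plus the referral chain that led to them."""
    return lookup(reverse_name(ip), "PTR")


def forward_confirmed(ip):
    """Forward-confirmed reverse DNS: accept a PTR name only if it resolves
    back to the address that was queried. Returns the name, or None."""
    names, _ = reverse_lookup(ip)
    for name in names:
        addrs, _ = lookup(name, "A")
        if ip in addrs:
            return name
    return None


if __name__ == "__main__":
    for ip in ("161.114.11.206", "161.114.11.207"):
        names, path = reverse_lookup(ip)
        print(ip, "->", names, "via", " -> ".join(path),
              "| confirmed:", forward_confirmed(ip))
```

For 161.114.11.206 the walk visits the root, 161.in-addr.arpa and 11.114.161.in-addr.arpa and ends at inmail.compaq.com, which forward-confirms. For 161.114.11.207 a PTR is returned but nothing maps it back, so a service gating access on reverse lookup should treat that name as unverified.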

Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example
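An added Python checker (not code from the original column or from the zone-file tutorial above) for the zone-file rules this page states: exactly one SOA per zone, at least two NS records, an A record for every name server named in the zone, an optional TTL between the owner and class fields, and CNAME targets that are names rather than addresses. The zone text is constructed and deliberately repeats the mistakes discussed (one NS, a CNAME pointing at 192.168.0.1); the parser handles the subset of zone-file syntax used in the sample.

```python
import ipaddress

ORIGIN = "foobarbaz.com."            # constructed: the zone the sample belongs to
TYPES = {"SOA", "NS", "A", "CNAME", "MX", "PTR"}

# Constructed sample zone; the CNAME-to-address line mirrors the broken ones quoted above.
SAMPLE_ZONE = """
foobarbaz.com.   IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                 1996111901 10800 3600 3600000 86400 )
foobarbaz.com.   IN NS  draven.foobarbaz.com.
foobarbaz.com.   IN MX  10 mail.foobarbaz.com.
draven           IN A   10.0.0.1
foo              300 IN A 10.0.0.1      ; explicit TTL between owner and class
www              IN CNAME 192.168.0.1   ; wrong: a CNAME target must be a name
mail             IN CNAME foo.foobarbaz.com.
"""


def fqdn(name):
    """Qualify a relative owner or target against ORIGIN."""
    return name if name.endswith(".") else f"{name}.{ORIGIN}"


def parse_zone(text):
    """Return (owner, ttl or None, type, rdata tokens) per record.
    Parenthesised records spanning several lines are joined first."""
    joined, buf = [], ""
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()           # strip comments
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                                    # still inside ( ... )
        joined.append(buf)
        buf = ""
    records = []
    for line in joined:
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner, rest = fqdn(tokens[0]), tokens[1:]
        ttl = None
        if rest and rest[0].isdigit():                  # optional TTL field
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0] == "IN":                    # optional class
            rest = rest[1:]
        if not rest or rest[0] not in TYPES:
            raise ValueError(f"unrecognised record: {line.strip()}")
        records.append((owner, ttl, rest[0], rest[1:]))
    return records


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_zone(text):
    """Return a list of problem descriptions; an empty list means the zone passes."""
    by_type = {}
    for owner, ttl, rtype, rdata in parse_zone(text):
        by_type.setdefault(rtype, []).append((owner, ttl, rdata))
    problems = []
    soa = by_type.get("SOA", [])
    if len(soa) != 1:
        problems.append(f"zone must have exactly one SOA record, found {len(soa)}")
    ns = by_type.get("NS", [])
    if len(ns) < 2:
        problems.append(f"zone must have at least two NS records, found {len(ns)}")
    a_owners = {owner for owner, _, _ in by_type.get("A", [])}
    for _, _, rdata in ns:
        target = fqdn(rdata[0])
        if target.endswith("." + ORIGIN) and target not in a_owners:
            problems.append(f"name server {target} has no A record in this zone")
    for owner, _, rdata in by_type.get("CNAME", []):
        if is_ip(rdata[0]):
            problems.append(f"CNAME {owner} points at address {rdata[0]}; target must be a name")
    return problems


if __name__ == "__main__":
    for problem in lint_zone(SAMPLE_ZONE):
        print("PROBLEM:", problem)
```

Run against the sample it reports the single NS record and the www CNAME; adding a second NS record with its A record and pointing www at foo.foobarbaz.com. clears both.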

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm very much wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit on the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation of NS record numbers
> in a DNS packet is specified by certain RFCs, or it is just Internet policy stuff.
> Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. What are the FIVE FSMO roles?

Schema Master: Forest level, one per forest

Domain Naming Master: Forest level, one per forest

PDC Emulator: Domain level, one per domain

RID Master: Domain level, one per domain

Infrastructure Master: Domain level, one per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs, and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as a NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes, moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog Server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and the Global Catalog server above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.
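The placement advice above turned into an added Python check (not code from the original document): it parses the role holders out of text shaped like the output of "netdom query fsmo" (described under the FSMO tools below) and, given the list of Global Catalog servers and the number of domains in the forest, flags the Infrastructure Master sharing a server with a Global Catalog in a multi-domain forest, a Schema Master or Domain Naming Master that is not on a Global Catalog, and the split Schema/Domain Naming and PDC/RID pairs the text recommends keeping together. The netdom output, the DC names and the Global Catalog list are constructed samples.

```python
# Constructed sample, shaped like "netdom query fsmo" output (DC names are invented).
NETDOM_OUTPUT = """\
Schema master               dc1.corp.example
Domain naming master        dc2.corp.example
PDC                         dc3.corp.example
RID pool manager            dc1.corp.example
Infrastructure master       dc1.corp.example
The command completed successfully.
"""

# Constructed: which of the sample DCs hold a Global Catalog.
GLOBAL_CATALOGS = {"dc1.corp.example", "dc2.corp.example"}

ROLE_LABELS = {
    "Schema master": "schema",
    "Domain naming master": "domain_naming",
    "PDC": "pdc",
    "RID pool manager": "rid",
    "Infrastructure master": "infrastructure",
}


def parse_fsmo(text):
    """Map each role key to the (lower-cased) DC name that holds it."""
    roles = {}
    for line in text.splitlines():
        for label, key in ROLE_LABELS.items():
            if line.startswith(label):
                roles[key] = line[len(label):].strip().lower()
    missing = set(ROLE_LABELS.values()) - roles.keys()
    if missing:
        raise ValueError(f"roles not found in output: {sorted(missing)}")
    return roles


def check_placement(roles, global_catalogs, domains_in_forest):
    """Return warnings per the placement guidance; an empty list means no issue."""
    gcs = {g.lower() for g in global_catalogs}
    warnings = []
    if roles["schema"] != roles["domain_naming"]:
        warnings.append("Schema Master and Domain Naming Master are on different DCs "
                        "(recommended on the same server)")
    for key, name in (("schema", "Schema Master"), ("domain_naming", "Domain Naming Master")):
        if roles[key] not in gcs:
            warnings.append(f"{name} ({roles[key]}) is not a Global Catalog server")
    # The one hard rule: in a multi-domain forest the Infrastructure Master must not
    # share a server with a Global Catalog, or cross-domain references never update.
    if domains_in_forest > 1 and roles["infrastructure"] in gcs:
        warnings.append(f"Infrastructure Master ({roles['infrastructure']}) is on a Global "
                        "Catalog server in a multi-domain forest")
    if roles["pdc"] != roles["rid"]:
        warnings.append("PDC Emulator and RID Master are on different DCs "
                        "(recommended on the same server)")
    return warnings


if __name__ == "__main__":
    holders = parse_fsmo(NETDOM_OUTPUT)
    for warning in check_placement(holders, GLOBAL_CATALOGS, domains_in_forest=2):
        print("WARNING:", warning)
```

With the sample as written the check reports the split Schema/Domain Naming pair, the Infrastructure Master on a Global Catalog, and the split PDC/RID pair; in a single-domain forest the Infrastructure Master warning disappears.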

Q7What permissions you should have in order to transfer a FSMO role

Before you can transfer a role you must have the appropriate permissions depending on which role you plan to transfer

Schema Master member of the Schema Admins group

Domain Naming Master member of the Enterprise Admins group

PDC Emulatormember of the Domain Admins group andor the Enterprise Admins group

RID Mastermember of the Domain Admins group andor the Enterprise Admins group

Infrastructure Mastermember of the Domain Admins group andor the Enterprise Admins group

FSMO TOOLS

Q8 Tools to find out what servers in your domainforest hold what server roles

33

1 Active Directory Users and Computers- use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator RID Master Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles

Open Active Directory Users and Computers right click on the domain you want to view the FSMO roles for and click Operations Masters A dialog box (below) will open with three tabs one for each FSMO role Click each tab to see what server that role resides on To change the server roles you must first connect to the domain controller you want to move it to Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choose Connect to Domain Controller Once connected to the DC go back into the Operations Masters dialog box choose a role to move and click the Change buttonWhen you do connect to another DC you will notice the name of that DC will be in the field below the Change button (not in this graphic)

34

2 Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers except you use the Active Directory Domains and Trusts snap-in Open Active Directory Domains and Trusts right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master When you do you will see the dialog box below Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller then click the Change button You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller

3 Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role However the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation You first have to install the Support Tools from the Support directory on the Windows 2000 server CD or install the Windows 2000 Server Resource Kit Once you install the support tools you can open up a blank Microsoft Management Console (start run mmc) and add the snap-in to the console Once the snap-in is open right click Active Directory Schema at the top of the tree and choose Operations Masters You will see the dialog box below Changing the server the Schema Master resides on requires you first connect to another domain controller and then click the Change button

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller

35

4Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility Like the Active Directory Schema snap-in the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit

To use Netdom to view the FSMO role holders open a command prompt window and typenetdom query fsmo and press enter You will see a list of the FSMO role servers

36

5 Active Directory Relication Monitor another tool that comes with the Support Tools is the Active Directory Relication Monitor Open this utility from Start Programs Windows 2000 Support Tools Once open click Edit Add Monitored Server and add the name of a Domain Controller Once added right click the Server name and choose properties Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below) You cannot change roles using Replication Monitor but this tool has many other useful purposes in regard to Active Directory information It is something you should check out if you havent already

Finally you can use the Ntdsutilexe utility to gather information about and change servers for FSMO roles Ntdsutilexe a command line utility that is installed with Windows 2000 server is rather complicated and beyond the scope of this document

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest /?" for syntax and switches.

Common uses:

Get a list of all DCs in the domain.

Get the name of the PDC emulator.

Query or reset the secure channel for a server.

Call DsGetDCName to query for an available domain controller.

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to Transfer and Seize an FSMO Role?

See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504. Transfer a role while its current holder is still online; seize it only when that holder is permanently unavailable, and do not return a domain controller whose Schema Master, Domain Naming Master or RID Master role was seized to the network without reinstalling it.


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. To whom is a Domain Policy applied?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where do you create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services, right click Default-First-Site-Name (or another Site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. Who can Create/Modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies Applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to which objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do Group Policy scripts run?

Startup scripts are processed at computer boot-up, before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min interval, so the refresh could be after 60, 90 or 120 mins. For DCs (Domain Controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes, Administrative Templates, System, Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection, Software Installation, and Logon/Logoff/Startup/Shutdown Scripts.

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine (or computer) policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the machine (or computer) policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Windows 2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies are applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec.

Q12. Which policies are not applied over slow links?

IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance.

These settings can be changed under the Computer and User nodes, Administrative Templates, System, Group Policy.


If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. What are the two default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy.

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires. Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only. Rename Guest Account - when set at the domain level it affects the Domain Guest account only.

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other.

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO. dcgpofix does not back up the current GPOs before replacing them, so any settings you had added to the default GPOs are lost.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions that control the inheritance of Group Policy?

No Override: when you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: you can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
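The precedence rules above (the Local, Site, Domain, OU processing order, bottom-to-top link order within a container, GPOs disabled as in Q6, No Override and Block Inheritance) worked through in code, so that for every setting you can see which GPO linked at which container actually won. This is an added Python example, not code from the original document or from Microsoft; the container names, GPO names and setting names are constructed, and nested OUs are simply further entries in the chain.

```python
"""Added example (not from the original document): resolve which GPO wins for
each setting under the LSDOU order, link order, No Override and Block
Inheritance rules. Container, GPO and setting names are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict            # setting name -> configured value (only configured ones)
    disabled: bool = False    # the "Disable" column on the Group Policy tab


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False  # "No Override" on the link (Enforced in later versions)


@dataclass
class Container:
    name: str                  # "Local", a site, a domain or an OU
    links: list = field(default_factory=list)  # Group Policy tab order, top of list first
    block_inheritance: bool = False


def resolve(chain):
    """chain: [local, site, domain, top-level OU, ..., nearest OU] for one object.
    Returns {setting: (value, gpo name, container name)} naming the winning source."""
    effective = {}

    def apply(link, container):
        if link.gpo.disabled:          # a disabled GPO contributes nothing
            return
        for setting, value in link.gpo.settings.items():
            effective[setting] = (value, link.gpo.name, container.name)  # later apply wins

    # Pass 1: LSDOU order; within a container bottom-to-top so the top link is applied
    # last. A container that blocks inheritance drops every non-No-Override link of its
    # parents. The local GPO is not an inherited link, so it is never blocked here.
    for i, container in enumerate(chain):
        blocked = i > 0 and any(c.block_inheritance for c in chain[i + 1:])
        for link in reversed(container.links):
            if not link.no_override and not blocked:
                apply(link, container)

    # Pass 2: No Override links ignore Block Inheritance and are applied last so they win.
    # A parent's No Override link beats a child's, so walk from the object upward.
    for container in reversed(chain):
        for link in reversed(container.links):
            if link.no_override:
                apply(link, container)
    return effective


def sample_chain(block_inheritance=True):
    """Constructed hierarchy: local GPO, one site, the domain, one OU."""
    local = Container("Local", [Link(GPO("Local Policy",
        {"HideDisplaySettings": False, "ScreenSaverTimeout": 100}))])
    site = Container("Default-First-Site-Name", [Link(GPO("Site Banner",
        {"LegalNoticeText": "Site banner", "ScreenSaverTimeout": 600}))])
    domain = Container("example.com", [
        Link(GPO("Corporate Baseline", {"DisableWindowsUpdate": True}), no_override=True),
        Link(GPO("Default Domain Policy", {"ScreenSaverTimeout": 900})),
    ])
    dev = Container("OU=Development", [
        Link(GPO("Dev Tools", {"DisableWindowsUpdate": False, "ScreenSaverTimeout": 1200})),
        Link(GPO("Dev Base", {"ScreenSaverTimeout": 300, "HideDisplaySettings": True})),
        Link(GPO("Old Lockdown", {"ScreenSaverTimeout": 60}, disabled=True)),
    ], block_inheritance=block_inheritance)
    return [local, site, domain, dev]


if __name__ == "__main__":
    for setting, (value, gpo, where) in sorted(resolve(sample_chain()).items()):
        print(f"{setting:22} = {value!r:14} from '{gpo}' linked at {where}")
```

With Block Inheritance set on the Development OU, the site banner never reaches the object and the domain's Default Domain Policy is dropped, yet the No Override "Corporate Baseline" still wins over the OU's attempt to re-enable Windows Update; turn the block off and the site setting reappears while the OU's screen saver timeout still beats the site's and domain's because the OU is processed later.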

Q16. How to Redirect New User and Computer Accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


Types of Zones

There are two types of zones: forward lookup and reverse lookup. Forward lookup zones contain information needed to resolve names within the DNS domain. They must include SOA and NS records and can include any type of resource record except the PTR resource record. Reverse lookup zones contain information needed to perform reverse lookups. They usually include SOA, NS, PTR and CNAME records.

With most queries, the client supplies a name and requests the IP address that corresponds to that name. This type of query is typically described as a forward lookup. Active Directory requires forward lookup zones.

However, what if a client already has a computer's IP address and wants to determine the DNS name for the computer? This is important for programs that implement security based on the connecting FQDN, and is used for TCP/IP network troubleshooting. The DNS standard provides for this possibility through reverse lookups. Because whoever controls the reverse zone for an address range controls its PTR records, a program that relies on the connecting FQDN should also resolve that name forward and confirm it maps back to the connecting address.

Once you have installed Active Directory, you have two options for storing your zones when operating the DNS server at the new domain controller.

Standard Zone

Zones stored this way are located in .dns text files that are stored in the %SystemRoot%\System32\Dns folder on each computer operating a DNS server. Zone file names correspond to the name you choose for the zone when creating it, such as example.microsoft.com.dns if the zone name was example.microsoft.com.

This type offers the choice of using either a Standard Primary zone or a Standard Secondary zone.

Standard Primary Zone

For standard primary-type zones, only a single DNS server can host and load the master copy of the zone. If you create a zone and keep it as a standard primary zone, no additional primary servers for the zone are permitted. Only one server is allowed to accept dynamic updates (also known as DDNS) and process zone changes. The standard primary model implies a single point of failure.

Standard Secondary Zone

A secondary name server gets the data for its zones from another name server (either a primary name server or another secondary name server) for that zone across the network. The data in a Secondary zone is read-only, and updated information must come from additional zone transfers. The process of obtaining this zone information (i.e., the database file) across the network is referred to as a zone transfer. Zone transfers occur over TCP port 53.

Secondary servers can provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used. Additionally, if a primary server is down, a secondary server can provide some name resolution in the zone until the primary server is available.


Note: A Standard Primary zone will not replicate its information to any other DNS servers, but may allow zone transfers to Secondary zones. Restrict zone transfers to the servers that actually host the secondary zones; an unrestricted transfer hands a complete copy of the zone to anyone who asks for it. Win2003 also supports stub zones. A secondary or stub zone cannot be hosted on a DNS server that hosts a primary zone for the same domain name.

Directory-integrated Zone

Zones stored this way are located in the Active Directory tree under the domain object container. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it. Active Directory integrated zones will replicate this information to other domain controllers in that domain.

Note: If DNS is running on a Windows 2000 server that is not a domain controller, it will not be able to use Active Directory integrated zones or replicate with other domain controllers, since it does not have Active Directory installed.

DNS Records

After you create a zone, additional resource records need to be added to it. The most common resource records (RRs) to be added are:

Table 1: Record Types

Name | Description
Host (A) | For mapping a DNS domain name to an IP address used by a computer.
Alias (CNAME) | For mapping an alias DNS domain name to another primary or canonical name.
Mail Exchanger (MX) | For mapping a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR) | For mapping a reverse DNS domain name, based on the IP address of a computer, that points to the forward DNS domain name of that computer.
Service location (SRV) | For mapping a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.

Other resource records as needed.
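The zone rules and record types above, applied to a small zone file: the parser reads one-record-per-line zone text, the validators check the forward-zone rule (SOA and NS required, no PTR) and the usual reverse-zone contents, a helper builds the in-addr.arpa owner name that a PTR record needs, and a consistency check lists hosts whose A record has no matching PTR, which is exactly what breaks programs that authorise by connecting FQDN. This is an added Python example, not code from the original document or from Microsoft; the two sample zones are constructed (the zone name example.microsoft.com is taken from the text above, the hosts and addresses are invented), and the parser deliberately does not handle $ORIGIN, $TTL or multi-line SOA syntax.

```python
"""Added example (not from the original document): parse a small zone file and
check the forward/reverse zone rules described above. Sample zones are
constructed; only single-line records with explicit FQDNs are supported."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str      # fully qualified owner name, with trailing dot, lower-cased
    rtype: str      # A, CNAME, MX, PTR, SRV, SOA, NS, ...
    rdata: tuple    # remaining fields, as strings


def parse_zone(text):
    """Parse 'owner [ttl] IN TYPE rdata...' lines; ';' comments and blanks are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():   # optional TTL before the class
            del fields[1]
        if len(fields) < 4 or fields[1].upper() != "IN":
            raise ValueError(f"cannot parse record line: {raw!r}")
        records.append(Record(fields[0].lower(), fields[2].upper(), tuple(fields[3:])))
    return records


def validate_forward_zone(records):
    """Forward zones must have SOA and NS and may hold any type except PTR."""
    types = {r.rtype for r in records}
    problems = []
    if "SOA" not in types:
        problems.append("forward lookup zone is missing its SOA record")
    if "NS" not in types:
        problems.append("forward lookup zone is missing its NS record(s)")
    if "PTR" in types:
        problems.append("PTR records are not allowed in a forward lookup zone")
    return problems


def validate_reverse_zone(records):
    """Reverse zones need SOA and NS; SOA, NS, PTR and CNAME are the usual contents."""
    types = {r.rtype for r in records}
    problems = []
    if "SOA" not in types:
        problems.append("reverse lookup zone is missing its SOA record")
    if "NS" not in types:
        problems.append("reverse lookup zone is missing its NS record(s)")
    for unusual in sorted(types - {"SOA", "NS", "PTR", "CNAME"}):
        problems.append(f"unexpected {unusual} record in a reverse lookup zone")
    return problems


def ptr_name(ip):
    """Owner name of the PTR record for an IPv4 address: octets reversed under in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def missing_ptrs(forward, reverse):
    """(host, expected PTR owner) for every A record with no matching PTR in the reverse zone."""
    ptrs = {(r.owner, r.rdata[0].lower()) for r in reverse if r.rtype == "PTR"}
    missing = []
    for r in forward:
        if r.rtype == "A":
            expected = ptr_name(r.rdata[0])
            if (expected, r.owner) not in ptrs:
                missing.append((r.owner, expected))
    return missing


def srv_targets(records, service_name):
    """(priority, weight, port, target) for an SRV name, lowest priority first."""
    hits = [r for r in records if r.rtype == "SRV" and r.owner == service_name.lower()]
    return sorted((int(r.rdata[0]), int(r.rdata[1]), int(r.rdata[2]), r.rdata[3].lower())
                  for r in hits)


# Constructed sample zones (single-line SOA for the small parser above).
FORWARD_ZONE = """
; example.microsoft.com.dns - constructed forward lookup zone
example.microsoft.com. IN SOA dc1.example.microsoft.com. hostmaster.example.microsoft.com. 2024010101 3600 600 86400 3600
example.microsoft.com. IN NS dc1.example.microsoft.com.
dc1.example.microsoft.com. IN A 192.168.1.10
mail.example.microsoft.com. IN A 192.168.1.20
www.example.microsoft.com. IN CNAME dc1.example.microsoft.com.
example.microsoft.com. IN MX 10 mail.example.microsoft.com.
_ldap._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 100 389 dc1.example.microsoft.com.
"""
REVERSE_ZONE = """
; 1.168.192.in-addr.arpa.dns - constructed reverse lookup zone (mail host PTR deliberately absent)
1.168.192.in-addr.arpa. IN SOA dc1.example.microsoft.com. hostmaster.example.microsoft.com. 2024010101 3600 600 86400 3600
1.168.192.in-addr.arpa. IN NS dc1.example.microsoft.com.
10.1.168.192.in-addr.arpa. IN PTR dc1.example.microsoft.com.
"""

if __name__ == "__main__":
    fwd, rev = parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE)
    print("forward zone problems:", validate_forward_zone(fwd) or "none")
    print("reverse zone problems:", validate_reverse_zone(rev) or "none")
    print("hosts without a PTR:", missing_ptrs(fwd, rev))
    print("domain controllers via SRV:", srv_targets(fwd, "_ldap._tcp.dc._msdcs.example.microsoft.com."))
```

Feeding the reverse zone to validate_forward_zone reports the PTR record, which is the one record type the text says a forward zone may not hold; the SRV lookup shows the record type a client follows to find a domain controller, as the table describes.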


Q1. What does the logical component of the Active Directory structure include?

Objects - Resources are stored in Active Directory as objects.

Sub-category: object class

An object is really just a collection of attributes. A user object, for example, is made up of attributes such as name, password, phone number, group membership, and so on. The attributes that make up an object are defined by an object class. The user class, for example, specifies the attributes that make up the user object.

The Active Directory Schema

The classes and the attributes that they define are collectively referred to as the Active Directory Schema. In database terms, a schema is the structure of the tables and fields and how they are related to one another. You can think of the Active Directory Schema as a collection of data (object classes) that defines how the real data of the directory (the attributes of an object) is organized and stored.

Domains

The basic organizational structure of the Windows Server 2003 networking model is the domain. A domain represents an administrative boundary. The computers, users and other objects within a domain share a common security database.

Trees

Multiple domains are organized into a hierarchical structure called a tree. Actually, even if you have only one domain in your organization, you still have a tree. The first domain you create in a tree is called the root domain. The next domain that you add becomes a child domain of that root. This expandability of domains makes it possible to have many domains in a tree. Figure 1-1 shows an example of a tree. Microsoft.com was the first domain created in Active Directory in this example and is therefore the root domain.


Figure 1-1: A tree is a hierarchical organization of multiple domains (domains shown: microsoft.com, sales.microsoft.com, rnd.microsoft.com, west.microsoft.com, east.microsoft.com).

All domains in a tree share a common schema and a contiguous namespace. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in.

Forest

A forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory-enabled computer (domain controller) on a network is installed.

This first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.

Figure 1-2 shows an example of a forest with two trees. Each tree in the forest has its own namespace. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com (after the first domain created).

Figure 1-2: Trees in a forest share the same schema but not the same namespace (microsoft.com tree: microsoft.com, sales.microsoft.com, rnd.microsoft.com, west.microsoft.com, east.microsoft.com, with microsoft.com labelled "Root domain of microsoft.com forest & tree"; contoso.com tree: contoso.com, west.contoso.com, east.contoso.com, with contoso.com labelled "Root domain of Contoso.com forest").

A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests. This would let you grant access to resources and accounts that are outside of a particular forest.

Organizational Units

Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain.

OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2. What does the physical structure of Active Directory contain?

Physical structures include domain controllers and sites.

Q3. What is nesting?

The creation of an OU inside another OU.

IMP - once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4. What is a trust relationship, and how many types of trust relationship are there in Exchange 2003?

Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain).

Windows Server 2003 supports six types of trust relationships:

Parent and child trusts, Tree-root trusts, External trusts, Shortcut trusts, Realm trusts, Forest trusts.


Q5. What is a site?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.
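How the subnet-to-site association above is used to keep workstation logon traffic on the LAN, worked through in code: a client's address is matched against the subnet objects (longest prefix wins when subnets nest), the site gives the domain controllers that should answer, and a last function lists clients that match no subnet object at all, which is the audit a defender wants because such clients authenticate against whichever domain controller answers first, possibly across the WAN. This is an added Python example, not code from the original document or from Microsoft; the subnets, site names and domain controller names are constructed, and the fallback to "any domain controller" for a site with no DC is a simplification (the real locator picks a covering site using site link costs, which the text does not cover).

```python
"""Added example (not from the original document): map a client IP address to
its site through subnet objects and pick the domain controllers in that site.
Subnets, sites and domain controller names are constructed."""
import ipaddress

# Constructed subnet objects: subnet -> site it is associated with.
SUBNETS = {
    "10.1.0.0/16": "HQ",
    "10.1.50.0/24": "HQ-Lab",   # more specific subnet nested inside 10.1.0.0/16
    "10.2.0.0/16": "Branch",
}

# Constructed domain controller objects: DC name -> site that contains it.
DOMAIN_CONTROLLERS = {
    "dc1.example.com": "HQ",
    "dc2.example.com": "HQ",
    "dc3.example.com": "Branch",
}


def site_for_address(ip, subnets=SUBNETS):
    """Longest-prefix match of the client address against the subnet objects;
    None when no subnet object covers it (the client then has no site affinity)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def domain_controllers_for(ip, subnets=SUBNETS, dcs=DOMAIN_CONTROLLERS):
    """Domain controllers in the client's own site, so logon traffic stays on the
    LAN. Simplification: a site with no DC (or a client with no site) falls back
    to every DC; the real locator chooses a covering site by site link cost."""
    site = site_for_address(ip, subnets)
    in_site = sorted(name for name, dc_site in dcs.items() if dc_site == site)
    return in_site if in_site else sorted(dcs)


def unmapped_clients(ips, subnets=SUBNETS):
    """Client addresses that match no subnet object: worth auditing, because these
    clients authenticate against whichever DC answers first, possibly over the WAN."""
    return [ip for ip in ips if site_for_address(ip, subnets) is None]


if __name__ == "__main__":
    for client in ("10.1.3.4", "10.1.50.7", "10.2.9.9", "192.168.1.1"):
        print(client, "->", site_for_address(client), domain_controllers_for(client))
    print("clients with no site:", unmapped_clients(["10.1.1.1", "172.16.0.5"]))
```

The nested 10.1.50.0/24 subnet shows why the match must be longest-prefix rather than first-hit: a lab client is placed in HQ-Lab, not HQ, even though both subnet objects contain its address.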

Q6 What is the use of site

Sites are primarily used to control replication traffic Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made Domain controllers in different sites compress the replication traffic and operate based on a defined schedule both of which are intended to cut down on network traffic

More specifically sites are used to control the following

Workstation logon traffic Replication traffic Distributed File System (DFS)

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network DFS lets you create a single logical hierarchy for folders and files that is consistent on a network regardless of where on the network those items are actually stored Files represented in the DFS might be stored in multiple locations on the network so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need To this end DFS uses site information to direct a client to the server that is hosting the requested data within the site If DFS does not find a copy of the data within the same site as the client DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client

File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System Volume) The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain You can use SYSVOL to replicate Group Policy Objects startup and shutdown scripts and logon and logoff scripts A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers FRS uses site boundaries to govern the replication of items in the SYSVOL folders

Q7. What objects does a site contain?

Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.


Q8. What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

Q9. Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller, and the changes will be replicated to other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes, and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher-priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q10. What are the different types of replication?

Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).

Intrasite Replication: Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite Replication: Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11. What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that e-mail and other programs use to look up information from a server.

An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12. What types of naming conventions does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. Thus, the name uniquely identifies the object relative to the other objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:

• DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.
• OU: The Organizational Unit (OU) tag identifies an organizational unit container.
• CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object.

An example of a typical distinguished name would be:

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name:

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).
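The naming rules in Q12, as an added worked example (this code is not part of the original question set and is not an Active Directory API): a small Python parser that splits a distinguished name into its RDNs (honoring backslash-escaped commas, so a common name such as "Glenn, Walter" stays one component), extracts the RDN and the parent container, converts the DN into the canonical form shown above, and reports RDN collisions inside one container, which is exactly what Active Directory refuses. The "Glenn, Walter" and OU=Sales names are constructed for the example.

```python
def split_dn(dn):
    """Split a distinguished name into its RDNs on unescaped commas. A backslash
    escapes the next character (so 'CN=Glenn\\, Walter' is one RDN); the escape
    is kept so each RDN is reproduced exactly as written."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def unescape(value):
    """Remove backslash escapes from an attribute value."""
    out, escaped = [], False
    for ch in value:
        if escaped:
            out.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        else:
            out.append(ch)
    return "".join(out)


def rdn_of(dn):
    """The leftmost component: unique only within the parent container."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """Everything after the RDN: the DN of the container holding the object."""
    return ",".join(split_dn(dn)[1:])


def canonical_name(dn):
    """DN -> canonical form: the DC components joined with dots give the DNS
    domain, then the remaining RDN values, root first, separated by '/'."""
    tags = [rdn.split("=", 1) for rdn in split_dn(dn)]
    dcs = [unescape(v) for tag, v in tags if tag.strip().upper() == "DC"]
    path = [unescape(v) for tag, v in tags if tag.strip().upper() != "DC"]
    return "/".join([".".join(dcs)] + list(reversed(path)))


def duplicate_rdns(dns):
    """(parent, rdn) pairs that occur more than once. Directory names compare
    case-insensitively, so these are the objects AD would refuse to create."""
    seen = {}
    for dn in dns:
        key = (parent_dn(dn).lower(), rdn_of(dn).lower())
        seen[key] = seen.get(key, 0) + 1
    return sorted(k for k, n in seen.items() if n > 1)


if __name__ == "__main__":
    dn = "CN=wjglenn,CN=Users,DC=contoso,DC=com"
    print(rdn_of(dn), "|", parent_dn(dn), "|", canonical_name(dn))
```

The DN used in the usage call is the one from the text; canonical_name returns contoso.com/Users/wjglenn for it, and an RDN that merely differs in case from an existing one in the same container is reported by duplicate_rdns.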

Q13. What is multimaster replication?

Active Directory follows the multimaster replication model, in which every replica of the Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14. Which two operations master roles should be available when new security principals are being created and named?

Domain naming master and the relative ID master.


Q15. What are the different types of groups?

Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups: These are used for nonsecurity purposes by applications other than Windows. One of the primary uses is within an e-mail

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16. What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17. What items can groups of different scopes contain in mixed-mode and native-mode domains?

Q18. What is group nesting?

Placing one group inside another group is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas JuniorAdmins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19. How many characters can a group name contain?

64

Q20. Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.


Q21. What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS terminology: It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link, they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1. The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved for better performance and to add fault tolerance, load balancing, and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools, which can be used to make administrative backup and restoration tasks of the DFS namespaces easier. The client Windows operating system includes a DFS client, which provides additional features as well as caching.


Q22. What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for domain DFS, and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24. What does a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

• Making changes to the site topology based on changes to the physical network topology
• Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets
• Monitoring network connectivity and setting the costs for links between sites
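The two pieces of site information the topology owner maintains (subnet-to-site mappings and site link costs) are what site-aware services such as DFS (Q6, Q21) consult. As an added example, not part of the original questions and not Microsoft's DFS or domain controller locator code, the Python below maps a client address to its site by longest-prefix subnet match, runs Dijkstra over the site link costs, and orders the servers hosting a DFS target the way a site-aware referral would: the client's own site first, then the cheapest reachable site. All subnets, site names, link costs and server names are constructed for the example.

```python
import heapq
import ipaddress

# Constructed sample topology (not a real network). Subnet -> site, as the
# site topology owner tracks it; a client's site is the one whose subnet
# holds its address (longest prefix wins).
SUBNET_TO_SITE = {
    "10.1.0.0/16": "Dallas",
    "10.2.0.0/24": "Austin",
    "10.3.0.0/24": "Houston",
}

# Site links as (site, site, cost). Lower cost is preferred. Constructed values.
SITE_LINKS = [
    ("Dallas", "Austin", 100),
    ("Austin", "Houston", 200),
    ("Dallas", "Houston", 500),
]

# Servers hosting one DFS target and the site each lives in. Constructed names.
TARGET_SERVERS = {
    "fs1.contoso.com": "Dallas",
    "fs2.contoso.com": "Houston",
}


def site_for_ip(ip, subnet_map=SUBNET_TO_SITE):
    """Return the site whose subnet contains ip, or None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_map.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return None if best is None else best[1]


def site_costs(origin, links=SITE_LINKS):
    """Dijkstra over site links: cheapest total link cost from origin to each reachable site."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    dist = {origin: 0}
    heap = [(0, origin)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist.get(site, float("inf")):
            continue
        for nxt, cost in graph.get(site, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist


def referral_order(client_ip, servers=TARGET_SERVERS):
    """Order target servers as a site-aware referral would: the client's own
    site first (cost 0), then ascending site link cost; unreachable sites last."""
    client_site = site_for_ip(client_ip)
    if client_site is None:
        # No site information for this client: fall back to plain name order.
        return sorted(servers)
    costs = site_costs(client_site)
    return sorted(servers, key=lambda s: (costs.get(servers[s], float("inf")), s))


if __name__ == "__main__":
    for ip in ("10.2.0.7", "10.3.0.9", "192.168.1.1"):
        print(ip, site_for_ip(ip), referral_order(ip))
```

A client in Austin has no local copy of the target, so the cheaper Dallas link (cost 100) wins over Houston (200); a client whose address matches no tracked subnet gets no site and therefore no cost-based ordering, which is the practical reason the owner's subnet list has to be kept complete.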

Q1. What is DNS?

DNS provides name registration and name-to-address resolution capabilities, and DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand: these are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that they were labor intensive: a host file is manually modified, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.


Q2. Which are the four generally accepted naming conventions?

• NetBIOS name (for instance, SPRINGERS01)
• TCP/IP address (121133244)
• Host name (Abbey)
• Media Access Control (MAC) address; this is the network adapter hardware address

Q3. How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1. A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2. If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3. If all else fails, the request is passed to more and more higher-level name servers until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.

Below, the steps are explained with the help of a chart.

Figure 8-5. How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.

2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain, even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our e-mail address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet e-mail address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add a wildcard MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse, with the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nsealgxnet" and "nsfalgxnet" as your two authoritative name servers.

6. Start of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; then each part of it will be explained.

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
    1996111901 ; Serial
    10800      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an e-mail address if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on its own entry. In this way, the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.

Quick summary of the major records in DNS

Record type: Definition

Host (A): Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Name servers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (optional), Mail Exchange Server DNS Name, Preference Number.
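The record types of Q4 and the SOA serial rule, as one added worked example (not from the original document and not Allegiance Internet's tooling): a small Python parser for a constructed zone in BIND-style text built from this section's foobarbaz.com records, the sanity checks the text implies (exactly one SOA, at least two NS records, every NS and MX target backed by an A record, every CNAME pointing at a canonical name that has an A record), MX hosts in the order a sender would try them, the in-addr.arpa owner name for an address, and the YYYYMMDDNN serial increment. The hosts backup.foobarbaz.com and nowhere.foobarbaz.com are constructed without A records so the checks have something to report.

```python
import datetime

# Constructed zone text in BIND-style syntax, built from the record examples
# of this section (foobarbaz.com is the document's fictitious domain).
# backup.foobarbaz.com and nowhere.foobarbaz.com are constructed to have no
# A record, so the checks below have something to report.
ZONE_TEXT = """
foobarbaz.com.        IN SOA   draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                               1996111901 ; Serial
                               10800      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               86400 )    ; Minimum
foobarbaz.com.        IN NS    draven.foobarbaz.com.
foobarbaz.com.        IN NS    eric.foobarbaz.com.
foobarbaz.com.        IN MX    20 backup.foobarbaz.com.
foobarbaz.com.        IN MX    10 eric.foobarbaz.com.
eric.foobarbaz.com.   IN A     36.36.1.6
draven.foobarbaz.com. IN A     36.36.1.7
www.foobarbaz.com.    IN CNAME eric.foobarbaz.com.
ftp.foobarbaz.com.    IN CNAME nowhere.foobarbaz.com.
"""


def parse_zone(text):
    """Parse 'owner class type rdata...' lines into (owner, type, rdata) tuples.
    ';' starts a comment, and a '(' ... ')' group may span several lines (as in
    the SOA above). Every record is assumed to carry an explicit owner and class."""
    records, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf += " " + line
        if depth > 0:
            continue
        tokens = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if not tokens:
            continue
        owner, _cls, rtype, *rdata = tokens
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def soa_serial(records):
    """The serial is the third rdata field of the SOA (after the MNAME and RNAME)."""
    soa = [r for r in records if r[1] == "SOA"]
    return int(soa[0][2][2]) if soa else None


def mail_delivery_order(records, domain):
    """MX hosts for domain, lowest preference first: the order a sender tries them."""
    mx = [(int(rd[0]), rd[1]) for owner, rtype, rd in records
          if rtype == "MX" and owner == domain.lower()]
    return sorted(mx)


def reverse_name(ipv4):
    """Owner name of the in-addr.arpa PTR record for an IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def lint_zone(records):
    """Checks implied by the text: one SOA, at least two NS, every NS and MX
    target backed by an A record, and every CNAME pointing at a canonical name."""
    findings, by_type = [], {}
    for owner, rtype, rdata in records:
        by_type.setdefault(rtype, []).append((owner, rdata))
    a_names = {owner for owner, _ in by_type.get("A", [])}
    n_soa = len(by_type.get("SOA", []))
    if n_soa != 1:
        findings.append(f"expected exactly one SOA record, found {n_soa}")
    ns = by_type.get("NS", [])
    if len(ns) < 2:
        findings.append(f"expected at least two NS records, found {len(ns)}")
    for _owner, rdata in ns:
        if rdata[0].lower() not in a_names:
            findings.append(f"NS {rdata[0]} has no A record")
    for owner, rdata in by_type.get("CNAME", []):
        if rdata[0].lower() not in a_names:
            findings.append(f"CNAME {owner} -> {rdata[0]} does not point at a name with an A record")
    for _owner, rdata in by_type.get("MX", []):
        if rdata[1].lower() not in a_names:
            findings.append(f"MX target {rdata[1]} has no A record")
    return findings


def next_serial(current, today=None):
    """YYYYMMDDNN convention: a new date gives NN=00; further changes the same
    day (or a serial already at or above today's base) increment by one."""
    if today is None:
        today = datetime.date.today().strftime("%Y%m%d")
    base = int(today) * 100
    return base if current < base else current + 1


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print("serial:", soa_serial(recs), "->", next_serial(soa_serial(recs), "19961120"))
    print("MX order:", mail_delivery_order(recs, "foobarbaz.com."))
    print("PTR owner:", reverse_name("36.36.1.6"))
    for finding in lint_zone(recs):
        print("finding:", finding)
```

The PTR owner name the function produces for 36.36.1.6 is the same 6.1.36.36.in-addr.arpa shown in the PTR example above, and the two findings are exactly the constructed backup and nowhere hosts; the real records from the text pass every check.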

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often, subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zone types in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8. Give a short summary of the records in DNS.

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for e-mail.


Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone
• The IP address of one or more master servers that can be used to update the stub zone

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to the cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

25

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis only relevant changes are propagated This allows less data to be used and submitted in updates for directory-stored zones

Note Only primary zones can be stored in the directory A DNS server cannot store secondary zones in the directory It must store them in standard text files The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.
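The secure-update and scavenging settings discussed in Q13 to Q15 can be audited from PowerShell. The script below is an added example, not part of the original document; it uses the DnsServer module cmdlets (RSAT) against a placeholder server name and zone name, both assumptions.

```powershell
# Added example (not from the original document): audit AD-integrated zones
# for secure-only dynamic updates and check scavenging settings.
# Assumes the DnsServer module (RSAT); $DnsServer and the zone name are placeholders.
Import-Module DnsServer

$DnsServer = 'dc01.corp.example'   # placeholder DNS server / domain controller
$ZoneName  = 'corp.example'        # placeholder zone

# 1. Zone storage and dynamic-update mode.
#    DynamicUpdate is one of None, NonsecureAndSecure, Secure.
#    An AD-integrated zone left at NonsecureAndSecure lets any host on the
#    network overwrite records, so flag it.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    ForEach-Object {
        if ($_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure') {
            Write-Warning "$($_.ZoneName): AD-integrated but DynamicUpdate=$($_.DynamicUpdate)"
        }
        $_
    } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate |
    Format-Table -AutoSize

# Harden one zone: require secure (Kerberos-authenticated) dynamic updates only,
# the default the text describes for directory-integrated zones.
Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ZoneName -DynamicUpdate Secure

# 2. Server-wide scavenging. ScavengingInterval defaults to 7 days (168 hours);
#    ScavengingState must be $true or nothing is ever removed.
Get-DnsServerScavenging -ComputerName $DnsServer |
    Select-Object ScavengingState, ScavengingInterval, NoRefreshInterval, RefreshInterval

# 3. Per-zone aging must also be enabled, or scavenging skips the zone entirely.
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName |
    Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval

# Enable server scavenging at the 7-day default and turn on aging for the zone.
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true -ScavengingInterval 7.00:00:00
Set-DnsServerZoneAging  -ComputerName $DnsServer -Name $ZoneName -Aging $true
```

Both the server-level scavenging state and the zone-level aging flag have to be on; checking only one is the usual reason stale records survive.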

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers via an external network load balancing appliance (i.e. F5's Big IP, Cisco's Content Switches/Local Directors). The main question being the configuration: whether to use 2 Master/Primary Servers or is it wiser to use 1 Primary and 1 Secondary? The reason is that I feel there are two configurations that could be set up. One in which only the resolvers query the virtual IP address on the load balancing appliance, or actually configure your NS records to point to the Virtual Address so that all queries, i.e. both local queries directly from local users and also queries from external DNS servers. I've included a text representation of the physical configuration. Have you ever heard of or architected such a configuration?

> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                  |
>                  |
>         -----------------
>         |               |
> ----------------  --------------
> |    DNS 1     |  |   DNS 2    |
> ----------------  --------------
>      1111             1112

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local resolver or ISP's DNS server find the pointer records, please? E.g. I run nslookup 161.114.1.206 & get a reply for a Compaq server - how does it know where to look? Is there a giant reverse lookup zone in the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case, the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
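The octet inversion described in the answer is easy to get wrong by hand, so here is an added example (not part of the original Q&A) that builds the reverse name and issues the PTR query with Resolve-DnsName. It goes beyond the answer's IPv4 case by also handling IPv6, where the name is the 32 hex nibbles reversed under ip6.arpa; the IPv6 address used is a constructed sample.

```powershell
# Added example (not part of the original Q&A): construct the reverse-lookup
# name for an address, then query its PTR record.
function ConvertTo-ReverseName {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -eq 'InterNetwork') {
        # IPv4: invert the octets and append in-addr.arpa
        $octets = $ip.GetAddressBytes()
        [array]::Reverse($octets)
        return ($octets -join '.') + '.in-addr.arpa'
    }
    # IPv6: expand to 32 hex nibbles, reverse them, one label per nibble, under ip6.arpa
    $hex = -join ($ip.GetAddressBytes() | ForEach-Object { $_.ToString('x2') })
    $nibbles = $hex.ToCharArray()
    [array]::Reverse($nibbles)
    return ($nibbles -join '.') + '.ip6.arpa'
}

# The address from the question becomes 206.1.114.161.in-addr.arpa,
# which is the name the resolver actually asks for.
$name = ConvertTo-ReverseName '161.114.1.206'
$name

# Send the PTR query. Resolve-DnsName walks the same delegation chain the
# answer describes (root -> 161.in-addr.arpa -> 1.114.161.in-addr.arpa).
Resolve-DnsName -Name $name -Type PTR -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'PTR' |
    Select-Object Name, NameHost

# Constructed IPv6 sample (documentation prefix) for comparison
ConvertTo-ReverseName '2001:db8::1'
```

Resolve-DnsName will also accept the bare IP address and do the inversion itself; building the name explicitly shows what is sent on the wire, which matters when a reverse zone is delegated on a non-octet boundary.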


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my business. I have looked into having a primary master server running in my server room and adding slave servers in the other areas. I then thought I could just set up a primary and a single slave server and run caching-only servers in the other areas. What are the pros and cons of these two options, or should I run a slave server in every location and still have a caching server with it? I just don't know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain, and I'm not sure that I have DNS set up properly. If the machine that is running the mail is the name of the domain, does there need to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www  CNAME 192.168.0.1
> mail CNAME 192.168.0.1
> pop  CNAME 192.168.0.1
> smtp CNAME 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for the zone we are authoritative for? The parent name server handles these already. Is there any problem if our own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is all this traffic happening on TCP? For example, if you have ACLs blocking UDP traffic but allowing TCP traffic, will the transfer work, or will it fail due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm very much wondering why there are only 13 root servers globally. Some documents explain that one of the reasons is a technical limit of the Domain Name System (without any detailed explanation). From my understanding, it seems that there is some limitation on the number of NS records in a DNS packet specified by certain RFCs, or is it just Internet policy stuff? Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the FIVE FSMO roles?

Schema Master - Forest level - One per forest

Domain Naming Master - Forest level - One per forest

PDC Emulator - Domain level - One per domain

RID Master - Domain level - One per domain

Infrastructure Master - Domain level - One per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.

- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.

- Account lockout is processed on the PDC emulator.

- Time synchronization for the domain.

- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object, such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes, moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming Master needs to be on a Global Catalog server. If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP - Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server: The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog server rule above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master - member of the Schema Admins group

Domain Naming Master - member of the Enterprise Admins group

PDC Emulator - member of the Domain Admins group and/or the Enterprise Admins group

RID Master - member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master - member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out which servers in your domain/forest hold which server roles

1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move, and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the support tools, you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type "netdom query fsmo" and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest" for syntax and switches.

Common uses:

- Get a list of all DCs in the domain

- Get the name of the PDC emulator

- Query or reset the secure channel for a server

- Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
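On current Windows versions the same information the GUI snap-ins, netdom and ntdsutil give can be read and changed with the ActiveDirectory PowerShell module. The script below is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module, the group memberships listed in Q7, and a placeholder target DC name. It lists all five role holders, applies the Infrastructure Master / Global Catalog placement rule from Q6 as a check, and shows the transfer and seize forms referenced in Q9.

```powershell
# Added example (not from the original document): list FSMO role holders,
# check Infrastructure Master placement, and transfer or seize a role.
# Assumes the ActiveDirectory module (RSAT); 'dc02.corp.example' is a placeholder.
Import-Module ActiveDirectory

# Forest-level and domain-level role holders (PowerShell equivalent of "netdom query fsmo")
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Placement rule from Q6: in a multi-domain forest the Infrastructure Master
# must not be a Global Catalog unless every DC in the domain is also a GC
# (then there are no phantom references left for it to update anyway).
$im    = Get-ADDomainController -Identity $domain.InfrastructureMaster
$dcs   = Get-ADDomainController -Filter *
$allGc = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($forest.Domains.Count -gt 1 -and $im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure Master $($im.HostName) is a GC; cross-domain references will not be updated."
}

# Transfer (graceful; the current holder is online and agrees to the move).
# RID Master and PDC Emulator are moved together, following the Q6 recommendation.
Move-ADDirectoryServerOperationMasterRole -Identity 'dc02.corp.example' `
    -OperationMasterRole RIDMaster, PDCEmulator

# Seize (the current holder is permanently gone): same cmdlet with -Force.
# A seized-from DC must never be brought back online, or the forest ends up
# with two holders of the role. Shown commented out because it is destructive.
# Move-ADDirectoryServerOperationMasterRole -Identity 'dc02.corp.example' `
#     -OperationMasterRole SchemaMaster -Force
```

The -OperationMasterRole parameter takes the same five role names the page lists (SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster), so one cmdlet covers what otherwise needs three different snap-ins.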


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name or another Site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default, only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default, only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU, while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies, you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.
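The LSDOU order and the within-container precedence described above can be read back from the directory rather than from the GUI. The script below is an added example (not from the original document); it assumes the RSAT GroupPolicy and ActiveDirectory modules and a placeholder computer name, and it covers the Domain and OU links only (local and Site policies are not enumerated by Get-GPInheritance).

```powershell
# Added example (not from the original document): list the GPOs linked to the
# domain and to each OU above a computer, in the order they are applied.
# Assumes the GroupPolicy and ActiveDirectory modules; 'PC01' is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity 'PC01'
$domainDn = (Get-ADDomain).DistinguishedName

# Build the OU chain top-down by stripping one RDN at a time from the
# computer's DN until only the domain DN is left. Non-OU containers
# (e.g. CN=Computers) carry no GPO links and are skipped.
$ouChain = @()
$dn = $computer.DistinguishedName -replace '^[^,]+,', ''   # drop the CN= leaf
while ($dn -ne $domainDn -and $dn -match ',') {
    if ($dn -like 'OU=*') { $ouChain = ,$dn + $ouChain }   # prepend: parent before child
    $dn = $dn -replace '^[^,]+,', ''
}

# Domain first, then each OU from the top down; a later container's settings
# win over an earlier one's unless a link above is Enforced.
foreach ($target in @($domainDn) + $ouChain) {
    $inh = Get-GPInheritance -Target $target
    "`n== $target  (block inheritance: $($inh.GpoInheritanceBlocked))"
    # Order 1 is the top of the list in the GUI, i.e. highest precedence and
    # applied last, so print in descending Order to show application sequence.
    $inh.GpoLinks |
        Sort-Object Order -Descending |
        Select-Object Order, DisplayName, Enabled, Enforced |
        Format-Table -AutoSize
}
```

Reading the Enforced and GpoInheritanceBlocked flags alongside the order is what makes this useful for troubleshooting: an Enforced link higher up reverses the "last applied wins" rule the text describes, and a blocked OU hides everything above it except Enforced links.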

Q6. How to disable Group Policy Objects

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and, under the Disable column, double click - a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do the group policy scripts run?

Startup scripts are processed at computer bootup and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When does the group policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min interval. So the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.

Q9. Which are the policies that do not get affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

- Folder Redirection

- Software Installation

- Logon, Logoff, Startup and Shutdown Scripts

Q9 How to refresh Group Policy using the command line

Secedit.exe is a command-line tool that can be used to refresh Group Policy on a Windows 2000 computer. To use it, open a command prompt and type:

secedit /refreshpolicy user_policy (refreshes the user policies)
secedit /refreshpolicy machine_policy (refreshes the machine, or computer, policies)

These commands only reapply user or computer policies that have changed since the last refresh. To force a reload of all Group Policy settings regardless of whether they changed, add the /enforce switch:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is the command-line tool that replaced secedit for refreshing Group Policy on Windows XP and later. To use it, open a command prompt and type:

gpupdate /target:user (refreshes the user policies)
gpupdate /target:computer (refreshes the machine, or computer, policies; note the target is named computer, not machine)

As with secedit, these commands only reapply policies that have changed since the last refresh. To force a reload of all Group Policy settings regardless of the last change, use:

gpupdate /force

Without /target, the /force switch applies to both user and computer policies; there is no separate enforce option per node as there is with secedit, although /force can be combined with /target:user or /target:computer.

Q10 What is the default setting for dial-up users

Windows 2000 treats any link slower than 500 Kbps as a slow link. When a user logs on to the domain over a link below that threshold, some policy areas are not applied.

Windows 2000 detects the speed of the dial-up connection automatically and decides which Group Policy areas to apply.

Q11 Which policies are applied regardless of the speed of the dial-up connection

Some policy areas are always applied regardless of the link speed. These are:

Administrative Templates (registry-based settings), Security Settings, EFS recovery policy, IPSec policy

Q12 Which policies are not applied over slow links

Internet Explorer Maintenance settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

Whether each of these areas is processed over a slow link, and the slow link threshold itself, can be changed under Computer Configuration and User Configuration, Administrative Templates, System, Group Policy.


If the user chooses Log on using dial-up connection at the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain through Network and Dial-up Connections after logging on, the policies are applied on the standard refresh cycle.

Q13 What are the two default policies

Two Group Policy Objects are created automatically when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO is found on the Group Policy tab of the domain and is the first policy listed. It is unique in that certain settings take effect only when applied at the domain level.

If you open this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

For domain accounts these three policies are effective only when set at the domain level; if you set them on a site or an OU they are ignored for domain logons. Setting them at the OU level does, however, configure the local account database of the computers in that OU, so they apply to users who log on to those computers with local accounts. Log on to the domain and you get the domain policy; log on locally and you get the OU policy.

Under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, three further settings behave in the same domain-level way in the Default Domain Policy:

Automatically log off users when logon time expires; Rename administrator account (when set at the domain level it affects the domain Administrator account only); Rename guest account (when set at the domain level it affects the domain Guest account only)

The Default Domain Policy should be used only for the settings listed above. If you want additional domain-level settings, create additional GPOs linked to the domain. Do not delete the Default Domain Policy; it can be disabled, but that is not recommended.

Default Domain Controllers Policy - this GPO is found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. Every domain controller is placed in the Domain Controllers OU when it is promoted, so the policy applies to all domain controllers in the domain. Leave domain controllers in that OU: a domain controller moved to another OU no longer receives this policy, and that is not a supported configuration.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.


Q14 How to restore the default Group Policy Objects

The following command recreates both the Default Domain Policy and the Default Domain Controllers Policy in their original installation state. Specify Domain or DC instead of Both to restore only one of them:

dcgpofix /target:Both

The command must be run on a domain controller in the domain whose GPOs you want to reset. Everything that was customised in those two GPOs is lost: dcgpofix does not restore a backup, it rebuilds the default settings, so back up the GPOs first if you may need the old settings. Other GPOs are not touched.

If you have changed the default GPOs and want to revert to the original settings, dcgpofix is the tool. dcgpofix expects a particular version of the Active Directory schema; if the version it expects differs from the one in Active Directory it will not restore the GPOs. You can work around this with the /ignoreschema switch, which restores the GPOs according to the version dcgpofix believes is current. You would normally only hit this if you install a service pack that extends the schema on one domain controller (dc1) but have not yet installed it on a second domain controller (dc2): running dcgpofix from dc2 then fails, because dc1 now holds a newer schema version and a newer dcgpofix.

Resolving GPOs from Multiple Sources

Because GPOs from several sources can apply to a single user or computer, there must be a defined way of combining them. GPOs are processed in the following order:

1 Local GPO. The local GPO on the computer is processed and all settings specified in it are applied.

2 Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override conflicting settings from the preceding level. If multiple GPOs are linked to a site, the administrator can control the order in which they are processed.

3 Domain GPOs. GPOs linked to the domain in which the computer resides are processed. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4 OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. An object can sit inside nested OUs; in that case GPOs linked to the highest-level OU in the hierarchy are processed first, followed by the next level down, and so on. If multiple GPOs are linked to a single


Q15 What are the two exceptions used to control inheritance of Group Policy

No Override - when you link a GPO to a container you can set the No Override option (called Enforced in the Group Policy Management Console), which prevents settings in that GPO from being overridden by GPOs linked to child containers. This is the way to force child containers to conform to a particular policy.

Block Inheritance - you can set the Block Inheritance option on a container to stop it inheriting GPO settings from its parent containers. However, if a parent container's link has No Override set, the child container cannot block that GPO; No Override always wins over Block Inheritance.

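The precedence rules above (bottom-to-top application within one container, the local-site-domain-OU order, No Override and Block Inheritance) can be modelled in a few lines. The following Python simulation is an added example, not code from the original page; the GPO names, the setting names and the container chain are constructed sample data, and the setting names are stand-ins rather than real policy identifiers.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict          # setting name -> value (constructed sample settings, not real policy names)
    enforced: bool = False  # "No Override" on the Windows 2000 Group Policy tab, "Enforced" in GPMC


@dataclass
class Container:
    """A site, domain or OU with its Group Policy tab: links[0] is the top of the list."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def resolve_policy(local_gpo, chain):
    """Resolve effective settings for an object under the LSDOU rules.

    local_gpo: the computer's local GPO (always processed first), or None.
    chain: containers from outermost to innermost, e.g. [site, domain, ou, child_ou].
    Returns (apply_order, effective): the GPO names in the order they are applied
    (the last writer of a setting wins) and a dict setting -> (value, winning GPO).
    """
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            # Block Inheritance drops everything inherited from parent containers,
            # but No Override / Enforced GPOs cannot be blocked and are kept.
            normal = []
        # Within one container the list is processed bottom to top,
        # so the link at the top of the list is applied last and wins conflicts.
        for gpo in reversed(container.links):
            (enforced if gpo.enforced else normal).append(gpo)
    # Enforced GPOs are applied after every non-enforced GPO. Among enforced GPOs the
    # one linked nearest the root is applied last, so a parent's enforced setting beats
    # a child's enforced setting.
    apply_order = ([local_gpo] if local_gpo else []) + normal + list(reversed(enforced))
    effective = {}
    for gpo in apply_order:
        for setting, value in gpo.settings.items():
            effective[setting] = (value, gpo.name)
    return [g.name for g in apply_order], effective


# Constructed sample mirroring the Human Resources OU example above: three links on the OU,
# a site-linked GPO, and an enforced domain GPO that conflicts with the OU.
LOCAL = GPO("Local GPO", {"logon_banner": "local text", "audit_logon": "none"})
SITE = Container("Default-First-Site-Name", [GPO("Site Banner", {"logon_banner": "site text"})])
DOMAIN = Container("contoso.com", [
    GPO("Domain Baseline", {"min_password_length": 8, "screensaver": "on"}, enforced=True),
])
HR_LINKS = [
    GPO("No ScreenSaver", {"screensaver": "off"}),                                   # top of the list
    GPO("No Display Settings", {"display_settings": "locked"}),
    GPO("No Windows Update", {"windows_update": "disabled", "screensaver": "on"}),   # bottom of the list
]


def hr_with_block():
    """Human Resources OU with Block Inheritance set: the site GPO is dropped, the enforced domain GPO is not."""
    hr = Container("Human Resources", HR_LINKS, block_inheritance=True)
    return resolve_policy(LOCAL, [SITE, DOMAIN, hr])


def hr_without_block():
    """Same OU without Block Inheritance: the site GPO is applied between the local GPO and the OU links."""
    hr = Container("Human Resources", HR_LINKS)
    return resolve_policy(LOCAL, [SITE, DOMAIN, hr])


if __name__ == "__main__":
    for label, (order, eff) in (("blocked", hr_with_block()), ("inherited", hr_without_block())):
        print(label, "apply order:", " -> ".join(order))
        for setting, (value, source) in sorted(eff.items()):
            print(f"  {setting} = {value!r}  (from {source})")
```

Running it shows the three OU links applied in the bottom-to-top order described for the Human Resources OU, the site GPO disappearing when Block Inheritance is set while the local GPO stays, and the enforced domain GPO overriding the OU's screensaver setting even though it sits above the OU in the hierarchy.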
Q16 How to redirect new user and computer accounts

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Although the built-in containers inherit GPOs linked to the domain, you may need new accounts to be created in an OU to which a GPO can be linked. Windows Server 2003 includes two new tools that redirect the default location for new accounts: redirusr.exe redirects user accounts and redircomp.exe redirects computer accounts. Once you choose the target OU, new user and computer accounts are created directly in it, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link a suitable GPO to it, and redirect new user accounts to that OU; any new user would immediately be affected by the GPO's settings, and administrators could move the accounts to a more appropriate location later. Both tools are in the %windir%\system32 folder of any computer running Windows Server 2003, and they require the domain functional level to be Windows Server 2003. You can learn more about them in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", at http://support.microsoft.com.

Q17 What permissions does an administrator need to manage GPOs

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires the appropriate permissions on the OU. Strictly, the right to edit a GPO is controlled by the access control list of the GPO itself, while the right to link a GPO is controlled by permissions on the site, domain or OU; both can be delegated separately.

Q18 What are the client requirements for supporting GPOs

For client computers to process Group Policy they must be members of an Active Directory domain. Support for Group Policy by operating system is as follows:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier do not support Group Policy. Windows 2000 Professional and Server support many, but not all, of the Group Policy settings available in Windows Server 2003; unsupported settings are ignored.


Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.

Note: a standard primary zone is not replicated through Active Directory; its data reaches other DNS servers only through zone transfers to secondary zones, where those are allowed. Windows Server 2003 also supports stub zones. A secondary or stub zone cannot be hosted on a DNS server that already hosts a primary zone for the same domain name.

Directory-integrated Zone

Zones stored this way are held in the Active Directory database under the domain container. Each directory-integrated zone is stored as a dnsZone container object named after the zone name you chose when creating it. Active Directory integrated zones are replicated to the other domain controllers in the domain along with the rest of the directory, and they allow secure dynamic updates, which standard zones do not.

Note: if DNS runs on a Windows 2000 server that is not a domain controller, it cannot host Active Directory integrated zones or replicate them with domain controllers, because Active Directory is not installed on it.

DNS Records

After you create a zone, resource records need to be added to it. The most common resource records (RRs) are:

Table 1 Record Types

Name                    Description
Host (A)                Maps a DNS domain name to the IP address used by a computer
Alias (CNAME)           Maps an alias DNS domain name to another, primary or canonical, name
Mail Exchanger (MX)     Maps a DNS domain name to the name of a computer that exchanges or forwards mail for it
Pointer (PTR)           Maps a reverse-lookup name derived from a computer's IP address to the forward DNS domain name of that computer
Service location (SRV)  Maps a DNS domain name to a list of hosts that offer a specific service, such as Active Directory domain controllers
Other resource records  As needed


Q1 What does the logical component of the Active Directory structure include

Objects - resources are stored in Active Directory as objects.

Sub-category: object class

An object is really just a collection of attributes. A user object, for example, is made up of attributes such as name, password, phone number, group membership and so on. The attributes that make up an object are defined by an object class; the user class, for example, specifies the attributes that make up a user object.

The Active Directory Schema -

The classes and the attributes they define are collectively referred to as the Active Directory Schema. In database terms a schema is the structure of the tables and fields and how they relate to one another. You can think of the Active Directory Schema as the set of definitions (object classes and attributes) that determines how the real data of the directory (the attribute values of each object) is organized and stored.

Domains

The basic organizational structure of the Windows Server 2003 networking model is the domain. A domain represents an administrative boundary: the computers, users and other objects within a domain share a common security database.

Trees

Multiple domains are organized into a hierarchical structure called a tree. Even if you have only one domain in your organization, you still have a tree. The first domain created in a tree is called the root domain; the next domain you add becomes a child domain of that root. This expandability makes it possible to have many domains in a tree. Figure 1-1 shows an example of a tree: microsoft.com was the first domain created in Active Directory in this example and is therefore the root domain.

Figure 1-1 A tree is a hierarchical organization of multiple domains. The figure shows microsoft.com as the root domain, with sales.microsoft.com and RND.microsoft.com as child domains and West.microsoft.com and East.microsoft.com further down the tree.

All domains in a tree share a common schema and a contiguous namespace. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. A single tree is fine if your organization is confined to a single DNS namespace. Organizations that use multiple DNS namespaces, however, need a model that can expand beyond the boundaries of a single tree. This is where the forest comes in.

Forest

A forest is a group of one or more domain trees that do not form a contiguous namespace but share a common schema and global catalog. There is always at least one forest on a network; it is created when the first Active Directory-enabled computer (domain controller) on the network is installed.

The first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest, and no other domain can ever be created above the forest root domain in the forest hierarchy.

Figure 1-2 shows an example of a forest with two trees. Each tree in the forest has its own namespace: microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com, after the first domain created.

Figure 1-2 Trees in a forest share the same schema but not the same namespace. The figure shows microsoft.com (root domain of the microsoft.com forest and tree) with sales.microsoft.com, RND.microsoft.com, West.microsoft.com and East.microsoft.com beneath it, and contoso.com (root domain of the contoso.com tree) with West.contoso.com and East.contoso.com beneath it.

A forest is the outermost boundary of Active Directory: the directory cannot be larger than the forest. You can, however, create multiple forests and then create trust relationships between specific domains in those forests; this lets you grant access to resources and accounts that are outside a particular forest.

Organizational Units

Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain.

OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for the departments within the organization.

Q2 What does the physical structure of active directory contain

Physical structures include domain controllers and sites.

Q3 What is nesting

The creation of an OU inside another OU.

IMP - once you go beyond about 12 levels of OU nesting you start running into significant performance issues, because Group Policy and permission evaluation have to walk every level of the hierarchy.

Q4 What is a trust relationship and how many types of trust relationship are there in Windows Server 2003

Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (the trusted domain) to access resources in another domain (the trusting domain).

Windows Server 2003 supports six types of trust relationship:

Parent and child trusts, Tree-root trusts, External trusts, Shortcut trusts, Realm trusts, Forest trusts


Q5 What is a site

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast here means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you will likely create one site for each LAN.

Q6 What is the use of site

Sites are primarily used to control replication traffic. Domain controllers within a site are free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and replicate on a defined schedule, both of which are intended to cut down on network traffic.

More specifically, sites are used to control the following:

Workstation logon traffic, Replication traffic, Distributed File System (DFS)

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy of folders and files that is consistent across the network regardless of where those items are actually stored. Files represented in DFS might be stored in multiple locations on the network, so it makes sense for Active Directory to direct users to the closest physical copy of the data they need. To this end DFS uses site information to direct a client to the server hosting the requested data within the client's own site. If DFS does not find a copy of the data within the same site as the client, it uses the site information in Active Directory to determine which file server holding the DFS shared data is closest to the client.

File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide the default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating the files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7 What are the objects a site contains

Sites contain only two types of object. The first type is the domain controllers contained in the site. The second type is the site links configured to connect the site to other sites.


Q8What is a Site link

Within a site, replication happens automatically. For replication to occur between sites you must establish a link between them. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used to transfer replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

Q9 Explain Replication in Active directory

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller, and the changes are replicated to the other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs. Because high-speed, low-cost connections are assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic flows over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location, and the two LANs are connected by a slow (256K) WAN link. You would want replication to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link so that it does not affect higher-priority network traffic. To address this you would set up two sites: one containing all the domain controllers on the main LAN and one containing all the domain controllers on the remote LAN.

Q10 What are the different types of replication

Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).

Intrasite replication sends replication traffic in an uncompressed format, on the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication is triggered by a change notification mechanism, so changes made in the domain are quickly replicated to the other domain controllers.

Intersite replication sends all data compressed. This reflects the fact that the traffic will probably cross slower WAN links (as opposed to the LAN connectivity that intrasite replication assumes), but it increases the server load because compression and decompression are added to the processing requirements. In addition, intersite replication can be scheduled for times that suit your organization; for example, you may decide to allow replication only during quieter times of the day. Of course, this scheduling delay can cause temporary inconsistency between domain controllers in different sites.

Q11 What is LDAP

LDAP, the Lightweight Directory Access Protocol, is an Internet protocol that e-mail and other programs use to look up information from a directory server.

An LDAP-aware directory service (such as Active Directory) indexes the attributes of the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12 What types of naming convention does Active Directory use

Active Directory supports several types of name for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies the object uniquely, but only within its parent container. That is, the name uniquely identifies the object relative to the other objects in the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn, and the relative distinguished name of its parent container is CN=Users. For most objects the relative distinguished name is the same as the object's Common Name attribute. Active Directory creates the relative distinguished name automatically from the information supplied when the object is created, and it does not allow two objects with the same relative distinguished name to exist in the same parent container.

The components of a relative distinguished name (and of the distinguished name discussed in the next section) are labelled with LDAP attribute tags that identify each part of the name. The three tags used are:

DC - the Domain Component tag identifies part of the DNS name of the domain, such as contoso or com
OU - the Organizational Unit tag identifies an organizational unit container
CN - the Common Name tag identifies the common name configured for an Active Directory object (built-in containers such as Users are also CN objects, not OUs)

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the object hierarchy. You can think of the distinguished name as the object's relative distinguished name concatenated with the relative distinguished names of all the parent containers that make up the path to the object.

A typical distinguished name would be:

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name indicates that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container its DN changes to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, much as a fully qualified domain name uniquely identifies a host's position in a DNS hierarchy; you cannot have two objects with the same distinguished name.

User Principal Names

The user principal name (UPN) generated for each user object has the form username@domain_name. Users can log on with their user principal name, and an administrator can define additional UPN suffixes if desired. User principal names should be unique, but Active Directory does not enforce this requirement at the directory level, so it is best to adopt a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The distinguished name presented in the preceding section would have the canonical name

contoso.com/Users/wjglenn

As you can see, there are two primary differences between the syntax of distinguished names and canonical names. First, the canonical name presents the root of the path first and works downward toward the object name. Second, the canonical name does not use the LDAP attribute tags (e.g. CN and DC).

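A small parser makes the relationship between the three name forms above concrete. The following Python code is an added example, not part of the original page or of any Microsoft tool: it splits a DN into its RDNs while honouring the backslash escapes that LDAP uses for commas inside values (RFC 4514), extracts the RDN and parent DN, and converts the DN to canonical form. The DNs used are constructed from the page's wjglenn example plus one made-up name containing an escaped comma.

```python
def split_dn(dn):
    """Split an LDAP distinguished name into its RDN strings, object first.

    Commas inside a value are escaped with a backslash (RFC 4514), so a naive
    dn.split(",") would break a name such as CN=Glenn\\, Walter,OU=Sales,...
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def unescape(value):
    """Remove RFC 4514 backslash escapes from an attribute value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_dn(dn):
    """Return [(tag, value), ...] from the object's own RDN outward, e.g. [("CN", "wjglenn"), ...]."""
    parsed = []
    for rdn_text in split_dn(dn):
        tag, sep, value = rdn_text.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn_text!r}")
        parsed.append((tag.strip().upper(), unescape(value.strip())))
    return parsed


def rdn(dn):
    """The relative distinguished name: the first component of the DN."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The DN of the container holding the object."""
    return ",".join(split_dn(dn)[1:])


def canonical_name(dn):
    """Convert a DN to canonical form: dotted DNS domain, then the path root-first, '/'-separated."""
    parts = parse_dn(dn)
    # DC components are already in DNS order when read object-first (contoso, com).
    domain = ".".join(value for tag, value in parts if tag == "DC")
    # Everything else is reversed so the path runs from the root down to the object;
    # a '/' inside a value is escaped because '/' is the separator in canonical form.
    path = [value.replace("/", "\\/") for tag, value in reversed(parts) if tag != "DC"]
    return "/".join([domain] + path)


if __name__ == "__main__":
    for sample in ("CN=wjglenn,CN=Users,DC=contoso,DC=com",
                   "CN=Glenn\\, Walter,OU=Sales,DC=contoso,DC=com"):
        print(sample)
        print("  RDN:      ", rdn(sample))
        print("  parent:   ", parent_dn(sample))
        print("  canonical:", canonical_name(sample))
```

The escape handling is the part worth noticing: tooling that builds ACL entries or search filters from display names by splitting on commas will silently misparse any object whose common name contains one (surname-first names are the usual case).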
Q13 What is multimaster replication

Active Directory uses multimaster replication, in which every replica of an Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to the other domain controllers.

Q14Which two operations master roles should be available when new security principals are being created and named

Domain naming master and the relative ID master


Q15 What are different types of groups

Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed in a group inherit the permissions assigned to the group for as long as they remain members. Windows itself uses only security groups.

Distribution groups are used for non-security purposes by applications other than Windows. One of their primary uses is in e-mail applications.

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control access to resources on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16 What is a group scope and what are the different types of group scopes

Group scope determines where in the Active Directory forest a group can be used and what can be placed into the group. Windows Server 2003 has three group scopes: global, domain local and universal.

Global groups are used to gather users with similar permission requirements. Global groups have the following characteristics:

1 Global groups can contain user and computer accounts only from the domain in which the group is created.
2 When the domain functional level is Windows 2000 native or Windows Server 2003 (i.e. the domain contains only Windows 2000 or 2003 domain controllers), global groups can also contain other global groups from the same domain.
3 Global groups can be assigned permissions, or be added to domain local or local groups, in any domain in the forest.

Domain local groups exist on domain controllers and are used to control access to resources in the local domain (for member servers and workstations you use local groups on those systems instead). Domain local groups share the following characteristics:

1 Domain local groups can contain users and global groups from any domain in the forest, regardless of functional level.
2 When the domain functional level is Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups from the same domain, and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1 Universal security groups are available only when the domain functional level is Windows 2000 native or Windows Server 2003 (universal distribution groups are available at any level).
2 Universal groups exist outside the boundaries of any particular domain; their membership is stored in the global catalog.
3 Universal groups are used to assign permissions to related resources in multiple domains.
4 Universal groups can contain users, global groups and other universal groups from any domain in the forest.
5 You can grant permissions for a universal group to any resource in any domain.

Q17 What are the items that groups of different scopes can contain in mixed and native mode domains

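The membership rules listed under Q16, and the mixed-versus-native comparison asked for in Q17, can be written as one decision function. The following Python code is an added example, not from the original page: it encodes which account and group kinds each scope may contain at Windows 2000 mixed and at native (Windows 2000 native or Windows Server 2003) domain functional level, and checks a list of proposed memberships against those rules. The domain names and memberships are constructed sample data.

```python
# Functional level "mixed" = Windows 2000 mixed; "native" = Windows 2000 native or Windows Server 2003.
NATIVE_LEVELS = {"native"}

# member kinds: "user" (user or computer account), "global", "domain_local", "universal"
SCOPES = ("global", "domain_local", "universal")


def can_be_member(group_scope, group_domain, member_kind, member_domain, functional_level):
    """Decide whether an account or group may be added to a group of the given scope.

    Returns (allowed, reason). group_domain and member_domain are the DNS names of the
    domains holding the group and the prospective member.
    """
    native = functional_level in NATIVE_LEVELS
    same_domain = group_domain == member_domain
    if group_scope == "universal" and not native:
        return False, "universal security groups require native domain functional level"
    if group_scope == "global":
        if member_kind == "user":
            return same_domain, "global groups hold accounts from their own domain only"
        if member_kind == "global":
            return same_domain and native, "global groups nest only same-domain global groups, and only at native level"
        if member_kind in ("domain_local", "universal"):
            return False, "global groups cannot contain domain local or universal groups"
    elif group_scope == "domain_local":
        if member_kind in ("user", "global"):
            return True, "domain local groups accept users and global groups from any domain in the forest"
        if member_kind == "domain_local":
            return same_domain and native, "domain local groups nest only same-domain domain local groups, and only at native level"
        if member_kind == "universal":
            return native, "domain local groups accept universal groups only at native level"
    elif group_scope == "universal":
        if member_kind in ("user", "global", "universal"):
            return True, "universal groups accept users, global groups and universal groups from any domain"
        if member_kind == "domain_local":
            return False, "universal groups cannot contain domain local groups"
    raise ValueError(f"unknown scope or member kind: {group_scope!r}, {member_kind!r}")


def validate_memberships(memberships, functional_level):
    """Return the subset of proposed memberships that the scope rules reject.

    memberships: iterable of (group_name, group_scope, group_domain, member_name, member_kind, member_domain).
    """
    rejected = []
    for group, scope, gdom, member, kind, mdom in memberships:
        allowed, reason = can_be_member(scope, gdom, kind, mdom, functional_level)
        if not allowed:
            rejected.append((group, member, reason))
    return rejected


# Constructed sample: an AGDLP-style layout across a forest root and a child domain.
SAMPLE = [
    ("Sales Staff",      "global",       "contoso.com",       "alice",         "user",   "contoso.com"),
    ("Sales Staff",      "global",       "contoso.com",       "bob",           "user",   "sales.contoso.com"),
    ("Sales Staff",      "global",       "contoso.com",       "Sales Leads",   "global", "contoso.com"),
    ("Share Readers",    "domain_local", "contoso.com",       "Sales Staff",   "global", "sales.contoso.com"),
    ("Share Readers",    "domain_local", "contoso.com",       "All Sales",     "universal", "contoso.com"),
    ("All Sales",        "universal",    "contoso.com",       "Sales Staff",   "global", "sales.contoso.com"),
]

if __name__ == "__main__":
    for level in ("mixed", "native"):
        print(f"functional level {level}:")
        for group, member, reason in validate_memberships(SAMPLE, level):
            print(f"  reject {member!r} in {group!r}: {reason}")
```

Run at both levels, the sample shows the three things that change when a domain is raised from mixed to native: global groups may nest global groups, domain local groups may contain universal (and same-domain domain local) groups, and universal security groups become usable at all. The cross-domain user in a global group is rejected at either level.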
Q18 What is group nesting

Placing one group inside another is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas Junior Admins), then create a single group named Junior Admins and make each of the location-based groups a member of it. This lets you set permissions on a single group and have them flow down to the members, while still being able to subdivide the junior administrators by location.

Q19 How many characters can a group name contain

64

Q20 Is site part of the Active Directory namespace

NO - When a user browses the logical namespace computers and users are grouped into domains and OUs without reference to sites However site names are used in the Domain Name System (DNS) records so sites must be given valid DNS names


Q21 What is DFS?

The Distributed File System (DFS) is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to remember a specific machine name for each set of files, the user only has to remember one name, which is the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS can route a client to the closest available file server by using Active Directory site information. It can also be installed on a cluster for better availability.

Understanding the DFS terminology. It is important to understand the concepts that are part of DFS; each is defined below.

DFS root: think of this as a share that is visible on the network; within it you can have additional files and folders.

DFS link: a link is a name under the root that refers to another share somewhere on the network. When a user opens the link they are transparently redirected to that shared folder.

DFS target (or replica): a target can belong to either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as targets under the same link.

Figure 1: The folder structure the user sees when using DFS with load balancing.

Windows Server 2003 offers a revamped version of the Distributed File System found in Windows 2000, with better performance, additional fault tolerance and load balancing, and reduced use of network bandwidth. It also comes with a set of command-line scripting tools that make administrative, backup and restoration tasks for DFS namespaces easier. Windows client operating systems include a DFS client that provides additional features as well as caching.


Q22 What are the types of replication in DFS?

There are two: automatic replication, which is only available for domain-based DFS (on Windows 2000 and Windows Server 2003 it is performed by the File Replication Service), and manual replication, which is all that is available for stand-alone DFS, where the administrator must copy the files between targets.

Q23 Which service is responsible for replicating the files in the SYSVOL folder?

The File Replication Service (FRS). (From Windows Server 2008 on, SYSVOL replication can be migrated to DFS Replication, DFS-R.)

Q24 What does a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) who oversee the site topology. The owner is responsible for making any necessary changes to the sites as the physical network grows and changes. The site topology owner's responsibilities include:

• Making changes to the site topology based on changes to the physical network topology.
• Tracking subnetting information for the network, including IP addresses, subnet masks and the locations of the subnets.
• Monitoring network connectivity and setting the costs for links between sites.

Q1 What is DNS?

DNS provides name registration and name-to-address resolution, and it drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, mapping friendly host or computer names to IP addresses was handled with host files. Host files are easy to understand: they are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in \winnt\system32\drivers\etc (%SystemRoot%\system32\drivers\etc).

The fundamental problem with host files was that they were labor intensive: a host file is modified by hand, and it was typically administered centrally and then copied to every host.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.


Q2 What are the four generally accepted naming conventions?

NetBIOS name (for instance SPRINGERS01)

TCP/IP address (121133244)

Host name (Abbey)

Media Access Control (MAC) address: the network adapter hardware address

Q3 How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a database of domain names mapped to IP addresses. The DNS client, known as the resolver, sends queries to the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the name www.idgbooks.com typed into Internet Explorer is sent to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server cannot answer from its own zones or its cache, it queries other name servers on the resolver's behalf (a recursive query) so that the resolver receives a final answer.

Step 3: If nothing closer is cached, the local name server starts at the top of the DNS tree with the root name servers. They refer it to the servers for the far-right label (for instance com), which in turn refer it to the servers for idgbooks.com, and so on, until the name is resolved or found not to exist.


The steps are illustrated in the chart below.

Figure 8-5: How DNS works

Q4 What are the major records in DNS?

1. Host or Address Records (A) map the name of a machine to its numeric IP address. In clearer terms, the record states the hostname and IP address of a certain machine. It has three fields: host name, domain, and host IP address.

Eg: eric.foobarbaz.com.  IN  A  36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same except for the IP address.


2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical, or official, name of the machine, and other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com.  IN  CNAME  eric.foobarbaz.com.

You can see the similarities to the previous record. Records always read from left to right, with the subject being queried on the left and the answer to the query on the right. A machine can have any number of CNAME aliases pointing at it, and a new record must be entered for each alias; a given alias name, however, may carry only one CNAME record and no other record types.

For load balancing, do not use CNAMEs: add several A records for the service name, one per machine, and the name server hands them out in rotating (round-robin) order.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it reduces the load on your internal hosts, since they do not have to route incoming mail, and it allows mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email addresses to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com.  IN  MX  10  eric.foobarbaz.com.

The column on the far left is the domain you want to use in Internet email addresses. The next two entries have been explained in the previous records. The next column, the number "10", differs from the other record formats: it is a preference value. Larger systems often have backup mail servers, perhaps more than one, and you only want the backups receiving mail if something goes wrong with the primary. MX records express this: a lower number means a higher priority, and mail is sent to the server with the lowest number (the lowest possible being 0). If that server becomes unreachable, the delivering mailer tries every other server listed, in order of preference.

You can have as many MX records as you like. It is also a good idea to include an MX record even if mail is delivered directly to a machine with an A record, because some mailers only look for MX records.

It is also possible to use wildcards in MX records. If you have a domain where your users each have their own machine running a mail client, mail could be sent directly to each machine. Rather than clutter your zone with a record per workstation, you can add a wildcard MX record like this one:

*.foobarbaz.com.  IN  MX  10  eric.foobarbaz.com.

This makes mail sent to any individual workstation name in the foobarbaz.com domain go through the server eric.foobarbaz.com.

Use caution with wildcards: a specific record always takes precedence over one containing a wildcard, and a wildcard only matches names that do not otherwise exist in the zone, so a workstation that already has its own A record is not covered by the wildcard MX.
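As an added example (this code is not from the original text), a small Python model of how a mailer picks exchangers from MX data like the records above. The zone fragment is constructed for the fictitious foobarbaz.com: it has the ordinary MX pair, the wildcard, a more specific MX for one workstation, and a host that has only an A record. lookup_mx() applies the precedence rule just stated (an existing name is never covered by the wildcard) and orders the exchangers by preference; the function names are this example's own.

```python
from collections import defaultdict

# Constructed zone fragment for the fictitious foobarbaz.com used in the examples above.
ZONE = """
foobarbaz.com.        IN  MX  10  eric.foobarbaz.com.
foobarbaz.com.        IN  MX  20  backup.foobarbaz.com.
*.foobarbaz.com.      IN  MX  10  eric.foobarbaz.com.
ws17.foobarbaz.com.   IN  MX  5   ws17.foobarbaz.com.
ws17.foobarbaz.com.   IN  A       36.36.1.17
eric.foobarbaz.com.   IN  A       36.36.1.6
"""


def parse_zone(zone_text: str):
    """Return (set of owner names, {owner: [(preference, exchange), ...]}) for a zone."""
    owners, mx = set(), defaultdict(list)
    for line in zone_text.strip().splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN":
            continue                                  # not a record line in this toy format
        owner = fields[0].lower()
        owners.add(owner)
        if fields[2] == "MX":
            preference = int(fields[3])
            if not 0 <= preference <= 65535:          # the field is an unsigned 16-bit number
                raise ValueError(f"MX preference out of range for {owner}")
            mx[owner].append((preference, fields[4].lower()))
    return owners, mx


def lookup_mx(owners, mx, name: str):
    """Exchangers for `name`, lowest preference first.
    A name that exists in the zone is never matched by a wildcard, even if it has no MX;
    an empty result means the mailer falls back to the name's A record."""
    name = name.lower().rstrip(".") + "."
    if name in owners:
        records = mx.get(name, [])
    else:
        records = []
        labels = name.split(".")
        for i in range(1, len(labels) - 1):
            ancestor = ".".join(labels[i:])           # closest existing ancestor (closest encloser)
            if ancestor in owners:
                records = mx.get("*." + ancestor, [])
                break
    return [exchange for _, exchange in sorted(records)]


if __name__ == "__main__":
    owners, mx = parse_zone(ZONE)
    for q in ("foobarbaz.com", "ws42.foobarbaz.com", "ws17.foobarbaz.com", "eric.foobarbaz.com"):
        print(q, "->", lookup_mx(owners, mx, q))
```

ws42.foobarbaz.com has no records of its own, so the wildcard applies; ws17 has its own MX and keeps it; eric exists with only an A record, so the wildcard does not apply and the mailer would deliver to the A address.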

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will explain only the most frequently used method, the "in-addr.arpa" domain.

In-addr.arpa PTR records are the inverse of A records: they allow your machine to be found by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is increasingly common for a server to do a reverse lookup on your machine before allowing you to access a service (such as a web page or a mail relay). Be clear about what this does and does not prove. The PTR record is controlled by whoever holds the address block, so a bare reverse lookup only shows what the address owner claims. The usual check is forward-confirmed reverse DNS: look up the PTR, then look up the A record for the name it returns and require it to contain the original address. Even then this identifies the address, not the user, and it should be treated as a hint rather than as authentication. In-addr.arpa records look like this:

6.1.36.36.in-addr.arpa.  IN  PTR  eric.foobarbaz.com.

As you can see from the A record example at the beginning of this document, the record simply has the octets of the IP address in reverse order, followed by in-addr.arpa, with the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.
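An added example, not part of the original, of the forward-confirmed check described above. The A and PTR data are constructed for the fictitious foobarbaz.com (including one PTR that points at eric without a matching A record, the situation a bare reverse lookup would get wrong). reverse_name() builds the in-addr.arpa or ip6.arpa owner name from an address with Python's ipaddress module, and forward_confirmed() accepts a PTR only when the name it returns has an A record containing the original address; both function names are this example's own.

```python
import ipaddress

# Constructed forward and reverse data for the fictitious foobarbaz.com of the examples above.
A_RECORDS = {
    "eric.foobarbaz.com.": {"36.36.1.6"},
    "draven.foobarbaz.com.": {"36.36.1.7"},
}
PTR_RECORDS = {
    "6.1.36.36.in-addr.arpa.": "eric.foobarbaz.com.",
    # Whoever controls the reverse zone for 36.36.1.0/24 can write any name here; this one lies.
    "8.1.36.36.in-addr.arpa.": "eric.foobarbaz.com.",
}


def reverse_name(ip: str) -> str:
    """The in-addr.arpa (IPv4) or ip6.arpa (IPv6) owner name whose PTR names the host."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def forward_confirmed(ip: str, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Forward-confirmed reverse DNS: accept the PTR name only if its A record points back.
    Returns (name_or_None, verdict). A bare PTR match is not an identity check."""
    host = ptr_records.get(reverse_name(ip))
    if host is None:
        return None, "no PTR record"
    if ip in a_records.get(host, set()):
        return host, "forward-confirmed"
    return host, "PTR not confirmed by forward lookup"


if __name__ == "__main__":
    for ip in ("36.36.1.6", "36.36.1.8", "36.36.1.9"):
        print(ip, reverse_name(ip), forward_confirmed(ip))
```

In a real check the two dictionaries are replaced by PTR and A/AAAA queries; the logic stays the same, and a server that only performs the first lookup is trusting whoever administers the reverse zone.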

5. Name Server Records (NS)

NS records are essential to a functioning DNS zone. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every zone. NS records look like this:

foobarbaz.com.  IN  NS  draven.foobarbaz.com.

There must also be an A record in your zone for each machine you list as a name server whose name lies inside the domain; this is the "glue" that lets a referral from the parent be followed.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a zone. It conveys more information than all the other records combined. It is called the start of authority because it marks this zone data as the official source of information for its domain. Here is an example of an SOA record; each part of it is explained afterwards.

foobarbaz.com.  IN  SOA  draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                         1996111901   ; Serial
                         10800        ; Refresh
                         3600         ; Retry
                         3600000      ; Expire
                         86400 )      ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com." entry is the primary name server for the domain. The last entry on this row is actually an email address: substitute "@" for the first "." and it reads hostmaster@foobarbaz.com. There should always be a working contact address in the SOA record.

The next entries are a little different from what we have seen so far. The serial number records how often this zone has been updated. Every time a change is made, the serial number must be incremented: secondary name servers that pull the zone from the primary only transfer it if the serial number on the primary is higher than the serial number on their own copy (compared with serial arithmetic, so the 32-bit value can wrap). This is how the name servers for a domain keep themselves up to date, and it is also why forgetting to bump the serial means the secondaries never see your change, including a record you deleted. A recommended format for the serial number is YYYYMMDDNN, as shown above, where NN is the number of times the zone was changed that day.

Also a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the remaining numbers in the record are measured in seconds. "Refresh" is how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary should wait before trying again if a refresh attempt fails. "Expire" is how long a secondary may keep serving its current copy of the zone while it is unable to reach the primary for a refresh; after that it stops answering for the zone. "Minimum" was originally the default time other name servers should cache records from this zone; since RFC 2308 it is the negative-caching TTL (how long a "no such name" answer may be cached), and the default TTL for records is set with the $TTL directive instead.

There can be only one SOA record per zone. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
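An added worked example (this code is not from the page) of the serial and timer logic above, in Python: next_serial() implements the YYYYMMDDNN scheme, serial_is_newer() is the RFC 1982 comparison that lets a 32-bit serial wrap, and secondary_action() is what a secondary decides at a refresh check using the timer values of the sample SOA. The function names are this example's own.

```python
from datetime import date

MOD = 2 ** 32      # SOA serials are 32-bit unsigned integers

# The timer values of the sample SOA record above.
SAMPLE_SOA = {"serial": 1996111901, "refresh": 10800, "retry": 3600,
              "expire": 3600000, "minimum": 86400}


def next_serial(current: int, yyyymmdd: int) -> int:
    """YYYYMMDDNN scheme: the first edit on a new day is ...01, later edits bump NN."""
    base = yyyymmdd * 100
    if current < base:
        return base + 1
    if current >= base + 99:
        raise ValueError("99 edits today already: switch to a plain counter")
    return current + 1


def serial_is_newer(candidate: int, have: int) -> bool:
    """RFC 1982 serial arithmetic: compare modulo 2**32 so a wrapped serial still counts as newer."""
    diff = (candidate - have) % MOD
    return 0 < diff < MOD // 2


def secondary_action(have_serial: int, primary_serial, since_last_refresh: int,
                     soa=SAMPLE_SOA) -> str:
    """What a secondary decides at a refresh check.
    primary_serial is None when the primary could not be reached;
    since_last_refresh is the time in seconds since the last successful refresh."""
    if primary_serial is None:
        if since_last_refresh >= soa["expire"]:
            return "expire"            # stop answering authoritatively for the zone
        return "retry"                 # try again after the retry interval (3600 s here)
    if serial_is_newer(primary_serial, have_serial):
        return "transfer"              # pull the zone (AXFR/IXFR)
    return "up-to-date"                # check again after the refresh interval (10800 s here)


if __name__ == "__main__":
    today = int(date.today().strftime("%Y%m%d"))
    print("next serial:", next_serial(SAMPLE_SOA["serial"], today))
    print(secondary_action(1996111901, 1996111902, 10800))    # transfer
    print(secondary_action(1996111901, None, 3600000))        # expire
```

The expire branch is the one operators forget: with the sample values a secondary keeps answering from stale data for 3600000 seconds (over 41 days) after the primary disappears, which is a long time for a record you thought you had removed.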

Quick summary of the major records in DNS

Record type          Definition
Host (A)             Maps a host name to an IP address in a DNS zone. Fields: domain, host name, host IP address.
Alias (CNAME)        Canonical name record that creates an alias for a host name; typically used to hide implementation details from clients. Fields: domain, alias name, canonical host DNS name.
Name server (NS)     Identifies the DNS name servers for the DNS domain. NS records appear in all forward and reverse zones. Fields: domain, name server DNS name.
Pointer (PTR)        Maps an IP address to a host name in a DNS reverse zone. Fields: IP address, host DNS name.
Mail exchange (MX)   Specifies a mail exchange server for a DNS domain name. Fields: domain, host name (optional), mail exchange server DNS name, preference number.

Note that the term "exchange" in MX does not refer to Microsoft Exchange, the BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Service (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Q5 What is a DNS zone?

A zone is a contiguous section of the DNS namespace whose records are stored and managed together. Often subdomains are split into separate zones to make them easier to manage. For example, support.microsoft.com and msdn.microsoft.com can be separate zones, where support and msdn are subdomains of the microsoft.com domain.

Q6 Name the two types of zone in DNS

DNS servers can hold primary and secondary zones. A primary zone is the copy of a zone where updates can be made; a secondary zone is a read-only copy obtained from a primary by zone transfer. For fault tolerance and load balancing, a domain usually has several DNS servers that answer requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7 How many SOA records does each zone contain?

Each zone has exactly one SOA record. It holds miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings and a serial number (incremented with every update).

Q8 Short summary of the records in DNS

NS records point to the authoritative DNS servers for a zone. The PTR record is used for reverse lookups (IP to name). CNAME records give a host additional names. MX records are used when configuring a domain for email.

Q9 What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process that replicates other directory data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Loading DNS server duties onto your domain controllers may not be something you want to do if you plan to serve a large volume of DNS requests.

Q10 What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11 What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12 How does resolution through a stub zone take place?

When a DNS client performs a recursive query on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. It sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records from its cache. If the DNS server cannot reach the authoritative DNS servers listed in its stub zone, it falls back to standard recursion using its root hints.

The DNS server stores the resource records it receives from the authoritative DNS servers listed in the stub zone in its cache, but it does not store them in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The records in the cache expire according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to the cache, expire according to the expire interval in the stub zone's SOA record, which is created when the stub zone is created and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.
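As an added example (not part of the page), the resolution walk from the DNS steps in Q3 above and the stub-zone behaviour in Q12 in one small Python simulation. The authoritative servers, their addresses (RFC 5737 documentation ranges), the root hints and the stub zone for a separate namespace partner.example, which the toy root knows nothing about, are all constructed. resolve() chases referrals from the root hints, or starts at the stub zone's NS and glue when the name falls under it; the trace shows which servers were asked. The function names are this example's own, and the stub zone's SOA is left out of the toy.

```python
# Toy authoritative servers keyed by address (documentation addresses; all constructed).
SERVERS = {
    "192.0.2.1": {       # a root server: in this toy it knows only the com delegation
        "zone": ".", "A": {},
        "delegations": {"com.": {"a.gtld-servers.net.": "192.0.2.2"}},
    },
    "192.0.2.2": {       # a com server: knows the idgbooks.com delegation
        "zone": "com.", "A": {},
        "delegations": {"idgbooks.com.": {"ns1.idgbooks.com.": "192.0.2.3"}},
    },
    "192.0.2.3": {       # authoritative for idgbooks.com
        "zone": "idgbooks.com.", "delegations": {},
        "A": {"www.idgbooks.com.": "192.0.2.80"},
    },
    "198.51.100.53": {   # the merged company's namespace, not delegated from this toy root
        "zone": "partner.example.", "delegations": {},
        "A": {"mail.partner.example.": "198.51.100.25"},
    },
}
ROOT_HINTS = {"a.root-servers.net.": "192.0.2.1"}
# A stub zone holds the NS names plus their glue addresses (SOA omitted in this toy).
STUB_ZONES = {"partner.example.": {"ns1.partner.example.": "198.51.100.53"}}


def in_zone(qname: str, zone: str) -> bool:
    return zone == "." or qname == zone or qname.endswith("." + zone)


def ask(server_ip: str, qname: str):
    """One iterative query. Returns ("answer", ip), ("referral", {ns: ip}) or ("nxdomain", None)."""
    data = SERVERS[server_ip]
    if qname in data["A"]:
        return "answer", data["A"][qname]
    for child in sorted(data["delegations"], key=len, reverse=True):
        if in_zone(qname, child):                 # refer to the most specific delegation
            return "referral", data["delegations"][child]
    return "nxdomain", None


def resolve(qname: str, stub_zones=None, trace=None):
    """Iterate from the root hints, or from a stub zone's servers when the name is under one."""
    qname = qname.lower().rstrip(".") + "."
    servers = dict(ROOT_HINTS)
    for zone, ns in (stub_zones or {}).items():
        if in_zone(qname, zone):
            servers = dict(ns)                    # the stub zone replaces the walk from the root
            break
    for _ in range(8):                            # bound the referral chase
        ns_name, ip = next(iter(servers.items()))
        kind, payload = ask(ip, qname)
        if trace is not None:
            trace.append((ns_name, kind))
        if kind == "answer":
            return payload
        if kind == "nxdomain":
            return None
        servers = payload
    raise RuntimeError("too many referrals")


if __name__ == "__main__":
    t = []
    print(resolve("www.idgbooks.com", trace=t), t)
    t = []
    print(resolve("mail.partner.example", stub_zones=STUB_ZONES, trace=t), t)
    t = []
    print(resolve("mail.partner.example", trace=t), t)     # without the stub zone: no answer
```

The third call is the merger case from Q10: with no stub zone the server walks from the root, which has no delegation for the partner namespace, and the name simply does not resolve.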

Q13 What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In the standard zone storage model, DNS updates follow a single-master update model: a single authoritative DNS server for a zone is designated as the primary source for the zone and maintains the master copy of the zone in a local file. With this model the primary server is a single fixed point of failure: if it is not available, update requests from DNS clients for the zone are not processed.

With directory-integrated storage, dynamic updates to DNS follow a multimaster update model. Any authoritative DNS server, such as a domain controller running the DNS server, is a primary source for the zone. Because the master copy of the zone is held in the Active Directory database, which is replicated to all domain controllers, the zone can be updated by the DNS server on any domain controller for the domain, so update requests from DNS clients are processed as long as one domain controller is available and reachable on the network.

Also, with directory-integrated zones you can edit the access control list (ACL) on a dnsZone object in the directory to secure it. This gives granular access control over either the zone or a specified resource record in the zone. For example, the ACL on a zone or record can be restricted so that dynamic updates are only allowed from a specified client computer or a security group such as Domain Admins. This feature is not available with standard primary zones.

Note that when you change the zone type to directory-integrated, the default for updating the zone changes to allow only secure updates. The ACLs on these directory objects govern who may create and modify records through dynamic update; they do not restrict who may query the zone. Note also that by default authenticated users (which includes every domain-joined computer account) may create new records in the zone, so secure dynamic update stops one client from overwriting another client's record, but not from registering a new name of its own choosing; restrict the ACL if that matters for your environment.

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication is performed per attribute, only relevant changes are propagated, so less data is sent in updates for directory-stored zones.

Note: only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14 What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they have not been refreshed after a period of time. Normally this applies only to records added via dynamic DNS, which carry a timestamp; manually added (static) records have no timestamp and are not scavenged unless you deliberately give them one (for example with dnscmd /ageallrecords). Scavenging is a recommended practice so that your zones are automatically kept clean of stale records. The trade-off is that an aggressive setting can delete the record of a live host that simply failed to refresh in time, so keep the no-refresh plus refresh interval comfortably longer than the DHCP lease time.

Q15 What is the default interval at which the DNS server kicks off the scavenging process?

The default scavenging period is 168 hours, which is 7 days. (The no-refresh and refresh intervals that determine when a record counts as stale also default to 7 days each.)
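As an added example, not from the original, the aging rules that scavenging depends on, modelled in Python with the 7-day no-refresh and refresh intervals: a refresh inside the no-refresh window leaves the timestamp alone, a record becomes stale once both windows have passed, and static records (no timestamp) are only scavenged after they have deliberately been given one. The record names and the reference time are constructed; the function names are this example's own.

```python
from datetime import datetime, timedelta
from typing import Optional

HOUR = timedelta(hours=1)
NO_REFRESH_INTERVAL = 168 * HOUR   # default: 7 days
REFRESH_INTERVAL = 168 * HOUR      # default: 7 days
SCAVENGING_PERIOD = 168 * HOUR     # how often a scavenging pass runs (default: 7 days)

EXAMPLE_NOW = datetime(2004, 3, 1, 12, 0)   # constructed reference time


def sample_zone(now: datetime) -> dict:
    """Constructed zone: name -> timestamp of the last accepted refresh; None marks a static record."""
    return {
        "ws1.corp.example.": now - 20 * 24 * HOUR,   # dynamic, last refreshed 20 days ago
        "ws2.corp.example.": now - 10 * 24 * HOUR,   # dynamic, last refreshed 10 days ago
        "ws3.corp.example.": now - 3 * 24 * HOUR,    # dynamic, last refreshed 3 days ago
        "dc1.corp.example.": None,                   # static (manually created)
    }


def accept_refresh(timestamp: Optional[datetime], now: datetime) -> Optional[datetime]:
    """Timestamp after a dynamic refresh at `now`.
    Inside the no-refresh interval the timestamp is left alone, which is what keeps an
    AD-integrated zone from replicating a timestamp change on every DHCP renewal."""
    if timestamp is None:
        return None                                   # static records are not aged
    if now < timestamp + NO_REFRESH_INTERVAL:
        return timestamp
    return now


def is_stale(timestamp: Optional[datetime], now: datetime) -> bool:
    """A record may be scavenged once both intervals have elapsed since its timestamp."""
    return timestamp is not None and now >= timestamp + NO_REFRESH_INTERVAL + REFRESH_INTERVAL


def scavenge(zone: dict, now: datetime) -> set:
    """Names a scavenging pass at `now` would delete (the caller removes them from the zone)."""
    return {name for name, ts in zone.items() if is_stale(ts, now)}


def age_all_records(zone: dict, now: datetime) -> dict:
    """What 'dnscmd /ageallrecords' does: give static records a timestamp so they age too."""
    return {name: (now if ts is None else ts) for name, ts in zone.items()}


if __name__ == "__main__":
    zone = sample_zone(EXAMPLE_NOW)
    print("stale now:", scavenge(zone, EXAMPLE_NOW))
    print("ws3 keeps its old stamp:", accept_refresh(zone["ws3.corp.example."], EXAMPLE_NOW) != EXAMPLE_NOW)
    aged = age_all_records(zone, EXAMPLE_NOW)
    print("15 days after aging all records:", scavenge(aged, EXAMPLE_NOW + 15 * 24 * HOUR))
```

ws1 is the only record older than no-refresh plus refresh (14 days) at the reference time; after age_all_records() the static dc1 record starts aging too, which is exactly why that command deserves care before it is run against a production zone.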

DNS Q&A corner

Q1 How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers, or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be set up. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. both local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?
>
>           VIP = 16714715
>   ------------------------------------
>   |       Load Balancer Device       |
>   ------------------------------------
>                    |
>           -----------------
>           |               |
>     ----------------  --------------
>     |    DNS 1     |  |   DNS 2    |
>     ----------------  --------------
>          1111             1112

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2 How does reverse mapping work?

> How can reverse lookup possibly work on the Internet? How can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server.
> How does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.


Q3 What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4 Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example.  300  IN  A  10.0.0.1

Q5 Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mail server?

You can't. If you want to use a backup mailer, you need to use MX records.

> www   CNAME   192.168.0.1
> mail  CNAME   192.168.0.1
> pop   CNAME   192.168.0.1
> smtp  CNAME   192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example:

www  CNAME  foo.example.

Q6 What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7 Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8 What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9 Why are there only 13 root name servers?

> I'm very much wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit in the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that there is some limitation on the number of NS records
> in a DNS packet that is specified by certain RFCs, or it is just Internet policy stuff.
>
> Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

Important information: httpwwwmenandmicecomonline_docs_and_faqglossaryglossarytochtm

Q1 What are the five FSMO roles?

Schema Master           Forest level   One per forest
Domain Naming Master    Forest level   One per forest
PDC Emulator            Domain level   One per domain
RID Master              Domain level   One per domain
Infrastructure Master   Domain level   One per domain

Q2 What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It holds the only writable copy of the schema: this DC is the only one that can process schema updates, and once an update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. It is the only DC that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master in the forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain the PDC emulator performs the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
• Authentication failures that occur at a given DC in the domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad-password failure is reported to the user. This is why a freshly changed password works everywhere almost immediately, and also why the PDC emulator's security log sees the failed logon attempts from the whole domain, which makes it the first place to look when hunting password guessing.
• Account lockout is processed on the PDC emulator.
• Time synchronization for the domain: the PDC emulator is the authoritative time source for its domain (and the forest root's PDC emulator for the whole forest), which Kerberos depends on.
• Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed-mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: some consider the PDC emulator to be relevant only in a mixed-mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4 RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.
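
As an added example (not part of the original document), the PowerShell below makes the two ideas above concrete: it splits a SID into the domain SID and the RID using the .NET SecurityIdentifier type, and it reads the domain's remaining RID space from the rIDAvailablePool attribute of the RID Manager object with the ActiveDirectory RSAT module. The sample SIDs are constructed; the attribute, object path and cmdlets are real.

```powershell
# Added example: decompose a SID into domain SID + RID, then read the domain RID pool state.
function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $parts = $sid.Value -split '-'
    [pscustomobject]@{
        Sid       = $sid.Value
        # AccountDomainSid is $null for well-known SIDs such as S-1-5-32-544 (BUILTIN\Administrators)
        DomainSid = if ($null -ne $sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        Rid       = [int64]$parts[-1]              # last sub-authority: unique within the domain
        WellKnown = ($null -eq $sid.AccountDomainSid)
    }
}

# Constructed sample SIDs (not taken from any real domain)
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1104' | Format-List   # a domain user, RID 1104
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-512'  | Format-List   # Domain Admins, RID 512
Split-Sid 'S-1-5-32-544'                                  | Format-List   # BUILTIN\Administrators

# rIDAvailablePool on "CN=RID Manager$,CN=System,<domain>" packs two 32-bit values into one 64-bit integer:
#   high 32 bits = upper bound of the domain's RID space, low 32 bits = next RID the RID Master will hand out.
function Get-RidPoolStatus {
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
                           -Properties rIDAvailablePool
    $pool  = [int64]$ridMgr.rIDAvailablePool
    $upper = $pool -shr 32
    $next  = $pool -band 0xFFFFFFFF
    [pscustomobject]@{
        RidMaster   = $domain.RIDMaster
        UpperBound  = $upper
        NextRid     = $next
        Remaining   = $upper - $next
        PercentUsed = [math]::Round(100.0 * $next / $upper, 2)
    }
}

Get-RidPoolStatus
```

Running out of RIDs is silent until account creation fails, so a periodic check of Remaining is a cheap safeguard; `dcdiag /test:RidManager /v` reports the same pool values from the RID Master's point of view.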

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as a NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog Server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server. The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and the Global Catalog server above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.
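
As an added example (not part of the original document), the PowerShell script below uses the ActiveDirectory RSAT module, a newer alternative to the snap-ins and netdom described under Q8, to list the five role holders and check them against the placement advice above: Schema and Domain Naming masters together on a Global Catalog, PDC Emulator with the RID Master, and the Infrastructure Master off the GC. It adds one refinement to the single-domain note above that is not on the page: the Infrastructure Master on a GC is also harmless when every DC in the domain is a GC, because then there are no non-GC DCs left to update. The cmdlets are real; the warning texts are the script's own.

```powershell
# Added example: audit FSMO role placement with the ActiveDirectory module (RSAT).
# Run from a domain-joined machine with RSAT installed, as a user allowed to read AD.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide role holders (one of each per forest)
$schemaMaster = $forest.SchemaMaster
$namingMaster = $forest.DomainNamingMaster
# Domain-wide role holders (one of each per domain; this reads the current domain)
$pdc   = $domain.PDCEmulator
$rid   = $domain.RIDMaster
$infra = $domain.InfrastructureMaster

'{0,-22} {1}' -f 'Schema Master',         $schemaMaster
'{0,-22} {1}' -f 'Domain Naming Master',  $namingMaster
'{0,-22} {1}' -f 'PDC Emulator',          $pdc
'{0,-22} {1}' -f 'RID Master',            $rid
'{0,-22} {1}' -f 'Infrastructure Master', $infra

function Test-IsGlobalCatalog([string]$DcName) {
    (Get-ADDomainController -Identity $DcName).IsGlobalCatalog
}

$findings = @()
if ($schemaMaster -ne $namingMaster) {
    $findings += 'Schema Master and Domain Naming Master are on different DCs (recommended together).'
}
foreach ($dc in (@($schemaMaster, $namingMaster) | Select-Object -Unique)) {
    if (-not (Test-IsGlobalCatalog $dc)) { $findings += "$dc holds a forest-wide role but is not a Global Catalog." }
}
if ($pdc -ne $rid) {
    $findings += 'PDC Emulator and RID Master are on different DCs (recommended together).'
}

# Infrastructure Master on a GC only matters when the forest has more than one domain
# AND at least one DC in this domain is not a GC (if every DC is a GC, nothing needs updating).
$nonGcDcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $false } -Server $domain.DNSRoot
if ($forest.Domains.Count -gt 1 -and (Test-IsGlobalCatalog $infra) -and $nonGcDcs) {
    $names = ($nonGcDcs | ForEach-Object HostName) -join ', '
    $findings += "Infrastructure Master $infra is a Global Catalog while these DCs are not: $names"
}

if ($findings) { $findings | ForEach-Object { "WARNING: $_" } } else { 'FSMO placement matches the recommendations.' }
```

The same role list is available without the module by running `netdom query fsmo` from a command prompt, but only the scripted version can cross-check each holder's Global Catalog status.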

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group

RID Master: member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out what servers in your domain/forest hold what server roles

1. Active Directory Users and Computers: use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 server CD, or install the Windows 2000 Server Resource Kit. Once you install the support tools you can open up a blank Microsoft Management Console (Start > Run > mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start > Programs > Windows 2000 Support Tools. Once open, click Edit > Add Monitored Server and add the name of a Domain Controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

- Command-line tool to query for the current FSMO role holders
- Part of the Microsoft Windows 2000 Server Resource Kit
- Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
- Prints to the screen the current FSMO holders
- Calls NTDSUTIL to get this information

7. NLTEST

Command-line tool to perform common network administrative tasks. Type "nltest /?" for syntax and switches.

Common uses:

- Get a list of all DCs in the domain
- Get the name of the PDC emulator
- Query or reset the secure channel for a server
- Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles: http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either Locally or by Domain Policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services, right click Default-First-Site-Name (or another Site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to Link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and, under the Disable column, double click; a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the group policy scripts run?

Startup scripts are processed at computer bootup and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Login scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does the group policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min interval, so the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

Q9. Which are the policies which do not get affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection, Software Installation, Logon/Logoff/Startup/Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which are the policies which get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12. Which are the policies which do not get applied over slow links?

IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy: this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU), they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires; Rename Administrator Account (when set at the domain level it affects the Domain Administrator account only); Rename Guest Account (when set at the domain level it affects the Domain Guest account only)

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy: this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.

Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.
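
As an added example (not part of the original document) tying Q13 and Q14 together, the PowerShell below uses the GroupPolicy and ActiveDirectory RSAT modules to confirm that both default GPOs still exist and are enabled, list the domain's GPO links in precedence order, and read the effective domain-level Password and Account Lockout policy. The two GUIDs are the well-known identifiers of the default GPOs (the objects dcgpofix recreates); the weak-setting thresholds are the script's own choices, not values from the page.

```powershell
# Added example: audit the default GPOs and the domain-level account policy (RSAT modules).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# Well-known GUIDs of the two default GPOs; dcgpofix rebuilds exactly these objects.
$defaults = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}
foreach ($name in $defaults.Keys) {
    $gpo = Get-GPO -Guid $defaults[$name] -Domain $domain.DNSRoot -ErrorAction SilentlyContinue
    if (-not $gpo) { "MISSING: $name ($($defaults[$name])); dcgpofix can recreate it"; continue }
    '{0,-34} status={1} modified={2}' -f $gpo.DisplayName, $gpo.GpoStatus, $gpo.ModificationTime
}

# GPOs linked at the domain container. Order 1 is the top of the Group Policy tab list,
# i.e. applied last and therefore winning any conflict among domain-level links.
'Domain-level links (Order 1 wins):'
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Sort-Object Order |
    ForEach-Object { '  {0}. {1,-34} enabled={2} noOverride={3}' -f $_.Order, $_.DisplayName, $_.Enabled, $_.Enforced }

# Effective Password Policy / Account Lockout Policy: these only take effect at the domain level.
$pp = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
$findings = @()
if ($pp.MinPasswordLength -lt 8)      { $findings += "minimum password length is $($pp.MinPasswordLength)" }
if (-not $pp.ComplexityEnabled)       { $findings += 'password complexity is disabled' }
if ($pp.ReversibleEncryptionEnabled)  { $findings += 'reversible password encryption is enabled' }
if ($pp.LockoutThreshold -eq 0)       { $findings += 'account lockout threshold is 0 (lockout disabled)' }
if ($pp.PasswordHistoryCount -lt 5)   { $findings += "password history is only $($pp.PasswordHistoryCount)" }

if ($findings) { $findings | ForEach-Object { "WEAK: $_" } } else { 'Domain account policy: nothing flagged.' }
```

Because a link flagged noOverride=True at the domain level beats every OU-level GPO (Q15 below), the link listing is also the quickest way to see which domain settings an OU administrator cannot override.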

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: The local GPO on the computer is processed, and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions to control the inheritance of the group policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
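
As an added example (not part of the original document), the PowerShell function below simulates the precedence rules described in Q5, in "Resolving GPOs from Multiple Sources" and in Q15: LSDOU order, bottom-to-top link order within a container, Block Inheritance, and No Override links that survive blocking and beat child containers (when two No Override links conflict, the one linked higher in the hierarchy wins, which is the reverse of the normal rule and is not spelled out on the page). The containers, GPO names and setting names are constructed for the demonstration; the three Human Resources GPOs reuse the page's own example.

```powershell
# Added example: simulate Group Policy precedence (LSDOU, link order, Block Inheritance, No Override).
function Resolve-GpoPrecedence {
    param(
        [hashtable]$LocalGpo,                         # the local GPO, always processed first
        [Parameter(Mandatory)][object[]]$Hierarchy    # Site, Domain, OU, nested OU ... outermost first
    )
    $order = New-Object 'System.Collections.Generic.List[object]'   # application order, last wins
    $enforcedByLevel = @()
    if ($null -ne $LocalGpo) { $order.Add($LocalGpo) }

    foreach ($container in $Hierarchy) {
        if ($container.BlockInheritance) {
            # Block Inheritance drops everything inherited from parents, except No Override links.
            # The local GPO is not a link, so it is still processed.
            $order.Clear()
            if ($null -ne $LocalGpo) { $order.Add($LocalGpo) }
        }
        $levelEnforced = @()
        # The Group Policy tab lists links top-to-bottom; the top link has the highest
        # precedence, so links are applied bottom-to-top.
        $links = @($container.Links)
        for ($i = $links.Count - 1; $i -ge 0; $i--) {
            $link = $links[$i]
            if ($link.NoOverride) { $levelEnforced += $link } else { $order.Add($link) }
        }
        $enforcedByLevel += ,$levelEnforced
    }
    # No Override links are applied after everything else. Between enforced links the parent
    # wins, so enforced levels are applied child-first and parent-last.
    for ($l = $enforcedByLevel.Count - 1; $l -ge 0; $l--) {
        foreach ($link in $enforcedByLevel[$l]) { $order.Add($link) }
    }

    $settings = @{}; $setBy = @{}
    foreach ($gpo in $order) {
        foreach ($key in $gpo.Settings.Keys) {
            $settings[$key] = $gpo.Settings[$key]   # a later GPO overrides an earlier one
            $setBy[$key]    = $gpo.Gpo
        }
    }
    [pscustomobject]@{
        AppliedOrder = @($order | ForEach-Object { $_.Gpo })
        Settings     = $settings
        SetBy        = $setBy
    }
}

# Constructed sample: Site -> Domain -> OU "Human Resources" (Block Inheritance on).
$local = @{ Gpo = 'Local Computer Policy'; Settings = @{ ScreenSaverTimeout = '600'; RunWindowsUpdate = 'Enabled' } }
$hierarchy = @(
    @{ Name = 'Site Default-First-Site-Name'; BlockInheritance = $false; Links = @(
        @{ Gpo = 'Site Wallpaper';      NoOverride = $false; Settings = @{ Wallpaper = 'site.bmp' } }) },
    @{ Name = 'Domain corp.example';         BlockInheritance = $false; Links = @(
        @{ Gpo = 'Security Baseline';   NoOverride = $true;  Settings = @{ ScreenSaverTimeout = '900'; MinimumPasswordLength = '12' } },
        @{ Gpo = 'Corporate Wallpaper'; NoOverride = $false; Settings = @{ Wallpaper = 'corp.bmp' } }) },
    @{ Name = 'OU Human Resources';          BlockInheritance = $true;  Links = @(
        @{ Gpo = 'No ScreenSaver';      NoOverride = $false; Settings = @{ ScreenSaverTimeout = '0' } },
        @{ Gpo = 'No Display Settings'; NoOverride = $false; Settings = @{ HideDisplayCpl = 'Enabled'; Wallpaper = 'hr.bmp' } },
        @{ Gpo = 'No Windows Update';   NoOverride = $false; Settings = @{ RunWindowsUpdate = 'Disabled'; Wallpaper = 'old.bmp' } }) }
)

$result = Resolve-GpoPrecedence -LocalGpo $local -Hierarchy $hierarchy
'Applied order: ' + ($result.AppliedOrder -join ' -> ')
$result.Settings.Keys | Sort-Object | ForEach-Object {
    '{0,-22} = {1,-9} (from {2})' -f $_, $result.Settings[$_], $result.SetBy[$_]
}
```

With this input the applied order is Local Computer Policy, No Windows Update, No Display Settings, No ScreenSaver, Security Baseline: Block Inheritance on the OU discards the site and the non-enforced domain GPO, the three OU links apply bottom-to-top so Wallpaper ends as hr.bmp, and the enforced Security Baseline applies last, so ScreenSaverTimeout is 900 despite the OU's No ScreenSaver setting it to 0.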

Q16. How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.
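
As an added example (not part of the original document), the PowerShell below carries the New Users procedure through end to end and, unlike the prose, verifies the result: it creates the target OUs if missing, links a baseline GPO to each, runs redirusr.exe and redircomp.exe, and then reads the domain's UsersContainer and ComputersContainer properties, which reflect the redirection. The OU names and GPO names are assumptions; the GPOs are assumed to exist already. It is meant to be run on a domain controller as a domain administrator.

```powershell
# Added example: redirect new user and computer accounts to GPO-linked OUs, then verify.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
"Before:`n  users     -> $($domain.UsersContainer)`n  computers -> $($domain.ComputersContainer)"

# Hypothetical OU and GPO names (the GPOs must already exist in the domain).
$targets = @(
    @{ Ou = 'New Users';     Gpo = 'New User Baseline';     Tool = 'redirusr.exe'  },
    @{ Ou = 'New Computers'; Gpo = 'New Computer Baseline'; Tool = 'redircomp.exe' }
)

foreach ($t in $targets) {
    $ouDn = "OU=$($t.Ou),$($domain.DistinguishedName)"

    # Create the OU directly under the domain if it does not exist yet
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$($t.Ou))" `
                    -SearchBase $domain.DistinguishedName -SearchScope OneLevel
    if (-not $existing) { New-ADOrganizationalUnit -Name $t.Ou -Path $domain.DistinguishedName }

    # Link the GPO unless it is linked already (New-GPLink errors on a duplicate link)
    $linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $t.Gpo }
    if (-not $linked) { New-GPLink -Name $t.Gpo -Target $ouDn -LinkEnabled Yes | Out-Null }

    # The redirection tools live in %windir%\system32 and take the target OU's DN
    & (Join-Path $env:windir "system32\$($t.Tool)") $ouDn
}

# Re-read the domain: the default containers now point at the new OUs
$domain = Get-ADDomain
"After:`n  users     -> $($domain.UsersContainer)`n  computers -> $($domain.ComputersContainer)"
```

The "After" lines are the check worth keeping in change records: an account created afterwards with New-ADUser and no -Path lands in the redirected OU and picks up its GPO at first logon.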

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


Q1 What does the logical component of the Active Directory structure include

Objects-Resources are stored in the Active Directory as objects

Sub category object class

An object is really just a collection of attributes A user object for example is made up of attributes such as name password phone number group membership and so on The attributes that make up an object are defined by an object class The user class for example specifies the attributes that make up the user object

The Active Directory Schema

The classes and the attributes that they define are collectively referred to as the Active Directory Schema; in database terms, a schema is the structure of the tables and fields and how they are related to one another. You can think of the Active Directory Schema as a collection of data (object classes) that defines how the real data of the directory (the attributes of an object) is organized and stored.

Domains

The basic organizational structure of the Windows Server 2003 networking model is the domain. A domain represents an administrative boundary. The computers, users, and other objects within a domain share a common security database.

Trees

Multiple domains are organized into a hierarchical structure called a tree. Actually, even if you have only one domain in your organization, you still have a tree. The first domain you create in a tree is called the root domain. The next domain that you add becomes a child domain of that root. This expandability of domains makes it possible to have many domains in a tree. Figure 1-1 shows an example of a tree. Microsoft.com was the first domain created in Active Directory in this example and is therefore the root domain.

[Figure 1-1: the Microsoft.com root domain with the child domains sales.Microsoft.com, RND.Microsoft.com, West.Microsoft.com, and East.Microsoft.com]

Figure 1-1 A tree is a hierarchical organization of multiple domains.

All domains in a tree share a common schema and a contiguous namespace. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in.

Forest

A forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory-enabled computer (domain controller) on a network is installed.

This first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.

Figure 1-2 shows an example of a forest with two trees. Each tree in the forest has its own namespace. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com (after the first domain created).

Figure 1-2 Trees in a forest share the same schema but not the same namespace.

[Figure 1-2: the Microsoft.com tree (root domain of the microsoft.com forest and tree, with sales.Microsoft.com, RND.Microsoft.com, West.Microsoft.com, and East.Microsoft.com) alongside the Contoso.com tree (labelled "Root domain of Contoso.com forest", with West.contoso.com and East.contoso.com)]

A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests; this would let you grant access to resources and accounts that are outside of a particular forest.

Organizational Units

Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain.

OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2 What does the physical structure of Active Directory contain?

Physical structures include domain controllers and sites.

Q3 What is nesting?

The creation of an OU inside another OU.

IMP: once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4 What is a trust relationship, and how many types of trust relationship are there in Exchange 2003?

Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain).

Windows Server 2003 supports six types of trust relationships:

Parent and child trusts
Tree-root trusts
External trusts
Shortcut trusts
Realm trusts
Forest trusts


Q5 What is a site?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6 What is the use of a site?

Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic.

More specifically, sites are used to control the following:

Workstation logon traffic
Replication traffic
Distributed File System (DFS)

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.

File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7 What are the objects a site contains?

Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.


Q8 What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

Q9 Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller, and the changes will be replicated to other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes, and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher-priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q10 What are the different types of replication?

Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).

Intrasite Replication: Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite Replication: Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11 What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that email and other programs use to look up information from a server.

An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12 What types of naming convention does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. Thus, the name uniquely identifies the object relative to the other objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:

DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.
OU: The Organizational Unit (OU) tag identifies an organizational unit container.
CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object.

An example of a typical distinguished name would be:

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).
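Worked example of the three name forms above (RDN, DN and canonical name), added here and not part of the original interview notes: a small Python DN parser that derives the RDN, the parent container and the canonical name, and enforces the one-RDN-per-container rule the text states. Escaped commas follow the RFC 4514 backslash convention, and the `add_object` store is an illustrative assumption, not an Active Directory API.

```python
"""Parse LDAP distinguished names and derive the other name forms above.

Added example, not part of the original interview notes; standard library
only. EXAMPLE_DN is the DN used in the text. Escaping follows the
backslash convention of RFC 4514 (e.g. 'Smith\\, John').
"""
from typing import Dict, List, Tuple

EXAMPLE_DN = "CN=wjglenn,CN=Users,DC=contoso,DC=com"

RDN = Tuple[str, str]                    # (attribute tag, value)
Directory = Dict[Tuple[str, str], str]   # (parent, rdn) case-folded -> DN


def split_dn(dn: str) -> List[RDN]:
    """Split a DN into (tag, value) pairs, most specific component first."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])        # escaped char is literal, not a separator
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        tag, sep, value = part.strip().partition("=")
        if not sep or not tag.strip() or not value:
            raise ValueError(f"malformed RDN component: {part!r}")
        rdns.append((tag.strip().upper(), value))
    return rdns


def relative_distinguished_name(dn: str) -> str:
    """The RDN is just the first component, e.g. CN=wjglenn."""
    tag, value = split_dn(dn)[0]
    return f"{tag}={value}"


def parent_container(dn: str) -> str:
    """Everything after the RDN: the container the object lives in."""
    return ",".join(f"{t}={v}" for t, v in split_dn(dn)[1:])


def canonical_name(dn: str) -> str:
    """Root-first form without tags: contoso.com/Users/wjglenn."""
    rdns = split_dn(dn)
    # The DC components must form a contiguous tail (DC=contoso,DC=com).
    first_dc = next((i for i, (t, _) in enumerate(rdns) if t == "DC"), None)
    if first_dc is None or any(t != "DC" for t, _ in rdns[first_dc:]):
        raise ValueError("DN has no well-formed domain component tail")
    domain = ".".join(v for _, v in rdns[first_dc:])
    # Containers appear leaf-first in the DN, so reverse them for the path.
    path = [v for _, v in reversed(rdns[:first_dc])]
    return "/".join([domain] + path)


def add_object(directory: Directory, dn: str) -> None:
    """Register a DN, enforcing one RDN per parent container.

    Comparison is case-insensitive, as in Active Directory, so
    cn=WJGLENN collides with CN=wjglenn in the same container.
    """
    key = (parent_container(dn).casefold(),
           relative_distinguished_name(dn).casefold())
    if key in directory:
        raise ValueError(f"{relative_distinguished_name(dn)} already exists "
                         f"in {parent_container(dn)}")
    directory[key] = dn


if __name__ == "__main__":
    print("RDN:      ", relative_distinguished_name(EXAMPLE_DN))
    print("Parent:   ", parent_container(EXAMPLE_DN))
    print("Canonical:", canonical_name(EXAMPLE_DN))
    store: Directory = {}
    add_object(store, EXAMPLE_DN)
    add_object(store, "CN=wjglenn,CN=Users,DC=fabrikam,DC=com")  # other container: fine
    try:
        add_object(store, "cn=WJGLENN,cn=Users,dc=contoso,dc=com")
    except ValueError as err:
        print("Rejected: ", err)
```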

Q13 What is multimaster replication?

Active Directory follows the multimaster replication model, in which every replica of the Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14 Which two operations master roles should be available when new security principals are being created and named?

The domain naming master and the relative ID master.


Q15 What are the different types of groups?

Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups: These are used for non-security purposes by applications other than Windows. One of the primary uses is within e-mail.

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16 What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17 What are the items that groups of different scopes can contain in mixed and native mode domains?

Q18 What is group nesting?

Placing one group in another is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas Junior Admins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19 How many characters can a group name contain?

64

Q20 Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.


Q21 What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them:

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link, they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1 The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved for better performance and to add additional fault tolerance, load balancing, and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools, which can be used to make administrative backup and restoration tasks of the DFS namespaces easier. The client Windows operating system contains a DFS client, which provides additional features as well as caching.


Q22 What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for Domain DFS; and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23 Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS).

Q24 What can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

Making changes to the site topology based on changes to the physical network topology
Tracking subnetting information for the network; this includes IP addresses, subnet masks, and the locations of the subnets
Monitoring network connectivity and setting the costs for links between sites

Q1 What is DNS?

DNS provides name registration and name-to-address resolution capabilities. DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand. These are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that these files were labor intensive. A host file is manually modified, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.


Q2 Which are the four generally accepted naming conventions?

NetBIOS Name (for instance, SPRINGERS01)

TCP/IP Address (121133244)

Host Name (Abbey)

Media Access Control (MAC) address: this is the network adapter hardware address

Q3 How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps:

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to more and more higher-level name servers until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.


Below, the steps are explained with the help of a chart:

Figure 8-5 How DNS works

Q4 Which are the major records in DNS?

1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.


2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain, even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.


One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse, followed by the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple; they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; then each part of it will be explained.

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
    1996111901 ; Serial
    10800 ; Refresh
    3600 ; Retry
    3600000 ; Expire
    86400 ) ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on its own entry. In this way, the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where the NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

There can only be one SOA record per domain Like NS records Allegiance Internet sets up this record for you if you are not running your own name server
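As an added example that is not part of the original guide, the following Python routine parses a record in the form shown above, derives the contact address from the RNAME, and checks the timer relationships and the YYYYMMDDNN serial convention the text describes. The zone text is a constructed sample modelled on the record above, and next_serial is my helper, not something the guide specifies.

```python
"""Parse a BIND-style SOA record and sanity-check its timers and serial.

Added example, not part of the original document; the zone below is a
constructed sample modelled on the record shown in the text."""
import re
from datetime import date

SAMPLE_SOA = """
foobarbaz.com.  IN  SOA  draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                1996111901  ; Serial
                10800       ; Refresh
                3600        ; Retry
                3600000     ; Expire
                86400 )     ; Minimum
"""

FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_soa(text):
    """Return owner, MNAME, RNAME, derived contact address and the five timers."""
    tokens = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]          # drop zone-file comments
        tokens.extend(line.replace("(", " ").replace(")", " ").split())
    if "SOA" not in tokens:
        raise ValueError("no SOA record found")
    i = tokens.index("SOA")
    numbers = tokens[i + 3:i + 8]
    if len(numbers) != 5 or not all(n.isdigit() for n in numbers):
        raise ValueError("SOA needs five numeric fields after MNAME and RNAME")
    rec = dict(zip(FIELDS, map(int, numbers)))
    rec.update(owner=tokens[0], mname=tokens[i + 1], rname=tokens[i + 2])
    # RNAME is the contact mailbox with the first '.' standing in for '@'.
    local, _, domain = rec["rname"].rstrip(".").partition(".")
    rec["contact"] = f"{local}@{domain}"
    return rec


def serial_is_dated(serial):
    """True if the serial follows the YYYYMMDDNN convention with a real date."""
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})\d{2}", str(serial))
    if not m:
        return False
    try:
        date(int(m[1]), int(m[2]), int(m[3]))
    except ValueError:
        return False
    return True


def check_soa(rec):
    """Return a list of findings; an empty list means the record looks sane.

    The timer relationships follow from the field meanings in the text: a
    secondary retries after a failed refresh, and drops the zone once
    'expire' seconds pass without a successful refresh."""
    findings = []
    if rec["retry"] >= rec["refresh"]:
        findings.append("retry should be shorter than refresh")
    if rec["expire"] <= rec["refresh"] + rec["retry"]:
        findings.append("expire should exceed refresh plus retry, or secondaries "
                        "drop the zone before a single refresh cycle can fail")
    if not rec["contact"].split("@")[0]:
        findings.append("RNAME yields no usable contact address")
    if not serial_is_dated(rec["serial"]):
        findings.append("serial is not in YYYYMMDDNN form")
    return findings


def next_serial(current, today):
    """Next YYYYMMDDNN serial for a change made on 'today'.

    Secondaries only transfer when the primary's serial is higher, so the
    result is always greater than 'current', even if 'current' is already
    today's date with NN at 00, or is a larger non-dated value."""
    base = int(today.strftime("%Y%m%d")) * 100
    candidate = base if base > current else current + 1
    if candidate > 0xFFFFFFFF:                 # serial is a 32-bit field
        raise ValueError("serial would overflow 32 bits")
    return candidate


if __name__ == "__main__":
    record = parse_soa(SAMPLE_SOA)
    print(record["owner"], record["contact"], check_soa(record) or "OK")
    print("next serial:", next_serial(record["serial"], date(1996, 11, 19)))
```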

Quick Summary of the major records in DNS

Record Type: Definition

Host (A): Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make management easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zones in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance and load balancing purposes, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone has one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings and a serial number (incremented with every update).

Q8. Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.


Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Loading DNS server responsibilities onto your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a STUB zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does the resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.


Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval after which the DNS server kicks off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers, or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be set up. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. both local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?
>
>   VIP = 16714715
>   ------------------------------------
>   |       Load Balancer Device       |
>   ------------------------------------
>                    |
>                    |
>           -----------------
>           |               |
>   ----------------  --------------
>   |    DNS 1     |  |   DNS 2    |
>   ----------------  --------------
>      1.1.1.1           1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet? How can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally these name servers map the IP address to inmail.compaq.com.
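The octet inversion and referral walk from the answer above, as an added Python example that is not part of the original column. The delegation table is a constructed stand-in for the real in-addr.arpa tree with placeholder server names, and the IPv6 (ip6.arpa) branch goes beyond what the text covers.

```python
"""Reverse-mapping names and the delegation walk described in the answer.

Added example, not part of the original column. The delegation table is a
constructed stand-in for the real in-addr.arpa tree (placeholder names)."""
import ipaddress

# Constructed: which reverse zones are delegated and to whom (placeholders).
DELEGATIONS = {
    "in-addr.arpa": "root-servers.placeholder.",
    "161.in-addr.arpa": "ns.arin.placeholder.",
    "1.114.161.in-addr.arpa": "ns.compaq.placeholder.",
}


def reverse_name(ip):
    """Owner name of the PTR record for an address.

    IPv4: octets reversed under in-addr.arpa (161.114.1.206 ->
    206.1.114.161.in-addr.arpa). IPv6 is handled the same way, one label
    per hex nibble under ip6.arpa, which the text does not cover."""
    addr = ipaddress.ip_address(ip)            # rejects malformed input
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = format(int(addr), "032x")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def referral_path(ip, delegations=DELEGATIONS):
    """Zones a resolver is referred through, root-most first, ending at the
    longest matching delegation, which is the zone that holds the PTR.

    Returns a list of (zone, name server) pairs from the delegation table."""
    target = reverse_name(ip)
    path = [(zone, ns) for zone, ns in delegations.items()
            if target == zone or target.endswith("." + zone)]
    path.sort(key=lambda item: item[0].count("."))  # more general zones first
    return path


if __name__ == "__main__":
    ip = "161.114.1.206"
    print(reverse_name(ip))
    for zone, ns in referral_path(ip):
        print(f"  referred to {zone}, served by {ns}")
```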


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

    foo.example.  300  IN  A  10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www   cname  192.168.0.1
> mail  cname  192.168.0.1
> pop   cname  192.168.0.1
> smtp  cname  192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example:

    www  CNAME  foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit in the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation on the number of NS records
> in a DNS packet is specified by certain RFCs, or is it just Internet policy stuff?
>
> Which one is the proper reason?

It's a technical limitation: UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. What are the FIVE FSMO roles?

- Schema Master: Forest Level, one per forest
- Domain Naming Master: Forest Level, one per forest
- PDC Emulator: Domain Level, one per domain
- RID Master: Domain Level, one per domain
- Infrastructure Master: Domain Level, one per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs, and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain, by default, holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog Server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog server rule above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners, and that they have high bandwidth connections to one another as well as to a Global Catalog server.
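An added Python check, not from the original document, that applies the placement rules in this answer (Schema and Domain Naming Masters on a Global Catalog and preferably together, Infrastructure Master off the Global Catalog in a multi-domain forest, PDC Emulator and RID Master together) to a constructed forest inventory. Server names are placeholders, and the exception for a domain in which every DC is a Global Catalog is my assumption beyond the text.

```python
"""Check FSMO role placement against the guidance in Q6.

Added example, not part of the original document. The inventory below is
constructed; in practice the role holders come from 'netdom query fsmo'
and the Global Catalog flags from each DC's NTDS Settings."""
from dataclasses import dataclass


@dataclass
class Domain:
    name: str
    dcs: list                 # all domain controllers in the domain
    pdc_emulator: str
    rid_master: str
    infrastructure_master: str


@dataclass
class Forest:
    schema_master: str
    domain_naming_master: str
    global_catalogs: set      # DCs that are also Global Catalog servers
    domains: list


def check_placement(forest):
    """Return findings as (severity, message); an empty list means compliant."""
    findings = []
    if forest.schema_master != forest.domain_naming_master:
        findings.append(("info", "Schema Master and Domain Naming Master are on "
                                 "different servers (recommended together)"))
    for role, holder in (("Schema Master", forest.schema_master),
                         ("Domain Naming Master", forest.domain_naming_master)):
        if holder not in forest.global_catalogs:
            findings.append(("warn", f"{role} {holder} is not a Global Catalog server"))
    multi_domain = len(forest.domains) > 1
    for d in forest.domains:
        # The IM/GC conflict only matters when other domains exist to be
        # referenced; the text's note says a single domain is unaffected.
        # Assumption beyond the text: if every DC in the domain is a GC there
        # are no non-GC DCs left to update, so the rule is moot there too.
        all_gc = set(d.dcs) <= forest.global_catalogs
        if multi_domain and d.infrastructure_master in forest.global_catalogs and not all_gc:
            findings.append(("error", f"{d.name}: Infrastructure Master "
                                      f"{d.infrastructure_master} is also a Global Catalog, "
                                      "so cross-domain references will never be refreshed"))
        if d.pdc_emulator != d.rid_master:
            findings.append(("info", f"{d.name}: PDC Emulator and RID Master are on "
                                     "different servers (recommended together)"))
    return findings


# Constructed two-domain forest with placeholder host names, not real servers.
SAMPLE_FOREST = Forest(
    schema_master="DC1.corp.example",
    domain_naming_master="DC1.corp.example",
    global_catalogs={"DC1.corp.example", "DC3.sales.example"},
    domains=[
        Domain("corp.example", ["DC1.corp.example", "DC2.corp.example"],
               pdc_emulator="DC1.corp.example", rid_master="DC1.corp.example",
               infrastructure_master="DC2.corp.example"),
        Domain("sales.example", ["DC3.sales.example", "DC4.sales.example"],
               pdc_emulator="DC3.sales.example", rid_master="DC4.sales.example",
               infrastructure_master="DC3.sales.example"),
    ],
)

if __name__ == "__main__":
    for severity, message in check_placement(SAMPLE_FOREST):
        print(f"[{severity}] {message}")
```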

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

- Schema Master: member of the Schema Admins group
- Domain Naming Master: member of the Enterprise Admins group
- PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
- RID Master: member of the Domain Admins group and/or the Enterprise Admins group
- Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out what servers in your domain/forest hold what server roles

1. Active Directory Users and Computers: use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the Support Tools, you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server, and add the name of a Domain Controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

- Command-line tool to query for the current FSMO role holders
- Part of the Microsoft Windows 2000 Server Resource Kit
- Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
- Prints to the screen the current FSMO holders
- Calls NTDSUTIL to get this information

7. NLTEST

- Command-line tool to perform common network administrative tasks
- Type "nltest /?" for syntax and switches
- Common uses:
  - Get a list of all DCs in the domain
  - Get the name of the PDC emulator
  - Query or reset the secure channel for a server
  - Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504


GROUP POLICY

Q1 What are Group Policies

Group Policies are settings that can be applied to Windows computers users or both In Windows 2000 there are hundreds of Group Policy settings Group Policies are usually used to lock down some aspect of a PC Whether you dont want users to run Windows Update or change their Display Settings or you want to insure certain applications are installed on computers - all this can be done with Group Policies

Group Policies can be configured either Locally or by Domain Polices Local policies can be accessed by clicking Start Run and typing gpeditmsc They can also be accessed by opening the Microsoft Management Console (Start Run type mmc) and adding the Group Policy snap-in You must be an Administrator to configuremodify Group Policies Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers They cannot be used on Win9x or WinNT computers

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name (or another Site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except that you right-click the Domain or an OU and choose Properties.

Q4. Who can Create/Modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type | Allowable Groups/Users

Site Level Group Policies | Enterprise Administrators and/or Domain Administrators in the root domain. (The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.)

Domain Level Group Policies | Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies | Enterprise Administrators, Domain Administrators, or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

Local Group Policies | The local Administrator user account or members of the local Administrators group.

Additionally, at the OU level users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Q5. How are Group Policies Applied?

Group Policies can be configured locally, at the Site level, at the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains, and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory; Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and which Group Policies you want applied to which objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific; they only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column again to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could be 60, 90 or 120 minutes. For DCs (Domain Controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.

Q9. Which policies are not affected by background refresh?

The following policies are not affected by background refresh; they are only applied at logon time:

Folder Redirection, Software Installation, Logon/Logoff/Startup/Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice that the /force switch applies to both user and computer policies; there is no separation of the two as there is with secedit.

Q10. What is the default setting for dial-up users?

Windows 2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.


If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy: this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires; Rename Administrator Account (when set at the domain level it affects the Domain Administrator account only); Rename Guest Account (when set at the domain level it affects the Domain Guest account only)

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy: this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
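The following Python script, an added example and not part of the original document, simulates the precedence rules from Q5, "Resolving GPOs from Multiple Sources" and Q15 above (LSDOU order, bottom-to-top application within a container, No Override and Block Inheritance) on a constructed hierarchy; the GPO names, settings and the "HR Interns" OU are made up for the illustration.

```python
"""Simulate the Group Policy precedence rules described above (an added example
with constructed GPOs and OUs, not Microsoft's implementation).

Rules modelled:
  * LSDOU order: Local, then Site, then Domain, then OU, then nested OUs.
  * Within one container the Group Policy tab lists GPOs top to bottom; they are
    applied bottom to top, so the GPO at the top of the list wins conflicts.
  * No Override on a link: the GPO is applied after all ordinary GPOs and cannot
    be blocked; if two No Override GPOs conflict, the one linked higher in the
    hierarchy (closer to the site) wins.
  * Block Inheritance on a container: ordinary GPOs from parent containers are
    discarded; No Override GPOs still come through.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                 # setting name -> value
    no_override: bool = False      # the "No Override" option on the link


@dataclass
class Container:
    name: str                      # e.g. "OU:Human Resources"
    gpos: list = field(default_factory=list)   # as listed on the tab, top first
    block_inheritance: bool = False


def resolve(chain):
    """chain: containers from the outermost (Local) to the innermost OU.
    Returns (effective_settings, winner) where winner maps each setting to the
    GPO and container that supplied the value that stuck."""
    normal = []                    # ordinary GPOs, in application order
    enforced_per_container = []    # No Override GPOs, grouped per container
    for container in chain:
        if container.block_inheritance:
            normal = []            # drop inherited ordinary GPOs only
        enforced = []
        for gpo in reversed(container.gpos):     # bottom of the list first
            entry = (gpo, container.name)
            (enforced if gpo.no_override else normal).append(entry)
        enforced_per_container.append(enforced)
    # Ordinary GPOs: last writer wins, so the innermost OU beats Local/Site/Domain.
    # No Override GPOs come last; the outermost container is applied last so
    # that it beats No Override links on child containers.
    order = normal + [e for group in reversed(enforced_per_container) for e in group]
    effective, winner = {}, {}
    for gpo, cname in order:
        for key, value in gpo.settings.items():
            effective[key] = value
            winner[key] = f"{gpo.name} ({cname})"
    return effective, winner


def example_chains():
    """Constructed hierarchy: Local -> site -> contoso.com -> Human Resources OU
    -> HR Interns OU (which blocks inheritance). Returns (hr_chain, interns_chain)."""
    local = Container("Local", [GPO("Local GPO", {"ScreenSaverTimeout": 900})])
    site = Container("Site:Default-First-Site-Name",
                     [GPO("Site Proxy", {"ProxyServer": "proxy.site.example.test"})])
    domain = Container("Domain:contoso.com", [
        GPO("Default Domain Policy", {"LogoffWhenLogonHoursExpire": True}),
        GPO("Corp Screensaver", {"ScreenSaverTimeout": 600}, no_override=True),
    ])
    hr = Container("OU:Human Resources", [
        GPO("No Windows Update", {"DisableWindowsUpdate": True}),          # top
        GPO("No Display Settings", {"DisplaySettings": "locked",
                                    "ScreenSaverTimeout": 300}),            # bottom
    ])
    interns = Container("OU:HR Interns", [
        GPO("Interns Lockdown", {"AllowRemovableMedia": False,
                                 "DisplaySettings": "unlocked"}),
    ], block_inheritance=True)
    return [local, site, domain, hr], [local, site, domain, hr, interns]


if __name__ == "__main__":
    for chain in example_chains():
        effective, winner = resolve(chain)
        print("Effective settings for", chain[-1].name)
        for key in sorted(effective):
            print(f"  {key} = {effective[key]!r:<30} from {winner[key]}")
```

Running it shows the No Override "Corp Screensaver" link winning over the Human Resources OU's 300-second value, and still reaching the HR Interns OU even though that OU blocks inheritance of everything else.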

Q16. How to Redirect New User and Computer Accounts?

By default, new user and computer accounts are created in the Users and Computers containers, respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


Figure 1-1: A tree is a hierarchical organization of multiple domains.

All domains in a tree share a common schema and a contiguous namespace. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in.

Forest

A forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory-enabled computer (domain controller) on a network is installed.

The first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.

Figure 1-2 shows an example of a forest with two trees. Each tree in the forest has its own namespace. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com (after the first domain created).

Figure 1-2: Trees in a forest share the same schema but not the same namespace.

[Figure 1-2 labels: microsoft.com (root domain of the microsoft.com forest and tree) with child domains sales.microsoft.com, RND.microsoft.com, West.microsoft.com and East.microsoft.com; contoso.com (root domain of the contoso.com tree) with child domains West.contoso.com and East.contoso.com]

A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests; this would let you grant access to resources and accounts that are outside of a particular forest.

Organizational Units

Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain.

OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2. What does the physical structure of Active Directory contain?

Physical structures include domain controllers and sites.

Q3. What is nesting?

The creation of an OU inside another OU.

IMP: once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4. What is a trust relationship, and how many types of trust relationship are there in Exchange 2003?

Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain).

Windows Server 2003 supports six types of trust relationships:

Parent and child trusts, tree-root trusts, external trusts, shortcut trusts, realm trusts, and forest trusts.


Q5. What is a site?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6. What is the use of a site?

Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic.

More specifically, sites are used to control the following:

Workstation logon traffic, replication traffic, and Distributed File System (DFS).

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.

File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7. What objects does a site contain?

Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.


Q8. What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

Q9. Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller, and the changes will be replicated to other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher-priority network traffic. To address this situation you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q10. What are the different types of replication?

Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).

Intrasite Replication: Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite Replication: Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the

day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11. What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that e-mail and other programs use to look up information from a server.

An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12. What types of naming conventions does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. Thus the name uniquely identifies the object relative to the other objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name, discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:

DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.

OU: The Organizational Unit (OU) tag identifies an organizational unit container.

CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object.

An example of a typical distinguished name would be:

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name:

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g. CN and DC).
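The following Python script is an added example, not code from the original document: it splits a distinguished name into its RDNs, derives the parent container and the canonical name form described in Q12, and checks the rule that two objects in the same container cannot share an RDN. It goes slightly beyond the page's example by handling backslash-escaped commas inside a value; the "Glenn\, Walter" and "Sales" names are constructed.

```python
"""Work with the Active Directory name forms described above: split a distinguished
name into RDNs, find the parent container, convert to the canonical name form,
and detect RDN collisions within one container.  Added example, not code from
the original document; the sample names below are constructed.

Commas inside a value are escaped with a backslash in LDAP (RFC 4514), e.g.
"CN=Glenn\, Walter", so a DN cannot simply be split on every comma.  Hex
escapes such as \2C are not handled here.
"""


def split_dn(dn):
    """Return the RDN strings of a DN, most specific (leftmost) first,
    honouring backslash escapes so an escaped comma stays inside its value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])        # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parse_rdn(rdn):
    """'CN=wjglenn' -> ('CN', 'wjglenn'); the attribute tag is case-insensitive."""
    tag, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"not an attribute=value pair: {rdn!r}")
    return tag.strip().upper(), value.strip()


def unescape(value):
    """Remove backslash escapes from an RDN value ('Glenn\\, Walter' -> 'Glenn, Walter')."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def rdn_of(dn):
    """The relative distinguished name: the leftmost component."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The DN of the container the object lives in."""
    return ",".join(split_dn(dn)[1:])


def canonical_name(dn):
    """DN -> canonical name: the DNS domain built from the DC components, then
    the containers and the object, root first, separated by '/'."""
    rdns = [parse_rdn(r) for r in split_dn(dn)]
    domain_parts = [unescape(v) for tag, v in rdns if tag == "DC"]
    path_parts = [unescape(v) for tag, v in rdns if tag != "DC"]
    if not domain_parts:
        raise ValueError(f"no DC components in {dn!r}")
    return "/".join([".".join(domain_parts)] + list(reversed(path_parts)))


def find_rdn_collisions(dns):
    """Group DNs that share an RDN inside the same parent container.  Active
    Directory refuses to create the second one; comparison is case-insensitive."""
    groups = {}
    for dn in dns:
        key = (parent_dn(dn).lower(), rdn_of(dn).lower())
        groups.setdefault(key, []).append(dn)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    dn = "CN=wjglenn,CN=Users,DC=contoso,DC=com"
    print(rdn_of(dn), "|", parent_dn(dn), "|", canonical_name(dn))
    print(canonical_name(r"CN=Glenn\, Walter,OU=Sales,DC=contoso,DC=com"))
```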

Q13. What is multimaster replication?

Active Directory follows the multimaster replication model, in which every replica of the Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14. Which two operations master roles should be available when new security principals are being created and named?

Domain naming master and the relative ID master.


Q15. What are the different types of groups?

Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups: These are used for non-security purposes by applications other than Windows. One of the primary uses is within an e-mail

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16. What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17. What are the items that groups of different scopes can contain in mixed and native mode domains?

Q18. What is group nesting?

Placing one group inside another group is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas JuniorAdmins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.
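The scope rules from Q16 and the nesting idea from Q18 can be checked mechanically. The following is an added example written for this page, not code from the original document: it encodes the containment rules listed above for a constructed domain named contoso.example and then flattens a nested Junior Admins group to see which accounts actually inherit its permissions. The same-domain restriction on nesting one domain local group in another is the Windows rule, which the page does not spell out.

```python
from dataclasses import dataclass, field

# Domain/forest functional levels the page calls "native"; "Windows 2000 mixed" is not one.
NATIVE_LEVELS = {"Windows 2000 native", "Windows Server 2003"}


@dataclass(frozen=True)
class Principal:
    """Something placed into a group: an account, or another group named by its scope."""
    name: str
    kind: str      # "user", "computer", "global", "domain_local" or "universal"
    domain: str    # DNS name of the domain holding the object


@dataclass
class Group:
    name: str
    scope: str     # "global", "domain_local" or "universal"
    domain: str
    members: list = field(default_factory=list)


def can_contain(group, member, domain_level, forest_level):
    """Apply the containment rules listed for each scope; returns (allowed, reason)."""
    native = domain_level in NATIVE_LEVELS
    same_domain = member.domain == group.domain
    if group.scope == "global":
        if member.kind in ("user", "computer"):
            return same_domain, "global groups take accounts only from their own domain"
        if member.kind == "global":
            return native and same_domain, "global-in-global nesting needs native level and the same domain"
        return False, "global groups cannot contain domain local or universal groups"
    if group.scope == "domain_local":
        if member.kind in ("user", "computer", "global"):
            return True, "users and global groups from any domain in the forest are allowed"
        if member.kind == "universal":
            return native, "universal members need a native domain functional level"
        if member.kind == "domain_local":
            # Nested domain local groups must come from the same domain (Windows rule, not stated on the page).
            return native and same_domain, "domain local nesting needs native level and the same domain"
    if group.scope == "universal":
        if forest_level not in NATIVE_LEVELS:
            return False, "universal groups exist only at a native forest functional level"
        if member.kind in ("user", "computer", "global", "universal"):
            return True, "universal groups take accounts, global and universal groups from any domain"
        return False, "universal groups cannot contain domain local groups"
    return False, "unknown scope or member kind"


def add_member(group, member, domain_level, forest_level):
    """Add a member only when the scope rules allow it; raise otherwise."""
    ok, reason = can_contain(group, member, domain_level, forest_level)
    if not ok:
        raise ValueError(f"cannot add {member.name} to {group.name}: {reason}")
    group.members.append(member)


def effective_members(group, groups, seen=None):
    """Flatten nesting (Q18): the account names that inherit this group's permissions."""
    seen = set() if seen is None else seen
    accounts = set()
    for m in group.members:
        if m.kind in ("user", "computer"):
            accounts.add(m.name)
        elif m.name not in seen:           # guard against circular nesting
            seen.add(m.name)
            accounts |= effective_members(groups[m.name], groups, seen)
    return accounts


def junior_admins_example():
    """Constructed Q18 scenario: per-location global groups nested into one Junior Admins
    group, which a domain local group on the domain controllers then grants rights to."""
    dl = fl = "Windows Server 2003"
    dom = "contoso.example"   # constructed domain name
    groups = {}
    parent = Group("Junior Admins", "global", dom)
    groups[parent.name] = parent
    for city in ("Dallas", "Chicago"):
        g = Group(f"{city} JuniorAdmins", "global", dom)
        groups[g.name] = g
        add_member(g, Principal(f"{city.lower()}-admin", "user", dom), dl, fl)
        add_member(parent, Principal(g.name, "global", dom), dl, fl)
    ops = Group("DC Operators", "domain_local", dom)
    groups[ops.name] = ops
    add_member(ops, Principal(parent.name, "global", dom), dl, fl)
    return effective_members(ops, groups)


if __name__ == "__main__":
    print(sorted(junior_admins_example()))
```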

Q19. How many characters can a group name contain?

64

Q20. Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.


Q21. What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link, they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved to give better performance and to add fault tolerance, load balancing, and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools, which can be used to make administrative backup and restoration tasks for DFS namespaces easier. The client Windows operating system includes a DFS client, which provides additional features as well as caching.


Q22. What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for domain DFS, and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24. What can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

- Making changes to the site topology based on changes to the physical network topology.
- Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.
- Monitoring network connectivity and setting the costs for links between sites.

Q1. What is DNS?

DNS provides name registration and name-to-address resolution capabilities. DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand. These are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that they were labor intensive. A host file is manually modified, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.


Q2. Which are the four generally accepted naming conventions?

NetBIOS Name (for instance, SPRINGERS01)

TCP/IP Address (121133244)

Host Name (Abbey)

Media Access Control (MAC) address: this is the network adapter hardware address

Q3. How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to higher and higher level name servers, until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.


Below, the steps are explained with the help of a chart.

Figure 8-5: How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. A records have three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.


2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain, even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our e-mail address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below.

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet e-mail address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse for the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; then each part of it will be explained.

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
        1996111901 ; Serial
        10800      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        86400 )    ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an e-mail address, if you substituted an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on its own entry. In this way, the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.

Quick Summary of the major records in DNS

Record Type: Definition

Host (A): Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Name servers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.
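The record rules described above (one SOA per zone, at least two NS records, CNAME targets that are names rather than addresses, MX preference order, specific records beating wildcards, and the YYYYMMDDNN serial) can be checked over a zone file. The following is an added example written for this page, not the page's own code: it parses a constructed zone in the BIND-style syntax used above (one CNAME is deliberately wrong) and applies those checks. The 0..65535 range for the MX preference is the 16-bit limit of that field.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed zone in the page's BIND-style syntax; the last CNAME is deliberately wrong.
ZONE_TEXT = """
foobarbaz.com.        IN SOA  draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                          1996111901 ; Serial, YYYYMMDDNN
                          10800      ; Refresh
                          3600       ; Retry
                          3600000    ; Expire
                          86400 )    ; Minimum
foobarbaz.com.        IN NS    draven.foobarbaz.com.
foobarbaz.com.        IN MX    20 backup.foobarbaz.com.
foobarbaz.com.        IN MX    10 eric.foobarbaz.com.
*.foobarbaz.com.      IN MX    10 eric.foobarbaz.com.
eric.foobarbaz.com.   300 IN A 36.36.1.6
backup.foobarbaz.com. IN A     36.36.1.7
draven.foobarbaz.com. IN A     36.36.1.2
www.foobarbaz.com.    IN CNAME eric.foobarbaz.com.
mail.foobarbaz.com.   IN CNAME 36.36.1.6
"""


def parse_zone(text):
    """Turn zone text into record dicts: ';' comments are dropped and a multi-line
    SOA in parentheses is joined back into one logical line first."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).strip()
        if not line:
            continue
        buf = (buf + " " + line).strip()
        if buf.count("(") == buf.count(")"):
            logical.append(re.sub(r"[()]", " ", buf))
            buf = ""
    records = []
    for line in logical:
        parts = line.split()
        # An explicit TTL, when present, sits between the owner and the class.
        ttl = int(parts.pop(1)) if parts[1].isdigit() else None
        owner, _cls, rtype, *rdata = parts
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
    return records


def is_ip(text):
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False


def validate(records):
    """Checks drawn from the record descriptions above; returns a list of problems."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r)
    names_with_a = {r["owner"] for r in by_type["A"]}
    problems = []
    if len(by_type["SOA"]) != 1:
        problems.append("a zone must have exactly one SOA record")
    if len(by_type["NS"]) < 2:
        problems.append("at least two NS records are expected")
    for r in by_type["NS"]:          # every in-zone name server needs its own A record
        if r["rdata"][0] not in names_with_a:
            problems.append(f"name server {r['rdata'][0]} has no A record in the zone")
    for r in by_type["CNAME"]:       # the target of an alias is a name, never an address
        if is_ip(r["rdata"][0]):
            problems.append(f"CNAME {r['owner']} must point at a domain name, not an IP address")
    for r in by_type["MX"]:          # preference is an unsigned 16-bit value
        if not 0 <= int(r["rdata"][0]) <= 65535:
            problems.append(f"MX preference out of range for {r['owner']}")
    return problems


def mail_servers_for(records, name):
    """MX targets in delivery order (lowest preference first). A record for the exact
    owner takes precedence over a *.domain wildcard, as cautioned above."""
    mx = [r for r in records if r["type"] == "MX" and r["owner"] == name]
    if not mx:
        wildcard = "*." + name.split(".", 1)[1]
        mx = [r for r in records if r["type"] == "MX" and r["owner"] == wildcard]
    return [r["rdata"][1] for r in sorted(mx, key=lambda r: int(r["rdata"][0]))]


def next_serial(current, today):
    """YYYYMMDDNN serial: the first change of a day gets NN=01, later changes bump NN.
    The result is always greater than the current serial, so secondaries will transfer."""
    candidate = int(today + "01")
    return candidate if candidate > current else current + 1


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print(validate(recs))
    print(mail_servers_for(recs, "foobarbaz.com."), mail_servers_for(recs, "pc7.foobarbaz.com."))
```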

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make management easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zones in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a read-only copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone has one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8. Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for e-mail.


Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to the cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.
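The decision path in Q12 (referral for iterative queries, iterative query to the stub zone's name servers for recursive ones, root hints as the fallback, answers cached but never written into the stub zone) can be traced with a small model. The following is an added example written for this page, not Windows DNS code: child.example, the 10.0.0.x server addresses and the records they answer with are all constructed, and the "root hints" server answers directly to keep the model short.

```python
from dataclasses import dataclass, field


@dataclass
class StubZone:
    """What a stub zone holds (Q11): the delegated zone's SOA, NS and glue A records only."""
    name: str
    ns: list            # names from the NS records
    glue: dict          # name server name -> address, from the glue A records
    soa_expire: int     # expire interval from the stub zone's SOA record


@dataclass
class StubZoneServer:
    stub: StubZone
    authoritative: dict     # constructed: server address -> {qname: (rtype, rdata, ttl)}
    root_hints: list        # constructed: addresses tried for standard recursion
    cache: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)

    def in_stub_zone(self, qname):
        return qname == self.stub.name or qname.endswith("." + self.stub.name)

    def resolve(self, qname, recursive=True):
        """Follow Q12: an iterative query gets a referral built from the stub zone; a recursive
        query is sent on to the stub zone's name servers, or to the root hints if none are usable."""
        if self.in_stub_zone(qname) and not recursive:
            self.trace.append(f"referral for {qname}")
            return {"referral": list(self.stub.ns), "glue": dict(self.stub.glue)}
        if qname in self.cache:
            self.trace.append(f"cache hit for {qname}")
            return self.cache[qname]
        targets = []
        if self.in_stub_zone(qname):
            targets = [self.stub.glue[n] for n in self.stub.ns if n in self.stub.glue]
        if not targets:
            self.trace.append(f"root hints for {qname}")
            targets = self.root_hints
        for addr in targets:
            answer = self.authoritative.get(addr, {}).get(qname)
            if answer is not None:
                self.trace.append(f"iterative query to {addr} for {qname}")
                self.cache[qname] = answer    # cached under its TTL, never written into the stub zone
                return answer
        return None


def build_demo():
    """Constructed topology: a stub for child.example, its authoritative server, and a
    'root hints' server that answers other names directly to keep the model short."""
    stub = StubZone("child.example", ["ns1.child.example"],
                    {"ns1.child.example": "10.0.0.53"}, 604800)
    authoritative = {
        "10.0.0.53": {"www.child.example": ("A", "10.0.1.80", 3600)},
        "10.0.0.1": {"www.other.example": ("A", "10.0.2.80", 3600)},
    }
    return StubZoneServer(stub, authoritative, ["10.0.0.1"])


def run_demo():
    """Four queries covering each branch of Q12; returns answers, the trace and whether
    the stub zone's own records are still exactly what they were."""
    server = build_demo()
    stub_before = (server.stub.ns[:], dict(server.stub.glue))
    answers = [
        server.resolve("www.child.example"),                  # via stub zone NS + glue
        server.resolve("www.child.example"),                  # now served from the cache
        server.resolve("www.other.example"),                  # outside the stub zone: root hints
        server.resolve("www.child.example", recursive=False), # iterative query: referral
    ]
    stub_unchanged = (server.stub.ns, server.stub.glue) == stub_before
    return answers, server.trace, stub_unchanged


if __name__ == "__main__":
    for step in run_demo()[1]:
        print(step)
```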

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added records, also referred to as static records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e., F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers, or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be set up. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e., both local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?

> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                  |
>                  |
>          -----------------
>          |               |
> ----------------   --------------
> |    DNS 1     |   |   DNS 2    |
> ----------------   --------------
>     1.1.1.1            1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records, please? E.g., I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case, the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
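The octet inversion and delegation walk in this answer, and the PTR records described in the DNS record section earlier, are modelled below. This is an added example written for this page, not code from the original Q&A: the delegation table and the PTR/A records are constructed stand-ins for live DNS data (the 10.0.9.9 entry is a deliberately inconsistent pair), and the IPv6 ip6.arpa case goes beyond what the page covers. The forward-confirmed check reflects the caveat that a PTR record alone is published by whoever runs the reverse zone, so "verifying that your machine is who it claims to be" needs the forward A record to agree.

```python
import ipaddress


def reverse_name(ip):
    """PTR owner name: reversed octets under in-addr.arpa for IPv4 and, going beyond the
    page, reversed hex nibbles under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def delegation_chain(ip, delegations):
    """Walk from the root down the in-addr.arpa tree, reporting each delegation hit on the
    way. 'delegations' maps a reverse zone to the organisation running its name servers."""
    rev = list(reversed(ip.split(".")))
    chain = []
    for i in range(1, len(rev) + 1):
        zone = ".".join(rev[-i:]) + ".in-addr.arpa"
        if zone in delegations:
            chain.append((zone, delegations[zone]))
    return chain


# Constructed lookup tables standing in for live DNS data.
DELEGATIONS = {"161.in-addr.arpa": "ARIN", "1.114.161.in-addr.arpa": "Compaq"}
PTR = {
    "6.1.36.36.in-addr.arpa": "eric.foobarbaz.com",
    "206.1.114.161.in-addr.arpa": "inmail.compaq.com",
    "9.9.0.10.in-addr.arpa": "mail.bank.example",   # constructed: a PTR whose forward record disagrees
}
A = {
    "eric.foobarbaz.com": ["36.36.1.6"],
    "inmail.compaq.com": ["161.114.1.206"],
    "mail.bank.example": ["203.0.113.25"],
}


def forward_confirmed(ip, ptr=PTR, a=A):
    """Reverse lookup plus forward check: the name the PTR gives must itself have an A record
    back to the same address. Only the forward half is controlled by the name's owner."""
    name = ptr.get(reverse_name(ip))
    return name is not None and ip in a.get(name, [])


if __name__ == "__main__":
    print(reverse_name("161.114.1.206"), delegation_chain("161.114.1.206", DELEGATIONS))
    for probe in ("36.36.1.6", "10.0.9.9"):
        print(probe, forward_confirmed(probe))
```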


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up dns servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> setup a primary and a single slave server and run caching only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to setup ttl values for individual records in bind?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS setup properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why do we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7 Do slaves only communicate with their masters over TCP

gt When the slave zone checks in with the master zone for the serial number isgt all this traffic happening on TCP For example if you have acls blockinggt udp traffic but allowing tcp traffic will the transfer work or will it failgt due to the slaves inability to query for the SOA record on udp

No The refresh query (for the zones SOA record) is usually done over UDP

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit of the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that there is some limitation on the number of NS records
> in a DNS packet specified by certain RFCs, or just Internet policy stuff.
>
> Which one is the proper reason?


It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the five FSMO roles?

- Schema Master: forest level, one per forest
- Domain Naming Master: forest level, one per forest
- PDC Emulator: domain level, one per domain
- RID Master: domain level, one per domain
- Infrastructure Master: domain level, one per domain

Q2. What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It holds the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema; once a schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master in the forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain, the PDC emulator role holder performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad-password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed-mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed-mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in the domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure Master is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure Master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure Master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure Master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO to create the first DC of a new domain or to demote the last DC of an existing one). If it is not available, the domain cannot be added or removed. Promoting an additional DC into an existing domain does not need it. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This is most noticeable in a mixed-mode domain where you are still running NT 4 BDCs and downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any action that depends on the PDC is affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native-mode domain the failure is less disruptive, because the other domain controllers keep authenticating users, but nothing takes over the role automatically: preferential password replication, lockout processing, domain time synchronization and Group Policy editing stay impaired until the role is transferred or seized.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem when objects from one domain are referenced from another (for example, cross-domain group memberships): renames and moves in the other domain would stop being reflected in your domain.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain holds all five FSMO server roles by default. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to Microsoft, in Windows 2000 the Domain Naming Master needs to be on a Global Catalog server (this requirement was dropped at the Windows Server 2003 forest functional level). If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it compares its own cross-domain references with the Global Catalog. If both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog keeps it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single-domain environment this is not an issue, and it is also not an issue if every DC in the domain is a Global Catalog server (then no DC holds stale cross-domain references to be updated).

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog server rule above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and have high-bandwidth connections to one another as well as to a Global Catalog server.
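As an added example (not part of the original document), the following PowerShell script lists the five role holders from Q1/Q2 and checks them against the placement rules of Q6. It assumes the ActiveDirectory RSAT module and a session that can read the forest; reading requires no special rights.

```powershell
# Added example, not from the original document. Needs the ActiveDirectory RSAT
# module; any authenticated domain user can run the read-only parts.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Who holds what (the same information "netdom query fsmo" prints).
$holders = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
foreach ($h in $holders.GetEnumerator()) { '{0,-22} {1}' -f $h.Key, $h.Value }

# 2. Placement rules. $forest.GlobalCatalogs lists every GC in the forest, so the
# forest-level holders can be checked even when they live in another domain.
$findings = @()

if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    $findings += 'Schema Master and Domain Naming Master are on different DCs (recommended: same DC).'
}
foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
    if ($forest.GlobalCatalogs -notcontains $forest.$role) {
        $findings += "$role holder $($forest.$role) is not a Global Catalog server."
    }
}
if ($domain.PDCEmulator -ne $domain.RIDMaster) {
    $findings += 'PDC Emulator and RID Master are on different DCs (recommended: same DC).'
}

# Infrastructure Master on a GC only matters in a multi-domain forest, and only
# if some DC in this domain is NOT a GC (if all are, no DC holds stale references).
$domainDcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$everyDcIsGc = -not ($domainDcs | Where-Object { -not $_.IsGlobalCatalog })
if ($forest.Domains.Count -gt 1 -and -not $everyDcIsGc -and
    $forest.GlobalCatalogs -contains $domain.InfrastructureMaster) {
    $findings += "Infrastructure Master $($domain.InfrastructureMaster) is a Global Catalog; it will never update cross-domain references."
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'FSMO placement follows the recommendations above.' }
```

Run it from each domain of a multi-domain forest (or pass -Server for Get-ADDomain) to audit the three domain-level roles everywhere; the two forest-level checks give the same answer from any domain.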

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

- Schema Master: member of the Schema Admins group
- Domain Naming Master: member of the Enterprise Admins group
- PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
- RID Master: member of the Domain Admins group and/or the Enterprise Admins group
- Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Which tools find out what servers in your domain/forest hold which FSMO roles?


1. Active Directory Users and Computers: use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right-click the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles you must first connect to the domain controller you want to move the role to. Do this by right-clicking Active Directory Users and Computers at the top of the snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you connect to another DC you will notice the name of that DC in the field below the Change button (not in this graphic).


2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as when viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. You will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right-clicking Active Directory Domains and Trusts at the top of the snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in does not appear among the default Windows 2000 administrative tools. Its library ships with the administrative tools but has to be registered first: run regsvr32 schmmgmt.dll on the server. Once registered, open a blank Microsoft Management Console (Start > Run > mmc) and add the snap-in to the console. Once the snap-in is open, right-click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires you to first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is the Netdom command-line utility. The Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.


5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the Active Directory Replication Monitor (replmon). Open this utility from Start > Programs > Windows 2000 Support Tools. Once open, click Edit > Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles (it is also the tool used to seize a role; see Q9). Ntdsutil.exe, a command-line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

- Command-line tool to query for the current FSMO role holders.
- Part of the Microsoft Windows 2000 Server Resource Kit.
- Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
- Prints the current FSMO holders to the screen.
- Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks. Type "nltest /?" for syntax and switches.

Common uses:

- Get a list of all DCs in the domain
- Get the name of the PDC emulator
- Query or reset the secure channel for a server
- Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (third party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
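As an added example (not the content of the Knowledge Base article), the following PowerShell script transfers the three domain-level roles with the ActiveDirectory module, and falls back to seizing them only when their current holders are unreachable. The target DC name DC2 is a placeholder; the account needs the rights listed in Q7 (Domain Admins for these roles; Enterprise Admins for the Domain Naming Master and Schema Admins for the Schema Master if you add those to the list).

```powershell
# Added example, not from the KB article. $target and $roles are placeholders.
Import-Module ActiveDirectory

$target = 'DC2'                                          # DC that should receive the roles
$roles  = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Can we talk to a DC directly? Transfer needs the current holder; seizure is
# for when it is gone for good.
function Test-DcReachable([string]$dcName) {
    try   { $null = Get-ADDomainController -Identity $dcName -Server $dcName -ErrorAction Stop; $true }
    catch { $false }
}

$domain  = Get-ADDomain
$holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster) | Select-Object -Unique
$allUp   = @($holders | Where-Object { -not (Test-DcReachable $_) }).Count -eq 0

if ($allUp) {
    # Transfer: a clean hand-over; the old holder agrees and the change replicates.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false
}
else {
    # Seize: -Force writes the roles to $target without the old holders' cooperation.
    # Only do this when the old holder will never come back. A seized-from DC that
    # is later powered on still believes it owns the role (duplicate RID pools,
    # two PDC emulators); rebuild it rather than reconnecting it.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Force -Confirm:$false
}

# Verify from every DC, not only the target: the new ownership has to replicate.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $d = Get-ADDomain -Server $dc
    '{0,-30} PDC={1} RID={2} IM={3}' -f $dc, $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster
}
```

The reachability test is deliberately conservative: a holder that answers LDAP but is otherwise broken still counts as "up", so the script transfers instead of seizing, which is the safe default; seize only after you have confirmed the holder is permanently lost.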


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their display settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or as domain policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers (and later); they cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain policies are applied to computers and users who are members of a domain, and these policies are configured on domain controllers. You can access domain Group Policies by opening Active Directory Sites and Services (these policies apply at the site level only) or Active Directory Users and Computers (these policies apply to the domain and/or organizational units).

Q3. From where to create a Group Policy?

To create a domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name or another site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right-click the domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have administrative privileges to create/modify Group Policies. The following table shows who can create/modify Group Policies.

Policy type: Allowable groups/users

Site-level Group Policies: Enterprise Admins and/or Domain Admins in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Admins group is found only in the root domain.

Domain-level Group Policies: Enterprise Admins, Domain Admins or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU-level Group Policies: Enterprise Admins, Domain Admins or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control over the OU's Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already-created Group Policies to the OU. If you want to give the OU administrators control over creating/modifying Group Policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the site level, the domain level or the organizational unit (OU) level. Group Policies are applied in a specific order, LSDOU: local policies first, then site-based policies, then domain-level policies, then OU policies, then nested-OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, domains and OUs are considered container objects.

Computer and user Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally's user object can be in one OU while her computer object is in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to which objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user-specific. They only apply to the user that is logged on. When creating domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable a node's policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally's user object is in the Security OU, which is nested inside the Development OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the computer policies are applied. When users log in, the user policies are applied. When user and computer Group Policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top of the Group Policy Object list; the top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a check mark will appear. Click the Edit button, make your changes, then double-click under the Disable column again to re-enable the GPO. This is also the place to temporarily disable a GPO for troubleshooting. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do Group Policy scripts run?

Startup scripts are processed at computer boot-up, before the user logs in. Shutdown scripts are processed after the user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies are applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called background refresh.

Background refresh for non-DCs (PCs and member servers) runs every 90 minutes plus a random offset of up to 30 minutes, so anywhere between 90 and 120 minutes. For DCs (domain controllers) background refresh is every 5 minutes. In addition, the security settings extension reapplies its settings every 16 hours even if no GPO has changed. These intervals can be changed under the Computer and User nodes at Administrative Templates > System > Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at startup/logon time):

- Folder Redirection
- Software Installation
- Logon, Logoff, Startup and Shutdown scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh Group Policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy      (refresh the user policies)
secedit /refreshpolicy machine_policy   (refresh the machine, or computer, policies)

These parameters will only refresh user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command-line tool that can be used to refresh Group Policies on a Windows XP (and later) computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user       (refresh the user policies)
gpupdate /target:computer   (refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

gpupdate /force

Notice that /force on its own applies to both user and computer policies; there is no separate enforce flag per side as there is with secedit, but /force can be combined with /target:user or /target:computer to force only one of them.

Q10. What is the default setting for dial-up users?

Windows 2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain over a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and decide whether to apply those Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

- Administrative Templates
- Security Settings
- EFS Recovery
- IPSec

Q12. Which policies do not get applied over slow links?

- IE Maintenance settings
- Folder Redirection
- Scripts
- Disk Quota settings
- Software Installation and Maintenance

These settings can be changed under the Computer and User nodes at Administrative Templates > System > Group Policy.


If the user connects to the domain using "Logon using dial-up connection" from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after logging on, the policies are applied using the standard refresh cycle.

Q13. Which are the two default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy: this GPO can be found under the Group Policy tab for the domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

- Password Policy
- Account Lockout Policy
- Kerberos Policy

These 3 policies can only be set at the domain level. If you set them anywhere else (site or OU), they are ignored for domain accounts. However, setting these 3 policies at the OU level does affect the local accounts of the computers in that OU, i.e. users who log on locally to their PCs: log on to the domain and you get the domain policy; log on locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

- Automatically log off users when logon time expires
- Rename Administrator Account: when set at the domain level it affects the domain Administrator account only
- Rename Guest Account: when set at the domain level it affects the domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but that is not recommended.

Default Domain Controllers Policy: this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain regardless of where you put them: no matter which OU in Active Directory you move your domain controllers to, they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to the default?

The following command replaces both the Default Domain Policy and the Default Domain Controllers Policy. You can specify Domain or DC instead of Both to restore only one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert to the original settings, the dcgpofix utility is your solution. It resets the GPO to its out-of-the-box state, so any custom settings in it are lost; back the GPO up first. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which restores the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and of the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: The local GPO on the computer is processed, and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed, and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. An object sits in exactly one OU, but that OU can be nested inside others, so several OU levels can apply to a single object. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next-highest-level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions that control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option (called Enforced in the Group Policy Management Console) that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container's GPO link has the No Override option set, the child container cannot block that GPO.
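As an added example (not part of the original document), the following PowerShell script walks the domain and every OU, prints each container's GPO links in processing order together with their Enforced flag, and warns about containers that block inheritance, which is where a domain-level security baseline silently stops applying unless its link is Enforced. It assumes the ActiveDirectory and GroupPolicy RSAT modules; the GPO name Security Baseline and the Workstations OU in the trailing commands are placeholders.

```powershell
# Added example, not from the original document. Requires the ActiveDirectory and
# GroupPolicy RSAT modules; 'Security Baseline' and the OU path are placeholders.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

# Domain root first, then every OU sorted by DN so a parent prints before its children.
$containers = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
                                Sort-Object DistinguishedName |
                                ForEach-Object { $_.DistinguishedName })

foreach ($dn in $containers) {
    $inh = Get-GPInheritance -Target $dn

    if ($inh.GpoInheritanceBlocked) {
        # A blocked container drops everything from above except Enforced (No Override)
        # links, so a domain-level baseline must be Enforced to reach it.
        Write-Warning "$dn blocks inheritance"
    }

    # GpoLinks are this container's own links. Order 1 is processed LAST and therefore
    # wins on conflict (it is the top entry in the GUI list).
    foreach ($link in $inh.GpoLinks) {
        '{0,-55} order={1} enabled={2} enforced={3} {4}' -f $dn, $link.Order, $link.Enabled, $link.Enforced, $link.DisplayName
    }

    # InheritedGpoLinks is the already-resolved list for this container (its parents'
    # links plus its own), highest precedence first.
    $effective = ($inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join ' > '
    "    effective: $effective"
}

# Make the baseline win over any child OU that blocks inheritance or links a
# conflicting GPO, and clear a block that should not be there:
# Set-GPLink -Name 'Security Baseline' -Target $domainDn -Enforced Yes
# Set-GPInheritance -Target "OU=Workstations,$domainDn" -IsBlocked No
```

Reading the effective list next to the Enforced flags is the quickest way to answer "why does this OU not get the baseline": either the container is blocked and the baseline link is not Enforced, or a lower-numbered (higher-precedence) link on the OU overrides the same setting.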

Q16. How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: you can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com

Q17 What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions on the OU.

Q18 What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of an Active Directory domain. Support for Group Policy on key operating systems is as follows:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests; this lets you grant access to resources and accounts that are outside of a particular forest.

Organizational Units

Organizational units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain.

OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2 What does the physical structure of Active Directory contain?

Physical structures include domain controllers and sites.

Q3 What is nesting?

The creation of an OU inside another OU.

IMP: once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4 What is a trust relationship, and how many types of trust relationship are there in Windows Server 2003?

Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain).

Windows Server 2003 supports six types of trust relationships:

Parent and child trusts, tree-root trusts, external trusts, shortcut trusts, realm trusts, and forest trusts.

Q5 What is a site?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6 What is the use of a site?

Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic.

More specifically, sites are used to control the following:

Workstation logon traffic, replication traffic, and Distributed File System (DFS).

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.

File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7 What objects does a site contain?

Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.

Q8 What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

Q9 Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller, and the changes will be replicated to other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes, and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher-priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q10 What are the different types of replication?

Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).

Intrasite replication: Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite replication: Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11 What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that e-mail and other programs use to look up information from a server.

An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12 What types of naming conventions does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies the object uniquely, but only within its parent container. Thus the name uniquely identifies the object relative to the other objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used are:

DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.

OU: The Organizational Unit (OU) tag identifies an organizational unit container.

CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object.

An example of a typical distinguished name would be

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name indicates that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).
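The three name forms above (RDN, DN and canonical name) are mechanical transformations of one another, which is worth seeing in code. The block below is an added example written for this page, not an Active Directory or LDAP library routine: it splits a DN into its tagged components, derives the RDN and the parent container, and builds the canonical name. The DN CN=wjglenn,CN=Users,DC=contoso,DC=com is the page's own example; the escaped-comma DN used in the usage note is constructed to show why a naive split on commas is not enough.

```python
"""Parse LDAP distinguished names and derive the RDN, parent DN and
canonical name.  Example code, not an Active Directory API; the DN
CN=wjglenn,CN=Users,DC=contoso,DC=com is the one used on the page, the
others in the tests are constructed."""


def split_dn(dn):
    """Split a DN into (TAG, value) pairs from the leaf outward.

    A backslash escapes the following character, so a comma inside a
    value (for example "Smith\\, John") does not start a new component."""
    components, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]          # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            components.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    components.append(buf)
    pairs = []
    for comp in components:
        tag, sep, value = comp.strip().partition("=")
        if not sep or not tag.strip():
            raise ValueError(f"malformed DN component: {comp!r}")
        pairs.append((tag.strip().upper(), value.strip()))
    return pairs


def rdn(dn):
    """Relative distinguished name: the leaf component, e.g. CN=wjglenn."""
    tag, value = split_dn(dn)[0]
    return f"{tag}={value}"


def parent_dn(dn):
    """DN of the container holding the object (all components but the leaf)."""
    return ",".join(f"{t}={v}" for t, v in split_dn(dn)[1:])


def to_canonical(dn):
    """Canonical name: domain first (DC values joined by '.'), then the path
    from the root container down to the object, without LDAP attribute tags."""
    pairs = split_dn(dn)
    domain = ".".join(v for t, v in pairs if t == "DC")
    path = [v for t, v in pairs if t != "DC"]
    return domain + "/" + "/".join(reversed(path))


def same_container(dn_a, dn_b):
    """True if two DNs would collide under the uniqueness rule above: equal
    RDN (case-insensitively) within the same parent container."""
    return (rdn(dn_a).lower() == rdn(dn_b).lower()
            and parent_dn(dn_a).lower() == parent_dn(dn_b).lower())


if __name__ == "__main__":
    dn = "CN=wjglenn,CN=Users,DC=contoso,DC=com"
    print(rdn(dn), "|", parent_dn(dn), "|", to_canonical(dn))
```

Because the canonical form drops the attribute tags, the conversion only runs one way: from "contoso.com/Users/wjglenn" alone you cannot tell whether Users is a CN container or an OU, which is why tools that accept canonical names look the object up rather than rebuilding its DN.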

Q13 What is multimaster replication?

Active Directory uses multimaster replication, in which every replica of an Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14 Which two operations master roles should be available when new security principals are being created and named?

Domain naming master and the relative ID master.

Q15 What are the different types of groups?

Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups: These are used for non-security purposes by applications other than Windows. One of the primary uses is within an e-mail.

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16 What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17 What items can groups of different scopes contain in mixed-mode and native-mode domains?

Q18 What is group nesting?

Placing one group inside another group is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas JuniorAdmins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19 How many characters can a group name contain?

64

Q20 Is a site part of the Active Directory namespace?

NO. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.

Q21 What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS terminology: It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network; in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link, they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved to give better performance and to add fault tolerance, load balancing, and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools, which can be used to make administrative backup and restoration tasks of the DFS namespaces easier. The client Windows operating system includes a DFS client, which provides additional features as well as caching.

Q22 What are the types of replication in DFS?

There are two types of replication: automatic, which is only available for domain DFS, and manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23 Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24 What can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

Making changes to the site topology based on changes to the physical network topology; tracking subnetting information for the network, including IP addresses, subnet masks, and the locations of the subnets; and monitoring network connectivity and setting the costs for links between sites.

Q1 What is DNS?

DNS provides name registration and name-to-address resolution capabilities. DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand: these are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that these files were labor intensive. A host file is manually modified, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.

Q2 Which are the four generally accepted naming conventions?

NetBIOS name (for instance, SPRINGERS01)

TCP/IP address (121133244)

Host name (Abbey)

Media Access Control (MAC) address: this is the network adapter hardware address

Q3 How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to more and more higher-level name servers until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.

Below, the steps are explained with the help of a chart.

Figure 8-5: How DNS works
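The three steps describe what a resolver does once the local name server has no answer of its own: it works from the top of the tree down, following one referral per level until it reaches the server that is authoritative for the name. The block below is an added example for this page, not the code of any real resolver: it simulates that walk over constructed in-memory zones. Only the foobarbaz.com names and the 36.36.1.6 address come from the page's later DNS examples; the root and com delegations, the ns.com-example server name, the draven address and the loop record are constructed.

```python
"""Iterative DNS resolution walked from the root downward.

Toy model of the steps above: a resolver that does not know the answer asks
the root, follows each referral to the next (lower) level, and stops at the
authoritative server.  The zones and name servers below are constructed in
memory; only foobarbaz.com, eric.foobarbaz.com and 36.36.1.6 come from the
page's own DNS examples.
"""

# Constructed zone data.  Each zone maps an owner name to one (type, rdata)
# record.  An NS record inside a zone is a delegation to a child zone.
ZONES = {
    ".": {"com.": ("NS", "ns.com-example.")},                 # constructed
    "com.": {"foobarbaz.com.": ("NS", "draven.foobarbaz.com.")},
    "foobarbaz.com.": {
        "draven.foobarbaz.com.": ("A", "36.36.1.1"),         # constructed address
        "eric.foobarbaz.com.": ("A", "36.36.1.6"),
        "www.foobarbaz.com.": ("CNAME", "eric.foobarbaz.com."),
        "loop.foobarbaz.com.": ("CNAME", "loop.foobarbaz.com."),  # constructed loop
    },
}


def query_zone(zone_name, qname):
    """What the server authoritative for ``zone_name`` would reply:
    ("answer", (type, rdata)), ("referral", child_zone) or ("nxdomain", None)."""
    zone = ZONES[zone_name]
    rec = zone.get(qname)
    if rec and rec[0] != "NS":
        return "answer", rec
    # The longest delegation covering qname wins, e.g. "foobarbaz.com." over "com."
    delegations = [owner for owner, (rtype, _) in zone.items()
                   if rtype == "NS" and (qname == owner or qname.endswith("." + owner))]
    if delegations:
        return "referral", max(delegations, key=len)
    return "nxdomain", None


def resolve(qname, max_steps=16):
    """Return (ip, trace) for ``qname``, or (None, trace) if it does not exist.
    ``trace`` lists every (zone asked, reply kind) so the path is visible."""
    trace, zone = [], "."
    for _ in range(max_steps):
        kind, data = query_zone(zone, qname)
        trace.append((zone, kind))
        if kind == "referral":
            zone = data                     # steps 2/3: go one level down
        elif kind == "nxdomain":
            return None, trace
        elif data[0] == "CNAME":
            qname, zone = data[1], "."      # chase the alias from the top again
        else:
            return data[1], trace           # authoritative A record
    raise RuntimeError("resolution did not converge (alias loop or chain too deep)")


if __name__ == "__main__":
    print(resolve("www.foobarbaz.com."))
```

Two things the walk makes visible: the CNAME for www adds a second complete descent from the root, which is the cost the text's "other records should point to the canonical name" advice keeps small, and a bounded step count is what turns a self-referential alias into an error instead of an endless loop.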

Q4 Which are the major records in DNS?

1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.:

eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.

2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases; a new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain, even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our e-mail address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet e-mail address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record; some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse for the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There must also be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; then each part of it will be explained.

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
    1996111901 ; Serial
    10800      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an e-mail address if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on its own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where the NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache or save this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
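The rules stated across records 1 to 6 (lowest MX preference is tried first, every CNAME needs an A record behind it, a PTR is the A record's address written backwards under in-addr.arpa, the SOA contact's first dot is really an "@", and the serial should follow YYYYMMDDNN) are all checkable from the zone text itself. The block below is an added example written for this page, not code from BIND or any DNS product: it parses records laid out as they appear above and runs those checks. The records are the page's foobarbaz.com examples; the backup.foobarbaz.com MX and its A record are constructed so that preference ordering and a missing PTR have something to show. The parser assumes the "owner IN TYPE rdata" layout used on the page, with no TTL column.

```python
"""Parse the BIND-style records shown above and check the rules the text
states about them: MX preference order, the A record behind every CNAME,
A/PTR consistency, and the SOA contact and serial conventions.

Example code written for this page, not from any DNS software.  The records
are the page's foobarbaz.com examples; backup.foobarbaz.com and its A record
are constructed.  The parser assumes "owner IN TYPE rdata" (no TTL column).
"""
from datetime import datetime

ZONE_TEXT = """\
eric.foobarbaz.com.     IN A     36.36.1.6
backup.foobarbaz.com.   IN A     36.36.1.7                  ; constructed
www.foobarbaz.com.      IN CNAME eric.foobarbaz.com.
foobarbaz.com.          IN MX    10 eric.foobarbaz.com.
foobarbaz.com.          IN MX    20 backup.foobarbaz.com.   ; constructed backup
6.1.36.36.in-addr.arpa. IN PTR   eric.foobarbaz.com.
foobarbaz.com.          IN NS    draven.foobarbaz.com.
foobarbaz.com.          IN SOA   draven.foobarbaz.com. hostmaster.foobarbaz.com. (
        1996111901 ; Serial
        10800      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
"""


def parse_zone(text):
    """Return (owner, TYPE, [rdata fields]) tuples.  ';' starts a comment and
    '(' ... ')' joins a record that spans several lines, as the SOA does."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        code = raw.split(";", 1)[0].replace("(", " ( ").replace(")", " ) ")
        for tok in code.split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                buf.append(tok)
        if depth == 0 and buf:           # record complete: flush it
            owner, _klass, rtype, *rdata = buf
            records.append((owner, rtype.upper(), rdata))
            buf = []
    return records


def of_type(records, rtype):
    return [(o, r) for o, t, r in records if t == rtype]


def mx_order(records, domain):
    """Mail exchangers for ``domain`` in delivery order (lowest preference first)."""
    return sorted((int(r[0]), r[1]) for o, r in of_type(records, "MX") if o == domain)


def dangling_cnames(records):
    """Aliases whose target has no A record (the text says one must exist)."""
    hosts = {o for o, _ in of_type(records, "A")}
    return [o for o, r in of_type(records, "CNAME") if r[0] not in hosts]


def reverse_name(ip):
    """36.36.1.6 -> 6.1.36.36.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def ptr_consistency(records):
    """For each A record: does a PTR exist for its address, and does it point back?"""
    ptr = {o: r[0] for o, r in of_type(records, "PTR")}
    return {o: ptr.get(reverse_name(r[0])) == o for o, r in of_type(records, "A")}


def soa(records):
    """Decode the SOA fields; the contact's first '.' becomes '@'."""
    (_owner, rdata), = of_type(records, "SOA")
    primary, contact, serial, refresh, retry, expire, minimum = rdata
    user, _, host = contact.rstrip(".").partition(".")
    return {"primary": primary, "contact": f"{user}@{host}", "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def serial_is_dated(serial):
    """True if ``serial`` follows the YYYYMMDDNN convention with a real date."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        datetime.strptime(s[:8], "%Y%m%d")
    except ValueError:
        return False
    return True


RECORDS = parse_zone(ZONE_TEXT)

if __name__ == "__main__":
    print(mx_order(RECORDS, "foobarbaz.com."), dangling_cnames(RECORDS))
    print(ptr_consistency(RECORDS), soa(RECORDS))
```

Running it shows eric ahead of the constructed backup exchanger, no dangling aliases, a consistent PTR for eric but none for the constructed backup host (the kind of gap that trips the reverse-lookup checks the PTR section describes), and a contact of hostmaster@foobarbaz.com with a serial that decodes to 19 November 1996, change 01.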

Quick summary of the major records in DNS

Record type: Definition

Host (A): Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include Domain, Alias Name, For Host DNS Name.

Name servers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include Domain, Name Server DNS Name.

Pointer (PTR): Maps an IP address to a host name in a DNS reverse zone. Fields include IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include Domain, Host Name (optional), Mail Exchange Server DNS Name, Preference Number.

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make them easier to manage. For example, support.microsoft.com and msdn.microsoft.com can be separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zone types in DNS.

DNS servers can hold primary and secondary zones. A primary zone is the copy of a zone in which updates can be made, while a secondary zone is a read-only copy obtained from a primary by zone transfer. For fault tolerance and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone has exactly one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings and a serial number (incremented with every update).

Q8. Give a short summary of the records in DNS.

NS records point to the DNS servers that are authoritative for a zone. The PTR record is used for reverse lookups (IP address to name). CNAME records give a host additional names (aliases). MX records are used when configuring a domain for e-mail.


Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process that replicates other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading your domain controllers with DNS server duties may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution with a stub zone take place?

When a DNS client performs a recursive query on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query: it sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, just as if it were using NS resource records from its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server stores the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it does not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to the cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.
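As an added example (not from the original page), the following Python models the two decisions just described: which servers a stub-zone holder sends the next query to (stub zone NS servers for a recursive query, a referral for an iterative one, root hints when no stub zone encloses the name), and which returned records go into the stub zone rather than the cache. The zone names, server names and addresses are constructed for the example.

```python
# Added example (not from the page): a model of how a server holding a stub zone
# decides where to send a query, and of what it keeps in the stub zone versus
# its cache, following the description above. Zone names and addresses are
# constructed for the example.

# Constructed stub zone: only the SOA, the NS names, glue A records for those
# names, and the master servers the stub is refreshed from.
STUB_ZONES = {
    "corp.partner.test.": {
        "soa": "ns1.corp.partner.test. hostmaster.corp.partner.test. 42 3600 900 604800 300",
        "ns": ["ns1.corp.partner.test.", "ns2.corp.partner.test."],
        "glue": {"ns1.corp.partner.test.": "192.0.2.53",
                 "ns2.corp.partner.test.": "192.0.2.54"},
        "masters": ["192.0.2.53"],
    },
}
ROOT_HINTS = {"a.root.test.": "198.51.100.1"}  # constructed root hint


def closest_stub_zone(qname):
    """Longest-suffix match: the stub zone that encloses qname, or None."""
    qname = qname.lower()
    best = None
    for zone in STUB_ZONES:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def next_step(qname, recursion_desired=True):
    """Return (action, targets). For a recursive query the server queries the
    stub zone's NS servers directly (using the glue addresses); with no stub
    zone it falls back to its root hints. For an iterative query the client
    simply gets a referral to the stub zone's NS records."""
    zone = closest_stub_zone(qname)
    if zone is None:
        return ("recurse-from-root-hints", sorted(ROOT_HINTS.values()))
    stub = STUB_ZONES[zone]
    if not recursion_desired:
        return ("referral", list(stub["ns"]))
    addrs = [stub["glue"][ns] for ns in stub["ns"] if ns in stub["glue"]]
    return ("iterative-query", addrs)


def store_response(zone, records):
    """Split records returned by the zone's authoritative servers: SOA and NS
    records for the zone apex and glue A records for its NS names update the
    stub zone; everything else goes to the ordinary cache and is returned."""
    stub = STUB_ZONES[zone]
    cache = []
    for owner, rtype, rdata in records:
        if owner == zone and rtype == "SOA":
            stub["soa"] = rdata
        elif owner == zone and rtype == "NS":
            if rdata not in stub["ns"]:
                stub["ns"].append(rdata)
        elif rtype == "A" and owner in stub["ns"]:
            stub["glue"][owner] = rdata
        else:
            cache.append((owner, rtype, rdata))
    return cache


if __name__ == "__main__":
    print(next_step("host.corp.partner.test."))
    print(next_step("host.corp.partner.test.", recursion_desired=False))
    print(next_step("www.other.test."))
```

The longest-suffix match is the important part: a stub zone for corp.partner.test. must not capture queries for notcorp.partner.test., which is why the comparison requires a label boundary (the leading dot) rather than a plain string suffix.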

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In the standard zone storage model, DNS updates follow a single-master update model. In this model a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model the primary server for the zone is a single fixed point of failure: if it is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS follow a multimaster update model. In this model any authoritative DNS server, such as a domain controller running the DNS server, is a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS server on any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones you can edit the access control list (ACL) of a dnsZone object in the directory tree. This gives granular access control over either the zone or a specific resource record in the zone. For example, the ACL on a zone or record can be restricted so that dynamic updates are only allowed from a specified client computer or a security group such as Domain Admins. This security feature is not available with standard primary zones.

Note that when you change the zone type to directory-integrated, the default for updating the zone changes to allow only secure updates. This matters: with nonsecure updates allowed, any host that can reach the server can overwrite another host's records. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.


Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication is performed on a per-property basis, only relevant changes are propagated. This means less data is sent in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they have not been refreshed for a period of time. By default this applies only to records that were added via dynamic DNS (DDNS), which carry a timestamp; manually added (static) records have no timestamp and are not scavenged unless you explicitly give them one. Scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records, which otherwise keep pointing at addresses that may since have been reassigned to other hosts.

Q15. What is the default interval at which the DNS server kicks off the scavenging process?

The default scavenging period is 168 hours, which is equivalent to 7 days.
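As an added example (not from the original page), the following Python models aging and scavenging as described in Q14 and Q15: dynamic records carry a timestamp, a refresh from the client only moves that timestamp once the no-refresh interval has passed, and a record whose timestamp is older than no-refresh plus refresh is removed by the next scavenging pass. Static records have no timestamp and are never removed. The 7-day no-refresh and refresh intervals are the Windows DNS defaults; the record set, the clock and which clients are still alive are constructed for the example.

```python
# Added example (not from the page): a model of DNS aging and scavenging. Each
# dynamically registered record carries a timestamp; once the no-refresh and
# refresh intervals have both elapsed since that timestamp the record is stale
# and the next scavenging pass removes it. Static (manually added) records have
# no timestamp and are left alone. The 7-day intervals are the Windows DNS
# defaults; the records and the clock are constructed for the example.
from datetime import datetime, timedelta

NO_REFRESH = timedelta(days=7)            # refresh attempts are ignored in this window
REFRESH = timedelta(days=7)               # the record must be refreshed again within this
SCAVENGING_PERIOD = timedelta(hours=168)  # default interval between scavenging passes (7 days)

NOW = datetime(2024, 3, 15, 12, 0)        # constructed clock


def sample_records(now=NOW):
    """Constructed records; 'alive' says whether the client still re-registers."""
    return [
        {"name": "pc1.example.test.", "timestamp": now - timedelta(days=2), "alive": True},
        {"name": "pc2.example.test.", "timestamp": now - timedelta(days=15), "alive": False},
        {"name": "pc3.example.test.", "timestamp": now - timedelta(days=8), "alive": True},
        {"name": "printer.example.test.", "timestamp": None, "alive": True},  # static record
    ]


def refresh_record(record, now):
    """A dynamic-update refresh only moves the timestamp once the no-refresh
    interval has passed; this is what keeps refreshes from causing a
    replication write every time a client re-registers."""
    ts = record["timestamp"]
    if ts is None or now - ts < NO_REFRESH:
        return False
    record["timestamp"] = now
    return True


def is_stale(record, now):
    ts = record["timestamp"]
    return ts is not None and now - ts >= NO_REFRESH + REFRESH


def scavenge(records, now):
    """Remove stale dynamic records in place; return the names removed."""
    removed = [r["name"] for r in records if is_stale(r, now)]
    records[:] = [r for r in records if not is_stale(r, now)]
    return removed


def next_scavenge_time(last_run):
    return last_run + SCAVENGING_PERIOD


def run_demo(now=NOW):
    """Live clients attempt refreshes, then the server runs one scavenging pass.
    Returns (names refreshed, names removed, names remaining)."""
    records = sample_records(now)
    refreshed = [r["name"] for r in records if r["alive"] and refresh_record(r, now)]
    removed = scavenge(records, now)
    return refreshed, removed, [r["name"] for r in records]


if __name__ == "__main__":
    print(run_demo())
```

Two consequences of this model are worth knowing before enabling scavenging on a production zone: a record can survive up to no-refresh plus refresh plus one scavenging period (three weeks with all defaults) after its client disappears, and scavenging must be enabled on the zone and on exactly one server, since every scavenging server applies the same rule to the same replicated timestamps.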

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary. The reason is that I feel there are two configurations
> that could be setup. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. both local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard or architected such a configuration?

> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                 |
>                 |
>         -----------------
>         |               |
> ----------------   --------------
> |    DNS 1     |   |    DNS 2   |
> ----------------   --------------
>     1.1.1.1            1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet? How can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.1.206 and get a reply for a Compaq server.
> How does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
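As an added example (not part of the original Q&A), the following Python builds the name a resolver looks up to reverse-map an address and lists the chain of zones it may be referred through. It goes beyond the answer above by also handling IPv6, which uses one hexadecimal nibble per label under ip6.arpa. The addresses are constructed for the example.

```python
# Added example (not part of the original Q&A): build the name a resolver looks
# up to reverse-map an address, and the chain of zones it may be referred
# through. It goes beyond the answer above by also handling IPv6 (ip6.arpa,
# one hex nibble per label). Addresses are constructed for the example.
import ipaddress


def reverse_name(address):
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def delegation_chain(address):
    """Names a querier can be referred through, top down, for an IPv4 address:
    in-addr.arpa, then the /8, /16 and /24 cuts, ending at the PTR owner name.
    Not every level is a separate zone in practice; in the answer above the
    161.in-addr.arpa servers (ARIN) referred straight to 1.114.161.in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(address)).split(".")
    chain = ["in-addr.arpa."]
    for i in range(1, 5):
        chain.append(".".join(reversed(octets[:i])) + ".in-addr.arpa.")
    return chain


if __name__ == "__main__":
    print(reverse_name("161.114.1.206"))
    print(reverse_name("2001:db8::1"))
    for name in delegation_chain("161.114.1.206"):
        print(" ->", name)
```

Because the delegation follows the address hierarchy, the organisation that controls a reverse zone is whoever holds that address block, not whoever owns the forward domain. A PTR record is therefore only weak evidence of identity: always confirm it with a forward lookup of the returned name and check that the address is among that name's A records.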


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> setup a primary and a single slave server and run caching only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to setup TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS setup properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www  CNAME 192.168.0.1
> mail CNAME 192.168.0.1
> pop  CNAME 192.168.0.1
> smtp CNAME 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.
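As an added example (not part of the original Q&A), the following Python checks zone-file records against the rules stated in the record summary table earlier on this page and in the answers to Q5 and Q8 above: an A record carries an address, a CNAME or NS target must be a domain name rather than an address, a PTR lives under in-addr.arpa or ip6.arpa, and an MX carries a 16-bit preference followed by a server name. The sample zone lines are constructed for the example and two of them are deliberately wrong.

```python
# Added example (not from the original page): a checker for the record types in
# the summary table (A, CNAME, NS, PTR, MX) that encodes the rules the answers
# above state. Sample records are constructed for the example.
import ipaddress

MAX_PREFERENCE = 0xFFFF  # MX preference is an unsigned 16-bit field (0..65535)

# Constructed zone lines: two of them break the rules on purpose.
SAMPLE_ZONE = [
    "example.test.              IN A     192.0.2.10",
    "www.example.test.          IN CNAME 192.168.0.1",             # wrong: CNAME to an address
    "mail.example.test.         IN A     192.0.2.25",
    "example.test.              IN NS    ns1.example.test.",
    "example.test.              IN MX    10 mail.example.test.",
    "example.test.              IN MX    70000 mx2.example.test.",  # wrong: preference > 65535
    "10.2.0.192.in-addr.arpa.   IN PTR   example.test.",
]


def is_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def is_domain_name(s):
    """Loose hostname syntax: dot-separated labels of 1..63 letters, digits or
    hyphens, not starting or ending with a hyphen."""
    labels = s.rstrip(".").split(".")
    return all(1 <= len(l) <= 63 and l.replace("-", "").isalnum()
               and not l.startswith("-") and not l.endswith("-") for l in labels)


def split_record(line):
    """Return (owner, type, rdata tokens) from '<owner> [ttl] [IN] <type> <rdata>'."""
    tokens = line.split()
    owner, rest = tokens[0], tokens[1:]
    if rest and rest[0].isdigit():        # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() == "IN":  # optional class
        rest = rest[1:]
    if not rest:
        raise ValueError("no record type in: " + line)
    return owner, rest[0].upper(), rest[1:]


def check_record(line):
    """Return a list of problems with one record; an empty list means it is OK."""
    owner, rtype, rdata = split_record(line)
    problems = []
    if rtype == "A":
        if len(rdata) != 1 or not is_ipv4(rdata[0]):
            problems.append("A record needs exactly one IPv4 address")
    elif rtype in ("CNAME", "NS"):
        if len(rdata) != 1 or is_ipv4(rdata[0]) or not is_domain_name(rdata[0]):
            problems.append(rtype + " target must be a domain name, not an address")
    elif rtype == "PTR":
        if not owner.lower().endswith((".in-addr.arpa.", ".ip6.arpa.")):
            problems.append("PTR owner must be under in-addr.arpa or ip6.arpa")
        if len(rdata) != 1 or not is_domain_name(rdata[0]):
            problems.append("PTR target must be a domain name")
    elif rtype == "MX":
        if len(rdata) != 2 or not rdata[0].isdigit():
            problems.append("MX needs '<preference> <mail server name>'")
        else:
            if int(rdata[0]) > MAX_PREFERENCE:
                problems.append("MX preference must be 0..65535")
            if is_ipv4(rdata[1]) or not is_domain_name(rdata[1]):
                problems.append("MX target must be a domain name, not an address")
    else:
        problems.append("unhandled record type " + rtype)
    return problems


def check_zone(lines):
    """Map each record line to its list of problems."""
    return {line: check_record(line) for line in lines}


if __name__ == "__main__":
    for line, problems in check_zone(SAMPLE_ZONE).items():
        print("OK  " if not problems else "BAD ", line, problems)
```

The CNAME rule is the one that catches the records quoted in Q5: `192.168.0.1` passes a naive "labels of letters and digits" test, so the checker rejects anything that parses as an address before it accepts it as a name.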

Q9. Why are there only 13 root name servers?

> I'm very wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit in the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation of NS record numbers
> in a DNS packet that is specified by certain RFCs, or just Internet policy stuff.
> Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the five FSMO roles?

Role                     Scope          Count
Schema Master            Forest level   One per forest
Domain Naming Master     Forest level   One per forest
PDC Emulator             Domain level   One per domain
RID Master               Domain level   One per domain
Infrastructure Master    Domain level   One per domain

Q2. What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It holds the only writable copy of the schema. This DC is the only one that can process updates to the directory schema; once a schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master in the forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain the PDC emulator role holder performs the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
• Authentication failures that occur at a given DC in the domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad-password failure is reported to the user.
• Account lockout is processed on the PDC emulator.
• Time synchronization for the domain.
• Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to be relevant only in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object, such as a user, group or computer account, it attaches a unique security identifier (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in the domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.

There is one RID master per domain in a directory.
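As an added example (not from the original page), the following Python models the RID allocation just described: the RID master hands out non-overlapping ranges, each DC stamps new principals with the domain SID plus the next RID from its own pool, and a DC asks for a standby pool once its current one runs low, so a RID master outage only bites a DC that has exhausted both. The domain SID is constructed; the 500-RID pool size is the Windows default, and the request threshold of half the pool is an assumption made for the model.

```python
# Added example (not from the page): a model of RID pool allocation and SID
# construction. The domain SID is constructed; the 500-RID pool size is the
# Windows default, and the request threshold (half the pool) is an assumption
# made for the model.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"  # constructed domain SID
POOL_SIZE = 500
REQUEST_THRESHOLD = POOL_SIZE // 2   # ask for a standby pool at this many RIDs left
FIRST_RID = 1000                     # RIDs below 1000 are well known (500 = Administrator, 512 = Domain Admins)


class RidMaster:
    """Hands out non-overlapping RID ranges from the domain's unallocated pool."""

    def __init__(self):
        self.next_rid = FIRST_RID
        self.reachable = True

    def allocate_pool(self):
        if not self.reachable:
            raise RuntimeError("RID master unreachable: no new pool")
        start = self.next_rid
        self.next_rid += POOL_SIZE
        return (start, start + POOL_SIZE - 1)


class DomainController:
    """Creates security principals from its own pool; keeps one standby pool."""

    def __init__(self, name, master):
        self.name = name
        self.master = master
        self.pool = master.allocate_pool()   # first pool obtained at promotion
        self.next_rid = self.pool[0]
        self.standby = None

    def remaining(self):
        return self.pool[1] - self.next_rid + 1

    def _top_up(self):
        """Request a standby pool once the current one runs low. A failure is
        tolerated here because RIDs are still available."""
        if self.standby is None and self.remaining() <= REQUEST_THRESHOLD:
            try:
                self.standby = self.master.allocate_pool()
            except RuntimeError:
                pass

    def create_principal(self):
        """Return the SID of a new user/group/computer: domain SID + RID."""
        if self.remaining() == 0:
            if self.standby is None:
                # no RIDs left at all: this is where an unreachable RID master hurts
                self.standby = self.master.allocate_pool()
            self.pool, self.standby = self.standby, None
            self.next_rid = self.pool[0]
        rid = self.next_rid
        self.next_rid += 1
        self._top_up()
        return "%s-%d" % (DOMAIN_SID, rid)


def try_create(dc):
    """SID of a new principal, or None if the DC is out of RIDs and cannot get more."""
    try:
        return dc.create_principal()
    except RuntimeError:
        return None


if __name__ == "__main__":
    master = RidMaster()
    dc1 = DomainController("DC1", master)
    print(dc1.pool, dc1.create_principal())
```

The model also shows why a seized RID master must never be replaced by the old role holder coming back online: two masters handing out ranges from different ideas of the unallocated pool would issue the same RID twice, and two different principals would then share one SID.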

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure Master is the DC responsible for updating an object's SID and distinguished name in such a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure Master is involved. Likewise, if that user in DomainA is then renamed or moved, the Infrastructure Master of DomainB must update the group membership(s) in DomainB with the new name.

There is only one Infrastructure Master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO to create the first domain controller of a new domain or to demote the last domain controller of an existing one). If it is not, the domain cannot be added or removed. Promoting or demoting an additional domain controller within an existing domain does not need it. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This is most noticeable in a mixed mode domain where you are still running NT 4 BDCs, and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC are affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the outage is less visible, because the other domain controllers keep authenticating users and accepting password changes, but the functions listed under Q2 (password-change forwarding, lockout processing, time synchronization, Group Policy editing) stop working until the role is transferred or seized, so this is the role to recover first.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain holds all five FSMO roles by default. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller, and all five FSMO roles exist on that DC. There is no rule that says you have to have one server for each FSMO role. Note the difference between transferring a role (both the old and the new holder are online and agree on the move) and seizing it (forced onto a new holder because the old one is gone for good): a DC whose role was seized must never be brought back onto the network with that role, because two holders of the same role will make conflicting changes.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to Microsoft, the Domain Naming Master needs to be on a Global Catalog server (a Windows 2000 requirement that is dropped at the Windows Server 2003 forest functional level). If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it compares its own domain's references against the Global Catalog. If both reside on the same server, the Infrastructure Master never finds a stale reference, because the Global Catalog keeps it constantly updated, so it never replicates the corrections to the other domain controllers in its domain. Note: In a single-domain environment this is not an issue. It is also not an issue if every domain controller in the domain is a Global Catalog server, because then no DC holds stale references.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog rule above, but it is recommended. Also, since the PDC Emulator receives more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners, and that they have high-bandwidth connections to one another as well as to a Global Catalog server.

Q7. What permissions do you need in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master:          member of the Schema Admins group
Domain Naming Master:   member of the Enterprise Admins group
PDC Emulator:           member of the Domain Admins group and/or the Enterprise Admins group
RID Master:             member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master:  member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out which servers in your domain/forest hold which roles


1. Active Directory Users and Computers: use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these three roles.

Open Active Directory Users and Computers, right-click the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) opens with three tabs, one for each FSMO role. Click each tab to see which server that role resides on. To change a role holder you must first connect to the domain controller you want to move it to: right-click Active Directory Users and Computers at the top of the snap-in and choose Connect to Domain Controller. Once connected to that DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you connect to another DC, the name of that DC appears in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as for viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except that you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. You will see the dialog box below. Changing the server that holds the Domain Naming Master requires that you first connect to the new domain controller and then click the Change button. You can connect to another domain controller by right-clicking Active Directory Domains and Trusts at the top of the snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. The snap-in is not shown by default on Windows 2000: its DLL ships with the Windows 2000 Server administrative tools but must be registered first (run regsvr32 schmmgmt.dll from a command prompt). Once registered, open a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. With the snap-in open, right-click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out which server holds which FSMO role is the Netdom command-line utility. Like the Active Directory Schema snap-in, Netdom is not installed by default; it is part of the Support Tools on the Windows 2000 Server CD and of the Windows 2000 Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the Active Directory Replication Monitor (replmon). Open it from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties, then click the FSMO Roles tab to view the servers holding the five FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about FSMO roles and to change role holders (including seizing a role when the holder is gone). Ntdsutil.exe is a command-line utility installed with Windows 2000 Server; it is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders. Part of the Microsoft Windows 2000 Server Resource Kit, downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints the current FSMO holders to the screen; calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks. Type nltest /? for syntax and switches.

Common uses:
• Get a list of all DCs in the domain
• Get the name of the PDC emulator
• Query or reset the secure channel for a server
• Call DsGetDCName to query for an available domain controller

8. Adcheck (470k, 3rd party)

A simple utility to view information about AD and FSMO roles: http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC: whether you don't want users to run Windows Update or change their display settings, or you want to ensure certain applications are installed on computers, all of this can be done with Group Policies.

Group Policies can be configured either locally or as domain policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure or modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers; they cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain policies are applied to computers and users that are members of a domain, and these policies are configured on domain controllers. You can access domain Group Policies by opening Active Directory Sites and Services (these policies apply at the site level only) or Active Directory Users and Computers (these policies apply to the domain and/or organizational units).

Q3. Where do you create a Group Policy?

To create a domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name or another site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except that you right-click the domain or an OU and choose Properties.

Q4. Who can create or modify Group Policies?

You have to have administrative privileges to create or modify Group Policies. The following table shows who can create or modify Group Policies at each level.

Policy type                  Allowable groups/users

Site-level Group Policies    Enterprise Admins and/or Domain Admins in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Admins group is found only in the root domain.

Domain-level Group Policies  Enterprise Admins, Domain Admins, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU-level Group Policies      Enterprise Admins, Domain Admins, or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

Local Group Policies         The local Administrator user account or members of the local Administrators group.

Additionally, at the OU level users can be delegated control over the OU's Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already-created Group Policies to the OU. If you want to give the OU administrators control over creating or modifying Group Policies, add them to the Group Policy Creator Owners group for the domain. Keep in mind that anyone who can edit a GPO linked to a computer can run code as SYSTEM on that computer (startup scripts, software installation), so membership of this group is effectively administrative access to every machine the GPO applies to.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: local policies first, then site-based policies, then domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains, and OUs are considered container objects.

Computer and user Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory; Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to which objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: computer policies are also referred to as machine policies.

User policies are user specific; they only apply to the user that is logged on. When creating domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the computer policies are applied. When users log in, the user policies are applied. When user and computer Group Policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called background refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could occur at 60, 90, or 120 minutes. For DCs (domain controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all Group Policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup and Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command line tool that can be used to refresh Group Policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that can be used to refresh Group Policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link to be anything less than 500 Kbps. When a user logs into a domain on a link under 500K, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.

Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
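The processing order above (local, site, domain, OU, nested OU, with link order inside a container and the No Override and Block Inheritance exceptions) can be modelled in a few lines. The following is an added example, not code from the original document; the GPO names, setting names and values are constructed, reusing the three Human Resources OU GPOs named earlier to show the bottom-to-top link order:

```python
"""Added example, not from the original document: a small model of Group Policy
precedence resolution -- LSDOU container order, link order inside a container,
No Override (called Enforced in later consoles) and Block Inheritance.
GPO names, setting names and values below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]            # policy setting -> configured value


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False           # the No Override flag on this link


@dataclass
class Container:
    name: str                           # "Local", a site, a domain or an OU
    links: List[Link] = field(default_factory=list)  # console order, top entry first
    block_inheritance: bool = False


def resolve(chain: List[Container]) -> Dict[str, Tuple[str, str]]:
    """Return setting -> (value, winning GPO name) for one user or computer.

    chain lists the containers in processing order: Local, Site, Domain, OU,
    nested OU. A later container overrides an earlier one on conflicts.
    """
    effective: Dict[str, Tuple[str, str]] = {}

    # Only the deepest Block Inheritance matters: it discards every
    # non-enforced GPO above it, including those a higher block would discard.
    block_at: Optional[int] = None
    for i, c in enumerate(chain):
        if c.block_inheritance:
            block_at = i

    # Pass 1: non-enforced links in LSDOU order. Inside a container the list is
    # applied bottom to top, so the top entry is applied last and wins.
    for i, c in enumerate(chain):
        # Block Inheritance stops GPOs inherited from sites, domains and parent
        # OUs; the local GPO (index 0) is not inherited, so it still applies.
        if block_at is not None and 0 < i < block_at:
            continue
        for link in reversed(c.links):
            if not link.no_override:
                for setting, value in link.gpo.settings.items():
                    effective[setting] = (value, link.gpo.name)

    # Pass 2: No Override links are applied after everything else, walking from
    # the object back up to the root, so an enforced link higher in the tree is
    # applied last and wins over child GPOs and over any Block Inheritance.
    for c in reversed(chain):
        for link in reversed(c.links):
            if link.no_override:
                for setting, value in link.gpo.settings.items():
                    effective[setting] = (value, link.gpo.name)

    return effective


def example_chain() -> List[Container]:
    """Constructed scenario: the Human Resources OU from the text with its three
    GPOs in console order, an enforced domain GPO, and Block Inheritance on the OU."""
    local = Container("Local", [Link(GPO("Local GPO", {"ScreenSaverTimeout": "300"}))])
    site = Container("Default-First-Site-Name")
    domain = Container("contoso.com", [
        Link(GPO("Corp Security", {"DisableCMD": "1"}), no_override=True),
        Link(GPO("Default Domain Policy",
                 {"ScreenSaverTimeout": "600", "Wallpaper": "corp.bmp"})),
    ])
    hr = Container("Human Resources", [
        Link(GPO("No ScreenSaver", {"ScreenSaverActive": "0"})),        # top: applied last
        Link(GPO("No Display Settings", {"NoDispCPL": "1", "ScreenSaverActive": "1"})),
        Link(GPO("No Windows Update", {"NoWindowsUpdate": "1", "DisableCMD": "0"})),
    ], block_inheritance=True)
    return [local, site, domain, hr]


if __name__ == "__main__":
    for setting, (value, source) in sorted(resolve(example_chain()).items()):
        print(f"{setting:18} = {value:8} from {source}")
```

Clearing block_inheritance on the Human Resources container lets the Default Domain Policy values through again, while the enforced Corp Security GPO wins in both cases.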

Q16. How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.
Editing GPOs linked to domains requires Domain Administrative permissions.
Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored. Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


Q5. What is a site?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6. What is the use of a site?

Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic.

More specifically, sites are used to control the following:

Workstation logon traffic
Replication traffic
Distributed File System (DFS)

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.

File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7. What objects does a site contain?

Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.

Q8. What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

Q9. Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller and the changes will be replicated to other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q10. What are the different types of replication?

Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).

Intrasite Replication: Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite Replication: Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11. What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that email and other programs use to look up information from a server.

An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12. What types of naming conventions does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. Thus the name uniquely identifies the object relative to the other objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name, discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:

DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.
OU: The Organizational Unit (OU) tag identifies an organizational unit container.
CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object.

An example of a typical distinguished name would be

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g. CN and DC).
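The three name forms above can be derived from one another mechanically. The following is an added example, not code from the original document: it splits the DN from the text into its RDNs and derives the RDN, parent DN and canonical name; the second sample DN, with an escaped comma in the CN, is constructed to show why splitting a DN on bare commas is unsafe.

```python
"""Added example, not from the original document: parse an Active Directory
distinguished name into its RDNs and derive the relative distinguished name,
the parent DN and the canonical name described in the text. The splitter
honours RFC 4514 backslash escapes, so a comma inside a CN value is not
mistaken for a component separator (a naive str.split(",") gets this wrong)."""
from typing import List, Tuple

_SPECIAL = '\\,+"<>;='          # characters that must be escaped inside a value


def _parse_rdn(rdn: str) -> Tuple[str, str]:
    tag, sep, value = rdn.partition("=")
    if not sep or not tag.strip() or not value:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return tag.strip().upper(), value


def _escape(value: str) -> str:
    return "".join("\\" + c if c in _SPECIAL else c for c in value)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (tag, value) pairs, leaf object first, escapes removed."""
    parts: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])     # escaped character is literal, never a separator
            i += 2
            continue
        if ch == ",":
            parts.append(_parse_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(_parse_rdn("".join(buf)))
    return parts


def join_dn(parts: List[Tuple[str, str]]) -> str:
    """Inverse of split_dn: re-escape the values and join with commas."""
    return ",".join(f"{tag}={_escape(value)}" for tag, value in parts)


def rdn(dn: str) -> str:
    """The object's own RDN, e.g. CN=wjglenn: unique only inside its parent."""
    tag, value = split_dn(dn)[0]
    return f"{tag}={_escape(value)}"


def parent_dn(dn: str) -> str:
    """DN of the container that holds the object."""
    return join_dn(split_dn(dn)[1:])


def canonical_name(dn: str) -> str:
    """contoso.com/Users/wjglenn: the DNS domain first, then the path from the
    root down to the object, with no LDAP attribute tags."""
    parts = split_dn(dn)
    dns_name = ".".join(value for tag, value in parts if tag == "DC")
    path = [value for tag, value in reversed(parts) if tag != "DC"]
    return "/".join([dns_name] + path)


if __name__ == "__main__":
    # First DN is the one from the text; the second is constructed to show
    # an escaped comma inside a value.
    for dn in ("CN=wjglenn,CN=Users,DC=contoso,DC=com",
               "CN=Glenn\\, Walter,OU=Sales,DC=contoso,DC=com"):
        print(rdn(dn), "|", parent_dn(dn), "|", canonical_name(dn))
```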

Q13. What is multimaster replication?

Active Directory follows the multimaster replication model, in which every replica of the Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14. Which two operations master roles should be available when new security principals are being created and named?

Domain naming master and the relative ID master.

Q15. What are the different types of groups?

Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups: These are used for non-security purposes by applications other than Windows. One of the primary uses is within an e-mail.

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16. What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e. the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17. What are the items that groups of different scopes can contain in mixed and native mode domains?

Q18. What is group nesting?

Placing one group in another is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas JuniorAdmins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19. How many characters can a group name contain?

64

Q20. Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.

15

Q21 What is DFS

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network Instead of having to think of a specific machine name for each set of files the user will only have to remember one name which will be the key to a list of shares found on multiple servers on the network Think of it as the home of all file shares with links that point to one or more servers that actually host those shares

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics It can also be installed on a cluster for even better performance and reliability

Understanding the DFS TerminologyIt is important to understand the new concepts that are part of DFS Below is an definition of each of them

Dfs root You can think of this as a share that is visible on the network and in this share you can have additional files and folders

Dfs link A link is another share somewhere on the network that goes under the root When a user opens this link they will be redirected to a shared folder

Dfs target (or replica) This can be referred to as either a root or a link If you have two identical shares normally stored on different servers you can group them together as Dfs Targets under the same link

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved for better performance and adds fault tolerance, load balancing and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools which can be used to make administrative, backup and restoration tasks for DFS namespaces easier. The client Windows operating system includes a DFS client which provides additional features as well as caching.


Q22 What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for domain DFS, and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23 Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24 What can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

- Making changes to the site topology based on changes to the physical network topology.
- Tracking subnetting information for the network. This includes IP addresses, subnet masks and the locations of the subnets.
- Monitoring network connectivity and setting the costs for links between sites.

Q1 What is DNS?

DNS provides name registration and name-to-address resolution capabilities. DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand: these are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that they were labor intensive: a host file is modified manually, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.


Q2 Which are the four generally accepted naming conventions?

- NetBIOS name (for instance SPRINGERS01)
- TCP/IP address (121133244)
- Host name (Abbey)
- Media Access Control (MAC) address: this is the network adapter hardware address

Q3 How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to higher and higher level name servers until the query resolution process starts with the far-right term (for instance com) or at the top of the DNS tree with the root name servers.


Below, the steps are explained with the help of a chart.

Figure 8-5: How DNS works

Q4 Which are the major records in DNS?

1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

Eg: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.


2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables in order of priority.

Obviously you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.


One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse, with the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; each part of it is explained afterwards:

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
        1996111901   ; Serial
        10800        ; Refresh
        3600         ; Retry
        3600000      ; Expire
        86400 )      ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on its own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where the NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.
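The serial-number bookkeeping just described, as an added worked example that is not from the original document: next_serial produces the YYYYMMDDNN form shown in the SOA record above, and primary_is_newer decides whether a secondary should pull the zone. The wrap-around comparison is the caveat a practitioner needs: the serial is a 32-bit counter and real servers compare it with serial-number arithmetic (RFC 1982) rather than a plain "greater than", so a serial that was set far too large cannot simply be lowered again.

```python
from datetime import date

SERIAL_MODULUS = 2 ** 32  # an SOA serial is a 32-bit unsigned integer (RFC 1035)


def next_serial(current, today):
    """Return the next YYYYMMDDNN serial, the convention recommended above.

    `today` may be a datetime.date or an ISO 'YYYY-MM-DD' string.  If the
    current serial already carries today's date, NN is bumped; if it carries
    an older date, the serial restarts at today's date with NN = 01; if it is
    ahead of today's date form (or not in date form at all), it is simply
    incremented, so secondaries still see a higher number and pull the zone.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today_prefix = int(today.strftime("%Y%m%d")) * 100
    if today_prefix <= current < today_prefix + 100:
        if current == today_prefix + 99:
            raise ValueError("99 changes already recorded today; use a plain increment")
        return current + 1
    if current < today_prefix:
        return today_prefix + 1
    return (current + 1) % SERIAL_MODULUS


def primary_is_newer(secondary_serial, primary_serial):
    """Decide whether a secondary should pull the zone from the primary.

    The text says the secondary pulls only when the primary's serial is
    higher.  With RFC 1982 serial arithmetic 'higher' means 'ahead by less
    than half the 32-bit space', which lets the counter wrap but also means a
    primary whose serial was lowered looks *older* to every secondary.
    """
    half = SERIAL_MODULUS // 2
    diff = (primary_serial - secondary_serial) % SERIAL_MODULUS
    return 0 < diff < half
```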

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.

Quick Summary of the major records in DNS

Record Type: Definition

Host (A): Maps host name to IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps IP address to host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.
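To tie the record types together, here is an added example that is not code from the original document: a small parser for the zone-file lines shown in this section, a helper that names the SOA fields, and a lint pass that checks the rules stated above (exactly one SOA, at least two NS, an A record for each in-zone name server, CNAME targets that are names rather than addresses, MX preferences within 0..65535 and pointing at canonical names), plus the MX delivery order a mailer would use. The zone text is constructed: draven's address, the backup mail host and the last CNAME are made up for the demonstration, and that CNAME is deliberately wrong in the way the Q&A corner below warns about.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone built from the records this section walks through
# (foobarbaz.com is the document's fictitious domain).  draven's address, the
# backup mail host and the last CNAME are made up; that CNAME is deliberately
# wrong: its target is an IP address rather than a domain name.
SAMPLE_ZONE = """\
foobarbaz.com.        IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                         1996111901 ; Serial
                         10800      ; Refresh
                         3600       ; Retry
                         3600000    ; Expire
                         86400 )    ; Minimum
foobarbaz.com.        IN NS    draven.foobarbaz.com.
foobarbaz.com.        IN NS    nse.algx.net.
draven.foobarbaz.com. IN A     36.36.1.7
eric.foobarbaz.com.   IN A     36.36.1.6
www.foobarbaz.com.    IN CNAME eric.foobarbaz.com.
foobarbaz.com.        IN MX 20 backup.foobarbaz.com.
foobarbaz.com.        IN MX 10 eric.foobarbaz.com.
pop.foobarbaz.com.    IN CNAME 192.168.0.1
"""


def _logical_lines(text):
    """Yield one record per item: ';' comments dropped, '( ... )' spans joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf)
            buf = []


def parse_zone(text):
    """Return (owner, ttl, type, rdata_tokens) tuples; ttl is None when omitted."""
    records = []
    for line in _logical_lines(text):
        owner, *rest = line.split()
        ttl = None
        if rest and rest[0].isdigit():        # optional explicit TTL field
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0].upper() == "IN":  # class field, always IN here
            rest = rest[1:]
        records.append((owner, ttl, rest[0].upper(), rest[1:]))
    return records


def soa_fields(records):
    """Name the SOA fields in the order the record lists them; the contact
    becomes an address by swapping the first '.' for '@', as explained above."""
    rdata = next(r for _o, _t, rtype, r in records if rtype == "SOA")
    fields = {"primary": rdata[0], "contact": rdata[1].replace(".", "@", 1)}
    timers = ("serial", "refresh", "retry", "expire", "minimum")
    fields.update(zip(timers, (int(x) for x in rdata[2:])))
    return fields


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def lint_zone(records):
    """Apply the rules this section states and return the problems found."""
    problems, by_type = [], defaultdict(list)
    for owner, _ttl, rtype, rdata in records:
        by_type[rtype].append((owner, rdata))
    a_owners = {owner for owner, _ in by_type["A"]}
    cname_owners = {owner for owner, _ in by_type["CNAME"]}
    if len(by_type["SOA"]) != 1:
        problems.append("zone must have exactly one SOA record")
    if len(by_type["NS"]) < 2:
        problems.append("at least two NS records are required")
    for owner, (server, *_) in by_type["NS"]:
        if server.endswith(owner) and server not in a_owners:  # in-zone server needs its A record
            problems.append(f"name server {server} has no A record")
    for owner, (target, *_) in by_type["CNAME"]:
        if _is_ip(target):
            problems.append(f"CNAME {owner} points at an IP address, not a name")
        if owner in a_owners:
            problems.append(f"{owner} has both an A record and a CNAME")
    for _owner, (pref, target) in by_type["MX"]:
        if not 0 <= int(pref) <= 65535:
            problems.append(f"MX preference {pref} is outside 0..65535")
        if target in cname_owners:
            problems.append(f"MX target {target} is an alias, not a canonical name")
    return problems


def mail_delivery_order(records):
    """MX targets with the lowest preference (highest priority) first: the order a mailer tries them."""
    mx = sorted((int(r[0]), r[1]) for _o, _t, rtype, r in records if rtype == "MX")
    return [target for _pref, target in mx]
```

The parser also accepts the optional per-record TTL between the owner and the class, the form used in the Q&A corner below.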

Q5 What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6 Name the two zones in DNS

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7 How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings and a serial number (incremented with every update).

Q8 Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.


Q9 What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10 What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11 What does a stub zone consist of?

A stub zone consists of:

- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone.

Q12 How does the resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13 What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granulated access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.


Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14 What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15 What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1 How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers via an
> external network load balancing appliance (i.e. F5's Big IP, Cisco's
> Content Switches, Local Directors). The main question being the
> configuration: whether to use 2 Master/Primary Servers, or is it wiser to
> use 1 Primary and 1 Secondary? The reason is that I feel there are two
> configurations that could be set up. One in which only the resolvers query
> the virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. both local queries directly from local users and also queries
> from external DNS servers. I've included a text representation of the
> physical configuration. Have you ever heard of or architected such a
> configuration?
>
> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                  |
>                  |
>          -----------------
>          |               |
>   ----------------   --------------
>   |    DNS 1     |   |   DNS 2    |
>   ----------------   --------------
>      1.1.1.1            1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2 How does reverse mapping work?

> How can reverse lookup possibly work on the Internet? How can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server. How does it know
> where to look? Is there a giant reverse lookup zone in the sky?

Yes, actually there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
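The inversion described above, as an added example that is not part of the original answer: reverse_name builds the in-addr.arpa name (and, as a generalisation the answer does not cover, the ip6.arpa nibble form for IPv6), delegation_path lists the zone cuts a resolver can be referred through, and forward_confirmed shows the check that makes a reverse lookup worth something as a security measure, namely that the name returned by the PTR record must itself map back to the same address. The PTR and A tables are constructed stand-ins for the two zones, not real DNS data.

```python
import ipaddress

# Constructed lookup tables standing in for the reverse zone and the forward
# zone involved in the answer above; illustrative values, not live DNS data.
PTR_TABLE = {"206.1.114.161.in-addr.arpa.": "inmail.compaq.com."}
A_TABLE = {"inmail.compaq.com.": {"161.114.1.206"}}


def reverse_name(ip):
    """Name a resolver queries for PTR records of this address.

    IPv4: octets reversed under in-addr.arpa, the case in the answer above.
    IPv6 (a generalisation the answer does not cover): every hex nibble of
    the expanded address, reversed, under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def delegation_path(ip):
    """Zone cuts a resolver can be referred through, least specific first.

    For 161.114.1.206 that is in-addr.arpa, 161.in-addr.arpa,
    114.161.in-addr.arpa and 1.114.161.in-addr.arpa.  A registry such as
    ARIN serves the top cut and refers the querier to whichever cut the
    address holder actually runs, so real referrals may skip levels.
    """
    labels = reverse_name(ip).rstrip(".").split(".")
    suffix, host_labels = labels[-2:], labels[:-2]
    path = [".".join(suffix) + "."]
    for i in range(len(host_labels) - 1, 0, -1):  # never the full host name itself
        path.append(".".join(host_labels[i:] + suffix) + ".")
    return path


def forward_confirmed(ip, ptr_table=PTR_TABLE, a_table=A_TABLE):
    """Return the PTR name only if that name's A records include the original IP.

    Whoever runs the reverse zone for an address controls its PTR record, so a
    reverse lookup on its own proves little about the client; requiring the
    name to map back to the same address is what turns it into a useful check.
    """
    name = ptr_table.get(reverse_name(ip))
    if name is None or ip not in a_table.get(name, set()):
        return None
    return name
```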


Q3 What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4 Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example 300 IN A 10.0.0.1

Q5 Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www  cname 192.168.0.1
> mail cname 192.168.0.1
> pop  cname 192.168.0.1
> smtp cname 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example

Q6 What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for? The parent name server handles these
> already. Is there any problem if our own NS records have lower TTLs than
> the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7 Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8 What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9 Why are there only 13 root name servers?

> I'm very much wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit on the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation of NS record numbers
> in DNS packets that is specified by certain RFCs, or just Internet policy stuff.
> Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1 Which are the FIVE FSMO roles?

- Schema Master: forest level, one per forest
- Domain Naming Master: forest level, one per forest
- PDC Emulator: domain level, one per domain
- RID Master: domain level, one per domain
- Infrastructure Master: domain level, one per domain

Q2 What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain, the PDC emulator role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.
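The RID pool mechanism above, as an added simulation that is not from the original document: a RidMaster hands out blocks from the domain's unallocated pool, each DomainController draws RIDs from its local block and asks for more once it falls below a threshold, and split_sid separates an account SID into domain SID and RID. The domain SID, the block size of 500 and the half-pool refill threshold are constructed values chosen for the demonstration; the scenario at the end shows why an unavailable RID master only matters once a DC's existing pool is exhausted, the point made in Q3 below.

```python
class RidMaster:
    """The single DC per domain that serves RID pool requests (constructed model)."""

    def __init__(self, first_free_rid=1000, block_size=500):
        self.next_rid = first_free_rid   # lowest RID not yet handed to any DC
        self.block_size = block_size     # assumed size of one allocation
        self.available = True            # set False to model the role holder failing

    def allocate_block(self):
        """Hand the next block of RIDs from the unallocated pool to a requesting DC."""
        if not self.available:
            raise ConnectionError("RID master unreachable")
        block = list(range(self.next_rid, self.next_rid + self.block_size))
        self.next_rid += self.block_size
        return block


class DomainController:
    """Any DC in the domain: creates security principals from its local RID pool."""

    def __init__(self, domain_sid, rid_master, refill_fraction=0.5):
        self.domain_sid = domain_sid
        self.rid_master = rid_master
        self.refill_at = int(rid_master.block_size * refill_fraction)
        self.pool = []

    def _request_more_if_low(self):
        # The DC asks for a new block when its pool falls below the threshold,
        # but keeps creating objects from what it already holds; a failed
        # request only becomes fatal once the local pool is empty.
        if len(self.pool) < self.refill_at:
            try:
                self.pool.extend(self.rid_master.allocate_block())
            except ConnectionError:
                pass

    def create_principal(self, name):
        """Create a user/group/computer object and return its SID (domain SID + RID)."""
        self._request_more_if_low()
        if not self.pool:
            raise RuntimeError(f"cannot create {name}: RID pool exhausted and RID master unavailable")
        rid = self.pool.pop(0)
        return f"{self.domain_sid}-{rid}"


def split_sid(sid):
    """Split an account SID into (domain SID, RID), the two parts described above."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def simulate_rid_master_outage(created_before_outage=10, attempted_during_outage=600):
    """Constructed scenario: how many principals one DC can still create after the
    RID master goes down.  Returns (number created, SIDs of the first two)."""
    master = RidMaster(block_size=500)
    dc = DomainController("S-1-5-21-1000-2000-3000", master)  # constructed domain SID
    sids = [dc.create_principal(f"user{i}") for i in range(created_before_outage)]
    master.available = False
    for i in range(attempted_during_outage):
        try:
            sids.append(dc.create_principal(f"bulk{i}"))
        except RuntimeError:
            break
    return len(sids), sids[:2]
```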

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, or possibly by an administrator adding an attribute to an object class), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO to create the first DC of a new domain or to remove the last DC of an existing one). If it is not available, the domain cannot be added or removed. Promoting or demoting an additional domain controller within an existing domain does not need it. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed-mode domain where you are still running NT 4 BDCs and using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native-mode domain the failure of the PDC emulator is less severe, but it is still noticed: password changes and account lockouts are no longer forwarded to it, it is the domain's default time source, and the Group Policy editing tools connect to it by default. If the outage is more than brief, transfer or seize the role.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are adding the users or groups on ran out of RIDs. Cross-domain object moves also fail while the RID Master is down.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are adding objects from one domain to groups in another, or renaming or moving objects that are referenced from another domain.

Q4. Where are these FSMO server roles found?

The first domain controller installed in a Windows 2000 domain holds all five FSMO roles by default (the three domain-wide roles for its own domain; the two forest-wide roles only if it is also the first DC in the forest). Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and of course the one domain controller, and all 5 FSMO roles will exist on that DC. There is no rule that says you have to have one server for each FSMO role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: according to Microsoft, in a Windows 2000 forest the Domain Naming Master must be on a Global Catalog server (this requirement was dropped at the Windows Server 2003 forest functional level). If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMPORTANT: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it compares its own stored references against the Global Catalog. If both reside on the same server, the Infrastructure Master will never find anything out of date, because the Global Catalog keeps it constantly updated. It would therefore never replicate corrected cross-domain references to the other domain controllers in its domain, which are not GCs and do hold stale copies. Note: in a single-domain environment this is not an issue, and it is also not an issue if every domain controller in the domain is a Global Catalog server, because then no DC holds a stale reference that needs fixing.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog separation above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high-bandwidth connections to one another as well as to a Global Catalog server.

Q7. What permissions do you need in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group
Domain Naming Master: member of the Enterprise Admins group
PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
RID Master: member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Which tools show what servers in your domain/forest hold what roles?

1. Active Directory Users and Computers: use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these three roles.

Open Active Directory Users and Computers, right-click the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see which server that role resides on. To change a role you must first connect to the domain controller you want to move it to: right-click Active Directory Users and Computers at the top of the snap-in and choose Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you connect to another DC you will notice that the name of that DC appears in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as for viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. You will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller and then click the Change button. You can connect to another domain controller by right-clicking Active Directory Domains and Trusts at the top of the snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not listed among the default Windows 2000 administrative tools: its DLL (schmmgmt.dll) is present on every domain controller and with the Administrative Tools pack, but it must be registered first by running regsvr32 schmmgmt.dll from a command prompt. Once registered, open a blank Microsoft Management Console (Start, Run, mmc) and add the Active Directory Schema snap-in to the console. Once the snap-in is open, right-click Active Directory Schema at the top of the tree and choose Operations Master. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out which server holds which FSMO role is the Netdom command-line utility. Like the other Support Tools, Netdom is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor (replmon.exe): another tool that comes with the Support Tools. Open it from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties, then click the FSMO Roles tab to view the servers holding the five FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes with regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command-line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document. It is, however, the only one of these tools that can seize a role from a role holder that is no longer available.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders. Part of the Microsoft Windows 2000 Server Resource Kit, downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp. Prints the current FSMO holders to the screen; it calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks. Type nltest /? for syntax and switches.

Common uses:

Get a list of all DCs in the domain
Get the name of the PDC emulator
Query or reset the secure channel for a server
Call DsGetDcName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles: http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role?

See Microsoft Knowledge Base article Q255504: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
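The same three tasks (finding the role holders as in Q8, checking the Infrastructure Master placement rule from Q6, and transferring or seizing roles as in Q9) can be done from the ActiveDirectory PowerShell module that ships with the RSAT. The block below is an added example, not code from the original document or from the Knowledge Base article; it assumes the caller has the group memberships listed in Q7, and "DC02" is a placeholder server name.

```powershell
# Added example, not from the original document: list the FSMO role holders,
# check the Infrastructure Master / Global Catalog placement rule from Q6, and
# transfer or seize roles with the ActiveDirectory PowerShell module (RSAT).
# The caller needs the group memberships listed in Q7. DC02 is a placeholder.
Import-Module ActiveDirectory

# Same information as "netdom query fsmo" (nltest /dsgetdc:<domain> /pdc returns
# just the PDC emulator): two forest-wide and three domain-wide roles.
function Get-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $dom.PDCEmulator              # per domain
        RIDMaster            = $dom.RIDMaster                # per domain
        InfrastructureMaster = $dom.InfrastructureMaster     # per domain
    }
}

# The Infrastructure Master only does useful work when it is NOT a GC: it fixes
# stale cross-domain references by comparing them with a GC. Exceptions: a
# single-domain forest, or a domain in which every DC is a GC (nothing is stale).
function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)
    $im     = (Get-ADDomain -Identity $Domain).InfrastructureMaster
    $imIsGc = ($dcs | Where-Object { $_.HostName -eq $im }).IsGlobalCatalog
    $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $single = @((Get-ADForest).Domains).Count -eq 1
    if ($imIsGc -and -not $allGc -and -not $single) {
        "WARNING: $im is Infrastructure Master and a GC while other DCs are not; cross-domain references in $Domain will not be refreshed."
    } else {
        "OK: Infrastructure Master placement on $im is acceptable."
    }
}

# Transfer needs the current holder online; seizure is for a holder that is gone
# for good. -Force seizes when a normal transfer is not possible. Roles may be
# named or given as 0-4 (PDCEmulator, RIDMaster, InfrastructureMaster,
# SchemaMaster, DomainNamingMaster). ntdsutil equivalent: roles > connections >
# connect to server DC02 > quit > transfer pdc (or seize pdc).
function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)][string[]]$Role,
        [switch]$Seize
    )
    if ($Seize) {
        # After seizing the Schema, Domain Naming or RID master, the old holder
        # must never be reconnected without being reinstalled (KB 255504, Q9).
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false
    } else {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
    }
    Get-FsmoRoleHolder
}

# Get-FsmoRoleHolder
# Test-InfrastructureMasterPlacement
# Move-FsmoRole -TargetDc DC02 -Role PDCEmulator, RIDMaster
# Move-FsmoRole -TargetDc DC02 -Role SchemaMaster -Seize
```

Run Get-FsmoRoleHolder before and after a transfer and keep the output: during an incident the question "who held the PDC emulator at the time" comes up often, and the GUI tools from Q8 do not leave a record.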

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC: whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or as domain policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure or modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP (and later) computers; they cannot be used on Win9x or WinNT computers, which only support the older System Policies.

Q2. Who does a domain policy get applied to?

Domain policies are applied to computers and users who are members of a domain, and these policies are stored on and configured through the domain controllers. You can access domain Group Policies by opening Active Directory Sites and Services (for policies linked at the site level) or Active Directory Users and Computers (for policies linked to the domain and/or Organizational Units).

Q3. From where do you create a Group Policy?

To create a domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name (or another site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. In Active Directory Users and Computers it is the same process, except you right-click the domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have administrative privileges to create or modify Group Policies. The following table shows who can create or modify Group Policies at each level.

Policy Type: Allowable Groups/Users

Site-level Group Policies: Enterprise Admins and/or Domain Admins in the root domain. The root domain is the first domain created in a tree or forest; the Enterprise Admins group is found only in the root domain.

Domain-level Group Policies: Enterprise Admins, Domain Admins, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU-level Group Policies: Enterprise Admins, Domain Admins, or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control over the OU's Group Policies by starting the Delegation of Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already-created Group Policies to the OU. If you want to give the OU administrators control over creating or modifying Group Policies, add them to the Group Policy Creator Owners group for the domain. Note that membership of Group Policy Creator Owners only grants the right to create GPOs; a member can edit only the GPOs they created themselves (they become the Creator Owner of that GPO), not GPOs created by others.

Local Group Policies: the local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the site level, the domain level or the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: local policies first, then site-based policies, then domain-level policies, then OU policies, then nested OU policies (OUs within OUs). A policy applied later overrides conflicting settings from one applied earlier. Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add the users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container (a GPO can be narrowed further to particular users or computers by security filtering, i.e. by granting or denying the Apply Group Policy permission on the GPO). Sites, domains and OUs are the container objects that GPOs can be linked to.

Computer and user Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object is in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node, called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: computer policies are also referred to as machine policies.

User policies are user specific; they only apply to the user that is logged on. When creating domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable a node's policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It is important to understand that when Group Policies are applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally the user is in the Security OU, which is nested inside the Development OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa); the resultant set is worked out first, with the Security OU settings winning any conflict because it is the nearer container. The same goes for computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated and then applied.

When computers boot up, the computer policies are applied. When users log in, the user policies are applied. Where the same setting exists in both the computer and user policies, the computer policy generally wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When multiple Group Policy Objects are linked to one container, they are applied from the bottom to the top of the Group Policy Object list: the top Group Policy in the list is the last to be applied and therefore has the highest precedence. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6. How to disable Group Policy Objects?

When you are editing a Group Policy Object the changes take effect immediately; there is no saving of GPOs. To prevent a half-configured GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disabled column; a check mark will appear. Click the Edit button, make your changes, then double-click under the Disabled column again to re-enable the GPO. This is also the place to temporarily disable a GPO for troubleshooting. Alternatively, click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do Group Policy scripts run?

Startup scripts are processed at computer boot-up, before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before any shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies are applied when a computer boots up and when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called background refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 minutes plus a random offset of up to 30 minutes, so a given refresh happens between 90 and 120 minutes after the previous one (the random offset spreads the load on the domain controllers). For DCs (domain controllers) background refresh is every 5 minutes with no offset. In addition, the Security Settings extension reapplies its settings every 16 hours even if nothing has changed, so that security settings altered locally are reverted; the other extensions only reapply when a GPO's version has changed. These settings can be changed under Computer Configuration and User Configuration, Administrative Templates, System, Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh, which are only applied at startup or logon time:

Folder Redirection
Software Installation
Logon, Logoff, Startup and Shutdown scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh Group Policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy to refresh the user policies
secedit /refreshpolicy machine_policy to refresh the machine (or computer) policies

These commands will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command-line tool that can be used to refresh Group Policies on a Windows XP or Windows Server 2003 (and later) computer. It has replaced the secedit /refreshpolicy command. To use gpupdate, open a command prompt and type:

gpupdate /target:user to refresh the user policies
gpupdate /target:computer to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

gpupdate /force

Without a /target switch, gpupdate (with or without /force) refreshes both the user and the computer policies; to force only one of them, combine the switches, e.g. gpupdate /target:computer /force. Settings that are only processed at logon or startup (Folder Redirection, Software Installation) still wait for the next logon or boot; gpupdate /logoff and gpupdate /boot log the user off or restart the computer if such a setting is pending.

Q10. What is the default setting for dial-up users?

Windows 2000 considers a slow link to be anything below 500 kbps. When a user logs into a domain over a link slower than 500 kbps, some policies are not applied.

Windows 2000 automatically detects the speed of the connection to the domain controller and decides which parts of Group Policy to apply.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of link speed. These are:

Administrative Templates (registry settings)
Security Settings
EFS Recovery
IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under Computer Configuration and User Configuration, Administrative Templates, System, Group Policy: the threshold itself is set by Group Policy slow link detection, and whether a given extension runs over a slow link by that extension's policy processing setting.

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.
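The refresh intervals (Q8), the secedit/gpupdate behaviour (Q9) and the slow-link threshold (Q10 to Q12) all come down to a handful of registry values that the Administrative Templates, System, Group Policy settings write. The PowerShell below is an added example, not code from the original document: it reports the effective values on the local machine (falling back to the defaults quoted above when no policy is set) and wraps gpupdate so that the /target, /force, /logoff and /boot combinations described in Q9 can be scripted. The registry paths are the standard policy locations; the Security extension GUID is fixed.

```powershell
# Added example, not from the original document: read the effective Group Policy
# refresh, slow-link and security-reapply settings of the local machine, and
# wrap gpupdate. Registry locations are those written by the Administrative
# Templates > System > Group Policy settings named in the text; where no policy
# is set, the defaults quoted in Q8 and Q10 are reported.

$MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$UserPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System'
# Security Settings client-side extension (fixed GUID). MaxNoGPOListChangesInterval
# is its "reapply even if nothing changed" interval in minutes; 960 = 16 hours.
$SecurityCse   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $Default
}

function Get-GpRefreshConfig {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC (PDC emulator)
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in 4, 5
    if ($isDc) {
        $interval = Get-RegistryValueOrDefault $MachinePolicy 'GroupPolicyRefreshTimeDC' 5
        $offset   = Get-RegistryValueOrDefault $MachinePolicy 'GroupPolicyRefreshTimeOffsetDC' 0
    } else {
        $interval = Get-RegistryValueOrDefault $MachinePolicy 'GroupPolicyRefreshTime' 90
        $offset   = Get-RegistryValueOrDefault $MachinePolicy 'GroupPolicyRefreshTimeOffset' 30
    }
    $userInterval = Get-RegistryValueOrDefault $UserPolicy 'GroupPolicyRefreshTime' 90
    $userOffset   = Get-RegistryValueOrDefault $UserPolicy 'GroupPolicyRefreshTimeOffset' 30
    [pscustomobject]@{
        IsDomainController     = $isDc
        # interval plus a random 0..offset minutes, so the window is [interval, interval+offset]
        ComputerRefreshWindow  = '{0}-{1} min' -f $interval, ($interval + $offset)
        UserRefreshWindow      = '{0}-{1} min' -f $userInterval, ($userInterval + $userOffset)
        SlowLinkThresholdKbps  = Get-RegistryValueOrDefault $MachinePolicy 'GroupPolicyMinTransferRate' 500
        SecurityReapplyMinutes = Get-RegistryValueOrDefault $SecurityCse 'MaxNoGPOListChangesInterval' 960
    }
}

# gpupdate refreshes only changed GPOs; /force reapplies all of them. /target
# limits the refresh to one node; /logoff and /boot let extensions that only run
# at logon or startup (Folder Redirection, Software Installation) complete.
# Returns gpupdate's exit code (0 = success).
function Invoke-GpRefresh {
    param(
        [ValidateSet('computer', 'user')][string]$Target,
        [switch]$Force,
        [switch]$AllowLogoffOrReboot
    )
    $gpArgs = @()
    if ($Target) { $gpArgs += "/target:$Target" }
    if ($Force)  { $gpArgs += '/force' }
    if ($AllowLogoffOrReboot) { $gpArgs += '/logoff', '/boot' }
    & gpupdate.exe @gpArgs | Out-Null
    return $LASTEXITCODE
}

# Get-GpRefreshConfig
# Invoke-GpRefresh -Target computer -Force
```

A host whose SecurityReapplyMinutes has been raised far above 960, or whose refresh interval has been set to 0 (which disables background refresh for that node), is worth a second look during an incident: both are ways of keeping a tampered local security configuration from being corrected by the domain.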

Q13. Which are the two default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy: this GPO can be found under the Group Policy tab for the domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

For domain accounts these three policies can only be set at the domain level. If you set them anywhere else (site or OU), they are ignored for domain accounts. However, setting these three policies at the OU level does affect the local accounts of the computers in that OU: log on to the domain and you get the domain policy, log on locally and you get the OU policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are three policies that, like the account policies, only affect the domain accounts when set at the domain level:

Automatically log off users when logon time expires
Rename Administrator Account: when set at the domain level it affects the domain Administrator account only
Rename Guest Account: when set at the domain level it affects the domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy: this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. It is linked to the Domain Controllers OU, so it applies to every domain controller whose computer object is in that OU, which is where they are created and should stay: moving a domain controller's computer object to another OU takes it out of the scope of this policy and is not supported.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.

Q14. How to restore Group Policy settings back to default?

The following command replaces both the Default Domain Policy and the Default Domain Controllers Policy. You can specify Domain or DC instead of Both to restore only one or the other:

dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPOs, and that dcgpofix ships with Windows Server 2003 and later. It returns the two GPOs to their clean-install defaults: any settings you added to them (the Default Domain Policy is often where the password policy has been customised) are lost, so back up the GPOs first.

If you have ever made changes to the default GPOs and would like to revert to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which restores the GPOs according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not yet installed it on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and of the dcgpofix utility were installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: the local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. An object sits in exactly one OU, but that OU may itself be nested inside other OUs, so GPOs linked to several OUs can apply to it. In this case GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next-highest-level OU, and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions that control the inheritance of Group Policy?

No Override: when you link a GPO to a container, you can configure a No Override option (called Enforced in the Group Policy Management Console) that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: you can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container's link has the No Override option set, the child container cannot block that GPO; No Override always wins over Block Inheritance.
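The rules in Q5, in the Human Resources link-order example, in "Resolving GPOs from Multiple Sources" and in Q15 combine into one algorithm, which the PowerShell below carries out on a model of the link lists as the Group Policy tab shows them. This is an added example, not code from the original document; the containers, links and GPO names are constructed for illustration (the three Human Resources links are the ones from the text), and on a real domain the same per-container data can be read with Get-GPInheritance from the GroupPolicy module.

```powershell
# Added example, not from the original document: work out the order in which the
# GPOs linked to a site, a domain and a chain of OUs are applied to one object,
# following LSDOU, link order, No Override (Enforced) and Block Inheritance as
# described in Q5, Q15 and "Resolving GPOs from Multiple Sources". The containers
# and GPO names below are constructed; real links can be read with Get-GPInheritance.

# One link as the Group Policy tab lists it: Order 1 is the top entry, applied
# last within its container and therefore of highest precedence there.
function New-GpLink {
    param([string]$Gpo, [int]$Order, [switch]$Enforced, [switch]$Disabled)
    [pscustomobject]@{ Gpo = $Gpo; Order = $Order; Enforced = [bool]$Enforced; Disabled = [bool]$Disabled }
}

# $Containers: site, domain, then OUs from the top of the tree down to the OU
# that holds the object. Returns GPO names in application order; the last one
# to set a value wins a conflict.
function Resolve-GpoApplicationOrder {
    param([Parameter(Mandatory)][object[]]$Containers)

    # The lowest container with Block Inheritance cuts off every non-enforced
    # link from the containers above it; its own links still apply.
    $blockAt = -1
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($Containers[$i].BlockInheritance) { $blockAt = $i }
    }

    $normal = New-Object System.Collections.Generic.List[string]
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        # Bottom of the list first, so that Order 1 is applied last.
        foreach ($link in ($Containers[$i].Links | Sort-Object Order -Descending)) {
            if ($link.Disabled -or $link.Enforced) { continue }
            if ($i -ge $blockAt) { $normal.Add($link.Gpo) }
        }
    }

    # Enforced links are applied after all normal ones and ignore Block
    # Inheritance. Among enforced links the PARENT wins, so walk from the object's
    # OU outward: the site's enforced links end up last.
    $enforced = New-Object System.Collections.Generic.List[string]
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        foreach ($link in ($Containers[$i].Links | Sort-Object Order -Descending)) {
            if ($link.Enforced -and -not $link.Disabled) { $enforced.Add($link.Gpo) }
        }
    }

    @('Local GPO') + @($normal) + @($enforced)
}

# Constructed sample: the Human Resources OU from the text (three links), plus a
# site link, a domain with an enforced link, and a child OU with a disabled link.
$sample = @(
    [pscustomobject]@{ Name = 'Site Default-First-Site-Name'; BlockInheritance = $false
                       Links = @( (New-GpLink 'Site Proxy Settings' 1) ) }
    [pscustomobject]@{ Name = 'Domain corp.example'; BlockInheritance = $false
                       Links = @( (New-GpLink 'Default Domain Policy' 1),
                                  (New-GpLink 'Legal Notice' 2 -Enforced) ) }
    [pscustomobject]@{ Name = 'OU Human Resources'; BlockInheritance = $true
                       Links = @( (New-GpLink 'No ScreenSaver' 1),
                                  (New-GpLink 'No Display Settings' 2),
                                  (New-GpLink 'No Windows Update' 3) ) }
    [pscustomobject]@{ Name = 'OU HR Interns'; BlockInheritance = $false
                       Links = @( (New-GpLink 'Kiosk Lockdown' 1 -Disabled) ) }
)
Resolve-GpoApplicationOrder -Containers $sample
```

With Block Inheritance set on Human Resources, the site link and the Default Domain Policy drop out, the three HR links come out bottom-to-top exactly as the text describes (No Windows Update, then No Display Settings, then No ScreenSaver), the disabled link is skipped, and the enforced Legal Notice is applied last in spite of the block. When auditing a domain, an OU that blocks inheritance and sits below an unenforced domain policy is the usual reason a setting "everyone should have" is missing on some machines.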

Q16. How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: redirusr.exe redirects user accounts and redircomp.exe redirects computer accounts (the domain must be at the Windows Server 2003 domain functional level). Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Admins permissions. Editing GPOs linked to domains requires Domain Admins permissions. Editing GPOs linked to OUs requires the permissions delegated for the OU (to link) together with edit rights on the GPO itself.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings they must be members of an Active Directory domain. Support for Group Policy for key operating systems is as follows:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored. Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


Q8. What is a site link?

Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP], i.e. RPC over IP, or Simple Mail Transfer Protocol [SMTP]; SMTP can carry only the schema, configuration and global catalog partitions, not a domain partition). The site link object also governs when replication is scheduled to occur, how often it runs (the interval, 180 minutes by default) and its cost relative to other links, which decides the route when several links connect the same sites.

Q9. Explain replication in Active Directory.

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller and the changes will be replicated to the other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic flows over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location, and the two LANs are connected with a slow (256K) WAN link. You would want replication to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher-priority network traffic. To address this situation you would set up two sites: one containing all the domain controllers on the main LAN and one containing all the domain controllers on the remote LAN.

Q10. What are the different types of replication?

Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).

Intrasite replication: intrasite replication sends replication traffic in an uncompressed format, on the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite replication: intersite replication sends all data compressed. This reflects the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression and decompression are added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization; for example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11. What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that e-mail and other programs use to look up information from a server.

An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12. What types of naming conventions does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies the object uniquely, but only within its parent container. Thus the name uniquely identifies the object relative to the other objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used are:

DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.
OU: The Organizational Unit (OU) tag identifies an organizational unit container.
CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object.

An example of a typical distinguished name would be

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name indicates that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The distinguished name presented in the preceding section would have the canonical name

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).
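The relationships between these name forms are mechanical enough to script. The following is an added example (not from the original page) that takes the page's DN for wjglenn and derives the RDN, the parent DN, the canonical name, the DN after a move to another container, and the RDN-uniqueness check within one parent. The escaped-comma handling (a value such as "Smith\, John") and the OU=Sales container are assumptions added to show the general algorithm, not details taken from the page.

```python
import re

# The DN shown on the page.
EXAMPLE_DN = "CN=wjglenn,CN=Users,DC=contoso,DC=com"


def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas in values."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def _tag_value(rdn):
    """'CN=Smith\\, John' -> ('CN', 'Smith, John'): upper-case tag, unescaped value."""
    tag, _, value = rdn.partition("=")
    return tag.strip().upper(), value.replace("\\,", ",")


def relative_distinguished_name(dn):
    """The RDN is the leftmost component of the DN."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """Everything after the RDN is the DN of the parent container."""
    return ",".join(split_dn(dn)[1:])


def canonical_name(dn):
    """Canonical form: DC labels joined into the domain, then the path root-first,
    with no attribute tags (the two syntax differences the page describes)."""
    pairs = [_tag_value(rdn) for rdn in split_dn(dn)]
    domain = ".".join(value for tag, value in pairs if tag == "DC")
    path = [value for tag, value in pairs if tag != "DC"][::-1]  # reverse: root first
    return "/".join([domain] + path)


def move_object(dn, new_parent):
    """DN after moving an object: the RDN is kept, the parent path changes."""
    return relative_distinguished_name(dn) + "," + new_parent


def same_container_conflict(dn_a, dn_b):
    """True when both DNs share a parent and an RDN (case-insensitive), which
    Active Directory refuses to create."""
    return (parent_dn(dn_a).lower() == parent_dn(dn_b).lower()
            and relative_distinguished_name(dn_a).lower()
            == relative_distinguished_name(dn_b).lower())


if __name__ == "__main__":
    print(relative_distinguished_name(EXAMPLE_DN))   # CN=wjglenn
    print(canonical_name(EXAMPLE_DN))                # contoso.com/Users/wjglenn
    # OU=Sales is an assumed container, used only to show the DN changing on a move.
    print(move_object(EXAMPLE_DN, "OU=Sales,DC=contoso,DC=com"))
```

The conflict check compares case-insensitively because Active Directory treats RDN values that differ only in case as the same name within a container.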

Q13. What is multimaster replication?

Active Directory follows the multimaster replication model, in which every replica of an Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to the other domain controllers.

Q14. Which two operations master roles should be available when new security principals are being created and named?

The domain naming master and the relative ID (RID) master.

Q15. What are the different types of groups?

Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups: These are used for non-security purposes by applications other than Windows. One of the primary uses is within an e-mail application.

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16. What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17. What items can groups of different scopes contain in mixed-mode and native-mode domains?

Q18. What is group nesting?

Placing one group inside another group is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas Junior Admins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19. How many characters can a group name contain?

64

Q20. Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in Domain Name System (DNS) records, so sites must be given valid DNS names.

Q21. What is DFS?

The Distributed File System (DFS) is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to remember a specific machine name for each set of files, the user only has to remember one name, which is the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS can route a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS terminology: It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

DFS root: You can think of this as a share that is visible on the network; in this share you can have additional files and folders.

DFS link: A link is another share somewhere on the network that sits under the root. When a user opens this link, they are redirected to a shared folder.

DFS target (or replica): This can be either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as DFS targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, improved for better performance and with additional fault tolerance, load balancing, and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools, which can be used to make administrative backup and restoration tasks for DFS namespaces easier. The client Windows operating system includes a DFS client, which provides additional features as well as caching.

Q22. What are the types of replication in DFS?

There are two types of replication:
Automatic, which is only available for domain-based DFS.
Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24. What can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) who oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

Making changes to the site topology based on changes to the physical network topology.
Tracking subnetting information for the network; this includes IP addresses, subnet masks, and the locations of the subnets.
Monitoring network connectivity and setting the costs for links between sites.

Q1. What is DNS?

DNS provides name registration and name-to-address resolution capabilities. DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand: they are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that they were labor intensive. A host file is manually modified, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.

Q2. Which are the four generally accepted naming conventions?

NetBIOS name (for instance, SPRINGERS01)

TCP/IP address (121133244)

Host name (Abbey)

Media Access Control (MAC) address: this is the network adapter hardware address.

Q3. How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to higher and higher-level name servers until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.

Below are the steps explained with the help of a chart.

Figure 8-5: How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com. IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.

2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com. IN CNAME eric.foobarbaz.com.

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our e-mail address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com. IN MX 10 eric.foobarbaz.com.

The column on the far left signifies the address that you want to use as an Internet e-mail address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.
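The preference rule, the fallback to the next exchange when one is unreachable, and the "specific beats wildcard" rule are the parts of MX handling worth seeing in code. The following added example (not from the original page) parses a small constructed zone fragment containing the page's MX record plus a wildcard record, and shows the order in which a sending host would try the exchanges. The extra exchanges mx0.foobarbaz.com and backup.foobarbaz.com are assumptions added for illustration; the wildcard matching is simplified in that it does not check whether the queried name has other records of its own.

```python
from collections import defaultdict

# Constructed zone fragment: the page's MX record, a wildcard, and two
# assumed extra exchanges (mx0 and backup are not on the page).
ZONE_FRAGMENT = """\
; mail routing for foobarbaz.com (constructed sample)
foobarbaz.com.   IN MX 10 eric.foobarbaz.com.
foobarbaz.com.   IN MX 20 backup.foobarbaz.com.  ; assumed backup exchange
foobarbaz.com.   IN MX 0  mx0.foobarbaz.com.     ; assumed; 0 is the highest priority
*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.    ; wildcard, as described on the page
"""


def parse_mx_records(zone_text):
    """Return {owner: [(preference, exchange), ...]} for the MX lines of a zone file."""
    records = defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a zone-file comment
        if not line:
            continue
        fields = line.split()
        # Expected layout: owner, class, type, preference, exchange
        if len(fields) == 5 and fields[1].upper() == "IN" and fields[2].upper() == "MX":
            owner, pref, exchange = fields[0], int(fields[3]), fields[4]
            records[owner.lower()].append((pref, exchange.lower()))
    return dict(records)


def lookup_mx(records, name):
    """Exact owner first; otherwise the nearest wildcard ancestor.
    Specific records therefore take precedence over wildcard ones."""
    name = name.lower()
    if name in records:
        return records[name]
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in records:
            return records[wildcard]
    return []


def delivery_order(mx_list):
    """Exchanges sorted by preference, lowest number (highest priority) first."""
    return [exchange for _, exchange in sorted(mx_list)]


def choose_exchange(mx_list, unreachable=frozenset()):
    """First exchange in priority order that is not known to be down; None if all are."""
    for exchange in delivery_order(mx_list):
        if exchange not in unreachable:
            return exchange
    return None


if __name__ == "__main__":
    mx = parse_mx_records(ZONE_FRAGMENT)
    print(delivery_order(mx["foobarbaz.com."]))
    # A workstation name with no MX of its own falls through to the wildcard.
    print(lookup_mx(mx, "ws1.foobarbaz.com."))
```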

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look like this:

6.1.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.

As you can see from the example for the A record at the beginning of this document, the record simply has the IP address in reverse, followed by the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com. IN NS draven.foobarbaz.com.

There must also be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; each part of it is explained afterward.

foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
    1996111901 ; Serial
    10800      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an e-mail address if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on their own entry. In this way, the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed.

Also a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
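Two things in the SOA discussion are easy to get wrong in practice: turning the RNAME field back into a contact address, and maintaining the YYYYMMDDNN serial so that secondaries actually notice a change. The following added example (not from the original page) parses the page's SOA record, converts the RNAME, computes the next serial for a given day, and applies the page's "pull only if the primary's serial is higher" rule. The day-rollover and 99-changes-per-day handling are my additions to make the serial logic complete.

```python
from datetime import date

# The SOA record from the page, in zone-file syntax (';' starts a comment).
SOA_EXAMPLE = """\
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
    1996111901 ; Serial
    10800      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum
"""

NUMERIC_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_soa(text):
    """Parse a (possibly multi-line, parenthesised) SOA record into a dict."""
    joined = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = joined.replace("(", " ").replace(")", " ").split()
    owner, rclass, rtype, mname, rname = tokens[:5]
    if rclass.upper() != "IN" or rtype.upper() != "SOA":
        raise ValueError("not an IN SOA record")
    numbers = [int(t) for t in tokens[5:10]]
    if len(numbers) != 5:
        raise ValueError("SOA needs five numeric fields")
    record = {"owner": owner, "mname": mname, "rname": rname}
    record.update(zip(NUMERIC_FIELDS, numbers))
    return record


def rname_to_email(rname):
    """'hostmaster.foobarbaz.com.' -> 'hostmaster@foobarbaz.com': the first dot becomes '@'."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def next_serial(current, today=None):
    """Next YYYYMMDDNN serial: NN restarts at 01 on a new day, otherwise increments.
    'today' may be a date or an ISO string; defaults to the current date."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    day_base = int(today.strftime("%Y%m%d")) * 100
    if current < day_base:
        return day_base + 1  # first change of the day
    if current - day_base >= 99:
        raise ValueError("more than 99 changes today; NN would overflow into the date")
    return current + 1


def secondary_needs_transfer(primary_serial, secondary_serial):
    """The page's rule: pull the zone only when the primary's serial is higher.
    (Real servers use RFC 1982 serial arithmetic, which also handles wraparound.)"""
    return primary_serial > secondary_serial


if __name__ == "__main__":
    soa = parse_soa(SOA_EXAMPLE)
    print(rname_to_email(soa["rname"]))                # hostmaster@foobarbaz.com
    print(next_serial(soa["serial"], "1996-11-19"))    # 1996111902
    print(next_serial(soa["serial"], "1996-11-20"))    # 1996112001
```

Forgetting to bump the serial is the classic cause of "I changed the zone but the secondaries still serve the old data", which is why the increment is scripted rather than edited by hand.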

Quick summary of the major records in DNS

Record Type: Definition

Host (A): Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Name servers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (optional), Mail Exchange Server DNS Name, Preference Number.

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make management easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zones in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone has one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8. Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for e-mail.

Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities onto your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added records, also referred to as static records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e., F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers, or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be set up. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e., both local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?

> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                 |
>                 |
>         -----------------
>         |               |
> ----------------   --------------
> |    DNS 1     |   |    DNS 2   |
> ----------------   --------------
>      1111               1112

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2 How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records please? Eg I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
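As an added illustration (not part of the original column), the script below builds the reverse-mapping name the answer describes and asks for the PTR record. The IPv4 case is the one discussed above; the IPv6 case (ip6.arpa, one hexadecimal nibble per label, least significant first) is included as a generalisation of the same idea. Resolve-DnsName is the Windows client resolver cmdlet (Windows 8 / Server 2012 and later); the name construction runs offline, the query itself needs network access.

```powershell
# Added example, not from the original Q&A column: build the reverse-mapping
# domain name for an address and ask for its PTR record. The IPv4 case is the
# one described above; IPv6 (ip6.arpa, one hex nibble per label, least
# significant first) is included as a generalisation. Resolve-DnsName is the
# Windows client resolver cmdlet (Windows 8 / Server 2012 and later); the query
# itself needs network access, the name construction does not.
function ConvertTo-ReverseName {
    param([Parameter(Mandatory)][string]$IPAddress)
    $ip    = [System.Net.IPAddress]::Parse($IPAddress)
    $bytes = $ip.GetAddressBytes()
    switch ($ip.AddressFamily) {
        'InterNetwork' {
            # reverse the four octets and append in-addr.arpa
            [array]::Reverse($bytes)
            return ($bytes -join '.') + '.in-addr.arpa'
        }
        'InterNetworkV6' {
            # expand each byte to two hex digits, reverse all 32 nibbles, append ip6.arpa
            $nibbles = @(foreach ($b in $bytes) { ('{0:x2}' -f $b).ToCharArray() })
            [array]::Reverse($nibbles)
            return ($nibbles -join '.') + '.ip6.arpa'
        }
        default { throw "Unsupported address family: $($ip.AddressFamily)" }
    }
}

function Resolve-ReverseName {
    param([Parameter(Mandatory)][string]$IPAddress)
    $name = ConvertTo-ReverseName -IPAddress $IPAddress
    # The resolver walks from the root through in-addr.arpa (or ip6.arpa) down to
    # the name servers that the holder of the address block delegated, exactly as
    # described above.
    Resolve-DnsName -Name $name -Type PTR -ErrorAction Stop |
        Where-Object { $_.Type -eq 'PTR' } |
        Select-Object @{ n = 'Query'; e = { $name } }, NameHost, TTL
}

ConvertTo-ReverseName -IPAddress '161.114.1.206'
ConvertTo-ReverseName -IPAddress '2001:db8::1'
Resolve-ReverseName   -IPAddress '161.114.1.206'
```

Note that a PTR answer is only as trustworthy as whoever controls the delegated reverse zone; a practitioner should confirm it with a forward lookup of the returned name before relying on it (for example in a log-correlation or allow-list decision).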


Q3 What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4 Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5 Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www  CNAME 192.168.0.1
> mail CNAME 192.168.0.1
> pop  CNAME 192.168.0.1
> smtp CNAME 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example:

www CNAME foo.example.

Q6 What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7 Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record over UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8 What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.
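The following function is an added example, not from the original column, covering Q5 and Q8 together: it is the routing decision a sending mail server makes for a destination domain, run against a constructed record set so that it works offline. With no MX records the sender falls back to the destination's own A/AAAA record (the implicit MX); MX preference must be in the unsigned 16-bit range 0..65535 and the lowest value is tried first; and, as with CNAME, the data field of an MX must be a host name rather than an address. The records are hashtables standing in for what a real lookup would return.

```powershell
# Added example, not from the original Q&A column: the mail-routing decision a
# sending mail server makes, run against a constructed record set so it works
# offline. It shows the points above: with no MX records the sender falls back
# to the destination's A/AAAA record (the implicit MX), MX preference is an
# unsigned 16-bit value (0..65535, lowest tried first), and MX data must be a
# host name. The records are hashtables standing in for real lookup results.
function Select-MailHosts {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][hashtable[]]$Records
    )
    $mx = @($Records | Where-Object { $_.Name -eq $Domain -and $_.Type -eq 'MX' })
    if ($mx.Count -gt 0) {
        foreach ($r in $mx) {
            if ($r.Preference -lt 0 -or $r.Preference -gt 65535) {
                throw "MX preference $($r.Preference) for $Domain is outside 0..65535"
            }
            if ($r.Exchange -as [System.Net.IPAddress]) {
                # MX RDATA is a domain name, never an address (same rule as CNAME)
                throw "MX for $Domain points at an IP address, not a host name"
            }
        }
        # Lower preference is tried first; equal preferences may be tried in any order.
        return @($mx | Sort-Object Preference | ForEach-Object { $_.Exchange })
    }
    # No MX at all: deliver to the domain's own address record.
    $addr = @($Records | Where-Object { $_.Name -eq $Domain -and $_.Type -in 'A', 'AAAA' })
    if ($addr.Count -gt 0) { return @($Domain) }
    return @()   # nothing usable; the sender will bounce the message
}

# Constructed sample data, not a real zone.
$zone = @(
    @{ Name = 'example.com';    Type = 'MX'; Preference = 20; Exchange = 'backup.example.com' },
    @{ Name = 'example.com';    Type = 'MX'; Preference = 10; Exchange = 'mail.example.com' },
    @{ Name = 'example.com';    Type = 'A';  Address = '192.0.2.10' },
    @{ Name = 'single.example'; Type = 'A';  Address = '192.0.2.20' }
)

Select-MailHosts -Domain 'example.com'    -Records $zone   # has two MX records
Select-MailHosts -Domain 'single.example' -Records $zone   # has only an A record
Select-MailHosts -Domain 'nomail.example' -Records $zone   # has no records at all
```

The implicit-MX fallback is why a domain that publishes no MX still receives mail at its A record, and also why a backup mailer cannot be expressed without MX records: there is only one A record to fall back to.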

Q9 Why are there only 13 root name servers?

> I'm very wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit in the Domain
> Name System (without any detailed explanation).
> From my understanding it seems that some limitation on the number of NS records
> in a DNS packet is specified by certain RFCs, or is it just Internet policy stuff?
> Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1 Which are the FIVE FSMO roles?

- Schema Master (forest level, one per forest)
- Domain Naming Master (forest level, one per forest)
- PDC Emulator (domain level, one per domain)
- RID Master (domain level, one per domain)
- Infrastructure Master (domain level, one per domain)

Q2 What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It holds the only writable copy of the schema; every other DC holds a read-only replica. Once a schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. It is the only DC that can add or remove a domain from the forest, which is its main purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master per forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain the PDC emulator role holder performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC because of an incorrect password are forwarded to the PDC emulator for validation before a bad-password failure is reported to the user. This catches a password that was just changed on another DC and has not yet replicated.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain: the PDC emulator is the authoritative time source the other DCs in the domain synchronize with.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed-mode domain that contains Windows NT 4 BDCs, the Windows 2000 domain controller holding the PDC emulator role acts as a Windows NT 4 PDC to those BDCs.

There is only one PDC emulator per domain

Note: Some consider the PDC emulator to be relevant only in a mixed-mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique security identifier (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in the domain) and a relative ID (RID) that makes the object unique within the domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC requests additional RIDs from the domain's RID master. The RID master responds by taking RIDs from the domain's unallocated RID pool and assigning them to the requesting DC's pool. Because each RID is handed out exactly once, no two DCs can create principals with the same SID.

There is one RID master per domain in a forest.

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by an object in another domain, the reference is stored as the GUID, the SID (for references to security principals) and the distinguished name (DN) of the referenced object. The Infrastructure Master is the DC responsible for updating the SID and distinguished name in such cross-domain object references.

When a user in DomainA is added to a group in DomainB, the Infrastructure Master is involved. Likewise, if that user in DomainA is later renamed or moved within DomainA, the Infrastructure Master in DomainB must update the group membership(s) in DomainB with the new name.

There is only one Infrastructure Master per domain.

Q3 What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications during setup, and occasionally by an administrator adding an attribute to an object class), the failure of the server holding the Schema Master role does not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO to create the first DC of a new domain or to demote the last DC of an existing domain). If it is not available, the domain cannot be added or removed. Like the Schema Master, this functionality is only used occasionally and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This is most noticeable in a mixed-mode domain where you are still running NT 4 BDCs or downlevel clients (NT and Win9x): since the PDC emulator acts as the NT 4 PDC, any actions that depend on the PDC are affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native-mode domain the failure is less severe because other domain controllers can take over most of the PDC emulator's responsibilities, but the password-change forwarding, lockout processing and time synchronization described above stop until the role is transferred or seized.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO role holder has little immediate impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem occurs only when the DC you are creating the users/groups on exhausts its pool and cannot obtain a new one.

Infrastructure Master: This FSMO role is only relevant in a multi-domain environment. If you have only one domain, the Infrastructure Master has nothing to do. Failure of this server in a multi-domain environment is a problem if you are renaming or moving objects that are referenced from another domain (for example, users who are members of groups in another domain): those references are not updated until the role is available again.

Q4 Where are these FSMO server roles found?

By default the first domain controller installed in a Windows 2000 forest holds all five FSMO roles, and the first DC of each additional domain holds that domain's three domain-level roles. As more domain controllers are added, the roles can be moved to other domain controllers.

Q5 Can you move FSMO roles?

Yes. Moving a FSMO role is a manual process; it does not happen automatically. What if you have only one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and one DC, and all five FSMO roles exist on that DC. There is no rule that says you must have a separate server for each FSMO role.

Q6 Where to place the FSMO roles?

Assuming you have multiple domain controllers in your domain, there are some best practices for placing the FSMO roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to Microsoft, in a Windows 2000 forest the Domain Naming Master needs to be on a Global Catalog server (it uses the GC to verify that the name of a domain being added is not already in use anywhere in the forest). If you are going to separate the Domain Naming Master and the Schema Master, make sure both are on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server.

The Global Catalog contains a partial replica of every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it compares its own copies of those references (phantom records) against a Global Catalog. If both roles reside on the same server, the Infrastructure Master will never find outdated references, because a Global Catalog holds no phantom records of its own; it therefore never replicates corrected references to the other domain controllers in its domain, and their cross-domain references go stale.

Note: This is not an issue in a single-domain environment, nor when every domain controller in the domain is also a Global Catalog server (then no DC holds phantom records that need updating).

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is a recommendation, not a requirement like the Infrastructure Master / Global Catalog rule above. Also, since the PDC Emulator receives more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners, with high-bandwidth connections to one another and to a Global Catalog server.
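The script below is an added example and not part of the original document. It reports the five FSMO role holders and checks them against the placement rules just described, using the ActiveDirectory RSAT PowerShell module (available from Windows Server 2008 R2 onward, so newer than the Windows 2000 tooling this document otherwise covers). It assumes read access to the forest; every name is taken from the live directory.

```powershell
# Added example, not from the original document: show who holds the five FSMO
# roles and check the holders against the placement recommendations above.
# Assumes the ActiveDirectory RSAT module and read access to the forest; all
# names come from the live directory, nothing is hard-coded.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)     # every DC in the current domain
$gcs    = @($forest.GlobalCatalogs)               # FQDN of every GC in the forest

$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Role = $_.Key; Holder = $_.Value; IsGlobalCatalog = ($gcs -contains $_.Value) }
} | Format-Table -AutoSize

$findings = @()
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    $findings += 'Schema Master and Domain Naming Master are on different DCs (recommended together).'
}
if ($gcs -notcontains $forest.DomainNamingMaster) {
    $findings += 'Domain Naming Master is not a Global Catalog server.'
}
if ($domain.PDCEmulator -ne $domain.RIDMaster) {
    $findings += 'PDC Emulator and RID Master are on different DCs (recommended together).'
}
# The Infrastructure Master / GC rule only bites in a multi-domain forest where
# at least one DC in this domain is not a GC.
$nonGC       = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
$multiDomain = @($forest.Domains).Count -gt 1
if ($multiDomain -and $nonGC.Count -gt 0 -and ($gcs -contains $domain.InfrastructureMaster)) {
    $findings += 'Infrastructure Master is a GC while other DCs in the domain are not: cross-domain references will not be updated.'
}
if ($findings.Count -eq 0) { 'FSMO placement matches the recommendations.' } else { $findings }
```

Run it from a domain-joined machine in each domain of the forest, since Get-ADDomain and Get-ADDomainController only return the current domain's role holders and DCs.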

Q7 What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, depending on which role you plan to transfer:

- Schema Master: member of the Schema Admins group
- Domain Naming Master: member of the Enterprise Admins group
- PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
- RID Master: member of the Domain Admins group and/or the Enterprise Admins group
- Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8 Tools to find out which servers in your domain/forest hold which roles

1. Active Directory Users and Computers: use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and to change the location of one or more of these three roles.

Open Active Directory Users and Computers, right-click the domain you want to view the FSMO roles for and click Operations Masters. A dialog box opens with three tabs, one for each domain-level role. Click each tab to see which server holds that role. To change a role holder you must first connect to the domain controller you want to move it to: right-click Active Directory Users and Computers at the top of the snap-in and choose Connect to Domain Controller. Once connected to that DC, go back into the Operations Masters dialog box, choose the role to move and click Change. After you connect to another DC, its name appears in the field below the Change button.


2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as for the domain-level roles in Active Directory Users and Computers, except that you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. Changing the server that holds the Domain Naming Master requires that you first connect to the new domain controller and then click the Change button. You can connect to another domain controller by right-clicking Active Directory Domains and Trusts at the top of the snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once the Support Tools are installed, open a blank Microsoft Management Console (Start > Run > mmc) and add the snap-in to the console. With the snap-in open, right-click Active Directory Schema at the top of the tree and choose Operations Master. Changing the server the Schema Master resides on requires that you first connect to the target domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out which server holds which FSMO role is the Netdom command-line utility. Like the Active Directory Schema snap-in, Netdom is only available if you have installed the Support Tools from the Windows 2000 CD or the Windows 2000 Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt, type netdom query fsmo and press Enter. You will see a list of the five roles and the server holding each one.


5. Active Directory Replication Monitor: another tool that comes with the Support Tools. Open it from Start > Programs > Windows 2000 Support Tools. Once open, click Edit > Add Monitored Server and add the name of a domain controller. Once added, right-click the server name, choose Properties and click the FSMO Roles tab to view the servers holding the five FSMO roles. You cannot change roles using Replication Monitor, but the tool has many other uses for Active Directory troubleshooting and is worth checking out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change the holders of FSMO roles. Ntdsutil.exe, a command-line utility installed with Windows 2000 Server, is rather complicated and beyond the scope of this document, but it is the tool used to seize a role from a holder that has failed permanently (see Q9 below).

6. DUMPFSMOS

- Command-line tool to query for the current FSMO role holders
- Part of the Microsoft Windows 2000 Server Resource Kit
- Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
- Prints the current FSMO holders to the screen
- Calls NTDSUTIL to get this information

7. NLTEST

Command-line tool to perform common network administrative tasks. Type "nltest /?" for syntax and switches.

Common uses:

- Get a list of all DCs in the domain
- Get the name of the PDC emulator
- Query or reset the secure channel for a server
- Call DsGetDcName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles:

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9 How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
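The following is an added example, not part of the original document or the referenced Microsoft article: the same transfer and seize operations done with the ActiveDirectory RSAT module (Windows Server 2008 R2 and later) instead of Ntdsutil. It assumes the rights listed in Q7 and uses 'DC02' as a placeholder for the domain controller that should take over the roles.

```powershell
# Added example, not from the original document: transfer FSMO roles with the
# ActiveDirectory module, and seize them only when the current holder is
# permanently gone. Assumes the RSAT ActiveDirectory module and the group
# memberships listed in Q7; 'DC02' is a placeholder for the target DC.
Import-Module ActiveDirectory

$Target = 'DC02'   # placeholder: the DC that should take the roles

# Transfer (graceful): the current holder is contacted and hands the role over,
# so both DCs agree on who owns it. Use this whenever the old holder is reachable.
Move-ADDirectoryServerOperationMasterRole -Identity $Target `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Seize (-Force): only if the holder is unrecoverable. The old holder must never
# be brought back onto the network afterwards, or two DCs will claim the same
# role; for the RID Master that can lead to overlapping RID pools and duplicate
# SIDs. Reinstall such a machine before reusing it.
# Move-ADDirectoryServerOperationMasterRole -Identity $Target `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster -Force -Confirm:$false

# Verify with the tools above and confirm the directory agrees with netdom.
netdom query fsmo
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```

Transfer first, seize only after a transfer has failed: the cmdlet with -Force still attempts a transfer before seizing, and a seize that succeeds while the old holder is merely unreachable (not dead) leaves the forest with two role holders once connectivity returns.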


GROUP POLICY

Q1 What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC: whether you don't want users to run Windows Update or change their display settings, or you want to ensure certain applications are installed on computers, all of this can be done with Group Policies.

Group Policies can be configured either locally or through domain policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure or modify Group Policies. Windows 2000 Group Policies can only be applied to Windows 2000 or Windows XP computers; they cannot be used on Win9x or Windows NT computers.

Q2 Who does a domain policy apply to?

Domain policies are applied to computers and users that are members of a domain, and these policies are stored on and configured through domain controllers. You can access domain Group Policies by opening Active Directory Sites and Services (for policies linked at the site level) or Active Directory Users and Computers (for policies linked to the domain and/or organizational units).

Q3 Where do you create a Group Policy?

To create a site-linked Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name or another site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except that you right-click the domain or an OU and choose Properties.

Q4 Who can create/modify Group Policies?

You have to have administrative privileges to create or modify Group Policies. The following shows who can create/modify Group Policies at each level:

- Site-level Group Policies: Enterprise Admins and/or Domain Admins in the root domain. The root domain is the first domain created in the forest; the Enterprise Admins group exists only in the root domain.

- Domain-level Group Policies: Enterprise Admins, Domain Admins, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

- OU-level Group Policies: Enterprise Admins, Domain Admins, or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control over the OU's Group Policies by starting the Delegation of Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created Group Policies to the OU. If you want to give the OU administrators control over creating/modifying Group Policies, add them to the Group Policy Creator Owners group for the domain.

- Local Group Policies: the local Administrator user account or members of the local Administrators group.

Q5 How are Group Policies applied?

Group Policies can be configured locally, at the site level, at the domain level or at the organizational unit (OU) level. They are applied in a specific order, LSDOU: local policies first, then site-linked policies, then domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Where settings conflict, a policy applied later overrides one applied earlier, so the OU closest to the object normally wins. Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you place the users (or groups) and computers in container objects. Anything in the container then receives the policies linked to that container. Sites, domains and OUs are the container objects a GPO can be linked to.

Computer and user Active Directory objects do not have to be in the same container. For example, Sally the user is an object in Active Directory, and Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally's user object can be in one OU while her computer object is in another. It all depends on how you organize your Active Directory structure and which Group Policies you want applied to which objects.


User and Computer Policies

There are two nodes in every Group Policy Object: a Computer node and a User node, called Computer Configuration and User Configuration. The policies configured in the Computer node apply to the computer as a whole; whoever logs on to that computer will get those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific; they apply only to the user who is logged on. When creating domain Group Policies you can disable either the Computer node or the User node of the GPO you are creating. By disabling a node that has no policies defined, you reduce the time it takes to apply the policies. To disable a node: after creating a Group Policy Object, click that GPO on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It is important to understand that when Group Policies are applied, all the policies for a node are evaluated first and then applied together; they are not applied one GPO after another. For example, say Sally the user is in the Development OU, which is nested in the Security OU. When Sally logs on to her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally. They are not applied Development OU first and then Security OU (or vice versa). The same goes for computer policies: when a computer boots, all the Computer node policies for that computer are evaluated and then applied.


When computers boot up, the computer policies are applied. When users log on, the user policies are applied. When a user policy and a computer policy set the same setting, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last such policy applied is the one the user/computer ends up with.

When multiple Group Policy Objects are linked to one container, they are applied from the bottom to the top of the Group Policy Object list; the top GPO in the list is applied last and therefore has the highest precedence. For example, if three GPOs named No Windows Update, No Display Settings and No ScreenSaver are linked to a Human Resources OU in that order, with No Windows Update at the top, they are applied as No ScreenSaver first, then No Display Settings, then No Windows Update. If any of their settings conflict, the one higher in the list takes precedence.
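The script below is an added example and is not part of the original document. It lists the GPOs a given OU receives in the order Group Policy processes them: the domain first, then each OU from the top of the tree down, and within one container from the bottom of its link list up, which is the LSDOU and link-order behaviour described above. It assumes the GroupPolicy RSAT module (Windows Server 2008 R2 and later); the OU distinguished name is a placeholder. Local and site-linked GPOs are not covered by Get-GPInheritance and are therefore not shown.

```powershell
# Added example, not from the original document: list the GPOs that a given OU
# receives, in the order Group Policy processes them (domain, then each OU from
# the top of the tree down, and within one container from the bottom of its
# link list up). Assumes the GroupPolicy RSAT module; the OU distinguished
# name is a placeholder. Local and site-linked GPOs are not covered by
# Get-GPInheritance and are not shown.
Import-Module GroupPolicy

$TargetDN = 'OU=Developers,OU=Staff,DC=corp,DC=example,DC=com'   # placeholder

# Split the DN into its OU and DC components, then rebuild the chain of
# containers from the domain root down to the target OU.
$parts  = $TargetDN -split ',(?=(?:OU|DC)=)'
$domain = ($parts | Where-Object { $_ -like 'DC=*' }) -join ','
$ous    = @($parts | Where-Object { $_ -like 'OU=*' })
$chain  = @($domain)
for ($i = $ous.Count - 1; $i -ge 0; $i--) {
    $chain += ($ous[$i..($ous.Count - 1)] -join ',') + ',' + $domain
}

$step = 0
$rows = foreach ($container in $chain) {
    $inh = Get-GPInheritance -Target $container
    # Link order 1 sits at the top of the list and is applied last, so walk the
    # list from the highest order number down to get processing order.
    foreach ($link in ($inh.GpoLinks | Sort-Object Order -Descending)) {
        $step++
        [pscustomobject]@{
            Step        = $step
            Container   = $container
            GPO         = $link.DisplayName
            Enabled     = $link.Enabled
            Enforced    = $link.Enforced
            BlockedHere = $inh.GpoInheritanceBlocked
        }
    }
}
$rows | Format-Table -AutoSize
```

Two things change the simple order printed here: a container with BlockedHere set does not inherit the links above it, except links marked Enforced, and Enforced links are reapplied after everything else, so an enforced domain-level GPO beats a conflicting OU-level one even though the OU is processed later. Read the Enforced and BlockedHere columns together with the Step column when working out which setting will win.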

Q6 How to disable Group Policy Objects

When you edit a Group Policy Object, the changes take effect immediately; there is no separate save step for GPOs. To prevent a half-configured GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disabled column; a check mark appears. Click the Edit button, make your changes, then double-click under the Disabled column again to re-enable the GPO. This is also the place to temporarily disable a GPO for troubleshooting. Alternatively, click the Options button on the Group Policy tab and select the Disabled check box.


Q7 When do Group Policy scripts run?

Startup scripts are processed at computer boot, before the user logs on. Shutdown scripts are processed after the user logs off but before the computer shuts down.

Logon scripts are processed when the user logs on. Logoff scripts are processed when the user logs off, before any shutdown script runs.

Q8 When does Group Policy get refreshed/applied?

Group Policies are applied when a computer boots and when a user logs on. Policies are also refreshed automatically on a predefined schedule, which is called background refresh.

Background refresh for non-DCs (PCs and member servers) happens every 90 minutes with a random offset of up to 30 minutes, so a given refresh occurs between 90 and 120 minutes after the previous one. For domain controllers, background refresh is every 5 minutes. In addition, the security settings portion of Group Policy is reapplied every 16 hours even if no GPO has changed, so that local tampering with security settings is undone. These intervals can be changed under the Computer and User nodes at Administrative Templates > System > Group Policy.

Q9 Which policies are not affected by background refresh?

The following policies are not applied during background refresh; they are only applied at boot or logon (or at logoff and shutdown, for the corresponding scripts):

- Folder Redirection
- Software Installation
- Logon, Logoff, Startup and Shutdown Scripts

Q9 How to refresh Group Policies using the command line

Secedit.exe is a command-line tool that can be used to refresh Group Policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These commands only refresh user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is the command-line tool that refreshes Group Policies on Windows XP and later; it replaced the secedit /refreshpolicy command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the machine, or computer, policies)

As with secedit, these only refresh user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

gpupdate /force

Notice that the /force switch applies to both user and computer policies unless combined with /target; there is no separate enforce switch per node as there is with secedit.
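As an added example (not from the original document), the PowerShell functions below read the background refresh interval actually in force on a machine and trigger a refresh with gpupdate, covering Q8 and the command-line refresh above. The registry values read are the ones written by the "Group Policy refresh interval" Administrative Template policies (under HKLM for the computer node and HKCU for the user node, with a DC suffix for the domain-controller variant); when they are absent, the built-in defaults described in Q8 apply.

```powershell
# Added example, not from the original document: read the background refresh
# interval that is in force on this machine and trigger a refresh. The registry
# values are the ones the "Group Policy refresh interval" Administrative
# Template policies write (HKLM for the computer node, HKCU for the user node,
# with a DC suffix on domain controllers); when absent, the defaults apply.
function Get-GPRefreshInterval {
    param([ValidateSet('Computer', 'User')][string]$Scope = 'Computer')
    $hive = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Windows\System"
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDC   = (Get-CimInstance Win32_ComputerSystem).DomainRole -in 4, 5
    $suffix = if ($Scope -eq 'Computer' -and $isDC) { 'DC' } else { '' }
    $defaultMinutes = if ($suffix -eq 'DC') { 5 } else { 90 }
    $defaultOffset  = if ($suffix -eq 'DC') { 0 } else { 30 }

    $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $minutes = $props."GroupPolicyRefreshTime$suffix"
    $offset  = $props."GroupPolicyRefreshTimeOffset$suffix"
    if ($null -eq $minutes) { $minutes = $defaultMinutes }
    if ($null -eq $offset)  { $offset  = $defaultOffset }

    [pscustomobject]@{
        Scope              = $Scope
        IntervalMinutes    = [int]$minutes
        RandomOffsetMax    = [int]$offset
        BackgroundDisabled = if ($Scope -eq 'Computer') { [bool]$props.DisableBkGndGroupPolicy } else { $null }
    }
}

function Invoke-GPRefresh {
    param(
        [ValidateSet('Computer', 'User', 'Both')][string]$Target = 'Both',
        [switch]$Force    # reapply every setting, not only the ones that changed
    )
    $gpArgs = @('/wait:120')
    if ($Target -ne 'Both') { $gpArgs += "/target:$($Target.ToLower())" }
    if ($Force) { $gpArgs += '/force' }
    & gpupdate.exe @gpArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "gpupdate exited with code $LASTEXITCODE; check gpresult /r and the Group Policy operational event log"
    }
}

Get-GPRefreshInterval -Scope Computer
Get-GPRefreshInterval -Scope User
Invoke-GPRefresh -Target Computer -Force
```

A BackgroundDisabled value of True means the computer will only pick up policy changes at the next boot or logon, which is worth knowing when a security setting you pushed does not seem to land.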

Q10 What is the default setting for dial-up users?

Windows 2000 considers a slow link to be anything below 500 Kbps. When a user logs on to the domain over a link slower than that, some policies are not applied.

Windows 2000 automatically detects the speed of the connection and decides which Group Policies to apply accordingly.

Q11 Which policies are applied regardless of the speed of the dial-up connection?

Some policies are always applied, regardless of the link speed. These are:

- Administrative Templates
- Security Settings
- EFS Recovery
- IPSec

Q12 Which policies are not applied over slow links?

- Internet Explorer Maintenance settings
- Folder Redirection
- Scripts
- Disk Quota settings
- Software Installation and Maintenance

These settings can be changed under the Computer and User nodes at Administrative Templates > System > Group Policy.


If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after logging on, the policies are applied on the standard refresh cycle.

Q13 Which are the two types of default policies

There are two default group policy objects that are created when a domain is created The Default Domain policy and the Default Domain Controllers policy

Default Domain Policy - this GPO can be found under the Group Policy tab for the domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you open this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These three policies take effect for domain accounts only when set at the domain level; if you set them anywhere else (site or OU) they are ignored for domain accounts. Setting them at the OU level does, however, configure the local account database of the computers in that OU: log on to the domain and you get the domain policy; log on locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are three policies that the Default Domain Policy affects in the same way:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the domain Administrator account only
Rename Guest Account - when set at the domain level it affects the domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but that is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. It is linked to the Domain Controllers OU, which is where every new domain controller is placed, so it affects all domain controllers in the domain as long as they stay there. Do not move domain controllers out of this OU: a domain controller moved to another OU stops processing this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.


Q14 How to restore Group Policy settings back to default?

The following command replaces both the Default Domain Policy and the Default Domain Controllers Policy. You can specify Domain or DC instead of Both to restore only one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPOs. It returns the two GPOs to their out-of-the-box state, so any customizations made to them are lost; back them up first.

If you have ever made changes to the default GPOs and would like to revert to the original settings, the dcgpofix utility is the solution. dcgpofix works with a particular version of the schema: if the version it expects to be current differs from what is in Active Directory, it will not restore the GPOs. You can work around this with the /ignoreschema switch, which restores the GPOs according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on one domain controller (dc1) that extends the schema, but have not yet installed it on a second domain controller (dc2). If you then run dcgpofix from dc2, you will receive the error, since the new version of the schema and the dcgpofix utility were installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: the local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and their settings applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. A single object can sit beneath several nested OUs; in this case GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next-highest-level OU, and so on. If multiple GPOs are linked to a single


Q15 What are the two exceptions that control inheritance of Group Policy?

No Override: when you link a GPO to a container you can set the No Override option (called Enforced in the Group Policy Management Console), which prevents settings in that GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: you can configure the Block Inheritance option on a container to prevent it from inheriting GPO settings from its parent containers. However, if a parent container's link has the No Override option set, the child container cannot block that GPO.
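The processing order and the two inheritance exceptions above can be exercised with a small resolver that replays them against a constructed hierarchy. The following Python is an added example, not part of the original page or of any Microsoft tool; the site, domain, OU, GPO and setting names in it are made up. In the Group Policy Management Console the No Override option is labelled Enforced, and that is the name the code uses.

```python
"""Effective Group Policy for one object, resolved the way the processing
order above describes: Local, then Site, Domain and OU links, later ones
winning, with Block Inheritance and No Override (Enforced) applied.
Added illustration, not part of the original page; all container and
setting names below are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict            # setting name -> configured value
    enforced: bool = False    # "No Override" set on this link


@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)  # link order: first entry has highest precedence
    block_inheritance: bool = False


def resolve(local_gpo, chain):
    """chain lists the containers from the site down to the OU that holds the
    object. Returns (effective settings, names of GPOs in application order);
    a setting applied later overwrites one applied earlier."""
    effective, order = {}, []

    def apply(gpo):
        effective.update(gpo.settings)
        order.append(gpo.name)

    # The local GPO is not inherited from any container, so Block Inheritance
    # never removes it; it simply has the lowest precedence.
    if local_gpo is not None:
        apply(local_gpo)

    # Block Inheritance on a container discards the non-enforced links of every
    # container above it; the deepest block is the one that matters.
    first_visible = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)

    # Pass 1: non-enforced links, root to leaf. Within one container the links
    # are applied in reverse link order so that link order 1 is applied last.
    for container in chain[first_visible:]:
        for gpo in reversed(container.gpos):
            if not gpo.enforced:
                apply(gpo)

    # Pass 2: enforced links, leaf to root. They ignore Block Inheritance, beat
    # every non-enforced link, and an ancestor's enforced link beats a
    # descendant's because it is applied last.
    for container in reversed(chain):
        for gpo in reversed(container.gpos):
            if gpo.enforced:
                apply(gpo)

    return effective, order


def example_chain():
    """Constructed hierarchy: site -> domain -> OU Sales (Block Inheritance) -> OU Reps."""
    local = GPO("Local GPO", {"wallpaper": "local.bmp"})
    site = Container("Default-First-Site-Name",
                     [GPO("Site GPO", {"wallpaper": "site.bmp", "proxy": "site-proxy"})])
    domain = Container("contoso.com", [
        GPO("Domain Lockdown", {"screensaver_timeout": 600}, enforced=True),
        GPO("Default Domain Policy", {"min_pw_len": 7}),
    ])
    sales = Container("OU=Sales",
                      [GPO("Sales GPO", {"wallpaper": "sales.bmp", "screensaver_timeout": 900})],
                      block_inheritance=True)
    reps = Container("OU=Reps,OU=Sales", [GPO("Reps GPO", {"proxy": "reps-proxy"})])
    return local, [site, domain, sales, reps]


if __name__ == "__main__":
    settings, applied = resolve(*example_chain())
    print("applied:", " -> ".join(applied))
    for key, value in sorted(settings.items()):
        print(f"  {key} = {value}")
```

With the block on the Sales OU in place, the site GPO and the Default Domain Policy never reach the object, but the enforced Domain Lockdown still wins its screensaver setting over the Sales OU's own value; clear the block and the site and domain settings reappear underneath the OU ones.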

Q16 How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user and computer accounts to be stored in an OU to which you can link a GPO.

Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: redirusr.exe redirects user accounts and redircomp.exe redirects computer accounts (the domain must be at the Windows Server 2003 domain functional level). Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to it, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO; administrators could then move the accounts to a more appropriate location later.

You can find both tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using them in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", at http://support.microsoft.com.

Q17 What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Admins membership by default.
Editing GPOs linked to domains requires Domain Admins membership by default.
Editing GPOs linked to OUs requires permissions delegated for the OU (to manage links) and Edit permission on the GPO itself.

Q18 What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings they must be members of an Active Directory domain. Support for Group Policy in the key operating systems is as follows:

Windows 95/98/Me do not support Group Policy.
Windows NT 4.0 and earlier versions do not support Group Policy.
Windows 2000 Professional and Server support many, but not all, of the Group Policy settings available in Windows Server 2003; unsupported settings are ignored.


Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11 What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that e-mail and other programs use to look up information from a server.

An LDAP-aware directory service (such as Active Directory) indexes selected attributes of the objects stored in the directory and publishes them; LDAP-aware clients can query the server in a wide variety of ways.

Q12 What types of naming conventions does Active Directory use?

Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies the object uniquely, but only within its parent container. Thus the name uniquely identifies the object relative to the other objects in the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com

the relative distinguished name of the object is CN=wjglenn, and the relative distinguished name of the parent container is CN=Users. For most objects the relative distinguished name is the same as the object's Common Name attribute. Active Directory creates the relative distinguished name automatically from information provided when the object is created, and it does not allow two objects with the same relative distinguished name to exist in the same parent container.

The relative distinguished name (and the distinguished name discussed in the next section) uses special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used are:

DC: the Domain Component tag identifies one part of the DNS name of the domain, such as COM or ORG.
OU: the Organizational Unit tag identifies an organizational unit container.
CN: the Common Name tag identifies the common name configured for an Active Directory object (including built-in containers such as Users).

Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all the parent containers that make up the path to the object.

An example of a typical distinguished name would be

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name indicates that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN changes to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way a fully qualified domain name uniquely identifies a host's placement in the DNS hierarchy; you cannot have two objects with the same distinguished name.

User Principal Names

The user principal name generated for each user is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define additional suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement at the directory level, so it is best to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The distinguished name presented in the preceding section would have the canonical name

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first is that the canonical name presents the root of the path first and works downward toward the object name. The second is that the canonical name does not use the LDAP attribute tags (e.g. CN and DC).
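The naming formats above are easy to get wrong in scripts, especially when an RDN value itself contains a comma. The following Python is an added example, not part of the original page; the wjglenn DN is the page's own example, while the DN containing an escaped comma is constructed.

```python
"""Take an LDAP distinguished name apart into its RDNs and rebuild it in
canonical form, as described above. Added illustration, not part of the
original page; the escaped-comma example name is constructed."""


def split_dn(dn):
    """Split a DN into RDN strings at unescaped commas. A comma inside a
    value is written '\\,' (RFC 4514), so 'CN=Smith\\, John,OU=Sales,...'
    keeps 'Smith\\, John' together instead of producing a bogus RDN 'John'."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # keep the escape pair intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def unescape(value):
    """Drop the backslashes that protect special characters in an RDN value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def rdn(dn):
    """The object's own name: the leftmost component of the DN."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """Everything after the RDN, i.e. the DN of the container holding the object."""
    return ",".join(split_dn(dn)[1:])


def to_canonical(dn):
    """DN -> canonical name: DNS domain first (DC components joined by dots),
    then the container path from the top down, without attribute tags."""
    tagged = []
    for part in split_dn(dn):
        tag, value = part.split("=", 1)
        tagged.append((tag.strip().upper(), unescape(value.strip())))
    domain = ".".join(v for t, v in tagged if t == "DC")
    path = [v for t, v in tagged if t != "DC"]     # leaf first in the DN ...
    return "/".join([domain] + path[::-1])          # ... so reverse it for canonical form


if __name__ == "__main__":
    for name in ("CN=wjglenn,CN=Users,DC=contoso,DC=com",
                 "CN=Smith\\, John,OU=Sales,OU=Dallas,DC=contoso,DC=com"):
        print(name, "->", to_canonical(name), "| RDN:", rdn(name), "| parent:", parent_dn(name))
```

A naive dn.split(",") would turn the second name into five RDNs and put "John" in the wrong container; any tool that builds ACLs or group membership from DNs needs the escape-aware split.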

Q13 What is multimaster replication?

Active Directory uses multimaster replication, in which every replica of an Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to the other domain controllers. (A few operations remain single-master and are handled by the operations master roles.)

Q14 Which two operations master roles should be available when new security principals are being created and named?

The domain naming master and the relative ID (RID) master.


Q15 What are the different types of groups?

Security groups: used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed in a group inherit the permissions assigned to the group for as long as they remain members. Windows itself uses only security groups.

Distribution groups: used for non-security purposes by applications other than Windows; one of the primary uses is as an e-mail distribution list. A distribution group cannot be assigned permissions.

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16 What is a group scope and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local and universal.

Global groups are used to gather users that have similar permission requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is Windows 2000 native or Windows Server 2003 (i.e. the domain contains only Windows 2000 or 2003 domain controllers), global groups can also contain other global groups from the same domain.
3. Global groups can be assigned permissions, or be added to local groups, in any domain in the forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in the forest, no matter what functional level is enabled.
2. When the domain functional level is Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups from the same domain, and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal security groups are available only when the domain functional level is Windows 2000 native or Windows Server 2003 (universal distribution groups can be created at any level).
2. Universal groups exist outside the boundaries of any particular domain; their membership is published in the global catalog.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups and other universal groups from any domain in the forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17 What are the items that groups of different scopes can contain in mixed- and native-mode domains?

Q18 What is group nesting?

Placing one group inside another is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas Junior Admins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach lets you set permissions on a single group and have those permissions flow down to the members, yet still subdivide the junior administrators by location. (Nesting a global group inside another global group requires the Windows 2000 native or Windows Server 2003 domain functional level, as noted under group scopes.)

Q19 How many characters can a group name contain?

64

Q20 Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records that domain controllers register, so sites must be given valid DNS names.


Q21 What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to remember a specific machine name for each set of files, the user only has to remember one name, which is the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS can route a client to the closest available file server by using Active Directory site information. It can also be installed on a cluster for better performance and reliability.

Understanding the DFS terminology

It is important to understand the concepts that are part of DFS. Below is a definition of each of them:

DFS root: think of this as a share that is visible on the network; in this share you can have additional files and folders.

DFS link: a link is another share somewhere on the network that sits under the root. When a user opens this link they are redirected to a shared folder.

DFS target (or replica): this can be either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as DFS targets under the same link.

The image below shows the actual folder structure the user sees when using DFS with load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, improved for better performance, additional fault tolerance, load balancing and reduced use of network bandwidth. It also comes with a set of command-line scripting tools that make backup and restoration of DFS namespaces easier. The client Windows operating systems include a DFS client, which provides additional features as well as caching.


Q22 What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for domain-based DFS; and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23 Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS). On Windows Server 2008 and later, DFS Replication (DFSR) replaces FRS for SYSVOL.

Q24 What can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) who oversee the site topology. The owner is responsible for making any necessary changes to the sites as the physical network grows and changes. The site topology owner's responsibilities include:

Making changes to the site topology based on changes to the physical network topology.
Tracking subnet information for the network, including IP addresses, subnet masks and the locations of the subnets.
Monitoring network connectivity and setting the costs for links between sites.

Q1 What is DNS?

DNS provides name registration and name-to-address resolution, and it greatly reduces the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, mapping friendly host or computer names to IP addresses was handled via HOSTS files. HOSTS files are easy to understand: they are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows still ships with a HOSTS file in the %SystemRoot%\system32\drivers\etc subdirectory (\winnt\system32\drivers\etc on Windows 2000).

The fundamental problem with HOSTS files was that they were labor intensive: a HOSTS file is modified by hand, typically administered centrally, and has to be copied to every host. Note that the file is still consulted before DNS, so anyone who can write to it can silently redirect a name on that machine.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.


Q2 Which are the four generally accepted naming conventions?

NetBIOS name (for instance SPRINGERS01)

TCP/IP address (121133244)

Host name (Abbey)

Media Access Control (MAC) address: the network adapter hardware address

Q3 How does DNS really work?

DNS uses a client/server model in which DNS servers maintain a database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the host name www.idgbooks.com in a URL typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server cannot resolve the request from its own zones or its cache, it queries other name servers on the resolver's behalf.

Step 3: If all else fails, the local name server starts at the top of the DNS tree with the root name servers. They refer it to the servers for the far-right label (for instance com), which in turn refer it to the servers authoritative for idgbooks.com, and those return the address for www.idgbooks.com. Each answer and referral is cached so that later queries are resolved faster.


The steps are also illustrated in the chart below.

Figure 8-5: How DNS works
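The three steps above can be followed in code with a resolver that walks the delegation chain itself. The following Python is an added example, not part of the original page; it uses a constructed delegation tree for the page's example name www.idgbooks.com, with made-up server addresses from the RFC 5737 documentation ranges rather than the real root or .com servers, and glue records are assumed to be present at every delegation.

```python
"""Walk the delegation chain for a name the way a recursive name server does
when it cannot answer from cache: start at a root server, follow each NS
referral, stop at the server that holds the A record. Added illustration,
not part of the original page; the servers, addresses (RFC 5737 ranges)
and records below are constructed."""

# Each entry is the authoritative data one server can hand out: a list of
# (owner name, type, rdata). NS records on a server are delegations to a
# child zone; the matching A records are the "glue" for those name servers.
SERVERS = {
    "192.0.2.1": [                                   # a root server
        ("com.", "NS", "a.gtld-servers.net."),
        ("a.gtld-servers.net.", "A", "192.0.2.2"),   # glue
    ],
    "192.0.2.2": [                                   # a .com TLD server
        ("idgbooks.com.", "NS", "ns1.idgbooks.com."),
        ("ns1.idgbooks.com.", "A", "203.0.113.10"),  # glue
    ],
    "203.0.113.10": [                                # authoritative for idgbooks.com.
        ("www.idgbooks.com.", "A", "203.0.113.80"),
        ("mail.idgbooks.com.", "A", "203.0.113.25"),
    ],
}
ROOT_HINTS = ["192.0.2.1"]
CACHE = {}      # what the local name server already knows (step 1 in the text)


def labels(name):
    return name.rstrip(".").split(".") if name.rstrip(".") else []


def in_zone(qname, zone):
    """True if zone is the name itself or one of its parents."""
    q, z = labels(qname), labels(zone)
    return len(q) >= len(z) and q[len(q) - len(z):] == z


def query(server_ip, qname):
    """Ask one server. Returns ("ANSWER", [ips]), ("REFERRAL", [ns ips]) or ("NXDOMAIN", [])."""
    records = SERVERS[server_ip]
    answers = [v for n, t, v in records if n == qname and t == "A"]
    if answers:
        return "ANSWER", answers
    # Otherwise refer the client to the most specific delegation this server holds.
    delegations = [(n, v) for n, t, v in records if t == "NS" and in_zone(qname, n)]
    if not delegations:
        return "NXDOMAIN", []
    zone = max(delegations, key=lambda d: len(labels(d[0])))[0]
    ns_names = [v for n, v in delegations if n == zone]
    glue = [v for n, t, v in records if t == "A" and n in ns_names]
    return "REFERRAL", glue      # a real resolver would look up NS names that lack glue


def resolve(name, max_hops=8):
    """Iterative resolution from the root hints. Returns (ip or None, servers consulted)."""
    qname = name if name.endswith(".") else name + "."
    if qname in CACHE:
        return CACHE[qname], []                      # answered locally, no servers asked
    trail, next_servers = [], list(ROOT_HINTS)
    for _ in range(max_hops):                        # bound the walk against bad delegations
        if not next_servers:
            break
        server = next_servers[0]
        trail.append(server)
        kind, data = query(server, qname)
        if kind == "ANSWER":
            CACHE[qname] = data[0]
            return data[0], trail
        if kind == "NXDOMAIN":
            return None, trail
        next_servers = data
    return None, trail


if __name__ == "__main__":
    for host in ("www.idgbooks.com", "www.idgbooks.com", "nosuch.idgbooks.com"):
        print(host, "->", resolve(host))
```

The first lookup of www.idgbooks.com visits the root, the .com server and the idgbooks.com server in that order; the second is served from the cache without asking anyone, and an unknown name walks the same chain and ends with the authoritative server saying it does not exist.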

Q4 Which are the major records in DNS?

1. Host or Address Records (A) map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

e.g. eric.foobarbaz.com. IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same except for the IP address.


2. Aliases or Canonical Name Records (CNAME)

CNAME records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The hostname of a machine that is stated in an A record is called the canonical or official name of the machine; other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com. IN CNAME eric.foobarbaz.com.

You can see the similarity to the previous record. Records always read from left to right, with the subject being queried on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases; a new record must be entered for each alias, and a name that is an alias may not carry any other records of its own.

For simple round-robin load balancing you add several A records for the service name, one per machine; a name cannot have more than one CNAME, so aliases are not the way to spread load.

3. Mail Exchange Records (MX)

MX records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it reduces the load on your internal hosts, since they do not have to route incoming mail, and it allows mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience, however, we want our e-mail addresses to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com. IN MX 10 eric.foobarbaz.com.

The column on the far left signifies the domain that you want to use in Internet e-mail addresses. The next two entries have been explained under the previous records. The next column, the number "10", is different from the normal DNS record format: it is a preference value. Larger systems often have backup mail servers, perhaps more than one, and you only want the backups receiving mail if something goes wrong with the primary mail server. You indicate this with your MX records: a lower number means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If that server becomes unreachable, the computer delivering the mail will try every other server listed in the DNS tables, in order of preference.

You can have as many MX records as you like. It is also a good idea to include an MX record even if you want mail delivered directly to a machine that has an A record, since some mail programs only look for MX records.

It is also possible to use wildcards in MX records. If you have a domain where users each have their own machine running a mail client, mail could be sent directly to each machine. Rather than clutter your zone with an MX record per host, you can add a wildcard MX record like this one:

*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.


Use caution with wildcards: a name that has any records of its own is not matched by the wildcard, so specific records take precedence over wildcard ones.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will explain only the most frequently used method, called "in-addr.arpa".

in-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address; resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common for a machine to do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a useful sanity check, but on their own they prove little, since whoever controls the reverse zone can put any name in a PTR record; a service that relies on them should also confirm that the returned name resolves back to the connecting address (forward-confirmed reverse DNS). in-addr.arpa records look like this:

6.1.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.

As you can see from the A record example at the beginning of this document, the record simply has the IP address octets in reverse order on the left and the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to a functioning DNS entry. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every zone. NS records look like this:

foobarbaz.com. IN NS draven.foobarbaz.com.

There must also be an A record in your zone for each machine you list as a name server for your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with nse.algx.net and nsf.algx.net as your two authoritative name servers.

6. Start of Authority Records (SOA)

The SOA record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. It is called the start of authority because it marks the DNS entry as the official source of information for its domain. Here is an example of an SOA record; each part of it is explained afterwards.

foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
        1996111901 ; Serial
        10800      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        86400 )    ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an e-mail address if you substitute an "@" for the first ".", i.e. hostmaster@foobarbaz.com. There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on their own copy. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed.

Also a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. "Refresh" is how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying again if the primary could not be reached. "Expire" is how long the secondary server should keep serving its current copy if it is unable to complete a refresh. "Minimum" was originally the default TTL, i.e. how long other name servers should cache these entries; current DNS software (RFC 2308) uses this field as the negative-caching TTL and sets the default TTL with a $TTL directive at the top of the zone.

There can only be one SOA record per zone. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
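The records described above can be checked mechanically for the consistency rules the text states: at least two NS records, each backed by an A record; aliases and mail exchangers pointing at canonical names; PTR records confirmed by a matching forward A record; mail exchangers tried in preference order; and a YYYYMMDDNN serial that only ever increases. The following Python is an added example, not part of the original page or of any DNS server; the zone it parses is constructed from the page's foobarbaz.com example names with made-up addresses.

```python
"""Parse the record types shown above out of a small zone and run the
consistency checks the text implies. Added illustration, not part of the
original page; the zone below is constructed from the page's example names
(the addresses are made up)."""
from collections import defaultdict

ZONE = """\
foobarbaz.com.            IN NS    draven.foobarbaz.com.
foobarbaz.com.            IN NS    ns2.foobarbaz.com.
foobarbaz.com.            IN MX    20 backup.foobarbaz.com.
foobarbaz.com.            IN MX    10 eric.foobarbaz.com.
draven.foobarbaz.com.     IN A     36.36.1.2
ns2.foobarbaz.com.        IN A     36.36.1.3
eric.foobarbaz.com.       IN A     36.36.1.6
backup.foobarbaz.com.     IN A     36.36.1.7
www.foobarbaz.com.        IN CNAME eric.foobarbaz.com.
6.1.36.36.in-addr.arpa.   IN PTR   eric.foobarbaz.com.
"""


def parse_zone(text):
    """Return (owner, type, rdata) tuples; MX rdata is (preference, host)."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment in zone files
        if not line:
            continue
        owner, _cls, rtype, *rdata = line.split()
        if rtype == "MX":
            records.append((owner, rtype, (int(rdata[0]), rdata[1])))
        else:
            records.append((owner, rtype, rdata[0]))
    return records


def reverse_name(ip):
    """'36.36.1.6' -> '6.1.36.36.in-addr.arpa.' (octets reversed)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def address_of_reverse_name(name):
    """Inverse of reverse_name: '6.1.36.36.in-addr.arpa.' -> '36.36.1.6'."""
    octets = name[: -len(".in-addr.arpa.")].split(".")
    return ".".join(reversed(octets))


def mail_exchangers(records, domain):
    """Hosts to try for mail to domain, lowest preference value first."""
    return [host for _pref, host in sorted(v for n, t, v in records if n == domain and t == "MX")]


def next_serial(current, today):
    """Next YYYYMMDDNN serial for a change made on today ('YYYYMMDD'); never goes backwards."""
    return max(current + 1, int(today + "00"))


def lint_zone(records, domain):
    """Apply the consistency rules the record descriptions above set out."""
    types_at = defaultdict(set)
    for n, t, _ in records:
        types_at[n].add(t)
    problems = []
    ns_hosts = [v for n, t, v in records if n == domain and t == "NS"]
    if len(ns_hosts) < 2:
        problems.append("fewer than two NS records for " + domain)
    for host in ns_hosts:
        if "A" not in types_at[host]:
            problems.append(f"name server {host} has no A record")
    for n, t, v in records:
        if t == "CNAME" and ("A" not in types_at[v] or "CNAME" in types_at[v]):
            problems.append(f"alias {n} does not point at a canonical name with an A record")
        if t == "CNAME" and types_at[n] != {"CNAME"}:
            problems.append(f"{n} has other records beside its CNAME")
        if t == "MX" and "CNAME" in types_at[v[1]]:
            problems.append(f"mail exchanger {v[1]} is an alias, not a canonical name")
        if t == "PTR":
            ip = address_of_reverse_name(n)
            forward = [a for m, ty, a in records if m == v and ty == "A"]
            if ip not in forward:       # forward-confirmed reverse DNS
                problems.append(f"PTR {n} -> {v} is not confirmed by an A record for {ip}")
    return problems


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print("MX order:", mail_exchangers(recs, "foobarbaz.com."))
    print("reverse name:", reverse_name("36.36.1.6"))
    print("problems:", lint_zone(recs, "foobarbaz.com.") or "none")
    print("next serial:", next_serial(1996111901, "19961119"), next_serial(1996111901, "19961120"))
```

Feeding the linter a zone with an MX record that points at the www alias, or a PTR record for an address whose forward A record disagrees, produces one problem line per violation, which is the check a mail relay or an SSH daemon is implicitly relying on when it trusts a reverse lookup.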

Quick Summary of the major records in DNS

Record type: Definition

Host (A): Maps a host name to an IP address in a DNS zone. Fields: Domain, Host Name, Host IP Address.

Alias (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields: Domain, Alias Name, For Host DNS Name.

Name server (NS): Identifies the DNS name servers for the DNS domain. NS records appear in all forward and reverse zones. Fields: Domain, Name Server DNS Name.

Pointer (PTR): Maps an IP address to a host name in a DNS reverse zone. Fields: IP Address, Host DNS Name.

Mail exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application; however, to connect Microsoft Exchange to the Internet via the Internet Mail Service (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields: Domain, Host Name (optional), Mail Exchange Server DNS Name, Preference Number.

Q5 What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into separate zones to make management easier. For example, support.microsoft.com and msdn.microsoft.com could be separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6 Name the two zone types in DNS.

DNS servers can contain primary and secondary zones. A primary zone is the copy of a zone in which updates can be made, while a secondary zone is a read-only copy of a primary zone, kept current by zone transfer. For fault tolerance and load balancing, a domain may have several DNS servers that respond to requests for the same information. Zone transfers should be restricted to the addresses of your secondary servers, since an open transfer hands anyone a complete inventory of the zone.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers

Q7 How many SOA record does each zone contain

Each zone will have one SOA record This records contains many miscellaneous settings for the zone such as who is responsible for the zone refresh interval settings TTL (Time To Live) settings and a serial number (incremented with every update)

Q8 Short summary of the records in DNS

The NS records are used to point to additional DNS servers The PTR record is used for reverse lookups (IP to name) CNAME records are used to give a host multiple names MX records are used when configuring a domain for email


Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does the resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

Multimaster update and enhanced security, based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.


Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. - F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration, whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary. The reason is that I feel there are two configurations
> that could be set up. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. - both local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?


> VIP = 16714715
> ------------------------------------
>         Load Balancer Device       |
> ------------------------------------
>                 |
>                 |
>        -----------------
>        |               |
> ----------------  --------------
> |    DNS 1     |  |   DNS 2    |
> ----------------  --------------
>     1.1.1.1          1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case, the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
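The name construction and referral chain described in this answer, as an added example that is not part of the original Q&A. The IPv6 case (ip6.arpa) is the same idea generalised; the zone names in delegation_chain are the candidate delegation points, and which of them exist as separate zones depends on how the address block was delegated.

```python
"""Build the in-addr.arpa / ip6.arpa name a resolver queries for a PTR lookup,
and the delegation chain it may be referred through. Added example; the
addresses used at the bottom are the ones from the answer above.
"""
import ipaddress


def reverse_name(address: str) -> str:
    """Return the PTR owner name for an IPv4 or IPv6 address.

    IPv4: octets reversed, then "in-addr.arpa" appended (the case walked
    through above). IPv6: all 32 hex nibbles reversed, then "ip6.arpa".
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")        # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def delegation_chain(address: str) -> list:
    """Zones a querier may be referred through, root first, for an IPv4 address:
    "." -> "161.in-addr.arpa" -> "114.161.in-addr.arpa" -> "1.114.161.in-addr.arpa".
    In the answer above, 161.in-addr.arpa is at ARIN and 1.114.161.in-addr.arpa
    at Compaq; the /16 level need not be a separate zone at all.
    """
    ip = ipaddress.ip_address(address)
    if ip.version != 4:
        raise ValueError("delegation_chain() only models IPv4 here")
    octets = str(ip).split(".")
    chain = ["."]
    for depth in range(1, 4):                      # /8, /16 and /24 levels
        chain.append(".".join(reversed(octets[:depth])) + ".in-addr.arpa")
    return chain


if __name__ == "__main__":
    print(reverse_name("161.114.1.206"))          # 206.1.114.161.in-addr.arpa
    for zone in delegation_chain("161.114.1.206"):
        print("  possible referral via", zone)
```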


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1


These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.
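A small checker for the record-level mistakes raised in Q4, Q5 and Q8 (an explicit per-record TTL, CNAME rdata that must be a name rather than an IP address, and an MX preference that must fit in 16 bits), added here as an example and not part of the original Q&A. The zone-file lines it checks are constructed.

```python
"""Parse BIND-style resource record lines and flag the mistakes discussed
above. Added example; the sample zone lines at the bottom are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

CLASSES = {"IN", "CH", "HS"}
MAX_MX_PREFERENCE = 65535          # MX preference is an unsigned 16-bit number


@dataclass
class Record:
    owner: str
    ttl: int                       # explicit TTL, or the zone default if none given
    rclass: str
    rtype: str
    rdata: list = field(default_factory=list)


def parse_record(line: str, default_ttl: int = 3600) -> Record:
    """Parse 'owner [ttl] [class] type rdata...' (master-file syntax).
    TTL and class are optional and sit between the owner field and the type.
    """
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"not a resource record: {line!r}")
    owner, rest = tokens[0], tokens[1:]
    ttl, rclass = default_ttl, "IN"
    while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
        tok = rest.pop(0)
        if tok.isdigit():
            ttl = int(tok)
        else:
            rclass = tok.upper()
    return Record(owner, ttl, rclass, rest[0].upper(), rest[1:])


def is_ip_literal(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_record(rec: Record) -> list:
    """Return the problems found in one record (empty list if it is fine)."""
    problems = []
    if rec.rtype == "CNAME":
        if len(rec.rdata) != 1:
            problems.append("CNAME needs exactly one target name")
        elif is_ip_literal(rec.rdata[0]):
            problems.append(f"CNAME target {rec.rdata[0]} is an IP address, not a domain name")
    elif rec.rtype == "MX":
        if len(rec.rdata) != 2 or not rec.rdata[0].isdigit():
            problems.append("MX needs '<preference> <exchange>'")
        elif int(rec.rdata[0]) > MAX_MX_PREFERENCE:
            problems.append(f"MX preference {rec.rdata[0]} exceeds {MAX_MX_PREFERENCE}")
    elif rec.rtype == "A":
        if len(rec.rdata) != 1 or not is_ip_literal(rec.rdata[0]) or ":" in rec.rdata[0]:
            problems.append("A record rdata must be one IPv4 address")
    return problems


def check_zone(lines) -> dict:
    """Map each offending line to its problems; clean lines are omitted."""
    report = {}
    for line in lines:
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        problems = check_record(parse_record(line))
        if problems:
            report[line] = problems
    return report


# Constructed sample: the TTL line from Q4, a broken CNAME like those in Q5,
# and an MX preference that overflows the 16-bit field from Q8.
SAMPLE_ZONE = """
foo.example.   300  IN  A      10.0.0.1
www            IN   CNAME  192.168.0.1
mail           IN   CNAME  foo.example.
@              IN   MX     70000 mail.example.
@              IN   MX     10 mail.example.
""".splitlines()

if __name__ == "__main__":
    for bad_line, problems in check_zone(SAMPLE_ZONE).items():
        print(bad_line, "->", "; ".join(problems))
```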

Q9. Why are there only 13 root name servers?

> I'm wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit on the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that there is some limitation on the number of NS records
> in a DNS packet specified by certain RFCs, or it is just Internet policy stuff.
>
> Which one is the proper reason?


It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the five FSMO roles?

Schema Master: forest level, one per forest

Domain Naming Master: forest level, one per forest

PDC Emulator: domain level, one per domain

RID Master: domain level, one per domain

Infrastructure Master: domain level, one per domain

Q2. What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.
• Time synchronization for the domain.
• Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object, such as a user, group, or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing, and BDC replication). In a native mode domain, the failure of the PDC emulator isn't as critical because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain, and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP - Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory, like the Infrastructure Master and the Global Catalog server above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another, as well as to a Global Catalog server.
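The placement rules above (Domain Naming Master on a GC, Infrastructure Master off the GC unless the forest has one domain, PDC Emulator and RID Master together) as a check over a forest inventory. This is an added example, not Microsoft tooling; the role holders and catalog list are constructed input, which in practice you would collect with netdom query fsmo or the AD PowerShell cmdlets.

```python
"""Lint FSMO placement against the guidance in this section. Added example;
the forest inventory at the bottom is constructed.
"""


def check_placement(forest_roles: dict, domain_roles: dict, global_catalogs: set):
    """Return (errors, warnings) for a forest.

    forest_roles:    {"SchemaMaster": dc, "DomainNamingMaster": dc}
    domain_roles:    {domain: {"PDCEmulator": dc, "RIDMaster": dc,
                               "InfrastructureMaster": dc}}
    global_catalogs: names of DCs that are Global Catalog servers
    """
    errors, warnings = [], []
    multi_domain = len(domain_roles) > 1

    schema = forest_roles["SchemaMaster"]
    naming = forest_roles["DomainNamingMaster"]
    if naming not in global_catalogs:
        errors.append(f"Domain Naming Master {naming} is not a Global Catalog server")
    if schema != naming:
        warnings.append(f"Schema Master ({schema}) and Domain Naming Master ({naming}) "
                        "are on different servers")
        if schema not in global_catalogs:
            warnings.append(f"Schema Master {schema} is not a Global Catalog server")

    for domain, roles in domain_roles.items():
        infra = roles["InfrastructureMaster"]
        # Hard rule in a multi-domain forest: an Infrastructure Master on a GC
        # never sees stale cross-domain references and so never replicates fixes.
        if multi_domain and infra in global_catalogs:
            errors.append(f"{domain}: Infrastructure Master {infra} is also a Global Catalog server")
        if roles["PDCEmulator"] != roles["RIDMaster"]:
            warnings.append(f"{domain}: PDC Emulator and RID Master are on different servers")
    return errors, warnings


# Constructed two-domain forest: corp.example keeps its Infrastructure Master on a GC,
# and eu.corp.example splits PDC Emulator and RID Master.
SAMPLE_FOREST_ROLES = {"SchemaMaster": "dc1.corp.example",
                       "DomainNamingMaster": "dc1.corp.example"}
SAMPLE_DOMAIN_ROLES = {
    "corp.example": {"PDCEmulator": "dc2.corp.example",
                     "RIDMaster": "dc2.corp.example",
                     "InfrastructureMaster": "dc1.corp.example"},
    "eu.corp.example": {"PDCEmulator": "dc1.eu.corp.example",
                        "RIDMaster": "dc2.eu.corp.example",
                        "InfrastructureMaster": "dc2.eu.corp.example"},
}
SAMPLE_GCS = {"dc1.corp.example", "dc1.eu.corp.example"}

if __name__ == "__main__":
    errs, warns = check_placement(SAMPLE_FOREST_ROLES, SAMPLE_DOMAIN_ROLES, SAMPLE_GCS)
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARN: ", msg)
```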

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group

RID Master: member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out what servers in your domain/forest hold what server roles


1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move, and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).


2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree, and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the support tools, you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.


5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server, and add the name of a domain controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest /?" for syntax and switches.

Common uses:

• Get a list of all DCs in the domain
• Get the name of the PDC emulator
• Query or reset the secure channel for a server
• Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. To whom does a domain policy get applied?

Domain Policies are applied to computers and users who are members of a domain, and these policies are configured on domain controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the site level only) or Active Directory Users and Computers (these policies apply to the domain and/or Organizational Units).

Q3. From where do you create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name or another site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default, only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default, only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the site level, the domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: local policies first, then site based policies, then domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, domains, and OUs are considered container objects.

Computer and user Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific; they only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Login scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min interval, so the refresh could be 60, 90, or 120 mins. For DCs (Domain Controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes, Administrative Templates > System > Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection, Software Installation, Logon/Logoff/Startup/Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy      to refresh the user policies
secedit /refreshpolicy machine_policy   to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user      to refresh the user policies
gpupdate /target:machine   to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies; there is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These settings can be changed under the Computer and User nodes, Administrative Templates > System > Group Policy.


If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting them for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires. Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only. Rename Guest Account - when set at the domain level it affects the Domain Guest account only.

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed, and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed, and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
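The processing order (Local, Site, Domain, OU), the bottom-to-top link order within one container, and the No Override / Block Inheritance exceptions above can be modelled in a few lines. The following is an added example, not code from the original document; the container names, GPO names and settings are constructed for illustration and mirror the Human Resources OU example earlier in the text.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict             # constructed setting name -> value
    no_override: bool = False  # "No Override" set on the link


@dataclass
class Container:
    name: str
    # GPOs as listed on the Group Policy tab: top of the list first.
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False


def resolve(chain):
    """Effective settings for an object whose container chain, from Local
    out to the innermost OU, is `chain`.

    Returns {setting: (value, name of the GPO that supplied it)}.
    Later containers win on conflict. A GPO linked with No Override is
    applied after all ordinary GPOs and survives Block Inheritance; among
    No Override GPOs the one from the outermost container wins."""
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            # Block Inheritance drops everything inherited so far except
            # the No Override GPOs collected in `enforced`.
            normal = []
        # Bottom of the list is applied first, the top entry last.
        for gpo in reversed(container.gpos):
            (enforced if gpo.no_override else normal).append(gpo)
    effective = {}
    for gpo in normal + list(reversed(enforced)):
        for setting, value in gpo.settings.items():
            effective[setting] = (value, gpo.name)
    return effective


# Constructed sample hierarchy.
LOCAL = Container("Local", [
    GPO("Local Policy", {"wallpaper": "local.bmp", "windows_update": "enabled"}),
])
SITE = Container("Default-First-Site-Name")
DOMAIN = Container("contoso.com", [
    GPO("Default Domain Policy", {"min_password_length": 8}, no_override=True),
    GPO("Corporate Wallpaper", {"wallpaper": "corp.bmp"}),
])


def human_resources_ou(block_inheritance=False):
    # Same three GPOs as the text's Human Resources example: applied
    # No Windows Update first, then No Display Settings, then No ScreenSaver.
    return Container("Human Resources", [
        GPO("No ScreenSaver", {"screensaver": "disabled"}),
        GPO("No Display Settings", {"display_settings": "disabled"}),
        GPO("No Windows Update", {"windows_update": "disabled",
                                  "screensaver": "enabled"}),
    ], block_inheritance=block_inheritance)


def hr_effective(block_inheritance=False):
    """Settings a Human Resources OU member ends up with."""
    return resolve([LOCAL, SITE, DOMAIN, human_resources_ou(block_inheritance)])


if __name__ == "__main__":
    for blocked in (False, True):
        print(f"Block Inheritance on Human Resources = {blocked}")
        for setting, (value, source) in sorted(hr_effective(blocked).items()):
            print(f"  {setting:20} = {value!s:10} (from {source})")
```

With Block Inheritance on, the domain wallpaper disappears but the No Override password policy still applies.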

Q16. How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers, respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.


Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


object, concatenated with the relative distinguished names of all parent containers that make up the path to the object.

An example of a typical distinguished name would be:

CN=wjglenn,CN=Users,DC=contoso,DC=com

This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names

The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.

Canonical Names

An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name:

contoso.com/Users/wjglenn

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g. CN and DC).
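A small parser that turns a distinguished name into the canonical form described above, and shows how the DN changes when the object is moved. This is an added example rather than code from the original document; it handles only the CN, OU and DC tags, and the escaped-comma case (a value written as "Glenn\, William") goes slightly beyond the text but follows the standard LDAP DN escaping rule.

```python
import re

TAGS = ("CN", "OU", "DC")


def split_rdns(dn):
    """Split a DN on unescaped commas; a comma written as '\\,' stays
    inside its value."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parse_dn(dn):
    """Return (tag, value) pairs, the object's own RDN first."""
    rdns = []
    for rdn in split_rdns(dn):
        tag, sep, value = rdn.strip().partition("=")
        tag = tag.upper()
        if not sep or tag not in TAGS or not value:
            raise ValueError(f"unsupported RDN {rdn!r}")
        # Drop the escaping backslashes for display in the canonical form.
        rdns.append((tag, re.sub(r"\\(.)", r"\1", value)))
    return rdns


def dn_to_canonical(dn):
    """CN=wjglenn,CN=Users,DC=contoso,DC=com -> contoso.com/Users/wjglenn"""
    rdns = parse_dn(dn)
    dc = [v for t, v in rdns if t == "DC"]
    path = [v for t, v in rdns if t != "DC"]
    if not dc or not path:
        raise ValueError("a DN needs at least one DC and one CN/OU component")
    # Root first, then the containers from the top down, then the object.
    return "/".join([".".join(dc)] + path[::-1])


def parent_dn(dn):
    """The DN of the container holding the object."""
    return ",".join(split_rdns(dn)[1:])


def moved_dn(dn, new_parent_dn):
    """The DN the object has after being moved: its own RDN is kept and
    the rest of the path is replaced by the new container's DN."""
    return split_rdns(dn)[0] + "," + new_parent_dn


if __name__ == "__main__":
    dn = "CN=wjglenn,CN=Users,DC=contoso,DC=com"
    print(dn_to_canonical(dn))
    # Constructed target OU, as in the New Users example later in the text.
    moved = moved_dn(dn, "OU=New Users,DC=contoso,DC=com")
    print(moved, "->", dn_to_canonical(moved))
```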

Q13. What is multimaster replication?

Active Directory follows multimaster replication, in which every replica of the Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to the other domain controllers.

Q14. Which two operations master roles should be available when new security principals are being created and named?

Domain naming master and the relative ID master.


Q15. What are the different types of groups?

Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups: These are used for non-security purposes by applications other than Windows. One of the primary uses is within an e-mail

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16. What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.

2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e. the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.

3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.

2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.

2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.

3. Universal groups are used to assign permissions to related resources in multiple domains.


4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.

5. You can grant permissions for a universal group to any resource in any domain.
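The membership rules listed for the three scopes can be checked mechanically before a group change is made. This is an added example, not part of the original document; "account" covers both user and computer accounts, and one restriction goes beyond the text as a known Windows rule: a domain local group can only nest domain local groups from its own domain.

```python
from dataclasses import dataclass

NATIVE_LEVELS = {"Windows 2000 native", "Windows Server 2003"}
MIXED = "Windows 2000 mixed"


@dataclass(frozen=True)
class Principal:
    kind: str    # "account", "global", "domain local" or "universal"
    domain: str  # DNS name of the domain the principal lives in


def can_contain(group, member, level):
    """Return (allowed, reason) for adding `member` to `group` when the
    functional level is `level`."""
    native = level in NATIVE_LEVELS
    same_domain = member.domain == group.domain

    if group.kind == "global":
        if member.kind == "account":
            return same_domain, "global groups take accounts only from their own domain"
        if member.kind == "global":
            return (native and same_domain,
                    "global groups nest other global groups from the local domain, "
                    "and only at native level")
        return False, f"a {member.kind} group cannot be a member of a global group"

    if group.kind == "domain local":
        if member.kind in ("account", "global"):
            return True, "accounts and global groups from any domain are allowed"
        if member.kind == "universal":
            return native, "universal groups are allowed only at native level"
        if member.kind == "domain local":
            # Same-domain restriction is a known Windows rule beyond the text.
            return (native and same_domain,
                    "domain local groups nest only same-domain domain local "
                    "groups, and only at native level")

    if group.kind == "universal":
        if not native:
            return False, "universal groups exist only at native level"
        if member.kind in ("account", "global", "universal"):
            return True, "accounts, global and universal groups from any domain are allowed"
        return False, "a domain local group cannot be a member of a universal group"

    raise ValueError(f"unknown group scope: {group.kind!r}")


if __name__ == "__main__":
    # Constructed forest with two domains.
    juniors = Principal("global", "contoso.com")
    for member, level in [
        (Principal("account", "contoso.com"), MIXED),
        (Principal("account", "fabrikam.com"), MIXED),
        (Principal("global", "contoso.com"), MIXED),
        (Principal("global", "contoso.com"), "Windows Server 2003"),
    ]:
        ok, why = can_contain(juniors, member, level)
        print(f"{member.kind:8} from {member.domain:12} at {level:20}: {ok} ({why})")
```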

Q17. What are the items that groups of different scopes can contain in mixed and native mode domains?

Q18. What is group nesting?

Placing one group in another is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas Junior Admins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19. How many characters can a group name contain?

64

Q20. Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.


Q21. What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them:

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link, they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved for better performance and to add fault tolerance, load balancing, and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools, which can be used to make administrative backup and restoration tasks of the DFS namespaces easier. The client Windows operating system includes a DFS client, which provides additional features as well as caching.


Q22. What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for Domain DFS; and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24. What can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

Making changes to the site topology based on changes to the physical network topology. Tracking subnetting information for the network; this includes IP addresses, subnet masks, and the locations of the subnets. Monitoring network connectivity and setting the costs for links between sites.

Q1. What is DNS?

DNS provides name registration and name-to-address resolution capabilities, and DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand: these are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that these files were labor intensive. A host file is manually modified, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.


Q2. Which are the four generally accepted naming conventions?

NetBIOS Name (for instance SPRINGERS01)

TCP/IP Address (121133244)

Host Name (Abbey)

Media Access Control (MAC) address; this is the network adapter hardware address

Q3. How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps:

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to higher and higher-level name servers, until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.


Below are the steps explained with the help of a chart.

Figure 8-5: How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A) map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. They have three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.


2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain, even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.


One should use caution with wildcards specific records will be given precedence over ones containing wildcards

4 Pointer Records (PTR)

Although there are different ways to set up PTR records we will be explaining only the most frequently used method called ldquoin-addrarpardquo

In-addrarpa PTR records are the exact inverse of A records They allow your machine to be recognized by its IP address Resolving a machine in this fashion is called a ldquoreverse lookuprdquo It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page) Reverse lookups are a good security measure verifying that your machine is exactly who it claims to be In-addrarpa records look as such

613636in-addrarpa IN PTR ericfoobarbazcom

As you can see from the example for the A record in the beginning of this document the record simply has the IP address in reverse for the host name in the last column

A note for those who run their own name servers although Allegiance Internet is capable of pulling zones from your name server we cannot pull the inverse zones (these in-addrarpa records) unless you have been assigned a full class C network If you would like us to put PTR records in our name servers for you you will have to fill out the online web form on the supportallegianceinternetcom page

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple; they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of a SOA record; then each part of it will be explained.

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
    1996111901 ; Serial
    10800      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address, if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on their own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed.
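As an added example (not from the original document), the following Python code applies the serial rules just described: it reads the serial out of the SOA shown above, produces the next YYYYMMDDNN serial for an edit made on a given day, and decides whether a secondary would pull the zone. The comparison uses the wrap-around arithmetic that secondaries actually apply (RFC 1982), which the text does not go into; the SOA layout, dates and serials are constructed for the example.

```python
import datetime

SERIAL_SPACE = 2 ** 32   # the SOA serial is an unsigned 32-bit integer

# The SOA record from the text above, with ';' comments (constructed layout).
SAMPLE_SOA = """foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
    1996111901 ; Serial
    10800      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum
"""


def parse_soa_serial(soa_text: str) -> int:
    """Return the serial: the first numeric field after the opening
    parenthesis, ignoring ';' comments."""
    body = soa_text.split("(", 1)[1]
    for line in body.splitlines():
        for token in line.split(";", 1)[0].replace(")", " ").split():
            if token.isdigit():
                return int(token)
    raise ValueError("no serial found in SOA record")


def serial_newer(primary: int, secondary: int) -> bool:
    """True if a secondary holding serial `secondary` should pull the zone
    from a primary announcing serial `primary`.

    RFC 1982 serial arithmetic: `primary` is newer if it lies less than
    2**31 ahead of `secondary` modulo 2**32. Equal serials never transfer,
    and a difference of exactly 2**31 is undefined by the RFC, so it is
    treated as 'not newer' rather than triggering a transfer.
    """
    if primary == secondary:
        return False
    return 0 < (primary - secondary) % SERIAL_SPACE < 2 ** 31


def next_serial(current: int, today) -> int:
    """Serial to write after editing the zone on `today` (a datetime.date
    or an ISO 'YYYY-MM-DD' string), following the YYYYMMDDNN convention.

    First change of the day -> YYYYMMDD01; later changes the same day bump
    NN. If the stored serial is already beyond today's range (NN exhausted,
    a clock set backwards, or a serial that never used the convention), add
    one instead, so the new value is still newer in RFC 1982 terms and the
    secondaries keep transferring.
    """
    if isinstance(today, str):
        today = datetime.date.fromisoformat(today)
    day_base = int(today.strftime("%Y%m%d")) * 100   # YYYYMMDD00
    if current < day_base + 1:
        return day_base + 1
    if current < day_base + 99:
        return current + 1
    return (current + 1) % SERIAL_SPACE


if __name__ == "__main__":
    old = parse_soa_serial(SAMPLE_SOA)
    new = next_serial(old, "1996-11-19")
    print(old, "->", new, "secondary transfers:", serial_newer(new, old))
```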

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should keep using its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
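The record rules laid out in sections 3 to 6 (one SOA, at least two NS records each backed by an A record, a name rather than an address after CNAME, a 16-bit MX preference, PTR records under in-addr.arpa) can be checked mechanically. The Python below is an added example, not part of the original document: it parses the one-record-per-line layout used in the examples above (not full zone-file syntax) and reports the mistakes the text warns about, using a constructed sample zone that contains several of them.

```python
import ipaddress
import re
from collections import Counter

# One record per line: owner [ttl] IN TYPE rdata, with ';' comments. This is
# the layout of the examples above, not full zone-file syntax (no $ORIGIN,
# no multi-line parentheses, no blank owner fields).
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?IN\s+(?P<type>[A-Za-z]+)\s+(?P<rdata>.+)$",
    re.IGNORECASE,
)

# Constructed sample with several of the mistakes the text warns about.
SAMPLE_ZONE = """
; foobarbaz.com zone entry (constructed example)
foobarbaz.com        IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com ( 1996111901 10800 3600 3600000 86400 )
foobarbaz.com        IN NS  draven.foobarbaz.com
foobarbaz.com        IN NS  ns2.foobarbaz.com        ; no A record for ns2
draven.foobarbaz.com IN A   10.1.2.3
eric.foobarbaz.com   IN A   10.1.2.4
foobarbaz.com        IN MX  10 eric.foobarbaz.com
*.foobarbaz.com      IN MX  70000 eric.foobarbaz.com ; preference too large
www.foobarbaz.com    IN CNAME 192.168.0.1           ; alias must name a host
4.2.1.10.in-addr.arpa IN PTR eric.foobarbaz.com
"""


def _name(n: str) -> str:
    """Normalise a domain name for comparison (case, trailing dot)."""
    return n.lower().rstrip(".")


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text.strip().rstrip("."))
        return True
    except ValueError:
        return False


def parse_zone(text: str):
    """Return (records, problems); records are (owner, type, rdata) tuples."""
    records, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: cannot parse record: {line!r}")
            continue
        records.append((_name(m["owner"]), m["type"].upper(), m["rdata"].strip()))
    return records, problems


def lint_zone(text: str) -> list:
    """Apply the rules from the record descriptions above; return findings
    as strings (an empty list means the zone passed)."""
    records, findings = parse_zone(text)
    by_type = Counter(rtype for _, rtype, _ in records)
    a_owners = {owner for owner, rtype, _ in records if rtype == "A"}

    # Exactly one SOA, and at least two NS records, per zone.
    if by_type["SOA"] != 1:
        findings.append(f"zone must have exactly one SOA record, found {by_type['SOA']}")
    if by_type["NS"] < 2:
        findings.append(f"zone must have at least two NS records, found {by_type['NS']}")

    for owner, rtype, rdata in records:
        if rtype == "NS":
            # Every name server inside the zone needs its own A record.
            target = _name(rdata)
            if target.endswith("." + owner) and target not in a_owners:
                findings.append(f"NS target {target} has no A record in this zone")
        elif rtype == "CNAME":
            # An alias points at another domain name, never at an address.
            if is_ip(rdata):
                findings.append(f"CNAME {owner} points at IP {rdata}; rdata must be a domain name")
        elif rtype == "MX":
            # rdata is '<preference> <mail host>'; preference is unsigned 16-bit.
            parts = rdata.split()
            if len(parts) != 2 or not parts[0].isdigit():
                findings.append(f"MX {owner}: rdata must be '<preference> <mail host>'")
            elif int(parts[0]) > 65535:
                findings.append(f"MX {owner}: preference {parts[0]} exceeds 65535")
        elif rtype == "PTR":
            # Reverse records live under in-addr.arpa and point at a host name.
            if not owner.endswith(".in-addr.arpa"):
                findings.append(f"PTR {owner}: owner should be an in-addr.arpa name")
            if is_ip(rdata):
                findings.append(f"PTR {owner}: rdata must be a host name, not an IP")
    return findings


if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE):
        print(finding)
```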

Quick Summary of the major records in DNS

Record Type | Definition
Host (A) | Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.
Aliases (CNAME) | Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.
Nameservers (NS) | Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.
Pointer (PTR) | Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.
Mail Exchange (MX) | Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP. A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time. Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zones in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8. Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.


Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a STUB zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.


Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers via an external network load balancing appliance (i.e. F5's Big IP, Cisco's Content Switches/Local Directors). The main question being the configuration: whether to use 2 Master/Primary Servers, or is it wiser to use 1 Primary and 1 Secondary? The reason is that I feel there are two configurations that could be setup. One in which only the resolvers query the virtual IP address on the load balancing appliance, or actually configure your NS records to point to the Virtual Address so that all queries, i.e. both local queries directly from local users and also queries from external DNS servers, go there. I've included a text representation of the physical configuration. Have you ever heard of or architected such a configuration?


> VIP = 167.14.7.15
>  ------------------------------------
> |        Load Balancer Device        |
>  ------------------------------------
>                   |
>          -----------------
>          |               |
>  ----------------  ----------------
> |     DNS 1      ||     DNS 2      |
>  ----------------  ----------------
>      1.1.1.1            1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet? How can a local resolver or ISP's DNS server find the pointer records, please? E.g. I run nslookup 161.114.1.206 & get a reply for a Compaq server. How does it know where to look? Is there a giant reverse lookup zone in the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally these name servers map the IP address to inmail.compaq.com.
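The name construction in this answer, and in the PTR section earlier in the document, is mechanical, so here it is as an added Python example (not part of the original Q&A): it builds the PTR owner name for an address and lists the zones a resolver is referred through on the way to it. It generalizes the 161.114.1.206 walk-through to any IPv4 address and to IPv6 (ip6.arpa, one nibble per label); it derives everything from the address alone and does no network lookups, so the operators of each step (ARIN, Compaq in the text) are not part of it.

```python
import ipaddress


def reverse_name(address: str) -> str:
    """Return the PTR owner name for an IP address.

    IPv4: the octets reversed under in-addr.arpa (161.114.1.206 becomes
    206.1.114.161.in-addr.arpa). IPv6: the 32 hex nibbles of the expanded
    address reversed under ip6.arpa, the form every resolver uses.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")       # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def delegation_chain(address: str) -> list:
    """Return the zone names a resolver can be referred through, from the
    root down to the full PTR owner name, one label at a time.

    For 161.114.1.206 that is ['.', 'arpa', 'in-addr.arpa',
    '161.in-addr.arpa', '114.161.in-addr.arpa', '1.114.161.in-addr.arpa',
    '206.1.114.161.in-addr.arpa']. Real delegations may skip or group
    labels (a /16 holder serves two labels at once, as ARIN does for 161
    and 114.161 in the answer above), but each referral lands on one of
    these names.
    """
    labels = reverse_name(address).split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]))
    return chain


if __name__ == "__main__":
    for zone in delegation_chain("161.114.1.206"):   # the address from the question
        print(zone)
```

A PTR answer is only as trustworthy as whoever administers the address block, so a service that relies on it should also resolve the returned name forward and check that it maps back to the same address.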


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my business. I have looked into having a primary master server running in my server room and adding slave servers in the other areas. I then thought I could just setup a primary and a single slave server and run caching only servers in the other areas. What are the pros and cons of these two options, or should I run a slave server in every location and still have a caching server with it? I just don't know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to setup TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain, and I'm not sure that I have DNS setup properly. If the machine that is running the mail is the name of the domain, does there need to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for the zone we are authoritative for? The parent name server handles these already. Is there any problem if our own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is all this traffic happening on TCP? For example, if you have ACLs blocking UDP traffic but allowing TCP traffic, will the transfer work, or will it fail due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm wondering why there are only 13 root servers globally. Some documents explain that one of the reasons is a technical limit in the Domain Name System (without any detailed explanation). From my understanding, it seems to be some limitation on the number of NS records in a DNS packet that is specified by certain RFCs, or just Internet policy stuff. Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the FIVE FSMO roles?

Schema Master - Forest level - One per forest
Domain Naming Master - Forest level - One per forest
PDC Emulator - Domain level - One per domain
RID Master - Domain level - One per domain
Infrastructure Master - Domain level - One per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.
• Time synchronization for the domain.
• Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object, such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs, and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as a NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing, and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain, by default, holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain, and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server. The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory, unlike the Infrastructure Master and Global Catalog server rule above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another, as well as to a Global Catalog server.
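The placement guidance above can be checked against a planned layout before roles are moved. The Python below is an added example, not part of the original document: the role-holder map, the set of Global Catalog servers and the domain count are constructed input, and the rules are exactly the ones stated in this section (the Infrastructure Master kept off a Global Catalog in a multi-domain forest, the Domain Naming Master on a Global Catalog, Schema/Domain Naming together and PDC/RID together as recommendations).

```python
ROLES = ("schema", "domain_naming", "pdc", "rid", "infrastructure")


def check_fsmo_placement(holders: dict, global_catalogs: set, domain_count: int) -> list:
    """Return (severity, message) tuples for a planned placement.

    holders maps each role in ROLES to a DC name; global_catalogs is the set
    of DCs that are Global Catalog servers; domain_count is the number of
    domains in the forest. 'error' marks the rules the text says must hold,
    'warning' marks its recommendations. An empty list means the plan passes.
    """
    findings = []
    missing = [role for role in ROLES if role not in holders]
    if missing:
        return [("error", "no holder given for roles: " + ", ".join(missing))]

    # An Infrastructure Master on a GC in a multi-domain forest never sees a
    # stale cross-domain reference, so it never replicates the updates.
    if domain_count > 1 and holders["infrastructure"] in global_catalogs:
        findings.append(("error", f"Infrastructure Master {holders['infrastructure']} "
                                  "is a Global Catalog server in a multi-domain forest"))

    # The Domain Naming Master must be on a GC; the Schema Master, which is
    # meant to sit with it, should be on one too.
    for role, label in (("domain_naming", "Domain Naming Master"), ("schema", "Schema Master")):
        if holders[role] not in global_catalogs:
            severity = "error" if role == "domain_naming" else "warning"
            findings.append((severity, f"{label} {holders[role]} is not a Global Catalog server"))

    # Recommended pairings.
    if holders["schema"] != holders["domain_naming"]:
        findings.append(("warning", "Schema Master and Domain Naming Master are on different servers"))
    if holders["pdc"] != holders["rid"]:
        findings.append(("warning", "PDC Emulator and RID Master are on different servers"))
    return findings


# Constructed two-domain layout: DC1 is the only GC and also holds the
# Infrastructure Master, which is the placement the text warns against.
SAMPLE_HOLDERS = {"schema": "DC1", "domain_naming": "DC1",
                  "pdc": "DC2", "rid": "DC2", "infrastructure": "DC1"}
SAMPLE_GCS = {"DC1"}

if __name__ == "__main__":
    for severity, message in check_fsmo_placement(SAMPLE_HOLDERS, SAMPLE_GCS, 2):
        print(f"{severity}: {message}")
```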

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group
Domain Naming Master: member of the Enterprise Admins group
PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
RID Master: member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out what servers in your domain/forest hold what server roles


1. Active Directory Users and Computers: use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move, and click the Change button. When you do connect to another DC, you will notice the name of that DC in the field below the Change button (not in this graphic).


2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree, and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the support tools, you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command-line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest" for syntax and switches.

Common uses:

Get a list of all DCs in the domain.

Get the name of the PDC emulator.

Query or reset the secure channel for a server.

Call DsGetDCName to query for an available domain controller.

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to Transfer and Seize a FSMO Role?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a domain, and these policies are configured on domain controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right-click Default-First-Site-Name or another site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right-click the Domain or an OU and choose Properties.

Q4. Who can Create/Modify Group Policies?

You have to have administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already-created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies Applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to which objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user-specific; they only apply to the user that is logged on. When creating Domain Group Policies, you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 mins with a +/- 30 min interval, so the refresh could be 60, 90 or 120 mins. For DCs (domain controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes, Administrative Templates\System\Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection, Software Installation, Logon/Logoff/Startup/Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy to refresh the user policies
secedit /refreshpolicy machine_policy to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user to refresh the user policies
gpupdate /target:computer to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These settings can be changed under the Computer and User nodes, Administrative Templates\System\Group Policy.

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs: log in to the domain and you get the domain policy, log in locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires; Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only; Rename Guest Account - when set at the domain level it affects the Domain Guest account only.

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.

Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed, and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed, and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
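A constructed Python model of the precedence rules described in Q5, "Resolving GPOs from Multiple Sources" and Q15 (an added example, not part of the original document): the container and GPO names are made up, settings are plain strings standing in for real policy items, and the function reports which GPO supplied each effective setting so a conflict can be traced.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]
    no_override: bool = False   # "No Override" set on the link to this GPO


@dataclass
class Container:
    name: str
    # GPOs in the order shown on the Group Policy tab: top entry first
    gpos: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False


def resolve(chain: List[Container]) -> Dict[str, Tuple[str, str]]:
    """chain is ordered Local, Site, Domain, OU, nested OU (LSDOU).

    Returns setting -> (value, name of the GPO that supplied it).
    """
    applied: List[GPO] = []
    for container in chain:
        if container.block_inheritance:
            # Block Inheritance discards the parents' GPOs, but links marked
            # No Override survive it (the parent wins, as stated in Q15)
            applied = [g for g in applied if g.no_override]
        # within one container the list is applied bottom to top, so the
        # top entry is applied last and takes precedence
        applied.extend(reversed(container.gpos))

    effective: Dict[str, Tuple[str, str]] = {}
    # ordinary GPOs: the one applied later (closer to the object) wins
    for gpo in applied:
        if not gpo.no_override:
            for key, value in gpo.settings.items():
                effective[key] = (value, gpo.name)
    # No Override GPOs are applied after everything else; walking them from the
    # deepest container back up means the highest-level enforced GPO wins
    for gpo in reversed(applied):
        if gpo.no_override:
            for key, value in gpo.settings.items():
                effective[key] = (value, gpo.name)
    return effective


def hr_example(block: bool) -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: a Human Resources OU with three GPOs under a
    domain that has one enforced lockdown GPO; 'block' toggles Block Inheritance."""
    local = Container("Local", [GPO("Local Policy", {"screensaver": "enabled",
                                                      "wallpaper": "local"})])
    site = Container("Default-First-Site-Name")
    domain = Container("corp.example", [
        GPO("Domain Lockdown", {"windows_update": "enabled"}, no_override=True),
        GPO("Default Domain Policy", {"screensaver_timeout": "900"}),
    ])
    hr = Container("Human Resources OU", [
        GPO("No Windows Update", {"windows_update": "disabled"}),
        GPO("No Display Settings", {"display_settings": "locked",
                                    "screensaver_timeout": "600"}),
        GPO("No ScreenSaver", {"screensaver": "disabled",
                               "screensaver_timeout": "300"}),
    ], block_inheritance=block)
    return resolve([local, site, domain, hr])


if __name__ == "__main__":
    for key, (value, source) in sorted(hr_example(block=True).items()):
        print(f"{key:20} = {value:10} (from {source})")
```

With Block Inheritance on the OU, the local wallpaper setting is dropped, the enforced domain GPO still turns Windows Update back on, and the top-listed OU GPO wins the screensaver timeout conflict.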

Q16. How to Redirect New User and Computer Accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored. Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.

Q15. What are the different types of groups?

Security groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.

Distribution groups: These are used for non-security purposes by applications other than Windows. One of the primary uses is within e-mail.

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers.

Q16. What is a group scope, and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local and universal.

Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.

Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17. What are the items that groups of different scopes can contain in mixed-mode and native-mode domains?

Q18. What is group nesting?

Placing one group in another is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas JuniorAdmins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19. How many characters can a group name contain?

64

Q20. Is a site part of the Active Directory namespace?

No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.

Q21. What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link, they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, improved for better performance, additional fault tolerance, load balancing and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools which can be used to make administrative, backup and restoration tasks for DFS namespaces easier. The client Windows operating system includes a DFS client, which provides additional features as well as caching.

Q22. What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for domain DFS, and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24. What all can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

Making changes to the site topology based on changes to the physical network topology.
Tracking subnetting information for the network. This includes IP addresses, subnet masks and the locations of the subnets.
Monitoring network connectivity and setting the costs for links between sites.

Q1. What is DNS?

DNS provides name registration and name-to-address resolution capabilities, and DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand: these are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that these files were labor intensive. A host file is manually modified, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.

Q2. Which are the four generally accepted naming conventions?

NetBIOS Name (for instance, SPRINGERS01)

TCP/IP Address (121133244)

Host Name (Abbey)

Media Access Control (MAC) - this is the network adapter hardware address

Q3. How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to higher and higher-level name servers until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.

Below are the steps explained with the help of a chart.

Figure 8-5: How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A) - map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. They have three fields: Host Name, Domain, Host IP Address.

E.g. eric.foobarbaz.com IN A 363616

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.

2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases; a new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain, even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format: it is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record; some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

20

One should use caution with wildcards specific records will be given precedence over ones containing wildcards
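The following is an added example, not code from the original page: it shows how a sending mail server chooses a destination from the records above, including the wildcard rule and the fall-back to an A record when a name has no MX at all. The zone data is constructed; the backup, lab and only-a hosts and their addresses are assumptions.

```python
# Added example (not from the original page): how a sending mail server picks a
# destination from MX records, including the wildcard rule and the fall-back to
# an A record when a name has no MX at all.  The zone data is constructed; the
# backup/lab/only-a hosts and their addresses are assumptions.
from typing import Dict, List, Optional, Set, Tuple

# name -> list of (type, data); MX data is (preference, host), A data is an address
ZONE: Dict[str, List[Tuple[str, object]]] = {
    "foobarbaz.com":        [("MX", (20, "backup.foobarbaz.com")),
                             ("MX", (10, "eric.foobarbaz.com"))],
    "*.foobarbaz.com":      [("MX", (10, "eric.foobarbaz.com"))],     # wildcard MX from the text
    "eric.foobarbaz.com":   [("A", "36.36.1.6")],
    "backup.foobarbaz.com": [("A", "36.36.1.7")],                     # assumed
    "lab.foobarbaz.com":    [("A", "36.36.1.8"),                      # assumed: has its own MX
                             ("MX", (5, "lab.foobarbaz.com"))],
    "only-a.foobarbaz.com": [("A", "36.36.1.9")],                     # assumed: A record only
}


def lookup(name: str, rtype: str) -> List[object]:
    """Records of one type at a name.  A wildcard (*.parent) applies only when
    the exact name has no records of any type (simplified: one label deep)."""
    if name in ZONE:
        return [data for t, data in ZONE[name] if t == rtype]
    parent = name.split(".", 1)[1] if "." in name else ""
    return [data for t, data in ZONE.get("*." + parent, []) if t == rtype]


def mail_targets(domain: str) -> List[Tuple[int, str]]:
    """Hosts to try for mail to @domain, lowest preference number first.
    No MX records at all: the domain's own A record is the implicit target."""
    mx = sorted(lookup(domain, "MX"))
    if mx:
        return mx
    return [(0, domain)] if lookup(domain, "A") else []


def deliver(domain: str, unreachable: Set[str]) -> Optional[str]:
    """Address the mailer ends up connecting to, walking the list in priority
    order and skipping hosts that are down; None when nothing is reachable."""
    for _pref, host in mail_targets(domain):
        for addr in lookup(host, "A"):
            if addr not in unreachable:
                return addr
    return None
```

Note that only-a.foobarbaz.com is not matched by the wildcard even though it has no MX of its own, because the name exists; that is the precedence rule the caveat above describes.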

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records: they allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). A reverse lookup is a sanity check rather than proof of identity: the PTR record is published by whoever controls the address block, so a careful service also resolves the returned name forward and accepts it only if it maps back to the original address (forward-confirmed reverse DNS). In-addr.arpa records look like this:

6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example A record at the beginning of this section, the record simply has the octets of the IP address in reverse order, followed by in-addr.arpa, with the host name in the last column.
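An added example (not from the original page) of building the in-addr.arpa name for an address and doing the forward-confirmed check described above, against a small constructed record table. The second PTR entry is an assumption added to show a reverse name that does not check out.

```python
# Added example (not from the original page): building the in-addr.arpa name
# for an address and doing a forward-confirmed reverse lookup against a small
# constructed record table.  The second PTR entry is an assumption added to show
# a reverse name that does not check out.
import ipaddress
from typing import Dict, List, Optional


def reverse_name(ip: str) -> str:
    """36.36.1.6 -> 6.1.36.36.in-addr.arpa (octets reversed, suffix appended).
    ipaddress.IPv4Address also exposes this as .reverse_pointer."""
    addr = ipaddress.IPv4Address(ip)            # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"


PTR: Dict[str, str] = {
    "6.1.36.36.in-addr.arpa": "eric.foobarbaz.com",
    "7.1.36.36.in-addr.arpa": "eric.foobarbaz.com",   # assumed: PTR claims a name it does not own
}
A: Dict[str, List[str]] = {
    "eric.foobarbaz.com": ["36.36.1.6"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    """The PTR target for an address, or None if there is no reverse record."""
    return PTR.get(reverse_name(ip))


def forward_confirmed(ip: str) -> bool:
    """Accept the PTR name only if it resolves forward to the same address.
    Whoever controls the address block can publish any PTR text, so the
    reverse answer on its own says nothing reliable about the host."""
    name = reverse_lookup(ip)
    return name is not None and ip in A.get(name, [])
```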

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to a functioning DNS entry. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There must also be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; each part of it is explained below.

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
        1996111901      ; Serial
        10800           ; Refresh
        3600            ; Retry
        3600000         ; Expire
        86400 )         ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address, if you substitute "@" for the first ".": hostmaster@foobarbaz.com. There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on their own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed. (Serials are 32-bit values compared with wrap-around arithmetic, so a serial that was accidentally set far too high cannot simply be lowered again: secondaries would treat the smaller number as older and never transfer.)

Also a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying the primary again after a refresh attempt fails. "Expire" is how long the secondary server may keep serving its current copy if it is unable to complete a refresh; past that point it stops answering for the zone. "Minimum" was originally how long other name servers should cache this entry; in current servers (RFC 2308) it is the negative-caching TTL for the zone, and the default TTL of records is set separately (for example with a $TTL directive).

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
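An added example (not from the original page) of the serial and timer rules just described: the YYYYMMDDNN serial convention, the wrap-around comparison secondaries use, and the refresh/retry/expire decisions a secondary makes from the SOA timers. Time is a simulated second counter; nothing is sent on the network, and the timer values are the ones from the SOA above.

```python
# Added example (not from the original page): the YYYYMMDDNN serial convention
# and the refresh/retry/expire decisions a secondary makes from the SOA timers.
# Time is a simulated second counter; nothing is sent on the network.
from dataclasses import dataclass
from typing import Optional

SERIAL_BITS = 32      # serials are 32-bit and compared with wrap-around arithmetic (RFC 1982)


def next_serial(current: int, today: int) -> int:
    """today is YYYYMMDD as an integer, e.g. int(date.today().strftime('%Y%m%d')).
    The first change of the day becomes YYYYMMDD00; later changes the same day
    (or a serial that is already past today's date) just add one."""
    base = today * 100
    return base if current < base else current + 1


def serial_newer(candidate: int, reference: int) -> bool:
    """True if candidate is 'after' reference in 32-bit serial space."""
    diff = (candidate - reference) % (1 << SERIAL_BITS)
    return 0 < diff < (1 << (SERIAL_BITS - 1))


@dataclass
class SecondaryZone:
    serial: int
    refresh: int        # seconds between checks of the primary's serial
    retry: int          # seconds to wait after a failed check
    expire: int         # seconds the last good copy may still be served
    last_ok: int = 0    # simulated time of the last successful check
    next_check: int = 0

    def tick(self, now: int, primary_serial: Optional[int]) -> str:
        """One pass of the refresh loop at simulated time `now`.  primary_serial
        is None when the primary cannot be reached.  Returns the action taken."""
        if now < self.next_check:
            return "wait"
        if primary_serial is None:
            self.next_check = now + self.retry
            if now - self.last_ok > self.expire:
                return "expired"        # stop answering authoritatively for the zone
            return "retry"
        self.last_ok = now
        self.next_check = now + self.refresh
        if serial_newer(primary_serial, self.serial):
            self.serial = primary_serial
            return "transfer"           # pull the zone (AXFR/IXFR)
        return "unchanged"
```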

Quick Summary of the major records in DNS

Record Type: Definition

Host (A): Maps host name to IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps IP address to host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Service (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.
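An added example (not from the original page) that pulls the rules from the record sections above into one consistency check over zone lines written the way the records above are: a CNAME must point at a name, not an address; one CNAME and nothing else at a name; at least two NS records; every in-zone NS or MX target needs an A record and must not be a CNAME; exactly one SOA. The sample zone and draven's address are constructed.

```python
# Added example (not from the original page): a consistency check over zone
# lines written the way the records above are, catching the mistakes the text
# warns about (a name is not an IP, one CNAME and nothing else at a name, at
# least two NS, every in-zone NS/MX target needs an A record and must not be a
# CNAME, exactly one SOA).  The sample zone and draven's address are constructed.
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, List, Tuple

Record = Tuple[str, List[str]]          # (type, rdata fields)


def parse_zone(text: str) -> Dict[str, List[Record]]:
    """Parse 'owner [ttl] IN TYPE rdata...' lines; ';' starts a comment."""
    zone: Dict[str, List[Record]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        upper = [f.upper() for f in fields]
        if "IN" not in upper:
            raise ValueError(f"no class field: {raw}")
        i = upper.index("IN")                     # an optional TTL may precede the class
        owner = fields[0].rstrip(".").lower()
        rdata = [f.rstrip(".").lower() for f in fields[i + 2:]]
        zone[owner].append((upper[i + 1], rdata))
    return dict(zone)


def is_ip(text: str) -> bool:
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def lint(zone: Dict[str, List[Record]], apex: str) -> List[str]:
    problems: List[str] = []
    has_a = {n for n, recs in zone.items() if any(t == "A" for t, _ in recs)}

    def in_zone(n: str) -> bool:
        return n == apex or n.endswith("." + apex)

    soa = sum(1 for t, _ in zone.get(apex, []) if t == "SOA")
    if soa != 1:
        problems.append(f"{apex}: expected exactly one SOA, found {soa}")
    ns = [d[0] for t, d in zone.get(apex, []) if t == "NS"]
    if len(ns) < 2:
        problems.append(f"{apex}: need at least two NS records, found {len(ns)}")
    for name, recs in zone.items():
        types = [t for t, _ in recs]
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{name}: a CNAME must be the only record at its name")
        for rtype, rdata in recs:
            target = rdata[-1] if rdata else ""
            if rtype == "CNAME":
                if is_ip(target):
                    problems.append(f"{name}: CNAME must point to a name, not {target}")
                elif in_zone(target) and target not in has_a:
                    problems.append(f"{name}: CNAME target {target} has no A record")
            elif rtype in ("NS", "MX") and in_zone(target):
                if target not in has_a:
                    problems.append(f"{name}: {rtype} target {target} has no A record")
                if any(t == "CNAME" for t, _ in zone.get(target, [])):
                    problems.append(f"{name}: {rtype} target {target} is a CNAME")
    return problems


# Constructed sample in the page's own style, with two deliberate mistakes.
SAMPLE = """
foobarbaz.com.        IN SOA   draven.foobarbaz.com. hostmaster.foobarbaz.com. 1996111901 10800 3600 3600000 86400
foobarbaz.com.        IN NS    draven.foobarbaz.com.
foobarbaz.com.        IN MX    10 eric.foobarbaz.com.
draven.foobarbaz.com. IN A     36.36.1.2        ; assumed address
eric.foobarbaz.com.   IN A     36.36.1.6
www.foobarbaz.com.    IN CNAME eric.foobarbaz.com.
mail.foobarbaz.com.   IN CNAME 36.36.1.6        ; wrong: an address, not a name
ftp.foobarbaz.com.    IN CNAME eric.foobarbaz.com.
ftp.foobarbaz.com.    IN A     36.36.1.6        ; wrong: CNAME mixed with another record
"""


def check_sample() -> List[str]:
    return lint(parse_zone(SAMPLE), "foobarbaz.com")
```

The parser accepts the optional TTL field between the owner and the class, so a line such as "foo.example 300 IN A 10.0.0.1" parses the same way as the records above.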

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make management easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zone types in DNS.

DNS servers can contain primary and secondary zones. A primary zone is the copy of a zone in which updates can be made, while a secondary zone is a read-only copy of a primary zone. For fault tolerance and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone has exactly one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8. Short summary of the records in DNS

NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.

Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities onto your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model the primary server for the zone represents a single fixed point of failure: if this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model. In this model any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone. For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Leaving nonsecure updates enabled lets any host that can reach the server overwrite any record in the zone, including other machines' names. The ACLs on DNS-related Active Directory objects govern who may write to the zone (secure dynamic updates and administrative edits); they do not restrict who can query it.

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via dynamic DNS (DDNS), but you can also scavenge manually added records, also referred to as static records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server kicks off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.
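An added example (not from the original page) of the aging test behind scavenging. Windows DNS keeps a timestamp on dynamically registered records and applies two intervals, no-refresh and refresh (7 days each by default): a record may be refreshed only after the no-refresh interval, and becomes eligible for scavenging once no refresh has arrived within no-refresh plus refresh. The sample records, their timestamps and the clock value are constructed.

```python
# Added example (not from the original page): the aging test behind scavenging.
# Windows DNS keeps a timestamp on dynamically registered records and two
# intervals, no-refresh and refresh (7 days each by default); the sample
# records, their timestamps and the clock value are constructed.
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

DAY = timedelta(days=1)


class DnsRecord(NamedTuple):
    name: str
    address: str
    timestamp: Optional[datetime]      # None: static (manually added), never aged


def refresh_allowed(rec: DnsRecord, now: datetime, no_refresh: timedelta = 7 * DAY) -> bool:
    """A client re-registration may move the timestamp forward only after the
    no-refresh interval; identical re-registrations inside it are ignored so
    that they do not cause replication traffic."""
    return rec.timestamp is not None and now >= rec.timestamp + no_refresh


def is_stale(rec: DnsRecord, now: datetime, no_refresh: timedelta = 7 * DAY,
             refresh: timedelta = 7 * DAY) -> bool:
    """Eligible for scavenging once no refresh arrived within no-refresh + refresh."""
    return rec.timestamp is not None and now >= rec.timestamp + no_refresh + refresh


def scavenge(records: List[DnsRecord], now: datetime) -> Tuple[List[DnsRecord], List[DnsRecord]]:
    """Split records into (kept, removed) the way a scavenging pass would."""
    removed = [r for r in records if is_stale(r, now)]
    kept = [r for r in records if not is_stale(r, now)]
    return kept, removed


NOW = datetime(2024, 1, 15, 3, 0)                    # constructed clock
SAMPLE = [
    DnsRecord("ws1.foobarbaz.com", "10.0.0.1", NOW - 20 * DAY),   # last refreshed 20 days ago
    DnsRecord("ws2.foobarbaz.com", "10.0.0.2", NOW - 10 * DAY),   # may refresh, not yet stale
    DnsRecord("ws3.foobarbaz.com", "10.0.0.3", NOW - 2 * DAY),    # inside the no-refresh window
    DnsRecord("srv.foobarbaz.com", "10.0.0.9", None),             # static record
]
```

With the defaults a record therefore survives at least 14 days without a refresh before a scavenging pass (which itself runs every 7 days by default) can remove it.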

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers via an external network load balancing appliance (i.e. F5's Big IP, Cisco's Content Switches, Local Directors). The main question being the configuration: whether to use 2 Master/Primary Servers or is it wiser to use 1 Primary and 1 Secondary? The reason is that I feel there are two configurations that could be set up: one in which only the resolvers query the virtual IP address on the load balancing appliance, or actually configure your NS records to point to the Virtual Address so that all queries, i.e. both local queries directly from local users and also queries from external DNS servers. I've included a text representation of the physical configuration. Have you ever heard of or architected such a configuration?
>
> VIP = 16714715
>         [ Load Balancer Device ]
>              |           |
>         [ DNS 1 ]     [ DNS 2 ]
>           1111          1112

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet? How can a local resolver or ISP's DNS server find the pointer records, please? E.g. I run nslookup 161.114.1.206 & get a reply for a Compaq server. How does it know where to look? Is there a giant reverse lookup zone in the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
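An added example (not from the original page, and not part of the answer above) of iterative resolution by following referrals. It serves two passages: the stub-zone resolution described in Q10 to Q12 earlier, where the server starts at the NS servers from the stub zone and falls back to its root hints when none of them can be reached, and the reverse-mapping walk in the answer above (root, then ARIN, then Compaq). The delegation table is constructed; the server names a.root-servers.net, ns.arin.net and ns1/ns2.compaq.com are assumptions, as is the stale stub zone used in the last scenario.

```python
# Added example (not from the original page): iterative resolution by following
# referrals, starting either from root hints or from the NS records of a stub
# zone.  The delegation table is constructed; the server names a.root-servers.net,
# ns.arin.net and ns1/ns2.compaq.com are assumptions.
from typing import Dict, List, Optional, Set, Tuple

COMPAQ = {"answers": {("206.1.114.161.in-addr.arpa", "PTR"): "inmail.compaq.com"}}
SERVERS: Dict[str, dict] = {
    "a.root-servers.net": {"delegations": {"161.in-addr.arpa": ["ns.arin.net"]}},
    "ns.arin.net": {"delegations": {"1.114.161.in-addr.arpa": ["ns1.compaq.com", "ns2.compaq.com"]}},
    "ns1.compaq.com": COMPAQ,
    "ns2.compaq.com": COMPAQ,
}
ROOT_HINTS = ["a.root-servers.net"]


def encloses(zone: str, name: str) -> bool:
    return name == zone or name.endswith("." + zone)


def ask(server: str, name: str, rtype: str) -> Tuple[str, object]:
    """One non-recursive query: ('answer', data), ('referral', servers) or ('nxdomain', None)."""
    info = SERVERS[server]
    if (name, rtype) in info.get("answers", {}):
        return "answer", info["answers"][(name, rtype)]
    matches = [(z, s) for z, s in info.get("delegations", {}).items() if encloses(z, name)]
    if matches:
        return "referral", max(matches, key=lambda zs: len(zs[0]))[1]   # closest delegation
    return "nxdomain", None


def resolve(name: str, rtype: str, stub_zones: Optional[Dict[str, List[str]]] = None,
            down: Optional[Set[str]] = None) -> Tuple[Optional[str], List[str]]:
    """Returns (answer, servers queried in order).  A stub zone enclosing the name
    makes its NS servers the starting point; if none of them can be reached the
    resolver falls back to normal recursion from the root hints."""
    down = down or set()
    start = ROOT_HINTS
    for zone, servers in (stub_zones or {}).items():
        if encloses(zone, name):
            start = servers
    queried: List[str] = []
    chains = [start] if start is ROOT_HINTS else [start, ROOT_HINTS]
    for chain in chains:
        servers = [s for s in chain if s not in down]
        for _ in range(16):                     # bounds a delegation loop
            if not servers:
                break
            server = servers.pop(0)
            queried.append(server)
            kind, data = ask(server, name, rtype)
            if kind == "answer":
                return data, queried
            if kind == "nxdomain":
                return None, queried
            servers = [s for s in data if s not in down]
    return None, queried
```

With a stub zone for 1.114.161.in-addr.arpa the walk skips the root and ARIN hops entirely; if the only server the stub zone lists is unreachable, the resolver starts over from the root hints and reaches the second Compaq server that the stub zone did not know about.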

Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my business. I have looked into having a primary master server running in my server room and adding slave servers in the other areas. I then thought I could just set up a primary and a single slave server and run caching-only servers in the other areas. What are the pros and cons of these two options, or should I run a slave server in every location and still have a caching server with it? I just don't know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain, and I'm not sure that I have DNS set up properly. If the machine that is running the mail is the name of the domain, does there need to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX record for a backup mail server?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for the zone we are authoritative for? The parent name server handles these already. Is there any problem if our own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.
- Your name servers use the NS records to determine where to send NOTIFY messages.
- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is all this traffic happening on TCP? For example, if you have ACLs blocking UDP traffic but allowing TCP traffic, will the transfer work, or will it fail due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm very much wondering why there are only 13 root servers globally. Some documents explain that one of the reasons is a technical limit on the Domain Name System (without any detailed explanation). From my understanding it seems that some limitation of NS record numbers in a DNS packet is specified by certain RFCs, or is it just Internet policy stuff? Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP informationhttpwwwmenandmicecomonline_docs_and_faqglossaryglossarytochtm

Q1. What are the five FSMO roles?

Role                    Level          Count
Schema Master           Forest level   One per forest
Domain Naming Master    Forest level   One per forest
PDC Emulator            Domain level   One per domain
RID Master              Domain level   One per domain
Infrastructure Master   Domain level   One per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain the PDC emulator role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object, such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in the domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.
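An added example (not from the original page) that simulates the RID pool mechanism just described: the RID master hands out disjoint blocks, each DC draws from its own block and asks for a new one when it falls below a threshold, so DCs keep creating principals while the RID master is unreachable and stop only when their local pool is empty. The domain SID, pool size and threshold are constructed values.

```python
# Added example (not from the original page): a simulation of RID pool
# allocation.  The domain SID, pool size and request threshold are constructed
# values; it shows why DCs keep creating principals while the RID master is
# unreachable, and why they eventually stop.
from typing import List, Optional

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
FIRST_RID = 1000                                           # lower RIDs are reserved for well-known principals


class RidMaster:
    """The single DC that hands out disjoint RID blocks from the domain's unallocated pool."""

    def __init__(self, pool_size: int = 500):
        self.pool_size = pool_size
        self.next_free = FIRST_RID
        self.online = True

    def allocate(self) -> Optional[range]:
        if not self.online:
            return None
        block = range(self.next_free, self.next_free + self.pool_size)
        self.next_free += self.pool_size
        return block


class DomainController:
    def __init__(self, name: str, master: RidMaster, threshold: int = 50):
        self.name, self.master, self.threshold = name, master, threshold
        self.pool: List[int] = []
        self.refill()

    def refill(self) -> bool:
        """Ask the RID master for another block; False if it cannot be reached."""
        block = self.master.allocate()
        if block is None:
            return False
        self.pool.extend(block)
        return True

    def create_principal(self) -> Optional[str]:
        """SID of a new user/group/computer, or None once the local pool is empty."""
        if len(self.pool) < self.threshold:
            self.refill()                  # request early; a failure here is not yet fatal
        if not self.pool:
            return None
        return f"{DOMAIN_SID}-{self.pool.pop(0)}"
```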

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by an object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO to promote the first DC of a new domain or to demote the last DC of an existing one). If it is not, then the domain cannot be added or removed. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs, and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are the FSMO server roles found?

The first domain controller installed in a forest holds all five FSMO server roles by default; the first domain controller of each additional domain holds that domain's three domain-level roles. Then, as more domain controllers are added, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All five FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where should the FSMO roles be placed?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to Microsoft, the Domain Naming Master needs to be on a Global Catalog server. If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue, and the same holds when every domain controller in the domain is a Global Catalog server, since there are then no non-GC domain controllers left that need the updates.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog separation above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and have high bandwidth connections to one another, as well as to a Global Catalog server.

Q7. What permissions must you have in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group
Domain Naming Master: member of the Enterprise Admins group
PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
RID Master: member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Which tools show what servers in your domain/forest hold which server roles?

1. Active Directory Users and Computers: use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these three FSMO roles.

Open Active Directory Users and Computers, right-click on the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move the role to. Do this by right-clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller and then click the Change button. You can connect to another domain controller by right-clicking Active Directory Domains and Trusts at the top of the snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the support tools, you can open a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right-click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command-line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command-line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders

Part of the Microsoft Windows 2000 Server Resource Kit

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders

Calls NTDSUTIL to get this information

7. NLTEST

Command-line tool to perform common network administrative tasks

Type "nltest" for syntax and switches

Common uses:

Get a list of all DCs in the domain

Get the name of the PDC emulator

Query or reset the secure channel for a server

Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9 How to Transfer and Seize a FSMO Role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

GROUP POLICY

Q1 What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2 Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3 From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right-click Default-First-Site-Name or another Site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right-click the Domain or an OU and choose Properties.

Q4 Who can create/modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type - Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5 How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6 How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column - a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7 When do the group policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8 When does the group policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could be 60, 90 or 120 minutes. For DCs (Domain Controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates, System, Group Policy.

Q9 Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection

Software Installation

Logon, Logoff, Startup and Shutdown Scripts

Q9 How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy - to refresh the user policies

secedit /refreshpolicy machine_policy - to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce

secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user - to refresh the user policies

gpupdate /target:computer - to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10 What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11 Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates

Security Settings

EFS Recovery

IPSec

Q12 Which policies do not get applied over slow links?

IE Maintenance Settings

Folder Redirection

Scripts

Disk Quota settings

Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates, System, Group Policy.

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13 Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:

Password Policy

Account Lockout Policy

Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires

Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only

Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.

Q14 How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other.

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single

Q15 What are the two exceptions to control the inheritance of group policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
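The processing order (local, site, domain, OU), the bottom-to-top link order within a container from Q5, and the No Override and Block Inheritance exceptions just described can be modelled in a few lines. The following Python is an added example, not part of the original document: it resolves the effective settings for a constructed container chain (a local GPO, Default-First-Site-Name, the foobarbaz.com domain, and a Human Resources OU carrying the three GPOs named in Q5); the setting names and values are made up for illustration, and it assumes the local GPO is overridden rather than blocked when an OU blocks inheritance.

```python
from dataclasses import dataclass
from typing import Any, Dict, Iterator, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, Any]     # only the settings this GPO actually configures
    enforced: bool = False       # the "No Override" option on this link


@dataclass
class Container:
    name: str
    level: str                   # "local", "site", "domain" or "ou"
    links: List[GPO]             # Group Policy tab order: index 0 is the TOP of the list
    block_inheritance: bool = False


def applied_links(chain: List[Container]) -> Iterator[GPO]:
    """Yield GPOs in the order they are applied to an object whose containers are
    `chain`, listed local -> site -> domain -> OU -> nested OU (the LSDO order)."""
    # Block Inheritance on a container stops the ordinary (non-enforced) links of every
    # container above it. Assumption: the local GPO is still applied, it is just overridden.
    deepest_block = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    for i, c in enumerate(chain):                 # pass 1: ordinary links in LSDO order
        if c.level != "local" and i < deepest_block:
            continue
        for gpo in reversed(c.links):             # bottom of the list first, top applied last
            if not gpo.enforced:
                yield gpo
    for c in reversed(chain):                     # pass 2: No Override links, deepest container
        for gpo in reversed(c.links):             # first, so the highest-level enforced link is
            if gpo.enforced:                      # applied last and wins
                yield gpo


def application_order(chain: List[Container]) -> List[str]:
    return [g.name for g in applied_links(chain)]


def resolve(chain: List[Container]) -> Dict[str, Tuple[Any, str]]:
    """Effective settings: name -> (value, GPO that supplied it). Later application wins."""
    effective: Dict[str, Tuple[Any, str]] = {}
    for gpo in applied_links(chain):
        for key, value in gpo.settings.items():
            effective[key] = (value, gpo.name)
    return effective


def build_chain(enforce_domain: bool = False, block_hr: bool = False) -> List[Container]:
    """Constructed example: a user in the Human Resources OU of the foobarbaz.com domain.
    Setting names and values are made up for illustration."""
    return [
        Container("Local", "local", [GPO("Local Policy", {"screensaver_timeout": 600})]),
        Container("Default-First-Site-Name", "site", [GPO("Site Proxy", {"proxy": "site-proxy"})]),
        Container("foobarbaz.com", "domain", [
            GPO("Default Domain Policy", {"wallpaper": "corporate", "screensaver_timeout": 900},
                enforced=enforce_domain)]),
        Container("Human Resources", "ou", [       # the three links from Q5, top to bottom
            GPO("No ScreenSaver", {"screensaver_timeout": 0}),
            GPO("No Display Settings", {"display_settings": "locked", "wallpaper": "hr-blue"}),
            GPO("No Windows Update", {"windows_update": "disabled", "wallpaper": "hr-grey"}),
        ], block_inheritance=block_hr),
    ]


if __name__ == "__main__":
    for enforce, block in ((False, False), (True, False), (False, True), (True, True)):
        chain = build_chain(enforce, block)
        print(f"domain enforced={enforce}, HR blocks inheritance={block}")
        print("  order:", " -> ".join(application_order(chain)))
        for key, (value, source) in sorted(resolve(chain).items()):
            print(f"  {key} = {value!r} (from {source})")
```

Running it shows the HR links applied No Windows Update, No Display Settings, No ScreenSaver in that order, the domain wallpaper losing to the OU until the domain link is enforced, and Block Inheritance dropping the site proxy setting while an enforced domain link still gets through.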

Q16 How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17 What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18 What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.

5. You can grant permissions for a universal group to any resource in any domain.

Q17 What are the items that groups of different scopes can contain in mixed and native mode domains?

Q18 What is group nesting?

Placing one group in another is called group nesting.

For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas JuniorAdmins). Then you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19 How many characters can a group name contain?

64

Q20 Is a site part of the Active Directory namespace?

NO - When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.

Q21 What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs Targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved to deliver better performance and to add fault tolerance, load balancing and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools, which can be used to make administrative backup and restoration tasks of the DFS namespaces easier. The client Windows operating system includes a DFS client, which provides additional features as well as caching.

Q22 What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for Domain DFS, and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23 Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24 What can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

Making changes to the site topology based on changes to the physical network topology.

Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.

Monitoring network connectivity and setting the costs for links between sites.

Q1 What is DNS?

DNS provides name registration and name-to-address resolution capabilities. DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand. These are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that these files were labor intensive. A host file is manually modified, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.

Q2 Which are the four generally accepted naming conventions?

NetBIOS Name (for instance, SPRINGERS01)

TCP/IP Address (121133244)

Host Name (Abbey)

Media Access Control (MAC) address: this is the network adapter hardware address

Q3 How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to higher and higher-level name servers until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.

Below, the steps are explained with the help of a chart.

Figure 8-5: How DNS works

Q4 Which are the major records in DNS?

1. Host or Address Records (A) - map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.

2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3 Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record; some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add a wildcard MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.
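The following is an added example, not part of the original document, showing how a sending mailer orders MX records by preference and falls back to the next exchanger, and how a wildcard MX record is matched so that a specific record wins over the wildcard. The zone is constructed sample data for the fictitious foobarbaz.com domain used in the text; the backup exchanger, the addresses and the workstation names are assumptions.

```python
# Added example: MX preference ordering, fallback, and wildcard precedence.
# Constructed zone as (owner, type, rdata); MX rdata is (preference, exchange).
ZONE = [
    ("foobarbaz.com",        "MX", (10, "eric.foobarbaz.com")),
    ("foobarbaz.com",        "MX", (20, "backup.foobarbaz.com")),  # assumed backup
    ("*.foobarbaz.com",      "MX", (10, "eric.foobarbaz.com")),    # wildcard from the text
    ("draven.foobarbaz.com", "MX", (5, "draven.foobarbaz.com")),   # specific host record
    ("draven.foobarbaz.com", "A",  "10.0.0.53"),                   # constructed address
    ("eric.foobarbaz.com",   "A",  "10.0.0.25"),                   # constructed address
]


def lookup(zone, name, rtype):
    """Records of `rtype` for `name`. If the name has no records of any type,
    the closest enclosing wildcard ("*.parent") is used instead, so a specific
    record always takes precedence over the wildcard, as the text cautions."""
    exact = [rdata for owner, rt, rdata in zone if owner == name and rt == rtype]
    if exact or any(owner == name for owner, _, _ in zone):
        return exact
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        hits = [rdata for owner, rt, rdata in zone if owner == wildcard and rt == rtype]
        if hits:
            return hits
    return []


def mx_candidates(zone, domain):
    """Exchangers in the order a mailer tries them: lowest preference first.
    Ties keep zone order here; real mailers randomise among equal preferences.
    With no MX at all, mailers fall back to the domain's own A record."""
    mxs = lookup(zone, domain, "MX")
    if not mxs:
        return [domain] if lookup(zone, domain, "A") else []
    return [host for _, host in sorted(mxs, key=lambda mx: mx[0])]


def deliver(zone, domain, reachable):
    """Walk the candidates until one accepts. `reachable` stands in for a
    successful SMTP connection (constructed; no network is used). Returns the
    exchanger that took the mail, or None when every exchanger failed."""
    for host in mx_candidates(zone, domain):
        if host in reachable:
            return host
    return None


if __name__ == "__main__":
    print(mx_candidates(ZONE, "foobarbaz.com"))         # primary first, then backup
    print(mx_candidates(ZONE, "ws17.foobarbaz.com"))    # wildcard applies
    print(mx_candidates(ZONE, "draven.foobarbaz.com"))  # specific record beats wildcard
    print(deliver(ZONE, "foobarbaz.com", {"backup.foobarbaz.com"}))
```

The `ws17` name exists nowhere in the zone, so the wildcard supplies its MX; `draven` has its own records, so the wildcard is never consulted for it, which is exactly the precedence rule stated above.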

4 Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

613636in-addrarpa IN PTR ericfoobarbazcom

As you can see from the example for the A record at the beginning of this document, the record simply has the IP address in reverse, with the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5 Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nsealgxnet" and "nsfalgxnet" as your two authoritative name servers.

6 Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of a SOA record; each part of it will then be explained:

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
        1996111901   ; Serial
        10800        ; Refresh
        3600         ; Retry
        3600000      ; Expire
        86400 )      ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on their own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where the NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
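As an added example (not from the original document), the following code works through the SOA fields just described: generating the next serial in the recommended YYYYMMDDNN format, the "only pull when the primary's serial is higher" rule, and what a secondary does as the refresh, retry and expire timers run. The timer values are the ones in the sample SOA record above; the clock values used for illustration are constructed.

```python
# Added example: SOA serial handling and secondary timer behaviour.
import datetime

# Timer values from the sample SOA record above, in seconds.
SOA = {"serial": 1996111901, "refresh": 10800, "retry": 3600,
       "expire": 3600000, "minimum": 86400}


def next_serial(current, today_yyyymmdd):
    """Next YYYYMMDDNN serial. The first change on a new day yields ...01; later
    changes the same day add one. If the current value is already at or past
    today's ...00 base (same day, or a serial set too far ahead), it is simply
    incremented, so the serial never moves backwards: a lower serial would make
    secondaries ignore the update."""
    base = int(today_yyyymmdd) * 100
    return base + 1 if current < base else current + 1


def secondary_needs_transfer(primary_serial, secondary_serial):
    """A secondary pulls the zone only when the primary's serial is higher."""
    return primary_serial > secondary_serial


def secondary_status(soa, last_ok, last_attempt, now):
    """Decide what a secondary should do at `now` (all times in seconds).
    last_ok:      last successful serial check against the primary.
    last_attempt: most recent check, successful or not (> last_ok means the
                  last attempt failed, so the retry timer applies)."""
    if now - last_ok >= soa["expire"]:
        return "expired"                      # stop answering for the zone
    if last_attempt > last_ok:
        due = last_attempt + soa["retry"]     # failed: wait RETRY, try again
    else:
        due = last_ok + soa["refresh"]        # healthy: wait REFRESH
    return "check primary" if now >= due else "serve current copy"


if __name__ == "__main__":
    today = int(datetime.date.today().strftime("%Y%m%d"))
    print(next_serial(SOA["serial"], today))       # first change of today
    print(next_serial(SOA["serial"], 19961119))    # second change on 1996-11-19
    print(secondary_status(SOA, last_ok=0, last_attempt=0, now=10800))
    print(secondary_status(SOA, last_ok=0, last_attempt=10800, now=12000))
```

The `secondary_status` function mirrors the text: after a successful check the secondary waits the refresh interval; after a failed one it waits the shorter retry interval; and once the expire interval has passed without a successful refresh it stops answering for the zone, which is why expire must be much larger than refresh.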

Quick Summary of the major records in DNS

Record Type: Definition

Host (A): Maps host name to IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps IP address to host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5 What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6 Name the two zones in DNS

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7 How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings and a serial number (incremented with every update).

Q8 Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.

Q9 What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10 What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11 What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12 How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13 What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14 What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15 What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.
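The scavenging decision described in Q14 and Q15, as an added example that is not from the original document. The 168-hour scavenging period is the default given above; the aging window, the record timestamps and the host names are constructed. Static (manually added) records are left alone unless the caller explicitly asks to scavenge them, matching the distinction the text draws.

```python
# Added example: which records a scavenging run would remove, and when it next runs.
from datetime import datetime, timedelta

SCAVENGING_PERIOD = timedelta(hours=168)   # default from the text: 7 days
AGING_WINDOW = timedelta(days=14)          # constructed: how long a dynamic record may go unrefreshed

# Constructed zone. timestamp = when the record was last registered or refreshed.
RECORDS = [
    {"name": "ws17.foobarbaz.com", "type": "A", "data": "10.0.0.17",
     "timestamp": datetime(2024, 1, 1), "static": False},
    {"name": "ws18.foobarbaz.com", "type": "A", "data": "10.0.0.18",
     "timestamp": datetime(2024, 1, 20), "static": False},
    {"name": "eric.foobarbaz.com", "type": "A", "data": "10.0.0.25",
     "timestamp": datetime(2023, 6, 1), "static": True},
]


def is_stale(record, now, window=AGING_WINDOW, scavenge_static=False):
    """A record is stale once its timestamp is older than the aging window.
    Static records are exempt unless scavenge_static is set."""
    if record["static"] and not scavenge_static:
        return False
    return now - record["timestamp"] >= window


def scavenge(records, now, scavenge_static=False):
    """Split records into (kept, removed) without touching the input."""
    removed = [r for r in records if is_stale(r, now, scavenge_static=scavenge_static)]
    kept = [r for r in records if r not in removed]
    return kept, removed


def scavenge_names(records, iso_now, scavenge_static=False):
    """Names of the records a run at the given ISO date/time would remove."""
    _, removed = scavenge(records, datetime.fromisoformat(iso_now), scavenge_static)
    return [r["name"] for r in removed]


def next_run(iso_last_run, period=SCAVENGING_PERIOD):
    """ISO date/time of the next scavenging run after the last one."""
    return (datetime.fromisoformat(iso_last_run) + period).isoformat()


if __name__ == "__main__":
    print(scavenge_names(RECORDS, "2024-01-25"))                      # stale dynamic record only
    print(scavenge_names(RECORDS, "2024-01-25", scavenge_static=True))  # static record goes too
    print(next_run("2024-01-01T00:00:00"))
```

Running the check before enabling scavenging on a real zone (dry run, printing what would go) is the usual way to discover static records that were registered dynamically long ago and would otherwise disappear.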

DNS Q&A corner

Q1 How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (ie - F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration, whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary. The reason is that I feel there are two configurations
> that could be setup. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, ie - both by local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard or architected such a configuration?

> [text diagram: a Load Balancer Device at VIP = 16714715, with DNS 1 (1111) and DNS 2 (1112) behind it]

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, is there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2 How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records please? Eg I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
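The following is an added example, not part of the original document, and serves both the PTR section earlier (where reverse lookups are described as a security measure) and the walk-through just above. It builds an in-addr.arpa name the way a resolver does, lists the reverse zones the resolver may be referred through, and performs a forward-confirmed check that pairs the PTR answer with the name's A record. The IP address and host names are the ones from the walk-through; the PTR and A tables are constructed stand-ins for real DNS answers.

```python
# Added example: reverse-name construction, referral chain, forward-confirmed check.
import ipaddress


def reverse_name(ip):
    """'161.114.1.206' -> '206.1.114.161.in-addr.arpa'. Malformed input raises
    ValueError from ipaddress rather than producing a bogus name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def referral_chain(ip):
    """Every reverse zone between the root and the /24, most general first.
    Real delegations may skip a level (the text goes straight from
    161.in-addr.arpa to 1.114.161.in-addr.arpa)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    chain = ["in-addr.arpa"]
    for i in range(1, 4):
        chain.append(".".join(reversed(octets[:i])) + ".in-addr.arpa")
    return chain


# Constructed answers: what the PTR and A lookups would return for the example.
PTR_TABLE = {"206.1.114.161.in-addr.arpa": "inmail.compaq.com"}
A_TABLE = {"inmail.compaq.com": {"161.114.1.206"}}


def forward_confirmed(ip, ptr_table=PTR_TABLE, a_table=A_TABLE):
    """True only when the PTR name's A records include the original address.
    The reverse zone is controlled by whoever holds the address block, so a
    PTR on its own is just a label; requiring the forward record to agree is
    what makes a reverse lookup worth anything as a check."""
    name = ptr_table.get(reverse_name(ip))
    if name is None:
        return False
    return str(ipaddress.IPv4Address(ip)) in a_table.get(name, set())


if __name__ == "__main__":
    print(reverse_name("161.114.1.206"))
    print(referral_chain("161.114.1.206"))
    print(forward_confirmed("161.114.1.206"))
```

A service that "does a reverse lookup on your machine" should make the `forward_confirmed` test, not merely the PTR lookup; the second assertion in the test shows a PTR that names a host whose A record does not point back, which is rejected.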

Q3 What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up dns servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> setup a primary and a single slave server and run caching only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4 Can I set a TTL on a specific record?

> Is it possible to setup ttl values for individual records in bind?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example 300 IN A 10.0.0.1

Q5 Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain
> and I'm not sure that I have DNS setup properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example
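As an added example (not from the original Q&A), here is a small zone checker for the mistakes discussed in Q4 and Q5 above. It parses zone-file style lines (owner, optional TTL, class, type, rdata), then flags CNAME records whose target is an IP address, CNAME owners that also carry other records, and MX or NS targets that are CNAMEs or have no A record. The lines are constructed and deliberately include the incorrect CNAME form from the question; the foo.example names follow the answer's own example.

```python
# Added example: lint a handful of zone-file lines for common record mistakes.
import ipaddress


def parse_line(line):
    """Return (owner, ttl, type, rdata) for 'owner [ttl] [IN] type rdata...'.
    Only the fully-qualified, single-line form is handled (no $ORIGIN, no
    multi-line parentheses)."""
    fields = line.split()
    owner, rest = fields[0], fields[1:]
    ttl = None
    if rest and rest[0].isdigit():            # explicit TTL sits before the class
        ttl, rest = int(rest[0]), rest[1:]
    if rest and rest[0].upper() == "IN":
        rest = rest[1:]
    return owner, ttl, rest[0].upper(), rest[1:]


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint(lines):
    """Return a list of human-readable problems; an empty list means clean."""
    records = [parse_line(l) for l in lines if l.strip() and not l.lstrip().startswith(";")]
    a_owners = {o for o, _, t, _ in records if t in ("A", "AAAA")}
    cname_owners = {o for o, _, t, _ in records if t == "CNAME"}
    problems = []
    for owner, _, rtype, rdata in records:
        if rtype == "CNAME":
            if is_ip(rdata[0]):
                problems.append(f"{owner}: CNAME target {rdata[0]} is an IP address, not a name")
            if any(o == owner and t != "CNAME" for o, _, t, _ in records):
                problems.append(f"{owner}: CNAME owner also has other records")
        elif rtype in ("MX", "NS"):
            target = rdata[-1]                # MX: preference then exchange; NS: name
            if target in cname_owners:
                problems.append(f"{owner}: {rtype} target {target} is a CNAME")
            elif target not in a_owners:
                problems.append(f"{owner}: {rtype} target {target} has no A record")
    return problems


# Constructed zone lines (fully qualified). Two are intentionally wrong.
ZONE_LINES = [
    "foo.example 300 IN A 10.0.0.1",               # explicit TTL, as in Q4
    "foo.example IN MX 10 foo.example",
    "foo.example IN NS ns1.foo.example",
    "ns1.foo.example IN A 10.0.0.53",
    "www.foo.example IN CNAME 192.168.0.1",        # wrong: IP in a CNAME (Q5)
    "mail.foo.example IN CNAME foo.example",
    "mail.foo.example IN A 10.0.0.2",              # wrong: CNAME owner with other data
    "foo.example IN MX 20 relay.foo.example",      # wrong: exchanger has no A record
]

if __name__ == "__main__":
    for problem in lint(ZONE_LINES):
        print(problem)
```

The MX-target check is the backup-mailer point from the answer above in code form: each exchanger named in an MX record needs a resolvable A record of its own, or the fallback never works.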

Q6 What are a zone's NS records used for?

> Could you elaborate a little bit on why do we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7 Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have acls blocking
> udp traffic but allowing tcp traffic, will the transfer work or will it fail
> due to the slave's inability to query for the SOA record on udp?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8 What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9 Why are there only 13 root name servers?

> I'm very wondering why there are only 13 root servers on globally.
> Some documents explain that one of the reason is technical limit on Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation of NS record numbers
> in DNS packet that specified by certain RFCs, or just Internet policy stuff.
>
> Which one is proper reason?

It's a technical limitation: UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1 Which are the FIVE FSMO roles?

Schema Master: forest level, one per forest

Domain Naming Master: forest level, one per forest

PDC Emulator: domain level, one per domain

RID Master: domain level, one per domain

Infrastructure Master: domain level, one per domain

Q2 What are their functions?

1 Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2 Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3 PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.
• Time synchronization for the domain.
• Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4 RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object, such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5 Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3 What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as a NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4 Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5 Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6 Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog Server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory, like the Infrastructure Master and the Global Catalog server above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners, and that they have high bandwidth connections to one another as well as to a Global Catalog server.

Q7 What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group

RID Master: member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8 Tools to find out what servers in your domain/forest hold what server roles

1 Active Directory Users and Computers: use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

2 Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3 Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the support tools, you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

35

4Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility Like the Active Directory Schema snap-in the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit

To use Netdom to view the FSMO role holders open a command prompt window and typenetdom query fsmo and press enter You will see a list of the FSMO role servers

36

5 Active Directory Relication Monitor another tool that comes with the Support Tools is the Active Directory Relication Monitor Open this utility from Start Programs Windows 2000 Support Tools Once open click Edit Add Monitored Server and add the name of a Domain Controller Once added right click the Server name and choose properties Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below) You cannot change roles using Replication Monitor but this tool has many other useful purposes in regard to Active Directory information It is something you should check out if you havent already

Finally you can use the Ntdsutilexe utility to gather information about and change servers for FSMO roles Ntdsutilexe a command line utility that is installed with Windows 2000 server is rather complicated and beyond the scope of this document

6 DUMPFSMOS

Command-line tool to query for the current FSMO role holders

Part of the Microsoft Windows 2000 Server Resource Kit

Downloadable from httpwwwmicrosoftcomwindows200037

techinforeskitdefaultasp

Prints to the screen the current FSMO holders

Calls NTDSUTIL to get this information

7 NLTEST

Command-line tool to perform common network administrative tasks

Type ldquonltest rdquo for syntax and switches

Common uses

Get a list of all DCs in the domain

Get the name of the PDC emulator

Query or reset the secure channel for a server

Call DsGetDCName to query for an available domain controller

8 Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles

httpwwwsvropscomsvropsdownloadszipfilesADcheckmsi

Q9 How to Transfer and Seize a FSMO Role

httpsupportmicrosoftcomdefaultaspxscid=kben-usQ255504

38

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all of this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. To whom does a domain policy get applied?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where do you create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right-click Default-First-Site-Name or another Site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right-click the Domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains, and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to which objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min interval, so the refresh could be at 60, 90, or 120 mins. For DCs (Domain Controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request that all group policies be reapplied (user and machine). These settings can be changed under the Computer and User nodes, Administrative Templates, System, Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup and Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy to refresh the user policies
secedit /refreshpolicy machine_policy to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user to refresh the user policies
gpupdate /target:computer to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under the Computer and User nodes, Administrative Templates, System, Group Policy.

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.

Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other.

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions that control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
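The precedence rules from Q5, Q15 and the processing-order list above (LSDOU order, bottom-to-top link order within one container, No Override, Block Inheritance), worked through as a small simulation. This is an added example, not Microsoft's code or anything from the original document; the container names, GPO names and setting values are constructed, and it assumes Block Inheritance does not suppress the local GPO.

```python
"""Simulation of Group Policy precedence: LSDOU order, bottom-to-top link order
inside one container, No Override on a link and Block Inheritance on a container.
Added example with constructed data; not Microsoft's implementation."""
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict             # setting name -> value
    no_override: bool = False  # "No Override" set on the link to its container


@dataclass
class Container:
    name: str
    gpos: list                      # as listed on the Group Policy tab, top entry first
    block_inheritance: bool = False


def resolve(local_gpo, chain):
    """Return (effective settings, application order) for one node (User or Computer).

    chain lists the containers from the outside in: site, domain, OU, nested OU.
    Later containers override earlier ones; inside a container the list is applied
    bottom to top so the top entry wins; a No Override GPO linked at a parent cannot
    be overridden by anything linked lower down.
    """
    # Block Inheritance on the innermost blocking container hides every
    # non-enforced GPO linked above it (assumption: the local GPO still applies).
    block_from = 0
    for level, container in enumerate(chain):
        if container.block_inheritance:
            block_from = level

    effective, order, enforced = {}, [], []
    if local_gpo is not None:
        effective.update(local_gpo.settings)
        order.append(local_gpo.name)

    for level, container in enumerate(chain):
        for gpo in reversed(container.gpos):      # bottom of the list is applied first
            if gpo.no_override:
                enforced.append((level, gpo))       # deferred, applied last (see below)
            elif level >= block_from:
                effective.update(gpo.settings)
                order.append(gpo.name)

    # No Override GPOs are applied after everything else; a parent's enforced GPO is
    # applied after a child's so the higher-level setting wins. sorted() is stable,
    # so within one container the top-of-list entry is still applied last.
    for _, gpo in sorted(enforced, key=lambda pair: pair[0], reverse=True):
        effective.update(gpo.settings)
        order.append(gpo.name + " (No Override)")
    return effective, order


def demo():
    """The Human Resources OU from the text, plus a constructed enforced domain GPO,
    a site GPO that the OU's Block Inheritance hides, and a local GPO."""
    site = Container("Default-First-Site-Name",
                     [GPO("Site Wallpaper", {"wallpaper": "site.bmp"})])
    domain = Container("corp.example",
                       [GPO("Default Domain Policy",
                            {"screensaver_timeout": 600, "wallpaper": "corp.bmp"},
                            no_override=True)])
    hr = Container("Human Resources", [
        GPO("No ScreenSaver", {"screensaver": "off", "screensaver_timeout": 900}),
        GPO("No Display Settings", {"display_settings": "locked", "screensaver": "on"}),
        GPO("No Windows Update", {"windows_update": "disabled"}),
    ], block_inheritance=True)
    local = GPO("Local GPO", {"windows_update": "enabled", "wallpaper": "local.bmp"})
    return resolve(local, [site, domain, hr])


if __name__ == "__main__":
    settings, order = demo()
    print("applied in order:", " -> ".join(order))
    for key, value in sorted(settings.items()):
        print(f"{key} = {value}")
```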

Q16. How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings they must be members of Active Directory. Support for Group Policy in key operating systems is as follows:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


Q21. What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the key to a list of shares found on multiple servers on the network. Think of it as the home of all file shares, with links that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs Targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved for better performance and adds additional fault tolerance, load balancing, and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools which can be used to make administrative backup and restoration tasks for the DFS namespaces easier. The client Windows operating system includes a DFS client which provides additional features as well as caching.

Q22. What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for Domain DFS, and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS).

Q24. What can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

Making changes to the site topology based on changes to the physical network topology.
Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.
Monitoring network connectivity and setting the costs for links between sites.

Q1. What is DNS?

DNS provides name registration and name-to-address resolution capabilities, and DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand. These are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that these files were labor intensive. A host file is manually modified, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.

Q2. Which are the four generally accepted naming conventions?

NetBIOS Name (for instance SPRINGERS01)

TCP/IP Address (121133244)

Host Name (Abbey)

Media Access Control (MAC) address: this is the network adapter hardware address.

Q3. How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to higher and higher-level name servers until the query resolution process starts with the far-right term (for instance .com), or at the top of the DNS tree with the root name servers.

Below, the steps are explained with the help of a chart.

Figure 8-5: How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A) - map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.

2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain, even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below.

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

One should use caution with wildcards specific records will be given precedence over ones containing wildcards

4 Pointer Records (PTR)

Although there are different ways to set up PTR records we will be explaining only the most frequently used method called ldquoin-addrarpardquo

In-addrarpa PTR records are the exact inverse of A records They allow your machine to be recognized by its IP address Resolving a machine in this fashion is called a ldquoreverse lookuprdquo It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page) Reverse lookups are a good security measure verifying that your machine is exactly who it claims to be In-addrarpa records look as such

613636.in-addr.arpa IN PTR eric.foobarbaz.com.

As you can see from the example for the A record at the beginning of this document, the record simply has the IP address in reverse, followed by the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com. IN NS draven.foobarbaz.com.

There must also be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; each part of it is explained afterwards:

foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
        1996111901 ; Serial
        10800      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        86400 )    ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address if you substitute an "@" for the first "." (hostmaster@foobarbaz.com). There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on their own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should keep using its current copy of the zone if it is unable to perform a refresh, and "minimum" is how long other name servers should cache (save) this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
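As an added worked example (not part of these notes), the following Python script parses BIND-style records of the kind shown above, picks MX hosts in preference order with the exact-over-wildcard rule, names the SOA fields, and bumps a YYYYMMDDNN serial. The sample zone is constructed in the foobarbaz.com style of the notes; the raven, backup and eric hosts and the 192.0.2.x addresses are made up.

```python
# Added example: minimal BIND-style zone parsing for the records discussed above
# (A, MX, NS, PTR and a parenthesised multi-line SOA). Not from the notes.

# Constructed sample zone; host names and 192.0.2.x addresses are made up.
SAMPLE_ZONE = """
foobarbaz.com.  IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                1996111901 ; Serial
                10800      ; Refresh
                3600       ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
foobarbaz.com.        IN NS  draven.foobarbaz.com.
foobarbaz.com.        IN NS  raven.foobarbaz.com.
draven.foobarbaz.com. IN A   192.0.2.1
raven.foobarbaz.com.  IN A   192.0.2.2
eric.foobarbaz.com.   IN A   192.0.2.3
foobarbaz.com.        IN MX  20 backup.foobarbaz.com.
foobarbaz.com.        IN MX  10 eric.foobarbaz.com.
*.foobarbaz.com.      IN MX  10 eric.foobarbaz.com.
"""

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_zone(text):
    """Return a list of (owner, type, rdata_tokens).

    ';' starts a comment; a record inside '(' ... ')' may span several lines,
    so lines are buffered until the parentheses balance.
    """
    records, buffer, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        buffer.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                      # still inside a multi-line record
        tokens = " ".join(buffer).replace("(", " ").replace(")", " ").split()
        buffer = []
        owner, i = tokens[0], 1
        if tokens[i].isdigit():           # optional explicit TTL
            i += 1
        if tokens[i] == "IN":             # optional class
            i += 1
        records.append((owner, tokens[i], tokens[i + 1:]))
    return records


def mx_targets(records, name):
    """MX hosts for `name`, lowest preference value first (the order a sending
    mailer tries them). An exact owner match wins over a wildcard owner."""
    matches = [r for r in records if r[1] == "MX" and r[0] == name]
    if not matches:
        parent = name.split(".", 1)[1] if "." in name else ""
        matches = [r for r in records if r[1] == "MX" and r[0] == "*." + parent]
    matches.sort(key=lambda r: int(r[2][0]))
    return [r[2][1] for r in matches]


def soa_fields(records):
    """Name the SOA's numeric fields and turn the RNAME into a mailbox."""
    soa = next(r for r in records if r[1] == "SOA")
    mname, rname, *numbers = soa[2]
    fields = dict(zip(SOA_FIELDS, (int(n) for n in numbers)))
    fields["primary"] = mname
    local, _, domain = rname.rstrip(".").partition(".")
    fields["contact"] = local + "@" + domain   # the first '.' becomes '@'
    return fields


def next_serial(current, today_yyyymmdd):
    """YYYYMMDDNN scheme from the notes: the first change on a day gets NN=01,
    later changes the same day add one. The result always exceeds `current`."""
    first_today = today_yyyymmdd * 100 + 1
    return first_today if current < first_today else current + 1


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(mx_targets(recs, "foobarbaz.com."))       # eric first, backup second
    print(mx_targets(recs, "ws7.foobarbaz.com."))   # the wildcard applies
    print(soa_fields(recs))
    print(next_serial(1996111901, 20240506))
```

The serial helper only guarantees monotonic growth within the YYYYMMDDNN convention; a secondary decides whether to transfer purely by comparing this number with its own copy, so a serial that is edited downwards is the classic reason a change never reaches the secondaries.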

Quick Summary of the major records in DNS

Record Type          Definition

Host (A)             Maps host name to IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME)      Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS)     Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR)        Maps IP address to host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX)   Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.
                     A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.
                     Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make management easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zones in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone has exactly one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8. Short summary of the records in DNS

NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.


Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process that replicates other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Loading DNS server responsibilities onto your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to the cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure: if this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.


Directory replication is faster and more efficient than standard DNS replication.

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server kicks off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.
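As an added example (not part of these notes), the following Python script works out which dynamically registered records a scavenging run would remove and when the next runs fall. The 168-hour scavenging period is the default stated above; the 7-day no-refresh and refresh intervals are the Windows DNS defaults as assumed here, not something the notes state, and the sample records are constructed.

```python
# Added example: stale-record detection for DNS aging/scavenging. Not from the
# notes. Record names, addresses and timestamps below are constructed.
from datetime import datetime, timedelta

SCAVENGING_PERIOD = timedelta(hours=168)     # from the notes: 168 h = 7 days
NO_REFRESH_INTERVAL = timedelta(days=7)      # assumed Windows default
REFRESH_INTERVAL = timedelta(days=7)         # assumed Windows default

# Constructed sample: (name, address, timestamp of the last dynamic update,
# or None for a static record that was added by hand and carries no timestamp).
RECORDS = [
    ("ws-old.foobarbaz.com", "10.0.0.11", "2024-05-01 08:00"),   # not seen for weeks
    ("ws-new.foobarbaz.com", "10.0.0.12", "2024-05-25 08:00"),   # refreshed recently
    ("printer.foobarbaz.com", "10.0.0.50", None),                # static
]

FMT = "%Y-%m-%d %H:%M"


def _parse(stamp):
    return datetime.strptime(stamp, FMT)


def stale_records(records, now):
    """Names whose last refresh is older than no-refresh + refresh at `now`.

    A client may not re-register during the no-refresh window, so a record is
    only considered stale once both windows have passed. Static records (no
    timestamp) are never stale: they become candidates only after an
    administrator gives them a timestamp, as the notes describe.
    """
    limit = _parse(now) - (NO_REFRESH_INTERVAL + REFRESH_INTERVAL)
    return [name for name, _addr, stamp in records
            if stamp is not None and _parse(stamp) < limit]


def scavenge(records, now):
    """Split records into (kept, removed) the way a scavenging run would."""
    doomed = set(stale_records(records, now))
    kept = [r for r in records if r[0] not in doomed]
    removed = [r for r in records if r[0] in doomed]
    return kept, removed


def next_scavenge_runs(last_run, count=3):
    """Start times of the next `count` scavenging runs after `last_run`."""
    start = _parse(last_run)
    return [(start + SCAVENGING_PERIOD * i).strftime(FMT)
            for i in range(1, count + 1)]


if __name__ == "__main__":
    print(stale_records(RECORDS, "2024-06-01 00:00"))
    print(scavenge(RECORDS, "2024-06-01 00:00")[1])
    print(next_scavenge_runs("2024-06-01 00:00"))
```

The point worth checking before enabling scavenging on a real zone is the sum of the two intervals against the longest legitimate gap between client registrations (laptops that are off for a fortnight, for example); a window shorter than that gap deletes live records, which is the usual way scavenging causes an outage.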

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers, or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be setup. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. both local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?


>             VIP = 16714715
>   ------------------------------------
>   |       Load Balancer Device       |
>   ------------------------------------
>                    |
>                    |
>           -----------------
>           |               |
>   ----------------   --------------
>   |    DNS 1     |   |   DNS 2    |
>   ----------------   --------------
>       1.1.1.1           1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
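The mapping described in this answer, as an added Python example that is not part of the Q&A: it builds the in-addr.arpa name, walks a constructed delegation table that mirrors the root, ARIN and Compaq steps above, and then does the forward-confirmation check that a service relying on reverse lookups (see the PTR section earlier) should perform. The delegation table, PTR and A records are constructed for the example; the real zones are not consulted.

```python
# Added example: reverse (in-addr.arpa) mapping as described in the answer
# above, over a constructed delegation table. Not from the notes.
import ipaddress

# Constructed data following the chain in the answer (ARIN for 161.in-addr.arpa,
# Compaq for 1.114.161.in-addr.arpa), plus the PTR and A records needed to
# check the result in both directions.
DELEGATIONS = {
    "161.in-addr.arpa": "ARIN",
    "1.114.161.in-addr.arpa": "Compaq",
}
PTR_RECORDS = {"206.1.114.161.in-addr.arpa": "inmail.compaq.com"}
A_RECORDS = {"inmail.compaq.com": {"161.114.1.206"}}


def reverse_name(ip):
    """161.114.1.206 -> 206.1.114.161.in-addr.arpa (octets reversed)."""
    addr = ipaddress.IPv4Address(ip)         # ValueError on a malformed address
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"


def referral_chain(ip):
    """Zones a resolver is referred through, root first, then the PTR answer
    (None when no PTR record exists)."""
    name = reverse_name(ip)
    labels = name.split(".")
    chain = [(".", "root name servers")]
    # Check suffixes from least to most specific: 161.in-addr.arpa before
    # 1.114.161.in-addr.arpa, mirroring the order of referrals.
    for k in range(3, len(labels) + 1):
        suffix = ".".join(labels[-k:])
        if suffix in DELEGATIONS:
            chain.append((suffix, DELEGATIONS[suffix]))
    return chain, PTR_RECORDS.get(name)


def forward_confirmed(ip):
    """Reverse-look-up the address, then require that the name's A records
    contain the same address. Whoever runs the reverse zone can put any name
    in a PTR record, so a service that trusts PTR data should insist on this."""
    host = PTR_RECORDS.get(reverse_name(ip))
    return host is not None and ip in A_RECORDS.get(host, set())


if __name__ == "__main__":
    print(reverse_name("161.114.1.206"))
    print(referral_chain("161.114.1.206"))
    print(forward_confirmed("161.114.1.206"), forward_confirmed("161.114.1.207"))
```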


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> setup a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to setup TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS setup properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www  cname 192.168.0.1
> mail cname 192.168.0.1
> pop  cname 192.168.0.1
> smtp cname 192.168.0.1


These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.
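As an added example (not part of the Q&A), the following Python script checks a set of records against the rules stated in these notes and in the answers above: exactly one SOA, at least two NS records, an A record for every in-zone name server, CNAME/NS/MX targets that are names rather than addresses (Q5), and an MX preference that fits in 16 bits (Q8). The records are constructed in the foobarbaz.com style of the notes, with the broken CNAME from Q5 among them.

```python
# Added example: sanity checks for the record rules stated in these notes.
# Not from the notes; the sample records are constructed.
import ipaddress

ZONE = "foobarbaz.com."

# Constructed: records (owner, type, rdata tokens) with the mistakes the Q&A discusses.
BROKEN = [
    (ZONE, "SOA", ["draven.foobarbaz.com.", "hostmaster.foobarbaz.com.",
                   "1996111901", "10800", "3600", "3600000", "86400"]),
    (ZONE, "NS", ["draven.foobarbaz.com."]),
    (ZONE, "NS", ["raven.foobarbaz.com."]),           # no A record for raven below
    ("draven.foobarbaz.com.", "A", ["192.0.2.1"]),
    ("www.foobarbaz.com.", "CNAME", ["192.168.0.1"]),  # alias pointing at an address
    (ZONE, "MX", ["70000", "eric.foobarbaz.com."]),    # preference too large
    (ZONE, "MX", ["10", "eric.foobarbaz.com."]),
    ("eric.foobarbaz.com.", "A", ["192.0.2.3"]),
]

# The same zone with each problem corrected.
FIXED = [
    BROKEN[0], BROKEN[1], BROKEN[2], BROKEN[3],
    ("raven.foobarbaz.com.", "A", ["192.0.2.2"]),
    ("www.foobarbaz.com.", "CNAME", ["draven.foobarbaz.com."]),
    (ZONE, "MX", ["20", "backup.foobarbaz.com."]),
    BROKEN[6], BROKEN[7],
]


def _is_address(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def lint_zone(zone, records):
    """Return a list of human-readable findings; an empty list means all rules hold."""
    findings = []
    soa_count = sum(1 for r in records if r[1] == "SOA")
    if soa_count != 1:
        findings.append(f"expected exactly one SOA record, found {soa_count}")
    ns_count = sum(1 for r in records if r[1] == "NS" and r[0] == zone)
    if ns_count < 2:
        findings.append(f"zone needs at least two NS records, found {ns_count}")
    a_owners = {r[0] for r in records if r[1] == "A"}
    for owner, rtype, rdata in records:
        target = rdata[-1]
        if rtype in ("CNAME", "NS", "MX") and _is_address(target):
            findings.append(f"{owner} {rtype} {target}: target must be a name, not an address")
        if rtype == "NS" and _in_zone(target, zone) and target not in a_owners:
            findings.append(f"{owner} NS {target}: in-zone name server has no A record")
        if rtype == "MX":
            try:
                pref = int(rdata[0])
            except ValueError:
                pref = -1
            if not 0 <= pref <= 65535:
                findings.append(f"{owner} MX {rdata[0]}: preference must be 0-65535")
    return findings


if __name__ == "__main__":
    for line in lint_zone(ZONE, BROKEN):
        print("BROKEN:", line)
    print("FIXED:", lint_zone(ZONE, FIXED))
```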

Q9. Why are there only 13 root name servers?

> I'm really wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit on the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation on NS record numbers
> in a DNS packet is specified by certain RFCs, or it is just Internet policy stuff.
>
> Which one is the proper reason?


It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the FIVE FSMO roles?

Schema Master - Forest level - One per forest
Domain Naming Master - Forest level - One per forest
PDC Emulator - Domain level - One per domain
RID Master - Domain level - One per domain
Infrastructure Master - Domain level - One per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog server rule above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners, and that they have high bandwidth connections to one another as well as to a Global Catalog server.
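The placement rules from Q6 as an added Python check (not part of these notes): given who holds each role, which DCs are Global Catalogs, and how many domains the forest has, it lists every deviation from the recommendations above, including the Infrastructure Master on a GC problem, which it only reports when there is more than one domain. The DC names and the two sample forests are constructed.

```python
# Added example: audit FSMO role placement against the advice in Q6.
# Not from the notes; the DC names and sample forests are constructed.
ROLES = ("Schema Master", "Domain Naming Master", "PDC Emulator",
         "RID Master", "Infrastructure Master")


def audit_fsmo_placement(holders, global_catalogs, domain_count):
    """holders: role name -> DC name; global_catalogs: set of DC names that are
    Global Catalog servers; domain_count: number of domains in the forest.
    Returns a list of findings; an empty list means the placement follows Q6."""
    findings = [f"{role}: no holder recorded" for role in ROLES if role not in holders]
    if findings:
        return findings                   # cannot judge placement with roles missing

    schema, naming = holders["Schema Master"], holders["Domain Naming Master"]
    if schema != naming:
        findings.append("Schema Master and Domain Naming Master are on different "
                        "servers (recommended: same server)")
    for role in ("Schema Master", "Domain Naming Master"):
        if holders[role] not in global_catalogs:
            findings.append(f"{role} holder {holders[role]} is not a Global Catalog server")

    if holders["PDC Emulator"] != holders["RID Master"]:
        findings.append("PDC Emulator and RID Master are on different servers "
                        "(recommended: same server)")

    # Only a problem with more than one domain: in a single domain there are
    # no cross-domain references for the Infrastructure Master to update.
    infra = holders["Infrastructure Master"]
    if domain_count > 1 and infra in global_catalogs:
        findings.append(f"Infrastructure Master {infra} is a Global Catalog in a "
                        "multi-domain forest: cross-domain references will never be updated")
    return findings


# Constructed sample forests with two domains; DC1 is the only Global Catalog.
GCS = {"DC1"}
GOOD = {"Schema Master": "DC1", "Domain Naming Master": "DC1",
        "PDC Emulator": "DC2", "RID Master": "DC2", "Infrastructure Master": "DC3"}
BAD = {"Schema Master": "DC1", "Domain Naming Master": "DC2",
       "PDC Emulator": "DC1", "RID Master": "DC3", "Infrastructure Master": "DC1"}

if __name__ == "__main__":
    print("GOOD:", audit_fsmo_placement(GOOD, GCS, domain_count=2))
    for line in audit_fsmo_placement(BAD, GCS, domain_count=2):
        print("BAD:", line)
```

Feed the function the output of whichever tool you use to list role holders (the Netdom, Replication Monitor and Ntdsutil options are described in the tools section that follows); the GC set comes from the NTDS Settings of each DC.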

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group
Domain Naming Master: member of the Enterprise Admins group
PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
RID Master: member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out which servers in your domain/forest hold which server roles


1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click Operations Masters. A dialog box will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice that the name of that DC appears in the field below the Change button.


2 Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers except you use the Active Directory Domains and Trusts snap-in Open Active Directory Domains and Trusts right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master When you do you will see the dialog box below Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller then click the Change button You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller

3 Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role However the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation You first have to install the Support Tools from the Support directory on the Windows 2000 server CD or install the Windows 2000 Server Resource Kit Once you install the support tools you can open up a blank Microsoft Management Console (start run mmc) and add the snap-in to the console Once the snap-in is open right click Active Directory Schema at the top of the tree and choose Operations Masters You will see the dialog box below Changing the server the Schema Master resides on requires you first connect to another domain controller and then click the Change button

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.


5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start > Programs > Windows 2000 Support Tools. Once open, click Edit > Add Monitored Server and add the name of a Domain Controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about, and change servers for, FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest /?" for syntax and switches.

Common uses:

Get a list of all DCs in the domain

Get the name of the PDC emulator

Query or reset the secure channel for a server

Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

httpwwwsvropscomsvropsdownloadszipfilesADcheckmsi

Q9. How to Transfer and Seize a FSMO Role?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name (or another Site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. Who can Create/Modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies Applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO - Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains, and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double click under the Disable column - a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do the group policy scripts run?

Startup scripts are processed at computer bootup and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Login scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does the group policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min interval. So the refresh could be 60, 90, or 120 mins. For DCs (Domain Controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup, and Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy - to refresh the user policies
secedit /refreshpolicy machine_policy - to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user - to refresh the user policies
gpupdate /target:computer - to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the Default Setting for Dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.


If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU), they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions to control the inheritance of the group policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
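The precedence rules above (LSDOU order, bottom-to-top within one container as described under Q5, No Override and Block Inheritance) can be checked with a small model. The following Python is an added example and not part of the original page; the GPO, Container and resolve_policy names are the author's own, and the sample GPOs are constructed to mirror the Human Resources OU example.

```python
# Added example (not from the original page): a small model of how Windows
# resolves Group Policy precedence. GPO, Container and resolve_policy are
# the author's own names, not a Windows API.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]      # policy setting -> configured value
    no_override: bool = False     # link marked "No Override" (Enforced)


@dataclass
class Container:
    name: str                                      # site, domain or OU
    gpos: List[GPO] = field(default_factory=list)  # as listed on the Group Policy tab, top entry first
    block_inheritance: bool = False


def resolve_policy(local: Optional[GPO], chain: List[Container]) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (value, winning GPO)} for one user or computer.

    chain holds the containers the object sits in, parent before child:
    Site, Domain, OU, nested OU, ...  The Local GPO is applied first and is
    never removed by Block Inheritance.
    """
    result: Dict[str, Tuple[str, str]] = {}

    def apply(gpo: GPO, where: str) -> None:
        # later writes overwrite earlier ones, which is exactly "last applied wins"
        for setting, value in gpo.settings.items():
            result[setting] = (value, f"{gpo.name} ({where})")

    if local is not None:
        apply(local, "Local")

    # Block Inheritance on a container discards the normal GPO links of every
    # container above it; the deepest blocker in the chain is the one that counts.
    blocked_above = -1
    for i, c in enumerate(chain):
        if c.block_inheritance:
            blocked_above = i

    # Pass 1: normal links in LSDOU order. Inside one container the list is
    # walked bottom to top, so the GPO at the top of the list is applied last.
    for i, c in enumerate(chain):
        if i < blocked_above:
            continue
        for gpo in reversed(c.gpos):
            if not gpo.no_override:
                apply(gpo, c.name)

    # Pass 2: No Override links ignore Block Inheritance and beat child settings.
    # Applying them child-to-parent makes the highest container's link win.
    for c in reversed(chain):
        for gpo in reversed(c.gpos):
            if gpo.no_override:
                apply(gpo, c.name)

    return result


# Constructed sample: the page's Human Resources OU with its three GPOs listed
# top-first, a domain-level Default Domain Policy linked with No Override,
# and a local GPO that the OU's Block Inheritance cannot remove.
LOCAL_GPO = GPO("Local GPO", {"wallpaper": "local.bmp", "min_password_length": "4"})
DOMAIN = Container("Domain", [
    GPO("Default Domain Policy", {"min_password_length": "8"}, no_override=True),
    GPO("Corporate Wallpaper", {"wallpaper": "corp.bmp"}),
])
HR_OU = Container("Human Resources OU", [
    GPO("No ScreenSaver", {"screensaver": "disabled", "screensaver_timeout": "0"}),
    GPO("No Display Settings", {"display_cpl": "hidden", "screensaver_timeout": "600"}),
    GPO("No Windows Update", {"windows_update": "disabled"}),
], block_inheritance=True)


def demo() -> Dict[str, Tuple[str, str]]:
    """Resolve policy for an HR user whose object lives in Domain > Human Resources OU."""
    return resolve_policy(LOCAL_GPO, [DOMAIN, HR_OU])


if __name__ == "__main__":
    for setting, (value, source) in sorted(demo().items()):
        print(f"{setting:22} = {value:10} from {source}")
```

Running it shows the top-of-list "No ScreenSaver" GPO winning the screensaver_timeout conflict, the enforced domain password policy surviving the OU's Block Inheritance, and the non-enforced domain wallpaper being dropped.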

Q16. How to Redirect New User and Computer Accounts?

By default, new user and computer accounts are created in the Users and Computers containers, respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.
Editing GPOs linked to domains requires Domain Administrative permissions.
Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


Q22. What are the types of replication in DFS?

There are two types of replication: Automatic, which is only available for Domain DFS, and Manual, which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

Q24. What all can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:

Making changes to the site topology based on changes to the physical network topology.
Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.
Monitoring network connectivity and setting the costs for links between sites.

Q1. What is DNS?

DNS provides name registration and name-to-address resolution capabilities, and DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network.

Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand. These are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the winnt\system32\drivers\etc subdirectory.

The fundamental problem with host files was that these files were labor intensive. A host file is manually modified, and it is typically centrally administered.

The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.


Q2. Which are the four generally accepted naming conventions?

NetBIOS Name (for instance SPRINGERS01)

TCP/IP Address (121133244)

Host Name (Abbey)

Media Access Control (MAC) - this is the network adapter hardware address

Q3. How does DNS really work?

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to more and more higher-level name servers until the query resolution process starts with the far-right term (for instance .com) or at the top of the DNS tree with the root name servers.


Below, the steps are explained with the help of a chart.

Figure 8-5: How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A) - map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.


2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain, even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.


One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse for the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple; they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; then each part of it will be explained.

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
1996111901 ; Serial
10800 ; Refresh
3600 ; Retry
3600000 ; Expire
86400 ) ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address if you substituted an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual then what we have become used to The serial number is a record of how often this DNS entry has been updated Every time a change is made to the entry the serial number must be incremented Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name serverrsquos entry is higher than the serial number on itrsquos entry In this way the name servers for a domain are able to update themselves A recommended way of using your serial number is the YYYYMMDDNN format shown above where the NN is the number of times that day the DNS has been changed

Also a note for Allegiance Internet customers who run their own name servers even if the serial number is incremented you should still fill out the web form and use the comment box when you make changes asking us to pull the new zones

All the rest of the numbers in the record are measurements of time in seconds The ldquorefreshrdquo number stands for how often secondary name servers should check the primary for a change in the serial number ldquoRetryrdquo is how long a secondary server should wait before trying to reconnect to primary server if the connection was refused ldquoExpirerdquo is how long the secondary server should use its current entry if it is unable to perform a refresh and ldquominimumrdquo is how long other name servers should cache or save this entry

There can only be one SOA record per domain Like NS records Allegiance Internet sets up this record for you if you are not running your own name server
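
The SOA section above describes the record layout, the "@ for the first dot" contact convention, the YYYYMMDDNN serial scheme and the rule that a secondary only pulls a zone whose serial is higher. The following Python is an added example (not part of the original document) that parses the document's own sample record, derives the contact address, computes the next serial for an edit on a given day, and compares serials the way a secondary does, taking into account that serials are 32-bit values that wrap around. The timer sanity checks in check_timers are common operational guidelines rather than anything the text mandates.

```python
"""Parse the SOA record shown above and work with its serial and timers.

Added example, not from the original document. The record text below is the
document's own sample (foobarbaz.com) re-typed in zone-file syntax; the timer
sanity checks are common operational guidelines, not anything the text mandates.
"""
from datetime import date

# Constructed sample: the SOA record from the text, in zone-file syntax.
SAMPLE_SOA = """
foobarbaz.com.  IN  SOA  draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                1996111901  ; Serial
                10800       ; Refresh
                3600        ; Retry
                3600000     ; Expire
                86400 )     ; Minimum
"""

NUMERIC_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")
SERIAL_MODULUS = 1 << 32   # serials are 32-bit and wrap around (RFC 1982)


def parse_soa(text):
    """Return a dict with owner, mname, rname, contact e-mail and the five numbers."""
    # Drop ';' comments, then flatten the parenthesised continuation lines.
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = body.replace("(", " ").replace(")", " ").split()
    upper = [t.upper() for t in tokens]
    if "SOA" not in upper:
        raise ValueError("not an SOA record")
    i = upper.index("SOA")
    if len(tokens) < i + 8:
        raise ValueError("SOA record is missing fields")
    record = {
        "owner": tokens[0],
        "mname": tokens[i + 1],   # primary name server
        "rname": tokens[i + 2],   # contact, with '@' written as the first '.'
    }
    record["contact"] = record["rname"].rstrip(".").replace(".", "@", 1)
    record.update(zip(NUMERIC_FIELDS, (int(t) for t in tokens[i + 3:i + 8])))
    return record


def serial_is_newer(candidate, current):
    """True if `candidate` is ahead of `current` under serial number arithmetic.

    The text says a secondary pulls the zone only when the primary's serial is
    'higher'; with 32-bit wrap-around, 'higher' means less than 2**31 ahead.
    """
    distance = (candidate - current) % SERIAL_MODULUS
    return 0 < distance < SERIAL_MODULUS // 2


def next_serial(current, today=None):
    """Next serial in the YYYYMMDDNN convention for an edit on `today` (int YYYYMMDD).

    Same day: bump NN. New day: start at NN=01. If a date-based serial would
    not count as newer (e.g. the old serial was typed with a future date), fall
    back to a plain increment so secondaries still notice the change.
    """
    if today is None:
        today = int(date.today().strftime("%Y%m%d"))
    if current // 100 == today:
        if current % 100 >= 99:
            raise ValueError("more than 99 changes in one day; wait for tomorrow")
        return current + 1
    candidate = today * 100 + 1
    if serial_is_newer(candidate, current):
        return candidate
    return (current + 1) % SERIAL_MODULUS


def check_timers(record):
    """Common-sense checks on the timer fields (all in seconds)."""
    problems = []
    if record["retry"] >= record["refresh"]:
        problems.append("retry should be shorter than refresh")
    if record["expire"] <= record["refresh"] + record["retry"]:
        problems.append("expire should be much longer than refresh + retry")
    if not 0 <= record["serial"] < SERIAL_MODULUS:
        problems.append("serial must fit in 32 bits")
    return problems


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa["contact"])                        # hostmaster@foobarbaz.com
    print(next_serial(soa["serial"], 19961119))  # 1996111902
    print(check_timers(soa))                     # []
```

The wrap-around comparison matters in practice: if a serial is ever typed with a wrong, far-future date, simply "going back" to today's date produces a serial that secondaries consider older, and they will keep serving the stale zone. next_serial detects that case and increments instead.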

Quick Summary of the major records in DNS

Record Type: Definition

Host (A): Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zones in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8. Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.

Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does the resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. - F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration, whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be setup. One in which only the resolvers query the
> virtual IP address on the load balancing appliance or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. - both by local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard or architected such a configuration?
>
> VIP = 16714715
>      ------------------------------------
>      |       Load Balancer Device       |
>      ------------------------------------
>                       |
>                       |
>              -----------------
>              |               |
>      ----------------   --------------
>      |    DNS 1     |   |   DNS 2    |
>      ----------------   --------------
>         1.1.1.1            1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
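
The reverse-mapping walk described in the answer above, as an added Python example that is not part of the original Q&A. It builds the in-addr.arpa owner name for any IPv4 address (and, going beyond the text, the ip6.arpa name for IPv6), lists every zone cut a resolver could be referred through, and picks the zone that would hold the PTR from a set of zones you know about. The SAMPLE_ZONES set is constructed from the two delegations the answer names (ARIN's 161.in-addr.arpa and Compaq's 1.114.161.in-addr.arpa); real delegation points vary by registry.

```python
"""Reverse-mapping names and the delegation walk described in Q2 above.

Added example, not from the original Q&A. The zone set below is constructed
from the delegations the answer names; real delegation points vary.
"""
import ipaddress


def reverse_name(address):
    """Return the reverse-lookup owner name (with trailing dot) for an IP address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        # Invert the octets and append in-addr.arpa, as the text describes.
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    # IPv6 uses one hexadecimal nibble per label, least significant first.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def candidate_zones(address):
    """All zones that could be authoritative for the PTR, most specific first.

    For 161.114.1.206 the list runs from 206.1.114.161.in-addr.arpa. down to
    161.in-addr.arpa. (the zone the root servers refer to, run by ARIN).
    """
    labels = reverse_name(address).rstrip(".").split(".")
    suffix = labels[-2:]        # ["in-addr", "arpa"] or ["ip6", "arpa"]
    addr_labels = labels[:-2]   # e.g. ["206", "1", "114", "161"]
    return [".".join(addr_labels[i:] + suffix) + "." for i in range(len(addr_labels))]


def authoritative_zone(address, known_zones):
    """Longest-matching zone from `known_zones` for this address, or None."""
    for zone in candidate_zones(address):
        if zone in known_zones:
            return zone
    return None


# Constructed sample: the delegations named in the text, ARIN's /8 and Compaq's /24.
SAMPLE_ZONES = {"161.in-addr.arpa.", "1.114.161.in-addr.arpa."}

if __name__ == "__main__":
    print(reverse_name("161.114.1.206"))                      # 206.1.114.161.in-addr.arpa.
    for zone in candidate_zones("161.114.1.206"):
        print("  ", zone)
    print(authoritative_zone("161.114.1.206", SAMPLE_ZONES))  # 1.114.161.in-addr.arpa.
```

authoritative_zone is the check an operator needs when adding a PTR record: the record belongs in the most specific reverse zone they actually host, which is why the candidates are returned most specific first.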

Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> setup a primary and a single slave server and run caching only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to setup TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

    foo.example.  300  IN  A  10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain
> and I'm not sure that I have DNS setup properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www   cname   192.168.0.1
> mail  cname   192.168.0.1
> pop   cname   192.168.0.1
> smtp  cname   192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example:

    www  CNAME  foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I am wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit in the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems to be some limitation of the number of NS records
> in a DNS packet specified by certain RFCs, or just Internet policy stuff.
>
> Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm
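
Three of the answers above describe concrete record-level rules: an explicit TTL sits between the owner and class fields (Q4), a CNAME target must be a domain name and never an IP address (Q5), and an MX preference is an unsigned 16-bit number (Q8). The Python below is an added example, not part of the original Q&A, that checks zone-file lines against those rules; the sample records are constructed and reuse the hypothetical foo.example names from the answers. It assumes every line carries an explicit owner name and the IN class.

```python
"""Check zone-file records for the mistakes discussed in Q4, Q5 and Q8.

Added example, not from the original Q&A. Sample records are constructed and
assume an explicit owner and the IN class on every line.
"""
import ipaddress

MAX_MX_PREFERENCE = 65535        # unsigned 16-bit (Q8)
MAX_TTL = (1 << 31) - 1          # TTLs are 31-bit values (RFC 2181)

# Constructed sample zone lines: some correct, some carrying the errors discussed.
SAMPLE_RECORDS = """
foo.example.    300   IN  A      10.0.0.1
www             IN    CNAME      192.168.0.1
mail            IN    CNAME      foo.example.
foo.example.    IN    MX  10     mail.foo.example.
foo.example.    IN    MX  70000  backup.foo.example.
"""


def parse_record(line):
    """Split one record line into (owner, ttl or None, class, type, rdata tokens).

    Per Q4, an optional explicit TTL sits between the owner field and the class field.
    """
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"too few fields: {line!r}")
    owner, idx, ttl = tokens[0], 1, None
    if tokens[idx].isdigit():
        ttl = int(tokens[idx])
        idx += 1
    rclass = tokens[idx].upper()
    if rclass != "IN":
        raise ValueError(f"unexpected class {rclass!r} in {line!r}")
    rtype = tokens[idx + 1].upper()
    return owner, ttl, rclass, rtype, tokens[idx + 2:]


def ip_version(text):
    """4 or 6 if `text` is an IP address literal, otherwise None."""
    try:
        return ipaddress.ip_address(text).version
    except ValueError:
        return None


def check_record(line):
    """Return a list of problems for one record (an empty list means it looks fine)."""
    _owner, ttl, _cls, rtype, rdata = parse_record(line)
    problems = []
    if ttl is not None and not 0 <= ttl <= MAX_TTL:
        problems.append("TTL out of range")
    if rtype == "CNAME":
        # Q5: the field after CNAME must be a domain name, never an IP address.
        if len(rdata) != 1 or ip_version(rdata[0]) is not None:
            problems.append("CNAME target must be a domain name, not an IP address")
    elif rtype == "MX":
        # Q8: preference is an unsigned 16-bit number, so 0..65535.
        if len(rdata) != 2 or not rdata[0].isdigit():
            problems.append("MX needs a preference number and a mail exchanger name")
        elif not 0 <= int(rdata[0]) <= MAX_MX_PREFERENCE:
            problems.append("MX preference must be between 0 and 65535")
        elif ip_version(rdata[1]) is not None:
            problems.append("MX exchanger must be a host name, not an IP address")
    elif rtype == "A":
        if len(rdata) != 1 or ip_version(rdata[0]) != 4:
            problems.append("A record needs one IPv4 address")
    return problems


def check_zone(text):
    """Return {record line: problems} for every line that has at least one problem."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(";"):
            problems = check_record(line)
            if problems:
                report[line] = problems
    return report


if __name__ == "__main__":
    for line, problems in check_zone(SAMPLE_RECORDS).items():
        print(line, "->", "; ".join(problems))
```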

Q1. Which are the FIVE FSMO roles?

Schema Master - Forest level - one per forest
Domain Naming Master - Forest level - one per forest
PDC Emulator - Domain level - one per domain
RID Master - Domain level - one per domain
Infrastructure Master - Domain level - one per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.
• Time synchronization for the domain.
• Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group, or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a domain controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes, moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain, and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming Master needs to be on a Global Catalog server. If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP - Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and the Global Catalog server rule above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.
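
The placement rules in Q6 are easy to check mechanically once you have the role holders (for example from the tools listed under FSMO TOOLS below) and the list of Global Catalog servers. The Python below is an added example, not part of the original document, that audits a placement against those rules: the Infrastructure Master on a Global Catalog is flagged as an error only when the forest has more than one domain, as the text explains, while the Schema Master / Domain Naming Master and PDC Emulator / RID Master recommendations are flagged as warnings. The dc1/dc2 inventory is constructed; the hostnames are placeholders.

```python
"""Audit FSMO role placement against the guidance in Q6.

Added example, not from the original document. SAMPLE_PLACEMENT and
SAMPLE_GLOBAL_CATALOGS are a constructed inventory with placeholder hostnames.
"""
FOREST_ROLES = ("Schema Master", "Domain Naming Master")
DOMAIN_ROLES = ("PDC Emulator", "RID Master", "Infrastructure Master")

# Constructed inventory: role -> holder, and the set of Global Catalog servers.
SAMPLE_PLACEMENT = {
    "Schema Master": "dc1.corp.example",
    "Domain Naming Master": "dc1.corp.example",
    "PDC Emulator": "dc2.corp.example",
    "RID Master": "dc2.corp.example",
    "Infrastructure Master": "dc1.corp.example",
}
SAMPLE_GLOBAL_CATALOGS = {"dc1.corp.example"}


def audit_placement(roles, global_catalogs, domain_count):
    """Return a list of (severity, message) findings for a role placement.

    roles: mapping of role name -> DC hostname; global_catalogs: set of DC
    hostnames that are Global Catalog servers; domain_count: domains in the forest.
    """
    findings = []
    missing = [r for r in FOREST_ROLES + DOMAIN_ROLES if r not in roles]
    if missing:
        findings.append(("ERROR", "roles without a holder: " + ", ".join(missing)))
        return findings

    # Infrastructure Master must not sit on a GC, unless the forest has one domain
    # (then there are no cross-domain references for it to keep up to date).
    infra = roles["Infrastructure Master"]
    if domain_count > 1 and infra in global_catalogs:
        findings.append(("ERROR",
                         f"Infrastructure Master on Global Catalog {infra} in a multi-domain forest"))

    # Schema Master and Domain Naming Master: same server, and a Global Catalog.
    for role in FOREST_ROLES:
        if roles[role] not in global_catalogs:
            findings.append(("WARN", f"{role} holder {roles[role]} is not a Global Catalog"))
    if roles["Schema Master"] != roles["Domain Naming Master"]:
        findings.append(("WARN", "Schema Master and Domain Naming Master are on different servers"))

    # PDC Emulator and RID Master are recommended (not required) to share a server.
    if roles["PDC Emulator"] != roles["RID Master"]:
        findings.append(("WARN", "PDC Emulator and RID Master are on different servers"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_placement(SAMPLE_PLACEMENT, SAMPLE_GLOBAL_CATALOGS, 2):
        print(severity, message)
```

Run with domain_count=2 the sample placement produces one ERROR (dc1 holds the Infrastructure Master and is a Global Catalog); with domain_count=1 the same placement is clean, matching the note that this is not an issue in a single-domain environment.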

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group
Domain Naming Master: member of the Enterprise Admins group
PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
RID Master: member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out what servers in your domain/forest hold what server roles

1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move the role to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move, and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree, and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD or install the Windows 2000 Server Resource Kit. Once you install the support tools, you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type "netdom query fsmo" and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

• Command-line tool to query for the current FSMO role holders
• Part of the Microsoft Windows 2000 Server Resource Kit
• Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
• Prints to the screen the current FSMO holders
• Calls NTDSUTIL to get this information

7. NLTEST

• Command-line tool to perform common network administrative tasks
• Type "nltest /?" for syntax and switches
• Common uses:
  - Get a list of all DCs in the domain
  - Get the name of the PDC emulator
  - Query or reset the secure channel for a server
  - Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

GROUP POLICY

Q1 What are Group Policies

Group Policies are settings that can be applied to Windows computers users or both In Windows 2000 there are hundreds of Group Policy settings Group Policies are usually used to lock down some aspect of a PC Whether you dont want users to run Windows Update or change their Display Settings or you want to insure certain applications are installed on computers - all this can be done with Group Policies

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2 Domain policy gets applied to whom

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3 From Where to create a Group Policy

To create a Domain Group Policy Object, open Active Directory Sites and Services and right-click Default-First-Site-Name (or another Site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right-click the Domain or an OU and choose Properties.

Q4 Who can Create/Modify Group Policies

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5 How are Group Policies Applied

Group Policies can be configured locally, at the Site level, at the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6 How to disable Group Policy Objects

When you are creating a Group Policy Object the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7 When do the Group Policy scripts run

Startup scripts are processed at computer bootup and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8 When does the group policy get refreshed/applied

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could be at 60, 90 or 120 minutes. For DCs (Domain Controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes at Administrative Templates > System > Group Policy.

Q9 Which policies are not affected by background refresh

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup and Shutdown Scripts

Q9 How to refresh Group Policies using the command line

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10 What is the Default Setting for Dial-up users

Win2000 considers a slow dial-up link to be anything less than 500 Kbps. When a user logs into a domain on a link under 500 Kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11 Which policies are applied regardless of the speed of the dial-up connection

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12 Which policies are not applied over slow links

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under the Computer and User nodes at Administrative Templates > System > Group Policy.


If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13 What are the two default policies

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for the domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14 How to restore Group Policy settings back to default

The following command replaces both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to restore only one or the other.

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which restores the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single

Q15 What are the two exceptions that control Group Policy inheritance

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
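The processing order, the bottom-to-top link order within a container, and the two exceptions above combined into one resolver, as an added example that is not part of the interview document. It assumes two details the document does not spell out: the local GPO is never removed by Block Inheritance, and when No Override links exist at several levels the parent's enforced GPO beats the child's; the container, GPO and setting names are constructed.

```python
"""Model of how Group Policy Objects combine: the local GPO first, then the
links on Site, Domain and OU containers (LSDOU), bottom-to-top link order
within a container, Block Inheritance and No Override.  Added example, not
from the interview document; the container, GPO and setting names are
constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict               # setting name -> value
    no_override: bool = False    # "No Override" (Enforced) set on the link


@dataclass
class Container:
    name: str
    # Links as the Group Policy tab lists them: the top entry is applied
    # last, so it wins conflicts with entries below it.
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def resolve(local_gpo, chain):
    """Effective settings for an object whose containers are `chain`,
    ordered Site, Domain, OU, nested OU ...  Returns (settings, winner),
    where winner maps each setting to the GPO that supplied its value."""
    effective, winner = {}, {}

    def apply(gpo):
        for key, value in gpo.settings.items():
            effective[key] = value
            winner[key] = gpo.name

    # Local policy is processed first; Block Inheritance never removes it
    # (assumption in this model: it blocks only GPOs linked above in AD).
    if local_gpo is not None:
        apply(local_gpo)

    # Deepest container with Block Inheritance: ordinary GPOs linked at
    # levels above it are skipped.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance),
                   default=-1)
    enforced_per_level = []
    for level, container in enumerate(chain):
        enforced = []
        for gpo in reversed(container.links):       # bottom to top
            if gpo.no_override:
                enforced.append(gpo)
            elif level >= block_at:
                apply(gpo)
        enforced_per_level.append(enforced)

    # No Override links cannot be blocked and beat everything beneath them,
    # so the child's enforced GPOs are applied first and the parent's last.
    for enforced in reversed(enforced_per_level):
        for gpo in enforced:
            apply(gpo)
    return effective, winner


def hr_example(block_inheritance=True):
    """Constructed scenario: a user whose account sits in a Human Resources
    OU that links three GPOs, beneath a domain with one enforced GPO."""
    local = GPO("Local GPO", {"Timezone": "UTC", "ScreenSaver": "local-default"})
    site = Container("Default-First-Site-Name", [
        GPO("Site Baseline", {"WindowsUpdate": "allowed", "Wallpaper": "site.bmp"})])
    domain = Container("corp.example", [
        GPO("Domain Lockdown", {"WindowsUpdate": "wsus-only", "Firewall": "on"},
            no_override=True),
        GPO("Domain Defaults", {"Wallpaper": "corp.bmp", "DisplaySettings": "unlocked"})])
    hr = Container("Human Resources", [
        GPO("No Windows Update", {"WindowsUpdate": "denied"}),
        GPO("No Display Settings", {"DisplaySettings": "locked", "ScreenSaver": "on"}),
        GPO("No ScreenSaver", {"ScreenSaver": "off"}),
    ], block_inheritance=block_inheritance)
    return resolve(local, [site, domain, hr])


if __name__ == "__main__":
    settings, winner = hr_example()
    for key in sorted(settings):
        print("%-16s %-14s from %s" % (key, settings[key], winner[key]))
```

Run with `block_inheritance=False` as well to see the Site and Domain wallpaper settings reappear while the enforced Domain Lockdown GPO wins either way.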

Q16 How to Redirect New User and Computer Accounts

By default, new user and computer accounts are created in the Users and Computers containers, respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17 What permissions should an administrator have to manage GPOs

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18 What is the client requirement for supporting GPOs

For client computers to accept Group Policy settings they must be members of Active Directory Support for Group Policy for key operating systems includes the following

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.


Windows XP Professional Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy


Q2 What are the four generally accepted naming conventions

NetBIOS Name (for instance, SPRINGERS01)

TCP/IP Address (121133244)

Host Name (Abbey)

Media Access Control (MAC) address: this is the network adapter hardware address

Q3 How DNS really works

DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line: DNS resolves domain names to IP addresses using these steps.

Step 1: A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client's TCP/IP configuration. This DNS server is known as the local name server.

Step 2: If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.

Step 3: If all else fails, the request is passed to higher and higher level name servers until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.


Below, the steps are explained with the help of a chart.

Figure 8-5 How DNS works

Q4 Which are the major records in DNS

1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.


2 Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical, or official, name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record Records always read from left to right with the subject to be queried about on the left and the answer to the query on the right A machine can have an unlimited number of CNAME aliases A new record must be entered for each alias

You can add A or CNAME records for the service name pointing to the machines you want to load balance

3 Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously you can have as many MX records as you would like It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record Some sendmail programs only look for MX records

It is also possible to include wildcards in MX records If you have a domain where your users each have their own machine running mail clients on them mail could be sent directly to each machine Rather than clutter your DNS entry you can add an MX record like this one

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.


One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4 Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse, with the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5 Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6 Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; then each part of it will be explained.

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
    1996111901 Serial
    10800 Refresh
    3600 Retry
    3600000 Expire
    86400 ) Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on its own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where the NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

There can only be one SOA record per domain Like NS records Allegiance Internet sets up this record for you if you are not running your own name server
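The rules stated with each record type above (one SOA per zone, at least two NS records, an A record behind every in-zone name server, mail exchanger and alias, YYYYMMDDNN serials, MX preference order, in-addr.arpa reversal) as a small zone checker. This is an added example, not code from the original document; SAMPLE_ZONE is constructed after its foobarbaz.com records and deliberately contains one dangling CNAME.

```python
"""Sanity checks for the records explained above (SOA, NS, A, CNAME, MX,
PTR) in the "owner IN TYPE rdata" layout the document uses.  Added
example, not from the original document; SAMPLE_ZONE is constructed after
its foobarbaz.com records and deliberately contains one dangling CNAME."""
import re
from collections import defaultdict
from datetime import date

SAMPLE_ZONE = """\
foobarbaz.com.        IN SOA   draven.foobarbaz.com. hostmaster.foobarbaz.com. 1996111901 10800 3600 3600000 86400
foobarbaz.com.        IN NS    draven.foobarbaz.com.
foobarbaz.com.        IN NS    nse.algx.net.
foobarbaz.com.        IN MX    20 backup.foobarbaz.com.
foobarbaz.com.        IN MX    10 eric.foobarbaz.com.
draven.foobarbaz.com. IN A     36.36.1.2
eric.foobarbaz.com.   IN A     36.36.1.6
backup.foobarbaz.com. IN A     36.36.1.7
www.foobarbaz.com.    IN CNAME eric.foobarbaz.com.
ftp.foobarbaz.com.    IN CNAME gone.foobarbaz.com.
"""

SERIAL_RE = re.compile(r"\d{10}")


def parse_zone(text):
    """Return (owner, TYPE, [rdata fields]) tuples; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        owner, _class, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def reverse_name(ip):
    """PTR owner name for an IPv4 address: 36.36.1.6 -> 6.1.36.36.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def next_serial(current, today):
    """Next YYYYMMDDNN serial: today's date with NN restarting at 01, or
    current + 1 when the stored serial is already at or past today."""
    if not SERIAL_RE.fullmatch(str(current)):
        raise ValueError("serial %s is not in YYYYMMDDNN form" % current)
    candidate = int(today.strftime("%Y%m%d") + "01")
    return candidate if candidate > int(current) else int(current) + 1


def mx_order(records, domain):
    """Mail exchangers for `domain`, lowest preference number first."""
    mx = [(int(rd[0]), rd[1]) for owner, rtype, rd in records
          if owner == domain and rtype == "MX"]
    return [host for _pref, host in sorted(mx)]


def check_zone(records):
    """Apply the rules stated with each record type; return a list of problems."""
    by_type = defaultdict(list)
    for owner, rtype, rdata in records:
        by_type[rtype].append((owner, rdata))
    problems = []

    soa = by_type["SOA"]
    if len(soa) != 1:                       # exactly one SOA per zone
        return ["zone must have exactly one SOA record, found %d" % len(soa)]
    zone, soa_rdata = soa[0]
    if not SERIAL_RE.fullmatch(soa_rdata[2]):
        problems.append("SOA serial %s is not YYYYMMDDNN" % soa_rdata[2])

    if len(by_type["NS"]) < 2:              # at least two name servers
        problems.append("zone needs at least two NS records")

    a_names = {owner for owner, _ in by_type["A"]}
    cname_targets = {owner: rd[0] for owner, rd in by_type["CNAME"]}

    def in_zone(host):
        return host == zone or host.endswith("." + zone)

    # NS and MX hosts inside the zone must have an A record in the zone.
    for rtype, idx in (("NS", 0), ("MX", 1)):
        for owner, rd in by_type[rtype]:
            host = rd[idx]
            if in_zone(host) and host not in a_names:
                problems.append("%s %s names %s, which has no A record"
                                % (rtype, owner, host))

    # An alias must point at the canonical (A) name, never at another alias.
    for owner, target in cname_targets.items():
        if target in cname_targets:
            problems.append("CNAME %s points to alias %s" % (owner, target))
        elif target not in a_names:
            problems.append("CNAME %s points to %s, which has no A record"
                            % (owner, target))
    return problems


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print("MX delivery order:", mx_order(recs, "foobarbaz.com."))
    print("PTR owner for 36.36.1.6:", reverse_name("36.36.1.6"))
    print("next serial:", next_serial(1996111901, date(1996, 11, 20)))
    for problem in check_zone(recs):
        print("problem:", problem)
```

Name servers outside the zone (nse.algx.net in the sample) are not required to have glue here, matching the document's note that the A record is needed for machines "in your domain".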

Quick Summary of the major records in DNS

Record Type: Definition

Host (A): Maps host name to IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps IP address to host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5 What is a DNS zone

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6 Name the two Zones in DNS

DNS servers can contain primary and secondary zones A primary zone is a copy of a zone where updates can be made while a secondary zone is a copy of a primary zone For fault tolerance purposes and load balancing a domain may have several DNS servers that respond to requests for the same information

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers

Q7 How many SOA records does each zone contain

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8 Short summary of the records in DNS

The NS records are used to point to additional DNS servers The PTR record is used for reverse lookups (IP to name) CNAME records are used to give a host multiple names MX records are used when configuring a domain for email


Q9 What is an AD-integrated zone

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers The one catch with AD-integrated zones is that the DNS server must also be a domain controller Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only the resource records needed to identify the authoritative DNS servers for that zone (the SOA, NS and glue A records). A stub zone is used to resolve names between separate DNS namespaces, for example after a corporate merger when the DNS servers of two previously separate namespaces must resolve names for clients in both. Unlike a conditional forwarder, a stub zone keeps its list of authoritative servers current by periodically refreshing the NS records from its master servers.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

- The start of authority (SOA) resource record, the name server (NS) resource records and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution through a stub zone take place?

When a DNS client sends a recursive query to a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. It sends an iterative query to the authoritative DNS servers listed in the NS resource records of the stub zone, just as it would use NS resource records from its cache. If the DNS server cannot reach the authoritative DNS servers listed in its stub zone, it falls back to standard recursion using its root hints.

The DNS server stores the resource records it receives from the authoritative DNS servers listed in the stub zone in its cache, but it does not store them in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The records stored in the cache expire according to the Time-to-Live (TTL) value of each record. The SOA, NS and glue A resource records, which are not written to the cache, expire according to the expire interval in the stub zone's SOA record, which is created when the stub zone is created and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory.

In the standard (file-backed) zone storage model, DNS updates follow a single-master update model: one authoritative DNS server is designated as the primary source for the zone and maintains the master copy in a local file. That primary server is a single fixed point of failure; if it is unavailable, update requests from DNS clients for the zone are not processed.

With directory-integrated storage, dynamic updates follow a multimaster update model. Any authoritative DNS server, that is any domain controller running the DNS server service, is a primary source for the zone. Because the master copy of the zone is held in the Active Directory database, which is replicated to all domain controllers, the zone can be updated through the DNS server on any domain controller for the domain, as long as one is available and reachable on the network.

Directory-integrated zones also let you edit the access control list (ACL) on the dnsZone object, and on the individual dnsNode objects beneath it, in the directory. This gives granular control over the whole zone or over a specific resource record. For example, the ACL on a record can be restricted so that dynamic updates are only allowed from a specified client computer or from a security group such as Domain Admins. This is not possible with standard primary zones.

Note that when you change a zone to directory-integrated, the default dynamic update setting changes to secure updates only. Also, these ACLs govern who can update records through the DNS client service; they do not restrict who can query the zone, since DNS queries are never authenticated.


Directory replication is faster and more efficient than standard DNS replication.

Because Active Directory replication is performed on a per-attribute basis, only the changed values are propagated, so less data is transferred for directory-stored zones than a full zone transfer would carry.

Note: in Windows 2000 only primary zones can be stored in the directory; secondary zones must be stored in standard text files. Windows Server 2003 and later can also store stub zones in the directory. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory, although a secondary zone on a non-DC DNS server is still useful when you want to answer queries without exposing a domain controller.
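As an added example (not part of the original document), here is how the zone types from Q9 to Q13 are created and checked with the DnsServer PowerShell module on Windows Server 2012 or later. The zone names, the partner name server addresses and the assumption that this DNS server is a domain controller are all mine, not the page's:

```powershell
# Added example, not from the original document: an AD-integrated primary zone
# that accepts only secure dynamic updates, plus a stub zone for a second
# namespace, followed by a look at what the stub zone really holds.
# Requires the DnsServer module on a DNS server that is also a domain controller.

Import-Module DnsServer

$Zone        = 'corp.example.com'              # assumed: our own AD domain zone
$PartnerZone = 'partner.example'               # assumed: merged company's namespace
$PartnerNS   = @('192.0.2.53', '192.0.2.54')   # assumed: their authoritative servers

# 1. AD-integrated primary zone, replicated to every DC in the domain.
#    -DynamicUpdate Secure: only Kerberos-authenticated updates from principals
#    allowed by the zone/record ACLs are accepted.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. Check: the zone must be directory-stored and must not have drifted to
#    NonsecureAndSecure, which lets any host on the network overwrite any record.
$z = Get-DnsServerZone -Name $Zone
if (-not $z.IsDsIntegrated)        { throw "$Zone is file-backed, not AD-integrated" }
if ($z.DynamicUpdate -ne 'Secure') { throw "$Zone allows unsecured dynamic updates ($($z.DynamicUpdate))" }

# 3. Stub zone for the partner namespace, also stored in the directory.
#    Only SOA, NS and glue A records are pulled from the master servers.
if (-not (Get-DnsServerZone -Name $PartnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $PartnerZone -MasterServers $PartnerNS -ReplicationScope Domain
}

# 4. Show exactly what the stub zone contains (nothing but SOA, NS and glue).
Get-DnsServerResourceRecord -ZoneName $PartnerZone |
    Select-Object HostName, RecordType, TimeToLive,
        @{ n = 'Data'; e = {
            switch ($_.RecordType) {
                'A'     { $_.RecordData.IPv4Address }
                'NS'    { $_.RecordData.NameServer }
                'SOA'   { $_.RecordData.PrimaryServer }
                default { '' }
            } } } |
    Format-Table -AutoSize
```

The check in step 2 is the one worth keeping in a scheduled job: converting a zone to AD-integrated defaults it to secure updates, but an administrator can later relax it, and a zone that accepts unsecured updates lets any machine on the network hijack any hostname.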

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they have not been refreshed or updated within a configured period. It applies to records registered through dynamic DNS (DDNS), which carry a timestamp; manually added (static) records have no timestamp and are left alone unless you explicitly mark a record to be deleted when it becomes stale. Scavenging is a recommended practice so that your zones are automatically kept clean of stale resource records, which otherwise keep pointing at addresses that may since have been handed to a different machine.

Q15. What is the default interval at which the DNS server kicks off the scavenging process?

The default scavenging period is 168 hours, which is 7 days. Note that scavenging must be enabled both on the server and on each zone, and that a record only becomes eligible for removal once the zone's no-refresh interval plus refresh interval (7 days each by default) have passed since its timestamp, so with default settings a stale record survives at least 14 days.
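Added example (not from the original document) showing aging and scavenging configured with the DnsServer module, together with a dry run that lists the records scavenging would remove before it runs. The zone name is an assumption; the intervals are the 7-day defaults discussed above:

```powershell
# Added example, not from the original document: enable aging on a zone, set
# the server-wide scavenging defaults, list the records that are already stale,
# then let the server scavenge. DnsServer module, Windows Server 2012 or later.

Import-Module DnsServer

$Zone      = 'corp.example.com'        # assumed zone name
$NoRefresh = [TimeSpan]'7.00:00:00'    # default no-refresh interval: 7 days
$Refresh   = [TimeSpan]'7.00:00:00'    # default refresh interval: 7 days
$Period    = [TimeSpan]'7.00:00:00'    # default scavenging period: 168 hours

# 1. Aging is per zone; until it is on, dynamic records never get a timestamp.
Set-DnsServerZoneAging -Name $Zone -Aging $true -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh

# 2. Server-level scavenging. Enable it on ONE DNS server per zone only, so that
#    exactly one machine is responsible for deletions and the timing is predictable.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval $Period -ApplyOnAllZones

# 3. Dry run: a dynamic record is stale once Timestamp + NoRefresh + Refresh is in
#    the past. Static (manually created) records have no Timestamp and are skipped,
#    which is exactly what the scavenger does.
function Get-StaleDnsRecord {
    param(
        [string]$ZoneName,
        [TimeSpan]$NoRefreshInterval,
        [TimeSpan]$RefreshInterval
    )
    $cutoff = (Get-Date).ToUniversalTime() - $NoRefreshInterval - $RefreshInterval
    Get-DnsServerResourceRecord -ZoneName $ZoneName |
        Where-Object { $_.Timestamp -and $_.Timestamp.ToUniversalTime() -lt $cutoff } |
        Select-Object HostName, RecordType, Timestamp
}

$stale = Get-StaleDnsRecord -ZoneName $Zone -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh
$stale | Format-Table -AutoSize

# 4. Kick off scavenging now rather than waiting for the next 7-day cycle.
if ($stale) { Start-DnsServerScavenging -Force }
```

Run the dry run before turning scavenging on for the first time in an existing zone: if aging was only just enabled, every dynamic record receives a fresh timestamp and nothing is stale yet, but if a zone has had aging on for years with scavenging off, the list can be long and should be reviewed for records that matter.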

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. - F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration, whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary. The reason is that I feel there are two configurations
> that could be setup. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. - both by local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard or architected such a configuration?

> VIP = 167.147.1.5
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                 |
>         -----------------
>         |               |
>   ----------      ----------
>   | DNS 1  |      | DNS 2  |
>   ----------      ----------
>    1.1.1.1         1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
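The reverse-name construction described in this answer, as an added example that is not part of the Q&A column; it also extends the idea to IPv6 (ip6.arpa, one hex nibble per label), which the answer does not cover. The IPv4 address is the one from the answer, the IPv6 address is a documentation-prefix example of mine, and the PTR lookup at the end needs network access:

```powershell
# Added example, not from the original column: build the reverse-mapping name
# for an IPv4 (in-addr.arpa) or IPv6 (ip6.arpa) address, then look up its PTR.

function ConvertTo-ReverseName {
    param([Parameter(Mandatory)][string]$IPAddress)
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    switch ($ip.AddressFamily) {
        'InterNetwork' {
            # 161.114.1.206 -> 206.1.114.161.in-addr.arpa : reverse the four octets
            $octets = $ip.GetAddressBytes()
            [array]::Reverse($octets)
            return (($octets -join '.') + '.in-addr.arpa')
        }
        'InterNetworkV6' {
            # 2001:db8::1 -> 32 nibble labels: "1", then twenty-three "0" labels,
            # then 8.b.d.0.1.0.0.2, followed by .ip6.arpa. The address is expanded
            # to all 16 bytes first, so "::" compression never matters.
            $hex     = ($ip.GetAddressBytes() | ForEach-Object { $_.ToString('x2') }) -join ''
            $nibbles = $hex.ToCharArray()
            [array]::Reverse($nibbles)
            return (($nibbles -join '.') + '.ip6.arpa')
        }
        default { throw "Unsupported address family: $($ip.AddressFamily)" }
    }
}

# Name construction only, no network needed:
ConvertTo-ReverseName '161.114.1.206'
ConvertTo-ReverseName '2001:db8::1'

# The actual PTR query, equivalent to "nslookup 161.114.1.206" in the question:
Resolve-DnsName -Name (ConvertTo-ReverseName '161.114.1.206') -Type PTR -ErrorAction SilentlyContinue |
    Select-Object Name, NameHost
```

Building the name explicitly, rather than letting nslookup do it, is useful when you are scripting reverse lookups over a whole range or checking that the PTR name your DHCP/DDNS setup registered matches the forward record.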


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> setup a primary and a single slave server and run caching only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to setup TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example.   300   IN   A   10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain
> and I'm not sure that I have DNS setup properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www    CNAME   192.168.0.1
> mail   CNAME   192.168.0.1
> pop    CNAME   192.168.0.1
> smtp   CNAME   192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example:

www    CNAME   foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in the authority section of responses to queries. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit in the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems to be some limitation on the number of NS records
> in a DNS packet that is specified by certain RFCs, or just Internet policy stuff.
> Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP: further information at http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the FIVE FSMO roles?

- Schema Master: forest level, one per forest
- Domain Naming Master: forest level, one per forest
- PDC Emulator: domain level, one per domain
- RID Master: domain level, one per domain
- Infrastructure Master: domain level, one per domain

Q2. What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It holds the only writable copy of the schema: it is the only DC that can process schema updates, and once an update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. It is the only DC that can add or remove a domain from the forest, which is its main purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master per forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain the PDC emulator role holder performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC because of an incorrect password are forwarded to the PDC emulator for validation before a bad-password failure is reported to the user, so a password that was just changed on another DC is accepted immediately.
- Account lockout is processed on the PDC emulator.
- It is the authoritative time source for the domain (the PDC emulator of the forest root domain is the time source for the whole forest, so it should itself sync to a reliable external source).
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed-mode domain that still contains Windows NT 4 BDCs, the Windows 2000 domain controller that holds the PDC emulator role acts as a Windows NT 4 PDC to those BDCs.

There is only one PDC emulator per domain.

Note: some consider the PDC emulator to be relevant only in a mixed-mode domain. This is not true. Even after you have switched your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs in a given domain. It is also responsible for removing an object from its domain and placing it in another domain during a cross-domain object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique security identifier (SID) to the object. This SID consists of the domain SID (the same for all SIDs created in the domain) and a relative identifier (RID) that makes the object unique within the domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs (500 at a time by default) that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC requests additional RIDs from the domain's RID master, which takes them from the domain's unallocated RID pool and assigns them to the requesting DC. Having exactly one RID master is what guarantees that two DCs never hand out the same SID.

There is one RID master per domain in a directory.

5. Infrastructure Master (domain level)

The DC that holds the infrastructure master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for security principals) and the distinguished name (DN) of the referenced object. The infrastructure master is the DC responsible for updating the SID and distinguished name in such cross-domain object references when the referenced object is renamed or moved.

For example, when a user in DomainA is added to a group in DomainB, the infrastructure master of DomainB is involved. Likewise, if that user in DomainA is later renamed, the infrastructure master of DomainB must update the group membership(s) in DomainB with the name change.

There is only one infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: no updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, or by an administrator adding an attribute to an object class), the malfunction of the server holding the schema master role is not a critical problem.

Domain Naming Master: the domain naming master must be available when adding or removing a domain from the forest (i.e. running DCPROMO to create or remove a domain). If it is not, the domain cannot be added or removed. It is not needed to add a domain controller to an existing domain. Like the schema master, this role is used only occasionally and its loss is not critical unless you are modifying your forest structure.

PDC Emulator: the server holding the PDC emulator role causes the most problems if it is unavailable. This is most noticeable in a mixed-mode domain where you are still running NT 4 BDCs or down-level clients (NT and Win9x): since the PDC emulator acts as the NT 4 PDC, anything that depends on the PDC is affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native-mode domain the failure is less severe because the other DCs still authenticate users, but password-change forwarding, account lockout processing and domain time synchronization stop until the role is transferred or seized, so this is the role to recover first.

RID Master: the RID master provides RIDs for security principals (users, groups, computer accounts). The failure of this role holder has little immediate impact unless you are adding a very large number of users or groups: each DC in the domain already has a pool of RIDs, and a problem occurs only when the DC you are creating the users/groups on runs out of RIDs.

Infrastructure Master: this role is only relevant in a multi-domain environment. If you have only one domain, the infrastructure master is irrelevant. Failure of this server in a multi-domain environment is a problem if you are adding or renaming objects that are referenced from another domain, for example through cross-domain group memberships.

Q4. Where are these FSMO server roles found?

The first domain controller installed in a Windows 2000 forest holds all five FSMO roles by default; the first DC of each additional domain holds that domain's three domain-level roles. As more domain controllers are added, the roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO role is a manual process; it does not happen automatically. A role is transferred when the current holder is online and hands it over, and seized when the holder is permanently gone (a server whose role was seized must never be brought back online without reinstalling it). But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization then you have one forest, one domain and of course one domain controller, and all 5 FSMO roles exist on that DC. There is no rule that says you need one server per FSMO role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The schema master and domain naming master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: according to Microsoft, the domain naming master needs to be on a Global Catalog server (this applies at the Windows 2000 forest functional level; from the Windows Server 2003 forest functional level it is no longer required). If you are going to separate the domain naming master and schema master, just make sure they are both on Global Catalog servers.

IMP: why the infrastructure master should not be on a server that also acts as a Global Catalog server. The Global Catalog contains a partial replica of every object in the forest. When the infrastructure master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it compares its local references against a Global Catalog. If both roles reside on the same server, the infrastructure master never finds a stale reference, because the Global Catalog on the same machine is always up to date, and so it never replicates cross-domain changes to the other domain controllers in its domain. Note: this is not an issue in a single-domain forest, nor when every domain controller in the domain is a Global Catalog server (then no DC holds stale references that need fixing).

Microsoft also recommends that the PDC emulator and RID master be on the same server. This is not mandatory like the infrastructure master / Global Catalog rule above, but it is recommended. Also, since the PDC emulator receives more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and have high-bandwidth connections to one another, as well as to a Global Catalog server.
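An added example (not from the original document) that checks a live forest against the placement rules in this answer using the ActiveDirectory PowerShell module. It only reads; domain, forest and DC names come from the environment rather than being assumed:

```powershell
# Added example, not from the original document: audit FSMO placement against
# the rules above (infrastructure master vs Global Catalog, domain naming master
# on a GC, PDC emulator co-located with RID master). Read-only.

Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * |
          Select-Object Name, HostName, Site, IsGlobalCatalog, OperationMasterRoles

"Forest roles: Schema=$($forest.SchemaMaster)  DomainNaming=$($forest.DomainNamingMaster)"
"Domain roles: PDC=$($domain.PDCEmulator)  RID=$($domain.RIDMaster)  Infra=$($domain.InfrastructureMaster)"

function Test-FsmoPlacement {
    param($Forest, $Domain, $Dcs)
    $findings = @()

    # HostName (FQDN) is what Get-ADDomain/Get-ADForest return for role holders.
    $isGc = @{}
    foreach ($dc in $Dcs) { $isGc[$dc.HostName] = [bool]$dc.IsGlobalCatalog }
    $allGc = -not ($Dcs | Where-Object { -not $_.IsGlobalCatalog })

    # Infrastructure master on a GC is only a problem in a multi-domain forest
    # where at least one DC is NOT a GC.
    if ($Forest.Domains.Count -gt 1 -and $isGc[$Domain.InfrastructureMaster] -and -not $allGc) {
        $findings += "Infrastructure master $($Domain.InfrastructureMaster) is a GC while other DCs are not; stale cross-domain references will never be updated"
    }
    if (-not $isGc[$Forest.DomainNamingMaster]) {
        $findings += "Domain naming master $($Forest.DomainNamingMaster) is not a GC (required at Windows 2000 forest functional level)"
    }
    if ($Domain.PDCEmulator -ne $Domain.RIDMaster) {
        $findings += "PDC emulator and RID master are on different DCs (co-location is recommended, not required)"
    }
    if ($Forest.SchemaMaster -ne $Forest.DomainNamingMaster) {
        $findings += "Schema master and domain naming master are on different DCs (co-location is recommended)"
    }
    return $findings
}

$result = Test-FsmoPlacement -Forest $forest -Domain $domain -Dcs $dcs
if ($result) { $result | ForEach-Object { "WARN: $_" } } else { "FSMO placement follows the recommendations." }
```

Run it from the domain you care about; the domain-level checks apply to that domain only, so repeat it per domain in a multi-domain forest.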

Q7. What permissions do you need in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, depending on which role you plan to transfer:

- Schema Master: member of the Schema Admins group
- Domain Naming Master: member of the Enterprise Admins group
- PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
- RID Master: member of the Domain Admins group and/or the Enterprise Admins group
- Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out which servers in your domain/forest hold which FSMO roles

1. Active Directory Users and Computers: use this snap-in to find out where the domain-level FSMO roles (PDC emulator, RID master, infrastructure master) are located, and to change the location of one or more of these three roles.

Open Active Directory Users and Computers, right-click the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) opens with three tabs, one for each FSMO role; click each tab to see which server that role resides on. To change a role holder you must first connect to the domain controller you want to move it to: right-click Active Directory Users and Computers at the top of the snap-in and choose Connect to Domain Controller. Once connected to that DC, go back into the Operations Masters dialog box, choose the role to move and click the Change button. When you are connected to another DC, the name of that DC appears in the field below the Change button (not shown in this graphic).


2. Active Directory Domains and Trusts: use this snap-in to find out where the domain naming master FSMO role is and to change its location.

The process is the same as for the domain-level roles in Active Directory Users and Computers, except that you use the Active Directory Domains and Trusts snap-in. Open it, right-click Active Directory Domains and Trusts at the top of the tree and choose Operations Master; you will see the dialog box below. Changing the server that holds the domain naming master requires that you first connect to the new domain controller (right-click Active Directory Domains and Trusts at the top of the snap-in and choose Connect to Domain Controller), then click the Change button.

3. Active Directory Schema: this snap-in is used to view and change the schema master FSMO role. However, it is not part of the default Windows 2000 administrative tools. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD or the Windows 2000 Server Resource Kit; on later versions of Windows the snap-in ships with the admin tools but must be registered once with regsvr32 schmmgmt.dll from an elevated prompt. Then open a blank Microsoft Management Console (Start, Run, mmc) and add the Active Directory Schema snap-in. Once the snap-in is open, right-click Active Directory Schema at the top of the tree and choose Operations Masters; you will see the dialog box below. Changing the server the schema master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out which server holds which FSMO role is the Netdom command-line utility. Like the Active Directory Schema snap-in, Netdom is only available on Windows 2000 if you have installed the Support Tools from the Windows 2000 CD or the Windows 2000 Server Resource Kit (it is built into Windows Server 2003 and later).

To use Netdom to view the FSMO role holders, open a command prompt and type:

netdom query fsmo

You will see a list of the five roles and the server that holds each one.


5. Active Directory Replication Monitor: another tool that comes with the Support Tools. Open it from Start, Programs, Windows 2000 Support Tools. Click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties, then click the FSMO Roles tab to view the servers holding the five FSMO roles (below). You cannot change roles using Replication Monitor, but the tool has many other useful purposes for Active Directory troubleshooting and is worth checking out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about FSMO roles and to transfer or seize them. Ntdsutil.exe, a command-line utility installed with Windows 2000 Server, is rather involved and beyond the scope of this document (see Q9 below for the reference).

6. DUMPFSMOS

Command-line tool to query the current FSMO role holders. Part of the Microsoft Windows 2000 Server Resource Kit, downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp. It prints the current FSMO holders to the screen, calling NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks. Type "nltest /?" for syntax and switches.

Common uses:

- Get a list of all DCs in the domain (nltest /dclist:domain)
- Get the name of the PDC emulator (nltest /dcname:domain)
- Query or reset the secure channel for a server (nltest /sc_query:domain, nltest /sc_reset:domain)
- Call DsGetDCName to query for an available domain controller (nltest /dsgetdc:domain)

8. ADcheck (470 KB, third party)

A simple utility to view information about AD and FSMO roles: http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role

See Microsoft Knowledge Base article Q255504, "Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller": http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
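Added example (not the page's own instructions) of transferring the domain-level roles with the ActiveDirectory module and seizing only when the current holder is unreachable, verified afterwards with the netdom command from Q8; the target DC name DC02 is an assumption:

```powershell
# Added example, not from the original document: move the three domain-level
# FSMO roles to DC02. Transfers when the old holder is alive, seizes otherwise.
# Needs the ActiveDirectory module and Domain Admins (Enterprise Admins and
# Schema Admins would be needed for the forest roles). DC02 is an assumed name.

Import-Module ActiveDirectory

$Target     = 'DC02'   # assumed: the DC that should end up holding the roles
$TargetFqdn = (Get-ADDomainController -Identity $Target).HostName

# Current holders, as FQDNs, straight from the domain object.
$domain  = Get-ADDomain
$holders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

foreach ($role in $holders.Keys) {
    $current = $holders[$role]
    if ($current -eq $TargetFqdn) { "$role already on $Target"; continue }

    if (Test-Connection -ComputerName $current -Count 1 -Quiet) {
        # Graceful transfer: the old holder is online and hands the role over,
        # so both DCs agree on the new owner.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Confirm:$false
        "$role transferred from $current to $Target"
    } else {
        # Seize: -Force writes the role onto $Target WITHOUT the old holder's
        # cooperation. Only do this when $current is permanently gone. A seized
        # RID master that later comes back online would hand out duplicate SIDs.
        Write-Warning "$current is unreachable; seizing $role on $Target"
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Force -Confirm:$false
    }
}

# Verify from two independent sources (netdom is the tool listed in Q8).
netdom query fsmo
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# The same operation in ntdsutil (the KB article above), typed interactively:
#   ntdsutil
#   roles
#   connections
#   connect to server DC02
#   quit
#   transfer PDC                     (seize PDC if the holder is gone)
#   transfer RID master
#   transfer infrastructure master
#   quit
#   quit
```

Ping is a crude liveness test; if ICMP is filtered between DCs, replace Test-Connection with an LDAP bind to the old holder before deciding to seize, because seizing a role from a DC that is merely unreachable from your workstation is how you end up with two RID masters.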


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC: whether you don't want users to run Windows Update or change their display settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or as domain policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, mmc) and adding the Group Policy snap-in. You must be an administrator to configure or modify Group Policies. Windows 2000 Group Policies can only be applied to Windows 2000 and later computers (Windows XP, Windows Server 2003 and so on); they cannot be applied to Win9x or Windows NT computers, which only understand the older System Policies.

Q2. To whom does a domain policy get applied?

Domain policies are applied to computers and users that are members of a domain, and these policies are configured on domain controllers. In Windows 2000 you access domain Group Policies by opening Active Directory Sites and Services (for policies linked at the site level) or Active Directory Users and Computers (for policies linked to the domain and/or organizational units). On Windows Server 2003 and later the Group Policy Management Console (gpmc.msc) manages all three scopes in one place.

Q3. From where do you create a Group Policy?

To create a domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name (or another site), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. In Active Directory Users and Computers it is the same process, except that you right-click the domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You must have administrative privileges to create or modify Group Policies. The following table shows who can create or modify each policy type.

Policy type: allowable groups/users

- Site-level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest; the Enterprise Administrators group exists only in the root domain.

- Domain-level Group Policies: Enterprise Administrators, Domain Administrators or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

- OU-level Group Policies: Enterprise Administrators, Domain Administrators or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control over the OU's Group Policies with the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already-created Group Policies to the OU. If you want OU administrators to be able to create and modify Group Policies, add them to the Group Policy Creator Owners group for the domain. Note that members of that group get full control over every GPO they create, and a GPO can run code on every machine it is linked to, so treat Group Policy Creator Owners as a privileged group and audit its membership.

- Local Group Policies: the local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the site level, the domain level or the organizational unit (OU) level. They are applied in a specific order, LSDOU: local policies first, then site-linked policies, then domain-linked policies, then OU policies, then nested OU policies (OUs within OUs). Where settings conflict, a policy applied later overrides one applied earlier, so the OU closest to the object normally wins. Group Policies cannot be linked to a specific user or group, only to container objects.

To apply Group Policies to specific users or computers, you place the user (or group) and computer objects in container objects; everything in the container then receives the policies linked to that container. Sites, domains and OUs are container objects (the built-in Users and Computers containers are not OUs and cannot have GPOs linked to them).

Computer and user Active Directory objects do not have to be in the same container. For example, Sally the user is an object in Active Directory, and Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally's user object can be in one OU while her computer object is in another. It all depends on how you organize your Active Directory structure and which Group Policies you want applied to which objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific; they only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list; the top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6. How to disable Group Policy Objects

When you are creating a Group Policy Object, the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 minutes, with a +/- 30 minute interval, so the refresh could be 60, 90, or 120 minutes. For DCs (Domain Controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes at Administrative Templates\System\Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup, and Shutdown Scripts

Q9. How to refresh Group Policies using the command line

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice that the /force switch applies to both user and computer policies; there is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under the Computer and User nodes at Administrative Templates\System\Group Policy.

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. What are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These three policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these three policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are three policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.

Q14. How to restore Group Policy settings back to default

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed, and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed, and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
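The processing order above and the two exceptions combine in a fixed way. The following Python model is an added example, not from the original document: it computes the resultant settings for a computer in a Human Resources OU that links the three GPOs discussed earlier, with a domain-level link marked No Override and Block Inheritance set on the OU. All container, GPO and setting names in it are constructed.

```python
"""Model of GPO precedence: LSDOU order, link order within a container, No Override
and Block Inheritance. Added example; all container, GPO and setting names are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict            # setting name -> value configured in this GPO


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False  # "No Override" on the link (called Enforced in newer tools)


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # listed as on the Group Policy tab: top first
    block_inheritance: bool = False


def processing_order(local_gpo, containers):
    """GPOs in the order they are applied; later entries win conflicts.

    containers runs from the site through the domain to the deepest OU (parent first).
    """
    normal = [local_gpo]
    enforced_per_container = []
    for container in containers:
        if container.block_inheritance:
            # Block Inheritance discards every non-enforced GPO from parent containers.
            # The local GPO is not inherited from a parent, so it stays.
            normal = [local_gpo]
        # The bottom of the list is applied first, so the top entry overrides the rest.
        bottom_to_top = list(reversed(container.links))
        normal.extend(link.gpo for link in bottom_to_top if not link.no_override)
        enforced_per_container.append([link.gpo for link in bottom_to_top if link.no_override])
    # No Override links are applied after everything else, and a parent's No Override
    # link must beat a child's, so child-level ones go first and the parent's last.
    enforced = [gpo for group in reversed(enforced_per_container) for gpo in group]
    return normal + enforced


def effective_settings(local_gpo, containers):
    """Return (resultant settings, name of the GPO that supplied each setting)."""
    settings, winner = {}, {}
    for gpo in processing_order(local_gpo, containers):
        for key, value in gpo.settings.items():
            settings[key] = value
            winner[key] = gpo.name
    return settings, winner


# Constructed scenario: a domain-level screensaver policy marked No Override, and a
# Human Resources OU that blocks inheritance and links the three GPOs named above.
LOCAL = GPO("Local Computer Policy", {"screensaver_timeout": 300, "wallpaper": "local.bmp"})
SITE = Container("Default-First-Site-Name", [Link(GPO("Site Proxy", {"proxy": "proxy.site"}))])
DOMAIN = Container("foobarbaz.com", [
    Link(GPO("Default Domain Policy", {"min_password_length": 7})),
    Link(GPO("Corp Screensaver", {"screensaver_timeout": 600}), no_override=True),
])
HR_OU = Container("Human Resources", [
    Link(GPO("No ScreenSaver", {"screensaver_timeout": 0, "screensaver": "off"})),
    Link(GPO("No Display Settings", {"display_settings": "hidden", "wallpaper": "hr.bmp"})),
    Link(GPO("No Windows Update", {"windows_update": "hidden", "wallpaper": "old.bmp"})),
], block_inheritance=True)

if __name__ == "__main__":
    resultant, winners = effective_settings(LOCAL, [SITE, DOMAIN, HR_OU])
    for key in sorted(resultant):
        print(f"{key:20} = {resultant[key]!s:10} (from {winners[key]})")
```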

Q16. How to redirect new user and computer accounts

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.
Editing GPOs linked to domains requires Domain Administrative permissions.
Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


Below, the steps are explained with the help of a chart.

Figure 8-5: How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A) - map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. A records have three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record with every column the same save for the IP address.

2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical or official name of the machine; other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com IN CNAME eric.foobarbaz.com

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases; a new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain, even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com IN MX 10 eric.foobarbaz.com

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format: it is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record; some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com IN MX 10 eric.foobarbaz.com

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse for the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com IN NS draven.foobarbaz.com

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of a SOA record; then each part of it will be explained:

foobarbaz.com IN SOA draven.foobarbaz.com hostmaster.foobarbaz.com (
    1996111901 ; Serial
    10800 ; Refresh
    3600 ; Retry
    3600000 ; Expire
    86400 ) ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address, if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on its own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where the NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.

Quick Summary of the major records in DNS

Record Type: Definition

Host (A): Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zones in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8. Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.
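The rules stated across Q4 to Q8 (exactly one SOA per zone, at least two NS records, name servers and mail exchangers backed by A records, aliases pointing at a canonical name rather than another alias, PTR names that invert an A record, and the YYYYMMDDNN serial) can be checked mechanically. The following Python is an added example, not from the original document: the zone text it parses is constructed around the foobarbaz.com records above, and the hosts beyond eric and draven (backup, ftp, nowhere) are invented for the demonstration.

```python
"""Consistency checks for the record rules stated above. Added example, not from the
original document; the zone text and every hostname beyond eric/draven are constructed."""
from datetime import date

# Constructed zone: same layout as the SOA example above ('(' ... ')' across lines, ';' comments).
SAMPLE_ZONE = """
foobarbaz.com.          IN SOA   draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                                 1996111901 ; Serial
                                 10800      ; Refresh
                                 3600       ; Retry
                                 3600000    ; Expire
                                 86400 )    ; Minimum
foobarbaz.com.          IN NS    draven.foobarbaz.com.
foobarbaz.com.          IN NS    eric.foobarbaz.com.
foobarbaz.com.          IN MX    20 backup.foobarbaz.com.
foobarbaz.com.          IN MX    10 eric.foobarbaz.com.
eric.foobarbaz.com.     IN A     36.36.1.6
draven.foobarbaz.com.   IN A     36.36.1.7
backup.foobarbaz.com.   IN A     36.36.1.8
www.foobarbaz.com.      IN CNAME eric.foobarbaz.com.
ftp.foobarbaz.com.      IN CNAME www.foobarbaz.com.
6.1.36.36.in-addr.arpa. IN PTR   eric.foobarbaz.com.
7.1.36.36.in-addr.arpa. IN PTR   nowhere.foobarbaz.com.
"""


def parse_zone(text):
    """Return [(owner, type, rdata tokens)]; a '(' ... ')' pair joins one record across lines."""
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]          # drop comments
        if not line.strip():
            continue
        buf.extend(line.split())
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                          # still inside the parentheses
        tokens = [t for t in buf if t not in ("(", ")")]
        buf = []
        records.append((tokens[0], tokens[2], tokens[3:]))   # tokens[1] is the class, IN
    return records


def reverse_name(ip):
    """in-addr.arpa owner name for an IPv4 address: 36.36.1.6 -> 6.1.36.36.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def check_zone(records):
    """Return a list of problems; an empty list means every rule above is satisfied."""
    problems, by_type = [], {}
    for owner, rtype, rdata in records:
        by_type.setdefault(rtype, []).append((owner, rdata))
    a_hosts = {owner: rdata[0] for owner, rdata in by_type.get("A", [])}
    aliases = {owner for owner, _ in by_type.get("CNAME", [])}
    if len(by_type.get("SOA", [])) != 1:
        problems.append("zone must have exactly one SOA record")
    ns_targets = [rdata[0] for _, rdata in by_type.get("NS", [])]
    if len(ns_targets) < 2:
        problems.append("zone needs at least two NS records")
    for ns in ns_targets:                      # every name server needs an A record
        if ns not in a_hosts:
            problems.append(f"name server {ns} has no A record")
    for _, rdata in by_type.get("MX", []):     # so does every mail exchanger
        if rdata[1] not in a_hosts:
            problems.append(f"mail exchanger {rdata[1]} has no A record")
    for owner, rdata in by_type.get("CNAME", []):   # aliases point at the canonical name
        if rdata[0] in aliases:
            problems.append(f"alias {owner} points at another alias {rdata[0]}")
        elif rdata[0] not in a_hosts:
            problems.append(f"alias {owner} points at {rdata[0]}, which has no A record")
    for owner, rdata in by_type.get("PTR", []):     # reverse name must invert the host's A record
        if rdata[0] not in a_hosts or reverse_name(a_hosts[rdata[0]]) != owner:
            problems.append(f"PTR {owner} -> {rdata[0]} does not match that host's A record")
    return problems


def mx_order(records):
    """Mail exchangers in the order a sender tries them: lowest preference number first."""
    mx = [(int(rdata[0]), rdata[1]) for _, rtype, rdata in records if rtype == "MX"]
    return [host for _, host in sorted(mx)]


def soa_fields(records):
    """Primary server, contact e-mail (first '.' becomes '@') and the five timer fields."""
    for _, rtype, rdata in records:
        if rtype == "SOA":
            serial, refresh, retry, expire, minimum = (int(v) for v in rdata[2:7])
            return {"primary": rdata[0], "contact": rdata[1].rstrip(".").replace(".", "@", 1),
                    "serial": serial, "refresh": refresh, "retry": retry,
                    "expire": expire, "minimum": minimum}
    return None


def next_serial(current, today_yyyymmdd=None):
    """Next YYYYMMDDNN serial: NN restarts at 01 on a new day, otherwise it increments."""
    today = today_yyyymmdd or int(date.today().strftime("%Y%m%d"))
    candidate = today * 100 + 1
    return candidate if candidate > current else current + 1


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print("MX try order:", mx_order(zone), "| SOA:", soa_fields(zone))
    print("Problems:", check_zone(zone))
```

Run against the sample it reports the alias chain (ftp points at www, itself an alias) and the PTR whose host has no A record, while the MX list comes back in preference order regardless of how the records are written.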


Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

Just wanted to ask a question about load balanced DNS serversgt via an external network load balancing appliance (ie - F5s Big IPgt Ciscos Content Switches Local Directors)gt The main question being the configuration whether to use 2gt MasterPrimary Servers or is it wiser to use 1 Primary and 1gt Secondary The reason is that I feel there are two configurationsgt that could be setup One in which only the resolvers query thegt virtual IP address on the load balancing appliance or actuallygt configure your NS records to point to the Virtual Address so that allgt queries ie - both by local queries directly from local users andgt also queries from external DNS servers Ive included a textgt representation of the physical configuration Have you evergt heard or architected such a configuration


> [Text diagram in the original question: a load balancer device holding the VIP, with DNS 1 and DNS 2 behind it on two separate addresses.]

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So, in this case, the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
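The walk described in that answer, as an added example that is not part of the original Q&A: it builds the PTR owner name with Python's ipaddress module (which also handles the ip6.arpa nibble form for IPv6) and follows referrals through a constructed stand-in for the delegation tree. The zone names and operators come from the answer above; the lookup table itself is constructed, not real data.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Invert the address and append in-addr.arpa (ip6.arpa nibbles for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed stand-in for the delegation tree described in the answer:
# zone name -> who runs it, the child zones it delegates, and the PTR records it holds.
ZONES = {
    ".": {"operator": "root servers",
          "delegations": ["161.in-addr.arpa."],
          "ptr": {}},
    "161.in-addr.arpa.": {"operator": "ARIN",
                          "delegations": ["1.114.161.in-addr.arpa."],
                          "ptr": {}},
    "1.114.161.in-addr.arpa.": {"operator": "Compaq",
                                "delegations": [],
                                "ptr": {"206.1.114.161.in-addr.arpa.": "inmail.compaq.com."}},
}


def resolve_ptr(ip: str, zones: dict):
    """Start at the root and follow referrals until a zone holds (or lacks) the PTR.

    Returns (path_of_zones_consulted, target_name_or_None).
    """
    name = reverse_name(ip)
    zone = "."
    path = [zone]
    while True:
        # A name falls under at most one child delegation of the current zone.
        child = next((d for d in zones[zone]["delegations"]
                      if name == d or name.endswith("." + d)), None)
        if child is None:
            # No further referral: this zone is authoritative for the name.
            return path, zones[zone]["ptr"].get(name)
        zone = child
        path.append(zone)


if __name__ == "__main__":
    for addr in ("161.114.1.206", "161.114.1.7", "10.0.0.1"):
        path, target = resolve_ptr(addr, ZONES)
        hops = " -> ".join(f"{z} ({ZONES[z]['operator']})" for z in path)
        print(f"{reverse_name(addr)}: {hops} => {target}")
```

A name inside the delegated range but without a PTR record ends at the same authoritative zone with no answer, while an address outside 161/8 gets no referral from the root at all.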


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1


These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example:

www CNAME foo.example

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm really wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit in the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation of NS record numbers
> in the DNS packet that is specified by certain RFCs, or just Internet policy stuff.
>
> Which one is the proper reason?


It's a technical limitation: UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the FIVE FSMO roles?

Schema Master - Forest level, one per forest

Domain Naming Master - Forest level, one per forest

PDC Emulator - Domain level, one per domain

RID Master - Domain level, one per domain

Infrastructure Master - Domain level, one per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain the PDC emulator role holder performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.

- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.

- Account lockout is processed on the PDC emulator.

- Time synchronization for the domain.

- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as a NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP - Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server: The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog rule above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.
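The placement rules above, turned into a check you can run against an inventory of role holders and Global Catalog servers. This is an added example, not code from the original document; the DC names and domain names in the sample inventory are constructed placeholders.

```python
def check_fsmo_placement(forest_roles, domain_roles, global_catalogs):
    """Return a list of (severity, message) findings for the placement rules above.

    forest_roles:    {"SchemaMaster": dc, "DomainNamingMaster": dc}
    domain_roles:    {domain: {"PDCEmulator": dc, "RIDMaster": dc, "InfrastructureMaster": dc}}
    global_catalogs: set of DC names that are Global Catalog servers
    """
    findings = []
    schema = forest_roles["SchemaMaster"]
    naming = forest_roles["DomainNamingMaster"]

    # The Domain Naming Master must be a GC; if it is split from the Schema Master,
    # both role holders must be GCs.
    if naming not in global_catalogs:
        findings.append(("error", f"Domain Naming Master {naming} is not a Global Catalog server"))
    if schema != naming:
        findings.append(("info", f"Schema Master {schema} and Domain Naming Master {naming} "
                                 f"are on different DCs (same server recommended)"))
        if schema not in global_catalogs:
            findings.append(("error", f"Schema Master {schema} is separated from the Domain "
                                      f"Naming Master but is not a Global Catalog server"))

    multi_domain = len(domain_roles) > 1
    for domain, roles in domain_roles.items():
        infra = roles["InfrastructureMaster"]
        # An Infrastructure Master that is also a GC never sees a stale cross-domain
        # reference, so it never replicates the fix; only relevant with several domains.
        if multi_domain and infra in global_catalogs:
            findings.append(("error", f"{domain}: Infrastructure Master {infra} is also a "
                                      f"Global Catalog server"))
        if roles["PDCEmulator"] != roles["RIDMaster"]:
            findings.append(("warning", f"{domain}: PDC Emulator {roles['PDCEmulator']} and "
                                        f"RID Master {roles['RIDMaster']} are not on the same server"))
    return findings


# Constructed two-domain inventory (placeholder names) that trips each rule once.
EXAMPLE_FOREST = {"SchemaMaster": "DC1", "DomainNamingMaster": "DC2"}
EXAMPLE_DOMAINS = {
    "corp.example":       {"PDCEmulator": "DC1", "RIDMaster": "DC1", "InfrastructureMaster": "DC1"},
    "child.corp.example": {"PDCEmulator": "DC3", "RIDMaster": "DC4", "InfrastructureMaster": "DC3"},
}
EXAMPLE_GCS = {"DC1", "DC2"}

if __name__ == "__main__":
    for severity, message in check_fsmo_placement(EXAMPLE_FOREST, EXAMPLE_DOMAINS, EXAMPLE_GCS):
        print(f"[{severity}] {message}")
```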

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master - member of the Schema Admins group

Domain Naming Master - member of the Enterprise Admins group

PDC Emulator - member of the Domain Admins group and/or the Enterprise Admins group

RID Master - member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master - member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out what servers in your domain/forest hold what server roles


1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).


2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the support tools, you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.


5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest /?" for syntax and switches.

Common uses:

Get a list of all DCs in the domain

Get the name of the PDC emulator

Query or reset the secure channel for a server

Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name or another Site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type - Allowable Groups/Users

Site Level Group Policies - Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies - Enterprise Administrators, Domain Administrators or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies - Enterprise Administrators, Domain Administrators or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies - The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.
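The precedence rules from this section (LSDOU order, bottom-to-top within a list, computer beats user, IPSec/EFS not additive, and the domain-only account policies described under Q13 below) as a small model you can run. This is an added example, not from the original document; the GPO names follow the Human Resources OU in the text, while the scope names and setting values are constructed.

```python
LSDOU = ["Local", "Site", "Domain", "OU"]   # nested OUs appear as further "OU" scopes
NON_ADDITIVE = {"IPSec", "EFS"}             # the last policy applied replaces the whole category
DOMAIN_ONLY = {"Account Policies"}          # honoured for domain accounts only when linked at the Domain


def application_order(scopes):
    """Flatten scopes (given in LSDOU order) into the sequence of GPOs as applied.

    Each scope is (scope_type, gpo_list) with gpo_list in the order shown on the
    Group Policy tab, top entry first.  Within one list the bottom entry is applied
    first and the top entry last, so the top entry wins any conflict.
    Returns a list of (scope_type, gpo_name).
    """
    order = []
    for scope_type, gpo_list in scopes:
        if scope_type not in LSDOU:
            raise ValueError(f"unknown scope type {scope_type!r}")
        order.extend((scope_type, gpo) for gpo in reversed(gpo_list))
    return order


def effective_settings(scopes, gpo_settings, domain_account=True):
    """Fold the GPOs into one settings map for a single node (Computer or User).

    gpo_settings maps GPO name -> {category: {setting: value}}.  Later GPOs override
    earlier ones setting by setting, except that IPSec/EFS are replaced wholesale and
    Account Policies set at Site or OU level are ignored for domain accounts.
    """
    result = {}
    for scope_type, gpo in application_order(scopes):
        for category, values in gpo_settings.get(gpo, {}).items():
            if category in DOMAIN_ONLY and domain_account and scope_type != "Domain":
                continue                          # Site/OU account policies are ignored
            if category in NON_ADDITIVE:
                result[category] = dict(values)   # not additive: last one wins in full
            else:
                result.setdefault(category, {}).update(values)
    return result


def combine_nodes(computer, user):
    """Where Computer and User settings overlap, the Computer policy wins."""
    merged = {cat: dict(vals) for cat, vals in user.items()}
    for cat, vals in computer.items():
        merged.setdefault(cat, {}).update(vals)
    return merged


# Constructed scenario: the Human Resources OU from the text, with its three GPOs
# listed top-first as the Group Policy tab would show them.
SCOPES = [
    ("Local", ["Local Computer Policy"]),
    ("Site", ["Site Baseline"]),
    ("Domain", ["Default Domain Policy"]),
    ("OU", ["No ScreenSaver", "No Display Settings", "No Windows Update"]),
]

GPO_SETTINGS = {
    "Local Computer Policy": {"Administrative Templates": {"DisableDisplayCPL": False}},
    "Site Baseline": {"IPSec": {"policy": "Server (Request Security)", "rules": 3},
                      "Account Policies": {"MinimumPasswordLength": 6}},
    "Default Domain Policy": {"Account Policies": {"MinimumPasswordLength": 8}},
    "No Windows Update": {"Administrative Templates": {"DisableWindowsUpdate": True}},
    "No Display Settings": {"Administrative Templates": {"DisableDisplayCPL": True},
                            "IPSec": {"policy": "Client (Respond Only)"},
                            "Account Policies": {"MinimumPasswordLength": 12}},
    "No ScreenSaver": {"Administrative Templates": {"ScreenSaverActive": False}},
}

if __name__ == "__main__":
    print("applied in order:", [gpo for _, gpo in application_order(SCOPES)])
    print("domain account:", effective_settings(SCOPES, GPO_SETTINGS))
    print("local account: ", effective_settings(SCOPES, GPO_SETTINGS, domain_account=False))
```

Note how the OU GPO's IPSec entry drops the site's "rules" key entirely, while its Administrative Templates entries merge with everything applied before it.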

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and, under the Disable column, double click - a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do the group policy scripts run?

Startup scripts are processed at computer bootup and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When does the group policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could be 60, 90 or 120 minutes. For DCs (Domain Controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under Computer and User Nodes, Administrative Templates, System, Group Policy.

Q9. Which are the policies which do not get affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup, Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy - to refresh the user policies
secedit /refreshpolicy machine_policy - to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user - to refresh the user policies
gpupdate /target:computer - to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which are the policies which get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12. Which are the policies which do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under Computer and User Nodes, Administrative Templates, System, Group Policy.


If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

- Password Policy
- Account Lockout Policy
- Kerberos Policy

These three policies can only be set at the domain level. If you set these policies anywhere else (site or OU), they are ignored. However, setting these three policies at the OU level will have the effect of setting them for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are three policies that are affected by the Default Domain Policy:

- Automatically log off users when logon time expires
- Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
- Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.


Q14. How do you restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controllers Security Policy. You can specify Domain or DC instead of Both to restore only one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: when you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: you can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
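The processing order and both exceptions as an added worked model (example code, not from the original page): a small Python resolver applies the Local, Site, Domain and OU GPOs in order, honours Block Inheritance and No Override, and reports which GPO supplied each effective setting. The containers, GPO names and settings below are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict              # setting name -> value
    no_override: bool = False   # the "No Override" (Enforced) option on the link


@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)   # GPOs in the order they are processed
    block_inheritance: bool = False            # the "Block Inheritance" option


LOCAL = -1   # pseudo-level for the local GPO, processed before any container


def resolve_policy(local_gpo, chain):
    """Effective settings for an object whose containers, top down, are
    `chain` (site, domain, OU, child OU, ...).  Returns
    {setting: (value, name of the GPO that supplied it)}.

    Rules modelled from the text: later levels override conflicting settings
    from earlier levels; Block Inheritance discards settings inherited from
    parent containers except those from No Override GPOs; a No Override GPO
    cannot be overridden by child containers, and when two No Override GPOs
    conflict the one linked higher up wins.
    """
    effective = {}   # setting -> (value, gpo name, level that set it)
    enforced = []    # (level, gpo) for every No Override GPO encountered

    def apply(gpo, level):
        for key, value in gpo.settings.items():
            effective[key] = (value, gpo.name, level)

    apply(local_gpo, LOCAL)                      # 1. local GPO
    for level, container in enumerate(chain):    # 2. site, 3. domain, 4. OUs
        if container.block_inheritance:
            # Drop everything inherited from parent containers. The local GPO
            # is not a parent container, so this model leaves it in place.
            effective = {k: v for k, v in effective.items() if v[2] == LOCAL}
        for gpo in container.gpos:
            if gpo.no_override:
                enforced.append((level, gpo))    # applied last, see below
            else:
                apply(gpo, level)
    # No Override GPOs are applied after everything else, lowest level first,
    # so that the highest-level one has the final word on any conflict.
    for level, gpo in sorted(enforced, key=lambda item: item[0], reverse=True):
        apply(gpo, level)
    return {k: (v[0], v[1]) for k, v in effective.items()}


# Constructed example objects (not from the page).
LOCAL_GPO = GPO("Local Computer Policy",
                {"screensaver_timeout": 600, "wallpaper": "local.jpg"})
SITE = Container("Site HQ", [GPO("Site Screensaver", {"screensaver_timeout": 900})])
DOMAIN = Container("corp.example", [
    GPO("Audit Baseline", {"audit_logon_events": "Success,Failure"}),
    GPO("Corp Branding", {"wallpaper": "corp.jpg"}, no_override=True),
])
SALES_OU = Container("OU=Sales", [
    GPO("Sales Desktop", {"wallpaper": "sales.jpg", "screensaver_timeout": 300}),
], block_inheritance=True)
HR_OU = Container("OU=HR", [GPO("HR Desktop", {"wallpaper": "hr.jpg"})])

if __name__ == "__main__":
    for ou in (SALES_OU, HR_OU):
        print(ou.name)
        result = resolve_policy(LOCAL_GPO, [SITE, DOMAIN, ou])
        for key, (value, source) in sorted(result.items()):
            print(f"  {key} = {value!r}   (from {source})")
```

For the Sales OU the block drops the site and domain settings, yet the No Override branding still wins over the OU's own wallpaper.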

Q16. How do you redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

- Editing GPOs linked to sites requires Enterprise Administrative permissions.
- Editing GPOs linked to domains requires Domain Administrative permissions.
- Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

- Windows 95/98/Me do not support Group Policy.
- Windows NT 4.0 and earlier versions do not support Group Policy.
- Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.
- Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


2. Aliases or Canonical Name Records (CNAME)

"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical, or official, name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

www.foobarbaz.com. IN CNAME eric.foobarbaz.com.

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.

You can add A or CNAME records for the service name pointing to the machines you want to load balance.

3. Mail Exchange Records (MX)

"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts, since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:

foobarbaz.com. IN MX 10 eric.foobarbaz.com.

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number "10", is different from the normal DNS record format: it is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

6.1.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse for the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com. IN NS draven.foobarbaz.com.

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; then each part of it will be explained:

foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
        1996111901   ; Serial
        10800        ; Refresh
        3600         ; Retry
        3600000      ; Expire
        86400 )      ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on its own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed.

Also a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.

Quick Summary of the major records in DNS

Record Type - Definition

Host (A) - Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME) - Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Name Servers (NS) - Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR) - Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX) - Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zones in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8. Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.


Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities onto your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.
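A simulation of the resolution steps just described, added here and not part of the original page: a server that holds a stub zone answers a recursive query by querying the servers named in the stub zone's NS and glue records, caches what it gets back by TTL without writing it into the stub zone, and falls back to root hints when no stub zone covers the name. The zone, the addresses and the in-memory "network" are constructed, and recursion from the root hints is collapsed to a single step.

```python
class StubZoneServer:
    """DNS server hosting stub zones, with root hints and a TTL-based cache."""

    def __init__(self, stub_zones, root_hints, network):
        self.stub_zones = stub_zones   # zone -> {"soa": ..., "ns": [...], "glue": {ns: ip}}
        self.root_hints = root_hints   # IPs of root servers
        self.network = network         # ip -> {qname: (type, rdata, ttl)}; a fake wire
        self.cache = {}                # qname -> (answer, expiry time)
        self.queries_sent = 0          # iterative queries put on the "wire"

    def _iterative_query(self, server_ip, qname):
        self.queries_sent += 1
        return self.network.get(server_ip, {}).get(qname)

    def _stub_zone_for(self, qname):
        """Longest stub zone whose name is a suffix of qname, if any."""
        matches = [z for z in self.stub_zones if qname == z or qname.endswith("." + z)]
        return max(matches, key=len) if matches else None

    def _remember(self, qname, answer, now):
        # Answers are cached for their own TTL; the stub zone itself keeps
        # only its SOA, NS and glue A records and is never written here.
        self.cache[qname] = (answer, now + answer[2])

    def resolve(self, qname, now):
        """Answer a client's recursive query. Returns (answer, how it was found)."""
        if qname in self.cache and self.cache[qname][1] > now:
            return self.cache[qname][0], "cache"
        zone = self._stub_zone_for(qname)
        if zone is not None:
            stub = self.stub_zones[zone]
            # Use the stub zone's NS records (with their glue) the way cached
            # NS records would be used: send an iterative query to each.
            for ns in stub["ns"]:
                ip = stub["glue"].get(ns)
                answer = self._iterative_query(ip, qname) if ip else None
                if answer is not None:
                    self._remember(qname, answer, now)
                    return answer, f"stub zone {zone} via {ns}"
        # No stub zone, or none of its servers answered: standard recursion
        # from the root hints (collapsed to a single step in this simulation).
        for ip in self.root_hints:
            answer = self._iterative_query(ip, qname)
            if answer is not None:
                self._remember(qname, answer, now)
                return answer, "root hints"
        return None, "no answer"


# Constructed data: one stub zone for a partner namespace and a fake network.
STUB_ZONES = {
    "partner.example.": {
        "soa": "ns1.partner.example. hostmaster.partner.example.",
        "ns": ["ns1.partner.example."],
        "glue": {"ns1.partner.example.": "192.0.2.53"},
    }
}
NETWORK = {
    "192.0.2.53":   {"www.partner.example.": ("A", "192.0.2.80", 300)},   # ns1.partner.example.
    "198.51.100.1": {"www.other.example.": ("A", "198.51.100.80", 60)},   # reached via root hints
}


def make_server():
    return StubZoneServer(STUB_ZONES, ["198.51.100.1"], NETWORK)


if __name__ == "__main__":
    server = make_server()
    for name, t in (("www.partner.example.", 0), ("www.partner.example.", 100),
                    ("www.partner.example.", 400), ("www.other.example.", 0)):
        print(t, name, *server.resolve(name, t))
```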

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.


Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server kicks off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers, or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be set up. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. both local queries directly from local users and
> also queries from external DNS servers, do. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?

> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                 |
>                 |
>         -----------------
>         |               |
> ----------------   --------------
> |    DNS 1     |   |    DNS 2   |
> ----------------   --------------
>    1.1.1.1            1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.11.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.11.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.11.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 11.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www  cname 192.168.0.1
> mail cname 192.168.0.1
> pop  cname 192.168.0.1
> smtp cname 192.168.0.1


These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example:

www CNAME foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm very much wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit in the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation of NS record numbers
> in the DNS packet is specified by certain RFCs, or it is just Internet policy stuff.
>
> Which one is the proper reason?


It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the five FSMO roles?

- Schema Master (forest level): one per forest
- Domain Naming Master (forest level): one per forest
- PDC Emulator (domain level): one per domain
- RID Master (domain level): one per domain
- Infrastructure Master (domain level): one per domain

Q2. What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain the PDC emulator role holder performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.

- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.

- Account lockout is processed on the PDC emulator.

- Time synchronization for the domain.

- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in the domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a domain controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes, moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are.

Note: According to MS, the Domain Naming master needs to be on a Global Catalog server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain.

Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog server rule above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another, as well as to a Global Catalog server.

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group

RID Master: member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out which servers in your domain/forest hold which server roles


1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).


2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the support tools you can open up a blank Microsoft Management Console (Start > Run > mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.


5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start > Programs > Windows 2000 Support Tools. Once open, click Edit > Add Monitored Server and add the name of a domain controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

- Command-line tool to query for the current FSMO role holders

- Part of the Microsoft Windows 2000 Server Resource Kit

- Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

- Prints to the screen the current FSMO holders

- Calls NTDSUTIL to get this information

7. NLTEST

- Command-line tool to perform common network administrative tasks

- Type "nltest /?" for syntax and switches

- Common uses:

  - Get a list of all DCs in the domain

  - Get the name of the PDC emulator

  - Query or reset the secure channel for a server

  - Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

- A simple utility to view information about AD and FSMO roles

- http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi
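The tools above answer "who holds which role" one domain at a time. The following PowerShell is an added example, not part of the original FAQ or any of the tools it lists: it enumerates every FSMO holder in the forest with the ActiveDirectory module (the counterpart of netdom query fsmo) and then checks the placement rules from Q6 (Schema and Domain Naming Master on a Global Catalog, Infrastructure Master not on a Global Catalog in a multi-domain forest, PDC Emulator and RID Master together). It assumes the RSAT ActiveDirectory module is installed and the session has read access to the forest.

```powershell
# Added example, not from the original FAQ: list every FSMO holder in the forest
# (the PowerShell counterpart of "netdom query fsmo") and check the placement
# rules from Q6. Requires the ActiveDirectory module (RSAT) and read access to AD.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    $forest = Get-ADForest
    $gcs    = @($forest.GlobalCatalogs)            # FQDNs of every GC in the forest
    $multi  = ($forest.Domains.Count -gt 1)
    $rows   = @()

    # Forest-wide roles come from Get-ADForest ...
    $rows += [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    $rows += [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    # ... domain-wide roles from Get-ADDomain, once per domain.
    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName
        $rows += [pscustomobject]@{ Scope = $domainName; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
        $rows += [pscustomobject]@{ Scope = $domainName; Role = 'RIDMaster';            Holder = $d.RIDMaster }
        $rows += [pscustomobject]@{ Scope = $domainName; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
        if ($d.PDCEmulator -ne $d.RIDMaster) {
            Write-Warning "$domainName : PDC Emulator ($($d.PDCEmulator)) and RID Master ($($d.RIDMaster)) are on different DCs (Q6 recommends the same server)."
        }
    }

    foreach ($r in $rows) {
        $isGc = $gcs -contains $r.Holder
        # Placement rules from Q6; anything else gets no warning.
        $warning = switch ($r.Role) {
            'SchemaMaster'         { if (-not $isGc) { 'not on a Global Catalog' } }
            'DomainNamingMaster'   { if (-not $isGc) { 'not on a Global Catalog' } }
            'InfrastructureMaster' { if ($isGc -and $multi) { 'on a Global Catalog in a multi-domain forest' } }
            default                { $null }
        }
        $r | Add-Member -NotePropertyName IsGlobalCatalog -NotePropertyValue $isGc
        $r | Add-Member -NotePropertyName Warning         -NotePropertyValue $warning
    }
    return $rows
}

Get-FsmoPlacementReport | Format-Table Scope, Role, Holder, IsGlobalCatalog, Warning -AutoSize
```

The Warning column is empty for a layout that follows Q6; a single-domain forest produces no Infrastructure Master warning, matching the FAQ's note that the rule does not apply there.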

Q9. How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
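The distinction the KB article draws is between a transfer, which needs the current holder online so the role changes hands cleanly, and a seizure, which does not and is therefore only safe when the old holder will never come back. The following PowerShell is an added example, not from the original FAQ or the KB article: it checks reachability of the current holder before calling Move-ADDirectoryServerOperationMasterRole, and only passes -Force (a seizure) when the caller explicitly asks for one. It assumes the ActiveDirectory module, the group memberships from Q7, and that $TargetDC is given as the DC's fully qualified name (placeholder).

```powershell
# Added example, not from the original FAQ or the KB article: transfer FSMO roles,
# or seize them only when the current holder is permanently gone. Requires the
# ActiveDirectory module and the group memberships listed in Q7. $TargetDC is a
# placeholder for the FQDN of the DC that should hold the roles afterwards.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize      # bypasses the handshake with the current holder
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain          # the domain this session is logged on to
    $current = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($r in $Role) {
        $holder = $current[$r]
        if ($holder -ieq $TargetDC) { Write-Warning "$TargetDC already holds $r"; continue }
        $reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
        # A transfer needs the current holder online so the role changes hands cleanly.
        # A seizure does not, which is exactly why it must be reserved for a holder
        # that will never return: two DCs believing they hold the same role is the
        # failure mode the transfer handshake exists to prevent.
        if (-not $reachable -and -not $Seize) {
            throw "$r holder $holder is unreachable; a transfer would fail. Use -Seize only if it is permanently lost."
        }
        if ($reachable -and $Seize) {
            throw "$r holder $holder is reachable; transfer it instead of seizing."
        }
        Write-Host "$r : $holder -> $TargetDC ($(if ($Seize) { 'seize' } else { 'transfer' }))"
    }

    # -Force turns the transfer into a seizure.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force:$Seize -Confirm:$false

    # Verify the same way the FAQ does with "netdom query fsmo".
    Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
    Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
}

# Usage (placeholder DC name): a planned transfer of the two forest-wide roles.
# Move-FsmoRole -TargetDC 'dc2.example.com' -Role SchemaMaster, DomainNamingMaster
```

Get-ADDomain returns the current session's domain, so the three domain-wide roles are looked up for that domain only; for another domain, run the function from a session logged on to it.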


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by domain policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a domain, and these policies are configured on domain controllers. You can access domain Group Policies by opening Active Directory Sites and Services (these policies apply to the site level only) or Active Directory Users and Computers (these policies apply to the domain and/or Organizational Units).

Q3. Where do you create a Group Policy?

To create a domain Group Policy Object, open Active Directory Sites and Services, right click Default-First-Site-Name (or another site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the site level, the domain level or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: local policies first, then site based policies, then domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, domains and OUs are considered container objects.

Computer and user Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies.

Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the computer policies are applied. When users log in, the user policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6. How to disable Group Policy Objects

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double click under the Disable column - a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer bootup, before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called background refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could be 60, 90 or 120 minutes. For DCs (domain controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.
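The Administrative Templates settings named above are stored as registry values under the Policies hive, so a computer's effective refresh window can be read back rather than assumed. The following PowerShell is an added example, not part of the original FAQ: it reads those values (GroupPolicyRefreshTime and GroupPolicyRefreshTimeOffset, with the DC variants for domain controllers; these value names are the ones I know from the Group Policy templates and are an assumption of this example), falls back to the defaults the FAQ gives when no policy is set, and reports the window as the FAQ describes it (base +/- offset).

```powershell
# Added example, not from the original FAQ: read the background refresh interval
# a computer is actually using. The policy values live under the
# HKLM/HKCU ...\Policies\Microsoft\Windows\System keys (value names assumed from the
# Group Policy templates); when absent, the defaults from Q8 apply
# (90 +/- 30 minutes for members, 5 minutes for domain controllers).
function Get-GroupPolicyRefreshWindow {
    param([ValidateSet('Machine','User')][string]$Scope = 'Machine')

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDc = ((Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4)

    if ($Scope -eq 'Machine') {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        if ($isDc) { $nameBase = 'GroupPolicyRefreshTimeDC'; $nameOffset = 'GroupPolicyRefreshTimeOffsetDC'; $defBase = 5;  $defOffset = 0 }
        else       { $nameBase = 'GroupPolicyRefreshTime';   $nameOffset = 'GroupPolicyRefreshTimeOffset';   $defBase = 90; $defOffset = 30 }
    } else {
        # user policy refresh is configured per user and has no separate DC variant
        $key = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System'
        $nameBase = 'GroupPolicyRefreshTime'; $nameOffset = 'GroupPolicyRefreshTimeOffset'; $defBase = 90; $defOffset = 30
    }

    $props  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $base   = if ($null -ne $props.$nameBase)   { [int]$props.$nameBase }   else { $defBase }
    $offset = if ($null -ne $props.$nameOffset) { [int]$props.$nameOffset } else { $defOffset }

    [pscustomobject]@{
        Scope              = $Scope
        IsDomainController = $isDc
        Source             = if ($null -ne $props.$nameBase) { 'policy' } else { 'default' }
        BaseMinutes        = $base
        OffsetMinutes      = $offset
        # window as the FAQ describes it: base +/- offset
        EarliestMinutes    = [Math]::Max(0, $base - $offset)
        LatestMinutes      = $base + $offset
    }
}

Get-GroupPolicyRefreshWindow -Scope Machine
Get-GroupPolicyRefreshWindow -Scope User
```

A Source of "policy" with an unusually long interval is worth a second look during an audit: a refresh that never happens means a corrected setting never reaches the machine until the next boot or logon.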

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

- Folder Redirection

- Software Installation

- Logon, Logoff, Startup and Shutdown Scripts

Q9. How to refresh Group Policies using the command line

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:machine (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Windows 2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

- Administrative Templates

- Security Settings

- EFS Recovery

- IPSec

Q12. Which policies do not get applied over slow links?

- IE Maintenance Settings

- Folder Redirection

- Scripts

- Disk Quota settings

- Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.


If the user connects to the domain using "Logon using dial-up connection" from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

- Password Policy

- Account Lockout Policy

- Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (site or OU), they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

- Automatically log off users when logon time expires

- Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only

- Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to default

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.
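dcgpofix rewrites the two default GPOs in place and has no undo, so anything that was customised in them (the account policies Q13 says belong only there, for instance) is lost unless a copy exists. The following PowerShell is an added example, not part of the original FAQ: it takes a Backup-GPO copy of each default GPO, runs dcgpofix with the chosen target and the optional /ignoreschema switch described above, and shows the resulting modification times. It assumes the GroupPolicy module, a domain controller of the target domain, and a placeholder backup path.

```powershell
# Added example, not from the original FAQ: back up the default GPOs before running
# dcgpofix, because dcgpofix overwrites them in place and offers no undo.
# Run on a domain controller of the target domain. $BackupPath is a placeholder.
Import-Module GroupPolicy

function Reset-DefaultGpoWithBackup {
    param(
        [ValidateSet('Domain','DC','Both')][string]$Target = 'Both',
        [string]$BackupPath = 'C:\GPOBackups',
        [switch]$IgnoreSchema     # maps to /ignoreschema for the dc1/dc2 case above
    )
    if (-not (Test-Path $BackupPath)) { New-Item -ItemType Directory -Path $BackupPath | Out-Null }

    $names = switch ($Target) {
        'Domain' { @('Default Domain Policy') }
        'DC'     { @('Default Domain Controllers Policy') }
        'Both'   { @('Default Domain Policy', 'Default Domain Controllers Policy') }
    }

    foreach ($n in $names) {
        $b = Backup-GPO -Name $n -Path $BackupPath -Comment "before dcgpofix /target:$Target"
        Write-Host "Backed up '$n' as backup id $($b.Id)"
    }

    # dcgpofix prompts for confirmation on the console before it rewrites anything.
    $dcgpofixArgs = @("/target:$Target")
    if ($IgnoreSchema) { $dcgpofixArgs += '/ignoreschema' }
    & dcgpofix.exe @dcgpofixArgs
    if ($LASTEXITCODE -ne 0) { throw "dcgpofix exited with code $LASTEXITCODE" }

    # The restored GPOs carry a fresh modification time; compare against the backup.
    foreach ($n in $names) { Get-GPO -Name $n | Select-Object DisplayName, ModificationTime, Id }
}

# Usage:
# Reset-DefaultGpoWithBackup -Target Both
# Undo, if needed, from the backup taken above:
# Restore-GPO -Name 'Default Domain Policy' -Path 'C:\GPOBackups'
```

Keeping the backup outside the SYSVOL tree matters: a backup stored where dcgpofix or replication can touch it is not a backup.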

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
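The ordering rules in Q5 and "Resolving GPOs from Multiple Sources" and the two exceptions above combine into one precedence algorithm, and it is easier to reason about when it can be run against a constructed scenario. The following PowerShell is an added example, not part of the original FAQ: an offline model that applies the local GPO first, then the site, domain and OU links root to leaf (bottom of each Group Policy tab list first, top last), drops non-enforced links above a container that blocks inheritance, and applies No Override (enforced) links last with the root-most one winning. The containers, GPO names and setting names are constructed for the example; the Human Resources OU and its three GPOs mirror the one described under Q5.

```powershell
# Added example, not from the original FAQ: an offline model of how a client
# resolves GPOs. It implements the order described in Q5 and "Resolving GPOs
# from Multiple Sources" (local, then site, domain, OU, nested OU; within one
# container the bottom of the Group Policy tab list is applied first and the top
# last) plus the two exceptions from Q15. Container and setting names are constructed.
function Resolve-GpoSettings {
    param(
        [hashtable]$LocalSettings = @{},              # local GPO, never blocked
        [Parameter(Mandatory)][object[]]$Chain        # AD containers, root first: site, domain, OU, nested OU
    )
    # Block Inheritance on a container drops every non-enforced GPO linked above it.
    $lastBlock = -1
    for ($i = 0; $i -lt $Chain.Count; $i++) { if ($Chain[$i].BlockInheritance) { $lastBlock = $i } }

    $applyOrder = @()
    # Pass 1: ordinary links, root to leaf; bottom of each list first so the top wins.
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        if ($i -lt $lastBlock) { continue }
        $links = @($Chain[$i].Links)
        for ($j = $links.Count - 1; $j -ge 0; $j--) {
            if (-not $links[$j].Enforced -and -not $links[$j].Disabled) { $applyOrder += $links[$j] }
        }
    }
    # Pass 2: enforced (No Override) links, leaf to root, ignoring Block Inheritance,
    # so the one linked closest to the root is applied last and wins.
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {
        $links = @($Chain[$i].Links)
        for ($j = $links.Count - 1; $j -ge 0; $j--) {
            if ($links[$j].Enforced -and -not $links[$j].Disabled) { $applyOrder += $links[$j] }
        }
    }

    # Last writer wins per setting (the FAQ's "last policy applied" rule); keep the source.
    $result = [ordered]@{}
    foreach ($k in $LocalSettings.Keys) { $result[$k] = [pscustomobject]@{ Value = $LocalSettings[$k]; From = 'Local GPO' } }
    foreach ($link in $applyOrder) {
        foreach ($k in $link.Settings.Keys) { $result[$k] = [pscustomobject]@{ Value = $link.Settings[$k]; From = $link.Name } }
    }
    return $result
}

# Constructed scenario: the Human Resources OU from the FAQ (three GPOs, "No ScreenSaver"
# at the top of its list) blocks inheritance, while the domain has an enforced GPO.
$chain = @(
    @{ Name = 'Default-First-Site-Name'; BlockInheritance = $false; Links = @(
        @{ Name = 'Site Proxy'; Enforced = $false; Disabled = $false; Settings = @{ ProxyServer = 'proxy.site.example' } }) },
    @{ Name = 'example.com'; BlockInheritance = $false; Links = @(
        @{ Name = 'Corporate Security';    Enforced = $true;  Disabled = $false; Settings = @{ ScreenSaverTimeout = 900; RemovableStorage = 'Deny' } },
        @{ Name = 'Default Domain Policy'; Enforced = $false; Disabled = $false; Settings = @{ MinPasswordLength = 8; ScreenSaverTimeout = 600 } }) },
    @{ Name = 'OU=Human Resources'; BlockInheritance = $true; Links = @(
        @{ Name = 'No ScreenSaver';      Enforced = $false; Disabled = $false; Settings = @{ ScreenSaverTimeout = 300 } },
        @{ Name = 'No Display Settings'; Enforced = $false; Disabled = $false; Settings = @{ DisplayCpl = 'Disabled' } },
        @{ Name = 'No Windows Update';   Enforced = $false; Disabled = $false; Settings = @{ WindowsUpdate = 'Disabled' } }) }
)
$effective = Resolve-GpoSettings -LocalSettings @{ ScreenSaverTimeout = 60; WindowsUpdate = 'Enabled' } -Chain $chain
$effective.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Setting = $_.Key; Value = $_.Value.Value; From = $_.Value.From } } |
    Format-Table -AutoSize
```

For the constructed scenario the model reports ScreenSaverTimeout = 900 from Corporate Security (enforced at the domain, so it beats both the local value and the OU's No ScreenSaver GPO), RemovableStorage = Deny from the same enforced GPO, WindowsUpdate = Disabled and DisplayCpl = Disabled from the OU GPOs, and no ProxyServer or MinPasswordLength at all, because the site GPO and the non-enforced Default Domain Policy were blocked by the OU's Block Inheritance.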

Q16. How to redirect new user and computer accounts

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircmp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.
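The order of operations matters here: the GPO should already be linked to the target OU before the redirection is switched, so that the first account created after the change is covered. The following PowerShell is an added example, not from the original FAQ or KB 324949: it checks that both OUs exist, links the GPOs with New-GPLink, runs redirusr and redircmp, and then reads the well-known container locations back through Get-ADDomain to confirm the redirection took. It assumes the ActiveDirectory and GroupPolicy modules, Domain Admin rights, and the domain functional level the two tools require; the OU distinguished names and GPO names are placeholders.

```powershell
# Added example, not from the original FAQ or KB 324949: link a GPO to the target
# OUs, redirect new accounts there, and confirm the redirection took. Needs the
# ActiveDirectory and GroupPolicy modules, Domain Admin rights, and (for redirusr/
# redircmp) the Windows Server 2003 domain functional level or later. OU and GPO
# names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Set-NewAccountRedirection {
    param(
        [Parameter(Mandatory)][string]$UserOU,       # e.g. 'OU=New Users,DC=example,DC=com'
        [Parameter(Mandatory)][string]$ComputerOU,   # e.g. 'OU=New Computers,DC=example,DC=com'
        [string]$UserGpo,                            # GPO to link to $UserOU (optional)
        [string]$ComputerGpo                         # GPO to link to $ComputerOU (optional)
    )
    # Fail early if either OU does not exist; redirusr would otherwise fail with a less clear error.
    foreach ($ou in @($UserOU, $ComputerOU)) {
        Get-ADOrganizationalUnit -Identity $ou -ErrorAction Stop | Out-Null
    }
    # Link the GPOs first, so the very first account created in the OU already gets them.
    if ($UserGpo)     { New-GPLink -Name $UserGpo     -Target $UserOU     -LinkEnabled Yes -ErrorAction Stop | Out-Null }
    if ($ComputerGpo) { New-GPLink -Name $ComputerGpo -Target $ComputerOU -LinkEnabled Yes -ErrorAction Stop | Out-Null }

    & redirusr.exe $UserOU
    & redircmp.exe $ComputerOU

    # Get-ADDomain exposes the well-known container locations, which is what the two tools change.
    $d = Get-ADDomain
    [pscustomobject]@{
        UsersContainer      = $d.UsersContainer
        ComputersContainer  = $d.ComputersContainer
        UsersRedirected     = ($d.UsersContainer -eq $UserOU)
        ComputersRedirected = ($d.ComputersContainer -eq $ComputerOU)
    }
}

# Usage (placeholders):
# Set-NewAccountRedirection -UserOU 'OU=New Users,DC=example,DC=com' -ComputerOU 'OU=New Computers,DC=example,DC=com' -UserGpo 'New User Lockdown'
```

The two Redirected flags are the actual check: if either is false after the run, new accounts are still landing in a container no GPO can be linked to.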

Q17 What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18 What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called "in-addr.arpa".

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be; note that a PTR record is controlled by whoever runs the reverse zone, so a careful service also checks that the name it gets back has an A record pointing to the same address. In-addr.arpa records look as such:

613636.in-addr.arpa IN PTR eric.foobarbaz.com

As you can see from the example A record at the beginning of this document, the record simply has the IP address in reverse, with the host name in the last column.

A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple: they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

foobarbaz.com. IN NS draven.foobarbaz.com.

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

6. Start Of Authority Records (SOA)

The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record; each part of it is explained below.

foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
        1996111901  ; Serial
        10800       ; Refresh
        3600        ; Retry
        3600000     ; Expire
        86400 )     ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar: the "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address if you substitute a "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on their own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache or save this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
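The following is an added Python example, not code from this page, that parses an SOA record in the zone-file syntax shown above and applies the fields the text describes: the RNAME-to-email conversion, a YYYYMMDDNN serial bump that can never go backwards, and the refresh/retry/expire decision a secondary makes. The record text is reconstructed from the foobarbaz.com sample; the secondary-server state fed to secondary_action() is constructed.

```python
"""Parse a BIND-style SOA record and apply its serial and timer fields.

Added example; it is not code from the original page. The record text is
reconstructed from the foobarbaz.com sample above, and the secondary-server
state used in secondary_action() is constructed.
"""
import re
from dataclasses import dataclass

SOA_TEXT = """
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
        1996111901 ; Serial
        10800      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
"""


@dataclass
class SOA:
    zone: str
    primary: str     # MNAME: primary name server
    contact: str     # RNAME: responsible person, in domain-name form
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

    @property
    def contact_email(self):
        # The first '.' of the RNAME stands in for '@'
        return self.contact.rstrip(".").replace(".", "@", 1)


def parse_soa(text):
    """Parse one SOA record written in zone-file syntax, comments allowed."""
    body = re.sub(r";[^\n]*", "", text)                # strip ; comments
    tokens = body.replace("(", " ").replace(")", " ").split()
    # expected: zone IN SOA mname rname serial refresh retry expire minimum
    if len(tokens) != 10 or tokens[1:3] != ["IN", "SOA"]:
        raise ValueError("not a single SOA record")
    zone, mname, rname = tokens[0], tokens[3], tokens[4]
    serial, refresh, retry, expire, minimum = (int(t) for t in tokens[5:])
    return SOA(zone, mname, rname, serial, refresh, retry, expire, minimum)


def next_serial(current, today):
    """Bump a YYYYMMDDNN serial for a change made on `today` (an int such as
    19961119). The result is always greater than `current`, because
    secondaries only transfer when the primary's serial is higher."""
    candidate = today * 100              # first change of the day -> NN = 00
    if candidate <= current:
        candidate = current + 1          # same day (or clock went backwards)
    return candidate


def secondary_action(soa, since_success, since_attempt, last_failed):
    """What a secondary should do, given seconds since its last successful
    refresh, seconds since its last attempt, and whether that attempt failed."""
    if since_success >= soa.expire:
        return "expire"                  # stop answering for the zone
    if last_failed:
        return "retry" if since_attempt >= soa.retry else "wait"
    return "refresh" if since_success >= soa.refresh else "wait"
```

The serial helper is worth a second look: if the serial is ever set lower than what the secondaries already hold, they will silently keep serving the old zone, which is why next_serial() falls back to current + 1 rather than trusting the date.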

Quick summary of the major records in DNS

Record Type: Definition

Host (A): Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME): Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS): Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR): Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5 What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6 Name the two zones in DNS

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7 How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings and a serial number (incremented with every update).

Q8 Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.


Q9 What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10 What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11 What does a stub zone consist of?

A stub zone consists of:

- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone.

Q12 How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13 What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure: if this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model. In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone. For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14 What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15 What is the default interval at which the DNS server kicks off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1 How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. F5's BIG-IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be set up. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. both local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?

> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                 |
>                 |
>         -----------------
>         |               |
> ----------------   --------------
> |    DNS 1     |   |   DNS 2    |
> ----------------   --------------
>     1.1.1.1            1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, is there any problem in running two Masters/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2 How does reverse mapping work?

> How can reverse lookup possibly work on the Internet? How can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
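The reverse-mapping walk just described, and the PTR section earlier on this page, can both be exercised with the following added Python example (not code from the original page). The address 161.114.1.206 and the name inmail.compaq.com come from the answer above; the delegation boundaries (a /8 held by the registry, a /24 held by the network owner) are an assumption that matches that example, and the two tiny zones at the bottom are constructed. forward_confirmed() is the extra check the PTR section hints at: the PTR answer is only trusted if the forward A record points back to the same address.

```python
"""Reverse mapping: from an IPv4 address to its in-addr.arpa name, the
delegation chain a resolver walks, and a forward/reverse consistency check.

Added example, not code from the original page. The address 161.114.1.206
and the name inmail.compaq.com come from the Q&A above; the delegation
boundaries (/8 for the registry, /24 for the network owner) are an
assumption matching that example, and the two sample zones are constructed.
"""
import ipaddress


def reverse_name(ip):
    """'161.114.1.206' -> '206.1.114.161.in-addr.arpa'"""
    addr = ipaddress.ip_address(ip)          # validates the address
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"


def delegation_chain(ip):
    """Zones a resolver is referred through, from the root down, assuming
    delegations at the /8 and /24 boundaries as in the Compaq example."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return [
        ".",
        octets[0] + ".in-addr.arpa",                         # registry (e.g. ARIN)
        ".".join(reversed(octets[:3])) + ".in-addr.arpa",    # network owner
        reverse_name(ip),                                    # the PTR owner name
    ]


def ptr_line(ip, hostname):
    """Zone-file PTR record for `ip`, with absolute (dot-terminated) names."""
    return f"{reverse_name(ip)}. IN PTR {hostname.rstrip('.')}."


def forward_confirmed(ip, forward_zone, reverse_zone):
    """True when the PTR for `ip` names a host whose A record points back to
    `ip`: the check a service should make before trusting a reverse lookup.
    Both zones are dicts of owner name -> rdata, with dot-terminated names."""
    host = reverse_zone.get(reverse_name(ip) + ".")
    if host is None:
        return False
    return forward_zone.get(host) == str(ipaddress.ip_address(ip))


# Constructed sample zones for the example above
REVERSE_ZONE = {"206.1.114.161.in-addr.arpa.": "inmail.compaq.com."}
FORWARD_ZONE = {"inmail.compaq.com.": "161.114.1.206"}

if __name__ == "__main__":
    for step in delegation_chain("161.114.1.206"):
        print(step)
    print(ptr_line("161.114.1.206", "inmail.compaq.com"))
    print(forward_confirmed("161.114.1.206", FORWARD_ZONE, REVERSE_ZONE))
```

The standard library also offers ipaddress.ip_address(...).reverse_pointer, which yields the same in-addr.arpa name; reverse_name() spells the inversion out so the octet reversal is visible.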


Q3 What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4 Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5 Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www  CNAME 192.168.0.1
> mail CNAME 192.168.0.1
> pop  CNAME 192.168.0.1
> smtp CNAME 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example:

www CNAME foo.example.

Q6 What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7 Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8 What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.
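The mailer behaviour from Q5 (MX records tried in ascending preference order, A record as the fallback only when no MX exists, CNAME targets must be names) and the 16-bit preference limit from Q8 are brought together in this added Python example, which is not code from the original page. The zone is constructed from the article's example names; check_zone() is the kind of sanity check a zone administrator would run before publishing.

```python
"""Mail routing from a zone's MX and A records, plus the checks a zone
administrator would want on MX preference and CNAME targets.

Added example, not code from the original page. The zone below is a
constructed one using the article's example names; the mailer behaviour
modelled is the one described in the Q&A: use MX records in ascending
preference order, and fall back to the A record only when no MX exists.
"""
import ipaddress

MAX_PREFERENCE = 65535    # MX preference is an unsigned 16-bit value

# Constructed zone: (owner, type, rdata); MX rdata is (preference, exchange)
ZONE = [
    ("foo.example.",        "A",     "10.0.0.1"),
    ("mail.foo.example.",   "A",     "10.0.0.2"),
    ("backup.foo.example.", "A",     "10.0.0.3"),
    ("foo.example.",        "MX",    (10, "mail.foo.example.")),
    ("foo.example.",        "MX",    (20, "backup.foo.example.")),
    ("www.foo.example.",    "CNAME", "foo.example."),
]


def mail_targets(domain, zone):
    """Hosts a mailer tries for `domain`, in order. Lower preference first;
    equal preferences keep zone order here (real mailers randomise them).
    Falls back to the domain's own A record when there is no MX at all."""
    mx = sorted((rdata[0], rdata[1]) for owner, rtype, rdata in zone
                if owner == domain and rtype == "MX")
    if mx:
        return [host for _, host in mx]
    has_a = any(owner == domain and rtype == "A" for owner, rtype, _ in zone)
    return [domain] if has_a else []


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_zone(zone):
    """Return a list of problems: MX preferences outside 0..65535, MX
    exchanges or CNAME targets that are IP addresses rather than names, and
    MX exchanges with no A record in the zone."""
    problems = []
    a_owners = {owner for owner, rtype, _ in zone if rtype == "A"}
    for owner, rtype, rdata in zone:
        if rtype == "MX":
            pref, exchange = rdata
            if not 0 <= pref <= MAX_PREFERENCE:
                problems.append(f"{owner}: MX preference {pref} out of range")
            if _is_ip(exchange):
                problems.append(f"{owner}: MX exchange must be a name, not {exchange}")
            elif exchange not in a_owners:
                problems.append(f"{owner}: no A record for MX exchange {exchange}")
        elif rtype == "CNAME" and _is_ip(rdata):
            problems.append(f"{owner}: CNAME target must be a name, not {rdata}")
    return problems


if __name__ == "__main__":
    print(mail_targets("foo.example.", ZONE))   # ['mail.foo.example.', 'backup.foo.example.']
    print(check_zone(ZONE))                      # []
```

Note that the fallback in mail_targets() only triggers when the domain has no MX record at all: once any MX exists, a backup mailer has to be listed as a second MX with a higher preference value, which is exactly why the Q5 answer says an A record alone cannot express a backup.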

Q9 Why are there only 13 root name servers?

> I'm very much wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit on the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation on the number of NS records
> in a DNS packet is specified by certain RFCs, or is it just Internet policy stuff?
> Which one is the proper reason?

It's a technical limitation: UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1 Which are the five FSMO roles?

Schema Master: forest level, one per forest
Domain Naming Master: forest level, one per forest
PDC Emulator: domain level, one per domain
RID Master: domain level, one per domain
Infrastructure Master: domain level, one per domain

Q2 What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema; once the schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3 What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs, and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4 Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5 Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6 Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog server rule above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners, and that they have high bandwidth connections to one another as well as to a Global Catalog server.
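The placement rules above can be turned into a check that is run against an inventory of role holders. The following is an added Python example, not code from the original page or from Microsoft; the forest description it is fed is constructed, and in a real forest the same facts would be gathered with netdom or the snap-ins described below. Only the Infrastructure Master versus Global Catalog rule in a multi-domain forest is reported as an error, since the text calls that one mandatory; the rest are recommendations and come back as warnings.

```python
"""Check FSMO role placement against the recommendations above.

Added example, not code from the original page. The forest description
passed in is constructed; in a real forest the same facts come from netdom
or the Active Directory snap-ins described later on this page.
"""

FOREST_ROLES = ("Schema Master", "Domain Naming Master")
DOMAIN_ROLES = ("PDC Emulator", "RID Master", "Infrastructure Master")


def check_placement(forest_roles, domains, global_catalogs, replication_partners):
    """forest_roles: {role: dc}; domains: {domain: {role: dc}};
    global_catalogs: set of DCs that are Global Catalog servers;
    replication_partners: set of frozenset({dc1, dc2}) pairs that replicate
    directly with each other.
    Returns (severity, message) tuples: 'error' for the rule the text calls
    mandatory, 'warning' for the recommendations."""
    findings = []
    holders = set(forest_roles.values())

    for role in FOREST_ROLES:
        if forest_roles[role] not in global_catalogs:
            findings.append(("warning", f"{role} on {forest_roles[role]} is not a Global Catalog"))
    if forest_roles["Schema Master"] != forest_roles["Domain Naming Master"]:
        findings.append(("warning", "Schema Master and Domain Naming Master are on different servers"))

    multi_domain = len(domains) > 1
    for domain, roles in domains.items():
        holders.update(roles.values())
        im = roles["Infrastructure Master"]
        if multi_domain and im in global_catalogs:
            findings.append(("error", f"{domain}: Infrastructure Master {im} is also a Global Catalog"))
        if roles["PDC Emulator"] != roles["RID Master"]:
            findings.append(("warning", f"{domain}: PDC Emulator and RID Master are on different servers"))

    # every pair of role holders should replicate directly
    for a in sorted(holders):
        for b in sorted(holders):
            if a < b and frozenset({a, b}) not in replication_partners:
                findings.append(("warning", f"{a} and {b} are not direct replication partners"))
    return findings


def demo():
    """Constructed two-domain forest: everything follows the guidance except
    that the child domain's Infrastructure Master sits on a Global Catalog."""
    forest = {"Schema Master": "dc1", "Domain Naming Master": "dc1"}
    domains = {
        "corp":  {"PDC Emulator": "dc1", "RID Master": "dc1", "Infrastructure Master": "dc2"},
        "child": {"PDC Emulator": "dc3", "RID Master": "dc3", "Infrastructure Master": "dc3"},
    }
    gcs = {"dc1", "dc3"}
    partners = {frozenset({"dc1", "dc2"}), frozenset({"dc1", "dc3"}), frozenset({"dc2", "dc3"})}
    return check_placement(forest, domains, gcs, partners)


if __name__ == "__main__":
    for severity, message in demo():
        print(severity, message)
```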

Q7 What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group
Domain Naming Master: member of the Enterprise Admins group
PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
RID Master: member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8 Tools to find out what servers in your domainforest hold what server roles

33

1 Active Directory Users and Computers- use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator RID Master Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles

Open Active Directory Users and Computers right click on the domain you want to view the FSMO roles for and click Operations Masters A dialog box (below) will open with three tabs one for each FSMO role Click each tab to see what server that role resides on To change the server roles you must first connect to the domain controller you want to move it to Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choose Connect to Domain Controller Once connected to the DC go back into the Operations Masters dialog box choose a role to move and click the Change buttonWhen you do connect to another DC you will notice the name of that DC will be in the field below the Change button (not in this graphic)

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as when viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree, and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right-clicking Active Directory Domains and Trusts at the top of the snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the Support Tools, you can open a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right-click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command-line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the five FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command-line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest /?" for syntax and switches.

Common uses:

Get a list of all DCs in the domain

Get the name of the PDC emulator

Query or reset the secure channel for a server

Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to Transfer and Seize a FSMO Role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all of this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users that are members of a domain, and these policies are configured on domain controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name (or another site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right-click the Domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type - Allowable Groups/Users

Site Level Group Policies - Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies - Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies - Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already-created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies - The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains, and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory; Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific; they only apply to the user that is logged on. When creating Domain Group Policies, you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable a node's policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and, under the Disable column, double-click; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Login scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could be at 60, 90, or 120 minutes. For DCs (Domain Controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection, Software Installation, Logon/Logoff/Startup/Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy - to refresh the user policies
secedit /refreshpolicy machine_policy - to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user - to refresh the user policies
gpupdate /target:machine - to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

These three policies can only be set at the domain level. If you set these policies anywhere else (Site or OU), they are ignored. However, setting these three policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are three policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.

Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: when you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: you can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
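As an added example (not code from the original document), the following Python models the precedence rules from Q5, the "Resolving GPOs from Multiple Sources" list, and Q15: Local, Site, Domain, OU order, bottom-to-top link order within one container, No Override and Block Inheritance. It goes one step beyond the page by ordering several No Override GPOs so that the one linked highest in the hierarchy wins, which is the documented Windows behaviour; the container and GPO names are constructed.

```python
"""Group Policy precedence simulation (added illustration, not from the
original document).  Models LSDOU order, bottom-to-top link order within a
container, No Override and Block Inheritance.  All names are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict  # policy name -> value (a real GPO carries many more)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False  # "No Override" (called Enforced in later versions)


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # as listed on the Group Policy tab, top first
    block_inheritance: bool = False


def processing_order(local_gpo, chain):
    """Return GPOs in the order they are applied (first applied first).

    chain lists the containers from the top of the hierarchy down:
    [site, domain, parent OU, ..., nearest OU].  The local GPO is always
    first; it is not inherited from a parent, so Block Inheritance leaves it.
    """
    normal = []    # ordinary links, accumulated top-down
    enforced = []  # No Override links, accumulated top-down
    for container in chain:
        if container.block_inheritance:
            normal = []  # drop everything inherited from parents, except No Override links
        for link in reversed(container.links):  # bottom of the list is applied first
            (enforced if link.no_override else normal).append(link.gpo)
    # No Override links are applied after every ordinary link, so they win over
    # child containers.  Among several, the one linked highest is applied last
    # (assumption: documented Windows behaviour, not stated on the page).
    return [local_gpo] + normal + list(reversed(enforced))


def resultant_settings(order):
    """Merge settings in processing order: a later GPO overrides an earlier one."""
    result = {}
    for gpo in order:
        result.update(gpo.settings)
    return result


def build_scenario(block_inheritance):
    """Constructed example: the page's Human Resources OU with its three GPOs,
    under a domain that links one ordinary GPO and one No Override GPO."""
    local = GPO("Local GPO", {"WindowsUpdate": "allow", "ScreenSaver": "allow"})
    site = Container("Default-First-Site-Name")
    domain = Container("example.test", links=[
        Link(GPO("Default Domain Policy", {"WindowsUpdate": "allow", "MinPasswordLength": 8})),
        Link(GPO("Security Baseline", {"ScreenSaver": "locked"}), no_override=True),
    ])
    hr = Container("Human Resources", block_inheritance=block_inheritance, links=[
        Link(GPO("No ScreenSaver", {"ScreenSaver": "deny"})),         # top of the list
        Link(GPO("No Display Settings", {"DisplaySettings": "deny"})),
        Link(GPO("No Windows Update", {"WindowsUpdate": "deny"})),    # bottom, applied first
    ])
    return local, [site, domain, hr]


def resolve(block_inheritance=True):
    """Names in apply order plus the resultant settings for the constructed scenario."""
    local, chain = build_scenario(block_inheritance)
    order = processing_order(local, chain)
    return [g.name for g in order], resultant_settings(order)


if __name__ == "__main__":
    names, settings = resolve()
    print(" -> ".join(names))
    print(settings)
```

With Block Inheritance set on the OU, the domain's ordinary GPO is dropped but the No Override one still applies last and overrides the OU's own ScreenSaver setting.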

Q16. How to Redirect New User and Computer Accounts

By default, new user and computer accounts are created in the Users and Computers containers, respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


                        3600        ; Retry
                        3600000     ; Expire
                        86400 )     ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address if you substitute an "@" for the first ".". There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on their own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where the NN is the number of times that day the DNS has been changed.

Also a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
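As an added example (not code from the original document), the following Python parses a constructed SOA record laid out like the one discussed above, derives the contact mailbox by swapping "@" for the first ".", applies the serial comparison a secondary uses before pulling the zone, and bumps a YYYYMMDDNN serial; it also illustrates the SOA fields listed under Q7 below. The zone and host names in the sample are placeholders.

```python
"""Parse a BIND-style SOA record and apply the serial rules described above.
Added illustration, not code from the original document; the sample record is
constructed and its names are placeholders."""
from datetime import date

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")

# Constructed sample: YYYYMMDDNN serial and a contact mailbox written with "." for "@".
SAMPLE_SOA = """\
foobarbaz.com.   IN  SOA  draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                          2003041501   ; Serial (YYYYMMDDNN)
                          10800        ; Refresh
                          3600         ; Retry
                          3600000      ; Expire
                          86400 )      ; Minimum
"""


def parse_soa(text):
    """Return a dict with zone, mname, rname and the five numeric fields."""
    # Drop ";" comments, then join the continuation lines and remove the parentheses
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = body.replace("(", " ").replace(")", " ").split()
    idx = tokens.index("SOA")  # tokens before it: owner name and optional TTL/class
    numbers = tokens[idx + 3:idx + 8]
    if len(numbers) != 5 or not all(n.isdigit() for n in numbers):
        raise ValueError("SOA record needs five numeric fields after MNAME and RNAME")
    record = {"zone": tokens[0], "mname": tokens[idx + 1], "rname": tokens[idx + 2]}
    record.update(zip(SOA_FIELDS, (int(n) for n in numbers)))
    return record


def contact_email(rname):
    """RNAME -> mailbox: the first unescaped '.' becomes '@'; '\\.' is a literal dot."""
    name = rname.rstrip(".")
    local, i = [], 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name):
            local.append(name[i + 1])
            i += 2
        elif name[i] == ".":
            return "".join(local) + "@" + name[i + 1:]
        else:
            local.append(name[i])
            i += 1
    return "".join(local)


def secondary_should_transfer(primary_serial, secondary_serial):
    """A secondary pulls the zone only when the primary's serial is higher."""
    return primary_serial > secondary_serial


def next_serial(current, today):
    """Bump a YYYYMMDDNN serial: the first change of the day gives YYYYMMDD01;
    further changes the same day (or a serial already ahead of today) add 1."""
    base = int(today.strftime("%Y%m%d")) * 100  # YYYYMMDD00
    return base + 1 if current < base else current + 1


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa["mname"], contact_email(soa["rname"]), soa["serial"])
    bumped = next_serial(soa["serial"], date(2003, 4, 15))
    print("transfer needed:", secondary_should_transfer(bumped, soa["serial"]))
```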

Quick Summary of the major records in DNS

Record Type - Definition

Host (A) - Maps a host name to an IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.

Aliases (CNAME) - Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.

Nameservers (NS) - Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.

Pointer (PTR) - Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.

Mail Exchange (MX) - Specifies a mail exchange server for a DNS domain name. Note that the term "exchange" does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6. Name the two zones in DNS

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q8. Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.

Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a STUB zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.

• The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does the resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q 13What is the benefits of Active Directory Integration

For networks deploying DNS to support Active Directory directory-integrated primary zones

are strongly recommended and provide the following benefits

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model. In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone. For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.


Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval when the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.
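Added here as an example, not code from the original document: a read-only PowerShell audit of the points made in Q13 to Q15 using the DnsServer module (RSAT / DNS Server role). It assumes the module is installed and that the target server name passed in $DnsServer (a placeholder defaulting to the local machine) is a Windows DNS server.

```powershell
# Added example: audit DNS zone storage, dynamic-update mode and scavenging
# against the recommendations in Q13-Q15. Read-only; nothing is changed.
# Assumes the DnsServer module; $DnsServer is a placeholder for the target.
param([string]$DnsServer = $env:COMPUTERNAME)

Import-Module DnsServer -ErrorAction Stop

$findings = @()

# Q14/Q15: the server-level scavenging interval defaults to 168 hours (7 days)
# once enabled, but scavenging itself is off until an administrator turns it on.
$scav = Get-DnsServerScavenging -ComputerName $DnsServer
if (-not $scav.ScavengingState) {
    $findings += "Scavenging is disabled on $DnsServer; stale DDNS records will accumulate."
} elseif ($scav.ScavengingInterval -ne [TimeSpan]::FromHours(168)) {
    $findings += "Scavenging interval is $($scav.ScavengingInterval) (default is 168 hours / 7 days)."
}

foreach ($zone in (Get-DnsServerZone -ComputerName $DnsServer | Where-Object { -not $_.IsAutoCreated })) {
    switch ($zone.ZoneType) {
        'Primary' {
            # Q13: a file-backed primary is a single fixed point of failure and
            # cannot use the per-record ACLs that directory storage provides.
            if (-not $zone.IsDsIntegrated) {
                $findings += "Zone $($zone.ZoneName) is a standard (file-backed) primary; directory-integrated storage is recommended."
            }
            # Q13: directory-integrated zones default to Secure dynamic updates;
            # NonsecureAndSecure lets unauthenticated clients register or overwrite records.
            if ($zone.DynamicUpdate -ne 'Secure' -and $zone.DynamicUpdate -ne 'None') {
                $findings += "Zone $($zone.ZoneName) accepts $($zone.DynamicUpdate) dynamic updates."
            }
            # Q14: server-level scavenging only removes records from zones with aging enabled.
            $aging = Get-DnsServerZoneAging -Name $zone.ZoneName -ComputerName $DnsServer
            if ($scav.ScavengingState -and -not $aging.AgingEnabled) {
                $findings += "Zone $($zone.ZoneName) has aging disabled, so it is never scavenged."
            }
        }
        'Secondary' {
            # Q13 note: secondaries cannot live in the directory and are unnecessary
            # when every zone is directory-integrated.
            $findings += "Zone $($zone.ZoneName) is a secondary (text file) zone; confirm it is still required."
        }
        'Stub' {
            # Stub zones hold only SOA, NS and glue A records copied from these masters.
            $masters = ($zone.MasterServers | ForEach-Object { $_.IPAddressToString }) -join ', '
            Write-Verbose "Stub zone $($zone.ZoneName) refreshes SOA/NS/glue from: $masters"
        }
    }
}

if ($findings.Count -eq 0) { "No findings on $DnsServer." } else { $findings }
```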

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers via an external network load balancing appliance (i.e. F5's Big IP, Cisco's Content Switches / Local Directors). The main question being the configuration: whether to use 2 Master/Primary Servers, or is it wiser to use 1 Primary and 1 Secondary? The reason is that I feel there are two configurations that could be setup. One in which only the resolvers query the virtual IP address on the load balancing appliance, or actually configure your NS records to point to the Virtual Address so that all queries, i.e. both local queries directly from local users and also queries from external DNS servers. I've included a text representation of the physical configuration. Have you ever heard of or architected such a configuration?


> VIP = 16714715
>  ------------------------------------
> |       Load Balancer Device         |
>  ------------------------------------
>                   |
>                   |
>          -----------------
>          |               |
>  ----------------   --------------
> |    DNS 1       | |    DNS 2     |
>  ----------------   --------------
>     1.1.1.1            1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local resolver or ISP's DNS server find the pointer records, please? E.g. I run nslookup 161.114.1.206 & get a reply for a Compaq server - how does it know where to look? Is there a giant reverse lookup zone in the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
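The octet inversion described in this answer, written out as an added PowerShell example (not part of the original Q&A). It goes beyond the answer by also handling IPv6 (ip6.arpa, one hex nibble per label); the optional -Resolve switch issues the PTR query with Resolve-DnsName from the DnsClient module, and the IPv6 address used at the end is constructed.

```powershell
# Added example: build the reverse-mapping name for an IP address the way the
# answer describes (reverse the octets, append in-addr.arpa), plus the IPv6
# equivalent (reverse the 32 nibbles, append ip6.arpa).
function ConvertTo-ReverseDnsName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$IPAddress,
        [switch]$Resolve   # also query the PTR record via Resolve-DnsName
    )
    process {
        $ip    = [System.Net.IPAddress]::Parse($IPAddress)
        $bytes = $ip.GetAddressBytes()
        if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
            # IPv4: 161.114.1.206 -> 206.1.114.161.in-addr.arpa
            [array]::Reverse($bytes)
            $name = ($bytes -join '.') + '.in-addr.arpa'
        } else {
            # IPv6: 16 bytes -> 32 hex nibbles, least significant nibble first
            $hex   = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
            $chars = $hex.ToCharArray()
            [array]::Reverse($chars)
            $name = ($chars -join '.') + '.ip6.arpa'
        }
        if ($Resolve) {
            # The query walks root -> arpa delegation -> the address holder's servers,
            # exactly the referral chain the answer describes.
            Resolve-DnsName -Name $name -Type PTR -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'PTR' } |
                Select-Object Name, NameHost
        } else {
            $name
        }
    }
}

# The answer's own example address:
ConvertTo-ReverseDnsName '161.114.1.206'
# A constructed IPv6 address, to show the nibble form:
ConvertTo-ReverseDnsName '2001:db8::1'
```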


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my business. I have looked into having a primary master server running in my server room and adding slave servers in the other areas. I then thought I could just setup a primary and a single slave server and run caching only servers in the other areas. What are the pros and cons of these two options, or should I run a slave server in every location and still have a caching server with it? I just don't know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to setup TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain, and I'm not sure that I have DNS setup properly. If the machine that is running the mail is the name of the domain, does there need to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1


These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for the zone we are authoritative for? The parent name server handles these already. Is there any problem if our own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is all this traffic happening on TCP? For example, if you have ACLs blocking UDP traffic but allowing TCP traffic, will the transfer work, or will it fail due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm really wondering why there are only 13 root servers globally. Some documents explain that one of the reasons is a technical limit in the Domain Name System (without any detailed explanation). From my understanding, it seems that there is some limitation on the number of NS records in a DNS packet specified by certain RFCs, or it is just Internet policy stuff. Which one is the proper reason?


It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the FIVE FSMO roles?

Schema Master: Forest level, one per forest

Domain Naming Master: Forest level, one per forest

PDC Emulator: Domain level, one per domain

RID Master: Domain level, one per domain

Infrastructure Master: Domain level, one per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as a NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog Server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server. The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. Unlike the Infrastructure Master and Global Catalog server rule above, this is not mandatory, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another, as well as to a Global Catalog server.
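The placement guidance above, turned into a read-only check as an added PowerShell example (not code from the original document). It assumes the ActiveDirectory module (RSAT) and an account that can read forest and domain objects; the optional $Server parameter is a placeholder for a DC to bind to.

```powershell
# Added example: list the five FSMO role holders and flag placements that
# contradict Q6 (forest roles off a Global Catalog, Infrastructure Master on a
# GC in a multi-domain forest, PDC Emulator and RID Master split). Read-only.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-FsmoPlacementReport {
    param([string]$Server)   # placeholder: a DC to bind to; omitted = autodiscovery

    $forest  = if ($Server) { Get-ADForest -Server $Server } else { Get-ADForest }
    $holders = [ordered]@{
        'Schema Master'        = $forest.SchemaMaster
        'Domain Naming Master' = $forest.DomainNamingMaster
    }
    $warnings    = @()
    $multiDomain = $forest.Domains.Count -gt 1

    # Forest-wide roles: each holder should be a Global Catalog, ideally the same server.
    foreach ($role in 'Schema Master', 'Domain Naming Master') {
        $dc = Get-ADDomainController -Identity $holders[$role]
        if (-not $dc.IsGlobalCatalog) {
            $warnings += "$role ($($dc.HostName)) is not a Global Catalog server."
        }
    }
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $warnings += "Schema Master and Domain Naming Master are on different servers (recommended: the same GC)."
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $holders["PDC Emulator ($domainName)"]          = $domain.PDCEmulator
        $holders["RID Master ($domainName)"]            = $domain.RIDMaster
        $holders["Infrastructure Master ($domainName)"] = $domain.InfrastructureMaster

        # An Infrastructure Master that is also a GC never sees stale cross-domain
        # references, so it stops updating them. Harmless in a single-domain forest
        # (and, outside this document's scope, when every DC in the forest is a GC).
        $im = Get-ADDomainController -Identity $domain.InfrastructureMaster
        if ($multiDomain -and $im.IsGlobalCatalog) {
            $warnings += "Infrastructure Master $($im.HostName) in $domainName is a Global Catalog in a multi-domain forest."
        }

        # Recommended, not mandatory: keep PDC Emulator and RID Master together.
        if ($domain.PDCEmulator -ne $domain.RIDMaster) {
            $warnings += "PDC Emulator and RID Master in $domainName are on different servers (recommended: same server)."
        }
    }

    [pscustomobject]@{ RoleHolders = $holders; Warnings = $warnings }
}

$report = Get-FsmoPlacementReport
$report.RoleHolders
$report.Warnings
```

The role list matches what netdom query fsmo prints; the Warnings array is what you would act on during a DC consolidation or GC change.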

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group

RID Master: member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out what servers in your domain/forest hold what server roles


1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).


2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the support tools, you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.


5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right click the Server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders. Part of the Microsoft Windows 2000 Server Resource Kit, downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp. Prints to the screen the current FSMO holders. Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks. Type "nltest /?" for syntax and switches.

Common uses:

- Get a list of all DCs in the domain
- Get the name of the PDC emulator
- Query or reset the secure channel for a server
- Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles: http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name (or another Site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU, while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies, you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.
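The precedence rules from Q5 and the paragraphs above, modelled as an added PowerShell example (not code from the original document): containers are processed in LSDO order, each container's GPO list is applied bottom-to-top so the top entry wins, a disabled GPO is skipped, and a Computer setting overrides a User setting for the same item. The container names, GPO names and setting names are constructed for illustration; "No Windows Update", "No Display Settings" and "No ScreenSaver" are the Human Resources OU GPOs named in the text, listed top entry first.

```powershell
# Added example: resolve the effective policy for one node (User or Computer)
# from an ordered set of containers, then merge the two nodes with the
# "computer wins on overlap" rule. All data below is constructed.
function Resolve-EffectivePolicy {
    param(
        # Containers in processing order (Local, Site, Domain, OU, nested OU),
        # each holding its GPO list as shown on the Group Policy tab, top entry first.
        [System.Collections.Specialized.OrderedDictionary]$Containers,
        [ValidateSet('User', 'Computer')][string]$Node
    )
    $effective = [ordered]@{}
    foreach ($container in $Containers.Keys) {
        $gpos = @($Containers[$container])
        # Bottom of the list is applied first, so the top GPO is applied last and wins.
        for ($i = $gpos.Count - 1; $i -ge 0; $i--) {
            $gpo = $gpos[$i]
            if ($gpo.Disabled) { continue }      # a GPO disabled on the Group Policy tab is skipped
            $settings = $gpo[$Node]
            if (-not $settings) { continue }     # node disabled or nothing defined in it
            foreach ($name in $settings.Keys) {
                # A later container or higher list entry simply overwrites the earlier value.
                $effective[$name] = [pscustomobject]@{
                    Value  = $settings[$name]
                    Source = "$container : $($gpo.Name)"
                }
            }
        }
    }
    $effective
}

function Merge-UserAndComputerPolicy {
    param([System.Collections.Specialized.OrderedDictionary]$Containers)
    $user     = Resolve-EffectivePolicy -Containers $Containers -Node 'User'
    $computer = Resolve-EffectivePolicy -Containers $Containers -Node 'Computer'
    $merged = [ordered]@{}
    foreach ($k in $user.Keys)     { $merged[$k] = $user[$k] }
    foreach ($k in $computer.Keys) { $merged[$k] = $computer[$k] }   # computer policy wins on overlap
    $merged
}

# Constructed scenario: a permissive Local and Domain screen-saver timeout that
# the Human Resources OU tightens, and a Windows Update lockdown set in both nodes.
$containers = [ordered]@{
    'Local'  = @( @{ Name = 'Local Policy'; User = @{ ScreenSaverTimeout = 900 } } )
    'Site'   = @()
    'Domain' = @( @{ Name = 'Default Domain Policy'
                     User = @{ ScreenSaverTimeout = 600; AllowWindowsUpdate = $true } } )
    'OU:Human Resources' = @(
        @{ Name = 'No ScreenSaver';      User = @{ ScreenSaverTimeout = 300 } },
        @{ Name = 'No Display Settings'; User = @{ DisplaySettingsEnabled = $false } },
        @{ Name = 'No Windows Update';   User = @{ AllowWindowsUpdate = $false }
                                         Computer = @{ AllowWindowsUpdate = $false } }
    )
}

Merge-UserAndComputerPolicy -Containers $containers |
    ForEach-Object { $_.GetEnumerator() } |
    Select-Object @{ n = 'Setting'; e = { $_.Key } },
                  @{ n = 'Value';   e = { $_.Value.Value } },
                  @{ n = 'Source';  e = { $_.Value.Source } }
```

The Source column shows which container and GPO supplied each winning value, which is the question you answer when a lockdown setting unexpectedly does not take effect.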

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and, under the Disable column, double click - a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7 When does the group policy Scripts run

Startup scripts are processed at computer bootup and before the user logs inShutdown scripts are processed after a user logs off but before the computer shuts down

Login scripts are processed when the user logs inLogoff scripts are processed when the user logs off but before the shutdown script runs

Q8 When the group policy gets refreshedapplied

Group Policies can be applied when a computer boots up andor when a user logs in However policies are also refreshed automatically according to a predefined schedule This is called Background Refresh

Background refresh for non-DCs (PCs and Member Servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could be 60, 90 or 120 minutes. For DCs (Domain Controllers), background refresh is every 5 minutes. Also, every 16 hours every PC will request all Group Policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.

Q9 Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup and Shutdown Scripts

Q9 How to refresh Group Policies using the command line?

Secedit.exe is a command line tool that can be used to refresh Group Policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)

secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce

secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command line tool that can be used to refresh Group Policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)

gpupdate /target:computer (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10 What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11 Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12 Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.


If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13 Which are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU), they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14 How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single


Q15 What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
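The processing order (Local, Site, Domain, OU), the bottom-to-top link order within a container, disabled GPOs, Block Inheritance and No Override interact in ways that are easy to get wrong when reading an answer key. The following added example (not part of the original document or of any Microsoft tool) models that resolution in plain Python so the outcome can be traced setting by setting. The container names, GPO names and setting values are constructed sample data; the model also assumes, beyond what the text states, that the Local GPO is not an inherited GPO and therefore survives Block Inheritance, and that a No Override link on a parent beats a No Override link on a child.

```python
"""Added example: resolving effective Group Policy settings.

Models the processing order (Local, Site, Domain, OU), bottom-to-top link
order within a container, disabled GPOs, Block Inheritance on a container
and No Override on a link. All names and settings are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                 # setting name -> value
    disabled: bool = False         # the "Disable" check on the Group Policy tab
    no_override: bool = False      # "No Override" set on this link


@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)   # as listed on the Group Policy tab, top entry first
    block_inheritance: bool = False


def resolve(chain):
    """Return (effective_settings, application_trace).

    chain: containers from the outside in, e.g. [local, site, domain, ou, child_ou].
    Within each container GPOs are applied bottom-to-top, so the top entry is
    applied last and wins any conflict.
    """
    normal = []                        # (container index, gpo) for links without No Override
    enforced_per_container = []        # No Override links, one list per container
    for idx, container in enumerate(chain):
        enforced_here = []
        for gpo in reversed(container.gpos):   # bottom of the list is applied first
            if gpo.disabled:
                continue                      # a disabled GPO contributes nothing
            if gpo.no_override:
                enforced_here.append((idx, gpo))
            else:
                normal.append((idx, gpo))
        enforced_per_container.append(enforced_here)

    # Block Inheritance: the innermost container that sets it discards every
    # non-enforced GPO inherited from its parents (Site, Domain, parent OUs).
    # Assumption: the Local GPO (index 0) is not inherited and is kept.
    blocking = [i for i, c in enumerate(chain) if c.block_inheritance]
    if blocking:
        cutoff = blocking[-1]
        normal = [(i, g) for (i, g) in normal if i == 0 or i >= cutoff]

    # No Override links cannot be overridden by child containers, so they are
    # applied after everything else, innermost container first and outermost
    # last; that makes a parent's No Override beat a child's No Override.
    order = list(normal)
    for enforced_here in reversed(enforced_per_container):
        order.extend(enforced_here)

    effective, trace = {}, []
    for idx, gpo in order:
        effective.update(gpo.settings)      # later application overrides earlier
        trace.append(f"{chain[idx].name}:{gpo.name}")
    return effective, trace


def demo():
    """The Human Resources OU scenario from the text, with constructed settings."""
    local = Container("Local", [GPO("Local GPO", {"wallpaper": "local.bmp"})])
    site = Container("Default-First-Site-Name",
                     [GPO("Site Proxy", {"proxy": "proxy.site.example"})])
    domain = Container("example.com", [
        GPO("Lockdown", {"removable_media": "deny"}, no_override=True),
        GPO("Default Domain Policy", {"min_password_length": 8, "wallpaper": "corp.bmp"}),
    ])
    hr = Container("Human Resources", [
        GPO("No ScreenSaver", {"screensaver": "disabled"}),
        GPO("No Display Settings", {"display_settings": "hidden", "screensaver": "off"}),
        GPO("No Windows Update", {"windows_update": "disabled", "screensaver": "on"}),
        GPO("Allow USB", {"removable_media": "allow"}),
        GPO("Old Test GPO", {"screensaver": "test"}, disabled=True),
    ], block_inheritance=True)
    return resolve([local, site, domain, hr])


if __name__ == "__main__":
    settings, trace = demo()
    for step in trace:
        print("applied", step)
    print(settings)
```

Running the demo shows the three HR GPOs applied in the order No Windows Update, No Display Settings, No ScreenSaver (so the top entry wins the screensaver conflict), the domain's Default Domain Policy dropped by Block Inheritance, and the domain's No Override "Lockdown" link still applied last, overriding the OU's "Allow USB".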

Q16 How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers, respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircmp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, “Redirecting the Users and Computers Containers in Windows Server 2003 Domains,” in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17 What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.
Editing GPOs linked to domains requires Domain Administrative permissions.
Editing GPOs linked to OUs requires permissions for the OU.

Q18 What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy.
Windows NT 4.0 and earlier versions do not support Group Policy.
Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.
Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


Mail Exchange (MX): Specifies a mail exchange server for a DNS domain name. Note that the term “exchange” does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5 What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

Q6 Name the two zones in DNS.

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers.

Q7 How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings and a serial number (incremented with every update).

Q8 Short summary of the records in DNS

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.


Q9 What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10 What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11 What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12 How does the resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13 What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.


Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14 What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15 What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.
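To show the decision the scavenging run makes, here is an added example (not code from the original document or from the Windows DNS service) that applies the rule described in Q14 and Q15 to a constructed zone: a record that has not been refreshed within the staleness window is removed, a dynamic client that keeps re-registering survives, and a static record is only eligible once an administrator has opted it in by giving it a timestamp. Host names, addresses, timestamps and the 14-day staleness window are constructed sample values; the 168-hour scavenging period is the default stated above.

```python
"""Added example: which DNS records a scavenging run would remove.

Models the rule described above: a record that has not been refreshed within
the staleness window is deleted, dynamic (DDNS) records age by default, and a
static record only becomes eligible once ageing is enabled on it.
Hosts, timestamps and intervals are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_SCAVENGING_PERIOD = timedelta(hours=168)   # 7 days, as stated above


@dataclass
class Record:
    name: str
    rtype: str
    rdata: str
    timestamp: Optional[datetime]   # None = static record with no ageing timestamp

    @property
    def is_static(self):
        return self.timestamp is None


def ddns_refresh(record, when):
    """A dynamic client re-registering its record bumps the record's timestamp."""
    record.timestamp = when
    return record


def enable_ageing(record, when):
    """Opt a static record into scavenging by giving it a timestamp."""
    record.timestamp = when
    return record


def scavenge(zone, now, stale_after):
    """Split the zone into (kept, removed) as a scavenging run at `now` would.

    A record is stale when more than `stale_after` has passed since its
    timestamp; records without a timestamp are never touched.
    """
    kept, removed = [], []
    for rec in zone:
        if rec.is_static or now - rec.timestamp <= stale_after:
            kept.append(rec)
        else:
            removed.append(rec)
    return kept, removed


def next_scavenging_run(last_run, period=DEFAULT_SCAVENGING_PERIOD):
    """When the server will next start scavenging after `last_run`."""
    return last_run + period


def demo():
    """Constructed zone: a DC, a decommissioned laptop, an active laptop, a printer."""
    t0 = datetime(2024, 1, 1, 8, 0)
    zone = [
        Record("dc01", "A", "10.0.0.10", None),                           # static, never scavenged
        Record("laptop-old", "A", "10.0.0.50", t0 - timedelta(days=20)),  # host decommissioned
        Record("laptop-new", "A", "10.0.0.51", t0 - timedelta(days=20)),  # host still in use
        Record("printer", "A", "10.0.0.80", None),                        # static, added by hand
    ]
    ddns_refresh(zone[2], t0 - timedelta(days=2))     # laptop-new re-registered two days ago
    enable_ageing(zone[3], t0 - timedelta(days=30))   # admin opted the printer record in
    kept, removed = scavenge(zone, t0, stale_after=timedelta(days=14))
    return [r.name for r in kept], [r.name for r in removed]


if __name__ == "__main__":
    kept, removed = demo()
    print("kept:", kept)
    print("removed:", removed)
    print("next run:", next_scavenging_run(datetime(2024, 1, 1, 8, 0)))
```

The demo removes laptop-old (stale for 20 days) and the printer record (opted in, stale for 30 days), while the DC's untouched static record and the recently refreshed laptop-new survive; the same logic run against real zone data is the quickest way to predict what a scavenging run will delete before enabling it.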

DNS Q&A corner

Q1 How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (ie - F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration, whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary. The reason is that I feel there are two configurations
> that could be setup. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, ie - both by local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard or architected such a configuration?


> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                 |
>                 |
>         -----------------
>         |               |
>   ----------------  --------------
>   |    DNS 1     |  |   DNS 2    |
>   ----------------  --------------
>        1111             1112

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Masters/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2 How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.120.6 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.120.6 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 6.120.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 114.161.in-addr.arpa name servers run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.


Q3 What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> setup a primary and a single slave server and run caching only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4 Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5 Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain
> and I'm not sure that I have DNS setup properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1


These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example.

Q6 What are a zone's NS records used for?

> Could you elaborate a little bit on why do we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7 Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8 What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.
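The reverse-mapping walk in Q2, the explicit-TTL field in Q4, the CNAME-to-IP mistake in Q5 and the 16-bit MX preference limit in Q8 can all be checked mechanically. The following is an added example, not code from the original Q&A nor from BIND: a small reverse-name builder and a one-line record parser that rejects the two mistakes above. The record lines fed to it are constructed samples (the 161.114.120.6 address and foo.example. record come from the answers above); the parser accepts the simplified `owner [ttl] [class] type rdata` form only, which is an assumption, not full zone-file grammar.

```python
"""Added example: checks for the record mistakes discussed in Q2, Q4, Q5 and Q8.

reverse_name()/delegation_chain() build the in-addr.arpa name a resolver
queries for a PTR record and the delegation path it is referred through.
parse_record() reads 'owner [ttl] [class] type rdata' and rejects a CNAME
whose target is an IP address and an MX preference outside 0..65535.
Sample records below are constructed for this example.
"""
import ipaddress

REVERSE_SUFFIX = "in-addr.arpa."
RECORD_TYPES = {"A", "AAAA", "NS", "CNAME", "MX", "PTR", "SOA", "TXT"}
MAX_MX_PREFERENCE = 65535          # unsigned 16-bit field, see Q8


def reverse_name(ip):
    """'161.114.120.6' -> '6.120.114.161.in-addr.arpa.' (octets inverted, suffix appended)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # raises ValueError on bad input
    return ".".join(reversed(octets)) + "." + REVERSE_SUFFIX


def delegation_chain(ip):
    """Zone names a querier may be referred through, root side first."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    chain = [REVERSE_SUFFIX]
    for i in range(1, 4):
        chain.append(".".join(reversed(octets[:i])) + "." + REVERSE_SUFFIX)
    return chain


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_record(line, default_ttl=3600):
    """Parse one record line and validate the common mistakes from the Q&A above."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"too few fields: {line!r}")
    owner, rest = tokens[0], tokens[1:]
    ttl = default_ttl
    if rest[0].isdigit():                     # explicit TTL sits between owner and class (Q4)
        ttl = int(rest.pop(0))
    if rest and rest[0].upper() == "IN":
        rest.pop(0)
    if not rest:
        raise ValueError(f"missing type: {line!r}")
    rtype, rdata = rest[0].upper(), rest[1:]
    if rtype not in RECORD_TYPES:
        raise ValueError(f"unknown type {rtype!r} in {line!r}")
    if rtype == "CNAME":
        # The alias target must be a domain name, never an address (Q5).
        if len(rdata) != 1 or _is_ip(rdata[0]):
            raise ValueError(f"CNAME target must be a domain name, got {rdata}")
    elif rtype == "MX":
        if len(rdata) != 2 or not rdata[0].isdigit():
            raise ValueError(f"MX needs '<preference> <exchanger>', got {rdata}")
        pref = int(rdata[0])
        if not 0 <= pref <= MAX_MX_PREFERENCE:
            raise ValueError(f"MX preference {pref} exceeds {MAX_MX_PREFERENCE}")
        rdata = [pref, rdata[1]]
    elif rtype == "A":
        if len(rdata) != 1:
            raise ValueError(f"A record needs exactly one address, got {rdata}")
        ipaddress.IPv4Address(rdata[0])      # must be a valid IPv4 address
    return {"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata}


if __name__ == "__main__":
    print(reverse_name("161.114.120.6"), delegation_chain("161.114.120.6"))
    print(parse_record("foo.example. 300 IN A 10.0.0.1"))
    for bad in ("www cname 192.168.0.1", "example.com. MX 70000 mail.example.com."):
        try:
            parse_record(bad)
        except ValueError as err:
            print("rejected:", err)
```

Feeding the four CNAME lines from Q5 through parse_record() rejects each of them for the reason the answer gives, and reverse_name() reproduces the 6.120.114.161.in-addr.arpa name and the 161.in-addr.arpa / 114.161.in-addr.arpa referral path from Q2.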

Q9 Why are there only 13 root name servers?

> I'm very wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit on the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation of NS record numbers
> in the DNS packet that is specified by certain RFCs, or just Internet policy stuff.
>
> Which one is the proper reason?


It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1 Which are the FIVE FSMO roles?

Schema Master - Forest level - one per forest

Domain Naming Master - Forest level - one per forest

PDC Emulator - Domain level - one per domain

RID Master - Domain level - one per domain

Infrastructure Master - Domain level - one per domain

Q2 What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.
• Time synchronization for the domain.
• Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object, such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3 What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain, the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master The RID Master provides RIDs for security principles (users groups computer accounts) The failure of this FSMO server would have little impact unless you are adding a very large number of users or groupsEach DC in the domain has a pool of RIDs already and a problem would occur only if the DC you adding the usersgroups on ran out of RIDs

Infrastructure Master This FSMO server is only relevant in a multi-domain environment If you only have one domain then the Infrastructure Master is irrelevant Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming Master needs to be on a Global Catalog server. If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP: Why should the Infrastructure Master not be on the same server that acts as a Global Catalog server?

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single-domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. Unlike the Infrastructure Master and Global Catalog server rule above, this is not mandatory, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high-bandwidth connections to one another as well as to a Global Catalog server.
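A script that checks a forest against the placement rules above, as an added example that is not part of the original document. It uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later, so newer than the Windows 2000-era tools this text describes) and assumes it runs with read access to the forest; it reports findings rather than changing anything.

```powershell
# Added example (not from the original document): audit FSMO placement against the
# best practices above using the ActiveDirectory module. Read-only.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    $forest   = Get-ADForest
    $gcs      = @($forest.GlobalCatalogs)        # FQDNs of every Global Catalog in the forest
    $findings = @()

    # Forest-wide roles: Schema Master and Domain Naming Master should sit together on a GC
    $schemaMaster = $forest.SchemaMaster
    $namingMaster = $forest.DomainNamingMaster
    if ($schemaMaster -ne $namingMaster) {
        $findings += "Schema Master ($schemaMaster) and Domain Naming Master ($namingMaster) are on different DCs."
    }
    foreach ($dc in @($schemaMaster, $namingMaster) | Select-Object -Unique) {
        if ($gcs -notcontains $dc) { $findings += "Forest role holder $dc is not a Global Catalog server." }
    }

    # Domain-wide roles, checked in every domain of the forest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $im  = $domain.InfrastructureMaster
        $pdc = $domain.PDCEmulator
        $rid = $domain.RIDMaster

        # Infrastructure Master on a GC only matters when the forest has more than one domain
        if (@($forest.Domains).Count -gt 1 -and $gcs -contains $im) {
            $findings += "[$domainName] Infrastructure Master $im is also a Global Catalog in a multi-domain forest."
        }
        if ($pdc -ne $rid) {
            $findings += "[$domainName] PDC Emulator ($pdc) and RID Master ($rid) are on different DCs (recommended together)."
        }
    }
    return $findings
}
```

Run `Get-FsmoPlacementReport`; an empty result means every rule above is satisfied. The replication-partner and bandwidth recommendation is not checked here, since it depends on the site topology rather than on role ownership.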

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group

RID Master: member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out which servers in your domain/forest hold which server roles

1. Active Directory Users and Computers: use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right-click the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see which server that role resides on. To change the server roles you must first connect to the domain controller you want to move the role to. Do this by right-clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC you will notice the name of that DC will be in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right-clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD or install the Windows 2000 Server Resource Kit. Once you install the support tools you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right-click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out which server holds which FSMO role is by using the Netdom command-line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type "netdom query fsmo" and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command-line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints the current FSMO holders to the screen.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest /?" for syntax and switches.

Common uses:

Get a list of all DCs in the domain.

Get the name of the PDC emulator.

Query or reset the secure channel for a server.

Call DsGetDCName to query for an available domain controller.

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
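The transfer-versus-seize distinction from the KB article above, as an added example that is not part of the original document. It uses the ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole cmdlet (Windows Server 2008 R2 and later; the article itself describes Ntdsutil). The target DC and role name are assumed inputs, and the caller must be in the groups listed under Q7. A transfer is attempted only when the current holder still answers LDAP; a seizure (the -Force path) is taken only when explicitly allowed, because a seized role's former holder must never be returned to the network.

```powershell
# Added example (not from the original document): transfer a FSMO role cleanly when the
# current holder is reachable, and seize it (-Force) only when it is gone and the caller
# has opted in. $TargetDC and $Role are assumed inputs.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $TargetDC,      # DC that should hold the role afterwards
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string] $Role,
        [switch] $AllowSeize                            # opt in to seizure; never use while the old holder may come back
    )

    # Locate the current holder: forest-wide roles live on the forest object, the rest on the domain
    $holder = switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }
    }

    # An LDAP bind to the holder is a better liveness test than ICMP, which is often filtered
    $holderOnline = $true
    try   { $null = Get-ADRootDSE -Server $holder -ErrorAction Stop }
    catch { $holderOnline = $false }

    if ($holderOnline) {
        # Clean transfer: the old holder participates and replicates the change
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $holder to $TargetDC"
    }
    if (-not $AllowSeize) {
        throw "Current $Role holder $holder is unreachable; re-run with -AllowSeize only if it will never return."
    }
    # Seizure: the directory is updated without the old holder's cooperation
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
    return "Seized $Role on $TargetDC (former holder $holder unreachable)"
}
```

Example call: `Move-FsmoRole -TargetDC dc2.corp.example -Role PDCEmulator` (hostname is a placeholder). After a seizure, verify with `netdom query fsmo` from another DC and retire the old holder with Ntdsutil metadata cleanup before it could ever be powered on again.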

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name or another Site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right-click the Domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies:

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already-created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, at the Domain level or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and which Group Policies you want applied to which objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user-specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min interval, so the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates, System, Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection, Software Installation, Logon/Logoff/Startup/Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:machine (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates, System, Group Policy.

If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy: this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account: when set at the domain level it affects the Domain Administrator account only
Rename Guest Account: when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy: this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally and so on.
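A check that the domain-level account policies and the two default GPOs described under Q13 are in the state an administrator expects, as an added example that is not part of the original document. It uses the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 and later, so newer than the Windows 2000 tools described here). The password-length, history and lockout thresholds are assumed baseline values chosen for the example, not figures from the text.

```powershell
# Added example (not from the original document): verify the resultant domain account
# policy (the only place Password, Account Lockout and Kerberos policy take effect) and
# confirm the two built-in GPOs still exist and are enabled. Thresholds are assumed values.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-DefaultDomainPolicyBaseline {
    $findings = @()

    # What domain controllers actually enforce for domain logons, regardless of OU-level GPOs
    $pol = Get-ADDefaultDomainPasswordPolicy
    if ($pol.MinPasswordLength -lt 12)    { $findings += "MinPasswordLength is $($pol.MinPasswordLength) (baseline >= 12)" }
    if (-not $pol.ComplexityEnabled)      { $findings += "Password complexity is disabled" }
    if ($pol.LockoutThreshold -eq 0)      { $findings += "Account lockout is disabled (LockoutThreshold = 0)" }
    if ($pol.PasswordHistoryCount -lt 24) { $findings += "PasswordHistoryCount is $($pol.PasswordHistoryCount) (baseline >= 24)" }

    # Both default GPOs must exist and have all settings enabled; anything else is worth a look
    foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
        $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
        if (-not $gpo) {
            $findings += "$name GPO is missing (see Q14: dcgpofix recreates it)"
        } elseif ($gpo.GpoStatus -ne 'AllSettingsEnabled') {
            $findings += "$name GPO status is $($gpo.GpoStatus)"
        }
    }
    return $findings
}
```

Run `Test-DefaultDomainPolicyBaseline` from any domain-joined machine with the modules installed; an empty result means the policy is at or above the assumed baseline and both default GPOs are present and enabled.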

Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next-highest-level OU and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
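The precedence rules from Q5, the processing order under "Resolving GPOs from Multiple Sources" and the two exceptions above, shown as an added example that is not part of the original document. It is a GroupPolicy-module function (Windows Server 2008 R2 and later; the GPMC calls No Override "Enforced") that lists the resultant GPO links for a container in the order a client applies them, so the last entry wins any conflict; Enforced links and Block Inheritance are already folded in by the module. The container's distinguished name is an assumed input; local and site-linked GPOs are outside what this call returns.

```powershell
# Added example (not from the original document): show the domain/OU GPO chain for a
# container in application order, with Enforced (No Override) and Block Inheritance visible.
# $TargetDN is an assumed input, e.g. 'OU=Workstations,OU=HR,DC=corp,DC=example'.
Import-Module GroupPolicy

function Get-GpoApplicationOrder {
    param([Parameter(Mandatory)] [string] $TargetDN)

    $inh = Get-GPInheritance -Target $TargetDN

    # InheritedGpoLinks is the resultant set for this container (domain, parent OUs and the
    # container itself) in precedence order: Order 1 wins conflicts, Enforced links from parents
    # are kept even below a Block Inheritance, and blocked non-enforced parent links are absent.
    # Reversing it yields the order in which the client applies them.
    $applied = @($inh.InheritedGpoLinks | Sort-Object Order -Descending | ForEach-Object {
        [pscustomobject]@{
            Step     = 0
            Gpo      = $_.DisplayName
            LinkedAt = $_.Target        # DN of the container carrying the link
            Enforced = $_.Enforced      # "No Override" in the Windows 2000 UI
            Enabled  = $_.Enabled
        }
    })
    for ($i = 0; $i -lt $applied.Count; $i++) { $applied[$i].Step = $i + 1 }

    return [pscustomobject]@{
        Container          = $TargetDN
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        AppliedInOrder     = $applied
    }
}
```

Usage: `(Get-GpoApplicationOrder -TargetDN 'OU=HR,DC=corp,DC=example').AppliedInOrder | Format-Table` (the DN is a placeholder). A link that shows `Enforced = True` and `LinkedAt` at the domain while `InheritanceBlocked` is `True` is exactly the case the last sentence above describes: the block does not stop it.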

Q16. How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.
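A way to confirm whether the redirection described above has been applied in a domain, as an added example that is not part of the original document. It reads the domain's well-known container locations through the ActiveDirectory module (Windows Server 2008 R2 and later, newer than the tools in the text) and, where redirection is in place, counts the GPOs linked directly at the target OU so an administrator can see that new accounts actually land under policy.

```powershell
# Added example (not from the original document): report whether new user and computer
# accounts still default to CN=Users / CN=Computers (no GPO can be linked there) or have been
# redirected with redirusr.exe / redircomp.exe, and how many GPOs the target OU carries.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-AccountRedirectionStatus {
    $domain = Get-ADDomain
    $dn     = $domain.DistinguishedName

    # Built-in defaults versus the wellKnownObjects values the domain currently points at
    $defaults = @{ Users = "CN=Users,$dn";              Computers = "CN=Computers,$dn" }
    $current  = @{ Users = $domain.UsersContainer;      Computers = $domain.ComputersContainer }

    foreach ($kind in 'Users', 'Computers') {
        $redirected = $current[$kind] -ne $defaults[$kind]
        $linked = 0
        if ($redirected) {
            # Only an OU can carry direct GPO links, so this count is meaningful only after redirection
            $linked = @((Get-GPInheritance -Target $current[$kind]).GpoLinks).Count
        }
        [pscustomobject]@{
            AccountType    = $kind
            CurrentTarget  = $current[$kind]
            Redirected     = $redirected
            DirectGpoLinks = $linked
        }
    }
}
```

`Get-AccountRedirectionStatus | Format-Table -AutoSize` prints one row per account type; `Redirected = True` with `DirectGpoLinks = 0` means the redirection was done but the target OU has no policy of its own yet.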

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a stub zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits.

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure: if this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model. In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone. For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval after which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.
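As an added example (not part of the original document), the following PowerShell uses the DnsServer module on a Windows DNS server to report, for each primary zone, whether it is directory-integrated, whether dynamic updates are restricted to secure updates, and whether aging is enabled, together with the server-wide scavenging interval (the 7-day default above). The function name and the default of auditing the local machine are assumptions.

```powershell
# Added example, not from the original document. Requires the DnsServer module
# (RSAT DNS Server Tools) and rights to read the DNS server configuration.
Import-Module DnsServer

function Get-DnsZoneHygieneReport {
    param(
        # Assumed: the DNS server to audit; defaults to the local computer.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Server-wide scavenging settings. ScavengingInterval is the period after
    # which the server kicks off scavenging (default 7 days = 168 hours).
    $scav = Get-DnsServerScavenging -ComputerName $ComputerName
    $serverFinding = if ($scav.ScavengingState) { 'OK' } else { 'server-wide scavenging is disabled' }
    [pscustomobject]@{
        Zone               = '<server>'
        DsIntegrated       = $null
        DynamicUpdate      = $null
        AgingEnabled       = $scav.ScavengingState
        ScavengingInterval = $scav.ScavengingInterval
        Finding            = $serverFinding
    }

    # Stub and secondary zones cannot be directory-integrated, so only primaries
    # are judged; auto-created zones (localhost, 0.in-addr.arpa, ...) are skipped.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $zone   = $_
            $aging  = Get-DnsServerZoneAging -Name $zone.ZoneName -ComputerName $ComputerName
            $issues = @()

            # Directory-integrated storage gives multimaster updates and ACLs on the
            # dnsZone object; a file-backed primary is a single fixed point of failure.
            if (-not $zone.IsDsIntegrated) { $issues += 'not directory-integrated' }

            # Only secure dynamic updates should be accepted; 'NonsecureAndSecure'
            # lets any client on the network overwrite records.
            if ($zone.DynamicUpdate -ne 'Secure') { $issues += "dynamic update = $($zone.DynamicUpdate)" }

            # Aging must be enabled per zone, otherwise stale records are never scavenged.
            if (-not $aging.AgingEnabled) { $issues += 'aging disabled' }

            $finding = if ($issues.Count -gt 0) { $issues -join '; ' } else { 'OK' }
            [pscustomobject]@{
                Zone               = $zone.ZoneName
                DsIntegrated       = $zone.IsDsIntegrated
                DynamicUpdate      = $zone.DynamicUpdate
                AgingEnabled       = $aging.AgingEnabled
                ScavengingInterval = $scav.ScavengingInterval
                Finding            = $finding
            }
        }
}

# Usage: one row per zone plus a '<server>' row for the global scavenging state.
Get-DnsZoneHygieneReport | Format-Table -AutoSize
```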

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers via an external network load balancing appliance (i.e. F5's Big IP, Cisco's Content Switches/Local Directors). The main question being the configuration: whether to use 2 Master/Primary Servers or is it wiser to use 1 Primary and 1 Secondary. The reason is that I feel there are two configurations that could be setup. One in which only the resolvers query the virtual IP address on the load balancing appliance, or actually configure your NS records to point to the Virtual Address so that all queries (i.e. both by local queries directly from local users and also queries from external DNS servers). I've included a text representation of the physical configuration. Have you ever heard or architected such a configuration?
>
>           VIP = 16714715
>     ------------------------------------
>     |       Load Balancer Device       |
>     ------------------------------------
>                      |
>                      |
>             -----------------
>             |               |
>     ----------------   --------------
>     |    DNS 1     |   |   DNS 2    |
>     ----------------   --------------
>          1111              1112

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, is there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local resolver or ISP's DNS server find the pointer records please? E.g. I run nslookup 161.114.1.206 & get a reply for a Compaq server - how does it know where to look? Is there a giant reverse lookup zone in the sky?

Yes, actually there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case, the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to 1.114.161.in-addr.arpa name servers run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.

Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my business. I have looked into having a primary master server running in my server room and adding slave servers in the other areas. I then thought I could just setup a primary and a single slave server and run caching only servers in the other areas. What are the pros and cons of these two options, or should I run a slave server in every location and still have a caching server with it? I just don't know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to setup TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain, and I'm not sure that I have DNS setup properly. If the machine that is running the mail is the name of the domain, does there need to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www  CNAME 192.168.0.1
> mail CNAME 192.168.0.1
> pop  CNAME 192.168.0.1
> smtp CNAME 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why do we need to put NS records for the zone we are authoritative for? The parent name server handles these already. Is there any problem if our own NS records have lower TTLs than the records from parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is all this traffic happening on TCP? For example, if you have ACLs blocking UDP traffic but allowing TCP traffic, will the transfer work or will it fail due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm very wondering why there are only 13 root servers globally. Some documents explain that one of the reasons is a technical limit on the Domain Name System (without any detailed explanation). From my understanding, it seems that some limitation of NS record numbers in a DNS packet that is specified by certain RFCs, or just Internet policy stuff. Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the five FSMO roles?

- Schema Master - Forest level - One per forest

- Domain Naming Master - Forest level - One per forest

- PDC Emulator - Domain level - One per domain

- RID Master - Domain level - One per domain

- Infrastructure Master - Domain level - One per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.

- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.

- Account lockout is processed on the PDC emulator.

- Time synchronization for the domain.

- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object, such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs, and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming master needs to be on a Global Catalog server. If you are going to separate the Domain Naming master and Schema master, just make sure they are both on Global Catalog servers.

IMP - Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory, like the Infrastructure Master and the Global Catalog server above, but is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.
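As an added example (not part of the original document), the following PowerShell uses the ActiveDirectory module to list the five role holders (the same answer netdom query fsmo gives, as described under the FSMO tools below) and checks them against the placement rules above: Domain Naming Master on a Global Catalog, Infrastructure Master off the Global Catalog in a multi-domain forest, and PDC Emulator together with the RID Master. The function name and the default of checking the current domain are assumptions.

```powershell
# Added example, not from the original document. Requires the ActiveDirectory
# module (RSAT) and ordinary read access to the forest.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    param(
        # Assumed: domain whose domain-level roles are checked; defaults to the current one.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Role name -> FQDN of the holder. Forest-level roles come from the forest
    # object, domain-level roles from the domain object.
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    # Look each holder up once to learn whether it is also a Global Catalog.
    $isGC = @{}
    $holders = @($roles.Values) | Select-Object -Unique
    foreach ($holder in $holders) {
        $isGC[$holder] = (Get-ADDomainController -Identity $holder).IsGlobalCatalog
    }

    $findings = @()

    # The Domain Naming Master must sit on a Global Catalog server.
    if (-not $isGC[$roles['Domain Naming Master']]) {
        $findings += 'Domain Naming Master is not on a Global Catalog server'
    }

    # In a multi-domain forest the Infrastructure Master must not be a GC: a GC
    # never sees stale cross-domain references, so nothing would be replicated.
    if ($forest.Domains.Count -gt 1 -and $isGC[$roles['Infrastructure Master']]) {
        $findings += 'Infrastructure Master is on a Global Catalog server in a multi-domain forest'
    }

    # Recommended (not mandatory): PDC Emulator and RID Master on the same DC.
    if ($roles['PDC Emulator'] -ne $roles['RID Master']) {
        $findings += 'PDC Emulator and RID Master are on different servers'
    }

    $result = if ($findings.Count -gt 0) { $findings } else { @('OK') }
    [pscustomobject]@{
        Forest   = $forest.Name
        Domain   = $dom.DNSRoot
        Holders  = $roles
        GCStatus = $isGC
        Findings = $result
    }
}

# Usage: Findings is 'OK' or one line per placement rule that is not met.
Test-FsmoPlacement | Format-List
```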

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

- Schema Master: member of the Schema Admins group

- Domain Naming Master: member of the Enterprise Admins group

- PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group

- RID Master: member of the Domain Admins group and/or the Enterprise Admins group

- Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out what servers in your domain/forest hold what server roles

1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 server CD, or install the Windows 2000 Server Resource Kit. Once you install the support tools, you can open up a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

- Command-line tool to query for the current FSMO role holders

- Part of the Microsoft Windows 2000 Server Resource Kit

- Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

- Prints to the screen the current FSMO holders

- Calls NTDSUTIL to get this information

7. NLTEST

- Command-line tool to perform common network administrative tasks

- Type "nltest /?" for syntax and switches

Common uses:

- Get a list of all DCs in the domain

- Get the name of the PDC emulator

- Query or reset the secure channel for a server

- Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name (or another Site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following shows, per policy type, the allowable groups/users.

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default, only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default, only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control over the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies, you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double click under the Disable column - a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the group policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When does the group policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min random offset, so the refresh could be at 60, 90 or 120 mins. For DCs (Domain Controllers), background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates, System, Group Policy.

Q9. Which policies are not affected by background refresh?

The following policies are not affected by background refresh; they are only applied at logon time:

Folder Redirection
Software Installation
Logon/Logoff/Startup/Shutdown Scripts

Q9. How to refresh Group Policies using the command line

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy     (to refresh the user policies)
secedit /refreshpolicy machine_policy  (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user     (to refresh the user policies)
gpupdate /target:machine  (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under Computer and User Nodes, Administrative Templates\System\Group Policy.


If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs: log in to the domain, you get the domain policy; log in locally, you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to default

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other.

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed, and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed, and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
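The precedence rules above (local, site, domain, OU; top of a container's link list wins; No Override beats Block Inheritance) are easy to state and easy to get wrong when auditing a real tree. The following simulator is an added example, not code from the study guide or from Microsoft: it takes a chain of containers with their linked GPOs and returns the effective settings and the order in which the GPOs were applied. The container and GPO names ("Human Resources", "DomainSecurity" and so on) are constructed for the example, and the local GPO is modelled as a plain dictionary that is always processed first.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example (not the study guide's own code): a model of Group Policy
# precedence. Container and GPO names below are constructed for illustration.


@dataclass
class Link:
    gpo: str
    settings: Dict[str, object]
    no_override: bool = False          # "No Override" (later renamed Enforced) on this link


@dataclass
class Container:
    name: str
    # Links in the order shown on the Group Policy tab: top of the list first.
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def resolve(local_gpo: Dict[str, object],
            chain: List[Container]) -> Tuple[Dict[str, object], List[str]]:
    """chain is ordered Site, Domain, OU, ..., innermost OU last (the LSDOU order).
    Returns (effective settings, names of the GPOs in the order they were applied)."""
    effective = dict(local_gpo)        # the local GPO is processed first ...
    applied = ["Local"]                # ... and anything from AD overrides it

    # Block Inheritance on a container discards the ordinary (non-enforced)
    # links of every container above it; the deepest blocking container decides
    # how much of the chain survives.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)

    # Ordinary links: outer containers first, so closer containers override them.
    # Within one container the list is applied bottom-to-top, so the top link wins.
    for index, container in enumerate(chain):
        if index < cutoff:
            continue
        for link in reversed(container.links):
            if not link.no_override:
                effective.update(link.settings)
                applied.append(link.gpo)

    # No Override links are applied after everything else, and the outermost
    # enforced link is applied last, so a parent's enforced GPO beats the child's.
    for container in reversed(chain):
        for link in reversed(container.links):
            if link.no_override:
                effective.update(link.settings)
                applied.append(link.gpo)

    return effective, applied


def hr_example(block: bool = True) -> Tuple[Dict[str, object], List[str]]:
    """The Human Resources OU from the text with its three GPOs, under a domain
    that enforces one security GPO. Set block=False to see inheritance restored."""
    site = Container("Default-First-Site-Name",
                     [Link("SiteDefaults", {"homepage": "site", "screensaver": "site"})])
    domain = Container("example.local", [
        Link("DomainSecurity", {"lockout": 5, "screensaver": "domain-enforced"},
             no_override=True),
        Link("DomainGeneral", {"homepage": "domain"}),
    ])
    hr = Container("Human Resources", [
        Link("No ScreenSaver", {"screensaver": "off"}),
        Link("No Display Settings", {"display": "off", "screensaver": "display-gpo"}),
        Link("No Windows Update", {"update": "off"}),
    ], block_inheritance=block)
    return resolve({"screensaver": "local"}, [site, domain, hr])


if __name__ == "__main__":
    settings, order = hr_example()
    print("applied in order:", " -> ".join(order))
    print("effective:", settings)
```

With Block Inheritance on the OU, the site and domain links are skipped, the three OU GPOs are applied No Windows Update, No Display Settings, No ScreenSaver (so "No ScreenSaver", at the top of the list, wins the screensaver conflict among them), and the domain's No Override GPO is applied last and overrides the OU anyway, exactly as Q15 says it must.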

Q16. How to redirect new user and computer accounts

By default, new user and computer accounts are created in the Users and Computers containers, respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.
Editing GPOs linked to domains requires Domain Administrative permissions.
Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.


Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


which are not written to cache expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone, as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.


Directory replication is faster and more efficient than standard DNS replication

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval after which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. - F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary. The reason is that I feel there are two configurations
> that could be set up. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. - both by local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?


> VIP = 16714715
>
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                 |
>                 |
>         -----------------
>         |               |
> ----------------   --------------
> |    DNS 1     |   |   DNS 2    |
> ----------------   --------------
>     1.1.1.1           1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, is there any problem in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
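The octet inversion and the walk down the in-addr.arpa tree described in the answer above can be checked in a few lines. This is an added example, not part of the original Q&A: it builds the PTR owner name for an address, lists the succession of zones a resolver is referred through (the same chain as the 161.in-addr.arpa and 1.114.161.in-addr.arpa delegations in the text), and cross-checks the result against Python's standard library. It goes beyond the text by also handling IPv6, where the name is built from reversed hex nibbles under ip6.arpa rather than reversed octets.

```python
import ipaddress
from typing import List

# Added example (not from the original Q&A). The 161.114.1.206 address is the
# one used in the answer above; the IPv6 address is a documentation prefix.


def reverse_name(ip: str) -> str:
    """Return the owner name a resolver queries for PTR records.

    IPv4: octets reversed under in-addr.arpa (161.114.1.206 -> 206.1.114.161.in-addr.arpa).
    IPv6: all 32 hex nibbles of the expanded address reversed under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)            # also validates the input
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")   # keeps leading zeros of every group
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def delegation_path(ip: str) -> List[str]:
    """The zones a resolver may be referred through, from the arpa zone apex down
    to the full PTR owner name. Each suffix is a point where a referral can occur."""
    labels = reverse_name(ip).split(".")
    return [".".join(labels[-n:]) for n in range(2, len(labels) + 1)]


def matches_stdlib(ip: str) -> bool:
    """Cross-check: ipaddress exposes the same name as reverse_pointer."""
    return reverse_name(ip) == ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    for ip in ("161.114.1.206", "2001:db8::1"):
        print(reverse_name(ip))
        for zone in delegation_path(ip):
            print("  referral point:", zone)
```

For 161.114.1.206 the path printed is in-addr.arpa, 161.in-addr.arpa, 114.161.in-addr.arpa, 1.114.161.in-addr.arpa and finally the full name; which of those are actual zone cuts depends on how the registry and the address holder have delegated them, which is why the answer above shows ARIN handing off at 161 and Compaq serving 1.114.161.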


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mail server?

You can't. If you want to use a backup mailer, you need to use MX records.

> www  cname 192.168.0.1
> mail cname 192.168.0.1
> pop  cname 192.168.0.1
> smtp cname 192.168.0.1


These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.
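Three of the answers above (Q4 on the optional TTL field, Q5 on CNAME data having to be a name rather than an address, and Q8 on the 16-bit MX preference) are all checks on the same thing: the master-file record syntax. The parser below is an added example, not code from the Q&A or from BIND: it reads records in the "owner [ttl] [class] type rdata" form, applies the $TTL default when a record has no explicit TTL, and rejects the two mistakes discussed (an IP address as CNAME target, an MX preference outside 0..65535). The sample zone is constructed for the example; it covers only the handful of record types named here and does not handle $ORIGIN, parentheses or multi-line records.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Added example (not from the original Q&A, not BIND's parser). The zone
# below is constructed for illustration; "foo.example 300 IN A 10.0.0.1" is
# the explicit-TTL record from Q4.

CLASSES = {"IN", "CH", "HS"}
TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "TXT", "SOA"}

SAMPLE_ZONE = """\
$TTL 3600
@            IN SOA ns1.example. hostmaster.example. 2024010101 7200 900 1209600 300
@            IN NS  ns1.example.
foo.example  300 IN A 10.0.0.1
@            IN MX  10 mail.example.
mail         IN A   10.0.0.2   ; no TTL field, so $TTL applies
"""


def _looks_like_address(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_record(line: str, default_ttl: int) -> Optional[Dict]:
    """Parse one record: owner [ttl] [class] type rdata...
    The TTL and class are optional and may appear in either order."""
    line = line.split(";", 1)[0].strip()        # drop comments
    if not line or line.startswith("$"):
        return None
    fields = line.split()
    owner = fields.pop(0)
    ttl, rclass = None, "IN"
    while fields and fields[0].upper() not in TYPES:
        tok = fields.pop(0)
        if tok.isdigit():
            ttl = int(tok)                        # explicit per-record TTL (Q4)
        elif tok.upper() in CLASSES:
            rclass = tok.upper()
        else:
            raise ValueError(f"unexpected field {tok!r} before the type in {line!r}")
    if not fields:
        raise ValueError(f"no record type in {line!r}")
    rtype, rdata = fields.pop(0).upper(), fields
    if rtype == "CNAME" and (len(rdata) != 1 or _looks_like_address(rdata[0])):
        # Q5: a CNAME aliases a name to another name, never to an address
        raise ValueError(f"CNAME target must be a domain name, got {rdata!r}")
    if rtype == "MX":
        if len(rdata) != 2 or not rdata[0].isdigit() or not 0 <= int(rdata[0]) <= 65535:
            # Q8: preference is an unsigned 16-bit integer
            raise ValueError(f"MX preference must be 0..65535 in {line!r}")
        if _looks_like_address(rdata[1]):
            raise ValueError("MX exchange must be a domain name, not an address")
    return {"owner": owner, "ttl": default_ttl if ttl is None else ttl,
            "class": rclass, "type": rtype, "rdata": rdata}


def parse_zone(text: str) -> List[Dict]:
    """Parse a zone file body, tracking $TTL as the default for later records."""
    default_ttl, records = 3600, []
    for line in text.splitlines():
        match = re.match(r"\s*\$TTL\s+(\d+)", line)
        if match:
            default_ttl = int(match.group(1))
            continue
        record = parse_record(line, default_ttl)
        if record:
            records.append(record)
    return records


def validation_error(line: str, default_ttl: int = 3600) -> Optional[str]:
    """Return the parser's complaint for a single record line, or None if it is fine."""
    try:
        parse_record(line, default_ttl)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE):
        print(rec)
    print(validation_error("www CNAME 192.168.0.1"))   # the mistake from Q5
    print(validation_error("@ MX 70000 mail.example."))  # exceeds 16 bits (Q8)
```

Running it shows the foo.example record keeping its explicit 300-second TTL while the mail record inherits 3600 from $TTL, and both of the bad lines from the answers above rejected with a reason.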

Q9. Why are there only 13 root name servers?

> I'm very wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit on the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation of NS record numbers
> in the DNS packet is specified by certain RFCs, or is it just Internet policy stuff?
>
> Which one is the proper reason?


It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the FIVE FSMO roles?

Schema Master - Forest level - one per forest

Domain Naming Master - Forest level - one per forest

PDC Emulator - Domain level - one per domain

RID Master - Domain level - one per domain

Infrastructure Master - Domain level - one per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The schema master FSMO role holder is the Domain Controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object, such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure Master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure Master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure Master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.


The Schema Master and Domain Naming Master should reside on the same server and that machine should be a Global Catalog server Since all three are by default on the first domain controller installed in a forest then you can leave them as they areNote According to MS the Domain Naming master needs to be on a Global Catalog Server If you are going to separate the Domain Naming master and Schema master just make sure they are both on Global Catalog servers

IMP- Why Infrastructure Master should not be on the same server that acts as a Global Catalog serverThe Infrastructure Master should not be on the same server that acts as a Global Catalog

serverThe reason for this is the Global Catalog contains information about every object in the forest When the Infrastructure Master which is responsible for updating Active Directory information about cross domain object changes needs information about objects not in its domain it contacts the Global Catalog server for this information If they both reside on the same server then the Infrastructure Master will never think there are changes to objects that reside in other domains because the Global Catalog will keep it constantly updated This would result in the Infrastructure Master never replicating changes to other domain controllers in its domainNote In a single domain environment this is not an issue

Microsoft also recommends that the PDC Emulator and RID Master be on the same server This is not mandatory like the Infrastructure Master and the Global Catalog server above but is recommended Also since the PDC Emulator will receive more traffic than any other FSMO role holder it should be on a server that can handle the load

It is also recommended that all FSMO role holders be direct replication partners and they have high bandwidth connections to one another as well as a Global Catalog server

Q7What permissions you should have in order to transfer a FSMO role

Before you can transfer a role you must have the appropriate permissions depending on which role you plan to transfer

Schema Master member of the Schema Admins group

Domain Naming Master member of the Enterprise Admins group

PDC Emulatormember of the Domain Admins group andor the Enterprise Admins group

RID Mastermember of the Domain Admins group andor the Enterprise Admins group

Infrastructure Mastermember of the Domain Admins group andor the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out which servers in your domain/forest hold which server roles


1. Active Directory Users and Computers - use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right-click on the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see which server that role resides on. To change the server roles you must first connect to the domain controller you want to move the role to. Do this by right-clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move, and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).


2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree, and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right-clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the Support Tools you can open up a blank Microsoft Management Console (Start > Run > mmc) and add the snap-in to the console. Once the snap-in is open, right-click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out which server holds which FSMO role is by using the Netdom command-line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.


5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start > Programs > Windows 2000 Support Tools. Once open, click Edit > Add Monitored Server and add the name of a Domain Controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about, and change the servers for, FSMO roles. Ntdsutil.exe, a command-line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest /?" for syntax and switches.

Common uses:

Get a list of all DCs in the domain.

Get the name of the PDC emulator.

Query or reset the secure channel for a server.

Call DsGetDCName to query for an available domain controller.

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

httpwwwsvropscomsvropsdownloadszipfilesADcheckmsi

Q9. How to Transfer and Seize a FSMO Role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. To whom does a Domain Policy get applied?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where do you create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right-click Default-First-Site-Name (or another Site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right-click the Domain or an OU and choose Properties.

Q4. Who can Create/Modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies Applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do Group Policy scripts run?

Startup scripts are processed at computer bootup and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min interval, so the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection, Software Installation, Logon/Logoff/Startup/Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy - to refresh the user policies
secedit /refreshpolicy machine_policy - to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user - to refresh the user policies
gpupdate /target:computer - to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the Default Setting for Dial-up users?

Win2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.


If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other.

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions that control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
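The processing order in Q5, the bottom-to-top link order shown for the Human Resources OU, the numbered list under "Resolving GPOs from Multiple Sources" and the No Override and Block Inheritance options in Q15 can be combined into one small model and run. The Python below is an added example, not code from this document or from Windows; the GPO and Container classes, the resolve and sample_chain functions, and every sample GPO, container name and setting value are constructed here for illustration. Two modelling assumptions are made explicit in the comments: the local GPO is not affected by Block Inheritance (which concerns Active Directory parent containers), and when several No Override links exist, the one linked highest in the hierarchy is applied last and therefore wins.

```python
"""Toy model of Group Policy precedence: LSDOU processing order, link order
within one container, No Override links and Block Inheritance.
Added illustration; not code from the document or from Windows."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict               # setting name -> value, e.g. {"screensaver": "off"}
    no_override: bool = False    # the "No Override" link option from Q15


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # Group Policy tab order, top of list first
    block_inheritance: bool = False


def resolve(chain):
    """chain: [Local, Site, Domain, OU, nested OU, ...] outermost first.

    Returns (effective settings, GPO names in the order they were applied).
    A later GPO overwrites an earlier one, so the last GPO applied wins a conflict.
    """
    # Block Inheritance on a container discards the ordinary (non-No-Override)
    # GPOs of every Active Directory container above it. The local GPO, chain[0],
    # is not an AD container and is kept (modelling assumption). If several
    # containers block, the deepest one decides where inheritance restarts.
    first_kept = 0
    for index, container in enumerate(chain):
        if container.block_inheritance:
            first_kept = index

    order = []
    # Pass 1: ordinary links, Local -> Site -> Domain -> OUs. Inside a container
    # the list is applied bottom to top, so the GPO at the top is applied last.
    for index, container in enumerate(chain):
        if index != 0 and index < first_kept:
            continue
        for gpo in reversed(container.links):
            if not gpo.no_override:
                order.append(gpo)
    # Pass 2: No Override links, innermost container first, so the link highest
    # in the hierarchy is applied last and cannot be overridden below it
    # (modelling assumption about competing No Override links).
    for container in reversed(chain):
        for gpo in reversed(container.links):
            if gpo.no_override:
                order.append(gpo)

    effective = {}
    for gpo in order:
        effective.update(gpo.settings)
    return effective, [gpo.name for gpo in order]


def sample_chain(block_hr=True):
    """Constructed sample: the three Human Resources GPOs named in the text, plus
    a local GPO, a site GPO and a domain with one No Override link (all values
    made up for the illustration)."""
    local = Container("Local", [GPO("Local GPO", {"screensaver": "on",
                                                  "windows_update": "on",
                                                  "wallpaper": "local.bmp"})])
    site = Container("Default-First-Site-Name",
                     [GPO("Site Banner", {"logon_banner": "Site office"})])
    domain = Container("example.local", [
        GPO("Default Domain Policy", {"password_min_length": 8}),
        GPO("Corp Wallpaper", {"wallpaper": "corp.bmp"}, no_override=True),
    ])
    # Listed top to bottom as on the Group Policy tab: No ScreenSaver is applied last.
    hr = Container("Human Resources", [
        GPO("No ScreenSaver", {"screensaver": "off"}),
        GPO("No Display Settings", {"display_settings": "locked", "wallpaper": "hr.bmp"}),
        GPO("No Windows Update", {"windows_update": "off"}),
    ], block_inheritance=block_hr)
    return [local, site, domain, hr]


if __name__ == "__main__":
    settings, applied = resolve(sample_chain())
    print("Applied in order:", " -> ".join(applied))
    for key in sorted(settings):
        print(f"  {key} = {settings[key]}")
```

With Block Inheritance set on the Human Resources OU, the site and Default Domain Policy settings drop out, the three OU GPOs are applied No Windows Update, No Display Settings, No ScreenSaver exactly as the text describes, and the No Override link from the domain still lands last, so the corporate wallpaper beats the OU's own wallpaper setting. Calling sample_chain(block_hr=False) shows the plain LSDOU case where every level contributes.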

Q16. How to Redirect New User and Computer Accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.


Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


Directory replication is faster and more efficient than standard DNS replication.

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is Scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically this applies only to resource records that were added via DDNS, but you can also scavenge manually added records, also referred to as static records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval at which the DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e. F5's Big IP,
> Cisco's Content Switches, Local Directors).
> The main question being the configuration: whether to use 2
> Master/Primary Servers, or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be set up. One in which only the resolvers query the
> virtual IP address on the load balancing appliance, or actually
> configure your NS records to point to the Virtual Address so that all
> queries, i.e. both local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard of or architected such a configuration?


> VIP = 16714715
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>                  |
>                  |
>         -----------------
>         |               |
> ----------------   --------------
> |    DNS 1     |   |   DNS 2    |
> ----------------   --------------
>     1.1.1.1            1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
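The octet inversion and the walk down the reverse tree just described can be reproduced in a few lines. The Python below is an added example and not part of the document; reverse_name and delegation_points are names chosen here, and the IPv6 branch (the 32 hex nibbles of the expanded address reversed under ip6.arpa) goes beyond the IPv4 case the answer discusses. The address 161.114.1.206 is the one from the question; the example does not look anything up, it only builds the names a resolver would ask about.

```python
"""Build the reverse-mapping (PTR) owner name for an IP address and list the
names a resolver walks through from the root. Added illustration; not code
from the document."""
import ipaddress


def reverse_name(ip: str) -> str:
    """Return the domain name whose PTR record maps `ip` back to a host name.

    IPv4: the four octets reversed under in-addr.arpa (the case in the text).
    IPv6: the 32 hex nibbles of the fully expanded address reversed under ip6.arpa.
    Raises ValueError for anything that is not an IP address.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")          # "161.114.1.206" -> 4 octets
        suffix = "in-addr.arpa"
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 nibbles, leading zeros kept
        suffix = "ip6.arpa"
    return ".".join(reversed(labels)) + "." + suffix


def delegation_points(ip: str) -> list:
    """Names from the top of the reverse tree down to the PTR owner itself.

    Each entry is a place where a zone cut may exist. For 161.114.1.206 the text
    has the root servers referring to 161.in-addr.arpa (ARIN), which refers to
    1.114.161.in-addr.arpa (Compaq), which finally holds the PTR record.
    """
    labels = reverse_name(ip).split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


if __name__ == "__main__":
    target = "161.114.1.206"   # address from the question
    print("PTR owner name:", reverse_name(target))
    for name in delegation_points(target):
        print("  possible zone cut:", name)
    print("IPv6 example:", reverse_name("2001:db8::1"))  # 2001:db8::/32 is the documentation prefix
```

For the IPv4 case the first two entries are arpa and in-addr.arpa, after which each further octet adds one more level, which is why the referral chain in the answer can hand off at /8 (161.in-addr.arpa) and again at /24 (1.114.161.in-addr.arpa) boundaries.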


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mail server?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1


These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records in
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8: What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.
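The two record errors discussed above (a CNAME whose target is an IP address instead of a name, and an MX preference outside the unsigned 16-bit range) are easy to catch before a zone is loaded. The checker below is an added example written for this page, not code from the original FAQ; the record lines it parses are constructed sample data in the usual "owner TYPE rdata" form, and the four broken CNAMEs from the question above are included.

```powershell
# Added example: validate the two record mistakes covered above.
# Input lines are constructed samples, not records from the original page.

function Test-ZoneRecord {
    param([Parameter(Mandatory)][string]$Line)

    # Split "owner TYPE rdata..." on whitespace; ignore short/comment lines.
    $fields = @($Line -split '\s+' | Where-Object { $_ -ne '' })
    if ($fields.Count -lt 3 -or $fields[0].StartsWith(';')) {
        return "SKIP: '$Line' is not an owner/type/rdata record"
    }

    $owner = $fields[0]
    $type  = $fields[1].ToUpperInvariant()
    $rdata = @($fields[2..($fields.Count - 1)])

    switch ($type) {
        'CNAME' {
            # CNAME rdata is a domain name. An address literal here is an error;
            # the fix is an A (or AAAA) record for the owner name instead.
            $ip = $null
            if ([System.Net.IPAddress]::TryParse($rdata[0], [ref]$ip)) {
                return "ERROR: $owner CNAME $($rdata[0]) - CNAME must point to a name, not an address (use an A record)"
            }
            return "OK: $owner CNAME $($rdata[0])"
        }
        'MX' {
            # MX preference is a 16-bit unsigned integer, so the valid range is 0..65535.
            $pref = 0
            if (-not [int]::TryParse($rdata[0], [ref]$pref) -or $pref -lt 0 -or $pref -gt 65535) {
                return "ERROR: $owner MX preference '$($rdata[0])' is outside 0..65535"
            }
            if ($rdata.Count -lt 2) {
                return "ERROR: $owner MX $pref has no exchange name"
            }
            return "OK: $owner MX $pref $($rdata[1])"
        }
        default { return "OK: $owner $type $($rdata -join ' ')" }
    }
}

# Constructed sample zone lines: the four bad CNAMEs from the question,
# their A-record replacement, a valid MX, and an MX preference that overflows.
$sample = @(
    'www    CNAME 192.168.0.1',
    'mail   CNAME 192.168.0.1',
    'pop    CNAME 192.168.0.1',
    'smtp   CNAME 192.168.0.1',
    'www    A     192.168.0.1',
    'ftp    CNAME www.example.com.',
    '@      MX    10 mail.example.com.',
    '@      MX    70000 backup.example.com.'
)

$sample | ForEach-Object { Test-ZoneRecord -Line $_ }
```

The checker is deliberately strict about CNAME targets: any string that the .NET IP parser accepts is rejected, which also catches the common copy-paste of a bare address from an A record into a CNAME line.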

Q9: Why are there only 13 root name servers?

> I'm very much wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit on the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that there is some limitation on the number of NS records
> in a DNS packet specified by certain RFCs, or it is just Internet policy stuff.
>
> Which one is the proper reason?


It's a technical limitation. Classic UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records (the "priming" response a resolver needs before it can do anything else) will fit into a DNS message of that size. Resolvers that support EDNS0 can accept larger UDP responses, and each of the 13 names is today served by many anycast instances, but the root NS set was sized for the 512-byte limit.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1: Which are the FIVE FSMO roles?

Schema Master: forest level, one per forest

Domain Naming Master: forest level, one per forest

PDC Emulator: domain level, one per domain

RID Master: domain level, one per domain

Infrastructure Master: domain level, one per domain

Q2: What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It holds the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema; once a schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master in the forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain the PDC emulator role holder performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.

- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.

- Account lockout is processed on the PDC emulator.

- Time synchronization for the domain (the PDC emulator is the authoritative time source for the domain).

- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: some consider the PDC emulator to be relevant only in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in the domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure Master is the DC responsible for updating an object's SID and distinguished name in such a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure Master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure Master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure Master per domain.

Q3: What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly by an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO to create the first DC of a new domain or to demote the last DC of an existing one). If it is not available, the domain cannot be added or removed. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs, and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure is less immediately visible, but the functions listed in Q2 (urgent password replication, bad-password forwarding, account lockout processing, time synchronization and Group Policy editing) still depend on it, so the role should be transferred, or seized if the old holder is not coming back.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are creating the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are adding objects from one domain to groups in another, because the cross-domain references (name and SID) would no longer be kept up to date.

Q4: Where are these FSMO server roles found?

The first domain controller installed in a forest holds all five FSMO roles by default; the first domain controller installed in each additional domain holds that domain's three domain-level roles. Then, as more domain controllers are added, the FSMO roles can be moved to other domain controllers.

Q5: Can you move FSMO roles?

Yes. Moving a FSMO role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All five FSMO roles will exist on that DC. There is no rule that says you have to have one server for each FSMO role.

Q6: Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO roles.


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: according to Microsoft, the Domain Naming Master needs to be on a Global Catalog server (a Windows 2000 requirement). If you are going to separate the Domain Naming Master and the Schema Master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server.

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it compares its own references against the Global Catalog. If both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog keeps it constantly updated. This would result in the Infrastructure Master never replicating those changes to the other domain controllers in its domain. Note: in a single domain environment this is not an issue, and neither is it an issue if every DC in the domain is a Global Catalog server, because then there are no non-GC DCs that need the updates.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is a recommendation rather than a rule like the Infrastructure Master and Global Catalog placement above. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high-bandwidth connections to one another as well as to a Global Catalog server.

Q7: What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, depending on which role you plan to transfer. Seizing a role requires the same group memberships as transferring it.

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group

RID Master: member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8: Tools to find out which servers in your domain/forest hold which roles


1. Active Directory Users and Computers: use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these three FSMO roles.

Open Active Directory Users and Computers, right click the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each domain-level FSMO role. Click each tab to see which server that role resides on. To change a role holder you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC you will notice the name of that DC in the field below the Change button (not in this graphic).


2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as when viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except that you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. You will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller and then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD or install the Windows 2000 Server Resource Kit, and then register the snap-in by running regsvr32 schmmgmt.dll so that it appears in the list of available snap-ins. Once that is done you can open a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out which server holds which FSMO role is the Netdom command-line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Windows 2000 Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.


5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the five FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes with regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the ntdsutil.exe utility to gather information about and change the servers for FSMO roles. Ntdsutil.exe, a command-line utility installed with Windows 2000 Server, is rather complicated and beyond the scope of this document. It is, however, the built-in tool you need to seize a role when the current holder is permanently offline (see Q9).

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints the current FSMO holders to the screen.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest /?" for syntax and switches.

Common uses:

- Get a list of all DCs in the domain

- Get the name of the PDC emulator

- Query or reset the secure channel for a server

- Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (third party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9: How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
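On current Windows servers the same information that netdom query fsmo and ntdsutil give you is available from the ActiveDirectory PowerShell module. The script below is an added example for this page, not code from the original document or from Microsoft: it lists the five role holders, applies the placement check from Q6 (the Infrastructure Master should not be on a Global Catalog unless every DC in the domain is one, or the forest has a single domain), and shows the cmdlet that is the PowerShell counterpart of the ntdsutil transfer and seize operations referenced in Q9. It assumes that RSAT (the ActiveDirectory module) is installed and that the caller can read the forest; the DC name DC02 in the commented transfer commands is a placeholder.

```powershell
# Added example: FSMO role holders plus the Q6 placement check.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # The two forest-wide roles come from the forest object, the three
    # domain-wide roles from the domain object (all returned as FQDNs).
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    # Map each DC of this domain to its Global Catalog status.
    $dcs     = @(Get-ADDomainController -Filter * -Server $Domain)
    $gcByDc  = @{}
    foreach ($dc in $dcs) { $gcByDc[$dc.HostName] = [bool]$dc.IsGlobalCatalog }
    $allGc   = (@($dcs | Where-Object { $_.IsGlobalCatalog }).Count -eq $dcs.Count)
    $multiDomain = ($forest.Domains.Count -gt 1)

    foreach ($name in $roles.Keys) {
        $holder = $roles[$name]
        # Forest-wide roles may live in another domain, where we did not enumerate DCs.
        $isGc   = if ($gcByDc.ContainsKey($holder)) { $gcByDc[$holder] } else { $null }
        $finding = ''
        if ($name -eq 'Infrastructure Master' -and $isGc -eq $true -and $multiDomain -and -not $allGc) {
            $finding = 'WARN: Infrastructure Master is a GC while other DCs are not; cross-domain references will not be refreshed'
        }
        elseif ($name -eq 'Domain Naming Master' -and $isGc -eq $false) {
            $finding = 'NOTE: Domain Naming Master is not a GC (required on Windows 2000 forests)'
        }
        [pscustomobject]@{
            Role            = $name
            Holder          = $holder
            IsGlobalCatalog = $isGc
            Finding         = $finding
        }
    }
}

Get-FsmoPlacementReport | Format-Table -AutoSize

# Transfer a role to DC02 (placeholder name). With -Force the cmdlet seizes the
# role instead, for the case where the old holder is permanently gone; never
# bring the old holder back online after a seizure without demoting it first.
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole RIDMaster -Force
```

The report deliberately leaves IsGlobalCatalog empty for a forest-wide role holder that sits in a different domain than the one queried, rather than reporting it as "not a GC"; run the function once per domain if you need the full picture.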


GROUP POLICY

Q1: What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their display settings, or you want to ensure certain applications are installed on computers, all of this can be done with Group Policies.

Group Policies can be configured either locally or as domain policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure or modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers; they cannot be used on Win9x or Windows NT computers.

Q2: Domain policy gets applied to whom?

Domain policies are applied to computers and users that are members of a domain, and these policies are configured on domain controllers. You can access domain Group Policies by opening Active Directory Sites and Services (these policies apply at the site level only) or Active Directory Users and Computers (these policies apply to the domain and/or organizational units).

Q3: From where to create a Group Policy?

To create a domain Group Policy Object, open Active Directory Sites and Services, right click Default-First-Site-Name (or another site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except that you right click the domain or an OU and choose Properties.

Q4: Who can create/modify Group Policies?

You have to have administrative privileges to create or modify Group Policies. The following list shows who can create or modify Group Policies at each level.

Policy type: allowable groups/users

Site level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU level Group Policies: Enterprise Administrators, Domain Administrators, or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control of the OU's Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created Group Policies to the OU. If you want to give the OU administrators control over creating/modifying Group Policies, add them to the Group Policy Creator Owners group for the domain. Note that membership in that group lets a user create new GPOs and edit the ones they created; it does not by itself grant the right to link a GPO to a site, domain or OU, which is a permission on the container.

Local Group Policies: the local Administrator user account or members of the local Administrators group.

Q5: How are Group Policies applied?

Group Policies can be configured locally, at the site level, the domain level or at the organizational unit (OU) level. Group Policies are applied in a specific order, LSDOU: local policies first, then site-based policies, then domain level policies, then OU policies, then nested OU policies (OUs within OUs). Because later policies override earlier ones where settings conflict, the policy closest to the object normally wins. Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, domains and OUs are considered container objects.

Computer and user Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally's user object can be in one OU while her computer object is in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to which objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole: whoever logs onto that computer will get those policies. Note: computer policies are also referred to as machine policies.

User policies are user specific; they only apply to the user that is logged on. When creating domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable a node's policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally's user object is in the Security OU, which is nested inside the Development OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated and then applied.


When computers boot up, the computer policies are applied. When users log in, the user policies are applied. When the same setting exists in both the Computer and User nodes and the two conflict, the computer setting wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When multiple Group Policy Objects are linked to one container, they are processed from the bottom to the top of the Group Policy Object list. The top Group Policy in the list is the last to be applied and therefore has the highest precedence. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6: How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes take effect immediately; there is no saving of GPOs. To prevent a partially configured GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double click under the Disabled column; a check mark will appear. Click the Edit button, make your changes, then double click under the Disabled column again to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7: When do Group Policy scripts run?

Startup scripts are processed at computer boot, before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8: When does Group Policy get refreshed/applied?

Group Policies are applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called background refresh.

Background refresh for non-DCs (PCs and member servers) runs every 90 minutes, with a random offset of up to 30 minutes added so that all clients do not refresh at once (so between 90 and 120 minutes). For DCs (domain controllers) the background refresh is every 5 minutes. Also, every 16 hours the security settings are reapplied on every computer even if the GPOs have not changed, so a locally tampered security setting is put back. These intervals can be changed under the Computer and User nodes, Administrative Templates, System, Group Policy.

Q9: Which policies are not affected by background refresh?

Policies not affected by background refresh (these are only processed at computer startup or user logon):

Folder Redirection, Software Installation, Logon/Logoff/Startup/Shutdown scripts

Q9: How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh Group Policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command-line tool that can be used to refresh Group Policies on a Windows XP (or later) computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

gpupdate /force

Notice that the /force switch applies to both user and computer policies unless combined with /target; there is no separate enforce parameter per policy type as there is with secedit.

Q10: What is the default setting for dial-up users?

Windows 2000 considers a slow link to be anything below 500 Kbps. When a user logs into a domain over a link under 500 Kbps, some policies are not applied.

Windows 2000 automatically detects the speed of the dial-up connection and decides accordingly which Group Policies to apply.

Q11: Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12: Which policies do not get applied over slow links?

IE Maintenance settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These defaults can be changed under the Computer and User nodes, Administrative Templates, System, Group Policy (each extension has its own slow link policy setting).


If the user connects to the domain using "Logon using dial-up connection" from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after logging on, the policies are applied using the standard refresh cycle.

Q13: Which are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy: this GPO can be found under the Group Policy tab for the domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

These three policies only take effect for domain accounts when set at the domain level. If you set them anywhere else (site or OU), they are ignored for domain accounts. However, setting them at the OU level does affect the local account database of the computers in that OU, i.e. users who log on locally to those PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are three policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires

Rename Administrator Account: when set at the domain level it affects the domain Administrator account only

Rename Guest Account: when set at the domain level it affects the domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but that is not recommended.

Default Domain Controllers Policy: this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain regardless of where you put them. That is, no matter which OU you put your domain controllers in, they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.


Q14: How to restore Group Policy settings back to default?

The following command replaces both the Default Domain Policy and the Default Domain Controllers Policy. You can specify Domain or DC instead of Both to restore only one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO, and that it overwrites the existing default GPOs without keeping a copy of them.

If you've ever made changes to the default GPOs and would like to revert to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which restores the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not yet installed it on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and of the dcgpofix utility was installed on dc1.
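Because dcgpofix does not keep a copy of what it overwrites, the safe procedure is to back up both default GPOs first, so that a hardening setting someone added to the Default Domain Policy can be recovered afterwards. The function below is an added example for this page (not part of the original document and not a Microsoft tool); it assumes the GroupPolicy module from RSAT/GPMC is installed and that it is run on a domain controller of the target domain, and the backup folder C:\GPOBackup is a placeholder path.

```powershell
# Added example: back up the default GPOs, then reset them with dcgpofix.
# Assumes the GroupPolicy module (RSAT / GPMC) and a DC in the target domain.
Import-Module GroupPolicy

function Reset-DefaultGpo {
    param(
        [ValidateSet('Domain', 'DC', 'Both')][string]$Target = 'Both',
        # Placeholder backup location; use a share that is itself backed up.
        [string]$BackupPath = "C:\GPOBackup\$(Get-Date -Format 'yyyyMMdd-HHmmss')",
        [switch]$IgnoreSchema
    )

    $names = switch ($Target) {
        'Domain' { @('Default Domain Policy') }
        'DC'     { @('Default Domain Controllers Policy') }
        'Both'   { @('Default Domain Policy', 'Default Domain Controllers Policy') }
    }

    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

    # Backup-GPO writes the GPO (settings, ACLs, links are NOT included) to the
    # folder and returns an object whose Id is the backup identifier.
    foreach ($name in $names) {
        $backup = Backup-GPO -Name $name -Path $BackupPath -Comment "Before dcgpofix /target:$Target"
        Write-Host ("Backed up '{0}' as backup {1} in {2}" -f $name, $backup.Id, $BackupPath)
    }

    # Only pass /ignoreschema for the schema-version mismatch described above.
    $args = @("/target:$Target")
    if ($IgnoreSchema) { $args += '/ignoreschema' }
    & dcgpofix.exe @args
}

# Usage:
#   Reset-DefaultGpo -Target Both
# To put a saved version back later:
#   Restore-GPO -Name 'Default Domain Policy' -Path C:\GPOBackup\<timestamp>
```

dcgpofix asks for confirmation interactively before it rewrites anything, so run the function from an elevated console rather than a scheduled task. Links to sites, domains and OUs are not part of a GPO backup; if you had linked the default GPOs elsewhere, note those links before resetting.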

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: the local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs (nested OUs). In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single


Q15: What are the two exceptions that control the inheritance of Group Policy?

No Override: when you link a GPO to a container, you can configure the No Override option (called Enforced in the Group Policy Management Console), which prevents settings in that GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: you can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set on a link, the child container cannot block inheritance of that GPO.
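The processing order from Q5, the bottom-to-top link order within one container, and the two exceptions above combine into a single rule set that is easy to get wrong in an interview or a troubleshooting session. The function below is an added example written for this page, not code from the original document; it models that rule set on constructed data (the container, GPO and OU names are made up, the Human Resources links reuse the three GPO names from the image discussed in Q5) and returns the order in which the GPOs would be applied, last one winning on conflicts.

```powershell
# Added example: model LSDOU processing with link order, No Override (Enforced)
# and Block Inheritance. All container and GPO names are constructed.

function Resolve-GpoProcessingOrder {
    param(
        # Containers from the outermost (site) down to the OU holding the object.
        # Each entry has Name, BlockInheritance and Links; Links is in the order
        # shown on the Group Policy tab, i.e. the top entry has highest precedence.
        [Parameter(Mandatory)][object[]]$Path,
        [string]$LocalGpo = 'Local GPO'
    )

    $normal   = New-Object System.Collections.Generic.List[string]
    $enforced = New-Object System.Collections.Generic.List[string]

    foreach ($container in $Path) {
        if ($container.BlockInheritance) {
            # Block Inheritance discards everything inherited so far, except
            # No Override links, which a child cannot block.
            $normal.Clear()
        }
        # Bottom of the list is processed first, top is processed last.
        $links = @($container.Links)
        for ($i = $links.Count - 1; $i -ge 0; $i--) {
            $link = $links[$i]
            if ($link.Enforced) { $enforced.Add($link.Name) } else { $normal.Add($link.Name) }
        }
    }

    # No Override links are applied after everything else, and an enforced link
    # on a parent beats an enforced link on a child, so reverse container order.
    $enforced.Reverse()
    return @($LocalGpo) + $normal.ToArray() + $enforced.ToArray()
}

# Constructed hierarchy: site -> domain -> Human Resources OU (which blocks inheritance).
$path = @(
    @{ Name = 'Default-First-Site-Name'; BlockInheritance = $false
       Links = @(@{ Name = 'Site Security Baseline'; Enforced = $true }) },
    @{ Name = 'corp.example'; BlockInheritance = $false
       Links = @(@{ Name = 'Default Domain Policy'; Enforced = $false }) },
    @{ Name = 'OU=Human Resources'; BlockInheritance = $true
       Links = @(
           @{ Name = 'No ScreenSaver';       Enforced = $false },  # top of the list, applied last
           @{ Name = 'No Display Settings';  Enforced = $false },
           @{ Name = 'No Windows Update';    Enforced = $false }   # bottom of the list, applied first
       ) }
)

# Expected order: Local GPO, No Windows Update, No Display Settings, No ScreenSaver,
# Site Security Baseline. The Default Domain Policy is dropped by Block Inheritance,
# while the enforced site link survives it and is applied last.
Resolve-GpoProcessingOrder -Path $path
```

The model covers registry-based settings, where later policies override earlier ones; it does not apply to the IPSec and EFS extensions noted earlier, which are not additive, and it ignores loopback processing and security filtering, both of which can remove a GPO from the list entirely.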

Q16: How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: redirusr.exe redirects user accounts and redircomp.exe redirects computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO, and administrators could move the accounts to a more appropriate location later. The redirection only affects accounts created without an explicit container (for example by older tools or scripts); accounts created with an explicit OU path still land there. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com

Q17. What permissions should an administrator have to manage GPOs?

- Editing GPOs linked to sites requires Enterprise Administrative permissions.
- Editing GPOs linked to domains requires Domain Administrative permissions.
- Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

- Windows 95/98/Me do not support Group Policy.
- Windows NT 4.0 and earlier versions do not support Group Policy.
- Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.
- Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


> VIP = 16714715
> ------------------------------------
>         Load Balancer Device
> ------------------------------------
>           |            |
>      -----------  -----------
>      |  DNS 1  |  |  DNS 2  |
>      -----------  -----------
>        1.1.1.1      1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case you don't need to worry about NS records (since resolvers don't use them), just about setting up a virtual IP address.

> Also, are there any problems in running two Masters/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records, please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends in-addr.arpa. So in this case the IP address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to the 1.114.161.in-addr.arpa name servers, run by Compaq. And finally, these name servers map the IP address to inmail.compaq.com.
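The octet inversion and the referral walk described above, as an added Python example (not code from the FAQ author): reverse_name builds the PTR query name, and referral_chain lists the candidate zone cuts a resolver can be referred through for an IPv4 address. The IPv6 branch (ip6.arpa) is a generalisation beyond the text, and the chain lists every octet boundary, whether or not a real delegation exists there; matches_stdlib cross-checks the result against the standard library's reverse_pointer property.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Build the domain name a resolver queries for PTR records.

    IPv4: the octets are inverted and in-addr.arpa appended, exactly as the
    answer above describes (161.114.1.206 -> 206.1.114.161.in-addr.arpa).
    IPv6 (an extension beyond the page): every hex nibble of the expanded
    address is inverted and ip6.arpa appended.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def matches_stdlib(ip: str) -> bool:
    """Cross-check against the standard library's own reverse_pointer property."""
    return reverse_name(ip) == ipaddress.ip_address(ip).reverse_pointer


def referral_chain(ip: str) -> list:
    """Zones a resolver may be referred through, root first, for an IPv4 PTR query.

    Candidate delegation points sit at each octet boundary, so for 161.114.1.206
    the walk is: the root, then 161.in-addr.arpa (the registry, ARIN in the
    example), then 114.161.in-addr.arpa, then 1.114.161.in-addr.arpa (the
    address holder), ending at the full owner name.  Real delegations do not
    have to exist at every boundary; this lists where they can be.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("referral_chain models IPv4 delegation only")
    labels = reverse_name(ip).split(".")     # e.g. 206 1 114 161 in-addr arpa
    chain = ["."]
    for depth in range(1, 5):                # peel off one more octet each step
        chain.append(".".join(labels[-2 - depth:]))
    return chain


if __name__ == "__main__":
    for ip in ("161.114.1.206", "2001:db8::1"):
        print(ip, "->", reverse_name(ip))
    print(" -> ".join(referral_chain("161.114.1.206")))
```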


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> set up a primary and a single slave server and run caching-only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example.   300   IN   A   10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain,
> and I'm not sure that I have DNS set up properly. If the machine
> that is running the mail is the name of the domain, does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX
> record for a backup mail server?

You can't. If you want to use a backup mailer, you need to use MX records.

> www    cname   192.168.0.1
> mail   cname   192.168.0.1
> pop    cname   192.168.0.1
> smtp   cname   192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example:

www   CNAME   foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work, or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm very much wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit on the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that there is some limitation on the number of NS records
> in a DNS packet specified by certain RFCs, or it is just Internet policy stuff.
>
> Which one is the proper reason?

It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the five FSMO roles?

- Schema Master: forest level, one per forest
- Domain Naming Master: forest level, one per forest
- PDC Emulator: domain level, one per domain
- RID Master: domain level, one per domain
- Infrastructure Master: domain level, one per domain

Q2. What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain, the PDC emulator role holder performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in the domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.

There is one RID master per domain in a directory.
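The pool mechanism just described, as an added toy model in Python (an illustration written for this page, not Microsoft's implementation): one RidMaster hands out disjoint ranges from the unallocated pool, each DomainController stamps new principals with domain SID plus a fresh RID, requests a standby pool once its active pool falls below a threshold, and keeps working from what it already holds if the master is unavailable (the failure mode discussed under Q3 below). The domain SID, pool size and threshold are constructed values.

```python
# Constructed toy model of RID pool allocation; an illustration, not Microsoft's
# implementation. The domain SID, pool size and threshold are made-up values.
DOMAIN_SID = "S-1-5-21-1000000000-2000000000-3000000000"  # constructed domain SID
POOL_SIZE = 500         # RIDs handed out per request (illustrative value)
REFILL_THRESHOLD = 100  # a DC asks for a standby pool once fewer than this remain


class RidMaster:
    """The single DC per domain that hands out disjoint RID ranges."""

    def __init__(self, first_free: int = 1000):
        self.next_rid = first_free   # constructed start of the unallocated pool
        self.available = True        # set False to simulate the role holder being down

    def allocate_pool(self) -> range:
        if not self.available:
            raise RuntimeError("RID master unavailable")
        start, self.next_rid = self.next_rid, self.next_rid + POOL_SIZE
        return range(start, start + POOL_SIZE)


class DomainController:
    """Any DC: creates principals from its own pool and refills ahead of time."""

    def __init__(self, name: str, master: RidMaster):
        self.name, self.master = name, master
        self.active = []    # RIDs left in the pool being consumed
        self.standby = []   # next pool, requested before the active one runs dry
        self.requests = 0   # how many times this DC asked the RID master

    def _request_pool(self) -> None:
        try:
            self.standby = list(self.master.allocate_pool())
            self.requests += 1
        except RuntimeError:
            pass   # master down: keep creating from what is already held locally

    def create_principal(self, sam_name: str) -> str:
        """Return the SID (domain SID + fresh RID) for a new user, group or computer."""
        if not self.active:
            if not self.standby:
                self._request_pool()
            self.active, self.standby = self.standby, []
        if not self.active:
            raise RuntimeError(f"{self.name}: out of RIDs, cannot create {sam_name}")
        rid = self.active.pop(0)
        if len(self.active) < REFILL_THRESHOLD and not self.standby:
            self._request_pool()   # below threshold: ask for more while still able to work
        return f"{DOMAIN_SID}-{rid}"


if __name__ == "__main__":
    master = RidMaster()
    dc1, dc2 = DomainController("DC1", master), DomainController("DC2", master)
    print(dc1.create_principal("alice"), dc2.create_principal("bob"))
```

Because each DC draws from its own range, SIDs stay unique across DCs without any coordination per object; only pool refills touch the role holder, which is why its outage is harmless until a DC exhausts its local RIDs.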

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a domain controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: according to MS, the Domain Naming Master needs to be on a Global Catalog server. If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP: Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: in a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog server rule above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

- Schema Master: member of the Schema Admins group
- Domain Naming Master: member of the Enterprise Admins group
- PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
- RID Master: member of the Domain Admins group and/or the Enterprise Admins group
- Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Which tools find out what servers in your domain/forest hold which server roles?

1. Active Directory Users and Computers: use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC in the field below the Change button.

2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the Operations Master dialog box. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the Support Tools, you can open up a blank Microsoft Management Console (Start > Run > mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the Operations Master dialog box. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start > Programs > Windows 2000 Support Tools. Once open, click Edit > Add Monitored Server and add the name of a domain controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles. You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest" for syntax and switches.

Common uses:

- Get a list of all DCs in the domain
- Get the name of the PDC emulator
- Query or reset the secure channel for a server
- Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a domain, and these policies are configured on domain controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where do you create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services, right click Default-First-Site-Name or another site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following shows who can create/modify group policies at each level.

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default, only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default, only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, at the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: local policies first, then site based policies, then domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and user Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration. The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies, you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the computer policies are applied. When users log in, the user policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. For example, with three Group Policy Objects associated with the Human Resources OU, listed as No Windows Update, No Display Settings and No ScreenSaver, these policies would be applied No ScreenSaver first, then No Display Settings, then No Windows Update. If there were any conflicts in the policy settings, the one above it would take precedence.
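The precedence rules above (LSDOU order, bottom-to-top application within one container's list, and the No Override and Block Inheritance exceptions from Q15 earlier on this page), worked through as an added Python model that is not part of the original document and not Microsoft's policy engine. The Human Resources OU with its three GPOs is the scenario from the text; the site, domain and local GPOs, their settings and the "DomainPW" and "SiteProxy" names are constructed for the demonstration. effective_policy returns the merged settings together with the name of the GPO that set each one, so you can see which rule decided each value.

```python
# Constructed model of how linked GPOs combine; an illustration of the rules in
# the text, not Microsoft's policy engine.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False   # the link's "No Override" option


@dataclass
class Container:
    """A site, domain or OU. gpos is in Group Policy tab order: top of the list first."""
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False


def effective_policy(local_gpo, chain):
    """Combine the local GPO and the Site -> Domain -> OU -> nested OU chain.

    Rules modelled (LSDOU):
      * the local GPO is applied first, so anything in AD overrides it;
      * containers are applied parent-first, so the closest container wins;
      * within one container the list is applied bottom to top, so the top wins;
      * Block Inheritance on a container discards the normal links inherited
        from every ancestor (the local GPO is always applied);
      * No Override links survive a block and are applied last; if several
        are enforced, the one nearest the root has the highest precedence.
    Returns (settings, origin); origin names the GPO that set each value.
    """
    enforced, normal = [], []           # both kept highest precedence first
    for container in chain:
        if container.block_inheritance:
            normal = []                 # drop everything inherited so far
        enforced += [g for g in container.gpos if g.no_override]
        normal = [g for g in container.gpos if not g.no_override] + normal
    precedence = enforced + normal + ([local_gpo] if local_gpo else [])
    settings, origin = {}, {}
    for gpo in reversed(precedence):    # lowest precedence first, so later writes win
        for key, value in gpo.settings.items():
            settings[key], origin[key] = value, gpo.name
    return settings, origin


def hr_example(block=True, enforce_domain=True):
    """The Human Resources OU scenario from the text, with constructed settings."""
    local = GPO("Local", {"proxy": "local", "wallpaper": "local"})
    site = Container("Default-First-Site", [GPO("SiteProxy", {"proxy": "site-proxy"})])
    domain = Container("Domain", [GPO("DomainPW", {"min_pw_len": 8, "screensaver": "on"},
                                      no_override=enforce_domain)])
    hr = Container("Human Resources", [
        GPO("No Windows Update", {"windows_update": "disabled", "screensaver": "hr-top"}),
        GPO("No Display Settings", {"display_settings": "locked", "screensaver": "hr-mid"}),
        GPO("No ScreenSaver", {"screensaver": "none"}),
    ], block_inheritance=block)
    return effective_policy(local, [site, domain, hr])


if __name__ == "__main__":
    settings, origin = hr_example()
    for key in sorted(settings):
        print(f"{key:16} = {settings[key]!s:10} (from {origin[key]})")
```

With Block Inheritance set on the OU, the site's proxy setting is discarded and the local value shows through, while the enforced domain GPO still wins the screensaver conflict over all three OU links; with the block removed the site value reappears, and with No Override removed the top OU link ("No Windows Update") decides the screensaver.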

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 minutes with a +/- 30 minute random interval, so the refresh could be 60, 90 or 120 minutes. For DCs (domain controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes at Administrative Templates > System > Group Policy.

Q9. Which policies are not affected by background refresh?

The following policies are not affected by background refresh; they are only applied at logon time:

- Folder Redirection
- Software Installation
- Logon, Logoff, Startup and Shutdown Scripts

Q9 How to refresh Group Policies suing the command line

Seceditexe is a command line tool that can be used to refresh group policies on a Windows 2000 computer To use secedit open a command prompt and type

secedit refreshpolicy user_policy to refresh the user policiessecedit refreshpolicy machine_policy to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh To force a reload of all group policies regardless of the last change use

secedit refreshpolicy user_policy enforcesecedit refreshpolicy machine_policy enforce

43

Gpupdateexe is a command line tool that can be used to refresh group policies on a Windows XP computer It has replaced the secedit command To use gpupdate open a command prompt andtype

gpupdate targetuser to refresh the user policiesgpupdate targetmachine to refresh the machine (or computer) policies

As with secedit these parameters will only refresh any user or computer policies that have changed since the last refresh To force a reload of all group policies regardless of the last change use

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Windows 2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

- Administrative Templates
- Security Settings
- EFS Recovery
- IPSec

Q12. Which policies do not get applied over slow links?

- IE Maintenance Settings
- Folder Redirection
- Scripts
- Disk Quota settings
- Software Installation and Maintenance

These settings can be changed under the Computer and User nodes > Administrative Templates > System > Group Policy.


If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.
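The rules in Q8 through Q12 above (the 90 +/- 30 minute refresh for members and 5 minutes for DCs, the 500 kbps slow-link threshold, the categories skipped on background refresh and the categories skipped over slow links) can be modelled as one small decision function. The following is an added example written for this page, not code from the document or from Windows; the category names are shortened from the lists above and the helper functions are my own.

```python
"""Model of which Group Policy categories are processed for a given
trigger (logon/boot or background refresh) and link speed, using the
figures from the FAQ. Added example; all names are constructed."""
import random

SLOW_LINK_KBPS = 500   # Windows 2000 treats anything below this as a slow link
FULL_REAPPLY_HOURS = 16  # every 16 hours the client asks for every policy to be reapplied

# Only processed at logon/boot, never during a background refresh (Q9)
LOGON_ONLY = {"Folder Redirection", "Software Installation", "Scripts"}

# Processed whatever the link speed (Q11)
ALWAYS_APPLIED = {"Administrative Templates", "Security Settings",
                  "EFS Recovery", "IPSec"}

# Skipped when the link is slow (Q12)
SKIPPED_ON_SLOW_LINK = {"IE Maintenance", "Folder Redirection", "Scripts",
                        "Disk Quota", "Software Installation"}

ALL_CATEGORIES = ALWAYS_APPLIED | SKIPPED_ON_SLOW_LINK


def is_slow_link(link_kbps):
    """Slow-link detection as the FAQ states it: strictly below 500 kbps."""
    return link_kbps < SLOW_LINK_KBPS


def categories_to_apply(trigger, link_kbps):
    """Return the set of policy categories processed for this trigger and link.

    trigger: "logon" (boot or interactive logon) or "background" (timed refresh).
    """
    if trigger not in ("logon", "background"):
        raise ValueError(f"unknown trigger {trigger!r}")
    selected = set(ALL_CATEGORIES)
    if trigger == "background":
        selected -= LOGON_ONLY            # these wait for the next logon/boot
    if is_slow_link(link_kbps):
        selected -= SKIPPED_ON_SLOW_LINK  # these are skipped on a slow link
    return selected


def next_refresh_minutes(is_domain_controller, rng=random):
    """Delay until the next background refresh.

    DCs refresh every 5 minutes; members every 90 minutes with a random
    offset of up to 30 minutes either way, so anywhere from 60 to 120.
    """
    if is_domain_controller:
        return 5
    return 90 + rng.randint(-30, 30)


def full_reapply_due(hours_since_last_full_apply):
    """True when the periodic forced reapplication of all policies is due."""
    return hours_since_last_full_apply >= FULL_REAPPLY_HOURS


if __name__ == "__main__":
    for trigger in ("logon", "background"):
        for kbps in (56, 1000):
            print(trigger, kbps, sorted(categories_to_apply(trigger, kbps)))
    print("next member refresh in", next_refresh_minutes(False), "minutes")
```

Note that a slow-link logon and a fast-link background refresh both leave Folder Redirection, Software Installation and Scripts unprocessed, which is why a user on dial-up can go a long time without ever receiving those settings.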

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

- Password Policy
- Account Lockout Policy
- Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU), they are ignored. However, setting these 3 policies at the OU level will have the effect of setting them for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

- Automatically log off users when logon time expires
- Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
- Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which restores the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.

Q16. How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts.

Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later.

You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

- Editing GPOs linked to sites requires Enterprise Administrative permissions.
- Editing GPOs linked to domains requires Domain Administrative permissions.
- Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

- Windows 95/98/Me do not support Group Policy.
- Windows NT 4.0 and earlier versions do not support Group Policy.
- Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.


- Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up DNS servers in several locations for my business. I have looked into having a primary master server running in my server room and adding slave servers in the other areas. I then thought I could just set up a primary and a single slave server and run caching-only servers in the other areas. What are the pros and cons of these two options, or should I run a slave server in every location and still have a caching server with it? I just don't know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain, and I'm not sure that I have DNS set up properly. If the machine that is running the mail is the name of the domain, does there need to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX record for a backup mailserver?

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1


These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records in the zone we are authoritative for? The parent name server handles these already. Is there any problem if our own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is all this traffic happening on TCP? For example, if you have ACLs blocking UDP traffic but allowing TCP traffic, will the transfer work, or will it fail due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.
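The three zone-file rules above (Q4: an explicit TTL sits between the owner and the class; Q5: a CNAME target must be a domain name, never an IP address; Q8: an MX preference is an unsigned 16-bit value) are easy to get wrong by hand, so a small checker is useful before loading a zone. The following is an added example written for this page, not BIND code and not part of the FAQ; it accepts records in the `owner [ttl] [class] type rdata` shape, and the `DEFAULT_TTL` and the sample records are constructed values.

```python
"""Checker for a few zone-file resource record rules. Added example;
not from BIND or the FAQ. Record lines in the test are constructed."""
import ipaddress
import re

MAX_MX_PREFERENCE = 65535   # the MX preference field is an unsigned 16-bit number
DEFAULT_TTL = 3600          # assumed zone-wide default applied when no TTL field is present

# Owner / target names: dot-separated labels, optionally absolute (trailing dot), or "@"
NAME_RE = re.compile(r"^(?:[A-Za-z0-9_-]+\.)*[A-Za-z0-9_-]+\.?$|^@$")
CLASSES = ("IN", "CH", "HS")


def is_ip_address(text):
    """True for anything the ipaddress module accepts as an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_record(line, default_ttl=DEFAULT_TTL):
    """Split one record into (owner, ttl, class, type, rdata_fields).

    The TTL and class are optional; when the TTL is present it is the
    numeric field between the owner and the class, as the FAQ describes.
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"too few fields: {line!r}")
    owner, rest = fields[0], fields[1:]
    ttl = default_ttl
    if rest[0].isdigit():               # explicit per-record TTL
        ttl, rest = int(rest[0]), rest[1:]
    rclass = "IN"
    if rest and rest[0].upper() in CLASSES:
        rclass, rest = rest[0].upper(), rest[1:]
    if not rest:
        raise ValueError(f"missing record type: {line!r}")
    return owner, ttl, rclass, rest[0].upper(), rest[1:]


def check_record(line):
    """Return a list of problems found in the record; an empty list means it passed."""
    owner, ttl, rclass, rtype, rdata = parse_record(line)
    problems = []
    if not NAME_RE.match(owner):
        problems.append(f"owner {owner!r} is not a valid domain name")
    if rtype == "A":
        ok = len(rdata) == 1 and is_ip_address(rdata[0]) \
            and ipaddress.ip_address(rdata[0]).version == 4
        if not ok:
            problems.append("A record needs exactly one IPv4 address")
    elif rtype == "CNAME":
        # The rule from Q5: the alias target is a name, not an address.
        if len(rdata) != 1 or is_ip_address(rdata[0]) or not NAME_RE.match(rdata[0]):
            problems.append("CNAME target must be a domain name, not an IP address")
    elif rtype == "MX":
        if len(rdata) != 2 or not rdata[0].isdigit():
            problems.append("MX needs a numeric preference followed by a mail host")
        else:
            pref, exchange = int(rdata[0]), rdata[1]
            if pref > MAX_MX_PREFERENCE:
                problems.append(f"MX preference {pref} exceeds the 16-bit maximum {MAX_MX_PREFERENCE}")
            if is_ip_address(exchange) or not NAME_RE.match(exchange):
                problems.append("MX exchange must be a host name, not an IP address")
    return problems


def check_zone(lines):
    """Check several records; returns {line: problems} for the ones that failed."""
    return {line: probs for line in lines if (probs := check_record(line))}
```

Running `check_zone` over the four CNAME lines quoted in Q5 flags every one of them, while `www CNAME foo.example.` passes; an MX preference of 65536 is rejected and 65535 is accepted.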

Q9. Why are there only 13 root name servers?

> I'm really wondering why there are only 13 root servers globally. Some documents explain that one of the reasons is a technical limit in the Domain Name System (without any detailed explanation). From my understanding, it seems that some limitation on the number of NS records in a DNS packet is specified by certain RFCs, or it is just Internet policy stuff. Which one is the proper reason?


It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the five FSMO roles?

- Schema Master - forest level - one per forest
- Domain Naming Master - forest level - one per forest
- PDC Emulator - domain level - one per domain
- RID Master - domain level - one per domain
- Infrastructure Master - domain level - one per domain

Q2. What are their functions?

1. Schema Master (forest level)

The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once the schema update is complete it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (forest level)

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master in the Active Directory forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.
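The SID composition and the pool mechanism described above, including what happens when the RID master is unreachable (covered again under Q3 below: each DC keeps creating accounts from the pool it already holds), can be shown with a small simulation. This is an added example written for this page, not Microsoft code; the domain SID, the pool size of 500 and the low-water mark of 50 are constructed values chosen for illustration.

```python
"""Toy model of RID pool allocation between a RID master and a DC.
Added example with constructed values; not Microsoft's implementation."""
from collections import deque

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed, not a real domain
POOL_SIZE = 500        # RIDs handed to a DC per pool request (constructed)
LOW_WATER_MARK = 50    # remaining RIDs at which a DC asks for its next pool (constructed)
FIRST_FREE_RID = 1000  # RIDs below 1000 are reserved for well-known accounts (500 = Administrator)


class RidMaster:
    """The single role holder that hands out disjoint RID ranges."""

    def __init__(self):
        self.online = True
        self.next_unallocated = FIRST_FREE_RID
        self.allocations = []          # (dc_name, first_rid, last_rid), for auditing

    def allocate_pool(self, dc_name):
        first = self.next_unallocated
        last = first + POOL_SIZE - 1
        self.next_unallocated = last + 1
        self.allocations.append((dc_name, first, last))
        return first, last


class DomainController:
    """A DC that consumes RIDs from its own pool and refills early."""

    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.current = deque()         # RIDs left in the active pool
        self.standby = deque()         # next pool, requested before the current one runs dry
        self.pool_requests = 0
        self.created = {}              # sam_name -> SID

    def _request_pool(self):
        """Ask the RID master for another pool; False if it is unreachable."""
        if not self.rid_master.online:
            return False
        first, last = self.rid_master.allocate_pool(self.name)
        self.standby = deque(range(first, last + 1))
        self.pool_requests += 1
        return True

    def create_principal(self, sam_name):
        """Create a user/group/computer and return its SID (domain SID + RID)."""
        if not self.current:
            if not self.standby and not self._request_pool():
                raise RuntimeError(f"{self.name}: RID pool exhausted and RID master unreachable")
            self.current, self.standby = self.standby, deque()
        rid = self.current.popleft()
        if len(self.current) <= LOW_WATER_MARK and not self.standby:
            self._request_pool()       # best effort: failure only matters once current runs out
        sid = f"{DOMAIN_SID}-{rid}"
        self.created[sam_name] = sid
        return sid


def split_sid(sid):
    """Return (domain_sid, rid) for a SID string."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)
```

With the RID master offline, a DC that had already fetched its standby pool can still create up to 550 principals (the 50 left in the current pool plus the 500 in standby) before failing, which is exactly the "little impact unless you are adding a very large number of users" behaviour the FAQ describes.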

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a domain controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming Master needs to be on a Global Catalog server. If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP - Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server: The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog server separation above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high bandwidth connections to one another as well as to a Global Catalog server.

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:

- Schema Master: member of the Schema Admins group
- Domain Naming Master: member of the Enterprise Admins group
- PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
- RID Master: member of the Domain Admins group and/or the Enterprise Admins group
- Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out which servers in your domain/forest hold which server roles


1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles, you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move, and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).


2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree, and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the Support Tools, you can open up a blank Microsoft Management Console (Start > Run > mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.


5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start > Programs > Windows 2000 Support Tools. Once open, click Edit > Add Monitored Server and add the name of a domain controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about, and change servers for, FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

- Command-line tool to query for the current FSMO role holders
- Part of the Microsoft Windows 2000 Server Resource Kit
- Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
- Prints to the screen the current FSMO holders
- Calls NTDSUTIL to get this information

7. NLTEST

- Command-line tool to perform common network administrative tasks
- Type "nltest /?" for syntax and switches
- Common uses:
  - Get a list of all DCs in the domain
  - Get the name of the PDC emulator
  - Query or reset the secure channel for a server
  - Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles: http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a domain, and these policies are configured on domain controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name (or another site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies:

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default, only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of Group Policy Creator Owners. By default, only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains, and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory; Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs on to that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific; they only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs on to her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check mark will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the Group Policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could be at 60, 90, or 120 minutes. For DCs (Domain Controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection, Software Installation, Logon/Logoff/Startup/Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.

Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
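The precedence rules described above (LSDO order, bottom-to-top link order within a container, No Override, and Block Inheritance) modelled in PowerShell, as an added example that is not part of the original document. Resolve-GpoPrecedence and its helpers are hypothetical functions, not Windows cmdlets, and every container, GPO and setting value is constructed sample data built around the Human Resources OU from the text.

```powershell
# Added example (not from the original document): a model of how Group Policy
# precedence is resolved for one user or computer. Containers are given in LSDO
# order (Local, Site, Domain, OU, nested OU). Within a container, links are listed
# as the Group Policy tab shows them: top of the list = applied last = wins.
# All names, GPOs and settings are constructed sample data.

function New-GpoLink {
    param(
        [Parameter(Mandatory)][string]$Name,        # GPO display name
        [Parameter(Mandatory)][hashtable]$Settings, # setting name -> configured value
        [switch]$Enforced                           # "No Override" on this link
    )
    [pscustomobject]@{ Name = $Name; Settings = $Settings; Enforced = [bool]$Enforced }
}

function New-GpoContainer {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Local', 'Site', 'Domain', 'OU')][string]$Level,
        [object[]]$Links = @(),                     # top-to-bottom as shown in the Group Policy tab
        [switch]$BlockInheritance
    )
    [pscustomobject]@{ Name = $Name; Level = $Level; Links = $Links; BlockInheritance = [bool]$BlockInheritance }
}

function Resolve-GpoPrecedence {
    # Rules modelled:
    #  - LSDO: later containers override earlier ones.
    #  - Within a container, links are applied bottom-to-top.
    #  - Block Inheritance drops every non-enforced link from the containers above
    #    (the local GPO is not a parent container, so it still applies).
    #  - Enforced (No Override) links are applied after all normal links, cannot be
    #    blocked, and an enforced link at a higher level beats one linked below it.
    param([Parameter(Mandatory)][object[]]$Chain)

    $blockAt = -1                                   # deepest container that blocks inheritance
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        if ($Chain[$i].BlockInheritance) { $blockAt = $i }
    }

    $applyOrder    = [System.Collections.Generic.List[object]]::new()
    $enforcedByLvl = @{}                            # container index -> enforced links, bottom-to-top
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        $c = $Chain[$i]
        $enforcedByLvl[$i] = [System.Collections.Generic.List[object]]::new()
        for ($j = $c.Links.Count - 1; $j -ge 0; $j--) {   # bottom of the list first
            $link = $c.Links[$j]
            if ($link.Enforced) {
                $enforcedByLvl[$i].Add($link)
            } elseif ($i -ge $blockAt -or $c.Level -eq 'Local') {
                $applyOrder.Add([pscustomobject]@{ Link = $link; Container = $c })
            }
        }
    }
    # Enforced links last, deepest container first, so the highest container wins.
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {
        foreach ($link in $enforcedByLvl[$i]) {
            $applyOrder.Add([pscustomobject]@{ Link = $link; Container = $Chain[$i] })
        }
    }

    $resultant = [ordered]@{}                       # later writers overwrite earlier ones
    foreach ($entry in $applyOrder) {
        foreach ($setting in $entry.Link.Settings.Keys) {
            $resultant[$setting] = [pscustomobject]@{
                Setting    = $setting
                Value      = $entry.Link.Settings[$setting]
                WinningGpo = $entry.Link.Name
                LinkedAt   = "$($entry.Container.Level): $($entry.Container.Name)"
            }
        }
    }
    [pscustomobject]@{
        ApplyOrder = @($applyOrder | ForEach-Object { $_.Link.Name })
        Settings   = @($resultant.Values)
    }
}

# Constructed sample: the Human Resources OU from the text, with Block Inheritance
# set, under a domain that enforces one baseline GPO.
$chain = @(
    (New-GpoContainer -Name 'Local GPO' -Level Local -Links @(
        (New-GpoLink -Name 'Local Computer Policy' -Settings @{ ScreenSaverTimeout = 600; WindowsUpdate = 'Allowed' })
    )),
    (New-GpoContainer -Name 'Default-First-Site-Name' -Level Site -Links @(
        (New-GpoLink -Name 'Site Proxy' -Settings @{ ProxyServer = 'proxy.site.example' })
    )),
    (New-GpoContainer -Name 'corp.example' -Level Domain -Links @(
        (New-GpoLink -Name 'Corporate Baseline' -Settings @{ WindowsUpdate = 'Allowed' } -Enforced),
        (New-GpoLink -Name 'Default Domain Policy' -Settings @{ ScreenSaverTimeout = 900 })
    )),
    (New-GpoContainer -Name 'Human Resources' -Level OU -BlockInheritance -Links @(
        (New-GpoLink -Name 'No ScreenSaver'      -Settings @{ ScreenSaverEnabled = 'Disabled'; ScreenSaverTimeout = 0 }),
        (New-GpoLink -Name 'No Display Settings' -Settings @{ DisplaySettings = 'Locked'; ScreenSaverTimeout = 300 }),
        (New-GpoLink -Name 'No Windows Update'   -Settings @{ WindowsUpdate = 'Blocked' })
    ))
)

$rsop = Resolve-GpoPrecedence -Chain $chain
'Applied in this order: ' + ($rsop.ApplyOrder -join ' -> ')
$rsop.Settings | Format-Table Setting, Value, WinningGpo, LinkedAt -AutoSize
```

With this input the site and Default Domain Policy links are dropped by Block Inheritance, the three OU links apply bottom-to-top (No Windows Update, No Display Settings, No ScreenSaver, so ScreenSaverTimeout ends up 0), and the enforced Corporate Baseline applies last and restores WindowsUpdate to Allowed despite the OU's No Windows Update GPO.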

Q16. How to redirect new User and Computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after CNAME must contain a domain name, not an IP address. For example: www CNAME foo.example

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours wins.

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP? For example, if you have ACLs blocking
> UDP traffic but allowing TCP traffic, will the transfer work or will it fail
> due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference?

Preference is an unsigned 16-bit number, so the largest number you can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm wondering why there are only 13 root servers globally.
> Some documents explain that one of the reasons is a technical limit in the Domain
> Name System (without any detailed explanation).
> From my understanding, it seems to be some limitation on the number of NS records
> in a DNS packet specified by certain RFCs, or just Internet policy stuff.
>
> Which one is the proper reason?

It's a technical limitation: UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1. Which are the FIVE FSMO roles?

Schema Master - Forest level - one per forest

Domain Naming Master - Forest level - one per forest

PDC Emulator - Domain level - one per domain

RID Master - Domain level - one per domain

Infrastructure Master - Domain level - one per domain

Q2. What are their functions?

1. Schema Master (Forest level)

The Schema Master FSMO role holder is the Domain Controller responsible for performing updates to the Active Directory schema. It contains the only writable copy of the AD schema. This DC is the only one that can process updates to the directory schema, and once a schema update is complete it is replicated from the Schema Master to all other DCs in the forest. There is only one Schema Master in the forest.

2. Domain Naming Master (Forest level)

The Domain Naming Master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. This DC is the only one that can add or remove a domain from the directory, and that is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one Domain Naming Master in the Active Directory forest.

3. PDC Emulator (Domain level)

In a Windows 2000 domain, the PDC emulator server role performs the following functions:

- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed-mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed-mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

4. RID Master (Domain level)

The RID Master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group, or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID Master. The domain RID Master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.

There is one RID Master per domain in a directory.

5. Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the distinguished name (DN) of the object being referenced. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, the Infrastructure Master is involved. Likewise, if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA, the Infrastructure Master must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure Master per domain.

Q3. What if a FSMO server fails?

Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master: The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator: The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed-mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing, and BDC replication). In a native-mode domain the failure of the PDC emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5. Can you move FSMO roles?

Yes, moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain, and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: According to MS, the Domain Naming Master needs to be on a Global Catalog server. If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP - Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server: The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single-domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the separation of the Infrastructure Master and the Global Catalog server above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high-bandwidth connections to one another as well as to a Global Catalog server.
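The placement guidance above turned into a check, as an added example that is not part of the original document. Test-FsmoPlacement is a hypothetical helper and the DC names are constructed; on a live forest the same inputs are available from the Get-ADForest properties SchemaMaster, DomainNamingMaster and GlobalCatalogs and the Get-ADDomain properties PDCEmulator, RIDMaster and InfrastructureMaster.

```powershell
# Added example (not from the original document): check FSMO role holders against
# the placement guidance in the text. $holders and $gcs below are constructed data.

function Test-FsmoPlacement {
    param(
        [Parameter(Mandatory)][hashtable]$Holders,        # role name -> DC host name
        [Parameter(Mandatory)][string[]]$GlobalCatalogs,  # DCs that are Global Catalog servers
        [Parameter(Mandatory)][int]$DomainCount           # number of domains in the forest
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Severity, [string]$Rule, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Severity = $Severity; Rule = $Rule; Detail = $Detail })
    }

    # Every role must have a known holder; a missing one usually means a failed DC
    # whose role has to be transferred or seized.
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
    foreach ($role in $roles) {
        if (-not $Holders[$role]) { Add-Finding 'Error' 'RoleHolderKnown' "$role has no known holder" }
    }

    # Forest-level roles: together, and on a Global Catalog server.
    if ($Holders.SchemaMaster -and $Holders.DomainNamingMaster) {
        if ($Holders.SchemaMaster -ne $Holders.DomainNamingMaster) {
            Add-Finding 'Warning' 'ForestRolesTogether' "Schema Master ($($Holders.SchemaMaster)) and Domain Naming Master ($($Holders.DomainNamingMaster)) are on different DCs"
        }
        foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
            if ($GlobalCatalogs -notcontains $Holders[$role]) {
                Add-Finding 'Error' 'ForestRoleOnGC' "$role holder $($Holders[$role]) is not a Global Catalog server"
            }
        }
    }

    # Infrastructure Master must not be a GC in a multi-domain forest (single domain: not an issue).
    if ($Holders.InfrastructureMaster -and $DomainCount -gt 1 -and
        $GlobalCatalogs -contains $Holders.InfrastructureMaster) {
        Add-Finding 'Error' 'InfrastructureNotOnGC' "Infrastructure Master $($Holders.InfrastructureMaster) is a Global Catalog server in a $DomainCount-domain forest; it will stop updating cross-domain references"
    }

    # PDC Emulator and RID Master are recommended to share a server.
    if ($Holders.PDCEmulator -and $Holders.RIDMaster -and $Holders.PDCEmulator -ne $Holders.RIDMaster) {
        Add-Finding 'Warning' 'PdcAndRidTogether' "PDC Emulator ($($Holders.PDCEmulator)) and RID Master ($($Holders.RIDMaster)) are on different DCs"
    }
    return $findings.ToArray()
}

# Constructed sample forest with two domains: DC1 holds four roles and is a GC,
# which violates the Infrastructure Master rule; the RID Master sits on DC2.
$holders = @{
    SchemaMaster         = 'DC1.corp.example'
    DomainNamingMaster   = 'DC1.corp.example'
    PDCEmulator          = 'DC1.corp.example'
    RIDMaster            = 'DC2.corp.example'
    InfrastructureMaster = 'DC1.corp.example'
}
$gcs = 'DC1.corp.example', 'DC3.corp.example'

$issues = @(Test-FsmoPlacement -Holders $holders -GlobalCatalogs $gcs -DomainCount 2)
if ($issues.Count -eq 0) { 'No placement issues found' } else { $issues | Format-Table -AutoSize }
```

For this sample the check reports one error (the Infrastructure Master on a GC in a multi-domain forest) and one warning (PDC Emulator and RID Master on different DCs).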

Q7. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group

RID Master: member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8. Tools to find out which servers in your domain/forest hold which server roles

1. Active Directory Users and Computers - use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right-click on the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles you must first connect to the domain controller you want to move the role to. Do this by right-clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move, and click the Change button. When you do connect to another DC, you will notice the name of that DC in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree, and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right-clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD or install the Windows 2000 Server Resource Kit. Once you install the Support Tools, you can open up a blank Microsoft Management Console (Start > Run > mmc) and add the snap-in to the console. Once the snap-in is open, right-click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo, and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start > Programs > Windows 2000 Support Tools. Once open, click Edit > Add Monitored Server and add the name of a Domain Controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool (a script) that queries for the current FSMO role holders. It is part of the Microsoft Windows 2000 Server Resource Kit, downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp. It prints the current FSMO holders to the screen; under the hood it calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks. Type "nltest /?" for syntax and switches. Common uses:

Get a list of all DCs in the domain (nltest /dclist:<domain>)

Get the name of the PDC emulator (nltest /dsgetdc:<domain> /pdc)

Query or reset the secure channel for a server (nltest /sc_query:<domain> and nltest /sc_reset:<domain>)

Call DsGetDcName to query for an available domain controller (nltest /dsgetdc:<domain>)

8. Adcheck (470k, 3rd party)

A simple utility to view information about AD and FSMO roles: http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9 How to Transfer and Seize a FSMO Role?

See Microsoft Knowledge Base article Q255504 (Using Ntdsutil.exe to transfer or seize FSMO roles): http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504. Transfer a role while its current holder is online; seize it only when the holder is permanently gone, and never bring the former holder of a seized Schema Master, Domain Naming Master or RID Master back onto the network without reinstalling it.

GROUP POLICY

Q1 What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC: whether you want to stop users from running Windows Update or changing their Display Settings, or you want to ensure certain applications are installed on computers, all of this can be done with Group Policy.

Group Policies can be configured either locally or as domain policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure or modify Group Policies. Windows 2000 Group Policies can only be applied to Windows 2000 and Windows XP computers; they cannot be applied to Windows 9x or Windows NT computers, which use the older System Policy mechanism instead.

Q2 Domain policy gets applied to whom?

Domain policies are applied to computers and users that are members of a domain; the policies themselves are stored on the domain controllers (the GPO object in Active Directory plus its template in SYSVOL). You can access domain Group Policies by opening Active Directory Sites and Services (these links apply at the site level only) or Active Directory Users and Computers (links at the domain and/or Organizational Unit level).

Q3 From where to create a Group Policy?

To create a domain Group Policy Object, open Active Directory Sites and Services, right click Default-First-Site-Name (or another site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except that you right click the domain or an OU and choose Properties.

Q4 Who can create/modify Group Policies?

You must have administrative privileges to create or modify Group Policies. The following table shows who can create or modify them at each level.

Policy Type: Allowable Groups/Users

Site level Group Policies: Enterprise Admins and/or Domain Admins in the forest root domain. The root domain is the first domain created in a tree or forest; the Enterprise Admins group exists only in the root domain.

Domain level Group Policies: Enterprise Admins, Domain Admins, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU level Group Policies: Enterprise Admins, Domain Admins, or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control of the OU's Group Policy links by starting the Delegate Control wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created Group Policies to the OU. If you want to give OU administrators control over creating and modifying Group Policies, add them to the Group Policy Creator Owners group for the domain. A member of Group Policy Creator Owners can create new GPOs and edit the GPOs they created, but cannot edit GPOs created by others, and cannot link a GPO anywhere unless link permission on the container has also been delegated; membership of this group is worth auditing for that reason.

Local Group Policies: the local Administrator user account or members of the local Administrators group.

Q5 How are Group Policies applied?

Group Policies can be configured locally, at the site level, the domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: local policies first, then site policies, then domain policies, then OU policies, then nested OU policies (OUs within OUs). Because later policies overwrite earlier ones where they conflict, the policy linked closest to the object (the innermost OU) normally wins. Group Policies cannot be linked to a specific user or group, only to container objects (although security filtering, the Apply Group Policy permission on the GPO itself, can restrict which users or computers inside a container actually receive it).

To apply Group Policies to specific users or computers, you add the users (or groups) and computers to container objects; anything in the container then receives the policies linked to that container. Sites, domains and OUs are container objects.

User and computer Active Directory objects do not have to be in the same container. For example, Sally the user is an object in Active Directory, and Sally's Windows 2000 Professional PC is also an object in Active Directory. Sally's user object can be in one OU while her computer object is in another. It all depends on how you organize your Active Directory structure and which Group Policies you want applied to which objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node, called Computer Configuration and User Configuration. The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer gets those policies. Note: computer policies are also referred to as machine policies.

User policies are user specific; they apply only to the user that is logged on. When creating domain Group Policies you can disable either the Computer node or the User node of the GPO you are creating. By disabling a node in which no policies are defined you reduce the time it takes to apply the policies. To disable a node: after creating a Group Policy Object, click that GPO on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab, one for each node.

It is important to understand that when Group Policies are applied, all the GPOs for a node are evaluated first and the resulting settings are then applied; they are not applied one GPO after another. For example, say Sally's user object is in the Security OU, which is nested inside the Development OU. When Sally logs onto her PC, the User node settings from both the Development OU's and the Security OU's GPOs are evaluated as a whole and then applied to Sally. They are not applied as separate passes, Development OU first and then Security OU (or vice versa). The same goes for computer policies: when a computer boots, all the Computer node policies that apply to it are evaluated and then applied.

When computers boot up the computer policies are applied; when users log in the user policies are applied. Where a user setting and a computer setting cover the same item, the computer setting generally wins.

Note: IPSec and EFS policies are not additive; the last policy applied is the one the user or computer ends up with.

When multiple Group Policy Objects are linked to one container, they are applied from the bottom to the top of the Group Policy Object list: the GPO at the top of the list is the last to be applied and therefore takes precedence. For example, with three GPOs linked to a Human Resources OU and listed (top to bottom) as No ScreenSaver, No Display Settings, No Windows Update, they are applied No Windows Update first, then No Display Settings, then No ScreenSaver, and in any conflict the setting from the GPO higher in the list wins.

Q6 How to disable Group Policy Objects?

When you are creating or editing a Group Policy Object the changes take effect immediately; there is no save step for GPOs. To prevent a half-configured GPO from being applied, disable the GPO while you are configuring it: on the Group Policy tab click the GPO, then double click under the Disable column so that a check mark appears. Click the Edit button, make your changes, then double click under the Disable column again to re-enable the GPO. This is also the place to temporarily disable a GPO for troubleshooting. Alternatively, click the Options button on the Group Policy tab and select the Disabled check box.

Q7 When do the Group Policy scripts run?

Startup scripts are processed at computer boot, before the user logs in. Shutdown scripts are processed after the user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, before any shutdown script runs.

Q8 When does Group Policy get refreshed/applied?

Group Policies are applied when a computer boots and when a user logs in. Policies are also refreshed automatically on a predefined schedule; this is called background refresh.

Background refresh for non-DCs (workstations and member servers) runs every 90 minutes with a random offset of up to 30 minutes added, so a given refresh occurs between 90 and 120 minutes after the previous one. For domain controllers the background refresh interval is 5 minutes. In addition, security settings are reapplied every 16 hours even if no GPO has changed. These intervals can be changed under Computer Configuration and User Configuration > Administrative Templates > System > Group Policy.

Q9 Which policies are not affected by background refresh?

The following policies are not applied during background refresh; they are applied only at startup or logon:

Folder Redirection
Software Installation
Logon, Logoff, Startup and Shutdown scripts

Q9 How to refresh Group Policies using the command line?

Secedit.exe is a command line tool that can be used to refresh Group Policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These commands only refresh user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that refreshes Group Policies on a Windows XP (and later) computer; it replaced secedit /refreshpolicy. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the computer policies)

As with secedit, these only refresh user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

gpupdate /force

Notice that the /force switch applies to both user and computer policies; there is no separation of the two as there is with secedit, unless you combine it with /target:.

Q10 What is the default setting for dial-up users?

Windows 2000 considers a slow link to be anything under 500 kbps. When a user logs into a domain over a link slower than that, some policies are not applied.

Windows 2000 automatically detects the speed of the connection and decides which Group Policies to apply.

Q11 Which policies are applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the link speed:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12 Which policies are not applied over slow links?

IE Maintenance settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings (the slow-link threshold and which of the above are still processed over a slow link) can be changed under Computer Configuration and User Configuration > Administrative Templates > System > Group Policy.

If the user connects to the domain using "Logon using dial-up connection" from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after logging on, the policies are applied on the standard refresh cycle.

Q13 Which are the two types of default policies?

Two default Group Policy Objects are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for the domain; it is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you open this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

For domain accounts these three policies can only be set at the domain level. If you set them anywhere else (site or OU) they are ignored for domain accounts. However, setting these three policies at the OU level does affect the local accounts on the computers in that OU, i.e. users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options there are three policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the domain Administrator account only
Rename Guest Account - when set at the domain level it affects the domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, create additional domain level GPOs. Do not delete the Default Domain Policy; you can disable it, but this is not recommended.

Default Domain Controllers Policy - this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. It is linked to the Domain Controllers OU, so it applies to every domain controller whose computer object is in that OU, which is where all domain controllers are placed by default. Moving a domain controller's computer object out of that OU is not supported and would stop it receiving these settings, so leave domain controllers where they are.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.

Q14 How to restore Group Policy settings back to default?

The following command replaces both the Default Domain Policy and the Default Domain Controllers Policy. You can specify Domain or DC instead of Both to restore only one or the other:

dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPOs, and that it resets them to the out-of-box state, so any settings that had been added to them are lost.

If you have made changes to the default GPOs and would like to revert to the original settings, the dcgpofix utility is your solution. Dcgpofix works with a particular version of the schema. If the version it expects to be current differs from what is in Active Directory it will not restore the GPOs. You can work around this with the /ignoreschema switch, which restores the GPOs according to the version dcgpofix thinks is current. The only time you are likely to hit this is when you install a service pack that extends the schema on one domain controller (dc1) but have not yet installed it on a second domain controller (dc2): running dcgpofix from dc2 then produces the error, because a newer schema version and a newer dcgpofix utility were installed on dc1.
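The following PowerShell is an added example, not part of the original document and not a Microsoft script. It audits the points made in Q4 and Q13: whether the two default GPOs are still present, enabled and unrenamed; what the domain level password, lockout and Kerberos-related settings currently are; and who is in Group Policy Creator Owners. It assumes the RSAT GroupPolicy and ActiveDirectory modules, which postdate Windows 2000 but are what you would use today. The two GUIDs are the fixed, well-known identifiers of the Default Domain Policy and the Default Domain Controllers Policy.

```powershell
# Added example (not from the original document): audit the default GPOs,
# the domain account policy and the GPO creator group.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Well-known GUIDs; these are the same in every domain.
$defaultGpos = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

function Test-DefaultGpo {
    # One row per default GPO: it should exist, be AllSettingsEnabled and keep its name.
    foreach ($name in $defaultGpos.Keys) {
        $gpo = Get-GPO -Guid $defaultGpos[$name] -ErrorAction Stop
        [pscustomobject]@{
            Name         = $gpo.DisplayName
            Status       = $gpo.GpoStatus      # AllSettingsEnabled expected; disabling is not recommended
            Renamed      = $gpo.DisplayName -ne $name
            Created      = $gpo.CreationTime
            LastModified = $gpo.ModificationTime
        }
    }
}

function Get-DomainAccountPolicy {
    # Password and lockout settings only count at the domain level (Q13);
    # this reads the values that domain accounts are actually subject to.
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                      ComplexityEnabled, ReversibleEncryptionEnabled,
                      LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

function Get-GpoCreator {
    # Q4: everyone listed here can create GPOs in the domain. Expect only Administrator.
    Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
        Select-Object Name, ObjectClass, DistinguishedName
}

Test-DefaultGpo        | Format-Table -AutoSize
Get-DomainAccountPolicy | Format-List
Get-GpoCreator         | Format-Table -AutoSize

# To reset both default GPOs to their out-of-box state, run on a DC in the domain (Q14):
# dcgpofix /target:Both
```

Run it as a domain administrator on a machine with the RSAT tools installed. A Renamed value of True, a GpoStatus other than AllSettingsEnabled, or unexpected members of Group Policy Creator Owners are the findings worth following up before anyone reaches for dcgpofix.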

Resolving GPOs from Multiple Sources

Because GPOs from different sources can apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: the local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which they are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and their settings applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. A single object can sit inside nested OUs; in that case GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single

Q15 What are the two exceptions that control the inheritance of Group Policy?

No Override: when you link a GPO to a container you can set the No Override option (called Enforced in the Group Policy Management Console), which prevents settings in that GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: you can set the Block Inheritance option on a container to prevent it from inheriting GPO settings from its parent containers. However, if a GPO linked to a parent container has the No Override option set, the child container cannot block that GPO: No Override always beats Block Inheritance.
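The rules from Q5, the "Resolving GPOs from Multiple Sources" list and Q15 are easier to reason about as code. The PowerShell below is an added example, not part of the original document and not Microsoft's implementation: it models LSDOU order, the bottom-to-top link order inside a container, No Override (Enforced) and Block Inheritance, and reports which GPO wins a given setting. The GPO names, container names and setting names are constructed for the example.

```powershell
# Added example (not from the original document): a model of Group Policy
# precedence. Containers are processed Local, Site, Domain, OU, child OU; inside
# a container the bottom of the link list is applied first; No Override links
# are applied last with the outermost winning; Block Inheritance drops only
# the non-enforced links inherited from above.

function New-GpoLink {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [int]       $LinkOrder,   # 1 = top of the list, applied last
        [Parameter(Mandatory)] [hashtable] $Settings,    # setting name -> value
        [switch] $Enforced,                               # "No Override" in Windows 2000
        [bool]   $Enabled = $true                         # the Disable column on the Group Policy tab
    )
    [pscustomobject]@{
        Name = $Name; LinkOrder = $LinkOrder; Settings = $Settings
        Enforced = [bool]$Enforced; Enabled = $Enabled
    }
}

function Resolve-GpoSetting {
    param(
        # Containers listed outermost to innermost: Local, Site, Domain, OU, child OU ...
        [Parameter(Mandatory)] [object[]] $Scopes,
        [Parameter(Mandatory)] [string]   $Setting
    )
    $localLinks = @(); $inherited = @(); $enforced = @()
    foreach ($scope in $Scopes) {
        # Within one container the bottom of the list is applied first, so the
        # highest LinkOrder number goes first and LinkOrder 1 goes last.
        $ordered = @($scope.Links | Where-Object { $_.Enabled } | Sort-Object LinkOrder -Descending)
        if ($scope.Name -eq 'Local') { $localLinks += $ordered; continue }  # local GPO is never blocked
        if ($scope.BlockInheritance) { $inherited = @() }                    # drop non-enforced parent links
        foreach ($link in $ordered) {
            if ($link.Enforced) { $enforced += $link } else { $inherited += $link }
        }
    }
    # Enforced links are applied after all others, innermost first and outermost
    # last, so an enforced domain link beats an enforced OU link and beats
    # anything a child container set, whether or not it blocked inheritance.
    $enforcedReversed = @()
    for ($i = $enforced.Count - 1; $i -ge 0; $i--) { $enforcedReversed += $enforced[$i] }
    $applyOrder = @($localLinks) + @($inherited) + @($enforcedReversed)

    $winner = $null
    foreach ($link in $applyOrder) {
        if ($link.Settings.ContainsKey($Setting)) { $winner = $link }   # last writer wins
    }
    $value      = if ($winner) { $winner.Settings[$Setting] } else { 'Not Configured' }
    $winnerName = if ($winner) { $winner.Name } else { $null }
    [pscustomobject]@{
        Setting    = $Setting
        Value      = $value
        WinningGpo = $winnerName
        ApplyOrder = ($applyOrder | ForEach-Object { $_.Name }) -join ' -> '
    }
}

# Constructed scenario: the computer object sits in the Human Resources OU, which
# blocks inheritance, while the domain has one No Override (enforced) link.
$scopes = @(
    [pscustomobject]@{ Name = 'Local'; BlockInheritance = $false; Links = @(
        (New-GpoLink -Name 'Local GPO' -LinkOrder 1 -Settings @{ ScreenSaverTimeout = 900 })
    ) }
    [pscustomobject]@{ Name = 'Domain'; BlockInheritance = $false; Links = @(
        (New-GpoLink -Name 'Default Domain Policy' -LinkOrder 1 -Settings @{ MinPasswordLength = 12 }),
        (New-GpoLink -Name 'Corp Lockdown' -LinkOrder 2 -Settings @{ ScreenSaverTimeout = 600 } -Enforced)
    ) }
    [pscustomobject]@{ Name = 'Human Resources'; BlockInheritance = $true; Links = @(
        (New-GpoLink -Name 'No ScreenSaver'      -LinkOrder 1 -Settings @{ ScreenSaverTimeout = 0 }),
        (New-GpoLink -Name 'No Display Settings' -LinkOrder 2 -Settings @{ DisableDisplayCpl = 1 }),
        (New-GpoLink -Name 'No Windows Update'   -LinkOrder 3 -Settings @{ DisableWindowsUpdate = 1 })
    ) }
)
# The enforced domain link is applied after the OU's No ScreenSaver link, so it wins;
# MinPasswordLength comes from a non-enforced domain link that the OU blocks.
Resolve-GpoSetting -Scopes $scopes -Setting 'ScreenSaverTimeout' | Format-List
Resolve-GpoSetting -Scopes $scopes -Setting 'MinPasswordLength'  | Format-List
```

Against a real domain the same ordered view for one OU comes from Get-GPInheritance -Target "OU=Human Resources,DC=contoso,DC=com" in the GroupPolicy module (the OU name is an assumption); its InheritedGpoLinks are listed in precedence order and its GpoInheritanceBlocked property shows whether the OU blocks inheritance.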

Q16 How to redirect new user and computer accounts?

By default new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may need user and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: redirusr.exe for user accounts and redircmp.exe for computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to it, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately receive the settings in that GPO, and administrators could move the accounts to a more appropriate location later. Both tools are in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", at http://support.microsoft.com.

Q17 What permissions does an administrator need to manage GPOs?

Editing GPOs linked to sites requires Enterprise Admins rights. Editing GPOs linked to domains requires Domain Admins rights. Editing GPOs linked to OUs requires the appropriate permissions on the OU (to manage the links) and edit rights on the GPO itself.

Q18 What are the client requirements for supporting GPOs?

For client computers to accept Group Policy settings they must be members of an Active Directory domain. Support for Group Policy by operating system:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.
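Before and after running redirusr or redircmp you will want to know where new accounts actually land. The PowerShell below is an added example, not part of the original document and not a Microsoft script: it reads the domain's wellKnownObjects attribute, which is where the redirection is recorded, and reports the current target for users and computers. The two 32-character GUIDs are the well-known identifiers Windows uses for the Users and Computers containers; the OU names in the commented redirection commands are assumptions for the example, and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example (not from the original document): report where new user and
# computer accounts are created, by reading the domain's wellKnownObjects.
Import-Module ActiveDirectory

function Get-AccountRedirection {
    $domain = Get-ADDomain
    $wko = (Get-ADObject -Identity $domain.DistinguishedName -Properties wellKnownObjects).wellKnownObjects
    # Each entry has the form B:32:<GUID without dashes>:<DN of the container>.
    # Well-known GUIDs for the Users and Computers containers (same in every domain):
    $map = @{
        Users     = 'A9D1CA15768811D1ADED00C04FD8D5CD'
        Computers = 'AA312825768811D1ADED00C04FD8D5CD'
    }
    foreach ($kind in $map.Keys) {
        $entry  = $wko | Where-Object { $_ -like "B:32:$($map[$kind]):*" }
        $target = ($entry -split ':', 4)[3]
        [pscustomobject]@{
            Kind       = $kind
            Target     = $target
            Redirected = -not ($target -like "CN=$kind,*")   # still the built-in container?
        }
    }
}

Get-AccountRedirection | Format-Table -AutoSize

# Redirect new accounts (run as a Domain Admin; the tools live in %windir%\system32 on
# Windows Server 2003 and the domain must be at the Windows Server 2003 domain
# functional level, per KB 324949). Re-run Get-AccountRedirection afterwards to confirm.
# redirusr "OU=New Users,DC=contoso,DC=com"
# redircmp "OU=New Computers,DC=contoso,DC=com"
```

A Redirected value of True with a target OU you do not recognise is worth investigating: whoever controls that OU controls the GPOs applied to every newly created account.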


It's a technical limitation: UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message of that size.

More information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

Q1 Which are the five FSMO roles?

Schema Master - forest level, one per forest

Domain Naming Master - forest level, one per forest

PDC Emulator - domain level, one per domain

RID Master - domain level, one per domain

Infrastructure Master - domain level, one per domain

Q2 What are their functions?

1. Schema Master (forest level)

The Schema Master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It holds the only writable copy of the schema; it is the only DC that can process schema updates, and once an update is complete it is replicated from the Schema Master to all other DCs in the forest. There is only one Schema Master in the forest.

2. Domain Naming Master (forest level)

The Domain Naming Master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. It is the only DC that can add or remove a domain from the forest, which is its major purpose. It can also add or remove cross references to domains in external directories. There is only one Domain Naming Master in the forest.

3. PDC Emulator (domain level)

In a Windows 2000 domain the PDC Emulator role holder performs the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC Emulator first.

Authentication failures that occur at a given DC because of an incorrect password are forwarded to the PDC Emulator for validation before a bad password failure is reported to the user, so a freshly changed password works even before it has replicated everywhere.

Account lockout is processed on the PDC Emulator.

Time synchronization for the domain: the PDC Emulator is the authoritative time source for the domain, and the forest root domain's PDC Emulator is the time source for the forest.

Group Policy changes are preferentially written to the PDC Emulator; the Group Policy editor connects to it by default.

Additionally, if your domain is a mixed mode domain that still contains Windows NT 4 BDCs, the Windows 2000 domain controller holding the PDC Emulator role acts as a Windows NT 4 PDC towards those BDCs.

There is only one PDC Emulator per domain.

Note: some consider the PDC Emulator to be relevant only in a mixed mode domain. This is not true. Even after you have switched your domain to native mode (no more NT 4 domain controllers) the PDC Emulator is still necessary for the reasons above.

4. RID Master (domain level)

The RID Master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer account, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in the domain) and a relative ID (RID) that makes the object unique within the domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID Master. The RID Master responds by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.

There is one RID Master per domain.

5. Infrastructure Master (domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by an object in another domain, the reference is stored as the GUID, the SID (for references to security principals) and the distinguished name (DN) of the object being referenced. The Infrastructure Master is the DC responsible for updating the SID and distinguished name in such cross-domain object references when the referenced object changes.

When a user in DomainA is added to a group in DomainB the Infrastructure Master is involved. Likewise, if that user in DomainA is later renamed, the Infrastructure Master of DomainB must update the group membership(s) in DomainB with the new name.

There is only one Infrastructure Master per domain.

Q3 What if a FSMO server fails?

Schema Master: no updates to the Active Directory schema will be possible. Since schema updates are rare (usually performed by certain applications, or by an administrator adding an attribute to an object class), the loss of the server holding the Schema Master role does not pose a critical problem in the short term.

Domain Naming Master: the Domain Naming Master must be available when adding or removing a domain from the forest (i.e. when running DCPROMO to create or remove a domain). If it is not available, the domain cannot be added or removed. Like the Schema Master, this functionality is only used occasionally and its loss is not critical unless you are modifying your domain or forest structure.

PDC Emulator: the server holding the PDC Emulator role will cause the most problems if it is unavailable. This is most noticeable in a mixed mode domain where you are still running NT 4 BDCs or down-level clients (NT and Windows 9x): since the PDC Emulator acts as the NT 4 PDC, anything that depends on the PDC is affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native mode domain the impact is smaller, but password chaining, account lockout processing, time synchronization and Group Policy editing all still depend on it, so its loss is quickly noticed and the role should be transferred (or seized, if the holder is gone for good) promptly.

RID Master: the RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server has little immediate impact, because each DC in the domain already holds a pool of RIDs; a problem arises only when the DC on which you are creating users or groups exhausts its pool and cannot obtain a new one.

Infrastructure Master: this FSMO server is only relevant in a multi-domain environment. If you have only one domain, the Infrastructure Master is irrelevant. In a multi-domain environment its failure is a problem when you are referencing objects from one domain in another (for example, cross-domain group memberships stop being updated with renames and moves).

Q4 Where are these FSMO server roles found?

The first domain controller installed in a Windows 2000 forest holds all five FSMO roles by default (the first DC of each additional domain holds that domain's three domain level roles). As more domain controllers are added, the FSMO roles can be moved to other domain controllers.

Q5 Can you move FSMO roles?

Yes. Moving a FSMO role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and of course the one domain controller, and all five FSMO roles will reside on that DC. There is no rule that says you need one server per FSMO role.

Q6 Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best practices for placing the FSMO roles.

The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: according to Microsoft the Domain Naming Master must be on a Global Catalog server in a Windows 2000 forest (the requirement is lifted once the forest is at the Windows Server 2003 forest functional level). If you are going to separate the Domain Naming Master and the Schema Master, make sure they are both on Global Catalog servers.

IMPORTANT - why the Infrastructure Master should not be on a server that is also a Global Catalog server

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason is that the Global Catalog contains a partial copy of every object in the forest. When the Infrastructure Master, which is responsible for updating cross-domain object references, needs information about objects outside its domain, it compares its own references against a Global Catalog. If both roles reside on the same server, the Infrastructure Master never sees a stale reference, because the local Global Catalog copy is always current, and so it never writes updated references for the other domain controllers in its domain; those DCs keep stale cross-domain references. Note: this is not an issue in a single-domain forest, nor when every domain controller in the domain is also a Global Catalog server (then there are no non-GC DCs holding stale references).

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory, unlike the Infrastructure Master and Global Catalog rule above, but it is recommended. Also, since the PDC Emulator receives more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners, with high bandwidth connections to one another as well as to a Global Catalog server.

Q7 What permissions do you need in order to transfer a FSMO role?

Before you can transfer a role you must have the appropriate permissions, which depend on the role you plan to transfer:

Schema Master: member of the Schema Admins group

Domain Naming Master: member of the Enterprise Admins group

PDC Emulator: member of the Domain Admins group (Enterprise Admins also qualify)

RID Master: member of the Domain Admins group (Enterprise Admins also qualify)

Infrastructure Master: member of the Domain Admins group (Enterprise Admins also qualify)

FSMO TOOLS

Q8 Which tools show which servers in your domain/forest hold which FSMO roles?

1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and to change the location of one or more of these three roles.

Open Active Directory Users and Computers, right click the domain you want to view the FSMO roles for, and click Operations Masters. A dialog box opens with three tabs, one for each domain level role; click each tab to see which server holds that role. To change a role you must first connect to the domain controller you want to move it to: right click Active Directory Users and Computers at the top of the snap-in and choose Connect to Domain Controller. Once connected, go back into the Operations Masters dialog, choose the role to move, and click the Change button. When you connect to another DC, its name appears in the field below the Change button.

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as for the domain level roles in Active Directory Users and Computers, except that you use the Active Directory Domains and Trusts snap-in. Open it, right click Active Directory Domains and Trusts at the top of the tree, and choose Operations Master. Changing the server that holds the Domain Naming Master requires that you first connect to the new domain controller (right click Active Directory Domains and Trusts at the top of the snap-in and choose Connect to Domain Controller) and then click the Change button.
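The snap-ins, netdom and ntdsutil described under Q8 predate PowerShell; the script below is an added example, not part of the original document and not a Microsoft tool, showing how the same enumeration, the placement checks from Q6 and a role transfer (Q7 permissions apply) are done today with the RSAT ActiveDirectory module. Get-ADForest, Get-ADDomain, Get-ADDomainController and Move-ADDirectoryServerOperationMasterRole are real cmdlets of that module; the target DC name DC2 is an assumption.

```powershell
# Added example (not from the original document): list FSMO holders, check
# their placement against the Q6 guidance, and transfer a role.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # One object per role: holder, whether it is a Global Catalog, and its site.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $dc = Get-ADDomainController -Identity $roles[$role]
        [pscustomobject]@{
            Role            = $role
            Holder          = $dc.HostName
            IsGlobalCatalog = $dc.IsGlobalCatalog
            Site            = $dc.Site
        }
    }
}

function Test-FsmoPlacement {
    # Q6: Domain Naming Master on a GC (a hard requirement in a Windows 2000
    # forest); Infrastructure Master NOT on a GC in a multi-domain forest
    # unless every DC in the domain is also a GC.
    $holders     = Get-FsmoHolder
    $multiDomain = (Get-ADForest).Domains.Count -gt 1
    $allDcsAreGc = -not (Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
    foreach ($h in $holders) {
        switch ($h.Role) {
            'DomainNamingMaster' {
                if (-not $h.IsGlobalCatalog) {
                    Write-Warning "Domain Naming Master $($h.Holder) is not a Global Catalog"
                }
            }
            'InfrastructureMaster' {
                if ($multiDomain -and $h.IsGlobalCatalog -and -not $allDcsAreGc) {
                    Write-Warning "Infrastructure Master $($h.Holder) is a GC in a multi-domain forest; cross-domain references will go stale"
                }
            }
        }
    }
    $holders
}

# Same five holders that 'netdom query fsmo' prints, plus the placement warnings.
Test-FsmoPlacement | Format-Table -AutoSize

# Transfer (not seize) the PDC Emulator to DC2; needs Domain Admins per Q7.
# -OperationMasterRole accepts SchemaMaster, DomainNamingMaster, PDCEmulator,
# RIDMaster and InfrastructureMaster. Add -Force only to SEIZE a role whose
# holder is permanently gone, and never return that holder to the network.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator -Confirm
```

Run Test-FsmoPlacement before and after any transfer; the warnings correspond one-for-one to the placement rules in Q6, and the transfer line is left commented so the script is read-only until someone deliberately uncomments it.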

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the Support Tools you can open a blank Microsoft Management Console (Start > Run > mmc) and add the snap-in to the console. Once the snap-in is open, right-click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is the Netdom command-line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Windows 2000 Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start > Programs > Windows 2000 Support Tools. Once open, click Edit > Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the five FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about, and change the servers for, FSMO roles. Ntdsutil.exe, a command-line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.

Part of the Microsoft Windows 2000 Server Resource Kit.

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest" for syntax and switches.

Common uses:

Get a list of all DCs in the domain.

Get the name of the PDC emulator.

Query or reset the secure channel for a server.

Call DsGetDCName to query for an available domain controller.

8. Adcheck (470k, 3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9: How to Transfer and Seize an FSMO Role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
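The modern counterpart to netdom query fsmo, as an added example that is not part of the original document: a PowerShell function using the ActiveDirectory module (RSAT) that lists the five role holders and then checks the placement rules this document gives (every holder answering, the Domain Naming Master on a Global Catalog, the Infrastructure Master not on a GC in a multi-domain forest unless every DC is a GC). The function names are assumptions; the cmdlets and properties are the module's own.

```powershell
# Added example (not from the original document): list the five FSMO role
# holders with the ActiveDirectory module, the modern counterpart of
# "netdom query fsmo", and check the placement rules given in this document.
# Assumes RSAT (ActiveDirectory module) on a domain-joined host.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    # Forest-wide roles live on the forest object, domain-wide on the domain.
    [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
    }
}

function Test-FsmoPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $roles  = Get-FsmoRoleHolder -Domain $Domain

    $report = foreach ($entry in $roles.GetEnumerator()) {
        # Ask the role holder itself about its GC status, so a forest-wide
        # role held in another domain still resolves; a failure here means
        # the holder is not answering LDAP.
        try {
            $dc   = Get-ADDomainController -Identity $entry.Value -Server $entry.Value
            $isGc = $dc.IsGlobalCatalog
            $ok   = $true
        } catch {
            $isGc = $null
            $ok   = $false
        }
        [pscustomobject]@{
            Role            = $entry.Key
            Holder          = $entry.Value
            IsGlobalCatalog = $isGc
            Reachable       = $ok
        }
    }

    # Check 1: an unreachable holder blocks schema changes, domain add/remove,
    # RID pool allocation or cross-domain reference updates, respectively.
    foreach ($r in ($report | Where-Object { -not $_.Reachable })) {
        Write-Warning ("{0} holder {1} did not answer" -f $r.Role, $r.Holder)
    }

    # Check 2: the Domain Naming Master should be on a Global Catalog server.
    $dnm = $report | Where-Object Role -eq 'Domain Naming Master'
    if ($dnm.Reachable -and -not $dnm.IsGlobalCatalog) {
        Write-Warning "Domain Naming Master $($dnm.Holder) is not a Global Catalog"
    }

    # Check 3: in a multi-domain forest the Infrastructure Master must not be
    # a GC, unless every DC in the domain is a GC (then nothing is left to fix).
    $im = $report | Where-Object Role -eq 'Infrastructure Master'
    if (@($forest.Domains).Count -gt 1 -and $im.IsGlobalCatalog) {
        $nonGc = @(Get-ADDomainController -Filter * -Server $Domain |
                   Where-Object { -not $_.IsGlobalCatalog })
        if ($nonGc.Count -gt 0) {
            $msg = "Infrastructure Master {0} is a GC while {1} DC(s) are not; " +
                   "cross-domain references will not be updated"
            Write-Warning ($msg -f $im.Holder, $nonGc.Count)
        }
    }
    $report
}

Test-FsmoPlacement | Format-Table -AutoSize
```

Run it from a workstation with RSAT as a domain user; the warnings are the checks, the table is the same information netdom query fsmo prints.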

GROUP POLICY

Q1: What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC: whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or as Domain Policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers; they cannot be used on Win9x or WinNT computers.

Q2: To whom does a Domain Policy get applied?

Domain Policies are applied to computers and users who are members of a domain, and these policies are configured on domain controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply at the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3: Where to create a Group Policy

To create a Domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name (or another site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right-click the Domain or an OU and choose Properties.

Q4: Who can Create/Modify Group Policies?

You have to have administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type - Allowable Groups/Users

Site Level Group Policies - Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies - Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies - Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already-created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies - The local Administrator user account or members of the local Administrators group.

Q5: How are Group Policies Applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO: local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory; Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to which objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific; they only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable a node's policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6: How to disable Group Policy Objects

When you are creating a Group Policy Object the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column - a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7: When do Group Policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8: When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could be at 60, 90 or 120 minutes. For DCs (domain controllers), background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

Q9: Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection, Software Installation, Logon/Logoff/Startup/Shutdown Scripts

Q9: How to refresh Group Policies using the command line

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)

secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce

secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)

gpupdate /target:computer (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice that the /force switch applies to both user and computer policies; there is no separation of the two like there is with secedit.

Q10: What is the default setting for dial-up users?

Windows 2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11: Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates, Security Settings, EFS Recovery, IPSec

Q12: Which policies do not get applied over slow links?

IE Maintenance Settings, Folder Redirection, Scripts, Disk Quota settings, Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13: Which are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for the domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy

These three policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these three policies at the OU level will have the effect of setting them for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are three policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires

Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only

Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.

Q14: How to restore Group Policy settings back to default

The following command replaces both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single

Q15: What are the two exceptions that control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from that parent.
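The precedence rules described above (local, site, domain, OU processing order; bottom-to-top link order within a container; No Override, called Enforced in later versions; Block Inheritance), modelled offline as an added example that is not part of the original document. It generalises the three-GPO Human Resources OU case to any chain of containers; the function names, the example.test domain and all GPO names and settings are constructed assumptions.

```powershell
# Added example (not from the original document): an offline model of the
# Group Policy precedence rules: LSDOU processing order, bottom-to-top link
# order within a container, Enforced (No Override) and Block Inheritance.
# Container names, GPO names and setting values are constructed sample data.

function Resolve-GpoPrecedence {
    param(
        # Containers ordered from the outermost (the local GPO) down to the
        # container that directly holds the user or computer object. Each has
        # Name, IsLocal, BlockInheritance and Links (Name, Order, Enforced,
        # Enabled, Settings); Order 1 is the top of the Group Policy tab list.
        [Parameter(Mandatory)] [object[]] $Chain
    )
    $queue = @()

    # Pass 1: non-enforced links, outermost container first. A container's
    # non-enforced links are skipped when any container below it blocks
    # inheritance. The local GPO is not inherited, so blocking never drops it.
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        $c = $Chain[$i]
        $blockedBelow = $false
        for ($j = $i + 1; $j -lt $Chain.Count; $j++) {
            if ($Chain[$j].BlockInheritance) { $blockedBelow = $true }
        }
        if ($blockedBelow -and -not $c.IsLocal) { continue }
        # Bottom of the list (highest Order) is applied first so the top wins.
        foreach ($l in ($c.Links | Where-Object { $_.Enabled -and -not $_.Enforced } |
                        Sort-Object Order -Descending)) {
            $queue += @{ Container = $c.Name; Link = $l }
        }
    }

    # Pass 2: enforced links ignore Block Inheritance and are applied after all
    # non-enforced links, innermost container first, so an enforced link on a
    # parent is applied last and wins over anything set closer to the object.
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {
        $c = $Chain[$i]
        foreach ($l in ($c.Links | Where-Object { $_.Enabled -and $_.Enforced } |
                        Sort-Object Order -Descending)) {
            $queue += @{ Container = $c.Name; Link = $l }
        }
    }

    # Apply in order; a later write to the same setting overrides the earlier.
    $applyOrder = New-Object System.Collections.Generic.List[string]
    $effective  = @{}
    foreach ($q in $queue) {
        $applyOrder.Add(("{0} (linked at {1})" -f $q.Link.Name, $q.Container))
        foreach ($setting in $q.Link.Settings.Keys) {
            $effective[$setting] = "{0} (from {1})" -f $q.Link.Settings[$setting], $q.Link.Name
        }
    }
    [pscustomobject]@{ ApplyOrder = $applyOrder; EffectiveSettings = $effective }
}

function New-GpoLink {
    param($Name, [int]$Order, [hashtable]$Settings, [switch]$Enforced, [bool]$Enabled = $true)
    [pscustomobject]@{ Name = $Name; Order = $Order; Settings = $Settings
                       Enforced = [bool]$Enforced; Enabled = $Enabled }
}

# Constructed sample: the Human Resources OU from the document with its three
# GPOs, plus a site GPO, the domain's default policy and an enforced baseline.
$chain = @(
    [pscustomobject]@{ Name = 'Local computer'; IsLocal = $true; BlockInheritance = $false; Links = @(
        New-GpoLink 'Local GPO' 1 @{ ScreenSaverTimeout = '600'; WindowsUpdate = 'Enabled' }) }
    [pscustomobject]@{ Name = 'Default-First-Site-Name'; IsLocal = $false; BlockInheritance = $false; Links = @(
        New-GpoLink 'Site Proxy Settings' 1 @{ ProxyServer = 'proxy.example.test:8080' }) }
    [pscustomobject]@{ Name = 'example.test'; IsLocal = $false; BlockInheritance = $false; Links = @(
        New-GpoLink 'Corp Security Baseline' 1 @{ ScreenSaverTimeout = '300'; ScreenSaverLocked = 'Yes' } -Enforced
        New-GpoLink 'Default Domain Policy' 2 @{ MinPasswordLength = '8' }) }
    [pscustomobject]@{ Name = 'OU=Human Resources'; IsLocal = $false; BlockInheritance = $true; Links = @(
        New-GpoLink 'No ScreenSaver'      1 @{ ScreenSaverTimeout = '0' }
        New-GpoLink 'No Display Settings' 2 @{ DisplaySettings = 'Disabled' }
        New-GpoLink 'No Windows Update'   3 @{ WindowsUpdate = 'Disabled' }) }
)

$result = Resolve-GpoPrecedence -Chain $chain
"Apply order: " + ($result.ApplyOrder -join ' -> ')
$result.EffectiveSettings.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Because the OU blocks inheritance, the site GPO and the Default Domain Policy drop out, while the OU's own links are applied No Windows Update, then No Display Settings, then No ScreenSaver; the enforced baseline still lands last, so its 300-second ScreenSaverTimeout beats the OU's 0.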

Q16: How to Redirect New User and Computer Accounts

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17: What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.

Editing GPOs linked to domains requires Domain Administrative permissions.

Editing GPOs linked to OUs requires permissions for the OU.

Q18: What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.

Page 31: Interview Based Question AD DNS FSMO GPO

NT 4 domain controllers) the PDC emulator is still necessary for the reasons above

4 RID Master (Domain level)

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain It is also responsible for removing an object from its domain and putting it in another domain during an object move

When a DC creates a security principal object such as a user group or computer account it attaches a unique Security ID (SID) to the object This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique in a domain

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates When a DCs allocated RID pool falls below a threshold that DC issues a request for additional RIDs to the domains RID master The domain RID master responds to the request by retrieving RIDs from the domains unallocated RID pool and assigns them to the pool of the requesting DC

There is one RID master per domain in a directory

5 Infrastructure Master (Domain level)

The DC that holds the Infrastructure Master FSMO role is responsible for cross domain updates and lookups When an object in one domain is referenced by another object in another domain it represents the reference by the GUID the SID (for references to security principals) and the distinguished name (DN) of the object being referenced The Infrastructure role holder is the DC responsible for updating an objects SID and distinguished name in a cross-domain object reference

When a user in DomainA is added to a group in DomainB then the Infrastructure master is involved Likewise if that user in DomainA who has been added to a group in DomainB then changes his username in DomainA the Infrastructure master must update the group membership(s) in DomainB with the name change

There is only one Infrastructure master per domain

Q3 What if a FSMO server fails

Schema Master No updates to the Active Directory schema will be possible Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object) then the malfunction of the server holding the Schema Master role will not pose a critical problem

Domain Naming Master The Domain Naming Master must be available when adding or removing a domain from the forest (ie running DCPROMO) If it is not then the domain cannot be added or removed It is also needed when promoting or demoting a server tofrom a Domain Controller Like the Schema Master this functionality is only used on occasion and is not critical unless you are modifying

31

your domain or forest structure

PDC Emulator The server holding the PDC emulator role will cause the most problems if it is unavailable This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x) Since the PDC emulator acts as a NT 4 PDC then any actions that depend on the PDC would be affected (User Manager for Domains Server Manager changing passwords browsing and BDC replication)In a native mode domain the failure of the PDC emulator isnt as critical because other domain controllers can assume most of the responsibilities of the PDC emulator

RID Master The RID Master provides RIDs for security principles (users groups computer accounts) The failure of this FSMO server would have little impact unless you are adding a very large number of users or groupsEach DC in the domain has a pool of RIDs already and a problem would occur only if the DC you adding the usersgroups on ran out of RIDs

Infrastructure Master This FSMO server is only relevant in a multi-domain environment If you only have one domain then the Infrastructure Master is irrelevant Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another

Q4 Where are these FSMO server roles found

The first domain controller that is installed in a Windows 2000 domain by default holds all five of the FSMO server roles Then as more domain controllers are added to the domain the FSMO roles can be moved to other domain controllers

Q5 Can you Move FSMO roles

Yes moving a FSMO server role is a manual process it does not happen automatically But what if you only have one domain controller in your domain That is fine If you have only one domain controller in your organization then you have one forest one domain and of course the one domain controller All 5 FSMO server roles will exist on that DC There is no rule that says you have to have one server for each FSMO server role

Q6 Where to place the FSMO roles

Assuming you do have multiple domain controllers in your domain there are some best practices to follow for placing FSMO server roles

32

The Schema Master and Domain Naming Master should reside on the same server and that machine should be a Global Catalog server Since all three are by default on the first domain controller installed in a forest then you can leave them as they areNote According to MS the Domain Naming master needs to be on a Global Catalog Server If you are going to separate the Domain Naming master and Schema master just make sure they are both on Global Catalog servers

IMP- Why Infrastructure Master should not be on the same server that acts as a Global Catalog serverThe Infrastructure Master should not be on the same server that acts as a Global Catalog

serverThe reason for this is the Global Catalog contains information about every object in the forest When the Infrastructure Master which is responsible for updating Active Directory information about cross domain object changes needs information about objects not in its domain it contacts the Global Catalog server for this information If they both reside on the same server then the Infrastructure Master will never think there are changes to objects that reside in other domains because the Global Catalog will keep it constantly updated This would result in the Infrastructure Master never replicating changes to other domain controllers in its domainNote In a single domain environment this is not an issue

Microsoft also recommends that the PDC Emulator and RID Master be on the same server This is not mandatory like the Infrastructure Master and the Global Catalog server above but is recommended Also since the PDC Emulator will receive more traffic than any other FSMO role holder it should be on a server that can handle the load

It is also recommended that all FSMO role holders be direct replication partners and they have high bandwidth connections to one another as well as a Global Catalog server

Q7What permissions you should have in order to transfer a FSMO role

Before you can transfer a role you must have the appropriate permissions depending on which role you plan to transfer

Schema Master member of the Schema Admins group

Domain Naming Master member of the Enterprise Admins group

PDC Emulatormember of the Domain Admins group andor the Enterprise Admins group

RID Mastermember of the Domain Admins group andor the Enterprise Admins group

Infrastructure Mastermember of the Domain Admins group andor the Enterprise Admins group

FSMO TOOLS

Q8 Tools to find out what servers in your domainforest hold what server roles

33

1 Active Directory Users and Computers- use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator RID Master Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles

Open Active Directory Users and Computers right click on the domain you want to view the FSMO roles for and click Operations Masters A dialog box (below) will open with three tabs one for each FSMO role Click each tab to see what server that role resides on To change the server roles you must first connect to the domain controller you want to move it to Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choose Connect to Domain Controller Once connected to the DC go back into the Operations Masters dialog box choose a role to move and click the Change buttonWhen you do connect to another DC you will notice the name of that DC will be in the field below the Change button (not in this graphic)

34

2 Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers except you use the Active Directory Domains and Trusts snap-in Open Active Directory Domains and Trusts right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master When you do you will see the dialog box below Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller then click the Change button You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the Support Tools you can open a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right-click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out which server holds which FSMO role is the Netdom command-line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.


5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command-line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

- Command-line tool to query for the current FSMO role holders
- Part of the Microsoft Windows 2000 Server Resource Kit
- Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
- Prints to the screen the current FSMO holders
- Calls NTDSUTIL to get this information

7. NLTEST

- Command-line tool to perform common network administrative tasks
- Type "nltest /?" for syntax and switches
- Common uses:
  - Get a list of all DCs in the domain
  - Get the name of the PDC emulator
  - Query or reset the secure channel for a server
  - Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

- A simple utility to view information about AD and FSMO roles
- http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9 How to Transfer and Seize a FSMO Role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504


GROUP POLICY

Q1 What are Group Policies

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers; they cannot be used on Win9x or WinNT computers.

Q2 Domain policy gets applied to whom

Domain Policies are applied to computers and users that are members of a domain, and these policies are configured on domain controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply at the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3 From Where to create a Group Policy

To create a Domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name (or another site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right-click the Domain or an OU and choose Properties.

Q4 Who can CreateModify Group Policies

You have to have administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: the local Administrator user account or members of the local Administrators group.

Q5 How are Group Policies Applied

Group Policies can be configured locally, at the Site level, the Domain level or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory; Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to which objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific; they only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable a node's policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top of the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6 How to disable Group Policy Objects

When you are creating a Group Policy Object the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column - a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column again to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7 When do the group policy scripts run

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8 When does group policy get refreshed/applied

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could be 60, 90 or 120 minutes. For DCs (domain controllers), background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes, Administrative Templates, System, Group Policy.

Q9 Which policies are not affected by background refresh

Policies not affected by background refresh (these policies are only applied at logon time):

- Folder Redirection
- Software Installation
- Logon, Logoff, Startup and Shutdown Scripts

Q9 How to refresh Group Policies using the command line

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy      (to refresh the user policies)
secedit /refreshpolicy machine_policy   (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user       (to refresh the user policies)
gpupdate /target:computer   (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies; there is no separation of the two like there is with secedit.

Q10 What is the default setting for dial-up users

Windows 2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11 Which policies get applied regardless of the speed of the dial-up connection

Some policies are always applied regardless of the speed of the dial-up connection. These are:

- Administrative Templates
- Security Settings
- EFS Recovery
- IPSec

Q12 Which policies do not get applied over slow links

- IE Maintenance Settings
- Folder Redirection
- Scripts
- Disk Quota settings
- Software Installation and Maintenance

These settings can be changed under the Computer and User nodes, Administrative Templates, System, Group Policy.


If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13 Which are the two types of default policies

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:

- Password Policy
- Account Lockout Policy
- Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are 3 policies that are affected by the Default Domain Policy:

- Automatically log off users when logon time expires
- Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
- Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally and so on.


Q14 How to restore Group Policy settings back to default

The following command would replace both the Default Domain Security Policy and the Default Domain Controllers Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single


Q15 What are the two exceptions to control the inheritance of group policy

No Override: when you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: you can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
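The LSDOU processing order, bottom-to-top link order, No Override (called Enforced in later versions) and Block Inheritance described in the last few sections interact in ways that are easy to get wrong when reading a Group Policy tab. The following PowerShell model is an added example, not part of the original document; the site, domain, OU, GPO names and settings in it are constructed sample data that reuse the Human Resources OU scenario from the text.

```powershell
# Added example, not from the original document: a model of how a client
# orders GPOs under LSDOU with link order, No Override (Enforced) and
# Block Inheritance. All containers, GPO names and settings below are
# constructed sample data, not a real domain.
Set-StrictMode -Version Latest

function New-GpoLink {
    param([string]$Gpo, [int]$LinkOrder, [hashtable]$Settings, [switch]$Enforced)
    # LinkOrder 1 is the top of the list on the Group Policy tab and is
    # applied last, so it wins conflicts within its own container.
    [pscustomobject]@{ Gpo = $Gpo; LinkOrder = $LinkOrder; Settings = $Settings; Enforced = [bool]$Enforced }
}

function New-Container {
    param([string]$Name, [object[]]$Links = @(), [switch]$BlockInheritance)
    [pscustomobject]@{ Name = $Name; Links = @($Links); BlockInheritance = [bool]$BlockInheritance }
}

# $Chain is the container path from the top down: site, domain, OU, nested OUs.
function Get-GpoApplyOrder {
    param([hashtable]$LocalGpoSettings, [object[]]$Chain)

    $applied = New-Object System.Collections.Generic.List[object]
    # 1. The local GPO is always processed first and cannot be blocked.
    $applied.Add([pscustomobject]@{ Container = 'Local'; Gpo = 'Local GPO'; Enforced = $false; Settings = $LocalGpoSettings })

    # Block Inheritance on a container discards the ordinary (non-enforced)
    # links of every container above it; the deepest block is the one that counts.
    $blockAt = -1
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        if ($Chain[$i].BlockInheritance) { $blockAt = $i }
    }

    # 2. Site, domain and OUs top-down; within a container the bottom of the
    #    list is applied first and the top of the list last.
    for ($i = 0; $i -lt $Chain.Count; $i++) {
        if ($i -lt $blockAt) { continue }   # above a blocking container: dropped
        $links = @($Chain[$i].Links | Where-Object { -not $_.Enforced } | Sort-Object LinkOrder -Descending)
        foreach ($l in $links) {
            $applied.Add([pscustomobject]@{ Container = $Chain[$i].Name; Gpo = $l.Gpo; Enforced = $false; Settings = $l.Settings })
        }
    }

    # 3. Enforced (No Override) links are never blocked and are applied after
    #    everything else, deepest container first, so the highest container's
    #    enforced link lands last and wins every conflict, even against a
    #    child container's own enforced links.
    for ($i = $Chain.Count - 1; $i -ge 0; $i--) {
        $links = @($Chain[$i].Links | Where-Object { $_.Enforced } | Sort-Object LinkOrder -Descending)
        foreach ($l in $links) {
            $applied.Add([pscustomobject]@{ Container = $Chain[$i].Name; Gpo = $l.Gpo; Enforced = $true; Settings = $l.Settings })
        }
    }
    return $applied.ToArray()
}

# A later GPO overwrites an earlier one for the same setting (last writer
# wins); record which GPO and container supplied each effective value.
function Get-EffectiveSettings {
    param([object[]]$ApplyOrder)
    $effective = [ordered]@{}
    foreach ($entry in $ApplyOrder) {
        foreach ($key in $entry.Settings.Keys) {
            $effective[$key] = [pscustomobject]@{ Value = $entry.Settings[$key]; WinningGpo = $entry.Gpo; Container = $entry.Container }
        }
    }
    return $effective
}

# Constructed sample: the Human Resources OU blocks inheritance, so the
# ordinary Default Domain Policy link never reaches it, but the domain's
# No Override lockdown GPO still does and overrides the OU's own setting.
$chain = @(
    (New-Container -Name 'Site: Default-First-Site-Name'),
    (New-Container -Name 'Domain: corp.example' -Links @(
        (New-GpoLink -Gpo 'Default Domain Policy' -LinkOrder 1 -Settings @{ MinPasswordLength = 8 }),
        (New-GpoLink -Gpo 'Corporate Lockdown' -LinkOrder 2 -Settings @{ WindowsUpdate = 'Enabled' } -Enforced)
    )),
    (New-Container -Name 'OU: Human Resources' -BlockInheritance -Links @(
        (New-GpoLink -Gpo 'No ScreenSaver' -LinkOrder 1 -Settings @{ ScreenSaver = 'Disabled' }),
        (New-GpoLink -Gpo 'No Display Settings' -LinkOrder 2 -Settings @{ DisplayCpl = 'Hidden'; ScreenSaver = 'Allowed' }),
        (New-GpoLink -Gpo 'No Windows Update' -LinkOrder 3 -Settings @{ WindowsUpdate = 'Disabled' })
    ))
)

$order = Get-GpoApplyOrder -LocalGpoSettings @{ Wallpaper = 'local.bmp' } -Chain $chain
'Application order (first applied to last):'
$order | Format-Table Container, Gpo, Enforced -AutoSize | Out-String
'Effective settings:'
$effective = Get-EffectiveSettings -ApplyOrder $order
foreach ($e in $effective.GetEnumerator()) {
    '{0,-18} = {1,-9} from "{2}" ({3})' -f $e.Key, $e.Value.Value, $e.Value.WinningGpo, $e.Value.Container
}
```

Swap the Enforced switch or the BlockInheritance flag in the sample and rerun to see which GPO supplies each setting change; on a real domain, Get-GPInheritance from the GroupPolicy module reports the same resolved link order for a given container.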

Q16 How to Redirect New User and Computer Accounts

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17 What permissions should an administrator have to manage GPOs

- Editing GPOs linked to sites requires Enterprise Administrative permissions
- Editing GPOs linked to domains requires Domain Administrative permissions
- Editing GPOs linked to OUs requires permissions for the OU

Q18 What is the client requirement for supporting GPOs

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

- Windows 95/98/Me do not support Group Policy.
- Windows NT 4.0 and earlier versions do not support Group Policy.
- Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.
- Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


your domain or forest structure

PDC Emulator: the server holding the PDC Emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed-mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC Emulator acts as an NT 4 PDC, any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native-mode domain the failure of the PDC Emulator isn't as critical, because other domain controllers can assume most of the responsibilities of the PDC Emulator.

RID Master: the RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem would occur only if the DC you are adding the users/groups on ran out of RIDs.

Infrastructure Master: this FSMO server is only relevant in a multi-domain environment. If you only have one domain then the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.

Q4 Where are these FSMO server roles found

The first domain controller that is installed in a Windows 2000 domain holds all five of the FSMO server roles by default. Then, as more domain controllers are added to the domain, the FSMO roles can be moved to other domain controllers.

Q5 Can you move FSMO roles

Yes. Moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization then you have one forest, one domain and, of course, the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

Q6 Where to place the FSMO roles

Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles:


The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are by default on the first domain controller installed in a forest, you can leave them as they are. Note: according to MS, the Domain Naming Master needs to be on a Global Catalog server. If you are going to separate the Domain Naming Master and Schema Master, just make sure they are both on Global Catalog servers.

IMP - Why the Infrastructure Master should not be on the same server that acts as a Global Catalog server: the Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: in a single-domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog server rule above, but it is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and that they have high-bandwidth connections to one another as well as to a Global Catalog server.
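The FSMO tools listed under Q8 and the placement rules above can be combined into one read-only check. The script below is an added example, not part of the original document or of any Microsoft tool: it uses the ActiveDirectory PowerShell module (part of RSAT, which is assumed to be installed) to read the same role holders that netdom query fsmo prints, then reports which of the placement rules the current layout follows.

```powershell
# Added example, not from the original document. Reads the five FSMO role
# holders with the ActiveDirectory (RSAT) module and checks them against the
# placement guidance above. Run it as a domain user on a domain-joined
# machine that has RSAT installed; it only reads, it does not move roles.
Import-Module ActiveDirectory

# The PowerShell equivalent of "netdom query fsmo", plus the facts needed by
# the placement checks below.
function Get-FsmoRoleHolders {
    param([string]$Domain)   # DNS name of the domain to inspect; current domain if omitted
    $forest = Get-ADForest
    $dom = if ($Domain) { Get-ADDomain -Identity $Domain } else { Get-ADDomain }
    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        SchemaMaster         = $forest.SchemaMaster        # forest-wide roles
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator             # domain-wide roles
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
        DomainCount          = @($forest.Domains).Count
        GlobalCatalogs       = @($forest.GlobalCatalogs)    # FQDNs of every GC in the forest
    }
}

function New-Finding {
    param([string]$Rule, [bool]$Ok, [string]$Detail)
    $status = if ($Ok) { 'OK' } else { 'CHECK' }
    [pscustomobject]@{ Rule = $Rule; Status = $status; Detail = $Detail }
}

# One finding per placement rule from the text. 'CHECK' means the layout
# differs from the guidance and deserves a look, not that something is broken.
function Test-FsmoPlacement {
    param([Parameter(Mandatory)]$Roles)   # output of Get-FsmoRoleHolders
    $gcs = $Roles.GlobalCatalogs

    # Schema Master and Domain Naming Master together, on a Global Catalog.
    New-Finding -Rule 'Schema Master and Domain Naming Master on same DC' `
        -Ok ($Roles.SchemaMaster -eq $Roles.DomainNamingMaster) `
        -Detail "$($Roles.SchemaMaster) / $($Roles.DomainNamingMaster)"
    New-Finding -Rule 'Domain Naming Master is a Global Catalog' `
        -Ok ($gcs -contains $Roles.DomainNamingMaster) -Detail $Roles.DomainNamingMaster

    # Infrastructure Master must not be a GC in a multi-domain forest. In a
    # single-domain forest the rule does not apply (nor does it matter when
    # every DC in the domain is also a GC, since then there is nothing to update).
    $imIsGc = $gcs -contains $Roles.InfrastructureMaster
    if ($Roles.DomainCount -le 1) {
        New-Finding -Rule 'Infrastructure Master not on a GC' -Ok $true -Detail 'single-domain forest, not applicable'
    } else {
        New-Finding -Rule 'Infrastructure Master not on a GC' -Ok (-not $imIsGc) -Detail $Roles.InfrastructureMaster
    }

    # PDC Emulator and RID Master together is recommended, not mandatory.
    New-Finding -Rule 'PDC Emulator and RID Master on same DC (recommended)' `
        -Ok ($Roles.PDCEmulator -eq $Roles.RIDMaster) `
        -Detail "$($Roles.PDCEmulator) / $($Roles.RIDMaster)"
}

$roles = Get-FsmoRoleHolders
$roles | Format-List
Test-FsmoPlacement -Roles $roles | Format-Table -AutoSize
```

Pass -Domain with a child domain's DNS name to check the three domain-wide roles of another domain in the forest; the two forest-wide roles are the same whichever domain you query.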

Q7 What permissions should you have in order to transfer a FSMO role

Before you can transfer a role, you must have the appropriate permissions, depending on which role you plan to transfer:

- Schema Master: member of the Schema Admins group
- Domain Naming Master: member of the Enterprise Admins group
- PDC Emulator: member of the Domain Admins group and/or the Enterprise Admins group
- RID Master: member of the Domain Admins group and/or the Enterprise Admins group
- Infrastructure Master: member of the Domain Admins group and/or the Enterprise Admins group

FSMO TOOLS

Q8 Tools to find out which servers in your domain/forest hold which server roles

1. Active Directory Users and Computers - use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers right click on the domain you want to view the FSMO roles for and click Operations Masters A dialog box (below) will open with three tabs one for each FSMO role Click each tab to see what server that role resides on To change the server roles you must first connect to the domain controller you want to move it to Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choose Connect to Domain Controller Once connected to the DC go back into the Operations Masters dialog box choose a role to move and click the Change buttonWhen you do connect to another DC you will notice the name of that DC will be in the field below the Change button (not in this graphic)

34

2 Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers except you use the Active Directory Domains and Trusts snap-in Open Active Directory Domains and Trusts right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master When you do you will see the dialog box below Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller then click the Change button You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller

3 Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role However the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation You first have to install the Support Tools from the Support directory on the Windows 2000 server CD or install the Windows 2000 Server Resource Kit Once you install the support tools you can open up a blank Microsoft Management Console (start run mmc) and add the snap-in to the console Once the snap-in is open right click Active Directory Schema at the top of the tree and choose Operations Masters You will see the dialog box below Changing the server the Schema Master resides on requires you first connect to another domain controller and then click the Change button

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller

35

4Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility Like the Active Directory Schema snap-in the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit

To use Netdom to view the FSMO role holders open a command prompt window and typenetdom query fsmo and press enter You will see a list of the FSMO role servers

36

5 Active Directory Relication Monitor another tool that comes with the Support Tools is the Active Directory Relication Monitor Open this utility from Start Programs Windows 2000 Support Tools Once open click Edit Add Monitored Server and add the name of a Domain Controller Once added right click the Server name and choose properties Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below) You cannot change roles using Replication Monitor but this tool has many other useful purposes in regard to Active Directory information It is something you should check out if you havent already

Finally you can use the Ntdsutilexe utility to gather information about and change servers for FSMO roles Ntdsutilexe a command line utility that is installed with Windows 2000 server is rather complicated and beyond the scope of this document

6 DUMPFSMOS

Command-line tool to query for the current FSMO role holders

Part of the Microsoft Windows 2000 Server Resource Kit

Downloadable from httpwwwmicrosoftcomwindows200037

techinforeskitdefaultasp

Prints to the screen the current FSMO holders

Calls NTDSUTIL to get this information

7 NLTEST

Command-line tool to perform common network administrative tasks

Type ldquonltest rdquo for syntax and switches

Common uses

Get a list of all DCs in the domain

Get the name of the PDC emulator

Query or reset the secure channel for a server

Call DsGetDCName to query for an available domain controller

8 Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles

httpwwwsvropscomsvropsdownloadszipfilesADcheckmsi

Q9 How to Transfer and Seize a FSMO Role

httpsupportmicrosoftcomdefaultaspxscid=kben-usQ255504

38

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC: whether you don't want users to run Windows Update or change their display settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or by domain policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure or modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers. They cannot be used on Win9x or Windows NT computers.

Q2. Domain policy gets applied to whom?

Domain policies are applied to computers and users that are members of a domain, and these policies are configured on domain controllers. You can access domain Group Policies by opening Active Directory Sites and Services (these policies apply to the site level only) or Active Directory Users and Computers (these policies apply to the domain and/or organizational units).

Q3. From where to create a Group Policy?

To create a domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name (or another site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except that you right-click the domain or an OU and choose Properties.

Q4. Who can create/modify Group Policies?

You have to have administrative privileges to create or modify Group Policies. The following shows who can create/modify Group Policies at each level:

Site-level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain-level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU-level Group Policies: Enterprise Administrators, Domain Administrators, or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group. Note that membership of Group Policy Creator Owners lets a user create GPOs and edit the ones they created; editing a GPO created by someone else requires being granted Edit permission on that specific GPO.

Additionally, at the OU level users can be delegated control of the OU's Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already-created Group Policies to the OU. If you want to give the OU administrators control over creating/modifying Group Policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: the local Administrator user account or members of the local Administrators group.
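The sequence in Q3 and Q4 (create a GPO, link it to a container, then delegate who may edit it and who may link it) is shown below as an added PowerShell example; it is not part of the original document and uses the GroupPolicy RSAT module rather than the Windows 2000 MMC dialogs. The OU, GPO and group names are hypothetical. It delegates edit rights on one GPO directly instead of adding the group to Group Policy Creator Owners, which is the narrower grant when a team should manage only its own policies.

```powershell
# Added example (not from the original document): create, link and delegate
# a GPO with the GroupPolicy module. OU/GPO/group names are hypothetical.
Import-Module GroupPolicy

$ouDn    = 'OU=Human Resources,DC=corp,DC=example,DC=com'
$gpoName = 'HR - No Windows Update'
$editors = 'HR-GPO-Editors'        # a domain security group

# 1. Create the GPO. It exists in the domain but applies nowhere until linked.
$gpo = New-GPO -Name $gpoName -Comment 'Created by HR delegation script'

# 2. Link it to the OU with the link disabled, so a half-configured GPO is not
#    applied to anyone (the Q6 advice, done at creation time).
New-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled No | Out-Null

# 3. Delegate editing of this one GPO. GpoEdit = change settings;
#    GpoEditDeleteModifySecurity would also allow deleting it and changing its ACL.
Set-GPPermission -Guid $gpo.Id -TargetName $editors -TargetType Group -PermissionLevel GpoEdit | Out-Null

# The right to LINK GPOs to the OU is an ACE on the OU (gPLink/gPOptions), which
# is what the Delegate Control wizard writes. Command-line equivalent (dsacls):
#   dsacls "$ouDn" /G "CORP\HR-GPO-Editors:RPWP;gPLink" "CORP\HR-GPO-Editors:RPWP;gPOptions"

# 4. Review the resulting ACL, then enable the link once the settings are complete.
function Get-GpoDelegation {
    param([guid]$GpoId)
    Get-GPPermission -Guid $GpoId -All |
        ForEach-Object { [pscustomobject]@{ Trustee = $_.Trustee.Name; Permission = $_.Permission } }
}
Get-GpoDelegation -GpoId $gpo.Id | Format-Table -AutoSize
Set-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled Yes | Out-Null
```

Authenticated Users keep GpoApply on a new GPO by default; if you remove that permission to scope the GPO by group, remember that the computer account still needs Read on the GPO for the computer node to apply.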

Q5. How are Group Policies applied?

Group Policies can be configured locally, at the site level, at the domain level, or at the organizational unit (OU) level. Group Policies are applied in a specific order, LSDOU: local policies first, then site-based policies, then domain-level policies, then OU policies, then nested OU policies (OUs within OUs). A policy applied later wins any conflict, so an OU setting overrides a conflicting domain setting. Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, domains, and OUs are considered container objects.

Computer and user Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally's user object can be in one OU while her computer object is in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to which objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole: whoever logs on to that computer will see those policies. Note: computer policies are also referred to as machine policies.

User policies are user-specific. They only apply to the user that is logged on. When creating domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally's user object is in the Development OU, which is nested inside the Security OU (an object lives in exactly one OU, but it inherits the GPOs linked to every OU above it). When Sally logs on to her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Security OU first and then Development OU (or vice versa). The same goes for computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the computer policies are applied. When users log in, the user policies are applied. When user and computer Group Policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any one container, the Group Policies are applied from bottom to top of the Group Policy Object list. The top Group Policy in the list is the last to be applied, so it has the highest precedence. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disabled column; a check mark will appear. Click the Edit button, make your changes, then double-click under the Disabled column again to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.
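The link-order rule above (top of the list = applied last = wins) and the Q6 disable/re-enable step are easy to get backwards from the GUI, so here is an added PowerShell example, not part of the original document, that lists the effective order for an OU, moves a link to the top, and disables a GPO (or just one of its two nodes) while it is being edited. The GroupPolicy RSAT module is required; the OU and GPO names are hypothetical.

```powershell
# Added example (not from the original document): inspect GPO precedence for a
# container, reorder a link, and disable a GPO or one node of it.
# OU and GPO names are hypothetical.
Import-Module GroupPolicy

function Get-EffectiveGpoOrder {
    param([string]$Target)   # distinguished name of an OU or the domain
    $inh = Get-GPInheritance -Target $Target
    # InheritedGpoLinks is already sorted by precedence: the first entry wins
    # conflicts. It is the order the "Group Policy Inheritance" tab displays.
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        [pscustomobject]@{
            Precedence = $rank
            GpoName    = $link.DisplayName
            LinkedAt   = $link.Target
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced
        }
    }
}

$hrOu = 'OU=Human Resources,DC=corp,DC=example,DC=com'
Get-EffectiveGpoOrder -Target $hrOu | Format-Table -AutoSize

# Put "No ScreenSaver" at link order 1 (top of the OU's list): applied last, wins conflicts.
Set-GPLink -Name 'No ScreenSaver' -Target $hrOu -Order 1 | Out-Null

# Q6, option A: disable only this OU's link while the GPO is edited.
Set-GPLink -Name 'No Display Settings' -Target $hrOu -LinkEnabled No | Out-Null

# Q6, option B: disable the GPO itself (every link), or just the node with no
# settings to save processing time. Assigning GpoStatus writes immediately.
$gpo = Get-GPO -Name 'No Display Settings'
$gpo.GpoStatus = 'AllSettingsDisabled'        # also: UserSettingsDisabled, ComputerSettingsDisabled

# ... edit the GPO ...

$gpo.GpoStatus = 'AllSettingsEnabled'
Set-GPLink -Name 'No Display Settings' -Target $hrOu -LinkEnabled Yes | Out-Null
Get-EffectiveGpoOrder -Target $hrOu | Format-Table -AutoSize
```

Get-EffectiveGpoOrder is also the quickest way to answer "why does this OU still get setting X": the winner is whatever GPO appears first in its output, regardless of which container it was linked to.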


Q7. When do Group Policy scripts run?

Startup scripts are processed at computer boot-up, before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, before the shutdown script runs.

Q8. When does Group Policy get refreshed/applied?

Group Policies are applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called background refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 minutes plus a random offset of 0 to 30 minutes, so a refresh happens somewhere between 90 and 120 minutes after the previous one. For DCs (domain controllers) background refresh is every 5 minutes. Also, every 16 hours the security settings are reapplied (user and machine) even if no GPO has changed; other settings are only reprocessed when a GPO has changed. These intervals can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

Q9. Which policies are not affected by background refresh?

The following policies are not affected by background refresh; they are only applied at boot or logon time (foreground processing):

Folder Redirection, Software Installation, and Logon/Logoff/Startup/Shutdown scripts.

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh Group Policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy, to refresh the user policies
secedit /refreshpolicy machine_policy, to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command-line tool that can be used to refresh Group Policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user, to refresh the user policies
gpupdate /target:computer, to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

gpupdate /force

Notice that with no /target switch, gpupdate (and gpupdate /force) refreshes both user and computer policies. Unlike secedit's /enforce, /force can also be combined with /target to force just one of the two, for example gpupdate /target:computer /force.
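As an added example (not from the original document), the PowerShell below wraps gpupdate so the /target and /force combinations from Q9 are explicit, and then shows how the background-refresh interval from Q8 is set and read back through a GPO with the GroupPolicy RSAT module. The GPO name "Refresh Interval" is hypothetical; the registry values are the ones the Administrative Templates > System > Group Policy setting writes.

```powershell
# Added example (not from the original document): scripted policy refresh and
# the computer background-refresh interval as a GPO registry policy.
# The GPO name "Refresh Interval" is hypothetical.
Import-Module GroupPolicy

function Invoke-PolicyRefresh {
    param(
        [ValidateSet('Computer', 'User', 'Both')] [string]$Target = 'Both',
        [switch]$Force
    )
    # Without /force only GPOs that changed since the last refresh are reprocessed.
    $argList = @()
    if ($Target -ne 'Both') { $argList += "/target:$($Target.ToLower())" }
    if ($Force)             { $argList += '/force' }
    & gpupdate.exe @argList
    if ($LASTEXITCODE -ne 0) { throw "gpupdate $argList failed with exit code $LASTEXITCODE" }
}

Invoke-PolicyRefresh -Target Computer -Force    # gpupdate /target:computer /force
Invoke-PolicyRefresh                            # gpupdate: both nodes, changed GPOs only

# Computer Configuration > Administrative Templates > System > Group Policy >
# "Group Policy refresh interval for computers" is stored as two DWORD values.
$key = 'HKLM\Software\Policies\Microsoft\Windows\System'

function Set-RefreshInterval {
    param([string]$GpoName, [int]$Minutes, [int]$OffsetMinutes)
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'GroupPolicyRefreshTime' -Type DWord -Value $Minutes | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'GroupPolicyRefreshTimeOffset' -Type DWord -Value $OffsetMinutes | Out-Null
}

function Get-RefreshWindow {
    # A refresh fires at interval + random(0..offset) minutes after the last one,
    # so the default 90/30 gives a 90..120 minute window, not 60..120.
    param([string]$GpoName)
    $interval = (Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'GroupPolicyRefreshTime').Value
    $offset   = (Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'GroupPolicyRefreshTimeOffset').Value
    [pscustomobject]@{ MinMinutes = $interval; MaxMinutes = $interval + $offset }
}

Set-RefreshInterval -GpoName 'Refresh Interval' -Minutes 90 -OffsetMinutes 30
Get-RefreshWindow   -GpoName 'Refresh Interval'
```

Keep the offset non-zero: it exists so that a fleet of computers does not hit the domain controllers in lock-step after a shared reboot.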

Q10. What is the default setting for dial-up users?

Windows 2000 considers a slow link to be anything below 500 kbps. When a user logs on to a domain over a link slower than 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and decide whether to apply each category of Group Policy.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the connection. These are:

Administrative Templates, Security Settings, EFS Recovery, and IPSec.

Q12. Which policies do not get applied over slow links?

IE Maintenance settings, Folder Redirection, Scripts, Disk Quota settings, and Software Installation and Maintenance.

These settings (the slow-link threshold and which categories are processed over a slow link) can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.


If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy: this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

Password Policy, Account Lockout Policy, Kerberos Policy.

For domain accounts these three policies can only be set at the domain level. If you set them anywhere else (site or OU) they are ignored for domain accounts. However, setting Password Policy or Account Lockout Policy at the OU level does take effect for the local (SAM) accounts of the computers in that OU: log on to the domain and you get the domain policy; log on locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are three policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires; Rename Administrator Account (when set at the domain level it affects the domain Administrator account only); Rename Guest Account (when set at the domain level it affects the domain Guest account only).

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but that is not recommended.

Default Domain Controllers Policy: this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. It is linked to the Domain Controllers OU, so it applies to every domain controller in that OU, which is where all DCs are placed by default and where they should stay: a DC moved to another OU stops receiving this policy, and its user-rights and audit settings then diverge from the other DCs.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. audit policies, event log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to default?

The following command replaces both the Default Domain Policy and the Default Domain Controllers Policy. You can specify Domain or DC instead of Both to restore only one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPOs. dcgpofix discards every setting that has been added to the two GPOs since the domain was created and offers no undo, so back them up first.

If you've ever made changes to the default GPOs and would like to revert to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which restores the GPOs according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.
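Because dcgpofix is irreversible, a practitioner backs up first and verifies afterwards. The PowerShell below is an added example, not part of the original document: it backs up every GPO with the GroupPolicy module, runs dcgpofix with the /target and /ignoreschema switches described above, and reads the domain account policy back with the ActiveDirectory module to confirm the reset. The backup path is hypothetical; run it on a DC of the target domain as a Domain Admin.

```powershell
# Added example (not from the original document): back up all GPOs, reset the
# two default GPOs with dcgpofix, then verify. Backup path is hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Reset-DefaultGpos {
    param(
        [ValidateSet('Domain', 'DC', 'Both')] [string]$Target = 'Both',
        [string]$BackupPath = ('C:\GPO-Backups\' + (Get-Date -Format 'yyyyMMdd-HHmmss')),
        [switch]$IgnoreSchema   # only for the schema-version mismatch described above
    )
    # 1. Backup: dcgpofix has no undo, Restore-GPO from this folder is the rollback.
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    $backups = Backup-GPO -All -Path $BackupPath -Comment 'Before dcgpofix'
    Write-Host "Backed up $($backups.Count) GPOs to $BackupPath"

    # 2. Reset. dcgpofix asks for confirmation at the console.
    $argList = @()
    if ($IgnoreSchema) { $argList += '/ignoreschema' }
    $argList += "/target:$Target"
    & dcgpofix.exe @argList
    if ($LASTEXITCODE -ne 0) {
        throw "dcgpofix returned $LASTEXITCODE. Roll back with: Restore-GPO -All -Path '$BackupPath'"
    }

    # 3. Verify: the domain-level account policy (Q13) is back to installation defaults.
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold, ComplexityEnabled
}

Reset-DefaultGpos -Target Both
```

After the reset, any hardening that lived in the default GPOs (audit policy, user rights on DCs, password length) is gone until you re-import it from the backup or from a separate GPO, which is one more reason to keep such settings out of the two default GPOs as Q13 advises.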

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. A single object can sit inside several nested OUs. In this case GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next-highest-level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions that control the inheritance of Group Policy?

No Override: when you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy. (Later versions of the Group Policy Management Console call this option Enforced.)

Block Inheritance: you can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
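The interaction between the two options (an enforced link survives a child's Block Inheritance) is shown in the added PowerShell example below, which is not part of the original document: it blocks inheritance on a child OU, enforces a domain-linked baseline GPO, and reads back which GPOs still reach the child. OU and GPO names are hypothetical; it uses the GroupPolicy RSAT module, where No Override is called Enforced.

```powershell
# Added example (not from the original document): Block Inheritance on a child
# OU versus an enforced (No Override) link on the domain. Names are hypothetical.
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example,DC=com'
$labOu    = 'OU=Lab,OU=Engineering,DC=corp,DC=example,DC=com'

# The lab OU should not inherit the engineering or domain GPOs...
Set-GPInheritance -Target $labOu -IsBlocked Yes | Out-Null

# ...except the security baseline, whose domain link is enforced. An enforced
# link beats Block Inheritance and beats any conflicting GPO linked lower down.
Set-GPLink -Name 'Security Baseline' -Target $domainDn -Enforced Yes | Out-Null

function Get-EffectiveGpos {
    param([string]$Target)
    $inh = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        Container          = $inh.Path
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        # With the block in place only the OU's own links and enforced links
        # from above remain; listed winner-first.
        EffectiveGpos      = @($inh.InheritedGpoLinks | ForEach-Object {
            "$($_.DisplayName) (linked at $($_.Target), enforced=$($_.Enforced))"
        })
    }
}

Get-EffectiveGpos -Target $labOu | Format-List
```

Use Block Inheritance sparingly: every blocked OU is a place where a future domain-level control silently does not apply, and the only way to push one through is to enforce it, which then also overrides legitimate OU-level settings below.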

Q16. How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003; the domain must be at the Windows Server 2003 functional level for the redirection to work. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.
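The redirection procedure above, as an added PowerShell example that is not part of the original document: it creates the target OUs if needed, runs redirusr.exe and redircomp.exe, and verifies the change two ways, by reading the domain's default containers back and by creating a throw-away user without a -Path. OU names are hypothetical; it needs the ActiveDirectory RSAT module, Domain Admin rights, and a Windows Server 2003 or higher domain functional level.

```powershell
# Added example (not from the original document): redirect the default
# containers for new users and computers, then verify. OU names are hypothetical.
Import-Module ActiveDirectory

function Set-DefaultAccountContainers {
    param(
        [string]$UsersOuName     = 'New Users',
        [string]$ComputersOuName = 'New Computers'
    )
    $domain = Get-ADDomain
    $plan = @(
        @{ Tool = 'redirusr.exe';  Name = $UsersOuName },
        @{ Tool = 'redircomp.exe'; Name = $ComputersOuName }
    )
    foreach ($step in $plan) {
        $ouDn = "OU=$($step.Name),$($domain.DistinguishedName)"
        # Create the OU if missing. Link the GPOs you want BEFORE redirecting,
        # so the first account created there is already covered.
        if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
            New-ADOrganizationalUnit -Name $step.Name -Path $domain.DistinguishedName | Out-Null
        }
        # redirusr/redircomp rewrite the wellKnownObjects attribute on the domain head.
        & $step.Tool $ouDn
        if ($LASTEXITCODE -ne 0) { throw "$($step.Tool) failed with exit code $LASTEXITCODE" }
    }
    # Read the defaults back; these are what New-ADUser/New-ADComputer use without -Path.
    $domain = Get-ADDomain
    [pscustomobject]@{
        UsersContainer     = $domain.UsersContainer
        ComputersContainer = $domain.ComputersContainer
    }
}

function Test-UserRedirection {
    # Creates a disabled throw-away user with no -Path and reports where it landed.
    $sam = 'gp-redirect-test'
    New-ADUser -Name $sam -SamAccountName $sam -Enabled $false
    try   { (Get-ADUser -Identity $sam).DistinguishedName }
    finally { Remove-ADUser -Identity $sam -Confirm:$false }
}

Set-DefaultAccountContainers
Test-UserRedirection     # expected: CN=gp-redirect-test,OU=New Users,DC=...
```

Tools that create accounts with an explicit path (most provisioning systems) are unaffected by the redirection; it only changes where accounts go when no container is specified, which is exactly the case the built-in Users and Computers containers were catching.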

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrator permissions. Editing GPOs linked to domains requires Domain Administrator permissions. For GPOs linked to OUs, linking requires permissions on the OU, while editing requires Edit permission on the GPO itself.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of an Active Directory domain. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored. Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.


  • ACTIVE DIRECTORY – DNS – FSMO – GROUP POLICY
  • What Is Active Directory
    • Purpose of Active Directory
    • Functions of Active Directory
    • Sites within Active Directory
      • Operations Master Roles
        • Forest-wide Roles
        • Domain-wide Roles
        • Integration of DNS and Active Directory
          • What Are Active Directory Integrated Zones
            • Active Directory Integrated Zones
              • What Are DNS Zones
                • Types of Zones
                  • Standard Zone
                    • Standard Primary Zone
                    • Standard Secondary Zone
                      • Directory-integrated Zone
                          • DNS Records
Page 33: Interview Based Question AD DNS FSMO GPO

The Schema Master and Domain Naming Master should reside on the same server and that machine should be a Global Catalog server Since all three are by default on the first domain controller installed in a forest then you can leave them as they areNote According to MS the Domain Naming master needs to be on a Global Catalog Server If you are going to separate the Domain Naming master and Schema master just make sure they are both on Global Catalog servers

IMP- Why Infrastructure Master should not be on the same server that acts as a Global Catalog serverThe Infrastructure Master should not be on the same server that acts as a Global Catalog

serverThe reason for this is the Global Catalog contains information about every object in the forest When the Infrastructure Master which is responsible for updating Active Directory information about cross domain object changes needs information about objects not in its domain it contacts the Global Catalog server for this information If they both reside on the same server then the Infrastructure Master will never think there are changes to objects that reside in other domains because the Global Catalog will keep it constantly updated This would result in the Infrastructure Master never replicating changes to other domain controllers in its domainNote In a single domain environment this is not an issue

Microsoft also recommends that the PDC Emulator and RID Master be on the same server This is not mandatory like the Infrastructure Master and the Global Catalog server above but is recommended Also since the PDC Emulator will receive more traffic than any other FSMO role holder it should be on a server that can handle the load

It is also recommended that all FSMO role holders be direct replication partners and they have high bandwidth connections to one another as well as a Global Catalog server

Q7What permissions you should have in order to transfer a FSMO role

Before you can transfer a role you must have the appropriate permissions depending on which role you plan to transfer

Schema Master member of the Schema Admins group

Domain Naming Master member of the Enterprise Admins group

PDC Emulatormember of the Domain Admins group andor the Enterprise Admins group

RID Mastermember of the Domain Admins group andor the Enterprise Admins group

Infrastructure Mastermember of the Domain Admins group andor the Enterprise Admins group

FSMO TOOLS

Q8 Tools to find out what servers in your domainforest hold what server roles

33

1 Active Directory Users and Computers- use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator RID Master Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles

Open Active Directory Users and Computers right click on the domain you want to view the FSMO roles for and click Operations Masters A dialog box (below) will open with three tabs one for each FSMO role Click each tab to see what server that role resides on To change the server roles you must first connect to the domain controller you want to move it to Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choose Connect to Domain Controller Once connected to the DC go back into the Operations Masters dialog box choose a role to move and click the Change buttonWhen you do connect to another DC you will notice the name of that DC will be in the field below the Change button (not in this graphic)

34

2 Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location

The process is the same as it is when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers except you use the Active Directory Domains and Trusts snap-in Open Active Directory Domains and Trusts right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master When you do you will see the dialog box below Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller then click the Change button You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller

3 Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role However the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation You first have to install the Support Tools from the Support directory on the Windows 2000 server CD or install the Windows 2000 Server Resource Kit Once you install the support tools you can open up a blank Microsoft Management Console (start run mmc) and add the snap-in to the console Once the snap-in is open right click Active Directory Schema at the top of the tree and choose Operations Masters You will see the dialog box below Changing the server the Schema Master resides on requires you first connect to another domain controller and then click the Change button

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller

35

4Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility Like the Active Directory Schema snap-in the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit

To use Netdom to view the FSMO role holders open a command prompt window and typenetdom query fsmo and press enter You will see a list of the FSMO role servers

36

5 Active Directory Relication Monitor another tool that comes with the Support Tools is the Active Directory Relication Monitor Open this utility from Start Programs Windows 2000 Support Tools Once open click Edit Add Monitored Server and add the name of a Domain Controller Once added right click the Server name and choose properties Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below) You cannot change roles using Replication Monitor but this tool has many other useful purposes in regard to Active Directory information It is something you should check out if you havent already

Finally you can use the Ntdsutilexe utility to gather information about and change servers for FSMO roles Ntdsutilexe a command line utility that is installed with Windows 2000 server is rather complicated and beyond the scope of this document

6 DUMPFSMOS

Command-line tool to query for the current FSMO role holders

Part of the Microsoft Windows 2000 Server Resource Kit

Downloadable from httpwwwmicrosoftcomwindows200037

techinforeskitdefaultasp

Prints to the screen the current FSMO holders

Calls NTDSUTIL to get this information

7 NLTEST

Command-line tool to perform common network administrative tasks

Type ldquonltest rdquo for syntax and switches

Common uses

Get a list of all DCs in the domain

Get the name of the PDC emulator

Query or reset the secure channel for a server

Call DsGetDCName to query for an available domain controller

8 Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles

httpwwwsvropscomsvropsdownloadszipfilesADcheckmsi

Q9 How to Transfer and Seize a FSMO Role

httpsupportmicrosoftcomdefaultaspxscid=kben-usQ255504

38

GROUP POLICY

Q1 What are Group Policies

Group Policies are settings that can be applied to Windows computers users or both In Windows 2000 there are hundreds of Group Policy settings Group Policies are usually used to lock down some aspect of a PC Whether you dont want users to run Windows Update or change their Display Settings or you want to insure certain applications are installed on computers - all this can be done with Group Policies

Group Policies can be configured either Locally or by Domain Polices Local policies can be accessed by clicking Start Run and typing gpeditmsc They can also be accessed by opening the Microsoft Management Console (Start Run type mmc) and adding the Group Policy snap-in You must be an Administrator to configuremodify Group Policies Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers They cannot be used on Win9x or WinNT computers

Q2 Domain policy gets applied to whom

Domain Policies are applied to computers and users who are members of a Domain and these policies are configured on Domain Controllers You can access Domain Group Polices by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain andor Organizational Units)

Q3 From Where to create a Group Policy

To create a Domain Group Policy Object open Active Directory Sites and Services and right click Default-First-Site-Name or another Site name choose properties then the Group Policy tab then click the New button Give the the GPO a name then click the Edit button to configure the policiesFor Active Directory Users and Computers it the same process except you right click the Domain or an OU and choose properties

Q4 Who can CreateModify Group Policies

You have to have Administrative privileges to createmodify group policies The following table shows who can createmodify group policies

Policy Type Allowable GroupsUsers

Site Level Group Policies Enterprise Administrators andor Domain Administrators in the root domain The root domain is the first domain created in a tree or forest The Enterprise Administrators group is found only in the root domain

Domain Level Group Policies

Enterprise Administrators Domain Administrators or members of the built-in group - Group Policy Creator Owners By default only the Administrator user account is a

39

member of this group

OU Level Group Policies Enterprise Administrators Domain Administrators or members of the Group Policy Creator Owners By default only the Administrator user account is a member of this group

Additionally at the OU level users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control) However the wizard only allows the delegated user to Link already created group policies to the OU If you want to give the OU administrators control over creatingmodifying group policies add them to the Group Policy Creator Owners group for the domain

Local Group Policies The local Administrator user account or members of the local Administrators group

Q5 How are Group Policies Applied

Group Polices can be configured locally at the Site level the Domain level or at the Organizational Unit (OU) level Group Policies are applied in a Specific Order LSDO - Local policies first then Site based policies then Domain level policies then OU polices then nested OU polices (OUs within OUs) Group polices cannot be linked to a specific user or group only container objects

In order to apply Group Polices to specific users or computers you add users (or groups) and computers to container objects Anything in the container object will then get the policies linked to that container Sites Domains and OUs are considered container objects

Computer and User Active Directory objects do not have to put in the same container object For example Sally the user is an object in Active Directory Sallys Windows 2000 Pro PC is also an object in Active Directory Sally the user object can be in one OU while her computer object can be another OU It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects

40

User and Computer Policies

There are two nodes in each Group Policy Object that is created A Computer node and a User Node They are called Computer Configuration and User Configuration (see image above) The polices configured in the Computer node apply to the computer as a whole Whoever logs onto that computer will see those policiesNote Computer policies are also referred to as machine policies

User policies are user specific They only apply to the user that is logged on When creating Domain Group Polices you can disable either the Computer node or User node of the Group Policy Object you are creating By disabling a node that no policies are defined for you are decreasing the time it takes to apply the policesTo disable the node polices After creating a Group Policy Object click that Group Policy Object on the Group Policy tab then click the Properties button You will see two check boxes at the bottom of the General tab

Its important to understand that when Group Policies are being applied all the policies for a node are evaluated first and then applied They are not applied one after the other For example say Sally the user is a member of the Development OU and the Security OU When Sally logs onto her PC the policies set in the User node of the both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user They are not applied Development OU first and then Security OU (or visa- versa)The same goes for Computer policies When a computer boots up all the Computer node polices for that computer are evaluated then applied

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.

Q6 How to disable Group Policy Objects

When you are creating a Group Policy Object, the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7 When do the Group Policy scripts run?

Startup scripts are processed at computer bootup and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Login scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8 When does Group Policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min interval, so the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

Q9 Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup and Shutdown Scripts

Q9 How to refresh Group Policies using the command line

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:computer (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.
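The refresh schedule from Q8, the slow-link threshold from Q10 and the gpupdate refresh described here can all be checked on a machine from PowerShell. The script below is an added example, not part of the original document. It reads the values the Administrative Templates > System > Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (falling back to the documented defaults when nothing is configured), reads when the computer side of policy last finished applying, and optionally runs gpupdate and confirms the apply time advanced. It assumes Windows XP/2003 or later with PowerShell 3 or newer, and elevation for the computer refresh.

```powershell
# Added example, not from the original document. Reads the configured
# background refresh and slow link values, when the computer side of policy
# last finished applying, and optionally forces a refresh and confirms it ran.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'   # written by the Admin Template
$StateKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}'

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $Default
}

function Get-GPRefreshState {
    # DomainRole 4 or 5 is a domain controller: 5 minutes and no offset by default.
    # Members and workstations default to 90 minutes plus a random 0-30 minute offset.
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    if ($isDC) {
        $interval = Get-RegValueOrDefault $PolicyKey 'GroupPolicyRefreshTimeDC' 5
        $offset   = Get-RegValueOrDefault $PolicyKey 'GroupPolicyRefreshTimeOffsetDC' 0
    } else {
        $interval = Get-RegValueOrDefault $PolicyKey 'GroupPolicyRefreshTime' 90
        $offset   = Get-RegValueOrDefault $PolicyKey 'GroupPolicyRefreshTimeOffset' 30
    }
    # EndTimeHi/EndTimeLo are the two halves of a UTC FILETIME written when the
    # core (registry) extension finished; FromFileTime converts to local time.
    $hi   = [int64](Get-RegValueOrDefault $StateKey 'EndTimeHi' 0)
    $lo   = [int64](Get-RegValueOrDefault $StateKey 'EndTimeLo' 0) -band 0xFFFFFFFF
    $last = [DateTime]::FromFileTime(($hi -shl 32) -bor $lo)
    $deadline = $last.AddMinutes($interval + $offset)
    [pscustomobject]@{
        IsDomainController = $isDC
        IntervalMinutes    = $interval
        MaxOffsetMinutes   = $offset
        SlowLinkKbps       = Get-RegValueOrDefault $PolicyKey 'GroupPolicyMinTransferRate' 500
        LastComputerApply  = $last
        NextApplyNoLater   = $deadline
        # Past its deadline means the machine has not refreshed on schedule.
        Overdue            = (Get-Date) -gt $deadline
    }
}

function Invoke-GPRefresh {
    # gpupdate replaced secedit /refreshpolicy; /force reapplies every setting,
    # not only those changed since the last refresh.
    param([ValidateSet('computer', 'user')][string]$Target = 'computer', [switch]$Force)
    $before = (Get-GPRefreshState).LastComputerApply
    $gpArgs = @("/target:$Target")
    if ($Force) { $gpArgs += '/force' }
    & gpupdate.exe @gpArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpupdate exited with $LASTEXITCODE" }
    $after = (Get-GPRefreshState).LastComputerApply
    [pscustomobject]@{
        Target  = $Target
        Before  = $before
        After   = $after
        # Only the computer side is tracked under the Machine state key.
        Applied = $(if ($Target -eq 'computer') { $after -gt $before } else { $null })
    }
}

Get-GPRefreshState | Format-List
# Invoke-GPRefresh -Target computer -Force
```

A machine reporting Overdue is worth a closer look: it has either lost connectivity to a domain controller or had policy processing disabled, and either way its configuration is drifting from what the GPOs say.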

Q10 What is the default setting for dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500k, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11 Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12 Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13 What are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.
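Two checks follow from the behaviour described above: the account policies that actually took effect are the ones set at the domain level, and any Password, Account Lockout or Kerberos settings placed in a GPO linked to an OU only reach local logons on the machines it applies to. The PowerShell below is an added example, not part of the original document. It needs the ActiveDirectory and GroupPolicy modules (RSAT) and read access to the GPOs; the baseline numbers passed to Test-DomainAccountPolicy are assumptions to be replaced with your own standard.

```powershell
# Added example, not from the original document: audit the domain account
# policy and find every GPO that carries account policy settings.
Import-Module ActiveDirectory, GroupPolicy

function Test-DomainAccountPolicy {
    param([int]$MinLength = 14, [int]$MaxAgeDays = 365, [int]$MaxLockoutThreshold = 10)
    # The effective policy: what the domain-level GPO (normally the Default
    # Domain Policy) actually set, regardless of what OU-linked GPOs contain.
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        MinPasswordLength    = $p.MinPasswordLength
        MinLengthOk          = $p.MinPasswordLength -ge $MinLength
        ComplexityEnabled    = $p.ComplexityEnabled
        MaxPasswordAgeDays   = $p.MaxPasswordAge.Days
        MaxAgeOk             = $p.MaxPasswordAge.Days -le $MaxAgeDays
        LockoutThreshold     = $p.LockoutThreshold
        LockoutOk            = $p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le $MaxLockoutThreshold
        ReversibleEncryption = $p.ReversibleEncryptionEnabled   # should always be False
    }
}

function Find-AccountPolicyGpos {
    # Walks every GPO's XML report. Account policy entries are <Account>
    # elements (Name, SettingNumber or SettingBoolean, Type) under the
    # Security Settings extension; <SOMPath> lists where the GPO is linked.
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.SelectNodes("//*[local-name()='SOMPath']") | ForEach-Object InnerText)
        foreach ($e in $report.SelectNodes("//*[local-name()='Account']")) {
            $value = $e.SelectSingleNode("*[local-name()='SettingNumber']")
            if (-not $value) { $value = $e.SelectSingleNode("*[local-name()='SettingBoolean']") }
            [pscustomobject]@{
                GPO         = $gpo.DisplayName
                Type        = $e.SelectSingleNode("*[local-name()='Type']").InnerText
                Setting     = $e.SelectSingleNode("*[local-name()='Name']").InnerText
                Value       = $(if ($value) { $value.InnerText } else { $null })
                LinkedTo    = $links -join '; '
                # A SOM path without '/' is the domain itself (e.g. example.com);
                # anything else is an OU link, which only affects local logons.
                DomainLevel = [bool]($links | Where-Object { $_ -notmatch '/' })
            }
        }
    }
}

Test-DomainAccountPolicy | Format-List
Find-AccountPolicyGpos | Sort-Object GPO, Type | Format-Table -AutoSize
```

Rows with DomainLevel False are the misplaced settings the text warns about: they are silently ignored for domain logons, so an administrator who set a stricter lockout threshold in an OU-linked GPO has not actually changed the domain's policy.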

Default Domain Controllers Policy - this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.

Q14 How to restore Group Policy settings back to default

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.
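dcgpofix recreates the two default GPOs from scratch, so anything else an administrator placed in them (the account policies from Q13 included) is gone once it runs. The PowerShell below is an added example, not part of the original document, showing the sequence a practitioner would wrap around the command: a restorable Backup-GPO copy and a readable report before the reset, the reset itself, and a second report to diff. It assumes the GroupPolicy module on a domain controller of the target domain and C:\GPOBackups as the backup folder.

```powershell
# Added example, not from the original document: back up, reset, and report
# the two default GPOs so the reset can be reviewed or undone.
Import-Module GroupPolicy
$BackupDir = 'C:\GPOBackups'   # assumed location
$Defaults  = 'Default Domain Policy', 'Default Domain Controllers Policy'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($name in $Defaults) {
    # Backup-GPO writes a restorable copy that Restore-GPO or Import-GPO can read back.
    Backup-GPO -Name $name -Path $BackupDir -Comment "Before dcgpofix $(Get-Date -Format s)" | Out-Null
    Get-GPOReport -Name $name -ReportType Html -Path (Join-Path $BackupDir "$name - before.html")
}

# dcgpofix asks for confirmation before it overwrites. Add /ignoreschema only
# in the schema version mismatch case described above.
& dcgpofix.exe /target:Both

foreach ($name in $Defaults) {
    Get-GPOReport -Name $name -ReportType Html -Path (Join-Path $BackupDir "$name - after.html")
}
Get-ChildItem -Path $BackupDir -Filter *.html

# To undo the reset entirely, restore the backed-up version over the recreated
# GPO (dcgpofix keeps the well-known GUIDs, so the backup still matches):
# Restore-GPO -Name 'Default Domain Policy' -Path $BackupDir
```

Comparing the before and after reports shows exactly which settings were removed, which is usually the information wanted when deciding whether a custom setting belonged in the default GPO or in a separate domain-level GPO as the text recommends.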

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single

Q15 What are the two exceptions to control the inheritance of Group Policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
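The processing order listed under "Resolving GPOs from Multiple Sources", the bottom-to-top link order within one container described in Q5/Q6, and the two exceptions above can be checked against a small model. The PowerShell below is an added example, not part of the original document. It runs offline on constructed data (the container chain and GPO names are made up, mirroring the Human Resources example earlier), and the commented Get-GPInheritance call at the end, with an assumed OU distinguished name, is how the real ordered link list is retrieved from a domain with the GroupPolicy module.

```powershell
# Added example, not from the original document: a model of LSDOU processing.
# $Chain lists containers from Local to the deepest OU. Each container's Links
# are in the order the Group Policy tab shows them: top = applied last = wins.
function Get-GPOApplyOrder {
    param([Parameter(Mandatory)][object[]]$Chain)

    $normal   = New-Object System.Collections.Generic.List[object]
    $enforced = New-Object System.Collections.Generic.List[object]

    foreach ($container in $Chain) {
        # Block Inheritance discards links inherited from parent AD containers
        # (the local GPO is not a link and is still processed); No Override
        # links from parents cannot be blocked and are kept in $enforced.
        if ($container.BlockInheritance) {
            $keep = @($normal | Where-Object { $_.IsLocal })
            $normal.Clear()
            foreach ($entry in $keep) { $normal.Add($entry) }
        }

        # Bottom of the list is applied first, so walk the links in reverse.
        for ($i = $container.Links.Count - 1; $i -ge 0; $i--) {
            $link  = $container.Links[$i]
            $entry = [pscustomobject]@{
                Container = $container.Name
                GPO       = $link.Name
                Settings  = $link.Settings
                IsLocal   = [bool]$container.IsLocal
            }
            if ($link.NoOverride) { $enforced.Add($entry) } else { $normal.Add($entry) }
        }
    }

    # No Override links apply after every normal link, and the one linked
    # highest in the hierarchy applies last, so it wins any conflict.
    $enforced.Reverse()
    return $normal.ToArray() + $enforced.ToArray()
}

function Get-EffectiveSettings {
    param([Parameter(Mandatory)][object[]]$Chain)
    $effective = [ordered]@{}
    foreach ($entry in (Get-GPOApplyOrder -Chain $Chain)) {
        foreach ($key in $entry.Settings.Keys) {
            # Settings are evaluated across all GPOs of the node; the last writer wins.
            $effective[$key] = [pscustomobject]@{
                Value = $entry.Settings[$key]
                SetBy = "$($entry.Container)\$($entry.GPO)"
            }
        }
    }
    return $effective
}

# Constructed sample chain. The HR OU blocks inheritance, so the domain's
# Corp Baseline is dropped, but the No Override Default Domain Policy survives.
$chain = @(
    @{ Name = 'Local'; IsLocal = $true; Links = @(
        @{ Name = 'Local GPO'; Settings = @{ Screensaver = 'Off'; Wallpaper = 'Any' } }) }
    @{ Name = 'Site'; Links = @() }
    @{ Name = 'Domain'; Links = @(
        @{ Name = 'Default Domain Policy'; NoOverride = $true; Settings = @{ MinPasswordLength = 8 } }
        @{ Name = 'Corp Baseline'; Settings = @{ Screensaver = 'On'; Wallpaper = 'Corp' } }) }
    @{ Name = 'OU=Human Resources'; BlockInheritance = $true; Links = @(
        @{ Name = 'No ScreenSaver';      Settings = @{ Screensaver = 'Off' } }
        @{ Name = 'No Display Settings'; Settings = @{ DisplayCPL = 'Disabled' } }
        @{ Name = 'No Windows Update';   Settings = @{ WindowsUpdate = 'Disabled' } }) }
)

"Apply order:"
Get-GPOApplyOrder -Chain $chain | ForEach-Object { "  {0,-20} {1}" -f $_.Container, $_.GPO }
"Effective settings:"
(Get-EffectiveSettings -Chain $chain).GetEnumerator() |
    ForEach-Object { "  {0,-18} = {1,-9} from {2}" -f $_.Key, $_.Value.Value, $_.Value.SetBy }

# Against a real domain (assumed OU path), the same ordered list comes from:
# Get-GPInheritance -Target 'OU=Human Resources,DC=example,DC=com' |
#     Select-Object -ExpandProperty InheritedGpoLinks
```

The SetBy column is the useful part when troubleshooting: it names the GPO that won each conflict, which is what gpresult or the Group Policy Results wizard reports as the "winning GPO" on a real client.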

Q16 How to redirect new user and computer accounts

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.
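The sequence described above, carried through end to end, as an added example that is not part of the original document: create the target OUs, link the GPO before redirecting so the first new account already receives it, run redirusr.exe and redircomp.exe, and verify the result by reading the well-known container pointers that Get-ADDomain exposes. The OU names and the GPO name 'New User Baseline' are assumptions; the script needs the ActiveDirectory and GroupPolicy modules, Domain Admin rights, and a domain functional level of Windows Server 2003 or higher.

```powershell
# Added example, not from the original document: redirect new user and
# computer accounts into GPO-linked OUs and confirm the redirection.
Import-Module ActiveDirectory, GroupPolicy
$domainDN = (Get-ADDomain).DistinguishedName
$usersOU  = "OU=New Users,$domainDN"        # assumed names
$compOU   = "OU=New Computers,$domainDN"

foreach ($ou in 'New Users', 'New Computers') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Link the GPO (assumed to exist already) before redirecting, so there is no
# window in which a new account lands in the OU without policy.
New-GPLink -Name 'New User Baseline' -Target $usersOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Both tools take the distinguished name of the new target OU.
& redirusr.exe  $usersOU
& redircomp.exe $compOU

# Verify: the domain object's well-known container pointers now name the OUs.
$d = Get-ADDomain
[pscustomobject]@{
    UsersContainer     = $d.UsersContainer
    ComputersContainer = $d.ComputersContainer
    Redirected         = ($d.UsersContainer -eq $usersOU -and $d.ComputersContainer -eq $compOU)
}
```

The verification step matters for the computer side in particular: machines joined with the legacy net join path are created wherever ComputersContainer points, so an unredirected domain keeps producing computer objects that no OU-linked GPO can reach.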

Q17 What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.
Editing GPOs linked to domains requires Domain Administrative permissions.
Editing GPOs linked to OUs requires permissions for the OU.

Q18 What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.

1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master) and also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click Operations Masters. A dialog box (below) will open with three tabs, one for each FSMO role. Click each tab to see what server that role resides on. To change the server roles you must first connect to the domain controller you want to move it to. Do this by right clicking Active Directory Users and Computers at the top of the Active Directory Users and Computers snap-in and choosing Connect to Domain Controller. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice the name of that DC will be in the field below the Change button (not in this graphic).

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as it is when viewing and changing the domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click Active Directory Domains and Trusts at the top of the tree and choose Operations Master. When you do, you will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right clicking Active Directory Domains and Trusts at the top of the Active Directory Domains and Trusts snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the Support directory on the Windows 2000 Server CD, or install the Windows 2000 Server Resource Kit. Once you install the Support Tools you can open up a blank Microsoft Management Console (Start > Run > mmc) and add the snap-in to the console. Once the snap-in is open, right click Active Directory Schema at the top of the tree and choose Operations Masters. You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button.

You can connect to another domain controller by right clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.

4. Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility. Like the Active Directory Schema snap-in, the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor. Open this utility from Start > Programs > Windows 2000 Support Tools. Once open, click Edit > Add Monitored Server and add the name of a Domain Controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders

Part of the Microsoft Windows 2000 Server Resource Kit

Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Prints to the screen the current FSMO holders

Calls NTDSUTIL to get this information

7. NLTEST

Command-line tool to perform common network administrative tasks

Type "nltest" for syntax and switches

Common uses

Get a list of all DCs in the domain

Get the name of the PDC emulator

Query or reset the secure channel for a server

Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9 How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
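The role holders that netdom query fsmo, DUMPFSMOS and the three snap-ins report can also be read, and moved, from PowerShell. The script below is an added example, not part of the original document; it uses the ActiveDirectory module to list the five holders, checks that each one still answers on LDAP (the distinction that decides between a transfer and a seize), and shows the transfer command with the seize variant commented out. 'DC2' is an assumed target domain controller name.

```powershell
# Added example, not from the original document: list, check and move FSMO roles.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # domain-wide
        RIDMaster            = $domain.RIDMaster             # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
    }
}

function Test-FsmoRoleHolders {
    # A holder that no longer answers is the only situation in which a seize
    # is appropriate; a reachable holder should always be transferred instead.
    foreach ($role in (Get-FsmoRoleHolders).GetEnumerator()) {
        $online = Test-NetConnection -ComputerName $role.Value -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $role.Key; Holder = $role.Value; LdapReachable = $online }
    }
}

Test-FsmoRoleHolders | Format-Table -AutoSize

# Graceful transfer: the current holder must be online so the change replicates.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator, RIDMaster

# Seize (-Force) only when the old holder is permanently gone. That server must
# never be brought back online afterwards, or two DCs will claim the same role.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole SchemaMaster -Force
```

Running Test-FsmoRoleHolders on a schedule is a cheap health check: a role holder that goes unreachable shows up as a failed RID allocation, password change or schema operation only much later.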

GROUP POLICY

Q1 What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2 To whom does the domain policy get applied?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3 From where to create a Group Policy

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name (or another Site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4 Who can create/modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type - Allowable Groups/Users

Site Level Group Policies - Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies - Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies - Enterprise Administrators, Domain Administrators, or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies - The local Administrator user account or members of the local Administrators group.
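Membership of Group Policy Creator Owners, as the table notes, is what lets an OU administrator create GPOs, and it is a domain-wide right. A narrower alternative, added here as an example that is not part of the original document and goes a step beyond the text, is to create the GPO centrally, link it to the OU, and grant the OU's admin group edit rights on that one GPO with Set-GPPermission. The OU, GPO and group names are assumptions; the script needs the ActiveDirectory and GroupPolicy modules and has to run as a Domain Admin or a Group Policy Creator Owner.

```powershell
# Added example, not from the original document: per-GPO edit delegation
# instead of domain-wide membership of Group Policy Creator Owners.
Import-Module ActiveDirectory, GroupPolicy
$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Sales,$domainDN"        # assumed OU
$gpoName  = 'Sales Lockdown'            # assumed GPO name
$group    = 'Sales GPO Editors'         # assumed security group

# Create the GPO centrally if it does not exist yet.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Desktop lockdown for the Sales OU' }

# Link it to the OU. Managing the link itself is what the Delegate Control
# wizard's "Manage Group Policy links" task hands out, as described above.
$existing = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) {
    New-GPLink -Guid $gpo.Id -Target $ouDN -LinkEnabled Yes | Out-Null
}

# GpoEdit lets the group change settings but not the GPO's own ACL or delete
# it; GpoEditDeleteModifySecurity would hand over full control instead.
Set-GPPermission -Guid $gpo.Id -TargetName $group -TargetType Group -PermissionLevel GpoEdit | Out-Null

# Review the resulting delegation on the GPO.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

The review step is worth keeping in the script: the GPO's permission list is also what decides who can tamper with a policy that later gets linked somewhere more sensitive, so a group with GpoEdit on a GPO effectively controls every container that GPO is linked to.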

Q5 How are Group Policies applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to put in the same container object For example Sally the user is an object in Active Directory Sallys Windows 2000 Pro PC is also an object in Active Directory Sally the user object can be in one OU while her computer object can be another OU It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects

40

User and Computer Policies

There are two nodes in each Group Policy Object that is created A Computer node and a User Node They are called Computer Configuration and User Configuration (see image above) The polices configured in the Computer node apply to the computer as a whole Whoever logs onto that computer will see those policiesNote Computer policies are also referred to as machine policies

User policies are user specific They only apply to the user that is logged on When creating Domain Group Polices you can disable either the Computer node or User node of the Group Policy Object you are creating By disabling a node that no policies are defined for you are decreasing the time it takes to apply the policesTo disable the node polices After creating a Group Policy Object click that Group Policy Object on the Group Policy tab then click the Properties button You will see two check boxes at the bottom of the General tab

Its important to understand that when Group Policies are being applied all the policies for a node are evaluated first and then applied They are not applied one after the other For example say Sally the user is a member of the Development OU and the Security OU When Sally logs onto her PC the policies set in the User node of the both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user They are not applied Development OU first and then Security OU (or visa- versa)The same goes for Computer policies When a computer boots up all the Computer node polices for that computer are evaluated then applied

41

When computers boot up the Computer policies are applied When users login the User policies are applied When user and computer group policies overlap the computer policy wins

Note IPSec and EFS policies are not additive The last policy applied is the policy the usercomputer will have

When applying multiple Group Policies Objects from any container Group Policies are applied from bottom to top in the Group Policy Object list The top Group Policy in the list is the last to be applied In the above image you can see three Group Policy Objects associated with the Human Resources OU These polices would be applied No Windows Update first then No Display Settings then No ScreenSaver If there were any conflicts in the policy settings the one above it would take precedence

Q6How to disable Group Policy Objects

When you are creating a Group Policy Object the changes happen immediately There is no saving of GPOs To prevent a partial GPO from being applied disable the GPO while you are configuring it To do this click the Group Policy Object on the Group Policy tab and under the Disable column double click - a little check will appear Click the Edit button make your changes then double click under the Disable column to re-enable the GPO Also if you want to temporarily disable a GPO for troubleshooting reasons this is the place to do it You can also click the Options button on the Group Policy tab and select the Disabled check box

42

Q7 When does the group policy Scripts run

Startup scripts are processed at computer bootup and before the user logs inShutdown scripts are processed after a user logs off but before the computer shuts down

Login scripts are processed when the user logs inLogoff scripts are processed when the user logs off but before the shutdown script runs

Q8 When the group policy gets refreshedapplied

Group Policies can be applied when a computer boots up andor when a user logs in However policies are also refreshed automatically according to a predefined schedule This is called Background Refresh

Background refresh for non DCs (PCs and Member Servers) is every 90 mins with a +- 30 mininterval So the refresh could be 60 90 or 120 mins For DCs (Domain Controllers) background refresh is every 5 minsAlso every 16 hours every PC will request all group policies to be reapplied (user and machine) These settings can be changed under Computer and User Nodes Administrative TemplatesSystem Group Policy

Q9 Which are the policies which does not get affected by background refresh

Policies not affected by background refresh These policies are only applied at logon time

Folder RedirectionSoftware InstallationLogon Logoff Startup Shutdown Scripts

Q9 How to refresh Group Policies suing the command line

Seceditexe is a command line tool that can be used to refresh group policies on a Windows 2000 computer To use secedit open a command prompt and type

secedit refreshpolicy user_policy to refresh the user policiessecedit refreshpolicy machine_policy to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh To force a reload of all group policies regardless of the last change use

secedit refreshpolicy user_policy enforcesecedit refreshpolicy machine_policy enforce

43

Gpupdateexe is a command line tool that can be used to refresh group policies on a Windows XP computer It has replaced the secedit command To use gpupdate open a command prompt andtype

gpupdate targetuser to refresh the user policiesgpupdate targetmachine to refresh the machine (or computer) policies

As with secedit these parameters will only refresh any user or computer policies that have changed since the last refresh To force a reload of all group policies regardless of the last change use

gpupdate force

Notice the force switch applies to both user and computer policies There is no separation of the two like there is with secedit

Q10 What is the Default Setting for Dial-up users

Win2000 considers a slow dial-up link as anything less than 500kbps When a user logs into a domain on a link under 500k some policies are not applied

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies

Q11 Which are the policies which get applied regardless of the speed of the dial-up connection

Some policies are always applied regardless of the speed of the dial-up connection These are

Administrative TemplatesSecurity SettingsEFS RecoveryIPSec

Q12 Which are the policies which do not get applied over slow links

IE Maintenance SettingsFolder RedirectionScriptsDisk Quota settingsSoftware Installation and Maintenance

These settings can be changed under Computer and User Nodes Administrative TemplatesSystem Group Policy

44

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen once the user is authenticated the computer policies are applied first followed by the user policies

If the user connects to the domain using Network and Dial-up Connections after they logon the policies are applied using the standard refresh cycle

Q13 Which are the two types of default policies

There are two default group policy objects that are created when a domain is created The Default Domain policy and the Default Domain Controllers policy

Default Domain Policy - this GPO can be found under the group policy tab for that domain It is the first policy listed The default domain policy is unique in that certain policies can only be applied at the domain level

If you double click this GPO and drill down to Computer Configuration Windows Settings Security Settings Account Policies you will see three policies listed

Password PolicyAcount Lockout PolicyKerberos Policy

These 3 policies can only be set at the domain level If you set these policies anywhere else- Site or OU they are ignored However setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs Login to the domain you get the domain policy login locally you get the OU policy

If you drill down to Computer Configuration Windows Settings Security Settings Local Policies Security Options there are 3 policies that are affected by Default Domain Policy

Automatically log off users when logon time expiresRename Adminsitrator Account - When set at the domain level it affects the Domain Administrator account onlyRename Guest Account - When set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above If you want to create additional domain level policies you should create additional domain level GPOsDo not delete the Default Domain Policy You can disable it but it is not recommended

Default Domain Controllers Policy - This policy can be found by right clicking the Domain Controllers OU choosing Properties then the Group Policy tab This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers That is no matter where you put your domain controllers in Active Directory (whatever OU you put them in) they will still process this policy

Use the Default Domain Controllers Policy to set local policies for your domain controllers eg Audit Policies Event Log settings who can logon locally and so on

45

Q14 How to restore Group Policy settings back to default

The following command replaces both the Default Domain Policy and the Default Domain Controllers Policy. You can specify Domain or DC instead of Both to restore only one or the other:

> dcgpofix /target:Both

Note that this must be run on a domain controller in the domain whose GPOs you want to reset. dcgpofix recreates the two GPOs with the settings they had when the domain was created: any setting you added to them since is discarded, not merged, so back up the GPOs first if you may need those settings again.

If you have ever made changes to the default GPOs and would like to revert to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current differs from what is in Active Directory it will not restore the GPOs. You can work around this with the /ignoreschema switch, which restores the GPOs according to the version dcgpofix thinks is current. The only time you are likely to hit this is when you install a service pack on one domain controller (dc1) that extends the schema but have not yet installed it on a second domain controller (dc2). If you run dcgpofix from dc2 you will receive the error, since a newer version of the schema and of the dcgpofix utility were installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OU that contains the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. An object resides in exactly one OU, but that OU can be nested inside other OUs; in that case GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next-highest level OU and so on. If multiple GPOs are linked to a single


Q15 What are the two exceptions that control the inheritance of Group Policy?

No Override (called Enforced in the Group Policy Management Console). When you link a GPO to a container you can set No Override on the link, which prevents settings in that GPO from being overridden by settings in GPOs linked to child containers. This is the way to force child containers to conform to a particular policy.

Block Inheritance. You can set Block Inheritance on a container to prevent it from inheriting GPO settings from its parent containers. It is set on the container and blocks every inherited link; it cannot exclude just one GPO. If a parent container's link has No Override set, the child container cannot block that GPO, and where two No Override GPOs conflict, the one linked higher in the hierarchy wins.

Q16 How to redirect new user and computer accounts

By default new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: redirusr.exe redirects user accounts and redircmp.exe redirects computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO; administrators could then move the new user accounts to a more appropriate location later. The security value is that an account created by a script or by a domain join picks up the restrictive OU policy straight away instead of sitting in a container where no OU-level policy can reach it. Redirection requires the domain to be at the Windows Server 2003 domain functional level. You can find both tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com

Q17 What permissions does an administrator need to manage GPOs?

Editing GPOs linked to sites requires Enterprise Admins membership (site-linked GPOs are stored in the forest root domain by default).
Editing GPOs linked to domains requires Domain Admins membership.
Editing GPOs linked to OUs requires edit permission on the GPO itself and link permission on the OU; both can be delegated.

Q18 What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings they must be members of an Active Directory domain. Support for Group Policy in key operating systems is as follows:

Windows 95/98/Me do not support Group Policy.
Windows NT 4.0 and earlier versions do not support Group Policy.
Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.
Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location.

The process is the same as viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except that you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the top of the tree and choose Operations Master; you will see the dialog box below. Changing the server that holds the Domain Naming Master requires that you first connect to the new domain controller and then click the Change button. You can connect to another domain controller by right-clicking Active Directory Domains and Trusts at the top of the snap-in and choosing Connect to Domain Controller.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. The Active Directory Schema snap-in is not in the MMC snap-in list by default: its DLL, schmmgmt.dll, is installed with Windows 2000 Server and the administrative tools, but it has to be registered first by running regsvr32 schmmgmt.dll from a command prompt. Once registered, open a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Right-click Active Directory Schema at the top of the tree and choose Operations Master; you will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button. You must be a member of Schema Admins to transfer this role.

You can connect to another domain controller by right-clicking Active Directory Schema at the top of the Active Directory Schema snap-in and choosing Connect to Domain Controller.


4. Netdom

The easiest and fastest way to find out which server holds which FSMO role is the Netdom command-line utility. On Windows 2000 the Netdom utility is only available once you have installed the Support Tools from the Windows 2000 CD or the Windows 2000 Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt, type netdom query fsmo and press Enter. You will see a list of the five roles and the server that holds each.
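The output of netdom query fsmo is meant for a human, but an inventory or a monitoring script usually wants it as data. The following is an added example, not part of the original notes: a small Python parser for that output, with a constructed sample in the layout netdom prints (role name, padding, holder FQDN, then a completion line). The domain corp.example.com and the DC names are invented; real column widths may differ, which is why the parser keys on the role names rather than on fixed offsets.

```python
"""Parse `netdom query fsmo` output into a role -> holder map (added example)."""
import subprocess

# The five roles, spelled the way netdom prints them. The first two are
# forest-wide, the other three exist once per domain.
FSMO_ROLES = (
    "Schema master",
    "Domain naming master",
    "PDC",
    "RID pool manager",
    "Infrastructure master",
)
FOREST_WIDE_ROLES = frozenset(FSMO_ROLES[:2])

# Constructed sample output for a hypothetical domain (not captured from a real DC).
SAMPLE_NETDOM_OUTPUT = """\
Schema master               dc1.corp.example.com
Domain naming master        dc1.corp.example.com
PDC                         dc2.corp.example.com
RID pool manager            dc2.corp.example.com
Infrastructure master       dc2.corp.example.com
The command completed successfully.
"""


def parse_netdom_fsmo(text):
    """Return {role: holder_fqdn}; raise ValueError if any role is missing.

    A missing role is an error rather than a silent gap: an inventory script
    must not report 'no holder found' as a clean result.
    """
    holders = {}
    for raw in text.splitlines():
        line = raw.strip()
        for role in FSMO_ROLES:
            if line.startswith(role):
                holder = line[len(role):].strip()
                if holder:
                    holders[role] = holder.lower()   # DNS names compare case-insensitively
                break
    missing = [r for r in FSMO_ROLES if r not in holders]
    if missing:
        raise ValueError("netdom output lacks role(s): " + ", ".join(missing))
    return holders


def roles_by_dc(holders):
    """Invert the map: {holder_fqdn: [roles...]} in netdom's role order."""
    by_dc = {}
    for role, dc in holders.items():
        by_dc.setdefault(dc, []).append(role)
    return by_dc


def forest_role_holders(holders):
    """Sorted DCs holding a forest-wide role (Schema master, Domain naming master).

    These must be domain controllers in the forest root domain, and losing one
    forces a seizure decision, so they deserve separate monitoring.
    """
    return sorted({dc for role, dc in holders.items() if role in FOREST_WIDE_ROLES})


def query_live():
    """Run netdom on a domain-joined Windows host with the Support Tools installed.

    Not called by the offline demonstration below.
    """
    out = subprocess.run(["netdom", "query", "fsmo"],
                         capture_output=True, text=True, check=True)
    return parse_netdom_fsmo(out.stdout)


if __name__ == "__main__":
    roles = parse_netdom_fsmo(SAMPLE_NETDOM_OUTPUT)
    for dc, held in roles_by_dc(roles).items():
        print(dc, "->", ", ".join(held))
    print("forest-wide role holders:", forest_role_holders(roles))
```

Replace SAMPLE_NETDOM_OUTPUT with the result of query_live() on a domain controller to get the real holders; the rest of the code is unchanged.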


5. Active Directory Replication Monitor - another tool that comes with the Support Tools is the Active Directory Replication Monitor (replmon.exe). Open it from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties, then click the FSMO Roles tab to view the servers holding the five FSMO roles (below). You cannot change roles using Replication Monitor, but the tool has many other useful purposes for Active Directory information; it is something you should check out if you have not already.

Finally, you can use the Ntdsutil.exe utility to gather information about FSMO roles and to transfer or seize them. Ntdsutil.exe, a command-line utility installed with Windows 2000 Server, is rather complicated and beyond the scope of this document, but it is the only tool listed here that can seize a role from a holder that is permanently offline.

6. DUMPFSMOS

Command-line tool to query for the current FSMO role holders.
Part of the Microsoft Windows 2000 Server Resource Kit, downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
Prints the current FSMO holders to the screen.
Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks. Type nltest /? for syntax and switches.

Common uses:
Get a list of all DCs in the domain (nltest /dclist:domain)
Get the name of the PDC emulator (nltest /dsgetdc:domain /pdc)
Query or reset the secure channel for a server (nltest /sc_query:domain and nltest /sc_reset:domain)
Call DsGetDCName to query for an available domain controller (nltest /dsgetdc:domain)

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.
http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9 How to transfer and seize a FSMO role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

Transfer a role (with the snap-ins above or with ntdsutil) whenever the current holder is still online, because a transfer lets the two domain controllers agree on the handover. Seize a role with ntdsutil only when the holder is permanently lost, and never bring the former holder of the Schema Master, Domain Naming Master or RID Master back onto the network afterwards without rebuilding it: two DCs that both believe they hold the role can hand out overlapping RID pools or make conflicting schema changes.


GROUP POLICY

Q1 What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC: whether you do not want users to run Windows Update or change their display settings, or you want to ensure certain applications are installed on computers, all this can be done with Group Policies.

Group Policies can be configured either locally or as domain policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an administrator to configure or modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 and Windows XP computers (and Windows Server 2003); they cannot be used on Win9x or WinNT computers.

Q2 To whom does a domain policy apply?

Domain policies are applied to computers and users that are members of a domain, and these policies are configured on domain controllers. You can access domain Group Policies by opening Active Directory Sites and Services (these policies apply at the site level only) or Active Directory Users and Computers (these policies apply to the domain and/or organizational units).

Q3 From where do you create a Group Policy?

To create a domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name or another site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except that you right-click the domain or an OU and choose Properties.

Q4 Who can create/modify Group Policies?

You have to have administrative privileges to create or modify Group Policies. The following table shows who can create/modify Group Policies.

Policy Type                  Allowable Groups/Users
Site Level Group Policies    Enterprise Admins and/or Domain Admins in the forest root domain. The forest root domain is the first domain created in the forest; the Enterprise Admins group exists only there.
Domain Level Group Policies  Enterprise Admins, Domain Admins, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.
OU Level Group Policies      Enterprise Admins, Domain Admins, or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group.
Local Group Policies         The local Administrator user account or members of the local Administrators group.

Additionally, at the OU level users can be delegated control of the OU's Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already-created Group Policies to the OU. If you want to give the OU administrators control over creating and modifying Group Policies, add them to the Group Policy Creator Owners group for the domain. Bear in mind that this is a domain-wide right, not a scoped delegation: a member can create GPOs anywhere in the domain and edit the ones they created, and anyone with link rights can link those GPOs to any container.

Q5 How are Group Policies applied?

Group Policies can be configured locally, at the site level, the domain level or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: local policies first, then site-based policies, then domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, domains and OUs are considered container objects. Security filtering (the Apply Group Policy permission on the GPO itself) is the mechanism for narrowing a GPO to particular groups within a container.

Computer and user Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory; Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally's user object can be in one OU while her computer object is in another OU. It all depends on how you organize your Active Directory structure and which Group Policies you want applied to which objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node, called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs on to that computer gets those policies. Note: computer policies are also referred to as machine policies.

User policies are user-specific: they only apply to the user that is logged on. When creating domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable a node's policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It is important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally's user object is in the Security OU, which is nested inside the Development OU. When Sally logs on to her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated and then applied.


When computers boot up the computer policies are applied. When users log in the user policies are applied. When user and computer Group Policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When multiple Group Policy Objects are linked to one container, they are applied from bottom to top of the Group Policy Object list: the top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above would take precedence.
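The LSDOU order, the bottom-to-top link order within one container, and the No Override and Block Inheritance exceptions from Q15 are easiest to check as a small model. The following Python is an added example, not from the original notes: the site, domain and OU names, the GPOs and their key/value settings are all constructed, using the three Human Resources GPOs from the text. One rule goes beyond the text and is stated here as documented Group Policy behaviour: when several No Override (Enforced) GPOs conflict, the one linked higher in the hierarchy wins, so they are applied parent-last.

```python
"""Model of Group Policy precedence (added example): LSDOU order, link order
within a container, No Override/Enforced links and Block Inheritance."""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict             # only the settings this GPO configures


@dataclass
class Link:
    gpo: Gpo
    no_override: bool = False  # "No Override" (Windows 2000 UI) = "Enforced" (GPMC)


@dataclass
class Container:
    name: str                  # site, domain or OU
    links: list = field(default_factory=list)  # as listed on the Group Policy tab, top first
    block_inheritance: bool = False


def processing_order(local_gpo, containers):
    """Return the GPOs in the order they are applied; the last one wins.

    containers runs outermost to innermost: site, domain, parent OU, ...,
    the OU that holds the user or computer object.
    """
    # Normal links: LSDOU order; within one container the list is applied
    # bottom-to-top so that the top entry is applied last and wins conflicts.
    normal = [local_gpo]
    for c in containers:
        if c.block_inheritance:
            # Block Inheritance discards everything inherited from above.
            # The local GPO is not inherited from AD, so it survives.
            normal = [local_gpo]
        normal += [l.gpo for l in reversed(c.links) if not l.no_override]
    # No Override links cannot be blocked and are applied after all normal
    # GPOs. Among themselves the parent beats the child, so they are applied
    # innermost-first and outermost-last.
    enforced = []
    for c in reversed(containers):
        enforced += [l.gpo for l in reversed(c.links) if l.no_override]
    return normal + enforced


def effective_settings(local_gpo, containers):
    """Resultant settings for one node: (settings dict, applied GPO names)."""
    result, applied = {}, []
    for gpo in processing_order(local_gpo, containers):
        applied.append(gpo.name)
        result.update(gpo.settings)   # a later GPO overwrites a conflicting earlier one
    return result, applied


def build_scenario(block_hr):
    """Constructed example: site -> domain -> Staff OU -> Human Resources OU."""
    local = Gpo("Local GPO", {"display_settings": "allowed", "screensaver": "allowed",
                              "screensaver_timeout": 900})
    site = Container("Default-First-Site-Name", [
        Link(Gpo("Site-Baseline", {"windows_update": "allowed", "proxy": "site-proxy"})),
    ])
    domain = Container("corp.example.com", [
        Link(Gpo("Domain-Lockdown", {"audit_logon": "on", "allow_removable_media": "no"}),
             no_override=True),
        Link(Gpo("Domain-Baseline", {"screensaver": "allowed", "proxy": "domain-proxy"})),
    ])
    staff = Container("Staff", [
        Link(Gpo("Staff-Policy", {"proxy": "staff-proxy", "allow_removable_media": "yes"})),
    ])
    # The three GPOs of the Human Resources example, listed top first.
    hr = Container("Human Resources", [
        Link(Gpo("No ScreenSaver", {"screensaver": "blocked", "screensaver_timeout": 300})),
        Link(Gpo("No Display Settings", {"display_settings": "blocked"})),
        Link(Gpo("No Windows Update", {"windows_update": "blocked", "screensaver_timeout": 1200})),
    ], block_inheritance=block_hr)
    return local, [site, domain, staff, hr]


if __name__ == "__main__":
    for block in (False, True):
        settings, order = effective_settings(*build_scenario(block))
        print("Block Inheritance on Human Resources:", block)
        print("  applied:", " -> ".join(order))
        print("  result: ", settings)
```

Three things to read off the result: screensaver_timeout ends at 300 because No ScreenSaver is at the top of the Human Resources list even though No Windows Update (at the bottom) also sets it; allow_removable_media stays "no" because the domain's No Override link beats the Staff OU's "yes"; and with Block Inheritance on, proxy disappears (the site, domain and Staff links are dropped) while the No Override GPO still applies.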

Q6 How to disable Group Policy Objects

When you edit a Group Policy Object the changes take effect immediately; there is no saving of GPOs. To prevent a partially configured GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disabled column; a check mark will appear. Click the Edit button, make your changes, then double-click under the Disabled column again to re-enable the GPO. This is also the place to temporarily disable a GPO for troubleshooting. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7 When do the Group Policy scripts run?

Startup scripts are processed at computer boot-up, before the user logs in.
Shutdown scripts are processed after a user logs off but before the computer shuts down.
Logon scripts are processed when the user logs in.
Logoff scripts are processed when the user logs off, before the shutdown script runs.

Q8 When does Group Policy get refreshed/applied?

Group Policies are applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called background refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 minutes plus a random offset of up to 30 minutes, so a refresh happens somewhere between 90 and 120 minutes after the previous one (the offset keeps all the clients in a site from hitting the domain controllers at once). For DCs (domain controllers) background refresh is every 5 minutes. Background refresh normally processes only GPOs that have changed; the exception is the security settings, which every computer reapplies every 16 hours (user and machine) even when the GPO has not changed, which is what undoes local tampering with a security setting. These settings can be changed under the Computer and User nodes, Administrative Templates\System\Group Policy.

Q9 Which policies are not affected by background refresh?

These policies are not processed by background refresh; they are applied only at startup or logon:

Folder Redirection
Software Installation
Logon, Logoff, Startup and Shutdown scripts

Q9 How to refresh Group Policies using the command line

Secedit.exe is a command-line tool that can be used to refresh Group Policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy to refresh the user policies
secedit /refreshpolicy machine_policy to refresh the machine (or computer) policies

These parameters only refresh user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is the command-line tool that refreshes Group Policies on a Windows XP or Windows Server 2003 computer. It has replaced secedit /refreshpolicy, which those versions no longer accept. To use gpupdate, open a command prompt and type:

gpupdate /target:user to refresh the user policies
gpupdate /target:computer to refresh the machine (or computer) policies

As with secedit, these parameters only refresh user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

gpupdate /force

Notice that /force on its own applies to both user and computer policies; combine it with /target (gpupdate /target:computer /force) to limit it to one of them. Two further switches matter for the settings listed in Q9 that are only applied at logon or startup: gpupdate /logoff logs the user off after the refresh and gpupdate /boot restarts the computer, so that Folder Redirection and Software Installation settings are picked up.

Q10 What is the default setting for dial-up users?

Windows 2000 considers a slow link to be anything under 500 kbps. When a user logs on to a domain over a link below 500 kbps some policies are not applied.

Windows 2000 automatically measures the speed of the connection (any link, including a VPN, not only dial-up) and decides accordingly which Group Policy extensions to apply. The 500 kbps threshold can be changed with the Group Policy slow link detection setting under Administrative Templates\System\Group Policy.

Q11 Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12 Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These defaults can be changed per extension under the Computer and User nodes, Administrative Templates\System\Group Policy: each extension's policy processing setting has an Allow processing across a slow network connection option. Administrative Templates and Security Settings have no such option and are always processed, so a lockdown still reaches a remote user even over a slow dial-up connection.


If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after logging on, the policies are applied on the standard refresh cycle.

Q13 What are the two default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the group policy tab for that domain It is the first policy listed The default domain policy is unique in that certain policies can only be applied at the domain level

If you double click this GPO and drill down to Computer Configuration Windows Settings Security Settings Account Policies you will see three policies listed

Password PolicyAcount Lockout PolicyKerberos Policy

These 3 policies can only be set at the domain level If you set these policies anywhere else- Site or OU they are ignored However setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs Login to the domain you get the domain policy login locally you get the OU policy

If you drill down to Computer Configuration Windows Settings Security Settings Local Policies Security Options there are 3 policies that are affected by Default Domain Policy

Automatically log off users when logon time expiresRename Adminsitrator Account - When set at the domain level it affects the Domain Administrator account onlyRename Guest Account - When set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above If you want to create additional domain level policies you should create additional domain level GPOsDo not delete the Default Domain Policy You can disable it but it is not recommended

Default Domain Controllers Policy - This policy can be found by right clicking the Domain Controllers OU choosing Properties then the Group Policy tab This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers That is no matter where you put your domain controllers in Active Directory (whatever OU you put them in) they will still process this policy

Use the Default Domain Controllers Policy to set local policies for your domain controllers eg Audit Policies Event Log settings who can logon locally and so on

45

Q14How to restore Group policy setting back to default

The following command would replace both the Default Domain Security Policy and DefaultDomain Controller Security Policy You can specify Domain or DC instead of Both to onlyrestore one or the other

gt dcgpofix targetBoth

Note that this must be run from a domain controller in the target domain where you want to reset the GPO

If youve ever made changes to the default GPOs and would like to revert back to the originalsettings the dcgpofix utility is your solution dcgpofix works with a particular version ofschema If the version it expects to be current is different from what is in Active Directory itnot restore the GPOs You can work around this by using the ignoreschema switch whichrestore the GPO according to the version dcgpofix thinks is current The only time you mightexperience this issue is if you install a service pack on a domain controller (dc1) that extendsschema but have not installed it yet on a second domain controller (dc2) If you try to run

dcgpofix from dc2 you will receive the error since a new version of the schema and thedcgpofix utility was installed on dc1

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer there must be a way of determining how those GPOs are combined GPOs are processed in the following order

1 Local GPO The local GPO on the computer is processed and all settings specified in that GPO are applied

2 Site GPOs GPOs linked to the site in which the computer resides are processed Settings made at this level override any conflicting settings made at the preceding level If multiple GPOs are linked to a site the site administrator can control the order in which those GPOs are processed

3 Domain GPOs GPOs linked to the domain in which the computer resides are processed and any settings are applied Settings made at the domain level override conflicting settings applied at the local or site level Again the administrator can control the processing order when multiple GPOs are linked to the domain4 OU GPOs GPOs linked to any OUs that contain the user or computer object are processed Settings made at the OU level override conflicting settings applied at the domain local or site level It is possible for a single object to be in multiple OUs In this case GPOs linked to the highest level OU in the Active Directory hierarchy are processed first followed by the next highest level OU and so on If multiple GPOs are linked to a single

46

Q15 What are the two exceptions to control the inheritance of the group policy

No Override When you link a GPO to a container you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers This provides a way to force child containers to conform to a particular policy Block Inheritance You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers However if a parent container has the No Override option set the child container cannot block inheritance from this parent

Q16 How to Redirect New User and Computer Accounts

By default new user and computer accounts are created in the Users and Computers containers respectively You cannot link a GPO to either of these built-in containers Even though the built-in containers inherit GPOs linked to the domain you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO Windows Server 2003 includes two new tools that let you redirect the target locationfor new user and computer accounts You can use redirusrexe to redirect user accounts and redircompexe to redirect computer accounts Once you choose the OU for redirection new user and computer accounts are createddirectly in the new target OU where the appropriate GPOs are linked For example you could create an OU named New Users link an appropriate GPO to the OU and then redirect the creation of new-users accounts to the New Users OU Any new users created would immediately be affected by the settings in the GPO Administrators could then move the new user accounts to a more appropriate location later You can find both of these tools in the windirsystem32 folder on any computer running Windows Server 2003 You can learn more about using these tools in Knowledge Base article 324949 ldquoRedirecting the Users and Computers Containers in Windows Server 2003 Domainsrdquo in the Microsoft Knowledge Base at httpsupportmicrosoftcom

Q17 What permissions should a administrator have to manage GPOs

Editing GPOs linked to sites requires Enterprise Administrative permissionsEditing GPOs linked to domains requires Domain AdministrativeEditing GPOs linked to OUs requires permissions for the OU

Q18 What is the client requirement for supporting GPOs

For client computers to accept Group Policy settings they must be members of Active Directory Support for Group Policy for key operating systems includes the following

Windows 9598Me do not support Group Policy Windows NT 40 and earlier versions do not support Group Policy Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003 but not all Unsupported settings are ignored

47

Windows XP Professional Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy

48

  • ACTIVE DIRECTORY ndash DNS ndash FSMO ndash GROUP POLICY
  • What Is Active Directory
    • Purpose of Active Directory
    • Functions of Active Directory
    • Sites within Active Directory
      • Operations Master Roles
        • Forest-wide Roles
        • Domain-wide Roles
        • Integration of DNS and Active Directory
          • What Are Active Directory Integrated Zones
            • Active Directory Integrated Zones
              • What Are DNS Zones
                • Types of Zones
                  • Standard Zone
                    • Standard Primary Zone
                    • Standard Secondary Zone
                      • Directory-integrated Zone
                          • DNS Records
Page 36: Interview Based Question AD DNS FSMO GPO

4Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using the Netdom command line utility Like the Active Directory Schema snap-in the Netdom utility is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit

To use Netdom to view the FSMO role holders open a command prompt window and typenetdom query fsmo and press enter You will see a list of the FSMO role servers

36

5 Active Directory Relication Monitor another tool that comes with the Support Tools is the Active Directory Relication Monitor Open this utility from Start Programs Windows 2000 Support Tools Once open click Edit Add Monitored Server and add the name of a Domain Controller Once added right click the Server name and choose properties Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below) You cannot change roles using Replication Monitor but this tool has many other useful purposes in regard to Active Directory information It is something you should check out if you havent already

Finally you can use the Ntdsutilexe utility to gather information about and change servers for FSMO roles Ntdsutilexe a command line utility that is installed with Windows 2000 server is rather complicated and beyond the scope of this document

6 DUMPFSMOS

Command-line tool to query for the current FSMO role holders

Part of the Microsoft Windows 2000 Server Resource Kit

Downloadable from httpwwwmicrosoftcomwindows200037

techinforeskitdefaultasp

Prints to the screen the current FSMO holders

Calls NTDSUTIL to get this information

7 NLTEST

Command-line tool to perform common network administrative tasks

Type ldquonltest rdquo for syntax and switches

Common uses

Get a list of all DCs in the domain

Get the name of the PDC emulator

Query or reset the secure channel for a server

Call DsGetDCName to query for an available domain controller

8 Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles

httpwwwsvropscomsvropsdownloadszipfilesADcheckmsi

Q9 How to Transfer and Seize a FSMO Role

httpsupportmicrosoftcomdefaultaspxscid=kben-usQ255504

38

GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all of this can be done with Group Policies.

Group Policies can be configured either locally or through Domain Policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users that are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services, right-click Default-First-Site-Name (or another Site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right-click the Domain or an OU and choose Properties.

Q4. Who can Create/Modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies.

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default, only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default, only the Administrator user account is a member of this group.

Additionally, at the OU level, users can be delegated control of the OU Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already-created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies Applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains, and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to which objects.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7. When do the group policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When does the group policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 minutes with a +/- 30 minute random interval, so the refresh could be at 60, 90, or 120 minutes. For DCs (Domain Controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes at Administrative Templates > System > Group Policy.

Q9. Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup, and Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (to refresh the user policies)
secedit /refreshpolicy machine_policy (to refresh the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (to refresh the user policies)
gpupdate /target:machine (to refresh the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice that the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10. What is the default setting for dial-up users?

Win2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11. Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under the Computer and User nodes at Administrative Templates > System > Group Policy.

If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13. What are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy: this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored for domain logons. However, setting these 3 policies at the OU level will have the effect of setting them for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account: when set at the domain level it affects the Domain Administrator account only
Rename Guest Account: when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy: this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.

Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local, or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next-highest-level OU, and so on. If multiple GPOs are linked to a single

Q15. What are the two exceptions to control the inheritance of group policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
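The precedence rules spread across Q5, "Resolving GPOs from Multiple Sources" and Q15 (LSDOU order, bottom-to-top link order within one container, Block Inheritance, and No Override winning through a block) are easier to reason about as a small model. The following Python is an added example written for this page, not Windows or Microsoft code; the containers, GPO names and setting names in the Sally scenario are constructed, and the model deliberately ignores per-extension behaviour such as the non-additive IPSec/EFS policies noted above.

```python
"""Toy model of Group Policy precedence as described in the page:
LSDOU container order, bottom-to-top link order inside a container,
Block Inheritance, and No Override (later renamed Enforced).
Added example; all names below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]          # setting name -> configured value


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False         # the "No Override" check box on the link


@dataclass
class Container:
    name: str
    level: str                        # "local", "site", "domain" or "ou"
    links: List[Link] = field(default_factory=list)   # Group Policy tab order, top entry first
    block_inheritance: bool = False


def resolve(chain: List[Container]) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """chain is the LSDOU path for one object: local, site, domain, then the OUs
    from the top of the tree down to the one holding the object.
    Returns (setting -> (value, winning GPO), GPO names in application order)."""
    normal: List[Tuple[GPO, str]] = []          # (gpo, level) for ordinary links
    enforced_per_container: List[List[GPO]] = []
    for c in chain:
        if c.block_inheritance:
            # Block Inheritance discards everything inherited from parent AD
            # containers.  The local GPO is not inherited, so it stays.
            normal = [(g, lvl) for g, lvl in normal if lvl == "local"]
        # The list on the Group Policy tab is applied bottom to top, so the
        # top entry is applied last and wins conflicts inside this container.
        bottom_up = list(reversed(c.links))
        normal.extend((l.gpo, c.level) for l in bottom_up if not l.no_override)
        enforced_per_container.append([l.gpo for l in bottom_up if l.no_override])
    # No Override links are applied after every ordinary link and survive a
    # Block Inheritance below them.  Among No Override links the parent wins
    # over the child, so the deepest container's go first and the site's last.
    order: List[GPO] = [g for g, _ in normal]
    for group in reversed(enforced_per_container):
        order.extend(group)
    effective: Dict[str, Tuple[str, str]] = {}
    for gpo in order:                           # later writes overwrite earlier ones
        for setting, value in gpo.settings.items():
            effective[setting] = (value, gpo.name)
    return effective, [g.name for g in order]


def sally_scenario(block_staff: bool = True) -> List[Container]:
    """Constructed LSDOU chain for a user in Staff\\Development (hypothetical names)."""
    return [
        Container("Sally-PC (local)", "local",
                  [Link(GPO("Local", {"screensaver_timeout": "900"}))]),
        Container("Default-First-Site-Name", "site",
                  [Link(GPO("Site-Baseline", {"windows_update": "allowed",
                                              "screensaver_timeout": "600"}),
                        no_override=True)]),
        Container("example.local", "domain",
                  [Link(GPO("Default Domain Policy", {"min_password_length": "8",
                                                      "windows_update": "allowed"}))]),
        Container("Staff", "ou",
                  [Link(GPO("No Display Settings", {"display_settings": "locked"})),
                   Link(GPO("Allow Display", {"display_settings": "unlocked",
                                              "windows_update": "blocked"}))],
                  block_inheritance=block_staff),
        Container("Development", "ou",
                  [Link(GPO("Dev-Tools", {"windows_update": "blocked",
                                          "screensaver_timeout": "300"}))]),
    ]


if __name__ == "__main__":
    effective, order = resolve(sally_scenario())
    print("applied in order:", " -> ".join(order))
    for setting, (value, winner) in sorted(effective.items()):
        print(f"{setting:20s} = {value:10s} (from {winner})")
```

Running it shows the three rules interacting: the Site-Baseline link is applied last even though the site is processed second, so its No Override values beat the Dev-Tools OU link; the Staff OU's Block Inheritance drops the Default Domain Policy entirely, which is why min_password_length has no winner; and within Staff the top link (No Display Settings) overrides the one below it. Flip block_staff to False and the domain policy reappears, which is the sort of check worth making before trusting a "locked down" OU.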

Q16. How to Redirect New User and Computer Accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircmp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrator permissions.
Editing GPOs linked to domains requires Domain Administrator permissions.
Editing GPOs linked to OUs requires permissions on the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy.
Windows NT 4.0 and earlier versions do not support Group Policy.
Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.
Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.

48

  • ACTIVE DIRECTORY ndash DNS ndash FSMO ndash GROUP POLICY
  • What Is Active Directory
    • Purpose of Active Directory
    • Functions of Active Directory
    • Sites within Active Directory
      • Operations Master Roles
        • Forest-wide Roles
        • Domain-wide Roles
        • Integration of DNS and Active Directory
          • What Are Active Directory Integrated Zones
            • Active Directory Integrated Zones
              • What Are DNS Zones
                • Types of Zones
                  • Standard Zone
                    • Standard Primary Zone
                    • Standard Secondary Zone
                      • Directory-integrated Zone
                          • DNS Records
Page 37: Interview Based Question AD DNS FSMO GPO

5 Active Directory Relication Monitor another tool that comes with the Support Tools is the Active Directory Relication Monitor Open this utility from Start Programs Windows 2000 Support Tools Once open click Edit Add Monitored Server and add the name of a Domain Controller Once added right click the Server name and choose properties Click the FSMO Roles tab to view the servers holding the 5 FSMO roles (below) You cannot change roles using Replication Monitor but this tool has many other useful purposes in regard to Active Directory information It is something you should check out if you havent already

Finally you can use the Ntdsutilexe utility to gather information about and change servers for FSMO roles Ntdsutilexe a command line utility that is installed with Windows 2000 server is rather complicated and beyond the scope of this document

6 DUMPFSMOS

Command-line tool to query for the current FSMO role holders

Part of the Microsoft Windows 2000 Server Resource Kit

Downloadable from httpwwwmicrosoftcomwindows200037

techinforeskitdefaultasp

Prints to the screen the current FSMO holders

Calls NTDSUTIL to get this information

7 NLTEST

Command-line tool to perform common network administrative tasks

Type ldquonltest rdquo for syntax and switches

Common uses

Get a list of all DCs in the domain

Get the name of the PDC emulator

Query or reset the secure channel for a server

Call DsGetDCName to query for an available domain controller

8 Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles

httpwwwsvropscomsvropsdownloadszipfilesADcheckmsi

Q9 How to Transfer and Seize a FSMO Role

httpsupportmicrosoftcomdefaultaspxscid=kben-usQ255504

38

GROUP POLICY

Q1 What are Group Policies

Group Policies are settings that can be applied to Windows computers users or both In Windows 2000 there are hundreds of Group Policy settings Group Policies are usually used to lock down some aspect of a PC Whether you dont want users to run Windows Update or change their Display Settings or you want to insure certain applications are installed on computers - all this can be done with Group Policies

Group Policies can be configured either Locally or by Domain Polices Local policies can be accessed by clicking Start Run and typing gpeditmsc They can also be accessed by opening the Microsoft Management Console (Start Run type mmc) and adding the Group Policy snap-in You must be an Administrator to configuremodify Group Policies Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers They cannot be used on Win9x or WinNT computers

Q2 Domain policy gets applied to whom

Domain Policies are applied to computers and users who are members of a Domain and these policies are configured on Domain Controllers You can access Domain Group Polices by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain andor Organizational Units)

Q3 From Where to create a Group Policy

To create a Domain Group Policy Object open Active Directory Sites and Services and right click Default-First-Site-Name or another Site name choose properties then the Group Policy tab then click the New button Give the the GPO a name then click the Edit button to configure the policiesFor Active Directory Users and Computers it the same process except you right click the Domain or an OU and choose properties

Q4 Who can CreateModify Group Policies

You have to have Administrative privileges to createmodify group policies The following table shows who can createmodify group policies

Policy Type Allowable GroupsUsers

Site Level Group Policies Enterprise Administrators andor Domain Administrators in the root domain The root domain is the first domain created in a tree or forest The Enterprise Administrators group is found only in the root domain

Domain Level Group Policies

Enterprise Administrators Domain Administrators or members of the built-in group - Group Policy Creator Owners By default only the Administrator user account is a

39

member of this group

OU Level Group Policies Enterprise Administrators Domain Administrators or members of the Group Policy Creator Owners By default only the Administrator user account is a member of this group

Additionally at the OU level users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control) However the wizard only allows the delegated user to Link already created group policies to the OU If you want to give the OU administrators control over creatingmodifying group policies add them to the Group Policy Creator Owners group for the domain

Local Group Policies The local Administrator user account or members of the local Administrators group

Q5 How are Group Policies Applied

Group Polices can be configured locally at the Site level the Domain level or at the Organizational Unit (OU) level Group Policies are applied in a Specific Order LSDO - Local policies first then Site based policies then Domain level policies then OU polices then nested OU polices (OUs within OUs) Group polices cannot be linked to a specific user or group only container objects

In order to apply Group Polices to specific users or computers you add users (or groups) and computers to container objects Anything in the container object will then get the policies linked to that container Sites Domains and OUs are considered container objects

Computer and User Active Directory objects do not have to put in the same container object For example Sally the user is an object in Active Directory Sallys Windows 2000 Pro PC is also an object in Active Directory Sally the user object can be in one OU while her computer object can be another OU It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects

40

User and Computer Policies

There are two nodes in each Group Policy Object that is created A Computer node and a User Node They are called Computer Configuration and User Configuration (see image above) The polices configured in the Computer node apply to the computer as a whole Whoever logs onto that computer will see those policiesNote Computer policies are also referred to as machine policies

User policies are user specific They only apply to the user that is logged on When creating Domain Group Polices you can disable either the Computer node or User node of the Group Policy Object you are creating By disabling a node that no policies are defined for you are decreasing the time it takes to apply the policesTo disable the node polices After creating a Group Policy Object click that Group Policy Object on the Group Policy tab then click the Properties button You will see two check boxes at the bottom of the General tab

Its important to understand that when Group Policies are being applied all the policies for a node are evaluated first and then applied They are not applied one after the other For example say Sally the user is a member of the Development OU and the Security OU When Sally logs onto her PC the policies set in the User node of the both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user They are not applied Development OU first and then Security OU (or visa- versa)The same goes for Computer policies When a computer boots up all the Computer node polices for that computer are evaluated then applied

41

When computers boot up the Computer policies are applied When users login the User policies are applied When user and computer group policies overlap the computer policy wins

Note IPSec and EFS policies are not additive The last policy applied is the policy the usercomputer will have

When applying multiple Group Policies Objects from any container Group Policies are applied from bottom to top in the Group Policy Object list The top Group Policy in the list is the last to be applied In the above image you can see three Group Policy Objects associated with the Human Resources OU These polices would be applied No Windows Update first then No Display Settings then No ScreenSaver If there were any conflicts in the policy settings the one above it would take precedence

Q6How to disable Group Policy Objects

When you are creating a Group Policy Object the changes happen immediately There is no saving of GPOs To prevent a partial GPO from being applied disable the GPO while you are configuring it To do this click the Group Policy Object on the Group Policy tab and under the Disable column double click - a little check will appear Click the Edit button make your changes then double click under the Disable column to re-enable the GPO Also if you want to temporarily disable a GPO for troubleshooting reasons this is the place to do it You can also click the Options button on the Group Policy tab and select the Disabled check box

42

Q7 When does the group policy Scripts run

Startup scripts are processed at computer bootup and before the user logs inShutdown scripts are processed after a user logs off but before the computer shuts down

Login scripts are processed when the user logs inLogoff scripts are processed when the user logs off but before the shutdown script runs

Q8 When the group policy gets refreshedapplied

Group Policies can be applied when a computer boots up andor when a user logs in However policies are also refreshed automatically according to a predefined schedule This is called Background Refresh

Background refresh for non DCs (PCs and Member Servers) is every 90 mins with a +- 30 mininterval So the refresh could be 60 90 or 120 mins For DCs (Domain Controllers) background refresh is every 5 minsAlso every 16 hours every PC will request all group policies to be reapplied (user and machine) These settings can be changed under Computer and User Nodes Administrative TemplatesSystem Group Policy

Q9 Which are the policies which does not get affected by background refresh

Policies not affected by background refresh These policies are only applied at logon time

Folder RedirectionSoftware InstallationLogon Logoff Startup Shutdown Scripts

Q9 How to refresh Group Policies suing the command line

Seceditexe is a command line tool that can be used to refresh group policies on a Windows 2000 computer To use secedit open a command prompt and type

secedit refreshpolicy user_policy to refresh the user policiessecedit refreshpolicy machine_policy to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh To force a reload of all group policies regardless of the last change use

secedit refreshpolicy user_policy enforcesecedit refreshpolicy machine_policy enforce

43

Gpupdateexe is a command line tool that can be used to refresh group policies on a Windows XP computer It has replaced the secedit command To use gpupdate open a command prompt andtype

gpupdate targetuser to refresh the user policiesgpupdate targetmachine to refresh the machine (or computer) policies

As with secedit these parameters will only refresh any user or computer policies that have changed since the last refresh To force a reload of all group policies regardless of the last change use

gpupdate force

Notice the force switch applies to both user and computer policies There is no separation of the two like there is with secedit

Q10 What is the Default Setting for Dial-up users

Win2000 considers a slow dial-up link as anything less than 500kbps When a user logs into a domain on a link under 500k some policies are not applied

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies

Q11 Which are the policies which get applied regardless of the speed of the dial-up connection

Some policies are always applied regardless of the speed of the dial-up connection These are

Administrative TemplatesSecurity SettingsEFS RecoveryIPSec

Q12 Which are the policies which do not get applied over slow links

IE Maintenance SettingsFolder RedirectionScriptsDisk Quota settingsSoftware Installation and Maintenance

These settings can be changed under Computer and User Nodes Administrative TemplatesSystem Group Policy

44

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen once the user is authenticated the computer policies are applied first followed by the user policies

If the user connects to the domain using Network and Dial-up Connections after they logon the policies are applied using the standard refresh cycle

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double click this GPO and drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. If multiple GPOs are linked to a single


Q15. What are the two exceptions to control the inheritance of the group policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
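The processing order, the two inheritance controls above and the per-container link order described later on this page (the top GPO in the list is applied last and wins a conflict) can be worked through with a small resolver. The following is an added example written for this page, not code from the original document or from Microsoft; every container, GPO name and setting in it is constructed, and "Enforced" is the later GPMC name for No Override.

```python
"""Toy Group Policy precedence resolver (added example, not from the original
document or from Microsoft).

It models the rules the text describes:
  * Containers are processed Local -> Site -> Domain -> OU -> nested OU, and a
    later container overrides conflicting settings from an earlier one.
  * Within one container, links are applied bottom-to-top, so the link at the
    top of the list is applied last and wins any conflict.
  * Block Inheritance on a container discards the GPOs it would inherit from
    its parents.
  * No Override (renamed "Enforced" in GPMC) on a link makes that GPO win over
    child containers and survive a child's Block Inheritance; when two
    No Override links conflict, the one on the higher container wins.
All container names, GPO names and settings below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    gpo: str
    settings: dict                 # setting name -> value
    no_override: bool = False      # the "No Override" / "Enforced" flag


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # top of the GPMC list first
    block_inheritance: bool = False


def precedence_order(chain):
    """Return the GPO links in precedence order (highest precedence first).

    `chain` lists the containers from the outermost (Local) to the innermost
    (the OU that holds the object), i.e. the LSDOU processing order."""
    enforced, normal = [], []
    for container in chain:
        own_normal = [link for link in container.links if not link.no_override]
        own_enforced = [link for link in container.links if link.no_override]
        if container.block_inheritance:
            normal = []            # inherited (non-enforced) links are dropped
        # A child container outranks its parents for normal links ...
        normal = own_normal + normal
        # ... but a parent outranks its children for No Override links.
        enforced = enforced + own_enforced
    return enforced + normal


def effective_settings(chain):
    """Compute the resultant set of policy: setting -> (value, winning GPO)."""
    result = {}
    for link in precedence_order(chain):
        for name, value in link.settings.items():
            result.setdefault(name, (value, link.gpo))   # first (highest) wins
    return result


def sample_chain(block_hr=True):
    """Constructed scenario: a workstation in the Human Resources OU."""
    return [
        Container("Local", [
            GpoLink("Local GPO", {"screensaver_timeout": 600,
                                  "allow_windows_update": True})]),
        Container("Default-First-Site-Name"),
        Container("domain", [
            GpoLink("Default Domain Policy", {"hide_run_menu": False,
                                              "allow_windows_update": True}),
            GpoLink("Corporate Logon Banner",
                    {"logon_banner": "Authorized use only"}, no_override=True)]),
        Container("OU=Human Resources", [
            # Same three links as the page's Human Resources example, listed
            # top to bottom as they would appear on the Group Policy tab.
            GpoLink("No ScreenSaver", {"screensaver_timeout": 0}),
            GpoLink("No Display Settings", {"hide_display_cpl": True,
                                            "screensaver_timeout": 900,
                                            "logon_banner": "HR staff only"}),
            GpoLink("No Windows Update", {"allow_windows_update": False})],
            block_inheritance=block_hr),
    ]


if __name__ == "__main__":
    for name, (value, gpo) in sorted(effective_settings(sample_chain()).items()):
        print(f"{name:22} = {value!r:22} (from {gpo})")
```

Flip `block_hr` to False to see the Default Domain Policy setting reappear while the No Override banner is unaffected either way.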

Q16. How to Redirect New User and Computer Accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: you can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17. What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.
Editing GPOs linked to domains requires Domain Administrative permissions.
Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.



techinfo/reskit/default.asp

Prints the current FSMO holders to the screen.

Calls NTDSUTIL to get this information.

7. NLTEST

Command-line tool to perform common network administrative tasks.

Type "nltest /?" for syntax and switches.

Common uses:

Get a list of all DCs in the domain
Get the name of the PDC emulator
Query or reset the secure channel for a server
Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles.

http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to Transfer and Seize a FSMO Role?

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504


GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users, or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers - all this can be done with Group Policies.

Group Policies can be configured either locally or by Domain Policies. Local policies can be accessed by clicking Start > Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start > Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom?

Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers. You can access Domain Group Policies by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q3. From where to create a Group Policy?

To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name (or another Site name), choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. Who can Create/Modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table shows who can create/modify group policies:

Policy Type: Allowable Groups/Users

Site Level Group Policies: Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain.

Domain Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.

OU Level Group Policies: Enterprise Administrators, Domain Administrators, or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.

Additionally, at the OU level users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain.

Local Group Policies: The local Administrator user account or members of the local Administrators group.

Q5. How are Group Policies Applied?

Group Policies can be configured locally, at the Site level, the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDO - Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs). Group policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole. Whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies. When a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6. How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately. There is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and under the Disable column double click - a little check will appear. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7. When do the group policy Scripts run?

Startup scripts are processed at computer bootup and before the user logs in.
Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in.
Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8. When does the group policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 mins with a +/- 30 min interval, so the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers) background refresh is every 5 mins. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates > System > Group Policy.

Q9. Which are the policies which do not get affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup, Shutdown Scripts

Q9. How to refresh Group Policies using the command line?

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy      to refresh the user policies
secedit /refreshpolicy machine_policy   to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce




GROUP POLICY

Q1 What are Group Policies

Group Policies are settings that can be applied to Windows computers users or both In Windows 2000 there are hundreds of Group Policy settings Group Policies are usually used to lock down some aspect of a PC Whether you dont want users to run Windows Update or change their Display Settings or you want to insure certain applications are installed on computers - all this can be done with Group Policies

Group Policies can be configured either Locally or by Domain Polices Local policies can be accessed by clicking Start Run and typing gpeditmsc They can also be accessed by opening the Microsoft Management Console (Start Run type mmc) and adding the Group Policy snap-in You must be an Administrator to configuremodify Group Policies Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers They cannot be used on Win9x or WinNT computers

Q2 Domain policy gets applied to whom

Domain Policies are applied to computers and users who are members of a Domain and these policies are configured on Domain Controllers You can access Domain Group Polices by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain andor Organizational Units)

Q3 From Where to create a Group Policy

To create a Domain Group Policy Object open Active Directory Sites and Services and right click Default-First-Site-Name or another Site name choose properties then the Group Policy tab then click the New button Give the the GPO a name then click the Edit button to configure the policiesFor Active Directory Users and Computers it the same process except you right click the Domain or an OU and choose properties

Q4 Who can CreateModify Group Policies

You have to have Administrative privileges to createmodify group policies The following table shows who can createmodify group policies

Policy Type Allowable GroupsUsers

Site Level Group Policies Enterprise Administrators andor Domain Administrators in the root domain The root domain is the first domain created in a tree or forest The Enterprise Administrators group is found only in the root domain

Domain Level Group Policies

Enterprise Administrators Domain Administrators or members of the built-in group - Group Policy Creator Owners By default only the Administrator user account is a

39

member of this group

OU Level Group Policies Enterprise Administrators Domain Administrators or members of the Group Policy Creator Owners By default only the Administrator user account is a member of this group

Additionally at the OU level users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control) However the wizard only allows the delegated user to Link already created group policies to the OU If you want to give the OU administrators control over creatingmodifying group policies add them to the Group Policy Creator Owners group for the domain

Local Group Policies The local Administrator user account or members of the local Administrators group

Q5 How are Group Policies Applied

Group Policies can be configured locally, at the Site level, at the Domain level, or at the Organizational Unit (OU) level. Group Policies are applied in a specific order, LSDOU: Local policies first, then Site-based policies, then Domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects.

In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Anything in the container object will then get the policies linked to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory; Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally the user object can be in one OU while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to which objects.


User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs onto that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that no policies are defined for, you are decreasing the time it takes to apply the policies. To disable the node policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied. They are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.


When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6 How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.


Q7 When do the group policy scripts run?

Startup scripts are processed at computer boot-up and before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off but before the shutdown script runs.

Q8 When does the group policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and Member Servers) is every 90 minutes with a +/- 30 minute random interval, so the refresh could be 60, 90 or 120 minutes. For DCs (Domain Controllers) background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.

Q9 Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup and Shutdown Scripts

Q9 How to refresh Group Policies using the command line?

Secedit.exe is a command-line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy - to refresh the user policies
secedit /refreshpolicy machine_policy - to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce


Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user - to refresh the user policies
gpupdate /target:computer - to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of the two like there is with secedit.

Q10 What is the Default Setting for Dial-up users?

Win2000 considers a slow dial-up link as anything less than 500 Kbps. When a user logs into a domain on a link under 500 Kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11 Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12 Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.


If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13 Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU) they are ignored. However, setting these 3 policies at the OU level will have the effect of setting them for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14 How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which restores the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2 you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1 Local GPO - The local GPO on the computer is processed and all settings specified in that GPO are applied.

2 Site GPOs - GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3 Domain GPOs - GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4 OU GPOs - GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single


Q15 What are the two exceptions to control the inheritance of group policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
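As an added example that is not part of this document or of any Microsoft tooling, the following Python model applies the processing order from "Resolving GPOs from Multiple Sources" together with the No Override and Block Inheritance rules of Q15 to constructed GPOs, reusing the three Human Resources OU GPO names from the "User and Computer Policies" section. All GPO names, setting names and values are assumptions, as is the tie-break between two conflicting No Override GPOs (the one at the higher level wins).

```python
"""Constructed model of Group Policy precedence as described in this document:
LSDOU order, bottom-to-top link order inside one container, Block Inheritance
and No Override.  Added illustration, not Microsoft's implementation."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]        # setting name -> configured value
    no_override: bool = False       # the "No Override" option on the link


@dataclass
class Container:
    """Local computer, site, domain or OU with its Group Policy tab list.

    links[0] is the top entry of the list.  The document says the top entry
    is applied last and therefore takes precedence within the container."""
    name: str
    links: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False


def resolve(chain: List[Container]) -> Dict[str, str]:
    """Effective settings for an object whose containers, from the outermost
    level inward, are [local, site, domain, OU, nested OU, ...].

    Rules taken from the text:
      * later levels override conflicting settings from earlier levels;
      * inside one container GPOs are applied bottom-to-top of the list;
      * Block Inheritance discards everything inherited from parent levels,
        except settings from No Override GPOs, which cannot be blocked;
      * No Override settings cannot be overridden by child containers.
    Assumption beyond the text: if two No Override GPOs conflict, the one
    linked at the higher (parent) level wins.
    """
    effective: Dict[str, str] = {}
    enforced_per_level: List[List[GPO]] = []   # No Override GPOs, per level
    for container in chain:
        if container.block_inheritance:
            effective = {}          # enforced GPOs are re-applied at the end
        level_enforced: List[GPO] = []
        for gpo in reversed(container.links):   # bottom of the list first
            effective.update(gpo.settings)
            if gpo.no_override:
                level_enforced.append(gpo)
        enforced_per_level.append(level_enforced)
    # Re-apply No Override GPOs last, child levels first so that parents win.
    for level in reversed(enforced_per_level):
        for gpo in level:
            effective.update(gpo.settings)
    return effective


def example_scenario() -> Dict[str, Dict[str, str]]:
    """Constructed domain: a No Override baseline linked at the domain, and a
    Human Resources OU that blocks inheritance and carries the three GPOs
    named in the document, listed top to bottom as on the Group Policy tab."""
    local = Container("Local", [GPO("Local GPO", {"wallpaper": "local.bmp",
                                                 "screensaver": "allowed"})])
    site = Container("Default-First-Site-Name",
                     [GPO("Site GPO", {"wallpaper": "site.bmp"})])
    domain = Container("example.local", [
        GPO("Security Baseline", {"screensaver": "required"}, no_override=True),
        GPO("Default Domain Policy", {"min_password_length": "8",
                                      "wallpaper": "corp.bmp"}),
    ])
    hr = Container("Human Resources", [
        GPO("No ScreenSaver", {"screensaver": "disabled",
                               "screensaver_tab": "visible"}),
        GPO("No Display Settings", {"display_cpl": "hidden",
                                    "screensaver_tab": "hidden"}),
        GPO("No Windows Update", {"windows_update": "disabled"}),
    ], block_inheritance=True)
    return {
        "domain_user": resolve([local, site, domain]),
        "hr_user": resolve([local, site, domain, hr]),
    }


if __name__ == "__main__":
    for who, settings in example_scenario().items():
        print(who, settings)
```

For the HR user, Block Inheritance removes the wallpaper and password-length settings inherited from above, the top-of-list "No ScreenSaver" wins the screensaver_tab conflict inside the OU, and the domain's No Override baseline still forces screensaver to "required".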

Q16 How to Redirect New User and Computer Accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17 What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.
Editing GPOs linked to domains requires Domain Administrative permissions.
Editing GPOs linked to OUs requires permissions for the OU.

Q18 What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.


  • ACTIVE DIRECTORY ndash DNS ndash FSMO ndash GROUP POLICY
  • What Is Active Directory
    • Purpose of Active Directory
    • Functions of Active Directory
    • Sites within Active Directory
      • Operations Master Roles
        • Forest-wide Roles
        • Domain-wide Roles
        • Integration of DNS and Active Directory
          • What Are Active Directory Integrated Zones
            • Active Directory Integrated Zones
              • What Are DNS Zones
                • Types of Zones
                  • Standard Zone
                    • Standard Primary Zone
                    • Standard Secondary Zone
                      • Directory-integrated Zone
                          • DNS Records
Page 40: Interview Based Question AD DNS FSMO GPO

member of this group

OU Level Group Policies Enterprise Administrators Domain Administrators or members of the Group Policy Creator Owners By default only the Administrator user account is a member of this group

Additionally at the OU level users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control) However the wizard only allows the delegated user to Link already created group policies to the OU If you want to give the OU administrators control over creatingmodifying group policies add them to the Group Policy Creator Owners group for the domain

Local Group Policies The local Administrator user account or members of the local Administrators group

Q5 How are Group Policies Applied

Group Polices can be configured locally at the Site level the Domain level or at the Organizational Unit (OU) level Group Policies are applied in a Specific Order LSDO - Local policies first then Site based policies then Domain level policies then OU polices then nested OU polices (OUs within OUs) Group polices cannot be linked to a specific user or group only container objects

In order to apply Group Polices to specific users or computers you add users (or groups) and computers to container objects Anything in the container object will then get the policies linked to that container Sites Domains and OUs are considered container objects

Computer and User Active Directory objects do not have to put in the same container object For example Sally the user is an object in Active Directory Sallys Windows 2000 Pro PC is also an object in Active Directory Sally the user object can be in one OU while her computer object can be another OU It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects

40

User and Computer Policies

There are two nodes in each Group Policy Object that is created A Computer node and a User Node They are called Computer Configuration and User Configuration (see image above) The polices configured in the Computer node apply to the computer as a whole Whoever logs onto that computer will see those policiesNote Computer policies are also referred to as machine policies

User policies are user specific They only apply to the user that is logged on When creating Domain Group Polices you can disable either the Computer node or User node of the Group Policy Object you are creating By disabling a node that no policies are defined for you are decreasing the time it takes to apply the policesTo disable the node polices After creating a Group Policy Object click that Group Policy Object on the Group Policy tab then click the Properties button You will see two check boxes at the bottom of the General tab

Its important to understand that when Group Policies are being applied all the policies for a node are evaluated first and then applied They are not applied one after the other For example say Sally the user is a member of the Development OU and the Security OU When Sally logs onto her PC the policies set in the User node of the both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user They are not applied Development OU first and then Security OU (or visa- versa)The same goes for Computer policies When a computer boots up all the Computer node polices for that computer are evaluated then applied

41

When computers boot up the Computer policies are applied When users login the User policies are applied When user and computer group policies overlap the computer policy wins

Note IPSec and EFS policies are not additive The last policy applied is the policy the usercomputer will have

When applying multiple Group Policies Objects from any container Group Policies are applied from bottom to top in the Group Policy Object list The top Group Policy in the list is the last to be applied In the above image you can see three Group Policy Objects associated with the Human Resources OU These polices would be applied No Windows Update first then No Display Settings then No ScreenSaver If there were any conflicts in the policy settings the one above it would take precedence

Q6How to disable Group Policy Objects

When you are creating a Group Policy Object the changes happen immediately There is no saving of GPOs To prevent a partial GPO from being applied disable the GPO while you are configuring it To do this click the Group Policy Object on the Group Policy tab and under the Disable column double click - a little check will appear Click the Edit button make your changes then double click under the Disable column to re-enable the GPO Also if you want to temporarily disable a GPO for troubleshooting reasons this is the place to do it You can also click the Options button on the Group Policy tab and select the Disabled check box

42

Q7 When does the group policy Scripts run

Startup scripts are processed at computer bootup and before the user logs inShutdown scripts are processed after a user logs off but before the computer shuts down

Login scripts are processed when the user logs inLogoff scripts are processed when the user logs off but before the shutdown script runs

Q8 When the group policy gets refreshedapplied

Group Policies can be applied when a computer boots up andor when a user logs in However policies are also refreshed automatically according to a predefined schedule This is called Background Refresh

Background refresh for non DCs (PCs and Member Servers) is every 90 mins with a +- 30 mininterval So the refresh could be 60 90 or 120 mins For DCs (Domain Controllers) background refresh is every 5 minsAlso every 16 hours every PC will request all group policies to be reapplied (user and machine) These settings can be changed under Computer and User Nodes Administrative TemplatesSystem Group Policy

Q9 Which are the policies which does not get affected by background refresh

Policies not affected by background refresh These policies are only applied at logon time

Folder RedirectionSoftware InstallationLogon Logoff Startup Shutdown Scripts

Q9 How to refresh Group Policies suing the command line

Seceditexe is a command line tool that can be used to refresh group policies on a Windows 2000 computer To use secedit open a command prompt and type

secedit refreshpolicy user_policy to refresh the user policiessecedit refreshpolicy machine_policy to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh To force a reload of all group policies regardless of the last change use

secedit refreshpolicy user_policy enforcesecedit refreshpolicy machine_policy enforce

43

Gpupdateexe is a command line tool that can be used to refresh group policies on a Windows XP computer It has replaced the secedit command To use gpupdate open a command prompt andtype

gpupdate targetuser to refresh the user policiesgpupdate targetmachine to refresh the machine (or computer) policies

As with secedit these parameters will only refresh any user or computer policies that have changed since the last refresh To force a reload of all group policies regardless of the last change use

gpupdate force

Notice the force switch applies to both user and computer policies There is no separation of the two like there is with secedit

Q10 What is the Default Setting for Dial-up users

Win2000 considers a slow dial-up link as anything less than 500kbps When a user logs into a domain on a link under 500k some policies are not applied

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies

Q11 Which are the policies which get applied regardless of the speed of the dial-up connection

Some policies are always applied regardless of the speed of the dial-up connection These are

Administrative TemplatesSecurity SettingsEFS RecoveryIPSec

Q12 Which are the policies which do not get applied over slow links

IE Maintenance SettingsFolder RedirectionScriptsDisk Quota settingsSoftware Installation and Maintenance

These settings can be changed under Computer and User Nodes Administrative TemplatesSystem Group Policy

44

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen once the user is authenticated the computer policies are applied first followed by the user policies

If the user connects to the domain using Network and Dial-up Connections after they logon the policies are applied using the standard refresh cycle

Q13 Which are the two types of default policies

There are two default group policy objects that are created when a domain is created The Default Domain policy and the Default Domain Controllers policy

Default Domain Policy - this GPO can be found under the group policy tab for that domain It is the first policy listed The default domain policy is unique in that certain policies can only be applied at the domain level

If you double click this GPO and drill down to Computer Configuration Windows Settings Security Settings Account Policies you will see three policies listed

Password PolicyAcount Lockout PolicyKerberos Policy

These 3 policies can only be set at the domain level If you set these policies anywhere else- Site or OU they are ignored However setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs Login to the domain you get the domain policy login locally you get the OU policy

If you drill down to Computer Configuration Windows Settings Security Settings Local Policies Security Options there are 3 policies that are affected by Default Domain Policy

Automatically log off users when logon time expiresRename Adminsitrator Account - When set at the domain level it affects the Domain Administrator account onlyRename Guest Account - When set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above If you want to create additional domain level policies you should create additional domain level GPOsDo not delete the Default Domain Policy You can disable it but it is not recommended

Default Domain Controllers Policy - This policy can be found by right clicking the Domain Controllers OU choosing Properties then the Group Policy tab This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers That is no matter where you put your domain controllers in Active Directory (whatever OU you put them in) they will still process this policy

Use the Default Domain Controllers Policy to set local policies for your domain controllers eg Audit Policies Event Log settings who can logon locally and so on

45

Q14How to restore Group policy setting back to default

The following command would replace both the Default Domain Security Policy and DefaultDomain Controller Security Policy You can specify Domain or DC instead of Both to onlyrestore one or the other

gt dcgpofix targetBoth

Note that this must be run from a domain controller in the target domain where you want to reset the GPO

If youve ever made changes to the default GPOs and would like to revert back to the originalsettings the dcgpofix utility is your solution dcgpofix works with a particular version ofschema If the version it expects to be current is different from what is in Active Directory itnot restore the GPOs You can work around this by using the ignoreschema switch whichrestore the GPO according to the version dcgpofix thinks is current The only time you mightexperience this issue is if you install a service pack on a domain controller (dc1) that extendsschema but have not installed it yet on a second domain controller (dc2) If you try to run

dcgpofix from dc2 you will receive the error since a new version of the schema and thedcgpofix utility was installed on dc1

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer there must be a way of determining how those GPOs are combined GPOs are processed in the following order

1 Local GPO The local GPO on the computer is processed and all settings specified in that GPO are applied

2 Site GPOs GPOs linked to the site in which the computer resides are processed Settings made at this level override any conflicting settings made at the preceding level If multiple GPOs are linked to a site the site administrator can control the order in which those GPOs are processed

3 Domain GPOs GPOs linked to the domain in which the computer resides are processed and any settings are applied Settings made at the domain level override conflicting settings applied at the local or site level Again the administrator can control the processing order when multiple GPOs are linked to the domain4 OU GPOs GPOs linked to any OUs that contain the user or computer object are processed Settings made at the OU level override conflicting settings applied at the domain local or site level It is possible for a single object to be in multiple OUs In this case GPOs linked to the highest level OU in the Active Directory hierarchy are processed first followed by the next highest level OU and so on If multiple GPOs are linked to a single

46

Q15 What are the two exceptions to control the inheritance of the group policy

No Override When you link a GPO to a container you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers This provides a way to force child containers to conform to a particular policy Block Inheritance You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers However if a parent container has the No Override option set the child container cannot block inheritance from this parent

Q16 How to Redirect New User and Computer Accounts

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: you can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO; administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.

Q17 What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.
Editing GPOs linked to domains requires Domain Administrative permissions.
Editing GPOs linked to OUs requires permissions for the OU.

Q18 What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy. Windows NT 4.0 and earlier versions do not support Group Policy. Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all; unsupported settings are ignored.

Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully support Group Policy.

User and Computer Policies

There are two nodes in each Group Policy Object that is created: a Computer node and a User node. They are called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs on to that computer will see those policies. Note: Computer policies are also referred to as machine policies.

User policies are user specific: they only apply to the user that is logged on. When creating domain Group Policies, you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node for which no policies are defined, you decrease the time it takes to apply the policies. To disable a node's policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally the user is a member of the Development OU and the Security OU. When Sally logs on to her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.

When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer group policies overlap, the computer policy wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

When applying multiple Group Policy Objects from any container, Group Policies are applied from bottom to top in the Group Policy Object list; the top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the one above it would take precedence.

Q6 How to disable Group Policy Objects?

When you are creating a Group Policy Object, the changes happen immediately; there is no saving of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

Q7 When do the group policy scripts run?

Startup scripts are processed at computer boot-up, before the user logs in. Shutdown scripts are processed after a user logs off but before the computer shuts down.

Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8 When does the group policy get refreshed/applied?

Group Policies can be applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non-DCs (PCs and member servers) is every 90 minutes with a +/- 30 minute interval, so the refresh could be 60, 90 or 120 minutes. For DCs (Domain Controllers), background refresh is every 5 minutes. Also, every 16 hours every PC will request all group policies to be reapplied (user and machine). These settings can be changed under the Computer and User nodes at Administrative Templates\System\Group Policy.

Q9 Which policies are not affected by background refresh?

Policies not affected by background refresh (these policies are only applied at logon time):

Folder Redirection
Software Installation
Logon, Logoff, Startup and Shutdown Scripts

Q9 How to refresh Group Policies using the command line?

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy (refreshes the user policies)
secedit /refreshpolicy machine_policy (refreshes the machine, or computer, policies)

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user (refreshes the user policies)
gpupdate /target:machine (refreshes the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice that the /force switch applies to both user and computer policies; there is no separation of the two like there is with secedit.

Q10 What is the default setting for dial-up users?

Windows 2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a domain on a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11 Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12 Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under the Computer and User nodes at Administrative Templates\System\Group Policy.

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen, once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13 Which are the two types of default policies?

There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy: this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU), they are ignored. However, setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs. Log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account: when set at the domain level it affects the Domain Administrator account only
Rename Guest Account: when set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy: this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.

Q14 How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1. Local GPO: the local GPO on the computer is processed and all settings specified in that GPO are applied.

2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single

Q15 What are the two exceptions to control the inheritance of group policy?

No Override: When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
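The precedence rules spread across the "Human Resources OU" paragraph, "Resolving GPOs from Multiple Sources" and Q15 (Local, Site, Domain, OU order; bottom-to-top link order within a container; Block Inheritance; No Override, which later versions of the Group Policy tools call Enforced), modelled as an added Python example that is not part of the original document. The GPO names reuse the page's Human Resources example, but the settings, the site and domain names, the "Screensaver Required" and "Site Proxy" GPOs and the local GPO values are constructed for the example. The model assumes the local GPO is always processed first and is never blocked, and that a No Override link from a less specific container beats one from a more specific container.

```python
"""Model of how Windows resolves GPOs linked at several levels (added example, not page code)."""
from dataclasses import dataclass, field


@dataclass
class Link:
    """A GPO linked to a container; no_override is the link's No Override (Enforced) flag."""
    gpo: str
    settings: dict
    no_override: bool = False


@dataclass
class Container:
    """A site, domain or OU. links is in Group Policy tab order: index 0 is the top of the list."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def resolve(local_gpo, chain):
    """Return (effective settings, GPO names in the order they were applied).

    chain runs from least to most specific: [site, domain, top-level OU, ..., the object's OU].
    Rules taken from the text: Local, Site, Domain, OU order with later settings winning;
    links within one container apply bottom-to-top so the top link wins; Block Inheritance
    drops links from parent containers; No Override links survive blocking and beat links
    on any child container.
    """
    effective = dict(local_gpo)        # the local GPO is processed first and is never blocked
    applied = ["Local GPO"]

    # the most specific container that blocks inheritance cuts off every container above it
    block_from = 0
    for index, container in enumerate(chain):
        if container.block_inheritance:
            block_from = index

    ordinary = []                      # non-enforced links, in LSDOU order
    forced_per_container = []          # enforced links, one list per container, bottom-to-top
    for index, container in enumerate(chain):
        forced = []
        for link in reversed(container.links):   # bottom of the list first, top last
            if link.no_override:
                forced.append(link)
            elif index >= block_from:
                ordinary.append(link)
        forced_per_container.append(forced)

    # No Override links are applied after everything else, least specific container last,
    # so a domain-level No Override beats an OU-level one
    forced_order = [link for per in reversed(forced_per_container) for link in per]

    for link in ordinary + forced_order:
        effective.update(link.settings)
        applied.append(link.gpo)
    return effective, applied


def merge_computer_and_user(computer, user):
    """Where a computer setting and a user setting overlap, the computer setting wins."""
    return {**user, **computer}


# Constructed sample: GPO names follow the page's Human Resources example, settings are invented
HR_OU = Container("Human Resources", links=[
    Link("No ScreenSaver", {"ScreenSaver": "off", "Wallpaper": "corp.bmp"}),       # top, wins
    Link("No Display Settings", {"DisplayCPL": "hidden", "Wallpaper": "blue.bmp"}),
    Link("No Windows Update", {"WindowsUpdate": "disabled"}),                       # bottom, first
])
DOMAIN = Container("example.local", links=[
    Link("Domain Baseline", {"WindowsUpdate": "enabled", "Wallpaper": "default.bmp"}),
    Link("Screensaver Required", {"ScreenSaver": "on"}, no_override=True),
])
SITE = Container("Head Office", links=[Link("Site Proxy", {"Proxy": "proxy.site"})])
LOCAL = {"Proxy": "none", "WindowsUpdate": "enabled"}

if __name__ == "__main__":
    settings, order = resolve(LOCAL, [SITE, DOMAIN, HR_OU])
    print(order)      # Local GPO, Site Proxy, Domain Baseline, then the three HR GPOs, then the No Override link
    print(settings)   # ScreenSaver ends up "on": the domain's No Override link beats the OU's "No ScreenSaver"
```

Setting block_inheritance=True on the Human Resources container drops "Site Proxy" and "Domain Baseline" from the result but leaves "Screensaver Required" in place, which is exactly the exception Q15 describes. Swapping in a real domain's link lists lets an administrator predict which GPO wins before touching the live directory, or explain an unexpected result when troubleshooting.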



Q7 When does the group policy Scripts run

Startup scripts are processed at computer bootup and before the user logs inShutdown scripts are processed after a user logs off but before the computer shuts down

Login scripts are processed when the user logs inLogoff scripts are processed when the user logs off but before the shutdown script runs

Q8 When the group policy gets refreshedapplied

Group Policies can be applied when a computer boots up andor when a user logs in However policies are also refreshed automatically according to a predefined schedule This is called Background Refresh

Background refresh for non DCs (PCs and Member Servers) is every 90 mins with a +- 30 mininterval So the refresh could be 60 90 or 120 mins For DCs (Domain Controllers) background refresh is every 5 minsAlso every 16 hours every PC will request all group policies to be reapplied (user and machine) These settings can be changed under Computer and User Nodes Administrative TemplatesSystem Group Policy

Q9 Which are the policies which does not get affected by background refresh

Policies not affected by background refresh These policies are only applied at logon time

Folder RedirectionSoftware InstallationLogon Logoff Startup Shutdown Scripts

Q9 How to refresh Group Policies suing the command line

Seceditexe is a command line tool that can be used to refresh group policies on a Windows 2000 computer To use secedit open a command prompt and type

secedit refreshpolicy user_policy to refresh the user policiessecedit refreshpolicy machine_policy to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh To force a reload of all group policies regardless of the last change use

secedit refreshpolicy user_policy enforcesecedit refreshpolicy machine_policy enforce

43

Gpupdate.exe is a command-line tool that can be used to refresh group policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

gpupdate /target:user    (refreshes the user policies)
gpupdate /target:computer    (refreshes the machine, or computer, policies)

As with secedit, these parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice that the /force switch applies to both user and computer policies. There is no separation of the two as there is with secedit.

Q10 What is the default setting for dial-up users?

Win2000 considers a slow dial-up link to be anything less than 500 kbps. When a user logs into a domain on a link under 500 kbps, some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies.

Q11 Which policies get applied regardless of the speed of the dial-up connection?

Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12 Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under the Computer and User nodes: Administrative Templates\System\Group Policy.


If the user connects to the domain using "Logon Using Dial-up Connection" from the logon screen, then once the user is authenticated the computer policies are applied first, followed by the user policies.

If the user connects to the domain using Network and Dial-up Connections after they log on, the policies are applied using the standard refresh cycle.

Q13 Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for that domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level.

If you double-click this GPO and drill down to Computer Configuration\Windows Settings\Security Settings\Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU), they are ignored. However, setting these 3 policies at the OU level will have the effect of setting them for users who log on locally to their PCs: log in to the domain and you get the domain policy; log in locally and you get the OU policy.

If you drill down to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, there are 3 policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level, it affects the Domain Administrator account only
Rename Guest Account - when set at the domain level, it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain-level policies, you should create additional domain-level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers. That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally, and so on.


Q14 How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to only restore one or the other:

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

If you've ever made changes to the default GPOs and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:

1 Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.

2 Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.

3 Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.

4 OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. Settings made at the OU level override conflicting settings applied at the domain, local or site level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the highest-level OU in the Active Directory hierarchy are processed first, followed by the next highest-level OU, and so on. If multiple GPOs are linked to a single


Q15 What are the two exceptions that control the inheritance of Group Policy?

No Override: when you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.

Block Inheritance: you can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
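The processing order above (Local, Site, Domain, OU) and the two exceptions in Q15 can be modelled as a small resolver. The following is an added example, not part of the original document: the GPO names, container names and settings are constructed sample data, and the resolver reports which GPO won each setting, which is what you want when troubleshooting an unexpected effective policy.

```python
"""Resolve the effective Group Policy settings for one computer or user.

Added example (not from the original document): it models the Local-Site-
Domain-OU processing order together with the two inheritance exceptions,
No Override and Block Inheritance. All names and settings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]
    no_override: bool = False   # the "No Override" option on the link


@dataclass
class Container:
    """A site, domain or OU with the GPOs linked to it.

    gpos are listed in processing order: a GPO later in the list overrides
    an earlier one, as the administrator controls in the Group Policy tab.
    """
    name: str
    gpos: List[GPO] = field(default_factory=list)
    block_inheritance: bool = False


def resolve_gpos(local: GPO, chain: List[Container]) -> Dict[str, Tuple[object, str]]:
    """Return setting -> (value, name of the GPO that won) for the given chain.

    chain is ordered parent first: [site, domain, top-level OU, ..., leaf OU].
    The local GPO is always processed first; Block Inheritance only affects
    GPOs linked to parent containers in Active Directory.
    """
    inherited: List[GPO] = []   # normal links, in processing order
    enforced: List[GPO] = []    # links carrying No Override, in processing order

    for container in chain:
        if container.block_inheritance:
            # Block Inheritance discards everything inherited from parents,
            # except links whose parent set No Override.
            inherited = []
        for gpo in container.gpos:
            (enforced if gpo.no_override else inherited).append(gpo)

    effective: Dict[str, Tuple[object, str]] = {}

    def apply(gpo: GPO) -> None:
        for key, value in gpo.settings.items():
            effective[key] = (value, gpo.name)   # last writer wins

    apply(local)
    for gpo in inherited:
        apply(gpo)
    # No Override links are applied after all normal links, and among them
    # the one closest to the top of the hierarchy wins, so walk child-to-parent.
    for gpo in reversed(enforced):
        apply(gpo)
    return effective


def sales_workstation(block_inheritance: bool) -> Dict[str, Tuple[object, str]]:
    """Constructed scenario: an HQ site, a corp.example domain and a Sales OU."""
    local = GPO("Local GPO", {"Wallpaper": "local.bmp", "AuditLogonEvents": "Success"})
    site = Container("Site HQ", [GPO("HQ Screen Saver", {"ScreenSaverTimeout": 900})])
    domain = Container("corp.example", [
        # Domain-level password policy; No Override keeps the OU from escaping it.
        GPO("Default Domain Policy", {"MinPasswordLength": 8, "Wallpaper": "corp.bmp"},
            no_override=True),
        GPO("Domain Desktop", {"Wallpaper": "domain.bmp", "DisableCMD": True}),
    ])
    sales = Container("OU=Sales", [
        GPO("Sales Desktop", {"Wallpaper": "sales.bmp", "ScreenSaverTimeout": 600}),
    ], block_inheritance=block_inheritance)
    return resolve_gpos(local, [site, domain, sales])


if __name__ == "__main__":
    for setting, (value, source) in sorted(sales_workstation(True).items()):
        print(f"{setting:20} = {value!r:12} (from {source})")
```

With Block Inheritance on the Sales OU, the site and Domain Desktop settings are dropped, but the No Override Default Domain Policy still wins the Wallpaper and password-length settings.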

Q16 How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts. You can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com

Q17 What permissions should an administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.
Editing GPOs linked to domains requires Domain Administrative permissions.
Editing GPOs linked to OUs requires permissions for the OU.

Q18 What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:

Windows 95/98/Me do not support Group Policy.
Windows NT 4.0 and earlier versions do not support Group Policy.
Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003, but not all. Unsupported settings are ignored.
Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.

48

  • ACTIVE DIRECTORY ndash DNS ndash FSMO ndash GROUP POLICY
  • What Is Active Directory
    • Purpose of Active Directory
    • Functions of Active Directory
    • Sites within Active Directory
      • Operations Master Roles
        • Forest-wide Roles
        • Domain-wide Roles
        • Integration of DNS and Active Directory
          • What Are Active Directory Integrated Zones
            • Active Directory Integrated Zones
              • What Are DNS Zones
                • Types of Zones
                  • Standard Zone
                    • Standard Primary Zone
                    • Standard Secondary Zone
                      • Directory-integrated Zone
                          • DNS Records
Page 44: Interview Based Question AD DNS FSMO GPO

Gpupdateexe is a command line tool that can be used to refresh group policies on a Windows XP computer It has replaced the secedit command To use gpupdate open a command prompt andtype

gpupdate targetuser to refresh the user policiesgpupdate targetmachine to refresh the machine (or computer) policies

As with secedit these parameters will only refresh any user or computer policies that have changed since the last refresh To force a reload of all group policies regardless of the last change use

gpupdate force

Notice the force switch applies to both user and computer policies There is no separation of the two like there is with secedit

Q10 What is the Default Setting for Dial-up users

Win2000 considers a slow dial-up link as anything less than 500kbps When a user logs into a domain on a link under 500k some policies are not applied

Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies

Q11 Which are the policies which get applied regardless of the speed of the dial-up connection

Some policies are always applied regardless of the speed of the dial-up connection These are

Administrative TemplatesSecurity SettingsEFS RecoveryIPSec

Q12 Which are the policies which do not get applied over slow links

IE Maintenance SettingsFolder RedirectionScriptsDisk Quota settingsSoftware Installation and Maintenance

These settings can be changed under Computer and User Nodes Administrative TemplatesSystem Group Policy

44

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen once the user is authenticated the computer policies are applied first followed by the user policies

If the user connects to the domain using Network and Dial-up Connections after they logon the policies are applied using the standard refresh cycle

Q13 Which are the two types of default policies

There are two default group policy objects that are created when a domain is created The Default Domain policy and the Default Domain Controllers policy

Default Domain Policy - this GPO can be found under the group policy tab for that domain It is the first policy listed The default domain policy is unique in that certain policies can only be applied at the domain level

If you double click this GPO and drill down to Computer Configuration Windows Settings Security Settings Account Policies you will see three policies listed

Password PolicyAcount Lockout PolicyKerberos Policy

These 3 policies can only be set at the domain level If you set these policies anywhere else- Site or OU they are ignored However setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs Login to the domain you get the domain policy login locally you get the OU policy

If you drill down to Computer Configuration Windows Settings Security Settings Local Policies Security Options there are 3 policies that are affected by Default Domain Policy

Automatically log off users when logon time expiresRename Adminsitrator Account - When set at the domain level it affects the Domain Administrator account onlyRename Guest Account - When set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above If you want to create additional domain level policies you should create additional domain level GPOsDo not delete the Default Domain Policy You can disable it but it is not recommended

Default Domain Controllers Policy - This policy can be found by right clicking the Domain Controllers OU choosing Properties then the Group Policy tab This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers That is no matter where you put your domain controllers in Active Directory (whatever OU you put them in) they will still process this policy

Use the Default Domain Controllers Policy to set local policies for your domain controllers eg Audit Policies Event Log settings who can logon locally and so on

45

Q14How to restore Group policy setting back to default

The following command would replace both the Default Domain Security Policy and DefaultDomain Controller Security Policy You can specify Domain or DC instead of Both to onlyrestore one or the other

gt dcgpofix targetBoth

Note that this must be run from a domain controller in the target domain where you want to reset the GPO

If youve ever made changes to the default GPOs and would like to revert back to the originalsettings the dcgpofix utility is your solution dcgpofix works with a particular version ofschema If the version it expects to be current is different from what is in Active Directory itnot restore the GPOs You can work around this by using the ignoreschema switch whichrestore the GPO according to the version dcgpofix thinks is current The only time you mightexperience this issue is if you install a service pack on a domain controller (dc1) that extendsschema but have not installed it yet on a second domain controller (dc2) If you try to run

dcgpofix from dc2 you will receive the error since a new version of the schema and thedcgpofix utility was installed on dc1

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer there must be a way of determining how those GPOs are combined GPOs are processed in the following order

1 Local GPO The local GPO on the computer is processed and all settings specified in that GPO are applied

2 Site GPOs GPOs linked to the site in which the computer resides are processed Settings made at this level override any conflicting settings made at the preceding level If multiple GPOs are linked to a site the site administrator can control the order in which those GPOs are processed

3 Domain GPOs GPOs linked to the domain in which the computer resides are processed and any settings are applied Settings made at the domain level override conflicting settings applied at the local or site level Again the administrator can control the processing order when multiple GPOs are linked to the domain4 OU GPOs GPOs linked to any OUs that contain the user or computer object are processed Settings made at the OU level override conflicting settings applied at the domain local or site level It is possible for a single object to be in multiple OUs In this case GPOs linked to the highest level OU in the Active Directory hierarchy are processed first followed by the next highest level OU and so on If multiple GPOs are linked to a single

46

Q15 What are the two exceptions to control the inheritance of the group policy

No Override When you link a GPO to a container you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers This provides a way to force child containers to conform to a particular policy Block Inheritance You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers However if a parent container has the No Override option set the child container cannot block inheritance from this parent

Q16 How to Redirect New User and Computer Accounts

By default new user and computer accounts are created in the Users and Computers containers respectively You cannot link a GPO to either of these built-in containers Even though the built-in containers inherit GPOs linked to the domain you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO Windows Server 2003 includes two new tools that let you redirect the target locationfor new user and computer accounts You can use redirusrexe to redirect user accounts and redircompexe to redirect computer accounts Once you choose the OU for redirection new user and computer accounts are createddirectly in the new target OU where the appropriate GPOs are linked For example you could create an OU named New Users link an appropriate GPO to the OU and then redirect the creation of new-users accounts to the New Users OU Any new users created would immediately be affected by the settings in the GPO Administrators could then move the new user accounts to a more appropriate location later You can find both of these tools in the windirsystem32 folder on any computer running Windows Server 2003 You can learn more about using these tools in Knowledge Base article 324949 ldquoRedirecting the Users and Computers Containers in Windows Server 2003 Domainsrdquo in the Microsoft Knowledge Base at httpsupportmicrosoftcom

Q17 What permissions should a administrator have to manage GPOs

Editing GPOs linked to sites requires Enterprise Administrative permissionsEditing GPOs linked to domains requires Domain AdministrativeEditing GPOs linked to OUs requires permissions for the OU

Q18 What is the client requirement for supporting GPOs

For client computers to accept Group Policy settings they must be members of Active Directory Support for Group Policy for key operating systems includes the following

Windows 9598Me do not support Group Policy Windows NT 40 and earlier versions do not support Group Policy Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003 but not all Unsupported settings are ignored

47

Windows XP Professional Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy

48

  • ACTIVE DIRECTORY ndash DNS ndash FSMO ndash GROUP POLICY
  • What Is Active Directory
    • Purpose of Active Directory
    • Functions of Active Directory
    • Sites within Active Directory
      • Operations Master Roles
        • Forest-wide Roles
        • Domain-wide Roles
        • Integration of DNS and Active Directory
          • What Are Active Directory Integrated Zones
            • Active Directory Integrated Zones
              • What Are DNS Zones
                • Types of Zones
                  • Standard Zone
                    • Standard Primary Zone
                    • Standard Secondary Zone
                      • Directory-integrated Zone
                          • DNS Records
Page 45: Interview Based Question AD DNS FSMO GPO

If the user connects to the domain using Logon Using Dial-up Connection from the logon screen once the user is authenticated the computer policies are applied first followed by the user policies

If the user connects to the domain using Network and Dial-up Connections after they logon the policies are applied using the standard refresh cycle

Q13 Which are the two types of default policies

There are two default group policy objects that are created when a domain is created The Default Domain policy and the Default Domain Controllers policy

Default Domain Policy - this GPO can be found under the group policy tab for that domain It is the first policy listed The default domain policy is unique in that certain policies can only be applied at the domain level

If you double click this GPO and drill down to Computer Configuration Windows Settings Security Settings Account Policies you will see three policies listed

Password PolicyAcount Lockout PolicyKerberos Policy

These 3 policies can only be set at the domain level If you set these policies anywhere else- Site or OU they are ignored However setting these 3 policies at the OU level will have the effect of setting these policies for users who log on locally to their PCs Login to the domain you get the domain policy login locally you get the OU policy

If you drill down to Computer Configuration Windows Settings Security Settings Local Policies Security Options there are 3 policies that are affected by Default Domain Policy

Automatically log off users when logon time expiresRename Adminsitrator Account - When set at the domain level it affects the Domain Administrator account onlyRename Guest Account - When set at the domain level it affects the Domain Guest account only

The Default Domain Policy should be used only for the policies listed above If you want to create additional domain level policies you should create additional domain level GPOsDo not delete the Default Domain Policy You can disable it but it is not recommended

Default Domain Controllers Policy - This policy can be found by right clicking the Domain Controllers OU choosing Properties then the Group Policy tab This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers That is no matter where you put your domain controllers in Active Directory (whatever OU you put them in) they will still process this policy

Use the Default Domain Controllers Policy to set local policies for your domain controllers eg Audit Policies Event Log settings who can logon locally and so on

45

Q14How to restore Group policy setting back to default

The following command would replace both the Default Domain Security Policy and DefaultDomain Controller Security Policy You can specify Domain or DC instead of Both to onlyrestore one or the other

gt dcgpofix targetBoth

Note that this must be run from a domain controller in the target domain where you want to reset the GPO

If youve ever made changes to the default GPOs and would like to revert back to the originalsettings the dcgpofix utility is your solution dcgpofix works with a particular version ofschema If the version it expects to be current is different from what is in Active Directory itnot restore the GPOs You can work around this by using the ignoreschema switch whichrestore the GPO according to the version dcgpofix thinks is current The only time you mightexperience this issue is if you install a service pack on a domain controller (dc1) that extendsschema but have not installed it yet on a second domain controller (dc2) If you try to run

dcgpofix from dc2 you will receive the error since a new version of the schema and thedcgpofix utility was installed on dc1

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer there must be a way of determining how those GPOs are combined GPOs are processed in the following order

1 Local GPO The local GPO on the computer is processed and all settings specified in that GPO are applied

2 Site GPOs GPOs linked to the site in which the computer resides are processed Settings made at this level override any conflicting settings made at the preceding level If multiple GPOs are linked to a site the site administrator can control the order in which those GPOs are processed

3 Domain GPOs GPOs linked to the domain in which the computer resides are processed and any settings are applied Settings made at the domain level override conflicting settings applied at the local or site level Again the administrator can control the processing order when multiple GPOs are linked to the domain4 OU GPOs GPOs linked to any OUs that contain the user or computer object are processed Settings made at the OU level override conflicting settings applied at the domain local or site level It is possible for a single object to be in multiple OUs In this case GPOs linked to the highest level OU in the Active Directory hierarchy are processed first followed by the next highest level OU and so on If multiple GPOs are linked to a single

46

Q15 What are the two exceptions to control the inheritance of the group policy

No Override When you link a GPO to a container you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers This provides a way to force child containers to conform to a particular policy Block Inheritance You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers However if a parent container has the No Override option set the child container cannot block inheritance from this parent

Q16 How to Redirect New User and Computer Accounts

By default new user and computer accounts are created in the Users and Computers containers respectively You cannot link a GPO to either of these built-in containers Even though the built-in containers inherit GPOs linked to the domain you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO Windows Server 2003 includes two new tools that let you redirect the target locationfor new user and computer accounts You can use redirusrexe to redirect user accounts and redircompexe to redirect computer accounts Once you choose the OU for redirection new user and computer accounts are createddirectly in the new target OU where the appropriate GPOs are linked For example you could create an OU named New Users link an appropriate GPO to the OU and then redirect the creation of new-users accounts to the New Users OU Any new users created would immediately be affected by the settings in the GPO Administrators could then move the new user accounts to a more appropriate location later You can find both of these tools in the windirsystem32 folder on any computer running Windows Server 2003 You can learn more about using these tools in Knowledge Base article 324949 ldquoRedirecting the Users and Computers Containers in Windows Server 2003 Domainsrdquo in the Microsoft Knowledge Base at httpsupportmicrosoftcom

Q17 What permissions should a administrator have to manage GPOs

Editing GPOs linked to sites requires Enterprise Administrative permissionsEditing GPOs linked to domains requires Domain AdministrativeEditing GPOs linked to OUs requires permissions for the OU

Q18 What is the client requirement for supporting GPOs

For client computers to accept Group Policy settings they must be members of Active Directory Support for Group Policy for key operating systems includes the following

Windows 9598Me do not support Group Policy Windows NT 40 and earlier versions do not support Group Policy Windows 2000 Professional and Server support many of the Group Policy settings available in Windows Server 2003 but not all Unsupported settings are ignored

47

Windows XP Professional Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy

48

  • ACTIVE DIRECTORY ndash DNS ndash FSMO ndash GROUP POLICY
  • What Is Active Directory
    • Purpose of Active Directory
    • Functions of Active Directory
    • Sites within Active Directory
      • Operations Master Roles
        • Forest-wide Roles
        • Domain-wide Roles
        • Integration of DNS and Active Directory
          • What Are Active Directory Integrated Zones
            • Active Directory Integrated Zones
              • What Are DNS Zones
                • Types of Zones
                  • Standard Zone
                    • Standard Primary Zone
                    • Standard Secondary Zone
                      • Directory-integrated Zone
                          • DNS Records
Page 46: Interview Based Question AD DNS FSMO GPO

Q14How to restore Group policy setting back to default

The following command would replace both the Default Domain Security Policy and DefaultDomain Controller Security Policy You can specify Domain or DC instead of Both to onlyrestore one or the other

gt dcgpofix targetBoth

Note that this must be run from a domain controller in the target domain where you want to reset the GPO

If youve ever made changes to the default GPOs and would like to revert back to the originalsettings the dcgpofix utility is your solution dcgpofix works with a particular version ofschema If the version it expects to be current is different from what is in Active Directory itnot restore the GPOs You can work around this by using the ignoreschema switch whichrestore the GPO according to the version dcgpofix thinks is current The only time you mightexperience this issue is if you install a service pack on a domain controller (dc1) that extendsschema but have not installed it yet on a second domain controller (dc2) If you try to run

dcgpofix from dc2 you will receive the error since a new version of the schema and thedcgpofix utility was installed on dc1

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer there must be a way of determining how those GPOs are combined GPOs are processed in the following order

1 Local GPO The local GPO on the computer is processed and all settings specified in that GPO are applied

2 Site GPOs GPOs linked to the site in which the computer resides are processed Settings made at this level override any conflicting settings made at the preceding level If multiple GPOs are linked to a site the site administrator can control the order in which those GPOs are processed

3 Domain GPOs GPOs linked to the domain in which the computer resides are processed and any settings are applied Settings made at the domain level override conflicting settings applied at the local or site level Again the administrator can control the processing order when multiple GPOs are linked to the domain4 OU GPOs GPOs linked to any OUs that contain the user or computer object are processed Settings made at the OU level override conflicting settings applied at the domain local or site level It is possible for a single object to be in multiple OUs In this case GPOs linked to the highest level OU in the Active Directory hierarchy are processed first followed by the next highest level OU and so on If multiple GPOs are linked to a single

46

Q15 What are the two exceptions to control the inheritance of the group policy

No Override When you link a GPO to a container you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers This provides a way to force child containers to conform to a particular policy Block Inheritance You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers However if a parent container has the No Override option set the child container cannot block inheritance from this parent

Q16 How do you redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers containers respectively. You cannot link a GPO to either of these built-in containers. Even though the built-in containers inherit GPOs linked to the domain, you may have a situation that requires user and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: redirusr.exe redirects user accounts and redircmp.exe redirects computer accounts. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU, where the appropriate GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO, and administrators could move the accounts to a more appropriate location later. Both tools are found in the %windir%\System32 folder on any computer running Windows Server 2003. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains", in the Microsoft Knowledge Base at http://support.microsoft.com.
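The redirection procedure above, carried through end to end with a verification step, as an added example that is not part of the original document. It assumes a domain example.com, OUs named New Users and New Computers, an existing GPO named NewAccount-Baseline, the RSAT ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 or later, which still ship redirusr.exe and redircmp.exe), and a Domain Admin session on a domain-joined machine; none of those names come from the page. The check at the end reads the domain's wellKnownObjects attribute, which is where the two tools record the new default containers.

```powershell
# Added example (not from the original document): redirect new user and
# computer accounts to OUs that carry GPO links, then verify the change.
# Assumed names: domain example.com, OUs 'New Users' / 'New Computers',
# GPO 'NewAccount-Baseline'. Requires the ActiveDirectory and GroupPolicy
# modules and Domain Admin rights.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
# Well-known container GUIDs as stored in wellKnownObjects (Users / Computers).
$targets  = @{
    Users     = @{ OU = "OU=New Users,$domainDN";     Tool = 'redirusr.exe'; Guid = 'A9D1CA15768811D1ADED00C04FD8D5CD' }
    Computers = @{ OU = "OU=New Computers,$domainDN"; Tool = 'redircmp.exe'; Guid = 'AA312825768811D1ADED00C04FD8D5CD' }
}

# redirusr/redircmp need at least the Windows Server 2003 domain functional level.
if ("$($domain.DomainMode)" -in 'Windows2000Domain', 'Windows2003InterimDomain') {
    throw "Domain functional level $($domain.DomainMode) is too low; raise it first."
}

foreach ($kind in $targets.Keys) {
    $t      = $targets[$kind]
    $ouName = ($t.OU -split ',', 2)[0] -replace '^OU=', ''

    # 1. Create the OU if it is missing and link the baseline GPO to it.
    try   { $null = Get-ADOrganizationalUnit -Identity $t.OU -ErrorAction Stop }
    catch { New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true }
    $linked = (Get-GPInheritance -Target $t.OU).GpoLinks | Where-Object { $_.DisplayName -eq 'NewAccount-Baseline' }
    if (-not $linked) { $null = New-GPLink -Name 'NewAccount-Baseline' -Target $t.OU -LinkEnabled Yes }

    # 2. Redirect. Both tools take the target OU's distinguished name.
    & "$env:windir\System32\$($t.Tool)" $t.OU
    if ($LASTEXITCODE -ne 0) { throw "$($t.Tool) failed with exit code $LASTEXITCODE" }
}

# 3. Verify from the directory itself: the domain head's wellKnownObjects
#    attribute maps each well-known container GUID to its current location,
#    as "B:32:<GUID>:<DN>".
$wko = (Get-ADObject -Identity $domainDN -Properties wellKnownObjects).wellKnownObjects
foreach ($kind in $targets.Keys) {
    $t       = $targets[$kind]
    $entry   = $wko | Where-Object { $_ -like "B:32:$($t.Guid):*" }
    $current = ($entry -split ':', 4)[3]
    if ($current -ne $t.OU) { throw "$kind default container is still $current" }
    Write-Host "$kind now default to $current"
}

# 4. End-to-end check: an account created without -Path must land in the new
#    OU and therefore under the linked GPO. The probe user is created disabled
#    and removed again.
$probe = 'gpo-redirect-probe'
New-ADUser -Name $probe -Enabled $false
$dn = (Get-ADUser -Identity $probe).DistinguishedName
Remove-ADUser -Identity $probe -Confirm:$false
if ($dn -ne "CN=$probe,$($targets.Users.OU)") { throw "Probe user landed in $dn instead of the redirected OU" }
Write-Host "Probe user was created in $dn"
```

Two practical points: the redirection is a domain-wide change written to the domain naming context, so it affects every tool and script that creates accounts without an explicit path (including computer accounts created by domain joins), and the built-in Users and Computers containers keep their existing contents and ACLs; redirecting only changes where new objects go. Step 3 is the check to keep in an audit script, because a later redirect back to the default containers leaves no trace other than that attribute.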

Q17 What permissions does an administrator need to manage GPOs?

Editing GPOs linked to sites requires Enterprise Admins permissions (site objects live in the forest-wide Configuration partition). Editing GPOs linked to domains requires Domain Admins permissions. Editing GPOs linked to OUs requires the appropriate permissions on that OU, which can be delegated to a non-administrator. Note that linking a GPO to a container (the Link GPOs permission on the site, domain or OU) and editing the GPO's own settings (Edit permission on the GPO object itself) are separate permissions, so an OU administrator who can link GPOs to his OU cannot necessarily change the contents of a domain-level GPO.

Q18 What are the client requirements for supporting GPOs?

For client computers to accept Group Policy settings they must be members of an Active Directory domain. Support for Group Policy by operating system:

Windows 95/98/Me: do not support Group Policy.

Windows NT 4.0 and earlier: do not support Group Policy (they use System Policy instead).

Windows 2000 Professional and Server: support many, but not all, of the Group Policy settings available in Windows Server 2003. Unsupported settings are ignored by the client.

Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003: fully support Group Policy.
