Notes: EPS - Basic Questions - Rahul Dhongade


1) What is Active Directory

Active Directory is a directory service used to store information about the network resources across a domain. An Active Directory (AD) structure is a hierarchical framework of objects. The objects fall into three broad categories - resources (e.g. printers), services (e.g. e-mail), and users (accounts, or users and groups). The AD provides information on the objects, organizes the objects, controls access, and sets security.

2) What are FSMO Roles? Explain each role

Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact. For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model

To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.

In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it does not contain any references to objects that it does not hold: a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

3) Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

4) What is a Global Catalog

The Global Catalog (GC) has two primary functions. First, it acts as a domain controller that stores object data and manages queries about objects and their most common attributes (called the Global Catalog Partial Attribute Set, or PAS). Second, it provides data that permits network logon. In single domain controller environments, the Active Directory and GC reside on the same server. Where multiple domain controllers exist, as we discuss later, it is often advisable to move the GC to its own dedicated domain controller. All domain trees have a GC, and it must reside on a domain controller.

5) What are Group Policies

Group policies are used by administrators to configure and control user environment settings. Group Policy Objects (GPOs) are used to configure group policies, which are applied to sites, domains, and organizational units (OUs).

6) What is the difference between a Domain and Workgroup

Windows has two modes of operation - Workgroup and Domain. Depending on the environment that your computer is in, you will be running in one of these two modes. Most home and small business environments will be Workgroup, and most mid- to large businesses will run in domain mode. There are different features and capabilities depending on each, and each serves a purpose.

Workgroups can be best understood as a loosely connected group of computers. They rely on each other for nothing, but they are there to share resources should the need arise. There is no centralized management and so there is a low barrier to use. By default, Windows XP is in this mode. Domains, on the other hand, provide centralized management and security.
User access is controlled from a separate server called a domain controller and there is a trust built between systems in a domain. There are much more robust differences as well.

Workgroup

A workgroup is best understood as a peer-to-peer network. That is, each computer is sustainable on its own. It has its own user list, its own access control and its own resources. In order for a user to access resources on another workgroup computer, that exact user must be set up on the other computer. In addition, workgroups offer little security outside of basic access control. Windows share permissions are very basic and do not offer any kind of granularity for who can access what. Workgroups are more than adequate, though, for most small business and home use.

Domain

A domain is a trusted group of computers that share security and access control and have data passed down from a centralized domain controller server or servers. Domain Controllers handle all aspects of granting users permission to log in. They are the gatekeeper. In addition, most modern domains use Active Directory, which allows an even more centralized point for software distribution, user management and computer controls.

7) What is the relationship between a tree and a forest

Forests, trees, and domains

The framework that holds the objects is viewed at a number of levels. At the top of the structure is the Forest - the collection of every object, its attributes and rules (attribute syntax) in the AD. The forest holds one or more transitive, trust-linked Trees. A tree holds one or more Domains and domain trees, again linked in a transitive trust hierarchy. Domains are identified by their DNS name structure, the namespace. A domain has a single DNS name.

The objects held within a domain can be grouped into containers called Organizational Units (OUs). OUs give a domain a hierarchy, ease its administration, and can give a semblance of the structure of the AD's company in organizational or geographical terms. OUs can contain OUs - indeed, domains are containers in this sense - and can hold multiple nested OUs. Microsoft recommends as few domains as possible in AD and a reliance on OUs to produce structure and improve the implementation of policies and administration. The OU is the common level at which to apply group policies, which are AD objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the lowest level at which administrative powers can be delegated.
As a further subdivision, AD supports the creation of Sites, which are physical, rather than logical, groupings defined by one or more IP subnets. Sites distinguish between locations connected by low-speed (e.g. WAN, VPN) and high-speed (e.g. LAN) connections. Sites can contain one or more domains and domains can contain one or more sites. This is important to control network traffic generated by replication.

The actual division of the company's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business, by geographical location, or by IT roles. These models are also often used in combination.
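Looking back at the RID master answer earlier in these notes (question 3), the following Python model is an added illustration, not code from the notes: two DCs create principals from their own RID pools, ask the single RID master for a fresh block when the pool runs low, and compose each SID as the domain SID plus the RID, so no two principals in the domain ever receive the same SID. The domain SID, the pool size of 5 and the low-water mark of 2 are constructed values, not Windows defaults.

```python
# Added model (not code from the notes) of RID pool allocation as the RID master
# answer describes it. Domain SID, pool size and low-water mark are constructed
# values, not Windows defaults.
class RidMaster:
    """The single DC per domain that hands out blocks of RIDs from the
    domain's unallocated pool; a block is never issued twice."""

    def __init__(self, domain_sid, pool_size=5):
        self.domain_sid = domain_sid
        self.pool_size = pool_size
        self.next_unallocated = 1000    # constructed start of the free pool
        self.grants = []                # (dc_name, first_rid, last_rid) log

    def request_pool(self, dc_name):
        first = self.next_unallocated
        last = first + self.pool_size - 1
        self.next_unallocated = last + 1
        self.grants.append((dc_name, first, last))
        return list(range(first, last + 1))


class DomainController:
    """Any DC creates principals, but only from RIDs its RID master granted."""

    def __init__(self, name, rid_master, low_water=2):
        self.name = name
        self.rid_master = rid_master
        self.low_water = low_water      # threshold that triggers a new request
        self.rid_pool = []

    def create_principal(self):
        if len(self.rid_pool) <= self.low_water:
            # Pool fell below the threshold: ask the RID master for more.
            self.rid_pool += self.rid_master.request_pool(self.name)
        rid = self.rid_pool.pop(0)
        # The SID is the domain SID (shared by the whole domain) plus the RID.
        return f"{self.rid_master.domain_sid}-{rid}"


def split_sid(sid):
    """Split an account SID into the two parts the notes name: domain SID, RID."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def demo(accounts_per_dc=6):
    """Two DCs creating principals in turn; returns the master and all SIDs."""
    master = RidMaster("S-1-5-21-1111111111-2222222222-3333333333")  # constructed
    dcs = [DomainController("DC01", master), DomainController("DC02", master)]
    sids = []
    for _ in range(accounts_per_dc):
        for dc in dcs:
            sids.append(dc.create_principal())
    return master, sids


if __name__ == "__main__":
    master, sids = demo()
    print(master.grants)
    print(sorted(sids))
```

The grant log shows each DC receiving non-overlapping blocks, which is the property the single-master RID role exists to guarantee.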

8) What is the file name of Active Directory and where is it stored

File name: NTDS.DIT
Location: %SystemRoot%\ntds

9) What are the different types of backups? Explain them

The Backup utility supports five methods of backing up data on your computer or network.

Copy backup

A copy backup copies all the files you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental backups because copying does not affect these other backup operations.

Daily backup

A daily backup copies all the files that you select that have been modified on the day the daily backup is performed. The backed-up files are not marked as having been backed up (in other words, the archive attribute is not cleared).

Differential backup

A differential backup copies files that have been created or changed since the last normal or incremental backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup.

Incremental backup

An incremental backup backs up only those files that have been created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). If you use a combination of normal and incremental backups, you will need to have the last normal backup set as well as all incremental backup sets to restore your data.

Normal backup

A normal backup copies all the files you select and marks each file as having been backed up (in other words, the archive attribute is cleared). With normal backups, you only need the most recent copy of the backup file or tape to restore all of the files. You usually perform a normal backup the first time you create a backup set.

Backing up your data using a combination of normal backups and incremental backups requires the least amount of storage space and is the quickest backup method. However, recovering files can be time-consuming and difficult because the backup set might be stored on several disks or tapes. Backing up your data using a combination of normal backups and differential backups is more time-consuming, especially if your data changes frequently, but it is easier to restore the data because the backup set is usually stored on only a few disks or tapes.
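An added Python model (not from the notes) of the archive attribute behaviour described above: it runs a normal backup followed by three days of constructed edits under the incremental and the differential scheme, then works out which backup sets a full restore needs, which is where the two restore rules quoted above come from. File names and the edit schedule are constructed.

```python
# Added example (not part of the notes): a small model of the archive attribute
# ("backed up" mark) that the five backup methods in the notes set or leave alone.
from dataclasses import dataclass


@dataclass
class File:
    name: str
    archive: bool = True   # Windows sets this when a file is created or changed
    modified_on: int = 0   # constructed "day number" of the last change


def run_backup(files, kind, today=0):
    """Return the names a backup of `kind` copies, clearing the archive bit
    only for the kinds the notes say mark files as backed up."""
    if kind in ("normal", "copy"):
        selected = list(files)                              # all selected files
    elif kind in ("incremental", "differential"):
        selected = [f for f in files if f.archive]          # changed since last clear
    elif kind == "daily":
        selected = [f for f in files if f.modified_on == today]
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    if kind in ("normal", "incremental"):                   # these two clear the bit
        for f in selected:
            f.archive = False
    return {f.name for f in selected}


def touch(files, name, day):
    """Simulate an edit: Windows re-sets the archive bit on the changed file."""
    for f in files:
        if f.name == name:
            f.archive, f.modified_on = True, day


def simulate(strategy):
    """Day 0: normal backup. Days 1-3: constructed edits followed by a backup of
    `strategy` ("incremental" or "differential"). Returns {day: names copied}."""
    files = [File("a.doc"), File("b.xls"), File("c.txt")]
    sets = {0: run_backup(files, "normal")}
    edits = {1: ["a.doc"], 2: ["b.xls"], 3: ["a.doc"]}
    for day, names in edits.items():
        for n in names:
            touch(files, n, day)
        sets[day] = run_backup(files, strategy, day)
    return sets


def sets_needed_to_restore(sets):
    """Days whose backup set holds the newest copy of some file: the last
    normal plus whichever later sets the restore cannot do without."""
    newest = {}
    for day in sorted(sets):
        for name in sets[day]:
            newest[name] = day
    return sorted(set(newest.values()))


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sets = simulate(strategy)
        print(strategy, sets, "restore needs days", sets_needed_to_restore(sets))
```

The differential sets grow day by day because the archive bit is never cleared, so the last one alone (plus the normal) restores everything, whereas each incremental holds only that day's changes.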

10) What is the difference between NTFS and FAT file system

FAT (file allocation table) is ancient in computer terms. Because of its age, most operating systems, including Windows NT, Windows 98, MacOS, and some versions of UNIX, offer support for FAT. Microsoft created the new technology file system (NTFS) to compensate for the features it felt FAT lacked. These features include increased fault tolerance, enhanced security, and so on.

Compatibility

Before you decide which type of file system to use on a partition, you must consider compatibility. If multiple operating systems will access the partition, you must use a file system that all operating systems can read. Usually, this means using FAT, because of its universal compatibility. Only Windows NT supports NTFS partitions. Keep in mind, however, that this limitation applies only to the local machine. For example, if Windows NT and Windows 98 are loaded on the same machine and both operating systems require access to a common partition, you must format that partition as FAT. However, if Windows NT is the only operating system on the PC, you can format the partition as NTFS, even if computers running other operating systems will access the partition across the network.

Volume size

Another determining factor is the physical size of your partition. FAT supports partition sizes only up to 2 GB. If your partition size is larger than 2 GB, you must either format it as NTFS or break it into smaller partitions. Keep in mind that NTFS has more overhead than FAT. If your partition size is smaller than 200 MB, you should use FAT to avoid losing a major chunk of disk space to the overhead associated with NTFS. The maximum size of an NTFS partition is 16 EB (exabytes; an exabyte is 2^64 bytes, or 1,024 terabytes).

Fault tolerance

Once you've considered your partition size and compatibility issues, you have some flexibility in determining which file system is right for you. When making this decision, you should consider fault tolerance. Windows NT offers software support for several alternate disk-access methods that increase speed and/or fault tolerance. These options include disk striping and disk striping with parity. Many of these options require NTFS. If you're planning to use a hardware-based stripe set, you can use either file system.

Even without these advanced fault-tolerant options, NTFS includes built-in fault-tolerant capabilities well beyond the capabilities of FAT. For example, when NTFS writes a change to the hard disk, it makes a record of the change in a log file. In the event of a power failure or a disk error, Windows NT can use these log files to repair your data. NTFS also repairs hard disk errors automatically without displaying an error message. When Windows NT writes a file to an NTFS partition, it keeps a copy of the file in memory. It then reads back the file to make sure it matches the copy stored in memory. If the copies don't match, Windows NT marks that section of the hard disk as corrupted and won't try to use it again. It then uses the copy of the file stored in memory to rewrite the file to an alternate location on the hard disk. The FAT file system doesn't offer any of these safety features. While FAT does maintain two copies of the file allocation table, in case one copy is damaged, it's incapable of automatically fixing errors. Instead, you must run a utility such as Scandisk.

Security

As we mentioned before, NTFS has a built-in security system. You can grant various permissions to directories and to individual files. These permissions protect files and directories locally and remotely. For example, if someone were to sit down at a PC containing restricted files, NTFS would protect those files. If you're using FAT, you're dependent on share permissions for security. Share permissions will protect a file across the network, but they offer no local protection. A person trying to access restricted files could simply sit down at the local PC and gain full access to these files. Another disadvantage to share permissions is that they can be messy to manage. Suppose you have hundreds of users on a server, each with his or her own directories. You could potentially end up with hundreds of shares, and some of them may overlap, which creates additional complications.

File compression

Another advantage to NTFS is its native support for file compression. NTFS compression is much better than its predecessors. It offers you the chance to compress individual files and directories of your choice. Because it compresses individual files, a minor hard disk problem won't foul up your compression scheme and make you lose everything. Compressing individual files and directories also lets you limit compression to seldom-used files. By doing so, you won't slow your operating system by making it decompress files each time it needs to access them.

The system partition

This article may seem to say that NTFS is superior to FAT and that unless you have a small partition or need compatibility with other operating systems, you should always use NTFS. However, this isn't the case. As we mentioned earlier, NTFS partitions are accessible only via Windows NT. If you have a fatal error with Windows NT, you can't simply boot a system disk to a command prompt and fix a problem on an NTFS partition. To get around this problem, Microsoft recommends installing a second copy of Windows NT on your hard disk and using this copy to repair problems that occur on NTFS partitions. Unfortunately, this method has some serious drawbacks. For starters, a second copy of Windows NT could consume up to 150 MB, depending on which options you choose to load. Second, during the boot process, both copies share common files. Therefore, if your system partition (the partition your PC boots from) is formatted as NTFS and has a problem, you may not be able to boot either copy of Windows NT to fix the problem. While you may think the odds of a system partition error are slim, remember that many changes you might make to your disk partitions result in having to manually update the Boot.ini file. If you incorrectly update this file, Windows NT will become unbootable. Since this is an initial boot file on the system partition, every installed copy of Windows NT would share this file.

A better solution is to format your system partition as FAT. If you're concerned about security, simply make the system partition small and don't place anything other than the Windows NT system files on it. Remember, a FAT partition is safe from a security standpoint as long as no unauthorized person has physical access to the machine.

11) Converting to NTFS

If you've read this article and wish you could use NTFS on some of your partitions that already contain data, you can easily convert a partition to NTFS. To do so, open an MS-DOS Prompt window and type the following command:

CONVERT drive: /FS:NTFS

For example, if you want to convert your D drive to NTFS, you'd replace the word drive with the letter D, as follows:

CONVERT D: /FS:NTFS

12) How do you install Active Directory

Procedure: To install Active Directory on Windows Server 2003

1. Click Start, click Run, type dcpromo, and then click OK.
2. On the first page of the Active Directory Installation Wizard, click Next.

Note: If this is the first time you have installed Active Directory, you can click Active Directory Help to learn more about Active Directory before clicking Next.