Win Admin interview question
Can I deploy non-MSI software with GPO? Yes, you can. Apart from MSI packages, GPO also supports deployment of ZAP files.
How frequently is the client policy refreshed? By default, group policy is updated in the background every 90 minutes. You can specify an update rate from 0 to 44,640 minutes (31 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.
The refresh interval can be configured manually using group policy: GPO --> Computer Configuration --> Administrative Templates --> System --> Group Policy --> Set Group Policy refresh interval for Computers
How do Group Policy No Override and Block Inheritance work? No Override - Prevents child containers from overriding policies set at higher levels.
Block Inheritance - Stops containers from inheriting policies from parent containers.
Why can't you restore a DC that was backed up 4 months ago? The reason is 'Tombstoning'. If a domain controller is restored from a backup that is older than the tombstone lifetime, the domain controller might contain deleted objects, and because the tombstones have already been deleted from the replicas, the deletion event does not replicate to the restored domain controller. This is why Backup does not allow you to restore data from a backup that is older than the tombstone lifetime.
More details about tombstoning: http://www.systemadminguide.in/2013/11/active-directory-tombstone.html
I want to look at the RID allocation table for a DC. What do I do? Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options. Microsoft Identity Integration Server (MIIS)
Forefront Identity Manager (FIM)
Can you explain the Netlogon service? The Netlogon service helps clients and servers to connect to the domain.
What is urgent replication in AD? Normally, a change on a DC (say DC1) is notified to its replication partner (say DC2) after 15 seconds. Once the change is notified, DC2 makes the change in its database. DC2 then notifies its own replication partner after another 15 seconds. In a multi-site setup, this 15-second delay at every hop adds up to a big delay for the final recipient DC. If the change was an 'Account Lock Out', this delay would be a pain. Here comes urgent notification: it bypasses the change notification delay and processes the change immediately across all DCs.
How to migrate the AD database to another location? (from C:\AD to D:\AD)
First, stop the Active Directory Domain Services
Open Command Prompt with Admin privilege
Run the ntdsutil tool
In the ntdsutil prompt, type Activate instance ntds
Then type files
In the next prompt (file maintenance), type move db to D:\AD
Once the database is moved, move the logs using the command move logs to D:\AD
Once completed, start the Active Directory Domain Services
What is the schema version of Windows 2008 R2? See the list below.
Windows 2003 R2 - 31
Windows 2008 - 44
Windows 2008 R2 - 47
Windows 2012 - 56
Windows 2012 R2 - 69
What's the number of permitted unsuccessful logons for the Administrator account? Unlimited - only for the built-in Administrator account, not for other members of the Administrators group.
Difference between Everyone and Authenticated Users? Authenticated Users - Includes all users and computers whose identities have been authenticated.
Everyone - For Windows 2003 and above, 'Everyone' includes all Authenticated Users and Guest accounts. Before Windows 2003, 'Everyone' included all Authenticated Users, Guest accounts and the Anonymous account.
How many passwords by default are remembered when you check Enforce Password History Remembered? 24
What is the IP helper address feature and why is it required in a DHCP environment? The ip helper-address command implements a DHCP relay agent on Cisco routers.
It is configured on the router interface that faces the DHCP clients.
The IP helper address intercepts the DHCP discover broadcast from the client and unicasts it to the DHCP server after adding 'Option 82'.
With the help of Option 82, the DHCP server identifies the client's network and assigns an IP from that network.
What are FRS and DFS-R? File Replication Service (FRS), introduced in Windows 2000 Server, replicates DFS and the SYSVOL folder on DCs. FRS is no longer used in new versions.
Distributed File System Replication (DFS-R), introduced in Windows 2008 R2, came out as a replacement for FRS for replicating DFS and SYSVOL.
What are Group Policy Preferences? Group Policy Preferences are a set of new settings, released with Windows 2008, that let IT administrators configure almost anything they need in a corporate environment.
What is the use of LDP.exe? It is part of the Windows Support Tools and lets you run LDAP queries against Active Directory.
How to replace a failed RAID controller? This depends on the type of controller used. If you are using a modern RAID controller and replace it with the same model, the RAID should work without any issues, as the RAID configuration (metadata) is stored on the disks of the array. But you should ensure that you use the same model from the vendor, or a model that is compatible with the failed controller.
What is the difference between RAID 1 and RAID 5? RAID 1 - Mirroring - This RAID configuration gives you maximum redundancy, as the same data is written to two disks at a time. But this solution is costly, as you always need double the disks you actually require. Minimum 2 disks required.
RAID 5 - This is the most popular RAID configuration. It works on the parity principle. Minimum 3 disks required. Even if one disk fails, the data of the failed disk can be calculated from the parity stored on the other 2 disks.
In RAID 5, which activity is faster - Read or Write? Good read performance but slower write operations due to the parity calculation.
RAID 0 and RAID 1 have excellent read and write performance.
Can we set up an AD site without a DC? Yes.
What is DAS? How is it connected to the server? DAS is Direct Attached Storage, available from many vendors. When a server has exhausted all its storage resources, we can connect a DAS solution to it. DAS is connected to a server using a SAS cable.
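The parity principle behind RAID 5, and the write penalty that makes RAID 5 writes slower than reads, as an added Python model that is not part of the original notes; the disk contents are constructed sample data:

```python
# Added example (not from the original notes): a byte-level model of RAID 5 parity,
# showing why a failed disk can be rebuilt from the survivors and why a small write
# costs more disk operations than a mirrored write. Disk contents are constructed.


def xor_blocks(blocks):
    """XOR equal-length byte blocks; this is the parity chunk of a RAID 5 stripe."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_layout(stripes, n_disks):
    """Place data chunks on n_disks with parity rotating across the disks.

    stripes: list of stripes, each a list of n_disks - 1 data chunks.
    Returns disks[d][s] = chunk stored on disk d for stripe s.
    """
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    disks = [[None] * len(stripes) for _ in range(n_disks)]
    for s, chunks in enumerate(stripes):
        assert len(chunks) == n_disks - 1
        parity_disk = (n_disks - 1 - s) % n_disks   # parity moves one disk per stripe
        data = iter(chunks)
        for d in range(n_disks):
            disks[d][s] = xor_blocks(chunks) if d == parity_disk else next(data)
    return disks


def rebuild_disk(disks, failed):
    """Reconstruct every chunk of the failed disk: XOR of the surviving chunks."""
    survivors = [disk for d, disk in enumerate(disks) if d != failed]
    return [xor_blocks([disk[s] for disk in survivors]) for s in range(len(survivors[0]))]


def read_stripe(disks, s, failed=None):
    """Return the data chunks of stripe s in order, even while one disk is down
    (a degraded read recomputes the missing chunk from the others)."""
    n_disks = len(disks)
    parity_disk = (n_disks - 1 - s) % n_disks
    chunks = [None if d == failed else disks[d][s] for d in range(n_disks)]
    if failed is not None:
        chunks[failed] = xor_blocks([c for d, c in enumerate(chunks) if d != failed])
    return [c for d, c in enumerate(chunks) if d != parity_disk]


def small_write_ios(level):
    """Disk operations to update one chunk: RAID 5 reads the old data and old
    parity, then writes new data and new parity (the write penalty); RAID 1
    writes both mirrors; RAID 0 writes once."""
    return {"raid0": 1, "raid1": 2, "raid5": 4}[level]


# Constructed sample data: three stripes of two 4-byte data chunks each (3-disk array).
SAMPLE_STRIPES = [
    [b"AAAA", b"BBBB"],
    [b"CCCC", b"DDDD"],
    [b"EEEE", b"FFFF"],
]

if __name__ == "__main__":
    disks = raid5_layout(SAMPLE_STRIPES, 3)
    original = list(disks[1])
    disks[1] = None                                     # disk 1 fails
    print("degraded read of stripe 0:", read_stripe(disks, 0, failed=1))
    disks[1] = rebuild_disk(disks, 1)                   # rebuilt onto a replacement disk
    print("rebuild matches original:", disks[1] == original)
    print("disk ops per small write: RAID 1 =", small_write_ios("raid1"),
          "RAID 5 =", small_write_ios("raid5"))
```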
How is an iSCSI device connected to a server? An iSCSI device is connected using its IQN (iSCSI Qualified Name).
How can I add new HDD space to an existing drive ? Convert the drive from Basic to Dynamic
What happens when a standalone host is taken into maintenance mode? The operation waits until all VMs are shut down.
What if all GCs in the environment are down? GC is required for multi-domain forests - in a single-domain infrastructure, the DCs do not contact the GC for authentication. But in a multi-domain infrastructure, the GC is required for authentication.
Universal Group Membership evaluation - Universal group membership, which exists in multi-domain forests, works only with a GC.
UPN resolution - Users cannot log in to the domain using a UPN such as user@domain.com
How to update Dell server BIOS? Dell provides the update in different file formats: one for Windows, one for Linux... If it is a VMware server, download the Non-Packaged .exe format from the Dell website and copy it to a DOS-bootable USB drive. Shut down the server, boot from the USB drive and execute the file.
DSET - Dell Server E-Support Tool (DSET) provides the ability to collect hardware, storage and operating system information from Dell PowerEdge servers.
How to upgrade ESXi 5.1 to ESXi 5.5 ? Using vSphere update manager
Upgrade interactively using the ESXi installer ISO image on CD/DVD or Flash drive
Using vSphere Auto Deploy
Using esxcli command-line interface
Maximum number of LUNs that can be attached to a host (ESXi 5.0): 256
Maximum number of vCPUs that can be assigned to a VM (ESXi 5.0): 32
What are the uses of the ntdsutil tool? Some of the main uses of ntdsutil:
Authoritative Restore - Authoritatively restores the Active Directory database or an AD LDS instance
ifm - Create installation media for writable and RODC setups (Offline DC provisioning)
metadata cleanup - Cleans up objects of decommissioned servers
roles - Transfers and seizes operations master roles
set DSRM password - Resets DSRM administrator password
snapshot - Manages snapshots of the volumes that contain the Active Directory database and log files
FSMO roles and their failure scenarios: http://www.systemadminguide.in/2013/07/fsmo-roles-in-nutshell.html
IPv6 addresses and their DNS record
128-bit address
Represented as 8 groups of 4 hexadecimal digits separated by colons
Represented by an AAAA record in DNS
Uses DHCPv6 for addressing
Load balancer vs Clustering
Clustering: A cluster is a group of resources that are trying to achieve a common objective and are aware of one another.
Clustering usually involves setting up the resources (usually servers) to exchange details on a particular channel (port) and keep exchanging their states, so a resource's state is replicated at other places as well.
It usually also includes load balancing, wherein the request is routed to one of the resources in the cluster as per the load balancing policy.
Load Balancing: Used to forward requests to either one server or another, but one server does not use the other server's resources. Also, one resource does not share its state with other resources.
Software installation using group policy
This can be done using 2 methods: Assigning and Publishing.
Assign: If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is completed.
If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is completed.
Publish: You can publish a program distribution to users.
When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.
MSI packages are used for installation. A normal .exe would not work.
Windows cannot install the software while the user is already logged on. The user needs to log off and log in again.
Group policy security filtering for users. Which users are in there by default? Members of the Authenticated Users group.
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO).
In order for the GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy (AGP) permissions on the GPO, either explicitly or effectively through group membership.
By default, all GPOs have Read and AGP both allowed for the Authenticated Users group.
The Authenticated Users group includes both users and computers. This is how all authenticated users receive the settings of a new GPO when it is applied to an organizational unit, domain or site.
Relevance of the hosts file and its location
Came before the concept of DNS
An FQDN is first checked in the hosts file
Location: C:\Windows\System32\Drivers\etc
L3 switch vs Routers
L3 switches have only Ethernet ports, whereas routers have WAN interfaces
QoS is not available on L3 switches, whereas on routers it can be enabled
Routers have expansion slots and cards that allow them to use different media types, like serial connections for T1 and T3 circuits
Routers are more intelligent in handling packets
L3 switches do not support NAT
VLAN vs Subnet
A VLAN works at layer 2 while a subnet is at layer 3
Subnets are concerned with IP addresses.
VLANs bring more network efficiency
Subnets have weaker security than VLANs, as all subnets use the same physical network
Contents of System State backup
Registry
COM+ Class Registration database
Boot files, including the system files
System files that are under Windows File Protection
Active Directory directory service (If it is domain controller)
SYSVOL directory (If it is domain controller)
Cluster service information (If it is a part of a cluster)
IIS Metadirectory (If it is an IIS server)
Certificate Services database (If it is a certificate server)
Incremental vs Differential backups
Incremental backup - Takes a backup of the files whose archive bits are set and resets the bit after the backup
Differential backup - Takes a backup of the files whose archive bits are set but does not reset the bit after the backup
Robocopy
Microsoft tool used for copying files effectively
It has plenty of options to manage the copy process
How do you patch Microsoft applications? Frequency of patches released by Microsoft
Microsoft applications can be patched using WSUS.
In WSUS, we can create several computer groups to manage the patch process.
MS patches are released once a month
Explain GPO, GPC & GPT
GPO - Group Policy Object: Refers to the policy that is configured at the Active Directory level and is inherited by the domain member computers. You can configure a GPO at the site level, domain level or OU level. A GPO stores its policy settings in two locations, the GPC and the GPT.
GPO behaviour (processing order, later overrides earlier): Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
GPC - Group Policy Container: This is the AD portion of the group policy. It can be viewed using ADSI Edit. It stores version information, status information and other policy information. When you create a new GPO, an AD object of class groupPolicyContainer is created under the System\Policies container in your AD domain.
GPT - Group Policy Template: The GPT is where the GPO stores the actual settings. It stores software policy, scripts and deployment information.
The GPT is stored in the SYSVOL share (\\DomainNameHere\SYSVOL\Policies) whereas the GPC is stored in AD.
What is CPU affinity in VMware? Its impact on DRS?
Here CPU refers to a logical processor on a hyperthreaded system and to a core on a non-hyperthreaded system.
By setting CPU affinity for each VM, you can restrict the assignment of VMs to a subset of the available processors.
The main use of setting CPU affinity is for display-intensive workloads that require additional threads alongside the vCPUs.
DRS will not work with CPU affinity.
http://frankdenneman.nl/2011/01/11/beating-a-dead-horse-using-cpu-affinity/
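An added Python model, not from the original notes, of the GPO processing order above combined with Block Inheritance and No Override/Enforced from the earlier question; container and GPO names are constructed, and local policy (applied first, lowest precedence) is left out of the chain:

```python
# Added example (not from the original notes): resolves the effective settings of a
# site -> domain -> OU chain of Group Policy links, honouring the processing order,
# Block Inheritance and No Override/Enforced. Names and settings are constructed.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict            # setting name -> value
    enforced: bool = False    # "No Override" / Enforced on the link


@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)   # link order: first entry has highest precedence
    block_inheritance: bool = False


def effective_policy(chain):
    """chain is ordered top-down: site, domain, OU, child OU ...

    Returns (settings, order), where order lists the GPOs in the order they
    were applied; a later GPO overwrites earlier values for the same setting.
    """
    # Block Inheritance on a container discards every non-enforced GPO linked
    # above it; the lowest blocking container decides.
    block_level = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    normal, enforced = [], []
    for level, c in enumerate(chain):
        for gpo in reversed(c.gpos):          # apply the lowest link order first
            if gpo.enforced:
                enforced.append((level, gpo))
            elif level >= block_level:
                normal.append(gpo)
    # Non-enforced GPOs apply top-down (child OU overrides domain overrides site).
    # Enforced GPOs apply afterwards, bottom-up, so an enforced site or domain
    # link beats both lower-level GPOs and lower-level enforced links.
    enforced.sort(key=lambda t: -t[0])
    settings, order = {}, []
    for gpo in normal + [g for _, g in enforced]:
        settings.update(gpo.settings)
        order.append(gpo.name)
    return settings, order


def example_chain(block_finance=True):
    """Constructed forest: site -> domain -> OU=Finance (names are made up)."""
    return [
        Container("Site-HQ", [GPO("Site-Screensaver", {"screensaver_timeout": 600})]),
        Container("corp.example", [
            GPO("Domain-PasswordPolicy", {"password_min_length": 12}, enforced=True),
            GPO("Domain-Desktop", {"screensaver_timeout": 900, "wallpaper": "corp.jpg"}),
        ]),
        Container("OU=Finance", [
            GPO("Finance-Desktop", {"wallpaper": "finance.jpg", "password_min_length": 8}),
        ], block_inheritance=block_finance),
    ]


if __name__ == "__main__":
    for block in (False, True):
        settings, order = effective_policy(example_chain(block))
        print(f"Block Inheritance on OU=Finance: {block}")
        print("  applied:", " -> ".join(order))
        print("  result :", settings)
```

With the block in place the site and domain desktop settings vanish, yet the enforced password policy still wins over the OU's weaker value.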
VM version 4 vs VM version 7
Version 4
Runs on ESX 3.x
Max supported RAM 64 GB
Max vCPUs 4
MS cluster is not supported
4 NICs/VM
No USB support
Version 7
Runs on vSphere 4.x
Max supported RAM 256 GB
Max vCPUs 8
MS cluster is supported
10 NICs/VM
USB support
What happens to the VMs if a standalone host is taken into maintenance mode?
In the case of standalone servers, VMware recommends that VMs be powered off before putting the server into maintenance mode.
If we put the standalone host into maintenance mode without powering off the VMs, it will remain in the 'entering maintenance mode' state until all the VMs are shut down.
When all the VMs are powered down, the host status changes to 'under maintenance'.
http://pubs.vmware.com/vsphere-4-esx-vcenter/index.jsp#using_drs_clusters_to_manage_resources/c_using_maintenance_mode.html
What is new in Windows Server 2012
Server Core improvements: no need for a fresh installation, you can add/remove the GUI from Server Manager
Remotely manage servers, add/remove roles etc. using Server Manager - manage 2008 and 2008 R2 with WMF 3.0 installed (installed by default in Server 2012)
Remote Server Administration Tools available for Windows 8 to manage a Windows Server 2012 infrastructure
PowerShell v3
Hyper-V 3.0: supports up to 64 processors and 1 TB RAM per virtual machine
up to 320 logical hardware processors and 4 TB RAM per host
Shared-nothing live migration: move VMs around without shared storage
ReFS (Resilient File System), an upgraded version of NTFS - supports larger file and directory sizes. Removes the 255-character limitation on long file names and paths; the limit on the path/filename size is now 32K characters!
Improved CHKDSK utility that fixes disk corruption in the background without disruption
How does the backup software recognize that a file has changed since the last backup?
Files use a bit called the archive bit for tracking any change to the file.
Backup software normally checks the archive bit of the file to determine whether the file has to be backed up or not.
How can you edit a VM template?
VM templates cannot be modified as such.
First, the VM template has to be converted to a virtual machine.
After making the necessary changes in the virtual machine, convert the virtual machine back to a template.
VMware configuration maximums
                    ESXi 5.5    ESXi 5.1    ESXi 5.0    ESXi 4.x
VMs
  vCPU              64          64          32          8
  RAM               1 TB        1 TB        1 TB        255 GB
  vNIC              10          10          10          10
  VMDK size         62 TB       1 TB        1 TB        2 TB (for 8 MB block)
Hosts
  Logical CPU       320         160         160         160
  Memory            4 TB        2 TB        2 TB        1 TB
  LUNs              256         256         256         256
  LUN size          64 TB       64 TB       64 TB       64 TB
  Virtual Machines  512         512         512         320
What is the major difference between Windows Server 2008 and Windows Server 2012 in terms of AD promotion?
In Win 2012, dcpromo has been deprecated. In order to make a Windows Server 2012 server a domain controller, the AD DS role has to be installed from Server Manager. After installation, run the post-deployment configuration wizard from Server Manager to promote the server as a DC.
What is vSAN? It is a hypervisor-converged storage solution built by aggregating the local storage attached to the ESXi hosts managed by a vCenter.
Recommended iSCSI configuration? A separate vSwitch, and a separate network other than VMtraffic network for iSCSI traffic. Dedicated physical NICs should be connected to vSwitch configured for iSCSI traffic.
What is iSCSI port binding ? Port binding is used in iSCSI when multiple VMkernel ports for iSCSI reside in the same broadcast domain and IP subnet, to allow multiple paths to an iSCSI array that broadcasts a single IP address.
iSCSI port binding considerations ? Array Target iSCSI ports must reside in the same broadcast domain and IP subnet as the VMkernel port.
All VMkernel ports used for iSCSI connectivity must reside in the same broadcast domain and IP subnet.
All VMkernel ports used for iSCSI connectivity must reside in the same vSwitch.
Currently, port binding does not support network routing.
Recommended iSCSI configuration for a 6-NIC infrastructure? (Answer changes as per the infrastructure requirements)
2 NICs for VM traffic
2 NICs for iSCSI traffic
1 NIC for vMotion
1 NIC for management network
Post-conversion steps in P2V
Adjust the virtual hardware settings as required
Remove non-present device drivers
Remove all unnecessary devices such as serial ports, USB controllers, floppy drives etc.
Install VMware Tools
Which esxtop metric will you use to confirm a storage latency issue? esxtop --> d --> DAVG
What are standby NICs? These adapters only become active if the defined active adapters have failed.
Path selection policies in ESXi Most Recently Used (MRU)
Fixed
Round Robin
Which networking features are recommended while using iSCSI traffic? iSCSI port binding
Jumbo Frames
Ports used by vCenter: 80, 443, 902
What is the 'No Access' role? Users assigned the 'No Access' role for an object cannot view or change the object in any way
When is a swap file created? When the guest OS is first installed in the VM
The Active Directory group whose members are ESXi administrators by default: ESX Admins
Which is the command used in ESXi to manage and retrieve information from virtual machines ? vmware-cmd
Which is the command used in ESXi to view live performance data? esxtop
Command line tool used in ESXi to manage virtual disk files? vmkfstools
Port used for vMotion: 8000
Log file location on a VMware host: /var/log/vmware
Can you map a single physical NIC to multiple virtual switches ? No
Can you map a single virtual switch to multiple physical NICs? Yes. This method is called NIC teaming.
VMkernel port group can be used for: vMotion
Fault Tolerance Logging
Management traffic
Major difference between ESXi 5.1 and ESXi 5.5 free versions: up to ESXi 5.1, the free version limited physical memory to a maximum of 32 GB. From 5.5 onwards this limit has been lifted.
What is IPAM server in Windows Server 2012? IPAM is the IP Address Management server in Windows Server 2012. It enables central management of both DHCP and DNS servers. It can also be used to discover, monitor and audit DHCP and DNS servers.
How to promote a server to domain controller in Windows Server 2012? DCPROMO was the conventional tool used to promote a normal server to a DC. This is now deprecated in Server 2012.
In Server 2012, you can convert a server into a DC using the Server Manager console. Under Server Manager, add the new role "Active Directory Domain Services".
Windows 2003 vs Windows 2008
RODC
WDS instead of RIS
Services have been changed as roles - server manager
Introduction of Hyper-V - only on 64-bit versions
Enhanced Event Viewer
BitLocker feature
Server Core installation without GUI
MMC 3.0, with three-pane view
Key Management Services (KMS) to activate Windows OS without connecting to the Microsoft site
Performance enhancement using technologies like Windows SuperFetch, ReadyBoost and ReadyDrive
Windows Aero user interface
Instant search
Support for IPv6 in DNS
ESX vs ESXi
ESXi has no service console (the ESX service console is a modified version of RHEL)
ESXi is extremely thin, hence fast installation and fast boot
ESXi can be purchased as an embedded hypervisor on hardware
ESXi has builtin server health status check
ESXi 4.1 vs ESXi 5.0 - Migration
Local upgrade from CD
VMware update manager (only supports upgrade of ESX/ESXi 4.x to ESXi 5.0)
ESXi 4.1 vs ESXi 5.0 - Features (values given as 4.1 / 5.0)
vSphere Auto Deploy
Storage DRS
HA - Primary/secondary concept changed to master/slave
Profile-driven storage
VMFS version - 3 / 5
ESXi firewall
VMware hardware version - 7 / 8
VMware Tools version - 4.1 / 5
vCPU - 8 / 32
vRAM - 256 GB / 1 TB
VMs per host - 320 / 512
RAM per host - 1 TB / 2 TB
USB 3.0 support
vApp
FSMO roles
Schema Master
Domain naming master
Infrastructure master
PDC Emulator
RID master
GPO
Templates (ADMX)
Block inheritance
Enforced
Loopback policy
Forest and Domain concepts
OSI layer
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
ASA - site to site VPN
HA 5.0
Uses an agent called FDM - Fault Domain Manager
HA now talks directly to hostd instead of using the vCenter agent vpxa
Master/slave concept
Master: monitors availability of hosts/VMs
manages VM restarts after host failure
maintains a list of all VMs on each host
restarts failed VMs
exchanges state with vCenter
monitors state of slaves
Slave: monitors running VMs and sends status to the master, and performs restarts on request from the master
monitors master node health
if the master fails, participates in the election
Two different heartbeat mechanisms - network heartbeat and datastore heartbeat
Network heartbeat: sent between slave and master every second
When a slave is not receiving heartbeats from the master, it checks whether it is isolated, or whether the master is isolated or has failed
Datastore heartbeat: to distinguish between isolation and failure
Uses a power-on file in the datastore to determine isolation
This mechanism is used only when the master loses network connectivity with hosts
2 datastores are chosen for this purpose
Isolation response: Power Off
Leave Powered On
Shutdown
vMotion
vMotion enables live migration of running virtual machines from one host to another with zero downtime
Prerequisites
Host must be licensed for vMotion
Configure the host with at least one vMotion network interface (VMkernel port group)
Shared storage (this requirement was relaxed in 5.1)
Same VLAN and VLAN label
Gigabit Ethernet network required between hosts
Processor compatibility between hosts
vMotion does not support migration of applications clustered using Microsoft Cluster Service
No CD-ROM attached
No affinity enabled
VMware Tools should be installed
RAID
Redundant Array of Independent Disks
A category of disk drives that uses 2 or more drives in combination for redundancy and performance
Most common RAID levels: RAID 0 (Striped), RAID 1 (Mirroring), RAID 5
Backup types
Full backup - Takes a backup of all selected files and resets the archive bit
Copy backup - Takes a backup of all selected files but does not reset the archive bit
Incremental backup - Takes a backup of the files whose archive bits are set and resets the bit after the backup
Differential backup - Takes a backup of the files whose archive bits are set but does not reset the bit after the backup
Windows 2003 to 2008 migration
Can be done only by logging in to the Windows 2003 server
Minimum of Windows 2003 SP1 required
Can be migrated only to the same edition, except for Windows Server 2003 Standard which can be migrated to either Standard or Enterprise
Extra space of 30 GB required prior to migration
Cannot upgrade to Server Core
Perform forestprep and domainprep to 2008 using the 2008 CD before migrating (copy the sources/adprep folder for this)
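An added Python simulation, not part of the original notes, of the archive-bit rules for the four backup types above; it also covers the incremental vs differential question and the archive-bit question earlier on the page. File names and the weekly change sequence are constructed:

```python
# Added example (not from the original notes): a small model of the archive bit and
# of how full, copy, incremental and differential backups select files and whether
# they clear the bit afterwards. File names and the change sequence are constructed.


class Volume:
    """A set of files with their archive bits; writing a file sets its bit."""

    def __init__(self, names):
        self.archive = {name: True for name in names}   # new files start with the bit set

    def modify(self, *names):
        for name in names:
            self.archive[name] = True


# For each backup type: (select only files with the archive bit set?, clear the bit?)
BACKUP_TYPES = {
    "full": (False, True),
    "copy": (False, False),
    "incremental": (True, True),
    "differential": (True, False),
}


def run_backup(volume, kind):
    """Return the sorted list of files written to the backup set."""
    only_changed, clear_bit = BACKUP_TYPES[kind]
    selected = sorted(n for n, bit in volume.archive.items() if bit or not only_changed)
    if clear_bit:
        for name in selected:
            volume.archive[name] = False
    return selected


def week(kind):
    """Monday full backup, then daily backups of the given kind.

    Returns (per-day backup sets, sets needed to restore to Thursday evening).
    """
    vol = Volume(["a.doc", "b.xls", "c.ppt", "d.txt"])
    sets = {"Mon": run_backup(vol, "full")}
    changes = {"Tue": ("a.doc",), "Wed": ("b.xls",), "Thu": ("a.doc", "c.ppt")}   # constructed edits
    for day, files in changes.items():
        vol.modify(*files)
        sets[day] = run_backup(vol, kind)
    # Incremental: the full plus every incremental since; differential: the full
    # plus only the latest differential, because the bit was never cleared.
    needed = list(sets) if kind == "incremental" else ["Mon", "Thu"]
    return sets, needed


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sets, needed = week(kind)
        print(kind, sets, "-> restore needs", needed)
```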
ESXi update manager
Global Catalog
Global catalog (GC) is a role handled by domain controllers in an Active directory model.
The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.
Partial copy refers to the set of attributes that are most used for searching every object in every domain.
All domain controllers can be promoted as a GC.
GC helps in faster search of AD objects.
The replicas that are replicated to the global catalog also include the access permissions for each object and attribute.
If you are searching for an object that you do not have permission to access, you do not see the object in the list of search results. Users can find only objects to which they are allowed access.
Global catalog server clients depend on DNS to provide the IP address of global catalog servers. DNS is required to advertise global catalog servers for domain controller location.
By default, the first DC in a forest will be a global catalog server
Basic networking concepts
RODC
New feature in Windows 2008
Only has a read-only copy of the directory database
An RODC has all the objects of a normal DC in read-only mode, but this doesn't include passwords. An RODC does not store account passwords.
Updates are replicated to the RODC from a writable DC
Password caching: A feature which enables the RODC to cache the passwords of logged-in users.
Password Replication Policy: Determines whether a password can be cached or not.
DNS can be integrated with an RODC but it will not directly register client updates. For any DNS change, the RODC refers the client to a DNS server that hosts a primary or AD-integrated zone
NAS vs SAN
Both are used as storage solutions
NAS can be used by any device connected via the LAN, whereas a SAN is used only by server-class devices with SCSI
NAS is file-based whereas SAN is block-based storage
NAS is cheap while SAN is expensive
SAN is comparatively faster than NAS
What is DRS? Types of DRS
Distributed Resource Scheduler
It is a feature of a cluster
DRS continuously monitors utilization across the hosts and moves virtual machines to balance the computing capacity
DRS uses vMotion for its functioning
Types of DRS
Fully automated - The VMs are moved across the hosts automatically. No admin intervention required.
Partially automated - The VMs are placed on hosts automatically at VM boot-up. But once up, vCenter only provides DRS recommendations, which the admin has to apply manually.
Manual - Admin has to act according to the DRS recommendations
DRS prerequisites
Shared storage
Processor compatibility of hosts in the DRS cluster
vMotion prerequisites
vMotion is not working. What are the possible reasons?
Ensure vMotion is enabled on all ESX/ESXi hosts
Ensure that all VMware prerequisites are met
Verify whether the ESXi/ESX host can be reconnected, or whether reconnecting the ESX/ESXi host resolves the issue
Verify that time is synchronized across the environment
Verify that the required disk space is available
What happens if a host is taken into maintenance mode
Hosts are taken into maintenance mode for the duration of maintenance
In a single ESX/ESXi setup, all the VMs need to be shut down before entering maintenance mode
In a vCenter setup, if DRS is enabled, the VMs will be migrated to other hosts automatically.
How will you clone a VM on an ESXi host without vCenter
Using vmkfstools
Copy the VMDK file and attach it to a new VM
Using VMware Converter
Explain traverse folder
Allows or denies moving through a restricted folder to reach files and folders beneath the restricted folder in the folder hierarchy.
Traverse folder takes effect only when the group or user is not granted the 'Bypass traverse checking' user right in the Group Policy snap-in. This permission does not automatically allow running program files.
The Netlogon service on a DC is responsible for registering SRV records in the DNS server under _tcp.dc._msdcs.domain.com. It then registers the SRV records of the domain controller under _sites.dc._msdcs.domain.com based on its site location.
When a client first tries to log in to an AD network, the client sends a DNS request to find the DCs under _ldap._tcp.dc._msdcs.domain.com. From the list, it chooses a DC randomly for authentication. Then the client sends an LDAP ping to the DC asking for the site it belongs to, based on the IP address of the client. The DC returns the site the client's IP address is most related to, along with the DC's own site and a flag, DSClosestFlag, which is either 0 or 1 depending on whether the DC the client has authenticated to is the closest one to the client. If this flag indicates that the client is not authenticated to the closest DC, the client sends a site-specific DNS query to find the DC from _ldap._tcp._sitename._sites.dc._msdcs.domain.com.
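An added Python simulation of the DC locator steps just described, run against a constructed DNS zone; it is not part of the original notes, and the domain, DC names, sites and subnets are made up. Site-specific names are built in the <site>._sites form Netlogon registers, and SRV records are chosen by priority then weight as RFC 2782 specifies.

```python
# Added example (not from the original notes): simulates DC location via the SRV
# records Netlogon registers, the LDAP ping with DSClosestFlag, and the follow-up
# site-specific query. All names, sites and subnets below are constructed.
import ipaddress
import random

DOMAIN = "corp.example.com"          # constructed domain
DCS = {                              # constructed: DC host -> AD site
    "dc1.corp.example.com": "HQ",
    "dc2.corp.example.com": "HQ",
    "dc3.corp.example.com": "Branch",
}
SUBNETS = {                          # constructed AD Sites and Services subnet objects
    "10.1.0.0/16": "HQ",
    "10.2.0.0/16": "Branch",
}


def srv_name(domain, site=None):
    """Generic DC locator name, or the site-specific one when a site is given."""
    if site is None:
        return f"_ldap._tcp.dc._msdcs.{domain}"
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"


def build_zone(dcs):
    """What Netlogon registers: every DC under the generic name and under its site name."""
    zone = {}
    for host, site in dcs.items():
        record = {"priority": 0, "weight": 100, "port": 389, "target": host}
        zone.setdefault(srv_name(DOMAIN), []).append(record)
        zone.setdefault(srv_name(DOMAIN, site), []).append(record)
    return zone


def pick_srv(records, rng):
    """RFC 2782 selection: lowest priority wins, then weighted random among ties."""
    best = min(r["priority"] for r in records)
    ties = [r for r in records if r["priority"] == best]
    return rng.choices(ties, weights=[r["weight"] or 1 for r in ties])[0]["target"]


def site_for_ip(ip):
    """The DC's view of the client's site, derived from the subnet objects."""
    addr = ipaddress.ip_address(ip)
    for net, site in SUBNETS.items():
        if addr in ipaddress.ip_network(net):
            return site
    return None


def ldap_ping(dc, client_ip):
    """The DC's answer: the client's site, the DC's own site and DSClosestFlag."""
    client_site, dc_site = site_for_ip(client_ip), DCS[dc]
    return {"client_site": client_site, "dc_site": dc_site,
            "DSClosestFlag": int(client_site == dc_site)}


def locate_dc(client_ip, seed=0, zone=None):
    """Returns (chosen DC, DNS names queried) following the steps in the notes."""
    rng = random.Random(seed)             # seeded so the walk is reproducible
    zone = zone or build_zone(DCS)
    queried = [srv_name(DOMAIN)]
    dc = pick_srv(zone[queried[0]], rng)  # random DC from the generic list
    ping = ldap_ping(dc, client_ip)
    if not ping["DSClosestFlag"] and ping["client_site"]:
        site_records = zone.get(srv_name(DOMAIN, ping["client_site"]), [])
        if site_records:                  # site-specific query, closer DC
            queried.append(srv_name(DOMAIN, ping["client_site"]))
            dc = pick_srv(site_records, rng)
    return dc, queried


if __name__ == "__main__":
    for ip in ("10.2.5.5", "10.1.7.7", "192.168.1.1"):
        dc, queried = locate_dc(ip)
        print(ip, "->", dc, "via", queried)
```

A client from an address that matches no subnet object stays with whichever DC the generic query returned, which is why missing subnet definitions show up as clients authenticating across the WAN.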
Unique Sequence Number (USN)
USN is an AD database change tracking number. Any change or
transaction made in a DC is represented by a USN increment. The USN
of DCs in the same domain need not be same.
The USN of a DC is particular only to that DC, also the USN of
other DCs will be tracked in theHWMV table of a DC.
Server Object GUID (DSA GUID)
DSA (Directory System Agent) GUID is used in USNs to track
originating writes. It is also used by DC to identify its
replication partners. The value of DSA GUID is stored in objectGUID
attribure of the NTDS settings object. DSA GUID is created when AD
is initially installed on a DC and will not change during its
lifetime until or unless the DC is removed from the domain
controller. DSA GUID ensures that the DC is recognizable even in
case of a DC rename.
Server Database GUID (Invocation GUID)
AD database has its own GUID which is used to identify the database
version. The value of Invocation GUID is stored in
invocationIdattribute of NTDS settings object. Unlike DSA GUID,
Invocation GUID is changed during an AD restore process to ensure
replication consistency.
Coming to the USN rollback scenario:
Cause
USN Rollback is mainly caused by restoring a DC using non Microsoft
restore process like Norton's Ghost, VMware snapshot etc.. or when
we perform a V2V of an existing DC.
Explanation
When we restore DC using the conventional methods of AD
restoration, the Invocation ID of the DC will be reset which in
turn resets the USN to make the DC understand that the database is
restored. The Invocation ID tracks the version of the database of
DC. The previous Invocation ID will be marked as retired. When we
use methods other than the conventional restoration methods, this
ID will not be reset. This prevents other DC from replicating with
the rolledback DC, the changes made after the image was
taken.
In this scenario, other DCs will believe that the rolled back DC
will be holding updated data and will not replicate, which makes
the AD data inconsistent.
Resolution
1. Forcefully demote the DC
2. Remove its metadata using metadata cleanup
3. Seize any FSMO roles it held
4. Re-promote the server
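The two identifiers described above (DSA GUID and Invocation ID) and the symptoms of a USN rollback can be read from a live DC. The following PowerShell is an added example, not part of the original page; it assumes the ActiveDirectory RSAT module and that it runs elevated on the domain controller being checked (the registry value is only meaningful on the DC itself).

```powershell
# Added example (not from the original page): read the local DC's replication identity and
# check for the two symptoms NTDS records after an unsupported restore (USN rollback).
# Assumes the ActiveDirectory RSAT module and an elevated session on the DC itself.
Import-Module ActiveDirectory

function Get-DCReplicationIdentity {
    # RootDSE publishes the DN of this DC's NTDS Settings object and its highest committed USN
    $rootDse      = Get-ADRootDSE
    $ntdsSettings = Get-ADObject -Identity $rootDse.dsServiceName -Properties objectGUID, invocationId

    [PSCustomObject]@{
        Server       = $rootDse.dnsHostName
        DSAGuid      = $ntdsSettings.objectGUID          # fixed for the DC's lifetime (objectGUID of NTDS Settings)
        InvocationId = New-Object System.Guid -ArgumentList (,[byte[]]$ntdsSettings.invocationId)  # reset by a supported restore
        HighestUSN   = $rootDse.highestCommittedUSN
    }
}

function Test-USNRollback {
    # Symptom 1: when NTDS detects an unsupported restore it writes 'DSA Not Writable' = 4 under the
    # NTDS Parameters key, stops inbound/outbound replication and pauses Netlogon (the DC stops advertising).
    $ntdsParams     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsaNotWritable = (Get-ItemProperty -Path $ntdsParams -Name 'DSA Not Writable' -ErrorAction SilentlyContinue).'DSA Not Writable'

    # Symptom 2: Directory Service log events 2095 (a partner presented already-acknowledged USNs,
    # i.e. rollback detected) and 2103 (database restored with an unsupported procedure).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        DSANotWritable    = if ($null -eq $dsaNotWritable) { 0 } else { $dsaNotWritable }
        RollbackEvents    = @($events).Count
        LatestEvent       = if ($events) { $events[0].TimeCreated } else { $null }
        RollbackSuspected = ($dsaNotWritable -eq 4) -or (@($events).Count -gt 0)
    }
}

Get-DCReplicationIdentity
Test-USNRollback
```

After a supported restore, DSAGuid stays the same while InvocationId changes, which is exactly what lets the partners accept the restored database. After a snapshot revert both stay the same, and the rollback is only noticed when a partner sees USNs it has already acknowledged; that is why the events above are the thing to alert on, on every DC and not only the one that was reverted.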
What is Sysvol?
Sysvol is a special folder located at C:\Windows\SYSVOL on every domain controller in the domain. This folder contains the domain's Group Policy settings, default profiles and logon/logoff/startup/shutdown scripts.
When a user logs in to a client machine, the client pulls the group policy settings and logon scripts from its local DC's SYSVOL folder. For this reason the SYSVOL folders keep replicating between each other, using either DFS-R (Distributed File System Replication) or the older FRS (File Replication Service). The Sysvol directory can be accessed using:
\\domain-name\SYSVOL or
\\DC-name\SYSVOL
Contents of SYSVOL
If you open C:\Windows\SYSVOL you will see 4 folders: domain, staging, staging areas and sysvol.
First, the sysvol and domain folders. The folder 'sysvol' is a junction point (a kind of soft link) to the folder 'domain'. That means the actual contents live in the 'domain' folder, while 'sysvol' is a link that you can browse as if it were a normal folder.
Sysvol is the folder you end up in when you access \\domain-name\SYSVOL or \\DC-name\SYSVOL. This folder contains the Policies, scripts and StarterGPOs folders.
The Policies folder contains all the group policy objects in the domain. For every new GPO a new folder named with a unique GUID is created here; these folders are called Group Policy Templates (GPT). If you make any change to a particular group policy, the change is written to this folder. The scripts folder contains all scripts used.
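Because each GPT folder is named only by GUID, it is useful to map the folders back to GPO names and to compare the version stored in AD with the version stored in SYSVOL. The following PowerShell is an added example, not from the original page; it assumes the ActiveDirectory and GroupPolicy RSAT modules and read access to \\<domain>\SYSVOL, and the junction check assumes it runs on a DC.

```powershell
# Added example (not from the original page): map the {GUID} Group Policy Template folders under
# SYSVOL\Policies to the GPO objects in AD and flag two things worth checking: GPT folders with no
# matching GPO (orphans) and GPOs whose AD (GPC) version differs from the SYSVOL (GPT) version,
# which is what you see while SYSVOL replication is lagging or broken.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules and read access to \\<domain>\SYSVOL.
Import-Module ActiveDirectory, GroupPolicy

function Get-SysvolPolicyMap {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $policiesPath = "\\$Domain\SYSVOL\$Domain\Policies"
    foreach ($dir in Get-ChildItem -Path $policiesPath -Directory) {
        # GPT folders are named {GUID}; anything else (e.g. PolicyDefinitions) is not a GPT
        if ($dir.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

        $gpo = Get-GPO -Guid $dir.Name.Trim('{}') -Domain $Domain -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            GptFolder      = $dir.Name
            DisplayName    = if ($gpo) { $gpo.DisplayName } else { '<orphaned GPT: no GPO object in AD>' }
            ComputerInSync = if ($gpo) { $gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion } else { $null }
            UserInSync     = if ($gpo) { $gpo.User.DSVersion -eq $gpo.User.SysvolVersion } else { $null }
            LastWrite      = $dir.LastWriteTime
        }
    }
}

function Get-SysvolJunction {
    # On a DC, C:\Windows\SYSVOL\sysvol is a junction (reparse point) onto the 'domain' folder
    $item = Get-Item -Path "$env:SystemRoot\SYSVOL\sysvol" -ErrorAction Stop
    [PSCustomObject]@{
        Path           = $item.FullName
        IsReparsePoint = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
        LinkType       = $item.LinkType
        Target         = ($item.Target | Select-Object -First 1)
    }
}

Get-SysvolJunction
Get-SysvolPolicyMap | Sort-Object DisplayName | Format-Table -AutoSize
```

A GPT with no GPO object, or a GPO whose DS and SYSVOL versions disagree on every DC rather than briefly on one, is worth investigating: the former is leftover or hand-placed content that clients will never apply, the latter means the policy clients receive is not the policy an administrator sees in GPMC.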
Now for the staging folder and staging areas.
The staging folder acts like a queue for changed files and folders that need to be replicated to the other SYSVOLs in the domain. Such a change is normally the result of a group policy change. In short, the folder is empty if there are no group policy updates; once an update has been replicated, the contents of this folder are deleted as well.
Active Directory Recycle Bin
This is a feature introduced in Windows 2008 R2 and disabled by default. It is available only if your forest functional level is Windows 2008 R2 or above. Once you enable this feature, it cannot be disabled.
How to enable? There is no GUI to enable the AD Recycle Bin.
Open PowerShell and execute the below (the -whatif switch only previews the change; drop it to actually enable the feature):
Import-Module ActiveDirectory
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "globomantics.local" -whatif
What makes the AD Recycle Bin special?
Normal deletion process: an object is deleted and moved to the Deleted Objects container after its isDeleted attribute is set to True (tombstoning). Most of the object's attributes are stripped off at this point. The stripped object is retained during the TSL and is deleted permanently after the TSL.
AD Recycle Bin process: all of the above holds for the AD Recycle Bin as well, except the attribute stripping. When an AD object is deleted with the Recycle Bin enabled, the system preserves all of the object's attributes.
In short, if you want the attributes of deleted objects to be available after tombstone reanimation, enable the AD Recycle Bin.
AD Recycle Bin process
1. An object is removed from AD and is now 'logically deleted'.
2. The deleted object is moved to the Deleted Objects container and remains there for the duration of the deleted object lifetime. Within this period the object can be recovered using the AD Recycle Bin or an authoritative restore.
3. After the deleted object lifetime expires, the logically deleted object becomes a recycled object (the same as a tombstoned object).
4. The recycled object remains in the Deleted Objects container until the recycled object lifetime expires, after which the object is physically deleted by the garbage collection process.
Active Directory Tombstone
When an object is removed from Active Directory it is said to be tombstoned. A tombstone is what a Domain Controller uses to notify the other Domain Controllers about an object deletion.
The tombstoned object is retained in AD for a specific amount of time defined by the Tombstone Lifetime (TSL).
When an object is tombstoned it is moved to a special container named Deleted Objects and becomes invisible to normal directory operations.
Within the TSL the object can be retrieved at any time; this is called tombstone reanimation. The retrieved object, however, loses some of its properties, such as its group membership details.
After the TSL, the garbage collection process, which runs every 12 hours, deletes the object permanently from Active Directory.
Find TSL for your domain
1. Open adsiedit.msc
2. Select the Configuration partition
3. Right-click CN=Directory Service and select Properties
4. In the Attribute column look for the tombstoneLifetime value
This value is the TSL for your domain. If the value is not set, the TSL is the default value for that server class.
Default TSL
Windows 2000 - 60 days
Windows 2003 SP1 - 180 days
Windows 2003 R2 - 60 days
Windows 2008 and above - 180 days
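The Recycle Bin state, the tombstone lifetime found via adsiedit above, and the contents of the Deleted Objects container can all be read from PowerShell, which is also the only way to recover a logically deleted object with its attributes intact. The following is an added example, not from the original page; it assumes the ActiveDirectory RSAT module, a forest at the Windows 2008 R2 functional level or above, and rights to restore objects. The account name jdoe is a placeholder.

```powershell
# Added example (not from the original page): read the forest's deletion settings (Recycle Bin
# state, tombstoneLifetime and msDS-DeletedObjectLifetime from CN=Directory Service, the same
# object adsiedit shows), list what is sitting in Deleted Objects, and restore one object.
# Assumes the ActiveDirectory RSAT module and a forest at Windows 2008 R2 level or above.
Import-Module ActiveDirectory

function Get-ADDeletionSettings {
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds      = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

    [PSCustomObject]@{
        RecycleBinEnabled         = ($feature.EnabledScopes.Count -gt 0)
        # an unset tombstoneLifetime means the server-class default applies (see Default TSL above)
        TombstoneLifetimeDays     = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { '<not set, default applies>' }
        # an unset msDS-DeletedObjectLifetime means it follows the tombstone lifetime
        DeletedObjectLifetimeDays = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { '<not set, follows TSL>' }
    }
}

function Get-ADDeletedObjectReport {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # -IncludeDeletedObjects makes the Deleted Objects container visible; exclude the container itself
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects `
                 -Properties objectClass, lastKnownParent, whenChanged, isRecycled |
        Where-Object { $_.whenChanged -ge $since } |
        Select-Object Name, objectClass, lastKnownParent, whenChanged,
            @{ n = 'State'; e = { if ($_.isRecycled) { 'recycled: attributes stripped, not restorable' }
                                   else { 'logically deleted: restorable with Restore-ADObject' } } }
}

function Restore-ADDeletedUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    $obj = Get-ADObject -Filter 'isDeleted -eq $true -and samAccountName -eq $SamAccountName' `
                        -IncludeDeletedObjects -Properties lastKnownParent, isRecycled
    if (-not $obj)        { throw "No deleted object with sAMAccountName '$SamAccountName'" }
    if ($obj.isRecycled)  { throw "'$SamAccountName' is already recycled; only an authoritative restore from backup can help" }
    # Returns the object to its last known parent with all attributes intact (Recycle Bin enabled)
    Restore-ADObject -Identity $obj.ObjectGUID
}

Get-ADDeletionSettings
Get-ADDeletedObjectReport -Days 30 | Format-Table -AutoSize
# Restore-ADDeletedUser -SamAccountName 'jdoe' -WhatIf    # jdoe is a placeholder account name
```

The report distinguishes the two states described above: a logically deleted object can still be brought back by Restore-ADObject, while a recycled one has already lost its attributes and only an authoritative restore from a backup taken before the deletion will recover it.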
AD REPLICATION
Intrasite replication replicates changes made on one DC to all other DCs in the same site. AD replications are generally pull operations. For example, in a site with two DCs (DC1 and DC2), if a change is made on DC1 then DC1 notifies DC2 about the change.
After this notification, DC2 pulls the changes from DC1, thereby bringing its AD data up to date.
Replication interval
When a DC writes a change to its local copy of AD, a timer is started that determines when the DC's replication partners should be notified of the change. By default, this interval is 15 seconds in Windows 2003 and later.
Active Directory Partitions
The Active Directory database is divided into partitions or naming contexts (NC):
Schema NC - contains the schema details; replicated to each DC in the forest.
Configuration NC - contains forest-wide configuration information; replicated to each DC in the forest.
Domain NC - contains the most commonly accessed AD data; replicated to each DC in the domain.
Each of these NCs is replicated separately to the DCs.
There are two kinds of write operations that AD needs to replicate:
Originating write: any change made directly on a DC is an originating write for that DC.
Replicated write: any change that arrived as part of replication is a replicated write.
AD changes are managed through several pieces of replication metadata:
Update Sequence Number (USN)
Each DC maintains a USN that is specific to that DC. Any change made on the DC (originating write) or replicated to the DC (replicated write) is followed by a USN increment. The USNs of DCs in the same domain need not be the same; therefore the USN of one DC has no meaning to any other DC in terms of comparing one change to another.
For example: the current USN value of DC1 is 3000 and of DC2 is 4000. Suppose a change is made on DC1; its USN is incremented to 3001. DC1 notifies DC2 about the change and DC2 pulls the new change. When the change is pulled, DC2 increments its own USN to 4001.
High-watermark vector (HWMV)
The USN is only a way of tracking the changes made on a DC. Each DC also needs a way to keep track of the changes that have already been replicated; otherwise each DC would send the entire Active Directory database across the wire at every replication.
To prevent this, each Active Directory DC maintains a value called the high-watermark vector (HWMV) for each domain controller it replicates with. Each DC associates this high-watermark vector with the Globally Unique Identifier (GUID) of the remote DC, to prevent any confusion if a remote domain controller is renamed or removed from the directory.
Let us discuss some replication scenarios here:
Scenario 1:
2 domain controllers
USN of DC1 = 3000
USN of DC2 = 4500
1. A new object is created on DC1; the USN is incremented to 3001.
2. DC1 notifies DC2 about the new change. DC2 replies with the HWMV value it holds for DC1.
3. DC1 compares the HWMV value and understands that DC2 does not yet have change 3001. DC1 sends this change to DC2, which commits the change and updates its local USN.
The above scenario works fine with 2 DCs but could create severe replication loops with 3 or more DCs.
Up-to-dateness Vector (UTDV)
If a change is made on DC1, the change is replicated to DC2 and DC3. When DC2 receives this change, it would inform DC1 and DC3 about the same change, and the DCs would end up in a loop.
To avoid this, another piece of metadata is stored by each DC: the up-to-dateness vector (UTDV).
The UTDV stores the highest originating-update USN the local DC has received from each other DC. Every DC keeps an HWMV table and a UTDV for each AD partition to store the latest USNs of its replication partners. Whenever DC1 contacts DC2 for replication, DC2 sends the HWMV it holds for DC1 along with the highest originating USNs that DC2 has in its UTDV table.
Scenario 2
3 domain controllers
USN of DC1 = 3001
USN of DC2 = 4501
USN of DC3 = 7000
1. Suppose a change is made on DC3, which increments the USN of DC3 to 7001. DC3 notifies DC1 and DC2 of this change.
2. Now the UTDV comes into play. DC2 notifies DC1 about the new change it received from DC3. DC1 replies to DC2 with the HWMV of DC2 held in DC1, along with the highest originating USN DC1 has in its UTDV table (here 7002, received by DC1 from DC3).
3. DC2 compares the HWMV and understands that its HWMV in DC1 is outdated. Therefore it takes all the transactions corresponding to the missing USNs.
4. But when it takes the missing transaction, after comparing the UTDV it received from DC1 against the originating USN of the change held on DC2, DC2 understands that the change does not need to be replicated to DC1.
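The metadata the two scenarios reason about (the UTDV, the per-partner HWMV, and the originating versus local USN of each write) can be read from a live DC with the replication cmdlets. The following PowerShell is an added example, not from the original page; it assumes the ActiveDirectory RSAT module, and the DC name and object DN are parameters you supply. The repadmin equivalents are /showutdvec, /showrepl and /showobjmeta.

```powershell
# Added example (not from the original page): show the metadata the USN/HWMV/UTDV discussion
# describes, read from a live DC: the up-to-dateness vector (highest originating USN applied per
# partner), the high-watermark per inbound partner, and per-attribute metadata for one object,
# which distinguishes an originating write on this DC from a replicated one.
# Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-DCReplicationState {
    param([string]$Server    = (Get-ADDomainController).HostName,
          [string]$Partition = (Get-ADDomain).DistinguishedName)

    # UTDV: for each DC whose originating writes this server has applied, the highest such USN (UsnFilter)
    $utdv = Get-ADReplicationUpToDatenessVectorTable -Target $Server -Partition $Partition |
        Select-Object Partner, PartnerInvocationId, UsnFilter, LastReplicationSuccess

    # HWMV: per inbound partner, the partner's USN up to which this server has already pulled (LastChangeUsn)
    $hwmv = Get-ADReplicationPartnerMetadata -Target $Server -Partition $Partition |
        Select-Object Partner, LastChangeUsn, LastReplicationSuccess, ConsecutiveReplicationFailures

    [PSCustomObject]@{ Server = $Server; UpToDatenessVector = $utdv; HighWatermarks = $hwmv }
}

function Get-ObjectWriteOrigin {
    param([Parameter(Mandatory)][string]$ObjectDN,
          [string]$Server = (Get-ADDomainController).HostName)

    # The originating DC is reported as the DN of its NTDS Settings object, which RootDSE also
    # publishes for the server we query, so the two can be compared directly.
    $localDsa = (Get-ADRootDSE -Server $Server).dsServiceName

    # Each attribute carries the USN under which it was last written locally and the USN and DC of
    # the originating write; the write is "originating" only when that DC is the one we are querying.
    Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $Server |
        Select-Object AttributeName, Version, LocalChangeUsn, LastOriginatingChangeUsn,
            @{ n = 'OriginatingDSA'; e = { $_.LastOriginatingChangeDirectoryServerIdentity } },
            @{ n = 'WriteType';      e = { if ($_.LastOriginatingChangeDirectoryServerIdentity -eq $localDsa) { 'originating' } else { 'replicated' } } },
            LastOriginatingChangeTime
}

$state = Get-DCReplicationState
$state.UpToDatenessVector | Format-Table -AutoSize
$state.HighWatermarks     | Format-Table -AutoSize
Get-ObjectWriteOrigin -ObjectDN (Get-ADDomain).DistinguishedName | Format-Table -AutoSize
```

For a replicated write LocalChangeUsn and LastOriginatingChangeUsn differ, because the first is this DC's own counter and the second belongs to the originating DC; a growing ConsecutiveReplicationFailures value on a partner, or a partner whose LastReplicationSuccess is older than the tombstone lifetime, is the condition the "tombstone lifetime exceeded" procedure later on this page deals with.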
The KCC (Knowledge Consistency Checker) is responsible for generating the replication topology between domain controllers. The KCC runs on every DC in the domain and creates a connection object for each DC in AD. It is responsible for all intra-site replication.
In an inter-site scenario there is a bridgehead server in each site that manages site-to-site replication. Here the connection objects for the bridgehead servers are created in a separate way: the ISTG (Inter-Site Topology Generator) is responsible for creating connection objects on the bridgehead servers. The ISTG is nothing but the KCC on one DC of the site, which is responsible for reviewing the inter-site topology and creating inbound replication connection objects as necessary for the bridgehead servers in the site in which it resides. The domain controller holding this role need not itself be a bridgehead server.
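The connection objects the KCC and ISTG generate are ordinary AD objects and can be listed, together with the ISTG of each site. The following PowerShell is an added example, not from the original page; it assumes the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original page): list the connection objects the KCC/ISTG has
# generated for each DC and report the ISTG of every site. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-ReplicationTopology {
    # Connection objects are inbound: ReplicateToDirectoryServer pulls from ReplicateFromDirectoryServer.
    # AutoGenerated = $false marks a hand-made connection that the KCC will not maintain or remove.
    $connections = Get-ADReplicationConnection -Filter * |
        Select-Object Name, AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer

    # The ISTG is recorded on each site's NTDS Site Settings object
    $sites = Get-ADReplicationSite -Filter * -Properties InterSiteTopologyGenerator |
        Select-Object Name, InterSiteTopologyGenerator

    [PSCustomObject]@{
        Connections       = $connections
        ManualConnections = @($connections | Where-Object { -not $_.AutoGenerated })
        SiteISTG          = $sites
    }
}

$topology = Get-ReplicationTopology
$topology.Connections | Format-Table -AutoSize
$topology.SiteISTG    | Format-Table -AutoSize
```

Manually created connection objects are worth reviewing separately: the KCC leaves them alone, so a stale or unexpected one persists until an administrator removes it.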
Scenario
I have an environment with Windows 2003 and Windows 2008 servers in Windows 2000 Native mode. If I try to add an AD group to the folder security of a Windows 2008 server, the AD group name does not get resolved, i.e. ultimately you fail to set folder permissions for these AD groups. But when I try to do the same from a Windows 2003 server, the group gets added.
Resolution
In Windows 2000 Native mode, a Windows 2008 server cannot set folder permissions for an AD group. To resolve this issue, raise the domain functional level to Windows 2003 or higher, taking the domain controllers in the domain into consideration.
Enable replication - tombstone lifetime exceeded
Step 1
Run the repadmin /showrepl command on the domain controller that received the error to determine which domain controller has been disconnected for longer than a tombstone lifetime.
Step 2
Modifying the registry
1. Click Start, click Run, type regedit, and then click OK.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. In the details pane, create or edit the registry entry as follows:
If the registry entry exists in the details pane, modify the entry as follows:
a. In the details pane, right-click Allow Replication With Divergent and Corrupt Partner, and then click Modify.
b. In the Value data box, type 1, and then click OK.
If the registry entry does not exist, create the entry as follows:
a. Right-click Parameters, click New, and then click DWORD Value.
b. Type the name Allow Replication With Divergent and Corrupt Partner, and then press ENTER.
c. Double-click the entry. In the Value data box, type 1, and then click OK.
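The same two steps can be scripted, which also makes it easy to set the value back once the one-off replication has completed. The following PowerShell is an added example, not from the original page; it assumes an elevated session on the DC that received the error.

```powershell
# Added example (not from the original page): the two steps above in PowerShell. Step 1 finds
# the partner(s) reporting failures; Step 2 sets the registry value so the next replication with
# a partner beyond the tombstone lifetime is permitted. Set it back to 0 afterwards.
# Assumes an elevated session on the DC that received the error.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Allow Replication With Divergent and Corrupt Partner'

function Get-ReplicationFailures {
    # Step 1: repadmin /showrepl; the /csv form is easier to filter than the plain output
    repadmin /showrepl /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Naming Context', 'Last Success Time', 'Last Failure Status', 'Number of Failures'
}

function Set-DivergentPartnerReplication {
    param([ValidateSet(0, 1)][int]$Value)
    # Step 2: the entry is a DWORD; New-ItemProperty creates it, Set-ItemProperty updates an existing one
    if (Get-ItemProperty -Path $NtdsParams -Name $ValueName -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $NtdsParams -Name $ValueName -Value $Value -Type DWord
    } else {
        New-ItemProperty -Path $NtdsParams -Name $ValueName -Value $Value -PropertyType DWord | Out-Null
    }
    (Get-ItemProperty -Path $NtdsParams -Name $ValueName).$ValueName    # echo the effective value
}

Get-ReplicationFailures | Format-Table -AutoSize
Set-DivergentPartnerReplication -Value 1      # permit the one-off replication with the disconnected partner
# force the replication, e.g.  repadmin /replicate <destinationDC> <sourceDC> <namingContext>
# then close the window again:
# Set-DivergentPartnerReplication -Value 0
```

While the value is 1 the DC will accept objects from a partner that may still hold deletions it never saw (lingering objects), so the window should be kept short; repadmin /removelingeringobjects is the documented follow-up for cleaning up anything that came back.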
Active Directory Backup and Restore in Windows 2008
Taking backup
1. Open a command prompt and execute wbadmin start systemstatebackup -backuptarget:e:\
- In Windows 2008 you need to install the Windows Server Backup feature, as it is not installed by default.
2. Confirm that the backup is successful using the command wbadmin get versions
Restoration
1. Restart the server in Directory Services Restore Mode (DSRM)
2. Get the version ID of the available backup using wbadmin get versions
3. Run the restoration using the command wbadmin start systemstaterecovery -version:versionID
Making the Restoration Authoritative
1. At a command prompt, type ntdsutil, and then press ENTER.
2. Type authoritative restore, and then press ENTER.
3. You will be prompted with "Active Instance not set. To set an active instance use "Activate Instance"".
4. Type activate instance ntds and then press ENTER.
5. Then type the command restore subtree dc=Domain_Name,dc=xxx and then press ENTER.
Note: In Windows 2008 the restore database command is not supported, as it may cause serious problems.
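The backup and version-lookup steps above can be wrapped so that the newest version identifier is picked up for the restore step instead of being copied by hand. The following PowerShell is an added example, not from the original page; it assumes an elevated session on a Windows 2008 R2 or later DC, and E:\ is a placeholder target volume. It also assumes that wbadmin get versions lists backups oldest first.

```powershell
# Added example (not from the original page): wrap the wbadmin steps above: make sure the
# Windows Server Backup feature is present, run a system state backup, and parse
# 'wbadmin get versions' to pick the newest version identifier for the restore step.
# Assumes an elevated session on a Windows 2008 R2+ DC; E:\ is a placeholder target.
Import-Module ServerManager

function Invoke-SystemStateBackup {
    param([string]$Target = 'E:\')
    # The feature is not installed by default (Add-WindowsFeature is an alias of Install-WindowsFeature on 2012+)
    if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
        Add-WindowsFeature -Name Windows-Server-Backup | Out-Null
    }
    wbadmin start systemstatebackup -backuptarget:$Target -quiet
}

function Get-SystemStateBackupVersions {
    # 'wbadmin get versions' prints one block per backup, e.g.
    #   Backup time: <date>
    #   Backup target: <volume>
    #   Version identifier: 01/02/2024-01:00     (constructed sample line)
    $versions = @()
    foreach ($line in (wbadmin get versions)) {
        if ($line -match '^\s*Version identifier:\s*(\S+)') { $versions += $Matches[1] }
    }
    $versions
}

Invoke-SystemStateBackup -Target 'E:\'
# Assumption: wbadmin lists versions oldest first, so the last identifier is the newest backup
$latest = Get-SystemStateBackupVersions | Select-Object -Last 1
"Newest system state backup: $latest"
# Restore step (only after booting into DSRM):
#   wbadmin start systemstaterecovery -version:$latest -quiet
```

Verifying that a version identifier exists immediately after the backup is the equivalent of step 2 above; a backup job that prints success but leaves no version behind is the failure mode this catches.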
Active Directory Global Catalog Server
The global catalog (GC) is a role handled by domain controllers in an Active Directory model. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.
"Partial copy" refers to the set of attributes most used for searching every object in every domain.
Any domain controller can be promoted to a GC.
The GC enables faster searches of AD objects.
The replicas that are replicated to the global catalog also include the access permissions for each object and attribute.
If you search for an object that you do not have permission to access, you do not see the object in the list of search results. Users can find only objects to which they are allowed access.
Global catalog clients depend on DNS to provide the IP address of global catalog servers. DNS is required to advertise global catalog servers for domain controller location.
By default, the first DC in a forest is a global catalog server.
FSMO - Expansion and its relevance
FSMO is short for Flexible Single Master Operations. Each of these words has its own significance. An operations master is a set of roles, each of which handles a separate operation. So why are "Flexible" and "Single" used?
"Single" is used because each role works independently on a single DC. Since these operations master roles can be moved across DCs, they are "Flexible", hence the name Flexible Single Master Operations. The terms Operations Master and Single Master Operation are also used interchangeably for FSMO.
The FSMO roles need not be installed separately; they are installed automatically during domain creation and by default reside on the first DC of the forest. All the roles can be moved to any DC in the forest, subject to some criteria that are explained later.
FSMO Roles
There are 5 FSMO roles, classified as forest-wide roles and domain-wide roles.
Forest-wide roles:
Schema Master
Domain Naming Master
There is only one Schema Master and one Domain Naming Master across the forest.
Domain-wide roles:
Infrastructure Master
PDC Emulator
RID Master
These roles are domain specific and exist once in each domain.
Schema Master
This role manages the schema of the forest.
Any updates or modifications to the existing schema are managed by this role.
Not dependent on a Global Catalog server.
Since this role is used rarely once the domains are set up, it is fine to place it on a DC without much processing capability.
Since the Schema Master role is required as long as the forest exists, it is recommended to place this role in the root domain.
If the Schema Master is down? No impact on the domain; the domain works as usual.
But if an admin tries to perform any schema-related change, an error occurs.
Domain Naming Master
Manages the addition and removal of domains in a forest.
It is recommended to make the DC holding the Domain Naming Master a Global Catalog server.
Since this role is used rarely once the domains are set up, it is fine to place it on a DC without much processing capability.
Since the Domain Naming Master role is required as long as the forest exists, it is recommended to place this role in the root domain.
If the Domain Naming Master is down? No impact on the domain; the domain continues to work as always.
New domains cannot be added and existing domains cannot be removed.
Infrastructure Master
When an object in one domain is referenced in another domain, the reference is represented by the GUID, SID and DN of the object being referenced (a phantom object).
Responsible for updating these cross-domain references.
Plays an important role when there are multiple domains, but has no relevance in a single-domain environment.
Do not hold the Infrastructure Master role on a DC holding the Global Catalog role unless all the DCs in the environment hold the GC role.
If the Infrastructure Master is down? No impact in a single-domain environment.
If there are multiple domains, a change to an object that is referenced by an object in another domain will not be reflected there.
Why the Infrastructure Master should not be a GC? (explained below)
PDC Emulator
Provides backward compatibility with legacy systems such as Windows NT.
Responsible for handling password changes in a domain.
Manages account lockout. Whenever authentication fails, a lockout counter is incremented by the PDC.
Responsible for keeping domain time in sync. The DC holding this role is the most credible and authoritative time server in the domain.
Responsible for updating group policy.
It is best to make the DC that serves the largest number of users the PDC emulator, as user logons often need to contact this DC for authentication.
If the PDC Emulator is down?
Users will not be able to change passwords.
Can lead to unsynchronized time, which can lead to logon failures.
Group policy update issues.
RID Master
The RID master is responsible for allocating RIDs to the DCs.
Each object has a SID, which is a combination of the domain SID and a RID.
Initially, each DC has a pool of 500 RIDs.
Once the RIDs allocated to a DC are drained, the DC contacts the RID master for a new pool of RIDs.
If the RID master is down?
Not much impact if the DCs have enough RIDs available in their pools.
New objects cannot be created once the RIDs are drained.
Why the Infrastructure Master should not be a Global Catalog server?
The Infrastructure Master role is responsible for managing cross-domain references. When we discuss cross-domain references, it is essential to discuss phantom objects.
An AD group can hold members of its own domain and groups from other domains (e.g. global groups and universal groups). For a group in one domain to contain members from another domain, a pointer or cross-domain reference is required. This cross-domain reference is called a phantom object.
Phantom objects need to be updated regularly. Each DC is responsible for updating its own phantom objects; for all DCs in the domain this task is done by the DC holding the Infrastructure Master (IM) role, except for DCs holding the GC role, which do not require the cross reference since they already hold a partial replica of all objects in the forest. A phantom object holds the GUID, Distinguished Name (DN) and SID of the object being referenced.
Process of updating phantom objects
Suppose an object X in domain A is referenced in another domain B. When a change is made to X, the following takes place:
1. A change is made to X (say, it is moved to another OU in the same domain A).
2. The GC of domain A is updated instantly.
3. Since the GC of domain B holds a partial replica of all other domains in the forest, this update is also reflected in the GC of domain B.
4. The Infrastructure Master (IM) continually checks the phantom objects in its own domain partition against the GC.
5. Since the GC of domain B is updated with the new change, the IM finds that the domain partition it holds is outdated, hence it updates its own domain partition and then updates the phantom object.
Now what happens if the IM is on a GC?
The domain partition of the IM is always up to date since the server is a GC.
Therefore the IM never finds any outdated objects in its own domain partition and so never updates the phantom object.
No impact if there is only one domain in the forest.
An IM can be on a GC when:
All the DCs in the domain are global catalog servers, or
There is only one domain in the forest.
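The role holders, the global catalog servers, the remaining RID pool and the one placement rule just described (Infrastructure Master on a GC only when every DC in the domain is a GC or the forest is a single domain) can all be checked in one report. The following PowerShell is an added example, not from the original page; it assumes the ActiveDirectory RSAT module and covers the Global Catalog, FSMO and Infrastructure Master sections above.

```powershell
# Added example (not from the original page): report FSMO role holders, which DCs are global
# catalogs, the domain's remaining RID pool, and whether the Infrastructure Master placement
# follows the rule above. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog, Site

    # rIDAvailablePool on CN=RID Manager$ is a 64-bit value: the high 32 bits hold the highest RID
    # the RID master may hand out, the low 32 bits hold the next RID that will be allocated to a DC.
    $ridMgr  = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) -Properties rIDAvailablePool
    $pool    = [int64]$ridMgr.rIDAvailablePool
    $maxRid  = [int64]($pool -shr 32)
    $nextRid = [int64]($pool -band 0xFFFFFFFF)

    $imHost       = $domain.InfrastructureMaster
    $imIsGC       = [bool]($dcs | Where-Object HostName -eq $imHost).IsGlobalCatalog
    $allGC        = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $singleDomain = ($forest.Domains.Count -eq 1)

    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $imHost
        GlobalCatalogs       = @($dcs | Where-Object IsGlobalCatalog).HostName
        RIDsRemaining        = $maxRid - $nextRid
        # IM on a GC is only acceptable when every DC is a GC or the forest has a single domain
        IMPlacementOK        = (-not $imIsGC) -or $allGC -or $singleDomain
    }
}

Get-FsmoPlacementReport
```

RIDsRemaining is the forest-level figure the RID master can still distribute; each DC also has its own allocation, which the dcdiag /TEST:RidManager command mentioned earlier on this page reports. An IMPlacementOK of False in a multi-domain forest means cross-domain group memberships will silently stop being updated, which is the failure described in the Infrastructure Master section.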
The content of the system state backup includes:
Registry
COM+ Class Registration database
Boot files, including the system files
System files that are under Windows File Protection
Active Directory directory service (If it is domain controller)
SYSVOL directory (If it is domain controller)
Cluster service information (If it is a part of a cluster)
IIS Metadirectory (If it is an IIS server)
Certificate Services database (If it is a certificate server)