Win Admin interview question


Can I deploy non-MSI software with GPO? Yes. Apart from MSI packages, Group Policy software installation also accepts ZAP files: a small text file that points at a legacy setup program. A ZAP package can only be published to users (never assigned), it is not installed with elevated privileges, and the setup runs under the user's own account, so the user needs the local rights to install software.

How frequently is the client policy refreshed? By default, Group Policy is refreshed in the background every 90 minutes, with a random offset of up to 30 minutes so that clients do not all hit the DC at once; domain controllers refresh every 5 minutes. You can set the interval from 0 to 44,640 minutes (31 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds; such short intervals interfere with users' work and add network traffic, so they are not appropriate for most installations. A background refresh only re-applies GPOs whose version has changed, with one exception: security settings are re-applied every 16 hours even when nothing has changed.

The refresh interval can be configured through Group Policy - GPO --> Computer Configuration --> Administrative Templates --> System --> Group Policy --> Set Group Policy refresh interval for computers (there are matching settings for users and for domain controllers).

How do the Group Policy No Override and Block Inheritance options work? No Override (called Enforced in GPMC) - marks a GPO link so that child containers cannot override its settings; an enforced GPO wins any conflict with GPOs linked lower down.

Block Inheritance - set on a domain or OU, stops it from inheriting GPOs linked at parent containers. It does not stop an Enforced link: Enforced always beats Block Inheritance.

Why can't you restore a DC that was backed up 4 months ago? The reason is tombstoning. When an object is deleted, AD keeps a tombstone for it for the tombstone lifetime (60 days in forests created before Windows Server 2003 SP1, 180 days afterwards) and then garbage-collects it. If a domain controller were restored from a backup older than the tombstone lifetime, it might still contain objects that were deleted in the meantime, and because the tombstones have already been removed from the other replicas, the deletion never replicates to the restored DC; the deleted objects come back to life as lingering objects. This is why Backup refuses to restore data from a backup older than the tombstone lifetime.

More details about tombstoning -http://www.systemadminguide.in/2013/11/active-directory-tombstone.html
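As an added check (example code, not from these notes): read the forest's actual tombstone lifetime and decide whether a backup of a given age is still restorable. It assumes the ActiveDirectory PowerShell module (RSAT) and a reachable domain controller.

```powershell
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # The lifetime lives on the Directory Service object in the configuration partition
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
    # An unset attribute means the original default of 60 days; forests created on
    # Windows Server 2003 SP1 or later have it set explicitly (normally 180)
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Test-BackupRestorable {
    param([Parameter(Mandatory)][datetime]$BackupDate)
    $lifetime = Get-TombstoneLifetimeDays
    $ageDays  = [int][math]::Floor(((Get-Date) - $BackupDate).TotalDays)
    [pscustomobject]@{
        BackupAgeDays     = $ageDays
        TombstoneLifetime = $lifetime
        Restorable        = ($ageDays -lt $lifetime)
    }
}

# The four-month-old backup from the question above
Test-BackupRestorable -BackupDate (Get-Date).AddMonths(-4)
```

With the old 60-day default a four-month-old backup reports Restorable = False; in a forest set to 180 days it is still usable, which is why the answer should start with "it depends on the tombstone lifetime" rather than a fixed number.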

I want to look at the RID allocation table for a DC. What do I do? Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"
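The same information without dcdiag, as an added example that is not part of the original notes: the RID master publishes the domain-wide pool in the rIDAvailablePool attribute of CN=RID Manager$, a 64-bit value whose high 32 bits are the highest RID the domain may ever issue and whose low 32 bits are the next RID to be handed out. Assumes the ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    $domainDn = (Get-ADDomain).DistinguishedName
    $ridMgr   = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domainDn) -Properties rIDAvailablePool
    $pool = [int64]$ridMgr.rIDAvailablePool
    $max  = $pool -shr 32            # highest RID issuable (0x3FFFFFFF unless the 31st bit was unlocked)
    $next = $pool -band 0xFFFFFFFF   # next RID the master will allocate to a DC's local block
    [pscustomobject]@{
        NextAvailableRid = $next
        MaximumRid       = $max
        RemainingRids    = $max - $next
        PercentUsed      = [math]::Round(100 * $next / $max, 2)
    }
}

Get-RidPoolStatus
```

NextAvailableRid and MaximumRid are the two numbers dcdiag prints as "Available RID Pool for the Domain is X to Y". A NextAvailableRid that jumps by tens of thousands between checks means RID blocks are being burned (repeated promotions/demotions, or a DC that keeps invalidating its block) and is worth investigating before the pool runs dry.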

Can you connect Active Directory to other 3rd-party directory services? Name a few options. Microsoft Identity Integration Server (MIIS), later renamed Identity Lifecycle Manager (ILM)

Forefront Identity Manager (FIM), now Microsoft Identity Manager (MIM). All of these synchronise identities between AD and other directories or HR systems through connectors (management agents).

Can you explain the Netlogon service? Netlogon maintains the secure channel between a domain member (workstation or server) and a domain controller, passes NTLM logon requests through that channel to the DC, and on a DC registers the locator SRV records in DNS. If the secure channel breaks (for example after a machine account password mismatch), domain logons on that member fail.

What is urgent replication in AD? Normally a change on a DC (say DC1) is notified to its first intra-site replication partner (say DC2) after 15 seconds, and to each further partner 3 seconds after that. Once notified, DC2 pulls the change into its database and in turn notifies its own partners after the same delay. Across several hops this adds up, and for some changes that is a real problem: an account lockout, for example, has to take effect everywhere at once or the attacker simply moves on to the next DC. Urgent replication bypasses the notification delay and sends the notification immediately. It is triggered by account lockouts, LSA secret changes (such as trust passwords) and RID manager state changes, and it works within a site (between sites only where change notification is enabled on the site link). Account lockouts are additionally pushed straight to the PDC emulator, which is why that role matters for lockout handling.

How do you move the AD database to another location (from C:\AD to D:\AD)? First, stop the Active Directory Domain Services service

Open Command Prompt with Admin privilege

Run ntdsutil tool

In the ntdsutil prompt, type Activate instance ntds

Then type files

In the next prompt (file maintenance), type move db to D:\AD

Once the database is moved, move the logs using the command move logs to D:\AD

Once completed, start the Active Directory Domain Services service again and check the Directory Service event log for the new database and log paths
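The same procedure scripted, as an added example (not part of these notes). It runs elevated on the DC, assumes D:\AD as the target folder, and relies on ntdsutil accepting its menu commands as quoted command-line arguments; the dependent services that stopping NTDS takes down with it (DNS, KDC, Netlogon, DFSR) are restarted afterwards.

```powershell
$Target = 'D:\AD'
if (-not (Test-Path -LiteralPath $Target)) {
    New-Item -ItemType Directory -Path $Target | Out-Null
}

# Remember which dependents are running so they can be brought back in the same state
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force      # -Force stops the dependents as well

# One quoted argument per ntdsutil prompt: activate the instance, enter the files menu,
# move the database, move the logs, then quit the files menu and ntdsutil itself
& ntdsutil.exe 'activate instance ntds' 'files' "move db to $Target" "move logs to $Target" 'quit' 'quit'

# Do not start NTDS against a half-moved database: verify the file really is in the new place
if (-not (Test-Path -LiteralPath (Join-Path $Target 'ntds.dit'))) {
    throw "ntds.dit not found in $Target; review the ntdsutil output before starting NTDS"
}

Start-Service -Name NTDS
$dependents | Start-Service

# ntdsutil rewrites these registry values; confirm they point at the new location
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' |
    Select-Object 'DSA Database file', 'Database log files path', 'DSA Working Directory'
```

ntdsutil sets the NTFS permissions on the new folder itself (SYSTEM and Administrators only); if you pre-create D:\AD, do not loosen them, because anyone who can read ntds.dit offline has every password hash in the domain.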

What is the schema version of Windows 2008 R2? 47. Schema versions (the objectVersion attribute of the Schema container) by release:

Windows 2003 R2 - 31

Windows 2008 - 44

Windows 2008 R2 - 47

Windows 2012 - 56

Windows 2012 R2 - 69

Windows 2016 - 87

Windows 2019 - 88

What is the number of permitted unsuccessful logons for the Administrator account? Unlimited: the built-in Administrator account (RID 500) is exempt from the account lockout threshold; other members of the Administrators group lock out like any other user. That exemption is exactly why the account is a favourite target for password spraying, so rename it and give it a long password. Recent Windows versions add an "Allow Administrator account lockout" security option (enabled by default on new installs) which removes the exemption.

Difference between Everyone and Authenticated Users? Authenticated Users (S-1-5-11) - every user and computer whose identity has been authenticated, including accounts from trusted domains; it excludes Guest and anonymous logons.

Everyone (S-1-1-0) - on Windows XP/2003 and later, Everyone includes all Authenticated Users plus Guest; before that it also included the anonymous logon. The old behaviour can be turned back on with the policy 'Network access: Let Everyone permissions apply to anonymous users', which is why an ACL granting Everyone is weaker than one granting Authenticated Users.

How many passwords are remembered by default when you enable Enforce password history? 24 in the Default Domain Policy (the maximum the setting allows); on a standalone machine the local default is 0. It only has teeth together with a minimum password age, otherwise users cycle through 24 changes in a minute to get back to the old password.

What is the IP helper-address feature and why is it required in a DHCP environment? DHCP discovery is a broadcast, and routers do not forward broadcasts, so a client on a subnet without a local DHCP server would never reach it. ip helper-address implements the DHCP relay agent on Cisco routers.

It is configured on the router interface that faces the DHCP clients.

The relay takes the client's DHCP Discover broadcast, fills in the giaddr (gateway address) field with the address of that interface, and unicasts the packet to the DHCP server.

The DHCP server uses giaddr to identify the client's network and hands out an address from the matching scope. Option 82 (the relay agent information option) is a separate, optional feature that adds circuit and remote IDs to the request; scope selection does not depend on it. One caveat: ip helper-address forwards several UDP services by default (DNS, TFTP, NetBIOS name and datagram, Time, TACACS, not only DHCP); restrict it with no ip forward-protocol udp for the ports you do not need relayed.

What are FRS and DFS-R? File Replication Service (FRS) was introduced in Windows 2000 Server to replicate DFS replicas and the SYSVOL folder between domain controllers. It is deprecated; Windows Server 2019 and later will not promote a DC into a domain whose SYSVOL still uses FRS.

Distributed File System Replication (DFS-R) arrived in Windows Server 2003 R2 as the replacement for FRS for DFS replication, and from the Windows Server 2008 domain functional level it can replicate SYSVOL too. Migrating SYSVOL from FRS to DFS-R is done with dfsrmig through the Prepared, Redirected and Eliminated states; dfsrmig /getglobalstate shows where a domain stands.

What are Group Policy Preferences? Group Policy Preferences (GPP) are a set of client-side extensions released with Windows Server 2008 that let administrators push things classic policies could not: mapped drives, registry values, local users and groups, scheduled tasks, services, printers, files and shortcuts. Unlike policies, preferences are written once and not enforced, so the user can change them afterwards. Security caveat: the GPP editor used to accept a password for items such as local user accounts, services and scheduled tasks; it was stored in the preference XML in SYSVOL as the cpassword attribute, encrypted with a fixed AES key that Microsoft published, so any domain user who can read SYSVOL can decrypt it. MS14-025 removed the ability to create new ones but left existing items in place, so old cpassword entries in SYSVOL need to be hunted down and removed.
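A check for the leftover credentials described above, as an added example (not from the original notes): it walks the Policies folder in SYSVOL and reports every preference item that still carries a cpassword attribute. The SYSVOL path is derived from the current domain; a constructed Groups.xml is written to a temp folder so the function can be exercised offline.

```powershell
function Find-GppCpassword {
    param([string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")
    # Only these preference files can carry credentials
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path $PoliciesPath -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        $xml  = [xml](Get-Content -LiteralPath $file -Raw)
        # Any element with a cpassword attribute, whatever the preference type
        foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
            # The account attribute name differs per item type
            $account = foreach ($a in 'userName', 'accountName', 'runAs') { $v = $node.GetAttribute($a); if ($v) { $v } }
            [pscustomobject]@{
                File      = $file
                Element   = $node.LocalName
                Account   = ($account | Select-Object -First 1)
                HasSecret = [bool]$node.GetAttribute('cpassword')   # an empty cpassword="" is harmless
            }
        }
    }
}

# Constructed sample (the cpassword value is a placeholder, not a real ciphertext)
$demoRoot = Join-Path $env:TEMP 'gpp-demo'
$demoDir  = Join-Path $demoRoot '{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin">
    <Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER+NOT+A+REAL+VALUE=" userName="localadmin"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $demoDir 'Groups.xml') -Encoding UTF8

Find-GppCpassword -PoliciesPath $demoRoot | Format-Table -AutoSize   # one row: User / localadmin / HasSecret True
# Real run against the domain:
# Find-GppCpassword | Format-Table -AutoSize
```

Every hit is a password that should be treated as already compromised: delete the preference item (or the whole GPO) and rotate the account, rather than just removing the attribute from the XML, because older SYSVOL copies and backups still carry it.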

What is the use of LDP.exe? LDP is a graphical LDAP client that shipped in the Windows Support Tools on Windows Server 2003 and is built in from Windows Server 2008 onward. It lets you bind to a DC, browse the naming contexts, run arbitrary LDAP searches against Active Directory and view or edit attributes, including ones the management consoles hide.

How do you replace a failed RAID controller? It depends on the controller. With modern controllers the RAID configuration metadata is written to the disks themselves, so replacing the controller with the same model (or a model the vendor lists as compatible) and, if prompted, importing the 'foreign' configuration brings the array back without data loss. Mixing vendors or incompatible models is the way to lose the array, so confirm compatibility before swapping.

What is the difference between RAID 1 and RAID 5? RAID 1 - Mirroring - every write goes to two disks at once, so the array survives losing either disk and rebuilds by a straight copy. The cost is capacity: you always need twice the disks you actually use. Minimum 2 disks required.

RAID 5 - Striping with distributed parity, the most common configuration. Data and a parity block are striped across all disks, with the parity rotating from disk to disk. Minimum 3 disks required. If one disk fails, its contents are recomputed by XOR-ing the surviving data and parity blocks of each stripe; a second failure before the rebuild finishes loses the array.

In RAID 5, which activity is faster - read or write? Reads are fast because they are spread across all disks. Writes are slower because a small write becomes a read-modify-write: read the old data and old parity, compute the new parity, write both.

RAID 0 (striping, no redundancy) and RAID 1 both have excellent read performance; RAID 0 also writes fast, while a RAID 1 write is limited to the speed of a single disk.
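The parity arithmetic behind the two answers above (rebuild from parity, and why writes cost more), as an added example that is not part of the original notes. It works on constructed 8-byte blocks standing in for the stripe units of a 3-disk array.

```powershell
function Get-Parity {
    # XOR of all blocks, byte by byte: this is the parity block RAID 5 stores for a stripe
    param([byte[][]]$Blocks)
    $parity = New-Object byte[] $Blocks[0].Length
    foreach ($block in $Blocks) {
        for ($i = 0; $i -lt $parity.Length; $i++) { $parity[$i] = $parity[$i] -bxor $block[$i] }
    }
    return ,$parity
}

function Restore-Block {
    # Rebuild the one missing block (data or parity) from every surviving block of the stripe
    param([byte[][]]$Surviving)
    return ,(Get-Parity -Blocks $Surviving)
}

function Update-Parity {
    # Small-write path: new parity = old parity XOR old data XOR new data, so one block write
    # costs two reads (old data, old parity) and two writes; this is the RAID 5 write penalty
    param([byte[]]$OldParity, [byte[]]$OldData, [byte[]]$NewData)
    return ,(Get-Parity -Blocks @($OldParity, $OldData, $NewData))
}

# Constructed stripe: two data blocks plus parity, the 3-disk RAID 5 minimum
$d0 = [byte[]](1..8)
$d1 = [byte[]](0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80)
$p  = Get-Parity -Blocks @($d0, $d1)

# The disk holding d1 fails: rebuild it from d0 and the parity
$rebuilt = Restore-Block -Surviving @($d0, $p)
"d1 rebuilt correctly: " + (($rebuilt -join ',') -eq ($d1 -join ','))

# d0 is overwritten: update parity incrementally and check it equals a full recompute
$d0new = [byte[]](0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x01, 0x02)
$pFast = Update-Parity -OldParity $p -OldData $d0 -NewData $d0new
$pFull = Get-Parity -Blocks @($d0new, $d1)
"incremental parity matches full recompute: " + (($pFast -join ',') -eq ($pFull -join ','))
```

Both lines print True. The same XOR identity is why a RAID 5 with two failed disks is unrecoverable: with two unknowns in the stripe there is nothing left to XOR against.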

Can we set up an AD site without a DC? Yes. A site is just a set of subnets; it can exist purely so that clients in those subnets are pointed at the DCs of a neighbouring site (automatic site coverage), and so that the replication topology and site-link costs can be planned before a DC is placed there.

What is DAS? How is it connected to the server? DAS is Direct Attached Storage: a disk enclosure connected straight to one server with no storage network in between. When a server has exhausted its internal drive bays, a DAS shelf is the simplest way to add capacity. It is usually connected over SAS cables to a SAS HBA or RAID controller in the server.

How is an iSCSI device connected to a server? The initiator on the server connects to the target portal (IP address, TCP port 3260), discovers the targets it offers, and logs in to the one identified by its IQN (iSCSI Qualified Name, e.g. iqn.2004-04.com.vendor:array1). Protect the login with CHAP (mutual CHAP if the array supports it) and keep iSCSI on its own non-routed network; by default the session is neither authenticated nor encrypted.

How can I add new HDD space to an existing drive? If the new space is unallocated on the same disk, just extend the volume (Disk Management, diskpart's extend, or Resize-Partition). Only if the extra space lives on a different physical disk do you need to convert the disk from basic to dynamic and span the volume, and a spanned volume fails if any member disk fails, so prefer extending or a proper RAID volume.

What happens when a standalone host is taken into maintenance mode ? The activity will wait until all VMs are shutdown.

What if all GCs in the environment are down? A global catalog is required for logons in a multi-domain forest: in a single-domain forest the DCs do not contact a GC to authenticate, but in a multi-domain forest the DC must query a GC for the user's universal group memberships before it can build the token, and if no GC answers the logon fails (Universal Group Membership Caching on the site can cover a short outage).

Universal group membership evaluation - universal groups exist only in a multi-domain forest and their membership is stored only in the GC.

UPN resolution - a DC needs a GC to map a UPN such as user@example.com to an account, so UPN logons fail while the GCs are down.

How to update Dell server BIOS ? Dell provides the update in different file formats. One for Windows , one for linux...If it is a VMware server, then download the Non-Packaged exe format from Dell website and copy it to a DOS bootable USB drive. Shutdown the server and boot from USB drive and execute the file.

DSET Dell Server E-Support Tool (DSET) provides the ability to collect hardware, storage and operating system information from Dell PowerEdge server.

How to upgrade ESXi 5.1 to ESXi 5.5 ? Using vSphere update manager

Upgrade interactively using the ESXi installer ISO image on CD/DVD or Flash drive

Using vSphere Auto Deploy

Using esxcli command-line interface

Maximum number of LUNs that can be attached to a host (ESXi 5.0): 256

Maximum number of vCPUs that can be assigned to a VM (ESXi 5.0): 32



What are the uses of the ntdsutil tool? Some of the main uses of ntdsutil (most menus need 'activate instance ntds' first):

authoritative restore - Authoritatively restores the Active Directory database or an AD LDS instance

ifm - Creates installation media for writable DC and RODC setups (offline DC provisioning)

metadata cleanup - Cleans up the objects of decommissioned servers

roles - Transfers and seizes operations master roles

set DSRM password - Resets the DSRM administrator password

snapshot - Manages snapshots of the volumes that contain the Active Directory database and log files


FSMO roles and their failure scenarios: http://www.systemadminguide.in/2013/07/fsmo-roles-in-nutshell.html


IPv6 addresses and their DNS record

128-bit address

Represented as 8 groups of 4 hexadecimal digits separated by colons (leading zeros and one run of zero groups may be compressed, e.g. 2001:db8::1)

Represented by an AAAA record in DNS; reverse lookups use PTR records under ip6.arpa

Addressing uses stateless autoconfiguration (SLAAC, from router advertisements) and/or DHCPv6; DHCPv6 on its own cannot supply the default gateway, which always comes from the router advertisement



Load balancer vs clustering

Clustering

A cluster is a group of resources that are trying to achieve a common objective and are aware of one another.

Clustering usually involves setting up the resources (usually servers) to exchange details on a particular channel (port) and keep exchanging their state, so a resource's state is replicated elsewhere as well.

It usually also includes load balancing, where a request is routed to one of the resources in the cluster according to the load-balancing policy.

Load balancing

Used to forward requests to one server or another, but one server does not use the other servers' resources, and no resource shares its state with the others.



Software installation using Group Policy

This can be done using 2 methods: assigning and publishing.

Assign: If you assign the program to a user, it is advertised (shortcuts and file associations) when the user logs on, and the installation completes when the user first runs the program.

If you assign the program to a computer, it is installed when the computer starts and is available to every user who logs on to that computer.

Publish: You can publish a program to users only.

When the user logs on, the published program is listed in Add or Remove Programs (Programs and Features), and it can be installed from there, or on demand through a file association.

MSI packages are what the Windows Installer service installs; a plain .exe cannot be deployed directly (wrap it in an MSI, or publish it through a ZAP file).

The installation is triggered only at startup (computer assignment) or logon (user assignment or publishing), not by a background refresh, so a user who is already logged on sees it after the next logoff/logon or restart.


Group Policy security filtering for users. Which users are in there by default? Members of the Authenticated Users group.

Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO).

In order for the GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy (AGP) permissions on the GPO, either explicitly or effectively through group membership.

By default, all GPOs have Read and AGP both allowed for the Authenticated Users group.

The Authenticated Users group includes both users and computers. This is how all authenticated users receive the settings of a new GPO when it is linked to an organizational unit, domain or site.

Caveat: since MS16-072 (June 2016) the user part of a GPO is retrieved in the computer's security context. If you replace Authenticated Users with a specific user group in the filter, the computer loses Read and the user settings silently stop applying. Keep Read for Authenticated Users (or Domain Computers) and remove only Apply Group Policy.
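An audit for the MS16-072 caveat above, as an added example (not from these notes): it lists GPOs on which neither Authenticated Users nor Domain Computers holds at least Read, which is the state that makes user settings stop applying. It assumes the GroupPolicy module (RSAT) and a connection to the domain.

```powershell
Import-Module GroupPolicy

function Get-GpoTrusteePermission {
    # Get-GPPermission throws when the trustee has no entry at all, so map that to 'None'
    param([Parameter(Mandatory)]$Gpo, [Parameter(Mandatory)][string]$Trustee)
    try {
        (Get-GPPermission -Guid $Gpo.Id -TargetName $Trustee -TargetType Group -ErrorAction Stop).Permission.ToString()
    } catch {
        'None'
    }
}

function Get-GpoMissingComputerRead {
    foreach ($gpo in Get-GPO -All) {
        $authUsers = Get-GpoTrusteePermission -Gpo $gpo -Trustee 'Authenticated Users'
        $computers = Get-GpoTrusteePermission -Gpo $gpo -Trustee 'Domain Computers'
        # GpoApply and the edit levels all include Read; only 'None' means no access at all
        if ($authUsers -eq 'None' -and $computers -eq 'None') {
            [pscustomobject]@{
                Name               = $gpo.DisplayName
                Id                 = $gpo.Id
                AuthenticatedUsers = $authUsers
                DomainComputers    = $computers
            }
        }
    }
}

Get-GpoMissingComputerRead | Format-Table -AutoSize

# Repair (after review): grant Read only, so the existing filtering on Apply Group Policy is preserved
# Set-GPPermission -Guid <GPO id> -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead
```

The repair line is deliberately left commented: a GPO with no Read for computers is sometimes that way on purpose (a user-only GPO that was filtered before 2016 and never fixed), so confirm each one before restoring access.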



Relevance of the hosts file and its location

It predates DNS: hosts was the original name-to-address table.

The resolver consults its local cache, which is seeded from the hosts file, before it asks DNS, so an entry here overrides DNS for that name.

Location: C:\Windows\System32\drivers\etc\hosts (no extension). It is writable only by administrators, and malware that gets that far likes to add entries that blackhole update and security-vendor names, so it is worth checking during incident triage.


L3 switch vs routers

L3 switches generally have only Ethernet ports, whereas routers have WAN interfaces

Routers offer richer QoS, deep packet inspection and firewall features; L3 switches do QoS too, but mostly port-level marking and queuing in hardware

Routers have expansion slots and cards that allow them to use different media types, like serial connections for T1 and T3 circuits

Routers are more flexible in handling packets (software forwarding with many features); L3 switches forward in ASICs, which is faster but less feature-rich

Most L3 switches do not support NAT


VLAN vs subnet

A VLAN works at layer 2 (it is a broadcast domain), while a subnet is a layer 3 concept (a range of IP addresses)

Subnets are only about IP addressing; two subnets on the same VLAN still share one broadcast domain

VLANs reduce broadcast traffic and let you separate groups of hosts on the same physical switch

Separation by subnet alone is weak: hosts on the same VLAN can reach each other at layer 2 regardless of subnet, and anyone can simply add a second IP address. Separate VLANs force traffic through a router or firewall where it can be filtered; in practice one VLAN maps to one subnet


Contents of System State backup

Registry

COM+ Class Registration database

Boot files, including the system files

System files that are under Windows File Protection

Active Directory directory service (If it is domain controller)

SYSVOL directory (If it is domain controller)

Cluster service information (If it is a part of a cluster)

IIS metabase (if it is an IIS server)

Certificate Services database (If it is a certificate server)


Incremental vs differential backups

Incremental backup - Will take the backup of files whose archive bits are set and resets it after backup

Differential backup - Will take the backup of files whose archive bits are set but does not reset it after backup


Robocopy

Microsoft tool used for copying files effectively

It has plenty of options to manage the copy process


How do you patch Microsoft applications? Frequency of patches released by Microsoft

Microsoft applications can be patched using WSUS (Windows Server Update Services), which downloads updates from Microsoft Update and lets you approve them centrally.

In WSUS, we can create several computer groups (pilot first, then production) to stage the patch process.

MS patches are released once a month, on the second Tuesday (Patch Tuesday); critical fixes are sometimes released out of band.


Explain GPO, GPC & GPT

GPO - Group Policy Object: the policy that is configured in Active Directory and applied to domain member computers and users. You can link a GPO at the site, domain or OU level. A GPO stores its settings in two places, the GPC and the GPT.

GPO processing order: Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO (LSDOU); later ones win conflicts, so the closest OU wins unless a higher link is Enforced.

GPC - Group Policy Container: the AD portion of the group policy. This can be viewed using ADSI Edit. It stores version information, status information and other policy information. When you create a new GPO, an AD object of class groupPolicyContainer is created under CN=Policies,CN=System in your domain, named by the GPO's GUID; its gPCFileSysPath attribute points at the matching GPT.

GPT - Group Policy Template: where the GPO stores the actual settings: software policy, scripts and deployment information, plus a GPT.ini carrying the version number.

The GPT is stored in the SYSVOL share (\\DomainNameHere\SYSVOL\DomainNameHere\Policies\{GUID}) whereas the GPC is stored in AD. The two version numbers must match; a mismatch means S YSVOL replication is behind AD replication and clients will log it in gpresult and the Group Policy event log.
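A consistency check between the two halves, as an added example (not from the original notes): read every groupPolicyContainer's versionNumber from AD, read the Version line of the GPT.ini in the folder its gPCFileSysPath points at, and report mismatches. It assumes the ActiveDirectory module and read access to SYSVOL.

```powershell
Import-Module ActiveDirectory

function Compare-GpoVersions {
    $domainDn = (Get-ADDomain).DistinguishedName
    $gpcs = Get-ADObject -SearchBase "CN=Policies,CN=System,$domainDn" -SearchScope OneLevel `
                -LDAPFilter '(objectClass=groupPolicyContainer)' `
                -Properties displayName, versionNumber, gPCFileSysPath
    foreach ($gpc in $gpcs) {
        $adVersion = [int]$gpc.versionNumber
        $gptIni    = Join-Path $gpc.gPCFileSysPath 'GPT.ini'
        $sysvolVersion = -1                                  # -1: GPT.ini missing or unreadable
        if (Test-Path -LiteralPath $gptIni) {
            $m = [regex]::Match((Get-Content -LiteralPath $gptIni -Raw), 'Version=(\d+)')
            if ($m.Success) { $sysvolVersion = [int]$m.Groups[1].Value }
        }
        [pscustomobject]@{
            Name        = $gpc.displayName
            Guid        = $gpc.Name
            # versionNumber packs two 16-bit counters: user settings in the high word, computer in the low word
            UserVer     = $adVersion -shr 16
            ComputerVer = $adVersion -band 0xFFFF
            AdVersion   = $adVersion
            SysvolVer   = $sysvolVersion
            InSync      = ($adVersion -eq $sysvolVersion)
        }
    }
}

Compare-GpoVersions | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

A GPO that stays out of sync after a replication cycle usually means the GPT folder did not replicate (check DFS-R backlog or the FRS event log); a SysvolVer of -1 means the folder is missing on the DC you are querying, which clients will report as an "access denied" or "file not found" during policy processing.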


What is CPU affinity in VMware? Its impact on DRS?

'CPU' here refers to a logical processor on a hyperthreaded system and to a core on a non-hyperthreaded system

By setting CPU affinity for a VM, you restrict its vCPUs to a subset of the host's processors

The main use is for simulation or display-intensive workloads that require extra threads alongside the vCPUs; otherwise it is not recommended, since the scheduler balances better than a static pin

DRS does not migrate a VM that has CPU affinity set; in a DRS cluster you can only set affinity on a VM whose DRS automation level is manual or partially automated

http://frankdenneman.nl/2011/01/11/beating-a-dead-horse-using-cpu-affinity/

VM version 4 vs VM version 7

Version 4 (runs on ESX 3.x)

Max supported RAM 64 GB

Max vCPUs 4

MS cluster is not supported

4 NICs/VM

No USB support

Version 7 (runs on vSphere 4.x)

Max supported RAM 255 GB

Max vCPUs 8

MS cluster is supported

10 NICs/VM

USB support


What happens to the VMs if a standalone host is taken into maintenance mode?

For standalone hosts, VMware recommends that VMs be powered off before putting the host into maintenance mode.

If you put a standalone host into maintenance mode without powering off the VMs, it stays in the 'entering maintenance mode' state until all VMs are shut down.

When all the VMs are powered down, the host status changes to 'under maintenance'.

http://pubs.vmware.com/vsphere-4-esx-vcenter/index.jsp#using_drs_clusters_to_manage_resources/c_using_maintenance_mode.html

What is new in Windows Server 2012

Server Core improvements: no need for a fresh installation; you can add or remove the GUI from Server Manager

Remotely manage servers and add or remove roles using Server Manager; it can manage 2008 and 2008 R2 once WMF 3.0 is installed (installed by default on Server 2012)

Remote Server Administration Tools are available for Windows 8 to manage a Windows Server 2012 infrastructure

PowerShell v3

Hyper-V 3.0 supports up to 64 virtual processors and 1 TB RAM per virtual machine

and up to 320 logical processors and 4 TB RAM per host

Shared-nothing live migration: move VMs between hosts without shared storage

ReFS (Resilient File System), a new file system alongside NTFS that checksums its metadata and supports larger volumes and longer paths: the total path limit rises to 32K characters (a single file name component is still 255). It drops some NTFS features such as EFS, compression and quotas

Improved CHKDSK that repairs corruption online, taking the volume offline only for seconds


How does the backup software recognize that a file has changed since the last backup?

Files carry a bit called the archive bit, which the file system sets whenever the file is created or modified.

The backup softwares normally checks the archive bit of the file to determine whether the file has to be backed up or not

How can you edit a VM template? A template cannot be modified in place.

First, convert the template to a virtual machine.

After making the necessary changes in the virtual machine, convert it back to a template.

VMware configuration maximums

                     ESXi 5.5   ESXi 5.1          ESXi 5.0          ESXi 4.x
VMs
  vCPU               64         64                32                8
  RAM                1 TB       1 TB              1 TB              255 GB
  vNIC               10         10                10                10
  VMDK size          62 TB      2 TB minus 512 B  2 TB minus 512 B  2 TB (8 MB block size)
Hosts
  Logical CPUs       320        160               160               160
  Memory             4 TB       2 TB              2 TB              1 TB
  LUNs               256        256               256               256
  LUN size           64 TB      64 TB             64 TB             64 TB
  Virtual machines   512        512               512               320

What is the major difference between Windows Server 2008 and Windows Server 2012 in terms of AD promotion?

In Windows Server 2012, dcpromo has been deprecated. To make a Windows Server 2012 server a domain controller, install the Active Directory Domain Services role from Server Manager, then run the post-deployment configuration wizard from Server Manager (or the Install-ADDSDomainController cmdlet) to promote the server to a domain controller.



What is vSAN? It is a hypervisor-converged storage solution built by aggregating the local storage attached to the ESXi hosts managed by a vCenter.

Recommended iSCSI configuration? A separate vSwitch, and a separate network other than VMtraffic network for iSCSI traffic. Dedicated physical NICs should be connected to vSwitch configured for iSCSI traffic.

What is iSCSI port binding? Port binding is used in iSCSI when multiple VMkernel ports for iSCSI reside in the same broadcast domain and IP subnet, to allow multiple paths to an iSCSI array that presents a single target IP address.

iSCSI port binding considerations ? Array Target iSCSI ports must reside in the same broadcast domain and IP subnet as the VMkernel port.

All VMkernel ports used for iSCSI connectivity must reside in the same broadcast domain and IP subnet.

All VMkernel ports used for iSCSI connectivity must reside in the same vSwitch.

Currently, port binding does not support network routing.

Recommended iSCSI configuration of a 6 NIC infrastructure ? (Answer changes as per the infrastructure requirements) 2 NICs for VM traffic

2 NICs for iSCSI traffic

1 NIC for vMotion

1 NIC for management network

Post conversion steps in P2V Adjust the virtual hardware settings as required

Remove non present device drivers

Remove all unnecessary devices such as serial ports, USB controllers, floppy drives etc..

Install VMware tools

Which esxtop metric will you use to confirm a storage latency issue? esxtop --> d (disk device view) --> DAVG/cmd, the average latency of the device/array itself. Compare it with KAVG/cmd (time spent in the VMkernel, normally near zero; high values mean queuing on the host) and GAVG/cmd (what the guest sees, DAVG plus KAVG).

What are standby NICs These adapters will only become Active if the defined Active adapters have failed.

Path selection policies in ESXi Most Recently Used (MRU)

Fixed

Round Robin

Which networking features are recommended while using iSCSI traffic iSCSI port binding

Jumbo Frames

Ports used by vCenter 80,443,902

What is 'No Access' role Users assigned with the 'No Access' role for an object, cannot view or change the object in any way

When is a swap file created? When the VM is powered on, not when the guest OS is installed. The .vswp file sits in the VM folder (or the host's configured swap datastore), is sized at configured memory minus the memory reservation, and is deleted at power-off.

The Active Directory group whose members become ESXi administrators by default when a host is joined to AD: ESX Admins. This is a security trap: any group with that name, created by anyone allowed to create groups, gets full admin on every domain-joined host. It was abused in the wild (CVE-2024-37085), and VMware stopped granting it by default in ESXi 8.0 Update 3; on older hosts change the group name with the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup or turn the automatic grant off with Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd.

Which command is used in ESXi to manage and retrieve information from virtual machines? vim-cmd vmsvc/... in the ESXi shell (for example vim-cmd vmsvc/getallvms); vmware-cmd is the equivalent in the vSphere CLI and the old ESX service console.

Which is the command used in ESXi to view live performance data? esxtop

Command line tool used in ESXi to manage virtual disk files? vmkfstools

Port used for vMotion 8000

Log file location on a VMware host: /var/log on the ESXi host (vmkernel.log, hostd.log, vpxa.log, auth.log); each VM additionally writes vmware.log into its own folder on the datastore. Forward them to a syslog server (Syslog.global.logHost), since /var/log on ESXi lives on a ramdisk and is lost at reboot unless a persistent scratch location is configured.

Can you map a single physical NIC to multiple virtual switches ? No

Can you map a single virtual switch to multiple physical NICs? Yes. This method is called NIC teaming.

VMKernel portgroup can be used for: vMotion

Fault Tolerance Logging

Management traffic

Major difference between ESXi 5.1 and ESXi 5.5 free versions Till ESXi 5.1 free version there was a limit to the maximum physical memory to 32 GB. But from 5.5 onwards this limit has been lifted.

What is the IPAM server in Windows Server 2012? IPAM (IP Address Management) is a Windows Server 2012 feature that enables central management of both DHCP and DNS servers. It can also be used to discover, monitor and audit DHCP and DNS servers, and to track which address was leased to which client and when.

How to promote a server to domain controller in Windows server 2012? DCPROMO was the conventional tool used to promote a normal server to DC. This is now deprecated in Server 2012.

In Server 2012, you can convert a server into DC using the server manager console. Under Server Manager, add a new role "Active Directory Domain Services"

Windows 2003 vs Windows 2008

RODC

WDS instead of RIS

Services have been replaced by roles and features, managed from Server Manager

Introduction of Hyper-V (only on 64-bit versions)

Enhanced Event Viewer

BitLocker feature

Server Core installation without GUI

MMC 3.0, with three-pane view

Key Management Service (KMS) to activate Windows without connecting to Microsoft

Performance enhancements using technologies like Windows SuperFetch, ReadyBoost and ReadyDrive

Windows Aero user interface

Instant search

Support for IPv6 in DNS

ESX vs ESXi

ESXi has no Service Console (the RHEL-derived management OS that ESX ran alongside the VMkernel), which removes a large attack surface and most of the patching

ESXi is extremely thin (a few hundred MB), hence fast installation and fast boot

ESXi can be purchased embedded on the hardware (on a flash card or USB key)

ESXi has built-in server health status (CIM) reporting

ESXi 4.1 vs ESXi 5.0 - Migration

Local upgrade from CD

VMware Update Manager (only supports upgrade of ESX/ESXi 4.x to ESXi 5.0)

ESXi 4.1 vs ESXi 5.0 - Features

vSphere Auto Deploy

Storage DRS

HA - primary/secondary concept changed to master/slave

Profile-driven storage

VMFS version: 3 -> 5

ESXi firewall

Virtual hardware version: 7 -> 8

VMware Tools version: 4.1 -> 5

vCPUs per VM: 8 -> 32

vRAM per VM: 255 GB -> 1 TB

VMs per host: 320 -> 512

RAM per host: 1 TB -> 2 TB

USB 3.0 support

vApp

FSMO roles

Schema Master

Domain naming master

Infrastructure master

PDC Emulator

RID master

GPO

GPO

Templates (ADMX)

Block inheritance

Enforced

Loopback policy

Forest and Domain concepts

OSI layer

Application Layer

Presentation Layer

Session Layer

Transport Layer

Network Layer

DataLink layer

Physical Layer

ASA - site to site VPN

HA 5.0

Uses an agent called FDM - Fault Domain Manager

HA now talks directly to hostd instead of using the vCenter agent vpxa

Master/slave concept

Master: monitors the availability of hosts and VMs

manages VM restarts after a host failure

maintains the list of all VMs on each host

restarts failed VMs

exchanges state with vCenter

monitors the state of the slaves

Slave: monitors its running VMs, sends status to the master and performs restarts on request from the master

monitors the master node's health

if the master fails, participates in the election

Two different heartbeat mechanisms - network heartbeat and datastore heartbeat

Network heartbeat: sent between slave and master every second

When a slave stops receiving heartbeats from the master, it checks whether it is isolated itself, or whether the master is isolated or has failed

Datastore heartbeat: used to distinguish between isolation and failure

Uses the poweron file in the datastore to determine isolation

This mechanism is used only when the master loses network connectivity with a host

2 datastores are chosen for this purpose by default

Isolation response: Power Off

Leave Powered On

Shut Down

vMotion

vMotion enables live migration of running virtual machines from one host to another with zero downtime

Prerequisites

Host must be licensed for vMotion

Configure each host with at least one vMotion network interface (VMkernel port group)

Shared storage (no longer required from vSphere 5.1, which can migrate storage and host at the same time)

Same VLAN and port-group label on both hosts, so the VM's network keeps working after the move

Gigabit Ethernet (or faster) network between hosts; vMotion traffic is unencrypted before vSphere 6.5, so keep it on an isolated VLAN

Processor compatibility between hosts (or EVC enabled on the cluster)

vMotion does not support migration of applications clustered using Microsoft clustering service (RDMs in physical compatibility mode)

No CD-ROM/ISO attached from local host storage

No CPU affinity set

VMware Tools should be installed

RAIDRedundant Array of Independent disks

A category of disk drives that uses 2 or more drives in a combination for redundancy and performance

Most common RAIDs: RAID 0(Striped), RAID 1(Mirroring), RAID 5

Backup types

Full backup - Will take the backup of all selected files and reset the archive bit

Copy backup - Will take the backup of all selected files but does not reset the archive bit

Incremental backup - Will take the backup of files whose archive bits are set and resets it after backup

Differential backup - Will take the backup of files whose archive bits are set but does not reset it after backup
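The archive-bit mechanics that the incremental/differential definitions above (and the earlier Robocopy and 'how does backup software recognize a changed file' notes) rely on, as an added example that is not part of the original notes. It uses robocopy's /A (copy files with the bit set and leave it) and /M (copy them and clear it) on constructed files under %TEMP%.

```powershell
$src = Join-Path $env:TEMP 'arcdemo\src'
$inc = Join-Path $env:TEMP 'arcdemo\incremental'
$dif = Join-Path $env:TEMP 'arcdemo\differential'
foreach ($d in $src, $inc, $dif) { New-Item -ItemType Directory -Path $d -Force | Out-Null }

# Constructed data: the file system sets the Archive attribute on every new or modified file
'one' | Set-Content -LiteralPath (Join-Path $src 'a.txt')
'two' | Set-Content -LiteralPath (Join-Path $src 'b.txt')

function Get-ArchiveState([string]$Dir) {
    Get-ChildItem -LiteralPath $Dir -File | ForEach-Object {
        [pscustomobject]@{
            File       = $_.Name
            ArchiveSet = [bool]($_.Attributes -band [IO.FileAttributes]::Archive)
        }
    }
}

# Differential-style pass: /A copies files with the bit set and leaves the bit alone,
# so every later differential copies everything changed since the last full backup
robocopy $src $dif /A /NJH /NJS /NDL /NFL | Out-Null
'After /A (differential):'; Get-ArchiveState $src     # both files still ArchiveSet = True

# Incremental-style pass: /M copies files with the bit set and clears it,
# so the next incremental only picks up what changed since this one
robocopy $src $inc /M /NJH /NJS /NDL /NFL | Out-Null
'After /M (incremental):'; Get-ArchiveState $src      # both files ArchiveSet = False

# Modify one file: only that file gets the bit back and would be in the next incremental
'two-changed' | Set-Content -LiteralPath (Join-Path $src 'b.txt')
'After modifying b.txt:'; Get-ArchiveState $src       # a.txt False, b.txt True
```

Two practical notes: robocopy returns exit codes up to 7 for success (check $LASTEXITCODE -lt 8 in real jobs), and a backup copy made with robocopy should use /COPYALL (or /SEC) so that NTFS ACLs travel with the data; a restore that silently drops the ACLs is how a restricted share becomes world-readable.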

2003 to 2008 migration (in-place upgrade)

Can only be started from within the running Windows 2003 installation

Minimum of Windows 2003 SP1 required

Can only be upgraded to the same edition, except Windows Server 2003 Standard, which can go to either Standard or Enterprise

Extra space of about 30 GB required before the upgrade

Cannot upgrade to Server Core

Run adprep /forestprep and adprep /domainprep from the 2008 media before upgrading a domain (copy the sources\adprep folder for this)

ESXi update manager

Global Catalog

Global catalog (GC) is a role handled by domain controllers in an Active directory model.

The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.

Partial copy refers to the set of attributes that are most used for searching every object in every domain.

All domain controllers can be promoted as a GC.

GC helps in faster search of AD objects.

The replicas that are replicated to the global catalog also include the access permissions for each object and attribute.

If you are searching for an object that you do not have permission to access, you do not see the object in the list of search results. Users can find only objects to which they are allowed access.

Global catalog server clients depend on DNS to provide the IP address of global catalog servers. DNS is required to advertise global catalog servers for domain controller location.

By default, the first DC in a forest is a global catalog server; in a single-domain forest there is no cost in making every DC a GC.

Basic networking concepts

RODC

New feature in Windows 2008

Holds only a read-only copy of the directory database

An RODC has all the objects of a normal DC, read-only, with one exception: account passwords (secrets) are not stored unless caching is allowed for that account

Updates are replicated to the RODC from writable DCs (one-way); clients that need to write are referred to a writable DC

Password caching: lets the RODC keep the credentials of accounts that have authenticated through it, so those users can still log on if the WAN link to the writable DC is down

Password Replication Policy (PRP): the allowed and denied lists that decide whose credentials may be cached; privileged accounts are denied by default. Keep it tight, because if the RODC is stolen only the cached credentials are exposed, and the 'reset all passwords for accounts cached on this RODC' option when you delete its computer object tells you exactly which ones to rotate

DNS can be integrated with an RODC but it will not accept dynamic updates directly. For any DNS change, the RODC refers the client to a DNS server that hosts a primary or AD-integrated zone

NAS vs SAN

Both are storage solutions

NAS is reached over the LAN by any device that speaks SMB or NFS, whereas a SAN presents block devices (LUNs) to servers over Fibre Channel or iSCSI

NAS is file-based whereas SAN is block-based storage

NAS is cheap while SAN is expensive

SAN is comparatively faster than NAS, with lower latency, and is what clustered or database workloads normally want

What is DRS? Types of DRS

Distributed Resource Scheduler

It is a feature of a cluster

DRS continuously monitors utilization across the hosts and moves virtual machines to balance the computing capacity

DRS uses vMotion for its functioning

Types of DRS

Fully automated - VMs are placed and moved across the hosts automatically. No admin intervention required.

Partially automated - VMs are placed on a host automatically at power-on, but once they are running vCenter only shows DRS migration recommendations, and the admin has to apply them manually.

Manual - The admin has to act on both placement and migration recommendations.

DRS prerequisitesShared storage

Processor compatibility of hosts in the DRS cluster

vMotion prerequisites

vMotion is not working. What are the possible reasons?Ensure vMotion is enabled on all ESX/ESXi hosts

Ensure that all vmware pre requisites are met

Verify if the ESXi/ESX host can be reconnected or if reconnecting the ESX/ESXi host resolves the issue

Verify that time is synchronized across environment

Verify that the required disk space is available

What happens if a host is taken to maintenance modeHosts are taken to maintenance mode during the course of maintenance

In a single ESX/ESXi setup, all the VMs need to be shutdown before getting into maintenance mode

In a vCenter setup If DRS is enabled, the VMs will be migrated to other hosts automatically.

How will you clone a VM in ESXi without vCenter?

Using vmkfstools (vmkfstools -i source.vmdk clone.vmdk) to clone the disk, then register a new VM that uses it

Copy the VMDK file and attach it to a new VM

Using VMware Converter

Explain Traverse Folder

Traverse Folder allows or denies moving through a folder to reach files and folders beneath it in the hierarchy, even when the user has no other rights on that folder.

It takes effect only when the user or group is not granted the 'Bypass traverse checking' user right in Group Policy. By default that right is held by Everyone, so Traverse Folder is rarely the thing that stops anyone; removing the right from Everyone is what makes the folder permission bite. This permission does not by itself allow running program files (that is Execute File, which shares the same check box).

The Netlogon service on a DC is responsible for registering the DC's SRV records in DNS under _ldap._tcp.dc._msdcs.domain.com (alongside _kerberos._tcp.dc._msdcs.domain.com and the plain _ldap._tcp.domain.com set). It also registers site-specific records under _ldap._tcp.<SiteName>._sites.dc._msdcs.domain.com, based on the site the DC belongs to.

When a client first tries to log on to an AD domain, it sends a DNS query for the DCs listed under _ldap._tcp.dc._msdcs.domain.com. From the list it picks a DC (weighted by the SRV priority and weight) and sends it an LDAP ping (a UDP CLDAP query) asking which site the client's IP address belongs to. The DC returns the client's site, its own site, and the DS_CLOSEST_FLAG bit, which says whether the answering DC is in the client's site. If the flag shows the client did not reach a DC in its own site, the client sends a site-specific DNS query for _ldap._tcp.<SiteName>._sites.dc._msdcs.domain.com and switches to one of those. None of this is authenticated, which is why a spoofed DNS answer or CLDAP reply can steer a client to a rogue DC; Kerberos mutual authentication and SMB signing are what stop the rogue from being useful.
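The two DNS lookups described above, reproduced as an added example (not from the original notes) so you can compare what DNS returns with what Netlogon actually chose. The domain name comes from the current session; the site name is read from nltest /dsgetsite, which performs the LDAP ping for us.

```powershell
function Get-DcSrvRecords {
    param([Parameter(Mandatory)][string]$Domain, [string]$Site)
    # Generic record first; the site-specific one once the client knows its site
    $name = if ($Site) { "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" } else { "_ldap._tcp.dc._msdcs.$Domain" }
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{ n = 'Query'; e = { $name } }, NameTarget, Priority, Weight, Port
}

$domain = $env:USERDNSDOMAIN

# Step 1: every DC in the domain (the client picks among these by priority and weight)
Get-DcSrvRecords -Domain $domain | Format-Table -AutoSize

# Step 2: after the LDAP ping the client knows its site and asks only for the DCs there
$site = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
Get-DcSrvRecords -Domain $domain -Site $site | Format-Table -AutoSize

# What Netlogon settled on; DS_CLOSEST_FLAG in the Flags line shows whether it is in the client's site
nltest "/dsgetdc:$domain" /force
```

If step 2 returns DCs that never show up in the nltest output, or a DC that is not in the list at all, the client's subnet is probably missing from Sites and Services (check with nltest /dsgetsite and the NO_CLIENT_SITE events on the DCs).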

Update Sequence Number (USN)

The USN is the AD database change counter. Every change or transaction committed on a DC increments that DC's USN, and the object's uSNChanged attribute records the USN of its last change. USNs are local: DCs in the same domain need not have the same USN.
Each DC tracks how far it has already replicated from each partner in its high-watermark vector (HWMV) and up-to-dateness vector (UTDV) tables, which is how it asks a partner only for "changes after USN x".

Server Object GUID (DSA GUID)

The DSA (Directory System Agent) GUID identifies the DC as a replication partner and is used to track originating writes. Its value is the objectGUID of the DC's NTDS Settings object. It is created when AD is installed on the DC and never changes until the DC is demoted, so the DC stays recognizable even if it is renamed.

Server Database GUID (Invocation ID)

The AD database has its own GUID which identifies the version of the database. It is stored in the invocationId attribute of the NTDS Settings object. Unlike the DSA GUID, the invocation ID is changed during a supported AD restore (and, on hypervisors that expose a VM-Generation ID, on a snapshot revert of a Windows Server 2012 or later DC) so that partners can tell the restored database from the old one and replication stays consistent.

Coming to the USN rollback scenario:

Cause

USN Rollback is mainly caused by restoring a DC using non Microsoft restore process like Norton's Ghost, VMware snapshot etc.. or when we perform a V2V of an existing DC.

Explanation
When we restore a DC using the conventional AD restoration methods, the Invocation ID of the DC is reset, which in turn resets the USN so that the other DCs understand that the database has been restored. The Invocation ID tracks the version of the DC's database, and the previous Invocation ID is marked as retired. When we use methods other than the conventional restoration methods, this ID is not reset. This prevents the other DCs from replicating to the rolled-back DC the changes made after the image was taken.
In this scenario the other DCs believe that the rolled-back DC already holds up-to-date data and do not replicate to it, which makes the AD data inconsistent.

Resolution

Forcefully demote the DC

Remove metadata using metadata cleanup

Seize FSMO roles

Re-promote the server

What is Sysvol ?

Sysvol is a special folder which is available in C:\Windows\SYSVOL directory in all domain controllers within the domain. This special folder contains the domain's Group Policy settings, default profiles and logon/logoff/startup/shutdown scripts.


When a user logs in to a client machine, it pulls all the group policy settings and logon scripts available in its local DC's SYSVOL folder. For this reason the folders keep replicating between DCs, either using DFS-R (Distributed File System Replication) or the older FRS (File Replication Service). The Sysvol directory can be accessed using:
\\domain-name\SYSVOL or
\\DC-name\SYSVOL

Contents of SYSVOL

If you access the location C:\Windows\SYSVOL, you will see 4 folders - domain, staging, staging areas & sysvol.

First we will discuss the sysvol and domain folders. The folder 'sysvol' is a Junction Point (a kind of soft link) to the folder 'domain'. That means the actual contents are in the 'domain' folder, whereas 'sysvol' acts as a virtual folder which you can browse like a normal folder.


Sysvol is the folder where you end up when you access \\domain name\SYSVOL or \\DC name\SYSVOL.This folder contains Policies, scripts & StarterGPOs folders.


The Policies folder contains all the group policy objects in the domain. For every new GPO, a new folder with a unique GUID is created in this folder. These are called Group Policy Templates (GPT). If you make any changes to a particular group policy, the changes are made in this folder. The Scripts folder contains all scripts used.

Now comes the staging folder and staging areas.

The Staging folder acts like a queue for changed files and folders which need to be replicated to the other sysvols in the domain. The change will normally be due to some group policy change. In short, the folder will be empty if there are no group policy updates. Once the update is replicated, the contents of this folder are deleted as well.

Active Directory Recycle Bin

This is a new feature of Windows 2008 R2 which is disabled by default. This feature will be available only if your forest functional level is Windows 2008 R2 and above. Once you enable this feature, it cannot be disabled.

How to enable?

There is no GUI to enable AD recycle bin. Open PowerShell and execute the below:

Import-Module ActiveDirectory

Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "globomantics.local" -whatif

What makes AD Recycle Bin special ?

Normal deletion process: when an object is deleted, it is moved to the Deleted Objects container after its isDeleted attribute is set to True (Tombstoning). Most of the attributes of the object are stripped off at this point. The stripped object is retained during the TSL and is deleted permanently after the TSL.

AD Recycle Bin process: all of the above holds for the AD recycle bin as well, except the attribute stripping. When an AD object is deleted with the recycle bin enabled, the system preserves all of the object's attributes.

In short, if you want the attributes of the deleted objects to be available after tombstone reanimation, enable AD recycle Bin.

AD Recycle Bin process

An object has been removed from AD and is now 'logically deleted' from AD

The deleted object is moved to Deleted Objects container and will remain in the container throughout the duration of the Deleted object lifetime. Within this period the object can be recovered using AD recycle bin or authoritative restore

After the deleted object lifetime period, the logically deleted object becomes a recycled object (which is the same as a tombstoned object).

The recycled object remains in the Deleted Objects container until the recycled object lifetime expires, after which the object is physically deleted by the garbage collection process.

Active Directory Tombstone

When an object is removed from Active Directory, it is said to be tombstoned. A tombstone is what a Domain Controller uses to notify other Domain Controllers about an object deletion.
The tombstoned object is retained in AD for a specific amount of time defined by the Tombstone Lifetime (TSL). When an object is tombstoned, it is moved to a special container named Deleted Objects and is invisible to normal directory operations.

Within the TSL the object can be retrieved at any time; this is called Tombstone reanimation. But the retrieved object will have lost some of its properties, such as its group membership details.
After the TSL, the garbage collection process, which runs every 12 hours, deletes the object permanently from Active Directory.

Find TSL for your domain

Open adsiedit.msc

Select the Configuration partition

Right click CN=Directory Service and select Properties

In the Attribute column look for the tombstoneLifetime value

This value is the TSL for your domain. If the value is not set, the TSL is the default value for that server class.

Default TSL

Windows 2000 - 60 days
Windows 2003 SP1 - 180 days
Windows 2003 R2 - 60 days
Windows 2008 and above - 180 days

AD REPLICATION

Intrasite replication replicates changes made on one DC to all other DCs in the same site. AD replications are generally pull operations. For example (a site with two DCs: DC1 & DC2), if a change is made on DC1 then DC1 informs DC2 about the change.
After this notification, DC2 pulls the changes from DC1, thereby bringing its AD data up to date.

Replication interval

When a DC writes a change to its local copy of AD, a timer is started that determines when the DC's replication partner should be notified of the change. By default, this interval is 15 seconds in Windows 2003 and later.

Active Directory Partitions

Active Directory database is divided into partitions or naming contexts (NC):

Schema NC - This contains schema details and is replicated to each DC in the forest.

Configuration NC - This contains forest-wide configuration information and is replicated to each DC in the forest.

Domain NC - This contains the most commonly accessed AD data and is replicated to each DC in the domain.

Each of these NCs is replicated separately to the DCs.

There are two kinds of write operations that AD needs to replicate:

Originating write: Any change made on a DC is an originating write for that DC
Replicated write: Any change which came in as part of replication is a replicated write

AD changes are managed through several Replication metadata:

Update Sequence Number (USN)
Each DC maintains a USN which is specific to that DC. Any change made on the DC (originating write) or replicated to the DC (replicated write) is followed by a USN increment. The USNs of DCs in the same domain need not be the same; therefore the USN of one DC has no meaning to any other DC in terms of comparing one change to another.

For example: the current USN value of DC1 is 3000 and of DC2 is 4000. Suppose a change is made on DC1; its USN is incremented to 3001. DC1 notifies DC2 about the change and DC2 pulls the new change. When the change is pulled, DC2 increments its own USN to 4001.


High watermark vector (HWMV)
The USN is only a method to track the changes made on a DC. But each DC also needs a way to keep track of the changes that have already been replicated; otherwise each DC would send the entire Active Directory database across the wire at every replication.
To prevent this, each Active Directory DC maintains a value called the High Watermark Vector (HWMV) for each domain controller it replicates with. Each DC associates this high watermark vector with the Globally Unique Identifier (GUID) of the remote DC, to prevent any confusion if a remote domain controller is renamed or removed from the directory.

Let us discuss some replication scenarios here:

Scenario 1:
2 Domain controllers
USN of DC1 = 3000
USN of DC2 = 4500

A new object is created in DC1, the USN gets incremented to 3001.



DC1 notifies DC2 about the new change. DC2 replies back with the HWMV value of DC1 in DC2

DC1 compares the HWMV value and understands that DC2 is not updated with the change 3001. DC1 sends this change to DC2 and DC2 will commit the change and update its local USN


The above scenario looks fine in a 2 DC scenario but could create severe replication loops in 3 or more DC scenario.

Up-to-dateness Vector (UTDV)
If a change is made on DC1, the change is replicated to DC2 and DC3. When this change is received on DC2, it would inform DC1 and DC3 about the same change and end up in a loop.
In order to avoid this situation, another piece of metadata is stored by the DC called the Up-To-Dateness Vector (UTDV).

The UTDV stores the highest originating update USN the local DC has received from each other DC. Every DC keeps a HWMV table and a UTDV for each AD partition to store the latest USNs of its replication partners. Whenever DC1 contacts DC2 for replication, DC2 sends the HWMV of DC1 held in DC2 along with the highest originating USNs DC2 has in its UTDV table.

Scenario 2
3 Domain controllers
USN of DC1 = 3001
USN of DC2 = 4501
USN of DC3 = 7000

Suppose a change is made in DC3 which increments the USN of DC3 to 7001. DC3 informs this change to DC1 and DC2

Now the UTDV comes into play. DC2 notifies DC1 about the new change it received from DC3. DC1 then replies to DC2 with the HWMV of DC2 held in DC1, along with the highest originating USN DC1 has in its UTDV table (here 7002, which DC1 received from DC3).

DC2 compares the HWMV and understands that its HWMV in DC1 is outdated. Therefore it takes all the corresponding transactions for the missing USNs.

But when it takes the missing transactions, after comparing the UTDV it received from DC1 with the originating USN of the change it holds, DC2 understands that the change need not be replicated to DC1.
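Scenario 1 and Scenario 2 as a constructed simulation of the three pieces of metadata (added example, not part of the original notes): DC names, starting USNs and object names are made up to follow the two scenarios, and the HWMV/UTDV filtering is the simplified model described in the text rather than the real DRS protocol.

```python
"""Constructed simulation of USN, HWMV and UTDV replication metadata.
Added example, not part of the original notes: DC names, starting USNs
and object names are constructed to follow Scenario 1 and Scenario 2."""
from dataclasses import dataclass, field


@dataclass
class Change:
    local_usn: int    # USN this entry consumed on the DC whose log holds it
    obj: str
    value: str
    origin_dc: str    # DC where the originating write happened
    origin_usn: int   # USN of that originating write on origin_dc


@dataclass
class DomainController:
    name: str
    usn: int
    log: list = field(default_factory=list)
    objects: dict = field(default_factory=dict)
    hwmv: dict = field(default_factory=dict)  # partner -> partner's USN at last pull
    utdv: dict = field(default_factory=dict)  # origin DC -> highest originating USN seen

    def originating_write(self, obj, value):
        """Local change: the USN increments and the entry is logged as originating here."""
        self.usn += 1
        self.objects[obj] = value
        self.log.append(Change(self.usn, obj, value, self.name, self.usn))
        self.utdv[self.name] = self.usn
        return self.usn

    def changes_for(self, partner_hwmv, partner_utdv, use_utdv=True):
        """Source side. HWMV filters by this DC's local USN; UTDV additionally drops
        entries whose originating write the partner already holds from another path."""
        pending = [c for c in self.log if c.local_usn > partner_hwmv]
        if use_utdv:
            pending = [c for c in pending
                       if c.origin_usn > partner_utdv.get(c.origin_dc, 0)]
        return pending

    def pull_from(self, source, use_utdv=True):
        """Destination side: send our HWMV for the source and our UTDV, apply what
        comes back as replicated writes. Returns the number of changes applied."""
        changes = source.changes_for(self.hwmv.get(source.name, 0), self.utdv, use_utdv)
        for c in changes:
            self.usn += 1  # a replicated write still consumes a local USN
            self.objects[c.obj] = c.value
            self.log.append(Change(self.usn, c.obj, c.value, c.origin_dc, c.origin_usn))
            self.utdv[c.origin_dc] = max(self.utdv.get(c.origin_dc, 0), c.origin_usn)
        self.hwmv[source.name] = source.usn
        return len(changes)


def scenario_one():
    """Two DCs: one change on DC1, two pulls by DC2; HWMV stops the second resend."""
    dc1, dc2 = DomainController("DC1", 3000), DomainController("DC2", 4500)
    dc1.originating_write("CN=User1", "created")   # DC1 USN -> 3001
    first = dc2.pull_from(dc1)                     # 1 change, DC2 USN -> 4501
    second = dc2.pull_from(dc1)                    # 0 changes: HWMV[DC1] is now 3001
    return dc1.usn, dc2.usn, first, second


def scenario_two(use_utdv=True):
    """Three DCs: DC3's change reaches DC1 and DC2 directly; then DC2 notifies DC1.
    With UTDV the change is not sent a second time; without it DC1 re-applies it."""
    dc1 = DomainController("DC1", 3001)
    dc2 = DomainController("DC2", 4501)
    dc3 = DomainController("DC3", 7000)
    dc3.originating_write("CN=User2", "created")   # DC3 USN -> 7001
    dc1.pull_from(dc3)                             # DC1 USN -> 3002, UTDV[DC3] = 7001
    dc2.pull_from(dc3)                             # DC2 USN -> 4502, UTDV[DC3] = 7001
    resent = dc1.pull_from(dc2, use_utdv)          # HWMV alone would resend DC2's USN 4502
    return resent, dc1.usn


if __name__ == "__main__":
    print("scenario 1:", scenario_one())
    print("scenario 2 with UTDV:", scenario_two(True), "without:", scenario_two(False))
```

Running scenario_two with use_utdv=False shows the redundant replicated write the text warns about: DC1 re-applies a change it already holds and burns another USN, which in a real mesh of three or more DCs would keep circulating.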

The KCC (Knowledge Consistency Checker) is responsible for generating the replication topologies between domain controllers. The KCC runs on each DC of a domain and creates a connection object for each DC in AD. It is responsible for all intra-site replication.

In an inter-site scenario there is a bridgehead server to manage site-to-site replication. Here the connection objects for the bridgehead servers are created in a separate way. The ISTG (Inter-Site Topology Generator) is responsible for creating connection objects on bridgehead servers. The ISTG is nothing but the KCC on one DC, which is responsible for reviewing the inter-site topology and creating inbound replication connection objects as necessary for bridgehead servers in the site in which it resides. The domain controller holding this role need not itself be a bridgehead server.

Scenario

I've an environment with Windows 2003 & Windows 2008 servers in Windows 2000 Native mode. If I try to add any AD group in a folder's security settings on a Windows 2008 server, the AD group name won't get resolved,
i.e. ultimately you will fail to set folder permissions for these AD groups. But when I try to do the same from a Windows 2003 server, it gets added.

Resolution

In Windows 2000 Native mode, a Windows 2008 server cannot set folder permissions for an AD group. In order to resolve this issue, raise the domain functional level to Windows Server 2003 or higher, taking into account the domain controllers in the domain.

Enable replication - tombstone lifetime exceeded

Step 1
Run the repadmin /showrepl command on the domain controller that received the error to determine which domain controller has been disconnected for longer than a tombstone lifetime.

Step 2
Modifying the registry

1. Click Start, click Run, type regedit, and then click OK.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

3. In the details pane, create or edit the registry entry as follows:
If the registry entry exists in the details pane, modify the entry as follows:
a. In the details pane, right-click Allow Replication With Divergent and Corrupt Partner, and then click Modify.
b. In the Value data box, type 1, and then click OK.

If the registry entry does not exist, create the entry as follows:
a. Right-click Parameters, click New, and then click DWORD Value.
b. Type the name Allow Replication With Divergent and Corrupt Partner, and then press ENTER.
c. Double-click the entry. In the Value data box, type 1, and then click OK.

Active Directory Backup and Restore in Windows 2008

Taking backup

1. Open a command prompt and execute wbadmin start systemstatebackup -backuptarget:e:\
- In Windows 2008 you need to install the Windows Server Backup feature, as it is not installed by default.
2. Confirm that the backup was successful using the command wbadmin get versions

Restoration

1. Restart the server in Directory Service Restore Mode (DSRM)
2. Get the version ID of the available backup using wbadmin get versions
3. Run the restoration using the command wbadmin start systemstaterecovery -version:versionID

Making the Restoration Authoritative

1. At a command prompt, type ntdsutil, and then press ENTER.
2. Type authoritative restore, and then press ENTER.
3. You will be prompted with "Active Instance not set. To set an active instance use "Activate Instance"".
4. Type activate instance ntds and then press ENTER.
5. Then type the command restore subtree dc=Domain_Name,dc=xxx
and then press ENTER.
Note: In Windows 2008 the restore database command is not supported, as it may cause serious problems.

Active Directory Global Catalog Server

Global catalog (GC) is a role handled by domain controllers in an Active Directory model. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.

Partial copy refers to the set of attributes that are most used for searching every object in every domain.

All domain controllers can be promoted as a GC.

GC helps in faster search of AD objects.

The replicas that are replicated to the global catalog also include the access permissions for each object and attribute.

If you are searching for an object that you do not have permission to access, you do not see the object in the list of search results. Users can find only objects to which they are allowed access.

Global catalog server clients depend on DNS to provide the IP address of global catalog servers. DNS is required to advertise global catalog servers for domain controller location.

By default, the first DC in a forest will be a global catalog server.

FSMO - Expansion and its relevance

FSMO is short for Flexible Single Master Operations. Each of these words has its own significance. Operations Master is a set of roles, each of which handles a separate operation. So why are Flexible & Single used?

Single is used since each role works independently on a single DC. Since these operations master roles can be moved across DCs, it is called Flexible, and that's why the name Flexible Single Master Operations. The terms Operations Master and Single Master Operation are also used interchangeably for FSMO.

FSMO roles need not be installed separately. They are installed automatically during domain creation, and by default they are available on the first DC of the forest. All the roles can be moved to any DC in the forest, but there are some criteria for this which will be explained later.

FSMO Roles

There are 5 FSMO roles. These roles can be classified as Forest wide role and Domain wide role.

Forest wide roles: -

Schema Master

Domain Naming Master

There will be only one Schema Master and one Domain Naming Master across the forest.

Domain wide roles:

Infrastructure Master

PDC Emulator

RID Master

These roles are domain specific and have to exist in each domain.

Schema Master

This role manages the schema of the forest.

Any updates or modifications to the existing schema will be managed by this role.

Not dependent on Global Catalog server

Since this role is not used often once domains are setup, it is fine to place this role in a DC which does not have much of processing capability

Since schema master role is required as long as the forest exists, it is recommended to place this role in the root domain.

If Schema Master is down?

No impact on the domain. Domain will work as usual.

But if the admin tries to perform any schema related change, error will occur.

Domain Naming Master

Manages the addition and removal of domains in a forest.

It is recommended to make a DC with Domain Naming Master a Global Catalog server

Since this role is not used often once domains are setup, it is fine to place this role in a DC which does not have much of processing capability

Since Domain Naming Master role is required as long as the forest exists, it is recommended to place this role in the root domain.

If Domain Naming Master role is down?

No impact on the domain. The work of the domain will continue as always.

New domains cannot be added. Existing domains cannot be deleted.

Infrastructure Master

When an object in one domain is referenced in another domain, the reference is represented by the GUID, SID and DN of the object being referenced (Phantom Object).

Responsible for updating these cross-domain references

Plays an important role when there are multiple domains, but has no relevance in a single-domain environment.

Do not hold the Infrastructure Master role on a DC holding the Global Catalog role unless all the DCs in the environment hold the GC role.

If Infrastructure Master role is down?

No impact in a single-domain environment.

If there are multiple domains, any change to an object which is referenced by another object in another domain will not be reflected.

Why Infrastructure Master should not be a GC ?

PDC Emulator

Gives backward compatibility with legacy systems such as Windows NT

Responsible for handling password changes in a domain

Manages account lock out. Whenever authentication fails a lock out counter will be incremented by the PDC.

Responsible for keeping domain time in sync. DC holding this role will be the most credible and authoritative time server in the domain.

Responsible for updating group policy

It is always better to make the DC that serves the most users the PDC emulator, as user logons often need to contact this DC for authentication.

If PDC Emulator is down?

Users will not be able to change password

Can lead to unsynced time which can lead to logon failures

Group policy update issues

RID Master

RID master is responsible for allocating RIDs to the DCs

Each object has an SID which is a combination of the Domain SID and a RID

Initially, each DC is given a pool of 500 RIDs

Once the RIDs allocated to a DC are drained, the DC contacts the RID master for a new pool of RIDs

If RID master is down?

Not much impact if the DCs have enough RIDs available in their pools

New objects cannot be created once a DC's RIDs are drained

Why Infrastructure Master should not be a Global Catalog server?

The Infrastructure Master role is responsible for managing any cross-domain references. When we discuss cross-domain references, it is essential to discuss Phantom objects.

An AD group can hold members from its own domain and groups from other domains (e.g. Global group and Universal group). For a group in one domain to contain members from another domain, a pointer or cross-domain reference is required. This cross-domain reference is called a Phantom object.
The phantom object needs to be updated regularly. Each DC is responsible for updating its own phantom objects. For all DCs in the domain, this task is done by the DC holding the Infrastructure Master (IM) role, except for DCs holding the GC role, which do not require the cross reference since they already hold a partial replica of all objects in the forest. A Phantom object holds the GUID, Distinguished Name (DN) and SID of the object being referenced.

Process of updating Phantom objects

Suppose an object X in Domain A is referred to in another Domain B. When a change is made to X, the following activities take place.

Change is made to X (say, it is changed to another OU in the same domain A)

GC of Domain A gets updated instantly

Since GC of domain B holds a partial replica of all other domains of the same forest, this update will be marked in the GC of domain B.

The Infrastructure Master (IM) always checks the Phantom objects in its own domain partition against the GC

Since GC of domain B is updated with the new change, the IM finds that the domain partition it holds is outdated and hence it updates its own domain partition and then updates the Phantom object

Now what happens if IM is on a GC?

The domain partition of the IM will always be up to date since the server is a GC

Therefore the IM will not find any outdated objects in its own domain partition and so will not update the phantom object

No impact if there is only one domain in the forest

An IM can be on a GC when:

All the DCs in the domain are global catalog servers

There is only one domain in the forest

The content of the system state backup includes:

Registry

COM+ Class Registration database

Boot files, including the system files

System files that are under Windows File Protection

Active Directory directory service (If it is domain controller)

SYSVOL directory (If it is domain controller)

Cluster service information (If it is a part of a cluster)

IIS Metadirectory (If it is an IIS server)

Certificate Services database (If it is a certificate server)