Search This Blog

How do you view all the GCs in the forest?

DSQUERY server can be used to locate global catalogs

To search the entire forest

dsquery server -forest -isgc

To locate global catalogs in your current (logon) domain

dsquery server -isgc

To locate global catalogs in a specific domain

dsquery server -domain NISHANT.BIZ -isgc

Here, you search for global catalog servers in the tech.cpandl.com domain.

You can also search for global catalog servers by site, but to do this, you must know the full site name, and cannot use wildcards. For example, if you wanted to find all the global catalog servers for Default-First-Site-Name, you would have to type

dsquery server -site Default-First-Site-Name .

The resulting output is a list of DNs for global catalogs, such as

"CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NISHANT,DC=BIZ"


How to Add or Remove the Global Catalog?

You can use the Active Directory Sites and Services snap-in to add or remove the global catalog.

  1. Open Active Directory Sites and Services. (Click Start, click Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console tree, click the server object to which you want to add the global catalog or from which you want to remove the global catalog. (Active Directory Sites and Services\Sites\SiteName\Servers)
  3. In the details pane, right-click NTDS Settings of the selected server object, and then click Properties.
  4. Select the Global Catalog check box to add the global catalog, or clear the check box to remove the global catalog.

What is the Global Catalog?

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest . The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

Common Global Catalog Scenarios

The following events require a global catalog server:

  • Forest-wide searches. The global catalog provides a resource for searching an AD DS forest. Forest-wide searches are identified by the LDAP port that they use. If the search query uses port 3268, the query is sent to a global catalog server.
  • User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication:
    • In a domain that operates at the Windows 2000 native domain functional level or higher, domain controllers must request universal group membership enumeration from a global catalog server.
    • When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.
  • Universal Group Membership Caching : In a forest that has more than one domain, in sites that have domain users but no global catalog server, Universal Group Membership Caching can be used to enable caching of logon credentials so that the global catalog does not have to be contacted for subsequent user logons. This feature eliminates the need to retrieve universal group memberships across a WAN link from a global catalog server in a different site.
  • Exchange Address Book lookups . Servers running Microsoft Exchange Server rely on access to the global catalog for address information. Users use global catalog servers to access the global address list (GAL).

How do you view replication properties for AD partitions and DCs?

You can use the Active Directory Replication Status Tool (ADREPLSTATUS) or Repadmin command line tool to view the replication.


How do you create a new application partition?

You can create an application directory partition by using the create nc option in the domain management (partition management in windows 2008) menu of Ntdsutil. When creating an application directory partition using LDP or ADSI, provide a description in the description attribute of the domain DNS object that indicates the specific application that will use the partition. For example, if the application directory partition will be used to store data for a Microsoft accounting program, the description could be Microsoft accounting application. Ntdsutil does not facilitate the creation of a description.

To create or delete an application directory partition

The sample commands below were written for Windows Server 2008. If you're using Windows 2003, you don’t need to include the ACTIVE INSTANCE NTDS command, and you would use DOMAIN MANAGEMENT instead of PARTITION MANAGEMENT.

ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: partition management
partition management: connections
Connected to \\server1.contoso.com using credentials of locally logged on user.
server connections: connect to server server1.contoso.com
Disconnecting from \\ server1.contoso.com...
Binding to server1.contoso.com ...
Connected to server1.contoso.com using credentials of locally logged on user.

server connections: quit
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded Found 5 Naming Context(s)
0 - CN=Configuration,DC= contoso,DC=com
1 - CN=Schema,CN=Configuration,DC= contoso,DC=com
2 - DC=contoso,DC=com
3 - DC=DomainDnsZones,DC=contoso,DC=com
4 - DC=ForestDnsZones,DC=contoso,DC=com
partition management: create nc dc=app1,dc=contoso,dc=com
server1.contoso.com
adding object dc=app1,dc=contoso,dc=com
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded Found 5 Naming Context(s)
0 - CN=Configuration,DC= contoso,DC=com
1 - CN=Schema,CN=Configuration,DC= contoso,DC=com
2 - DC=contoso,DC=com
3 - DC=DomainDnsZones,DC=contoso,DC=com
4 - DC=ForestDnsZones,DC=contoso,DC=com
5 - DC=app1,DC=contoso,DC=com

Create an application directory partition by using the DnsCmd command

Use the following syntax:

DnsCmd ServerName /CreateDirectoryPartition FQDN of partition

To create an application directory partition that is named CustomDNSPartition on a domain controller that is named DC-1, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK.
  2. Type the following command, and then press ENTER: dnscmd DC-1 /createdirectorypartition CustomDNSPartition.contoso.com

When the application directory partition has been successfully created, the following information appears:

DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com Command completed successfully.

Configure an additional domain controller DNS server to host the application directory partition

Configure an additional domain controller that is acting as a DNS server to host the new application directory partition that you created. To do this, use the following syntax with the DnsCmd command:

DnsCmd ServerName /EnlistDirectoryPartition FQDN of partition

To configure the example domain controller that is named DC-2 to host this custom application directory partition, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK.
  2. Type the following command, and then press ENTER: dnscmd DC-2 /enlistdirectorypartition CustomDNSPartition.contoso.com

DNS Server DC-2 enlisted directory partition: CustomDNSPartition.contoso.com Command completed successfully.


What are application partitions? When do I use them?

An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

Application directory partitions are usually created by the applications that will use them to store and replicate data. TAPI is an example it. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

Application directory partitions can contain any type of object, except security principals. The data in it can be replicated to different domain controllers in a forest (for redundancy, availability, or fault tolerance).


What is Active Directory Naming Context or Directory Partition?

Each domain controller in a domain forest controlled by Active Directory Domain Services includes directory partitions. Directory partitions are also known as naming contexts. A directory partition is a contiguous portion of the overall directory that has independent replication scope and scheduling data. By default, the Active Directory Domain Service for an enterprise contains the following partitions:

  1. Schema Partition - One per forest. The schema naming context contains the definitions of all objects that can be instantiated in Active Directory. It also stores the definitions of all attributes that can be a part of objects in Active Directory. Every domain controller has one fully writeable copy of the schema directory partition, although schema updates are allowed only on the domain controller that is the schema operations master.
  2. Configuration Partition - One per forest. It stores forest-wide configuration data that is required for the proper functioning of Active Directory as a directory service. The configuration partition contains replication topology and other configuration data that must be replicated throughout the forest. Every domain controller has one fully writeable copy of the configuration directory partition.
  3. Domain Partition - One per domain. The domain partition contains the directory objects, such as users and computers, and other objects for that domain. All domain controllers that are joined to the domain share a full writeable copy of the domain directory partition. Additionally, all domain controllers in the forest that host the global catalog also host a partial read-only copy of every other domain naming context in the forest.

Windows Server 2003 introduces the Application Directory Partition, which provides the ability to control the scope of replication and allow the placement of replicas in a manner more suitable for dynamic data.


How to recover a deleted file from SYSVOL folder?

Microsoft Windows 2003 Server domain controllers use the File Replication service (FRS) to automatically replicate data between domain controllers. In Windows 2003 Server, the contents of the Sysvol folder are replicated to all the domain controllers in your organization. The Sysvol folder stores logon scripts, default domain profiles, and system policies. If a change is made to a logon script, a default domain profile, or a system policy, the change is replicated to all the domain controllers. This practice keeps the Sysvol folder content the same in all the domain controllers.

Note You have to stop the NT File Replication Service (NTFRS) service, and then set the startup type for NTFRS to Manual on the domain controller where you want to perform the non-authoritative restore. This prevents the service from starting unintentionally while this operation is performed.

To force a non-authoritative restore of the data in the Sysvol folder on a domain controller, follow these steps.

Start a command prompt. To do this, click Start, click Run, type cmd, and then click OK.

  1. At the command prompt, type net stop ntfrs, and then press ENTER.
  2. Click Start, click Run, type services.msc, and then click OK.
  3. In the Services snap-in, double-click File Replication, click Manual under Startup Type, click Apply, and then click OK.
  4. Click Start, click Run, type regedit, and then click OK.
  5. Locate and then click the BurFlags value under the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
  6. IF the key that is mentioned in step 6 does not exist, create it. To do this, click Edit, click New, click DWORD Value, type BurFlags, and then click OK.
  7. In the right pane, right-click BurFlags, click Modify, In the Edit DWORD Value dialog box, type D2 to complete a nonauthoritative restore or type D4 to complete an authoritative restore, and then click OK.
  8. Locate and then expand the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Sysvol Seeding\Domain System Volume (Sysvol share)
    Note: If this registry entry does not exist, you must create it.
  9. On the Edit menu, click New, click String Value, type Replica Set Parent, and then click OK.
  10. In the right pane, right-click Replica Set Parent, click Modify, type the name of a domain controller that has the Sysvol data that you want to replicate in the Value data box, and then click OK.
  11. Quit Registry Editor.
  12. At a command prompt, type net start ntfrs, and then press ENTER.
  13. Click Start, click Run, type services.msc, and then click OK.
  14. In the Services snap-in, double-click File Replication, click Automatic under Startup Type, click Apply, and then click OK.

What is the SYSVOL folder?

System Volume (SYSVOL) is a shared directory that stores the server copy of the domain public files (Policies and scripts) that must be shared for common access and replication throughout a domain. It must be located in NTFS volume (because junctions are used within the SYSVOL folder structure)


Where is the AD database held? What other files are related to AD?

The Active Directory Database is Stored in %SYSTEM ROOT%\NDTS folder. Main database file for active directory isntds.dit. Along with this file there are other files also present in this folder. These files are created when you run dcpromo. These are the main files controlling the AD structure

  • ntds.dit : This is the main database file for active directory.
  • edb.log : Transaction performed to ad stored in this file.
  • res1.log : Used as reserve space in the case when drive had low space.
  • res2.log : Same as res1.log.
  • edb.chk : This file records the transactions committed to ad database.

When a change is made to the AD database, triggering a write operation, AD records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down; all transactions are saved to the database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database.

The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in\NTDS, along with the other files we've discussed


How to verify an Active Directory installation?

Default containers : These are created automatically when the first domain is created. Open Active Directory Users and Computers, and then verify that the following containers are present: Computers, Users, and ForeignSecurityPrincipals.

Default domain controllers organizational unit : This holds the first domain controller, and additionally serves as the default container for new domain controllers. Open Active Directory Users and Computers, and then verify this organizational unit.

Default-First-Site-Name : During the promotion of a server to domain controller, the Dcpromo.exe program determines the site of which the domain controller can become a member. If the domain controller that is being created is the first in a new forest, a default site named "Default-First-Site-Name" is created and the domain controller becomes a member of this site. You can verify this item by using Active Directory Sites and Services.

Active Directory database : The Active Directory database is your Ntds.dit file. Verify its existence in the %Systemroot%\Ntds folder.

Global catalog server : The first domain controller becomes a global catalog server, by default

Shared system volume : A domain controller should have a shared system volume located in the %Systemroot%\Sysvol\Sysvol folder. To verify this item, use the net share command.

NETLOGON D:\Windows\SYSVOL\sysvol\DOMAIN.COM\SCRIPTS

SYSVOL D:\Windows\SYSVOL\sysvol

SRV resource records : You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. Active Directory creates its SRV RRs in the following folders:

_Msdcs/Dc/_Sites/Default-first-site-name/_Tcp

_Msdcs/Dc/_Tcp

In these locations, an SRV RR is displayed for the following services:

_kerberos

_ldap


What is New in Windows Server 2016 Active Directory?

Privileged access management: Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such pass-the-hash, spear phishing, and similar types of attacks. It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:

  • A new bastion Active Directory forest, the bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.
  • New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests.
  • New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests. The shadow security principals have an attribute that references the SID of an administrative group in an existing forest. This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs).
  • An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time required to perform an administrative task. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime.
  • KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups.
  • New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed.

Requirements

  • Microsoft Identity Manager
  • Active Directory forest functional level of Windows Server 2012 R2 or higher.

Azure AD Join: Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers- with improved capabilities for corporate and personal devices.

Microsoft Passport: Microsoft Passport is a new key-based authentication approach organizations and consumers. The user logs on to the device with a biometric or PIN log on information that is linked to a certificate or an asymmetrical key pair. The Identity Providers (IDPs) validate the user by mapping the public key of the user to IDLocker and provides log on information through One Time Password (OTP), Phonefactor or a different notification mechanism.

Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels: The Windows Server 2003 domain and forest functional levels continue to be supported, but organizations should raise the functional level to Windows Server 2008 (or higher if possible) to ensure SYSVOL replication compatibility and support in the future. In addition, there are many other benefits and features available at the higher functional levels higher.


What is New in Windows Server 2012 R2 Active Directory?

  • Join personal devices to the workplace : Windows Server 2012 R2 allows users to join their personal devices, both Windows devices and iOS devices, to Active Directory. When a personal device is Workplace-Joined, it will provide second-factor authentication and single sign-on (SSO) to corporate resources and applications.
  • Provide users access to application and services from anywhere: Windows Server 2012 R2 includes a new Remote Access role service, called Web Application Proxy, which can be used to provide external access to application and services from anywhere.
  • Managing risk with multi-factor access control and multi-factor authentication: Enabling users to join personal devices to the workplace and providing access to applications and services from anywhere comes with additional risks. Windows Server 2012 R2 includes enhancements to AD FS that are intended to manage these risks.


What is New in Windows Server 2012 Active Directory?

  • GUI for Recycle Bin
  • GUI for Fine-Grained Password Policies
  • Dynamic Access Control (DAC): Windows Server 2008 R2 brought the File Classification Infrastructure (FCI). This version's DAC adds far greater functionality to the (optional) second layer of FCI resource authorization.
  • Windows PowerShell History Viewer
  • Windows PowerShell Cmdlets for Active Directory Replication and Topology
  • Active Directory-Based Activation (ADBA)
  • Flexible Authentication Secure Tunneling (FAST)
  • Virtual Snapshot and Cloning Support
  • ADPREP Integrated into DC Promotion
  • Active Directory Federation Services (ADFS) Now In-Box: Adding ADFS no longer requires a separate installation. ADFS also gains multiple improvements. Watch this space, because you'll be seeing and using more ADFS in the years to come.
  • Domain Join via DirectAccess : Computers can now be domain-joined over the Internet. You'll need DirectAccess first. Trust me: You'll want it.
  • Kerberos Constrained Delegation (KCD) Across Domains
  • Group Managed Service Accounts (GMSAs) : MSAs in Windows Server 2008 R2 made administering service accounts easier. GMSAs in this version extend their support to clustered and load-balanced services.

What is New in Windows Server 2008 R2 Active Directory?

  • Active Directory Recycle Bin
  • Active Directory module for Windows PowerShell
  • Active Directory Administrative Center
  • Active Directory Best Practices Analyzer
  • Active Directory Web Services
  • Authentication mechanism assurance: Authentication mechanism assurance makes it possible for applications to control resource access based on authentication strength and method
  • Offline domain join
  • Managed Service Accounts
  • Active Directory Management Pack: The Active Directory Management Pack enables proactive monitoring of availability and performance of AD DS with Systems Center Operations Manager 2007.
  • Bridgehead Server Selection: The bridgehead server selection process enables domain controllers to load balance incoming connections. The new logic for bridgehead server selection allows for even distribution of workload among bridgehead servers


What is New in Windows Server 2008 Active Directory?

AD DS includes many new features that are not available in previous versions of Windows Server Active Directory. These new features make it possible for organizations to deploy AD DS more simply and securely and to administer it more efficiently.

  • AD DS: Auditing
  • AD DS: Fine-Grained Password Policies
  • AD DS: Read-Only Domain Controllers
  • AD DS: Restartable Active Directory Domain Services
  • AD DS: Database Mounting Tool (Snapshot Viewer or Snapshot Browser)
  • AD DS: User Interface Improvements
  • AD DS: Owner Rights

How do you change the Directory Service Restore Mode aka DSRM password?

In Windows Server 2003 onwards, Directory Service Restore Mode password can be changed by Ntdsutil utility. Steps are as follows -

  1. Click, Start, click Run, type ntdsutil, and then click OK.
  2. At the Ntdsutil command prompt, type set dsrm password.
  3. At the DSRM command prompt, type one of the following lines:

    To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.

    -or-

    To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.

  4. At the DSRM command prompt, type q.
  5. At the Ntdsutil command prompt, type q to exit.

Why we need netlogon?

It maintains a secure channel between the computer and the domain controller for authenticating users and services. If this service is stopped the computer may not authenticate users and services, and the domain controller can’t register DNS records.


What is the default Active Directory Built in groups?

Groups in the Builtin container

- Account Operators
- Administrators
- Backup Operators
- Guests
- Incoming Forest Trust Builders
- Network Configuration Operators
- Performance Monitor Users
- Performance Log Users
- Pre-Windows 2000 Compatible Access
- Print Operators
- Remote Desktop Users
- Replicator
- Server Operators
- Users

Groups in the Users container

- Cert Publishers
- DnsAdmins (If installed with DNS)
- DnsUpdateProxy (If installed with DNS)
- Domain Admins
- Domain Computers
- Domain Controllers
- Domain Guests
- Domain Users
- Enterprise Admins (only appears in the forest root domain)
- Group Policy Creator Owners
- IIS_WPG (installed with IIS)
- RAS and IAS Servers
- Schema Admins (only appears in the forest root domain)


What is AD DS Best Practices Analyzer?

Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations.

You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.


What is AD Administrative Center?

Active Directory Administrative Center provides administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI). Administrators can use Active Directory Administrative Center to perform common Active Directory object management tasks (such as user, computer, group, and organization units management) through both data-driven and task-oriented navigation.

Administrators can use the enhanced Active Directory Administrative Center GUI to customize Active Directory Administrative Center to suite their particular directory service administering requirements.


What is the Active Directory Management Gateway Service?

Windows Server 2008 R2 introduces a web service interface for application accessibility to Active Directory (AD), and the Windows Server 2008 R2 AD PowerShell cmdlets use this service.

ADMGS provides this web service interface for Windows Server 2003 SP2 and Windows Server 2008 domain controllers (DCs). The service lets Server 2008 R2 AD PowerShell cmdlets and other applications work against the DCs with ADMGS installed.


What is Active Directory Federation Services?

Active Directory Federation Services (AD FS) simplifies access to systems and applications using a claims-based access (CBA) authorization mechanism to maintain application security. AD FS supports Web single-sign-on (SSO) technologies that help information technology (IT) organizations collaborate across organizational boundaries.

AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor to AD FS 1.0, which was first delivered in Windows Server 2003 R2, and AD FS 1.1, which was made available as a server role in Windows Server 2008 and Windows Server 2008 R2. Previous versions of AD FS are referred to collectively as AD FS 1.x.


What is AD Certificate Services?

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.


What is SPN?

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. services.


What is Native Mode?

When all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as Universal groups, nested group membership, and inter-domain group membership.


What is Mixed Mode?

Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.


What is RSOP?

One challenge of Group Policy administration is to understand the cumulative effect of a number of Group Policy objects (GPOs) on any given computer or user, or how changes to Group Policy, such as reordering the precedence of GPOs or moving a computer or user to a different organizational unit (OU) in the directory, might affect the network. The Resultant Set of Policy (RSoP) snap-in offers administrators one solution. Administrators use the RSoP snap-in to see how multiple Group Policy objects affect various combinations of users and computers, or to predict the effect of Group Policy settings on the network.


What do you understand by Trust in Active Directory?

To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created.

The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)

  • One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
  • Two-way trust: Two domains allow access to users on both domains.
  • Trusting domain: The domain that allows access to users from a trusted domain.
  • Trusted domain: The domain that is trusted; whose users have access to the trusting domain.
  • Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
  • Intransitive trust: A one way trust that does not extend beyond two domains.
  • Explicit trust: A trust that an admin creates. It is not transitive and is one way only.
  • Cross-link trust: An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Windows 2000 Server supports the following types of trusts:

  • Two-way transitive trusts.
  • One-way intransitive trusts.

Additional trusts can be created by administrators. These trusts can be shortcut.

Windows Server 2003 offers a new trust type - the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the domains in the forests that are trusted. Forest trusts, however, are not transitive.


What do you understand by Group Scope in Active Directory?

Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional level of domains and forests. Domain local group memberships are not limited as you can add members as user accounts, universal and global groups from any domain. Just to remember, nesting cannot be done in domain local group. A domain local group will not be a member of another Domain Local or any other groups in the same domain.

Can contain users, computers, global groups and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain. Can be a member of any domain local group in the same domain.

Global Group: Users with similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in local or another domain in same forest. To say in simple words, Global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest as their memberships are limited. User accounts and global groups can be added only from the domain in which global group is created. Nesting is possible in Global groups within other groups as you can add a global group into another global group from any domain. Finally to provide permission to domain specific resources (like printers and published folder), they can be members of a Domain Local group. Global groups exist in all mixed, native and interim functional level of domains and forests.

Can contain users, computers and groups from same domain but NOT universal groups. Can be a member of global groups of the same domain, domain local groups or universal groups of any domain in the forest or trusted domains.

Universal Group: These groups are precisely used for email distribution and can be granted access to resources in all trusted domain as these groups can only be used as a security principal (security group type) in a windows 2000 native or windows server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of universal group. Universal groups can be nested under a global or Domain Local group in any domain.

Can contain users and groups (global and universal) from any domain in the forest. Universal groups do not care about trust. Universal groups can be a member of domain local groups or other universal groups but NOT global groups.


What are the Groups types available in active directory?

Security groups : Use Security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.

Distribution groups : Distribution groups are used for sending e-main messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups still requires, because some applications can only read distribution groups.


What System State data contains?

  • Startup files
  • Registry
  • Com + Registration Database
  • Memory Page file
  • System files
  • AD information
  • Cluster Service information
  • SYSVOL Folder

What is lost & found folder in ADS?

It’s the folder where you can find the objects missed due to conflict. Ex: you created a user in OU which is deleted in other DC & when replication happen ADS didn’t find the OU then it will put that in Lost & Found Folder.


What Intra-site and Inter-site Replication?

Intra-site is the replication with in the same site & inter-site the replication between sites. Inter-site replication occurs between BHS (Bridge Head Servers) in one site and BHS in another site


Which is service in your windows is responsible for replication of Domain controller to another domain controller?

KCC generates the replication topology. Use SMTP / RPC to replicate changes.


Can GC Server and Infrastructure place in single server If not explain why?

No, As Infrastructure master does the same job as the GC. It does not work together.


How many passwords by default are remembered when you check "Enforce Password History Remembered", what is the maximum?

By default, user’s last 6 passwords are remembered, maximum is 24.

The Enforce password history policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused.

The possible values for this Group Policy setting are:

  • A user-defined number from 0 through 24.
  • Not defined.

What’s the number of permitted unsuccessful logons on Administrator account?

Unlimited, though, that it’s the Administrator account, not any account that’s part of the Administrators group.


How to configure Certificate Templates?

You can create a new certificate template by duplicating an existing template and using the existing template's properties as the default for the new template. Different applications and types of certification authorities (CAs) support different certificate templates. For example, some certificate templates can only be issued and managed by enterprise CAs running Windows Server 2003, and some may require that the CA be running Windows Server 2008. Review the list of default certificate templates, and examine their properties to identify the existing certificate template that most closely meets your needs. This will minimize the amount of configuration work that you need to do.

To create a new certificate template

  • Open the Certificate Templates snap-in.
  • Right-click the template to copy from, and then click Duplicate Template.
  • Choose the minimum version of CA that you want to support.
  • Type a new name for this certificate template.
  • Make any necessary changes, and click OK.

What is Certificate Template?

Enterprise certification authorities (CAs) use certificate templates to define the format and content of certificates, to specify which users and computers can enroll for which types of certificates, and to define the enrollment process, such as autoenrollment, enrollment only with authorized signatures, and manual enrollment. Associated with each certificate template is a discretionary access control list (DACL) that defines which security principals have permissions to read and configure the template, as well as to enroll or autoenroll for certificates based on the template. The certificate templates and their permissions are defined in Active Directory Domain Services (AD DS) and are valid within the forest. If more than one enterprise CA is running in the Active Directory forest, permission changes will affect all enterprise CAs.


What is merging and replace mode in loopback processing?

Normal user Group Policy processing specifies that computers located in their organizational unit have the GPOs applied in order during computer startup. Users in their organizational unit have GPOs applied in order during logon, regardless of which computer they log on to.

In some cases, this processing order may not be appropriate. For example, when you do not want applications that have been assigned or published to the users in their organizational unit to be installed when the user is logged on to a computer in a specific organizational unit. With the Group Policy loopback support feature, you can specify two other ways to retrieve the list of GPOs for any user of the computers in this specific organizational unit:

  • Merge Mode : In this mode, when the user logs on, the user's list of GPOs is typically gathered by using the GetGPOList function. The GetGPOList function is then called again by using the computer's location in Active Directory. The list of GPOs for the computer is then added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs. In this example, the list of GPOs for the computer is added to the user's list.
  • Replace Mode : In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.

What are the Loopback policies?

Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

To set user configuration per computer, follow these steps:

1. In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.

2. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.

This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers where you must modify the user policy based on the computer that is being used. For example, computers in public areas, in laboratories, and in classrooms.

When users work on their own workstations, you may want Group Policy settings applied based on the location of the user object. Therefore, we recommend that you configure policy settings based on the organizational unit in which the user account resides. However, there may be instances when a computer object resides in a specific organizational unit, and the user settings of a policy should be applied based on the location of the computer object instead of the user object.

Note: You cannot filter the user settings that are applied by denying or removing the AGP and Read rights from the computer object specified for the loopback policy.


What is LSDOU?

It’s group policy inheritance model, where the policies are applied to :-

Local machines, Sites, Domains and Organizational Units.


I am trying to create a new universal user group. Why can’t I?

Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.


What are the differences between Enterprise Admins and Domain Admins groups in AD?

Enterprise Admins : Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution.

Domain Admins : Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.


What is the Netlogon folder?

Sysvol is an important component of Active Directory. The Sysvol folder is shared on an NTFS volume on all the domain controllers in a particular domain. Sysvol is used to deliver the policy and logon scripts to domain members.

By default, sysvol includes 2 folders, the scripts folder is shared with the name NETLOGON

  1. Policies - (Default location - %SystemRoot%\Sysvol\Sysvol\domain_name\Policies)
  2. Scripts - (Default lcation - %SystemRoot%\Sysvol\Sysvol\domain_name\Scripts)

What is DR of ADS Server Failed?

Restoring AD DS after reinstalling the operating system

If you reinstall the operating system, you can restore AD DS in one of the following ways:

  • Use Dcpromo to reinstall AD DS and allow replication from another, healthy domain controller in the domain to update the domain controller.
  • Restore AD DS from backup (nonauthoritative restore). Then, allow replication from another, healthy domain controller in the domain to update the domain controller. This method requires less replication than reinstalling AD DS.
  • Install AD DS from installation media. This method, called install from media (IFM), requires that you have created installation media that can be used to install AD DS.

What is AD Database white space?

After an object is deleted it will remain in the directory for the tombstone-lifetime (60 or 180 days by default). The tombstone-lifetime assures that the tombstone will be replicated to every DC, so that every DC knows that the object is deleted. This is the reason why you cannot use a backup to restore Active Directory which is older than the tombstone-lifetime - it would reintroduce objects which have been deleted prior.

The garbage collection process one every domain controller takes care that tombstones which are older than the tombstone-lifetime are deleted permanently. The garbage-collection process runs by default every 12 hours on each DC. You can also configure other periods by modifying the garbageCollPeriod Attribute of the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com Object.

However, the object is permanently deleted now, but the NTDS.dit Databasefile which contains the Active Directory will not decrease its size. Instead the new "Whitespace" will be used for new objects. The only possibility to release the Whitespace in the database is to perform an offline defragmentation using NTDSUtil in the Directory Services Restore Mode.


How to force the Garbage Collection?

You can initiate garbage collection manually by using a published LDAP control. This doesn’t alter the what objects are collected, nor does it alter how may go into the dumpster. It simply says to do garbage collection right then rather than waiting until the next 12hour interval has passed.

You can use LDP.EXE to do the garbage collection control. Here are the steps:

1. In Ldp.exe, when you click Browse on the Modify menu, leave the Distinguished name box empty.

2. In the Edit Entry Attribute box, type “DoGarbageCollection” (without the quotation marks),

3. In the Values box, type “1” (without the quotation marks).

4. Set the Operation value set to Add and click the Enter button, and then click Run.

It’s possible that the garbage collection you start using the above method could stop in favor of more important tasks like AD replication in the same way as the scheduled garbage collection does. If that happens you can simply repeat the garbage collection steps above until all of the objects are removed.

The process for completing garbage collection has changed in Windows Server 2003 to improve storage conditions in the directory database. Garbage collection removes a maximum of 5,000 objects per pass to avoid indefinitely delaying other directory service tasks. However, the rate at which remaining tombstones are deleted when more than 5,000 tombstones have expired has increased from Windows 2000 Server to Windows Server 2003, as follows:

Windows 2000 Server: If collection stops because of the 5,000-object limit (rather than by running out of objects to collect), the next garbage collection pass is scheduled for half the normal garbage collection interval (by default, every 6 hours instead of 12 hours). Garbage collection continues running at this accelerated pace until all objects have been collected.

Windows Server 2003: Rather than waiting a set time to remove a subsequent set of 5,000 tombstones, a domain controller continues deleting tombstones according to CPU availability. If no other process is using the CPU, garbage collection proceeds. Removing tombstones in this way keeps the database size from increasing inordinately as a result of the inability of garbage collection to fully complete removal of all tombstones during a garbage collection interval.


Explain Active Directory database garbage collection process

Garbage collection is a housekeeping process that is designed to free space within the Active Directory database. This process runs on every domain controller in the enterprise with a default lifetime interval of 12 hours. You can change this interval by modifying the garbageCollPeriod attribute in the enterprise-wide DS configuration object (NTDS).

The path of the object in the Contoso.com domain would resemble the following:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=CONTOSO,DC=COM

Use an Active Directory editing tool to set the garbageCollPeriod attribute. Supported tools include Adsiedit.msc, Ldp.exe, and Active Directory Service Interfaces (ADSI) scripts.

When an object is deleted, it is not removed from the Active Directory database. Instead, the object is instead marked for deletion at a later date. This mark is then replicated to other domain controllers. Therefore, the garbage collection process starts by removing the remains of previously deleted objects from the database. These objects are known as tombstones. Next, the garbage collection process deletes unnecessary log files. Finally, the process starts a defragmentation thread to claim additional free space.

What is the difference between online and offline de-fragmentation?

The size of NTDS.DIT will often be different sizes across the domain controllers in a domain. Remember that Active Directory is a multi-master independent model where updates are occurring in each of the domain controllers with the changes being replicated over time to the other domain controllers.

The changed data is replicated between domain controllers, not the database, so there is no guarantee that the files are going to be the same size across all domain controllers.

Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a directory online defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around the database file (NTDS.DIT) and doesn’t reduce the file’s size - the database file cannot be compacted while Active Directory is mounted.

An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller than the NTDS.DIT file on its peers.

However, defragmenting the NTDS.DIT file isn’t something you should really need to do. Normally, the database self-tunes and automatically tombstoning the records then sweeping them away when the tombstone lifetime has passed to make that space available for additional records.

Defragging the NTDS.DIT file probably won’t help your AD queries go any faster in the long run.

So why defrag it in the first place?

One reason you might want to defrag your NTDS.DIT file is to save space, for example if you deleted a large number of records at one time.
To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the following steps:
Back up Active Directory (AD).
Reboot the server, select the OS option, and press F8 for advanced options.
Select the Directory Services Restore Mode option, and press Enter. Press
Enter again to start the OS.
Server will start in safe mode, with no DS running.
Use the local SAM’s administrator account and password to log on.
You’ll see a dialog box that says you’re in safe mode. Click OK.
From the Start menu, select Run and type cmd.exe
In the command window, you’ll see the following text. (Enter the commands in bold.)
C:\> ntdsutil
ntdsutil: files
file maintenance:info

....
file maintenance:compact to c:\temp

You’ll see the defragmentation process. If the process was successful, enter quit to return to the command prompt.

Then, replace the old NTDS.DIT file with the new, compressed version. (Enter the commands in bold.)

C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

Restart the computer, and boot as normal.

One last thing you need to perform this operation on every DC because changed data is replicated between domain controllers, not the database itself.

What is Active Directory De-fragmentation?

De-fragmentation of AD means separating used space and empty space created by deleted objects and reduces directory size (only in offline De-fragmentation)

What will happen if you do not perform the FSMO role seize in time?

FSMO Role Loss implications:

Schema: The schema cannot be extended. However, in the short term no one will notice a missing Schema Master unless you plan a schema upgrade during that time.

Domain Naming: Unless you are going to run DCPROMO, then you will not miss this FSMO role.

RID: Chances are good that the existing DCs will have enough unused RIDs to last some time, unless you're building hundreds of users or computer object per week.

PDC Emulator: Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time synchronization in the domain, you will probably not be able to change or troubleshoot group policies and password changes will become a problem.

Infrastructure: Group memberships may be incomplete. If you only have one domain, then there will be no impact.

Why it is recommended to never turn a DC back on after the role has been seized from it?

With the PDC Emulator and Infrastructure roles, this doesn't apply; they're able to recover just fine from a seizure. With the rest (RID, Schema, and Naming), it's not that you can't transfer back. It's that the recommendation is to never turn a DC back on after the role has been seized from it. The risk is that the two DCs both think they own the role; divergent schema changes, overlapping RIDs, and overlapping domains in the forest are the potential results.

How difficult it is to create these scenarios is another matter entirely (knowledge of the seizure will replicate to the old role holder and it will cease thinking it's the master - broken replication/connectivity is needed to create any risk); the recommendation to not bring the old DC back online is made due to an abundance of caution on Microsoft's part.

If you have to seize a RID, Naming, or Schema master's role, the safe course is to do metadata cleanup and reinstall the OS.

How can I forcibly transfer (seize) some or all of the FSMO Roles from one DC to another?

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring.

However, when the original FSMO role holder went offline or became non operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a different DC is called Seizing.

To seize the FSMO roles by using Ntdsutil, follow these steps:

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server, where is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize, where is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master:
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.

fsmo maintenance:Seize infrastructure master

Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE) data 1722 Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holder could not be contacted.)
[Depending on the error code this may indicate a connection, ldap, or role transfer error.]
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=netDomain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global Catalog server (unless every domain controller is Global Catalog server). If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be used again.

Another consideration before performing the seize operation is the administrator's group membership, as this table lists:

  • Schema: Schema Admins
  • Domain Naming: Enterprise Admins
  • RID: Domain Admins
  • PDC Emulator: Domain Admins
  • Infrastructure: Domain Admins

How can I determine who are the current FSMO Roles holders in my domain/forest?

How to find out which DC is holding which FSMO role? Well, one can accomplish this task by many means. Here a list of few available methods.

Method #1: Know the default settings

The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following table summarizes the FSMO default locations:

FSMO Role

Number of DCs holding this role

Original DC holding the FSMO role

Schema

One per forest

The first DC in the first domain in the forest (i.e. the Forest Root Domain)

Domain Naming

One per forest

RID

One per domain

The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)

PDC Emulator

One per domain

Infrastructure

One per domain

Method #2: Use the GUI

The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table to see which tool can be used for what FSMO role:

FSMO Role

Which snap-in should I use?

Schema

Schema snap-in

Domain Naming

AD Domains and Trusts snap-in

RID

AD Users and Computers snap-in

PDC Emulator

Infrastructure

Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click close.

Finding the Domain Naming Master via GUI

To find out who currently holds the Domain Naming Master Role:

1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
3. When you're done click close.

Finding the Schema Master via GUI

To find out who currently holds the Schema Master Role:

1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click it and press Operation Masters.
8. Press the Close button.

Method #3 : Use the Ntdsutil command

The FSMO role holders can be easily found by use of the Ntdsutil command.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server , where is the name of the server you want to use, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. At the FSMO maintenance: prompt, type Select operation target, and then press ENTER again.

At the select operation target: prompt, type List roles for connected server, and then press ENTER again.

select operation target: List roles for connected server

Server "server100" knows about 5 roles

Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net

Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net


select operation target:

8. Type q 3 times to exit the Ntdsutil prompt.

Method #4: Use the Netdom command

The FSMO role holders can be easily found by use of the Netdom command.

  1. On any domain controller, click Start, click Run, type CMD in the Open box, and then click OK.
  2. In the Command Prompt window, type netdom query /domain:<domain> fsmo
  3. Close the CMD window.

Which FSMO role is responsible for changing group policy?

PDC Emulator.

Which FSMO role is responsible for adding removing domain controller in Domain?

Domain Naming Master

What is the impact of Losing FSMO Role?

PDC Emulator (Domain Role)

Any Domain Controller performing an Operations Master (FSMO) function will not be the end of your environment; but each does have a potential for impact given a sufficient window of absence. In usual circumstances, however, the most crippling role to lose is the PDC Emulator.

In a mixed-mode environment, when the PDC Emulator goes down, you lose the bridgehead server for Windows NT 4.0 networks involved in trust relationships with that Active Directory domain. You also lose any down-level updating of the SAM for your Windows NT 4.0 Backup Domain Controllers, therefore Active Directory account changes such as password changes, login name changes etc. are never communicated.

Regardless of the mode or functional-level of the domain, you stand the risk of losing time-synch within the domain. The more complex and distributed the domain/forest, the greater the potential of Kerberos failures as the clocks fall apart from one-another on the Domain Controllers or clients which were directly dependent upon the defunct PDC Emulator.

Any Domain sitting above Mixed Mode would still also be susceptible to password changes not being communicated across the domain in a timely fashion.

RID Master (Domain Role)

If the Domain Controller performing as the RID Master goes down or becomes inaccessible, Windows 2000 and above domain controllers will have no place to acquire new RID pool assignments. As this function is only called upon sporadically , unless you are adding security principals in bulk, this outage may not become apparent for some time.

A more noticeable occurrence may be the failure of the movetree.exe command to function properly as it relies upon the RID Master present in the domain that the object is coming from to actually perform the move.

Infrastructure Master (Domain Role)

In the event that the Infrastructure Master Role holder is lost, the ramifications will vary based upon whether the forest is in itself a single domain, or if it contains multiple domains. If everything within your Active Directory forest is contained within a single domain, the Infrastructure Master really doesn’t have anything to do as there are no cross-domain references to be maintained.

In a forest with multiple domains, the Infrastructure Master Role holder plays a more vital role by maintaining cross-domain references (i.e. users from Domain A are members of a group in Domain B). Now the kicker here, any server in Domain B that is a Global Catalog Server will be automatically maintained due to the intercommunications of the GC processes forest-wide. This would make for an intermittent issue as some servers would have stale phantom references and others would be up-to-date.

Domain Naming Master (Forest Role)

If the Domain Naming Master role holder is lost, domains won’t be able to be added or removed from the Active Directory forest. DCPROMO is also affected, meaning that servers can neither be promoted nor demoted.

Though the loss of this role holder impacts some more common operations performed within an Active Directory forest and its contained domains, it is still doesn’t create highly visible issues within your environment.

Schema Master (Forest Role)

All Domain Controllers contain a copy of the Active Directory Schema. This Schema is essentially a template or listing of the various Active Directory object types and available attributes present within a given forest. This template is used to refresh the Active Directory database where the actual objects are stored.

The loss of the Schema Master Role holder in an Active Directory puts the forest into a state of stasis so no extensions (addition of object types and/or attributes) to the Schema can be made. This would impair activities such upgrading an Active Directory domain from Windows Server 2000 to Windows Server 2003, installing Microsoft Exchange, and/or adding new attributes to an object. All things considered, as this sort of activity does not happen on a daily basis, a forest could survive the loss of this role holder and continue with minimal inconvenience in most cases.

Brief all the FSMO Roles

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.

To prevent conflicting updates the Active Directory performs updates to certain objects in a single-master fashion.

In a single-master model, only one DC in the entire directory is allowed to process updates. In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

PDC Emulator FSMO Role

The PDC emulator is necessary to synchronize time in an enterprise. Windows includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of them in-bound time partner.

In a Windows domain, the PDC emulator role holder retains the following functions:

• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

• Account lockout is processed on the PDC emulator.

• The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

RID Master FSMO Role

The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

The RID master gives every DC a pool of 500 RIDs at a time. When a new domain account or group is created, the DC assigns the new account a SID and a RID that's taken from its local allocated RID pool. When a DC's RID pool begins to run low (Pre–Windows 2000 SP4 20%, Post–Windows 2000 SP4 50%), it automatically asks the RID master for another block of RIDs. Therefore, a post–Windows 2000 SP4 DC with a default pool size of 500 requests a new pool when 250 RIDs have been consumed. To check the RID allocation with Dcdiag, type the following at a command prompt:

dcdiag.exe /test:ridmanager /v

Infrastructure FSMO Role

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server, it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log.

If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

When the Recycle Bin optional feature is enabled, every DC is responsible to update its cross-domain object references when the referenced object is moved, renamed, or deleted. In this case, there are no tasks associated with the Infrastructure FSMO role, and it is not important which domain controller owns the Infrastructure Master role.

Domain Naming Master FSMO Role

The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory (that is, the Partitions\Configuration naming context or LDAP://CN=Partitions, CN=Configuration, DC=<domain>). This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories.

Schema Master FSMO Role

The schema master FSMO role holder is the DC responsible for performing updates to the directory schema (that is, the schema naming context or LDAP://cn=schema,cn=configuration,dc=<domain>). This DC is the only one that can process updates to the directory schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.

What is domain controller?

A domain controller is a server that has Active Directory Domain Services installed. By default, a domain controller stores one domain directory partition consisting of information about the domain in which it is located, plus the schema and configuration directory partitions for the entire forest. A domain controller can also store one or more application directory partitions. There are also specialized domain controller roles that perform specific functions in an AD DS environment. These specialized roles include global catalog servers and operations masters.

What are domain, trees, and forest?

A domain is defined as a logical group of network objects (computers, users, devices) that share the same active directory database, security policies, and trust relationships with other domains. In this way, each domain is an administrative boundary for objects. A single domain can span multiple physical locations or sites and can contain millions of objects.

Domain trees are collections of domains that are grouped together in hierarchical structures. When you add a domain to a tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain.

A child domain might in turn have its own child domain. The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name such as Corp.nwtraders.msft. In this manner, a tree has a contiguous namespace.

A forest is a complete instance of Active Directory. Each forest acts as a top-level container in that it houses all domain containers for that particular Active Directory instance. A forest can contain one or more domain container objects, all of which share a common logical structure, global catalog, directory schema, and directory configuration, as well as automatic two-way transitive trust relationships. The first domain in the forest is called the forest root domain. The name of that domain refers to the forest, such as Nwtraders.msft. By default, information in Active Directory is shared only within the forest. In this way, the forest is a security boundary for the information that is contained in that instance of Active Directory.

What is Active Directory Domain Services?

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS).

What are Active Directory Logical and Physical Components?

Active directory physical structure is a hierarchal structure which fallows

Forests -> Trees -> Domains -> Child Domains -> Grand Child etc.

Active directory is logically divided into partitions

  • Configuration partition
  • Schema Partition
  • Domain partition
  • Application Partition (only in windows 2003 not available in windows 2000)