What do you understand by Group Scope in Active Directory?

Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional level of domains and forests. Domain local group memberships are not limited as you can add members as user accounts, universal and global groups from any domain. Just to remember, nesting cannot be done in domain local group. A domain local group will not be a member of another Domain Local or any other groups in the same domain.

Can contain users, computers, global groups and universal groups from any domain in the forest and any trusted domain, and domain local groups from the same domain. Can be a member of any domain local group in the same domain.

Global Group: Users with similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in local or another domain in same forest. To say in simple words, Global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest as their memberships are limited. User accounts and global groups can be added only from the domain in which global group is created. Nesting is possible in Global groups within other groups as you can add a global group into another global group from any domain. Finally to provide permission to domain specific resources (like printers and published folder), they can be members of a Domain Local group. Global groups exist in all mixed, native and interim functional level of domains and forests.

Can contain users, computers and groups from same domain but NOT universal groups. Can be a member of global groups of the same domain, domain local groups or universal groups of any domain in the forest or trusted domains.

Universal Group: These groups are precisely used for email distribution and can be granted access to resources in all trusted domain as these groups can only be used as a security principal (security group type) in a windows 2000 native or windows server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of universal group. Universal groups can be nested under a global or Domain Local group in any domain.

Can contain users and groups (global and universal) from any domain in the forest. Universal groups do not care about trust. Universal groups can be a member of domain local groups or other universal groups but NOT global groups.

What are the Groups types available in active directory?

Security groups : Use Security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.

Distribution groups : Distribution groups are used for sending e-main messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups still requires, because some applications can only read distribution groups.

What System State data contains?

• Startup files
• Registry
• Com + Registration Database
• Memory Page file
• System files
• AD information
• Cluster Service information
• SYSVOL Folder

How to configure Certificate Templates?

You can create a new certificate template by duplicating an existing template and using the existing template's properties as the default for the new template. Different applications and types of certification authorities (CAs) support different certificate templates. For example, some certificate templates can only be issued and managed by enterprise CAs running Windows Server 2003, and some may require that the CA be running Windows Server 2008. Review the list of default certificate templates, and examine their properties to identify the existing certificate template that most closely meets your needs. This will minimize the amount of configuration work that you need to do.

To create a new certificate template

• Open the Certificate Templates snap-in.
• Right-click the template to copy from, and then click Duplicate Template.
• Choose the minimum version of CA that you want to support.
• Type a new name for this certificate template.
• Make any necessary changes, and click OK.

What is Certificate Template?

Enterprise certification authorities (CAs) use certificate templates to define the format and content of certificates, to specify which users and computers can enroll for which types of certificates, and to define the enrollment process, such as autoenrollment, enrollment only with authorized signatures, and manual enrollment. Associated with each certificate template is a discretionary access control list (DACL) that defines which security principals have permissions to read and configure the template, as well as to enroll or autoenroll for certificates based on the template. The certificate templates and their permissions are defined in Active Directory Domain Services (AD DS) and are valid within the forest. If more than one enterprise CA is running in the Active Directory forest, permission changes will affect all enterprise CAs.

Why cannot you restore a DC that was backed up 4 months ago?

When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. If attempt to you restore a backup that is expired, you may encounter problems due to “lingering objects”.

How do you backup AD?

Backing up Active Directory is essential to maintain the proper health of the Active Directory database. Backing up the Active Directory is done on one or more of your Active Directory domain Controllers (or DCs), and is performed by backing up the System State on those servers. The System State contains the local Registry, COM+ Class Registration Database, the System Boot Files, certificates from Certificate Server (if it’s installed), Cluster database (if it’s installed), NTDS.DIT, and the SYSVOL folder.

Windows Server 2003

You can backup Active Directory by using the NTBACKUP tool that comes built-in with Windows Server 2003, or use any 3rd-party tool that supports this feature.

Method #1: Using NTBACKUP

1. Open NTBACKUP by either going to Run, then NTBACKUP and pressing Enter or by going to Start -> Accessories -> System Tools.

2. If you are prompted by the Backup or Restore Wizard, I suggest you un-check the "Always Start in Wizard Mode" checkbox, and click on the Advanced Mode link.

3. Inside NTBACKUP's main window, click on the Backup tab.

4. Click to select the System State checkbox. Note you cannot manually select components of the System State backup. It's all or nothing.

5. Enter a backup path for the BKF file. If you're using a tape device, make sure NTBACKUP is aware and properly configured to use it.

6. Press Start Backup.

7. The Backup Job Information pops out, allowing you to configure a scheduled backup job and other settings. For the System State backup, do not change any of the other settings except the schedule, if so desired. When done, press Start Backup.

8. After a few moments of configuration tasks, NTBACKUP will begin the backup job.

9. When the backup is complete, review the output and close NTBACKUP.

10. Next, you need to properly label and secure the backup file/tape and if possible, store a copy of it on a remote and secure location.

Method #2: Using the Command Prompt

1. You can use the command line version of NTBACKUP in order to perform backups from the Command Prompt.

2. For example, to create a backup job named "System State Backup Job" that backs up the System State data to the file D:\system_state_backup.bkf, type:

ntbackup backup systemstate /J "System State Backup Job" /F "D:\system_state_backup.bkf"

Windows Server 2008

Before you can backup Server 2008 you need to install the backup features from the Server Manager.

1. To install the backup features click Start → Server Manager.

2. Next click Features → Add Features

3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools.

In Server 2008, there isn’t an option to backup the System State data through the normal backup utility . We need to go “command line” to backup Active Directory.

1. Open up your command prompt by clicking Start and type “cmd” and hit enter.

2. In your command prompt type “wbadmin start systemstatebackup -backuptarget:e:” and press enter.

Note: You can use a different backup target of your choosing

3. Type “y” and press enter to start the backup process.

When the backup is finished running you should get a message that the backup completed successfully. If it did not complete properly you will need to troubleshoot.

Windows Server 2008 R2

1. Open Windows Server Backup

2. In action panel click Backup Once

3. Different Options is Selected, click Next

4. Choose Custom, click Next

5. Click Add Items

6. Select System State, click Next

7. Specify Backup Destination, Local drive (Apart from System Volume) or Network Share

8. Click Backup to start System State Backup

9. You may close the wizard and the backup operation will continue to run in background.

What tool would I use to try to grab security related packets from the wire?

Network tap is best solution for grabbing data packet in a network. It is a hardware device which provides a way to access the data flowing across a computer network. Computer networks, including the Internet, are collections of devices, such as computers, routers, and switches that are connected to each other.

Network taps are commonly used for security applications because they are non-obtrusive, are not detectable on the network, can deal with full-duplex and non-shared networks, and will usually pass-through traffic even if the tap stops working or loses power.

What is the difference between Windows Server 2003 and Windows Server 2008 boot process?

Steps	Windows Server 2003 Boot Process	Windows Server 2008 Boot Process
1	Power On -> BOIS Loaded -> POST	Power On -> BOIS Loaded -> POST
2	BIOS Looks for the MBR on the bootable device	BIOS Looks for the MBR on the bootable device
3	Through the MBR the boot sector is located and the NTLDR is loaded	Through the MBR the boot sector is located and the BOOTMGR is loaded
4	NTLDR reads BOOT.INI from the system volume to determine the boot drive	BOOTMGR reads the BCD (boot configuration database) file from the \boot directory
5	NTLDR loads and executes NTDETECT.COM from the system volume to perform BIOS hardware detection	BOOTMGR transfer control to the Windows Loader (winload.exe) or winresume.exe in case the system was hibernated.
6	NTLDR reads the registry files, selects a hardware profile, control set, and loads drivers flagged as "boot" defined in the system hive, then passes control to NTOSKRNL.EXE	Windows Loader loads drivers that are set to start at boot and then passes control to NTOSKRNL.EXE