Windows 2000 Active Directory Faq


8/8/2019 Windows 2000 Active Directory Faq

http://slidepdf.com/reader/full/windows-2000-active-directory-faq 1/43

Windows 2000 Active Directory Faq's

• What is the Active Directory?
• A number of Active Directory descriptions.
• What is X.500 and LDAP?
• What is the Global Catalog?
• How do I configure a server as a Global Catalog?
• What is the Schema?
• What is a domain tree?
• What is a domain forest?
• What is a Kerberos trust?
• How do I create a new Active Directory Site?
• How do I move a server to a different site?
• How can a server belong to more than one site?
• How can I backup the Active Directory/System State?
• How can I restore the Active Directory?
• What are the FSMO roles in Windows 2000?
• How can I change the RID master FSMO?
• How can I change the PDC emulator FSMO?
• How can I change the Infrastructure master FSMO?
• How can I change the Domain naming master FSMO?
• How can I change the Schema master FSMO?
• What is Multi-master replication?
• How can I move objects within my Forest?
• How do I allow modifications to the Schema?
• What are Tombstone objects?
• How do I switch my 2000 domain to native mode?
• How can I force replication between two domain controllers in a site?
• How can I change replication schedule between two domain controllers in a site?
• Can I rename a site?
• What DNS entries are added when a Windows 2000 domain is created?
• How can I manually defragment the Active Directory?
• How can I audit the Active Directory?
• How can I automate a server upgrade to a Domain Controller during installation?
• How do I enable circular logging for the Active Directory?
• I can't add a 4.0 BDC to my Windows 2000.
• I can't have spaces in my Windows 2000 NetBIOS domain name, why?

What is the Active Directory?

The Active Directory is Microsoft's implementation of a 'Directory Service', and a directory service is basically something that stores data in an organized format and has the mechanisms needed to publish and access the data.

Active Directory is not a Microsoft innovation, but rather an implementation of an existing model (X.500), an existing communication mechanism (LDAP) and an existing location technology (DNS); each of these is covered in the FAQ.

Before the details of Active Directory are considered, it is important to have an overview of what it is trying to achieve. A directory in its most basic sense is just a container for other information: a telephone directory, for example, has various entries, and each entry has values. A name, address and telephone number would make up a single entry in the directory.

Name: Wayne
Address: 2 Win2ktech Way (yeah right :-)), Calgary
Tel: 696 9696
E-mail: [email protected]

In a large directory these entries may be grouped by location or by their type, e.g. lawyers, pest control, etc., or both, which would lead to a hierarchy of each type of person in each location. The actual telephone directory would be a directory service as it contains not only the data but also a means to access and use it. The telephone operator would also constitute a directory service, as it has access to the data and presents it to you: you can request data and an answer to your query is given.

Active Directory is a type of Directory Service: it holds information about all resources on the network, and clients can query the Active Directory for information about any aspect of the network. Active Directory has a number of powerful features:

• Information is stored in a secure form: each object in the Active Directory has an Access Control List (ACL) which lists the resources that may access it and to what degree.
• A flexible mechanism for queries based on a global catalog that is generated by the Active Directory. Any client that supports Active Directory can query the catalog.
• Replication of the directory to all Domain Controllers in the domain means easier accessibility, higher availability and fault tolerance.
• Extensible design means new object types can be added to the directory or existing objects built on. For example a salary attribute could be added to the user object.
• Communication can be carried out over a number of protocols due to its X.500 foundation. These include LDAP version 2 and 3, and HTTP.
• Domain Naming System (DNS) is used for the naming and location of domain controllers rather than NetBIOS names.
• Information is partitioned in the Directory by domain to avoid replicating excessive amounts of information.

The last point regarding partitioning the information in the Directory into different stores does not mean that the Active Directory cannot be queried for information from other domains. Global catalogs are used which contain information about every object in the enterprise forest, allowing forest-wide searches.

[Back to The Top]

A number of Active Directory descriptions.

Below are some definitions for the active directory:

ONE SENTENCE SUMMARY OF DNS AND ACTIVE DIRECTORY:

A dns server is used by a client to provide the address of the client's nearest domain controller, which has a copy of Active Directory, which the client then uses to locate whatever object it's looking for.

ONE PARAGRAPH SUMMARY OF DNS AND ACTIVE DIRECTORY:

First a client contacts a dns (domain name system) server which looks up the client's domain, and provides him with the address of the closest dc in that domain. The client proceeds to contact the dc which can then authenticate him. Once authenticated, the client can search Active Directory (a database on the dc) to find objects the client is looking for, like an address for mail, a file, printer, or list of users in a group, etc. If the client cannot contact a dns server, it won't be able to find its domain controller, since only the dns server has the address of it.

ONE PAGE SUMMARY OF DNS AND ACTIVE DIRECTORY:

When dcpromo is performed on a W2K machine named, say, "fido" for the first time, creating a new domain, say, "narnia", dcpromo creates two different kinds of "domains". First it creates a domain on the dns server, in our example "narnia.extest.microsoft.com". This will be found on the extest dns servers, which are in exlab's minilab in bldg 43. Exlab maintains these as community dns servers to save testers the trouble of installing a dns server every time they want to install W2K. Simplified a little, the dns domain on the extest master dns servers looks like this:

extest.microsoft.com
    narnia.extest.microsoft.com
        bigthud    dc    172.30.224.34
        blackie    dc    172.20.32.13
        etc.

(this is very approximate, but functionally identical)

Clients contact the dns server and it looks up the client's domain. Looking for "narnia" the dns server also discovers "bigthud" and "blackie", both dc's of "narnia". Let's say "bigthud" is the closest dc to the client. The dns server would send the client the address of the dc "bigthud", namely 172.30.224.34. The client connects and accesses the Active Directory domain database stored on "bigthud" to find objects (like printers, file servers, users, groups, organizational units, etc) in the "narnia" domain. "bigthud" also stores links to other domains in the tree "com". Thus, the client can search a whole tree of domains.

If the search needs to go beyond the client's tree of domains, then a version of Active Directory listing the objects in the whole forest is also available. It is called the Global Catalog. The GC can be kept on any dcs in the forest you may choose, or all, but it does not have to be kept on all.

GC is a shorthand way to access an object ANYWHERE in the forest, but it only provides a few of its attributes; you have to go to the domain AD (always on a dc in that domain) to get the whole object. The GC can be configured to provide whatever object attributes you choose, too, not just a rigid default set of them.

To help in creating objects in AD, the dc also keeps a copy of the classes and hierarchy of classes for the whole forest, too. For example, if we had a class of "baseball players", and a derived class "pitchers" (which is just a player with a few records added of strikeouts and no-hitters, etc) then the class structure would be kept in AD in the part called the "Schema". If we then created an actual group of players we would use our Schema classes to make the players as objects (instances of the classes) in Active Directory. We can also add more classes, e.g. "football players" and "quarterbacks" to the Schema, and we call that freedom an "extensible Schema".

The schema is a part of the W2K "configuration namespace" kept on all dcs in a forest. A namespace is a range of labels you put on things, e.g. a supermarket "aisle" namespace: aisle=cookies, shelf=top, item=oreo. The configuration namespace in W2K consists of a number of defined items such as physical locations, W2K "sites" (a site is a child of a forest, and can contain machines from any domain, the only condition being that all machines in a site have fast reliable net connections for dc replication), and "subnets" which are IP address groupings assigned to sites which help further speed up AD replication amongst dc's, e.g. "your dc rocks if it's in the IP subnet and W2K site where its friends are".

Active Directory employs LDAP (Lightweight Directory Access Protocol, a standard Internet protocol that many applications use) to access its records. Why? Because its records are STORED on the dc in "LDAP distinguished name format". But what is LDAP distinguished name format? In the following LDAP distinguished name format example "fred" is a user in the "programming" organizational unit in the "narnia" domain in the "extest" domain in the "microsoft" domain in the "com" domain:

cn=fred,ou=programming,dc=narnia,dc=extest,dc=microsoft,dc=com

where cn stands for common name, ou stands for organizational unit, and dc in this case stands for "domain component", NOT domain controller. This is how "fred" appears in Active Directory, and a client such as an administrator can access attributes about fred using that syntax, assuming the client has security permissions to do so.

The client's actions are straightforward, as long as the client talks LDAP to Active Directory. However, an action may be done from a client running an application that uses a different name format. To support this, there are two other name formats that can be used (with a little translating) to access Active Directory:

1. "LDAP URL". Example: LDAP://server1.narnia.extest.microsoft.com/cn=fred,ou=programming,dc=narnia,dc=extest,dc=microsoft,dc=com
2. "Active Directory Canonical name". Example: narnia.extest.microsoft.com/programming/fred. This last one, "Active Directory Canonical name", is what you'll see in user interfaces in W2K.
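The three name formats above can be converted into one another mechanically. The following Python is an added example, not code from the FAQ: it splits an LDAP distinguished name into its RDNs (honouring the "\," escape for a literal comma), derives the DNS name of the domain, builds the canonical name and the LDAP URL, and converts a canonical name back to a DN. The sample DN and the server name server1.narnia.extest.microsoft.com are the ones from the text; canonical_to_dn assumes, as holds for users and computers, that the last path element is a cn= object and everything between it and the domain is an ou= container.

```python
import re
from typing import List, Tuple

# Constructed from the FAQ's own example: user "fred" in the "programming" OU of
# the narnia.extest.microsoft.com domain.
SAMPLE_DN = "cn=fred,ou=programming,dc=narnia,dc=extest,dc=microsoft,dc=com"

# LDAP escapes a literal comma inside a value as "\,", so split only on commas
# that are not preceded by a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, least significant RDN first."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().lower(), value.replace("\\,", ",")))
    return rdns


def dns_name(dn: str) -> str:
    """DNS name of the domain holding the object: the dc= components, dotted."""
    labels = [value for attr, value in parse_dn(dn) if attr == "dc"]
    if not labels:
        raise ValueError("DN has no dc= components")
    return ".".join(labels)


def canonical_name(dn: str) -> str:
    """Active Directory canonical name, the form the W2K user interface shows:
    dns.domain/container/.../leaf (non-dc RDNs in most-significant-first order)."""
    path = [value for attr, value in parse_dn(dn) if attr != "dc"]
    return "/".join([dns_name(dn)] + list(reversed(path)))


def ldap_url(dn: str, server: str) -> str:
    """LDAP URL form: the server to ask, then the DN to ask for."""
    return f"LDAP://{server}/{dn}"


def canonical_to_dn(canonical: str) -> str:
    """Inverse of canonical_name(). Assumption: the last path element is a cn=
    object and the containers above it are ou= organizational units."""
    domain, *path = canonical.split("/")
    rdns = []
    if path:
        leaf, *containers = reversed(path)   # leaf first, then containers upward
        rdns.append("cn=" + leaf.replace(",", "\\,"))
        rdns.extend("ou=" + c.replace(",", "\\,") for c in containers)
    rdns.extend("dc=" + label for label in domain.split("."))
    return ",".join(rdns)


if __name__ == "__main__":
    print(canonical_name(SAMPLE_DN))
    print(ldap_url(SAMPLE_DN, "server1.narnia.extest.microsoft.com"))
    print(canonical_to_dn("narnia.extest.microsoft.com/programming/fred"))
```

Note that the canonical form lists containers top-down while the DN lists them bottom-up, which is why both conversions reverse the non-dc part.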

[Back to The Top]

What is X.500 and LDAP?

X.500 is the most common protocol that is used for Directory Management and there are currently 2 main standards, the 1988 and 1993 standards, with the 1993 standard providing a number of advances over the older standard. The Windows NT 5.0 implementation of its Directory Services is derived from the 1993 X.500 standard as described below.

The X.500 model uses a hierarchical approach to the objects in the name space, with a root at the top of the namespace and children coming off of it. Domains in Windows 2000 are DNS names; for example win2ktech.com is a domain name and legal.win2ktech.com is a child domain of win2ktech.com. Child domains are covered elsewhere.

The example shows a root of the directory service and then a number of children. In this case the first layer of children represent countries, however there are no rules and you may break these down however you want. Imagine each country as a child domain of the root, for example us.root.com and england.root.com. Each child domain can then be broken into a number of organizations. These organizations can be broken down further into organizational units, and various privileges/policies can be applied to each Organizational Unit. Each Organizational Unit has a number of objects such as users, computers, groups etc.

While the directory service is based on X.500, the access mechanism actually uses LDAP (Lightweight Directory Access Protocol) which solves a number of problems with X.500.

[Back to The Top]

What is the Schema?

The Schema is a blueprint of all objects in the domain, and when first created a default Schema exists which contains definitions for users, computers, domains etc. Because of this, you can only have one schema per domain, as you cannot have multiple definitions of the same object.

The default schema definition is defined in the SCHEMA.INI file that also contains the initial structure for the NTDS.DIT (storage for the Directory data). This file is located in the %systemroot%\ntds directory. This file is a plain ASCII format file and can be typed out.

[Back to The Top]

What is a domain tree?

In Windows 2000 one domain can be a child of another domain, e.g. child.domain.com is a child of domain.com (a child domain always has the complete domain name of the parent in it), and a child domain and its parent share a two-way transitive trust.

When you have a domain as a child of another, a domain tree is formed. A domain tree has to have a contiguous name space.

Notice in the second diagram that the lack of contiguous names means they are not part of the tree.

The name of the tree is the root domain name, so in the example the tree would be referred to as root.com. Since the domains are DNS names and inherit the parent part of the name, if a part of the tree is renamed, then all of its children will implicitly also be renamed; for example if the parent ntfa.com of sales.ntfa.com was renamed to backoffice.com the child would be renamed to sales.backoffice.com. This is not actually currently possible though.

Domain trees can currently only be created during the server to Domain Controller promotion process with DCPROMO.EXE; this may change in the future.

There are a number of advantages in placing domains in a tree. The first and most useful is that all members of a tree have Kerberos transitive trusts with their parent and all their children. These transitive trusts also mean that any user or group in a domain tree can be granted access to any object in the entire tree. This also means that a single network logon can be used at any workstation in the domain tree.

[Back to The Top]

What is a domain forest?

You may have a number of separate domain trees in your organization that you would like to share resources, and this can be accomplished by joining trees to form a forest.

A forest is a collection of trees that do not have to form a contiguous name space (however each tree still has to be contiguous). This may be useful if your company has multiple root dns addresses.

As can be seen from the example, the two root domains are joined via a transitive, two-way Kerberos trust, as in the trust created between a child and its parent. Forests always contain the entire domain tree of each domain and it is not possible to create a forest containing only parts of a domain tree.

Forests are created during the server to Domain Controller promotion process with DCPROMO and can currently not be created at any other time; this will change in the next version.

You are not limited to only 2 domain trees in a forest, you can add as many trees as you want, and all domains within the forest will be able to grant access to objects for any user within the forest. Again this cuts back on having to manually manage the trust relationships. The effect of creating a forest is the following:

• All trees have a common Global Catalog containing specific information about every object in the forest
• The trees all contain a common schema. Microsoft has not yet confirmed the action if 2 trees have different schemas before they are joined. I assume the changes will be merged.
• Searches in a forest will perform a deep search of the entire tree of the domain the request is initiated from and use the Global Catalog entries for the rest of the forest

You may of course choose not to join trees to become a forest and may instead create normal trusts between individual elements of the trees.

[Back to The Top]

What is a Kerberos trust?

Windows NT 4.0 trust relationships are not transitive, so if domain2 trusts domain1, and domain3 trusts domain2, domain3 does not trust domain1.


This is not the case with the trust relationships used to connect members of a tree/forest in Windows 2000: trust relationships used in a tree are two-way, transitive Kerberos trusts, which means any domain in a tree implicitly trusts every other domain in the tree/forest. This removes the need for time-consuming administration of the trusts, as they are created automatically when a domain joins a tree.

Kerberos is the primary security protocol for Windows NT. Kerberos verifies both the identity of the user and the integrity of the session data. The Kerberos services are installed on each domain controller, and a Kerberos client is installed on each Windows NT workstation and server. A user's initial Kerberos authentication provides the user a single logon to enterprise resources. Kerberos is not a Microsoft protocol and is based on version 5.0 of Kerberos. For more information see IETF RFCs (Requests For Comments) 1510 and 1964. These documents are available on the web from http://www.isi.edu/rfc-editor/rfc.html.
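To make the tree, forest and trust rules of the last three sections concrete, here is an added Python example (not from the FAQ). It groups a list of DNS domain names into contiguous trees, generates the two-way parent/child and root-to-root trusts that Windows 2000 creates automatically when domains join a tree or forest, and then answers "does A trust B?" both the NT 4.0 way (only a direct, one-way trust counts) and the Windows 2000 way (any chain of trusts counts). The domain names are the FAQ's own examples arranged into a constructed two-tree forest; which tree root acts as the forest root is an assumption (the first root alphabetically unless you name one), since the FAQ only says the roots are joined.

```python
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

Trust = Tuple[str, str]   # (trusting domain, trusted domain)


def is_descendant(domain: str, ancestor: str) -> bool:
    """A child domain always carries the complete DNS name of its parent."""
    return domain.lower().endswith("." + ancestor.lower())


def immediate_parent(domain: str, domains: Iterable[str]) -> Optional[str]:
    """The closest (longest-named) ancestor of `domain` present in `domains`."""
    ancestors = [d for d in domains if is_descendant(domain, d)]
    return max(ancestors, key=len) if ancestors else None


def tree_root(domain: str, domains: Iterable[str]) -> str:
    """Topmost ancestor of `domain` in the list; the tree is named after it."""
    root = domain
    for candidate in domains:
        if is_descendant(root, candidate):
            root = candidate
    return root


def group_into_trees(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Group domains by contiguous namespace: tree root -> sorted members."""
    domains = [d.lower() for d in domains]
    trees: Dict[str, List[str]] = {}
    for d in domains:
        trees.setdefault(tree_root(d, domains), []).append(d)
    return {root: sorted(members) for root, members in trees.items()}


def forest_trusts(domains: Iterable[str], forest_root: Optional[str] = None) -> Set[Trust]:
    """Trusts Windows 2000 creates automatically: two-way between every child and
    its parent, and two-way between each tree root and the forest root (assumed
    here to be the alphabetically first root when none is given)."""
    domains = [d.lower() for d in domains]
    edges: Set[Trust] = set()
    for d in domains:
        parent = immediate_parent(d, domains)
        if parent:
            edges.update({(d, parent), (parent, d)})
    roots = sorted(group_into_trees(domains))
    root = (forest_root or roots[0]).lower()
    for r in roots:
        if r != root:
            edges.update({(r, root), (root, r)})
    return edges


def trusts(source: str, target: str, edges: Set[Trust], transitive: bool) -> bool:
    """Does `source` trust `target`?  NT 4.0: only a direct edge counts.
    Windows 2000 Kerberos trusts: any chain of trust edges is enough."""
    source, target = source.lower(), target.lower()
    if source == target:
        return True
    if not transitive:
        return (source, target) in edges
    outgoing: Dict[str, Set[str]] = {}
    for trusting, trusted in edges:
        outgoing.setdefault(trusting, set()).add(trusted)
    seen, queue = {source}, deque([source])
    while queue:
        for nxt in outgoing.get(queue.popleft(), ()):
            if nxt == target:
                return True
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


# Constructed forest of two trees, built from the FAQ's own example names.
FOREST = ["win2ktech.com", "legal.win2ktech.com", "sales.legal.win2ktech.com",
          "root.com", "us.root.com"]

# The FAQ's NT 4.0 example: domain2 trusts domain1 and domain3 trusts domain2.
NT4_TRUSTS: Set[Trust] = {("domain2", "domain1"), ("domain3", "domain2")}

if __name__ == "__main__":
    print(group_into_trees(FOREST))
    edges = forest_trusts(FOREST)
    print(trusts("sales.legal.win2ktech.com", "us.root.com", edges, transitive=True))
    print(trusts("domain3", "domain1", NT4_TRUSTS, transitive=False))
```

Running the NT 4.0 edge set through trusts() with transitive=True shows what the same three domains would get under Windows 2000 rules: domain3 reaches domain1 through domain2.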

[Back to The Top]

How do I create a new Active Directory Site?

Active Directory has the concept of sites, which can be used to group servers into containers which mirror the physical topology of your network, and allow you to configure replication between domain controllers (among other things). A number of TCP/IP subnets can also be mapped to sites, which then allows new servers to automatically join the correct site depending on their IP address and clients to easily find a domain controller closest to them.

When you create the first domain controller a default site, Default-First-Site-Name, is created to which the domain controller is assigned. Subsequent domain controllers are also added to this site, however they can then be moved. This site can be renamed if you wish.

Sites are administered and created using the "Active Directory Sites and Services Manager" MMC snap-in. To create a new site perform the following:

1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
2. Right click on the Sites branch and select New - Site from the displayed context menu
3. Enter a name for the site, e.g. NewYork. The name must be 63 characters or less and cannot contain . or space characters. You must also select a site link (by default there will only be one, DEFAULTIPSITELINK of type IP).
4. Click OK

Now the site is created you can assign various IP subnets to it as follows:

1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
2. Expand the Sites branch
3. Right click on Subnets and select New - Subnet
4. You used to have to enter the name of the subnet in the form <network>/<bits masked>, e.g. 200.200.201.0/24 would be network 200.200.201.0 with subnet mask 255.255.255.0. This proved too complicated, so you now just enter the address and mask. Select the Site to associate the subnet with, e.g. Australia
5. Click OK

You now have a subnet linked to a site. You can assign multiple subnets to a site if you wish.

If you are confused about the bits masked in the subnet name, it can be between 22 and 32 and is just the number of bits set in the subnet mask. The subnet mask is made up of 4 sets of 8 bits. To convert the subnet mask to bits you can use the illustration below.

Therefore the subnet mask 255.255.255.0 would be 11111111.11111111.11111111.00000000 in binary, which therefore uses 8+8+8 bits (24) to define the subnet mask. A subnet mask of 255.255.252.0 would be 11111111.11111111.11111100.00000000 which is 8+8+6 or 22.
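The mask-to-bits arithmetic above, the <network>/<bits masked> subnet name and the rule that a new server joins the site owning its subnet can all be checked with a few lines of Python. This is an added example and not part of the FAQ: the subnet-to-site table is constructed (the 172.30.224.x address is the FAQ's "bigthud"), non-contiguous masks and network addresses with host bits set are rejected because neither describes a real subnet, and an address resolves to the site of the most specific subnet that contains it.

```python
import ipaddress
from typing import Dict, Optional

ALL_ONES = 0xFFFFFFFF


def mask_to_bits(mask: str) -> int:
    """Number of bits set in a dotted-decimal subnet mask, e.g. 255.255.252.0 -> 22.
    A usable mask is a run of ones followed by zeros; anything else is rejected."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal mask: {mask}")
    value = int.from_bytes(bytes(octets), "big")
    bits = bin(value).count("1")
    if value != ((ALL_ONES << (32 - bits)) & ALL_ONES):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bits


def bits_to_mask(bits: int) -> str:
    """Inverse of mask_to_bits: 22 -> 255.255.252.0."""
    if not 0 <= bits <= 32:
        raise ValueError(f"bits must be 0..32, got {bits}")
    value = (ALL_ONES << (32 - bits)) & ALL_ONES
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_name(network: str, mask: str) -> str:
    """The <network>/<bits masked> name the snap-in originally asked for.
    strict=True makes ipaddress reject a network address with host bits set."""
    return str(ipaddress.ip_network(f"{network}/{mask_to_bits(mask)}", strict=True))


def is_valid_subnet_entry(network: str, mask: str) -> bool:
    """True if the address/mask pair describes a real subnet (what step 4 asks for)."""
    try:
        subnet_name(network, mask)
        return True
    except ValueError:
        return False


# Constructed subnet-to-site table, as you would build it under Sites\Subnets.
SITE_SUBNETS: Dict[str, str] = {
    "200.200.201.0/24": "NewYork",
    "172.30.224.0/22": "Australia",   # mask 255.255.252.0
    "172.30.0.0/16": "Calgary",
}


def site_for_address(ip: str, site_subnets: Dict[str, str]) -> Optional[str]:
    """Site a server with this address is placed in: the most specific (longest
    prefix) subnet that contains it, or None if no configured subnet covers it."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


if __name__ == "__main__":
    print(mask_to_bits("255.255.252.0"), bits_to_mask(24))
    print(subnet_name("200.200.201.0", "255.255.255.0"))
    print(site_for_address("172.30.224.34", SITE_SUBNETS))
```

Overlapping subnets are resolved by longest prefix, so the /22 for Australia wins over the /16 for Calgary for an address in 172.30.224.0/22 while the rest of 172.30.0.0/16 still lands in Calgary.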

[Back to The Top]

How do I move a server to a different site?

If your sites and subnets are configured then new servers will automatically get added to the site that owns the subnet, however you can also manually move a server to a different site:

1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
2. Expand the Sites container.
3. Expand the site that currently contains the server, then expand the Servers container
4. Right click on the server and select Move from the context menu
5. You will be shown a list of all sites. Select the new target site and click OK

The move will take immediate effect.

[Back to The Top]

How can a server belong to more than one site?

By default a server will belong to one site, however you may want to configure a server to belong to multiple sites.

Bear in mind sites are used for replication, for clients to find resources and to cut down on traffic on inter-site connections, so just modifying the site membership may cause performance problems.

To configure a server to have multiple site membership perform the following:

1. Logon to the server that should join multiple sites
2. Start the registry editor (regedt32.exe not regedit.exe)
3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
4. Select "Add Value" from the Edit menu
5. Enter a name of SiteCoverage and of type REG_MULTI_SZ. Click OK
6. Enter the names of the sites to join, each on a new line, e.g.
   Australia
   London
   Press Shift-Enter to move to the next line. Click OK
7. Close the registry editor

The above does not create the objects in the Active Directory to evaluate the sites and these need to be added manually.

[Back to The Top]

How can I backup the Active Directory/System State?

The Active Directory is backed up using the NTBACKUP.EXE utility. The Active Directory is part of the machine's System State, which is defined as follows:

For all Windows 2000 machines the System State includes the registry, class registration database and the system boot files. For a Windows 2000 Server that is a certificate server it also contains the Certificate Services database. Finally, for a Windows 2000 machine that is a domain controller it also includes the Active Directory and the SYSVOL directory.

To backup the System State using the Backup Wizard perform the following:

1. Start NTBACKUP.EXE
2. NTBACKUP.EXE will start in the Welcome screen. Click the 'Backup Wizard' button
3. Click Next to the introduction dialog
4. In the dialog that asks what to backup select 'Only back up the Distributed Service Set' and click Next
5. You should then continue as per normal by selecting the backup media etc.

If you don't want to use the wizard it can be manually backed up as follows:

1. Start NTBACKUP.EXE
2. Select the Backup tab
3. Check the 'System State' box (and any other drives)
4. Select the backup destination
5. Click 'Start Backup'
6. Confirm the backup description and click 'Start Backup'
7. The backup will then begin

To backup only the System State from the command line use the command:

C:\> ntbackup backup systemstate /f d:\active.bkf

Of course this is the most basic backup to file and you can use more complex options.

[Back to The Top]

How can I restore the Active Directory?

The Active Directory cannot be restored to a domain controller while the Directory Service is running, so to restore perform the following:

1. Reboot the computer
2. At the boot menu select "Windows 2000 Server" but do NOT press Enter. Press F8 for advanced options:

OS Loader V5.0

Windows NT Advanced Options Menu
Please select an option:

    Safe Mode
    Safe Mode with Networking
    Safe Mode with Command Prompt

    Enable Boot Logging
    Enable VGA Mode
    Last Known Good Configuration
    Directory Services Restore Mode (Windows NT domain controllers only)
    Debugging Mode

Use ↑ and ↓ to move the highlight to your choice.
Press Enter to choose.

3. Scroll down and select "Directory Services Restore Mode (Windows NT domain controllers only)"
4. Press Enter
5. You will be taken back to the boot menu; now press Enter to start Windows 2000 Server (notice that at the bottom of the screen the text 'Directory Services Restore Mode (Windows NT domain controllers only)' will be shown in red)

The computer will boot into a special safe mode and will not start the Directory Service. Be warned that during this time the machine will not act as a domain controller and will not perform authentication etc.

1. Start NTBACKUP.EXE
2. Select the Restore tab
3. Select the backup media and select "System State"
4. Click 'Start Restore'
5. Click OK to the confirmation

Once you have restored the backup reboot the computer and start in normal mode to start using the restored information. You may find a hang after the restore has completed and I found a 30 minute wait on some machines.

[Back to The Top]

What are the FSMO roles in Windows 2000?

In Windows 2000 all domain controllers are equal and, through a process known as multi-master replication, changes are replicated to all domain controllers in the domain. However, in keeping with George Orwell's Animal Farm, some Domain Controllers are more equal than others.

Multi-master replication resolves conflicts, however in some situations it is better to stop the conflict before it happens, and to this end there are five different Flexible Single Master of Operations (FSMO) roles (formerly known as Floating Single Master of Operations, as the roles were originally going to be dynamically changeable), each managing an aspect of the domain/forest. These roles can be moved between domain controllers but not dynamically; they must be manually moved in the same manner as a BDC has to be manually promoted to a PDC.

There are two types of roles: some are per domain, some are per forest. Only a domain controller in the domain can hold a domain specific FSMO role; any domain controller in the forest can hold a forest FSMO role. Domain controllers cannot hold FSMO roles in other domains/forests.

These roles are assigned through various GUI snap-ins or using the NTDSUTIL utility.

The five roles are defined below:

Schema master (one per forest)
At the heart of the Active Directory is the schema, which is like the blueprint of all objects/containers. Since the schema has to be the same throughout the entire forest, only one machine can authorize modifications to the schema.

Domain naming master (one per forest)
To add a domain to the forest its name has to be verifiably unique, and so the Domain naming master FSMO of the forest is contacted to authorize the domain name operation.

RID master (one per domain)
Any domain controller can create new objects (such as a user, group or computer account), however after creating 512 user objects the domain controller must contact the domain's RID master for another 512 RIDs (it actually contacts it when it has fewer than 100 RIDs left; this means the RID master can be unavailable for short periods of time without causing object creation problems). This is to ensure each object has a unique RID.
When a DC creates a security principal object it attaches a unique SID to the object. The SID is created using the domain SID and a relative ID (the RID).
The RID master has to be available when attempting to move objects between domains with the resource kit movetree utility.

PDC emulator (one per domain)
For backwards compatibility reasons one domain controller in each 2000 domain must emulate a PDC for the benefit of 4.0 and 3.5 domain controllers and clients.

Infrastructure master (one per domain)
When a user and group are in different domains there can be a lag between changes to the user (e.g. name) and its display in the group. The infrastructure master of the group's domain is responsible for fixing up the group-to-user reference to reflect the rename. The infrastructure master performs its fixups locally and relies upon replication to bring all other replicas of the domain up to date.

[Back to The Top]

How can I change the RID master FSMO?

The RID master is defined in the FSMO roles section above.

To modify the role perform the following:

1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
3. Select the domain controller you wish to make the FSMO role owner and click OK.
4. Right click on the domain again and select 'Operations Masters' from the context menu
5. Select the 'RID Pool' tab
6. The current machine holding the RID master FSMO role will be shown. To change click 'Change..'
7. Click OK to the confirmation dialog.
8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands shown after each prompt:

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer rid master

Click Yes to the role transfer dialog.

Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com

fsmo maintenance: quit
ntdsutil: quit

[Back to The Top]

How can I change the PDC emulator FSMO?

The PDC emulator is defined above under 'What are the FSMO roles in Windows 2000?'.

To modify the role perform the following:

1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
3. Select the domain controller you wish to make the FSMO role owner and click OK.
4. Right click on the domain again and select 'Operations Masters' from the context menu
5. Select the 'PDC' tab
6. The current machine holding the PDC emulator FSMO role will be shown. To change click 'Change..'
7. Click OK to the confirmation dialog.
8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands shown after each prompt:

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer pdc

Click Yes to the role transfer dialog.

Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com

fsmo maintenance: quit
ntdsutil: quit

[Back to The Top]

How can I change the Infrastructure master FSMO?

The Infrastructure master is defined above under 'What are the FSMO roles in Windows 2000?'.

To modify the role perform the following:

1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
3. Select the domain controller you wish to make the FSMO role owner and click OK.
4. Right click on the domain again and select 'Operations Masters' from the context menu
5. Select the 'Infrastructure' tab
6. The current machine holding the Infrastructure FSMO role will be shown. To change click 'Change..'
7. Click OK to the confirmation dialog.
8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands shown after each prompt:

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer infrastructure master

Click Yes to the role transfer dialog.

Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com

fsmo maintenance: quit
ntdsutil: quit

[Back to The Top]

How can I change the Schema master FSMO?

The Schema master is defined above under 'What are the FSMO roles in Windows 2000?'.

To modify the role you must use the 'Active Directory Schema Manager', and you must first register the .dll for the MMC snap-in:

C:\> regsvr32 schmmgmt.dll

You can now start the Schema Manager via the Resource Kit Tools console or by creating a custom MMC and adding the Active Directory Schema snap-in to it (Start - Run - MMC - Console menu - Add/Remove Snap-in - Add - Active Directory Schema - Add - Close - OK).

1. Start the Active Directory Schema MMC snap-in on the Domain Controller (using one of the methods above)
2. In the left hand pane right click on 'Active Directory Schema' and select 'Change Domain Controller' from the context menu
3. Enter the domain controller to connect to.
4. Right click on 'Active Directory Schema' and select 'Operations Master' from the context menu
5. The current machine holding the Schema master FSMO role will be shown. To change click 'Change..'. You can also set the registry to allow changes to the Schema by checking the Schema modification box. Also notice this machine is already the schema master.
6. Click OK to the confirmation dialog.
7. A dialog confirming the role change will be displayed.

To modify the role from the command line enter the commands shown after each prompt:

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer schema master

Click Yes to the role transfer dialog.

Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=win2ktech,DC=com

fsmo maintenance: quit
ntdsutil: quit

[Back to The Top]

What is Multi-master replication?

In a Windows 2000 domain all domain controllers are equal, which means changes can be made on ANY domain controller, and each server's complete domain directory has to be kept up-to-date with the others through a process of multi-master replication.

Each time a change is made to the Active Directory, the Update Sequence Number (USN) of the server where the change is implemented is incremented by one, and this USN is also stored along with the change to the property of the object modified. These changes have to be replicated to all domain controllers in the domain, and the Update Sequence Number provides the key to multi-master replication.

Update Sequence Number increments are atomic in operation, which means that the increment to the USN and the actual change occur simultaneously; if one part fails the whole change fails. It is therefore not possible for a change to be made without the USN being incremented, so changes will never be "lost". Each domain controller keeps track of the highest USNs of the other domain controllers that it replicates with so it can calculate which changes need to be replicated on each replication cycle.

At the start of the replication cycle each server checks its Update Sequence Number table and then queries the domain controllers it replicates with for their latest USNs. For example, the table below represents the USN table for server A:

    DC B    DC C    DC D
    54      23      53

Server A then queries the domain controllers for their current USNs and gets the following:

    DC B    DC C    DC D
    58      23      64

From this server A can calculate the changes it needs from each server:

    DC B            DC C            DC D
    55,56,57,58     Up-to-date      54-64

It would then query each server for the changes needed.

It is possible for multiple changes to the same property of an object to occur, and collisions are detected via a Property Version Number (PVN) which every property has. These work like the USNs: each time a property is modified, the PVN is incremented by one.

In the event of a modification to the same property of the same object, the change with the highest PVN takes precedence; if the PVNs are the same for a property update then a collision has occurred. If the PVNs match then the time stamp is used to resolve the conflict. Each change is time stamped, and this highlights the need for the domain controllers' time to be accurate with one another. In the highly unlikely event that the PVNs match AND the time stamp is the same, a binary buffer comparison is carried out with the larger buffer size change taking precedence. Property Version Numbers are only incremented on original writes and not on replication writes (unlike USNs) and are not server specific but rather travel with the property.

A propagation-dampening scheme is also used to stop changes being repeatedly sent to other servers which already have the change. To this end each server keeps a table of up-to-date vectors, which are the highest originating writes received from each controller and take the form of:

<the change>,<domain controller making the original change>,<USN of the change>

For example:

<object win2k, property Password xxx>,Titanic,54

Domain controllers then also send this information with the USNs so they can calculate if they already have the change the other domain controllers are trying to replicate.
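The USN table arithmetic, the PVN/time-stamp/buffer collision rules and the up-to-date vector dampening described above, as an added Python model that is not part of the original FAQ; the DC names (Titanic, Venus, DC B/C/D), USN values and property writes are constructed to mirror the worked tables:

```python
"""Toy model of the USN, Property Version Number and up-to-date vector rules
described above. Added example, not code from the original FAQ; DC names,
USN values and the property writes are constructed to mirror the text."""
from dataclasses import dataclass, field


@dataclass
class Change:
    """An originating write as carried in an up-to-date vector entry:
    <the change>, <DC making the original change>, <USN of the change>."""
    obj: str
    prop: str
    value: bytes
    origin_dc: str
    origin_usn: int
    pvn: int          # property version number; travels with the property
    timestamp: int    # time of the original write; only breaks PVN ties


def changes_needed(my_table, current):
    """Per partner, the USNs server A still lacks (empty list = up to date).
    my_table: highest USN already seen from each partner at the start of the
    cycle; current: the USN each partner reports when queried."""
    return {dc: list(range(seen + 1, current[dc] + 1)) for dc, seen in my_table.items()}


def resolve_conflict(local, incoming):
    """Collision rules from the text: highest PVN wins; equal PVNs are a
    collision broken by the later time stamp; equal time stamps too fall
    back to a binary comparison where the larger buffer wins."""
    if incoming.pvn != local.pvn:
        return incoming if incoming.pvn > local.pvn else local
    if incoming.timestamp != local.timestamp:
        return incoming if incoming.timestamp > local.timestamp else local
    return incoming if len(incoming.value) > len(local.value) else local


@dataclass
class DomainController:
    name: str
    usn: int = 0
    props: dict = field(default_factory=dict)       # (obj, prop) -> Change
    utd_vector: dict = field(default_factory=dict)  # origin DC -> highest origin USN seen

    def originate_write(self, obj, prop, value, timestamp):
        """Original write: the USN increment and the change happen together,
        and the property's PVN goes up by one."""
        self.usn += 1
        prev = self.props.get((obj, prop))
        change = Change(obj, prop, value, self.name, self.usn,
                        prev.pvn + 1 if prev else 1, timestamp)
        self.props[(obj, prop)] = change
        self.utd_vector[self.name] = self.usn
        return change

    def already_has(self, change):
        """Propagation dampening: the vector entry for the originating DC
        already covers this USN, so the write is not applied again."""
        return self.utd_vector.get(change.origin_dc, 0) >= change.origin_usn

    def replicate_in(self, change):
        """Apply a replicated write; returns True if the local replica changed.
        A replication write bumps this DC's own USN but never the PVN."""
        if self.already_has(change):
            return False
        self.utd_vector[change.origin_dc] = change.origin_usn
        key = (change.obj, change.prop)
        winner = resolve_conflict(self.props[key], change) if key in self.props else change
        if winner is not change:
            return False
        self.usn += 1
        self.props[key] = change
        return True


def demo():
    """Run the server A table example and a two-DC collision to convergence."""
    needed = changes_needed({"DC B": 54, "DC C": 23, "DC D": 53},
                            {"DC B": 58, "DC C": 23, "DC D": 64})
    titanic, venus = DomainController("Titanic"), DomainController("Venus")
    first = titanic.originate_write("win2k", "Password", b"xxx", timestamp=100)
    venus.replicate_in(first)                                      # both now hold PVN 1
    on_venus = venus.originate_write("win2k", "Password", b"yy", timestamp=200)
    on_titanic = titanic.originate_write("win2k", "Password", b"zzzz", timestamp=150)
    titanic.replicate_in(on_venus)      # equal PVN 2: later time stamp (200) wins
    venus.replicate_in(on_titanic)      # same rule applied on the other side
    dampened = not venus.replicate_in(on_venus)   # Venus originated it: dropped
    key = ("win2k", "Password")
    return needed, titanic.props[key].value, venus.props[key].value, dampened
```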

[Back to The Top]

How can I move objects within my Forest?


The Windows 2000 Resource Kit ships with the MOVETREE.EXE utility, which can be used to move organizational units, users or computers between domains in a single forest. This is useful for the consolidation of domains or to reflect organizational restructuring.

Certain objects cannot be moved with MOVETREE, such as Local and Domain Global groups, and if the container they are in is moved these objects will be placed in an "orphan" container in the "LostAndFound" container in the source domain.

Associated data is not moved with MOVETREE, such as policies, profiles, logon scripts and personal data. To accomplish the movement of these items you should write custom scripts using the 'Remote Administration Scripts'.

The syntax of MOVETREE is:

MoveTree [/start | /continue | /check] [/s SrcDSA] [/d DstDSA] [/sdn SrcDN] [/ddn DstDN] [/u Domain\Username] [/p Password] [/quiet]

/start                  Start a move tree operation with the /check option by default. Alternatively, /startnocheck starts a move tree operation without any check.
/continue               Continue a failed move tree operation.
/check                  Check the whole tree before actually moving any object.
/s <SrcDSA>             Source server's fully qualified primary DNS name. Required
/d <DstDSA>             Destination server's fully qualified primary DNS name. Required
/sdn <SrcDN>            Source sub-tree's root DN. Required in Start and Check case. Optional in Continue case
/ddn <DstDN>            Destination sub-tree's root DN. RDN plus Destination Parent DN. Required
/u <Domain\UserName>    Domain Name and User Account Name. Optional
/p <Password>           Password. Optional
/quiet                  Quiet Mode. Without Any Screen Output. Optional

You should first run in /check mode as this will perform a test without actually performing the move. Any errors will be displayed and also written to the file movetree.err in your current directory. If the test is OK run with the /start option.

An example use would be:

C:\> movetree /check /s titanic.market.win2ktech.com /d pluto.legal.win2ktech.com /sdn OU=testing,DC=Market,DC=Win2ktech,DC=COM /ddn OU=test2,DC=Legal,DC=Win2ktech,DC=COM

This would move the OU testing from domain market.win2ktech.com to test2 in domain legal.win2ktech.com.

[Back to The Top]

How do I allow modifications to the Schema?

The Schema is extensible, which means it can be changed, but modifying the Schema is a dangerous task as it will affect the entire domain Forest (since a forest shares a common schema), and someone at Microsoft once said the following:

"If you find you have to change the schema find another way. If you still have to, look again. If after all that you find you still need to change the schema you better make sure your managers are fully aware of the implications"

That being said, there are two ways to allow modifications.

If you want to use the GUI, first register the .dll for the MMC snap-in (if you haven't already):

C:\> regsvr32 schmmgmt.dll

You can now start the Schema Manager via the Resource Kit Tools console or by creating a custom MMC and adding the Active Directory Schema snap-in to it (Start - Run - MMC - Console menu - Add/Remove Snap-in - Add - Active Directory Schema - Add - Close - OK).

1. Start the Active Directory Schema MMC snap-in on the Domain Controller (using one of the methods above)
2. In the left hand pane right click on 'Active Directory Schema' and select 'Operations Master' from the context menu
3. The current machine holding the Schema master FSMO role will be shown. Check the "The Schema may be modified on this server" box.
4. Click OK to the confirmation dialog.

This can also be accomplished by directly editing the registry

1. Start the registry editor (regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. Double click on 'Schema Update Allowed' (of type REG_DWORD)
4. Set to 1.
5. Click OK
6. Close the registry editor

Other related FAQ items:

• What is the Schema?
• What are the FSMO roles in Windows 2000?

[Back to The Top]

What are Tombstone objects?

Because of the complex replication available in Windows 2000 and the Active Directory, just deleting an object would result in it potentially being recreated at the next replication interval, and so deleted objects are 'Tombstoned' instead. This basically marks them as deleted and applies to all objects.

Objects marked as tombstoned are actually deleted 60 days after their tombstone status was originally set; this time can be changed by modifying tombstonelifetime under cn=DirectoryServices,cn=WindowsNT,cn=Services,cn=Configuration,dc=DomainName, however it is not advised.

[Back to The Top]

How do I switch my 2000 domain to native mode?

Windows 2000 domains have two modes, mixed and native. Mixed mode domains allow Windows NT 4.0 Backup Domain Controllers to participate in a Windows 2000 domain.

In native mode only 2000 based domain controllers can participate in the domain, and 4.0 based Backup Domain Controllers will no longer be able to act as domain controllers. Also the switch to native mode allows use of the new "Universal" groups which, unlike global groups, can be nested inside each other. Older NetBIOS based clients will still be able to logon using the NetBIOS domain name even in native mode.

To perform the switch perform the following:

1. Start the Active Directory Domains and Trusts MMC snap-in
2. Right click on the domain you want to convert to native mode and select Properties
3. Select the General tab
4. Click the 'Change Mode' button
5. Click Yes to the confirmation
6. Click Apply to the main dialog
7. A success message will be displayed. Click OK
8. Reboot the machine (although I have been told a reboot is not needed).

You will need to check all other domain controllers in the domain and, when the domain operation mode says "Native Mode" (instead of mixed mode), reboot them. This can take 15 minutes (or more if contact is not able to be made).

If a domain controller cannot be contacted (if on a remote site and only connects periodically) when you make the change, the remote DC will switch mode the next time replication occurs.

[Back to The Top]

How can I force replication between two domain controllers in a site?

In Windows NT 4.0 replication between domain controllers could be forced using Server Manager. Replication can also be forced with Windows 2000 domain controllers as follows.

1. Start the Active Directory Sites and Services MMC snap-in
2. Expand the sites branch which will show the various sites
3. The default site 'Default-First-Site-Name' may be your only site. Expand the site containing the domain controllers
4. Expand the servers
5. Select the server you want to replicate to and expand it
6. Double click on NTDS Settings for the server
7. Right click on the server you want to replicate from
8. Select 'Replicate Now' from the context menu
9. Replication will occur. Click OK to the confirmation dialog.

This would replicate from TITANIC to the VENUS domain controller

The replication is one way, and if you want two way replication you will need to replicate in each direction.

[Back to The Top]

How can I change replication schedule between two domain controllers in a site?

By default domain controllers will replicate once an hour, but this can be changed as follows. This is only for domain controllers in a single site; cross site replication is configured differently.

1. Start the Active Directory Sites and Services MMC snap-in
2. Expand the sites branch which will show the various sites
3. The default site 'Default-First-Site-Name' may be your only site. Expand the site containing the domain controllers
4. Expand the servers
5. Select the server you want to configure replication to and expand it
6. Double click on NTDS Settings for the server
7. Right click on the server you want to set replication from
8. Select 'Properties' from the context menu
9. Select the 'Active Directory Service connection' tab
10. Click the 'Change Schedule...' button
11. Modify the replication as required. Click OK
12. Click Apply then OK

This replication schedule is one way and would need to be repeated for the other direction.

[Back to The Top]

Can I rename a site? - Windows 2000

Basically yes. When you install your first domain controller it creates a default site of Default-First-Site-Name which is not very helpful and can be changed as follows:

1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services)
2. Expand the Sites branch
3. Right click on the site you wish to rename (e.g. Default-First-Site-Name) and select rename (or just select the site and press F2)
4. Enter the new name and press Enter

That's it!

[Back to The Top]

What DNS entries are added when a Windows 2000 domain is created?

Windows 2000 domains rely heavily on DNS entries; however, the entries are created automatically providing you have enabled dynamic update on the relevant DNS zones. Below are explanations of what the entries are used for:

_ldap._tcp.<DNSDomainName>
Allows a client to locate a Windows 2000 domain controller in the domain named by <DNSDomainName>. A client searching for a DC in domain win2ktech.com would query the DNS server for _ldap._tcp.win2ktech.com

_ldap._tcp.<SiteName>._sites.<DNSDomainName>
This allows a client to find a Windows 2000 domain controller in the Domain and site specified, e.g. _ldap._tcp.london._sites.win2ktech.com for a DC in the London site of win2ktech.com

_ldap._tcp.pdc._msdcs.<DNSDomainName>
Allows a client to find the Primary Domain Controller (PDC) FSMO role holder of a mixed-mode domain. Only the PDC of the domain registers this record.

_ldap._tcp.gc._msdcs.<DNSTreeName>
Allows a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the tree will register this name. Should a server cease to be a GC it will deregister the record.

_ldap._tcp.<site>._sites.gc._msdcs.<DNSTreeName>
Allows a client to find a Global Catalog (GC) server in the specified site, e.g. _ldap._tcp.london._sites.gc._msdcs.win2ktech.com.

_ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>
Allows a client to find a domain controller in a domain based on its Globally Unique IDentifier (GUID). A GUID is a 128-bit (16 byte) number that is generated automatically for referencing objects in the Active Directory.

<DNSDomainName>
Allows clients to find a Domain Controller by a normal Host record.

Example DNS screen for a domain
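The record templates above, as an added Python checklist (not code from the original FAQ) that builds the names a given domain controller should have registered, parses a name back into what a client learns from it, and reports which expected names are missing from a zone listing; the domain, site and zone contents are constructed samples and the GUID is a placeholder.

```python
"""Expected DNS names for Windows 2000 domain controllers, built from the SRV
record templates listed above. Added example; not code from the original FAQ.
The domain, tree, site names and domain GUID below are constructed samples."""


def expected_dc_records(dns_domain, tree, site, domain_guid, is_gc=False, is_pdc=False):
    """Names a domain controller in `site` should have registered, per the list above."""
    names = {
        dns_domain,                                          # plain host (A) record
        f"_ldap._tcp.{dns_domain}",                          # any DC in the domain
        f"_ldap._tcp.{site}._sites.{dns_domain}",            # DC in a given site
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{tree}",   # DC located by domain GUID
    }
    if is_pdc:   # only the PDC emulator of the domain registers this one
        names.add(f"_ldap._tcp.pdc._msdcs.{dns_domain}")
    if is_gc:    # only GC servers register these (and deregister on ceasing to be a GC)
        names.add(f"_ldap._tcp.gc._msdcs.{tree}")
        names.add(f"_ldap._tcp.{site}._sites.gc._msdcs.{tree}")
    return {n.lower() for n in names}


def classify_record(name):
    """Parse one of the names above back into what a client would learn from it."""
    labels = name.lower().rstrip(".").split(".")
    if labels[:2] != ["_ldap", "_tcp"]:
        return {"kind": "host", "domain": ".".join(labels)}
    rest, site = labels[2:], None
    if len(rest) > 1 and rest[1] == "_sites":          # optional <site>._sites. prefix
        site, rest = rest[0], rest[2:]
    if rest[:2] == ["pdc", "_msdcs"]:
        return {"kind": "pdc", "site": site, "domain": ".".join(rest[2:])}
    if rest[:2] == ["gc", "_msdcs"]:
        return {"kind": "gc", "site": site, "tree": ".".join(rest[2:])}
    if rest[1:3] == ["domains", "_msdcs"]:
        return {"kind": "guid", "guid": rest[0], "tree": ".".join(rest[3:])}
    return {"kind": "dc", "site": site, "domain": ".".join(rest)}


def missing_records(expected, registered):
    """Expected names absent from the zone; `registered` is a list of name strings."""
    have = {r.lower().rstrip(".") for r in registered}
    return sorted(expected - have)


def demo():
    """Constructed case: a GC in the London site of win2ktech.com whose zone
    listing (also constructed) lacks the site-specific GC record."""
    guid = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real domain GUID
    expected = expected_dc_records("win2ktech.com", "win2ktech.com", "london", guid, is_gc=True)
    zone = [
        "win2ktech.com",
        "_ldap._tcp.win2ktech.com",
        "_ldap._tcp.london._sites.win2ktech.com",
        f"_ldap._tcp.{guid}.domains._msdcs.win2ktech.com",
        "_ldap._tcp.gc._msdcs.win2ktech.com",
    ]
    return missing_records(expected, zone)
```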

[Back to The Top]

How can I manually defragment the Active Directory? - Windows 2000 only

By default Windows 2000 servers running directory services will perform an online directory defragmentation every 12 hours as part of the garbage collection process. This defragmentation only moves data around the database file (NTDS.DIT) and does not reduce its size.

To create a new, smaller NTDS.DIT an offline defragmentation must be performed as follows:

1. Backup the Active Directory (as seen in 'How can I backup the Active Directory/System State?')
2. Reboot the server, select the OS option and press F8 for advanced options. Select the 'Directory Services Restore Mode' option and press Enter. Press Enter again to start the operating system.
3. Windows 2000 will start in safe mode with no directory service running. Logon using the Administrator account and password of the LOCAL SAM.
4. A dialog informing you that you are in safe mode will be displayed. Click OK
5. From the Start menu select Run and type CMD.EXE
6. A command window will be displayed. Type the commands shown after each prompt:

C:\> ntdsutil
ntdsutil: files
file maintenance: info
....
file maintenance: compact to c:\temp

7. The progress of the defragmentation will be shown. If successful type quit twice to return to the command prompt
8. Now replace the old NTDS.DIT with the new compressed version:

C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

9. Restart the computer and boot as normal

Below is an example of the entire procedure:

Microsoft Windows 2000 [Version 5.00.2031]
(C) Copyright 1985-1999 Microsoft Corp.

D:\> ntdsutil
ntdsutil: files
file maintenance: info

Drive Information:

        C:\ FAT (Fixed Drive ) free(1.2 Gb) total(1.9 Gb)
        D:\ NTFS (Fixed Drive ) free(152.4 Mb) total(1.9 Gb)

DS Path Information:

        Database   : D:\WINNT\NTDS\ntds.dit - 8.1 Mb
        Backup dir : D:\WINNT\NTDS\dsadatbak
        Working dir: D:\WINNT\NTDS
        Log dir    : D:\WINNT\NTDS - 30.0 Mb total
                        res2.log - 10.0 Mb
                        res1.log - 10.0 Mb
                        edb.log - 10.0 Mb

file maintenance: compact to c:\temp
Opening database [Current].
Using Temporary Path: C:\
Executing Command: D:\WINNT\system32\esentutl.exe /d"D:\WINNT\NTDS\ntds.dit" //o /l"D:\WINNT\NTDS" /s"D:\WINNT\NTDS" /t"c:\temp\ntds.dit" /!10240 /p

Initiating DEFRAGMENTATION mode...
            Database: D:\WINNT\NTDS\ntds.dit
           Log files: D:\WINNT\NTDS
        System files: D:\WINNT\NTDS
      Temp. Database: c:\temp\ntds.dit

                  Defragmentation Status ( % complete )

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Note:
  It is recommended that you immediately perform a full backup
  of this database. If you restore a backup made before the
  defragmentation, the database will be rolled back to the state
  it was in at the time of that backup.

Operation completed successfully in 17.896 seconds.

Spawned Process Exit code 0x0(0)

If compaction was successful you either need to
copy "c:\temp\ntds.dit" to "D:\WINNT\NTDS\ntds.dit"
or run:
D:\WINNT\system32\ntdsutil.exe files "set path DB \"c:\temp\"" quit quit
file maintenance: quit
ntdsutil: quit

D:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
Overwrite D:\WINNT\ntds\ntds.dit? (Yes/No/All): y
        1 file(s) copied.

[Back to The Top]

How can I audit the Active Directory?

It is possible to configure auditing on the Active Directory to produce both successful and failed entries in the Directory Service event log.

To configure perform the following:

1. Start the 'Active Directory Users and Computers' MMC snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
2. From the View menu select 'Advanced Features'
3. Expand the domain, right click on the 'Domain Controllers' container and select Properties from the context menu
4. Select the 'Group Policy' tab
5. Select 'Default Domain Controllers Policy' and click Edit
6. Expand the Computer Configuration branch, the Windows Settings branch, Security Settings branch, and finally the Local Policies branch
7. Select 'Audit Policy'
8. In the right hand window it will show auditing levels
9. Double click 'Audit Directory Service Access'
10. Check the relevant boxes (e.g. Audit success, audit fail). Click OK
11. Close the Group Policy window
12. Click OK to the main Domain Controllers Properties dialog
13. Close the Active Directory Users and Computers MMC snap-in

The logs can be viewed in the Security Log (using Event Viewer). The policy change may take a while to take effect as domain controllers poll for policy changes every five minutes. Other domain controllers in the enterprise receive the changes at this interval plus the time of replication.

[Back to The Top]

How can I automate a server upgrade to a Domain Controller during installation?

It's possible to run the DCPROMO.EXE utility automatically during an unattended installation using the following method.

The Dcpromo process can be scripted by using the dcpromo /answer:%path_to_answer_file% command. In the following example, the [DCInstall] section and parameters are added directly to the unattended answer file. The parameters for the DCInstall section are detailed in the Unattend.doc supplied with the resource kit, but below are the main entries:

AdministratorPassword   The new password for the domain Administrator account
AutoConfigDNS           Indicates if the wizard should configure DNS
ChildName               Name of the child part of the domain
CreateOrJoin            Specifies if the domain will join an existing forest or create a new one
DatabasePath            Location for the Active Directory database
DNSOnNetwork            Used when a new forest of domains is being installed and no DNS client is configured on the computer
DomainNetBiosName       NetBIOS name for the domain
IsLastDCInDomain        Only valid when demoting an existing domain controller to a member server
LogPath                 Path for the DS logs
NewDomainDNSName        Name of the new tree, or of the new domain when a new forest is being created
ParentDomainDNSName     Specifies name of parent domain
Password                Password for the username being used to promote the server
RebootOnSuccess         Whether an automatic reboot should be performed
ReplicaDomainDNSName    Name of the domain to be replicated from
ReplicaOrMember         Specifies if a 3.51 or 4.0 BDC being upgraded should become a replica domain controller or be demoted to a regular member server
ReplicaOrNewDomain      Specifies if this is a new DC in a new domain or if it's a replica of an existing domain
SiteName                Name of the site, by default this is "Default-First-Site"
SysVolPath              Path of SYSVOL
TreeOrChild             If this is a new tree or a child of an existing domain
UserDomain              Domain for the user being used in promotion
UserName                Name of user performing the upgrade

Because this process occurs after setup, the answer file created is named $winnt$.inf and is copied to the \system32 folder. Because the parameters are in this file, you must add the following text to the [GUIRunOnce] section of the unattended Setup answer file:

[GUIRunOnce]
"DCpromo /answer:%systemroot%\system32\$winnt$.inf"

Once the Dcpromo process completes, password information is removed from the $winnt$.inf file. To make this process easier, because the Run-once command does not execute until someone logs on to the computer, you can add the following text to the unattended answer file:

[GUIUnattended]
Autologon = yes ; automatically logs on the administrator account
AutoLogoncount = n ; number of times to perform auto-admin logon

Easy :-) Don't use items like %systemroot% or %windir% etc. as they are not understood during unattended installations.

You can just create a [DCInstall] section directly in your unattend.txt file to avoid having multiple unattended setup files.

[DCInstall]
AdministratorPassword = tester
CreateOrJoin = Create
DomainNetBiosName = win2ktech
NewDomainDNSName = win2ktech.com
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "home"
TreeOrChild = Tree

The script above would create a new forest with domain win2ktech.com at the top, with the created domain controller in site home. Default locations for the SYSVOL, logs and Active Directory files will be used. The new domain Administrator account password would be tester.


You can of course use this outside of an unattended installation if you wish, after you've installed, by just typing:

DCPROMO /answer:<DCInstall answer filename>

A small dialog saying DCPROMO is running in unattended mode will be displayed andthen it will reboot.

[Back to The Top]

How do I enable circular logging for the Active Directory?

Active Directory can record either sequential or circular logs, although sequential is thedefault and is preferred. Circular logs overwrite transactions at specific intervals, whereassequential logs are never overwritten (but data in sequential log files whose transactionshave been committed to the database are deleted during garbage collection intervals.)

Sequential log files are not overwritten with new dat They grow until they reach aspecified size. Once all the transactions in a log file are committed to the database, thislog file is no longer needed. Active Directory’s garbage collection process deletesunnecessary log files every 12 hours (the default garbage collection interval). If your server never stays up longer than 12 hours between reboots, the old log files are never cleaned up and they take up more and more space on the disk (but you have bigger

problems).

Some administrators prefer circular logging because it helps minimize the amount of logged data stored to the physical disk. Imagine circular logs as a donut with new dataoverwriting the oldest as needed. You must edit the registry to enable circular logging.

1. Start regedt32.exe
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. If the value CircularLogging does not exist select New - String value from the Edit menu and enter a name of CircularLogging
4. Double click CircularLogging and set to 1 to enable (0 for disable and sequential log files)
5. Close the registry editor
6. Restart the directory service via a reboot for the change to take effect

[Back to The Top]

I can't add a 4.0 BDC to my Windows 2000.


A 4.0 BDC in a Windows 2000 domain is a supported configuration; however, a problem exists when the 4.0 BDC machine account tries to be created:

The Machine Account for This Computer either does not exist or is inaccessible.

If you attempt to add the computer account from an already installed Windows NT 4.0-based BDC using the Srvmgr tool, the following message occurs:

The Network Request is not supported.

The following error message is logged on the Windows 2000-based PDC:

Source: SAM
EVENT ID: 12298
DESCRIPTION: The Account "COMPUTER$" Cannot be converted to be a domain controller account as its object class attribute in the directory is not a computer or is not derived from computer. If this is caused by an attempt to install a pre Windows 2000 Domain, then you should recreate the account for the domain controller with the correct object class.

To work around this problem, use the SRVMGR tool that is shipped with Windows 2000 to create the account.

[Back to The Top]

I can't have spaces in my Windows 2000 NetBIOS domain name, why?

In a Windows NT 4.0 based domain a space is a legal character in the NetBIOS domain name. Windows 2000 domains are DNS based and are therefore DNS names; however, a NetBIOS name is also given for backwards compatibility. DNS does not allow a space in a name, so to keep consistency Microsoft has removed the space as a legal character in a 2000 NetBIOS domain name.

It can contain the following special characters:

! @ # $ % ^ & ( ) - _ ' { } . ~

The following characters are not allowed:

\ * + = | : ; " ? < > ,
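As an added example (not from the FAQ), a small Python pre-flight check that parses a [DCInstall] answer file like the one in the unattended-upgrade section above, confirms the keys that section uses, applies the NetBIOS domain-name character rules just listed, and flags the cleartext AdministratorPassword such files carry. The check logic, the 15-character NetBIOS length limit and the sample file are this example's own assumptions, not DCPROMO's validation.

```python
"""Pre-flight checks for a DCPROMO [DCInstall] answer file (added example)."""
import configparser
import re

REQUIRED_KEYS = {"CreateOrJoin", "DomainNetBiosName", "NewDomainDNSName",
                 "ReplicaOrNewDomain", "TreeOrChild"}
# Characters the FAQ lists as not allowed, plus the space Windows 2000 dropped.
ILLEGAL_NETBIOS = set('\\*+=|:;"?<>, ')
NETBIOS_MAX_LEN = 15  # NetBIOS name length limit (not stated in the FAQ)

# Constructed sample using the FAQ's keys, with a deliberately bad NetBIOS name.
SAMPLE = """[DCInstall]
AdministratorPassword = tester
CreateOrJoin = Create
DomainNetBiosName = win2k tech
NewDomainDNSName = win2ktech.com
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "home"
TreeOrChild = Tree
"""

def netbios_name_problems(name):
    """Return the rule violations for a NetBIOS domain name (empty if clean)."""
    problems = []
    bad = sorted(set(name) & ILLEGAL_NETBIOS)
    if bad:
        problems.append(f"illegal character(s) in NetBIOS name: {bad!r}")
    if not 1 <= len(name) <= NETBIOS_MAX_LEN:
        problems.append(f"NetBIOS name must be 1-{NETBIOS_MAX_LEN} characters")
    return problems

def check_answer_file(text):
    """Return a list of findings for the answer file text (empty if clean)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    if not cp.has_section("DCInstall"):
        return ["missing [DCInstall] section"]
    sec = cp["DCInstall"]
    findings = [f"missing key {k}" for k in sorted(REQUIRED_KEYS - set(sec))]
    if "AdministratorPassword" in sec:  # credential sits in cleartext on disk
        findings.append("AdministratorPassword is plaintext; delete the file after promotion")
    findings += netbios_name_problems(sec.get("DomainNetBiosName", ""))
    dns = sec.get("NewDomainDNSName", "")
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", dns):
        findings.append(f"NewDomainDNSName {dns!r} is not a dotted DNS name")
    return findings
```

Run check_answer_file on the answer file before handing it to DCPROMO /answer, and treat any finding as a stop.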

[Back to The Top]

This page was last updated on Monday, May 22, 2000.

Typical questions asked in NT/2000 interview


1. What is the difference between NT and Win2000.

2. What is the difference between WinNT DNS, DHCP and Win2000 DNS, DHCP ?

3. What are the seven layers of OSI Model?

Application, Presentation, Session, Transport, Network, Data link, Physical

4. What is TCP/IP?

TCP/IP is a set of protocols

5. What is the difference between Netbios name and hostname resolution ?

6. What are the features of Active directory ? What are the different roles of active directory ( FSMO ROLES)

7. How do you carry out a Migration from NT4.0 to Windows2000

There are two ways:
• Domain upgrade – sometimes referred to as in-place upgrade

We can define domain upgrade as the process of upgrading the software on the Primary Domain Controller (PDC) of a domain, and upgrading some or all of the Backup Domain Controllers (BDCs), from Windows NT 4.0 to Windows 2000 Server. Use DCPromo.exe.

8. What is the size of SAM database in NT and how many objects can be created in WinNT /Win2k

9. How do you implement group policy and what is the difference between software deployment and Publishing in AD ?

10. Where do you change the AD FSMO Roles?

11. What is Dynamic DNS and how does it register with DHCP.

12. What are the new features of Windows 2000.

13. Can you rename a domain in Win2k environment?


14. What is the backup policy that is taken in your company and what is the software that is used for taking backup...

Daily Full backup. Veritas backup Tool

15. How do you Update Antivirus on all machines (is it an Auto update or manual update)

Auto Update using Mcafee Orchestrator 2.0

16. What is system state data in Win2k?

17. How do you repair a Blue screen in Win NT?

18. How is OS hardening done on Servers?

Applying service pack, hot fixes and patches. Through Group policy

19. How is the Auditing carried out on Workstations?

20. How is RAS setup in NT and how is the permissions given for aNT user.

21.What are the features of Active directory .

22. By default what is the trust relationship in Win2k .

23. What is native mode in Win2k and can we have a pre-Win2k environment ( Winnt, win95,98 ,ME etc ) in native mode?

No, only in Mixed mode can we have pre-Windows 2000

24. What is a global catalog server?

25. Where do you promote a BDC to PDC?

Server manager

26. By default when Win2k is installed what is the role it assumes and how do you promote it to Domain Controller?

27. What is a LDAP Protocol ?

28. What are EFS, DFS and Kerberos in Win2k?


EFS: Extended File system
DFS: Distributed File system
Kerberos: Windows 2000 authentication method

29. What is a forest , Tree , Organization Unit and site in Win2k ?

30. Can you establish Trust relationship between a Win2k and WinNT machine in native mode environment ?

31. What are the file systems supported by Win2k

32. What is the tool used to manage disk management tasks?

33. What is the difference between a Basic disk and Dynamic Disk ? Can you revert from Dynamic Disk to Basic disk

34. What are the different levels of RAID that can be setup?

35. What are the different roles played by a DNS Server?

36. What is a zone in DNS?

37. What is the tool used to move an object within a domain? (Movetree.exe)

38. What is delegation in AD and what are the benefits ?

39. What is a system Policy in WinNT ?

40. What is folder redirection and how is it accomplished

41. Where do you create a group Policy in Win2k

42. How do you setup Disk Quotas in Win2k

43. What is a subnet mask, Default gateway, Router ?

44. How do you Configure Auditing in Windows2k and what tools do you use to View the results

45. What are the 5 different types of Backup strategy followed?

46. What is ERD and how is it created in Win NT /2000?

47. What is the data that is backed up when you backup system state data in Win2k ?


48. How is VPN Setup in Windows2000

49. What is a WINS Server and what is the role in NT/2000 environment

50. What is IP Sec in Win2k

51. What is the tool used to manage IIS

52. How do you secure IIS Website ?

53. How do you setup Multiple websites using a Single IP Address?

54. What are certificate services in Win2k

55. How do you setup RIS and what are the requirements on client ends

56. How many Licenses are provided by default when you setup Terminal services and what are the two different modes that a Terminal services can be setup?

57. What is the tool used to measure the performance in Win2k Server

58. How do you authorize DHCP Server in AD?

59. What are the prerequisites for installing Active directory?

60. What are the filesystems supported by Win NT

61. How do you remotely start and stop the services in IIS and Control panel on a remote machine

62. How do you debug a Blue screen?

63. Does your company have microsoft support ?

64. Have you subscribed to Technet, MSDN ?

65. How do you troubleshoot a NTLDR , NTDETECT missing issues in WinNT/2000?


66. How do you change the boot time in WinNT/2000 ?

67. What is the regular maintenance on Winnt Server ( Event Log, chkdisk, rdisk )

68. What is the difference between Exchange 5.5 and Exchange 2000?

69. Which are the services in Exchange Server

70. What are storage groups in Exchange 2k and how many mailboxes per storage group can be setup in Exch 2k .

71. What are connectors in Exchange Server and What are the different type of connectors in Exchange

72. What is a Site in terms of Exchange Server and Windows2000?

73. What is circular logging in Exchange2000?

74. What are the different authentication methods used in IIS ? Where do you Configure this in IIS ?

75. What are the 4 steps involved in getting an IP Address from a DHCP server ?

76. What are Push and Pull partners in terms of WINS Server ?

77. How do you backup a WINS database and in what format is it stored ?

78. What is the difference between WINNT DHCP and WIN2K DHCP ?

79. In MS Exchange, is there any option to forward all my incoming e-mails to another e-mail address?

80. In what format are the mails and Public folder data stored on Exchange Server ?

81. In what format are the mails stored on Client side?

82. What is Clustering and what are the different methodologies in which clustering can be implemented?

83. What are the four domain models defined by Microsoft relating to NT4.0?

84. What is the difference, and what are the advantages and disadvantages, between a workgroup and a domain model?

85. What is a Trust Relationship and how is it established in NT4.0?

86. What is LAN and WAN ?

87. What is the difference between a Local group and Global Group?

88. What is Distributed File System and different types of DFS model and how is it implemented in Win2k ?

89. What is a Hosts and LM Hosts file and how is it useful ?

90. What is B-node, P-node, H-node , and M-node in terms of WINS?

91. What is the AT Command and how do you schedule Automated Backup in NT4.0 ?

92. What is ISINTEG and ESEUTIL in Exchange Server ?

93. What is the use of Exchange Service Account in Exchange Server ?

94. What are the pre-requisites for Exchange server installation?

95. Can my Exchange Server check POP3 mail?

96. One user has deleted some items (also from the deleted items folder). Can I get them back?

97. What do I need to connect Exchange Server to the Internet?

98. What is a Forward Lookup Zone and Reverse Lookup Zone in DNS?

99. What is a Virtual Directory in IIS?


100. Where are the permissions assigned for RAS User ?