
Sysadmin Interview Blogspot In


System Administrator Interview Questions and Answers


What is an enforced group policy object?

Enforced Group Policy Object (GPO): A Group Policy Object (GPO) that is specifically associated with a scope of management (SOM) so that the associated GPO has a higher GPO precedence compared to non-enforced GPOs that are associated with the same SOM and compared to all GPOs that are associated with descendant SOMs. An enforced GPO cannot be blocked by a descendant SOM using the gpOptions attribute.

The “Enforced” setting within the GPMC controls how the Group Policy Object and the settings within the Group Policy Object are handled with regard to precedence of the settings. In short, when all GPOs apply from Active Directory, those GPOs that are linked to organizational units (OUs) have the highest precedence, then those linked to the domain, and finally those linked to Active Directory sites. Local GPOs on the target endpoint have the weakest precedence of all. What this means is that if there is a conflicting setting within two GPOs at different levels, the setting within the highest precedence GPO will “win” and be applied over the setting in the GPO that has lower precedence.


What is the order in which GPOs are applied?

The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same precedence. Settings that are applied later can override settings that are applied earlier.

Order of processing settings

Group Policy settings are processed in the following order:

1. Local Group Policy object - Each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.

2. Site - Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

3. Domain - Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

4. Organizational units - GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)


Exceptions to the default order of processing settings

The default order for processing settings is subject to the following exceptions:

- A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled.

- A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings nor computer settings are disabled on a GPO.

- An organizational unit or a domain may have Block Inheritance set. By default, Block Inheritance is not set.
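The processing order and its exceptions can be modelled in a few lines. The following is an added example, not code from the original post: a simplified Python model of link order, disabled links, Enforced and Block Inheritance, run over a constructed hierarchy in which every GPO name and setting is made up. It does not model per-GPO disabling of user or computer settings, and it assumes the first entry in the chain is the local GPO.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False
    disabled: bool = False

@dataclass
class Som:  # scope of management: local, site, domain or OU
    name: str
    links: list = field(default_factory=list)  # index 0 is link order 1
    block_inheritance: bool = False

def processing_order(chain):
    """chain: local, site, domain, parent OU ... leaf OU. Returns links as applied; last wins."""
    # The deepest SOM with Block Inheritance hides non-enforced links above it.
    blocker = max((i for i, s in enumerate(chain) if s.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, som in enumerate(chain):
        # Link order 1 is processed last within a SOM, so walk the list backwards.
        for link in reversed(som.links):
            if link.disabled:
                continue
            if link.enforced:
                enforced.append((depth, link))
            elif depth >= blocker or depth == 0:  # assumption: chain[0] is the local GPO
                normal.append(link)
    # Enforced links apply last, deepest SOM first, so the highest enforced link wins.
    enforced.sort(key=lambda pair: -pair[0])  # stable sort keeps per-SOM order
    return normal + [link for _, link in enforced]

def effective_settings(chain):
    result = {}
    for link in processing_order(chain):
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)  # a later link overwrites an earlier one
    return result

# Constructed sample hierarchy; every name and setting here is made up.
CHAIN = [
    Som("local", [Link("LocalGPO", {"ScreenLock": 900, "UsbStorage": "allowed"})]),
    Som("site HQ"),
    Som("domain", [Link("Baseline", {"ScreenLock": 600}, enforced=True),
                   Link("Defaults", {"UsbStorage": "blocked", "Wallpaper": "corp"})]),
    Som("OU Kiosks", [Link("Kiosk", {"ScreenLock": 60, "Wallpaper": "kiosk"}),
                      Link("Legacy", {"Wallpaper": "old"}, disabled=True)],
        block_inheritance=True),
]

if __name__ == "__main__":
    for name, (value, gpo) in sorted(effective_settings(CHAIN).items()):
        print(f"{name} = {value!r} (from {gpo})")
```

In the sample, Block Inheritance on the OU drops the non-enforced domain link, so its UsbStorage restriction never reaches the kiosk machines, while the enforced domain link still overrides the OU's ScreenLock value.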


What are GPOs?

A Group Policy Object (GPO) is a collection of settings that control the working environment of user accounts and computer accounts. GPOs define registry-based policies, security options, software installation and maintenance options, scripts options, and folder redirection options.

Microsoft provides a program snap-in that allows you to use the Group Policy Microsoft Management Console (MMC). The selections result in a Group Policy Object. Group Policy Object Editor can be thought of as an application whose document type is the Group Policy object, just as a word processor might use .doc or .txt files.

There are two kinds of Group Policy objects: local and nonlocal. Local Group Policy objects are stored on individual computers. Only one local Group Policy object exists on a computer, and it has a subset of the settings that are available in a nonlocal Group Policy object. Local Group Policy object settings can be overwritten by nonlocal settings if they are in conflict; otherwise, both groups of settings apply. For more information, see Local Group Policy.

Nonlocal Group Policy objects, which are stored on a domain controller, are available only in an Active Directory environment. They apply to users and computers in the site, domain, or organizational unit with which the Group Policy object is associated.


What Are Lingering Objects?

When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. If you attempt to restore a backup that is expired, you may encounter problems due to “lingering objects”.

A lingering object is a deleted AD object that re-appears (“lingers”) on the restored domain controller (DC) in its local copy of Active Directory. This can happen if, after the backup was made, the object was deleted on another DC more than 180 days ago.

When a DC deletes an object it replaces the object with a tombstone object. The tombstone object is a placeholder that represents the deleted object. When replication occurs, the tombstone object is transmitted to the other DCs, which causes them to delete the AD object as well.

Tombstone objects are kept for 180 days, after which they are garbage-collected and removed.

If a DC is restored from a backup that contains an object deleted elsewhere, the object will re-appear on the restored DC. Because the tombstone object on the other DCs has been removed, the restored DC will not receive the tombstone object (via replication), and so it will never be notified of the deletion. The deleted object will “linger” in the restored local copy of Active Directory.
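The mechanism above can be replayed with a small simulation. This is an added example, not code from the original post: a simplified Python model in which only deletions replicate, the two DCs and the object names are constructed, and the 180-day tombstone lifetime is the figure given above.

```python
import copy

TOMBSTONE_LIFETIME = 180  # days, the figure the page gives

class DC:
    def __init__(self, name, objects):
        self.name = name
        self.objects = set(objects)  # live directory objects
        self.tombstones = {}         # object name -> day it was deleted

    def delete(self, obj, day):
        # A deletion leaves a tombstone placeholder behind.
        self.objects.discard(obj)
        self.tombstones[obj] = day

    def garbage_collect(self, today):
        # Tombstones older than the lifetime are removed for good.
        self.tombstones = {o: d for o, d in self.tombstones.items()
                           if today - d <= TOMBSTONE_LIFETIME}

    def replicate_from(self, partner):
        # Inbound replication of deletions: each tombstone the partner still
        # holds removes the local copy of that object.
        for obj, day in partner.tombstones.items():
            self.objects.discard(obj)
            self.tombstones.setdefault(obj, day)

def lingering_after_restore(delete_day, restore_day):
    """DC1 is backed up on day 0, the object is deleted on DC2 on delete_day,
    and DC1 is restored from the day-0 backup on restore_day."""
    dc1 = DC("DC1", ["CN=alice", "CN=bob"])   # constructed sample objects
    dc2 = DC("DC2", ["CN=alice", "CN=bob"])
    backup = copy.deepcopy(dc1)          # day 0 backup
    dc2.delete("CN=alice", delete_day)
    dc1.replicate_from(dc2)              # normal replication while DC1 is healthy
    dc2.garbage_collect(restore_day)     # time passes on the surviving DC
    dc1 = copy.deepcopy(backup)          # restore the old backup
    dc1.replicate_from(dc2)              # the restored DC catches up
    return sorted(dc1.objects - dc2.objects)

if __name__ == "__main__":
    print("restore on day 100:", lingering_after_restore(10, 100))
    print("restore on day 200:", lingering_after_restore(10, 200))
```

A restore on day 100 still receives the tombstone and drops the object; a restore on day 200 arrives after the tombstone was garbage-collected, so the deleted object lingers on the restored DC only.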

How to Remove Lingering Objects

Windows Server 2003 and 2008 have the ability to manually remove lingering objects using the console utility REPADMIN.EXE. Use the command:

REPADMIN.EXE /removelingeringobjects .


Why cannot you restore a DC that was backed up 4 months ago?

When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. If you attempt to restore a backup that is expired, you may encounter problems due to “lingering objects”.


How do you change the DS Restore admin password?

To Reset the DSRM Administrator Password

1. Click Start, click Run, type ntdsutil, and then click OK.

2. At the Ntdsutil command prompt, type set dsrm password.

3. At the DSRM command prompt, type one of the following lines:

- To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.

-or-

- To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.

4. At the DSRM command prompt, type q.

5. At the Ntdsutil command prompt, type q to exit.


How do you backup AD?

Backing up Active Directory is essential to maintain the proper health of the Active Directory database. Backing up the Active Directory is done on one or more of your Active Directory domain controllers (or DCs), and is performed by backing up the System State on those servers. The System State contains the local Registry, COM+ Class Registration Database, the System Boot Files, certificates from Certificate Server (if it’s installed), Cluster database (if it’s installed), NTDS.DIT, and the SYSVOL folder.

Windows Server 2003

You can backup Active Directory by using the NTBACKUP tool that comes built-in with Windows Server 2003, or use any 3rd-party tool that supports this feature.

Method #1: Using NTBACKUP

1. Open NTBACKUP by either going to Run, then NTBACKUP and pressing Enter or by going to Start -> Accessories -> System Tools.

2. If you are prompted by the Backup or Restore Wizard, I suggest you un-check the "Always Start in Wizard Mode" checkbox, and click on the Advanced Mode link.

3. Inside NTBACKUP's main window, click on the Backup tab.

4. Click to select the System State checkbox. Note you cannot manually select components of the System State backup. It's all or nothing.

5. Enter a backup path for the BKF file. If you're using a tape device, make sure NTBACKUP is aware and properly configured to use it.

6. Press Start Backup.

7. The Backup Job Information pops out, allowing you to configure a scheduled backup job and other settings. For the System State backup, do not change any of the other settings except the schedule, if so desired. When done, press Start Backup.

8. After a few moments of configuration tasks, NTBACKUP will begin the backup job.

9. When the backup is complete, review the output and close NTBACKUP.

10. Next, you need to properly label and secure the backup file/tape and if possible, store a copy of it in a remote and secure location.

Method #2: Using the Command Prompt

1. You can use the command line version of NTBACKUP in order to perform backups from the Command Prompt.

2. For example, to create a backup job named "System State Backup Job" that backs up the System State data to the file D:\system_state_backup.bkf, type:

ntbackup backup systemstate /J "System State Backup Job" /F "D:\system_state_backup.bkf"

Windows Server 2008

Before you can backup Server 2008 you need to install the backup features from the Server Manager.

1. To install the backup features click Start → Server Manager.

2. Next click Features → Add Features

3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools.

In Server 2008, there isn’t an option to backup the System State data through the normal backup utility. We need to go “command line” to backup Active Directory.

1. Open up your command prompt by clicking Start and type “cmd” and hit enter.

2. In your command prompt type “wbadmin start systemstatebackup -backuptarget:e:” and press enter.

Note: You can use a different backup target of your choosing.

3. Type “y” and press enter to start the backup process.

When the backup is finished running you should get a message that the backup completed successfully. If it did not complete properly you will need to troubleshoot.

Windows Server 2008 R2

1. Open Windows Server Backup

2. In the action panel, click Backup Once

3. With Different Options selected, click Next

4. Choose Custom, click Next

5. Click Add Items

6. Select System State, click Next

7. Specify Backup Destination, Local drive (Apart from System Volume) or Network Share


8. Click Backup to start System State Backup

9. You may close the wizard and the backup operation will continue to run in the background.


How do you configure a "stand-by operation master" for any of the roles?

No utilities or special steps are required to designate a domain controller as a standby operations master. However, the current operations master and the standby operations master should be well connected. “Well connected” means that the network connection between them must support at least a 10-megabit transmission rate and be available at all times. In addition, creating a manual connection object between the standby domain controller and the operations master will ensure direct replication between the two operations masters. By making the operations master and the standby operations master direct replication partners, you reduce the chance of data loss in the event of a role seizure, which reduces the chance of directory corruption.

To ensure that the current operations master role holder and the standby operations master are replication partners, you can manually create connection objects between the two domain controllers. Even if a connection object is generated automatically, we recommend that you manually create a connection object on both the operations master and the standby operations master. The replication system can alter automatically created connection objects anytime. Manually created connections remain the same until an administrator changes them.

You can use this procedure to create the following:

- A manual connection object that designates the standby server as the From Server on the NTDS Settings object of the operations master

- A manual connection object that designates the operations master server as the From Server on the NTDS Settings object of the standby server

Administrative credentials

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.

2. Expand the site name in which the current operations master role holder is located to display the Servers folder.

3. Expand the Servers folder to see a list of the servers in that site.

4. To create a connection object from the standby server on the current operations master, expand the name of the operations master server on which you want to create the connection object to display its NTDS Settings object.

5. Right-click NTDS Settings, click New, and then click Connection.

6. In the Find Active Directory Domain Controllers dialog box, select the name of the standby server from which you want to create the connection object, and then click OK.

7. In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name, and then click OK.

8. To create a connection object from the current operations master to the standby server, repeat steps 4 through 7, but in step 4, expand the name of the standby server. In step 6, select the name of the current operations master.


What is the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?

Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available.

If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT seize the Schema Master role.

If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master from the network.

If you seize the Schema Master role, the boot drive on the original Schema Master must be completely reformatted and the operating system must be cleanly installed, if you intend to return this computer to the network.


I want to look at the RID allocation table for a DC. What do I do?

At the command prompt, type:

C:\>dcdiag /test:ridmanager /s:<dcname> /v

Here dcname is the name of our DC.
