What is the difference between Windows 2000 Active Directory and Windows 2003 Active
Directory? Is there any difference in 2000 Group Polices and 2003 Group Polices? What is
meant by ADS and ADS services in Windows 2003?
Windows 2003 Active Directory introduced a number of new security features, as well as
convenience features such as the ability to rename a domain controller and even an entire domain
- see Microsoft's website for more details.
Windows Server 2003 also introduced numerous changes to the default settings that can be
affected by Group Policy - you can see a detailed list of each available setting and which OS is
required to support it by downloading the Group Policy Settings Reference.
ADS stands for Automated Deployment Services and is used to quickly roll out identically configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.
The benefits of AD over NT4 directory services?
Active Directory marked a shift in the way that Microsoft manages directory services, moving
from the flat and fairly restrictive namespaces used by NT4 domains and moving to an actual
hierarchical directory structure. There's a sample chapter from the Windows 2000 technical
reference available here that will give you a good introduction to the major differences
between the NT4 and Active Directory directory services.
I want to setup a DNS server and Active Directory domain. What do I do first? If I install
the DNS service first and name the zone 'name.org' can I name the AD domain 'name.org'
too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it's
actually the preferred way to go if at all possible. You can install and configure DNS before
installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo)
itself install DNS on your server in the background.
What is the best way to migrate Exchange 2000 mailboxes to Exchange 2003?
The nice folks at MSExchange.org have put together a pretty detailed tutorial on how to migrate
from Exchange 2000 to Exchange 2003 on new hardware. The MSExchange site also hosts
online forums that are frequented by Exchange MVPs who can help you with any specific errors
that you run into along the way.
How do I design two Active Directory domains in a client network?
For Windows Server 2003, your best bet is going to be the Deployment Kit. The section on
"Deploying Network Services" will assist you in designing and installing your DNS servers, and
the section on "Designing and Deploying Directory and Security Services" will assist you with
WINS server running, yes?) contains the records that you expect for the 2000 domain controller,
and that your clients have the correct address configured for the WINS server.
Posted by Anuj Sharma at 6:52:00 PM 0 comments
Wednesday, October 15
Server 2008 Questions And Answers
Q.What are some of the new tools and features provided by Windows Server 2008?
A.Windows Server 2008 now provides a desktop environment similar to Microsoft Windows
Vista and includes tools also found in Vista, such as the new backup snap-in and the BitLocker
drive encryption feature. Windows Server 2008 also provides the new IIS7 web server and the
Windows Deployment Service.
Q.What are the different editions of Windows Server 2008?
A.The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise
Edition provides a platform for large enterprisewide networks. The Datacenter Edition provides
support for unlimited Hyper-V virtualization and advanced clustering services. The Web Edition
is a scaled-down version of Windows Server 2008 intended for use as a dedicated web server.
The Standard, Enterprise, and Datacenter Editions can be purchased with or without the Hyper-V
virtualization technology.
Q.What two hardware considerations should be an important part of the planning process for a
Windows Server 2008 deployment?
A.Any server on which you will install Windows Server 2008 should have at least the minimum
hardware requirement for running the network operating system. Server hardware should also be
on the Windows Server 2008 Hardware Compatibility List to avoid the possibility of hardware
and network operating system incompatibility.
Q.How does the activation process differ on Windows Server 2008 as compared to Windows
Server 2003?
A.You can select to have activation happen automatically when the Windows Server 2008
installation is complete. Make sure that the Automatically Activate Windows When I'm Online
check box is selected on the Product Key page.
Q.What are the options for installing Windows Server 2008?
A.You can install Windows Server 2008 on a server not currently configured with a NOS, or you
can upgrade existing servers running Windows 2000 Server and Windows Server 2003.
Q.How do you configure and manage a Windows Server 2008 core installation?
A.This stripped-down version of Windows Server 2008 is managed from the command line.
Q.Which Control Panel tool enables you to automate the running of server utilities and other
applications?
A.The Task Scheduler enables you to schedule the launching of tools such as Windows Backup
and Disk Defragmenter.
Q.What are some of the items that can be accessed via the System Properties dialog box?
A.You can access virtual memory settings and the Device Manager via the System Properties
dialog box.
Q.Which Windows Server utility provides a common interface for tools and utilities and
provides access to server roles, services, and monitoring and drive utilities?
A.The Server Manager provides both the interface and access to a large number of the utilities
and tools that you will use as you manage your Windows server.
Q.How are local user accounts and groups created?
A.Local user accounts and groups are managed in the Local Users and Groups node in the Server
Manager. Local user accounts and groups are used to provide local access to a server.
Q.When a child domain is created in the domain tree, what type of trust relationship exists
between the new child domain and the tree's root domain?
A.Child domains and the root domain of a tree are assigned transitive trusts. This means that the
root domain and child domain trust each other and allow resources in any domain in the tree to
be accessed by users in any domain in the tree.
Q.What is the primary function of domain controllers?
A.The primary function of domain controllers is to validate users to the network. However,
domain controllers also provide the catalog of Active Directory objects to users on the network.
Q.What are some of the other roles that a server running Windows Server 2008 could fill on the
network?
A.A server running Windows Server 2008 can be configured as a domain controller, a file server,
a print server, a web server, or an application server. Windows servers can also have roles and
features that provide services such as DNS, DHCP, and Routing and Remote Access.
Q.Which Windows Server 2008 tools make it easy to manage and configure a server's roles and
features?
A.The Server Manager window enables you to view the roles and features installed on a server
and also to quickly access the tools used to manage these various roles and features. The Server
Manager can be used to add and remove roles and features as needed.
Q.What Windows Server 2008 service is used to install client operating systems over the
network?
A.Windows Deployment Services (WDS) enables you to install client and server operating
systems over the network to any computer with a PXE-enabled network interface.
Q.What domain services are necessary for you to deploy the Windows Deployment Services on
your network?
A.Windows Deployment Services requires that a DHCP server and a DNS server be installed in
the domain.
Q.How is WDS configured and managed on a server running Windows Server 2008?
A.The Windows Deployment Services snap-in enables you to configure the WDS server and add
boot and install images to the server.
Q.What utility is provided by Windows Server 2008 for managing disk drives, partitions, and
volumes?
A.The Disk Manager provides all the tools for formatting, creating, and managing drive volumes
and partitions.
Q.What is the difference between a basic and dynamic drive in the Windows Server 2008
environment?
A.A basic disk uses the MS-DOS disk structure; a basic disk can be divided into partitions
(simple volumes). Dynamic disks consist of a single partition that can be divided into any
number of volumes. Dynamic disks also support Windows Server 2008 RAID implementations.
Q.What is RAID?
A.RAID, or Redundant Array of Independent Disks, is a strategy for building fault tolerance into
your file servers. RAID enables you to combine one or more volumes on separate drives so that
they are accessed by a single drive letter. Windows Server 2008 enables you to configure RAID
0 (a striped set), RAID 1 (a mirror set), and RAID 5 (disk striping with parity).
Q.What is the most foolproof strategy for protecting data on the network?
A.Regular backups of network data provide the best method of protecting you from data loss.
Q.What conceptual model helps provide an understanding of how network protocol stacks such
as TCP/IP work?
A.The OSI model, consisting of the application, presentation, session, transport, network, data
link, and physical layers, helps describe how data is sent and received on the network by protocol
stacks.
Q.What protocol stack is installed by default when you install Windows Server 2008 on a
network server?
A.TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is required for Active
Directory implementations and provides for connectivity on heterogeneous networks.
Q.When TCP/IP is configured on a Windows server (or domain client), what information is
required?
A.You must provide at least the IP address and the subnet mask to configure a TCP/IP client for
an IPv4 client, unless that client obtains this information from a DHCP server. For IPv6 clients,
the interface ID is generated automatically from the MAC hardware address on the network
adapter. IPv6 can also use DHCP as a method to configure IP clients on the network.
Q.What are two command-line utilities that can be used to check TCP/IP configurations and IP
connectivity, respectively?
A.The ipconfig command can be used to check a computer's IP configuration and also renew the
client's IP address if it is provided by a DHCP server. ping can be used to check the connection
between the local computer and any computer on the network, using the destination computer's
IP address.
Q.What term is used to refer to the first domain created in a new Active Directory tree?
A.The first domain created in a tree is referred to as the root domain. Child domains created in
the tree share the same namespace as the root domain.
Q.How is a server running Windows Server 2008 configured as a domain controller, such as the
domain controller for the root domain or a child domain?
A.Installing the Active Directory on a server running Windows Server 2008 provides you with
the option of creating a root domain for a domain tree or of creating child domains in an existing
tree. Installing Active Directory on the server makes the server a domain controller.
Q.What are some of the tools used to manage Active Directory objects in a Windows Server
2008 domain?
A.When the Active Directory is installed on a server (making it a domain controller), a set of
Active Directory snap-ins is provided. The Active Directory Users and Computers snap-in is
used to manage Active Directory objects such as user accounts, computers, and groups. The
Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined
between domains. The Active Directory Sites and Services snap-in provides for the management
of domain sites and subnets.
Q.How are domain user accounts created and managed?
A.The Active Directory Users and Computers snap-in provides the tools necessary for creating
user accounts and managing account properties. Properties for user accounts include settings
related to logon hours, the computers to which a user can log on, and the settings related to the
user's password.
Q.What type of Active Directory objects can be contained in a group?
A.A group can contain users, computers, contacts, and other nested groups.
Q.What type of group is not available in a domain that is running at the mixed-mode functional
level?
A.Universal groups are not available in a mixed-mode domain. The functional level must be
raised to Windows 2003 or Windows 2008 to make these groups available.
Q.What types of Active Directory objects can be contained in an Organizational Unit?
A.Organizational Units can hold users, groups, computers, contacts, and other OUs. The
Organizational Unit provides you with a container directly below the domain level that enables
you to refine the logical hierarchy of how your users and other resources are arranged in the
Active Directory.
Q.What are Active Directory sites?
A.Active Directory sites are physical locations on the network's physical topology. Each regional
domain that you create is assigned to a site. Sites typically represent one or more IP subnets that
are connected by IP routers. Because sites are separated from each other by a router, the domain
controllers on each site periodically replicate the Active Directory to update the Global Catalog
on each site segment.
Q.How can client computer accounts be added to the Active Directory?
A.Client computer accounts can be added through the Active Directory Users and Computers
snap-in. You can also create client computer accounts via the client computer by joining it to the
domain via the System Properties dialog box. This requires a user account that has administrative
privileges, such as members of the Domain Administrator or Enterprise Administrator groups.
Q.What firewall setting is required to manage client computers such as Vista clients and
Windows 2008 member servers?
A.The Windows Firewall must allow remote administration for a computer to be managed
remotely.
Q.Can servers running Windows Server 2008 provide services to clients when they are not part
of a domain?
A.Servers running Windows Server 2008 can be configured to participate in a workgroup. The
server can provide some services to the workgroup peers but does not provide the security and
management tools provided to domain controllers.
Q.What does the use of Group Policy provide you as a network administrator?
A.Group Policy provides a method of controlling user and computer configuration settings for
Active Directory containers such as sites, domains, and OUs. GPOs are linked to a particular
container, and then individual policies and administrative templates are enabled to control the
environment for the users or computers within that particular container.
Q.What tools are involved in managing and deploying Group Policy?
A.GPOs and their settings, links, and other information such as permissions can be viewed in the
Group Policy Management snap-in.
Q.How do you deal with Group Policy inheritance issues?
A.GPOs are inherited down through the Active Directory tree by default. You can block the
inheritance of settings from upline GPOs (for a particular container such as an OU or a local
computer) by selecting Block Inheritance for that particular object. If you want to enforce a
higher-level GPO so that it overrides directly linked GPOs, you can use the Enforce command on
the inherited (or upline) GPO.
Q.How can you make sure that network clients have the most recent Windows updates installed
and have other important security features such as the Windows Firewall enabled before they can
gain full network access?
A.You can configure a Network Policy Server (a service available in the Network Policy and
Access Services role). The Network Policy Server can be configured to compare desktop client
settings with health validators to determine the level of network access afforded to the client.
Tuesday, August 19
How a Kerberos Logon Works
As most of you are aware, Windows includes a new authentication package, which is Microsoft's
implementation of MIT's Kerberos protocol. This protocol is much more secure than NTLM and
NTLMv2. And with that, I'm going to show you how a client logon happens with Kerberos.
Bob comes into work in the morning, grabs his coffee, and sits down at his workstation. He looks
at the Windows 2000 professional logon at the logon screen, hits ctrl+alt+del, and proceeds to
type his username, password, and after being authenticated by a Windows 2000 domain
controller, logs onto his domain. He starts Microsoft Outlook, to take a look at this morning's
pile of email. This seems like a simple process, but that's far from the truth. Let's take a look at
what happened in the past few seconds.
Domain Logon Authentication
When Bob pressed "Enter" after typing his password, the Kerberos client on his workstation
converted his password to an encryption key. Kerberos is based on the concept of symmetric
encryption keys, which means that the same key is used to encrypt and decrypt a message. This
is also referred to as a shared private key.
After the Kerberos client converted Bob's password to an encryption key, it is saved in the
workstation's credential cache. The workstation then sent an authentication request to the
Domain Controller, or KDC (Key Distribution Center is a Kerberos term for the service that
distributes the "keys to the kingdom"). The authentication request identifies Bob, names the
service that he is requesting access to, and carries some pre-authentication data that proves
that Bob knows the password. The first portion of the authentication request identifies Bob and
asks for access to the TGS (Ticket Granting Service). The TGS is the service on the KDC that
issues tickets for access to other services. All of the services within the Kerberos domain trust
the TGS, so they know that if a ticket was issued by the TGS, the user successfully authenticated
himself and is really who he claims to be.
The second part of the authentication request contains the pre-authentication data: a
timestamp encrypted with Bob's long-term key (his password-derived key in this case).
When the KDC receives the authentication request, it looks up Bob's password in the local AD
database, decrypts the pre-authentication info that was sent in the package, and, if the timestamp
is within the permissible guidelines (the allowable clock difference, usually 5 minutes or so),
sends Bob a TGT (Ticket Granting Ticket) that he is going to use to access the TGS in the future.
But even this process isn't so simple (Kerberos is much more complicated than NTLM). To
accomplish this task, the KDC creates a session key for itself and Bob to use in their future
communications, then encrypts that session key with Bob's password. It also embeds another
copy of the session key together with some authorization info about Bob (the list of Bob's SIDs:
his SID history, his group memberships, and Bob's own SID, which is used wherever ACLs are
applied) and encrypts all of this with its own long-term key. (The portion that was encrypted
with the KDC's long-term key is the actual TGT.) The Kerberos implementation in Windows
2000 places the SIDs in a field of the TGT that the RFCs define as optional; Win2k uses it for
access control information, which extends Kerberos from authentication alone into a piece of
the access control puzzle as well.
When Bob's workstation receives the reply from the KDC, it decrypts the session ticket with Bob's
password and stores it in the credentials cache. This is the authentication info that Bob's
workstation will use to communicate with the KDC from now on; the next time Bob logs on, the
session ticket will be completely different, as the KDC doesn't reuse its session keys. The
workstation also extracts the TGT, which is still encrypted with the KDC's long-term key
(which Bob's workstation doesn't know), and stores the encrypted TGT in its credentials cache.
"What does all of this have to do with the way I access resources?" you might ask. I'm going to
give you a bonus: here's how resource access works in the same domain, with the user being
authenticated by Kerberos. Authentication works a bit differently when you are traversing trusts;
I will show you that process in an upcoming article.
uses the session key to decrypt the authenticator section of the message. If everything checks out
OK, it creates a session key for Bob to utilize when talking to FILESERV1.
The KDC now constructs a message to Bob in two parts. The first part is the actual session key for
Bob to use when talking to the FILESERV1 file server, encrypted in Bob's logon session key. The
second part is the same session key that Bob is going to use to talk to the FILESERV1 server, but
encrypted in FILESERV1's long-term key. This message is sent to Bob's workstation.
When Bob's machine gets this message, it decrypts the first part and saves the session key for
FILESERV1 in its credentials cache. Then it pulls out the second portion of the message (which is
encrypted in FILESERV1's long-term key, a key that Bob's workstation does not know) and also
stores it in its credentials cache.
Now Bob's workstation is going to access the FILESERV1 server. Bob's machine sends
FILESERV1 a Kerberos App Request, which has in it an authenticator encrypted in the session
key that the KDC gave to Bob to use when talking to FILESERV1, and the encrypted ticket that
the KDC gave to Bob, which is the Bob-FILESERV1 session key encrypted in FILESERV1's
long-term key, the key that the KDC stores in the database.
When FILESERV1 receives this message, it decrypts the ticket with its own long-term key and is
able to read the session key that the KDC gave to Bob for use with FILESERV1. It then decrypts
the rest of Bob's message with the session key, and voilà, an authenticated session is established.
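Both halves of the story above (the logon exchange that yields the TGT, and the ticket exchange that gets Bob onto FILESERV1) are easier to follow when you can see which key seals which part of each message. The Python below is an added example, not code from the original post or from Microsoft; it replays the flow end to end with a deliberately toy HMAC-based cipher standing in for the real Kerberos encryption types, so the point is the key placement, not the cryptography. The realm, the principal names (bob, krbtgt, FILESERV1), the password and the SID strings are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300  # permissible clock difference in seconds (the "5 minutes or so" above)


def string_to_key(password: str, principal: str) -> bytes:
    """Toy stand-in for Kerberos string2key: the long-term key derived from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag), NOT a real Kerberos enctype."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


class KDC:
    """The domain controller: holds every principal's long-term key (the AD database)."""

    def __init__(self, keys: dict, authz: dict):
        self.keys = keys    # principal name -> long-term key
        self.authz = authz  # user -> SIDs that go into the ticket (the authorization data)

    def as_exchange(self, user: str, preauth: bytes, now: float):
        # Pre-authentication: a timestamp under Bob's long-term key proves he knows the password.
        stamp = decrypt(self.keys[user], preauth)["timestamp"]
        if abs(now - stamp) > MAX_SKEW:
            raise PermissionError("clock skew too great")
        logon_session = os.urandom(32)
        # The TGT: session key + Bob's SIDs, sealed under the KDC's own (krbtgt) key.
        tgt = encrypt(self.keys["krbtgt"],
                      {"user": user, "session": logon_session.hex(), "sids": self.authz[user]})
        # Bob's copy of the session key, sealed under his long-term key.
        return encrypt(self.keys[user], {"session": logon_session.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        t = decrypt(self.keys["krbtgt"], tgt)          # only the KDC can open the TGT
        logon_session = bytes.fromhex(t["session"])
        auth = decrypt(logon_session, authenticator)  # proves the caller holds the logon session key
        if auth["user"] != t["user"] or abs(now - auth["timestamp"]) > MAX_SKEW:
            raise PermissionError("authenticator rejected")
        svc_session = os.urandom(32)
        # Service ticket: sealed under FILESERV1's long-term key, which the workstation never learns.
        ticket = encrypt(self.keys[service],
                         {"user": t["user"], "session": svc_session.hex(), "sids": t["sids"]})
        return encrypt(logon_session, {"session": svc_session.hex()}), ticket


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: float):
    """FILESERV1's side of the App Request: open the ticket with its own key, then check the authenticator."""
    t = decrypt(service_key, ticket)
    auth = decrypt(bytes.fromhex(t["session"]), authenticator)
    if auth["user"] != t["user"] or abs(now - auth["timestamp"]) > MAX_SKEW:
        raise PermissionError("authenticator rejected")
    return t["user"], t["sids"]  # identity plus the SIDs the server feeds into its ACL checks


def logon_and_open_share(real_password="hunter2", typed_password=None, client_skew=0.0):
    """Bob's morning in one call: AS exchange, TGS exchange, App Request to FILESERV1.
    typed_password defaults to the real one; client_skew offsets Bob's clock to trip the pre-auth check."""
    now = time.time()
    principal = "bob@EXAMPLE"  # constructed realm and accounts; the SIDs below are placeholders
    keys = {"bob": string_to_key(real_password, principal),
            "krbtgt": os.urandom(32), "FILESERV1": os.urandom(32)}
    kdc = KDC(keys, {"bob": ["S-1-5-21-EXAMPLE-1105", "S-1-5-21-EXAMPLE-513"]})

    cache = {"bob": string_to_key(typed_password or real_password, principal)}  # credential cache
    preauth = encrypt(cache["bob"], {"timestamp": now + client_skew})
    enc_session, cache["tgt"] = kdc.as_exchange("bob", preauth, now)
    cache["logon_session"] = bytes.fromhex(decrypt(cache["bob"], enc_session)["session"])

    authenticator = encrypt(cache["logon_session"], {"user": "bob", "timestamp": now})
    enc_svc, ticket = kdc.tgs_exchange(cache["tgt"], authenticator, "FILESERV1", now)
    cache["FILESERV1"] = bytes.fromhex(decrypt(cache["logon_session"], enc_svc)["session"])

    ap_authenticator = encrypt(cache["FILESERV1"], {"user": "bob", "timestamp": now})
    return service_accept(keys["FILESERV1"], ticket, ap_authenticator, now)
```

Two things to notice when you run it: a wrong typed password fails at the KDC's first decrypt of the pre-authentication timestamp, before any ticket exists, and a workstation clock more than MAX_SKEW seconds off is refused for the same reason the post gives. The workstation's cache never holds the krbtgt key or FILESERV1's key; it only ever stores blobs it cannot open plus the session keys handed to it.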
I know this seems extremely complicated, but in relative terms of authentication, it's a simple
and secure process. I'm more than satisfied with Microsoft's implementation of Kerberos in
Windows 2000; I think it's a long-needed building block for a secure OS. We won't see the full
benefit of Kerberos until all of our clients are Win2k, since AD servers still support the old
NTLM and NTLMv2 authentication protocols, but I think that day is coming soon.
There is another set of events that occurs after this exchange; that set of events refers to access
control, and I'll also explain that in another article.
Posted by Anuj Sharma at 9:29:00 PM 0 comments
Tuesday, August 12
number of signal units per second that are required to represent those bits.
baud rate = bit rate / N
where N is no-of-bits represented by each signal shift
What is Bandwidth?
Every line has an upper limit and a lower limit on the frequency of signals it can carry. This
limited range is called the bandwidth.
What are the types of Transmission media?
Signals are usually transmitted over some transmission media, which are broadly classified into
two categories.
Guided Media: These provide a conduit from one device to another and include
twisted-pair, coaxial cable and fiber-optic cable. A signal traveling along any of these media is
directed and is contained by the physical limits of the medium. Twisted-pair and coaxial cable
use metallic conductors that accept and transport signals in the form of electrical current. Optical
fiber is a glass or plastic cable that accepts and transports signals in the form of light.
Unguided Media: This is wireless media that transport electromagnetic waves without using
a physical conductor. Signals are broadcast through the air, by radio communication, satellite
communication and cellular telephony.
What is Project 802?
It is a project started by IEEE to set standards to enable intercommunication between equipment
from a variety of manufacturers. It is a way of specifying functions of the physical layer, the
data link layer and, to some extent, the network layer to allow for interconnectivity of major LAN
protocols. It consists of the following:
802.1 is an internetworking standard for compatibility of different LANs and MANs across
protocols.
802.2 Logical link control (LLC) is the upper sublayer of the data link layer, which is non-architecture-specific, that is, it remains the same for all IEEE-defined LANs.
Media access control (MAC) is the lower sublayer of the data link layer that contains some
distinct modules each carrying proprietary information specific to the LAN product being used.
The modules are Ethernet LAN (802.3), Token ring LAN (802.4), Token bus LAN (802.5).
802.6 is distributed queue dual bus (DQDB) designed to be used in MANs.
What are the data units at different layers of the TCP / IP protocol suite?
The data unit created at the application layer is called a message; at the transport layer the data
unit created is called either a segment or a user datagram; at the network layer the data unit
created is called the datagram; at the data link layer the datagram is encapsulated into a frame
and finally transmitted as signals along the transmission media.
What is difference between ARP and RARP?
The Address Resolution Protocol (ARP) is used to associate the 32-bit IP address with the 48-bit
physical address. It is used by a host or a router to find the physical address of another host on its
network by sending an ARP query packet that includes the IP address of the receiver.
The Reverse Address Resolution Protocol (RARP) allows a host to discover its Internet address
when it knows only its physical address.
What is the minimum and maximum length of the header in the TCP segment and IP
datagram?
The header should have a minimum length of 20 bytes and can have a maximum length of 60
bytes.
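The two answers above (the data units at each layer, and the 20 to 60 byte header bounds) come together in any code that has to take a raw datagram apart. The Python below is an added example, not from the original post: it builds a constructed IPv4 datagram carrying a TCP segment carrying an application message, then parses it back, checking the IP header length (IHL) and the TCP header length (Data Offset) against the 20..60 byte range and against the bytes actually present before using either as an offset. The addresses, ports and option bytes are made up for the sample; checksums are left at zero.

```python
import struct

IP_HDR_MIN, IP_HDR_MAX = 20, 60    # IHL field: 5..15 32-bit words
TCP_HDR_MIN, TCP_HDR_MAX = 20, 60  # Data Offset field: 5..15 32-bit words


def build_datagram(message: bytes, tcp_options: bytes = b"", ip_options: bytes = b"") -> bytes:
    """Constructed sample input: wrap a message in a TCP segment, then in an IPv4 datagram.
    Options are padded to a multiple of 4 so the length fields stay valid."""
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    ip_options += b"\x00" * (-len(ip_options) % 4)
    data_offset = (TCP_HDR_MIN + len(tcp_options)) // 4
    # ports 40000 -> 80, seq, ack, data offset, flags PSH|ACK, window, checksum (left 0), urgent ptr
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_offset << 4, 0x18, 65535, 0, 0)
    tcp += tcp_options + message
    ihl = (IP_HDR_MIN + len(ip_options)) // 4
    total_len = IP_HDR_MIN + len(ip_options) + len(tcp)
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol 6 = TCP, checksum (0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 0, 10]), bytes([192, 168, 0, 20]))
    return ip + ip_options + tcp


def parse_datagram(raw: bytes) -> dict:
    """Peel an IPv4 datagram back to the application message, checking each header length
    against the 20..60 byte bounds and against the bytes actually present before trusting it."""
    if len(raw) < IP_HDR_MIN:
        raise ValueError("truncated IP header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ip_hlen = (ver_ihl & 0x0F) * 4
    if not IP_HDR_MIN <= ip_hlen <= IP_HDR_MAX or ip_hlen > total_len or total_len > len(raw):
        raise ValueError(f"bad IP header length {ip_hlen} / total length {total_len}")
    datagram = raw[:total_len]          # ignore any trailing padding past Total Length
    segment = datagram[ip_hlen:]        # the transport-layer data unit
    if proto != 6:
        raise ValueError(f"not TCP (protocol {proto})")
    if len(segment) < TCP_HDR_MIN:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, offset_flags = struct.unpack("!HHIIB", segment[:13])
    tcp_hlen = (offset_flags >> 4) * 4
    if not TCP_HDR_MIN <= tcp_hlen <= TCP_HDR_MAX or tcp_hlen > len(segment):
        raise ValueError(f"bad TCP header length {tcp_hlen}")
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
        "ip_header_len": ip_hlen, "tcp_header_len": tcp_hlen, "ports": (sport, dport),
        "datagram": datagram, "segment": segment, "message": segment[tcp_hlen:],
    }
```

The range checks are where the 20..60 figure earns its keep: a header-length nibble below 5 or an offset that points past the end of the buffer is rejected up front instead of becoming a negative or out-of-bounds slice later in the parser.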
What is the range of addresses in the classes of internet addresses?
Class A 0.0.0.0 - 127.255.255.255
Class B 128.0.0.0 - 191.255.255.255
Class C 192.0.0.0 - 223.255.255.255
Class D 224.0.0.0 - 239.255.255.255
Class E 240.0.0.0 - 247.255.255.255
What is the difference between TFTP and FTP application layer protocols?
The Trivial File Transfer Protocol (TFTP) allows a local host to obtain files from a remote host
but does not provide reliability or security. It uses the fundamental packet delivery services
offered by UDP.
The File Transfer Protocol (FTP) is the standard mechanism provided by TCP / IP for copying a
file from one host to another. It uses the services offered by TCP and so is reliable and secure. It
establishes two connections (virtual circuits) between the hosts, one for data transfer and another
for control information.
What are the major types of networks? Explain.
Server-based network
Peer-to-peer network
In a peer-to-peer network, computers can act as both servers sharing resources and as clients using
the resources.
Server-based networks provide centralized control of network resources and rely on server
computers to provide security and network administration.
region, but knowing nothing about the internal structure of other regions.
What is silly window syndrome?
It is a problem that can ruin TCP performance. This problem occurs when data are passed to the
sending TCP entity in large blocks, but an interactive application on the receiving side reads 1
byte at a time.
What are Digrams and Trigrams?
The most common two letter combinations are called as digrams. e.g. th, in, er, re and an. The
most common three letter combinations are called as trigrams. e.g. the, ing, and, and ion.
Expand IDEA.
IDEA stands for International Data Encryption Algorithm.
What is wide-mouth frog?
Wide-mouth frog is the simplest known key distribution center (KDC) authentication protocol.
What is Mail Gateway?
It is a system that performs a protocol translation between different electronic mail delivery
protocols.
What is IGP (Interior Gateway Protocol)?
It is any routing protocol used within an autonomous system.
What is EGP (Exterior Gateway Protocol)?
It is the protocol the routers in neighboring autonomous systems use to identify the set of
networks that can be reached within or via each autonomous system.
What is autonomous system?
It is a collection of routers under the control of a single administrative authority and that uses a
common Interior Gateway Protocol.
What is BGP (Border Gateway Protocol)?
It is a protocol used to advertise the set of networks that can be reached within an autonomous
system. BGP enables this information to be shared with other autonomous systems. It is newer
than EGP (Exterior Gateway Protocol).
What is Gateway-to-Gateway protocol?
It is a protocol formerly used to exchange routing information between Internet core routers.
of different sizes and may occupy more than one row or column of the grid. In addition, the rows
and columns may have different sizes.
What advantage do Java's layout managers provide over traditional windowing systems?
Java uses layout managers to lay out components in a consistent manner across all windowing
platforms. Since Java's layout managers aren't tied to absolute sizing and positioning, they are
able to accommodate platform-specific differences among windowing systems.
What are the problems faced by Java programmers who don't use layout managers?
Without layout managers, Java programmers are faced with determining how their GUI will be
displayed across multiple windowing systems and finding a common sizing and positioning that
will work within the constraints imposed by each windowing system.
What is the difference between static and non-static variables?
A static variable is associated with the class as a whole rather than with specific instances of a
class. Non-static variables take on unique values with each object instance.
What is the difference between the paint() and repaint() methods?
The paint() method supports painting via a Graphics object. The repaint() method is used to
cause paint() to be invoked by the AWT painting thread.
What is the purpose of the File class?
The File class is used to create objects that provide access to the files and directories of a local
file system.
What restrictions are placed on method overloading?
Two methods may not have the same name and argument list but different return types.
What restrictions are placed on method overriding?
Overridden methods must have the same name, argument list, and return type. The overriding
method may not limit the access of the method it overrides. The overriding method may not
throw any exceptions that may not be thrown by the overridden method.
What is casting?
There are two types of casting, casting between primitive numeric types and casting between
object references. Casting between numeric types is used to convert larger values, such as double
values, to smaller values, such as byte values. Casting between object references is used to refer
to an object by a compatible class, interface, or array type reference.
Name Container classes.
Window, Frame, Dialog, FileDialog, Panel, Applet, or ScrollPane
What class allows you to read objects directly from a stream?
The ObjectInputStream class supports the reading of objects from input streams.
How are this() and super() used with constructors?
this() is used to invoke a constructor of the same class. super() is used to invoke a superclass
constructor.
How is it possible for two String objects with identical values not to be equal under the ==
operator?
The == operator compares two objects to determine if they are the same object in memory. It is
possible for two String objects to have the same value but be located in different areas of memory.
What is an I/O filter?
An I/O filter is an object that reads from one stream and writes to another, usually altering the
data in some way as it is passed from one stream to another.
What is the Set interface?
The Set interface provides methods for accessing the elements of a finite mathematical set. Sets
do not allow duplicate elements.
What is the List interface?
The List interface provides support for ordered collections of objects.
What is the purpose of the enableEvents() method?
The enableEvents() method is used to enable an event for a particular object. Normally, an event
is enabled when a listener is added to an object for a particular event. The enableEvents() method
is used by objects that handle events by overriding their event-dispatch methods.
What is the difference between the File and RandomAccessFile classes?
The File class encapsulates the files and directories of the local file system. The
RandomAccessFile class provides the methods needed to directly access data contained in any
part of a file.
What interface must an object implement before it can be written to a stream as an object?
An object must implement the Serializable or Externalizable interface before it can be written to
a stream as an object.
What is the ResourceBundle class?
The ResourceBundle class is used to store locale-specific resources that can be loaded by a
program to tailor the program's appearance to the particular locale in which it is being run.
What is the difference between a Scrollbar and a ScrollPane?
A Scrollbar is a Component, but not a Container. A ScrollPane is a Container. A ScrollPane
handles its own events and performs its own scrolling.
What is a Java package and how is it used?
A Java package is a naming context for classes and interfaces. A package is used to create a
separate name space for groups of classes and interfaces. Packages are also used to organize
related classes and interfaces into a single API unit and to control accessibility to these classes
and interfaces.
What are the Object and Class classes used for?
The Object class is the highest-level class in the Java class hierarchy. The Class class is used to
represent the classes and interfaces that are loaded by a Java program.
What is Serialization and deserialization?
Serialization is the process of writing the state of an object to a byte stream. Deserialization is the
What is polymorphism?
Polymorphism allows methods to be written that needn't be concerned about the specifics of the
objects they will be applied to. That is, the method can be specified at a higher level of
abstraction and can be counted on to work even on objects of yet unconceived classes.
What is design by contract?
Design by contract specifies the obligations of a method to any other methods that may use
its services, and also their obligations to it. For example, the preconditions specify what the method
requires to be true when it is called, so the caller is responsible for making sure that the
preconditions hold. Similarly, the postconditions specify what must be true when the method is
finished, so the called method has the responsibility of satisfying the postconditions.
In Java, the exception handling facilities support the use of design by contract, especially in the
case of checked exceptions. The assert keyword can be used to express such contracts.
What are use cases?
A use case describes a situation that a program might encounter and what behavior the program
should exhibit in that circumstance. It is part of the analysis of a program. The collection of use
cases should, ideally, anticipate all the standard circumstances and many of the extraordinary
circumstances possible so that the program will be robust.
What is the difference between interface and abstract class?
o An interface contains methods that must be abstract; an abstract class may contain
concrete methods.
o An interface contains variables that must be static and final; an abstract class may
contain non-final and final variables.
o Members in an interface are public by default; an abstract class may contain non-public members.
o An interface is used with "implements"; whereas an abstract class is used with "extends".
o An interface can be used to achieve multiple inheritance; an abstract class can be used
for single inheritance only.
o An interface can "extends" another interface; an abstract class can "extends" another
class and "implements" multiple interfaces.
o An interface is absolutely abstract; an abstract class can be invoked if a main() exists.
o An interface is more flexible than an abstract class because one class can
Tuesday, August 5
ADS MORE INTERVIEW QUESTIONS
What is an Active Directory (AD)?
The Microsoft Windows 2003 Active Directory glossary defines an Active Directory as a
structure supported by Windows 2003 that lets any object on a network be tracked and located.
Active Directory is the directory service used in Windows 2003 Server and provides the
foundation for Windows 2003 distributed networks. A directory service provides the methods
for storing directory data and making this data available to network users and administrators. For
example, Active Directory stores information about user accounts, such as names, phone
numbers, and so on, and enables other authorized users on the same network to access this
information.
The AD, or Active Directory, is a database based on the LDAP (Lightweight Directory Access
Protocol) standard, which makes the information contained within the AD easily available to
other applications across different platforms. The AD contains user accounts, computer accounts,
organizational units, security groups, and group policy objects, all of which have a unique name
and a unique path. All unique objects in the AD use a domain contained within the AD as a
means of authentication.
What is a domain?
The Microsoft Windows 2003 Active Directory glossary defines a domain as a single security
boundary of a Windows NT-based computer network. Active Directory is made up of one or
more domains. On a standalone workstation, the domain is the computer itself. A domain can
span more than one physical location. Every domain has its own security policies and security
relationships with other domains. When multiple domains are connected by trust relationships
and share a common schema, configuration, and global catalog, they constitute a domain tree.
Multiple domain trees can be connected together to create a forest.
What is a tree?
The Microsoft Windows 2003 Active Directory glossary defines a tree as a set of Windows NT
domains connected together through transitive, bidirectional trust, sharing a common schema,
configuration, and global catalog. The domains must form a contiguous hierarchical namespace
such that if a.com is the root of the tree, b.a.com is a child of a.com, c.b.a.com is a child of
b.a.com, and so on.
What is a forest?
The Microsoft Windows 2003 Active Directory glossary defines a forest as a group of one or
more Active Directory trees that trust each other. All trees in a forest share a common schema,
configuration, and global catalog. When a forest contains multiple trees, the trees do not form a
contiguous namespace. All trees in a given forest trust each other through transitive bidirectional
trust relationships. Unlike a tree, a forest does not need a distinct name. A forest exists as a set of
cross-referenced objects and trust relationships known to the member trees. Trees in a forest
form a hierarchy for the purposes of trust.
What is a schema?
The Microsoft Windows 2003 Active Directory glossary defines a schema as the definition of
an entire database; the universe of objects that can be stored in the directory is defined in
the schema. For each object class, the schema defines what attributes an instance of the class
must have, what additional attributes it may have, and what object class can be a parent of the
current object class.
What is a global catalog (GC)?
The Microsoft Windows 2003 Active Directory glossary defines a global catalog (GC) as a
partial replica of every Windows 2003 domain in the directory. The GC
lets users and applications find objects in an Active Directory domain tree given one or more
attributes of the target object. It also contains the schema and configuration directory
partitions. This means the global catalog holds a replica of every object in the Active Directory,
but with only a small number of their attributes. The attributes in the global catalog are those
most frequently used in search operations (such as a user's first and last names, logon names, and
so on), and those required to locate a full replica of the object. The GC allows users to find
objects of interest quickly without knowing which domain holds them and without requiring a
contiguous extended namespace in the enterprise. The global catalog is built automatically by the
Active Directory replication system.
What is an organizational unit (OU)?
The Microsoft Windows 2003 Active Directory glossary defines an organizational unit as a
container object that is an Active Directory administrative partition. OUs can contain users,
groups, resources, and other OUs. Organizational Units enable the delegation of administration
to distinct subtrees of the directory.
What is a group policy?
The Microsoft Windows 2003 Active Directory glossary states that group policy refers to
applying policy to groups of computers and/or users contained within Active Directory
containers. The policy types include not only the registry-based policy found in Windows NT
Server 4.0; Directory Services also enables many other types of policy data to be stored, for example:
file deployment, application deployment, logon/logoff scripts and startup/shutdown scripts,
domain security, Internet Protocol security (IPSec), and so on. The collections of policies are
referred to as Group Policy objects (GPOs).
A group policy object (GPO) is defined as a virtual collection of policies. It is given a unique
name, such as a globally unique identifier (GUID). GPOs store group policy settings in two
locations: a Group Policy container (GPC) (preferred) and a Group Policy template (GPT). The
GPC is an Active Directory object that stores version information, status information, and other
policy information (for example, application objects). The GPT is used for file-based data and
stores software policy, script, and deployment information. The GPT is located on the system
volume folder of the domain controller. A GPO can be associated with one or more Active
Directory containers, such as a site, domain, or organizational unit. Multiple containers can be
associated with the same GPO, and a single container can have more than one associated GPO.
A GPO is broken into two major sections, the Computer Configuration and the User
Configuration. The Computer Configuration holds policies that are relevant only to the machine
itself; it can control printers, network settings, and Startup and Shutdown scripts. One of the
more useful policies under the Computer Configuration is the loopback policy, which allows
User Configuration policies to be applied to a computer regardless of the user (unless the user
is denied the GPO). Under the User Configuration, logon and logoff scripts can be configured,
folders can be redirected, and security settings can be tweaked.
What is an access control list (ACL)?
The Microsoft Windows 2003 Active Directory glossary defines an access control list as a set
of data associated with a file, directory, or other resource that defines the permissions that users
and/or groups have for accessing it. In the Active Directory service, an ACL is a list of access
control entries (ACEs) stored with the object it protects. In the Windows NT operating system,
an ACL is stored as a binary value, called a security descriptor.
What is an access control entry (ACE)?
The Microsoft Windows 2003 Active Directory glossary states that each ACE contains a
security identifier (SID), which identifies the principal (user or group) to whom the ACE applies,
and information on what type of access the ACE grants or denies.
Q01 - Can we add a Windows Server 2003 server to a Windows 2000 domain ?
Yes, Windows 2000 and Windows Server 2003 domain controllers can coexist.
Before doing this you have to prepare the AD schema with adprep /forestprep.
Browse.
5. On the Shared System Volume page, type the location in which
you want to install the SYSVOL folder, or click Browse.
6. On the Directory Services Restore Mode Administrator
Password page, type and confirm the Directory Services
Restore Mode password and click Next.
7. Review the Summary page, and then click Next.
8. When prompted, restart the computer.
Q03 - How to rename a Domain Controller ?
1. In the Control Panel, double-click System.
2. In the System Properties dialog box click Change.
3. When prompted, confirm that you want to rename the domain
controller.
4. Enter the full computer name and click OK.
Active Directory Database
Your Ntds.dit file is the Active Directory database. Verify that it resides in the
%Systemroot%\Ntds folder.
Global Catalog Server
By default, the first domain controller becomes a global catalog server. To verify this item:
1. Click Start, click Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites, expand Servers, and then select your domain controller.
3. Double-click the domain controller to expand the server contents.
4. Below the server, an NTDS Settings object is displayed. Right-click the object, and then click
Properties.
5. On the General tab, make sure that the Global Catalog check box is selected (this is the default
setting).
Root Domain
To verify this role, use the net accounts command. The computer role should be "primary" or
"backup," depending on whether the computer is the first domain controller in the domain.
Shared System Volume
A Windows Server 2003 domain controller should have a shared system volume located in the
%Systemroot%\Sysvol\Sysvol folder.
SRV Resource Records
You must have a DNS server installed and configured for Active Directory and the associated
client software to function correctly. Use the DNS Manager MMC snap-in to verify that the
correct zones and resource records are created for each DNS zone.
Active Directory creates its SRV RRs in the following folders:
o _Msdcs/Dc/_Sites/Default-first-site-name/_Tcp
o _Msdcs/Dc/_Tcp
In these locations, an SRV RR is displayed for the following services:
o _kerberos
o _ldap
Q06 - How to create a child domain ?
You can't use a DC that manages the root domain as the DC for a child domain; set up a new
server and then follow these instructions:
1. Run dcpromo.
2. On the Domain Controller Type page, Click Child domain in an existing domain tree.
3. Type the user name, password, and user domain of the user account you want to use.
4. Verify the parent domain, and then type the new child domain name.
Q07 - How to create a new tree ?
1. Run dcpromo.
2. On the Domain Controller Type page, click Domain tree in an existing forest.
3. Type the user name, password, and user domain of the user account you want to use.
4. Type the full DNS name for the new domain.
Q10 - How to Determine the RID, PDC, and Infrastructure FSMO Holders of a Selected Domain ?
1. Click Start, click Run, type dsa.msc, and then click OK.
2. Right-click the selected Domain Object in the top left pane, and then click Operations Masters.
3. Click the PDC tab to view the server holding the PDC master role.
4. Click the Infrastructure tab to view the server holding the Infrastructure master role.
5. Click the RID Pool tab to view the server holding the RID master role.
Q11 - How to Determine the Schema FSMO Holder in a Forest ?
1. Click Start, click Run, type mmc, and then click OK.
2. On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory
Schema, click Close, and then click OK.
3. Right-click Active Directory Schema in the top left pane, and then click Operations Masters to
view the server holding the schema master role.
Q12 - How to create a trust relationship between two forests ?
1. Open Active Directory Domains and Trusts.
2. Right-click the domain for which you want to create the trust (the forest root domain, a
shortcut trust domain, an external trust domain, or a realm trust domain), and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. Click Next on the Welcome page.
5. Type the DNS name on the appropriate Trust Name page and click Next.
6. Select the desired trust type on the Trust Type page and click Next.
7. Select the desired trust direction on the Direction of Trust page, then follow the wizard
instructions.
Q13 - How to check trust relationships ?
Using Active Directory Domains and Trusts:
1. Right-click the desired domain and click Properties.
2. Click the desired trust, then click Properties.
3. Click Validate, click No, do not.
4. Repeat steps 1 through 3 for the other domain in the relationship.
Using netdom:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Verify
Q14 - How to delete trust relationships ?
Using Active Directory Domains and Trusts:
IP or SMTP, depending on which protocol the site link will use, and then click New Site
Link.
2. In the Name box, type a name for the link.
3. Click two or more sites to connect, click Add, and then click OK.
To configure site links, perform the following steps:
1. Open Active Directory Sites and Services, expand Sites, expand Inter-Site Transports, and
then click IP or SMTP, depending on which protocol the site link is configured to use.
2. Right-click the site link, and then click Properties.
3. On the General page of the Properties dialog box, change the values for site associations, cost,
replication interval, and schedule as required, and then click OK.
4. Perform one of the following as appropriate:
In the Sites not in this site link box, click the site you want to add, and then click Add.
In the Sites in this site link box, click the site you want removed and then click Remove.
In the Cost box, enter a value for the cost of replication.
5. Click Change Schedule, select the block of time you want to schedule, and then click either
Replication Not Available or Replication Available, and then click OK.
If you want to Create a Site Link Bridge
Before you can create new site link bridges, you must first disable default bridging of all site
links to permit the creation of new site link bridges.
To disable default bridging of all site links, perform the following steps:
1. Open Active Directory Sites and Services, expand Sites, expand Inter-Site Transports, right-click
either IP or SMTP, depending on the protocol for which you want to disable bridging of all
site links, and then click Properties.
2. In the Properties dialog box, clear the Bridge all site links check box, and then click OK.
To create a site link bridge, perform the following steps:
1. Open Active Directory Sites and Services, expand Sites, expand Inter-Site Transports, right-click
either IP or SMTP, depending on the protocol that you want to create a site link bridge for,
and then click New Site Link Bridge.
2. In the Name box, type a name for the site link bridge.
3. Click two or more site links to be bridged, click Add, and then click OK.
Q18 - How to Manage a Site Topology ?
To create a preferred bridgehead server, perform the following steps:
1. Open Active Directory Sites and Services, expand Sites, expand the site that contains the
server that you want to configure, expand Servers, and then in the console tree, right-click the
domain controller that you want to make a preferred bridgehead server, and then click Properties.
2. Choose the intersite transport or transports to designate the computer a preferred bridgehead
server, click Add, and then click OK.
To determine the domain controller that holds the role of the intersite topology generator in the
The drive letter on which the %SystemRoot% folder is located must be the same as when it was
backed up.
The %SystemRoot% folder must be the same folder as when it was backed up.
If sysvol or other Active Directory databases were located on another volume, they must exist
and have the same drive letters also. The size of the volume does not matter.
Q23 - How to restore AD ?
There are different methods, depending on the state of your AD. Normal: if you have lost only
one DC, you have to restore the DC and then the data. Authoritative: with many DCs, you can
restore whatever you want and select it.
How to Perform a Normal Restore
To perform a primary restore, you must be a member of the Administrators group on the local
computer, or you must have been delegated the appropriate permissions. If the computer is in a
domain, members of the Domain Admins group can perform this procedure.
To perform a primary restore of Active Directory, perform the following steps:
1. Restart your domain controller in Directory Services Restore Mode.
2. Start the Backup utility.
3. On the Welcome to the Backup or Restore Wizard page, click Advanced Mode.
4. On the Welcome to Backup Utility Advanced Mode page, on the Restore and Manage Media
tab, select what you want to restore, and then click Start Restore.
5. In the Warning dialog box, click OK.
6. In the Confirm Restore dialog box, click Advanced.
7. In the Advanced Restore Options dialog box, click When restoring replicated data sets, mark
the restored data as the primary data for all replicas, and then click OK twice.
Important: Selecting this option ensures that the File Replication Service (FRS) data is
replicated to the other servers. Select this option only when you want to restore the first replica
set to the network.
8. In the Restore Progress dialog box, click Close.
9. In the Backup Utility dialog box, click Yes.
Warning
When you restore the system state data, the Backup utility erases the system state data that is on
your computer and replaces it with the system state data that you are restoring, including system
state data that is not related to Active Directory. Depending on how old the system state data is,
you may lose configuration changes that you recently made to the computer. To minimize this
risk, back up the system state data regularly.
How to Perform an Authoritative Restore
Unlike a normal restore, an authoritative restore requires the use of a separate command-line
tool, Ntdsutil. No backup utilities, including the Windows Server 2003 system utilities, can
perform an authoritative restore.
GPOs.
To delegate administrative control for creating GPOs, perform the following steps:
1. Open Group Policy Management.
2. Browse to the forest and domain in which you want to delegate administrative control for
creating GPOs, and then click Group Policy Objects.
3. In the details pane, on the Delegation tab, click Add.
4. In the Select User, Computer, or Group dialog box, in the Enter the object name to select
(examples) box, type the security principal, click Check Names, and then click OK.
To delegate administrative control for editing GPOs, perform the following steps:
1. Open Group Policy Management.
2. Browse to the forest and domain in which you want to delegate administrative control for
editing GPOs, and then click the link.
3. In the details pane, on the Delegation tab, click Add.
4. In the Select User, Computer, or Group dialog box, in the Enter the object name to select
(examples) box, type the security principal, click Check Names, and then click OK.
5. In the Add Group or User dialog box, in the Permissions box, select the appropriate
permission, and then click OK.
Q50 - I can't add another DC to the AD Domain. What can I check ?
Steps for fixing the problem when DCPROMO does not find the domain.
1. Verify that the existing domain controller is pointing to a Windows 2000 DNS server. Do not
point it to any external ISP DNS servers.
2. Open the DNS MMC, double click forwarders so that you can see the zone for your domain.
3. Right click on this zone and select properties. Verify that your zone is set to allow dynamic
updates, if not change it so that it does.
4. Double click your zone to expand it. You should have 4 subfolders (_MSDCS, _SITES, _TCP,
_UDP) and a few records.
5. If these subfolders do not exist, open a command prompt.
6. Type IPconfig /registerdns and press Enter.
7. Type net stop netlogon.
8. Type net start netlogon (restarting netlogon forces the service to register its SRV records
with the DNS zone, thus creating the missing subfolders; the records that will be registered are
listed in winnt\system32\config\netlogon.dns).
9. After restarting netlogon, go back into your DNS zone and verify that you have the subfolders
mentioned in step 4 above.
10. If the folders are not there, try running netdiag.exe /fix from the Support Tools, or try
restarting netlogon again.
11. On the DC that you are trying to promote, verify that it is pointing to the Windows 2000 DNS
server that we have been working on for DNS.
Posted by Anuj Sharma at 7:51:00 PM 0 comments
In order to ensure that domain controllers don't duplicate ID numbers, AD includes a special
Flexible Single Master Operations (FSMO) role in each domain, called the RID master. The RID
master's job is to allocate to each domain controller a unique range of RIDs. Because all RIDs
stem from this single source and the RID master doesn't issue overlapping pools to different
domain controllers, each domain controller has a unique range of spare ID numbers to use
when creating new objects.
As part of its role in ensuring uniqueness for each AD object, the RID master is also responsible
for removing the entries for domain objects that are moved to another domain. However, you
should note that the RID from the removed object is never reused in the domain.
SID Construction
The unique number assigned to each domain object is called a Security Identifier (SID). A
typical SID looks like this:
S-1-5-21-917267712-1342860078-1792151419-500
RID Management
You can't directly affect the allocation of RIDs except through a few documented workarounds
to specific operating system (OS) problems. You can view certain RID attributes directly in AD.
(It is possible for a domain controller to use up its allocated RID pool more quickly than it
can request a new one. For example, if you're migrating thousands of users to a domain
controller that has poor connectivity to the RID master, the domain controller might run
out of RIDs. For more information about this problem, see the Microsoft article "RID Pool
Allocation and Sizing Changes in Windows 2000 SP4".)
AD contains several attributes that contain information about RIDs; these attributes, in fact, are
the sources that DisplayRID queries for its output. The major attributes are:
FsmoRoleOwner: Contains the fully qualified domain name of the current holder of the RID
master role.
RidAvailablePool: Defines the number of security principals that the domain can contain (a
fixed value, currently just over 1 billion), and the number of RIDs that have been allocated already.
RidAllocationPool: Defines the current pool for a domain controller, and its next pool.
RidNextRid: The next RID that will be used on the domain controller.
RidPreviousAllocationPool: The current pool of RIDs used to create new SIDs; this value
includes the value of RidNextRid.
RidUsedPool and NextRid: Unused attributes that are still defined in AD.
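As an added example (not from the original page, and not Microsoft's code), the following Python models the two ideas above: splitting a SID into its domain identifier and RID, and a RID master that hands out non-overlapping pools so that two domain controllers minting objects at the same time can never produce the same SID. The well-known RID names are Microsoft-documented values; the pool size, starting RID and domain controller names are small constructed values for the demonstration, not the real defaults.

```python
"""Parse Windows SIDs and model RID-pool allocation by the RID master.

Added example, not from the original page. The SID layout follows the
S-<revision>-<authority>-<sub-authorities...>-<RID> string form; the pool
size, starting RID and DC names are constructed values for the demo.
"""
import re
from dataclasses import dataclass

# Well-known RIDs that exist in every domain (Microsoft-documented values).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
}

# S-<rev>-<authority> followed by one or more dash-separated sub-authorities.
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    @property
    def domain_sid(self) -> str:
        """Everything except the final sub-authority, which is the RID."""
        parts = [self.revision, self.authority, *self.sub_authorities[:-1]]
        return "S-" + "-".join(str(p) for p in parts)

    @property
    def rid(self) -> int:
        return self.sub_authorities[-1]

    @property
    def well_known_name(self):
        """Name of the principal if the RID is a well-known one, else None."""
        return WELL_KNOWN_RIDS.get(self.rid)


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    subs = tuple(int(x) for x in m.group(3).lstrip("-").split("-"))
    return Sid(int(m.group(1)), int(m.group(2)), subs)


class RidMaster:
    """Single source of RIDs for a domain: each request gets a fresh, non-overlapping range."""

    def __init__(self, pool_size: int = 5, first_rid: int = 1000):
        self.pool_size = pool_size
        self.next_unallocated = first_rid
        self.history = []  # (dc_name, start, end) for every pool ever issued

    def allocate(self, dc_name: str):
        start = self.next_unallocated
        end = start + self.pool_size - 1
        self.next_unallocated = end + 1          # this range is never handed out again
        self.history.append((dc_name, start, end))
        return start, end


class DomainController:
    """Mints SIDs from its own pool and asks the RID master for more when it runs dry."""

    def __init__(self, name: str, domain_sid: str, rid_master: RidMaster):
        self.name = name
        self.domain_sid = domain_sid
        self.rid_master = rid_master
        self.pool_start, self.pool_end = rid_master.allocate(name)
        self.next_rid = self.pool_start          # plays the role of the RidNextRid attribute

    def create_principal(self) -> str:
        if self.next_rid > self.pool_end:        # pool exhausted: fetch the next one
            self.pool_start, self.pool_end = self.rid_master.allocate(self.name)
            self.next_rid = self.pool_start
        sid = "%s-%d" % (self.domain_sid, self.next_rid)
        self.next_rid += 1
        return sid


def pools_overlap(history) -> bool:
    """True if any two issued pools share a RID (must never happen)."""
    ranges = sorted((s, e) for _, s, e in history)
    return any(ranges[i][1] >= ranges[i + 1][0] for i in range(len(ranges) - 1))


def simulate(n_per_dc: int = 7):
    """Two DCs creating objects in turn; returns (SIDs minted, pools issued)."""
    domain = "S-1-5-21-917267712-1342860078-1792151419"   # domain part of the page's sample SID
    master = RidMaster(pool_size=5, first_rid=1000)
    dcs = [DomainController("DC1", domain, master), DomainController("DC2", domain, master)]
    sids = []
    for _ in range(n_per_dc):
        for dc in dcs:
            sids.append(dc.create_principal())
    return sids, master.history


if __name__ == "__main__":
    sid = parse_sid("S-1-5-21-917267712-1342860078-1792151419-500")
    print(sid.domain_sid, sid.rid, sid.well_known_name)
    sids, history = simulate()
    print(len(sids), "SIDs,", len(set(sids)), "unique, pools overlap:", pools_overlap(history))
```

Running the sample SID from the page through parse_sid gives domain identifier S-1-5-21-917267712-1342860078-1792151419 and RID 500, the built-in Administrator account, which is why that SID is worth watching for in logs regardless of what the account has been renamed to. In simulate(), each DC exhausts its first pool after five objects and is issued a fresh, disjoint range, so all 14 SIDs are distinct and pools_overlap() stays False.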
Starting Up
When the client computer starts, its Netlogon service starts automatically (in the default
configuration). This service implements the DsGetDcName application programming interface
(API), which is used to locate a domain controller.
The client begins by collecting a number of pieces of information that will be used to locate a
domain controller. This information includes the client's local IP address, which is used to
determine the client's Active Directory site membership, the desired domain name, and a DNS
server address.
Finding the Domain Controllers
Netlogon then queries the configured DNS server. Netlogon retrieves the service (SRV) resource
records and host (A) records from DNS that correspond to the domain controllers for the desired
domain. The general form for the queried SRV records is _service._protocol.domainname, where
service is the domain service, protocol is the TCP/IP protocol, and domainname is the desired
Active Directory fully qualified domain name (FQDN). For example, because Active Directory
is a Lightweight Directory Access Protocol (LDAP)-compliant directory service, clients query
for _ldap._tcp.domainname (or _ldap._tcp.dc._msdcs.domainname when locating the nearest
domain controller).
Each domain controller in a domain registers its host name in an SRV record, so the
client's query results will be a list of domain controller host names. The client also retrieves the
associated A records, providing the client with the IP address of every domain controller in the
domain. The client then sends an LDAP search query, via the User Datagram Protocol (UDP), to
each domain controller.
Selecting a Domain Controller
After the client locates a domain controller, the client uses LDAP to access Active Directory on a
domain controller, preferably one in the client's own subnet. The domain controller uses the
client's IP address to identify the client's Active Directory site. If the domain controller is not in
the closest site, then the domain controller returns the name of the client's site, and the client
tries to find a domain controller in that site by querying DNS. If the client has already attempted
to find a domain controller in that site, then the client will continue using the current, non-optimal
domain controller. Once the client finds a domain controller it likes, it caches that domain
controller's information, and the client will continue to use that domain controller for future
contacts (unless the domain
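The locator steps above, as an added Python example (not from the original page, and not Microsoft's code): it builds the SRV names in the order a client tries them (site-specific first, then domain-wide), chooses among the answers by priority and weight as SRV records define, and lists which of a domain controller's expected registrations (the _Msdcs/Dc/_Tcp and _Sites entries listed earlier) are missing from a zone, which is the check behind Q50. The zone contents, host names, site name and priority/weight values are constructed sample data.

```python
"""DC locator: SRV query names, record selection and a missing-registration check.

Added example, not from the original page. Query-name forms follow the
_service._protocol.domainname pattern described above; SAMPLE_ZONE is a
constructed stand-in for DNS answers (hosts, site, priorities and weights
are made up). Choosing by priority/weight follows the SRV rules of RFC 2782.
"""
import random

SERVICES = ("_ldap", "_kerberos")


def locator_names(domain, site=None, service="_ldap"):
    """SRV names a client tries, most specific first."""
    names = []
    if site:
        names.append("%s._tcp.%s._sites.dc._msdcs.%s" % (service, site, domain))
    names.append("%s._tcp.dc._msdcs.%s" % (service, domain))
    names.append("%s._tcp.%s" % (service, domain))
    return names


def expected_dc_records(domain, site):
    """Every SRV name a DC in `site` registers for _ldap and _kerberos."""
    names = []
    for service in SERVICES:
        names.append("%s._tcp.dc._msdcs.%s" % (service, domain))
        names.append("%s._tcp.%s._sites.dc._msdcs.%s" % (service, site, domain))
    return names


def missing_dc_records(domain, site, zone):
    """Expected registrations that the zone does not hold (what Q50's step 4 looks for)."""
    return [n for n in expected_dc_records(domain, site) if not zone.get(n)]


def select_dc(records, pick=None):
    """Pick one record: lowest priority wins, ties are broken by weighted random choice.

    `pick(total)` may be supplied to replace the random draw (used for testing).
    """
    if not records:
        return None
    best = min(r["priority"] for r in records)
    candidates = [r for r in records if r["priority"] == best]
    # Weight-0 records go first so they are chosen only when the draw is 0.
    candidates.sort(key=lambda r: r["weight"] != 0)
    total = sum(r["weight"] for r in candidates)
    draw = random.randint(0, total) if pick is None else pick(total)
    running = 0
    for r in candidates:
        running += r["weight"]
        if running >= draw:
            return r
    return candidates[-1]


def locate_dc(domain, site, zone, pick=None):
    """Walk the query names in order; return (name that answered, chosen record)."""
    for name in locator_names(domain, site):
        records = zone.get(name)
        if records:
            return name, select_dc(records, pick)
    return None, None


def srv_record(target, priority=0, weight=100, port=389):
    return {"target": target, "priority": priority, "weight": weight, "port": port}


# Constructed sample zone for corp.example: a DC in site Paris registered its _ldap
# records, plus a low-preference (priority 10) DC elsewhere; no _kerberos records yet.
SAMPLE_ZONE = {
    "_ldap._tcp.Paris._sites.dc._msdcs.corp.example": [srv_record("dc-paris-1.corp.example")],
    "_ldap._tcp.dc._msdcs.corp.example": [
        srv_record("dc-paris-1.corp.example"),
        srv_record("dc-london-1.corp.example"),
        srv_record("dc-backup.corp.example", priority=10, weight=0),
    ],
}

if __name__ == "__main__":
    print(locate_dc("corp.example", "Paris", SAMPLE_ZONE))
    print(locate_dc("corp.example", "Tokyo", SAMPLE_ZONE))   # no Tokyo records: falls back
    print(missing_dc_records("corp.example", "Paris", SAMPLE_ZONE))
```

A client in site Paris is answered by the site-specific name and gets dc-paris-1; a client in a site with no registrations (Tokyo in the sample) falls back to the domain-wide name and is spread across the priority-0 controllers, with the priority-10 record used only when nothing better exists. missing_dc_records() reports the two _kerberos names the sample zone lacks, which is the kind of gap that a netlogon restart (Q50, step 8) re-registers on a real DC.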
Use of Netdom command
NetDom examples (from the Support Tools help file w2rksupp.chm, printed 1/22/2005)

Sample workstation or member server operations

Adding a workstation or member server to a domain
Add the workstation mywksta to the Windows NT 4.0 domain microsoft:
NETDOM ADD /d:microsoft mywksta /ud:mydomain\admin /pd:password
Add the workstation mywksta to the Windows 2000 domain devgroup.microsoft.com in the organizational unit (OU) Dsys/workstations:
NETDOM ADD /d:devgroup.microsoft.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com
Note: If /OU is not specified the account is created in the Computers container.

Joining a workstation or member server to a domain
Join mywksta to the devgroup.microsoft.com domain in the Dsys/workstations organizational unit:
NETDOM JOIN /d:devgroup.microsoft.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com
In addition to adding the computer account to the domain, the workstation is modified to contain the appropriate shared secret to complete the Join operation.

Removing a workstation or member server from a domain
To remove mywksta from the mydomain domain and have the workstation be part of a workgroup:
NETDOM REMOVE /d:mydomain mywksta /ud:mydomain\admin /pd:password

Moving a workstation or member server from one domain to another
To move mywksta from its current domain into the mydomain domain:
NETDOM MOVE /d:mydomain mywksta /ud:mydomain\admin /pd:password
If the destination is a Windows 2000 domain, the SIDHistory for the workstation is updated, retaining the security permissions that the computer account had previously.

Resetting the secure channel for a workstation, member server, or Windows NT 4.0 BDC
To reset the secure channel secret maintained between mywksta and devgroup.microsoft.com (regardless of OU):
NETDOM RESET /d:devgroup.microsoft.com mywksta
To reset the secure channel between the Windows NT 4.0 PDC for Northamerica and the backup domain controller NABDC:
NETDOM RESET /d:Northamerica NABDC

Forcing a secure channel session between a member and a specific domain controller
Members may often establish secure channel sessions with non-local domain controllers. To force a secure channel session between a member and a specific domain controller, add the /Server option to the RESET command:
NETDOM RESET /d:devgroup.microsoft.com mywksta /Server:mylocalbdc

Verifying a workstation or member server secure channel
To verify the secure channel secret maintained between mywksta and devgroup.microsoft.com:
NETDOM VERIFY /d:devgroup.microsoft.com mywksta

Sample domain TRUST operations

Establishing a trust relationship
When used with the TRUST command, the /d:domain parameter always refers to the trusted domain. To have the Windows NT 4.0 resource domain USA-Chicago trust the Windows NT 4.0 account domain Northamerica:
NETDOM TRUST /d:Northamerica USA-Chicago /ADD /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*
>Password for Northamerica\admin: xxxx
>Password for USA-Chicago\admin: yyyy
The user must have credentials for both domains. /Pd: can be used to specify the password for Northamerica\admin while /Po: can be used to specify the password for USA-Chicago\admin. If passwords are not provided on the command line, the user will be prompted for both.
The /TWOWAY option can be appended to specify a bidirectional trust:
NETDOM TRUST /d:marketing.microsoft.com engineering.microsoft.com /ADD /TWOWAY /Uo:admin@engineering.microsoft.com /Ud:admin@marketing.microsoft.com

Establishing a trust relationship with a non-Windows Kerberos realm
To establish a one-way trust so that Northamerica trusts the non-Windows Kerberos realm ATHENA:
NETDOM TRUST /d:ATHENA Northamerica /ADD /PT:password /REALM
The /d option specifies the TRUSTED domain and /REALM indicates that this is a non-Windows Kerberos realm. The order of the domains is not important and credentials to the Windows 2000 domain can be supplied if needed. Note that verifying a specific trust relationship will usually require credentials unless the user has domain admin privileges on both domains.
To allow the Kerberos realm ATHENA to trust the Northamerica domain:
NETDOM TRUST /d:Northamerica ATHENA /ADD
To make the trust bi-directional, you can specify /TWOWAY.
Changing the trust from ATHENA to
Northamerica to transitive (non-Windows Kerberos trusts are created nontransitive) NETDOM TRUST
Northamerica /d:ATHENA /TRANS:yes Displaying the transitive state NETDOM TRUST Northamerica
/d:ATHENA /TRANS The order of the two domains above is not important (either can be the nonWindows Kerberos domain). Breaking a trust relationship To undo the trust that USA-Chicago has for
Northamerica, NETDOM TRUST /d:Northamerica USA-Chicago /REMOVE To break a two-way trust
relationship NETDOM TRUST /d:marketing.microsoft.com Engineering.microsoft.com /REMOVE
/TWOWAY /Uo:admin@engineering.microsoft.com /Ud:admin@marketing.microsoft.com Verifying a
specific trust relationship To verify the one-way trust that USA-Chicago has for Northamerica: NETDOM
TRUST /d:Northamerica USA-Chicago /VERIFY To verify a two-way trust between the Northamerica and
Europe domains: NETDOM TRUST /d:Northamerica EUROPE /VERIFY /TWOWAY The verify command
checks that the appropriate shared secrets are synchronized between the two items involved in the
trust. Resetting a specific trust relationship To reset the secure channel for the one-way trust between
Northamerica and USA-Chicago: NETDOM TRUST /d:Northamerica USA-Chicago
/Ud:Northamerica\admin /RESET The reset command synchronizes the appropriate shared secrets if
they are not already synchronized. Verifying Kerberos functionality To verify Kerberos authentication
between a workstation and a service located in domain devgroup.microsoft.com: NETDOM TRUST
/d:devgroup.microsoft.com NetDom examples Page 2 of 4
mk:@MSITStore:C:\Program%20Files\Support%20Tools\w2rksupp.chm::/topics/netdom_exa...
1/22/2005 [workstation] /VERIFY /KERBEROS If the workstation parameter is omitted, the current
workstation is used. The NETDOM TRUST command with the /Verify /Kerberos options attempts to get a
session ticket for the Kerberos Admin service in the target domain. If successful, it can be concluded that
all Kerberos operations (for example KDC referrals) are operating correctly between the workstation and
the target domain. Note The operation can not be executed remotely; it must be run on the workstation
being tested. Sample domain QUERY operations Viewing domain membership List all the workstations in
the domain Northamerica: NETDOM QUERY /d:Northamerica WORKSTATION List all of the Servers in
Northamerica: NETDOM QUERY /d:Northamerica SERVER List all the domain controllers in the domain
Northamerica: NETDOM QUERY /d:Northamerica DC List all of the OUs in devgroup.microsoft.com:
NETDOM QUERY /d:devgroup.microsoft.com OU List the PDC for Northamerica: NETDOM QUERY
/d:Northamerica PDC List the current PDC Emulator for devgroup.microsoft.com: NETDOM QUERY
/d:devgroup.microsoft.com FSMO Secure channel batch repair The QUERY command can be used in
conjunction with the /Verify and /Reset options to perform these operations all together. The output of
the QUERY command can be piped to the NETDOM VERIFY or NETDOM RESET command. List all servers
and verify secure channel secret: NETDOM QUERY /d:Northamerica SERVER /VERIFY List all workstations
and reset any unsynchronized secure channel secrets: NETDOM QUERY /d:Northamerica WORKSTATION
/RESET Viewing domain trusts To view all the direct trust relationships for the domain Northamerica:
NETDOM QUERY /d:Northamerica /Ud:Northamerica\admin DOMAIN /Direct To view all the direct and
indirect trust relationships for the domain Northamerica: NETDOM QUERY /d:Northamerica
/Ud:Northamerica\admin DOMAIN To view all trust relationships and check their status: NETDOM
QUERY /d:devgroup.microsoft.com DOMAIN /VERIFY Sample domain TIME operations Viewing domain
controller time status To verify the current time for all domain controllers in devgroup.microsoft.com:
NETDOM TIME /d:devgroup.microsoft.com To verify the time for a specific server: NETDOM TIME
/d:devgroup.microsoft.com dc1.devgroup.microsoft.com Synchronizing time The /Synch switch may be
used to resynchronize a specified domain controller or all domain controllers that are out of synch:
NetDom examples Page 3 of 4
mk:@MSITStore:C:\Program%20Files\Support%20Tools\w2rksupp.chm::/topics/netdom_exa...
1/22/2005 NETDOM TIME /d:devgroup.microsoft.com /SYNCH Specifying a domain controller: NETDOM
TIME /d:devgroup.microsoft.com dc1.devgroup.microsoft.com /SYNCH Renaming the domain name for
a Windows NT 4.0 BDC Changing the name of a Windows NT 4.0 domain is a complex process and
requires: Renaming the domain name on the Windows NT 4.0 PDC. Modifying all Windows NT 4.0 BDCs.
Rejoining all Members (workstations and servers). Deleting and Reestablishing all Trusts. The following
NETDOM syntax is provided to support the modifications necessary to rejoin a BDC to the renamed
domain. (step 2 above): NETDOM RENAME /d:newdomainname BDCServer Windows 2000 Domain
Manager (Netdom.exe) NetDom syntax NetDom examples Page 4 of 4
mk:@MSITStore:C:\Program%20Files\Support%20Tools\w2rksupp.chm::/topics/netdom_exa...
1/22/2005
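The secure channel batch repair above resets every workstation's secret in one pass. As an added example that is not part of the Support Tools help text, the following PowerShell script wraps the same NETDOM VERIFY and NETDOM RESET commands to audit a list of members first and reset only those that fail verification, keeping a log of what it found. It assumes netdom.exe is on the PATH, accepts the "/d:domain machine" form shown above, and returns a non-zero exit code when a verify or reset fails (an assumption, not stated on the page).

```powershell
# Added example, not from the Windows 2000 Support Tools help above.
# Assumes: netdom.exe on PATH, the "/d:domain machine" syntax shown on the page,
# and a non-zero $LASTEXITCODE on failure. Run under an account that already has
# rights in the domain; if credentials must be supplied, use /Ud:user /Pd:* so
# netdom prompts instead of taking the password from the command line.
param(
    [Parameter(Mandatory)] [string]   $Domain,        # e.g. devgroup.microsoft.com
    [Parameter(Mandatory)] [string[]] $ComputerName,  # members to audit
    [string] $Server,                                 # optional DC to pin the channel to (/Server:)
    [switch] $Repair,                                 # without -Repair the script only reports
    [string] $LogPath = '.\netdom-secure-channel.log'
)

function Test-NetdomSecureChannel {
    param([string] $Computer)
    # Same form as "NETDOM VERIFY /d:devgroup.microsoft.com mywksta" above.
    $out = & netdom.exe VERIFY "/d:$Domain" $Computer 2>&1
    [pscustomobject]@{
        Computer = $Computer
        Verified = ($LASTEXITCODE -eq 0)
        Reset    = 'not attempted'
        Detail   = (($out | ForEach-Object { "$_" }) -join ' ').Trim()
    }
}

function Repair-NetdomSecureChannel {
    param([string] $Computer)
    # NETDOM RESET re-synchronizes the shared secret; /Server forces the session to one DC.
    $netdomArgs = @('RESET', "/d:$Domain", $Computer)
    if ($Server) { $netdomArgs += "/Server:$Server" }
    $null = & netdom.exe @netdomArgs 2>&1
    return ($LASTEXITCODE -eq 0)
}

$results = foreach ($c in $ComputerName) {
    $r = Test-NetdomSecureChannel -Computer $c
    if (-not $r.Verified -and $Repair) {
        $r.Reset = if (Repair-NetdomSecureChannel -Computer $c) { 'succeeded' } else { 'FAILED' }
    }
    $r
}

# One line per member, appended so repeated audits stay comparable over time.
$results | ForEach-Object {
    '{0:u} {1} verified={2} reset={3} {4}' -f (Get-Date), $_.Computer, $_.Verified, $_.Reset, $_.Detail
} | Tee-Object -FilePath $LogPath -Append
```

Run it first without -Repair to see which members actually have a broken secure channel; a reset changes the machine account password, so it is worth knowing how many members need it before doing it in bulk.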
posted by ramu a system administrator at 5:17 am
* SMTP port 25
* HTTP port 80