Explore topic-wise InterviewSolutions in .

Not all DNS servers are SCAVENGING servers, you can configure/promote DNS SERVER to Scavenging servers.
Zone PARAMETER on advanced settings that enables you to specify a restricted list of IP ADDRESSES for DNS servers that are enabled to perform scavenging.

Not all DNS servers are Scavenging servers, you can configure/promote DNS server to Scavenging servers.
Zone parameter on advanced settings that enables you to specify a restricted list of IP addresses for DNS servers that are enabled to perform scavenging.

Every DNS RECORD time stamp been UPDATED While the time of computer restart
A periodic refresh is sent by the computer every 24 hours.
Network services make refresh attempts, like DHCP servers, which renew client address, cluster servers, which register and update records for a cluster, and the Net Logon service, which can register and update RESOURCE records that are used by AD domain controllers So that the record not taken as a stale DNS record.

Every DNS record time stamp been updated While the time of computer restart
A periodic refresh is sent by the computer every 24 hours.
Network services make refresh attempts, like DHCP servers, which renew client address, cluster servers, which register and update records for a cluster, and the Net Logon service, which can register and update resource records that are used by AD domain controllers So that the record not taken as a stale DNS record.

Default value for SCAVENGING is seven days (the minimum ALLOWED value for this is one HOUR)
scavenging time on DNS zone is the server to determine when a zone becomes available for scavenging
So 7 + 7, every 14 days

Default value for Scavenging is seven days (the minimum allowed value for this is one hour)
scavenging time on DNS zone is the server to determine when a zone becomes available for scavenging
So 7 + 7, every 14 days

Scavenging must be ENABLED on DNS server and on the zone you want to scavenging.
DNS records must be dynamically added to ZONES or you can MANUALLY MODIFIED the timestamp configuration.

Scavenging must be enabled on DNS server and on the zone you want to scavenging.
DNS records must be dynamically added to zones or you can manually modified the timestamp configuration.

1. CHECK the primary DNS configuration on the system, Primary DNS server should be REACHABLE from client in order to REGISTER DNS RECORD.
2. Register this connections addresses in DNS should be selected on network card properties (advance options where you configure the IP Address).
3. Also Check the DHCP configuration if the managed through DHCP.

Simple way is restart the system which trigger the DNS Dynamic Update, we can user the below COMMAND to force DNS Dynamic Update

IPCONFIG /registerdns

You can ALSO restart the netlogon service on service.msc

Simple way is restart the system which trigger the DNS Dynamic Update, we can user the below command to force DNS Dynamic Update

Ipconfig /registerdns

You can also restart the netlogon service on service.msc

The record CREATED dynamically by client/server on DNS zone, automatically added to ZONES when COMPUTERS start on the network.

The record created dynamically by client/server on DNS zone, automatically added to zones when computers start on the network.

ENABLE BurFlags REGISTRY to D2 or D4

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNtFrsParametersBackup/RestoreProcess at STARTUP

BurFlags

• D2, for nonauthoritative mode restore
• D4, for an authoritative mode restore

Enable BurFlags registry to D2 or D4

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNtFrsParametersBackup/RestoreProcess at Startup

BurFlags

IN D4 restore a copy of SYSVOL that is restored from backup is authoritative for the domain. After the necessary configurations have been made, ACTIVE Directory marks the local SYSVOL as authoritative and it is replicated to the other domain CONTROLLERS within the domain.

IN D4 restore a copy of SYSVOL that is restored from backup is authoritative for the domain. After the necessary configurations have been made, Active Directory marks the local SYSVOL as authoritative and it is replicated to the other domain controllers within the domain.

D2 is the DEFAULT method for restoring SYSVOL and occurs automatically when you do a non-authoritative restore of the Active Directory

When you non-authoritatively restore the SYSVOL, the local copy of SYSVOL on the restored domain controller is COMPARED with that of its replication partners. After the domain controller restarts, it REPLICATES the any necessary changes, bringing it up-to-date with the other domain controllers within the domain.

D2 is the default method for restoring SYSVOL and occurs automatically when you do a non-authoritative restore of the Active Directory

When you non-authoritatively restore the SYSVOL, the local copy of SYSVOL on the restored domain controller is compared with that of its replication partners. After the domain controller restarts, it replicates the any necessary changes, bringing it up-to-date with the other domain controllers within the domain.

1. USN JOURNAL wrap ERROR on sysvol
2. Morphed FOLDER on Sysvol
3. FRS replication issues
4. Sysvol SHARE not sharing on.

Netlogon FOLDER CONTAIN logon/logoff/startup/shutdown SCRIPTS which is inside the SYSVOL folder.

Netlogon folder contain logon/logoff/startup/shutdown scripts which is inside the Sysvol folder.

Although GPOS are LINKED to the site, domain, or OUs, and they cannot be linked to the SECURITY groups directly, applying permissions to the GPO can filter its scope. The policies in a non-local GPO APPLY only to users who have the Read and Apply Group Policy permissions set to Allow By specifying appropriate permissions to the security groups, the ADMINISTRATORS can filter a GPO’s scope for the computers and users.

Although GPOs are linked to the site, domain, or OUs, and they cannot be linked to the security groups directly, applying permissions to the GPO can filter its scope. The policies in a non-local GPO apply only to users who have the Read and Apply Group Policy permissions set to Allow By specifying appropriate permissions to the security groups, the administrators can filter a GPO’s scope for the computers and users.

• A policy setting is CONFIGURED (Enabled or Disabled) for a parent OU, and the same policy setting is not configured for its child OUS. The child OUs inherit the parent’s policy
• A policy setting is configured (Enabled or Disabled) for a parent OU, and the same policy setting is configured for its child OUs. The child OUs settings OVERRIDE the settings inherited from the parent’s OU
• If any policy is not configured, no inheritance TAKES place
• COMPATIBLE policy settings configured at the parent and child OUs are accumulated.
• Incompatible policy settings from the parent OU are not inherited.

Group POLICY INHERITANCE:

The group POLICIES are INHERITED from parent to child within a domain. They are not inherited from parent domain to child domain.

Group Policy Inheritance:

The group policies are inherited from parent to child within a domain. They are not inherited from parent domain to child domain.

The following are the exceptions with regard to the above-mentioned settings:

 No Override:

Any GPO can be SET to No Override. If the No Override configuration is set to a GPO, no policy configured in the GPO can be overridden. If more than one GPO has been set to No Override, then the one that is the highest in the Active DIRECTORY hierarchy takes precedence

Block Policy INHERITANCE: 

The Block Policy Inheritance option can be applied to the site, domain, or OU. It deflects all group policy settings that reach the site, domain, or OU from the object higher in the hierarchy. However, the GPOs configured with the No Override option are always applied.

The following are the exceptions with regard to the above-mentioned settings:

 No Override:

Any GPO can be set to No Override. If the No Override configuration is set to a GPO, no policy configured in the GPO can be overridden. If more than one GPO has been set to No Override, then the one that is the highest in the Active Directory hierarchy takes precedence

Block Policy Inheritance: 

The Block Policy Inheritance option can be applied to the site, domain, or OU. It deflects all group policy settings that reach the site, domain, or OU from the object higher in the hierarchy. However, the GPOs configured with the No Override option are always applied.

• The LOCAL group policy object is applied first
• Then, the group policy objects linked to sites are applied
• If multiple GPOs EXIST for a SITE, they are applied in the order specified by an administrator
• GPOs linked to the domains are applied in the specified order
• Finally, GPOs linked to OUS are applied

The OU group policy objects are set from the largest to the smallest organizational unit, i.e., first the parent OU and then the child OU.

By default, a policy applied later overwrites a policy that was applied earlier. Hence, the SETTINGS in a child OU can override the settings in the parent OU

Group policy settings are cumulative if they are compatible with each other. In case they conflict with each other, the GPO processed later takes precedence.

The OU group policy objects are set from the largest to the smallest organizational unit, i.e., first the parent OU and then the child OU.

By default, a policy applied later overwrites a policy that was applied earlier. Hence, the settings in a child OU can override the settings in the parent OU

Group policy settings are cumulative if they are compatible with each other. In case they conflict with each other, the GPO processed later takes precedence.

Non-local GPOs are used to CONTROL policies on an Active Directory-based network. A Windows 2000/2003 server needs to be configured as a domain controller on the network to use a non-local GPO. The non-local GPOs must be linked to a site, domain, or organizational unit (OU) to apply group policies to the user or computer objects.

The non-local GPOs are stored in %systemroot%SYSVOLPOLICIESADM, where is the GPO’s globally unique identifier. Two non-local GPOs are created by default when the Active Directory is installed:

1. Default Domain POLICY: This GPO is linked to the domain and it affects all USERS and computers in the domain.

2. Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU and it affects all domain controllers PLACED in this OU. MULTIPLE GPOs.

Non-local GPOs are used to control policies on an Active Directory-based network. A Windows 2000/2003 server needs to be configured as a domain controller on the network to use a non-local GPO. The non-local GPOs must be linked to a site, domain, or organizational unit (OU) to apply group policies to the user or computer objects.

The non-local GPOs are stored in %systemroot%SYSVOLPOLICIESADM, where is the GPO’s globally unique identifier. Two non-local GPOs are created by default when the Active Directory is installed:

1. Default Domain Policy: This GPO is linked to the domain and it affects all users and computers in the domain.

2. Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU and it affects all domain controllers placed in this OU. Multiple GPOs.

Local GPOs are USED to control policies on a local server running Windows 2000/2003 Server. On each Windows 2000/2003 server, a local GPO is stored. The local GPO affects only the computer on which it is stored.

By DEFAULT, only SECURITY Settings nodes are configured. The rest of the settings are either DISABLED or not enabled. The local GPO is stored in the %systemroot%SYSTEM32GROUPPOLICY folder.

Local GPOs are used to control policies on a local server running Windows 2000/2003 Server. On each Windows 2000/2003 server, a local GPO is stored. The local GPO affects only the computer on which it is stored.

By default, only Security Settings nodes are configured. The rest of the settings are either disabled or not enabled. The local GPO is stored in the %systemroot%SYSTEM32GROUPPOLICY folder.

GROUP policy object (GPO) is a collection of group policy settings. It can be CREATED using a Windows UTILITY known as the Group Policy snap-in. GPO affects the user and computer accounts located in sites, domains, and ORGANIZATIONAL UNITS (OUs). The Windows 2000/2003 operating systems support two types of GPOs, local and non-local (Active Directory-based) GPOs.

Group policy object (GPO) is a collection of group policy settings. It can be created using a Windows utility known as the Group Policy snap-in. GPO affects the user and computer accounts located in sites, domains, and organizational units (OUs). The Windows 2000/2003 operating systems support two types of GPOs, local and non-local (Active Directory-based) GPOs.

GROUP policies SPECIFY how PROGRAMS, network resources, and the operating system work for users and computers in an organization. They are collections of user and computer configuration SETTINGS that are applied on the users and computers (not on groups). For better administration of group policies in the Windows environment, the group policy objects (GPOs) are used.

Group policies specify how programs, network resources, and the operating system work for users and computers in an organization. They are collections of user and computer configuration settings that are applied on the users and computers (not on groups). For better administration of group policies in the Windows environment, the group policy objects (GPOs) are used.

Backup of one DOMAIN CONTROLLER can’t be restoring to other domain controller, should be RESTORED to same domain controller.

Backup of one domain controller can’t be restoring to other domain controller, should be restored to same domain controller.

Minimum requirement is to BACK up two DOMAIN controllers in each domain, one should be an operations MASTER role HOLDER DC, no NEED to backup RID Master (relative ID) because RID master should not be restored.

Minimum requirement is to back up two domain controllers in each domain, one should be an operations master role holder DC, no need to backup RID Master (relative ID) because RID master should not be restored.

You can authoritatively restore only OBJECTS from configuration and DOMAIN partition. Authoritative restores of schema-naming CONTEXTS are not SUPPORTED.

You can authoritatively restore only objects from configuration and domain partition. Authoritative restores of schema-naming contexts are not supported.

An authoritative restore is NEXT step of the non-authoritative restore process. We have do non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore has the ability to increment the version number of the ATTRIBUTES of all OBJECTS or an individual object in an entire directory, this will make it authoritative restore an object in the directory. This can be used to restore a single DELETED user/group and event an entire OU.

In a non-authoritative restore, after a domain controller is back online, it will contact its replication partners to determine any changes since the time of the last backup. However the version number of the object attributes that you want to be authoritative will be higher than the existing version NUMBERS of the attribute, the object on the restored domain controller will appear to be more recent and therefore, restored object will be replicated to other domain controllers in the Domain.

An authoritative restore is next step of the non-authoritative restore process. We have do non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore has the ability to increment the version number of the attributes of all objects or an individual object in an entire directory, this will make it authoritative restore an object in the directory. This can be used to restore a single deleted user/group and event an entire OU.

In a non-authoritative restore, after a domain controller is back online, it will contact its replication partners to determine any changes since the time of the last backup. However the version number of the object attributes that you want to be authoritative will be higher than the existing version numbers of the attribute, the object on the restored domain controller will appear to be more recent and therefore, restored object will be replicated to other domain controllers in the Domain.

Just start the domain CONTROLLER in Directory Services RESTORE Mode and PERFORM SYSTEM state restore from backup

Just start the domain controller in Directory Services Restore Mode and perform system state restore from backup

Non-authoritative restore is restore the domain CONTROLLER to its state at the time of backup, and allows normal replication to overwrite RESTORED domain controller with any CHANGES that have occurred after the backup.

After system state restore, domain controller QUERIES its replication partners and GET the changes after backup date, to ensure that the domain controller has an accurate and updated copy of the Active Directory database.

Non-authoritative restore is the default method for restoring Active Directory, just a restore of system state is non-authoritative restore and mostly we use this for Active Directory data loss or corruption.

Non-authoritative restore is restore the domain controller to its state at the time of backup, and allows normal replication to overwrite restored domain controller with any changes that have occurred after the backup.

After system state restore, domain controller queries its replication partners and get the changes after backup date, to ensure that the domain controller has an accurate and updated copy of the Active Directory database.

Non-authoritative restore is the default method for restoring Active Directory, just a restore of system state is non-authoritative restore and mostly we use this for Active Directory data loss or corruption.

1. AUTHORITATIVE RESTORE
2. Non-authoritative restore

System STATE backup will backup the ACTIVE DIRECTORY, NTbackup can be USED to backup active directory.

System state backup will backup the Active Directory, NTbackup can be used to backup active directory.

You can only CONFIGURE the Application PARTITION manually to USE with AD integrated APPLICATIONS.

You can only configure the Application partition manually to use with AD integrated applications.

Schema Partition – It store details about objects and attributes. Replicates to all domain controllers in the FOREST

DN location is CN=Schema,CN=Configuration,DC=Domainname, DC=com

Configuration Partition – It store details about the AD configuration information LIKE, Site, site-link, subnet and other replication topology information. Replicates to all domain controllers in the Forest

DN Location is CN=Configuration,DC=Domainname,DC=com

Domain Partitions – OBJECT information for a domain like user, computer, group, printer and other Domain SPECIFIC information. Replicates to all domain controllers within a domain

DN Location is DC=Domainname,DC=com

Application Partition – information about applications in Active Directory. Like AD integrated DNS is used there are two application partitions for DNS ZONES – ForestDNSZones and DomainDNSZones, see more

Schema Partition – It store details about objects and attributes. Replicates to all domain controllers in the Forest

DN location is CN=Schema,CN=Configuration,DC=Domainname, DC=com

Configuration Partition – It store details about the AD configuration information like, Site, site-link, subnet and other replication topology information. Replicates to all domain controllers in the Forest

DN Location is CN=Configuration,DC=Domainname,DC=com

Domain Partitions – object information for a domain like user, computer, group, printer and other Domain specific information. Replicates to all domain controllers within a domain

DN Location is DC=Domainname,DC=com

Application Partition – information about applications in Active Directory. Like AD integrated DNS is used there are two application partitions for DNS zones – ForestDNSZones and DomainDNSZones, see more

• SCHEMA
• CONFIGURATION
• DOMAIN
• APPLICATION PARTITION

ACTIVE DIRECTORY partition is how and where the AD information logically STORED.

Active Directory partition is how and where the AD information logically stored.

• NTDS.DIT
• EDB.LOG
• EDB.Che
• Res1.log and Res2.log

All AD changes didn’t write DIRECTLY to NTDS.DIT database FILE, first write to EDB.Log and from log file to database, EDB.Che used to track the database UPDATE from log file, to know what changes are copied to database file.

NTDS.DIT: NTDS.DIT is the AD database and store all AD objects, Default location is the %system root%nrdsnrds.dit, Active Directory database engine is the extensible storage engine which us based on the Jet database

EDB.Log: EDB.Log is the transaction log file when EDB.Log is full, it is renamed to EDB Num.log where num is the increasing number starting from 1, like EDB1.Log

EDB.Che: EDB.Che is the checkpoint file used to trace the data not yet written to database file this indicate the starting point from which data is to be recovered from the log file in case if failure

Res1.log and Res2.log: RES is reserved transaction log file which provide the transaction log file enough time to shutdown if the disk didn’t have enough space.

All AD changes didn’t write directly to NTDS.DIT database file, first write to EDB.Log and from log file to database, EDB.Che used to track the database update from log file, to know what changes are copied to database file.

NTDS.DIT: NTDS.DIT is the AD database and store all AD objects, Default location is the %system root%nrdsnrds.dit, Active Directory database engine is the extensible storage engine which us based on the Jet database

EDB.Log: EDB.Log is the transaction log file when EDB.Log is full, it is renamed to EDB Num.log where num is the increasing number starting from 1, like EDB1.Log

EDB.Che: EDB.Che is the checkpoint file used to trace the data not yet written to database file this indicate the starting point from which data is to be recovered from the log file in case if failure

Res1.log and Res2.log: Res is reserved transaction log file which provide the transaction log file enough time to shutdown if the disk didn’t have enough space.

NETDOM QUERY FSMO.

Netdom query FSMO.

• Schema Master
• Domain Naming Master
• Infrastructure Master
• RID Master
• PDC
• Schema Master and Domain Naming Master are forest wide role and only available one on each Forest, Other roles are Domain wide and one for each Domain.
• AD replication is MULTI master replication and change can be DONE in any Domain Controller and will get replicated to others Domain Controllers, except above file roles, this will be flexible single master operations (FSMO), these changes only be done on dedicated Domain Controller so it’s single master replication.

HTTP://www.windowstricks.in/2014/01/can-i-restore-schema-partition.html

http://www.windowstricks.in/2014/01/can-i-restore-schema-partition.html

Domain CONTROLLER is the SERVER which HOLDS the AD database, All AD changes GET replicated to other DC and vise vase.

Domain Controller is the server which holds the AD database, All AD changes get replicated to other DC and vise vase.

TREE is a HIERARCHICAL ARRANGEMENT of windows Domain that SHARE a contiguous name space.

Tree is a hierarchical arrangement of windows Domain that share a contiguous name space.