Sunday, August 30, 2009

Interview Question for active directory and exchange

Exchange Interview Q-n-A

Q.1 What does the .edb and .stm file contain in Exchange 2000?

Answer: The .edb file contains all the folders, tables and indexes for messaging data, and the MAPI messages and attachments.

The .stm file (new to Exchange 2000) contains Internet (MIME) content in its native format.

Note: (*.edb + *.stm) + (*.log) = database. The .edb and .stm files are a pair and must always be backed up, copied or restored together; the transaction logs hold committed changes that have not yet been written into them.

Q.2 Where is the Directory Service database stored in Exchange 5.5?

Answer: Dir.edb, stored by default in the exchsrvr\dsadata folder on each Exchange 5.5 server. Exchange 5.5 has its own directory service; only Exchange 2000 and later keep directory data in Active Directory.

Q.3 Mention the types of Routing Group Connectors in Exchange 2000?

Answer:

A Routing Group is a collection of Exchange servers that communicate with each other directly over the same internal network or reliable connection.

When multiple Routing Groups must be created, each individual group must be connected using one of three available Exchange connector types:

- Routing Group Connector: the default connector type. It can use a single bridgehead server or multiple bridgehead servers for load balancing of message traffic between the two groups.

- SMTP Connector: uses the Simple Mail Transfer Protocol to connect and communicate with remote Routing Groups, non-Exchange mail systems and Internet mail hosts.

- X.400 Connector: limited to a single local and remote host; primarily designed for communication between Exchange and X.400 mail systems.

Mixed Mode

When the Exchange organization is in mixed mode (Exchange 5.5 servers still present), Routing Groups can consist only of servers that were installed directly into the Administrative Group where the Routing Group resides. Servers from other Administrative Groups cannot be added to the Routing Group.

Native Mode

After the organization has been switched to native mode, Exchange servers can be moved between Routing Groups, and a Routing Group in one Administrative Group can contain servers from other Administrative Groups.



Q.4 What are the features of Active Directory in Windows 2000?

Answer: Features of Active Directory in Windows 2000 can be categorised as:

Manageability: Centralized Management, Group Policy, Global Catalog, IntelliMirror Desktop Management, Automated Software Distribution, Active Directory Service Interfaces (ADSI), Backward Compatibility, Delegated Administration, Multi-Master Replication

Security: Kerberos Authentication, Smart Card Support, Transitive Domain Trust, PKI/X.509, LDAP over SSL, Required Authentication Mechanism, Attribute-Level Security, Spanning Security Groups, LDAP ACL Support

Interoperability: DirSync Support, Active Directory Connectors, Open APIs, Native LDAP, DNS Naming, Open Change History, DEA Platform, DEN Platform, Extensible Schema



Q.5 What are the features of Exchange 2003 over Exchange 2000?

Answer:

- Better anti-spam tools: a comprehensive set of connection, recipient and sender filters
- Improved queue management; queues are centralized on a per-server basis
- Smoother integration with IIS
- Enhanced OWA, now including a spell checker and S/MIME support using X.509 certificates
- Outlook Mobile Access (OMA), which functions like OWA for mobile devices
- Cached Exchange Mode in Outlook 2003. Cached mode creates a local data file (.ost) that Outlook uses for all foreground activity; it then synchronizes with the Exchange server in the background.
- Volume Shadow Copy Service (VSS) support for database backup and recovery
- Mailbox Recovery Center
- Recovery Storage Group
- Kerberos authentication between front-end and back-end servers
- Distribution lists can be restricted to authenticated senders, which stops anonymous Internet senders from mailing internal lists
- Move log files and queue data using Exchange System Manager
- Multiple Mailbox Move tool
- Query-based (dynamic) distribution groups
- 1,700 Exchange-specific events monitored through Microsoft Operations Manager (requires Microsoft Operations Manager)
- Deployment and migration tools (ExDeploy)

Q.7 How to restore Group policies?

Answer:

A GPO is a container for policies that are applied on a domain. When you configure a domain, the domain creates a Default Domain Policy for itself. Each GPO that you create has a GUID. When you create a new user-defined GPO, the %SystemRoot%\Sysvol folder contains a folder that has the GUID as its name; this folder represents the newly created GPO. If you accidentally delete a GPO, the corresponding folder is automatically removed from the Sysvol folder. Back up the system state every day so that you can restore the policy files if you accidentally delete the GPO.

Method 1: Copy all the old policy files to a new GPO

To copy all the old policy files to a new GPO, follow these steps.

Note: To copy files from the old GPO to a new GPO, you must have the most recent system state backup that contains the Sysvol folder and the old GPO. Also, you must know the GUID of the old GPO.

1. Restore the system state to an alternative location. To do this, follow these steps:

   a. Restart the computer.
   b. After the basic input/output system (BIOS) information is displayed, press F8.
   c. Use the DOWN ARROW key to select Directory Services Restore Mode (Windows 2000 domain controllers only), and then press ENTER.
   d. Use the UP ARROW key or the DOWN ARROW key to select your computer, and then press ENTER.
   e. Log on by using the local administrative name and password (the Directory Services Restore Mode administrator password set when the DC was promoted, not a domain account).
   f. Create a temporary folder in the %SystemDrive% folder.
   g. Click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup.
   h. Click the Restore tab.
   i. Click the appropriate backup media.
   j. To restore the system state, click to select the System State check box.
   k. In the Restore Files to box, click Alternate location.
   l. Click Browse, select the temporary folder, and then click OK.
   m. Click Start Restore.
   n. When the restore process is complete, restart your computer in normal mode.

2. Use Active Directory Users and Computers to create a new GPO. To do this, follow these steps:

   a. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
   b. Right-click the appropriate domain name, and then click Properties.
   c. Click the Group Policy tab.
   d. Click New to create a new GPO.
   e. Rename the new GPO, and then click Properties.
   f. Note the GUID of the newly created GPO, and then click OK.
   g. Click Close.
   h. Close Active Directory Users and Computers.

3. Copy all the policy files from the temporary folder to the newly created GPO. To do this, follow these steps:

   a. Open the temporary folder that contains the restored system state data, and then locate the following folder: Sys Vol\SystemDriveLetter\Winnt\Sysvol\Domain\Policies
   b. Locate the GUID of the GPO that you want to copy policy files from.
   c. Copy all the policy files from the old GPO.
   d. Locate the GUID of the newly created GPO in the following folder: %SystemRoot%\Sysvol\Sysvol\DomainDirectory\Policies
   e. After you locate the new GPO, replace all the files in the new GPO with the old GPO policy files.
   f. Restart your computer.



Q.8 What is the function of NNTP service in Exchange 2000?

Answer: While installing Exchange 2000, Setup creates a default Network News Transfer Protocol (NNTP) virtual server. You can use this virtual server to host a feed from other news servers.

The default NNTP virtual server can be used to create feeds into a Public Folder for storage (the Internet Newsgroups folder). For other storage media (either a file system or a remote share), you must create a new virtual server.

Network News Transfer Protocol

Because Network News Transfer Protocol (NNTP) is growing in popularity, it would be wise for us to take a brief look at the architecture of this protocol. We'll then discuss the more pragmatic aspects of administering NNTP on your network.

NNTP Architecture

NNTP specifies a way to distribute, query, retrieve, and post news articles on the Internet. A client wanting to retrieve a subset of articles from the database is called a subscriber. NNTP allows a subscriber to request a subset of articles rather than requiring the retrieval of all articles from the database. Before NNTP was developed, two methods of distributing news items were popular: Internet mailing lists and the Usenet news system.

An Internet mailing list, commonly known as a list server, distributes news by the use of distribution e-mail lists. A subscriber sends a message to the distribution list, and the message is e-mailed to all of the members of the list. But sending a separate copy of an e-mail to each subscriber can consume a large amount of disk space, bandwidth, and CPU resources. In addition, it can take from several minutes to several hours for the message to be fully distributed, depending on the size of the list and the physical resources available to propagate it. Maintaining the subscriber list also involves significant administrative effort, unless a third-party program is used to automate this function.

Storing and retrieving messages from a central location instead of sending an email to each subscriber can significantly reduce the use of these resources. The Usenet news system provides this alternative. In addition, Usenet allows a subscriber to select only those messages he or she wants to read and also provides indexing, cross-referencing, and message expiration.

NNTP is modeled on the Usenet news specifications in RFC 850, but it is designed to make fewer demands on the structure, content, and storage of the news articles. It runs as a background service on one host and can accept connections from other hosts on the LAN or over the Internet.

When a subscriber connects to an NNTP server, the subscriber issues the NEWSGROUPS command to determine whether any new newsgroups have been created on the server. If so, the server notifies the subscriber and gives the subscriber the opportunity to subscribe to the new newsgroups. After this, the subscriber is connected to the desired newsgroup and can use the NEWNEWS command to ask the server whether any new articles have been posted since the subscriber's last connection. The subscriber receives a list of new articles from the server and can request transmission of some or all of those articles. Finally, the subscriber can either reply to a news article or post a new article to the server by using the POST command.

NNTP uses TCP for its connections and SMTP-like commands and responses. The default TCP port for NNTP is 119. An NNTP command consists of a command word followed in some cases by parameters, and commands are not case sensitive. Each line can contain only one command and may not exceed 512 characters, including spaces, punctuation and the trailing CR-LF (carriage return/line feed) pair. Commands cannot be continued on the next line. A server should therefore enforce the length limit and reject lines with embedded CR or LF before it interprets the command word, so that one client line can never be executed as two commands.

Responses from the server can take the form of a text response or a status response. Text responses are displayed in the subscriber's client program, whereas status responses are interpreted by the client program before any display occurs.
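The command-line rules and the NEWSGROUPS/NEWNEWS/POST exchange described above, as an added example that is not part of the original page or of any Exchange component: a Python model of a tiny NNTP server that enforces the one-command-per-line and 512-byte limits before parsing. The newsgroups, articles and timestamps are constructed; the reply codes (231, 230, 340, 240, 205, 500, 501) are the RFC 977 codes, which the page does not list; and the group selection for NEWNEWS accepts only an exact group name or "*", not full wildmat patterns.

```python
"""Model of the NNTP command-line rules and NEWSGROUPS/NEWNEWS/POST exchange.

Added example, not Exchange code. Reply codes are the RFC 977 codes; all
newsgroup and article data are constructed. Timestamps are "YYMMDD HHMMSS"
strings, the format NEWSGROUPS/NEWNEWS take as parameters, so comparing
them as strings compares them as dates.
"""

MAX_LINE = 512  # bytes per command line, including the trailing CR LF


class NntpProtocolError(ValueError):
    """A client line that violates the command-line rules."""


def parse_command_line(raw: bytes):
    """Validate one client line and return (COMMAND, [params]).

    Enforced before any parsing: at most 512 bytes including CR LF, exactly
    one command per line (no embedded CR or LF), ASCII only; the command
    word is case-insensitive.
    """
    if len(raw) > MAX_LINE:
        raise NntpProtocolError("line exceeds 512 bytes")
    if not raw.endswith(b"\r\n"):
        raise NntpProtocolError("line must end with CR LF")
    body = raw[:-2]
    if b"\r" in body or b"\n" in body:
        raise NntpProtocolError("only one command per line")
    try:
        parts = body.decode("ascii").split()
    except UnicodeDecodeError as exc:
        raise NntpProtocolError("non-ASCII byte in command line") from exc
    if not parts:
        raise NntpProtocolError("empty command line")
    return parts[0].upper(), parts[1:]


def _text_response(status: str, items) -> str:
    """Multi-line text response: status line, one item per line, then '.'."""
    return status + "\r\n" + "".join(item + "\r\n" for item in items) + "."


class TinyNntpServer:
    """In-memory news store with constructed sample data."""

    def __init__(self):
        self.groups = {"comp.security": "090801 120000",   # name -> created
                       "rec.music": "090815 090000"}
        # message-id -> (group, posted, article text)
        self.articles = {"<1@example.test>": ("comp.security", "090820 100000",
                                              "Subject: hello\r\n\r\nhi\r\n")}
        self.posting = False   # True while a POST body is being received
        self.pending = []

    def handle(self, raw: bytes) -> str:
        """Process one client line and return the server's reply ('' = none)."""
        if self.posting:
            return self._article_line(raw)
        try:
            cmd, args = parse_command_line(raw)
        except NntpProtocolError as exc:
            return f"501 command syntax error: {exc}"
        if cmd == "NEWSGROUPS" and len(args) >= 2:
            since = f"{args[0]} {args[1]}"
            new = [g for g, created in self.groups.items() if created > since]
            return _text_response("231 list of new newsgroups follows", new)
        if cmd == "NEWNEWS" and len(args) >= 3:
            group, since = args[0], f"{args[1]} {args[2]}"
            ids = [mid for mid, (g, posted, _) in self.articles.items()
                   if (group == "*" or g == group) and posted > since]
            return _text_response("230 list of new articles by message-id follows", ids)
        if cmd == "POST":
            self.posting, self.pending = True, []
            return "340 send article to be posted. End with <CR-LF>.<CR-LF>"
        if cmd == "QUIT":
            return "205 closing connection - goodbye!"
        if cmd in ("NEWSGROUPS", "NEWNEWS"):
            return "501 command syntax error: missing date and time"
        return "500 command not recognized"

    def _article_line(self, raw: bytes) -> str:
        """Collect article lines until the lone '.' terminator."""
        if raw == b".\r\n":
            self.posting = False
            mid = f"<{len(self.articles) + 1}@example.test>"
            # Constructed: a real server takes the group from the Newsgroups: header.
            text = b"".join(self.pending).decode("ascii", "replace")
            self.articles[mid] = ("comp.security", "090830 000000", text)
            return "240 article posted ok"
        self.pending.append(raw[1:] if raw.startswith(b"..") else raw)  # dot-unstuffing
        return ""
```

The parser rejects a line such as POST CR LF QUIT CR LF as a single malformed command instead of silently executing two, which is the check that matters when client input reaches the server through a proxy or a feed; a real server also derives the posting group from the article's Newsgroups: header, which this model hard-codes.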

Q.9 What is Recipient Update Service in Exchange 2000?

Answer: Recipient Update Service (RUS) is a very important component of an Exchange installation: it is the RUS that is responsible for updating address lists and e-mail addresses in Active Directory.

A default Exchange organization has two RUS objects:

(a) Enterprise Configuration RUS: responsible for updating the e-mail addresses of the system objects, such as the MTA and the System Attendant.

(b) Domain RUS: responsible for updating the address information of recipient objects in the domain for which it is responsible.

Q.10 What is the function of the Default SMTP Virtual Server in Exchange 2000?

Answer:

SMTP virtual servers play a critical role in mail delivery: they provide the Exchange mechanisms for managing SMTP. The default SMTP virtual server sends messages between servers within a routing group. Additionally, if the server is a domain controller, Active Directory can use this virtual server for SMTP-based directory replication between sites.

An SMTP virtual server is defined by a unique combination of IP address and port number. The default SMTP virtual server listens on all available IP addresses of the server and uses port 25 for inbound connections. A single physical server can host many virtual servers, each bound to a different IP address/port combination.



Q.1 What is the Active Directory?

Ans: Active Directory is the Windows 2000 directory service. It stores information about resources on the network (users, groups, computers, printers, shared folders, services) in a hierarchical, replicated database, and makes it easy for users and administrators to locate, manage and use those resources. It is also the security authority for the domain: authentication (Kerberos, NTLM) and authorization data live in it.

Q.2 Where is the Active Directory database located?

Ans: The Active Directory database is located at "%systemroot%\NTDS\NTDS.DIT". It is based on the Jet (ESE) database engine; its transaction logs (edb*.log) and checkpoint file (edb.chk) are kept in the same folder by default.

Q.3 What is the Active Directory Schema?

Ans: The schema is the set of definitions for every object class and attribute that can be stored in Active Directory. Its key properties:

1. It is dynamically updatable: new classes and attributes can be added while the directory is online (on the Schema Master, by members of Schema Admins).

2. It is dynamically available: once a change has replicated, every domain controller in the forest can use the new definitions without a restart.

3. It is protected by a DACL, so who may read or extend it is controlled like any other directory object.

Q.4 What is LDAP? What is the port for LDAP?

Ans: LDAP (Lightweight Directory Access Protocol) is the method of communication with Active Directory: a directory service protocol used to query and update the directory. LDAP listens on TCP port 389, and LDAP over SSL on port 636; Global Catalog queries use ports 3268 and 3269 (SSL).

Q.5 What is a tree?

Ans: A collection of one or more domains that share a contiguous DNS namespace, such as rallencorp.com with child domains amer.rallencorp.com and emea.rallencorp.com.

Q.6 What is the function of the "%systemroot%\system32\dssec.dat" file?

Ans: To delegate the right to unlock locked user accounts to a user or group in Active Directory, you must first make the right visible in the Delegation of Control wizard.

The %Systemroot%\System32\Dssec.dat file contains filters that control whether a property right is displayed in the Active Directory Users and Computers delegation and security user interface, and whether it is shown as readable and writable. Open Dssec.dat in Notepad and find the [user] section. Within [user], the lockoutTime entry is listed alphabetically. Change the mask from 7 to 0, yielding lockoutTime=0.

NOTE: The mask values appear to be:

0 - Read and write of property unfiltered
1 - Read of property filtered
2 - Write of property filtered
7 - Filter out property.
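Editing dssec.dat by hand is error-prone because the same attribute name (lockoutTime) appears under several object classes and only the [user] entry should change. The following is an added example, not from the original page: a Python helper that rewrites exactly one attribute mask in one section of the file and decodes the mask bits listed above. The file layout assumed (INI-style [class] sections containing attribute=mask lines) is the one the answer describes; the sample file content is constructed.

```python
"""Edit per-class property masks in dssec.dat (added example, not from the page).

Assumed layout, as the answer describes it: INI-style [class] sections with
attribute=mask lines, mask 7 hiding the property from the delegation UI and
0 exposing it for read and write. SAMPLE_DSSEC is constructed.
"""
import re
from typing import Optional

READ_FILTERED = 1    # bit meanings from the answer's mask table
WRITE_FILTERED = 2
HIDDEN = 7

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_ENTRY = re.compile(r"^\s*(?P<attr>[^=\s]+)\s*=\s*(?P<mask>\d+)\s*$")


def describe_mask(mask: int) -> str:
    """Human-readable meaning of a mask value."""
    if mask == 0:
        return "read and write unfiltered"
    if mask == HIDDEN:
        return "filtered out (hidden from the UI)"
    parts = []
    if mask & READ_FILTERED:
        parts.append("read filtered")
    if mask & WRITE_FILTERED:
        parts.append("write filtered")
    return ", ".join(parts) or f"unknown mask {mask}"


def get_mask(text: str, section: str, attribute: str) -> Optional[int]:
    """Return the mask of attribute inside [section], or None if absent."""
    current = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group("name").lower()
            continue
        e = _ENTRY.match(line)
        if (e and current == section.lower()
                and e.group("attr").lower() == attribute.lower()):
            return int(e.group("mask"))
    return None


def set_mask(text: str, section: str, attribute: str, mask: int) -> str:
    """Return dssec.dat text with attribute=mask inside [section].

    Only the matching line in the matching section is rewritten; the same
    attribute under another class (e.g. [computer]) is left alone. If the
    attribute is missing from the section it is appended to that section.
    """
    out, current, done = [], None, False
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            if current == section.lower() and not done:
                out.append(f"{attribute}={mask}")   # append before the next section
                done = True
            current = m.group("name").lower()
            out.append(line)
            continue
        e = _ENTRY.match(line)
        if (e and current == section.lower() and not done
                and e.group("attr").lower() == attribute.lower()):
            out.append(f"{e.group('attr')}={mask}")
            done = True
        else:
            out.append(line)
    if not done:                                    # section was last, or absent
        if current != section.lower():
            out.append(f"[{section}]")
        out.append(f"{attribute}={mask}")
    return "\n".join(out) + "\n"


# Constructed sample; a real dssec.dat lists hundreds of attributes per class.
SAMPLE_DSSEC = """[user]
lockoutTime=7
pwdLastSet=7
[computer]
lockoutTime=7
"""


def expose_lockout_time(text: str = SAMPLE_DSSEC) -> str:
    """The change from the answer: make the user lockoutTime right visible read/write."""
    return set_mask(text, "user", "lockoutTime", 0)
```

Run set_mask against the real file only after taking a copy; the snap-in reads dssec.dat when it starts, so close and reopen Active Directory Users and Computers before looking for the newly exposed right in the Delegation of Control wizard.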
 
 
Q.7 What are the core services in Exchange 5.5? Explain the order of starting the services?

Ans: The services must be started in dependency order: the System Attendant first, then the Directory, the Information Store, the MTA, and finally the connectors and optional services.

       1. System Attendant (SA): "net start msexchangesa"

       2. Directory Service (DS): "net start msexchangeds"

       3. Information Store (IS): "net start msexchangeis"

       4. Message Transfer Agent (MTA): "net start msexchangemta"

       5. Internet Mail Connector/Service (IMC): "net start msexchangeimc"

       6. Event Service (ES): "net start msexchangees"
 
  

Q.8 What is the size of Transaction log file?

Ans: 5 MB (5,242,880 bytes), fixed. Exchange 5.5 names the logs edb.log and edbnnnnn.log; Exchange 2000/2003 use E00.log for the current log of the first storage group and E00nnnnn.log for the filled ones (Exxxx.log in general).

Q.9 IMC service in Exchange 5.5 does not start. Explain the necessary steps you would take to check and resolve the problem?

Ans: 1. Check the Address Space configured on the connector; an incorrectly configured Address Space is a common cause.

2. Use a blank Address Space, which lets the Internet Mail Connector send mail to all recipients and provides a basic configuration on which to build once you know the service works. If you have entered anything in this field, try removing it and see whether the IMC starts. Also check the application event log for the error the service logs when it fails to start.

Q10. What are the core services in Exchange 2000? Explain the process of starting the services?

Ans: The core services, in the order they start, are:

1. Microsoft Exchange System Attendant (MSExchangeSA): starts first; the Information Store depends on it.

2. Microsoft Exchange Information Store (MSExchangeIS).

3. Microsoft Exchange MTA Stacks (MSExchangeMTA).

4. Microsoft Exchange Routing Engine (RESvc).

5. Simple Mail Transfer Protocol (SMTPSvc), hosted by IIS.

6. Network News Transfer Protocol (NNTPSvc), hosted by IIS.

The Routing Engine, SMTP and NNTP services depend on the IIS Admin service (IISADMIN), so it must be running before they can start.

Q11. Explain the hierarchy of the Exchange System Manager console?

Ans: The console tree is rooted at the organization:

   Organisation Name
     -> Global Settings
     -> Recipients
     -> Administrative Groups
     -> Tools

<><>

Q12. What is the latest service pack for Exchange 5.5 and Exchange 2000?

Ans: Exchange 5.5: SP4

Exchange 2000: SP3 (followed by post-SP3 update rollups; there was no SP4 for Exchange 2000)

Exchange 2003: SP2

Q14. What is RUS? Which service is responsible for the RUS?

Ans: The Recipient Update Service (RUS) is a component in the Exchange 2000 System Attendant service. The RUS creates and maintains Exchange 2000-specific attribute values in the Active Directory.

If you create a mailbox for a user, the RUS is responsible for the automatic generation of the user’s Simple Mail Transfer Protocol (SMTP) address and any other proxy addresses that you have defined for your recipients. However, in Active Directory Users and Computers tool, the proxy addresses are not displayed immediately because a short latency period occurs before the Recipient Update Service produces the new e-mail addresses. This latency occurs even if you have configured the RUS to run continuously.

After you install Exchange 2000, two instances of RUS are created:

  1. The enterprise configuration RUS,
  2. The domain RUS

There is only one instance of the enterprise RUS in the organization. You must have a RUS for each domain that contains mailbox-enabled users.

Each instance of the Domain RUS associates one Exchange server (where the RUS runs) with one Windows 2000 or Windows Server 2003 domain controller (where the AD objects are updated).

Only one RUS can be associated with any Active Directory domain controller.

If you have multiple sites, you can also add multiple instances of the RUS for each domain. In this scenario, an instance of the RUS is hosted on a DC in each site, and mailbox creation does not depend on the inter-site replication schedule of the AD.

If you create a new mailbox-enabled user, that user cannot log on to their mailbox until the RUS has generated the new proxy e-mail addresses. If you set the RUS to run on a schedule, that user may have to wait a short period before they can use Exchange.

To update addresses immediately, you can force the RUS to run manually: in Exchange System Manager, right-click the RUS object under Recipients > Recipient Update Services and choose Update Now (or Rebuild to re-evaluate every recipient).

Q15. What is a recipient policy, e-mail address policy and mailbox manager policy?

Ans: Recipient policies are used in Exchange 2000 Server to automatically control the generation of e-mail addresses for recipient objects.

The following are recipient objects:

1. Mail-enabled users

2. Contacts

3. Groups

4. Public Folders.

Recipient policies are similar to the "Site Addressing" feature in Exchange 5.5, but are more flexible. For example, recipient policies allow you to create multiple addresses of a given address type (several SMTP addresses, one of them marked primary).

They provide a set of LDAP-based filter rules. These rules allow you to select the set of recipients to which the recipient policy will apply. The e-mail address part of a recipient policy is what is commonly called the e-mail address policy.

A Mailbox Manager policy (added to recipient policies in Exchange 2000 SP1) is the part of a recipient policy through which the Exchange administrator controls the content of users' mailboxes, for example by reporting, moving or deleting messages older than a given age or larger than a given size.

Recipient policies are a set of configurable rules that run on a schedule (applied by the Recipient Update Service) and evaluate all the messaging-enabled objects in your Active Directory forest. The policy uses the rules to filter all of the objects and to selectively apply e-mail addresses of specific types to those instances that fit the predefined rules.

Q16. What is edb.chk file used for?

Ans: The checkpoint file records how far the transaction log stream has been written into the database: transactions before the checkpoint are already in the .edb/.stm files, transactions after it exist only in the logs and are replayed on recovery. Only logs older than the checkpoint can safely be truncated, which is what an online full backup does.

Q17. What is eseutil /d, eseutil /p, eseutil /g used for?

Ans: 1. Eseutil /d : offline defragmentation (rebuilds the database into a new file; needs free disk space of about 110% of the database size)

2. Eseutil /p : repair (discards pages it cannot read, so data can be lost; a last resort after restoring from backup has failed)

3. Eseutil /g : integrity check (read-only; run it after a repair to confirm the result)

Q17. What is the temp.edb file?

Ans: The file TEMP.EDB is used to store transactions that are in progress. TEMP.EDB is also used for some transient storage during online compaction.

Q18. Explain the “LDIFDE” utility?

Ans: It allows you to import and export Active Directory content in LDIF format. LDIF files are composed of blocks of entries. An entry can add, modify, or delete an object. The first line of an entry is the distinguished name. The second line contains a changetype, which can be add, modify, or delete. If it is an object addition, the rest of the entry contains the attributes that should be initially set on the object (one per line). For object deletions, you do not need to specify any other attributes. And for object modifications, you need to specify at least three more lines. The first should contain the type of modification you want to perform on the object. This can be add (to set a previously unset attribute or to add a new value to a multivalued attribute), replace (to replace an existing value), or delete (to remove a value). The modification type should be followed by a colon and the attribute you want to perform the modification on. The next line should contain the name of the attribute followed by a colon, and the value for the attribute. For example, to replace the last name attribute with the value Smith, you'd use the following LDIF

dn: cn=jsmith,cn=users,dc=rallencorp,dc=com 
changetype: modify
replace: sn
sn: Smith
-

Modification entries must be followed by a line that only contains a hyphen (-). You can put additional modification actions following the hyphen, each separated by another hyphen. Here is a complete LDIF example that adds a jsmith user object and then modifies the givenName and sn attributes for that object:

dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: add
objectClass: user
samaccountname: jsmith
sn: JSmith
useraccountcontrol: 512
 
dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: modify
add: givenName
givenName: Jim
-
replace: sn
sn: Smith
-
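To make the record grammar above concrete, here is an added example, not ldifde and not from the original page: a small Python interpreter that applies LDIF records (add, modify with "-"-separated add/replace/delete groups, and delete) to an in-memory directory, using the answer's own jsmith records as sample input. Attribute names and DNs are lower-cased for comparison because LDAP treats them case-insensitively; base64 (::) and URL (:<) values are not handled.

```python
"""Apply LDIF change records to an in-memory directory (added example, not
ldifde). Implements the grammar the answer describes: a dn line, an optional
changetype, attribute lines, and '-'-separated modification groups. DNs and
attribute names compare case-insensitively; '::' and ':<' values are not handled."""
from typing import Dict, List

Entry = Dict[str, List[str]]


class LdifError(ValueError):
    """Malformed record, or a change the current directory state rejects."""


def _records(text: str) -> List[List[str]]:
    """Split LDIF text into records; blank lines separate, ' ' folds lines."""
    records, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = []
        elif line.startswith("#"):
            continue
        elif line.startswith(" ") and current:   # RFC 2849 continuation line
            current[-1] += line[1:]
        else:
            current.append(line)
    return records + ([current] if current else [])


def _split(line: str):
    """'Name: value' -> ('name', 'value'); attribute names are lower-cased."""
    name, sep, value = line.partition(":")
    if not sep:
        raise LdifError(f"expected 'attribute: value', got {line!r}")
    return name.strip().lower(), value.strip()


def _modify(entry: Entry, body: List[str]) -> None:
    """Apply each '-'-terminated add/replace/delete group of a modify record."""
    group: List[str] = []
    for line in body + ["-"]:                 # a trailing '-' flushes the last group
        if line.strip() != "-":
            group.append(line)
            continue
        if not group:
            continue
        op, attr = _split(group[0])
        attr = attr.lower()
        values = []
        for vline in group[1:]:
            name, value = _split(vline)
            if name != attr:
                raise LdifError(f"{op}: {attr} followed by a value for {name}")
            values.append(value)
        if op == "add":
            entry.setdefault(attr, []).extend(values)
        elif op == "replace":
            entry[attr] = values               # an empty replace clears the attribute
        elif op == "delete":                   # no values: remove the whole attribute
            entry[attr] = [v for v in entry.get(attr, []) if values and v not in values]
        else:
            raise LdifError(f"unknown modification type {op!r}")
        if not entry[attr]:
            del entry[attr]
        group = []


def apply_ldif(directory: Dict[str, Entry], text: str) -> Dict[str, Entry]:
    """Apply every record in text to directory, in order, and return it."""
    for record in _records(text):
        name, dn = _split(record[0])
        if name != "dn":
            raise LdifError("record must start with a dn: line")
        dn, body, changetype = dn.lower(), record[1:], "add"
        if body and _split(body[0])[0] == "changetype":
            changetype, body = _split(body[0])[1].lower(), body[1:]
        if changetype == "add":
            if dn in directory:
                raise LdifError(f"{dn} already exists")
            entry: Entry = {}
            for line in body:
                attr, value = _split(line)
                entry.setdefault(attr, []).append(value)
            directory[dn] = entry
        elif changetype in ("modify", "delete"):
            if dn not in directory:
                raise LdifError(f"{dn} does not exist")
            if changetype == "delete":
                del directory[dn]
            else:
                _modify(directory[dn], body)
        else:
            raise LdifError(f"unknown changetype {changetype!r}")
    return directory


# The answer's own two records, used here as sample input.
SAMPLE_LDIF = """dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: add
objectClass: user
samaccountname: jsmith
sn: JSmith
useraccountcontrol: 512

dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: modify
add: givenName
givenName: Jim
-
replace: sn
sn: Smith
-
"""
```

Running ldifde -i against a domain applies the same semantics for real, so a dry run through apply_ldif on a copy of the affected objects is a cheap way to confirm that a file replaces sn rather than adding a second value, or deletes exactly the objects intended, before it touches production.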

Q13. Explain the anatomy of a Domain, a trust and a forest in Active Directory?

Ans: 1. Anatomy of a Domain: domains are represented by domainDNS objects. Each domain is the root of its own Domain naming context, and each is listed by a crossRef object in the Partitions container of the Configuration NC.

2. Anatomy of a trust: each trust is represented by a trustedDomain object in the System container of the trusting domain; it records the partner domain, the trust type and direction, and the trust secret.

3. Anatomy of a forest: a forest is the set of domains that share one Schema NC and one Configuration NC; the Partitions container in the Configuration NC lists every partition in the forest.

Q14. What are the 3 NC's in a forest?

Ans: 1. The Domain NC (one per domain; the forest root domain's NC is the first one created).

2. The Configuration NC.

3. The Schema NC.

Q15. What are the different partitions associated with a Forest?

Ans: 1. Configuration NC : Contains data that is applicable across all of the domains and, thus, is replicated to all domain controllers in the forest. Some of this data includes the site topology, list of partitions, published services, display specifiers, and extended rights.

2. Schema NC : Contains the objects that describe how data can be structured and stored in Active Directory. The classSchema objects in the Schema NC represent class definitions for objects. The attributeSchema objects describe what data can be stored with classes. The Schema NC is replicated to all domain controllers in a forest.

3. Domain NC : As described earlier, a domain is a naming context that holds domain-specific data including user, group, and computer objects.

4. Application partitions : Configurable partitions that can be rooted anywhere in the forest and can be replicated to any domain controller in the forest. These are not available with Windows 2000.

Q16. After successfully demoting a DC/removing the forest, which commands help determine if all entries have been removed?

Ans:

> netsh wins server \\<WINSServerName> show name <ForestDNSName> 1c

> nslookup <DomainControllerDNSName>

> nslookup -type=SRV _ldap._tcp.gc._msdcs.<ForestDNSName>

> nslookup <ForestDNSName>
 
 
Q17. What are the steps to remove a Domain from a Forest?

Ans: 1. Start from the last DC of the Domain.

2. Run "dcpromo", and select the option "This server is the last domain controller in the domain".

Note: If the domain you want to remove has subdomains, you have to remove the subdomains before proceeding.

3. After all domain controllers have been demoted and depending on how your environment is configured, you may need to remove WINS and DNS entries that were associated with the domain controllers and domain, unless they were automatically removed via WINS deregistration and dynamic DNS during the demotion process.

4. Remove any trusts established for the domain.
 
 

Q18. You want to completely remove a domain that was orphaned because "This server is the last domain controller in the domain" was not selected when demoting the last domain controller, the domain was forcibly removed, or the last domain controller in the domain was decommissioned improperly. Explain the procedure?

Ans: The following ntdsutil commands would forcibly remove the emea.rallencorp.com domain from the rallencorp.com forest. Replace <DomainControllerName> with the hostname of the Domain Naming Flexible Single Master Operation (FSMO) role holder for the forest:

> ntdsutil "meta clean" "s o t" conn "con to server <DomainControllerName>" q q

      metadata cleanup: "s o t" "list domains"

      Found 4 domain(s)
      0 - DC=rallencorp,DC=com
      1 - DC=amer,DC=rallencorp,DC=com
      2 - DC=emea,DC=rallencorp,DC=com
      3 - DC=apac,DC=rallencorp,DC=com

      Select operation target: sel domain 2

      No current site
      Domain - DC=emea,DC=rallencorp,DC=com
      No current server
      No current Naming Context

      Select operation target: q
      metadata cleanup: remove sel domain

You will receive a message indicating whether the removal was successful.

Note: Removing an orphaned domain consists of removing the domain object for the domain (e.g., dc=emea,dc=rallencorp,dc=com), all of its child objects, and the associated crossRef object in the Partitions container. You need to target the Domain Naming FSMO when using the ntdsutil command because that server is responsible for creation and removal of domains.

In the solution, shortcut parameters were used to reduce the amount of typing necessary. If each parameter were typed out fully, the commands would look as follows:

> ntdsutil "metadata cleanup" "select operation target" connections "connect to server <DomainControllerName>" quit quit

      metadata cleanup: "select operation target" "list domains"

      Found 4 domain(s)
      0 - DC=rallencorp,DC=com
      1 - DC=amer,DC=rallencorp,DC=com
      2 - DC=emea,DC=rallencorp,DC=com
      3 - DC=apac,DC=rallencorp,DC=com

      Select operation target: select domain 2

      No current site
      Domain - DC=emea,DC=rallencorp,DC=com
      No current server
      No current Naming Context

      Select operation target: quit
      metadata cleanup: remove selected domain

Q19. You want to find the NetBIOS name of a domain. Although Microsoft has moved to using DNS for primary name resolution, the NetBIOS name of a domain is still important, especially with down-level clients that are still based on NetBIOS instead of DNS for naming. How can you achieve this?

Ans: A. Using Graphical User Interface:

1. Open the Active Directory Domains and Trusts snap-in.

2. Right-click the domain you want to view in the left pane and select Properties.

3. The NetBIOS name will be shown in the "Domain name (pre-Windows 2000)" field.

B. Using a Command-line Interface:

> dsquery * cn=partitions,cn=configuration,<ForestRootDN> -filter "(&(objectcategory=crossref)(dnsroot=<DomainDNSName>)(netbiosname=*))" -attr netbiosname
 

Note: Each domain has a crossRef object that is used by Active Directory to generate referrals. Referrals are necessary when a client performs a query and the directory server handling the request does not have the matching object(s) in its domain. The NetBIOS name of a domain is stored in the domain's crossRef object in the Partitions container in the Configuration NC. Each crossRef object has a dnsRoot attribute, which is the fully qualified DNS name of the domain. The netBIOSName attribute contains the NetBIOS name for the domain.

Q20. You want to rename a domain due to organizational changes or legal restrictions because of an acquisition. Renaming a domain is a very involved process and should be done only when absolutely necessary. Changing the name of a domain can have an impact on everything from DNS, replication, and GPOs to DFS and Certificate Services. A domain rename also requires that all domain controllers and member computers in the domain are rebooted! Is it possible in Windows 2000?

Ans: Under Windows 2000, there is no supported process to rename a domain. There is one workaround for mixed-mode domains in which you revert the domain and any of its child domains back to Windows NT domains. This can be done by demoting all Windows 2000 domain controllers and leaving the Windows NT domain controllers in place. You could then reintroduce Windows 2000 domain controllers and use the new domain name when setting up Active Directory.

A domain rename procedure is supported if a forest is running all Windows Server 2003 domain controllers and is at the Windows Server 2003 forest functional level.

The tool is “rendom.exe”.

Q21. You want to create a one-way or two-way nontransitive trust from an AD domain to a Windows NT domain. How do we create a trust between a Windows NT domain and an AD domain?

Ans. Using a graphical user interface:

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click the domain you want to add a trust for and select Properties.

3. Click on the Trusts tab.

4. Click the New Trust button.

5. After the New Trust Wizard opens, click Next.

6. Type the NetBIOS name of the NT domain and click Next.

7. Assuming the NT domain was resolvable via its NetBIOS name, the next screen will ask for the Direction of Trust. Select Two-way, One-way incoming, or One-way outgoing, and click Next.

8. If you selected Two-way or One-way outgoing, you'll need to select the scope of authentication, which can be either Domain-wide or Selective, and click Next.

9. Enter and re-type the trust password and click Next.

10. Click Next twice to finish.

Using a command-line interface (one command, shown wrapped):

> netdom trust <NT4DomainName> /Domain:<ADDomainName> /ADD [/UserD:<ADDomainName>\<ADUser> /PasswordD:*] [/UserO:<NT4DomainName>\<NT4User> /PasswordO:*] [/TWOWAY]

For example, to create a trust from the NT4 domain RALLENCORP_NT4 to the AD domain RALLENCORP, use the following command:

> netdom trust RALLENCORP_NT4 /Domain:RALLENCORP /ADD /UserD:RALLENCORP\administrator /PasswordD:* /UserO:RALLENCORP_NT4\administrator /PasswordO:*

You can make the trust bidirectional, i.e., two-way, by adding the /TwoWay switch to the example. Keep /PasswordD:* and /PasswordO:* so that netdom prompts for the passwords instead of leaving them in the command history.

Q22. How to create a transitive trust between two AD forests?

Ans: Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click the forest root domain and select Properties.

3. Click on the Trusts tab.

4. Click the New Trust button.

5. After the New Trust Wizard opens, click Next.

6. Type the DNS name of the other AD forest and click Next.

7. Select Forest trust and click Next.

8. Complete the wizard by stepping through the rest of the configuration screens.

Using a command-line interface (one command, shown wrapped):

> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD [/UserD:<Forest2AdminUser> /PasswordD:*] [/UserO:<Forest1AdminUser> /PasswordO:*]

For example, to create a two-way forest trust from the AD forest rallencorp.com to the AD forest othercorp.com, use the following command:

> netdom trust rallencorp.com /Domain:othercorp.com /Twoway /Transitive /ADD /UserD:administrator@othercorp.com /PasswordD:* /UserO:administrator@rallencorp.com /PasswordO:*

Note: A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you would have to set up individual external two-way trusts between every domain in both forests. If you have two forests with three domains each and wanted to set up a fully trusted model, you would need nine individual trusts. Figure 2-4 illustrates how this would look.

Figure 2-4. Trusts necessary for two Windows 2000 forests to trust each other

With a forest trust, you can define a single one-way or two-way transitive trust relationship that extends to all the domains in both forests. You may want to implement a forest trust if you merge or acquire a company and you want all of the new company's Active Directory resources to be accessible for users in your Active Directory environment and vice versa. Figure 2-5 shows a forest trust scenario. To create a forest trust, you need to use accounts from the Enterprise Admins group in each forest.

Figure 2-5. Trust necessary for two Windows Server 2003 forests to trust each other

<><>Q23. You want to create a shortcut trust between two AD domains in the same forest or in different forests. Shortcut trusts can make the authentication process more efficient between two domains in a forest.

Q23. How to View the Trusts for a Domain?

Problem

You want to view the trusts for a domain.

Solution

Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click the domain you want to view and select Properties.

3. Click on the Trusts tab.

Using a command-line interface
> netdom query trust /Domain:<DomainDNSName>
 

Q24. How to Verify a Trust?

Problem

You want to verify that a trust is working correctly. This is the first diagnostic step to take if users notify you that authentication to a remote domain appears to be failing.

Solution

Using a graphical user interface

For the Windows 2000 version of the Active Directory Domains and Trusts snap-in:

1. In the left pane, right-click on the trusting domain and select Properties.

2. Click the Trusts tab.

3. Click the domain that is associated with the trust you want to verify.

4. Click the Edit button.

5. Click the Verify button.

For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in:

1. In the left pane, right-click on the trusting domain and select Properties.

2. Click the Trusts tab.

3. Click the domain that is associated with the trust you want to verify.

4. Click the Properties button.

5. Click the Validate button.

Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose[RETURN]
   [/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
   [/UserD:<TrustedDomainUser> /PasswordD:*]
 
 

Q25. How to Reset a Trust?

Problem

You want to reset a trust password. If you've determined a trust is broken, you need to reset it, which will allow users to authenticate across it again.

Solution

Using a graphical user interface

Follow the same directions as in the previous question (How to Verify a Trust). The option to reset the trust will only be presented if the Verify/Validate did not succeed.

Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset /verbose[RETURN]
   [/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
   [/UserD:<TrustedDomainUser> /PasswordD:*]
 
 
 

Q26. How to Remove a Trust?

Problem

You want to remove a trust. This is commonly done when the remote domain has been decommissioned or access to it is no longer required.

Solution

Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click on the trusting domain and select Properties.

3. Click the Trusts tab.

4. Click on the domain that is associated with the trust you want to remove.

5. Click the Remove button.

6. Click OK.

Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Remove /verbose[RETURN]
   [/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
   [/UserD:<TrustedDomainUser> /PasswordD:*]
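The trust questions above (create, view, verify, reset, remove) each show one netdom command. The following PowerShell is an added example, not code from the cookbook or from this page: it lists every trust of the current domain with the settings that decide what the partner can do here (SID filtering, selective authentication, TGT delegation), then checks each trust's secure channel through the Netlogon TrustMon WMI class, which is the same test netdom trust /Verify runs. It needs the ActiveDirectory module (RSAT) and a DC to query; the domain name in the reset comment is an assumption.

```powershell
# Added example: audit and verify domain trusts. Assumes the ActiveDirectory module
# and that Microsoft_DomainTrustStatus can be read from a DC (it is populated by Netlogon).
Import-Module ActiveDirectory

function Get-TrustAudit {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $t = $_
        # Anything outside the forest can inject SIDs through sIDHistory unless SID filtering
        # is active; without selective authentication its users are Authenticated Users on
        # every computer here; with TGT delegation their tickets may be delegated unconstrained.
        $crossForest = -not $t.IntraForest
        $sidFiltered = $t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware
        $finding = 'ok'
        if ($crossForest -and -not $sidFiltered)                    { $finding = 'NO SID FILTERING' }
        elseif ($crossForest -and -not $t.SelectiveAuthentication) { $finding = 'domain-wide authentication' }
        elseif ($t.TGTDelegation)                                   { $finding = 'TGT delegation allowed over trust' }
        [pscustomobject]@{
            Target                  = $t.Target
            Direction               = $t.Direction
            ForestTransitive        = $t.ForestTransitive
            IntraForest             = $t.IntraForest
            SIDFiltering            = $sidFiltered
            SelectiveAuthentication = $t.SelectiveAuthentication
            TGTDelegation           = $t.TGTDelegation
            Finding                 = $finding
        }
    }
}

function Test-TrustStatus {
    # Microsoft_DomainTrustStatus (namespace root\MicrosoftActiveDirectory) is filled by the
    # same secure-channel check that netdom trust /Verify performs; read it from a DC.
    param([string]$DomainController = [string](Get-ADDomainController -Discover).HostName)
    Get-CimInstance -ComputerName $DomainController -Namespace 'root\MicrosoftActiveDirectory' `
                    -ClassName Microsoft_DomainTrustStatus |
        Select-Object TrustedDomain, TrustIsOk, TrustStatus, TrustStatusString, TrustDirection
}

# Usage: flag weak trusts, then report broken ones (reset them with netdom as in Q25).
Get-TrustAudit | Format-Table -AutoSize
Test-TrustStatus | Where-Object { -not $_.TrustIsOk } | ForEach-Object {
    Write-Warning ("Trust with {0} is broken: {1}" -f $_.TrustedDomain, $_.TrustStatusString)
    # netdom trust rallencorp.com /Domain:$($_.TrustedDomain) /Reset /verbose
}
```

Run it on a DC, or pass -DomainController to Test-TrustStatus. A 'NO SID FILTERING' finding on a cross-forest trust is the one to act on first.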
 

Q27. How to Find Duplicate SIDs in a Domain?

Problem

You want to find any duplicate SIDs in a domain. Generally, you should never find duplicate SIDs in a domain, but it is possible in some situations, such as when the relative identifier (RID) FSMO role owner has to be seized or you are migrating users from Windows NT domains.

Solution

Using a command-line interface

To find duplicate SIDs run the following command, replacing <DomainControllerName> with a domain controller or domain name:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "check dup sid" q q

The following message will be returned:

Duplicate SID check completed successfully. Check dupsid.log for any duplicates

The dupsid.log file will be in the directory where you started ntdsutil.

If you want to delete any objects that have duplicate SIDs, you can use the following command:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "clean dup sid" q q

Like the check command, the clean command will generate a message like the following upon completion:

Duplicate SID cleanup completed successfully. Check dupsid.log for any duplicates

The clean command deletes the objects it finds, so review dupsid.log from a check run before using it.
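ntdsutil checks objectSid. Two related things it does not report are worth checking in the same pass: the same SID appearing on more than one object as seen through LDAP, and a sIDHistory value that carries a privileged SID (the way a migrated or injected account quietly becomes a Domain Admin). The following is an added example, not cookbook code; it needs the ActiveDirectory module, and the well-known RIDs it flags are the standard ones (500 Administrator, 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins, plus BUILTIN\Administrators).

```powershell
# Added example: duplicate objectSid values and privileged sIDHistory entries.
# Assumes the ActiveDirectory module and read access to the domain partition.
Import-Module ActiveDirectory

function Find-DuplicateSid {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # every security principal in the domain partition, grouped by SID string
    Get-ADObject -Server $Domain -LDAPFilter '(objectSid=*)' -Properties objectSid |
        Group-Object -Property { $_.objectSid.Value } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ SID = $_.Name; Objects = ($_.Group.DistinguishedName -join '; ') }
        }
}

function Find-PrivilegedSidHistory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $privilegedRid = 500, 512, 518, 519
    Get-ADObject -Server $Domain -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                $rid = [int](($sid.Value -split '-')[-1])
                # S-1-5-32-544 is BUILTIN\Administrators and has no domain part, so test it by value
                if ($privilegedRid -contains $rid -or $sid.Value -eq 'S-1-5-32-544') {
                    [pscustomobject]@{ Object = $obj.DistinguishedName; HistorySid = $sid.Value; RID = $rid }
                }
            }
        }
}

Find-DuplicateSid | Format-Table -AutoSize
Find-PrivilegedSidHistory | Format-Table -AutoSize
```

Any hit from Find-PrivilegedSidHistory is a finding even when the account itself looks ordinary: the SID in its history is added to its token at logon.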

Q28. How to Find the Domain Controllers for a Domain?

Problem

You want to find the domain controllers in a domain.

Solution

Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.

2. Connect to the target domain.

3. Click on the Domain Controllers OU.

4. The list of domain controllers for the domain will be present in the right pane.

Using a command-line interface
> netdom query dc /Domain:<DomainDNSName>

Q29. How to Find a Domain Controller's Site?

Problem

You need to determine the site of which a domain controller is a member.

Solution

Using a graphical user interface

1. Open LDP and from the menu, select Connection → Connect.

2. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

3. For Port, enter 389.

4. Click OK.

5. From the menu select Connection → Bind.

6. Enter credentials of a domain user.

7. Click OK.

8. From the menu, select Browse → Search.

9. For BaseDN, type the distinguished name of the Sites container (e.g., cn=sites,cn=configuration,dc=rallencorp,dc=com).

10. For Scope, select Subtree.

11. For Filter, enter:

(&(objectcategory=server)(dnsHostName=<DomainControllerDNSName>))

12. Click Run.

The site name is the cn= component that follows cn=Servers in the DN of the server object that is returned.

Using a command-line interface
> nltest /dsgetsite /server:<DomainControllerName>

Q30. How to Move a Domain Controller to a Different Site?

Problem

You want to move a domain controller to a different site.

Solution

Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. In the left pane, expand the site that contains the domain controller.

3. Expand the Servers container.

4. Right-click on the domain controller you want to move and select Move.

5. In the Move Server box, select the site to which the domain controller will be moved and click OK.

Using a command-line interface

When using the dsmove command you must specify the DN of the object you want to move. In this case, it needs to be the distinguished name of the server object for the domain controller. The value for the -newparent option is the distinguished name of the Servers container you want to move the domain controller to.

> dsmove "<ServerDN>" -newparent "<NewServersContainerDN>"

For example, the following command would move dc2 from the Default-First-Site-Name site to the Raleigh site.

> dsmove "cn=dc2,cn=servers,cn=Default-First-Site-Name,cn=sites,cn=configuration,[RETURN]
dc=rallencorp,dc=com" -newparent "cn=servers,cn=Raleigh,cn=sites,cn=configuration,dc=rallencorp,dc=com"

Q31. How to Find the Global Catalog Servers in a Forest?

Problem

You want a list of the global catalog servers in a forest.

Solution

Using a graphical user interface

1. Open LDP and from the menu select Connection → Connect.

2. For Server, enter the name of a DC.

3. For Port, enter 389.

4. Click OK.

5. From the menu select Connection → Bind.

6. Enter credentials of a domain user.

7. Click OK.

8. From the menu select Browse → Search.

9. For BaseDN, type the DN of the Sites container (e.g., cn=sites,cn=configuration,dc=rallencorp,dc=com).

10. For Scope, select Subtree.

11. For Filter, enter (&(objectcategory=ntdsdsa)(options=1)).

12. Click Run.

Note that options is a bit field and bit 1 marks a global catalog, so (options=1) only matches NTDS Settings objects whose value is exactly 1. To match the GC bit regardless of any other bits that are set, use the bitwise AND matching rule: (&(objectcategory=ntdsdsa)(options:1.2.840.113556.1.4.803:=1)).

Using a command-line interface
> dsquery server -forest -isgc

Q32. How to Find Domain Controllers and Global Catalogs via DNS?

Problem

You want to find domain controllers or global catalogs using DNS lookups.

Solution

Domain controllers and global catalog servers are represented in DNS as SRV records. You can query SRV records using nslookup by setting the type to SRV, such as the following:

> nslookup
Default Server:  dns01.rallencorp.com
Address:  10.1.2.3

> set type=SRV

You then need to issue the following query to retrieve all domain controllers for the specified domain.

> _ldap._tcp.<DomainDNSName>

You can issue a similar query to retrieve global catalogs, but since they are forest-wide, the query is based on the forest name.

> _gc._tcp.<ForestDNSName>

You can even find the domain controllers or global catalogs that are in a particular site or that cover a particular site by querying the following:

> _ldap._tcp.<SiteName>._sites.<DomainDNSName>
> _gc._tcp.<SiteName>._sites.<ForestDNSName>

See Recipe 11.18 for more information on site coverage.
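Q28, Q31 and Q32 give two independent views of the same servers: what the directory says is a DC or GC, and what DNS advertises to clients. The two drift apart when a DC is demoted without cleaning up its records, when dynamic registration fails, or when something that is not a DC registers as one. This added example (not cookbook code) compares the two views; it needs the ActiveDirectory and DnsClient modules, and the domain and site names in the usage lines are assumptions.

```powershell
# Added example: compare DC/GC SRV records with the directory's own list of DCs.
# Assumes Resolve-DnsName (DnsClient module) and the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SrvTargets {
    param([string]$Name)
    # SRV answers come back with their glue A records; keep only the SRV rows
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() } |
        Sort-Object -Unique
}

function Compare-DcRegistration {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = (Get-ADForest).RootDomain
    $dnsDc  = @(Get-SrvTargets "_ldap._tcp.$Domain")
    $dnsGc  = @(Get-SrvTargets "_gc._tcp.$forest")
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)
    $dirDc  = @($dcs | ForEach-Object { $_.HostName.ToLower() } | Sort-Object -Unique)
    $dirGc  = @($dcs | Where-Object { $_.IsGlobalCatalog } |
                ForEach-Object { $_.HostName.ToLower() } | Sort-Object -Unique)
    # _gc._tcp is forest-wide, so GCs of other domains belong there; a GC record is only
    # stale if its target is not a DC of any domain in the forest
    $allDc  = @((Get-ADForest).Domains |
                ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
                ForEach-Object { $_.HostName.ToLower() })
    [pscustomobject]@{
        DcMissingLdapSrv = @($dirDc | Where-Object { $dnsDc -notcontains $_ })   # locator cannot find it
        StaleLdapSrv     = @($dnsDc | Where-Object { $dirDc -notcontains $_ })   # record with no DC behind it
        GcMissingGcSrv   = @($dirGc | Where-Object { $dnsGc -notcontains $_ })
        StaleGcSrv       = @($dnsGc | Where-Object { $allDc -notcontains $_ })
    }
}

Compare-DcRegistration -Domain 'rallencorp.com'
# the site-specific names from Q32 answer the same question for one site:
# Get-SrvTargets '_ldap._tcp.Raleigh._sites.rallencorp.com'
```

An entry in StaleLdapSrv or StaleGcSrv deserves a look before it is deleted: a record pointing at a host that is not in the Domain Controllers OU is either leftover from a demotion or a host advertising a service it should not be.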

Q33. How to Find the FSMO Role Holders?

3.25.1 Problem

You want to find the domain controllers that are acting as one of the FSMO roles.

3.25.2 Solution

3.25.2.1 Using a graphical user interface

For the Schema Master:

1. Open the Active Directory Schema snap-in.

2. Right-click on Active Directory Schema in the left pane and select Operations Master.

For the Domain Naming Master:

1. Open the Active Directory Domains and Trusts snap-in.

2. Right-click on Active Directory Domains and Trusts in the left pane and select Operations Master.

For the PDC Emulator, RID Master, and Infrastructure Master:

1. Open the Active Directory Users and Computers snap-in.

2. Make sure you've targeted the correct domain.

3. Right-click on Active Directory Users and Computers in the left pane and select Operations Master.

4. There are individual tabs for the PDC, RID, and Infrastructure roles.

3.25.2.2 Using a command-line interface

In the following command, you can leave out the /Domain option to query the domain you are currently logged on to.

> netdom query fsmo /Domain:<DomainDNSName>

For some reason, this command returns a "The parameter is incorrect" error on Windows Server 2003. Until that is resolved, you can use the dsquery server command shown here, where <Role> can be schema, name, infr, pdc, or rid:

> dsquery server -hasfsmo <Role>

Q34. How to Transfer a FSMO Role?

3.26.1 Problem

You want to transfer a FSMO role to a different domain controller. This may be necessary if you need to take a current FSMO role holder down for maintenance.

3.26.2 Solution

3.26.2.1 Using a graphical user interface

1. Use the same directions as described in Recipe 3.25 (Q33) for viewing a specific FSMO, except target (i.e., right-click and select Connect to Domain Controller) the domain controller you want to transfer the FSMO to before selecting Operations Master.

2. Click the Change button.

3. Click OK twice.

4. You should then see a message stating whether the transfer was successful.

3.26.2.2 Using a command-line interface

The following would transfer the PDC Emulator role to <NewRoleOwner>. To transfer one of the other roles, replace "transfer PDC" with "transfer domain naming master", "transfer infrastructure master", "transfer RID master", or "transfer schema master". A transfer requires the current role holder to be online, because the two DCs agree the hand-over between them.

> ntdsutil roles conn "co t s <NewRoleOwner>" q "transfer PDC" q q

Q35. How to Seize a FSMO Role?

3.27.1 Problem

You need to seize a FSMO role because the current role holder is down and will not be restored.

3.27.2 Solution

3.27.2.1 Using a command-line interface

The following would seize the PDC Emulator role to <NewRoleOwner>:

> ntdsutil roles conn "co t s <NewRoleOwner>" q "seize PDC" q q

Any of the other roles can be seized as well by replacing "seize PDC" in the previous command with one of the following:

· "seize domain naming master"

· "seize infrastructure master"

· "seize RID master"

· "seize schema master"

ntdsutil first attempts a normal transfer and only seizes the role if the current owner does not respond. Once the Schema Master, Domain Naming Master, or RID Master has been seized, the old owner must never be brought back onto the network; it has to be rebuilt, because two DCs holding the same of these roles can hand out conflicting schema changes, domain names, or RID pools (the origin of the duplicate SIDs in Q27).

Q36. How to Find the PDC Emulator FSMO Role Owner via DNS?

3.28.1 Problem

You want to find the PDC Emulator for a domain using DNS.

3.28.2 Solution

3.28.2.1 Using a command-line interface
> nslookup -type=SRV _ldap._tcp.pdc._msdcs.<DomainDNSName>
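The following PowerShell is an added example for Q33 to Q36, not code from the cookbook or this page. It lists the five role holders, checks that each still answers on LDAP, compares the PDC Emulator with the _ldap._tcp.pdc._msdcs record from Q36, and wraps transfer and seize in one function that refuses to seize while the current holder is still reachable, which is the mistake that produces two live owners of a role. It needs the ActiveDirectory module; the DC names in the usage lines are assumptions.

```powershell
# Added example: FSMO status, DNS cross-check, and guarded transfer/seize.
# Assumes the ActiveDirectory and DnsClient modules (Resolve-DnsName, Test-NetConnection).
Import-Module ActiveDirectory

function Get-FsmoStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    $roles = [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
    # what DNS tells clients the PDC is (the record Q36 queries)
    $pdcFromDns = @(Resolve-DnsName -Type SRV -Name "_ldap._tcp.pdc._msdcs.$Domain" -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'SRV' } |
                    ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })
    foreach ($role in $roles.Keys) {
        $holder = [string]$roles[$role]
        $ldapUp = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        $note = ''
        if ($role -eq 'PDCEmulator' -and $pdcFromDns -notcontains $holder.TrimEnd('.').ToLower()) {
            $note = "DNS says PDC is: $($pdcFromDns -join ',')"
        }
        if (-not $ldapUp) { $note = 'holder not answering on 389: transfer will fail, seize needed' }
        [pscustomobject]@{ Role = $role; Holder = $holder; LdapUp = $ldapUp; Note = $note }
    }
}

function Move-FsmoRole {
    param([string]$NewOwner, [string[]]$Role, [switch]$Seize)
    $down = Get-FsmoStatus | Where-Object { $Role -contains $_.Role -and -not $_.LdapUp }
    if ($Seize -and -not $down) {
        throw 'Current holder(s) still reachable: use a transfer, not a seize'
    }
    # -Force turns the operation into a seize; without it the cmdlet does an ordinary transfer
    Move-ADDirectoryServerOperationMasterRole -Identity $NewOwner -OperationMasterRole $Role -Force:$Seize -Confirm:$false
}

Get-FsmoStatus | Format-Table -AutoSize
# Move-FsmoRole -NewOwner 'dc2' -Role PDCEmulator, RIDMaster
# Move-FsmoRole -NewOwner 'dc2' -Role SchemaMaster -Seize
```

A PDC whose DNS record points elsewhere is worth fixing before anything else: password changes are chained to the PDC by name, and a stale record sends them to a DC that no longer holds the role.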

Q37. How to View the Attributes of an Object using LDP?

4.2.1 Problem

You want to view one or more attributes of an object using LDP.

4.2.2 Solution

4.2.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection → Connect.

3. For Server, enter the name of a domain controller or domain that contains the object.

4. For Port, enter 389.

5. Click OK.

6. From the menu, select Connection → Bind.

7. Enter credentials of a user that can view the object (if necessary).

8. Click OK.

9. From the menu, select View → Tree.

10. For BaseDN, type the DN of the object you want to view.

11. For Scope, select Base.

12. Click OK.

4.2.2.2 Using a command-line interface
> dsquery * "<ObjectDN>" -scope base -attr *

For Windows 2000, use this command:

> enumprop "LDAP://<ObjectDN>"

Q38. How to Use LDAP Controls?

4.3.1 Problem

You want to use an LDAP control as part of an LDAP operation.

4.3.2 Solution

4.3.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Options → Controls.

3. For the Windows Server 2003 version of LDP, select the control you want to use under Load Predefined. The control should automatically be added to the list of Active Controls.

For the Windows 2000 version of LDP, you'll need to type the object identifier (OID) of the control under Object Identifier.

4. Enter the value for the control under Value.

5. Select whether the control is server- or client-side under Control Type.

6. Check the box beside Critical if the control is critical.

7. Click the Check-in button.

8. Click OK.

9. At this point, you will need to invoke the LDAP operation (for example, Search) that will use the control. In the dialog box for any operation, be sure that the "Extended" option is checked before initiating the operation.

Q39. How to use LDP for Searching for Objects in a Domain?

4.5.1 Problem

You want to find objects that match certain criteria in a domain.

4.5.2 Solution

4.5.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection → Connect.

3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

4. For Port, enter 389.

5. Click OK.

6. From the menu, select Connection → Bind.

7. Enter credentials of a user.

8. Click OK.

9. From the menu, select Browse → Search.

10. For BaseDN, type the base distinguished name where the search will start.

11. For Scope, select the appropriate scope.

12. For Filter, enter an LDAP filter.

13. Click Run.

4.5.2.2 Using a command-line interface
> dsquery * <BaseDN> -scope <Scope> -filter "<Filter>" -attr "<AttrList>"

Q40. How to use LDP for searching the Global Catalog?

4.6.1 Problem

You want to perform a forest-wide search using the global catalog.

4.6.2 Solution

4.6.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection → Connect.

3. For Server, enter the name of a global catalog server.

4. For Port, enter 3268.

5. Click OK.

6. From the menu, select Connection → Bind.

7. Enter credentials of a user.

8. Click OK.

9. From the menu, select Browse → Search.

10. For BaseDN, type the base distinguished name where to start the search.

11. For Scope, select the appropriate scope.

12. For Filter, enter an LDAP filter.

13. Click Run.

4.6.2.2 Using a command-line interface
> dsquery * <BaseDN> -gc -scope <Scope> -filter "<Filter>" -attr "<AttrList>"
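Q37 to Q40 walk through the same LDAP search in LDP four times with different ports, scopes and controls. The following is an added example, not code from the cookbook or this page, that does the search from PowerShell with System.DirectoryServices.Protocols, because that is the API that lets you attach the controls Q38 describes: the paged-results control (OID 1.2.840.113556.1.4.319), without which a DC truncates results at its MaxPageSize, and the Show Deleted control (1.2.840.113556.1.4.417), without which tombstones are never returned. Port 3268 selects the global catalog as in Q40. Server names, base DN and filters are assumptions.

```powershell
# Added example: LDAP search with controls via System.DirectoryServices.Protocols.
# Assumes a reachable DC/GC and an account that can bind with Negotiate (Kerberos/NTLM).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Invoke-LdapSearch {
    param(
        [string]$Server,                                   # 'host:389', or 'host:3268' for the GC
        [string]$BaseDN,
        [string]$Filter = '(objectClass=*)',
        [string[]]$Attributes = @('*'),
        [System.DirectoryServices.Protocols.SearchScope]$Scope = 'Subtree',
        [switch]$ShowDeleted,
        [int]$PageSize = 500
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # sign and seal the session: no cleartext simple bind,
    $conn.SessionOptions.Sealing = $true   # and a relayed NTLM auth cannot be used against LDAP
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()
    try {
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDN, $Filter, $Scope, $Attributes)
        $page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
        [void]$req.Controls.Add($page)
        if ($ShowDeleted) {
            # DirectoryControl(oid, value, isCritical, serverSide): critical, so a server that
            # does not honour it fails the search instead of silently returning live objects only
            $ctl = New-Object System.DirectoryServices.Protocols.DirectoryControl('1.2.840.113556.1.4.417', $null, $true, $true)
            [void]$req.Controls.Add($ctl)
        }
        do {
            $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
            foreach ($e in $resp.Entries) {
                $row = [ordered]@{ DN = $e.DistinguishedName }
                foreach ($name in $e.Attributes.AttributeNames) {
                    $row[$name] = ($e.Attributes[$name].GetValues([string])) -join ';'
                }
                [pscustomobject]$row
            }
            # the server hands back a cookie while more pages remain; send it back on the next round
            $pageResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
            $page.Cookie = if ($pageResp) { $pageResp.Cookie } else { [byte[]]@() }
        } while ($page.Cookie.Length -gt 0)
    }
    finally { $conn.Dispose() }
}

# Forest-wide GC search on 3268: enabled user accounts (userAccountControl bit 2 clear)
Invoke-LdapSearch -Server 'gc01.rallencorp.com:3268' -BaseDN 'dc=rallencorp,dc=com' `
    -Filter '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -Attributes sAMAccountName, userPrincipalName | Format-Table -AutoSize

# Tombstones in a domain, which the same search without the control never returns
Invoke-LdapSearch -Server 'dc01.rallencorp.com:389' -BaseDN 'dc=rallencorp,dc=com' `
    -Filter '(isDeleted=TRUE)' -ShowDeleted -Attributes isDeleted, lastKnownParent, whenChanged
```

The bitwise filter on userAccountControl is the same matching-rule OID noted under Q31; it is how you test one flag of any bit-field attribute.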

Q41. How to Delegate Control of an OU?

5.9.1 Problem

You want to delegate administrative access of an OU to allow a group of users to manage objects in the OU.

5.9.2 Solution

5.9.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.

2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.

3. In the left pane, browse to the target OU, right-click on it, and select Delegate Control.

4. Select the users and/or groups to delegate control to by using the Add button and click Next.

5. Select the type of privilege to grant the users/groups and click Next.

6. Click Finish.

5.9.2.2 Using a command-line interface

ACLs can be set via a command-line with the dsacls utility from the Support Tools. See Recipe 14.10 for more information.
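An added example for the dsacls route the page points at (not cookbook code): it grants a help-desk group the narrow right the wizard calls "Reset user passwords" on one OU, then audits that OU's ACL for the rights that amount to full control of everything beneath it (GenericAll, WriteDacl, WriteOwner, and unrestricted WriteProperty or ExtendedRight), which a delegation review expects to see only on the built-in administrative identities. The OU and group names are assumptions, and so is the use of the current user's domain for the expected identities. It needs the ActiveDirectory module for the AD: drive.

```powershell
# Added example: delegate with dsacls, then audit the OU's ACL for over-broad rights.
# Assumes dsacls.exe on the path and the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

function Grant-PasswordResetOnOu {
    param([string]$OuDN, [string]$Group)   # e.g. 'RALLENCORP\HelpDesk'
    # /I:S inherits to child objects only; CA = control access right, limited to user objects
    & dsacls.exe $OuDN /I:S /G "${Group}:CA;Reset Password;user"
    # read/write pwdLastSet lets them tick "must change password at next logon"
    & dsacls.exe $OuDN /I:S /G "${Group}:RPWP;pwdLastSet;user"
}

function Get-DangerousOuAces {
    param([string]$OuDN)
    $acl      = Get-Acl -Path ("AD:\" + $OuDN)
    $danger   = 'GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight', 'GenericWrite'
    $expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ', '
        $hit = @($rights | Where-Object { $danger -contains $_ })
        if (-not $hit.Count) { continue }
        # WriteProperty/ExtendedRight scoped to one GUID (e.g. Reset Password) is a narrow
        # delegation; an empty GUID means every property or every control access right
        $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'ALL' } else { $ace.ObjectType.ToString() }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Rights      = ($hit -join ',')
            ObjectType  = $scope
            IsInherited = $ace.IsInherited
        }
    }
}

Grant-PasswordResetOnOu -OuDN 'OU=Sales,DC=rallencorp,DC=com' -Group 'RALLENCORP\HelpDesk'
Get-DangerousOuAces -OuDN 'OU=Sales,DC=rallencorp,DC=com' | Format-Table -AutoSize
```

After the grant, the help-desk group should appear in the audit with ExtendedRight and WriteProperty scoped to specific GUIDs, not ALL; an ALL-scoped WriteProperty or GenericAll on an OU that contains admin accounts is a path to those accounts.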

Q42. How to Link a GPO to an OU?

5.11.1 Problem

You want to apply the settings in a GPO to the users and/or computers within an OU, also known as linking the GPO to the OU.

5.11.2 Solution

5.11.2.1 Using a graphical user interface

1. Open the Group Policy Management (GPMC) snap-in.

2. Expand Forest in the left pane.

3. Expand Domain and navigate down to the OU in the domain you want to link the GPO to.

4. Right-click on the OU and select either Create and Link a GPO Here (if the GPO does not already exist) or Link an Existing GPO (if you have already created the GPO).

Q43. How to Create a Site?

11.1.1 Problem

You want to create a site.

11.1.2 Solution

11.1.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. Right-click on the Sites container and select New Site.

3. Beside Name, enter the name of the new site.

4. Under Link Name, select a site link for the site.

5. Click OK twice.

11.1.2.2 Using a command-line interface

Create an LDIF file called create_site.ldf with the following contents:

dn: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: site

dn: cn=Licensing Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: licensingSiteSettings

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: nTDSSiteSettings

dn: cn=Servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: serversContainer

then run the following command:

> ldifde -v -i -f create_site.ldf

Q44. How to Create a Subnet?

11.4.1 Problem

You want to create a subnet.

11.4.2 Solution

11.4.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. Right-click on the Subnets container and select New Subnet.

3. Enter the Address and Mask and then select which site the subnet is part of.

4. Click OK.

11.4.2.2 Using a command-line interface

Create an LDIF file called create_subnet.ldf with the following contents:

dn: cn=<Subnet>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: subnet
siteObject: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>

then run the following command:

> ldifde -v -i -f create_subnet.ldf

Q45. How to Create a Site Link?

11.7.1 Problem

You want to create a site link to connect two or more sites together.

11.7.2 Solution

11.7.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. Expand the Sites container.

3. Expand the Inter-Site Transports container.

4. Right-click on IP (or SMTP) and select New Site Link.

5. For Name, enter the name for the site link.

6. Under Sites not in this site link, select at least two sites and click the Add button.

7. Click OK.

11.7.2.2 Using a command-line interface

The following LDIF would create a site link connecting the SJC and Dallas sites. The sites that belong to a site link are held in its multi-valued siteList attribute (siteObject is the single-valued attribute of a subnet, as in Q44):

dn: cn=Dallas-SJC,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: siteLink
siteList: cn=SJC,cn=sites,cn=configuration,<ForestRootDN>
siteList: cn=Dallas,cn=sites,cn=configuration,<ForestRootDN>

If the LDIF file were named create_site_link.ldf, you'd then run the following command:

> ldifde -v -i -f create_site_link.ldf

Q46. How to Create a Site Link Bridge?

11.12.1 Problem

You want to create a site link bridge because you've disabled site link transitivity.

11.12.2 Solution

11.12.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. In the left pane, expand Sites → Inter-Site Transports.

3. Right-click either the IP or SMTP folder depending which protocol you want to create a site link bridge for.

4. Select New Site Link Bridge.

5. Highlight two or more site links in the left box.

6. Click the Add button.

7. Click OK.

11.12.2.2 Using a command-line interface

Create an LDIF file called create_site_link_bridge.ldf with the following contents, where <Link1> and <Link2> refer to the site links to be bridged:

dn: cn=<BridgeName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: siteLinkBridge
siteLinkList: cn=<Link1>,cn=IP,cn=Inter-site Transports,cn=sites,cn=configuration,<ForestRootDN>
siteLinkList: cn=<Link2>,cn=IP,cn=Inter-site Transports,cn=sites,cn=configuration,<ForestRootDN>

Then run the following command:

> ldifde -v -i -f create_site_link_bridge.ldf
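Q43 to Q46 build the site topology object by object with LDIF. The following added example (not cookbook code) does the same with the ActiveDirectory module cmdlets and adds the one check ldifde will not do for you: it refuses a subnet that overlaps a prefix already mapped to a site, because an overlapping subnet silently steers clients, and their authentication traffic, to the wrong site's DCs. Site names, the prefix and the link parameters are assumptions.

```powershell
# Added example: create site, subnet, site link (and optionally a bridge) with an
# overlap check on the subnet. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PrefixKey {
    # The first $Bits bits of an address, as a comparable string (works for IPv4 and IPv6)
    param([ipaddress]$Ip, [int]$Bits)
    $bytes = $Ip.GetAddressBytes()
    $masked = for ($i = 0; $i -lt $bytes.Length; $i++) {
        $keep = [Math]::Max(0, [Math]::Min(8, $Bits - 8 * $i))
        $bytes[$i] -band ((0xFF -shl (8 - $keep)) -band 0xFF)
    }
    $masked -join '.'
}

function Test-SubnetConflict {
    param([string]$Prefix)   # e.g. '10.2.0.0/16'
    $newAddr = [ipaddress](($Prefix -split '/')[0])
    $newBits = [int](($Prefix -split '/')[1])
    foreach ($s in Get-ADReplicationSubnet -Filter *) {
        $addr, $bits = $s.Name -split '/'
        $ip = $addr -as [ipaddress]
        if (-not $ip -or $ip.AddressFamily -ne $newAddr.AddressFamily) { continue }
        # two prefixes overlap when they agree on the shorter of the two prefix lengths
        $n = [Math]::Min($newBits, [int]$bits)
        if ((Get-PrefixKey $newAddr $n) -eq (Get-PrefixKey $ip $n)) {
            [pscustomobject]@{ Existing = $s.Name; Site = $s.Site }
        }
    }
}

function New-SiteTopology {
    param([string]$Site, [string]$Subnet, [string]$PeerSite, [string]$LinkName,
          [int]$Cost = 100, [int]$Minutes = 15)
    $conflict = @(Test-SubnetConflict -Prefix $Subnet)
    if ($conflict.Count) { throw "Subnet $Subnet overlaps $($conflict.Existing -join ', ')" }
    New-ADReplicationSite -Name $Site
    New-ADReplicationSubnet -Name $Subnet -Site $Site
    New-ADReplicationSiteLink -Name $LinkName -SitesIncluded $Site, $PeerSite -Cost $Cost `
        -ReplicationFrequencyInMinutes $Minutes -InterSiteTransportProtocol IP
}

New-SiteTopology -Site 'Raleigh' -Subnet '10.2.0.0/16' -PeerSite 'Dallas' -LinkName 'Raleigh-Dallas'
# Only needed when site link transitivity has been turned off (Q46):
# New-ADReplicationSiteLinkBridge -Name 'Raleigh-Dallas-SJC' -SiteLinksIncluded 'Raleigh-Dallas', 'Dallas-SJC'
```

Test-SubnetConflict on its own is also a useful audit: run it against each existing subnet name to find prefixes that already overlap in the Subnets container.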

Q47. How to Find the Bridgehead Servers for a Site?

11.13.1 Problem

You want to find the bridgehead servers for a site.

11.13.2 Solution

11.13.2.1 Using a graphical user interface

1. Open the Replication Monitor from the Support Tools (replmon.exe).

2. From the menu, select View → Options.

3. In the left pane, right-click on Monitored Servers and select Add Monitored Server.

4. Use the Add Monitored Server Wizard to add a server in the site you want to find the bridgehead server(s) for.

5. In the left pane, right-click on the server and select Show BridgeHead Servers → In This Server's Site.

11.13.2.2 Using a command-line interface
> repadmin /bridgeheads [<ServerName>] [/verbose]

The /bridgeheads option is valid only with the Windows Server 2003 version of repadmin. There is no such option in the Windows 2000 version.

Q48. How to Move a Domain Controller to a Different Site?

Problem

You want to move a domain controller to a different site. This may be necessary if you promoted the domain controller without first adding its subnet to Active Directory. In that case, the domain controller will be added to the Default-First-Site-Name site.

Solution

Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. In the left pane, expand Sites, expand the site where the server you want to move is contained, and expand the Servers container.

3. Right-click on the server you want to move and select Move.

4. Select the site to move the server to.

5. Click OK.

Using a command-line interface
> dsmove "cn=<ServerName>,cn=servers,cn=<CurrentSite>,[RETURN]
cn=sites,cn=configuration,<ForestRootDN>" -newparent "cn=servers,cn=<NewSite>,[RETURN]
cn=sites,cn=configuration,<ForestRootDN>"

Q49. How to Configure a Domain Controller to Cover Multiple Sites?

11.17.1 Problem

You want to configure a domain controller to cover multiple sites, which will cause clients in those sites to use that domain controller for authentication and directory lookups.

11.17.2 Solution

11.17.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. In the left pane, expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → Netlogon → Parameters.

3. If the SiteCoverage value does not exist, right-click on Parameters in the left pane and select New → Multi-String Value. For the name, enter SiteCoverage.

4. In the right pane, double-click on the value and, on a separate line each, enter the sites the server should cover.

5. Click OK.

11.17.2.2 Using a command-line interface
> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v[RETURN]
"SiteCoverage" /t REG_MULTI_SZ /d <Site1>\0<Site2>

Q50. How to Trigger the KCC?

11.27.1 Problem

You want to trigger the KCC.

11.27.2 Solution

11.27.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. In the left pane, browse to the NTDS Settings object for the server you want to trigger the KCC for.

3. Right-click on NTDS Settings, select All Tasks, and Check Replication Topology.

4. Click OK.

11.27.2.2 Using a command-line interface
> repadmin /kcc <DomainControllerName>

Q51. How to Determine if the KCC Is Completing Successfully?

11.28.1 Problem

You want to determine if the KCC is completing successfully.

11.28.2 Solution

11.28.2.1 Using a graphical user interface

1. Open the Event Viewer of the target domain controller.

2. Click on the Directory Service log.

3. In the right pane, click on the Source heading to sort by that column.

4. Scroll down to view any events with Source: NTDS KCC.

11.28.2.2 Using a command-line interface

The following command will display any KCC errors found in the Directory Service log:

> dcdiag /v /test:kccevent /s:<DomainControllerName>

Q52. How to Disable the KCC for a Site?

11.29.1 Problem

You want to disable the KCC for a site and generate your own replication connections between domain controllers.

11.29.2 Solution

11.29.2.1 Using a graphical user interface

1. Open ADSI Edit.

2. Connect to the Configuration Naming Context if it is not already displayed.

3. In the left pane, browse the Configuration Naming Context → Sites.

4. Click on the site you want to disable the KCC for.

5. In the right pane, double-click CN=NTDS Site Settings.

6. Modify the options attribute. To disable only intra-site topology generation, set the 00001 bit (decimal 1). To disable inter-site topology generation, set the 10000 bit (decimal 16). To disable both, set the 10001 bits (decimal 17). options is a bit field, so OR these into the current value rather than overwriting it; writing the bare number clears any other flag the site already had set.

7. Click OK.

11.29.2.2 Using a command-line interface

You can disable the KCC for <SiteName> by using the ldifde utility and an LDIF file that contains the following:

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: <OptionsValue>
-

If the LDIF file were named disable_kcc.ldf, you would run the following command:

> ldifde -v -i -f disable_kcc.ldf
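The LDIF above replaces the whole options value. This added example (not cookbook code) sets or clears only the two KCC bits on a site's NTDS Site Settings, leaving any other flags in the bit field untouched, and then does what Q50 and Q51 describe: triggers the KCC on a DC and pulls any NTDS KCC errors or warnings from the Directory Service log. Site and DC names are assumptions; it needs the ActiveDirectory module and repadmin.

```powershell
# Added example: bit-safe KCC enable/disable per site, then trigger and check the KCC.
# Assumes the ActiveDirectory module, repadmin.exe, and remote event log access to the DC.
Import-Module ActiveDirectory

$OPT_INTRA_DISABLED = 0x01   # NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED
$OPT_INTER_DISABLED = 0x10   # NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED

function Set-SiteKccState {
    param([string]$Site, [switch]$DisableIntraSite, [switch]$DisableInterSite, [switch]$Enable)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=NTDS Site Settings,CN=$Site,CN=Sites,$cfg"
    $obj = Get-ADObject -Identity $dn -Properties options
    $cur = [int]($obj.options | Select-Object -First 1)   # attribute absent -> 0
    $new = $cur
    if ($Enable)           { $new = $new -band (-bnot ($OPT_INTRA_DISABLED -bor $OPT_INTER_DISABLED)) }
    if ($DisableIntraSite) { $new = $new -bor $OPT_INTRA_DISABLED }
    if ($DisableInterSite) { $new = $new -bor $OPT_INTER_DISABLED }
    if ($new -ne $cur) { Set-ADObject -Identity $dn -Replace @{ options = $new } }
    [pscustomobject]@{
        Site         = $Site
        Before       = $cur
        After        = $new
        IntraSiteKcc = -not ($new -band $OPT_INTRA_DISABLED)
        InterSiteKcc = -not ($new -band $OPT_INTER_DISABLED)
    }
}

function Test-KccHealth {
    param([string]$DomainController, [int]$Minutes = 60)
    & repadmin.exe /kcc $DomainController | Out-Null       # same as Q50
    # The events dcdiag /test:kccevent reads: critical, error and warning from source NTDS KCC
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Directory Service'; ProviderName = 'NTDS KCC'; Level = 1, 2, 3
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Set-SiteKccState -Site 'Raleigh' -DisableInterSite    # hand-built inter-site connections, intra-site stays automatic
Test-KccHealth -DomainController 'dc2.rallencorp.com'
Set-SiteKccState -Site 'Raleigh' -Enable
```

The Before/After columns make the change reviewable; if Before is not 0, 1, 16 or 17 the site already carries another flag, which the plain LDIF replace would have erased.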

Q53. How to Change the Interval at Which the KCC Runs?

11.30.1 Problem

You want to change the interval at which the KCC runs.

11.30.2 Solution

11.30.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Parameters.

3. Right-click on Parameters and select New → DWORD Value.

4. Enter the following for the name: Repl topology update period (secs).

5. Double-click on the new value and under Value data enter the KCC interval in number of seconds (900 is the default).

6. Click OK.

11.30.2.2 Using a command-line interface
> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Repl topology[RETURN]
update period (secs)" /t REG_DWORD /d <NumSecs>

Q54. How to Determine if Two Domain Controllers Are in Sync?

12.1.1 Problem

You want to determine if two domain controllers are in sync and have no objects to replicate to each other.

12.1.2 Solution

12.1.2.1 Using a command-line interface

By running the following two commands you can compare the up-to-dateness vector on the two DCs:

> repadmin /showutdvec <DC1Name> <NamingContextDN>
> repadmin /showutdvec <DC2Name> <NamingContextDN>

The Windows 2000 version of repadmin used a different syntax to accomplish the same thing. Here is the equivalent syntax:

> repadmin /showvector <NamingContextDN> <DC1Name>
> repadmin /showvector <NamingContextDN> <DC2Name>

Q55. How to View the Replication Status of Several Domain Controllers?

12.2.1 Problem

You want to take a quick snapshot of replication activity for one or more domain controllers.

12.2.2 Solution

12.2.2.1 Using a command-line interface

The following command will show the replication status of all the domain controllers in the forest:

> repadmin /replsum

You can also use * as a wildcard character to view the status of a subset of domain controllers. The following command will display the replication status of only the servers whose names begin with dc-rtp:

> repadmin /replsum dc-rtp*

Q56. How to View Unreplicated Changes Between Two Domain Controllers?

12.3.1 Problem

You want to find the unreplicated changes between two domain controllers.

12.3.2 Solution

12.3.2.1 Using a graphical user interface

1. Open the Replication Monitor from the Support Tools (replmon.exe).

2. From the menu, select View → Options.

3. On the General tab, check the box beside Show Transitive Replication Partners and Extended Data.

4. Click OK.

5. In the left pane, right-click on Monitored Servers and select Add Monitored Server.

6. Use the Add Monitored Server Wizard to add one of the domain controllers you want to compare (I'll call it dc1).

7. In the left pane, under the server you just added, expand the naming context that you want to check for unreplicated changes.

8. Right-click on the other domain controller you want to compare (I'll call it dc2) and select Check Current USN and Un-replicated Objects.

9. Enter credentials if necessary and click OK.

10. If some changes have not yet replicated from dc2 to dc1, a box will pop up that lists the unreplicated objects.

11. To find out what changes have yet to replicate from dc1 to dc2, repeat the same steps except add dc2 as a monitored server and check for unreplicated changes against dc1.

12.3.2.2 Using a command-line interface

Run the following two commands to find the differences between two domain controllers. Use the /statistics option to view a summary of the changes:

> repadmin /showchanges <DC1Name> <DC2GUID> <NamingContextDN>
> repadmin /showchanges <DC2Name> <DC1GUID> <NamingContextDN>

The Windows 2000 version of repadmin has a different syntax to accomplish the same thing. Here is the equivalent syntax:

> repadmin /getchanges <NamingContextDN> <DC1Name> <DC2GUID>
> repadmin /getchanges <NamingContextDN> <DC2Name> <DC1GUID>

Q57. How to Force Replication from One Domain Controller to Another?

12.4.1 Problem

You want to force replication between two partners.

12.4.2 Solution

12.4.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. Browse to the NTDS Settings object for the domain controller you want to replicate to.

3. In the right pane, right-click on the connection object to the domain controller you want to replicate from and select Replicate Now.

12.4.2.2 Using a command-line interface

The following command will perform a replication sync of the naming context specified by <NamingContextDN> from <DC2Name> (the source) to <DC1Name> (the destination):

> repadmin /replicate <DC1Name> <DC2Name> <NamingContextDN>

The Windows 2000 version of repadmin has a different syntax to accomplish the same thing. Here is the equivalent syntax:

> repadmin /sync <NamingContextDN> <D1Name> <DC2GUID>
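Q54 to Q57 are the commands you run one pair of DCs at a time. The following added example (not cookbook code) turns `repadmin /showrepl * /csv` into objects so that the whole forest can be checked in one pass: every inbound partnership with a failure count, a last-failure status, or a last success older than a threshold is reported, and the failing pairs can be pushed through `repadmin /replicate` exactly as Q57 describes. The CSV column names are the ones repadmin emits; the age threshold is an assumption.

```powershell
# Added example: forest-wide replication failure report from repadmin's CSV output,
# with an optional forced sync for the failing pairs. Assumes repadmin.exe on the path.
function Get-ReplicationFailure {
    param([string]$DsaList = '*', [int]$MaxAgeHours = 3)
    $rows = & repadmin.exe /showrepl $DsaList /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $fails  = [int]$r.'Number of Failures'
        $lastOk = $null
        $parsed = [datetime]::MinValue
        # the column is empty or non-date when the partner has never replicated successfully
        if ([datetime]::TryParse($r.'Last Success Time', [ref]$parsed)) { $lastOk = $parsed }
        $stale = (-not $lastOk) -or ($lastOk -lt (Get-Date).AddHours(-$MaxAgeHours))
        if ($fails -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                SourceSite    = $r.'Source DSA Site'
                NamingContext = $r.'Naming Context'
                Failures      = $fails
                LastSuccess   = $lastOk
                LastStatus    = $r.'Last Failure Status'
            }
        }
    }
}

function Repair-ReplicationPair {
    param([Parameter(ValueFromPipeline)]$Failure)
    process {
        # repadmin /replicate <destination> <source> <NC>: pull the NC from source into destination (Q57)
        & repadmin.exe /replicate $Failure.Destination $Failure.Source $Failure.NamingContext
    }
}

$bad = Get-ReplicationFailure
$bad | Format-Table -AutoSize
# $bad | Repair-ReplicationPair
```

A partnership that keeps failing after a forced sync, or a LastStatus that is an access-denied or RPC error rather than a transient one, is the point at which to go back to Q51 on the destination and check the secure channel of the source.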

Q58. How to Change the Intra-Site Replication Interval?

12.5.1 Problem

You want to change the number of seconds that a domain controller in a site waits before replicating within the site.

12.5.2 Solution

12.5.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Parameters.

3. If a value entry for Replicator notify pause after modify (secs) does not exist, right-click on Parameters and select New → DWORD Value. For the name, enter: Replicator notify pause after modify (secs).

4. Double-click on the value and enter the number of seconds to wait before notifying intra-site replication partners.

5. Click OK.

12.5.2.2 Using a command-line interface

With the following command, change <NumSeconds> to the number of seconds to set the intra-site replication delay to:

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Replicator[RETURN]
notify pause after modify (secs)" /t REG_DWORD /d <NumSeconds>

Q58. How to Change the Inter-Site Replication Interval?

12.6.1 Problem

You want to set the schedule for replication for a site link.

12.6.2 Solution

These solutions assume the IP transport, but the SMTP transport could be used as well.

12.6.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. Expand the Inter-Site Transports container.

3. Click on the IP container.

4. In the right pane, double-click on the site link you want to modify the replication interval for.

5. Enter the new interval beside Replicate every.

6. Click OK.

12.6.2.2 Using a command-line interface

To change the replication interval, create an LDIF file named set_link_rep_interval.ldf with the following contents:

dn: cn=<LinkName>,cn=ip,cn=Inter-Site Transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: replInterval
replInterval: <NewInterval>
-

then run the following command:

> ldifde -v -i -f set_link_rep_interval.ldf

Q59. How to Check for Potential Replication Problems?

12.8.1 Problem

You want to determine if replication is succeeding.

12.8.2 Solution

The following two commands will help identify problems with replication on a source domain controller:

> dcdiag /test:replications
> repadmin /showrepl /errorsonly

12.8.3 Discussion

For a more detailed report, you can use the Replication Monitor (replmon.exe). The Generate Status Report option will produce a lengthy report of site topology, replication information, and provide details on any errors encountered. The Directory Service event log can also be an invaluable source of replication and KCC problems.

Q60. How to Find Conflict Objects?

12.11.1 Problem

You want to find conflict objects that are a result of replication collisions.

12.11.2 Solution

12.11.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection -> Connect.

3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

4. For Port, enter 389 or 3268 for the global catalog.

5. Click OK.

6. From the menu, select Connection -> Bind.

7. Enter credentials (if necessary) of a user that can view the object.

8. Click OK.

9. From the menu, select Browse -> Search.

10. For BaseDN, type the base DN from where you want to start the search.

11. For Scope, select the appropriate scope.

12. For Filter, enter (|(cn=*\0ACNF:*)(ou=*\0ACNF:*)).

13. Click Run.

12.11.2.2 Using a command-line interface

The following command finds all conflict objects within the whole forest:

> dsquery * forestroot -gc -attr distinguishedName -scope subtree -filter "(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))"
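As an added example that is not part of the original post, the following Python decodes the conflict-object names that the LDP filter and the dsquery command above match, so the output of either can be turned into "which object collided, and under which parent" for review. The DNs and GUIDs are constructed samples, not values from any real directory.

```python
"""Decode Active Directory conflict (CNF) objects from LDAP search results.
Added example, not from the original post. When two DCs create objects with
the same RDN before replicating, AD keeps both and renames the loser to the
original value followed by a line feed and "CNF:<objectGUID>"; in LDAP string
form the line feed is escaped as backslash-0A, hence the page's filter."""
import re

# Constructed sample DNs, as dsquery/LDP would return them; GUIDs are made up.
SAMPLE_DNS = [
    "CN=John Smith,OU=Users,DC=example,DC=com",
    "CN=John Smith\\0ACNF:11111111-2222-3333-4444-555555555555,"
    "OU=Users,DC=example,DC=com",
    "OU=Sales\\0ACNF:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,DC=example,DC=com",
    "CN=Printer\\, Lobby,OU=Devices,DC=example,DC=com",  # escaped comma only
]

HEX_PAIR = re.compile(r"\\([0-9A-Fa-f]{2})")
# Renamed value is "<name>" + LF + "CNF:" + 36-character GUID.
CNF_MARKER = re.compile(r"^(?P<name>.*)\nCNF:(?P<guid>[0-9A-Fa-f-]{36})$", re.S)


def split_dn(dn):
    """Split a DN on unescaped commas, keeping each RDN's escapes intact."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape + escaped char
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    return rdns


def unescape_value(value):
    """Undo RFC 4514 escaping: \\XX hex pairs become bytes, \\c becomes c."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            m = HEX_PAIR.match(value, i)
            if m:
                out.append(int(m.group(1), 16))
                i += 3
            else:
                out.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        out.extend(value[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8", errors="replace")


def parse_conflict(dn):
    """Return the decoded conflict details if dn names a CNF object, else None."""
    rdns = split_dn(dn)
    attr, _, raw = rdns[0].partition("=")
    m = CNF_MARKER.match(unescape_value(raw))
    if not m:
        return None
    return {"dn": dn, "attribute": attr.strip().upper(),
            "original_name": m.group("name"),
            "conflict_guid": m.group("guid").lower(),
            "parent": ",".join(rdns[1:])}


def find_conflicts(dns):
    """Filter a list of DNs down to the decoded conflict objects."""
    return [c for c in (parse_conflict(d) for d in dns) if c]
```

Each decoded entry names the original RDN and the parent container, which is what you need to decide which of the two colliding objects to keep.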

Q61. How to View Object Metadata?

12.12.1 Problem

You want to view metadata for an object. The object's replPropertyMetaData attribute stores metadata information about the most recent updates to every attribute that has been set on the object.

12.12.2 Solution

12.12.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection -> Connect.

3. For Server, enter the name of a domain controller or domain that contains the object.

4. For Port, enter 389.

5. Click OK.

6. From the menu, select Connection -> Bind.

7. Enter credentials (if necessary) of a user that can view the object.

8. Click OK.

9. From the menu, select Browse -> Replication -> View Metadata.

10. For Object DN, type the distinguished name of the object you want to view.

11. Click OK.

12.12.2.2 Using a command-line interface

In the following command, replace <ObjectDN> with the distinguished name of the object for which you want to view metadata:

> repadmin /showobjmeta <DomainControllerName> <ObjectDN>

This command was called /showmeta in the Windows 2000 version of repadmin. Also, the parameters are switched in that version, where <ObjectDN> comes before <DomainControllerName>.

1. What's the difference between local, global and universal groups?

Domain local groups assign access permissions to global domain groups
for local domain resources. Global groups provide access to resources
in other trusted domains. Universal groups grant access to resources in
all trusted domains.
 
2. I am trying to create a new universal user group. Why can't I?
 
Universal groups are allowed only in native-mode Windows Server 2003
environments. Native mode requires that all domain controllers be
promoted to Windows Server 2003 Active Directory.
 
3. What is LSDOU?
 
It's the group policy inheritance model, where the policies are applied
to Local machines, Sites, Domains and Organizational Units.
 
4. Why doesn't LSDOU work under Windows NT?
 
If the NTConfig.pol file exists, it has the highest priority among the
numerous policies.
 
5. Where are group policies stored?
 
%SystemRoot%\System32\GroupPolicy
 
6. What is GPT and GPC?
 
Group policy template and group policy container.
 
7. Where is GPT stored?
 
%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
 
8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority?
 
The computer settings take priority.
 
 
9. You want to set up remote installation procedure, but do not want
the user to gain access over it. What do you do? 
 
gponame-> User Configuration-> Windows Settings-> Remote Installation Services->
Choice Options is your friend.
 
10. What's contained in administrative template conf.adm? 
 
Microsoft NetMeeting policies
 
11. How can you restrict running certain applications on a machine?
 
Via group policy, security settings for the group, then Software
Restriction Policies.
 
12. You need to automatically install an app, but MSI file is not available. What do you do?
 
A .zap text file can be used to add applications using the Software
Installer, rather than the Windows Installer.
 
13. What's the difference between Software Installer and Windows Installer?
 
The former has fewer privileges and will probably require user
intervention. Plus, it uses .zap files.
 
14. What can be restricted on Windows Server 2003 that wasn't there in previous products?
 
Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
 
15. What does IntelliMirror do?
 
It helps to reconcile desktop settings, applications, and stored files
for users, particularly those who move between workstations or those
who must periodically work offline.
 
16. Where is secedit?
 
It's now gpupdate.
 
 
 
17. You want to create a new group policy but do not wish to inherit.
 
Make sure you check Block inheritance among the options when creating
the policy.
 
18. What is "tattooing" the Registry?
 
 
The user can view and modify user preferences that are not stored in
maintained portions of the Registry. If the group policy is removed or
changed, the user preference will persist in the Registry.
 
19. How do you fight tattooing in NT/2000 installations?
 
You can't.
 
20. How do you fight tattooing in 2003 installations?
 
 User Configuration - Administrative Templates - System - Group Policy -
enable - Enforce Show Policies Only.
 
21. What does IntelliMirror do?
 
It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.
 
22. What's the major difference between FAT and NTFS on a local machine?
 
 FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.
 
23. How do FAT and NTFS differ in approach to user shares?
 
 They don't, both have support for sharing.
 
24. Explain the List Folder Contents permission on the folder in NTFS.
 
Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
 
 
 
 
 
25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it?
 
 It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into Run... window.
 
26. For a user in several groups, are Allow permissions restrictive or permissive? 
 
Permissive, if at least one group has Allow permission for the file/folder, user will have the same permission.
 
27. For a user in several groups, are Deny permissions restrictive or permissive? 
 
Restrictive, if at least one group has Deny permission for the file/folder, user will be denied access, regardless of other group permissions.
 
28. What hidden shares exist on Windows Server 2003 installation?
 
Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
 
29. What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations?
 
 The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
 
30. We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box.
 
Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
 
31. Where exactly do fault-tolerant DFS shares store information in Active Directory?
 
 In Partition Knowledge Table, which is then replicated to other domain controllers.
 
 
 
32. Can you use Start->Search with DFS shares?
 
 Yes.
 
33. What problems can you have with DFS installed? 
 
Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.
 
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS.
 
Yeah, you can't. Install a standalone one.

35. Is Kerberos encryption symmetric or asymmetric?
 
 Symmetric.
 
36. How does Windows 2003 Server try to prevent a middle-man attack on encrypted line? 
 
Time stamp is attached to the initial client request, encrypted with the shared key.
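As an added example that is not part of the original post, here is a simplified model of the timestamp check described in the answer above: the client binds a timestamp to its request under the key it shares with the service, and the service rejects authenticators that are stale or that it has already seen. The HMAC tag, the JSON body and the shared key are assumptions of the model, not the Kerberos wire format; the 5-minute window is the Windows default clock-skew tolerance.

```python
"""Timestamped authenticator with clock-skew and replay checks (simplified).
Added example, not from the original post. Kerberos puts a timestamp in the
client's authenticator, protects it with the key shared between client and
service, and the verifier rejects authenticators that are stale or repeated.
This model keeps both checks but uses an HMAC tag instead of Kerberos
encryption (assumption: no AES in the standard library)."""
import hashlib
import hmac
import json

MAX_SKEW = 300  # seconds: Windows default clock-synchronization tolerance


def make_authenticator(shared_key: bytes, client: str, ts: int) -> dict:
    """Client side: bind the client name and current time under the shared key."""
    body = json.dumps({"client": client, "ts": int(ts)}, sort_keys=True).encode()
    tag = hmac.new(shared_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Verifier:
    """Service side: a captured-and-resent authenticator must not be accepted."""

    def __init__(self, shared_key: bytes, max_skew: int = MAX_SKEW):
        self.key = shared_key
        self.max_skew = max_skew
        self.replay_cache = set()  # (client, ts, tag) seen inside the window

    def verify(self, auth: dict, now: int) -> str:
        expected = hmac.new(self.key, auth["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["tag"]):
            return "reject: bad tag"            # wrong key or modified body
        msg = json.loads(auth["body"])
        if abs(now - msg["ts"]) > self.max_skew:
            return "reject: clock skew"         # stale, or clocks out of sync
        # Entries whose timestamp has left the window would fail the skew
        # check anyway, so the cache only has to remember the current window.
        self.replay_cache = {k for k in self.replay_cache
                             if abs(now - k[1]) <= self.max_skew}
        key = (msg["client"], msg["ts"], auth["tag"])
        if key in self.replay_cache:
            return "reject: replay"             # same authenticator seen before
        self.replay_cache.add(key)
        return "accept"
```

The cache is pruned on the message timestamp rather than on the time the entry was recorded, so an authenticator can never be forgotten while it would still pass the skew check.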
 
37. What hashing algorithms are used in Windows 2003 Server?
 
RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the
Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
 
38. What third-party certificate exchange protocols are used by Windows 2003 Server? 
 
Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
 
39. What's the number of permitted unsuccessful logons on Administrator account?
 
 Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
 
40. If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1?
 
 A cracker would launch a dictionary attack by hashing every imaginable term used for password and then compare the hashes.
 
41. What's the difference between guest accounts in Server 2003 and other editions? 
 
More restrictive in Windows Server 2003.
 
42. How many passwords by default are remembered when you check "Enforce Password History Remembered"?
 
 User's last 6 passwords.
 

Interview Question ‘N’ Answer Bank

Q.1 What is the latest Service Pack for Exchange 2000/Exchange 2003

Ans : Service Pack 3 / Service Pack 1

Q.2 What are the versions of ISA servers and their service packs?

Ans : ISA Server 2000 SP1

ISA Server 2004 SP1

Q.3 What are the core services that run an ISA server?

Ans : Microsoft ISA Server Control

Microsoft Web Proxy

Q.4 What is the function of the .edb and .stm files in Exchange 2000?

Ans: .edb files :-

Q.5 What is the core function of the Active directory Connector in Exchange 2000?

Ans: The ADC is the service that lets you perform directory synchronization between the Exchange Server 5.5 DS and AD. The ADC uses connection agreements (CAs) to define individual configurations for replication.

Q.6 What is the SRS service in Exchange 2000?

Ans : The SRS is an Exchange 2000 service that allows integration with Exchange Server 5.5 sites. The SRS runs on an Exchange 2000 server but presents itself as an Exchange Server 5.5 DS to other Exchange Server 5.5 servers. You can use the SRS only if you're running Exchange 2000 in mixed mode.

The SRS in Intrasite Replication :-

Figure 1.

Figure 1 shows an Exchange Server 5.5 site (i.e., a site that contains only Exchange Server 5.5 servers) with a CA homed against one of the servers, S4. The CA to the AD is well defined because it has a valid source of Exchange Server 5.5 directory information. The ADC obtains information from the Exchange Server 5.5 DS on server S4.

But what happens when you upgrade the server S4 from Exchange Server 5.5 to Exchange 2000? Upgrading compromises the integrity of the CA because S4 doesn't have an Exchange Server 5.5 DS (because Exchange 2000 uses AD), and the CA becomes unusable. Your only option is to rehome the Exchange Server 5.5 end of the CA to another server (e.g., server S5). This action would reestablish the integrity of the CA, but you would need to rehome this CA when you subsequently upgrade server S5 to Exchange 2000. This rehoming activity could repeat itself for some time unless you initially homed your CA against a server that you knew would be the last one in the site you migrate to Exchange 2000.

Retaining CA integrity. Let's assume that server S4 is the first Exchange Server 5.5 server in the site you're upgrading to Exchange 2000. This assumption satisfies one of the rules for enabling the SRS: You're upgrading the first server in the site. When you perform the upgrade in this situation, the SRS (which is the Exchange Server 5.5 DS in disguise) becomes active. And because the SRS takes part in Exchange Server 5.5 directory replication just like any other Exchange Server 5.5 service, it has a valid view of the Exchange Server 5.5 directory in its SRS database.

Figure 2.

Figure 2 shows the SRS active on S4.

Because the SRS is active on server S4, you can retain the existing CA that is homed against S4. Because the SRS is there, you have a valid source of Exchange Server 5.5 directory information, so you don't need to manually rehome the CA. Having one server that you know can always provide a source of Exchange Server 5.5 directory information is a big plus.

When you home a CA against a regular Exchange Server 5.5 server, you must bind the Exchange Server 5.5 end of the CA against the Lightweight Directory Access Protocol (LDAP) of the Exchange Server 5.5 DS. The ADC uses LDAP to access the Exchange Server 5.5 DS. By default, the Exchange Server 5.5 LDAP listens on port 389, but you can enable LDAP on another port (e.g., if you're running an Exchange Server 5.5 server on a Windows 2000 domain controller). AD on a Win2K domain controller also listens on port 389, and as Win2K is starting up, it seizes control of port 389 before the Exchange Server 5.5 DS can get to it.

The SRS behaves similarly. The SRS runs only on a Win2K system, and this system might be a domain controller. A CA always wants to connect to a source of Exchange Server 5.5 directory information over LDAP. To avoid confusion, the Exchange engineering team designed the SRS so that it offers its LDAP service from port 379. Therefore, if you had previously homed your CA against an Exchange Server 5.5 DS on port 389, you must modify the CA so that it now points to port 379 to get to the SRS DS. "More Tips for Using the Active Directory Connector," Reader to Reader, April 2000, explains how to change the LDAP port.

This modification requires only that you use the CA management tool to redirect the CA to a different port after the upgrade to Exchange 2000. However, this modification is a small change to an existing CA, compared with rehoming the CA to an altogether different server.

Within an Exchange Server 5.5 site, an Exchange Server 5.5 server communicates with other Exchange Server 5.5 servers to keep the information in its DS consistent with the information in the other Exchange Server 5.5 servers' directories. This behavior is the essence of intrasite replication. The component responsible for controlling this process is the Knowledge Consistency Checker (KCC)—which is on every Exchange Server 5.5 server. The KCC maintains a table of all Exchange Server 5.5 servers that take part in the replication chain.

As you upgrade many Exchange Server 5.5 servers in the site to Exchange 2000, most servers won't have the SRS enabled. In these cases, the upgrade code removes the entry for each respective server from the KCC table. For example, for the systems you see in Figure 2 (presuming that they're not bridgehead servers), the code removes servers S1, S2, S3, and S5 from the Exchange Server 5.5 intrasite replication chain. (More precisely, the code removes the servers' directory service agent—DSA—object from the KCC table.) Removing the servers' DSA ensures that they no longer take part in Exchange Server 5.5 intrasite replication because they're no longer Exchange Server 5.5 servers. If the upgrade process didn't remove these DSA objects from the KCC table, you'd see many errors in the event log, signifying that Exchange Server 5.5 directory replication failed against the newly upgraded servers.

The SRS in Intersite Replication :-

When you upgrade an Exchange Server 5.5 directory replication bridgehead server to Exchange 2000, the bridgehead server must maintain a means for communicating site information to its Exchange Server 5.5 bridgehead replication partner. The SRS provides this means because it appears to the replication partner as an Exchange Server 5.5 DS to communicate with.

Figure 3.

Two Exchange Server 5.5 directory replication bridgehead servers (S9 and S1) communicating across a DRC.

When you upgrade server S1 from Exchange Server 5.5 to Exchange 2000, as Figure 4 shows, the SRS becomes indispensable because once again, it reduces the administrative effort associated with upgrading servers. Because the pure Exchange Server 5.5 site (i.e., Site B) has no CA, all site and topology information for Site B must come from traditional Exchange Server 5.5 directory replication.

In the absence of an SRS service, you need to rehome Exchange Server 5.5 DRCs onto different servers as you upgrade bridgehead servers from Exchange Server 5.5. In this example, upgrading server S1 to Exchange 2000 without an SRS service would require rehoming the DRC to another server in the site (e.g., S2).

Components of the SRS even optimize CAs and DRCs. If a CA becomes available to Site B, Exchange can deliver directory information into that site two ways: across a DRC and through a CA. Exchange Server 5.5 directory replication is object-based, whereas replication through a CA is attribute-based. Therefore, using CAs to provide directory information is more efficient than using DRCs because attribute-based replication involves less data on the wire. If you use a CA, as Figure 5 shows, the SRS disables the DRC between the two Exchange Server 5.5 sites and uses ADC-based replication instead.

You can see that, with respect to intersite replication, the SRS is a useful tool. Without it, the management of DRCs would increase administrative overhead. The SRS proves its worth just for managing CAs within a site, but coupled with managing connections between Exchange Server 5.5 bridgehead servers, it's essential.

Behind a Bridgehead Server Upgrade :-

When you upgrade server S1 to Exchange 2000, the Setup program modifies the existing local dir.edb database (i.e., the traditional Exchange Server 5.5 DS), copies the new executables for the SRS service from the installation CD-ROM, and creates several objects in AD's configuration-naming context. (The configuration-naming context contains all Exchange 2000 configuration information.)

Specifically, an instance of an object of class ms-Exch-Site-Replication-Service within the Exchange tree in the AD configuration-naming context represents the SRS. Figure 6 shows an example of a default SRS object, Microsoft DSA, from ADSI Edit. ADSI Edit, part of the Microsoft Windows 2000 Resource Kit, is a useful tool for looking at objects, attributes, and their values in AD.

In this case (i.e., when S1 is the first Exchange 2000 server in the site), the Setup process also creates a Configuration Connection Agreement (ConfigCA) between AD and the new SRS service installed locally. The SRS takes on the ownership of the DRC to server S9. Because the SRS object in AD has a legacyExchangeDN attribute of /o=/ou=/cn=/cn=Servers/cn=S1/cn=Microsoft DSA and is a mail-enabled object, the SRS becomes the destination for replication messages from server S9. In fact, you can use any transport (e.g., X.400, RPCs) to send mail to the SRS object. Figure 7 shows the value of the mail attribute of the SRS. As you can see, this attribute has an SMTP address (i.e., STOISDN-SRS@cpqcorp.com), which means that any other Exchange Server 5.5 DS can send directory information to it over an SMTP connector.

The SRS connects to bridgehead server S9 over a DRC and to AD through a ConfigCA. The ConfigCA is two-way, replicating configuration information for the Exchange Server 5.5 view of Site A from the SRS to AD and back-replicating information for administrative group A (the Exchange 2000 view of the site) from AD to the SRS.
