Windows 2008 interview questions
What is Active Directory Domain Services 2008?
Active Directory Domain Services (AD DS), formerly known as Active
Directory Directory Services, is the central location for configuration
information, authentication requests, and information about all of the
objects that are stored within your forest. Using Active Directory, you
can efficiently manage users, computers, groups, printers, applications,
and other directory-enabled objects from one secure, centralized
location.
What is the SYSVOL folder?
The Sysvol folder on a Windows domain controller is used to
replicate file-based data among domain controllers. Because junctions
are used within the Sysvol folder structure, Windows NT file system
(NTFS) version 5.0 is required on domain controllers throughout a
Windows distributed file system (DFS) forest.
This is a quote from Microsoft itself. In practice, the domain controller data that is stored as files, such as your Group Policy files, is replicated to every domain controller through this folder structure.
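As an added illustration of the replication just described (example code, not part of the original post or of Microsoft's documentation), the script below reads each GPO's GPT.ini version from the SYSVOL share of every domain controller and reports any that disagree; it goes one step beyond the text by also reading the version stored on the GPO's AD object, so a lag between AD replication and SYSVOL replication shows up as well. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) and read access to the SYSVOL shares; the function name is mine, and the domain and DC names come from the environment.

```powershell
# Added example: compare GPT.ini versions across every DC's SYSVOL share and
# against the GPO's AD object. Assumes the ActiveDirectory module (2008 R2+)
# and that the caller can read \\<dc>\SYSVOL. Nothing here writes to SYSVOL.
Import-Module ActiveDirectory

function Test-SysvolGpoConsistency {
    $domain   = Get-ADDomain
    $dnsRoot  = $domain.DNSRoot
    $domainDn = $domain.DistinguishedName
    $dcs      = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)

    # Enumerate GPO GUIDs from the first DC; the Policies folder is where the
    # file-based half of each GPO (the Group Policy Template) lives.
    $referenceDc = $dcs[0]
    $gpoGuids = Get-ChildItem "\\$referenceDc\SYSVOL\$dnsRoot\Policies" |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        Select-Object -ExpandProperty Name

    foreach ($guid in $gpoGuids) {
        $versions = @{}

        # The directory half of the GPO carries the same version counter.
        $adObject = Get-ADObject -Identity "CN=$guid,CN=Policies,CN=System,$domainDn" `
                        -Properties versionNumber -ErrorAction SilentlyContinue
        $versions['AD'] = if ($adObject) { [string]$adObject.versionNumber } else { 'missing' }

        foreach ($dc in $dcs) {
            $ini = "\\$dc\SYSVOL\$dnsRoot\Policies\$guid\GPT.ini"
            if (-not (Test-Path $ini)) {
                $versions[$dc] = 'missing'        # template not yet replicated to this DC
                continue
            }
            # GPT.ini holds a line "Version=<n>"; everything else is ignored.
            $line = Get-Content $ini | Where-Object { $_ -match '^Version=\d+' } | Select-Object -First 1
            if ($line -match '^Version=(\d+)') { $versions[$dc] = $Matches[1] } else { $versions[$dc] = 'unparsed' }
        }

        # Report only GPOs whose version differs somewhere (AD side or any DC).
        $distinct = @($versions.Values | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            New-Object PSObject -Property @{
                GPO      = $guid
                Versions = ($versions.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
            }
        }
    }
}

# Run: an empty result means every DC agrees with AD for every GPO.
Test-SysvolGpoConsistency | Format-Table -AutoSize
```

A persistent mismatch for one DC usually means SYSVOL replication (FRS, or DFS-R after migration) is behind or broken on that host, while a GPO whose AD version is ahead of every DC's GPT.ini points at a client that will apply stale settings until SYSVOL catches up.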
What’s New in Windows Server 2008 Active Directory Domain Services?
Active Directory Domain Services in Windows Server 2008 provides a
number of enhancements over previous versions, including these:
* Auditing—AD DS auditing has been enhanced significantly in Windows Server 2008. The enhancements provide more granular auditing capabilities through four new auditing categories: Directory Services Access, Directory Services Changes, Directory Services Replication, and Detailed Directory Services Replication. Additionally, auditing now provides the capability to log old and new values of an attribute when a successful change is made to that attribute.
* Fine-Grained Password Policies—AD DS in Windows Server 2008 now provides the capability to create different password and account lockout policies for different sets of users in a domain. User and group password and account lockout policies are defined and applied via a Password Settings Object (PSO). A PSO has attributes for all the settings that can be defined in the Default Domain Policy, except Kerberos settings. PSOs can be applied to both users and groups.
* Read-Only Domain Controllers—AD DS in Windows Server 2008 introduces a new type of domain controller called a read-only domain controller (RODC). RODCs contain a read-only copy of the AD DS database. RODCs are covered in more detail in Chapter 6, “Manage Sites and Replication.”
* Restartable Active Directory Domain Services—AD DS in Windows Server 2008 can now be stopped and restarted through MMC snap-ins and the command line. The restartable AD DS service reduces the time required to perform certain maintenance and restore operations. Additionally, other services running on the server remain available to satisfy client requests while AD DS is stopped.
* AD DS Database Mounting Tool—AD DS in Windows Server 2008 comes with an AD DS database mounting tool, which provides a means to compare data as it exists in snapshots or backups taken at different times. The AD DS database mounting tool eliminates the need to restore multiple backups to compare the AD data that they contain and provides the capability to examine any change made to data stored in AD DS.
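The auditing enhancement above is easiest to understand by switching it on and reading the events it produces. The script below is an added example (not from the original post or Microsoft's documentation): it enables the Directory Service Changes subcategory, adds the SACL entry without which no change events are generated, and then decodes the resulting events, whose Value Deleted/Value Added pairs are how the "old and new values" are exposed. It assumes a domain admin session on a domain controller with the ActiveDirectory module and its AD: drive (Windows Server 2008 R2 or later); the OU distinguished name and the function name are placeholders of mine.

```powershell
# Added example: enable Windows Server 2008 "Directory Service Changes"
# auditing for one OU and read back the events, which carry old and new
# attribute values. Assumes a domain admin session on a DC with the
# ActiveDirectory module (2008 R2+); the OU DN below is a placeholder.
Import-Module ActiveDirectory

$ouDn = "OU=Servers,DC=example,DC=com"    # placeholder, not a real domain

# 1. Enable the subcategory. It is off by default, and the legacy
#    "Directory Service Access" category alone does not record values.
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# 2. Events are generated only for objects whose SACL asks for them, so add a
#    success-audit entry for Everyone on write-property, inherited by children.
$acl      = Get-Acl -Path "AD:\$ouDn" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$flags    = [System.Security.AccessControl.AuditFlags]::Success
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule     = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule `
                       -ArgumentList $everyone, $rights, $flags, $inherit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. Collect the change events. 5136 = modified, 5137 = created,
#    5139 = moved, 5141 = deleted. One attribute change yields two 5136
#    events sharing an OpCorrelationID: "Value Deleted" (old) and
#    "Value Added" (new).
function Get-DirectoryChangeEvent {
    param([int]$MaxEvents = 200)
    $opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136,5137,5139,5141 } `
                -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The named EventData fields are more stable than positional Properties.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $op = [string]$d['OperationType']
        New-Object PSObject -Property @{
            Time          = $e.TimeCreated
            EventId       = $e.Id
            Who           = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object        = $d['ObjectDN']
            Attribute     = $d['AttributeLDAPDisplayName']
            Operation     = $(if ($opNames.ContainsKey($op)) { $opNames[$op] } else { $op })
            Value         = $d['AttributeValue']
            CorrelationId = $d['OpCorrelationID']
        }
    }
}

# Sorting by correlation id puts each old/new pair next to each other.
Get-DirectoryChangeEvent |
    Sort-Object CorrelationId, Time |
    Format-Table Time, EventId, Who, Object, Attribute, Operation, Value -AutoSize
```

Scope the SACL deliberately: auditing every write on every object of a large domain floods the Security log, so start with the OUs that hold privileged accounts and servers, and forward the 5136/5137/5139/5141 events to your collector.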
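For the fine-grained password policy item, here is an added example (my code, not the post's or Microsoft's) that creates a PSO, links it to a global security group, and checks which policy actually wins for one member. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and a domain at the Windows Server 2008 functional level; the PSO, group and user names and every numeric setting are constructed for the example.

```powershell
# Added example: create a Password Settings Object, link it to a global
# security group, and confirm the resultant policy for a member.
# Assumes the ActiveDirectory module (2008 R2+) and a 2008-level domain;
# all names and values below are constructed for the example.
Import-Module ActiveDirectory

function New-PrivilegedUserPso {
    param(
        [string]$Name      = 'PSO-PrivilegedUsers',
        [string]$GroupName = 'Tier0-Admins',
        [int]$Precedence   = 10        # lowest number wins when several PSOs apply
    )
    # A PSO mirrors the password and lockout settings of the Default Domain
    # Policy; Kerberos ticket settings are not part of it.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -ComplexityEnabled $true `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -Description 'Stricter settings for privileged accounts (example)'

    # PSOs link to users or global security groups only, never to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $GroupName
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Get-EffectivePasswordPolicy {
    param([string]$SamAccountName)
    # The resultant policy is the winning PSO; when none applies the
    # domain-wide Default Domain Policy settings are in effect instead.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso -eq $null) { return Get-ADDefaultDomainPasswordPolicy }
    return $pso
}

New-PrivilegedUserPso | Out-Null

Get-EffectivePasswordPolicy -SamAccountName 'alice.admin' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Review every PSO in the domain and what each one is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

Always verify with the resultant-policy query rather than by inspecting the PSO: a user covered by two PSOs gets the one with the lower precedence value, and a PSO linked to a group only takes effect for direct members of that group.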
What is the Global Catalog?
A global catalog server is a domain controller. It is a master
searchable database that contains information about every object in
every domain in a forest. The global catalog contains a complete replica
of all objects in Active Directory for its host domain, and contains a
partial replica of all objects in Active Directory for every other
domain in the forest.
It has two important functions:
* Provides group membership information during logon and authentication
* Helps users locate resources in Active Directory
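To see the second function in practice, here is an added example (not from the original post) that finds the forest's global catalog servers and runs one forest-wide lookup through the GC rather than through a single domain. It assumes the ActiveDirectory module for Get-ADForest; the search itself uses System.DirectoryServices from the base framework. The function and the account name are placeholders of mine.

```powershell
# Added example: locate the forest's global catalog servers and search the
# GC (the GC:// moniker, port 3268) for an account anywhere in the forest.
# Assumes the ActiveDirectory module (2008 R2+); names are placeholders.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that change an LDAP filter's meaning (RFC 4515),
    # so a caller-supplied account name cannot rewrite the query.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-ForestAccount {
    param([string]$SamAccountName)
    $forest = Get-ADForest
    # Any DC flagged as a global catalog will do; take the first one listed.
    $gcHost = @($forest.GlobalCatalogs)[0]
    if (-not $gcHost) { throw "No global catalog server found in forest $($forest.Name)" }

    # GC:// searches the partial replica of every domain in the forest, so no
    # domain needs to be named; LDAP:// to the same host would search only
    # that host's own domain.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$gcHost")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $safeName = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeName))"
    $searcher.SearchScope = 'Subtree'
    # Only attributes in the partial attribute set come back for objects from
    # other domains; memberOf on the GC lists universal groups, which is the
    # membership the GC supplies at logon.
    foreach ($attr in 'distinguishedName', 'userPrincipalName', 'memberOf') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($r in $searcher.FindAll()) {
        # Property keys are lower-case; wrap in @() so a missing value is safe.
        New-Object PSObject -Property @{
            DistinguishedName = [string](@($r.Properties['distinguishedname']) | Select-Object -First 1)
            UPN               = [string](@($r.Properties['userprincipalname']) | Select-Object -First 1)
            UniversalGroups   = @($r.Properties['memberof']) -join '; '
            AnsweredBy        = $gcHost
        }
    }
}

Find-ForestAccount -SamAccountName 'jsmith' | Format-List
```

The same lookup through Get-ADUser with -Server pointed at the GC port (for example "dc01.example.com:3268") behaves identically; the point is that a domain-scoped query would miss accounts that live in another domain of the forest.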
What are RODCs? And what are the major benefits of using RODCs?
A read-only domain controller (RODC) is a new type of domain
controller in the Windows Server® 2008 operating system. With an RODC,
organizations can easily deploy a domain controller in locations where
physical security cannot be guaranteed. An RODC hosts read-only
partitions of the Active Directory® Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to
authenticate with a domain controller over a wide area network (WAN),
there was no real alternative. In many cases, this was not an efficient
solution. Branch offices often cannot provide the adequate physical
security that is required for a writable domain controller. Furthermore,
branch offices often have poor network bandwidth when they are
connected to a hub site. This can increase the amount of time that is
required to log on. It can also hamper access to network resources.
Beginning with Windows Server 2008, an organization can deploy an
RODC to address these problems. As a result, users in this situation can
receive the following benefits:
* Improved security
* Faster logon times
* More efficient access to resources on the network
Inadequate physical security is the most common reason to consider
deploying an RODC. An RODC provides a way to deploy a domain controller
more securely in locations that require fast and reliable authentication
services but cannot ensure physical security for a writable domain
controller.
However, your organization may also choose to deploy an RODC for
special administrative requirements. For example, a line-of-business
(LOB) application may run successfully only if it is installed on a
domain controller. Or, the domain controller might be the only server in
the branch office, and it may have to host server applications.
In such cases, the LOB application owner must often log on to the
domain controller interactively or use Terminal Services to configure
and manage the application. This situation creates a security risk that
may be unacceptable on a writable domain controller.
An RODC provides a more secure mechanism for deploying a domain
controller in this scenario. You can grant a nonadministrative domain
user the right to log on to an RODC while minimizing the security risk
to the Active Directory forest.
You might also deploy an RODC in other scenarios where local storage
of all domain user passwords is a primary threat, for example, in an
extranet or application-facing role.
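The benefit the text describes, a domain controller that does not hold every domain password, depends on the RODC's Password Replication Policy (PRP), which the post does not go into; the added example below (my code, not the post's or Microsoft's) reviews each RODC's PRP and the accounts whose secrets it has actually cached, and flags any privileged account among them. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and a domain admin session; the function name is mine and the group names are the built-in defaults.

```powershell
# Added example: review each RODC's Password Replication Policy and which
# account secrets are cached on it, then flag any privileged account.
# Assumes the ActiveDirectory module (2008 R2+) and a domain admin session.
Import-Module ActiveDirectory

function Get-RodcCredentialExposure {
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))

    # Build the set of DNs whose secrets should never sit on a branch-office box.
    $privilegedDns = @{}
    foreach ($g in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) { $privilegedDns[$m.DistinguishedName] = $g }
    }

    foreach ($rodc in (Get-ADDomainController -Filter { IsReadOnly -eq $true })) {
        # The PRP: who may be cached (Allowed) and who must never be (Denied wins).
        $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
        $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)

        # What is actually stored locally right now. If this RODC were lost,
        # these are the accounts whose passwords would need resetting.
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
        $exposed  = @($revealed | Where-Object { $privilegedDns.ContainsKey($_.DistinguishedName) })

        New-Object PSObject -Property @{
            RODC             = $rodc.HostName
            Site             = $rodc.Site
            AllowedEntries   = $allowed.Count
            DeniedEntries    = $denied.Count
            CachedAccounts   = $revealed.Count
            PrivilegedCached = @($exposed | ForEach-Object { "$($_.DistinguishedName) [$($privilegedDns[$_.DistinguishedName])]" })
        }
    }
}

# Any non-empty PrivilegedCached entry means the Denied list is not doing its job.
Get-RodcCredentialExposure | Format-List
```

With the default PRP, administrative groups sit in the Denied RODC Password Replication Group and PrivilegedCached should be empty for every RODC; the check is worth keeping in a scheduled job because PRP changes and group membership drift are both easy to miss.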
Repadmin.exe: Replication Diagnostics Tool
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.
Administrators can use Repadmin to view the replication topology
(sometimes referred to as RepsFrom and RepsTo) as seen from the
perspective of each domain controller. In addition, Repadmin can be used
to manually create the replication topology (although in normal
practice this should not be necessary), to force replication events
between domain controllers, and to view both the replication metadata
and up-to-dateness vectors.
Repadmin.exe can also be used for monitoring the relative health of
an Active Directory forest. The operations replsummary, showrepl,
showrepl /csv, and showvector /latency can be used to check for
replication problems.
NETDOM is a command-line tool that allows management of Windows
domains and trust relationships. It is used for batch management of
trusts, joining computers to domains, and verifying trusts and secure
channels.
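The repadmin operations listed above and the netdom checks combine naturally into one health script. The example below is added here (my code, not the post's or Microsoft's) and wraps exactly those commands: replsummary, showrepl in CSV form, showvector with /latency, and netdom's secure-channel and trust queries. It assumes a domain-joined machine with the RSAT tools (repadmin.exe, netdom.exe) and the ActiveDirectory module; the function name is mine and the DC and domain names are placeholders.

```powershell
# Added example: replication health check built from the repadmin and netdom
# operations described above. Assumes RSAT (repadmin.exe, netdom.exe) and
# the ActiveDirectory module; DC and domain names are placeholders.
Import-Module ActiveDirectory

function Test-AdReplicationHealth {
    param(
        [Parameter(Mandatory = $true)][string]$Dc,          # e.g. dc01.example.com
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    # 1. Forest summary: largest delta and fails/total per source and destination DC.
    $summary = repadmin /replsummary

    # 2. Inbound partners of $Dc as CSV. "Number of Failures" above zero or a
    #    non-zero "Last Failure Status" marks a link worth looking at.
    $partners = repadmin /showrepl $Dc /csv | ConvertFrom-Csv
    $failing  = @($partners | Where-Object { [int]($_.'Number of Failures') -gt 0 })

    # 3. Up-to-dateness vector for the domain partition, with latency: how far
    #    behind each source DC this DC's knowledge is.
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $vector   = repadmin /showvector $Dc $domainDn /latency

    # 4. This machine's secure channel to the domain, and the domain's trusts.
    $secureChannel = netdom verify $env:COMPUTERNAME /domain:$Domain
    $trusts        = netdom query /domain:$Domain trust

    New-Object PSObject -Property @{
        Summary         = $summary -join "`n"
        FailingPartners = $failing | Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Time', 'Last Failure Status'
        Vector          = $vector -join "`n"
        SecureChannel   = $secureChannel -join "`n"
        Trusts          = $trusts -join "`n"
        Verdict         = $(if ($failing.Count -eq 0) { 'OK' } else { "$($failing.Count) failing inbound link(s) on $Dc" })
    }
}

Test-AdReplicationHealth -Dc 'dc01.example.com' | Format-List
```

Read the CSV rather than the human-readable showrepl output when automating: the column names are stable, so the same filter works across every DC, and a failure count that keeps growing between runs is the signal that a partner link, not a transient outage, needs attention.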