Active Directory Q&A
Q: What is the global catalog and why is it important?
Ans: Global Catalog servers hold a partial replica of every object in Active Directory. A Global Catalog server is used to find objects in any domain in the forest. Any Domain Controller can be made into a Global Catalog server.
Q: What does a system state backup contain?
Ans: The system state contains a number of items:
- System Registry
- COM + Database
- Certificate Services
- Active Directory
- SysVol
- IIS Metabase
Some of these items are only included if the corresponding service is installed (AD, IIS, Certificate Services). (Details are documented online: TechNet and MSDN for Server 2003/2003 R2, the TechNet forums for Server 2008, and MSDN for Server 2008 and upwards.)
If you need to restore a server, you will need this state to recover the registry, your AD domain, or IIS sites.
You can restore system state to the same server, or to another server with identical hardware. Microsoft does not support restoring system state to different hardware (see this article); however it is possible on some occasions and with some parts of the system state, for example the IIS metabase. In that case it is really a matter of try it and see, but it is not a recommended solution.
Q: What is the Group Policy order of precedence?
Ans: Order of processing settings
This section provides details about the order in which Group Policy settings for users and computers are processed. For information about where the processing of policy settings fits into the framework of computer startup and user logon, see steps 3 and 8 in Startup and logon, in this topic.
Group Policy settings are processed in the following order:
- Local Group Policy object—Each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.
- Site—Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
- Domain—Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
- Organizational units—GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, so they overwrite settings from the earlier GPOs where there are conflicts. (If there are no conflicts, the earlier and later settings are merely aggregated.)
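The LSDOU processing order and "lowest link order wins" rule above, worked through as an added example (not part of the original Q&A). It parses the gPLink attribute format that AD stores on site, domain and OU objects, builds the processing order, then resolves conflicting settings the way the text describes; the forest layout, GPO GUIDs and settings are constructed for the example.

```python
import re

# gPLink, the attribute holding GPO links on site, domain and OU objects, is a
# list of entries like [LDAP://cn={GUID},cn=policies,cn=system,DC=corp,DC=example;OPTIONS].
# Entries appear in link order (first entry = link order 1); OPTIONS bit 0x1 = link disabled.
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
LOCAL_GPO = "Local Group Policy"

def parse_gplink(gplink):
    """Return [(gpo_dn, link_order, enabled)] with link order 1 first."""
    return [(dn, n, not int(opts) & 0x1)
            for n, (dn, opts) in enumerate(GPLINK_RE.findall(gplink or ""), start=1)]

def processing_order(site_gplink, domain_gplink, ou_gplinks):
    """LSDOU: local, site, domain, then OUs from the root-most OU down to the one
    holding the object. Within a level the lowest link order is applied last and
    therefore wins; disabled links are skipped."""
    applied = [("Local", LOCAL_GPO)]
    levels = [("Site", site_gplink), ("Domain", domain_gplink)] + [("OU", g) for g in ou_gplinks]
    for level, gplink in levels:
        for dn, _order, enabled in sorted(parse_gplink(gplink), key=lambda l: -l[1]):
            if enabled:
                applied.append((level, dn))
    return applied

def effective_settings(order, gpo_settings):
    """Later GPOs overwrite conflicting values, the rest aggregate.
    Returns {setting: (value, dn_of_the_gpo_that_set_it)}."""
    result = {}
    for _level, dn in order:
        for key, value in gpo_settings.get(dn, {}).items():
            result[key] = (value, dn)
    return result

# Constructed sample forest: GUIDs, OU layout and settings are made up for this example.
POL = "cn=policies,cn=system,DC=corp,DC=example"
SITE_GPO, DOM_BASE, DOM_SEC, WS_PROXY, FIN_GPO = (
    f"cn={{{g}0000000-0000-0000-0000-00000000000{g}}},{POL}" for g in "12345")
SITE_GPLINK = f"[LDAP://{SITE_GPO};0]"
DOMAIN_GPLINK = f"[LDAP://{DOM_SEC};0][LDAP://{DOM_BASE};0]"  # DOM_SEC has link order 1
OU_GPLINKS = [f"[LDAP://{WS_PROXY};1]",   # OU=Workstations: link disabled (OPTIONS 1)
              f"[LDAP://{FIN_GPO};0]"]    # OU=Finance,OU=Workstations: the object's OU
SETTINGS = {LOCAL_GPO: {"screensaver": "20m"}, SITE_GPO: {"proxy": "site-proxy"},
            DOM_BASE: {"screensaver": "10m", "proxy": "none"}, DOM_SEC: {"screensaver": "5m"},
            WS_PROXY: {"proxy": "ws-proxy"}, FIN_GPO: {"screensaver": "15m"}}

if __name__ == "__main__":
    order = processing_order(SITE_GPLINK, DOMAIN_GPLINK, OU_GPLINKS)
    print(*order, effective_settings(order, SETTINGS), sep="\n")
```

Note that the domain-level GPO with link order 2 (DOM_BASE) is applied before the one with link order 1 (DOM_SEC), and the disabled OU=Workstations link never contributes.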
Q: What are the FSMO roles?
Ans: Flexible Single Master Operation (FSMO) roles
Active Directory has five special roles which are vital for the smooth running of AD as a multimaster system. Some functions of AD require that there is an authoritative master to which all Domain Controllers can refer. These roles are installed automatically and there is normally very little reason to move them; however, if you decommission a DC and DCPROMO fails to run correctly, or a DC suffers a catastrophic failure, you will need to know about these roles to recover them or transfer them to another DC.
The forest wide roles must appear once per forest, the domain wide roles must appear once per domain.
The Roles
There are five FSMO roles: two per forest and three in every domain. A brief summary of each role is below.
Forest Wide Roles:
Schema Master
The schema is shared between every Tree and Domain in a forest and must be consistent between all objects. The schema master controls all updates and modifications to the schema.
Domain Naming
When a new Domain is added to a forest the name must be unique within the forest. The Domain naming master must be available when adding or removing a Domain in a forest.
Domain Wide Roles:
Relative ID (RID) Master
Allocates RIDs to DCs within a domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of a domain SID (which is the same for all SIDs created in the domain) and a RID which is unique within the domain.
When moving objects between domains you must start the move on the DC which is the RID master of the domain that currently holds the object.
PDC Emulator
The PDC emulator acts as a Windows NT PDC for backwards compatibility; it can process updates to a BDC.
It is also responsible for time synchronization within a domain.
It is also the password master (for want of a better term) for a domain. Any password change is replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password, the logon request is passed to the PDC emulator to check the password before the logon request is rejected.
Infrastructure Master
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The global catalog is used to compare data, as it receives regular updates for all objects in all domains.
Any change to user-group references is updated by the infrastructure master. For example, if you rename or move a group member that is in a different domain from the group, the group will temporarily appear not to contain that member.
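The SID structure from the RID master section (domain SID plus RID) and the cross-domain references the infrastructure master maintains, as an added example that is not part of the original Q&A. It splits account SIDs into their domain SID and RID, sorts a group's members into same-domain members and cross-domain references, and checks the per-domain RID uniqueness the RID master guarantees; the domain SIDs and memberships are constructed.

```python
import re

# Domain account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>: S-1-5-21-a-b-c is the
# domain SID shared by every principal in the domain, the final value is the RID.
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
# A few well-known RIDs that are identical in every domain (the domain SID differs).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}

def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID; reject anything else."""
    m = SID_RE.match(sid)
    if not m or m.group(1) != "5":
        raise ValueError(f"not an NT authority SID: {sid}")
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if subs[0] != 21 or len(subs) != 5:          # e.g. S-1-5-32-544 (BUILTIN) is rejected
        raise ValueError(f"not a domain account SID: {sid}")
    return "S-1-5-21-" + "-".join(str(s) for s in subs[1:4]), subs[4]

def classify_members(group_domain_sid, member_sids):
    """Split a group's members into same-domain members and cross-domain references
    (the references the infrastructure master keeps current). Each entry is
    (sid, rid, well_known_name_or_None)."""
    local, foreign = [], []
    for sid in member_sids:
        domain_sid, rid = split_sid(sid)
        (local if domain_sid == group_domain_sid else foreign).append(
            (sid, rid, WELL_KNOWN_RIDS.get(rid)))
    return local, foreign

def rid_collisions(sids):
    """RIDs must be unique within a domain: report every (domain_sid, rid) seen twice.
    The RID master's single allocation pool is what prevents this in a real domain."""
    seen, duplicates = set(), set()
    for sid in sids:
        key = split_sid(sid)
        (duplicates if key in seen else seen).add(key)
    return sorted(duplicates)

# Constructed sample: two domains in one forest and a group in DOMAIN_A with a
# member from DOMAIN_B (all values made up for this example).
DOMAIN_A = "S-1-5-21-1000000001-2000000002-3000000003"
DOMAIN_B = "S-1-5-21-4000000004-5000000005-6000000006"
GROUP_MEMBERS = [f"{DOMAIN_A}-500", f"{DOMAIN_A}-1105", f"{DOMAIN_B}-1107"]

if __name__ == "__main__":
    local, foreign = classify_members(DOMAIN_A, GROUP_MEMBERS)
    print("same domain:", local)
    print("cross-domain references:", foreign)
```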