Active Directory Q& A

Q: ​What is global catalog and why is it important​ ? 





Ans: Global Catalog Servers contain a partial replica for every object in Active Directory. A Global CatalogServer is used to find objects in any domain in the forest. Any Domain Controller can be made into aGlobal Catalog Server.

Q: what does system state backup contain

Ans: The system state contains a number of items:
  • System Registry
  • COM + Database
  • Certificate Services
  • Active Directory
  • SysVol
  • IIS Metabase
Some of these items are only included if the specified service is installed (AD, IIS, Certificates). (Details are online. TechNet: Server 2003/2003R2. MSDN: Server 2003/2003R2.TechNet forums:Server 2008. MSDN: Server 2008 and upwards)
If you need to restore a server, you will need this state to recover the registry, or your AD Domain, or IIS sites.
You can restore system state to the same server, or another server with identical hardware. Microsoft does not support restoring system state to different hardware (see this article), however it is possible in some occasions, and with some parts of the system state, for example the IIS metabase. In that guess its really a case of try it an see, but its not a recommended solution..
Q: How group policy order of precedence ?

Ans:  Order of processing settings
This section provides details about the order in which Group Policy settings for users and computers are processed. For information about where the processing of policy settings fits into the framework of computer startup and user logon, see steps 3 and 8 in Startup and logon, in this topic.
Group Policy settings are processed in the following order:
  1. Local Group Policy object—Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.
  2. Site—Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on theLinked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  3. Domain—Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  4. Organizational units—GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

    At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)


Q: What is FMSO roles ?
Ans:  Flexible Single Master Operation Roles (FSMO)
Active Directory has five special roles which are vital for the smooth running of AD as a multimaster system. Some functions of AD require there is an authoritative master to which all Domain Controllers can refer to. These roles are installed automatically and there is normally very little reason to move them, however if you de-commission a DC and DCPROMO fails to run correctly or have a catastrophic failure of a DC you will need to know about these roles to recover or transfer them to another DC.
The forest wide roles must appear once per forest, the domain wide roles must appear once per domain.

The Roles

There are five FSMO roles, two per forest, three in every Domain. A brief summary of the role is below.

Forest Wide Roles:

  • Schema Master

The schema is shared between every Tree and Domain in a forest and must be consistent between all objects. The schema master controls all updates and modifications to the schema.

  • Domain Naming

When a new Domain is added to a forest the name must be unique within the forest. The Domain naming master must be available when adding or removing a Domain in a forest.

Domain Wide Roles:

  • Relative ID (RID) Master

Allocates RIDs to DCs within a Domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of a Domain SID (which is the same for all SIDs created in the domain) and a RID which is unique to the Domain.
When moving objects between domains you must start the move on the DC which is the RID master of the domain that currently holds the object.

  • PDC Emulator

The PDC emulator acts as a Windows NT PDC for backwards compatibility, it can process updates to a BDC.
It is also responsible for time synchronising within a domain.
It is also the password master (for want of a better term) for a domain. Any password change is replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password the logon request is passed to the PDC emulator to check the password before rejecting the login request.

  • Infrastructure Master

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The global catalogue is used to compare data as it receives regular updates for all objects in all domains.
Any change to user-group references are updated by the infrastructure master. For example if you rename or move a group member and the member is in a different domain from the group the group will temporarily appear not to contain that member.

Comments

Post a Comment

Popular posts from this blog

How to install XIbo?

Image
How to install Xibo on Windows 10 64 bit What is Xibo? XIbo is open source signage software, Xibo Digital Signage is a low-cost, high performance solution to launch your business, workplace or organisation into the future. Xibo doesn’t just replicate print media, but actively increases engagement allowing you to deliver your message more effectively than ever before What is  Digital signage?  Digital signage is a sub-segment of electronic signage. Digital displays use technologies such as LCD, LED, projection and e-paper to display digital images, video, web pages, weather data, restaurant menus, or text.  Wikipedia How to install Xibo on Windows 10. It is very easy to install the Xibo on windows 10 x64 bit os with docker. Below is the step to install the Xibo. ð   Step 1.   Download the docker for windows 10 x64,  Link to download Docker ð   Step 2. Install the Docker. Double-click  Docker for Windows Installer  to run the installer
Read more

How to install - Snipe-IT, Free IT Asset manager software

Image
 Snipe-IT, IT Free Asset manager Software. S nipe-IT was made for IT asset management, to enable IT departments to track who has which laptop, when it was purchased, which software licenses and accessories. Pre-requisite 1) Wamp Webserver - Download Link 2)  composer  - Download Link Step 1.  Install Composer 2) Install Wamp  create database snipeit; show databases; Create user snipe_user; grant all on snipeit.* to 'snipe_user' @ 'localhost' identified by 'password123' ; Extract and configure Snipe-IT and run composer https://snipeitapp.com/download Download and exact Snipe-IT to c:\wamp\www\snipe-it. Edit  .env.example See the  Configuration  options for more information on how to configure your Snipe-IT installation. Save your edited  env.example  as  .env Open command prompt then change directory to  c:\wamp\www\snipe-it\ . Then ru
Read more

Get information about SSL protocols

Image
  Get the information about the SSL version using and strength by utilizting the SSL Disagnos SSL Diagnos is used to test SSL strength; Get information about SSL protocols (pct, ssl2, ssl3, tls, dtls) and cipher suites. It can also be used for testing and rating ciphers on SSL clients. It has also specific support for pop3s, sip, smtp and explicit ftps. Tests for heartbleed (including dtls). Furthermore a separate tool, SSLPressure, not using openssl can be used to check the whole spectrum of possible SSL protocols on a server. Can also be used for testing ssl for mssql-servers (was added since nessus did not support this) and contains mitm poc for stripping ssl from mssql-connections. Features SSL scanner including rating of SSL cipher suite strength for server and clients Test SSL strength in for example https, smtp, sip, pop3s, ftps Can be used for OWASP-CM-001 Uses OpenSSL to test ssl2, ssl3, tls, dtls, explicit ftps Tests renegotiation and availability
Read more