Windows Server Support Interview Questions and Answers (L2)

What is the difference between Authorized DHCP and Non Authorized DHCP? 
To avoid problems in the network causing by Mis-configured DHCP servers, server in windows 2000 must
be validated by AD before starting service to clients. If an authorized DHCP finds any DHCP server in
the network it stops serving the clients 

Difference between inter-site and intra-site replication. Protocols using for replication. 
Intra-site replication can be done between the domain controllers in the same site. Inter-site
replication can be done between two different sites over WAN links
BHS (Bridge Head Servers) is responsible for initiating replication between the sites. Inter-site
replication can be done B/w BHS in one site and BHS in another site.
We can use RPC over IP or SMTP as a replication protocols where as Domain partition is not possible to
replicate using SMTP 

How to monitor replication 

We can use Replmon tool from support tools 

Storage Types:-
Microsoft Windows XP, Windows 2000 and Windows Server 2003 offer two types of disk storage: basic
and dynamic. 

Basic Disk Storage

Basic storage uses normal partition tables supported by MS-DOS, Microsoft Windows 95, Microsoft
Windows 98, Microsoft Windows Millennium Edition (Me), Microsoft Windows NT, Microsoft Windows
2000, Windows Server 2003 and Windows XP. A disk initialized for basic storage is called a basic disk. A
basic disk contains basic volumes, such as primary partitions, extended partitions, and logical drives.
Additionally, basic volumes include multidisc volumes that are created by using Windows NT 4.0 or
earlier, such as volume sets, stripe sets, mirror sets, and stripe sets with parity. Windows XP does not
support these multidisc basic volumes. Any volume sets, stripe sets, mirror sets, or stripe sets with
parity must be backed up and deleted or converted to dynamic disks before you install Windows XP
Professional. 

Dynamic Disk Storage

Dynamic storage is supported in Windows XP Professional, Windows 2000 and Windows Server 2003. A
disk initialized for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes,
such as simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes.
With dynamic storage, you can perform disk and volume management without the need to restart
Windows. 

Note: Dynamic disks are not supported on portable computers or on Windows XP Home Edition-based
computers. 
You cannot create mirrored volumes or RAID-5 volumes on Windows XP Home Edition, Windows XP
Professional, or Windows XP 64-Bit Edition-based computers. However, you can use a Windows XP
Professional-based computer to create a mirrored or RAID-5 volume on remote computers that are
running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server, or
the Standard, Enterprise and Data Center versions of Windows Server 2003.
Storage types are separate from the file system type. A basic or dynamic disk can contain any
combination of FAT16, FAT32, or NTFS partitions or volumes. 

A disk system can contain any combination of storage types. However, all volumes on the same disk
must use the same storage type. 

To convert a Basic Disk to a Dynamic Disk: 

Use the Disk Management snap-in in Windows XP/2000/2003 to convert a basic disk to a dynamic disk.
To do this, follow these steps:
1. Log on as Administrator or as a member of the Administrators group. 
2. Click Start, and then click Control Panel. 
3. Click Performance and Maintenance, click Administrative Tools, and then double-click Computer
Management. You can also right-click My Computer and choose Manage if you have My Computer
displayed on your desktop. 
4. In the left pane, click Disk Management. 
5. In the lower-right pane, right-click the basic disk that you want to convert, and then click Convert to
Dynamic Disk. You must right-click the gray area that contains the disk title on the left side of the
Details pane. 
6. Select the check box that is next to the disk that you want to convert (if it is not already selected),
and then click OK. 
7. Click Details if you want to view the list of volumes in the disk. Click Convert. 
8. Click yes when you are prompted to convert the disk, and then click OK. 

Warning: After you convert a basic disk to a dynamic disk, local access to the dynamic disk is limited to
Windows XP Professional, Windows 2000 and Windows Server 2003. Additionally, after you convert a
basic disk to a dynamic disk, the dynamic volumes cannot be changed back to partitions. You must first
delete all dynamic volumes on the disk and then convert the dynamic disk back to a basic disk. If you
want to keep your data, you must first back up the data or move it to another volume. 

Dynamic Storage Terms

Brief explanation of RAID Levels 

RAID 0 – Striping

RAID 1- Mirroring (minimum 2 HDD required)

RAID 5 – Striping With Parity (Minimum 3 HDD required)

RAID levels 1 and 5 only gives redundancy 

A volume is a storage unit made from free space on one or more disks. It can be formatted with a file
system and assigned a drive letter. Volumes on dynamic disks can have any of the following layouts:
simple, spanned, mirrored, striped, or RAID-5. 
A simple volume uses free space from a single disk. It can be a single region on a disk or consist of
multiple, concatenated regions. A simple volume can be extended within the same disk or onto
additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume. 

A spanned volume is created from free disk space that is linked together from multiple disks. You can
extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not
fault-tolerant. 

A striped volume is a volume whose data is interleaved across two or more physical disks. The data on
this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume
cannot be mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0. 

A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the
data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the
data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is
also known as RAID-1. 

A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more
disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped
across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed
disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or
extended. 

The system volume contains the hardware-specific files that are needed to load Windows (for
example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can be, but does not have to be, the
same as the boot volume. 
The boot volume contains the Windows operating system files that are located in the %Systemroot%
and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the
system volume. 

What are the different backup strategies are available 

Normal Backup
Incremental Backup
Differential Backup
Daily Backup
Copy Backup 

The Backup utility supports five methods of backing up data on your computer or network.

Normal backup
A normal backup copies all selected files and marks each file as having been backed up (in other words,
the archive attribute is cleared). With normal backups, you need only the most recent copy of the
backup file or tape to restore all of the files. You usually perform a normal backup the first time you
create a backup set.
Incremental backup
An incremental backup backs up only those files created or changed since the last normal or
incremental backup. It marks files as having been backed up (in other words, the archive attribute is
cleared). If you use a combination of normal and incremental backups, you will need to have the last
normal backup set as well as all incremental backup sets in order to restore your data.

Differential backup
A differential backup copies file created or changed since the last normal or incremental backup. It
does not mark files as having been backed up (in other words, the archive attribute is not cleared). If
you are performing a combination of normal and differential backups, restoring files and folders
requires that you have the last normal as well as the last differential backup.

Daily backup
A daily backup copies all selected files that have been modified the day the daily backup is performed.
The backed-up files are not marked as having been backed up (in other words, the archive attribute is
not cleared).

Copy backup
A copy backup copies all selected files but does not mark each file as having been backed up (in other
words, the archive attribute is not cleared). Copying is useful if you want to back up files between
normal and incremental backups because copying does not affect these other backup operations.

What is a global catalog 

Global catalog is a role, which maintains Indexes about objects. It contains full information of the
objects in its own domain and partial information of the objects in other domains. Universal Group
membership information will be stored in global catalog servers and replicate to all GC’s in the forest. 

What is Active Directory and what is the use of it 

Active directory is a directory service, which maintains the relationship between resources and
enabling them to work together. Because of AD hierarchal structure windows 2000 is more scalable,
reliable. Active directory is derived from X.500 standards where information is stored is hierarchal tree
like structure. Active directory depends on two Internet standards one is DNS and other is LDAP.
Information in Active directory can be queried by using LDAP protocol 

what is the physical and logical structure of AD? 

Active directory physical structure is a hierarchal structure which fallows Forests—Trees—Domains—
Child Domains—Grand Child—etc

Active directory is logically divided into 3 partitions 

1.Configuration partition 2. Schema Partition 3. Domain partition 4. Application Partition (only in

windows 2003 not available in windows 2000)

Out of these Configuration, Schema partitions can be replicated between the domain controllers in the
in the entire forest. Whereas Domain partition can be replicated between the domain controllers in the
same domain 
What is the process of user authentication (Kerberos V5) in windows 2000? 
After giving logon credentials an encryption key will be generated, this is used to encrypt the time
stamp of the client machine. User name and encrypted timestamp information will be provided to
domain controller for authentication. Then Domain controller decrypts the encrypted time stamp
information based on the password information stored in AD for that user. If user time stamp matches
to its time stamp. It will provide logon session key and Ticket granting ticket to client in an encrypted
format. Again client decrypts and if produced time stamp information is matching then it will use logon
session key to logon to the domain. Ticket granting ticket will be used to generate service granting
ticket when accessing network resources 

What are the port numbers for Kerberos, LDAP and Global Catalog? 

Kerberos – 88, LDAP – 389, Global Catalog – 3268 

what is the use of LDAP (X.500 standard?) 

LDAP is a directory access protocol, which is used to exchange directory information from server to
clients or from server to servers 

what are the problems that are generally come across DHCP? 
Scope is full with IP addresses no IP’s available for new machines
If scope options are not configured properly e.g. default gateway 
Incorrect creation of scopes etc 

What is the role responsible for time synchronization? 

PDC Emulator is responsible for time synchronization. Time synchronization is important because
Kerberos authentication depends on time stamp information

what is TTL & how to set TTL time in DNS? 

TTL is Time to live setting used for the amount of time that the record should remain in cache when
name resolution happened.

We can set TTL in SOA (start of authority record) of DNS 

How to take DNS and WINS, DHCP backup 

%System root%/system32/DNS
%System root%/system32/WINS
%System root%/system32/DHCP 

What is recovery console 

Recovery console is a utility used to recover the system when it is not booting properly or not at all
booting. We can perform following operations from recovery console

We can copy, rename, or replace operating system files and folders

Enable or disable service or device startup the next time that start computer
Repair the file system boot sector or the Master Boot Record
Create and format partitions on drives 
What is DFS & its usage 

DFS is a distributed file system used to provide common environment for users to access files and
folders even when they are shared in different servers physically.
There are two types of DFS-domain DFS and Stand alone DFS. We cannot provide redundancy for
standalone DFS in case of failure. Domain DFS is used in a domain environment which can be accessed
by /domain name/root1 (root 1 is DFS root name). Stand alone DFS can be used in workgroup
environment which can be accessed through /server name/root1 (root 1 is DFS root name). Both the
cases we need to create DFS root (Which appears like a shared folder for end users) and DFS links (A
logical link which is pointing to the server where the folder is physically shared)

The maximum number of Dfs roots per server is 1. 

The maximum numbers of Dfs root replicas are 31.
The maximum number of Dfs roots per domain is unlimited. 
The maximum number of Dfs links or shared folders in a Dfs root is 1,000 

How many root replicas can be created in DFS? 

31 

What is the difference between Domain DFS and Standalone DFS? 

There are two types of DFS-domain DFS and Stand alone DFS. We cannot provide redundancy for
standalone DFS in case of failure. Domain DFS is used in a domain environment which can be accessed
by /domain name/root1 (root 1 is DFS root name). Stand alone DFS can be used in workgroup
environment which can be accessed through /server name/root1 (root 1 is DFS root name).

What is RIS and what are its requirements 

RIS is a remote installation service, which is used to install operation system remotely.

Client requirements:-
PXE DHCP-based boot ROM version 1.00 or later NIC, or a network adapter that is supported by the RIS
boot disk.
Should meet minimum operating system requirements
Software Requirements
Below network services must be active on RIS server or any server in the network
Domain Name System (DNS Service)
Dynamic Host Configuration Protocol (DHCP)
Active directory “Directory” service 

High Level 

Can we establish trust relationship between two forests? 

In Windows 2000 it is not possible. In Windows 2003 it is possible 

What is FSMO Roles 

Flexible single master operation (FSMO) roles are 

Domain Naming Master
Schema Master
PDC Emulator
Infrastructure Master
RID Master 

Brief all the FSMO Roles 

Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing
changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can
potentially lead to problems once the data is replicated to the rest of the enterprise. One way
Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle
discrepancies in values by resolving to the DC to which changes were written last (that is, "the last
writer wins"), while discarding the changes in all other DCs. Although this resolution method may be
acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last
writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try
to resolve it after the fact. 
For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active
Directory updates from occurring. 
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain
objects in a single-master fashion. 

In a single-master model, only one DC in the entire directory is allowed to process updates. This is
similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as
Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given
domain. 

In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five
FSMO roles are: 

Schema Master: The schema master domain controller controls all updates and modifications to the
schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs
in the directory. To update the schema of a forest, you must have access to the schema master. There
can be only one schema master in the whole forest. 

Domain naming master: The domain naming master domain controller controls the addition or removal
of domains in the forest. This DC is the only one that can add or remove a domain from the directory.
It can also add or remove cross references to domains in external directories. There can be only one
domain naming master in the whole forest. 
Infrastructure Master: When an object in one domain is referenced by another object in another
domain, it represents the reference by the GUID, the SID (for references to security principals), and
the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for
updating an object's SID and distinguished name in a cross-domain object reference. At any one time,
there can be only one domain controller acting as the infrastructure master in each domain. 

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global
Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating
object information because it does not contain any references to objects that it does not hold. This is
because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-
domain object references in that domain will not be updated and a warning to that effect will be
logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all
the domain controllers have the current data, and it is not important which domain controller holds the
infrastructure master role (or there is no requirement of Infrastructure master role)

Relative ID (RID) Master: 

The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it attaches a
unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in
a domain), and a relative ID (RID) that is unique for each security Principal SID created in a domain.
Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it
creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional
RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs
from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one
time, there can be only one domain controller acting as the RID master in the domain. 

PDC Emulator: 

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the
W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All
Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the
time service is to ensure that the Windows Time service uses a hierarchical relationship that controls
authority and does not permit loops to ensure appropriate common time usage. 

PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest
becomes authoritative for the enterprise, and should be configured to gather the time from an external
source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound
time partner. 
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions: 
Password changes performed by other DCs in the domain are replicated preferentially to the PDC
emulator. 
Authentication failures that occur at a given DC in a domain because of an incorrect password are
forwarded to the PDC emulator before a bad password failure message is reported to the user. 

Account lockout is processed on the PDC emulator. 

Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC
Emulator's SYSVOL share, unless configured not to do so by the administrator. 

The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC
or earlier PDC performs for Windows NT 4.0-based or earlier clients. 

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and
domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003.
The PDC emulator still performs the other functions as described in a Windows 2000/2003
environment. 

At any one time, there can be only one domain controller acting as the PDC emulator master in each
domain in the forest. 

How to manually configure FSMO Roles to separate DC’s 

How can I determine who are the current FSMO Roles holders in my domain/forest?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO
(Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. 

The five FSMO roles are:

• Schema master - Forest-wide and one per forest. 

• Domain naming master - Forest-wide and one per forest. 

• RID master - Domain-specific and one for each domain. 

• PDC - PDC Emulator is domain-specific and one for each domain. 

• Infrastructure master - Domain-specific and one for each domain. 

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or
actually, on the same DC) as has been configured by the Active Directory installation process. However,
there are scenarios where an administrator would want to move one or more of the FSMO roles from
the default holder DC to a different DC. The transferring method is described in the Transferring FSMO
Roles article, while seizing the roles from a non-operational DC to a different DC is described in the
Seizing FSMO Roles article. 

In order to better understand your AD infrastructure and to know the added value that each DC might
possess, an AD administrator must have the exact knowledge of which one of the existing DCs is holding
a FSMO role, and what role it holds. With that knowledge in hand, the administrator can make better
arrangements in case of a scheduled shut-down of any given DC, and better prepare him or herself in
case of a non-scheduled cease of operation from one of the DCs.

How to find out which DC is holding which FSMO role? Well, one can accomplish this task by many
means. This article will list a few of the available methods.
Method #1: Know the default settings

The FSMO roles were assigned to one or more DCs during the DCPROMO process. The following table
summarizes the FSMO default locations:

FSMO Role:- Number of DCs holding this role Original DC holding the FSMO role
Schema:-One per forest The first DC in the first domain in the forest (i.e. the Forest Root Domain)
Domain Naming:- One per forest 
RID:- One per domain The first DC in a domain (any domain, including the Forest Root Domain, any
Tree Root Domain, or any Child Domain)
PDC Emulator One per domain 
Infrastructure One per domain 

Method #2: Use the GUI

The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table to see
which tool can be used for what FSMO role:

FSMO Role Which snap-in should I use?

Schema:- Schema snap-in
Domain Naming:-AD Domains and Trusts snap-in
RID :-AD Users and Computers snap-in
PDC Emulator 
Infrastructure 

Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and Infrastructure
Master FSMO Roles:

1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder. 
2. Right-click the Active Directory Users and Computers icon again and press Operation Masters. 
3. Select the appropriate tab for the role you wish to view. 
4. When you're done click close. 

Finding the Domain Naming Master via GUI

To find out who currently holds the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder. 
2. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters. 
3. When you're done click close. 
Finding the Schema Master via GUI
to find out who currently holds the Schema Master Role:

1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: 
2. Press OK. You should receive a success confirmation. 
3. From the Run command open an MMC Console by typing MMC. 
4. On the Console menu, press Add/Remove Snap-in. 
5. Press Add. Select Active Directory Schema. 
6. Press Add and press Close. Press OK. 
7. Click the Active Directory Schema icon. After it loads right-click it and press Operation Masters. 
8. Press the Close button. 

Method #3: Use the Ntdsutil command

The FSMO role holders can be easily found by use of the Ntdsutil command.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory
functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK. 
2. Type roles, and then press ENTER. 

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type?, and then
press ENTER.
3. Type connections, and then press ENTER. 
4. Type connect to server, where is the name of the server you want to use, and then press ENTER. 
5. At the server connections: prompt, type q, and then press ENTER again. 
6. At the FSMO maintenance: prompt, type Select operation target, and then press ENTER again. 

At the select operation target: prompt, type List roles for connected server, and then press ENTER
again. 

select operation target: List roles for connected server

Server "server100" knows about 5 roles

Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,

CN=Configuration,DC=dpetri,DC=net

Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,

CN=Configuration,DC=dpetri,DC=net

PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,

CN=Configuration,DC=dpetri,DC=net

RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,

CN=Configuration,DC=dpetri,DC=net

Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,

CN=Sites,CN=Configuration,DC=dpetri,DC=net

select operation target:

8. Type q 3 times to exit the Ntdsutil prompt. 

Note: You can download THIS nice batch file that will do all this for you (1kb).

Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in the Windows 2000 Resource
Kit (and can be downloaded here: Download Free Windows 2000 Resource Kit Tools). This tool is
basically a one-click Ntdsutil script that performs the same operation described above.

Method #4: Use the Netdom command

The FSMO role holders can be easily found by use of the Netdom command.

Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either download it
separately (from here Download Free Windows 2000 Resource Kit Tools) or by obtaining the correct
Support Tools pack for your operating system. The Support Tools pack can be found in the
\Support\Tools folder on your installation CD (or you can Download Windows 2000 SP4 Support Tools,
Download Windows XP SP1 Deploy Tools). 

1. On any domain controller, click Start, click Run, type CMD in the Open box, and then click OK. 
2. In the Command Prompt window, type netdom query /domain:monu fsmo (where is the name of
YOUR domain). 

Close the CMD window.

Note: You can download THIS nice batch file that will do all this for you (1kb).

Method #5: Use the Replmon tool

The FSMO role holders can be easily found by use of the Replmon command. 

Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support Tools. Replmon can be
used for a wide verity of tasks, mostly with those that are related with AD replication. But Replmon
can also provide valuable information about the AD, about any DC, and also about other objects and
settings, such as GPOs and FSMO roles. Install the package before attempting to use the tool.

1. On any domain controller, click Start, click Run, type REPLMON in the Open box, and then click OK. 
2. Right-click Monitored servers and select Add Monitored Server. 
3. In the Add Server to Monitor window, select the Search the Directory for the server to add. Make
sure your AD domain name is listed in the drop-down list. 
4. In the site list select your site, expand it, and click to select the server you want to query. Click
Finish. 
5. Right-click the server that is now listed in the left-pane, and selects Properties. 
6. Click on the FSMO Roles tab and read the results. 
7. Click Ok when you're done. 

How can I forcibly transfer (seize) some or all of the FSMO Roles from one DC to another?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO
(Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. 

The five FSMO roles are:

• Schema master - Forest-wide and one per forest. 

• Domain naming master - Forest-wide and one per forest. 
• RID master - Domain-specific and one for each domain. 
• PDC - PDC Emulator is domain-specific and one for each domain. 
• Infrastructure master - Domain-specific and one for each domain. 

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or
actually, on the same DC) as has been configured by the Active Directory installation process. However,
there are scenarios where an administrator would want to move one or more of the FSMO roles from
the default holder DC to a different DC. 

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are
online and operational is called Transferring, and is described in the Transferring FSMO Roles article.

However, when the original FSMO role holder went offline or became non operational for a long period
of time, the administrator might consider moving the FSMO role from the original, non-operational
holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a
different DC is called Seizing, and is described in this article.

If a DC holding a FSMO role fails, the best thing to do is to try and get the server online again. Since
none of the FSMO roles are immediately critical (well, almost none, the loss of the PDC Emulator FSMO
role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem
to them to be unavailable for hours or even days. 

If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable
computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most
cases, should be performed only if the original FSMO role owner will not be brought back into the
environment. Only seize a FSMO role if absolutely necessary when the original role holder is not
connected to the network.
What will happen if you do not perform the seize in time? This table has the info:

FSMO Role Loss implications

Schema The schema cannot be extended. However, in the short term no one will notice a missing
Schema Master unless you plan a schema upgrade during that time.

Domain Naming Unless you are going to run DCPROMO, then you will not miss this FSMO role.

RID Chances are good that the existing DCs will have enough unused RIDs to last some time, unless
you're building hundreds of users or computer object per week.

PDC Emulator Will be missed soon. NT 4.0 BDCs will not be able to replicate, there will be no time
synchronization in the domain, you will probably not be able to change or troubleshoot group policies
and password changes will become a problem.

Infrastructure Group memberships may be incomplete. If you only have one domain, then there will be
no impact.

Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original domain controller
must not be activated in the forest again. It is necessary to reinstall Windows if these servers are to be
used again. 

The following table summarizes the FSMO seizing restrictions:

FSMO Role Restrictions
Schema Original must be reinstalled
Domain Naming 
RID 
PDC Emulator Can transfer back to original
Infrastructure 

Another consideration before performing the seize operation is the administrator's group membership,
as this table lists:
FSMO Role Administrator must be a member of
Schema Schema Admins
Domain Naming Enterprise Admins
RID Domain Admins
PDC Emulator 
Infrastructure 
To seize the FSMO roles by using Ntdsutil, follow these steps:

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory
functionality.

1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK. 
2. Type roles, and then press ENTER. 

Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then
press ENTER.

3. Type connections, and then press ENTER. 

4. Type connect to server , where is the name of the server you want to use, and then press ENTER. 
5. At the server connections: prompt, type q, and then press ENTER again. 
6. Type seize , where is the role you want to seize. For example, to seize the RID Master role, you
would type seize rid master: 

Options are: 

7. You will receive a warning window asking if you want to perform the seize. Click on Yes. 
fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002 (UNAVAILABLE)
data 1722 
Win32 error returned is 0x20af(The requested FSMO operation failed. The current FSMO holde

r could not be contacted.)

)

Depending on the error code this may indicate a connection,Ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=dpetri,DC=netDomain - CN=NTDS
Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
fsmo maintenance:

Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize
all roles. Determine which roles are to be on which remaining domain controllers so that all five roles
are not on only one server.

8. Repeat steps 6 and 7 until you've seized all the required FSMO roles. 
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool. 

Note: Do not put the Infrastructure Master (IM) role on the same domain controller as the Global
Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object
information because it does not contain any references to objects that it does not hold. This is
because a GC server holds a partial replica of every object in the forest. 

What is the difference between authoritative and non-authoritative restore 

In authoritative restore, Objects that are restored will be replicated to all domain controllers in the
domain. This can be used specifically when the entire OU is disturbed in all domain controllers or
specifically restore a single object, which is disturbed in all DC’s

In non-authoritative restore, Restored directory information will be updated by other domain

controllers based on the latest modification time. 

What is Active Directory De-fragmentation? 

De-fragmentation of AD means separating used space and empty space created by deleted objects and
reduces directory size (only in offline De-fragmentation) 

Difference between online and offline de-fragmentation 

The size of NTDS.DIT will often be different sizes across the domain controllers in a domain. Remember
that Active Directory is a multi-master independent model where updates are occurring in each of the
domain controllers with the changes being replicated over time to the other domain controllers. 

The changed data is replicated between domain controllers, not the database, so there is no guarantee
that the files are going to be the same size across all domain controllers. 

Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a directory
online defragmentation every 12 hours by default as part of the garbage-collection process. This
defragmentation only moves data around the database file (NTDS.DIT) and doesn’t reduce the file’s
size - the database file cannot be compacted while Active Directory is mounted. 

Active Directory routinely performs online database defragmentation, but this is limited to the disposal
of tombstoned objects. The database file cannot be compacted while Active Directory is mounted (or
online). 
An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller than the
NTDS.DIT file on its peers. 

However, defragmenting the NTDS.DIT file isn’t something you should really need to do. Normally, the
database self-tunes and automatically tomb stoning the records then sweeping them away when the
tombstone lifetime has passed to make that space available for additional records. 

Defragging the NTDS.DIT file probably won’t help your AD queries go any faster in the long run. 

So why defrag it in the first place? 

One reason you might want to defrag your NTDS.DIT file is to save space, for example if you deleted a
large number of records at one time. 
To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the following
steps: 
Back up Active Directory (AD). 
Reboot the server, select the OS option, and press F8 for advanced options. 
Select the Directory Services Restore Mode option, and press Enter. Press 
Enter again to start the OS. 
W2K will start in safe mode, with no DS running. 
Use the local SAM’s administrator account and password to log on. 
You’ll see a dialog box that says you’re in safe mode. Click OK. 
From the Start menu, select Run and type cmd.exe 
In the command window, you’ll see the following text. (Enter the commands in bold.) 
C:\> ntdsutil
ntdsutil: files
file maintenance:info

....
file maintenance:compact to c:\temp 

You’ll see the defragmentation process. If the process was successful, enter quit to return to the
command prompt. 

Then, replace the old NTDS.DIT file with the new, compressed version. (Enter the commands in bold.) 

C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit 

Restart the computer, and boot as normal.

What is tombstone period 

Tombstones are nothing but objects marked for deletion. After deleting an object in AD the objects
will not be deleted permanently. It will be remain 60 days by default (which can be configurable) it
adds an entry as marked for deletion on the object and replicates to all DC’s. After 60 days object will
be deleted permanently from all Dc’s. 
What Are Lingering Objects?

A lingering object is a deleted AD object that re-appears (“lingers”) on the restored domain controller
(DC) in its local copy of Active Directory. This can happen if, after the backup was made, the object
was deleted on another DC more than than 180 days ago.

When a DC deletes an object it replaces the object with a tombstone object. The tombstone object is a
placeholder that represents the deleted object. When replication occurs, the tombstone object is
transmitted to the other DCs, which causes them to delete the AD object as well.

Tombstone objects are kept for 180 days, after which they are garbage-collected and removed.

If a DC is restored from a backup that contains an object deleted elsewhere, the object will re-appear
on the restored DC. Because the tombstone object on the other DCs has been removed, the restored
DC will not receive the tombstone object (via replication), and so it will never be notified of the
deletion. The deleted object will “linger” in the restored local copy of Active Directory.

What is white space and Garbage Collection? 

refer question 7 

What are the monitoring tools used for Server and Network Health.

How to define alert mechanism 

Spot Light , SNMP Need to enable . 

How to deploy the patches and what are the software’s used for this process 
Using SUS (Software update services) server we can deploy patches to all clients in the network. We
need to configure an option called “Synchronize with Microsoft software update server” option and
schedule time to synchronize in server. We need to approve new update based on the requirement.
Then approved update will be deployed to clients
We can configure clients by changing the registry manually or through Group policy by adding WUAU
administrative template in group policy 

What is Clustering. Briefly define & explain it 

Clustering is a technology, which is used to provide High Availability for mission critical applications.
We can configure cluster by installing MCS (Microsoft cluster service) component from Add remove
programs, which can only available in Enterprise Edition and Data center edition. 
In Windows we can configure two types of clusters 
NLB (network load balancing) cluster for balancing load between servers. This cluster will not provide
any high availability. Usually preferable at edge servers like web or proxy.

Server Cluster: This provides High availability by configuring active-active or active-passive cluster. In

2 node active-passive cluster one node will be active and one node will be stand by. When active
server fails the application will FAILOVER to stand by server automatically. When the original server
backs we need to FAILBACK the application 

Quorum: A shared storage need to provide for all servers which keeps information about clustered
application and session state and is useful in FAILOVER situation. This is very important if Quorum disk
fails entire cluster will fail.

Heartbeat: Heartbeat is a private connectivity between the servers in the cluster, which is used to
identify the status of other servers in cluster. 
How to configure SNMP 

SNMP can be configured by installing SNMP from Monitoring and Management tools from Add and
Remove programs.
For SNMP programs to communicate we need to configure common community name for those
machines where SNMP programs (eg. DELL OPEN MANAGER) running. This can be configured from
services.msc--- SNMP service -- Security 

Is it possible to rename the Domain name & how? 

In Windows 2000 it is not possible. In windows 2003 it is possible. On Domain controller by going to
MYCOMPUTER properties we can change. 

What is SOA Record 

SOA is a Start Of Authority record, which is a first record in DNS, which controls the startup behavior of
DNS. We can configure TTL, refresh, and retry intervals in this record. 

What is a Stub zone and what is the use of it. 

Stub zones are a new feature of DNS in Windows Server 2003 that can be used to streamline name
resolution, especially in a split namespace scenario. They also help reduce the amount of DNS traffic
on your network, making DNS more efficient especially over slow WAN links. 

What are the different types of partitions present in AD? 

Active directory is divided into three partitions
Configuration Partition—replicates entire forest
Schema Partition—replicates entire forest
Domain Partition—replicate only in domain
Application Partition (Only in Windows 2003) 

What are the (two) services required for replication 

File Replication Service (FRS)
Knowledge Consistency Checker (KCC) 

Knowledge consistency checker- it generates the replication topology by specifying

what domain controllers will replicate to which other domain controllers in the site. The KCC maintains
a list of connections, called replication topology, to other domain controllers in the site. The KCC
ensures that changes to any object are replicated to all site domain controllers and updates go through
no more than three connections. Also an administrator can configure connection objects.

Can we use a Linux DNS Sever in 2000 Domain? 

We can use, But the BIND version should be 8 or greater 
What is the difference between IIS Version 5 and IIS Version 6? 

Refer Question 1 

What is ASR (Automated System Recovery) and how to implement it 

ASR is a two-part system; it includes ASR backup and ASR restore. The ASR Wizard, located in Backup,
does the backup portion. The wizard backs up the system state, system services, and all the disks that
are associated with the operating system components. ASR also creates a file that contains information
about the backup, the disk configurations (including basic and dynamic volumes), and how to perform a
restore. 

You can access the restore portion by pressing F2 when prompted in the text-mode portion of setup.
ASR reads the disk configurations from the file that it creates. It restores all the disk signatures,
volumes, and partitions on (at a minimum) the disks that you need to start the computer. ASR will try
to restore all the disk configurations, but under some circumstances it might not be able to. ASR then
installs a simple installation of Windows and automatically starts a restoration using the backup
created by the ASR Wizard. 

What are the different levels that we can apply Group Policy 
We can apply group policy at SITE level---Domain Level---OU level 

What is Domain Policy, Domain controller policy, Local policy and Group policy 
Domain Policy will apply to all computers in the domain, because by default it will be associated with
domain GPO, Where as Domain controller policy will be applied only on domain controller. By default
domain controller security policy will be associated with domain controller GPO. Local policy will be
applied to that particular machine only and effects to that computer only. 

What is the use of SYSVOL FOLDER? 

Policies and scripts saved in SYSVOL folder will be replicated to all domain controllers in the domain.
FRS (File replication service) is responsible for replicating all policies and scripts 

What is folder redirection? 

Folder Redirection is a User group policy. Once you create the group policy and link it to the
appropriate folder object, an administrator can designate which folders to redirect and where To do
this, the administrator needs to navigate to the following location in the Group Policy Object: 

User Configuration\Windows Settings\Folder Redirection 

In the Properties of the folder, you can choose Basic or Advanced folder redirection, and you can
designate the server file system path to which the folder should be redirected. 

The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to
dynamically create a newly redirected folder for each user to whom the policy object applies. 
What different modes in windows 2003 (Mixed, native & interim….etc) 

What are the domain and forest function levels in a Windows Server 2003-basedActive Directory?

Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to
activate new Active Directory features after all the domain controllers in the domain or forest are
running the Windows Server 2003 operating system. 

When a computer that is running Windows Server 2003 is installed and promoted to a domain
controller, new Active Directory features are activated by the Windows Server 2003 operating system
over its Windows 2000 counterparts. Additional Active Directory features are available when all domain
controllers in a domain or forest are running Windows Server 2003 and the administrator activates the
corresponding functional level in the domain or forest. 

To activate the new domain features, all domain controllers in the domain must be running Windows
Server 2003. After this requirement is met, the administrator can raise the domain functional level to
Windows Server 2003 (read Raise Domain Function Level in Windows Server 2003 Domains for more
info).

To activate new forest-wide features, all domain controllers in the forest must be running Windows
Server 2003, and the current forest functional level must be at Windows 2000 native or Windows Server
2003 domain level. After this requirement is met, the administrator can raise the domain functional
level (read Raise Forest Function Level in Windows Server 2003 Active Directory for more info).

Note: Network clients can authenticate or access resources in the domain or forest without being
affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the
way that domain controllers interact with each other.

Important:-

raising the domain and forest functional levels to Windows Server 2003 is a nonreversible task and
prohibits the addition of Windows NT 4.0–based or Windows 2000–based domain controllers to the
environment. Any existing Windows NT 4.0 or Windows 2000–based domain controllers in the
environment will no longer function. Before raising functional levels to take advantage of advanced
Windows Server 2003 features, ensure that you will never need to install domain controllers running
Windows NT 4.0 or Windows 2000 in your environment.

When the first Windows Server 2003–based domain controller is deployed in a domain or forest, a set of
default Active Directory features becomes available. The following table summarizes the Active
Directory features that are available by default on any domain controller running Windows Server 2003:

Feature Functionality

Multiple selection of user objects Allows you to modify common attributes of multiple user objects at
one time.
Drag and drop functionality Allows you to move Active Directory objects from container to container by
dragging one or more objects to a location in the domain hierarchy. You can also add objects to group
membership lists by dragging one or more objects (including other group objects) to the target group.
Efficient search capabilities/Search functionality is object-oriented and provides an efficient search
that minimizes network traffic associated with browsing objects.
Saved queries Allows you to save commonly used search parameters for reuse in Active Directory Users
and Computers
Active Directory command-line tools Allows you to run new directory service commands for
administration scenarios.
InetOrgPerson class:- The inetOrgPerson class has been added to the base schema as a security
principal and can be used in the same manner as the user class.
Application directory partitions Allows you to configure the replication scope for application-specific
data among domain controllers. For example, you can control the replication scope of Domain Name
System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest
participate in DNS zone replication.
Ability to add additional domain controllers by using backup media Reduces the time it takes to add an
additional domain controller in an existing domain by using backup media.
Universal group membership caching Prevents the need to locate a global catalog across a wide area
network (WAN) when logging on by storing universal group membership information on an
authenticating domain controller.
Secure Lightweight Directory Access Protocol (LDAP) traffic Active Directory administrative tools sign
and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes
from a known source and that it has not been tampered with.
Partial synchronization of the global catalog Provides improved replication of the global catalog when
schema changes/add attributes to the global catalog partial attribute set. Only the new attributes are
replicated, not the entire global catalog.
Active Directory quotas can be specified in Active Directory to control the number of objects, a user,
group, or computer can own in a given directory partition. Members of the Domain Administrators and
Enterprise Administrators groups are exempt from quotas.

When the first Windows Server 2003–based domain controller is deployed in a domain or forest, the
domain or forest operates by default at the lowest functional level that is possible in that environment.
This allows you to take advantage of the default Active Directory features while running versions of
Windows earlier than Windows Server 2003.

When you raise the functional level of a domain or forest, a set of advanced features becomes
available. For example, the Windows Server 2003 interim forest functional level supports more features
than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest
functional level supports. Windows Server 2003 is the highest functional level that is available for a
domain or forest. The Windows Server 2003 functional level supports the most advanced Active
Directory features; however, only Windows Server 2003 domain controllers can operate in that domain
or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain
controllers that are running versions of Windows earlier than Windows Server 2003 into that domain.
This applies to the forest functional level as well.

Domain Functional Level

Domain functionality activates features that affect the whole domain and that domain only. The four
domain functional levels, their corresponding features, and supported domain controllers are as
follows:
Windows 2000 mixed (Default)
• Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003 
• Activated features: local and global groups, global catalog support 

Windows 2000 native

• Supported domain controllers: Windows 2000, Windows Server 2003
• Activated features: group nesting, universal groups, SidHistory, converting groups between security
groups and distribution groups, you can raise domain levels by increasing the forest level settings 

Windows Server 2003 interim

• Supported domain controllers: Windows NT 4.0, Windows Server 2003 
• Supported features: There are no domain-wide features activated at this level. All domains in a
forest are automatically raised to this level when the forest level increases to interim. This mode is
only used when you upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003
domain controllers. 

Windows Server 2003

• Supported domain controllers: Windows Server 2003 
• Supported features: domain controller rename, logon timestamp attribute updated and replicated.
User password support on the InetOrgPerson object Class. Constrained delegation, you can redirect the
Users and Computers containers. 

Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server
2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 domains
maintain their current domain functional level when Windows 2000 domain controllers are upgraded to
the Windows Server 2003 operating system. You can raise the domain functional level to either
Windows 2000 native or Windows Server 2003.

After the domain functional level is raised, domain controllers that are running earlier operating
systems cannot be introduced into the domain. For example, if you raise the domain functional level to
Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added to
that domain. 

The following describes the domain functional level and the domain-wide features that are activated
for that level. Note that with each successive level increase, the feature set of the previous level is
included.

Forest Functional Level

Forest functionality activates features across all the domains in your forest. Three forest functional
levels, the corresponding features, and their supported domain controllers are listed below. 

Windows 2000 (default)

• Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003 

• New features: Partial list includes universal group caching, application partitions, install from media,
quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access Control Lists (SACL)
in the Jet Database Engine, Improved topology generation event logging. No global catalog full sync
when attributes are added to the PAS Windows Server 2003 domain controller assumes the Intersite
Topology Generator (ISTG) role. 

Windows Server 2003 interim

• Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the "Upgrade from a
Windows NT 4.0 Domain" section of this article. 

• Activated features: Windows 2000 features plus Efficient Group Member Replication using Linked
Value Replication, Improved Replication Topology Generation. ISTG Aliveness no longer replicated.
Attributes added to the global catalog. Ms-DS-Trust-Forest-Trust-Info. Trust-Direction, Trust-Attributes,
Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-
Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit 

Windows Server 2003

• Supported domain controllers: Windows Server 2003 
• Activated features: all features in Interim Level, Defunct schema objects, Cross Forest Trust, Domain
Rename, Dynamic auxiliary classes, InetOrgPerson objectClass change, Application Groups, 15-second
intrasite replication frequency for Windows Server 2003 domain controllers upgraded from Windows
2000 

After the forest functional level is raised, domain controllers that are running earlier operating systems
cannot be introduced into the forest. For example, if you raise forest functional levels to Windows
Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server cannot be
added to the forest. 

Different Active Directory features are available at different functional levels. Raising domain and
forest functional levels is required to enable certain new features as domain controllers are upgraded
from Windows NT 4.0 and Windows 2000 to Windows Server 2003

Domain Functional Levels: Windows 2000 Mixed mode, Windows 2000 Native mode, Windows server
2003 and Windows server 2003 interim (Only available when upgrades directly from Windows NT 4.0 to
Windows 2003)

Forest Functional Levels: Windows 2000 and Windows 2003 

Ipsec usage and difference window 2000 & 2003. 

Microsoft doesn’t recommend Internet Protocol security (IPSec) network address translation (NAT)
traversal (NAT-T) for Windows deployments that include VPN servers and that are located behind
network address translators. When a server is behind a network address translator, and the server uses
IPSec NAT-T, unintended side effects may occur because of the way that network address translators
translate network traffic

If you put a server behind a network address translator, you may experience connection problems
because clients that connect to the server over the Internet require a public IP address. To reach
servers that are located behind network address translators from the Internet, static mappings must be
configured on the network address translator. For example, to reach a Windows Server 2003-based
computer that is behind a network address translator from the Internet, configure the network address
translator with the following static network address translator mappings: 

• Public IP address/UDP port 500 to the server's private IP address/UDP port 500.

• Public IP address/UDP port 4500 to the server's private IP address/UDP port 4500.

These mappings are required so that all Internet Key Exchange (IKE) and IPSec NAT-T traffic that is sent
to the public address of the network address translator is automatically translated and forwarded to
the Windows Server 2003-based computer

How to create application partition windows 2003 and its usage? 

An application directory partition is a directory partition that is replicated only to specific domain
controllers. A domain controller that participates in the replication of a particular application directory
partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can
host a replica of an application directory partition.

Applications and services can use application directory partitions to store application-specific data.
Application directory partitions can contain any type of object, except security principals. TAPI is an
example of a service that stores its application-specific data in an application directory partition.

Application directory partitions are usually created by the applications that will use them to store and
replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can
manually create or manage application directory partitions using the Ntdsutil command-line tool. 

Is it possible to do implicit transitive forest to forest trust relationship in windows 2003? 

Implicit Transitive trust will not be possible in windows 2003. Between forests we can create explicit
trust

Two-way trust 

One-way: incoming

One-way: Outgoing 

what is universal group membership cache in windows 2003? 

Information is stored locally once this option is enabled and a user attempts to log on for the first time.
The domain controller obtains the universal group membership for that user from a global catalog.
Once the universal group membership information is obtained, it is cached on the domain controller for
that site indefinitely and is periodically refreshed. The next time that user attempts to log on, the
authenticating domain controller running Windows Server 2003 will obtain the universal group
membership information from its local cache without the need to contact a global catalog.
By default, the universal group membership information contained in the cache of each domain
controller will be refreshed every 8 hours. 
GPMC & RSOP in windows 2003? 

GPMC is tool which is used for managing group policies and display information like how many policies
applied, on which OU’s the policies applied, What are the settings enabled in each policy, Who are the
users effecting by these polices, who is managing these policies. GPMC will display all the above
information. 

RSoP provides details about all policy settings that are configured by an Administrator, including
Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings,
Scripts, and Group Policy Software Installation.

When policies are applied on multiple levels (for example, site, domain, domain controller, and
organizational unit), the results can conflict. RSoP can help you determine a set of applied policies and
their precedence (the order in which policies are applied). 

Assign & Publish the applications in GP & how? 

Through Group policy you can Assign and Publish the applications by creating .msi package for that
application. With Assign option you can apply policy for both user and computer. If it is applied to
computer then the policy will apply to user who logs on to that computer. If it is applied on user it will
apply where ever he logs on to the domain. It will be appear in Start menu—Programs. Once user click
the shortcut or open any document having that extension then the application install into the local
machine. If any application program files missing it will automatically repair.

With Publish option you can apply only on users. It will not install automatically when any application
program files are corrupted or deleted. 

How to use recovery console? 

The Windows 2000 Recovery Console is a command-line console that you can start from the Windows
2000 Setup program. Using the Recovery Console, you can start and stop services, format drives, read
and write data on a local drive (including drives formatted to use NTFS), and perform many other
administrative tasks. The Recovery Console is particularly useful if you need to repair your system by
copying a file from a floppy disk or CD-ROM to your hard drive, or if you need to reconfigure a service
that is preventing your computer from starting properly. Because the Recovery Console is quite
powerful, it should only be used by advanced users who have a thorough knowledge of Windows 2000.
In addition, you must be an administrator to use the Recovery Console. 
There are two ways to start the Recovery Console:
If you are unable to start your computer, you can run the Recovery Console from your Windows 2000
Setup disks or from the Windows 2000 Professional CD (if you can start your computer from your CD-
ROM drive). 
As an alternative, you can install the Recovery Console on your computer to make it available in case
you are unable to restart Windows 2000. You can then select the Recovery Console option from the list
of available operating systems 
PPTP protocol for VPN in windows 2003? 

Point-to-Point-Tunneling Protocol (PPTP) is a networking technology that supports multiprotocol virtual

private networks (VPN), enabling remote users to access corporate networks securely across the
Microsoft Windows NT® Workstation, Windows® 95, and Windows 98 operating systems and other point-
to-point protocol (PPP)-enabled systems to dial into a local Internet service provider to connect
securely to their corporate network through the Internet