Interview Question for active directory and exchange

Sunday, August 30, 2009

Q.7 Where are the NTFRS transactions stored?

Ans: In the Jet database Ntfrs.jdb (default path %SystemRoot%\Ntfrs\Jet\Ntfrs.jdb) and in the set of transaction log files under %SystemRoot%\Ntfrs\Jet\Log.

Q.8 Which MS Exchange Server 5.5 files are installed after running setup?

Ans:
  1. Private Information Store, priv.edb (C:\exchsrvr\MDBDATA)
  2. Public Information Store, pub.edb (C:\exchsrvr\MDBDATA)
  3. Information Store transaction logs, edb*.log (C:\exchsrvr\MDBDATA)
  4. Directory Service database, dir.edb (C:\exchsrvr\DSADATA)
  5. Directory Service transaction logs (C:\exchsrvr\DSADATA)
  6. MTA queue and configuration files (C:\exchsrvr\MTADATA)

Q.9 What are the core MS Exchange 5.5 services/components?

Ans:
  1. Directory Service (DS): Microsoft Exchange Directory
  2. Microsoft Exchange Event Service
  3. Information Store (IS): Microsoft Exchange Information Store
  4. Message Transfer Agent (MTA): Microsoft Exchange Message Transfer Agent
  5. System Attendant (SA): Microsoft Exchange System Attendant

Q.10 What is the latest Service Pack for Windows NT Server 4.0?

Ans : Service pack 6a

Q.11 What is the latest Service Pack for Windows 2000 Server?

Ans : Windows 2000 Service Pack 4

Q.12 What is the IIS version on Win2K servers/W2K3 servers?

Ans : IIS 5.0 On Windows 2000 Server

IIS 6.0 On Windows 2003 Server

Q.13 What is the TCP/IP port for a Global Catalog server (GC)?

Ans: TCP port 3268 (LDAP queries against the global catalog); 3269 is the SSL/TLS-protected equivalent. Ordinary LDAP to a domain partition stays on 389 (636 over SSL), so a firewall rule that only opens 389 will break global catalog lookups.

Q.14 Explain the Active Directory Log files?

Ans : The key files are:

  • ntds.dit
  • edb.log
  • res1.log
  • res2.log
  • edb.chk

When a change is made to the Active Directory database, triggering a write operation, Windows 2000 first records the transaction in the current log file (edb.log). Once the change is in the log, it is written to the AD database; how quickly that happens depends on system load. On a clean shutdown, all outstanding transactions are written to the database.

During the installation of AD, Windows creates two reserve files, res1.log and res2.log, 10 MB each. They exist so that in-flight transactions can still be logged should the volume run out of free space. The checkpoint file (edb.chk) records which log transactions have been committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to edb.chk, so that on reboot AD knows every transaction in edb.log has been committed. If edb.chk is missing on reboot or the shutdown statement isn't present, AD replays edb.log to bring the database up to date.

The last file in the list is the AD database itself, ntds.dit. By default it lives in %systemroot%\NTDS along with the other files discussed here; during the installation of AD (by running DCpromo) you can specify different locations for the database and the log files, as shown in Figure 1. Because ntds.dit holds the password hashes of every account in the domain, any copy of it (System State backups, snapshots, or the spare copies made during an offline defrag) must be protected as strictly as the domain controller itself.

Figure 1. The default locations for the Active Directory database and log files.
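The write-ahead sequence described above (log first, database later, checkpoint in between) is easier to reason about with a small model. The following is an added example, not part of the original page and not ESE or Windows code: a toy store with a log, a database and a checkpoint, plus a recovery routine that does at startup what the text says AD does. All names (Store, recover, the DNs used as keys) and the workload are assumptions made for the illustration.

```python
"""Toy model of the edb.log / edb.chk / ntds.dit interplay. Added example,
not part of the original page and not ESE code: every change is appended to
the log before it reaches the database, a checkpoint records how far the log
has been applied, and startup replays whatever the checkpoint does not cover.
Names and scenarios are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LogRecord:
    seq: int      # log sequence number, strictly increasing
    key: str      # object being written (a DN here)
    value: str    # attribute value written


@dataclass
class Checkpoint:
    applied_seq: int              # last log record known to be in the database
    clean_shutdown: bool = False  # the "shutdown" statement written at shutdown


@dataclass
class Store:
    database: Dict[str, str] = field(default_factory=dict)  # stands in for ntds.dit
    log: List[LogRecord] = field(default_factory=list)      # stands in for edb.log
    checkpoint: Optional[Checkpoint] = None                 # stands in for edb.chk

    def write(self, key: str, value: str) -> int:
        """Write-ahead: the record is durable in the log before the database sees it."""
        rec = LogRecord(len(self.log) + 1, key, value)
        self.log.append(rec)
        return rec.seq

    def lazy_writer(self, upto: Optional[int] = None) -> int:
        """Background flush: apply log records to the database, then advance edb.chk."""
        start = self.checkpoint.applied_seq if self.checkpoint else 0
        end = len(self.log) if upto is None else min(upto, len(self.log))
        for rec in self.log[start:end]:
            self.database[rec.key] = rec.value
        self.checkpoint = Checkpoint(applied_seq=end, clean_shutdown=False)
        return end

    def shutdown(self) -> None:
        """Clean shutdown: flush everything, then record the shutdown marker."""
        self.lazy_writer()
        self.checkpoint.clean_shutdown = True


def recover(store: Store) -> int:
    """Startup check; returns how many log records had to be replayed.

    Replay is skipped only when edb.chk exists, carries the shutdown marker and
    covers the whole log. Otherwise everything after the checkpoint is reapplied
    (from the beginning if edb.chk is missing). Reapplying is idempotent, so a
    checkpoint that understates progress is harmless; one that overstated it
    would silently lose writes, which is why the checkpoint only advances after
    the database write has completed."""
    chk = store.checkpoint
    if chk is not None and chk.clean_shutdown and chk.applied_seq == len(store.log):
        return 0
    start = chk.applied_seq if chk is not None else 0
    for rec in store.log[start:]:
        store.database[rec.key] = rec.value
    store.checkpoint = Checkpoint(applied_seq=len(store.log), clean_shutdown=False)
    return len(store.log) - start


def _populate() -> Store:
    """Constructed workload: three writes, only the first flushed by the lazy writer."""
    s = Store()
    s.write("cn=jsmith,ou=Sales,dc=rallencorp,dc=com", "title=Analyst")
    s.write("cn=jsmith,ou=Sales,dc=rallencorp,dc=com", "title=Manager")
    s.lazy_writer(upto=1)
    s.write("cn=rallen,ou=IT,dc=rallencorp,dc=com", "title=Admin")
    return s


def crash_scenario() -> Tuple[int, Dict[str, str]]:
    """Power loss: edb.chk lags the log and carries no shutdown marker."""
    s = _populate()
    return recover(s), dict(s.database)


def missing_checkpoint_scenario() -> Tuple[int, Dict[str, str]]:
    """edb.chk deleted or unreadable: the whole log is replayed."""
    s = _populate()
    s.checkpoint = None
    return recover(s), dict(s.database)


def clean_scenario() -> Tuple[int, Dict[str, str]]:
    """Clean shutdown: nothing to replay."""
    s = _populate()
    s.shutdown()
    return recover(s), dict(s.database)


if __name__ == "__main__":
    for name, fn in [("crash", crash_scenario), ("no edb.chk", missing_checkpoint_scenario),
                     ("clean", clean_scenario)]:
        replayed, db = fn()
        print(f"{name:>10}: replayed {replayed} record(s); {db}")
```

Run it and the crash case replays two records, the missing-checkpoint case all three, and the clean shutdown none; all three end with the same database contents. The property worth noticing is that replay is idempotent, which is exactly why a stale or absent edb.chk is safe while a checkpoint that claimed more progress than the database really had would not be.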

Q.1 What do the .edb and .stm files contain in Exchange 2000?

Answer: The .edb file contains all the folders, tables and indexes for messaging data, plus MAPI messages and attachments. The .stm (streaming) file, new in Exchange 2000, contains Internet (MIME) content in its native format.

Note: (*.edb + *.stm) + (*.log) = database

Q.2 Where is the Directory Service database stored in Exchange 5.5?

Answer: In dir.edb, under C:\exchsrvr\DSADATA by default.

Q.3 Mention the types of Routing Group Connectors in Exchange 2000.

ANSWER: A Routing Group is a collection of Exchange servers that communicate with each other directly over the same internal network or another reliable connection.

When multiple Routing Groups must be created, each group must be connected to the others using one of three available Exchange connector types:

  • Routing Group Connector: the default connector type. It can use one or several bridgehead servers on each side, so message traffic can be load balanced across them.
  • SMTP Connector: uses the Simple Mail Transfer Protocol to connect and communicate with remote Routing Groups, non-Exchange mail systems, and Internet mail hosts.
  • X.400 Connector: limited to a single local and a single remote host; primarily designed for communication between Exchange Server (2000 and 2003) and X.400 mail systems.

Mixed Mode

When an Exchange 2000/2003 organization is in mixed mode, a Routing Group can only contain servers that were installed directly into the Administrative Group where the Routing Group resides. Servers from other Administrative Groups cannot be added to the Routing Group.

Native Mode

After the organization has been switched to native mode, Exchange servers can be moved between Routing Groups, and a Routing Group in one Administrative Group can contain servers from other Administrative Groups.



Q.4 What are the features of Active Directory in Windows 2000?

ANSWER: The features of Active Directory in Windows 2000 can be categorized as:

  • Manageability: centralized management, Group Policy, Global Catalog, IntelliMirror desktop management, automated software distribution, Active Directory Service Interfaces (ADSI), backward compatibility, delegated administration, multi-master replication
  • Security: Kerberos authentication, smart card support, transitive domain trusts, PKI/X.509, LDAP over SSL, required authentication mechanism, attribute-level security, spanning security groups, LDAP ACL support
  • Interoperability: DirSync support, Active Directory Connectors, open APIs, native LDAP, DNS naming, open change history, DEA platform, DEN platform, extensible schema



Q.5 What are the features of Exchange 2003 over Exchange 2000?

Answer:
  • Better anti-spam tools: a comprehensive set of connection, recipient and sender filters
  • Improved queue management
  • Smoother integration with IIS
  • Enhanced OWA, now including a spell checker and S/MIME support with X.509 certificates
  • Outlook Mobile Access (OMA), which functions like OWA for mobile devices
  • Cached Exchange Mode in Outlook 2003: cached mode creates a local data file that Outlook uses for all foreground activity, then synchronizes with the Exchange server in the background
  • Volume Shadow Copy Service (VSS) support for database backup and recovery
  • Mailbox Recovery Center
  • Recovery Storage Group
  • Kerberos authentication between front-end and back-end servers
  • Distribution lists can be restricted to authenticated senders
  • Queues are centralized on a per-server basis
  • Move log files and queue data using Exchange System Manager
  • Multiple Mailbox Move tool
  • Query-based (dynamic) distribution lists
  • About 1,700 Exchange-specific events monitored through Microsoft Operations Manager (requires Microsoft Operations Manager)
  • Deployment and migration tools

Q.5 How will you upgrade from Exchange 2000 to Exchange 2003?

Answer: See http://www.microsoft.com/technet/prodtechnol/exchange/2003/upgrade.mspx

Q.6 What are the precautions to be taken before a disaster recovery in Exchange 2000?

Answer: See http://www.microsoft.com/downloads/details.aspx?FamilyID=6E55DD49-8A6C-4F30-947E-BDE95917F585&displaylang=en

Q.7 How do you restore Group Policies?

Answer:

http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/dcgpofix.asp

dcgpofix recreates only the two built-in GPOs (Default Domain Policy and Default Domain Controllers Policy) in their out-of-the-box state; it does not bring back any setting you added to them, and it does nothing for other GPOs. For everything else you need a GPMC backup:

Backup and Restore

From GPMC, it is easy to perform backup and restore operations. Backup and restore operation options are context-sensitive, depending on where you are within the Group Policy Objects node.

Backup Individual GPO(s)

  1. Click on the Group Policy Objects node to display all GPOs in the domain.
  2. Select the target GPO(s) for backup. For multiple GPOs:
    1. For a range of GPOs, select the first GPO, press SHIFT and click on the last GPO.
    2. For multiple non-contiguous GPOs, select the first GPO, press CTRL and click on other GPOs.
  3. Right-click and select Backup...
  4. On the next window, specify the backup directory and description and click Back Up.
  5. Click OK when done.

Backup All GPOs

This operation is normally performed by domain administrators.

  1. Select the Group Policy Object node.
  2. Right-click and select Backup All...
  3. Specify the backup directory and description and click Back Up.
  4. Click OK when done.

Restore GPO

  1. Within the Group Policy Object node, select the target GPO.
  2. Right-click and select Restore from Backup... This will launch the Restore Group Policy Object Wizard.
  3. Click Next.
  4. Specify the correct backup folder location.
  5. If multiple backups have been done, choose the correct backup version. The Source GPO window displays the GPO name, backup timestamp and description. You can also check the settings on the source GPO by clicking on the View Settings... button.
  6. Click Next.
  7. Click Finish when ready to restore.
  8. Click OK when done. You have now restored the GPO.

A GPMC backup contains the GPO's settings and its permissions, but not the site, domain or OU links and not the WMI filter objects it refers to, so record those separately before you need them. The backup folder must also be trustworthy: anyone who can write to it can plant policy settings that a later restore will apply domain-wide, so give it the same access controls as the GPOs themselves.

Also see the following link:

http://support.microsoft.com/default.aspx?scid=kb;en-us;842252

Q.8 What is the function of the NNTP service in Exchange 2000?

Answer: While installing Exchange 2000, setup creates a default Network News Transfer Protocol (NNTP) virtual server. You can use this virtual server to house a feed from other news servers.

The default NNTP virtual server can be used to create feeds into a Public Folder store (Internet Newsgroups). For other storage media (a file system directory or a remote share), you must create a new virtual server.

If you do not host newsgroups, disable the NNTP service: it listens on TCP port 119 and is one more protocol exposed on the Exchange server for no benefit.

Network News Transfer Protocol

Because NNTP is still widely used, it is worth taking a brief look at the architecture of this protocol before discussing the more pragmatic aspects of administering NNTP on your network.

NNTP Architecture

NNTP specifies a way to distribute, query, retrieve, and post news articles on the Internet. A client wanting to retrieve a subset of articles from the database is called a subscriber. NNTP allows a subscriber to request a subset of articles rather than requiring the retrieval of all articles from the database. Before NNTP was developed, two methods of distributing news items were popular: Internet mailing lists and the Usenet news system.

An Internet mailing list, commonly known as a list server, distributes news by the use of distribution e-mail lists. A subscriber sends a message to the distribution list, and the message is e-mailed to all of the members of the list. But sending a separate copy of an e-mail to each subscriber can consume a large amount of disk space, bandwidth, and CPU resources. In addition, it can take from several minutes to several hours for the message to be fully distributed, depending on the size of the list and the physical resources available to propagate it. Maintaining the subscriber list also involves significant administrative effort, unless a third-party program is used to automate this function.

Storing and retrieving messages from a central location instead of sending an email to each subscriber can significantly reduce the use of these resources. The Usenet news system provides this alternative. In addition, Usenet allows a subscriber to select only those messages he or she wants to read and also provides indexing, cross-referencing, and message expiration.

NNTP is modeled on the Usenet news specifications in RFC 850, but it is designed to make fewer demands on the structure, content, and storage of the news articles. It runs as a background service on one host and can accept connections from other hosts on the LAN or over the Internet.

When a subscriber connects to an NNTP server, the subscriber issues the NEWSGROUPS command to determine whether any new newsgroups have been created on the server. If so, the server notifies the subscriber and gives the subscriber the opportunity to subscribe to the new newsgroups. After this, the subscriber is connected to the desired newsgroup and can use the NEWNEWS command to ask the server whether any new articles have been posted since the subscriber's last connection. The subscriber receives a list of new articles from the server and can request transmission of some or all of those articles. Finally, the subscriber can either reply to a news article or post a new article to the server by using the POST command.

NNTP uses TCP for its connections and SMTP-like commands and responses. The default TCP port for NNTP is 119. An NNTP command consists of a command word followed in some cases by parameters, and commands are not case sensitive. Each line can contain only one command and may not exceed 512 characters, including spaces, punctuation, and the trailing CR-LF (carriage return/line feed) sequence. Commands cannot be continued on the next line.

Responses from the server can take the form of a text response or a status response. Text responses are displayed in the subscriber's client program, whereas status responses are interpreted by the client program before any display occurs.
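As an added example, not code from the original page or from Microsoft, here is the exchange described above (NEWSGROUPS, NEWNEWS, then POST) played between a small client and a scripted server in Python. Beyond the command/response shape it shows the two framing rules an implementer has to enforce: the 512-character command limit, and dot-stuffing of article lines, without which a posted line consisting of a single "." terminates the article early. Newsgroup names, message IDs and server replies are constructed for the example; class and function names are assumptions.

```python
"""Minimal NNTP framing plus a scripted server replaying the session described
above (NEWSGROUPS, NEWNEWS, POST). Added example, not from the original page or
any Microsoft code; newsgroup names, message IDs and replies are constructed."""
CRLF = "\r\n"
MAX_LINE = 512  # RFC 977: command line limit, CRLF included
TEXT_RESPONSES = {215, 220, 221, 222, 230, 231}  # codes followed by a text block


def build_command(word, *params):
    """One command per line, case-insensitive keyword, no continuation lines."""
    line = " ".join((word.upper(),) + params) + CRLF
    if len(line) > MAX_LINE:
        raise ValueError("command line exceeds %d characters" % MAX_LINE)
    if "\r" in line[:-2] or "\n" in line[:-2]:
        raise ValueError("a command cannot be continued on the next line")
    return line


def parse_status(line):
    """'230 list of new articles follows' -> (230, 'list of new articles follows')."""
    code, _, text = line.rstrip(CRLF).partition(" ")
    if len(code) != 3 or not code.isdigit():
        raise ValueError("malformed status line: %r" % line)
    return int(code), text


def dot_stuff(lines):
    """Sender side of a text block: a body line of '.' would otherwise end the
    block early, so every line starting with '.' gets one more '.' in front."""
    return [("." + l) if l.startswith(".") else l for l in lines] + ["."]


def read_text_block(lines):
    """Receiver side: consume up to the lone '.' terminator, undoing the stuffing."""
    out = []
    for raw in lines:
        line = raw.rstrip(CRLF)
        if line == ".":
            return out
        out.append(line[1:] if line.startswith("..") else line)
    raise ValueError("text block not terminated by '.'")


class FakeServer:
    """Scripted replies with constructed data, enough to drive the client."""
    new_groups = ["comp.security.announce 2 1 y"]
    new_articles = ["<a1@news.example>", "<a2@news.example>"]

    def __init__(self):
        self.posted = []

    def handle(self, command_line):
        word = command_line.rstrip(CRLF).split(" ", 1)[0].upper()
        if word == "NEWSGROUPS":
            return ["231 list of new newsgroups follows"] + self.new_groups + ["."]
        if word == "NEWNEWS":
            return ["230 list of new articles follows"] + self.new_articles + ["."]
        if word == "POST":
            return ["340 send article to be posted. End with <CR-LF>.<CR-LF>"]
        return ["500 command not recognized"]

    def receive_article(self, lines):
        self.posted.append(read_text_block(lines))  # server un-stuffs on receipt
        return "240 article posted ok"


class Session:
    """Client side; records both directions as ('C'|'S', line)."""

    def __init__(self, server):
        self.server, self.transcript = server, []

    def command(self, word, *params):
        line = build_command(word, *params)
        self.transcript.append(("C", line.rstrip(CRLF)))
        replies = iter(self.server.handle(line))
        code, text = parse_status(next(replies))
        self.transcript.append(("S", "%d %s" % (code, text)))
        body = read_text_block(replies) if code in TEXT_RESPONSES else []
        return code, body

    def post(self, article_lines):
        code, _ = self.command("POST")
        if code != 340:
            return code
        wire = dot_stuff(article_lines)
        self.transcript.extend(("C", l) for l in wire)
        code, text = parse_status(self.server.receive_article(iter(wire)))
        self.transcript.append(("S", "%d %s" % (code, text)))
        return code


def run_session():
    """Replay the subscriber flow from the text; return what each step yielded."""
    server = FakeServer()
    s = Session(server)
    _, groups = s.command("NEWSGROUPS", "090830", "000000", "GMT")
    _, ids = s.command("NEWNEWS", "comp.security.announce", "090830", "000000", "GMT")
    article = ["From: analyst@example.org", "Newsgroups: comp.security.announce",
               "Subject: constructed test post", "", "body text", ".sig line", "."]
    code = s.post(article)
    return {"groups": groups, "article_ids": ids, "post_code": code,
            "stored": server.posted[0], "transcript": s.transcript}
```

Print run_session()["transcript"] to see the wire exchange: the ".sig line" and the bare "." inside the article go out as "..sig line" and ".." and come back unchanged on the server side. The same terminator-injection problem exists for any line-oriented protocol with an in-band end marker (SMTP DATA uses the identical rule), and a client that skips the stuffing lets an article body end the transaction early and leave the remaining lines to be parsed as commands.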

Q.9 What is the Recipient Update Service in Exchange 2000?

Answer: The Recipient Update Service (RUS) is a very important component of an Exchange installation: it is the RUS that updates address lists and stamps e-mail addresses (proxyAddresses) on recipient objects in Active Directory.

A default Exchange organization has two RUS objects:

  (a) Enterprise Configuration RUS: responsible for updating the e-mail addresses of the system objects such as the MTA and the System Attendant.

  (b) Domain RUS: responsible for updating the address information for recipient objects in the domain it is responsible for. One is needed for every domain that contains mailbox-enabled or mail-enabled objects.

Q.10 What is the function of the Default SMTP Virtual Server in Exchange 2000?

Answer: The SMTP virtual server plays a critical role in mail delivery; SMTP virtual servers are the Exchange mechanism for managing SMTP. The default SMTP virtual server sends messages within a routing group. Additionally, if the server is a domain controller, Active Directory can use this virtual server for SMTP-based (inter-site) directory replication.

An SMTP virtual server is defined by a unique combination of IP address and port number. The default SMTP virtual server listens on all available IP addresses (All Unassigned) on TCP port 25 for inbound connections. A single physical server can host many virtual servers, as long as each has a distinct address/port pair.

16.1 Backing Up Active Directory

16.1.1 Problem

You want to back up Active Directory to tape or disk.

16.1.2 Solution

Back up the System State, which includes the Active Directory-related files on the domain controller. Here are the directions for backing up the System State using the NtBackup utility that comes installed on Windows 2000 and Windows Server 2003 computers. Two cautions: a System State backup contains ntds.dit, and with it every password hash in the domain, so store it with the same care as the domain controller; and a backup older than the tombstone lifetime (60 days by default) cannot be used to restore a domain controller, so the backup schedule must run well inside that window.

16.1.2.1 Using a graphical user interface

  1. Go to Start → All Programs (or Programs for Windows 2000) → Accessories → System Tools → Backup.
  2. Click the Advanced Mode link.
  3. Click the Backup tab.
  4. Check the box beside System State.
  5. Check the box beside any other files, directories, or drives you would also like to back up.
  6. For Backup destination, select either File or Tape depending on where you want to back up the data to.
  7. For Backup media or file name, type the name of a file or select the tape to save the backup to.
  8. Click the Start Backup button twice.

16.1.2.2 Using a command-line interface

The NtBackup utility supports several command-line parameters that you can use to initiate backups without ever bringing up the GUI.

For the complete list of supported commands on Windows 2000, see MS KB 300439 (How to Use Command Line Parameters With the "Ntbackup" Command).

For the complete list of supported commands on Windows Server 2003, see MS KB 814583 (HOW TO: Use Command Line Parameters with the Ntbackup Command in Windows Server 2003).

16.2 Restarting a Domain Controller in Directory Services Restore Mode

16.2.1 Problem

You want to restart a domain controller in DS Restore Mode.

16.2.2 Solution

To enter DS Restore Mode, you must reboot the server at the console. Press F8 after the power-on self test (POST), which brings up the boot menu shown in Figure 16-1. From the menu, select Directory Services Restore Mode. In this mode the directory service is not running; you log on with the local DSRM administrator account and password (see Recipe 16.3), not with a domain account.

Figure 16-1. Boot options

16.3 Resetting the Directory Service Restore Mode Administrator Password

16.3.1 Problem

You want to reset the DS Restore Mode administrator password. This password is set individually (i.e., not replicated) on each domain controller, and is initially configured when you promote the domain controller into a domain.

16.3.2 Solution

16.3.2.1 Using a graphical user interface

  1. For this to work you must be booted into DS Restore Mode (see Recipe 16.2 for more information).
  2. Go to Start → Run.
  3. Type compmgmt.msc and press Enter.
  4. In the left pane, expand System Tools → Local Users and Groups.
  5. Click on the Users folder.
  6. In the right pane, right-click on the Administrator user and select Set Password.
  7. Enter the new password and confirm, then click OK.

16.3.2.2 Using a command-line interface

With the Windows Server 2003 version of ntdsutil, you can change the DS Restore Mode administrator password of a domain controller while it is live (i.e., not in DS Restore Mode). Another benefit of this option is that you can run it against a remote domain controller. Here is the sample output when run against domain controller DC1.

> ntdsutil "set dsrm password" "reset password on server DC1"
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server DC1
Please type password for DS Restore Mode Administrator Account: **********
Please confirm new password: **********
Password has been set successfully.

Microsoft added a new command in Windows 2000 Service Pack 2 and later called setpwd. It works similarly to the Windows Server 2003 version of ntdsutil by allowing you to reset the DS Restore Mode password while a domain controller is live. It can also be used remotely.

Treat the DSRM password as a domain-controller credential, not a housekeeping detail: it is stored locally on each DC, is never replicated, and whoever holds it has full control of that DC's copy of the directory once the machine is booted into DSRM. Set it to a distinct strong value on every DC, keep it in the same vault as your domain administrator credentials, and rotate it when staff who knew it leave.

16.4 Performing a Nonauthoritative Restore

16.4.1 Problem

You want to perform a nonauthoritative restore of a domain controller. This can be useful if you want to quickly restore a domain controller that failed due to a hardware problem: after the restore, normal replication brings the DC up to date with the changes made elsewhere since the backup was taken.

16.4.2 Solution

16.4.2.1 Using a graphical user interface

  1. You must first reboot into Directory Services Restore Mode (see Recipe 16.2 for more information).
  2. Open the NT Backup utility; go to Start → All Programs (or Programs for Windows 2000) → Accessories → System Tools → Backup.
  3. Click the Advanced Mode link.
  4. Under the Welcome tab, click the Restore Wizard button and click Next.
  5. Check the box beside System State and any other drives you want to restore and click Next.
  6. Click the Advanced button.
  7. Select Original location for Restore files to.
  8. For the How to Restore option, select Replace existing files and click Next.
  9. For the Advanced Restore Options, be sure that the following are checked: Restore Security Settings, Restore junction points, and Preserve existing mount volume points. Then click Next.
  10. Click Finish.
  11. Restart the computer.

16.5 Performing an Authoritative Restore of an Object or Subtree

16.5.1 Problem

You want to perform an authoritative restore of one or more objects, but not the entire Active Directory database.

16.5.2 Solution

Follow the same steps as Recipe 16.4, except after the restore has completed, do not restart the computer.

To restore a single object, run the following:

> ntdsutil "auth restore" "restore object cn=jsmith,ou=Sales,dc=rallencorp,dc=com" q

To restore an entire subtree, run the following:

> ntdsutil "auth restore" "restore subtree ou=Sales,dc=rallencorp,dc=com" q

Restart the computer. An authoritative restore works by raising the version numbers of the restored objects so that they win replication against every other domain controller; anything changed on those objects since the backup was taken is overwritten everywhere.

There are some issues related to restoring user, group, computer, and trust objects that you should be aware of (notably that group memberships may be lost and that computer and trust account passwords may have changed since the backup). See MS KB 216243 and MS KB 280079 for more information.

16.6 Performing a Complete Authoritative Restore

16.6.1 Problem

You want to perform a complete authoritative restore of the Active Directory database because something very bad has happened.

16.6.2 Solution

Follow the same steps as Recipe 16.4, except after the restore has completed, do not restart the computer.

Run the following command to restore the entire database:

> ntdsutil "auth restore" "restore database" q

Restart the computer. This marks every object in the DC's copy of the directory as authoritative, so every change made anywhere in the domain since the backup is discarded; it is a last resort, not a routine recovery step.

16.7 Checking the DIT File's Integrity

16.7.1 Problem

You want to check the integrity and semantics of the DIT file to verify there is no corruption or bad entries.

16.7.2 Solution

16.7.2.1 Using a command-line interface

First, reboot into Directory Services Restore Mode. Then run the following commands (the first is a low-level ESE page check; the second checks the directory's own consistency rules, such as reference counts and security descriptors):

> ntdsutil files integrity q q
> ntdsutil "semantic database analysis" "verbose on" go

16.8 Moving the DIT Files

16.8.1 Problem

You want to move the Active Directory DIT files to a new drive to improve performance or capacity.

16.8.2 Solution

16.8.2.1 Using a command-line interface

First, reboot into DS Restore Mode. Then run the following commands, in which <DriveAndFolder> is the new location where you want to move the files (e.g., d:\NTDS). ntdsutil moves the files and updates the paths recorded under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters for you; do not move them by hand. Afterwards check that the new folder is as tightly restricted as the original %systemroot%\NTDS (Administrators and SYSTEM only).

> ntdsutil files "move db to <DriveAndFolder>" q q
> ntdsutil files "move logs to <DriveAndFolder>" q q

16.9 Repairing or Recovering the DIT

16.9.1 Problem

You need to repair or perform a soft recovery of the Active Directory DIT because a power failure or some other failure caused the domain controller to enter an unstable state.

16.9.2 Solution

16.9.2.1 Using a command-line interface

First, reboot into DS Restore Mode.

Run the following command to perform a soft recovery, which replays the outstanding transaction log files into the database:

> ntdsutil files recover q q

If you continue to experience errors, you may need to run a repair, which does a low-level repair of the database but can result in loss of data (pages it cannot read are discarded), so take a copy of the NTDS folder first:

> ntdsutil files repair q q

If either the recover or the repair is successful, you should then check the integrity (see Recipe 16.7).

16.10 Performing an Online Defrag Manually

Note: This recipe must be run against a Windows Server 2003 domain controller.

16.10.1 Problem

You want to initiate an online defragmentation. This can be useful if you want to expedite the defrag process after deleting a bunch of objects. An online defrag rearranges pages inside ntds.dit but does not shrink the file; to reclaim disk space you need the offline defrag in Recipe 16.12.

16.10.2 Solution

16.10.2.1 Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection → Connect.
  3. For Server, enter the name of the target domain controller.
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection → Bind.
  7. Enter credentials of a user from one of the administrator groups.
  8. Click OK.
  9. From the menu, select Browse → Modify.
  10. Leave the Dn blank (the write goes to the rootDSE).
  11. For Attribute, enter DoOnlineDefrag.
  12. For Values, enter 180 (the maximum number of seconds the defrag pass may run).
  13. For Operation, select Add.
  14. Click Enter.
  15. Click Run.

16.10.2.2 Using a command-line interface

Create an LDIF file called online_defrag.ldf with the following contents (the empty dn: line targets the rootDSE):

dn:
changetype: modify
replace: DoOnlineDefrag
DoOnlineDefrag: 180
-

then run the following command:

> ldifde -v -i -f online_defrag.ldf

16.11 Determining How Much Whitespace Is in the DIT

16.11.1 Problem

You want to find the amount of whitespace in your DIT. A lot of whitespace in the DIT may mean that you could regain enough space on the disk to warrant performing an offline defrag.

16.11.2 Solution

16.11.2.1 Using a graphical user interface

  1. Run regedit.exe from the command line or Start → Run.
  2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics.
  3. In the right pane, double-click on 6 Garbage Collection.
  4. For Value data, enter 1.
  5. Click OK.

After the next garbage-collection pass (every 12 hours by default) the Directory Service event log records how much free space the online defrag found in the DIT. Set the value back to 0 once you have the number.

16.11.2.2 Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 1
 

16.12 Performing an Offline Defrag to Reclaim Space

16.12.1 Problem

You want to perform an offline defrag of the Active Directory DIT to reclaim whitespace in the DIT file.

16.12.2 Solution

16.12.2.1 Using a command-line interface

  1. First, reboot into Directory Services Restore Mode.
  2. Next, check the integrity of the DIT, as outlined in Recipe 16.7.
  3. Now you are ready to perform the defrag. Run the following command to create a compacted copy of the DIT file. Check that the drive on which you create the copy has plenty of space; a rule of thumb is that it should have at least 115% of the size of the current DIT available.

> ntdsutil files "compact to <TempDriveAndFolder>" q q

  4. Next, delete the transaction log files in the current NTDS directory.

> del <CurrentDriveAndFolder>\*.log

  5. You may want to keep a copy of the original DIT file for a short period of time to ensure nothing catastrophic happens to the compacted DIT. If you are going to copy or move the original version, be sure you have enough space in its new location. Remember that this spare copy contains every password hash in the domain: keep it on the domain controller under the same permissions as the NTDS folder, and delete it once the compacted DIT has proven good.
  6. Swap the files:

> move <CurrentDriveAndFolder>\ntds.dit <TempDriveAndFolder>\ntds_orig.dit
> move <TempDriveAndFolder>\ntds.dit <CurrentDriveAndFolder>\ntds.dit

  7. Repeat the steps in Recipe 16.7 to ensure the new DIT is not corrupted. If it is clean, reboot into normal mode and monitor the event log. If no errors are reported in the event log, make sure the domain controller is backed up as soon as possible.

16.13 Changing the Garbage Collection Interval

16.13.1 Problem

You want to change the default garbage collection interval.

16.13.2 Solution

16.13.2.1 Using a graphical user interface

  1. Open ADSI Edit.
  2. In the left pane, expand cn=Configuration → cn=Services → cn=Windows NT.
  3. Right-click on cn=Directory Service and select Properties.
  4. Edit the garbageCollPeriod attribute and set it to the interval in hours at which the garbage collection process should run (the default is 12 hours; because the object lives in the configuration partition, the setting applies to every domain controller in the forest).
  5. Click OK.

16.13.2.2 Using a command-line interface

Create an LDIF file called change_garbage_period.ldf with the following contents:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: garbageCollPeriod
garbageCollPeriod: <IntervalInHours>
-

then run the following command:

> ldifde -v -i -f change_garbage_period.ldf

16.14 Logging the Number of Expired Tombstone Objects

16.14.1 Problem

You want to log the number of expired tombstone objects that are removed from Active Directory during each garbage-collection cycle.

16.14.2 Solution

16.14.2.1 Using a graphical user interface

  1. Run regedit.exe from the command line or Start → Run.
  2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics.
  3. In the right pane, double-click on 6 Garbage Collection.
  4. For Value data, enter 3.
  5. Click OK.

16.14.2.2 Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 3

16.14.2.3 Using VBScript

' This code enables garbage collection logging on a domain controller.
' ------ SCRIPT CONFIGURATION ------
strDCName = "."   ' "." is the local machine; use a DC name to target a remote DC
intValue = 3      ' diagnostics level for "6 Garbage Collection"
' ------ END CONFIGURATION ---------

const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDCName & "\root\default:StdRegProv")
' Arguments: hive, key path, value name, value data
objReg.SetDWORDValue HKLM, strNTDSReg, "6 Garbage Collection", intValue
WScript.Echo "Garbage Collection logging enabled"

16.15 Determining the Size of the Active Directory Database

16.15.1 Problem

You want to determine the size of the Active Directory database.

16.15.2 Solution

16.15.2.1 Using a command-line interface

If you are in DS Restore Mode, you can use ntdsutil to report the size of the Active Directory database:

> ntdsutil files info

If you are not in DS Restore Mode and run this command, you will receive the following error message:

*** Error: Operation only allowed when booted in DS restore mode
        "set SAFEBOOT_OPTION=DSREPAIR" to override - NOT RECOMMENDED!

As you can see, it is possible to override this failure by setting the SAFEBOOT_OPTION environment variable to DSREPAIR, but this is not recommended unless you know what you are doing. With that variable set, ntdsutil will no longer stop you from running the other file operations (move, compact, repair) against a database that is open and in use by the live directory service, which can corrupt it.

Another method, which is safer and easier, is to bring up a command shell by going to Start → Run, typing cmd.exe, and pressing Enter. Then change to the directory that holds the ntds.dit file (%systemroot%\NTDS by default, or the path recorded in the DSA Database file value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters if the files were moved). Finally, run the dir command; the output shows the size of the files.

16.16 Searching for Deleted Objects

16.16.1 Problem

You want to search for deleted objects.

16.16.2 Solution

16.16.2.1 Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection → Connect.
  3. For Server, enter the name of a domain controller you want to target (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection → Bind.
  7. Enter credentials of a user that is an administrator for the domain.
  8. Click OK.
  9. From the menu, select Options → Controls.
  10. For Windows Server 2003, select the Return Deleted Objects control under Load Predefined.
  11. For Windows 2000, type 1.2.840.113556.1.4.417 for the Object Identifier and click the Check In button.
  12. Click OK.
  13. From the menu, select Browse → Search.
  14. For BaseDN, enter: cn=Deleted Objects,<DomainDN> (for example cn=Deleted Objects,dc=rallencorp,dc=com).
  15. For Scope, select One Level.
  16. For Filter, enter: (isDeleted=TRUE).
  17. Click the Options button.
  18. Under Search Call Type, select Extended.
  19. Click OK.
  20. Click Run.

A tombstone keeps only a handful of attributes (objectGUID, objectSid, sAMAccountName, distinguishedName and a few others); the rest are stripped at deletion, which is what limits what Recipe 16.17 can bring back.

16.16.2.2 Using a command-line interface

As of this writing, none of the standard command-line tools provide a way to search for deleted objects.

16.17 Restoring a Deleted Object

Note: This recipe must be run against a Windows Server 2003 domain controller.

16.17.1 Problem

You want to restore an object that was previously deleted.

16.17.2 Solution

16.17.2.1 Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection → Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection → Bind.
  7. Enter credentials of a user that can restore the deleted object (only administrators for the domain by default).
  8. Click OK.
  9. From the menu, select Options → Controls.
  10. Select Return deleted objects from the Load Predefined selection.
  11. Click OK.
  12. From the menu, select Browse → Modify.
  13. For Dn, enter the distinguished name of the deleted object you want to restore (the tombstone's DN under cn=Deleted Objects, as found in Recipe 16.16).
  14. For Attribute, enter distinguishedName.
  15. For Values, enter the original DN of the object.
  16. For Operation, select Replace.
  17. Click Enter.
  18. For Attribute, enter isDeleted.
  19. For Values, remove any text.
  20. For Operation, select Delete.
  21. Click Enter.
  22. Add mandatory attributes as necessary, repeating the next three steps for each one. The restored object comes back with only the few attributes the tombstone preserved (objectSid, objectGUID, sAMAccountName and the like); group memberships, the password and most other attributes must be set again afterwards.
  23. For Attribute, enter the name of the mandatory attribute.
  24. For Values, enter its value.
  25. For Operation, select Add.
  26. Check the box beside Extended.
  27. Click Run.
  28. The results will be displayed in the right pane.

18 Modifying the Tombstone Lifetime for a Domain

16.18.1 Problem

You want to change the default tombstone lifetime for a domain.

16.18.2 Solution

16.18.2.1 Using a graphical user interface

1. Open ADSI Edit.

2. In the left pane, expand cn=Configuration → cn=Services → cn=Windows NT.

3. Right-click on cn=Directory Service and select Properties.

4. Set the tombstoneLifetime attribute to the number of days that tombstone objects should remain in Active Directory before getting removed completely (the default is 60 days).

5. Click OK.

16.18.2.2 Using a command-line interface

Create an LDIF file called change_tombstone_lifetime.ldf with the following contents:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <NumberOfDays>
-

then run the following command:

> ldifde -v -i -f change_tombstone_lifetime.ldf

DNS in Windows 2000

Introduction

Active Directory is tightly coupled with the Domain Name System (DNS). Both clients and domain controllers use DNS to locate domain controllers in a particular site or that serve a particular function. Each domain controller requires numerous resource records to be present in DNS so it can advertise its services as a domain controller, global catalog server, PDC Emulator, etc. For a detailed description of each of these records plus much more on DNS, see Chapter 6 in Active Directory, Second Edition (O'Reilly).

One of the innovative uses of Active Directory is as a store of DNS data. Instead of using the antiquated primary and secondary zone transfer method or even the more recent NOTIFY method (RFC 1996) to replicate zone data between servers, AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

The Anatomy of a DNS Object

The only time DNS data is stored in Active Directory is if you have a zone that is AD-integrated. When using standard primary and secondary zones that are not AD-integrated, the DNS data is stored locally in the file system of each DNS server in zone files. If you have an AD-integrated zone under Windows 2000, a container is created in the following location: cn=<ZoneName>,cn=MicrosoftDNS,cn=System,<DomainDN>, where <ZoneName> is the name of the zone. For Windows Server 2003, you can use application partitions to store DNS data in an alternate location. By default, there are three options:

· Store DNS data on all domain controllers in a domain (only option for Windows 2000).

· Store DNS data on all domain controllers that are DNS servers in the domain.

· Store DNS data on all domain controllers that are DNS servers in the forest.

The default location for the second option is dc=DomainDNSZones,<DomainDN>, and for the third option, it is dc=ForestDNSZones,<ForestRootDN>. These two locations are actually application partitions that are replicated only to the domain controllers that are DNS servers in the domain or forest, respectively.

Inside the MicrosoftDNS container is a dnsZone object for each AD-integrated zone. Inside the dnsZone container are dnsNode objects, which store all resource records associated with a particular node. In the following textual representation of an A record, the dc1.rallencorp.com name is considered a node (generally the left side of the resource record).

dc1.rallencorp.com. 600 IN A 6.10.57.21

There could be multiple resource records associated with the dc1.rallencorp.com name, so Microsoft decided to implement each distinct name as a dnsNode object. The dnsNode object has a dnsRecord attribute, which is multivalued and contains all of the resource records associated with that node. Unfortunately, the contents of that attribute are stored in a binary format and are not directly readable.
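Because dnsRecord is binary, reading zone contents straight out of the directory (for an audit of what a zone really holds) means decoding that format. The following Python is an added example, not code from the page: it encodes and decodes dnsRecord values using the DNS_RPC_RECORD layout from the MS-DNSP specification (including the type-0 form a tombstoned node carries, also from that specification), with a sample built to match the A record above; the serial and timestamp values are constructed.

```python
"""Decode and encode the binary dnsRecord attribute found on dnsNode objects.

Added example, not code from the original page. The field layout follows the
DNS_RPC_RECORD structure in the MS-DNSP specification (section 2.3.2.2): a
24-byte header followed by DataLength bytes of type-specific data.
"""
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # base of TimeStamp and FILETIME
TYPE_NAMES = {0: "ZERO", 1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA"}
TYPE_CODES = {name: code for code, name in TYPE_NAMES.items()}
COUNT_NAME_TYPES = {"NS", "CNAME", "PTR"}  # rdata is a DNS_COUNT_NAME
RANK_ZONE = 0xF0                           # authoritative record from the zone itself

# struct cannot mix byte orders in one format string, and TtlSeconds is the lone
# big-endian field, so the header is handled in three parts.
_HEAD_LE = struct.Struct("<HHBBHL")  # DataLength, Type, Version, Rank, Flags, Serial
_TTL_BE = struct.Struct(">L")        # TtlSeconds
_TAIL_LE = struct.Struct("<LL")      # Reserved, TimeStamp (hours since 1601; 0 = static)
HEADER_LEN = _HEAD_LE.size + _TTL_BE.size + _TAIL_LE.size  # 24


def _encode_count_name(fqdn):
    """Serialize 'a.b.c.' as DNS_COUNT_NAME: Length, LabelCount, length-prefixed labels, 0."""
    labels = [label for label in fqdn.rstrip(".").split(".") if label]
    raw = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def _decode_count_name(data):
    length, label_count = data[0], data[1]
    raw = data[2:2 + length]
    labels, pos = [], 0
    while raw[pos] != 0:
        size = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + size].decode("ascii"))
        pos += 1 + size
    if len(labels) != label_count:
        raise ValueError("DNS_COUNT_NAME label count does not match its labels")
    return ".".join(labels) + "."


def encode_dns_record(rtype, rdata, ttl, serial, timestamp_hours=0):
    """Build one dnsRecord value. timestamp_hours=0 marks the record as static (not aged)."""
    if rtype == "A":
        data = ipaddress.IPv4Address(rdata).packed
    elif rtype == "AAAA":
        data = ipaddress.IPv6Address(rdata).packed
    elif rtype in COUNT_NAME_TYPES:
        data = _encode_count_name(rdata)
    elif rtype == "ZERO":
        # Tombstoned node: data is a FILETIME (100 ns ticks since 1601) of the deletion.
        delta = rdata - EPOCH_1601
        ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
        data = struct.pack("<Q", ticks)
    else:
        raise ValueError(f"unsupported record type {rtype}")
    head = _HEAD_LE.pack(len(data), TYPE_CODES[rtype], 5, RANK_ZONE, 0, serial)
    return head + _TTL_BE.pack(ttl) + _TAIL_LE.pack(0, timestamp_hours) + data


def decode_dns_record(blob):
    """Parse one dnsRecord value into a dict with the record text and its aging timestamp."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    data_len, rtype, version, rank, _flags, serial = _HEAD_LE.unpack_from(blob, 0)
    (ttl,) = _TTL_BE.unpack_from(blob, 12)
    _reserved, ts_hours = _TAIL_LE.unpack_from(blob, 16)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord DataLength exceeds the value length")
    name = TYPE_NAMES.get(rtype, f"TYPE{rtype}")
    if name == "A":
        rdata = str(ipaddress.IPv4Address(data))
    elif name == "AAAA":
        rdata = str(ipaddress.IPv6Address(data))
    elif name in COUNT_NAME_TYPES:
        rdata = _decode_count_name(data)
    elif name == "ZERO":
        (filetime,) = struct.unpack("<Q", data)
        rdata = EPOCH_1601 + timedelta(microseconds=filetime // 10)
    else:
        rdata = data.hex()  # unknown type: hand back the raw bytes
    return {
        "type": name, "data": rdata, "ttl": ttl, "serial": serial,
        "rank": rank, "version": version,
        # 0 means a static record that aging and scavenging ignore
        "timestamp": None if ts_hours == 0 else EPOCH_1601 + timedelta(hours=ts_hours),
    }


# Constructed sample: the A record from the text as it would be stored on the
# dc=dc1 dnsNode. Serial and timestamp are made-up values.
SAMPLE_A = encode_dns_record("A", "6.10.57.21", ttl=600, serial=42, timestamp_hours=3_500_000)

if __name__ == "__main__":
    for blob in (SAMPLE_A, encode_dns_record("CNAME", "dc1.rallencorp.com.", 3600, 42)):
        print(decode_dns_record(blob))
```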

Table 13-1 and Table 13-2 contain some of the interesting attributes that are available on dnsZone and dnsNode objects, respectively.

Table 13-1. Attributes of dnsZone objects

Attribute                        Description
dc                               Relative distinguished name of the zone.
dnsProperty                      Binary formatted string that stores configuration information about the zone.
msDS-Approx-Immed-Subordinates   Approximate number of nodes contained within the zone. This is new to Windows Server 2003.

Table 13-2. Attributes of dnsNode objects

Attribute                        Description
dc                               Relative distinguished name of the node.
dnsRecord                        Binary formatted multivalued attribute that stores the resource records associated with the node.
dnsTombstoned                    Boolean that indicates whether the node is marked for deletion. FALSE means it is not and TRUE means that it is.

1 Creating a Forward Lookup Zone

13.1.1 Problem

You want to create a forward lookup zone. A forward lookup zone maps names to IP addresses or other names.

13.1.2 Solution

13.1.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Expand the server in the left pane and click on Forward Lookup Zones.

4. Right-click on Forward Lookup Zones and select New Zone.

5. Click Next.

6. Select the zone type and click Next.

7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to. Click Next after you make your selection. (This only applies for Windows Server 2003.)

8. Enter the zone name and click Next.

9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

13.1.2.2 Using a command-line interface

The following command creates an AD-Integrated zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

2 Creating a Reverse Lookup Zone

13.2.1 Problem

You want to create a reverse lookup zone. A reverse lookup zone maps IP addresses to names.

13.2.2 Solution

13.2.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Expand the server in the left pane and click on Reverse Lookup Zones.

4. Right-click on Reverse Lookup Zones and select New Zone.

5. Click Next.

6. Select the zone type and click Next.

7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to. Click Next after you make your selection. (This only applies for Windows Server 2003.)

8. Type the Network ID for the reverse zone or enter a reverse zone name to use.

9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

13.2.2.2 Using a command-line interface

The following command creates an AD-integrated reverse zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

3 Viewing a Server's Zones

13.3.1 Problem

You want to view the zones on a server.

13.3.2 Solution

13.3.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. Right-click on DNS in the left pane and select Connect to DNS Server.

3. Enter the server you want to connect to and click Enter.

4. In the left pane, expand the server and click Forward Lookup Zones and Reverse Lookup Zones to view the supported zones.

13.3.2.2 Using a command-line interface
> dnscmd <DNSServerName> /enumzones
13.3.2.3 Using VBScript
' This code lists the zones that are supported by the specified server.
' ------ SCRIPT CONFIGURATION ------
strServer = "<DNSServerName>"  ' e.g. dc1.rallencorp.com
' ------ END CONFIGURATION ---------

' Connect to the WMI DNS provider on the target server
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' Enumerate every zone instance hosted by that server
set objZones = objDNS.ExecQuery("Select * from MicrosoftDNS_Zone " & _
                                "Where DnsServerName = '" & _
                                objDNSServer.Name & "'")
WScript.Echo "Zones on " & objDNSServer.Name
for each objZone in objZones
   WScript.Echo " " & objZone.Name
next

13.3.3 Discussion

13.3.3.1 Using a graphical user interface

When you click on either the Forward Lookup Zones or Reverse Lookup Zones in the left pane, the right pane contains a Type column that displays the zone type for each zone.

13.3.3.2 Using a command-line interface

Used without any additional parameters, the /enumzones switch displays all zones on the server. You can specify additional filters that limit the types of zones returned. With the Windows 2000 version of dnscmd, you can specify up to two filters:

Filter1:
    /Primary
    /Secondary
    /Cache
    /Auto-Created
Filter2:
    /Forward
    /Reverse

With the Windows Server 2003 version of dnscmd, the filter behavior has changed. Instead of having two levels of criteria you can specify one or more of the following:

/Primary
/Secondary
/Forwarder
/Stub
/Cache
/Auto-Created
/Forward
/Reverse
/Ds
/File
/DomainDirectoryPartition
/ForestDirectoryPartition
/CustomDirectoryPartition
/LegacyDirectoryPartition
/DirectoryPartition 

4 Converting a Zone to an AD-Integrated Zone

13.4.1 Problem

You want to convert a primary zone to an AD-integrated zone. This causes the contents of the zone to be stored and replicated in Active Directory instead of in a text file.

13.4.2 Solution

13.4.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. Right-click on DNS in the left pane and select Connect to DNS Server.

3. Enter the server you want to connect to and click Enter.

4. If you want to convert a forward zone, expand the Forward Lookup Zone folder. If you want to convert a reverse zone, expand the Reverse Lookup Zone folder.

5. Click on the zone you want to convert, then right-click it and select Properties.

6. Beside Type, click the Change button.

7. Check the box beside Store the zone in Active Directory.

8. Click OK twice.

13.4.2.2 Using a command-line interface
> dnscmd <ServerName> /zoneresettype <ZoneName> /DsPrimary
 

5 Moving AD-Integrated Zones into an Application Partition

Note: This recipe requires the Windows Server 2003 domain functional level.

13.5.1 Problem

You want to move AD-integrated zones into an application partition.

13.5.2 Solution

13.5.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones depending on the type of zone.

4. Click on the name of the zone.

5. Right-click on the zone and select Properties.

6. Click on the Change button beside Replication.

7. Select the application partition you want to move the zone into.

8. Click OK twice.

13.5.2.2 Using a command-line interface

The following command will move a zone to the default application partition that replicates across all domain controllers that are DNS servers in the domain:

> dnscmd <DNSServerName> /zonechangedirectorypartition <ZoneName> /domain

6 Delegating Control of a Zone

13.6.1 Problem

You want to delegate control of managing the resource records in a zone.

13.6.2 Solution

13.6.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones depending on the type of zone.

4. Click on the name of the zone.

5. Right-click on the zone and select Properties.

6. Click on the Security tab.

7. Click the Add button.

8. Use the Object Picker to locate the user or group to which you want to delegate control.

9. Under Permissions, check the Full Control box.

10. Click OK.

13.6.2.2 Using a command-line interface

The following command grants full control over managing the resource records in an AD-Integrated zone:

> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G <UserOrGroup>:GA;;

7 Creating and Deleting Resource Records

13.7.1 Problem

You want to create and delete resource records.

13.7.2 Solution

13.7.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. If you want to add or delete a record in a forward zone, expand the Forward Lookup Zone folder. If you want to add or delete a record for a reverse zone, expand the Reverse Lookup Zone folder.

To create a resource record, do the following:

4. In the left pane, right-click the zone and select the option that corresponds to the record type you want to create (e.g., New Host (A)).

5. Fill in all required fields.

6. Click OK.

To delete a resource record, do the following:

7. In the left pane, click on the zone the record is in.

8. In the right pane, right-click on the record you want to delete and select Delete.

9. Click Yes to confirm.

13.7.2.2 Using a command-line interface

To add a resource record, use the following command:

> dnscmd <DNSServerName> /recordadd <ZoneName> <NodeName> <RecordType> <RRData>

The following command adds an A record in the rallencorp.com zone:

> dnscmd dc1 /recordadd rallencorp.com wins01 A 19.25.52.2.25

To delete a resource record, use the following command:

> dnscmd <DNSServerName> /recorddelete <ZoneName> <NodeName> <RecordType> <RRData>

The following command deletes an A record in the rallencorp.com zone:

> dnscmd dc1 /recorddelete rallencorp.com wins01 A 19.25.52.2.25
 

8 Querying Resource Records

13.8.1 Problem

You want to query resource records.

13.8.2 Solution

13.8.2.1 Using a graphical user interface

The DNS Management snap-in does not provide an interface for searching resource records.

13.8.2.2 Using a command-line interface

In the following command, replace <RecordType> with the type of resource record you want to find (e.g., A, CNAME, SRV) and <RecordName> with the name or IP address of the record to match:

> nslookup -type=<RecordType> <RecordName>
13.8.2.3 Using VBScript
' This code prints the resource records that match
' the specified name or IP address.
' ------ SCRIPT CONFIGURATION ------
strQuery = "<RecordName>"  ' e.g. dc1.rallencorp.com
' ------ END CONFIGURATION ---------

' Connect to the WMI DNS provider on the local server
set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' Match the query against the owner name, the zone name, or the record data
set objRRs = objDNS.ExecQuery(" select * " & _
                              " from MicrosoftDNS_ResourceRecord" & _
                              " where  OwnerName = """ & strQuery & """" & _
                              " Or  DomainName = """ & strQuery & """" & _
                              " Or RecordData = """ & strQuery & """")
if objRRs.Count = 0 then
   WScript.Echo "No matches found for " & strQuery
else
   for each objRR in objRRs
      WScript.Echo objRR.TextRepresentation
   next
end if

13.8.3 Discussion

13.8.3.1 Using a command-line interface

You can leave off the -type switch and the command will find any A, PTR, and CNAME records that match <RecordName>. You can also run nslookup in interactive mode, which is entered by typing nslookup at a command prompt with no additional parameters.

9 Modifying the DNS Server Configuration

13.9.1 Problem

You want to modify the DNS Server settings.

13.9.2 Solution

13.9.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Click on the server, right-click on it, and select Properties.

4. There will be several tabs you can choose from to edit the server settings.

5. Click OK to commit the changes after you've completed your modifications.

13.9.2.2 Using a command-line interface

With the following command, replace <Setting> with the name of the setting to modify and <Value> with the value to set:

> dnscmd <DNSServerName> /config /<Setting> <Value>
 

10 Scavenging Old Resource Records

13.10.1 Problem

You want to scavenge old resource records. DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically, this applies only to resource records that were added via DDNS, but you can also scavenge manually added (also referred to as static) records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

13.10.2 Solution

The following solutions will show how to enable automatic scavenging on all AD-integrated zones.

13.10.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Click on the server, right-click on it, and select Set Aging/Scavenging for all zones.

4. Check the box beside Scavenge stale resource records.

5. Configure the No-Refresh and Refresh intervals as necessary and click OK.

6. Check the box beside Apply these settings to the existing Active Directory-integrated zones and click OK.

7. Right-click on the server again and select Properties.

8. Select the Advanced tab.

9. Check the box beside Enable automatic scavenging of stale resource records.

10. Configure the scavenging period as necessary.

11. Click OK.

13.10.2.2 Using a command-line interface
> dnscmd <DNSServerName> /config /ScavengingInterval <ScavengingMinutes>
> dnscmd <DNSServerName> /config /DefaultAgingState 1
> dnscmd <DNSServerName> /config /DefaultNoRefreshInterval <NoRefreshMinutes>
> dnscmd <DNSServerName> /config /DefaultRefreshInterval <RefreshMinutes>
> dnscmd <DNSServerName> /config ..AllZones /aging 1
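How the No-Refresh interval, the Refresh interval and the scavenging run fit together, as an added Python example that is not part of the original text: it walks a constructed timeline of dynamic updates and one scavenging pass, assuming the standard Windows aging rules (a refresh inside No-Refresh is not recorded, a refresh after it rewrites the timestamp, a record is stale once both intervals have passed, static records are never aged) and 7-day defaults for both intervals; host names, addresses and dates are made up.

```python
"""Simulate DNS aging and scavenging with the intervals the recipe configures.

Added example, not code from the original page. Assumed rules (standard Windows
DNS aging behaviour): a DDNS refresh inside the No-Refresh window is accepted but
the timestamp is not rewritten (which is what saves replication traffic); after
the window a refresh resets the timestamp; a data change always resets it; a
record is stale once timestamp + No-Refresh + Refresh has passed; static records
carry no timestamp and are never scavenged.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Record:
    name: str
    rtype: str
    data: str
    timestamp: Optional[datetime]  # None: static (manually added) record, not aged


@dataclass(frozen=True)
class AgingPolicy:
    no_refresh: timedelta
    refresh: timedelta


def dynamic_update(rec, now, policy, new_data=None):
    """Apply a DDNS update; return True if the record (and so its timestamp) was rewritten."""
    if new_data is not None and new_data != rec.data:
        rec.data = new_data  # a data change is never suppressed
        rec.timestamp = now
        return True
    if rec.timestamp is None:
        return False  # static records are not touched by refreshes
    if now < rec.timestamp + policy.no_refresh:
        return False  # inside No-Refresh: refresh accepted but not recorded
    rec.timestamp = now
    return True


def is_stale(rec, now, policy):
    """A dynamic record is stale once both intervals have elapsed since its timestamp."""
    return rec.timestamp is not None and now >= rec.timestamp + policy.no_refresh + policy.refresh


def scavenge(zone, now, policy):
    """Remove stale records from the zone in place; return the removed records."""
    removed = [r for r in zone if is_stale(r, now, policy)]
    zone[:] = [r for r in zone if not is_stale(r, now, policy)]
    return removed


def run_scenario():
    """Constructed timeline using the Windows defaults of 7 days for each interval."""
    policy = AgingPolicy(no_refresh=timedelta(days=7), refresh=timedelta(days=7))
    t0 = datetime(2009, 8, 1, 9, 0)
    zone = [
        Record("dc1", "A", "6.10.57.21", t0),        # domain controller, keeps refreshing
        Record("wks01", "A", "6.10.57.40", t0),      # workstation that later leaves the network
        Record("printer", "A", "6.10.57.90", None),  # static record added by hand
    ]
    dc1, wks01, printer = zone
    rewritten = []
    # Day 3: both hosts refresh. Inside No-Refresh, so neither timestamp is rewritten.
    rewritten.append(dynamic_update(dc1, t0 + timedelta(days=3), policy))
    rewritten.append(dynamic_update(wks01, t0 + timedelta(days=3), policy))
    # Day 8: only dc1 is still around; its refresh is past No-Refresh and resets the timestamp.
    rewritten.append(dynamic_update(dc1, t0 + timedelta(days=8), policy))
    # Day 10: a refresh of the static printer record changes nothing.
    rewritten.append(dynamic_update(printer, t0 + timedelta(days=10), policy))
    # Day 15: scavenger runs. wks01 (day 0 + 7 + 7 days) is stale; dc1 (day 8 + 14) is not.
    removed = scavenge(zone, t0 + timedelta(days=15), policy)
    return {
        "timestamps_rewritten": rewritten,
        "removed": [r.name for r in removed],
        "remaining": [r.name for r in zone],
    }


if __name__ == "__main__":
    print(run_scenario())
```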
 

11 Clearing the DNS Cache

13.11.1 Problem

You want to clear the DNS cache. The DNS cache contains resource records that are cached for a period of time in memory so that repeated requests for the same record can be returned immediately. There are two types of DNS cache. One pertains to the resolver on any Windows client (servers and workstations), and the other to the cache used by the Microsoft DNS server.

13.11.2 Solution

To flush the client resolver cache, use the following command:

> ipconfig /flushdns

To flush the DNS server cache, use any of the following solutions.

13.11.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. Right-click on DNS in the left pane and select Connect to DNS Server.

3. Enter the server you want to connect to and click Enter.

4. Right-click on the server and select Clear Cache.

13.11.2.2 Using a command-line interface

The following command will clear the cache on <DNSServerName>. You can leave out <DNSServerName> to run against the local server:

> dnscmd <DNSServerName> /clearcache
 

12 Verifying That a Domain Controller Can Register Its Resource Records

13.12.1 Problem

You want to verify DNS is configured correctly so that a domain controller can register its resource records, which are needed for clients to be able to locate various AD services.

13.12.2 Solution

13.12.2.1 Using a command-line interface

Note: This test is available only with the Windows Server 2003 version of dcdiag.

With the following dcdiag command, replace dc1 with the DNS name of the domain the domain controller is in. This command has to be run directly on the domain controller you want to test.

> dcdiag /test:RegisterInDNS /DnsDomain:dc1
 
   Starting test: RegisterInDNS
      DNS configuration is sufficient to allow this domain controller to
      dynamically register the domain controller Locator records in DNS.
 
      The DNS configuration is sufficient to allow this computer to dynamically
      register the A record corresponding to its DNS name.
 
      ......................... dc1 passed test RegisterInDNS

13 Registering a Domain Controller's Resource Records

13.13.1 Problem

You want to manually force registration of a domain controller's resource records. This may be necessary if you've made some configuration changes on your DNS servers to allow your domain controllers to start dynamically registering resource records.

13.13.2 Solution

13.13.2.1 Using a command-line interface
> nltest /dsregdns /server:<DomainControllerName>
 

14 Preventing a Domain Controller from Dynamically Registering All Resource Records

13.14.1 Problem

You want to prevent a domain controller from dynamically registering its resource records using DDNS. If you manually register domain controllers' resource records, you'll want to prevent those domain controllers from attempting to dynamically register them. If you do not disable them from sending dynamic update requests, you may see annoying error messages on your DNS servers that certain DDNS updates are failing.

13.14.2 Solution

13.14.2.1 Using a command-line interface
> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v UseDynamicDNS /t REG_DWORD /d 0
The operation completed successfully.
 
> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.
 
> del %SystemRoot%\system32\config\netlogon.dnb
 
> net start netlogon
The Net Logon service is starting.......
The Net Logon service was started successfully.
 

15 Preventing a Domain Controller from Dynamically Registering Certain Resource Records

13.15.1 Problem

You want to prevent a domain controller from dynamically registering certain resource records. It is sometimes advantageous to prevent certain resource records from being dynamically registered. For example, if you want to reduce the load on the PDC Emulator for a domain, you could prevent some of its SRV records from being published, which would reduce the amount of client traffic the server receives.

13.15.2 Solution

13.15.2.1 Using a command-line interface

This command will disable the Ldap, Gc, and GcIpAddress resource records from being dynamically registered:

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d Ldap\0Gc\0GcIpAddress
The operation completed successfully.
 
> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.
 
> del %SystemRoot%\system32\config\netlogon.dnb
 
> net start netlogon
The Net Logon service is starting.......
The Net Logon service was started successfully.
 

16 Deregistering a Domain Controller's Resource Records

13.16.1 Problem

You want to manually deregister a domain controller's resource records.

13.16.2 Solution

13.16.2.1 Using a command-line interface

With the following nltest command, replace <DomainControllerName> with the FQDN of the domain controller you want to deregister and <DomainDNSName> with the FQDN of the domain of which the domain controller is a member:

> nltest /dsderegdns:<DomainControllerName> /Dom:<DomainDNSName>
 
 

17 Allowing Computers to Use a Different Domain Suffix from Their AD Domain

13.17.1 Problem

You want to allow computers to use a different domain suffix than their AD domain.

13.17.2 Solution

Note: The following solutions work only for Windows Server 2003 domains. Read the Discussion for a workaround for Windows 2000.

13.17.2.1 Using a graphical user interface

1. Open ADSI Edit.

2. Connect to the domain you want to edit.

3. Right-click on the domainDNS object and select Properties.

4. Edit the msDS-AllowedDNSSuffixes attribute and enter the DNS suffix you want to add.

5. Click OK.

13.17.2.2 Using a command-line interface

Create an LDIF file called add_dns_suffix.ldf with the following contents:

dn: <DomainDN>
changetype: modify
add: msDS-AllowedDNSSuffixes
msDS-AllowedDNSSuffixes: <DNSSuffix>
-

then run the following command:

> ldifde -v -i -f add_dns_suffix.ldf
 

Q.1 What is the role of the “MDBDATA” folder in Exchange 2000?

Answer: - It contains the transaction log files and the EDB/STM databases.

Q.2 What is the role of the “MTADATA” folder in Exchange 2000?

Answer: - Any message that goes to the message transfer agent (MTA) is written to the “MTADATA” directory on an NTFS partition and passed to the Store.exe process.

Q.3 Is there a way to know what emails have been sent or received into one mailbox without accessing the user's mailbox?

Answer: - Check the “Archive all messages sent or received by mailboxes on this store” checkbox.

Thus “Message Archiving” has been enabled.

Q.4 Is there a way to suspend an Exchange 2000 mailbox without affecting logging into network?

Answer: - Delete the user’s mailbox.

Q.5 What is the basic role of transaction log files in Exchange 2000?

Answer: - The log files you see in the mdbdata directory are used to restore the previous night's database backup to the point of failure, in the event that the server fails. When you back up the store, the log files are purged and are of no use anymore, assuming the backup was valid.

Q.6 Recently moved E2K over to a new server (W2K+SP4). Have E2K+SP3 and post-SP3 Rollup installed. The store.exe process starts small (100MB or so) and slowly, but surely, takes more and more RAM until there's only about 30MB left.

Once that happens, the SMTP VM queues start backing up until the store basically stops responding. Only rebooting seems to help and this is necessary approx. every 30 hours.

Answer: - 1. If you have over 1 GB of memory, try the /3GB switch in Boot.ini to allow more memory for Store.exe.

2. GroupShield for Exchange, as it does a background scan on the mailbox and public stores. This causes store.exe to use up all the virtual memory and the information store falls over.

Q.7 How does one grant permissions for a user to send and receive mails to a particular DL (e.g. Emp of ICICI Bank@UK)?

Answer: - To enable sending:

1. Go to AD → Find → Emp of ICICI Bank@UK

2. Properties → Exchange General tab

3. Message Restrictions → Accept messages: Only from

4. Add

5. Apply → OK

To enable receiving:

1. Go to AD → Find → Emp of ICICI Bank@UK

2. Properties → Members

3. Add

4. Apply → OK

Q.8 How would you define a SMTP Queue? What is the default location?

Answer:- The SMTP queue is simply a directory with files representing mail items in it. The default (when installing on drive C:\) is

C:\Program Files\Exchsrvr\Mailroot\Vsi 1

Q.9 What are the 3 directories inside the above location?

Answer: - The 3 directories are

1. Pickup

2. Queue

3. Badmail

Q.10 What does the “Badmail” folder comprise of? Can one delete the “Badmail” folder? If yes, how?

Answer: - The Badmail folder contains messages that cannot be delivered into your organisation, and also cannot be returned back to the sender. Therefore, the folder typically contains spam, and the files within the folder can usually just be deleted.

DO NOT OPEN THE BadMail FOLDER. Depending on how much spam the Small Business Server 2000 computer processes, this folder may contain several hundred thousand files. If you open this folder, the server may appear to have stopped responding.

2. Right-click the BadMail folder, click Rename, and then change the name to BadMailOld.

3. In the VSI 1 folder, create a new folder that is named BadMail.

4. Permanently delete the BadMailOld folder. To do this, click the BadMailOld folder, hold down the SHIFT key, and then press DELETE.

5. Click Yes when you are prompted with the question of whether you want to delete the BadMailOld folder. Deleting this folder may take a long time, depending on the number of files in this folder.

Q.12 What is the quickest way to find all hidden mailboxes on the system in Exchange 2000?

Answer: - Hidden mailboxes are identified by the fact that the attribute msExchHideFromAddressLists is set to a value of TRUE. All we have to do is perform a custom LDAP query against our AD to search for users with the above attribute set accordingly.

This can easily be done with Active Directory Users & Computers:

1. Bring up Active Directory Users & Computers.

2. Right-click your domain name at the top, and choose Find.

3. In the Find combo box at the top, select Custom Search.

4. Click the Advanced tab.

5. Paste in the following LDAP query and then click Find Now.

(&(objectclass=user)(msExchHideFromAddressLists=TRUE))

The list of hidden mailboxes will then be displayed. Don't forget that this will include System Mailboxes. Be sure to leave those alone!

Q.13 Explain “Messages awaiting Directory Lookup” and how would you troubleshoot the same?

Answer: - Description: This queue contains messages to recipients who have not yet been resolved against the Microsoft Active Directory service. Messages are also held in this queue while distribution lists are expanded.

Troubleshooting:

1. Generally, messages accumulate in this queue because the advanced queuing engine cannot categorize the message.

2. The advanced queuing engine may not be able to access the global catalog servers or to access the recipient information.

3. Or, the global catalog servers are unreachable or are performing slowly.

4. Increase diagnostic logging for the MSExchangeDSAccess service and for the MSExchangeTransport service to collect information about Categorizer components.

Q.14 Why do we need to “Run cleanup Agent”?

Answer: - 1. To see the orphaned mailbox.

2. To connect to a recreated account so as to retrieve mail.

Q.1 What does the .edb and .stm file contain in Exchange 2000?

Answer: The .edb file contains all the folders, tables and indexes for messaging data and MAPI messages and attachments. The .stm file (new to Exchange 2000) contains Internet content in its native format.

Note: (*.edb + *.stm) + (*.log) = Database

Q.2 Where is the Directory Service database stored in Exchange 5.5?

Answer: Dir.edb

Q.3 Mention the types of Routing Group Connectors in Exchange 2000?

ANSWER: Sanjay Sir Please Help ......

A Routing Group is a collection of Exchange servers that communicate with each other directly over the same internal network or reliable connection.

When multiple Routing Groups must be created, each individual group must be connected using one of three available Exchange connection types:

  • Routing Group Connector: This connector is the default connector type. It can be used to connect a single Exchange bridgehead server or multiple bridgehead servers for load balancing of message traffic.
  • SMTP Connector: The SMTP connector uses the Simple Mail Transfer Protocol to connect and communicate with remote Routing Groups, non-Exchange mail systems, and the Internet mail host.
  • X.400 Mail Connector: Limited to a single local and remote host, the X.400 connector is primarily designed for communications between Exchange Server 2003 and X.400 mail systems.

Mixed Mode

When Exchange Server 2003 is in a mixed environment, Routing Groups can consist only of servers that were installed directly into the Administrative Group where the Routing Group resides. Additional servers from other Administrative Groups cannot be added to the Routing Group.

Native Mode

After the functional level has been raised to Native Mode, Exchange servers can be managed and moved between Routing Groups. Also, Routing Groups in a single Administrative Group can contain servers from other Administrative Groups.



Q.4 What are the features of Active Directory in Windows 2000?

ANSWER: Features of Active Directory in Windows 2000 can be categorised as:

Manageability: Centralized Management, Group Policy, Global Catalog, IntelliMirror Desktop Management, Automated Software Distribution, Active Directory Service Interfaces, Backward Compatibility, Delegated Administration, Multi-Master Replication

Security: Kerberos Authentication, Smart Card Support, Transitive Domain Trust, PKI/X.509, LDAP over SSL, Required Authentication Mechanism, Attribute-Level Security, Spanning Security Groups, LDAP ACL Support

Interoperability: DirSync Support, Active Directory Connectors, Open APIs, Native LDAP, DNS Naming, Open Change History, DEA Platform, DEN Platform, Extensible Schema



Q.5 What are the features of Exchange 2003 over Exchange 2000?

Answer:-

  • Better anti-spam tools: a comprehensive set of filters
  • Improved queue management
  • Smoother integration with IIS
  • Enhanced OWA, which now includes a spell checker and X.509 certificates
  • Outlook Mobile Access (OMA), which functions like OWA for devices
  • Cached replication of Outlook 2003. Cached mode creates a local data file that Outlook uses for all foreground activity; it then contacts the Exchange server in the background.
  • Volume Shadow Copy Service for database backups/recovery
  • Mailbox Recovery Center
  • Recovery Storage Group
  • Front-end and back-end Kerberos authentication
  • Distribution lists are restricted to authenticated users
  • Queues are centralized on a per-server basis
  • Move log files and queue data using Exchange System Manager
  • Multiple Mailbox Move tool
  • Dynamic distribution lists
  • 1,700 Exchange-specific events using Microsoft Operations Manager (requires Microsoft Operations Manager)
  • Deployment and migration tools

Q.5 How will you upgrade from Exchange 2000 to Exchange 2003?

Answer:-http://www.microsoft.com/technet/prodtechnol/exchange/2003/upgrade.mspx

Q.6 What are the precautions to be taken before a disaster recovery in Exchange 2000?

Answer:-http://www.microsoft.com/downloads/details.aspx?FamilyID=6E55DD49-8A6C-4F30-947E-BDE95917F585&displaylang=en

Q.7 How to restore Group policies?

Answer:-

http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/dcgpofix.asp

dcgpofix

Backup and Restore

From GPMC, it is easy to perform backup and restore operations. Backup and restore operation options are context-sensitive, depending on where you are within the Group Policy Objects node.

Backup Individual GPO(s)

  1. Click on the Group Policy Objects node to display all GPOs in the domain.
  2. Select the target GPO(s) for backup. For multiple GPOs:
    1. For a range of GPOs, select the first GPO, press SHIFT and click on the last GPO.
    2. For multiple non-contiguous GPOs, select the first GPO, press CTRL and click on other GPOs.
  3. Right-click and select Backup...
  4. On the next window, specify the backup directory and description and click Back Up.
  5. Click OK when done.

Backup All GPOs

This operation is normally performed by domain administrators.

  1. Select the Group Policy Object node.
  2. Right-click and select Backup All...
  3. Specify the backup directory and description and click Back Up.
  4. Click OK when done.

Restore GPO

  1. Within the Group Policy Object node, select the target GPO.
  2. Right-click and select Restore from Backup... This will launch the Restore Group Policy Object Wizard.
  3. Click Next.
  4. Specify the correct backup folder location.
  5. If multiple backups have been done, choose the correct backup version. The Source GPO window displays the GPO name, backup timestamp and description. You can also check the settings on the source GPO by clicking on the View Settings... button.
  6. Click Next.
  7. Click Finish when ready to restore.
  8. Click OK when done. You have now restored the GPO.

Also check following link

http://support.microsoft.com/default.aspx?scid=kb;en-us;842252

Sanjay Sir .



Q.8 What is the function of the NNTP service in Exchange 2000?

Answer:- While installing Exchange 2000, the system creates a default Network News Transfer Protocol (NNTP) virtual server. You can use this virtual server to house a feed from other newsgroups. This default NNTP virtual server can be used to create feeds to a Public Folder for storage (Internet Newsgroups). For other storage media (either a file system or a remote share), you must create a new virtual server.

NOTE:- Sir , Please Add Ur Inputs.....

Network News Transfer Protocol

Because Network News Transfer Protocol (NNTP) is growing in popularity, it would be wise for us to take a brief look at the architecture of this protocol. We'll then discuss the more pragmatic aspects of administering NNTP on your network.

NNTP Architecture

NNTP specifies a way to distribute, query, retrieve, and post news articles on the Internet. A client wanting to retrieve a subset of articles from the database is called a subscriber. NNTP allows a subscriber to request a subset of articles rather than requiring the retrieval of all articles from the database. Before NNTP was developed, two methods of distributing news items were popular: Internet mailing lists and the Usenet news system.

An Internet mailing list, commonly known as a list server, distributes news by the use of distribution e-mail lists. A subscriber sends a message to the distribution list, and the message is e-mailed to all of the members of the list. But sending a separate copy of an e-mail to each subscriber can consume a large amount of disk space, bandwidth, and CPU resources. In addition, it can take from several minutes to several hours for the message to be fully distributed, depending on the size of the list and the physical resources available to propagate it. Maintaining the subscriber list also involves significant administrative effort, unless a third-party program is used to automate this function.

Storing and retrieving messages from a central location instead of sending an email to each subscriber can significantly reduce the use of these resources. The Usenet news system provides this alternative. In addition, Usenet allows a subscriber to select only those messages he or she wants to read and also provides indexing, cross-referencing, and message expiration.

NNTP is modeled on the Usenet news specifications in RFC 850, but it is designed to make fewer demands on the structure, content, and storage of the news articles. It runs as a background service on one host and can accept connections from other hosts on the LAN or over the Internet.

When a subscriber connects to an NNTP server, the subscriber issues the NEWSGROUPS command to determine whether any new newsgroups have been created on the server. If so, the server notifies the subscriber and gives the subscriber the opportunity to subscribe to the new newsgroups. After this, the subscriber is connected to the desired newsgroup and can use the NEWNEWS command to ask the server whether any new articles have been posted since the subscriber's last connection. The subscriber receives a list of new articles from the server and can request transmission of some or all of those articles. Finally, the subscriber can either reply to a news article or post a new article to the server by using the POST command.

NNTP uses TCP for its connections and SMTP-like commands and responses. The default TCP port for NNTP is 119. An NNTP command consists of a command word followed in some cases by a parameter, and commands are not case sensitive. Each line can contain only one command and may not exceed 512 characters, including spaces, punctuation, and the trailing CR-LF (carriage return/line feed). Commands cannot be continued on the next line.

Responses from the server can take the form of a text response or a status response. Text responses are displayed in the subscriber's client program, whereas status responses are interpreted by the client program before any display occurs.
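The command and response rules just described, as an added example that is not code from the original post: a small Python helper that frames NNTP commands under the single-line, 512-byte limit and parses a server reply into its status line and optional multi-line text body. The NEWNEWS reply it parses is constructed for the example, not captured from a real server.

```python
# Added example, not from the original post: client-side framing for the
# NNTP rules above (one command per line, command word not case sensitive,
# at most 512 bytes including the trailing CR-LF) and parsing of server
# replies into a status line plus an optional multi-line text body.

MAX_LINE = 512  # limit stated in the text, including the trailing CR-LF

def build_command(word, *params):
    """Return one NNTP command as bytes, or raise if it breaks the framing rules."""
    if any("\r" in p or "\n" in p for p in (word, *params)):
        raise ValueError("a command cannot be continued on the next line")
    line = " ".join((word.upper(), *params)) + "\r\n"
    if len(line.encode("ascii")) > MAX_LINE:
        raise ValueError("command exceeds 512 bytes including CR-LF")
    return line.encode("ascii")

def parse_status(line):
    """Split a status line into (code, class digit, text).  Per RFC 977 the
    class is 1 informative, 2 OK, 3 OK so far, 4 not performed, 5 error."""
    code, _, text = line.partition(" ")
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"not a status line: {line!r}")
    return int(code), int(code[0]), text

def read_text_block(lines):
    """Collect a text response up to the lone '.' terminator, removing the
    extra leading dot NNTP adds to body lines that themselves start with '.'."""
    body = []
    for ln in lines:
        if ln == ".":
            return body
        body.append(ln[1:] if ln.startswith(".") else ln)
    raise ValueError("text response missing the '.' terminator")

# Constructed server reply to NEWNEWS: a 230 status line, then message-ids.
SAMPLE_NEWNEWS_REPLY = [
    "230 list of new articles by message-id follows",
    "<a1@news.example>",
    "<a2@news.example>",
    "..dot@news.example>",  # dot-stuffed on the wire; really ".dot@news.example>"
    ".",
]

def new_article_ids(reply_lines):
    """Return the message-ids from a NEWNEWS reply, or None if it was refused."""
    code, cls, _ = parse_status(reply_lines[0])
    if cls != 2:
        return None  # 4xx / 5xx: the command was not accepted
    return read_text_block(iter(reply_lines[1:]))
```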

Q.9 What is Recipient Update Service in Exchange 2000?

Answer:- Recipient Update Service (RUS) is a very important component in your Exchange installation; it is RUS that is responsible for updating address lists and email addresses in your Active Directory.

A default Exchange organization will have two RUS objects:

(a) Enterprise Configuration RUS: responsible for updating the email addresses of system objects such as the MTA and System Attendant.

(b) Domain RUS: responsible for updating the address information of recipient objects in the domain that it is responsible for.

Q.10 What is the function of the Default SMTP Virtual Server in Exchange 2000?

Answer:- The SMTP virtual server plays a critical role in mail delivery. SMTP virtual servers provide the Exchange mechanisms for managing SMTP. The default SMTP virtual server sends messages within a routing group. Additionally, if the server is a domain controller, Active Directory uses this virtual server for SMTP directory replication. An SMTP virtual server is defined by a unique combination of an IP address and port number. The default SMTP virtual server uses all available IP addresses on the server and uses port 25 for inbound connections. A single physical server can host many virtual servers.
