Question # 80
List the GC key directory roles?
Answer:-
* It enables network logon by providing universal group membership information to a DC when a logon process is initiated.
* It enables finding directory information regardless of which domain in the forest actually contains the data.
Question # 81
Define Replication in Active Directory?
Answer:-
Sites streamline replication of directory information and reduce replication traffic.
Site membership is determined differently for domain controllers and clients. A client determines which site it is in when it is turned on, so its site location will often be dynamically updated. A domain controller's site location is established by which site its Server object belongs to in the directory, so its site location will be consistent unless the domain controller's Server object is intentionally moved to a different site.
Question # 82
Define the global catalog key directory roles?
Answer:-
When a user logs on to the network, the global catalog provides universal group membership information for the account sending the logon request to the domain controller. If there is only one domain controller in the domain, the domain controller and the global catalog are the same server. If there are multiple domain controllers in the network, the global catalog is hosted on the domain controller configured as such. If a global catalog is not available when a user initiates a network logon process, the user is only able to log on to the local computer.
Question # 83
What is the role of Global Catalog Server in a Domain?
Answer:-
By default, a global catalog is created automatically on the initial domain controller in the forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects contained in the directory of every other domain in the forest. The replica is partial because it stores some, but not all, of the property values for every object in the forest.
Question # 84
Suppose a user is a member of the Domain Admins group. Is he able to log on to the network even when a global catalog is not available?
Answer:-
The global catalog is designed to respond to queries about objects anywhere in the forest with maximum speed and minimum network traffic. Because a single global catalog contains information about objects in all domains in the forest, a query about an object can be resolved by a global catalog in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries.
You can optionally configure any domain controller to host a global catalog, based on your organization's requirements for servicing logon requests and search queries. After additional domain controllers are installed in the domain, you can change the default location of the global catalog to another domain controller using Active Directory Sites and Services.
Question # 85
Do you know why the GC and the infrastructure master should not be on the same server?
Answer:-
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog's data will always be up-to-date. If the infrastructure master finds data that is out-of-date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.
* If the infrastructure master and the global catalog are on the same domain controller, the infrastructure master will not function. It will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
* If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.
Question # 86
Define the Domain naming master role?
Answer:-
Domain Naming Master DC controls the addition or removal of domains in the forest.
Question # 87
Define Schema master role?
Answer:-
The schema master DC controls all updates and modifications to the schema.
Question # 88
Define Forest-Wide operations master roles?
Answer:-
Every Active Directory forest must have the following roles:
* Schema master
* Domain naming master
There can be only one schema master and one domain naming master for the entire forest.
Question # 89
Define Domain-Wide operations master roles?
Answer:-
Every domain in the forest must have the following roles:
* Relative ID master
* Primary DC (PDC) emulator
* Infrastructure master
Each domain in the forest can have only one RID master, PDC Emulator, and Infrastructure Master.
Question # 90
Define Relative ID master role?
Answer:-
The RID master allocates pools of relative IDs to each DC in its domain. Whenever a DC creates a user, group, or computer object, it assigns a unique security ID (SID) to that object. The SID consists of a domain security ID (the same for all SIDs created in the domain) and a relative ID that is unique for each SID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the DC acting as the RID master of the domain that currently contains the object.
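The following is an added example, not part of the original Q&A: a small simulation of RID-pool allocation and SID construction that shows why only one DC per domain may hand out RID pools. Each DC consumes RIDs from its own pool without talking to any other DC, and the SIDs still come out unique domain-wide. The pool size, DC names and domain SID are constructed values.

```python
"""Added example (not from the original Q&A): simulate RID-pool allocation
and SID construction. Pool size, names and the domain SID are constructed."""
from dataclasses import dataclass, field


@dataclass
class RidMaster:
    """The single per-domain authority that hands out disjoint RID ranges."""
    domain_sid: str
    pool_size: int = 500          # assumed pool size for this demo
    next_rid: int = 1000          # RIDs below 1000 are well-known and reserved
    pools: dict = field(default_factory=dict)

    def allocate(self, dc_name: str) -> range:
        """Give a DC the next unused RID range; ranges never overlap."""
        pool = range(self.next_rid, self.next_rid + self.pool_size)
        self.next_rid += self.pool_size
        self.pools[dc_name] = pool
        return pool


@dataclass
class DomainController:
    """A DC assigns SIDs from its own pool without contacting any other DC."""
    name: str
    domain_sid: str
    pool: range
    used: int = 0

    def create_object(self) -> str:
        """Return the SID of a newly created user, group or computer object."""
        if self.used >= len(self.pool):
            raise RuntimeError(f"{self.name}: RID pool exhausted, request a new pool from the RID master")
        rid = self.pool[self.used]
        self.used += 1
        return f"{self.domain_sid}-{rid}"


def split_sid(sid: str) -> tuple:
    """Split an account SID into (domain SID, relative ID)."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[0] != "S" or parts[3] != "21":
        raise ValueError(f"not a domain account SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def demo():
    """Two DCs create objects independently; all SIDs share the domain SID and have distinct RIDs."""
    domain_sid = "S-1-5-21-111111111-222222222-333333333"   # constructed
    master = RidMaster(domain_sid)
    dcs = [DomainController(n, domain_sid, master.allocate(n)) for n in ("DC1", "DC2")]
    sids = [dc.create_object() for dc in dcs for _ in range(3)]
    domains = {split_sid(s)[0] for s in sids}
    rids = [split_sid(s)[1] for s in sids]
    return sids, domains, rids


if __name__ == "__main__":
    sids, domains, rids = demo()
    print("\n".join(sids))
    print("one domain:", len(domains) == 1, "unique RIDs:", len(set(rids)) == len(rids))
```

The exhaustion branch is the reason the RID master must be reachable: a DC whose pool is used up cannot create security principals until it obtains a fresh range.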
Question # 91
Define PDC emulator role?
Answer:-
For pre-W2K clients, the PDC emulator acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs.
In native mode, the PDC emulator receives preferential replication of password changes performed by other DCs in the domain. If a password was recently changed, that change takes time to replicate to every DC in the domain. If a logon authentication fails at another DC because of a bad password, that DC forwards the authentication request to the PDC emulator before rejecting the logon attempt.
Question # 92
Define the Infrastructure master role?
Answer:-
The infrastructure master is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one DC acting as the infrastructure master in each domain. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. The infrastructure master distributes the update via multi-master replication.
There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.
Question # 93
Define the single master operations?
Answer:-
Active Directory supports multi-master replication of the directory data between all DCs in the domain. Some changes are impractical to perform in multi-master fashion, so only one DC, called the operations master, accepts requests for such changes. Because the operations master roles can be moved to other DCs within the domain or forest, these roles are sometimes referred to as Flexible Single Master Operations. In any Active Directory there are five operations master roles. Some roles must appear in every forest. Other roles must appear in every domain in the forest.
Question # 94
List the FSMO roles?
Answer:-
* Schema master
* Domain naming master
* RID master
* PDC emulator
* Infrastructure master
Question # 95
Describe the Infrastructure FSMO role?
Answer:-
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.
Question # 96
How to place the FSMO roles?
Answer:-
* Place the RID and PDC emulator roles on the same domain controller. Good communication from the PDC to the RID master is desirable as down-level clients and applications target the PDC, making it a large consumer of RIDs.
* As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site.
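As an added example (not part of the original Q&A), the following script checks the placement rules from Q85 and Q96 against a constructed inventory of domain controllers: the infrastructure master must not be a GC unless every DC is one, it should have a GC in its own site, and the RID master and PDC emulator should sit on the same DC. On a live forest the `dcs` and `roles` data would come from ntdsutil or the Active Directory Sites and Services console; here they are hard-coded.

```python
"""Added example (not from the original Q&A): FSMO placement checks over a
constructed DC inventory. Names, sites and role holders are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DC:
    name: str
    site: str
    is_gc: bool


def check_placement(dcs, roles):
    """Return a list of placement warnings.

    `roles` maps "pdc", "rid" and "infra" to the name of the holding DC.
    Rules, as stated in the Q&A:
      1. The infrastructure master must not be a GC unless every DC is a GC.
      2. The infrastructure master should have a GC in its own site.
      3. The RID master and the PDC emulator should be on the same DC.
    """
    by_name = {dc.name: dc for dc in dcs}
    infra = by_name[roles["infra"]]
    warnings = []

    if infra.is_gc and not all(dc.is_gc for dc in dcs):
        warnings.append(f"{infra.name}: infrastructure master is a GC while other DCs are not; "
                        "it will never see stale cross-domain references and will stop updating them")
    if not any(dc.is_gc and dc.site == infra.site for dc in dcs):
        warnings.append(f"{infra.name}: no global catalog in site '{infra.site}' "
                        "for the infrastructure master to compare against")
    if roles["rid"] != roles["pdc"]:
        warnings.append(f"RID master ({roles['rid']}) and PDC emulator ({roles['pdc']}) "
                        "are on different DCs; the PDC is the largest RID consumer")
    return warnings


# Constructed inventory: three DCs in two sites, one global catalog.
INVENTORY = [
    DC("DC1", "HQ", is_gc=True),
    DC("DC2", "HQ", is_gc=False),
    DC("DC3", "Branch", is_gc=False),
]
POOR_ROLES = {"pdc": "DC1", "rid": "DC2", "infra": "DC1"}   # violates rules 1 and 3
GOOD_ROLES = {"pdc": "DC1", "rid": "DC1", "infra": "DC2"}   # satisfies all three rules

if __name__ == "__main__":
    for label, roles in (("poor", POOR_ROLES), ("good", GOOD_ROLES)):
        print(label, check_placement(INVENTORY, roles) or ["no warnings"])
```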
Question # 97
How to respond to operations master failures?
Answer:-
Some of the operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem. If an operations master is not available because of computer failure or network problems, you can seize the operations master role.
In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again.
Question # 98
Define the Schema master failure?
Answer:-
Temporary loss of the schema operations master will be visible only if we are trying to modify the schema or install an application that modifies the schema during installation. A DC whose schema master role has been seized must never be brought back online.
Question # 99
How to create a container to list printers in Active Directory?
Answer:-
To create a Printers container in which to list your printers in Active Directory:
1) Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
2) Expand Domain NC [Domain Name], and then click DC=Domain, DC=com.
3) On the Action menu, point to New, and then click Object.
4) In the Select a class box, click container, and then click Next.
5) In the Value box, type Printers, and then click Next.
6) Click Finish.
A CN=Printers container appears in the right pane of ADSI Edit.
1) Right-click CN=Printers, and then click Properties.
2) Click the Attributes tab.
3) In the Select a property to view box, click "show In Advanced View Only", and then click Clear.
4) In the Edit Attribute box, type false, click Set, and then click OK.
5) Quit ADSI Edit.
6) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. The Printers container that you created appears in the list of directory objects.
7) On the View menu, click Advanced Features.
8) On the View menu, click Users, Groups, and Computers as containers.
9) Move the printers that you want to the Printers container.
10) Quit Active Directory Users and Computers.
Question # 100
How to publish a printer in AD?
Answer:-
1) Log on to the computer as an administrator.
2) Click Start, point to Settings, and then click Printers.
3) In the Printers folder, right-click the printer that you want to publish in Active Directory, and then click Properties.
4) Click the Sharing tab, click Share As, and then either type a share name or accept the default name. Use only letters and numbers; do not use spaces, punctuation, or special characters.
5) Click to select the List in the Directory check box, and then click OK.
6) Close the Printers folder.
Question # 101
How to configure an authoritative time server in Windows 2000?
Answer:-
Windows includes the W32Time time service tool that is required by the Kerberos authentication protocol. The purpose of the Time service is to ensure that all computers that are running Windows 2000 in an organization use a common time.
Windows-based computers use the following hierarchy by default:
• All client PCs and member servers nominate the authenticating DC as their in-bound time server.
• DCs may nominate the PDC operations master as their in-bound time partner but may use a parent DC based on stratum numbering.
• All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
The PDC operations master at the root of the forest becomes authoritative for the organization. This PDC can be configured to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative by using the following net time command:
net time /setsntp:server_list
To reset the local computer's time against the authoritative time server for the domain:
net time /domain:domain_name /set
net stop w32time
w32tm -once
net start w32time
SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers. Administrators can also configure an internal time server as authoritative by using the net time command. If the administrator directs the command to the operations master, it may be necessary to reboot the server for the changes to take effect.
Question # 102
What is Loop back Processing of group policy?
Answer:-
Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loop back feature to apply GPOs that depend only on which computer the user logs on to.
Question # 103
What is Kerberos V5 authentication process?
Answer:-
Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user and network services. This dual verification is known as mutual authentication.
Question # 104
Do you know how Kerberos V5 works?
Answer:-
The Kerberos V5 authentication mechanism issues tickets (a set of identification data for a security principal, issued by a DC for purposes of user authentication; the two forms of tickets in Windows 2000 are ticket-granting tickets (TGTs) and service tickets) for accessing network services. These tickets contain encrypted data, including an encrypted password, which confirms the user's identity to the requested service.
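The following added example (not part of the original Q&A) walks through a toy Kerberos V5-style exchange: the KDC's Authentication Service issues a ticket-granting ticket, its Ticket-Granting Service issues a service ticket, and the service answers the client's authenticator by echoing the timestamp, which is the mutual-authentication step from Q103. The sealing scheme, key derivation, principal names and passwords are constructed for the demo and are not the real Kerberos encryption types; in the toy the tickets carry a session key rather than the password.

```python
"""Added example (not from the original Q&A): toy Kerberos AS/TGS/AP exchange.
Sealing, key derivation, principals and passwords are constructed for the demo."""
import hashlib
import hmac
import json
import os
import time


def toy_key(secret: str) -> bytes:
    """Toy string-to-key (real Kerberos uses etype-specific derivation)."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> dict:
    """Encrypt-then-MAC a JSON object with an HMAC-derived keystream (toy)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, box: dict) -> dict:
    """Verify the tag, then decrypt; a wrong key fails here, never silently."""
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service and Ticket-Granting Service, as run on a DC."""

    def __init__(self, principals: dict):
        self.keys = {name: toy_key(secret) for name, secret in principals.items()}
        self.krbtgt_key = toy_key("krbtgt-long-term-secret")   # constructed

    def as_exchange(self, user: str):
        """AS-REP: TGT sealed under the KDC key, session key sealed under the user's key."""
        session = os.urandom(16).hex()
        tgt = seal(self.krbtgt_key, {"user": user, "sk": session})
        return tgt, seal(self.keys[user], {"sk": session})

    def tgs_exchange(self, tgt: dict, authenticator: dict, service: str):
        """TGS-REP: service ticket under the service's key, new session key for the client."""
        t = unseal(self.krbtgt_key, tgt)
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["user"] != t["user"]:
            raise ValueError("authenticator does not match the TGT")
        service_session = os.urandom(16).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sk": service_session})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": service_session, "service": service})


def service_accept(service_key: bytes, ticket: dict, ap_req: dict):
    """AP-REQ handling: only the holder of the service key can open the ticket and echo the timestamp."""
    t = unseal(service_key, ticket)
    session = bytes.fromhex(t["sk"])
    auth = unseal(session, ap_req)
    if auth["user"] != t["user"]:
        raise ValueError("authenticator does not match the service ticket")
    return t["user"], seal(session, {"ts": auth["ts"]})     # AP-REP


def login_and_access(kdc: KDC, user: str, password: str, service: str):
    """Client side of all three exchanges; returns (authenticated user, mutual-auth result)."""
    user_key = toy_key(password)
    tgt, enc = kdc.as_exchange(user)
    session = bytes.fromhex(unseal(user_key, enc)["sk"])     # a wrong password fails here
    authenticator = seal(session, {"user": user, "ts": time.time()})
    ticket, enc2 = kdc.tgs_exchange(tgt, authenticator, service)
    service_session = bytes.fromhex(unseal(session, enc2)["sk"])
    ts = time.time()
    ap_req = seal(service_session, {"user": user, "ts": ts})
    # The service's long-term key is held by the service itself; it is read from
    # the KDC table here only so both sides of the exchange run in one process.
    who, ap_rep = service_accept(kdc.keys[service], ticket, ap_req)
    mutual = unseal(service_session, ap_rep)["ts"] == ts
    return who, mutual


if __name__ == "__main__":
    kdc = KDC({"alice": "alice-pw", "host/fileserver": "svc-secret"})   # constructed principals
    print(login_and_access(kdc, "alice", "alice-pw", "host/fileserver"))
```

Note where a bad password surfaces: the KDC hands out the AS-REP regardless, and the client simply cannot open the part sealed under the wrong key. Real KDCs add pre-authentication on top of this, which the toy omits.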
Question # 105
How to change the recovery console administrator password on a DC?
Answer:-
1) On a DC, use the %systemroot%\system32\Setpwd.exe utility (SP2 or later) to change the SAM-based Administrator password. To change the SAM Administrator password on a remote DC, type the following command:
setpwd /s:servername
2) Restart the DC in Directory Services Restore Mode and use the command net user administrator * or Local Users and Groups.
Who can "Log On locally" to a DC?
By default, Account Operators, Administrators, Backup Operators, Print Operators, Server Operators, the Internet Guest Account, and the Terminal Services User Account are assigned the log on locally right.
Question # 106
Define user accounts in Active Directory?
Answer:-
In Active Directory, each user account has a user logon name, a pre-Windows 2000 user logon name (SAM account name), and a user principal name suffix. Active Directory suggests a pre-Windows 2000 user logon name using the first 20 bytes of the user logon name.
Question # 107
Define computer accounts in Active Directory?
Answer:-
Each computer account created in Active Directory has a relative distinguished name, a pre-Windows 2000 computer name (SAM account name), a primary DNS suffix, a DNS host name and a service principal name. This computer name is used as the LDAP relative distinguished name.
Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative distinguished name. This can be changed at any time. The primary DNS suffix defaults to the full DNS name of the domain to which the computer is joined. The DNS host name is built from the first 15 characters of the relative distinguished name + the primary DNS suffix. The service principal name is built from the DNS host name. The service principal name is used in the process of mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the service principal name of the service to which it is trying to connect.
Question # 108
How to seize the schema master role?
Answer:-
1) Click Start, click Run, and then type cmd.
2) At the command prompt, type ntdsutil.
3) At the ntdsutil prompt, type roles.
4) At the fsmo maintenance prompt, type connections.
5) At the server connections prompt, type connect to server, followed by the fully qualified domain name.
6) At the server connections prompt, type quit.
7) At the fsmo maintenance prompt, type seize schema master.
8) At the fsmo maintenance prompt, type quit.
9) At the ntdsutil prompt, type quit.
Question # 109
How will you remove Orphaned Domains from Active Directory?
Answer:-
Typically, when the last DC for a domain is demoted, the administrator selects the "This server is the last DC in the domain" option in the Dcpromo tool, which removes the domain metadata from Active Directory.
1) Determine the DC that holds the Domain Naming Master FSMO role.
2) Verify that all servers for the specified domain have been demoted.
3) At the command prompt:
* ntdsutil
* metadata cleanup
* connections
* connect to server servername
Question # 110
How to configure auditing for specific active directory objects?
Answer:-
You can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access that you want to audit. To configure auditing for specific Active Directory objects, follow these steps:
1) Open Active Directory Users and Computers.
2) Select Advanced Features on the View menu.
3) Right-click the Active Directory object that you want to audit, and then click Properties.
4) Click the Security tab, and then click Advanced.
5) Click the Auditing tab, and then click Add.
6) Enter the name of either the user or the group whose access you want to audit. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
Question # 111
How to configure a one-way trust?
Answer:-
Perform the following steps to configure the one-way trust:
1) On a domain controller in the trusted domain, start the Active Directory Domains and Trusts console.
2) In the Domains that trust this domain pane, click Add.
3) In the Add Trusting Domain dialog box, type the name of the trusting domain, type a password, and then type the password again in the Confirm password box.
4) Click OK.
5) In the Active Directory dialog box, click OK to verify the trust.
6) Enter a user name and password of a user that has permissions to modify trust relationships in the trusting domain.
Question # 112
Distinguishing a DC from a Windows 2000 member server?
Answer:-
* The NTDS registry key exists in the HKLM\SYSTEM\CCS\SERVICES portion of the registry.
* The SYSVOL and NETLOGON shares exist. (The SYSVOL share and its contents exist after demotion of a DC.)
* NBTSTAT shows that the 1C name (Domain) has been registered. Type nbtstat -n from a command prompt and note the presence of the 1C name.
* The computer role from the NET ACCOUNTS utility lists the computer role as "PRIMARY" and standalone servers as "SERVERS." Type net accounts from the command prompt.
* The NET START command indicates that the Kerberos Key Distribution Center (KDC) service is running. Type net start |more.
* The computer responds to LDAP queries (specifically, to port 389 or 3268).
* The "Connect to server %S" command in Ntdsutil.exe functions only against Windows 2000 DCs.
* The Change button on the Network Identification tab in My Computer is disabled when Windows 2000 is configured as a DC. A note appears indicating this.
* Run Netdiag (a Resource Kit utility) and observe the "Machine is a Primary DC" entry in the output. Type netdiag /v from the command prompt.
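As an added example (not part of the original Q&A), the script below applies three of the indicators listed above (the <1C> NetBIOS name, the NET ACCOUNTS computer role and the KDC service in NET START) to command output. The sample outputs are constructed to mimic the tools' layout; they were not captured from a real server, and on a real machine you would feed in the actual output of nbtstat -n, net accounts and net start.

```python
"""Added example (not from the original Q&A): evaluate DC indicators over
constructed nbtstat -n, net accounts and net start output."""
import re

NBTSTAT_N = """\
Local Area Connection:
Node IpAddress: [192.0.2.10] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    DC1            <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    CORP           <1C>  GROUP       Registered
    DC1            <20>  UNIQUE      Registered
    CORP           <1B>  UNIQUE      Registered
"""

NET_ACCOUNTS = """\
Maximum password age (days):                          42
Minimum password length:                              7
Lockout threshold:                                    Never
Computer role:                                        PRIMARY
The command completed successfully.
"""

NET_START = """\
These Windows 2000 services are started:

   DNS Server
   Kerberos Key Distribution Center
   Net Logon
   Server
   Workstation

The command completed successfully.
"""


def nbt_1c_domains(text):
    """Domain names registered with the <1C> GROUP type (the domain controllers name)."""
    return {m.group(1) for m in re.finditer(r"^\s*(\S+)\s+<1C>\s+GROUP", text, re.M | re.I)}


def net_accounts_role(text):
    """Value of the 'Computer role:' line, e.g. PRIMARY on a DC."""
    m = re.search(r"^Computer role:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def kdc_running(text):
    """True if the Kerberos KDC service appears in the NET START listing."""
    return any(line.strip() == "Kerberos Key Distribution Center" for line in text.splitlines())


def dc_indicators(nbtstat_out, net_accounts_out, net_start_out):
    """Map each indicator to a bool; a DC should satisfy all three."""
    return {
        "1C name registered": bool(nbt_1c_domains(nbtstat_out)),
        "computer role PRIMARY": net_accounts_role(net_accounts_out) == "PRIMARY",
        "KDC service running": kdc_running(net_start_out),
    }


if __name__ == "__main__":
    for name, ok in dc_indicators(NBTSTAT_N, NET_ACCOUNTS, NET_START).items():
        print(f"{name:24} {ok}")
```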
Question # 113
How to create Third-Party Microsoft installer package?
Answer:-
If you want to install a third-party program by using this method, you must install a copy of Veritas Software Console by Seagate Software at a location that is accessible by the reference computer. This program is available on the Windows 2000 CD-ROM in Valueadd\3rdparty\Mgmt\Winstle\Swiadmle.msi. This includes a copy of WinINSTALL limited edition, which allows for basic functionality.
Question # 114
Define Attribute value?
Answer:-
An object's attribute is set concurrently to one value at one master, and another value at a second master.
Question # 115
Do you know what the common mistakes are that administrators make when they set up DNS on a network that contains a single Windows 2000 or Windows Server 2003 DC?
Answer:-
The most common mistakes are:
* The DC is not pointing to itself for DNS resolution on all network interfaces.
* The "." zone exists under forward lookup zones in DNS.
* Other computers on the local area network (LAN) do not point to the Windows 2000 DNS server for DNS.
Question # 116
Do you know why I have to point my DC to itself for DNS?
Answer:-
The Netlogon service on the DC registers a number of records in DNS that enable other DCs and computers to find Active Directory-related information. If the DC is pointing to the Internet service provider's (ISP) DNS server, Netlogon does not register the correct records for Active Directory, and errors are generated in Event Viewer. The preferred DNS setting for the DC is itself; no other DNS servers should be listed. The only exception to this rule is with additional DCs. Additional DCs in the domain must point to the first DC (which runs DNS) that was installed in the domain and then to themselves as secondary.
Question # 117
Do you know what a DC registers in DNS?
Answer:-
The Netlogon service registers all the SRV records for that DC. These records are displayed as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name. Other computers look for these records to find Active Directory-related information.
Question # 118
Tell me why can't I use WINS for name resolution like it is used in Microsoft Windows NT 4.0?
Answer:-
A Windows 2000 DC does not register Active Directory-related information with a WINS server; it only registers this information with a DNS server that supports dynamic updates such as a Windows 2000 DNS server. Other Windows 2000-based computers do not query WINS to find Active Directory-related information.
Question # 119
Suppose if I remove the ISP's DNS server settings from the DC, how does it resolve names such as Microsoft.com on the Internet?
Answer:-
As long as the "." zone does not exist under forward lookup zones in DNS, the DNS service uses the root hint servers. The root hint servers are well-known servers on the Internet that help all DNS servers resolve name queries.
Question # 120
Do you know what is the "." zone in my forward lookup zone?
Answer:-
This setting designates the Windows 2000 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.
Question # 121
Tell me, do I need to configure forwarders in DNS?
Answer:-
By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. In most cases, when you configure forwarders, DNS performance and efficiency increase, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems. The root hint servers can provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection.
Question # 122
How to synchronize time among DCs using net time?
Answer:-
* net time \\mypdc /set /y
* This synchronizes the local computer's time with the server named mypdc.
* The /set switch means the time is not only queried but also synchronized with the specified server.
* The /y switch skips the confirmation prompt for changing the time on the local computer.
Question # 123
Tell me do I need to point computers that are running Windows NT 4.0 or Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows 98 Second Edition to the Windows 2000 or Windows Server 2003 DNS server?
Answer:-
Legacy operating systems continue to use NetBIOS for name resolution to find a DC; however, it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution.
Question # 124
Tell me should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers?
Answer:-
No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the DC in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 DC running DNS. If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN.
Question # 125
Tell me what if my Windows 2000 or Windows Server 2003 DNS server is behind a proxy server or firewall?
Answer:-
If you are able to query the ISP's DNS servers from behind the proxy server or firewall, Windows 2000 and Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP Port 53 should be open on the proxy server or firewall.
Question # 126
Tell me what should I do if the DC points to itself for DNS, but the SRV records still do not appear in the zone?
Answer:-
Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools from the Windows 2000 Server CD-ROM to run Netdiag.exe.
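As an added example (not part of the original Q&A) for Q117 and Q126, the script below builds the owner names Netlogon is expected to register for a DC (the entries that populate the _msdcs, _sites, _tcp and _udp folders) and compares them with a listing of what is actually in the zone, reporting what is missing. The record list follows my reading of the netlogon.dns file layout and should be checked against %systemroot%\System32\Config\netlogon.dns on your own DC; the zone listing format is my own, not a tool's output, and the domain, site and GUID values are constructed placeholders.

```python
"""Added example (not from the original Q&A): expected Netlogon records versus
a constructed zone listing. Record names are my reading of netlogon.dns."""


def expected_netlogon_records(domain, forest, site, domain_guid, dsa_guid, is_gc=True, is_pdc=False):
    """Owner names (without trailing dot) a DC registers through Netlogon."""
    names = {
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kerberos._tcp.{site}._sites.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_kpasswd._udp.{domain}",
        f"{dsa_guid}._msdcs.{forest}",          # CNAME used by replication partners
    }
    if is_pdc:
        names.add(f"_ldap._tcp.pdc._msdcs.{domain}")
    if is_gc:
        names |= {
            f"_ldap._tcp.gc._msdcs.{forest}",
            f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}",
            f"_gc._tcp.{forest}",
            f"_gc._tcp.{site}._sites.{forest}",
            f"gc._msdcs.{forest}",               # A record
        }
    return names


def parse_zone_listing(text):
    """Owner names from a constructed listing: one record per line, owner first, ';' comments."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            names.add(line.split()[0].rstrip("."))
    return names


def missing_records(expected, present):
    """Sorted list of expected owner names absent from the zone."""
    return sorted(expected - present)


# Constructed listing (format is mine): a DC that has lost most site-specific and GC records.
ZONE_LISTING = """
; corp.example.com, constructed for this example
_ldap._tcp.corp.example.com.               SRV 0 100 389  dc1.corp.example.com.
_ldap._tcp.HQ._sites.corp.example.com.     SRV 0 100 389  dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     SRV 0 100 389  dc1.corp.example.com.
_kerberos._tcp.corp.example.com.           SRV 0 100 88   dc1.corp.example.com.
_kerberos._udp.corp.example.com.           SRV 0 100 88   dc1.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. SRV 0 100 88   dc1.corp.example.com.
_kpasswd._tcp.corp.example.com.            SRV 0 100 464  dc1.corp.example.com.
_kpasswd._udp.corp.example.com.            SRV 0 100 464  dc1.corp.example.com.
_gc._tcp.corp.example.com.                 SRV 0 100 3268 dc1.corp.example.com.
gc._msdcs.corp.example.com.                A   192.0.2.10
"""

EXPECTED = expected_netlogon_records(
    domain="corp.example.com", forest="corp.example.com", site="HQ",
    domain_guid="00000000-0000-0000-0000-000000000001",   # placeholder GUID
    dsa_guid="00000000-0000-0000-0000-000000000002",      # placeholder GUID
    is_gc=True, is_pdc=True)

if __name__ == "__main__":
    for name in missing_records(EXPECTED, parse_zone_listing(ZONE_LISTING)):
        print("missing:", name)
```

A listing that is missing the pdc or gc entries while the plain _ldap._tcp record is present usually points at the DC registering against the wrong DNS server or a disjointed namespace, which is the case Q126 describes.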
Question # 127
How do I set up DNS for other DCs in the domain that are running DNS?
Answer:-
For each additional DC that is running DNS, the preferred DNS setting is the parent DNS server (the first DC in the domain), and the alternate DNS setting is the actual IP address of the DC's own network interface.
Question # 128
Do you know how to set up DNS for a child domain?
Answer:-
To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server. Set the child DNS server to point to itself only.
Question # 129
How to configure DNS dynamic update in Windows 2000?
Answer:-
The DNS service allows client computers to dynamically update their resource records in DNS and improves DNS administration. You can use DDNS in conjunction with DHCP to update resource records when a computer's IP address is changed.
Question # 130
How Windows 2000-Based Computers Update Their DNS Names?
Answer:-
Windows 2000 computers try to dynamically register host address (A) and pointer (PTR) resource records. All computers register records based on their full computer name. Dynamic updates can be sent for any of the following reasons or events:
* An IP address is added, removed, or modified for any one of the installed network connections.
* An IP address lease changes or renews. For example, if you use the ipconfig /renew command.
* You use the ipconfig /registerdns command to manually force a refresh of the client name registration in DNS.
* At startup time, when the computer is turned on.
When one of these events triggers a dynamic update, the DHCP Client service (not the DNS Client service) sends updates. This process is designed so that if a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-address mappings for the computer. The DHCP Client service performs this function for all network connections used on the system, including connections that are not configured to use DHCP.
Question # 131
How to configure DNS dynamic update on a Windows 2000 DNS client computer?
Answer:-
1) Click Start, point to Settings, and then click Network and Dial-up Connections.
2) Right-click the network connection that you want to configure, and then click Properties.
3) Click either the General tab (for the local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
4) Click Advanced, and then click the DNS tab.
5) To use DNS dynamic update to register both the IP addresses for this connection and the full computer name of the computer, click to select the Register this connection's addresses in DNS check box. This check box is selected by default.
6) To configure a connection-specific DNS suffix, type the DNS suffix in the DNS suffix for this connection box.
7) To use DNS dynamic update to register the IP addresses and the connection-specific domain name for this connection, click to select the Use this connection's DNS suffix in DNS registration check box. This check box is selected by default.
Question # 132
How to configure DNS Dynamic Update on a Windows 2000 DNS Server?
Answer:-
1) Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2) Click the appropriate zone under either Forward Lookup Zones or Reverse Lookup Zones.
3) On the Action menu, click Properties.
4) On the General tab, verify that the zone type is either Primary or Active Directory integrated.
5) If the zone type is Primary, click Yes in the Allow dynamic updates? list.
6) If the zone type is Active Directory-integrated, click either Yes or Only secure updates in the Allow dynamic updates? list, depending on whether you want DNS dynamic updates to be secure.
Question # 133
How to Configure DNS Dynamic Update on a Windows 2000 DHCP Server?
Answer:-
1) Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
2) Click the appropriate DHCP server or a scope on the appropriate DHCP server.
3) On the Action menu, click Properties.
4) Click the DNS tab.
5) To enable DNS dynamic update for DHCP clients that support it, click to select the Automatically update DHCP client information in DNS check box. This check box is selected by default.
6) To enable DNS dynamic update for DHCP clients that do not support it, click to select the Enable updates for DNS clients that do not support dynamic updates check box. This check box is selected by default.
Question # 134
How to enable DNS Dynamic Updates on a DHCP Server?
Answer:-
1) Select the scope or DHCP server on which you want to permit dynamic DNS updates.
2) On the Action menu, click Properties, and then click the DNS tab.
3) Click to select the Automatically Update DHCP Client Information In DNS check box.
4) To update a client's DNS records based on the type of DHCP request that the client makes and only when it is requested, click Update DNS Only If DHCP Client Requests.
5) To always update a client's forward and reverse lookup records, click Always Update DNS.
6) Click to select the Discard Forward Lookups When Leases Expire check box to have the DHCP server delete the Host resource record for a client when its DHCP lease expires and is not renewed.
7) Click to select the Enable Updates For DNS Clients That Do Not Support Dynamic Updates check box to enable the DHCP server to update the forward and reverse lookup records for clients that cannot update their own forward lookup records. If you do not select this check box, the DHCP server does not automatically update the DNS records of non-Windows 2000 clients.
Question # 135
How to create a DNS entry for the Web Server?
Answer:-
1) Start the DNS snap-in.
2) Under DNS, expand Server1 (where Server1 is the host name of the DNS server). Expand Forward Lookup Zones.
3) Under Forward Lookup Zones, right-click the zone that you want (for example, Microsoft.com), and then click New Alias.
4) In the Alias name box, type www.
5) In the Fully qualified name for target host box, type the fully qualified host name of the DNS server on which IIS is installed. For example, type dns.microsoft.com, and then click OK.
Question # 136
How to configure a secondary Name Server in Windows 2000?
Answer:-
1) Open DNS MMC.
2) In the console tree, click Host name (where Host name is the host name of the DNS server).
3) In the console tree, click Forward Lookup Zones.
4) Right-click the zone that you want (for example, example.com), and then click Properties.
5) Click the Name Servers tab, and then click Add.
6) In the Server name box, type the host name of the server that you want to add, for example, namesvr2.example.com.
7) In the IP address box, type the IP address of the name server that you want to add (for example, 192.168.0.22), and then click Add.
8) Click OK, and then click OK.
9) In the console tree, click Reverse Lookup Zones, right-click the zone that you want, and then click Properties.
10) Click the Name Servers tab, and then click Add.
11) In the Server name box, type the host name of the server that you want to add, for example, namesvr2.example.com.
12) In the IP address box, type the IP address of the name server that you want to add (for example, 192.168.0.22), and then click Add.
13) Click OK, and then click OK.
Question # 137
How to configure the Forward Lookup Zone?
Answer:-
1) Open the DNS MMC on the secondary name server.
2) In the console tree, under DNS, click Host name (where Host name is the host name of the DNS server).
3) In the console tree, click Forward Lookup Zones.
4) Right-click Forward Lookup Zones, and then click New Zone.
5) When the New Zone Wizard starts, click Next to continue.
6) Click Standard secondary, and then click Next.
7) In the Name box, type the name of the zone (for example, example.com), and then click Next.
8) On the Master DNS Servers page, type the IP address of the primary name server for this zone, click Add, click Next, and then click Finish.
Question # 138
How to configure the Reverse Lookup Zone?
Answer:-
1) Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2) In the console tree, click Host name (where Host name is the host name of the DNS server).
3) In the console tree, click Reverse Lookup Zones.
4) Right-click Reverse Lookup Zones, and then click New Zone.
5) When the New Zone Wizard starts, click Next to continue.
6) Click Standard secondary, and then click Next. In the Network ID box, type the network ID (for example, type 192.168.0), and then click Next.
7) On the Zone File page, click Next, and then click Finish.
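The secondary name server setup of Questions 136 to 138 expressed with the DnsServer PowerShell module (Windows Server 2012 or later), plus a zone-transfer restriction on the primary that the GUI steps do not cover. This is an added example, not part of the original question bank; the zone, host name and secondary address are the page's own sample values, the primary's address and the use of "." for the zone apex are assumptions.

```powershell
# Added example: secondary name server configuration (DnsServer module, Windows
# Server 2012+). Sample values from the page; the primary's address is assumed.
$Zone      = 'example.com'
$Network   = '192.168.0.0/24'        # reverse zone for 192.168.0.x
$Primary   = '192.168.0.1'           # placeholder address of the primary (master)
$Secondary = 'namesvr2.example.com'
$SecondIp  = '192.168.0.22'

# --- Run on the primary name server ---
# Register the secondary as an authoritative name server (the entry added on the
# Name Servers tab) together with a glue A record for it.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'namesvr2' -IPv4Address $SecondIp
Add-DnsServerResourceRecord -ZoneName $Zone -Name '.' -NS -NameServer $Secondary

# Only the listed secondary may pull a full copy of the zone (AXFR/IXFR); a zone
# that transfers to any host hands out a complete map of the network.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondIp `
    -Notify NotifyServers -NotifyServers $SecondIp

# --- Run on the secondary name server ---
# Standard secondary forward zone (Question 137) and reverse zone (Question 138),
# both loaded from the primary's address.
Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $Primary
Add-DnsServerSecondaryZone -NetworkId $Network -ZoneFile '0.168.192.in-addr.arpa.dns' `
    -MasterServers $Primary

# Check, on the primary, which hosts are allowed to transfer each zone.
function Get-ZoneTransferPolicy {
    Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' } |
        Select-Object ZoneName, SecureSecondaries, SecondaryServers
}
Get-ZoneTransferPolicy
```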
Question # 139
How to configure the Windows 2000 Domain Name System to age records?
Answer:-
Dynamic DNS on a Windows 2000-based server does not age records that are orphaned, for example by renaming computers or by moving them to different subnets outside their zones, unless the server is configured to do so. Orphans can occur if a group of computers is installed from an image and then renamed at a later time on another subnet. The reverse lookup pointer (PTR) records may not be deleted if the computer is disconnected from the network immediately after the installation. Such records can be deleted automatically by enabling the Aging and Scavenging feature on the DNS server.
Question # 140
How to enable Aging and Scavenging?
Answer:-
1) Open the DNS manager.
2) In the left pane, under the DNS icon, right-click the server name.
3) Click Set Aging/Scavenging for all zones.
4) Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.
Question # 141
How to set the Aging feature on an individual zone?
Answer:-
1) Right-click the zone, and then click Properties.
2) Click Aging.
3) Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.
If the Aging feature is not enabled at the server level, and you attempt to enable the Aging feature at the zone level, the Aging feature does not work. After you select the appropriate aging periods and you enable the Scavenging feature on the server, outdated records are scavenged.
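Aging and scavenging at the server level (Question 140) and for a single zone (Question 141), set with the DnsServer PowerShell module (Windows Server 2012 or later), followed by a preview of the records that would be scavenged. This is an added example, not part of the original question bank; the zone name is the page's sample value and the intervals are assumptions.

```powershell
# Added example: enable aging/scavenging and preview stale records (DnsServer
# module, Windows Server 2012+). Intervals below are assumed values.
$Zone      = 'example.com'
$NoRefresh = New-TimeSpan -Days 7    # no-refresh interval
$Refresh   = New-TimeSpan -Days 7    # refresh interval
$Interval  = New-TimeSpan -Days 7    # how often the server runs scavenging

# Server level: this must be on, otherwise zone-level aging has no effect.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval $Interval `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh

# Zone level: turn on aging for one zone only.
Set-DnsServerZoneAging -Name $Zone -Aging $true `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh

# Records whose time stamp is older than NoRefresh + Refresh are eligible for
# scavenging; static records carry no time stamp and are never removed.
function Get-StaleDnsRecord {
    param([string]$ZoneName)
    $srv = Get-DnsServerScavenging
    if (-not $srv.ScavengingState) {
        Write-Warning 'Scavenging is off at the server level; zone aging does nothing.'
    }
    $aging  = Get-DnsServerZoneAging -Name $ZoneName
    $cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
    Get-DnsServerResourceRecord -ZoneName $ZoneName |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, RecordType, Timestamp
}
Get-StaleDnsRecord -ZoneName $Zone
```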
Question # 142
How to allow only secure dynamic updates?
Answer:-
1) Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2) Under DNS, expand the applicable DNS server, expand Forward Lookup Zones (or Reverse Lookup Zones), and then click the applicable zone.
3) On the Action menu, click Properties.
4) On the General tab, verify that the zone type is Active Directory-integrated.
5) In the Allow dynamic updates? box, click Only secure updates.
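An audit of the dynamic-update mode of every primary zone on a DNS server, with remediation to secure-only for the Active Directory-integrated ones, using the DnsServer PowerShell module (Windows Server 2012 or later, not the Windows 2000 GUI path above). This is an added example, not part of the original question bank; the server name is a placeholder.

```powershell
# Added example: find zones that accept nonsecure dynamic updates and restrict the
# AD-integrated ones to secure updates (DnsServer module, Windows Server 2012+).
$DnsServer = 'dc01.example.com'   # placeholder DNS server

function Get-ZoneUpdatePolicy {
    param([string]$ComputerName)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName      = $_.ZoneName
                AdIntegrated  = $_.IsDsIntegrated
                DynamicUpdate = $_.DynamicUpdate
                # Only an AD-integrated zone can require secure updates (step 4 above);
                # a file-backed zone that allows updates accepts them from any host.
                Finding = if ($_.DynamicUpdate -eq 'NonsecureAndSecure') {
                    if ($_.IsDsIntegrated) { 'Set to Secure' }
                    else { 'Convert to AD-integrated first' }
                } else { 'OK' }
            }
        }
}

function Set-SecureUpdatesOnly {
    param([string]$ComputerName)
    Get-ZoneUpdatePolicy -ComputerName $ComputerName |
        Where-Object { $_.Finding -eq 'Set to Secure' } |
        ForEach-Object {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $_.ZoneName `
                -DynamicUpdate Secure
            "$($_.ZoneName): dynamic updates restricted to secure only"
        }
}

Get-ZoneUpdatePolicy -ComputerName $DnsServer | Format-Table -AutoSize
Set-SecureUpdatesOnly -ComputerName $DnsServer
```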
Question # 143
How to create a Site link in Active Directory?
Answer:-
To create a new site link:
1) Click Active Directory Sites and Services.
2) Expand the Inter-Site Transports node, right-click IP (or click SMTP if you want to use SMTP as the inter-site transport protocol), and then click New Site Link. If you have only one site in Active Directory, you receive a message that states that two sites are required for the site link to work. Click OK to continue.
Question # 144
How to create a Third-Party MSI package in Active Directory?
Answer:-
1) Start with a clean PC, or one that is representative of the computers in your network.
2) Start Discover to take a picture of the representative PC's software configuration. This is the Before snapshot.
3) Install a program on the PC on which you took the Before snapshot.
4) Reboot the PC.
5) Run the new program to verify that it works.
6) Quit the program.
7) Start Discover and take an After snapshot of the PC's new configuration. Discover compares the Before and the After snapshots and notes the changes. It creates a Microsoft Installer package with information about how to install that program on such a PC in the future.
8) (Optional) Use Veritas Software Console to customize the Microsoft Installer package.
9) Clean the reference computer to prepare to run Discover again.
10) (Optional) Perform a test installation of the program on non-production workstations.
Question # 145
Define clean PC in Active Directory?
Answer:-
A clean PC is defined as a computer with only the following items on it before you run Discover:
* The operating system
* The service packs for the operating system
If you install Veritas Software Console on the computer, it is by definition no longer a clean PC. You must install Veritas Software Console somewhere, but not on the clean PC.
Question # 146
Can you connect Active Directory to other third-party directory services? Name a few options.
Answer:-
Yes. You can connect Active Directory to other third-party directory services, such as the directories used by SAP, Domino, etc., with the help of MIIS (Microsoft Identity Integration Server).