Sunday, 2 December 2012

Get members from group

In any environment, when an employee leaves the company you disable the user account in Active Directory, but the disabled account is still a member of its distribution lists and security groups and has to be removed from them manually.

If you want to find all the disabled users in an Active Directory group, use the command below. It lists the members of the group together with the status of each account.

The command below gets the status of each member of the group (account disabled or not).

Group name: sales_executes

Syntax:

dsquery group -samid "<Group Name>" | dsget group -members | dsget user -samid -disabled

Example:

dsquery group -samid sales_executes | dsget group -members | dsget user -samid -disabled
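The same check done with the ActiveDirectory PowerShell module, as an added example that is not part of the original post: it reports every member of the group with its enabled/disabled status and then removes only the disabled accounts. It assumes the RSAT ActiveDirectory module is installed; the group name is the one used above.

```powershell
# Added example, not from the original post: list the members of an AD group
# with each account's enabled/disabled status using the RSAT ActiveDirectory
# module (assumed installed), then optionally remove the disabled accounts.
Import-Module ActiveDirectory

function Get-GroupMemberStatus {
    param([Parameter(Mandatory)] [string] $GroupName)

    # Get-ADGroupMember returns ADPrincipal objects that carry no Enabled attribute,
    # so each user is looked up again. Nested groups are not expanded on purpose:
    # an account that is only a member through a nested group cannot be removed
    # from this group directly.
    Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled } |
        Select-Object SamAccountName, Name, Enabled
}

$groupName = 'sales_executes'   # group name from the post

# Report: Enabled = False means the account is disabled.
$members = Get-GroupMemberStatus -GroupName $groupName
$members | Sort-Object Enabled | Format-Table -AutoSize

# Clean-up: remove only the disabled accounts. -WhatIf prints what would happen
# without changing the group; drop it once the list has been reviewed.
$disabled = $members | Where-Object { -not $_.Enabled }
foreach ($user in $disabled) {
    Remove-ADGroupMember -Identity $groupName -Members $user.SamAccountName -Confirm:$false -WhatIf
}
```

Running the report across all groups (Get-ADGroup -Filter * piped into the function) gives the list of disabled accounts that still hold group memberships, which is the usual leaver clean-up gap.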

move the DNS zone from Domain Partition to Application partition

Once an application directory partition has been implemented, you can move DNS zones from the domain partition to the application partition. Before that you need a full understanding of application directory partitions, in particular the different Active Directory zone replication scopes and which one suits your requirement.
The procedure itself is very simple, but proper planning is required before moving DNS zones from the domain partition to an application directory partition.

1. Take a backup of the zone you are going to move; it is useful for rolling back.

2. Right-click the zone you are going to move and select Properties.

3. Under Replication, the current replication scope is shown. You can change the scope by clicking the Change button.

4. This opens the Change Zone Replication Scope dialog.

5. Select the zone replication scope as per your requirement.
For a forest-wide DNS application directory partition, select the first option:
- To all DNS servers in the Active Directory forest domain.com
For a domain-wide DNS application directory partition, select the second option:
- To all DNS servers in the Active Directory domain domain.com
For the domain partition (Active Directory-integrated zone), select the third option:
- To all domain controllers in the Active Directory domain domain.com
For a custom DNS application directory partition, select the last option; it is only selectable if you have created a custom DNS application directory partition:
- To all domain controllers specified in the scope of the following application directory partition
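The same procedure, backup included, done from PowerShell with the DnsServer module, as an added example that is not part of the original post. The post shows the Windows 2008 GUI; this assumes Windows Server 2012 or later (where the DnsServer module exists), an AD-integrated primary zone called domain.com (the placeholder used above), and a backup folder of my choosing.

```powershell
# Added example, not from the original post: move an AD-integrated zone between
# replication scopes with the DnsServer module (Windows Server 2012+), taking a
# backup first. Zone name is the post's placeholder; backup folder is assumed.
Import-Module DnsServer

$zoneName  = 'domain.com'
$backupDir = 'C:\DnsZoneBackup'   # assumed backup folder

# Step 1: back up the zone before touching it. Export-DnsServerZone writes the
# file under %SystemRoot%\System32\dns, so copy it to the backup folder afterwards.
$backupFile = "$zoneName-$(Get-Date -Format yyyyMMdd-HHmm).dns"
Export-DnsServerZone -Name $zoneName -FileName $backupFile
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Copy-Item "$env:SystemRoot\System32\dns\$backupFile" -Destination $backupDir

# Steps 2-3: show the current scope (Domain, Forest, Legacy or Custom) and partition.
Get-DnsServerZone -Name $zoneName |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DirectoryPartitionName

# Steps 4-5: change the scope. The four values map to the four options in the dialog:
#   Forest  = all DNS servers in the forest (ForestDnsZones partition)
#   Domain  = all DNS servers in the domain (DomainDnsZones partition)
#   Legacy  = all domain controllers in the domain (the domain partition itself)
#   Custom  = a custom application directory partition you created beforehand
Set-DnsServerPrimaryZone -Name $zoneName -ReplicationScope Forest

# For a custom partition, name it explicitly (the partition must already exist):
# Set-DnsServerPrimaryZone -Name $zoneName -ReplicationScope Custom `
#     -DirectoryPartitionName 'CustomDnsZones.domain.com'

# Verify the move, then confirm the zone still answers for its own SOA.
Get-DnsServerZone -Name $zoneName | Select-Object ZoneName, ReplicationScope, DirectoryPartitionName
Resolve-DnsName -Name $zoneName -Type SOA -Server localhost
```

If the final query fails or the other DNS servers in the new scope do not show the zone after replication, the exported .dns file can be re-imported to recreate the zone, which is why the backup comes first.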

DNS server 2008 features

Compared to Windows 2003, Windows 2008 has more features and improvements. I will discuss the DNS-related improvements in this article; Microsoft made the improvements that IT environments really needed. The Windows 2008 DNS features are listed below.

Background zone loading: If you administer a large environment you will have seen this issue: after a DNS server restart it takes some time to load the DNS zones, and until then the server does not respond to DNS queries from clients (it does not even respond to nslookup); you have to wait for the server to finish loading the zones. This has been rectified in the Windows 2008 DNS server: zone data is loaded in the background while the DNS server restarts, so the server starts responding to client queries very quickly.

IP version 6 support: The Windows 2008 DNS Server fully supports the longer addresses of the IPv6 specification.

Support for read-only domain controllers (RODCs): On a writable domain controller we can modify the primary DNS zone, but what about the primary zone on a read-only domain controller? We cannot modify or update it there, so Windows 2008 Server provides primary read-only zones on RODCs.

Global single names: The GlobalNames zone provides single-label name resolution for large enterprise networks without adding DNS suffixes for name resolution across the various domain names. If your environment does not have WINS, or you plan to deploy IPv6 only, then you need to deploy the GlobalNames zone; it is useful when using DNS name suffixes to provide single-label name resolution is not practical.

Global query block list: Clients of such protocols as the Web Proxy Auto-Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP) that rely on DNS name resolution to resolve well-known host names are vulnerable to malicious users who use dynamic update to register host computers that pose as legitimate servers. The DNS Server role in Windows Server 2008 provides a global query block list that can help reduce this vulnerability.

DNS Security Extensions (DNSSEC): DNSSEC works by digitally signing DNS resource records using public-key cryptography, so that the records returned for a DNS lookup can be verified. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone, which is the trusted third party.
The following DNSSEC-related features are introduced in Windows Server 2008 R2:
  • The ability to sign a zone (that is, to provide the zone a digital signature)
  • The ability to host signed zones
  • New support for the DNSSEC protocol
  • New support for DNSKEY, RRSIG, NSEC, and DS resource records
A key feature of DNSSEC is that it enables you to sign a DNS zone, which means that all the records in that zone are signed as well. The DNS client can use the digital signature added to the resource records to confirm that they are valid. This is typical of what you see in other areas where you have deployed services that depend on a PKI. The DNS client can validate that the response has not been changed using the public/private key pair. In order to do this, the DNS client has to be configured to trust the signer of the signed zone.
The new Windows Server 2008 R2 DNSSEC support enables you to sign file-based and Active Directory-integrated zones through an offline zone signing tool. I know it would have been easier to have a GUI interface for this. When configured with a trust anchor, a DNS server is able to validate DNSSEC responses received on behalf of the client. However, in order to prove that a DNS answer is correct, you need to know at least one key or DS record that is correct from a source other than DNS. These starting points are called trust anchors.
Another change in the Windows 7 and Windows Server 2008 R2 DNS client is that it acts as a security-aware stub resolver. This means that the DNS client lets the DNS server handle the security validation tasks but consumes the results of the validation performed by the DNS server. The DNS client uses the Name Resolution Policy Table (NRPT) to determine when it should check for validation results. After the client confirms that the response is valid, it returns the results of the DNS query to the application that triggered the query.

DNS Cache Locking: DNS cache locking in Windows Server 2008 R2 lets you control whether information already in the DNS cache can be overwritten. If you turn on cache locking, the DNS server will not allow cached records to be overwritten for the duration of their time to live (TTL) value. This helps protect your DNS server from cache poisoning.
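The two hardening features above, the global query block list and cache locking, checked and set from the command line, as an added example that is not part of the original post. It uses dnscmd (present on Windows Server 2008) and the DNS service registry parameters; the DnsServer module cmdlets listed at the end are the Windows Server 2012+ equivalents. Run it on the DNS server itself.

```powershell
# Added example, not from the original post: inspect and set the global query
# block list and the cache locking percentage on a Windows DNS server.

# --- Global query block list (Windows Server 2008 and later) ---
# Show whether the list is enabled and which names are blocked (wpad and isatap by default).
dnscmd /Info /EnableGlobalQueryBlockList
dnscmd /Info /GlobalQueryBlockList

# Enable it and set the blocked names. A host registered as "wpad" or "isatap"
# through dynamic update is not resolvable while its name is on this list, which
# is what stops a rogue proxy or tunnel endpoint from being picked up by clients.
dnscmd /Config /EnableGlobalQueryBlockList 1
dnscmd /Config /GlobalQueryBlockList wpad isatap

# --- Cache locking (Windows Server 2008 R2 and later) ---
# CacheLockingPercent is the share of a record's TTL during which it cannot be
# overwritten; 100 means a cached record is never replaced before it expires.
dnscmd /Info /CacheLockingPercent
dnscmd /Config /CacheLockingPercent 100

# Both settings are stored under the DNS service parameters key and are read at
# service start, so restart the DNS service for them to take effect.
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
Get-ItemProperty -Path $dnsParams |
    Select-Object EnableGlobalQueryBlockList, GlobalQueryBlockList, CacheLockingPercent
Restart-Service -Name DNS

# DnsServer module equivalents (Windows Server 2012 and later):
# Get-DnsServerGlobalQueryBlockList
# Set-DnsServerGlobalQueryBlockList -Enable $true -List wpad,isatap
# Get-DnsServerCache | Select-Object LockingPercent
# Set-DnsServerCache -LockingPercent 100
```

Adding a name to the block list is the right response when a legitimate host is found registered under one of these names only after confirming it is not a real WPAD or ISATAP deployment; if it is, remove that one name from the list rather than disabling the list.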

DNS Glue record

What are glue records?

If the nameserver (NS) is a subdomain of the domain you want to configure, e.g. you want to set ns1.yourdomain.com and ns2.yourdomain.com as the nameservers for yourdomain.com, then your domain will need glue records.
A glue record is an A record with your nameserver's IP address, stored in the parent zone's nameservers, usually the nameservers for the top-level domain (.com.au, .com, .net, ...). Without it a resolver would have to look up ns1.yourdomain.com, which it could only do by asking ns1.yourdomain.com: a circular dependency.
For a more complete explanation have a look on Wikipedia
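A way to check that the parent zone actually carries the glue, as an added example that is not part of the original post: it asks a parent (.com) nameserver for the domain's NS records and reports whether A/AAAA records for in-domain nameservers came back in the Additional section. The domain and nameserver names are the placeholders used above; a.gtld-servers.net is a real .com server, but any server for the parent zone works.

```powershell
# Added example, not from the original post: verify glue records by querying the
# parent zone's nameserver directly. Domain name is the post's placeholder.
function Test-GlueRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $ParentServer
    )
    # -DnsOnly bypasses the local cache and hosts file so the answer really comes
    # from the parent; the delegation arrives as NS records plus Additional glue.
    $answer = Resolve-DnsName -Name $Domain -Type NS -Server $ParentServer -DnsOnly

    $nsNames = $answer | Where-Object { $_.Type -eq 'NS' } | ForEach-Object { $_.NameHost }
    $glue    = $answer | Where-Object { $_.Section -eq 'Additional' -and $_.Type -in 'A','AAAA' }

    foreach ($ns in $nsNames) {
        # Only nameservers inside the domain itself need glue; ns1.other.net does not.
        $needsGlue = $ns -like "*.$Domain"
        $ips = $glue | Where-Object { $_.Name -eq $ns } | ForEach-Object { $_.IPAddress }

        if (-not $needsGlue) { $status = 'n/a (out-of-zone NS)' }
        elseif ($ips)        { $status = 'OK' }
        else                 { $status = 'MISSING glue' }

        [pscustomobject]@{
            NameServer = $ns
            NeedsGlue  = $needsGlue
            GlueIPs    = ($ips -join ', ')
            Status     = $status
        }
    }
}

# Placeholder domain from the post; replace with a real one to run the check.
Test-GlueRecords -Domain 'yourdomain.com' -ParentServer 'a.gtld-servers.net' | Format-Table -AutoSize
```

A nameserver that shows MISSING glue is unreachable for any resolver that has not cached its address some other way, so the domain appears to resolve intermittently; the fix is at the registrar, where the host records (glue) for the nameservers are created.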

DNS interview questions-2003 server


DNS Interview Questions and Answer

1. Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?
PTR Records
2. What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa
3. SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.
4. By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?
Performs a recursive search through the primary DNS server based on the network interface configuration
5. What is the main purpose of SRV records?
SRV records are used in locating hosts that provide certain network services.
6. Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure?
The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates.
7. Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients?
The zone to be used for dynamic updates must be configured to allow dynamic updates. The DHCP server must support, and be configured to allow, dynamic updates for legacy clients.
8. At some point during the name resolution process, the requesting party received authoritative reply. Which further actions are likely to be taken after this reply?
After receiving the authoritative reply, the resolution process is effectively over.
9. Your company uses ten domain controllers, three of which are also used as DNS servers. You have one companywide AD-integrated zone, which contains several thousand resource records. This zone also allows dynamic updates, and it is critical to keep this zone up-to-date.
Replication between domain controllers takes up a significant amount of bandwidth. You are looking to cut bandwidth usage for the purpose of replication. What should you do?
Change the replication scope to all DNS servers in the domain.
10. You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?
DNS servers are not caching replies. Local client computers are not caching replies. The cache.dns file may have been corrupted on the server.

Lingering Objects removal step by step




Lingering Object

Lingering objects are objects that exist on one or more DCs but do not exist on other DCs hosting the same partition. They may be introduced in any partition except the schema. They are essentially object delete operations that did not successfully replicate to DCs/GCs that host the partition of the deleted object. Eventually the tombstoned (deleted) object is garbage collected, which destroys all knowledge of the delete and purges the object from the database. They can be introduced through a few mechanisms:
· Failing replication for more than the tombstone lifetime (TSL)
· System state restores using a backup that is older than the TSL
· Dcpromos using IFM media that is older than the TSL

Event ID 1388

This event indicates that a destination domain controller that does not have strict replication consistency enabled has received a request to update an object that does not reside in the local copy of the Active Directory database. In response, the destination domain controller has requested the full object from the source replication partner. In this way, a lingering object has been replicated ("reanimated") to the destination domain controller.

Event ID 1988

This event indicates that a destination domain controller that has strict replication consistency enabled has received a request to update an object that does not exist in its local copy of the Active Directory database. In response, the destination domain controller has blocked replication of the directory partition containing that object from that source domain controller. The event text identifies the source domain controller and the outdated (lingering) object. An example version of the event text is as follows:

Find Lingering Objects?

Use repadmin with /removelingeringobjects and the /advisory_mode switch to find these objects.
You need a good source DC to start with. Basically, we are going to check whether a different DC has additional objects compared with our source DC. An event 1946 is logged for each lingering object identified, which means a lingering object has been detected.
When the detection finishes, an event with Event ID 1942 is logged in the Directory Service log.

Remove Lingering Objects steps:

If replication of a lingering object has been detected, you can remove the object from Active Directory, along with any read-only replicas of the object, by identifying the domain controllers that might store this object (including global catalog servers) and running repadmin /removelingeringobjects against these servers. This command is available on domain controllers running the version of Repadmin.exe included with the Windows Support Tools in Windows Server 2003.
If the lingering object is present in a writable or read-only directory partition on a domain controller running Windows Server 2003 or Windows Server 2003 with Service Pack 1 (SP1), you can remove lingering objects by running the repadmin /removelingeringobjects command against that target domain controller.
To remove lingering objects, do the following:

1.       Use the event text to identify the following:
· the directory partition of the object
· the source domain controller that attempted replication of the lingering object

Steps to find GUID:

Use Repadmin to Identify the GUID of an Authoritative Domain Controller
To perform the procedure that removes lingering objects, you must identify the globally unique identifier (GUID) of an up-to-date domain controller that has a writable replica of the directory partition that contains the lingering object that has been reported. The directory partition is identified in the event message.
The object GUID of a domain controller is stored in the objectGUID attribute of the NTDS Settings object.

Requirements

· Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group in the domain of ServerName.
· Tool: Repadmin.exe (Windows Support Tools).

So a sample command would be:

C:\>Repadmin /removeLingeringObjects wtec-dc1 f5cc63b8-cdc1-4d43-8709-22b0e07b48d1 dc=xxxx,dc=xxxx,dc=xxxx,dc=xxxx


· When all the lingering objects have been deleted, an event with Event ID 1939 is logged in the Directory Service log.
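The whole sequence scripted, as an added example that is not part of the original post: look up the DSA GUID of the authoritative DC, run repadmin in advisory mode against every other DC, check the 1946/1942 events, and only then run the real removal. wtec-dc1 is the good DC from the sample command above; the partition DN is a placeholder to replace with the one named in the 1388/1988 event. Assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post: find the authoritative DC's DSA GUID
# and remove lingering objects from all other DCs, advisory mode first.
Import-Module ActiveDirectory

$goodDc    = 'wtec-dc1'                 # good DC from the sample command in the post
$partition = 'DC=xxxx,DC=xxxx,DC=xxxx'  # placeholder: partition DN from the event text

# The GUID repadmin expects is the objectGUID of the good DC's NTDS Settings object
# (repadmin /showrepl $goodDc prints the same value as "DSA object GUID").
$ntdsDn   = (Get-ADDomainController -Identity $goodDc).NTDSSettingsObjectDN
$goodGuid = (Get-ADObject -Identity $ntdsDn -Properties objectGUID).objectGUID.ToString()
"Authoritative DC $goodDc has DSA GUID $goodGuid"

# Every other DC in the domain may hold a replica of the partition (GCs hold
# read-only copies of all domain partitions), so all of them are targets.
$targets = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $goodDc }

# Pass 1: advisory mode only logs what would be removed
# (event 1946 per lingering object, event 1942 when the scan is finished).
foreach ($dc in $targets) {
    repadmin /removelingeringobjects $dc.HostName $goodGuid $partition /advisory_mode
}

# Review the Directory Service log on each target before deleting anything.
foreach ($dc in $targets) {
    Get-WinEvent -ComputerName $dc.HostName -MaxEvents 50 `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1946, 1942 } |
        Select-Object MachineName, TimeCreated, Id, Message
}

# Pass 2: the actual deletion; event 1939 is logged when it completes.
# Uncomment after the advisory output has been reviewed.
# foreach ($dc in $targets) {
#     repadmin /removelingeringobjects $dc.HostName $goodGuid $partition
# }
```

The advisory pass is the safety net: if the "good" DC was chosen wrongly, the 1946 events will list objects that clearly should exist, and nothing has been deleted yet.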

Active Directory interview questions

What is the order in which GPOs are applied ?
Group Policy settings are processed in the following order:
1. Local Group Policy object: Each computer has exactly one Group Policy object that is stored locally. This is processed for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC.
The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
How to backup/restore Group Policy objects ?
Begin the process by logging on to a Windows Server 2008 domain controller, and opening the Group Policy Management console. Now, navigate through the console tree to Group Policy Management | Forest: | Domains | | Group Policy Objects.
When you do, the details pane should display all of the group policy objects that are associated with the domain. In Figure A there are only two group policy objects, but in a production environment you may have many more. The Group Policy Objects container stores all of the group policy objects for the domain.
Now, right-click on the Group Policy Objects container, and choose the Back Up All command from the shortcut menu. When you do, Windows will open the Back Up Group Policy Object dialog box.
As you can see in Figure B, this dialog box requires you to provide the path to which you want to store the backup files. You can either store the backups in a dedicated folder on a local drive, or you can place them in a folder on a mapped network drive. The dialog box also contains a Description field that you can use to provide a description of the backup that you are creating.
You must provide the path to which you want to store your backup of the group policy objects.
To initiate the backup process, just click the Back Up button. When the backup process completes, you should see a dialog box that tells you how many group policy objects were successfully backed up. Click OK to close the dialog box, and you’re all done.
When it comes to restoring a backup of any Group Policy Object, you have two options. The first option is to right-click on the Group Policy Object, and choose the Restore From Backup command from the shortcut menu. When you do this, Windows will remove all of the individual settings from the Group Policy Object, and then implement the settings found in the backup.
Your other option is to right-click on the Group Policy Object you want to restore, and choose the Import Settings option. This option works more like a merge than a restore.
Any settings that presently reside within the Group Policy Object are retained unless there is a contradictory settings within the file that is being imported.
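The same backup, restore and import operations done with the GroupPolicy PowerShell module instead of the GPMC console, as an added example that is not part of the original post. It assumes Windows Server 2008 R2 or later (where the module exists); the backup folder and the GPO names are my own placeholders.

```powershell
# Added example, not from the original post: back up all GPOs, restore one, and
# import one's settings into another GPO with the GroupPolicy module.
Import-Module GroupPolicy

$backupPath = 'C:\GPOBackups\' + (Get-Date -Format 'yyyy-MM-dd')   # assumed folder
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

# "Back Up All": one backup per GPO in the domain, with a description like the
# dialog's Description field. The returned objects identify each backup.
$backups = Backup-GPO -All -Path $backupPath -Comment "Full backup taken $(Get-Date -Format u)"
$backups | Select-Object DisplayName, GpoId, Id, Timestamp | Format-Table -AutoSize

# Sanity check: every live GPO should have a backup in the folder.
$liveCount = (Get-GPO -All).Count
"Backed up $($backups.Count) of $liveCount GPOs to $backupPath"

# Option 1, "Restore From Backup": replaces every setting in the existing GPO
# with the most recent backup of that same GPO found under $backupPath.
Restore-GPO -Name 'Default Domain Policy' -Path $backupPath | Out-Null

# Option 2, "Import Settings": take the settings from a backup of one GPO and
# put them into another GPO; the target keeps its own GUID and links.
# -CreateIfNeeded creates the target GPO when it does not exist yet.
Import-GPO -BackupGpoName 'Default Domain Policy' -Path $backupPath `
           -TargetName 'Default Domain Policy - copy' -CreateIfNeeded | Out-Null
```

Scheduling the Backup-GPO block as a daily task gives a history of every GPO, so an unexpected change to a security baseline can be diffed against yesterday's copy before it is restored.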
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
Go to Start -> Programs -> Administrative Tools -> Active Directory Users and Computers
Right-click on the domain -> click on Properties
In the new window click on Group Policy
Select Default Policy -> click on Edit
In the Group Policy console
go to User Configuration -> Administrative Templates -> Start Menu and Taskbar
Select each property you want to modify and do the same
What's the difference between software publishing and assigning?
Assign Users :The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the start menu, or accesses a file that has been associated with the software application.
Assign Computers :The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.
Publish to users : The software application does not appear on the start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.
What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment. Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines.
An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified “namespace” in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).
Can I deploy non-MSI software with GPO?
Create the file with a .zap extension.
Name some GPO settings in the computer and user parts ?
Group Policy Object (GPO): computer = Computer Configuration, user = User Configuration.
A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
Make sure the user is not subject to a loopback policy, as with loopback policy the user settings do not apply, only the computer policy applies. Also check whether he is a member of the GPO filter group or not.
You may also want to check the computers event logs. If you find event ID 1085 then you may want to download the patch to fix this and reboot the computer.
How can I override blocking of inheritance ?
What can I do to prevent inheritance from above?
Name a few benefits of using GPMC.
How frequently is the client policy refreshed ?
90 minutes give or take.
Where is secedit ?
It’s now gpupdate.
What can be restricted on Windows Server 2003 that wasn’t there in previous products ?
Group Policy in Windows Server 2003 determines a users right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
You want to create a new group policy but do not wish to inherit.
Make sure you check Block inheritance among the options when creating the policy.
How does the Group Policy ‘No Override’ and ‘Block Inheritance’ work ?
Group Policies can be applied at multiple levels (sites, domains, organizational units) with multiple GPOs at each level. Obviously some policy settings may conflict, hence the application order of Site – Domain – Organizational Unit, and within each layer you set the order for all defined policies. But you may want to force some policies to never be overridden (No Override), and you may want some containers not to inherit settings from a parent container (Block Inheritance).
A good definition of each is as follows:
No Override – This prevents child containers from overriding policies set at higher levels
Block Inheritance – Stops containers inheriting policies from parent containers
No Override takes precedence over Block Inheritance so if a child container has Block Inheritance set but on the parent a group policy has No Override set then it will get applied.
Also the highest No Override takes precedence over lower No Override’s set.
To block inheritance perform the following:
  1. Start the Active Directory Users and Computers snap-in (Start – Programs – Administrative Tools – Active Directory Users and Computers)
  2. Right-click the container you wish to stop inheriting settings from its parent and select Properties
  3. Select the ‘Group Policy’ tab
  4. Check the ‘Block Policy inheritance’ option
  5. Click Apply, then OK
To set a policy to never be overridden perform the following:
  1. Start the Active Directory Users and Computers snap-in (Start – Programs – Administrative Tools – Active Directory Users and Computers)
  2. Right-click the container whose Group Policy you wish to set to not be overridden and select Properties
  3. Select the ‘Group Policy’ tab
  4. Click Options
  5. Check the ‘No Override’ option
  6. Click OK
  7. Click Apply, then OK
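Both settings applied and verified with the GroupPolicy module, as an added example that is not part of the original post. In GPMC and in the module, No Override is called Enforced. The OU, domain DN and GPO name are my own placeholders.

```powershell
# Added example, not from the original post: block inheritance on an OU, enforce
# (No Override) a baseline GPO at the domain, and show what still applies.
Import-Module GroupPolicy

$domainDn = 'DC=domain,DC=com'               # placeholder domain
$ou       = "OU=Sales,$domainDn"             # placeholder OU
$gpoName  = 'Corporate Security Baseline'    # placeholder GPO name

# Block Inheritance on the OU: GPOs linked above it stop applying here ...
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

# ... except links marked Enforced (No Override), which always win. Enforce the
# baseline at the domain. Set-GPLink only works on an existing link, so create
# the link first when it is not there yet.
$domainLinks = (Get-GPInheritance -Target $domainDn).GpoLinks
if ($domainLinks | Where-Object { $_.DisplayName -eq $gpoName }) {
    Set-GPLink -Name $gpoName -Target $domainDn -Enforced Yes | Out-Null
} else {
    New-GPLink -Name $gpoName -Target $domainDn -Enforced Yes | Out-Null
}

# Verify. GpoInheritanceBlocked shows the block; InheritedGpoLinks is the
# effective list for the OU and should now contain the OU's own links plus the
# enforced baseline, and nothing else from above.
$inheritance = Get-GPInheritance -Target $ou
$inheritance | Select-Object Path, GpoInheritanceBlocked
$inheritance.InheritedGpoLinks | Select-Object DisplayName, Enforced, Order, Target | Format-Table -AutoSize
```

Listing InheritedGpoLinks for every OU with GpoInheritanceBlocked set is a quick audit of where a security baseline is being kept out; any such OU where the baseline does not appear as Enforced is a gap.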