Sunday, August 30, 2009

Interview Question for active directory and exchange


Suggestive & Informative Recipes from Ad Cookbook

Interview Questions



Q.1 What is the Active Directory?

Ans: Active Directory stores information about resources on the network and makes it easy for users to locate, manage and use their resources.

Q.2 Where is the Active Directory database located?

Ans: The Active Directory database is located at “%systemroot%\NTDS\NTDS.DIT”. It is based on the Jet database.

Q.3 What is the Active Directory Schema?

Ans: 1. It is dynamically updatable.

2. It is dynamically available.

3. DACL.

Q.4 What is LDAP? What is the port for LDAP?

Ans: LDAP is a method of communication in Active Directory. LDAP is a directory service protocol that is used to query and update Active Directory.

Q.5 What is a tree?

Ans: A collection of domains which share a common namespace.

Q.6 What is the function of the “%systemroot%\system32\dssec.dat” file?

Ans: To delegate the right to unlock locked user accounts to a user or group in Active Directory, you must first make the right visible.

The %Systemroot%\System32\Dssec.dat file contains filters that control whether a right is revealed and whether it can be written. Open Dssec.dat in Notepad and find [User]. Within [User], the lockoutTime entry is listed alphabetically. Change the mask from 7 to 0, yielding lockoutTime=0.

NOTE: The mask values appear to be:

0 - Read and Write of property unfiltered
1 - Read of property filtered
2 - Write of property filtered
7 - Filter out property.
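An added example (not part of the original post) that reads a Dssec.dat-style file, decodes the mask values listed above, and rewrites one entry inside a chosen section only, since the same attribute name can appear under several class sections. The file contents below are constructed, and combining the read/write bits (e.g. mask 3) goes slightly beyond the table above.

```python
"""Inspect and edit a Dssec.dat-style filter file (see Q6 above).

Added example. The file is INI-like: [ClassName] sections, each holding
attributeName=mask lines. Mask meanings follow the table in the answer
(0 unfiltered, 1 read filtered, 2 write filtered, 7 filter out).
"""

READ_FILTERED = 1
WRITE_FILTERED = 2
FILTER_OUT = 7          # listed on the page as "filter out property"


def describe_mask(mask):
    """Translate a mask value into what the snap-in will show for it."""
    if mask == 0:
        return 'read and write unfiltered'
    if mask == FILTER_OUT:
        return 'property filtered out'
    parts = []
    if mask & READ_FILTERED:
        parts.append('read filtered')
    if mask & WRITE_FILTERED:
        parts.append('write filtered')
    return ', '.join(parts) or 'unknown mask %d' % mask


def parse_dssec(text):
    """Return {section: {attribute: mask}}; section names are lower-cased,
    attribute names keep the case used in the file."""
    result, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(';'):
            continue
        if s.startswith('[') and s.endswith(']'):
            current = s[1:-1].lower()
            result.setdefault(current, {})
        elif '=' in s and current is not None:
            attr, mask = s.split('=', 1)
            result[current][attr.strip()] = int(mask.strip())
    return result


def set_mask(text, section, attribute, new_mask):
    """Return the file text with attribute=<mask> rewritten inside the given
    section only; other sections listing the same attribute are untouched.
    Raises KeyError if the entry is not found in that section."""
    out, in_section, done = [], False, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith('[') and s.endswith(']'):
            in_section = s[1:-1].lower() == section.lower()
        elif in_section and '=' in s and not done:
            attr, _ = s.split('=', 1)
            if attr.strip().lower() == attribute.lower():
                line = '%s=%d' % (attr.strip(), new_mask)
                done = True
        out.append(line)
    if not done:
        raise KeyError('%s not found in [%s]' % (attribute, section))
    return '\n'.join(out) + '\n'


# Constructed sample mimicking the layout of %Systemroot%\System32\Dssec.dat.
SAMPLE = """[computer]
lockoutTime=7
[user]
lastLogon=7
lockoutTime=7
pwdLastSet=1
"""

if __name__ == '__main__':
    for attr, mask in parse_dssec(SAMPLE)['user'].items():
        print('%-12s %s' % (attr, describe_mask(mask)))
    print(set_mask(SAMPLE, 'User', 'lockoutTime', 0))
```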
 
 
Q.7 What are the core services in Exchange 5.5? Explain the order of starting the services.

Ans: 1. Directory Service (DS): “net start msexchangeds”

2. Information Store (IS): “net start msexchangeis”

3. Message Transfer Agent (MTA): “net start msexchangemta”

4. Internet Mail Connector (IMC): “net start msexchangeimc”

5. “net start msexchangees”


Q.8 What is the size of Transaction log file?

Ans: 5 MB (Exxxx.log)

Q.9 IMC service in Exchange 5.5 does not start. Explain the necessary steps you would take to check and resolve the problem?

Ans: 1. Incorrectly configured Address Space.

2. Use a blank space in the Address Space field, which lets the Internet Mail Connector send mail to all recipients and provides a basic configuration on which to build once you know the service works. If you have entered anything in this box, try removing it and see if the IMC starts.

Q10. What are the core services in Exchange 2000? Explain the process of starting the services.

Ans: The core services are

1. Microsoft Exchange MTA Stack (msexchangemta).

2. Microsoft Exchange Information Store (msexchangeis).

3. Microsoft Exchange Routing Engine (reSvc).

4. Microsoft Exchange System Attendant (msexchangesa).

5. Network News Transfer Protocol (NNTPSvc).

6. Simple Mail Transfer Protocol (SMTPSvc).

Q11. Explain the hierarchy of the Exchange Management Console program.

Ans: Organisation Name

-> Global Settings

-> Recipients

-> Administrative Groups

-> Tools

Q12. What is the latest service pack for Exchange 5.5 and Exchange 2000?

Ans: Exchange 5.5 : SP4

Exchange 2000 : SP3

Q14. What is RUS? Which service is responsible for the RUS?

Ans: The Recipient Update Service (RUS) is a component of the Exchange 2000 System Attendant service. The RUS creates and maintains Exchange 2000-specific attribute values in the Active Directory.

If you create a mailbox for a user, the RUS is responsible for the automatic generation of the user’s Simple Mail Transfer Protocol (SMTP) address and any other proxy addresses that you have defined for your recipients. However, in the Active Directory Users and Computers tool, the proxy addresses are not displayed immediately because a short latency period occurs before the Recipient Update Service produces the new e-mail addresses. This latency occurs even if you have configured the RUS to run continuously.

After you install Exchange 2000, two instances of RUS are created:

  1. The enterprise configuration RUS,
  2. The domain RUS

There is only one instance of the enterprise RUS in the organization. You must have a RUS for each domain that contains mailbox-enabled users.

Each instance of the domain RUS associates one Exchange 2003 computer (where the RUS runs) with one Windows 2000 or Windows 2003 Server domain controller (where AD objects are updated).

Only one RUS can be associated with any Active Directory domain controller.

If you have multiple sites, you can also add multiple instances of the RUS for each domain. In this scenario, an instance of the RUS is hosted on a DC in each site, and mailbox creation does not depend on the inter-site replication schedule of the AD.

If you create a new mailbox-enabled user, that user cannot log on to their mailbox until the RUS has generated the new proxy e-mail addresses. If you set the RUS to run on a schedule, that user may have to wait a short period before they can use Exchange 2003.

To update addresses immediately, you can force the RUS to run manually.

Q15. What is a recipient policy, e-mail policy and mailbox manager policy?

Ans: Recipient policies are used in Exchange 2000 Server to automatically control the generation of e-mail addresses for recipient objects.

The following are recipient objects:

1. Mail-enabled users

2. Contacts

3. Groups

4. Public Folders

Recipient policies are similar to the “Site Addressing” feature in Exchange 5.5, but are more flexible. For example, recipient policies allow you to create multiple addresses for a given address type.

They provide a set of LDAP-based filter rules. These rules allow you to select the set of recipients to which the recipient policy will apply.

A mailbox manager policy is the policy through which the Exchange administrator can control the content of users’ mailboxes.

Recipient policies are a set of configurable rules that run on a schedule and evaluate all the messaging-enabled objects in your Active Directory forest. The policy uses the rules to filter all of the objects and to selectively apply e-mail addresses of specific types to those instances that fit the predefined rules.

Q16. What is edb.chk file used for?

Ans: The checkpoint file is used to keep track of the transactions that have been committed to the database since the last backup.

Q17. What are eseutil /d, eseutil /p and eseutil /g used for?

Ans: 1. Eseutil /d : Defragmentation

2. Eseutil /p : Repair

3. Eseutil /g : Integrity check

Q17. What is the temp.edb file?

Ans: The file TEMP.EDB is used to store transactions that are in progress. TEMP.EDB is also used for some transient storage during online compaction.

Q18. Explain the “LDIFDE” utility?

Ans: It allows you to import and export Active Directory content in LDIF format. LDIF files are composed of blocks of entries. An entry can add, modify, or delete an object. The first line of an entry is the distinguished name. The second line contains a changetype, which can be add, modify, or delete. If it is an object addition, the rest of the entry contains the attributes that should be initially set on the object (one per line). For object deletions, you do not need to specify any other attributes. For object modifications, you need to specify at least three more lines. The first should contain the type of modification you want to perform on the object. This can be add (to set a previously unset attribute or to add a new value to a multivalued attribute), replace (to replace an existing value), or delete (to remove a value). The modification type should be followed by a colon and the attribute you want to perform the modification on. The next line should contain the name of the attribute followed by a colon, and the value for the attribute. For example, to replace the last name attribute with the value Smith, you'd use the following LDIF:

dn: cn=jsmith,cn=users,dc=rallencorp,dc=com 
changetype: modify
replace: sn
sn: Smith
-

Modification entries must be followed by a line that only contains a hyphen (-). You can put additional modification actions following the hyphen, each separated by another hyphen. Here is a complete LDIF example that adds a jsmith user object and then modifies the givenName and sn attributes for that object:

dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: add
objectClass: user
samaccountname: jsmith
sn: JSmith
useraccountcontrol: 512
 
dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: modify
add: givenName
givenName: Jim
-
replace: sn
sn: Smith
-
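As an added example (not part of the original post), here is a small Python parser for the LDIF change records described above. It handles add, modify and delete entries and the hyphen-terminated modification blocks, and goes slightly beyond the text by also accepting base64 (`::`) values and folded continuation lines; the sample input is the page's own jsmith LDIF.

```python
"""Parser for LDIF change records as described in the LDIFDE answer above.
Added example; the Change class and helper names are this example's own."""
import base64
from dataclasses import dataclass, field


@dataclass
class Change:
    dn: str
    changetype: str
    attrs: dict = field(default_factory=dict)   # add: {attr: [values]}
    mods: list = field(default_factory=list)    # modify: [(op, attr, [values])]


def _unfold(text):
    """Join folded continuation lines (leading space) and drop '#' comments."""
    lines = []
    for raw in text.splitlines():
        raw = raw.rstrip('\r')
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith('#'):
            lines.append(raw)
    return lines


def _split_attr(line):
    """Return (attribute, value); 'attr:: b64' marks a base64-encoded value.
    The lone hyphen that ends a modification block is returned as ('-', None)."""
    if line == '-':
        return '-', None
    if ':' not in line:
        raise ValueError('malformed LDIF line: %r' % line)
    attr, value = line.split(':', 1)
    if value.startswith(':'):
        return attr.strip().lower(), base64.b64decode(value[1:].strip()).decode('utf-8')
    return attr.strip().lower(), value.strip()


def parse_ldif(text):
    """Return one Change per blank-line-separated entry in the LDIF text."""
    changes, entry = [], []
    for line in _unfold(text) + ['']:            # sentinel flushes the last entry
        if line.strip():
            entry.append(line)
        elif entry:
            changes.append(_parse_entry(entry))
            entry = []
    return changes


def _parse_entry(lines):
    pairs = [_split_attr(l) for l in lines]
    if pairs[0][0] != 'dn':
        raise ValueError('entry must start with dn:')
    if len(pairs) < 2 or pairs[1][0] != 'changetype':
        raise ValueError('second line must be changetype:')
    change = Change(dn=pairs[0][1], changetype=pairs[1][1].lower())
    body = pairs[2:]
    if change.changetype == 'add':
        for attr, value in body:
            change.attrs.setdefault(attr, []).append(value)
    elif change.changetype == 'delete':
        if body:
            raise ValueError('delete entries take no further lines')
    elif change.changetype == 'modify':
        i = 0
        while i < len(body):
            op, target = body[i]
            if op not in ('add', 'replace', 'delete'):
                raise ValueError('bad modification type: %r' % op)
            target, values, i = target.lower(), [], i + 1
            while i < len(body) and body[i][0] != '-':
                attr, value = body[i]
                if attr != target:
                    raise ValueError('value for %r inside %r block' % (attr, target))
                values.append(value)
                i += 1
            if i == len(body):
                raise ValueError('modification of %r not closed by "-"' % target)
            i += 1                                 # skip the hyphen line
            change.mods.append((op, target, values))
    else:
        raise ValueError('unknown changetype: %r' % change.changetype)
    return change


# The complete example from the answer above, embedded here as sample input.
SAMPLE = """dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: add
objectClass: user
samaccountname: jsmith
sn: JSmith
useraccountcontrol: 512

dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: modify
add: givenName
givenName: Jim
-
replace: sn
sn: Smith
-
"""

if __name__ == '__main__':
    for change in parse_ldif(SAMPLE):
        print(change)
```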

Q13. Explain the Anatomy of a Domain, trust and a forest in the Active Directory?

Ans: 1. Anatomy of a Domain.

Domains are represented by domainDNS objects.

Q14. What are the 3 NCs in a forest?

Ans: 1. The Forest Root Domain.

2. The Configuration NC.

3. The Schema NC.

Q15. What are the different partitions associated with a Forest?

Ans: 1. Configuration NC: Contains data that is applicable across all of the domains and, thus, is replicated to all domain controllers in the forest. Some of this data includes the site topology, list of partitions, published services, display specifiers, and extended rights.

2. Schema NC: Contains the objects that describe how data can be structured and stored in Active Directory. The classSchema objects in the Schema NC represent class definitions for objects. The attributeSchema objects describe what data can be stored with classes. The Schema NC is replicated to all domain controllers in a forest.

3. Domain NC: As described earlier, a domain is a naming context that holds domain-specific data including user, group, and computer objects.

4. Application partitions: Configurable partitions that can be rooted anywhere in the forest and can be replicated to any domain controller in the forest. These are not available with Windows 2000.

Q16. After successfully demoting a DC or removing the forest, which commands help determine whether all entries have been removed?

Ans:

> netsh wins server \\<WINSServerName> show name <ForestDNSName> 1c

> nslookup <DomainControllerDNSName>

> nslookup -type=SRV _ldap._tcp.gc._msdcs.<ForestDNSName>

> nslookup <ForestDNSName>

Q17. What are the steps to remove a Domain from a Forest?

Ans: 1. Start from the last DC of the domain.

2. Run “dcpromo”, and select the option “This server is the last domain controller in the domain”.

Note: If the domain you want to remove has subdomains, you have to remove the subdomains before proceeding.

3. After all domain controllers have been demoted and depending on how your environment is configured, you may need to remove WINS and DNS entries that were associated with the domain controllers and domain, unless they were automatically removed via WINS deregistration and DDNS during the demotion process.

4. Remove any trusts established for the domain.


Q18. You want to completely remove a domain that was orphaned because "This server is the last domain controller in the domain" was not selected when demoting the last domain controller, the domain was forcibly removed, or the last domain controller in the domain was decommissioned improperly. Explain the procedure?

Ans: The following ntdsutil commands would forcibly remove the emea.rallencorp.com domain from the rallencorp.com forest. Replace <DomainControllerName> with the hostname of the Domain Naming Flexible Single Master Operation (FSMO) role owner for the forest:

> ntdsutil "meta clean" "s o t" conn "con to server <DomainControllerName>" q q

metadata cleanup: "s o t" "list domains"
Found 4 domain(s)
0 - DC=rallencorp,DC=com
1 - DC=amer,DC=rallencorp,DC=com
2 - DC=emea,DC=rallencorp,DC=com
3 - DC=apac,DC=rallencorp,DC=com
Select operation target: sel domain 2
No current site
Domain - DC=emea,DC=rallencorp,DC=com
No current server
No current Naming Context
Select operation target: q
metadata cleanup: remove sel domain


You will receive a message indicating whether the removal was successful.

Note: Removing an orphaned domain consists of removing the domain object for the domain (e.g., dc=emea,dc=rallencorp,dc=com), all of its child objects, and the associated crossRef object in the Partitions container. You need to target the Domain Naming FSMO when using the ntdsutil command because that server is responsible for creation and removal of domains.

In the solution, shortcut parameters were used to reduce the amount of typing necessary. If each parameter were typed out fully, the commands would look as follows:

> ntdsutil "metadata cleanup" "select operation target" connections "connect to server <DomainControllerName>" quit quit

metadata cleanup: "select operation target" "list domains"
Found 4 domain(s)
0 - DC=rallencorp,DC=com
1 - DC=amer,DC=rallencorp,DC=com
2 - DC=emea,DC=rallencorp,DC=com
3 - DC=apac,DC=rallencorp,DC=com
Select operation target: select domain 2
No current site
Domain - DC=emea,DC=rallencorp,DC=com
No current server
No current Naming Context
Select operation target: quit
metadata cleanup: remove selected domain


Q19. You want to find the NetBIOS name of a domain. Although Microsoft has moved to using DNS for primary name resolution, the NetBIOS name of a domain is still important, especially with down-level clients that are still based on NetBIOS instead of DNS for naming. How can you achieve this?

Ans: A. Using Graphical User Interface:

1. Open the Active Directory Domains and Trusts snap-in.

2. Right-click the domain you want to view in the left pane and select Properties.

3. The NetBIOS name will be shown in the "Domain name (pre-Windows 2000)" field.

B. Using a Command-line Interface:

> dsquery * cn=partitions,cn=configuration,<ForestRootDN> -filter "(&(objectcategory=crossref)(dnsroot=<DomainDNSName>)(netbiosname=*))" -attr netbiosname
 

Note: Each domain has a crossRef object that is used by Active Directory to generate referrals. Referrals are necessary when a client performs a query and the directory server handling the request does not have the matching object(s) in its domain. The NetBIOS name of a domain is stored in the domain's crossRef object in the Partitions container in the Configuration NC. Each crossRef object has a dnsRoot attribute, which is the fully qualified DNS name of the domain. The netBIOSName attribute contains the NetBIOS name for the domain.
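An added example (not from the original post or the cookbook) that assembles the LDAP search filters used on this page, the crossRef lookup above and the server and ntdsDSA searches further down, with attribute values escaped per RFC 4515. The point for a defender is that a domain or host name taken from input cannot then inject `*`, `(` or `)` and change what the filter matches; the global-catalog filter also goes beyond the page's `(options=1)` by using the bitwise-AND matching rule so that other option bits do not hide a GC. The function names are this example's own.

```python
"""Build the LDAP filters from this page with RFC 4515 escaping (added example)."""

# RFC 4515: these characters inside an assertion value must be written as
# a backslash followed by two hex digits.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

# Active Directory's bitwise-AND extensible matching rule (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND_RULE = '1.2.840.113556.1.4.803'
NTDSDSA_OPT_IS_GC = 1          # options bit that marks an ntdsDSA object as a global catalog


def escape_value(value):
    """Escape one attribute value for use inside an LDAP filter."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 127:                      # non-ASCII: escape each UTF-8 byte
            out.append(''.join(r'\%02x' % b for b in ch.encode('utf-8')))
        else:
            out.append(ch)
    return ''.join(out)


def equals(attr, value):
    return '(%s=%s)' % (attr, escape_value(value))


def present(attr):
    return '(%s=*)' % attr


def and_(*filters):
    return '(&' + ''.join(filters) + ')'


def netbios_name_filter(domain_dns_name):
    """Filter for a domain's crossRef object, as in the dsquery command above."""
    return and_(equals('objectCategory', 'crossRef'),
                equals('dnsRoot', domain_dns_name),
                present('netBIOSName'))


def partitions_base_dn(forest_root_dn):
    """Search base for the crossRef objects: the Partitions container."""
    return 'cn=Partitions,cn=Configuration,' + forest_root_dn


def server_by_hostname_filter(dns_host_name):
    """Filter for a DC's server object under the Sites container (used to find its site)."""
    return and_(equals('objectCategory', 'server'),
                equals('dnsHostName', dns_host_name))


def global_catalog_filter():
    """Filter for ntdsDSA objects with the IS_GC bit set. The page's (options=1)
    only matches when no other option bits are set; the bitwise rule matches
    any value that has bit 1 set."""
    return and_(equals('objectCategory', 'ntdsDSA'),
                '(options:%s:=%d)' % (BIT_AND_RULE, NTDSDSA_OPT_IS_GC))


if __name__ == '__main__':
    print(partitions_base_dn('dc=rallencorp,dc=com'))
    print(netbios_name_filter('rallencorp.com'))
    # A hostile value no longer widens the search:
    print(netbios_name_filter('x)(objectCategory=*'))
```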

Q20. You want to rename a domain due to organizational changes or legal restrictions because of an acquisition. Renaming a domain is a very involved process and should be done only when absolutely necessary. Changing the name of a domain can have an impact on everything from DNS, replication, and GPOs to DFS and Certificate Services. A domain rename also requires that all domain controllers and member computers in the domain are rebooted! Is it possible in Windows 2000?

Ans: Under Windows 2000, there is no supported process to rename a domain. There is one workaround for mixed-mode domains in which you revert the domain and any of its child domains back to Windows NT domains. This can be done by demoting all Windows 2000 domain controllers and leaving the Windows NT domain controllers in place. You could then reintroduce Windows 2000 domain controllers and use the new domain name when setting up Active Directory.

A domain rename procedure is supported if a forest is running all Windows Server 2003 domain controllers and is at the Windows Server 2003 forest functional level.

The tool is “rendom.exe”.

Q21. You want to create a one-way or two-way nontransitive trust from an AD domain to a Windows NT domain. How do we create a trust between a Windows NT domain and an AD domain?

Ans. Using a graphical user interface:

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click the domain you want to add a trust for and select Properties.

3. Click on the Trusts tab.

4. Click the New Trust button.

5. After the New Trust Wizard opens, click Next.

6. Type the NetBIOS name of the NT domain and click Next.

7. Assuming the NT domain was resolvable via its NetBIOS name, the next screen will ask for the Direction of Trust. Select Two-way, One-way incoming, or One-way outgoing, and click Next.

8. If you selected Two-way or One-way Outgoing, you'll need to select the scope of authentication, which can be either Domain-wide or Selective, and click Next.

9. Enter and re-type the trust password and click Next.

10. Click Next twice to finish.

Using a command-line interface
> netdom trust <NT4DomainName> /Domain:<ADDomainName> /ADD[RETURN]
         [/UserD:<ADDomainName>\<ADUser> /PasswordD:*][RETURN]
         [/UserO:<NT4DomainName>\<NT4User> /PasswordO:*][RETURN]
         [/TWOWAY]

For example, to create a trust from the NT4 domain RALLENCORP_NT4 to the AD domain RALLENCORP, use the following command:

> netdom trust RALLENCORP_NT4 /Domain:RALLENCORP /ADD[RETURN]
         /UserD:RALLENCORP\administrator /PasswordD:*[RETURN]
         /UserO:RALLENCORP_NT4\administrator /PasswordO:*

You can make the trust bidirectional, i.e., two-way, by adding a /TwoWay switch to the example.

Q22. How to Create a Transitive Trust Between Two AD Forests?

Ans: Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click the forest root domain and select Properties.

3. Click on the Trusts tab.

4. Click the New Trust button.

5. After the New Trust Wizard opens, click Next.

6. Type the DNS name of the AD forest and click Next.

7. Select Forest trust and click Next.

8. Complete the wizard by stepping through the rest of the configuration screens.

Using a command-line interface
> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD[RETURN]
         [/UserD:<Forest2AdminUser> /PasswordD:*][RETURN]
         [/UserO:<Forest1AdminUser> /PasswordO:*]

For example, to create a two-way forest trust from the AD forest rallencorp.com to the AD forest othercorp.com, use the following command:

> netdom trust rallencorp.com /Domain:othercorp.com /Twoway /Transitive /ADD[RETURN]
         /UserD:administrator@othercorp.com /PasswordD:*[RETURN]
         /UserO:administrator@rallencorp.com /PasswordO:*

Note: A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you would have to set up individual external two-way trusts between every domain in both forests. If you have two forests with three domains each and wanted to set up a fully trusted model, you would need nine individual trusts. Figure 2-4 illustrates how this would look.

Figure 2-4. Trusts necessary for two Windows 2000 forests to trust each other

With a forest trust, you can define a single one-way or two-way transitive trust relationship that extends to all the domains in both forests. You may want to implement a forest trust if you merge or acquire a company and you want all of the new company's Active Directory resources to be accessible for users in your Active Directory environment and vice versa. Figure 2-5 shows a forest trust scenario. To create a forest trust, you need to use accounts from the Enterprise Admins group in each forest.

Figure 2-5. Trust necessary for two Windows Server 2003 forests to trust each other

Q23. You want to create a shortcut trust between two AD domains in the same forest or in different forests. Shortcut trusts can make the authentication process more efficient between two domains in a forest.

Q.23 How to View the Trusts for a Domain?

Problem

You want to view the trusts for a domain.

Solution

Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click the domain you want to view and select Properties.

3. Click on the Trusts tab.

Using a command-line interface
netdom query trust /Domain:<DomainDNSName>
 
 

Q.24 How to Verify a Trust?

Problem

You want to verify that a trust is working correctly. This is the first diagnostics step to take if users notify you that authentication to a remote domain appears to be failing.

Solution

Using a graphical user interface

For the Windows 2000 version of the Active Directory Domains and Trusts snap-in:

1. In the left pane, right-click on the trusting domain and select Properties.

2. Click the Trusts tab.

3. Click the domain that is associated with the trust you want to verify.

4. Click the Edit button.

5. Click the Verify button.

For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in:

1. In the left pane, right-click on the trusting domain and select Properties.

2. Click the Trusts tab.

3. Click the domain that is associated with the trust you want to verify.

4. Click the Properties button.

5. Click the Validate button.

Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose[RETURN]
   [/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
   [/UserD:<TrustedDomainUser> /PasswordD:*]
 
 

Q25. How to Reset a Trust?

Problem

You want to reset a trust password. If you've determined a trust is broken, you need to reset it, which will allow users to authenticate across it again.

Solution

Using a graphical user interface

Follow the same directions as Recipe 2.20. The option to reset the trust will only be presented if the Verify/Validate did not succeed.

Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset /verbose[RETURN]
   [/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
   [/UserD:> /PasswordD:*]
 
 
 

Q26. How to Remove a Trust?

Problem

You want to remove a trust. This is commonly done when the remote domain has been decommissioned or access to it is no longer required.

Solution

Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.

2. In the left pane, right-click on the trusting domain and select Properties.

3. Click the Trusts tab.

4. Click on the domain that is associated with the trust you want to remove.

5. Click the Remove button.

6. Click OK.

Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Remove /verbose[RETURN]
   [/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
   [/UserD:<TrustedDomainUser> /PasswordD:*]
 

Q27. How to Find Duplicate SIDs in a Domain?

Problem

You want to find any duplicate SIDs in a domain. Generally, you should never find duplicate SIDs in a domain, but it is possible in some situations, such as when the relative identifier (RID) FSMO role owner has to be seized or you are migrating users from Windows NT domains.

Solution

Using a command-line interface

To find duplicate SIDs run the following command, replacing with a domain controller or domain name:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "check dup sid" q q

The following message will be returned:

Duplicate SID check completed successfully. Check dupsid.log for any duplicates

The dupsid.log file will be in the directory where you started ntdsutil.

If you want to delete any objects that have duplicate SIDs, you can use the following command:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "clean dup sid" q q

Like the check command, the clean command will generate a message like the following upon completion:

Duplicate SID cleanup completed successfully. Check dupsid.log for any duplicate

Q.28 How to Find the Domain Controllers for a Domain?

Problem

You want to find the domain controllers in a domain.

Solution

Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.

2. Connect to the target domain.

3. Click on the Domain Controllers OU.

4. The list of domain controllers for the domain will be present in the right pane.

Using a command-line interface
> netdom query dc /Domain:

Q29. How to Find a Domain Controller's Site?

Problem

You need to determine the site of which a domain controller is a member.

Solution

Using a graphical user interface

1. Open LDP and from the menu, select Connection -> Connect.

2. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

3. For Port, enter 389.

4. Click OK.

5. From the menu, select Connection -> Bind.

6. Enter credentials of a domain user.

7. Click OK.

8. From the menu, select Browse -> Search.

9. For BaseDN, type the distinguished name of the Sites container (e.g., cn=sites,cn=configuration,dc=rallencorp,dc=com).

10. For Scope, select Subtree.

11. For Filter, enter:

(&(objectcategory=server)(dnsHostName=))

12. Click Run.

Using a command-line interface
> nltest /dsgetsite /server: 

Q 30. How to Move a Domain Controller to a Different Site?

Problem

You want to move a domain controller to a different site.

Solution

Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. In the left pane, expand the site that contains the domain controller.

3. Expand the Servers container.

4. Right-click on the domain controller you want to move and select Move.

5. In the Move Server box, select the site to which the domain controller will be moved and click OK.

Using a command-line interface

When using the dsmove command you must specify the DN of the object you want to move. In this case, it needs to be the distinguished name of the server object for the domain controller. The value for the -newparent option is the distinguished name of the Servers container you want to move the domain controller to.

> dsmove "" -newparent ""

For example, the following command would move dc2 from the Default-First-Site-Name site to the Raleigh site.

> dsmove "cn=dc2,cn=servers,cn=Default-First-Site-Name,cn=sites,cn=configuration,[RETURN] 
rallencorp" -newparent "cn=servers,cn=Raleigh,cn=sites,cn=configuration,rallencorp

Q31. How to Find the Global Catalog Servers in a Forest?

Problem

You want a list of the global catalog servers in a forest.

Solution

Using a graphical user interface

1. Open LDP and from the menu select Connection -> Connect.

2. For Server, enter the name of a DC.

3. For Port, enter 389.

4. Click OK.

5. From the menu select Connection -> Bind.

6. Enter credentials of a domain user.

7. Click OK.

8. From the menu select Browse -> Search.

9. For BaseDN, type the DN of the Sites container (e.g., cn=sites,cn=configuration,dc=rallencorp,dc=com).

10. For Scope, select Subtree.

11. For Filter, enter (&(objectcategory=ntdsdsa)(options=1)).

12. Click Run.

Using a command-line interface
> dsquery server -forest -isgc

Q32. How to Find Domain Controllers and Global Catalogs via DNS?

Problem

You want to find domain controllers or global catalogs using DNS lookups.

Solution

Domain controllers and global catalog servers are represented in DNS as SRV records. You can query SRV records using nslookup by setting the type=SRV, such as the following:

> nslookup
Default Server:  dns01.rallencorp.com
Address:  10.1.2.3
 
> set type=SRV

You then need to issue the following query to retrieve all domain controllers for the specified domain.

> _ldap._tcp.<DomainDNSName>

You can issue a similar query to retrieve global catalogs, but since they are forest-wide, the query is based on the forest name.

> _gc._tcp.<ForestDNSName>

You can even find the domain controllers or global catalogs that are in a particular site or that cover a particular site by querying the following:

> _ldap._tcp.<SiteName>._sites.<DomainDNSName>
> _gc._tcp.<SiteName>._sites.<ForestDNSName>

See Recipe 11.18 for more information on site coverage.
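An added example (not from the original post) that builds the locator SRV names from the Q32 and Q36 answers (plus the `_msdcs` GC name used in Q16) and orders a set of SRV answers the way RFC 2782 tells a client to, by priority and then weighted random, which is what lets a site-covering DC with a lower priority be preferred. The SRV records below are constructed sample data, and the function names are this example's own.

```python
"""Locator SRV names and RFC 2782 record ordering (added example)."""
import random

# Query names from the answers above; 'domain' is the domain DNS name for
# dc/pdc and the forest DNS name for the global-catalog names.
SERVICES = {
    'dc': '_ldap._tcp.{domain}',
    'gc': '_gc._tcp.{domain}',
    'pdc': '_ldap._tcp.pdc._msdcs.{domain}',
    'gc_msdcs': '_ldap._tcp.gc._msdcs.{domain}',
}
SITE_SERVICES = {
    'dc': '_ldap._tcp.{site}._sites.{domain}',
    'gc': '_gc._tcp.{site}._sites.{domain}',
}


def srv_name(service, domain, site=None):
    """Return the SRV owner name to query for the given service."""
    if site is not None:
        if service not in SITE_SERVICES:
            raise ValueError('no site-specific record for %r' % service)
        return SITE_SERVICES[service].format(site=site, domain=domain)
    if service not in SERVICES:
        raise ValueError('unknown service %r' % service)
    return SERVICES[service].format(domain=domain)


def parse_srv(rdata):
    """Parse SRV RDATA in presentation form: 'priority weight port target'."""
    priority, weight, port, target = rdata.split()
    return {'priority': int(priority), 'weight': int(weight),
            'port': int(port), 'target': target.rstrip('.')}


def order_targets(records, draw=random.randint):
    """Order records as RFC 2782 specifies: ascending priority, and within one
    priority a weighted random pick; zero-weight records are placed first so
    they are chosen only when the draw is 0 (a "very small chance")."""
    ordered = []
    for priority in sorted({r['priority'] for r in records}):
        group = [r for r in records if r['priority'] == priority]
        group.sort(key=lambda r: r['weight'] != 0)       # zero weights first
        while group:
            total = sum(r['weight'] for r in group)
            number = draw(0, total)
            running = 0
            for rec in group:
                running += rec['weight']
                if running >= number:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


# Constructed sample answer for _ldap._tcp.rallencorp.com (not real hosts).
SAMPLE_RECORDS = [parse_srv(r) for r in (
    '0 100 389 dc1.rallencorp.com.',
    '0 0 389 dc2.rallencorp.com.',
    '10 100 389 dc3.rallencorp.com.',
)]

if __name__ == '__main__':
    print(srv_name('gc', 'rallencorp.com', site='Raleigh'))
    for rec in order_targets(SAMPLE_RECORDS):
        print(rec['priority'], rec['weight'], rec['port'], rec['target'])
```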

Q33. How to Find the FSMO Role Holders?

3.25.1 Problem

You want to find the domain controllers that are acting as one of the FSMO roles.

3.25.2 Solution

3.25.2.1 Using a graphical user interface

For the Schema Master:

1. Open the Active Directory Schema snap-in.

2. Right-click on Active Directory Schema in the left pane and select Operations Master.

For the Domain Naming Master:

1. Open the Active Directory Domains and Trusts snap-in.

2. Right-click on Active Directory Domains and Trusts in the left pane and select Operations Master.

For the PDC Emulator, RID Master, and Infrastructure Master:

1. Open the Active Directory Users and Computers snap-in.

2. Make sure you've targeted the correct domain.

3. Right-click on Active Directory Users and Computers in the left pane and select Operations Master.

4. There are individual tabs for the PDC, RID, and Infrastructure roles.

3.25.2.2 Using a command-line interface

In the following command, you can leave out the /Domain option to query the domain you are currently logged on to.

> netdom query fsmo /Domain:<DomainDNSName>

For some reason, this command returns a "The parameter is incorrect" error on Windows Server 2003. Until that is resolved, you can use the dsquery server command shown here, where <Role> can be schema, name, infr, pdc, or rid:

> dsquery server -hasfsmo <Role>

Q34. How to Transfer a FSMO Role?

3.26.1 Problem

You want to transfer a FSMO role to a different domain controller. This may be necessary if you need to take a current FSMO role holder down for maintenance.

3.26.2 Solution

3.26.2.1 Using a graphical user interface

1. Use the same directions as described in Recipe 3.25 for viewing a specific FSMO, except target (i.e., right-click and select Connect to Domain Controller) the domain controller you want to transfer the FSMO to before selecting Operations Master.

2. Click the Change button.

3. Click OK twice.

4. You should then see a message stating whether the transfer was successful.

3.26.2.2 Using a command-line interface

The following would transfer the PDC Emulator role to . See the discussion about transferring the other roles.

> ntdsutil roles conn "co t s <NewRoleOwner>" q "transfer PDC" q q

Q35. How to Seize a FSMO Role?

3.27.1 Problem

You need to seize a FSMO role because the current role holder is down and will not be restored.

3.27.2 Solution

3.27.2.1 Using a command-line interface

The following would seize the PDC Emulator role to :

> ntdsutil roles conn "co t s <NewRoleOwner>" q "seize PDC" q q

Any of the other roles can be seized as well using ntdsutil by replacing "seize PDC" in the previous solution with one of the following:

- "seize domain naming master"

- "seize infrastructure master"

- "seize RID master"

- "seize schema master"

Q36. How to Find the PDC Emulator FSMO Role Owner via DNS?

3.28.1 Problem

You want to find the PDC Emulator for a domain using DNS.

3.28.2 Solution

3.28.2.1 Using a command-line interface
> nslookup -type=SRV _ldap._tcp.pdc._msdcs.<DomainDNSName>

Q37. How to View the Attributes of an Object using LDP?

4.2.1 Problem

You want to view one or more attributes of an object using LDP.

4.2.2 Solution

4.2.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection -> Connect.

3. For Server, enter the name of a domain controller or domain that contains the object.

4. For Port, enter 389.

5. Click OK.

6. From the menu, select Connection -> Bind.

7. Enter credentials of a user that can view the object (if necessary).

8. Click OK.

9. From the menu, select View -> Tree.

10. For BaseDN, type the DN of the object you want to view.

11. For Scope, select Base.

12. Click OK.

4.2.2.2 Using a command-line interface
> dsquery * "<ObjectDN>" -scope base -attr *

For Windows 2000, use this command:

> enumprop "LDAP://<ObjectDN>"

Q38. How to Use LDAP Controls?

4.3.1 Problem

You want to use an LDAP control as part of an LDAP operation.

4.3.2 Solution

4.3.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Options → Controls.

3. For the Windows Server 2003 version of LDP, select the control you want to use under Load Predefined. The control should automatically be added to the list of Active Controls.

For the Windows 2000 version of LDP, you'll need to type the object identifier (OID) of the control under Object Identifier.

4. Enter the value for the control under Value.

5. Select whether the control is server- or client-side under Control Type.

6. Check the box beside Critical if the control is critical.

7. Click the Check-in button.

8. Click OK.

9. At this point, you will need to invoke the LDAP operation (for example, Search) that will use the control. In the dialog box for any operation, be sure that the "Extended" option is checked before initiating the operation.

Q39. How to use LDP for Searching for Objects in a Domain?

4.5.1 Problem

You want to find objects that match certain criteria in a domain.

4.5.2 Solution

4.5.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection → Connect.

3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

4. For Port, enter 389.

5. Click OK.

6. From the menu, select Connection → Bind.

7. Enter credentials of a user.

8. Click OK.

9. From the menu, select Browse → Search.

10. For BaseDN, type the base distinguished name where the search will start.

11. For Scope, select the appropriate scope.

12. For Filter, enter an LDAP filter.

13. Click Run.

4.5.2.2 Using a command-line interface
> dsquery * <BaseDN> -scope <Scope> -filter "<Filter>" -attr "<AttrList>"

Q40. How to use LDP for searching the Global Catalog?

4.6.1 Problem

You want to perform a forest-wide search using the global catalog.

4.6.2 Solution

4.6.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection → Connect.

3. For Server, enter the name of a global catalog server.

4. For Port, enter 3268.

5. Click OK.

6. From the menu, select Connection → Bind.

7. Enter credentials of a user.

8. Click OK.

9. From the menu, select Browse → Search.

10. For BaseDN, type the base distinguished name where to start the search.

11. For Scope, select the appropriate scope.

12. For Filter, enter an LDAP filter.

13. Click Run.

4.6.2.2 Using a command-line interface
> dsquery * <BaseDN> -gc -scope <Scope> -filter "<Filter>" -attr "<AttrList>"
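The LDP steps of Q37 through Q40 (connect, bind, pick base, scope and filter, attach a control, switch to the global catalog port) done in code, as an added example that is not from the cookbook: it uses the System.DirectoryServices.Protocols classes from PowerShell, and the server names, DNs and the ShowDeleted control are assumptions chosen for illustration.

```powershell
# Added example (not from the cookbook): the LDP searches from Q37-Q40 with
# System.DirectoryServices.Protocols. Server and base DN values are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Search-Ldap {
    param(
        [Parameter(Mandatory)][string]$Server,          # DC or GC host name
        [Parameter(Mandatory)][AllowEmptyString()][string]$BaseDN,
        [ValidateSet('Base','OneLevel','Subtree')][string]$Scope = 'Subtree',
        [string]$Filter = '(objectClass=*)',
        [string[]]$Attributes = @('*'),
        [switch]$GlobalCatalog,                         # port 3268 instead of 389 (Q40)
        [System.DirectoryServices.Protocols.DirectoryControl[]]$Controls = @()
    )
    $port = if ($GlobalCatalog) { 3268 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Sign and seal the session so the bind and the returned attributes do not
    # cross the wire in the clear; a plain LDP bind on 389 does not do this.
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()   # binds as the calling user (LDP: Connection -> Bind)

    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDN, $Filter,
        [System.DirectoryServices.Protocols.SearchScope]$Scope, $Attributes)
    # Q38: controls ride along with the operation (LDP's "Extended" checkbox).
    foreach ($c in $Controls) { [void]$req.Controls.Add($c) }

    $resp = $conn.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        $row = [ordered]@{ distinguishedName = $entry.DistinguishedName }
        foreach ($name in $entry.Attributes.AttributeNames) {
            $row[$name] = ($entry.Attributes[$name].GetValues([string])) -join '; '
        }
        [pscustomobject]$row
    }
    $conn.Dispose()
}

# Q37: one object, base scope, every attribute
# Search-Ldap -Server 'dc1.example.com' -BaseDN 'CN=Alice,OU=Staff,DC=example,DC=com' -Scope Base

# Q38: attach a predefined control, here ShowDeleted (OID 1.2.840.113556.1.4.417),
# which makes tombstones visible; marked critical so the server refuses the
# search instead of silently ignoring an unsupported control.
# $showDeleted = New-Object System.DirectoryServices.Protocols.ShowDeletedControl
# $showDeleted.IsCritical = $true
# Search-Ldap -Server 'dc1.example.com' -BaseDN 'DC=example,DC=com' `
#     -Filter '(isDeleted=TRUE)' -Attributes 'name','whenChanged' -Controls $showDeleted

# Q40: forest-wide search through the global catalog (empty base = whole GC)
# Search-Ldap -Server 'gc1.example.com' -GlobalCatalog -BaseDN '' `
#     -Filter '(&(objectCategory=person)(sAMAccountName=alice))' -Attributes 'distinguishedName'
```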

Q41. How to Delegate Control of an OU?

5.9.1 Problem

You want to delegate administrative access of an OU to allow a group of users to manage objects in the OU.

5.9.2 Solution

5.9.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.

2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.

3. In the left pane, browse to the target OU, right-click on it, and select Delegate Control.

4. Select the users and/or groups to delegate control to by using the Add button and click Next.

5. Select the type of privilege to grant the users/groups and click Next.

6. Click Finish.

5.9.2.2 Using a command-line interface

ACLs can be set via a command-line with the dsacls utility from the Support Tools. See Recipe 14.10 for more information.
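A delegation is only as safe as what ends up in the OU's DACL, so an added example (not from the cookbook, and not the dsacls utility it refers to) that reads back the explicit ACEs on an OU through the ActiveDirectory module's AD: drive and resolves the GUIDs to attribute, class and extended-right names, so the result of the wizard can be reviewed. The module is assumed to be installed; the OU DN is a placeholder.

```powershell
# Added example (not from the cookbook): list the non-inherited ACEs on an OU
# after delegation (Q41) so they can be checked against least privilege.
# Assumes the ActiveDirectory module; the OU DN is a placeholder.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDN)   # e.g. 'OU=Sales,DC=example,DC=com'

    # Map schema and extended-right GUIDs to names so the report is readable.
    $rootDse = Get-ADRootDSE
    $guidMap = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties name, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
        ForEach-Object { $guidMap[[guid]$_.rightsGUID] = $_.name }

    $acl = Get-Acl -Path "AD:\$OuDN"
    foreach ($ace in $acl.Access) {
        # Inherited ACEs come from a parent; only explicit ones are this OU's delegation.
        if ($ace.IsInherited) { continue }
        $objType = if ($ace.ObjectType -eq [guid]::Empty) { 'All' }
                   elseif ($guidMap.ContainsKey($ace.ObjectType)) { $guidMap[$ace.ObjectType] }
                   else { $ace.ObjectType.ToString() }
        $inhType = if ($ace.InheritedObjectType -eq [guid]::Empty) { 'Any' }
                   elseif ($guidMap.ContainsKey($ace.InheritedObjectType)) { $guidMap[$ace.InheritedObjectType] }
                   else { $ace.InheritedObjectType.ToString() }
        [pscustomobject]@{
            Trustee         = $ace.IdentityReference.Value
            Type            = $ace.AccessControlType
            Rights          = $ace.ActiveDirectoryRights
            AppliesTo       = $objType     # attribute, class or extended right
            OnObjectsOfType = $inhType
            Inheritance     = $ace.InheritanceType
        }
    }
}

# Review the broadest grants first: GenericAll, WriteDacl or WriteOwner on an OU
# effectively hands over every object beneath it.
# Get-OuDelegation -OuDN 'OU=Sales,DC=example,DC=com' |
#     Sort-Object { $_.Rights -match 'GenericAll|WriteDacl|WriteOwner' } -Descending |
#     Format-Table -AutoSize
```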

Q42. How to Link a GPO to an OU?

5.11.1 Problem

You want to apply the settings in a GPO to the users and/or computers within an OU, also known as linking the GPO to the OU.

5.11.2 Solution

5.11.2.1 Using a graphical user interface

1. Open the Group Policy Management (GPMC) snap-in.

2. Expand Forest in the left pane.

3. Expand Domain and navigate down to the OU in the domain you want to link the GPO to.

4. Right-click on the OU and select either Create and Link a GPO Here (if the GPO does not already exist) or Link an Existing GPO (if you have already created the GPO).

Q43. How to Create a Site?

11.1.1 Problem

You want to create a site.

11.1.2 Solution

11.1.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. Right-click on the Sites container and select New Site.

3. Beside Name, enter the name of the new site.

4. Under Link Name, select a site link for the site.

5. Click OK twice.

11.1.2.2 Using a command-line interface

Create an LDIF file called create_site.ldf with the following contents:

dn: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: site
 
dn: cn=Licensing Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: licensingSiteSettings
 
dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: nTDSSiteSettings
 
dn: cn=Servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: serversContainer

then run the following command:

> ldifde -v -i -f create_site.ldf

Q44. How to Create a Subnet?

11.4.1 Problem

You want to create a subnet.

11.4.2 Solution

11.4.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. Right-click on the Subnets container and select New Subnet.

3. Enter the Address and Mask and then select which site the subnet is part of.

4. Click OK.

11.4.2.2 Using a command-line interface

Create an LDIF file called create_subnet.ldf with the following contents:

dn: cn=<Subnet>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: subnet
siteObject: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>

then run the following command:

> ldifde -v -i -f create_subnet.ldf

Q45. How to Create a Site Link?

11.7.1 Problem

You want to create a site link to connect two or more sites together.

11.7.2 Solution

11.7.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. Expand the Sites container.

3. Expand the Inter-Site Transports container.

4. Right-click on IP (or SMTP) and select New Site Link.

5. For Name, enter the name for the site link.

6. Under Sites not in this site link, select at least two sites and click the Add button.

7. Click OK.

11.7.2.2 Using a command-line interface

The following LDIF would create a site link connecting the SJC and Dallas sites:

dn: cn=Dallas-SJC,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: siteLink
siteObject: cn=SJC,cn=sites,cn=configuration,<ForestRootDN>
siteObject: cn=Dallas,cn=sites,cn=configuration,<ForestRootDN>

If the LDIF file were named create_site_link.ldf, you'd then run the following command:

> ldifde -v -i -f create_site_link.ldf

Q46. How to Create a Site Link Bridge?

11.12.1 Problem

You want to create a site link bridge because you've disabled site link transitivity.

11.12.2 Solution

11.12.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. In the left pane, expand Sites → Inter-Site Transports.

3. Right-click either the IP or SMTP folder depending on which protocol you want to create a site link bridge for.

4. Select New Site Link Bridge.

5. Highlight two or more sites in the left box.

6. Click the Add button.

7. Click OK.

11.12.2.2 Using a command-line interface

Create an LDIF file called create_site_link_bridge.ldf with the following contents, where <Link1> and <Link2> refer to the site links to be bridged:

dn: cn=<BridgeName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: siteLinkBridge
siteLinkList: cn=<Link1>,cn=IP,cn=Inter-site Transports,cn=sites,cn=configuration,<ForestRootDN>
siteLinkList: cn=<Link2>,cn=IP,cn=Inter-site Transports,cn=sites,cn=configuration,<ForestRootDN>

Then run the following command:

> ldifde -v -i -f create_site_link_bridge.ldf
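The LDIF files of Q43 through Q46 are hand-written, and ldifde imports whatever it is given; as an added example (not from the cookbook), the following PowerShell builds the site, subnet and site link entries from parameters, rejecting a site name that would break the DN or a subnet that is not a valid IPv4 prefix before anything reaches the directory. The forest root DN, site names and subnet are placeholders.

```powershell
# Added example (not from the cookbook): generate the LDIF that Q43-Q46 hand-write,
# validating names and CIDR before ldifde imports them blindly.
# ForestRootDN, site names and subnets are placeholders.

function Test-RdnSafe {
    param([Parameter(Mandatory)][string]$Name)
    # Reject characters that would change the meaning of the DN.
    if ($Name -match '[,+"\\<>;=\r\n]') { throw "Unsafe RDN value: $Name" }
}

function New-SiteLdif {
    param([Parameter(Mandatory)][string]$SiteName,
          [Parameter(Mandatory)][string]$ForestRootDN)
    Test-RdnSafe $SiteName
    $base = "cn=$SiteName,cn=sites,cn=configuration,$ForestRootDN"
    # Four entries, exactly as in Q43: the site and its three child objects.
    @"
dn: $base
changetype: add
objectclass: site

dn: cn=Licensing Site Settings,$base
changetype: add
objectclass: licensingSiteSettings

dn: cn=NTDS Site Settings,$base
changetype: add
objectclass: nTDSSiteSettings

dn: cn=Servers,$base
changetype: add
objectclass: serversContainer

"@
}

function New-SubnetLdif {
    param([Parameter(Mandatory)][string]$Subnet,      # e.g. 10.1.0.0/16
          [Parameter(Mandatory)][string]$SiteName,
          [Parameter(Mandatory)][string]$ForestRootDN)
    # The subnet RDN must be a valid IPv4 prefix or clients will never match it.
    if ($Subnet -notmatch '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$') { throw "Not CIDR: $Subnet" }
    $ip, $bits = $Subnet -split '/'
    if ([int]$bits -gt 32 -or @($ip -split '\.' | Where-Object { [int]$_ -gt 255 })) {
        throw "Out of range: $Subnet"
    }
    Test-RdnSafe $SiteName
    @"
dn: cn=$Subnet,cn=subnets,cn=sites,cn=configuration,$ForestRootDN
changetype: add
objectclass: subnet
siteObject: cn=$SiteName,cn=sites,cn=configuration,$ForestRootDN

"@
}

function New-SiteLinkLdif {
    param([Parameter(Mandatory)][string]$LinkName,
          [Parameter(Mandatory)][string[]]$Sites,    # two or more site names
          [Parameter(Mandatory)][string]$ForestRootDN)
    if ($Sites.Count -lt 2) { throw 'A site link needs at least two sites' }
    Test-RdnSafe $LinkName
    $Sites | ForEach-Object { Test-RdnSafe $_ }
    $members = ($Sites | ForEach-Object {
        "siteObject: cn=$_,cn=sites,cn=configuration,$ForestRootDN" }) -join "`n"
    @"
dn: cn=$LinkName,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,$ForestRootDN
changetype: add
objectclass: siteLink
$members

"@
}

# Usage: concatenate the entries, write the file and import it as the recipes do.
# $root = ([adsi]'LDAP://RootDSE').rootDomainNamingContext.ToString()
# (New-SiteLdif 'Dallas' $root) + (New-SubnetLdif '10.1.0.0/16' 'Dallas' $root) +
#     (New-SiteLinkLdif 'Dallas-SJC' @('Dallas','SJC') $root) |
#     Set-Content -Path create_site.ldf -Encoding ASCII
# ldifde -v -i -f create_site.ldf
```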

Q47. How to Find the Bridgehead Servers for a Site?

11.13.1 Problem

You want to find the bridgehead servers for a site.

11.13.2 Solution

11.13.2.1 Using a graphical user interface

1. Open the Replication Monitor from the Support Tools (replmon.exe).

2. From the menu, select View → Options.

3. In the left pane, right-click on Monitored Servers and select Add Monitored Server.

4. Use the Add Monitored Server Wizard to add a server in the site you want to find the bridgehead server(s) for.

5. In the left pane, right-click on the server and select Show BridgeHead Servers → In This Server's Site.

11.13.2.2 Using a command-line interface
> repadmin /bridgeheads [<ServerName>] [/verbose]

The /bridgeheads option is valid only with the Windows Server 2003 version of repadmin. There is no such option in the Windows 2000 version.

Q48. How to Move a Domain Controller to a Different Site?

Problem

You want to move a domain controller to a different site. This may be necessary if you promoted the domain controller without first adding its subnet to Active Directory. In that case, the domain controller will be added to the Default-First-Site-Name site.

Solution

Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. In the left pane, expand Sites, expand the site where the server you want to move is contained, and expand the Servers container.

3. Right-click on the server you want to move and select Move.

4. Select the site to move the server to.

5. Click OK.

Using a command-line interface
> dsmove "cn=<ServerName>,cn=servers,cn=<CurrentSite>,cn=sites,cn=configuration,<ForestRootDN>" -newparent "cn=servers,cn=<NewSite>,cn=sites,cn=configuration,<ForestRootDN>"

Q49. How to Configure a Domain Controller to Cover Multiple Sites?

11.17.1 Problem

You want to configure a domain controller to cover multiple sites, which will cause clients in those sites to use that domain controller for authentication and directory lookups.

11.17.2 Solution

11.17.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. In the left pane, expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → Netlogon → Parameters.

3. If the SiteCoverage value does not exist, right-click on Parameters in the left pane and select New → Multi-String Value. For the name, enter SiteCoverage.

4. In the right pane, double-click on the value and, on a separate line, enter each site the server should cover.

5. Click OK.

11.17.2.2 Using a command-line interface
> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v "SiteCoverage" /t REG_MULTI_SZ /d <Site1>\0<Site2>

Q50. How to Trigger the KCC?

11.27.1 Problem

You want to trigger the KCC.

11.27.2 Solution

11.27.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. In the left pane, browse to the NTDS Settings object for the server you want to trigger the KCC for.

3. Right-click on NTDS Settings, select All Tasks, and then Check Replication Topology.

4. Click OK.

11.27.2.2 Using a command-line interface
> repadmin /kcc <DomainControllerName>

Q51. How to Determine if the KCC Is Completing Successfully?

11.28.1 Problem

You want to determine if the KCC is completing successfully.

11.28.2 Solution

11.28.2.1 Using a graphical user interface

1. Open the Event Viewer of the target domain controller.

2. Click on the Directory Service log.

3. In the right pane, click on the Source heading to sort by that column.

4. Scroll down to view any events with Source: NTDS KCC.

11.28.2.2 Using a command-line interface

The following command will display any KCC errors found in the Directory Service log:

> dcdiag /v /test:kccevent /s:<DomainControllerName>

Q51. How to Disable the KCC for a Site?

11.29.1 Problem

You want to disable the KCC for a site and generate your own replication connections between domain controllers.

11.29.2 Solution

11.29.2.1 Using a graphical user interface

1. Open ADSI Edit.

2. Connect to the Configuration Naming Context if it is not already displayed.

3. In the left pane, browse to Configuration Naming Context → Sites.

4. Click on the site you want to disable the KCC for.

5. In the right pane, double-click CN=NTDS Site Settings.

6. Modify the options attribute. To disable only intra-site topology generation, set the 00001 bit (decimal 1). To disable inter-site topology generation, set the 10000 bit (decimal 16). To disable both, set the 10001 bits (decimal 17).

7. Click OK.

11.29.2.2 Using a command-line interface

You can disable the KCC for <SiteName> by using the ldifde utility and an LDIF file that contains the following:

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: <OptionsValue>
-

If the LDIF file were named disable_kcc.ldf, you would run the following command:

> ldifde -v -i -f disable_kcc.ldf
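The LDIF above replaces the whole options attribute with a fixed value, which also clears any other flag already set on NTDS Site Settings (universal group membership caching lives in the same attribute). As an added example (not from the cookbook), this PowerShell reads the current value and changes only the two KCC bits from the recipe, and can clear them again; it assumes the ActiveDirectory module, and the site name is a placeholder.

```powershell
# Added example (not from the cookbook): set or clear only the KCC bits of the
# options attribute on a site's NTDS Site Settings object (Q51), preserving any
# other flags. Assumes the ActiveDirectory module; site name is a placeholder.
Import-Module ActiveDirectory

$KccBits = @{
    IntraSiteTopologyDisabled = 1    # 0x01, the "00001" bit in the recipe
    InterSiteTopologyDisabled = 16   # 0x10, the "10000" bit in the recipe
}

function Get-NtdsSiteSettingsDN {
    param([Parameter(Mandatory)][string]$SiteName)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$cfg"
}

function Set-KccBits {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [switch]$DisableIntraSite,
        [switch]$DisableInterSite,
        [switch]$Enable        # clear the chosen bits instead of setting them
    )
    $dn  = Get-NtdsSiteSettingsDN $SiteName
    $obj = Get-ADObject -Identity $dn -Properties options
    $current = [int]($obj.options)   # an absent attribute reads as 0
    $mask = 0
    if ($DisableIntraSite) { $mask = $mask -bor $KccBits.IntraSiteTopologyDisabled }
    if ($DisableInterSite) { $mask = $mask -bor $KccBits.InterSiteTopologyDisabled }
    # OR the bits in (or AND them out) so unrelated flags survive the write.
    $new = if ($Enable) { $current -band (-bnot $mask) } else { $current -bor $mask }
    if ($new -ne $current) {
        Set-ADObject -Identity $dn -Replace @{ options = $new }
    }
    [pscustomobject]@{
        Site            = $SiteName
        OptionsBefore   = $current
        OptionsAfter    = $new
        IntraSiteKccOff = [bool]($new -band $KccBits.IntraSiteTopologyDisabled)
        InterSiteKccOff = [bool]($new -band $KccBits.InterSiteTopologyDisabled)
    }
}

# With the KCC off, connection objects must be created and maintained by hand;
# re-enable with -Enable once the manual topology is no longer needed.
# Set-KccBits -SiteName 'Dallas' -DisableIntraSite -DisableInterSite
# Set-KccBits -SiteName 'Dallas' -DisableIntraSite -DisableInterSite -Enable
```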

Q52. How to Change the Interval at Which the KCC Runs?

11.30.1 Problem

You want to change the interval at which the KCC runs.

11.30.2 Solution

11.30.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Parameters.

3. Right-click on Parameters and select New → DWORD Value.

4. Enter the following for the name: Repl topology update period (secs).

5. Double-click on the new value and under Value data enter the KCC interval in number of seconds (900 is the default).

6. Click OK.

11.30.2.2 Using a command-line interface
> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Repl topology update period (secs)" /t REG_DWORD /d <NumSecs>

Q53. How to Determine if Two Domain Controllers Are in Sync?

12.1.1 Problem

You want to determine if two domain controllers are in sync and have no objects to replicate to each other.

12.1.2 Solution

12.1.2.1 Using a command-line interface

By running the following two commands you can compare the up-to-dateness vector on the two DCs:

> repadmin /showutdvec <DC1Name> <NamingContextDN>
> repadmin /showutdvec <DC2Name> <NamingContextDN>

The Windows 2000 version of repadmin used a different syntax to accomplish the same thing. Here is the equivalent syntax:

> repadmin /showvector <NamingContextDN> <DC1Name>
> repadmin /showvector <NamingContextDN> <DC2Name>
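Comparing the two vectors by eye is error-prone once a domain has more than a handful of DCs, so as an added example (not from the cookbook) the following PowerShell parses the text that the two repadmin /showutdvec commands print and reports, per partner, which of the two DCs is behind. The sample lines are constructed; their "Site\DC @ USN n @ Time t" shape is what repadmin prints.

```powershell
# Added example (not from the cookbook): parse the output of the two
# repadmin /showutdvec commands in Q53 and report the partners for which the
# two DCs hold different USNs. Sample lines below are constructed.

function ConvertFrom-UtdVector {
    param([Parameter(Mandatory)][string[]]$Lines)
    $vector = @{}
    foreach ($line in $Lines) {
        # Header/noise lines such as "Caching GUIDs." do not match and are skipped.
        if ($line -match '^\s*(\S+)\s+@\s+USN\s+(\d+)\s+@\s+Time\s+(.+?)\s*$') {
            $vector[$Matches[1]] = [pscustomobject]@{
                Usn  = [long]$Matches[2]
                Time = $Matches[3]
            }
        }
    }
    $vector
}

function Compare-UtdVector {
    param([Parameter(Mandatory)][hashtable]$VectorDC1,
          [Parameter(Mandatory)][hashtable]$VectorDC2)
    $partners = @($VectorDC1.Keys) + @($VectorDC2.Keys) | Sort-Object -Unique
    foreach ($p in $partners) {
        $a = $VectorDC1[$p]; $b = $VectorDC2[$p]
        # The DC holding the lower USN for a partner has not yet received
        # all of that partner's originating changes.
        $status = if ($null -eq $a -or $null -eq $b) { 'MissingOnOneSide' }
                  elseif ($a.Usn -eq $b.Usn) { 'InSync' }
                  elseif ($a.Usn -gt $b.Usn) { 'DC2 behind' }
                  else { 'DC1 behind' }
        [pscustomobject]@{
            Partner = $p
            UsnDC1  = if ($a) { $a.Usn } else { $null }
            UsnDC2  = if ($b) { $b.Usn } else { $null }
            Status  = $status
        }
    }
}

# Constructed sample standing in for "repadmin /showutdvec dc1 <NC>" and "... dc2 <NC>":
$dc1Output = @(
    'Caching GUIDs.',
    '..',
    'Default-First-Site-Name\DC1          @ USN  20421 @ Time 2009-08-30 10:15:22',
    'Default-First-Site-Name\DC2          @ USN  16453 @ Time 2009-08-30 10:12:06'
)
$dc2Output = @(
    'Caching GUIDs.',
    '..',
    'Default-First-Site-Name\DC1          @ USN  20398 @ Time 2009-08-30 10:14:50',
    'Default-First-Site-Name\DC2          @ USN  16453 @ Time 2009-08-30 10:12:06'
)
# Live: $dc1Output = repadmin /showutdvec dc1 'DC=example,DC=com'  (and likewise for dc2)
Compare-UtdVector (ConvertFrom-UtdVector $dc1Output) (ConvertFrom-UtdVector $dc2Output) |
    Format-Table -AutoSize
```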

Q54. How to View the Replication Status of Several Domain Controllers?

12.2.1 Problem

You want to take a quick snap-shot of replication activity for one or more domain controllers.

12.2.2 Solution

12.2.2.1 Using a command-line interface

The following command will show the replication status of all the domain controllers in the forest:

> repadmin /replsum

You can also use * as a wildcard character to view the status of a subset of domain controllers. The following command will display the replication status of only the servers that begin with the name dc-rtp:

> repadmin /replsum dc-rtp*

Q55. How to View Unreplicated Changes Between Two Domain Controllers?

12.3.1 Problem

You want to find the unreplicated changes between two domain controllers.

12.3.2 Solution

12.3.2.1 Using a graphical user interface

1. Open the Replication Monitor from the Support Tools (replmon.exe).

2. From the menu, select View → Options.

3. On the General tab, check the box beside Show Transitive Replication Partners and Extended Data.

4. Click OK.

5. In the left pane, right-click on Monitored Servers and select Add Monitored Server.

6. Use the Add Monitored Server Wizard to add one of the domain controllers you want to compare (I'll call it dc1).

7. In the left pane, under the server you just added, expand the naming context that you want to check for unreplicated changes.

8. Right-click on the other domain controller you want to compare (I'll call it dc2) and select Check Current USN and Un-replicated Objects.

9. Enter credentials if necessary and click OK.

10. If some changes have not yet replicated from dc2 to dc1, a box will pop up that lists the unreplicated objects.

11. To find out what changes have yet to replicate from dc1 to dc2, repeat the same steps except add dc2 as a monitored server and check for unreplicated changes against dc1.

12.3.2.2 Using a command-line interface

Run the following two commands to find the differences between two domain controllers. Use the /statistics option to view a summary of the changes:

> repadmin /showchanges <DC1Name> <DC2GUID> <NamingContextDN>
> repadmin /showchanges <DC2Name> <DC1GUID> <NamingContextDN>

The Windows 2000 version of repadmin has a different syntax to accomplish the same thing. Here is the equivalent syntax:

> repadmin /getchanges <NamingContextDN> <DC1Name> <DC2GUID>
> repadmin /getchanges <NamingContextDN> <DC2Name> <DC1GUID>

Q56. How to Force Replication from One Domain Controller to Another?

12.4.1 Problem

You want to force replication between two partners.

12.4.2 Solution

12.4.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. Browse to the NTDS Settings object for the domain controller you want to replicate to.

3. In the right pane, right-click on the connection object to the domain controller you want to replicate from and select Replicate Now.

12.4.2.2 Using a command-line interface

The following command will perform a replication sync of the naming context specified by <NamingContextDN> from <DC2Name> (the source) to <DC1Name> (the destination):

> repadmin /replicate <DC1Name> <DC2Name> <NamingContextDN>

The Windows 2000 version of repadmin has a different syntax to accomplish the same thing. Here is the equivalent syntax:

> repadmin /sync <NamingContextDN> <DC1Name> <DC2GUID>

Q57. How to Change the Intra-Site Replication Interval?

12.5.1 Problem

You want to change the number of seconds that a domain controller in a site waits before replicating within the site.

12.5.2 Solution

12.5.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Parameters.

3. If a value entry for Replicator notify pause after modify (secs) does not exist, right-click on Parameters and select New → DWORD Value. For the name, enter: Replicator notify pause after modify (secs).

4. Double-click on the value and enter the number of seconds to wait before notifying intra-site replication partners.

5. Click OK.

12.5.2.2 Using a command-line interface

With the following command, change <NumSeconds> to the number of seconds to set the intra-site replication delay to:

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Replicator notify pause after modify (secs)" /t REG_DWORD /d <NumSeconds>

Q58. How to Change the Inter-Site Replication Interval?

12.6.1 Problem

You want to set the schedule for replication for a site link.

12.6.2 Solution

These solutions assume the IP transport, but the SMTP transport could be used as well.

12.6.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. Expand the Inter-Site Transports container.

3. Click on the IP container.

4. In the right pane, double-click on the site link you want to modify the replication interval for.

5. Enter the new interval beside Replicate every.

6. Click OK.

12.6.2.2 Using a command-line interface

To change the replication interval, create an LDIF file named set_link_rep_interval.ldf with the following contents:

dn: cn=<LinkName>,cn=ip,cn=Inter-Site Transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: replInterval
replInterval: <NewInterval>
-

then run the following command:

> ldifde -v -i -f set_link_rep_interval.ldf

Q59. How to Check for Potential Replication Problems?

12.8.1 Problem

You want to determine if replication is succeeding.

12.8.2 Solution

The following two commands will help identify problems with replication on a source domain controller:

> dcdiag /test:replications
> repadmin /showrepl /errorsonly

12.8.3 Discussion

For a more detailed report, you can use the Replication Monitor (replmon.exe). The Generate Status Report option will produce a lengthy report of site topology, replication information, and provide details on any errors encountered. The Directory Service event log can also be an invaluable source of replication and KCC problems.
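repadmin /showrepl also has a /csv output form (Windows Server 2003 SP1 and later), which is easier to turn into a report than the text of /errorsonly; as an added example (not from the cookbook), the following PowerShell parses it and lists only the links that have failures, with a hint for the three Win32 status codes most often seen. The sample rows are constructed.

```powershell
# Added example (not from the cookbook): turn the Q59 check into a report by
# parsing repadmin /showrepl /csv and listing only links with failures.
# Sample rows below are constructed.

function Get-ReplicationFailure {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    # First column is the row tag (showrepl_COLUMNS / showrepl_INFO); not needed.
    $rows = $CsvLines | ConvertFrom-Csv
    foreach ($r in $rows) {
        $failures = [int]$r.'Number of Failures'
        if ($failures -eq 0) { continue }
        $status = [int]$r.'Last Failure Status'
        # Win32 codes: 8453 replication access denied, 1722 RPC server unavailable,
        # 8524 DSA operation unable to proceed because of a DNS lookup failure.
        $hint = switch ($status) {
            8453    { 'access denied: check the DC computer account and permissions' }
            1722    { 'RPC unavailable: network path, firewall or name resolution' }
            8524    { 'DNS lookup failure: check the _msdcs SRV/CNAME records' }
            default { 'see the full repadmin /showrepl <dest> output' }
        }
        [pscustomobject]@{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            Failures      = $failures
            LastFailure   = $r.'Last Failure Time'
            LastSuccess   = $r.'Last Success Time'
            Status        = $status
            Hint          = $hint
        }
    }
}

# Constructed sample standing in for: repadmin /showrepl * /csv
$sample = @(
    '"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"',
    '"showrepl_INFO","Dallas","DC1","DC=example,DC=com","SJC","DC2","RPC","0","0","2009-08-30 10:15:22","0"',
    '"showrepl_INFO","Dallas","DC1","CN=Configuration,DC=example,DC=com","SJC","DC3","RPC","12","2009-08-30 09:40:01","2009-08-29 23:10:44","1722"'
)
Get-ReplicationFailure -CsvLines $sample | Format-Table -AutoSize

# Live: Get-ReplicationFailure -CsvLines (repadmin /showrepl * /csv)
```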

Q60. How to Find Conflict Objects?

12.11.1 Problem

You want to find conflict objects that are a result of replication collisions.

12.11.2 Solution

12.11.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection → Connect.

3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

4. For Port, enter 389 or 3268 for the global catalog.

5. Click OK.

6. From the menu, select Connection → Bind.

7. Enter credentials (if necessary) of a user that can view the object.

8. Click OK.

9. From the menu, select Browse → Search.

10. For BaseDN, type the base DN from where you want to start the search.

11. For Scope, select the appropriate scope.

12. For Filter, enter (|(cn=*\0ACNF:*)(ou=*\0ACNF:*)).

13. Click Run.

12.11.2.2 Using a command-line interface

The following command finds all conflict objects within the whole forest:

> dsquery * forestroot -gc -attr distinguishedName -scope subtree -filter "(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))"

Q61. How to View Object Metadata?

12.12.1 Problem

You want to view metadata for an object. The object's replPropertyMetaData attribute stores metadata information about the most recent updates to every attribute that has been set on the object.

12.12.2 Solution

12.12.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection → Connect.

3. For Server, enter the name of a domain controller or domain that contains the object.

4. For Port, enter 389.

5. Click OK.

6. From the menu, select Connection → Bind.

7. Enter credentials (if necessary) of a user that can view the object.

8. Click OK.

9. From the menu, select Browse → Replication → View Metadata.

10. For Object DN, type the distinguished name of the object you want to view.

11. Click OK.

12.12.2.2 Using a command-line interface

In the following command, replace <ObjectDN> with the distinguished name of the object for which you want to view metadata:

> repadmin /showobjmeta <DomainControllerName> <ObjectDN>

This command was called /showmeta in the Windows 2000 version of repadmin. Also, the parameters are switched in that version, where <ObjectDN> comes before <DomainControllerName>.
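The conflict search of Q60 and the metadata view of Q61 are usually wanted together: once a CNF object is found, the question is which DC originated the competing create and when. As an added example (not from the cookbook), the following PowerShell runs the recipe's filter through the ActiveDirectory module, splits the "<name>\0ACNF:<objectGUID>" name back into its parts, and reads the replication metadata of the name attribute with Get-ADReplicationAttributeMetadata. The module is assumed to be installed; search base and server default to the current domain and its PDC Emulator.

```powershell
# Added example (not from the cookbook): find conflict (CNF) objects (Q60) and
# show which DC originated each one and when, from replication metadata (Q61).
# Assumes the ActiveDirectory module; search base and server are defaults you can override.
Import-Module ActiveDirectory

function ConvertFrom-CnfName {
    param([Parameter(Mandatory)][string]$Name)
    # Conflict names are "<original name>" + line feed + "CNF:" + objectGUID;
    # the \0A in the LDAP filter is that line feed.
    $parts = $Name -split "`nCNF:", 2
    if ($parts.Count -ne 2) { return $null }
    [pscustomobject]@{ OriginalName = $parts[0]; ConflictGuid = [guid]$parts[1] }
}

function Get-ConflictObjectReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$Server     = (Get-ADDomain).PDCEmulator
    )
    # Same filter as the recipe's LDP and dsquery solutions.
    $filter = '(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))'
    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree `
        -Server $Server -Properties objectClass, whenCreated |
    ForEach-Object {
        $cnf = ConvertFrom-CnfName $_.Name
        # Metadata for the name attribute carries the originating DC, USN and
        # time of the rename that produced the CNF name.
        $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName `
                    -Server $Server -Attribute name
        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            ObjectClass       = $_.ObjectClass
            OriginalName      = $cnf.OriginalName
            ConflictGuid      = $cnf.ConflictGuid
            WhenCreated       = $_.WhenCreated
            OriginatingServer = $meta.LastOriginatingChangeDirectoryServerIdentity
            OriginatingTime   = $meta.LastOriginatingChangeTime
            OriginatingUsn    = $meta.LastOriginatingChangeUsn
            Version           = $meta.Version
        }
    }
}

# A conflict object means the same name was created on two DCs before replication
# converged; an originating DC or time you did not expect is worth a closer look.
# Get-ConflictObjectReport | Format-Table -AutoSize
```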
