Friday 21 March 2014

Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE)

What Is a Tombstone?
When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object’s isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object’s naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations.
LDP.exe ships with the Windows Server 2003 Support Tools; on the installation CD the package is \SUPPORT\TOOLS\SUPTOOLS.MSI.
You do not need to follow this step if you are using Windows Server 2008.


Process to Restore the Deleted Object
1. Run LDP.exe.
2. In the LDP window, click the Connection menu, click Connect, and type the appropriate server name and port.
3. Click the Connection menu, click Bind, and type the Administrator account and password.
4. Click the Options menu, click Controls.
5. Under Load Predefined, select Return deleted objects. This option shows the Deleted Objects container, which is hidden by default.
6. Click the View menu, click Tree, and then select the distinguished name of the domain.
7. On the left, select DC=Microship,DC=com.
8. Expand the Deleted Objects container and find the deleted object.
9. Right-click the nameoftheuser account, then click Modify.
10. In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.
11. In the Attribute box, type distinguishedName; in the Values box, type CN=NameOfTheUser,OU=OUName,DC=DCName,DC=com. Under Operation, click Replace, and then click Enter.
12. Select the Extended check box, and then click Run.

The result of restoring a deleted object with the tombstone reanimation procedure is not perfect: you get back a disabled account whose attributes were stripped when it was deleted. You have to set the password and enable the account.
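The same reanimation can be scripted. The block below is an added example written for this post (not part of the original and not a Microsoft tool); it uses the System.DirectoryServices.Protocols classes from PowerShell to do exactly what the LDP.exe steps do: search the Deleted Objects container with the Return deleted objects control attached, then remove isDeleted and replace distinguishedName in one modify operation that carries the same control. The server dc01.example.com, the domain DN DC=example,DC=com and the account jdoe are placeholders.

```powershell
# Added example (not from the original post): tombstone reanimation with
# System.DirectoryServices.Protocols, mirroring the LDP.exe steps above.
# Server, domain DN and account name are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Ldap {
    param([Parameter(Mandatory)][string]$Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # sign and seal the session (Negotiate/Kerberos)
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                           # bind as the current (administrative) user
    return $conn
}

# LDP's "Return deleted objects" control (OID 1.2.840.113556.1.4.417) is
# ShowDeletedControl here; without it tombstones are invisible to the search.
function Find-Tombstone {
    param($Conn, [string]$DomainDN, [string]$AccountName)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$DomainDN",
        "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$AccountName))",
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        [string[]]@('distinguishedName', 'lastKnownParent', 'whenChanged'))
    $null = $req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    foreach ($e in $Conn.SendRequest($req).Entries) {
        [pscustomobject]@{
            DN              = $e.DistinguishedName
            LastKnownParent = [string]$e.Attributes['lastKnownParent'][0]
            WhenChanged     = [string]$e.Attributes['whenChanged'][0]
        }
    }
}

# Reanimate in ONE modify: drop isDeleted and set the new DN, with the
# deleted-objects control attached (what LDP's "Extended" check box adds).
function Restore-Tombstone {
    param($Conn, [string]$TombstoneDN, [string]$NewDN)
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $TombstoneDN

    $dropIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $dropIsDeleted.Name = 'isDeleted'
    $dropIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $null = $setDn.Add($NewDN)

    $null = $req.Modifications.Add($dropIsDeleted)
    $null = $req.Modifications.Add($setDn)
    $null = $req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    return $Conn.SendRequest($req).ResultCode   # Success when the object is back
}

# Usage (placeholders): put the object back under its last known parent.
$conn  = Connect-Ldap -Server 'dc01.example.com'
$found = @(Find-Tombstone -Conn $conn -DomainDN 'DC=example,DC=com' -AccountName 'jdoe')
$found | Format-Table -AutoSize
if ($found.Count -eq 1) {
    # The tombstone RDN looks like CN=jdoe\0ADEL:<guid>; keep the part before \0ADEL
    $rdn = ($found[0].DN -split '\\0ADEL:')[0]
    Restore-Tombstone -Conn $conn -TombstoneDN $found[0].DN -NewDN "$rdn,$($found[0].LastKnownParent)"
    # The restored account is disabled and stripped of most attributes:
    # reset the password and enable it afterwards, as noted above.
}
```

Both modifications must travel in the same LDAP modify request; sending the isDeleted removal and the distinguishedName replace as two separate operations is rejected by the directory, which is why LDP's dialog collects both entries before you click Run.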

How can you determine which GPOs were and were not applied for a user in a Windows AD domain?

Start -> Run -> cmd, then type:

gpresult /?

gpresult /R
With the /R switch alone, summary data for the various policies and settings is printed to the command prompt.

gpresult /V
The same as /R, but the results are verbose.

More examples:
GPRESULT /R
GPRESULT /H GPReport.html
GPRESULT /USER targetusername /V
GPRESULT /S system /USER targetusername /SCOPE COMPUTER /Z
GPRESULT /S system /U username /P password /SCOPE USER /V
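When you need the answer in a form you can filter rather than read, gpresult /X (Windows Vista/Server 2008 and later) writes the same RSoP data as XML. The block below is an added example for this post, not a Microsoft script: it parses that report and lists, per scope, which GPOs applied and why the others did not. The element names (Rsop/ComputerResults or UserResults/GPO with Enabled, IsValid, FilterAllowed, AccessDenied and Link/SOMPath, LinkOrder) are taken from the RSoP report schema as I know it and should be checked against a report from your own domain; the embedded sample report is constructed, not captured.

```powershell
# Added example (not from the original post). Parses the XML written by
# "gpresult /X <file>" and reports, per scope, which GPOs applied and why
# the others did not. Element names follow the RSoP report schema as I know
# it; verify them against a report generated on your own machine.
function Get-GpoApplyStatus {
    param([Parameter(Mandatory)][xml]$Report)
    foreach ($scope in 'ComputerResults', 'UserResults') {
        $node = $Report.Rsop.$scope
        if (-not $node) { continue }
        foreach ($gpo in @($node.GPO)) {
            $denied  = $gpo.AccessDenied  -eq 'true'    # security filtering
            $wmiFail = $gpo.FilterAllowed -eq 'false'   # WMI filter evaluated false
            $off     = $gpo.Enabled       -eq 'false'   # GPO disabled
            $invalid = $gpo.IsValid       -eq 'false'   # inaccessible or empty
            $applied = -not ($denied -or $wmiFail -or $off -or $invalid)
            $reason  = if ($applied)      { '' }
                       elseif ($denied)  { 'security filtering (access denied)' }
                       elseif ($wmiFail) { 'WMI filter' }
                       elseif ($off)     { 'disabled' }
                       else              { 'invalid/empty' }
            $link = @($gpo.Link)[0]
            [pscustomobject]@{
                Scope     = $scope -replace 'Results$'
                GPO       = $gpo.Name
                LinkedAt  = $link.SOMPath
                LinkOrder = [int]$link.LinkOrder
                Applied   = $applied
                Reason    = $reason
            }
        }
    }
}

# Constructed sample in the shape gpresult /X produces (not a real report).
$sample = [xml]@'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <UserResults>
    <Name>EXAMPLE\jdoe</Name>
    <GPO>
      <Name>Default Domain Policy</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>example.com</SOMPath><SOMOrder>1</SOMOrder><LinkOrder>1</LinkOrder></Link>
    </GPO>
    <GPO>
      <Name>Finance Desktop Lockdown</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>true</AccessDenied>
      <Link><SOMPath>example.com/Staff/Finance</SOMPath><SOMOrder>2</SOMOrder><LinkOrder>1</LinkOrder></Link>
    </GPO>
  </UserResults>
</Rsop>
'@
Get-GpoApplyStatus -Report $sample | Format-Table -AutoSize

# Against a live machine:
#   gpresult /X C:\temp\rsop.xml /USER targetusername
#   Get-GpoApplyStatus -Report ([xml](Get-Content C:\temp\rsop.xml))
```

On the sample, Default Domain Policy comes out Applied=True and Finance Desktop Lockdown Applied=False with the reason "security filtering (access denied)", which is the distinction the summary output of gpresult /R shows under "Applied Group Policy Objects" and "The following GPOs were not applied because they were filtered out".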

Thursday 20 March 2014

· What is Active Directory?

Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. (Source: http://en.wikipedia.org/wiki/Active_Directory)

In Windows 2000, Active Directory has three partitions. These are also known as naming contexts: domain, schema, and configuration. The domain partition contains users, groups, contacts, computers, organizational units, and many other object types. Because Active Directory is extensible, you can also add your own classes and/or attributes. The schema partition contains classes and attribute definitions. The configuration partition includes configuration data for services, partitions, and sites. (Source: http://msdn.microsoft.com/en-us/library/aa746492(v=vs.85).aspx)

Active Directory Domain Services provide secure, structured, hierarchical data storage for objects in a network such as users, computers, printers, and services. Active Directory Domain Services provide support for locating and working with these objects. (Source: http://msdn.microsoft.com/en-us/library/aa362244(v=vs.85).aspx)


· What is LDAP?

The Lightweight Directory Access Protocol (LDAP) is a set of open protocols used to access centrally stored information over a network. It is based on the X.500 standard for directory sharing, but is less complex and resource-intensive. For this reason, LDAP is sometimes referred to as "X.500 Lite." The X.500 standard is a directory that contains hierarchical and categorized information, which could include information such as names, addresses, and phone numbers.
Like X.500, LDAP organizes information in a hierarchical manner using directories. These directories can store a variety of information and can even be used in a manner similar to the Network Information Service (NIS), enabling anyone to access their account from any machine on the LDAP-enabled network.
In many cases, LDAP is used as a virtual phone directory, allowing users to easily access contact information for other users. But LDAP is more flexible than a traditional phone directory, as it is capable of referring a querent to other LDAP servers throughout the world, providing an ad-hoc global repository of information. Currently, however, LDAP is more commonly used within individual organizations, like universities, government departments, and private companies.
LDAP is a client/server system. The server can use a variety of databases to store a directory, each optimized for quick and copious read operations. When an LDAP client application connects to an LDAP server, it can either query a directory or attempt to modify it. In the event of a query, the server either answers the query locally, or it can refer the querent to an LDAP server which does have the answer. If the client application is attempting to modify information within an LDAP directory, the server verifies that the user has permission to make the change and then adds or updates the information.

LDAP Client Applications
There are graphical LDAP clients available which support creating and modifying directories, but they are not included with Red Hat Enterprise Linux. One such application is LDAP Browser/Editor, a Java-based tool available online at http://www.iit.edu/~gawojar/ldap/.
Other LDAP clients access directories as read-only, using them to reference, but not alter, organization-wide information. Some examples of such applications are Sendmail, Mozilla, Gnome Meeting, and Evolution.

· Where is the AD database held? What other folders are related to AD?

The AD database is saved in %systemroot%\NTDS. You can see other files in this folder too. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
The Active Directory ESE database, NTDS.DIT, consists of the following tables:
· Schema table: the types of objects that can be created in Active Directory, the relationships between them, and the optional and mandatory attributes on each type of object. This table is fairly static and much smaller than the data table.
· Link table: contains linked attributes, which hold values referring to other objects in Active Directory. Take the MemberOf attribute on a user object: that attribute contains values that reference the groups to which the user belongs. This is also far smaller than the data table.
· Data table: users, groups, application-specific data, and any other data stored in Active Directory. The data table can be thought of as having rows where each row represents an instance of an object such as a user, and columns where each column represents an attribute in the schema such as GivenName.

· AD-related roles in Windows Server 2008/R2.

The Server 2008 roles are as follows:
  • Active Directory Certificate Services. Provides the services for creating and managing public key certificates used in most aspects of security today, including HTTP Security (HTTPS), which is vital to many Windows Roles; Wireless network security; VPNs; IPsec; Encrypting File System (EFS); and other software security systems that require encryption or digital signatures.
  • Active Directory Domain Services. Previously known as just Active Directory, AD Domain Services stores information about users, computers, and other devices on the network in a security boundary known as a domain. With resources and users being members of a domain or trusted hierarchy of domains known as a forest, access to company wide information is secure and no burden on the user.
  • Active Directory Federation Services (ADFS). Provides Web single-sign-on (SSO) capabilities across separate organizations, allowing authentication across multiple Web applications in various companies using a single user account. ADFS accomplishes this by securely federating, or sharing, user identities and access rights, in the form of digital claims, between partner organizations once a federation trust has been established.
  • Active Directory Lightweight Directory Services. Previously known as Active Directory Application Mode (ADAM), Active Directory Lightweight Directory Services provides a directory service that organizations can use to store information specific to an application that is separate from the organization's main AD. Active Directory Lightweight Directory Services runs as a non-OS service and doesn't require deployment on a DC, with multiple Active Directory Lightweight Directory Services instances supported on a single server.
  • Active Directory Rights Management Services. Provides very granular protection on supported documents via AD RMS-enabled applications to not only protect documents and other digital information but also to control the actions that authorized consumers of the information can do.
  • Application Server. Comprises a number of components that are responsible for the deployment and managing of .NET Framework 3.0 applications. These components include the .NET Framework, Web Server (IIS) Support, Message Queuing, COM+ Network Access, TCP Port Sharing, Distributed Transactions and Windows Process Activation Service Support.
  • Dynamic Host Configuration Protocol (DHCP) Server. Allows servers to assign or lease IP addresses to computers and other devices that are enabled as DHCP clients on the network.
  • DNS Server. DNS is used to resolve host names to IP addresses, both IPv4 and IPv6.
  • Fax Server. Sends and receives faxes, and allows you to manage fax resources such as jobs, settings, reports, and fax devices on this computer or on the network.
  • File Services. Provides technologies for storage management, which includes control of the types of files stored on a server via file screens and powerful quotas, file replication, distributed namespace management, NFS, and support for UNIX clients.
  • Hyper-V. Provides the services that you can use to create and manage virtual machines (VMs) and their resources. Hyper-V will ship within 180 days of the Server 2008 launch, but a beta version is supplied with the 2008 RTM.
  • Network Policy and Access Services. Delivers a variety of methods to provide users with local and remote network connectivity, to connect network segments, and to allow network administrators to centrally manage network access and client health policies. With Network Access Services, you can deploy VPN servers, dial-up servers, routers, and 802.11 protected wireless access. You can also deploy RADIUS servers and proxies, and use Connection Manager Administration Kit to create remote access profiles that allow client computers to connect to your network.
  • Print Services. Enables the management of print servers and printers. A print server reduces administrative and management workload by centralizing printer management tasks. Also part of Print Services is the Print Management Console, which streamlines the management of all aspects of printer server management including the ability to remotely scan a subnet for printers and automatically create the necessary print queues and shares.
  • Terminal Services. Enables users to access Windows-based programs that are installed on a terminal server or to access the Windows desktop from almost any computing device that supports the RDP protocol. Users can connect to a terminal server to run programs and to use network resources on that server. Server 2008 has technologies that allow the RDP traffic necessary for communication with a terminal server from a client to be encapsulated in HTTPS packets, which means all communication is via port 443 so no special holes are required in the firewall for access to terminal servers within an organization from the Internet.
  • Universal Description, Discovery, and Integration (UDDI) Services. UDDI Services provides description, discovery, and integration capabilities for sharing information about Web services within an organization's intranet, between business partners on an extranet, or on the Internet.
  • Web Server (IIS). Enables sharing of information on the Internet, intranets, or extranets. It's a unified Web platform that integrates IIS 7.0, ASP.NET, and Windows Communication Foundation. IIS 7.0 also features enhanced security, simplified diagnostics, and delegated administration.
  • Windows Deployment Services (WDS). Used to install and configure Windows OSs that are stored in the Windows Imaging format remotely on computers via Pre-boot Execution Environment (PXE) boot ROMs.

· What are the new Domain and Forest Functional Levels in Windows Server 2008/R2?

In Active Directory Domain Services (AD DS), domain controllers can run different versions of Windows Server operating systems. The functional level of a domain or forest depends on which versions of Windows Server operating systems are running on the domain controllers in the domain or forest. The functional level of a domain or forest controls which advanced features are available in the domain or forest.
Raising the functional level allows the introduction of advanced features but also limits the versions of Windows Server that can run on domain controllers in the environment. AD DS has two types of functional levels:
• Domain functional level. Six domain functional levels are available:
  Windows 2000 mixed (the default in Windows Server 2003)
  Windows 2000 native
  Windows Server 2003 interim
  Windows Server 2003
  Windows Server 2008
  Windows Server 2008 R2
Setting the functional level for a domain enables features that affect the entire domain and that domain only. If all domain controllers in a domain are running Windows Server 2008 R2 and the functional level is set to Windows Server 2008 R2, all domain-wide features are available.
• Forest functional level. Five forest functional levels are available:
  Windows 2000 (the default in Windows Server 2003 and Windows Server 2008)
  Windows Server 2003 interim
  Windows Server 2003 (the default in Windows Server 2008 R2)
  Windows Server 2008
  Windows Server 2008 R2
Setting the functional level for a forest enables features across all the domains within a forest. If all domain controllers in a forest are running Windows Server 2008 R2 and the functional level is set to Windows Server 2008 R2, all forest-wide features are available.
· What is the SYSVOL folder?

Sysvol is an important component of Active Directory. The Sysvol folder is shared on an NTFS volume on all the domain controllers in a particular domain. Sysvol is used to deliver the policy and logon scripts to domain members.
By default Sysvol includes 2 folders:
1. Policies - (default location: %SystemRoot%\Sysvol\Sysvol\domain_name\Policies)
2. Scripts - (default location: %SystemRoot%\Sysvol\Sysvol\domain_name\Scripts)



· What are the AD naming contexts (partitions) and the replication issues for each NC?
There are three predefined Naming Contexts (NC):

1. Domain Naming Context
2. Configuration Naming Context
3. Schema Naming Context

1. Domain Naming Context - One per domain. The domain naming context stores users, computers, groups, and other objects for that domain. All domain controllers that are joined to the domain share a full writeable copy of the domain directory partition. Additionally, all domain controllers in the forest that host the global catalog also host a partial read-only copy of every other domain naming context in the forest.

2. Configuration Naming Context - One per forest. It stores forest-wide configuration data that is required for the proper functioning of Active Directory as a directory service. Information that Active Directory uses to construct the directory tree hierarchy is also stored in the configuration directory partition, as is network-wide, service-specific information that applications use to connect to instances of services in the forest. Every domain controller has one fully writeable copy of the configuration directory partition.

3. Schema Naming Context - One per forest. The schema naming context contains the definitions of all objects that can be instantiated in Active Directory. It also stores the definitions of all attributes that can be a part of objects in Active Directory. Every domain controller has one fully writeable copy of the schema directory partition, although schema updates are allowed only on the domain controller that is the schema operations master.

· What are application partitions?
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Applications and services can use application directory partitions to store application-specific data. Application directory partitions can contain any type of object, except security principals. TAPI is an example of a service that stores its application-specific data in an application directory partition.
Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
The Telephony Application Programming Interface (TAPI) is a Microsoft Windows API, which provides computer telephony integration and enables PCs running Microsoft Windows to use telephone services.

· What applications or services use AD application partitions? Name a couple.
TAPI is an example of a service that stores its application-specific data in an application directory partition.
Active Directory-integrated DNS.

· How do you create a new application partition?

Create an application directory partition by using the DnsCmd command.

Use the DnsCmd command to create an application directory partition. To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
To create an application directory partition that is named CustomDNSPartition on a domain controller that is named DC-1, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER:
dnscmd DC-1 /createdirectorypartition CustomDNSPartition.contoso.com
When the application directory partition has been successfully created, the following information appears:
DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com
Command completed successfully.
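To see the result of a command like the one above, and to check which partitions a DC actually carries, you can read the naming contexts from RootDSE and look up each application partition's crossRef. The block below is an added example for this post (not Microsoft code): it lists the naming contexts held by the DC you are bound to, marks the three predefined ones, and for every application partition prints the DCs that replicate it, taken from the msDS-NC-Replica-Locations attribute of its crossRef object under CN=Partitions in the configuration partition. It runs under the current user's credentials against the logon domain.

```powershell
# Added example (not from the original post): list the naming contexts held by
# the DC you are bound to, mark the three predefined ones, and for each
# application partition show the DCs that replicate it (from the
# msDS-NC-Replica-Locations attribute on its crossRef in CN=Partitions).
function Get-NamingContextInfo {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $predefined = @{}
    $predefined[[string]$rootDse.defaultNamingContext]       = 'Domain'
    $predefined[[string]$rootDse.configurationNamingContext] = 'Configuration'
    $predefined[[string]$rootDse.schemaNamingContext]        = 'Schema'

    $partitions = [ADSI]('LDAP://CN=Partitions,' + [string]$rootDse.configurationNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('nCName', 'msDS-NC-Replica-Locations'))

    # namingContexts only lists partitions this DC hosts, so run this against
    # a DC that holds the application partitions you care about.
    foreach ($nc in @($rootDse.namingContexts | ForEach-Object { [string]$_ })) {
        $type  = if ($predefined.ContainsKey($nc)) { $predefined[$nc] } else { 'Application' }
        $hosts = @()
        if ($type -eq 'Application') {
            $searcher.Filter = "(&(objectClass=crossRef)(nCName=$nc))"
            $crossRef = $searcher.FindOne()
            if ($crossRef) {
                # Each value is the DN of a hosting DC's NTDS Settings object:
                # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,... -> take <server>
                $hosts = @($crossRef.Properties['msds-nc-replica-locations'] |
                    ForEach-Object { ([string]$_ -split ',')[1] -replace '^CN=' })
            }
        }
        [pscustomobject]@{ NamingContext = $nc; Type = $type; ReplicaHosts = ($hosts -join ', ') }
    }
}
Get-NamingContextInfo | Format-Table -AutoSize
```

The replica list is the authoritative place to check that a new partition is replicated only to the DCs you intended; a partition that shows up on more DCs than expected is an operational finding worth following up, since whatever the application stores there is being copied to all of them.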

· What are the requirements for installing AD on a new server?

• Install Windows Server 2008 or Windows Server 2008 R2.
• Verify that a Domain Name System (DNS) infrastructure is in place. Before you add Active Directory Domain Services (AD DS) to create a domain or forest, be sure that a DNS infrastructure is in place on your network. When you install AD DS, you can include DNS server installation, if it is needed. When you create a new domain, a DNS delegation is created automatically during the installation process. If a DNS infrastructure is not in place when you install an additional domain controller in a domain, then the option to install DNS server on that domain controller will not be available.
• Configure appropriate TCP/IP and DNS server addresses.
• Verify that Adprep.exe operations are complete. Before you can add AD DS to a server that is running Windows Server 2008 or Windows Server 2008 R2 in an existing Active Directory environment, you must prepare the environment by running Adprep.exe. For more information about running Adprep.exe, see Running Adprep.exe. In Windows Server 2008, Adprep.exe is available in the /sources/adprep folder of the installation DVD. In Windows Server 2008 R2, Adprep.exe is located in the /support/adprep folder.
• In order to install a read-only domain controller (RODC), there must be a writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the domain. The Active Directory Domain Services Installation Wizard makes a DC Locator call during forest examination with specific options to find a writable domain controller (using the DS_WRITABLE_REQUIRED flag) that runs Windows Server 2008 or Windows Server 2008 R2 (using the DS_DIRECTORY_SERVICE_6_REQUIRED flag). If the call succeeds and a domain controller that matches these options is found, the check box to install an RODC is enabled. For more information about these options, see DsGetDcName Function (http://go.microsoft.com/fwlink/?LinkId=100509).
• When you use an answer file to perform an unattended installation of AD DS, specify a [DCINSTALL] section in the answer file with appropriate parameters. For a list of entries for the [DCINSTALL] section of the answer file, see Appendix of Unattended Installation Parameters.
• The drives that store the database, log files, and SYSVOL folder for Active Directory Domain Services (AD DS) must be placed on a local fixed volume. SYSVOL must be placed on a volume that is formatted with the NTFS file system. For security purposes, the Active Directory database and log files should be placed on a volume that is formatted with NTFS.
• Traditionally, the Active Directory database and log files are placed on disk drives that are physically local to the domain controller computer. As an option, you can place the Active Directory database and log files on a nonlocal storage device if the device appears to be “local” to the GetDriveType function that Dcpromo.exe uses and it does not have advanced rollback, undo, or snapshot features enabled. For more information about the GetDriveType function, see GetDriveType Function (http://go.microsoft.com/fwlink/?LinkId=102448).
• You must perform all backups and restores of AD DS, including rolling the contents of AD DS “back in time,” by using system state backups that are created by supported backup application programming interfaces (APIs) and methods.
· What can you do to promote a server to DC if you're in a remote location with a slow WAN link?

The best solution in this scenario is to install the DC from media, a feature introduced with Windows Server 2003. Take a system state backup of the current global catalog server, burn it to CD/DVD and send it to the remote location. On the remote server that is to be promoted to DC, restore the files to an alternate location, then go to Run and type dcpromo /adv.

· How do you view replication properties for AD partitions and DCs?

By using the replication tools:
Go to Start > Run > type repadmin (command-line tool)
Go to Start > Run > type replmon (graphical tool)
The Replmon graphical user interface (GUI) tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center.


· What is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
A global catalog is a domain controller that stores a copy of all Active Directory objects in a forest. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest, as shown in the following figure.




· How do you view all the GCs in the forest?
The Global Catalog check box in the NTDS Settings Properties dialog box in Active Directory Sites and Services shows whether a given DC is a GC.
DSQUERY server can be used to locate global catalogs.
To search the entire forest:
dsquery server -forest -isgc
To locate global catalogs in your current (logon) domain:
dsquery server -isgc
To locate global catalogs in a specific domain:
dsquery server -domain tech.cpandl.com -isgc
Here, you search for global catalog servers in the tech.cpandl.com domain.
You can also search for global catalog servers by site, but to do this you must know the full site name and cannot use wildcards. For example, to find all the global catalog servers for Default-First-Site-Name, you would have to type:
dsquery server -site Default-First-Site-Name -isgc
The resulting output is a list of DNs for global catalogs, such as
"CN=CORPSVR02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cpandl,DC=com"
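dsquery is answering this from the configuration partition, and you can ask the same question directly, which is handy on a machine without the dsquery tools or when you want the output as objects. The block below is an added example for this post (not Microsoft code): a DC's NTDS Settings object (objectClass nTDSDSA) has bit 1 set in its options attribute when the DC is a global catalog, and the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 lets the server test that bit in the filter. The optional site name, like dsquery's -site, must be the full site name. The ServerDN column is in the same form as the dsquery output quoted above.

```powershell
# Added example (not from the original post): enumerate global catalog servers
# straight from the configuration partition. A DC's NTDS Settings object
# (objectClass nTDSDSA) has bit 1 set in its options attribute when it is a GC;
# the LDAP bitwise-AND rule 1.2.840.113556.1.4.803 tests that bit on the server.
function Get-GlobalCatalogServer {
    param([string]$SiteName)   # optional; exact site name, no wildcards (as with dsquery)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $sitesDn  = 'CN=Sites,' + [string]$rootDse.configurationNamingContext
    $rootPath = if ($SiteName) { "LDAP://CN=$SiteName,$sitesDn" } else { "LDAP://$sitesDn" }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$rootPath)
    $searcher.Filter   = '(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))'
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($r in $searcher.FindAll()) {
        # DN: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
        $parts = ([string]$r.Properties['distinguishedname'][0]) -split ','
        [pscustomobject]@{
            Server   = $parts[1] -replace '^CN='
            Site     = $parts[3] -replace '^CN='
            ServerDN = $parts[1..($parts.Length - 1)] -join ','   # same DN form dsquery prints
        }
    }
}
Get-GlobalCatalogServer | Sort-Object Site, Server | Format-Table -AutoSize
```

Comparing this list with what you believe the GC placement should be is a cheap periodic check: every entry here holds a partial copy of every object in the forest, which is exactly the replication cost the next question is about.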

· Why not make all DCs in a large forest GCs?

The reason that all DCs are not GCs to start with is that in large (or even giant) forests every DC would have to hold a reference to every object in the entire forest, which could be quite large and quite a replication burden.

· Talk about GCs and Universal Groups.

Universal Groups

Universal groups allow users (and groups) from multiple domains to have membership in a single group that is available throughout the Active Directory forest. This is useful in a forest with multiple Active Directory domains to simplify resource access permissions. If users or groups from different domains need access to resources that are located in multiple domains, a universal group can be used to allow for that access.
· Describe the time synchronization mechanism in AD.

Time protocols determine how closely two computers’ clocks are synchronized. A time protocol is responsible for determining the best available time information and converging the clocks to ensure that a consistent time is maintained on separate systems.
The Windows Time service uses the Network Time Protocol (NTP) to help synchronize time across a network. NTP is an Internet time protocol that includes the discipline algorithms necessary for synchronizing clocks. NTP is a more accurate time protocol than the Simple Network Time Protocol (SNTP) that is used in some versions of Windows; however W32Time continues to support SNTP to enable backward compatibility with computers running SNTP-based time services, such as Windows 2000.

· What is ADSIEDIT? What is NETDOM? What is REPADMIN?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes of each object can be edited or deleted with this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following files are required to use this tool:
· ADSIEDIT.DLL
· ADSIEDIT.MSC
Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than with its command-line counterparts.

NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
REPADMIN is the command-line tool for checking and troubleshooting Active Directory replication between domain controllers.
· What is DCDIAG? When would you use it?
This command-line tool analyzes the state of one or all domain controllers in a forest and reports any problems to assist in troubleshooting. DCDiag.exe consists of a variety of tests that can be run individually or as part of a suite to verify domain controller health.
· What are sites? What are they used for?
Sites in Active Directory® represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology. You use Active Directory Sites and Services to define sites and site links. A site is a set of well-connected subnets. Sites differ from domains; sites represent the physical structure of your network, while domains represent the logical structure of your organization.


· What's the difference between a site link's schedule and interval?
The schedule lets you list the weekdays or hours when the site link is available for replication to happen in the given interval. The interval is the recurrence of intersite replication in minutes. It ranges from 15 to 10,080 minutes. The default interval is 180 minutes.

· What is the KCC?

The KCC is a built-in process that runs on all domain controllers. It is a dynamic-link library that modifies data in the local directory in response to systemwide changes, which are made known to the KCC by changes to the data within Active Directory. The KCC generates and maintains the replication topology for replication within sites and between sites.
The KCC has two major functions:
· Configures replication connections (connection objects) between domain controllers. Each connection object defines incoming replication from a replication partner. Within a site, each KCC generates its own connections. For replication between sites, a single KCC per site generates all connections between sites.
· Converts the connection objects that represent inbound replication to the local domain controller into the replication agreements that are actually used by the replication engine.
By default, the KCC reviews and makes modifications to the Active Directory replication topology every 15 minutes to ensure propagation of data, either directly or transitively, by creating and deleting connection objects as needed. The KCC recognizes changes that occur in the environment and ensures that domain controllers are not orphaned in the replication topology.

· What is the ISTG? Who has that role by default?

The Intersite Topology Generator (ISTG) is the domain controller responsible for the connections among the sites. By default, Windows 2003 forest-level functionality has this role. By default the first server has this role. If that server can no longer perform this role, the server with the next highest GUID takes over the role of ISTG.
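Rather than reasoning about which server was first, you can read which DC each site currently records as its ISTG. The block below is an added example for this post (not Microsoft code): every site has an NTDS Site Settings object whose interSiteTopologyGenerator attribute holds the DN of the ISTG's NTDS Settings object, and the parent RDN of that DN is the server name. It queries the logon forest under the current user's credentials.

```powershell
# Added example (not from the original post): read which DC each site records
# as its ISTG, from the interSiteTopologyGenerator attribute of the site's
# NTDS Site Settings object. Lets you verify the "first server in the site"
# statement above against what the directory actually holds.
function Get-SiteIstg {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $sites    = [ADSI]('LDAP://CN=Sites,' + [string]$rootDse.configurationNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($sites)
    $searcher.Filter = '(objectClass=nTDSSiteSettings)'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'interSiteTopologyGenerator'))

    foreach ($r in $searcher.FindAll()) {
        # DN: CN=NTDS Site Settings,CN=<site>,CN=Sites,...
        $site = (([string]$r.Properties['distinguishedname'][0]) -split ',')[1] -replace '^CN='
        $istgValues = $r.Properties['intersitetopologygenerator']
        $istg = if ($istgValues.Count -gt 0) {
            # value is the DN of the ISTG's NTDS Settings object; its parent RDN is the server
            (([string]$istgValues[0]) -split ',')[1] -replace '^CN='
        } else { '(none recorded)' }
        [pscustomobject]@{ Site = $site; ISTG = $istg }
    }
}
Get-SiteIstg | Format-Table -AutoSize
```

A site that reports no ISTG, or one whose ISTG is a DC you have decommissioned, is a site whose intersite connection objects are no longer being maintained, which usually surfaces later as stale replication.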

· What is GPO?
Group Policy is simply the easiest way to reach out and configure computer and user settings on networks based on Active Directory Domain Services (AD DS). If your business is not using Group Policy, you are missing a huge opportunity to reduce costs, control configurations, keep users productive and happy, and harden security. Think of Group Policy as “touch once, configure many.”



· Describe the way GPO is applied throughout the domain

Group Policy settings are processed in the following order:
  1. Local Group Policy object—Each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.
  2. Site—Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  3. Domain—Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
  4. Organizational units—GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

    At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

·                 What can you do to prevent inheritance from above?
If multiple GPOs attempt to set a setting to conflicting values, the GPO with the highest precedence sets the setting. GPO processing is based on a last-writer-wins model: GPOs that are processed later have precedence over GPOs that are processed earlier. Group Policy objects are processed in the following order:
  • The local Group Policy object (LGPO) is applied.
  • GPOs linked to sites.
  • GPOs linked to domains.
  • GPOs linked to organizational units. In the case of nested organizational units, GPOs associated with parent organizational units are processed prior to GPOs associated with child organizational units.
·                 How can you override blocking of inheritance?

To enforce the Group Policy settings in a specific GPO, you can specify the No Override option. If you specify this option, policy settings in GPOs that are in lower-level Active Directory containers cannot override the policy. For example, if you define a GPO at the domain level, and you specify the No Override option, the policies that the GPO contains apply to all organizational units in that domain. Lower-level organizational units will not override the policy applied at the domain level.
To block inheritance of Group Policy from parent Active Directory containers, you can specify the Block inheritance option. For example, if you specify the Block inheritance option for an organizational unit, it prevents the application of policy at that level from higher-level Active Directory containers such as a higher-level organizational unit or domain.
Be aware that the No Override option always takes precedence over the Block inheritance option.
A local GPO cannot specify the No Override or Block inheritance option.
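The processing order and the Block inheritance / No Override (Enforced) rules above, worked through as an added Python model; this is not code from the original post. GPO names, containers and settings are constructed sample data, and the way several enforced links rank against one another (a parent container's enforced link beats a child's) follows Windows behaviour that the text does not spell out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    link_order: int          # lowest link order is processed last, so it has highest precedence
    enforced: bool = False   # the link's "No Override" (Enforced) flag

@dataclass
class Container:             # a site, a domain or an OU on the object's path, top down
    links: list = field(default_factory=list)
    block_inheritance: bool = False   # hides every non-enforced GPO linked above this container

def processing_order(local_gpo, path):
    """GPO names in the order applied (local, site, domain, OUs); later entries win."""
    order = [local_gpo]      # the local GPO is processed first; it is not inherited, so never blocked
    enforced_by_level = []   # Enforced links are held back and applied after everything else
    deepest_block = max((i for i, c in enumerate(path) if c.block_inheritance), default=-1)
    for depth, container in enumerate(path):
        level_enforced = []
        for link in sorted(container.links, key=lambda lk: -lk.link_order):  # lowest link order last
            if link.enforced:
                level_enforced.append(link.gpo)
            elif depth >= deepest_block:    # not hidden by a deeper Block Inheritance
                order.append(link.gpo)
        enforced_by_level.append(level_enforced)
    # child level first, so a parent's enforced link is written last and beats a child's
    for level in reversed(enforced_by_level):
        order.extend(level)
    return order

def resolve(gpos, order):
    """Last writer wins: a GPO processed later overwrites values written earlier."""
    return {k: v for name in order for k, v in gpos[name].items()}

# Constructed sample data; GPO names and settings are illustrative, not real policy values.
GPOS = {
    "Local": {"screensaver_timeout": 600},
    "Site-Baseline": {"screensaver_timeout": 900, "audit_logon": "success"},
    "Domain-Security": {"audit_logon": "success,failure", "min_pwd_len": 12},
    "OU-Servers": {"min_pwd_len": 8, "rdp_enabled": True},
    "OU-WebServers": {"rdp_enabled": False, "screensaver_timeout": 300},
}
PATH = [  # site, domain, parent OU (with Block Inheritance), OU holding the computer
    Container([Link("Site-Baseline", 1)]),
    Container([Link("Domain-Security", 1, enforced=True)]),
    Container([Link("OU-Servers", 1)], block_inheritance=True),
    Container([Link("OU-WebServers", 1)]),
]
```

With this data the Site-Baseline GPO is dropped by the Block inheritance flag on the Servers OU, while the enforced Domain-Security GPO still lands last and overrides the OU's weaker password length.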


·                 Name some of the major changes in GPO in Windows Server 2008.
The following changes are available in Windows Server® 2008 R2 and in Windows® 7 with Remote Server Administration Tools (RSAT):
·                 What are ADM files? What replaced them in Windows Server 2008?

An ADM template is a file that is designed to be used within Group Policy to define a Registry setting and its value. There are 5 default ADM templates that come with Windows Server 2003 and XP, but these files can only handle so many Registry settings. If you want to have more Registry settings available in your GPO, you have the option of creating a custom ADM template.
·                 Since Windows Server 2008/Vista/7 do not use ADM templates, what would happen when you try to mix custom ADM templates and ADMX/ADML files?
The ADMX/ADML files will generate the default GPO settings that fall under Administrative Templates. The custom ADM templates that reside in the ADMs folder under the GPO's SYSVOL location will show up under the Classic Administrative Templates (ADM) folder, which is located under the Administrative Templates node in the GPO editor.
·                 What are GPO Preferences?

Open the GPMC. To open the GPMC, click Start, click Administrative Tools, and then click Group Policy Management.
In the GPMC console tree, expand Group Policy Objects in the forest and domain containing the GPO that you want to edit.
Right-click the GPO that you want to edit, and then click Edit.
In the console tree, expand Computer Configuration or User Configuration, expand Preferences, and then expand or click items as needed. Click an item in the console tree to view the associated settings in the details pane.