I review for BookLook Bloggers

Thursday, February 26, 2015

VMware Virtual SAN VSAN Fundamentals

VMware Virtual SAN VSAN Fundamentals

VMware Virtual SAN VSAN Fundamentals

How can I check a system's current NTP configuration?

In the command line, type
w32tm /query /configuration
w32tm /query /status
Time /T 
w32tm /query /configuration gives you the configuration you have set up.
w32tm /query /status gives you information such as:
  • stratum
  • leap indicator
  • precision
  • last sync
  • NTP server
  • poll interval
time /T outputs the current system time.
Note: w32tm /query was first made available in the Windows Time client versions of Windows Vista, and Windows Server 2008. See Windows Time Service Tools and Settings

Locking Down Windows Server 2008 Terminal Services

Introduction

Some of the greatest enhancements to Terminal Services in its Windows Server 2008 implementation pertain to its overall security. Being one of the most prolifically used forms of remote server access by both administrators and users alike, this is not too much of a surprise and is greatly welcomed. In this article we will go through several things you can do to make your Terminal Server environment more secure.
Advertisement

Using Two-Factor Authentication

Do you remember watching the Little Rascal’s when you were growing up? If so, then you remember that every time someone wanted to walk into a He-Man Woman Hater’s club meeting, they first had to give a special knock on the door, followed by presenting the super secret official club handshake. Even a group of rambunctious seven year olds knew the importance of having two forms of authentication, so it makes that much more sense that we would want to do the same when thinking about network security.
There are several different forms of two factor authentication available, but the most common that is supported by Terminal Services is the use of Smart Cards. In using a smart card, a user not only has to provide valid logon credentials, but they must also be able to physically connect the smart card to the device they are using as a remote terminal.
In order to require smart card authentication, you must create a Group Policy Object that can be applied to your Terminal Server. In the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and enable the Interactive Logon: Require Smart Card setting. Also, you will need to enable Smart Cards to be redirected to the Terminal Server by placing a check in the Smart Cards checkbox on the Local Resources tab of the Remote Desktop Connection client on user workstations.

Figure 1

Enforce Network Level Authentication for All Clients

In previous implementations of Terminal Services authentication to the server was achieved by connecting to a session on the server and entering login credentials into the Windows Server logon screen. This may seem fairly trivial, but from a security perspective being able to achieve a session logon screen can disclose information about our network (domain name, computer name) or leave our server vulnerable to a denial of service attack to anybody who happens to have that servers’ public IP address.
Network Level Authentication (NLA) is a feature introduced in version 6.0 of the Remote Desktop Connection Client which allows a user to enter their logon credentials prior to being displayed a Windows Server logon screen. Windows Server 2008 allows us to utilize this ability and require all connecting clients to use it.

Figure 2
In order to use NLA, you must be using a Windows 2008 Server, and your connecting clients must support CredSSP (Windows XP SP3, Windows Vista, Windows 7) as well as be running Remote Desktop Connection 6.0 or higher.  You can configure your Terminal Server to require its clients to use NLA in a few different locations:
  • During the initial Terminal Services role installation process, when you are presented with the Specify Authentication Method for Terminal Server screen, select the Allow connections only from computers running Remote Desktop with Network Level Authentication option.
  • Access the Terminal Services Configuration MMC Snap-In, right click the terminal server connection being used by your clients and select properties, and select the Allow connections only from computers running Remote Desktop with Network Level Authentication option.
  • Create a Group Policy Object, browse to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security, enable the Require user authentication for remote connections by using Network Level Authentication setting, and apply it to an OU containing the terminal server.

Change the Default RDP Port

By default, a Terminal Server uses port 3389 for RDP traffic. By default, every single competent hacker in the world knows that a Terminal Server uses port 3389 for RDP traffic. That being the case, one of the quickest changes you can make to your terminal server environment to detour potential intruders is to change this default port assignment.
In order to change the default RDP port for a Terminal Server, open regedit and browse toHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Locate the PortNumber key and replace the hex value 00000D3D (which is equivalent to 3389) to the appropriate hex value for the port you wish to use.
Alternatively, you can change the port number used by your Terminal Server on a per connection basis. While still using regedit, browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\connection name. Again, locate the PortNumber key and replace the hex value in place with the value you wish to use.
Keep in mind that when changing this setting on your server, all connecting clients will need to be sure they are connecting to the Terminal Server with the new port extension tagged on to the servers IP address. For example, connecting to a Terminal Server with an internal IP address of 192.168.0.1 which is now using the non-standard port 8888 would require a user to enter 192.168.0.1:8888 into the Remote Desktop Connection client.

Figure 3

Use Easy Print and Limiting Redirected Printers

Printing from devices locally attached to client workstations has always been a downfall of Terminal Services prior to Windows Server 2008. In order to do this, you had to ensure the exact same version of the printers’ driver was installed on both the client and server, and even then this didn’t always work. From a security standpoint, we never want to install any more drivers to our system than we absolutely have to. Each driver installed to the server has the potential to broaden its attack surface.
Windows Server 2008 has introduced a feature called Easy Print which radically changes the way locally-attached printers are handled. In essence, TS Easy Print is a driver that serves as a proxy that all print data is redirected through. When a client prints to a device using the Easy Print driver, the data and print settings are converted to a universal format that is sent to the Terminal Server for processing. In doing this, after clicking print the print dialog box is launched from the client and not in the terminal session. This means that no drivers have to be installed to the Terminal Server in order to process print jobs from locally-attached print devices.
In order to configure Easy Print you will need to ensure that all locally-attached print devices have logical printers configured on the client workstations that are set to use the Easy Print driver. The Easy Print feature is supported by all Windows XP SP3, Windows Vista, and Windows 7 clients running Remote Desktop Connection 6.1 or later, and .NET Framework 3 SP1.

Figure 4
Once you have configured the locally-attached devices at the workstation level, it is a good idea to ensure that it is the only printer being redirected to the Terminal Server is the printer using TS Easy Print, which should be set as the default printer. You can do this by creating a Group Policy Object and browsing to Computer Configuration\ Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection, and enabling the Redirect only the default client printer option.

Limit Users Accounts

If you hire someone to plow your fields then typically all you need to do is give that person the keys to the tractor… not the keys to the combine, the barn, and the four-wheel drive. That is not just because they don’t need a combine to do the task at hand, but because you don’t really want to see your brand new John Deere turn up missing or find it in a ditch. Using that same train of thought, we have to keep in mind that when a user is connecting to and working directly from a server they may inherently have access to several things they don’t need, and in order to create a more secure environment we need to limit this. This not only protects against a users’ credentials being compromised, but also protects against a legitimate user with illegitimate intentions. A couple of things we can do include:

Use Specific Accounts for Terminal Users

It is not uncommon for a user to work locally with certain applications and then access a Terminal Server for access to other applications. Using the same user account for both local and terminal access is easier from a management standpoint, but it also makes things easier from the viewpoint of an attacker who simply has to compromise one set of credentials to access a multitude of applications. Creating a separate user account for Terminal Server access and limiting its permission set to only the necessary applications will greatly mitigate the impact of this type of compromise.

Use Software Restriction Policies

Software Restriction Policies are by no means a new development, but they are something I find drastically underutilized. Software Restriction Policies can be configured to allow or deny the use of certain applications and are commonly used in public computer or kiosk environments, although they are great in Terminal Server environments as well.
Creating Software Restriction Policies is a bit beyond the scope of this article, but you can read more about it atMicrosoft TechNet.

Monitor User Access to Terminal Servers with Group

By default, only members of a Terminal Servers Remote Desktop Users group (and Domain/Local Administrators) can log on to that Terminal Server. It is highly recommended that you document and regularly audit the members of this group. If a user doesn’t NEED to log in to a Terminal Server, then remove them from the Remote Desktop Users group.

Configure Additional Security with Group Policy

A great deal of security enhancements for Terminal Server environments are available through Group Policy. Here are a few of my favorites:

1.  Restrict Terminal Services Users to a Single Remote Session

In most cases there is no need for a single user to initiate multiple sessions on a Terminal Server. Allowing this can result in an environment that is vulnerable to a denial of service attack should a users credentials be compromised. You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections within your GPO.

2. Do Not Allow Drive Redirection

Unless you have a specific need for it, allowing a user to access local drives from a Terminal Server session can create a very unsecure channel of communications. With this ability, not only can a user copy data to a Terminal Server, but that data may be of a malicious nature and could possibly even be executed on the server.
You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection within your GPO.

3. Set Time Limit for Disconnected Sessions

In general, it’s not a good idea for a user to exit a session without fully logging off. Should someone gain control of this session they may walk right into a piece of sensitive data or find themselves already authenticated to another network application. A great way to combat this is to set a very low time limit for disconnected sessions. Once this time limit is reached the session will be terminated.
You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits within your GPO.

4. Disable Microsoft Windows Installer

Simply put, only administrators should be installing applications to a Terminal Server. In most cases users would not be able to install applications in the first place since they should not be logging on with administrative access. However, if certain users are required to have elevated priveleges, you can limit their ability to install some programs by disabling the Microsoft Windows Installer.
You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Windows Installer within your GPO. It is important that you configure this setting to Enabled rather than Always. Doing this ensures that you can still publish applications to the Terminal Server via Group Policy. Using the Always option prohibits this from occurring.

5. Folder Redirection

If I had a dollar for every time I’ve logged into a Terminal Server and found sensitive or mission critical data sitting on a users local desktop I would be sitting on a beach somewhere writing this article rather than in my office. Even though as network administrators we provide multiple public and private locations for data storage, some users cannot resist the impulse and convenience of storing data on their desktop. As an alternative to sending our network users to the stockades (tempting isn’t it?), we can simply trick them by redirecting their Desktop to an appropriate storage location on a file server.
You can configure this setting by browsing to User Configuration\Windows Settings\Folder Redirection within your GPO. The user desktop is by no means the only folder that we can redirect, and I recommend looking through all of the available to folders and redirecting whatever you think is appropriate for your environment.

6. Prohibit Access to the Control Panel

Just as with the Microsoft Installer, users should not have access to this in general. However, if you do have users who require administrative privileges then you can limit their access to the system control panel by configuring this setting.
You can configure this setting by browsing to User Configuration\Administrative Templates\Control Panel within your GPO.

Enable Auditing

When I was in college we had the “benefit” of a communal refrigerator. Most of the dorm’s tenants respected the golden rule of not eating food that was not yours, but I fondly remember an occasion during my freshman year where food started turning up missing. This went on for quite a while and there was not really a lot we could do in terms of preventing this from happening while still using the service. That being the case, a few of us decided to take a more passive approach to solving this security issue by putting a freshly baked batch of brownies in the communal fridge. Sure enough, we found the culprit by keeping an eye on who spent the majority of the next day in the bathroom. I guess that laxative brownie recipe did come in handy.
The point of that story is that in a lot of situations, we aren’t going to be able to prevent a security breach, but with an effective audit strategy in place we can find out when the breach occurred, how it occurred, and sometimes even who did it. It’s important that we select the appropriate items to audit on our Terminal Server so that we get the information we need without being overloaded with too much information. Microsoft recommends the following auditing settings:
  • Audit Account Logon Events - No Auditing
  • Audit Account Management - Audit Success and Failure
  • Audit Directory Services Access - No Auditing
  • Audit Logon Events - Audit Success and Failure
  • Audit Object Access - Audit Failure
  • Audit Policy Change - Audit Success and Failure
  • Audit Privilege Use - Audit Failure
  • Audit Process Tracking - Audit Failure
  • Audit System Events - Audit Success and Failure
Along with this, you can also use Connection Auditing within Terminal Services. This allows you to audit several Terminal Server specific items. In order to view and configure these settings open the Terminal Services Configuration snap-in, right-click the connection you wish to enable auditing for and click Properties. Go to the Security tab, click Advanced, and type the user name of the account you wish to enable auditing for. At this point you can select one of the listed options.

Figure 5

Conclusion

This article is by no means all inclusive guide for everything you need to know about Terminal Server security, but it does encompass several of the big things you need to do and a lot of things I often see overlooked. Terminal Services has come a long way since its original inception and where as security was once thought of as a weak point, this is no longer the case when the proper configuration changes are made.

MacEnterprise: Packaging for Distribution


Building Installer packages for software distribution

by Greg Neagle, MacEnterprise.org

Packing things up

Previously in MacTech, we looked at modifying Firefox in order to implement custom default preferences. This involved modifying several files inside the application bundle. If you made similar modifications for your environment, you'd then be faced with the next task: distributing the modified application to all your managed machines.
There are many ways to distribute software to Mac OS X machines, but most commercial products - Apple's and third-parties' - rely on Apple Installer packages to install and update software. This can be a convenient approach when the software you want to distribute is already packaged in that format, but you'll find there are several situations in which you need to create your own Installer packages:
1. The software is not distributed in Apple package format by the vendor, and your software distribution mechanism does not support the alternate format.
2. The vendor uses the Apple package format but the package will not install without user input - or, stated a different way, the package cannot be installed "silently".
3. You need to make changes in the files that are distributed, or distribute additional files.
4. You have internally-developed software that must be distributed. If you're lucky, your internal developer will package it for you. If you're not lucky, or you are the developer, then you need to do it.
Therefore, packaging software for distribution is a common task for OS X administrators. Fortunately, there are a lot of available tools to help you with this task.

Packaging Tools

A partial and by no means complete list of packaging and related tools for OS X in no particular order:
PackageMaker
This is Apple's utility for creating packages. It is available as part of the Xcode Tools, and also included with the Server Admin Tools. It can create every package format supported by Apple: old-style bundle packages, new-style flat packages, metapackages, distribution packages, and hybrid packages that work on multiple OS versions. The link above is for the 10.5.5 release of the Server Admin Tools; there may well be a newer release by the time this article reaches print.
Pros: PackageMaker is a supported Apple tool and is free. Many of the other tools rely on PackageMaker for at least some of their functionality.
Cons: It's hard to use, and had a history of buggy releases.
Iceberg
Iceberg is freeware by Stéphan Sudre, licensed with a BSD-style license. Capable and well-documented, Iceberg is very popular among Mac OS X administrators. It can create packages and metapackages, but not the newer distribution packages and flat packages.
Pros: Easy to use and free. It supports creation of packages from filesystem snapshots, as well as manual assembly of package contents.
Cons: Iceberg's installer installs a StartupItem that launches an always-on background task. This makes some admins uncomfortable.
LANrev InstallEase
LANrev, the maker of a cross-platform system management tool, recently made their InstallEase package creation utility freely available.
Pros: Ease of use, the ability to export Iceberg project files, and the creation of "uninstall" packages - packages that will uninstall software installed by another package. Creation of packages from filesystem snapshots.
Cons: It does not work standalone. To actually create packages, you must have Apple's PackageMaker and/or Iceberg installed as well.
Casper Composer SE
Composer is a $100 utility from JAMF Software. Part of the Casper Suite of OS X client management tools, Composer is also available separately. Casper Composer creates packages based on filesystem snapshots. When used with the Casper suite, it can create installation packages with extra abilities such as installing default preferences into users' home directories.
Pros: Easy to use. Good documentation.
Cons: It's not free. Casper Composer requires Apple's PackageMaker to build standard Apple packages. Composer's special package features work only with other tools in the Casper Suite.
Helpful tools:
logGen
logGen is freeware from the University of Michigan, by Phil Holland and Dave Pugh. It is a command-line utility for finding filesystem changes. You could use it as part of a package creation workflow together with pkgGen (described below) and PackageMaker.
pkgGen
This is a script by Zack Smith that parses the output of logGen and creates a "fauxroot" directory containing all the files and directories found by logGen. This fauxroot directory can then be used by PackageMaker or Iceberg to create an Installer package. The workflow would look something like:
  • Run logGen to create a "before" snapshot.
  • Install and configure software.
  • Run logGen to create an "after" snapshot and differences list.
  • Edit the differences list to remove unwanted items.
  • Run pkgGen with the edited difference list to create a fauxroot directory with copies of all needed files and directories.
  • Run PackageMaker and use the fauxroot directory to create your package.

Example Packaging Workflow

Let's use one of the tools to build an installation package for our modified Firefox. I'll use LANrev InstallEase for this example.
We'll start by assuming you already have an appropriately modified version of Firefox on your system, and have downloaded and activated a copy of InstallEase from LANrev's website.
Launch InstallEase.

Click Start to begin. You may optionally check No longer show this screen to skip the introduction in the future.

Since the Firefox application is self-contained within its own application bundle, we can save a bunch of time and create the package manually. You can do this any time you already know which files and folders you need. Select Manually and click Continue.

Ignore the confusing messages about snapshots; by choosing to create a package manually, you skipped the snapshot process. You are now looking at an empty package. Add the Firefox application to the package by simply dragging it in from the Finder:

After dropping Firefox into InstallEase's window, it should look like this:

You can examine the contents of the Firefox app bundle if you'd like, and make changes to the owner, group, and permissions of all the included files and folders if you wish. When you are satisfied, click Continue.

You have several options, and they are not exclusive - you can select as many as you want.
  • Apple Installer (.pkg): This is the default. You'll need Apple's PackageMaker utility installed to use this.
  • Uninstaller package for Apple Installer (.pkg): this is an interesting feature of InstallEase. It uses the installation package information to create a special package that contains a post-install script that removes the files and folders defined in the package. You can then use any software distribution system that relies on Apple's Installer (or command-line installer tool) to remove software as well.
  • Iceberg project (.packproj): Creates a project file for use with Iceberg. This allows you to use Iceberg to edit package options before creating the actual package.
  • Disk image with added files and folders (.dmg): this is mostly useful for use with LANrev's other tools - it creates a disk image that simply contains all the files and folders you've added to the package.
For this sample workflow, all we need and want is a standard Apple Installer package, so click Create.... You'll be asked where to save the package and for a filename. In most cases, you'll be asked to authenticate as an administrator. After a few moments, you should see something like this:

You are done with this simple example and now have a package that will install your custom version of Firefox.
Note that you had no chance to specify any package options, like whether or not the package requires a restart or if the package can be installed only on the startup disk. If you need to specify additional options, you are probably better off saving an Iceberg project and finishing your editing in Iceberg before creating the final package.

Another Example

Let's do a slightly more complicated example, this time using filesystem snapshots. Again we'll use InstallEase, but the process is similar in Iceberg and Casper Composer.
Launch InstallEase and select Automatically as the package creation method.

Click Continue.

Choose the source for the snapshot. In almost every case it will be the startup disk. In this example, the startup disk is named "Leopard". InstallEase by default ignores a lot of items on the disk when making snapshots to reduce the number of false positives. You can view and edit the list of excluded items by clicking the Adjust File Filter... button.

For this example, we'll leave everything at the default settings. Click OK to dismiss the exclusion editor, and click Take Snapshot to start the "before" snapshot.

You'll wait several minutes as InstallEase scans the disk and records information about exisiting filesystem items. Note that it was scanning my FileVault-protected home directory at the moment I took the screenshot. More on that in a bit. When it's done scanning the disk, you'll see this:

Now it's time to install your software. For this example, we'll install TextWrangler 2.3. Normally this is a drag-and-drop install, and so would need to be repackaged to be able to be pushed out with ARD or most other installation methods.

Download the TextWrangler 2.3 disk image from Bare Bones' website and open the disk image. Install the app by dragging it to the Applications folder, authenticating as an admin when requested.
If you were to package TextWrangler now, you'd have a working application, but you'd be missing the command line tools that come with the application. Worse, when your users launched TextWrangler for the first time, they'd be asked for an admin password in order to install the command line tools. To prevent that, we'll do it in advance and add it to the installation package. Launch /Applications/TextWrangler.app, and you should see this:

Authenticate as an administrator, then quit TextWrangler. Now we can return to InstallEase and click Take Snapshot. After InstallEase scans the disk for changes, you should see something like this:

I've turned down most of the disclosure triangles so you can see what InstallEase has found. Note that it found not only the main TextWrangler application in the Applications folder, but found the command line tool (/usr/bin/edit) and its man page. Without a snapshot utility, it might have been difficult to determine what items were actually installed when the command line tools were added.
We'll want to make a few changes before proceeding. First, InstallEase found changes in my home directory. Unfortunately, since I have a FileVault protected home directory, all it found was a changed "gneagle.sparseimage", so I don't know exactly what changed, but I'm fairly certain I don't care, so I'm going to remove /Users and everything below it.
You may be tempted to edit the exclusion list to always exclude /Users. Resist that temptation. Some software installs items in /Users/Shared which you'll want to capture. Also, it might be useful to see what files are created in a user's home directory on the first launch of an application. (In which case, using an account with a FileVault-protected home directory to install that software is probably a bad idea.) You probably won't want to include user files in an installation package, but you may need to manage them some other way or at least be aware of them.
There's another change to make before we build the package. Note that the TextWrangler application is owned by gneagle. That won't prevent TextWrangler for working on other systems, but it really would be better if we set the ownership to root or a local admin account to match other installed applications.

Here are the changes completed: the /Users folder and its contents have been removed, and the ownership of TextWrangler has been changed to root. Note that TextWrangler is actually an application bundle, so you actually have to expand the contents and change the ownership of every included item individually, which quickly gets tedious. Unfortunately, there seems to be no easy way to propagate changes recursively. We can now click Continue and choose our package formats and create the package just like in the first example.

Packing it in

No matter what tool you use, the basic concepts behind creating installation packages for OS X are the same. Different tools have different options and abilities - you may need to experiment with a few to find the ones that meet your needs.


Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached atgregneagle@mac.com.

Wintel Interview Questions and Answers

1) Differences b/w Conditional Forwarding and Stub Zones.

Ans:- Both do the same thing like forwarding the requests to appropriate name servers who are authoritative for the domains in the queries. However, there is difference in both, Stub Zone are Dynamic and Conditional forwarder are static.
Conditional Forwarding –   Where you want DNS clients in separate networks to resolve each others’ names without having to query DNS servers on the Internet, such as in the case of a company merger, you should configure the DNS servers in each network to forward queries for names in the other network. DNS servers in one network will forward names for clients in the other network to a specific DNS server that will build up a large cache of information about the other network. When forwarding in this way, you create a direct point of contact between two networks’ DNS servers, reducing the need for recursion.
Stub Zone- Stub-Zones are dynamic -A stub zone is like a secondary zone in that it obtains its resource records from other name servers (one or more master name servers). A stub zone is also read-only like a secondary zone, so administrators can’t manually add, remove, or modify resource records on it. But the differences end here, as stub zones are quite different from secondary zones in a couple of significant ways.First, while secondary zones contain copies of all the resource records in the corresponding zone on the master name server, stub zones contain only three kinds of resource records:
  • A copy of the SOA record for the zone.
  • Copies of NS records for all name servers authoritative for the zone.
  • Copies of A records for all name servers authoritative for the zone.
2) How AD Replication Works ?
3) How DNS is important in AD replication?
Ans:- Once DC gets its replication Partner Hostname then it queries DNS for IP Address. Also, _MSDCS zone is required for Domain Controller Locator that enables the client to locate the DC.
For complete details
4) Ports Required for Domain Controllers to communicate.
5) What is GPT and GPC?
Ans:- A GPO (Group Policy Object) is a collection of Group Policy settings, it consists of GPC and GPT.
GPC (Group Policy Container) contains the information of property of GPO like Security Filtering, GPO Status, GPO GUID etc.
GPT (Group Policy Template) contains the data of GPO in Sysvol folder that can be checked after the configuration of the GPO that what settings have been configured to the client.
6) What is new in Microsoft Clustering 2008?
7)  What is Majority Node Set?
Ans:- A majority node set is a single quorum resource, from a server cluster perspective; however, the data is actually stored on multiple disks across the cluster. Each cluster node stores the configuration on a local disk it can have access to when it starts up. By default, the location is pointed to %systemroot%\cluster\ResourceGUID
If the configuration of the cluster changes, that change is replicated across the different disks
8) What is NLB?
Ans:- NLB (Network Load Balance)  is a Microsoft implementation of clustering and load balancing that is intended to provide high availability and high reliability, as well as high scalability.
9) Difference Between Unicast and Multicast
Ans:-

Unicast

Unicast is a one-to one connection between the client and the server. Unicast uses IP delivery methods such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), which are session-based protocols. When a Windows Media Player client connects using unicast to a Windows Media server, that client has a direct relationship to the server. Each unicast client that connects to the server takes up additional bandwidth. For example, if you have 10 clients all playing 100-kilobits per second (Kbps) streams, those clients as a group are taking up 1,000 Kbps. If you have only one client playing the 100 Kbps stream, only 100 Kbps is being used.

Multicast

Multicast is a true broadcast. The multicast source relies on multicast-enabled routers to forward the packets to all client subnets that have clients listening. There is no direct relationship between the clients and Windows Media server. The Windows Media server generates an .nsc (NetShow channel) file when the multicast station is first created. Typically, the .nsc file is delivered to the client from a Web server. This file contains information that the Windows Media Player needs to listen for the multicast. This is similar to tuning into a station on a radio. Each client that listens to the multicast adds no additional overhead on the server. In fact, the server sends out only one stream per multicast station. The same load is experienced on the server whether only one client or 1,000 clients are listening
10) What is new in Windows 2008 AD?
Ans:-
Read-Only Domain Controllers
Fine-Grained Password Policies
Restartable Active Directory Service
Backup and Recovery
SYSVOL Replication with DFS-R
Auditing Improvements
UI Improvements
11) How to configure RODC to replicate password of users?
Ans:- You can add users in the PASSWORD REPLICATION POLICY tab of RODC computer properties
12) What is the issue we face while recovering AD from VMware snapshot?
13) Difference between Authoritative and Non-authoritative restore in AD?
14) What is new in Authoritative restoration in windows 2008?
15)  What is new in Windows Cluster 2008?
16) What is Strict Replication?
Ans:-
Strict Replication is a mechanism developed by Microsoft developers for Active Directory Replication. If a domain controller has the Strict Replication enabled then that domain controller will not get “Lingering Objects” from a domain controller which was isolated for more than the TombStone Life Time. TSL is 180 days by default on a Forest created with Windows Server 2003 SP1. A domain controller shouldn’t be outof sync for more than this period. Lingering Objects may appear on other domain controllers if replication happens with the outdated domain controllers. These domain controllers will not replicate with the outdated domain controllers if you have set the below mentioned registry key.You must set the following registry setting on all the domain controllers to enable the Strict Replication:
  •   KEY Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  •   Registry Entry: Strict Replication Consistency
  •   Value: 1 (enabled), 0 (disabled)
  •   Type: REG_DWORD
17) What is Super Scope in DHCP?
Ans:-
superscope is an administrative feature of Dynamic Host Configuration Protocol (DHCP) servers running Windows Server 2008 that you can create and manage by using the DHCP Microsoft Management Console (MMC) snap-in. By using a superscope, you can group multiple scopes as a single administrative entity. With this feature, a DHCP server can:
  • Support DHCP clients on a single physical network segment (such as a single Ethernet LAN segment) where multiple logical IP networks are used. When more than one logical IP network is used on each physical subnet or network, such configurations are often called multinets.
  • Support remote DHCP clients located on the far side of DHCP and BOOTP relay agents (where the network on the far side of the relay agent uses multinets).
In multinet configurations, you can use DHCP superscopes to group and activate individual scope ranges of IP addresses used on your network. In this way, the DHCP server can activate and provide leases from more than one scope to clients on a single physical network.
Superscopes can resolve specific types of DHCP deployment issues for multinets, including situations in which:
  • The available address pool for a currently active scope is nearly depleted, and more computers need to be added to the network. The original scope includes the full addressable range for a single IP network of a specified address class. You need to use another range of IP addresses to extend the address space for the same physical network segment.
  • Clients must be migrated over time to a new scope (such as to renumber the current IP network from an address range used in an existing active scope to a new scope that contains another range of IP addresses).
  • You want to use two DHCP servers on the same physical network segment to manage separate logical IP networks.
18) What is the requirement to configure Full memory Dump in windows?
Ans:-
To generate a complete memory dump file:
  1. Click Start > right-click Computer and select Properties in the menu.
  2. Click Advanced > Settings > Startup and Recovery > Settings > Write debugging information > Complete memory dump.
  3. Click OK twice.
19) Which DNS record is required for Replication?
Ans:- Host A records of replication partners (Domain Controllers), Srv Records to find out the Domain Controllers  GUID in _msdcs zone (DC Locator)
20) Tools to analyze Memory Dump?
Ans:-
Windows Debugger (WinDbg.exe) tool
Dumpchk,exe
21) Tools to troubleshoot Group Policy issues?
Ans:- You can use AD inbuilt features to troubleshoot group policy issue like RSOP.msc or can run RSOP by selecting users in Active Directory users and computers, gpresult -v, gpt.ini in sysvol under Group Policy GUID folder can be checked to find out the GPO settings configured
22) What AD parameters can be added to enable the Monitoring for AD?
23) How to troubleshoot AD replication issues?
Ans:- It can be troubleshooted by repmon command that generates the error result in eventvwr. DNS can be checked between two destination. Network/Firewall issue
24) Booting sequence in windows 2008?
Here’s the brief description of Windows Server 2008 Boot process.
  1. System is powered on
  2. The CMOS loads the BIOS and then runs POST
  3. Looks for the MBR on the bootable device
  4. Through the MBR the boot sector is located and the BOOTMGR is loaded
  5. BOOTMGR looks for active partition
  6. BOOTMGR reads the BCD file from the \boot directory on the active partition
  7. The BCD (boot configuration database) contains various configuration parameters( this information was previously stored in the boot.ini)
  8. BOOTMGR transfer control to the Windows Loader (winload.exe) or winresume.exe in case the system was hibernated.
  9. Winloader loads drivers that are set to start at boot and then transfers the control to the windows kernel.

25) How to edit Schema in AD?
Ans:- Firstly, schmmgmt.dll has to be register. Then ADSIEdit tool can be used to edit schema.
26) Difference between Windows 2003 & Windows 2008 boot process
Ans:-
Windows 2003 Boot Process:
1.POST
2.The MBR reads the boot sector which is the first sector of the active partition.
3.Ntldr looks path of os from boot.ini
4.Ntldr to run ntdedetect.com to get information about installed hardware.
5.Ntldr reads the registry files then select a hardware profile, control set and loads device
drivers.
6.After that Ntoskrnl.exe takes over and starts winlogon.exe which starts lsass.exe
Windows Server 2008 Boot process.
  1. System is powered on
  2. The CMOS loads the BIOS and then runs POST
  3. Looks for the MBR on the bootable device
  4. Through the MBR the boot sector is located and the BOOTMGR is loaded
  5. BOOTMGR looks for active partition
  6. BOOTMGR reads the BCD file from the \boot directory on the active partition
  7. The BCD (boot configuration database) contains various configuration parameters( this information was previously stored in the boot.ini)
  8. BOOTMGR transfer control to the Windows Loader (winload.exe) or winresume.exe in case the system was hibernated.
  9. Winloader loads drivers that are set to start at boot and then transfers the control to the windows kernel.

27) Name of utilities that is being used to check multipathing
Ans:- FCInfo utility or Storage Explorer (windows 2008) can be used to check the same.
28) How to create Host A record remotely?
Ans:-  dnscmd command can be used for creating a Resource Record on DNS server. Below is the command:
dnscmd [<ServerName>] /recordadd <ZoneName> <NodeName> <RRType> <RRData>
29) What is glue record?
Ans:-
Name servers in delegations are identified by name, rather than by IP address. This means that a resolving name server must issue another DNS request to find out the IP address of the server to which it has been referred. If the name given in the delegation is a subdomain of the domain for which the delegation is being provided, there is a circular dependency. In this case the name server providing the delegation must also provide one or more IP addresses for the authoritative name server mentioned in the delegation. This information is called glue. The delegating name server provides this glue in the form of records in the additional section of the DNS response, and provides the delegation in the answer section of the response.
For example, if the authoritative name server for example.org is ns1.example.org, a computer trying to resolve www.example.org first resolves ns1.example.org. Since ns1 is contained in example.org, this requires resolving example.org first, which presents a circular dependency. To break the dependency, the name server for the top level domain org includes glue along with the delegation for example.org. The glue records are address records that provide IP addresses for ns1.example.org. The resolver uses one or more of these IP addresses to query one of the domain’s authoritative servers, which allows it to complete the DNS query.
30) What is Loopback Group Policy?
Ans:- Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.
31) Difference between Windows 2003 and Windows 2008
32) TCP/UDP ports used in Windows?
33) Types of RAID