What are the logical Active Directory partitions? (Logical partitions of ntds.dit)

The information stored in the directory (in the Ntds.dit file) is logically partitioned into four categories:

  • Schema partition
  • Configuration partition
  • Domain partition
  • Application Directory partition

Mnemonic – SCDA
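As an added example (not part of the original notes), the script below enumerates all four partition categories on the domain controller you are connected to. It assumes the RSAT ActiveDirectory PowerShell module and an ordinary domain user account; the Schema, Configuration and Domain partitions come from the RootDSE naming-context attributes, and the Application Directory partitions from the forest object.

```powershell
# Added example (not from the original notes): list the four kinds of directory
# partition held in ntds.dit. Assumes the RSAT ActiveDirectory module is
# installed and you are running as a domain user.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest

# Schema, Configuration and Domain partitions are advertised directly by RootDSE
$partitions = [ordered]@{
    'Schema'        = $rootDse.schemaNamingContext
    'Configuration' = $rootDse.configurationNamingContext
    'Domain'        = $rootDse.defaultNamingContext
}
$partitions.GetEnumerator() | ForEach-Object { '{0,-14} {1}' -f $_.Key, $_.Value }

# Application directory partitions (for example DomainDnsZones / ForestDnsZones)
# are listed on the forest object
'Application partitions:'
$forest.ApplicationPartitions | ForEach-Object { "  $_" }

# Cross-check: every naming context RootDSE advertises should fall into one of
# the four categories (S, C, D, A); anything left over deserves a closer look.
$known = @($partitions.Values) + @($forest.ApplicationPartitions)
$rootDse.namingContexts |
    Where-Object { $known -notcontains $_ } |
    ForEach-Object { "Unclassified naming context: $_" }
```

On a default domain the cross-check prints nothing; the domain naming context plus DomainDnsZones and ForestDnsZones account for the RootDSE list, and the schema and configuration partitions are the same on every DC in the forest.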


What are DC roles?

Domain Controller Roles

  • Global Catalog Server
  • Single Master Operations

Global Catalog Server – A global catalog server is a DC that stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.

The global catalog performs three key functions:

  1. It enables users to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
  2. It enables finding directory information regardless of which domain in the forest actually contains the data.
  3. It resolves UPNs when the authenticating domain controller does not have knowledge of the account.

Single Master Operations

Every Active Directory forest must have domain controllers that fulfill two of the five single master operations roles. The forest-wide roles are:

  • Schema master
  • Domain naming master

Every Active Directory domain must have domain controllers that fulfill three of the five single master operations roles. The domain-wide roles are:

  • Relative identifier (RID) master
  • Primary domain controller (PDC) emulator
  • Infrastructure master

Ports required:

  Global Catalog Server   3268 (TCP), 3269 (TCP)
  LDAP                    389 (TCP and UDP)
  Kerberos                88 (UDP)
  RPC                     135 (TCP)


Schema Master – controls all updates and modifications to the schema. To update the schema of a forest, you must be a member of the Schema Admins group, and you must enable the schema to be modified in the schema console.

Domain Naming Master – controls the addition or removal of domains in the forest.

RID Master – allocates sequences of RIDs to each of the various domain controllers in its domain. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security identifier (SID). The SID consists of a domain SID that is the same for all SIDs that are created in the domain and a RID that is unique for each SID that is created in the domain.

PDC Emulator – In a Windows Server 2003 domain in native mode, the PDC emulator receives preferential replication of password changes that are performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller because of a bad password, that domain controller will forward the authentication request to the PDC emulator before it rejects the logon request.

Infrastructure Master – is responsible for updating the group-to-user references whenever group memberships are changed.

If modifications to user accounts and group memberships are made in different domains, there is a delay between the time that you rename a user account and the time when a group that contains that user will display the new name of the user account. The infrastructure master of the group’s domain is responsible for this update; it distributes the update through multimaster replication.
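As an added example covering the global catalog and single master operations sections above (not part of the original notes), the script below lists the five FSMO role holders and the global catalog servers, probes the TCP ports from the port table on each, and flags one placement problem a practitioner would want to catch: the infrastructure master sitting on a GC in a domain where not every DC is a GC, which stops cross-domain group-to-user references from being updated. It assumes the RSAT ActiveDirectory module and a domain user account; Test-NetConnection only probes TCP, so the Kerberos 88/UDP entry is not checked.

```powershell
# Added example (not from the original notes): FSMO role holders, GC servers and
# a TCP reachability check for the ports in the notes. Assumes the RSAT
# ActiveDirectory module and a domain user account.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

$roles = [ordered]@{
    # Forest-wide roles: one holder per forest
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    # Domain-wide roles: one holder per domain
    'RID master'            = $domain.RIDMaster
    'PDC emulator'          = $domain.PDCEmulator
    'Infrastructure master' = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

'Global catalog servers:'
$forest.GlobalCatalogs | ForEach-Object { "  $_" }

# TCP ports from the notes. Test-NetConnection probes TCP only, so Kerberos
# 88/UDP is not covered. 3268/3269 are expected only on a GC.
$dcPorts = 389, 135
$gcPorts = 3268, 3269
$dcs = (@($roles.Values) + @($forest.GlobalCatalogs)) | Sort-Object -Unique
foreach ($dc in $dcs) {
    $ports = $dcPorts
    if ($forest.GlobalCatalogs -contains $dc) { $ports += $gcPorts }
    foreach ($p in $ports) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-30} {1,5} {2}' -f $dc, $p, $(if ($ok) { 'open' } else { 'CLOSED' })
    }
}

# Placement check: the infrastructure master must not be a GC unless every DC in
# the domain is a GC, otherwise cross-domain group membership names go stale.
$nonGcDcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $false }
if (($forest.GlobalCatalogs -contains $domain.InfrastructureMaster) -and $nonGcDcs) {
    'WARNING: infrastructure master {0} is a GC but {1} DC(s) are not' -f `
        $domain.InfrastructureMaster, @($nonGcDcs).Count
}
```

Run it from any domain-joined workstation with RSAT; a CLOSED port on a role holder usually means a firewall rule between your site and that DC rather than a problem with the role itself.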


What is the structure classification of AD?

Logical Structure –  [DOTfS]  The logical structure of Active Directory is flexible and provides a method for designing a directory hierarchy that makes sense to both its users and those who manage it. The logical components of the Active Directory structure include:

  • Domains
  • Organizational units
  • Trees and Forests
  • Schema

Physical Structure

  • Sites
  • Domain Controllers

New in ADDS 2016

  • Privileged access management (PAM)
  • Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
  • Connecting domain-joined devices to Azure AD for Windows 10 experiences
  • Enable Microsoft Passport for Work in your organization
  • Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels


Microsoft Passport is a new key-based authentication approach for organizations and consumers that goes beyond passwords.

Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers, with improved capabilities for corporate and personal devices.

Privileged access management (PAM) provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:

A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.

New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests.

New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests. The shadow security principals have an attribute that references the SID of an administrative group in an existing forest. This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs).

An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time required to perform an administrative task. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime.

KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups. For example, if you are added to a time-bound group A, then when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have remaining in group A. If you are also a member of another time-bound group B, which has a lower TTL than group A, then the TGT lifetime is equal to the time you have remaining in group B.

New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed.
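As an added example of the expiring links feature (not part of the original notes or of MIM), the script below grants a one-hour, time-bound group membership and reads the remaining TTL back from the group's member attribute. It assumes a Windows Server 2016 forest functional level, the RSAT ActiveDirectory module, and rights to modify the group; the group name Tier0-Admins and user jdoe are placeholders.

```powershell
# Added example (not from the original notes): time-bound group membership via
# expiring links. Assumes forest functional level 2016, the RSAT ActiveDirectory
# module, and rights to enable the feature and modify the group.
Import-Module ActiveDirectory

$forest = Get-ADForest
$group  = 'Tier0-Admins'   # placeholder administrative group
$user   = 'jdoe'           # placeholder user

# Expiring links are off by default. Enabling the optional feature is a
# one-way, forest-wide change, so check its state before enabling it.
$feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

# The membership link carries a TTL instead of being permanent; when it expires
# the user simply drops out of the group, with no cleanup job needed.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Hours 1)

# -ShowMemberTimeToLive returns time-bound members as "<TTL=seconds>,<DN>", so
# the remaining lifetime can be audited without waiting for the link to expire.
$members = (Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member
foreach ($m in $members) {
    if ($m -match '^<TTL=(\d+)>,(.*)$') {
        '{0,6}s remaining  {1}' -f $Matches[1], $Matches[2]
    } else {
        'permanent         {0}' -f $m
    }
}

# When the user logs on, the KDC caps the TGT lifetime at the lowest remaining
# TTL across all of their time-bound memberships; in that user's session,
# "klist tgt" shows the resulting EndTime.
```

Permanent members still appear as plain distinguished names, so the same loop doubles as a quick inventory of which administrative memberships in a group are time-bound and which are standing.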

What are the types of backups?

Normal Backup

  • Default type of backup performed by Backup utility
  • Backs up all selected files and folders and clears the archive attribute on each
  • This type of backup can be inefficient because it does not take into account whether files have changed

Incremental Backup

  • Backs up only files that have changed since last normal or incremental backup
  • Clears the archive attributes of the files
  • Reduces the size of backup jobs
  • Restore process is more complicated
  • Normal backup and incremental backups must be restored in order

Differential Backup

  • Backs up only files that have changed since last normal or incremental backup
  • Does not clear the archive attributes of those files
  • A second differential backup backs up the same files again, because the first differential backup did not clear their archive attributes
  • Reduces the size of backup jobs compared to normal backups but not incremental backups
  • Restore process requires only the normal backup and the latest differential backup
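To make the three selection rules concrete, here is an added example (not from the original notes) that models Normal, Incremental and Differential backups on a scratch folder under $env:TEMP, using the archive attribute the same way the Backup utility does: select files by the bit, then either clear it or leave it set. Editing a file on NTFS sets the archive bit again, which is what drives the differences in what each run picks up.

```powershell
# Added example (not from the original notes): simulate backup selection using
# the archive attribute. Works on a throwaway folder under $env:TEMP.
$root = Join-Path $env:TEMP 'backup-demo'
Remove-Item $root -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $root | Out-Null
'a.txt', 'b.txt', 'c.txt' | ForEach-Object { Set-Content (Join-Path $root $_) 'v1' }

$archiveBit = [int][IO.FileAttributes]::Archive

# Files whose archive bit is set, i.e. changed since the bit was last cleared
function Get-ArchiveSet {
    Get-ChildItem $root -File | Where-Object { ([int]$_.Attributes -band $archiveBit) -ne 0 }
}

function Invoke-Backup {
    param([ValidateSet('Normal', 'Incremental', 'Differential')] $Type)
    # Normal takes everything; Incremental and Differential take only changed files
    $files = if ($Type -eq 'Normal') { Get-ChildItem $root -File } else { Get-ArchiveSet }
    # Normal and Incremental clear the archive bit; Differential leaves it set
    if ($Type -ne 'Differential') {
        foreach ($f in $files) { $f.Attributes = [int]$f.Attributes -band -bnot $archiveBit }
    }
    '{0,-12} backs up: {1}' -f $Type, (($files.Name | Sort-Object) -join ', ')
}

Invoke-Backup Normal                        # a, b, c ; all archive bits cleared
Set-Content (Join-Path $root 'a.txt') 'v2'  # editing sets the archive bit again
Invoke-Backup Differential                  # a       ; bit left set
Set-Content (Join-Path $root 'b.txt') 'v2'
Invoke-Backup Differential                  # a, b    ; a is taken again
Invoke-Backup Incremental                   # a, b    ; bits now cleared
Set-Content (Join-Path $root 'c.txt') 'v2'
Invoke-Backup Incremental                   # c       ; only the latest change

# Restore order follows from the selection rules:
#   Incremental chain : the Normal backup, then every Incremental in order
#   Differential chain: the Normal backup, then only the latest Differential
```

The two differential runs in the middle show why the notes call differential restores simpler and differential jobs larger: each differential re-copies everything changed since the last Normal or Incremental, so the latest one is always sufficient on its own.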