Saturday 27 April 2013

Active Directory Question and Answer


Active Directory Question and Answer

1. What is Active Directory ?

Active Directory is a database which store a data base like your user information, computer information and also other network object info. It has capabilities to manage and administer the complete Network which connect with AD.

2. What is domain ?

A domain is a named collection of hosts and subdomains, registered with a unique name by the InterNIC.

3. What is domain controller ?

A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination

4. What is LDAP ?

Lightweight Directory Access Protocol LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.

5. What is KCC ?

KCC ( knowledge consistency checker ) is used to generate replication topology for inter site replication and for intra site replication with in a site replication traffic is done via remote procedure calls over ip, while between site it is done through either RPC or SMTP.
6. Where is the AD database held? What other folders are related to AD?

The AD data base is store in c:\windows\ntds\NTDS.DIT.

7. What is the use of SYSVOL folder?

The SYSVOL folder stores the server's copy of the domain's public files. The contents such as group policy, users etc of the SYSVOL folder are replicated to all domain controllers in the domain.

8.What is LSDOU ?

It’s group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units

9. What is lost & found folder in ADS ?

It’s the folder where you can find the objects missed due to conflict. Ex: you created a user in OU which is deleted in other DC & when replication happed ADS didn’t find the OU then it will put that in Lost & Found Folder.

10. What is Garbage collection ?

Garbage collection is the process of the online defragmentation of active directory. It happens every 12 Hours

11. What System State data contains ?

1.    Contains Start-up files,

2.    Registry

3.    Com + Registration Database

4.    Memory Page file

5.    System files

6.    AD information

7.    Cluster Service information

8.    SYSVOL Folder

12. What is the use of LDAP ?

LDAP is designed to allow for the transfer of information between domain controllers and to allow users to query information about objects within the directory.

13. What is the purpose of replication in AD ?

The purpose of replication is to distribute the data stored within the directory throughout the organization for increased availability, performance, and data protection. Systems administrators can tune replication to occur based on their physical network infrastructure and other constraints.

14. What is global catalog ?

The Global Catalog is a database that contains all of the information pertaining to objects within all domains in the Active Directory environment.

15. What is DNS Zones ?

A DNS zone is a portion of the DNS namespace over which a specific DNS server has authority.

16. What is a site ?

one or more well-connected highly reliable and fast TCP/IP subnets. A site allows administrator to configure active directory access and replication topology to take advantage of the physical network.

17. What is Active Directory Schema ?

The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest. it also contains formal definitions of every attribute that can exist in an Active Directory Object.

18. What are the benefits of AD integrated DNS ?

1.    A few advantages that Active Directory-integrated zone implementations have over standard primary zone implementation are :

2.    Active Directory replication is faster, which means that the time needed to transfer zone data between zones is furless.

3.    The Active Directory replication topology is used for Active Directory replication, and for Active Directory- integrated zone replication. There is no longer a need for DNS replication when DNS and Active Directory are integrated.

19. What is File Replication Service (FRS)

File Replication Service is a Microsoft service which replicates folders stored in sysvol shared folders on domain controllers and distributed file system shared folders. This service is a part of Microsoft's Active Directory Service.

20. Explain different zone involved in DNS Server?

DNS has two different Zones Forward Lookup Zone and Reverse Lookup Zone. There two Zones are categorized into three zones and are as follows:

Primary zone: It contains the read and writable copy of the DNS Database.

Secondary Zone: It acts as a backup for the primary zone and contains the read only copy of the DNS database.

Stub zone: It is also read-only like a secondary zone; stub zone contains only SOA, copies of NS and A records for all name servers authoritative for the zone

21. What is the difference between local, global and universal groups ?

Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

22. What is RPC protocol ?

A protocol RPC (Remote Procedure Call) used to allow communications between system process on remote computers. The RPC protocol is used by the Active Directory for intra-site replication.

23. What is Resource Record ?

Resource Record (RR) is a DNS entry that specifies the availability of specific DNS services. For Example, an MX record specifies the IP address of a mail server, and Host (A) records specify the IP addresses of workstations on the network.

24. What is a Tree ?

A set of Active Directory domains that share a common namespace and are connected by a transitive two-way trust. Resources can be shared between the domains in an Active Directory.

25. What is REPADMIN ?

This command-line tool assists administrators in diagnosing replication problems between windows domain controllers. Administrators can use Repadmin to view the replication topology as seen from the perspective of each domain controller.

 

Wednesday 27 March 2013

LOG Parser – IIS LOGS Analysis

LOG Parser – IIS LOGS Analysis

In this post I will show some examples how to collect information from IIS Logfiles. For this porpuse I will use LogParser version 2.2.
From command prompt run LogParser.exe /? for Help menu.
C:\Program Files\Log Parser 2.2>LogParser.exe /?
Microsoft (R) Log Parser Version 2.2.10
Copyright (C) 2004 Microsoft Corporation. All rights reserved.
Usage:   LogParser [-i:<input_format>] [-o:<output_format>] <SQL query> |
                   file:<query_filename>[?param1=value1+...]
                   [<input_format_options>] [<output_format_options>]
                   [-q[:ON|OFF]] [-e:<max_errors>] [-iw[:ON|OFF]]
                   [-stats[:ON|OFF]] [-saveDefaults] [-queryInfo]
         LogParser -c -i:<input_format> -o:<output_format> <from_entity>
                   <into_entity> [<where_clause>] [<input_format_options>]
                   [<output_format_options>] [-multiSite[:ON|OFF]]
                   [-q[:ON|OFF]] [-e:<max_errors>] [-iw[:ON|OFF]]
                   [-stats[:ON|OFF]] [-queryInfo]
 -i:<input_format>   :  one of IISW3C, NCSA, IIS, IISODBC, BIN, IISMSID,
                        HTTPERR, URLSCAN, CSV, TSV, W3C, XML, EVT, ETW,
                        NETMON, REG, ADS, TEXTLINE, TEXTWORD, FS, COM (if
                        omitted, will guess from the FROM clause)
 -o:<output_format>  :  one of CSV, TSV, XML, DATAGRID, CHART, SYSLOG,
                        NEUROVIEW, NAT, W3C, IIS, SQL, TPL, NULL (if omitted,
                        will guess from the INTO clause)
 -q[:ON|OFF]         :  quiet mode; default is OFF
 -e:<max_errors>     :  max # of parse errors before aborting; default is -1
                        (ignore all)
 -iw[:ON|OFF]        :  ignore warnings; default is OFF
 -stats[:ON|OFF]     :  display statistics after executing query; default is
                        ON
 -c                  :  use built-in conversion query
 -multiSite[:ON|OFF] :  send BIN conversion output to multiple files
                        depending on the SiteID value; default is OFF
 -saveDefaults       :  save specified options as default values
 -restoreDefaults    :  restore factory defaults
 -queryInfo          :  display query processing information (does not
                        execute the query)
Examples:
 LogParser "SELECT date, REVERSEDNS(c-ip) AS Client, COUNT(*) FROM file.log
            WHERE sc-status<>200 GROUP BY date, Client" -e:10
 LogParser file:myQuery.sql?myInput=C:\temp\ex*.log+myOutput=results.csv
 LogParser -c -i:BIN -o:W3C file1.log file2.log "ComputerName IS NOT NULL"

Help:
 -h GRAMMAR                  : SQL Language Grammar
 -h FUNCTIONS [ <function> ] : Functions Syntax
 -h EXAMPLES                 : Example queries and commands
 -h -i:<input_format>        : Help on <input_format>
 -h -o:<output_format>       : Help on <output_format>
 -h -c                       : Conversion help
Lets begin
I use this template and just change de SQL query’s.
Run in command prompt just in one line,
LogParser.exe -i:W3C "One of the SQl sentences in examples below" -o:CSV
Examples Of SQL Query’s for multiple situations.
The hard is to get some valid SQL query’s that cover multiple situations, below you can find some of them that I think interesting to be used daily.
SQL query’s are in different lines to get reading easier , and also some information was cleared from the output because is irrelevant to this post and to extensive, but you can get a picture of the final result. I’ve also copied the logs from my server, to my laptop.
Number of Hits per Client IP, including a Reverse DNS lookup
SELECT c-ip As Machine, REVERSEDNS(c-ip) As Name, COUNT(*) As Hits
FROM H:\LOGSIIS\W3SVC1\U*.* GROUP BY Machine ORDER BY Hits DESC
Out Put
Machine,Name,Hits
 10.xxx.xxx.x1,10.xxx.xxx.x1,505923
 10.xxx.xxx.x2,10.xxx.xxx.x2,443922

Statistics:
 -----------
 Elements processed: 1114134
 Elements output:    53
 Execution time:     156.64 seconds (00:02:36.64)
Top 25 File Types
SELECT TOP 25 EXTRACT_EXTENSION(cs-uri-stem) As Extension, COUNT(*)
As Hits FROM H:\LOGSIIS\W3SVC1\* GROUP BY Extension ORDER BY Hits DESC
Out Put
Extension,Hits
 gif,70954
 aspx,56951
 css,14300
 js,9342
 vbs,3994
 swf,6
 png,5
 pdf,1

Statistics:
 -----------
 Elements processed: 1114134
 Elements output:    24
 Execution time:     2.39 seconds
Top 25 URLs Hits
SELECT TOP 25 cs-uri-stem as Url, COUNT(*) As Hits FROM H:\LOGSIIS\W3SVC1\*
GROUP BY cs-uri-stem ORDER By Hits DESC
Out Put
Url,Hits
 /,949949
 /Report/lgx_Engine/lgx_LoadPicture.aspx,5893
 /Connect/lgx_Engine/lgx_LoadPicture.aspx,4263
 /Report/lgx_Engine/lgx_Utils/lgx_Logon/lgx_Revive.aspx,3671
 /lgx_images/months/w2d30.gif,3237
 /lgx_images/months/w4d31.gif,3236
 /lgx_images/months/w1d31.gif,3207
 /lgx_images/months/w6d31.gif,3207
 /lgx_images/months/w0d31.gif,3200
 /lgx_images/months/w3d29.gif,3141
 /Report/rdPage.aspx,3141
 /lgx_images/months/w4d30.gif,3129
Statistics:
 -----------
 Elements processed: 1114134
 Elements output:    25
 Execution time:     2.07 seconds
Number of hits per Method (GET, POST, etc)
SELECT cs-method As Method, COUNT(*) As Hits FROM H:\LOGSIIS\W3SVC1\* GROUP BY Method
Output
Method,Hits
 GET,1088636
 POST,24746
 OPTIONS,593
 HEAD,147
 PROPFIND,12
Statistics:
 -----------
 Elements processed: 1114134
 Elements output:    5
 Execution time:     2.46 seconds
Number of requests made by user
SELECT TOP 25 cs-username As User, COUNT(*) as Hits FROM H:\LOGSIIS\W3SVC1\*
WHERE User Is Not Null GROUP BY User
Output
UP BY User" -o:CSV
 User,Hits
 MyDomain\username1,237
 MyDomain\username14,3
 MyDomain\username11,25
Statistics:
 -----------
 Elements processed: 1114134
 Elements output:    25
 Execution time:     2.28 seconds
Extract Values from Query String (d and t) and use them for Aggregation
SELECT TOP 25 EXTRACT_VALUE(cs-uri-query,'d')
as Query_D, EXTRACT_VALUE(cs-uri-query,'t')
as Query_T, COUNT(*) As Hits FROM H:\LOGSIIS\W3SVC1\*
WHERE Query_D IS NOT NULL
GROUP BY Query_D, Query_T ORDER By Hits DESC
Output
 URL,Max,Min,Average
 /Control/,13782,13782,13782
 /Translate/lgx_Engine/lgx_Frame.aspx,327972,0,13066
 /Translate/lgx_Engine/lgx_Detail.aspx,191354,15,11080
 /Translate/_Scripts/Transaction/TrackingFrameSet.aspx,10125,10125,10125
 /Trade/lgx_Engine/lgx_SubmitPage.aspx,17594,0,7757
 /Translate/lgx_Engine/lgx_Gateway.aspx,84567,15,7679
 /Connect/lgx_Engine/lgx_Menu.aspx,42471,0,3309
 /Home/_Temp/14425.gif,9328,15,3176
 /Trade/_Scripts/ReferencePriceListForm.aspx,5281,890,3085
Statistics:
 -----------
 Elements processed: 1114134
 Elements output:    25
 Execution time:     2.62 seconds
List the count of each Status and Substatus code
SELECT TOP 25 STRCAT(TO_STRING(sc-status), STRCAT('.', TO_STRING(sc-substatus)))
As Status, COUNT(*) AS Hits FROM H:\LOGSIIS\W3SVC1\*
GROUP BY Status ORDER BY Status ASC
Output
Status,Hits
 200.0,773106
 301.0,110
 302.0,1926
 304.0,43803
 401.1,21296
 401.2,245000
 403.14,77
 404.0,28778
 404.15,1
 500.0,17
 500.22,6
 500.24,14
Statistics:
 -----------
 Elements processed: 1114134
 Elements output:    12
 Execution time:     4.00 seconds
List the count of each Status code
SELECT sc-status As Status, COUNT(*) As Number FROM H:\LOGSIIS\W3SVC1\*
GROUP BY Status ORDER BY Status
Output
Status,Number
 200,773106
 301,110
 302,1926
 304,43803
 401,266296
 403,77
 404,28779
 500,37
Statistics:
 -----------
 Elements processed: 1114134
 Elements output:    8
 Execution time:     2.04 seconds
List all the requests by user agent
SELECT cs(User-Agent) As UserAgent, COUNT(*) as Hits FROM H:\LOGSIIS\W3SVC1\*
GROUP BY UserAgent ORDER BY Hits DESC" -o:CSV
Output
UserAgent,Hits
 ,949846
 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;
 +.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2),32945
 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;
 +.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022
 ;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+.NET4.0C),24775
 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+chromeframe/11.0.696.68;+.NET+CLR+1.1.4322;
 +.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.0450
 6.648;+.NET+CLR+3.5.21022;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2),22805
 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;
 +.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3
 .5.21022;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+.NET4.0C),21243
 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;
 +.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022
 ;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2),16795
 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;
 +.NET4.0C;+.NET4.0E;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729),79
 66
 Statistics:
 -----------
 Elements processed: 1114134
 Elements output:    54
 Execution time:     2.02 seconds
List all the Win32 Error codes that have been logged
SELECT sc-win32-status As Win32-Status, WIN32_ERROR_DESCRIPTION(sc-win32-status)
as Description, COUNT(*) AS Hits FROM H:\LOGSIIS\W3SVC1\*
WHERE Win32-Status<>0 GROUP BY Win32-Status
ORDER BY Win32-Status ASC
Output
Win32-Status,Description,Hits
 2,The system cannot find the file specified.,26914
 5,Access is denied.,244993
 22,The device does not recognize the command.,11
 50,The request is not supported.,20
 64,The specified network name is no longer available.,2771
 121,The semaphore timeout period has expired.,1
 995,The I/O operation has been aborted because of either a thread exit or an application request.,6
 2148074252,The logon attempt failed,22
 2148074254,No credentials are available in the security package,21251
 3221225581,ErrorCode=-1073741715 (0xc000006d) - Unknown error message,2
 3221225585,ErrorCode=-1073741711 (0xc0000071) - Unknown error message,2
Statistics:
 -----------
 Elements processed: 1114134
 Elements output:    11
 Execution time:     2.11 seconds