21 Jan

What is a Domain?

A domain is like a virtual "kingdom" in a computer network. Think of it as a central rulebook that
controls who can enter, what they can do, and what resources they can use. In this kingdom, all
computers, users, printers, and other devices are members of the domain. The domain
provides centralized management, which means all the rules, settings, and permissions are
controlled from one place.

What is a Domain Controller?

A Domain Controller (DC) is the "king" or "manager" of the domain. It’s a server that keeps
track of all the users, computers, and rules in the domain. It checks whether a user is allowed to
log in and what they can do once logged in. The Domain Controller uses a database called
Active Directory to store all this information.

Analogy: In our office building example, the Domain Controller is like the security team that
checks your ID, verifies your identity, and tells you which floors you’re allowed to visit.

What is ADDS (Active Directory Domain Services)?

Active Directory Domain Services (ADDS) is the "brain" of the Domain Controller. It is a
service that manages and stores information about all the objects in the domain (users, groups,
devices, etc.). It also enforces security policies and enables users to access resources.

Analogy: ADDS is like a directory or a database that the security team (Domain Controller)
uses to verify who you are and what you’re allowed to do in the office building.

Why Create a Domain Instead of a Workgroup?

A workgroup is a simple way to connect computers, where every machine acts independently.
However, in a large network, managing users and resources becomes chaotic without
centralized control. A domain solves this by offering centralized management, better security,
and scalability.
 Analogy: A workgroup is like a neighborhood where each house manages its own rules and
security. A domain, on the other hand, is like a gated community where a central authority
manages security and access for all houses.

Key Advantages of Domains:

1. Centralized control over users and computers.

2. Better security with unified policies.
3. Scalability for larger networks.
4. Single Sign-On (SSO) for users across all resources.

What is DNS (Domain Name System)?

DNS is like the phonebook of the internet. It translates human-readable domain names (like
www.google.com ) into IP addresses (like 142.250.64.78 ) that computers use to communicate.

Analogy: Imagine you want to call your friend John. You don’t remember his phone number,
but you look it up in your phonebook. DNS does the same for websites and services.

What is DHCP (Dynamic Host Configuration Protocol)?

DHCP is a service that automatically assigns IP addresses to devices on a network. Without

DHCP, you would have to manually configure the IP address for every device, which is time-
consuming and error-prone.

Analogy: DHCP is like a receptionist at a hotel who assigns you a room number when you
check in. Each guest gets a unique room number (IP address), and the receptionist keeps
track of who is staying where.

What is a Member of a Domain?

A member of a domain is any device (like a computer or printer) or user account that is
registered with the domain. Members follow the rules set by the Domain Controller and can
access shared resources based on their permissions.

Analogy: A member of a domain is like an employee in the office building. They have a
badge (credentials) that gives them access to certain floors (resources) based on their role.
What is Kerberos and its Significance?

Kerberos is a secure method for authenticating users and devices in a domain. It is a key part
of Active Directory that ensures users don’t have to repeatedly enter their credentials when
accessing different resources. Kerberos uses tickets to prove a user’s identity without sending
passwords over the network.

How It Works:
1. A user logs in and gets a "ticket" from the Kerberos server.
2. This ticket is presented to other services or devices to access resources without
entering credentials again.
Analogy: Kerberos is like getting an all-access pass at an amusement park. You show the
pass at every ride, and it proves you’ve already paid and are allowed to enter.

Significance:

1. Enhances security by avoiding password transmission.

2. Speeds up resource access with Single Sign-On (SSO).
3. Is widely trusted and used in enterprise environments.

What is SRV and its Use?

SRV (Service Record) is a type of DNS record used to locate services like the Domain
Controller in a network. When a device or application needs to find a specific service (e.g.,
Kerberos authentication or LDAP), it looks up the SRV record in DNS.

How It Works:
1. A device queries DNS for an SRV record.
2. The SRV record tells the device where the service is located (e.g., the IP address and
port of the Domain Controller).
Analogy: SRV is like asking the reception desk in a large office where a specific
department (e.g., HR) is located. The receptionist gives you the room number and floor.

Significance:

1. Ensures devices can automatically find essential services in a domain.

2. Simplifies network configuration and management.
3. Is critical for Active Directory to function properly.
What is SSO (Single Sign-On) and Single Point of Authentication?

SSO (Single Sign-On) allows users to log in once and access multiple resources without
entering their credentials repeatedly. This is achieved through a centralized authentication
system, like Kerberos, which verifies the user’s identity and grants access to authorized
services.

Single Point of Authentication means that all authentication requests are handled by a
single system, typically the Domain Controller. This simplifies the login process and
enhances security by ensuring all access control is managed centrally.
Analogy: SSO is like a master key that opens all the doors in your office building. Once
you’ve unlocked the main door, you don’t need to carry separate keys for every room.

Benefits:

1. Convenience: Users only need to remember one set of credentials.

2. Efficiency: Reduces time spent logging in to multiple services.
3. Security: Centralized control ensures consistent enforcement of security policies.

How It Works:

1. A user logs in to the Domain Controller and gets authenticated.

2. The system issues a token or ticket (e.g., Kerberos ticket).
3. The token is used to access multiple services without entering credentials again.

Example in Real Life: When you log in to your email on a company’s network and can also
access file servers, printers, and internal websites without logging in again, that’s SSO in
action.

Why Use .local Instead of .com or .in for Domain Names?

When creating a domain name, it’s common to use .local for internal networks instead of
.com or .in . Here’s why:

1. Avoid Website Domain Conflicts:

If you use .com or .in (e.g., example.com ) for your internal domain and that domain
exists on the internet, your internal users might face issues accessing the external
website with the same name. Using .local prevents this conflict because .local is
reserved for internal networks.
 2. Conflict of LAN/WAN:
LAN (Local Area Network): Your internal network.
WAN (Wide Area Network): The internet.
Using .com can confuse your DNS system when it tries to decide whether a request is
for the internal network or the internet. .local makes it clear that the request is
internal.
3. Request Forwarding:
With .com , DNS might unnecessarily forward requests to external servers if it doesn’t
know whether to resolve them locally or globally. .local ensures all requests stay
within the LAN.
4. Website Hosting Conflict:
If you host a website internally with the same name as your domain (e.g.,
example.com ), external users might not be able

Question Asked By Sir

When we log in to the system using member there is an authentication process on the backend
now how will the member know that domain controller is the authenticating server or how will it
know which server is the domain controller?
Answer
When we create the domain controller and when dns is configured on the DC then a record
named SRV(Service) Record is created which is used to locate services related and used by
the Domain Controller itself.
Now this SRV record is used when any user on any computer belonging to the domain is
logging in to the system.
'Kerberos' is a authentication protocol used to verify the credentials of users when they log in to
the system.
So SRV Record along with Kerberos is used to authenticate the credentials
And DNS is used to call up the SRV Record which is then used to complete authentication of
the user trying to sign-in

22 Jan
Setup
3 VM
VM1 - 10.0.0.1(Preferred DNS Bhi Ye Hi Rahega Sabme)
VM2 - 10.0.0.2
VM3 - 10.0.0.3
DNS
Domain Name System
Used In Name And IP Resolution
Additional
OS Info Can Be Known By Typing 'winver' in Win+R
Setting Up Full Names In Host/Client
Go to the place where you change hostname
Click on more and then enter the DNS Suffix(Eg.IT.LOCAL)
Adding DNS
Go to server manager
Click on 'Add Roles And Features'
Select 'DNS'
Done
Shortcut Of Opening DNS Tab
Go to Control Panel
Go to Admin Tools
Select 'DNS' and right click and open Properties
Copy the '.msc' name
This .msc name is the shortcut used to open the DNS tab.
Zones

Forward Lookup Zones

Used for Name To IP Resolution
Uses Host Entry/Records For Resolution
Practical - Forward Lookup Zone
Creating Zones
Go to DNS in VM1
Right Click On Forward Lookup Zones
Click On 'Create New Zone'
Click 'Primary Zone'(Because First Time)
Enter Domain Name In Zone Name Space -> IT.LOCAL
Next
Select 'Allow Both....' Option
Finish
Now go to each Client PC and run 'ipconfig /registerdns' to update the systems
Creating Host Records
Prerequisites
1.First Ensure All The DNS Suffix Names Are Given
2.All The Machines To Be Used Have Proper IP And Their Preffered DNS Is The IP Of VM1
3.Ensure All The Systems Are Pinging With Each Other
Steps
Run 'ipconfig /registerdns' in Client PC Before Going Ahead
Ping Each PC With Each Other Before Going Ahead
Go to VM1
Go to CMD
Run
nslookup VM2.IT.LOCAL
nslookup VM3.IT.LOCAL
You will see output with the IP of the hostname you entered.
Output Example

Practical Ka Use Kya?

By creating and configuring all these you will be able to lookup for PC using 'Full Name' and
you can ping between PC using 'Full Name' and IP Addresses Both.
Kahi Atko Practical Main Toh
Sab Steps Vapas Check Karo
Reverse Lookup Zones
Used for IP To Name Resolution
Uses Pointer Records For Resolution
Practical - Reverse Lookup Zones
Creating Zones
Go to DNS in VM1
Right Click On Reverse Lookup Zones
Click On 'Create New Zone'
Click 'Primary Zone'(Because First Time)
Select IPV4
Enter First Three Octets(10.0.0 In This Example)
Click Next
Click Next
Select 'Allow Both....' Option
Finish
Now go to each Client PC and run 'ipconfig /registerdns' to update the systems
Creating Pointer Records
Prerequisites
1.First Ensure All The DNS Suffix Names Are Given
2.All The Machines To Be Used Have Proper IP And Their Preffered DNS Is The IP Of VM1
3.Ensure All The Systems Are Pinging With Each Other
Steps
Go to each Client PC and run 'ipconfig /registerdns' before going ahead
Ping Each PC With Each Other Before Going Ahead
Go to Client VM(VM-2,3)
Go to CMD(Make Sure It Is Administrator)
Run 'ipconfig /registerdns'(Do Not Forget This Step)
Now Go to Host VM(VM-1)
Go to CMD
Run
nslookup 10.0.0.2
nslookup 10.0.0.3
This will result in the full names of the PC with given IP
Output Example

Practical Ka Use Kya?

This practical will set up the lookup for PC with their IP and will help in getting the full names of
the PC.
Kahi Atko Practical Main Toh
Sab Steps Vapas Check Karo
23 Jan
Installing ADDS And Promotion To Domain Controller
Already Learnt
No Need To Select DNS While Adding Roles And Features Because It Will Be Selected By
Default

Extra
You can join domain using IT instead of IT.LOCAL but don't do it because it takes time.

29 Jan
ADDS Ke Pehle User Banaye Toh ADDS Install Karne Ke Baad Unn User Pe Kya Impact
Padega
Computer Management Main Locla Users And Groups Main Users Banaye
Uske Baad ADDS Banaya Aur Domain Controller Main Promote Kiya
Toh Iske Baad Users Transfer Ho Jayege ADUC Ke Users Wale Folder Main
Users Kyu Banate Hai?
Permission Allocation
Resource Allocation And Distribution
Domain Ka Fayda
SSO
Single Sign On
Ek Baar Sign In Karne Ka Fir Resources Pe Access Mil Jayega
Single Point Of Authentication
Authentication Ke Liye Ek Hi Source Rahega:Domain Controller
How To Create A User Same As Administrator
Go to Users In ADUC
Find Administrators In Users
Right Click -> Copy
Now enter the name of the User you want to create
This new user will be like a duplicate of the Administrator with a different name
Jab Administrator Ka Password Bhul Jaye Toh Ye User Backup Ke Liye Kaam
Aajayega Aur Hum Iss User Se Login Karke Administrator Ka Password Change Kar
Sakte Hai
UPN
User Principal Name
[email protected]
Name used at login
FQDN
krish.abc.com
Name which defines the absolute path of your user and which domain he/she is.
Disconnecting Network Adapter
VM Ke Settings Main Jao
Network Adapter Main Jao
Connected Wala Tick Hata Do
Red Cross Aajayega Matlab Disconnected
Removing ADDS
Demoting Domain Controller
Server Manager Pe Jao
Manage -> Remove Roles And Features
Wizard Khulega Usme Next Karo Aur ADDS Ki Tick Hatao
Tab Ek Wizard Khulega Usme Demote Domain Controller Pe Dabao
Removing Roles And Features
Server Manager Pe Jao
Manage -> Remove Roles And Features
Wizard Khulega Usme Next Karo Aur ADDS Ki Tick Hatao
Adding Virtual Adapter
Go to Device Manager
Of the top heading right click and select Add Legacy Hardware
Click Next
Select Second 'I Will Install Hardware From A List'
Select 'Network Adapter' From The List
Select 'Microsoft' in the left section
Select 'Loopback' adapter in the right section
Click Next
Go to ncpa.cpl and find the new adapter and assign ip to it.
Verification Of ADDS and Domains
 Agar Ye SRV Records Hai System Main Toh Matlab Domain Controller Aur ADDS
Setup Hogaya
tcp aur udp folder main srv records hoge
Recover Deleted SRV Records
Go to Services.msc
Restart netlogon service
Deleted SRV Records will be recovered
Check Logs Of ADDS Installation
Go to C:/Windows/debug and open DCPROMO file
Isme Logs Mil Jayege Ki Kab Konsi Service Install Hui Thi Along With Date And Time
Event Viewer
 Isme server main hue events/activities dikhege with their intensity or impact on the PC.
Warning Aur Critical Matlab Kuch Serious
Information matlab 'No Issue'
Firewall Filter Services

Preffered DNS
Agar preffered dns na rakho toh domain controller ke aakhri step pe prerequisite check
main error aayega.
Loopback Address
127.0.0.1 ka ping successfull aayega regardless of the physical adapter ka state.
Kyuki vo network adapter ke driver ka check karta hai naa ki actual adapter ka.
ADUC
Users banane ke liye OU banane ka
 Toh thoda structured rahega aur accordingly hum uspe policy apply kar sakte hai.
Kyuki OU ka kaam hi hai khud pe policy apply karwana with user stored in it.
Restricting Users From Logging In
Create User 'A2'
Go to Properties
Go to Account
Click 'Log On To.'
Select 'This Computer Only'
Type 'VM2' or any other client computer name
Now click OK and then login into 'A2' in VM3
You will be restricted from logging into VM3.
Practical 1
Objective
We have 3 VM(VM1,VM2,VM3)
VM1 - Domain Controller
VM2 - Member Bana Hua Hai
VM3 - Not On Domain
Steps - Creating Error
VM1 Domain Controller Bana Dege
VM2 Ko Member Bana Diya Hai
Uss Ke Baad VM2 Main Koi User(Eg.Krish) Se Login Karege Aur VM1 Ke ADUC
Main Jaa Ke Computers Folder Check Karege Aur VM2 Verify Karege Ki Member
Hai Ya Nahi
Ab VM2 Ko Shut Down Kar Dege
Fir VM3 Main Jaake Pehle Name Change Kar Dege VM2 Kar Ke Restart Karege.
Uske Baad VM3(Jo Ab VM2 Ke Naam Se Hai) Usko Domain Join Karayege
IT.LOCAL Karke Aur System restart Karege
Fir VM3 Main Normal User Se Login Karke VM1 Main ADUC Main Jaake
Computers Wale Folder Main Check Karege Ki VM2 Ka Member Vaise Ka Vaise
Hi Hai
Iska Logic - Isme VM2 Ka VM2 Hi Raha Computers Wale Folder Main Kyuki
Hostname/PC Name Same Hi Raha Hai Bas Password Update Ho Gaya
VM3 Ko Shut Down Karege Aur VM2 Main Krish User Se Login Karege Toh 'THe
Trust Relationship.....' Error Aayega Matlab Abhi Tak Sahi Chal Raha Hai
Steps - Solution
Ab VM2 Main .\administrator(Local Administrator Account) Se Login Karege Aur
Domain Name Main IT.LOCAL Ka Local Hata Ke Join Karayege.
 Fir System Restart Karke VM1 Ke ADUC Main Jaake Verify Karege Computers
Wale Folder Main Ki Member Bana Hua Hai Ya Nahi
Iska Logic - Isme VM2 Ka VM2 Hi Raha Computers Wale Folder Main Kyuki
Hostname/PC Name Same Hi Raha Hai Bas Password Update Ho Gaya
VM3 Main Login Karne Ka Administrator Ke Through Uske Baad Naam Change
Karke VM3 Karke Domain Join Karege Sirf IT Karke.
Observation - Ab Jo Member Bana Hua Tha Uska Naam VM3 Hogaya Aur VM2
VM Ka PC Nahi Hai
Ab VM2 Main Jaa Ke IT.LOCAL Ka Local Hata Ke Domain Join Karao
Ab VM1 Main Jaake ADUC Ke Computers Main Check Karege Toh Yaha VM3
Aur VM2 Computer Alag Se Bana Hua Hoga
IMP 2
Agar VM2 member bana hua hai aur agar ham domain name change karne wali jagah
pe IT.LOCAL jo likha hua hai usko IT karde aur enter maare toh automatically log in ho
jayega without any credentials only because VM2 member hai uska

11 Feb
IMP 3
Scenario
Agar Domain Controller Band Hai Toh Kaise Koi Member Login Kar Paa Raha
Hai Apne System Main?
Solution
Domain Controller Ko Band Karke VM2 Aur VM3 Main Krish User Se Login Karke
Verify Karlo Login Ho Jayega
Fir VM3 Main .\administrator se login karo
secpol.msc main Local Policies main jaane ka
Usme Security Options main jaa ne ka.
'Interactive Logon:Number of previous logons to cache' <- Jitne logon isme
defined hoga utni baar domain controller band hone ke bawajood hum user login
kar payege.
Max Limit Iski 50 Hai.
Isme Zero Login Kardo Aur Kisi User Se Login Karo Fir 'There Are Currently No
Logon Servers To Accept This Request' Ka Error Aayega.
IMP 4
Scenario
Client VM Se User Bananeka Rather Than DC Se.
Procedure
 Client VM Main Add Roles And Features Main ADDS Role Add Karneka
Uske Baad Manage Main 'ADUC' Aa Jayega
IMP 5
Scenario
OU Delegation
Procedure
Same As Previous Semester
IMP 6
Scenario
Users Home Folder
Procedure
Create folder 'Data1' in VM2 Local Disk C:
Share Folder And Assign Full Access To Everyone In Sharing Tab
Go to VM1
Create User H1
Go to Properties
Go to Profile Tab
Go to Home Folder And Select Connect
Enter '\VM2\Data1\H1' <- In Short Enter The Path Of Data1 Folder Created
Select 'Z' as Data Drive To Avoid Any Conflict
Now Login Through H1 In VM2(Client)
Go to This PC You Will See A Drive Under Network Section
Now this folder will act as the home directory for the H1 user regardless of the VM
you login into.
Keywords
Easy Availability

12 Feb
Group Policy
A User Can Login Anywhere In The Premises Of Domain So It Is Not Secure To Allow
It All Permissions.
So Group Policy Can Be Used To Add Restrictions On User And Where And What It
Can Access Or Use.
Users are made as per its application and unqiue purpose.
Console
Platform from where we can configure tools related.
 Subjective means Microsoft Console means a platform where we can perform
configuration settings on the system.
Restricting Control Panel
Go To VM1
Go to Group Policy Management
Find Group Policy Objects Folder
'Default Domain Controllers Policy' <- Click Karo Aur Details Main Unique ID Dikhegi
Iss Unique ID Ke Naam Se Ek Folder Hoga 'SYSVOL' Naam Ke Folder Main Jaha Iski
Policies Hogi
Same Goes For 'Default Domain Policy'
Yaha Pe Right Click Karo Group Policy Objects Pe Aur New GPO Choose Karo
GPO Ka Naam 'Restricting Control Panel' Karo Aur Enter Maro Aur Iski Bhi Ek Unique
ID Hogi.
Ab New GPO Pe Right Click Karo Aur Edit Select Karo Aur Naya Tab Khulega
Doubt - Iss Naye Tab Main User Configuration Aur Computer Configuration Ka
Difference Samjhne Ka
Ab User Configuration Main Policy Main Jao Aur Fir Administrative Templates Main Jao
Control Panel Select Karo
Usme 'Prohibit Access To Control Panel And PC Settings' Ko Configure Karna Hoga
Fir Double Tap Karneka Aur Uss Policy Ko Enable Karne Aur Apply Karo
CMD Main Jaa Ke 'gpupdate /force' run karo.
Uske Baad Default Domain Policy Main Jao IT.LOCAL Ke Under Aur Accounts(Isme 3
Users Banaye Hai) OU Pe Right Click Karke 'Link Existing GPO' Select Karo Aur Abhi
Jo Nayi GPO Banayi Usko Select Karlo
Iss Se Uss OU Ke Under Ke Saare Users Pe Ye Policy Apply Hojayegi
Uss OU Ke 2 Users Pe Apply Karna Hai Aur Ek Ko Nahi
Toh Vo GPO Pe Chalejao
Baadme Security Filering Main Authenticated Users Ko Select Karke Remove
Karo Aur Jiss User Pe Tumko Ye Policy Apply Karni Hai Uska Naam Daaldo.
Toh Jo User Mentioned Hoga Unpe Hi Apply Hogi Policy Baaki Sab Pe Nahi

14 Feb
Task - Backup Server
Requirements - Server Platform,Domain Aur Domain Members Chahiye
Client VM Ke Administrator Se Login Ho Jao
ADDS Wala Role Add Karlo
 Fir Domain Controller Wale Wizard Main Aane Ke Baad 'Add a new domain to an
exisiting domain'(First Option Select Karna Hai)
Fir Baaki Sab Steps Same Rahege
Fir System Restart Ho Jayega
Fir CMD Main 'net accounts' command run karo aur bottom right main BACKUP likha
hoga.
Fir Domain Controller Main Jaa Ke Ye Command Run Karo Ge Toh Vaha PRIMARY
dikhega.
Backup Server Ki Thodi Theory
Task - Changing Backup Server To Primary Server
'netdom query fsmo' ye run karke 5 roles aayege jo by default Domain Controller(VM1)
ke pass hoge iss practical main vo sab roles VM2 ko assign karne hoge
Backup Servers Multiple Ho Sakte Hai Lekin Primary Ek Hi Hoga
Abhi Backup Server(VM-2) Main Aa Jao
cmd Main 'ntdsutil' run karo
Fir roles rype karo
Extra
fsmo maintenance - flexible single master operations
Fir '?' likho query ke liye
Baadme 'connections' likho
? karo query ke liye
Fir 'Connect To Server VM2' karo toh roles VM2 se connect hoge
Fir 'quit' enter karo toh ek step back aa jaoge
? karo query ke liye
Aakhri ke paach command 5 roles transfer ka hoga
Commands
Transfer infrastructure master
Transfer naming master
Transfer PDC
Transfer RID Master
Transfer schema master
Fir quit karke net accounts run karoge toh PRIMARY hojayega
Fir 'netdom query fsmo' run karo aur VM2 show hoga
Fir VM1 main 'net accounts' run karege toh BACKUP hogaya hoga automatically.

17 Feb
Server Upgrade Karte Waqt Role Transfer Karte Hai Vo Pehla Tareeka Tha
Dusri Method Of Transferring Role

Primary Server Down Hogaya Hai Toh Server Seize Karege

Matlab Backup Server Ko Forcefully Primary Kardege
VM1 Band Karo
VM2 Main Sites And Services Main Jao
Fir Sites Main Jao
Usme Inter-Site Transports -> Subnets -> Default First Site Name -> Servers -> VM1
Main Pohoch Jao
Usme NTDS Settings Main Jao Aur Replicate Now Karna Hai Jo Dikh Raha Hai Usko
Right Click Karke
Error Aayega Kyuki Abhi Koi Object Nahi Hai
Fir VM2 Wale Folder Main Jao Aur NTDS Settings Wale Folder Main Jao
Khali Hoga
FIr Right Click Karo Usme All Tasks Usme Check Replication Topology Pe Click Karo
Aur Object Aajeyega
Ab VM1 Wale Folder Main Jaa Ke Check Replication Wale Step Ko FIr Se Karo Aur Jo
Pehle Error Aaya Tha Vo Ab Nahi Aayega
Iske Baad cmd Main Jao
net accounts
netdom query fsmo
Run karo
Ye Dono Main Karo
Fir VM1 Ko Band Kardena VM2 Main Jaane Se Pehle
Ab VM2 Main cmd main Jao Aur
ntdsutil
Roles
Connections
Connect To Server VM2
Quit
Ab Ye 5 Command Run Karo Aage 'Seize Laga Ke'
Infrastructure Master
Naming Master
PDC
RID Master
Schema Master
Ab Dheere Dheere Sab Roles Transfer Ho Jayege
 Warning
Ab VM1 Abandon Hogaya Hai Toh Iss Process Ke Baad Usko Run Karna
Recommended Nahi Hai Vo Unstable Hoga
Sir Ne VM1 Run Kiya Toh Yaha VM2 Main Schema Master Aur Naming Master VM1
Ko Transfer Hogaya
Ye Effect Hai Uske Unstable Behaviour Ka

25 Feb
RODC
Read Only Domain Controller
Situation
Ek Gaanv Hai Jaha 50 Employee Hai Lekin Vaha IT Admin Jane Ke Liye Taiyar Nahi
Hai Toh Uss Gaanv Ke Employee Management Aur User Authentication Ke Liye Hum
Uss Gaanv Main RODC Server Banadege Toh Vaha Ke Employee Kuch Kar Na Paye
Aur Sirf Authentication Ke Liye Use Hoga RODC Server.
Task-RODC
VM2 Ko Pehle Domain Se Nikal Dena Uske Baad Shuru Karna
VM1 Usme RO Naam Ka OU Banao Usme R1 Wala User Banao
R1 Ko Read Only Domain Controller Wale Group Main Daalo
Ab Domain Controllers Wale Folder Main Right Click Karke 'Pre-Create....' Wala
Option Choose Karlo
Ab Next Karo Aur Selected Option Main Next Karo
VM2 Likh Ke Enter Maaro
Ab Set Pe Click Karo Aur Usme Check Names Main R1 Karo Aur Enter Maardo
Ab Domain Controller Wale Folder Main VM2 Ki Entry Hogi
Ab VM2 Main Login Karo
ADDS Install Kardo
Domain Controller Promote Wale Step Main Pehla Option Select Karo Aur Domain
Select Karne Ka Button Hoga Usme Administrator Aur Password VM1 Ka Daal Dena
Aur Neeche Change Ka Button Hoga Uspe Click Karo
Yaha Pe '[email protected]' aur password daaldo
Next Karo
Warning Aayegi 'A Pre-created RODC.....' -> Iska Matlab Ye Server Sirf RODC Bann
Sakta Hai
Ab DSRM Main VM Ka Password Daal Do Aur Next Karo
Ab Next Click Karke Any Domain Controller Default Selected Hoga Aur Fir Next Karo
Ab Next Next Karke Finish Karo Fir System Restart Hoga
 Ab Server Main R1 Se Login Karo
OU Create Karne Ka Try Karo Batch2 Naam Ka Usme User B1 Banao
Ab Same OU Aur User VM1 Main Nahi Banega Kyuki Replication Nahi Hai Dono Main
Task - Smart Work
VM1 Main Jao Aur Manage Main Jaa Ke Add Server
Vaha Pe Name Main VM2 Daal Do
Baadme Vaha Ek Button Hoga Usko Click Karo Toh VM2 Right Side Pe Chale Jayega
Fir Ok Karo
Ab Tumhe Server Manager Ke Right Side All Servers Ka Option Dikh Raha Hoga Uspe
Click Karo
Right Side Tumhe VM2 Dikh Raha Hoga
Uspe Right Click Karo Aur Dekho
Tum Yaha Se Remotely Vaha Ki Cheeze Change Kar Sakte Ho

27 Feb
DSRM
Directory Service Restore Mode
Ntds.dit
New Technology Directory Service . Directory Tree
Backup SYSROOT Folder Main Hota Hai
Practical - DSRM Ka Password Bhul Gaye Toh
Add Feature 'Windows Server Backup' In VM1(DC)
Local Disk C Main Se 20GB Shrink Karke Ek Naya Partition Banao
Fir Windows Server Backup Kholo(wbadmin.msc)
Fir Local Backup Pe Right Click Karo Aur Backup Once Select Karo
Jo Bhi Aaya Welcome Screen Pe Uspe Next Karna
Different Options Choose Karo Aur Next
Custom Choose Karo Aur Next
Add Items Select Karo
System State Select Karna Hai Kyuki Isme Active Directory Related Sab Objects Hote
Hai
Next Karo
Local Drives Select Karo
Ab Yaha Pe Automatically Tumhari New Partition Wali Disk Dikh Jayegi
Next Fir Backup Hojayega
Ab CMD Main Jao Fir 'ntdsutils' Main Jao
 FIr 'Set DSRM Password' Type Karo Aur Enter
? use karte rehna query ke liye
Fir 'Reset Password On Server VM1' Enter Karo
Fir Naya Password Type Karo Jo Bhi Rakhna Hai Do Baar
Ab Quit Karke Bahar Nikal Jao Aur Backup Check Karlo
Ab 'msconfig' main Boot Main Jaake Safe Boot Select Karo Aur Active Directory Repair
Select Karo
Aur Restart Karo Fir Vo Safe Boot Main Boot Hoga
Ab Login Ke Waqt Local Administrator Se Login Karo(.\admininstrator) Aur Password
Vohi Jo Naya DSRM Main Rakha Tha CMD Ke Through
Ab 'msconfig' main safe boot off karna hai aur normally restart karo
Ab Dekhege Backup Kyu Kiya Tha
Koi Bhi Ek Bane Hue User Ko Delete Karo
Ab Safe Mode Main Boot Karo Same Pehle Jaise Kiya Tha Vaise
Local Administrator Se Login Karo
Ek Baar Safe Mode Hata Do Aur Exit Without Restart Karna
Ab 'wbadmin.msc' main aa jao
Ab Right Side Main Tumhara Backup Dikh Raha Hoga
Local Backup Pe Right Click Karke Recover Karo
Wizard Main "This Server" Selected Rakho
Fir Next Karo
Next Karo Vapas
System State Select Karo
Original Local Selected Rakho Fir Next Karo
Aur Next Karke Recover Karo
Ye Recover Karne Ke Baad Vo User Jo Delete Kiya Tha Vo Vapas Aajyega

28 Feb
Practical - DC Clone
VM1(DC) Main Jao
ADUC Main Jao
Domain Controllers Folder Main Jao
Right Click Karo Aur Add To Group Karo
Clone Type Karo Aur Check Names Karke Enter Karo
Ab Ek Command Run Karna Hai Jo Sir Ne De Ke Rakha Hai
2nd Command Run Karna Hai(New-ADDSCLone.... Jaisa Kuch Hai)
 Ab Ek File Banegi C Drive Main Windows Folder Main NTDS Folder Main clone.xml
type kuch naam hoga
Ye File Bann Ne Ke Baad VM1 Band Kardena
VM1 Ko Export Karege D Drive Main Export Folder Main
Ab Naya Machine Banayege Import Se Vohi Jagah Se Jaha Export Kiya Tha
Copy With Unique ID Dhyan Rakhna
Iska Logic
Ye Cloned VM Use Hoga Experimental Aur R&D Purposes Ke Liye
Error While DC Cloning
3 Mar
Password Policy
Go to gpmc.msc
Find 'Default Domain Policy'
RIght Click Edit
Go to Windows Configuration
Go to Policies -> Windows Settings -> Security Settings -> Account Policy -> Password
Policy

Practical - How To Change Password Of A User Created In ADUC

Login User Through VM2
Press Ctrl+Alt+Insert And Select Change A Password
Now then change password
Practical - Fine-grain password policy
Scenario
Changing password policy for a particular user
Practical
Go to Active Directory Administrative Center under Tools
Choose List View
 Expand IT.LOCAL
Expand System
Select Password Settings and right click and select 'New' and select 'Password
Settings'
Give 'testing' name and '1' in precedence(priority)
Change Minimum Password Age To 5
Now click on Add in bottom right of the wizard and add the user you want to
enforce the new customized policy on.
Now run 'gpupdate /force' in cmd
Now the user you added here will work according to the customized password
policy and every other user will follow the default domain policy
Practical - Remote Desktop Connection
Scenario

4 Mar
Windows Deployment Server
Windows Deployment Services (WDS) is a role in Windows Server that allows
network-based installation of Windows operating systems.
It works closely with Active Directory Domain Services (AD DS) to streamline the
deployment of Windows clients and servers across a network.

Prerequisites
ADDS And Domain Controller Properly Configured(Done)
DHCP Configured(Ek Scope Banake Rakho 100 Se 150 Ka)
25 GB Ka Partition Banalo
WDS Feature Add Kardo
Open Windows Deployment Services from Tools
Practical
Windows Deployment Services Console Main Jao
Usme Servers Main VM1 Pe Right Click Karke Configure Server Karo
Next Karo
Fir Jo Selected Hai Vo Rehne Do
Fir Next Karo Aur Path Dekhlena Ek Baar Kyuki Vaha Pe ISO Transfer Karni Padegi
Doubt

Fir Next Karte Jana Bas Isme Respond To All Client Computers Select Karlena
Fir Finish Karke VM1 Pe Right Click Karke All Tasks Main Start Karna Aur DHCP Main
Jana
PXE Client Naya Bana Hai
Ab Scope Properties Main Jao
Both Choose Karo
Ok Karo
Ab WDS Main Aa Jao
Aage Badhne Ke Pehle D Drive Honi Chahiye
Ab WDS Main Jao
Install Images Main Jao
Vaha New Image Karo Aur Fir Ek Name Dedo Accordingly Aur Uske Baad Next Karke
Browse Karo Aur D Drive Main Sources Folder Main Jao Aur Usme install.vim file
choose karlo
Ab Select Karne Ka Aayega 4 Options
Unka Matlab

Sirf 2nd Option Choose Karna Hai Baaki Untick Kardena

Ab Next Next Karke Installation Shuru Kardo
Ab Finish Hone Ke Baad
Boot Images Main Jao Aur New Boot Images Main boot.vim image select karlo aur
usko add kardo
 Fir Ek Naya VM Banao Usme I Will Install An Operating System Later Aur Baaki Sab
Same Rakhna Bas Network Main Bridge Kardena
VM Banne Ke Baad Run Karo Usme Thoda Loading Hoga Aur F12 Dabane Bolega
Tab Turant Daba Dena Fir Contacting Server Aayega Thodi Der Lagegi Aur Ye Aayega

Fir Run Hoga Like Usual

5 Mar
DFS
Distributed File System
Practical - Creating Problem And Understanding Scenario
VM2 Aur VM3 ek ek folder banao dono main aur eveyone ke liye share kardo with full
control
Ab Koi Client VM Main Chale Jao(Sir Ne Windows 10 Use Kiya Hai)
Ab Iss Scenario Main Humko Har Ek Server Ka IP Yaad Rakhna Padega Aur
Considering Ki Corporate Main Bohot Saare Folders Hoge Aur Unke Bohot Sare
Servers Toh Tab DFS Kaam Aayega.
Practical - Actual DFS
VM1 Main DFS Namespace Feature Add Karo
DFS Management Main Jao
Usme Namespace Pe Right Click Karke Add New Namespace
Baadme vm1.it.local likho namespace server tab main aur next karo
 Fir 'Data' naam rakho aur iss data ke madad se client pura merged folders aur shared
servers access kar payega aur next karo
Ab tumhe name dikhega jis se client access kar payega (Eg.\\IT.LOCAL\Data) fir next
karo
Ab Create karlo
Ab Jo Namespace bana hai uspe double tap karo aur right click karo
Fir New Folder Select Karlo
Abhi Ke Liye ABC Name Dedo Aur Folder Target Main '\VM3\ABC' aur '\VM2\XYZ' add
kardo.
Disk Quota
Home Folder Banalo Pehle
Teen Users Ko Ek Hi Folder Assign Kardo
Folder Ka Path Banate Waqt -> \\vm1\test%username%
Ab Isme Vo User Ko Puri Drive Jisme Test Folder Banaya Hai Uska Access Mil Jayega
Humko uspe restriction lana padega
Ab Uss Drive Main Jaa Ke Right Click Karke Properties Main Jaa Ke Quota Main
'Enable Quota Management'
Fir Dono Tick On Rakhna Ab Limit Disk Space To 10GB Aur Set Warning Level To 9.5
GB
Ab Teeno Users Disk Ka 10 GB Hi Use Kar Payege.
Aur 9.5 GB Usage Pe Warning Aajayega

6 Mar
Map Drive
Simple Folder Share Karo VM1 Se
Uske Baad VM2 Se Access Karo
Win+R Main \\ matlab network folder ko access kar rahe hai aur '\' single slash matlab
local resource ko access kar rahe hai
Ab VM2 Se Shared Folder Access Karo Aur Folder Pe Right Click Karke Map Network
Drive Karo Fir Drive Letter Ka Option Milega
Abhi Ke Liye Z choose karlo map kardo
Ab vo folder ko Z letter assign hojayega aur restart ke baad bhi vaha pe hi rahega
FSRM
File Server Resource Manager
File Screening(FSRM Feature)
Certificates Ka Kuch Tha
7 Mar
EFS
Scenario
A1 user ne ek personal file create ki hogi aur vo kisi aur ko uska access nahi
milega unless ki uske pass certificate ho
Actual Practical
VM2 Main A1 Main Login Karke Ek Folder Banao Aur Usme Main Ek Text File
Banao
Fir Windows R Karke mmc likha
Fir File Main Jaa Ke Add Snap-In Main Jao
Ab Certificates Ko Add Kardo
Fir File Main Jaa Ke Certificates Ke Naam Se Save Kardo
Toh Baar Baar Certificates Dhund Na Nahi Padega
Ab Uss Folder Ko Encrypt Karo
Folder Ke Properties Main Jao Fir Advanced Main Jaa Ke Encrypt Karo Aur Apply
To All Subfolder,Files Wala Select Karo
Ab File Aur Folder Ko Certificate Mil Jayega
Ab Certificates(Desktop Wala) Main Personal Main Jao Refresh Karo Toh
Certificate Generate Ho Gaya Hoga
Ab Usko Open Karo
Uske Details Tab Main Tumko Certificate Ka Unique Number Mil Jayega
Abhi As Of Now Tum Uss Folder Ko Sirf A1 Se Access Kar Sakte Ho.
A2 Se Login Karke Check Karlo Text File Open Karneka Fir 'Access Is Denied'
Milega
Abhi Agar A2 Ko Access Deni Hai Toh A1 Se Certificate Import Karna Hoga Aur
A2 Se Export Karna Hoga
Toh Pehle A1 Ke Certificates Tab Main Jaa Ke Uss Particular Certificate Ko Right
Click Karke Export Karo Fir Location Choose Karlena
Ab A2 Main Login Karo Aur Jaise Certificates Ka Shortcut Banaya Tha MMC Se
Waise Bana Do Pehle
Ab A2 Main Jaa Ke Jaha Certificate Export Kiya Tha Vaha Jaake Uss Certificate
Pe Double Tap Karo Aur Import Karo
Ab A2 Ke Paas A1 Ke Uss Particular File Aur Folder Ka Certificate Mil Jayega Aur
Vo Uss Encrypted File Ko Access Kar Payega
Unique Scenario
Samjho Tumne A1 Main Login Karke Certificates Ke List Main Se Vo Folder Wala
Certificate Delete Kar Diya Toh A1 Bhi Uss File Ko Access Nahi Kar Payega
 Chaahe A1 Ne Hi Uss Folder Ko Banaya Aur Encrypt Kiya
Agar delete hone ke baad a1 ko access dilana hai toh tumko A1 se login karke
vapas certificate ko import karna padega toh hi usko access mil payega file aur
folder ka

10 Mar
Software Management Using GPO
Sir Ne Ek Folder Main .msi file hai usko ek folder main store karke uss folder ko share
kar diya hai
Ek Nayi Group Policy Create Karneka Software Managment Naam Se
Ab Uspe Edit Karke
User Main Jaa Ke Software Settings Main Jaa Ke Software Installation Main Right
Click Karke New Main Package Select Karo
Ab Uss Software Ko Browse Karke Select Karo
Assigned Select Karo
Aur Ab Jo Nayi File Bani Hogi Software Installation Main Uspe Right Click Karke
Properties Main Gaye Deployment Tab Main 'Install this application at logon' ko tick
karna
Ab Apply Karke cmd main gpupdate /force run karlo
Ab gpmc.msc wale tab main chale jao aur Ab Accounts Ya Koi Bhi OU Pe Right Click
Karke Assign An Existing GPO Main Software Management Select Karlege
Ab Accounts Wale Kisi OU Se Login Karege Toh Login Pe Hi Backend Pe 7ZIP Install
Hojayega
Reset Default Domain Controllers Policy To Default Settings
Assume ki bohot saari policies main changes kiye hai
Abhi ke liye control panel restrict karne wali policy ko enable karde ge dono policies
main(default domain and default domain controller)
Now run dcgpofix in cmd
Yes/No ka puchega do baar toh do baar yes karna fir restart kardena system toh jo bhi
policies modify ki thi vo reset hojayegi

11 Mar
12 Mar
Sub Domain And Child Domain

First time domain banate hai vo forest root banta hai

Child Domain banana hai matlab 'Central Gov.' aur child domain ya sub domain matlab
'State Gov.'
Ye Banate hai Administrative Rights ko delegate karne ke liye kyuki central government har
jagah nahi pohoch sakti
Iske Liye Vm2 Ko Member Banao
Usme ADDS install karo
Ab Domain Controller Promotion Wale Wizard Main Jao Aur First Step Pe Add A New
Domain(2nd Option) Select Karo Aur New Domain Name Main CH Karo Aur Enter Karo
DSRM Main Jo Password Dalna Hai Vo Dalo
Ab DNS Server Ko Untick Karna Toh Domain Ka DNS Server Ka Role Main Domain
Controller(VM1) ko milega
Ab Next Next Karke Jaane Do Aur System Restart Karo
Domain Naming Master Aur Schema Master Wale Role Dono Forest Root Ka Role VM1 Ko
Milega Baaki Sab VM2(Child Domain) Ko Milega
This below mentioned screenshot can be a proof of proper installation of the child domain

Schema Master Ka Kaam

Schema Master matlab city ka main architect matlab vo blueprint decide karega jiss
hisaab se sheher main buildings banegi,drainage system kaise hoga
Ussi hisaab se entire domain main kon kya kar payega aur kis hierarchy main kaam
chalega uska lena dena Schema Master ka kaam hai
Domain Naming Master Ka Kaam
 Imagine this as the registry office.
Domain main same naam wale koi entries na ho jiss duplicate entries ke kaaran
domain main name ka koi bhi conflict ho uska kaam Domain Naming Master hai
PDC
Saare members aur computers main time synchronization ka kaam hai PDC ka.
RID
Sabhi new objects ko SID dene ka kaam RID ka hai
Infrastructure Master
Pass
Child Domain Main Enterprise Admins Aur Schema Admins Wala Group Nahi Milega

SRV Records Of Child Domain

DNS Ke Yeh Sabhi Records 'ntds.dit' file main hi hoga jaha ADDS ka database hota hai
Ab ntds.dit file ko access karne ke liye ADSI Edit Main Jao aur fir connect to main schema
select karo aur on karo 'Select a well known naming context' main
Isme Alag Alag Schemas Ko Explore Karwaya
Hierarchy
Forest Root Main Child Domain Se Login Nahi Kar Sakte Lekin Child Domain Main
Forest Root Ke Admin Se Login Kar Sakte Hai
Configuring DNS In ADSI Edit
DNS Has Two Divisions
1.Domain DNS(Domain Wide Replication) and 2.Forest Root DNS(Forest Wide
Replication)
First we will open Domain DNS Files inside the ntds.dit file
Enter the below mentioned code inside the 'Connect To' wizard in ADSI Edit
Enter this and expand 'microsoftdns' and here you will see the files.
Now we will see the files of msdcs matlab Forest DNS
 Forest Wide DNS Ki Entries Ke Liye Ye Wala Command ADSI Edit Main Connect To
Wale Wizard Main Run Karo
Dc=it,dc=local add karna
Isme Same Microsoft DNS Main msdcs.it.local main forest wide dns files milegi
Agle lecture main configuration schema ko explore karege

18 Mar
Active Directory Snapshot
Samjho tumne koi progress ki hai Active Directory feature install karne ke baad toh voh
sab progress save ho toh uss point pe snapshot le lege
Ek OU Banao HR Naam with 3 users
Go to cmd
ntdsutil
? karke ek baar check karlo kya options hai
Activate Instance ntds aur enter maro
Snapshot command likhlo
Ab 'Create' Likho
Snapshot ban jayega
Ab List All karo check karne ke liye
Abhi 2 cheeze aa rahi hogi
Jiske aage C: hoga vo apna snap
Ab iss snapshot ko mount karege
Toh uske left main jo number hai vo 'Mount number ' aur run karo
Ab file manager main mount ho gaya hoga snap
Ab quit karke bahar aajao ntdsutil ke aur cmd ke main page pe aajao
Ab 'dsamain -dbpath "NTDS Folder Ka Path Jo Mounted Snapshot Main Hai
Vo\ntds.dit -ldapport 3000' ye command run karo
Ye command mounted snapshot ke ntds.dit file ko open karega
Ab ADUC Main jaa ke kuch banao naya ou 'New' naam ka aur usme do users banado
Ab ADUC ke IT.LOCAL pe right click karo aur Change Domain Controller Select karo
'This domain controller' wala option select karo aur type here main Entry likho
'vm1.it.local:30000' aur enter karo aur ok karo ab snapshot revert hogaya hoga matlab
 jo bhi entries snapshot ke baad banayi vo nahi dikhegi ab
Ye snapshot sirf moderation ke liye kaam aata hai naa ki revert karne ke liye

19 Mar
Child Domain With DNS Setup At Child Domain Itself
Group Scopes Explained
S1 S2 - Users of child domain
A1 A2 - Users of forest root
Ek group banaya hai usko Domain Local type diya hai aur usme koi bhi user add kar
sakte hai
Aur ek group banaya hai usko Global scope diya hai usme A1 hi add kar sakte hai
kyuki usme Local Domain ke users hi add kar sakte hai
Domain Local Group Ka Use Scenario
Forest root main ek folder share kiya aur usko Child Domain ke users ko access
dena hai toh Domain Local wale group ko access de dege toh S1 S2 ko bhi uss
folder ka access mil jayega
Global Group Ka Use Scenario
A1 user ko child domain ka administrator banana hai jo ki global group se hi hoga
A1 ko global group main add karo aur child domain wale administrators wale
group main A1 ko add karo
Ab A1 se login karo child domain main.
Samjho Central Government(Forest Root) aur State Gov(Domain Local) hai
Ab tum central government main ho aur tumhe A1 naam ke user ko State
Government main add karna hai as a head of some department,
Toh iss case main tum A1 ko child domain ka admin banayege

20 Mar
Routing
Scenario
Teen PC Hai jisme se do pc alag alag network pe hai
PC-1 10.0.0.1(VM1)
PC-3 192.168.1.1(VM3)
PC2 - Router banega
Ye sab same switch main hai
Practical
VM1 Aur VM3 Main IP Dedo
 Ab VM2 Main Jaake Ek Naya Adapter Add Karo
Ab VM2 main do adapter hoge
Ek apapter main 10.0.0.100 ip dedo aur dusre main 192.168.1.100 dege
VM2 Main Remote Access Wala Role Add Karna
Next Next Karke Routing Select Karna(2nd Option)
Also 1st Option Bhi Select Hojayega Automatically
Ab VM2 Se VM1 Aur VM3 Pe Ping Maaro
Aur VM1 Se VM3 Pe Ping Maaro(Failure Aayega)
VM2 Main "Routing And Remote Access" tool ko open karo
VM2(Local) pe right click karo aur usme 'Configure and enable routing and
remote access' pe click karo
Ab Next Karo Aur LAN Routing Select Karo
Ab Next Karke Finish Karo
Ab Isme Left Side IPV4 ke under General Main Jaake Dekho
Ab VM1 Main Gateway 10.0.0.100 dena hai
Aur Aapas Main Sab PC Ko Ping Karke Check Karo

24 Mar