active directory interview questions with answers

Upload: kamlesh-kumar-mishra

Post on 15-Oct-2015


  • 5/26/2018 Active Directory Interview Questions With Answers

    1/367

    Active Directory Interview questions with answers

    Learn about basic Active Directory functionality. Happy learning!!!

    Below are the Active Directory interview questions and answers. However, there are more interview questions:

    Wintel / AD Interview Questions - http://yourcomputer.in/wintel-interview-questions-and-answers/

    Windows Cluster Interview questions - http://yourcomputer.in/windows-cluster-interview-questions-and-answers/

    Personal Interview Questions - http://yourcomputer.in/personal-interview-questions-answers/

    What is Global Catalog and its function?

    The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

    The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest.

    Forest-wide searches. The global catalog provides a resource for searching an AD DS forest. Forest-wide searches are identified by the LDAP port that they use. If the search query uses port 3268, the query is sent to a global catalog server.

    User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication:

    o In a domain that operates at the Windows 2000 native domain functional level or higher, domain controllers must request universal group membership enumeration from a global catalog server.

    o When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.

    Universal Group Membership Caching: In a forest that has more than one domain, in sites that have domain users but no global catalog server, Universal Group Membership Caching can be used to enable caching of logon credentials so that the global catalog does not have to be contacted for subsequent user logons. This feature eliminates the need to retrieve universal group memberships across a WAN link from a global catalog server in a different site.

    Exchange Address Book lookups. Servers running Microsoft Exchange Server rely on access to the global catalog for address information. Users use global catalog servers to access the global address list (GAL).

    What are the components of Logical AD?

    The logical parts of Active Directory include forests, trees, domains, OUs and global catalogs.

    Domain: It is still a logical group of users and computers that share the characteristics of centralized security and administration. A domain is still a boundary for security: this means that an administrator of a domain is an administrator for only that domain, and no others, by default.

    Tree: a tree is a collection of Active Directory domains that share a contiguous namespace.

    Forest: a forest is the largest unit in Active Directory and is a collection of trees that share a common Schema. In a forest all trees are connected by transitive two-way trust relationships, thus allowing users in any tree access to resources in another for which they have been given appropriate permissions and rights. By default the first domain created in a forest is referred to as the root domain.

    What are the different partitions in AD? Explain all.

    The Active Directory database is logically separated into directory partitions:

    Schema partition

    Configuration partition

    Domain partition

    Application partition

    Each partition is a unit of replication, and each partition has its own replication topology. Replication occurs between replicas of a directory partition. A minimum of two directory partitions are common among all domain controllers in the same forest: the schema and configuration partitions. All domain controllers which are in the same domain, in addition, share a common domain partition.


    Schema Partition

    Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. The schema partition contains definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the attribute definitions.

    Configuration Partition

    There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.

    Domain Partition

    Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.

    Application Partition

    Application partitions store information about applications in Active Directory. Each application determines how it stores, categorizes and uses application-specific information. To prevent unnecessary replication to specific application partitions, you can designate which domain controllers in a forest host specific application partitions. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.

    As an example of application partition, if you use a Domain Name System (DNS) that is integrated with Active Directory, you have two application partitions for DNS zones - ForestDNSZones and DomainDNSZones:

    ForestDNSZones is part of a forest. All domain controllers and DNS servers in a forest receive a replica of this partition. A forest-wide application partition stores the forest zone data.

    DomainDNSZones is unique for each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. The application partitions store the domain DNS zone in the DomainDNSZones<domain name>.

    Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition. No DNS data is replicated to the global catalog server.

    Different types of Disk partition?

    How many types of RAID are there? Explain any advantage and disadvantage.

    http://yourcomputer.in/what-is-raid-configuration-in-windows/

    RAID Levels and Types

    RAID, an acronym of Redundant Array of Independent (Inexpensive) Disks, is the talk of the day. These are an array of disks to give more power, performance, fault tolerance and accessibility to the data, as a single storage system. It's not a mere combination of disks, but all the disks are combined providing a standard MTBF (mean time before failure) reliability scheme; otherwise chances are performance would be affected drastically if disks are not combined as a single storage unit.

    RAID Levels

    All the RAID types and models are commonly classified as RAID levels, since RAID represented by a higher number is regarded to be a superior, more efficient, high-performance array than the low numbered RAID. Hence the high security feature of RAID also depends on the RAID level you are using. RAID arrays not only provide the users with maximum security and reliability but also make sure that if a disk fails no data is lost. In-depth knowledge about RAID levels would help you through buying of RAID servers. Let's briefly discuss here the main RAID levels and classes:

    RAID 0 - Striping

    It is the Striped Disk Array with no fault tolerance, and it requires at least 2 drives to be implemented. Due to no redundancy feature, RAID 0 is considered to be the lowest ranked RAID level. Striped data mapping technique is implemented for high performance at low cost. The I/O performance is also improved as it is loaded across many channels. Regeneration, Rebuilding and functional redundancy are some salient features of RAID 0.

    RAID 1 - Mirroring

    It is the Mirroring (Shadowing) Array meant to provide high performance. RAID 1 controller is able to perform 2 separate parallel reads or writes per mirrored pair. It also requires at least 2 drives to implement a non-redundant disk array. High level of availability, access and reliability can be achieved by entry-level RAID 1 array. With full redundancy feature available, need of readability is almost negligible. Controller configurations and storage subsystem design is the easiest and simplest amongst all RAID levels.


    RAID 0+1

    It is the RAID array providing high data transference performance, with at least 4 disks needed to implement the RAID 0+1 level. It's a unique combination of striping and mirroring with all the best features of RAID 0 and RAID 1 included, such as fast data access and fault tolerance at single drive level. The multiple stripe segments have added high I/O rates to the RAID performance, and it is the best solution for maximum reliability.

    RAID 2 (ECC)

    It is the combination of Inherently Parallel Mapping and Protection RAID array. It's also known as ECC RAID because each data word bit is written to data disk, which is verified for correct data or correct disk error when the RAID disk is read. Due to special disk features required, RAID 2 is not very popular among the corporate data storage masses, despite the extremely high data transference rates.

    RAID 3

    RAID 3 works on the Parallel Transfer with Parity technique. The least number of disks required to implement the RAID array is 3 disks. In the RAID 3, data blocks are striped and written on data drives and then the stripe parity is generated, saved and afterwards used to verify the disk reads. Read and write data transfer rate is very high in RAID 3 array, and disk failure causes insignificant effects on the overall performance of the RAID.

    RAID 4

    RAID 4 requires a minimum of 3 drives to be implemented. It is composed of independent disks with shared parity to protect the data. Data transaction rate for Read is exceptionally high and highly aggregated. Similarly, the low ratio of parity disks to data disks indicates high efficiency.

    RAID 5

    RAID 5 is Independent Distributed parity block of data disks, with a minimum requirement of at least 3 drives to be implemented and N-1 array capacity. It helps in reducing the write inherence found in RAID 4. RAID 5 array offers highest data transaction Read rate, medium data transaction Write rate and good cumulative transfer rate.

    RAID 6

    RAID 6 is Independent Data Disk array with Independent Distributed parity. It is known to be an extension of RAID level 5 with extra fault tolerance and distributed parity scheme added. RAID 6 is the best available RAID array for mission critical applications and data storage needs, though the controller design is very complex and overheads are extremely high.

    RAID 7

    RAID 7 is the Optimized Asynchrony array for high I/O and data transfer rates and is considered to be the most manageable RAID controller available. The overall write performance is also known to be 50 to …0% better and improved than the single spindle array levels, with no extra data transference required for parity handling. RAID 7 is registered as a standard trademark of Storage Computer Corporation.

    RAID 10

    RAID 10 is classified as the futuristic RAID controller with extremely high Reliability and performance embedded in a single RAID controller. The minimum requirement to form a RAID level 10 controller is 4 data disks. The implementation of RAID 10 is based on a striped array of RAID 1 array segments, with almost the same fault tolerance level as RAID 1. RAID 10 controllers and arrays are suitable for uncompromising availability and extremely high throughput required systems and environment.

    With all the significant RAID levels discussed here briefly, another important point to add is that whichever level of RAID is used, regular and consistent data backup maintenance using tape storage is a must, as regular tape storage is the best media to recover from a lost data scene.

    What is FSMO Roles?

    Click here to know about FSMO in detail: http://yourcomputer.in/fsmo-roles/

    How to find which server holds which role?

    Netdom query FSMO

    How can we do replication monitoring?

    The Active Directory Replication Monitor, replmon.exe, is part of the Windows 2000 Support Utilities available on the Windows 2000 Server CD in the \SUPPORT\TOOLS folder. Primary uses of replmon:

    Check for replication errors

    Run the KCC (Knowledge Consistency Checker) to check replication topology

    Synchronize each directory partition with all servers

    Generate status reports on replication info on servers

    List domain controllers

    Check Group Policy Object status

    Choose performance counters to be monitored

    List server hosting Global Catalog

    List bridgehead servers

    Display trust relationships

    List AD meta-data info

    How can we diagnose any issue related to AD replication?

    What is intersite and intrasite replication? Explain.

    http://technet.microsoft.com/en-us/library/cc755994(WS.10).aspx

    What is Authoritative and Non-authoritative restoration?


    Active Directory is backed up as part of system state, a collection of system components that depend on each other. You must back up and restore system state components together.

    Components that comprise the system state on a domain controller include:

    System Start-up Files (boot files). These are the files required for Windows 2000 Server to start.

    System registry.

    Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.

    SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:

    o NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for non-Windows 2000-based network clients.

    o User logon scripts for Windows 2000 Professional-based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.

    o Windows 2000 GPOs.

    o File system junctions.

    o File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.

    Active Directory. Active Directory includes:

    o Ntds.dit: The Active Directory database.

    o Edb.chk: The checkpoint file.

    o Edb*.log: The transaction logs, each 10 megabytes (MB) in size.

    o Res1.log and Res2.log: Reserved transaction logs.

    Note: If you use Active Directory-integrated DNS, then the zone data is backed up as part of the Active Directory database. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, zone data is backed up as part of the system disk. If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state.

    Non-authoritative restore of Active Directory

    A non-authoritative restore returns the domain controller to its state at the time of backup, then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.

    Non-authoritative restore is the default method for restoring Active Directory, and you will use it in most situations that result from Active Directory data loss or corruption. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode.

    Non-authoritative restore of SYSVOL

    When you non-authoritatively restore the SYSVOL, the local copy of SYSVOL on the restored domain controller is compared with that of its replication partners. After the domain controller restarts, it contacts its replication partners, compares SYSVOL information, and replicates any necessary changes, bringing it up-to-date with the other domain controllers within the domain.

    Perform a non-authoritative restore of SYSVOL if at least one other functioning domain controller exists in the domain. This is the default method for restoring SYSVOL and occurs automatically if you perform a non-authoritative restore of the Active Directory.

    If no other functioning domain controller exists in the domain, then perform a primary restore of the SYSVOL. A primary restore builds a new File Replication service (FRS) database by loading the data present under SYSVOL on the local domain controller. This method is the same as a non-authoritative restore, except that the SYSVOL is marked primary.

    Authoritative restore of Active Directory

    An authoritative restore is an extension of the non-authoritative restore process. You must perform the steps of a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore has the ability to increment the version number of the attributes of all objects in an entire directory, all objects in a subtree, or an individual object (provided that it is a leaf object) to make it authoritative in the directory. Restore the smallest unit necessary; for example, do not restore the entire directory in order to restore a single subtree.

    As with a non-authoritative restore, after a domain controller is back online, it will contact its replication partners to determine any changes since the time of the last backup. However, because the version number of the object attributes that you want to be authoritative will be higher than the existing version numbers of the attribute held on replication partners, the object on the restored domain controller will appear to be more recent and therefore will be replicated out to the rest of the domain controllers within the environment.

    Unlike a non-authoritative restore, an authoritative restore requires the use of a separate tool, Ntdsutil.exe. No backup utilities - including the Windows 2000 Server system tools - can perform an authoritative restore.

    An authoritative restore will not overwrite new objects that have been created after the backup was taken. You can authoritatively restore only objects from the configuration and domain-naming contexts. Authoritative restores of schema-naming contexts are not supported.

    Perform an authoritative restore when human error is involved, such as when an administrator accidentally deletes a number of objects and that change replicates to the other domain controllers and you cannot easily recreate the objects. To perform an authoritative restore, you must start the domain controller in Directory Services Restore Mode.
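The difference between the two restore types, as an added example that is not part of the original page: a simplified Python model in which replication keeps whichever copy of an attribute has the higher version number. The DC names, the example.test DNs, the `AUTH_VERSION_BUMP` value and the version-only comparison are assumptions made for illustration.

```python
"""Simplified model of non-authoritative vs authoritative restore (added example)."""
import copy
from dataclasses import dataclass, field

# Assumption: how far an authoritative restore raises version numbers. It only
# has to exceed the number of changes made since the backup was taken.
AUTH_VERSION_BUMP = 100_000


@dataclass
class Attr:
    value: object
    version: int


@dataclass
class DomainController:
    name: str
    objects: dict = field(default_factory=dict)  # DN -> {attribute name: Attr}

    def write(self, dn, attr, value):
        """Originating write: the attribute's version number goes up by one."""
        obj = self.objects.setdefault(dn, {})
        old = obj.get(attr)
        obj[attr] = Attr(value, old.version + 1 if old else 1)

    def create(self, dn, display_name):
        self.write(dn, "displayName", display_name)
        self.write(dn, "isDeleted", False)

    def delete(self, dn):
        # Deletion is itself a replicated change (the object becomes a tombstone).
        self.write(dn, "isDeleted", True)

    def is_live(self, dn):
        obj = self.objects.get(dn)
        return bool(obj) and not obj["isDeleted"].value


def replicate(src, dst):
    """dst takes every attribute whose version is higher on src.
    Simplification: this model compares version numbers only."""
    for dn, attrs in src.objects.items():
        target = dst.objects.setdefault(dn, {})
        for name, attr in attrs.items():
            current = target.get(name)
            if current is None or attr.version > current.version:
                target[name] = Attr(attr.value, attr.version)


def sync(a, b):
    replicate(a, b)
    replicate(b, a)


def mark_authoritative(dc, subtree):
    """Raise the version of every attribute of every object under `subtree`."""
    for dn, attrs in dc.objects.items():
        if dn.endswith(subtree):
            for attr in attrs.values():
                attr.version += AUTH_VERSION_BUMP


def scenario(authoritative):
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    ou = "OU=Sales,DC=example,DC=test"        # constructed sample names
    alice, bob = "CN=alice," + ou, "CN=bob," + ou

    dc1.create(alice, "Alice")
    sync(dc1, dc2)
    backup = copy.deepcopy(dc1.objects)       # system state backup of DC1

    dc2.delete(alice)                         # accidental deletion ...
    dc2.create(bob, "Bob")                    # ... and a new object after the backup
    sync(dc1, dc2)                            # the deletion reaches DC1 as well

    dc1.objects = copy.deepcopy(backup)       # non-authoritative restore step
    if authoritative:
        mark_authoritative(dc1, ou)           # extra step, restricted to one subtree
    sync(dc1, dc2)                            # DC1 is back online

    return {
        "alice_on_dc1": dc1.is_live(alice),
        "alice_on_dc2": dc2.is_live(alice),
        "bob_on_dc1": dc1.is_live(bob),
    }


if __name__ == "__main__":
    print("non-authoritative:", scenario(authoritative=False))
    print("authoritative:    ", scenario(authoritative=True))
```

In the non-authoritative run the replicated deletion overwrites the restored copy; in the authoritative run the restored object replicates out again, and the object created after the backup survives in both runs.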

    Authoritative restore of SYSVOL

    By authoritatively restoring the SYSVOL, you are specifying that the copy of SYSVOL that is restored from backup is authoritative for the domain. After the necessary configurations have been made, Active Directory marks the local SYSVOL as authoritative and it is replicated to the other domain controllers within the domain.

    The authoritative restore of SYSVOL does not occur automatically after an authoritative restore of Active Directory. Additional steps are required.

    As with Active Directory authoritative restore, you typically perform an authoritative restore of SYSVOL when human error is involved and the error has replicated to other domain controllers. For example, you might perform an authoritative restore of SYSVOL if an administrator has accidentally deleted an object that resides in SYSVOL, such as a Group Policy object.

    http://yourcomputer.in/authoritative-vs-non-authoritative-restoration-of-active-directory

    http://technet.microsoft.com/en-us/library/bb727048.aspx

    How to restore the AD?

    http://technet.microsoft.com/en-us/library/bb727048.aspx

    What is Tombstone period?

    The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a "tombstone") is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.

    In Microsoft Windows Server 2003 R2, the default tombstone lifetime (TSL) value remains at 60 days.

    Note: In Windows Server 2003 Service Pack 1, the default TSL value has increased from 60 days to 180 days.

    What are Lingering Objects?

    Lingering objects can occur if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL). The domain controller then reconnects to the replication topology. Objects that are deleted from the Active Directory directory service when the domain controller is offline can remain on the domain controller as lingering objects.

    What is the difference between 2003 and 2008?

    http://yourcomputer.in/difference-between-windows-2003-and-2008/

    2008 is a combination of Vista and Windows 2003 R2. Some new services are introduced in it:

    1. RODC, one new domain controller, is introduced in it (Read-only Domain Controllers).

    2. WDS (Windows Deployment Services) instead of RIS in 2003 server

    3. Shadow copy for each and every folder

    4. Boot sequence is changed

    5. Installation is 32 bit, whereas in 2003 it is 16 as well as 32 bit; that's why installation of 2008 is faster

    6. Services are known as roles in it

    7. Group policy editor is a separate option in ADS

    2) The main difference between 2003 and 2008 is virtualization and management.

    2008 has more inbuilt components and updated third party drivers. Microsoft introduces a new feature with 2k8, that is Hyper-V. Windows Server 2008 introduces Hyper-V (V for Virtualization), but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine. If you like this exciting technology, make sure that you buy an edition of Windows Server 2008 that includes Hyper-V, then launch the Server Manager, add Roles.

    3) In Windows Server 2008, Microsoft is introducing new features and technologies, some of which were not available in Windows Server 2003 with Service Pack 1 (SP1), that will help to reduce the power consumption of server and client operating systems, minimize environmental byproducts, and increase server efficiency.

    Microsoft Windows Server 2008 has been designed with energy efficiency in mind, to provide customers with ready and convenient access to a number of new power-saving features. It includes updated support for Advanced Configuration and Power Interface (ACPI) processor power management (PPM) features, including support for processor performance states (P-states) and processor idle sleep states on multiprocessor systems. These features simplify power management in Windows Server 2008 (WS08) and can be managed easily across servers and clients using Group Policies.

    What Is Strict Replication and How Do You Enable?

    Strict Replication is a mechanism developed by Microsoft developers for Active Directory Replication. If a domain controller has the Strict Replication enabled, then that domain controller will not get "Lingering Objects" from a domain controller which was isolated for more than the TombStone Life Time. TSL is 180 days by default on a Forest created with Windows Server 2003 SP1. A domain controller shouldn't be out of sync for more than this period. Lingering Objects may appear on other domain controllers if replication happens with the outdated domain controllers. These domain controllers will not replicate with the outdated domain controllers if you have set the below mentioned registry key. You must set the following registry setting on all the domain controllers to enable the Strict Replication:

    KEY Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

    Registry Entry: Strict Replication Consistency

    Value: 1 (enabled), 0 (disabled)

    Type: REG_DWORD

    What are the new features of Win2008?

    How many flavours of Win2k8?

    Feature | Windows Server 2008 Web Edition | Windows Server 2008 Standard Edition | Windows Server 2008 Enterprise Edition | Windows Server 2008 Datacenter Edition

    Supersedes | Windows Server 2003 Web Edition | Windows Server 2003 R2 Standard Edition; Windows Server 2003 R2 Standard x64 Edition | Windows Server 2003 R2 Enterprise Edition; Windows Server 2003 R2 Enterprise x64 Edition | Windows Server 2003 Datacenter Edition; Windows Server 2003 Datacenter x64 Edition

    Hyper-V virtualization technology | Not included | Included[1] | Included[1] | Included[1]

    OS instances permitted per server license | One instance (physical or virtual) | One physical instance plus one virtual instance[2] | One physical instance and up to 4 virtual instances[2] | Unlimited number of instances

    Maximum server RAM supported[3] | 32-bit: 4GB; 64-bit: 32GB | 32-bit: 4GB; 64-bit: 32GB | 32-bit: 64GB; 64-bit: 2TB | 32-bit: 64GB; 64-bit: 2TB

    Maximum number of CPUs | 4 | 4 | 8 | 64

    Hot swap RAM and CPUs | No | No | No | Yes

    Cluster Service (failover) | No | No | Yes, up to 16 nodes per cluster | Yes, up to 16 nodes per cluster

    Terminal Server | No | Yes[5] | Yes | Yes

    Network Access Protection | No | Yes[6] | Yes | Yes

    U.S. estimated retail price[7] | US$470 per server (available only without Hyper-V) | US$800 per server (US$772 without Hyper-V) | US$3000 per server (US$2972 without Hyper-V) | US$3000 per processor (US$2972 per processor without Hyper-V)

    CALs or External Connector required | No | Yes | Yes | Yes

    How do you find the server that holds DHCP?

    How to configure the DHCP server?

    If users are not getting IP from the DHCP servers, what steps do you take to fix the issue?

    What is the process of a user getting IP from the DHCP Server?

    DORA PROCESS

    DISCOVER: When a client is configured with the IP setting to obtain an IP address automatically, the client will search for a DHCP server and send a UDP broadcast about the DHCP discover.

    OFFER: The DHCP server will offer a scope of IP addresses available in the pool.

    REQUEST: In response to the offer, the client will request an IP address.

    ACKNOWLEDGE: In response to the request, the server will respond with all IP address, mask, gateway, DNS and WINS info along with the acknowledgment packet.

    DHCP Message Types

    DHCPDISCOVER

    This DHCP message type is used by the DHCP client to discover DHCP servers.

    DHCPOFFER

    This DHCP message type is used by the DHCP server to respond to a received DHCPDISCOVER message and also offers configuration details at that time.

    DHCPREQUEST

    This message comes from a client to the DHCP server to convey three various messages. The first is to request configuration details from one specific DHCP server, specifically rejecting offers from any other potential DHCP servers. Secondly, it can be used for verification of a previously used IP address after a system has undergone a reboot. Lastly, it can be used to extend the lease of a specific IP address.

    How can we seize roles?

    How can we transfer roles from one DC to another?

    What is Kerberos and its process?

    http://technet.microsoft.com/en-us/library/bb742516.aspx

    What does a system state backup contain?

    The following system components are backed up as System State data:

    Registry

    COM+ class registration database

    Boot files, including the system files

    Certificate services database

    Active Directory

    The system volume

    If the workstation is a domain controller, the following components are backed up:

    Active Directory (NTDS)

    The system volume (SYSVOL)

    If the workstation is a certificate server, then the related data is also backed up. Many security and other disasters can be fixed by restoring System State to a good configuration.

    How can you take the backup of a DC?

    Are you aware of the ITIL process?

    Explain the processes in ITIL like Incident Management, Change Management and Problem Mgmt?

    How do you do the patching?

    Do you know SCOM and its configuration?

    What is the ticketing tool used?

    How to upgrade the O/S?

    What are all the different modes of O/S?

    Kernel Mode

    In Kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system. Crashes in kernel mode are catastrophic; they will halt the entire PC.

    User Mode

    In User mode, the executing code has no ability to directly access hardware or reference memory. Code running in user mode must delegate to system APIs to access hardware or memory. Due to the protection afforded by this sort of isolation, crashes in user mode are always recoverable. Most of the code running on your computer will execute in user mode.

    What are all the files that contain the AD database?

    Windows 2000 Active Directory data store, the actual database file, is %SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory, including user accounts. Active Directory's database engine is the Extensible Storage Engine (ESE), which is based on the Jet database used by Exchange 5.5 and WINS. The ESE has the capability to grow to 16 terabytes, which would be large enough for 10 million objects. Back to the real world. Only the Jet database can manipulate information within the AD datastore.

    For information on domain controller configuration to optimize Active Directory, see Optimize Active Directory Disk Performance (http://web.archive.org/web/20060111135435/http:/www.windowsnetworking.com/nt/nt2000/atips/atips80.shtml).

    The Active Directory ESE database, NTDS.DIT, consists of the following tables:

    Schema table

    The types of objects that can be created in the Active Directory, relationships between them, and the optional and mandatory attributes on each type of object. This table is fairly static and much smaller than the data table.

    Link table

    Contains linked attributes, which contain values referring to other objects in the Active Directory. Take the MemberOf attribute on a user object. That attribute contains values that reference groups to which the user belongs. This is also far smaller than the data table.

    Data table

    Users, groups, application-specific data, and any other data stored in the Active Directory. The data table can be thought of as having rows, where each row represents an instance of an object such as a user, and columns, where each column represents an attribute in the schema such as GivenName.

    Any idea about virtualization technology?

    What is virtual memory?

    The purpose of virtual memory is to enlarge the address space, the set of addresses a program can utilize. For example, virtual memory might contain twice as many addresses as main memory. A program using all of virtual memory, therefore, would not be able to fit in main memory all at once. Nevertheless, the computer could execute such a program by copying into main memory those portions of the program needed at any given point during execution.

    To facilitate copying virtual memory into real memory, the operating system divides virtual memory into pages, each of which contains a fixed number of addresses. Each page is stored on a disk until it is needed. When the page is needed, the operating system copies it from disk to main memory, translating the virtual addresses into real addresses.

    Important port nos. like FTP, Telnet, RDP and DNS?

    What is heartbeat?

    What is the difference between NTFS and share permissions? What is SS?

    Are you aware of Volume Shadow Copy? Please explain.

    Can we use a Linux DNS Server in a 2000 Domain?

    GPMC & RSOP in Windows 200?

    How to use the recovery console?

    How to take DNS and WINS, DHCP backup? What is the use of terminal services?

    And its mode? How is Active Directory scalable?

    What is multimaster replication?

    Multimaster Replication

    Active Directory uses multimaster replication to accomplish the synchronization of directory information. True multimaster replication can be contrasted with other directory services that use a master-slave approach to updates, wherein all updates must be made to the master copy of the directory and then be replicated to the slave copies. This system is adequate for a directory that has a small number of copies and for an environment where all of the changes can be applied centrally. But this approach does not scale beyond small-sized organizations, nor does it address the needs of decentralized organizations. With Active Directory, no one domain controller is the master. Instead, all domain controllers within a domain are equivalent. Changes can be made to any domain controller, unlike a single-master system, where changes must be made to one server. In the single-master system, the primary server replicates the updated information to all other directory servers in the domain.

    With multimaster replication, it is not necessary for every domain controller to replicate with every other domain controller. Instead, the system implements a robust set of connections that determines which domain controllers replicate to which other domain controllers to ensure that networks are not overloaded with replication traffic and that replication latency is not so long that it causes inconvenience to users. The set of connections through which changes are replicated to domain controllers in an enterprise is called the replication topology.

    Multimaster update capability provides high availability of write access to directory objects because several servers can contain writable copies of an object. Each domain controller in the domain can accept updates independently, without communicating with other domain controllers. The system resolves any conflicts in updates to a specific directory object. If updates cease and replication continues, all copies of an object eventually reach the same value.

    The manner in which a directory service stores information directly determines the performance and scalability of the directory service. Directory services must handle a large number of queries compared to the number of updates they must process. A typical ratio of queries to updates is :1. By creating multiple copies of the directory and keeping the copies consistent, the directory service can handle more queries per second.

    Multimaster replication provides the following advantages over single-master replication:

    If one domain controller becomes inoperable, other domain controllers can continue to update the directory. In single-master replication, if the primary domain controller becomes inoperable, directory updates cannot take place. For example, if the failed server holds your password and your password has expired, you cannot reset your password and therefore you cannot log on to the domain.

    Servers that are capable of making changes to the directory, which in Windows 2000 are domain controllers, can be distributed across the network and can be located in multiple physical sites.

    Define each of the following names: DN, RDN, GUID, UPN. What is the primary reason for defining an OU?

    What is the difference between a site link and a connection object?

    What is the booting process?

    1. First is the POST; this stands for Power On Self Test, for the computer. This process tests memory as well as a number of other subsystems. You can usually monitor this as it runs each test. After that is complete, the system will run POST for any device that has a BIOS (Basic Input-Output System). An AGP has its own BIOS, as do some network cards and various other devices.

    2. Once the POST is complete and the BIOS is sure that everything is working properly, the BIOS will then attempt to read the MBR (Master Boot Record). This is the first sector of the first hard drive (called the Master or HD0). When the MBR takes over, it means that Windows is now in control.

    3. The MBR looks at the BOOT SECTOR (the first sector of the active partition). That is where NTLDR is located; NTLDR is the BOOT LOADER for Windows XP. NTLDR will allow memory addressing, initiate the file system, read the boot.ini and load the boot menu. NTLDR has to be in the root of the active partition, as do NTDETECT.COM, BOOT.INI, BOOTSECT.DOS (for multi-OS booting) and NTBOOTDD.SYS (if you have SCSI adapters).

    4. Once XP is selected from the Boot Menu, NTLDR will run NTDETECT.COM, BOOT.INI and BOOTSECT.DOS to get the proper OS selected and loaded. The system starts in 16-bit real mode and then moves into 32-bit protected mode.

    5. NTLDR will then load NTOSKRNL.EXE and HAL.DLL. Effectively, these two files are Windows XP. They must be located in %SystemRoot%\System32.

    6. NTLDR reads the registry, chooses a hardware profile and authorizes device drivers, in that exact order.

    7. At this point NTOSKRNL.EXE takes over. It starts WINLOGON.EXE, which in turn starts LSASS.EXE; this is the program that displays the Logon screen so that you can log on.

    Which command is used to create the application directory partition?

    DnsCmd ServerName /EnlistDirectoryPartition FQDN of partition

    Default settings for password policy

    What will be the next action plan if we get a hardware alert?

    What will be the next action plan if a customer reports that a server is down?

    What is Loopback Group Policy?

    Ans: Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.

    TCP/UDP ports used in Windows?

    Ans: http://yourcomputer.in/list-port-numbers-windows/

    Also click this link for more AD questions: http://yourcomputer.in/wintel-interview-questions-and-answers

    What is DHCP?

    Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network.

    What is the DHCP process for a client machine?

    1. A user turns on a computer with a DHCP client.

    2. The client computer sends a broadcast request (called a DISCOVER or DHCPDISCOVER), looking for a DHCP server to answer.

    3. The router directs the DISCOVER packet to the correct DHCP server.

    4. The server receives the DISCOVER packet. Based on availability and usage policies set on the server, the server determines an appropriate address (if any) to give to the client. The server then temporarily reserves that address for the client and sends back to the client an OFFER (or DHCPOFFER) packet, with that address information. The server also configures the client's DNS servers, WINS servers, NTP servers, and sometimes other services as well.

    5. The client sends a REQUEST (or DHCPREQUEST) packet, letting the server know that it intends to use the address.

    6. The server sends an ACK (or DHCPACK) packet, confirming that the client has been given a lease on the address for a server-specified period of time.
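
    The DISCOVER / OFFER / REQUEST / ACK exchange described above, including the use of DHCPREQUEST to pick one server and decline the others, as an added example that is not part of the original document. The server addresses, pools, MAC address and the "accept the first offer" rule are constructed assumptions; messages are passed in memory instead of over the network.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                     # magic cookie that precedes DHCP options
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"            # 236-byte fixed BOOTP header
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5       # values of option 53 (message type)
OPT_REQUESTED_IP, OPT_LEASE, OPT_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255


def ip(text):
    return bytes(int(part) for part in text.split("."))


def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", options=()):
    """Serialize one DHCP message: fixed header, magic cookie, then TLV options."""
    zero = ip("0.0.0.0")
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000,
                         zero, ip(yiaddr), zero, zero, mac, b"", b"")
    body = bytes([OPT_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC + body + bytes([OPT_END])


def parse(packet):
    """Decode a DHCP message, rejecting truncated or non-DHCP input."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    fields = struct.unpack(HEADER, packet[:236])
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                       # pad option: single byte, no length
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    if len(options.get(OPT_TYPE, b"")) != 1:
        raise ValueError("message type option missing or malformed")
    return {"op": fields[0], "xid": fields[4], "mac": fields[11][:6],
            "yiaddr": ".".join(str(b) for b in fields[8]),
            "type": options[OPT_TYPE][0], "options": options}


class Server:
    """Minimal DHCP server state: free pool, open offers, confirmed leases."""

    def __init__(self, server_id, pool, lease_seconds=3600):
        self.server_id, self.pool, self.lease = server_id, list(pool), lease_seconds
        self.reserved, self.leases = {}, {}      # MAC -> address

    def handle(self, packet):
        msg = parse(packet)
        mac = msg["mac"]
        common = [(OPT_SERVER_ID, ip(self.server_id)),
                  (OPT_LEASE, struct.pack("!I", self.lease))]
        if msg["type"] == DISCOVER and self.pool:
            self.reserved[mac] = self.pool.pop(0)          # temporary reservation
            return build(2, msg["xid"], mac, OFFER, self.reserved[mac], common)
        if msg["type"] == REQUEST:
            address = self.reserved.pop(mac, None)
            if address is None:
                return None
            if msg["options"].get(OPT_SERVER_ID) != ip(self.server_id):
                self.pool.insert(0, address)               # client chose another server
                return None
            self.leases[mac] = address
            return build(2, msg["xid"], mac, ACK, address, common)
        return None


def dora(mac, xid, servers):
    """Run one exchange against every server; return the parsed messages in order."""
    discover = build(1, xid, mac, DISCOVER)
    offers = [o for o in (s.handle(discover) for s in servers) if o]
    if not offers:
        raise RuntimeError("no DHCP server answered")
    chosen = parse(offers[0])                              # assumption: first offer wins
    request = build(1, xid, mac, REQUEST, options=[
        (OPT_REQUESTED_IP, ip(chosen["yiaddr"])),
        (OPT_SERVER_ID, chosen["options"][OPT_SERVER_ID])])
    replies = [r for r in (s.handle(request) for s in servers) if r]
    return [parse(m) for m in [discover, *offers, request, *replies]]


if __name__ == "__main__":
    a = Server("10.0.0.1", ["10.0.0.50", "10.0.0.51"])     # constructed sample servers
    b = Server("10.0.0.2", ["10.0.0.150"])
    for m in dora(b"\x02\x00\x00\xaa\xbb\xcc", 0x1234, [a, b]):
        print(m["type"], m["yiaddr"])
```

    Both servers reserve an address on DISCOVER; the server-identifier option in the REQUEST is what tells the second server to return its reserved address to the pool.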

    What is a DHCP scope?

    DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients.

    Types of scopes in Windows DHCP?

    Normal Scope: Allows A, B and C Class IP address ranges to be specified, including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.

    Multicast Scope: Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservation or other TCP/IP options. Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).

    Superscope: Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.

    What is Authorizing DHCP Servers in Active Directory ?

    If a DHCP server is to operate within an Active Directory domain (and is not

    running on a domain controller) it must first be authorized.

    This can be achieved either as part of the DHCP Server role installation, or

    subsequently using either DHCP console or at the command prompt using the

    netsh tool.

    If the DHCP server was not authorized during installation, invoke the DHCP

    console (Start -> All Programs -> Administrative Tools -> DHCP),

    right click on the DHCP to be authorized and select Authorize. To achieve the

    same result from the command prompt, enter the following command:

    netsh dhcp server serverID initiate auth

    In the above command syntax, serverID is replaced by the IP address or full

    UNC name of system on which the DHCP server is installed.

    What ports are used by DHCP and the DHCP clients ?

    Requests are on UDP port 68, server replies on UDP 67.

    List some Benefits of using DHCP

    DHCP provides the following benefits for administering your TCP/IP-based

    network:

    Safe and reliable configuration. DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network.

    Reduces configuration management. Using DHCP servers can greatly decrease time spent configuring and reconfiguring computers on your network. Servers can be configured to supply a full range of additional configuration values when assigning address leases. These values are assigned using DHCP options. Also, the DHCP lease renewal process helps assure that where client configurations need to be updated often (such as users with mobile or portable computers who change locations frequently), these changes can be made efficiently and automatically by clients communicating directly with DHCP servers.

    The following section covers issues that affect the use of the DHCP Server service with other services or network configurations:

    Using DNS servers with DHCP

    Using Routing and Remote Access servers with DHCP

    Multihomed DHCP servers

    Describe the process of installing a DHCP server in an AD infrastructure?

    Open Windows Components Wizard. Under Components, scroll to and click Networking Services. Click Details. Under Subcomponents of Networking Services, click Dynamic Host Configuration Protocol (DHCP) and then click OK.

    Click Next. If prompted, type the full path to the Windows Server 2003 distribution files, and then click Next. Required files are copied to your hard disk.

    How to authorize a DHCP server in Active Directory?

    Open DHCP. In the console tree, click DHCP. On the Action menu, click Manage authorized servers. The Manage Authorized Servers dialog box appears. Click Authorize. When prompted, type the name or IP address of the DHCP server to be authorized, and then click OK.

    What is DHCPINFORM?

    DHCPInform is a DHCP message used by DHCP clients to obtain DHCP

    options. While PPP remote access clients do not use DHCP to obtain IP

    addresses for the remote access connection, Windows 2000 and Windows 98

    remote access clients use the DHCPInform message to obtain DNS server IP

    addresses, WINS server IP addresses, and a DNS domain name.

    The DHCPInform message is sent after the IPCP negotiation is concluded.

    The DHCPInform message received by the remote access server is then

    forwarded to a DHCP server. The remote access server forwards

    DHCPInform messages only if it has been configured with the DHCP Relay

    Agent.

    Describe the integration between DHCP and DNS?

    Traditionally, DNS and DHCP servers have been configured and managed

    one at a time. Similarly, changing authorization rights for a particular user on a

    group of devices has meant visiting each one and making configuration

    changes.

    DHCP integration with DNS allows the aggregation of these tasks across

    devices, enabling a company's network services to scale in step with the

    growth of network users, devices, and policies, while reducing administrative

    operations and costs. This integration provides practical operational

    efficiencies that lower total cost of ownership.

    Creating a DHCP network automatically creates an associated DNS zone, for

    example, reducing the number of tasks required of network administrators.

    And integration of DNS and DHCP in the same database instance provides

    unmatched consistency between service and management views of IP

    address-centric network services da

    InterviewFAQNo:1 Source to prepare for job interviews.

    Windows Server Group Policy Interview Questions 23. Sep

    Below is the list of Windows Server Group Policy Interview Questions Asked

    in Windows System Administrator / L1/l2/l3 Support Engineer Interviews.

    What is group policy in active directory ? What are Group Policy objects

    (GPOs)?

    Group Policy objects, other than the local Group Policy object, are virtual

    objects. The policy setting information of a GPO is actually stored in two

    locations: the Group Policy container and the Group Policy template.

    The Group Policy container is an Active Directory container that stores GPO

    properties, including information on version, GPO status, and a list

    of components that have settings in the GPO.

    The Group Policy template is a folder structure within the file system that

    stores Administrative Template-based policies, security settings, script files,

    and information regarding applications that are available for Group Policy

    Software Installation.

    The Group Policy template is located in the system volume folder (Sysvol) in

    the Policies subfolder for its domain.

    What is the order in which GPOs are applied ?

    Group Policy settings are processed in the following order:

    1. Local Group Policy object: Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.

    2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

    3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

    4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

    At the level of each organizational unit in the Active Directory hierarchy, one,

    many, or no GPOs can be linked. If several GPOs are linked to an

    organizational unit, their processing is in the order that is specified by the

    administrator, on the Linked Group Policy Objects tab for the organizational

    unit in GPMC.

    The GPO with the lowest link order is processed last, and therefore has the

    highest precedence.

    This order means that the local GPO is processed first, and GPOs that are

    linked to the organizational unit of which the computer or user is a direct

    member are processed last, which overwrites settings in the earlier GPOs if

    there are conflicts. (If there are no conflicts, then the earlier and later settings

    are merely aggregated.)

    How to backup/restore Group Policy objects ?

    Begin the process by logging on to a Windows Server 2008 domain controller,

    and opening the Group Policy Management console. Now, navigate through

    the console tree to Group Policy Management | Forest: | Domains | | Group

    Policy Objects.

    When you do, the details pane should display all of the group policy objects

    that are associated with the domain. In Figure A there are only two group

    policy objects, but in a production environment you may have many more. The

    Group Policy Objects container stores all of the group policy objects for the

    domain.

    Now, right-click on the Group Policy Objects container, and choose the Back

    Up All command from the shortcut menu. When you do, Windows will open

    the Back Up Group Policy Object dialog box.

    As you can see in Figure B, this dialog box requires you to provide the path to

    which you want to store the backup files. You can either store the backups in

    a dedicated folder on a local drive, or you can place them in a folder on a

    mapped network drive. The dialog box also contains a Description field that

    you can use to provide a description of the backup that you are creating.

    You must provide the path to which you want to store your backup of the

    group policy objects.

    To initiate the backup process, just click the Back Up button. When the

    backup process completes, you should see a dialog box that tells you how

    many group policy objects were successfully backed up. Click OK to close the

    dialog box, and you're all done.

    When it comes to restoring a backup of any Group Policy Object, you have

    two options. The first option is to right-click on the Group Policy Object, and

    choose the Restore From Backup command from the shortcut menu. When

    you do this, Windows will remove all of the individual settings from the Group

    Policy Object, and then implement the settings found in the backup.

    Your other option is to right-click on the Group Policy Object you want to

    restore, and choose the Import Settings option. This option works more like a

    merge than a restore.

    Any settings that presently reside within the Group Policy Object are retained

    unless there is a contradictory setting within the file that is being imported.

    You want to standardize the desktop environments (wallpaper, My

    Documents, Start menu, printers etc.) on the computers in one

    department. How would you do that?

    Go to Start -> Programs -> Administrative Tools -> Active Directory Users and Computers.

    Right-click on the Domain -> click on Properties.

    In the new window, click on Group Policy.

    Select Default Policy -> click on Edit.

    In the Group Policy console, go to User Configuration -> Administrative Template -> Start menu and Taskbar.

    Select each property you want to modify and do the same.

    What's the difference between software publishing and assigning?

    Assign Users: The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the start menu, or accesses a file that has been associated with the software application.

    Assign Computers: The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.

    Publish to users: The software application does not appear on the start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.

    What are administrative templates?

    Administrative Templates are a feature of Group Policy, a Microsoft

    technology for centralised management of machines and users in an Active

    Directory environment. Administrative Templates facilitate the management of

    registry-based policy. An ADM file is used to describe both the user interface

    presented to the Group Policy administrator and the registry keys that should

    be updated on the target machines.

    An ADM file is a text file with a specific syntax which describes both the

    interface and the registry values which will be changed if the policy is enabled

    or disabled.

    ADM files are consumed by the Group Policy Object Editor (GPEdit).

    Windows XP Service Pack 2 shipped with five ADM files (system.adm,

    inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged

    into a unified namespace in GPEdit and presented to the administrator under

    the Administrative Templates node (for both machine and user policy).

    Can I deploy non-MSI software with GPO?

    Create the file with a .zap extension.

    Name some GPO settings in the computer and user parts?

    Group Policy Object (GPO) computer = Computer Configuration, User = User Configuration.

    A user claims he did not receive a GPO, yet his user and computer

    accounts are in the right OU, and everyone else there gets the GPO.

    What will you look for?

    Make sure the user is not a member of a loopback policy, as in a loopback policy it doesn't affect user settings; only the computer policy will be applicable. Also check whether he is a member of the GPO filter group or not.

    You may also want to check the computers event logs. If you find event ID

    1085 then you may want to download the patch to fix this and reboot the

    computer.

    How can I override blocking of inheritance ?

    What can I do to prevent inheritance from above?

    Name a few benefits of using GPMC.

    How frequently is the client policy refreshed ?

    90 minutes give or take.

    Where is secedit?

    It's now gpupdate.

    What can be restricted on Windows Server 2003 that wasn't there in previous products?

    Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

    You want to create a new group policy but do not wish to inherit.

    Make sure you check Block inheritanceamong the options when creating

    the policy.

    How does the Group Policy No Override and Block Inheritance work ?

    Group Policies can be applied at multiple levels (sites, domains,
    organizational units), with multiple GPs at each level. Some policy
    settings may therefore conflict, hence the application order of Site, Domain,
    Organizational Unit, and within each layer you set the order for all defined policies.
    You may also want to force some policies to never be overridden (No Override),
    and you may want some containers to not inherit settings from a parent
    container (Block Inheritance).

    A good definition of each is as follows:

    No Override: This prevents child containers from overriding policies set at
    higher levels.


    Block Inheritance: Stops containers inheriting policies from parent containers.

    No Override takes precedence over Block Inheritance, so if a child container
    has Block Inheritance set but on the parent a group policy has No Override
    set, then it will get applied.

    Also, the highest No Override takes precedence over lower No Overrides set.

    To block inheritance perform the following:

    1. Start the Active Directory Users and Computers snap-in (Start >
    Programs > Administrative Tools > Active Directory Users and Computers)

    2. Right click on the container you wish to stop inheriting settings from its

    parent and select

    3. Select the Group Policy tab

    4. Check the Block Policy inheritance option

    5. Click Apply then OK

    To set a policy to never be overridden perform the following:

    1. Start the Active Directory Users and Computers snap-in (Start > Programs >
    Administrative Tools > Active Directory Users and Computers)

    2. Right click on the container you wish to set a Group Policy to not be

    overridden and select Properties


    3. Select the Group Policy tab

    4. Click Options

    5. Check the No Override option

    6. Click OK

    7. Click Apply then OK
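
    The precedence rules described above (processing order, Block Inheritance, No Override), modeled in Python as an added example; it is not code from the original page and not how Windows implements Group Policy processing. The container names, GPO names and settings are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                   # GPO display name (constructed sample)
    settings: dict             # setting name -> value
    no_override: bool = False  # the "No Override" option on the link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # lowest priority first
    block_inheritance: bool = False

def resolve(chain):
    """Return {setting: (value, winning GPO)} for an account.

    chain lists the containers from the top (site) down to the OU
    that holds the account.
    """
    # Deepest container with Block Inheritance: ordinary links above it are dropped.
    barrier = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)

    normal, forced = [], []
    for depth, container in enumerate(chain):
        for link in container.links:
            if link.no_override:
                forced.append((depth, link))   # survives Block Inheritance
            elif depth >= barrier:
                normal.append(link)

    effective = {}
    # Ordinary links: site, domain, OU order, so the closest container wins.
    for link in normal:
        for key, value in link.settings.items():
            effective[key] = (value, link.gpo)
    # No Override links are written last, deepest first, so the highest one wins.
    for _, link in sorted(forced, key=lambda item: -item[0]):
        for key, value in link.settings.items():
            effective[key] = (value, link.gpo)
    return effective

def sample_chain():
    # Constructed sample hierarchy, not taken from the page.
    site = Container("Site", [Link("Site Proxy", {"proxy": "site-proxy"})])
    domain = Container("Domain", [
        Link("Domain Baseline", {"control_panel": "hidden", "wallpaper": "corp"},
             no_override=True),
        Link("Domain Defaults", {"screensaver_timeout": 900}),
    ])
    parent = Container("OU=Staff", [
        Link("Staff Lockdown", {"control_panel": "visible", "usb_storage": "deny"},
             no_override=True),
    ])
    child = Container("OU=Lab", [
        Link("Lab Settings", {"wallpaper": "lab", "screensaver_timeout": 300}),
    ], block_inheritance=True)
    return [site, domain, parent, child]

if __name__ == "__main__":
    for setting, (value, gpo) in sorted(resolve(sample_chain()).items()):
        print(f"{setting:22} = {value!s:12} from {gpo}")
```

    Because the result names the winning GPO for each setting, the same model helps when working out why an account in the right OU did not get an expected setting.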


    Windows Active Directory Interview Questions, User Submitted, Part 10 (21. Sep)


    What are sites? What are they used for?

    One or more well-connected (highly reliable and fast) TCP/IP subnets.

    A site allows administrators to configure Active Directory access and

    replication topology to take advantage of the physical network.


    A Site object in Active Directory represents a physical geographic location that

    hosts networks. Sites contain objects called Subnets.

    Sites can be used to assign Group Policy Objects, facilitate the discovery of
    resources, manage Active Directory replication, and manage network link
    traffic.

    Sites can be linked to other Sites. Site-linked objects may be assigned a cost

    value that represents the speed, reliability, availability, or other real property of

    a physical resource. Site Links may also be assigned a schedule.

    Trying to look at the Schema, how can I do that ?

    Register schmmgmt.dll using this command:

    c:\windows\system32>regsvr32 schmmgmt.dll

    Open mmc > add snap-in > add Active Directory Schema

    Name it schema.msc

    Open Administrative Tools > schema.msc

    What is the port no. of Kerberos?

    88

    What is the port no of Global catalog ?

    3268

    What is the port no of LDAP ?

    389


    Explain Active Directory Schema ?

    Windows 2000 and Windows Server 2003 Active Directory uses a database

    set of rules called the Schema. The Schema is defined as the formal definition of

    all object classes, and the attributes that make up those object classes, that

    can be stored in the directory. As mentioned earlier, the Active Directory

    database includes a default Schema, which defines many object classes,

    such as users, groups, computers, domains, organizational units, and so on.

    These objects are also known as Classes. The Active Directory Schema can

    be dynamically extensible, meaning that you can modify the schema by

    defining new object types and their attributes and by defining new attributes

    for existing objects. You can do this either with the Schema Manager snap-in

    tool included with Windows 2000/2003 Server, or programmatically.

    How can you forcibly remove AD from a server, and what do you do
    later? Can I get user passwords from the AD database?

    With dcpromo /forceremoval, an administrator can forcibly remove Active
    Directory and roll back the system without having to contact or replicate any
    locally held changes to another DC in the forest. Reboot the server. After
    you use the dcpromo /forceremoval command, the remaining metadata for
    the demoted DC is not deleted on the surviving domain controllers, and
    therefore you must manually remove it by using the NTDSUTIL command.


    In the event that the NTDS Settings object is not removed correctly you can

    use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You

    will need the following tools: Ntdsutil.exe, Active Directory Sites and Services,

    Active Directory Users and Computers.

    What are the FSMO roles? Who has them by default? What happens

    when each one fails?

    Flexible Single Master Operation (FSMO) role. Currently there are five FSMO

    roles:

    Schema master

    Domain naming master

    RID master

    PDC emulator

    Infrastructure master

    What is a domain tree?

    Domain Trees: A domain tree comprises several domains that share a

    common schema and configuration, forming a contiguous namespace.

    Domains in a tree are also linked together by trust relationships. Active

    Directory is a set of one or more trees.

    Trees can be viewed two ways. One view is the trust relationships between

    domains. The other view is the namespace of the domain tree.


    What is a forest?

    A collection of one or more domain trees with a common schema and implicit

    trust relationships between them. This arrangement would be used if you have

    multiple root DNS addresses.

    How to Select the Appropriate Restore Method ?

    You select the appropriate restore method by considering:

    Circumstances and characteristics of the failure. The two major categories of
    failure, from an Active Directory perspective, are Active Directory data
    corruption and hardware failure.

    Active Directory data corruption occurs when the directory contains corrupt

    data that has been replicated to all domain controllers or when a large portion

    of the Active Directory hierarchy has been changed accidentally (such as

    deletion of an OU) and this change has replicated to other domain controllers.

    Where are the Windows NT Primary Domain Controller (PDC) and its

    Backup Domain Controller (BDC) in Server 2003?

    The Active Directory replaces them. Now all domain controllers share a

    multimaster peer-to-peer read and write relationship that hosts copies of the

    Active Directory.

    What is Global Catalog?


    The Global Catalog authenticates network user logons and fields inquiries

    about objects across a forest or tree. Every domain has at least one GC that

    is hosted on a domain controller. In Windows 2000, there was typically one

    GC on every site in order to prevent user logon failures across the network.

    How long does it take for security changes to be replicated among the domain controllers?

    Security-related modifications are replicated within a site immediately. These

    changes include account and individual user lockout policies, changes to

    password policies, changes to computer account passwords, and

    modifications to the Local Security Authority (LSA).

    When should you create a forest?

    Organizations that operate on radically different bases may require separate

    trees with distinct namespaces. Unique trade or brand names often give rise

    to separate DNS identities. Organizations merge or are acquired and naming

    continuity is desired. Organizations form partnerships and joint ventures.

    While access to common resources is desired, a separately defined tree can

    enforce more direct administrative and security restrictions.

    Describe the process of working with an external domain name ?

    If it is not possible for you to configure your internal domain as a subdomain of

    your external domain, use a stand-alone internal domain. This way, your

    internal and external domain names are unrelated. For example, an


    organization that uses the domain name contoso.com for their external

    namespace uses the name corp.internal for their internal namespace.

    The advantage to this approach is that it provides you with a unique internal

    domain name. The disadvantage is that this configuration requires you to

    manage two separate namespaces. Also, using a stand-alone internal domain

    that is unrelated to your external domain might create confusion for users

    because the namespaces do not reflect a relationship between resources

    within and outside of your network.

    In addition, you might have to register two DNS names with an Internet name

    authority if you want to make the internal domain publicly accessible.


    Windows Active Directory Interview Questions, User Submitted, Part 8 (21. Sep)


    Got a list of some Active Directory interview questions submitted by user Noel.

    What is the default size of ntds.dit ?

    10 MB in Server 2000 and 12 MB in Server 2003.


    Where is the AD database held and What are other folders related to

    AD ?

    AD Database is saved in %systemroot%/ntds. You can see other files also in

    this folder. These are the main files controlling the AD structure.

    ntds.dit

    edb.log

    res1.log

    res2.log

    edb.chk

    When a change is made to the Win2K database, triggering a write operation,

    Win2K records the transaction in the log file (edb.log). Once written to the log

    file, the change is then written to the AD database. System performance

    determines how fast the system writes the data to the AD database from the

    log file. Any time the system is shut down, all transactions are saved to the

    database.

    During the installation of AD, Windows creates two files: res1.log and res2.log.

    The initial size of each is 10MB. These files are used to ensure that changes

    can be written to disk should the system run out of free disk space. The

    checkpoint file (edb.chk) records transactions committed to the AD database


    (ntds.dit). During shutdown, a shutdown statement is written to the edb.chk
    file.

    Then, during a reboot, AD determines that all transactions in the edb.log file
    have been committed to the AD database. If, for some reason, the edb.chk file
    doesn't exist on reboot or the shutdown statement isn't present, AD will use
    the edb.log file to update the AD database. The last file in our list of files to
    know is the AD database itself, ntds.dit. By default, the file is located in NTDS,
    along with the other files we've discussed.

    What FSMO placement considerations do you know of ?

    Windows 2000/2003 Active Directory domains utilize a Single Operation

    Master method called FSMO (Flexible Single Master Operation), as described

    in Understanding FSMO Roles in Active Directory.

    In most cases an administrator can keep the FSMO role holders (all 5 of

    them) in the same spot (or actually, on the same DC) as has been configured

    by the Active Directory installation process.

    However, there are scenarios where an administrator would want to move one

    or more of the FSMO roles from the default holder DC to a different DC.

    Windows Server 2003 Active Directory is a bit different than the Windows

    2000 version when dealing with FSMO placement.


    In this article I will only deal with Windows Server 2003 Active Directory, but

    you should bear in mind that most considerations are also true when planning

    Windows 2000 AD FSMO roles.

    What do you do to install a new Windows 2003 R2 DC in a Windows 2003

    AD?

    If you're installing Windows 2003 R2 on an existing Windows 2003 server with
    SP1 installed, you require only the second R2 CD-ROM.

    Insert the second CD and r2auto.exe will display the Windows 2003 R2
    Continue Setup screen. If you're installing R2 on a domain controller (DC),
    you must first upgrade the schema to the R2 version (this is a minor change
    and mostly related to the new Dfs replication engine).

    To update the schema, run the Adprep utility, which you'll find in the
    Components\r2\adprep folder on the second CD-ROM.

    Before running this command, ensure all DCs are running Windows 2003 or
    Windows 2000 with SP2 (or later).

    Here's a sample execution of the Adprep /forestprep command:

    D:\CMPNENTS\R2\ADPREP>adprep /forestprep
    ADPREP WARNING:
    Before running adprep, all Windows 2000 domain controllers in the forest
    should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE
    265089, or to Windows 2000 SP2 (or later).
    QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent
    potential domain controller corruption.
    [User Action] If ALL your existing Windows 2000 domain controllers meet this
    requirement, type C and then press ENTER to continue. Otherwise, type any
    other key and press ENTER to quit.
    C
    Opened Connection to SAVDALDC01
    SSPI Bind succeeded
    Current Schema Version is 30
    Upgrading schema to version 31
    Connecting to SAVDALDC01
    Logging in as current user using SSPI
    Importing directory from file C:\WINDOWS\system32\sch31.ldf
    Loading entries
    139 entries modified successfully.
    The command has completed successfully
    Adprep successfully updated the forest-wide information.

    After running Adprep, install R2 by performing these steps:

    1. Click the Continue Windows Server 2003 R2 Setup link, as the
    figure shows.

    2. At the Welcome to the Windows Server 2003 R2 Setup Wizard

    screen, click Next.


    The following OU design recommendations address delegation and scope

    issues:

    Applying Group Policy: An OU is the lowest-level Active Directory container to
    which you can assign Group Policy settings.

    Delegating administrative authority

    Usually don't go more than 3 OU levels.


    How do you view replication properties for AD partitions and DCs?

    By using replication monitor


    go to start > run > type repadmin

    go to start > run > type replmon

    Why can't you restore a DC that was backed up 4 months ago?

    Because of the tombstone life which is set to only 60 days.

    Different modes of AD restore ?

    A nonauthoritative restore is the default method for restoring Active Directory.

    To perform a nonauthoritative restore, you must be able to start t