wintel ad interview questions
7/28/2019 Wintel AD Interview Questions
1/36
Windows Active Directory
Workgroup: a group of computers with no central directory. To access a system we have to create a login name on that system in order to access its files, and if we want to log in to another system we have to create our login name on that system as well.
Domain: a group of systems in a network. The user name is created once in the domain, and we can log in to any system in that network and access files on any system.
What is a DC?
A DC is a Domain Controller; it contains a copy of Active Directory for a domain.
What is the primary function of domain controllers?
The primary function of domain controllers is to validate users to the network. However, domain
controllers also provide the catalog of Active Directory objects to users on the network.
What is an ADC? Additional Domain Controller
An ADC is a copy of the DC. If the DC fails, the ADC can be converted into the DC.
It gives load balancing and fault tolerance.
Group: a collection of users. It is used to give permissions and access rights to a collection of users.
OU (Organizational Unit): it is like a container; it contains users, groups, computers and other OUs. It is used to create departments or branches, and to delegate administrative rights to a user in that OU.
Windows 2003 versions:
Standard: max RAM 4 GB
Enterprise: 64 GB
Web Edition: 4 GB; cannot run DCPROMO, so no DC and no clusters
Datacenter: 512 GB
What is the Global Catalog?
It stores all objects in the directory for its host domain and partial information about all objects of every other domain in the forest. The information is partial because it stores only some attributes of each object.
The GC performs two key directory roles:
1. It gives universal group membership information when a user logs in to a DC.
2. We can search and locate user information in any domain in the forest.
When a user logs on to the network, the GC provides universal group membership information for the account sending the logon request to the DC. If a GC is not available, the user is only able to log on to the local computer.
If a user is a member of the Domain Admins group, they are able to log on to the network even when a global catalog is not available.
What is Active Directory?
AD is a database. It stores information about users, groups, printers and network resources and makes the resources accessible to users and computers.
1. It helps to centrally manage, organize and control access to resources.
2. It gives user logon and authentication services.
3. Users can search and locate objects in the forest.
File name of Active Directory = Ntds.dit. File size 40 MB, max size 16 TB.
NTDS = New Technology Directory Service; DIT = Directory Information Tree.
Active Directory includes 4 files:
Ntds.dit, EDB.log, EDB.chk, Res1.log and Res2.log
Location: %systemroot%\ntds\ (ntds.dit, EDB.log, EDB.chk, Res1.log and Res2.log)
Minimum requirements for installing AD
1. Windows Server, Advanced Server or Datacenter Server
2. Minimum disk space of 200 MB for AD and 50 MB for log files
3. NTFS partition
4. TCP/IP installed and configured to use DNS
5. Administrative privilege for creating a domain in the existing network
What is LDAP? LDAP port number 389
Lightweight Directory Access Protocol
LDAP is the directory service protocol used to access AD. It is used to exchange directory information from server to clients or from server to servers.
How will you verify whether the AD installation is proper?
1. Verifying database and log files
Make sure that the following files are there in %systemroot%\ntds:
Ntds.dit, Edb.*, Res*.log
Active Directory includes 4 files.
1. NTDS.DIT
This is the AD database and stores all AD objects. Default location is %SystemRoot%\ntds\NTDS.DIT.
2. Verifying the SYSVOL folder in %systemroot%\sysvol\sysvol
If the SYSVOL folder is not properly created, data stored in SYSVOL such as scripts, GPOs, etc. will not be replicated between DCs.
Verify that the following folders are created in the SYSVOL folder:
Domain
Staging
Staging areas
Sysvol
Then verify the 2 shares:
>net share
It should show two shares, NETLOGON and SYSVOL.
What is the use of the SYSVOL folder?
Group Policies and scripts saved in the SYSVOL folder are replicated to all domain controllers in the domain.
FRS (File Replication Service) is responsible for replicating all policies and scripts.
3. Verify SRV resource records
After AD is installed, the DC will register SRV records in DNS when it restarts. We can check this using the DNS MMC or the nslookup command.
Using MMC
If the SRV records are registered, the following folders will be there in the domain folder in the Forward Lookup Zone:
_msdcs
_sites
_tcp
_udp
Using nslookup
>nslookup
>ls -t SRV Domain
If the SRV records are properly created, they will be listed.
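A script form of the checks above, added here as an example and not part of the original notes: it resolves the SRV records a DC registers and looks for the NETLOGON and SYSVOL shares and the SYSVOL folders. It assumes it runs on the DC being verified, on Windows Server 2012 or later (Resolve-DnsName, Get-SmbShare), and that USERDNSDOMAIN holds the domain name when no -Domain is given.

```powershell
# Added example, not from the original notes. Run on the DC being verified.
# Assumes Windows Server 2012+ (Resolve-DnsName, Get-SmbShare) and that
# $env:USERDNSDOMAIN holds the domain name when no -Domain is given.
param([string] $Domain = $env:USERDNSDOMAIN)

function Test-DcSrvRecords {
    param([Parameter(Mandatory)] [string] $Domain)

    # Service locator records every DC registers under the domain zone
    # (the _msdcs / _sites / _tcp / _udp folders seen in the DNS console).
    $names = @(
        "_ldap._tcp.$Domain",              # LDAP on a DC of this domain
        "_kerberos._tcp.$Domain",          # KDC of this domain
        "_ldap._tcp.dc._msdcs.$Domain"     # DC entries under _msdcs
    )
    foreach ($name in $names) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            foreach ($r in $srv) {
                [pscustomobject]@{ Record = $name; Target = $r.NameTarget; Port = $r.Port; Status = 'OK' }
            }
        }
        catch {
            # A missing record means clients cannot locate this DC for that service.
            [pscustomobject]@{ Record = $name; Target = $null; Port = $null; Status = "MISSING ($($_.Exception.Message))" }
        }
    }
}

function Test-DcSysvol {
    # The shares that 'net share' must list, and the folders expected under SYSVOL.
    $present = @(Get-SmbShare -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
    foreach ($share in 'NETLOGON', 'SYSVOL') {
        [pscustomobject]@{ Item = "share $share"; Present = ($present -contains $share) }
    }
    $root = Join-Path $env:SystemRoot 'SYSVOL'
    foreach ($folder in 'domain', 'staging', 'staging areas', 'sysvol') {
        [pscustomobject]@{ Item = "folder $root\$folder"; Present = (Test-Path (Join-Path $root $folder)) }
    }
}

Test-DcSrvRecords -Domain $Domain | Format-Table -AutoSize
Test-DcSysvol | Format-Table -AutoSize
```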
EDB.LOG
This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log, where nnnn is an increasing number starting from 1.
EDB.CHK
This is the checkpoint file used to track the data not yet written to the database file. It indicates the starting point from which data is to be recovered from the log file in case of failure.
Res1.log and Res2.log
These are reserved transaction log files of 20 MB (10 MB each) which give the transaction log files enough room to shut down if the other space is being used.
Explain ADS Database Garbage Collection Process?
Garbage Collection is a process to free space within the Active Directory database.
This process runs on each DC every 12 hours.
The garbage collection process has 3 main steps:
1. Removing "tombstones" from the database. Tombstones are deleted objects.
(Tombstones: when an object is deleted, it is not actually removed from the Active Directory database. It is marked for deletion at a later date. When the tombstone lifetime is over, the object is deleted.)
2. Deletion of any unnecessary log files.
3. The process launches an online defragmentation to create space. This method does not shrink the Active Directory database file (Ntds.dit).
There are two ways to defragment the Active Directory database:
Online defragmentation: the method that runs as part of the garbage collection process, every 12 hours on each DC. The only advantage of this method is that the server does not need to be taken offline for it to run. This method does not shrink the Active Directory database file (Ntds.dit).
Offline defragmentation: this is done by taking the server offline and using Ntdsutil.exe to defragment the database. Start the server in repair mode (Directory Services Restore Mode). In this method the database size is reduced.
To defrag ntds.dit offline:
1. Back up System State in the backup wizard.
2. Reboot and select Directory Services Restore Mode.
3. At the command prompt type:
   ntdsutil
   files
   info
   This will display current information about the path and size of the Active Directory database and its log files.
   compact to D:\DbBackup\
   You must specify a directory path, and if the path name has spaces, the command will not work unless you use quotation marks.
   quit (until you reach the command prompt)
4. A new compacted database named Ntds.dit can be found in D:\DbBackup.
5. Copy the new ntds.dit file over the old ntds.dit file. You have successfully compacted the Active Directory database.
Active Directory 3 partitions (plus a 4th in Windows 2003):
1. Configuration partition
2. Schema partition
3. Domain partition
4. Application partition (only in Windows 2003, not available in Windows 2000)
What is the physical structure of AD?
Physical structure is: Forests > Trees > Domains > Child Domains > Grandchild Domains
What are the components of Active Directory?
There are two types of components:
One is logical structures: Domains, Organizational Units, Trees and Forest
Second one is physical structures: Sites and Domain Controllers
Command to install Active Directory
Start > Run > type DCPROMO
When installing or removing Active Directory, the following log files are created in the %systemroot%\Debug folder:
Dcpromoui.log
Dcpromos.log
Dcpromo.log
Introducing domain trees and forests
TREES
A tree is a hierarchical arrangement of W2K domains that share a contiguous namespace. The first domain in a domain tree is called the root domain. Additional domains in the same domain tree are child domains. A domain immediately above another domain in the same domain tree is referred to as the parent of the child domain.
FORESTS
A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace but share:
A common schema
Common configuration information
A common global catalog
Explain schema?
Schema is the collection of objects and their classes. Example:
Object = User Name
Attribute: Home Dir, Home Address
A schema object cannot be deleted; objects can only be marked as deactivated.
This is managed by the Schema Master.
Explain sites. What are the advantages of sites?
A site consists of one or more IP subnets connected by a high-speed link.
Uses of sites
Service requests: when a client requests a service from a domain controller, it directs the request to a domain controller in the same site. Selecting a domain controller that is well connected to the client makes handling the request more efficient.
Replication: sites streamline replication of directory information and reduce replication traffic.
GC and infrastructure master should not be on the same server. Why?
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog's data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.
Important
1. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
2. If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.
FOREST-WIDE OPERATIONS MASTER ROLES
There can be only one schema master and one domain naming master for the entire forest.
Schema master: the schema master DC controls all updates and modifications to the schema.
Domain naming master: the domain naming master DC controls the addition or removal of domains in the forest.
DOMAIN-WIDE OPERATIONS MASTER ROLES
Every domain in the forest must have the following roles:
Relative ID master
Primary DC (PDC) emulator
Infrastructure master
What is FSMO?
Flexible Single Master Operations.
What are the FSMO roles?
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
Schema Master
The schema master is responsible for performing updates to the directory schema. This DC is the only one that can process updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.
Domain Naming Master
This DC is the only one that can add or remove a domain from the directory.
RID Master
The RID master gives relative IDs to all DCs in the domain.
When we create a user or group, it is given an ID: the SID.
Each user has a SID. This SID consists of a domain SID and a relative ID (RID). The domain SID identifies the domain; the RID is the ID given to the user.
ACL: Access Control List
Each file has an ACL; it maintains the list of SIDs that have access rights to the file. So the SID is what files use to grant access permissions.
PDC Emulator FSMO role
Time synchronization
Password changes
Authentication failures
Account lockouts
The PDC emulator is necessary so that all Windows 2000-based computers within an enterprise use a common time.
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
The PDC emulator receives no down-level replica requests.
Infrastructure Master
It is responsible for updating group membership information when a group is added or modified.
Schema master, domain naming master: one per forest
RID master, PDC emulator, infrastructure master: one per domain
How to find out the FSMO role holders on a server:
Schema Master
1. Cmd > Run > type regsvr32 schmmgmt.dll. You should receive a success confirmation. Click OK.
2. Type MMC. On the Console menu, press Add/Remove Snap-in.
3. Choose Active Directory Schema from the list and add it. Press Add and press Close. Press OK.
4. Click the Active Directory Schema icon. After it loads, right-click it and press Operations Masters.
To find out the Domain Naming Master role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operations Masters.
3. When you're done, click Close.
Finding the RID Master, PDC Emulator and Infrastructure Master:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press Operations Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done, click Close.
To find them from the CMD prompt:
Type the netdom command.
Do not place the infrastructure master on a global catalog server
The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log.
How will you place the FSMO roles?
Place the RID and PDC emulator roles on the same domain controller. Good communication from the PDC to the RID master is desirable as downlevel clients and applications target the PDC, making it a large consumer of RIDs.
As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site.
At the forest level, the schema master and domain naming master roles should be placed on the same domain controller as they are rarely used and should be tightly controlled. Additionally, the Domain Naming Master FSMO should also be a global catalog server.
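An added example (not from the original notes) that serves both the "how to find the FSMO roles" question and the placement rules above: it reads the role holders with the ActiveDirectory module and reports where the placement rules are broken. It assumes the RSAT ActiveDirectory module and a domain account that can read the directory; the netdom command mentioned above lists the same role holders from a command prompt.

```powershell
# Added example, not from the original notes. Assumes the ActiveDirectory
# module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param([string] $Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)
    $gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })
    $allGc  = ($gcs.Count -eq $dcs.Count)

    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    $findings = New-Object System.Collections.Generic.List[string]

    # Rule: the IM must not be a GC unless every DC in the domain is a GC.
    if (($gcs -contains $dom.InfrastructureMaster) -and -not $allGc) {
        $findings.Add("Infrastructure master $($dom.InfrastructureMaster) is a GC while other DCs are not: cross-domain references will stop updating")
    }
    # Rule: RID master and PDC emulator on the same DC.
    if ($dom.RIDMaster -ne $dom.PDCEmulator) {
        $findings.Add("RID master ($($dom.RIDMaster)) and PDC emulator ($($dom.PDCEmulator)) are on different DCs")
    }
    # Forest-level rules are only checked for the forest root domain, because
    # the GC list above covers this domain's DCs only.
    if ($dom.DNSRoot -eq $forest.RootDomain) {
        if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
            $findings.Add("Schema master and domain naming master are on different DCs")
        }
        if ($gcs -notcontains $forest.DomainNamingMaster) {
            $findings.Add("Domain naming master $($forest.DomainNamingMaster) is not a global catalog")
        }
    }

    [pscustomobject]@{
        Domain         = $dom.DNSRoot
        Roles          = $roles
        GlobalCatalogs = $gcs
        AllDcsAreGc    = $allGc
        Findings       = $findings.ToArray()
    }
}

$report = Get-FsmoPlacementReport
$report.Roles | Format-Table -AutoSize
if ($report.Findings.Count -eq 0) { 'FSMO placement follows the rules above.' } else { $report.Findings }
```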
Responding to operations master failures
SCHEMA MASTER FAILURE
This failure will be visible if we are trying to modify the schema or install an application that modifies the schema during installation.
Seize the schema master role on another DC.
A DC whose schema master role has been seized must never be brought back online.
To seize the schema master role:
1. Click Start, click Run, and then type cmd.
2. At the command prompt, type ntdsutil.
3. At the ntdsutil prompt, type roles.
4. At the fsmo maintenance prompt, type connections.
5. At the server connections prompt, type connect to server, followed by the fully qualified domain name.
6. At the server connections prompt, type quit.
7. At the fsmo maintenance prompt, type seize schema master.
8. At the fsmo maintenance prompt, type quit.
9. At the ntdsutil prompt, type quit.
DOMAIN NAMING MASTER FAILURE
We cannot add a domain (we cannot run DCPROMO to add a new domain) if the domain naming master has failed.
So we can seize it on another DC or additional DC.
RELATIVE ID MASTER FAILURE
We cannot add users if the RID master has failed. So we can seize it on another DC or additional DC.
PDC EMULATOR FAILURE
Time sync will not happen, which will affect replication.
Password changes and account lockouts will not happen.
Group policy changes will not be updated.
The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not available, you may need to immediately seize the role.
INFRASTRUCTURE MASTER FAILURE
We can find this problem when we move or rename a group of accounts or groups.
So we can seize it on another DC or additional DC.
How will you remove orphaned domains from Active Directory?
Typically, when the last DC for a domain is demoted, the administrator selects the "This server is the last DC in the domain" option in the DCPromo tool, which removes the domain metadata from Active Directory.
1. Determine the DC that holds the Domain Naming Master FSMO role.
2. Verify that all servers for the specified domain have been demoted.
3. At the command prompt:
   ntdsutil
   metadata cleanup
   connections
   connect to server servername
   (servername is the name of the DC holding the Domain Naming Master FSMO role)
   quit
   The Metadata Cleanup menu is displayed.
   select operation target
   list domains
   A list of domains in the forest is displayed, each with an associated number.
   select domain number
   (number is the number associated with the domain to be removed)
   quit
   The Metadata Cleanup menu is displayed.
   remove selected domain
   You should receive confirmation that the removal was successful.
   quit
   You should receive confirmation that the connection disconnected successfully.
Audit Active Directory objects
Audit: to check who logged in to the server.
An audit entry in the Security log contains the following information:
The action that was performed.
The user who performed the action.
The success or failure of the event and the time that the event occurred.
When you audit Active Directory events, Windows 2003 writes an event to the Security log on the domain controller. If a user tries to log on to the domain using a domain user account and the logon attempt is unsuccessful, the event is recorded on the DC and not on the computer on which the logon attempt was made. This is because it is the domain controller that tried to authenticate the logon attempt.
How to configure an audit policy setting for a domain controller
Auditing is turned off by default. To audit all DCs, enable auditing on the Domain Controllers OU.
To configure an audit policy setting for a domain controller, follow these steps:
1. Start Active Directory Users and Computers.
2. Click Advanced Features on the View menu.
3. Right-click Domain Controllers, and then click Properties.
4. Click the Group Policy tab, click Default Domain Controller Policy, and then click Edit.
5. Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
6. In the right pane, right-click Audit Directory Services Access, and then click Security.
7. Click Define These Policy Settings, and then click to select one or both of the following check boxes:
   o Success: click to select this check box to audit successful attempts for the event category.
   o Failure: click to select this check box to audit failed attempts for the event category.
8. Right-click any other event category that you want to audit, and then click Security.
9. Click OK.
How to configure auditing for specific Active Directory objects
You can configure auditing for specific objects, such as users, computers, organizational units or groups, by specifying both the types of access and the users whose access you want to audit.
To configure auditing for specific Active Directory objects, follow these steps:
1. Open Active Directory Users and Computers.
2. Select Advanced Features on the View menu.
3. Right-click the Active Directory object that you want to audit, and then click Properties.
4. Click the Security tab, and then click Advanced.
5. Click the Auditing tab, and then click Add. Enter the name of either the user or the group whose access you want to audit.
6. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
How to publish a printer in AD
1. Log on to the computer as an administrator.
2. Click Start, point to Settings, and then click Printers.
3. In the Printers folder, right-click the printer that you want to publish in Active Directory, and then click Properties.
4. Click the Sharing tab, click Share As, and then either type a share name or accept the default name. Use only letters and numbers; do not use spaces, punctuation, or special characters.
5. Click to select the List in the Directory check box, and then click OK.
6. Close the Printers folder.
NOTE: If you want to make this printer available to users who are running different versions of Windows, you must install additional drivers. To do so, click Additional Drivers on the Sharing tab of the printer properties, and then select the appropriate items in the list.
How to configure an authoritative time server in Windows 2000?
The purpose of the Time service is to ensure that all computers in the organization use a common time.
Windows includes the W32Time Time service tool that is required by the Kerberos authentication protocol.
To reset the local computer's time against the authoritative time server for the domain:
net time /domain:domain_name /set
net stop w32time
w32time update
net start w32time
SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers.
What is universal group membership caching in Windows 2003?
When a user logs in for the first time, the DC gets the user's universal group membership information from the Global Catalog and stores it in its cache. The next time the user logs in, the DC gets the universal group membership information from its local cache; it will not contact the GC.
It reduces the network traffic.
By default, the universal group membership information is refreshed every 8 hours.
Group Policy: a set of rules and settings applied to users or computers.
Uses
Configure users' desktops
Configure local security on computers
Install applications
Run start-up/shut-down or logon/logoff scripts
Configure Internet Explorer settings
Redirect special folders
Group Policy location:
C:\WINDOWS\SYSVOL\sysvol\domain.com\Policies
Command to apply Group Policy: GPUpdate
Group Policy is applied in the following order:
Local system > Site > Domain > OU > Child OU
Group Policy sections
Computer Configuration contains the settings that configure the computer prior to the user logon.
User Configuration contains the settings that configure the user after the logon. You cannot choose to apply the setting to a single user; all users, including administrator, are affected by the settings.
Within these two sections you can find more sub-folders:
Software Settings and Windows Settings, both for computer and user, are settings that configure local DLL files on the machine.
Administrative Templates are settings that configure the local registry of the machine. You can add more options to Administrative Templates by right-clicking it and choosing .ADM files. Many programs that are installed on the computer add their .ADM files to the %systemroot%\inf folder so you can add them to the Administrative Templates.
Assign and publish applications in GP, and how?
Through Group Policy you can assign and publish applications by creating an .msi package for that application.
With the Assign option you can apply the policy to both user and computer. If it is applied to a computer, the policy will apply to any user who logs on to that computer. If it is applied to a user, it will apply wherever he logs on to the domain. It will appear in Start menu > Programs. Once the user clicks the shortcut or opens any document having that extension, the application is installed on the local machine. If any application program files are missing, it will automatically repair.
With the Publish option you can apply only to users. It will not install automatically when any application program files are corrupted or deleted.
GPMC and RSoP in Windows 2003?
GPMC is the tool used for managing group policies and displays information such as how many policies are applied, on which OUs the policies are applied, what settings are enabled in each policy, which users are affected by these policies and who is managing these policies.
Configuring Group Policy:
1. Group Policy Object Editor snap-in in MMC, or use gpedit.msc from the Run command.
2. Active Directory Users and Computers snap-in, or dsa.msc, to invoke the Group Policy tab on every OU or on the domain.
3. Active Directory Sites and Services, or dssite.msc, to invoke the Group Policy tab on a site.
4. Group Policy Management Console, or gpmc.msc. This utility is NOT included in Windows 2003 Server and needs to be separately installed (it is a download from Microsoft). Note that if you'd like to use the GPMC tool on Windows XP, you need to install it on computers running Windows XP SP2. Installing it on computers without SP2 will generate errors due to unsupported and newer .ADM files.
RSoP (Resultant Set of Policy) provides details about all policy settings that are configured by an administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts and Group Policy Software Installation.
When policies are applied on multiple levels (for example, site, domain, domain controller and organizational unit), the results can conflict. RSoP can help you determine the set of applied policies and their precedence (the order in which policies are applied).
Group Policy inherited from AD is refreshed on the computers in several ways:
1. Logon to the computer (if the settings are "user settings" in the GPO)
2. Restart of the computer (if the settings are "computer settings" in the GPO)
3. Every 60 to 90 minutes, the computers query their DC for updates.
4. Manually by using the gpupdate command. You can add the /force switch to force all settings and not only the delta.
Note: Windows 2000 doesn't support the gpupdate command so you need to run a different command instead:
for computer settings.
for user settings.
In both commands you can use the /enforce switch, which is similar to /force in gpupdate.
If any configuration change requires a logoff or a restart, a message will appear. You can force logoff or reboot using gpupdate switches.
How to check that the GP was deployed
To be sure that the GP was deployed correctly, you can use several ways. The term for the results is RSoP, Resultant Set of Policy.
1. Use the gpresult command in the command prompt.
The default result is for the logged-on user on that machine. You can also choose to check the results for other users on that machine. If you use the /v or /z switches you will get very detailed information.
Suppose there are 4 group policies applied in an OU; the last policy is applied first.
What are Domain Policy, Domain Controller Policy and Local Policy?
Domain Policy applies to all computers in the domain.
Domain Controller Policy is applied only on domain controllers.
Local Policy is applied to that particular machine only and affects that computer only.
Block/Enforce inheritance
Block will block the group policies inherited from above; those GPs do not apply in that OU.
Enforce will force the GP to apply even where Block is configured.
You can block policy inheritance on an OU if you don't want the settings from upper GPOs to configure your OU.
To block GPO inheritance, simply right-click your OU and choose "Block Inheritance". Blocking inheritance will block all upper GPOs.
In case you need one of the upper GPOs to configure all downstream OUs and overcome Block Inheritance, use the Enforce option of a link. Enforcing a GPO is a powerful option and should rarely be used.
You can see in this example that when you look at the Computers OU, three different GPOs are inherited by it.
In this example you can see that choosing "Block Inheritance" will reject all upper GPOs.
Now, if we configure the "Default Domain Policy" with the Enforce option, it will overcome the inheritance blocking.
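To make the precedence rules concrete (Local > Site > Domain > OU, link order within a container, Block Inheritance and Enforce), here is an added model of how the application order and the resultant setting are worked out; it is example code written for these notes, not a Microsoft tool, and the containers, GPO names and settings in it are constructed sample data rather than anything read from a real domain.

```powershell
# Added example, not from the original notes: a small model of Group Policy
# precedence. All container, GPO and setting names below are constructed.

function Get-GpoApplicationOrder {
    param(
        # Containers from Site down to the deepest OU, each a [pscustomobject]
        # with Name, BlockInheritance and Links (objects with Gpo, Order, Enforced).
        [Parameter(Mandatory)] [object[]] $Hierarchy,
        [string] $LocalGpo = 'Local Group Policy'
    )
    # Local policy is always processed first; it is not an AD link, so
    # Block Inheritance never removes it.
    $normal = New-Object System.Collections.Generic.List[string]
    $normal.Add($LocalGpo)
    $enforcedPerLevel = @()

    foreach ($container in $Hierarchy) {
        # Block Inheritance discards every non-enforced GPO linked above this level.
        if ($container.BlockInheritance) { $normal.Clear(); $normal.Add($LocalGpo) }

        # Within one container, link order 1 has the highest precedence, so it is
        # applied last: process from the highest order number down to 1.
        $levelEnforced = New-Object System.Collections.Generic.List[string]
        foreach ($link in ($container.Links | Sort-Object -Property Order -Descending)) {
            if ($link.Enforced) { $levelEnforced.Add($link.Gpo) } else { $normal.Add($link.Gpo) }
        }
        $enforcedPerLevel += ,$levelEnforced
    }

    # Enforced links are applied after all normal links, and an enforced link
    # higher in the hierarchy beats one lower down, so walk the levels bottom-up.
    $order = New-Object System.Collections.Generic.List[string]
    $order.AddRange($normal)
    for ($i = $enforcedPerLevel.Count - 1; $i -ge 0; $i--) {
        $order.AddRange($enforcedPerLevel[$i])
    }
    return $order.ToArray()
}

function Get-ResultantSetting {
    # Last writer wins: the GPO applied last that defines the setting is effective.
    param([string[]] $ApplicationOrder, [hashtable] $SettingsByGpo, [string] $Setting)
    $winner = $null
    foreach ($gpo in $ApplicationOrder) {
        if ($SettingsByGpo.ContainsKey($gpo) -and $SettingsByGpo[$gpo].ContainsKey($Setting)) {
            $winner = [pscustomobject]@{ Setting = $Setting; Value = $SettingsByGpo[$gpo][$Setting]; FromGpo = $gpo }
        }
    }
    return $winner
}

# Constructed sample: the Computers OU blocks inheritance, the Default Domain
# Policy link is enforced, and the OU has two links of its own.
$hierarchy = @(
    [pscustomobject]@{ Name = 'Site: HQ'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Site Proxy'; Order = 1; Enforced = $false }) },
    [pscustomobject]@{ Name = 'Domain'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Default Domain Policy'; Order = 1; Enforced = $true },
        [pscustomobject]@{ Gpo = 'Domain Wallpaper'; Order = 2; Enforced = $false }) },
    [pscustomobject]@{ Name = 'OU: Computers'; BlockInheritance = $true; Links = @(
        [pscustomobject]@{ Gpo = 'Screensaver'; Order = 1; Enforced = $false },
        [pscustomobject]@{ Gpo = 'Workstation Lockdown'; Order = 2; Enforced = $false }) }
)
$settings = @{
    'Local Group Policy'    = @{ 'MinimumPasswordLength' = 6 }
    'Domain Wallpaper'      = @{ 'Wallpaper' = 'corp.jpg' }
    'Default Domain Policy' = @{ 'MinimumPasswordLength' = 14 }
    'Workstation Lockdown'  = @{ 'MinimumPasswordLength' = 8; 'Wallpaper' = 'lockdown.jpg' }
    'Screensaver'           = @{ 'ScreenSaverTimeout' = 600 }
}

$order = Get-GpoApplicationOrder -Hierarchy $hierarchy
'Application order: ' + ($order -join ' -> ')
# The enforced domain link is applied after the OU's own links despite the block.
Get-ResultantSetting $order $settings 'MinimumPasswordLength'
# 'Domain Wallpaper' was not enforced, so the block removed it from the list.
Get-ResultantSetting $order $settings 'Wallpaper'
```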
Loopback processing of Group Policy
We can use loopback Group Policy processing to apply user settings based on which computer the user logs on to.
To set user configuration per computer:
In the Group Policy Microsoft Management Console (MMC), click Computer Configuration. Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.
Usually users in their OU have GPOs applied in order during logon, regardless of which computer they log on to. In some cases, this processing order may not be appropriate (e.g., when you do not want applications assigned to users to be installed while they are logged on to the computers in some specific OU).
With Group Policy loopback, you can specify other ways to retrieve the list of GPOs for any user who logs on to any of the computers in this specific OU:
Merge mode
Here, first the user's policy is applied, then the computer's policy is added. Where they conflict, the computer's GPOs are the effective policy.
Replace mode
In this mode, the user's policy is not applied. Only the computer's policy is used.
Explain the Kerberos V5 authentication process?
Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user and of network services. This dual verification is known as mutual authentication.
User login process
1. The user on a client system authenticates to the KDC using a password.
2. The KDC issues a special ticket-granting ticket (a ticket issued by the Kerberos V5 Key Distribution Center (KDC) for the purpose of obtaining a service ticket from the ticket-granting service (TGS)) to the client. The client system uses this TGT to access the ticket-granting service (TGS), which is part of the Kerberos V5 authentication mechanism on the DC.
3. The TGS then issues a service ticket to the client.
4. The client presents this service ticket to the requested network service. The service ticket proves both the user's identity to the service and the service's identity to the user.
Group types
Security group: used to assign permissions. When we add users we select this option.
Distribution group: used to send mail to a group of users, e.g. to send a mail to 100 users.
Group scopes
Domain local group: gives rights to local users, global and universal users to access shared folders and printers in its domain.
Global group: gives access rights to users in other trusted domains. It cannot contain domain local or universal groups.
Universal group: gives access rights to users in all trusted domains and forest to forest.
3 major account policies
1. Password policy
2. Account lockout policy
3. Kerberos policy
Roaming user profile: the user gets the same desktop and settings on any system they log in to.
DNS Domain Name System
Location C:\systemroot\system32\DNS.Edb
DNS resolves host names to IP addresses.
Use
Client systems use the DNS server to locate Domain Controllers when users log in, and use DNS to access AD resources in the network.
Without a DNS server, client computers cannot locate DCs, other servers and AD resources.
DNS Zones :
Forward Lookup Zone : contains host name to IP address mappings
Reverse Lookup Zone : contains IP address to host name mappings
Standard Primary Zone
Standard Secondary Zone
Active Directory Zone : DNS entries are stored in Active Directory , not in zone file.
DNS Records
A record : contains host name to IP address mappings.
PTR record : contains IP address to host name mappings.
CNAME : alias name. Used to give an additional name to a host.
MX record : used to map a DNS domain name to the host name of the mail server.
SRV record : used to map a service to a server. Service locator.
SOA : Start of Authority
It contains the serial number, primary server name, responsible person name,
refresh, retry and expire times, and TTL.
Zone Transfer
If the serial number increases, a zone transfer will happen from the primary DNS server to the secondary DNS server.
Advantages of Active Directory Integrated Zones :
1. Incremental zone transfer: it transfers only the new changes, not the entire data, so it reduces network traffic.
2. It supports both secure and dynamic updates.
3. It is replicated domain wide or forest wide through AD replication.
TTL Time To Live
DNS resolves host names to IP addresses for client systems and stores the results in its cache. If the same query comes next time, the DNS server will answer from its cached information without contacting other DNS servers. This information is stored in the cache for a specified amount of time, which is called the TTL. After that it is cleared from the cache.
ipconfig /registerdns
To manually register the server's A and PTR resource records, run this command at a command prompt: ipconfig /registerdns
Net Logon service
If the server is a Domain Controller, stop and restart the Net Logon service to register the Service (SRV) records in the DNS server.
NSLOOKUP : DNS diagnostic tool run from the command prompt.
What a DC registers in DNS?
The Netlogon service registers all the SRV records for that DC. These records are displayed as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name. Other computers look for these records to find Active Directory-related information.
DNS Dynamic Update : Client systems and servers register their host names and IP addresses in the DNS server without administrator intervention.
How to Allow Only Secure Dynamic Updates
1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2. Under DNS, expand the applicable DNS server, expand Forward Lookup Zones (or Reverse Lookup Zones), and then click the applicable zone.
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. In the Allow dynamic updates? box, click Only secure updates.
The secure dynamic update functionality is supported only for Active Directory-integrated
zones.
Stub Zone : It is created in remote places (branch offices) to increase the speed of the login process and of file access.
It holds only a read-only copy of the SOA, NS and A records. It reduces network traffic and bandwidth utilization.
How to Configure DNS Dynamic Update for DHCP Clients
By default, DHCP clients are configured to request that the client register the A resource record and the server register the PTR resource record. By default, the name that is used in the DNS registration is a concatenation of the computer name and the primary DNS suffix. To change this default name, open the TCP/IP properties of your network connection.
To enable DNS dynamic update on a Windows DNS server:
1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2. Click the appropriate zone under either Forward Lookup Zones or Reverse Lookup Zones.
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
5. If the zone type is Primary, click Yes in the Allow dynamic updates? list.
6. If the zone type is Active Directory-integrated, click either Yes or Only secure updates in the Allow dynamic updates? list, depending on whether you want DNS dynamic updates to be secure.
Why can't I use WINS for name resolution like it is used in Microsoft Windows NT 4.0?
A Windows 2000 DC does not register Active Directory-related information with a WINS server; it only registers this information with a DNS server that supports dynamic updates, such as a Windows 2000 DNS server. Other Windows 2000-based computers do not query
How to Configure DNS Dynamic Update on a Windows DHCP Server
To configure DNS dynamic update for a DHCP server:
1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
2. Click the appropriate DHCP server or a scope on the appropriate DHCP server.
3. On the Action menu, click Properties.
4. Click the DNS tab.
5. To enable DNS dynamic update for DHCP clients that support it, click to select the Automatically update DHCP client information in DNS check box. This check box is selected by default.
6. To enable DNS dynamic update for DHCP clients that do not support it, click to select the Enable updates for DNS clients that do not support dynamic updates check box. This check box is selected by default.
How to Enable DNS Dynamic Updates on a DHCP Server
DHCP and DNS servers now support dynamic updates to a DNS server.
Clients can dynamically update their forward lookup records themselves with the DNS server after the clients obtain a new IP address from a DHCP server.
In the DHCP server, you can dynamically update the DNS records for pre-Windows 2000 clients that cannot do it for themselves. This feature currently works only with the
Scavenging : Removing old unwanted records from DNS server.
Enable Aging and Scavenging
You need to enable the Aging and Scavenging feature at the server level, and optionally set the Aging feature on zones if you need different aging periods:
1. Open the DNS manager.
2. In the left pane, under the DNS icon, right-click the server name.
3. Click Set Aging/Scavenging for all zones.
4. Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.
To set the Aging feature on an individual zone:
1. Right-click the zone, and then click Properties.
2. Click Aging.
3. Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.
left pane, click Scavenge Stale Resource Records, and then click YES when asked if you want to scavenge.
How to move DNS Zones to Another DNS Server
To move zone files from one server to another, follow these steps:
To use the following method, the DNS Server service must be installed on a new server. The DNS Server service should not be configured yet.
1. On the DNS server that is currently hosting the DNS zone(s), change any Active Directory-integrated zones to standard primary. This action creates the zone files that are needed for the destination DNS server.
2. Stop the DNS Server service on both DNS servers.
3. Manually copy the entire contents of the %SystemRoot%\System32\DNS folder from the source server to the destination server.
4. On the current DNS server, start Registry Editor.
5. Locate and click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Zones
6. Export the Zones key to a registry file.
7. On the destination DNS server, double-click the registry file to import the Zones key into the registry.
8. Bring the current DNS server down and transfer its IP address to the destination DNS server.
9. On the destination DNS server, start the DNS Server service. To initiate the registration of the server's A and PTR resource records, run the following command at a command prompt: ipconfig /registerdns
10. If this server is also a domain controller, stop and restart the Net Logon service to register the Service (SRV) records, or run the following command at a command prompt: netdiag /fix
11. The standard zones that were previously Active Directory-integrated can be converted back to Active Directory-integrated on the replacement DNS server if it is a domain controller.
12. Verify that the SOA resource records on each zone contain the correct name for the primary server and that the NS resource records for the zone(s) are correct.
The steps outlined in this article do not migrate the following DNS server settings: Interfaces, Forwarders, Advanced, Root Hints, Logging, Security.
Port numbers
FTP 21, Telnet 23, HTTP 80, DNS 53, Kerberos 88, LDAP 389, Global Catalog 3268, DHCP client 67, DHCP server 68
DNS Interview Questions and Answer
1. Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?
Ans : PTR Records
2. What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa
3. SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.
4. By default, if the name is not found in the cache or local hosts file, what is the first step the client
takes to resolve the FQDN name into an IP address?
Performs a recursive search through the primary DNS server based on the network interface
configuration
What is the main purpose of SRV records?
SRV records are used in locating hosts that provide certain network services
5. Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone.
What is the most likely cause of this failure?
The zone you created was not configured to allow dynamic updates.
The local interface on the DNS server was not configured to allow dynamic updates.
6. Which of the following conditions must be satisfied to configure dynamic DNS updates for
legacy clients?
The zone to be used for dynamic updates must be configured to allow dynamic updates.
The DHCP server must support, and be configured to allow, dynamic updates for legacy clients.
7. At some point during the name resolution process, the requesting party received authoritative
reply. Which further actions are likely to be taken after this reply?
After receiving the authoritative reply, the resolution process is effectively over.
8. Your company uses ten domain controllers, three of which are also used as DNS servers. You
have one companywide AD-integrated zone, which contains several thousand resource records.
This zone also allows dynamic updates, and it is critical to keep this zone up-to-date.
Replication between domain controllers takes up a significant amount of bandwidth. You are looking to cut bandwidth usage for the purpose of replication. What should you do?
Change the replication scope to all DNS servers in the domain.
9. You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?
DNS servers are not caching replies. Local client computers are not caching replies. The cache.dns file may have been corrupted on the server.
What is the purpose of deploying local DNS servers?
A domain DNS server provides for the local mapping of fully qualified domain names to IP addresses. Because the DNS is a distributed database, the local DNS servers can provide record information to remote DNS servers to help resolve remote requests related to fully qualified domain names on your network.
DHCP Dynamic Host Configuration Protocol
DHCP client uses port 67
DHCP server uses port 68.
Location C:\systemroot\system32\dhcp.edb
DHCP is used to automatically assign IP addresses to clients, together with the subnet mask, default gateway and DNS server.
How DHCP Works
The DHCP server pings an available IP address before offering it. If the ping succeeds, the IP address is already in use by a system, so the DHCP server will not give that IP to the client.
If the ping fails and times out, the IP address is not in use by any system, and the DHCP server will give that IP to the client system.
Lease Process of DHCP server
It is called as DORA
D - Discover : the client system broadcasts packets to identify the DHCP server; this packet contains the source MAC address.
O - Offer : once this packet is received by the DHCP server, the server sends a packet containing the source IP and source MAC.
R - Request : the client system now contacts the DHCP server directly and requests the IP address.
A - Acknowledge : the DHCP server sends an acknowledgement packet with an IP address.
Disadvantage
Your machine name does not change when you get a new IP address. The DNS (Domain Name System)
name is associated with your IP address and therefore does change. This only presents a problem if other
clients try to access your machine by its DNS name.
DHCP Relay Agent
It is used to give IP addresses to a subnet which does not have a DHCP server.
It will be placed outside of our local network.
Scope : It is a range of IP address a DHCP server will assign to clients in a single subnet.
Superscope : It is a collection of scopes. It contains more than one scope.
It is used to give IP addresses to systems in multiple subnets.
A superscope allows a DHCP server to provide leases from more than one scope to clients on a single physical network. Before you can create a superscope, you must use DHCP Manager to define all scopes to be included in the superscope. Scopes added to a superscope are called member scopes.
Superscopes can resolve DHCP service issues in several different ways; these issues include situations in which:
Support is needed for DHCP clients on a single physical network segment (such as a single Ethernet LAN segment) where multiple logical IP networks are used. When more than one logical IP network is used on a physical network, these configurations are also known as multinets.
The available address pool for a currently active scope is nearly depleted and more computers need to be added to the physical network segment.
Clients need to be migrated to a new scope.
Support is needed for DHCP clients on the other side of BOOTP relay agents, where the network on the other side of the relay agent has multiple logical subnets on one physical network. For more information, see Supporting BOOTP Clients later in this chapter.
A standard network with one DHCP server on a single physical subnet is limited to leasing addresses to clients on the physical subnet.
Multicast Scope : It is assigned to one IP address. It is used to transmit multimedia data such as radio speech or TV programs. The purpose is to send the data once and have it delivered to all computers on the network. It uses Class D IP addresses.
It can be used to send messages to a group of computers at the same time.
1 :: To negate rogue DHCP servers from running within a domain, what is required for your DHCP server to function?
The DHCP server must be authorized in the Active Directory before it can function in the domain.
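The DORA exchange described earlier and the rogue-server question above, worked in an added example that is not code from the original page: constructed Python that decodes the BOOTP header and DHCP options of each message and flags OFFER/ACK packets whose server identifier is missing from the list of authorized servers, the check a defender runs over a capture when looking for an unauthorized DHCP server. The client MAC, the addresses 10.0.0.1 and 10.0.0.250 and the whole sample exchange are constructed; in a domain the allowlist would be the set of DHCP servers authorized in Active Directory.

```python
"""Constructed example: decode DORA messages (BOOTP fixed header + DHCP options)
and flag OFFER/ACK packets whose sender is not on the list of authorized servers."""
import struct
from ipaddress import IPv4Address

BOOTP_FORMAT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed header (RFC 2131)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_REQUESTED_IP = 53, 54, 50


def build_dhcp(msg_type: int, xid: int, mac: bytes, yiaddr="0.0.0.0",
               server_id=None, requested_ip=None) -> bytes:
    """Assemble a minimal DHCP message; used only to construct the sample packets."""
    op = 2 if msg_type in (2, 5, 6) else 1   # BOOTREPLY from servers, BOOTREQUEST from clients
    header = struct.pack(BOOTP_FORMAT, op, 1, 6, 0, xid, 0, 0x8000,   # flags: broadcast bit
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    if requested_ip:
        options += bytes([OPT_REQUESTED_IP, 4]) + IPv4Address(requested_ip).packed
    return header + MAGIC_COOKIE + options + b"\xff"


def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed header and the TLV option list into a dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    f = struct.unpack(BOOTP_FORMAT, packet[:236])
    hlen = f[2]
    msg = {"op": f[0], "xid": f[4], "mac": f[11][:hlen].hex(":"),
           "yiaddr": str(IPv4Address(f[8])), "options": {}}
    i = 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                        # 0 = pad, carries no length byte
            i += 1
            continue
        tag, length = packet[i], packet[i + 1]
        msg["options"][tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MESSAGE_TYPES.get(msg["options"].get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    sid = msg["options"].get(OPT_SERVER_ID)
    msg["server_id"] = str(IPv4Address(sid)) if sid else None
    return msg


def rogue_offers(packets, authorized_servers) -> list:
    """Return (server_id, offered_ip) for each OFFER/ACK from a server not in the allowlist.
    In a domain the allowlist is the set of DHCP servers authorized in Active Directory."""
    findings = []
    for msg in map(parse_dhcp, packets):
        if msg["type"] in ("OFFER", "ACK") and msg["server_id"] not in authorized_servers:
            findings.append((msg["server_id"], msg["yiaddr"]))
    return findings


# Constructed sample exchange: one client, the authorized server 10.0.0.1, and an
# unauthorized box at 10.0.0.250 that also answers the broadcast Discover.
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_EXCHANGE = [
    build_dhcp(1, 0xABCD1234, CLIENT_MAC),                                       # D: Discover
    build_dhcp(2, 0xABCD1234, CLIENT_MAC, "10.0.0.50", server_id="10.0.0.1"),    # O: Offer
    build_dhcp(2, 0xABCD1234, CLIENT_MAC, "10.0.0.99", server_id="10.0.0.250"),  # O: rogue Offer
    build_dhcp(3, 0xABCD1234, CLIENT_MAC, server_id="10.0.0.1", requested_ip="10.0.0.50"),  # R
    build_dhcp(5, 0xABCD1234, CLIENT_MAC, "10.0.0.50", server_id="10.0.0.1"),    # A: Ack
]

if __name__ == "__main__":
    for m in map(parse_dhcp, SAMPLE_EXCHANGE):
        print(f'{m["type"]:8} xid={m["xid"]:#x} mac={m["mac"]} '
              f'yiaddr={m["yiaddr"]} server={m["server_id"]}')
    print("unauthorized offers:", rogue_offers(SAMPLE_EXCHANGE, {"10.0.0.1"}))
```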
2 :: How can you configure the DHCP server so that it provides certain devices with the same IP address
each time the address is renewed?
You can create a reservation for the device (or create reservations for a number of devices). To create a reservation, you need to know the MAC hardware address of the device. You can use the ipconfig or nbtstat command-line utilities to determine the MAC address for a network device such as a computer or printer.
3 :: What TCP/IP configuration parameters can be provided to a DHCP client?
The DHCP server can supply a DHCP client an IP address and subnet mask. It also can optionally
include the default gateway address, the DNS server address, and the WINS server address to the client.
4 :: How is the range of IP addresses defined for a Windows Server 2008 DHCP server?
The IP addresses supplied by the DHCP server are held in a scope. A scope that contains more than one
subnet of IP addresses is called a superscope. IP addresses in a scope that you do not want to lease can
be included in an exclusion range.
WINS Windows Internet Name Service
It converts NETBIOS name to Ip Addresses.
DNS server converts Host name to Ip address.
A NetBIOS name is 16 characters: a 15-character system name
plus 1 character for the service name (DNS, DHCP, DC).
Commands to check a system's NetBIOS name :
nbtstat -n
ipconfig /all
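The 15 + 1 byte name layout above, as an added example that is not from the original page: constructed Python that builds a NetBIOS name with its service suffix byte, encodes it the way it travels in NBT packets (the RFC 1001 first-level encoding), and decodes it back. The suffix table holds the common well-known values; FS01 and CORP are assumed names.

```python
"""Constructed example: compose and decode the 16-byte NetBIOS name (15-character
padded host part + 1 suffix byte naming the service), including the RFC 1001
"first-level" encoding that carries the name in NBT packets."""
SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger Service",
            0x20: "File Server Service", 0x1B: "Domain Master Browser",
            0x1C: "Domain Controllers (group)", 0x1D: "Master Browser"}


def netbios_name(host: str, suffix: int) -> bytes:
    """Upper-case the host part, pad it with spaces to 15 bytes, append the suffix byte."""
    if not 1 <= len(host) <= 15 or not host.isascii():
        raise ValueError("NetBIOS host part must be 1-15 ASCII characters")
    return host.upper().ljust(15).encode("ascii") + bytes([suffix])


def first_level_encode(name16: bytes) -> str:
    """Each byte becomes two letters A..P (one per nibble); 16 bytes -> 32 characters."""
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in name16)


def first_level_decode(encoded: str) -> tuple:
    """Reverse the encoding and split the result into (host, suffix, service description)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    host, suffix = raw[:15].rstrip(b" ").decode("ascii"), raw[15]
    return host, suffix, SUFFIXES.get(suffix, f"unknown <{suffix:02X}>")
```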
The WINS server uses the LMHOSTS file, which contains all systems' NetBIOS names and their IP addresses.
Path C:\windows\system32\drivers\etc\lmhosts.sam
When a new system is added to the network, the LMHOSTS file must be manually updated by the system administrator. It must be created on all systems.
But the DNS server uses the Dynamic DNS method: when a new system is added, it updates the host name and IP address automatically.
RAID : Redundant Array of Inexpensive Disks
A Basic Disk can contain 4 primary partitions.
A Dynamic Disk has no such limitation.
NTFS file system
- Gives folder- and file-level security
- Supports file encryption
- Faster file access speed
- Supports compression
- Supports disk quotas
- Reduces disk fragmentation
Different Volume types
Simple Volume
Spanned Volume
Striped Volume - RAID 0
Mirrored Volume - RAID 1
RAID-5 Volume - RAID 5
RAID 0 - Striped Volume
3 hard disks will be used. If one hard disk fails we can't recover the data; we must restore from backups. We can use 100% of the space on all 3 disks.
RAID 1 - Mirrored Volume
2 hard disks will be used.
All data is copied to the second disk.
If one hard disk fails we can recover the data from the other hard disk.
We can use 50% of the space.
RAID-5 Volume
3 to 32 disks can be used.
Out of 3 disks, 1 disk is used for parity information; it takes 33% of the space. If the parity info is damaged, we can't recover a failed hard disk.
Parity information is used to recover the data from a failed hard disk.
RAID-6 Volume
Minimum 4 hard disks. 2 disks are used for dual parity. If one parity disk fails we can use the other parity disk to recover data.
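How parity recovers a failed disk, as an added example that is not from the original page: constructed Python that stripes data over 3 disks with rotating XOR parity (so one disk's worth of space is parity, as stated above), rebuilds any single lost disk from the survivors, and shows that a second loss in the same set, including loss of the parity needed for the rebuild, cannot be recovered. RAID-6's dual parity requires a second, different parity function and is not modelled here.

```python
"""Constructed example: RAID-5 striping with distributed XOR parity, rebuilding a
failed disk from the survivors, and why a second loss in the same set is fatal."""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length chunks; this is the parity chunk of a stripe."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def build_array(data: bytes, disks: int = 3, chunk: int = 4) -> List[List[bytes]]:
    """Write data across `disks` disks; each stripe holds disks-1 data chunks plus one
    parity chunk whose position rotates (stripe s puts parity on disk s % disks)."""
    per_stripe = chunk * (disks - 1)
    padded = data + b"\0" * (-len(data) % per_stripe)   # zero-pad the last stripe
    images: List[List[bytes]] = [[] for _ in range(disks)]
    for s in range(len(padded) // per_stripe):
        base = s * per_stripe
        pieces = [padded[base + k * chunk: base + (k + 1) * chunk] for k in range(disks - 1)]
        parity_disk, remaining = s % disks, iter(pieces)
        for d in range(disks):
            images[d].append(xor_blocks(pieces) if d == parity_disk else next(remaining))
    return images


def read_array(images: List[List[bytes]], length: int) -> bytes:
    """Reassemble the original data, skipping the parity chunk of every stripe."""
    disks, out = len(images), b""
    for s in range(len(images[0])):
        out += b"".join(images[d][s] for d in range(disks) if d != s % disks)
    return out[:length]


def rebuild_disk(images: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Regenerate a lost disk: every chunk is the XOR of the other disks' chunks in that
    stripe (data XOR data = parity, and parity XOR data = the missing data)."""
    survivors = [img for d, img in enumerate(images) if d != failed]
    if any(img is None for img in survivors):
        raise ValueError("RAID-5 tolerates a single failure; two lost disks cannot be rebuilt")
    return [xor_blocks([img[s] for img in survivors]) for s in range(len(survivors[0]))]


def simulate_failure(data: bytes, failed: List[int], disks: int = 3) -> Optional[bytes]:
    """Build the array, 'lose' the given disks, rebuild them and read the data back;
    returns None when the loss exceeds what single parity can recover."""
    images: List[Optional[List[bytes]]] = list(build_array(data, disks))
    for d in failed:
        images[d] = None
    try:
        for d in failed:
            images[d] = rebuild_disk(images, d)
    except ValueError:
        return None
    return read_array(images, len(data))


def usable_fraction(disks: int) -> float:
    """Share of raw capacity left for data; with 3 disks one disk's worth (33%) is parity."""
    return (disks - 1) / disks
```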
What is the ISTG Who has that role by default?
The first server in the site becomes the ISTG for the site. The domain controller holding this role may not necessarily also be a bridgehead server.
Windows Server 2008
What are RODCs? And what are the major benefits of using RODCs?
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server
2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only
partitions of the Active Directory Domain Services (AD DS) database.
What are the different editions of Windows Server 2008?
The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise Edition
provides a platform for large enterprise-wide networks. The Datacenter Edition provides support for unlimited Hyper-V virtualization and advanced clustering services. The Web Edition is a scaled-down
version of Windows Server 2008 intended for use as a dedicated web server. The Standard, Enterprise,
and Datacenter Editions can be purchased with or without the Hyper-V virtualization technology.
What two hardware considerations should be an important part of the planning process for a
Windows Server 2008 deployment?
Any server on which you will install Windows Server 2008 should have at least the minimum hardware
requirement for running the network operating system. Server hardware should also be on the Windows
Server 2008 Hardware Compatibility List to avoid the possibility of hardware and network operating system incompatibility.
What are the options for installing Windows Server 2008?
You can install Windows Server 2008 on a server not currently configured with NOS, or you can
upgrade existing servers running Windows 2000 Server and Windows Server 2003.
How do you configure and manage a Windows Server 2008 core installation?
This stripped-down version of Windows Server 2008 is managed from the command line.
What's New in Windows Server 2008 Active Directory Domain Services?
Active Directory Domain Services in Windows Server 2008 provides a number of enhancements over previous versions, including these:
Auditing : AD DS auditing has been enhanced significantly in Windows Server 2008. The enhancements provide more granular auditing capabilities through four new auditing categories: Directory Services Access, Directory Services Changes, Directory Services Replication, and Detailed Directory Services Replication. Additionally, auditing now provides the capability to log old and new values of an attribute when a successful change is made to that attribute.
Fine-Grained Password Policies : AD DS in Windows Server 2008 now provides the capability to create different password and account lockout policies for different sets of users in a domain. User and group password and account lockout policies are defined and applied via a Password Settings Object (PSO). A PSO has attributes for all the settings that can be defined in the Default Domain Policy, except Kerberos settings. PSOs can be applied to both users and groups.
Read-Only Domain Controllers : AD DS in Windows Server 2008 introduces a new type of domain controller called a read-only domain controller (RODC). RODCs contain a read-only copy of the AD DS database. RODCs are covered in more detail in Chapter 6, Manage Sites and Replication.
Restartable Active Directory Domain Services : AD DS in Windows Server 2008 can now be stopped and restarted through MMC snap-ins and the command line. The restartable AD DS service reduces the time required to perform certain maintenance and restore operations. Additionally, other services running on the server remain available to satisfy client requests while AD DS is stopped.
AD DS Database Mounting Tool : AD DS in Windows Server 2008 comes with an AD DS database mounting tool, which provides a means to compare data as it exists in snapshots or backups taken at different times. The AD DS database mounting tool eliminates the need to restore multiple backups to compare the AD data that they contain and provides the capability to examine any change made to data stored in AD DS.
Hyper-V
What are RODCs? And what are the major benefits of using RODCs?
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a
wide area network (WAN), there was no real alternative. In many cases, this was not an efficient
solution. Branch offices often cannot provide the adequate physical security that is required for a
writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also
hamper access to network resources.
Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems.
As a result, users in this situation can receive the following benefits:
Major benefits
* Improved security
* Faster logon times
* More efficient access to resources on the network
What does an RODC do?
Inadequate physical security is the most common reason to consider deploying an RODC. An RODC
provides a way to deploy a domain controller more securely in locations that require fast and reliable
authentication services but cannot ensure physical security for a writable domain controller.
However, your organization may also choose to deploy an RODC for special administrative
requirements. For example, a line-of-business (LOB) application may run successfully only if it is
installed on a domain controller. Or, the domain controller might be the only server in the branch office,
and it may have to host server applications.
In such cases, the LOB application owner must often log on to the domain controller interactively or use
Terminal Services to configure and manage the application. This situation creates a security risk that
may be unacceptable on a writable domain controller.
An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You
can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security
risk to the Active Directory forest.
You might also deploy an RODC in other scenarios where local storage of all domain user passwords is
a primary threat, for example, in an extranet or application-facing role.
What is REPADMIN?
Repadmin.exe: Replication Diagnostics Tool
This command-line tool assists administrators in diagnosing replication problems between Windows
domain controllers.
Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom
and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used
to manually create the replication topology (although in normal practice this should not be necessary), to
force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The
operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for
replication problems.
What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships.
It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
KCC
The KCC is a built-in process that runs on all domain controllers and generates replication topology for
the Active Directory forest. The KCC creates separate replication topologies depending on whether
replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically
adjusts the topology to accommodate new domain controllers, domain controllers moved to and from
sites, changing costs and schedules, and domain controllers that are temporarily unavailable.
How do you view replication properties for AD?
By using Active Directory Replication Monitor.
Start> Run> Replmon
What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to
configure Active Directory access and replication topology to take advantage of the physical network.
What Windows Server 2008 service is used to install client operating systems over the network?
Windows Deployment Services (WDS) enables you to install client and server operating systems over
the network to any computer with a PXE-enabled network interface.
What domain services are necessary for you to deploy the Windows Deployment Services on your
network?
Windows Deployment Services requires that a DHCP server and a DNS server be installed in the
domain
How is WDS configured and managed on a server running Windows Server 2008?
The Windows Deployment Services snap-in enables you to configure the WDS server and add boot and
install images to the server.
What protocol stack is installed by default when you install Windows Server 2008 on a network
server?
TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is required for Active Directory implementations and provides for connectivity on heterogeneous networks.
What are some of the tools used to manage Active Directory objects in a Windows Server 2008
domain?
When the Active Directory is installed on a server (making it a domain controller), a set of Active
Directory snap-ins is provided.
The Active Directory Users and Computers snap-in is used to manage Active Directory objects such
as user accounts, computers, and groups.
The Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined between domains.
The Active Directory Sites and Services snap-in provides for the management of domain sites and
subnets.
New Features in Windows Server 2008
Self-healing NTFS file system : In WS2K8, a new system service works in the background that can detect a file system error and perform a healing process without anyone taking the server down.
Clean service shutdown : One of Windows' historical problems concerns its system shutdown procedure. In XP, once shutdown begins, the system starts a 20-second timer. After that time is up, it asks the user whether she wants to terminate the application herself.
In WS2K8, that 20-second countdown has been replaced with a service that gives applications that have been signalled all the time they need to shut down, as long as they continually signal back that they're indeed shutting down.
Virtualization : Microsoft's Hyper-V hypervisor-based virtualization technology
Server Core
Many server administrators, especially those used to working in a Linux environment, instinctively
dislike having to install a large, feature-packed operating system to run a particular specialized server.
Server 2008 offers a Server Core installation, which provides the minimum installation required to carry
out a specific server role, such as a DHCP, DNS or print server.
Because the Server Core installation option installs only what is required to have a manageable server for the
AD DS, AD LDS, AD CS, DHCP Server, DNS Server, File Services, Print Services, Web Server and Hyper-V
server roles, less maintenance is required than on a full installation of Windows Server 2008.
IIS
IIS 7, the Web server bundled with Server 2008, is a big upgrade from the previous version. "There are
significant changes in terms of security and the overall implementation which make this version very
attractive."
Windows PowerShell
Microsoft's new(ish) command line shell and scripting language has proved popular with some server
administrators, especially those used to working in Linux environments. Included in Server 2008,
PowerShell can make some jobs quicker and easier to perform than going through the GUI.
Read Only Domain Controllers (RODC)
It's hardly news that branch offices often lack skilled IT staff to administer their servers, but they also
face another, less talked about problem. While corporate data centers are often physically secured,
servers at branch offices rarely have the same physical security protecting them. This makes them a
convenient launch pad for attacks back to the main corporate servers. RODC provides a way to make an
Active Directory database read-only.
Network Access Protection
Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall
and in compliance with corporate security policies, and that those that are not can be remediated, is
useful. However, similar functionality has been and remains available from third parties.
New password policies. No longer is there a restriction of one password policy per domain.
Group Policy database. Server 2008 adds a searchable database for group policy managers, so admins
no longer have to track this manually.
Active Directory Rights Management Services (AD RMS). This was available in Server 2003 but
only as an add-on purchase. The new version adds new features to limit access to certain files.
Windows Remote Shell (WinRS). This is a more advanced version of Terminal Services that allows
connections to many remote computers at a time, all from a single console.
The Print Management Console (PMC). First making its debut in Windows Server 2003 R2, this new
release is a native function and is available as a snap-in addition for the Microsoft Management Console
(MMC). This handy utility lets an administrator see every printer in the entire organization, and map
printers to specific user groups.
RemoteApp & Desktop Connections (RAD)
RemoteApp was introduced with Windows Server 2008. It allows end-users to launch a single
application on a remote server via RDP. Desktop Connections are common sessions on a Terminal
Server.
Virtual Desktop Infrastructure (VDI)
Desktop Virtualization is a new feature in Windows Server 2008 R2.
VSS Writer
Windows Server Backup is scheduled to run nightly but will often fail intermittently and then
consistently. From a command line one can see the status of the Volume Shadow Copy writers by
typing vssadmin list writers . A number of the writers will show:
State: [5] Waiting for completion
Last error: No error
Stopping and starting the Volume Shadow Copy service does not change the status. A reboot of the
server does fix the issue but is not a good solution. The easiest way to fix the status is to run a Backup
Once of just the C drive to either a local or remote drive. Once completed, the writers all go back to
Stable, No Error.
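As an added example (not part of the original page), the following PowerShell parses the output of "vssadmin list writers" and returns every writer that is not reporting "[1] Stable" with "No error", so a stuck writer can be spotted before the nightly Windows Server Backup run instead of after it fails. The sample output embedded in the script is constructed for offline use; on a server, replace it with the live command as shown in the comment. The function names are assumptions.

```powershell
# Added example, not from the original page: report VSS writers that are not healthy.
# Parses the text layout of "vssadmin list writers":
#   Writer name: 'System Writer'
#      Writer Id: {...}
#      Writer Instance Id: {...}
#      State: [1] Stable
#      Last error: No error
function Get-VssWriterState {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Lines   # lines of "vssadmin list writers" output
    )
    $writers = @()
    $current = $null
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -match "^Writer name: '(.+)'$") {
            if ($current) { $writers += $current }
            $current = New-Object PSObject -Property @{ Name = $matches[1]; State = ''; LastError = '' }
        }
        elseif ($current -and $trimmed -match '^State: (.+)$')      { $current.State = $matches[1] }
        elseif ($current -and $trimmed -match '^Last error: (.+)$') { $current.LastError = $matches[1] }
    }
    if ($current) { $writers += $current }
    return $writers
}

# A writer is healthy only when it is Stable AND reports no error; anything else
# (for example "[5] Waiting for completion") will make the next backup fail.
function Get-UnhealthyVssWriters {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    Get-VssWriterState -Lines $Lines |
        Where-Object { $_.State -ne '[1] Stable' -or $_.LastError -ne 'No error' }
}

# Constructed sample output (GUIDs are placeholders). On a real server use instead:
#   $raw = vssadmin list writers
$raw = @'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-0000000000a1}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000b1}
   State: [1] Stable
   Last error: No error

Writer name: 'Registry Writer'
   Writer Id: {00000000-0000-0000-0000-0000000000a2}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000b2}
   State: [5] Waiting for completion
   Last error: No error

Writer name: 'WMI Writer'
   Writer Id: {00000000-0000-0000-0000-0000000000a3}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000b3}
   State: [1] Stable
   Last error: Retryable error
'@ -split "`r?`n"

$unhealthy = @(Get-UnhealthyVssWriters -Lines $raw)
if ($unhealthy.Count -eq 0) {
    'All VSS writers are Stable / No error'
} else {
    "$($unhealthy.Count) writer(s) need attention:"
    $unhealthy | Format-Table Name, State, LastError -AutoSize
}
```

With the constructed sample the script lists Registry Writer (state not Stable) and WMI Writer (error reported) and leaves System Writer out. Running it before the scheduled backup window, and alerting on a non-empty result, turns the intermittent-then-consistent failure described above into something that is caught on the first occurrence.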
Migrating from 2003 to 2008
1. Provide a static IP address to the Windows Server 2008 box you intend to use as Domain Controller.
2. Prepare your Active Directory environment for the first Windows Server 2008 Domain Controller by
running adprep.exe with the needed switches.
3. Make the Windows Server 2008 box an extra Domain Controller for your existing domain by running
dcpromo.exe.
4. Make the new server a Global Catalog server.
5. When your Windows Server 2003 Domain Controller is the only DNS Server, convert your DNS
zone into an Active Directory Integrated Zone. Install DNS on the new server and it will automatically
be populated. If another server is your DNS Server you need not do anything with DNS.
6. Migrate any data you'd want to migrate to the new Windows Server 2008 box (except for the
SYSVOL and NETLOGON shares, these will be copied automatically).
7. Migrate any Server roles you'd want to migrate to the new Windows Server 2008 box (think about
Certificate services, DHCP, Print Server and any business specific application at this moment).
8. Transfer all the FSMO roles from the Windows Server 2003 Active Directory Domain Controller to
the Windows Server 2008 Domain Controller.
9. Get rid of your Windows Server 2003 box as a Domain Controller by demoting it using
dcpromo.exe.
10. Optional: (see step 4) When your current Domain Controller is DNS Server and you don't want it to
be anymore, be sure to change this information on your clients (change the DHCP option, when DHCP is
available) and reconfigure your DNS zones not to include the old server anymore.
11. Remove the Windows Server 2003 box from the domain and delete its computer account from Active
Directory.
12. Get rid of your Windows Server 2003 box.
Transitioning your Active Directory will not require you to configure anything on the desktops of your users,
and your users can start using the server right away, since each Active Directory Domain Controller stores a
copy of the Active Directory information, like users, computers, etc., and the NETLOGON and SYSVOL shares.
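Before step 9 removes the Windows Server 2003 Domain Controller, a practitioner wants proof that steps 4 and 8 actually took effect. The PowerShell below is an added example, not part of the original page and not a Microsoft tool: it reads the fSMORoleOwner attribute of the five well-known directory objects through ADSI, resolves each owner to the DC's DNS host name, and checks the isGlobalCatalogReady flag on the new DC. The name dc2008.example.local is a placeholder, and the script assumes it runs on a domain-joined machine under an account with read access to the directory.

```powershell
# Added example, not from the original page: verify FSMO role holders and GC status
# before demoting the old Windows Server 2003 DC.
function Get-FsmoRoleHolders {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNC = [string]$rootDse.defaultNamingContext
    $configNC  = [string]$rootDse.configurationNamingContext
    $schemaNC  = [string]$rootDse.schemaNamingContext

    # Each role is recorded as the fSMORoleOwner attribute of one well-known object.
    $roleObjects = @{
        'SchemaMaster'         = "LDAP://$schemaNC"
        'DomainNamingMaster'   = "LDAP://CN=Partitions,$configNC"
        'PDCEmulator'          = "LDAP://$defaultNC"
        'RIDMaster'            = "LDAP://CN=RID Manager`$,CN=System,$defaultNC"
        'InfrastructureMaster' = "LDAP://CN=Infrastructure,$defaultNC"
    }

    $holders = @{}
    foreach ($role in $roleObjects.Keys) {
        $obj    = [ADSI]$roleObjects[$role]
        $ntdsDn = [string]$obj.fSMORoleOwner        # DN of the owner's "NTDS Settings" object
        # The parent of "NTDS Settings" is the server object, which carries dNSHostName.
        $serverDn = $ntdsDn.Substring($ntdsDn.IndexOf(',') + 1)
        $server   = [ADSI]"LDAP://$serverDn"
        $holders[$role] = [string]$server.dNSHostName
    }
    return $holders
}

# RootDSE of a specific DC reports TRUE once it is advertising as a Global Catalog.
function Test-IsGlobalCatalog {
    param([Parameter(Mandatory = $true)][string]$DcHostName)
    $rootDse = [ADSI]"LDAP://$DcHostName/RootDSE"
    return ([string]$rootDse.isGlobalCatalogReady -eq 'TRUE')
}

$expectedDc = 'dc2008.example.local'   # placeholder: FQDN of the new Windows Server 2008 DC

$holders = Get-FsmoRoleHolders
$holders.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# Any role still pointing elsewhere means step 8 is incomplete; do not demote the old DC yet.
$stale = @($holders.GetEnumerator() | Where-Object { $_.Value -ne $expectedDc })
if ($stale.Count -gt 0) {
    Write-Warning ("Roles not yet on " + $expectedDc + ": " + (($stale | ForEach-Object { $_.Name }) -join ', '))
}
if (-not (Test-IsGlobalCatalog -DcHostName $expectedDc)) {
    Write-Warning "$expectedDc is not yet advertising as a Global Catalog (step 4)"
}
```

The built-in "netdom query fsmo" prints the same five role holders and is a quick cross-check of what the script reports. Demoting a DC that still holds a role, or removing the only Global Catalog, is what leaves a domain without working logons, which is why both checks belong between steps 8 and 9 rather than after step 12.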
Backup Types
1. Normal backup - It copies all the files that are marked to be backed up.
2. Incremental backup - It copies only those files that have been created or changed since the last incremental
or normal backup. It clears the archive attribute.
3. Differential backup - It copies only those files that have been created or changed since the last normal
or incremental backup. It does not clear the archive attribute.
4. Copy backup - It copies all the files you have selected.
5. Daily backup - It copies all the files you have selected that have been modified on that day.
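To make the archive-attribute behaviour behind these five types concrete, here is an added PowerShell example (not from the original page). Invoke-SimulatedBackup models each type against a constructed in-memory file set, showing that repeated differential runs keep selecting the same changed files while a second incremental run selects nothing, and Get-FilesPendingBackup applies the same rule to a real folder by listing the files whose Archive attribute is still set. The file names, dates, and function names are assumptions.

```powershell
# Added example, not from the original page: model the five backup types and the archive attribute.
# Archive = $true means the file changed since it was last captured by a Normal or Incremental backup.
function Invoke-SimulatedBackup {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Normal', 'Incremental', 'Differential', 'Copy', 'Daily')]
        [string]$Type,
        [Parameter(Mandatory = $true)]
        [hashtable]$Files,                 # name -> @{ Archive = bool; ModifiedOn = 'yyyy-MM-dd' }
        [string]$Today = '2019-07-28'      # constructed "current day" for the Daily type
    )
    $selected = @()
    foreach ($name in ($Files.Keys | Sort-Object)) {
        $f = $Files[$name]
        $take = switch ($Type) {
            'Normal'       { $true }                      # everything
            'Incremental'  { $f.Archive }                 # changed since last Normal/Incremental
            'Differential' { $f.Archive }                 # same selection, attribute left set
            'Copy'         { $true }                      # everything, attribute untouched
            'Daily'        { $f.ModifiedOn -eq $Today }   # modified today, attribute untouched
        }
        if ($take) {
            $selected += $name
            # Only Normal and Incremental mark the file as backed up (clear the attribute).
            if ($Type -eq 'Normal' -or $Type -eq 'Incremental') { $f.Archive = $false }
        }
    }
    return $selected
}

# On a real folder: the files a Differential or Incremental run would pick up right now.
function Get-FilesPendingBackup {
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Archive) } |
        Select-Object FullName, LastWriteTime
}

# Constructed sample: two files changed since the last Normal backup, one unchanged.
$files = @{
    'payroll.xlsx' = @{ Archive = $true;  ModifiedOn = '2019-07-28' }
    'config.ini'   = @{ Archive = $true;  ModifiedOn = '2019-07-20' }
    'readme.txt'   = @{ Archive = $false; ModifiedOn = '2019-06-01' }
}

'Daily:              ' + ((Invoke-SimulatedBackup -Type Daily        -Files $files) -join ', ')
'Differential:       ' + ((Invoke-SimulatedBackup -Type Differential -Files $files) -join ', ')
'Differential again: ' + ((Invoke-SimulatedBackup -Type Differential -Files $files) -join ', ')
'Incremental:        ' + ((Invoke-SimulatedBackup -Type Incremental  -Files $files) -join ', ')
'Incremental again:  ' + ((Invoke-SimulatedBackup -Type Incremental  -Files $files) -join ', ')
```

With the sample set, Daily selects only payroll.xlsx, both Differential runs select config.ini and payroll.xlsx, the first Incremental run selects the same two files, and the second Incremental run selects nothing because the attribute was cleared. That difference is what decides the restore chain: a Normal plus the latest Differential is enough to restore, whereas Incrementals must be restored in order from the last Normal onward.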