wintel ad interview questions

Upload: kannanmoork

Post on 03-Apr-2018


  • 7/28/2019 Wintel AD Interview Questions


    Windows Active Directory

    Workgroup: A group of computers. To access a system we have to create a login name in each system
    in order to access a file in that system. If we want to log in to another system, we again
    have to create our login name in that system.

    Domain: A group of systems in a network. The user name is created in the domain, and we can
    log in to any system in that network and access any file in any system.

    What is a DC?

    A DC is a Domain Controller that contains the copy of Active Directory

    for a domain.

    What is the primary function of domain controllers?

    The primary function of domain controllers is to validate users to the network. However, domain

    controllers also provide the catalog of Active Directory objects to users on the network.

    What is an ADC? Additional Domain Controller

    An ADC is a copy of the DC. If the DC fails, the ADC can be converted to the DC.

    It gives load balancing and fault tolerance.

    Group: A collection of users. It is used to give permissions and access rights to a
    collection of users.

    OU (Organizational Unit): It is like a container; it contains users, groups, computers and other
    OUs. It is used to create departments or branches, and to delegate administrative rights to a user in that OU.

    Windows 2003 Versions:

    Standard: Max RAM 4 GB

    Enterprise: 64 GB

    Web Edition: 4 GB, cannot run DCPROMO, so no DC and no clusters

    Datacenter: 512 GB

    What is the Global Catalog?

    It stores all objects in the directory for its host domain and partial information about all objects of every
    other domain in the forest. The information is partial because it stores only some attributes of each
    object.

    The GC performs two key directory roles:

    1. It provides universal group membership information when a user logs on to a DC.

    2. We can search for and locate user information in any domain in the forest.

    When a user logs on to the network, the GC provides universal group membership
    information for the account sending the logon request to the DC. If a GC is not available, the
    user is only able to log on to the local computer.


    If a user is a member of the Domain Admins group, they are able to log on to the network

    even when a global catalog is not available.

    What is Active Directory?

    AD is a database. It stores information about users, groups, printers and network resources and
    makes the resources accessible to users and computers.

    1. It helps to centrally manage, organize and control access to resources.

    2. It provides user logon and authentication services.

    3. Users can search for and locate objects in the forest.

    File name of the Active Directory database = Ntds.dit. File size 40 MB, max size 16 TB.

    NTDS = New Technology Directory Service; DIT = Directory Information Tree.

    Active Directory includes 4 files:

    Ntds.dit, EDB.LOG, EDB.chk, Res1.log and Res2.log

    Location: %systemroot%\ntds\ (ntds.dit, EDB.log, EDB.chk, Res1.log and Res2.log)

    Minimum requirements for installing AD

    1. Windows Server, Advanced Server or Datacenter Server

    2. Minimum disk space of 200 MB for AD and 50 MB for log files

    3. NTFS partition

    4. TCP/IP installed and configured to use DNS

    5. Administrative privilege for creating a domain in an existing network

    What is LDAP? LDAP port number: 389

    Lightweight Directory Access Protocol

    LDAP is the directory service protocol used to access AD. It is used to exchange directory
    information from server to clients or from server to server.

    How will you verify whether the AD installation is proper?

    Verifying database and log files

    Make sure that the following files are present in %systemroot%\ntds:

    Ntds.dit, Edb.*, Res*.log

    Active Directory includes 4 files.

    1. NTDS.DIT

    This is the AD database and stores all AD objects. The default location is %SystemRoot%\ntds\NTDS.DIT.

    2. Verifying the SYSVOL folder in %systemroot%\sysvol\sysvol

    If the SYSVOL folder is not properly created, data stored in SYSVOL such as scripts, GPOs,
    etc. will not be replicated between DCs.


    Verify that the following folders were created in the SYSVOL folder:

    Domain

    Staging

    Staging areas

    Sysvol

    Then verify the 2 shares:

    >net share

    It should show two shares, NETLOGON and SYSVOL.

    What is the use of the SYSVOL folder?

    Group Policies and scripts saved in the SYSVOL folder are replicated to all domain controllers in the domain.

    FRS (File Replication Service) is responsible for replicating all policies and scripts.

    3. Verify SRV resource records

    After AD is installed, the DC registers SRV records in DNS when it restarts. We can
    check this using the DNS MMC or the nslookup command.

    Using MMC

    If the SRV records are registered, the following folders will be present under the domain folder in the Forward Lookup Zone:

    _msdcs

    _sites

    _tcp

    _udp

    Using nslookup

    >nslookup

    >ls -t SRV domain

    If the SRV records are properly created, they will be listed.
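The three checks above (database files, SYSVOL/NETLOGON shares, SRV records) as one PowerShell health check. This is an added example, not part of the original notes; it assumes a Windows Server 2012 or later DC with the DnsClient and SmbShare modules, and `example.com` is a placeholder domain name.

```powershell
# Added example (not from the page): post-DCPROMO health check in PowerShell.
# Assumes a Windows Server 2012+ DC; $domain below is a placeholder to replace.
$domain = "example.com"   # assumed placeholder, replace with your DNS domain name

# 1. Database and log files under %systemroot%\ntds (default path)
$ntdsDir  = Join-Path $env:SystemRoot "ntds"
$expected = @("ntds.dit", "edb.log", "edb.chk")
foreach ($f in $expected) {
    $p = Join-Path $ntdsDir $f
    if (Test-Path $p) { Write-Host "OK      $p" } else { Write-Warning "MISSING $p" }
}
# Reserved logs are Res*.log on Windows 2003 and edbres*.jrs on newer releases; list whichever exists
Get-ChildItem -Path "$ntdsDir\*" -Include "res*.log", "edbres*.jrs" -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host ("OK      {0} ({1} MB)" -f $_.FullName, [int]($_.Length / 1MB)) }

# 2. SYSVOL and NETLOGON shares (PowerShell equivalent of 'net share')
$shares = Get-SmbShare | Select-Object -ExpandProperty Name
foreach ($s in "SYSVOL", "NETLOGON") {
    if ($shares -contains $s) { Write-Host "OK      share $s present" } else { Write-Warning "share $s missing" }
}

# 3. SRV records the DC must register (equivalent of 'ls -t SRV domain' in nslookup)
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$domain",
    "_kerberos._tcp.$domain",
    "_gc._tcp.$domain"
)
foreach ($name in $srvNames) {
    try {
        $rec = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop | Where-Object Type -eq "SRV"
        foreach ($r in $rec) { Write-Host ("OK      {0} -> {1}:{2}" -f $name, $r.NameTarget, $r.Port) }
    } catch {
        Write-Warning "SRV record $name not found: $($_.Exception.Message)"
    }
}
```

A missing `_ldap._tcp.dc._msdcs` record is the usual reason clients cannot locate the new DC; restarting the Netlogon service re-registers the records.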

    EDB.LOG

    This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log,
    where nnnn is an increasing number starting from 1.

    EDB.CHK

    This is the checkpoint file used to track data not yet written to the database file. It
    indicates the starting point from which data is to be recovered from the log file in case of failure.

    Res1.log and Res2.log

    These are reserved transaction log files of 20 MB (10 MB each) which give the transaction log files enough room to shut down if the other space is being used.

    Explain ADS Database Garbage Collection Process?

    Garbage Collection is a process to free space within the Active Directory database.


    This process runs on every DC every 12 hours.

    The Garbage Collection process has 3 main steps:

    1. Removing "tombstones" from the database. Tombstones are deleted objects.

    (Tombstones: When an object is deleted, it is not actually removed from the Active Directory database.
    It is marked for deletion at a later date. When the Tombstone Lifetime is over, the object is deleted.)

    2. Deletion of any unnecessary log files.

    3. The process launches an online defragmentation to create space. This method does not shrink the Active Directory database file (Ntds.dit).

    There are two ways to defragment the Active Directory database:

    Online defragmentation: the method that runs as part of the garbage collection process. The only
    advantage of this method is that the server does not need to be taken offline for it to run.
    This method does not shrink the Active Directory database file (Ntds.dit). It runs on the DC every 12 hours.

    Offline defragmentation: This is done by taking the server offline and using Ntdsutil.exe to defragment the database. Start the server in repair mode (Directory Services Restore Mode). In this method the database size is
    reduced.

    To defrag ntds.dit offline:

    Back up System State in the backup wizard. Reboot and select Directory Services Restore Mode.

    At the command prompt type:

    Ntdsutil

    Files

    Info

    This will display current information about the path and size of the Active Directory database
    and its log files.

    Compact to D:\DbBackup\

    You must specify a directory path, and if the path name has spaces the command will not work unless you use quotation marks.

    Quit (repeat until you reach the command prompt)

    A new compacted database named Ntds.dit can be found in D:\DbBackup.

    Copy the new ntds.dit file over the old ntds.dit file. You have successfully compacted the Active Directory database.
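The tombstone lifetime and garbage collection period described above are attributes on the Directory Service object in the configuration partition, and the ntdsutil `files info` step can be run non-interactively. The script below is an added example, not from the original notes; it assumes the ActiveDirectory module (RSAT, Windows Server 2012+) and the right to run ntdsutil on a DC.

```powershell
# Added example (not from the page): read the forest's garbage collection settings,
# flag DCs that have not replicated within the tombstone lifetime, and show the
# database file information that 'ntdsutil -> files -> info' reports.
Import-Module ActiveDirectory

# tombstoneLifetime (days) and garbageCollPeriod (hours, default 12) live on the
# Directory Service object in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                      -Properties tombstoneLifetime, garbageCollPeriod

# When the attribute is unset, Windows 2003 RTM forests default to 60 days (later forests
# default to 180); 60 is the conservative assumption used here.
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
$gcp = if ($dsObj.garbageCollPeriod) { $dsObj.garbageCollPeriod } else { 12 }
Write-Host "Tombstone lifetime       : $tsl days"
Write-Host "Garbage collection period: $gcp hours"

# A DC that has not replicated for longer than the tombstone lifetime can re-introduce
# objects that were already tombstoned and collected elsewhere (lingering objects).
$cutoff = (Get-Date).AddDays(-$tsl)
Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target $_.HostName -ErrorAction SilentlyContinue
} | Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
    Select-Object Server, Partner, LastReplicationSuccess |
    Format-Table -AutoSize

# Non-interactive equivalent of the 'files' / 'info' steps above. "activate instance ntds"
# is needed on Windows Server 2008 and later; on Windows 2003 omit that argument.
& ntdsutil.exe "activate instance ntds" "files" "info" "quit" "quit"
```

The offline compaction itself (`compact to`) still has to be run in Directory Services Restore Mode as the notes describe; the script only reads the settings and the file information.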

    Active Directory partitions (3, plus the application partition in Windows 2003)

    1. Configuration partition

    2. Schema partition

    3. Domain partition

    4. Application partition (only in Windows 2003, not available in Windows 2000)

    What is the physical structure of AD?

    Physical structure is: Forests > Trees > Domains > Child Domains > Grandchild Domains

    What are the components of Active Directory?

    There are two types of components:

    One is logical structures: Domains, Organizational Units, Trees and Forest

    The second one is physical structures: Sites and Domain Controllers

    Command to install Active Directory

    Start > Run, type DCPROMO

    When installing or removing Active Directory the following log files are created in the
    %systemroot%\Debug folder:

    Dcpromoui.log

    Dcpromos.log

    Dcpromo.log

    Introducing domain trees and forests

    TREES

    A tree is a hierarchical arrangement of W2K domains that share a contiguous name space. The
    first domain in a domain tree is called the root domain. Additional domains in the same
    domain tree are child domains. A domain immediately above another domain in the same
    domain tree is referred to as the parent of the child domain.

    FORESTS

    A forest consists of multiple domain trees. The domain trees in a forest do not form a
    contiguous namespace but share:

    A common schema

    Common configuration information

    A common global catalog

    Explain schema?

    The schema is the collection of objects, their classes and attributes. Example:

    Object = User Name

    Attributes: Home Dir, Home Address

    Schema objects cannot be deleted; objects can be marked as deactivated.

    This is managed by the Schema Master.

    Explain sites. What are the advantages of sites?

    A site consists of one or more IP subnets connected by a high-speed link.

    Uses of sites

    Service requests: When a client requests a service from a domain controller, it directs the request to a
    domain controller in the same site. Selecting a domain controller that is well connected
    to the client makes handling the request more efficient.

    Replication: Sites streamline replication of directory information and reduce replication traffic.

    GC and infrastructure master should not be on the same server. Why?

    The infrastructure master is responsible for updating references from objects in its domain to
    objects in other domains. The infrastructure master compares its data with that of a global
    catalog. Global catalogs receive regular updates for objects in all domains through replication,
    so the global catalog's data will always be up to date. If the infrastructure master finds data
    that is out of date, it requests the updated data from a global catalog. The infrastructure
    master then replicates that updated data to the other domain controllers in the domain.

    Important

    1. If the infrastructure master and global catalog are on the same domain controller, the
    infrastructure master will not function. The infrastructure master will never find data
    that is out of date, so it will never replicate any changes to the other domain controllers in the domain.

    2. If all of the domain controllers in a domain are also hosting the global catalog, all of
    the domain controllers will have the current data and it does not matter which domain
    controller holds the infrastructure master role.

    FOREST-WIDE OPERATIONS MASTER ROLES

    There can be only one schema master and one domain naming master for the entire forest.

    Schema master

    Domain naming master


    Schema master

    The schema master DC controls all updates and modifications to the schema.

    Domain naming master

    Domain Naming Master DC controls the addition or removal of domains in the forest.

    DOMAIN-WIDE OPERATIONS MASTER ROLES

    Every domain in the forest must have the following roles:

    Relative ID master

    Primary DC (PDC) emulator

    Infrastructure master

    What is FSMO?

    Flexible Single Master Operations.

    What are the FSMO roles?

    Schema master

    Domain naming master

    RID master

    PDC emulator

    Infrastructure master

    Schema Master

    The schema master is responsible for performing updates to the directory schema.
    This DC is the only one that can process updates to the directory schema. Once the schema update is
    complete, it is replicated from the schema master to all other DCs in the directory. There is only one
    schema master per directory.

    Domain Naming Master

    This DC is the only one that can add or remove a domain from the directory.

    RID Master

    The RID master gives relative IDs to all DCs in the domain.

    When we create a user or group, it gives an ID to each user: the SID.

    Each user has a SID. This SID consists of a domain SID and a relative ID (RID). The domain ID is given to the domain; the RID is the ID given to the user.

    ACL: Access Control List

    Each file has an ACL, which maintains the list of SIDs that have the access rights to access the file.
    So the SID is used by files to give access permissions.
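To make the SID = domain SID + RID split and the "list of SIDs in an ACL" concrete, here is an added PowerShell example (not from the original notes). The SID `S-1-5-21-1111-2222-3333-500` is a constructed sample, and the file path is only an illustration; the first function needs no domain connection.

```powershell
# Added example (not from the page): split a SID into domain SID and RID, and list
# the SIDs behind the entries of an NTFS ACL. Sample SID below is constructed.
function Split-Sid {
    param([string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    # The RID is the last sub-authority; AccountDomainSid is everything before it
    $rid = [int]($SidString.Split('-')[-1])
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = $sid.AccountDomainSid.Value
        Rid       = $rid
        # RIDs below 1000 are well-known (500 = built-in Administrator, 512 = Domain Admins);
        # the RID master hands out the pools from which new accounts get RIDs >= 1000
        WellKnown = ($rid -lt 1000)
    }
}

# Constructed sample: domain SID S-1-5-21-1111-2222-3333 with RID 500
Split-Sid "S-1-5-21-1111-2222-3333-500" | Format-List

# Each ACE in a file's ACL is stored by SID; the account name is resolved only for display.
function Get-AclSids {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{
            Sid     = $sid.Value
            Account = $ace.IdentityReference.Value
            Rights  = $ace.FileSystemRights
            Type    = $ace.AccessControlType
        }
    }
}

# Any existing file works; notepad.exe is used only because it is present on every Windows host
Get-AclSids -Path "$env:SystemRoot\notepad.exe" | Format-Table -AutoSize
```

Because the ACL stores SIDs rather than names, an entry whose SID no longer resolves (a deleted account) shows up as an unresolved `S-1-5-21-...` string; those orphaned entries are worth reviewing when auditing file permissions.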


    PDC Emulator FSMO role

    Time synchronization

    Password changes

    Authentication failures

    Account lockouts

    The PDC emulator is necessary to synchronize time so that all Windows 2000-based computers within an enterprise use a common time.

    Password changes performed by other DCs in the domain are replicated preferentially
    to the PDC emulator.

    Authentication failures that occur at a given DC in a domain because of an incorrect
    password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

    Account lockout is processed on the PDC emulator.

    ator receives no down-level replica requests.

    Infrastructure Master

    It is responsible for updating group membership information when a group is added or modified.

    Schema master, Domain naming master: one per forest

    RID master, PDC emulator, Infrastructure master: one per domain

    How to find out the FSMO roles on a server:

    Schema Master

    1. Open Run, type cmd, then type regsvr32 schmmgmt.dll. You should receive a success confirmation; click OK.

    2. Type mmc. On the Console menu, click Add/Remove Snap-in.

    3. Choose Active Directory Schema from the list and add it. Click Add, then Close, then OK.

    4. Click the Active Directory Schema icon. After it loads, right-click it and click
    Operations Masters.

    To find out the Domain Naming Master role:

    1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools
    folder.

    2. Right-click the Active Directory Domains and Trusts icon and click Operations
    Masters.

    3. When you're done, click Close.

    Finding the RID Master, PDC Emulator and Infrastructure Master

    1. Open the Active Directory Users and Computers snap-in from the Administrative
    Tools folder.

    2. Right-click the Active Directory Users and Computers icon and click Operations
    Masters.

    3. Select the appropriate tab for the role you wish to view.

    4. When you're done, click Close.

    To find them from the CMD prompt:

    Type: netdom query fsmo


    Do not place the infrastructure master on a global catalog server

    The Infrastructure Master (IM) role should be held by a domain controller that is not a
    Global Catalog (GC) server. If the Infrastructure Master runs on a Global Catalog server it will
    stop updating object information because it does not contain any references to objects that it
    does not hold. This is because a Global Catalog server holds a partial replica of every object in
    the forest. As a result, cross-domain object references in that domain will not be updated and
    a warning to that effect will be logged in that DC's event log.

    How will you place the FSMO roles?

    Place the RID and PDC emulator roles on the same domain controller. Good
    communication from the PDC to the RID master is desirable, as down-level clients and
    applications target the PDC, making it a large consumer of RIDs.

    As a general rule, the infrastructure master should be located on a non-global catalog
    server that has a direct connection object to some global catalog in the forest,
    preferably in the same Active Directory site.

    At the forest level, the schema master and domain naming master roles should be
    placed on the same domain controller, as they are rarely used and should be tightly
    controlled. Additionally, the Domain Naming Master FSMO should also be a global
    catalog server.
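The MMC and netdom steps above list the role holders; the placement rules that follow can be checked at the same time. The script below is an added example, not from the original notes; it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and runs against the current domain.

```powershell
# Added example (not from the page): list the FSMO role holders (like 'netdom query fsmo')
# and check the placement rules given above: IM not on a GC unless every DC is a GC,
# RID master together with the PDC emulator, domain naming master on a GC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

$roles = [ordered]@{
    "Schema master"         = $forest.SchemaMaster
    "Domain naming master"  = $forest.DomainNamingMaster
    "RID master"            = $domain.RIDMaster
    "PDC emulator"          = $domain.PDCEmulator
    "Infrastructure master" = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# Rule 1: infrastructure master must not be a GC unless all DCs in the domain are GCs
$dcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$allGc = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
if ($im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure master $($im.HostName) is a GC while other DCs are not: cross-domain references will not be updated"
} else {
    Write-Host "Infrastructure master placement OK"
}

# Rule 2: RID master and PDC emulator on the same DC
if ($domain.RIDMaster -ne $domain.PDCEmulator) {
    Write-Warning "RID master ($($domain.RIDMaster)) and PDC emulator ($($domain.PDCEmulator)) are on different DCs"
}

# Rule 3: domain naming master should itself be a GC
$dnm = Get-ADDomainController -Identity $forest.DomainNamingMaster
if (-not $dnm.IsGlobalCatalog) { Write-Warning "Domain naming master $($dnm.HostName) is not a GC" }
```

Run it from any domain-joined workstation with RSAT; it only reads the directory, so it is safe to schedule as a recurring configuration check.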

    Responding to operations master failures

    SCHEMA MASTER FAILURE

    This failure will be visible if we are trying to modify the schema or install an application
    that modifies the schema during installation.

    Seize the schema master role on another DC.

    A DC whose schema master role has been seized must never be brought back online.

    To seize the schema master role


    1. Click Start, click Run, and then type cmd.

    2. At the command prompt, type ntdsutil.

    3. At the ntdsutil prompt, type roles.

    4. At the fsmo maintenance prompt, type connections.

    5. At the server connections prompt, type connect to server, followed by the fully
    qualified domain name.

    6. At the server connections prompt, type quit.

    7. At the fsmo maintenance prompt, type seize schema master.

    8. At the fsmo maintenance prompt, type quit.

    9. At the ntdsutil prompt, type quit.
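The same operation with the ActiveDirectory module, as an added example that is not part of the original notes. `Move-ADDirectoryServerOperationMasterRole` transfers the role when the current holder is reachable and seizes it with `-Force` when it is not; `DC02.example.com` is a placeholder for the DC that takes over, and the reachability test (ICMP) is a simplifying assumption.

```powershell
# Added example (not from the page): transfer the schema master if the holder is online,
# otherwise seize it (the PowerShell equivalent of the ntdsutil steps above).
Import-Module ActiveDirectory
$target = "DC02.example.com"   # assumed placeholder for the DC that will take the role

$before = (Get-ADForest).SchemaMaster
Write-Host "Schema master before: $before"

# Transfer needs the current holder online; seize only when it is permanently lost.
# Test-Connection is a rough check (ICMP may be filtered); confirm the outage before seizing.
if (Test-Connection -ComputerName $before -Count 1 -Quiet) {
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole SchemaMaster
} else {
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole SchemaMaster -Force
    Write-Warning "Role seized from $before. As the notes state, that DC must never be brought back online with its old database."
}

Write-Host "Schema master after : $((Get-ADForest).SchemaMaster)"
```

The cmdlet prompts for confirmation by default; the same `-OperationMasterRole` parameter accepts `DomainNamingMaster`, `RIDMaster`, `PDCEmulator` and `InfrastructureMaster` for the other role failures described below.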

    DOMAIN NAMING MASTER FAILURE

    We cannot add a domain (we cannot run DCPromo to add a new domain)
    if the domain naming master has failed.

    So we can seize it on another DC or additional DC.

    RELATIVE ID MASTER FAILURE

    We cannot add users if the RID master has failed. So we can seize it on another DC or additional DC.

    PDC EMULATOR FAILURE

    Time sync will not happen, which will affect replication.

    Password changes and account lockouts will not be processed.

    Group policy changes will not be updated.

    The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not
    available, you may need to seize the role immediately.

    INFRASTRUCTURE MASTER FAILURE

    We can notice this problem when we move or rename a group of accounts or groups.

    So we can seize it on another DC or additional DC.

    How will you remove orphaned domains from Active Directory?

    Typically, when the last DC for a domain is demoted, the administrator selects the "This server is
    the last DC in the domain" option in the DCPromo tool, which removes the domain metadata
    from Active Directory.

    1. Determine the DC that holds the Domain Naming Master FSMO role.

    2. Verify that all servers for the specified domain have been demoted.

    3. At the command prompt:

    ntdsutil

    metadata cleanup

    connections

    connect to server servername

    (servername is the name of the DC holding the Domain Naming Master FSMO role)

    quit

    The Metadata Cleanup menu is displayed.

    select operation target

    list domains

    A list of domains in the forest is displayed, each with an associated number.

    select domain number

    (where number is the number associated with the domain to be removed)

    quit

    The Metadata Cleanup menu is displayed.

    remove selected domain

    You should receive confirmation that the removal was successful.

    quit

    You should receive confirmation that the connection disconnected successfully.

    Audit Active Directory objects

    Audit: to check who logged in to the server.

    An audit entry in the Security log contains the following information:

    The action that was performed.

    The user who performed the action.

    The success or failure of the event and the time that the event occurred.

    When you audit Active Directory events, Windows 2003 writes an event to the Security log on
    the domain controller. If a user tries to log on to the domain using a domain user account and
    the logon attempt is unsuccessful, the event is recorded on the DC and not on the computer
    on which the logon attempt was made. This is because it is the domain controller that tried to
    authenticate the logon attempt.

    How to configure an audit policy setting for a domain controller

    Auditing is turned off by default. To audit all DCs, enable auditing on the Domain Controllers OU.

    To configure an audit policy setting for a domain controller, follow these steps:

    1. Start Active Directory Users and Computers.

    2. Click Advanced Features on the View menu.

    3. Right-click Domain Controllers, and then click Properties.

    4. Click the Group Policy tab, click Default Domain Controllers Policy, and then click
    Edit.

    5. Click Computer Configuration, double-click Windows Settings, double-click
    Security Settings, double-click Local Policies, and then double-click Audit Policy.

    6. In the right pane, right-click Audit Directory Service Access, and then click
    Security.

    7. Click Define These Policy Settings, and then click to select one or both of the
    following check boxes:

    o Success: Click to select this check box to audit successful attempts for the event category.

    o Failure: Click to select this check box to audit failed attempts for the event category.

    8. Right-click any other event category that you want to audit, and then click Security.
    Click OK.

    How to configure auditing for specific Active Directory objects

    You can configure auditing for specific objects, such as users, computers, organizational units
    or groups, by specifying both the types of access and the users whose access you want to audit.

    To configure auditing for specific Active Directory objects, follow these steps:

    1. Open Active Directory Users and Computers.

    2. Select Advanced Features on the View menu.

    3. Right-click the Active Directory object that you want to audit, and then click
    Properties.

    4. Click the Security tab, and then click Advanced.

    5. Click the Auditing tab, and then click Add.
    Enter the name of either the user or the group whose access you want to audit.

    6. Click to select either the Successful check box or the Failed check box for the actions
    that you want to audit, and then click OK.
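Both procedures above (the audit policy category and the per-object SACL) scripted, followed by a read of the events they produce. This is an added example, not from the original notes; it assumes a Windows Server 2008 or later DC with the ActiveDirectory module (on that release the category is set per subcategory with auditpol, which replaces the Windows 2003 GUI steps), and `OU=Finance,DC=example,DC=com` is a placeholder OU.

```powershell
# Added example (not from the page): enable directory service access auditing, add an
# audit rule (SACL) on one OU, then list the resulting Security log events.
Import-Module ActiveDirectory
$ouDn = "OU=Finance,DC=example,DC=com"   # assumed placeholder OU

# 1. Audit policy: the 2003 "Audit directory service access" category, set via auditpol on 2008+
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /get /category:"DS Access"

# 2. Object SACL: audit successful property writes, deletes and DACL changes by anyone,
#    on the OU and everything below it (the "Add" step on the Auditing tab above)
$acl      = Get-Acl -Path "AD:\$ouDn" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
            [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. What got recorded on the DC in the last hour:
#    4662 = an operation was performed on an AD object (DS Access)
#    4625 = failed logon; as the notes say, a failed domain logon is logged on the DC
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4662, 4625; StartTime = (Get-Date).AddHours(-1) } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Subject = $_.Properties[1].Value   # SubjectUserName in both event layouts (index assumed)
            Summary = ($_.Message -split "`n")[0]
        }
    } | Format-Table -AutoSize
```

Auditing every property write on a busy OU is noisy; narrowing `$rights` (for example to `WriteDacl` and `Delete`) keeps the Security log readable while still catching permission changes and deletions.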

    How to publish a printer in AD

    1. Log on to the computer as an administrator.

    2. Click Start, point to Settings, and then click Printers.

    3. In the Printers folder, right-click the printer that you want to publish in Active
    Directory, and then click Properties.

    4. Click the Sharing tab, click Share As, and then either type a share name or accept
    the default name. Use only letters and numbers; do not use spaces, punctuation, or special characters.

    5. Click to select the List in the Directory check box, and then click OK.

    6. Close the Printers folder.

    NOTE: If you want to make this printer available to users who are running different versions
    of Windows, you must install additional drivers. To do so, click Additional Drivers on the
    Sharing tab of the printer properties, and then select the appropriate items in the list.

    How to configure an authoritative time server in Windows 2000?

    The purpose of the Time service is to ensure that all computers
    in the organization use a common time.

    Windows includes the W32Time Time service tool that is required by the Kerberos
    authentication protocol.

    To reset the local computer's time against the authoritative time server for the domain:

    net time /domain:domain_name /set

    net stop w32time

    W32time update

    net start w32time

    SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot
    synchronize your server to Internet SNTP servers.
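On current Windows releases the `net time` / `w32time` commands above are replaced by `w32tm`, and the authoritative source for the domain hierarchy is the PDC emulator. The script below is an added example, not from the original notes; it assumes Windows Server 2008 or later with the ActiveDirectory module, is meant to run on the PDC emulator, and `time1.example.com time2.example.com` is a placeholder peer list.

```powershell
# Added example (not from the page): make the PDC emulator the domain's authoritative time
# source with w32tm, after checking the upstream servers answer on UDP 123.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
if ($env:COMPUTERNAME -ne ($pdc -split '\.')[0]) {
    Write-Warning "Run this on the PDC emulator ($pdc); other DCs and members sync from it through the domain hierarchy"
}

$peers = "time1.example.com time2.example.com"   # assumed placeholder, space-separated

# The notes point out SNTP needs UDP 123 open; stripchart is a quick reachability probe
foreach ($p in $peers -split " ") {
    $out = w32tm /stripchart /computer:$p /samples:2 /dataonly 2>&1
    if (($out -join "`n") -match "error") { Write-Warning "No NTP reply from $p (UDP 123 blocked?)" }
    else { Write-Host "NTP reachable: $p" }
}

# Point the PDC at the external peers and mark it reliable for the domain hierarchy
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /nowait

# Verify: the source should be one of the peers, not "Local CMOS Clock"
w32tm /query /source
w32tm /query /status
```

Kerberos tolerates only a few minutes of clock skew by default, so a DC whose source still shows `Local CMOS Clock` after this step is the first thing to check when authentication starts failing across sites.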

    What is the universal group membership cache in Windows 2003?

    When a user logs in for the first time, the DC gets the user's universal group membership information
    from the Global Catalog and stores it in its cache. The next time the user logs in, the DC
    gets the universal group membership information from its local cache. It will not contact the GC.

    It reduces the network traffic.

    By default, the universal group membership information is refreshed every 8 hours.

    Group Policy: It is a set of rules and settings applied to users or computers.

    Uses

    Configure users' desktops

    Configure local security on computers

    Install applications

    Run start-up/shut-down or logon/logoff scripts

    Configure Internet Explorer settings

    Redirect special folders

    Group Policy location:

    C:\WINDOWS\SYSVOL\sysvol\domain.com\Policies

    Command to apply Group Policy: GPUpdate

    Group Policy is applied in the following order:

    Local system > Site > Domain > OU > Child OU

    Group Policy sections

    Computer configuration contains the settings that configure the computer prior
    to the user logon.

    User configuration contains the settings that configure the user after the logon.
    You cannot choose to apply the settings to a single user; all users, including
    administrators, are affected by the settings.

    Within these two sections you can find more sub-folders:

    Software settings and Windows settings, for both computer and user, are
    settings that configure local DLL files on the machine.

    Administrative templates are settings that configure the local registry of the
    machine. You can add more options to administrative templates by right-clicking it
    and choosing .ADM files. Many programs that are installed on the computer add
    their .ADM files to the %systemroot%\inf folder so you can add them to the
    Administrative Templates.


    Assign & publish applications in GP, and how?

    Through Group Policy you can assign and publish applications by creating an .msi
    package for that application.

    With the Assign option you can apply the policy to both users and computers. If it is applied to a
    computer then the policy will apply to the user who logs on to that computer. If it is
    applied to a user it will apply wherever he logs on to the domain. It will appear in
    Start menu > Programs. Once the user clicks the shortcut or opens any document having that
    extension, the application is installed on the local machine. If any application
    program files are missing it will automatically repair.

    With the Publish option you can apply only to users. It will not install automatically when
    any application program files are corrupted or deleted.

    GPMC & RSoP in Windows 2003?

    GPMC is a tool used for managing group policies. It displays
    information such as how many policies are applied, on which OUs the policies are applied, what
    settings are enabled in each policy, which users are affected by these policies and
    who is managing these policies.

    Configuring Group Policy:

    1. Group Policy Object Editor snap-in in MMC, or use gpedit.msc from the Run
    command.

    2. Active Directory Users and Computers snap-in, or dsa.msc, to invoke the Group
    Policy tab on every OU or on the domain.

    3. Active Directory Sites and Services, or dssite.msc, to invoke the Group Policy tab on a site.

    4. Group Policy Management Console, or gpmc.msc. This utility is NOT included in
    Windows 2003 Server and needs to be installed separately.

    Note that if you'd like to use the GPMC tool on Windows XP, you need to install it on
    computers running Windows XP SP2. Installing it on computers without SP2 will generate
    errors due to unsupported and newer .ADM files.

    RSoP (Resultant Set of Policy) provides details about all policy settings that are configured
    by an administrator, including Administrative Templates, Folder Redirection, Internet
    Explorer Maintenance, Security Settings, Scripts, and Group Policy Software
    Installation.

    When policies are applied on multiple levels (for example, site, domain, domain
    controller, and organizational unit), the results can conflict. RSoP can help you
    determine a set of applied policies and their precedence (the order in which policies
    are applied).

    Group Policy inherited from AD is refreshed on the computers in several ways:

    1. Logon to the computer (if the settings are "user settings" in the GPO)

    2. Restart of the computer (if the settings are "computer settings" in the GPO)

    3. Every 60 to 90 minutes, the computers query their DC for updates.

    4. Manually by using the gpupdate command. You can add the /force switch to force all
    settings and not only the delta.

    Note: Windows 2000 doesn't support the gpupdate command, so you need to run a
    different command instead:

    for computer settings.

    for user settings.

    In both commands you can use /enforce, which is similar to /force in gpupdate.

    If any configuration change requires a logoff or a restart, a message will appear.
    You can force logoff or reboot using gpupdate switches.

    How to check that the GP was deployed

    To be sure that GP was deployed correctly, you can use several ways. The term for the
    results is RSoP (Resultant Set of Policy).

    1. Use the gpresult command in the command prompt.

    The default result is for the logged-on user on that machine. You can also choose to
    check the results for other users on that machine. If you use the /v or /z switches
    you will get very detailed information.

    Suppose there are 4 group policies applied in an OU; the last policy will be applied
    first.

    What are Domain Policy, Domain Controller Policy and Local Policy?

    Domain Policy applies to all computers in the domain.

    Domain Controller Policy is applied only on domain controllers.

    Local Policy is applied to that particular machine only and affects that computer only.

    Block/Enforce inheritance

    Block will block group policies inherited from above. We cannot apply those GPs in that OU.

    Enforce: It will force the GP to apply even if Block is configured.

    You can block policy inheritance to an OU if you don't want the settings from upper GPOs
    to configure your OU.

    To block GPO inheritance, simply right-click your OU and choose "Block Inheritance".
    Blocking inheritance will block all upper GPOs.

    In case you need one of the upper GPOs to configure all downstream OUs and overcome
    Block Inheritance, use the Enforce option of a link. Enforcing a GPO is a powerful option
    and should rarely be used.


    You can see in this example that when you look at the Computers OU, three different GPOs
    are inherited by it.

    In this example you can see that choosing "Block inheritance" will reject all upper GPOs.

    Now, if we configure the "Default Domain Policy" with the Enforce option, it will overcome
    the inheritance blocking.

Loopback Processing of Group Policy

Loopback processing applies user settings based on the computer the user logs on to, instead of

on where the user account sits in Active Directory. It is typically used for kiosks, terminal

servers and other shared computers.

To set user configuration per computer:

In the Group Policy editor, under Computer Configuration, locate Administrative Templates,

click System, click Group Policy, and then enable "User Group Policy loopback processing mode"

and choose Merge or Replace.

Usually the GPOs that apply to a user are determined by the user's OU at logon, regardless of

which computer the user logs on to. In some cases this processing order is not appropriate (e.g.,

when you do not want applications assigned to users to be installed while they are logged on

to the computers in some specific OU).

With loopback processing you can change how the list of GPOs is built for any user who logs on

to a computer in that OU:

Merge Mode

The user's normal GPO list is built first, then the GPOs from the computer's location are appended.

Because the computer's GPOs are processed last, their user settings win on conflict.

Replace Mode

The user's own GPO list is not used at all. Only the user settings in the GPOs that apply to the

computer are processed.
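As an added example (not part of the original page), the PowerShell below uses the GroupPolicy RSAT module to show link order and inherited links on an OU, block inheritance, enforce the domain-level link, switch a GPO to loopback Replace mode, and then verify the result with gpresult. The domain corp.example.com, the "Kiosks" OU and the GPO name "Kiosk Lockdown" are assumptions for illustration.

```powershell
# Added example, not from the original page. Assumes the GroupPolicy RSAT module,
# a domain corp.example.com, an OU "Kiosks" and an existing GPO "Kiosk Lockdown";
# all of these names are assumptions for illustration.
Import-Module GroupPolicy

$ou = 'OU=Kiosks,DC=corp,DC=example,DC=com'

# 1. Show what the OU links directly and what it inherits. Order 1 wins conflicts
#    because it is processed last; inherited links are listed separately.
$inh = Get-GPInheritance -Target $ou
$inh.GpoLinks          | Select-Object Order, DisplayName, Enabled, Enforced
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enforced

# 2. Block inheritance on the OU. GPOs linked directly to the OU still apply.
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

# 3. Enforce the domain-level link so its settings still reach the blocked OU.
Set-GPLink -Name 'Default Domain Policy' -Target 'DC=corp,DC=example,DC=com' -Enforced Yes | Out-Null

# 4. Turn on loopback processing (Replace mode) in the kiosk GPO. The setting lives in the
#    computer half of the GPO as a single registry value: UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name 'Kiosk Lockdown' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name 'Kiosk Lockdown' -Target $ou -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 5. On a kiosk, refresh and verify. gpresult /z lists every applied GPO and the winning GPO
#    for each setting; /scope:user shows the effect of loopback on the user half.
gpupdate /force
gpresult /r /scope:computer
gpresult /z /scope:user
```

Run steps 1 to 4 from a management workstation with RSAT; step 5 is typed on the kiosk itself after a logoff/logon, because loopback only changes how the user half is assembled at the next user policy processing.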

Explain the Kerberos V5 authentication process?

Kerberos V5 is the default authentication protocol within an Active Directory domain. The

Kerberos V5 protocol verifies both the identity of the user and that of the network service. This two-way verification is known as mutual authentication.

User logon process

1. The user on a client system authenticates to the KDC (Key Distribution Center, a service on every domain controller) by proving knowledge of the password; the password itself is never sent over the network.

2. The KDC's authentication service issues a ticket-granting ticket (TGT). The client uses this TGT to request service tickets from the ticket-granting service (TGS), which is the other half of the Kerberos V5 mechanism on the DC, without re-entering the password.

3. The TGS issues a service ticket for the requested service (identified by its SPN) to the client.

4. The client presents the service ticket to the requested network service. The ticket proves the user's identity to the service, and the service's ability to decrypt it proves the service's identity to the user.
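As an added example, not from the original page, the following PowerShell observes the exchange above from the client side with klist: the TGT from step 2, a service ticket from step 3 after a share is touched (step 4), and each ticket's encryption type, which a practitioner checks because RC4 service tickets point at a service account with no AES keys. The DC name dc01.corp.example.com is an assumption.

```powershell
# Added example, not from the original page. Run on a domain-joined client as a domain user.
# The DC name is an assumption for illustration.
$server = 'dc01.corp.example.com'

# Step 2 as seen from the client: the TGT obtained at logon (krbtgt/CORP.EXAMPLE.COM).
klist tgt

# Clear cached tickets so the next access forces a fresh TGS exchange (step 3).
klist purge

# Touching an SMB share makes the client ask the TGS for a cifs/<fqdn> service ticket and
# present it to the server (step 4). Using the IP address instead of the FQDN would fall
# back to NTLM because no SPN matches an IP address, so always use the name.
Get-ChildItem -Path "\\$server\SYSVOL" -ErrorAction SilentlyContinue | Out-Null

# Parse the cached tickets: one record per ticket, with server (SPN) and encryption type.
function Get-KerbTickets {
    $tickets = @()
    $cur = $null
    foreach ($line in (klist tickets)) {
        if ($line -match '^#\d+>') {
            if ($cur) { $tickets += $cur }
            $cur = [ordered]@{}
        }
        elseif ($cur -ne $null -and $line -match '^\s*Server:\s*(.+)$') { $cur.Server = $Matches[1].Trim() }
        elseif ($cur -ne $null -and $line -match 'KerbTicket Encryption Type:\s*(.+)$') { $cur.EType = $Matches[1].Trim() }
    }
    if ($cur) { $tickets += $cur }
    $tickets | ForEach-Object { [pscustomobject]$_ }
}

$all = Get-KerbTickets
$all | Format-Table Server, EType -AutoSize

# Security check: a service ticket encrypted with RC4 (shown as RC4-HMAC(NT)) means the
# service account has no AES keys, or msDS-SupportedEncryptionTypes is not set on it; such
# tickets are the cheapest to crack offline (Kerberoasting).
$weak = $all | Where-Object { $_.EType -match 'RC4' -and $_.Server -notmatch '^krbtgt/' }
if ($weak) { Write-Warning "RC4 service tickets in cache:`n$($weak.Server -join "`n")" }
```

The first klist tgt line confirms the AS exchange already happened at logon; the cifs/dc01 entry that appears after the share access is the TGS exchange, and its presence (rather than an NTLM fallback) is what mutual authentication depends on.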

Group Types

Security Group : Has a SID, so it can be placed on ACLs to assign permissions and rights.

This is the type you select when the group is used for access.

Distribution Group : Has no SID and cannot be used for permissions; it is used only as an e-mail

list, for example to send one mail to 100 users.

Group Scopes

Domain Local Group : Members can come from any domain in the forest (users, global groups, universal groups and other domain local groups of the same domain). It can be granted permissions only on resources (shared folders, printers) in its own domain.

Global Group : Members must come from its own domain (users and other global groups of that domain). It can be granted permissions in its own domain and in any trusting domain.

It cannot contain domain local or universal groups.

Universal Group : Members can come from any domain in the forest (users, global groups, universal groups). It can be granted permissions in any domain in the forest and in trusting forests. Its membership is stored in the Global Catalog.
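As an added example, not part of the original page, the PowerShell below puts the scopes above to work in the AGDLP pattern (Accounts in a Global role group, the Global group in a Domain Local resource group, and only the Domain Local group on the ACL). The ActiveDirectory RSAT module, the domain corp.example.com, the "Groups" OU, the user names, the share path and the group names are all assumptions.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory RSAT module,
# domain corp.example.com, an OU "Groups", a share path and user names that are all
# assumptions for illustration.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example,DC=com'

# Global group = who (a role). Members are limited to this domain, so the role can be
# referenced from any trusting domain without pulling in foreign principals.
New-ADGroup -Name 'Finance-Analysts' -SamAccountName 'Finance-Analysts' `
    -GroupCategory Security -GroupScope Global -Path $ou `
    -Description 'Role: finance analysts'

# Domain Local group = what (a permission on one resource). It may contain groups from other
# domains, but it is only ever placed on ACLs inside this domain.
New-ADGroup -Name 'ACL-FinanceShare-Modify' -SamAccountName 'ACL-FinanceShare-Modify' `
    -GroupCategory Security -GroupScope DomainLocal -Path $ou `
    -Description 'Modify on \\fs01\Finance'

# Nest: users -> global role group -> domain local resource group.
Add-ADGroupMember -Identity 'Finance-Analysts' -Members 'alice', 'bob'
Add-ADGroupMember -Identity 'ACL-FinanceShare-Modify' -Members 'Finance-Analysts'

# Grant the NTFS permission to the domain local group only. Run this part on the file server.
$path = 'D:\Shares\Finance'
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\ACL-FinanceShare-Modify',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check the effective membership through the nesting. Group SIDs are placed in the user's
# token at logon, so a newly added member must log off and on before the ACL takes effect.
Get-ADGroupMember -Identity 'ACL-FinanceShare-Modify' -Recursive | Select-Object Name, objectClass
```

Auditing and cleanup become simpler this way: a person changes role by moving between Global groups, and a resource changes hands by editing one Domain Local group, without touching the ACL on the folder.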

3 major Account Policies

1. Password Policy

2. Account Lockout Policy

3. Kerberos Policy

These are set in the Default Domain Policy; before Windows Server 2008 only one set of them can apply per domain.

Roaming User Profile : The user gets the same desktop and settings on any system they log on to, because the profile is stored on a network share and copied down at logon.

DNS Domain Name System

Location : standard (file-backed) zones are stored as %SystemRoot%\System32\dns\<zone>.dns; Active Directory-integrated zones are stored in the AD database (ntds.dit), not in a file.

DNS resolves host names to IP addresses (and, with reverse zones, IP addresses to host names).

Use

Client systems use the DNS server to locate domain controllers when users log on, and use DNS to find AD resources in the network.

Without a working DNS server client computers cannot locate DCs, other servers or AD resources.

DNS Zones :

Forward Lookup Zone : contains host name to IP address mappings

Reverse Lookup Zone : contains IP address to host name mappings

Standard Primary Zone : the read-write copy, held in a zone file on one server

Standard Secondary Zone : a read-only copy obtained from the primary by zone transfer


Active Directory-Integrated Zone : DNS records are stored as objects in Active Directory, not in a zone file, and replicate with AD replication; every DC running DNS holds a writable copy (multi-master).

DNS Records

A record : host name to IP address mapping (AAAA for IPv6).

PTR record : IP address to host name mapping, held in the reverse lookup zone.

CNAME : alias; gives an additional name to a host that already has an A record.

MX record : maps a DNS domain name to the host name of its mail server.

SRV record : service locator; maps a service (and port) to the host that provides it.

SOA Start of Authority

It contains the serial number, the primary server name, the responsible person's e-mail address,

and the Refresh, Retry and Expire timers plus the minimum (negative caching) TTL.

Zone Transfer

The secondary server checks the primary's SOA record at each Refresh interval; if the primary's

serial number is higher than its own, it pulls the zone from the primary (a full AXFR or an incremental IXFR).

Advantages of Active Directory Integrated Zones :

1. Replication is incremental (only changed attributes are sent), so it reduces network traffic.

2. It supports secure dynamic updates, which standard zones cannot.

3. It is replicated domain-wide or forest-wide with normal AD replication, and every DNS server on a DC can accept updates (multi-master).

TTL Time To Live

When a DNS server resolves a host name for a client it stores the answer in its cache. If the

same query arrives again, the server answers from the cached information without contacting other

DNS servers. Each record is kept in the cache only for the time specified by its TTL; after that

it is cleared from the cache and must be looked up again.

ipconfig /registerdns

To manually register a server's A and PTR resource records, run this command at a command prompt.

Net Logon service

If the server is a domain controller, stop and restart the Net Logon service (or run nltest /dsregdns) to register its service (SRV) records in the DNS server.

NSLOOKUP : DNS diagnostic tool run from the command prompt (Resolve-DnsName is the PowerShell equivalent).

What does a DC register in DNS?

The Netlogon service registers all the SRV records for that DC. These records are displayed as

the _msdcs, _sites, _tcp and _udp folders in the forward lookup zone that matches your domain name.

Other computers look for these records to find Active Directory-related information.

DNS Dynamic Update : Client systems and servers register their own host names and IP addresses

in the DNS server without administrator intervention.
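As an added example, not from the original page, the PowerShell below checks the SRV records a DC must have registered (the _msdcs names the text refers to), checks its A record, re-registers both with the commands named above, and asks the locator which DC a client would pick. The domain corp.example.com and the DC name dc01 are assumptions.

```powershell
# Added example, not from the original page. Domain name and DC name are assumptions.
$domain = 'corp.example.com'
$dc     = 'dc01.corp.example.com'

# The SRV records Netlogon registers. Clients query these to find a DC; a DC missing here
# cannot be found for logon even if its A record exists.
$srv = @(
    "_ldap._tcp.dc._msdcs.$domain"      # any writable DC
    "_kerberos._tcp.dc._msdcs.$domain"  # KDCs
    "_ldap._tcp.gc._msdcs.$domain"      # global catalog servers
    "_ldap._tcp.pdc._msdcs.$domain"     # the PDC emulator
)

function Test-DcSrvRecords {
    foreach ($name in $srv) {
        try {
            $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{
                Record  = $name
                Targets = ($rr.NameTarget -join ', ')
                Port    = (($rr.Port | Select-Object -Unique) -join ',')
            }
        } catch {
            [pscustomobject]@{ Record = $name; Targets = 'MISSING'; Port = '' }
        }
    }
}
Test-DcSrvRecords | Format-Table -AutoSize

# The DC's own host record, registered by ipconfig /registerdns (not by Netlogon).
Resolve-DnsName -Name $dc -Type A

# If anything is missing, re-register. ipconfig /registerdns covers the A/PTR records; only
# Netlogon registers the SRV records, so restart it or ask it to re-register directly.
ipconfig /registerdns
nltest /dsregdns
# equivalent to: Restart-Service Netlogon

# The locator from the client's point of view: which DC this machine picks, and its site.
nltest /dsgetdc:$domain
```

A row reading MISSING for _ldap._tcp.dc._msdcs is the classic cause of "domain not available" at logon even though ping to the DC works, because the locator uses SRV records, never the A record alone.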


How to Allow Only Secure Dynamic Updates

1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.

2. Under DNS, expand the applicable DNS server, expand Forward Lookup Zones (or Reverse Lookup Zones), and then click the applicable zone.

3. On the Action menu, click Properties.

4. On the General tab, verify that the zone type is Active Directory-integrated.

5. In the Allow dynamic updates? box, click Only secure updates.

Secure dynamic updates are supported only for Active Directory-integrated zones. With non-secure

updates any host on the network can overwrite any record, including a server's, so "Only secure updates" is the setting to use.

Stub Zone : A copy of a zone that contains only the SOA, NS and glue A records of that zone's

authoritative servers. It lets a DNS server (for example in a parent domain or a branch office)

send queries for that zone straight to the correct authoritative servers and keeps the delegation

current automatically. It reduces recursion traffic and bandwidth; it does not by itself speed up logon or file access.

How to Configure DNS Dynamic Update for DHCP Clients

By default, DHCP clients are configured to request that the client register the A resource record

and the server register the PTR resource record. By default, the name that is used in the DNS

registration is a concatenation of the computer name and the primary DNS suffix. To change this

default name, open the TCP/IP properties of your network connection.

To enable DNS dynamic update on a Windows DNS server:

1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.

2. Click the appropriate zone under either Forward Lookup Zones or Reverse Lookup Zones.

3. On the Action menu, click Properties.

4. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.

5. If the zone type is Primary, click Yes in the Allow dynamic updates? list.

6. If the zone type is Active Directory-integrated, click either Yes or Only secure updates in the Allow dynamic updates? list, depending on whether you want DNS dynamic updates to be secure.

Why can't I use WINS for name resolution like it is used in Microsoft Windows NT 4.0?

A Windows 2000 DC does not register Active Directory-related information with a WINS server;

it only registers this information with a DNS server that supports dynamic updates, such as a

Windows 2000 DNS server. Other Windows 2000-based computers do not query

How to Configure DNS Dynamic Update on a Windows DHCP Server

To configure DNS dynamic update for a DHCP server:

1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP.

2. Click the appropriate DHCP server or a scope on the appropriate DHCP server.

3. On the Action menu, click Properties.

4. Click the DNS tab.

5. To enable DNS dynamic update for DHCP clients that support it, click to select the Automatically update DHCP client information in DNS check box. This check box is selected by default.

6. To enable DNS dynamic update for DHCP clients that do not support it, click to select the Enable updates for DNS clients that do not support dynamic updates check box. This check box is selected by default.
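As an added example, not from the original page, the PowerShell below performs both procedures above (secure dynamic updates on the DNS zones, and DNS registration by the DHCP server) with the DnsServer and DhcpServer modules, and adds the credential step the GUI walkthroughs leave out. The zone names, the DHCP server name dhcp01 and the service account CORP\svc-dhcp-dns are assumptions.

```powershell
# Added example, not from the original page. Zone, DHCP server and account names are assumptions.
Import-Module DnsServer
Import-Module DhcpServer

$zone = 'corp.example.com'
$dhcp = 'dhcp01.corp.example.com'

# Show each primary zone's current dynamic update setting. "NonsecureAndSecure" is the risky value.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate

# Weak setting (any host can overwrite any record, including a server's):
# Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate NonsecureAndSecure
# Corrected setting; only possible when the zone is AD-integrated:
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
Set-DnsServerPrimaryZone -Name '10.in-addr.arpa' -DynamicUpdate Secure

# DHCP side: let the DHCP server register and clean up A and PTR records, including for clients
# that cannot do it themselves, and delete them when the lease expires so a stale name does not
# point at whichever machine receives that address next.
Set-DhcpServerv4DnsSetting -ComputerName $dhcp -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true -DeleteDnsRROnLeaseExpiry $true

# With secure updates the DHCP server owns the records it writes. Use a dedicated low-privilege
# account. If DHCP runs on a DC and the DC's computer account is used (and placed in
# DnsUpdateProxy), every record the DC itself registers, including its SRV records, loses its
# protection; a separate account avoids that.
$cred = Get-Credential -UserName 'CORP\svc-dhcp-dns' -Message 'DHCP DNS update account'
Set-DhcpServerDnsCredential -ComputerName $dhcp -Credential $cred

# Records created by DnsUpdateProxy members are left open so the client can take them over
# later with its own secure update; add the DHCP server's computer account, never a DC's.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity 'dhcp01')

# Verify
Get-DnsServerZone -Name $zone | Select-Object ZoneName, DynamicUpdate
Get-DhcpServerv4DnsSetting -ComputerName $dhcp
Get-DhcpServerDnsCredential -ComputerName $dhcp
```

The zone setting is the control that matters: until DynamicUpdate reads Secure, the DHCP-side options only decide who writes the records, not who may overwrite them.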

How to Enable DNS Dynamic Updates on a DHCP Server

DHCP and DNS servers now support dynamic updates to a DNS server. Clients can dynamically update

their forward lookup records themselves with the DNS server after they obtain a new IP address from a DHCP server.

On the DHCP server, you can dynamically update the DNS records for pre-Windows 2000 clients that

cannot do it for themselves. This feature currently works only with the

Scavenging : Removing old, unwanted (stale) dynamic records from the DNS server. Static records have no timestamp and are never scavenged.

Enable Aging and Scavenging

You need to enable the Aging and Scavenging feature at the server level, and optionally set the Aging feature on zones if you need different aging periods:

1. Open the DNS manager.

2. In the left pane, under the DNS icon, right-click the server name.

3. Click Set Aging/Scavenging for all zones.

4. Click to select the Scavenge Stale Resource Records check box, and then set the No-refresh and Refresh intervals that you want the Aging feature to use.

To set the Aging feature on an individual zone:

1. Right-click the zone, and then click Properties.

2. Click Aging.

3. Click to select the Scavenge Stale Resource Records check box, and then set the intervals that you want the Aging feature to use.

To scavenge immediately, right-click the server name in the left pane, click Scavenge Stale Resource Records, and then click Yes when asked if you want to scavenge.
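As an added example, not from the original page, the PowerShell below does the server-level and zone-level aging configuration above with the DnsServer module, previews which dynamic records have aged out before anything is deleted, and then starts a scavenging pass. The server name dns01 and zone corp.example.com are assumptions.

```powershell
# Added example, not from the original page. Server and zone names are assumptions.
Import-Module DnsServer
$server = 'dns01.corp.example.com'
$zone   = 'corp.example.com'

# Server-level aging: a record cannot be refreshed during NoRefresh, then may be refreshed during
# Refresh; it becomes eligible for scavenging only after both intervals pass with no refresh.
# Keep NoRefresh + Refresh longer than the DHCP lease, or records of live clients disappear.
Set-DnsServerScavenging -ComputerName $server -ScavengingState $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 `
    -ScavengingInterval 7.00:00:00 -ApplyOnAllZones

# Per-zone aging (the zone must also have aging enabled, or the server-level pass skips it).
Set-DnsServerZoneAging -ComputerName $server -Name $zone -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# Preview what a pass would remove: dynamic A records whose timestamp is older than
# NoRefresh + Refresh. Static records have a null Timestamp and are never scavenged.
$cutoff = (Get-Date).AddDays(-14)
function Get-StaleRecords {
    Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -RRType A |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, Timestamp, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
}
Get-StaleRecords | Format-Table -AutoSize

# Start a scavenging pass now instead of waiting for ScavengingInterval to elapse.
Start-DnsServerScavenging -ComputerName $server -Force
```

Run the preview first on a zone that has just had scavenging enabled: a server that has been up for years with aging off has no timestamps to compare, and the first pass after enabling it only starts the clock.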

How to Move DNS Zones to Another DNS Server

To move zone files from one server to another, follow these steps. The DNS Server service must be

installed on the new server but should not be configured yet.

1. On the DNS server that is currently hosting the DNS zone(s), change any Active Directory-integrated zones to standard primary. This action creates the zone files that are needed for the destination DNS server.

2. Stop the DNS Server service on both DNS servers.

3. Manually copy the entire contents of the %SystemRoot%\System32\dns folder from the source server to the destination server.

4. On the current DNS server, start Registry Editor.

5. Locate and click the following registry key:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Zones

6. Export the Zones key to a registry file.

7. On the destination DNS server, double-click the registry file to import the Zones key into the registry.

8. Bring the current DNS server down and transfer its IP address to the destination DNS server.

9. On the destination DNS server, start the DNS Server service. To initiate the registration of the server's A and PTR resource records, run the following command at a command prompt:

   ipconfig /registerdns

10. If this server is also a domain controller, stop and restart the Net Logon service to register the service (SRV) records, or run netdiag /fix (Windows 2000/2003 Support Tools; on later versions use nltest /dsregdns).

11. The standard zones that were previously Active Directory-integrated can be converted back to Active Directory-integrated on the replacement DNS server if it is a domain controller.

12. Verify that the SOA resource records on each zone contain the correct name for the primary server and that the NS resource records for the zone(s) are correct.

The steps outlined above do not migrate the following DNS server settings: Interfaces, Forwarders, Advanced, Root Hints, Logging, Security.
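As an added example, not from the original page, the PowerShell below performs the same migration with the DnsServer module in place of the registry export (steps 1 to 3, 9 and 12 above), carries the forwarders that the file move does not, and checks the SOA and NS records on the new server. The server names dns01 and dns02 and the zone corp.example.com are assumptions; it assumes the destination is not a DC (an AD-integrated zone needs no move to a DC that already replicates it).

```powershell
# Added example, not from the original page. Uses the DnsServer module instead of the registry
# export; server and zone names are assumptions.
Import-Module DnsServer
$src  = 'dns01.corp.example.com'
$dst  = 'dns02.corp.example.com'
$zone = 'corp.example.com'

# Step 1: an AD-integrated zone has no file. Keep a full export as a backup, then convert the
# zone to a file-backed primary so %SystemRoot%\System32\dns\<zone>.dns exists on the source.
Export-DnsServerZone -ComputerName $src -Name $zone -FileName "${zone}.bak.dns"
ConvertTo-DnsServerPrimaryZone -ComputerName $src -Name $zone -ZoneFile "${zone}.dns" -Force

# Steps 2-3: copy the zone file while the destination service is stopped so it is not
# overwritten on startup.
Invoke-Command -ComputerName $dst -ScriptBlock { Stop-Service -Name DNS }
Copy-Item -Path "\\$src\admin$\System32\dns\${zone}.dns" `
          -Destination "\\$dst\admin$\System32\dns\${zone}.dns"
Invoke-Command -ComputerName $dst -ScriptBlock { Start-Service -Name DNS }

# Steps 5-7 replaced: create the zone on the destination from the copied file.
Add-DnsServerPrimaryZone -ComputerName $dst -Name $zone -ZoneFile "${zone}.dns" -LoadExisting

# Settings the file move does not carry (forwarders here; interfaces, root hints and logging
# likewise need to be copied by hand).
$fwd = (Get-DnsServerForwarder -ComputerName $src).IPAddress
Set-DnsServerForwarder -ComputerName $dst -IPAddress $fwd -UseRootHint $false

# Step 12: the SOA primary server and the NS records must name the new server, or secondaries
# and dynamic-update clients keep trying the old one.
function Test-ZoneAuthority {
    $soa = Get-DnsServerResourceRecord -ComputerName $dst -ZoneName $zone -RRType SOA
    $ns  = Get-DnsServerResourceRecord -ComputerName $dst -ZoneName $zone -RRType NS -Node
    [pscustomobject]@{
        PrimaryServer = $soa.RecordData.PrimaryServer
        NameServers   = ($ns.RecordData.NameServer -join ', ')
        Ok            = ($soa.RecordData.PrimaryServer -like "$dst*") -and
                        ($ns.RecordData.NameServer -contains "$dst.")
    }
}
Test-ZoneAuthority
```

Step 8 (moving the IP address) and step 11 (converting back to AD-integrated, with ConvertTo-DnsServerPrimaryZone -ReplicationScope) are left as in the list above, since both depend on whether the new server is a DC.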

Port numbers

FTP 21, Telnet 23, HTTP 80, DNS 53 (UDP and TCP), Kerberos 88, LDAP 389, LDAPS 636, Global Catalog 3268 (3269 over SSL), DHCP server UDP 67, DHCP client UDP 68.

    DNS Interview Questions and Answer

1. Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?

Ans : PTR records

    2. What is the main purpose of a DNS server?

    DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa

3. SOA records must be included in every zone. What are they used for?

SOA records contain a TTL value, used by default for all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.

4. By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?

It sends a recursive query to the preferred (primary) DNS server configured on its network interface and waits for that server to return the answer.

    What is the main purpose of SRV records?

    SRV records are used in locating hosts that provide certain network services

5. Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure?

The zone you created was not configured to allow dynamic updates, so Netlogon's registrations were refused.

The local interface on the DNS server was not configured to point at itself for DNS, so the registrations went elsewhere.

6. Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients?

The zone to be used for dynamic updates must be configured to allow dynamic updates.

The DHCP server must support, and be configured to allow, dynamic updates for legacy clients.

    7. At some point during the name resolution process, the requesting party received authoritative

    reply. Which further actions are likely to be taken after this reply?

    After receiving the authoritative reply, the resolution process is effectively over.

8. Your company uses ten domain controllers, three of which are also used as DNS servers. You have one companywide AD-integrated zone, which contains several thousand resource records. This zone also allows dynamic updates, and it is critical to keep this zone up-to-date. Replication between domain controllers takes up a significant amount of bandwidth. You are looking to cut bandwidth usage for the purpose of replication. What should you do?

Change the replication scope of the zone to all DNS servers in the domain, so the zone data replicates only to the three DCs that run DNS instead of to all ten DCs.

9. You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?

DNS servers are not caching replies. Local client computers are not caching replies. The cache.dns (root hints) file may have been corrupted on the server.

What is the purpose of deploying local DNS servers?

A domain DNS server provides for the local mapping of fully qualified domain names to IP addresses. Because DNS is a distributed database, the local DNS servers can provide record information to remote DNS servers to help resolve remote requests related to fully qualified domain names on your network.

DHCP Dynamic Host Configuration Protocol

The DHCP server listens on UDP port 67; clients receive on UDP port 68.


Location : %SystemRoot%\System32\dhcp\dhcp.mdb (the DHCP database)

DHCP is used to automatically assign clients an IP address together with the subnet mask, default gateway

and DNS server(s).

How DHCP Works

Optionally (the "conflict detection attempts" setting, 0 by default) the DHCP server pings an address

before offering it. If the ping is answered the address is already in use by some system, so the server

will not offer it to the client. If the ping times out the address is not in use and the server

offers it to the client system.

Lease Process of DHCP server

It is called DORA:

D - Discover : the client broadcasts a DHCPDISCOVER to find DHCP servers; the packet carries the client's MAC address.

O - Offer : each DHCP server that receives it replies with a DHCPOFFER containing a proposed IP address, the lease time and the server's own IP address.

R - Request : the client broadcasts a DHCPREQUEST for the offer it chose; the broadcast also tells any other servers that their offers were declined.

A - Acknowledge : the chosen server sends a DHCPACK confirming the address, the lease and the options (subnet mask, gateway, DNS).

Because any host that answers a Discover can hand out addresses and a gateway and DNS server of its choosing, a rogue DHCP server can redirect client traffic; this is why Windows DHCP servers must be authorized in AD and why switches offer DHCP snooping.

Disadvantage

Your machine name does not change when you get a new IP address, but the DNS record that maps that

name to your IP address has to change. This only presents a problem if other clients try to access your

machine by its DNS name while the record is stale, which is what DNS dynamic update is for.

DHCP Relay Agent

It is used to give IP addresses to clients on a subnet that has no DHCP server of its own.

It sits on that subnet (typically on the router) and forwards the clients' broadcasts as unicast to the DHCP server on another subnet.

Scope : A range of IP addresses that a DHCP server assigns to clients on a single subnet.

Superscope : A collection of scopes; it contains more than one scope.

It is used to give IP addresses to systems on multiple logical subnets that share one physical network.

A superscope allows a DHCP server to provide leases from more than one scope to clients on a single physical network. Before you can create a superscope, you must use DHCP Manager to define all scopes to be included in the superscope. Scopes added to a superscope are called member scopes. Superscopes can resolve DHCP service issues in several different ways; these issues include situations in which:

- Support is needed for DHCP clients on a single physical network segment (such as a single Ethernet LAN segment) where multiple logical IP networks are used. When more than one logical IP network is used on a physical network, these configurations are also known as multinets.

- The available address pool for a currently active scope is nearly depleted and more computers need to be added to the physical network segment.

- Clients need to be migrated to a new scope.

- Support is needed for DHCP clients on the other side of BOOTP relay agents, where the network on the other side of the relay agent has multiple logical subnets on one physical network.

A standard network with one DHCP server on a single physical subnet is limited to leasing addresses to clients on that physical subnet.

Multicast Scope : A range of Class D multicast addresses (224.0.0.0 to 239.255.255.255) leased to

applications (via MADCAP) for transmitting multimedia data such as radio or TV streams. The purpose is

to send the data once and have it delivered to every computer in the group at the same time.

1 :: To negate rogue DHCP servers from running within a domain, what is required for your DHCP server to function?

The DHCP server must be authorized in Active Directory before it can function in the domain. A Windows DHCP server that is a domain member and is not authorized stops its service; this check does not stop non-Windows rogue servers.

2 :: How can you configure the DHCP server so that it provides certain devices with the same IP address each time the address is renewed?

You can create a reservation for the device (or create reservations for a number of devices). To create a reservation, you need to know the MAC hardware address of the device. You can use ipconfig /all (on the device), getmac, or nbtstat -a <host> from another machine to determine the MAC address of a network device such as a computer or printer.

3 :: What TCP/IP configuration parameters can be provided to a DHCP client?

The DHCP server can supply a DHCP client an IP address and subnet mask. It also can optionally include the default gateway address, the DNS server address, and the WINS server address to the client.

4 :: How is the range of IP addresses defined for a Windows Server 2008 DHCP server?

The IP addresses supplied by the DHCP server are held in a scope. A scope that contains more than one subnet of IP addresses is called a superscope. IP addresses in a scope that you do not want to lease can be included in an exclusion range.
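As an added example, not from the original page, the PowerShell below walks the four questions above with the DhcpServer module: authorization in AD, a scope with an exclusion range and options, the conflict-detection ping described earlier, and a MAC-based reservation, ending with a check that tells an authorized server apart from one nobody authorized. The server name dhcp01, the 10.10.0.0/24 subnet, the MAC address and the DNS addresses are assumptions.

```powershell
# Added example, not from the original page. Server name, subnet, MAC and DNS values are assumptions.
Import-Module DhcpServer
$dhcp = 'dhcp01.corp.example.com'

# Q1: authorization. Only servers listed here may serve the domain; a Windows DHCP server that
# is a domain member but not in this list shuts its own service down.
Get-DhcpServerInDC
Add-DhcpServerInDC -DnsName $dhcp -IPAddress 10.10.0.5

# Q4: a scope is the leasable range for one subnet; exclusions carve out addresses that are
# assigned statically (gateway, servers, printers) so they are never leased.
Add-DhcpServerv4Scope -ComputerName $dhcp -Name 'HQ-Clients' `
    -StartRange 10.10.0.1 -EndRange 10.10.0.254 -SubnetMask 255.255.255.0 `
    -LeaseDuration 1.00:00:00 -State Active
Add-DhcpServerv4ExclusionRange -ComputerName $dhcp -ScopeId 10.10.0.0 `
    -StartRange 10.10.0.1 -EndRange 10.10.0.20

# Q3: options handed out with the lease (gateway, DNS servers, DNS suffix).
Set-DhcpServerv4OptionValue -ComputerName $dhcp -ScopeId 10.10.0.0 `
    -Router 10.10.0.1 -DnsServer 10.10.0.10, 10.10.0.11 -DnsDomain 'corp.example.com'

# Conflict detection (the ping described above): 0 attempts by default; 1 or 2 is usual.
Set-DhcpServerSetting -ComputerName $dhcp -ConflictDetectionAttempts 2

# Q2: reservation keyed on the client's MAC address, so this printer always gets 10.10.0.50.
Add-DhcpServerv4Reservation -ComputerName $dhcp -ScopeId 10.10.0.0 `
    -IPAddress 10.10.0.50 -ClientId '00-11-22-33-44-55' -Name 'prn-hq-01' `
    -Description 'HQ lobby printer'

# Rogue check: compare the server a client reports ("DHCP Server" in ipconfig /all)
# against the authorized list. An address that is not in the list is a rogue or a
# misconfigured device, whichever OS it runs.
function Test-DhcpServerAuthorized {
    param([string]$ServerIp)
    $authorized = (Get-DhcpServerInDC).IPAddress | ForEach-Object { [string]$_ }
    $authorized -contains $ServerIp
}
Test-DhcpServerAuthorized -ServerIp '10.10.0.5'
Test-DhcpServerAuthorized -ServerIp '10.10.0.99'
```

The authorization list only governs Windows servers that belong to the domain, so the last check is the one worth scripting against client reports; a hit on an unknown address is a reason to look for DHCP snooping on the switch.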

WINS Windows Internet Name Service

It resolves NetBIOS names to IP addresses, while a DNS server resolves host names to IP addresses.

A NetBIOS name is 16 bytes: a 15-character system name plus a 16th byte that identifies the service

(for example 00 = Workstation, 20 = File Server, 1C = Domain Controller).

Commands to check a system's NetBIOS name:

nbtstat -n

ipconfig /all

Before WINS, NetBIOS name resolution used the static LMHOSTS file, which lists every system's NetBIOS name and IP address.

The sample file is C:\Windows\System32\drivers\etc\lmhosts.sam.

When a new system is added to the network the LMHOSTS file has to be updated manually by the system

administrator, on every system.

A WINS server replaces that with a dynamic database: clients register their own names with it. Likewise the DNS server uses dynamic update, so when a new system is added its host name and IP address are registered automatically.

RAID Redundant Array of Inexpensive (Independent) Disks

Basic Disk (MBR) can contain at most 4 primary partitions (or 3 primary and 1 extended).

Dynamic Disk has no such limit and supports the volume types below.

NTFS file system

- Gives folder and file level security (ACLs)

- Supports file encryption (EFS)

- Faster file access on large volumes

- Supports compression

- Supports disk quotas

- Reduces disk fragmentation

Different Volume types

Simple Volume

Spanned Volume

Striped Volume - RAID 0

Mirrored Volume - RAID 1

RAID-5 Volume - RAID 5

RAID 0 - Striped Volume

2 to 32 hard disks are used; data is written in stripes across all of them. If one disk fails all data on the volume is lost and must be restored from backup. 100% of the space on all disks is usable.

RAID 1 - Mirrored Volume

2 hard disks are used.

All data is written to both disks.


If one disk fails the data is still available on the other disk.

Only 50% of the raw space is usable.

RAID-5 Volume

3 to 32 disks can be used.

Parity is spread across all disks; the equivalent of one disk is lost to parity, so with 3 disks 33% of the space is used for parity. The parity information is used to rebuild the data of one failed disk; if a second disk fails before the rebuild completes, the data is lost.

RAID-6 Volume

Minimum 4 hard disks, with two independent parity blocks per stripe, so it survives two simultaneous disk failures. Windows dynamic disks do not offer RAID-6; it is provided by hardware controllers or by Storage Spaces dual parity.

What is the ISTG? Who has that role by default?

The Inter-Site Topology Generator (ISTG) is the domain controller in each site that builds the inter-site replication topology and selects the bridgehead servers for the site. The first DC in a site becomes the ISTG; the domain controller holding this role is not necessarily also a bridgehead server.

    Windows Server 2008

What are RODCs? And what are the major benefits of using RODCs?

A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database.

What are the different editions of Windows Server 2008?

The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise Edition provides a platform for large enterprise-wide networks. The Datacenter Edition provides support for unlimited Hyper-V virtualization and advanced clustering services. The Web Edition is a scaled-down version of Windows Server 2008 intended for use as a dedicated web server. The Standard, Enterprise, and Datacenter Editions can be purchased with or without the Hyper-V virtualization technology.

What two hardware considerations should be an important part of the planning process for a Windows Server 2008 deployment?

Any server on which you will install Windows Server 2008 should have at least the minimum hardware requirement for running the network operating system. Server hardware should also be on the Windows Server 2008 Hardware Compatibility List to avoid the possibility of hardware and network operating system incompatibility.

What are the options for installing Windows Server 2008?

You can install Windows Server 2008 on a server with no network operating system (a clean install), or you can upgrade existing servers running Windows 2000 Server or Windows Server 2003.


How do you configure and manage a Windows Server 2008 core installation?

This stripped-down version of Windows Server 2008 has no desktop shell; it is managed locally from the command line (cmd, sconfig, PowerShell) or remotely with MMC snap-ins and Server Manager.

What's New in Windows Server 2008 Active Directory Domain Services?

Active Directory Domain Services in Windows Server 2008 provides a number of enhancements over previous versions, including these:

Auditing : AD DS auditing has been enhanced significantly in Windows Server 2008. The enhancements provide more granular auditing capabilities through four new auditing subcategories: Directory Service Access, Directory Service Changes, Directory Service Replication, and Detailed Directory Service Replication. Additionally, auditing now provides the capability to log the old and new values of an attribute when a successful change is made to that attribute.

Fine-Grained Password Policies : AD DS in Windows Server 2008 now provides the capability to create different password and account lockout policies for different sets of users in a domain. User and group password and account lockout policies are defined and applied via a Password Settings Object (PSO). A PSO has attributes for all the settings that can be defined in the Default Domain Policy, except the Kerberos settings. PSOs can be applied to both users and groups.

Read-Only Domain Controllers : AD DS in Windows Server 2008 introduces a new type of domain controller called a read-only domain controller (RODC). RODCs contain a read-only copy of the AD DS database.

Restartable Active Directory Domain Services : AD DS in Windows Server 2008 can now be stopped and restarted through MMC snap-ins and the command line. The restartable AD DS service reduces the time required to perform certain maintenance and restore operations. Additionally, other services running on the server remain available to satisfy client requests while AD DS is stopped.

AD DS Database Mounting Tool : AD DS in Windows Server 2008 comes with an AD DS database mounting tool, which provides a means to compare data as it exists in snapshots or backups taken at different times. The AD DS database mounting tool eliminates the need to restore multiple backups to compare the AD data that they contain and provides the capability to examine any change made to data stored in AD DS.
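As an added example, not from the original page, the PowerShell below creates a Password Settings Object for the fine-grained password policy feature described above, applies it to a group, and shows how to find out which policy actually binds a given user; it closes with the auditpol command that turns on the "Directory Service Changes" subcategory from the auditing item. It assumes the domain functional level is Windows Server 2008 or higher, the ActiveDirectory RSAT module, and the policy name PSO-Admins and the users alice and bob, which are assumptions.

```powershell
# Added example, not from the original page. Policy, group and user names are assumptions;
# PSOs require the Windows Server 2008 domain functional level.
Import-Module ActiveDirectory

# A Password Settings Object applied to a group, so privileged accounts get stricter rules than
# the Default Domain Policy without needing a second domain. When a user is covered by several
# PSOs, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 20 -PasswordHistoryCount 24 `
    -MinPasswordAge 1.00:00:00 -MaxPasswordAge 90.00:00:00 `
    -LockoutThreshold 5 -LockoutObservationWindow 0.00:30:00 -LockoutDuration 0.00:30:00 `
    -ReversibleEncryptionEnabled $false -Description 'Stricter settings for privileged accounts'

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Which policy binds a given user: a PSO applied directly or through a group wins over the domain
# default; if none applies, the Default Domain Policy values are in effect.
function Get-EffectivePasswordPolicy {
    param([string]$User)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) {
        [pscustomobject]@{ User = $User; Source = $pso.Name; MinLength = $pso.MinPasswordLength; Lockout = $pso.LockoutThreshold }
    } else {
        $dom = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ User = $User; Source = 'Default Domain Policy'; MinLength = $dom.MinPasswordLength; Lockout = $dom.LockoutThreshold }
    }
}
Get-EffectivePasswordPolicy -User 'alice'   # alice is assumed to be in Domain Admins
Get-EffectivePasswordPolicy -User 'bob'     # bob is assumed to be an ordinary user

# Auditing enhancement: the "Directory Service Changes" subcategory records old and new attribute
# values. Enable it on the DCs (in practice through the Default Domain Controllers Policy); the
# objects to watch also need a SACL entry requesting Write auditing, which this line does not add.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
```

Note that the PSO covers password and lockout settings only; the Kerberos policy stays a single domain-wide setting, as the text says.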


Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources.

    Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems.

    As a result, users in this situation can receive the following benefits:

    Major benefits

    * Improved security

    * Faster logon times

    * More efficient access to resources on the network

What does an RODC do?

Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller.

However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications.

In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller.

An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest.

You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.
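The point above is that an RODC only stores the secrets its Password Replication Policy allows, so the defender's check is which accounts are actually cached on it. The following is an added example (not from the original document) that lists the cached accounts on an RODC and flags any that belong to privileged groups; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later) and uses "BRANCH-RODC01" as a placeholder host name.

```powershell
# Added example: audit the credentials an RODC has cached and flag privileged ones.
# Assumes the ActiveDirectory module; "BRANCH-RODC01" is a placeholder name.
Import-Module ActiveDirectory

$rodc = "BRANCH-RODC01"

# Members of these groups should never have their secrets stored on a branch RODC.
$privilegedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")
$privilegedSids = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SID
}

# "Revealed" accounts are those whose password hashes are currently stored on the RODC.
$cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)

# Accounts the RODC has forwarded authentication for; candidates for the Allowed list
# if they belong to users who really work at that branch.
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

"{0} accounts cached on {1}; {2} accounts authenticated through it" -f $cached.Count, $rodc, $authenticated.Count

# Any privileged account in the cached set means the Denied list is incomplete.
$leaked = $cached | Where-Object { $privilegedSids -contains $_.SID }
if ($leaked) {
    Write-Warning "Privileged accounts cached on $rodc - review the Denied list:"
    $leaked | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}

# Show the policy itself (explicit Allowed and Denied lists) for comparison.
"Allowed list:"; Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
"Denied list:";  Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name
```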

What is REPADMIN?

Repadmin.exe: Replication Diagnostics Tool

This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.

Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems.
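The showrepl /csv output mentioned above is the easiest of these to turn into an automated health check. The following is an added example (not from the original document) that parses it and reports every inbound replication link that has failures or has not succeeded within a threshold; it assumes repadmin.exe is on the path and that the account can query every DC in the forest.

```powershell
# Added example: turn "repadmin /showrepl * /csv" into a list of failing or stale links.
# Assumes repadmin.exe is available and the caller can query all domain controllers.
$staleAfterHours = 24

# One CSV row per (destination DC, naming context, source DC); skip blank lines.
$rows = repadmin /showrepl * /csv | Where-Object { $_ -match "\S" } | ConvertFrom-Csv

$problems = $rows | ForEach-Object {
    $failures = [int]$_."Number of Failures"
    $lastOk   = [datetime]::MinValue
    $stale    = $false
    # "Last Success Time" is empty when the link has never replicated successfully.
    if ([datetime]::TryParse($_."Last Success Time", [ref]$lastOk)) {
        $stale = $lastOk -lt (Get-Date).AddHours(-$staleAfterHours)
    } else {
        $stale = $true
    }
    if ($failures -gt 0 -or $stale) {
        [pscustomobject]@{
            Destination   = $_."Destination DSA"
            Source        = $_."Source DSA"
            NamingContext = $_."Naming Context"
            Failures      = $failures
            LastSuccess   = $_."Last Success Time"
            LastError     = $_."Last Failure Status"
        }
    }
}

if ($problems) {
    $problems | Sort-Object Failures -Descending | Format-Table -AutoSize
} else {
    "All inbound replication links succeeded within the last $staleAfterHours hours."
}

# Forest-wide summary (largest delta and failure counts per DC) as a cross-check.
repadmin /replsummary
```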

What is NETDOM?

NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

KCC (Knowledge Consistency Checker)

The KCC is a built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

    How do you view replication properties for AD?

    By using Active Directory Replication Monitor.

    Start> Run> Replmon

What are sites? What are they used for?

One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.

What Windows Server 2008 service is used to install client operating systems over the network?

Windows Deployment Services (WDS) enables you to install client and server operating systems over the network to any computer with a PXE-enabled network interface.

What domain services are necessary for you to deploy the Windows Deployment Services on your network?

Windows Deployment Services requires that a DHCP server and a DNS server be installed in the domain.

How is WDS configured and managed on a server running Windows Server 2008?

The Windows Deployment Services snap-in enables you to configure the WDS server and add boot and install images to the server.

What protocol stack is installed by default when you install Windows Server 2008 on a network server?

TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is required for Active Directory implementations and provides for connectivity on heterogeneous networks.

What are some of the tools used to manage Active Directory objects in a Windows Server 2008 domain?

When the Active Directory is installed on a server (making it a domain controller), a set of Active Directory snap-ins is provided.

The Active Directory Users and Computers snap-in is used to manage Active Directory objects such as user accounts, computers, and groups.

The Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined between domains.

The Active Directory Sites and Services snap-in provides for the management of domain sites and subnets.

New Features in Windows Server 2008

Self-healing NTFS file system: In WS2K8, a new system service works in the background that can detect a file system error and perform a healing process without anyone taking the server down.

Clean service shutdown: One of Windows' historical problems concerns its system shutdown procedure. In XP, once shutdown begins, the system starts a 20-second timer. After that time is up, it asks the user whether she wants to terminate the application herself. In WS2K8, that 20-second countdown has been replaced with a service that gives applications that have received the shutdown signal all the time they need to shut down, as long as they continually signal back that they are indeed shutting down.

Virtualization: Microsoft's Hyper-V hypervisor-based virtualization technology.

Server Core

Many server administrators, especially those used to working in a Linux environment, instinctively dislike having to install a large, feature-packed operating system to run a particular specialized server. Server 2008 offers a Server Core installation, which provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server. The Server Core installation option installs only what is required to have a manageable server for the AD DS, AD LDS, AD CS, DHCP Server, DNS Server, File Services, Print Services, Web Server and Hyper-V server roles, so less maintenance is required than on a full installation of Windows Server 2008.

IIS: IIS 7, the Web server bundled with Server 2008, is a big upgrade from the previous version. "There are significant changes in terms of security and the overall implementation which make this version very attractive."

Windows PowerShell

Microsoft's new(ish) command line shell and scripting language has proved popular with some server administrators, especially those used to working in Linux environments. Included in Server 2008, PowerShell can make some jobs quicker and easier to perform than going through the GUI.

Read Only Domain Controllers (RODC)

It's hardly news that branch offices often lack skilled IT staff to administer their servers, but they also face another, less talked about problem. While corporate data centers are often physically secured, servers at branch offices rarely have the same physical security protecting them. This makes them a convenient launch pad for attacks back to the main corporate servers. RODC provides a way to make an Active Directory database read-only.

Network Access Protection

Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies, and that those that are not can be remediated, is useful. However, similar functionality has been and remains available from third parties.

New password policies. No longer is there a restriction of one password policy per domain.

Group Policy database. Server 2008 adds a searchable database for group policy managers, so admins no longer have to track this manually.

Active Directory Rights Management Services (AD RMS). This was available in Server 2003 but only as an add-on purchase. The new version adds new features to limit access to certain files.

Windows Remote Shell (WinRS). This is a more advanced version of Terminal Services that allows connections to many remote computers at a time, all from a single console.

The Print Management Console (PMC). First making its debut in Windows Server 2003 R2, this new release is a native function and is available as a snap-in addition for the Microsoft Management Console (MMC). This handy utility lets an administrator see every printer in the entire organization, and map printers to specific user groups.


RemoteApp & Desktop Connections (RAD)

RemoteApp was introduced with Windows Server 2008. It allows end-users to launch a single application on a remote server via RDP. Desktop Connections are common sessions on a Terminal Server.

Virtual Desktop Infrastructure (VDI)

Desktop Virtualization is a new feature in Windows Server 2008 R2.

VSS Writer

Windows Server Backup is scheduled to run nightly but will often fail intermittently and then consistently. From a command line one can see the status of the Volume Shadow Copy writers by typing vssadmin list writers. A number of the writers will show:

State: [5] Waiting for completion

Last error: No error

Stopping and starting the Volume Shadow Copy service does not change the status. A reboot of the server does fix the issue but is not a good solution. The easiest thing to fix the status is to run a Backup Once of just the C drive to either a local or remote drive. Once completed the writers all go back to Stable, No Error.
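Reading the vssadmin output by eye is error-prone on a server with a dozen writers, so the following added example (not from the original document) parses it into objects and reports any writer that is not Stable or carries an error. The sample text is constructed to mirror the output described above; the commented line shows the live call.

```powershell
# Added example: parse "vssadmin list writers" output into objects and flag unhealthy writers.
function Get-VssWriterStatus {
    param([Parameter(Mandatory)][string]$Text)   # raw text from vssadmin list writers
    # Each writer block begins with "Writer name: '<name>'" followed by indented detail lines.
    ($Text -split "Writer name: ") | Select-Object -Skip 1 | ForEach-Object {
        $block = $_
        [pscustomobject]@{
            Name      = ($block -split "\r?\n")[0].Trim("' ")
            State     = if ($block -match "State:\s*(\[\d+\][^\r\n]*)")  { $matches[1].Trim() } else { "unknown" }
            LastError = if ($block -match "Last error:\s*([^\r\n]+)")    { $matches[1].Trim() } else { "unknown" }
        }
    }
}

function Get-UnhealthyVssWriter {
    param([Parameter(Mandatory)][string]$Text)
    # Healthy means state "[1] Stable" and last error "No error"; anything else is reported.
    Get-VssWriterStatus -Text $Text |
        Where-Object { $_.State -notmatch "^\[1\]\s*Stable" -or $_.LastError -ne "No error" }
}

# Constructed sample in the layout vssadmin prints (GUIDs are placeholders, not real writer IDs).
$sample = @"
Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   State: [1] Stable
   Last error: No error

Writer name: 'NTDS'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   State: [5] Waiting for completion
   Last error: No error
"@

# Live use on the server:  $sample = vssadmin list writers | Out-String
Get-UnhealthyVssWriter -Text $sample | Format-Table Name, State, LastError -AutoSize
# Reports only NTDS, in state "[5] Waiting for completion", the case the text describes.
```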

Migrating from 2003 to 2008

1. Provide a static IP address to the Windows Server 2008 box you intend to use as Domain Controller.
2. Prepare your Active Directory environment for the first Windows Server 2008 Domain Controller by running adprep.exe with the needed switches.
3. Make the Windows Server 2008 box an extra Domain Controller for your existing domain by running dcpromo.exe.
4. Make the new server a Global Catalog server.
5. When your Windows Server 2003 Domain Controller is the only DNS Server, convert your DNS zone into an Active Directory Integrated Zone. Install DNS on the new server and it will automatically be populated. If another server is your DNS Server you need not do anything with DNS.
6. Migrate any data you'd want to migrate to the new Windows Server 2008 box (except for the SYSVOL and NETLOGON shares; these will be copied automatically).
7. Migrate any Server roles you'd want to migrate to the new Windows Server 2008 box (think about Certificate services, DHCP, Print Server and any business specific application at this moment).
8. Transfer all the FSMO roles from the Windows Server 2003 Active Directory Domain Controller to the Windows Server 2008 Domain Controller.
9. Get rid of your Windows Server 2003 box as a Domain Controller by demoting it using dcpromo.exe.
10. Optional (see step 5): When your current Domain Controller is DNS Server and you don't want it to be anymore, be sure to change this information on your clients (change the DHCP option, when DHCP is available) and reconfigure your DNS zones not to include the old server anymore.
11. Remove the Windows Server 2003 box from the domain and delete its computer account from Active Directory.
12. Get rid of your Windows Server 2003 box.

Transitioning your Active Directory will not require you to configure anything on the desktops of your users, and your users can start using the server right away, since each Active Directory Domain Controller stores a copy of the Active Directory information, like users, computers, etc., and the NETLOGON and SYSVOL shares.
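Steps 4 and 8 are the ones that break authentication if they are skipped before step 9, so they are worth verifying in code rather than by memory. The following added example (not part of the original procedure) checks that the new DC is a Global Catalog, shows who holds each FSMO role, and transfers any role still on the old DC; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later) and uses "DC2008" and "DC2003" as placeholder host names.

```powershell
# Added example: pre-demotion check for steps 4 and 8 of the migration above.
# Assumes the ActiveDirectory module; "DC2008" and "DC2003" are placeholder names.
Import-Module ActiveDirectory

$newDc = "DC2008"
$oldDc = "DC2003"

# Step 4: the new DC must be a Global Catalog before the old one is demoted,
# otherwise universal group membership lookups at logon have nowhere to go.
$newDcInfo = Get-ADDomainController -Identity $newDc
if (-not $newDcInfo.IsGlobalCatalog) {
    Write-Warning "$newDc is not a Global Catalog yet; enable it on its NTDS Settings object in Sites and Services first."
}

# Step 8: the five FSMO roles (two forest-wide, three domain-wide) and their current holders.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# Roles still held by the old DC (holders are FQDNs, so match on the host name prefix).
$onOldDc = @($roles.GetEnumerator() |
    Where-Object { $_.Value -like "$oldDc.*" } |
    ForEach-Object { $_.Key })

if ($onOldDc.Count -gt 0) {
    # Transfer, not seize: the old DC is still online, so the move is graceful and replicated.
    Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $onOldDc -Confirm:$false
}

# Independent confirmation with the built-in tool before running dcpromo on the old DC.
netdom query fsmo
```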

Backup Types

1. Normal backup - It copies all the files marked to be backed up.
2. Incremental backup - Copies only those files that have been created or changed since the last incremental or normal backup. It clears the archive attribute.
3. Differential backup - Copies only those files that have been created or changed since the last normal or incremental backup. It does not clear the archive attribute.
4. Copy backup - It copies all the files you have selected.
5. Daily backup - It copies all the files you have selected that have been modified on the day.