Windows-Interview-Questions.docx

8/16/2019 Windows-Interview-Questions.docx

1/77

KCC

The KCC is a built-in process that runs on all domain controllers and generates replication

topology for the Active Directory forest. The KCC creates separate replication topologies

depending on whether replication is occurring within a site (intrasite) or between sites (intersite).

The KCC also dynamically adusts the topology to accommodate new domain controllers!

domain controllers moved to and from sites! changing costs and schedules! and domain

controllers that are temporarily unavailable.

How do you view replication properties for AD?

"y using Active Directory #eplication $onitor.

%tart&' #un&' #eplmon

What are sites What are they used for?

ne or more well-connected (highly reliable and fast) TC*+ subnets. A site allows

administrators to configure Active Directory access and replication topology to ta,e advantage of

the physical networ,.

Name some OU design considerations?

design reuires balancing reuirements for delegating administrative rights & independent of

/roup olicy needs & and the need to scope the application of /roup olicy. The following

design recommendations address delegation and scope issues0

Applying /roup olicy An is the lowest-level Active Directory container to which you can

assign /roup olicy settings. Delegating administrative authority usually don1t go more than 2 levels

http0**technet.microsoft.com*en-us*library*cc342567.asp8

What are !"O #oles? $ist them%

9smo roles are server roles in a 9orest

There are five types of 9%$ roles

5-%chema master

:-Domain naming master

2-#id master 6-DC ;mullator


2/77

$icrosoft.com. >ow microsoft has a server named server5 in that domain! which happens to the

be parent domain. %o it1s 9?D> is server5.microsoft.com. +f you add an additional domain

server and name it server:! then it1s 9?D> is server:.microsoft.com.

>ow $icrosoft is big so it has offices in ;urope and Asia. %o they ma,e child domains for them

and their 9?D> would loo, li,e this0 europe.microsoft.com @ asia.microsoft.com. >ow lets say

each of them have a server in those child domains named server5. Their 9?D> would then loo,

li,e this0 server5.europe.microsoft.com @ server5.asia.microsoft.com..

What are Active Directory )roups?

/roups are containers that contain user and computer obects within them as members. =hen

security permissions are set for a group in the Access Control ist on a resource! all members of

that group receive those permissions. Domain /roups enable centraliBed administration in a

domain. All domain groups are created on a domain controller.

+n a domain! Active Directory provides support for different types of groups and group scopes.

The group type determines the type of tas, that you manage with the group. The group scopedetermines whether the group can have members from multiple domains or a single domain.

)roup *ypes

"ecurity groups0 se %ecurity groups for granting permissions to gain access to resources.

%ending an e-mail message to a group sends the message to all members of the group. Therefore

security groups share the capabilities of distribution groups.

Distri'ution groups0 Distribution groups are used for sending e-main messages to groups of

users. ou cannot grant permissions to security groups. ;ven though security groups have all the

capabilities of distribution groups! distribution groups still reuires! because some applications

can only read distribution groups.

)roup "copes

/roup scope normally describe which type of users should be clubbed together in a way which is

easy for there administration. Therefore! in domain! groups play an important part. ne group

can be a member of other group(s) which is normally ,nown as /roup nesting. ne or more

groups can be member of any group in the entire domain(s) within a forest.

Domain $ocal )roup0 se this scope to grant permissions to domain resources that are

located in the same domain in which you created the domain local group. Domain local groups

can e8ist in all mi8ed! native and interim functional level of domains and forests. Domain local

group memberships are not limited as you can add members as user accounts! universal andglobal groups from any domain. Eust to remember! nesting cannot be done in domain local group.

A domain local group will not be a member of another Domain ocal or any other groups in the

same domain.

)lo'al )roup0 sers with similar function can be grouped under global scope and can be

given permission to access a resource (li,e a printer or shared folder and files) available in local

or another domain in same forest. To say in simple words! /lobal groups can be use to grant


3/77

permissions to gain access to resources which are located in any domain but in a single forest as

their memberships are limited. ser accounts and global groups can be added only from the

domain in which global group is created. >esting is possible in /lobal groups within other

groups as you can add a global group into another global group from any domain. 9inally to

provide permission to domain specific resources (li,e printers and published folder)! they can be

members of a Domain ocal group. /lobal groups e8ist in all mi8ed! native and interim

functional level of domains and forests.

Universal )roup "cope0 these groups are precisely used for email distribution and can be

granted access to resources in all trusted domain as these groups can only be used as a security

principal (security group type) in a windows :777 native or windows server :772 domain

functional level domain. niversal group memberships are not limited li,e global groups. All

domain user accounts and groups can be a member of universal group. niversal groups can be

nested under a global or Domain ocal group in any domain.

What are the types of 'ac+up? ,-plain each?+ncremental

A FnormalG incremental bac,up will only bac, up files that have been changed since the last

bac,up of any type. This provides the uic,est means of bac,up! since it only ma,es copies of

files that have not yet been bac,ed up. 9or instance! following our full bac,up on 9riday!

$onday1s tape will contain only those files changed since 9riday. Tuesday1s tape contains only

those files changed since $onday! and so on. The downside to this is obviously that in order to

perform a full restore! you need to restore the last full bac,up first! followed by each of the

subseuent incremental bac,ups to the present day in the correct order. %hould any one of these

bac,up copies be damaged (particularly the full bac,up)! the restore will be incomplete.

Differential

A cumulative bac,up of all changes made after the last full bac,up. The advantage to this is the

uic,er recovery time! reuiring only a full bac,up and the latest differential bac,up to restore

the system. The disadvantage is that for each day elapsed since the last full bac,up! more data

needs to be bac,ed up! especially if a maority of the data has been changed.

What is the "."/O$ folder?

The =indows %erver :772 %ystem Holume (%%H) is a collection of folders and reparse

points in the file systems that e8ist on each domain controller in a domain. %%H provides a

standard location to store important elements of /roup olicy obects (/s) and scripts so thatthe 9ile #eplication service (9#%) can distribute them to other domain controllers within that

domain.

ou can go to %%H folder by typing 0 IsystemrootI*sysvol

http://systadmin.blogspot.com/search/label/Backuphttp://systadmin.blogspot.com/search/label/Backuphttp://systadmin.blogspot.com/search/label/Backuphttp://systadmin.blogspot.com/search/label/Backuphttp://systadmin.blogspot.com/search/label/Backuphttp://systadmin.blogspot.com/search/label/Backup


4/77

What is the 0"*) Who has that role 'y default?

The first server in the site becomes the +%T/ for the site! The domain controller holding this role

may not necessarily also be a bridgehead server.

What is the order in which )1Os are applied?

ocal! %ite! Domain!

What are some of the new tools and features provided 'y Windows "erver 2334?

=indows %erver :774 now provides a des,top environment similar to $icrosoft =indows Hista

and includes tools also found in Hista! such as the new bac,up snap-in and the "itoc,er drive

encryption feature. =indows %erver :774 also provides the new ++%3 web server and the

=indows Deployment %ervice.

=hat are the different editions of =indows %erver :774J

The entry-level version of =indows %erver :774 is the %tandard ;dition. The ;nterprise ;dition

provides a platform for large enterprisewide networ,s. The Datacenter ;dition provides support

for unlimited yper-H virtualiBation and advanced clustering services. The =eb ;dition is a

scaled-down version of =indows %erver :774 intended for use as a dedicated web server. The

%tandard! ;nterprise! and Datacenter ;ditions can be purchased with or without the yper-H

virtualiBation technology.

What two hardware considerations should 'e an important part of the planning process for

a Windows "erver 2334 deployment?

Any server on which you will install =indows %erver :774 should have at least the minimum

hardware reuirement for running the networ, operating system. %erver hardware should also be

on the =indows %erver :774 ardware Compatibility ist to avoid the possibility of hardware

and networ, operating system incompatibility.

What are the options for installing Windows "erver 2334?

ou can install =indows %erver :774 on a server not currently configured with >%! or you can

upgrade e8isting servers running =indows :777 %erver and =indows %erver :772.

How do you configure and manage a Windows "erver 2334 core installation?

This stripped-down version of =indows %erver :774 is managed from the command line.

http://systadmin.blogspot.com/search/label/group%20policyhttp://systadmin.blogspot.com/search/label/group%20policy


5/77

Which Control 1anel tool ena'les you to automate the running of server utilities and other

applications?

The Tas, %cheduler enables you to schedule the launching of tools such as =indows "ac,up and

Dis, Defragmenter.

What are some of the items that can 'e accessed via the "ystem 1roperties dialog 'o-?

ou can access virtual memory settings and the Device $anager via the %ystem roperties

dialog bo8.

When a child domain is created in the domain tree& what type of trust relationship e-ists

'etween the new child domain and the trees root domain?

Child domains and the root domain of a tree are assigned transitive trusts. This means that the

root domain and child domain trust each other and allow resources in any domain in the tree to be accessed by users in any domain in the tree.

What is the primary function of domain controllers?

The primary function of domain controllers is to validate users to the networ,. owever! domain

controllers also provide the catalog of Active Directory obects to users on the networ,.

What are some of the other roles that a server running Windows "erver 2334 could fill on

the networ+?

A server running =indows %erver :774 can be configured as a domain controller! a file server! a

print server! a web server! or an application server. =indows servers can also have roles and

features that provide services such as D>%! DC! and #outing and #emote Access.

Which Windows "erver 2334 tools ma+e it easy to manage and configure a servers roles

and features?

The %erver $anager window enables you to view the roles and features installed on a server and

also to uic,ly access the tools used to manage these various roles and features. The %erver

$anager can be used to add and remove roles and features as needed.

What Windows "erver 2334 service is used to install client operating systems over the

networ+?

=indows Deployment %ervices (=D%) enables you to install client and server operating systems

over the networ, to any computer with a L;-enabled networ, interface.


6/77

What domain services are necessary for you to deploy the Windows Deployment "ervices

on your networ+?

=indows Deployment %ervices reuires that a DC server and a D>% server be installed in the

domain

How is WD" configured and managed on a server running Windows "erver 2334?

The =indows Deployment %ervices snap-in enables you to configure the =D% server and add

boot and install images to the server.

What is the difference 'etween a 'asic and dynamic drive in the Windows "erver 2334

environment?

A basic dis, embraces the $%-D% dis, structureM a basic dis, can be divided into partitions

(simple volumes).Dynamic dis,s consist of a single partition that can be divided into any number of volumes.

Dynamic dis,s also support =indows %erver :774 #A+D implementations.

What is #A0D in Windows "erver 2334?

#A+D! or #edundant Array of +ndependent Dis,s! is a strategy for building fault tolerance into

your file servers. #A+D enables you to combine one or more volumes on separate drives so that

they are accessed by a single drive letter. =indows %erver :774 enables you to configure #A+D

7 (a striped set)! #A+D 5 (a mirror set)! and #A+D < (dis, striping with parity).

What conceptual model helps provide an understanding of how networ+ protocol stac+s

such as *C1501 wor+?

The %+ model! consisting of the application! presentation! session! transport! networ,! data lin,!

and physical layers! helps describe how data is sent and received on the networ, by protocol

stac,s.

What protocol stac+ is installed 'y default when you install Windows "erver 2334 on a

networ+ server?

TC*+ (v6 and vN) is the default protocol for =indows %erver :774. +t is reuired for Active

Directory implementations and provides for connectivity on heterogeneous networ,s.

How is a server running Windows "erver 2334 configured as a domain controller& such as

the domain controller for the root domain or a child domain?


7/77

+nstalling the Active Directory on a server running =indows %erver :774 provides you with the

option of creating a root domain for a domain tree or of creating child domains in an e8isting

tree. +nstalling Active Directory on the server ma,es the server a domain controller.

What are some of the tools used to manage Active Directory o'6ects in a Windows "erver

2334 domain?

=hen the Active Directory is installed on a server (ma,ing it a domain controller)! a set of

Active Directory snap-ins is provided. The Active Directory sers and Computers snap-in is

used to manage Active Directory obects such as user accounts! computers! and groups. The

Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined

between domains. The Active Directory %ites and %ervices snap-in provides for the management

of domain sites and subnets.

How are domain user accounts created and managed?

The Active Directory sers and Computers snap-in provides the tools necessary for creating user

accounts and managing account properties. roperties for user accounts include settings related

to logon hours! the computers to which a user can log on! and the settings related to the user1s

password.

What type of Active Directory o'6ects can 'e contained in a group?

A group can contain users! computers! contacts! and other nested groups.

What type of group is not availa'le in a domain that is running at the mi-ed7mode

functional level?

niversal groups are not available in a mi8ed-mode domain. The functional level must be raised

to =indows :772 or =indows :774 to ma,e these groups available.

What types of Active Directory o'6ects can 'e contained in an Organi8ational Unit?

rganiBational nits can hold users! groups! computers! contacts! and other s. The

rganiBational nit provides you with a container directly below the domain level that enables

you to refine the logical hierarchy of how your users and other resources are arranged in the

Active Directory.

What are Active Directory sites in Windows "erver 2334?

Active Directory sites are physical locations on the networ,1s physical topology. ;ach regional

domain that you create is assigned to a site. %ites typically represent one or more + subnets that


8/77

are connected by + routers. "ecause sites are separated from each other by a router! the domain

controllers on each site periodically replicate the Active Directory to update the /lobal Catalog

on each site segment.

Can servers running Windows "erver 2334 provide services to clients when they are not

part of a domain?

%ervers running =indows %erver :774 can be configured to participate in a wor,group. The

server can provide some services to the wor,group peers but does not provide the security and

management tools provided to domain controllers.

What does the use of )roup 1olicy provide you as a networ+ administrator?

/roup olicy provides a method of controlling user and computer configuration settings for

Active Directory containers such as sites! domains! and s. /s are lin,ed to a particular

container! and then individual policies and administrative templates are enabled to control the

environment for the users or computers within that particular container.

What tools are involved in managing and deploying )roup 1olicy?

/s and their settings! lin,s! and other information such as permissions can be viewed in the

/roup olicy $anagement snap-in.

How do you deal with )roup 1olicy inheritance issues?

/s are inherited down through the Active Directory tree by default. ou can bloc, theinheritance of settings from upline /s (for a particular container such as an or a local

computer) by selecting "loc, +nheritance for that particular obect. +f you want to enforce a

higher-level / so that it overrides directly lin,ed /s! you can use the ;nforce command on

the inherited (or upline) /.

How can you ma+e sure that networ+ clients have the most recent Windows updates

installed and have other important security features such as the Windows irewall ena'led

'efore they can gain full networ+ access?

ou can configure a >etwor, olicy %erver (a service available in the >etwor, olicy and

Access %ervices role). The >etwor, olicy %erver can be configured to compare des,top client

settings with health validators to determine the level of networ, access afforded to the client.

What is the purpose of deploying local DN" servers?


9/77

A domain D>% server provides for the local mapping of fully ualified domain names to +

addresses. "ecause the D>% is a distributed database! the local D>% servers can provide record

information to remote D>% servers to help resolve remote reuests related to fully ualified

domain names on your networ,.

0n terms of DN"& what is a caching7only server?

A caching-only D>% server supplies information related to ueries based on the data it contains

in its D>% cache. Caching-only servers are often used as D>% forwarders. "ecause they are not

configured with any Bones! they do not generate networ, traffic related to Bone transfers.

How the range of 01 addresses is defined for a Windows "erver 2334 DHC1 server?

The + addresses supplied by the DC server are held in a scope. A scope that contains more

than one subnet of + addresses is called a superscope. + addresses in a scope that you do not

want to lease can be included in an e8clusion range.

• +nterview ?uestion

system administrator interview 9uestion with

answers 1art 2

osted on May 7, 2009. 9iled under0 +nterview ?uestion O Tags0 +nterview ?uestion O

=elcome to system administrator interview uestion with answers art :M if you have read part 5of these article then please go on or else also please read system administrator interview9uestion with answers 1art :

5. Can a wor,station computer be configured to browse the +nternet and yet >T have a defaultgatewayJ

+f we are using public ip address! we can browse the internet. +f it is having an intranet address agateway is needed as a router or firewall to communicate with internet.

:. =hat is C+D#J

C+D# (Classless +nter-Domain #outing! sometimes ,nown as supernetting) is a way to allocateand specify the +nternet addresses used in inter-domain routing more fle8ibly than with theoriginal system of +nternet rotocol (+) address classes. As a result! the number of available+nternet addresses has been greatly increased. C+D# is now the routing system used by virtuallyall gateway hosts on the +nternet1s bac,bone networ,. The +nternet1s regulating authorities nowe8pect every +nternet service provider (+%) to use it for routing.

http://systadmin.wordpress.com/category/interview-question/http://systadmin.wordpress.com/2009/05/07/system-administrator-interview-question-with-answers-part-2/http://systadmin.wordpress.com/2009/05/07/system-administrator-interview-question-with-answers-part-2/http://systadmin.wordpress.com/category/interview-question/http://systadmin.wordpress.com/tag/interview-question/http://systadmin.wordpress.com/tag/interview-question/http://systadmin.wordpress.com/2009/03/19/system-administrator-interview-question-with-answer-part-1/http://systadmin.wordpress.com/2009/03/19/system-administrator-interview-question-with-answer-part-1/http://systadmin.wordpress.com/category/interview-question/http://systadmin.wordpress.com/2009/05/07/system-administrator-interview-question-with-answers-part-2/http://systadmin.wordpress.com/2009/05/07/system-administrator-interview-question-with-answers-part-2/http://systadmin.wordpress.com/category/interview-question/http://systadmin.wordpress.com/tag/interview-question/http://systadmin.wordpress.com/2009/03/19/system-administrator-interview-question-with-answer-part-1/http://systadmin.wordpress.com/2009/03/19/system-administrator-interview-question-with-answer-part-1/


10/77


11/77

e. AD integrated Bones are stored as part of the active directory and support domain-wide orforest-wide replication through application pertitions in AD.

N. ow do + clear the D>% cache on the D>% serverJ

/o to cmd prompt and type Fipconfig*flushdnsG without uotes

3. =hat is >ATJ

>AT (>etwor, Address Translation) is a techniue for preserving scarce +nternet + addresses.9or more details go to $icrosoft lin,

4. ow do you configure >AT on =indows :772J

9or above answer go to below lin,

Configure >AT

S. ow to configure special ports to allow inbound connectionsJ

a. Clic, %tart! Administrative Tools! and then clic, #outing and #emote Access to open the#outing and #emote Access management console.

b. ocate the interface that you want to configure.

c. #ight-clic, the interface and then select roperties from the shortcut menu.

d. Clic, the %pecial orts tab.

e. nder rotocol! select TC or D and then clic, the Add button.

f. ;nter the port number of the incoming traffic in +ncoming ort.

g. %elect n This Address ool ;ntry! and provide the public + address of the incoming traffic.

h. ;nter the port number of the private networ, resource in utgoing ort.

i. ;nter the private networ, resource1s private + address in rivate Address.

. Clic, K.

D>% +nterview ?uestions and Answer

5. %ecure services in your networ, reuire reverse name resolution to ma,e it more difficultto launch successful attac,s against the services. To set this up! you configure a reverseloo,up Bone and proceed to add records. =hich record types do you need to createJ

http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.htmlhttp://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html


12/77

:. =hat is the main purpose of a D>% serverJ

2. %A records must be included in every Bone. =hat are they used forJ

6. "y default! if the name is not found in the cache or local hosts file! what is the first step

the client ta,es to resolve the 9?D> name into an + addressJ


13/77

% server was not configured to allow dynamic updates.

3. The Bone to be used for dynamic updates must be configured to allow dynamic updates.The DC server must support! and be configured to allow! dynamic updates for legacyclients.

4. After receiving the authoritative reply! the resolution process is effectively over.

S. Change the replication scope to all D>% servers in the domain.

57. D>% servers are not caching replies.. ocal client computers are not caching repliesThe cache.dns file may have been corrupted on the server.

What is DHC1;s purpose?

DC1s purpose is to enable individual computers on an + networ, to e8tract theirconfigurations from a server (the PDC server1) or servers! in particular! servers that have noe8act information about the individual computers until they reuest the information. The overall purpose of this is to reduce the wor, necessary to administer a large + networ,. The mostsignificant piece of information distributed in this manner is the + address.

What protocol and port does DHC1 use?

DC! li,e "T runs over D! utiliBing ports N3 and N4.

What is )lo'al Catalog? The /lobal Catalog authenticates networ, user logons and fieldsinuiries about obects across a forest or tree. ;very domain has at least one /C that is hosted ona domain controller. +n =indows :777! there was typically one /C on every site in order to prevent user logon failures across the networ,.

What is "tu' ame %ystem (D>%) servers for that Bone. A stub Bone is used to resolvenames between separate D>% namespaces. This type of resolution may be necessary when acorporate merger reuires that the D>% servers for two separate D>% namespaces resolve namesfor clients in both namespaces.

A stub Bone consists of0


14/77

• The start of authority (%A) resource record! name server (>%) resource records! and the

glue A resource records for the delegated Bone.

• The + address of one or more master servers that can be used to update the stub Bone.

The master servers for a stub Bone are one or more D>% servers authoritative for the child Bone!usually the D>% server hosting the primary Bone for the delegated domain name.

Where is the file of Active Directory data file stored?

Active Directory data store in I%ystem#ootIUntdsU>TD%.D+T. The ntds.dit file is the heart ofActive Directory including user accounts

What are the types of records in DN"?

To see the records of D>% %erver chec,s this path - DN" #ecords

What is DHC1 and at which port DHC1 wor+?

Dynamic ost Configuration rotocol (DC) is a networ, protocol that enables a server toautomatically assign an + address to a computer from a defined range of numbers (i.e.! a scope)configured for a given networ,. DC assigns an + address when a system is started

DC client uses port N3 and the DC server uses port N4.

What is DO#A process in DHC1 and How it wor+s?

DC (D)iscover DC ()ffer DC (#)euestDC (A)c,nowledge

5) Client ma,es a D "roadcast to the server about the DC discovery.

:) DC offers to the client.

2) +n response to the offer Client reuests the server.

6) %erver responds all the +p Add*mas,*gty*dns*wins info along with the ac,nowledgement pac,et.

What is "uper "cope in DHC1?

A superscope allows a DC server to provide leases from more than one scope to clients on asingle physical networ,. "efore you can create a superscope! you must use DC $anager todefine all scopes to be included in the superscope. %copes added to a superscope are called

http://systadmin.wordpress.com/2009/03/21/dns-records-commonly-used-records/http://systadmin.wordpress.com/2009/03/21/dns-records-commonly-used-records/


15/77

member scopes. %uperscopes can resolve DC service issues in several different waysM theseissues include situations in which0

• %upport is needed for DC clients on a single physical networ, segmentRsuch as a

single ;thernet A> segmentRwhere multiple logical + networ,s are used. =hen more

than one logical + networ, is used on a physical networ,! these configurations are also,nown as multinets.

• The available address pool for a currently active scope is nearly depleted and more

computers need to be added to the physical networ, segment.

• Clients need to be migrated to a new scope.

• %upport is needed for DC clients on the other side of "T relay agents! where the

networ, on the other side of the relay agent has multiple logical subnets on one physicalnetwor,. 9or more information! see F%upporting "T ClientsG later in this chapter.

• A standard networ, with one DC server on a single physical subnet is limited to

leasing addresses to clients on the physical subnet.

What is "tu' 8one DN"?

A stub Bone is a copy of a Bone that contains only those resource records necessary to identify theauthoritative Domain >ame %ystem (D>%) servers for that Bone. A stub Bone is used to resolvenames between separate D>% namespaces. This type of resolution may be necessary when acorporate merger reuires that the D>% servers for two separate D>% namespaces resolve namesfor clients in both namespaces.

A stub Bone consists of0

• The start of authority (%A) resource record! name server (>%) resource records! and the

glue A resource records for the delegated Bone.

• The + address of one or more master servers that can be used to update the stub Bone.

The master servers for a stub Bone are one or more D>% servers authoritative for the child Bone!usually the D>% server hosting the primary Bone for the delegated domain name

What is Active Directory? Active Directory is a networ,-based obect store and service thatlocates and manages resources! and ma,es these resources available to authoriBed users andgroups. An underlying principle of the Active Directory is that everything is considered an obect Rpeople! servers! wor,stations! printers! documents! and devices. ;ach obect has certainattributes and its own security access control list (AC).

What;s the difference 'etween forward loo+up 8one and reverse loo+up 8one in DN"?


16/77

9orward loo,up is name-to-+ addressM the reverse loo,up is + address-to-name.

How to transfer roles in Active Directory?

sing >tdsutil.e8e we can transfer roles in Active Directory. To ,now more regarding role

transfer clic, this lin+%

How to 'ac+up Active Directory and which main file you ta+e in 'ac+ing of Active

Directory?

=e can ta,e bac,up with >tbac,up utility.

Active Directory is bac,ed up as part of system state! a collection of system components thatdepend on each other. ou must bac,up and restore system state components together.

Components that comprise the system state on a domain controller include0

• "ystem "tart7up iles ='oot files>% These are the files reuired for =indows :777 %erver

to start.

• "ystem registry%

• Class registration data'ase of Component "ervices% The Component bect $odel

(C$) is a binary standard for writing component software in a distributed systemsenvironment.

• "."/O$% The system volume provides a default Active Directory location for files that

must be shared for common access throughout a domain. The %%H folder on adomain controller contains0

o >;T/> shared folders. These usually host user logon scripts and /roup

olicy obects (/s) for non-=indows :777based networ, clients.

o ser logon scripts for =indows :777 rofessionalbased clients and clients that

are running =indows ST 6.7.

o =indows :777 /s.

o 9ile system unctions.

o 9ile #eplication service (9#%) staging directories and files that are reuired to be

available and synchroniBed between domain controllers.

• Active Directory% Active Directory includes0

http://articles.techrepublic.com.com/5100-10878_11-5081138.htmlhttp://articles.techrepublic.com.com/5100-10878_11-5081138.html


17/77

o >tds.dit0 The Active Directory database.

o ;db.ch,0 The chec,point file.

o ;db.log0 The transaction logs! each 57 megabytes ($") in siBe.

o #es5.log and #es:.log0 #eserved transaction logs.


18/77

What is Active Directory Domain Services 2008?

Active Directory Domain Services (AD DS), formerly known as Active Directory

Directory Services, is the central location for congration information,

athentication re!ests, an" information a#ot all of the o#$ects that are store"

within yor forest% &sing Active Directory, yo can e'ciently manage sers,comters, gros, rinters, alications, an" other "irectoryena#le" o#$ects from

one secre, centrali*e" location%

What is the S+S-. fol"er?

/he Sysvol fol"er on a Win"ows "omain controller is se" to relicate le#ase"

"ata among "omain controllers% ecase $nctions are se" within the Sysvol fol"er

strctre, Win"ows 1/ le system (1/S) version 3%0 is re!ire" on "omain

controllers throghot a Win"ows "istri#te" le system (DS) forest%

/his is a !ote from microsoft themselves, #asically the "omain controller info

store" in les like yor gro olicy st4 is relicate" throgh this fol"er strctre

What5s 1ew in Win"ows Server 2008 Active Directory Domain Services?

Active Directory Domain Services in Win"ows Server 2008 rovi"es a nm#er of

enhancements over revios versions, incl"ing these6

A"iting7AD DS a"iting has #een enhance" signicantly in Win"ows Server 2008%

/he enhancements rovi"e more granlar a"iting caa#ilities throgh for new

a"iting categories6 Directory Services Access, Directory Services hanges,

Directory Services 9elication, an" Detaile" Directory Services 9elication%

A""itionally, a"iting now rovi"es the caa#ility to log ol" an" new vales of anattri#te when a sccessfl change is ma"e to that attri#te%

ine:raine" ;asswor" ;olicies7AD DS in Win"ows Server 2008 now rovi"es the

caa#ility to create "i4erent asswor" an" accont lockot olicies for "i4erent sets

of sers in a "omain% &ser an" gro asswor" an" accont lockot olicies are

"ene" an" alie" via a ;asswor" Setting -#$ect (;S-)% A ;S- has attri#tes for all

the settings that can #e "ene" in the Defalt Domain ;olicy, e


19/77

9estarta#le Active Directory Domain Services7AD DS in Win"ows Server 2008 can

now #e stoe" an" restarte" throgh @@ snains an" the comman" line% /he

restarta#le AD DS service re"ces the time re!ire" to erform certain maintenance

an" restore oerations% A""itionally, other services rnning on the server remain

availa#le to satisfy client re!ests while AD DS is stoe"%

AD DS Data#ase @onting /ool7AD DS in Win"ows Server 2008 comes with a AD

DS "ata#ase monting tool, which rovi"es a means to comare "ata as it e


20/77

E Bmrove" secrity

E aster logon times

E @ore e'cient access to resorces on the network

What "oes an 9-D "o?

Bna"e!ate hysical secrity is the most common reason to consi"er "eloying an

9-D% An 9-D rovi"es a way to "eloy a "omain controller more secrely in

locations that re!ire fast an" relia#le athentication services #t cannot ensre

hysical secrity for a writa#le "omain controller%

Cowever, yor organi*ation may also choose to "eloy an 9-D for secial

a"ministrative re!irements% or e


21/77


22/77


23/77

What is the difference 'etween transferring a

fsmo role and sei8ing one which one should

you not sei8e why?%eiBing an 9%$ can be a destructive process and should only be attempted if the e8istingserver with the 9%$ is no longer available.

+f the domain controller that is the %chema $aster 9%$ role holder is temporarily unavailable!DO NO* sei8e the "chema !aster role.

+f you are going to seiBe the %chema $aster! you must permanently disconnect the current%chema $aster from the networ,.

+f you seiBe the %chema $aster role! the boot drive on the original %chema $aster must becompletely reformatted and the operating system must be cleanly installed! if you intend toreturn this computer to the networ,.

>T;0 The "oot artition contains the system files (U%ystem2:). The %ystem artition is the partition that contains the startup files! >TDetect.com! >TD#! "oot.ini! and possibly >tbootdd.sys.

The Active Directory +nstallation =iBard (Dcpromo.e8e) assigns all < 9%$ roles to the firstdomain controller in the forest root domain. The first domain controller in each new child or treedomain is assigned the three domain-wide roles. Domain controllers continue to own 9%$roles until they are reassigned by using one of the following methods0

• =hat is an + addressJ

• =hat is a subnet mas,J

• =hat is A#J

• =hat is A# Cache oisoningJ

http://wiki.answers.com/Q/What_is_the_difference_between_transferring_a_fsmo_role_and_seizing_one_which_one_should_you_not_seize_whyhttp://wiki.answers.com/Q/What_is_the_difference_between_transferring_a_fsmo_role_and_seizing_one_which_one_should_you_not_seize_why


24/77

• =hat is the A>Ding processJ

• =hat is a default gatewayJ =hat happens if + donVt have oneJ

• Can a wor,station computer be configured to browse the +nternet and yet >T have a

default gatewayJ

• =hat is a subnetJ

• =hat is A+AJ

• =hat is an #9CJ >ame a few if possible (not necessarily the numbers! ust the ideas

behind them)

• =hat is #9C 5S54J

• =hat is C+D#J

• ou have the following >etwor, +D0 5S:.55etwor, +D0 525.55:.7.7. ou need at least ame a few tools

• ow do + ,now the path that a pac,et ta,es to the destinationJ

• =hat does the ping 5S:.5N4.7.5 -l 5777 -n 577 command doJ

• =hat is DCJ =hat are the benefits and drawbac,s of using itJ

• Describe the steps ta,en by the client and DC server in order to obtain an + address.

• =hat is the DC>ACK and when do + get oneJ >ame : scenarios.

• =hat ports are used by DC and the DC clientsJ

• Describe the process of installing a DC server in an AD infrastructure.

• =hat is DC+>9#$J

• Describe the integration between DC and D>%.


25/77

• =hat options in DC do you regularly use for an $% networ,J

• =hat are ser Classes and Hendor Classes in DCJ

• ow do + configure a client machine to use a specific ser ClassJ

• =hat is the "T protocol used for! where might you find it in =indows networ,

infrastructureJ

• D>% Bones & describe the differences between the 6 types.

• D>% record types & describe the most important ones.

• Describe the process of wor,ing with an e8ternal domain name

•

Describe the importance of D>% to AD.

• Describe a few methods of finding an $L record for a remote domain on the +nternet.

• =hat does WDisable #ecursionW in D>% meanJ

• =hat could cause the 9orwarders and #oot ints to be grayed outJ

• =hat is a W%ingle abel domain nameW and what sort of issues can it causeJ

• =hat is the Win-addr.arpaW Bone used forJ

• =hat are the reuirements from D>% to support ADJ

• ow do you manually create %#H records in D>%J

• >ame 2 benefits of using AD-integrated Bones.

• =hat are the benefits of using =indows :772 D>% when using AD-integrated BonesJ

• ou installed a new AD domain and the new (and first) DC has not registered its %#H

records in D>%. >ame a few possible causes.

• =hat are the benefits and scenarios of using %tub BonesJ

• =hat are the benefits and scenarios of using Conditional 9orwardingJ


26/77

• =hat are the differences between =indows Clustering! >etwor, oad "alancing and

#ound #obin! and scenarios for each useJ

• ow do + wor, with the ost name cache on a client computerJ

• ow do + clear the D>% cache on the D>% serverJ

• =hat is the ::6.7.5.:6 address used forJ

• =hat is =+>% and when do we use itJ

• Can you have a $icrosoft-based networ, without any =+>% server on itJ =hat are the

WconsiderationsW regarding not using =+>%J

• Describe the differences between =+>% push and pull replications.

• =hat is the difference between tombstoning a =+>% record and simply deleting itJ

• >ame the >et"+% names you might e8pect from a =indows :772 DC that is registered

in =+>%.

• Describe the role of the routing table on a host and on a router.

• =hat are routing protocolsJ =hy do we need themJ >ame a few.

• =hat are router interfacesJ =hat types can they beJ

• +n =indows :772 routing! what are the interface filtersJ

• =hat is >ATJ

• =hat is the real difference between >AT and ATJ

• ow do you configure >AT on =indows :772J

• ow do you allow inbound traffic for specific hosts on =indows :772 >ATJ

• =hat is H>J =hat types of H> does =indows :777 and beyond wor, with nativelyJ

• =hat is +A%J +n what scenarios do we use itJ

• =hatVs the difference between $i8ed mode and >ative mode in AD when dealing with

##A%J


27/77


28/77

• What is the :lo#al atalog?

• Cow "o yo view all the :s in the forest?

• Why not make all Ds in a large forest as :s?

• /rying to look at the Schema, how can B "o that?

• What are the Sort /ools? Why "o B nee" them?

• What is .D;? What is 9F;.@-1? What is ADSBFDB/? What is 1F/D-@? Whatis 9F;AD@B1?

• What are sites? What are they se" for?

• WhatKs the "i4erence #etween a site linkKs sche"le an" interval?

• What is the =?

• What is the BS/:? Who has that role #y "efalt?

• What are the re!irements for installing AD on a new server?

• What can yo "o to romote a server to D if yoKre in a remote location withslow WA1 link?

• Cow can yo forci#ly remove AD from a server, an" what "o yo "o later? Lan B get ser asswor"s from the AD "ata#ase?

• What tool wol" B se to try to gra# secrity relate" ackets from the wire?

• 1ame some -& "esign consi"erations%

• What is tom#stone lifetime attri#te?

• What "o yo "o to install a new Win"ows 200J D in a Win"ows 2000 AD?

• What "o yo "o to install a new Win"ows 200J 92 D in a Win"ows 200J AD?

•

Cow wol" yo n" all sers that have not logge" on since last month?

• What are the DSE comman"s?

• WhatKs the "i4erence #etween .DBDF an" SDF? &sage consi"erations?

• What are the S@- roles? Who has them #y "efalt? What haens wheneach one fails?


29/77

• What S@- lacement consi"erations "o yo know of?

• B want to look at the 9BD allocation ta#le for a D% What "o B "o?

• WhatKs the "i4erence #etween transferring a S@- role an" sei*ing one?Which one shol" yo 1-/ sei*e? Why?

• Cow "o yo congre a Mstan"#y oeration masterM for any of the roles?

• Cow "o yo #ack AD?

• Cow "o yo restore AD?

• Cow "o yo change the DS 9estore a"min asswor"?

• Why canKt yo restore a D that was #acke" N months ago?

• What are :;-s?

• What is the or"er in which :;-s are alie"?

• 1ame a few #enets of sing :;@%

• What are the :; an" the :;/? Where can B n" them?

• What are :;- links? What secial things can B "o to them?

• What can B "o to revent inheritance from a#ove?

• Cow can B overri"e #locking of inheritance?

• Cow can yo "etermine what :;- was an" was not alie" for a ser? 1amea few ways to "o that%

• A ser claims he "i" not receive a :;-, yet his ser an" comter accontsare in the right -&, an" everyone else there gets the :;-% What will yo lookfor?

• 1ame a few "i4erences in ista :;-s

• 1ame some :;- settings in the comter an" ser arts%

• What are a"ministrative temlates?

• WhatKs the "i4erence #etween software #lishing an" assigning?

• an B "eloy non@SB software with :;-?


30/77

• +o want to stan"ar"i*e the "eskto environments (wallaer, @yDocments, Start men, rinters etc%) on the comters in one "eartment%Cow wol" yo "o that?

Windows Server 2003 Interview Questions & Answers

O% Cow "o yo "o#le#oot a Win 200J server #o


31/77

(A.)%

U% Where are the Win"ows 1/ ;rimary Domain ontroller (;D) an" its ackDomain ontroller (D) in Server 200J?

/he Active Directory relaces them% 1ow all "omain controllers share a mltimaster

eertoeer rea" an" write relationshi that hosts coies of the Active Directory%

8% Cow long "oes it take for secrity changes to #e relicate" among the "omaincontrollers?

Secrityrelate" mo"ications are relicate" within a site imme"iately% /hesechanges incl"e accont an" in"ivi"al ser lockot olicies, changes to asswor"olicies, changes to comter accont asswor"s, an" mo"ications to the .ocalSecrity Athority (.SA)%

R% What5s new in Win"ows Server 200J regar"ing the D1S management?

When D romotion occrs with an e


32/77

/he O>R%23N%E%E netmask is assigne" to Win"ows machines rnning R8G2000G; ifthe DC; server is not availa#le% /he name for the technology is A;B;A (Atomatic;rivate Bnternet ;rotocol A""ressing)%

We5ve installe" a new Win"ows#ase" DC; server, however, the sers "o not seem

to #e getting DC; leases o4 of it% /he server mst #e athori*e" rst with theActive Directory%

Cow can yo force the client to give the "hc lease if yo have access to theclient ;?

icong Grelease

What athentication otions "o Win"ows 2000 Servers have for remote clients?

;A;, S;A;, CA;, @SCA; an" FA;%

What are the networking rotocol otions for the Win"ows clients if for some reasonyo "o not want to se /;GB;?

1W.ink (1ovell), 1etF&B, Ale/alk (Ale)%

What is "ata link layer in the -SB reference mo"el resonsi#le for?

Data link layer is locate" a#ove the hysical layer, #t #elow the network layer% /aking raw "ata #its an" ackaging them into frames% /he network layer will #eresonsi#le for a""ressing the frames, while the hysical layer is reonsi#le forretrieving an" sen"ing raw "ata #its%

What is #in"ing or"er?

/he or"er #y which the network rotocols are se" for clientservercommnications% /he most fre!ently se" rotocols shol" #e at the to%

Cow "o crytograhy#ase" keys ensre the vali"ity of "ata transferre" across thenetwork?

Fach B; acket is assigne" a checksm, so if the checksms "o not match on #othreceiving an" transmitting en"s, the "ata was mo"ie" or corrte"%

Shol" we "eloy B;SF#ase" secrity or certicate#ase" secrity?

/hey are really two "i4erent technologies% B;Sec secres the /;GB; commnicationan" rotects the integrity of the ackets% erticate#ase" secrity ensres thevali"ity of athenticate" clients an" servers%

What is .@C-S/S le?

Bt5s a le store" on a host machine that is se" to resolve 1etB-S to secic B;


33/77

a""resses%

What5s the "i4erence #etween forwar" look an" reverse look in D1S?

orwar" look is nametoa""ress, the reverse look is a""resstoname%

Cow can yo recover a le encryte" sing FS?

&se the "omain recovery agent%

5. =hat is Active Directory schemaJ

:. =hat are the domain functional level in =indows %erver :772J

2. =hat are the forest functional level in =indows %erver :772J

6. =hat is global catalog serverJ


34/77

obect store. The Active directory sees as obects wor,stations! people! servers devices or

documents and they all have their own characteristics and access control list or AC.

5S.

:7. 2%@ What is the meaning of )lo'al Catalog?

:5. A@ A /lobal Catalog is something that each domain has! and it is used for authenticating

the user on the networ,! on windows :777 networ, logon1s were protected from failures

by assigning a /lobal Catalog to every site.

::.

:2. %@ What is the use for DHC1?

:6. A@ DC is used for the DC servers! personal computers can get their configurationfrom a DC server on an + configuration. The server ,nows nothing about the personal

computers until they ma,e a reuest for information. sually the most common

information sent is + address and DC is used to ma,e a large networ, administration

easier.

: networ, where multiple logical + networ,s e8ist

%uper %cope is very useful here. These types of networ,s are also named multinets.

:S. b) there is also need for a %uper %cope when the address pool for the current scope

becomes empty and there is a need for new computers on the physical networ,.

27. c) when clients have to move on another scope.

25. d) when DC clients from the other side of the relay agents ("T) or the networ,

has many logical subnets.


35/77

2:. e) when standard networ,s are limited to leasing addresses for the clients.

22. %@ How can we switch the roles in an Active Directory?

26. A@ %witching or transferring roles in an Active Directory can be made with the use of

>tdsutil.e8e.

2% servers in that specific Bone (D>%X Domain >ame %ervers) is called a %tub Bone. +t

also resolves names for D>% namespaces! thing reuired when names must be resolved

from two different D>% namespaces. The %tub Bone contains0 the master server1s + that

is used for updating the %tub Bone and the %A (%tart of Authority)! the >% (name server)and the glue A delegated Bone records.

24.

2S. %@ What main file is used for Active Directory 'ac+up and how it is made?

67. A@ Active Directory bac,up is made using >Tbac,up utility. The bac,up is made once

with the system state and they are restored also together because they depend on each

other. The system state has different components li,e0

65. a) The registry

6:. b) "oot files or startup files (files reuired by the operating system to start).

62. c) The component services

66. d) The system volume or the %%H folder this is a folder that contains files that are

shared on a domain.

6


36/77

64. A@ es and + can e8plain how. A system administrator is responsible for an entire networ,

which means he*she must ta,e care of multiple things in the same time which is not an

easy tas,. +n order to achieve this! an administrator must have high organiBation s,ills

and a high technical ,nowledge and he*she must prevent the problems from happening so

that he*she won1t have to be forced to fi8 them.

6S.


37/77

N:. ::%@ 0s it possi'le for a computer to 'e a'le to 'rowse the internet without having a

default gateway?

N2. A@ es it is as long as we use a public + address. The gateway is reuired as a router or

firewall when using an intranet address.

N6.

N% then we must select the abc.local domain the right

clic, and we must go to ther >ew #ecords and the %#H ( choose location).

32.

36. :%@ 0n how much time are the security changes applied on the domain controllers?

3


38/77

34. A@ 9iles are deleted constantly by end users but the bac,up can restore them. Anyhow

before using the bac,up we must chec, if the user didn1t move the file by mista,e in

another place.

3S.

47. :E%@ Where is the storage place of the environmental settings and documents from

the roaming profile?

45. A@ These documents and settings are deposited locally until the user1s log off! when they

are moved into the shared folder from the server so the log on at a fresh system may ta,e

a while because of this.

4:.

42. :4%@ What are the classes that we can find in the Active Directory of Windows"erver 233?

46. A0 =e can find0

4%. Also

companies are sometimes acuired and get under other influences but the continuity must

be preserved for the names.


39/77

S:.

S2. 23%@ Can you e-plain to us a'out you e-perience in the past regarding windows

administration?

S6. A@ + have ten years of e8perience in this field! + was passionate about computers sincechildhood and + installed many operating systems at home and inside organiBations

including these versions of windows0 ST! $illenium! :777! :772 %erver!

L! %even! Hista. + also managed these systems and performed maintenance! + wor,ed

with different applications from the windows environment.

S


40/77

57%. +t has all the advantages for server usage.

=indows :777 is a little more professional than L! but they are both coming with

different versions for every user taste. =hile L has ome version! rofessional or

;nterprise! =indows :777 has rofessional and %erver editions. The ome version of L

comes with minimal features because the target clients are beginners.

573.

574. 2%@ What are the things that ma+e Uni- different from Windows?

57S. A@ The code loading runtime of ni8 is different from the one that =indows has.

=e must become aware of how the system e8actly wor,s before we ma,e a dynamically

loading module. ni8 has the shared obects with the .so e8tension that encapsulate lines

of code that the programs will use and the functions names. These function names

become the references of those functions in the memory of the program when the file is

combined with the program. +n =indows the .dll file (dynamic-lin, library file) doesn1t

have references and the code of the files does not lin, to the memory of the program but

they get through a loo,up table which points to data or functions. ni8 has ust one type

of library file! with the .a e8tension and the code of many obect file is contained within

with the .o e8tension. =hen the lin, is created for a shared obect file the definition of the

identifier may not be found! so the obect code from the library will be included.

Ad#msAdmin.msc Active Directory #ights $anagement %ervicesAdsiedit.msc AD%+ ;ditABman.msc AuthoriBation $anagerCertmgr.msc Certmgr (Certificates)Certtmpl.msc Certificates Template ConsoleCluAdmin.msc 9ailover Cluster $anagementCome8p.msc Component %ervicesCompmgmt.msc Computer $anagement

Devmgmt.msc Device $anagerDfsmgmt.msc D9% $anagementDhcpmgmt.msc DC $anagerDis,mgmt.msc Dis, $anagementDnsmgmt.msc D>% $anagerDomain.msc Active Directory Domains And TrustsDsa.msc Active Directory sers And ComputersDssite.msc Active Directory %ites And %ervices


41/77

;ventvwr.msc ;vent Hiewer9smgmt.msc %hared 9olders9srm.msc 9ile %erver #esource $anager98sadmin.msc $icrosoft 9a8 %ervice $anager/pedit.msc ocal /roup olicy ;ditor

usrmgr.msc ocal sers And /roups >apclcfg.msc >A Client Configuration >fsmgmt.msc %ervices 9or >etwor, 9ile %ystem >ps.msc >etwor, olicy %ervercsp.msc nline #espondererfmon.msc #eliability And erformance $onitor,iview.msc ;nterprise K+rintmanagement.msc rint $anagement#emoteprograms.msc T% #emoteApp $anagement#sop.msc #esultant %et of olicy%ecpol.msc ocal %ecurity olicy

%erver$anager.msc %erver $anager%torage$gmt.msc %hare And %torage $anagement%ervices.msc %ervices%tor;8pl.msc %torage ;8plorerTapimgmt.msc TelephonyTas,schd.msc Tas, %chedulerTmp.msc Trusted latform $odule (T$) $anagementTsadmin.msc Terminal %ervices $anagementTsconfig.msc Terminal %ervices ConfigurationTsgateway.msc T% /ateway $anagerTsmmc.msc #emote Des,topsddi.msc DD+ %ervices Console=badmin.msc =indows %erver "ac,up=dsmgmt.msc =indows Deployment %ervices=insmgmt.msc =+>% $anager=mi$gmt.msc =$+ Control

#ead more0 http0**www.placementpapers.us*microsoft*442-windowsYserverY:774YrunYcommandsYadministrators.htmlZi8BB5c8/77 nder Creative Commons icense0 Attribution

Windows "erver 233 Active Directory and

"ecurity 9uestions

"y admin O December 3! :772

5. What;s the difference 'etween local& glo'al and universal groups? Domain localgroups assign access permissions to global domain groups for local domain resources.

http://www.placementpapers.us/microsoft/883-windows_server_2008_run_commands_administrators.html#ixzz1cYPxjG00http://www.placementpapers.us/microsoft/883-windows_server_2008_run_commands_administrators.html#ixzz1cYPxjG00http://creativecommons.org/licenses/by/3.0http://creativecommons.org/licenses/by/3.0http://www.techinterviews.com/author/admin/http://www.placementpapers.us/microsoft/883-windows_server_2008_run_commands_administrators.html#ixzz1cYPxjG00http://www.placementpapers.us/microsoft/883-windows_server_2008_run_commands_administrators.html#ixzz1cYPxjG00http://creativecommons.org/licenses/by/3.0http://www.techinterviews.com/author/admin/


42/77

/lobal groups provide access to resources in other trusted domains. niversal groupsgrant access to resources in all trusted domains.

:. 0 am trying to create a new universal user group% Why can;t 0? niversal groups areallowed only in native-mode =indows %erver :772 environments. >ative mode reuires

that all domain controllers be promoted to =indows %erver :772 Active Directory.

2. What is $"DOU? +t1s group policy inheritance model! where the policies are applied to$ocal machines! "ites! Domains and OrganiBational Units.

6. Why doesn;t $"DOU wor+ under Windows N*? +f the NTConfig.pol file e8ist! it hasthe highest priority among the numerous policies.


43/77

5N. Where is secedit ? +t1s now gpupdate.

53. .ou want to create a new group policy 'ut do not wish to inherit . $a,e sure youchec, loc+ inheritance among the options when creating the policy.

54. What is ItattooingI the #egistry? The user can view and modify user preferences thatare not stored in maintained portions of the #egistry. +f the group policy is removed orchanged! the user preference will persist in the #egistry.

5S. How do you fight tattooing in N*52333 installations? ou can1t.

:7. How do you fight tattooing in 233 installations? ser Configuration - AdministrativeTemplates - %ystem - /roup olicy - enable - ;nforce %how olicies nly.

:5. What does 0ntelli!irror do? +t helps to reconcile des,top settings! applications! andstored files for users! particularly those who move between wor,stations or those who

must periodically wor, offline.

::. What;s the ma6or difference 'etween A* and N*" on a local machine? 9AT and9AT2: provide no security over locally logged-on users. nly native >T9% providese8tensive permission control on both remote and local files.

:2. How do A* and N*" differ in approach to user shares? They don1t! both havesupport for sharing.

:6. ,-plan the List Folder Contents permission on the folder in N*". %ame as #ead @;8ecute! but not inherited by files within a folder. owever! newly created subfolders

will inherit this permission.

:


44/77

:S. What;s the difference 'etween standalone and fault7tolerant D" =Distri'uted ile"ystem> installations? The standalone server stores the Dfs directory tree structure ortopology locally. Thus! if a shared folder is inaccessible or if the Dfs root server is down!users are left with no lin, to the shared resources. A fault-tolerant root node stores the Dfstopology in the Active Directory! which is replicated to other domain controllers. Thus!

redundant root nodes may include multiple connections to the same data residing indifferent shared folders.

27. We;re using the D" fault7tolerant installation& 'ut cannot access it from a WinF4'o-. se the >C path! not client! only :777 and :772 clients can access %erver :772fault-tolerant shares.

25. Where e-actly do fault7tolerant D" shares store information in Active Directory? +n artition Knowledge Table! which is then replicated to other domain controllers.

2:. Can you use "tart7J"earch with D" shares? es.

22. What pro'lems can you have with D" installed? Two users opening the redundantcopies of the file at the same time! with no file-loc,ing involved in D9%! changing thecontents and then saving. nly one file will be propagated through D9%.

26. 0 run !icrosoft Cluster "erver and cannot install fault7tolerant D". eah! you can1t.+nstall a standalone one.

2


45/77

65. What;s the difference 'etween guest accounts in "erver 233 and other editions? $ore restrictive in =indows %erver :772.

6:. How many passwords 'y default are remem'ered when you chec+ I,nforce1assword History #emem'eredI? ser1s last N passwords.

62. What is Active Directory?

The =indows directory service that stores information about all obects on the computer

networ, and ma,es this information easy for administrators and users to find and apply.

=ith the Active Directory! users can gain access to resources anywhere on the networ,

with a single logon. %imilarly! administrators have a single point of administration for all

obects on the networ,! which can be viewed in a hierarchical structure.

What is the campus Windows AD Domain?

Active Directory is the directory service in a =indows networ,. The directory service

stores information about networ, resources and ma,es the resources accessible to usersand applications. Andrew =indows includes the ad.cmu.edu forest root domain. This is

the top level naming structure. Andrew =indows also includes the andrew.ad.cmu.edu

domain within the forest.

66. What is a forest?

A forest refers to an organiBational structure that is a group of one or more trusted

=indows trees. A forest shares a schema and global catalog servers. A single tree can also

be called a forest.

6etware! this is a great migration strategy. Departments

interested in single sign-on andrew accounts! cross-departmental information sharing!

automating machine installs via #+% and /1s! >T6 departments! domains with limited

support personnel! and departments running stand-alone =indows :777 or :772 %ervers

are some of the reasons to consider the AD domain.

63. How can I do a remote install of an operating system?

$any newer computers support the L; standard that is built in the latest networ,

adapters that will let you install an operating system. "ecause no CD is reuired you can

build many machines much faster. ou can also have software deployed that you1ve

defined in a /roup olicy bect.


46/77

64. What is the purpose of the AD password reset?

+f you are accessing an Active Directory resource (such as a shared folder) from a non-

Kerberos computer (=inS8! =in>T) or a non-domain machine! you are reuired to reset

your Active Directory password. Client $achines use Kerberos referrals to get

credentials from the Andrew >+L KDC1s.Therefore! machines that can not understand

the Kerberos referrals need to directly set the Active Directory password.

6S. Can I have my own AD infrastructure?

D>% %upport for ;8ternal 9orests will be available via >et#eg! and the forest structure

will reside under Fwin.cmu.eduG. %end Domain reuest to netdev\andrew.cmu.eduM

%pecifing Domain name (e.g. e8ample.win.cmu.edu) andDomain Controllers (e.g.

dc5.e8ample.win.cmu.edu! dc:.e8ample.win.cmu.edu).


47/77

%)! a uery process in which the friendly D>% domain

name of a host computer is searched to find its +nternet rotocol (+) address.

N7. *lo(al catalog

N5. A domain controller that contains a partial replica of every domain in Active Directory. A

global catalog holds a replica of every obect in Active Directory! but with a limited

number of each obect1s attributes. The global catalog stores those attributes most

freuently used in search operations (such as a user1s first and last names) and those

attributes reuired to locate a full replica of the obect. The Active Directory replication

system builds the global catalog automatically. The attributes replicated into the global

catalog include a base set defined by $icrosoft. Administrators can specify additional

properties to meet the needs of their installation.

N:. *lo(al catalog server

N2. A domain controller that holds a copy of the global catalog for the forest.

N6. *lo(al group


48/77

N


49/77

3S. +f one or a few processes have a high access rate to data on one trac, of a storage dis,!

then they may monopoliBe the device by repeated reuests to that trac,. This generally

happens with most common device scheduling algorithms (+9! %%T9! C-%CA>! etc).

igh-density multisurface dis,s are more li,ely to be affected by this than low density

ones.

47. 3- What is (usy waiting?

45. The repeated e8ecution of a loop of code while waiting for an event to occur is called

busy-waiting. The C is not engaged in any real productive activity during this period!

and the process does not progress toward completion.

4:. 4- What are the typical elements of a process image?

ser data0 $odifiable part of user space. $ay include program data! user stac, area! and

programs that may be modified.

ser program0 The instructions to be e8ecuted.

%ystem %tac,0 ;ach process has one or more +9 stac,s associated with it. sed to store

parameters and calling addresses for procedure and system calls.

rocess control "loc, (C")0 +nfo needed by the % to control processes.

42. 5-What are turnaround time and response time?

46. Turnaround time is the interval between the submission of a ob and its completion.

#esponse time is the interval between submission of a reuest! and the first response to

that reuest.

4


50/77

• What is Active Directory?

An active directory is a directory structure used on $icrosoft =indows based computers and

servers to store information and data about networ,s and domains. +t is primarily used for online

information and was originally created in 5SSN. +t was first used with =indows :777.

An active directory (sometimes referred to as an AD) does a variety of functions including the

ability to rovide information on obects! helps organiBe these obects for easy retrieval and

access! allows access by end users and administrators and allows the administrator to set security

up for the directory.

Active Directory is a hierarchical collection of networ, resources that can contain users!

computers! printers! and other Active Directories. Active Directory %ervices (AD%) allow

administrators to handle and maintain all networ, resources from a single location . Active

Directory stores information and settings in a central database

• What is LDA?

The ightweight Directory Access rotocol! or DA ! is an application protocol for uerying

and modifying directory services running over TC*+. Although not yet widely implemented!

DA should eventually ma,e it possible for almost any application running on virtually any

computer platform to obtain directory information! such as email addresses and public ,eys.

"ecause DA is an open protocol! applications need not worry about the type of server hosting

the directory.

• !an you connect Active Directory to other 3rd"#arty DirectoryServices? $a%e a ew o#tions'

-es you can connect other vendors Directory %ervices with $icrosoft1s version.

-es! you can use dirL$ or DA to connect to other directories (ie. ;-directory from >ovell

or >D% (>ovel directory %ystem).

-es you can Connect Active Directory to other 2rd -party Directory %ervices such as dictonaries

used by %A! Domino etc with the help of $++% ( $icrosoft +dentity +ntegration %erver )

• Where is the AD data(ase held? What other olders are related toAD?

AD Database is saved in IsystemrootI*ntds. ou can see other files also in this folder. These

are the main files controlling the AD structure

ntds.dit


51/77

edb.log

res5.log

res:.log

edb.ch,

=hen a change is made to the =in:K database! triggering a write operation! =in:K records the

transaction in the log file (edb.log). nce written to the log file! the change is then written to the

AD database. %ystem performance determines how fast the system writes the data to the AD

database from the log file. Any time the system is shut down! all transactions are saved to the

database.

During the installation of AD! =indows creates two files0 res5.log and res:.log. The initial siBe

of each is 57$". These files are used to ensure that changes can be written to dis, should thesystem run out of free dis, space. The chec,point file (edb.ch,) records transactions committed

to the AD database (ntds.dit). During shutdown! a FshutdownG statement is written to the edb.ch,

file. Then! during a reboot! AD determines that all transactions in the edb.log file have been

committed to the AD database. +f! for some reason! the edb.ch, file doesn1t e8ist on reboot or the

shutdown statement isn1t present! AD will use the edb.log file to update the AD database.

The last file in our list of files to ,now is the AD database itself! ntds.dit. "y default! the file is

located inU>TD%! along with the other files we1ve discussed

• What is the S)S*+L older?

- All active directory data base security related information store in %%H folder and its only

created on >T9% partition.

- The %ysvol folder on a =indows domain controller is used to replicate file-based data among

domain controllers. "ecause unctions are used within the %ysvol folder structure! =indows >T

file system (>T9%) version C! Configuration >C! Domain >C

"chema NC This >C is replicated to every other domain controller in the forest. +t contains


52/77

information about the Active Directory schema! which in turn defines the different obect classes

and attributes within Active Directory.

Configuration NC Also replicated to every other DC in the forest! this >C contains forest-wide

configuration information pertaining to the physical layout of Active Directory! as well as

information about display specifiers and forest-wide Active Directory uotas.

Domain NC This >C is replicated to every other DC within a single Active Directory domain.

This is the >C that contains the most commonly-accessed Active Directory data0 the actual users!

groups! computers! and other obects that reside within a particular Active Directory domain.

• What are a##lication #artitions? When do I use the%

Application directory partitions0 These are specific to =indows %erver :772 domains.

An application directory partition is a directory partition that is replicated only to specific

domain controllers. A domain controller that participates in the replication of a particular

application directory partition hosts a replica of that partition. nly Domain controllers running

=indows %erver :772 can host a replica of an application directory partition.

• ,ow do you create a new a##lication #artition

http0**wi,i.answers.com*?*owYdoYyouYcreateYaYnewYapplicationYpartition

• ,ow do you view re#lication #ro#erties or AD #artitions and D!s?

"y using replication monitor

go to start ' run ' type replmon

• What is the -lo(al !atalo.?

The global catalog contains a complete replica of all obects in Active Directory for its ost

domain! and contains a partial replica of all obects in Active Directory for every other domain in

the forest.

The global catalog is a distributed data repository that contains a searchable! partial

representation of every obect in every domain in a multidomain Active Directory forest. The

global catalog is stored on domain controllers that have been designated as global catalog serversand is distributed through multimaster replication. %earches that are directed to the global catalog

are faster because they do not involve referrals to different domain controllers.

+n addition to configuration and schema directory partition replicas! every domain controller in a

=indows :777 %erver or =indows %erver :772 forest stores a full! writable replica of a single

domain directory partition. Therefore! a domain controller can locate only the obects in its


53/77

domain. ocating an obect in a different domain would reuire the user or application to provide

the domain of the reuested obect.

The global catalog provides the ability to locate obects from any domain without having to

,now the domain name. A global catalog server is a domain controller that! in addition to its full!

writable domain directory partition replica! also stores a partial! read-only replica of all other

domain directory partitions in the forest. The additional domain directory partitions are partial

because only a limited set of attributes is included for each obect. "y including only the

attributes that are most used for searching! every obect in every domain in even the largest forest

can be represented in the database of a single global catalog server.

• ,ow do you view all the -!s in the orest?

C0U'repadmin*showreps

domainYcontroller

#

ou can use #eplmon.e8e for the same purpose.

#

AD %ites and %ervices and nsloo,up gc.Ymsdcs.I%;#D>%D$A+>I

• Why not %a/e all D!s in a lar.e orest as -!s?

The reason that all DCs are not /Cs to start is that in large (or even /iant) forests the DCs would

all have to hold a reference to every obect in the entire forest which could be uite large and

uite a replication burden.

9or a few hundred! or a few thousand users even! this not li,ely to matter unless you have really

poor =A> lines.

• Tryin. to loo/ at the Sche%a how can I do that?

adsiedit.e8e

option to view the schema

register schmmgmt.dll using this command

c0UwindowsUsystem2:'regsvr2: schmmgmt.dll

pen mmc &' add snapin &' add Active directory schema

name it as schema.msc


54/77

pen administrative tool &' schema.msc

• What are the Su##ort Tools? Why do I need the%?

%upport Tools are the tools that are used for performing the complicated tas,s easily. These can

also be the third party tools. %ome of the %upport tools include DebugHiewer!DependencyHiewer! #egistry$onitor! etc. -edit by Casuehead + beleive this uestion is

reffering to the =indows %erver :772 %upport Tools! which are included with $icrosoft

=indows %erver :772 %ervice ac, :. They are also available for download here0

http0**www.microsoft.com*downloads*details.asp8JfamilyidXSNA2etdiag.e8e

>etdom.e8e

>tfrsutl.e8e

ortry.e8e

#epadmin.e8e

#eplmon.e8e

%etspn.e8e

J What is #,1$!ON? What is AD"0,D0*? What is N,*DO!? What is #,1AD!0N?

AD"0,dit is a $icrosoft $anagement Console ($$C) snap-in that acts as a low-level editor for

Active Directory. +t is a /raphical ser +nterface (/+) tool. >etwor, administrators can use it

for common administrative tas,s such as adding! deleting! and moving obects with a directory

service. The attributes for each obect can be edited or deleted by using this tool. AD%+;dit uses

the AD%+ application programming interfaces (A+s) to access Active Directory. The following

are the reuired files for using this tool0


55/77

AD"0,D0*%D$$

AD"0,D0*%!"C

#egarding system reuirements! a connection to an Active Directory environment and $icrosoft

$anagement Console ($$C) is necessary

A@ #eplmon is the first tool you should use when troubleshooting Active Directory replication

issues. As it is a graphical tool! replication issues are easy to see and somewhat easier to

diagnose than using its command line counterparts. The purpose of this document is to guide you

in how to use it! list some common replication errors and show some e8amples of when

replication issues can stop other networ, installation actions.

for more go to http0**www.techtutorials.net*articles*replmonYhowtoYa.html

N,*DO! is a command-line tool that allows management of =indows domains and trust

relationships. +t is used for batch management of trusts! oining computers to domains! verifying

trusts! and secure channels

A0

;nables administrators to manage Active Directory domains and trust relationships from the

command prompt.

Netdom is a command-line tool that is built into =indows %erver :774. +t is available if you

have the Active Directory Domain %ervices (AD D%) server role installed. To use netdom! you

must run the netdom command from an elevated command prompt. To open an elevated

command prompt! clic, "tart! right-clic, Command 1rompt! and then clic, #un as

administrator.

#;AD$+>.;L; is a command line tool used to monitor and troubleshoot replication on a

computer running =indows. This is a command line tool that allows you to view the replication

topology as seen from the perspective of each domain controller.

#;AD$+> is a built-in =indows diagnostic command-line utility that wor,s at the Active

Directory level. Although specific to =indows! it is also useful for diagnosing some ;8change

replication problems! since ;8change %erver is Active Directory based.

#;AD$+> doesn1t actually fi8 replication problems for you. "ut! you can use it to help

determine the source of a malfunction.

• What are sites? What are they used or?


56/77

Active directory sites! which consist of well-connected networ,s defined by + subnets that help

define the physical structure of your AD! give you much better control over replication traffic

and authentication traffic than the control you get with =indows >T 6.7 domains.

sing Active Directory! the networ, and its obects are organiBed by constructs such as domains!

trees! forests! trust relationships! organiBational units (s)! and sites.

• What1s the dierence (etween a site lin/1s schedule and interval?

%chedule enables you to list wee,days or hours when the site lin, is available for replication to

happen in the give interval. +nterval is the re occurrence of the inter site replication in given

minutes. +t ranges from 5< & 57!747 mins. The default interval is 547 mins.

• What is the !!?

The KCC is a built-in process that runs on all domain controllers and generates replication

topology for the Active Directory forest. The KCC creates separate replication topologiesdepending on whether replication is occurring within a site (intrasite) or between sites (intersite).

The KCC also dynamically adusts the topology to accommodate new domain controllers!

domain controllers moved to and from sites! changing costs and schedules! and domain

controllers that are temporarily unavailable.

• What is the IST-? Who has that role (y deault?

+ntersite Topology /enerator (+%T/)! which is responsible for the connections among the sites.

"y default =indows :772 9orest level functionality has this role. "y Default the first %erver has

this role. +f that server can no longer preform this role then the ne8t server with the highest/+D then ta,es over the role of +%T/.

•

What are the re4uire%ents or installin. AD on a new server?

] An >T9% partition with enough free space (:


57/77

] An operational D>% server (which can be installed on the DC itself)

] A Domain name that you want to use

] The =indows :777 or =indows %erver :772 CD media (or at least the i24N folder)

9rom the etri +T Knowledge base. 9or more info! follow this lin,0

http0**www.petri.co.il*activeYdirectoryYinstallationYreuirements.htm

• What can you do to #ro%ote a server to D! i you1re in a re%otelocation with slow WA$ lin/?

9irst available in =indows :772! you will create a copy of the system state from an e8isting DC

and copy it to the new remote server. #un FDcpromo *advG. ou will be prompted for the

location of the system state files

• ,ow can you orci(ly re%ove AD ro% a server and what do you dolater? 5 !an I .et user #asswords ro% the AD data(ase?

Demote the server using dcpromo *forceremoval! then remove the metadata from Active

directory using ndtsutil. There is no way to get user passwords from AD that + am aware of! but

you should still be able to change them.

Another way out too

#estart the DC is D%#$ mode

a. ocate the following registry sub,ey0

K;YCAY$AC+>;U%%T;$UCurrentControl%etUControlUroductptions

b. +n the right-pane! double-clic, 1roduct*ype.

c. Type "erverN* in the /alue data bo8! and then clic, OK .

#estart the server in normal mode

its a member server now but AD entries are still there. romote teh server to a fa,e domain say

A"C.com and then remove gracefully using DCpromo. ;lse after restart you can also use

ntdsutil to do metadata as told in teh earlier post


58/77

• What tool would I use to try to .ra( security related #ac/ets ro%the wire?

you must use sniffer7detecting tools to help stop the snoops. L A good pac,et sniffer would be

FetherealG

www.ethereal.com

• $a%e so%e +6 desi.n considerations ?

design reuires balancing reuirements for delegating administrative rights & independent of

/roup olicy needs & and the need to scope the application of /roup olicy. The following

design recommendations address delegation and scope issues0

Applying )roup 1olicy An is the lowest-level Active Directory container to which you can

assign /roup olicy settings.

Delegating administrative authority

usually don1t go more than 2 levels

• What is to%(stone lieti%e attri(ute?

The number of days before a deleted obect is removed from the directory services. This assists

in removing obects from replicated servers and preventing restores from reintroducing a deleted

obect. This value is in the Directory %ervice obect in the configuration >+C by default :777 (N7

days) :772 (547 days)

•

What do you do to install a new Windows 2003 D! in a Windows2000 AD?

+f you plan to install windows :772 server domain controllers into an e8isting windows :777

domain or upgrade a windows :777 domain controllers to windows server :772! you first need to

run the Adprep.e8e utility on the windows :777 domain controllers currently holding the schema

master and infrastructure master roles. The adprep * forestprer command must first be issued on

the windows :777 server holding schema master role in the forest root doman to prepare the

e8isting schema to support windows :772 active directory. The adprep *domainprep commandmust be issued on the sever holding the infrastructure master role in the domain where :777

server will be deployed.

• What do you do to install a new Windows 2003 72 D! in a Windows2003 AD?


59/77

A% +f you1re installing =indows :772 #: on an e8isting =indows :772 server with %5

installed! you reu

Windows-Interview-Questions.docx

Documents

Transcript of Windows-Interview-Questions.docx