Windows Interview Stuff


8/16/2019 Windows Interview Stuff

1/15

Windows Interview Q & A: L1 & L2 Interview Questions

Active Directory

Active Directory is a centralized and standardized system that stores information about objects in a network and makes this information available to users and network administrators.

Domain Controller

In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources.

Global catalog server

A global catalog server is a domain controller that stores information about all objects in the forest. Like all domain controllers, a global catalog server stores full, writable replicas of the schema and configuration directory partitions and a full, writable replica of the domain directory partition for the domain that it is hosting. In addition, a global catalog server stores a partial, read-only replica of every other domain in the forest. Partial replicas are stored on Global Catalog servers so that searches of the entire directory can be achieved without requiring referrals from one domain controller to another. The partial information held for other domains is nothing but a subset of classes and attributes (first name, last name, phone numbers and addresses); attribute-level security for it was improved in Windows Server 2003.

OU:

Organizational Units (OUs) are administrative-level containers on a computer; they allow administrators to organize groups of users together so that any changes, security privileges or any other administrative tasks can be accomplished more efficiently.

Domain:

A Windows Domain is a logical grouping of computers that share common security and user account information.

Forest

A Windows forest is a group of one or more trusted Windows trees. The trees do not need to have contiguous DNS names. A forest shares a schema and global catalog servers. A single tree can also be called a forest.

Tree:


A Windows tree is a group of one or more trusted Windows domains with contiguous DNS domains. "Trusted" means that an authenticated account from one domain isn't rejected by another domain. "Contiguous DNS domains" means that they all have the same root DNS name.

Site:

Sites are manually defined groupings of subnets. Objects in a site share the same global catalog servers, and can have a common set of group policies applied to them.

Schema:

The schema defines what attributes, objects, classes, and rules are available in the Active Directory.

SID (Security Identifier):

The SID is a unique name (alphanumeric character string) that is used to identify an object, such as a user or a group of users.

Group Policy

Group policy Architecture:


Group Policy objects (GPO):

A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object consisting of a Group Policy container (GPC) and a Group Policy template (GPT). Password history is stored under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.

Group Policy Container (GPC)

The Group Policy container (GPC) is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings.

Group Policy Template (GPT)

The Group Policy template (GPT) is a file system folder that includes policy data specified by .adm files, security settings, script files, and information about applications that are available for installation. The GPT is located in the system volume folder (SysVol) in the domain \Policies sub-folder.

Filtering the Scope of a GPO

By default, a GPO affects all users and computers that are contained in the linked site, domain, or organizational unit. The administrator can further specify the computers and users that are affected by a GPO by using membership in security groups. Starting with Windows 2000, the administrator can add both computers and users to security groups. Then the administrator can specify which security groups are affected by the GPO by using the Access Control List editor.

Knowledge Consistency Checker (KCC)

The Knowledge Consistency Checker (KCC) is a Windows component that automatically generates and maintains the intra-site and inter-site replication topology.

Intrasite Replication: Replication that happens between domain controllers inside one site. All of the subnets inside the site should be connected by high speed network links.

Intersite Replication: Intersite replication is replication between sites and must be set up by an administrator. Simple Mail Transfer Protocol (SMTP) may be used for replication between sites.

Active Directory Replication

Replication must often occur both within sites (intrasite) and between sites (intersite) to keep domain and forest data consistent among domain controllers that store the same directory partitions.

Adprep.exe

Adprep.exe is a command-line tool used to prepare a Microsoft Windows 2000 forest or a Windows 2000 domain for the installation of Windows Server 2003 domain controllers.


script files, and information regarding applications that are available for software installation. It is replicated using the File Replication Service (FRS).

File Replication Service (FRS)

In Windows 2000, the SYSVOL share is used to authenticate users. The SYSVOL share includes group policy information which is replicated to all local domain controllers. File Replication Service (FRS) is used to replicate the SYSVOL share. The "Active Directory Users and Computers" tool is used to change the file replication service schedule.

Winlogon

A component of the Windows operating system that provides interactive logon support, Winlogon is the service in which the Group Policy engine runs.

Lightweight Directory Access Protocol (LDAP)

It defines how clients and servers exchange information about a directory. LDAP version 2 and version 3 are used by Windows 2000 Server's Active Directory. An LDAP URL names the server holding Active Directory services and the Attributed Name of the object. For example:

LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN=Division,DC=myco,DC=domain-controller

USN
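The LDAP URL above, parsed in an added Python example (not part of the original page): it splits the server part from the distinguished name and breaks the DN into its RDNs while honouring backslash escapes, then joins the DC components back into the DNS domain they encode. The first input is the page's own URL; the second, with an escaped comma in the CN, is a constructed sample.

```python
# Added example, not part of the original page: parse an LDAP URL into its
# server and distinguished-name parts.  PAGE_URL is the page's own example;
# ESCAPED_URL is a constructed input with an escaped comma in the CN.

def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.

    'CN=Smith\\, James,OU=Users,DC=corp,DC=example' ->
    [('CN', 'Smith, James'), ('OU', 'Users'), ('DC', 'corp'), ('DC', 'example')]
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # an unescaped comma ends the current RDN
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    if current or rdns:
        rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip(), value))
    return pairs

def parse_ldap_url(url):
    """Return scheme, host and DN of an LDAP URL of the form LDAP://host/DN."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    host, _, dn = rest.partition("/")
    return {"scheme": scheme.lower(), "host": host, "dn": dn, "rdns": split_dn(dn)}

def domain_from_rdns(rdns):
    """Join the DC components back into the DNS domain name they encode."""
    return ".".join(value for attr, value in rdns if attr.upper() == "DC")

PAGE_URL = ("LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,"
            "CN=Division,DC=myco,DC=domain-controller")
# Constructed sample: the comma inside the CN value is escaped with a backslash.
ESCAPED_URL = "ldap://dc1.corp.example/CN=Smith\\, James,OU=Users,DC=corp,DC=example"

if __name__ == "__main__":
    for url in (PAGE_URL, ESCAPED_URL):
        parsed = parse_ldap_url(url)
        print(parsed["host"], domain_from_rdns(parsed["rdns"]), parsed["rdns"])
```

The escape handling matters because a comma in a CN value (such as "Smith, James") would otherwise be split into two RDNs and the lookup would target the wrong object.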


What is an ACL or access-control list?

A list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.)

What is an ACE or access-control entry?

An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.
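An added Python model (not from the original page) of how the ACEs in an object's DACL are evaluated against a token: ACEs are walked in canonical order (explicit deny, explicit allow, inherited deny, inherited allow), a matching deny on any requested right fails the check, matching allows accumulate rights, and the check passes once every requested right is granted. The right bits, the domain SID and the group RIDs are constructed for illustration; only the Everyone SID and the Domain Admins RID are real well-known values.

```python
# Added example, not from the original page: a simplified Windows DACL check.
from dataclasses import dataclass

READ = 0x1        # constructed right bits, not the real Windows access-mask values
WRITE = 0x2
EXECUTE = 0x4
FULL = READ | WRITE | EXECUTE

ALLOW = "ACCESS_ALLOWED"
DENY = "ACCESS_DENIED"

EVERYONE = "S-1-1-0"   # well-known SID for Everyone

@dataclass
class Ace:
    kind: str             # ALLOW or DENY
    trustee: str          # SID the ACE applies to (user or group)
    mask: int             # rights this ACE allows or denies
    inherited: bool = False

@dataclass
class Token:
    user_sid: str
    group_sids: frozenset = frozenset()

    def holds(self, sid):
        # Everyone matches any token; otherwise the SID must be the user or one of its groups.
        return sid == EVERYONE or sid == self.user_sid or sid in self.group_sids

def canonical_order(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    rank = {(False, DENY): 0, (False, ALLOW): 1, (True, DENY): 2, (True, ALLOW): 3}
    return sorted(dacl, key=lambda ace: rank[(ace.inherited, ace.kind)])

def access_check(dacl, token, desired):
    """Return True if the token is granted every bit in `desired`."""
    if dacl is None:              # a NULL DACL (unlike an empty one) grants everyone everything
        return True
    granted = 0
    for ace in canonical_order(dacl):
        if not token.holds(ace.trustee):
            continue
        if ace.kind == DENY and ace.mask & desired & ~granted:
            return False          # a still-ungranted requested right is explicitly denied
        if ace.kind == ALLOW:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired     # empty DACL or partial grant: fails unless nothing was requested

# Constructed sample: Everyone may read and execute, Domain Admins (RID 512)
# have full control, and the Contractors group (constructed RID 1105) is denied write.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_ADMINS = DOMAIN + "-512"
CONTRACTORS = DOMAIN + "-1105"
SAMPLE_DACL = [
    Ace(ALLOW, EVERYONE, READ | EXECUTE),
    Ace(DENY, CONTRACTORS, WRITE),      # listed after an allow on purpose; canonical order fixes it
    Ace(ALLOW, DOMAIN_ADMINS, FULL),
]

def demo():
    admin = Token(DOMAIN + "-500", frozenset({DOMAIN_ADMINS}))
    contractor = Token(DOMAIN + "-2001", frozenset({CONTRACTORS}))
    return {
        "admin_write": access_check(SAMPLE_DACL, admin, WRITE),
        "contractor_read": access_check(SAMPLE_DACL, contractor, READ),
        "contractor_write": access_check(SAMPLE_DACL, contractor, WRITE),
        "empty_dacl_read": access_check([], contractor, READ),
        "null_dacl_write": access_check(None, contractor, WRITE),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The empty-versus-NULL DACL distinction is the detail worth remembering: an empty list grants nobody anything, while a missing DACL grants everyone full access.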

Flexible Single Master Operations (FSMO)

MultiMaster Operation:

In Windows 2000 & 2003, every domain controller can receive changes, and the changes are replicated to all other domain controllers. The day-to-day operations that are associated with managing users, groups, and computers are typically multimaster operations.

There is a set of Flexible Single Master Operations (FSMO) which can only be done on a single controller. An administrator determines which operations must be done on the master controller. These operations are all set up on the master controller by default and can be transferred later. FSMO operation types include:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. There can be only one schema master in the whole forest.

Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest and is responsible for ensuring that domain names are unique in the forest. There can be only one domain naming master in the whole forest.

Infrastructure Master

Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (unless all DCs are also GCs).

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.


This role takes care of those references when any group membership object is renamed.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master: It assigns the RID and SID to newly created objects like users and computers. If the RID master is down you can still create security objects as long as RID pools are available on the DCs; otherwise you can't create any object once it is down.

When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

PDC Emulator - When Active Directory is in mixed mode, the computer Active Directory is on acts as a Windows NT PDC. The first server that becomes a Windows 2000 domain controller takes the role of PDC emulator by default.

Functions performed by the PDC emulator:

User account changes and password changes.
SAM directory replication requests.
Domain master browser requests.
Authentication requests.
Group Policy.
Time synchronization.
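The SID structure and the RID-pool behaviour described above, as an added Python example (not from the original page): it splits a domain SID into the domain part and the RID, labels the standard well-known RIDs, and simulates a DC creating principals from its RID pool, which fails once the pool is empty and the RID master is unreachable. The domain SID values and pool sizes are constructed; the well-known RID numbers are real Windows values.

```python
# Added example, not from the original page: SID parsing plus a RID-pool simulation.

WELL_KNOWN_RIDS = {          # standard Windows RIDs
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}

def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]) for a textual SID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID: {sid}")
    return int(parts[2]), [int(p) for p in parts[3:]]

def split_domain_rid(sid):
    """Split S-1-5-21-<a>-<b>-<c>-<rid> into ("S-1-5-21-<a>-<b>-<c>", rid)."""
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain security principal SID: {sid}")
    domain_sid = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    return domain_sid, subs[4]

def describe(sid):
    domain_sid, rid = split_domain_rid(sid)
    label = WELL_KNOWN_RIDS.get(rid, "custom principal" if rid >= 1000 else "reserved")
    return {"domain": domain_sid, "rid": rid, "label": label}

def same_domain(sid_a, sid_b):
    """Two principals belong to the same domain when their domain SIDs match."""
    return split_domain_rid(sid_a)[0] == split_domain_rid(sid_b)[0]

class RidPool:
    """The block of RIDs a DC received from the RID master (constructed sizes)."""
    def __init__(self, domain_sid, first, last):
        self.domain_sid = domain_sid
        self.next_rid = first
        self.last = last

    def remaining(self):
        return self.last - self.next_rid + 1

    def allocate(self):
        if self.remaining() <= 0:
            raise RuntimeError("RID pool exhausted")
        rid = self.next_rid
        self.next_rid += 1
        return f"{self.domain_sid}-{rid}"

def create_principal(pool, rid_master_online, pool_size=500):
    """Create one principal SID; a new block comes from the RID master only if it is reachable."""
    if pool.remaining() <= 0:
        if not rid_master_online:
            raise RuntimeError("cannot create object: RID pool exhausted and RID master is down")
        pool.next_rid = pool.last + 1
        pool.last = pool.last + pool_size
    return pool.allocate()

def demo_rid_master_down():
    """Constructed scenario: the DC has 3 RIDs left and the RID master is down."""
    pool = RidPool("S-1-5-21-1111111111-2222222222-3333333333", 1600, 1602)
    created = [create_principal(pool, rid_master_online=False) for _ in range(3)]
    try:
        create_principal(pool, rid_master_online=False)
        fourth_failed = False
    except RuntimeError:
        fourth_failed = True
    return created, fourth_failed

if __name__ == "__main__":
    print(describe("S-1-5-21-1111111111-2222222222-3333333333-500"))
    print(demo_rid_master_down())
```

Splitting off the RID is also how a reviewer spots accounts of interest in logs: RID 500 is the built-in Administrator regardless of its display name, and a SID that does not share the domain part belongs to another domain.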

New Active Directory features in Windows Server 2003

• Multiple selection of user objects.

• Drag-and-drop functionality

• Efficient search capabilities: Search functionality is object-oriented and provides an efficient search that minimizes


• Saved Queries: Save commonly used search parameters for reuse in Active Directory Users and Computers

• Active Directory command-line tools

• InetOrgPerson class: The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password.

• Ability to add additional domain controllers using backup media: Reduce the time it takes to add an additional domain controller in an existing domain by using backup media.

• Universal group membership caching: Prevent the need to locate a global catalog across a WAN when logging on by storing universal group membership information on an authenticating domain controller.

• Secure LDAP traffic: Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.

• Active Directory Quotas: Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Domain Administrators and


A directory partition, or naming context, is a contiguous Active Directory subtree replicated on one, or more, Windows 2000 domain controllers in a forest. By default, each domain controller has a replica of three partitions: the schema partition, the configuration partition and a domain partition.

Schema partition

It contains all class and attribute definitions for the forest. There is one schema directory partition per forest.

Configuration partition

It contains replication configuration information (and other information) for the forest. There is one configuration directory partition per forest.

Domain partition

It contains all objects that are stored by one domain. There is one domain directory partition for each domain in the forest.

Application Directory Partition

Application directory partitions are most often used to store dynamic data. An application partition cannot contain security principals (users, groups, and computers). The KCC generates and maintains the replication topology for an application directory partition.

Application: The application partition is a new feature introduced in Windows Server 2003. This partition contains application-specific objects. The objects or data that applications and services store here can comprise any object type excluding security principals. Security principals are Users, Groups, and Computers. The application partition typically contains DNS zone objects, and dynamic data from other network services such as Remote Access Service (RAS), and Dynamic Host Configuration Protocol (DHCP).

Dynamic Data: A dynamic entry is an object in the directory which has an associated time-to-live (TTL) value. The TTL for an entry is set when the entry is created.

Security Principals - Objects that can have permissions assigned to them and each contain security identifiers. The following objects are security principals:

o User
o Computer
o Group

RPC:

Active Directory uses RPC over IP to transfer both intersite and intrasite replication between domain controllers. To keep data secure while in transit, RPC over IP replication uses both the Kerberos authentication protocol and data encryption.

SMTP:


If you have a site that has no physical connection to the rest of your network, but that can be reached using the Simple Mail Transfer Protocol (SMTP), that site has mail-based connectivity only. SMTP replication is used only for replication between sites. You also cannot use SMTP replication to replicate between domain controllers in the same domain; only inter-domain replication is supported over SMTP (that is, SMTP can be used only for inter-site, inter-domain replication). SMTP replication can be used only for schema, configuration, and global catalog partial replica replication. SMTP replication observes the automatically generated replication schedule.

Changing of ntds.dit file from one Drive to another

1. Boot the domain controller in Directory Services Restore mode and log on with the Directory Services Restore mode administrator account and password (this is the password you assigned during the Dcpromo process).

2. At a command prompt, type ntdsutil.exe. You receive the following prompt: ntdsutil:

3. Type files to receive the following prompt: file maintenance:

4. Type info. Note the path of the database and log files.

5. To move the database, type move db to %s (where %s is the target folder).

6. To move the log files, type move logs to %s (where %s is the target folder).

7. Type quit twice to return to the command prompt.

8. Reboot the computer normally.

DNS

DNS (Domain Name System)

Domain Name System (DNS) is a database system that translates a computer's fully qualified domain name into an IP address.

The local DNS resolver

The following graphic shows an overview of the complete DNS query process.

DNS Zones

Forward lookup zone - Name to IP address map.
Reverse lookup zone - IP address to name map.

Primary Zones - Hold Read and Write copies of all resource records (A, NS, SRV).


Secondary Zones - which hold read only copies of the Primary Zones.

Stub Zones

Conceptually, stub zones are like secondary zones in that they have a read only copy of a primary zone. Stub zones are more efficient and create less replication traffic. Stub Zones only have 3 records: the SOA for the primary zone, the NS record and a Host (A) record. The idea is that if a client queries a record in the Stub Zone, your DNS server can refer that query to the correct Name Server because it knows its Host (A) record.

Queries

Query types are:

Inverse - Getting the name from the IP address. These are used by servers as a security check.

Iterative - Server gives its best answer. This type of inquiry is sent from one server to another.

Recursive - Cannot refer the query to another name server.

Conditional Forwarding

Another classic use of forwarders is where companies have subsidiaries, partners or people they know and contact regularly. Instead of going the long way around using the root hints, the network administrators configure Conditional Forwarders.

Purpose of Resource Records

Without resource records DNS could not resolve queries. The mission of a DNS query is to locate a server that is Authoritative for a particular domain. The easy part is for the Authoritative server to check the name in the query against its resource records.

SOA (start of authority) record - each zone has one SOA record that identifies which DNS server is authoritative for domains and sub domains in the zone.

NS (name server) record - An NS record contains the FQDN and IP address of a DNS server authoritative for the zone.


PTR (pointer) record - the opposite of an A record, a PTR record is used to resolve the IP address of a host into its FQDN.

SRV (service) record - An SRV record is used by DNS clients to locate a server that is running a particular service; for example, to find a domain controller so you can log on to the network. SRV records are key to the operation of Active Directory.

MX (mail exchange) record - An MX record points to one or more computers that process SMTP mail for an organization or site.
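How a client uses SRV records to find a domain controller, as an added Python example (not from the original page): it parses records in the Netlogon.dns layout and picks a DC the way the DC locator does, preferring the client's site-specific records, then the lowest priority, then a weighted choice among equals. The zone corp.example, the site name Default-First-Site-Name, the DC hostnames and the record lines are constructed sample data.

```python
# Added example, not from the original page: SRV-based domain controller selection.
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Constructed sample in Netlogon.dns layout: <name> <ttl> IN SRV <prio> <weight> <port> <target>
SAMPLE_NETLOGON_DNS = """\
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 10 100 389 dc3.corp.example.
_kerberos._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
corp.example. 600 IN A 10.0.0.1
"""

def parse_srv(text):
    """Keep only well-formed SRV lines; names are lower-cased without the trailing dot."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
            continue                        # blank line, comment, or a non-SRV record
        name, _ttl, _, _, prio, weight, port, target = fields
        records.append(SrvRecord(name.rstrip(".").lower(), int(prio), int(weight),
                                 int(port), target.rstrip(".").lower()))
    return records

def srv_name(service, domain, site=None):
    """Build the _msdcs name a client queries for a DC offering `service` (_ldap, _kerberos, ...)."""
    if site:
        return f"{service}._tcp.{site}._sites.dc._msdcs.{domain}".lower()
    return f"{service}._tcp.dc._msdcs.{domain}".lower()

def candidates(records, service, domain, site=None):
    """Matching records, lowest priority first."""
    name = srv_name(service, domain, site)
    return sorted((r for r in records if r.name == name), key=lambda r: r.priority)

def pick_dc(records, service, domain, site=None, rng=random):
    """Site-specific records first, then domain-wide; lowest priority wins, weight breaks ties."""
    cands = candidates(records, service, domain, site) if site else []
    if not cands:
        cands = candidates(records, service, domain)
    if not cands:
        return None
    best = [r for r in cands if r.priority == cands[0].priority]
    total = sum(r.weight for r in best)
    if total == 0:
        return rng.choice(best)
    roll = rng.random() * total           # weighted random choice among equal-priority records
    for r in best:
        roll -= r.weight
        if roll < 0:
            return r
    return best[-1]

if __name__ == "__main__":
    recs = parse_srv(SAMPLE_NETLOGON_DNS)
    print(pick_dc(recs, "_ldap", "corp.example", site="Default-First-Site-Name"))
    print(pick_dc(recs, "_ldap", "corp.example"))
```

The site-specific fallback is the reason the _sites records matter: a client in Default-First-Site-Name always lands on dc2 here, while a client with no site match is spread across dc1 and dc2 and only reaches dc3 (priority 10) if both are gone.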

Where DNS resource records will be stored:

After running DCPROMO, a text file containing the appropriate DNS resource records for the domain controller is created. The file, called Netlogon.dns, is created in the systemroot\System32\config folder and contains all the records needed to register the resource records of the domain controller. Netlogon.dns is used by the Windows 2000 Net Logon service and to support Active Directory for non-Windows 2000 DNS servers.

Procedures for changing a Server's IP Address

Once DNS and replication are set up, it is generally a bad idea to change a server's IP address (at least according to Microsoft). Just be sure that is what you really want to do before starting the process. It is a bit akin to changing the Internal IPX number of a Novell server, but it can be done.

1. Change the Server's IP address

2. Stop the N


A. Check to see that the servers can ping each other.

B. Make sure that both servers' DNS entries for each other point to the proper IP addresses.

C. If server A says it replicated fine, but server B says it couldn't contact Server A, check the DNS setup on Server B. Chances are it has a record for Server A pointing to the wrong place.

D. Run Netdiag and see if it reports any errors or problems.

Trust Relationship

One way trust - When one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.

Two way trust - When two domains allow access to users on the other domain.

Trusting domain - The domain that allows access to users on another domain.

Trusted domain - The domain that is trusted, whose users have access to the trusting domain.

Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree.

Intransitive trust - A one way trust that does not extend beyond two domains.

Explicit trust - A trust that an administrator creates. It is not transitive and is one way only.

Cross-link trust - An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.

Forest trust - When two forests have a functional level of Windows 2003, you can use a forest trust to join the forests at the root.

Shortcut trust - When domains that authenticate users are logically distant from one another, the process of logging on to the network can take a long time. You can manually add a shortcut trust between two domains in the same forest to speed authentication. Shortcut trusts are transitive and can either be one way or two way.

Windows 2000 only supports the following types of trusts:

Two way transitive trusts
One way non-transitive trusts.
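The trust types defined above as a small directed graph, in an added Python example (not from the original page): each trust is an edge from the trusting domain to the trusted domain, a two-way trust is a pair of such edges, and a search answers "can users from domain U authenticate to resources in domain R?" by following edges from R back to U, where a multi-hop path is valid only if every hop is transitive. The forest (corp.example, sales.corp.example, eu.example) and the external partner.example domain are constructed.

```python
# Added example, not from the original page: trust direction and transitivity as a graph.
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Trust:
    trusting: str        # domain that accepts the other domain's users
    trusted: str         # domain whose users are accepted
    transitive: bool
    kind: str            # descriptive label only

def two_way(a, b, transitive, kind):
    """A two-way trust is just a pair of one-way trusts."""
    return [Trust(a, b, transitive, kind), Trust(b, a, transitive, kind)]

def trust_path(trusts, user_domain, resource_domain):
    """Chain of domains from resource_domain back to user_domain, or None if no trust path exists."""
    if user_domain == resource_domain:
        return [resource_domain]
    by_trusting = {}
    for t in trusts:
        by_trusting.setdefault(t.trusting, []).append(t)
    # Breadth-first search over trusting -> trusted edges.  A direct (first-hop)
    # trust is enough even if non-transitive; every later hop must be transitive.
    queue = deque([(resource_domain, [resource_domain])])
    seen = {resource_domain}
    while queue:
        here, path = queue.popleft()
        for t in by_trusting.get(here, []):
            if t.trusted == user_domain and (t.transitive or len(path) == 1):
                return path + [t.trusted]
            if t.transitive and t.trusted not in seen:
                seen.add(t.trusted)
                queue.append((t.trusted, path + [t.trusted]))
    return None

def can_access(trusts, user_domain, resource_domain):
    return trust_path(trusts, user_domain, resource_domain) is not None

# Constructed forest: corp.example is the forest root with child sales.corp.example,
# eu.example is a second tree in the same forest, and partner.example is an outside
# domain that corp.example trusts through a one-way, non-transitive external trust.
SAMPLE_TRUSTS = (
    two_way("corp.example", "sales.corp.example", True, "parent-child")
    + two_way("corp.example", "eu.example", True, "tree-root")
    + [Trust("corp.example", "partner.example", False, "external one-way")]
)

if __name__ == "__main__":
    for user, resource in [("sales.corp.example", "eu.example"),
                           ("partner.example", "corp.example"),
                           ("partner.example", "sales.corp.example"),
                           ("corp.example", "partner.example")]:
        print(f"{user} -> {resource}: {trust_path(SAMPLE_TRUSTS, user, resource)}")
```

The two negative cases are the ones interviewers probe: partner.example users reach corp.example but not its child sales.corp.example, because the external trust is non-transitive, and corp.example users reach nothing in partner.example, because the trust is one-way.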

What is the difference between authoritative and non-authoritative restore?

In an authoritative restore, objects that are restored will be replicated to all domain controllers in the domain. This can be used specifically when an entire OU is disturbed on all domain controllers, or to restore a single object which is disturbed on all DCs.

In a non-authoritative restore, restored directory information will be updated by other domain controllers based on the latest modification time.

What is Clustering? Briefly define & explain it

Clustering is a technology which is used to provide High Availability for mission critical applications. We can configure a cluster by installing the MCS (Microsoft Cluster Service) component from Add/Remove


Programs, which is only available in Enterprise Edition and Datacenter Edition. In Windows we can configure two types of clusters:

NLB (network load balancing) cluster for balancing load between servers. This cluster will not provide any high availability. Usually preferable at edge servers like web or proxy.

Server Cluster: This provides High Availability by configuring an active-active or active-passive cluster. In a 2 node active-passive cluster one node will be active and one node will be standby. When the active server fails the application will FAILOVER to the standby server automatically. When the original server comes back we need to FAILBACK the application.

Quorum: A shared storage needs to be provided for all servers which keeps information about the clustered application and session state and is useful in a FAILOVER situation. This is very important: if the quorum disk fails the entire cluster will fail.

Heartbeat: Heartbeat is a private connection between the servers in the cluster, which is used to identify the status of other servers in the cluster.

What is SOA Record?

SOA is a Start Of Authority record, which is the first record in DNS, which controls the startup behavior of DNS. We can configure TTL, refresh, and retry intervals in this record.

What is a Stub Zone and what is the use of it?

Stub Zones are a new feature of DNS in Windows Server 2003 that can be used to streamline name resolution, especially in a split namespace scenario. They also help reduce the amount of DNS traffic on your network, making DNS more efficient especially over slow WAN links.

What is the difference between Server 2003 vs 2008?

1. Introduces Hyper-V (V for Virtualization) but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several "virtual" servers on one physical machine.

2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server).

3. Better security.

4. Role-based installation.

5. Read Only Domain Controllers (RODC).

6. Enhanced terminal services.

7. Network Access Protection - Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.

8. PowerShell - Microsoft's command line shell and scripting language has proved popular with some server administrators.

9. IIS.


located in remote branch offices. The main difference between 2003 and 2008 is virtualization and management. 2008 has more in-built components and updated third party drivers.