SlideShare a Scribd company logo

Ctive directory interview question and answers

Download as DOCX, PDF
sankar palla, profile picture
sankar palla

Active Directory is a centralized database that stores information about a network. It allows for centralized management of users, computers, printers, and other network resources. A domain controller is a server that authenticates users and authorizes access to resources on the network. Active Directory uses protocols like LDAP and KCC to enable replication and management of directory data across multiple domain controllers. Application partitions allow specific Active Directory data to be replicated only to designated domain controllers, providing redundancy.

Self Improvement
1 of 20
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
ctive Directory Interview Question and Answers >What is Active Directory? Active Directory is a Meta Data. Active Directory is a data base which stores a data base like your user information, computer information and also other network object info. It has capabilities to manage and administer the complete Network which connect with AD. >What is domain? Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user needs only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The ‘domain’ is simply your computer address not to confuse with an URL. A domain address might look something like 211.170.469. >What is domain controller? A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination. >What is LDAP? Lightweight Directory Access Protocol LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2. >What is KCC? KCC (knowledge consistency checker) is used to generate replication topology for inter site replication and for intra-site replication. Within a site replication traffic is done via remote procedure calls over ip, while between sites it is done through either RPC or SMTP. >Where is the AD database held? What other folders are related toAD? The AD data base is store in c:windowsntdsNTDS.DIT. >What is the SYSVOL folder? The sysVOL folder stores the server’s copy of the domain’s public files. The contents such as group policy, users etc of the sysvol folder are replicated to all domain controllers in the domain. >Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003? The Active Directory replaces them. Now all domain controllers share a multi master peer-to- peer read and write relationship that hosts copies of the Active Directory.
>Cannot create a new universal user group. Why? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory. >What is LSDOU? Its group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units. >Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exists, it has the highest priority among the numerous policies. >How many number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators group. > What’s the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003. > How many passwords by default are remembered when you check“Enforce Password History Remembered”? User’s last 6 passwords. > Can GC Server and Infrastructure place in single server? No, As Infrastructure master does the same job as the GC. It does not work together. > Which is service in your windows is responsible for replication of Domain controller to another domain controller. KCC generates the replication topology. Use SMTP / RPC to replicate changes. Active Directory Page 2 > What Intrasite and Intersite Replication? Intrasite is the replication within the same site & intersite the replication between sites. > What is lost & found folder in ADS? It’s the folder where you can find the objects missed due to conflict. Ex: you created a user in OU which is deleted in other DC & when replication happed ADS didn’t find the OU then it will put that in Lost & Found Folder.
> What is Garbage collection? Garbage collection is the process of the online defragmentation of active directory. It happens every 12 Hours. > What System State data contains? Contains Startup files, Registry Com + Registration Database Memory Page file System files AD information Cluster Service information SYSVOL Folder >What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference in 2000 Group Polices and 2003 Group Polices? What is meant by ADS and ADS services in Windows 2003? Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy – you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference. ADS stands for Automated Deployment Services, and is used to quickly roll out identically- configured servers in large-scale enterprise environments. You can get more information from the ADS homepage. >I want to setup a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone ‘name.org’ can I name the AD domain ‘name.org’ too? Not only can you have a DNS zone and an Active Directory domain with the same name, it’s actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself install DNS on your server in the background. >How do I determine if user accounts have local administrative access? You can use the net local group administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong. >Why am I having trouble printing with XP domain users? In most cases, the inability to print or access resources in situations like this one will boil down
to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients’ wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie. >What is the ISTG? Who has that role by default? Windows 2000 Domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG). Active Directory Page 3 >What is difference between Server 2003 vs 2008? 1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several ‘virtual’ servers on one physical machine.) 2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server) 3. Better security. 4. Role-based installation. 5. Read Only Domain Controllers (RODC). 6. Enhanced terminal services. 7. Network Access Protection – Microsoft’s system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies. 8. Power Shell – Microsoft’s command line shell and scripting language has proved popular with some server administrators. 9. IIS 7. 10. Bit locker – System drive encryption can be a sensible security measure for servers located in remote branch offices. The main difference between 2003 and 2008 is Virtualization, management. 2008 has more in-build components and updated third party drivers. 11. Windows Aero. >What are the requirements for installing AD on a new server? 1 The Domain structure. 2 The Domain Name. 3 storage location of the database and log file. 4 Location of the shared system volume folder.
5 DNS config Method. 6 DNS configuration. >What is LDP? LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network. >What are the Groups types available in active directory ? Security groups: Use Security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups. Distribution groups: Distribution groups are used for sending e-main messages to groups of users. You cannot grant permissions to security groups. Even though security groups have all the capabilities of distribution groups, distribution groups still requires, because some applications can only read distribution groups. >Explain about the groups scope in AD? Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional level of domains and forests. Domain local group memberships are not limited as you can add members as user accounts, universal and global groups from any domain. Just to remember, nesting cannot be done in domain local group. A domain local group will not be a member of another Domain Local or any other groups in the same domain. Global Group: Users with similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in local or another domain in same forest. To say in simple words, Global groups can be use to grant permissions to gain access to resources which are located in any domain but in a single forest as their memberships are limited. User accounts and global groups can be added only from the domain in which global group is created. Nesting is possible in Global groups within other groups as you can add a global group into another global group from any domain. Finally to provide permission to domain specific resources (like printers and published folder), they can be members of a Domain Local group. Global groups exist in all mixed, native and interim functional level of domains and forests. Universal Group Scope: These groups are precisely used for email distribution and can be granted access to resources in all trusted domain as these groups can only be used as a security
principal (security group type) in a windows 2000 native or windows server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of universal group. Universal groups can be nested under a global or Domain Local group in any domain. ctive Directory Page 4 >What is REPLMON? The Microsoft definition of the Replmon tool is as follows; This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication. >What is ADSIEDIT ? ADSIEDIT :ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects with a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT. >What is NETDOM ? NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels. >What is REPADMIN? This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors. >How to take backup of AD ? For taking backup of active directory you have to do this : first go START -> PROGRAM - >ACCESORIES -> SYSTEM TOOLS -> BACKUP OR Open run window and ntbackup and take systemstate backup when the backup screen is flash then take the backup of SYSTEM STATE it will take the backup of all the necessary information about the syatem including AD backup , DNS ETC.
>What are the DS* commands ? The following DS commands: the DS family built in utility . DSmod – modify Active Directory attributes. DSrm – to delete Active Directory objects. DSmove – to relocate objects DSadd – create new accounts DSquery – to find objects that match your query attributes. DSget – list the properties of an object >What are the requirements for installing AD on a new server? An NTFS partition with enough free space. An Administrator’s username and password. The correct operating systemversion. A NIC Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway). A network connection (to a hub or to another computer via a crossover cable) . An operational DNS server (which can be installed on the DC itself) . A Domain name that you want to use . The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder) . Active Directory Page 5 >Explain about Trust in AD ? To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains. Trusts in Windows 2000 (native mode) One-way trust – One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain. Two-way trust – Two domains allow access to users on both domains. Trusting domain – The domain that allows access to users from a trusted domain. Trusted domain – The domain that is trusted; whose users have access to the trusting domain. Transitive trust – A trust that can extend beyond two domains to other trusted domains in the forest. Intransitive trust – A one way trust that does not extend beyond two domains. Explicit trust – A trust that an admin creates. It is not transitive and is one way only. Cross-link trust – An explicit trust between domains in different trees or in the same tree when
a descendant/ancestor (child/parent) relationship does not exist between the two domains. Windows 2000 Server – supports the following types of trusts: Two-way transitive trusts. One-way intransitive trusts. Additional trusts can be created by administrators. These trusts can be: >What is tombstone lifetime attribute ? The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NIC. >What are application partitions? When do I use them ? AN application diretcory partition is a directory partition that is replicated only to specific domain controller.Only domain controller running windows Server 2003 can host a replica of application directory partition. Using an application directory partition provides redundany,availability or fault tolerance by replicating data to specific domain controller pr any set of domain controllers anywhere in the forest. >How do you create a new application partition ? Use the DnsCmd command to create an application directory partition. To do this, use the following syntax: DnsCmd ServerName /CreateDirectoryPartition FQDN of partition >How do you view all the GCs in the forest? C:>repadmin /showreps domain_controller where domain_controller is the DC you want to query to determine whether it?s a GC. The output will include the text DSA Options: IS_GC if the DC is a GC. >Can you connect Active Directory to other3rd-party Directory Services? Name a few options. Yes, you can use dirXML or LDAP to connect to other directories. In Novel you can use E-directory. Active Directory Page 6 >What is IPSec Policy IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec Policy can be deployed via Group policy to the Windows Domain controllers 7 Servers.
>What are the different types of Terminal Services ? User Mode & Application Mode. >What is the System Startup process ? Windows 2K boot process on a Intel architecture. 1. Power-On Self Tests (POST) are run. 2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run. 3. The active partition is located, and the boot sector is loaded. 4. The Windows 2000 loader (NTLDR) is then loaded. The boot sequence executes the following steps: 1. The Windows 2000 loader switches the processor to the 32-bit flat memory model. 2. The Windows 2000 loader starts a mini-file system. 3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu). 4. The Windows 2000 loader loads the operating systemselected by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control. 5. NTDETECT.COMscans the hardware installed in the computer, and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE_HARDWARE hive. 6. NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware information collected by NTDETECT.COM. Windows NT enters the Windows load phases. >How do you change the DS Restore admin password ? In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Restore mode, then use either the Microsoft Management Console (MMC) Local User and Groups snap-in or the command net user administrator * to change the Administrator password. Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Service Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility?s scripting options.)
In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password. To do so, follow these steps: 1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe). 2. Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument ?set dsrm password? at the ntdsutil prompt: ntdsutil: set dsrm password. 3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server testing, enter the following argument at the Reset DSRM Administrator Password prompt: Reset DSRM Administrator Password: reset password on server testing To reset the password on the local machine, specify null as the server name: Reset DSRM Administrator Password: reset password on server null 4. You?ll be prompted twice to enter the new password. You?ll see the following messages: 5. Please type password for DS Restore Mode Administrator Account: 6. Please confirm new password: Password has been set successfully. 7. Exit the password-reset utility by typing ?quit? at the following prompts: 8. Reset DSRM Administrator Password: quit ntdsutil: quit Active Directory Page 7 >How do I use Registry keys to remove a user from a group? In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from www.joeware.net . ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory. >Why are my NT4 clients failing to connect to the Windows 2000 domain? Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server. >How do you view replication properties for AD partitions and DCs? By using replication monitor go to start > run > type repadmin go to start > run > type replmon
>Why can’t you restore a DC that was backed up 4 months ago? Because of the tombstone life which is set to only 60 days. >Different modes of AD restore ? A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller. An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. In this one needs to stop the inbound replication first before performing the An authoritative restore. >How do you configure a stand-by operation master for any of the roles? # Open Active Directory Sites and Services. # Expand the site name in which the standby operations master is located to display the Servers folder. # Expand the Servers folder to see a list of the servers in that site. # Expand the name of the server that you want to be the standby operations master to display its NTDS Settings. # Right-click NTDS Settings, click New, and then click Connection. # In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK. # In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK. Home » Microsoft Windows » Interview Question and Answers » Active Directory Interview Question and Answers » Active Directory Page 8 Active Directory Page 8 >What’s the difference between transferring a FSMO role and seizing ? Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available. If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role Seize and then bring the previous holder back online, you’ll have a problem.
An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder >I want to look at the RID allocation table for a DC. What do I do? dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC) >What is BridgeHead Server in AD ? A bridgehead server is a domain controller in each site, which is used as a contact point to receive and replicate data between sites. For intersite replication, KCC designates one of the domain controllers as a bridgehead server. In case the server is down, KCC designates another one from the domain controller. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site. >What is the default size of ntds.dit ? 10 MB in Server 2000 and 12 MB in Server 2003 . >Where is the AD database held and What are other folders related to AD ? AD Database is saved in %systemroot%/ntds. You can see other files also in this folder. These are the main files controlling the AD structure. ntds.dit edb.log res1.log res2.log edb.chk When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the systemwrites the data to the AD database from the log file. Any time the systemis shut down, all transactions are saved to the database. During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a “shutdown” statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn’t exist on reboot or the shutdown statement isn’t present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located inNTDS, along with the other files we’ve discussed
>What FSMO placement considerations do you know of ? Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles Active Directory Page 9 >What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD? If you’re installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you’re installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you’ll find in the Componentsr2adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later). Here’s a sample execution of the Adprep /forestprep command: D:CMPNENTSR2ADPREP>adprep /forestprep ADPREP WARNING: Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later). QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption. [User Action] If ALL your existing Windows 2000 domain controllers meet this requirement,
type C and then press ENTER to continue. Otherwise, type any other key and press ENT ER to quit. C Opened Connection to SAV DALDC01 SSPI Bind succeeded Current Schema Version is 30 Upgrading schema to version 31 Connecting to “SAVDALDC01″ Logging in as current user using SSPI Importing directory from file “C:WINDOWSsystem32sch31.ldf” Loading entries… 139 entries modified successfully. The command has completed successfully Adprep successfully updated the forest-wide information. After running Adprep, install R2 by performing these steps: 1. Click the “Continue Windows Server 2003 R2 Setup” link, as the figureshows. 2. At the “Welcome to the Windows Server 2003 R2 Setup Wizard” screen, click Next. 3. You’ll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn’t installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can’t use a retail or Microsoft Developer Network (MSDN) R2 key. 4. You’ll see the setup summary screen which confirms the actions to be performed (e.g., Copy files). Click Next. 5. After the installation is complete, you’ll see a confirmation dialog box. Click Finish >What is OU ? Organization Unit is a container object in which you can keep objects such as user accounts, groups, computer, printer . applications and other (OU). In organization unit you can assign specificpermission to the user’s. organization unit can also be used to create departmental limitation. >Name some OU design considerations ? OU design requires balancing requirements for delegating administrative rights – independent of Group Policy needs – and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues: Applying Group Policy An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. Delegating administrative authority usually don’t go more than 3 OU levels >What is sites ? What are they used for ? One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets. Sites can be used to Assign Group Policy Objects, facilitate the discovery of resources, manage active directory replication, and manage network link traffic. Sites can be linked to other Sites. Site-linked objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule. >Trying to look at the Schema, how can I do that ? register schmmgmt.dll using this command c:windowssystem32>regsvr32 schmmgmt.dll Open mmc –> add snapin –> add Active directory schema name it as schema.msc Open administrative tool –> schema.msc Active Directory Page 10 >What is the port no of Kerbrose ? 88 >What is the port no of Global catalog ? 3268 >What is the port no of LDAP ? 389 >Explain Active Directory Schema ? Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called “Schema”. The Schema is defines as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on. These objects are also known as “Classes”. The Active Directory Schema can be dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically. >How can you forcibly remove AD from a server, and what do you do later? ? Can I get user passwords from the AD database? Dcpromo /forceremoval , an administrator can forcibly remove Active Directory and roll back
the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server then After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command. In the event that the NTDS Settings object is not removed correctly you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tool: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers >What are the FSMO roles? Who has them by default? What happens when each one fails? Flexible Single Master Operation (FSMO) role. Currently there are five FSMO roles: Schema master Domain naming master RID master PDC emulator Infrastructure master >What is domain tree ? Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees. Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree. >What is forests ? A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses. >How to Select the Appropriate Restore Method ? You select the appropriate restore method by considering: Circumstances and characteristics of the failure. The two major categories of failure, From an Active Directory perspective, are Active Directory data corruption and hardware failure. Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers. Active Directory Page 11 >Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to- peer read and write relationship that hosts copies of the Active Directory. >What is Global Catalog? The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network. >How long does it take for security changes to be replicated among the domain controllers? Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA). >When should you create a forest? Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions. >Describe the process of working with an external domain name ? If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for their external namespace uses the name corp.internal for their internal namespace. The advantage to this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users because the namespaces do not reflect a relationship between resources within and outside of your network. In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible. >How do you view all the GCs in the forest? C:>repadmin /showreps domain_controller OR You can use Replmon.exe for the same purpose.
OR AD Sites and Services and nslookup gc._msdcs. To find the in GC from the command line you can try using DSQUERY command. dsquery server -isgc to find all the GC’s in the forest you can try dsquery server -forest -isgc. > What are the physical components of Active Directory? Domain controllers and Sites. Domain controllers are physical computers which are running Windows Server operating system and Active Directory data base. Sites are a network segment based on geographical location and which contains multiple domain controllers in each site. > What are the logical components of Active Directory? Domains, Organizational Units, trees and forests are logical components of Active Directory. > What are the Active Directory Partitions? Active Directory database is divided into different partitions such as Schema partition, Domain partition, and Configuration partition. Apart from these partitions, we can create Application partition based on the requirement. > What is group nesting? Adding one group as a member of another group is called ‘group nesting’. This will help for easy administration and reduced replication traffic. > What is the feature of Domain Local Group? Domain local groups are mainly used for granting access to network resources.A Domain local group can contain accounts from any domain, global groups from any domain and universal groups from any domain. For example, if you want to grant permission to a printer located at Domain A, to 10 users from Domain B, then create a Global group in Domain B and add all 10 users into that Global group. Then, create a Domain local group at Domain A, and add Global group of Domain B to Domain local group of Domain A, then, add Domain local group of Domain A to the printer(of Domain A) security ACL. Active Directory Page 12 >How will you take Active Directory backup ?
Active Directory is backed up along with System State data. System state data includes Local registry, COM+, Boot files, NTDS.DIT and SYSVOL folder. System state can be backed up either using Microsoft’s default NTBACKUP tool or third party tools such as Symantech NetBackup, IBM Tivoli Storage Manager etc. > Do we use clustering in Active Directory ? Why ? No one installs Active Directory in a cluster. There is no need of clustering a domain controller. Because Active Directory provides total redundancy with two or more servers. > What is Active Directory Recycle Bin ? Active Directory Recycle bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed up AD database, rebooting domain controller or restarting any services. > How do you check currently forest and domain functional levels? Say both GUI and Command line. To find out forest and domain functional levels in GUI mode, open ADUC, right click on the domain name and take properties. Both domain and forest functional levels will be listed there. TO find out forest and domain functional levels, you can use DSQUERY command. > Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory ? All versions of Windows Server Active Directory use Kerberos 5. > Name few port numbers related to Active Directory ? Kerberos 88, LDAP 389, DNS 53, SMB 445 > What is an FQDN ? FQDN can be expanded as Fully Qualified Domain Name.It is a hierarchy of a domain name system which points to a device in the domain at its left most end. For example in system. > Have you heard of ADAC ? ADAC- Active Directory Administrative Center is a new GUI tool came with Windows Server 2008 R2, which provides enhanced data management experience to the admin. ADAC helps administrators to perform common Active Directory object management task across multiple domains with the same ADAC instance. > How many objects can be created in Active Directory? (both 2003 and 2008)
As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime. > Explain the process between a user providing his Domain credentialto his workstation and the desktop being loaded? Or how the AD authentication works ? When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long term keys for every principal in its realm. The KDC looks up the user’s master key (KA), which is based on the user’s password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The client computer receives the information from the KDC and runs the user’s password through a one-way hashing function, which converts the password into the user’s KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.

More Related Content

PDF
Active directory interview_questions
subhashmr
 
PPT
Windows Server 2008 Active Directory Guide
webhostingguy
 
PDF
Windows server 2008 step by-step guide for dns in small networks
Ochiroo Dorj
 
PDF
MCITP
Naqib Khan
 
PDF
Windows Server 2008 R2 Active Directory ADFS Claims Base Identity for Windows...
Tũi Wichets
 
PPT
active-directory-domain-services
202066
 
DOC
Server interview[1]
sourav nanda
 
PPT
Active directory installation windows 2003 1
tameemyousaf
 
Active directory interview_questions
subhashmr
 
Windows Server 2008 Active Directory Guide
webhostingguy
 
Windows server 2008 step by-step guide for dns in small networks
Ochiroo Dorj
 
MCITP
Naqib Khan
 
Windows Server 2008 R2 Active Directory ADFS Claims Base Identity for Windows...
Tũi Wichets
 
active-directory-domain-services
202066
 
Server interview[1]
sourav nanda
 
Active directory installation windows 2003 1
tameemyousaf
 

What's hot (20)

PPTX
Failover cluster
Chinmoy Jena
 
ODP
Cl310
Juliette Ponnet
 
PPT
Windows Server 2008 (Active Directory Yenilikleri)
ÇözümPARK
 
PDF
Server 2008 r2 ppt
Raj Solanki
 
PPTX
WINDOWS SERVER 2008
Tawose Olamide Timothy
 
PPTX
Windows Server 2008 Active Directory
anilinvns
 
PPTX
MCSA Installing & Configuring Windows Server 2012 70-410
omardabbas
 
DOCX
Windows server Interview question and answers
Availity Fore Support Services pvt ltd
 
ODP
Cl207
Juliette Ponnet
 
PPT
0505 Windows Server 2008 一日精華營 PartI
Timothy Chen
 
PPTX
Active Directory
rainrjcahili
 
PDF
Active directory job_interview_preparation_guide
abdulkalamattari
 
ODP
Cl116
Juliette Ponnet
 
ODP
Cl115
Juliette Ponnet
 
PPT
Chapter01 Introduction To Windows Server 2003
Raja Waseem Akhtar
 
PPT
Mcts chapter 4
Sadegh Nakhjavani
 
PPT
Cl107
Juliette Ponnet
 
PPT
Active Directory Services
Varun Arora
 
PDF
Microsoft Windows Server 2012 R2 Overview - Presented by Atidan
David J Rosenthal
 
ODP
Cl309
Juliette Ponnet
 
Failover cluster
Chinmoy Jena
 
Cl310
Juliette Ponnet
 
Windows Server 2008 (Active Directory Yenilikleri)
ÇözümPARK
 
Server 2008 r2 ppt
Raj Solanki
 
WINDOWS SERVER 2008
Tawose Olamide Timothy
 
Windows Server 2008 Active Directory
anilinvns
 
MCSA Installing & Configuring Windows Server 2012 70-410
omardabbas
 
Windows server Interview question and answers
Availity Fore Support Services pvt ltd
 
Cl207
Juliette Ponnet
 
0505 Windows Server 2008 一日精華營 PartI
Timothy Chen
 
Active Directory
rainrjcahili
 
Active directory job_interview_preparation_guide
abdulkalamattari
 
Cl116
Juliette Ponnet
 
Cl115
Juliette Ponnet
 
Chapter01 Introduction To Windows Server 2003
Raja Waseem Akhtar
 
Mcts chapter 4
Sadegh Nakhjavani
 
Cl107
Juliette Ponnet
 
Active Directory Services
Varun Arora
 
Microsoft Windows Server 2012 R2 Overview - Presented by Atidan
David J Rosenthal
 
Cl309
Juliette Ponnet
 
Ad

Similar to Ctive directory interview question and answers (20)

DOCX
Windows admin interview questions
Harikiran Raju
 
PDF
29041329 interview-questions-for-server-2003
rafiq123
 
PPTX
Activedirecotryfundamentals
Shekhar Singh
 
PPTX
Installing And configuring active directory .pptx
tallawanbealynne
 
PDF
Active Directory
Jessica Henderson
 
PPTX
Ad ds ws2008 r2
MICTT Palma
 
PDF
Active directory interview_questions
Umesh Sawant
 
PPT
Ads Overview En
raj240969
 
PPT
Ads Overview En
raj240969
 
PPT
Active directoryfinal
Rafał Kucharski
 
PDF
Final domain control policy
BhagyashriJadhav16
 
PPTX
BITIC-27 Proyecto 3 BITIC 3 2022 Andres Labera ADDS.pptx
RodrigoOrtz4
 
DOC
Technical interview questions -networking
rafiq123
 
PPTX
Introduction_of_ADDS
Harsh Sethi
 
PPTX
02-Active Directory Domain Services.pptx
AdiWidyanto2
 
PDF
Introduction to System and network administrations
girmayou1
 
PPT
Active directory - an introduction
pepoluan
 
DOCX
What is active directory
rajasekar1712
 
PPTX
Microsoft Active Directory.pptx
masbulosoke
 
DOCX
Windows sys admin interview questions
Student
 
Windows admin interview questions
Harikiran Raju
 
29041329 interview-questions-for-server-2003
rafiq123
 
Activedirecotryfundamentals
Shekhar Singh
 
Installing And configuring active directory .pptx
tallawanbealynne
 
Active Directory
Jessica Henderson
 
Ad ds ws2008 r2
MICTT Palma
 
Active directory interview_questions
Umesh Sawant
 
Ads Overview En
raj240969
 
Ads Overview En
raj240969
 
Active directoryfinal
Rafał Kucharski
 
Final domain control policy
BhagyashriJadhav16
 
BITIC-27 Proyecto 3 BITIC 3 2022 Andres Labera ADDS.pptx
RodrigoOrtz4
 
Technical interview questions -networking
rafiq123
 
Introduction_of_ADDS
Harsh Sethi
 
02-Active Directory Domain Services.pptx
AdiWidyanto2
 
Introduction to System and network administrations
girmayou1
 
Active directory - an introduction
pepoluan
 
What is active directory
rajasekar1712
 
Microsoft Active Directory.pptx
masbulosoke
 
Windows sys admin interview questions
Student
 
Ad

Recently uploaded (20)

PDF
The Spotlight Effect No One Is Thinking About You as Much as You Think - by M...
Meenakshi Khakat
 
PPTX
show1- motivational ispiring positive thinking
SheKrish1
 
PPTX
Learn how to use Portable Grinders Safely
MushtaqHussain95
 
PPTX
Presentation on interview preparation.pt
vaishnavinampally6
 
PPTX
Attitudes presentation for psychology.pptx
nckanth1906
 
PDF
My 'novel' Account of Human Possibility pdf.pdf
BS Murthy
 
PPTX
Learn about numerology and do tarot reading
SjSap
 
PPTX
Identity Development in Adolescence.pptx
Sandhya Bhatt
 
PDF
The Zeigarnik Effect by Meenakshi Khakat.pdf
Meenakshi Khakat
 
PPTX
cấu trúc sử dụng mẫu Cause - Effects.pptx
PhngThoTrnh7
 
PPT
proper hygiene for teenagers for secondary students .ppt
FemaroseTelan
 
PPT
cypt-cht-healthy-relationships-part1-presentation-v1.1en.ppt
IRVINGACACIO3
 
PPTX
Understanding the Self power point presentation
MikaelaZofia
 
PDF
Top 10 Visionary Entrepreneurs to Watch in 2025
timeiconic007
 
PPTX
Chapter-7-The-Spiritual-Self-.pptx-First
lazomarjorieestraves
 
PPTX
SELF ASSESSMENT -SNAPSHOT.pptx an index of yourself by Dr NIKITA SHARMA
NikkySharma5
 
PDF
Attachment Theory What Childhood Says About Your Relationships.pdf
Meenakshi Khakat
 
PDF
Red Light Wali Muskurahat – A Heart-touching Hindi Story
Mohd Salman
 
PDF
SEX-GENDER-AND-SEXUALITY-LESSON-1-M (2).pdf
jemmgomez09
 
PDF
The Power of Pausing Before You React by Meenakshi Khakat
Meenakshi Khakat
 
The Spotlight Effect No One Is Thinking About You as Much as You Think - by M...
Meenakshi Khakat
 
show1- motivational ispiring positive thinking
SheKrish1
 
Learn how to use Portable Grinders Safely
MushtaqHussain95
 
Presentation on interview preparation.pt
vaishnavinampally6
 
Attitudes presentation for psychology.pptx
nckanth1906
 
My 'novel' Account of Human Possibility pdf.pdf
BS Murthy
 
Learn about numerology and do tarot reading
SjSap
 
Identity Development in Adolescence.pptx
Sandhya Bhatt
 
The Zeigarnik Effect by Meenakshi Khakat.pdf
Meenakshi Khakat
 
cấu trúc sử dụng mẫu Cause - Effects.pptx
PhngThoTrnh7
 
proper hygiene for teenagers for secondary students .ppt
FemaroseTelan
 
cypt-cht-healthy-relationships-part1-presentation-v1.1en.ppt
IRVINGACACIO3
 
Understanding the Self power point presentation
MikaelaZofia
 
Top 10 Visionary Entrepreneurs to Watch in 2025
timeiconic007
 
Chapter-7-The-Spiritual-Self-.pptx-First
lazomarjorieestraves
 
SELF ASSESSMENT -SNAPSHOT.pptx an index of yourself by Dr NIKITA SHARMA
NikkySharma5
 
Attachment Theory What Childhood Says About Your Relationships.pdf
Meenakshi Khakat
 
Red Light Wali Muskurahat – A Heart-touching Hindi Story
Mohd Salman
 
SEX-GENDER-AND-SEXUALITY-LESSON-1-M (2).pdf
jemmgomez09
 
The Power of Pausing Before You React by Meenakshi Khakat
Meenakshi Khakat
 

Ctive directory interview question and answers

  • 1. ctive Directory Interview Question and Answers >What is Active Directory? Active Directory is a Meta Data. Active Directory is a data base which stores a data base like your user information, computer information and also other network object info. It has capabilities to manage and administer the complete Network which connect with AD. >What is domain? Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user needs only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The ‘domain’ is simply your computer address not to confuse with an URL. A domain address might look something like 211.170.469. >What is domain controller? A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination. >What is LDAP? Lightweight Directory Access Protocol LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2. >What is KCC? KCC (knowledge consistency checker) is used to generate replication topology for inter site replication and for intra-site replication. Within a site replication traffic is done via remote procedure calls over ip, while between sites it is done through either RPC or SMTP. >Where is the AD database held? What other folders are related toAD? The AD data base is store in c:windowsntdsNTDS.DIT. >What is the SYSVOL folder? The sysVOL folder stores the server’s copy of the domain’s public files. The contents such as group policy, users etc of the sysvol folder are replicated to all domain controllers in the domain. >Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003? The Active Directory replaces them. Now all domain controllers share a multi master peer-to- peer read and write relationship that hosts copies of the Active Directory.
  • 2. >Cannot create a new universal user group. Why? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory. >What is LSDOU? Its group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units. >Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exists, it has the highest priority among the numerous policies. >How many number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators group. > What’s the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003. > How many passwords by default are remembered when you check“Enforce Password History Remembered”? User’s last 6 passwords. > Can GC Server and Infrastructure place in single server? No, As Infrastructure master does the same job as the GC. It does not work together. > Which is service in your windows is responsible for replication of Domain controller to another domain controller. KCC generates the replication topology. Use SMTP / RPC to replicate changes. Active Directory Page 2 > What Intrasite and Intersite Replication? Intrasite is the replication within the same site & intersite the replication between sites. > What is lost & found folder in ADS? It’s the folder where you can find the objects missed due to conflict. Ex: you created a user in OU which is deleted in other DC & when replication happed ADS didn’t find the OU then it will put that in Lost & Found Folder.
  • 3. > What is Garbage collection? Garbage collection is the process of the online defragmentation of active directory. It happens every 12 Hours. > What System State data contains? Contains Startup files, Registry Com + Registration Database Memory Page file System files AD information Cluster Service information SYSVOL Folder >What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference in 2000 Group Polices and 2003 Group Polices? What is meant by ADS and ADS services in Windows 2003? Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy – you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference. ADS stands for Automated Deployment Services, and is used to quickly roll out identically- configured servers in large-scale enterprise environments. You can get more information from the ADS homepage. >I want to setup a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone ‘name.org’ can I name the AD domain ‘name.org’ too? Not only can you have a DNS zone and an Active Directory domain with the same name, it’s actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself install DNS on your server in the background. >How do I determine if user accounts have local administrative access? You can use the net local group administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong. >Why am I having trouble printing with XP domain users? In most cases, the inability to print or access resources in situations like this one will boil down
  • 4. to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients’ wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie. >What is the ISTG? Who has that role by default? Windows 2000 Domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG). Active Directory Page 3 >What is difference between Server 2003 vs 2008? 1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several ‘virtual’ servers on one physical machine.) 2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server) 3. Better security. 4. Role-based installation. 5. Read Only Domain Controllers (RODC). 6. Enhanced terminal services. 7. Network Access Protection – Microsoft’s system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies. 8. Power Shell – Microsoft’s command line shell and scripting language has proved popular with some server administrators. 9. IIS 7. 10. Bit locker – System drive encryption can be a sensible security measure for servers located in remote branch offices. The main difference between 2003 and 2008 is Virtualization, management. 2008 has more in-build components and updated third party drivers. 11. Windows Aero. >What are the requirements for installing AD on a new server? 1 The Domain structure. 2 The Domain Name. 3 storage location of the database and log file. 4 Location of the shared system volume folder.
  • 5. 5 DNS config Method. 6 DNS configuration. >What is LDP? LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network. >What are the Groups types available in active directory ? Security groups: Use Security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups. Distribution groups: Distribution groups are used for sending e-main messages to groups of users. You cannot grant permissions to security groups. Even though security groups have all the capabilities of distribution groups, distribution groups still requires, because some applications can only read distribution groups. >Explain about the groups scope in AD? Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional level of domains and forests. Domain local group memberships are not limited as you can add members as user accounts, universal and global groups from any domain. Just to remember, nesting cannot be done in domain local group. A domain local group will not be a member of another Domain Local or any other groups in the same domain. Global Group: Users with similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in local or another domain in same forest. To say in simple words, Global groups can be use to grant permissions to gain access to resources which are located in any domain but in a single forest as their memberships are limited. User accounts and global groups can be added only from the domain in which global group is created. Nesting is possible in Global groups within other groups as you can add a global group into another global group from any domain. Finally to provide permission to domain specific resources (like printers and published folder), they can be members of a Domain Local group. Global groups exist in all mixed, native and interim functional level of domains and forests. Universal Group Scope: These groups are precisely used for email distribution and can be granted access to resources in all trusted domain as these groups can only be used as a security
  • 6. principal (security group type) in a windows 2000 native or windows server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of universal group. Universal groups can be nested under a global or Domain Local group in any domain. ctive Directory Page 4 >What is REPLMON? The Microsoft definition of the Replmon tool is as follows; This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication. >What is ADSIEDIT ? ADSIEDIT :ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects with a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT. >What is NETDOM ? NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels. >What is REPADMIN? This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors. >How to take backup of AD ? For taking backup of active directory you have to do this : first go START -> PROGRAM - >ACCESORIES -> SYSTEM TOOLS -> BACKUP OR Open run window and ntbackup and take systemstate backup when the backup screen is flash then take the backup of SYSTEM STATE it will take the backup of all the necessary information about the syatem including AD backup , DNS ETC.
  • 7. >What are the DS* commands ? The following DS commands: the DS family built in utility . DSmod – modify Active Directory attributes. DSrm – to delete Active Directory objects. DSmove – to relocate objects DSadd – create new accounts DSquery – to find objects that match your query attributes. DSget – list the properties of an object >What are the requirements for installing AD on a new server? An NTFS partition with enough free space. An Administrator’s username and password. The correct operating systemversion. A NIC Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway). A network connection (to a hub or to another computer via a crossover cable) . An operational DNS server (which can be installed on the DC itself) . A Domain name that you want to use . The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder) . Active Directory Page 5 >Explain about Trust in AD ? To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains. Trusts in Windows 2000 (native mode) One-way trust – One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain. Two-way trust – Two domains allow access to users on both domains. Trusting domain – The domain that allows access to users from a trusted domain. Trusted domain – The domain that is trusted; whose users have access to the trusting domain. Transitive trust – A trust that can extend beyond two domains to other trusted domains in the forest. Intransitive trust – A one way trust that does not extend beyond two domains. Explicit trust – A trust that an admin creates. It is not transitive and is one way only. Cross-link trust – An explicit trust between domains in different trees or in the same tree when
  • 8. a descendant/ancestor (child/parent) relationship does not exist between the two domains. Windows 2000 Server – supports the following types of trusts: Two-way transitive trusts. One-way intransitive trusts. Additional trusts can be created by administrators. These trusts can be: >What is tombstone lifetime attribute ? The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NIC. >What are application partitions? When do I use them ? AN application diretcory partition is a directory partition that is replicated only to specific domain controller.Only domain controller running windows Server 2003 can host a replica of application directory partition. Using an application directory partition provides redundany,availability or fault tolerance by replicating data to specific domain controller pr any set of domain controllers anywhere in the forest. >How do you create a new application partition ? Use the DnsCmd command to create an application directory partition. To do this, use the following syntax: DnsCmd ServerName /CreateDirectoryPartition FQDN of partition >How do you view all the GCs in the forest? C:>repadmin /showreps domain_controller where domain_controller is the DC you want to query to determine whether it?s a GC. The output will include the text DSA Options: IS_GC if the DC is a GC. >Can you connect Active Directory to other3rd-party Directory Services? Name a few options. Yes, you can use dirXML or LDAP to connect to other directories. In Novel you can use E-directory. Active Directory Page 6 >What is IPSec Policy IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec Policy can be deployed via Group policy to the Windows Domain controllers 7 Servers.
  • 9. >What are the different types of Terminal Services ? User Mode & Application Mode. >What is the System Startup process ? Windows 2K boot process on a Intel architecture. 1. Power-On Self Tests (POST) are run. 2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run. 3. The active partition is located, and the boot sector is loaded. 4. The Windows 2000 loader (NTLDR) is then loaded. The boot sequence executes the following steps: 1. The Windows 2000 loader switches the processor to the 32-bit flat memory model. 2. The Windows 2000 loader starts a mini-file system. 3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu). 4. The Windows 2000 loader loads the operating systemselected by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control. 5. NTDETECT.COMscans the hardware installed in the computer, and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE_HARDWARE hive. 6. NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware information collected by NTDETECT.COM. Windows NT enters the Windows load phases. >How do you change the DS Restore admin password ? In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Restore mode, then use either the Microsoft Management Console (MMC) Local User and Groups snap-in or the command net user administrator * to change the Administrator password. Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Service Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility?s scripting options.)
  • 10. In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password. To do so, follow these steps: 1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe). 2. Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument ?set dsrm password? at the ntdsutil prompt: ntdsutil: set dsrm password. 3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server testing, enter the following argument at the Reset DSRM Administrator Password prompt: Reset DSRM Administrator Password: reset password on server testing To reset the password on the local machine, specify null as the server name: Reset DSRM Administrator Password: reset password on server null 4. You?ll be prompted twice to enter the new password. You?ll see the following messages: 5. Please type password for DS Restore Mode Administrator Account: 6. Please confirm new password: Password has been set successfully. 7. Exit the password-reset utility by typing ?quit? at the following prompts: 8. Reset DSRM Administrator Password: quit ntdsutil: quit Active Directory Page 7 >How do I use Registry keys to remove a user from a group? In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from www.joeware.net . ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory. >Why are my NT4 clients failing to connect to the Windows 2000 domain? Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server. >How do you view replication properties for AD partitions and DCs? By using replication monitor go to start > run > type repadmin go to start > run > type replmon
  • 11. >Why can’t you restore a DC that was backed up 4 months ago? Because of the tombstone life which is set to only 60 days. >Different modes of AD restore ? A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller. An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. In this one needs to stop the inbound replication first before performing the An authoritative restore. >How do you configure a stand-by operation master for any of the roles? # Open Active Directory Sites and Services. # Expand the site name in which the standby operations master is located to display the Servers folder. # Expand the Servers folder to see a list of the servers in that site. # Expand the name of the server that you want to be the standby operations master to display its NTDS Settings. # Right-click NTDS Settings, click New, and then click Connection. # In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK. # In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK. Home » Microsoft Windows » Interview Question and Answers » Active Directory Interview Question and Answers » Active Directory Page 8 Active Directory Page 8 >What’s the difference between transferring a FSMO role and seizing ? Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available. If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role Seize and then bring the previous holder back online, you’ll have a problem.
  • 12. An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder >I want to look at the RID allocation table for a DC. What do I do? dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC) >What is BridgeHead Server in AD ? A bridgehead server is a domain controller in each site, which is used as a contact point to receive and replicate data between sites. For intersite replication, KCC designates one of the domain controllers as a bridgehead server. In case the server is down, KCC designates another one from the domain controller. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site. >What is the default size of ntds.dit ? 10 MB in Server 2000 and 12 MB in Server 2003 . >Where is the AD database held and What are other folders related to AD ? AD Database is saved in %systemroot%/ntds. You can see other files also in this folder. These are the main files controlling the AD structure. ntds.dit edb.log res1.log res2.log edb.chk When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the systemwrites the data to the AD database from the log file. Any time the systemis shut down, all transactions are saved to the database. During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a “shutdown” statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn’t exist on reboot or the shutdown statement isn’t present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located inNTDS, along with the other files we’ve discussed
  • 13. >What FSMO placement considerations do you know of ? Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory. In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles Active Directory Page 9 >What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD? If you’re installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you’re installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you’ll find in the Componentsr2adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later). Here’s a sample execution of the Adprep /forestprep command: D:CMPNENTSR2ADPREP>adprep /forestprep ADPREP WARNING: Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later). QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption. [User Action] If ALL your existing Windows 2000 domain controllers meet this requirement,
  • 14. type C and then press ENTER to continue. Otherwise, type any other key and press ENT ER to quit. C Opened Connection to SAV DALDC01 SSPI Bind succeeded Current Schema Version is 30 Upgrading schema to version 31 Connecting to “SAVDALDC01″ Logging in as current user using SSPI Importing directory from file “C:WINDOWSsystem32sch31.ldf” Loading entries… 139 entries modified successfully. The command has completed successfully Adprep successfully updated the forest-wide information. After running Adprep, install R2 by performing these steps: 1. Click the “Continue Windows Server 2003 R2 Setup” link, as the figureshows. 2. At the “Welcome to the Windows Server 2003 R2 Setup Wizard” screen, click Next. 3. You’ll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn’t installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can’t use a retail or Microsoft Developer Network (MSDN) R2 key. 4. You’ll see the setup summary screen which confirms the actions to be performed (e.g., Copy files). Click Next. 5. After the installation is complete, you’ll see a confirmation dialog box. Click Finish >What is OU ? Organization Unit is a container object in which you can keep objects such as user accounts, groups, computer, printer . applications and other (OU). In organization unit you can assign specificpermission to the user’s. organization unit can also be used to create departmental limitation. >Name some OU design considerations ? OU design requires balancing requirements for delegating administrative rights – independent of Group Policy needs – and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues: Applying Group Policy An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. Delegating administrative authority usually don’t go more than 3 OU levels >What is sites ? What are they used for ? One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
  • 15. A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets. Sites can be used to Assign Group Policy Objects, facilitate the discovery of resources, manage active directory replication, and manage network link traffic. Sites can be linked to other Sites. Site-linked objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule. >Trying to look at the Schema, how can I do that ? register schmmgmt.dll using this command c:windowssystem32>regsvr32 schmmgmt.dll Open mmc –> add snapin –> add Active directory schema name it as schema.msc Open administrative tool –> schema.msc Active Directory Page 10 >What is the port no of Kerbrose ? 88 >What is the port no of Global catalog ? 3268 >What is the port no of LDAP ? 389 >Explain Active Directory Schema ? Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called “Schema”. The Schema is defines as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on. These objects are also known as “Classes”. The Active Directory Schema can be dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically. >How can you forcibly remove AD from a server, and what do you do later? ? Can I get user passwords from the AD database? Dcpromo /forceremoval , an administrator can forcibly remove Active Directory and roll back
  • 16. the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server then After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command. In the event that the NTDS Settings object is not removed correctly you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tool: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers >What are the FSMO roles? Who has them by default? What happens when each one fails? Flexible Single Master Operation (FSMO) role. Currently there are five FSMO roles: Schema master Domain naming master RID master PDC emulator Infrastructure master >What is domain tree ? Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees. Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree. >What is forests ? A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses. >How to Select the Appropriate Restore Method ? You select the appropriate restore method by considering: Circumstances and characteristics of the failure. The two major categories of failure, From an Active Directory perspective, are Active Directory data corruption and hardware failure. Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers. Active Directory Page 11 >Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
  • 17. The Active Directory replaces them. Now all domain controllers share a multimaster peer-to- peer read and write relationship that hosts copies of the Active Directory. >What is Global Catalog? The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network. >How long does it take for security changes to be replicated among the domain controllers? Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA). >When should you create a forest? Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions. >Describe the process of working with an external domain name ? If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for their external namespace uses the name corp.internal for their internal namespace. The advantage to this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users because the namespaces do not reflect a relationship between resources within and outside of your network. In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible. >How do you view all the GCs in the forest? C:>repadmin /showreps domain_controller OR You can use Replmon.exe for the same purpose.
  • 18. OR AD Sites and Services and nslookup gc._msdcs. To find the in GC from the command line you can try using DSQUERY command. dsquery server -isgc to find all the GC’s in the forest you can try dsquery server -forest -isgc. > What are the physical components of Active Directory? Domain controllers and Sites. Domain controllers are physical computers which are running Windows Server operating system and Active Directory data base. Sites are a network segment based on geographical location and which contains multiple domain controllers in each site. > What are the logical components of Active Directory? Domains, Organizational Units, trees and forests are logical components of Active Directory. > What are the Active Directory Partitions? Active Directory database is divided into different partitions such as Schema partition, Domain partition, and Configuration partition. Apart from these partitions, we can create Application partition based on the requirement. > What is group nesting? Adding one group as a member of another group is called ‘group nesting’. This will help for easy administration and reduced replication traffic. > What is the feature of Domain Local Group? Domain local groups are mainly used for granting access to network resources.A Domain local group can contain accounts from any domain, global groups from any domain and universal groups from any domain. For example, if you want to grant permission to a printer located at Domain A, to 10 users from Domain B, then create a Global group in Domain B and add all 10 users into that Global group. Then, create a Domain local group at Domain A, and add Global group of Domain B to Domain local group of Domain A, then, add Domain local group of Domain A to the printer(of Domain A) security ACL. Active Directory Page 12 >How will you take Active Directory backup ?
  • 19. Active Directory is backed up along with System State data. System state data includes Local registry, COM+, Boot files, NTDS.DIT and SYSVOL folder. System state can be backed up either using Microsoft’s default NTBACKUP tool or third party tools such as Symantech NetBackup, IBM Tivoli Storage Manager etc. > Do we use clustering in Active Directory ? Why ? No one installs Active Directory in a cluster. There is no need of clustering a domain controller. Because Active Directory provides total redundancy with two or more servers. > What is Active Directory Recycle Bin ? Active Directory Recycle bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed up AD database, rebooting domain controller or restarting any services. > How do you check currently forest and domain functional levels? Say both GUI and Command line. To find out forest and domain functional levels in GUI mode, open ADUC, right click on the domain name and take properties. Both domain and forest functional levels will be listed there. TO find out forest and domain functional levels, you can use DSQUERY command. > Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory ? All versions of Windows Server Active Directory use Kerberos 5. > Name few port numbers related to Active Directory ? Kerberos 88, LDAP 389, DNS 53, SMB 445 > What is an FQDN ? FQDN can be expanded as Fully Qualified Domain Name.It is a hierarchy of a domain name system which points to a device in the domain at its left most end. For example in system. > Have you heard of ADAC ? ADAC- Active Directory Administrative Center is a new GUI tool came with Windows Server 2008 R2, which provides enhanced data management experience to the admin. ADAC helps administrators to perform common Active Directory object management task across multiple domains with the same ADAC instance. > How many objects can be created in Active Directory? (both 2003 and 2008)
  • 20. As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime. > Explain the process between a user providing his Domain credentialto his workstation and the desktop being loaded? Or how the AD authentication works ? When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long term keys for every principal in its realm. The KDC looks up the user’s master key (KA), which is based on the user’s password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The client computer receives the information from the KDC and runs the user’s password through a one-way hashing function, which converts the password into the user’s KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.