
1. Explain three main features of Active Directory.
Active Directory enables single sign-on for access to resources on the network such as desktops, shared files and printers. It provides advanced security for the entire network and its resources. It is also scalable and flexible to administer.
2. What do you mean by Active Directory functional levels? How do they help an organization's network functionality?
Functional levels allow different versions of Active Directory, such as Windows NT, Windows 2000 Server, Windows Server 2003 and Windows Server 2008, to coexist. The functional level of a domain or forest controls which advanced features are available in that domain or forest. A lower functional level allows coexistence with legacy domain controllers, but it disables some of the newer Active Directory features. If you are setting up a new Active Directory environment with the latest version of Windows Server and AD, you can set the highest functional level, so that all the new AD functionality is enabled.
3. What are the Domain and Forest functional levels of Windows Server 2003 AD?
Windows Server 2003 Domain Functional Levels: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.
Forest Functional Levels: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003.
4. What are the Domain and Forest functional levels of Windows Server 2008 AD?
Windows Server 2008 Domain Functional Levels: Windows 2000 Native, Windows Server 2003,
Windows Server 2008, Windows Server 2008 R2.
Forest Functional Levels: Windows 2000, Windows Server 2008, Windows Server 2008 R2.
5. How do you add an additional Domain Controller in a remote site with a slower WAN link?
It is possible to take a backup copy of an existing Domain Controller and restore it on a Windows Server machine at the remote location with the slower WAN link.

6. How do we install Active Directory on a Windows 7 computer?
Active Directory is designed for the Server operating system and cannot be installed on Windows 7, but we can install the adminpack tools for the server component.

7. What are the prerequisites to install Active Directory on a server?
Windows Server operating system.
Free hard disk space on an NTFS partition.
Administrator's privilege on the computer.
Network connection with IP address, subnet mask, gateway and DNS address.
A DNS server, which can be installed along with the first Domain Controller.
Windows Server installation CD or i386 folder.

8. What is an FSMO role? (Or: what are Single Master Operations / Flexible Single Master Operations / Operations Master Roles / SMO / OMR?)
Flexible Single-Master Operation (FSMO) roles manage the aspects of a domain or forest that are not suited to multi-master replication; each role is handled by a single domain controller in the domain or forest in order to prevent conflicts.
There are 5 FSMO roles. The Schema Master and Domain Naming Master roles are handled by a single domain controller in the forest, and the PDC Emulator, RID Master and Infrastructure Master roles are handled by a single domain controller in each domain.

9. Explain the Infrastructure Master role. What will be the impact if the DC with the Infrastructure Master role goes down?
The Infrastructure Master is a domain-specific role whose purpose is to ensure that cross-domain object references are handled correctly. For example, if you add a user from one domain to a security group in a different domain, the Infrastructure Master makes sure this is done properly.
The Infrastructure Master has no function in a single-domain environment, so if the domain controller holding it goes down in a single-domain environment there is no impact at all. In a complex environment with multiple domains, its loss may impact the creation and modification of groups and group authentication.

10. What are the two forest-specific FSMO roles?
Schema Master role and Domain Naming Master role.
11. Which FSMO role directly impacts the consistency of Group Policy?
PDC Emulator.

12. I want to promote a new additional Domain Controller in an existing domain. Which groups should I be a member of?
You should be a member of the Enterprise Admins group or the Domain Admins group. You should also be a member of the local Administrators group on the member server that you are going to promote to an additional Domain Controller.

13. Tell me the easiest way to check all 5 FSMO roles.
Run the command netdom query /domain:YourDomain FSMO. It lists the domain controllers holding each FSMO role.

14. Can I configure two RID Masters in a domain?
No, only one Domain Controller can hold the RID Master role in a domain.

15. Can I configure two Infrastructure Master roles in a forest? If yes, please explain.
Only one Domain Controller can hold the Infrastructure Master role in a domain. Hence, if you have two domains in a forest, you can configure two Infrastructure Masters, one in each domain.

16. What will be the impact on the network if the Domain Controller with the PDC Emulator crashes?
If the PDC Emulator crashes, there is an immediate impact on the environment. User authentication will fail as password changes won't take effect, and there will be frequent account lockout issues. Network time synchronization will be impacted. It also affects DFS consistency and Group Policy replication.

17. What are the physical components of Active Directory?
Domain controllers and sites. Domain controllers are physical computers running the Windows Server operating system and the Active Directory database. Sites are network segments based on geographical location, and each site can contain multiple domain controllers.

18. What are the logical components of Active Directory?
Domains, Organizational Units, trees and forests are the logical components of Active Directory.

19. What are the Active Directory partitions? (Or: what are Active Directory Naming Contexts? Or: what is an AD NC?)
The Active Directory database is divided into partitions: the Schema partition, the Domain partition and the Configuration partition. Apart from these, we can create Application partitions based on requirements.

20. What is group nesting?
Adding one group as a member of another group is called 'group nesting'. It makes administration easier and reduces replication traffic.

21. Explain group types and group scopes.
Group types are categorized based on the nature of the group. There are two group types: Security groups and Distribution groups. Security groups are used to apply permissions to resources, whereas distribution groups are used to create Exchange Server e-mail communication groups. Group scopes are categorized based on usage. There are three group scopes: Domain Local groups, Global groups and Universal groups.

22. What are the features of a Domain Local group?
Domain Local groups are mainly used for granting access to network resources. A Domain Local group can contain accounts from any domain, Global groups from any domain and Universal groups from any domain. For example, if you want to grant 10 users from Domain B permission to a printer located in Domain A, create a Global group in Domain B and add all 10 users to it. Then create a Domain Local group in Domain A and add the Global group from Domain B to it. Finally, add the Domain Local group of Domain A to the ACL of the printer (in Domain A).
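The account-to-global-to-domain-local-to-permission chain just described, as an added PowerShell example that is not part of the original page. It assumes the ActiveDirectory module, two hypothetical domains domA.example (resource domain, NetBIOS name DOMA) and domB.example (account domain) with DCs dc1.domA.example and dc1.domB.example, and, in place of the printer, a shared folder D:\Shares\Reports on a Domain A server.

```powershell
# Added example, not from the original page. All domain, DC, group and path names are hypothetical.
Import-Module ActiveDirectory

$accountDC  = 'dc1.domB.example'   # Domain B: the domain the 10 users belong to
$resourceDC = 'dc1.domA.example'   # Domain A: the domain that owns the resource
$users      = 1..10 | ForEach-Object { "bUser$_" }   # constructed sAMAccountNames of the Domain B users

# A -> G: the accounts go into a Global group in their own domain
# (a Global group can only hold members from the domain it was created in)
$globalGroup = New-ADGroup -Name 'GG-Reports-Readers' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=domB,DC=example' -Server $accountDC -PassThru
Add-ADGroupMember -Identity $globalGroup -Members $users -Server $accountDC

# G -> DL: a Domain Local group in the resource domain holds the foreign Global group.
# The member lives in another domain, so it is passed as the object Domain B returned, not by name.
$domainLocalGroup = New-ADGroup -Name 'DL-Reports-Read' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=domA,DC=example' -Server $resourceDC -PassThru
Add-ADGroupMember -Identity $domainLocalGroup -Members $globalGroup -Server $resourceDC

# DL -> P: only the Domain Local group appears in the resource ACL; the users and the Global group never do.
$share = 'D:\Shares\Reports'   # hypothetical folder on a Domain A file server (the answer above used a printer)
$acl   = Get-Acl -Path $share
$rule  = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'DOMA\DL-Reports-Read', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check the chain: the Domain Local group's only direct member should be the Global group from Domain B
Get-ADGroupMember -Identity $domainLocalGroup -Server $resourceDC |
    Select-Object Name, objectClass, distinguishedName
```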

23. How will you take an Active Directory backup?
Active Directory is backed up as part of the System State data. System State data includes the local registry, COM+, boot files, NTDS.DIT and the SYSVOL folder. System State can be backed up using Microsoft's built-in NTBACKUP tool or third-party tools such as Symantec NetBackup, IBM Tivoli Storage Manager, etc.

24. What are the Active Directory restore types?
There are two types of Active Directory restore: Authoritative restore and Non-Authoritative restore.

25. How is an Authoritative restore different from a Non-Authoritative restore?
A Non-Authoritative restore is a normal restore of a single Domain Controller, used when that particular domain controller's OS or hardware has crashed. After the non-authoritative restore completes, the domain controller compares its database with its peer domain controllers on the network and accepts all the directory changes that have been made since the backup. This is done through multi-master replication.
In an Authoritative restore, the restored database of a Domain Controller is forcefully replicated to all the other domain controllers. An Authoritative restore is performed to recover an Active Directory resource or object (e.g. an Organizational Unit) that was accidentally deleted and needs to be restored.

26. Explain how to restore Active Directory using the command line.
We can use the NTDSUTIL command-line tool to perform an Authoritative restore of Active Directory. First, start the domain controller in Directory Services Restore Mode. Then restore the System State data of the Domain Controller using the NTBACKUP tool; this is the non-authoritative restore. Once the non-authoritative restore is completed, we have to perform the authoritative restore immediately, before restarting the Domain Controller.
Open a command prompt, type NTDSUTIL and press Enter, then type authoritative restore and press Enter, then type restore database and press Enter, click OK and then click Yes. This restores all the data in authoritative restore mode. If you want to restore only a specific object or sub-tree, type the command below instead of 'restore database':
restore subtree ou=OU_Name,dc=Domain_Name,dc=xyz

27. Tell me a few switches of the NTDSUTIL command.
Authoritative restore, Configurable settings, Partition management, Set DSRM Password, etc.

28. What is a tombstone? What is the tombstone lifetime period?
A tombstone is the object that remains for an item deleted from the Active Directory database: even after objects are deleted, they are kept hidden in the Active Directory database for a specific period. This period is known as the tombstone lifetime. The tombstone lifetime is 180 days on Windows Server 2003 SP1 and later versions of Windows Server.

29. What do you understand by Garbage Collection? Explain.
Garbage collection is a process of Active Directory. It starts by removing the remains of previously deleted objects (tombstones) from the database. Then the garbage collection process deletes unnecessary log files. Finally, the process starts a defragmentation thread to reclaim additional free space. Garbage collection runs on all domain controllers at an interval of 12 hours.

30. What is the Lost and Found container?
In multi-master replication, replication conflicts can happen. Objects with replication conflicts are stored in a container called the 'Lost and Found' container. This container is also used to store orphaned user accounts and other objects.
31. Where can I locate the Lost and Found container?
The Lost and Found container can be viewed by enabling Advanced Features from the View menu of the Active Directory Users and Computers MMC.

32. Is the Lost and Found container included in Windows Server 2008 AD?
Yes, it is included.

33. Have you ever installed Active Directory in a production environment?
Tell the interviewer yes, don't say no, and tell them this: yes, we had set up an additional domain for a new subsidiary of the firm, and I was a member of the team who handled installation and configuration of domain controllers for the sub-domain. [Or] I was supporting an existing Active Directory network environment of the company, but I have installed and configured Active Directory in a test environment on several occasions.

34. Do we use clustering in Active Directory? Why?
No one installs Active Directory in a cluster. There is no need to cluster a domain controller, because Active Directory provides full redundancy with two or more servers.

35. What is the Active Directory Recycle Bin?
The Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without restoring a backed-up AD database, rebooting the domain controller or restarting any services.

36. What is an RODC? Why do we configure an RODC?
A Read-Only Domain Controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC holds a read-only copy of the Active Directory database and can be deployed in a remote branch office where physical security cannot be guaranteed. An RODC provides improved security and faster logon times for the branch office.

37. How do you check the current forest and domain functional levels? Say both GUI and command line.
To find out the forest and domain functional levels in GUI mode, open ADUC, right-click the domain name and open Properties. Both the domain and forest functional levels are listed there. From the command line, you can use the DSQUERY command.

38. Explain the Knowledge Consistency Checker (KCC).
KCC stands for Knowledge Consistency Checker. It is a process running on all domain controllers that generates and maintains the replication topology for replication within sites and between sites.

39.What are the tools used to check and troubleshoot replication of Active Directory?
We can use command line tools such as repadmin and dcdiag. GUI tool REPLMON can also be used
for replication monitoring and troubleshooting.

40. What is the SYSVOL folder used for?
SYSVOL is a folder that exists on each domain controller and contains Active Directory related files and folders. SYSVOL mainly stores the important elements of Group Policy Objects and scripts, and it is replicated among domain controllers using the File Replication Service (FRS).

41. What is the use of Kerberos in Active Directory? Which port is used for Kerberos
communication?
Kerberos is a network authentication protocol. Active Directory uses Kerberos for user and resource
authentication and trust relationship functionality. Kerberos uses port number 88.
42. Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos 5.
43. Name a few port numbers related to Active Directory.
Kerberos 88
LDAP 389
DNS 53
SMB 445

44. What is an FQDN?
FQDN stands for Fully Qualified Domain Name. It is the complete hierarchical name in the Domain Name System, in which the device is identified by the host name at its left-most end.

45. Tell me a few DS commands and their usage.
Dsadd: adds an object to the directory.
Dsget: displays the requested properties of an object in AD.
Dsmove: moves an object from one location to another in the directory.
Dsquery: queries for specific objects.

46. Explain Active Directory tree and forest.
A tree in Active Directory is a collection of one or more domains which are interconnected and share global resources with each other. If a tree has more than one domain, it has a contiguous namespace. When we add a new domain to an existing tree, it is called a child domain.
A forest is a collection of one or more trees which trust each other and share a common schema. It also shares a common configuration and global catalog. When a forest contains more than one tree, the trees do not form a contiguous namespace.

47. What are intersite and intrasite replication?
Replication between domain controllers inside a single site is called intrasite replication, whereas replication between domain controllers located in different sites is called intersite replication. Intrasite replication is very frequent, whereas intersite replication happens at specific intervals and in a controlled fashion, in order to preserve network bandwidth.

48. What is a shortcut trust?
A shortcut trust is a manually created transitive trust which is configured to enable a faster, optimized authentication process. For example, if we create a shortcut trust between two domains in different trees, they can quickly authenticate each other without traversing the entire chain of parent domains. A shortcut trust can be either one-way or two-way.

49. What is selective authentication?
Selective authentication is generally used with forest trusts and external trusts. It is a security setting which allows administrators to grant access to shared resources in their organization's forest to a limited set of users in another organization's forest. With selective authentication, administrators decide which groups of users in the trusted forest can access shared resources in the trusting forest.

50. Give me a brief explanation of the different types of Active Directory trusts.
Trusts can be categorized by their nature: two-way or one-way, implicit or explicit, transitive or non-transitive. Trusts can also be categorized by type: parent-child trust, tree-root trust, external trust, realm trust, forest trust and shortcut trust.

51. What is ADAC?
ADAC, the Active Directory Administrative Center, is a GUI tool that came with Windows Server 2008 R2 and provides an enhanced data management experience to the admin. ADAC helps administrators perform common Active Directory object management tasks across multiple domains from the same ADAC instance.

52. What is the use of ADSIEDIT? How do we install it in Windows Server 2003 AD?
ADSIEDIT- Active Directory Service Interfaces Editor is a GUI tool which is used to perform advanced
AD object and attribute management. This Active Directory tool helps us to view objects and attributes
that are not visible through normal Active Directory Management Consoles. ADSIEDIT can be
downloaded and installed along with Windows Server 2003 Support Tools.

53. I am unable to create a Universal security group in my Active Directory. What could be the reason?
This is due to the domain functional level. If the domain functional level of a Windows Server 2003 AD is Windows 2000 Mixed, the Universal group option is greyed out. You need to raise the domain functional level to Windows 2000 native or above.

54. What is ADMT? What is it used for?
ADMT, the Active Directory Migration Tool, is used for migrating Active Directory objects from one domain to another. ADMT is an effective tool that simplifies the process of migrating users, computers and groups to new domains.

55. What do you mean by lingering objects in AD? How do you remove lingering objects?
When a domain controller is disconnected for a period longer than the tombstone lifetime, one or more objects that were deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Lingering objects can be removed on Windows Server 2003 or 2008 using the REPADMIN utility.

56. Explain the Global Catalog. What kind of AD infrastructure makes most use of the Global Catalog?
The Global Catalog is a container which holds a searchable partial replica of all objects from all domains in the forest, and a full replica of all objects from the domain in which it is situated. The Global Catalog is stored on the domain controllers that have been designated as Global Catalog servers and is distributed through multi-master replication. Global Catalogs are mostly used in multi-domain, multi-site and complex forest environments, whereas in a single-domain forest the Global Catalog serves no separate purpose.

57. Global Catalog and Infrastructure Master roles cannot be configured on the same Domain Controller. Why?
1. The GC holds the membership of Universal groups, while the Infrastructure Master holds group information at the domain level.
2. We can't set the Infrastructure Master and the GC together on the same DC. If the Infrastructure Master and the GC are on the same server, the Infrastructure Master will not function, because it will never find data that is out of date.

58. How do you check all the GCs in the forest?
C:\>repadmin /showreps domain_controller
Or you can use Replmon.exe for the same purpose, or AD Sites and Services, or nslookup gc._msdcs.
To find the GCs from the command line you can use the DSQUERY command: dsquery server -isgc; to find all the GCs in the forest, use dsquery server -forest -isgc.
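A read-only forest inventory in PowerShell that gathers what questions 13, 28, 37, 57 and 58 describe (FSMO holders, functional levels, tombstone lifetime, Global Catalogs, and the Infrastructure Master placement check) in one object. This is an added example, not part of the original page; it assumes the ActiveDirectory module and a forest the current user can read, and the function name Get-ForestFsmoReport is hypothetical.

```powershell
# Added example, not from the original page. Read-only: it only queries the directory.
Import-Module ActiveDirectory

function Get-ForestFsmoReport {
    $f    = Get-ADForest
    $root = Get-ADRootDSE
    # The tombstone lifetime is an attribute of the Directory Service object in the configuration partition (Q28, Q55)
    $dsCfg = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)" `
        -Properties tombstoneLifetime

    $report = [ordered]@{
        Forest                = $f.Name
        ForestMode            = $f.ForestMode            # forest functional level (Q37)
        SchemaMaster          = $f.SchemaMaster          # forest-wide roles (Q10)
        DomainNamingMaster    = $f.DomainNamingMaster
        GlobalCatalogs        = @($f.GlobalCatalogs)     # the same list 'dsquery server -forest -isgc' prints (Q58)
        TombstoneLifetimeDays = $dsCfg.tombstoneLifetime # empty when the attribute was never set
        Domains               = @()
        Warnings              = @()
    }

    foreach ($domainName in $f.Domains) {
        $d = Get-ADDomain -Identity $domainName
        $report.Domains += [pscustomobject]@{
            Domain               = $d.DNSRoot
            DomainMode           = $d.DomainMode         # domain functional level (Q37)
            PDCEmulator          = $d.PDCEmulator        # domain-wide roles, as 'netdom query fsmo' lists them (Q13)
            RIDMaster            = $d.RIDMaster
            InfrastructureMaster = $d.InfrastructureMaster
        }
        # Q57: in a multi-domain forest the Infrastructure Master must not be a GC, or it never sees stale
        # cross-domain references. The one harmless case (beyond the page, but documented by Microsoft) is
        # every DC in the domain being a GC, so the check compares the GC list with the domain's DC list.
        $allDCs      = @(Get-ADDomainController -Filter * -Server $d.DNSRoot | ForEach-Object HostName)
        $gcsInDomain = @($allDCs | Where-Object { $report.GlobalCatalogs -contains $_ })
        if ($f.Domains.Count -gt 1 -and
            $report.GlobalCatalogs -contains $d.InfrastructureMaster -and
            $gcsInDomain.Count -lt $allDCs.Count) {
            $report.Warnings += "$($d.DNSRoot): Infrastructure Master $($d.InfrastructureMaster) is a Global Catalog while other DCs in the domain are not"
        }
    }
    [pscustomobject]$report
}

$r = Get-ForestFsmoReport
$r | Format-List Forest, ForestMode, SchemaMaster, DomainNamingMaster, GlobalCatalogs, TombstoneLifetimeDays
$r.Domains  | Format-Table -AutoSize
$r.Warnings
```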

59. What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a protocol used to access a directory listing. LDAP support is implemented in web browsers and e-mail programs, which can query an LDAP-compliant directory. LDAP is a sibling protocol to HTTP and FTP and uses the ldap:// prefix in its URL. LDAP is a simplified version of the DAP protocol, which is used to gain access to X.500 directories. It is easier to code a query in LDAP than in DAP, but LDAP is less comprehensive. For example, DAP can initiate searches on other servers if an address is not found, while LDAP cannot in its initial specification. See also DSML and ADSI.

60. What is the default location of Active Directory? What are the main files related to AD?
The actual database file is %SystemRoot%\ntds\NTDS.DIT.

61. What is the NETDOM command-line tool used for?
Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see "How to Administer Microsoft Windows Client and Server Computers Locally and Remotely".
To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

62. What are FSMO roles? Explain.
The five FSMO roles are:
Schema Master: forest-wide, one per forest.
Domain Naming Master: forest-wide, one per forest.
RID Master: domain-specific, one for each domain.
PDC Emulator: domain-specific, one for each domain.
Infrastructure Master: domain-specific, one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same place (that is, on the same DC) as configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.

Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are online and operational is called Transferring, and is described in the Transferring FSMO Roles article.

However, when the original FSMO role holder has gone offline or become non-operational for a long period of time, the administrator might consider moving the FSMO role from the original, non-operational holder to a different DC. The process of moving a FSMO role from a non-operational role holder to a different DC is called Seizing.

If a DC holding a FSMO role fails, the best thing to do is to try to get the server online again. None of the FSMO roles are immediately critical (well, almost none: the loss of the PDC Emulator FSMO role might become a problem unless you fix it in a reasonable amount of time), so it is not a problem for them to be unavailable for hours or even days.

If a DC becomes unreliable, try to get it back online and transfer the FSMO roles to a reliable computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most cases, should be performed only if the original FSMO role owner will not be brought back into the environment. Only seize a FSMO role if absolutely necessary, when the original role holder is not connected to the network.

63. What is the ISTG? What is the role of the ISTG in Active Directory?
Windows 2000 domain controllers each create Active Directory replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory replication connection objects for the appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG). The ISTG is used for replication between sites, i.e. intersite replication. It automatically selects the bridgehead server that will be authorized to replicate information to the bridgehead servers of other sites. If the bridgehead server goes down, the ISTG selects a new server to take its place, so the administrator need not intervene and replication continues without problems.

64. Tell me the order in which GPOs are applied.
Local, Site, Domain, OU. Group Policy settings are processed in the following order:

1. Local Group Policy object: each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.

2. Site: any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order specified by the administrator on the Linked Group Policy Objects tab for the site in the Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

3. Domain: processing of multiple domain-linked GPOs is in the order specified by the administrator on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order specified by the administrator on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, the earlier and later settings are merely aggregated.)
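A small simulation of the Local, Site, Domain, OU processing order and the link-order rule described above, written as an added PowerShell example that is not from the original page. Resolve-GpoSettings and every GPO name and setting in it are constructed for illustration; it treats settings as simple name=value pairs and ignores Enforced links and Block Inheritance, which the answer does not cover.

```powershell
# Added example, not from the original page. Constructed input only; nothing is read from a real domain.
function Resolve-GpoSettings {
    param(
        [hashtable]$LocalGpo,      # the single local GPO's settings
        [object[]]$SiteLinks,      # GPOs linked to the site:   @{ Name; LinkOrder; Settings }
        [object[]]$DomainLinks,    # GPOs linked to the domain: same shape
        [object[]]$OuChain         # @{ OU; Links } entries, highest OU first, the object's own OU last
    )
    # LSDOU: Local, Site, Domain, then each OU from the top of the hierarchy down to the object's OU
    $levels = @(
        @{ Level = 'Local';  Links = @(@{ Name = 'Local GPO'; LinkOrder = 1; Settings = $LocalGpo }) },
        @{ Level = 'Site';   Links = $SiteLinks },
        @{ Level = 'Domain'; Links = $DomainLinks }
    )
    foreach ($ou in $OuChain) { $levels += @{ Level = "OU:$($ou.OU)"; Links = $ou.Links } }

    $effective  = [ordered]@{}   # setting name -> value that ends up applied
    $winningGpo = [ordered]@{}   # setting name -> GPO that supplied that value
    $sequence   = New-Object System.Collections.Generic.List[string]

    foreach ($lvl in $levels) {
        # Within one level the lowest link order is processed last, so it has the highest precedence
        foreach ($g in @($lvl.Links | Sort-Object { $_.LinkOrder } -Descending)) {
            $sequence.Add("$($lvl.Level)/$($g.Name)")
            foreach ($name in $g.Settings.Keys) {
                $effective[$name]  = $g.Settings[$name]   # conflict: the later GPO overwrites the earlier value
                $winningGpo[$name] = $g.Name              # no conflict: the setting is simply added
            }
        }
    }
    [pscustomobject]@{ Sequence = $sequence.ToArray(); Effective = $effective; WinningGpo = $winningGpo }
}

# Constructed sample: two domain-linked GPOs with link orders 2 and 1, and an OU chain Corp -> Corp/Finance
$sample = @{
    LocalGpo    = @{ ScreenSaverTimeout = 900; AllowRemovableMedia = $true }
    SiteLinks   = @(
        @{ Name = 'Site-Proxy';       LinkOrder = 1; Settings = @{ ProxyServer = 'proxy.site.example' } }
    )
    DomainLinks = @(
        @{ Name = 'Domain-Baseline';  LinkOrder = 2; Settings = @{ ScreenSaverTimeout = 600; MinPasswordLength = 8 } },
        @{ Name = 'Domain-Hardening'; LinkOrder = 1; Settings = @{ MinPasswordLength = 14 } }
    )
    OuChain     = @(
        @{ OU = 'Corp';         Links = @(@{ Name = 'Corp-Media';   LinkOrder = 1; Settings = @{ AllowRemovableMedia = $false } }) },
        @{ OU = 'Corp/Finance'; Links = @(@{ Name = 'Finance-Lock'; LinkOrder = 1; Settings = @{ ScreenSaverTimeout = 300 } }) }
    )
}
$result = Resolve-GpoSettings @sample
'Processing order: ' + ($result.Sequence -join ' -> ')
$result.Effective.Keys | ForEach-Object { '{0} = {1}  (from {2})' -f $_, $result.Effective[$_], $result.WinningGpo[$_] }
```

The sequence shows Domain-Hardening (link order 1) processed after Domain-Baseline (link order 2) at the domain level, and each OU in the chain processed after the levels above it, so the object's own OU decides any conflicting setting.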

65. What are the uses of CSVDE and LDIFDE?
The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that may be used for performing batch operations against directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as add, create and modify to be performed against Active Directory. A utility program called LDIFDE is included in Windows 2000 to support batch operations based on the LDIF file format standard.

CSVDE is the type of program that you learn for a specific task and then forget about. Therefore, what you need are a few tried and tested examples to get started. The classic job for CSVDE is to import user accounts into a Windows domain. While I often use CSVDE to create users on my test network, my main use for CSVDE is to research LDAP names. What I do is a quick export of Active Directory into a .csv file. I then open that .csv export file with Excel and study the LDAP fields in the first row of the spreadsheet.
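A constructed LDIF file applied with LDIFDE (one add and one modify record), followed by the kind of CSVDE export the answer describes (one OU, a few attributes, and the header row of LDAP attribute names). This is an added PowerShell example, not from the page; the domain corp.example, the Staff and Groups OUs and the group GG-Staff are hypothetical and assumed to exist.

```powershell
# Added example, not from the original page. Hypothetical domain corp.example;
# OU=Staff, OU=Groups and CN=GG-Staff are assumed to exist already.

# LDIF: one record per entry, records separated by a blank line, the 'dn' line names the object.
# Record 1 adds a user; userAccountControl 514 = normal account, disabled, since no password is set here.
# Record 2 modifies the group: 'add: member' followed by the values, closed by a line holding '-'.
$ldif = @'
dn: CN=Asha Patel,OU=Staff,DC=corp,DC=example
changetype: add
objectClass: user
sAMAccountName: apatel
userPrincipalName: apatel@corp.example
displayName: Asha Patel
userAccountControl: 514

dn: CN=GG-Staff,OU=Groups,DC=corp,DC=example
changetype: modify
add: member
member: CN=Asha Patel,OU=Staff,DC=corp,DC=example
-
'@
$ldifPath = Join-Path $env:TEMP 'new-staff.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# -i import, -f file, -k keep going on 'already exists' / 'constraint violation' errors,
# -j folder that receives ldif.log and ldif.err for review afterwards
ldifde -i -f $ldifPath -k -j $env:TEMP

# CSVDE export of one OU (-d), users only (-r), limited to a few attributes (-l).
# The first line of the .csv is the header row of LDAP attribute names the answer talks about.
$csvPath = Join-Path $env:TEMP 'staff-export.csv'
csvde -f $csvPath -d 'OU=Staff,DC=corp,DC=example' -r '(objectClass=user)' `
    -l 'sAMAccountName,displayName,userPrincipalName,memberOf'

Get-Content -Path $csvPath -TotalCount 1       # header row: the attribute names to reuse in later LDIF/CSV files
Import-Csv -Path $csvPath | Format-Table -AutoSize
```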

66. What are the replication intervals for intersite and intrasite replication? Is there any change between 2003 and 2008?
Replication between two sites is known as intersite replication. Since bandwidth between two different sites is usually very limited, intersite replication is used to manage and control replication traffic. Only one domain controller per site is used to replicate to another site (the process called intersite replication); it can be a bridgehead server (a DC selected to do the replication from the site) or a DC selected by the ISTG if enabled. Within a site, many DCs take part in intrasite replication.

67. What is an Active Directory application partition? What are its uses?
Schema Partition
Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. It contains definitions of all objects and attributes that can be created in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest.

Configuration Partition
There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.

Domain Partition
Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.

Application Partition
Application partitions store information about applications in Active Directory. Each application determines how it stores, categorizes and uses application-specific information. To prevent unnecessary replication of specific application partitions, users can designate which domain controllers in a forest host specific application partitions. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.
As an example of an application partition, if a Domain Name System (DNS) that is integrated with Active Directory is used, there are two application partitions for DNS zones, ForestDNSZones and DomainDNSZones:
- ForestDNSZones is part of a forest. All domain controllers and DNS servers in a forest receive a replica of this partition. This forest-wide application partition stores the forest zone data.
- DomainDNSZones are unique for each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. The application partition stores the domain DNS zone in DomainDNSZones.<domain name>.

68. What is the difference between Server 2003 and 2008?
1. Virtualization. Windows Server 2008 introduces Hyper-V (V for virtualization), but only on 64-bit versions. More and more companies see this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine.
2. Server Core: provides the minimum installation required to carry out a specific server role, such as a DHCP, DNS or print server.
3. Better security.
4. Role-based installation.
5. Read-Only Domain Controllers (RODC).
6. Enhanced Terminal Services.
7. Network Access Protection: Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell: Microsoft's command-line shell and scripting language has proved popular with some server administrators.
9. IIS 7.
10. BitLocker: system drive encryption can be a sensible security measure for servers located in remote branch offices.
11. Windows Aero.
The main differences between 2003 and 2008 are virtualization and management. 2008 has more in-built components and updated third-party drivers.

69. What are the requirements for installing AD on a new server?


1 The domain structure: new forest, new tree in an existing forest, new child domain, or an additional
domain controller for an existing domain.
2 The domain name (DNS name and NetBIOS name).
3 The storage location of the database (ntds.dit) and the log files.
4 The location of the shared system volume (SYSVOL) folder, which must be on an NTFS volume.
5 The DNS configuration method: install and configure DNS on this server, or point it at an existing
DNS server that supports SRV records and dynamic updates.
6 Also needed: a static IP address, an account with the right to create the domain or add the domain
controller (Enterprise Admins for a new domain, Domain Admins for an additional DC), and the Directory
Services Restore Mode password.

70. What is LDP?


LDP: in an Active Directory context, LDP (ldp.exe) is the LDAP client tool shipped with the Windows
Support Tools and later with the AD DS tools. It connects to a domain controller on port 389 (636 over
SSL, 3268 for the global catalog), binds with any credentials, and lets you browse, search and edit
every directory object and attribute, including those the management consoles hide. It is also the
quickest way to check whether a domain controller answers LDAP at all.
The same abbreviation is also used for the unrelated Label Distribution Protocol, an MPLS protocol that
establishes label-switched paths following the existing IP routing when traffic engineering is not
required; that is not what is meant here.

71. What is DNS ?


DNS is the hierarchical, distributed database that maps host names to IP addresses (and the reverse).
Its namespace is split into zones. A zone is a contiguous portion of the DNS namespace managed by one
or more name servers. Zones contain resource records that specify the name of the DNS server
authoritative for the zone (SOA record), the names and IP addresses of all name servers for the zone
(NS records), the names and IP addresses of other hosts (A records), aliases for hosts (CNAME records),
and so on.

In the original implementation of DNS found in RFCs 1034 and 1035, two different types of zones were
defined:

 Primary zones, which hold the master copy of the zone in a writable text file on the name server.
 Secondary zones, which hold a read-only copy of the zone, obtained from the primary by zone
transfer, in a text file on the name server.

72. What is Stub Zones ?


A stub zone is like a secondary zone in that it obtains its resource records from other name servers
(one or more master name servers). A stub zone is also read-only like a secondary zone, so
administrators can’t manually add, remove, or modify resource records on it. But the differences end
here, as stub zones are quite different from secondary zones in a couple of significant ways.
First, while secondary zones contain copies of all the resource records in the corresponding zone on
the master name server, stub zones contain only three kinds of resource records:

 A copy of the SOA record for the zone.


 Copies of NS records for all name servers authoritative for the zone.
 Copies of A records (glue) for all name servers authoritative for the zone.

Second, their purpose is different. A stub zone is normally created on the parent zone's servers for a
delegated child zone: because the stub zone refreshes its NS and glue records from the child's master
servers, the delegation stays correct when the child's administrators add or replace name servers.
A server holding a stub zone can also send queries for that zone straight to its authoritative servers
instead of resolving through the root.

A stub zone cannot answer for anything other than those three record kinds; every other query is
referred to the authoritative servers. It therefore does not replace a secondary zone for fault
tolerance, since it holds none of the zone's data.

Type    RR value   Description

A       1          Host's IP address
NS      2          Host's or domain's name server(s)
CNAME   5          Host's canonical name (host identified by an alias domain name)
PTR     12         Host's domain name (host identified by its IP address)
HINFO   13         Host information
MX      15         Host's or domain's mail exchanger
AXFR    252        Request for zone transfer (query type only)
ANY     255        Request for all records (query type only)
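To make the three-record rule concrete, here is an added example (not from the original page) that
derives a stub zone from a full zone and shows which queries the stub can answer on its own. The zone
for child.example.com and its addresses are constructed sample data; the type codes are the ones from
the table above.

```python
"""Derive the contents of a stub zone from a full copy of the zone.

Added example, not from the original page: a stub zone keeps only the SOA,
the NS records, and the A (glue) records of the servers named in those NS
records, so the parent-side server always knows who is authoritative for
the child zone. The zone below is constructed sample data.
"""
from dataclasses import dataclass

# Numeric RR type codes from RFC 1035 (AXFR and ANY are query types only).
RR_TYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "HINFO": 13,
           "MX": 15, "AXFR": 252, "ANY": 255}


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    ttl: int
    rdata: str


# Constructed full zone for child.example.com, as its primary server holds it.
FULL_ZONE = [
    RR("child.example.com.", "SOA", 3600,
       "ns1.child.example.com. hostmaster.child.example.com. 2024010101 900 600 86400 300"),
    RR("child.example.com.", "NS", 3600, "ns1.child.example.com."),
    RR("child.example.com.", "NS", 3600, "ns2.child.example.com."),
    RR("child.example.com.", "MX", 3600, "10 mail.child.example.com."),
    RR("ns1.child.example.com.", "A", 3600, "192.0.2.10"),
    RR("ns2.child.example.com.", "A", 3600, "192.0.2.11"),
    RR("mail.child.example.com.", "A", 3600, "192.0.2.25"),
    RR("www.child.example.com.", "CNAME", 3600, "web.child.example.com."),
    RR("web.child.example.com.", "A", 3600, "192.0.2.80"),
]


def stub_zone(zone, apex):
    """Return the RRs a stub zone would hold for `apex`.

    Stub = SOA at the apex + NS at the apex + A glue for each NS target.
    Everything else (MX, CNAME, other A records) stays on the master and is
    reached through a referral to the authoritative servers."""
    soa = [rr for rr in zone if rr.name == apex and rr.rtype == "SOA"]
    ns = [rr for rr in zone if rr.name == apex and rr.rtype == "NS"]
    ns_targets = {rr.rdata for rr in ns}
    glue = [rr for rr in zone if rr.rtype == "A" and rr.name in ns_targets]
    return soa + ns + glue


def answers_directly(stub, qname, qtype):
    """A stub zone answers only for the records it holds; any other query
    for the zone has to follow the NS/glue records to the real servers."""
    return any(rr.name == qname and rr.rtype == qtype for rr in stub)


if __name__ == "__main__":
    stub = stub_zone(FULL_ZONE, "child.example.com.")
    for rr in stub:
        print(f"{rr.name:28} {rr.rtype:5} ({RR_TYPE[rr.rtype]:3}) {rr.rdata}")
    print("www via stub?", answers_directly(stub, "www.child.example.com.", "CNAME"))
```

Running it lists five records (SOA, two NS, two glue A) and reports that the www CNAME cannot be
served from the stub, which is exactly the referral behaviour described above.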

73. What is DHCP and how to work?

DHCP is the Dynamic Host Configuration Protocol. A DHCP server assigns IP addresses (together with the
subnet mask, default gateway, DNS servers and other options) to hosts on the network for a limited time
called a lease, so that addresses need not be configured by hand on every workstation. A client may
receive a different address each time it connects, unless it has a reservation.

How a DHCP server works: a client obtains an address in the following four steps (Discover, Offer,
Request, Acknowledgment, often abbreviated DORA; the names below are Microsoft's):

1) Dynamic Host Configuration Protocol Lease Request: the client, which has no address yet, broadcasts
a DHCPDISCOVER from UDP port 68 to port 67.

2) Dynamic Host Configuration Protocol Lease Offer: every DHCP server that receives the discover
offers an address from its scope in a DHCPOFFER.

3) Dynamic Host Configuration Protocol Lease Selection: the client picks one offer (normally the first)
and broadcasts a DHCPREQUEST for it, so that the other servers can withdraw their offers.

4) Dynamic Host Configuration Protocol Lease Acknowledgment: the chosen server confirms the lease and
its options with a DHCPACK, or refuses with a DHCPNAK, after which the client starts over.

74. What is default lease period for DHCP Server

Ans: 8 days (the Windows DHCP server's default lease duration for a new scope).

 Reviewing important DHCP terms

You should memorize the DHCP terms listed in Table 1, because you need to know them for the
exam.
Important DHCP Terms

Scope:- The full range of IP addresses on one subnet that a particular DHCP server can lease, together
with the options it hands out.

Superscope:- A grouping of scopes used to support several logical IP subnets that exist on one physical
network segment (called a multinet).

Multicast Scope:- A scope that contains multicast IP addresses, which treat multicast clients as a
group. Multicast address allocation uses MADCAP (Multicast Address Dynamic Client Allocation Protocol),
an extension of DHCP, and the multicast address range 224.0.0.0 to 239.255.255.255.

Address Pool:- The IP addresses in a scope that are available for lease, i.e. the scope range minus
the exclusion ranges.

Exclusion Range:- A group of IP addresses in the scope that are never leased. Excluded addresses are
normally used for devices that carry a static IP address, such as routers and servers.

Reservation:- A means of assigning a permanent IP address to a particular client, server or hardware
device, matched by its MAC address. Reservations are typically made for servers or devices that need a
fixed address but should still receive their options from DHCP.

Lease:- The amount of time that a client may use an IP address before it must renew the lease or
request another address. Clients first try to renew when half the lease time has elapsed.

75. What is Domain Controller and Member server?


With Windows 2000, servers in a domain can have one of two roles: domain controllers, which contain
matching copies of the user accounts and other Active Directory data in a given domain; and member
servers, which belong to a domain but do not contain a copy of the Active Directory data.

76. Can you change the Name of a Domain Controller?


You cannot change the name of a server while it is a domain controller in a Windows 2000 domain.
Instead, you must demote it to a member or stand-alone server, change the name, and finally promote
the server to a domain controller once again. In Windows Server 2003 (at the Windows Server 2003 domain
functional level) a domain controller can be renamed in place with the netdom computername command,
which adds the new name, lets it replicate, then makes it primary and removes the old one.

77. Why do we need Multiple Domain Controllers?


Multiple domain controllers give users better service than a single one. Each domain controller holds a
full writable copy of the domain partition, so they provide automatic redundancy for user accounts and
other Active Directory data (if one fails, the others keep the domain running), and they share the work
of validating logons and answering directory queries, ideally with at least one in every site.

78. What are the roles a Child additional Domain controller will have by default?
By default an additional domain controller in a child domain holds no FSMO role. The first domain
controller promoted in the child domain holds the three domain-wide roles (RID master, PDC emulator,
Infrastructure master); the two forest-wide roles (Schema master, Domain naming master) stay in the
forest root domain. Any role can later be transferred to the additional domain controller.
Explain the activities of each role?
1) Schema Master (one per forest): the only domain controller allowed to write to the schema
partition. Schema extensions (for example by Exchange setup) are made here and replicated to every
domain controller in the forest.

2) Domain Naming Master (one per forest): controls the addition and removal of domains and application
partitions in the forest, so that no two domains can get the same name.

3) RID master (one per domain): hands out blocks (pools) of relative identifiers to each domain
controller. A domain controller builds the SID of every new user, group or computer as the domain SID
plus the next RID from its pool; while the RID master is unreachable a domain controller can create
principals only until its pool runs out.

4) PDC Emulator (one per domain): acts as the primary domain controller for Windows NT BDCs and
down-level clients, receives password changes from the other domain controllers with priority (urgent
replication) and is consulted before a logon is rejected for a bad password, is the default target for
Group Policy edits, and is the authoritative time source for the domain.

5) Infrastructure Master (one per domain): keeps cross-domain object references up to date (for
example group members that live in another domain) by comparing them with a global catalog.
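How the RID master's work turns into object SIDs is easier to see in code. The following is an added
example, not from the original page: a RID master handing out non-overlapping pools to two domain
controllers, each building SIDs as domain SID plus RID, together with the string and binary SID
encodings. The domain SID and the pool size of 500 are assumed sample values (500 is the default pool
size, but it is configurable). The same RID/pool idea is what dcdiag /test:ridmanager, mentioned later
on this page, reports.

```python
"""How the RID master's allocations turn into object SIDs.

Added example, not from the original page. Each DC obtains a pool of RIDs
from the RID master (pool size of 500 assumed) and builds every new
principal's SID as domain SID + RID. The domain SID below is constructed
sample data. `sid_to_bytes` follows the binary SID layout: revision byte,
sub-authority count byte, 48-bit big-endian identifier authority, then
little-endian 32-bit sub-authorities.
"""
import struct

DEFAULT_POOL_SIZE = 500


class RidMaster:
    """Domain-unique RID allocator: hands out non-overlapping blocks."""
    def __init__(self, next_rid=1000):
        self.next_rid = next_rid           # RIDs below 1000 are well-known

    def allocate(self, size=DEFAULT_POOL_SIZE):
        lo, hi = self.next_rid, self.next_rid + size - 1
        self.next_rid = hi + 1
        return lo, hi


class DomainController:
    def __init__(self, name, domain_sid, rid_master):
        self.name, self.domain_sid, self.rid_master = name, domain_sid, rid_master
        self.pool = None
        self.cursor = None

    def create_principal(self):
        # Refill from the RID master when the local pool is exhausted; with
        # the RID master offline a DC whose pool has run out cannot create
        # any new user, group or computer, which is why the role matters.
        if self.pool is None or self.cursor > self.pool[1]:
            self.pool = self.rid_master.allocate()
            self.cursor = self.pool[0]
        rid = self.cursor
        self.cursor += 1
        return f"{self.domain_sid}-{rid}"


def parse_sid(sid):
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    return revision, authority, [int(p) for p in parts[3:]]


def sid_to_bytes(sid):
    """String SID -> binary SID as stored in objectSid and in tokens."""
    revision, authority, subs = parse_sid(sid)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw):
    revision, count = struct.unpack_from("<BB", raw, 0)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<" + "I" * count, raw, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def rid_of(sid):
    """The last sub-authority is the RID; everything before it is the domain SID."""
    return parse_sid(sid)[2][-1]


if __name__ == "__main__":
    master = RidMaster()
    domain = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
    dc1, dc2 = DomainController("DC1", domain, master), DomainController("DC2", domain, master)
    for dc in (dc1, dc2, dc1):
        sid = dc.create_principal()
        print(dc.name, sid, "RID", rid_of(sid), sid_to_bytes(sid).hex())
```

DC1 draws RIDs 1000 to 1499 and DC2 1500 to 1999, so the SIDs they mint never collide even though
they never talk to each other; that is the whole purpose of centralising pool allocation in one role.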

79. What are the roles must be on the same server?


Domain Naming Master and Global catalogue. In Windows 2000 the Domain Naming Master had to be a
global catalog server; from Windows Server 2003 onward this is no longer required, but it remains the
usual placement.

80.What are the roles those must not be on the same Domain Controller?
Infrastructure Master and Global Catalogue

Note: If you have only one domain there is no problem in hosting both on the same server, and it is
also harmless when every domain controller in the forest is a global catalog. If you have two or more
domains in a forest and only some domain controllers are global catalogs, the Infrastructure Master
must not be a global catalog: a global catalog never holds stale cross-domain references, so an
Infrastructure Master that is also a global catalog never finds anything to update.

81. What is Global Catalogue?


The global catalog is a partial, read-only replica of every object in every domain of the forest,
hosted on one or more domain controllers designated as global catalog servers (LDAP port 3268, 3269
over SSL). Each object carries only the attributes most used in searches (the partial attribute set).
It is used to search the whole forest from one server, to resolve universal group membership at logon,
and to validate user principal names (UPNs): when a UPN is created or used to log on, the global
catalog is checked to see whether that UPN already exists anywhere in the forest.

82.What is a Domain controller?


Domain controllers, which contain matching copies of the user accounts and other Active Directory
data in a given domain.

83. What is a Member server?


Member servers, which belong to a domain but do not contain a copy of the ActiveDirectory data.

84. What is standalone server?


A server that belongs to a workgroup, not a domain, is called a stand-alone server.

85. What is Main Domain Controller?


The first computer in the entire forest on which you have performed DCPROMO.

86.Who will replicate the Password changes?


The PDC emulator. A password change made on any domain controller is replicated to the PDC emulator
immediately (urgent replication) instead of waiting for the normal schedule; the other domain
controllers receive it through normal replication. A domain controller that cannot validate a password
asks the PDC emulator before rejecting the logon, so a freshly changed password works everywhere at
once.

87. What are Unicast, Multicast, and Broad cast?

Unicast:Just from one computer to one computer.

Multicast:Those who ever register for a particular multicast group to those only.

Broadcast:To all the computers.

88. What is WINS and what it does?


WINS stands for Windows Internet Name Service. It resolves NetBIOS names to IP addresses (and the
reverse) from a dynamic, replicated database, so that NetBIOS clients do not have to broadcast for
names and can find hosts on other subnets. WINS is needed only when you must reach NetBIOS resources
(older applications and hosts that rely on NetBIOS names); Active Directory clients use DNS.

89.What is NETBIOS?
NetBIOS stands for Network Basic Input Output System. It is a session-level naming and communication
interface (an API), not a transport of its own: on Windows it runs over TCP/IP (NetBT, ports 137, 138
and 139), and applications use it to find and connect to resources by NetBIOS name. Windows NT file
and print sharing was built on this interface, which is why a client connected to a server by its
NetBIOS name.

90. What is the length of NETBIOS name?


A NetBIOS name is 16 bytes long. The first fifteen characters are the name you choose (padded with
spaces if shorter); the 16th byte is a suffix that identifies the type of service being registered
(for example 0x00 workstation, 0x20 file server, 0x1C domain controllers).
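The 15-plus-1 layout, and the encoding WINS and NetBIOS name service packets actually carry, are shown
in this added example (not from the original page). The suffix values are the common Microsoft ones;
the host and domain names are constructed.

```python
"""NetBIOS names on the wire: 15 characters of name padded with spaces, a
16th suffix byte that says what service is registering, and then the
"first-level" half-ASCII encoding from RFC 1001/1002 that the NetBIOS
name service (and WINS) use inside packets.

Added example, not from the original page. Suffix values are the common
Microsoft ones; names used below are constructed.
"""

SUFFIX = {"workstation": 0x00, "messenger": 0x03, "file_server": 0x20,
          "domain_master_browser": 0x1B, "domain_controllers": 0x1C}


def netbios_name(name, suffix):
    """Build the 16-byte NetBIOS name: upper-case, space-padded to 15, + suffix."""
    name = name.upper()
    if len(name) > 15:
        raise ValueError("NetBIOS names carry at most 15 characters")
    return name.encode("ascii").ljust(15, b" ") + bytes([suffix])


def first_level_encode(raw16):
    """Each byte is split into two nibbles and each nibble is added to 'A'
    (0x41), giving 32 characters that are legal in a DNS-style label."""
    if len(raw16) != 16:
        raise ValueError("expected a 16-byte NetBIOS name")
    out = bytearray()
    for b in raw16:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return out.decode("ascii")


def first_level_decode(encoded):
    if len(encoded) != 32:
        raise ValueError("expected 32 encoded characters")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = ord(encoded[i]) - 0x41, ord(encoded[i + 1]) - 0x41
        raw.append((hi << 4) | lo)
    return bytes(raw)


def describe(raw16):
    """Split a 16-byte name back into (name, suffix, service kind)."""
    name = raw16[:15].decode("ascii").rstrip(" ")
    suffix = raw16[15]
    kind = next((k for k, v in SUFFIX.items() if v == suffix), f"0x{suffix:02X}")
    return name, suffix, kind


if __name__ == "__main__":
    for host, kind in (("fileserver01", "file_server"), ("corp", "domain_controllers")):
        raw = netbios_name(host, SUFFIX[kind])
        print(raw, first_level_encode(raw), describe(raw))
```

Note that the well-known wildcard query name "*" followed by fifteen zero bytes encodes to CK followed
by thirty A characters, which is why that string appears in NetBIOS node-status scans.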

91. What is the port used for Terminal Services?


3389

92.How to know 3389 is working or not?


netstat -an | findstr :3389 (netstat -a lists all connections and listening ports; the filter shows
whether 3389 is in the LISTENING state). From another machine, telnet <host> 3389 or, on Windows 8 /
Server 2012 and later, Test-NetConnection <host> -Port 3389 confirms that it is reachable.

93. What is hot swapping?


Replacing or adding a hard disk (other than the one the system is running from) while the computer
stays powered on; the controller and drive bay must support it.

94. What are the logical components of Active Directory?

Organizational Units, Domains, Trees, Forests

95. What are the physical components of Active Directory?


Sites, Domain Controllers, Global Catalogue servers

96. Who can create site level Group Policy?

Enterprise Admin

97. Who can create Domain lever Group Policy?

Domain Admin

98. Who can create Organization Unit lever Group Policy?

Domain Admin

99. Who can create Local Group Policy?

Local Administrator or Domain Administrator

100. What is the hierarchy of Group Policy?

Local policy

Site Policy

Domain Policy

OU Policy

Sub OU Policy (If any are there)

101. Explain about Active Directory database.

The information stored in Active Directory is held in one database file, ntds.dit, on every domain
controller. The directory is partitioned (each partition is also called a naming context) into three
categories held by every domain controller, plus optional application partitions (see the earlier
question on application partitions). They are

•Domain Partition

•Configuration Partition

•Schema Partition

Domain Partition

The domain partition contains all of the objects in the directory for a domain (users, groups,
computers, OUs). Domain data is replicated to every domain controller in that domain, but not beyond
it; only a partial attribute set of each object goes to the global catalog.

Configuration Partition

The configuration partition contains the forest-wide configuration: sites, site links, subnets, the
replication topology and the services registered in the forest. It is replicated to every domain
controller in the forest.

Schema Partition

The schema partition contains all object classes and attributes that can be created in Active
Directory. It is common to the whole forest and is replicated to every domain controller in the
forest; only the schema master accepts writes to it.
Windows DNS Server Interview Questions

102. What is the main purpose of a DNS server?


DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.

103. What is the port no of dns ?


53 (UDP for ordinary queries; TCP for zone transfers and for responses too large for UDP).

104. What is a Forward Lookup?


Resolving Host Names to IP Addresses

105. What is Reverse Lookup?


Resolving IP Addresses to Host Names

106. What is a Resource Record?


A resource record is one entry in a zone that describes one resource: a name, a record type, a TTL and
type-specific data (an address for A, a mail server for MX, and so on).

107. What are the diff. DNS Roles?


Standard Primary, Standard Secondary, & AD Integrated.

108. What is a Zone?


Zone is a sub tree of DNS database.

109. What is primary, Secondary, stub & AD Integrated Zone?


Primary Zone: – the read/write master copy of the zone, saved as a text file (<zonename>.dns) in the
%SystemRoot%\System32\dns folder on the DNS server. All changes are made here.

Secondary Zone: – a read-only copy of the zone database on another DNS server, obtained from the
master by zone transfer (AXFR/IXFR). Provides fault tolerance and load balancing by answering
authoritatively alongside the primary.

Stub zone: – a read-only copy of only the SOA, NS and glue A records of a zone, used to keep the list
of a delegated zone's name servers current and to shorten resolution for that zone. It does not hold
the zone's other data, so it provides neither fault tolerance nor load balancing for the zone itself.

AD Integrated Zone: – a primary zone stored in the Active Directory database instead of a text file.
It is multi-master (any domain controller hosting it accepts updates), replicated by AD replication to
the domain controllers chosen by the application partition, and supports secure dynamic updates, where
only the computer that registered a record may change it.

110. How do you manually create SRV records in DNS?


On a Windows server, go to Run, type dnsmgmt.msc, right-click the zone you want to add the SRV record
to and choose "Other New Records", then "Service Location (SRV)". Fill in the service (for example
_ldap), the protocol (_tcp), priority, weight, port and the host offering the service.

111. What does a zone consist of & why do we require a zone?


A zone consists of the resource records for a contiguous part of the namespace, beginning with its SOA
record. We create zones to delegate administration: each zone can be hosted and managed by a different
set of servers and administrators (for example one zone per child domain), while the whole tree still
resolves as one namespace.

112. What is Caching Only Server?


A caching-only server hosts no zones. When the DNS server role is installed on Windows 2000 or 2003
without creating any zone, the server behaves this way: it resolves queries through recursion (root
hints or forwarders), caches the answers for their TTL, and serves repeated queries for the same names
from the cache instead of querying the authoritative servers again.

113. What is forwarder?


A forwarder is another DNS server to which a DNS server sends the queries it cannot answer from its
own zones or cache, instead of walking the root hints itself. Typically a branch-office server forwards
to a central server, which in turn forwards to the ISP's servers.

114. What is secondary DNS Server?


It is backup for primary DNS where it maintains a read only copy of DNS database.

115. How to enable Dynamic updates in DNS?


Start > Programs > Administrative Tools > DNS, right-click the zone > Properties > General tab >
Dynamic updates: None, Nonsecure and secure, or Secure only (the last is available for Active
Directory-integrated zones only and is the recommended setting).
116. What are the properties of DNS server?
Interfaces, Forwarders, Advanced, Root Hints, Security, Monitoring, Event Logging, Debug Logging.

116. Properties of a Zone?


General, SOA, NAMESERVER, WINS, Security, and ZONE Transfer.

117. What is scavenging?


Finding and deleting stale dynamically registered records: records whose timestamp has not been
refreshed for longer than the zone's no-refresh plus refresh intervals (7 days each by default).
Static records, which carry no timestamp, are never scavenged.
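The aging rule behind scavenging is easy to get wrong (why a record registered at day 0 and refreshed
at day 3 can still be deleted at day 14), so here is an added example, not from the original page,
that applies the Windows no-refresh / refresh model to a constructed set of records. The 7-day defaults
and record names are sample values.

```python
"""Which dynamic DNS records a scavenging pass would delete, following the
Windows aging model: a record may be scavenged once its timestamp is older
than the zone's no-refresh interval plus refresh interval, and refresh
attempts during the no-refresh interval do not move the timestamp. Static
records (no timestamp) are never scavenged.

Added example, not from the original page; the 7-day defaults and the
record set are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)


class AgingZone:
    def __init__(self, no_refresh=NO_REFRESH, refresh=REFRESH):
        self.no_refresh, self.refresh = no_refresh, refresh
        self.records = {}          # name -> timestamp (None for static records)

    def register(self, name, now):
        """Dynamic registration (or a re-registration with changed data)."""
        self.records[name] = now

    def add_static(self, name):
        """Manually created record: no timestamp, never aged."""
        self.records[name] = None

    def refresh_record(self, name, now):
        """A client's periodic re-registration with unchanged data: ignored
        inside the no-refresh window (this is what cuts replication traffic),
        accepted once the window has passed. Returns whether it was applied."""
        ts = self.records[name]
        if ts is None or now - ts < self.no_refresh:
            return False
        self.records[name] = now
        return True

    def scavengeable(self, now):
        """Records whose timestamp is older than no-refresh + refresh."""
        cutoff = now - (self.no_refresh + self.refresh)
        return sorted(n for n, ts in self.records.items()
                      if ts is not None and ts <= cutoff)

    def scavenge(self, now):
        stale = self.scavengeable(now)
        for n in stale:
            del self.records[n]
        return stale


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    z = AgingZone()
    z.register("laptop1.corp.example", t0)
    z.register("laptop2.corp.example", t0)
    z.add_static("dc1.corp.example")
    print("refresh on day 3 applied:", z.refresh_record("laptop1.corp.example", t0 + timedelta(days=3)))
    print("refresh on day 8 applied:", z.refresh_record("laptop1.corp.example", t0 + timedelta(days=8)))
    for day in (13, 14, 22):
        print(f"day {day}: would scavenge {z.scavengeable(t0 + timedelta(days=day))}")
```

laptop1 survives the day-14 pass only because its day-8 refresh was accepted; the day-3 attempt fell
inside the no-refresh window and changed nothing, which is the behaviour to keep in mind when choosing
intervals shorter than the clients' re-registration period.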

118. What are SRV records?


SRV (service location) records tell clients which hosts provide a service, on which port, and with what
priority and weight. Active Directory registers its SRV records under six folders (subdomains) of the
domain zone, which the next question lists; they are how clients locate domain controllers, Kerberos
KDCs, the global catalog and so on.

119. What are the types of SRV records?


_msdcs: Microsoft-specific records for locating domain controllers by role (PDC, GC, DC) and by GUID.
_tcp: Global Catalog, Kerberos and LDAP service records over TCP.
_udp: Kerberos and kpasswd service records over UDP.
_sites: the same records broken down per site, so a client can find a domain controller close to it.
DomainDnsZones: the domain's DNS application partition (domain-specific records).
ForestDnsZones: the forest's DNS application partition (forest-wide records).

120. Where does a Host File Reside?


c:\windows\system32\drivers\etc.

121. What is SOA?


Start of Authority: the first record of every zone. It names the primary server for the zone and the
mailbox of the responsible person, and carries the serial number (incremented on each change, used by
secondaries to decide whether to transfer), the refresh, retry and expire timers for secondaries, and
the minimum (negative-caching) TTL.

122. What is a query?


A request from a DNS client (resolver) to a name server for the resource records of a given name and
type, for example the A record of www.example.com.

123. What are the diff. types of Queries?


Recursive queries, in which the server must return a complete answer (or an error) and does the work
of asking other servers itself, and iterative queries, in which the server returns the best answer it
has, usually a referral to other name servers, and the asker continues. Clients send recursive queries
to their DNS server; that server sends iterative queries to the root, TLD and authoritative servers.
(Inverse queries, the third type in RFC 1035, are obsolete.)

124. Tools for troubleshooting DNS?


DNS Console, NSLOOKUP, DNSCMD, IPCONFIG, Logs.

125. What is WINS server? where we use WINS server? difference between DNS and WINS?
WINS is the Windows Internet Name Service, used to resolve NetBIOS names (computer names) to IP
addresses. It is proprietary to Windows and is used on a LAN.
DNS is the Domain Name System, which resolves host names to IP addresses using fully qualified domain
names. DNS is the Internet standard for name resolution and is what Active Directory relies on.

126. How do I clear the DNS cache on the DNS server?


ipconfig /flushdns clears the client resolver cache on the machine where you run it. To clear the DNS
server's own cache, use the DNS console (right-click the server > Clear Cache) or, from a command
prompt, dnscmd /clearcache (Clear-DnsServerCache in PowerShell on Windows Server 2012 and later).

127. What is the main purpose of SRV records?


SRV records are used in locating hosts that provide certain network services.

128. What is the “.” zone in my forward lookup zone?


This setting designates the Windows 2000 or Windows Server 2003 DNS server to be a root hint
server and is usually deleted. If you do not delete this setting, you may not be able to perform external
name resolution to the root hint servers on the Internet.

129. Do I need to configure forwarders in DNS?


No. By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can
configure forwarders to send DNS queries directly to your ISP’s DNS server or other DNS servers.
Most of the time, when you configure forwarders, DNS performance and efficiency increases, but this
configuration can also introduce a point of failure if the forwarding DNS server is experiencing
problems.

The root hint server can provide a level of redundancy in exchange for slightly increased DNS traffic on
your Internet connection. Windows Server 2003 DNS will query root hints servers if it cannot query the
forwarders.

130. What is the System Startup process ?


Windows 2K boot process on a Intel architecture.

1. Power-On Self Tests (POST) are run.

2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is
run.

3. The active partition is located, and the boot sector is loaded.

4. The Windows 2000 loader (NTLDR) is then loaded.

The boot sequence executes the following steps:

1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.

2. The Windows 2000 loader starts a mini-file system.

3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections
(boot loader menu).

4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is
selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads
BOOTSECT.DOS and gives it control.

5. NTDETECT.COM scans the hardware installed in the computer, and reports the list to NTLDR for
inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.

6. NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware information collected by
NTDETECT.COM. Windows NT enters the Windows load phases.

131. How do you view replication properties for AD partitions and DCs?
With the Active Directory Replication Monitor (replmon, a GUI tool from the Windows Support Tools) or
with repadmin from the command line:
go to start > run > type replmon
go to start > run > type cmd, then repadmin /showrepl (partners and last result per partition) or
repadmin /replsummary (forest-wide summary)

132. What’s the difference between transferring a FSMO role and seizing ?
Seizing an FSMO can be a destructive process and should only be attempted if the existing server with
the FSMO is no longer available.

If you perform a seizure of the FSMO roles from a DC, you need to ensure two things:
the current holder is actually dead and offline, and that the old DC will NEVER return to the network.
If you do an FSMO role seize and then bring the previous holder back online, two DCs will each believe
they hold the role, and for the RID master and schema master that can mean duplicate SIDs or schema
conflicts. Metadata-cleanup the old DC instead of reviving it.

An FSMO role TRANSFER is the graceful movement of the role(s) from a live, working DC to another live
DC. During the process, the current holder is updated, so it becomes aware that it is no longer the
role holder.
133. I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC)

133. What is the default size of ntds.dit ?


10 MB in Server 2000 and 12 MB in Server 2003 .

134. What is the port no of Kerbrose ?


88

135. What is the port no of Global catalog ?


3268

136. What is the port no of LDAP ?


389

137. What is new features in windows server 2012?

1: DHCP load balancing and failover between two DHCP servers, without clustering.

2: NIC teaming built into the operating system.

3: Active Directory high availability and virtualization-safe domain controllers (safe cloning and
snapshot rollback detection).

4: IIS 8.0.

5: PowerShell 3.0.

6: Remote Access: a server role in Windows Server 2012 that combines the DirectAccess feature with
Routing and Remote Access (RRAS) under one console.

7: With Server 2012, Cluster Shared Volumes are officially supported for use beyond hosting virtual
hard disks for Hyper-V.

8: Hyper-V 3.0.

9: Active Directory Rights Management Services (AD RMS): the server role that provides you with
management and development tools that work with industry security technologies, including encryption,
certificates and authentication, to protect documents and mail.

10: BitLocker for Windows 8 and Windows Server 2012 (including used-disk-space-only encryption and
network unlock).

138.What is basic and dynamic disk?

Basic disks and dynamic disks are two types of hard disk configurations in Windows. Most personal
computers are configured as basic disks, which are the simplest to manage. Dynamic disks can make
use of multiple hard disks within a computer to duplicate data for increased performance and
reliability.
A basic disk uses primary partitions, extended partitions, and logical drives to organize data. A
formatted partition is also called a volume (the terms volume and partition are often used
interchangeably). In this version of Windows, basic disks can have either four primary partitions or
three primaries and one extended partition. The extended partition can contain an unlimited number of
logical drives. The partitions on a basic disk cannot share or split data with other partitions. Each
partition on a basic disk is a separate entity on the disk.

Dynamic disks can contain an unlimited number of dynamic volumes that function like the primary
partitions used on basic disks. The main difference between basic disks and dynamic disks is that
dynamic disks are able to split or share data among two or more dynamic hard disks on a computer.

139.what are backup types and what is VSS

Volume Shadow Copy Service (VSS) is a Windows service for capturing and creating snapshots called
shadow copies. VSS, which operates at the block level of the file system, provides a backup
infrastructure for Microsoft operating systems.

Windows VSS has three major components in addition to the service — writer, requester and provider.
The service sits logically in the center of the other components and handles communication between
them.

VSS writer – Each VSS-aware application installs its own VSS writer to a computer during the initial
installation.

VSS requestor – Any application that needs to quiesce data for capture (typically backup software)
can play the role of VSS requestor.

VSS provider – The provider creates and manages the shadow copies of data on the system.

140. what are different disk part commands and there functions.
Open command line->open Diskpart shell->list disk->select disk->do disk operation

ACTIVE – Mark the selected partition as active.


ADD – Add a mirror to a simple volume.
ASSIGN – Assign a drive letter or mount point to the selected volume.
ATTRIBUTES – Manipulate volume or disk attributes.*
ATTACH – Attaches a virtual disk file.*
AUTOMOUNT – Enable and disable automatic mounting of basic volumes.*
BREAK – Break a mirror set.
CLEAN – Clear the configuration information, or all information, off the disk.
COMPACT – Attempts to reduce the physical size of the file.*
CONVERT – Convert between different disk formats.
CREATE – Create a volume, partition or virtual disk. (No virtual disk management in Windows XP.)
DELETE – Delete an object.
DETAIL – Provide details about an object.
DETACH – Detaches a virtual disk file.*
EXIT – Exit Disk Part.
EXTEND – Extend a volume.
EXPAND – Expands the maximum size available on a virtual disk.*
FILESYSTEMS – Display current and supported file systems on the volume.*
FORMAT – Format the volume or partition.*
GPT – Assign attributes to the selected GPT partition.*
HELP – Display a list of commands.
IMPORT – Import a disk group.
INACTIVE – Mark the selected partition as inactive.
LIST – Display a list of objects.
MERGE – Merges a child disk with its parents.*
ONLINE – Online an object that is currently marked as offline.
OFFLINE – Offline an object that is currently marked as online.
RECOVER – Refreshes the state of all disks in the selected pack. Attempts recovery on disks in the
invalid pack, and resynchronizes mirrored volumes and RAID5 volumes that have stale plex or parity
data.*
REM – Does nothing. This is used to comment scripts.
REMOVE – Remove a drive letter or mount point assignment.
REPAIR – Repair a RAID-5 volume with a failed member.
RESCAN – Rescan the computer looking for disks and volumes.
RETAIN – Place a retained partition under a simple volume.
SAN – Display or set the SAN policy for the currently booted OS.*
SELECT – Shift the focus to an object.
SETID – Change the partition type.*
SHRINK – Reduce the size of the selected volume.*
UNIQUEID – Displays or sets the GUID partition table (GPT) identifier or master boot record (MBR)
signature of a disk.*

141. How can we know if specific port is open or not

With telnet: telnet 172.18.64.36 80 (a blank screen or a banner means the port accepted the
connection; a "Could not open connection" error means it is closed or filtered). On newer Windows
versions, where the telnet client is not installed by default, Test-NetConnection 172.18.64.36 -Port
80 in PowerShell does the same check.

Well-known ports you can check this way:

 21 FTP
 22 SSH (SFTP over SSH uses this port)
 23 TELNET
 25 SMTP
 53 DNS
 80 HTTP
 110 POP3
 115 SFTP (Simple File Transfer Protocol, not SSH file transfer)
 135 MS-RPC endpoint mapper
 139 NetBIOS session service
 143 IMAP
 194 IRC
 443 HTTPS (HTTP over SSL/TLS)
 445 SMB (direct hosting over TCP)
 1433 MSSQL
 3306 MySQL
 3389 Remote Desktop
 5632 pcAnywhere
 5900 VNC
 6112 Warcraft III
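Telnet only tells you "connected" or "could not open", and it is missing on newer systems. The
following is an added example, not code from the original page: a TCP port check that distinguishes
open (handshake completed), closed (RST received) and filtered (no answer before the timeout), which is
also the distinction behind question 92. The self-test binds a throwaway listener on 127.0.0.1 so it
runs offline; the service names are the corrected list above.

```python
"""Check whether a TCP port is open without telnet: attempt a connection
with a timeout and classify the outcome.

Added example, not from the original page. The LocalListener helper binds
a throwaway socket on 127.0.0.1 so the check can be exercised offline.
"""
import socket

# Port-to-service map (a subset of the page's list, with corrected names).
COMMON_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
                80: "HTTP", 110: "POP3", 135: "MS-RPC endpoint mapper",
                139: "NetBIOS session", 143: "IMAP", 389: "LDAP", 443: "HTTPS",
                445: "SMB", 1433: "MSSQL", 3268: "Global Catalog",
                3306: "MySQL", 3389: "RDP", 5900: "VNC"}


def check_port(host, port, timeout=2.0):
    """Return 'open' (handshake completed), 'closed' (RST received),
    'filtered' (nothing came back before the timeout) or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:            # unreachable network, bad host name, etc.
        return "error"


def describe(host, port, timeout=2.0):
    service = COMMON_PORTS.get(port, "unknown service")
    return f"{host}:{port} ({service}) is {check_port(host, port, timeout)}"


class LocalListener:
    """Throwaway TCP listener on 127.0.0.1 on a free port, for offline tests."""
    def __enter__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        return self

    def __exit__(self, *exc):
        self.sock.close()


def find_unused_port():
    """Bind and immediately release a port so that a 'closed' result can be shown."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    with LocalListener() as listener:
        print(describe("127.0.0.1", listener.port))    # open
    print(describe("127.0.0.1", find_unused_port()))   # closed
    print(describe("127.0.0.1", 3389))                 # whatever this host does
```

A "filtered" result usually means a firewall silently drops the SYN, while "closed" means the host is
reachable but nothing listens there; keeping the two apart saves a lot of guesswork when a service
seems down.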
