Active Directory enables single sign on to access resources on the network such as desktops, shared
files, printers etc. Active Directory provides advanced security for the entire network and network
resources. Active Directory is more scalable and flexible for administration.
2. What do you mean by Active Directory functional levels? How do they help an organization's network functionality?
Functional levels allow the coexistence of Active Directory versions such as Windows NT, Windows 2000 Server, Windows Server 2003 and Windows Server 2008. The functional level of a domain or forest controls which advanced features are available in that domain or forest. Although the lowest functional levels allow coexistence with legacy Active Directory, they disable some of the newer Active Directory features. If you are setting up a new Active Directory environment with the latest version of Windows Server and AD, you can set the highest functional level so that all the new AD functionality is enabled.
3. What are the Domain and Forest functional levels of Windows Server 2003 AD?
Windows Server 2003 Domain Functional Levels: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.
Forest Functional Levels: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003.
4. What are the Domain and Forest functional levels of Windows Server 2008 AD?
Windows Server 2008 Domain Functional Levels: Windows 2000 Native, Windows Server 2003,
Windows Server 2008, Windows Server 2008 R2.
Forest Functional Levels: Windows 2000, Windows Server 2008, Windows Server 2008 R2.
5. How do you add an additional Domain Controller in a remote site with a slower WAN link?
It is possible to take a backup copy of an existing Domain Controller and restore it on a Windows Server machine in the remote location that has the slower WAN link.
8. What is an FSMO role? (Or: what are Single Master Operations / Flexible Single Master Operations / Operations Master Roles / SMO / OMR?)
Flexible Single-Master Operation (FSMO) roles manage aspects of the domain or forest that are not suited to multi-master replication; to prevent conflicts, each role is handled by a single domain controller in the domain or forest.
There are 5 FSMO roles. The Schema Master and Domain Naming Master roles are each handled by a single domain controller in the forest, and the PDC Emulator, RID Master and Infrastructure Master roles are each handled by a single domain controller in each domain.
9.Explain Infrastructure Master Role. What will be the impact if DC with Infrastructure Master
Role goes down?
Infrastructure master role is a domain-specific role and its purpose is to ensure that cross-domain
object references are correctly handled. For example, if you add a user from one domain to a security
group from a different domain, the Infrastructure Master makes sure this is done properly.
The Infrastructure Master has nothing to do in a single-domain environment, so if the domain controller holding the role goes down in a single-domain environment there is no impact at all. In a more complex environment with multiple domains, its loss may impact the creation and modification of groups and group authentication.
12. I want to promote a new additional Domain Controller in an existing domain. Which are the
groups I should be a member of?
You should be a member of the Enterprise Admins group or the Domain Admins group. You should also be a member of the local Administrators group of the member server that you are going to promote as an additional Domain Controller.
13. Tell me the easiest way to check all 5 FSMO roles.
Try the netdom query /domain:YourDomain FSMO command. It lists the domain controllers holding each FSMO role.
15. Can I configure two Infrastructure Master roles in a forest? If yes, please explain.
There should be only one Domain Controller handling the Infrastructure Master role in a domain. Hence, if you have two domains in a forest, you can configure two Infrastructure Masters, one in each domain.
16. What will be the impact on the network if the Domain Controller with the PDC Emulator role crashes?
If the PDC Emulator crashes there is an immediate impact on the environment. User authentication will fail, as password changes won't take effect, and there will be frequent account lockout issues. Network time synchronization will be impacted. It will also impact DFS consistency and Group Policy replication.
19. What are the Active Directory partitions? (Or: what are Active Directory Naming Contexts? Or: what is an AD NC?)
The Active Directory database is divided into different partitions: the Schema partition, the Domain partition, and the Configuration partition. Apart from these partitions, we can create Application partitions based on requirements.
26. Explain how to restore Active Directory using the command line.
We can use the NTDSUTIL command line tool to perform an authoritative restore of Active Directory. First, start the domain controller in Directory Services Restore Mode. Then restore the System State data of the domain controller using the NTBACKUP tool; this is a non-authoritative restore. Once the non-authoritative restore is completed, we have to perform the authoritative restore immediately, before restarting the Domain Controller.
Open a command prompt, type NTDSUTIL and press Enter, then type authoritative restore and press Enter, then type restore database and press Enter, click OK and then click Yes. This restores all the data in authoritative restore mode. If you want to restore only a specific object or sub-tree, type the command below instead of 'restore database':
restore subtree ou=OU_Name,dc=Domain_Name,dc=xyz
32. Is Lost and Found Container included in Windows Server 2008 AD?
Yes, it is included.
37. How do you check the current forest and domain functional levels? Describe both GUI and command line.
To find out the forest and domain functional levels in GUI mode, open ADUC, right-click the domain name and choose Properties. Both the domain and forest functional levels are listed there. To find out the forest and domain functional levels from the command line, you can use the DSQUERY command.
39.What are the tools used to check and troubleshoot replication of Active Directory?
We can use command line tools such as repadmin and dcdiag. GUI tool REPLMON can also be used
for replication monitoring and troubleshooting.
41. What is the use of Kerberos in Active Directory? Which port is used for Kerberos
communication?
Kerberos is a network authentication protocol. Active Directory uses Kerberos for user and resource
authentication and trust relationship functionality. Kerberos uses port number 88.
42. Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos 5.
43. Name a few port numbers related to Active Directory.
Kerberos 88
LDAP 389
DNS 53
SMB 445
44. What is an FQDN?
FQDN stands for Fully Qualified Domain Name. It is a name in the Domain Name System hierarchy whose leftmost label identifies a device in the domain.
51. What is ADAC?
ADAC (Active Directory Administrative Center) is a GUI tool that came with Windows Server 2008 R2 and provides an enhanced data management experience for the admin. ADAC helps administrators perform common Active Directory object management tasks across multiple domains from the same ADAC instance.
52. What is the use of ADSIEDIT? How do we install it in Windows Server 2003 AD?
ADSIEDIT (Active Directory Service Interfaces Editor) is a GUI tool used to perform advanced AD object and attribute management. This Active Directory tool lets us view objects and attributes that are not visible through the normal Active Directory management consoles. ADSIEDIT can be downloaded and installed along with the Windows Server 2003 Support Tools.
53. I am unable to create a Universal security group in my Active Directory. What is the possible reason?
This is due to the domain functional level. If the domain functional level of a Windows Server 2003 AD is Windows 2000 mixed, the Universal group option is greyed out. You need to raise the domain functional level to Windows 2000 native or above.
55. What do you mean by Lingering Objects in AD? How to remove Lingering Objects?
When a domain controller is disconnected for a period that is longer than the tombstone life time, one
or more objects that are deleted from Active Directory on all other domain controllers may remain on
the disconnected domain controller. Such objects are called lingering objects. Lingering objects can be
removed from Windows Server 2003 or 2008 using REPADMIN utility.
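As an added example (not from the original page) tying questions 39 and 55 together: a PowerShell check, using the ActiveDirectory module's replication cmdlets, that reads the forest's tombstone lifetime and flags replication partners whose last successful replication is older than it, which is exactly the condition under which lingering objects appear. It assumes Windows Server 2012 or later DCs and read access to the forest.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory
# module (the Get-ADReplication* cmdlets need Windows Server 2012 or later)
# and read access to the forest. Nothing is modified.
Import-Module ActiveDirectory

function Get-ReplicationStaleness {
    [CmdletBinding()]
    param(
        # Forest-wide scan by default; pass a DC name with -Scope Server
        # to check a single domain controller.
        [string]$Target = (Get-ADForest).Name,
        [ValidateSet('Server', 'Domain', 'Forest')]
        [string]$Scope = 'Forest'
    )

    # The tombstone lifetime is stored on the Directory Service object in the
    # configuration partition. When the attribute is absent, the documented
    # default is 60 days.
    $rootDse = Get-ADRootDSE
    $dsDn    = 'CN=Directory Service,CN=Windows NT,CN=Services,' + $rootDse.configurationNamingContext
    $dsObj   = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
    $tsl     = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
    $now     = Get-Date

    Get-ADReplicationPartnerMetadata -Target $Target -Scope $Scope | ForEach-Object {
        $age = if ($_.LastReplicationSuccess) { ($now - $_.LastReplicationSuccess).Days } else { $null }

        # A partner that has not replicated successfully for longer than the
        # tombstone lifetime may hold lingering objects (question 55).
        $state = 'OK'
        if ($null -eq $age) { $state = 'NeverReplicated' }
        elseif ($age -gt $tsl) { $state = 'BeyondTombstoneLifetime' }
        elseif ($_.LastReplicationResult -ne 0) { $state = 'Failing' }

        [PSCustomObject]@{
            Server                = $_.Server
            Partner               = $_.Partner
            Partition             = $_.Partition
            DaysSinceSuccess      = $age
            LastResult            = $_.LastReplicationResult
            ConsecutiveFailures   = $_.ConsecutiveReplicationFailures
            TombstoneLifetimeDays = $tsl
            State                 = $state
        }
    }
}

# Usage: list only the partners that need attention.
Get-ReplicationStaleness | Where-Object State -ne 'OK' | Format-Table -AutoSize
```

The same information is what repadmin /showrepl prints per partner; this script only adds the comparison against the tombstone lifetime.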
56.Explain Global Catalog. What kind of AD infrastructure makes most use of Global Catalog?
The Global catalog is a container which contains a searchable partial replica of all objects from all
domains of the forest, and full replica of all objects from the domain where it is situated. The global
catalog is stored on domain controllers that have been designated as global catalog servers and is
distributed through multimaster replication. Global catalogs are mostly used in multidomain, multisite
and complex forest environment, whereas Global catalog does not function in a single domain forest.
57. The Global Catalog and Infrastructure Master roles cannot be configured on the same Domain Controller. Why?
1. The GC holds the membership of universal groups, while the Infrastructure Master holds group information at the domain level.
2. We can't set the Infrastructure Master and the GC together on the same DC. If the Infrastructure Master and the GC are on the same server, the Infrastructure Master will not function, because it will never find data that is out of date.
To check replication you can run C:\>repadmin /showreps domain_controller, or use Replmon.exe for the same purpose, or AD Sites and Services, or nslookup gc._msdcs.
To find the GCs from the command line you can use the DSQUERY command: dsquery server -isgc lists the GCs; to find all the GCs in the forest, use dsquery server -forest -isgc.
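As an added example (not from the original page) covering questions 13, 37, 57 and 80 at once: a PowerShell report, using the ActiveDirectory module, that lists every FSMO role holder and the forest and domain functional levels, and warns when the Infrastructure Master sits on a Global Catalog in a forest with more than one domain. It assumes read access to the forest.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory
# module and read access to the forest. Nothing is modified.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    [CmdletBinding()]
    param()

    $forest      = Get-ADForest
    $multiDomain = @($forest.Domains).Count -gt 1

    # Forest-wide roles (one holder per forest) plus the forest functional level.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [PSCustomObject]@{
            Scope   = $forest.Name
            Level   = $forest.ForestMode
            Role    = $role
            Holder  = $forest.$role
            IsGC    = $forest.GlobalCatalogs -contains $forest.$role
            Warning = ''
        }
    }

    # Domain-wide roles (one holder per domain) plus each domain functional level.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $holder  = $domain.$role
            $isGc    = $forest.GlobalCatalogs -contains $holder
            $warning = ''
            # The conflict only matters when the forest has more than one domain
            # (question 80) and not every DC in this domain is a GC; if all DCs
            # are GCs there are no stale cross-domain references left to update.
            if ($role -eq 'InfrastructureMaster' -and $isGc -and $multiDomain -and -not $allGc) {
                $warning = 'Infrastructure Master on a GC in a multi-domain forest; cross-domain references will not be updated'
            }
            [PSCustomObject]@{
                Scope   = $domain.DNSRoot
                Level   = $domain.DomainMode
                Role    = $role
                Holder  = $holder
                IsGC    = $isGc
                Warning = $warning
            }
        }
    }
}

Test-FsmoPlacement | Format-Table -AutoSize
```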
60. What is the default location of Active Directory? What are the main files related to AD?
The actual database file is %SystemRoot%\ntds\NTDS.DIT.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or
actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO
roles from the default holder DC to a different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO role holder are
online and operational is called Transferring, and is described in the Transferring FSMO Roles article.
However, when the original FSMO role holder went offline or became non-operational for a long period
of time, the administrator might consider moving the FSMO role from the original, non-operational
holder, to a different DC. The process of moving the FSMO role from a non-operational role holder to a
different DC is called Seizing, and is described in this article.
If a DC holding an FSMO role fails, the best thing to do is to try to get the server online again. Since none of the FSMO roles is immediately critical (well, almost none: the loss of the PDC Emulator role can become a problem unless you fix it in a reasonable amount of time), it is not a problem for them to be unavailable for hours or even days.
If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles to a reliable
computer. Administrators should use extreme caution in seizing FSMO roles. This operation, in most
cases, should be performed only if the original FSMO role owner will not be brought back into the
environment. Only seize a FSMO role if absolutely necessary when the original role holder is not
connected to the network.
Windows 2000 domain controllers each create Active Directory replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory replication connection objects for the appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG). The ISTG is used for replication between sites, i.e. intersite replication. It automatically selects the bridgehead server that will be authorized to replicate information to the bridgehead server of another site. If the bridgehead server goes down, the ISTG designates a new server to take its place; the administrator need not intervene and replication continues without problems.
1. Local Group Policy object: each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.
2. Site: any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order specified by the administrator on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: processing of multiple domain-linked GPOs is in the order specified by the administrator on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can
be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is
specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in
GPMC. The GPO with the lowest link order is processed last, and therefore has the highest
precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational
unit of which the computer or user is a direct member are processed last, which overwrites settings in
the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are
merely aggregated.)
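As an added example (not from the original page) of the processing order just described: a PowerShell function, using the GroupPolicy module's Get-GPInheritance cmdlet, that walks from the domain down the OU chain of a given object DN and emits the GPO links in processing order, so the last row is the one that wins conflicts. It assumes a DN without escaped commas; the DN in the usage line is a constructed placeholder, site-linked GPOs (step 2) are not included, and Enforced links and Block Inheritance are reported but not applied to the order.

```powershell
# Added example, not from the original page. Requires the GroupPolicy module
# (RSAT / GPMC). gpresult /r on the client shows the final applied result.
Import-Module GroupPolicy

function Get-GpoProcessingOrder {
    param(
        # Distinguished name of the user or computer object.
        [Parameter(Mandatory)][string]$DistinguishedName
    )

    # Split the DN into RDNs (assumes no escaped commas in names).
    $rdns     = $DistinguishedName -split ',(?=(?:OU|DC|CN)=)'
    $domainDn = ($rdns | Where-Object { $_ -like 'DC=*' }) -join ','
    $ouRdns   = @($rdns | Where-Object { $_ -like 'OU=*' })

    # Container chain: domain first, then OUs from the top of the tree down to
    # the OU that directly contains the object (the "LSDOU" order in the text).
    $containers = @($domainDn)
    $suffix = $domainDn
    for ($i = $ouRdns.Count - 1; $i -ge 0; $i--) {
        $suffix = "$($ouRdns[$i]),$suffix"
        $containers += $suffix
    }

    # Step 1 is always the local GPO.
    $step = 1
    [PSCustomObject]@{
        Step = $step; Container = '(local)'; LinkOrder = $null
        Gpo = 'Local Group Policy'; Enabled = $true; Enforced = $false; BlocksInheritance = $false
    }

    foreach ($container in $containers) {
        $inh = Get-GPInheritance -Target $container
        # The highest link order is processed first; link order 1 is processed
        # last and therefore wins any conflict, exactly as the text describes.
        foreach ($link in ($inh.GpoLinks | Sort-Object Order -Descending)) {
            $step++
            [PSCustomObject]@{
                Step              = $step
                Container         = $container
                LinkOrder         = $link.Order
                Gpo               = $link.DisplayName
                Enabled           = $link.Enabled
                Enforced          = $link.Enforced
                BlocksInheritance = $inh.GpoInheritanceBlocked
            }
        }
    }
}

# Constructed placeholder DN; substitute a real user or computer DN.
Get-GpoProcessingOrder 'CN=jdoe,OU=Sales,OU=Corp,DC=example,DC=com' | Format-Table -AutoSize
```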
CSVDE is the type of program that you learn for a specific task and then forget about. Therefore, what
you need are a few tried and tested examples to get started. The classic job for CSVDE is to import
user accounts into a Windows domain. While I often use CSVDE to create users on my test network,
my main use for CSVDE is to research LDAP names. What I do is a quick export of Active Directory
into a .csv file. I then open that .csv export file with Excel and study the LDAP fields in the first row of
the spreadsheet.
66. What are the replication intervals for intersite and intrasite replication? Is there any change between 2003 and 2008?
Replication between two sites is known as intersite replication. Since bandwidth between two different sites is usually very limited, intersite replication is used to manage and control replication traffic.
Only one domain controller per site is used to replicate to another site (a process called intersite replication); it may be a bridgehead server (a DC selected to replicate from the site) or a DC selected by the ISTG if enabled. Within a site, many DCs take part in intrasite replication.
67. What is Active Directory application partition? What are the uses of it?
Schema Partition
Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. It contains definitions of all objects and attributes that can be created in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest.
Configuration Partition
There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each domain, and which services are available. Configuration information is replicated to all domain controllers in a forest.
Domain Partition
Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in
a given domain. A domain partition contains information about users, groups, computers, and
organizational units. The domain partition is replicated to all domain controllers of that domain. All
objects in every domain partition in a forest are stored in the global catalog with only a subset of their
attribute values.
Application Partition
Application partitions store information about applications in Active Directory. Each application
determines how it stores, categorizes, and uses application specific information. To prevent
unnecessary replication to specific application partitions, users can designate which domain controllers
in a forest host specific application partitions. Unlike a domain partition, an application partition cannot
store security principal objects, such as user accounts. In addition, the data in an application partition
is not stored in the global catalog.
As an example of application partitions, if Domain Name System (DNS) integrated with Active Directory is used, there are two application partitions for DNS zones, ForestDNSZones and DomainDNSZones:
• ForestDNSZones is part of a forest. All domain controllers and DNS servers in a forest receive a replica of this partition. This forest-wide application partition stores the forest zone data.
• DomainDNSZones is unique for each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. This application partition stores the domain DNS zone in DomainDNSZones.<domain name>.
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for virtualization) but only on 64bit
versions. More and more companies are seeing this as a way of reducing hardware costs by running
several ‘virtual’ servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role, such as
for a DHCP, DNS or print server)
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection – Microsoft’s system for ensuring that clients connecting to Server 2008
are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell – Microsoft’s command line shell and scripting language has proved popular with some
server administrators.
9. IIS 7 .
10. BitLocker: system drive encryption can be a sensible security measure for servers located in remote branch offices.
The main differences between 2003 and 2008 are virtualization and management; 2008 has more built-in components and updated third-party drivers.
11. Windows Aero.
In the original implementation of DNS found in RFCs 1034 and 1035, two different types of zones were
defined:
Primary zones, which store their zone information in a writable text file on the name server.
Secondary zones, which store their zone information in a read-only text file on the name server.
It holds information for business-critical links such as gmail or yahoo, because all the important URL information is held there. If your bridgehead server is down, all queries will still work with the stub zone.
A (type 1): Host's IP address
NS (type 2): Host's or domain's name server(s)
DHCP is the Dynamic Host Configuration Protocol. DHCP assigns IP (Internet Protocol) addresses inside the network; it is used to assign IP addresses to hosts or workstations on the network. A host may get a different IP address every time it connects to the network (this is how a DHCP server works).
Answer: 8 days
You should memorize the DHCP terms listed in Table 1, because you need to know them for the
exam.
Important DHCP Terms
Scope: A full range of IP addresses that can be leased from a particular DHCP server.
Superscope: A grouping of scopes used to support logical IP subnets that exist on one physical IP subnet (called a multinet).
Multicast Scope: A scope that contains multicast IP addresses, which treat multicast clients as a group. Multicast is an extension of DHCP and uses a multicast address range of 224.0.0.0 to 239.255.255.255.
Address Pool: The IP addresses in a scope that are available for lease.
Exclusion Range: A group of IP addresses in the scope that are excluded from leasing. Excluded addresses are normally used to give hardware devices, such as routers, a static IP address.
Reservation: A means for assigning a permanent IP address to a particular client, server, or hardware device. Reservations are typically made for servers or hardware devices that need a static IP address.
Lease: The amount of time that a client may use an IP address before the client must re-lease the IP address or request another one.
78. What roles will an additional child Domain Controller have by default?
By default it won't get any role. But if you want to assign one, you can transfer it from the main child domain controller.
Explain the activities of each role.
1) Schema Master: it governs the Active Directory schema for all the Domain Controllers in a forest.
2) Domain Naming Master: maintains unique domain names in a forest to avoid duplication.
4) PDC Emulator: if the PDC is upgraded to Windows 2000 it will send data to the BDCs on the network (replication of the user database). If a user's password does not match in a particular domain, the emulator of the first Domain Controller (master Domain Controller) is contacted.
5) Infrastructure Master: maintains the infrastructure group files properly on the master Domain Controller.
80. What are the roles that must not be on the same Domain Controller?
Infrastructure Master and Global Catalog.
Note: if you have only one domain you won't get any problem even if you have both of them on the same server. If you have two or more domains in a forest, they shouldn't be on the same server.
Multicast: delivered only to those hosts that have registered for a particular multicast group.
89. What is NetBIOS?
NetBIOS stands for Network Basic Input Output System. It is a naming interface: the interface by which a client connects to the lower levels of the TCP/IP model to be able to communicate and access resources. We share resources with the NetBIOS interface in Windows NT. This means that we use the NetBIOS name to connect the client to the server.
Organizational Units, Domains, Trees, Forests
Enterprise Admin
Domain Admin
Domain Admin
Local policy
Site Policy
Domain Policy
OU Policy
The information stored in the Active Directory is called Active Directory database. The information
stored in the Active Directory (i. e., Active directory database) on every domain controller in the forest
is partitioned into three categories. They are
•Domain Partition
•Configuration Partition
•Schema Partition
Domain Partition
The domain partition contains all of the objects in the directory for a domain. Domain data in each
domain is replicated to every domain controller in that domain, but not beyond its domain.
Configuration Partition
Schema Partition
The schema partition contains all object types and their attributes that can be created in Active
Directory. This data is common to all domain controllers in the domain tree or forest, and is replicated
by Active Directory to all the domain controllers in the forest.
Windows DNS Server Interview Questions
Secondary zone: maintains a read-only copy of the zone database on another DNS server. Provides fault tolerance and load balancing by acting as a backup server to the primary server.
Stub zone: contains a copy of the name server and SOA records, used for reducing DNS search orders. Provides fault tolerance and load balancing.
125. What is a WINS server? Where do we use a WINS server? What is the difference between DNS and WINS?
WINS is the Windows Internet Name Service, used to resolve NetBIOS (computer) names to IP addresses. It is proprietary to Windows, and you can use it in a LAN.
DNS is the Domain Name System, which resolves host names to IP addresses. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names.
The root hint server can provide a level of redundancy in exchange for slightly increased DNS traffic on
your Internet connection. Windows Server 2003 DNS will query root hints servers if it cannot query the
forwarders.
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is
run.
1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections
(boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is
selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads
BOOTSECT.DOS and gives it control.
5. NTDETECT.COM scans the hardware installed in the computer, and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.
6. NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware information collected by
NTDETECT.COM. Windows NT enters the Windows load phases.
131. How do you view replication properties for AD partitions and DCs?
By using Replication Monitor:
go to Start > Run > type repadmin
go to Start > Run > type replmon
132. What's the difference between transferring an FSMO role and seizing it?
Seizing an FSMO role can be a destructive process and should only be attempted if the existing server holding the FSMO role is no longer available.
If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: that the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role seize and then bring the previous holder back online, you'll have a problem.
An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC. During the process, the current DC holding the role(s) is updated, so it becomes aware that it is no longer the role holder.
133. I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of your DC)
2: NIC teaming
4: It supports IIS v8
6: DirectAccess: Remote Access is a network service in Windows Server 2012 that combines the DirectAccess feature
7: With Server 2012, Cluster Shared Volumes are officially supported for use beyond hosting virtual hard disks for Hyper-V.
8: Hyper-V 3.0
9: Active Directory Rights Management Services (AD RMS): the server role that provides you with management and development tools that work with industry security technologies—including encryption, certificates, and authentication
Basic disks and dynamic disks are two types of hard disk configurations in Windows. Most personal
computers are configured as basic disks, which are the simplest to manage. Dynamic disks can make
use of multiple hard disks within a computer to duplicate data for increased performance and
reliability.
A basic disk uses primary partitions, extended partitions, and logical drives to organize data. A
formatted partition is also called a volume (the terms volume and partition are often used
interchangeably). In this version of Windows, basic disks can have either four primary partitions or
three primaries and one extended partition. The extended partition can contain an unlimited number of
logical drives. The partitions on a basic disk cannot share or split data with other partitions. Each
partition on a basic disk is a separate entity on the disk.
Dynamic disks can contain an unlimited number of dynamic volumes that function like the primary
partitions used on basic disks. The main difference between basic disks and dynamic disks is that
dynamic disks are able to split or share data among two or more dynamic hard disks on a computer.
Volume Shadow Copy Service (VSS) is a Windows service for capturing and creating snapshots called
shadow copies. VSS, which operates at the block level of the file system, provides a backup
infrastructure for Microsoft operating systems.
Windows VSS has three major components in addition to the service — writer, requester and provider.
The service sits logically in the center of the other components and handles communication between
them.
VSS writer – Each VSS-aware application installs its own VSS writer to a computer during the initial
installation.
VSS requestor – Any application that needs to quiesce data for capture can play the role of VSS requestor.
VSS provider – The provider creates and manages the shadow copies of data on the system.
140. What are the different DiskPart commands and their functions?
Open a command line -> open the DiskPart shell -> list disk -> select disk -> perform the disk operation
21 FTP
22 SSH
23 TELNET
25 SMTP
53 DNS
80 HTTP
110 POP3
115 SFTP
135 RPC
139 NetBIOS
143 IMAP
194 IRC
443 SSL
445 SMB
1433 MSSQL
3306 MySQL
3389 Remote Desktop
5632 PCAnywhere
5900 VNC
6112 Warcraft III