
1/24/2019 Active Directory L2 and L3 Interview Question and Answer

1) Describe the FSMO (Flexible Single Master Operation) and its roles.
Forest-wide operations master roles are Schema Master and Domain Naming Master.
Domain-wide operations master roles are RID Master, PDC Emulator Master and Infrastructure Master.

RID Master - The domain controller assigned to allocate sequences of relative IDs to each domain controller in its domain. Whenever a DC creates a security principal object (user, group, etc.), the RID DC assigns the object a unique security ID (SID).
PDC Emulator - The PDC emulator handles password authentication requests involving passwords that have recently changed and have not yet replicated. At any time, the PDC emulator master role can be assigned to only one domain controller in each domain.
Infrastructure Master (IM) - The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Domain Naming Master - The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
Schema Master - The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. Run regsvr32 schmmgmt.dll to register the Schema snap-in.

02) What is Adprep.exe, and what does it do?

Adprep.exe is a rollup of all previous versions of this tool. In other words, if you currently have domain controllers that run Windows Server 2003 and you want to add domain controllers that run Windows Server 2008 R2, you only have to run Adprep.exe from the Windows Server 2008 R2 OS disk.

- It is not necessary to run the version from Windows Server 2008, because the version in Windows Server 2008 R2 includes all the changes from previous versions.
- Beginning with Windows Server 2012, Adprep.exe is integrated into the AD DS installation process and runs automatically as needed.

What does Adprep do - Adprep.exe has parameters that perform a variety of operations that help prepare an existing Active Directory environment:
- Updating the Active Directory schema
- Updating security descriptors
- Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
- Creating new objects, as needed
- Creating new containers, as needed

The command parameters are:

adprep /forestprep (once for the entire forest) - Must be run on the schema operations master for the forest.
Verify - https://technet.microsoft.com/en-in/library/dd464018(v=ws.10).aspx#BKMK_VerifyForestPrep

https://www.youritadmin.com/interview-qa/37-active-directory-l2-and-l3-interview-question-and-answer 1/2
ADSIEdit.msc | Configuration | CN=ForestUpdates, CN=ActiveDirectoryUpdate | Properties | revision - 2 (2K8), 5 (2K8R2), 11 (2K12), 15 (2K12R2)
Permission - Schema or Enterprise Admins, Domain Admins of the domain that hosts the schema master

adprep /domainprep (once in each domain) - Run on the infrastructure operations master for the domain.
Verify - https://technet.microsoft.com/en-in/library/dd464018(v=ws.10).aspx#BKMK_VerifyDomainPrep
ADSIEdit.msc | Default naming context | CN=System, CN=DomainUpdates, CN=ActiveDirectoryUpdate | Properties | revision - 3 (2K8), 5 (2K8R2), 9 (2K12), 10 (2K12R2)
Permission - Domain Admins

Logs - C:\Windows\Debug\Adprep\Logs

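
The ADSIEdit revision checks above can also be read from PowerShell. This is an added example, not part of the original page: it assumes the ActiveDirectory (RSAT) module and a domain-joined session, and the function name Get-AdprepRevision is hypothetical. It also lists the FSMO role holders from question 1, since adprep /forestprep must run on the schema master and adprep /domainprep on the infrastructure master.

```powershell
# Added example: read the adprep revision markers and the FSMO role holders
# with the ActiveDirectory module instead of browsing to them in ADSIEdit.msc.
Import-Module ActiveDirectory

# Revision -> OS level, using only the values listed on this page.
$forestLevels = @{ 2 = '2K8'; 5 = '2K8R2'; 11 = '2K12'; 15 = '2K12R2' }
$domainLevels = @{ 3 = '2K8'; 5 = '2K8R2'; 9  = '2K12'; 10 = '2K12R2' }

# Hypothetical helper: returns the revision attribute and its mapped level.
function Get-AdprepRevision {
    param([string]$DistinguishedName, [hashtable]$Levels)
    try {
        $obj = Get-ADObject -Identity $DistinguishedName -Properties revision -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The marker object is absent: this adprep step has not been run.
        return [pscustomobject]@{ DN = $DistinguishedName; Revision = $null; Level = 'not prepared' }
    }
    $rev   = [int]$obj.revision
    $level = if ($Levels.ContainsKey($rev)) { $Levels[$rev] } else { 'not in page table' }
    [pscustomobject]@{ DN = $DistinguishedName; Revision = $rev; Level = $level }
}

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest
$domain  = Get-ADDomain

# Same objects as the ADSIEdit paths above, written as distinguished names.
$forestDn = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($rootDse.configurationNamingContext)"
$domainDn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($rootDse.defaultNamingContext)"

Get-AdprepRevision -DistinguishedName $forestDn -Levels $forestLevels | Format-List
Get-AdprepRevision -DistinguishedName $domainDn -Levels $domainLevels | Format-List

# Role holders: /forestprep targets SchemaMaster, /domainprep targets InfrastructureMaster.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List
```
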
03) Describe the AD replication model.
Multimaster replication - A replication model in which any domain controller accepts and replicates directory changes to any other domain controller. All domain controllers accept LDAP requests for changes to attributes of Active Directory objects for which they are authoritative, subject to security constraints that are in place. Each originating update is replicated to one or more other domain controllers, which record it as a replicated update.
Pull replication - Domain controllers request (pull) updates from replication partners. When an update occurs on a domain controller, it notifies its replication partner. The partner domain controller responds by requesting (pulling) the changes from the source domain controller.

Note: The domain controller in which a change originates does not "push" the change unsolicited to other domain controllers.

State-based replication - Instead of storing a full change log, each directory partition replica stores per-object and per-attribute data to support replication.
Store-and-forward replication - Changes are not sent directly from one domain controller to all other domain controllers. Instead, a change is sent directly to only a subset of domain controllers. This subset of domain controllers is responsible for sending the change to other domain controllers, and so on, until the change has reached every domain controller.
Single-master replication - A type of replication where one domain controller is the master domain controller and operations are not permitted to occur at different places in a network at the same time. In Active Directory, one or more domain controllers can be assigned to perform single-master replication.
