system administrator interview question

with answer Part -1

Posted on March 19, 2009. Filed under: Interview Question | Tags: Interview Question |

KCC
The KCC is a built-in process that runs on all domain controllers and generates
replication topology for the Active Directory forest. The KCC creates separate replication
topologies depending on whether replication is occurring within a site (intrasite) or
between sites (intersite). The KCC also dynamically adjusts the topology to
accommodate new domain controllers, domain controllers moved to and from sites,
changing costs and schedules, and domain controllers that are temporarily unavailable.

How do you view replication properties for AD?

By using Active Directory Replication Monitor.
Start–> Run–> Replmon

What are sites What are they used for?

One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows
administrators to configure Active Directory access and replication topology to take
advantage of the physical network.

Name some OU design considerations?

OU design requires balancing requirements for delegating administrative rights –
independent of Group Policy needs – and the need to scope the application of Group
Policy. The following OU design recommendations address delegation and scope issues:
Applying Group Policy An OU is the lowest-level Active Directory container to which
you can assign Group Policy settings. Delegating administrative authority usually don’t
go more than 3 OU levels

http://technet.microsoft.com/en-us/library/cc783140.aspx

What are FMSO Roles? List them.

Fsmo roles are server roles in a Forest
There are five types of FSMO roles
1-Schema master
2-Domain naming master
3-Rid master
4-PDC Emullator
5-Infrastructure master

Logical Diagram of Active Directory ?, What is the difference between child domain
& additional domain Server?
Well, if you know what a domain is then you have half the answer. Say you have the
domain Microsoft.com. Now microsoft has a server named server1 in that domain, which
happens to the be parent domain. So it’s FQDN is server1.microsoft.com. If you add an
additional domain server and name it server2, then it’s FQDN is server2.microsoft.com.
Now Microsoft is big so it has offices in Europe and Asia. So they make child domains
for them and their FQDN would look like this: europe.microsoft.com &
asia.microsoft.com. Now lets say each of them have a server in those child domains
named server1. Their FQDN would then look like this: server1.europe.microsoft.com &
server1.asia.microsoft.com..

What are Active Directory Groups?

Groups are containers that contain user and computer objects within them as members.
When security permissions are set for a group in the Access Control List on a resource,
all members of that group receive those permissions. Domain Groups enable centralized
administration in a domain. All domain groups are created on a domain controller.
In a domain, Active Directory provides support for different types of groups and group
scopes. The group type determines the type of task that you manage with the group. The
group scope determines whether the group can have members from multiple domains or a
single domain.

Group Types
* Security groups: Use Security groups for granting permissions to gain access to
resources. Sending an e-mail message to a group sends the message to all members of the
group. Therefore security groups share the capabilities of distribution groups.
* Distribution groups: Distribution groups are used for sending e-main messages to
groups of users. You cannot grant permissions to security groups. Even though security
groups have all the capabilities of distribution groups, distribution groups still requires,
because some applications can only read distribution groups.

Group Scopes
Group scope normally describe which type of users should be clubbed together in a way
which is easy for there administration. Therefore, in domain, groups play an important
part. One group can be a member of other group(s) which is normally known as Group
nesting. One or more groups can be member of any group in the entire domain(s) within a
forest.
* Domain Local Group: Use this scope to grant permissions to domain resources that
are located in the same domain in which you created the domain local group. Domain
local groups can exist in all mixed, native and interim functional level of domains and
forests. Domain local group memberships are not limited as you can add members as user
accounts, universal and global groups from any domain. Just to remember, nesting cannot
be done in domain local group. A domain local group will not be a member of another
Domain Local or any other groups in the same domain.
* Global Group: Users with similar function can be grouped under global scope and can
be given permission to access a resource (like a printer or shared folder and files)
available in local or another domain in same forest. To say in simple words, Global
groups can be use to grant permissions to gain access to resources which are located in
any domain but in a single forest as their memberships are limited. User accounts and
global groups can be added only from the domain in which global group is created.
Nesting is possible in Global groups within other groups as you can add a global group
into another global group from any domain. Finally to provide permission to domain
specific resources (like printers and published folder), they can be members of a Domain
Local group. Global groups exist in all mixed, native and interim functional level of
domains and forests.
* Universal Group Scope: these groups are precisely used for email distribution and can
be granted access to resources in all trusted domain as these groups can only be used as a
security principal (security group type) in a windows 2000 native or windows server
2003 domain functional level domain. Universal group memberships are not limited like
global groups. All domain user accounts and groups can be a member of universal group.
Universal groups can be nested under a global or Domain Local group in any domain.

What are the types of backup? Explain each?

Incremental
A “normal” incremental backup will only back up files that have been changed since the
last backup of any type. This provides the quickest means of backup, since it only makes
copies of files that have not yet been backed up. For instance, following our full backup
on Friday, Monday’s tape will contain only those files changed since Friday. Tuesday’s
tape contains only those files changed since Monday, and so on. The downside to this is
obviously that in order to perform a full restore, you need to restore the last full backup
first, followed by each of the subsequent incremental backups to the present day in the
correct order. Should any one of these backup copies be damaged (particularly the full
backup), the restore will be incomplete.

Differential
A cumulative backup of all changes made after the last full backup. The advantage to this
is the quicker recovery time, requiring only a full backup and the latest differential
backup to restore the system. The disadvantage is that for each day elapsed since the last
full backup, more data needs to be backed up, especially if a majority of the data has been
changed.

What is the SYSVOL folder?

The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and
reparse points in the file systems that exist on each domain controller in a domain.
SYSVOL provides a standard location to store important elements of Group Policy
objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them
to other domain controllers within that domain.
You can go to SYSVOL folder by typing : %systemroot%/sysvol

What is the ISTG Who has that role by default?

The first server in the site becomes the ISTG for the site, The domain controller holding
this role may not necessarily also be a bridgehead server.

What is the order in which GPOs are applied?

Local, Site, Domain, OU
Windows Server 2003 Active Directory and
Security questions
By admin | December 7, 2003

1. What’s the difference between local, global and universal groups? Domain
local groups assign access permissions to global domain groups for local domain
resources. Global groups provide access to resources in other trusted domains. Universal
groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can’t I? Universal groups
are allowed only in native-mode Windows Server 2003 environments. Native mode
requires that all domain controllers be promoted to Windows Server 2003 Active
Directory.
3. What is LSDOU? It’s group policy inheritance model, where the policies are applied to
Local machines, Sites, Domains and Organizational Units.
4. Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exist, it
has the highest priority among the numerous policies.
5. Where are group policies stored? %SystemRoot%System32\GroupPolicy
6. What is GPT and GPC? Group policy template and group policy container.
7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are
in conflict. Which one has the highest priority? The computer settings take
priority.
9. You want to set up remote installation procedure, but do not want the user to
gain access over it. What do you do? gponame–> User Configuration–> Windows
Settings–> Remote Installation Services–> Choice Options is your friend.
10. What’s contained in administrative template conf.adm? Microsoft NetMeeting
policies
11. How can you restrict running certain applications on a machine? Via group
policy, security settings for the group, then Software Restriction Policies.
12. You need to automatically install an app, but MSI file is not available. What
do you do? A .zap text file can be used to add applications using the Software Installer,
rather than the Windows Installer.
13. What’s the difference between Software Installer and Windows Installer? The
former has fewer privileges and will probably require user intervention. Plus, it uses .zap
files.
14. What can be restricted on Windows Server 2003 that wasn’t there in
previous products? Group Policy in Windows Server 2003 determines a users right to
modify network and dial-up TCP/IP properties. Users may be selectively restricted from
modifying their IP address and other network configuration parameters.
15. How frequently is the client policy refreshed? 90 minutes give or take.
16. Where is secedit? It’s now gpupdate.
17. You want to create a new group policy but do not wish to inherit. Make sure
you check Block inheritance among the options when creating the policy.
18. What is "tattooing" the Registry? The user can view and modify user preferences
that are not stored in maintained portions of the Registry. If the group policy is removed
or changed, the user preference will persist in the Registry.
19. How do you fight tattooing in NT/2000 installations? You can’t.
20. How do you fight tattooing in 2003 installations? User Configuration -
Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and
stored files for users, particularly those who move between workstations or those who
must periodically work offline.
22. What’s the major difference between FAT and NTFS on a local machine? FAT
and FAT32 provide no security over locally logged-on users. Only native NTFS provides
extensive permission control on both remote and local files.
23. How do FAT and NTFS differ in approach to user shares? They don’t, both have
support for sharing.
24. Explan the List Folder Contents permission on the folder in NTFS. Same as
Read & Execute, but not inherited by files within a folder. However, newly created
subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to
read it. Can he access it? It is possible for a user to navigate to a file for which he does
not have folder permission. This involves simply knowing the path of the file object. Even
if the user can’t drill down the file/folder tree using My Computer, he can still gain access
to the file using the Universal Naming Convention (UNC). The best way to start would be
to type the full path of a file into Run… window.
26. For a user in several groups, are Allow permissions restrictive or
permissive? Permissive, if at least one group has Allow permission for the file/folder,
user will have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive, if at least one group has Deny permission for the file/folder, user will be
denied access, regardless of other group permissions.
28. What hidden shares exist on Windows Server 2003 installation? Admin$,
Drive$, IPC$, NETLOGON, print$ and SYSVOL.
29. What’s the difference between standalone and fault-tolerant DFS
(Distributed File System) installations? The standalone server stores the Dfs
directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the
Dfs root server is down, users are left with no link to the shared resources. A fault-
tolerant root node stores the Dfs topology in the Active Directory, which is replicated to
other domain controllers. Thus, redundant root nodes may include multiple connections
to the same data residing in different shared folders.
30. We’re using the DFS fault-tolerant installation, but cannot access it from a
Win98 box. Use the UNC path, not client, only 2000 and 2003 clients can access Server
2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active
Directory? In Partition Knowledge Table, which is then replicated to other domain
controllers.
32. Can you use Start->Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the
redundant copies of the file at the same time, with no file-locking involved in DFS,
changing the contents and then saving. Only one file will be propagated through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you
can’t. Install a standalone one.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric.
36. How does Windows 2003 Server try to prevent a middle-man attack on
encrypted line? Time stamp is attached to the initial client request, encrypted with the
shared key.
37. What hashing algorithms are used in Windows 2003 Server? RSA Data
Security’s Message Digest 5 (MD5), produces a 128-bit hash, and the Secure Hash
Algorithm 1 (SHA-1), produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003
Server? Windows Server 2003 uses the industry standard PKCS-10 certificate request
and PKCS-7 certificate response to exchange CA certificates with third-party certificate
authorities.
39. What’s the number of permitted unsuccessful logons on Administrator
account? Unlimited. Remember, though, that it’s the Administrator account, not any
account that’s part of the Administrators group.
40. If hashing is one-way function and Windows Server uses hashing for storing
passwords, how is it possible to attack the password lists, specifically the
ones using NTLMv1? A cracker would launch a dictionary attack by hashing every
imaginable term used for password and then compare the hashes.
41. What’s the difference between guest accounts in Server 2003 and other
editions? More restrictive in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce
Password History Remembered"? User’s last 6 passwords.