Interview Questions

What is Active Directory Domain Services 2008?

Active Directory Domain Services (AD DS), formerly known as Active Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.

Domain Functional Level

Domain functionality activates features that affect the whole domain and that domain only. The four domain functional levels, their corresponding features, and supported domain Controllers are as follows: Windows 2000 mixed (Default) Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003 Activated features: local and global groups, global catalog support

What is DNS: Domain Name Service/Domain Name System Provides resolution of name to IP addressing and resolution of IP addresses to names

What is DHCP: It gives Addresses automatically to the client who is requesting for an IP address Centralized IP Address management DHCP prevent IP address conflict and help conserve the use of client IP Address on the on the network DHCP reduces the complexity and amount of administrator work by assigning TCP/IP configuration automatically to the clients.

Page | 1

What is the Global Catalog?

A global catalog server is a domain controller. It is a master searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. It has two important functions: Provides group membership information during logon and authentication Helps users locate resources in Active Directory

Read-Only Domain Controllers (RODCs): RODC address some of the problems that are commonly found in branch offices. These locations might not have a DC, Or they might have a writable DC but no physical security to that DC, low network bandwidth, or inadequate expertise to support that DC.

Functionality of RODCs: Read-Only DS database Uni-directional replication Credential caching Administrator role separation

Read-only AD DS Database: Except for accounts password, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.

What are FMSO Roles? List them.

FSMO roles are server roles in a Forest There are five types of FSMO roles 1-Schema master 2-Domain naming master 3-Rid master
Page | 2

4-PDC Emulator 5-Infrastructure master The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest. Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any
Page | 3

one time, there can be only one domain controller acting as the RID master in the domain. PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 Includes the W32Time (Windows Time) time service that is required by the Kerberos Authentication protocol. All Windows 2000/2003-based computers within an enterprise Use a common time. The purpose of the time service is to ensure that the Windows Time Service uses a hierarchical relationship that controls authority and does not permit loops to Ensure appropriate common time usage.

Basic Disk Storage

Basic storage uses normal partition tables supported by MS-DOS, Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Me), Microsoft Windows NT, Microsoft Windows 2000, Windows Server 2003 and Windows XP. A disk initialized for Basic storage is called a basic disk. A basic disk contains basic volumes, such as primary Partitions, extended partitions, and logical drives. Additionally, basic volumes include multidisk volumes that are created by using Windows NT 4.0 or earlier, such as volume sets, stripe sets, mirror sets, and stripe sets with parity. Windows XP does not support these multidisk basic volumes. Any volume sets, stripe sets, mirror sets, or stripe sets with parity must be backed up and deleted or converted to dynamic disks before you install Windows XP Professional.

Dynamic Disk Storage

Dynamic storage is supported in Windows XP Professional, Windows 2000 and Windows Server 2003. A disk initialized for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes, such as simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes. With dynamic storage, you can perform disk and volume management without the need to restart Windows.

Page | 4

Dynamic Storage Terms A volume is a storage unit made from free space on one or more disks. It can be formatted with a file system and assigned a drive letter. Volumes on dynamic disks can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-5. A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume. A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant. A striped volume (RAID-0) is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended and is not fault-tolerant. A mirrored volume (RAID-1) is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. A Striping With Parity (RAID-5) volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended. The system volume contains the hardware-specific files that are needed to load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can be, but does not
Page | 5

have to be, the same as the boot volume. The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume. RAID 0 Striping RAID 1- Mirroring (minimum 2 HDD required) RAID 5 Striping With Parity (Minimum 3 HDD required) RAID levels 1 and 5 only gives redundancy

What is the SYSVOL folder?

The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest. This is a quote from Microsoft themselves basically the domain controller info stored in files like your group policy stuff is replicated through this folder structure.

Whats New in Windows Server 2008 Active Directory Domain Services?

Active Directory Domain Services in Windows Server 2008 provides a number of enhancements over previous versions, including these: AuditingAD DS auditing has been enhanced significantly in Windows Server 2008. The enhancements provide more granular auditing capabilities through four new auditing categories: Directory Services Access, Directory Services Changes, Directory Services Replication, and Detailed Directory Services Replication. Additionally, auditing now provides the capability to log old and new values of an attribute when a successful change is made to that attribute. Fine-Grained Password PoliciesAD DS in Windows Server 2008 now provides the capability to create different password and account lockout policies for different sets of users in a domain. User and group password and account lockout policies are defined and applied via a Password Setting Object (PSO). A PSO has attributes for all the settings that can be defined in the Default Domain Policy, except Kerberos settings. PSOs can be applied to both users and groups.

Page | 6

Read-Only Domain ControllersAD DS in Windows Server 2008 introduces a new type of domain controller called a read-only domain controller (RODC). RODCs contain a read-only copy of the AD DS database. RODCs are covered in more detail in Chapter 6, Manage Sites and Replication. Restartable Active Directory Domain ServicesAD DS in Windows Server 2008 can now be stopped and restarted through MMC snap-ins and the command line. The restartable AD DS service reduces the time required to perform certain maintenance and restore operations. Additionally, other services running on the server remain available to satisfy client requests while AD DS is stopped. AD DS Database Mounting ToolAD DS in Windows Server 2008 comes with a AD DS database mounting tool, which provides a means to compare data as it exists in snapshots or backups taken at different times. The AD DS database mounting eliminates the need to restore multiple backups to compare the AD data that they contain and provides the capability to examine any change made to data stored in AD DS.

What is REPADMIN?
Repadmin.exe: Replication Diagnostics Tool This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTool) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels

KCC
The KCC is a built-in process that runs on all domain controllers and generates replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain
Page | 7

controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

How do you view replication properties for AD?

By using Active Directory Replication Monitor. Start> Run> Replmon

What are sites What are they used for?

One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.

Name some OU design considerations?

OU design requires balancing requirements for delegating administrative rights independent of Group Policy needs and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues: Applying Group Policy An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. Delegating administrative authority usually dont go more than 3 OU levels

Logical Diagram of Active Directory?, What is the difference between child domain & additional domain Server?
Well, if you know what a domain is then you have half the answer. Say you have the domain Microsoft.com. Now Microsoft has a server named server1 in that domain, which happens to the parent domain. So its FQDN is server1.microsoft.com. If you add an additional domain server and name it server2, then its FQDN is server2.microsoft.com. Now Microsoft is big so it has offices in Europe and Asia. So they make child domains for them and their FQDN would look like this: europe.microsoft.com & asia.microsoft.com. Now lets say each of them have a server in those child domains named server1. Their FQDN would then look like this: server1.europe.microsoft.com & server1.asia.microsoft.com.

Page | 8

What are Active Directory Groups?

Groups are containers that contain user and computer objects within them as members. When security permissions are set for a group in the Access Control List on a resource, all members of that group receive those permissions. Domain Groups enable centralized administration in a domain. All domain groups are created on a domain controller. In a domain, Active Directory provides support for different types of groups and group scopes. The group type determines the type of task that you manage with the group. The group scope determines whether the group can have members from multiple domains or a single domain.

Group Types
* Security groups: Use Security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups. * Distribution groups: Distribution groups are used for sending e-main messages to groups of users. You cannot grant permissions to security groups. Even though security groups have all the capabilities of distribution groups, distribution groups still requires, because some applications can only read distribution groups.

Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?
If we are using public ip address, we can browse the internet. If it is having an intranet address a gateway is needed as a router or firewall to communicate with internet.

What is CIDR?
CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate and specify the Internet addresses used in inter-domain routing more flexibly than with the original system of Internet Protocol (IP) address classes. As a result, the number of available Internet addresses has been greatly increased. CIDR is now the routing system used by virtually all gateway hosts on the Internets backbone network. The Internets regulating authorities now expect every Internet service provider (ISP) to use it for routing.

What is the difference between Authorized DHCP and Non Authorized DHCP?
To avoid problems in the network causing by mis-configured DHCP servers, server in Windows 2000 must be validate by AD before starting service to clients. If an authorized
Page | 9

DHCP finds any DHCP server in the network it stop serving the clients

Difference between inter-site and intra-site replication. Protocols using for Replication.
Intra-site replication can be done between the domain controllers in the same site. Intersite replication can be done between two different sites over WAN links BHS (Bridge Head Servers) is responsible for initiating replication between the sites. Intersite replication can be done B/w BHS in one site and BHS in another site. We can use RPC over IP or SMTP as a replication protocols where as Domain partition is not possible to replicate using SMTP

How to take DNS and WINS, DHCP backup

%System root%/system32/dns %System root%/system32/WINS %System root%/system32/DHCP

What is DFS & its usage

DFS is a distributed file system used to provide common environment for users to access files and folders even when they are shared in different servers physically. There are two types of DFS domain DFS and Standalone DFS. We cannot provide redundancy for standalone DFS in case of failure. Domain DFS is used in a domain Environment which can be accessed by /domain name/root1 (root 1 is DFS root name). Standalone DFS can be used in workgroup environment which can be accessed through /server name/root1 (root 1 is DFS root name). Both the cases we need to create DFS root ( Which appears like a shared folder for end users) and DFS links ( A logical link which is Pointing to the server where the folder is physically shared) The maximum number of DFS roots per server is 1. The maximum numbers of DFS root replicas are 31.
Page | 10

The maximum number of DFS roots per domain is unlimited. The maximum number of DFS links or shared folders in a DFS root is 1,000

What is RIS and what are its requirements

RIS is a remote installation service, which is used to install operation system remotely. requirements PXE DHCP-based boot ROM version 1.00 or later NIC, or a network adapter that is supported by the RIS boot disk. Should meet minimum operating system requirements Software Requirements Below network services must be active on RIS server or any server in the network Domain Name System (DNS Service) Dynamic Host Configuration Protocol (DHCP) Active Directory service

Page | 11