
Active Directory Interview questions

with answers
Learn about basic Active directory functionality.
Happy learning!!!
Below are the Active Directory Interview Questions and answers. However, there are more interview questions:
Wintel/AD Interview Questions:- http://yourcomputer.in/wintel-interview-questions-and-answers
Windows Cluster Interview Questions:- http://yourcomputer.in/windows-cluster-interview-questions-and-answers
Personal Interview Questions:- http://yourcomputer.in/personal-interview-questions-answers

What is Global Catalog and its function?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest.
- Forest-wide searches. The global catalog provides a resource for searching an AD DS forest. Forest-wide searches are identified by the LDAP port that they use. If the search query uses port 3268, the query is sent to a global catalog server.
- User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication:
  o In a domain that operates at the Windows 2000 native domain functional level or higher, domain controllers must request universal group membership enumeration from a global catalog server.
  o When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.
  Universal Group Membership Caching: In a forest that has more than one domain, in sites that have domain users but no global catalog server, Universal Group Membership Caching can be used to enable caching of logon credentials so that the global catalog does not have to be contacted for subsequent user logons. This feature eliminates the need to retrieve universal group memberships across a WAN link from a global catalog server in a different site.
- Exchange Address Book lookups. Servers running Microsoft Exchange Server rely on access to the global catalog for address information. Users use global catalog servers to access the global address list (GAL).
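The following PowerShell script is an added example, not part of the original page. It shows the three facts above in practice: which domain controllers are GC servers (and in which site), which attributes the schema flags for replication into the GC (the partial attribute set), and the difference between a query on LDAP port 389 (one domain partition) and on port 3268 (every domain in the forest). It assumes the RSAT ActiveDirectory module on a domain-joined machine; the server name and user name at the bottom are placeholders.

```powershell
Import-Module ActiveDirectory

function Get-GlobalCatalogServers {
    # Every DC designated as a GC server, with its site. A site that has users but no GC
    # is where Universal Group Membership Caching becomes relevant.
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Select-Object HostName, Site, Domain
}

function Get-PartialAttributeSet {
    # Attributes the schema marks with isMemberOfPartialAttributeSet=TRUE are the only
    # ones replicated to (and therefore searchable in) the global catalog.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc -LDAPFilter '(isMemberOfPartialAttributeSet=TRUE)' `
                 -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

function Find-UserForestWide {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $GcServer   # placeholder, e.g. 'dc01.corp.example.com'
    )
    $filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"

    # Port 389: only the server's own writable domain partition is searched.
    $domainHit = Get-ADObject -LDAPFilter $filter -Server "$($GcServer):389" `
                              -ErrorAction SilentlyContinue

    # Port 3268 with an empty search base: the partial read-only replica of every
    # domain partition in the forest is searched, so no referral is needed.
    $forestHit = Get-ADObject -LDAPFilter $filter -Server "$($GcServer):3268" `
                              -SearchBase '' -SearchScope Subtree -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        FoundOnPort389    = [bool]$domainHit
        FoundOnPort3268   = [bool]$forestHit
        DistinguishedName = $forestHit.DistinguishedName
    }
}

# Usage (placeholder names):
Get-GlobalCatalogServers | Format-Table -AutoSize
"Attributes in the partial attribute set: $((Get-PartialAttributeSet).Count)"
Find-UserForestWide -SamAccountName 'jdoe' -GcServer 'dc01.corp.example.com'
```

A user from a child domain shows FoundOnPort389 = False but FoundOnPort3268 = True when queried against a GC in the root domain, which is exactly the referral-free behaviour the answer describes.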

What are the components of Logical AD?
The logical parts of Active Directory include forests, trees, domains, OUs and global catalogs.
Domain - It is still a logical group of users and computers that share the characteristics of centralized security and administration. A domain is still a boundary for security - this means that an administrator of a domain is an administrator for only that domain, and no others, by default.
Tree - a tree is a collection of Active Directory domains that share a contiguous namespace.
Forest - a forest is the largest unit in Active Directory and is a collection of trees that share a common Schema. In a forest all trees are connected by transitive two-way trust relationships, thus allowing users in any tree access to resources in another for which they have been given appropriate permissions and rights. By default, the first domain created in a forest is referred to as the root domain.


What are the different Partitions in AD? Explain all.
The Active Directory database is logically separated into directory partitions:
- Schema partition
- Configuration partition
- Domain partition
- Application partition
Each partition is a unit of replication, and each partition has its own replication topology. Replication occurs between replicas of a directory partition. A minimum of two directory partitions are common among all domain controllers in the same forest: the schema and configuration partitions. All domain controllers which are in the same domain, in addition, share a common domain partition.
Schema Partition
Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. The schema partition contains definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the attribute definitions.
Configuration Partition
There is only one configuration partition per forest. Second on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.
Domain Partition
Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.
Application Partition
Application partitions store information about applications in Active Directory. Each application determines how it stores, categorizes, and uses application-specific information. To prevent unnecessary replication to specific application partitions, you can designate which domain controllers in a forest host specific application partitions. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.
As an example of application partitions, if you use a Domain Name System (DNS) that is integrated with Active Directory, you have two application partitions for DNS zones, ForestDNSZones and DomainDNSZones:
- ForestDNSZones is part of a forest. All domain controllers and DNS servers in a forest receive a replica of this partition. A forest-wide application partition stores the forest zone data.
- DomainDNSZones is unique for each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. The application partitions store the domain DNS zone in the DomainDNSZones<domain name>.
Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition. No DNS data is replicated to the global catalog server.
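As an added illustration (not from the original page), the PowerShell below builds the map the answer describes: each naming context in the forest, its kind (schema, configuration, domain, or the DNS application partitions), and which domain controllers hold a replica of it. It relies on the Partitions property that Get-ADDomainController returns and assumes the RSAT ActiveDirectory module on a domain-joined host.

```powershell
Import-Module ActiveDirectory

function Get-DcPartitionMap {
    # Build partition -> [hosting DCs] from the Partitions list every DC reports.
    $map = @{}
    foreach ($dc in Get-ADDomainController -Filter *) {
        foreach ($nc in $dc.Partitions) {
            if (-not $map.ContainsKey($nc)) {
                $map[$nc] = New-Object System.Collections.Generic.List[string]
            }
            $map[$nc].Add($dc.HostName)
        }
    }
    foreach ($nc in ($map.Keys | Sort-Object)) {
        # Classify by the distinguished name prefix; the first two exist once per forest,
        # DomainDnsZones once per domain, ForestDnsZones once per forest.
        $kind = switch -Regex ($nc) {
            '^CN=Schema,'         { 'schema (one per forest)' }
            '^CN=Configuration,'  { 'configuration (one per forest)' }
            '^DC=ForestDnsZones,' { 'application: ForestDNSZones' }
            '^DC=DomainDnsZones,' { 'application: DomainDNSZones' }
            default               { 'domain (or other application partition)' }
        }
        [pscustomobject]@{
            Partition    = $nc
            Kind         = $kind
            ReplicaCount = $map[$nc].Count
            Hosts        = ($map[$nc] -join ', ')
        }
    }
}

Get-DcPartitionMap | Format-Table -AutoSize -Wrap
```

In a healthy forest the schema and configuration rows list every DC, each domain row lists only that domain's DCs, and the DomainDnsZones rows list only the DCs that are also DNS servers for that domain, matching the replication scopes given above.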

Different types of Disk partition?
How many types of RAID are there? Explain the advantages and disadvantages of any 3.
http://yourcomputer.in/what-is-raid-configuration-in-windows/
RAID Levels and Types
RAID, an acronym of Redundant Array of Independent (Inexpensive) Disks, is the talk of the day. These are an array of disks to give more power, performance, fault tolerance and accessibility to the data, as a single storage system. It's not a mere combination of disks, but all the disks are combined providing a standard MTBF (mean time before failure) reliability scheme; otherwise chances are performance would be affected drastically if disks are not combined as a single storage unit.
RAID Levels
All the RAID types and models are commonly classified as RAID levels, since a RAID represented by a higher number is regarded to be a superior, more efficient, high-performance array than the low-numbered RAID. Hence, the high security feature of RAID also depends on the RAID level you are using. RAID arrays not only provide the users with maximum security and reliability but also make sure that if a disk fails no data is lost. In-depth knowledge about RAID levels would help you through buying of RAID servers. Let's briefly discuss here the main RAID levels and classes:
RAID 0 - Striping:
It is the Striped Disk Array with no fault tolerance and it requires at least 2 drives to be implemented. Due to no redundancy feature, RAID 0 is considered to be the lowest ranked RAID level. Striped data mapping technique is implemented for high performance at low cost. The I/O performance is also improved as it is loaded across many channels. Regeneration, rebuilding and functional redundancy are some salient features of RAID 0.
RAID 1 - Mirroring:
It is the Mirroring (Shadowing) Array meant to provide high performance. A RAID 1 controller is able to perform 2 separate parallel reads or writes per mirrored pair. It also requires at least 2 drives to implement a non-redundant disk array. High levels of availability, access and reliability can be achieved by an entry-level RAID 1 array. With the full redundancy feature available, the need of readability is almost negligible. Controller configuration and storage subsystem design is the easiest and simplest amongst all RAID levels.
RAID 0+1:
It is the RAID array providing high data transference performance with at least 4 disks needed to implement the RAID 0+1 level. It's a unique combination of striping and mirroring with all the best features of RAID 0 and RAID 1 included, such as fast data access and fault tolerance at single drive level. The multiple stripe segments have added high I/O rates to the RAID performance and it is the best solution for maximum reliability.
RAID 2 (ECC):
It is the combination of Inherently Parallel Mapping and Protection RAID array. It's also known as ECC RAID because each data word bit is written to a data disk which is verified for correct data or correct disk error when the RAID disk is read. Due to the special disk features required, RAID 2 is not very popular among the corporate data storage masses, despite the extremely high data transference rates.
RAID 3:
RAID 3 works on the Parallel Transfer with Parity technique. The least number of disks required to implement the RAID array is 3 disks. In RAID 3, data blocks are striped and written on data drives and then the stripe parity is generated, saved and afterwards used to verify the disk reads. Read and write data transfer rate is very high in a RAID 3 array and disk failure causes insignificant effects on the overall performance of the RAID.
RAID 4:
RAID 4 requires a minimum of 3 drives to be implemented. It is composed of independent disks with shared parity to protect the data. The data transaction rate for Read is exceptionally high and highly aggregated. Similarly, the low ratio of parity disks to data disks indicates high efficiency.
RAID 5:
RAID 5 is an Independent Distributed parity block of data disks with a minimum requirement of at least 3 drives to be implemented and N-1 array capacity. It helps in reducing the write inherence found in RAID 4. A RAID 5 array offers the highest data transaction Read rate, medium data transaction Write rate and good cumulative transfer rate.
RAID 6:
RAID 6 is an Independent Data Disk array with Independent Distributed parity. It is known to be an extension of RAID level 5 with extra fault tolerance and a distributed parity scheme added. RAID 6 is the best available RAID array for mission-critical applications and data storage needs, though the controller design is very complex and overheads are extremely high.
RAID 7:
RAID 7 is the Optimized Asynchrony array for high I/O and data transfer rates and is considered to be the most manageable RAID controller available. The overall write performance is also known to be 50% to 90% better and improved than the single spindle array levels, with no extra data transference required for parity handling. RAID 7 is registered as a standard trademark of Storage Computer Corporation.
RAID 10:
RAID 10 is classified as the futuristic RAID controller with extremely high reliability and performance embedded in a single RAID controller. The minimum requirement to form a RAID level 10 controller is 4 data disks. The implementation of RAID 10 is based on a striped array of RAID 1 array segments, with almost the same fault tolerance level as RAID 1. RAID 10 controllers and arrays are suitable for systems and environments that require uncompromising availability and extremely high throughput.

With all the significant RAID levels discussed here briefly, another important point to add is that whichever level of RAID is used, regular and consistent data backup maintenance using tape storage is a must, as regular tape storage is the best media to recover from a lost-data scenario.
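The parity that RAID 3, 4 and 5 rely on is plain XOR across the data blocks of a stripe. The PowerShell below is an added example (not from the original page) that computes a parity block for a constructed three-disk stripe, then "loses" one data disk and rebuilds it from the survivors plus parity. The stripe contents are constructed sample data; RAID 6 adds a second, independently computed parity, which this example does not model.

```powershell
function Get-ParityBlock {
    # XOR every data block of a stripe together. The result is what RAID 3/4 write to
    # the dedicated parity disk and what RAID 5 rotates across all disks, stripe by stripe.
    param([Parameter(Mandatory)] [object[]] $DataBlocks)
    $length = ([byte[]]$DataBlocks[0]).Length
    $parity = New-Object byte[] $length
    foreach ($block in $DataBlocks) {
        $b = [byte[]]$block
        if ($b.Length -ne $length) { throw 'All blocks in a stripe must be the same size' }
        for ($i = 0; $i -lt $length; $i++) {
            $parity[$i] = $parity[$i] -bxor $b[$i]
        }
    }
    return ,$parity
}

function Restore-MissingBlock {
    # XOR is its own inverse: parity XOR (every surviving data block) = the lost block.
    # This is the arithmetic a controller runs during a rebuild after a single-disk failure.
    param(
        [Parameter(Mandatory)] [object[]] $SurvivingBlocks,
        [Parameter(Mandatory)] [byte[]]   $Parity
    )
    return ,(Get-ParityBlock -DataBlocks (@($SurvivingBlocks) + ,$Parity))
}

# Constructed sample stripe: three data disks plus one parity disk (a 4-disk RAID 4/5 stripe).
$enc   = [System.Text.Encoding]::ASCII
$disk1 = $enc.GetBytes('block-A1')
$disk2 = $enc.GetBytes('block-B2')
$disk3 = $enc.GetBytes('block-C3')
$parity = Get-ParityBlock -DataBlocks @($disk1, $disk2, $disk3)

# Simulate losing disk 2 and rebuilding it from disks 1 and 3 plus parity.
$rebuilt = Restore-MissingBlock -SurvivingBlocks @($disk1, $disk3) -Parity $parity
$intact  = ($rebuilt -join ',') -eq ($disk2 -join ',')
"Rebuilt disk 2: '{0}'  (identical to original: {1})" -f $enc.GetString($rebuilt), $intact
```

Running it prints the original text of disk 2 and True. Losing a second disk from the same stripe leaves the XOR equation with two unknowns, which is the single-failure limit of RAID 3/4/5 and the reason the paragraph above still insists on regular backups.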
What are FSMO Roles?
Click here to know about FSMO in detail
How to find which server holds which role?
Netdom query FSMO
How can we do replication monitoring?
The Active Directory Replication Monitor, replmon.exe, is part of the Windows 2000 Support Utilities, available on the Windows 2000 Server CD in the \SUPPORT\TOOLS folder. Primary uses of replmon:
- Check for replication errors
- Run the KCC (Knowledge Consistency Checker) to check replication topology
- Synchronize each directory partition with all servers
- Generate status reports on replication info on servers
- List domain controllers
- Check Group Policy Object status
- Choose performance counters to be monitored
- List servers hosting the Global Catalog
- List bridgehead servers
- Display trust relationships
- List AD meta-data info
How can we diagnose any issue related to AD replication?
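The following PowerShell is an added example, not from the original page, that answers the three questions above with tools that ship with Windows: it reads the FSMO role holders from the forest and domain objects, parses the CSV output of repadmin /showrepl to list only the inbound links that are failing, and runs the dcdiag tests most often used when replication is suspect. It assumes the RSAT ActiveDirectory module plus repadmin and dcdiag on the path; the DC name passed at the bottom is a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Same information as 'netdom query fsmo', read from the directory itself.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-ReplicationFailures {
    # 'repadmin /showrepl * /csv' reports every inbound link of every DC; keep only the
    # rows with failures so the output is empty when replication is healthy.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = [int]$row.'Number of Failures'
        if ($failures -eq 0) { continue }
        [pscustomobject]@{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Failures      = $failures
            LastSuccess   = $row.'Last Success Time'
            LastError     = $row.'Last Failure Status'
        }
    }
}

function Test-DomainControllerReplication {
    # dcdiag tests that cover connectivity, topology/replication, advertising and FSMO reachability.
    param([Parameter(Mandatory)] [string] $DcName)
    dcdiag /s:$DcName /test:Connectivity /test:Replications /test:Advertising /test:FsmoCheck
}

Get-FsmoRoleHolders
Get-ReplicationFailures | Format-Table -AutoSize
Test-DomainControllerReplication -DcName 'dc01.corp.example.com'   # placeholder name
```

A link whose LastSuccess is days old while Failures keeps climbing is the situation that, left unattended past the tombstone lifetime, produces the lingering objects discussed later on this page.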

What is intersite and intrasite replication? Explain.
http://technet.microsoft.com/en-us/library/cc755994(WS.10).aspx
What is Authoritative and Non-authoritative restoration?
Active Directory is backed up as part of system state, a collection of system components that depend on each other. You must back up and restore system state components together.
Components that comprise the system state on a domain controller include:
- System Start-up Files (boot files). These are the files required for Windows 2000 Server to start.
- System registry.
- Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
- SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
  o NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for non-Windows 2000-based network clients.
  o User logon scripts for Windows 2000 Professional-based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
  o Windows 2000 GPOs.
  o File system junctions.
  o File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
- Active Directory. Active Directory includes:
  o Ntds.dit: The Active Directory database.
  o Edb.chk: The checkpoint file.
  o Edb*.log: The transaction logs, each 10 megabytes (MB) in size.
  o Res1.log and Res2.log: Reserved transaction logs.
Note: If you use Active Directory-integrated DNS, then the zone data is backed up as part of the Active Directory database. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, zone data is backed up as part of the system disk. If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state.
Non-authoritative restore of Active Directory
A non-authoritative restore returns the domain controller to its state at the time of backup, then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory, and you will use it in most situations that result from Active Directory data loss or corruption. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode.
Non-authoritative restore of SYSVOL
When you non-authoritatively restore the SYSVOL, the local copy of SYSVOL on the restored domain controller is compared with that of its replication partners. After the domain controller restarts, it contacts its replication partners, compares SYSVOL information, and replicates any necessary changes, bringing it up to date with the other domain controllers within the domain.
Perform a non-authoritative restore of SYSVOL if at least one other functioning domain controller exists in the domain. This is the default method for restoring SYSVOL and occurs automatically if you perform a non-authoritative restore of the Active Directory.
If no other functioning domain controller exists in the domain, then perform a primary restore of the SYSVOL. A primary restore builds a new File Replication service (FRS) database by loading the data present under SYSVOL on the local domain controller. This method is the same as a non-authoritative restore, except that the SYSVOL is marked primary.
Authoritative restore of Active Directory
An authoritative restore is an extension of the non-authoritative restore process. You must perform the steps of a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore has the ability to increment the version number of the attributes of all objects in an entire directory, all objects in a subtree, or an individual object (provided that it is a leaf object) to make it authoritative in the directory. Restore the smallest unit necessary; for example, do not restore the entire directory in order to restore a single subtree.
As with a non-authoritative restore, after a domain controller is back online it will contact its replication partners to determine any changes since the time of the last backup. However, because the version number of the object attributes that you want to be authoritative will be higher than the existing version numbers of the attribute held on replication partners, the object on the restored domain controller will appear to be more recent and therefore will be replicated out to the rest of the domain controllers within the environment.
Unlike a non-authoritative restore, an authoritative restore requires the use of a separate tool, Ntdsutil.exe. No backup utilities, including the Windows 2000 Server system tools, can perform an authoritative restore.
An authoritative restore will not overwrite new objects that have been created after the backup was taken. You can authoritatively restore only objects from the configuration and domain naming contexts. Authoritative restores of schema naming contexts are not supported.
Perform an authoritative restore when human error is involved, such as when an administrator accidentally deletes a number of objects and that change replicates to the other domain controllers, and you cannot easily recreate the objects. To perform an authoritative restore, you must start the domain controller in Directory Services Restore Mode.
Authoritative restore of SYSVOL
By authoritatively restoring the SYSVOL, you are specifying that the copy of SYSVOL that is restored from backup is authoritative for the domain. After the necessary configurations have been made, Active Directory marks the local SYSVOL as authoritative and it is replicated to the other domain controllers within the domain.
The authoritative restore of SYSVOL does not occur automatically after an authoritative restore of Active Directory. Additional steps are required.
As with an Active Directory authoritative restore, you typically perform an authoritative restore of SYSVOL when human error is involved and the error has replicated to other domain controllers. For example, you might perform an authoritative restore of SYSVOL if an administrator has accidentally deleted an object that resides in SYSVOL, such as a Group Policy object.
http://yourcomputer.in/authoritative-vs-non-authoritative-restoration-of-active-directory
http://technet.microsoft.com/en-us/library/bb727048.aspx
How to restore the AD
http://technet.microsoft.com/en-us/library/bb727048.aspx
What is Tombstone period?
The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a "tombstone") is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.
In Microsoft Windows Server 2003 R2, the default tombstone lifetime (TSL) value remains at 60 days.
Note: In Windows Server 2003 Service Pack 1, the default TSL value has increased from 60 days to 180 days.
What are Lingering Objects?
Lingering objects can occur if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL). The domain controller then reconnects to the replication topology. Objects that are deleted from the Active Directory directory service when the domain controller is offline can remain on the domain controller as lingering objects.
What is the difference between 2003 and 2008?
http://yourcomputer.in/difference-between-windows-2003-and-2008/
1) 2008 is a combination of Vista and Windows 2003 R2. Some new services are introduced in it:
1. RODC, one new domain controller introduced in it [Read-only Domain Controllers]
2. WDS (Windows Deployment Services) instead of RIS in 2003 server
3. Shadow copy for each and every folder
4. Boot sequence is changed
5. Installation is 32 bit, whereas in 2003 it is 16 as well as 32 bit; that's why installation of 2008 is faster
6. Services are known as roles in it
7. Group Policy editor is a separate option in ADS

2) The main difference between 2003 and 2008 is virtualization management.
2008 has more inbuilt components and updated third-party drivers. Microsoft introduces a new feature with 2k8, that is Hyper-V. Windows Server 2008 introduces Hyper-V (V for Virtualization), but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine. If you like this exciting technology, make sure that you buy an edition of Windows Server 2008 that includes Hyper-V, then launch the Server Manager and add Roles.

3) In Windows Server 2008, Microsoft is introducing new features and technologies, some of which were not available in Windows Server 2003 with Service Pack 1 (SP1), that will help to reduce the power consumption of server and client operating systems, minimize environmental byproducts, and increase server efficiency.
Microsoft Windows Server 2008 has been designed with energy efficiency in mind, to provide customers with ready and convenient access to a number of new power-saving features. It includes updated support for Advanced Configuration and Power Interface (ACPI) processor power management (PPM) features, including support for processor performance states (P-states) and processor idle sleep states on multiprocessor systems. These features simplify power management in Windows Server 2008 (WS08) and can be managed easily across servers and clients using Group Policies.

What Is Strict Replication and How Do You Enable It?
Strict Replication is a mechanism developed by Microsoft developers for Active Directory Replication. If a domain controller has Strict Replication enabled, then that domain controller will not get "Lingering Objects" from a domain controller which was isolated for more than the Tombstone Lifetime. TSL is 180 days by default on a forest created with Windows Server 2003 SP1. A domain controller shouldn't be out of sync for more than this period. Lingering Objects may appear on other domain controllers if replication happens with the outdated domain controllers. These domain controllers will not replicate with the outdated domain controllers if you have set the below-mentioned registry key. You must set the following registry setting on all the domain controllers to enable Strict Replication:
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry Entry: Strict Replication Consistency
Value: 1 (enabled), 0 (disabled)
Type: REG_DWORD
What are the new features of Win2008?
How many flavours of Win2k8?
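The PowerShell below is an added example (not from the original page) that ties the tombstone lifetime, lingering objects and Strict Replication answers together for a defender: it reads tombstoneLifetime from the Directory Service object in the configuration partition, lists inbound replication links whose last success is older than that lifetime (the precondition for lingering objects), and audits the Strict Replication Consistency value documented above on every DC, optionally setting it to 1 where it is absent or 0. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, and a forest where Get-ADReplicationPartnerMetadata is available (Windows Server 2012 or later DCs).

```powershell
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service in the configuration partition.
    # When the attribute is not set, the forest uses the old default of 60 days.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                       -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-StaleReplicationPartners {
    # Inbound links that have not succeeded within one tombstone lifetime: the partner
    # may still hold objects that every other DC has already deleted and garbage-collected.
    param([int] $TombstoneLifetimeDays = (Get-TombstoneLifetimeDays))
    $cutoff = (Get-Date).AddDays(-$TombstoneLifetimeDays)
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound |
            Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
            Select-Object Server, Partner, Partition, LastReplicationSuccess,
                          ConsecutiveReplicationFailures
    }
}

function Get-StrictReplicationConsistency {
    # 1 = strict: inbound replication of a lingering object is refused and logged.
    # 0 = loose: the object is re-created, i.e. the DC accepts the lingering object.
    param([switch] $Enable)   # with -Enable, missing or 0 values are set to 1
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $name = 'Strict Replication Consistency'
    $dcs  = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ArgumentList $key, $name, [bool]$Enable -ScriptBlock {
        param($key, $name, $enable)
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($enable -and $current -ne 1) {
            Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
            $current = 1
        }
        [pscustomobject]@{ DC = $env:COMPUTERNAME; StrictReplicationConsistency = $current }
    } | Select-Object DC, StrictReplicationConsistency
}

"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
Get-StaleReplicationPartners | Format-Table -AutoSize
Get-StrictReplicationConsistency | Format-Table -AutoSize   # add -Enable to enforce
```

Treat any row from Get-StaleReplicationPartners as an incident rather than a setting to flip: enabling strict consistency stops the lingering objects from spreading, but the stale DC itself still needs to be cleaned or demoted and repromoted.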

Windows Server 2008 editions compared: Web Edition, Standard Edition, Enterprise Edition, Datacenter Edition.
Supersedes
  Web Edition:        Windows Server 2003 Web Edition
  Standard Edition:   Windows Server 2003 R2 Standard Edition; Windows Server 2003 R2 Standard x64 Edition
  Enterprise Edition: Windows Server 2003 R2 Enterprise Edition; Windows Server 2003 R2 Enterprise x64 Edition
  Datacenter Edition: Windows Server 2003 R2 Datacenter Edition; Windows Server 2003 R2 Datacenter x64 Edition
Hyper-V virtualization technology
  Web Edition:        Not included
  Standard Edition:   Included
  Enterprise Edition: Included
  Datacenter Edition: Included
OS instances permitted per server license
  Web Edition:        One instance (physical or virtual)
  Standard Edition:   One physical instance plus one virtual instance
  Enterprise Edition: One physical instance and up to 4 virtual instances
  Datacenter Edition: Unlimited number of OS instances
Maximum server RAM supported
  Web Edition:        32-bit: 4 GB; 64-bit: 32 GB
  Standard Edition:   32-bit: 4 GB; 64-bit: 32 GB
  Enterprise Edition: 32-bit: 64 GB; 64-bit: 2 TB
  Datacenter Edition: 32-bit: 64 GB; 64-bit: 2 TB
Maximum number of CPUs
  Web Edition: 4; Standard Edition: 4; Enterprise Edition: 8; Datacenter Edition: 64
Hot swap RAM and CPUs
  Web Edition: No; Standard Edition: No; Enterprise Edition: No; Datacenter Edition: Yes
Cluster Service (failover)
  Web Edition: No; Standard Edition: No; Enterprise Edition: Yes, up to 16 nodes per cluster; Datacenter Edition: Yes, up to 16 nodes per cluster
Terminal Server
  Web Edition: No; Standard Edition: Yes; Enterprise Edition: Yes; Datacenter Edition: Yes
Network Access Protection
  Web Edition: No; Standard Edition: Yes; Enterprise Edition: Yes; Datacenter Edition: Yes
U.S. estimated retail price
  Web Edition:        US$470 per server (available only without Hyper-V)
  Standard Edition:   US$800 per server (US$772 without Hyper-V)
  Enterprise Edition: US$3000 per server (US$2972 without Hyper-V)
  Datacenter Edition: US$3000 per processor (US$2972 per processor without Hyper-V)
CALs or External Connector required
  Web Edition: No; Standard Edition: Yes; Enterprise Edition: Yes; Datacenter Edition: Yes

How do you find which server holds DHCP?
How to configure the DHCP server?
If users are not getting an IP from the DHCP servers, what steps do you take to fix the issue?
What is the process of a user getting an IP from the DHCP Server?
DORA PROCESS

DISCOVER: When a client is configured with the IP setting to obtain an IP address automatically, the client searches for a DHCP server by sending a UDP broadcast (the DHCP Discover) to the server.
OFFER: The DHCP Server offers an IP address from the scope available in the pool.
REQUEST: In response to the offer, the client requests the IP address.
ACKNOWLEDGE: In response to the request, the server responds with the IP address, mask, gateway, DNS and WINS info along with the acknowledgment packet.
DHCP Message Types
DHCPDISCOVER
This DHCP message type is used by the DHCP client to discover DHCP servers.
DHCPOFFER
This DHCP message type is used by the DHCP server to respond to a received DHCPDISCOVER message, and also offers configuration details at that time.
DHCPREQUEST
This message comes from a client to the DHCP server to convey three different messages. The first is to request configuration details from one specific DHCP server, specifically rejecting offers from any other potential DHCP servers. Secondly, it can be used for verification of a previously used IP address after a system has undergone a reboot. Lastly, it can be used to extend the lease of a specific IP address.
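To make the DORA exchange concrete, the PowerShell below is an added example (not from the original page) with a small decoder for a raw DHCP packet: the fixed BOOTP header (op, xid, broadcast flag, client MAC, offered address) followed by the option list, including option 53 (message type), 54 (server identifier), 51 (lease time) and the mask/router/DNS options the ACKNOWLEDGE step delivers. It then builds a constructed DHCPOFFER byte by byte and decodes it. The AuthorizedServers parameter is an assumption of this example: comparing the server identifier in an OFFER or ACK against the servers you expect is one way to spot a rogue DHCP server on a segment.

```powershell
function ConvertFrom-DhcpPacket {
    param(
        [Parameter(Mandatory)] [byte[]] $Bytes,
        [string[]] $AuthorizedServers = @()   # server identifiers you expect in OFFER/ACK
    )
    $msgTypes = @{ 1 = 'DHCPDISCOVER'; 2 = 'DHCPOFFER'; 3 = 'DHCPREQUEST'; 4 = 'DHCPDECLINE'
                   5 = 'DHCPACK';      6 = 'DHCPNAK';   7 = 'DHCPRELEASE'; 8 = 'DHCPINFORM' }
    $ip  = { param($b) (@($b) -join '.') }                                   # 4 bytes -> dotted quad
    $u32 = { param($b) ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor
                       ([long]$b[2] -shl 8)  -bor  [long]$b[3] }             # big-endian uint32

    # Fixed BOOTP header fields (offsets per RFC 2131)
    $pkt = [ordered]@{
        Direction = $(if ($Bytes[0] -eq 1) { 'client -> server (BOOTREQUEST)' }
                      else                 { 'server -> client (BOOTREPLY)' })
        Xid       = '0x{0:X8}' -f (& $u32 $Bytes[4..7])
        Broadcast = ($Bytes[10] -band 0x80) -ne 0     # client asked for broadcast replies
        ClientMac = ($Bytes[28..33] | ForEach-Object { '{0:X2}' -f $_ }) -join ':'
        YourIP    = & $ip $Bytes[16..19]              # yiaddr: the address being offered/assigned
    }
    # The magic cookie 63 82 53 63 must precede the options area
    if (-not ($Bytes[236] -eq 0x63 -and $Bytes[237] -eq 0x82 -and
              $Bytes[238] -eq 0x53 -and $Bytes[239] -eq 0x63)) {
        throw 'Not a DHCP packet: magic cookie missing'
    }
    $i = 240
    while ($i -lt $Bytes.Length) {
        $code = [int]$Bytes[$i]
        if ($code -eq 255) { break }           # End option
        if ($code -eq 0)   { $i++; continue }  # Pad option has no length byte
        $len = [int]$Bytes[$i + 1]
        $val = if ($len -gt 0) { @($Bytes[($i + 2)..($i + 1 + $len)]) } else { @() }
        switch ($code) {
            1  { $pkt['SubnetMask']   = & $ip $val }
            3  { $pkt['Router']       = & $ip $val }
            6  { $pkt['DnsServers']   = (0..(($val.Count / 4) - 1) |
                                          ForEach-Object { & $ip $val[($_ * 4)..($_ * 4 + 3)] }) -join ', ' }
            50 { $pkt['RequestedIP']  = & $ip $val }
            51 { $pkt['LeaseSeconds'] = & $u32 $val }
            53 { $pkt['MessageType']  = $msgTypes[[int]$val[0]] }
            54 { $pkt['ServerIdentifier'] = & $ip $val
                 if ($AuthorizedServers.Count -gt 0) {
                     $pkt['ServerAuthorized'] = $AuthorizedServers -contains $pkt['ServerIdentifier']
                 } }
            default { $pkt["Option$code"] = ($val | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' }
        }
        $i += 2 + $len
    }
    [pscustomobject]$pkt
}

function New-SampleDhcpOffer {
    # Constructed DHCPOFFER: server 192.168.1.1 offering 192.168.1.100 for one day.
    $p = New-Object System.Collections.Generic.List[byte]
    $p.AddRange([byte[]](2, 1, 6, 0))                     # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
    $p.AddRange([byte[]](0x39, 0x03, 0xF3, 0x26))         # xid chosen by the client in DISCOVER
    $p.AddRange([byte[]](0, 0, 0x80, 0))                  # secs, flags (broadcast bit set)
    $p.AddRange([byte[]](0, 0, 0, 0))                     # ciaddr
    $p.AddRange([byte[]](192, 168, 1, 100))               # yiaddr
    $p.AddRange([byte[]](192, 168, 1, 1))                 # siaddr
    $p.AddRange([byte[]](0, 0, 0, 0))                     # giaddr
    $p.AddRange([byte[]](0x00, 0x11, 0x22, 0x33, 0x44, 0x55)); $p.AddRange((New-Object byte[] 10))  # chaddr
    $p.AddRange((New-Object byte[] 192))                  # sname (64) + file (128), unused
    $p.AddRange([byte[]](0x63, 0x82, 0x53, 0x63))         # magic cookie
    $p.AddRange([byte[]](53, 1, 2))                       # option 53: DHCPOFFER
    $p.AddRange([byte[]](54, 4, 192, 168, 1, 1))          # option 54: server identifier
    $p.AddRange([byte[]](51, 4, 0x00, 0x01, 0x51, 0x80))  # option 51: lease 86400 s
    $p.AddRange([byte[]](1, 4, 255, 255, 255, 0))         # option 1: subnet mask
    $p.AddRange([byte[]](3, 4, 192, 168, 1, 1))           # option 3: router
    $p.AddRange([byte[]](6, 8, 192, 168, 1, 10, 192, 168, 1, 11))  # option 6: two DNS servers
    $p.Add([byte]255)                                     # end option
    return ,$p.ToArray()
}

ConvertFrom-DhcpPacket -Bytes (New-SampleDhcpOffer) -AuthorizedServers '192.168.1.1'
```

The decoded object shows MessageType DHCPOFFER, YourIP 192.168.1.100, LeaseSeconds 86400, the mask, router and both DNS servers, and ServerAuthorized True; a capture whose OFFER carries a server identifier outside your list is the first thing to look at when clients get unexpected addresses.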
How can we seize roles?
How can we transfer roles from one DC to another?

What is Kerberos and its process?
http://technet.microsoft.com/en-us/library/bb742516.aspx
What does a system state backup contain?
The following system components are backed up as System State data:
- Registry
- COM+ class registration database
- Boot files, including the system files
- Certificate services database
- Active Directory
- The system volume
If the workstation is a domain controller, the following components are backed up:
- Active Directory (NTDS)
- The system volume (SYSVOL)
If the workstation is a certificate server, then the related data is also backed up. Many security and other disasters can be fixed by restoring System State to a good configuration.
How can you take the backup of a DC?
Are you aware of the ITIL process?
Explain the processes in ITIL like Incident Management, Change Management and Problem Management.
How do you do the patching?
Do you know SCOM and its configuration?
What is the ticketing tool used?
How to upgrade the O/S?
What are all the different modes of an O/S?
Kernel Mode
In Kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system. Crashes in kernel mode are catastrophic; they will halt the entire PC.
User Mode
In User mode, the executing code has no ability to directly access hardware or reference memory. Code running in user mode must delegate to system APIs to access hardware or memory. Due to the protection afforded by this sort of isolation, crashes in user mode are always recoverable. Most of the code running on your computer will execute in user mode.
What are all the files that contain the AD Database?
In the Windows 2000 Active Directory data store, the actual database file is %SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory, including user accounts. Active Directory's database engine is the Extensible Storage Engine (ESE), which is based on the Jet database used by Exchange 5.5 and WINS. The ESE has the capability to grow to 16 terabytes, which would be large enough for 10 million objects. Back to the real world: only the Jet database can manipulate information within the AD datastore.
For information on domain controller configuration to optimize Active Directory, see Optimize Active Directory Disk Performance.
The Active Directory ESE database, NTDS.DIT, consists of the following tables:
Schema table
The types of objects that can be created in the Active Directory, relationships between them, and the optional and mandatory attributes on each type of object. This table is fairly static and much smaller than the data table.
Link table
Contains linked attributes, which contain values referring to other objects in the Active Directory. Take the MemberOf attribute on a user object. That attribute contains values that reference groups to which the user belongs. This is also far smaller than the data table.
Data table
Users, groups, application-specific data, and any other data stored in the Active Directory. The data table can be thought of as having rows where each row represents an instance of an object such as a user, and columns where each column represents an attribute in the schema such as GivenName.

Any idea about virtualization technology?
What is virtual memory?
The purpose of virtual memory is to enlarge the address space, the set of addresses a program can utilize. For example, virtual memory might contain twice as many addresses as main memory. A program using all of virtual memory, therefore, would not be able to fit in main memory all at once. Nevertheless, the computer could execute such a program by copying into main memory those portions of the program needed at any given point during execution.
To facilitate copying virtual memory into real memory, the operating system divides virtual memory into pages, each of which contains a fixed number of addresses. Each page is stored on a disk until it is needed. When the page is needed, the operating system copies it from disk to main memory, translating the virtual addresses into real addresses.

Important port numbers like FTP, Telnet, RDP and DNS?
What is heartbeat?
What is the difference between NTFS and share permissions? What is VSS?
Are you aware of Volume Shadow Copy? Please explain.
Can we use a Linux DNS Server in a 2000 Domain?
GPMC & RSOP in Windows 2003?
How to use the recovery console?
How to take DNS, WINS and DHCP backups? What is the use of terminal services?
And its modes. How is Active Directory scalable?
What is #ulti#aster replication'
5ulti#aster .eplication
Active Directory uses multimaster replication to accomplish the synchroni:ation o! directory in!ormation. True
multimaster replication can be contrasted with other directory services that use a master-slave approach to updates
wherein all updates must be made to the master copy o! the directory and then be replicated to the slave copies. This
system is adequate !or a directory that has a small number o! copies and !or an environment where all o! the changes
can be applied centrally. But this approach does not scale beyond small'si:ed organi:ations nor does it address the
needs o! decentrali:ed organi:ations. 3ith Active Directory no one domain controller is the master. Instead all
domain controllers within a domain are equivalent. 2hanges can be made to any domain controller unli&e a single'
master system where changes must be made to one server. In the single'master system the primary server
replicates the updated in!ormation to all other directory servers in the domain.
3ith multimaster replication it is not necessary !or every domain controller to replicate with every other domain
controller. Instead the system implements a robust set o! connections that determines which domain controllers
replicate to which other domain controllers to ensure that networ&s are not overloaded with replication tra!!ic and that
replication latency is not so long that it causes inconvenience to users. The set o! connections through which
changes are replicated to domain controllers in an enterprise is called the replication topology .
1ultimaster update capability provides high availability o! write access to directory ob"ects because several servers
can contain writable copies o! an ob"ect. 6ach domain controller in the domain can accept updates independently
without communicating with other domain controllers. The system resolves any con!licts in updates to a speci!ic
directory ob"ect. I! updates cease and replication continues all copies o! an ob"ect eventually reach the same value.
The manner in which a directory service stores in!ormation directly determines the per!ormance and scalability o! the
directory service. Directory services must handle a large number o! queries compared to the number o! updates they
must process. A typical ratio o! queries to updates is II:C. By creating multiple copies o! the directory and &eeping
the copies consistent the directory service can handle more queries per second.
1ultimaster replication provides the !ollowing advantages over single'master replication:
I! one domain controller becomes inoperable other domain controllers can continue to update the directory.
In single'master replication i! the primary domain controller becomes inoperable directory updates cannot
ta&e place. (or e7ample i! the !ailed server holds your password and your password has e7pired you
cannot reset your password and there!ore you cannot log on to the domain.
#ervers that are capable o! ma&ing changes to the directory which in 3indows ,555 are domain controllers
can be distributed across the networ& and can be located in multiple physical sites.
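How "all copies of an object eventually reach the same value" when two domain controllers accept conflicting writes, as an added example that is not part of the original page. Each attribute value carries a stamp of (version, originating time, originating DSA identifier) and a conflict is decided by comparing the stamps in that order; the DC names, identifiers and timestamps below are constructed, and the model ignores replication metadata such as USNs and watermarks that real AD uses to decide what to send.

```python
# Added example (not from the original page): a small model of how multimaster
# replication makes every domain controller's copy of an attribute converge on
# one value. Each value carries a stamp (version, originating time, originating
# DSA id); the tuple comparison below applies those tiebreakers in that order.
import itertools


class DomainController:
    def __init__(self, name, dsa_id):
        self.name = name
        self.dsa_id = dsa_id     # stands in for the originating DSA GUID (constructed)
        self.attrs = {}          # attribute -> (value, stamp)

    def originate(self, attr, value, now):
        """Originating write: bump the version and stamp with local time and DSA id."""
        previous = self.attrs.get(attr)
        version = previous[1][0] + 1 if previous else 1
        self.attrs[attr] = (value, (version, now, self.dsa_id))

    def replicate_from(self, source):
        """Inbound replication: accept an attribute only when its stamp beats ours.
        Returns the names of the attributes that changed."""
        changed = []
        for attr, (value, stamp) in source.attrs.items():
            mine = self.attrs.get(attr)
            if mine is None or stamp > mine[1]:
                self.attrs[attr] = (value, stamp)
                changed.append(attr)
        return changed


def converge(dcs, rounds=2):
    """Replicate between every ordered pair of DCs a few times. The topology only
    changes how fast the outcome is reached, not what it is."""
    for _ in range(rounds):
        for src, dst in itertools.permutations(dcs, 2):
            dst.replicate_from(src)


def agreed_value(dcs, attr):
    """Return (True, value) when every DC holds the same value, else (False, None)."""
    values = {dc.attrs[attr][0] for dc in dcs if attr in dc.attrs}
    return (True, values.pop()) if len(values) == 1 else (False, None)


def build_domain():
    # three DCs whose ids sort DC3 > DC2 > DC1; the id matters only for exact ties
    dcs = [DomainController("DC1", "11111111-dsa"), DomainController("DC2", "22222222-dsa"),
           DomainController("DC3", "33333333-dsa")]
    dcs[0].originate("description", "initial", now=100)
    converge(dcs)
    return dcs


def later_write_wins():
    """Two DCs update the same attribute before replicating: both writes carry
    version 2, so the later originating time wins."""
    dc1, dc2, dc3 = build_domain()
    dc1.originate("description", "set on DC1", now=200)
    dc2.originate("description", "set on DC2", now=201)
    converge([dc1, dc2, dc3])
    return agreed_value([dc1, dc2, dc3], "description")


def dsa_id_breaks_exact_tie():
    """Same version and same timestamp: the originating DSA id decides, so every
    DC still picks the same winner without talking to a master."""
    dc1, dc2, dc3 = build_domain()
    dc1.originate("description", "set on DC1", now=200)
    dc2.originate("description", "set on DC2", now=200)
    converge([dc1, dc2, dc3])
    return agreed_value([dc1, dc2, dc3], "description")


def stale_dc_cannot_overwrite():
    """A DC that still holds version 1 cannot push the old value back over a newer one."""
    dc1, dc2, dc3 = build_domain()
    dc1.originate("description", "updated", now=300)
    changed = dc1.replicate_from(dc3)      # dc3 has only the version-1 value
    return dc1.attrs["description"][0], changed
```

The third scenario is the one that matters operationally: a domain controller that has been offline cannot resurrect old values when it comes back, because its stamps lose to every later originating write.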

Define each of the following names: DN, RDN, GUID, UPN. What is the primary reason for defining an OU?
What is the difference between a site link and a connection object?
What is the booting process?

1. First is the POST, which stands for Power On Self Test for the computer. This process tests memory as well
as a number of other subsystems. You can usually monitor this as it runs each test. After that is complete,
the system will run POST for any device that has a BIOS (Basic Input-Output System). An AGP card has its own
BIOS, as do some network cards and various other devices.
2. Once the POST is complete and the BIOS is sure that everything is working properly, the BIOS will then
attempt to read the MBR (Master Boot Record). This is the first sector of the first hard drive (called the
Master or HD0). When the MBR takes over, it means that Windows is now in control.
3. The MBR looks at the BOOT SECTOR (the first sector of the active partition). That is where NTLDR is
located; NTLDR is the BOOT LOADER for Windows XP. NTLDR will allow memory addressing, initiate the
file system, read the boot.ini and load the boot menu. NTLDR has to be in the root of the active partition, as
do NTDETECT.COM, BOOT.INI, BOOTSECT.DOS (for multi-OS booting) and NTBOOTDD.SYS (if you
have SCSI adapters).
4. Once XP is selected from the Boot Menu, NTLDR will run NTDETECT.COM, BOOT.INI and
BOOTSECT.DOS to get the proper OS selected and loaded. The system starts in 16-bit real mode and then
moves into 32-bit protected mode.
5. NTLDR will then load NTOSKRNL.EXE and HAL.DLL. Effectively these two files are Windows XP. They
must be located in %SystemRoot%\System32.
6. NTLDR reads the registry, chooses a hardware profile and authorizes device drivers, in that exact order.
7. At this point NTOSKRNL.EXE takes over. It starts WINLOGON.EXE, which in turn starts LSASS.EXE; this is
the program that displays the Logon screen so that you can log on.
Which command is used to create the application directory partition?
dnscmd ServerName /CreateDirectoryPartition FQDN_of_partition
creates the partition; dnscmd ServerName /EnlistDirectoryPartition FQDN_of_partition enlists an additional DNS
server in a partition that already exists.
Default settings for password policy

What will be the next action plan if we get a hardware alert?

What will be the next action plan if a customer reports that a server is down?

What is Loopback Group Policy?
Ans:- Group Policy applies to the user or computer in a manner that depends on where both the user and the
computer objects are located in Active Directory. However, in some cases, users may need policy applied to them
based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group
Policy Objects (GPOs) that depend only on which computer the user logs on to.
TCP/UDP ports used in Windows?
Ans:- http://yourcomputer.in/list-port-numbers-windows/
Also click this link for more AD questions: http://yourcomputer.in/wintel-interview-questions-and-answers

What is dhcp ?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that
enables a server to automatically assign an IP address to a computer from a
defined range of numbers (i.e., a scope) configured for a given network.
What is the dhcp process for client machine?
1. A user turns on a computer with a DHCP client.
2. The client computer sends a broadcast request (called a DISCOVER or
DHCPDISCOVER), looking for a DHCP server to answer.
3. The router directs the DISCOVER packet to the correct DHCP server.
4. The server receives the DISCOVER packet. Based on availability and
usage policies set on the server, the server determines an appropriate
address (if any) to give to the client. The server then temporarily reserves that
address for the client and sends back to the client an OFFER (or
DHCPOFFER) packet with that address information. The server also
configures the client's DNS servers, WINS servers, NTP servers, and
sometimes other services as well.
5. The client sends a REQUEST (or DHCPREQUEST) packet, letting the
server know that it intends to use the address.
6. The server sends an ACK (or DHCPACK) packet, confirming that the client
has been given a lease on the address for a server-specified period of time.
What is dhcp scope ?
DHCP scopes are used to define ranges of addresses from which a DHCP
server can assign IP addresses to clients.
Types of scopes in windows dhcp ?
Normal Scope: allows Class A, B and C IP address ranges to be specified,
including subnet masks, exclusions and reservations. Each normal scope
defined must exist within its own subnet.
Multicast Scope: used to assign IP address ranges for Class D networks.
Multicast scopes do not have subnet masks, reservations or other TCP/IP
options. Multicast scope address ranges require that a Time To Live (TTL)
value be specified (essentially the number of routers a packet can pass
through on the way to its destination).
Superscope: essentially a collection of scopes grouped together such that
they can be enabled and disabled as a single entity.
What is Authorizing DHCP Servers in Active Directory ?
If a DHCP server is to operate within an Active Directory domain (and is not
running on a domain controller) it must first be authorized.
This can be achieved either as part of the DHCP Server role installation, or
subsequently using either DHCP console or at the command prompt using the
netsh tool.
If the DHCP server was not authorized during installation, invoke the DHCP
console (Start -> All Programs -> Administrative Tools -> DHCP),
right click on the DHCP to be authorized and select Authorize. To achieve the
same result from the command prompt, enter the following command:
netsh dhcp server serverID initiate auth
In the above command syntax, serverID is replaced by the IP address or full
UNC name of the system on which the DHCP server is installed.
What ports are used by DHCP and the DHCP clients ?
Requests are on UDP port 68, Server replies on UDP 67 .
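Both sides of the DISCOVER / OFFER / REQUEST / ACK exchange described above, together with a scope that has an exclusion and a reservation, as an added example that is not part of the original page. The messages are encoded in the real DHCP wire format (RFC 2131 fixed header, magic cookie, option TLVs) but handed to the server in-process rather than sent over UDP 67/68; the scope range, addresses and MAC addresses are constructed, and the server is deliberately minimal (no lease expiry, no relay-agent handling).

```python
# Added example (not from the original page): client and server side of the DORA
# exchange with messages in the RFC 2131 wire format, plus a scope with an
# exclusion and a MAC reservation. Addresses and MACs are constructed.
import struct
from ipaddress import IPv4Address

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68        # server listens on 67, client on 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6  # option 53 message types
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"               # 236 bytes before the cookie


def build(op, xid, mac, yiaddr, options):
    """Encode a DHCP message; options is a list of (code, value_bytes)."""
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
                         IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"    # 0xff = end option


def parse(msg):
    """Decode a message into (xid, yiaddr, mac, {option_code: value_bytes})."""
    fields = struct.unpack_from(HEADER, msg)
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while msg[i] != 0xff:
        if msg[i] == 0:                  # pad option carries no length byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return fields[4], IPv4Address(fields[8]), fields[11][:6], opts


class Scope:
    """Address range with exclusions and MAC-based reservations, as in the DHCP console."""
    def __init__(self, start, end, mask, exclusions=(), reservations=None, lease_secs=28800):
        first, last = int(IPv4Address(start)), int(IPv4Address(end))
        self.pool = [IPv4Address(n) for n in range(first, last + 1)]
        self.excluded = {IPv4Address(a) for a in exclusions}
        self.reservations = {m: IPv4Address(a) for m, a in (reservations or {}).items()}
        self.mask, self.lease_secs = IPv4Address(mask), lease_secs
        self.leases = {}                 # mac -> IPv4Address

    def allocate(self, mac):
        if mac in self.reservations:
            return self.reservations[mac]
        if mac in self.leases:           # a renewing client keeps its address
            return self.leases[mac]
        taken = set(self.leases.values()) | self.excluded | set(self.reservations.values())
        for ip in self.pool:
            if ip not in taken:
                self.leases[mac] = ip
                return ip
        raise RuntimeError("scope exhausted")


class Server:
    def __init__(self, ip, scope, dns):
        self.ip, self.scope, self.dns = IPv4Address(ip), scope, IPv4Address(dns)

    def handle(self, msg):
        xid, _, mac, opts = parse(msg)
        ip = self.scope.allocate(mac)
        if opts[53][0] == DISCOVER:
            reply = OFFER
        elif opts[53][0] == REQUEST and 50 in opts and IPv4Address(opts[50]) == ip:
            reply = ACK
        else:                            # REQUEST for an address we never offered
            return build(BOOTREPLY, xid, mac, "0.0.0.0", [(53, bytes([NAK]))])
        options = [(53, bytes([reply])), (54, self.ip.packed), (1, self.scope.mask.packed),
                   (51, struct.pack("!I", self.scope.lease_secs)), (6, self.dns.packed)]
        return build(BOOTREPLY, xid, mac, str(ip), options)


def client_exchange(server, mac, xid=0x3903F326):
    """Client side of DORA; returns (leased ip, dns server, lease seconds, reply types)."""
    discover = build(BOOTREQUEST, xid, mac, "0.0.0.0", [(53, bytes([DISCOVER]))])
    _, offered, _, offer = parse(server.handle(discover))
    request = build(BOOTREQUEST, xid, mac, "0.0.0.0",
                    [(53, bytes([REQUEST])), (50, offered.packed), (54, offer[54])])
    _, leased, _, ack = parse(server.handle(request))
    if ack[53][0] != ACK:
        return None
    return (str(leased), str(IPv4Address(ack[6])), struct.unpack("!I", ack[51])[0],
            [offer[53][0], ack[53][0]])


def demo():
    """Constructed scope 192.168.10.100-110 with .100 excluded and .105 reserved."""
    scope = Scope("192.168.10.100", "192.168.10.110", "255.255.255.0",
                  exclusions=["192.168.10.100"],
                  reservations={bytes.fromhex("aabbccddeeff"): "192.168.10.105"})
    server = Server("192.168.10.1", scope, "192.168.10.2")
    laptop, printer = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
    first = client_exchange(server, laptop)        # skips the excluded .100
    reserved = client_exchange(server, printer)    # gets its reservation
    renewed = client_exchange(server, laptop)      # same client keeps its lease
    rogue = build(BOOTREQUEST, 7, laptop, "0.0.0.0",      # asks for an address never offered
                  [(53, bytes([REQUEST])), (50, bytes([192, 168, 10, 109]))])
    nak = parse(server.handle(rogue))[3][53][0]
    return first, reserved[0], renewed[0], nak
```

The NAK path is worth keeping in mind when reading DHCP server logs: a client that REQUESTs an address the server never offered (for example, one it kept from another network) is refused and must start over with a new DISCOVER.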
List some Benefits of using DHCP
DHCP provides the following benefits for administering your TCP/IP-based
network:
Safe and reliable configuration. DHCP avoids configuration errors caused by
the need to manually type in values at each computer. Also, DHCP helps
prevent address conflicts caused by a previously assigned IP address being
reused to configure a new computer on the network.
Reduces configuration management. Using DHCP servers can greatly
decrease the time spent configuring and reconfiguring computers on your
network. Servers can be configured to supply a full range of additional
configuration values when assigning address leases. These values are
assigned using DHCP options. Also, the DHCP lease renewal process helps
assure that where client configurations need to be updated often (such as
users with mobile or portable computers who change locations frequently),
these changes can be made efficiently and automatically by clients
communicating directly with DHCP servers.
The following section covers issues that affect the use of the DHCP Server
service with other services or network configurations: using DNS servers
with DHCP, using Routing and Remote Access servers with DHCP, and
multihomed DHCP servers.
Describe the process of installing a DHCP server in an AD
infrastructure ?
Open Windows Components Wizard. Under Components , scroll to and click
Networking Services. Click Details . Under Subcomponents of Networking
Services , click Dynamic Host Configuration Protocol (DHCP) and then click
OK .
Click Next . If prompted, type the full path to the Windows Server 2003
distribution files, and then click Next. Required files are copied to your hard
disk.
How to authorize a DHCP server in Active Directory?
1. Open DHCP. In the console tree, click DHCP.
2. On the Action menu, click Manage authorized servers. The Manage
Authorized Servers dialog box appears.
3. Click Authorize.
4. When prompted, type the name or IP address of the DHCP server to be
authorized, and then click OK.
What is DHCPINFORM?
DHCPInform is a DHCP message used by DHCP clients to obtain DHCP
options. While PPP remote access clients do not use DHCP to obtain IP
addresses for the remote access connection, Windows 2000 and Windows 98
remote access clients use the DHCPInform message to obtain DNS server IP
addresses, WINS server IP addresses, and a DNS domain name.
The DHCPInform message is sent after the IPCP negotiation is concluded.
The DHCPInform message received by the remote access server is then
forwarded to a DHCP server. The remote access server forwards
DHCPInform messages only if it has been configured with the DHCP Relay
Agent.
Describe the integration between DHCP and DNS?
Traditionally, DNS and DHCP servers have been configured and managed
one at a time. Similarly, changing authorization rights for a particular user on a
group of devices has meant visiting each one and making configuration
changes.
DHCP integration with DNS allows the aggregation of these tasks across
devices, enabling a company's network services to scale in step with the
growth of network users, devices, and policies, while reducing administrative
operations and costs. This integration provides practical operational
efficiencies that lower total cost of ownership.
Creating a DHCP network automatically creates an associated DNS zone, for
example, reducing the number of tasks required of network administrators.
And integration of DNS and DHCP in the same database instance provides
unmatched consistency between service and management views of IP
address-centric network services da
InterviewFAQ: Windows Server Group Policy Interview Questions (posted 23 Sep, Active Directory category)


Below is the list of Windows Server Group Policy Interview Questions Asked
in Windows System Administrator / L1/l2/l3 Support Engineer Interviews.
What is group policy in active directory ? What are Group Policy objects
(GPOs)?
Group Policy objects, other than the local Group Policy object, are virtual
objects. The policy setting information of a GPO is actually stored in two
locations: the Group Policy container and the Group Policy template.
The Group Policy container is an Active Directory container that stores GPO
properties, including information on version, GPO status, and a list
of components that have settings in the GPO.
The Group Policy template is a folder structure within the file system that
stores Administrative Template-based policies, security settings, script files,
and information regarding applications that are available for Group Policy
Software Installation.
The Group Policy template is located in the system volume folder (Sysvol) in
the Policies subfolder for its domain.
What is the order in which GPOs are applied ?
Group Policy settings are processed in the following order:
1.Local Group Policy object : Each computer has exactly one Group Policy
object that is stored locally. This processes for both computer and user Group
Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs
to are processed next. Processing is in the order that is specified by the
administrator, on the Linked Group Policy Objects tab for the site in Group
Policy Management Console (GPMC). The GPO with the lowest link order is
processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the
order specified by the administrator, on the Linked Group Policy Objects tab
for the domain in GPMC. The GPO with the lowest link order is processed
last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is
highest in the Active Directory hierarchy are processed first, then GPOs that are
linked to its child organizational unit, and so on. Finally, the GPOs that are
linked to the organizational unit that contains the user or computer are
processed.
At the level of each organizational unit in the Active Directory hierarchy, one,
many, or no GPOs can be linked. If several GPOs are linked to an
organizational unit, their processing is in the order that is specified by the
administrator, on the Linked Group Policy Objects tab for the organizational
unit in GPMC.
The GPO with the lowest link order is processed last, and therefore has the
highest precedence.
This order means that the local GPO is processed first, and GPOs that are
linked to the organizational unit of which the computer or user is a direct
member are processed last, which overwrites settings in the earlier GPOs if
there are conflicts. (If there are no conflicts, then the earlier and later settings
are merely aggregated.)
How to backup/restore Group Policy objects ?
Begin the process by logging on to a Windows Server 2008 domain controller,
and opening the Group Policy Management console. Now, navigate through
the console tree to Group Policy Management | Forest: | Domains | | Group
Policy Objects.
When you do, the details pane should display all of the group policy objects
that are associated with the domain. In Figure A there are only two group
policy objects, but in a production environment you may have many more. The
Group Policy Objects container stores all of the group policy objects for the
domain.
Now, right-click on the Group Policy Objects container, and choose the Back
Up All command from the shortcut menu. When you do, Windows will open
the Back Up Group Policy Object dialog box.
As you can see in Figure B, this dialog box requires you to provide the path to
which you want to store the backup files. You can either store the backups in
a dedicated folder on a local drive, or you can place them in a folder on a
mapped network drive. The dialog box also contains a Description field that
you can use to provide a description of the backup that you are creating.
You must provide the path to which you want to store your backup of the
group policy objects.
To initiate the backup process, just click the Back Up button. When the
backup process completes, you should see a dialog box that tells you how
many group policy objects were successfully backed up. Click OK to close the
dialog box, and you're all done.
When it comes to restoring a backup of any Group Policy Object, you have
two options. The first option is to right-click on the Group Policy Object, and
choose the Restore From Backup command from the shortcut menu. When
you do this, Windows will remove all of the individual settings from the Group
Policy Object, and then implement the settings found in the backup.
Your other option is to right-click on the Group Policy Object you want to
restore, and choose the Import Settings option. This option works more like a
merge than a restore.
Any settings that presently reside within the Group Policy Object are retained
unless there are contradictory settings within the file that is being imported.
You want to standardize the desktop environments (wallpaper, My
Documents, Start menu, printers etc.) on the computers in one
department. How would you do that?
Go to Start -> Programs -> Administrative Tools -> Active Directory Users and
Computers.
Right-click on the domain -> click Properties.
In the new window, click on the Group Policy tab.
Select the Default Policy -> click Edit.
In the Group Policy console,
go to User Configuration -> Administrative Templates -> Start Menu and Taskbar.
Select each property you want to modify, and do the same for the other settings.
What's the difference between software publishing and assigning?
Assign Users :The software application is advertised when the user logs on. It
is installed when the user clicks on the software application icon via the start
menu, or accesses a file that has been associated with the software
application.
Assign Computers: The software application is advertised and installed when
it is safe to do so, such as when the computer is next restarted.
Publish to users : The software application does not appear on the start menu
or desktop. This means the user may not know that the software is available.
The software application is made available via the Add/Remove Programs
option in control panel, or by clicking on a file that has been associated with
the application. Published applications do not reinstall themselves in the event
of accidental deletion, and it is not possible to publish to computers.
What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft
technology for centralised management of machines and users in an Active
Directory environment. Administrative Templates facilitate the management of
registry-based policy. An ADM file is used to describe both the user interface
presented to the Group Policy administrator and the registry keys that should
be updated on the target machines.
An ADM file is a text file with a specific syntax which describes both the
interface and the registry values which will be changed if the policy is enabled
or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit).
Windows XP Service Pack 2 shipped with five ADM files (system.adm,
inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged
into a unified namespace in GPEdit and presented to the administrator under
the Administrative Templates node (for both machine and user policy).
Can I deploy non-MSI software with GPO?
Yes: create a file with the .zap extension for the application. ZAP packages can only be published, not assigned.
Name some GPO settings in the computer and user parts?
Group Policy Object (GPO) settings are split into two parts: Computer
Configuration and User Configuration.
A user claims he did not receive a GPO, yet his user and computer
accounts are in the right OU, and everyone else there gets the GPO.
What will you look for?
Make sure the user is not subject to a loopback policy: with loopback
processing the user settings are not applied, only the computer policy is
applicable. Also check whether he is a member of the group the GPO is
filtered to.
You may also want to check the computer's event logs. If you find event ID
1085, then you may want to download the patch to fix this and reboot the
computer.
How can I override blocking of inheritance ?
What can I do to prevent inheritance from above?
Name a few benefits of using GPMC.
How frequently is the client policy refreshed?
Every 90 minutes, give or take (a random offset is added).
Where is secedit?
It's now gpupdate.
What can be restricted on Windows Server 2003 that wasn't there in
previous products?
Group Policy in Windows Server 2003 determines a user's right to modify
network and dial-up TCP/IP properties. Users may be selectively restricted
from modifying their IP address and other network configuration parameters.
You want to create a new group policy but do not wish to inherit.
Make sure you check Block inheritance among the options when creating
the policy.
How do the Group Policy No Override and Block Inheritance options work?
Group Policies can be applied at multiple levels (sites, domains,
organizational units) and multiple GPs for each level. Obviously it may be
that some policy settings conflict, hence the application order of Site, Domain,
Organizational Unit, and within each layer you set the order for all defined policies,
but you may want to force some policies to never be overridden (No Override)
and you may want some containers to not inherit settings from a parent
container (Block Inheritance).
A good definition of each is as follows:
No Override: this prevents child containers from overriding policies set at
higher levels.
Block Inheritance: stops containers inheriting policies from parent containers.
No Override takes precedence over Block Inheritance, so if a child container
has Block Inheritance set but on the parent a group policy has No Override
set, then it will get applied.
Also, the highest No Override takes precedence over lower No Overrides set.
To block inheritance perform the following:
1. Start the Active Directory Users and Computers snap-in (Start ->
Programs -> Administrative Tools -> Active Directory Users and Computers)
2. Right-click on the container you wish to stop inheriting settings from its
parent and select Properties
3. Select the Group Policy tab
4. Check the Block Policy inheritance option
5. Click Apply then OK
To set a policy to never be overridden perform the following:
1. Start the Active Directory Users and Computers snap-in (Start -> Programs ->
Administrative Tools -> Active Directory Users and Computers)
2. Right-click on the container you wish to set a Group Policy to not be
overridden and select Properties
3. Select the Group Policy tab
4. Click Options
5. Check the No Override option
6. Click OK
7. Click Apply then OK
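The precedence rules from the two answers above (the Local, Site, Domain, OU order with link order, Block Inheritance, No Override, which GPMC calls "Enforced", and the loopback modes described earlier on this page), worked through as an added example that is not part of the original page. The GPO names, containers and settings are constructed; the resolver reproduces the stated rules rather than the client-side extension machinery Windows actually uses.

```python
# Added example (not from the original page): a model of the Local, Site, Domain,
# OU processing order with link order, Block Inheritance, No Override/Enforced and
# loopback processing. GPOs, containers and settings are constructed for the example.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict               # setting name -> value


@dataclass
class Link:
    gpo: GPO
    order: int                   # link order in the console; 1 has the highest precedence
    enforced: bool = False       # No Override


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(path):
    """path runs from the root (site) down to the container holding the object.
    Returns GPO names in application order; a later GPO overrides an earlier one."""
    # Block Inheritance discards every non-enforced GPO linked above that container
    blocks = [i for i, c in enumerate(path) if c.block_inheritance]
    first_visible = max(blocks) if blocks else 0

    def by_order(c):             # highest order number first, so link order 1 is applied last
        return sorted(c.links, key=lambda l: l.order, reverse=True)

    normal = [l.gpo.name for i, c in enumerate(path) if i >= first_visible
              for l in by_order(c) if not l.enforced]
    # enforced GPOs apply after all the others; the one nearest the root is applied last
    enforced = [l.gpo.name for c in reversed(path) for l in by_order(c) if l.enforced]
    return normal + enforced


def effective_settings(user_path, computer_path=None, loopback=None, local_gpo=None):
    """Resolve the user's settings. loopback=None is normal processing; "replace" applies
    only the GPO list of the computer's location; "merge" applies the user's list first
    and the computer's list after it, so computer-side GPOs win on conflict."""
    containers = list(user_path) + list(computer_path or [])
    gpos = {l.gpo.name: l.gpo for c in containers for l in c.links}
    if loopback == "replace":
        names = processing_order(computer_path)
    elif loopback == "merge":
        names = processing_order(user_path) + processing_order(computer_path)
    else:
        names = processing_order(user_path)
    result = dict(local_gpo.settings) if local_gpo else {}   # the local GPO always goes first
    for name in names:
        result.update(gpos[name].settings)
    return result


def demo():
    """Sales OU blocks inheritance; the domain's Security Baseline is enforced anyway."""
    default_domain = GPO("Default Domain Policy", {"min_pwd_len": 7, "wallpaper": "corp.jpg"})
    baseline = GPO("Security Baseline", {"screensaver_timeout": 600, "wallpaper": "baseline.jpg"})
    sales_desktop = GPO("Sales Desktop", {"wallpaper": "sales.jpg", "screensaver_timeout": 900,
                                          "home_drive": "H:"})
    sales_printers = GPO("Sales Printers", {"home_drive": "P:", "default_printer": "SalesLaser"})
    kiosk = GPO("Kiosk Lockdown", {"start_menu": "locked", "wallpaper": "kiosk.jpg"})

    site = Container("HQ-Site")
    domain = Container("corp.example", [Link(default_domain, 1), Link(baseline, 2, enforced=True)])
    sales = Container("OU=Sales", [Link(sales_desktop, 1), Link(sales_printers, 2)],
                      block_inheritance=True)
    kiosks = Container("OU=Kiosks", [Link(kiosk, 1)])

    user_path, computer_path = [site, domain, sales], [site, domain, kiosks]
    results = {
        "order": processing_order(user_path),
        "blocked": effective_settings(user_path),
        "replace": effective_settings(user_path, computer_path, loopback="replace"),
        "merge": effective_settings(user_path, computer_path, loopback="merge"),
    }
    sales.block_inheritance = False
    results["unblocked"] = effective_settings(user_path)
    return results
```

In demo() the blocked Sales OU still ends up with the baseline wallpaper and screensaver timeout because the domain GPO is enforced, while the non-enforced Default Domain Policy (and its password length) is dropped; within the OU, "Sales Desktop" at link order 1 beats "Sales Printers" at link order 2 for the home drive.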

Windows Active directory Interview Questions, User Submitted Part 10 (posted 21 Sep, Active Directory category)

What is sites ? What are they used for ?
One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and
replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that
hosts networks. Sites contain objects called Subnets.
Sites can be used to Assign Group Policy Objects, facilitate the discovery of
resources, manage active directory replication, and manage network link
traffic.
Sites can be linked to other Sites. Site-linked objects may be assigned a cost
value that represents the speed, reliability, availability, or other real property of
a physical resource. Site Links may also be assigned a schedule.
Trying to look at the Schema, how can I do that ?
Register schmmgmt.dll using this command:
C:\Windows\System32>regsvr32 schmmgmt.dll
Open mmc > Add Snap-in > add Active Directory Schema
Save it as schema.msc
Open Administrative Tools > schema.msc
What is the port no of Kerbrose ?
88
What is the port no of Global catalog ?
3268
What is the port no of LDAP ?
389
Explain Active Directory Schema ?
Windows 2000 and Windows Server 2003 Active Directory uses a database
set of rules called the Schema. The Schema is defined as the formal definition of
all object classes, and the attributes that make up those object classes, that
can be stored in the directory. As mentioned earlier, the Active Directory
database includes a default Schema, which defines many object classes,
such as users, groups, computers, domains, organizational units, and so on.
These objects are also known as Classes. The Active Directory Schema can
be dynamically extensible, meaning that you can modify the schema by
defining new object types and their attributes and by defining new attributes
for existing objects. You can do this either with the Schema Manager snap-in
tool included with Windows 2000/2003 Server, or programmatically.
How can you forcibly remove AD from a server, and what do you do
later? Can I get user passwords from the AD database?
With dcpromo /forceremoval, an administrator can forcibly remove Active
Directory and roll back the system without having to contact or replicate any
locally held changes to another DC in the forest. Reboot the server. After
you use the dcpromo /forceremoval command, all the remaining metadata for
the demoted DC is not deleted on the surviving domain controllers, and
therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can
use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You
will need the following tools: Ntdsutil.exe, Active Directory Sites and Services,
Active Directory Users and Computers.
What are the FSMO roles? Who has them by default? What happens
when each one fails?
Flexible Single Master Operation (FSMO) role. Currently there are five FSMO
roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
What is domain tree ?
Domain Trees: A domain tree comprises several domains that share a
common schema and configuration, forming a contiguous namespace.
Domains in a tree are also linked together by trust relationships. Active
Directory is a set of one or more trees.
Trees can be viewed two ways. One view is the trust relationships between
domains. The other view is the namespace of the domain tree.
What are forests?
A collection of one or more domain trees with a common schema and implicit
trust relationships between them. This arrangement would be used if you have
multiple root DNS addresses.
How to Select the Appropriate Restore Method ?
You select the appropriate restore method by considering the
circumstances and characteristics of the failure. The two major categories of
failure, from an Active Directory perspective, are Active Directory data
corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt
data that has been replicated to all domain controllers or when a large portion
of the Active Directory hierarchy has been changed accidentally (such as
deletion of an OU) and this change has replicated to other domain controllers.
Where are the Windows NT Primary Domain Controller (PDC) and its
Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a
multimaster peer-to-peer read and write relationship that hosts copies of the
Active Directory.
What is Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries
about objects across a forest or tree. Every domain has at least one GC that
is hosted on a domain controller. In Windows 2000, there was typically one
GC on every site in order to prevent user logon failures across the network.
How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These
changes include account and individual user lockout policies, changes to
password policies, changes to computer account passwords, and
modifications to the Local Security Authority (LSA).
When should you create a forest?
Organizations that operate on radically different bases may require separate
trees with distinct namespaces. Unique trade or brand names often give rise
to separate DNS identities. Organizations merge or are acquired and naming
continuity is desired. Organizations form partnerships and joint ventures.
While access to common resources is desired, a separately defined tree can
enforce more direct administrative and security restrictions.
Describe the process of working with an external domain name ?
If it is not possible for you to configure your internal domain as a subdomain of
your external domain, use a stand-alone internal domain. This way, your
internal and external domain names are unrelated. For example, an
organization that uses the domain name contoso.com for their external
namespace uses the name corp.internal for their internal namespace.
The advantage to this approach is that it provides you with a unique internal
domain name. The disadvantage is that this configuration requires you to
manage two separate namespaces. Also, using a stand-alone internal domain
that is unrelated to your external domain might create confusion for users
because the namespaces do not reflect a relationship between resources
within and outside of your network.
In addition, you might have to register two DNS names with an Internet name
authority if you want to make the internal domain publicly accessible.
Windows Active directory Interview Questions, User Submitted Part 8 (posted 21 Sep, Active Directory category)

Got a list of some Active Directory Interview Questions submitted by User :
Noel.
What is the default size of ntds.dit ?
10 MB in Server 2000 and 12 MB in Server 2003 .
Where is the AD database held and what are other folders related to
AD?
The AD database is saved in %systemroot%\NTDS. You can see other files also in
this folder. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation,
Win2K records the transaction in the log file (edb.log). Once written to the log
file, the change is then written to the AD database. System performance
determines how fast the system writes the data to the AD database from the
log file. Any time the system is shut down, all transactions are saved to the
database.
During the installation of AD, Windows creates two files: res1.log and res2.log.
The initial size of each is 10MB. These files are used to ensure that changes
can be written to disk should the system run out of free disk space. The
checkpoint file (edb.chk) records transactions committed to the AD database
(ntds.dit). During shutdown, a shutdown statement is written to the edb.chk
file.
Then, during a reboot, AD determines that all transactions in the edb.log file
have been committed to the AD database. If, for some reason, the edb.chk file
doesnt exist on reboot or the shutdown statement isnt present, AD will use
the edb.log file to update the AD database. The last file in our list of files to
know is the AD database itself, ntds.dit. By default, the file is located inNTDS,
along with the other files weve discussed
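As an added example (not part of the original page), the following PowerShell locates the files listed above through the NTDS service's registry values, reports their sizes and warns when the volume that holds them is running low on space, which is the condition the reserve logs exist to cushion. It assumes it runs locally on a domain controller with administrative rights.

```powershell
# Added example: report ntds.dit, edb.log, edb.chk and the reserve logs, located via
# the NTDS service parameters, plus the free space on the volume that hosts them.
# Assumes: run locally on a domain controller as an administrator.
function Get-NtdsFileReport {
    param([int]$MinFreeMB = 500)   # warning threshold; choose one that suits the server

    $params  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile  = $params.'DSA Database file'         # e.g. C:\Windows\NTDS\ntds.dit
    $logPath = $params.'Database log files path'   # folder holding edb.log, edb.chk, res*.log

    # Reserve logs are res1.log/res2.log on Windows 2000/2003; later versions name them
    # edbres00001.jrs/edbres00002.jrs, so both patterns are matched.
    $logFiles = Get-ChildItem -Path $logPath |
        Where-Object { -not $_.PSIsContainer -and
                       $_.Name -match '^(edb\.log|edb\.chk|edb[0-9A-F]+\.log|res\d\.log|edbres\d+\.jrs)$' }

    $report = foreach ($item in @(Get-Item -Path $dbFile) + @($logFiles)) {
        New-Object psobject -Property @{
            File      = $item.FullName
            SizeMB    = [math]::Round($item.Length / 1MB, 2)
            LastWrite = $item.LastWriteTime
        }
    }
    $report | Format-Table File, SizeMB, LastWrite -AutoSize | Out-Host

    # The reserve logs only buy a few MB of headroom; a full volume still stops the DC,
    # so check the free space on the volume that holds the database.
    $driveId = (Get-Item -Path $dbFile).PSDrive.Name + ':'
    $disk    = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$driveId'"
    $freeMB  = [math]::Round($disk.FreeSpace / 1MB)
    if ($freeMB -lt $MinFreeMB) {
        Write-Warning "Only $freeMB MB free on $driveId; AD writes will fail when the volume fills."
    }
    return $freeMB
}

Get-NtdsFileReport
```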
What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a single operation master
method called FSMO (Flexible Single Master Operation), as described in
Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in
the same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process.
However, there are scenarios where an administrator would want to move one or
more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different from the Windows 2000
version when dealing with FSMO placement.
In this article I will only deal with Windows Server 2003 Active Directory, but
you should bear in mind that most considerations are also true when planning
Windows 2000 AD FSMO roles.
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1
installed, you require only the second R2 CD-ROM.
Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue
Setup screen. If you're installing R2 on a domain controller (DC), you must first
upgrade the schema to the R2 version (this is a minor change, mostly related to
the new DFS replication engine).
To update the schema, run the Adprep utility, which you'll find in the
Components\r2\adprep folder on the second CD-ROM.
Before running this command, ensure all DCs are running Windows 2003 or Windows
2000 with SP2 (or later).
Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should
be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows
2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent
potential domain controller corruption.
[User Action] If ALL your existing Windows 2000 domain controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type any other
key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to SAVDALDC01
Logging in as current user using SSPI
Importing directory from file C:\WINDOWS\system32\sch31.ldf
Loading entries... 139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
1. Click the Continue Windows Server 2003 R2 Setup link, as the figure shows.
2. At the Welcome to the Windows Server 2003 R2 Setup Wizard screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your
existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media
(e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click
Next. Note: The license key entered for R2 must match the underlying OS type,
which means if you installed Windows 2003 using a volume-license key, you can't
use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen, which confirms the actions to be
performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box.
Click Finish.
What is an OU?
An Organizational Unit is a container object in which you can keep objects such
as user accounts, groups, computers, printers, applications and other OUs.
In an organizational unit you can assign specific permissions to users.
Organizational units can also be used to create departmental boundaries.
Name some OU design considerations.
OU design requires balancing requirements for delegating administrative rights
independent of Group Policy needs and the need to scope the application of Group
Policy.
The following OU design recommendations address delegation and scope issues:
Applying Group Policy: An OU is the lowest-level Active Directory container to
which you can assign Group Policy settings.
Delegating administrative authority.
Usually don't go more than 3 OU levels deep.
How do you view replication properties for AD partitions and DCs?
By using Replication Monitor (replmon) or repadmin:
go to Start > Run > type repadmin
go to Start > Run > type replmon
Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone lifetime, which is set to only 60 days.
Different modes of AD restore?
A nonauthoritative restore is the default method for restoring Active Directory.
To perform a nonauthoritative restore, you must be able to start the domain
controller in Directory Services Restore Mode. After you restore the domain
controller from backup, replication partners use the standard replication
protocols to update Active Directory and associated information on the restored
domain controller.
An authoritative restore brings a domain or a container back to the state it was
in at the time of backup and overwrites all changes made since the backup. If
you do not want to replicate the changes that have been made since the last
backup operation, you must perform an authoritative restore. In this case you
need to stop inbound replication first, before performing the authoritative
restore.
How do you configure a stand-by operation master for any of the roles?
# Open Active Directory Sites and Services.
# Expand the site name in which the standby operations master is located to
display the Servers folder.
# Expand the Servers folder to see a list of the servers in that site.
# Expand the name of the server that you want to be the standby operations
master to display its NTDS Settings.
# Right-click NTDS Settings, click New, and then click Connection.
# In the Find Domain Controllers dialog box, select the name of the current
role holder, and then click OK.
# In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.
What's the difference between transferring a FSMO role and seizing?
Seizing an FSMO can be a destructive process and should only be attempted if the
existing server with the FSMO is no longer available.
If you perform a seizure of the FSMO roles from a DC, you need to ensure two
things: the current holder is actually dead and offline, and that the old DC
will NEVER return to the network. If you do an FSMO role seize and then bring
the previous holder back online, you'll have a problem.
An FSMO role TRANSFER is the graceful movement of the roles from a live, working
DC to another live DC. During the process, the current DC holding the role(s) is
updated, so it becomes aware it is no longer the role holder.
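The transfer-versus-seize decision above, as an added PowerShell example (not code from the original page): it transfers by default and only seizes when the current holder is unreachable and the caller explicitly accepts that the old DC must never return. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), Domain/Enterprise Admin rights and ICMP reachability to the DCs; "DC02" is a placeholder name.

```powershell
# Added example: move an FSMO role by graceful transfer, falling back to a seize
# (-Force) only when the current holder is down and the caller confirms it will
# never rejoin the network.
# Assumes: ActiveDirectory module, admin rights, ICMP allowed; "DC02" is a placeholder.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory = $true)][string]$TargetDc,
        [Parameter(Mandatory = $true)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster',
                     'SchemaMaster', 'DomainNamingMaster')]
        [string]$Role,
        [switch]$OldHolderIsPermanentlyGone    # must be given for a seize
    )
    # Domain-wide roles are reported by Get-ADDomain, forest-wide roles by Get-ADForest
    $holder = switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain).$Role }
    }
    Write-Host "Current $Role holder: $holder"

    if (Test-Connection -ComputerName $holder -Count 2 -Quiet) {
        # Transfer: the old holder takes part and records that it no longer owns the role
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
            -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $holder to $TargetDc"
    }
    if (-not $OldHolderIsPermanentlyGone) {
        throw ("{0} is unreachable. Re-run with -OldHolderIsPermanentlyGone only if it is " +
               "dead and will never rejoin; otherwise repair it and transfer instead.") -f $holder
    }
    # Seize: the old holder is not updated and would still believe it owns the role,
    # so its metadata must be cleaned up and it must never be brought back online.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole $Role -Force -Confirm:$false
    return "Seized $Role on $TargetDc; remove the metadata of $holder and never reconnect it"
}

Move-FsmoRole -TargetDc 'DC02' -Role 'RIDMaster'
```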
I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of your DC)
What is a bridgehead server in AD?
A bridgehead server is a domain controller in each site which is used as a
contact point to receive and replicate data between sites. For intersite
replication, the KCC designates one of the domain controllers as a bridgehead
server. In case that server is down, the KCC designates another domain
controller. When a bridgehead server receives replication updates from another
site, it replicates the data to the other domain controllers within its site.
I am upgrading from NT to 2003. The only things that are NT are the PDC and
BDCs; everything else is 2000 or 2003 member servers. My question is, when I
upgrade my NT domain controllers to 2003, will I need to do anything else to my
Windows 2000/2003 member servers that were in the NT domain?
Your existing member servers, regardless of operating system, will simply become
member servers in your upgraded AD domain. If you will be using Organizational
Units and Group Policy (and I hope you are), you'll probably want to move them
to a specific OU for administration and policy application, since they'll be in
the default Computers container immediately following the upgrade.
How do I use Registry keys to remove a user from a group?
In Windows Server 2003, you can use the dsmod command-line utility with the
-delmbr switch to remove a group member from the command line. You should also
look into the freeware utilities available from www.joeware.net. ADFind and
ADMod are indispensable tools in my arsenal when it comes to searching and
modifying Active Directory.
Why are my NT4 clients failing to connect to the Windows 2000 domain?
Since NT4 relies on NetBIOS for name resolution, verify that your WINS server
(you do have a WINS server running, yes?) contains the records that you expect
for the 2000 domain controller, and that your clients have the correct address
configured for the WINS server.
How do you add your first Windows 2003 DC to an existing Windows 2000 domain?
The first step is to install Windows 2003 on your new DC. This is a
straightforward process, so we aren't going to discuss that here.
Because significant changes have been made to the Active Directory schema in
Windows 2003, we need to make our Windows 2000 Active Directory compatible with
the new version. If you already have Windows 2003 DCs running with Windows 2000
DCs, then you can skip down to the part about DNS.
Before you attempt this step, you should make sure that you have Service Pack 4
installed on your Windows 2000 DC. Next, make sure that you are logged in as a
user that is a member of the Schema Admins and Enterprise Admins groups.
Next, insert the Windows 2003 Server installation CD into the Windows 2000
Server. Bring up a command line and change directories to the I386 directory on
the installation CD. At the command prompt, type:
adprep /forestprep
After running this command, make sure that the updates have been replicated to
all existing Windows 2000 DCs in the forest. Next, we need to run the following
command:
adprep /domainprep
The above command must be run on the Infrastructure Master of the domain by
someone who is a member of the Domain Admins group.
Once this is complete, we move back to the Windows 2003 Server. Click Start,
then Run, type in dcpromo and click OK. During the ensuing wizard, make sure
that you select that you are adding this DC to an existing domain. After this
process is complete, the server will reboot. When it comes back online, check
and make sure that the AD database has been replicated to your new server.
Next, you will want to check and make sure that DNS was installed on your new
server. If not, go to the Control Panel, click on "Add or Remove Programs", and
click the "Add/Remove Windows Components" button. In the Windows Components
screen, click on "Networking Services" and click the Details button. In the new
window check "Domain Name System (DNS)" and then click the OK button. Click
"Next" in the Windows Components screen.
This will install DNS and the server will reboot. After reboot, pull up the DNS
Management window and make sure that your DNS settings have replicated from the
Windows 2000 Server. You will need to re-enter any forwarders or other
properties you had set up, but the DNS records should replicate on their own.
The next 2 items, global catalog and FSMO roles, are important if you plan on
decommissioning your Windows 2000 server(s). If this is the case, you need to
transfer the global catalog from the old server to the new one.
First, let's create a global catalog on our new server. Here are the steps:
1. On the domain controller where you want the new global catalog, start the
Active Directory Sites and Services snap-in. To start the snap-in, click
"Start", point to "Programs", point to "Administrative Tools", and then click
"Active Directory Sites and Services".
2. In the console tree, double-click "Sites", and then double-click "sitename".
3. Double-click "Servers", click your domain controller, right-click "NTDS
Settings", and then click "Properties".
4. On the General tab, click to select the Global catalog check box to assign
the role of global catalog to this server.
5. Restart the domain controller.
Make sure you allow sufficient time for the account and the schema information
to replicate to the new global catalog server before you remove the global
catalog from the original DC or take the DC offline.
After this is complete, you will want to transfer or seize the FSMO roles for
your new server. For instructions, read Using Ntdsutil.exe to transfer or seize
FSMO roles to a domain controller.
After this step is complete, we can now run DCPROMO on the Windows 2000 Servers
in order to demote them. Once this is complete, copy over any files you need to
your new server and you should have successfully replaced your Windows 2000
server(s) with a new Windows 2003 server.
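Both procedures above (the R2 adprep run and adding the first 2003 DC) tell you to wait until the schema update has replicated to every existing DC before going on. As an added example that is not part of the original page, this PowerShell checks that directly: it binds to each DC in the forest over LDAP and compares the schema partition's objectVersion with the expected value (30 for Windows Server 2003, 31 for 2003 R2, the numbers the adprep output above prints). It uses System.DirectoryServices rather than the AD module so it also works against Windows 2000/2003 DCs; it assumes a domain user with read access to the schema partition.

```powershell
# Added example: verify that every DC in the forest reports the expected schema
# objectVersion before continuing with R2 setup or dcpromo. Uses LDAP through
# System.DirectoryServices so it also works against Windows 2000/2003 DCs, which
# have no Active Directory Web Services for the AD PowerShell module to talk to.
# Assumes: run as a domain user with read access to the schema partition.
function Test-SchemaVersionReplicated {
    param([Parameter(Mandatory = $true)][int]$ExpectedVersion)

    $rootDse  = [adsi]'LDAP://RootDSE'
    $schemaDn = [string]$rootDse.schemaNamingContext.Value   # CN=Schema,CN=Configuration,...
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    $results = foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            try {
                # Bind to each DC by name so a lagging replica is not hidden behind a healthy one
                $schema = [adsi]"LDAP://$($dc.Name)/$schemaDn"
                $schema.psbase.RefreshCache(@('objectVersion'))   # forces the bind; throws if unreachable
                $version = [int]$schema.psbase.Properties['objectVersion'].Value
                New-Object psobject -Property @{
                    DC = $dc.Name; SchemaVersion = $version; Ok = ($version -eq $ExpectedVersion)
                }
            } catch {
                New-Object psobject -Property @{ DC = $dc.Name; SchemaVersion = $null; Ok = $false }
            }
        }
    }

    $results | Format-Table DC, SchemaVersion, Ok -AutoSize | Out-Host
    # True only when every DC has converged on the new schema
    return (@($results | Where-Object { -not $_.Ok }).Count -eq 0)
}

# 30 = Windows Server 2003, 31 = Windows Server 2003 R2 (the values adprep printed above)
Test-SchemaVersionReplicated -ExpectedVersion 31
```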
How do you change the DS Restore admin password?
In Windows 2000 Server, you used to have to boot the computer whose password you
wanted to change in Directory Services Restore Mode, then use either the
Microsoft Management Console (MMC) Local Users and Groups snap-in or the command
net user administrator * to change the Administrator password.
Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you
reset the Directory Services Restore Mode password without having to reboot the
computer. (Microsoft refreshed Setpwd in SP4 to improve the utility's scripting
options.)
In Windows Server 2003, you use the Ntdsutil utility to modify the Directory
Services Restore Mode Administrator password. To do so, follow these steps:
1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
2. Start the Directory Services Restore Mode Administrator password-reset
utility by entering the argument "set dsrm password" at the ntdsutil prompt:
ntdsutil: set dsrm password
3. Run the Reset Password command, passing the name of the server on which to
change the password, or use the null argument to specify the local machine.
For example, to reset the password on server testing, enter the following
argument at the Reset DSRM Administrator Password prompt:
Reset DSRM Administrator Password: reset password on server testing
To reset the password on the local machine, specify null as the server name:
Reset DSRM Administrator Password: reset password on server null
4. You'll be prompted twice to enter the new password. You'll see the following
messages:
Please type password for DS Restore Mode Administrator Account:
Please confirm new password:
Password has been set successfully.
5. Exit the password-reset utility by typing "quit" at the following prompts:
Reset DSRM Administrator Password: quit
ntdsutil: quit
Explain about trusts in AD.
To allow users in one domain to access resources in another, Active Directory
uses trusts. Trusts inside a forest are automatically created when domains are
created.
The forest sets the default boundaries of trust, not the domain, and implicit,
transitive trust is automatic for all domains within a forest. As well as
two-way transitive trust, AD trusts can be a shortcut (joins two domains in
different trees, transitive, one- or two-way), forest (transitive, one- or
two-way), realm (transitive or nontransitive, one- or two-way), or external
(nontransitive, one- or two-way) in order to connect to other forests or non-AD
domains.
Trusts in Windows 2000 (native mode):
One-way trust: One domain allows access to users on another domain, but the
other domain does not allow access to users on the first domain.
Two-way trust: Two domains allow access to users on both domains.
Trusting domain: The domain that allows access to users from a trusted domain.
Trusted domain: The domain that is trusted; its users have access to the
trusting domain.
Transitive trust: A trust that can extend beyond two domains to other trusted
domains in the forest.
Intransitive trust: A one-way trust that does not extend beyond two domains.
Explicit trust: A trust that an admin creates. It is not transitive and is one
way only.
Cross-link trust: An explicit trust between domains in different trees, or in
the same tree when a descendant/ancestor (child/parent) relationship does not
exist between the two domains.
Windows 2000 Server supports the following types of trusts:
Two-way transitive trusts.
One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
Shortcut
Windows Server 2003 offers a new trust type, the forest root trust. This type of
trust can be used to connect Windows Server 2003 forests if they are operating
at the 2003 forest functional level. Authentication across this type of trust is
Kerberos based (as opposed to NTLM). Forest trusts are transitive for all the
domains in the two forests that trust each other. Forest trusts, however, are
not transitive between forests: a forest trust between forests A and B and
another between B and C does not give A any trust relationship with C.
Difference between LDIFDE and CSVDE?
CSVDE is a command that can be used to import and export objects to and from the
AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file
easily readable in Excel. I will not go to length into this powerful command,
but I will show you some basic samples of how to import a large number of users
into your AD. Of course, as with the DSADD command, CSVDE can do more than just
import users. Consult your help file for more info.
LDIFDE is a command that can be used to import and export objects to and from
the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file
is a file easily readable in any text editor; however, it is not readable in
programs like Excel. The major difference between CSVDE and LDIFDE (besides the
file format) is the fact that LDIFDE can be used to edit and delete existing AD
objects (not just users), while CSVDE can only import and export objects.
What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory
service. This assists in removing objects from replicated servers and preventing
restores from reintroducing a deleted object. This value is held on the
Directory Service object in the configuration naming context (NC).
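The tombstone lifetime is also the reason the earlier answer rejects a 4-month-old backup. As an added PowerShell example (not part of the original page), the code below reads tombstoneLifetime from the Directory Service object in the configuration NC and reports whether a backup of a given age is still safe to restore. It uses LDAP through System.DirectoryServices, so it needs no RSAT; it assumes a domain user on a domain-joined machine, and the backup date is a constructed sample.

```powershell
# Added example: read the forest's tombstoneLifetime from the Directory Service
# object in the configuration NC and decide whether a backup of a given age is
# still safe to restore.
# Assumes: run as a domain user on a domain-joined machine; the backup date below
# is a constructed sample.
function Get-TombstoneLifetimeDays {
    $configNc = [string]([adsi]'LDAP://RootDSE').configurationNamingContext.Value
    $dsObject = [adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.psbase.Properties['tombstoneLifetime'].Value
    if ($value) { return [int]$value }
    # Attribute not set: the forest uses the built-in default of 60 days (the value
    # quoted above). Forests created with Windows Server 2003 SP1 or later media have
    # the attribute set explicitly instead, usually to 180.
    return 60
}

function Test-BackupRestorable {
    param([Parameter(Mandatory = $true)][datetime]$BackupDate)
    $lifetime = Get-TombstoneLifetimeDays
    $ageDays  = [int][math]::Floor(((Get-Date) - $BackupDate).TotalDays)
    New-Object psobject -Property @{
        BackupAgeDays         = $ageDays
        TombstoneLifetimeDays = $lifetime
        # A replica older than the tombstone lifetime may hold objects whose tombstones
        # were already garbage-collected elsewhere; restoring it reintroduces them as
        # lingering objects, which is why such a backup must not be used.
        SafeToRestore         = ($ageDays -lt $lifetime)
    }
}

# Constructed sample: the 4-month-old backup from the question above
Test-BackupRestorable -BackupDate (Get-Date).AddDays(-120)
```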
What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated
only to specific domain controllers. Only domain controllers running Windows
Server 2003 can host a replica of an application directory partition.
Using an application directory partition provides redundancy, availability or
fault tolerance by replicating data to a specific domain controller or any set
of domain controllers anywhere in the forest.
How do you create a new application partition?
Use the DnsCmd command to create an application directory partition. To do this,
use the following syntax:
dnscmd <ServerName> /CreateDirectoryPartition <FQDN of partition>
How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
where domain_controller is the DC you want to query to determine whether it's a
GC. The output will include the text DSA Options: IS_GC if the DC is a GC.
Can you connect Active Directory to other 3rd-party directory services? Name a
few options.
Yes, you can use DirXML or LDAP to connect to other directories.
In Novell you can use eDirectory.
What is IPSec Policy?
IPSec provides secure gateway-to-gateway connections across outsourced private
wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels
or pure IPSec tunnel mode. IPSec policy can be deployed via Group Policy to the
Windows domain controllers and servers.
What are the different types of Terminal Services?
User Mode & Application Mode.
What is RSoP?
RSoP is the Resultant Set of Policy applied on the object (Group Policy).
What is the system startup process?
Windows 2K boot process on an Intel architecture:
1. Power-On Self Tests (POST) are run.
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory,
and its program is run.
3. The active partition is located, and the boot sector is loaded.
4. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
1. The Windows 2000 loader switches the processor to the 32-bit flat memory
model.
2. The Windows 2000 loader starts a mini-file system.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating
system selections (boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the user. If
Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems,
NTLDR loads BOOTSECT.DOS and gives it control.
5. NTDETECT.COM scans the hardware installed in the computer, and reports the
list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE
hive.
6. NTLDR then loads NTOSKRNL.EXE and gives it the hardware information collected
by NTDETECT.COM. Windows NT enters the Windows load phases.
What group types are available in Active Directory?
Security groups: Use security groups for granting permissions to gain access to
resources. Sending an e-mail message to a group sends the message to all members
of the group. Therefore security groups share the capabilities of distribution
groups.
Distribution groups: Distribution groups are used for sending e-mail messages to
groups of users. You cannot grant permissions to distribution groups. Even
though security groups have all the capabilities of distribution groups,
distribution groups are still required, because some applications can only read
distribution groups.
Explain the group scopes in AD.
Domain Local Group: Use this scope to grant permissions to domain resources that
are located in the same domain in which you created the domain local group.
Domain local groups can exist in all mixed, native and interim functional levels
of domains and forests. Domain local group membership is not limited: you can
add user accounts, universal and global groups from any domain as members. Note
that nesting cannot be done in a domain local group: a domain local group will
not be a member of another domain local or any other group in the same domain.
Global Group: Users with a similar function can be grouped under global scope
and given permission to access a resource (like a printer or shared folder and
files) available in the local domain or another domain in the same forest. Put
simply, global groups can be used to grant permissions to gain access to
resources located in any domain within a single forest, while their membership
is limited: user accounts and global groups can be added only from the domain in
which the global group is created. Nesting is possible, as you can add a global
group into another global group from any domain. Finally, to provide permission
to domain-specific resources (like printers and published folders), they can be
members of a domain local group. Global groups exist in all mixed, native and
interim functional levels of domains and forests.
Universal Group: These groups are typically used for e-mail distribution and can
be granted access to resources in all trusted domains, as these groups can only
be used as a security principal (security group type) in a Windows 2000 native
or Windows Server 2003 domain functional level domain. Universal group
membership is not limited like that of global groups: all domain user accounts
and groups can be members of a universal group. Universal groups can be nested
under a global or domain local group in any domain.
What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: This GUI tool
enables administrators to view the low-level status of Active Directory
replication, force synchronization between domain controllers, view the topology
in a graphical format, and monitor the status and performance of domain
controller replication.
What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a
low-level editor for Active Directory. It is a Graphical User Interface (GUI)
tool. Network administrators can use it for common administrative tasks such as
adding, deleting, and moving objects within a directory service. The attributes
for each object can be edited or deleted by using this tool. ADSIEdit uses the
ADSI application programming interfaces (APIs) to access Active Directory. The
following are the required files for using this tool: ADSIEDIT.DLL, ADSIEDIT.
What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and
trust relationships. It is used for batch management of trusts, joining
computers to domains, verifying trusts, and secure channels.
What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems
between Windows domain controllers. Administrators can use Repadmin to view the
replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from
the perspective of each domain controller. In addition, Repadmin can be used to
manually create the replication topology (although in normal practice this
should not be necessary), to force replication events between domain
controllers, and to view both the replication metadata and up-to-dateness
vectors.
How do you take a backup of AD?
To take a backup of Active Directory, go to Start -> Programs -> Accessories ->
System Tools -> Backup, or open the Run window and type ntbackup. When the
backup screen appears, take a backup of the System State; this backs up all the
necessary information about the system, including AD, DNS, etc.
What are the DS* commands?
The DS family of built-in utilities:
DSmod: modify Active Directory attributes.
DSrm: delete Active Directory objects.
DSmove: relocate objects.
DSadd: create new accounts.
DSquery: find objects that match your query attributes.
DSget: list the properties of an object.
What are the requirements for installing AD on a new server?
An NTFS partition with enough free space.
An Administrator's username and password.
The correct operating system version.
A NIC with properly configured TCP/IP (IP address, subnet mask and optional
default gateway).
A network connection (to a hub or to another computer via a crossover cable).
An operational DNS server (which can be installed on the DC itself).
A domain name that you want to use.
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).
Windows 2003 Active Directory introduced a number of new security features, as
well as convenience features such as the ability to rename a domain controller
and even an entire domain.
Windows Server 2003 also introduced numerous changes to the default settings
that can be affected by Group Policy; you can see a detailed list of each
available setting and which OS is required to support it by downloading the
Group Policy Settings Reference.
ADS stands for Automated Deployment Services, and is used to quickly roll out
identically-configured servers in large-scale enterprise environments. You can
get more information from the ADS homepage.
I want to set up a DNS server and Active Directory domain. What do I do first?
If I install the DNS service first and name the zone name.org, can I name the
AD domain name.org too?
Not only can you have a DNS zone and an Active Directory domain with the same
name, it's actually the preferred way to go if at all possible. You can install
and configure DNS before installing Active Directory, or you can allow the
Active Directory Installation Wizard (dcpromo) itself to install DNS on your
server in the background.
How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation
(probably in a login script so that it records its information to a central
file for later review). This command will enumerate the members of the
Administrators group on each machine you run it on. Alternatively, you can use
the Restricted Groups feature of Group Policy to restrict the membership of
Administrators to only those users you want to belong.
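The login-script approach above, as an added PowerShell example that is not part of the original page: it parses the output of net localgroup administrators, compares the members with an approved baseline and appends one record per machine to a central CSV. The sample output, the baseline accounts and the share \\FILESRV\audit$ are constructed placeholders; it assumes PowerShell 3.0 or later for Export-Csv -Append.

```powershell
# Added example: parse "net localgroup administrators", flag members that are not in
# an approved baseline and append the result to a central CSV for later review.
# Assumes: PowerShell 3.0+; the sample output, baseline and share path are constructed.
function Get-LocalAdminMembers {
    param([string[]]$NetOutput = (net localgroup administrators))
    # The command prints "Alias name", "Comment", "Members", a dashed separator, one
    # member per line and "The command completed successfully."; keep the member lines.
    $NetOutput |
        Where-Object { $_.Trim() -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command)' } |
        ForEach-Object { $_.Trim() }
}

function Test-LocalAdmins {
    param(
        [Parameter(Mandatory = $true)][string[]]$Members,
        [string[]]$Approved = @('Administrator', 'CONTOSO\Domain Admins'),   # constructed baseline
        [string]$ReportPath = '\\FILESRV\audit$\localadmins.csv'            # constructed share
    )
    # -notcontains is case-insensitive, matching how Windows compares account names
    $unexpected = @($Members | Where-Object { $Approved -notcontains $_ })
    $record = [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Checked    = Get-Date -Format 's'
        Members    = $Members -join ';'
        Unexpected = $unexpected -join ';'
    }
    $record | Export-Csv -Path $ReportPath -Append -NoTypeInformation
    return $unexpected
}

# Constructed sample of the command's output on a workstation with one extra member
$sample = @(
    'Alias name     administrators'
    'Comment        Administrators have complete and unrestricted access to the computer/domain'
    ''
    'Members'
    ''
    '-------------------------------------------------------------------------------'
    'Administrator'
    'CONTOSO\Domain Admins'
    'CONTOSO\jdoe'
    'The command completed successfully.'
)
Test-LocalAdmins -Members (Get-LocalAdminMembers -NetOutput $sample)
```

Run without the -NetOutput argument in the login script so it reads the live command output on each workstation; the returned unexpected members (CONTOSO\jdoe in the sample) are also written to the central CSV.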
Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like
this one will boil down to an issue with name resolution, either DNS or
WINS/NetBIOS. Be sure that your Windows XP clients' wireless connections are
configured with the correct DNS and WINS name servers, as well as with the
appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your
wired LAN settings and look for any discrepancies that may indicate where the
functional difference lies.
What is the ISTG? Who has that role by default?
Windows 2000 Domain controllers each create Active Directory Replication
connection objects representing inbound replication from intra-site replication
partners. For inter-site replication, one domain controller per site has the
responsibility of evaluating the inter-site replication topology and creating
Active Directory Replication Connection objects for appropriate bridgehead
servers within its site. The domain controller in each site that owns this role is
referred to as the Inter-Site Topology Generator (ISTG).
What is the difference between Server 2003 and 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for
Virtualization), but only on 64-bit versions. More and more companies are seeing
this as a way of reducing hardware costs by running several virtual servers on
one physical machine.)
2. Server Core (provides the minimum installation required to carry out a
specific server role, such as for a DHCP, DNS or print server).
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection: Microsoft's system for ensuring that clients
connecting to Server 2008 are patched, running a firewall and in compliance
with corporate security policies.
8. PowerShell: Microsoft's command line shell and scripting language has proved
popular with some server administrators.
9. IIS 7.
10. BitLocker: System drive encryption can be a sensible security measure for
servers located in remote branch offices.
11. Windows Aero.
The main difference between 2003 and 2008 is virtualization and management.
2008 has more built-in components and updated third-party drivers.
What are the requirements for installing AD on a new server?
1. The domain structure.
2. The domain name.
3. Storage location of the database and log file.
4. Location of the shared system volume folder.
5. DNS configuration method.
6. DNS configuration.
What is LDP?
LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when
traffic engineering is not required. It establishes LSPs that follow the
existing IP routing, and is particularly well suited for establishing a full
mesh of LSPs between all of the routers on the network.
Why doesn't LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous
policies.
What's the number of permitted unsuccessful logons on the Administrator
account?
Unlimited. Remember, though, that it's the Administrator account, not any
account that's part of the Administrators group.
What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.
How many passwords by default are remembered when you check Enforce Password
History Remembered?
The user's last 6 passwords.
Can the GC server and Infrastructure Master be placed on a single server? If
not, explain why.
No, as the Infrastructure Master does the same job as the GC. They do not work
together.
Which service in Windows is responsible for replication from one domain
controller to another?
Active Directory replication is performed by the directory service itself
(NTDS, running inside the Local Security Authority process on every DC). Its
KCC (Knowledge Consistency Checker) component generates the replication
topology; changes are then replicated over RPC, or over SMTP for intersite
replication of the schema, configuration and application partitions only
(SMTP cannot carry the domain partition).
What is intrasite and intersite replication?
Intrasite is replication between DCs within the same site: RPC,
uncompressed, triggered by change notification within seconds. Intersite is
replication between sites: scheduled, compressed, and routed through one
bridgehead server per site.
What is the LostAndFound folder in AD?
It is the container where orphaned objects are placed. Example: you create a
user in an OU on one DC while the OU is deleted on another DC. When
replication happens, AD cannot find the parent OU, so it puts the user in the
LostAndFound container. Anything sitting there should be reviewed and moved
or deleted, because it still exists as a valid object.
What is garbage collection?
Garbage collection is the process that removes expired tombstones (deleted
objects older than the tombstone lifetime) from the database and then runs
online defragmentation of Active Directory. By default it runs every 12 hours
on each DC (the garbageCollPeriod attribute).
What does System State data contain?
Boot and startup files
Registry
COM+ class registration database
System files protected by Windows File Protection
Active Directory database (NTDS.DIT and its logs) on a domain controller
SYSVOL folder on a domain controller
Cluster service information on a cluster node
Certificate Services database on a certification authority
IIS metabase where IIS is installed
The memory page file is not part of System State.
What is Active Directory?
Active Directory is a meta-data store: a database that stores user information,
computer information and other network object information, together with the
services to manage and administer the whole network that is connected to AD.
What is a domain?
In Windows NT and Windows 2000, a domain is a set of network resources
(applications, printers, and so forth) for a group of users. The user need only
log in to the domain to gain access to the resources, which may be located on a
number of different servers in the network. An Active Directory domain is
named with a DNS name (for example corp.example.com), but the domain is an
administrative and replication boundary, not a web address or a URL.
What is domain controller ?
A Domain controller (DC) is a server that responds to security authentication
requests (logging in, checking permissions, etc.) within the Windows
Server domain. A domain is a concept introduced in Windows NT whereby a
user may be granted access to a number of computer resources with the use
of a single username and password combination.
What is LDAP ?
Lightweight Directory Access Protocol LDAP is the industry standard directory
access protocol, making Active Directory widely accessible to management
and query applications. Active Directory supports LDAPv3 and LDAPv2.
What is KCC?
The KCC (Knowledge Consistency Checker) generates the replication topology,
both for intersite replication and for intrasite replication. Within a site,
replication traffic is carried by remote procedure calls over IP; between
sites it is carried through either RPC or SMTP.
Where is the AD database held? What other folders are related to AD?
The AD database is stored in %systemroot%\NTDS\NTDS.DIT (by default
C:\Windows\NTDS\NTDS.DIT), alongside its transaction logs. The other folder
related to AD is SYSVOL, %systemroot%\SYSVOL.
What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files. The
contents of the SYSVOL folder, such as Group Policy templates and logon
scripts, are replicated to all domain controllers in the domain.
What are the Windows Server 2003 keyboard shortcuts?
Winkey: opens or closes the Start menu.
Winkey + BREAK: displays the System Properties dialog box.
Winkey + TAB: moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB: moves the focus to the previous application in the taskbar.
Winkey + B: moves the focus to the notification area.
Winkey + D: shows the desktop.
Winkey + E: opens Windows Explorer showing My Computer.
Winkey + F: opens the Search panel.
Winkey + CTRL + F: opens the Search panel with the Search for Computers module selected.
Winkey + F1: opens Help.
Winkey + M: minimizes all.
Winkey + SHIFT + M: undoes minimization.
Winkey + R: opens the Run dialog.
Winkey + U: opens the Utility Manager.
Winkey + L: locks the computer.
Where are the Windows NT Primary Domain Controller (PDC) and its
Backup Domain Controller (BDC) in Server 2003 ?
The Active Directory replaces them. Now all domain controllers share a
multimaster peer-to-peer read and write relationship that hosts copies of the
Active Directory.
I am trying to create a new universal user group. Why can't I?
Universal security groups are allowed only when the domain functional level
is Windows 2000 native or higher, which requires that every domain controller
in the domain be running Windows 2000 or later (no Windows NT 4.0 BDCs). In
mixed mode you can create universal distribution groups, but not universal
security groups.
What is LSDOU ?
Its group policy inheritance model, where the policies are applied toLocal
machines, Sites, Domains and Organizational Units.
What is Active Directory?
An active directory is a directory structure/service used on Microsoft Windows
based computers and servers to store information and data about networks
and domains. A directory is similar to a dictionary; it enables the look-up of a
name and the information associated with that name.
There is support for the Lightweight Directory Access Protocol (LDAP) to
enable inter-directory operability.
Active Directory has two group types:
Distribution: Distribution groups are intended to be used solely as e-mail
distribution lists.
Security: Security groups allow you to manage user and computer access
to shared resources.
In order to synchronize the time on your Windows computer with the main Active
Directory domain controllers, use the following command at a command
prompt: net time \\ads.iu.edu /set /y
What is LDAP?
LDAP is an Internet standard protocol used by applications to access
information in a directory. It runs directly over TCP, and can be used to
access a standalone LDAP directory service or to access a directory
service that is back-ended by X.500.
The LDAP directory service model is based on entries. An entry is a collection
of attributes that describe it. Each attribute has a name, a type and one or
more values.
LDAP-based implementations are:
eDirectory, Red Hat Directory Server, Apple's Open Directory, Apache Directory
Server, Oracle Internet Directory, CA Directory, Sun Java System Directory
Server, IBM Tivoli Directory Server, Windows NT Directory Services (NTDS)
Can you connect Active Directory to other 3rd-party
Directory Services? Name a few options.
Yes you can connect other vendors Directory Services with Microsofts
version.
Yes. Microsoft Identity Integration Server (MIIS) is used to connect Active
Directory to other 3rd-party Directory Services (including directories used by
SAP, Domino, etc).
Where is the Active Directory database held? What other
folders are related to AD?
The AD database is saved in %systemroot%\NTDS. You can see other files also in
this folder.
These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation,
Win2K records the transaction in the log file (edb.log). Once written to the log
file, the change is then written to the AD database. System performance
determines how fast the system writes the data to the AD database from the
log file. Any time the system is shut down, all transactions are saved to the
database.
During the installation of AD, Windows creates two files: res1.log and res2.log.
The initial size of each is 10MB. These files are used to ensure that changes
can be written to disk should the system run out of free disk space. The
checkpoint file (edb.chk) records transactions committed to the AD database
(ntds.dit). During shutdown, a shutdown statement is written to the edb.chk
file. Then, during a reboot, AD determines that all transactions in the edb.log
file have been committed to the AD database. If, for some reason, the edb.chk
file doesn't exist on reboot or the shutdown statement isn't present, AD will
use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By
default, the file is located in %systemroot%\NTDS, along with the other files
we've discussed.
What is the SYSVOL folder?
The Windows Server 2003 System Volume (SYSVOL) is a collection of
folders and reparse points in the file systems that exist on each domain
controller in a domain. SYSVOL provides a standard location to store
important elements of Group Policy objects (GPOs) and scripts so that the
File Replication service (FRS) can distribute them to other
domain controllers within that domain.
You can go to the SYSVOL folder by typing: %systemroot%\SYSVOL
Name the AD NCs [naming contexts] and replication issues for each NC
*Schema NC, *Configuration NC, * Domain NC
Schema NC: This NC is replicated to every other domain controller in the
forest. It contains information about the Active Directory schema, which in turn
defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC
contains forest-wide configuration information pertaining to the physical layout
of Active Directory, as well as information about display specifiers and forest-
wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active
Directory domain. This is the NC that contains the most commonly accessed
Active Directory data: the actual users, groups, computers, and other objects
that reside within a particular Active Directory domain.
What are app!ication partitions? When do % use them
An application directory partition is a directory partition that is replicated only
to specific domain controllers. A domain controller that participates in the
replication of a particular application directory partition hosts a replica of that
partition. Only domaincontrollers running Windows Server 2003 can host a
replica of an application directory partition.
Application directory partitions are usually created by the applications that will
use them to store and replicate data. For testing and troubleshooting
purposes, members of the Enterprise Admins group can manually create or
manage application directory partitions using the Ntdsutil command-line tool.
One of the benefits of an application directory partition is that, for redundancy,
availability, or fault tolerance, the data in it can be replicated to different
domain controllers in a forest
Q1. What is DNS?
Domain Name System is a service that can be installed on any Windows Server
operating system to resolve names to IP addresses and vice-versa. TCP/IP
networks, such as the Internet, use DNS to locate computers and services
through user-friendly names. Active Directory depends on it: clients locate
domain controllers through DNS SRV records, so a broken DNS usually means
broken logons and broken replication.
Q2. What is DDNS?
Dynamic DNS or DDNS is a method of updating, in real time, a Domain Name
System to point to a changing IP address. This is used to
provide a persistent domain name for a resource that may change location
on the network. In an AD domain, clients and domain controllers use dynamic
update to register their own A and SRV records; the zone should allow only
secure dynamic updates, so that one client cannot overwrite another host's record.
Q3. What are the resource records in DNS?
A (Address) Maps a host name to an IP address. When a
computer has multiple adapter cards and IP addresses, it should have
multiple address records.
CNAME (Canonical Name) Sets an alias for a host name. For
example, using this record, zeta.tvpress.com can have an alias as
www.tvpress.com.
MX (Mail Exchange) Specifies a mail exchange server for the domain,
which allows mail to be delivered to the correct mail servers in the domain.
NS (Name Server) Specifies a name server for the domain, which
allows DNS lookups within various zones. Each primary and secondary
name server should be declared through this record.
PTR (Pointer) Creates a pointer that maps an IP address to a host
name for reverse lookups.
SOA (Start of Authority) Declares the host that is the most
authoritative for the zone and, as such, is the best source of DNS
information for the zone. Each zone file must have an SOA record (which
is created automatically when you add a zone).
Q4. What are a Forward and Reverse Lookup?
Forward Lookup: When a query sends a name to the DNS server to obtain
the corresponding IP address, it is called a forward lookup.
Reverse Lookup: DNS also provides a reverse lookup process,
enabling clients to use a known IP address during a name query and look
up a computer name based on its address (PTR records in the in-addr.arpa zone).
Q5. What is a Primary zone?
This is the read and writable copy of a zone file in the DNS namespace. This
is the primary source for information about the zone and it stores the master copy
of zone data in a local file or in AD DS. By default the primary zone file is
named zone_name.dns in the %windir%\System32\dns folder on the server.
Q6. What is a Secondary zone?
This is the read-only copy of a zone file in the DNS namespace. This is a
secondary source for information about the zone and it gets the updated
information from the master copy of the primary zone. Network access must
be available to connect with the primary server. As a secondary zone is merely a
copy of a primary zone that is hosted on another server, it cannot be stored in
AD DS.
Q7. What is a Stub zone?
A stub zone is a read-only copy of a zone that contains only those resource
records which are necessary to identify the authoritative DNS servers for that
particular zone. A stub zone is practically used to resolve names between
separate DNS namespaces. This type of zone is generally created after a
corporate merger or acquisition, when the DNS servers for two separate DNS
namespaces must resolve names for clients in both namespaces.
A stub zone contains:
The start of authority (SOA) resource record, name server (NS) resource
records, and the glue A resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the
stub zone.
Q8. What is a Caching Only Server?
Caching-only servers are those DNS servers that only perform name
resolution queries, cache the answers, and return the results to the client.
Once the answer is stored in the cache, the next time the query is resolved locally from
the cache instead of going to the authoritative server. They host no zones, so
they are a common choice for DMZ or branch-office resolvers.
Q9. What is Aging and Scavenging?
DNS servers running Windows Server support aging and scavenging features.
These features are provided as a mechanism to perform cleanup and removal
of stale resource records from the server and zone. This feature removes the
dynamically created records when they are stamped as stale.
By default, the aging and scavenging mechanism for the DNS Server service
is disabled.
Scavenging and aging must be enabled both at the DNS server and on the
zone; enabling only one of the two silently does nothing.
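The following is an added example, not code from the original page: it enables aging and scavenging the way the answer describes, once at the server and once per zone, with the intervals sized against the DHCP lease so that live hosts are not scavenged. It assumes it is run on the DNS server itself ("." means the local server); the zone name and lease length are placeholders for your environment.

```powershell
# Added example (not part of the original page): enable aging and scavenging
# at the server and on one zone, sizing the intervals against the DHCP lease.
# Assumptions: run on the DNS server itself ("." = local server); the zone
# name and lease length below are placeholders for your environment.

$zone       = 'corp.example.com'   # placeholder zone name
$leaseHours = 8 * 24               # placeholder: DHCP lease length of your scopes

# A record becomes a candidate for deletion only after NoRefresh + Refresh
# hours have passed since its timestamp. A host refreshes its record when it
# renews its lease, so if the two intervals together are shorter than one
# lease, a healthy host can be deleted before it has had a chance to refresh.
$noRefresh = [int]($leaseHours / 2)
$refresh   = [int]($leaseHours / 2)

# 1. Server level: how often (hours) the server runs a scavenging pass.
dnscmd . /Config /ScavengingInterval 168

# 2. Zone level: turn aging on and set the two intervals (hours) for this zone.
dnscmd . /Config $zone /Aging 1
dnscmd . /Config $zone /NoRefreshInterval $noRefresh
dnscmd . /Config $zone /RefreshInterval $refresh

# 3. Verify both halves, because scavenging enabled on the server but not on
#    the zone (or the reverse) never deletes anything.
dnscmd . /Info ScavengingInterval
dnscmd . /ZoneInfo $zone | Select-String -Pattern 'Aging', 'RefreshInterval', 'NoRefreshInterval'

# Records created by hand or with dnscmd /RecordAdd are static (timestamp 0)
# and are never scavenged. Keep the DC, DNS and DHCP server records static so a
# badly chosen interval can never remove the infrastructure itself.
```

Run it once per zone that holds dynamically registered records; reverse lookup zones need the same treatment, since PTR records age independently of the A records they mirror.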
Q10. What is an SRV record in DNS?
The SRV (service locator) record is a resource record in DNS that is used to
identify or point to the computers that host a specific service, for example
the domain controllers of an Active Directory domain. Domain controllers
register records such as _ldap._tcp.dc._msdcs.<domain> and
_kerberos._tcp.<domain>, and clients query them to find a DC, a GC or a KDC.
Q11. What is Forwarding in DNS?
A forwarder is a feature of the DNS server that is used to forward DNS queries for
external DNS names to DNS servers outside of that network. We can configure
a DNS server to forward the name query to other DNS servers
when it cannot resolve the name locally.
Q12. What is Conditional Forwarding in DNS?
We can configure the DNS server to forward queries according to specific
domain names using conditional forwarders. In this case the query for a given
DNS domain name is forwarded to the IP address configured for that name.
Q13. What are the query types in DNS?
Recursive Query: These name queries are generally made by a DNS
client to a DNS server, or by a DNS server that is configured to pass
unresolved name queries to another DNS server, in the case of a DNS
server configured to use a forwarder. The queried server must return either
the final answer or an error; it may not hand back a referral.
Iterative Query: An iterative name query is one in which a DNS client
allows the DNS server to return the best answer it can give based on its
cache or zone data. If the queried DNS server does not have an exact
match for the queried name, the best possible information it can return is a
referral. The DNS client can then query the DNS server for which it
obtained a referral. It continues this process until it locates a DNS server
that is authoritative for the queried name, or until an error or time-out
condition is met.
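As an added example, not from the original page, the toy resolver below runs over constructed zone data and shows the two query types side by side: the client's recursive query is a single request to its server, and the server satisfies it by walking referrals with iterative queries. The server names, the zone contents and the addresses (documentation ranges) are all made up for the example; only the host name www.tvpress.com comes from the CNAME example earlier on the page.

```powershell
# Added example (not part of the original page): a toy DNS resolver over
# constructed zone data. Every name, server and address here is invented.

# Constructed authoritative data: what each server knows. A referral is an
# NS record plus the glue address of the server it points at.
$servers = @{
    'a.root'          = @{ 'com.'             = @{ Type = 'NS'; Target = 'ns.com.';         Glue = '192.0.2.1' } }
    'ns.com.'         = @{ 'tvpress.com.'     = @{ Type = 'NS'; Target = 'ns.tvpress.com.'; Glue = '192.0.2.2' } }
    'ns.tvpress.com.' = @{ 'www.tvpress.com.' = @{ Type = 'A';  Address = '203.0.113.10' } }
}

function Invoke-IterativeQuery {
    # One iterative query: the server returns the best it has (an answer, a
    # referral, or nothing) and never goes elsewhere on our behalf.
    param([string]$Server, [string]$Name)
    $zone = $servers[$Server]
    # Longest matching suffix, so "www.tvpress.com." matches "com." at the root.
    $best = $zone.Keys |
        Where-Object { $Name -eq $_ -or $Name.EndsWith(".$_") } |
        Sort-Object Length -Descending |
        Select-Object -First 1
    if ($best) { $zone[$best] } else { $null }
}

function Resolve-Recursive {
    # What a recursive server does for a client: start at a root hint and
    # follow referrals until an authoritative answer or an error.
    param([string]$Name, [string]$Root = 'a.root', [int]$MaxHops = 10)
    $server = $Root
    $trace  = @()
    for ($hop = 0; $hop -lt $MaxHops; $hop++) {
        $rr = Invoke-IterativeQuery -Server $server -Name $Name
        if (-not $rr) {
            $trace += "$server : no data (NXDOMAIN)"
            return @{ Answer = $null; Trace = $trace }
        }
        if ($rr.Type -eq 'A') {
            $trace += "$server : authoritative answer $($rr.Address)"
            return @{ Answer = $rr.Address; Trace = $trace }
        }
        $trace += "$server : referral to $($rr.Target) (glue $($rr.Glue))"
        $server = $rr.Target   # follow the referral; glue saves another lookup
    }
    throw "referral loop while resolving $Name"
}

# The client's single recursive query, and the server's iterative work behind it.
$result = Resolve-Recursive -Name 'www.tvpress.com.'
$result.Trace
$result.Answer

# A name nobody is authoritative for ends with NXDOMAIN instead of an answer.
(Resolve-Recursive -Name 'www.example.net.').Trace
```

The trace lists one line per iterative exchange (root referral, com referral, final answer), which is exactly what a client never sees: it sent one recursive query and received one answer. The hop limit is the resolver's guard against a delegation loop, the same reason real resolvers bound referral chains.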
Q14. What are Tools for troubleshooting of DNS?
DNS Console, NSLOOKUP, DNSCMD, IPCONFIG, DNS Logs.
Q15. How to check DNS health?
Using the DCdiag.
i.e. (dcdiag /test:dns /v /e)
What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any
difference in 2000 Group Policies and 2003 Group Policies? What is meant by ADS and ADS services in Windows 2003?
Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such
as the ability to rename a domain controller and even an entire domain.
Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy;
you can see a detailed list of each available setting and which OS is required to support it by downloading
the Group Policy Settings Reference.
ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured servers in
large-scale enterprise environments. You can get more information from the ADS homepage.
I want to set up a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and
name the zone "name.org", can I name the AD domain "name.org" too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred
way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the
Active Directory Installation Wizard (dcpromo) itself to install DNS on your server in the background.
How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script so that it
records its information to a central file for later review). This command will enumerate the members of the
Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group
Policy to restrict the membership of Administrators to only those users you want to belong; anyone added by hand is
removed again at the next policy refresh.
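The following is an added example, not code from the original page: it does what the answer describes in a form that can be dropped into a logon script, parsing the output of net localgroup administrators, flagging members that are not on an approved list, and appending one record per machine to a central file. The approved list, the share name \\fileserver\adminaudit$ and the sample output are placeholders constructed for this example.

```powershell
# Added example (not part of the original page): enumerate the local
# Administrators group, flag unexpected members, and record the result
# centrally. The approved list and the share path are placeholders.

function ConvertFrom-NetLocalgroup {
    # Turn the text output of "net localgroup administrators" into member
    # names. The members sit between the dashed separator line and the
    # trailing "The command completed successfully." line.
    param([string[]]$Lines)
    $inList = $false
    foreach ($line in $Lines) {
        if ($line -match '^-{5,}$')              { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim())           { $line.Trim() }
    }
}

function Get-LocalAdminReport {
    param(
        # Placeholder approved list; CORP is an assumed domain name.
        [string[]]$Approved = @('Administrator', 'CORP\Domain Admins', 'CORP\Workstation Admins'),
        # Pass captured text to run offline; omit it to query the live machine.
        [string[]]$RawOutput
    )
    if (-not $RawOutput) { $RawOutput = net localgroup administrators 2>&1 }
    foreach ($m in @(ConvertFrom-NetLocalgroup -Lines $RawOutput)) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m
            Approved = ($Approved -contains $m)   # case-insensitive in PowerShell
            Checked  = (Get-Date).ToString('s')
        }
    }
}

# Constructed sample of "net localgroup administrators" output, for offline use.
$sample = @'
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\jdoe
The command completed successfully.

'@ -split "`r?`n"

$report = Get-LocalAdminReport -RawOutput $sample
$report | Format-Table -AutoSize
# CORP\jdoe is listed with Approved = False: remove it, or let a Restricted
# Groups policy on the Administrators group remove it at the next refresh.

# In the logon script, append to the central share instead of displaying:
# $report | Export-Csv -Path "\\fileserver\adminaudit$\$env:COMPUTERNAME.csv" -NoTypeInformation
```

Parsing the text output rather than calling Get-LocalGroupMember keeps the script usable on the Windows XP and Server 2003 machines this page is about, where that cmdlet does not exist. Treat the central file as sensitive: it is a ready-made list of which workstations grant which users administrative rights.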
Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name
resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients' wireless connections are configured
with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings.
Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where
the functional difference may lie.
What are the group types available in Active Directory?
Security groups: Use security groups for granting permissions to gain access to resources. Sending an e-mail
message to a group sends the message to all members of the group. Therefore security groups share the capabilities
of distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant
permissions to distribution groups, because they are never added to a user's access token. Even though security
groups have all the capabilities of distribution groups, distribution groups are still required because some applications
can only read distribution groups.
Explain the group scopes in AD.
Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in
which you created the domain local group. Domain local groups can exist at all mixed, native and interim functional
levels of domains and forests. Domain local group membership is not limited: you can add user accounts, universal
and global groups from any domain. In mixed mode a domain local group cannot be nested in another group; in native
mode it can contain, and be a member of, other domain local groups from the same domain only.
Global Group: Users with a similar function can be grouped under global scope and can be given permission to access
a resource (like a printer or shared folder and files) available in the local or another domain in the same forest. To say
it in simple words, global groups can be used to grant permissions to gain access to resources which are located in any
domain within a single forest, but their membership is limited: user accounts and global groups can be added only
from the domain in which the global group is created. Nesting is possible: a global group can be a member of another
global group in its own domain, and of domain local or universal groups in any domain of the forest. Finally, to provide
permission to domain-specific resources (like printers and published folders) they should be made members of a
domain local group (the AGDLP pattern). Global groups exist at all mixed, native and interim functional levels of
domains and forests.
Universal Group Scope: These groups are typically used for e-mail distribution and can be granted access to resources
in all trusted domains, as these groups can only be used as a security principal (security group type) at the Windows
2000 native or Windows Server 2003 domain functional level. Universal group membership is not limited like global
groups: user accounts and groups from any domain in the forest can be members of a universal group. Universal groups
can be nested in universal or domain local groups in any domain, but not in a global group. Universal group membership
is stored in the global catalog, so every membership change replicates forest-wide.
What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: this GUI tool enables administrators to view the low-level
status of Active Directory replication, force synchronization between domain controllers, view the topology in a
graphical format, and monitor the status and performance of domain controller replication.
What is ADSIEDIT?
ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active
Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative
tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be
edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access
Active Directory, so it bypasses the safety checks of the normal consoles: a wrong edit in the schema or configuration
partition replicates forest-wide. The following are the required files for using this tool: ADSIEDIT.DLL, ADSIEDIT.
What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for
batch management of trusts, joining computers to domains, verifying trusts, and resetting secure channels.
What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain
controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom
and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually
create the replication topology (although in normal practice this should not be necessary), to force replication events
between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
How to take a backup of AD?
To back up Active Directory you back up the System State: go to START -> Programs -> Accessories -> System Tools ->
Backup, or open the Run window and start ntbackup; when the backup screen appears, select System State. That backs
up all the necessary information about the system, including the AD database, SYSVOL, the registry and, on a DNS
server, the DNS zone data. Keep the backup younger than the tombstone lifetime, or it cannot safely be restored.
What are the DS commands?
The DS family of built-in command-line utilities:
DSadd: create new objects (users, groups, computers, OUs).
DSmod: modify Active Directory attributes.
DSrm: delete Active Directory objects.
DSmove: relocate or rename objects.
DSquery: find objects that match your query attributes; it outputs distinguished names that the other DS tools read
from standard input, so the tools chain with a pipe.
DSget: list the properties of an object.
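As an added example, not from the original page, here are the DS-command pipelines a security engineer actually runs from a PowerShell or cmd prompt. It assumes a domain member with the Windows Server 2003 administration tools installed and an account allowed to read and, for the third step, modify the objects; the week counts are assumptions for an ordinary environment.

```powershell
# Added example (not part of the original page). dsquery emits distinguished
# names; the other DS tools read DNs from standard input, hence the pipes.
# Assumptions: DS* tools installed, rights to read (and for step 3 modify)
# the objects; the 12-week and 90-day thresholds are illustrative.

# 1. Who is really in Domain Admins, including members of nested groups?
#    -expand recurses into nested groups; -c makes dsget user keep going when
#    an expanded member is a group or computer DN instead of stopping.
dsquery group -samid "Domain Admins" |
    dsget group -members -expand |
    dsget user -c -samid -disabled -pwdneverexpires

# 2. Accounts that have not logged on for 12 weeks: report first, act later.
#    -limit 0 removes the default cap of 100 results.
dsquery user -inactive 12 -limit 0 |
    dsget user -samid -desc -disabled

# 3. Disable (never delete) the stale accounts and stamp a reason in the
#    description, so the change is visible in the console and reversible.
$stale = dsquery user -inactive 12 -limit 0
if ($stale) {
    $reason = "Disabled for inactivity " + (Get-Date -Format 'yyyy-MM-dd')
    $stale | dsmod user -disabled yes -desc $reason
}

# 4. Computers whose machine password is older than 90 days. A working domain
#    member rotates it every 30 days, so these are usually dead or cloned hosts
#    whose accounts are worth disabling for the same reason as in step 3.
dsquery computer -stalepwd 90 -limit 0 | dsget computer -samid -desc
```

Deleting is deliberately avoided: a disabled account keeps its SID, so ACLs and audit trails still resolve to a name, and the change is undone with dsmod user -disabled no rather than an authoritative restore.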
GWhat are the require#ents for installing AD on a new server'
An 4T(# partition with enough !ree space.
An AdministratorAs username and password.
The correct operating system version.
A 4I2 *roperly con!igured T2*@I* $I* address subnet mas& and 9 optional 9 de!ault gateway%.
A networ& connection $to a hub or to another computer via a crossover cable% .
An operational D4# server $which can be installed on the D2 itsel!% .
A Domain name that you want to use .
The 3indows ,555 or 3indows #erver ,55+ 2D media $or at least the i+.- !older% .
Explain about Trust in AD?
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created.
The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees; transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.
Trusts in Windows 2000 (native mode)
One-way trust - One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust - Two domains allow access to users on both domains.
Trusting domain - The domain that allows access to users from a trusted domain.
Trusted domain - The domain that is trusted; whose users have access to the trusting domain.
Transitive trust - A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust - A one-way trust that does not extend beyond two domains.
Explicit trust - A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust - An explicit trust between domains in different trees, or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Windows 2000 Server supports the following types of trusts:
Two-way transitive trusts.
One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
What is tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NC.
What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Using an application directory partition provides redundancy, availability, or fault tolerance by replicating data to a specific domain controller or any set of domain controllers anywhere in the forest.
How do you create a new application partition?
Use the DnsCmd command to create an application directory partition. To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN_of_partition
How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller, where domain_controller is the DC you want to query to determine whether it's a GC.
The output will include the text DSA Options: IS_GC if the DC is a GC.
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes, you can use DirXML or LDAP to connect to other directories. In Novell you can use eDirectory.
What is IPSec Policy?
IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec Policy can be deployed via Group Policy to the Windows domain controllers and servers.
What are the different types of Terminal Services?
User Mode and Application Mode.
What is the System Startup process?
Windows 2K boot process on an Intel architecture:
1. Power-On Self Tests (POST) are run.
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run.
3. The active partition is located, and the boot sector is loaded.
4. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.
2. The Windows 2000 loader starts a mini-file system.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
5. NTDETECT.COM scans the hardware installed in the computer and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.
6. NTLDR then loads NTOSKRNL.EXE and gives it the hardware information collected by NTDETECT.COM. Windows NT enters the Windows load phases.
How do you change the DS Restore admin password?
In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Restore mode, then use either the Microsoft Management Console (MMC) Local Users and Groups snap-in or the command net user administrator * to change the Administrator password.
Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Service Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility's scripting options.)
In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password.
To do so, follow these steps:
1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
2. Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument 'set dsrm password' at the ntdsutil prompt: ntdsutil: set dsrm password.
3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine.
For example, to reset the password on server testing, enter the following argument at the Reset DSRM Administrator Password prompt: Reset DSRM Administrator Password: reset password on server testing
To reset the password on the local machine, specify null as the server name: Reset DSRM Administrator Password: reset password on server null
4. You'll be prompted twice to enter the new password. You'll see the following messages:
Please type password for DS Restore Mode Administrator Account:
Please confirm new password:
Password has been set successfully.
5. Exit the password-reset utility by typing 'quit' at the following prompts:
Reset DSRM Administrator Password: quit
ntdsutil: quit
How do I use Registry keys to remove a user from a group?
In Windows Server 2003 you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from www.joeware.net. AdFind and AdMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.
Why are my NT4 clients failing to connect to the Windows 2000 domain?
Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server.
How do you view replication properties for AD partitions and DCs?
By using the replication monitor:
go to Start > Run > type repadmin
go to Start > Run > type replmon
Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone life, which is set to only 60 days.
Different modes of AD restore?
A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller.
An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. In this case one needs to stop inbound replication first, before performing the authoritative restore.
How do you configure a stand-by operations master for any of the roles?
• Open Active Directory Sites and Services.
• Expand the site name in which the standby operations master is located to display the Servers folder.
• Expand the Servers folder to see a list of the servers in that site.
• Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
• Right-click NTDS Settings, click New, and then click Connection.
• In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
• In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
What's the difference between transferring a FSMO role and seizing?
Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available.
If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role seize and then bring the previous holder back online, you'll have a problem.
An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC. During the process the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder.
I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC)
What is BridgeHead Server in AD?
A bridgehead server is a domain controller in each site which is used as a contact point to receive and replicate data between sites. For intersite replication, the KCC designates one of the domain controllers as a bridgehead server. In case the server is down, the KCC designates another one from the domain controllers. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.
What is the default size of ntds.dit?
10 MB in Server 2000 and 12 MB in Server 2003.
Where is the AD database held and what are other folders related to AD?
The AD database is saved in %systemroot%\ntds. You can see other files also in this folder. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file.
Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've discussed.
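The edb.log / edb.chk / ntds.dit write path just described, as an added in-memory model (example code, not the page's own and not the real ESE engine): changes hit the log first, a writer later applies them to the database and advances the checkpoint, and a reboot replays the log whenever the shutdown statement or the checkpoint file is missing. The DNs and the crash cases are constructed.

```python
"""Toy model of the AD database write path: edb.log first, ntds.dit later,
edb.chk recording progress and the clean-shutdown statement."""


class DirectoryStore:
    def __init__(self):
        self.ntds_dit = {}                                 # the database: DN -> attributes
        self.edb_log = []                                  # transaction log, always written first
        self.edb_chk = {"applied": 0, "shutdown": False}   # checkpoint file

    def write(self, dn, attrs):
        """A change is recorded in edb.log before it ever reaches ntds.dit."""
        self.edb_log.append({"dn": dn, "attrs": dict(attrs)})
        self.edb_chk["shutdown"] = False

    def _apply(self, txn):
        self.ntds_dit.setdefault(txn["dn"], {}).update(txn["attrs"])

    def flush(self):
        """Background writer: move logged transactions into the database and
        record in edb.chk how far the log has been applied."""
        for txn in self.edb_log[self.edb_chk["applied"]:]:
            self._apply(txn)
        self.edb_chk["applied"] = len(self.edb_log)

    def shutdown(self):
        """Clean shutdown: all transactions are saved, then the shutdown statement is written."""
        self.flush()
        self.edb_chk["shutdown"] = True

    def crash(self, lose_checkpoint=False):
        """Power loss: unflushed transactions exist only in edb.log; optionally
        the checkpoint file is lost as well (constructed failure case)."""
        if lose_checkpoint:
            self.edb_chk = None

    def reboot(self):
        """Recovery on restart; returns how many log records were replayed into ntds.dit."""
        if self.edb_chk is None:
            start = 0                          # no edb.chk: replay the whole log (updates are idempotent here)
            self.edb_chk = {"applied": 0, "shutdown": False}
        elif not self.edb_chk["shutdown"]:
            start = self.edb_chk["applied"]    # no shutdown statement: replay what the checkpoint does not cover
        else:
            self.edb_chk["shutdown"] = False   # clean shutdown: nothing to replay
            return 0
        pending = self.edb_log[start:]
        for txn in pending:
            self._apply(txn)
        self.edb_chk["applied"] = len(self.edb_log)
        return len(pending)


def crash_recovery_demo(lose_checkpoint=False):
    """Two flushed writes, one write still only in the log, then a crash.
    Returns (records replayed on reboot, database contents afterwards)."""
    store = DirectoryStore()
    alice = "CN=alice,OU=Staff,DC=corp,DC=internal"   # constructed DNs
    bob = "CN=bob,OU=Staff,DC=corp,DC=internal"
    store.write(alice, {"department": "IT"})
    store.write(bob, {"department": "HR"})
    store.flush()
    store.write(alice, {"title": "Admin"})            # logged, not yet in ntds.dit
    store.crash(lose_checkpoint=lose_checkpoint)
    replayed = store.reboot()
    return replayed, store.ntds_dit


if __name__ == "__main__":
    print(crash_recovery_demo())                       # 1 record replayed
    print(crash_recovery_demo(lose_checkpoint=True))   # whole log (3 records) replayed
```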
What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement.
In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM.
Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new DFS replication engine).
To update the schema, run the Adprep utility, which you'll find in the Components\r2\adprep folder on the second CD-ROM.
Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).
Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
[User Action] If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries... 139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen, which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
What is OU?
An Organizational Unit is a container object in which you can keep objects such as user accounts, groups, computers, printers, applications and other OUs. In an organizational unit you can assign specific permissions to the users. Organizational units can also be used to create departmental limitations.
Name some OU design considerations?
OU design requires balancing requirements for delegating administrative rights, independent of Group Policy needs, and the need to scope the application of Group Policy.
The following OU design recommendations address delegation and scope issues:
Applying Group Policy: An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
Delegating administrative authority: usually don't go more than 3 OU levels deep.
What is sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets.
Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic.
Sites can be linked to other Sites. Site-linked objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule.
Trying to look at the Schema, how can I do that?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc -> Add snap-in -> add Active Directory Schema
Name it as schema.msc
Open Administrative Tools -> schema.msc
What is the port no of Kerberos?
88
What is the port no of Global Catalog?
3268
What is the port no of LDAP?
389
Explain Active Directory Schema?
Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called "Schema". The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on. These objects are also known as "Classes". The Active Directory Schema can be dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server or programmatically.
How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
With dcpromo /forceremoval an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server. After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.
What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) roles. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
What is domain tree?
Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees.
Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.
What is forests?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses.
How to Select the Appropriate Restore Method?
You select the appropriate restore method by considering the circumstances and characteristics of the failure. The two major categories of failure, from an Active Directory perspective, are Active Directory data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers, or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
What is Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.
How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
Describe the process of working with an external domain name?
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for their external namespace uses the name corp.internal for their internal namespace.
The advantage to this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users because the namespaces do not reflect a relationship between resources within and outside of your network.
In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.
How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services, and nslookup gc._msdcs.
To find the GCs from the command line you can try using the DSQUERY command:
dsquery server -isgc to find all the GCs in the forest; you can also try dsquery server -forest -isgc.
What are the physical components of Active Directory?
Domain controllers and Sites. Domain controllers are physical computers which are running the Windows Server operating system and the Active Directory database. Sites are network segments based on geographical location, each of which contains one or more domain controllers.
What are the logical components of Active Directory?
Domains, Organizational Units, trees and forests are logical components of Active Directory.
What are the Active Directory Partitions?
The Active Directory database is divided into different partitions such as the Schema partition, Domain partition and Configuration partition. Apart from these partitions we can create Application partitions based on the requirement.
What is group nesting?
Adding one group as a member of another group is called 'group nesting'. This helps with easy administration and reduced replication traffic.
What is the feature of Domain Local Group?
Domain local groups are mainly used for granting access to network resources. A Domain local group can contain accounts from any domain, global groups from any domain and universal groups from any domain. For example, if you want to grant permission to a printer located at Domain A to 10 users from Domain B, then create a Global group in Domain B and add all 10 users into that Global group. Then create a Domain local group at Domain A, add the Global group of Domain B to the Domain local group of Domain A, then add the Domain local group of Domain A to the printer's (of Domain A) security ACL.
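The Domain A / Domain B printer scenario and the group nesting rules above, as an added model (example code, not from the page): group scopes enforce what they may contain, nested membership is flattened, and the printer's ACL holds only the domain local group. The domain local rules are those stated above; the assumption that a global group holds only principals from its own domain is standard AD behaviour, and the user names are constructed.

```python
"""Toy model of AD group scopes, nesting rules and an AGDLP-style ACL."""

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"


class Principal:
    def __init__(self, name, domain):
        self.name, self.domain = name, domain

    def __repr__(self):
        return f"{self.domain}\\{self.name}"


class User(Principal):
    pass


class Group(Principal):
    def __init__(self, name, domain, scope):
        super().__init__(name, domain)
        self.scope = scope
        self.members = []

    def add(self, member):
        """Enforce what each scope may contain; raises ValueError on an illegal nesting."""
        if self.scope == GLOBAL:
            # only users and global groups from the group's own domain (assumed standard rule)
            if member.domain != self.domain:
                raise ValueError(f"global group {self!r} cannot contain {member!r} from another domain")
            if isinstance(member, Group) and member.scope != GLOBAL:
                raise ValueError(f"global group {self!r} cannot contain a {member.scope} group")
        elif self.scope == DOMAIN_LOCAL:
            # accounts, global and universal groups from any domain;
            # other domain local groups only from the same domain
            if isinstance(member, Group) and member.scope == DOMAIN_LOCAL and member.domain != self.domain:
                raise ValueError(f"{self!r} cannot contain domain local group {member!r} from another domain")
        else:  # UNIVERSAL: users, global and universal groups from any domain
            if isinstance(member, Group) and member.scope == DOMAIN_LOCAL:
                raise ValueError(f"universal group {self!r} cannot contain a domain local group")
        self.members.append(member)
        return self


def effective_members(group, seen=None):
    """Flatten nested membership to the set of users (cycle-safe)."""
    seen = seen if seen is not None else set()
    users = set()
    for member in group.members:
        if isinstance(member, User):
            users.add(member)
        elif id(member) not in seen:
            seen.add(id(member))
            users |= effective_members(member, seen)
    return users


class Resource:
    """A securable object such as the printer; its ACL lives in the resource's own domain."""

    def __init__(self, name, domain):
        self.name, self.domain, self.acl = name, domain, []

    def grant(self, principal):
        # a domain local group is only usable on resources in its own domain
        if isinstance(principal, Group) and principal.scope == DOMAIN_LOCAL and principal.domain != self.domain:
            raise ValueError(f"domain local group {principal!r} cannot be used on domain {self.domain} resources")
        self.acl.append(principal)

    def has_access(self, user):
        return any(entry is user or (isinstance(entry, Group) and user in effective_members(entry))
                   for entry in self.acl)


def printer_scenario():
    """The example above: 10 users in Domain B get access to a printer in Domain A."""
    users_b = [User(f"user{i:02d}", "B") for i in range(1, 11)]      # constructed accounts
    global_b = Group("Printer Users", "B", GLOBAL)
    for user in users_b:
        global_b.add(user)
    local_a = Group("Printer Access", "A", DOMAIN_LOCAL).add(global_b)  # B's global group nested in A's DL group
    printer = Resource("PRN01", "A")                                   # constructed resource name
    printer.grant(local_a)                                             # only the domain local group is on the ACL
    return printer, users_b


if __name__ == "__main__":
    printer, users = printer_scenario()
    print([printer.has_access(u) for u in users])   # ten times True
```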
How will you take Active Directory backup?
Active Directory is backed up along with System State data. System State data includes the local registry, COM+, boot files, NTDS.DIT and the SYSVOL folder. System State can be backed up either using Microsoft's default NTBACKUP tool or third-party tools such as Symantec NetBackup, IBM Tivoli Storage Manager, etc.
Do we use clustering in Active Directory? Why?
No one installs Active Directory in a cluster. There is no need of clustering a domain controller, because Active Directory provides total redundancy with two or more servers.
What is Active Directory Recycle Bin?
Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed-up AD database, rebooting the domain controller or restarting any services.
How do you check currently forest and domain functional levels? Say both GUI and Command line.
To find out forest and domain functional levels in GUI mode, open ADUC, right-click on the domain name and take Properties. Both domain and forest functional levels will be listed there. To find out forest and domain functional levels from the command line you can use the DSQUERY command.
Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos 5.
Name few port numbers related to Active Directory?
Kerberos 88, LDAP 389, DNS 53, SMB 445
What is an FQDN?
FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of a domain name system which points to a device in the domain at its left-most end. For example in system.
Have you heard of ADAC?
ADAC - Active Directory Administrative Center is a new GUI tool that came with Windows Server 2008 R2, which provides an enhanced data management experience to the admin. ADAC helps administrators to perform common Active Directory object management tasks across multiple domains with the same ADAC instance.
How many objects can be created in Active Directory? (both 2003 and 2008)
As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
Explain the process between a user providing his Domain credential to his workstation and the desktop being loaded? Or how the AD authentication works?
When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long-term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
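The exchange described above, as an added model (example code, not from the page): the KDC keeps KA per principal plus its own KKDC, answers a logon with {SA} under KA and a TGT under KKDC, and the workstation derives KA from the typed password, so a wrong password cannot open the reply and only the KDC can open or validate the TGT. The PBKDF2 string-to-key and the HMAC-SHA256 keystream-plus-tag cipher are constructed stand-ins for the real Kerberos encryption types; realm and account names are constructed.

```python
"""Toy model of the Kerberos AS exchange between a workstation and the KDC."""
import hashlib
import hmac
import json
import os
import time


def derive_master_key(password: str, realm: str, principal: str) -> bytes:
    """KA: the long-term key derived one-way from the user's password.
    (PBKDF2 stands in for the real string-to-key function; salt = realm + principal.)"""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload under key (toy AEAD built for this example)."""
    plaintext = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt; ValueError means wrong key or tampering."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """Holds the master database of long-term keys (KA per principal) and its own key KKDC."""

    def __init__(self, realm: str, accounts: dict):
        self.realm = realm
        self.kkdc = os.urandom(32)  # only the KDC ever knows this
        self.master_keys = {user: derive_master_key(pw, realm, user) for user, pw in accounts.items()}

    def as_exchange(self, user: str, ticket_lifetime_s: int = 600) -> dict:
        """AS-REQ carries only the user name; AS-REP carries {SA, expiry} under KA
        and the TGT {SA, user, expiry} under KKDC. The password never travels."""
        ka = self.master_keys[user]       # KeyError for an unknown principal
        sa = os.urandom(32)               # session key shared between client and KDC
        expiry = int(time.time()) + ticket_lifetime_s
        tgt = seal(self.kkdc, {"session_key": sa.hex(), "user": user, "expires": expiry})
        enc_part = seal(ka, {"session_key": sa.hex(), "expires": expiry})
        return {"enc_part": enc_part, "tgt": tgt}

    def validate_tgt(self, tgt: bytes) -> dict:
        """Later requests present the TGT; only KKDC opens it, so a forged or altered TGT fails."""
        content = unseal(self.kkdc, tgt)
        if content["expires"] < time.time():
            raise ValueError("TGT expired")
        return content


def client_logon(kdc: KDC, user: str, password: str):
    """Workstation side: derive KA from the typed password and open the AS-REP with it.
    Returns (session key, TGT); a wrong password raises ValueError from unseal."""
    reply = kdc.as_exchange(user)
    ka = derive_master_key(password, kdc.realm, user)   # one-way: same hash the KDC stored
    enc = unseal(ka, reply["enc_part"])
    return bytes.fromhex(enc["session_key"]), reply["tgt"]


if __name__ == "__main__":
    kdc = KDC("CORP.INTERNAL", {"alice": "correct horse battery"})   # constructed realm and account
    sa, tgt = client_logon(kdc, "alice", "correct horse battery")
    assert kdc.validate_tgt(tgt)["session_key"] == sa.hex()
    print("logon ok, TGT validated by the KDC")
```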
GDifferent #odes of AD restore '
A nonaut)oritative restore is the de!ault method !or restoring Active Directory. To per!orm a nonauthoritative restore
you must be able to start the domain controller in Directory #ervices ;estore 1ode. A!ter you restore the domain
controller !rom bac&up replication partners use the standard replication protocols to update Active Directory and
associated in!ormation on the restored domain controller.
An aut)oritative restore brings a domain or a container bac& to the state it was in at the time o! bac&up and overwrites
all changes made since the bac&up. I! you do not want to replicate the changes that have been made subsequent to
the last bac&up operation you must per!orm an authoritative restore. In this one needs to stop the inbound replication
!irst be!ore per!orming the An authoritative restore.
GHow do you configure a stand"by operation #aster for any of the roles'
Z 8pen Active Directory #ites and #ervices.
Z 67pand the site name in which the standby operations master is located to display the #ervers !older.
Z 67pand the #ervers !older to see a list o! the servers in that site.
Z 67pand the name o! the server that you want to be the standby operations master to display its 4TD# #ettings.
Z ;ight'clic& 4TD# #ettings clic& 4ew and then clic& 2onnection.
Z In the (ind Domain 2ontrollers dialog bo7 select the name o! the current role holder and then clic& 8K.
Z In the 4ew 8b"ect'2onnection dialog bo7 enter an appropriate name !or the 2onnection ob"ect or accept the
de!ault name and clic& 8K.
WhatIs the difference between transferring a (,5= role and sei>ing '
#ei:ing an (#18 can be a destructive process and should only be attempted i! the e7isting server with the (#18 is
no longer available.
I! you per!orm a sei:ure o! the (#18 roles !rom a D2 you need to ensure two things:
the current holder is actually dead and o!!line and that the old D2 will 46M6; return to the networ&. I! you do an
(#18 role #ei:e and then bring the previous holder bac& online youAll have a problem.
An (#18 role T;A4#(6; is the grace!ul movement o! the roles !rom a live wor&ing D2 to another live D2 During
the process the current D2 holding the role$s% is updated so it becomes aware it is no longer the role holder
GI want to loo- at the .ID allocation table for a D$. What do I do'
dcdiag @test:ridmanager @s:servername @v $servername is the name o! our D2%
GWhat is JridgeHead ,erver in AD '
A bridgehead server is a domain controller in each site which is used as a contact point to receive and replicate data
between sites. (or intersite replication K22 designates one o! the domain controllers as a bridgehead server. In
case the server is down K22 designates another one !rom the domain controller. 3hen a bridgehead server
receives replication updates !rom another site it replicates the data to the other domain controllers within its site.
GWhat is the default si>e of ntds.dit '
C5 1B in #erver ,555 and C, 1B in #erver ,55+ .
>Where is the -D data+ase held and What are other ,olders related to -D #
AD Database is saved in HsystemrootH@ntds. Lou can see other !iles also in this !older. These are the main !iles
controlling the AD structure.
ntds.dit
edb.log
resC.log
res,.log
edb.ch&
3hen a change is made to the 3in,K database triggering a write operation 3in,K records the transaction in the log
!ile $edb.log%. 8nce written to the log !ile the change is then written to the AD database. #ystem per!ormance
determines how !ast the system writes the data to the AD database !rom the log !ile. Any time the system is shut
down all transactions are saved to the database.
During the installation o! AD 3indows creates two !iles: resC.log and res,.log. The initial si:e o! each is C51B.
These !iles are used to ensure that changes can be written to dis& should the system run out o! !ree dis& space. The
chec&point !ile $edb.ch&% records transactions committed to the AD database $ntds.dit%. During shutdown a
OshutdownP statement is written to the edb.ch& !ile.
Then during a reboot AD determines that all transactions in the edb.log !ile have been committed to the AD
database. I! !or some reason the edb.ch& !ile doesnAt e7ist on reboot or the shutdown statement isnAt present AD will
use the edb.log !ile to update the AD database. The last !ile in our list o! !iles to &now is the AD database itsel!
ntds.dit. By de!ault the !ile is located inJ4TD# along with the other !iles weAve discussed
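The recovery logic just described (log first, database later, checkpoint plus shutdown marker deciding whether the log is replayed on the next start) can be seen end to end in this added toy model. It is an illustration written for this page, not Microsoft's ESE code: the file names follow the text, while the record format, the JSON files and the DNs are simplified assumptions.

```python
import json
import os
import tempfile

SHUTDOWN_MARKER = "shutdown"


class ToyDirectoryStore:
    """Models ntds.dit, edb.log and edb.chk in one folder. A change hits the log
    first and reaches the database later; the checkpoint records how much of the
    log is already in the database and whether the last stop was a clean shutdown."""

    def __init__(self, folder):
        self.dit = os.path.join(folder, "ntds.dit")  # the directory database
        self.log = os.path.join(folder, "edb.log")   # transaction log
        self.chk = os.path.join(folder, "edb.chk")   # checkpoint file
        self.db = self._read_json(self.dit, {})
        chk = self._read_json(self.chk, {"applied": 0})
        self.applied = chk["applied"]
        # No edb.chk, or no shutdown statement in it: the last run did not end
        # cleanly, so replay edb.log to bring ntds.dit up to date.
        self.replayed = 0 if chk.get(SHUTDOWN_MARKER) else self._replay()
        # The database is open again: drop the shutdown marker until the next
        # clean shutdown, so a crash from here on is detected on the next start.
        self._write_json(self.chk, {"applied": self.applied})

    @staticmethod
    def _read_json(path, default):
        if not os.path.exists(path):
            return default
        with open(path) as fh:
            return json.load(fh)

    @staticmethod
    def _write_json(path, value):
        with open(path, "w") as fh:
            json.dump(value, fh)

    def _log_records(self):
        if not os.path.exists(self.log):
            return []
        with open(self.log) as fh:
            return [json.loads(line) for line in fh if line.strip()]

    def write(self, dn, attrs):
        """Record the transaction in edb.log before the database sees it."""
        with open(self.log, "a") as fh:
            fh.write(json.dumps({"dn": dn, "attrs": attrs}) + "\n")
        self.db[dn] = attrs  # in memory only; ntds.dit is written lazily

    def flush(self):
        """Write pending changes to ntds.dit and advance the checkpoint."""
        self._write_json(self.dit, self.db)
        self.applied = len(self._log_records())
        self._write_json(self.chk, {"applied": self.applied})

    def shutdown(self):
        """Clean shutdown: all transactions saved, shutdown statement in edb.chk."""
        self.flush()
        self._write_json(self.chk, {"applied": self.applied, SHUTDOWN_MARKER: True})

    def _replay(self):
        """Apply the log records the checkpoint says never reached ntds.dit."""
        pending = self._log_records()[self.applied:]
        for rec in pending:
            self.db[rec["dn"]] = rec["attrs"]
        self.flush()
        return len(pending)


def crash_and_recover():
    """One committed write, one write still only in edb.log, then the process
    dies without shutdown(). Returns (records replayed, DNs in the database)."""
    with tempfile.TemporaryDirectory() as folder:
        store = ToyDirectoryStore(folder)
        store.write("CN=alice,DC=corp,DC=internal", {"sn": "Smith"})  # constructed
        store.flush()  # alice reaches ntds.dit
        store.write("CN=bob,DC=corp,DC=internal", {"sn": "Jones"})    # constructed
        del store      # crash: bob exists only in edb.log
        reopened = ToyDirectoryStore(folder)
        return reopened.replayed, sorted(reopened.db)


def clean_restart():
    """A clean shutdown leaves the marker in edb.chk, so nothing is replayed."""
    with tempfile.TemporaryDirectory() as folder:
        store = ToyDirectoryStore(folder)
        store.write("CN=carol,DC=corp,DC=internal", {"sn": "Lee"})    # constructed
        store.shutdown()
        reopened = ToyDirectoryStore(folder)
        return reopened.replayed, "CN=carol,DC=corp,DC=internal" in reopened.db


if __name__ == "__main__":
    print(crash_and_recover())  # (1, ['CN=alice,...', 'CN=bob,...'])
    print(clean_restart())      # (0, True)
```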
What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement.
In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM.
Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new DFS replication engine).
To update the schema, run the Adprep utility, which you'll find in the Components\r2\adprep folder on the second CD-ROM.
Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).
Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
[User Action] If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries... 139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen, which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
What is an OU?
An Organizational Unit is a container object in which you can keep objects such as user accounts, groups, computers, printers, applications and other OUs. In an organizational unit you can assign specific permissions to the users. An organizational unit can also be used to create departmental limitations.
Name some OU design considerations?
OU design requires balancing requirements for delegating administrative rights, independent of Group Policy needs, and the need to scope the application of Group Policy.
The following OU design recommendations address delegation and scope issues:
Applying Group Policy: An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
Delegating administrative authority: usually don't go more than 3 OU levels deep.
What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets.
Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic.
Sites can be linked to other Sites. Site-link objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule.
Trying to look at the Schema, how can I do that?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc -> Add snap-in -> add Active Directory Schema
Name it as schema.msc
Open Administrative Tools -> schema.msc
What is the port no of Kerberos?
88
What is the port no of Global Catalog?
3268
What is the port no of LDAP?
389
Explain Active Directory Schema?
Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called the "Schema". The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on. These objects are also known as "Classes". The Active Directory Schema is dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.
How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
With dcpromo /forceremoval an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server. After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.
What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) roles. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
What is a domain tree?
Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees.
Trees can be viewed in two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.
What is a forest?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses.
How to Select the Appropriate Restore Method?
You select the appropriate restore method by considering the circumstances and characteristics of the failure. The two major categories of failure, from an Active Directory perspective, are Active Directory data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers, or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
What is the Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.
How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
Describe the process of working with an external domain name?
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for its external namespace uses the name corp.internal for its internal namespace.
The advantage to this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users, because the namespaces do not reflect a relationship between resources within and outside of your network.
In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.
How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services, and nslookup gc._msdcs.
To find the GCs from the command line you can try using the DSQUERY command: dsquery server -isgc finds all the GCs in the forest; you can also try dsquery server -forest -isgc.
What are the physical components of Active Directory?
Domain controllers and Sites. Domain controllers are physical computers which run the Windows Server operating system and the Active Directory database. Sites are network segments based on geographical location, and each site contains one or more domain controllers.
What are the logical components of Active Directory?
Domains, Organizational Units, trees and forests are the logical components of Active Directory.
What are the Active Directory Partitions?
The Active Directory database is divided into different partitions, such as the Schema partition, Domain partition, and Configuration partition. Apart from these partitions, we can create Application partitions based on the requirement.
What is group nesting?
Adding one group as a member of another group is called 'group nesting'. This helps with easy administration and reduced replication traffic.
What is the feature of a Domain Local Group?
Domain local groups are mainly used for granting access to network resources. A Domain local group can contain accounts from any domain, global groups from any domain, and universal groups from any domain. For example, if you want to grant permission to a printer located in Domain A to 10 users from Domain B, then create a Global group in Domain B and add all 10 users into that Global group. Then create a Domain local group in Domain A, add the Global group of Domain B to the Domain local group of Domain A, and then add the Domain local group of Domain A to the printer's (Domain A) security ACL.
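The scope rules behind the printer example above (which principals each group scope may contain, and the Accounts -> Global -> Domain Local -> Permission chain across two domains) are spelled out in this added model. It is an illustration for this page, not Microsoft code; the rule table is the documented native-mode behaviour, and Domain A, Domain B, the group names and the ten users are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str  # "global", "domain_local" or "universal"
    members: list = field(default_factory=list)

    def add(self, member):
        """Enforce what each scope may contain (native-mode rules), then add."""
        is_account = isinstance(member, Account)
        if self.scope == "global":
            # Global groups hold only accounts and global groups of their OWN domain.
            ok = member.domain == self.domain and (is_account or member.scope == "global")
        elif self.scope == "domain_local":
            # Accounts, global and universal groups from ANY domain (the text's rule),
            # plus domain local groups from the same domain.
            ok = (is_account or member.scope in ("global", "universal")
                  or (member.scope == "domain_local" and member.domain == self.domain))
        elif self.scope == "universal":
            # Accounts, global and universal groups from any domain; never domain local.
            ok = is_account or member.scope in ("global", "universal")
        else:
            raise ValueError(f"unknown scope {self.scope!r}")
        if not ok:
            raise ValueError(
                f"{self.scope} group {self.name} (Domain {self.domain}) cannot contain {member}")
        self.members.append(member)

    def effective_accounts(self):
        """Expand nested groups into the accounts that inherit this group's access."""
        found = set()
        for m in self.members:
            if isinstance(m, Account):
                found.add(m)
            else:
                found |= m.effective_accounts()
        return found


def printer_example():
    """The text's scenario: 10 users from Domain B need a printer in Domain A."""
    users_b = [Account(f"user{i:02d}", "B") for i in range(1, 11)]
    g_print_users = Group("G-PrintUsers", "B", "global")
    for user in users_b:
        g_print_users.add(user)        # Accounts -> Global group (same domain, B)
    dl_printer = Group("DL-Printer01-Print", "A", "domain_local")
    dl_printer.add(g_print_users)      # Global (B) -> Domain Local (A): crosses domains
    printer_acl = {"Print": dl_printer}  # the ACE on the printer names the domain local group
    return {a.name for a in printer_acl["Print"].effective_accounts()}


def wrong_way():
    """Dropping a Domain B account straight into a Domain A global group is refused,
    which is why the global group has to be created in Domain B."""
    g_in_a = Group("G-Wrong", "A", "global")
    try:
        g_in_a.add(Account("user01", "B"))
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(sorted(printer_example()))  # ['user01', ..., 'user10']
    print(wrong_way())
```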
How will you take an Active Directory backup?
Active Directory is backed up along with System State data. System State data includes the local registry, COM+, boot files, NTDS.DIT and the SYSVOL folder. System State can be backed up either using Microsoft's default NTBACKUP tool or third-party tools such as Symantec NetBackup, IBM Tivoli Storage Manager, etc.
Do we use clustering in Active Directory? Why?
No one installs Active Directory in a cluster. There is no need to cluster a domain controller, because Active Directory provides total redundancy with two or more servers.
What is the Active Directory Recycle Bin?
The Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed-up AD database, rebooting a domain controller, or restarting any services.
How do you check the current forest and domain functional levels? Say both GUI and command line.
To find out forest and domain functional levels in GUI mode, open ADUC, right-click on the domain name and take Properties. Both domain and forest functional levels will be listed there. To find out forest and domain functional levels from the command line you can use the DSQUERY command.
Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos 5.
Name a few port numbers related to Active Directory?
Kerberos 88, LDAP 389, DNS 53, SMB 445
What is an FQDN?
FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of a domain name system which points to a device in the domain at its left-most end. For example in system.
Have you heard of ADAC?
ADAC, the Active Directory Administrative Center, is a new GUI tool that came with Windows Server 2008 R2, which provides an enhanced data management experience to the admin. ADAC helps administrators perform common Active Directory object management tasks across multiple domains with the same ADAC instance.
How many objects can be created in Active Directory? (both 2003 and 2008)
As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
Explain the process between a user providing his domain credentials to his workstation and the desktop being loaded. Or: how does AD authentication work?
When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long-term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user, and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
Active Directory Interview Questions to Prepare You to Ace Your AD Interview
JANUARY 24, 2014 BY BRIGITTA SCHWULST
More and more companies are realizing
the power of cloud services and networks. With the release of Office 365, Cloud
services, and employees working away from the office, collaboration is crucial.
Ensuring the networks that connect employees and allow access to the
documents and projects within an organization is therefore critical to allow
organizations to function efficiently. This means that the demand for good
network technicians and system administrators who understand Active Directory
is increasing.
If you love ensuring the smooth, efficient operation of a network and have the networking
skills you need to qualify for a networking position, then here are some Active
Directory interview questions that may help you to secure your dream job as a
network administrator by preparing you for your interview. If you want to improve
your interview skills, then the Job Interview Skills Training Course will help you
master the interview skills you need.
1. Define Active Directory
Active Directory is a database that stores data pertaining to the users within a
network as well as the objects within the network. Active Directory allows the
compilation of networks that connect with AD, as well as the management and
administration thereof.
2. What is a domain within Active Directory?
A domain represents the group of network resources that includes computers,
printers, applications and other resources. Domains share a directory database.
The domain is represented by the address of the resources within the database. A
domain address generally looks like 125.170.456. A user can log into a domain
to gain access to the resources that are listed as part of that domain.
3. What is the domain controller?
The server that responds to user requests for access to the domain is called the
Domain Controller or DC. The Domain Controller allows a user to gain access to
the resources within the domain through the use of a single username and
password.
4. Explain what domain trees and forests are
Domains that share common schemas and configurations can be linked to form a
contiguous namespace. Domains within the trees are linked together by creating
special relationships between the domains based on trust.
Forests consist of a number of domain trees that are linked together within AD,
based on various implicit trust relationships. Forests are generally created where
a server setup includes a number of root DNS addresses. Trees within the forest
do not share a contiguous namespace.
5. What is LDAP?
LDAP is an acronym for Lightweight Directory Access Protocol and it refers to the
protocol used to access, query and modify the data stored within the AD
directories. LDAP is an internet standard protocol that runs over TCP/IP.
6. Explain what intrasite and intersite replication is and how KCC facilitates replication
The replication of DCs inside a single site is called intrasite replication, whilst the
replication of DCs in different sites is called intersite replication. Intrasite
replication occurs frequently, while intersite replication occurs less often, mainly to
conserve network bandwidth.
KCC is an acronym for the Knowledge Consistency Checker. The KCC is a
process that runs on all of the Domain Controllers. The KCC builds the
replication topology for replication within sites and between sites. Between
sites, replication is done through SMTP or RPC, whilst intrasite replication is done
using remote procedure calls over IP.
7. Name a few of the tools available in Active Directory, and which tool would you use to troubleshoot any replication issues?
Active Directory tools include:
Dfsutil.exe
Netdiag.exe
Repadmin.exe
Adsiedit.msc
Netdom.exe
Replmon.exe
Replmon.exe is a graphical tool designed to visually represent the AD replication.
Due to its graphical nature, replmon.exe allows you to easily spot and deal with
replication issues.
8. What tool would you use to edit AD?
Adsiedit.msc is a low-level editing tool for Active Directory. Adsiedit.msc is a
Microsoft Management Console snap-in with a graphical user interface that
allows administrators to accomplish simple tasks like adding, editing and deleting
objects within a directory service. Adsiedit.msc uses Application Programming
Interfaces to access the Active Directory. Since Adsiedit.msc is a Microsoft
Management Console snap-in, it requires access to MMC and a connection to an
Active Directory environment to function correctly.
9. How would you manage trust relationships from the command prompt?
Netdom.exe is another program within Active Directory that allows administrators
to manage the Active Directory. Netdom.exe is a command line application that
allows administrators to manage trust relationship within Active Directory from
the command prompt. Netdom.exe allows for batch management of trusts. It
allows administrators to join computers to domains. The application also allows
administrators to verify trusts and secure Active Directory channels.
10. Where is the AD database held and how would you create a backup of the database?
The database is stored within the Windows NTDS directory. You could create a
backup of the database by creating a backup of the System State data using the
default NTBACKUP tool provided by Windows or by Symantec's NetBackup. The
System State backup will create a backup of the local registry, the boot files,
COM+, the NTDS.DIT file as well as the SYSVOL folder.
11. What is SYSVOL, and why is it important?
SYSVOL is a folder that exists on all domain controllers. It is the repository for all
of the active directory files. It stores all the important elements of the Active
Directory group policy. The File Replication Service or FRS allows the replication
of the SYSVOL folder among domain controllers. Logon scripts and policies are
delivered to each domain user via SYSVOL.
SYSVOL stores all of the security related information of the AD.
12. Briefly explain how Active Directory authentication works
When a user logs into the network, the user provides a username and password.
The computer sends this username and password to the KDC, which contains the
master list of unique long-term keys for each user. The KDC creates a session
key and a ticket-granting ticket. This data is sent to the user's computer. The
user's computer runs the data through a one-way hashing function that converts
the data into the user's master key, which in turn enables the computer to
communicate with the KDC, to access the resources of the domain.
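The AS exchange that both authentication answers on this page walk through (the KDC's master-key database, KA derived from the password, SA and an expiring TGT sealed under KKDC, the client recovering SA with its own KA but unable to open the TGT) is played out in this added model. It is an illustration written for this page, not Windows code: real Kerberos uses the RFC 3961 encryption types and pre-authentication, which the page's description omits and this model omits too; the HMAC-based seal/unseal pair, the realm name CORP.INTERNAL and the account alice are constructed stand-ins.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "CORP.INTERNAL"       # constructed realm name
TGT_LIFETIME = 10 * 60 * 60   # ticket lifetime in seconds (10 hours, the AD default)


def string_to_key(password, salt):
    """One-way derivation of a principal's long-term key (KA) from its password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Toy authenticated encryption (HMAC keystream + HMAC tag): a stand-in for
    the real Kerberos encryption types, not something to deploy."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, "sha256").digest()


def unseal(key, blob):
    """Reject anything sealed under a different key before touching the payload."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """Holds the master database of long-term keys for every principal in its realm."""

    def __init__(self, accounts):
        self.kkdc = os.urandom(32)  # KKDC: the key only the KDC knows
        self.keys = {u: string_to_key(pw, REALM + u) for u, pw in accounts.items()}

    def as_exchange(self, username, now):
        """AS-REQ carries the user name; AS-REP returns the two items the text lists."""
        ka = self.keys[username]       # look up the user's master key KA
        sa = os.urandom(32).hex()      # fresh session key SA
        expiry = now + TGT_LIFETIME
        for_user = seal(ka, {"sa": sa, "expiry": expiry})                      # readable with KA
        tgt = seal(self.kkdc, {"sa": sa, "user": username, "expiry": expiry})  # KKDC only
        return for_user, tgt


def client_logon(kdc, username, typed_password, now):
    """Workstation side: hash the typed password into KA and open the reply."""
    for_user, tgt = kdc.as_exchange(username, now)
    ka = string_to_key(typed_password, REALM + username)
    try:
        creds = unseal(ka, for_user)
    except ValueError:
        return None                    # wrong password: SA is never recovered
    return {"sa": creds["sa"], "expiry": creds["expiry"], "tgt": tgt, "ka": ka}


def kdc_reads_tgt(kdc, tgt, now):
    """Later TGS requests: the KDC opens its own ticket and rejects an expired one."""
    ticket = unseal(kdc.kkdc, tgt)
    if ticket["expiry"] <= now:
        raise ValueError("TGT expired")
    return ticket


def demo():
    kdc = KDC({"alice": "correct horse battery staple"})  # constructed account
    now = int(time.time())
    good = client_logon(kdc, "alice", "correct horse battery staple", now)
    bad = client_logon(kdc, "alice", "not her password", now)
    try:                               # the client cannot read its own TGT
        unseal(good["ka"], good["tgt"])
        tgt_opaque = False
    except ValueError:
        tgt_opaque = True
    ticket = kdc_reads_tgt(kdc, good["tgt"], now)
    return good is not None, bad is None, tgt_opaque, ticket["sa"] == good["sa"], ticket["user"]


if __name__ == "__main__":
    print(demo())  # (True, True, True, True, 'alice')
```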
For more training on Active Directory, Administering Windows Server 2012 will
teach you how to work with Domain Controllers as well as other AD skills you
may need.
41 What is Active Directory'
A,%I-$ "I.$,%/.0 IS A ,$1%.A#I2$" "A%A3AS$ \3HI2H I# /#6D I4 "/4AI1 (8;
AD1I4I#T;ATIM6 */;*8#6#\
An active directory is a directory structure used on 1icroso!t Windows based computers and servers to
store in!ormation and data about networ&s and domains. It is primarily used !or online in!ormation and
was originally created in CII- and !irst used with Windows &000.
An active directory $sometimes re!erred to as an AD% does a variety o! !unctions including the ability to
provide in!ormation on ob"ects helps organi:e these ob"ects !or easy retrieval and access allows access
by end users and administrators and allows the administrator to set security up !or the directory.
An Active Directory can be defined as a hierarchical structure, and this structure is usually broken up into
three main categories: resources, which might include hardware such as printers; services for end
users, such as web and email servers; and objects, which are the main functions of the domain and network.
It is worth noting the framework for the objects. Remember that an object can be a piece of
hardware such as a printer, an end user, or security settings set by the administrator. Container objects can hold
other objects within their structure. All objects have an identity, usually an object name (folder name). In
addition to being able to hold other objects, every object has its own attributes, which allow
it to be characterized by the information it contains. The set of rules that defines which object classes exist and which
attributes each class may carry is called the schema.
The schema ultimately determines how these objects are
used. For instance, some object types cannot be deleted, they can only be deactivated, while
other object types can be deleted entirely. For instance a user object can be
deleted, but the built-in Administrator account cannot be deleted (it can only be renamed or disabled).
When understanding Active Directory it is important to know the levels at which objects can be viewed.
In fact an Active Directory can be viewed at one of three levels; these levels are called forests,
trees, and domains. The highest structure is called the forest, because from it you can see all objects included
within the Active Directory.
Within the forest structure are trees; these structures usually hold one or more domains. Going further
down the structure of an Active Directory are single domains. To put forests, trees and domains into
perspective, consider the following example.
A large organization has many dozens of users and processes. The forest might be the entire network of
end users and specific computers at a set location. Within this forest are trees that hold
information on specific objects such as domain controllers, program data, system, etc. Within these
objects are even more objects, which can then be controlled and categorized.
Another Answer
Active Directory in Windows Server 2003
Active Directory is one of the important parts of Windows Server 2003 networking. First you need to
know and understand Active Directory. How does it work? It makes information easy to find for the administrator
and the users. You can use Active Directory to design an organization's structure according to its
requirements. Active Directory scales from a single
computer to a single network or to many networks. In Active Directory you can include every object,
server and domain in a network.
Logical Components
The organization you set up in Windows Server 2003 and the organization you set up in Exchange Server
2003 are the same, and the same is the case with Windows 2000 and Exchange 2000. The advantage is that
one administrator manages all aspects of user configuration. These
logical constructs, which are described in the following subsections, allow you to define and group
resources so that they can be located and administered by name rather than by physical location.
Objects
An object is the basic unit in Active Directory. It is a distinct, named set of attributes that represents
something concrete, such as a user, a printer or an application. A user is also an object. In Exchange a
user's attributes include its name and location, among other things.
Organizational Unit
An organizational unit (OU) is a container in which you can keep objects such as user accounts, groups, computers,
printers, applications and other OUs. On an organizational unit you can delegate specific permissions to
users. Organizational units can also be used to model departmental boundaries.
Domains
A domain is a group of computers and other resources that are part of a network and share a common
directory database. Once a server has been installed you can use the Active Directory Installation Wizard to install
Active Directory. In order to install Active Directory on the first server on the network, that server must have
access to a server running DNS (Domain Name System). If this service is not installed on your
server, you will have to install it during the Active Directory installation.
Another Answer
Active Directory is a directory service used on Microsoft Windows based computers and servers to
store information about networks and domains. It was originally created in 1996 and first shipped with Windows 2000.
Active Directory (sometimes referred to as AD) performs a variety of functions, including providing
information on objects, organizing these objects for easy retrieval and access, allowing access
by end users and administrators, and allowing the administrator to set up security for the directory.
2. What is LDAP?
LDAP means Lightweight Directory Access Protocol. It defines how objects in Active Directory are
named and accessed. LDAP (Lightweight Directory Access Protocol) is an open standard for
accessing global or local directory services over a network and/or the Internet. A directory in this sense
is very much like a phone book. LDAP can handle other information, but it is typically used to
associate names with attributes such as phone numbers and email addresses. LDAP directories are designed to support a
high volume of queries, but the data stored in the directory does not change very often. It works on port
389 (636 for LDAP over SSL/TLS; a global catalog additionally answers on 3268 and 3269). A simple bind on port 389
sends the password in cleartext unless TLS is used, which is why domain controllers should be configured to require
LDAP signing and channel binding. LDAP is sometimes known as X.500 Lite. X.500 is an international standard for directories and
is full-featured, but it is also complex, requiring a lot of computing resources and the full OSI stack. LDAP, in
contrast, can run easily on a PC and over TCP/IP. LDAP can access X.500 directories but does not
support every capability of X.500.
ANSWER B:
The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying
directory services running over TCP/IP. A directory is a set of objects with attributes organized in a
logical and hierarchical manner. The most common example is the telephone directory, which consists of
a series of names (either of persons or organizations) organized alphabetically, with each name having
an address and phone number attached.
An LDAP directory tree often reflects various political, geographic and/or organizational boundaries,
depending on the model chosen. LDAP deployments today tend to use Domain Name System (DNS)
names for structuring the topmost levels of the hierarchy. Deeper inside the directory might appear entries
representing people, organizational units, printers, documents, groups of people or anything else that
represents a given tree entry (or multiple entries).
Its current version is LDAPv3, which is specified in a series of Internet Engineering Task Force (IETF)
Standards Track Requests for Comments (RFCs) as detailed in RFC 4510.
3. Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes, you can use DirXML or LDAP to connect to other directories (e.g. eDirectory from Novell). Novell
eDirectory was formerly called Novell Directory Services (NDS). On the Microsoft side, Microsoft Identity
Integration Server (MIIS, later ILM and Forefront Identity Manager) synchronizes AD with other LDAP directories,
and any LDAP client can query AD directly over ports 389/636 or 3268/3269.
4. Where is the AD database held? What other folders are related to AD?
The AD database is saved in %SystemRoot%\NTDS. You can see other files also in this folder. These are the main files
controlling the AD structure:
• ntds.dit
• edb.log
• res1.log
• res2.log
• edb.chk
• The SYSVOL folder is also created, which is used for replication of file-based data such as Group Policy templates and logon scripts.
When a change is made to the Win2K database, triggering a write operation, Win2K records the
transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD
database. System performance determines how fast the system writes the data to the AD database from
the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is
10MB. These files are used to ensure that changes can be written to disk should the system run out of
free disk space. (On Windows Server 2008 and later the reserve logs are named edbres00001.jrs and edbres00002.jrs.)
The checkpoint file (edb.chk) records transactions committed to the AD database
(ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD
determines that all transactions in the edb.log file have been committed to the AD database. If for some
reason the edb.chk file doesn't exist on reboot, or the shutdown statement isn't present, AD will use
the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default the file is located
in %SystemRoot%\NTDS along with the other files we've discussed. Because ntds.dit holds every password hash in the
domain, the folder, its backups and any copies must be protected like the domain administrator password itself.
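As an added example (not code from the original page), the following PowerShell locates the database and log files on a domain controller from the registry values the NTDS service itself uses, lists them, and shows who is allowed to read ntds.dit. It assumes it is run elevated on a DC; the registry value names and file names are the real ones, the output paths are whatever that DC was installed with.

```powershell
# Added example: find the AD database, its logs and SYSVOL on this DC and check
# the ACL on ntds.dit. Run elevated on a domain controller.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $ntdsParams.'DSA Database file'        # e.g. C:\Windows\NTDS\ntds.dit
$logDir  = $ntdsParams.'Database log files path'  # e.g. C:\Windows\NTDS
$workDir = $ntdsParams.'DSA Working Directory'
$sysvol  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol

"Database : $dbFile"
"Logs     : $logDir"
"Working  : $workDir"
"SYSVOL   : $sysvol"

# ntds.dit, the current transaction log (edb.log), the reserve logs
# (res1/res2.log on 2000/2003, edbres0000x.jrs on 2008+) and the checkpoint (edb.chk)
Get-ChildItem -Path $logDir, (Split-Path $dbFile) -File |
    Where-Object { $_.Name -match '^(ntds\.dit|edb.*\.(log|chk|jrs)|res\d+\.log)$' } |
    Sort-Object FullName -Unique |
    Select-Object Name, @{n='SizeMB'; e={ [math]::Round($_.Length / 1MB, 1) }}, LastWriteTime

# Only SYSTEM and Administrators should have rights on the database file.
# Anyone else listed here can copy it and crack every domain password offline.
(Get-Acl -Path $dbFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# Offline consistency check with the built-in tool (DSRM, or NTDS service
# stopped on 2008+):  ntdsutil "activate instance ntds" files integrity quit quit
```

The ACL check is the part worth keeping in a build-verification script: a non-default entry on ntds.dit (or on a backup that contains it) is a full compromise of the domain, not a hardening finding.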
5. What is the SYSVOL folder?
All Active Directory file-based data, such as Group Policy templates and logon scripts, is stored in the SYSVOL folder, and
it can only be created on an NTFS partition.
B:
The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain
controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system
(NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS)
forest.
This is a quote from Microsoft; basically the domain controller information stored in files, like your
Group Policy settings, is replicated through this folder structure. Windows 2000 and 2003 replicate SYSVOL
with the File Replication Service (FRS); Windows Server 2008 and later can migrate it to DFS Replication (DFS-R).
6. Name the AD NCs and replication issues for each NC
• Schema NC  • Configuration NC  • Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information
about the Active Directory schema, which in turn defines the different object classes and attributes within
Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide
configuration information pertaining to the physical layout of Active Directory (sites, subnets, site links),
as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain, and a partial,
read-only copy of it is replicated to every global catalog server in the forest. This is the
NC that contains the most commonly accessed Active Directory data: the actual users, groups,
computers and other objects that reside within a particular Active Directory domain.
7. What are application partitions? When do I use them?
Application directory partitions were introduced with Windows Server 2003.
An application directory partition is a directory partition that is replicated only to specific domain
controllers. A domain controller that participates in the replication of a particular application directory
partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 or later can host
a replica of an application directory partition. Use them for application data that should replicate to a chosen
set of DCs rather than to a whole domain or forest and that must not be copied into the global catalog; the
built-in examples are the DomainDnsZones and ForestDnsZones partitions that hold AD-integrated DNS zones.
8. How do you create a new application partition?
When you create an application directory partition, you are creating the first instance of this partition. You
can create an application directory partition by using the create nc option in the domain management
menu of Ntdsutil (called partition management on Windows Server 2008 and later). When creating an application directory partition using LDP or ADSI, provide a
description in the description attribute of the domainDNS object that indicates the specific application that
will use the partition. For example, if the application directory partition will be used to store data for a
Microsoft accounting program, the description could be "Microsoft accounting application". Ntdsutil does not
facilitate the creation of a description.
To create or delete an application directory partition
1. Open Command Prompt.
2. Type:
ntdsutil
3. At the ntdsutil command prompt, type:
domain management
4. At the domain management command prompt, do one of the following:
• To create an application directory partition, type:
create nc ApplicationDirectoryPartition DomainController
Answer:
Start >> Run >> CMD >> type "NTDSUTIL", press Enter
ntdsutil: domain management, press Enter
domain management: create nc dc=...,dc=...,dc=com <domain controller FQDN>
ANSWER B
Create an application directory partition by using the Dnscmd command
Use the Dnscmd command to create an application directory partition. To do this, use the following
syntax:
dnscmd ServerName /CreateDirectoryPartition FQDN-of-partition
To create an application directory partition that is named CustomDNSPartition on a domain controller that
is named DC-1, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER: dnscmd DC-1
/createdirectorypartition CustomDNSPartition.contoso.com
When the application directory partition has been successfully created, the following information appears:
DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com Command completed
successfully.
Configure an additional domain controller DNS server to host the application directory partition
Configure an additional domain controller that is acting as a DNS server to host the new application
directory partition that you created. To do this, use the following syntax with the Dnscmd command:
dnscmd ServerName /EnlistDirectoryPartition FQDN-of-partition
To configure the example domain controller that is named DC-2 to host this custom application directory
partition, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command, and then press ENTER: dnscmd DC-2
/enlistdirectorypartition CustomDNSPartition.contoso.com
The following information appears:
DNS Server DC-2 enlisted directory partition: CustomDNSPartition.contoso.com Command completed
successfully.
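As an added example (not code from the original page), the following PowerShell enumerates every naming context registered in the forest, tells domain, schema, configuration and application partitions apart from their crossRef flags, shows which DCs host each application partition, and then performs the DC-1/DC-2 steps above with the DnsServer cmdlets instead of dnscmd. It serves both the NC question and the application-partition questions. The partition name and DC names are the ones used on the page; everything else is read from the directory. It assumes a Windows Server 2012 or later DC with the ActiveDirectory and DnsServer modules.

```powershell
# Added example: classify all naming contexts and create/enlist a DNS
# application partition. Needs RSAT-AD-PowerShell and the DnsServer module.
Import-Module ActiveDirectory

$root = Get-ADRootDSE
$cfg  = $root.configurationNamingContext

# Every partition has a crossRef object under CN=Partitions in the configuration NC.
# systemFlags bits: 0x1 = hosted by NTDS, 0x2 = a domain NC, 0x4 = not replicated to the GC.
# An application partition is "hosted" but not "domain" (typically systemFlags = 5).
Get-ADObject -SearchBase "CN=Partitions,$cfg" -SearchScope OneLevel `
             -LDAPFilter '(objectClass=crossRef)' `
             -Properties nCName, systemFlags, dnsRoot, 'msDS-NC-Replica-Locations' |
    ForEach-Object {
        $flags = [int]$_.systemFlags
        $kind = if     ($_.nCName -eq $root.schemaNamingContext) { 'Schema' }
                elseif ($_.nCName -eq $cfg)                      { 'Configuration' }
                elseif ($flags -band 0x2)                        { 'Domain' }
                elseif ($flags -band 0x1)                        { 'Application' }
                else                                             { 'External crossRef' }
        [pscustomobject]@{
            Kind    = $kind
            NC      = $_.nCName
            DnsRoot = $_.dnsRoot
            # For application partitions: the NTDS Settings objects of the hosting DCs
            Hosts   = ($_.'msDS-NC-Replica-Locations' |
                       ForEach-Object { ($_ -split ',')[1] -replace '^CN=' }) -join ', '
        }
    } | Sort-Object Kind, NC | Format-Table -AutoSize

# A non-DNS application partition via ntdsutil (2008+ menu name), one line:
#   ntdsutil "partition management" "create nc dc=AppData,dc=contoso,dc=com dc-1.contoso.com" quit

# The DC-1 / DC-2 steps above with cmdlets: create on DC-1, enlist DC-2 as a replica.
# Both must run the DNS Server role.
Add-DnsServerDirectoryPartition      -Name 'CustomDNSPartition.contoso.com' -ComputerName 'DC-1'
Register-DnsServerDirectoryPartition -Name 'CustomDNSPartition.contoso.com' -ComputerName 'DC-2'

# Confirm DC-2 now lists the partition as enlisted
Get-DnsServerDirectoryPartition -ComputerName 'DC-2' |
    Select-Object DirectoryPartitionName, State, Flags
```

The classification step is the one to reuse: an application partition that lists a DC you did not expect in its replica locations is a sign someone added a replica (or a DNS server) without telling the directory team.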
9. How do you view replication properties for AD partitions and DCs?
By using Replication Monitor or repadmin:
go to Start > Run > type repadmin (from a command prompt: repadmin /showrepl and repadmin /replsummary)
go to Start > Run > type replmon (Windows 2000/2003 Support Tools; removed in Windows Server 2008, where repadmin and the AD replication PowerShell cmdlets take its place)
10. What is the Global Catalog?
The global catalog contains a complete replica of all objects in Active Directory for its host domain and
contains a partial replica of all objects in Active Directory for every other domain in the forest.
ANSWER B:
The global catalog is a distributed data repository that contains a searchable, partial representation of
every object in every domain in a multidomain Active Directory forest. The global catalog is stored on
domain controllers that have been designated as global catalog servers and is distributed through
multimaster replication. Searches that are directed to the global catalog are faster because they do not
involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a Windows
2000 Server or Windows Server 2003 forest stores a full, writable replica of a single domain directory
partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a
different domain would require the user or application to provide the domain of the requested object.
The global catalog provides the ability to locate objects from any domain without having to know the
domain name. A global catalog server is a domain controller that, in addition to its full, writable domain
directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in
the forest. The additional domain directory partitions are partial because only a limited set of attributes is
included for each object. By including only the attributes that are most used for searching, every object in
every domain in even the largest forest can be represented in the database of a single global catalog
server.
11. How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
(the "DSA options" line of the output shows IS_GC when that DC is a global catalog)
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services (the NTDS Settings properties of each server) and nslookup gc._msdcs.<forest root DNS name>.
To find the GCs from the command line you can try using the DSQUERY command.
dsquery server -isgc finds all the GCs in the current domain;
dsquery server -forest -isgc finds all the GCs in the forest.
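As an added example (not code from the original page), the following PowerShell covers questions 9 and 11 together: it lists the global catalogs three ways (the forest object, each domain's DC attributes, and the DNS SRV records clients actually use) and then runs a forest-wide replication health sweep with the ActiveDirectory cmdlets, which is what replaces replmon on Windows Server 2008 R2 and later. Nothing is hard-coded; the forest name is read from the directory. It assumes RSAT-AD-PowerShell (Windows Server 2012 or later cmdlets) on a domain-joined host.

```powershell
# Added example: enumerate GCs three ways, then check replication forest-wide.
Import-Module ActiveDirectory
$forest = Get-ADForest

# 1. The forest object: every GC registers itself here when it starts advertising
"Global catalogs (forest object):"
$forest.GlobalCatalogs

# 2. Per-DC attribute, domain by domain (Get-ADDomainController is scoped to one domain)
$forest.Domains | ForEach-Object {
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $_
} | Select-Object HostName, Domain, Site, IsReadOnly, OperatingSystem | Format-Table -AutoSize

# 3. What clients use: _gc._tcp SRV records in the forest root zone.
#    A GC absent here is not found by DC Locator even if step 2 lists it.
Resolve-DnsName -Name "_gc._tcp.$($forest.Name)" -Type SRV |
    Where-Object QueryType -eq 'SRV' |
    Select-Object NameTarget, Port, Priority, Weight

# Replication state for every DC and partition in the forest
# (repadmin /showrepl * /csv gives the same data on hosts without these cmdlets)
Get-ADReplicationPartnerMetadata -Target $forest.Name -Scope Forest |
    Select-Object Server, Partition,
        @{n='Partner'; e={ ($_.Partner -split ',')[1] -replace '^CN=' }},
        LastReplicationSuccess, LastReplicationResult |
    Sort-Object LastReplicationSuccess | Format-Table -AutoSize

# Only the failures, with counts and first occurrence: an empty result is the goal
Get-ADReplicationFailure -Target $forest.Name -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
```

Run the two replication queries from a scheduled job and alert on any FirstFailureTime older than a few hours; a DC that stays unreplicated past the tombstone lifetime is quarantined and has to be rebuilt.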
12. Why not make all DCs in a large forest GCs?
The reason that all DCs are not GCs to start with is that in large (or even giant) forests the DCs would all have
to hold a reference to every object in the entire forest, which could be quite large and quite a replication
burden.
For a few hundred or a few thousand users even this is not likely to matter, unless you have really poor
WAN lines. Note one constraint in either direction: in a multi-domain forest the infrastructure master must not be a
GC unless every DC in that domain is a GC, otherwise cross-domain group membership references stop being updated.
13. Trying to look at the Active Directory Schema, how can I do that?
Option to view the schema:
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc -> Add/Remove Snap-in -> Active Directory Schema
Save it as schema.msc
Open Administrative Tools -> schema.msc
Alternatively, connect ADSI Edit or LDP to the Schema naming context; the snap-in is read-only unless you are a
member of Schema Admins and are connected to the schema master, which is also the only DC on which schema changes are accepted.
14. What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing complicated tasks easily. These can also be
third-party tools. Some of the Support Tools include DebugViewer, DependencyViewer,
RegistryMonitor etc.
- edit by Casquehead
I believe this question is referring to the Windows Server 2003 Support Tools, which are included with
Microsoft Windows Server 2003 Service Pack 2. They are also available for download here:
http://www.microsoft.com/downloads/details.aspx?familyid=<=A5>011?@"85?A1<"?<5<3?<ABB&$A&"@<0C&displaylang=en
You need them because you cannot properly manage an Active Directory network without them.
Here they are; it would do you well to familiarize yourself with all of them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
(Windows Server 2008 and later ship most of these in-box with the AD DS role, for example Dcdiag, Dsacls, Ldp, Netdom, Repadmin and Setspn; Replmon and Netdiag were dropped.)
15. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
What is LDP?
A:
Ldp.exe is a graphical LDAP client that ships with the Support Tools (and is built into Windows Server 2008 and
later). With it you connect and bind to a domain controller or an ADAM/AD LDS instance over LDAP (389/636) or the
global catalog ports (3268/3269), browse the tree, run searches with LDAP filters, view every attribute of an entry
including those the management consoles hide, and add, modify or delete objects. It also exposes LDAP controls, so it is
the usual tool for listing and reanimating tombstoned (deleted) objects and for testing what an anonymous or
low-privileged bind can read. It is not the same thing as LDAP: LDAP is the protocol (see question 2); LDP is a
client that speaks it.
What is REPLMON?
A: Replmon is the first tool you should use when troubleshooting Active Directory replication issues on Windows 2000/2003. As it
is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its
command-line counterparts. The purpose of this document is to guide you in how to use it, list some
common replication errors and show some examples of when replication issues can stop other network
installation actions. Replmon is not available for Windows Server 2008 and later; use repadmin there.
For more go to http://www.techtutorials.net/articles/replmon_howto_a.html
What is ADSIEDIT?
A: Adsiedit.msc is a Microsoft Management Console (MMC) snap-in that acts as a low-
level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network
administrators can use it for common administrative tasks such as adding, deleting and
moving objects within a directory service. The attributes for each object can be edited or
deleted by using this tool. Adsiedit.msc uses the ADSI application programming
interfaces (APIs) to access Active Directory. The following are the required files for using
this tool:
• ADSIEDIT.DLL
• ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment and
Microsoft Management Console (MMC) are necessary. Because it writes raw attribute values with no validation,
changes made in ADSI Edit should be tested in a lab first; it is also the tool with which the
configuration and schema naming contexts are most often inspected.
What is NETDOM?
A: NETDOM is a command-line tool that allows management of Windows domains and trust relationships.
It is used for batch management of trusts, joining computers to domains, verifying trusts and secure
channels.
A:
Enables administrators to manage Active Directory domains and trust relationships from the command
prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the
Active Directory Domain Services (AD DS) server role installed. To use Netdom, you must run the
Netdom command from an elevated command prompt. To open an elevated command prompt, click
Start, right-click Command Prompt, and then click Run as administrator.
You can use Netdom to:
Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008,
Windows Server 2003, Windows 2000 or Windows NT 4.0 domain.
Provide an option to specify the organizational unit (OU) for the computer account.
Generate a random computer password for an initial Join operation.
Manage computer accounts for domain member workstations and member servers. Management
operations include:
Add, Remove, Query.
An option to specify the OU for the computer account.
An option to move an existing computer account for a member workstation from one domain to another
while maintaining the security descriptor on the computer account.
Establish one-way or two-way trust relationships between domains, including the following kinds of trust
relationships:
From a Windows 2000, Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0
domain.
From a Windows 2000, Windows Server 2003 or Windows Server 2008 domain to a Windows 2000,
Windows Server 2003 or Windows Server 2008 domain in another enterprise.
Between two Windows 2000, Windows Server 2003 or Windows Server 2008 domains in an enterprise
(a shortcut trust).
The Windows Server 2008, Windows Server 2003 or Windows 2000 Server half of an interoperable
Kerberos protocol realm.
Verify or reset the secure channel for the following configurations:
Member workstations and servers.
Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
Specific Windows Server 2008, Windows Server 2003 or Windows 2000 replicas.
Manage trust relationships between domains, including the following operations:
Enumerate trust relationships (direct and indirect).
View and change some attributes on a trust.
Commonly used forms are netdom query fsmo, netdom join, netdom resetpwd (reset a DC's machine account
password) and netdom trust <domain> /verify.
What is REPADMIN?
A: Repadmin.exe is the command-line replication diagnostics tool. repadmin /showrepl lists a DC's partners and the
result of the last attempt per partition, repadmin /replsummary gives a forest-wide failure summary, repadmin /syncall
forces replication, repadmin /kcc runs the KCC immediately and repadmin /showobjmeta shows per-attribute replication
metadata (which DC changed an attribute and when), which is also useful in incident investigations.
16. What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to
configure Active Directory access and replication topology to take advantage of the physical network.
B: A Site object in Active Directory represents a physical geographic location that hosts networks. Sites
contain objects called Subnets. Sites can be used to assign Group Policy Objects, facilitate the
discovery of resources (clients locate domain controllers and global catalogs in their own site first), manage Active Directory replication and manage network link traffic. Sites can be
linked to other sites. Site link objects may be assigned a cost value that represents the speed,
reliability, availability or other real property of a physical resource. Site links may also be assigned a
schedule.
17. What's the difference between a site link's schedule and interval?
The schedule lets you list the weekdays and hours when the site link is available for replication. The interval is how
often, in minutes, inter-site replication occurs within that available window. It ranges from
15 to 10080 minutes, and the default interval is 180 minutes.
18. What is the KCC?
Knowledge Consistency Checker: it generates the replication topology by specifying which domain
controllers will replicate to which other domain controllers in the site. The KCC maintains a list of
connections, called a replication topology, to other domain controllers in the site. The KCC ensures that
changes to any object are replicated to all domain controllers in the site and that updates go through no more than
three hops. It runs on every DC every 15 minutes by default. An administrator can also create connection objects manually, but the KCC will not remove them.
19. What is the ISTG? Who has that role by default?
Intersite Topology Generator (ISTG), the one DC per site that is responsible for the connections among the sites.
By default the first domain controller in the site has this role. If that server can no longer perform it, the next DC
in the site by GUID order takes over the role of ISTG. The current holder is recorded in the
interSiteTopologyGenerator attribute of the site's NTDS Site Settings object.
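As an added example (not code from the original page) covering questions 16 to 19 together, the following PowerShell dumps the site topology: sites with their subnets, each site link's cost, interval and whether a schedule restricts it, the ISTG of every site read from the NTDS Site Settings object, the connection objects the KCC built versus those created by hand, and finally a forced KCC run. It assumes RSAT-AD-PowerShell; no site or server names are hard-coded.

```powershell
# Added example: site topology, site link schedule/interval, ISTG per site, KCC connections.
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext

# Helper: first RDN of a DN, e.g. "CN=Paris,CN=Sites,..." -> "Paris"
function Get-Rdn([string]$dn, [int]$index = 0) { ($dn -split ',')[$index] -replace '^CN=' }

# Sites and the subnets mapped to them (a client on an unmapped subnet lands in a random site)
Get-ADReplicationSite -Filter * -Properties Subnets |
    Select-Object Name, @{n='Subnets'; e={ ($_.Subnets | ForEach-Object { Get-Rdn $_ }) -join ' ' }} |
    Format-Table -AutoSize

# Site links: cost, interval (15..10080 minutes, default 180) and custom schedule
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, ReplicationSchedule, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{n='CustomSchedule'; e={ $null -ne $_.ReplicationSchedule }},
        @{n='Sites'; e={ ($_.SitesIncluded | ForEach-Object { Get-Rdn $_ }) -join ', ' }} |
    Format-Table -AutoSize

# ISTG per site: NTDS Site Settings -> interSiteTopologyGenerator (DN of the holder's NTDS Settings)
Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=nTDSSiteSettings)' `
             -Properties interSiteTopologyGenerator |
    Select-Object @{n='Site'; e={ Get-Rdn $_.DistinguishedName 1 }},
                  @{n='ISTG'; e={ if ($_.interSiteTopologyGenerator) { Get-Rdn $_.interSiteTopologyGenerator 1 } else { '(none: site has no writable DC)' } }} |
    Format-Table -AutoSize

# Connection objects: AutoGenerated = built by the KCC; $false = created by an admin
# and therefore never cleaned up by the KCC. Review the manual ones.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, AutoGenerated,
        @{n='From'; e={ Get-Rdn $_.ReplicateFromDirectoryServer 1 }},
        @{n='To';   e={ Get-Rdn $_.ReplicateToDirectoryServer 1 }} |
    Format-Table -AutoSize

# Recompute the topology now instead of waiting for the 15-minute KCC cycle
repadmin /kcc
```

The manual connection object list is worth auditing: a hand-made connection from a DC in a poorly trusted branch site to a hub DC survives every KCC run and is an easy thing for an attacker with site-level delegation to leave behind.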
20. What are the requirements for installing AD on a new server?
• An NTFS partition with enough free space (250MB minimum)
• An Administrator's username and password
• The correct operating system version
• A NIC
• Properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway)
• A network connection (to a hub or to another computer via a crossover cable)
• An operational DNS server (which can be installed on the DC itself)
• A domain name that you want to use
• The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
20. What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
First available in Windows Server 2003: you create a copy of the system state from an existing DC and copy
it to the new remote server. Run "dcpromo /adv". You will be prompted for the location of the system state
files. This is called Install From Media (IFM). On Windows Server 2008 and later the media is created with
"ntdsutil ifm" rather than a system state backup, and it must be younger than the tombstone lifetime when used.
___________________________________
Answer B:
Back up the system state as follows:
1. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in wizard
mode, click the Advanced Mode hyperlink.)
2. On the Backup tab, click to select the System State check box in the left pane. Do not back
up the file system part of the SYSVOL tree separately from the system state backup.
3. In the Backup media or file name box, specify the drive, path and file name of the system
state backup.
Name the file with a .bkf extension (recommended and general).
Restore the system state as below on the target computer:
1. Log on to the Windows Server 2003-based computer that you want to promote. You must be a
member of the local Administrators group on this computer.
2. Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in wizard
mode, click the Advanced Mode hyperlink.)
3. In the Backup utility, click the Restore and Manage Media tab. On the Tools menu,
click Catalog a backup file..., and then locate the .bkf file that you created earlier. Click OK.
4. Expand the contents of the .bkf file, and then click to select the System State check box.
5. In Restore files to:, click Alternate Location. To restore the system state, type the logical
drive and the path. We suggest that you type X:\Ntdsrestore. In this command, X is the
logical drive that will ultimately host the Active Directory database when the member computer
is promoted. The final location for the Active Directory database is selected when you run the
Active Directory Installation Wizard. This folder must be different from the folder that
contains the restored system state.
Now the last stage is promoting an additional domain controller:
1. Verify that the domain controller that is to be promoted has DNS name resolution and network
connectivity to existing domain controllers in the domain controller's target domain.
2. Click Start, click Run, type dcpromo /adv, and then click OK.
3. Click Next to bypass the Welcome to the Active Directory Installation
Wizard and Operating System Compatibility dialog boxes.
4. On the Domain Controller Type page, click Additional domain controller for an existing
domain, and then click Next.
5. On the Copying Domain Information page, click From these restored backup files:, and
then type the logical drive and the path of the alternate location where the system state
backup was restored. Click Next.
6. In Network Credentials, type the user name, the password and the domain name of an
account that is a member of the Domain Admins group for the domain that you are
promoting in.
7. Continue with the remainder of the Active Directory Installation Wizard pages as you would
with the standard promotion of an additional domain controller.
8. After the SYSVOL tree has replicated in and the SYSVOL share exists, delete any remaining
restored system files and folders.
21) How can you forcibly remove AD from a server, and what do you do afterwards? Can I get user
passwords from the AD database?
Demote the server using dcpromo /forceremoval and then remove that domain controller's metadata
from Active Directory using Ntdsutil (metadata cleanup). A forced removal tells the other domain
controllers nothing, so until the cleanup is done the forest still believes the server is a DC:
its NTDS Settings object, replication connections and SRV records all remain.
Plaintext passwords are not stored in AD, but the directory database (NTDS.dit) holds every
account's password hashes. Anyone who obtains the database together with the machine's SYSTEM
registry hive (from a system state backup or from the disk of a demoted DC) can extract those
hashes offline, so treat backups and decommissioned DC disks as sensitive. As an administrator you
cannot read the passwords, but you can still reset them.
Another way out, too (an unsupported registry hack; prefer dcpromo /forceremoval):
Restart the DC in DSRM mode.
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode. It is a member server now, but the AD entries are still there.
Promote the server to a fake domain (say, ABC.com) and then remove it gracefully using Dcpromo.
Otherwise, after the restart you can also use Ntdsutil to do the metadata cleanup as described
above.
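Cleaning up after a forced removal, as an added PowerShell example that is not part of the original page: it refuses to run if the "dead" DC still answers, checks that no operations master role still points at it, runs the ntdsutil metadata cleanup the answer refers to, and deletes the leftover computer account. The server name DC02, the domain contoso.com and the use of the RSAT ActiveDirectory module on a surviving DC are assumptions.

```powershell
# Added example, not from the original page: metadata cleanup for a DC that was removed with
# "dcpromo /forceremoval" or that died. Assumes RSAT ActiveDirectory, Domain Admin rights and
# a dead DC named DC02 in contoso.com (hypothetical names).
Import-Module ActiveDirectory

$deadDc = 'DC02'
$domain = Get-ADDomain
$forest = Get-ADForest

# 1. A DC that still answers must be demoted with dcpromo instead; removing the metadata of a
#    live DC leaves an out-of-sync replica that still thinks it is authoritative.
if (Test-Connection -ComputerName "$deadDc.$($domain.DNSRoot)" -Count 1 -Quiet) {
    throw "$deadDc still responds; demote it gracefully instead of cleaning up its metadata."
}

# 2. Any operations master role still held by the dead DC must be seized first (see the
#    transfer/seize question further down the page).
$roles = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
           $forest.SchemaMaster, $forest.DomainNamingMaster)
if ($roles -match "^$deadDc\.") {
    throw "$deadDc still holds an operations master role; seize it before cleanup."
}

# 3. Locate the server object in the configuration partition; removing its NTDS Settings child
#    is what "metadata cleanup" actually does.
$configNc = (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter "(&(objectClass=server)(cn=$deadDc))"
if (-not $server) { throw "No server object for $deadDc in the configuration partition." }

# 4. ntdsutil in one-line form. The DN travels as a single argument, which works as long as the
#    site and server names contain no spaces; otherwise run ntdsutil interactively.
& ntdsutil.exe 'metadata cleanup' "remove selected server $($server.DistinguishedName)" quit quit

# 5. Leftovers ntdsutil may not remove: the computer account (with its DFSR/FRS child objects),
#    plus DNS A and SRV records for the old DC, which should be checked by hand.
Get-ADComputer -Filter "name -eq '$deadDc'" | Remove-ADObject -Recursive -Confirm:$false

# 6. Nothing should reference the old DC any more.
& repadmin.exe /showrepl * /csv | Select-String $deadDc
```

If the last line prints anything, a replication partner still has a connection object pointing at the removed DC; delete it in Active Directory Sites and Services or let the KCC regenerate the topology.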
22) Name some OU design considerations.
OU design requires balancing requirements for delegating administrative rights, independent of
Group Policy needs, and the need to scope the application of Group Policy. The following OU design
recommendations address delegation and scope issues:
Applying Group Policy: an OU is the lowest-level Active Directory container to which you can assign
Group Policy settings.
Delegating administrative authority: build OUs so that each administrative team receives rights
over only the objects it manages, instead of domain-wide rights.
Usually, don't go more than 3 OU levels deep.
23) What is the tombstone lifetime attribute?
The number of days before a deleted object (a tombstone) is removed from the directory service.
This assists in removing objects from replicated servers and prevents restores from reintroducing a
deleted object: a backup older than the tombstone lifetime cannot be restored, because the other DCs
no longer remember the deletions that happened after it was taken.
This value is the tombstoneLifetime attribute of the Directory Service object in the configuration
NC (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=...).
By default: 2000 (60 days)
2003 (180 days)
The 180-day default applies only to forests created on Windows Server 2003 SP1 or later; a forest
created with Windows 2000 or Windows Server 2003 RTM keeps 60 days after an upgrade unless the
attribute is set explicitly.
24) How would you find all users that have not logged on since last month?
Using only native commands, the batch file below produces a sorted, formatted report of users who
have not logged on since YYYYMMDD.
The report is sorted by user name and lists the user's full name and last logon date.
The syntax for using the batch file is:
<batchfile> \Folder\OutputFile.Ext YYYYMMDD [/N]
where:
YYYYMMDD will report all users who have not logged on since this date.
/N is an optional parameter that will bypass users who have never logged on.
Note that "net user" reports the Last logon value held by the domain controller that answers the
query; that value (the lastLogon attribute) is not replicated, so run the report against each DC,
or use the replicated lastLogonTimestamp attribute, to get a domain-wide answer.
The batch file contains:
@echo off
setlocal
if {%2}=={} goto syntax
if "%3"=="" goto begin
if /i "%3"=="/n" goto begin
:syntax
@echo Syntax: %~n0 File yyyymmdd [/N]
endlocal
goto :EOF
:begin
if /i "%2"=="/n" goto syntax
rem Validate the YYYYMMDD argument: four-digit year, month 01-12, day 01-31.
set dte=%2
set XX=%dte:~0,4%
if "%XX%" LSS "1993" goto syntax
set XX=%dte:~4,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "12" goto syntax
set XX=%dte:~6,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "31" goto syntax
set never=X
if /i "%3"=="/n" set never=/n
set file=%1
if exist %file% del /q %file%
rem "net user /domain" lists names three to a line; drop the header, the dashed rule and the trailer.
for /f "Skip=4 Tokens=*" %%i in ('net user /domain^|findstr /v /c:"---"^|findstr /v /i /c:"The command completed"') do (
 call :parse "%%i"
)
endlocal
goto :EOF
:parse
rem Each of the three 25-character columns may hold a user name; "#" marks the end for trimming.
set str=#%1#
set str=%str:#"=%
set str=%str:"#=%
set substr=%str:~0,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~25,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~50,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
goto :EOF
:parse1
rem Pick the "Full Name" and "Last logon" lines out of "net user <name> /domain"; values start at column 29.
set ustr=%1
if %ustr%=="The command completed successfully." goto :EOF
set ustr=%ustr:"=%
if /i "%ustr:~0,9%"=="Full Name" set fullname=%ustr:~29,999%
if /i not "%ustr:~0,10%"=="Last logon" goto :EOF
set txt=%ustr:~29,999%
rem Last logon is printed in the local short date format; this assumes M/d/yyyy.
for /f "Tokens=1,2,3 Delims=/ " %%i in ('@echo %txt%') do set MM=%%i&set DD=%%j&set YY=%%k
if /i "%MM%"=="Never" goto tstnvr
goto year
:tstnvr
if /i "%never%"=="/n" goto :EOF
goto report
:year
rem Normalise two-digit years and zero-pad month and day so YMD compares as a string.
if "%YY%" GTR "1000" goto mmm
if "%YY%" GTR "92" goto Y19
set /a YY=100%YY%%%100
set /a YY=%YY% + 2000
goto mmm
:Y19
set YY=19%YY%
:mmm
set /a XX=100%MM%%%100
if %XX% LSS 10 set MM=0%XX%
set /a XX=100%DD%%%100
if %XX% LSS 10 set DD=0%XX%
set YMD=%YY%%MM%%DD%
if "%YMD%" GEQ "%dte%" goto :EOF
:report
set fullname=%fullname%                                        #
set fullname=%fullname:~0,35%
set substr=%substr%                                  #
set substr=%substr:~0,30%
@echo %substr% %fullname% %txt%>>%file%
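A domain-wide version of the same report in PowerShell, as an added example that is not part of the original page: because the lastLogon attribute that net user prints is kept per DC and never replicated, it queries every DC and keeps the newest value, and shows the replicated (but up to 14 days stale) lastLogonTimestamp alongside. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later).

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory and read access to
# every DC in the domain.
Import-Module ActiveDirectory

function Get-StaleUsers {
    param(
        [Parameter(Mandatory)][datetime]$Since,   # e.g. (Get-Date).AddMonths(-1)
        [switch]$SkipNeverLoggedOn                # same idea as the batch file's /N switch
    )
    $dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $users = Get-ADUser -Filter 'enabled -eq $true' -Properties displayName, lastLogonTimestamp

    # samAccountName -> newest lastLogon seen on any DC. lastLogon is not replicated, so a
    # single DC's value (what "net user" shows) can be months behind the truth.
    $latest = @{}
    foreach ($dc in $dcs) {
        try {
            Get-ADUser -Server $dc -Filter 'enabled -eq $true' -Properties lastLogon |
                ForEach-Object {
                    $t = [datetime]::FromFileTime($_.lastLogon)   # 0 -> 1601-01-01 = never on this DC
                    if (-not $latest.ContainsKey($_.SamAccountName) -or $t -gt $latest[$_.SamAccountName]) {
                        $latest[$_.SamAccountName] = $t
                    }
                }
        } catch {
            Write-Warning "Could not query $dc ($_); its lastLogon values are missing from this report."
        }
    }

    foreach ($u in $users) {
        $last  = $latest[$u.SamAccountName]
        $never = ($null -eq $last) -or ($last.Year -eq 1601)
        if ($never -and $SkipNeverLoggedOn) { continue }
        if ($never -or $last -lt $Since) {
            $lastText = if ($never) { 'Never' } else { $last }
            $lltText  = if ($u.lastLogonTimestamp) { [datetime]::FromFileTime($u.lastLogonTimestamp) } else { 'Never' }
            [pscustomobject]@{
                SamAccountName     = $u.SamAccountName
                FullName           = $u.DisplayName
                LastLogon          = $lastText      # best value across all DCs
                LastLogonTimestamp = $lltText       # replicated, refreshed only when >= 9-14 days old
            }
        }
    }
}

# Usage: everyone who has not logged on in the last month, sorted like the batch report.
Get-StaleUsers -Since (Get-Date).AddMonths(-1) |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

For a rougher answer with only the Windows Server 2003 tools, "dsquery user -inactive 4" lists accounts whose replicated lastLogonTimestamp is older than four weeks; it cannot see logons recorded only in a DC's unreplicated lastLogon.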
25) What are the DS commands?
New DS (Directory Service) family of built-in command line utilities for Windows Server 2003
Active Directory.
A:
New DS built-in tools for Windows Server 2003
The DS (Directory Service) group of commands is split into two families. In one branch are DSadd,
DSmod, DSrm and DSmove, and in the other branch are DSquery and DSget.
When it comes to choosing a scripting tool for Active Directory objects you really are spoilt for
choice. The DS family of built-in command line executables offers alternative strategies to CSVDE,
LDIFDE and VBScript.
Let me introduce you to the members of the DS family:
DSadd: add Active Directory users and groups
DSmod: modify Active Directory objects
DSrm: delete Active Directory objects
DSmove: relocate objects
DSquery: find objects that match your query attributes
DSget: list the properties of an object
DS Syntax
These DS tools have their own command structure, which you can split into five parts:
1 Tool, 2 object, 3 "DN" (as in LDAP distinguished name), 4 -switch, 5 value. For example:
DSadd user "cn=billy,ou=managers,dc=cp,dc=com" -pwd cX49pQba
This will add a user called Billy to the Managers OU and set the password to cX49pQba. A password
typed on the command line is left in the console history and is visible to anyone who can list
process command lines; -pwd * prompts for it instead.
Here are some of the common DS switches which work with DSadd and DSmod:
-pwd (password), -upn (userPrincipalName), -fn (first name), -samid (SAM account name).
The best way to learn about this DS family is to log on at a domain controller and experiment from
the command line. I have prepared examples of the two most common programs. Try some sample
commands for DSadd.
Two most useful tools: DSquery and DSget
DSquery and DSget remind me of UNIX commands in that they operate at the command line, use
powerful verbs and produce plenty of action. One prerequisite for getting the most from this DS
family is a working knowledge of LDAP.
If you need to query users or computers from a range of OUs and then return information, for
example office, department, manager, then DSquery and DSget would be your tools of choice. Moreover,
you can pipe DSquery's output into DSget and export the information into a text file.
26) What is the difference between ldifde and csvde? Usage considerations?
Ldifde
Ldifde creates, modifies, and deletes directory objects on computers running Windows Server 2003
operating systems or Windows XP Professional. You can also use Ldifde to extend the schema, export
Active Directory user and group information to other applications or services, and populate Active
Directory with data from other directory services.
The LDAP Data Interchange Format (LDIF, now RFC 2849) is a file format that may be used for
performing batch operations against directories that conform to the LDAP standards. LDIF can be used
to export and import data, allowing batch operations such as add, create, and modify to be performed
against Active Directory. A utility program called LDIFDE is included in Windows 2000 to support
batch operations based on the LDIF file format standard. The article below explains how the LDIFDE
utility can be used to migrate directories.
http://support.microsoft.com/kb/237677
Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files that store data
in the comma-separated value (CSV) format. You can also support batch operations based on the CSV
file format standard.
Csvde is a command-line tool that is built into Windows Server 2008, in the %windir%\system32
folder. It is available if you have the AD DS or Active Directory Lightweight Directory Services
(AD LDS) server role installed.
To use csvde, you must run the csvde command from an elevated command prompt. To open an elevated
command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
http://technet.microsoft.com/en-us/library/cc732101.aspx
DIFFERENCE, USAGE-WISE
Csvde.exe is a Microsoft Windows 2000 command-line utility that is located in the
SystemRoot\System32 folder after you install Windows 2000. Csvde.exe is similar to Ldifde.exe, but
it extracts information in a comma-separated value (CSV) format. You can use Csvde to import and
export Active Directory data that uses the comma-separated value format. Use a spreadsheet program
such as Microsoft Excel to open this .csv file and view the header and value information. See
Microsoft Excel Help for information about functions such as Concatenate that can simplify the
process of building a .csv file.
Note: Although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only import
and export Active Directory data by using a comma-separated format (.csv), and it can only add
objects. Microsoft recommends that you use the Ldifde utility for Modify or Delete operations.
Additionally, the distinguished name (also known as DN) of the item that you are trying to import
must be in the first column of the .csv file or the import will not work.
Neither tool will set a password from a plain import: unicodePwd can only be written by ldifde over
an LDAP-over-SSL (LDAPS) connection, so accounts created by a csvde or ldifde import are disabled
with no password until one is set. Exports from either tool are a copy of directory data and should
be protected accordingly.
The source .csv file can come from an Exchange Server directory export. However, because of the
difference in attribute mappings between the Exchange Server directory and Active Directory, you
must make some modifications to the .csv file. For example, a directory export from Exchange Server
has a column that is named "obj-class" that you must rename to "objectClass". You must also rename
"Display Name" to "displayName".
http://support.microsoft.com/kb/327620
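The modify and delete operations that the note above says csvde cannot express, as an added example that is not from the original page or from Microsoft's documentation: a PowerShell script writes an LDIF changefile and imports it with ldifde -i, then runs the kind of export both tools share. The OU, the user John Smith, the contractor account and the contoso.com domain are assumptions.

```powershell
# Added example, not from the original page. Assumes an OU "OU=Staff,DC=contoso,DC=com" holding
# a user "John Smith" and an account "Contractor Test" (hypothetical), and rights to modify them.
$domainDn = 'DC=contoso,DC=com'

# An LDIF changefile: each record names a DN, a changetype and the attribute operations;
# a lone "-" separates operations within one modify record and a blank line ends the record.
$ldif = @"
# replace a single-valued attribute (csvde has no way to say "change", only "add object")
dn: CN=John Smith,OU=Staff,$domainDn
changetype: modify
replace: department
department: Security Engineering
-

# add one more value to a multi-valued attribute
dn: CN=John Smith,OU=Staff,$domainDn
changetype: modify
add: otherTelephone
otherTelephone: +1 555 0100
-

# delete an object outright
dn: CN=Contractor Test,OU=Staff,$domainDn
changetype: delete

"@

$file = Join-Path $env:TEMP 'changes.ldf'
# LDIF must be ASCII (non-ASCII values would need base64 "::" syntax); Windows PowerShell's
# default Out-File encoding is UTF-16, which ldifde does not read.
[System.IO.File]::WriteAllText($file, $ldif, [System.Text.Encoding]::ASCII)

# -i import, -f file, -k keep going past "already exists"/"no such object", -j log directory.
& ldifde.exe -i -f $file -k -j $env:TEMP
if ($LASTEXITCODE -ne 0) { Write-Warning "ldifde returned $LASTEXITCODE; see $env:TEMP\ldif.log and ldif.err" }

# For comparison, the export both tools can do: DN in the first column, one row per object.
& csvde.exe -f (Join-Path $env:TEMP 'staff.csv') -d "OU=Staff,$domainDn" -r '(objectClass=user)' -l 'sAMAccountName,displayName,department'
```

The same export in LDIF form is ldifde -f staff.ldf with the same -d, -r and -l switches; the resulting file can be edited and fed back with -i, which is why ldifde is the tool for round-trip changes.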
27) What are the FSMO roles? Who has them by default, and what happens when each one fails?
FSMO stands for Flexible Single Master Operation.
It has 5 roles:
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once the
schema update is complete, it is replicated from the schema master to all other DCs in the
directory. To update the schema of a forest, you must have access to the schema master. There can
be only one schema master in the whole forest.
If it fails: schema extensions (for example, preparing the forest for Exchange) fail until it is
back or the role is seized; day-to-day operations are unaffected.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the
forest. This DC is the only one that can add or remove a domain from the directory. It can also add
or remove cross references to domains in external directories. There can be only one domain naming
master in the whole forest.
If it fails: domains and application directory partitions cannot be added to or removed from the
forest; nothing else is affected.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents the
reference by the GUID, the SID (for references to security principals), and the DN of the object
being referenced. The infrastructure FSMO role holder is the DC responsible for updating an
object's SID and distinguished name in a cross-domain object reference. At any one time, there can
be only one domain controller acting as the infrastructure master in each domain.
If it fails: in a multi-domain forest, cross-domain references stop being updated, so accounts from
other domains that were renamed or moved show stale names in group memberships; in a single-domain
forest there is no effect.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a
Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will
stop updating object information, because it does not contain any references to objects that it
does not hold. This is because a Global Catalog server holds a partial replica of every object in
the forest. As a result, cross-domain object references in that domain will not be updated and a
warning to that effect will be logged in that DC's event log. If all the domain controllers in a
domain also host the global catalog, all the domain controllers have the current data, and it is
not important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for
all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal
SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to
assign to the security principals it creates. When a DC's allocated RID pool falls below a
threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID
master responds to the request by retrieving RIDs from the domain's unallocated RID pool and
assigns them to the pool of the requesting DC. At any one time, there can be only one domain
controller acting as the RID master in the domain.
If it fails: each DC keeps creating users, groups and computers from its current pool (500 RIDs by
default); once a DC's pool is exhausted it can create no new security principals until the RID
master is back or the role is seized. Moving objects between domains also requires the RID master.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the
W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All
Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time
service is to ensure that the Windows Time service uses a hierarchical relationship that controls
authority and does not permit loops, to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the
forest becomes authoritative for the enterprise, and should be configured to gather the time from
an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of
their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
- Password changes performed by other DCs in the domain are replicated preferentially to the PDC
emulator.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are
forwarded to the PDC emulator before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the
PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
- The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based
PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers and
domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000/2003.
The PDC emulator still performs the other functions as described in a Windows 2000/2003
environment.
If it fails: this is the role whose loss is noticed within hours. The time hierarchy loses its
authoritative source, password changes and bad-password forwarding no longer converge on one DC (so
freshly changed passwords and lockouts behave inconsistently across DCs), GPMC cannot open GPOs for
editing until it is pointed at another DC, and NT 4.0-era clients cannot change passwords.
28) What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO
(Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or
actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO
roles from the default holder DC to a different DC.
The usual placement rules are: keep the schema master and the domain naming master together on one
DC in the forest root domain (on Windows 2000 that DC must be a global catalog; on Windows Server
2003 it is recommended); keep the RID master and the PDC emulator together on a well-connected,
reliable DC, because both are consulted constantly; and keep the infrastructure master off a global
catalog unless every DC in the domain is a global catalog, for the reason given under the role
description above.
Windows Server 2003 Active Directory is a bit different from the Windows 2000 version when dealing
with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory,
but you should bear in mind that most considerations are also true when planning Windows 2000 AD
FSMO roles.
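A check for the placement rules above, as an added PowerShell example that is not part of the original page: it lists the role holders for every domain, flags an infrastructure master that sits on a global catalog in a domain where some DC is not a GC, flags RID and PDC roles that are split, and reports whether the two forest-wide roles sit together on a GC. It assumes the RSAT ActiveDirectory module; the netdom line at the end is what the page's era would use.

```powershell
# Added example, not from the original page: enumerate the FSMO holders and flag the placement
# problems discussed above. Assumes RSAT ActiveDirectory and read access to the forest.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    $forest = Get-ADForest
    $domains = foreach ($name in $forest.Domains) {
        $d   = Get-ADDomain -Identity $name
        $dcs = Get-ADDomainController -Filter * -Server $name
        $im  = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
        # IM on a GC is only a problem when at least one DC in the domain is NOT a GC
        $everyDcIsGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        [pscustomobject]@{
            Domain               = $name
            PDCEmulator          = $d.PDCEmulator
            RIDMaster            = $d.RIDMaster
            InfrastructureMaster = $d.InfrastructureMaster
            IMOnGcProblem        = [bool]($im -and $im.IsGlobalCatalog -and -not $everyDcIsGc)
            RidPdcSplit          = ($d.RIDMaster -ne $d.PDCEmulator)   # normally kept together
        }
    }
    # The two forest-wide roles belong together on a DC in the forest root domain.
    $rootDcs  = Get-ADDomainController -Filter * -Server $forest.RootDomain
    $schemaDc = $rootDcs | Where-Object { $_.HostName -eq $forest.SchemaMaster }
    [pscustomobject]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        ForestRolesSplit   = ($forest.SchemaMaster -ne $forest.DomainNamingMaster)
        SchemaMasterIsGc   = [bool]($schemaDc -and $schemaDc.IsGlobalCatalog)
        Domains            = $domains
    }
}

$r = Test-FsmoPlacement
$r | Select-Object SchemaMaster, DomainNamingMaster, ForestRolesSplit, SchemaMasterIsGc | Format-List
$r.Domains | Format-Table -AutoSize

# Without the module (Windows Server 2003 Support Tools):  netdom query fsmo
```

A True in IMOnGcProblem is the exact condition the note under the Infrastructure Master role warns about; either move the role or make every DC in that domain a global catalog.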
29) I want to look at the RID allocation table for a DC. What do I do?
1. Install the Support Tools from the OS disk (OS Installation Disk\support\tools\suptools.msi).
2. At a command prompt, type: dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our DC).
The verbose output shows the DC's current rIDAllocationPool, its rIDPreviousAllocationPool and
rIDNextRID, that is, how many RIDs it has left before it must ask the RID master for more.
30) What's the difference between transferring a FSMO role and seizing one? Which one should you
NOT seize? Why?
A transfer is a cooperative hand-over: the current role holder is online, agrees to give up the
role and replicates its final state to the new holder. A seizure assigns the role to a new DC
without the old holder's involvement, so whatever the old holder did last (schema changes, RID pool
allocations) is never reconciled.
Seizing an FSMO can therefore be a destructive process and should only be attempted if the existing
server with the FSMO is no longer available.
If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO
NOT seize the Schema Master role. The same rule applies to the Domain Naming Master and the RID
Master: two DCs that both believe they own one of these roles can hand out conflicting schema
changes or duplicate RIDs (and hence duplicate SIDs).
If you are going to seize the Schema Master, you must permanently disconnect the current Schema
Master from the network.
If you seize the Schema Master role, the boot drive on the original Schema Master must be
completely reformatted and the operating system must be cleanly installed if you intend to return
this computer to the network.
NOTE: The Boot Partition contains the system files (\System32). The System Partition is the
partition that contains the startup files NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain
controller in the forest root domain. The first domain controller in each new child or tree domain
is assigned the three domain-wide roles.
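Transfer versus seize with the AD module, as an added PowerShell example that is not part of the original page: Move-ADDirectoryServerOperationMasterRole without -Force is a transfer and needs the current holder online; with -Force it falls back to a seizure, and the function below only allows that when the holder is unreachable and the caller explicitly opts in. DC01 is an assumed name; the ntdsutil lines in the trailing comment are the equivalent on Windows Server 2003.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory, Domain Admin rights
# (Enterprise Admins / Schema Admins for the forest-wide roles) and a target DC named DC01.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string]$Role,
        [switch]$AllowSeize
    )
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $current = switch ($Role) {
        'SchemaMaster'       { $forest.SchemaMaster }
        'DomainNamingMaster' { $forest.DomainNamingMaster }
        default              { $domain.$Role }
    }
    if ($current -like "$Target.*") { return "$Target already holds $Role" }

    if (Test-Connection -ComputerName $current -Count 1 -Quiet) {
        # Preferred path: a cooperative transfer. The old holder replicates its last state
        # (e.g. the RID allocation table) to the new one before letting go.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $current to $Target"
    }

    if (-not $AllowSeize) {
        throw "$current is unreachable. Re-run with -AllowSeize only if it will never come back."
    }
    if ($Role -in 'SchemaMaster','DomainNamingMaster','RIDMaster') {
        # The page's rule: these three must never be seized from a holder that may return; the
        # old machine has to be rebuilt from scratch before it touches the network again.
        Write-Warning "Seizing $Role: $current must be wiped and reinstalled, never reconnected as-is."
    }
    # -Force attempts a transfer first and seizes only if that fails.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$false
    "Seized $Role for $Target (former holder $current)"
}

# Usage, e.g.:  Move-FsmoRole -Target DC01 -Role PDCEmulator
# ntdsutil equivalent:  ntdsutil roles connections "connect to server DC01" q "transfer pdc" q q
#                       (replace "transfer" with "seize" only when the holder is gone for good)
```

After either operation, "netdom query fsmo" on another DC should show the new holder once replication has completed.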
31) How do you configure a "stand-by operation master" for any of the roles?
A standby is simply a DC that has a direct replication connection from the current role holder, so
that it is as up to date as possible if a role has to be transferred or seized to it:
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers
folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its
NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then
click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or
accept the default name, and click OK.
32) How do you back up and restore AD?
Backing up Active Directory is essential to maintain an Active Directory database. You can back up
Active Directory by using the Graphical User Interface (GUI) and command-line tools that the
Windows Server 2003 family provides.
You frequently back up the system state data on domain controllers so that you can restore the
most current data. By establishing a regular backup schedule, you have a better chance of
recovering data when necessary.
To ensure a good backup includes at least the system state data and contents of the system disk,
you must be aware of the tombstone lifetime. By default the tombstone lifetime is 60 days (180 days
in forests created on Windows Server 2003 SP1 or later). Any backup older than the tombstone
lifetime is not a good backup. Plan to back up at least two domain controllers in each domain so
that at least one usable backup is always available to enable an authoritative restore of the data
when necessary.
A system state backup of a domain controller is a complete copy of the directory, password hashes
included, so store it with the same access controls you would apply to the DC itself.
System State Data
Several features in the Windows Server 2003 family make it easy to back up Active Directory. You
can back up Active Directory while the server is online, and other network functions can continue
to operate.
System state data on a domain controller includes the following components:
Active Directory: system state data does not contain Active Directory unless the server on which
you are backing up the system state data is a domain controller. Active Directory is present only
on domain controllers.
The SYSVOL shared folder: this shared folder contains Group Policy templates and logon scripts. The
SYSVOL shared folder is present only on domain controllers.
The Registry: this database repository contains information about the computer's configuration.
System startup files: Windows Server 2003 requires these files during its initial startup phase.
They include the boot and system files that are under Windows File Protection and used by Windows
to load, configure, and run the operating system.
The COM+ Class Registration database: the Class Registration database holds information about
Component Services applications.
The Certificate Services database: this database contains certificates that a server running
Windows Server 2003 uses to authenticate users. The Certificate Services database is present only
if the server is operating as a certificate server.
System state data contains most elements of a system's configuration, but it may not include all
of the information that you require to recover from a system failure. Therefore, be sure to back
up all boot and system volumes, including the System State, when you back up your server.
Restoring Active Directory
In the Windows Server 2003 family you can restore the Active Directory database if it becomes
corrupted or is destroyed because of hardware or software failures. You must also restore the
Active Directory database when objects in Active Directory are accidentally changed or deleted.
An Active Directory restore can be performed in several ways. Replication synchronizes the latest
changes from every other replication partner; once the replication is finished, each partner has
an updated version of Active Directory. Another way to get these latest updates is to use the
Backup utility to restore replicated data from a backup copy. For this restore you don't need to
reconfigure your domain controller or reinstall the operating system from scratch.
Active Directory Restore Methods
You can use one of three methods to restore Active Directory from backup media: primary restore,
normal (non-authoritative) restore, and authoritative restore.
Primary restore: this method rebuilds the first domain controller in a domain when there is no
other way to rebuild the domain. Perform a primary restore only when all the domain controllers in
the domain are lost and you want to rebuild the domain from the backup.
Members of the Administrators group can perform the primary restore on the local computer, or a
user who has been delegated this responsibility can perform the restore. On a domain controller,
only Domain Admins can perform this restore.
Normal restore: this method reinstates the Active Directory data to the state before the backup
and then updates the data through the normal replication process. Perform a normal restore to
return a single domain controller to a previously known good state.
Authoritative restore: you perform this method in tandem with a normal restore. An authoritative
restore marks specific data as current and prevents replication from overwriting that data. The
authoritative data is then replicated through the domain.
Perform an authoritative restore of individual objects in a domain that has multiple domain
controllers. When you perform an authoritative restore, you lose all changes to the restored
objects that occurred after the backup. Ntdsutil is the command-line utility that performs an
authoritative restore, together with the Windows Server 2003 system utilities. Ntdsutil marks
Active Directory objects as authoritative by raising their version numbers, so that data changed
more recently on other domain controllers does not overwrite the restored data during replication.
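The backup and the authoritative restore of one OU as commands, an added example that is not part of the original page: wbadmin is the Windows Server 2008 replacement for the ntbackup GUI the text describes, and the ntdsutil line marks the subtree authoritative after the normal restore in DSRM. The backup volume E: and the OU name are assumptions.

```powershell
# Added example, not from the original page. Assumes Windows Server 2008 or later (wbadmin
# replaces the ntbackup GUI the text describes), a backup volume E: and an OU
# "OU=Staff,DC=contoso,DC=com" (hypothetical).

function Backup-DcSystemState {
    param([string]$Target = 'E:')
    # System state includes NTDS.dit, i.e. every password hash in the domain. Treat the target
    # like a DC: restricted ACLs, encryption at rest, no stray copies on file shares. The
    # backup is only usable while it is younger than the tombstone lifetime.
    & wbadmin.exe start systemstatebackup -backupTarget:$Target -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
}

function Restore-OuAuthoritative {
    param(
        [Parameter(Mandatory)][string]$OuDn,       # e.g. OU=Staff,DC=contoso,DC=com (no spaces)
        [Parameter(Mandatory)][string]$Version,    # from: wbadmin get versions -backupTarget:E:
        [string]$Target = 'E:'
    )
    # Run this after booting into DSRM (bcdedit /set safeboot dsrepair; shutdown /r /t 0) and
    # logging on with the DSRM administrator password.
    # 1. Normal (non-authoritative) restore of the system state. Do not reboot afterwards yet.
    & wbadmin.exe start systemstaterecovery -version:$Version -backupTarget:$Target -quiet
    if ($LASTEXITCODE -ne 0) { throw "system state recovery failed with exit code $LASTEXITCODE" }
    # 2. Mark only the wrongly deleted OU as authoritative. ntdsutil raises the version numbers
    #    of those objects (100000 per day since the backup) so replication from the other DCs
    #    does not overwrite them; everything else stays non-authoritative and is brought up to
    #    date by normal replication after the reboot.
    & ntdsutil.exe 'authoritative restore' "restore subtree $OuDn" quit quit
    # 3. Back to a normal boot. If restored users were members of groups in other domains,
    #    import the ar_*_links_*.ldf files ntdsutil wrote with "ldifde -i -k -f <file>" on a DC
    #    of each of those domains once this DC is back online.
    & bcdedit.exe /deletevalue safeboot
}

# Usage:
#   Backup-DcSystemState -Target E:
#   Restore-OuAuthoritative -OuDn 'OU=Staff,DC=contoso,DC=com' -Version '01/31/2012-22:00'
```

On Windows Server 2003 the equivalent of step 1 is ntbackup restoring the System State while booted into Directory Services Restore Mode; the ntdsutil step is identical.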
33) Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone lifetime, which by default is only 60 days (180 days in forests created on
Windows Server 2003 SP1 or later). A backup older than the tombstone lifetime would reintroduce
objects that the other DCs have already deleted and forgotten (lingering objects), so the restore
is blocked; with the 60-day default a 4-month-old backup is well past the limit.
34) What are GPOs?
Group Policy Objects: collections of computer and user configuration settings that are linked to
sites, domains and OUs and applied to the computers and users within them.
35) What is the order in which GPOs are applied?
Local, Site, Domain, OU.
Group Policy settings are processed in the following order:
1: Local Group Policy object. Each computer has exactly one Group Policy object that is stored
locally. It is processed for both computer and user Group Policy processing.
2: Site. Any GPOs that have been linked to the site that the computer belongs to are processed
next. Processing is in the order that is specified by the administrator on the Linked Group Policy
Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link
order is processed last and therefore has the highest precedence.
3: Domain. Processing of multiple domain-linked GPOs is in the order specified by the
administrator on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the
lowest link order is processed last and therefore has the highest precedence.
4: Organizational units. GPOs that are linked to the organizational unit that is highest in the
Active Directory hierarchy are processed first, then GPOs that are linked to its child
organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that
contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs
can be linked. If several GPOs are linked to an organizational unit, their processing is in the
order that is specified by the administrator on the Linked Group Policy Objects tab for the
organizational unit in GPMC. The GPO with the lowest link order is processed last and therefore has
the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the
organizational unit of which the computer or user is a direct member are processed last, which
overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then
the earlier and later settings are merely aggregated.)
36) Name a few benefits of using GPMC.
Easy administration of all GPOs across the entire Active Directory forest
View of all GPOs in one single list
Reporting of GPO settings, security filters, delegation, etc.
Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
Delegation model
Backup and restore of GPOs
Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is
needed and should be used by everyone for what it is ideal for. However, it does fall a bit short
when you want to protect the GPOs from the following:
Role-based delegation of GPO management
Being edited in production, potentially causing damage to desktops and servers
Forgetting to back up a GPO after it has been modified
Change management of each modification to every GPO
37) What are the GPC and the GPT? Where can I find them?
A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object
consisting of a Group Policy container (GPC) and a Group Policy template (GPT).
The GPC, which contains information on the properties of a GPO, is stored in Active Directory on
each domain controller in the domain, under CN={GPO GUID},CN=Policies,CN=System,DC=<domain>. The
GPT contains the data in a GPO and is stored in SYSVOL in the Policies sub-directory, at
\\<domain>\SYSVOL\<domain>\Policies\{GPO GUID}. Both halves carry a version number and an ACL; GPMC
reports a GPO as inconsistent when the GPC and GPT versions differ, and a client that can read the
GPC but not the GPT cannot apply the policy.
38) What are GPO links? What special things can I do to them?
Linking GPOs
To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to add
a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using GPMC.
Keep in mind that creating and linking GPOs is a sensitive privilege that should be delegated only
to administrators who are trusted and understand Group Policy: whoever can link a GPO to a container
controls every computer and user in it.
Linking GPOs to the Site
If you have a number of policy settings to apply to computers in a particular physical location
only (certain network or proxy configuration settings, for example), these settings might be
appropriate for inclusion in a site-based policy. Because domains and sites are independent, it is
possible that computers in the site might need to cross domains to link the GPO to the site. In this
case, make sure there is good connectivity.
If, however, the settings do not clearly correspond to computers in a single site, it is better to
assign the GPO to the domain or OU structure rather than to the site.
Linking GPOs to the Domain
Link GPOs to the domain if you want them to apply to all users and computers in the domain. For
example, security administrators often implement domain-based GPOs to enforce corporate standards.
They might want to create these GPOs with the GPMC Enforce option enabled to guarantee that no other
administrator can override these settings.
Important
If you need to modify some of the settings contained in the Default Domain Policy GPO, it is
recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce
option. In general, do not modify this or the Default Domain Controller Policy GPO. If you do, be
sure to back up these and any other GPOs in your network by using GPMC to ensure you can restore
them.
As the name suggests, the Default Domain Policy GPO is also linked to the domain. The Default Domain
Policy GPO is created when the first domain controller in the domain is installed and the
administrator logs on for the first time. This GPO contains the domain-wide account policy settings
(Password Policy, Account Lockout Policy, and Kerberos Policy), which are enforced by the domain
controller computers in the domain. All domain controllers retrieve the values of these account
policy settings from the Default Domain Policy GPO. In order to apply account policies to domain
accounts, these policy settings must be deployed in a GPO linked to the domain, and it is
recommended that you set these settings in the Default Domain Policy. If you set account policies
at a lower level, such as an OU, the settings only affect local accounts (non-domain accounts) on
computers in that OU and its children.
Before making any changes to the default GPOs, be sure to back up the GPO using GPMC. If for some
reason there is a problem with the changes to the default GPOs and you cannot revert to the
previous or initial states, you can use the Dcgpofix.exe tool to recreate the default policies in
their initial state.
Dcgpofix.exe is a command-line tool that completely restores the Default Domain Policy GPO and
Default Domain Controller GPO to their original states in the event of a disaster where you cannot
use GPMC. Dcgpofix.exe restores only the policy settings that are contained in the default GPOs at
the time they are generated. The only Group Policy extensions that include policy settings in the
default GPOs are RIS, Security, and EFS. Dcgpofix.exe does not restore other GPOs that
administrators create; it is only intended for disaster recovery of the default GPOs. Because it
resets the default GPOs to their out-of-the-box state, any hardening added to them (audit policy,
user rights on domain controllers, password policy changes) is lost and must be re-applied.
Note that Dcgpofix.exe does not save any information created through applications such as SMS or
Exchange. The Dcgpofix.exe tool is included with Windows Server 2003 and only works in a Windows
Server 2003 domain.
Dcgpofix.exe is located in the C:\Windows\Repair folder. The syntax for Dcgpofix.exe is as follows:
DCGPOFix [/Target: Domain | DC | BOTH]
Table 2.1 describes the options you can use with the command line parameter /Target: when using the
Dcgpofix.exe tool.
Table 2.1 Dcgpofix.exe Options for Using the /Target Parameter
/Target option: Description
DOMAIN: Specifies that the Default Domain Policy should be recreated.
DC: Specifies that the Default Domain Controllers Policy should be recreated.
BOTH: Specifies that both the Default Domain Policy and the Default Domain Controllers Policy
should be recreated.
For more information about Dcgpofix.exe, in Help and Support Center for Windows Server 2003 click
Tools, and then click Command-line reference A-Z.
Linking GPOs to the OU Structure
Most GPOs are normally linked to the OU structure because this provides the most flexibility and
manageability:
You can move users and computers into and out of OUs.
OUs can be rearranged if necessary.
You can work with smaller groups of users who have common administrative requirements.
You can organize users and computers based on which administrators manage them.
Organizing GPOs into user- and computer-oriented GPOs can help make your Group Policy environment
easier to understand and can simplify troubleshooting. However, separating the user and computer
components into separate GPOs might require more GPOs. You can compensate for this by adjusting the
GPO Status to disable the user or computer configuration portions of the GPO that do not apply, and
to reduce the time required to apply a given GPO.
Changing the GPO Link Order
Within each domain, site, and OU, the link order controls the order in which GPOs are applied. To
change the precedence of a link, you can change the link order, moving each link up or down in the
list to the appropriate location. Links with the lowest number have higher precedence for a given
site, domain, or OU. For example, if you add six GPO links and later decide that you want the last
one that you added to have the highest precedence, you can adjust the link order of the GPO link so
it has link order of 1. To change the link order for GPO links for a domain, OU, or site, use GPMC.
)ttp!99tec)net7microso*t7com9en?us9library9ccB5=8157asp6
)ttp!99tec)net7microso*t7com9en?us9library9ccB>B0>07asp6
39) What can I do to prevent inheritance from above?
You can block policy inheritance for a domain or organizational unit. Using block inheritance
prevents GPOs linked to higher sites, domains, or organizational units from being automatically
inherited by the child level. By default, children inherit all GPOs from the parent, but it is
sometimes useful to block inheritance. For example, if you want to apply a single set of policies to
an entire domain except for one organizational unit, you can link the required GPOs at the domain
level (from which all organizational units inherit policies by default) and then block inheritance
only on the organizational unit to which the policies should not be applied.
921 How can I override bloc-ing of inheritance'
A. 0roup *olicies can be applied at multiple levels $#ites domains organi:ational /nits% and multiple
0*As !or each level. 8bviously it may be that some policy settings con!lict hence the application order o!
#ite 9 Domain 9 8rgani:ation /nit and within each layer you set order !or all de!ined policies but you may
want to !orce some polices to never be overridden $4o 8verride% and you may want some containers to
not inherit settings !rom a parent container $Bloc& Inheritance%.
A good de!inition o! each is as !ollows:
4o 8verride 9 This prevents child containers !rom overriding policies set at higher levels
Bloc& Inheritance 9 #tops containers inheriting policies !rom parent containers
4o 8verride ta&es precedence over Bloc& Inheritance so i! a child container has Bloc& Inheritance set but
on the parent a group policy has 4o 8verride set then it will get applied.
Also the highest 4o 8verride ta&es precedence over lower 4o 8verrideAs set.
To bloc& inheritance per!orm the !ollowing:
C. #tart the Active Directory /sers and 2omputer snap'in $#tart 9 *rograms 9 Administrative
Tools 9 Active Directory /sers and 2omputers%
,. ;ight clic& on the container you wish to stop inheriting settings !rom its parent and select
*roperties
+. #elect the S0roup *olicyA tab
4. 2hec& the SBloc& *olicy inheritanceA option
5. Click Apply, then OK
To set a policy to never be overridden, perform the following:
1. Start the Active Directory Users and Computers snap-in (Start / Programs / Administrative
Tools / Active Directory Users and Computers)
2. Right-click on the container you wish to set a Group Policy to not be overridden and select
Properties
3. Select the 'Group Policy' tab
4. Click Options
5. Check the 'No Override' option
6. Click OK
7. Click Apply, then OK
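The link order, Block Inheritance and No Override (GPMC calls it Enforced) described above can be inspected from PowerShell instead of clicking through the tabs. The following script is an added example, not part of the original page; it uses the GroupPolicy module that ships with GPMC/RSAT, and the OU and domain distinguished names in it are constructed placeholders:

```powershell
# Added example (not from the original page): report the effective GPO precedence
# for one container, including inherited links, enforced (No Override) links and
# whether Block Inheritance is set. Requires the GroupPolicy module (GPMC / RSAT).
Import-Module GroupPolicy

function Get-GpoPrecedenceReport {
    param(
        # DN of a domain or OU, e.g. "OU=Sales,DC=example,DC=com" (constructed placeholder)
        [Parameter(Mandatory)] [string] $Target
    )

    $som = Get-GPInheritance -Target $Target

    # InheritedGpoLinks lists every GPO that reaches this container in the
    # precedence order GPMC shows (first entry wins): enforced links from parents
    # first, then this container's own links by LinkOrder, then the remaining
    # parent links, which are dropped here when inheritance is blocked.
    $rows = @()
    $rank = 1
    foreach ($link in $som.InheritedGpoLinks) {
        $rows += [pscustomobject]@{
            Precedence = $rank
            GPO        = $link.DisplayName
            LinkedAt   = $link.Target      # container the link lives on
            Enforced   = $link.Enforced    # "No Override" in the ADUC-era UI
            Enabled    = $link.Enabled
            LocalOrder = $link.Order       # link order within LinkedAt
        }
        $rank++
    }

    [pscustomobject]@{
        Target             = $som.Path
        InheritanceBlocked = $som.GpoInheritanceBlocked
        Links              = $rows
    }
}

# Constructed placeholder OU; set to a real DN in your forest.
$ou = "OU=Sales,DC=example,DC=com"
$report = Get-GpoPrecedenceReport -Target $ou
"Inheritance blocked on $($report.Target): $($report.InheritanceBlocked)"
$report.Links | Format-Table -AutoSize

# The two settings the answer above configures through Properties / Group Policy,
# as cmdlets. Left commented out so running this report changes nothing:
#   Set-GPInheritance -Target $ou -IsBlocked Yes
#   Set-GPLink -Name "Default Domain Policy" -Target "DC=example,DC=com" -Enforced Yes
```

Read the report top-down: whatever sits at Precedence 1 wins a conflicting setting, and an Enforced link from a parent stays at the top even when InheritanceBlocked is True on the OU, which is exactly the "No Override beats Block Inheritance" rule stated above.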
Q: How can you determine what GPO was and was not applied for a user? Name a few ways to do
that.
1. Group Policy Management Console (GPMC) can provide assistance when you need to
troubleshoot GPO behavior. It allows you to examine the settings of a specific GPO, and
can also be used to determine how your GPOs are linked to sites, domains, and OUs.
The Group Policy Results report collects information on a computer and user to list the
policy settings which are enabled. To create a Group Policy Results report, right-click
Group Policy Results and select Group Policy Results Wizard on the shortcut menu. This
launches the Group Policy Results Wizard, which guides you through various pages to set
parameters for the information that should be displayed in the Group Policy Results report.
2. Gpresult.exe: Click Start > Run > CMD > gpresult; this will also give you information on
applied group policies.
3. RSOP.MSC
Q: A user claims he did not receive a GPO, yet his user and computer accounts are in the right
OU, and everyone else there gets the GPO. What will you look for?
Here the interviewer wants to know the troubleshooting steps:
What GPOs are applying?
Is it applying to all users and computers?
What GPOs are implemented on the OU?
Make sure the user is not subject to a loopback policy, as with loopback processing the user settings are not
applied; only the computer policy is applicable.
Is he a member of the GPO's filter group or not?
You may also want to check the computer's event logs. If you find event ID 1085, then you may want to
download the patch to fix this and reboot the computer.
_______________________________________________
Answer 2: Start troubleshooting by running RSOP.MSC (Resultant Set of Policy) or gpresult /v to verify
whether the relevant GPO actually applies to that user.
This can also be a symptom of a slow network; you can change the default setting by using the Group Policy
MMC snap-in. This feature is enabled by default, but you can disable it by using the following policy:
Administrative Templates\System\Logon\Always wait for the network at computer startup and logon.
Identify which GPOs they correspond to; verify that they are applicable to the computer/user (based on
the output of RSOP.MSC/gpresult).
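Both answers above reduce to the same check: generate a Resultant Set of Policy report and see whether the GPO is listed as applied or as denied (security filtering, WMI filter, disabled link). The script below is an added example, not from the page; it assumes the GroupPolicy module, that the user has logged on to the target computer at least once (RSoP logging mode needs that), and uses constructed computer, user and GPO names. The element names it reads (Name, Enabled, IsValid, FilterAllowed, AccessDenied, Link/SOMPath, Link/NoOverride) are those of the XML report that gpresult /x and Get-GPResultantSetOfPolicy produce; the status strings are the example's own labels:

```powershell
# Added example (not from the original page): produce an RSoP report in XML, then
# list which GPOs applied to the computer and user scopes and why the others did
# not, and check a single GPO by name. Requires the GroupPolicy module.
Import-Module GroupPolicy

function Get-RsopGpoStatus {
    param(
        [string] $Computer   = $env:COMPUTERNAME,
        [string] $User       = '',          # e.g. 'EXAMPLE\jdoe'; empty = computer scope only
        [string] $ReportPath = (Join-Path $env:TEMP 'rsop.xml')
    )

    $params = @{ Computer = $Computer; ReportType = 'Xml'; Path = $ReportPath }
    if ($User) { $params.User = $User }
    Get-GPResultantSetOfPolicy @params | Out-Null

    # [xml] dot-navigation ignores the report's XML namespaces, so the
    # Rsop/ComputerResults/GPO and Rsop/UserResults/GPO nodes can be walked directly.
    [xml] $rsop = Get-Content -Path $ReportPath
    $results = @()
    foreach ($scope in 'ComputerResults', 'UserResults') {
        $node = $rsop.Rsop.$scope
        if (-not $node) { continue }
        foreach ($gpo in @($node.GPO)) {
            # Order matters: the first failing condition is the reason reported.
            $status =
                if ($gpo.AccessDenied -eq 'true')       { 'Denied (security filtering / permissions)' }
                elseif ($gpo.FilterAllowed -eq 'false') { 'Denied (WMI filter)' }
                elseif ($gpo.Enabled -eq 'false')       { 'Denied (link or GPO disabled)' }
                elseif ($gpo.IsValid -eq 'false')       { 'Denied (GPO inaccessible or corrupt)' }
                else                                    { 'Applied' }
            $results += [pscustomobject]@{
                Scope    = $scope -replace 'Results$', ''
                GPO      = $gpo.Name
                LinkedAt = (@($gpo.Link) | ForEach-Object { $_.SOMPath }) -join '; '
                Enforced = @(@($gpo.Link) | Where-Object { $_.NoOverride -eq 'true' }).Count -gt 0
                Status   = $status
            }
        }
    }
    $results
}

function Test-GpoApplied {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [string] $Computer = $env:COMPUTERNAME,
        [string] $User     = ''
    )
    $all = Get-RsopGpoStatus -Computer $Computer -User $User
    $hit = @($all | Where-Object { $_.GPO -eq $GpoName })
    if ($hit.Count -eq 0) {
        return "GPO '$GpoName' is not linked anywhere in scope for $Computer/$User"
    }
    return ($hit | ForEach-Object { "$($_.Scope): $($_.GPO) -> $($_.Status)" }) -join "`n"
}

# Usage with constructed placeholders:
Get-RsopGpoStatus -Computer 'WS01' -User 'EXAMPLE\jdoe' | Format-Table -AutoSize
Test-GpoApplied -GpoName 'Sales Desktop Lockdown' -Computer 'WS01' -User 'EXAMPLE\jdoe'
```

A GPO that is missing from the list entirely was never linked to a container in the user's or computer's path, which points back at the OU and link-order questions; one that shows "Denied (security filtering / permissions)" is the filter-group case mentioned above; and a user GPO that is absent while the computer GPOs are present is what loopback processing in Replace mode looks like.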
Q: What are administrative templates?
The GPO settings are divided between the Computer settings and the User settings. In both parts of the
GPO you can clearly see a large section called Administrative Templates.
Administrative Templates are a large repository of registry-based changes (in fact, over 1300 individual
settings) that can be found in any GPO on Windows 2000, Windows XP, and Windows Server 2003.
By using the Administrative Templates sections of the GPO you can deploy modifications to the machine
(called HKEY_LOCAL_MACHINE in the registry) and user (called HKEY_CURRENT_USER in the
registry) portions of the Registry of computers that are influenced by the GPO.
The Administrative Templates are Unicode-formatted text files with the extension .ADM and are used to
create the Administrative Templates portion of the user interface for the GPO Editor.
Q: What's the difference between software publishing and assigning?
An administrator can either assign or publish software applications.
Assign Users
The software application is advertised when the user logs on. It is installed when the user clicks on the
software application icon via the Start menu, or accesses a file that has been associated with the software
application.
Assign Computers
The software application is advertised and installed when it is safe to do so, such as when the computer
is next restarted.
Publish to users
The software application does not appear on the Start menu or desktop. This means the user may not
know that the software is available. The software application is made available via the Add/Remove
Programs option in Control Panel, or by clicking on a file that has been associated with the application.
Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible
to publish to computers.
Q: You want to standardize the desktop environments (wallpaper, My Documents, Start menu,
printers etc.) on the computers in one department. How would you do that?
Yes! Through Group Policy.
Windows Active Directory Interview Questions
>What is Active Directory ?
Active Directory is a metadata store: a database which stores data such as
your user information, computer information and also other network object info. It has
capabilities to manage and administer the complete network which connects with AD.
>What is domain ?
In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so
forth) for a group of users. The user need only log in to the domain to gain access to the resources,
which may be located on a number of different servers in the network. The 'domain' is simply your
computer address, not to be confused with a URL. A domain address might look something like
211.170.469.
>What is domain controller ?
A Domain controller (DC) is a server that responds to security authentication requests (logging in,
checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in
Windows NT whereby a user may be granted access to a number of computer resources with the use of a
single username and password combination.
>What is LDAP ?
Lightweight Directory Access Protocol (LDAP) is the industry standard directory access protocol, making
Active Directory widely accessible to management and query applications. Active Directory supports
LDAPv3 and LDAPv2.
>What is KCC ?
KCC (Knowledge Consistency Checker) is used to generate the replication topology for intersite replication
and for intrasite replication. Within a site, replication traffic is done via remote procedure calls over IP, while
between sites it is done through either RPC or SMTP.
>Where is the AD database held? What other folders are related to AD?
The AD database is stored in c:\windows\ntds\NTDS.DIT.
>What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files. The contents, such as group
policy, scripts etc., of the SYSVOL folder are replicated to all domain controllers in the domain.
>What are the Windows Server 2003 keyboard shortcuts ?
Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT + TAB moves the
focus to the previous application in the taskbar. Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F
opens the Search panel. Winkey + CTRL + F opens the Search panel with the Search for Computers module
selected. Winkey + F1 opens Help. Winkey + M minimizes all. Winkey + SHIFT + M undoes minimization.
Winkey + R opens the Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer.
>I am trying to create a new universal user group. Why can't I ?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode
requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
>What is LSDOU ? It's the group policy inheritance model, where the policies are applied in the order Local
machine, Sites, Domains and Organizational Units.
> Which service in your Windows is responsible for replication from one Domain controller to
another domain controller?
KCC generates the replication topology.
SMTP / RPC are used to replicate changes.
> What is Intrasite and Intersite Replication ?
Intrasite is the replication within the same site; intersite is the replication between sites.
> What is the Lost & Found folder in ADS ?
It's the folder where you can find the objects missed due to conflict.
EX: you created a user in an OU which was deleted on another DC; when replication happened, ADS didn't find the
OU, so it put the user in the Lost & Found folder.
> What is Garbage collection ?
Garbage collection is the process of the online defragmentation of Active Directory. It happens every 12
hours.
> What does System State data contain ?
Contains Startup files,
Registry
COM+ Registration Database
Memory Page file
System files
AD information
Cluster Service information
SYSVOL Folder
>What is the difference between Server 2003 and 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization), but only on 64-bit
versions. More and more companies are seeing this as a way of reducing hardware costs by running
several 'virtual' servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role, such as for
a DHCP, DNS or print server).
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection - Microsoft's system for ensuring that clients connecting to Server 2008 are
patched, running a firewall and in compliance with corporate security policies.
8. PowerShell - Microsoft's command line shell and scripting language has proved popular with some
server administrators.
9. IIS 7.
10. Bitlocker - System drive encryption can be a sensible security measure for servers located in remote
branch offices. The main difference between 2003 and 2008 is Virtualization and management. 2008
has more in-built components and updated third party drivers.
11. Windows Aero.
>What are the requirements for installing AD on a new server?
1 The Domain structure.
2 The Domain Name.
3 Storage location of the database and log file.
4 Location of the shared system volume folder.
5 DNS config Method.
6 DNS configuration.
>What is REPLMON ?
The Microsoft definition of the Replmon tool is as follows: This GUI tool enables administrators to view the
low-level status of Active Directory replication, force synchronization between domain controllers, view the
topology in a graphical format, and monitor the status and performance of domain controller replication.
>What is ADSIEDIT ?
ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor
for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for
common administrative tasks such as adding, deleting, and moving objects within a directory service. The
attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application
programming interfaces (APIs) to access Active Directory. The following are the required files for using
this tool: ADSIEDIT.DLL ADSIEDIT.
>What is NETDOM ?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It
is used for batch management of trusts, joining computers to domains, verifying trusts, and secure
channels.
>What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows
domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred
to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition,
Repadmin can be used to manually create the replication topology (although in normal practice this
should not be necessary), to force replication events between domain controllers, and to view both the
replication metadata and up-to-dateness vectors.
>How to take backup of AD ?
To take a backup of Active Directory: first go START -> PROGRAMS -> ACCESSORIES
-> SYSTEM TOOLS -> BACKUP, or open the Run window and type ntbackup, and take a System State backup. When
the backup screen appears, take the backup of SYSTEM STATE; it will take the backup of all the
necessary information about the system, including AD, DNS etc.
>What are the DS* commands ?
The following DS commands make up the built-in DS family of utilities:
DSmod - modify Active Directory attributes.
DSrm - delete Active Directory objects.
DSmove - relocate objects.
DSadd - create new accounts.
DSquery - find objects that match your query attributes.
DSget - list the properties of an object.
>What are the requirements for installing AD on a new server?
An NTFS partition with enough free space.
An Administrator's username and password.
The correct operating system version.
A NIC properly configured for TCP/IP (IP address, subnet mask and - optional - default
gateway).
A network connection (to a hub or to another computer via a crossover cable).
An operational DNS server (which can be installed on the DC itself).
A Domain name that you want to use.
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).
>Difference between LDIFDE and CSVDE?
CSVDE is a command that can be used to import and export objects to and from the AD into
a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel.
I will not go to length into this powerful command, but I will show you some basic samples
of how to import a large number of users into your AD. Of course, as with the DSADD
command, CSVDE can do more than just import users. Consult your help file for more info.
LDIFDE is a command that can be used to import and export objects to and from the AD
into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is a file easily
readable in any text editor; however, it is not readable in programs like Excel. The major
difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can
be used to edit and delete existing AD objects (not just users), while CSVDE can only import
and export objects.
>What is tombstone lifetime attribute ?
The number of days before a deleted object is removed from the directory services. This
assists in removing objects from replicated servers and preventing restores from
reintroducing a deleted object. This value is in the Directory Service object in
the configuration NC.
>What are application partitions? When do I use them ?
An application directory partition is a directory partition that is replicated only to specific
domain controllers. Only domain controllers running Windows Server 2003 can host a replica of
an application directory partition.
Using an application directory partition provides redundancy, availability or fault tolerance by
replicating data to specific domain controllers or any set of domain controllers anywhere in
the forest.
>How do you create a new application partition ?
Use the DnsCmd command to create an application directory partition.
To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
>How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller where domain_controller is the DC you want to
query to determine whether it's a GC.
The output will include the text DSA Options: IS_GC if the DC is a GC.
>Can you connect Active Directory to other 3rd-party Directory Services? Name a
few options.
Yes, you can use dirXML or LDAP to connect to other directories.
In Novell you can use eDirectory.
>What is IPSec Policy
IPSec provides secure gateway-to-gateway connections across outsourced private wide area
network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec
tunnel mode. IPSec Policy can be deployed via Group Policy to the Windows
Domain controllers & Servers.
>What are the different types of Terminal Services ?
User Mode & Application Mode.
>What is RsOP
RsOP is the resultant set of policy applied on the object (Group Policy).
>What is the System Startup process ?
Windows 2K boot process on an Intel architecture.
1. Power-On Self Tests (POST) are run.
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its
program is run.
3. The active partition is located, and the boot sector is loaded.
4. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.
2. The Windows 2000 loader starts a mini-file system.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system
selections (boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the user. If Windows
2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads
BOOTSECT.DOS and gives it control.
5. NTDETECT.COM scans the hardware installed in the computer, and reports the list to
NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.
6. NTLDR then loads NTOSKRNL.EXE, and gives it the hardware information collected by
NTDETECT.COM. Windows NT enters the Windows load phases.
>How do you view replication properties for AD partitions and DCs?
By using replication monitor
go to start > run > type repadmin
go to start > run > type replmon
>What's the difference between transferring a FSMO role and seizing ?
Seizing an FSMO can be a destructive process and should only be attempted if the existing server with
the FSMO is no longer available.
If you perform a seizure of the FSMO roles from a DC, you need to ensure two things:
the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If
you do an FSMO role Seize and then bring the previous holder back online, you'll have a problem.
An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live
DC. During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer
the role holder.
>I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC)
>What is Bridgehead Server in AD ? A bridgehead server is a domain controller in each site, which is
used as a contact point to receive and replicate data between sites. For intersite replication, KCC
designates one of the domain controllers as a bridgehead server. In case the server is down, KCC
designates another one from the domain controllers. When a bridgehead server receives replication
updates from another site, it replicates the data to the other domain controllers within its site.
>What is the default size of ntds.dit ?
10 MB in Server 2000 and 12 MB in Server 2003.
>Where is the AD database held and what are the other folders related to AD ?
The AD Database is saved in %systemroot%\ntds. You can see other files also in this folder. These are the
main files controlling the AD structure.
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the
transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD
database. System performance determines how fast the system writes the data to the AD database from
the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is
10MB. These files are used to ensure that changes can be written to disk should the system run out of
free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database
(ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file.
Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the
AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't
present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is
the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've
discussed.
>What FSMO placement considerations do you know of ?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO
(Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or
actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO roles
from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with
FSMO placement.
In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that
most considerations are also true when planning Windows 2000 AD FSMO roles.
>What is a site ? What are they used for ?
One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication topology to
take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites
contain objects called Subnets.
Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active
Directory replication, and manage network link traffic.
Sites can be linked to other Sites. Site-link objects may be assigned a cost value that represents the
speed, reliability, availability, or other real property of a physical resource. Site Links may also be
assigned a schedule.
>Trying to look at the Schema, how can I do that ?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> add snap-in --> add Active Directory Schema
Name it as schema.msc
Open Administrative Tools --> schema.msc
>What is the port no of Kerberos ?
88
>What is the port no of Global catalog ?
3268
>What is the port no of LDAP ?
389
>How can you forcibly remove AD from a server, and what do you do later? Can I
get user passwords from the AD database?
Dcpromo /forceremoval: an administrator can forcibly remove Active Directory and roll back
the system without having to contact or replicate any locally held changes to another DC in
the forest. Reboot the server. After you use the dcpromo /forceremoval command, all
the remaining metadata for the demoted DC is not deleted on the surviving domain
controllers, and therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to
manually remove the NTDS Settings object. You will need the following tools: Ntdsutil.exe, Active Directory
Sites and Services, Active Directory Users and Computers.
>What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) role. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
> What are the physical components of Active Directory ?
Domain controllers and Sites. Domain controllers are physical computers which run the Windows
Server operating system and the Active Directory database. Sites are network segments based on
geographical location, each of which contains multiple domain controllers.
> What are the logical components of Active Directory ?
Domains, Organizational Units, trees and forests are logical components of Active Directory.
> What are the Active Directory Partitions ?
The Active Directory database is divided into different partitions such as the Schema partition, Domain partition,
and Configuration partition. Apart from these partitions, we can create Application partitions based on the
requirement.
> What is group nesting ?
Adding one group as a member of another group is called 'group nesting'. This helps with easy
administration and reduced replication traffic.
> What is Active Directory Recycle Bin ?
Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally
deleted Active Directory objects without using a backed-up AD database, rebooting a domain controller or
restarting any services.
> What is RODC ? Why do we configure RODC ?
Read-only domain controller (RODC) is a feature of the Windows Server 2008 Operating System. An RODC is a
read-only copy of the Active Directory database and it can be deployed in a remote branch office where
physical security cannot be guaranteed. RODC provides improved security and faster logon time
for the branch office.
> How do you check the current forest and domain functional levels? Say both GUI and Command
line.
To find out forest and domain functional levels in GUI mode, open ADUC, right-click on the domain name
and open Properties. Both domain and forest functional levels will be listed there. To find out forest and
domain functional levels from the command line, you can use the DSQUERY command.
> Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory ?
All versions of Windows Server Active Directory use Kerberos 5.
> Name a few port numbers related to Active Directory ?
Kerberos 88, LDAP 389, DNS 53, SMB 445
> Explain the process between a user providing his Domain credential to his workstation and the
desktop being loaded? Or how does the AD authentication work ?
When a user enters a user name and password, the computer sends the user name to the KDC. The
KDC contains a master database of unique long-term keys for every principal in its realm. The KDC looks
up the user's master key (KA), which is based on the user's password. The KDC then creates two items:
a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second
copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own
master key (KKDC), which only the KDC knows. The client computer receives the information from the
KDC and runs the user's password through a one-way hashing function, which converts the password
into the user's KA. The client computer now has a session key and a TGT so that it can securely
communicate with the KDC. The client is now authenticated to the domain and is ready to access other
resources in the domain by using the Kerberos protocol.
> Which FSMO role directly impacts the consistency of Group Policy ?
PDC Emulator.
> I want to promote a new additional Domain Controller in an existing domain. Which are the
groups I should be a member of ?
You should be a member of the Enterprise Admins group or the Domain Admins group. Also you should be a
member of the local Administrators group of the member server which you are going to promote as an additional
Domain Controller.
> Tell me one easiest way to check all the 5 FSMO roles ?
Use the netdom query /domain:YourDomain FSMO command. It will list all the FSMO role handling domain
controllers.
Windows DNS Server Interview Questions
What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.
What is the port no of DNS ?
53.
What is a Forward Lookup?
Resolving Host Names to IP Addresses
What is Reverse Lookup?
Resolving IP Addresses to Host Names
What is a Resource Record?
It is a record that provides the information about the resources available in the N/W
infrastructure.
What are the diff. DNS Roles?
Standard Primary, Standard Secondary, & AD Integrated.
What is a Zone?
A Zone is a subtree of the DNS database.
Secure services in your network require reverse name resolution to
make it more difficult to launch successful attacks against the services.
To set this up, you configure a reverse lookup zone and proceed to add
records. Which record types do you need to create?
PTR Records
SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the
zone. SOA records contain the e-mail address of the person who is responsible
for maintaining the zone. SOA records contain the current serial number of the
zone, which is used in zone transfers.
By default, if the name is not found in the cache or local hosts file, what
is the first step the client takes to resolve the FQDN name into an IP
address?
Performs a recursive search through the primary DNS server based on the
network interface configuration.
What is primary, Secondary, stub & AD Integrated Zone?
Primary Zone: - zone which is saved as a normal text file with filename (.dns) in
the DNS folder. Maintains a read/write copy of the zone database.
Secondary Zone: - maintains a read-only copy of the zone database on another DNS
server. Provides fault tolerance and load balancing by acting as a backup server
to the primary server.
Stub zone: - contains a copy of the name server and SOA records, used for reducing
the DNS search orders. Provides fault tolerance and load balancing.
How do you manually create SRV records in DNS?
On Windows Server: go to Run --> dnsmgmt.msc, right-click on the zone you
want to add the SRV record to and choose "Other New Records" and choose Service
Location (SRV).
What is the main purpose of SRV records ?
SRV records are used in locating hosts that provide certain network services.
Before installing your first domain controller in the network, you
installed a DNS server and created a zone, naming it as you would
name your AD domain. However, after the installation of the domain
controller, you are unable to locate infrastructure SRV records
anywhere in the zone. What is the most likely cause of this failure ?
The zone you created was not configured to allow dynamic updates. The local
interface on the DNS server was not configured to allow dynamic updates.
Which of the following conditions must be satisfied to configure
dynamic D(! u#dates for legacy clients ?
he Jone to be used for dynamic updates must be configured to allow dynamic
updates. he DH$% server must support, and be configured to allow, dynamic
updates for legacy clients.
At some #oint during the name resolution #rocess1 the requesting #arty
received authoritative re#ly) Which further actions are li2ely to be
ta2en after this re#ly ?
After receiving the authoritative reply, the resolution process is effectively over.
Name 3 benefits of using AD-integrated zones.
Active Directory integrated DNS enables Active Directory storage and replication of DNS zone databases. Windows 2000 DNS server, the DNS server that is included with Windows 2000 Server, accommodates storing zone data in Active Directory.
When you configure a computer as a DNS server, zones are usually stored as text files on name servers; that is, all of the zones required by DNS are stored in a text file on the server computer. These text files must be synchronized among DNS name servers by using a system that requires a separate replication topology and schedule, called a zone transfer. However, if you use Active Directory integrated DNS when you configure a domain controller as a DNS name server, zone data is stored as an Active Directory object and is replicated as part of domain replication.
What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
If your DNS topology includes Active Directory, use Active Directory integrated zones. Active Directory integrated zones enable you to store zone data in the Active Directory database. Zone information about any primary DNS server within an Active Directory integrated zone is always replicated.
Because DNS replication is single-master, a primary DNS server in a standard primary DNS zone can be a single point of failure. In an Active Directory integrated zone, a primary DNS server cannot be a single point of failure because Active Directory uses multimaster replication. Updates that are made to any domain controller are replicated to all domain controllers, and the zone information about any primary DNS server within an Active Directory integrated zone is always replicated.
Active Directory integrated zones:
Enable you to secure zones by using secure dynamic update.
Provide increased fault tolerance. Every Active Directory integrated zone can be replicated to all domain controllers within the Active Directory domain or forest. All DNS servers running on these domain controllers can act as primary servers for the zone and accept dynamic updates.
Enable replication that propagates changed data only, compresses replicated data, and reduces network traffic.
If you have an Active Directory infrastructure, you can only use Active Directory integrated zones on Active Directory domain controllers. If you are using Active Directory integrated zones, you must decide whether or not to store them in the application directory partition.
You can combine Active Directory integrated zones and file-based zones in the same design. For example, if the DNS server that is authoritative for the private root zone is running on an operating system other than Windows Server 2003 or Windows 2000, it cannot act as an Active Directory domain controller. Therefore, you must use file-based zones on that server. However, you can delegate this zone to any domain controller running either Windows Server 2003 or Windows 2000.
You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.
The machine's DNS client is not configured to point to its own DNS server.
The DNS service is not running.
What are the benefits and scenarios of using Stub zones?
Understanding stub zones
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of:
The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the stub zone. The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.
Use stub zones to:
Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server hosting both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without needing to query the Internet or an internal root server for the DNS namespace.
Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones and are not an alternative when considering redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records. When a DNS server loads a stub zone, such as widgets.example.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.example.com. The list of master servers may contain a single server or multiple servers and can be changed anytime.
What is the "in-addr.arpa" zone used for?
In a Domain Name System (DNS) environment, it is common for a user or an application to request a Reverse Lookup of a host name, given the IP address. This article explains this process. The following is quoted from RFC 1035: "The Internet uses a special domain to support gateway location and Internet address to host mapping. Other classes may employ a similar strategy in other domains. The intent of this domain is to provide a guaranteed method to perform host address to host name mapping, and to facilitate queries to locate all gateways on a particular network on the Internet.
"The domain begins at IN-ADDR.ARPA and has a substructure which follows the Internet addressing structure. Domain names in the IN-ADDR.ARPA domain are defined to have up to four labels in addition to the IN-ADDR.ARPA suffix. Each label represents one octet of an Internet address, and is expressed as a character string for a decimal value in the range 0-255 (with leading zeros omitted except in the case of a zero octet which is represented by a single zero).
"Host addresses are represented by domain names that have all four labels specified." Reverse Lookup files use the structure specified in RFC 1035.
For example, if you have a network which is 150.10.0.0, then the Reverse Lookup file for this network would be 10.150.IN-ADDR.ARPA. Any hosts with IP addresses in the 150.10.0.0 network will have a PTR (or 'Pointer') entry in 10.150.IN-ADDR.ARPA referencing the host name for that IP address. A single IN-ADDR.ARPA file may contain entries for hosts in many domains. Consider the following scenario. There is a Reverse Lookup file 10.150.IN-ADDR.ARPA with the following contents:
Exp: 1.20 IN PTR WS1.ACME.COM.
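Added example (Python, not from the original article): the mapping between an IP address, its PTR owner name and the reverse zone described above, plus a forward-confirmed check that a PTR answer maps back to the same address before a log analyst trusts it. The zone contents and the host ghost.acme.com are constructed; WS1.ACME.COM and the 150.10.0.0 network are the article's.

```python
"""Reverse-lookup (IN-ADDR.ARPA) name handling, as described in the article.

Added example, not from the original article. PTR_ZONE and FORWARD_ZONE are
constructed from the article's 150.10.0.0 network and WS1.ACME.COM host.
"""
from __future__ import annotations

import ipaddress

ARPA = "in-addr.arpa"


def reverse_name(ip: str) -> str:
    """PTR owner name for a host: octets reversed, all four labels present,
    e.g. 150.10.1.20 -> 20.1.10.150.in-addr.arpa (RFC 1035 section 3.5)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return ".".join(reversed(str(addr).split("."))) + "." + ARPA


def reverse_zone(network: str) -> str:
    """Zone name for a classful network, e.g. 150.10.0.0/16 -> 10.150.in-addr.arpa.
    in-addr.arpa is delegated on octet boundaries, so only /8, /16 and /24 are accepted."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen == 0 or net.prefixlen % 8 != 0:
        raise ValueError("reverse zones are delegated per octet; use /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + "." + ARPA


def ip_from_reverse_name(name: str) -> str:
    """Inverse of reverse_name; rejects anything that is not four labels under in-addr.arpa
    and enforces the RFC 1035 rule that labels carry no leading zeros."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ARPA.split("."):
        raise ValueError(f"not a host PTR name: {name!r}")
    octets = labels[:4][::-1]
    if any(len(o) > 1 and o.startswith("0") for o in octets):
        raise ValueError("leading zeros are not permitted in IN-ADDR.ARPA labels")
    return str(ipaddress.IPv4Address(".".join(octets)))  # range-checks each octet 0-255


# Constructed data: the article's reverse zone and a matching forward zone.
# ghost.acme.com has a PTR but its A record points elsewhere (a stale or planted entry).
PTR_ZONE = {
    "20.1.10.150.in-addr.arpa": "ws1.acme.com",
    "21.1.10.150.in-addr.arpa": "ghost.acme.com",
}
FORWARD_ZONE = {
    "ws1.acme.com": {"150.10.1.20"},
    "ghost.acme.com": {"150.10.9.9"},
}


def forward_confirmed(ip: str, ptr_zone=PTR_ZONE, forward_zone=FORWARD_ZONE) -> str | None:
    """Forward-confirmed reverse DNS: accept the PTR name only if its A record maps
    back to the same IP. Whoever controls a reverse zone can publish any name in it,
    so a bare PTR result should not be taken at face value when attributing log entries."""
    host = ptr_zone.get(reverse_name(ip))
    if host is None or ip not in forward_zone.get(host, set()):
        return None
    return host
```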
What does a zone consist of & why do we require a zone?
A zone consists of resource records, and we require a zone for representing sites.
What is a Caching Only Server?
When we install a 2000 & 2003 server, it is configured as a caching-only server, where it maintains the frequently accessed sites' information; when we access the same site the next time, it is obtained from the cached information instead of going to the actual site.
What is a forwarder?
When one DNS server cannot answer a query, the query can be forwarded to another DNS server that has been configured as a forwarder.
What is a secondary DNS Server?
It is a backup for the primary DNS server, where it maintains a read-only copy of the DNS database.
How to enable Dynamic updates in DNS?
Start > Programs > Admin tools > DNS > Zone properties.
What are the properties of a DNS server?
INTERFACES, FORWARDERS, ADVANCED, ROOT HINTS, SECURITY, MONITORING, LOGGING, DEBUG LOGGING.
Properties of a Zone?
General, SOA, NAMESERVER, WINS, Security, and ZONE Transfer.
What is scavenging?
Finding and deleting unwanted records.
What are SRV records?
SRV are the service records; there are 6 service records. They are useful for locating the services.
What are the types of SRV records?
_MSDCS: Contains DCs information.
_TCP: Contains Global Catalog, Kerberos & LDAP information.
_UDP: Contains Sites information.
_Sites: Contains Sites information.
DomainDNSZone: Contains the domain's DNS specific information.
ForestDNSZone: Contains the Forest's specific information.
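Added example (Python, not part of the original page): parsing SRV records of the kind the _msdcs/_tcp list above describes and ordering them the way a client does under RFC 2782, with a check for SRV targets that are not known domain controllers. The zone lines, the domain corp.example and the DC names are constructed.

```python
"""DC-locator style SRV records: parse, order per RFC 2782, and sanity-check targets.

Added example, not the Windows DC locator itself. SAMPLE_ZONE and corp.example
are constructed for illustration.
"""
from __future__ import annotations

import random
from dataclasses import dataclass

# Constructed zone-file lines under _msdcs: two equal-weight DCs, one weight-0 DC
# (tried last), and a priority-10 disaster-recovery DC (tried only if all others fail).
SAMPLE_ZONE = """\
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 0 389 dc3.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 10 100 389 dc-dr.corp.example.
_kerberos._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
"""


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_rr(line: str) -> SrvRecord:
    """Parse one zone-file line: owner TTL IN SRV priority weight port target."""
    fields = line.split()
    if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    owner, ttl, _, _, prio, weight, port, target = fields
    return SrvRecord(owner.lower(), int(ttl), int(prio), int(weight), int(port), target.lower())


def load_zone(text: str) -> list[SrvRecord]:
    return [parse_srv_rr(line) for line in text.splitlines() if line.strip()]


def lookup(records: list[SrvRecord], service: str, proto: str, domain: str) -> list[SrvRecord]:
    """Records for _service._proto.dc._msdcs.domain, the name a DC locator query uses."""
    owner = f"_{service}._{proto}.dc._msdcs.{domain}.".lower()
    return [r for r in records if r.owner == owner]


def order_srv(records: list[SrvRecord], rng: random.Random | None = None) -> list[SrvRecord]:
    """RFC 2782 client ordering: lowest priority first; within one priority a weighted
    random draw, with weight-0 records placed last so they are only tried as a fallback."""
    rng = rng or random.Random()
    ordered: list[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        # Non-zero weights first; RFC 2782 wants weight-0 entries at the end of the list.
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight == 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def unexpected_targets(records: list[SrvRecord], known_dcs: set[str]) -> list[str]:
    """Defensive check: an SRV target that is not a known DC sends clients' LDAP and
    Kerberos traffic to a host that should not be answering for the domain
    (a stale registration or one written by something other than a DC)."""
    return sorted({r.target for r in records if r.target not in known_dcs})
```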
Where does the Hosts File reside?
c:\windows\system32\drivers\etc
What is SOA?
Start of Authority: useful when a zone starts. Provides the zone startup information.
What is a query?
A request made by the DNS client to provide the name server information.
What are the different types of queries?
Recursion, iteration.
Tools for troubleshooting DNS?
DNS Console, NSLOOKUP, DNSCMD, IPCONFIG, Logs.
What is a WINS server? Where do we use a WINS server? Difference between DNS and WINS?
WINS is Windows Internet Name Service, used to resolve the NetBIOS (computer) name to an IP address. This is proprietary to Windows. You can use it in a LAN. DNS is a Domain Naming System, which resolves host names to IP addresses. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names.
What is new in Windows Server 2003 regarding DNS management?
When DC promotion occurs within an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.
SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.
By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?
Performs a recursive search through the primary DNS server based on the network interface configuration.
How do I clear the DNS cache on the DNS server?
Go to the cmd prompt and type ipconfig /flushdns.
What is the "." zone in my forward lookup zone?
This setting designates the Windows 2000 or Windows Server 2003 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.
Do I need to configure forwarders in DNS?
No. By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. Most of the time, when you configure forwarders, DNS performance and efficiency increase, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems. The root hint server can provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection. Windows Server 2003 DNS will query root hint servers if it cannot query the forwarders.
Should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers?
No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the domain controller in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 domain controller running DNS. If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN.
Do I need to point computers that are running Windows NT 4.0 or Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows 98 Second Edition to the Windows 2000 or Windows Server 2003 DNS server?
Legacy operating systems continue to use NetBIOS for name resolution to find a domain controller; however, it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution.
What if my Windows 2000 or Windows Server 2003 DNS server is behind a proxy server or firewall?
If you are able to query the ISP's DNS servers from behind the proxy server or firewall, the Windows 2000 and Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP port 53 should be open on the proxy server or firewall.
What should I do if the domain controller points to itself for DNS, but the SRV records still do not appear in the zone?
Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools from the Windows 2000 Server or Windows Server 2003 CD-ROM to run Netdiag.exe.
How do I set up DNS for a child domain?
To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server.
Note: Windows Server 2003 has additional types of zones, such as Stub Zones and forest-level integrated Active Directory zones, that may be a better fit for your environment. Set the child domain controller to point to itself first. As soon as an additional domain controller is available, set the child domain controller to point to this domain controller in the child domain as its secondary.
What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network.
What is the DHCP process for a client machine?
1. A user turns on a computer with a DHCP client.
2. The client computer sends a broadcast request (called a DISCOVER or DHCPDISCOVER), looking for a DHCP server to answer.
3. The router directs the DISCOVER packet to the correct DHCP server.
4. The server receives the DISCOVER packet. Based on availability and usage policies set on the server, the server determines an appropriate address (if any) to give to the client. The server then temporarily reserves that address for the client and sends back to the client an OFFER (or DHCPOFFER) packet, with that address information. The server also configures the client's DNS servers, WINS servers, NTP servers, and sometimes other services as well.
5. The client sends a REQUEST (or DHCPREQUEST) packet, letting the server know that it intends to use the address.
6. The server sends an ACK (or DHCPACK) packet, confirming that the client has been given a lease on the address for a server-specified period of time.
What is a DHCP scope?
DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients.
Types of scopes in Windows DHCP?
Normal Scope - Allows Class A, B and C IP address ranges to be specified, including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.
Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservations or other TCP/IP options. Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).
Superscope - Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.
What is Authorizing DHCP Servers in Active Directory?
If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized. This can be achieved either as part of the DHCP Server role installation, or subsequently using either the DHCP console or the netsh tool at the command prompt.
If the DHCP server was not authorized during installation, open the DHCP console (Start - All Programs - Administrative Tools - DHCP), right-click the DHCP server to be authorized and select Authorize. To achieve the same result from the command prompt, enter the following command:
netsh dhcp server serverID initiate auth
In the above command syntax, serverID is replaced by the IP address or full UNC name of the system on which the DHCP server is installed.
What ports are used by DHCP and the DHCP clients?
Requests are on UDP port 67; server replies are on UDP port 68.
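Added example (Python, not from the original page) for the DISCOVER/OFFER/REQUEST/ACK exchange and the server-authorization point above: it builds and decodes DHCP messages (RFC 2131 fixed header, RFC 2132 options) and flags an OFFER or ACK whose server identifier is not in the authorized list, which is the condition an unauthorized DHCP server on the segment produces. All addresses, the MAC and the authorized-server set are constructed.

```python
"""Build and decode DHCP messages for the four-step exchange, and check the server identifier.

Added example, not from the original page. Constructed addresses and MAC; runs offline
and only demonstrates the wire layout (RFC 2131 header, RFC 2132 TLV options).
"""
from __future__ import annotations

import ipaddress
import struct

CLIENT_PORT, SERVER_PORT = 68, 67        # UDP ports: client requests to 67, server replies to 68
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"              # cookie that marks the start of the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}
OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 51, 53, 54, 255


def _ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def build_dhcp(op: int, xid: int, mac: bytes, yiaddr: str, options: dict[int, bytes]) -> bytes:
    """236-byte fixed header + magic cookie + TLV options + END."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,                      # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,                   # xid, secs, flags (broadcast bit set)
        _ip("0.0.0.0"), _ip(yiaddr), _ip("0.0.0.0"), _ip("0.0.0.0"),   # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,                   # chaddr, sname, file
    )
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options.items())
    return header + MAGIC + body + bytes([OPT_END])


def parse_dhcp(packet: bytes) -> dict:
    """Decode the header fields and options; raises ValueError on a malformed packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (too short or bad magic cookie)")
    op, _, hlen, _, xid = struct.unpack("!BBBBI", packet[:8])
    yiaddr = str(ipaddress.IPv4Address(packet[16:20]))
    mac = packet[28:28 + hlen]
    opts: dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                     # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        val = packet[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("option length runs past end of packet")
        opts[code] = val
        i += 2 + length
    msg = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    return {"op": op, "xid": xid, "mac": mac, "yiaddr": yiaddr, "type": msg, "options": opts}


def check_offer(parsed: dict, authorized: set[str]) -> str | None:
    """For an OFFER or ACK, return the server identifier if it is not an authorized
    server (the signature of an unauthorized or rogue DHCP server); otherwise None."""
    if parsed["type"] not in ("OFFER", "ACK"):
        return None
    sid = parsed["options"].get(OPT_SERVER_ID)
    server = str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else "missing"
    return None if server in authorized else server


def dora_exchange(server_ip: str, offered: str, mac: bytes, xid: int = 0x3903F326) -> list[str]:
    """Simulate the exchange in the order the text describes and return the decoded types."""
    lease = struct.pack("!I", 86400)      # one-day lease, in seconds
    discover = build_dhcp(BOOTREQUEST, xid, mac, "0.0.0.0", {OPT_MSG_TYPE: b"\x01"})
    offer = build_dhcp(BOOTREPLY, xid, mac, offered, {
        OPT_MSG_TYPE: b"\x02", OPT_SERVER_ID: _ip(server_ip), OPT_LEASE: lease,
        OPT_DNS: _ip("10.0.0.10")})       # the OFFER also carries the DNS server option
    request = build_dhcp(BOOTREQUEST, xid, mac, "0.0.0.0",
                         {OPT_MSG_TYPE: b"\x03", OPT_SERVER_ID: _ip(server_ip)})
    ack = build_dhcp(BOOTREPLY, xid, mac, offered,
                     {OPT_MSG_TYPE: b"\x05", OPT_SERVER_ID: _ip(server_ip), OPT_LEASE: lease})
    return [parse_dhcp(p)["type"] for p in (discover, offer, request, ack)]
```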
Benefits of using DHCP
DHCP provides the following benefits for administering your TCP/IP-based network:
Safe and reliable configuration. DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network.
Reduces configuration management. Using DHCP servers can greatly decrease the time spent configuring and reconfiguring computers on your network. Servers can be configured to supply a full range of additional configuration values when assigning address leases. These values are assigned using DHCP options. Also, the DHCP lease renewal process helps assure that where client configurations need to be updated often (such as users with mobile or portable computers who change locations frequently), these changes can be made efficiently and automatically by clients communicating directly with DHCP servers.
The following section covers issues that affect the use of the DHCP Server service with other services or network configurations: using DNS servers with DHCP; using Routing and Remote Access servers with DHCP; multihomed DHCP servers.
Describe the process of installing a DHCP server in an AD infrastructure.
Open Windows Components Wizard. Under Components, scroll to and click Networking Services. Click Details. Under Subcomponents of Networking Services, click Dynamic Host Configuration Protocol (DHCP) and then click OK. Click Next. If prompted, type the full path to the Windows Server 2003 distribution files, and then click Next. Required files are copied to your hard disk.
How to authorize a DHCP server in Active Directory?
Open DHCP. In the console tree, click DHCP. On the Action menu, click Manage authorized servers. The Manage Authorized Servers dialog box appears. Click Authorize. When prompted, type the name or IP address of the DHCP server to be authorized, and then click OK.
What is DHCPINFORM?
DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While PPP remote access clients do not use DHCP to obtain IP addresses for the remote access connection, Windows 2000 and Windows 98 remote access clients use the DHCPInform message to obtain DNS server IP addresses, WINS server IP addresses, and a DNS domain name. The DHCPInform message is sent after the IPCP negotiation is concluded. The DHCPInform message received by the remote access server is then forwarded to a DHCP server. The remote access server forwards DHCPInform messages only if it has been configured with the DHCP Relay Agent.
Describe the integration between DHCP and DNS.
Traditionally, DNS and DHCP servers have been configured and managed one at a time. Similarly, changing authorization rights for a particular user on a group of devices has meant visiting each one and making configuration changes. DHCP integration with DNS allows the aggregation of these tasks across devices, enabling a company's network services to scale in step with the growth of network users, devices, and policies, while reducing administrative operations and costs. This integration provides practical operational efficiencies that lower total cost of ownership. Creating a DHCP network automatically creates an associated DNS zone, for example, reducing the number of tasks required of network administrators. And integration of DNS and DHCP in the same database instance provides consistency between service and management views of IP address-centric network services data.
Exchange Server 2007/2010 Interview Questions/Answers
What are the prerequisites to install Exchange Server 2007?
1. Microsoft .Net Framework 2.0
2. Microsoft ASP .Net
3. World Wide Web Service
4. MMC 3.0
5. Windows PowerShell
6. SMTP & NNTP services should not be installed
2) What is the order to install Exchange Server 2007 Roles in an Exchange Server 2003 organization?
1. Client Access Server Role
2. Hub Transport Server Role
3. Mailbox Server Role
4. Unified Messaging Server Role
3) What are the versions available in Exchange Server 2007?
There are two types of Exchange Server 2007 version release:
- 64 bit - for production environments
- 32 bit - only for non-production environments
4) What are the operating system requirements to install Exchange Server 2007?
Exchange Server 2007 can be installed on
- Windows Server 2003 SP2 64-bit,
- Windows Server 2003 R2 SP2 64-bit or
- Windows Server 2008 64-bit
5) What are the Active Directory requirements to install Exchange Server 2007?
1. Domain functional level at least Windows Server 2000 native or higher
2. Schema Master must run on a Windows 2003 server with SP1
3. At least one Domain Controller in each domain with Windows Server 2003 SP1
4. At least one global catalog server in the Active Directory Site which hosts Exchange Server 2007
5. 4:1 ratio of Exchange processors to global catalog server processors
6) What are the hardware requirements to install Exchange Server 2007?
Processor - 64 bit processor
RAM - 2 GB + 5 MB per Mailbox
Disk Space - At least 1.2 GB on the drive on which you install Exchange, and 200 MB of available disk space on the system drive
File Format - NTFS
7) What are the software requirements to install Exchange Server 2007?
Following are the software prerequisites to install Exchange Server 2007:
1. Microsoft .Net Framework 2.0
2. IIS
3. WWW
4. MMC 3.0
5. Microsoft Windows PowerShell
8) What is Transition in Exchange Server 2007?
Transition is the scenario in which you upgrade an existing Exchange organization to Microsoft Exchange Server 2007. To perform the transition, you must move data from the existing Exchange servers to new Exchange 2007 servers. For example, when upgrading from an Exchange Server 2003 or Exchange 2000 Server organization to an Exchange 2007 organization, you perform a transition.
When transitioning to Exchange 2007, you cannot perform an in-place server upgrade on an existing Exchange server. Instead, you must install a new Exchange 2007 server into the existing organization, and then move data to the new Exchange 2007 server.
9) What is Migration in Exchange Server 2007?
Migration is the scenario in which you upgrade to Exchange 2007 by migrating data from a non-Exchange messaging system to Exchange 2007, or from an existing Exchange organization to a completely new Exchange organization, without retaining any of the Exchange configuration data in the first organization. For example, when merging with another company, you can perform a migration. In this scenario, you move mailboxes and data to the other company's Exchange organization, without retaining any of the configuration data from your existing Exchange organization. Another example is when upgrading from Lotus Notes to Exchange 2007, you perform a migration. In this scenario, you must move mailboxes and data to the new Exchange 2007 organization, without retaining any of the data from the Lotus Notes organization.
The migration process includes installing a completely new Exchange 2007 organization, and then migrating mailboxes from the old messaging system to the new Exchange 2007 messaging system, using various tools for migration.
10) Is it possible to do an in-place upgrade from Exchange Server 2003 to Exchange Server 2007?
No in-place upgrade of an existing Exchange server organization is possible. Install a new Exchange Server 2007 server into the existing organization, and move data to the new server.
11) What are the transition options available in Exchange Server 2007?
We can make the transition with the following options:
Single forest to single forest - If you have an existing single-forest Exchange 2003 or Exchange 2000 topology, you can transition to a single-forest Exchange 2007 organization.
Single forest to cross forest - If you have an existing single-forest Exchange 2003 or Exchange 2000 topology, you can transition to a cross-forest Exchange 2007 topology.
Cross forest to cross forest - If you have an existing cross-forest Exchange 2003 or Exchange 2000 topology with Exchange servers and mailboxes in each forest, you can transition to an Exchange 2007 cross-forest topology.
Resource forest to resource forest -
Single forest to resource forest -
12) What are the considerations for Exchange Server 2007 to co-exist with Exchange Server 2000 and Exchange Server 2003?
Exchange Organization in Exchange Native Mode; the Exchange Server 2007 routing group (DWBGZMFD01QNBJR) is created only for coexisting with earlier versions of Exchange.
A Routing Group Connector is required between Exchange Server 2003 and Exchange Server 2007 (created during setup).
Exchange Server 2003 computers cannot interoperate with the Unified Messaging server role. Exchange 2003 mailboxes cannot be Unified Messaging-enabled.
Exchange 2003 Front-ends cannot talk to Exchange Server 2007 Mailbox Server Roles.
No in-place upgrade on an existing Exchange server. Install a new Exchange Server 2007 server into the existing organization, and move data to the new server.
13) Will a Front End server talk to an Exchange Server 2007 Mailbox server in an Exchange organization having both Exchange 2003 and Exchange Server 2007?
An Exchange Server 2003 Front-end server cannot talk to Exchange Server 2007 Mailbox Server Roles.
14) What is the status of the routing group connector in co-existence of Exchange Server 2003 and 2007?
Exchange Organization in Exchange Native Mode; the Exchange Server 2007 routing group (DWBGZMFD01QNBJR) is created only for coexisting with earlier versions of Exchange. A Routing Group Connector is required between Exchange Server 2003 and Exchange Server 2007 (created during setup).
15) Which service should not be installed in an Exchange Server 2007 installation?
SMTP and NNTP services should not be installed.
16) What are the Exchange Server editions available?
There are two types of Exchange Server 2007 editions available:
1. Standard Edition
2. Enterprise Edition
17) What is the difference between Standard and Enterprise Edition?
Exchange 2007 function            Standard Edition                     Enterprise Edition
Number of Data Stores Supported   5 (includes Mailbox/Public Folder)   50 (combination of both)
Clustering support                No                                   Yes
OS Support                        Windows 2003 64 bit                  Windows 2003 64 bit
18) What to do if Exchange Server 5.5 is in your organization, in order to upgrade to Exchange Server 2007?
You cannot upgrade an existing Microsoft Exchange Server version 5.5 organization to Exchange Server 2007. You must first migrate from the Exchange Server 5.5 organization to an Exchange Server 2003 or an Exchange 2000 Server organization. Then you can transition the Exchange 2003 or Exchange 2000 organization to Exchange 2007.
19) What are the planning considerations for the Client Access Server Role?
The Client Access server role supports the Outlook Web Access, Outlook Anywhere, and Exchange ActiveSync client applications, in addition to the POP3 and IMAP4 protocols. The Client Access server role also hosts several key services, such as the Autodiscover service and Exchange Web Services.
In order to have better client access functionality we have to perform a planning consideration on Exchange ActiveSync, Outlook Web Access, Outlook Anywhere, POP3 and IMAP4 protocols, and also on securing client access.
20) What are the planning considerations of the Hub Transport Server Role?
The Hub Transport server role is a required role in a Microsoft Exchange Server 2007 organization that provides routing within a single organizational network by using the Active Directory directory service site. The Hub Transport server role handles all mail flow inside the organization, applies transport rules, applies journal rules, and delivers messages to recipients' mailboxes.
We have to perform a planning consideration on:
Topology for mail flow inside and outside the Exchange organization
Server capacity - determine how to perform performance monitoring
Security - includes delegation of administrative roles and verification that IP connections are only enabled from authorized servers
Transport Features - determine the transport features that you will enable at the Hub Transport server and how they will be configured
21) What are the planning considerations of the Mailbox Server Role?
The Microsoft Exchange Server 2007 Mailbox server role hosts mailbox databases and provides e-mail storage and advanced scheduling services for Microsoft Office Outlook users. The Mailbox server role can also host a public folder database, which provides a foundation for workflow, document sharing, and other forms of collaboration.
We have to perform a planning consideration on:
Sizing the database,
Planning for public folders,
Co-hosting with other server roles and
Planning for a clustered Mailbox server
22) What are the planning considerations for the Edge Transport Server Role?
The Exchange Server 2007 Edge Transport server role is designed to provide improved antivirus and anti-spam protection for the Exchange organization. Computers that have the Edge Transport server role also apply policies to messages in transport between organizations. The Edge Transport server role is deployed in an organization's perimeter network.
Edge Transport should not be included in Active Directory
Should be installed on a standalone server
Edge Transport should not be part of the domain
ADAM should be installed
Prerequisites: .Net framework, Windows Management Shell, MMC
Difference Between Exchange Server 2007 Standard and Enterprise Edition.
Exchange 2007 Enterprise Edition supports up to fifty storage groups; one storage group supports up to five databases.
Exchange 2007 Standard Edition supports only five storage groups; one storage group supports up to five databases.
If you are using Continuous Replication technology, Microsoft recommends using one database per storage group.
Exchange 2007 Enterprise Edition supports up to fifty databases per server.
Exchange 2007 Standard Edition supports only five databases per server.
Exchange 2007 Enterprise Edition database size is limited to 16 TB.
Exchange 2007 Standard Edition database size is limited to 16 TB.
Microsoft recommends limiting database size to 100 GB, or, if you are using Continuous Replication technology, database size should be limited to 200 GB.
Exchange 2007 Enterprise Edition supports Single Copy Clusters technology (better protection of the mail system with two Exchange servers and one disc store).
Exchange 2007 Standard Edition does not support Single Copy Clusters technology.
Local Continuous Replication technology (better protection of the mail store with one Exchange server and two disc stores) is supported by Exchange 2007 Standard Edition and Exchange 2007 Enterprise Edition.
Exchange 2007 Enterprise Edition supports Single Copy Clusters technology (better protection of the mail system and mail store with two Exchange servers and two disc stores).
Exchange 2007 Standard Edition does not support Single Copy Clusters technology.
Standby Continuous Replication technology (better protection of the mail store) is supported by Exchange 2007 Standard Edition SP1 and Exchange 2007 Enterprise Edition SP1.
Q) How does the OAB distribution happen in Exchange 2007?
Ans. The Exchange System Attendant service is responsible for the generation of the OAB. This service is available only on a server that has the Mailbox role installed. The SA invokes a DLL file called oabgen.dll.
The OAB files are stored in C:\Program Files\Microsoft\Exchange Server\ExchangeOAB. This folder is shared so that it can be replicated to the CAS server for web distribution.
The OAB generation server opens the OAB folders and updates the file. The oabgen.dll file is responsible for connecting to the public folder.
The CAS server runs a service named Microsoft Exchange File Distribution Service, which copies the OAB files from the Mailbox server (ExchangeOAB folder) to the web distribution point on the CAS server.
The web distribution folder is a folder on the CAS server where the copied OAB files are placed. The default location is C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB.
The web distribution point is updated once every 8 hours. If you want to force an OAB update, restart the Exchange File Distribution Service.
Q) Is it recommended to install a CAS server in the perimeter network? Why?
Ans. No. Security and availability of AD attributes are the two main reasons.
Q) How is the performance of Exchange 2007 better than Exchange 2003?
Ans. In Exchange 2003, the database read-to-write ratio was typically 2:1, or 66 percent reads. With Exchange 2007, the larger database cache decreases the number of reads to the database on disk, causing the reads to shrink as a percentage of total I/O.
In Exchange 2003, a transaction log for a storage group requires roughly 10 percent as many I/Os as the databases in the storage group. For example, if the database LUN is using 1000 I/Os, the log LUN would use approximately 100 I/Os. With the reduction in database reads in Exchange 2007, combined with the smaller log file size and the ability to have more storage groups, the log-to-database write ratio is roughly 1:2. For example, if the database LUN is consuming 500 write I/Os, the log LUN will consume approximately 250 write I/Os.
Q) What is Transport Dumpster?
Ans. The transport dumpster submits recently delivered mail after an unscheduled outage. MaxDumpsterSizePerStorageGroup: 1.5 times the size of the max message that can be sent. MaxDumpsterTime: how long the email can stay in the transport dumpster queue; 7.00:00:00 means 7 days.
Q) What is Back-Pressure?
Ans. The settings for back-pressure can be configured on Hub Transport and Edge servers. If utilization of a system resource exceeds the specified limit, the Exchange server stops accepting new connections and messages. This prevents the system resources from being completely overwhelmed and enables the Exchange server to deliver the existing messages.
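The back-pressure behaviour described in the answer above, as an added model for illustration (not Exchange's own code): a gate that refuses new connections while any monitored resource is over its limit but keeps delivering what is already queued. The resource names, thresholds and sample readings are constructed; the temporary-failure reply text mirrors the 452 4.3.1 response Exchange gives in this state.

```python
"""Back-pressure admission gate modelled on the behaviour the answer above
describes: when a monitored resource exceeds its limit the transport server
stops accepting new connections and submissions, but keeps delivering the
messages already queued. Added illustration, not Exchange's own code; the
resource names, thresholds and sample readings below are constructed."""

from dataclasses import dataclass

# Constructed limits (fractions of capacity, or an absolute count for the
# submission queue); Exchange's real thresholds and resource names differ.
LIMITS = {
    "queue_db_disk_used": 0.94,
    "version_buckets_used": 0.80,
    "private_bytes_used": 0.75,
    "submission_queue_len": 9999,
}


@dataclass(frozen=True)
class Decision:
    accept_new: bool        # may the server accept new connections/submissions?
    deliver_existing: bool  # queued mail keeps flowing regardless
    reasons: tuple          # resources that tripped their limit, sorted by name


def evaluate_back_pressure(readings, limits=LIMITS):
    """Compare resource readings with their limits and decide what to do."""
    tripped = tuple(sorted(name for name, value in readings.items()
                           if name in limits and value > limits[name]))
    # Existing mail is still delivered: that is the point of back-pressure.
    return Decision(accept_new=not tripped, deliver_existing=True, reasons=tripped)


def smtp_reply(decision):
    """Reply for a new inbound session: a temporary 4xx failure tells the sender
    to retry later, so mail is delayed rather than lost while under pressure."""
    if decision.accept_new:
        return "220 ready"
    return "452 4.3.1 Insufficient system resources"


def replay(samples, limits=LIMITS):
    """Run a sequence of (timestamp, readings) through the gate and return
    (timestamp, accept_new, reasons) per sample, so an operator can see when
    the server closed its doors and when it reopened them."""
    out = []
    for ts, readings in samples:
        d = evaluate_back_pressure(readings, limits)
        out.append((ts, d.accept_new, d.reasons))
    return out


if __name__ == "__main__":
    # Constructed readings: the queue database disk fills up, then space is freed.
    samples = [
        ("10:00", {"queue_db_disk_used": 0.80, "private_bytes_used": 0.50}),
        ("10:05", {"queue_db_disk_used": 0.97, "private_bytes_used": 0.50}),
        ("10:10", {"queue_db_disk_used": 0.97, "private_bytes_used": 0.78}),
        ("10:15", {"queue_db_disk_used": 0.60, "private_bytes_used": 0.50}),
    ]
    for ts, ok, why in replay(samples):
        print(ts, "accepting" if ok else "refusing new mail", why)
```

A practitioner monitoring for back-pressure would alert on the transition from accepting to refusing, since a server stuck in that state delays inbound mail for every sender until the underlying resource (disk, memory, queue length) is freed.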
Q) Exchange 2007 main Services:
Microsoft Exchange Active Directory Topology
Microsoft Exchange Monitoring
Microsoft Exchange IMAP4
Microsoft Exchange POP3
Microsoft Exchange Transport Log Search
Microsoft Exchange Transport: On Hub and Edge
Microsoft Exchange Service Host
Microsoft Exchange Search Indexer
Microsoft Exchange Replication Service
Microsoft Exchange Mail Submission
Microsoft Exchange Mailbox Assistants
Microsoft Exchange File Distribution: On CAS Server
Microsoft Exchange Information Store
Microsoft Exchange System Attendant
Microsoft Exchange EdgeSync: on Hub Transport Server
Microsoft Exchange
Microsoft Cluster Interview Questions and Answers
Q What is Clustering? Briefly define & explain it.
Clustering is a technology which is used to provide High Availability for mission critical applications. We can configure a cluster by installing the MCS (Microsoft Cluster Service) component from Add/Remove Programs, which is only available in Enterprise Edition and Datacenter Edition.
Q Types of Clusters?
In Windows we can configure two types of clusters:
1. NLB (network load balancing) cluster for balancing load between servers. This cluster will not provide any high availability. Usually preferable at edge servers like web or proxy.
2. Server Cluster: This provides High Availability by configuring an active-active or active-passive cluster. In a 2-node active-passive cluster one node will be active and one node will be standby. When the active server fails the application will FAILOVER to the standby server automatically. When the original server comes back we need to FAILBACK the application.
Q What is Quorum? A shared storage needs to be provided for all servers which keeps information about the clustered application and session state and is useful in a FAILOVER situation. This is very important: if the Quorum disk fails, the entire cluster will fail.
Q Why is Quorum necessary?
When network problems occur, they can interfere with communication between cluster nodes. A small set of nodes might be able to communicate together across a functioning part of a network but might not be able to communicate with a different set of nodes in another part of the network. This can cause serious issues. In this "split" situation, at least one of the sets of nodes must stop running as a cluster.
To prevent the issues that are caused by a split in the cluster, the cluster software requires that any set of nodes running as a cluster must use a voting algorithm to determine whether, at a given time, that set has quorum. Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster will know how many "votes" constitute a majority (that is, a quorum). If the number drops below the majority, the cluster stops running. Nodes will still listen for the presence of other nodes, in case another node appears again on the network, but the nodes will not begin to function as a cluster until the quorum exists again.
For example, in a five node cluster that is using a node majority, consider what happens if nodes 1, 2, and 3 can communicate with each other but not with nodes 4 and 5. Nodes 1, 2, and 3 constitute a majority, and they continue running as a cluster. Nodes 4 and 5 are a minority and stop running as a cluster, which prevents the problems of a "split" situation. If node 3 loses communication with the other nodes, all nodes stop running as a cluster. However, all functioning nodes will continue to listen for communication, so that when the network begins working again, the cluster can form and begin to run.
Q Different types of Quorum in Windows Server 2008?
1. Node Majority - Used when an odd number of nodes are in the cluster.
2. Node and Disk Majority - Even number of nodes (but not a multi-site cluster)
3. Node and File Share Majority - Even number of nodes, multi-site cluster
4. Node and File Share Majority - Even number of nodes, no shared storage
Q Different types of Quorum in Windows Server 2003?
Standard Quorum: As mentioned above, a quorum is simply a configuration database for MSCS, and is stored in the quorum log file. A standard quorum uses a quorum log file that is located on a disk hosted on a shared storage interconnect that is accessible by all members of the cluster.
Standard quorums are available in Windows NT 4.0 Enterprise Edition, Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition.
Majority Node Set Quorums: A majority node set (MNS) quorum is a single quorum resource from a server cluster perspective. However, the data is actually stored by default on the system disk of each member of the cluster. The MNS resource takes care to ensure that the cluster configuration data stored on the MNS is kept consistent across the different disks.
Majority node set quorums are available in Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition.
Q Explain about each Quorum type?
Node Majority: Each node that is available and in communication can vote. The cluster functions only with a majority of the votes, that is, more than half.
Node and Disk Majority: Each node plus a designated disk in the cluster storage (the "disk witness") can vote, whenever they are available and in communication. The cluster functions only with a majority of the votes, that is, more than half.
Node and File Share Majority: Each node plus a designated file share created by the administrator (the "file share witness") can vote, whenever they are available and in communication. The cluster functions only with a majority of the votes, that is, more than half.
No Majority: Disk Only: The cluster has quorum if one node is available and in communication with a specific disk in the cluster storage.
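The voting rule behind the four quorum types above, and the five-node split example from the "Why is Quorum necessary" answer, as an added model (not Microsoft's cluster service code). It generalizes the text's node-majority case to the disk-witness, file-share-witness and disk-only modes; node numbers and witness reachability are constructed inputs.

```python
"""Quorum voting for the Windows Server 2008 quorum modes described above.
Added model for illustration, not Microsoft's cluster code; node ids and
witness reachability are constructed inputs."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Side:
    """One side of a network split: the nodes that can still talk to each
    other, plus whether that side can reach the disk or file share witness."""
    nodes: frozenset
    has_disk_witness: bool = False
    has_file_share_witness: bool = False


def votes(mode, total_nodes, side):
    """Return (votes this side holds, votes needed for quorum) for a mode."""
    if mode == "node_majority":
        held, total = len(side.nodes), total_nodes
    elif mode == "node_and_disk_majority":
        held = len(side.nodes) + int(side.has_disk_witness)
        total = total_nodes + 1          # the disk witness is one extra vote
    elif mode == "node_and_file_share_majority":
        held = len(side.nodes) + int(side.has_file_share_witness)
        total = total_nodes + 1          # the file share witness is one extra vote
    elif mode == "no_majority_disk_only":
        # Quorum = at least one node in communication with the quorum disk.
        held = int(bool(side.nodes) and side.has_disk_witness)
        return held, 1
    else:
        raise ValueError("unknown quorum mode: %s" % mode)
    return held, total // 2 + 1          # "more than half"


def has_quorum(mode, total_nodes, side):
    held, needed = votes(mode, total_nodes, side)
    return held >= needed


def surviving_sides(mode, total_nodes, sides):
    """Return the sides of a split that keep running as a cluster.

    A majority cannot exist on two sides at once, so at most one side
    survives; with no majority anywhere every side stops and waits for the
    network to heal (the "all nodes stop running" case in the text)."""
    return [s for s in sides if has_quorum(mode, total_nodes, s)]


if __name__ == "__main__":
    # The five-node node-majority example from the text.
    split = [Side(frozenset({1, 2, 3})), Side(frozenset({4, 5}))]
    print([sorted(s.nodes) for s in surviving_sides("node_majority", 5, split)])
    # Node 3 isolated as well: no side reaches 3 votes, so nothing survives.
    split3 = [Side(frozenset({1, 2})), Side(frozenset({3})), Side(frozenset({4, 5}))]
    print(surviving_sides("node_majority", 5, split3))
    # Four nodes with a disk witness: the pair that owns the witness disk wins.
    pair = [Side(frozenset({1, 2}), has_disk_witness=True), Side(frozenset({3, 4}))]
    print([sorted(s.nodes) for s in surviving_sides("node_and_disk_majority", 4, pair)])
```

The model makes the "even number of nodes" guidance in the list above concrete: with four nodes and no witness, a 2-2 split leaves neither side with more than half, so the whole cluster stops; the witness is what breaks that tie.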
Q How is the quorum information located on the system disk of each node kept in sync?
The server cluster infrastructure ensures that all changes are replicated and updated on all members in a cluster.
Q Can this method be used to replicate application data as well?
No, that is not possible in this version of clustering. Only Quorum information is replicated and maintained in a synchronized state by the clustering infrastructure.
Q Can I convert a standard cluster to an MNS cluster?
Yes. You can use Cluster Administrator to create a new Majority Node Set resource and then, on the cluster properties sheet Quorum tab, change the quorum to that Majority Node Set resource.
Q What is the difference between a geographically dispersed cluster and an MNS cluster?
A geographic cluster refers to a cluster that has nodes in multiple locations, while an MNS-based cluster refers to the type of quorum resources in use. A geographic cluster can use either a shared disk or MNS quorum resource, while an MNS-based cluster can be located in a single site or span multiple sites.
Q What is the maximum number of nodes in an MNS cluster?
Windows Server 2003 supports 8-node clusters for both Enterprise Edition and Datacenter Edition.
Q Do I need special hardware to use an MNS cluster?
There is nothing inherent in the MNS architecture that requires any special hardware, other than what is required for a standard cluster (for example, it must be on the Microsoft Cluster HCL). However, some situations that use an MNS cluster may have unique requirements (such as geographic clusters), where data must be replicated in real time between sites.
Q Does a cluster aware application need to be rewritten to support MNS?
No, using an MNS quorum requires no change to the application. However, some cluster aware applications expect a shared disk (for example SQL Server 2000), so while you do not need shared disks for the quorum, you do need shared disks for the application.
Q Does MNS get rid of the need for shared disks?
It depends on the application. For example, clustered SQL Server 2000 requires shared disk for data. Remember, MNS only removes the need for a shared disk quorum.
Q What does a failover cluster do in Windows Server 2008?
A failover cluster is a group of independent computers that work together to increase the availability of applications and services. The clustered servers (called nodes) are connected by physical cables and by software. If one of the cluster nodes fails, another node begins to provide service (a process known as failover). Users experience a minimum of disruptions in service.
Q What new functionality does failover clustering provide in Windows Server 2008?
New validation feature. With this feature, you can check that your system, storage, and network configuration is suitable for a cluster.
Support for GUID partition table (GPT) disks in cluster storage. GPT disks can have partitions larger than two terabytes and have built-in redundancy in the way partition information is stored, unlike master boot record (MBR) disks.
Q What happens to a running Cluster if the quorum disk fails in a Windows Server 2003 Cluster?
In Windows Server 2003, the Quorum disk resource is required for the Cluster to function. In your example, if the Quorum disk suddenly became unavailable to the cluster then both nodes would immediately fail and not be able to restart the clussvc.
In that light, the Quorum disk was a single point of failure in a Microsoft Cluster implementation. However, it was usually a fairly quick workaround to get the cluster back up and operational. There are generally two solutions to that type of problem.
1. Determine why the Quorum disk failed and repair.
2. Reprovision a new LUN, present it to the cluster, assign it a drive letter and format. Then start one node with the /FQ switch and through cluadmin designate the new disk resource as the Quorum. Then stop and restart the clussvc normally and then bring the second node online.
Q What happens to a running Cluster if the quorum disk fails in a Windows Server 2008 Cluster?
The cluster continues to work, but failover will not happen in case of any other failure in the active node.
*osted by ;VD- at 55:+,
Windows Desktop Interview Questions and Answers
Q How to Enable or Disable the Firewall in Windows XP?
Enabling the Windows XP firewall
1. Click Start, Settings, Control Panel and open Network Connections.
2. Within the Network Connections window, right-click the Local Area Connection and select Properties.
3. Within the Local Area Connection Properties window, click the Advanced tab.
4. Finally, check the Protect my computer and network by limiting or preventing access to this computer from the Internet option.
Disabling the Windows XP firewall:
1. Click Start, Settings, Control Panel and open Network Connections.
2. Within the Network Connections window, right-click the Local Area Connection and select Properties.
3. Within the Local Area Connection Properties window, click the Advanced tab.
4. Finally, uncheck the Protect my computer and network by limiting or preventing access to this computer from the Internet option.
Q How would you Start or Stop a Windows Service?
Logon to Windows with Administrator rights.
Click Start > Control Panel.
Double-click Administrative Tools.
Double-click the Services icon.
Double-click the service that you want to stop or start.
When the Service Properties window appears, do one of the following:
• If the service is running, click Stop the service.
• If the service is not running, click Start the service.
Click OK.
Q How can you check the IP address of your computer?
IPCONFIG /ALL
Q How to access the Windows System Registry?
Follow the steps to access the registry on an XP computer.
• Click Start
• Click Run
• Type REGEDIT
• Click OK
• The Registry Editor will now open.
Q Where are the Temp files located and how would you remove them?
There are three different places that you can find temporary files on your computer. They are located in different places in Windows Vista and Windows XP. In Windows Vista there are three file paths below to follow to view the temporary files.
C:\Users\Username\AppData\Local\Temp (%temp%)
C:\Windows\Temp (temp)
C:\Users\Username\AppData\Local\Microsoft\Windows\Temporary Internet Files
Q Name some differences between Windows XP and Windows Vista. What are their System Requirements?
The major differences between Windows XP & Vista are:
Windows Vista & Windows XP
1. BitLocker option available; Windows XP has no BitLocker option - BitLocker drive encryption: BitLocker on a volume protects the hard drive from hackers.
2. Windows Vista has the Windows Defender tool; Windows XP has no Windows Defender tool available - prevents spyware & unwanted S/W installing on the computer.
3. Windows Vista has the Parental Control feature; Windows XP has no Parental Control feature - This option enables parents to restrict which sites, games and software their children may use & not.
Q What is Safe Mode?
Safe mode is an alternate boot method for Windows operating systems that makes it easier to diagnose problems. The only startup programs loaded are the operating system and drivers for the mouse, keyboard, and display modes display. It is often possible to get a system to start in safe mode when it won't start normally. To start in safe mode, press the F8 key while the system is booting and select "safe mode" (or the safe mode option you want) from the menu that appears.
Q What is Last Known Good Configuration?
The "Last Known Good configuration" is one of the methods which are used to repair our computer system. In this method, a restore of data from the backup is not required. This "last known good configuration" is a backup replica of the existing configuration which is stored on the registry key "HKLM\System\CurrentControlSet". This registry key is always updated whenever the system is shut down by the user after successfully and effectively logging on. Our system can be repaired by restoring information from this updated registry key. For instance, in case when we install some driver which causes our operating system not to be loaded, this type of repair is helpful and useful.
So it is a very good practice to repair our system without any loss. So whenever we see our operating system fails to load, simply press F8 and when the message "please select the operating system to start" appears, just select the Last Known Good Configuration. This option can be seen under the "Windows Advanced Options Menu". The Last Known Good Configuration is only useful in the case if we have not logged on yet. Whenever we logon and then shut down or even restart, all of the current configurations always become the "Last Known Good Configuration".
Q What is Windows Device Manager?
Device Manager is an extension of the Microsoft Management Console that provides a central and organized view of all the Microsoft Windows recognized hardware installed in a computer.
Device Manager is used to manage the hardware devices installed in a computer like hard disk drives, keyboards, sound cards, USB devices, and more.
Q What is MSConfig?
msconfig.exe is a file which helps to edit and administer text configuration files such as win.ini and autoexec.bat.
Msconfig is used to control what programs and services start with your computer. It's very helpful in troubleshooting startup problems, as well as poor performance and getting rid of spyware and viruses.
Q What is the Blue Screen of Death and what could be its causes?
Sometimes bad or flaky memory (RAM memory, not your hard drive) can cause seemingly random system crashes. If you have just the right combination of programs open and system memory in use, and your computer tries to access a "bad spot" on a RAM chip, the results can be unpredictable. Or they can be the Blue Screen of Death. You can try replacing your RAM sticks one at a time to see if the problem goes away. This involves opening up the system unit and looking at scary wires and stuff, so for some people just living with the problem may be a workable option.
More likely you have a software problem. Some programs just don't get along... they trample on each other's memory spaces and confusion (or the BSOD) results. And it seems that Windows just gets old and cranky the longer you have it installed. You may solve the problem by using the System File Checker, or if all else fails, by re-installing the Windows operating system and/or your software packages. If the problem seems to be limited to one particular program, try re-installing just that one first.
Spyware or a computer virus can also make strange things happen.
Q What is Cold Boot and Warm Boot?
A cold boot means turning it on from a powered-down state. A warm boot is pressing the restart button when the computer is already on.
Q What is Disk Cleanup?
Disk Cleanup is a feature of Windows that enables a user to delete system & junk files safely.
For example, by using the disk cleanup feature, you can free up a considerable amount of space on your PC, like getting rid of Temporary Internet Files and other "useless", not required, files.
Q What is Disk Defragmentation?
Disk defragmentation describes the process of consolidating fragmented files on your computer's hard disk.
Fragmentation happens to a hard disk over time as you save, change, or delete files. The changes that you save to a file are often stored at a location on the hard disk that's different from the original file. Additional changes are saved to even more locations. Over time, both the file and the hard disk itself become fragmented, and your computer slows down as it has to look in many different places to open a file.
Disk Defragmenter is a tool that rearranges the data on your hard disk and reunites fragmented files so your computer can run more efficiently. In this version of Windows, Disk Defragmenter runs on a schedule so you don't have to remember to run it, although you can still run it manually or change the schedule it uses.
Q What would you do if a PC is not turning on? First check the power cables and power supply.
Q What is the latest Operating System?
Windows 7.
Q What is a Heat Sink?
A component designed to lower the temperature of an electronic device by dissipating heat into the surrounding air. All modern CPUs require a heat sink. Some also require a fan. A heat sink without a fan is called a passive heat sink; a heat sink with a fan is called an active heat sink. Heat sinks are generally made of an aluminum alloy and often have fins.
Q What is the difference between SATA and PATA Hard-Disk Drives?
Serial ATA and Parallel ATA are both specialized interface and data transfer devices that are used in computers to connect peripheral storage devices. Both serve the same purpose of data transfer, but differ in their basic technology, speed of performance and therefore their niche applications these days.
Q What would you do if your system is running slow?
1. Empty Recycle Bin.
2. Empty Windows Temp folder.
3. Run Scandisk.
4. Run Defragmenter.
5. Full System Virus scan.
Q What are Plug & Play devices?
They are pieces of computer hardware that already have the software for them in your system. Simply put, you just have to plug it in and your computer does the rest.
Q What are Device Drivers?
Device drivers are small files that act like "liaisons" between hardware in a computer system and the operating system (OS). Hardware requires device drivers so that the OS can "see" the devices and handle them effectively and efficiently.
Q Difference between IE6 & IE7?
IE6 - security issues are less
IE7 - security issues are more.
IE6 - tabbed browsing is not there
IE7 - tabbed browsing is available.
IE6 - no advanced printing.
IE7 - advanced printing.
IE6 - no phishing filter.
IE7 - phishing filter available.
IE6 - no toolbar search box.
IE7 - toolbar search box.
IE6 - no advanced delete history.
IE7 - advanced delete browsing history option.
IE6 - no page zoom.
IE7 - page zoom.
IE6 - no add-ons disable mode
IE7 - add-ons disable mode.
Q What is the difference between a Serial and a Parallel Port?
Basically, a serial port sends and receives data 1 'bit' at a time over a single wire, while a parallel port sends the data a 'byte' at a time over several wires simultaneously.
Q Explain the Windows XP Boot Process?
1. First is the POST; this stands for Power On Self Test for the computer. This process tests memory as well as a number of other subsystems. You can usually monitor this as it runs each test. After that is complete the system will run POST for any device that has a BIOS (Basic Input-Output System). An AGP has its own BIOS, as do some network cards and various other devices.
2. Once the POST is complete and the BIOS is sure that everything is working properly, the BIOS will then attempt to read the MBR (Master Boot Record). This is the first sector of the first hard drive (called the Master or HD0). When the MBR takes over it means that Windows is now in control.
3. The MBR looks at the BOOT SECTOR (the first sector of the active partition). That is where NTLDR is located; NTLDR is the BOOT LOADER for Windows XP. NTLDR will allow memory addressing, initiate the file system, read the boot.ini and load the boot menu. NTLDR has to be in the root of the active partition, as do NTDETECT.COM, BOOT.INI, BOOTSECT.DOS (for multi-OS booting) and NTBOOTDD.SYS (if you have SCSI adapters).
4. Once XP is selected from the Boot Menu, NTLDR will run NTDETECT.COM, BOOT.INI and BOOTSECT.DOS to get the proper OS selected and loaded. The system starts in 16-bit real mode and then moves into 32-bit protected mode.
5. NTLDR will then load NTOSKRNL.EXE and HAL.DLL. Effectively, these two files are Windows XP. They must be located in %SystemRoot%\System32.
6. NTLDR reads the registry, chooses a hardware profile and authorizes device drivers, in that exact order.
7. At this point NTOSKRNL.EXE takes over. It starts WINLOGON.EXE, which in turn starts LSASS.EXE; this is the program that displays the Logon screen so that you can logon.
Q What do you know about the PING Command?
Pinging is a command which tells you if the connection between your computer and a particular domain is working correctly.
Eg: C:\Administrator>Ping 192.168.1.100 or Ping server.domain.com
What is a domain?
In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.
The "domain" is simply your computer address, not to be confused with a URL. A domain address might look something like 2''.'(0.)*+
What is a domain controller?
Primary domain controller (PDC) and backup domain controller (BDC) are roles that can be assigned to a server in a network of computers that use the Windows NT operating system. Windows NT uses the idea of a domain to manage access to a set of network resources (applications, printers, and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. One server, known as the primary domain controller, manages the master user database for the domain. One or more other servers are designated as backup domain controllers. The primary domain controller periodically sends copies of the database to the backup domain controllers. A backup domain controller can step in as primary domain controller if the PDC server fails and can also help balance the workload if the network is busy enough. Setting up and maintaining PDCs and BDCs and domain information is a major activity for the administrator of a Windows NT network. In Windows 2000, the domain controller concept is retained, but the PDC and BDC server roles are generally replaced by Active Directory.
What are domain trees?
A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees. Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.
What are forests?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses.
What is LDAP?
The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying data using directory services running over TCP/IP.
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options
Yes, you can connect Active Directory to other 3rd-party Directory Services, such as directories used by SAP, Domino etc., with the help of MIIS (Microsoft Identity Integration Server).
You can use dirXML or LDAP to connect to other directories (i.e. eDirectory from Novell).
Where is the AD database held? What other folders are related to AD?
The AD Database is saved in %systemroot%\ntds. You can see other files also in this folder. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've discussed.
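The write-ahead log, checkpoint and replay behaviour the answer above describes for edb.log, edb.chk and ntds.dit, as an added model for illustration (not ESE or Active Directory code). The in-memory "files", the record format and the sample distinguished names are constructed; the point is the recovery rule: a missing checkpoint or a missing "shutdown" statement means the log, not the database, is the authority.

```python
"""Model of the AD database write path described above: every change goes to
edb.log first, is applied to ntds.dit later, and edb.chk records how far the
database has caught up plus whether the last shutdown was clean. On startup,
a missing edb.chk or a missing shutdown marker triggers replay of edb.log.
Added illustration, not ESE/AD code; files and record formats are constructed."""


class DirectoryStore:
    def __init__(self):
        self.edb_log = []      # edb.log: every change is recorded here first
        self.ntds_dit = {}     # ntds.dit: (dn, attribute) -> value
        self.edb_chk = None    # edb.chk: {"committed": n, "shutdown": bool}
        self._pending = 0      # log records not yet written to ntds.dit

    def change(self, dn, attr, value):
        """Record the transaction in the log first (write-ahead)."""
        self.edb_log.append({"dn": dn, "attr": attr, "value": value})
        self._pending += 1

    def flush(self, max_records=None):
        """Apply logged records to the database as time permits and advance
        the checkpoint; how many get applied depends on system performance."""
        committed = len(self.edb_log) - self._pending
        n = self._pending if max_records is None else min(max_records, self._pending)
        for rec in self.edb_log[committed:committed + n]:
            self.ntds_dit[(rec["dn"], rec["attr"])] = rec["value"]
        self._pending -= n
        self.edb_chk = {"committed": committed + n, "shutdown": False}
        return n

    def clean_shutdown(self):
        """Orderly shutdown: save all transactions, then write the marker."""
        self.flush()
        self.edb_chk["shutdown"] = True

    def crash(self, lose_checkpoint=False):
        """Power loss: log and database survive as written; pending work is gone.
        lose_checkpoint simulates edb.chk being missing on the next boot."""
        self._pending = 0
        if lose_checkpoint:
            self.edb_chk = None

    def recover(self):
        """Startup: trust the checkpoint only if the last shutdown was clean;
        otherwise replay edb.log into ntds.dit from the committed position
        (or from the beginning when edb.chk is missing). Returns the number
        of records replayed. Replay is idempotent: reapplying a record that
        already reached the database yields the same value."""
        if self.edb_chk is not None and self.edb_chk.get("shutdown"):
            self.edb_chk["shutdown"] = False
            return 0
        start = 0 if self.edb_chk is None else self.edb_chk["committed"]
        replayed = 0
        for rec in self.edb_log[start:]:
            self.ntds_dit[(rec["dn"], rec["attr"])] = rec["value"]
            replayed += 1
        self.edb_chk = {"committed": len(self.edb_log), "shutdown": False}
        return replayed


def crash_after_partial_flush():
    """Constructed scenario: two changes logged, only one applied, then a crash."""
    store = DirectoryStore()
    store.change("CN=alice,DC=example,DC=test", "title", "Engineer")
    store.change("CN=bob,DC=example,DC=test", "title", "Analyst")
    store.flush(max_records=1)        # only alice reached ntds.dit
    store.crash()
    replayed = store.recover()        # bob's change is recovered from edb.log
    return replayed, store.ntds_dit


if __name__ == "__main__":
    print(crash_after_partial_flush())
```

The same rule is why a domain controller restored from a file-level copy of ntds.dit without its matching edb.log and edb.chk can come up with stale or inconsistent data: the database file alone does not know which logged transactions it has missed.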
What is the SYSVOL folder?
All Active Directory database security related information is stored in the SYSVOL folder and it is only created on an NTFS partition.
B:
The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.
This is a quote from Microsoft themselves; basically the domain controller info stored in files, like your group policy stuff, is replicated through this folder structure.
Name the AD NCs and replication issues for each NC
Schema NC, Configuration NC, & Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
One of the benefits of an application directory partition is that, for redundancy, availability, or fault tolerance, the data in it can be replicated to different domain controllers in a forest.
How do you create a new application partition?
When you create an application directory partition, you are creating the first instance
of this partition. You can create an application directory partition by using the create
nc option in the domain management menu of Ntdsutil. When creating an application
directory partition using LDP or ADSI, provide a description in the description
attribute of the domain DNS object that indicates the specific application that will use
the partition. For example, if the application directory partition will be used to store
data for a Microsoft accounting program, the description could be Microsoft
accounting application. Ntdsutil does not facilitate the creation of a description.
To create or delete an application directory partition
1. Open Command Prompt.
2. Type:
ntdsutil
3. At the ntdsutil command prompt, type:
domain management
4. At the domain management command prompt, do one of the following:
• To create an application directory partition, type:
create nc ApplicationDirectoryPartition DomainCo...
Answer:
Start >> RUN >> CMD >> type there "NTDSUTIL" Press Enter
Ntdsutil: domain management Press Enter
Domain Management: Create NC dc=, dc=, dc=com <>
ANSWER B
Create an application directory partition by using the DnsCmd command
Use the DnsCmd command to create an application directory partition. To do this, use
the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
To create an application directory partition that is named CustomDNSPartition on a
domain controller that is named DC-1, follow these steps:
Click Start, click Run, type cmd, and then click OK.
Type the following command, and then press ENTER: dnscmd DC-1
/createdirectorypartition CustomDNSPartition.contoso.com
When the application directory partition has been successfully created, the following
information appears:
DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com
Command completed successfully.
Configure an additional domain controller DNS server to host the application
directory partition
Configure an additional domain controller that is acting as a DNS server to host the
new application directory partition that you created. To do this, use the following
syntax with the DnsCmd command:
DnsCmd ServerName /EnlistDirectoryPartition FQDN of partition
To configure the example domain controller that is named DC-2 to host this custom
application directory partition, follow these steps:
Click Start, click Run, type cmd, and then click OK.
Type the following command, and then press ENTER: dnscmd DC-2
/enlistdirectorypartition CustomDNSPartition.contoso.com
The following information appears:
DNS Server DC-2 enlisted directory partition: CustomDNSPartition.contoso.com
Command completed successfully
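After creating and enlisting a partition, the check an administrator wants is which DCs actually hold a replica of each application partition, since a partition with a single replica is lost with that DC. The following is an added example, not code from the original page; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the configuration naming context, and the function name Get-AppPartitionReplicas is a name chosen here.

```powershell
# Added example (not from the original page): list every application directory
# partition in the forest and the domain controllers enlisted as replicas of it.
# Assumes the ActiveDirectory module and read access to the configuration NC.
Import-Module ActiveDirectory

function Get-AppPartitionReplicas {
    [CmdletBinding()]
    param([string]$Server)   # optional DC to query; default is the nearest one

    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    $rootDse    = Get-ADRootDSE @ad
    $partitions = "CN=Partitions,$($rootDse.configurationNamingContext)"

    foreach ($nc in (Get-ADForest @ad).ApplicationPartitions) {
        # The crossRef object of a naming context records, in
        # msDS-NC-Replica-Locations, the NTDS Settings DN of every DC enlisted for it.
        $crossRef = Get-ADObject @ad -SearchBase $partitions `
            -LDAPFilter "(&(objectClass=crossRef)(nCName=$nc))" `
            -Properties 'msDS-NC-Replica-Locations'

        $replicaDcs = @()
        foreach ($ntdsDn in $crossRef.'msDS-NC-Replica-Locations') {
            # NTDS Settings DN looks like: CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<site>,...
            if ($ntdsDn -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),') {
                $replicaDcs += "$($Matches[1]) ($($Matches[2]))"
            }
        }

        [pscustomobject]@{
            Partition    = $nc
            ReplicaCount = $replicaDcs.Count
            Replicas     = ($replicaDcs -join '; ')
            # A single replica means the partition is unavailable if that one DC fails.
            Redundant    = ($replicaDcs.Count -ge 2)
        }
    }
}

Get-AppPartitionReplicas | Format-Table -AutoSize
```

The same crossRef attribute is what dnscmd /enlistdirectorypartition updates, so a DC that was enlisted but does not appear here has not yet received the change through replication.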
&&
How do you view replication properties for AD partitions and DCs?
By using replication monitor
go to start > run > type repadmin
go to start > run > type replmon
&&
What is the Global Catalog?
An advanced, hierarchical directory service that comes with Windows servers.
Introduced with Windows 2000, Active Directory uses the LDAP directory access
protocol and is built upon the Internet's Domain Naming System (DNS). Workgroups
are given domain names similar in structure to Web addresses, and any LDAP-
compliant Windows, Mac, Unix or Linux client can access them.
Active Directory can function in a heterogeneous, enterprise network and encompass
other directories including NDS and NIS+. Cisco supports Active Directory in its IOS
router operating system. See forests and trees, Internet domain name, ADSI and
directory service.
&&
How do you view all the GCs in the forest?
C:\>repadmin /showreps
domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.
To find the GCs from the command line you can try using the DSQUERY command.
dsquery server -isgc to find all the GCs in the forest
you can try dsquery server -forest -isgc.
&&
Trying to look at the Schema, how can I do that?
register schmmgmt.dll using this command
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> add snap-in --> add Active Directory Schema
name it as schema.msc
Open administrative tools --> schema.msc
&&
What are the Active Directory Support Tools? Why do you need them?
Support Tools are the tools that are used for performing the complicated tasks easily.
These can also be third-party tools. Some of the Support Tools include
DebugViewer, DependencyViewer, RegistryMonitor, etc.
-edit by Casquehead
I believe this question is referring to the Windows Server 2003 Support Tools, which
are included with Microsoft Windows Server 2003 Service Pack 2. They are also
available for download here:
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
You need them because you cannot properly manage an Active Directory network
without them.
Here they are; it would do you well to familiarize yourself with all of them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
&&
What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
What is LDP?
A:
The Lightweight Directory Access Protocol, or LDAP, is an application protocol for
querying and modifying directory services running over TCP/IP.
A directory is a set of objects with attributes organized in a logical and hierarchical
manner. The most common example is the telephone directory, which consists of a
series of names (either of persons or organizations) organized alphabetically, with
each name having an address and phone number attached.
An LDAP directory tree often reflects various political, geographic, and/or
organizational boundaries, depending on the model chosen. LDAP deployments today
tend to use Domain Name System (DNS) names for structuring the topmost levels of
the hierarchy. Deeper inside the directory might appear entries representing people,
organizational units, printers, documents, groups of people or anything else that
represents a given tree entry (or multiple entries).
Its current version is LDAPv3, which is specified in a series of Internet Engineering
Task Force (IETF) Standards Track Requests for Comments (RFCs) as detailed in RFC
4510.
LDAP means Lightweight Directory Access Protocol. It determines how an object in
Active Directory should be named. LDAP (Lightweight Directory Access Protocol) is
a proposed open standard for accessing global or local directory services over a
network and/or the Internet. A directory, in this sense, is very much like a phone
book. LDAP can handle other information, but at present it is typically used to
associate names with phone numbers and email addresses. LDAP directories are
designed to support a high volume of queries, but the data stored in the directory does
not change very often. It works on port no. 389. LDAP is sometimes known as X.500
Lite. X.500 is an international standard for directories and is full-featured, but it is also
complex, requiring a lot of computing resources and the full OSI stack. LDAP, in
contrast, can run easily on a PC and over TCP/IP. LDAP can access X.500 directories
but does not support every capability of X.500.
What is REPLMON?
A: Replmon is the first tool you should use when troubleshooting Active Directory
replication issues. As it is a graphical tool, replication issues are easy to see and
somewhat easier to diagnose than using its command-line counterparts. The purpose
of this document is to guide you in how to use it, list some common replication errors
and show some examples of when replication issues can stop other network
installation actions.
for more go to http://www.techtutorials.net/articles/replmon_howto_a.html
What is ADSIEDIT?
A: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-
level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network
administrators can use it for common administrative tasks such as adding, deleting,
and moving objects within a directory service. The attributes for each object can be
edited or deleted by using this tool. ADSIEdit uses the ADSI application programming
interfaces (APIs) to access Active Directory. The following are the required files for
using this tool:
• ADSIEDIT.DLL
• ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment and
Microsoft Management Console (MMC) is necessary.
What is NETDOM?
A: NETDOM is a command-line tool that allows management of Windows domains
and trust relationships. It is used for batch management of trusts, joining computers
to domains, verifying trusts, and secure channels.
A:
Enables administrators to manage Active Directory domains and trust relationships
from the command prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is available
if you have the Active Directory Domain Services (AD DS) server role installed. To use
netdom, you must run the netdom command from an elevated command prompt. To
open an elevated command prompt, click Start, right-click Command Prompt, and
then click Run as administrator.
You can use netdom to:
Join a computer that runs Windows XP Professional or Windows Vista to a Windows
Server 2008 or Windows Server 2003 or Windows 2000 or Windows NT 4.0 domain.
Provide an option to specify the organizational unit (OU) for the computer account.
Generate a random computer password for an initial Join operation.
Manage computer accounts for domain member workstations and member servers.
Management operations include:
Add, Remove, Query.
An option to specify the OU for the computer account.
An option to move an existing computer account for a member workstation from one
domain to another while maintaining the security descriptor on the computer
account.
Establish one-way or two-way trust relationships between domains, including the
following kinds of trust relationships:
From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to
a Windows NT 4.0 domain.
From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to
a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain in
another enterprise.
Between two Windows 2000 or Windows Server 2003 or Windows Server 2008
domains in an enterprise (a shortcut trust).
The Windows Server 2008 or Windows Server 2003 or Windows 2000 Server half of
an interoperable Kerberos protocol realm.
Verify or reset the secure channel for the following configurations:
Member workstations and servers.
Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
Specific Windows Server 2008 or Windows Server 2003 or Windows 2000 replicas.
Manage trust relationships between domains, including the following operations:
Enumerate trust relationships (direct and indirect).
View and change some attributes on a trust.
Syntax
Netdom uses the following general syntaxes:
NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
NetDom help <Operation>
http://technet.microsoft.com/en-us/library/cc772217.aspx
&&
What's the difference between a site link's schedule and interval?
The schedule lets you list the weekdays or hours during which the site link is available
for replication to happen at the given interval. The interval is how often intersite
replication recurs, in minutes, within that schedule. It ranges from 15 to 10,080 minutes. The default interval is
180 minutes.
&&
What is the KCC?
The KCC is a built-in process that runs on all domain controllers and generates the
replication topology for the Active Directory forest. The KCC creates separate
replication topologies depending on whether replication is occurring within a site
(intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology
to accommodate new domain controllers, domain controllers moved to and from sites,
changing costs and schedules, and domain controllers that are temporarily
unavailable.
Within a site, the connections between domain controllers are always arranged in a
bidirectional ring, with additional shortcut connections to reduce latency in large sites.
On the other hand, the intersite topology is a layering of spanning trees, which means
one intersite connection exists between any two sites for each directory partition and
generally does not contain shortcut connections. For more information about
spanning trees and Active Directory replication topology, see Active Directory
Replication Topology Technical Reference in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=44137).
On each domain controller, the KCC creates replication routes by creating one-way
inbound connection objects that define connections from other domain controllers.
For domain controllers in the same site, the KCC creates connection objects
automatically without administrative intervention. When you have more than one site,
you configure site links between sites and a single KCC in each site automatically
creates connections between sites as well.
&&
What is the ISTG? Who has that role by default?
The Intersite Topology Generator (ISTG) is responsible for the connections among
the sites. By default Windows 2003 forest-level functionality has this role.
By default the first server has this role. If that server can no longer perform this role
then the next server with the highest GUID takes over the role of ISTG.
&&
What are the requirements for installing AD on a new server?
• An NTFS partition with enough free space (250MB minimum)
• An Administrator's username and password
• The correct operating system version
• A NIC
• Properly configured TCP/IP (IP address, subnet mask and - optional - default
gateway)
• A network connection (to a hub or to another computer via a crossover cable)
• An operational DNS server (which can be installed on the DC itself)
• A Domain name that you want to use
• The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
From the Petri IT Knowledgebase. For more info, follow this link:
http://www.petri.co.il/active_directory_installation_requirements.htm
&&
What can you do to promote a server to DC if you're in a remote location
with a slow WAN link?
First available in Windows 2003: you create a copy of the system state from an
existing DC and copy it to the new remote server. Run "Dcpromo /adv". You will be
prompted for the location of the system state files.
===================================
Answer B:
Back up the system state as follows:
Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in
wizard mode, click the Advanced Mode hyperlink.)
On the Backup tab, click to select the System State check box in the left pane. Do not
back up the file system part of the SYSVOL tree separately from the system state
backup.
In the Backup media or file name box, specify the drive, path, and file name of the
system state backup.
Name the file .bak (recommended and general).
Restore the system state as below on the target computer:
Log on to the Windows Server 2003-based computer that you want to promote. You
must be a member of the local Administrators group on this computer.
Click Start, click Run, type ntbackup, and then click OK. (If the Backup utility starts in
wizard mode, click the Advanced Mode hyperlink.)
In the Backup utility, click the Restore and Manage Media tab. On the Tools menu,
click Catalog a backup file..., and then locate the .bkf file that you created earlier. Click
OK.
Expand the contents of the .bkf file, and then click to select the System State check
box.
In Restore files to:, click Alternate Location. To restore the system state, type the
logical drive and the path. We suggest that you type X:\Ntdsrestore. In this command,
X is the logical drive that will ultimately host the Active Directory database when the
member computer is promoted. The final location for the Active Directory database is
selected when you run the Active Directory Installation Wizard. This folder must be
different from the folder that contains the restored system state.
Now the last stage is promoting an additional domain controller:
Verify that the domain controller that is to be promoted has DNS name resolution and
network connectivity to existing domain controllers in the domain controller's target
domain.
Click Start, click Run, type dcpromo /adv, and then click OK.
Click Next to bypass the Welcome to the Active Directory Installation Wizard and
Operating System Compatibility dialog boxes.
On the Domain Controller Type page, click Additional domain controller for an
existing domain, and then click Next.
On the Copying Domain Information page, click From these restored backup files:,
and then type the logical drive and the path of the alternative location where the
system state backup was restored. Click Next.
In Network Credentials, type the user name, the password, and the domain name of an
account that is a member of the Domain Admins group for the domain that you
are promoting in.
Continue with the remainder of the Active Directory Installation Wizard pages as you
would with the standard promotion of an additional domain controller.
After the SYSVOL tree has replicated in, and the SYSVOL share exists, delete any
remaining restored system files and folders.
&&
How can you forcibly remove AD from a server, and what do you do
later? / Can I get user passwords from the AD database?
Demote the server using dcpromo /forceremoval, then remove the metadata from
Active Directory using ntdsutil. There is no way to get user passwords from AD that I
am aware of, but you should still be able to change them.
Another way out too:
Restart the DC in DSRM mode.
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode.
It's a member server now but the AD entries are still there. Promote the server to a fake
domain, say ABC.com, and then remove it gracefully using DCpromo. Else, after restart,
you can also use ntdsutil to do the metadata cleanup as told in the earlier post.
&&
What tool would I use to try to grab security-related packets from the
wire?
You must use sniffer-detecting tools to help stop the snoops. ...
A good packet sniffer would be "ethereal":
http://www.ethereal.com/
&&
Name some OU design considerations
OU design requires balancing requirements for delegating administrative rights -
independent of Group Policy needs - and the need to scope the application of Group
Policy. The following OU design recommendations address delegation and scope
issues:
Applying Group Policy: An OU is the lowest-level Active Directory container to which
you can assign Group Policy settings.
Delegating administrative authority.
Usually don't go more than 3 OU levels deep.
http://technet.microsoft.com/en-us/library/cc783140.aspx
&&
What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service.
This assists in removing objects from replicated servers and preventing restores from
reintroducing a deleted object. This value is in the Directory Service object in the
configuration NC.
By default: 2000 (60 days)
2003 (180 days)
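The practical consequence of the tombstone lifetime is that a system state backup older than it must not be restored, because it can reintroduce objects that were deleted after the backup was taken. The following is an added example, not code from the original page; it reads the attribute from the Directory Service object named above and assumes the ActiveDirectory PowerShell module. The function names and the sample -BackupDate value are chosen here.

```powershell
# Added example (not part of the original page): read the forest tombstone
# lifetime from CN=Directory Service in the configuration NC and decide whether a
# system state backup taken on a given date is still safe to restore.
# Assumes the ActiveDirectory module; the backup date is a value you supply.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $config = (Get-ADRootDSE).configurationNamingContext
    $dsObj  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
                           -Properties tombstoneLifetime
    # If the attribute is not set (forests originally created with Windows 2000),
    # AD behaves as if it were 60 days.
    if ($null -eq $dsObj.tombstoneLifetime) { 60 } else { [int]$dsObj.tombstoneLifetime }
}

function Test-BackupRestorable {
    param([Parameter(Mandatory)][datetime]$BackupDate)
    $tsl = Get-TombstoneLifetimeDays
    $age = [int]((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        TombstoneLifetimeDays = $tsl
        BackupAgeDays         = $age
        # A backup older than the tombstone lifetime can reintroduce objects that
        # were deleted after it was taken (lingering objects), so refuse it.
        Restorable            = ($age -lt $tsl)
    }
}

# Constructed sample: a backup taken 45 days ago.
Test-BackupRestorable -BackupDate (Get-Date).AddDays(-45)
```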
&&
What do you do to install a new Windows 2003 DC in a Windows 2000
AD?
If you plan to install Windows 2003 Server domain controllers into an existing
Windows 2000 domain or upgrade Windows 2000 domain controllers to Windows
Server 2003, you first need to run the Adprep.exe utility on the Windows 2000 domain
controllers currently holding the schema master and infrastructure master roles. The
adprep /forestprep command must first be issued on the Windows 2000 server
holding the schema master role in the forest root domain to prepare the existing schema to
support Windows 2003 Active Directory. The adprep /domainprep command must be
issued on the server holding the infrastructure master role in the domain where the 2003
server will be deployed.
&&
What do you do to install a new Windows 2003 R2 DC in a Windows
2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1
installed, you require only the second R2 CD-ROM. Insert the second CD and
r2auto.exe will display the Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the schema
to the R2 version (this is a minor change and mostly related to the new DFS replication
engine). To update the schema, run the Adprep utility, which you'll find in the
Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command,
ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).
Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be
upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows
2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent
potential domain controller corruption.
For more information about preparing your forest and domain see KB article Q331161
at http://support.microsoft.com.
[User Action] If ALL your existing Windows 2000 domain controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type any other key
and press ENTER to quit.
C Opened Connection to SAVDALDC01 SSPI Bind succeeded Current Schema Version
is 30 Upgrading schema to version 31 Connecting to "SAVDALDC01" Logging in as
current user using SSPI Importing directory from file
"C:\WINDOWS\system32\sch31.ldf" Loading
entries................................................... 139 entries
modified successfully.
The command has completed successfully. Adprep successfully updated the forest-wide
information.
After running Adprep, install R2 by performing these steps:
Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
You'll be prompted to enter an R2 CD key (this is different from your existing
Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a
regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The
license key entered for R2 must match the underlying OS type, which means if you
installed Windows 2003 using a volume-license version key, then you can't use a retail
or Microsoft Developer Network (MSDN) R2 key.
You'll see the setup summary screen which confirms the actions to be performed (e.g.,
Copy files). Click Next.
After the installation is complete, you'll see a confirmation dialog box. Click Finish.
&&
How would you find all users that have not logged on since last month?
Using only native commands, JSILLD.bat produces a sorted/formatted report of users
who have not logged on since YYYYMMDD.
The report is sorted by UserName and lists the user's full name and last logon date.
The syntax for using JSILLD.bat is:
JSILLD \Folder\OutputFile.Ext YYYYMMDD [/N]
where:
YYYYMMDD will report all users who have not logged on since this date.
/N is an optional parameter that will bypass users who have never logged on.
JSILLD.bat contains:
@echo off
setlocal
if {%2}=={} goto syntax
if "%3"=="" goto begin
if /i "%3"=="/n" goto begin
:syntax
@echo Syntax: JSILLD File yyyymmdd [/N]
endlocal
goto :EOF
:begin
if /i "%2"=="/n" goto syntax
set dte=%2
rem Validate the YYYYMMDD argument one field at a time
set XX=%dte:~0,4%
if "%XX%" LSS "1993" goto syntax
set XX=%dte:~4,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "12" goto syntax
set XX=%dte:~6,2%
if "%XX%" LSS "01" goto syntax
if "%XX%" GTR "31" goto syntax
set never=X
if /i "%3"=="/n" set never=/n
set file=%1
if exist %file% del /q %file%
rem "net user /domain" prints three user names per line in 25-character columns
for /f "Skip=4 Tokens=*" %%i in ('net user /domain^|findstr /v /c:"----"^|findstr /v /i /c:"The command completed"') do (
 call :parse "%%i"
)
endlocal
goto :EOF
:parse
set str=#%1#
set str=%str:#"=%
set str=%str:"#=%
set substr=%str:~0,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~25,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~50,25%#
set substr=%substr: =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto :EOF
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
goto :EOF
:parse1
set ustr=%1
if %ustr%=="The command completed successfully." goto :EOF
set ustr=%ustr:"=%
if /i "%ustr:~0,9%"=="Full Name" set fullname=%ustr:~29,99%
if /i not "%ustr:~0,10%"=="Last logon" goto :EOF
set txt=%ustr:~29,99%
for /f "Tokens=1,2,3 Delims=/ " %%i in ('@echo %txt%') do set MM=%%i&set DD=%%j&set YY=%%k
if /i "%MM%"=="Never" goto tstnvr
goto year
:tstnvr
if /i "%never%"=="/n" goto :EOF
goto report
:year
if "%YY%" GTR "1000" goto mmm
if "%YY%" GTR "92" goto Y19
set /a YY=100%YY%%%100
set /a YY=%YY% + 2000
goto mmm
:Y19
set YY=19%YY%
:mmm
set /a XX=100%MM%%%100
if %XX% LSS 10 set MM=0%XX%
set /a XX=100%DD%%%100
if %XX% LSS 10 set DD=0%XX%
set YMD=%YY%%MM%%DD%
if "%YMD%" GEQ "%dte%" goto :EOF
:report
set fullname=%fullname% #
set fullname=%fullname:~0,35%
set substr=%substr% #
set substr=%substr:~0,30%
@echo %substr% %fullname% %txt% >> %file%
Read more:
http://wiki.answers.com/Q/How_would_you_find_all_users_that_have_not_logged_on_since_last_month
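The batch script above parses "net user" output, which only sees the last logon recorded on the DC it happens to query. An added example, not code from the original page or from JSI, that does the same report with the ActiveDirectory PowerShell module and keeps JSILLD's optional "skip never logged on" behaviour; the function name Get-StaleUsers and the output path are chosen here. It assumes the ActiveDirectory module is installed.

```powershell
# Added example (not part of the original page): a PowerShell equivalent of the
# JSILLD.bat report above, with the same optional "skip users who never logged on"
# switch. Assumes the ActiveDirectory module. LastLogonDate is derived from
# lastLogonTimestamp, which is replicated between DCs only when it is more than
# 14 days stale, so a user can look up to 14 days older than their real last logon.
Import-Module ActiveDirectory

function Get-StaleUsers {
    param(
        [Parameter(Mandatory)][datetime]$Since,   # report users not logged on since this date
        [switch]$SkipNeverLoggedOn                # same meaning as JSILLD's /N
    )
    Get-ADUser -Filter 'enabled -eq $true' -Properties LastLogonDate, DisplayName |
        Where-Object {
            if ($null -eq $_.LastLogonDate) { -not $SkipNeverLoggedOn }   # never logged on
            else { $_.LastLogonDate -lt $Since }
        } |
        Sort-Object SamAccountName |
        ForEach-Object {
            [pscustomobject]@{
                UserName  = $_.SamAccountName
                FullName  = $_.DisplayName
                LastLogon = if ($_.LastLogonDate) { $_.LastLogonDate.ToString('yyyy-MM-dd') } else { 'Never' }
            }
        }
}

# Equivalent of: JSILLD C:\report.txt <first day of last month> [/N]
$firstOfLastMonth = (Get-Date -Day 1).AddMonths(-1).Date
Get-StaleUsers -Since $firstOfLastMonth | Export-Csv -Path C:\report.csv -NoTypeInformation
```

Accounts that show "Never" but are enabled deserve a second look, since an account that has existed for months without a logon is a common candidate for disabling.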
&&
What are the DS* commands?
New DS (Directory Service) family of built-in command-line utilities for Windows
Server 2003 Active Directory
A:
New DS built-in tools for Windows Server 2003
The DS (Directory Service) group of commands is split into two families. In one
branch are DSadd, DSmod, DSrm and DSMove, and in the other branch are DSQuery
and DSGet.
When it comes to choosing a scripting tool for Active Directory objects, you really are
spoilt for choice. The DS family of built-in command-line executables offers
alternative strategies to CSVDE, LDIFDE and VBScript.
Let me introduce you to the members of the DS family:
DSadd - add Active Directory users and groups
DSmod - modify Active Directory objects
DSrm - delete Active Directory objects
DSmove - relocate objects
DSQuery - find objects that match your query attributes
DSget - list the properties of an object
DS Syntax
These DS tools have their own command structure, which you can split into five parts:
1 2 3 4 5
Tool object "DN" (as in LDAP distinguished name) -switch value. For example:
DSadd user "cn=billy, ou=managers, dc=cp, dc=com" -pwd cX49pQa
This will add a user called Billy to the Managers OU and set the password to cX49pQa.
Here are some of the common DS switches which work with DSadd and DSmod:
-pwd (password) -upn (userPrincipalName) -fn (FirstName) -samid (SAM account
name).
The best way to learn about this DS family is to log on at a domain controller and
experiment from the command line. I have prepared examples of the two most
common programs. Try some sample commands for DSadd.
Two most useful tools: DSQuery and DSGet
DSQuery and DSGet remind me of UNIX commands in that they operate at the
command line, use powerful verbs, and produce plenty of action. One prerequisite for
getting the most from this DS family is a working knowledge of LDAP.
If you need to query users or computers from a range of OUs and then return
information, for example office, department or manager, then DSQuery and DSGet
would be your tools of choice. Moreover, you can export the information into a text
file.
&&
What is the difference between ldifde and csvde usage considerations?
Ldifde
Ldifde creates, modifies, and deletes directory objects on computers running Windows
Server 2003 operating systems or Windows XP Professional. You can also use Ldifde
to extend the schema, export Active Directory user and group information to other
applications or services, and populate Active Directory with data from other directory
services.
The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file
format that may be used for performing batch operations against directories that
conform to the LDAP standards. LDIF can be used to export and import data, allowing
batch operations such as add, create, and modify to be performed against the Active
Directory. A utility program called LDIFDE is included in Windows 2000 to support
batch operations based on the LDIF file format standard. This article is designed to
help you better understand how the LDIFDE utility can be used to migrate directories.
http://support.microsoft.com/kb/237677
Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files
that store data in the comma-separated value (CSV) format. You can also support
batch operations based on the CSV file format standard.
Csvde is a command-line tool that is built into Windows Server 2008 in the system32
folder. It is available if you have the AD DS or Active Directory Lightweight Directory
Services (AD LDS) server role installed. To use csvde, you must run the csvde
command from an elevated command prompt. To open an elevated command prompt,
click Start, right-click Command Prompt, and then click Run as administrator.
http://technet.microsoft.com/en-us/library/cc732101.aspx
DIFFERENCE USAGE-WISE
Csvde.exe is a Microsoft Windows 2000 command-line utility that is located in the
SystemRoot\System32 folder after you install Windows 2000. Csvde.exe is similar to
Ldifde.exe, but it extracts information in a comma-separated value (CSV) format. You
can use Csvde to import and export Active Directory data that uses the comma-
separated value format. Use a spreadsheet program such as Microsoft Excel to open
this .csv file and view the header and value information. See Microsoft Excel Help for
information about functions such as Concatenate that can simplify the process of
building a .csv file.
Note: Although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only
import and export Active Directory data by using a comma-separated format (.csv).
Microsoft recommends that you use the Ldifde utility for Modify or Delete operations.
Additionally, the distinguished name (also known as DN) of the item that you are
trying to import must be in the first column of the .csv file or the import will not work.
The source .csv file can come from an Exchange Server directory export. However,
because of the difference in attribute mappings between the Exchange Server directory
and Active Directory, you must make some modifications to the .csv file. For example,
a directory export from Exchange Server has a column that is named "obj-class" that
you must rename to "objectClass." You must also rename "Display Name" to
"displayName."
http://support.microsoft.com/kb/327620

What are the FSMO roles? Who has them by default? What happens when each one fails?
FSMO stands for Flexible Single Master Operation.
It has five roles:
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.

What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.

I want to look at the RID allocation table for a DC. What do I do?
1. Install the Support Tools from the OS disk (OS Inst. Disk => support => tools => suptools.msi)
2. In a command prompt type: dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our DC)
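The dcdiag test above prints the pools from the directory; the same data can be read directly with PowerShell, which is handy when the Support Tools are not installed. This is an added example, not part of the original answer. It assumes the RSAT ActiveDirectory module is available and relies on the well-known layout of the pool attributes (each 64-bit value holds the first RID in its low 32 bits and the last RID in its high 32 bits); the attribute roles described in the comments are assumptions of this example, not statements from the page.

```powershell
# Added example (not from the article): read the RID allocation data directly
# from Active Directory, the same information "dcdiag /test:ridmanager /v"
# reports.  Assumes the RSAT ActiveDirectory module.  Attribute layout assumed
# here: each pool is a 64-bit value whose low 32 bits are the first RID and
# whose high 32 bits are the last RID.
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    param([Parameter(Mandatory)] [long] $Value)
    [pscustomobject]@{
        Start = $Value -band 0xFFFFFFFF
        End   = ($Value -shr 32) -band 0xFFFFFFFF
    }
}

function Get-RidAllocation {
    param([string] $DomainController = (Get-ADDomainController).HostName)
    $domain = Get-ADDomain

    # Domain-wide unallocated pool, owned by the RID master.
    $mgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" `
                        -Properties rIDAvailablePool -Server $DomainController
    $available = ConvertFrom-RidPool $mgr.rIDAvailablePool

    # Per-DC pool, stored in the "RID Set" object under the DC's computer object.
    # rIDPreviousAllocationPool is the pool the DC is issuing from (rIDNextRID
    # indexes into it); rIDAllocationPool is the pool most recently granted by
    # the RID master.  They match until the DC asks for a new pool.
    $dcObj  = Get-ADDomainController -Identity $DomainController
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dcObj.ComputerObjectDN)" `
                           -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID `
                           -Server $DomainController
    $granted = ConvertFrom-RidPool $ridSet.rIDAllocationPool
    $inUse   = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool

    [pscustomobject]@{
        RidMaster              = $domain.RIDMaster
        DomainNextAvailableRid = $available.Start
        DomainMaxRid           = $available.End
        DC                     = $DomainController
        PoolInUse              = "$($inUse.Start)-$($inUse.End)"
        PoolGranted            = "$($granted.Start)-$($granted.End)"
        NextRidToIssue         = $ridSet.rIDNextRID
        RidsLeftInPoolInUse    = $inUse.End - $ridSet.rIDNextRID
    }
}

Get-RidAllocation | Format-List
```

Comparing the per-DC pools of every DC in the domain is the quickest way to spot the overlapping-pool condition that the transfer/seize discussion later in this page warns about after a RID master seizure.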

What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available.
If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT seize the Schema Master role.
If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master from the network.
If you seize the Schema Master role, the boot drive on the original Schema Master must be completely reformatted and the operating system must be cleanly installed, if you intend to return this computer to the network.
NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition that contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:
An administrator reassigns the role by using a GUI administrative tool.
An administrator reassigns the role by using the ntdsutil /roles command.
An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.
We recommend that you transfer FSMO roles in the following scenarios:
The current role holder is operational and can be accessed on the network by the new FSMO owner.
You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.
We recommend that you seize FSMO roles in the following scenarios:
The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.
As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain that last inbound-replicated, or recently inbound-replicated, a writable copy of the "FSMO partition" from the existing role holder. For example, the Schema master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=<forest root domain>, and this means that roles reside in and are replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds.
The partition for each FSMO role is in the following list:
FSMO role             Partition
Schema                CN=Schema,CN=configuration,DC=<forest root domain>
Domain Naming Master  CN=configuration,DC=<forest root domain>
PDC                   DC=<domain>
RID                   DC=<domain>
Infrastructure        DC=<domain>
A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.
Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
Type roles, and then press ENTER.
Note: To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
At the server connections prompt, type q, and then press ENTER.
Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Seize FSMO roles
To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
Type roles, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
At the server connections prompt, type q, and then press ENTER.
Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
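The two ntdsutil procedures above (transfer and seize) can be scripted with the ActiveDirectory module, which makes it easy to enforce the rule the answer gives: seize only when the current owner is gone for good. This is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module, the same group memberships the steps above require, and a hypothetical target DC name `DC02`. Reachability is checked with ICMP, which is only a heuristic (a DC that blocks ping looks "down").

```powershell
# Added example (not part of the original article): transfer or seize FSMO roles
# with the ActiveDirectory module instead of the interactive ntdsutil session.
# Assumes the RSAT ActiveDirectory module is installed and the caller holds the
# same group memberships the steps above require (Enterprise Admins for the
# forest roles, Domain Admins for the domain roles).
Import-Module ActiveDirectory

# Hypothetical target DC name; replace with the DC that should own the roles.
$Target = 'DC02'

function Get-FsmoHolders {
    # One object with the current owner of each role, so the state can be
    # recorded before and after the move.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)] [string]   $To,
        [Parameter(Mandatory)] [string[]] $Roles,   # e.g. 'PDCEmulator','RIDMaster'
        [switch] $Seize
    )
    $holders = Get-FsmoHolders
    foreach ($role in $Roles) {
        $current = $holders.$role
        # A graceful transfer needs the current owner on the network.  Fall back
        # to seizure (-Force) only when the owner is unreachable AND will not be
        # brought back, which is what the scenarios above require.
        $reachable = Test-Connection -ComputerName $current -Count 1 -Quiet
        if (-not $reachable -and -not $Seize) {
            throw "$role owner $current is unreachable; a transfer is impossible. Use -Seize only if $current is permanently gone."
        }
        if ($Seize -and $reachable) {
            throw "$role owner $current is still reachable; transfer it instead of seizing."
        }
        # -Force turns the transfer into a seizure; the cmdlet asks for
        # confirmation because the operation is high impact.
        Move-ADDirectoryServerOperationMasterRole -Identity $To -OperationMasterRole $role -Force:$Seize
    }
    Get-FsmoHolders
}

# Transfer the three domain-wide roles (the schema and domain naming roles are
# forest-wide and need Enterprise Admins):
# Move-FsmoRoles -To $Target -Roles 'PDCEmulator','RIDMaster','InfrastructureMaster'
# Seize only after the old owner has been permanently disconnected:
# Move-FsmoRoles -To $Target -Roles 'SchemaMaster' -Seize
```

The role names accepted by `-OperationMasterRole` are the same five the page lists (SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster); running `Get-FsmoHolders` again after the move confirms that replication has carried the change.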
Notes
Under typical conditions, all five roles must be assigned to "live" domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, click the following article number to view the article in the Microsoft Knowledge Base: 223346 (http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on Windows 2000 domain controllers
If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in Active Directory after an unsuccessful domain controller demotion
Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.
Some customers prefer not to restore system state backups of FSMO role-holders in case the role has been reassigned since the backup was made.
Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.
To test whether a domain controller is also a global catalog server:
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
Double-click Sites in the left pane, and then locate the appropriate site or click Default-First-Site-Name if no other sites are available.
Open the Servers folder, and then click the domain controller.
In the domain controller's folder, double-click NTDS Settings.
On the Action menu, click Properties.
On the General tab, view the Global Catalog check box to see if it is selected.
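The GUI check above, and the Infrastructure Master note in the FSMO roles answer earlier on this page, both come down to one rule: the infrastructure master must not be a global catalog unless every DC in the domain is one. The following script evaluates that rule for every domain in the forest and lists the five role holders as a starting point. It is an added example, not part of the original article, and assumes the RSAT ActiveDirectory module; the `IsGlobalCatalog` flag it reads is the same setting the Global Catalog check box shows.

```powershell
# Added example (not from the article): check the placement rule described above,
# that the Infrastructure Master should not sit on a global catalog server unless
# every DC in the domain is a GC.  Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([string] $Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Identity $Domain
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    # Get-ADDomain returns the holder's host name; match it to the DC object so
    # its IsGlobalCatalog flag (what the GUI check box shows) can be read.
    $imDc  = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    [pscustomobject]@{
        Domain                   = $Domain
        InfrastructureMaster     = $dom.InfrastructureMaster
        InfrastructureMasterIsGC = [bool] $imDc.IsGlobalCatalog
        AllDCsAreGC              = $allGc
        # Placement is fine if the IM is not a GC, or if every DC is a GC (then
        # every DC already has the full data and the role holder does not matter).
        PlacementOK              = (-not $imDc.IsGlobalCatalog) -or $allGc
    }
}

function Get-ForestFsmoReport {
    # One row per domain: the two forest-wide holders plus the three domain-wide
    # holders, the starting point for any transfer/seize decision.
    $forest = Get-ADForest
    foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        [pscustomobject]@{
            Domain               = $d
            SchemaMaster         = $forest.SchemaMaster
            DomainNamingMaster   = $forest.DomainNamingMaster
            PDCEmulator          = $dom.PDCEmulator
            RIDMaster            = $dom.RIDMaster
            InfrastructureMaster = $dom.InfrastructureMaster
        }
    }
}

Get-ForestFsmoReport | Format-Table -AutoSize
(Get-ADForest).Domains |
    ForEach-Object { Test-InfrastructureMasterPlacement -Domain $_ } |
    Format-Table -AutoSize
```

A `PlacementOK` of False is the condition under which the event-log warning mentioned in the Infrastructure Master note appears; either move the role with the transfer procedure above or make the remaining DCs global catalogs.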

How do you configure a "stand-by operation master" for any of the roles?
Open Active Directory Sites and Services.
Expand the site name in which the standby operations master is located to display the Servers folder.
Expand the Servers folder to see a list of the servers in that site.
Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
Right-click NTDS Settings, click New, and then click Connection.
In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.

How do you backup AD?
Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides.
You frequently back up the system state data on domain controllers so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary.
To ensure a good backup includes at least the system state data and contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days. Any backup older than 60 days is not a good backup. Plan to back up at least two domain controllers in each domain, and keep at least one backup to enable an authoritative restore of the data when necessary.
System State Data
Several features in the Windows Server 2003 family make it easy to back up Active Directory. You can back up Active Directory while the server is online and other network functions can continue to operate.
System state data on a domain controller includes the following components:
Active Directory: System state data does not contain Active Directory unless the server on which you are backing up the system state data is a domain controller. Active Directory is present only on domain controllers.
The SYSVOL shared folder: This shared folder contains Group Policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.
The Registry: This database repository contains information about the computer's configuration.
System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under Windows File Protection and used by Windows to load, configure, and run the operating system.
The COM+ Class Registration database: The Class Registration is a database of information about Component Services applications.
The Certificate Services database: This database contains certificates that a server running Windows Server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.
System state data contains most elements of a system's configuration, but it may not include all of the information that you require to recover data from a system failure. Therefore, be sure to back up all boot and system volumes, including the System State, when you back up your server.
Restoring Active Directory
In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted.
Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner. Once the replication is finished each partner has an updated version of Active Directory. There is another way to get these latest updates: use the Backup utility to restore replicated data from a backup copy. For this restore you don't need to configure your domain controller again or install the operating system from scratch.
Active Directory Restore Methods
You can use one of three methods to restore Active Directory from backup media: primary restore, normal (non-authoritative) restore, and authoritative restore.
Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup.
Members of the Administrators group can perform the primary restore on the local computer, or a user who has been delegated this responsibility can perform the restore. On a domain controller only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state at the time of the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore of individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup. Ntdsutil is a command-line utility used to perform an authoritative restore along with the Windows Server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version number; recently changed data on other domain controllers then does not overwrite the restored data during replication.

How do you change the DS Restore admin password?
To Reset the DSRM Administrator Password
Click Start, click Run, type ntdsutil, and then click OK.
At the Ntdsutil command prompt, type set dsrm password.
At the DSRM command prompt, type one of the following lines:
To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.
-or-
To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.
At the DSRM command prompt, type q.
At the Ntdsutil command prompt, type q to exit.

Why can't you restore a DC that was backed up 6 months ago?
Because of the tombstone lifetime, which is set to only 60 or 120 days.
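The answer above, and the "good backup" rule in the backup answer earlier on this page, both depend on one forest-wide value: the tombstone lifetime. The script below reads it from the directory and grades a backup by its age. It is an added example, not part of the original answers; it assumes the RSAT ActiveDirectory module and, when the attribute is unset, falls back to the 60-day default the page quotes. The sample backup dates and the backup folder path are constructed for the illustration.

```powershell
# Added example (not from the article): read the forest's tombstone lifetime and
# decide whether a given backup is still usable for a restore.  Assumes the RSAT
# ActiveDirectory module.  When the attribute is not set, the effective default
# is the 60 days quoted in the answers above.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $rootDse = Get-ADRootDSE
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                          -Properties tombstoneLifetime
    if ($null -eq $dsObj.tombstoneLifetime) { 60 } else { [int] $dsObj.tombstoneLifetime }
}

function Test-BackupUsable {
    # A backup must be younger than the tombstone lifetime: a DC restored from
    # an older backup would re-introduce objects that the rest of the domain
    # has already purged (lingering objects).
    param(
        [Parameter(Mandatory)] [datetime] $BackupTime,
        [int] $TombstoneLifetimeDays = (Get-TombstoneLifetimeDays),
        [datetime] $Now = (Get-Date)
    )
    $age = ($Now - $BackupTime).Days
    [pscustomobject]@{
        BackupTime            = $BackupTime
        AgeDays               = $age
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        Usable                = $age -lt $TombstoneLifetimeDays
        DaysUntilExpiry       = $TombstoneLifetimeDays - $age
    }
}

# Constructed sample: a 6-month-old backup fails against a 60-day lifetime, a
# 3-week-old one passes.  The lifetime is passed explicitly here so this part
# runs without a domain.
Test-BackupUsable -BackupTime (Get-Date).AddMonths(-6) -TombstoneLifetimeDays 60
Test-BackupUsable -BackupTime (Get-Date).AddDays(-21)  -TombstoneLifetimeDays 60

# Against the live forest, grading the system state backups in a folder
# (hypothetical path) by their last-write time:
# Get-ChildItem 'E:\SystemStateBackups\*.bkf' |
#     ForEach-Object { Test-BackupUsable -BackupTime $_.LastWriteTime }
```

`DaysUntilExpiry` is the useful number for monitoring: alerting when it drops below the backup interval catches the problem before the last usable backup expires.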

What are GPOs?
Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 to continually enforce the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.
Group Policy Advantages
You can assign Group Policy in domains, sites and organizational units.
Group Policy settings are reflected on all users and computers in the domain, site and organizational unit.
No one in the network has rights to change the settings of Group Policy; by default only the administrator has full privilege to change them, so it is very secure.
Policy settings can be removed, and the changes can be rewritten later.

What is the order in which GPOs are applied?
Local, Site, Domain, OU
Group Policy settings are processed in the following order:
1. Local Group Policy object: each computer has exactly one Group Policy object that is stored locally. This is processed for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)

Name a few benefits of using GPMC.
Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:
Easy administration of all GPOs across the entire Active Directory forest
View of all GPOs in one single list
Reporting of GPO settings, security, filters, delegation, etc.
Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
Delegation model
Backup and restore of GPOs
Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you want to protect the GPOs from the following:
Role-based delegation of GPO management
Being edited in production, potentially causing damage to desktops and servers
Forgetting to back up a GPO after it has been modified
Change management of each modification to every GPO

What are the GPC and the GPT? Where can I find them?
GPOs store Group Policy settings in two locations: a Group Policy container (GPC) (preferred) and a Group Policy template (GPT). The GPC is an Active Directory object that stores version information, status information, and other policy information (for example, application objects).
The GPT is used for file-based data and stores software policy, script, and deployment information. The GPT is located in the system volume folder of the domain controller.
A GPO can be associated with one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be associated with the same GPO, and a single container can have more than one associated GPO.
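Because a GPO lives in two places, the version number in the GPC must match the one in the GPT's GPT.ini; when they differ, the AD half and the SYSVOL half have replicated unevenly and clients may apply stale settings. The script below finds both halves of a named GPO and compares them. It is an added example, not part of the original answer; it assumes the RSAT GroupPolicy and ActiveDirectory modules, reads the GPT location from the GPC's `gPCFileSysPath` attribute, and uses the well-known version encoding (low 16 bits computer side, high 16 bits user side), which is this example's assumption rather than something the page states.

```powershell
# Added example (not from the article): locate a GPO's two halves, the GPC in
# Active Directory and the GPT in SYSVOL, and compare their version numbers.
# A mismatch means the directory and file-system halves are out of step.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules.  Version encoding
# assumed here: low 16 bits = computer side, high 16 bits = user side.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Split-GpoVersion {
    param([Parameter(Mandatory)] [long] $Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Get-GpoStorage {
    param([Parameter(Mandatory)] [string] $Name)
    $gpo = Get-GPO -Name $Name

    # GPC: the groupPolicyContainer object under CN=Policies,CN=System,<domain>.
    # Get-GPO exposes its distinguished name as .Path; the object also carries
    # the GPT location in gPCFileSysPath.
    $gpcDn = $gpo.Path
    $gpc   = Get-ADObject -Identity $gpcDn -Properties versionNumber, gPCFileSysPath

    # GPT: the folder in SYSVOL named after the GPO GUID; GPT.ini carries the
    # version as "Version=<number>" in its [General] section.
    $gptPath = $gpc.gPCFileSysPath
    $line    = Get-Content (Join-Path $gptPath 'GPT.ini') |
               Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
    $gptVer  = [long] ($line -replace '^Version=', '')
    $adVer   = [long] $gpc.versionNumber

    $ad = Split-GpoVersion $adVer
    $fs = Split-GpoVersion $gptVer
    [pscustomobject]@{
        Name            = $Name
        Guid            = "{$($gpo.Id)}"
        GPC             = $gpcDn
        GPT             = $gptPath
        AD_UserVersion  = $ad.User
        AD_CompVersion  = $ad.Computer
        FS_UserVersion  = $fs.User
        FS_CompVersion  = $fs.Computer
        InSync          = ($adVer -eq $gptVer)
    }
}

Get-GpoStorage -Name 'Default Domain Policy' | Format-List
```

Run it against every GPO with `Get-GPO -All | ForEach-Object { Get-GpoStorage -Name $_.DisplayName }` and filter on `InSync -eq $false` to get the list worth investigating; because GPMC edits go through the PDC Emulator's SYSVOL copy (as noted in the FSMO roles answer), a persistent mismatch usually points at SYSVOL replication rather than at the GPO itself.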

What are GPO links? What special things can I do to them?
Linking GPOs
To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using GPMC. Keep in mind that creating and linking GPOs is a sensitive privilege that should be delegated only to administrators who are trusted and understand Group Policy.
Linking GPOs to the Site
If you have a number of policy settings to apply to computers in a particular physical location only (certain network or proxy configuration settings, for example), these settings might be appropriate for inclusion in a site-based policy. Because domains and sites are independent, it is possible that computers in the site might need to cross domains to link the GPO to the site. In this case, make sure there is good connectivity. If, however, the settings do not clearly correspond to computers in a single site, it is better to assign the GPO to the domain or OU structure rather than to the site.
Linking GPOs to the Domain
Link GPOs to the domain if you want them to apply to all users and computers in the domain. For example, security administrators often implement domain-based GPOs to enforce corporate standards. They might want to create these GPOs with the GPMC Enforce option enabled to guarantee that no other administrator can override these settings.
Important
If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option. In general, do not modify this or the Default Domain Controller Policy GPO. If you do, be sure to back up these and any other GPOs in your network by using GPMC to ensure you can restore them.
As the name suggests, the Default Domain Policy GPO is also linked to the domain. The Default Domain Policy GPO is created when the first domain controller in the domain is installed and the administrator logs on for the first time. This GPO contains the domain-wide account policy settings, Password Policy, Account Lockout Policy, and Kerberos Policy, which are enforced by the domain controller computers in the domain. All domain controllers retrieve the values of these account policy settings from the Default Domain Policy GPO. In order to apply account policies to domain accounts, these policy settings must be deployed in a GPO linked to the domain, and it is recommended that you set these settings in the Default Domain Policy. If you set account policies at a lower level, such as an OU, the settings only affect local accounts (non-domain accounts) on computers in that OU and its children.
Before making any changes to the default GPOs, be sure to back up the GPO using GPMC. If for some reason there is a problem with the changes to the default GPOs and you cannot revert back to the previous or initial states, you can use the Dcgpofix.exe tool to recreate the default policies in their initial state.
Dcgpofix.exe is a command-line tool that completely restores the Default Domain Policy GPO and Default Domain Controller GPO to their original states in the event of a disaster where you cannot use GPMC. Dcgpofix.exe restores only the policy settings that are contained in the default GPOs at the time they are generated. The only Group Policy extensions that include policy settings in the default GPOs are RIS, Security, and EFS. Dcgpofix.exe does not restore other GPOs that administrators create; it is only intended for disaster recovery of the default GPOs.
Note that Dcgpofix.exe does not save any information created through applications, such as SMS or Exchange. The Dcgpofix.exe tool is included with Windows Server 2003 and only works in a Windows Server 2003 domain.
Dcgpofix.exe is located in the C:\Windows\Repair folder. The syntax for Dcgpofix.exe is as follows:
DCGPOFix [/Target: Domain | DC | BOTH]
Table 2.1 describes the options you can use with the command-line parameter /Target: when using the Dcgpofix.exe tool.
Table 2.1 Dcgpofix.exe Options for Using the /Target Parameter
/Target option   Description of option
DOMAIN           Specifies that the Default Domain Policy should be recreated.
DC               Specifies that the Default Domain Controllers Policy should be recreated.
BOTH             Specifies that both the Default Domain Policy and the Default Domain Controllers Policy should be recreated.
For more information about Dcgpofix.exe, in Help and Support Center for Windows Server 2003 click Tools, and then click Command-line reference A-Z.
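The section above recommends backing up the default GPOs before touching them and keeps Dcgpofix.exe as the last resort; the GPMC shortcomings listed earlier on the page include "forgetting to back up a GPO after it has been modified". The script below covers both: it backs up the two default GPOs (or all GPOs) into a timestamped folder and reports GPOs modified since the last backup. It is an added example, not part of the original article; it assumes the RSAT GroupPolicy module and a hypothetical backup root `E:\GPOBackups`.

```powershell
# Added example (not from the article): back up the two default GPOs (and,
# optionally, every GPO) before any change, so there is something to restore
# without resorting to Dcgpofix.exe, which only rebuilds the defaults.  Assumes
# the RSAT GroupPolicy module; the backup root is a hypothetical path.
Import-Module GroupPolicy

function Backup-DefaultGpos {
    param(
        [string] $BackupRoot = 'E:\GPOBackups',   # hypothetical
        [switch] $All
    )
    $folder = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    if ($All) {
        Backup-GPO -All -Path $folder -Comment 'Pre-change backup of all GPOs'
    } else {
        foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
            Backup-GPO -Name $name -Path $folder -Comment "Pre-change backup of $name"
        }
    }
    # Return the folder so it can be handed to Restore-GPO -Path later.
    $folder
}

function Get-UnbackedUpGpos {
    # GPOs modified after the newest backup folder was written: the ones
    # "forgotten" in the GPMC shortcomings listed earlier on this page.
    param([string] $BackupRoot = 'E:\GPOBackups')
    $lastBackup = Get-ChildItem $BackupRoot -Directory -ErrorAction SilentlyContinue |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $since = if ($lastBackup) { $lastBackup.LastWriteTime } else { [datetime]::MinValue }
    Get-GPO -All | Where-Object { $_.ModificationTime -gt $since } |
        Select-Object DisplayName, ModificationTime
}

$backupFolder = Backup-DefaultGpos
Write-Host "Backups written to $backupFolder"
Get-UnbackedUpGpos | Format-Table -AutoSize

# Only if the defaults are beyond repair and GPMC cannot restore them:
# dcgpofix /target:BOTH
```

`Restore-GPO -Name 'Default Domain Policy' -Path $backupFolder` puts the GPMC backup back, settings and all, which is the recovery path the Important note prefers over Dcgpofix.exe because the latter discards anything added to the defaults after they were generated.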
Linking GPOs to the OU Structure
Most GPOs are normally linked to the OU structure because this provides the most flexibility and manageability:
You can move users and computers into and out of OUs.
OUs can be rearranged if necessary.
You can work with smaller groups of users who have common administrative requirements.
You can organize users and computers based on which administrators manage them.
Organizing GPOs into user- and computer-oriented GPOs can help make your Group Policy environment easier to understand and can simplify troubleshooting. However, separating the user and computer components into separate GPOs might require more GPOs. You can compensate for this by adjusting the GPO Status to disable the user or computer configuration portions of the GPO that do not apply and to reduce the time required to apply a given GPO.
Changing the GPO Link Order
Within each domain, site, and OU, the link order controls the order in which GPOs are applied. To change the precedence of a link, you can change the link order, moving each link up or down in the list to the appropriate location. Links with the lowest number have higher precedence for a given site, domain, or OU. For example, if you add six GPO links and later decide that you want the last one that you added to have the highest precedence, you can adjust the link order of the GPO link so it has link order of 1. To change the link order for GPO links for a domain, OU, or site, use GPMC.
http://technet.microsoft.com/en-us/library/cc736813.aspx
http://technet.microsoft.com/en-us/library/cc757050.aspx
What can I do to prevent inheritance from above?
In OOPS concept: declare your class as Final. A final class cannot be inherited by any other class.
Windows Server 2003 AD:
http://wiki.answers.com/Q/What_are_GPO_links_What_special_things_can_you_do_to_them
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default), and then block inheritance only on the organizational unit to which the policies should not be applied.
source=http=44technet.microsoft.com4en7us4lirary4cc(D(0D0(W1.'0).asp@
How can I override blocking of inheritance?
To enforce the Group Policy settings in a specific GPO, you can specify the No Override option. If you specify this option, policy settings in GPOs that are in lower-level Active Directory containers cannot override the policy. For example, if you define a GPO at the domain level and you specify the No Override option, the policies that the GPO contains apply to all organizational units in that domain. Lower-level organizational units will not override the policy applied at the domain level.
To block inheritance of Group Policy from parent Active Directory containers, you can specify the Block inheritance option. For example, if you specify the Block inheritance option for an organizational unit, it prevents the application of policy at that level from higher-level Active Directory containers such as a higher-level organizational unit or domain.
Be aware that the No Override option always takes precedence over the Block inheritance option.
A local GPO cannot specify the No Override or Block inheritance option.
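The link-order, Block inheritance and No Override rules described in this and the preceding answers interact in ways that are easy to get wrong, so here is an added Python model of them (written for this page, not part of the original material); the container chain, GPO names and settings are constructed sample data, and the ordering of several Enforced links follows the rule that the link highest in the hierarchy wins:

```python
"""Model of Group Policy precedence for one target container (added example).

Rules as stated in the answers above: GPOs are applied site, then domain, then
OU, then child OU, and a later GPO overrides an earlier one; within a container
link order 1 has the highest precedence (it is applied last); Block Inheritance
on a container stops non-enforced GPOs linked above it; a No Override / Enforced
link ignores Block Inheritance, is applied after everything else, and among
several Enforced links the one highest in the hierarchy wins.
All container, GPO and setting names below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPOLink:
    gpo: str                        # GPO display name
    link_order: int                 # 1 = highest precedence within the container
    enforced: bool = False          # "No Override" / Enforced flag on the link
    settings: Dict[str, str] = field(default_factory=dict)  # constructed policy values


@dataclass
class Container:
    name: str                       # site, domain or OU
    links: List[GPOLink] = field(default_factory=list)
    block_inheritance: bool = False


def application_order(chain: List[Container]) -> List[str]:
    """GPO names in the order they are applied; `chain` runs site -> domain -> OUs.

    Because later GPOs override earlier ones, the last name has the highest precedence.
    """
    # Only the deepest Block Inheritance matters: every non-enforced link above it is cut off.
    blocked_above = 0
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            blocked_above = depth

    normal: List[str] = []
    enforced: List[Tuple[int, int, str]] = []
    for depth, container in enumerate(chain):
        # Higher link-order numbers go first so that link order 1 is applied last.
        for link in sorted(container.links, key=lambda l: l.link_order, reverse=True):
            if link.enforced:
                enforced.append((depth, link.link_order, link.gpo))
            elif depth >= blocked_above:
                normal.append(link.gpo)

    # Enforced links follow all normal links. The one highest in the hierarchy
    # (smallest depth) must win, so apply the deepest first; inside one container
    # link order 1 is still applied last.
    enforced.sort(key=lambda item: (-item[0], -item[1]))
    return normal + [gpo for _, _, gpo in enforced]


def effective_settings(chain: List[Container]) -> Dict[str, str]:
    """Merge settings in application order: the last GPO to write a value wins."""
    by_name = {link.gpo: link.settings for c in chain for link in c.links}
    result: Dict[str, str] = {}
    for gpo in application_order(chain):
        result.update(by_name[gpo])
    return result


# Constructed scenario: an enforced domain baseline must reach every OU, while the
# Sales OU blocks the rest of the domain's GPOs and sets its own wallpaper.
SAMPLE_CHAIN = [
    Container("Site:Default-First-Site-Name", links=[
        GPOLink("Site Proxy", 1, settings={"proxy": "site-proxy"}),
    ]),
    Container("Domain", links=[
        GPOLink("Security Baseline", 1, enforced=True,
                settings={"min_pwd_len": "14", "wallpaper": "corp.bmp"}),
        GPOLink("Default Domain Policy", 2,
                settings={"min_pwd_len": "7", "proxy": "domain-proxy"}),
    ]),
    Container("OU=Sales", block_inheritance=True, links=[
        GPOLink("Sales Wallpaper", 1,
                settings={"wallpaper": "sales.bmp", "min_pwd_len": "8"}),
    ]),
    Container("OU=Laptops,OU=Sales", links=[
        GPOLink("Laptop Power", 1, settings={"sleep_minutes": "15"}),
    ]),
]

if __name__ == "__main__":
    for name in application_order(SAMPLE_CHAIN):
        print("applied:", name)
    print(effective_settings(SAMPLE_CHAIN))
```

In the sample the Sales block removes the site and domain GPOs, yet the enforced Security Baseline is still applied last and overrides the Sales wallpaper and password-length values.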
How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
Simply use the Group Policy Management Console, created by MS for that very purpose; it allows you to run simulated policies on computers or users to determine what policies are enforced. Link in sources.
Answer 2:
Group Policy Management Console (GPMC) can provide assistance when you need to troubleshoot GPO behaviour. It allows you to examine the settings of a specific GPO, and it can also be used to determine how your GPOs are linked to sites, domains, and OUs. The Group Policy Results report collects information on a computer and user, to list the policy settings which are enabled. To create a Group Policy Results report, right-click Group Policy Results, and select Group Policy Results Wizard on the shortcut menu. This launches the Group Policy Results Wizard, which guides you through various pages to set parameters for the information that should be displayed in the Group Policy Results report.
Gpresult.exe: click Start > Run > CMD > gpresult; this will also give you information on the applied group policies.
Source:
http://www.tech-faq.com/troubleshooting-group-policy.html
A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
Here the interviewer wants to know the troubleshooting steps:
Which GPO is applying?
Is it applying to all users and computers?
Which GPOs are implemented on the OU?
Make sure the user is not subject to a loopback policy, as with loopback policy the user settings do not take effect; only the computer policy will be applicable.
Is he a member of the GPO filter group or not?
You may also want to check the computer's event logs. If you find Event ID 1085, then you may want to download the patch to fix this and reboot the computer.
Answer 2: Start troubleshooting by running RSOP.MSC (Resultant Set of Policy) or gpresult /z to verify whether the relevant GPO actually applies to that user.
This can also be a result of a slow network; you can change the default setting by using the Group Policy MMC snap-in. This feature is enabled by default, but you can disable it by using the following policy: Administrative Templates\System\Logon\Always wait for the network at computer startup and logon.
Identify which GPOs they correspond to, and verify that they are applicable to the computer/user (based on the output of RSOP.MSC/gpresult).
Name a few differences in Vista GPOs
Not only did Windows XP Professional Service Pack 2 add plenty of settings to Group Policy; Vista is coming in with even more new settings to Group Policy. There will be approximately 2400 possible settings in a Group Policy Object that is created for a Windows Vista computer. This adds about 800 settings, which is half again as many settings compared to Windows XP Service Pack 2. Many of the settings are being added in response to customer feedback, while others are there to support new features that will be included in Vista. Some of the more important additions include those listed under the following areas.
Power Management
By far the number one area of configuration that people have wanted since the advent of Group Policy is the ability to control Power Management. Finally, Microsoft has added this capability in Windows Vista. The reasons for controlling power can provide an immediate impact for companies, since both Microsoft and the EPA have tested and reported that you can save over $50 per computer, per year by establishing power management settings on desktops. The idea is simple: there is no reason to have the computer in a full power state when the end user is not even at work. Before Vista, companies had to look at products from DesktopStandard and Full Armor to control power for Windows 2000 and XP.
Device Installation Controls
Most IT professionals that work in the area of security for their company are very concerned about removable media devices. These devices pose a looming threat to the desktop and the network as a whole. Without control over the installation and use of these devices, users can introduce viruses, worms, and other malicious applications using these media. Vista will include settings that will allow control over the installation and use of USB drives, CD-RW, DVD-RW, and other removable media.
Security Settings
In Vista, Microsoft has joined two security related technologies together: Firewall and IPSec. This makes a lot of sense, to protect computers using IPSec within the firewall. Protection can be gained for server-to-server communications over the Internet, controlling which resources a computer can access on the network based on the computer health, and resource access based on some regulatory requirement. As these security settings are important to every computer, it only makes logical sense that there are settings for them in Group Policy.
Printer Assignment Based on Location
Printer management is a nightmare for almost every company and network admin. With most companies using a brigade of laptop computers, printer management has become even more complex as the users move from building to building or campus to campus. Vista solves this issue by allowing printers to be configured based on the current Active Directory site the computer belongs to. Since Active Directory sites typically map out the geographical or physical network topology, it creates a perfect solution for delivering printers to laptop users. Before Vista, companies had to look at products from DesktopStandard and Full Armor to control printers for Windows 2000 and XP.
Redesign of ADM Templates
If you administer Group Policy for your company, you have most likely come face-to-face with an ADM template. These ADM templates were first introduced with Windows NT4, using a markup language to define and implement changes to the Registry. As Group Policy was introduced, the concept of the ADM template did not change, although some new capabilities did come along. ADM templates provide a needed method to alter Registry values, but have their problems, including:
- ADM bloat caused by the duplication of ADM templates in every GPO
- ADM template version mismatches, many times caused by the introduction of a service pack into the environment on one or more computers
- Confusing "policies" or "preferences" settings, depending on which portion of the Registry is being modified
- Inability to control multi-string or binary Registry values
Microsoft knows that ADM templates are really a stop gap for your Registry "hacking" needs, but they had done a good job until Vista. With Vista, the majority of these issues are solved by the conversion of ADM templates into a new XML-based format, as well as the introduction of a repository for the templates. The new XML-based formatted files will be called ADMX files, allowing for different languages to be addressed in a single file. The ADMX files will also take the large, bulky ADM templates and chop them up into smaller, more manageable ADMX files.
One of my favorite features of Vista is the introduction of the ADMX central store. This will provide a centralized method for updating, storing, and managing ADMX files. ADMX files will no longer need to be stored in each GPO. Instead, each GPO will look to the central store for the ADMX files. This will save space on domain controllers and will allow for easier management of these files.
Network Location Awareness
Group Policy and the application of the settings in Group Policy Objects rely heavily on the availability of the network, as well as the connection speed of the network. Vista takes a new approach to network awareness, allowing faster boot times and more reliable application of policy. The following areas of network awareness are tackled in Windows Vista:
- When a computer is booting, the time that is spent trying to apply policy even though the network is not yet available can be daunting. Vista will provide indicators to Group Policy application as to whether the NIC is enabled or disabled, as well as indications as to when the network is available.
- Vista will introduce the ability for a client to detect when a domain controller is available or when one becomes available again after a period of being offline. This is ideal for remote access connections, such as dial-up and VPNs.
- There will no longer be a reliance on ICMP (PING) for determining the connection speed to the computer. This was needed for slow network connections, but if ICMP was disabled for security reasons, the computer would reject the PING request, causing Group Policy application to fail. Now network location awareness handles the bandwidth determination, allowing policy refresh to succeed.
Name some GPO settings in the computer and user parts
A Group Policy Object (GPO) has two parts: Computer Configuration (computer settings) and User Configuration (user settings).
What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment. Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines. An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified "namespace" in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).
What's the difference between software publishing and assigning?
ANS: An administrator can either assign or publish software applications.
Assign to Users
The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the start menu, or accesses a file that has been associated with the software application.
Assign to Computers
The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.
Publish to Users
The software application does not appear on the start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in Control Panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.
Can I deploy non-MSI software with GPO?
Yes: How to Create a Third-Party MSI Package
For this process to work properly, you should start with a clean PC.
Start with a clean PC, or one that is representative of the computers in your network.
Start Discover to take a picture of the representative PC's software configuration. This is the Before snapshot.
Install a program on the PC on which you took the Before snapshot.
Reboot the PC.
Run the new program to verify that it works.
Quit the program.
Start Discover and take an After snapshot of the PC's new configuration. Discover compares the Before and the After snapshots and notes the changes. It creates a Microsoft Installer package with information about how to install that program on such a PC in the future.
(Optional) Use Veritas Software Console to customize the Microsoft Installer package.
Clean the reference computer to prepare to run Discover again.
(Optional) Perform a test installation of the program on non-production workstations.
To obtain support for Veritas Software Console, please contact Veritas.
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
Log on to a client as a Domain Admin user, change whatever you need (add printers etc.), then go to System > User Profiles and copy this user profile to any location, selecting Everyone under "Permitted to use". After the copy, rename ntuser.dat to ntuser.man (making the profile mandatory) and assign this path as the profile path in the users' account properties.
What is Active Directory?
Active Directory is the directory service used by Windows 2000. A directory service is a centralized hierarchical database that contains information about users and resources on a network. In Windows 2000, this database is called the Active Directory data store. The Active Directory data store contains information about various types of network objects, including printers, shared folders, user accounts, groups, and computers. In a Windows 2000 domain, a read/write copy of the Active Directory data store is physically located on each domain controller in the domain.
Three primary purposes of Active Directory are:
- To provide user logon and authentication services
- To enable administrators to organize and manage user accounts, groups, and network resources
- To enable authorized users to easily locate network resources, regardless of where they are located on the network
A directory service consists of two parts: a centralized hierarchical database that contains information about users and resources on a network, and a service that manages the database and enables users of computers on the network to access the database. In Windows 2008, the database is called the Active Directory data store, or sometimes just the directory. The Active Directory data store contains information about various types of network objects, including printers, shared folders, user accounts, groups, and computers. Windows 2000 Server computers that have a copy of the Active Directory data store and that run Active Directory are called domain controllers. In a Windows 2008 domain, a read/write copy of the Active Directory data store is physically located on each domain controller in the domain.
What are the physical components of Active Directory?
Logical Components of Active Directory
In creating the hierarchical database structure of Active Directory, Microsoft facilitated locating resources such as folders and printers by name rather than by physical location. These logical building blocks include domains, trees, forests, and OUs. The physical location of objects within Active Directory is represented by including all objects in a given location in its own site. Because a domain is the basic unit on which Active Directory is built, the domain is introduced first, followed by trees and forests (in which domains are located), and then OUs, which are containers located within a domain.
Domain:
A domain is a logical grouping of networked computers in which one or more of the computers has one or more shared resources, such as a shared folder or a shared printer, and in which all of the computers share a common central domain directory database that contains user account security information. One distinct advantage of using a domain, particularly on a large network, is that administration of user account security for the entire network can be managed from a centralized location. In a domain, a user has only one user account, which is stored in the domain directory database. This user account enables the user to access shared resources (that the user has permissions to access) located on any computer in the domain.
Active Directory domains can hold millions of objects, as opposed to the Windows NT domain structure, which was limited to approximately 40,000 objects. As in previous versions of Active Directory, the Active Directory database file (ntds.dit) defines the domain. Each domain has its own ntds.dit file, which is stored on (and replicated among) all domain controllers by a process called multimaster replication. The domain controllers manage the configuration of domain security and store the directory services database. This arrangement permits central administration of domain account privileges, security, and network resources. Networked devices and users belonging to a domain validate with a domain controller at startup. All computers that refer to a specific set of domain controllers make up the domain. In addition, group accounts such as global groups and domain local groups are defined on a domain-wide basis.
Trees
A tree is a group of domains that shares a contiguous namespace. In other words, a tree consists of a parent domain plus one or more sets of child domains whose names reflect that of the parent. For example, a parent domain named examcram.com can include child domains with names such as products.examcram.com, sales.examcram.com, and manufacturing.examcram.com. Furthermore, the tree structure can contain grandchild domains such as america.sales.examcram.com or europe.sales.examcram.com, and so on, as shown in Figure 1-2. A domain called que.com would not belong to the same tree. Following the inverted tree concept originated by X.500, the tree is structured with the parent domain at the top and child domains beneath it. All domains in a tree are linked with two-way transitive trust relationships; in other words, accounts in any one domain can access resources in another domain and vice versa.
Forests
A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:
- All domains in a forest share a common schema.
- All domains in a forest share a common global catalog.
- All domains in a forest are linked by implicit two-way transitive trusts.
- Trees in a forest have different naming structures, according to their domains. Domains in a forest operate independently, but the forest enables communication across the entire organization.
Organizational Unit:
An organizational unit (OU) is a container used to organize objects within one domain into logical administrative groups. An OU can contain objects such as user accounts, groups, computers, printers, applications, shared folders, and other OUs from the same domain. OUs are represented by a folder icon with a book inside. The Domain Controllers OU is created by default when Active Directory is installed, to hold new Microsoft Windows Server 2003 domain controllers. OUs can be added to other OUs to form a hierarchical structure; this process is known as nesting OUs. Each domain has its own OU structure: the OU structure within a domain is independent of the OU structures of other domains.
There are three reasons for defining an OU:
- To delegate administration: In the Windows Server 2003 operating system, you can delegate administration for the contents of an OU (all users, computers, or resource objects in the OU) by granting administrators specific permissions for an OU on the OU's access control list.
- To administer Group Policy
- To hide objects
Physical Components of Active Directory
There are two physical components of Active Directory:
- Domain Controllers
- Sites
Domain Controllers
Any server on which you have installed Active Directory is a domain controller. These servers authenticate all users logging on to the domain in which they are located, and they also serve as centers from which you can administer Active Directory in Windows Server 2008. A domain controller stores a complete copy of all objects contained within the domain, plus the schema and configuration information relevant to the forest in which the domain is located. Unlike Windows NT, there are no primary or backup domain controllers. Similar to Windows 2000 and Windows Server 2003, all domain controllers hold a master, editable copy of the Active Directory database.
Every domain must have at least one DC. A domain may have more than one DC; having more than one DC provides the following benefits:
- Fault tolerance: If one domain controller goes down, another one is available to authenticate logon requests and locate resources through the directory.
- Load balancing: All domain controllers within a site participate equally in domain activities, thus spreading out the load over several servers. This configuration optimizes the speed at which requests are serviced.
Sites
By contrast to the logical grouping of Active Directory into forests, trees, domains, and OUs, Microsoft includes the concept of sites to group together resources within a forest according to their physical location and/or subnet. A site is a set of one or more IP subnets which are connected by a high-speed, always available local area network (LAN) link. Figure 1-5 shows an example with two sites, one located in Chicago and the other in New York. A site can contain objects from more than one tree or domain within a single forest, and individual trees and domains can encompass more than one site. The use of sites enables you to control the replication of data within the Active Directory database, as well as to apply policies to all users and computers, or delegate administrative control to these objects, within a single physical location. In addition, sites enable users to be authenticated by domain controllers in the same physical location rather than a distant location as often as possible. You should configure a single site for all work locations connected within a high-speed, always available LAN link, and designate additional sites for locations separated from each other by a slower wide area network (WAN) link. Using sites permits you to configure Active Directory replication to take advantage of the high-speed connection. It also enables users to connect to a domain controller using a reliable, high-speed connection.
What are the components of Active Directory?
Object:
An object is any specific item that can be cataloged in Active Directory. Examples of objects include users, computers, printers, folders, and files. These items are classified by a distinct set of characteristics known as attributes. For example, a user can be characterized by the username, full name, telephone number, email address, and so on. Note that in general, objects in the same container have the same types of attributes but are characterized by different values of these attributes. The Active Directory schema defines the extent of attributes that can be specified for any object.
Classes
The Active Directory service, in turn, classifies objects into classes. These classes are logical groupings of similar objects, such as users. Each class is a series of attributes that define the characteristics of the object.
Schemas
The schema is a set of rules that define the classes of objects, and their attributes, that can be created in Active Directory. It defines what attributes can be held by objects of various types, which of the various classes can exist, and what object class can be a parent of the current object class. For example, the User class can contain user account objects and possess attributes such as password, group membership, home folder, and so on.
When you first install Active Directory on a server, a default schema is created, containing definitions of commonly used objects and properties such as users, computers, and groups. This default schema also contains definitions of objects and properties needed for the functioning of Active Directory.
Global catalog
A global catalog server is a domain controller that has an additional duty: it maintains a global catalog. A global catalog is a master, searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain and contains a partial replica of all objects in Active Directory for every other domain in the forest.
A global catalog server performs two important functions:
- Provides group membership information during logon and authentication
- Helps users locate resources in Active Directory
What are the protocols used by AD?
Because Active Directory is based on standard directory access protocols, such as Lightweight Directory Access Protocol (LDAP) version 3 and the Name Service Provider Interface (NSPI), it can interoperate with other directory services employing these protocols.
LDAP is the directory access protocol used to query and retrieve information from Active Directory. Because it is an industry-standard directory service protocol, programs can be developed using LDAP to share Active Directory information with other directory services that also support LDAP.
The NSPI protocol, which is used by Microsoft Exchange 4.0 and 5.x clients, is supported by Active Directory to provide compatibility with the Exchange directory.
Minimum requirements to install Windows 2003 AD?
1. An NTFS partition with enough free space
2. An Administrator's username and password
3. The correct operating system version
4. A NIC
5. Properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway)
6. A network connection (to a hub or to another computer via a crossover cable)
7. An operational DNS server (which can be installed on the DC itself)
8. A domain name that you want to use
How do you verify whether the AD installation is proper?
1. Default containers: These are created automatically when the first domain is created. Open Active Directory Users and Computers, and then verify that the following containers are present: Computers, Users, and ForeignSecurityPrincipals.
2. Default domain controllers organizational unit: Open Active Directory Users and Computers, and then verify this organizational unit.
3. Default-First-Site-Name
4. Active Directory database: The Active Directory database is your Ntds.dit file. Verify its existence in the %Systemroot%\Ntds folder.
5. Global catalog server: The first domain controller becomes a global catalog server by default. To verify this item:
a. Click Start, point to Programs, click Administrative Tools, and then click Active Directory Sites and Services.
b. Double-click Sites to expand it, expand Servers, and then select your domain controller.
c. Double-click the domain controller to expand the server contents.
d. Below the server, an NTDS Settings object is displayed. Right-click the object, and then click Properties.
e. On the General tab, you can observe a global catalog check box, which should be selected by default.
Root domain: The forest root is created when the first domain controller is installed. Verify your computer network identification in My Computer. The Domain Name System (DNS) suffix of your computer should match the domain name that the domain controller belongs to. Also, ensure that your computer registers the proper computer role. To verify this role, use the net accounts command. The computer role should say "primary" or "backup", depending on whether it is the first domain controller in the domain.
Shared system volume: A Windows 2000 domain controller should have a shared system volume located in the %Systemroot%\Sysvol\Sysvol folder. To verify this item, use the net share command. Active Directory also creates two standard policies during the installation process: the Default Domain policy and the Default Domain Controllers policy (located in the %Systemroot%\Sysvol\Domain\Policies folder). These policies are displayed as the following globally unique identifiers (GUIDs):
{31B2F340-016D-11D2-945F-00C04FB984F9} representing the Default Domain policy
{6AC1786C-016F-11D2-945F-00C04fB984F9} representing the Default Domain Controllers policy
SRV resource records: You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. Microsoft recommends that you use Microsoft DNS server, which is supplied with Windows 2000 Server, as your DNS server. However, Microsoft DNS server is not required. The DNS server that you use must support the Service Resource Record (SRV RR) Request for Comments (RFC) 2052 and the dynamic update protocol (RFC 2136). Use the DNS Manager Microsoft Management Console (MMC) snap-in to verify that the appropriate zones and resource records are created for each DNS zone. Active Directory creates its SRV RRs in the following folders:
_Msdcs/Dc/_Sites/Default-first-site-name/_Tcp
_Msdcs/Dc/_Tcp
In these locations, an SRV RR is displayed for the following services:
- _kerberos
- _ldap
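As an added check for the SRV-record step above (example written for this page, not part of the original answer), the following Python derives the owner names that the _Msdcs/Dc/_Tcp and _Msdcs/Dc/_Sites/<site>/_Tcp folders must hold for _ldap and _kerberos and reports which of them do not point at a given DC; the zone text, domain, site and host names are constructed sample data, and the input is a plain BIND-style zone export rather than DNS Manager output:

```python
"""Check the SRV records a domain controller must register (added example).

The answer above lists two DNS Manager folders that each hold an _ldap and a
_kerberos record per DC: _Msdcs/Dc/_Tcp and _Msdcs/Dc/_Sites/<site>/_Tcp.
As DNS owner names those are
    _ldap._tcp.dc._msdcs.<domain>   and   _kerberos._tcp.dc._msdcs.<domain>
    _ldap._tcp.<site>._sites.dc._msdcs.<domain>   (plus the _kerberos twin)
This script derives those names and reports which ones lack a record pointing at
a given DC on the right port. Zone dump, domain, site and hosts are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Port each service must advertise (LDAP 389, Kerberos 88).
EXPECTED_PORTS = {"_ldap": 389, "_kerberos": 88}


def expected_srv_names(domain: str, site: str) -> Set[str]:
    """Owner names AD registers under _msdcs for every DC of `domain` in `site`."""
    base = f"dc._msdcs.{domain}"
    names = set()
    for svc in EXPECTED_PORTS:
        names.add(f"{svc}._tcp.{base}".lower())                 # _Msdcs/Dc/_Tcp
        names.add(f"{svc}._tcp.{site}._sites.{base}".lower())   # _Msdcs/Dc/_Sites/<site>/_Tcp
    return names


# BIND-style SRV line: owner [ttl] IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)


def parse_srv_records(zone_text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each SRV owner name (lower-case, no trailing dot) to its (target, port) pairs."""
    records: Dict[str, List[Tuple[str, int]]] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop comments and blank lines
        m = SRV_LINE.match(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        target = m.group("target").lower().rstrip(".")
        records.setdefault(name, []).append((target, int(m.group("port"))))
    return records


def missing_srv_records(zone_text: str, domain: str, site: str, dc_host: str) -> List[str]:
    """Expected owner names with no SRV record pointing at dc_host on the expected port."""
    records = parse_srv_records(zone_text)
    dc = dc_host.lower().rstrip(".")
    missing = []
    for name in sorted(expected_srv_names(domain, site)):
        port = EXPECTED_PORTS[name.split(".", 1)[0]]   # "_ldap" or "_kerberos"
        if (dc, port) not in records.get(name, []):
            missing.append(name)
    return missing


# Constructed zone dump: dc1 registered everything, dc2 lacks its site-specific records.
SAMPLE_ZONE = """\
; constructed sample, not a real export
_ldap._tcp.dc._msdcs.corp.example.      600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example.      600 IN SRV 0 100 389 dc2.corp.example.
_kerberos._tcp.dc._msdcs.corp.example.  600 IN SRV 0 100 88  dc1.corp.example.
_kerberos._tcp.dc._msdcs.corp.example.  600 IN SRV 0 100 88  dc2.corp.example.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.example.     600 IN SRV 0 100 389 dc1.corp.example.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.example. 600 IN SRV 0 100 88  dc1.corp.example.
"""

if __name__ == "__main__":
    for host in ("dc1.corp.example", "dc2.corp.example"):
        gaps = missing_srv_records(SAMPLE_ZONE, "corp.example", "Default-First-Site-Name", host)
        print(host, "OK" if not gaps else "missing: " + ", ".join(gaps))
```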
What is LDAP?
Short for Lightweight Directory Access Protocol, a set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access. Because it's a simpler version of X.500, LDAP is sometimes called "X.500-lite".
What is FRS (File Replication Service)?
The File Replication Service (FRS) replicates specific files using the same multi-master model that Active Directory uses. It is used by the Distributed File System for replication of DFS trees that are designated as domain root replicas. It is also used by Active Directory to synchronize the content of the SYSVOL volume automatically across domain controllers. The reason the FRS service replicates the contents of the SYSVOL folder is so clients will always get a consistent logon environment when logging on to the domain, no matter which domain controller actually handles the request. When a client submits a logon request, he or she submits that request for authentication to the SYSVOL directory. A subfolder of this directory, called \scripts, is shared on the network as the netlogon share. Any logon scripts contained in the netlogon share are processed at logon time. Therefore, the FRS is responsible for all domain controllers providing the same logon directory structure to clients throughout the domain.
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes, you can connect Active Directory to other 3rd-party directory services, such as the directories used by SAP,
Domino etc., with the help of MIIS (Microsoft Identity Integration Server).
You can also use DirXML or plain LDAP to connect to other directories (e.g. eDirectory from Novell).
Where is the AD database held? What other folders are related to AD?
The AD database is saved in %systemroot%\ntds. You can see other files in this folder too. These are the main files
controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log
file (edb.log). Once written to the log file, the change is then written to the AD database. System performance
determines how fast the system writes the data to the AD database from the log file. Any time the system is shut
down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10 MB.
These files are reserved space to ensure that pending changes can still be written to disk should the system run out of
free disk space. The checkpoint file (edb.chk) records which transactions have been committed to the AD database
(ntds.dit). During shutdown a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD
determines that all transactions in the edb.log file have been committed to the AD database. If for some reason the
edb.chk file doesn't exist on reboot, or the shutdown statement isn't present, AD will replay the edb.log file to update
the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default the file is located in \NTDS along
with the other files we've discussed. (On Windows Server 2008 and later the reserved logs are named edbres00001.jrs
and edbres00002.jrs.) Note that ntds.dit holds the password hashes of every account in the domain, so backups, IFM
media and snapshots of this folder must be protected as carefully as the domain controller itself.
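As an added example (not part of the original page): locating the database and log files on a DC from the NTDS service parameters rather than assuming %systemroot%\ntds (the logs are often on a separate volume), classifying each file as described above, and listing who can read the folder. It runs on a domain controller and assumes nothing else.

```powershell
# Added example, not from the original page: find the AD database and logs from the NTDS parameters,
# classify the files described above and show who can read the folder. Run on a domain controller.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $params.'DSA Database file'            # e.g. C:\Windows\NTDS\ntds.dit
$logDir = $params.'Database log files path'      # e.g. C:\Windows\NTDS, often a separate volume
$wrkDir = $params.'DSA Working Directory'        # where edb.chk lives

$files = @(Get-Item $dbFile) +
         @(Get-ChildItem -Path $logDir, $wrkDir -File -ErrorAction SilentlyContinue |
           Sort-Object FullName -Unique |
           Where-Object { $_.Name -match '^(edb\.log|edb[0-9A-F]+\.log|edb\.chk|res[12]\.log|edbres\d+\.jrs|edbtmp\.log)$' })

$files | ForEach-Object {
    [pscustomobject]@{
        File      = $_.FullName
        SizeMB    = [math]::Round($_.Length / 1MB, 1)
        LastWrite = $_.LastWriteTime
        Role      = switch -Regex ($_.Name) {
            '^ntds\.dit$'                     { 'database (holds every account hash)' }
            '^edb\.log$'                      { 'current transaction log' }
            '^edb[0-9A-F]+\.log$'             { 'older transaction log not yet checkpointed' }
            '^edb\.chk$'                      { 'checkpoint: last log position flushed to the database' }
            '^(res[12]\.log|edbres\d+\.jrs)$' { 'reserved log space for out-of-disk situations' }
            default                           { 'other' }
        }
    }
}
# ntds.dit is locked by lsass.exe while the DC runs; "ntdsutil 'activate instance ntds' files info quit quit"
# prints the same paths and sizes. Anyone who can read the folder (or a backup of it) can extract the hashes:
(Get-Acl -Path $logDir).Access |
    Where-Object { $_.IdentityReference -notmatch 'NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Any identity printed by the last command that is not SYSTEM or Administrators is a finding: it can read the database offline (for instance from a VSS snapshot) without ever touching the directory service's own permissions.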
What is the SYSVOL folder?
The SYSVOL folder is critical because it contains the domain's public files. This directory is shared out (as SYSVOL),
and any files kept in the SYSVOL folder are replicated to all other domain controllers in the domain using the File
Replication Service (FRS). Yes, that is important to know on the exam.
The SYSVOL folder also contains the following items:
The NETLOGON share, which maps to SYSVOL\<domain>\scripts and is where logon scripts are stored for client
processing at logon time.
Windows Group Policies (the Group Policy Templates, under SYSVOL\<domain>\Policies)
FRS folders and files that must be available and synchronized between domain controllers if FRS is in use.
Distributed File System (DFS), for example, uses FRS to keep shared data consistent between replicas.
You can go to the SYSVOL folder by typing %systemroot%\sysvol on a DC.
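As an added example (not part of the original page): checking that every DC in the domain publishes the SYSVOL and NETLOGON shares with the expected content, and reporting which engine replicates SYSVOL. It assumes the ActiveDirectory RSAT module; dfsrmig.exe exists only on Windows Server 2008 and later, which the script uses as its signal.

```powershell
# Added example, not from the original page: verify the SYSVOL and NETLOGON shares on every DC and report
# whether SYSVOL is replicated by FRS or DFS-R. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory
$domain = Get-ADDomain

foreach ($dc in (Get-ADDomainController -Filter * -Server $domain.DNSRoot)) {
    $policies = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies"
    $netlogon = "\\$($dc.HostName)\NETLOGON"
    [pscustomobject]@{
        DC             = $dc.HostName
        Site           = $dc.Site
        SysvolPolicies = Test-Path $policies
        # number of GPT folders: every DC should report the same count once replication has converged
        GptCount       = if (Test-Path $policies) { (Get-ChildItem $policies -Directory).Count } else { $null }
        NetlogonShare  = Test-Path $netlogon
        LogonScripts   = if (Test-Path $netlogon) { (Get-ChildItem $netlogon -File).Count } else { $null }
    }
}

# dfsrmig /getglobalstate prints 'Eliminated' once SYSVOL has been migrated from FRS to DFS-R
# (Windows Server 2008 and later). On Windows 2000/2003 the tool does not exist and SYSVOL is always FRS.
$state = & dfsrmig.exe /getglobalstate 2>$null
if ($state) { $state } else { 'dfsrmig.exe not present: SYSVOL is replicated by FRS' }
```

A DC whose GptCount differs from the others is the one to look at with `ntfrsutl ds` (FRS) or `dfsrdiag backlog` (DFS-R) before users in its site start getting inconsistent policy.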
Name the AD NCs (naming contexts) and the replication scope of each NC
Schema NC, Configuration NC, Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the
Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration
information pertaining to the physical layout of Active Directory (sites, subnets, site links), as well as information
about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that
contains the most commonly accessed Active Directory data: the actual users, groups, computers and other objects
that reside within a particular Active Directory domain. A global catalog server additionally holds a read-only partial
replica of every other domain NC in the forest.
What are application partitions? When do I use them?
A1) An Application Directory Partition is a partition space in Active Directory which an application can use to store
application-specific data. This partition is then replicated only to specific domain controllers.
The application directory partition can contain any type of data except security principals (users, computers, groups).
A2) These are specific to Windows Server 2003 (and later) domains.
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain
controller that participates in the replication of a particular application directory partition hosts a replica of that
partition. Only domain controllers running Windows Server 2003 or later can host a replica of an application directory
partition. The best-known examples are the DomainDnsZones and ForestDnsZones partitions that hold Active
Directory-integrated DNS zones.
How do you create a new application partition?
The Dnscmd command is used to create a new application directory partition. E.g. to create a partition named
"NewPartition" on the domain controller DC1.contoso.com, log on to the domain controller and type the following
command:
Dnscmd DC1 /createdirectorypartition NewPartition.contoso.com
Partitions that are not meant for DNS can be created with ntdsutil ("domain management" on Windows Server 2003,
"partition management" on 2008 and later); every partition is described by a crossRef object under CN=Partitions in
the Configuration NC, whose msDS-NC-Replica-Locations attribute lists the DCs that hold a replica.
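As an added example (not part of the original page) covering both the naming-context question and this one: listing the three standard NCs and every NC this DC holds, then enumerating the application partitions with the DCs that hold replicas, and the commands that create one. It assumes the ActiveDirectory RSAT module; the partition name AppData and the DC dc01 in the comments are hypothetical.

```powershell
# Added example, not from the original page: list the naming contexts held by this DC, show each application
# partition with its replica DCs, and the commands that create one. Assumes the ActiveDirectory RSAT module;
# the partition AppData.contoso.com and dc01 in the comments are hypothetical.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE
"Schema NC        : $($rootDse.schemaNamingContext)"
"Configuration NC : $($rootDse.configurationNamingContext)"
"Domain NC        : $($rootDse.defaultNamingContext)"
"All NCs on $($rootDse.dnsHostName):"
$rootDse.namingContexts | ForEach-Object { "    $_" }

# Every partition has a crossRef object under CN=Partitions. systemFlags bit 0x4 (NOT_GC_REPLICATED) is set
# only on application partitions; domain NCs carry bit 0x2, the schema and configuration crossRefs only bit 0x1.
$partitions = "CN=Partitions,$($rootDse.configurationNamingContext)"
Get-ADObject -SearchBase $partitions -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=4))' `
    -Properties nCName, dnsRoot, 'msDS-NC-Replica-Locations' |
    ForEach-Object {
        [pscustomobject]@{
            Partition = $_.nCName
            DnsName   = $_.dnsRoot
            # replica locations are DNs of NTDS Settings objects: CN=NTDS Settings,CN=<DC>,CN=Servers,...
            Replicas  = @($_.'msDS-NC-Replica-Locations' | ForEach-Object { ($_ -split ',')[1] -replace '^CN=' }) -join ', '
        }
    }

# Creating partitions:
#   dnscmd dc01 /CreateDirectoryPartition AppData.contoso.com        (DNS-style name, as in the text above)
#   ntdsutil "partition management" "create nc DC=AppData,DC=contoso,DC=com dc01.contoso.com" quit quit
#   (on Windows Server 2003 the ntdsutil menu is "domain management" instead of "partition management")
#   dnscmd /EnumDirectoryPartitions                                  lists the ones the DNS server knows about
```

The replica list is the access-control question for an application partition: data placed there is readable wherever a replica exists, so an application partition is not a way to keep data off a DC in an untrusted site unless that DC is excluded from the replica set.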
How do you view replication properties for AD partitions and DCs?
By using Replication Monitor (replmon.exe from the Windows 2000/2003 Support Tools): go to Start > Run > type replmon.
Replmon was dropped in Windows Server 2008; repadmin /showrepl and repadmin /replsummary, or the
Get-ADReplication* PowerShell cmdlets, give the same information from the command line on every version.
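As an added example (not part of the original page): the command-line equivalent of what Replmon displayed, for every DC in the domain: inbound partners per partition, the last replication result, consecutive failures, and the repadmin commands that show the same. It assumes the ActiveDirectory RSAT module on Windows Server 2008 R2 or later; no names are assumed.

```powershell
# Added example, not from the original page: inbound replication state per partition for every DC,
# plus the repadmin equivalents. Assumes the ActiveDirectory RSAT module (Windows Server 2008 R2+).
Import-Module ActiveDirectory
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    # -Partition * asks for every NC the DC holds, not only the default (domain) partition
    Get-ADReplicationPartnerMetadata -Target $dc -Partition * -ErrorAction SilentlyContinue |
        Select-Object Server, Partition,
            @{n='Partner'; e={ ($_.Partner -split ',')[1] -replace '^CN=' }},   # CN=NTDS Settings,CN=<DC>,...
            LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
}
# Failures as recorded by the partner that could not be reached
Get-ADReplicationFailure -Target $dcs -ErrorAction SilentlyContinue |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError

# Command-line equivalents available on every supported version:
#   repadmin /replsummary                       one line per DC: largest delta and fail/total counts
#   repadmin /showrepl dc01 /all                per-partition inbound neighbours and last attempt status
#   repadmin /showutdvec dc01 DC=contoso,DC=com up-to-dateness vector (highest USN seen from each DC)
#   repadmin /syncall dc01 /AdeP                force replication across all partners and sites
```

A non-zero ConsecutiveReplicationFailures that keeps growing on one partner is the number to alert on; a single failure during a link outage is normal and clears on the next successful cycle.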
What is the Global Catalog?
The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog
is created automatically on the initial domain controller in the first domain in the forest. A domain controller that holds
a copy of the global catalog is called a global catalog server. You can designate any domain controller in the forest as
a global catalog server. Active Directory uses multimaster replication to replicate the global catalog information
between global catalog servers in other domains. It stores a full replica of all object attributes in the directory for its
host domain and a partial replica of all object attributes contained in the directory for every domain in the forest. The
partial replica stores attributes most frequently used in search operations (such as a user's first and last names, logon
name, and so on). Attributes are marked or unmarked for replication in the global catalog when they are defined in
the Active Directory schema. Object attributes replicated to the global catalog inherit the same permissions as in the
source domains, ensuring that data in the global catalog is secure.
Another definition of Global Catalog:
Global Catalog Server
A global catalog server is a domain controller that has an additional duty: it maintains a global catalog. A global
catalog is a master, searchable database that contains information about every object in every domain in a forest.
The global catalog contains a complete replica of all objects in Active Directory for its host domain and contains a
partial replica of all objects in Active Directory for every other domain in the forest.
A global catalog server performs two important functions:
Provides universal group membership information during logon and authentication
Helps users locate resources in Active Directory
What is schema?
The Active Directory schema defines the objects that can be stored in Active Directory. The schema is a list of definitions
that determines the kinds of objects and the types of information about those objects that can be stored in Active
Directory. Because the schema definitions themselves are stored as objects, they can be administered in the same
manner as the rest of the objects in Active Directory. The schema is defined by two types of objects: schema class
objects (also referred to as schema classes) and schema attribute objects (also referred to as schema attributes).
GC and infrastructure master should not be on the same server; why?
Unless your domain consists of only one domain controller, the infrastructure master should not be assigned to a
domain controller that is also a Global Catalog server. If the infrastructure master and Global Catalog are on
the same domain controller, the infrastructure master will not function, because it will never find data that is out of
date: it works by comparing its local phantom records for objects from other domains with a GC's copy, and when it is
itself a GC its local copy is always the GC copy. It therefore won't ever replicate cross-domain reference updates to
the other domain controllers in the domain. There are two exceptions:
If all your domain controllers are Global Catalog servers it won't matter, because all servers will
have the latest changes to the Global Catalog.
If you are implementing a single Active Directory domain, no other domains exist in the forest to
keep track of, so in effect the infrastructure master is out of a job.
Why not make all DCs in a large forest GCs?
Every GC holds a partial replica of every domain in the forest, so making every DC a GC multiplies replication traffic
and database size across the WAN, which in a large multi-domain forest is usually the deciding cost. A side effect of
keeping some DCs as non-GCs is that the infrastructure master of each domain must then be placed on one of those
non-GC DCs (see the previous question). Placing at least one GC per site, rather than on every DC, is the usual
compromise.
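As an added example (not part of the original page): a check that flags the exact misconfiguration described above: the infrastructure master hosted on a GC while some DCs in the domain are not GCs and the forest has more than one domain. It assumes the ActiveDirectory RSAT module; the DC name dc02 in the comment is hypothetical.

```powershell
# Added example, not from the original page: detect an infrastructure master placed on a GC when that matters.
# Assumes the ActiveDirectory RSAT module; dc02 in the final comment is hypothetical.
Import-Module ActiveDirectory
function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d      = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest
    $dcs    = Get-ADDomainController -Filter * -Server $d.DNSRoot
    $im     = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })   # true when every DC is a GC
    $single = @($forest.Domains).Count -eq 1

    [pscustomobject]@{
        Domain               = $d.DNSRoot
        InfrastructureMaster = $d.InfrastructureMaster
        IMIsGlobalCatalog    = [bool]$im.IsGlobalCatalog
        AllDCsAreGC          = $allGc
        SingleDomainForest   = $single
        # a problem only when the IM is a GC, not every DC is a GC, and there are other domains to track
        Misplaced            = [bool]$im.IsGlobalCatalog -and -not $allGc -and -not $single
        NonGcCandidates      = ($dcs | Where-Object { -not $_.IsGlobalCatalog } | Select-Object -ExpandProperty HostName) -join ', '
    }
}
Test-InfrastructureMasterPlacement
# To move the role onto a non-GC DC (hypothetical name dc02):
#   Move-ADDirectoryServerOperationMasterRole -Identity dc02 -OperationMasterRole InfrastructureMaster
```

Run it once per domain in the forest (pass `-Domain child.contoso.com`); the `NonGcCandidates` column lists the DCs the role can be moved to.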
Trying to look at the Schema, how can I do that?
Register schmmgmt.dll with the command regsvr32 schmmgmt.dll, then add the Active Directory Schema snap-in to an
MMC console.
What are the Support Tools? Why do I need them?
The Windows Support Tools (suptools.msi in the \Support\Tools folder of the Windows 2000 and Windows Server 2003
media) are Microsoft's additional administration and troubleshooting utilities that are not installed by default. The
ones most used with Active Directory are ADSIEdit, Replmon, Repadmin, Netdom, Ldp, Dsacls, Dcdiag and Netdiag.
From Windows Server 2008 on, most of them ship in the operating system or in the Remote Server Administration
Tools. Third-party tools such as Sysinternals' Process Monitor and DebugView are often used alongside them but are
not part of the Support Tools.
What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
LDP - Ldp.exe is a graphical LDAP client from the Support Tools. It lets you bind to a domain controller on any LDAP
port (389, 636, 3268, 3269), browse the directory tree, run searches with raw LDAP filters, view and modify attribute
values, and inspect deleted objects and the RootDSE. It is the tool to use when you need to see exactly what a
directory server returns at the protocol level.
Replmon - Replmon displays information about Active Directory replication.
ADSIEDIT - ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active
Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative
tasks such as adding, deleting and moving objects within a directory service. The attributes of each object can be
edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access
Active Directory. The following files are required to use this tool: ADSIEDIT.DLL and ADSIEDIT.MSC.
NETDOM - NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It
is used for batch management of trusts, joining computers to domains, and verifying trusts and secure channels.
REPADMIN - REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory
level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since
Exchange Server is Active Directory based. REPADMIN doesn't actually fix replication problems for you, but you can
use it to help determine the source of a malfunction.
What are the Naming Conventions used in AD?
Within Active Directory, each object has a name. When you create an object in Active Directory, such as a user or a
computer, you assign the object a name. This name must be unique within its container: two objects (regardless of
their type) cannot have the same relative distinguished name under the same parent. Logon names have their own
uniqueness rules: a sAMAccountName must be unique within the domain and a user principal name must be unique
within the forest.
At the same time that you create an object, not only do you assign a name to the object, but Active Directory also
assigns identifiers to the object. Active Directory assigns every object a globally unique identifier (GUID) and assigns
many objects a security identifier (SID). A GUID is a 128-bit value, typically written as 32 hexadecimal digits, that
uniquely identifies an object within Active Directory and never changes, even if the object is renamed or moved. A
SID is a unique number created by the Windows 2000 security subsystem that is assigned only to security principal
objects (users, groups and computers) when they are created. Windows 2000 uses SIDs to grant or deny a security
principal object access to other objects and network resources; permissions reference the SID, not the name.
Active Directory uses a hierarchical naming convention that is based on Lightweight Directory Access Protocol
(LDAP) and DNS standards.
Objects in Active Directory can be referenced by using one of three Active Directory name types:
Relative distinguished name (RDN)
Distinguished name (DN)
User principal name (UPN)
A relative distinguished name (RDN) is the name that is assigned to the object by the administrator when the
object is created. For example, when I create a user named AlanC, the RDN of that user is CN=AlanC. The RDN only
identifies an object; it doesn't identify the object's location within Active Directory. The RDN is the simplest of the
three Active Directory name types and is sometimes called the common name of the object.
A distinguished name (DN) consists of an object's RDN plus the object's location in Active Directory. The DN
supplies the complete path to the object. An object's DN includes its RDN, the name of the organizational unit(s) that
contain the object (if any), and the domain, written as DC components. For example, suppose that I create a user
named AlanC in an organizational unit called US in a domain named Exportsinc.com. The DN of this user would be:
CN=AlanC,OU=US,DC=Exportsinc,DC=com
(The same path in canonical form, as Active Directory Users and Computers displays it, is Exportsinc.com/US/AlanC.)
A user principal name (UPN) is a shortened, logon-friendly name that is typically used for logon and e-mail purposes.
A UPN consists of the user logon name plus a UPN suffix, which by default is the FQDN of the domain. Using my
previous example, the UPN for the user named AlanC would be: AlanC@Exportsinc.com
Another way you can think of a UPN is as an e-mail-style name that carries no organizational unit references at all.
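As an added example (not part of the original page): splitting a distinguished name into its RDN, parent container, domain and canonical form while honouring the RFC 4514 escaping rule (a comma inside a common name is written `\,`), followed by reading all three name types plus the GUID and SID of one account. The sample DN is constructed; the user AlanC and the domain Exportsinc.com come from the text above.

```powershell
# Added example, not from the original page: parse a DN into RDN / parent / domain / canonical name,
# then show the name types of one account. The sample DN is constructed; AlanC is the user from the text.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts = [regex]::Split($DistinguishedName, '(?<!\\),')      # commas not preceded by a backslash
    $dc    = @($parts | Where-Object { $_ -like 'DC=*' }) -replace '^DC='
    $nonDc = @($parts | Where-Object { $_ -notlike 'DC=*' }) -replace '^[A-Za-z]+=' -replace '\\,', ','
    [array]::Reverse($nonDc)                                      # canonical form lists containers top-down
    [pscustomobject]@{
        RDN       = $parts[0]
        Parent    = ($parts | Select-Object -Skip 1) -join ','
        Domain    = $dc -join '.'
        Canonical = ($dc -join '.') + '/' + ($nonDc -join '/')
    }
}
Split-DistinguishedName 'CN=Carter\, Alan,OU=Sales,OU=US,DC=Exportsinc,DC=com'
# RDN "CN=Carter\, Alan"   Parent "OU=Sales,OU=US,DC=Exportsinc,DC=com"
# Domain "Exportsinc.com"  Canonical "Exportsinc.com/US/Sales/Carter, Alan"

Import-Module ActiveDirectory
Get-ADUser -Identity 'AlanC' -Properties canonicalName |
    Select-Object @{n='RDN'; e={ 'CN=' + $_.Name }}, DistinguishedName, canonicalName,
                  UserPrincipalName, SamAccountName, ObjectGUID, SID
# The GUID and SID survive a rename or move (DN, RDN and canonicalName do not), which is why ACLs and
# application references should store objectGUID or objectSid rather than any of the three names.
```

Naive `-split ','` parsing of DNs is a recurring source of bugs in provisioning scripts; the negative look-behind above is the minimal fix, and the round-trip through canonical form shows where the escaped comma ends up.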
What are sites? What are they used for?
A site consists of one or more TCP/IP subnets, which are specified by an administrator. Additionally, if a site contains
more than one subnet, the subnets should be connected by high-speed, reliable links. Sites do not correspond to
domains: you can have two or more sites within a single domain, or you can have multiple domains in a single site. A
site is solely a grouping based on IP addresses. Figure 2-7 shows two sites connected by a slow WAN link.
The purpose of sites is to enable servers that regularly copy data to other servers (such as Active Directory
replication data) to distinguish between servers in their own site (which are connected by high-speed links) and
servers in another site (which are connected by slower WAN links). Replication between domain controllers in
the same site is fast, and typically administrators can permit Windows 2000 to perform this task automatically.
Replication between a domain controller in one site and domain controllers in other sites is slower (because it takes
place over a slow WAN link) and often should be scheduled by the administrator so that use of network bandwidth for
replication is minimized during the network's peak-activity hours.
Sites and Active Directory replication can be configured by using Active Directory Sites and Services.
Uses of sites:
Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate
changes to the Active Directory database whenever changes are made. Domain controllers in different sites
compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on
network traffic.
More specifically, sites are used to control the following:
Workstation logon traffic (the DC locator directs a client to a DC in its own site)
Replication traffic
Distributed File System (DFS) referrals
What's the difference between a site link's schedule and interval?
A site link is an object that represents a physical connection over which the replication transport (IP or SMTP) carries
changes between sites. The site link schedule defines the hours of the week during which replication over the link is
permitted at all; the interval (replication frequency, 15 minutes minimum and 180 by default) defines how often,
within the allowed schedule, the bridgehead servers poll each other for changes.
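As an added example (not part of the original page): listing every site with its subnets and DCs, then every site link with its cost, interval and whether a custom schedule is set, and finally changing the interval and cost on one link. It assumes the ActiveDirectory RSAT module; the link name HQ-Branch is hypothetical.

```powershell
# Added example, not from the original page: sites, subnets, DCs and site links with cost/interval/schedule.
# Assumes the ActiveDirectory RSAT module; the site link 'HQ-Branch' is hypothetical.
Import-Module ActiveDirectory

Get-ADReplicationSite -Filter * | ForEach-Object {
    $site = $_
    [pscustomobject]@{
        Site    = $site.Name
        Subnets = (Get-ADReplicationSubnet -Filter "Site -eq '$($site.DistinguishedName)'" |
                   Select-Object -ExpandProperty Name) -join ', '
        DCs     = (Get-ADDomainController -Filter "Site -eq '$($site.Name)'" |
                   Select-Object -ExpandProperty Name) -join ', '
    }
}
# A client whose subnet is in no site picks a DC at random from the whole domain, so every subnet should be listed.

# Interval = how often the link is polled for changes while the schedule allows replication (minimum 15 min);
# Schedule = the hours of the week in which replication over the link may occur at all (unset = always).
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, ReplicationSchedule, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{n='Sites';    e={ ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ' }},
        @{n='Schedule'; e={ if ($_.ReplicationSchedule) { 'custom' } else { 'always (default)' } }}

# Replicate hourly over the slow link and make it the least preferred path when an alternative exists
Set-ADReplicationSiteLink -Identity 'HQ-Branch' -ReplicationFrequencyInMinutes 60 -Cost 200
```

The interval is the knob that controls WAN usage during the day; the schedule is the knob that blocks replication entirely at peak hours, at the price of delaying everything, including security changes, until the window opens.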
What is replication? How does it occur in AD? What are the KCC and ISTG?
Each domain controller stores a complete copy of all Active Directory information for its domain. Domain
controllers in a domain automatically replicate directory information for all objects in the domain to each other. When
you perform an action that causes an update to Active Directory, you are actually making the change at one of the
domain controllers. That domain controller then replicates the change to all other domain controllers within the
domain. You can control replication traffic between domain controllers in the network by specifying how often
replication occurs and the amount of data that each domain controller replicates at one time. Domain controllers
immediately replicate certain important updates, such as account lockouts, DC machine account password changes
and LSA secret changes (urgent replication); user password changes are in addition pushed straight to the PDC emulator.
Active Directory uses multimaster replication, in which no one domain controller is the master domain controller.
Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory
database that can be written to. Domain controllers can hold different information for short periods of time, until all
domain controllers have synchronized changes to Active Directory.
Although Active Directory supports multimaster replication, some changes are impractical to perform in multimaster
fashion. One or more domain controllers can be assigned to perform single-master replication (operations not
permitted to occur at different places in a network at the same time). Operations master roles are special roles
assigned to one or more domain controllers in a domain to perform single-master replication.
Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a
change to the same attribute on another domain controller is completely propagated. Collisions are detected by
comparing each attribute's property version number, a number specific to an attribute that is initialized upon creation
of the attribute and incremented on every originating write. Active Directory resolves the collision by keeping the
attribute value with the higher property version number; if the versions are equal, the later originating timestamp
wins, and if those are equal too, the change from the DC with the higher invocation ID wins.
The Knowledge Consistency Checker (KCC) is the process on every domain controller that builds the replication
topology: every 15 minutes it creates and deletes the connection objects that define which DCs replicate with which.
Within a site the KCC builds a ring with extra shortcuts so that no two DCs are more than three hops apart. Between
sites, one DC per site, the Inter-Site Topology Generator (ISTG), runs the inter-site algorithm, chooses the
bridgehead servers for its site and creates the connection objects over the site links.
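As an added example (not part of the original page): reading the per-attribute replication metadata that the collision rules above operate on (version, originating time, originating DC) for one user on two DCs, so that a not-yet-converged write can be seen and forced to converge. It assumes the ActiveDirectory RSAT module on Windows Server 2008 R2 or later; the names dc01, dc02 and the user AlanC are hypothetical.

```powershell
# Added example, not from the original page: compare attribute replication metadata on two DCs.
# Assumes the ActiveDirectory RSAT module (2008 R2+); dc01, dc02 and AlanC are hypothetical.
Import-Module ActiveDirectory
$user = Get-ADUser -Identity 'AlanC'
$attrs = 'description', 'telephoneNumber', 'userAccountControl'

$meta = foreach ($dc in 'dc01', 'dc02') {
    Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dc -Properties $attrs |
        Select-Object @{n='DC'; e={ $dc }}, AttributeName, Version,
                      LastOriginatingChangeTime,
                      @{n='OriginatingDC'; e={ ($_.LastOriginatingChangeDirectoryServerIdentity -split ',')[1] -replace '^CN=' }},
                      LocalChangeUsn
}
$meta | Sort-Object AttributeName, DC | Format-Table -AutoSize

# Attributes whose Version differs between the two DCs have not converged yet
$meta | Group-Object AttributeName | Where-Object { ($_.Group.Version | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { "NOT CONVERGED: $($_.Name)" }

# When they replicate: higher Version wins, ties go to the later originating timestamp, then to the higher
# originating invocation ID. Force a full pass now rather than waiting for the schedule:
#   repadmin /syncall dc01 /AdeP
```

The `userAccountControl` row is worth keeping in the list: a version bump with an unexpected originating DC is how an attacker's account-enable or "password never expires" flip shows up in replication metadata, even after the attribute itself has been set back.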
What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
Install from Media. In Windows Server 2003 a new feature has been added, and this time it's one that will actually
make our lives easier! You can promote a domain controller using files backed up from a source domain controller.
This feature is called "Install from Media" and it's available by running DCPROMO with the /adv switch. It's not a
replacement for network replication (we still need network connectivity), but now we can use a System State backup
from another Windows Server 2003 domain controller, copy it to our future DC, and have the first, bulk replication
take place from the media instead of across the network, saving valuable time and network resources.
What you basically have to do is back up the System State of an existing domain controller, restore that backup to
your replica candidate, and use dcpromo /adv to tell it to source from local media rather than a network source.
This also works for global catalogs. If we perform a backup of a global catalog server, then we can create a new
global catalog server by performing dcpromo from that restored media.
IFM Limitations
It only works for the same domain, so you cannot back up a domain controller in domain A and create a new domain
B using that media.
It's only useful up to the tombstone lifetime (default of 60 days). So if you have an old backup, you cannot
create a new domain controller using it, because you'll run into the problem of reanimating deleted objects.
The media contains every password hash in the domain, so it must be transported and stored as securely as the
domain controller itself and destroyed once the promotion has completed.
How can you forcibly remove AD from a server, and what do you do later?
Demoting Windows Server 2003 DCs: DCPROMO (Active Directory Installation Wizard) is a toggle switch which
allows you to either install or remove Active Directory on DCs. To forcibly demote a Windows Server 2003 DC, run the
following command either at Start > Run or at the command prompt:
dcpromo /forceremoval
Note: If you're running Certificate Services on the DC, you must first remove Certificate Services before continuing. If
you specify the /forceremoval switch on a server that doesn't have Active Directory installed, the switch is ignored
and the wizard assumes that you want to install Active Directory on that server.
Once the wizard starts, you will be prompted for the Administrator password that you want to assign to the local
administrator in the SAM database. If you have Windows Server 2003 Service Pack 1 installed on the DC, you'll
benefit from a few enhancements. The wizard will automatically run certain checks and will prompt you to take
appropriate actions. For example, if the DC is a Global Catalog server or a DNS server, you will be prompted. You
will also be prompted to take an action if your DC is hosting any of the operations master roles.
Demoting Windows 2000 DCs: On a Windows 2000 domain controller, forced demotion is supported with Service
Pack 2 and later. The rest of the procedure is similar to the procedure I described for Windows Server 2003. Just
make sure that while running the wizard you clear the "This server is the last domain controller in the domain" check
box. On Windows 2000 Servers you won't benefit from the enhancements in Windows Server 2003 SP1, so if the DC
you are demoting is a Global Catalog server, you may have to manually promote some other DC to a Global Catalog
server.
Cleaning the Metadata on a Surviving DC: Once you've successfully demoted the DC, your job is not quite done
yet. Now you must clean up the Active Directory metadata. You may be wondering why you need to clean the metadata
manually. The metadata for the demoted DC is not deleted from the surviving DCs because you forced the demotion.
When you force a demotion, Active Directory basically ignores the other DCs and does its own thing. Because the other
DCs are not aware that you removed the demoted DC from the domain, the references to the demoted DC need to
be removed from the domain. Until they are, the other DCs keep trying to replicate with a partner that no longer
exists, and the dead DC's computer account and NTDS Settings object still look like a valid domain controller to the
rest of the forest.
Although Active Directory has made numerous improvements over the years, one of the biggest criticisms of Active
Directory is that it doesn't clean up the mess very well. This is obvious in most cases, but in other cases you won't
know it unless you start digging deep into the Active Directory database.
To clean up the metadata you use NTDSUTIL. The following procedure describes how to clean up metadata on
Windows Server 2003 SP1. According to Microsoft, the version of NTDSUTIL in SP1 has been enhanced
considerably and does a much better job of clean-up, which obviously means that the earlier versions didn't do a very
good job. For Windows 2000 DCs you might want to check out Microsoft Knowledge Base article 216498, "How to
remove data in Active Directory after an unsuccessful domain controller demotion."
Here's the step-by-step procedure for cleaning metadata on Windows Server 2003 DCs:
1. Log on to the DC as a Domain Administrator.
2. At the command prompt, type ntdsutil.
3. Type metadata cleanup.
4. Type connections.
5. Type connect to server servername, where servername is the name of the server you want to connect to.
6. Type quit or q to go one level up. You should be at the Metadata Cleanup prompt.
7. Type select operation target.
8. Type list domains. You will see a list of domains in the forest, each with a different number.
9. Type select domain number, where number is the number associated with the domain of your server.
10. Type list sites.
11. Type select site number, where number is the number associated with the site of your server.
12. Type list servers in site.
13. Type select server number, where number is the number associated with the server you want to remove.
14. Type quit to go to the Metadata Cleanup prompt.
15. Type remove selected server. You should see a confirmation that the removal completed successfully.
16. Type quit to exit ntdsutil.
You might also want to clean up the DNS database by deleting all DNS records related to the server.
In general you will have better luck using forced demotion on Windows Server 2003, because the naming contexts
and other objects don't get cleaned as quickly on Windows 2000 Global Catalog servers, especially servers running
Windows 2000 SP3 or earlier. Due to the nature of forced demotion and the fact that it's meant to be used only as a
last resort, there are additional things that you should know about forced demotion.
Even after you've used NTDSUTIL to clean the metadata, you may still need to do additional cleaning manually using
ADSIEdit or other such tools: the FRS member object under CN=Domain System Volume, the server's GUID CNAME
record in _msdcs, and any operations master roles the dead DC held, which must be seized by another DC.
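As an added example (not part of the original page): the same forced demotion and clean-up on Windows Server 2008 R2 and later, where ntdsutil accepts the server's DN in a single command line and PowerShell can verify what the clean-up left behind, including the DNS records and FSMO roles mentioned above. The dead DC dc03 in site Branch, its address 10.0.3.10, the surviving DC dc01 and the domain contoso.com are all hypothetical.

```powershell
# Added example, not from the original page: forced demotion and metadata clean-up on 2008 R2 and later.
# dc03 (site Branch, 10.0.3.10), dc01 and contoso.com are hypothetical names.

# On the DC being removed (it cannot reach any other DC):
#   dcpromo /forceremoval                                                           (2003 / 2008)
#   Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole `
#       -LocalAdministratorPassword (Read-Host -AsSecureString 'local Administrator password')   (2012+)

# On a surviving DC. 1) The numbered ntdsutil walk above as a single command:
ntdsutil "metadata cleanup" "remove selected server CN=DC03,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=contoso,DC=com" quit quit

# 2) Verify nothing referencing the dead DC survived.
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
$dom = Get-ADDomain
'--- server and NTDS Settings objects (should be empty)'
Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(|(objectClass=server)(objectClass=nTDSDSA))' |
    Where-Object { $_.DistinguishedName -match '(^|,)CN=DC03,' }
'--- connection objects on other DCs that still pull from it (should be empty)'
Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer |
    Where-Object { $_.fromServer -match 'CN=DC03,' } | Select-Object DistinguishedName, fromServer
'--- computer account left in the Domain Controllers OU'
Get-ADComputer -Filter "Name -eq 'DC03'" -SearchBase $dom.DomainControllersContainer
'--- FRS / DFS-R member objects'
Get-ADObject -SearchBase $dom.DistinguishedName -LDAPFilter '(|(objectClass=nTFRSMember)(objectClass=msDFSR-Member))' |
    Where-Object { $_.Name -eq 'DC03' }
'--- FSMO roles: none may still point at the dead DC (seize them if so)'
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
$dom | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 3) DNS: stale A, SRV and GUID CNAME records keep sending clients to a DC that no longer exists.
foreach ($zone in 'contoso.com', '_msdcs.contoso.com') {
    Get-DnsServerResourceRecord -ComputerName dc01 -ZoneName $zone |
        Where-Object {
            $_.RecordData.IPv4Address   -eq   '10.0.3.10' -or
            $_.RecordData.DomainName    -like 'dc03.*'    -or
            $_.RecordData.HostNameAlias -like 'dc03.*'
        } |
        Select-Object HostName, RecordType, @{n='Zone'; e={ $zone }}
    # review the list, then pipe it to:  Remove-DnsServerResourceRecord -ComputerName dc01 -ZoneName $zone -Force
}
# 4) Final check:  repadmin /replsummary ; dcdiag /test:knowsofroleholders /test:replications
```

The computer account and the KDC's knowledge of the old DC are why this matters for security as well as hygiene: until the account is gone, anyone holding the dead DC's machine credentials (which a stolen disk provides) still holds a credential the domain trusts as a domain controller.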
Can I get user passwords from the AD database?
Clear-text passwords cannot be read from the AD database: Active Directory stores only hashes, unless an account is
configured to store its password using reversible encryption. The NT hashes of every account are in ntds.dit, however,
encrypted with a key that is itself protected by the boot key in the SYSTEM registry hive, and anyone holding a copy
of both files (a backup, IFM media, a VSS snapshot, or administrative access to a DC) can extract and crack them
offline. The same hashes can be pulled over the network by any account granted the replication rights that domain
controllers use (the technique known as DCSync). Treat every copy of the database as equivalent to every password
in the domain. By the way, there is also a tool called cachedump. Using it we can extract the cached domain logon
verifiers from a Windows XP machine that is joined to a domain.
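As an added example (not part of the original page): looking on a domain controller for the two ways hashes actually leave ntds.dit: a replication pull of secrets by something that is not a DC (Security event 4662 carrying the DS-Replication-Get-Changes-All control access right) and an ntdsutil IFM copy of the database (ESENT events 325 to 327 in the Application log), plus a listing of who is currently allowed to replicate secrets. It needs "Audit Directory Service Access" enabled for 4662 to exist and assumes the ActiveDirectory RSAT module; no names are assumed.

```powershell
# Added example, not from the original page: detect DCSync-style replication by non-DCs and IFM copies
# of ntds.dit, and list who may replicate secrets. Needs DS Access auditing for 4662; RSAT AD module.
Import-Module ActiveDirectory
$replicationRights = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'    # DS-Replication-Get-Changes-All (required to read secrets)
)
$dcAccounts = Get-ADDomainController -Filter * | ForEach-Object { ($_.Name + '$').ToUpper() }

function Get-DcSyncEvents([int]$MaxEvents = 10000) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object     = $d.ObjectName
                Properties = $d.Properties          # contains the GUIDs of the access rights requested
            }
        } |
        Where-Object {
            $p = $_.Properties
            ($replicationRights | Where-Object { $p -match $_ }) -and
            ($_.Account.Split('\')[-1].ToUpper() -notin $dcAccounts)   # DCs replicate legitimately; others do not
        }
}
Get-DcSyncEvents | Format-Table -AutoSize

# IFM / offline copy: ntdsutil runs its own ESE instance and logs database create/attach/detach to the
# Application log with the destination path in the message.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ESENT'; Id = 325, 326, 327 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ntdsutil|ntds\.dit' } |
    Select-Object TimeCreated, Id, @{n='Message'; e={ ($_.Message -split "`r?`n")[0] }}

# Who is allowed to do this today? Anything that is not Domain Controllers, Enterprise Domain Controllers,
# Administrators or Enterprise/Domain Admins is a finding.
(Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)").Access |
    Where-Object { $_.ObjectType.ToString() -in $replicationRights -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference,
        @{n='Right'; e={ if ($_.ObjectType.ToString() -eq $replicationRights[1]) { 'Get-Changes-All' } else { 'Get-Changes' } }}
```

Azure AD Connect / Entra Connect service accounts legitimately hold Get-Changes-All for password hash sync; they should appear in the ACL listing and in no other place. Anything else with that right can pull every hash in the domain with a single RPC call.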
Name some OU design considerations.
Design the OU structure based on the business requirements for Active Directory (delegation of administration and
Group Policy application, rather than the org chart for its own sake)
NT resource domains may fold up into OUs
Create nested OUs to hide objects from users who have no need to see them
Objects are easily moved between OUs
Common models: by department, geographic region, job function or object type
What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. Deleted objects are kept as
tombstones for this period so that the deletion itself replicates to every DC, and so that a backup older than the
lifetime can be refused, preventing restores from reintroducing a deleted object (lingering objects). This value is in
the Directory Service object in the Configuration NC (CN=Directory Service,CN=Windows NT,CN=Services,
CN=Configuration,...). The default is 60 days in forests created with Windows 2000 or Windows Server 2003 and
180 days in forests created with Windows Server 2003 SP1 or later; no backup older than this value may be used to
restore a DC.
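As an added example (not part of the original page): reading the forest's tombstone lifetime and comparing it with the date of the last system state backup of the domain partition. A backup stamps the dSASignature attribute on the NC head, and its replication metadata is what `repadmin /showbackup` reads. It assumes the ActiveDirectory RSAT module and can be run on any DC.

```powershell
# Added example, not from the original page: tombstone lifetime versus age of the last AD backup.
# Assumes the ActiveDirectory RSAT module; run on any DC.
Import-Module ActiveDirectory
function Get-TombstoneLifetime {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    # attribute absent = legacy default of 60 days; forests created with 2003 SP1 or later are stamped 180
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}
function Get-LastDomainBackup {
    $dom  = Get-ADDomain
    # a system state backup updates dSASignature on the NC head; its originating-change time is the backup time
    $meta = Get-ADReplicationAttributeMetadata -Object $dom.DistinguishedName -Server $dom.PDCEmulator -Properties dSASignature
    $meta.LastOriginatingChangeTime
}
$tsl     = Get-TombstoneLifetime
$backup  = Get-LastDomainBackup
$ageDays = if ($backup) { [int]((Get-Date) - $backup).TotalDays } else { $null }
"Tombstone lifetime: $tsl days; last backup: $backup ($ageDays days ago)"
if ($null -eq $ageDays -or $ageDays -ge $tsl) {
    Write-Warning "No usable backup: one older than $tsl days reintroduces deleted objects and is refused by Install from Media."
}
# Raising it is forest-wide and applies to objects deleted from now on:
#   Set-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Replace @{ tombstoneLifetime = 180 }
```

Schedule the check well inside the lifetime (a warning at half the value leaves time to take a fresh backup); a forest with no backup younger than the tombstone lifetime has, for practical purposes, no backup.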
How would you find all users that have not logged on since last month?
If you are using a Windows 2003 domain environment, go to Active Directory Users and Computers, select
Saved Queries, right-click it and select New Query, then under Common Queries there is a predefined query "Days
since last logon". The query relies on the lastLogonTimestamp attribute, which is replicated but only updated when the
old value is more than 9 to 14 days stale, so treat it as accurate to about two weeks; the precise lastLogon attribute is
not replicated and must be read from every DC.
What are the DS* commands?
DSmod - modify Active Directory attributes
DSrm - delete Active Directory objects
DSmove - relocate objects
DSadd - create new accounts
DSquery - find objects that match your query attributes
DSget - list the properties of an object
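As an added example (not part of the original page) serving both questions above: finding users who have not logged on for a month with the DS* tools and with the ActiveDirectory module, showing the other DS* verbs on the same objects, and a function that reads the exact lastLogon from every DC. It assumes the ActiveDirectory RSAT module; the OU and user names in the comments are hypothetical.

```powershell
# Added example, not from the original page: inactive users via DS* tools and PowerShell, plus the exact
# per-DC lastLogon. Assumes the ActiveDirectory RSAT module; OU/user names in comments are hypothetical.

# dsquery's -inactive takes weeks, so 4 weeks is "about a month"; dsget reads properties of the DNs piped in
dsquery user -inactive 4 -limit 0 | dsget user -samid -disabled -display
# The other DS* verbs on the same objects:
#   dsadd  user "CN=Test User,OU=Staff,DC=contoso,DC=com" -samid tuser -pwd * -mustchpwd yes
#   dsmod  user "CN=Test User,OU=Staff,DC=contoso,DC=com" -disabled yes
#   dsmove      "CN=Test User,OU=Staff,DC=contoso,DC=com" -newparent "OU=Leavers,DC=contoso,DC=com"
#   dsrm        "CN=Test User,OU=Leavers,DC=contoso,DC=com" -noprompt

Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-30)
# lastLogonTimestamp is replicated but only refreshed when more than 9-14 days stale: accurate to ~2 weeks.
$stale = Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $cutoff } -Properties LastLogonTimeStamp, whenCreated |
    Where-Object { $_.whenCreated -lt $cutoff } |        # skip new accounts that simply have not logged on yet
    Select-Object SamAccountName, Enabled,
        @{n='LastLogonTimestamp'; e={ if ($_.LastLogonTimeStamp) { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }}
$stale | Sort-Object LastLogonTimestamp | Format-Table -AutoSize
# One-liner with the same semantics:  Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly

# The exact value: lastLogon is never replicated, so query every DC and keep the newest.
function Get-RealLastLogon([string]$SamAccountName) {
    Get-ADDomainController -Filter * | ForEach-Object {
        (Get-ADUser -Identity $SamAccountName -Server $_.HostName -Properties lastLogon).lastLogon
    } | Where-Object { $_ } | Measure-Object -Maximum |
        ForEach-Object { [DateTime]::FromFileTime($_.Maximum) }
}
# Get-RealLastLogon 'AlanC'
```

Disabling rather than deleting what the query returns keeps the SID (and with it the audit trail and group memberships) available for the period in which someone turns out to have been on leave.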
What's the difference between LDIFDE and CSVDE? Usage considerations?
CSVDE is a command that can be used to import and export objects to and from AD using a CSV-formatted file. A
CSV (Comma Separated Value) file is easily readable in Excel. I will not go into length on this powerful
command, but I will show you some basic samples of how to import a large number of users into your AD. Of course,
as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info. Like
CSVDE, LDIFDE is a command that can be used to import and export objects to and from AD using an LDIF-
formatted file. An LDIF (LDAP Data Interchange Format) file is easily readable in any text editor; however, it is not
readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the
fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import
and export objects. Neither tool can set a password: imported users are created disabled and must be given a
password before being enabled.
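As an added example (not part of the original page): creating two users with CSVDE, then modifying one and deleting the other with LDIFDE (the operations CSVDE cannot do), and exporting the OU back to LDIF with a filter and an attribute list. The files are constructed here; the names, the OU and the domain contoso.com are hypothetical.

```powershell
# Added example, not from the original page: CSVDE import, LDIFDE modify/delete, LDIFDE export.
# Files are constructed inline; names, the OU and contoso.com are hypothetical.
$ou = 'OU=Staff,DC=contoso,DC=com'

# CSV: first row is the attribute list; DN must be present and quoted because it contains commas.
# -k ignores "object already exists" errors so the import can be re-run.
@"
DN,objectClass,sAMAccountName,userPrincipalName,displayName
"CN=Alan Carter,$ou",user,AlanC,AlanC@contoso.com,Alan Carter
"CN=Dana Lee,$ou",user,DanaL,DanaL@contoso.com,Dana Lee
"@ | Set-Content -Path .\users.csv -Encoding ASCII
csvde -i -f .\users.csv -k

# LDIF: every record carries a changetype; '-' separates operations within one modify record,
# a blank line separates records. Imported accounts have no password and are disabled (userAccountControl 514).
@"
dn: CN=Alan Carter,$ou
changetype: modify
replace: description
description: Imported via LDIFDE
-
add: telephoneNumber
telephoneNumber: +1 555 0100
-

dn: CN=Dana Lee,$ou
changetype: delete
"@ | Set-Content -Path .\changes.ldf -Encoding ASCII
ldifde -i -f .\changes.ldf -k

# Export the OU back out: -d base, -r LDAP filter, -l attributes to include, -o attributes to omit
ldifde -f .\staff.ldf -d "$ou" -r "(objectClass=user)" -l "sAMAccountName,userPrincipalName,description" -o "objectGUID"

# Set a password and enable the account (neither tool can do this):
Import-Module ActiveDirectory
Set-ADAccountPassword -Identity AlanC -Reset -NewPassword (Read-Host -AsSecureString 'initial password')
Enable-ADAccount -Identity AlanC
```

An export with `-l` restricted to the attributes you actually need is also the safe way to hand directory data to a third party: a full `ldifde -f` dump includes attributes such as `unixUserPassword` and `msDS-AllowedToDelegateTo` that should not leave the domain.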
What is DFS?
The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network.
Instead of having to think of a specific machine name for each set of files, the user will only have to remember one
name, which will be the 'key' to a list of shares found on multiple servers on the network. Think of it as the home of all
file shares, with links that point to one or more servers that actually host those shares.
DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It
can also be installed on a cluster for even better performance and reliability.
It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.
Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files
and folders.
Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link,
they will be redirected to a shared folder.
Dfs target (or replica): A target is the actual shared folder on a server that a root or a link points to. If you have two
identical shares, normally stored on different servers, you can group them together as DFS targets under the same link.
[Figure: the folder structure a user sees when using DFS with load balancing]
What are the types of replication in DFS?
There are two types of replication:
Automatic, which is only available for domain-based DFS (FRS on Windows 2000/2003, DFS Replication from
Windows Server 2003 R2 onward)
Manual, which is all that is available for stand-alone DFS and requires all files to be replicated manually.
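As an added example (not part of the original page): enumerating a domain-based namespace root, its links (folders) and the targets behind each, the referral ordering that implements the "closest server" behaviour, and the DFS Replication groups that keep targets identical. It assumes the DFSN and DFSR RSAT modules (Windows Server 2012 and later); the namespace \\contoso.com\Shares is hypothetical.

```powershell
# Added example, not from the original page: inspect a DFS namespace and its replication.
# Assumes the DFSN and DFSR RSAT modules (2012+); \\contoso.com\Shares is hypothetical.
Import-Module DFSN, DFSR
$root = '\\contoso.com\Shares'

'--- root'
Get-DfsnRoot -Path $root | Select-Object Path, Type, State, Flags   # Flags shows 'Site Costing' when referrals are site-aware
Get-DfsnRootTarget -Path $root | Select-Object TargetPath, State    # servers that host the root

'--- links and their targets'
Get-DfsnFolder -Path "$root\*" | ForEach-Object {
    $folder = $_
    Get-DfsnFolderTarget -Path $folder.Path |
        Select-Object @{n='Link'; e={ $folder.Path }}, TargetPath, State, ReferralPriorityClass, ReferralPriorityRank
}
# Clients receive the target list ordered by AD site cost (same site first), then by priority class/rank;
# a target in state Offline is removed from referrals, which is how a server is drained before maintenance.

'--- replication groups (domain namespaces only; stand-alone roots have no engine)'
Get-DfsReplicationGroup | ForEach-Object {
    $rg = $_
    Get-DfsrMembership -GroupName $rg.GroupName |
        Select-Object @{n='Group'; e={ $rg.GroupName }}, ComputerName, FolderName, ContentPath, Enabled, ReadOnly
}
# Backlog between two members of a group tells you whether the targets a client may be sent to are identical:
#   dfsrdiag backlog /rgname:<group> /rfname:<folder> /smem:<server1> /rmem:<server2>
```

A link whose targets are on different servers but in no replication group is the configuration to look for in a review: users in different sites are then silently reading different copies of "the same" folder.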
Which service is responsible for replicating files in the SYSVOL folder?
The File Replication Service (FRS) on Windows 2000 and Windows Server 2003; DFS Replication (DFSR) once
SYSVOL has been migrated with dfsrmig on Windows Server 2008 or later.
What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication topology to
take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites
contain objects called Subnets.
Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active
Directory replication and manage network link traffic.
Sites can be linked to other sites. Site link objects may be assigned a cost value that represents the
speed, reliability, availability or other real property of a physical resource. Site links may also be
assigned a schedule.
Trying to look at the Schema, how can I do that?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> Add Snap-in --> Active Directory Schema
Save it as schema.msc
Open Administrative Tools --> schema.msc
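As an added example (not part of the original page): reading the schema directly with LDAP queries instead of the snap-in: which attributes of a class are replicated to the global catalog, which are marked confidential, the definition of the `user` class, and who is allowed to change the schema. It assumes the ActiveDirectory RSAT module and no specific names.

```powershell
# Added example, not from the original page: query the schema partition directly.
# Assumes the ActiveDirectory RSAT module; run from any domain member with RSAT.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

'--- attributes in the partial attribute set (what a GC holds for other domains)'
Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object

'--- confidential attributes (searchFlags bit 0x80): readable only with CONTROL_ACCESS, not plain Read'
Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object

'--- the user class: mandatory and optional attributes, including inherited system ones'
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties mustContain, systemMustContain, mayContain, systemMayContain, subClassOf |
    Select-Object Name, subClassOf,
        @{n='Must';     e={ (@($_.mustContain) + @($_.systemMustContain)) -join ',' }},
        @{n='MayCount'; e={ (@($_.mayContain) + @($_.systemMayContain)).Count }}

'--- who can change the schema: Schema Admins, and only on the schema master'
Get-ADGroupMember -Identity 'Schema Admins' | Select-Object Name, objectClass
"Schema master: $((Get-ADForest).SchemaMaster)"
# Schema changes are forest-wide and cannot be undone (classes and attributes can only be made defunct),
# so Schema Admins should be empty except while an extension is being applied.
```

The confidential-attribute query is the one to run before an application is allowed to store anything sensitive in a custom attribute: without bit 0x80, every authenticated user can read it through the default Read permission on user objects.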
What is the port number of Kerberos?
88
What is the port number of the Global Catalog?
3268 (3269 for the Global Catalog over SSL/TLS)
What is the port number of LDAP?
389 (636 for LDAPS)
Explain the Active Directory Schema
Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called the "Schema".
The Schema is defined as the formal definition of all object classes, and the attributes that make up those
object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database
includes a default Schema, which defines many object classes such as users, groups, computers,
domains, organizational units and so on.
These objects are also known as "Classes". The Active Directory Schema is dynamically extensible,
meaning that you can modify the schema by defining new object types and their attributes and by defining
new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included
with Windows 2000/2003 Server or programmatically.
How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD
database?
With dcpromo /forceremoval an administrator can forcibly remove Active Directory and roll back
the system without having to contact or replicate any locally held changes to another DC in
the forest. Reboot the server. After you use the dcpromo /forceremoval command, all
the remaining metadata for the demoted DC is not deleted on the surviving domain
controllers, and therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to
manually remove the NTDS Settings object. You will need the following tools: Ntdsutil.exe, Active Directory
Sites and Services, Active Directory Users and Computers.
What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) roles. Currently there are five FSMO roles. The first domain controller
installed in the forest holds all five by default; the first DC of each additional domain holds that domain's three
domain-wide roles.
Schema master (one per forest): the only DC that accepts schema changes. If it is down, the schema cannot be
extended (for example to prepare for Exchange or a newer Windows version); nothing else is affected.
Domain naming master (one per forest): the only DC that adds or removes domains and application partitions in
the forest. If it is down, no domains can be added or removed.
RID master (one per domain): hands out pools of relative identifiers to each DC so that new SIDs are unique. If it is
down, DCs that exhaust their current pool can no longer create users, groups or computers.
PDC emulator (one per domain): authoritative time source for the domain, receives urgent replication of password
changes and account lockouts and is consulted on bad-password logons, is the default target for Group Policy
editing, and acts as the PDC for downlevel clients and BDCs. Its loss is noticed first: password changes take longer
to take effect, logons with a just-changed password may fail, and time skew can break Kerberos.
Infrastructure master (one per domain): updates the cross-domain group membership references (phantoms) when
objects in other domains are renamed or moved. If it is down, group memberships that span domains display stale
names; there is no impact in a single-domain forest or when every DC is a GC.
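As an added example (not part of the original page): listing the holder of each of the five roles, testing that each holder is reachable, and the transfer and seize commands. It assumes the ActiveDirectory RSAT module; dc02 in the comments is a hypothetical target DC.

```powershell
# Added example, not from the original page: FSMO holders, reachability, transfer and seizure.
# Assumes the ActiveDirectory RSAT module; dc02 is a hypothetical target.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster          # one per forest
    DomainNamingMaster   = $forest.DomainNamingMaster    # one per forest
    PDCEmulator          = $domain.PDCEmulator           # one per domain
    RIDMaster            = $domain.RIDMaster             # one per domain
    InfrastructureMaster = $domain.InfrastructureMaster  # one per domain
}
foreach ($r in $roles.GetEnumerator()) {
    [pscustomobject]@{
        Role   = $r.Key
        Holder = $r.Value
        Online = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
        # a DC must agree with the forest about who holds the role; dcdiag /test:knowsofroleholders checks all DCs
    }
}
# Same listing on any version:  netdom query fsmo

# Transfer (current holder online; graceful, the old holder learns it no longer has the role):
#   Move-ADDirectoryServerOperationMasterRole -Identity dc02 -OperationMasterRole PDCEmulator, RIDMaster
# Seize (holder permanently lost). Never bring the old holder back online afterwards, or two DCs will
# believe they own the role; for the RID master that means duplicate SIDs:
#   Move-ADDirectoryServerOperationMasterRole -Identity dc02 -OperationMasterRole RIDMaster -Force
```

The comment about the RID master is the reason seizure is a last resort: a seized RID master and a resurrected old one can both hand out overlapping RID pools, and the resulting duplicate SIDs are a permission problem that is very hard to unwind.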
What is a domain tree?
Domain Trees: A domain tree comprises several domains that share a common schema and
configuration, forming a contiguous namespace. Domains in a tree are also linked together by two-way transitive
trust relationships. Active Directory is a set of one or more trees.
Trees can be viewed two ways. One view is the trust relationships between domains. The other view is
the namespace of the domain tree.
What is a forest?
A collection of one or more domain trees with a common schema and implicit trust relationships between
them. This arrangement would be used if you have multiple root DNS namespaces. The forest, not the domain, is
the security boundary: an administrator of any domain in the forest can, with enough effort, take control of every
other domain in it.
GHow to ,elect the Appropriate .estore 5ethod '
Lou select the appropriate restore method by considering:
2ircumstances and characteristics o! the !ailure. The two ma"or categories o! !ailure (rom an Active
Directory perspective are Active Directory data corruption and hardware !ailure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated
to all domain controllers or when a large portion o! the Active Directory hierarchy has been changed
accidentally $such as deletion o! an 8/% and this change has replicated to other domain controllers.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup
Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-
peer read and write relationship that hosts copies of the Active Directory.
What is the Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest
or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there
was typically one GC in every site in order to prevent user logon failures across the network.
How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account
and individual user lockout policies, changes to password policies, changes to computer account
passwords, and modifications to the Local Security Authority (LSA).
When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct
namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations
merge or are acquired and naming continuity is desired. Organizations form partnerships and joint
ventures. While access to common resources is desired, a separately defined tree can enforce more
direct administrative and security restrictions.
Describe the process of working with an external domain name.
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use
a stand-alone internal domain. This way, your internal and external domain names are unrelated. For
example, an organization that uses the domain name contoso.com for its external namespace uses the
name corp.internal for its internal namespace.
The advantage of this approach is that it provides you with a unique internal domain name. The
disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a
stand-alone internal domain that is unrelated to your external domain might create confusion for users,
because the namespaces do not reflect a relationship between resources within and outside of your
network.
In addition, you might have to register two DNS names with an Internet name authority if you want to
make the internal domain publicly accessible.
How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services, and nslookup gc._msdcs.
To find the GCs from the command line you can try using the DSQUERY command:
dsquery server -isgc    (finds all the GCs in the forest)
or you can try dsquery server -forest -isgc

What are the physical components of Active Directory?
Domain controllers and Sites. Domain controllers are physical computers that run a Windows
Server operating system and the Active Directory database. Sites are network segments based on
geographical location, and each site contains one or more domain controllers.
What are the logical components of Active Directory?
Domains, Organizational Units, trees and forests are the logical components of Active Directory.
What are the Active Directory Partitions?
The Active Directory database is divided into different partitions, such as the Schema partition, Domain partition
and Configuration partition. Apart from these partitions we can create Application partitions based on the
requirement.
What is group nesting?
Adding one group as a member of another group is called "group nesting". This helps with easy
administration and reduced replication traffic.
What is the feature of a Domain Local Group?
Domain local groups are mainly used for granting access to network resources. A Domain local group can
contain accounts from any domain, global groups from any domain and universal groups from any
domain. For example, if you want to grant permission to a printer located in Domain A to 10 users from
Domain B, then create a Global group in Domain B and add all 10 users into that Global group. Then
create a Domain local group in Domain A and add the Global group of Domain B to the Domain local group of
Domain A; then add the Domain local group of Domain A to the security ACL of the printer (in Domain A).
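The nesting rules and the printer scenario above, as an added example that is not part of the original page or of any Microsoft tooling: a small Python model of AD group scopes that rejects memberships the scope rules forbid and flattens nested groups into the users who end up with access. The domain names, group names and the ten constructed user accounts are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)          # identity-based hashing so principals can live in sets
class Principal:
    name: str
    domain: str
    scope: str = "user"       # "user", "global", "domainlocal" or "universal"
    members: set = field(default_factory=set)   # direct members, only meaningful for groups

def can_contain(group: Principal, member: Principal) -> bool:
    """AD group-scope nesting rules: may `member` be a direct member of `group`?"""
    same_domain = group.domain == member.domain
    if group.scope == "global":
        # global groups only take users and global groups from their own domain
        return member.scope in ("user", "global") and same_domain
    if group.scope == "universal":
        # universal groups take users, global and universal groups from any domain
        return member.scope in ("user", "global", "universal")
    if group.scope == "domainlocal":
        # accounts, global and universal groups from any domain, plus
        # domain local groups from the same domain
        if member.scope in ("user", "global", "universal"):
            return True
        return member.scope == "domainlocal" and same_domain
    return False

def add_member(group: Principal, member: Principal) -> None:
    if not can_contain(group, member):
        raise ValueError(f"{group.scope} group {group.name} ({group.domain}) cannot contain "
                         f"{member.scope} {member.name} ({member.domain})")
    group.members.add(member)

def effective_users(group: Principal) -> set:
    """Flatten nested groups into the set of user names that receive the group's access."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:                 # guards against circular nesting
            continue
        seen.add(g)
        for m in g.members:
            if m.scope == "user":
                users.add(f"{m.domain}\\{m.name}")
            else:
                stack.append(m)
    return users

def printer_scenario() -> set:
    """The answer's example: 10 users from domain B get access to a printer in domain A."""
    users_b = [Principal(f"user{i:02d}", "B") for i in range(1, 11)]   # constructed accounts
    g_print_b = Principal("G-PrintUsers", "B", "global")
    for u in users_b:
        add_member(g_print_b, u)
    dl_printer_a = Principal("DL-Printer01-Print", "A", "domainlocal")
    add_member(dl_printer_a, g_print_b)      # global group from another domain: allowed
    printer_acl = {dl_printer_a}             # the only ACE on the printer names the domain local group
    return {u for g in printer_acl for u in effective_users(g)}
```

Granting the printer ACE to the domain local group rather than to the global group keeps the resource's ACL stable while membership churns in the other domain; `can_contain` is what makes a user-in-global, global-in-domain-local design the only layout the model accepts for cross-domain access.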
How will you take an Active Directory backup?
Active Directory is backed up along with the System State data. System state data includes the local registry,
COM+, boot files, NTDS.DIT and the SYSVOL folder. System state can be backed up either using Microsoft's
default NTBACKUP tool or third-party tools such as Symantec NetBackup, IBM Tivoli Storage Manager,
etc.
What is the Lost and Found Container?
In the multimaster replication method, replication conflicts can happen. Objects with replication conflicts will
be stored in a container called the "Lost and Found" container. This container is also used to store orphaned
user accounts and other objects.
Do we use clustering in Active Directory? Why?
No one installs Active Directory in a cluster. There is no need to cluster a domain controller, because
Active Directory provides total redundancy with two or more servers.
What is the Active Directory Recycle Bin?
The Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally
deleted Active Directory objects without using a backed-up AD database, rebooting a domain controller or
restarting any services.
What is an RODC? Why do we configure an RODC?
A Read-only domain controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC is a
read-only copy of the Active Directory database and it can be deployed in a remote branch office where
physical security cannot be guaranteed. An RODC provides improved security and faster logon time
for the branch office.
How do you check the current forest and domain functional levels? Say both GUI and command line.
To find out the forest and domain functional levels in GUI mode, open ADUC, right-click on the domain name
and open Properties. Both domain and forest functional levels will be listed there. To find out the forest and
domain functional levels from the command line you can use the DSQUERY command.
Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos 5.
Name a few port numbers related to Active Directory.
Kerberos 88, LDAP 389, DNS 53, SMB 445
What is an FQDN?
FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of the domain name system
which points to a device in the domain at its left-most end. For example in system.
Have you heard of ADAC?
ADAC - Active Directory Administrative Center is a new GUI tool that came with Windows Server 2008 R2,
which provides an enhanced data management experience to the admin. ADAC helps administrators to
perform common Active Directory object management tasks across multiple domains with the same ADAC
instance.
How many objects can be created in Active Directory? (both 2003 and 2008)
As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
Explain the process between a user providing his domain credentials to his workstation and the desktop
being loaded. Or: how does AD authentication work?
When a user enters a user name and password, the computer sends the user name to the KDC. The
KDC contains a master database of unique long-term keys for every principal in its realm. The KDC looks
up the user's master key (KA), which is based on the user's password. The KDC then creates two items:
a session key (SA) to share with the user, and a Ticket-Granting Ticket (TGT). The TGT includes a second
copy of the SA, the user name and an expiration time. The KDC encrypts this ticket by using its own
master key (KKDC), which only the KDC knows. The client computer receives the information from the
KDC and runs the user's password through a one-way hashing function, which converts the password
into the user's KA. The client computer now has a session key and a TGT so that it can securely
communicate with the KDC. The client is now authenticated to the domain and is ready to access other
resources in the domain by using the Kerberos protocol.
What Is Urgent Replication And When Is It Used?
You probably know how Active Directory core replication works. When an object is changed, the
source DC, the one that serviced the change request, notifies its direct replication neighbours that there
was a change to some object. The neighbours then start the replication process by requesting the changes
made since the last replication.
Important to know is that there is a "notification delay" between the actual change to the objects in the
directory and the notification sent to the replication partners. Server 2003 DCs wait 15 seconds before
they fire out the change notification. This delay is there to send only one change notification once the
change transaction to the object is done. If there are multiple changes made to an object, let's say the
phone number, the home town and the employeeID of a user, and the changes were made 1 second
apart, we only send one change notification for those three changes. If there were no notification
delay and we waited a second between the changes to a user's attributes, the source DC would be sending
three change notifications to its partners. Too much traffic there! Note that the default change notification
delay in Windows 2000 was 5 minutes (the numbers may differ depending on installation type (upgrade
from 2000 to 2003, forest functional level…).
Given that fact, one can think of several scenarios which may lead to "problems" since the change to the
directory is not replicated right away: user password changes, user lockout, password policy changed…
For this reason there's urgent replication. Urgent replication works in the same way "normal" replication
does, but has no notification delay of a few seconds/minutes. That makes "urgent" changes that need to
be distributed throughout the sites and DCs reach all edges more quickly. Urgent replication takes place
in the following cases:
The password policy or account lockout policy of a domain has changed
The LSA secret has changed (that's used for the "secure channels" between machines and DCs,
and trusts)
A user or computer is locked out due to a failed logon attempt (in this case the urgent replication
is used to notify the DC with the PDC emulator role first and then all others)
The RID master has changed
So, if one of the mentioned events takes place, urgent replication takes place and there's no
notification delay prior to the change notification of neighbour DCs.
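The notification delay and the urgent exceptions above, as an added example that is not part of the original page or of Windows itself: a discrete-event model in Python of one source DC. Ordinary edits open a 15-second window and are coalesced into one notification; urgent kinds are sent at once, with a lockout going to the PDC emulator first. The DC names, the attribute names and the "kind" labels are assumptions made for the simulation.

```python
from dataclasses import dataclass, field
from typing import Optional

NOTIFICATION_DELAY = 15     # seconds; the Server 2003 default quoted in the answer
URGENT_KINDS = {"password-policy", "lockout-policy", "lsa-secret", "lockout", "rid-master"}

@dataclass
class Change:
    time: int
    obj: str
    kind: str      # "attribute" for ordinary edits, otherwise one of URGENT_KINDS
    attr: str

@dataclass
class SourceDC:
    name: str
    partners: list
    pdc_emulator: str
    delay: int = NOTIFICATION_DELAY
    timer_started: Optional[int] = None               # when the current notification window opened
    batched: list = field(default_factory=list)       # objects changed inside that window
    notifications: list = field(default_factory=list) # (time, urgent, objects, recipients)

    def apply(self, change: Change) -> None:
        if change.kind in URGENT_KINDS:
            # urgent: notify immediately; a lockout goes to the PDC emulator first
            order = list(self.partners)
            if change.kind == "lockout":
                order = [self.pdc_emulator] + [p for p in self.partners if p != self.pdc_emulator]
            self.notifications.append((change.time, True, [change.obj], order))
            return
        if self.timer_started is None:                # first ordinary change opens the window
            self.timer_started = change.time
        self.batched.append(change.obj)

    def tick(self, now: int) -> None:
        # once the delay has elapsed, one notification covers every change in the window
        if self.timer_started is not None and now - self.timer_started >= self.delay:
            self.notifications.append((self.timer_started + self.delay, False,
                                       sorted(set(self.batched)), list(self.partners)))
            self.timer_started, self.batched = None, []

def run_scenario(delay: int = NOTIFICATION_DELAY) -> list:
    """Three edits to one user a second apart, then a lockout of another user at t=5."""
    dc = SourceDC("DC01", partners=["DC02", "DC03"], pdc_emulator="DC02", delay=delay)
    events = [Change(0, "cn=alice", "attribute", "telephoneNumber"),
              Change(1, "cn=alice", "attribute", "l"),
              Change(2, "cn=alice", "attribute", "employeeID"),
              Change(5, "cn=bob", "lockout", "lockoutTime")]
    now = 0
    for ch in events:
        while now < ch.time:
            now += 1
            dc.tick(now)
        dc.apply(ch)
        dc.tick(now)
    while now < 30:
        now += 1
        dc.tick(now)
    return dc.notifications
```

Running `run_scenario()` yields two notifications: the lockout at t=5 (PDC emulator first) and a single batched one at t=15 for all three edits to alice; `run_scenario(0)` shows the "no delay" case the answer warns about, where the same edits produce three separate notifications.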
Which FSMO role directly impacts the consistency of Group Policy?
PDC Emulator.
I want to promote a new additional Domain Controller in an existing domain. Which groups should I be
a member of?
You should be a member of the Enterprise Admins group or the Domain Admins group. Also you should be a
member of the local Administrators group of the member server which you are going to promote as an additional
Domain Controller.
Tell me one easy way to check all the 5 FSMO roles.
Use the netdom query /domain:YourDomain FSMO command. It will list the domain controllers holding all
the FSMO roles.
What is a Realm trust?
Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an
Active Directory domain.
Name a few Active Directory built-in groups
SID: S-1-5-32-544 - Name: Administrators - Description: A built-in group. After the initial
installation of the operating system, the only member of the group is the Administrator account.
When a computer joins a domain, the Domain Admins group is added to the Administrators
group. When a server becomes a domain controller, the Enterprise Admins group also is added
to the Administrators group.
SID: S-1-5-32-548 - Name: Account Operators - Description: A built-in group that exists only on
domain controllers. By default, the group has no members. By default, Account Operators have
permission to create, modify, and delete accounts for users, groups, and computers in all
containers and organizational units of Active Directory except the Builtin container and the
Domain Controllers OU. Account Operators do not have permission to modify the Administrators
and Domain Admins groups, nor do they have permission to modify the accounts for members of
those groups.
SID: S-1-5-32-549 - Name: Server Operators - Description: A built-in group that exists only on
domain controllers. By default, the group has no members. Server Operators can log on to a
server interactively; create and delete network shares; start and stop services; back up and
restore files; format the hard disk of the computer; and shut down the computer.
SID: S-1-5-32-550 - Name: Print Operators - Description: A built-in group that exists only on
domain controllers. By default, the only member is the Domain Users group. Print Operators can
manage printers and document queues.
SID: S-1-5-32-551 - Name: Backup Operators - Description: A built-in group. By default, the
group has no members. Backup Operators can back up and restore all files on a computer,
regardless of the permissions that protect those files. Backup Operators also can log on to the
computer and shut it down.
In a domain environment, these groups are present and are used for administrative purposes.
SID: S-1-5-21<domain>-512 - Name: Domain Admins - Description: A global group whose
members are authorized to administer the domain. By default, the Domain Admins group is a
member of the Administrators group on all computers that have joined a domain, including the
domain controllers. Domain Admins is the default owner of any object that is created by any
member of the group.
SID: S-1-5-21<root domain>-518 - Name: Schema Admins - Description: A universal
group in a native-mode domain; a global group in a mixed-mode domain. The group
is authorized to make schema changes in Active Directory. By default, the only
member of the group is the Administrator account for the forest root domain.
SID: S-1-5-21<root domain>-519 - Name: Enterprise Admins - Description: A universal
group in a native-mode domain; a global group in a mixed-mode domain. The group is
authorized to make forest-wide changes in Active Directory, such as adding child
domains. By default, the only member of the group is the Administrator account for the
forest root domain.
SID: S-1-5-21<domain>-520 - Name: Group Policy Creator Owners - Description: A global
group that is authorized to create new Group Policy objects in Active Directory. By
default, the only member of the group is Administrator.

1. What are the important Windows port numbers?

RDP - 3389 - (Remote Desktop Protocol)
FTP - 21 - (File Transfer Protocol)
TFTP - 69 - (Trivial File Transfer Protocol)
Telnet - 23
SMTP - 25 - (Simple Mail Transfer Protocol)
DNS - 53 - (Domain Name System)
DHCP - 68 - (Dynamic Host Configuration Protocol)
POP3 - 110 - (Post Office Protocol 3)
HTTP - 80
HTTPS - 443
NNTP - 119 - (Network News Transfer Protocol)
NTP - 123 - (Network Time Protocol and SNTP)
IMAP - 143 - (Internet Message Access Protocol)
SSMTP - 465 - (SMTP over SSL)
SIMAP - 993 - (IMAP over SSL)
SPOP3 - 995 - (POP3 over SSL)
Time - 123 - (NTP, Network Time Protocol and SNTP port number)
NetBios - 137 - (Name Service)
NetBios - 139 - (Datagram Service)
DHCP Client - 546
DHCP Server - 547
Global Catalog - 3268
LDAP - 389 - (Lightweight Directory Access Protocol)
RPC - 135 - (Remote Procedure Call)
Kerberos - 88
SSH - 22 - (Secure Shell)
2. How to check the tombstone lifetime value in your Forest
The tombstone lifetime value differs from OS to OS. For Windows Server 2000/2003 it's 60 days. In Windows
Server 2003 SP1 the default tombstone lifetime (TSL) value was increased from 60 days to 180 days; again,
in Windows Server 2003 R2 the TSL value was decreased to 60 days; for Windows Server 2003 R2 SP2
and Windows Server 2008 it's 180 days.
If you are migrating a Windows 2003 environment to Windows 2008 then it's 60 days.
You can use the command below to check/view the current tombstone lifetime value for your
Domain/Forest:
dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,<forestDN>" -scope base -attr tombstonelifetime
Replace forestDN with your domain partition DN; for domainname.com the DN would be
dc=domainname,dc=com
Source: http://technet.microsoft.com/en-us/library/cc784932(WS.10).aspx
3. How to find the domain controller that contains the lingering object
If we enable Strict Replication Consistency:
Lingering objects are not present on domain controllers that log Event ID 1988. The source domain
controller contains the lingering object.
If we don't enable Strict Replication Consistency:
Lingering objects are not present on domain controllers that log Event ID 1388. The domain controller that
doesn't log Event ID 1388 is the domain controller that contains the lingering object.
If you have 100 domain controllers that don't have Strict Replication Consistency enabled, then you will get
Event ID 1388 on all the 99 domain controllers except the one that contains the lingering object.
You need to remove the lingering objects from the affected domain controller, or decommission that domain
controller.
You can use the Event Comb tool (Eventcombmt.exe), a multi-threaded tool that can be used to gather
specific events from the Event Viewer logs of different computers at the same time.
You can download these tools from the following location:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en
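The two rules above turned into triage logic, as an added example that is not part of the original page or of the Event Comb tool: a Python script that reads constructed EventComb-style rows (logging DC, log name, event ID, message) and names the DC that still holds the lingering object under either consistency setting. The DC names are constructed, and the "Source DC: <name>" phrase used to pull the source out of the 1988 record is an assumption about the message format, not the real event text.

```python
import re

STRICT_EVENT, LOOSE_EVENT = 1988, 1388
# Assumed message format for the constructed rows below; the real Event 1988 text
# names the source DC in its own wording, so adapt this pattern to the actual log.
SOURCE_RE = re.compile(r"Source DC:\s*(\S+)")

def eventcomb_rows(dcs: list, event_id: int, source: str) -> str:
    """Constructed EventComb-style export: logging DC, log, event id, message (tab-separated)."""
    return "\n".join(
        f"{dc}\tNTDS Replication\t{event_id}\tLingering object reported. Source DC: {source}"
        for dc in dcs if dc != source)

def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dc, _log, event_id, message = line.split("\t", 3)
        events.append({"dc": dc, "event_id": int(event_id), "message": message})
    return events

def locate_lingering_dc(all_dcs: list, events: list, strict_consistency: bool) -> list:
    """Apply the answer's two rules to a set of collected events."""
    if strict_consistency:
        # every DC that logged 1988 rejected the object; the DC it names as the
        # source is the one that still holds it
        sources = set()
        for e in events:
            if e["event_id"] == STRICT_EVENT:
                m = SOURCE_RE.search(e["message"])
                if m:
                    sources.add(m.group(1))
        return sorted(sources)
    # with loose consistency every DC that accepted the object logs 1388;
    # the one that never logged it is the one that still holds the object
    loggers = {e["dc"] for e in events if e["event_id"] == LOOSE_EVENT}
    if not loggers:
        return []          # no 1388 anywhere: nothing to conclude from these events
    return sorted(set(all_dcs) - loggers)

def sample_run(strict_consistency: bool) -> list:
    """Four constructed DCs, with DC03 holding the lingering object."""
    dcs = ["DC01", "DC02", "DC03", "DC04"]
    event_id = STRICT_EVENT if strict_consistency else LOOSE_EVENT
    events = parse_events(eventcomb_rows(dcs, event_id, "DC03"))
    return locate_lingering_dc(dcs, events, strict_consistency)
```

The loose-consistency branch is only as good as the DC inventory passed in: a DC that is offline or unreachable by Event Comb also "never logs 1388", so compare the result against known replication failures before decommissioning anything.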
4. What are the Active Directory ports?
List of Active Directory ports for Active Directory replication and Active Directory authentication; these ports
can be used to configure the firewall.
Active Directory replication: There is no defined port for Active Directory replication. Active Directory
replication remote procedure calls (RPC) occur dynamically over an available port through RPCSS (RPC
Endpoint Mapper) by using port 135.
File Replication Services (FRS): There is no defined port for FRS. FRS replication over remote
procedure calls (RPCs) occurs dynamically over an available port by using RPCSS (RPC Endpoint
Mapper) on port 135.
Other required ports for Active Directory
TCP 53 - DNS (DNS Download)
UDP 53 - DNS (DNS Queries)
TCP 42 - WINS
UDP 42 - WINS
TCP 3389 - RDP (Remote Desktop)
TCP 135 - MS-RPC
TCP 1025 & 1026 - AD Login & replication
TCP 389 - LDAP
TCP 639 - LDAP over SSL/TLS
TCP 3268 - Global Catalog
TCP 3268 - Global Catalog over SSL/TLS
UDP 137 & 138 - NetBIOS related
UDP 88 - Kerberos v5
TCP 445 - SMB Microsoft-ds
TCP 139 - SMB
5. How to do Active Directory health checks?
As an administrator you have to check your Active Directory health daily to reduce Active Directory
related issues. If you are not monitoring the health of your Active Directory, what will happen?
Let's say one of the Domain Controllers failed to replicate; the first day you will not have any issue. If this
continues, then you will have logon issues and you will not find the object changes and new objects that were
created and changed on other Domain Controllers; this will lead to other issues.
If the Domain Controller has not replicated for more than 60 days then it will lead to a lingering object issue.
Command to check the replication to all the DCs (through this we can check Active Directory
Health):
Repadmin /replsum /bysrc /bydest /sort:delta
You can also save the command output to a text file by using the command below:
Repadmin /replsum /bysrc /bydest /sort:delta >>c:\replication_report.txt
This will list the domain controllers that are failing to replicate, with the delta value.
You can run this daily to check your Active Directory health.
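Reading the saved report automatically, as an added example that is not part of the original page or of the repadmin tool: a Python parser for the "Source DSA" table of `repadmin /replsum` output that flags DCs with failing links and DCs whose largest delta has passed the tombstone lifetime (the lingering-object threshold from the previous question). The sample output is constructed to follow repadmin's table layout, not captured from a real forest; the 60-day default and the sample error text are assumptions.

```python
import re

# Constructed sample of "repadmin /replsum /bysrc /bydest /sort:delta" output
# (not captured from a real forest); the row layout follows repadmin's summary table.
SAMPLE_REPLSUM = """\
Replication Summary Start Time: 2023-05-01 09:00:05

Beginning data collection for replication summary, this may take awhile:
  ....

Source DSA          largest delta    fails/total %%   error
 DC01                      12m:04s    0 /   5    0
 DC02                  65d.03h:12m    5 /   5  100  (8606) Insufficient attributes were given to create an object.
 DC03                  01h:20m:33s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 DC01                      12m:04s    0 /   5    0
 DC02                  65d.03h:12m    5 /   5  100  (8606) Insufficient attributes were given to create an object.
 DC03                  01h:20m:33s    0 /   5    0
"""

ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$")
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def delta_seconds(text: str) -> int:
    """Convert repadmin's delta notation ("65d.03h:12m", "12m:04s", ">60 days") to seconds."""
    over = re.match(r">(\d+)\s*days?", text)
    if over:
        return int(over.group(1)) * 86400
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", text))

def parse_source_rows(output: str) -> list:
    """Return one dict per DC from the 'Source DSA' table (stops at 'Destination DSA')."""
    rows, in_table = [], False
    for line in output.splitlines():
        if line.startswith("Source DSA"):
            in_table = True
            continue
        if line.startswith("Destination DSA"):
            break
        m = ROW.match(line) if in_table and line.strip() else None
        if m:
            dc, delta, fails, total, _pct, error = m.groups()
            rows.append({"dc": dc, "delta_s": delta_seconds(delta),
                         "fails": int(fails), "total": int(total), "error": error.strip()})
    return rows

def assess(output: str, tombstone_days: int = 60) -> dict:
    """Flag each DC: failing links, and a delta past the tombstone lifetime (lingering-object risk)."""
    findings = {}
    for r in parse_source_rows(output):
        flags = []
        if r["fails"]:
            flags.append("replication-failing")
        if r["delta_s"] > tombstone_days * 86400:
            flags.append("beyond-tombstone-lifetime")
        findings[r["dc"]] = flags
    return findings
```

Feed `assess()` the contents of c:\replication_report.txt each day and alert on any non-empty flag list; pass `tombstone_days=180` where the forest's tombstone lifetime is 180 days.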
6. GPRESULT failed with access denied error
Unable to get the result from gpresult on a Windows 2003 server: gpresult returns access denied
errors, although you are able to update the group policy without issue.
Run the following commands to re-register userenv.dll and recompile the RSoP MOF file; this
resolves the access denied error when running gpresult.
1. Open a cmd prompt
2. Re-register the userenv.dll:
Regsvr32 /n /i c:\winnt\system32\userenv.dll
3. CD c:\windows\system32\wbem
4. Mofcomp scersop.mof
5. Gpupdate /force
6. Gpresult
Now you are able to run gpresult without error, and no server reboot is required for this procedure.
7. What is the command to find out the site name for a given DC?
dsquery server -name NYDC01 | dsget server -site
domain controller name = NYDC01
8. Command to find all DCs in a given site
Command to find all the Domain Controllers in the "Default-First-Site-Name" site:
dsquery server -o rdn -site Default-First-Site-Name
Site name = Default-First-Site-Name
9. How many types of queries does DNS do?
Iterative Query
Recursive Query
Active Directory 2003 Interview
Question and Answer 3:
1) Logical diagram of Active Directory? What is the difference between a child domain & an additional
domain server?
A) Active Directory contains forest, tree, domain and its child domain. A child domain comes under the parent
domain and it shares the namespace; its namespace appends the parent domain name. An additional domain
controller is a copy of the main domain controller and is there for load balancing and fault tolerance.
2) What are the port numbers?
A)
FTP : 21, TELNET : 23, SMTP : 25, DNS : 53, DHCP : 67, KERBEROS : 88, POP3 : 110, NNTP : 119, IMAP
: 143,
SNMP : 161, LDAP : 389, SSL : 443, MS-DS-AD : 445, RPC : 530, LDAP-S : 636, IMAP-S : 993, POP-S : 995,
Lotus Notes : 1352,
Sametime : 1533, MS-PPTP : 1723, MS-RDP : 3389
3) What is Kerberos? Which version is currently used by Windows? How does Kerberos work?
A) Kerberos is the user authentication used in Win2000 and Win2003 Active Directory servers.
The Kerberos version is 5.0. The port is 88. It's more secure and encrypted than NTLM (NT authentication).
Kerberos makes use of a trusted third party, termed a Key Distribution Center (KDC), which consists of two
logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works
on the basis of "tickets" which serve to prove the identity of users.
The KDC maintains a database of secret keys; each entity on the network, whether a client or a server,
shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity's
identity. For communication between two entities, the KDC generates a session key which they can use to
secure their interactions.
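The AS exchange spelled out in the earlier logon answer (the KDC's master key KA, the session key SA, the TGT sealed under KKDC) and the KDC/secret-key model described in this answer, as one added example in Python that is not part of the original page or of any Kerberos implementation. The `seal`/`unseal` pair is a toy HMAC-based construction standing in for Kerberos' real encryption types, PBKDF2 stands in for the string-to-key function, and the realm, principal and password are constructed; the exchange itself follows the answers' description: the password never leaves the workstation, the client recovers SA only if its derived KA matches, and the client cannot read the TGT it carries.

```python
import hashlib
import hmac
import json
import os
import time

def string_to_key(password: str, salt: str) -> bytes:
    """One-way function of the password: the principal's long-term master key K_A (PBKDF2 stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (illustration only): nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    """Holds every principal's master key plus its own K_KDC, known only to itself."""
    def __init__(self, realm: str):
        self.realm = realm
        self.k_kdc = os.urandom(32)
        self.principals = {}

    def enrol(self, user: str, password: str) -> None:
        self.principals[user] = string_to_key(password, self.realm + user)

    def as_exchange(self, user: str, now: int):
        """AS-REQ carries only the user name; AS-REP returns {S_A}K_A and the TGT {S_A, user, exp}K_KDC."""
        k_a = self.principals[user]          # looked up in the database, never transmitted
        s_a = os.urandom(32)                 # fresh session key to share with this user
        tgt_body = json.dumps({"user": user, "s_a": s_a.hex(), "exp": now + 10 * 3600}).encode()
        return seal(k_a, s_a), seal(self.k_kdc, tgt_body)

    def validate_tgt(self, tgt: bytes, now: int) -> dict:
        body = json.loads(unseal(self.k_kdc, tgt))
        if body["exp"] <= now:
            raise ValueError("TGT expired")
        return body

def workstation_logon(kdc: KDC, user: str, password: str, now: int):
    """Client side: derive K_A from the typed password and recover S_A from the AS-REP."""
    enc_s_a, tgt = kdc.as_exchange(user, now)
    k_a = string_to_key(password, kdc.realm + user)
    s_a = unseal(k_a, enc_s_a)               # a wrong password yields the wrong K_A and fails here
    return s_a, tgt

def demo(password_typed: str = "Correct-Horse-7") -> dict:
    """Constructed realm and principal; returns what each side ends up knowing."""
    kdc = KDC("CORP.EXAMPLE")
    kdc.enrol("alice", "Correct-Horse-7")
    now = int(time.time())
    try:
        s_a, tgt = workstation_logon(kdc, "alice", password_typed, now)
    except ValueError:
        return {"authenticated": False}
    body = kdc.validate_tgt(tgt, now)
    try:                                     # the client holds the TGT but cannot open it
        unseal(s_a, tgt)
        client_can_read_tgt = True
    except ValueError:
        client_can_read_tgt = False
    return {"authenticated": True,
            "session_key_matches_tgt": body["s_a"] == s_a.hex(),
            "client_can_read_tgt": client_can_read_tgt}
```

Real Kerberos adds pre-authentication to the AS-REQ and uses standardised encryption types; the point the model keeps is that the KDC database and the workstation both arrive at KA independently from the password, so the password itself is never on the wire.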
4) What are FSMO Roles? List them.
A) Flexible Single Master Operation (FSMO) roles are server roles in a Forest.
There are five types of FSMO roles:
1. Domain Naming Master - Forest Wide Role
2. Schema Master - Forest Wide Role
3. RID Master - Domain Wide Role
4. PDC Emulator - Domain Wide Role
5. Infrastructure Master - Domain Wide Role
Domain Naming Master: It takes care of adding / changing / deleting any domain in a forest.
Schema Master: It maintains the structure of the Active Directory in a forest.
RID Master: It assigns RIDs and SIDs to newly created objects like users and computers. If the RID master is
down, you can still create security objects as long as the RID pools already available on the DCs last; once
those are exhausted you can't create any object while it's down.
PDC Emulator: It works as a PDC to any NT BDCs in your environment. It works as the Time Server (to
maintain the same time in your network). It handles password changes, lockouts, etc.
Infrastructure Master: This role takes care of updating cross-domain group membership references when
a member object is renamed.
5) Describe the lease process of the DHCP server.
A) A DHCP lease is the amount of time that the DHCP server grants to the DHCP client permission to use a
particular IP address. A typical server allows its administrator to set the lease time.
It's a four-step process consisting of
(a) DHCP discovery,
(b) DHCP offer,
(c) DHCP request and
(d) DHCP acknowledgement.
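The four steps above with a lease table behind them, as an added example that is not part of the original page or of any DHCP server: a Python model in which DISCOVER reserves an address and answers with an OFFER, REQUEST turns the reservation into a timed lease (or gets a NAK when the requested address was never offered), and expired leases return to the pool. The address pool, MAC addresses and the lease time are constructed.

```python
from dataclasses import dataclass

@dataclass
class Lease:
    ip: str
    mac: str
    expires: int          # simulated clock value (seconds)

class DhcpServer:
    def __init__(self, pool: list, lease_time: int):
        self.free = list(pool)
        self.lease_time = lease_time
        self.leases = {}      # mac -> Lease
        self.offered = {}     # mac -> ip reserved while an OFFER is outstanding

    def discover(self, mac: str, now: int):
        """DHCPDISCOVER -> DHCPOFFER: reuse the client's current lease if it has one, else pick a free address."""
        self.expire(now)
        if mac in self.leases:
            ip = self.leases[mac].ip
        elif mac in self.offered:
            ip = self.offered[mac]
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None       # pool exhausted: the server stays silent, no OFFER
        self.offered[mac] = ip
        return {"type": "OFFER", "ip": ip, "lease": self.lease_time}

    def request(self, mac: str, ip: str, now: int) -> dict:
        """DHCPREQUEST -> DHCPACK, or DHCPNAK if the client asks for an address it was not offered."""
        if self.offered.get(mac) != ip:
            return {"type": "NAK"}
        del self.offered[mac]
        self.leases[mac] = Lease(ip, mac, now + self.lease_time)
        return {"type": "ACK", "ip": ip, "expires": now + self.lease_time}

    def expire(self, now: int) -> None:
        """Return addresses of lapsed leases to the pool."""
        for mac, lease in list(self.leases.items()):
            if lease.expires <= now:
                del self.leases[mac]
                self.free.append(lease.ip)

def dora(server: DhcpServer, mac: str, now: int):
    """Run the full Discover / Offer / Request / Acknowledge exchange for one client."""
    offer = server.discover(mac, now)
    if offer is None:
        return None
    return server.request(mac, offer["ip"], now)

def demo() -> dict:
    """Two-address pool, one-hour leases; all values constructed for the example."""
    srv = DhcpServer(["10.0.0.10", "10.0.0.11"], lease_time=3600)
    first = dora(srv, "aa:bb:cc:00:00:01", now=0)
    second = dora(srv, "aa:bb:cc:00:00:02", now=0)
    third = dora(srv, "aa:bb:cc:00:00:03", now=0)                  # pool exhausted: no offer
    bogus = srv.request("aa:bb:cc:00:00:09", "10.0.0.99", now=0)   # REQUEST with no prior OFFER
    later = dora(srv, "aa:bb:cc:00:00:03", now=3600)               # earlier leases have lapsed
    return {"first": first, "second": second, "third": third, "bogus": bogus, "later": later}
```

The NAK branch is the server-side check worth keeping in mind when reviewing DHCP logs: a client that REQUESTs an address it was never OFFERed is either misconfigured or spoofing, and the lease table is what lets the server tell.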
6) What is the function of DHCP?
A) Providing IP addresses dynamically.
8) What is a forest?
A) It is a collection of trees. A tree is nothing but a collection of domains which share the same namespace.
A domain contains domain controllers.
Forest > Tree > Domain.
9) What is Active Directory?
A) Active Directory is a network-based object store and service that locates and manages resources, and
makes these resources available to authorized users and groups. An underlying principle of the Active
Directory is that everything is considered an object: people, servers, workstations, printers, documents, and
devices. Each object has certain attributes and its own security access control list (ACL).
10) Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain
Controller (BDC) in Server 2003?
A) The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read
and write relationship that hosts copies of the Active Directory.
11) How long does it take for security changes to be replicated among the domain controllers?
A) Security-related modifications are replicated within a site immediately. These changes include account
and individual user lockout policies, changes to password policies, changes to computer account passwords,
and modifications to the Local Security Authority (LSA).
12) What is the Active Directory schema?
A) The Active Directory schema contains formal definitions of every object class that can be created in an
Active Directory forest; it also contains formal definitions of every attribute that can exist in an Active
Directory object. Active Directory stores and retrieves information from a wide variety of applications and
services. So that it can store and replicate data from a potentially infinite variety of sources, Active Directory
standardizes how data is stored in the directory. By standardizing how data is stored, the directory service
can retrieve, update, and replicate data while ensuring that the integrity of the data is maintained.
Schema master is a set of rules which is used to define the structure of Active Directory. It contains
definitions of all the objects which are stored in AD. It maintains information and detailed information about
objects.
13) How will you back up Active Directory?
A) Take the system state data backup. This will back up the Active Directory database. Microsoft
recommends only a full backup of the system state database.
14) What are the contents of a System State backup?
A) The contents are:
Boot files, System files, Active Directory (if it's done on a DC), SYSVOL folder (if it's done on a DC),
Certificate service (on a CA server), Cluster database (on a cluster server), Registry,
Performance counter configuration information, Component services class registration database
15) Compare Active Directory & SAM
Windows NT | Windows 2000
Single-master replication is used via PDCs and BDCs. | Multimaster replication is used via DCs.
Domain is the smallest unit of partitioning. | Domain is the smallest unit of partitioning.
Domain is the smallest unit of authentication. | OU is the smallest unit of authentication.
Domain is the smallest unit of policy (system policies). | OU is the smallest unit of policy (group policy objects).
Domain is the smallest unit of security delegation/administration. | A property of an object is the smallest unit of security delegation/administration.
NetBIOS broadcasts as primary browsing and connection mechanism. | TCP/IP connections to Active Directory as primary browsing and connection mechanism.
WINS or LMHOSTS required for effective browsing. | DNS and Active Directory required for effective browsing; WINS required for older clients.
Object is the smallest unit of replication. | Property is the smallest unit of replication.
Maximum recommended database size for SAM is 40 MB. | Maximum database size for Active Directory is 70 TB.
Maximum effective number of users is 40,000 (if you accept the recommended 40 MB maximum). | Maximum number of users (objects) in one domain is between one and two million. Maximum number of users (objects) in one forest is 10 million.
Four domain models (single, single-master, multimaster, complete-trust) required to solve admin-boundary and user-limit problems being per domain. | No domain models required as the complete-trust model is implemented. One-way trusts can be implemented manually.
Schema is not extensible. | Schema is fully extensible.
CD; What is the default domain functional level in Windows !erver 788&?
A) he four domain functional levels are6
*indows +,,, Mi2ed, *indows +,,, Native, *indows "erver +,,- Interim, *indows "erver +,,-, *indows
+,,, Mi2ed
*hen you configure a new *indows "erver +,,- domain, the default domain functional level is *indows
+,,, mi2ed. 5nder this domain functional level, *indows N, +,,,, and +,,- domain controllers are
supported. However, certain features such as group nesting, universal groups, and so on are not available.
*indows +,,, Native
5pgrading the functional level of a domain to *indows +,,, Native should only be done if there are no
*indows N domain controllers remaining on the network. Ey upgrading to *indows +,,, Native functional
level, additional features become available including6 group nesting, universal groups, "IDHistory, and the
ability to convert security groups and distribution groups.
*indows "erver +,,- Interim
he third functional level is *indows "erver +,,- Interim and it is often used when upgrading from
*indows N to *indows "erver +,,-. 5pgrading to this domain functional level provides support for
*indows N and *indows "erver +,,- domain controllers. However, like *indows +,,, Mi2ed, it does not
provide new features.
*indows "erver +,,-
he last functional level is *indows "erver +,,-. his domain functional level only provides support for
*indows "erver +,,- domain controllers. If you want to take advantage of all the features included with
*indows "erver +,,-, you must implement this functional level. 3ne of the most important features
introduced at this functional level is the ability to rename domain controllers
17) In which domain functional level can we rename the domain name?
A) All domain controllers must be running Windows Server 2003, and the Active Directory functional level must be Windows Server 2003. Yes, you can rename the domain in Windows Server 2003.
18) Which is the default protocol used in directory services?
A) Lightweight Directory Access Protocol (LDAP)
19) What is a site?
A) Sites: one or more well-connected, highly reliable and fast TCP/IP subnets. A site allows the administrator to configure Active Directory access and replication topology to take advantage of the physical network.
20) Which is the command used to remove Active Directory from a domain controller?
A) Run "dcpromo" at the command prompt to add or remove Active Directory. The additional domain controllers (ADC) should be removed before the DC; if we want to remove the DC first, check whether this server is the last domain controller in the domain.
Removing Active Directory:
1. If we want to remove Active Directory then we will use the command: DCPROMO
2. If someone deleted the parent domain and we want to remove it from the child domain then we will use the command: DCPROMO /FORCEREMOVAL
Note: One should not remove the parent domain first. Start from the bottom, i.e. the child domain, then its parent, and so on.
21) What is trust?
A) To allow users in one domain to access resources in another, AD uses trusts. A trust is automatically produced when domains are created. The forest sets the default boundaries of trust, not the domain, and implicit trust is automatic. As well as two-way transitive trust, AD trusts can be shortcut (joins two domains in different trees; transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains. AD uses the Kerberos V5 protocol, although NTLM is also supported and web clients use SSL/TLS.
22) What is the file that's responsible for keeping the whole Active Directory database?
A) NTDS.DIT. Default size: 40 MB
23) What snap-in administrative tools are available for Active Directory?
A) Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active Directory Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Manager (optional, available from adminpak)
24) What types of classes exist in Windows Server 2003 Active Directory?
A) Structural class: The structural class is important to the system administrator in that it is the only type from which new Active Directory objects are created. Structural classes are developed from either the modification of an existing structural type or the use of one or more abstract classes.
Abstract class: Abstract classes are so named because they take the form of templates that actually create other templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for the defining objects.
Auxiliary class: The auxiliary class is a list of attributes. Rather than applying numerous attributes when creating a structural class, it provides a streamlined alternative by applying a combination of attributes with a single include action.
88 class: The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was adopted. This type does not use the structural, abstract, and auxiliary definitions, nor is it in common use for the development of objects in Windows Server 2003 environments.
25) How do you delete a lingering object?
A) Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active Directory.
26) What is the Global Catalog?
A) The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC in every site in order to prevent user logon failures across the network.
27) What is a GC? How many are required for a tree?
A) A Global Catalog server is a searchable index book. With this we can find any object in the Active Directory. It also works as logon authentication for group memberships. We can have it on each domain controller in the domain, or only on the first domain controller in a domain.
28) What is a Global Catalog server?
A) A Global Catalog Server maintains full information about its own domain and partial information about other domains. It is a forest-wide role.
A global catalog server is a domain controller; it is a master searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. It has two important functions:
i) Provides group membership information during logon and authentication
ii) Helps users locate resources in Active Directory
29) Can I change my password if my machine's connectivity to the DC that holds the PDC emulator role has failed?
A) No, you cannot change the password.
30) How can I deploy the latest patches to a PC through G.P. without having Admin rights on the PC?
A) Create a batch file, place all the patches in the Netlogon share, and deploy the batch file through GP to all the PCs, so that it takes effect after restarting the PC.
The above answer is incorrect.
You cannot deploy a batch file using group policy. You can only publish or assign .msi packages or zap files. They are the only two valid file formats allowable when using "intellimirror" in Active Directory.
If you create a script and assign it to the STARTUP script in a GPO applied to the COMPUTER and not the USER, then it runs as a local administrator on the computer.
31) Difference between 2000 & 2003.
A)
1. We can't rename a domain in Win2k; you can rename it in Win2k3
2. IIS 5.0 in Win2k and IIS 6.0 in Win2k3
3. No Volume Shadow Copying in Win2k; it's available in Win2k3
4. Active Directory Federation Systems in Win2k3
Like that, some other security features were added in Win2k3; the main features are above.
32) What is a hot fix?
A) It is a fix which Microsoft releases whenever there is a bug, or for updating the operating system.
33) What is paging?
A) If a program references a memory location within a virtual page that is not available, the hardware generates a page fault. When this occurs, the memory management hardware invokes an operating system routine that loads the required page from auxiliary storage (e.g., a paging file on disk) and turns on the flag that indicates the page is available. The hardware then adds the offset denoted by the low-order bits in the address register to the start location of the physical page, accesses the requested memory location, and returns control to the application that originally tried to access the memory. This process takes place transparently to the application addressing the memory. This scheme is called paging.
34) Explain hidden shares.
A) Hidden or administrative shares are share names with a dollar sign ($) appended to their names. Administrative shares are usually created automatically for the root of each drive letter. They do not display in the network browse list.
35) How do the permissions work in Windows 2000? What permissions does a folder inherit from the parent?
A) When you combine NTFS permissions based on users and their group memberships, the least restrictive permissions take precedence. However, explicit Deny entries always override Allow entries.
36) Why can't I encrypt a compressed file on Windows 2000?
A) You can either compress it or encrypt it, but not both.
37) If I rename an account, what must I do to make sure the renamed account has the same permissions as the original one?
A) Nothing, it's all maintained automatically.
38) What's the most powerful group on a Windows system?
A) Administrators.
39) What are the accessibility features in Windows 2000?
A) StickyKeys, FilterKeys, Narrator, Magnifier, and On-Screen Keyboard.
40) Why can't I get to the Fax Service Management console?
A) You can only see it if a fax has been installed.
41) What do I need to ensure before deploying an application via a Group Policy?
A) Make sure it's either an MSI file, or contains a ZAP file for Group Policy.
42) How do you configure mandatory profiles?
A) Rename ntuser.dat to ntuser.man
43) I can't get multiple displays to work in Windows 2000.
A) Multiple displays have to use peripheral connection interface (PCI) or Accelerated Graphics Port (AGP) port devices to work properly with Windows 2000.
44) What's the maximum number of processors Win2K supports?
A) 2
45) I had some NTFS volumes under my Windows NT installation. What happened to NTFS after the Win2K installation?
A) It got upgraded to NTFS 5.
46) How do you convert a drive from FAT/FAT32 to NTFS from the command line?
A) convert c: /fs:ntfs
47) Explain APIPA.
A) Auto Private IP Addressing (APIPA) takes effect on Windows 2000 Professional computers if no DHCP server can be contacted. APIPA assigns the computer an IP address within the range of 169.254.0.0 through 169.254.255.254 with a subnet mask of 255.255.0.0.
48) How does Internet Connection Sharing work on Windows 2000?
A) Internet Connection Sharing (ICS) uses the DHCP Allocator service to assign dynamic IP addresses to clients on the LAN within the range of 192.168.0.2 through 192.168.0.254. In addition, the DNS Proxy service becomes enabled when you implement ICS.
49) I can't seem to access the Internet, don't have any access to the corporate network, and on ipconfig my address is 169.254.x.x. What happened?
A) The 169.254.*.* netmask is assigned to Windows machines running 98/2000/XP if the DHCP server is not available. The name for the technology is APIPA (Automatic Private Internet Protocol Addressing).
50) We've installed a new Windows-based DHCP server; however, the users do not seem to be getting DHCP leases off of it.
A) The server must be authorized first with the Active Directory.
51) How can you force the client to give up the DHCP lease if you have access to the client PC?
A) ipconfig /release
52) What authentication options do Windows 2000 Servers have for remote clients?
A) PAP, SPAP, CHAP, MS-CHAP and EAP.
53) What are the networking protocol options for the Windows clients if for some reason you do not want to use TCP/IP?
A) NWLink (Novell), NetBEUI, AppleTalk (Apple).
54) What is the data link layer in the OSI reference model responsible for?
A) The data link layer is located above the physical layer, but below the network layer. It takes raw data bits and packages them into frames. The network layer will be responsible for addressing the frames, while the physical layer is responsible for retrieving and sending raw data bits.
55) What is binding order?
A) The order in which the network protocols are used for client-server communications. The most frequently used protocols should be at the top.
56) How do cryptography-based keys ensure the validity of data transferred across the network?
A) Each IP packet is assigned a checksum, so if the checksums do not match on both receiving and transmitting ends, the data was modified or corrupted.
57) Should we deploy IPSEC-based security or certificate-based security?
A) They are really two different technologies. IPSec secures the TCP/IP communication and protects the integrity of the packets. Certificate-based security ensures the validity of authenticated clients and servers.
58) What is the LMHOSTS file?
A) It's a file stored on a host machine that is used to resolve NetBIOS names to specific IP addresses.
59) What's the difference between forward lookup and reverse lookup in DNS?
A) Forward lookup is name-to-address; reverse lookup is address-to-name.
60) How can you recover a file encrypted using EFS?
A) Use the domain recovery agent.
61) What is IPv6?
A) Internet Protocol version 6 (IPv6) is a network layer IP standard used by electronic devices to exchange data across a packet-switched internetwork. It follows IPv4 as the second version of the Internet Protocol to be formally adopted for general use. It is a 128-bit address. Here we can see a total of 8 octets; each octet is 16 bits in size.
62) What is multimaster replication?
A) In addition to storing primary zone information in DNS, we can also store it in Active Directory as an Active Directory object. This integrates DNS with Active Directory in order to take advantage of Active Directory features. The benefits are:
- The zone can be modified from any domain controller within the domain and this information is automatically updated or replicated to all the other domain controllers along with the Active Directory replication. This replication is said to be multimaster replication.
- We no longer face the standard DNS server drawbacks. In a standard DNS server only the primary server can modify the zone and then replicate the changes to other domain controllers (this was the case in Windows NT4 before). But when DNS gets integrated with AD, the zone can be modified and replicated from any domain controller.
- Fault tolerance
- Security: You can prevent access to any updates to the zone or an individual record, preventing insecure dynamic updates.
63) What is RSoP?
A) Resultant Set of Policy (RSoP) is provided to make policy modification and troubleshooting easier. RSoP is the query object; it has two modes:
1. Logging mode: Polls existing policies and then reports the result of the query.
2. Planning mode: The questions ask about the planned policy and then report the result of the query.
64) Difference between NTFS and FAT32
A)
NTFS | FAT32
Allows local access to Win2000, Win2003, WinXP, WinNT4 with SP4 & later (may get access for some files). | FAT32 allows access to Win95, Win98, WinMe, Win2000, WinXP on a local partition.
Maximum size of partition is 2 Terabytes & more. | Maximum size of partition is up to 2 TB.
Maximum file size is up to 16 TB. | Maximum file size is up to 4 GB.
File & folder encryption is possible. | File & folder encryption is not possible.
Supports 255 character long file names. | FAT supports 8.3 character file names (avail. in FAT32).
65) What is Microsoft Software Assurance?
A) It means that if in future some upgraded version is introduced in the market, then Software Assurance allows upgrading the license without paying any extra cost.
66) How is user account security established in Windows Server 2003?
A) When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account's security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.
67) If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same?
A) No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.
68) What do you do with secure sign-ons in an organization with many roaming users?
A) The Credential Management feature of Windows Server 2003 provides a consistent single sign-on experience for users. This can be useful for roaming users who move between computer systems. The Credential Management feature provides a secure store of user credentials that includes passwords and X.509 certificates.
69) Anything special you should do when adding a user that has a Mac?
A) "Save password as encrypted clear text" must be selected on User Properties Account Tab Options, since the Macs only store their passwords that way.
70) What remote access options does Windows Server 2003 support?
A) Dial-in, VPN, dial-in with callback.
71) Where are the documents and settings for the roaming profile stored?
A) All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.
72) Where are the settings for all the users stored on a given machine?
A) \Document and Settings\All Users
73) What languages can you use for log-on scripts?
A) JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)
74) How do you double-boot a Win 2003 server box?
A) The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel, go to the Advanced tab and select Startup.
75) What do you do if an earlier application doesn't run on Windows Server 2003?
A) When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting Properties -> Compatibility -> selecting the previously supported operating system.
76) If you uninstall Windows Server 2003, which operating systems can you revert to?
A) Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows Server 2003.
77) How do you get to Internet Firewall settings?
A) Start -> Control Panel -> Network and Internet Connections -> Network Connections.
78) What's new in Windows Server 2003 regarding DNS management?
A) When DC promotion occurs within an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.
79) When should you create a forest?
A) Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
80) How can you authenticate between forests?
A) Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user's home forest; (3) Kerberos delegation to an N-tier application in another forest; and (4) user principal name (UPN) credentials.
81) What's the difference between local, global and universal groups?
A) Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
82) I am trying to create a new universal user group. Why can't I?
A) Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
83) What is LSDOU?
A) It's the group policy inheritance model, where the policies are applied in the order Local machine, Site, Domain and Organizational Unit.
84) Why doesn't LSDOU work under Windows NT?
A) If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
85) Where are group policies stored?
A) %SystemRoot%\System32\GroupPolicy
86) What are GPT and GPC?
A) Group policy template and group policy container.
87) Where is the GPT stored?
A) %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
88) You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority?
A) The computer settings take priority.
89) You want to set up a remote installation procedure, but do not want the user to gain access over it. What do you do?
A) gponame -> User Configuration -> Windows Settings -> Remote Installation Services -> Choice Options is your friend.
90) What's contained in the administrative template conf.adm?
A) Microsoft NetMeeting policies
91) How can you restrict running certain applications on a machine?
A) Via group policy: security settings for the group, then Software Restriction Policies.
92) You need to automatically install an app, but the MSI file is not available. What do you do?
A) A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.
93) What's the difference between Software Installer and Windows Installer?
A) The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.
94) What can be restricted on Windows Server 2003 that wasn't there in previous products?
A) Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
95) How frequently is the client policy refreshed?
A) 90 minutes, give or take.
96) Where is secedit?
A) It's now gpupdate.
97) You want to create a new group policy but do not wish to inherit.
A) Make sure you check Block Inheritance among the options when creating the policy.
98) What is "tattooing" the Registry?
A) The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.
99) How do you fight tattooing in NT/2000 installations?
A) You can't.
100) How do you fight tattooing in 2003 installations?
A) User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
101) What does IntelliMirror do?
A) It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.
102) What's the major difference between FAT and NTFS on a local machine?
A) FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.
103) How do FAT and NTFS differ in their approach to user shares?
A) They don't; both have support for sharing.
104) Explain the List Folder Contents permission on a folder in NTFS.
A) Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
105) I have a file to which the user has access, but he has no folder permission to read it. Can he access it?
A) It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of the file into the Run window.
106) For a user in several groups, are Allow permissions restrictive or permissive?
A) Permissive; if at least one group has Allow permission for the file/folder, the user will have the same permission.
107) For a user in several groups, are Deny permissions restrictive or permissive?
A) Restrictive; if at least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.
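As an added illustration (not from the original page), the following Python model shows how the SIDs in a security token (Q66) are matched against an object's ACL, why Allow entries are permissive (Q106, Q35) while a single Deny is restrictive (Q107), and why a deleted and re-created account loses its explicit ACEs (Q67). The SIDs, rights names and ACL are constructed; only S-1-1-0 (Everyone) is a real well-known SID, and the real Win32 access mask is not reproduced.

```python
"""Model of how a Windows security token is checked against an NTFS ACL.

Constructed example: SIDs, rights names and the ACL below are made up for
illustration; the real Win32 access mask and ACE layout are not reproduced.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

READ, WRITE, EXECUTE = "read", "write", "execute"

EVERYONE_SID = "S-1-1-0"  # real well-known SID that Windows adds to every token


@dataclass(frozen=True)
class ACE:
    """One access control entry: a SID, the rights it covers, Allow or Deny."""
    sid: str
    rights: FrozenSet[str]
    allow: bool


@dataclass(frozen=True)
class SecurityToken:
    """The user SID plus the SIDs of every group the user belongs to (Q66)."""
    user_sid: str
    group_sids: FrozenSet[str]

    @property
    def sids(self) -> Set[str]:
        return {self.user_sid, *self.group_sids}


def build_token(user_sid: str, groups: Iterable[str]) -> SecurityToken:
    # Windows always adds well-known SIDs such as Everyone to the token.
    return SecurityToken(user_sid, frozenset(groups) | {EVERYONE_SID})


def effective_rights(token: SecurityToken, acl: List[ACE]) -> Set[str]:
    """Allow ACEs accumulate across all of the token's SIDs (permissive, Q106);
    any matching Deny ACE removes the right again (restrictive, Q107; Q35)."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.sid not in token.sids:
            continue  # ACE is for a SID not in this token: ignored
        (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied


def check_access(token: SecurityToken, acl: List[ACE], wanted: Iterable[str]) -> bool:
    """True only if every requested right survives the Allow/Deny evaluation."""
    return set(wanted) <= effective_rights(token, acl)


class Domain:
    """Minimal stand-in for a domain's RID allocation: RIDs only ever grow,
    so a deleted and re-created account gets a brand-new SID (Q67)."""

    def __init__(self, domain_sid: str) -> None:
        self.domain_sid = domain_sid
        self._next_rid = 1100
        self.accounts: Dict[str, str] = {}

    def create_user(self, name: str) -> str:
        sid = f"{self.domain_sid}-{self._next_rid}"
        self._next_rid += 1
        self.accounts[name] = sid
        return sid

    def delete_user(self, name: str) -> None:
        del self.accounts[name]


# Constructed domain SID prefix and group RIDs; not taken from any real forest.
DOMAIN = Domain("S-1-5-21-1111111111-2222222222-3333333333")
FINANCE_SID = f"{DOMAIN.domain_sid}-1201"
CONTRACTORS_SID = f"{DOMAIN.domain_sid}-1202"


def demo() -> Dict[str, Set[str]]:
    """Evaluate a constructed ACL for three situations and return the results."""
    alice_sid = DOMAIN.create_user("alice")
    bob_sid = DOMAIN.create_user("bob")
    report_acl = [
        ACE(EVERYONE_SID, frozenset({READ}), allow=True),
        ACE(FINANCE_SID, frozenset({READ, WRITE}), allow=True),
        ACE(CONTRACTORS_SID, frozenset({WRITE}), allow=False),
        ACE(alice_sid, frozenset({EXECUTE}), allow=True),  # explicit ACE for alice
    ]
    results = {
        # alice: Finance member plus explicit Execute -> read, write, execute
        "alice": effective_rights(build_token(alice_sid, [FINANCE_SID]), report_acl),
        # bob: Finance allows Write, Contractors denies it -> read only
        "bob": effective_rights(build_token(bob_sid, [FINANCE_SID, CONTRACTORS_SID]), report_acl),
    }
    # Delete alice and re-create her with the same name: the new SID no longer
    # matches the explicit ACE, so Execute is gone even with the same groups.
    DOMAIN.delete_user("alice")
    alice2_sid = DOMAIN.create_user("alice")
    results["alice_recreated"] = effective_rights(build_token(alice2_sid, [FINANCE_SID]), report_acl)
    results["sids_differ"] = {alice_sid, alice2_sid}  # two distinct SIDs
    return results


if __name__ == "__main__":
    for who, rights in demo().items():
        print(who, sorted(rights))
```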
108) What hidden shares exist on a Windows Server 2003 installation?
A) Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
109) What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations?
A) The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
110) We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box.
A) Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
111) Where exactly do fault-tolerant DFS shares store information in Active Directory?
A) In the Partition Knowledge Table, which is then replicated to other domain controllers.
112) Can you use Start->Search with DFS shares?
A) Yes.
113) What problems can you have with DFS installed?
A) Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.
114) I run Microsoft Cluster Server and cannot install fault-tolerant DFS.
A) Yeah, you can't. Install a standalone one.
115) Is Kerberos encryption symmetric or asymmetric?
A) Symmetric.
116) How does Windows 2003 Server try to prevent a middle-man attack on an encrypted line?
A) A time stamp is attached to the initial client request, encrypted with the shared key.
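Added example, not part of the original page: a simplified Python check in the spirit of the Kerberos timestamp described above (Q115, Q116), showing what the server gains from it: a request whose timestamp is too old, whose contents were altered, or which was captured and presented a second time is refused. It assumes an HMAC under the shared key as a stand-in for Kerberos' encryption of the timestamp, and uses a constructed key, principal names and clock values.

```python
"""Timestamp-based authenticator check modelled on the Kerberos idea in
Q115/Q116: client and KDC share a symmetric key, and the client's initial
request carries a timestamp protected by that key.

Constructed example: an HMAC stands in for Kerberos' encryption of the
timestamp; the key, principal names and clock values are made up.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_CLOCK_SKEW = 300  # seconds; Kerberos' default allowable clock skew is 5 minutes


@dataclass(frozen=True)
class Authenticator:
    principal: str
    timestamp: int   # client's clock, seconds since the epoch
    tag: str         # hex HMAC-SHA256 over principal|timestamp under the shared key


def _tag(key: bytes, principal: str, timestamp: int) -> str:
    return hmac.new(key, f"{principal}|{timestamp}".encode(), hashlib.sha256).hexdigest()


def make_authenticator(key: bytes, principal: str, now: int) -> Authenticator:
    """Client side: bind the current time to the shared key."""
    return Authenticator(principal, now, _tag(key, principal, now))


class ReplayCache:
    """Remembers (principal, timestamp) pairs accepted inside the skew window,
    so an identical authenticator presented again is refused."""

    def __init__(self) -> None:
        self._seen: Dict[Tuple[str, int], int] = {}

    def check_and_record(self, auth: Authenticator, now: int) -> bool:
        """Return True if this authenticator was already accepted."""
        # Drop entries whose timestamp is too old to pass the skew check anyway.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= MAX_CLOCK_SKEW}
        key = (auth.principal, auth.timestamp)
        if key in self._seen:
            return True
        self._seen[key] = auth.timestamp
        return False


def verify_authenticator(key: bytes, auth: Authenticator, now: int,
                         cache: ReplayCache) -> Tuple[bool, str]:
    """Server side. Order matters: integrity first (so forged timestamps
    cannot poison the replay cache), then freshness, then replay."""
    expected = _tag(key, auth.principal, auth.timestamp)
    if not hmac.compare_digest(auth.tag, expected):
        return False, "integrity check failed (wrong key or modified request)"
    if abs(now - auth.timestamp) > MAX_CLOCK_SKEW:
        return False, "timestamp outside the allowed clock skew"
    if cache.check_and_record(auth, now):
        return False, "authenticator already used (replay)"
    return True, "accepted"


def demo() -> List[Tuple[bool, str]]:
    """Run four constructed requests through the server-side check."""
    key = b"constructed-shared-secret"   # in Kerberos, derived from the user's password
    cache = ReplayCache()
    t0 = 1_700_000_000
    fresh = make_authenticator(key, "alice@EXAMPLE.COM", t0)
    stale = make_authenticator(key, "alice@EXAMPLE.COM", t0 - 600)
    forged = Authenticator("mallory@EXAMPLE.COM", fresh.timestamp, fresh.tag)
    return [
        verify_authenticator(key, fresh, t0 + 10, cache),   # accepted
        verify_authenticator(key, fresh, t0 + 20, cache),   # same bytes again: replay
        verify_authenticator(key, stale, t0, cache),        # 10 minutes old: rejected
        verify_authenticator(key, forged, t0 + 10, cache),  # principal changed: bad tag
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", reason)
```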
117) What hashing algorithms are used in Windows 2003 Server?
A) RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
118) What third-party certificate exchange protocols are used by Windows 2003 Server?
A) Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
119) What's the number of permitted unsuccessful logons on the Administrator account?
A) Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
120) If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1?
A) A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then comparing the hashes.
121) What's the difference between guest accounts in Server 2003 and other editions?
A) More restrictive in Windows Server 2003.
122) How many passwords by default are remembered when you check "Enforce Password History Remembered"?
A) The user's last 6 passwords.
123) What is the presentation layer responsible for in the OSI model?
A) The presentation layer establishes the data format prior to passing it along to the network application's interface. TCP/IP networks perform this task at the application layer.
124) Does Windows Server 2003 support IPv6?
A) Yes, run ipv6.exe from the command line to disable it.
125) Can Windows Server 2003 function as a bridge?
A) Yes, and it's a new feature for the 2003 product. You can combine several networks and devices connected via several adapters by enabling IP routing.
126) What's the difference between a basic disk and a dynamic disk?
A) The basic type contains partitions, extended partitions, logical drives, and an assortment of static volumes; the dynamic type does not use partitions but dynamically manages volumes and provides advanced storage options.
127) What's a media pool?
A) It is any compilation of disks or tapes with the same administrative properties.
128) How do you install the recovery console?
A) C:\i386\win32 /cmdcons, assuming that your Win server installation is on drive C.
129) What's new in Terminal Services for Windows 2003 Server?
A) It supports audio transmissions as well, although prepare for heavy network load.
130) Describe the process of clustering with Windows 2003 Server when a new node is added.
A) As a node goes online, it searches for other nodes to join by polling the designated internal network. In this way, all nodes are notified of the new node's existence. If other nodes cannot be found on a preexisting cluster, the new node takes control of the quorum resources residing on the shared disk that contains state and configuration data.
131) What applications are not capable of performing in Windows 2003 Server clusters?
A) The ones written exclusively for NetBEUI and IPX.
132) What's a heartbeat?
A) Communication processes between the nodes designed to ensure each node's health.
133) What's a threshold in a clustered environment?
A) The number of times a restart is attempted when the node fails.
134) You need to change an admin password on a clustered Windows box, but that requires rebooting the cluster, doesn't it?
A) No, it doesn't. In a 2003 environment you can do that via the cluster.exe utility, which does not require rebooting the entire cluster.
135) Which add-on package for Windows 2003 Server would you use to monitor the installed software and license compliance?
A) SMS (System Management Server).
136) Which service do you use to set up various alerts?
A) MOM (Microsoft Operations Manager).
137) What are the different editions of Windows Server 2003?
Requirement | Web Edition | Standard Edition | Enterprise Edition | Datacenter Edition
Minimum CPU speed | 133 MHz | 133 MHz | 133 MHz for x86-based computers; 733 MHz for Itanium-based computers | 400 MHz for x86-based computers; 733 MHz for Itanium-based computers
Recommended CPU speed | 550 MHz | 550 MHz | 733 MHz | 733 MHz
Minimum RAM | 128 MB | 128 MB | 128 MB | 512 MB
Recommended minimum RAM | 256 MB | 256 MB | 256 MB | 1 GB
Maximum RAM | 2 GB | 4 GB | 64 GB for x86-based computers; 2 TB for x64 and ia64 computers | 128 GB for x86-based computers; 2 TB for x64 and ia64 computers
Multiprocessor support | Up to 2 | Up to 4 | Up to 8 | Minimum 2-way capable machine required; maximum 64
Disk space required | 1.2 GB for network install; 2.9 GB for CD install | 1.2 GB for network install; 2.9 GB for CD install | 1.2 GB for network install; 2.9 GB for CD install | 1.2 GB for network install; 2.9 GB for CD install
Web Edition
- Designed to be used primarily as an IIS 6.0 Web server.
- Used mainly for building and hosting Web applications, Web pages, and XML Web Services.
- Does not require Client Access Licenses, and Terminal Server mode is not included. However, Remote Desktop for Administration is available.
- Supports a maximum of 4 processors with support for a maximum of 2GB of RAM.
- The only version of Windows Server 2003 that DOES NOT include a client number limitation upon Windows update services, as it does not require Client Access Licenses.
- Cannot act as a domain controller.
Standard Edition
- Aimed towards small to medium sized businesses.
- Supports file and printer sharing, secure Internet connectivity, and allows centralized desktop application deployment.
- Can run on up to 4 processors with up to 4 GB RAM.
- 64-bit versions are also available for the x86-64 architecture (AMD64 and Intel64, called collectively x64 by Microsoft).
- The 64-bit version is capable of addressing up to 32 GB of RAM.
- The 64-bit version supports Non-Uniform Memory Access (NUMA), something the 32-bit version does not do.
Enterprise Edition
- A full-function server operating system aimed towards medium to large businesses.
- Supports up to 8 processors and can support up to 32 GB of memory with the addition of the PAE parameter in the initialization file.
- Provides enterprise-class features such as eight-node clustering using Microsoft Cluster Server (MSCS) software.
- Enterprise Edition also comes in 64-bit versions for the Itanium and x64 architectures.
- The 64-bit version is capable of addressing up to 1 Terabyte (1,024 GB) of RAM.
- Both 32-bit and 64-bit versions support Non-Uniform Memory Access (NUMA).
- Also provides the ability to hot-add supported hardware.
Datacenter Edition
- Aimed at infrastructures demanding high security and reliability.
- Windows Server 2003 is available for x86 32-bit, Itanium, and x64 processors.
- Supports a minimum of 8 processors and a maximum of 64 processors & memory up to 512GB. [* When run on 32-bit architecture, limited to 32 processors & limits memory addressability to 64GB.]
- Windows Server 2003, Datacenter Edition, also allows limiting processor and memory usage on a per-application basis.
- Supports Non-Uniform Memory Access.
- Supports 8-node clustering.
- Better support for Storage Area Networks (SAN).
Small Business Server
Designed keeping the below goals in mind, primarily for small businesses:
- Provide small businesses with connectivity for collaboration, communication, and mobility.
- Provide simplicity in installation, management, and use.
- Provide flexible deployment features that benefit both small-business customers and technology providers.
To better meet the variation in a larger population of small businesses, Windows Small Business Server 2003 is available in two editions, Standard and Premium.
Standard Edition is ideal for first-server customers who are looking to leverage the benefits of server technology in their network, or for customers migrating from a stand-alone server to an integrated technology platform.
Premium Edition is ideal for small businesses with more demanding IT needs, such as data-intensive line-of-business applications, or for customers with more stringent monitoring and management of Internet services and connectivity.
Q37: Are there any differences between 32-bit, x64, and 64-bit versions of Windows Server 2003?
A)
Version             | 32-bit x86              | 64-bit x64             | 64-bit Itanium
Datacenter Edition  | Up to 32-way, 64 GB RAM | Up to 64-way, 1 TB RAM | Up to 64-way, 1 TB RAM
Enterprise Edition  | Up to 8-way, 32 GB RAM  | Up to 8-way, 1 TB RAM  | Up to 8-way, 1 TB RAM
Standard Edition    | Up to 4-way, 4 GB RAM   | Up to 4-way, 32 GB RAM | n/a
Web Edition         | Up to 2-way, 2 GB RAM   | n/a                    | n/a
Symmetric Multiprocessing (SMP) support
SMP: The Windows Server 2003 family supports single or multiple CPUs that conform to the SMP standard. Using SMP, the operating system can run threads on any available processor, which makes it possible for applications to use multiple processors when additional processing power is required to increase the capability of a system. New features include SMP locking performance, improved registry performance, and increased Terminal Server sessions.
Q38: What's New in Windows 2003 R2?
A) With Windows Server 2003 R2, you get the following improvements:
Identity and access management
Branch office server management
Storage setup and management
Application development inside and outside your organization's traditional boundaries
This topic describes the following new components that you can install with Windows Server 2003 R2:
Server Manageability
Administration Tools Packs
Hardware Management
MMC 3.0
Features for Active Directory
Active Directory Application Mode (ADAM)
Active Directory Federation Services
Disk and File Management Features
Branch Office: Distributed File System (DFS)
Common Log File System (CLFS)
File Server Management
Microsoft Services for Network File System
Storage Management for SANs
File Server Resource Manager
Printer and Protocol Support
Print Management
Microsoft .NET Framework
Microsoft .NET Framework 2.0
Internet and E-Mail Services and Features
Windows SharePoint Services
UNIX Interoperability
Identity Management for UNIX
Subsystem for UNIX-based Applications
Q40: What specific updates are there in 2003 SP2?
A) The updates are as below:
Clustering
A new event log event has been created to address certain situations in which the Cluster service account becomes excessively restricted by domain policy. The new event ID is 1239. The event text includes troubleshooting information.
Data access components
XmlLite is new with Windows Server 2003 SP2. XmlLite is a fast, low-level, native XML parser with a small memory footprint.
Distributed systems
New options have been added to the Dcdiag.exe Domain Name System (DNS) tests to generate XML tags when the tests are run with the /test:dns option. It can be used to more easily parse the verbose log that the DNS tests generate.
File systems
Icacls.exe is an upgrade of the Cacls.exe tool in Windows Server 2003 SP2, and can be used to reset the access control lists (ACLs) on files from Recovery Console, and to back up ACLs. Also, unlike Cacls.exe, Icacls.exe correctly propagates the creation of inherited ACLs and changes to them.
Microsoft Message Queuing
The default storage limit for message queuing has been changed to 1 gigabyte (GB). If you choose to have a storage limit of more than 1 GB, you can change the storage limit setting in Microsoft Management Console (MMC) on the General tab of Message Queuing Properties.
Networking and communications
1. Includes an update that enables you to simplify the creation and maintenance of Internet Protocol security (IPsec) policy. This update enables you to use an IPsec "Simple Policy". For most environments, the installation of this update allows you to reduce the number of IPsec filters that are required for a Server Isolation deployment or for a Domain Isolation deployment. You can reduce the number of IPsec filters from many hundreds of filters to only two filters.
3. Group Policy support for non-broadcasting networks and Wi-Fi Protected Access 2 (WPA2) settings has been added to the Windows wireless client in Windows Server 2003 SP2. This update allows the Windows wireless client to accept additional wireless Group Policy configuration options. These new settings include support for WPA2 parameters and non-broadcast networks.
4. The Windows wireless client now supports WPA2, which enables you to take advantage of high levels of standards-based connection and encryption security. New security features include:
Non-broadcast network profiles are now marked with a flag to improve the security of the Windows wireless client.
Windows will not automatically connect to a peer-to-peer network, even if it has been automatically saved in the preferred network list. You must manually connect to a peer-to-peer network profile.
Windows Deployment Services
Remote Installation Services is replaced by Windows Deployment Services. You can use Windows Deployment Services to set up new computers through a network-based installation without having to be physically present at each computer and without having to install directly from DVD media.
Windows Admin Interview Questions & Answer
1. What is Active Directory?
2. What is LDAP?
3. Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
4. Where is the AD database held? What other folders are related to AD?
5. What is the SYSVOL folder?
6. Name the AD NCs and replication issues for each NC
7. What are application partitions? When do I use them
8. How do you create a new application partition
9. How do you view replication properties for AD partitions and DCs?
10. What is the Global Catalog?
11. How do you view all the GCs in the forest?
12. Why not make all DCs in a large forest as GCs?
13. Trying to look at the Schema, how can I do that?
14. What are the Support Tools? Why do I need them?
15. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
16. What are sites? What are they used for?
17. What's the difference between a site link's schedule and interval?
18. What is the KCC?
19. What is the ISTG? Who has that role by default?
20. What are the requirements for installing AD on a new server?
21. What can you do to promote a server to DC if you're in a remote location with slow WAN link?
22. How can you forcibly remove AD from a server and what do you do later?
• Can I get user passwords from the AD database?
23. What tool would I use to try to grab security related packets from the wire?
24. Name some OU design considerations.
25. What is tombstone lifetime attribute?
26. What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
27. What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
28. How would you find all users that have not logged on since last month?
29. What are the DS* commands?
30. What's the difference between LDIFDE and CSVDE? Usage considerations?
• What are the FSMO roles? Who has them by default? What happens when each one fails?
• What FSMO placement considerations do you know of?
• I want to look at the RID allocation table for a DC. What do I do?
• What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
• How do you configure a "stand-by operation master" for any of the roles?
• How do you backup AD?
• How do you restore AD?
• How do you change the DS Restore admin password?
• Why can't you restore a DC that was backed up 4 months ago?
• What are GPOs?
• What is the order in which GPOs are applied?
• Name a few benefits of using GPMC.
• What are the GPC and the GPT? Where can I find them?
• What are GPO links? What special things can I do to them?
• What can I do to prevent inheritance from above?
• How can I override blocking of inheritance?
• How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
• A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
• Name a few differences in Vista GPOs
• Name some GPO settings in the computer and user parts.
• What are administrative templates?
• What's the difference between software publishing and assigning?
• Can I deploy non-MSI software with GPO?
• You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files. The contents such as group policy, users etc. of the sysvol folder are replicated to all domain controllers in the domain.
The sysvol folder must be located on an NTFS volume.
Que.: What is Active Directory?
Ans. Active Directory is metadata. Active Directory is a database which stores data like your user information, computer information and also other network object info. It has capabilities to manage and administer the complete network which connects with AD.
Que.: What is the Global Catalog?
Ans.: Global Catalog is a server which maintains the information about multiple domains with trust relationship agreement.
Que: What is Active Directory?
Ans: Active Directory directory service is an extensible and scalable directory service that enables you to manage network resources efficiently.
1: What is Active Directory?
Ans: Active Directory is a directory service that stores information about objects on a network and makes this information available to users and network administrators.
Active Directory gives network users access to permitted resources anywhere on the network using a single logon process.
It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects.
Q: What is active directory?
Ans: active directory is a domain controller which is used to authenticate and administrate the group of computers, users, servers etc. remotely. All the policies and security will be applicable on the client machine which joins the domain, and all these policies and security are defined in active directory.
2: What is LDAP?
Ans 2: LDAP (Lightweight Directory Access Protocol) is an internet protocol which Email and other services use to look up information from the server.
18: What is KCC?
Ans 18: KCC (knowledge consistency checker) is used to generate the replication topology for inter-site replication and for intra-site replication. Within a site, replication traffic is done via remote procedure calls over IP, while between sites it is done through either RPC or SMTP.
10: What is Global Catalog Server?
Ans 10: Global Catalog Server is basically a container where you put the same type of members, computers etc. and apply the policies and security on the catalog server in place of individual users or computers.
10: what is global catalog server GC?
Ans: I'm sorry, I gave a wrong answer to this question above, but now I'm giving the exact answer to this question; the answer which I gave previously is the answer for Organisational Unit, not for GC. And the answer is:
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
4: Where is the AD database held? What other folders are related to AD?
A 4: The AD database is stored in NTDS.DIT.
5: What is the SYSVOL folder?
A 5: The SYSVOL folder stores the server's copy of the domain's public files. The contents such as group policy, users etc. of the sysvol folder are replicated to all domain controllers in the domain.
19: What is the ISTG? Who has that role by default?
A 19: Windows 2000 Domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).
15: What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
A 15: LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.
Replmon: Replmon displays information about Active Directory Replication.
ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects with a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL, ADSIEDIT.MSC
NETDOM: NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts and secure channels.
REPADMIN: This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
36: how to take backup of AD?
A 36: for taking backup of active directory you have to do this:
first go to START -> PROGRAMS -> ACCESSORIES -> SYSTEM TOOLS -> BACKUP
when the backup screen is shown, take the backup of SYSTEM STATE; it will take the backup of all the necessary information about the system including AD backup, DNS etc.
37: how to restore the AD?
a 37: For this do the same as above in question 36, but in place of backup you select the restore option and restore the system state.
19: What is the ISTG? Who has that role by default?
A 19: Inter-Site Topology Generator (ISTG) is responsible for managing the inbound replication connection objects for all bridgehead servers in the site in which it is located. This domain controller is known as the Inter-Site Topology Generator (ISTG). The domain controller holding this role may not necessarily also be a bridgehead server.
29: What are the DS* commands
A 29: You really are spoilt for choice when it comes to scripting tools for creating Active Directory objects. In addition to CSVDE, LDIFDE and VBScript, we now have the following DS commands, the DS family of built-in utilities: DSmod - modify Active Directory attributes; DSrm - to delete Active Directory objects; DSmove - to relocate objects; DSadd - create new accounts; DSquery - to find objects that match your query attributes; DSget - list the properties of an object.
30: What's the difference between LDIFDE and CSVDE? Usage considerations?
A 30: CSVDE is a command that can be used to import and export objects to and from the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go to length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info.
Like CSVDE, LDIFDE is a command that can be used to import and export objects to and from the AD into a LDIF-formatted file. A LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor; however, it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.
25: What is tombstone lifetime attribute?
A 25: The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NC.
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that? How is it possible?
(20) What are the requirements for installing AD on a new server?
Ans: 1) The Domain structure 2) The Domain Name 3) Storage location of the database and log file 4) Location of the shared system volume folder 5) DNS config method 6) DNS configuration
7. What are application partitions? When do I use them.
Ans: An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Using an application directory partition provides redundancy, availability, or fault tolerance by replicating data to specific domain controllers or any set of domain controllers anywhere in the forest.
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that? How is it possible?
Ans: Login on a client as a Domain Admin user, change whatever you need, add printers etc., go to System - User Profiles, copy this user profile to any location by selecting Everyone in "permitted to use"; after the copy, change ntuser.dat to ntuser.man and assign this path under user profile.
8. How do you create a new application partition
ANS:
Use the DnsCmd command to create an application directory partition. To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
Global catalog provides a central repository of domain information for the forest by storing partial replicas of all domain directory partitions. These partial replicas are distributed by multimaster replication to all global catalog servers in a forest.
How do you view all the GCs in the forest?
Ans
C:\>repadmin /showreps domain_controller
where domain_controller is the DC you want to query to determine whether it's a GC. The output will include the text DSA Options: IS_GC if the DC is a GC.
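As an added example (not part of the original answer), the Python below applies that check to constructed repadmin /showreps output and also flags inbound replication links whose last attempt failed, which is what you would look at for question 9 (replication properties per partition and DC). The server names, GUIDs and partition names in SAMPLE are made up; the layout follows what repadmin prints.

```python
"""Parse repadmin /showreps output: global catalog flag and failed inbound links.

Added example, not from the original page.  SAMPLE below is constructed output
in the layout repadmin prints; the server names, GUIDs and partition names are
made up.
"""
import re

SAMPLE = """\
Default-First-Site-Name\\DC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 0b3c4a2e-1111-2222-3333-444455556666
DSA invocationID: 0b3c4a2e-1111-2222-3333-444455556666

==== INBOUND NEIGHBORS ======================================

DC=corp,DC=example
    Default-First-Site-Name\\DC02 via RPC
        DSA object GUID: 9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff
        Last attempt @ 2010-03-01 09:15:02 was successful.

CN=Configuration,DC=corp,DC=example
    Default-First-Site-Name\\DC02 via RPC
        DSA object GUID: 9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff
        Last attempt @ 2010-03-01 09:15:02 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2010-02-28 23:40:11.
"""


def is_global_catalog(showreps_output: str) -> bool:
    """True when the header's 'DSA Options:' line carries the IS_GC flag.

    The flag list is split on whitespace so that other options which may share
    the line (for example DISABLE_OUTBOUND_REPL) do not confuse the check.
    """
    match = re.search(r"^DSA Options:\s*(.*)$", showreps_output, re.MULTILINE)
    return bool(match) and "IS_GC" in match.group(1).split()


def failed_inbound_links(showreps_output: str) -> list:
    """Return (partition, source DC, Win32 result code) for every inbound
    replication link whose last attempt failed.

    Indentation carries the structure: partition DNs sit at column 0, source
    DCs are indented 4 spaces and attempt results 8 spaces.
    """
    failures = []
    partition = source = None
    for line in showreps_output.splitlines():
        text = line.strip()
        if not text:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0 and text.startswith(("DC=", "CN=")):
            partition = text
        elif indent == 4 and " via " in text:
            source = text.split(" via ", 1)[0]
        elif indent == 8:
            match = re.match(r"Last attempt @ .* failed, result (\d+)", text)
            if match and partition and source:
                failures.append((partition, source, int(match.group(1))))
    return failures


if __name__ == "__main__":
    print("Global catalog:", is_global_catalog(SAMPLE))
    for partition, source, code in failed_inbound_links(SAMPLE):
        print(f"FAILED {partition} from {source} (result {code})")
```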
Trying to look at the Schema, how can I do that
Ans:
type "adsiedit.msc" in run or command prompt
3. Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Ans. Yes, you can use dirXML or LDAP to connect to other directories.
In Novell you can use E-directory.
38: How do you change the DS Restore admin password?
Ans 38: A. In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Restore mode, then use either the Microsoft Management Console (MMC) Local Users and Groups snap-in or the command
net user administrator *
to change the Administrator password. Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Service Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility's scripting options.)
In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password. To do so, follow these steps:
1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
2. Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument "set dsrm password" at the ntdsutil prompt:
ntdsutil: set dsrm password
3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server thanos, enter the following argument at the Reset DSRM Administrator Password prompt:
Reset DSRM Administrator Password: reset password on server thanos
To reset the password on the local machine, specify null as the server name:
Reset DSRM Administrator Password: reset password on server null
4. You'll be prompted twice to enter the new password. You'll see the following messages:
5. Please type password for DS Restore Mode Administrator Account:
6. Please confirm new password:
Password has been set successfully.
7. Exit the password-reset utility by typing "quit" at the following prompts:
8. Reset DSRM Administrator Password: quit
ntdsutil: quit
40: What are Group Policy objects (GPOs)?
A.40: Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template. The Group Policy container is an Active Directory container that stores GPO properties, including information on version, GPO status, and a list of components that have settings in the GPO. The Group Policy template is a folder structure within the file system that stores Administrative Template-based policies, security settings, script files, and information regarding applications that are available for Group Policy Software Installation. The Group Policy template is located in the system volume folder (Sysvol) in the \Policies subfolder for its domain.
41: What is the order in which GPOs are applied?
A 41: Group Policy settings are processed in the following order:
1. Local Group Policy object: Each computer has exactly one Group Policy object that is stored locally. This is processed for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
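As an added illustration (not part of the original answer), here is a small Python model of that processing order: it takes a constructed set of GPO links for the local machine, a site, a domain and an OU chain, orders them as described, and reports which GPO supplies each effective setting. The GPO names, OU names and setting keys are made up, and the model covers only the default ordering and link-order rules stated above (no Enforced links or Block Inheritance).

```python
"""Model of Group Policy processing order: local, site, domain, then OUs.

Added example, not from the original page.  The GPO names, OU chain and
setting keys in demo() are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict          # setting key -> value


@dataclass
class Scope:
    """A site, domain or OU together with its Linked Group Policy Objects tab.

    links holds (link_order, gpo) pairs; link order 1 is the top row of the
    tab in GPMC.
    """
    name: str
    links: list = field(default_factory=list)


def processing_order(local: GPO, site: Scope, domain: Scope, ou_chain: list) -> list:
    """Return the GPOs in the order the client applies them.

    ou_chain runs from the OU highest in the hierarchy down to the OU that
    directly contains the user or computer.  Within one scope the GPO with
    the lowest link order is processed last, so it has the highest precedence.
    """
    order = [local]
    for scope in [site, domain, *ou_chain]:
        # Highest link order first, lowest link order last.
        for _, gpo in sorted(scope.links, key=lambda link: link[0], reverse=True):
            order.append(gpo)
    return order


def resultant_settings(order: list) -> tuple:
    """Apply the GPOs in sequence.

    A later GPO overwrites a conflicting setting from an earlier one; settings
    that do not conflict simply accumulate.  Returns (effective, winner), where
    winner[key] names the GPO that supplied the effective value.
    """
    effective, winner = {}, {}
    for gpo in order:
        for key, value in gpo.settings.items():
            effective[key] = value
            winner[key] = gpo.name
    return effective, winner


def demo() -> tuple:
    """Constructed scenario: a computer in OU=Finance under OU=Corp (hypothetical)."""
    local = GPO("Local Group Policy", {"Wallpaper": r"C:\Windows\default.jpg"})
    site = Scope("Default-First-Site-Name",
                 [(1, GPO("Site Proxy", {"ProxyServer": "proxy.example:8080"}))])
    domain = Scope("corp.example", [
        # Link order 1 sits above link order 2 in GPMC, so it is processed last.
        (1, GPO("Domain Security", {"MinPasswordLength": 12})),
        (2, GPO("Domain Baseline", {"MinPasswordLength": 8,
                                    "ScreenSaverTimeout": 900})),
    ])
    ou_chain = [
        Scope("OU=Corp", [(1, GPO("Corp Desktop", {"Wallpaper": r"\\fs\corp.jpg"}))]),
        Scope("OU=Finance", [(1, GPO("Finance Lockdown", {"ScreenSaverTimeout": 300}))]),
    ]
    order = processing_order(local, site, domain, ou_chain)
    effective, winner = resultant_settings(order)
    return [gpo.name for gpo in order], effective, winner


if __name__ == "__main__":
    names, effective, winner = demo()
    print(" -> ".join(names))
    for key in sorted(effective):
        print(f"{key:20} = {str(effective[key]):25} (from {winner[key]})")
```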
What is LDAP?
Lightweight Directory Access Protocol
This article will tell you how to add your first Windows 2003 DC to an existing Windows 2000 domain. This article is particularly useful if you have Windows 2000 servers that will be replaced by new hardware running Windows Server 2003.
The first step is to install Windows 2003 on your new DC. This is a straightforward process, so we aren't going to discuss that here.
Because significant changes have been made to the Active Directory schema in Windows 2003, we need to make our Windows 2000 Active Directory compatible with the new version. If you already have Windows 2003 DCs running with Windows 2000 DCs, then you can skip down to the part about DNS.
Before you attempt this step, you should make sure that you have Service Pack 4 installed on your Windows 2000 DC. Next, make sure that you are logged in as a user that is a member of the Schema Admins and Enterprise Admins groups. Next, insert the Windows 2003 Server installation CD into the Windows 2000 Server. Bring up a command line and change directories to the I386 directory on the installation CD. At the command prompt, type:
Code:
adprep /forestprep
After running this command, make sure that the updates have been replicated to all existing Windows 2000 DCs in the forest.
Next we need to run the following command:
Code:
adprep /domainprep
The above command must be run on the Infrastructure Master of the domain by someone who is a member of the Domain Admins group.
Once this is complete, we move back to the Windows 2003 Server. Click 'Start', then 'Run', type in dcpromo and click OK. During the ensuing wizard, make sure that you select that you are adding this DC to an existing domain.
After this process is complete, the server will reboot. When it comes back online, check and make sure that the AD database has been replicated to your new server.
Next, you will want to check and make sure that DNS was installed on your new server. If not, go to the Control Panel, click on 'Add or Remove Programs', and click the 'Add/Remove Windows Components' button. In the Windows Components screen, click on 'Networking Services' and click the Details button. In the new window, check 'Domain Name System (DNS)' and then click the OK button. Click 'Next' in the Windows Components screen. This will install DNS and the server will reboot. After reboot, pull up the DNS Management window and make sure that your DNS settings have replicated from the Windows 2000 Server. You will need to re-enter any forwarders or other properties you had set up, but the DNS records should replicate on their own.
The next 2 items, global catalog and FSMO roles, are important if you plan on decommissioning your Windows 2000 server(s). If this is the case, you need to transfer the global catalog from the old server to the new one.
First, let's create a global catalog on our new server. Here are the steps:
1. On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click 'Start', point to 'Programs', point to 'Administrative Tools', and then click 'Active Directory Sites and Services'.
2. In the console tree, double-click 'Sites', and then double-click 'sitename'.
3. Double-click 'Servers', click your domain controller, right-click 'NTDS Settings', and then click 'Properties'.
4. On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server.
5. Restart the domain controller.
Make sure you allow sufficient time for the account and the schema information to replicate to the new global catalog server before you remove the global catalog from the original DC or take the DC offline.
After this is complete, you will want to transfer or seize the FSMO roles for your new server. For instructions, read "Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller".
After this step is complete, we can now run DCPROMO on the Windows 2000 Servers in order to demote them. Once this is complete, copy over any files you need to your new server and you should have successfully replaced your Windows 2000 server(s) with a new Windows 2003 server(s).
Global Catalog is the one where the authentication happens; by default the primary domain controller is Global Catalog. We can add global catalogs to improve the Network Performance.
What is Active Directory?
It's a Directory Service which stores and manages the information of Objects (User, computer, printer, shared folder etc.)
What are the requirements for installing AD on a new server?
Win2K3 CD
DNS
Static IP
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
go to Start -> Programs -> Administrative Tools -> Active Directory Users and Computers
Right click on Domain -> click on Properties
On the new window click on Group Policy
Select Default Policy -> click on Edit
on the Group Policy console
go to User Configuration -> Administrative Templates -> Start Menu and Taskbar
Select each property you want to modify and do the same
1. What are the required components of Windows Server 2003 for installing Exchange 2003? - ASP.NET, SMTP, NNTP, W3SVC
2. What must be done to an AD forest before Exchange can be deployed? - Setup /forestprep
3. What Exchange process is responsible for communication with AD? - DSACCESS
4. What 3 types of domain controller does Exchange access? - Normal Domain Controller, Global Catalog, Configuration Domain Controller
5. What connector type would you use to connect to the Internet, and what are the two methods of sending mail over that connector? - SMTP Connector: Forward to smart host or use DNS to route to each address
6. How would you optimise Exchange 2003 memory usage on a Windows Server 2003 server with more than 1Gb of memory? - Add /3Gb switch to boot.ini
7. What would a rise in remote queue length generally indicate? - This means mail is not being sent to other servers. This can be explained by outages or performance issues with the network or remote servers.
8. What would a rise in the Local Delivery queue generally mean? - This indicates a performance issue or outage on the local server. Reasons could be slowness in consulting AD, slowness in handing messages off to local delivery or SMTP delivery. It could also be databases being dismounted or a lack of disk space.
9. What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog? - SMTP = 25, POP3 = 110, IMAP4 = 143, RPC = 135, LDAP = 389, Global Catalog = 3268
10. Name the process names for the following: System Attendant = MAD.EXE, Information Store = STORE.EXE, SMTP/POP/IMAP/OWA = INETINFO.EXE
11. What is the maximum amount of databases that can be hosted on Exchange 2003 Enterprise? - 20 databases. 4 SGs x 5 DBs.
12. What are the disadvantages of circular logging? - In the event of a corrupt database, data can only be restored to the last backup.
19 Responses to "Windows sysadmin interview questions"

1. How windows server will configure?
Tell them that you have a 400 pc based network and you configure an Active Directory domain on windows
servers to centralize administration tasks.

1) How windows server will configure?
It depends on the role of the server. If you are installing Active Directory you have to run DCPROMO at the
command prompt and follow the instructions.
Overall it depends on the role.
Simply you can say: there is an option in windows "Manage Server"; once you follow the instructions it will
guide you to configure your server.
2) How many types of servers?
If they are concerned with hardware servers, tell them the hardware configuration and vendor of the server.
If they are asking about the types of windows server, tell them Standard, Enterprise or Small Business
Server etc.

start > Run > Cmd >
Type
net send Computername type ur msg

Question 2: What must be done to an AD forest before Exchange can be deployed? - Setup
/forestprep
question 2 is incorrect: in order for ms exchange 2k or 2003 to be successfully "deployed" both forestprep
and domainprep must successfully complete first, before the setup.exe of the actual exchange install, or
the install will error out if attempted.

1. How windows server will configure?
2. How many types of server?
3. What is the server environment?
I faced one interview; they asked how many types of server in your company, how u configured.
Please guide me in this matter.

1) How to migrate from windows 2000 to 2003 without disturbing the existing Domain?
2) How to migrate from Ms. Exchange 2000 to 2003 and how to configure Outlook Web
Access?
3) What r the ports required to configure Exchange Server?
4) What is IIS and how to migrate from IIS 5.0 to IIS 6.0?

1) What r the frequently asked questions on ADS 2003, and what r the main differences between ADS
2000 and 2003?
2) What are main differences between WINS and DNS?
3) Why we have to go to DNS? what r the advantages in DNS?
4) What r the frequently asked questions on DNS?
5) What r the frequently asked questions on DHCP?
6) What r the frequently asked questions on FTP?
7) What r the frequently asked questions on DFS?
8) What r the frequently asked questions on File Server?
9) What r the frequently asked questions on Print Server?

1. In windows2000 professional or winxp, pc performance is very low; what is the solution you will give?
2. what is different between AD2000 & AD2003?
3. what is different between windows2000 & NT & winxp?
XP
1. Firewall
2. Automatic update
3. Media Player 9 is support to DVD
4. Visual style
5. Remote Desktop
6. On Screen Board
7. Program Capability wizard
8. etc........

Question asked @ interview
what is use of NTLDR file
where its location
what will you do if error occurs "ntldr missing"
what would be the problem if my mails not outgoing.
what are the protocols used by outlook.
what are diff between outlook & outlook express.

most of these are terrible questions for a general windows/AD sysadmin. They're bookish, not realistic;
the kind of thing one looks up if one doesn't use every day.
Also too many of the questions are focused on exchange. For example, we outsource exchange, so a
windows sysadmin here wouldn't be asked any of those questions.

What are main differences between WINS and DNS?
WINS:- It is used to resolve IP address into netbios and vice versa; it is used in prior versions of win 2000
DNS:- It is used to resolve IP address into host name and vice versa; it is used in 2000, XP, 2003 server

what are diff between outlook & outlook express?
Outlook Express
Outlook Express is the e-mail client that is included with Microsoft Internet Explorer 4.x, Microsoft Internet
Explorer 5.x, the Microsoft Windows 98 operating system, the Microsoft Windows Millennium Edition (Me)
operating system, the Microsoft Windows 2000 operating systems, and Microsoft Office 98 for the
Macintosh. Outlook Express is designed for home users who gain access to their e-mail messages by
dialing in to an Internet service provider (ISP).
Outlook
Outlook is Microsoft's premier messaging and collaboration client. It is a stand-alone application that is
integrated into Microsoft Office and Exchange Server. Outlook also provides performance and integration
with Internet Explorer 5.5. Complete integration of e-mail, calendaring, and contact management makes
Outlook the perfect client for many business users.

Advantages of WINS: WINS will be really helpful in a multidomain environment wherein users would
need to access many of the resources in different domains, rather than adding different DNS suffixes of
each domain on the local machine. WINS is the best option. But I could also say WINS is not as stable as
DNS.
Windows sysadmin interview questions
1. What is Active Directory schema?
2. What are the domain functional levels in Windows Server 2003?
3. What are the forest functional levels in Windows Server 2003?
4. What is a global catalog server?
5. How can we raise the domain functional & forest functional level in Windows Server 2003?
6. Which is the default protocol used in directory services?
7. What is IPv6?
8. What is the default domain functional level in Windows Server 2003?
9. What are the physical & logical components of ADS?
10. In which domain functional level can we rename a domain?
11. What is multimaster replication?
12. What is a site?
13. Which is the command used to remove active directory from a domain controller?
14. How can we create a console which contains the schema?
15. What is a trust?
16. What is the file that's responsible for keeping the whole Active Directory database?
Windows Server and MS Exchange interview questions
1. What is DHCP? How do we configure DHCP?
2. What are the ways to configure DNS & Zones?
3. What are the types of backup? Explain each.
4. What are the levels of RAID 0, 1, 5? Which one is better & why?
5. What are FSMO Roles? List them.
6. Describe the lease process of the DHCP server.
7. Disaster Recovery Plan?
8. What is a scope & a superscope?
9. Differences between Win 2000 Server & Advanced Server?
10. Logical diagram of Active Directory? What is the difference between a child domain & an additional
domain server?
11. FTP, NNTP, SMTP, KERBEROS, DNS, DHCP, POP3 port numbers?
12. What is Kerberos? Which version is currently used by Windows? How does Kerberos work?
Microsoft Exchange Server interview questions
1. Distribution List?
2. GAL, Routing Group, Stm files, Eseutil & Isinteg - what are they used for?
3. What is MIME & MAPI?
4. List the services of Exchange Server 2000.
5. How would you recover an Exchange server when the log file is corrupted?
Sysadmin interview questions
1. What is a level 0 backup?
2. What is an incremental backup?
3. What steps are required to perform a bare-metal recovery?
4. Name key files or directories on a UNIX system that should always be backed up.
5. Name key files or directories on a Windows system that should always be backed up.
6. What is RAID 0?
7. What is RAID 0+1? Why is it better than 0?
8. What is RAID-5?
9. Why would you NOT want to encapsulate a root directory with Veritas?
10. What is concatenation?
11. What is striping?
12. What is a spindle?
Networking questions
1. What is a default gateway? - The exit point from one network and entry way into another
network, often the router of the network.
2. How do you set a default route on an IOS Cisco router? - ip route 0.0.0.0 0.0.0.0 x.x.x.x
[where x.x.x.x is the next-hop address; an exit interface can be given instead of an address]
3. What is the difference between a domain local group and a global group? - Domain local
groups grant permissions to objects within the domain in which they reside. Global groups contain
accounts from their own domain and can be granted permissions tree- or forest-wide, on objects in
any domain of the Active Directory.
4. What is LDAP used for? - LDAP is a set of protocols used for providing access to information
directories.
5. What tool have you used to create and analyze packet captures? - Network Monitor in Win2K
/ Win2K3, Ethereal in Linux, OptiView Series II (by Fluke Networks).
6. How does HSRP work?
7. What is the significance of the IP address 255.255.255.255? - The limited broadcast address
is utilized when an IP node must perform a one-to-everyone delivery on the local network but the
network ID is unknown.
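The group-scope answer in question 3 is the basis of the AGDLP pattern: Accounts go into a Global group, the Global group is nested into a Domain Local group, and only the Domain Local group is named in the resource's ACL. As an added example (not code from the original page), the following function creates both groups, nests them and grants the Domain Local group on a file share. The OU path, the share path and the group naming scheme are assumptions of the example; it requires the RSAT ActiveDirectory module and rights to create groups and edit the share's ACL.

```powershell
# Added example, not code from the original page.
# Implements AGDLP: user accounts -> Global group -> Domain Local group -> ACL entry.
Import-Module ActiveDirectory

function New-AgdlpGrant {
    param(
        [Parameter(Mandatory)][string]$RoleName,      # e.g. 'Finance-Analysts' (placeholder)
        [Parameter(Mandatory)][string]$ResourcePath,  # e.g. '\\fs01\finance'   (placeholder)
        [Parameter(Mandatory)][string[]]$Members,     # sAMAccountNames of the users
        [string]$OuPath = 'OU=Groups,DC=corp,DC=example,DC=com',   # assumption
        [ValidateSet('Read','Modify')][string]$Access = 'Modify'
    )
    $domain = Get-ADDomain

    # Global group: holds accounts from this domain and can be referenced anywhere in the forest.
    $global = Get-ADGroup -Filter { Name -eq $RoleName } -ErrorAction SilentlyContinue
    if (-not $global) {
        $global = New-ADGroup -Name $RoleName -GroupScope Global -GroupCategory Security `
                              -Path $OuPath -PassThru
    }
    Add-ADGroupMember -Identity $global -Members $Members

    # Domain Local group: the only principal that will ever appear in the resource ACL.
    $dlName = "ACL-$($ResourcePath.TrimStart('\').Replace('\','-'))-$Access"
    $dl = Get-ADGroup -Filter { Name -eq $dlName } -ErrorAction SilentlyContinue
    if (-not $dl) {
        $dl = New-ADGroup -Name $dlName -GroupScope DomainLocal -GroupCategory Security `
                          -Path $OuPath -PassThru
    }
    Add-ADGroupMember -Identity $dl -Members $global

    # Grant the Domain Local group on the resource. Users and the Global group are never
    # placed in the ACL directly, so access reviews only have to look at group membership.
    $rights = if ($Access -eq 'Read') { 'ReadAndExecute' } else { 'Modify' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$($domain.NetBIOSName)\$dlName", $rights,
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $ResourcePath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $ResourcePath -AclObject $acl

    [pscustomobject]@{
        GlobalGroup      = $global.Name
        DomainLocalGroup = $dlName
        Resource         = $ResourcePath
        Rights           = $rights
    }
}

# Usage (placeholder names):
# New-AgdlpGrant -RoleName 'Finance-Analysts' -ResourcePath '\\fs01\finance' `
#                -Members 'alice','bob' -Access Read
```

The separation matters for the same reason the question draws it: a Global group from another trusted domain can be nested into the Domain Local group without touching the ACL, and revoking a person's access is a membership change in one Global group rather than an ACL edit on every resource.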
12 general questions from an international company
A TechInterviews reader sent in the questions he faced at a major global company. The questions are
fairly generic:
1. Tell me about your analytical skills; cite some examples of how you have used your skills in the
past.
2. What are some of your long term goals?
3. What are your short term goals?
4. Where do you see yourself five years from now?
5. Tell me why I should hire you.
6. What does customer service mean to you?
7. Why did you leave your last job?
8. Describe your definition of a team player.
9. Cite examples of when in the past you have proven to be a team player.
10. How would you handle a conflict with another employee?
11. What do you believe you can gain by working at this company?
12. Give me some examples of times in the past when you were able to avoid a conflict by thinking
on your feet. Tell what you know about this company.
Question:-What is the family of Windows NT?
Windows NT Workstation (Desktop)
Windows NT 4.0 Server (Server)
Windows NT 4.0 Enterprise Server (Server)
Question:-What is the family of Windows 2000?
Windows 2000 Professional (Desktop Operating System)
Windows 2000 Server (Server Operating System)
Windows 2000 Advanced Server (Server Operating System)
Windows 2000 Datacenter Server (Server Operating System)
Question:- What is the family of Windows 2003?
Windows Server 2003, Web Edition
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition
Question:- What is the family of Windows 2008?
Windows Server 2008 R2 Foundation
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 Web Server
Windows HPC Server 2008 R2 Suite
Windows Server 2008 R2 for Itanium-Based Systems
Question:-What is the difference between Desktop and Server?
Regular computers usually run some flavor of Windows, like XP or Vista. Macs of course run Mac
software (OS X), and there are also open source desktop alternatives such as Linux.
Servers generally run more powerful operating systems that can handle networking, email,
internet/intranet hosting, file sharing, databases, and more. Windows Server and Windows Small
Business Server are quite popular in small and mid-size businesses. Mac offers OS X Server if you
want to run your entire network on Macs.
The second major difference between computers and servers: better hardware. If a desktop goes
down, it impacts a single person. If a server goes down, it can easily impact dozens, even hundreds of
people at once. On a server you can implement RAID in hardware or software for fault tolerance
and redundancy.
Question:- What is the difference between a Workgroup and a domain?
A workgroup is a distributed directory maintained on each computer within the workgroup, all sharing the
same workgroup name. A domain is a centralized directory of resources maintained on domain controllers
and presented to the user through Active Directory services, so the user can log in from a single
server.
Question:- What is a Stand-alone computer or server?
A computer that belongs to a workgroup, not a domain, is called a standalone server.
Question:- What is a Member server?
A member server is one which belongs to a domain but does not contain a copy of the Active Directory data,
and is not configured as a domain controller. A member server doesn't store Active Directory
information and can't authenticate users. A member server can provide shared resources such as shared
folders, shared drives or printers.
Question:-What is Active Directory?
Active Directory is a technology created by Microsoft that provides a variety of network
services, and a database that holds information about component locations, users, groups, passwords,
security, printers, computers, Group Policy and other COM information. Some of this information is
currently stored in the Registry, but will eventually (with Windows 2008) be moved to the Active
Directory.
Question:-What roles does a Main Domain Controller have by default?
By default there are five operations master roles:-
Schema Master
Domain Naming Master
PDC Emulator
Relative Identifier Master (RID)
Infrastructure Master
Question:- What roles does an Additional Domain Controller have by default?
By default it does not get any role. But if you want to assign any role you can transfer it from the
current master.
Question:- What roles does a Main Child Domain Controller have by default?
By default the FSMO roles the first DC of a child domain holds are
PDC Emulator
Relative Identifier (RID)
Infrastructure Master
Question:-Explain the FSMO roles and their activities?
Answer: The Operations Master Roles, also known as FSMO roles, are the core foundations
of the Active Directory infrastructure.
There are five FSMO roles in total: two are forest-wide (Schema Master and Domain Naming Master,
held once per forest) and three are per-domain (RID Master, PDC Emulator and Infrastructure Master,
held once in each domain). They can be held by one server or spread across multiple servers.
These are the five FSMO Roles:
Schema Master
Controls updates and changes to our Active Directory schema.
The schema master domain controller controls all updates and modifications to the schema. To update
the schema of a forest, you must have access to the schema master. There can be only one schema
master in the whole forest.
To find out which server holds this role issue the following command:
dsquery server -hasfsmo schema
Domain Naming Master
Controls new addition and removal of domains in the AD forest.
The domain naming master domain controller controls the addition or removal of domains in the
forest. This DC is the only one that can add or remove a domain from the directory. It can also add or
remove cross references to domains in external directories. There can be only one domain naming
master in the whole forest.
To find out which server holds this role issue the following command:
dsquery server -hasfsmo name
Relative ID Master
Assigns security IDs to each new object created in Active Directory like user, server, group, etc.
The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it attaches a
unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs
created in a domain), and a relative ID (RID) that is unique for each security principal SID created in
a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a
request for additional RIDs to the domain's RID master. The domain RID master responds to the
request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of
the requesting DC. At any one time, there can be only one domain controller acting as the RID
master in the domain.
To find out which server holds this role issue the following command:
dsquery server -hasfsmo rid
PDC Emulator
Acts as the default time server for the domain and performs time sync with other time servers if
needed.
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes
the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol.
All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of
the time service is to ensure that the Windows Time service uses a hierarchical relationship that
controls authority and does not permit loops, to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the
forest becomes authoritative for the enterprise, and should be configured to gather the time from an
external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their
in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the
PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect
password are forwarded to the PDC emulator before a bad password failure message is reported
to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found
in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0
Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and
domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows
2000/2003. The PDC emulator still performs the other functions as described in a Windows
2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator master in each
domain in the forest.
To find out which server holds this role issue the following command:
dsquery server -hasfsmo pdc
Infrastructure Master
Makes sure all object references are up to date on all domain controllers and if not replicates the
data.
When an object in one domain is referenced by another object in another domain, it represents the
reference by the GUID, the SID (for references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID
and distinguished name in a cross-domain object reference. At any one time, there can be only one
domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global
Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating
object information because it does not contain any references to objects that it does not hold. This is
because a Global Catalog server holds a partial replica of every object in the forest. As a result,
cross-domain object references in that domain will not be updated and a warning to that effect will be
logged in that DC's event log. If all the domain controllers in a domain also host the global catalog,
all the domain controllers have the current data, and it is not important which domain controller holds
the infrastructure master role.
To find out which server holds this role issue the following command:
dsquery server -hasfsmo infr
Question:-What are the roles that must be on the same server?
Domain Naming Master and Global Catalogue. (This was a hard requirement on Windows 2000
forests; from the Windows Server 2003 forest functional level the domain naming master no longer has
to be a global catalog server.)
Question:-What are the roles that should not be on the same Domain Controller?
Infrastructure Master and Global Catalogue
Note: If you have only one domain then you won't get any problem even if you have both of them on
the same server. If you have two or more domains in a forest then they shouldn't be on the same
server.
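As an added example (not part of the original page), the same information the dsquery and netdom commands above return, collected with the ActiveDirectory PowerShell module and checked against the two placement rules just described: whether the Domain Naming Master is a global catalog, and whether any domain's Infrastructure Master sits on a global catalog while other DCs in that domain are not GCs. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the forest; no hostnames are hard-coded.

```powershell
# Added example, not code from the original page.
# Lists every FSMO role holder in the forest and reports violations of the
# placement rules discussed above (IM on a GC in a multi-domain forest, DNM not on a GC).
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param(
        [string]$Forest = (Get-ADForest).Name   # defaults to the caller's forest
    )
    $adForest = Get-ADForest -Identity $Forest
    $roles    = [ordered]@{
        SchemaMaster       = $adForest.SchemaMaster
        DomainNamingMaster = $adForest.DomainNamingMaster
    }
    $findings = @()

    # Forest-wide rule: on a Windows 2000 forest the domain naming master must be a GC.
    $dnm = Get-ADDomainController -Identity $adForest.DomainNamingMaster
    $roles.DomainNamingMasterIsGC = $dnm.IsGlobalCatalog
    if (-not $dnm.IsGlobalCatalog -and $adForest.ForestMode -like '*2000*') {
        $findings += "Domain Naming Master $($dnm.HostName) is not a GC on a Windows 2000 mode forest."
    }

    foreach ($domainName in $adForest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $roles["$domainName/PDCEmulator"]          = $domain.PDCEmulator
        $roles["$domainName/RIDMaster"]            = $domain.RIDMaster
        $roles["$domainName/InfrastructureMaster"] = $domain.InfrastructureMaster

        # Per-domain rule: the IM must not be a GC unless every DC in the domain is a GC
        # (or the forest has a single domain, where cross-domain references do not arise).
        $im      = Get-ADDomainController -Identity $domain.InfrastructureMaster
        $dcs     = @(Get-ADDomainController -Filter * -Server $domainName)
        $nonGcs  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
        if ($im.IsGlobalCatalog -and $nonGcs.Count -gt 0 -and $adForest.Domains.Count -gt 1) {
            $findings += "Infrastructure Master $($im.HostName) in $domainName is a GC while " +
                         "$($nonGcs.Count) DC(s) are not; cross-domain references will go stale."
        }
    }

    [pscustomobject]@{ Roles = $roles; Findings = $findings }
}

# Usage:
# $report = Get-FsmoPlacementReport
# $report.Roles      # equivalent of 'netdom query fsmo', plus GC status
# $report.Findings   # empty when both placement rules hold
```

Because role holders are read from the forest and domain objects rather than from any one DC's opinion, the report is also a quick check after a role seizure: if the seized role still shows the dead DC's name, replication of the role-holder attribute has not reached the DC the module connected to.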
Question:-What is a Global Catalogue?
The global catalog is the set of all objects in an Active Directory Domain Services (AD DS) forest. A
global catalog server is a domain controller that stores a full copy of all objects in the directory for its
host domain and a partial, read-only copy of all objects for all other domains in the forest. Global
catalog servers respond to global catalog queries.
Question:-How to check which server the above roles have been assigned to?
Install the support tools from the Windows Server CD.
At the command prompt type "netdom query fsmo"
Question:-How to start/stop a service from the command prompt?
Open a command prompt and type
"net start <service name>" (To start a service)
"net stop <service name>" (To stop a service)
Question:-What are the file systems we have in Windows?
FAT/FAT16/FAT32/NTFS 4.0/NTFS 5.0
Question:- How to convert from FAT to NTFS?
convert <drive>: /fs:ntfs
Question:-What is a forest?
A collection of one or more domain trees that do not form a contiguous namespace. Forests allow
organizations to group divisions that operate independently but still need to communicate with one
another.
All trees in a forest share a common schema, configuration partition and Global Catalog. All trees in a
given forest trust each other with two-way transitive trust relations.
Question:- What is a Domain?
A group of computers that are part of a network and share a common directory and security policies.
In Windows Server 2008 a domain is an administrative boundary, and permissions that are granted in one
domain are not carried over to other domains. Strictly, the forest is the security boundary, not the domain:
an administrator of any domain in the forest can escalate to the rest of the forest, so untrusted
organizations belong in separate forests, not separate domains.
Question:- What is a Fully Qualified Domain Name?
hostname.domainname.com is known as an FQDN
Question:-How many types of partitions are there in Windows?
There are two types of partitions:-
Primary Partition
Extended Partition
Question:-What is the difference between a primary and a secondary partition?
A primary partition or system partition is one on which you can install the files needed to load an
operating system.
Question:- How many partitions can you create at maximum? How many primary and how many
extended?
At maximum we can create four partitions on a basic disk. Among those we can create at most one
extended partition. You can create four primary partitions if you do not have an extended one.
Question:-What is a volume?
A disk volume is a way of dividing your physical disk so that each section functions as a
separate unit.
Question:-How many types of volumes are there?
There are 5 types of volumes:
Simple
Spanned
Striped (also called RAID 0)
Mirror (also called RAID 1)
RAID 5 (also called striped volumes with parity)
Question:-What is the difference between a partition and a volume?
You have limitations on the number of partitions.
You don't have limitations on the number of volumes.
You cannot extend the size of a partition.
You can extend the size of a volume.
Question:-What is the active partition?
The partition in which your current operating system's boot files are.
Question:- What is the system volume and the boot volume?
The system volume is the one in which your boot files are.
Whatever partition is marked as active, that partition is called the system partition.
The boot volume is the one in which your system files are.
Question:-What are Unicast, Multicast and Broadcast?
Unicast: Just from one computer to one computer.
Multicast: Only to those who have registered for a particular multicast group.
Broadcast: To all the computers.
Posted by vishal chaudhary at 10:03
What are the New Features in Windows Server 2008 R2
1. Active Directory Administrative Center - For administrators, the biggest change in Server 2008 R2 is
undoubtedly the new Active Directory Administrative Center, which supplements the older Active Directory Domains and
Trusts, Sites and Services, and Users and Computers management tools. The Active Directory Administrative Center
is built on top of PowerShell and its actions are scriptable. One really nice feature is the new Active Directory Recycle
Bin.
2. Remote server management - Server Manager was one of the best improvements in Server 2008 because it
provides a centralized and useful console for managing Windows Server. However, Server Manager is limited to
working with the local system. With R2, Server Manager can be installed on network clients and can be used to
manage remote Server 2008 systems.
3. PowerShell 2.0 - Server 2008 R2 includes PowerShell 2.0, which features improved WMI cmdlets and support for
running scripts on remote systems, creating ScriptCmdlets, and running background jobs. In addition, R2 has a new
graphical PowerShell UI for developing and debugging PowerShell scripts. PowerShell 2.0 is compatible with
PowerShell 1.0.
4. Support for the .NET Framework in Server Core - One of the biggest disappointments in the original Server
2008 release was the lack of support for the .NET Framework in Server Core, which meant that technologies that
seemed perfect for Server Core, such as Windows PowerShell and ASP.NET applications, couldn't run on Server
Core. R2 fixes this problem by adding support for a subset of the .NET Framework that supports both ASP.NET and
PowerShell.
5. Live Migration - Probably one of the most anticipated features in R2, Live Migration improves VM availability by
letting you move Hyper-V VMs between hosts with no downtime. Live Migration is Microsoft's answer to VMware's
VMotion. Live Migration is built on top of R2's new Cluster Shared Volumes technology, which lets multiple cluster
nodes concurrently access the same LUN.
6. New Hyper-V - A new Hyper-V release is included in Server 2008 R2. A prerelease version of Hyper-V was
shipped with the original Windows Server 2008. R2 includes the latest version of Hyper-V. In this version VMs are
able to address up to 32 cores per VM, and the use of TCP Offload and Jumbo Frames provides improved
networking performance. One of the biggest improvements in Hyper-V is support for the previous item, Live Migration.
7. Remote Desktop Services - Another change in Windows Server 2008 R2 is the rebranding of Terminal Services
to Remote Desktop Services. However, the changes aren't in name alone. The new Remote Desktop Services
includes support for the Aero Glass interface, multiple monitors, and DirectX 11, 10 and 9.
8. Core Parking - Windows Server 2008 R2's new Core Parking functionality enables improved power management.
Core Parking lets the OS suspend cores that aren't in use, thereby saving the power required to run those cores.
Parked cores can be reactivated in milliseconds to respond to increased workloads.
9. Support for 256 cores - Improved scalability is another important feature in Server 2008 R2, which will be able to
utilize up to 256 cores. This number is a huge jump from the 64-core limit in the original Windows Server 2008.
10. 64-bit only - Windows Server 2008 R2 marks the first time that the Windows Server OS is 64-bit only,
meaning that Server 2008 R2 must run on x64-compatible hardware. Almost all of today's popular server hardware
will accommodate this requirement, but the R2 release won't run on 32-bit systems.
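The Active Directory Recycle Bin mentioned under item 1 is the feature most worth knowing how to operate, because without it a deleted account comes back as a tombstone with its group memberships and most attributes stripped. As an added example (not code from the original page), the following enables the feature and restores a deleted user by sAMAccountName. It assumes the forest functional level is Windows Server 2008 R2 or higher, that the caller is an Enterprise Admin, and that the RSAT ActiveDirectory module is installed; the forest name and account name in the usage lines are placeholders.

```powershell
# Added example, not code from the original page.
# Enables the AD Recycle Bin (irreversible) and restores a deleted user from it.
Import-Module ActiveDirectory

function Enable-AdRecycleBinIfNeeded {
    param([string]$ForestName = (Get-ADForest).Name)
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    if ($feature.EnabledScopes.Count -eq 0) {
        # Once enabled the feature cannot be disabled, which is why it is not done silently elsewhere.
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
                                 -Target $ForestName -Confirm:$false
    }
    # Returns $true once the feature is enabled in at least one scope.
    (Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }).EnabledScopes.Count -gt 0
}

function Restore-DeletedAdUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # With the Recycle Bin enabled, deleted objects keep their attributes, so we can filter
    # on sAMAccountName instead of parsing the mangled CN ("name\0ADEL:<guid>").
    $deleted = @(Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
                              -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent)
    if ($deleted.Count -eq 0) { throw "No deleted object named $SamAccountName in Deleted Objects." }
    if ($deleted.Count -gt 1) { throw "Several deleted objects named $SamAccountName; pick one by ObjectGUID." }
    # Restore-ADObject puts the object back under lastKnownParent unless -TargetPath is given.
    Restore-ADObject -Identity $deleted[0].ObjectGUID
    Get-ADUser -Identity $SamAccountName -Properties MemberOf
}

# Usage (placeholders):
# Enable-AdRecycleBinIfNeeded -ForestName 'corp.example.com'
# Restore-DeletedAdUser -SamAccountName 'jdoe'
```

Deleted objects stay restorable for the deleted-object lifetime (msDS-DeletedObjectLifetime, which defaults to the tombstone lifetime); after that they are recycled and only an authoritative restore from a system state backup can bring them back, which is the situation the next section's backup question is about.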
2. System State Backup includes which components?
The system state backup includes the following components on a domain controller:
Active Directory (NTDS)
The boot files
The COM+ class registration database
The registry
The system volume (SYSVOL)
And on a non-domain controller the following components are included:
The boot files
The COM+ class registration database
The registry
When a member server or domain controller with a certificate server is installed, the following additional item is also included:
Certificate Server
Note: System State information is backed up and restored as a unit. On a domain controller the backup
contains NTDS.dit, and therefore every password hash in the domain, so backup media must be
protected (encrypted and access-controlled) to the same standard as the domain controller itself.
1. What is AD?
Active Directory is a centralized database which contains
information about objects like Users, Groups, Computers,
Printers, OUs, Contacts and shared folders.
2. Features of AD?
Fully integrated security, integration with DNS, policy based
administration, scalable, flexible, extensible, inter-
operability with other directory services.
3. What are the components of AD?
Logical structure: Domains, Trees, Forests and OUs.
Physical structure: Sites and Domain Controllers.
4. What is the structure of AD?
Logical and Physical
5. What is the protocol used by AD for directory access?
LDAP (Lightweight Directory Access Protocol)
6. What are the naming conventions used by LDAP?
DN (Distinguished Name), RDN (Relative Distinguished Name), UPN
(User Principal Name), GUID (Globally Unique Identifier)
7. What is a Domain?
A domain is a collection of computers connected together with a
server and users.
8. What is a Workgroup?
A collection of computers connected together without a server
(only clients).
9. What is a Tree?
A tree is a logical component of AD; it is a collection of domains
which share a contiguous namespace.
10. What is a Forest?
A collection of trees which don't share a contiguous namespace.
11. What is a Site?
A site is a physical component of AD: a group of TCP/IP subnets
connected with a high speed WAN link.
12. What is a DC?
A server with AD installed.
13. What is a child DC?
A CDC is a sub domain controller under the root domain controller
which shares the namespace.
14. What is an additional DC?
It is a backup server for the DC.
15. How to promote a member server to a DC?
Start > Run > DCPROMO (Domain Controller Promotion)
16. What is the role of an ADC?
It maintains a backup of AD to provide fault tolerance and network
load balancing.
17. How many ADCs can be created for a DC?
Any number of ADCs.
18. What are the additional tools found after installing a DC?
Active Directory Users and Computers,
Active Directory Sites and Services,
Active Directory Domains and Trusts,
Domain Controller Security Policy,
Domain Security Policy
19. What are the different functional levels of 2003?
Domain functional level and Forest functional level
20. What is a member server?
A 2000 or 2003 server which is a part of the domain.
21. What is a standalone server?
A server which is not a part of a domain.
22. What is an Object?
It is a representation of an entity.
23. What are the different Objects in AD?
Users, Groups, Computers, Printers, OUs, Contacts, Shared Folders
24. What is a Schema?
The schema is the design of AD; it defines objects and classes and the set of
rules.
25. What is an Attribute?
An attribute is a piece of information about an object (a property of
the object).
26. What is a Class?
A class is the definition of one kind of AD object (for example user or computer),
listing which attributes its instances must and may have.
27. What is FSMO?
Flexible Single Master Operation
28. What are the different operations masters of 2003?
Schema Master, Domain Naming Master, PDC Emulator,
Infrastructure Master, RID Master.
29. What is a Schema Master?
It is responsible for overall management, structure and design of the
schema. Only one schema master in the entire forest.
30. What is the Domain Naming Master?
It is responsible for addition or removal of domains and
maintaining unique domain names. Only one domain naming master in
the entire forest.
31. What is a PDC Emulator?
It is responsible for providing backward compatibility for NT BDCs;
in mixed mode it acts like a PDC for BDCs. It receives the
password changes and synchronizes time between DCs. Only one PDC
Emulator per domain.
32. What is the Infrastructure Master?
It is responsible for updating cross-domain user and group references
using the Global Catalog. Only one infrastructure master per domain.
33. What is the RID Master?
The Relative Identifier master is responsible for assigning unique IDs to
the objects created in AD. Only one RID Master per domain.
Windows Server 2003 Active Directory and Security Questions
By admin | December 7, 2003
1. What's the difference between local, global and universal groups? Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can't I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
3. What is LSDOU? It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.
4. Why doesn't LSDOU work under Windows NT? If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
5. Where are group policies stored? %SystemRoot%\System32\GroupPolicy
6. What is GPT and GPC? Group policy template and group policy container.
7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.
9. You want to set up a remote installation procedure, but do not want the user to gain access over it. What do you do? gponame -> User Configuration -> Windows Settings -> Remote Installation Services -> Choice Options is your friend.
10. What's contained in the administrative template conf.adm? Microsoft NetMeeting policies.
11. How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies.
12. You need to automatically install an app, but the MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.
13. What's the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.
14. What can be restricted on Windows Server 2003 that wasn't there in previous products? Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
15. How frequently is the client policy refreshed? 90 minutes, give or take.
16. Where is secedit? It's now gpupdate.
17. You want to create a new group policy but do not wish to inherit. Make sure you check Block inheritance among the options when creating the policy.
18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.
19. How do you fight tattooing in NT/2000 installations? You can't.
20. How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.
22. What's the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.
23. How do FAT and NTFS differ in approach to user shares? They don't; both have support for sharing.
24. Explain the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it? It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into the Run window.
26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive: if at least one group has Allow permission for the file/folder, the user will have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive: if at least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.
28. What hidden shares exist on a Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
29. What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
30. We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In the Partition Knowledge Table, which is then replicated to other domain controllers.
32. Can you use Start -> Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can't. Install a standalone one.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric.
36. How does Windows 2003 Server try to prevent a middle-man attack on an encrypted line? A time stamp is attached to the initial client request, encrypted with the shared key.
37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
39. What's the number of permitted unsuccessful logons on the Administrator account? Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
40. If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv2? A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then comparing the hashes.
41. What's the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce Password History Remembered"? The user's last 6 passwords.
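The Allow/Deny rules from questions 26 and 27 above, as an added example that is not part of the original post: effective rights for a user in several groups, computed with the simplified rule the two answers give (any Allow grants, any Deny overrides) rather than NTFS's full ordered ACE evaluation. The group names, rights and ACL are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: who it applies to, Allow or Deny, and the rights it lists."""
    principal: str
    kind: str            # "Allow" or "Deny"
    rights: frozenset


def effective_rights(user: str, groups: set[str], acl: list[Ace]) -> frozenset:
    """Rights the user can exercise, applying the two answers' rules:
    Allow is permissive (any matching Allow grants the right),
    Deny is restrictive (any matching Deny removes it, whatever other groups allow)."""
    identities = {user} | set(groups)
    allowed: set = set()
    denied: set = set()
    for ace in acl:
        if ace.principal not in identities:
            continue          # this ACE is for someone else
        if ace.kind == "Allow":
            allowed |= ace.rights
        elif ace.kind == "Deny":
            denied |= ace.rights
        else:
            raise ValueError(f"unknown ACE type {ace.kind!r}")
    return frozenset(allowed - denied)


def can_access(user: str, groups: set[str], acl: list[Ace], wanted: set[str]) -> bool:
    """True only if every requested right survives the Deny entries."""
    return set(wanted) <= effective_rights(user, groups, acl)


# Constructed ACL on a share: three groups, one of them with an explicit Deny.
SAMPLE_ACL = [
    Ace("Staff", "Allow", frozenset({"Read", "Execute"})),
    Ace("Finance", "Allow", frozenset({"Read", "Write", "Delete"})),
    Ace("Contractors", "Deny", frozenset({"Write"})),
]

if __name__ == "__main__":
    # alice is in all three groups: Finance's Write is cancelled by Contractors' Deny.
    print(sorted(effective_rights("alice", {"Staff", "Finance", "Contractors"}, SAMPLE_ACL)))
```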
Active Directory Interview Questions and answers
Active Directory Overview
What is Active Directory?
An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996. It was first used with Windows 2000.
An active directory (sometimes referred to as an AD) does a variety of functions including the ability to provide information on objects, helps organize these objects for easy retrieval and access, allows access by end users and administrators and allows the administrator to set up security for the directory.
Active Directory is a hierarchical collection of network resources that can contain users, computers, printers, and other Active Directories. Active Directory Services (ADS) allow administrators to handle and maintain all network resources from a single location. Active Directory stores information and settings in a central database.
What is LDAP?
The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP. Although not yet widely implemented, LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain directory information, such as email addresses and public keys. Because LDAP is an open protocol, applications need not worry about the type of server hosting the directory.
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
- Yes, you can connect other vendors' Directory Services with Microsoft's version.
- Yes, you can use dirXML or LDAP to connect to other directories (i.e. E-directory from Novell or NDS (Novell Directory System)).
- Yes, you can connect Active Directory to other 3rd-party Directory Services such as the directories used by SAP, Domino etc. with the help of MIIS (Microsoft Identity Integration Server).
Where is the AD database held? What other folders are related to AD?
The AD database is saved in %systemroot%/ntds. You can see other files also in this folder. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've discussed.
What is the SYSVOL folder?
- All Active Directory database security related information is stored in the SYSVOL folder, and it is only created on an NTFS partition.
- The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.
This is a quote from Microsoft themselves; basically the domain controller info stored in files, like your group policy stuff, is replicated through this folder structure.
Name the AD NCs and replication issues for each NC
Schema NC, Configuration NC, Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
What are application partitions? When do I use them?
Application directory partitions: These are specific to Windows Server 2003 domains. An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
How do you create a new application partition?
http://wiki.answers.com/Q/How_do_you_create_a_new_application_partition
How do you view replication properties for AD partitions and DCs?
By using replication monitor: go to Start > Run > type replmon.
What is the Global Catalog?
The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest.
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.
How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services, and nslookup gc._msdcs.%USERDNSDOMAIN%
Why not make all DCs in a large forest GCs?
The reason that all DCs are not GCs to start with is that in large (or even giant) forests the DCs would all have to hold a reference to every object in the entire forest, which could be quite large and quite a replication burden.
For a few hundred, or even a few thousand users, this is not likely to matter unless you have really poor WAN links.
Trying to look at the Schema, how can I do that?
adsiedit.exe has an option to view the schema. Alternatively, register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc -> add snap-in -> add Active Directory Schema. Name it schema.msc. Open Administrative Tools -> schema.msc.
What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing complicated tasks easily. These can also be third-party tools. Some of the Support Tools include DebugViewer, DependencyViewer, RegistryMonitor, etc. - edit by Casquehead: I believe this question is referring to the Windows Server 2003 Support Tools, which are included with Microsoft Windows Server 2003 Service Pack 2. They are also available for download here:
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
You need them because you cannot properly manage an Active Directory network without them. Here they are; it would do you well to familiarize yourself with all of them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
ADSI Edit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool:
• ADSIEDIT.DLL
• ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) is necessary.
A: Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its command line counterparts. The purpose of this document is to guide you in how to use it, list some common replication errors and show some examples of when replication issues can stop other network installation actions.
For more go to http://www.techtutorials.net/articles/replmon_howto_a.html
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
A: Enables administrators to manage Active Directory domains and trust relationships from the command prompt.
Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
REPADMIN.EXE is a command line tool used to monitor and troubleshoot replication on a computer running Windows. This is a command line tool that allows you to view the replication topology as seen from the perspective of each domain controller.
REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since Exchange Server is Active Directory based.
REPADMIN doesn't actually fix replication problems for you. But you can use it to help determine the source of a malfunction.
What are sites? What are they used for?
Active Directory sites, which consist of well-connected networks defined by IP subnets that help define the physical structure of your AD, give you much better control over replication traffic and authentication traffic than the control you get with Windows NT 4.0 domains.
Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites.
What's the difference between a site link's schedule and interval?
The schedule enables you to list the weekdays or hours when the site link is available for replication to happen at the given interval. The interval is the recurrence of the inter-site replication, in minutes. It ranges from 15 to 10,080 mins. The default interval is 180 mins.
What is the KCC?
The KCC is a built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.
What is the ISTG? Who has that role by default?
The Intersite Topology Generator (ISTG) is responsible for the connections among the sites. By default Windows 2003 forest level functionality has this role. By default the first server has this role. If that server can no longer perform this role then the next server with the highest GUID takes over the role of ISTG.
What are the requirements for installing AD on a new server?
• An NTFS partition with enough free space (250MB minimum)
• An Administrator's username and password
• The correct operating system version
• A NIC
• Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
• A network connection (to a hub or to another computer via a crossover cable)
• An operational DNS server (which can be installed on the DC itself)
• A domain name that you want to use
• The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
From the Petri IT Knowledge base. For more info, follow this link:
http://www.petri.co.il/active_directory_installation_requirements.htm
What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
First available in Windows 2003: you create a copy of the system state from an existing DC and copy it to the new remote server. Run "Dcpromo /adv". You will be prompted for the location of the system state files.
How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
Demote the server using dcpromo /forceremoval, then remove the metadata from Active Directory using ntdsutil. There is no way to get user passwords from AD that I am aware of, but you should still be able to change them.
Another way out:
Restart the DC in DSRM mode.
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode.
It's a member server now, but the AD entries are still there. Promote the server to a fake domain, say ABC.com, and then remove it gracefully using DCpromo. Otherwise, after the restart you can also use ntdsutil to do the metadata cleanup as told in the earlier post.
What tool would I use to try to grab security related packets from the wire?
You must use sniffer-detecting tools to help stop the snoops. A good packet sniffer would be "ethereal":
www.ethereal.com
Name some OU design considerations.
OU design requires balancing requirements for delegating administrative rights - independent of Group Policy needs - and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
Applying Group Policy: An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
Delegating administrative authority: usually don't go more than 3 OU levels deep.
What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NC; by default it is 60 days on 2000 and 180 days on 2003.
What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
If you plan to install Windows 2003 server domain controllers into an existing Windows 2000 domain or upgrade Windows 2000 domain controllers to Windows Server 2003, you first need to run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep /forestprep command must first be issued on the Windows 2000 server holding the schema master role in the forest root domain to prepare the existing schema to support Windows 2003 Active Directory. The adprep /domainprep command must be issued on the server holding the infrastructure master role in the domain where the 2003 server will be deployed.
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
A. If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).
How would you find all users that have not logged on since last month?
http://wiki.answers.com/Q/How_would_you_find_all_users_that_have_not_logged_on_since_last_month
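The linked answer is not reproduced on this page. As an added example (not from the page or from wiki.answers), here is the core of that query in Python: converting the lastLogonTimestamp FILETIME attribute, building the matching LDAP filter, and filtering constructed user records against a 30-day cutoff. The account names, dates and records are constructed.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# lastLogonTimestamp is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
UTC = timezone.utc


def filetime_to_datetime(ft: int) -> datetime | None:
    """FILETIME integer -> aware UTC datetime; 0 means the attribute was never set."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME integer, using integer arithmetic to avoid float drift."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def ldap_filter_for_cutoff(cutoff: datetime) -> str:
    """LDAP filter selecting enabled user objects not seen since the cutoff.
    Caveat: lastLogonTimestamp replicates only when it is older than the domain's
    msDS-LogonTimeSyncInterval (14 days by default), so treat the result as accurate
    to about two weeks; lastLogon is exact but held per DC and not replicated."""
    ft = datetime_to_filetime(cutoff)
    return (
        "(&(objectCategory=person)(objectClass=user)"
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"   # bit 2 = ACCOUNTDISABLE
        f"(|(lastLogonTimestamp<={ft})(!(lastLogonTimestamp=*))))"
    )


def stale_users(records: list[dict], now: datetime, max_age_days: int = 30) -> list[str]:
    """Accounts whose last replicated logon is older than the cutoff, or absent."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for rec in records:
        last = filetime_to_datetime(int(rec.get("lastLogonTimestamp", 0)))
        if last is None or last < cutoff:
            stale.append(rec["sAMAccountName"])
    return stale


# Constructed sample export, in the shape a dsquery/ldifde run would produce.
SAMPLE_RECORDS = [
    {"sAMAccountName": "alice",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2024, 2, 25, 9, 0, tzinfo=UTC))},
    {"sAMAccountName": "bob",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2024, 1, 10, 17, 30, tzinfo=UTC))},
    {"sAMAccountName": "carol",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2024, 1, 30, 23, 0, tzinfo=UTC))},
    {"sAMAccountName": "svc_backup", "lastLogonTimestamp": 0},   # never logged on
]
NOW = datetime(2024, 3, 1, tzinfo=UTC)   # constructed "today"

if __name__ == "__main__":
    print(stale_users(SAMPLE_RECORDS, NOW))
    print(ldap_filter_for_cutoff(NOW - timedelta(days=30)))
```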
What are the DS commands?
The new DS (Directory Service) family of built-in command line utilities for Windows Server 2003 Active Directory.
New DS built-in tools for Windows Server 2003:
The DS (Directory Service) group of commands is split into two families. In one branch are DSadd, DSmod, DSrm and DSMove, and in the other branch are DSQuery and DSGet. When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice. The DS family of built-in command line executables offers alternative strategies to CSVDE, LDIFDE and VBScript.
Let me introduce you to the members of the DS family:
DSadd - add Active Directory users and groups
DSmod - modify Active Directory objects
DSrm - delete Active Directory objects
DSmove - relocate objects
DSquery - find objects that match your query attributes
DSget - list the properties of an object
What are the FSMO roles? Who has them by default? What happens when each one fails?
FSMO stands for Flexible Single Master Operation.
It has 5 roles:
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
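An added example (not from the page) that checks the placement rules stated above against a constructed forest inventory: one holder per forest-wide role, one holder per domain-wide role in each domain, and no Infrastructure Master on a GC unless every DC in that domain is a GC. The DC names, domain names and role assignments are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

FOREST_ROLES = ("SchemaMaster", "DomainNamingMaster")
DOMAIN_ROLES = ("RIDMaster", "PDCEmulator", "InfrastructureMaster")


@dataclass
class DC:
    """Inventory record for one domain controller."""
    name: str
    domain: str
    is_gc: bool
    roles: set = field(default_factory=set)


def check_fsmo_placement(dcs: list[DC]) -> list[str]:
    """Return one finding per violated rule; an empty list means the placement is sound."""
    findings = []
    # Forest-wide roles: exactly one holder anywhere in the forest.
    for role in FOREST_ROLES:
        holders = [dc.name for dc in dcs if role in dc.roles]
        if len(holders) != 1:
            findings.append(f"{role}: expected one holder in the forest, found {holders}")
    # Domain-wide roles: exactly one holder per domain.
    for domain in sorted({dc.domain for dc in dcs}):
        members = [dc for dc in dcs if dc.domain == domain]
        for role in DOMAIN_ROLES:
            holders = [dc.name for dc in members if role in dc.roles]
            if len(holders) != 1:
                findings.append(f"{domain}/{role}: expected one holder, found {holders}")
        # An Infrastructure Master on a GC stops updating cross-domain references,
        # unless every DC in the domain is a GC (then no DC needs the updates).
        im = [dc for dc in members if "InfrastructureMaster" in dc.roles]
        if len(im) == 1 and im[0].is_gc and not all(dc.is_gc for dc in members):
            non_gc = [dc.name for dc in members if not dc.is_gc]
            findings.append(
                f"{domain}/InfrastructureMaster: {im[0].name} is a GC but {non_gc} "
                "are not; cross-domain references will not be updated"
            )
    return findings


# Constructed forest: the root domain is placed correctly, the child domain has its IM on a GC.
SAMPLE_FOREST = [
    DC("ROOT-DC1", "corp.example", True,
       {"SchemaMaster", "DomainNamingMaster", "RIDMaster", "PDCEmulator"}),
    DC("ROOT-DC2", "corp.example", False, {"InfrastructureMaster"}),
    DC("EMEA-DC1", "emea.corp.example", True,
       {"RIDMaster", "PDCEmulator", "InfrastructureMaster"}),
    DC("EMEA-DC2", "emea.corp.example", False),
]

if __name__ == "__main__":
    for finding in check_fsmo_placement(SAMPLE_FOREST):
        print(finding)
```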
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
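The domain SID + RID construction and the RID pool mechanics described above, as an added example that is not from the page: a toy RID master hands out disjoint blocks to DCs, and each DC requests a new block once its pool falls below a threshold. The domain SID, the threshold and the class names are constructed; the 500-RID block size mirrors the Windows default but the rest is illustrative only.

```python
from __future__ import annotations


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-<d1>-<d2>-<d3>-<rid>' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain security-principal SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


class RidMaster:
    """The one DC per domain that hands out disjoint RID blocks from the unallocated pool."""

    def __init__(self, first_rid: int = 1000, block_size: int = 500):
        self.next_rid = first_rid        # RIDs below 1000 are reserved for well-known principals
        self.block_size = block_size
        self.blocks_issued = 0

    def allocate_block(self) -> range:
        block = range(self.next_rid, self.next_rid + self.block_size)
        self.next_rid += self.block_size
        self.blocks_issued += 1
        return block


class DomainController:
    """Any DC: creates principals from its own RID pool and refills it from the RID master."""

    def __init__(self, name: str, domain_sid: str, rid_master: RidMaster, threshold: int = 100):
        self.name = name
        self.domain_sid = domain_sid
        self.rid_master = rid_master
        self.threshold = threshold
        self.pool: list[int] = []        # RIDs not yet assigned from the blocks this DC owns
        self.requests = 0

    def _request_more(self) -> None:
        self.pool.extend(self.rid_master.allocate_block())
        self.requests += 1

    def create_principal(self) -> str:
        # Ask before the pool runs dry: if the RID master is unreachable at that moment,
        # the DC can keep creating principals until the remaining RIDs are used up.
        if len(self.pool) <= self.threshold:
            self._request_more()
        rid = self.pool.pop(0)
        return f"{self.domain_sid}-{rid}"


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID


def simulate(counts: dict[str, int]) -> dict[str, list[str]]:
    """Create the given number of principals on each named DC, all sharing one RID master."""
    master = RidMaster()
    dcs = {name: DomainController(name, DOMAIN_SID, master) for name in counts}
    return {name: [dcs[name].create_principal() for _ in range(n)] for name, n in counts.items()}


if __name__ == "__main__":
    sids = simulate({"DC1": 600, "DC2": 10})
    print(sids["DC1"][0], sids["DC1"][-1], sids["DC2"][0])
```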
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
• Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
• Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
• Account lockout is processed on the PDC emulator.
• Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
• The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.
What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different from the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
• What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders.
The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:
• Schema master – The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
• Domain naming master – The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
• RID master – The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.
• PDC emulator – The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords.
• Infrastructure master – The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:
• An administrator reassigns the role by using a GUI administrative tool.
• An administrator reassigns the role by using the ntdsutil /roles command.
• An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.
We recommend that you transfer FSMO roles in the following scenarios:
• The current role holder is operational and can be accessed on the network by the new FSMO owner.
• You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
• The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master role.
We recommend that you seize FSMO roles in the following scenarios:
• The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
• A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
• The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.
As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain and that last inbound-replicated, or recently inbound-replicated, a writable copy of the "FSMO partition" from the existing role holder. For example, the Schema master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=<forest root domain>, and this means that the role resides in and is replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds.
A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers, or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command.
The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.
Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER. Note: To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Seize FSMO roles
To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to seize the Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being seized.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
Notes
o Under typical conditions, all five roles must be assigned to "live" domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, click the following article number to view the article in the Microsoft Knowledge Base: 223346 (http://support.microsoft.com/kb/223346/) FSMO placement and optimization on Windows 2000 domain controllers
o If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/) How to remove data in Active Directory after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.
o Some customers prefer not to restore system state backups of FSMO role-holders in case the role has been reassigned since the backup was made.
o Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.
To test whether a domain controller is also a global catalog server:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.
For more information about FSMO roles, click the following article numbers to view the articles in the Microsoft Knowledge Base:
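As an added example (not part of the Knowledge Base text above), the following PowerShell audits the five role holders, checks whether each is reachable before you decide between transfer and seizure, and flags the Infrastructure master/global catalog overlap from the notes. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later); TARGET-DC is a placeholder, and the Move-ADDirectoryServerOperationMasterRole calls are left commented because they change the forest.

```powershell
# Added example, not from the original interview answers. Assumes the
# ActiveDirectory module; the text above uses ntdsutil, which still works.
Import-Module ActiveDirectory

# 1. Forest-wide roles live on the forest object, domain-wide roles on the domain.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    'SchemaMaster'         = $forest.SchemaMaster
    'DomainNamingMaster'   = $forest.DomainNamingMaster
    'PDCEmulator'          = $domain.PDCEmulator
    'RIDMaster'            = $domain.RIDMaster
    'InfrastructureMaster' = $domain.InfrastructureMaster
}

# 2. Reachability: a role whose holder answers on the network should be
#    transferred, never seized (seizure risks two DCs owning the same role).
foreach ($entry in $roles.GetEnumerator()) {
    $alive = Test-Connection -ComputerName $entry.Value -Count 1 -Quiet
    "{0,-22} {1,-35} reachable={2}" -f $entry.Key, $entry.Value, $alive
}

# 3. Placement check from the notes: the Infrastructure master should not sit on
#    a global catalog server. (When every DC in the domain is a GC there are no
#    cross-domain references left to update, so the overlap is harmless then.)
$dcs    = Get-ADDomainController -Filter *
$imHost = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($imHost.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure master $($imHost.HostName) is a GC while other DCs are not."
}

# 4. Graceful transfer (old holder online and reachable). TARGET-DC is a placeholder.
# Move-ADDirectoryServerOperationMasterRole -Identity 'TARGET-DC' `
#     -OperationMasterRole RIDMaster, PDCEmulator, InfrastructureMaster
#
#    Seizure (old holder permanently gone): -Force is the scripted equivalent of
#    ntdsutil "seize". The seized-from DC must not be reconnected to the forest.
# Move-ADDirectoryServerOperationMasterRole -Identity 'TARGET-DC' `
#     -OperationMasterRole SchemaMaster -Force
```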
• How do you configure a "stand-by operation master" for any of the roles?
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
• How do you backup AD?
Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides.
You should frequently back up the system state data on domain controllers so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary.
To ensure a good backup that includes at least the system state data and the contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days. Any backup older than 60 days is not a good backup. Plan to back up at least two domain controllers in each domain, keeping at least one backup to enable an authoritative restore of the data when necessary.
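An added example, not from the original text, that turns the tombstone lifetime rule above into a check: it reads the forest's actual tombstoneLifetime (falling back to the 60-day default when the attribute is absent) and tests constructed sample backup dates against it. It assumes the ActiveDirectory PowerShell module; the backup timestamps are made-up sample values.

```powershell
# Added example, not part of the original answer. Assumes the ActiveDirectory
# module; the backup timestamps below are constructed sample values.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition. When the attribute is absent the forest uses the
    # default of 60 days; newer forests set it explicitly, so read it rather
    # than assume.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                       -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-BackupUsable {
    param(
        [Parameter(Mandatory)][datetime]$BackupTime,
        [int]$TombstoneLifetimeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    # A backup older than the tombstone lifetime must not be restored: deletions
    # made since then have already been purged from the live DCs, so the restored
    # DC would reintroduce objects the rest of the domain no longer knows about.
    $ageDays = ($Now - $BackupTime).TotalDays
    [pscustomobject]@{
        BackupTime = $BackupTime
        AgeDays    = [math]::Round($ageDays, 1)
        Usable     = $ageDays -lt $TombstoneLifetimeDays
    }
}

$tsl = Get-TombstoneLifetimeDays
"Tombstone lifetime: $tsl days"

# Constructed samples: one backup 10 days old (usable) and one 4 months old
# (older than a 60-day tombstone lifetime, so not usable).
$samples = @(
    (Get-Date).AddDays(-10),
    (Get-Date).AddMonths(-4)
)
$samples | ForEach-Object { Test-BackupUsable -BackupTime $_ -TombstoneLifetimeDays $tsl } |
    Format-Table -AutoSize
```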
System State Data
Several features in the Windows Server 2003 family make it easy to back up Active Directory. You can back up Active Directory while the server is online, and other network functions can continue to operate.
System state data on a domain controller includes the following components:
Active Directory: System state data does not contain Active Directory unless the server on which you are backing up the system state data is a domain controller. Active Directory is present only on domain controllers.
The SYSVOL shared folder: This shared folder contains Group Policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.
The Registry: This database repository contains information about the computer's configuration.
System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under Windows File Protection and are used by Windows to load, configure, and run the operating system.
The COM+ Class Registration database: The Class Registration database is a database of information about Component Services applications.
The Certificate Services database: This database contains certificates that a server running Windows Server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.
System state data contains most elements of a system's configuration, but it may not include all of the information that you require to recover data from a system failure. Therefore, be sure to back up all boot and system volumes, including the System State, when you back up your server.
• How do you restore AD?
Restoring Active Directory:
In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted.
Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner. Once the replication is finished, each partner has an updated version of Active Directory. There is another way to get these latest updates: use the Backup utility to restore replicated data from a backup copy. For this restore you do not need to configure your domain controller again or install the operating system from scratch.
Active Directory Restore Methods:
You can use one of three methods to restore Active Directory from backup media: primary restore, normal (non-authoritative) restore, and authoritative restore.
Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup.
Members of the Administrators group can perform the primary restore on the local computer, or a user must have been delegated the responsibility to perform the restore. On a domain controller only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore to return a single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain.
Perform an authoritative restore of individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup. Ntdsutil is a command-line utility used to perform an authoritative restore along with the Windows Server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version number; recently changed data on other domain controllers then does not overwrite the restored system state data during replication.
METHOD A.
You can't restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps.
Reboot the computer.
At the boot menu, select Windows 2000 Server. Don't press Enter. Instead, press F8 for advanced options. You'll see the following text:
OS Loader V5.0
Windows NT Advanced Options Menu
Please select an option:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers only)
Debugging Mode
Use the up and down arrow keys to move the highlight to your choice.
Press Enter to choose.
Scroll down, and select Directory Services Restore Mode (Windows NT domain controllers only).
Press Enter.
When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of the screen, you'll see in red text Directory Services Restore Mode (Windows NT domain controllers only).
The computer will boot into a special safe mode and won't start the DS. Be aware that during this time the machine won't act as a DC and won't perform functions such as authentication.
Start NT Backup.
Select the Restore tab.
Select the backup media, and select System State.
Click Start Restore.
Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; sometimes it takes a 30-minute wait on some machines.
• How do you change the DS Restore admin password?
When you promote a Windows 2000 Server-based computer to a domain controller, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion.
The Administrator password that you use when you start Recovery Console or when you press F8 to start Directory Service Restore Mode is stored in the registry-based Security Accounts Manager (SAM) on the local computer. The SAM is located in the \System32\Config folder. The SAM-based account and password are computer specific and they are not replicated to other domain controllers in the domain.
For ease of administration of domain controllers or for additional security measures, you can change the Administrator password for the local SAM. To change the local Administrator password that you use when you start Recovery Console or when you start Directory Service Restore Mode, use the following method.
1. Log on to the computer as the administrator or a user who is a member of the Administrators group.
2. Shut down the domain controller on which you want to change the password.
3. Restart the computer. When the selection menu screen is displayed during restart, press F8 to view advanced startup options.
4. Click the Directory Service Restore Mode option.
5. After you log on, use one of the following methods to change the local Administrator password:
• At a command prompt, type the following command (the trailing * makes net user prompt for the new password instead of echoing it on the command line):
net user administrator *
• Use the Local Users and Groups snap-in (Lusrmgr.msc) to change the Administrator password.
6. Shut down and restart the computer. You can now use the Administrator account to log on to Recovery Console or Directory Services Restore Mode using the new password.
• Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone lifetime, which is set to only 60 days.
• What are GPOs?
Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 to continually enforce the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.
Group Policy Advantages
You can assign Group Policy in domains, sites and organizational units.
All users and computers in the domain, site or organizational unit are affected by its Group Policy settings.
No one in the network has rights to change the settings of Group Policy; by default only the administrator has full privilege to change them, so it is very secure.
Policy settings can be removed and the changes can later be rewritten.
Where GPOs store Group Policy Information
Group Policy objects store their Group Policy information in two locations:
Group Policy Container: The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers can access the GPC to locate Group Policy templates, and if a domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is systemroot\SYSVOL\sysvol.
Managing GPOs
To avoid conflicts in replication, consider the selection of domain controller, especially because the GPO data resides in both the SYSVOL folder and Active Directory. Active Directory uses two independent replication techniques to replicate GPO data among all domain controllers in the domain. Whether one administrator's changes can overwrite those made by another administrator depends on the replication latency. By default the Group Policy Management Console uses the PDC Emulator so that all administrators work on the same domain controller.
WMI Filter
WMI filters are used to narrow the scope of GPOs based on attributes of the user or computer. In this way, you can increase the GPO filtering capabilities beyond the security group filtering mechanisms that were previously available.
A WMI filter can be linked to a GPO. When you apply a GPO to the destination computer, Active Directory evaluates the filter on the destination computer. A WMI filter has a few queries that Active Directory evaluates against the WMI repository of the destination computer. If the set of queries is false, Active Directory does not apply the GPO. If the set of queries is true, Active Directory applies the GPO. You write the query by using the WMI Query Language (WQL); this language is similar to SQL for querying the WMI repository.
Planning a Group Policy Strategy for the Enterprise
When you plan an Active Directory structure, create a plan for GPO inheritance, administration, and deployment that provides the most efficient Group Policy management for your organization. Also consider how you will implement Group Policy for the organization. Be sure to consider the delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility so that your plan will provide for ease of use as well as administration.
Planning GPOs
Create GPOs in a way that provides for the simplest and most manageable design, one in which you can use inheritance and multiple links.
Guidelines for Planning GPOs
Apply GPO settings at the highest level: This way, you take advantage of Group Policy inheritance. Determine what the common GPO settings for the largest container are, starting with the domain, and then link the GPO to this container.
Reduce the number of GPOs: You reduce the number by using multiple links instead of creating multiple identical GPOs. Try to link a GPO to the broadest container possible to avoid creating multiple links of the same GPO at a deeper level.
Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a higher level will not apply the settings in these specialized GPOs.
Disable computer or user configuration settings: When you create a GPO to contain settings for only one of the two levels, user and computer, disable the unused level; this speeds up logon and prevents accidental GPO settings from being applied to the other area.
• What is the order in which GPOs are applied?
Local, Site, Domain, OU. Group Policy settings are processed in the following order:
1. Local Group Policy object: each computer has exactly one Group Policy object that is stored locally. This is processed for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
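As an added illustration (not part of the original answer), the following plain PowerShell models the processing order above: levels in Local, Site, Domain, OU order, OUs from the top of the hierarchy down, the lowest link order within a container processed last, and later GPOs overwriting earlier ones only where settings conflict. It needs no AD module; the GPO links and setting names are constructed sample data.

```powershell
# Added example, not from the original answer. No AD module required: the links
# below are constructed sample data for a user in OU=Sales,OU=Corp.

function Resolve-GpoOrder {
    param([Parameter(Mandatory)][object[]]$Links)  # Level, OuDepth, Order, Gpo, Settings
    # Processing order: Local, Site, Domain, then OUs from the top of the
    # hierarchy (OuDepth 1) down to the OU containing the user or computer.
    # Within one container the LOWEST link order is processed LAST, so it wins.
    $levelRank = @{ Local = 0; Site = 1; Domain = 2 }
    $ordered = $Links | Sort-Object -Property @(
        @{ Expression = { if ($levelRank.ContainsKey($_.Level)) { $levelRank[$_.Level] } else { 3 } } },
        @{ Expression = 'OuDepth' },
        @{ Expression = 'Order'; Descending = $true }
    )
    # Later GPOs overwrite earlier ones on conflict; non-conflicting settings aggregate.
    $effective = [ordered]@{}
    $winner    = [ordered]@{}
    foreach ($link in $ordered) {
        foreach ($kv in $link.Settings.GetEnumerator()) {
            $effective[$kv.Key] = $kv.Value
            $winner[$kv.Key]    = $link.Gpo
        }
    }
    [pscustomobject]@{
        ProcessingOrder = @($ordered | ForEach-Object { "$($_.Level):$($_.Gpo)" })
        Effective       = $effective
        WinningGpo      = $winner
    }
}

# Two GPOs are linked at the domain; "Default Domain" has link order 1, so it is
# processed after "Domain-Baseline" and wins their ScreenSaverTimeout conflict.
$links = @(
    [pscustomobject]@{ Level='Local';  OuDepth=0; Order=1; Gpo='Local';           Settings=@{ Wallpaper='blue'; ScreenSaverTimeout=900 } }
    [pscustomobject]@{ Level='Site';   OuDepth=0; Order=1; Gpo='HQ-Site';         Settings=@{ Wallpaper='green' } }
    [pscustomobject]@{ Level='Domain'; OuDepth=0; Order=2; Gpo='Domain-Baseline'; Settings=@{ ScreenSaverTimeout=600; RemovableStorage='deny' } }
    [pscustomobject]@{ Level='Domain'; OuDepth=0; Order=1; Gpo='Default Domain';  Settings=@{ ScreenSaverTimeout=300 } }
    [pscustomobject]@{ Level='OU';     OuDepth=1; Order=1; Gpo='Corp-Desktop';    Settings=@{ Wallpaper='corp' } }
    [pscustomobject]@{ Level='OU';     OuDepth=2; Order=1; Gpo='Sales-Desktop';   Settings=@{ Wallpaper='sales' } }
)

$result = Resolve-GpoOrder -Links $links
'Processing order: ' + ($result.ProcessingOrder -join ' -> ')
# Expected: Wallpaper=sales (Sales-Desktop), ScreenSaverTimeout=300 (Default Domain),
# RemovableStorage=deny (Domain-Baseline, aggregated because nothing later conflicts).
$result.Effective.GetEnumerator() | ForEach-Object {
    '{0,-20} = {1,-6} (from {2})' -f $_.Key, $_.Value, $result.WinningGpo[$_.Key]
}
```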
• Name a few benefits of using GPMC.
Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:
• Easy administration of all GPOs across the entire Active Directory Forest
• View of all GPOs in one single list
• Reporting of GPO settings, security, filters, delegation, etc.
• Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
• Delegation model
• Backup and restore of GPOs
• Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you want to protect the GPOs from the following:
• Role-based delegation of GPO management
• Being edited in production, potentially causing damage to desktops and servers
• Forgetting to back up a GPO after it has been modified
• Change management of each modification to every GPO
• How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
Simply use the Group Policy Management Console created by MS for that very purpose; it allows you to run simulated policies on computers or users to determine what policies are enforced.
Link in sources
• What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment.
Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines. An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified "namespace" in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).
Two points worth knowing: settings that write under HKLM\Software\Policies or HKCU\Software\Policies are "true" policies, stored in keys ordinary users cannot write and removed again when the GPO no longer applies, whereas a template that writes elsewhere leaves ("tattoos") the value on the machine. From Windows Vista and Windows Server 2008 onward the XML-based ADMX/ADML format replaces ADM, and templates are normally kept in a central store at \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions so that every administrator's editor sees the same set.
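Because a template decides which registry locations a GPO can write, a third-party ADM file is worth reading before it is imported. The following is an added example, not from the original page: a small parser for the KEYNAME/VALUENAME subset of the classic ADM grammar, run over a constructed template, which lists every registry target and flags the ones that would tattoo the machine.

```powershell
# Added example, not from the original page. The ADM text below is constructed for
# the demonstration and covers only the CLASS/CATEGORY/POLICY/KEYNAME/VALUENAME
# subset of the grammar (VALUEON/VALUEOFF, PART and EXPLAIN lines are ignored).
$admText = @'
CLASS MACHINE
CATEGORY "Example Vendor"
  POLICY "Disable telemetry agent"
    KEYNAME "Software\Policies\ExampleVendor\Agent"
    EXPLAIN "Stops the agent from sending usage data."
    VALUENAME "Telemetry"
    VALUEON NUMERIC 0
    VALUEOFF NUMERIC 1
  END POLICY
  POLICY "Legacy update URL"
    KEYNAME "Software\ExampleVendor\Agent"
    VALUENAME "UpdateUrl"
  END POLICY
END CATEGORY
CLASS USER
CATEGORY "Example Vendor"
  POLICY "Hide agent tray icon"
    KEYNAME "Software\Policies\ExampleVendor\Agent"
    VALUENAME "HideTray"
  END POLICY
END CATEGORY
'@

function Get-AdmRegistryTargets {
    param([Parameter(Mandatory)][string]$Adm)
    $hive = $null; $policy = $null; $key = $null
    foreach ($raw in $Adm -split "`r?`n") {
        $line = $raw.Trim()
        switch -Regex ($line) {
            # CLASS picks the hive: MACHINE policies land in HKLM, USER policies in HKCU
            '^CLASS\s+(MACHINE|USER)' { $hive = if ($Matches[1] -eq 'MACHINE') { 'HKLM' } else { 'HKCU' } }
            '^POLICY\s+"(.+)"'        { $policy = $Matches[1]; $key = $null }
            '^KEYNAME\s+"(.+)"'       { $key = $Matches[1] }
            '^VALUENAME\s+"(.+)"'     {
                [pscustomobject]@{
                    Hive       = $hive
                    Policy     = $policy
                    Key        = $key
                    ValueName  = $Matches[1]
                    # Only the Software\Policies subtree is a "true" policy that is
                    # cleaned up when the GPO goes away; anything else is tattooed.
                    TruePolicy = $key -like 'Software\Policies\*'
                }
            }
        }
    }
}

Get-AdmRegistryTargets -Adm $admText | Format-Table -AutoSize
```

In the constructed template, "Legacy update URL" writes to Software\ExampleVendor rather than Software\Policies and is reported with TruePolicy = False: a value like that stays on every machine after the GPO is unlinked and, since it names a download location, is exactly the kind of setting to question before deploying the template.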
• What's the difference between software publishing and assigning?
An administrator can either assign or publish software applications.
Assign to users: The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the Start menu, or accesses a file that has been associated with the software application.
Assign to computers: The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted, before any user logs on.
Publish to users: The software application does not appear on the Start menu or desktop, so the user may not know that the software is available. It is made available via the Add/Remove Programs option in Control Panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.
In every case the package is read from a network share and installed on the client with system privileges, so the share and the .msi files on it must be writable only by the administrators who maintain them: anyone who can replace the package can run code as SYSTEM on every targeted computer.
How to create a third-party Microsoft Installer package:
http://support.microsoft.com/kb/257718
• You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
The traditional answer is a mandatory profile: log on to a client with a template account, configure everything (wallpaper, Start menu, printers and so on), then go to System > Advanced > User Profiles, copy this user profile to a share, granting Everyone (or better, the department's group) permission to use it, rename NTUSER.DAT in the copy to NTUSER.MAN so that changes are discarded at logoff, and assign the share path as the profile path on each user account. Build the template with an ordinary account rather than a Domain Admin logon, so that nothing privileged (cached credentials, administrative shortcuts) ends up in the copied profile.
The more maintainable answer is a GPO linked to the department's OU: the Desktop wallpaper setting under User Configuration > Administrative Templates, Folder Redirection for Documents, Start menu settings, and Deployed Printers (or Group Policy Preferences) for printers. A GPO can be changed centrally without touching the profile share.
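The mandatory-profile variant as an added example, not from the original answer. It assumes the profile has already been copied to a share; the share, OU and group names are placeholders. The point it adds is the profile folder version suffix: Windows looks for the folder with the suffix but the account stores the path without it.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory RSAT module
# and that the template profile was already copied to \\fs01\Profiles\Finance.V6.
Import-Module ActiveDirectory

$share  = '\\fs01\Profiles\Finance'       # value stored on the accounts: no suffix
$ou     = 'OU=Finance,DC=corp,DC=example'
# Windows appends a version suffix to the folder it actually reads:
# .V2 for Vista/7/2008 R2, .V3/.V4 for 8/8.1, .V6 for Windows 10 and later.
$folder = "$share.V6"

# Renaming the hive makes the profile mandatory: changes are thrown away at logoff
Rename-Item -Path (Join-Path $folder 'NTUSER.DAT') -NewName 'NTUSER.MAN'

# Users read the template, only admins and SYSTEM may write it. Inheritance is cut
# so that a permissive share root (Everyone:Modify) does not leak in.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($rule in @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',  'FullControl',    $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('CORP\Domain Admins',   'FullControl',    $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('CORP\Finance-Staff',   'ReadAndExecute', $inherit, 'None', 'Allow')
)) { $acl.AddAccessRule($rule) }
Set-Acl -Path $folder -AclObject $acl

# Point every account in the department at the profile (path without the suffix)
Get-ADUser -SearchBase $ou -Filter * | Set-ADUser -ProfilePath $share

# Confirm
Get-ADUser -SearchBase $ou -Filter * -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath
```

If the suffix does not match the client's Windows version, the client silently falls back to a local profile and the standardization never takes effect, which is the first thing to check when "the mandatory profile is not applying".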
Active Directory Interview Question and Answers
Posted by admin in Active Directory, Interview Prep, Interview Questions, MCT, Microsoft, Windows 2003, Windows 2008, Windows 2008 R2
What is Active Directory?
Active Directory is Microsoft's directory service: a replicated, LDAP-accessible database of users, computers, groups and other network objects, together with the services built on it (the Kerberos KDC, DNS integration, Group Policy) that authenticate those principals and manage the computers and users joined to the domain.
What is domain?
An Active Directory domain is a partition of the directory and an administrative and replication boundary: a set of users, computers and groups that share one directory database (replicated among the domain's domain controllers), one set of account policies (password, lockout, Kerberos) and one DNS name. The registry definition (a named collection of hosts and subdomains registered under a unique name) describes a DNS domain, which an AD domain is built on but is not the same thing. Note that the forest, not the domain, is the security boundary, because administrators of any domain in a forest can ultimately gain control of the others.
What is domain controller?
A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
What is LDAP?
Lightweight Directory Access Protocol. LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2, on TCP 389 (and TCP 636 for LDAP over TLS). Because simple binds on port 389 send the password in clear text, domain controllers should require LDAP signing and channel binding, and applications should use LDAPS or SASL (Kerberos) binds.
What is KCC?
KCC (Knowledge Consistency Checker) is the process on every domain controller that generates the replication topology, both for intersite replication and for intrasite replication. Within a site, replication traffic is carried by remote procedure calls over IP, while between sites it is done through either RPC over IP or SMTP (SMTP can only carry the schema, configuration and global catalog partitions, not a domain partition).
Where is the AD database held? What other folders are related to AD?
The AD database is stored by default in C:\Windows\NTDS\NTDS.DIT. The same folder holds the ESE transaction logs (edb*.log), the checkpoint file (edb.chk) and temp.edb, and C:\Windows\SYSVOL holds the replicated Group Policy templates and scripts. Both locations are chosen at promotion time and can be moved later with ntdsutil.
What is the use of SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files: the Group Policy templates (the file-system part of each GPO) and logon, logoff, startup and shutdown scripts. The contents of the SYSVOL folder are replicated to all domain controllers in the domain and shared as \\<domain>\SYSVOL.
What is LSDOU?
It's the Group Policy inheritance model, where policies are applied in the order Local machine, Site, Domain and Organizational Units (parent OU before child OU), with later GPOs overriding earlier ones on conflict.
What is lost & found folder in ADS?
It's the container where you can find objects orphaned by a replication conflict. Ex: you create a user in an OU while the same OU is deleted on another DC; when replication happens AD does not find the OU, so it puts the user in the LostAndFound container. The container is hidden in Active Directory Users and Computers until Advanced Features is enabled.
What does System State data contain?
1. Boot and startup files
2. Registry
3. COM+ Class Registration database
4. System files protected by Windows File Protection
5. Active Directory database (NTDS.DIT) and logs, on a domain controller
6. SYSVOL folder, on a domain controller
7. Certificate Services database, on a certification authority
8. Cluster Service information, on a cluster node
9. IIS metabase, where IIS is installed
The memory page file is not part of System State. Because System State contains NTDS.DIT, a backup of it holds every password hash in the domain and must be protected like the domain controller itself.
What is the use of LDAP?
LDAP is the protocol that clients and applications use to query and modify objects in the directory: a bind (authentication), followed by searches, adds, modifies and deletes against the domain controller's directory partitions. Replication between domain controllers does not use LDAP; it uses the Directory Replication Service (DRS) interface over RPC (or SMTP between sites).
What is the purpose of replication in AD?
The purpose of replication is to distribute the data stored within the directory throughout the organization for increased availability, performance and data protection. Systems administrators can tune replication to occur based on their physical network infrastructure and other constraints.
What is global catalog?
The Global Catalog is a partial replica of every domain partition in the forest: it holds every object in every domain, but only the attributes marked as members of the partial attribute set in the schema (the ones most commonly searched, such as names, UPNs and group membership). It is hosted on domain controllers designated as global catalog servers and answers LDAP queries on port 3268 (3269 with TLS).
What is DNS Zones?
A DNS zone is a portion of the DNS namespace over which a specific DNS server has authority.
What is a site?
One or more well-connected, highly reliable and fast TCP/IP subnets. A site allows the administrator to configure Active Directory access and replication topology to take advantage of the physical network.
What is Active Directory Schema?
The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest. It also contains formal definitions of every attribute that can exist in an Active Directory object.
What are the benefits of AD integrated DNS?
A few advantages that Active Directory-integrated zone implementations have over standard primary zone implementations are:
1. Multimaster updates: every domain controller running DNS holds a writable copy of the zone, so there is no single primary server whose failure stops updates.
2. Secure dynamic updates: only the computer (or DHCP server) that created a record, authenticated with Kerberos, can change it, which prevents one client from overwriting another host's record.
3. Replication uses the Active Directory replication topology and schedule, so zone data travels with the directory data and there is no longer a need for separate DNS zone transfers between domain controllers. The replication scope can be set per zone (all DNS servers in the forest, all DNS servers in the domain, or a custom application partition).
What is File Replication Service (FRS)?
File Replication Service is a Microsoft service which replicates the folders stored in the SYSVOL shared folder on domain controllers and in Distributed File System shared folders. It shipped with Windows 2000 and Windows Server 2003; from Windows Server 2008 onward DFS Replication (DFSR) replaces it for SYSVOL.
Explain the different zones involved in DNS Server?
DNS has two zone directions, Forward Lookup Zones (name to address) and Reverse Lookup Zones (address to name). Each can be one of three zone types:
Primary zone: contains the read and writable copy of the zone data (file-backed, or stored in Active Directory on a domain controller).
Secondary zone: acts as a backup for the primary zone and contains a read-only copy of the zone data, obtained by zone transfer.
Stub zone: also read-only like a secondary zone, but it contains only the SOA record, the NS records and the glue A records of the name servers authoritative for the zone, so that the server can find those name servers without hosting the whole zone.
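The zone types and the AD-integration options above as commands, added here as an example that is not part of the original answers. It uses the DnsServer PowerShell module on a domain controller that runs the DNS role; zone names and addresses are assumptions.

```powershell
# Added example, not from the original page. Assumes the DnsServer module on a DC
# running DNS; zone names and addresses are placeholders.
Import-Module DnsServer

# AD-integrated primary: stored in the directory, replicated to every DNS server in
# the domain, and only the Kerberos-authenticated owner of a record may update it.
Add-DnsServerPrimaryZone -Name 'corp.example' -ReplicationScope Domain -DynamicUpdate Secure
Add-DnsServerPrimaryZone -NetworkId '10.20.0.0/16' -ReplicationScope Domain -DynamicUpdate Secure   # reverse zone

# File-backed secondary: a read-only copy pulled by zone transfer from a master
Add-DnsServerSecondaryZone -Name 'partner.example' -ZoneFile 'partner.example.dns' -MasterServers 192.0.2.10

# Stub zone: only SOA, NS and glue A records, here also stored in AD
Add-DnsServerStubZone -Name 'branch.corp.example' -MasterServers 10.30.0.5 -ReplicationScope Domain

# A zone transfer hands out the whole host list; allow it only to the zone's own NS
Set-DnsServerPrimaryZone -Name 'corp.example' -SecureSecondaries TransferToZoneNameServer

# Confirm type, storage, replication scope and update policy of every zone
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate, SecureSecondaries
```

A zone reported with DynamicUpdate = NonsecureAndSecure accepts record updates from anyone who can reach port 53, which lets a client on the network register a name such as the proxy or an update server; Secure is the setting to expect on every AD-integrated zone.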
What is Garbage collection?
Garbage collection is the housekeeping process that runs on every domain controller every 12 hours by default: it physically deletes tombstoned (deleted) objects whose tombstone lifetime has expired, removes unneeded log files and then performs an online defragmentation of the database. Online defragmentation reclaims space inside NTDS.DIT but does not shrink the file; an offline defragmentation with ntdsutil is needed for that.
What is the difference between local, global and universal groups?
Domain local groups are used to assign permissions on resources in their own domain; they can contain users, global groups and universal groups from any trusted domain, and other domain local groups from the same domain. Global groups can contain only accounts and global groups from their own domain, but can be granted permissions in any trusting domain, so they are the usual way to collect users by role. Universal groups can contain accounts, global groups and universal groups from any domain in the forest and can be granted permissions in any domain; their membership is stored in the global catalog, so every membership change replicates to every GC in the forest. The usual pattern is AGDLP: accounts into global groups, global groups into domain local groups, permissions on the domain local group.
What is RPC protocol?
RPC (Remote Procedure Call) is a protocol used to allow communication between system processes on remote computers. The RPC protocol is used by Active Directory for intrasite replication (and for intersite replication unless SMTP is chosen).
What is Resource Record?
A Resource Record (RR) is a DNS entry that specifies the availability of specific DNS services. For example an MX record names the mail server host for a domain (that host name is then resolved with an A record), and host (A) records specify the IP addresses of workstations and servers on the network; Active Directory domain controllers register SRV records so that clients can locate the KDC, LDAP and global catalog services.
What is a Tree?
A set of Active Directory domains that share a common, contiguous namespace and are connected by transitive two-way trusts. Resources can be shared between the domains in the tree.
What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use repadmin to view the replication topology as seen from the perspective of each domain controller (repadmin /showrepl), summarize failures across all DCs (repadmin /replsummary), force replication (repadmin /syncall) and remove lingering objects.
Is the DNS protocol involved when a user pings a website name?
Yes it is involved. When the user pings the website name, a DNS request packet is sent to the DNS server, which then responds with the IP address of the web server on which the website is hosted.
On a network, should the DNS server IP address be configured on the computer or the internet router for users to browse the internet?
The DNS server IP address should be configured on the computer (directly, or handed out by DHCP) for the users to browse the internet.
In a LAN network, should the DNS server be inside the network or can it reside on the internet?
The DNS server can reside anywhere as long as the computers and devices requiring DNS service have network access to it. Domain-joined computers must, however, point at a DNS server that hosts (or can forward to) the Active Directory zone, because they locate domain controllers through its SRV records.
How does a computer know to which DNS server it has to send the request?
The DNS server IP address is configured in the TCP/IP adapter settings of the computer. With this information the computer knows the DNS server to which the request has to be sent.
What are the requirements for installing AD on a new server?
The domain structure (new forest, new tree, new child domain or additional DC).
The domain name.
Storage location of the database and log files (an NTFS volume).
Location of the shared system volume (SYSVOL) folder.
DNS configuration method (install DNS on the DC, or use an existing server that supports SRV records and dynamic updates).
A static IP address pointing at that DNS server, and credentials in Enterprise Admins (new domain) or Domain Admins (additional DC).
Which port does a DNS Server use?
UDP port 53 for ordinary queries; TCP port 53 for zone transfers and for responses too large for a single UDP datagram.
A user opens the browser and types the IP address of the webserver on which a website is hosted. Is DNS protocol involved during the scenario?
The DNS protocol is used to resolve the website name into the corresponding IP address. In this case, since the IP address is already known, DNS is not required and is not involved in the scenario.
Name two methods by which DNS can be configured on a computer.
It can be manually configured on the TCP/IP adapter or assigned by a DHCP server.
If a computer is configured with a default gateway address, should the same address be used as the DNS server IP address?
It is not mandatory. The DNS server IP address can be any value, provided the computer has access to it.
What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets.
Sites can be used to assign Group Policy Objects, facilitate the discovery of resources (clients prefer domain controllers and DFS targets in their own site), manage Active Directory replication and manage network link traffic.
Trying to look at the Schema, how can I do that?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc > Add snap-in > Active Directory Schema
Save it as schema.msc
Open Administrative Tools > schema.msc
Viewing is read-only. Changing the schema requires membership in Schema Admins and a connection to the schema master; schema changes are forest-wide and cannot be undone (attributes can only be defunct, never deleted), so Schema Admins should be kept empty except during a planned change.
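The same view from PowerShell, added here as an example that is not part of the original answer, together with the two checks that go with it (who can change the schema, and which DC a change must target). It needs the ActiveDirectory RSAT module; the attribute names are real AD attributes, the last one only present when the LAPS schema extension is installed.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module and a
# domain-joined session; 'ms-Mcs-AdmPwd' exists only where LAPS extended the schema.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaAttributeInfo {
    # searchFlags bits (MS-ADTS): 0x80 = confidential (needs CONTROL_ACCESS to read),
    # 0x200 = RODC filtered attribute set (never replicated to a read-only DC).
    param([Parameter(Mandatory)][string[]]$LdapDisplayName)
    foreach ($name in $LdapDisplayName) {
        Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties lDAPDisplayName, attributeID, attributeSyntax, isSingleValued,
                        isMemberOfPartialAttributeSet, searchFlags |
        Select-Object lDAPDisplayName, attributeID, attributeSyntax, isSingleValued,
            @{ n = 'InGlobalCatalog'; e = { [bool]$_.isMemberOfPartialAttributeSet } },
            @{ n = 'Confidential';    e = { [bool]($_.searchFlags -band 0x80) } },
            @{ n = 'RodcFiltered';    e = { [bool]($_.searchFlags -band 0x200) } }
    }
}

# Which attributes are searchable through the GC, and which are hidden from RODCs?
Get-SchemaAttributeInfo -LdapDisplayName 'userPrincipalName', 'unicodePwd', 'ms-Mcs-AdmPwd' |
    Format-Table -AutoSize

# Check 1: who can change the schema? This should be empty between planned changes.
Get-ADGroupMember -Identity 'Schema Admins' -Recursive | Select-Object SamAccountName, objectClass

# Check 2: the one DC a schema change must be made on
(Get-ADForest).SchemaMaster
```

A sensitive attribute added by a third-party schema extension is worth running through the first function: if it is neither confidential nor RODC-filtered, every authenticated user can read it through LDAP and every RODC receives a copy.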
What is the port number of Kerberos?
88 (TCP and UDP).
What is the port number of Global Catalog?
3268 (3269 for LDAP over TLS).
How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
With dcpromo /forceremoval an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server. After you use dcpromo /forceremoval, the metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must remove it manually with the NTDSUTIL command (metadata cleanup). If the demoted DC held any FSMO role, seize that role on a surviving DC; also remove its name server and SRV records from DNS, and its references in Active Directory Sites and Services (the NTDS Settings and server objects) and Active Directory Users and Computers (the Domain Controllers OU) if metadata cleanup did not remove them. You will need the following tools: ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.
As for passwords: NTDS.DIT does not contain clear-text passwords, but it does contain every account's NT hash (plus the LM hash where LM storage is still enabled, and the clear text where "store password using reversible encryption" is set), encrypted with a key derived from the boot key in the SYSTEM registry hive. Anyone who obtains a copy of NTDS.DIT together with the SYSTEM hive (from the disk, a System State backup, a VM snapshot or IFM media) can recover all of those hashes offline, and an NT hash can be used directly to authenticate (pass-the-hash). This is why domain controllers, their backups and their virtual disks must be treated as Tier-0 assets.
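The clean-up that follows a forced demotion, as an added example that is not part of the original answer. It is typed on a surviving writable DC running Windows Server 2008 or later (the ntdsutil one-line form also works from 2003 SP1); DC02, the site name and the domain are assumptions.

```powershell
# Added example, not from the original page. Run on a surviving writable DC with the
# ActiveDirectory and DnsServer modules; DC02, the site and the domain are placeholders.
Import-Module ActiveDirectory, DnsServer
$dead   = 'DC02'
$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Seize any FSMO role the dead DC held onto this server. -Force seizes instead of
#    transferring; the old holder must never be brought back online afterwards.
$roles = @()
if ($domain.PDCEmulator          -like "$dead.*") { $roles += 'PDCEmulator' }
if ($domain.RIDMaster            -like "$dead.*") { $roles += 'RIDMaster' }
if ($domain.InfrastructureMaster -like "$dead.*") { $roles += 'InfrastructureMaster' }
if ($forest.SchemaMaster         -like "$dead.*") { $roles += 'SchemaMaster' }
if ($forest.DomainNamingMaster   -like "$dead.*") { $roles += 'DomainNamingMaster' }
if ($roles) {
    Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME -OperationMasterRole $roles -Force
}

# 2. Metadata cleanup: removes the NTDS Settings object, the server object and the
#    DC's replication connections on every surviving DC.
$serverDN = "CN=$dead,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit

# 3. Leftovers: the computer account in the Domain Controllers OU, then the stale
#    NS record in the domain zone and the SRV records under _msdcs.
Get-ADComputer -Filter "Name -eq '$dead'" -SearchBase $domain.DomainControllersContainer -ErrorAction SilentlyContinue |
    Remove-ADObject -Recursive -Confirm:$false
Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType Ns |
    Where-Object { $_.RecordData.NameServer -like "$dead.*" } |
    Remove-DnsServerResourceRecord -ZoneName $domain.DNSRoot -Force
$msdcs = "_msdcs.$($domain.DNSRoot)"
Get-DnsServerResourceRecord -ZoneName $msdcs -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like "$dead.*" } |
    Remove-DnsServerResourceRecord -ZoneName $msdcs -Force

# 4. Verify: no DC object left, and no partner still named after it
Get-ADDomainController -Filter "Name -eq '$dead'"
repadmin /showrepl
```

A stale SRV record is the usual reason clients keep trying to authenticate against a DC that no longer exists, so step 3 is worth checking even when metadata cleanup reports success.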
How many root DNS servers are available in the world?
13 root server addresses (a.root-servers.net through m.root-servers.net), each of which is served by many anycast instances around the world.
What are the FSMO roles?
Flexible Single Master Operation (FSMO) roles. Currently there are five FSMO roles, two per forest and three per domain:
Schema master (forest-wide)
Domain naming master (forest-wide)
RID master (per domain)
PDC emulator (per domain)
Infrastructure master (per domain)
What is domain tree?
A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. A forest is a set of one or more trees.
Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.
What is forest?
A collection of one or more domain trees with a common schema and configuration partition and implicit transitive trust relationships between them. A second tree is used when you have multiple disjoint DNS namespaces; a second forest is needed only when you require a separate security boundary, because all domains in a forest trust each other and share the Enterprise Admins and Schema Admins groups.
How to Select the Appropriate Restore Method?
You select the appropriate restore method by considering the circumstances and characteristics of the failure. The two major categories of failure from an Active Directory perspective are Active Directory data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers, or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers. In that case an authoritative restore is needed (restore System State in Directory Services Restore Mode, then mark the affected subtree authoritative with ntdsutil) so that the restored objects replicate back out instead of being overwritten by the deletion. For a hardware failure on one domain controller a non-authoritative restore, or simply reinstalling and re-promoting the server so that it replicates from the other DCs, is sufficient. On Windows Server 2008 R2 and later the Active Directory Recycle Bin restores individual deleted objects without any restore at all.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
Active Directory replaces them. Now all domain controllers share a multimaster, peer-to-peer read and write relationship, each hosting a copy of the Active Directory database. One DC per domain holds the PDC emulator FSMO role, which still acts as the PDC towards NT 4.0 BDCs and legacy clients and handles password changes and lockouts urgently.
What is Global Catalog?
The Global Catalog is consulted during logon to resolve universal group memberships and user principal names, and fields queries about objects across a forest or tree. Every forest has at least one GC, hosted on a domain controller; in Windows 2000 there was typically one GC in every site in order to prevent user logon failures when the WAN link was down (Windows Server 2003 added universal group membership caching as an alternative).
How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately (urgent replication, without the normal notification delay). These changes include account lockouts, changes to the account lockout and password policies, changes to computer account passwords and modifications to Local Security Authority (LSA) secrets. Password changes are additionally pushed to the PDC emulator straight away, and a DC that fails a logon asks the PDC emulator before rejecting it.
When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative restrictions. A separate forest, as opposed to a separate tree, is needed only when the organizations must not trust each other's administrators, since within one forest the administrators of any domain can ultimately control every other domain.
Describe the process of working with an external domain name?
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for their external namespace uses the name corp.internal for their internal namespace.
The advantage of this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users because the namespaces do not reflect a relationship between resources within and outside of your network.
In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible. Prefer a subdomain of a name you own (corp.contoso.com) to an invented top-level name, because names such as .local or .internal can collide with names that are later delegated publicly.
One easiest way to check all the 5 FSMO roles?
Use the command netdom query fsmo (netdom query /domain:YourDomain fsmo for another domain). It lists the domain controllers holding all five FSMO roles.
Which FSMO role directly impacts the consistency of Group Policy?
PDC Emulator. The Group Policy editor and GPMC connect to the PDC emulator by default when creating or editing a GPO, so that two administrators do not edit different replicas of the same GPO at once.
Explain the process between a user providing his domain credentials to his workstation and the desktop being loaded. Or, how does AD authentication work?
1. When a user enters a user name and password, the computer sends the user name to the KDC (a domain controller), together with pre-authentication data: a timestamp encrypted with a key derived from the user's password.
2. The KDC contains a master database of unique long-term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is derived from the user's password, and uses it to decrypt the pre-authentication timestamp; if that fails the request is rejected (a wrong password is logged on the DC as event 4771).
3. The KDC then creates two items: a session key (SA) to share with the user, and a Ticket-Granting Ticket (TGT).
4. The TGT includes a second copy of SA, the user name, the user's group SIDs (the PAC) and an expiration time.
5. The KDC encrypts this ticket using the key of the krbtgt account (KKDC), which only domain controllers know, and encrypts the client's copy of SA with KA.
6. The client computer receives the reply from the KDC and runs the user's password through the one-way key derivation function, which converts the password into KA, and decrypts SA with it.
7. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain. Before the desktop loads it uses the TGT to request service tickets (the TGS exchange) for its own workstation's host service and for other resources in the domain, by using the Kerberos protocol.
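The exchange above, observed from both ends, as an added example that is not part of the original answer: the TGT from the AS exchange on the client, a TGS exchange triggered on demand, and a summary of the 4768/4769 events a domain controller writes for them. Run the first part as a domain user on a domain-joined machine (Windows 7 / Server 2008 R2 or later for klist) and the function on a DC; the SPN is an assumption.

```powershell
# Added example, not from the original page. The SPN below is a placeholder; the
# event field names are those of Security events 4768 (AS) and 4769 (TGS).
Add-Type -AssemblyName System.IdentityModel

# 1. The TGT obtained at logon: the AS exchange. Its service is krbtgt/<REALM>.
klist tgt

# 2. A TGS exchange on demand: ask the KDC for a service ticket for one SPN. The
#    ticket is added to this logon session's cache and the DC logs event 4769.
$spn = 'HOST/dc01.corp.example'
$null = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn
klist | Select-String -Pattern 'Server:|KerbTicket Encryption Type'

# 3. On a domain controller: AS and TGS requests of the last day. TicketEncryptionType
#    0x17 is RC4-HMAC, i.e. a ticket protected by nothing stronger than the NT hash.
function Get-KerberosTicketSummary {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Exchange = if ($e.Id -eq 4768) { 'AS' } else { 'TGS' }
            Account  = $d['TargetUserName']
            Service  = $d['ServiceName']       # krbtgt for AS, the requested SPN for TGS
            Client   = $d['IpAddress']
            EncType  = $d['TicketEncryptionType']
            Status   = $d['Status']            # 0x0 = success
            WeakRC4  = $d['TicketEncryptionType'] -eq '0x17'
        }
    }
}

Get-KerberosTicketSummary | Group-Object Exchange, WeakRC4 | Select-Object Name, Count
Get-KerberosTicketSummary | Where-Object WeakRC4 | Select-Object Account, Service, Client -Unique
```

A burst of 4769 events from one client for many different service accounts, all with EncType 0x17, is the pattern of a Kerberoasting run: each RC4 service ticket can be cracked offline against the service account's password.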
Name a few port numbers related to Active Directory?
Kerberos 88, LDAP 389, LDAPS 636, Global Catalog 3268 (3269 with TLS), DNS 53, SMB 445, Kerberos password change 464, RPC endpoint mapper 135 plus the dynamic RPC port range used for replication and the other DC services.
Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos version 5 (RFC 4120), with Microsoft extensions such as the PAC carrying authorization data.
How do you check the current forest and domain functional levels? Say both GUI and command line.
To find out the domain functional level in GUI mode, open Active Directory Users and Computers, right-click the domain name and choose Raise Domain Functional Level; the current level is shown in that dialog. The forest functional level is shown in Active Directory Domains and Trusts by right-clicking the root node and choosing Raise Forest Functional Level. From the command line, the level is stored in the msDS-Behavior-Version attribute of the domain object and of the Partitions container, which dsquery can read (dsquery * <domain DN> -scope base -attr msDS-Behavior-Version); the values are 0 for Windows 2000, 2 for 2003, 3 for 2008 and 4 for 2008 R2. In PowerShell, Get-ADDomain and Get-ADForest show DomainMode and ForestMode directly.
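One script for the three preceding questions (FSMO holders, the PDC emulator's role for Group Policy, and functional levels), added here as an example that is not part of the original answers. It uses the ActiveDirectory RSAT module against the domain the session is joined to.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module on a
# domain-joined machine; it reads the joined domain and forest.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain

[pscustomobject]@{
    ForestMode           = $forest.ForestMode
    DomainMode           = $domain.DomainMode
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# The same five roles from the classic tool, and the raw attribute behind DomainMode
netdom query fsmo
(Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'

# GPMC edits GPOs on the PDC emulator: it needs LDAP (389) for the GPC part and
# SMB (445) for the SYSVOL part. If either is blocked, editing fails.
function Test-PdcEmulatorReachable {
    param([string]$PdcEmulator = $domain.PDCEmulator)
    foreach ($port in 389, 445) {
        [pscustomobject]@{
            Server    = $PdcEmulator
            Port      = $port
            Reachable = Test-NetConnection -ComputerName $PdcEmulator -Port $port -InformationLevel Quiet
        }
    }
}
Test-PdcEmulatorReachable | Format-Table -AutoSize
```

If netdom and Get-ADDomain disagree about a role holder, the two tools asked different DCs and the role transfer has not replicated yet; repadmin /replsummary is the next command to run.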
What is RODC? Why do we configure RODC?
A Read-only domain controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC holds a read-only copy of the Active Directory database and can be deployed in a remote branch office where physical security cannot be guaranteed. By default it stores no account passwords: it forwards authentication to a writable DC and caches only the secrets of accounts listed in its Password Replication Policy, and it cannot replicate changes back into the forest, so a compromised RODC exposes only the cached accounts. RODC provides improved security and faster logon times for the branch office.
What is Active Directory Recycle Bin?
Active Directory Recycle Bin is a feature of Windows Server 2008 R2 AD (it requires forest functional level 2008 R2 or higher). It helps to restore accidentally deleted Active Directory objects, with their attributes and group memberships intact, without using a backed-up AD database, rebooting a domain controller into Directory Services Restore Mode or restarting any services. Enabling it is a one-way operation, and deleted objects remain restorable for the deleted object lifetime (180 days by default).
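Enabling the Recycle Bin and restoring a deleted user with it, as an added example that is not part of the original answer. It assumes the ActiveDirectory RSAT module and Enterprise Admins rights; the user name is a placeholder, and enabling the feature cannot be undone.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module and
# Enterprise Admins; the object names are placeholders. Enabling is irreversible.
Import-Module ActiveDirectory
$forest = Get-ADForest

# ADForestMode: 0 = 2000, 2 = 2003, 3 = 2008, 4 = 2008 R2 and later
if ([int]$forest.ForestMode -lt 4) { throw "Forest functional level too low: $($forest.ForestMode)" }
$feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

function Find-DeletedObject {
    # Deleted objects keep their name as "<old name>\0ADEL:<guid>", so a prefix match works
    param([Parameter(Mandatory)][string]$Name)
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(name=$Name*))" -IncludeDeletedObjects `
        -Properties lastKnownParent, whenChanged, sAMAccountName |
        Select-Object Name, ObjectClass, sAMAccountName, lastKnownParent, whenChanged, ObjectGUID
}

function Restore-DeletedObject {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent
    # The object goes back under lastKnownParent, which must exist: if a whole OU was
    # deleted, restore the OU first (it is found the same way) and only then its contents.
    if (-not (Get-ADObject -LDAPFilter "(distinguishedName=$($obj.lastKnownParent))")) {
        throw "Parent $($obj.lastKnownParent) is missing; restore it first"
    }
    Restore-ADObject -Identity $ObjectGuid
}

Find-DeletedObject -Name 'Alice Smith'
# Restore-DeletedObject -ObjectGuid '<ObjectGUID from the listing above>'

# How long deleted objects stay restorable. A null msDS-DeletedObjectLifetime means it
# follows tombstoneLifetime (180 days in forests created with 2003 SP1 or later).
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime |
    Select-Object msDS-DeletedObjectLifetime, tombstoneLifetime
```

Deleted objects, with all their attributes, stay readable to anyone with rights on the Deleted Objects container for the whole lifetime, so the same audit that applies to live privileged accounts applies to recently deleted ones.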
What is group nesting?
Adding one group as a member of another group is called group nesting. It helps with easy administration and reduces replication traffic, because a permission is granted once to a group rather than to many individual accounts. Which scopes can nest into which is limited by the group scope rules (for example, a global group cannot contain a domain local group). Nested privileged groups are also a common way for excess rights to hide, so membership of administrative groups should be reviewed recursively.
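The scope rules and nesting together, as an added example that is not part of the original answers: the AGDLP pattern built in PowerShell, the scope check the directory enforces, and the recursive membership audit that catches rights hidden in nested groups. The ActiveDirectory RSAT module is assumed; the OU, group, user and share names are placeholders.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module; all
# object names, the OU and the share are placeholders.
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=corp,DC=example'

# A -> G: accounts into a global group that names the role (own-domain members only)
New-ADGroup -Name 'Finance-Staff' -SamAccountName 'Finance-Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Finance-Staff' -Members 'alice', 'bob'

# G -> DL: the global group nested into a domain local group named after the resource and the right
New-ADGroup -Name 'FS01-Finance-Modify' -SamAccountName 'FS01-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'FS01-Finance-Modify' -Members 'Finance-Staff'

# DL -> P: the permission is granted once, to the domain local group
$path = '\\fs01\Finance'
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'CORP\FS01-Finance-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# The scope rules are enforced by the directory: a global group cannot hold a domain local one
try   { Add-ADGroupMember -Identity 'Finance-Staff' -Members 'FS01-Finance-Modify' -ErrorAction Stop }
catch { "Expected failure: $($_.Exception.Message)" }

# Audit: the users who end up in a privileged group through every level of nesting
function Get-EffectiveMembers {
    param([Parameter(Mandatory)][string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled, LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate
}
Get-EffectiveMembers -Group 'Domain Admins' | Format-Table -AutoSize

# Universal group membership lives in every GC: know how many exist before adding more
(Get-ADGroup -Filter 'GroupScope -eq "Universal"' | Measure-Object).Count
```

Get-ADGroupMember -Recursive flattens nesting within the forest but does not follow foreign security principals from trusted forests; those appear as foreignSecurityPrincipal objects and have to be resolved in the other forest.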
What are the logical components of Active Directory?
Domains, Organizational Units, trees and forests are the logical components of Active Directory (sites, subnets and domain controllers are the physical components).
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes. Any directory that speaks LDAP can be queried directly; for synchronization, Microsoft's metadirectory products (MIIS, ILM, FIM and their successors) connect AD to other directories, and Novell's DirXML (later Identity Manager) synchronizes AD with eDirectory.
How do you create a new application partition?
Use the dnscmd command to create an application directory partition.
To do this, use the following syntax:
dnscmd ServerName /CreateDirectoryPartition FQDN_of_partition
(ntdsutil "partition management" can also create application partitions for non-DNS uses.)
Difference between LDIFDE and CSVDE?
CSVDE is a command that can be used to import and export objects to and from AD into a CSV-formatted file. A CSV (Comma Separated Value) file is easily readable in Excel. As with the DSADD command, CSVDE can do more than just import users (groups and contacts, for instance); consult its help for more information.
LDIFDE is a command that can be used to import and export objects to and from AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format, RFC 2849) file is easily readable in any text editor, but not in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import new objects and export. Neither can set a user's password unless the connection is encrypted (LDAPS), because the unicodePwd attribute may only be written over a protected channel, so accounts created this way are typically created disabled and enabled after a password is set.
What are the DS commands?
The DS family of built-in command-line utilities:
1. dsmod – modify Active Directory attributes.
2. dsrm – delete Active Directory objects.
3. dsmove – relocate or rename objects.
4. dsadd – create new accounts and objects.
5. dsquery – find objects that match your query attributes.
6. dsget – list the properties of an object.
dsquery output can be piped into dsmod, dsget and dsrm for bulk changes.
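The two preceding answers in practice, as an added example that is not part of the original page: a user created from an LDIF file (with the password set afterwards, since ldifde cannot do it over plain LDAP), an export with csvde, and a bulk change with dsquery piped into dsmod. The OU, user and domain names are placeholders.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module and
# the AD DS command-line tools; OU, names and domain are placeholders.
Import-Module ActiveDirectory

# userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): the account is
# created disabled because unicodePwd cannot be written over an unencrypted bind.
$ldif = @'
dn: CN=Carol Diaz,OU=Finance,DC=corp,DC=example
changetype: add
objectClass: user
sAMAccountName: cdiaz
userPrincipalName: cdiaz@corp.example
givenName: Carol
sn: Diaz
displayName: Carol Diaz
userAccountControl: 514

dn: CN=Carol Diaz,OU=Finance,DC=corp,DC=example
changetype: modify
replace: description
description: Finance analyst
-

'@
$file = Join-Path $env:TEMP 'newusers.ldf'
Set-Content -Path $file -Value $ldif -Encoding ASCII
ldifde -i -k -f $file -j $env:TEMP     # -i import, -k skip "object exists" errors, -j log directory

# Password first, then enable: never the other way round
Set-ADAccountPassword -Identity cdiaz -Reset -NewPassword (Read-Host -AsSecureString 'Initial password')
Enable-ADAccount -Identity cdiaz

# csvde export of every disabled user (bit 2 of userAccountControl, bitwise-AND rule OID)
csvde -f (Join-Path $env:TEMP 'disabled.csv') -r "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -l sAMAccountName,distinguishedName

# DS tools: disable every account in the OU that has not logged on for 8 weeks
dsquery user "OU=Finance,DC=corp,DC=example" -inactive 8 | dsmod user -disabled yes

# and read one object back
dsget user "CN=Carol Diaz,OU=Finance,DC=corp,DC=example" -samid -upn -disabled
```

The dsquery | dsmod pipeline is also the quick answer to "how do I disable all stale accounts in an OU"; run the dsquery half on its own first, because dsmod acts on every DN it is given without asking.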
What is lost & found folder or Lingering Objects in ADS?
LostAndFound (see above) holds objects orphaned by a replication conflict, such as a user created in an OU that was deleted on another DC at the same time. Lingering objects are a different problem: they can occur if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL). When that domain controller reconnects to the replication topology, objects that were deleted from the directory while it was offline (whose tombstones have since been garbage-collected on the other DCs) can remain on it as lingering objects. With strict replication consistency enabled, the other DCs refuse inbound replication from it and log event 1988; the fix is repadmin /removelingeringobjects, run in /advisory_mode first.

What is intrasite and intersite replication?
Intrasite is replication within the same site (uncompressed, triggered by change notification a few seconds after a change) and intersite is replication between sites (compressed, on the schedule and interval of the site link, through bridgehead servers).
Which service in Windows is responsible for replication from one domain controller to another?
The Knowledge Consistency Checker (KCC), running inside the Active Directory Domain Services (NTDS) service on every DC, generates the replication topology (the connection objects), and the Directory Replication Service (DRS) in the same service performs the actual replication, using RPC over IP (or SMTP between sites).
What is Bridgehead Server in AD?
A bridgehead server is a domain controller in each site which is used as the contact point to receive and replicate data between sites. For intersite replication the KCC (more precisely the Inter-Site Topology Generator, ISTG, in each site) designates one of the domain controllers as bridgehead server for each directory partition. If that server is down, the KCC designates another one from the site's domain controllers, unless the administrator has configured preferred bridgehead servers and all of them are unavailable, in which case intersite replication for that site stops. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.
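A replication health check that ties the repadmin, lingering-object, replication-service and bridgehead answers together, added here as an example that is not part of the original page. The function uses the ActiveDirectory RSAT module from any domain-joined machine; the DC names in the repadmin lines are placeholders.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module and
# RSAT (repadmin); DC01/DC02 and the domain are placeholders.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    # Tombstone lifetime from the forest; unset means the pre-2003 SP1 default of 60 days
    $dsCfg = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    $tsl = (Get-ADObject -Identity $dsCfg -Properties tombstoneLifetime).tombstoneLifetime
    if (-not $tsl) { $tsl = 60 }

    foreach ($dc in Get-ADDomainController -Filter *) {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both -ErrorAction SilentlyContinue
        foreach ($m in $meta) {
            $age = (Get-Date) - $m.LastReplicationSuccess
            [pscustomobject]@{
                DC            = $dc.Name
                Direction     = $m.PartnerType
                # Partner is the DN "CN=NTDS Settings,CN=<dc>,CN=Servers,..."; keep the DC name
                Partner       = (($m.Partner -split ',')[1] -replace '^CN=', '')
                Partition     = $m.Partition
                LastSuccess   = $m.LastReplicationSuccess
                Failures      = $m.ConsecutiveReplicationFailures
                DaysSilent    = [int]$age.TotalDays
                # Past the tombstone lifetime, anything deleted in the meantime becomes a lingering object
                LingeringRisk = $age.TotalDays -gt $tsl
            }
        }
    }
}

Get-ReplicationHealth | Sort-Object DaysSilent -Descending | Format-Table -AutoSize

# The classic equivalents
repadmin /replsummary                  # forest-wide failure summary per DC
repadmin /showrepl DC01 /verbose       # DC01's view of its partners, with the DSA object GUIDs
repadmin /bridgeheads                  # which DC speaks for each site and partition
repadmin /syncall DC01 /AdeP           # push DC01's changes to all partners, all partitions, across sites

# Lingering objects: report first (advisory mode), then run again without it to remove.
# The GUID is the DSA object GUID of a clean source DC, taken from /showrepl (placeholder here).
repadmin /removelingeringobjects DC02.corp.example <source-DSA-GUID> DC=corp,DC=example /advisory_mode
```

A partner with LingeringRisk = True must not simply be reconnected: with strict replication consistency the other DCs will reject it anyway, and without it the deleted objects it still holds would be reanimated into the forest.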

Windows Server 2008/R2 Interview questions Part 1
JUNE 22, 2011
Difference between 2003 and 2008
1) Windows Server 2008 shares its code base with Windows Vista (Windows Server 2003 R2 was still built on the Windows Server 2003 code). Some new services are introduced in it:
1. RODC, a new domain controller type: the Read-only Domain Controller.
2. WDS (Windows Deployment Services) instead of RIS in Windows Server 2003.
3. Volume shadow copies (Previous Versions) for files on any NTFS volume.
4. The boot sequence is changed: bootmgr and the Boot Configuration Data (BCD) store replace NTLDR and boot.ini.
5. Installation is image-based (a WIM image is applied rather than files being copied one by one), which is why installation of 2008 is faster.
6. Services are known as roles and features, installed through Server Manager.
7. The Group Policy Management Console is built in instead of being a separate download.
2) The main difference between 2003 and 2008 is virtualization management. 2008 has more inbuilt components and updated third-party drivers. Microsoft introduces a new feature with 2k8, Hyper-V. Windows Server 2008 introduces Hyper-V (V for Virtualization), but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several "virtual" servers on one physical machine. If you like this technology, make sure that you buy an edition of Windows Server 2008 that includes Hyper-V, then launch Server Manager and add the role.
Windows Server 2008 new features
1. Virtualization with Hyper-V
2. Server Core – provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server. From a security standpoint this is attractive. Fewer applications and services on the server make for a smaller attack surface. In theory there should also be less maintenance and management with fewer patches to install, and the whole server could take up as little as 3 GB of disk space, according to Microsoft.
3. IIS 7
4. Role-based installation – rather than configuring a full server install for a particular role by uninstalling unnecessary components (and installing needed extras), you simply specify the role the server is to play, and Windows will install what's necessary – nothing more.
5. Read Only Domain Controllers (RODC)
It's hardly news that branch offices often lack skilled IT staff to administer their servers, but they also face another, less talked about, problem. While corporate data centers are often physically secured, servers at branch offices rarely have the same physical security protecting them. This makes them a convenient launch pad for attacks back to the main corporate servers. RODC provides a way to make an Active Directory database read-only. Thus any mischief carried out at the branch office cannot propagate its way back to poison the Active Directory system as a whole. It also reduces traffic on WAN links.
6. Enhanced terminal services
Terminal Services has been beefed up in Server 2008 in a number of ways. TS RemoteApp enables remote users to access a centralized application (rather than an entire desktop) that appears to be running on the local computer's hard drive. These apps can be accessed via a Web portal or directly by double-clicking on a correctly configured icon on the local machine. TS Gateway secures sessions, which are then tunnelled over HTTPS, so users don't need to use a VPN to use RemoteApps securely over the Internet. Local printing has also been made significantly easier.
7. Network Access Protection
Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies – and that those that are not can be remediated – is useful. However, similar functionality has been and remains available from third parties.
8. Windows PowerShell
Microsoft's new(ish) command line shell and scripting language has proved popular with some server administrators, especially those used to working in Linux environments. Included in Server 2008, PowerShell can make some jobs quicker and easier to perform than going through the GUI. Although it might seem like a step backward in terms of user-friendly operation, it's one of those features that, once you've gotten used to it, you'll never want to give up.
Restartable Active Directory Domain Services: You can now perform many actions, such as offline defragmentation of the database, simply by stopping Active Directory. This reduces the number of instances in which you must restart the server in Directory Services Restore Mode and thereby reduces the length of time the domain controller is unavailable to serve requests from clients.
Enhancements to Group Policy: Microsoft has added many new policy settings. In particular, these settings enhance the management of Windows Vista client computers. All policy management is now handled by means of the Group Policy Management Console (GPMC), which was first made available as a separate download for Windows Server 2003. In addition, Microsoft has added new auditing capabilities to Group Policy and added a searchable database for locating policy settings from within GPMC. In Windows Server 2008 R2, GPMC enables you to use a series of PowerShell cmdlets to automate many of the tasks (such as maintenance and linking of GPOs) that you would otherwise perform in the GUI. In addition, R2 adds new policy settings that enhance the management of Windows 7 computers.
Windows Server 2008 R2 new features:
Active Directory Recycle Bin
Windows PowerShell 2.0
Active Directory Administrative Center (ADAC)
Offline domain join
Active Directory Best Practices Analyzer (health check)
Active Directory Web Services
Active Directory Management Pack
Windows Server Migration Tools
Managed Service Accounts
What is server core? How do you configure and manage a Windows Server 2008 core installation?
The Server Core installation option is an option that you can use for installing Windows Server 2008 or Windows Server 2008 R2. A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles. A server running a Server Core installation of Windows Server 2008 supports the following server roles:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
DHCP Server
DNS Server
File Services
Hyper-V
Print Services
Streaming Media Services
Web Server (IIS)
A server running a Server Core installation of Windows Server 2008 R2 supports the following server roles:
Active Directory Certificate Services
Active Directory Domain Services
Active Directory Lightweight Directory Services (AD LDS)
DHCP Server
DNS Server
File Services (including File Server Resource Manager)
Hyper-V
Print and Document Services
Streaming Media Services
Web Server (including a subset of ASP.NET)
A Server Core installation does not include the traditional full graphical user interface. Once you have configured the server, you can manage it locally at a command prompt or remotely using a Remote Desktop connection. You can also manage the server remotely using the Microsoft Management Console (MMC) or command-line tools that support remote use. Initial configuration (name, IP address, domain join, updates, remote management) is done with netsh, netdom, scregedit.wsf and, on R2, the sconfig menu.
Benefits of a Server Core installation
The Server Core installation option of Windows Server 2008 or Windows Server 2008 R2 provides the following benefits:
Reduced maintenance. Because the Server Core installation option installs only what is required to have a manageable server for the supported roles, less maintenance is required than on a full installation of Windows Server 2008.
Reduced attack surface. Because Server Core installations are minimal, there are fewer applications running on the server, which decreases the attack surface.
Reduced management. Because fewer applications and services are installed on a server running the Server Core installation, there is less to manage.
Less disk space required. A Server Core installation requires only about 3.5 gigabytes (GB) of disk space to install and approximately 3 GB for operations after the installation.
How do you promote a Server Core to DC?
In order to install Active Directory DS on your server core machine, you will need to perform the following tasks:
1. Configure an unattend text file containing the instructions for the DCPROMO process. In this example you will create an additional DC for a domain called petrilab.local.
2. Configure the right server core settings.
After that you need to make sure the core machine is properly configured.
1. Perform any configuration setting that you require (tasks such as changing the computer name, changing and configuring the IP address, subnet mask, default gateway, DNS address, firewall settings, configuring remote desktop, and so on).
2. After changing the required server configuration, make sure that, for the task of creating it as a DC, you have the following requirements in place:
A partition formatted with NTFS (you should, it's a server!)
A network interface card configured properly with the right driver
A network cable plugged in
The right IP address, subnet mask, default gateway
And most importantly, do not forget:
The right DNS setting, in most cases pointing to an existing internal DNS in your corporate network
3. Copy the unattend file to the server core machine.
Now you need to copy the unattend file from wherever you've stored it. You can run it from a network location, but I prefer to have it locally on the core machine. You can use the NET USE command on server core to map to a network path and copy the file to the local drive. You can also use a regular server/workstation to graphically access the core's C$ drive (for example) and copy the file to that location.
4. Run the DCPROMO process.
Next you need to manually run DCPROMO. To run the Active Directory Domain Services Installation Wizard in unattended mode, use the following command at a command prompt:
dcpromo /unattend:<path to the unattend file>
Reboot the machine
In order to reboot the server core machine, type the following text in the command prompt and press Enter.
shutdown /r /t 0
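As an added example (not part of the original article), the following PowerShell builds the kind of unattend file that step 1 refers to for a replica DC in petrilab.local; it is run on an administrative workstation and the resulting file is copied to the core machine as described above. The [DCInstall] keys are the standard dcpromo unattend keys; the site name, file locations and account name are assumptions.

```powershell
# Added example, not the article's own file: generate a dcpromo answer file for an
# additional (replica) domain controller in petrilab.local, the domain used above.
# Assumptions: Default-First-Site-Name is the target site, the default NTDS/SYSVOL
# paths are used, and the file is copied to the Server Core machine afterwards.
$domain       = 'petrilab.local'
$siteName     = 'Default-First-Site-Name'
$unattendPath = Join-Path $env:TEMP 'dcpromo-unattend.txt'

# The answer file cannot prompt for the DSRM password, so it has to be embedded.
# Prompt for it here rather than hard-coding it in the script.
$dsrmPassword = Read-Host 'Directory Services Restore Mode password to embed'

# Password=* makes dcpromo prompt for the domain credentials interactively instead
# of storing a Domain Admin password in clear text in the file.
$unattend = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$domain
SiteName=$siteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$domain
UserName=administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=Yes
"@

Set-Content -Path $unattendPath -Value $unattend -Encoding ASCII

Write-Host "Answer file written to $unattendPath"
Write-Host 'Copy it to the core machine (for example to \\<core>\C$\unattend.txt) and run:'
Write-Host '  dcpromo /unattend:C:\unattend.txt'
Write-Host 'The file still contains the DSRM password: delete it from the core machine once promotion has finished.'
```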
What are RODCs? What are the advantages?
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources.
Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:
Improved security
Faster logon times
More efficient access to resources on the network
What does an RODC do?
Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller.
However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications.
In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller.
An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a non-administrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest.
You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.
How do you install an RODC?
1. Make sure you are a member of the Domain Admins group.
2. Ensure that the forest functional level is Windows Server 2003 or higher.
3. Run adprep /rodcprep.
4. Install a writable domain controller that runs Windows Server 2008. An RODC must replicate domain updates from a writable domain controller that runs Windows Server 2008. Before you install an RODC, be sure to install a writable domain controller that runs Windows Server 2008 in the same domain. The domain controller can run either a full installation or a Server Core installation of Windows Server 2008. In Windows Server 2008, the writable domain controller does not have to hold the primary domain controller (PDC) emulator operations master role.
5. You can install an RODC on either a full installation of Windows Server 2008 or on a Server Core installation of Windows Server 2008. Follow the steps below:
Click Start, type dcpromo, and then press ENTER to start the Active Directory Domain Services Installation Wizard.
On the Choose a Deployment Configuration page, click Existing forest, then click Add a domain controller to an existing domain.
On the Network Credentials page, type the name of a domain in the forest where you plan to install the RODC. If necessary, also type a user name and password for a member of the Domain Admins group, and then click Next.
Select the domain for the RODC, and then click Next.
Click the Active Directory site for the RODC, and click Next.
Select the Read-only domain controller check box. By default, the DNS server check box is also selected. To run the DNS server on the RODC, another domain controller running Windows Server 2008 must be running in the domain and hosting the DNS domain zone. An Active Directory-integrated zone on an RODC is always a read-only copy of the zone file. Updates are sent to a DNS server in a hub site instead of being made locally on the RODC.
To use the default folders that are specified for the Active Directory database, the log files, and SYSVOL, click Next.
Type and then confirm a Directory Services Restore Mode password, and then click Next.
Confirm the information that appears on the Summary page, and then click Next to start the AD DS installation. You can select the Reboot on completion check box to make the rest of the installation complete automatically.
What is the minimum requirement to install Windows 2008 server?
Talk about all the AD-related roles in Windows Server 2008/R2.
Active Directory Domain Services
Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.
Benefits
Lower costs of managing Windows networks.
Simplify identity management by providing a single view of all user information.
Boost security with the ability to enable multiple types of security mechanisms within a single network.
Improve compliance by using Active Directory as a primary source for audit data.
Active Directory Rights Management Services
Your organization's intellectual property needs to be safe and highly secure. Active Directory Rights Management Services, a component of Windows Server 2008, is available to help make sure that only those individuals who need to view a file can do so. AD RMS can protect a file by identifying the rights that a user has to the file. Rights can be configured to allow a user to open, modify, print, forward, or take other actions with the rights-managed information. With AD RMS, you can now safeguard data when it is distributed outside of your network.
Active Directory Federation Services
Active Directory Federation Services is a highly secure, highly extensible, and Internet-scalable identity access solution that allows organizations to authenticate users from partner organizations. Using AD FS in Windows Server 2008, you can simply and very securely grant external users access to your organization's domain resources. AD FS can also simplify integration between untrusted resources and domain resources within your own organization.
Active Directory Certificate Services
Most organizations use certificates to prove the identity of users or computers, as well as to encrypt data during transmission across unsecured network connections. Active Directory Certificate Services (AD CS) enhances security by binding the identity of a person, device, or service to their own private key. Storing the certificate and private key within Active Directory helps securely protect the identity, and Active Directory becomes the centralized location for retrieving the appropriate information when an application places a request.
Active Directory Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode, can be used to provide directory services for directory-enabled applications. Instead of using your organization's AD DS database to store the directory-enabled application data, AD LDS can be used to store the data. AD LDS can be used in conjunction with AD DS so that you can have a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS). Using AD LDS, you can reduce the overhead associated with Active Directory replication, you do not have to extend the Active Directory schema to support the application, and you can partition the directory structure so that the AD LDS service is only deployed to the servers that need to support the directory-enabled application.
What are the new Domain and Forest Functional Levels in Windows Server 2008/R2?
Domain Function Levels
To activate a new domain function level, all DCs in the domain must be running the right operating system. After this requirement is met, the administrator can raise the domain functional level. Here's a list of the domain function levels available in Windows Server 2008:
Windows 2000 Native Mode
This is the default function level for new Windows Server 2008 Active Directory domains.
Supported Domain controllers: Windows 2000, Windows Server 2003, Windows Server 2008.
Windows Server 2003 Mode
To activate the new domain features, all domain controllers in the domain must be running Windows Server 2003. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2003.
Supported Domain controllers: Windows Server 2003, Windows Server 2008.
Windows Server 2008 Mode
To activate the new domain features, all domain controllers in the domain must be running Windows Server 2008. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2008.
Supported Domain controllers: Windows Server 2008.
Windows 2008 Forest function levels
Forest functionality activates features across all the domains in your forest. To activate a new forest function level, all the domains in the forest must be running the right operating system and be set to the right domain function level. After this requirement is met, the administrator can raise the forest functional level. Here's a list of the forest function levels available in Windows Server 2008:
Windows 2000 forest function level
This is the default setting for new Windows Server 2008 Active Directory forests.
Supported Domain controllers in all domains in the forest: Windows 2000, Windows Server 2003, Windows Server 2008.
Windows Server 2003 forest function level
To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2003.
Supported Domain controllers in all domains in the forest: Windows Server 2003, Windows Server 2008.
Windows Server 2008 forest function level
To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2008.
Supported Domain controllers in all domains in the forest: Windows Server 2008.
When a child domain is created in the domain tree, what type of trust relationship exists between the new child domain and the tree's root domain?
Transitive and two way.
http://technet.microsoft.com/en-us/library/cc775736(WS.10).aspx
Which Windows Server 2008 tools make it easy to manage and configure a server's roles and features?
The Server Manager window enables you to view the roles and features installed on a server and also to quickly access the tools used to manage these various roles and features. The Server Manager can be used to add and remove roles and features as needed.
What is WDS? How is WDS configured and managed on a server running Windows Server 2008?
Windows Deployment Services is the updated and redesigned version of Remote Installation Services (RIS). Windows Deployment Services enables you to deploy Windows operating systems, particularly Windows Vista. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD.
Benefits of Windows Deployment Services
Windows Deployment Services provides organizations with the following benefits:
Allows network-based installation of Windows operating systems, which reduces the complexity and cost when compared to manual installations.
Deploys Windows images to computers without operating systems.
Supports mixed environments that include Windows Vista, Microsoft Windows XP, and Microsoft Windows Server 2003.
Built on standard Windows Vista setup technologies, including Windows PE, .wim files, and image-based setup.
Prerequisites for installing Windows Deployment Services
Your computing environment must meet the following technical requirements to install Windows Deployment Services:
Active Directory. A Windows Deployment Services server must be either a member of an Active Directory domain or a domain controller for an Active Directory domain. The Active Directory domain and forest versions are irrelevant; all domain and forest configurations support Windows Deployment Services.
DHCP. You must have a working Dynamic Host Configuration Protocol (DHCP) server with an active scope on the network, because Windows Deployment Services uses PXE, which relies on DHCP for IP addressing.
DNS. You must have a working Dynamic Name Services (DNS) server on the network to run Windows Deployment Services.
An NTFS partition. The server running Windows Deployment Services requires an NTFS file system volume for the image store.
Credentials. To install the role, you must be a member of the Local Administrators group on the Windows Deployment Services server. To install an image, you must be a member of the Domain Users group.
Windows Server 2003 SP1 or SP2 with RIS installed. RIS does not have to be configured, but must be installed.
http://technet.microsoft.com/en-us/library/cc766320(WS.10).aspx#BKMK_1
Name some of the major changes in GPO in Windows Server 2008.
Cost savings through power options
In Windows Server 2008, all power options have been Group Policy enabled, providing a potentially significant cost savings. Controlling power options through Group Policy could save organizations a significant amount of money. You can modify specific power options through individual Group Policy settings or build a custom power plan that is deployable by using Group Policy.
Ability to block device installation
In Windows Server 2008, you can centrally restrict devices from being installed on computers in your organization. You will now be able to create policy settings to control access to devices such as USB drives, CD-RW drives, DVD-RW drives, and other removable media.
Improved security settings
In Windows Server 2008, the firewall and IPsec Group Policy settings are combined to allow you to leverage the advantages of both technologies, while eliminating the need to create and maintain duplicate functionality. Some scenarios supported by these combined firewall and IPsec policy settings are secure server-to-server communications over the Internet, limiting access to domain resources based on trust relationships or health of a computer, and protecting data communication to a specific server to meet regulatory requirements for data privacy and security.
Expanded Internet Explorer settings management
In Windows Server 2008, you can open and edit Internet Explorer Group Policy settings without the risk of inadvertently altering the state of the policy setting based on the configuration of the administrative workstation. This change replaces earlier behavior in which some Internet Explorer policy settings would change based on the policy settings enabled on the administrative workstation used to view the settings.
Printer assignment based on location
The ability to assign printers based on location in the organization or a geographic location is a new feature in Windows Server 2008. In Windows Server 2008, you can assign printers based on site location. When mobile users move to a different location, Group Policy can update their printers for the new location. Mobile users returning to their primary locations see their usual default printers.
Printer driver installation delegated to users
In Windows Server 2008, administrators can now delegate to users the ability to install printer drivers by using Group Policy. This feature helps to maintain security by limiting distribution of administrative credentials.
What is the AD Recycle Bin? How do you use it?
Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers.
When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved, and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.
Active Directory Recycle Bin is functional for both AD DS and Active Directory Lightweight Directory Services (AD LDS) environments.
By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which in turn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to be running Windows Server 2008 R2.
To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet
1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
Enable-ADOptionalFeature -Identity <ADOptionalFeature> -Scope <ADOptionalFeatureScope> -Target <ADEntity>
For example, to enable Active Directory Recycle Bin for contoso.com, type the following command, and then press ENTER:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
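Enabling the feature is only half of "how do you use it"; as an added example (not from the original page), the following Windows Server 2008 R2 Active Directory module script locates a deleted user and restores it, checking the conditions under which Restore-ADObject fails. The account name jsmith and the checks are constructed for this example.

```powershell
# Added example, not from the original page: find and restore a deleted user after
# Active Directory Recycle Bin has been enabled for the forest as shown above.
# Assumptions: Windows Server 2008 R2 Active Directory module; 'jsmith' is a
# constructed sample account name.
Import-Module ActiveDirectory

function Test-AdRecycleBinEnabled {
    # EnabledScopes stays empty until Enable-ADOptionalFeature has been run for the forest.
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    return (@($feature.EnabledScopes).Count -gt 0)
}

function Get-AdDeletedObjects {
    param([string]$NameFilter = '*')
    # Deleted objects carry isDeleted=TRUE and remember their original location in
    # lastKnownParent; the Deleted Objects container itself is excluded from the listing.
    Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' -and name -like $NameFilter } `
                 -IncludeDeletedObjects `
                 -Properties lastKnownParent, whenChanged, objectClass, sAMAccountName, isRecycled
}

function Restore-AdDeletedUser {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    if (-not (Test-AdRecycleBinEnabled)) {
        throw 'Active Directory Recycle Bin is not enabled; attributes of deleted objects are not preserved.'
    }

    $hits = @(Get-AdDeletedObjects | Where-Object { $_.objectClass -eq 'user' -and $_.sAMAccountName -eq $SamAccountName })
    if ($hits.Count -ne 1) { throw "Expected one deleted user '$SamAccountName', found $($hits.Count)." }
    $deleted = $hits[0]

    # Once the deleted-object lifetime has passed the object is recycled and can no longer be restored.
    if ($deleted.isRecycled) { throw "'$SamAccountName' has already been recycled." }

    # Restore-ADObject puts the object back under lastKnownParent, so that container must exist.
    # If the OU was deleted in the same operation, restore the OU first, then the user.
    try { Get-ADObject -Identity $deleted.lastKnownParent | Out-Null }
    catch { throw "Parent '$($deleted.lastKnownParent)' no longer exists; restore it first." }

    Restore-ADObject -Identity $deleted.ObjectGUID

    # memberOf is link-valued and comes back with the object, which is the point of the feature.
    return Get-ADUser -Identity $SamAccountName -Properties memberOf
}

# Usage (constructed):
# Restore-AdDeletedUser -SamAccountName 'jsmith' | Select-Object Name, DistinguishedName, memberOf
```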
What are AD Snapshots? How do you use them?
A snapshot is a shadow copy, created by the Volume Shadow Copy Service (VSS), of the volumes that contain the Active Directory database and log files. With Active Directory snapshots, you can view the data inside such a snapshot on a domain controller without the need to start the server in Directory Services Restore Mode.
Windows Server 2008 has a new feature allowing administrators to create snapshots of the Active Directory database for offline use. With AD snapshots you can mount a backup of AD DS under a different set of ports and have read-only access to your backups through LDAP.
There are quite a few scenarios for using AD snapshots. For example, if someone has changed properties of AD objects and you need to revert to their previous values, you can mount a copy of a previous snapshot to an alternate port and easily export the required attributes for every object that was changed. These values can then be imported into the running instance of AD DS. You can also restore deleted objects or simply view objects for diagnostic purposes.
It does not allow you to move or copy items or information from the snapshot to the live database. In order to do that, you will need to manually export the relevant objects or attributes from the snapshot and manually import them back to the live AD database.
Steps for using Snapshot:
1. Create a snapshot:
Open CMD.exe, then run: Ntdsutil, activate instance ntds, snapshot, create, list all.
2. Mounting an Active Directory snapshot:
Before connecting to the snapshot we need to mount it. By looking at the results of the List All command in the step above, identify the snapshot that you wish to mount and note the number next to it.
Type: Ntdsutil, Snapshot, List all, Mount 2. The snapshot gets mounted to c:\$SNAP_200901250030_VOLUMEC$\.
Now you can refer to this path to see the objects in this snapshot.
3. Connecting to an Active Directory snapshot:
In order to connect to the AD snapshot you've mounted, you will need to use the DSAMAIN command. DSAMAIN is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed.
After using DSAMAIN to expose the information inside the AD snapshot, you can use any GUI tool that can connect to the specified port, tools such as Active Directory Users and Computers (DSA.msc), ADSIEDIT.msc, LDP.exe or others. You can also connect to it by using command-line tools such as LDIFDE or CSVDE, tools that allow you to export information from that database.
dsamain -dbpath "c:\$SNAP_200901250030_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 10289
The above command will allow you to access the database using port 10289.
Now you can use the LDP.exe tool to connect to this mounted instance.
4. Disconnecting from the Active Directory snapshot:
In order to disconnect from the AD snapshot, all you need to do is to type CTRL+C at the DSAMAIN command prompt window. You'll get a message indicating that the DS shut down successfully.
5. Unmounting the snapshot:
Run the command: Ntdsutil, Snapshot, List all, Unmount 2.
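The "someone changed properties and you need the previous values" scenario above is done by hand with LDP or LDIFDE; as an added example (not from the original page), this PowerShell compares selected attributes of one object in the mounted snapshot (dsamain on port 10289, as above) with the live directory, using plain LDAP so it needs nothing beyond the snapshot port. The domain DN DC=contoso,DC=com, the account jsmith and the attribute list are assumptions.

```powershell
# Added example, not from the original page: diff an object between an AD snapshot
# exposed by dsamain (here on localhost:10289) and the live directory, so the old
# values can be re-applied deliberately instead of guessed.
# Assumptions: run on the DC that hosts the snapshot as a domain administrator;
# DC=contoso,DC=com and 'jsmith' are constructed sample values.
Add-Type -AssemblyName System.DirectoryServices

function Get-LdapAttributes {
    param(
        [string]$Server,          # host or host:port; the snapshot listens on the dsamain -ldapport
        [string]$BaseDn,
        [string]$SamAccountName,
        [string[]]$Attributes
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher `
        -ArgumentList $root, "(sAMAccountName=$SamAccountName)", ([string[]]$Attributes)
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "$SamAccountName not found on $Server under $BaseDn" }

    $values = @{}
    foreach ($attr in $Attributes) {
        # Multi-valued attributes (memberOf) are sorted so that ordering alone is not a change.
        $values[$attr] = @($result.Properties[$attr]) | ForEach-Object { "$_" } | Sort-Object
    }
    return $values
}

function Compare-SnapshotObject {
    param(
        [string]$SamAccountName,
        [string]$BaseDn         = 'DC=contoso,DC=com',
        [string]$SnapshotServer = 'localhost:10289',
        [string]$LiveServer     = 'localhost',
        [string[]]$Attributes   = @('description', 'title', 'mail', 'userAccountControl', 'memberOf')
    )
    $before = Get-LdapAttributes $SnapshotServer $BaseDn $SamAccountName $Attributes
    $after  = Get-LdapAttributes $LiveServer     $BaseDn $SamAccountName $Attributes

    # One row per attribute whose value differs; nothing is written to the live directory.
    foreach ($attr in $Attributes) {
        $old = $before[$attr] -join ';'
        $new = $after[$attr]  -join ';'
        if ($old -ne $new) {
            New-Object PSObject -Property @{ Attribute = $attr; Snapshot = $old; Live = $new }
        }
    }
}

# Usage (constructed): list what changed on jsmith since the snapshot was taken.
# Compare-SnapshotObject -SamAccountName 'jsmith' | Format-Table Attribute, Snapshot, Live -AutoSize
```

The Snapshot column holds the values to import back; applying them (for example with Set-ADUser -Replace) stays a separate, reviewed step, as the text above requires.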
What is Offline Domain Join? How do you use it?
You can use offline domain join to join computers to a domain without contacting a domain controller over the network. You can join computers to the domain when they first start up after an operating system installation. No additional restart is necessary to complete the domain join. This helps reduce the time and effort required to complete a large-scale computer deployment in places such as datacenters.
For example, an organization might need to deploy many virtual machines within a datacenter. Offline domain join makes it possible for the virtual machines to be joined to the domain when they initially start following the operating system installation. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.
A domain join establishes a trust relationship between a computer running a Windows operating system and an Active Directory domain. This operation requires state changes to AD DS and state changes on the computer that is joining the domain. To complete a domain join in the past using previous Windows operating systems, the computer that joined the domain had to be running and it had to have network connectivity to contact a domain controller.
Offline domain join provides the following advantages over the previous requirements:
The Active Directory state changes are completed without any network traffic to the computer.
The computer state changes are completed without any network traffic to a domain controller.
Each set of changes can be completed at a different time.
http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx
What are Fine-Grained Passwords? How do you use them?
You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain.
For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.
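The two separate sets of state changes described above map onto the two djoin.exe steps; as an added example (not from the original page), here is the provisioning side with the blob file protected, and the consuming side as the command to run on the new computer. Domain contoso.com, machine name VM01 and the C:\odj path are constructed placeholders.

```powershell
# Added example, not from the original page: offline domain join with djoin.exe.
# Step 1 runs on a domain-joined machine (the AD state change); step 2 runs on the
# new computer before its first domain logon (the computer state change).
# Assumptions: contoso.com, VM01 and C:\odj are constructed placeholders.
$domain   = 'contoso.com'
$machine  = 'VM01'
$blobPath = "C:\odj\$machine.txt"

New-Item -ItemType Directory -Path (Split-Path $blobPath) -Force | Out-Null

# Step 1: create the computer account in AD and write the join metadata to the blob.
& djoin.exe /provision /domain $domain /machine $machine /savefile $blobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob is what lets VM01 authenticate as its machine account, so it is a credential:
# strip inherited permissions, leave only Administrators, and delete it once consumed.
$acl = Get-Acl -Path $blobPath
$acl.SetAccessRuleProtection($true, $false)
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'Allow')
$acl.AddAccessRule($adminRule)
Set-Acl -Path $blobPath -AclObject $acl

Write-Host "Provisioned $machine in $domain; copy $blobPath to the new computer and run there:"
Write-Host "  djoin.exe /requestODJ /loadfile C:\odj\$machine.txt /windowspath %SystemRoot% /localos"
Write-Host "  del C:\odj\$machine.txt"

# Step 2 (on VM01, as a local administrator, no domain controller reachable):
#   djoin.exe /requestODJ /loadfile C:\odj\VM01.txt /windowspath %SystemRoot% /localos
# The join completes on the next start; no extra restart is needed, as the text above says.
```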
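As an added example (not from the original page), the "stricter settings for privileged accounts" case above expressed with the Windows Server 2008 R2 Active Directory module: a password settings object (PSO) applied to Domain Admins, and a check of which policy actually wins for a given user. The PSO name, the values and the account jsmith are assumptions.

```powershell
# Added example, not from the original page: a fine-grained password policy for
# privileged accounts. Assumptions: Windows Server 2008 R2 AD module, Domain Admins
# as the target group, and the numeric settings below as a constructed baseline.
Import-Module ActiveDirectory

function New-PrivilegedPasswordPolicy {
    param(
        [string]$Name        = 'PSO-PrivilegedAccounts',
        [string]$TargetGroup = 'Domain Admins'
    )
    # PSOs exist only at the Windows Server 2008 domain functional level or higher.
    $mode = (Get-ADDomain).DomainMode
    if ("$mode" -match '2000|2003') {
        throw "Domain functional level $mode does not support fine-grained password policies."
    }

    # Lower Precedence wins when a user is covered by several PSOs; leave room below 10
    # for an even stricter policy later. Reversible encryption stays off: it would store
    # passwords in a recoverable form on every DC.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -Description "Stricter policy for $TargetGroup" `
        -ComplexityEnabled $true `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false

    # PSOs bind to users and global security groups, not to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $TargetGroup
    return Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    # Returns the winning PSO; $null means the Default Domain Policy applies to this user.
    Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
}

# Usage (constructed):
# New-PrivilegedPasswordPolicy
# Get-EffectivePasswordPolicy -SamAccountName 'jsmith'
```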
Talk about Restartable Active Directory Domain Services in Windows Server 2008/R2. What is this feature good for?
Restartable AD DS is a feature in Windows Server 2008 that you can use to perform routine maintenance tasks on a domain controller, such as applying updates or performing offline defragmentation, without restarting the server.
While AD DS is running, a domain controller running Windows Server 2008 behaves the same way as a domain controller running Microsoft Windows 2000 Server or Windows Server 2003.
While AD DS is stopped, you can continue to log on to the domain by using a domain account if other domain controllers are available to service the logon request. You can also log on to the domain with a domain account while the domain controller is started in Directory Services Restore Mode (DSRM) if other domain controllers are available to service the logon request.
If no other domain controller is available, you can log on to the domain controller where AD DS is stopped in Directory Services Restore Mode (DSRM) only by using the DSRM Administrator account and password, by default, as in Windows 2000 Server Active Directory or Windows Server 2003 Active Directory.
Benefits of restartable AD DS
Restartable AD DS reduces the time that is required to perform offline operations, such as offline defragmentation. It also improves the availability of other services that run on a domain controller by keeping them running when AD DS is stopped. In combination with the Server Core installation option of Windows Server 2008, restartable AD DS reduces the overall servicing requirements of a domain controller.
In Windows 2000 Server Active Directory and Windows Server 2003 Active Directory, you must restart the domain controller in DSRM when you perform offline defragmentation of the database or apply security updates. In contrast, you can stop Windows Server 2008 AD DS as you stop other services that are running locally on the server. This makes it possible to perform offline AD DS operations more quickly than you could with Windows 2000 Server and Windows Server 2003.
You can use Microsoft Management Console (MMC) snap-ins or the Net.exe command-line tool to stop or restart Active Directory Domain Services (AD DS) in the Windows Server 2008 operating system. You can stop AD DS to perform tasks such as offline defragmentation of the AD DS database without restarting the domain controller. Other services that run on the server but that do not depend on AD DS to function are available to service client requests while AD DS is stopped. An example of such a service is Dynamic H
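Offline defragmentation is the maintenance task the text keeps returning to; as an added example (not from the original page), here it is done under restartable AD DS, stopping the NTDS service instead of booting into DSRM, with the old database kept until the compacted copy passes an integrity check. The default C:\Windows\NTDS location and the scratch folders are assumptions.

```powershell
# Added example, not from the original page: offline defragmentation of the AD DS
# database on a Windows Server 2008 DC using restartable AD DS (Stop-Service NTDS is
# the PowerShell form of the Net.exe "net stop ntds" the text mentions).
# Assumptions: database in the default C:\Windows\NTDS; C:\NTDS-compact and
# C:\NTDS-backup are constructed scratch paths with room for a second ntds.dit.
$ntdsDir   = 'C:\Windows\NTDS'
$compactTo = 'C:\NTDS-compact'
$backupDir = 'C:\NTDS-backup'

function Invoke-NtdsUtil {
    param([string[]]$Commands)
    # Every array element is one ntdsutil menu command; PowerShell quotes the multi-word ones.
    & ntdsutil.exe @Commands
}

# 1. Stop AD DS. Services that depend on it (KDC, DNS, file replication) stop with it;
#    everything else on the server keeps answering clients, which is the point of the feature.
Stop-Service -Name NTDS -Force

try {
    New-Item -ItemType Directory -Path $compactTo, $backupDir -Force | Out-Null

    # 2. Write a compacted copy of the database; the live ntds.dit is not modified.
    Invoke-NtdsUtil 'activate instance ntds', 'files', "compact to $compactTo", 'quit', 'quit'

    # 3. Keep the original database and logs before swapping in the compacted file.
    Copy-Item -Path (Join-Path $ntdsDir 'ntds.dit') -Destination $backupDir -Force
    Copy-Item -Path (Join-Path $ntdsDir '*.log')    -Destination $backupDir -Force
    Copy-Item -Path (Join-Path $compactTo 'ntds.dit') -Destination (Join-Path $ntdsDir 'ntds.dit') -Force
    Remove-Item -Path (Join-Path $ntdsDir '*.log')

    # 4. Verify the compacted file before AD DS is brought back; on a failure, restore
    #    ntds.dit and the logs from $backupDir before starting the service.
    Invoke-NtdsUtil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
}
finally {
    # 5. Start AD DS again, then the dependent services that were stopped in step 1.
    Start-Service -Name NTDS
    Get-Service -Name Kdc, DNS, NtFrs, DFSR -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Running' } |
        Start-Service
}
```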