
What is Active Directory?

Active Directory is a metadata store: a database that holds your user information, computer information and other network object information. It also provides the means to manage and administer the whole network that is connected to AD.
>What is domain?
In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The 'domain' is simply your computer address, not to be confused with a URL. A domain address might look something like 211.170.469.
>What is domain controller?
A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
>What is LDAP?
Lightweight Directory Access Protocol (LDAP) is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.
>What is KCC?
KCC (Knowledge Consistency Checker) is used to generate the replication topology for intersite replication and for intrasite replication. Within a site, replication traffic is done via remote procedure calls over IP, while between sites it is done through either RPC or SMTP.
>Where is the AD database held? What other folders are related to AD?
The AD database is stored in c:\windows\ntds\NTDS.DIT.
>What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files. The contents of the SYSVOL folder, such as group policy, users etc., are replicated to all domain controllers in the domain.
>What are the Windows Server 2003 keyboard shortcuts?
Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog box. Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel with the Search for Computers module selected. Winkey + F1 opens Help. Winkey + M minimizes all. Winkey + SHIFT + M undoes minimization. Winkey + R opens the Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer.
>Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
>I am trying to create a new universal user group. Why can't I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
>What is LSDOU?
It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.
>Why doesn't LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
>What's the number of permitted unsuccessful logons on the Administrator account?
Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
>What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.
>How many passwords by default are remembered when you check "Enforce Password History Remembered"?
User's last 6 passwords.
>Can the GC Server and Infrastructure master be placed on a single server? If not, explain why.
No, as the Infrastructure master does the same job as the GC. They do not work together.
>Which service in your Windows is responsible for replication from one domain controller to another domain controller?
KCC generates the replication topology.
Use SMTP / RPC to replicate changes.
>What are intrasite and intersite replication?
Intrasite is the replication within the same site, and intersite is the replication between sites.
>What is the lost & found folder in ADS?
It's the folder where you can find the objects missed due to conflict.
EX: you created a user in an OU which was deleted on another DC; when replication happened, ADS didn't find the OU, so it put the user in the Lost & Found folder.
>What is garbage collection?
Garbage collection is the process of the online defragmentation of Active Directory. It happens every 12 hours.
>What does System State data contain?
Contains Startup files,
Registry
COM+ Registration Database
Memory Page file
System files
AD information
Cluster Service information
SYSVOL Folder
>I want to set up a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone "name.org", can I name the AD domain "name.org" too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself to install DNS on your server in the background.
>How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.
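The review step above (collect each workstation's `net localgroup administrators` output in one place and look for members that should not be there) can be automated. The PowerShell below is an added example, not code from the original page: it parses the text that `net localgroup administrators` prints, compares each machine's members against an approved list, and reports the extras. The sample output, the machine names WS01/WS02 and the domain name CORP are constructed.

```powershell
# Added example (not from the original page): parse what
# 'net localgroup administrators' prints and flag members that are not on an
# approved list. The sample output, the machine names WS01/WS02 and the
# domain name CORP are constructed. In a login script each machine would
# append its own output to a central share, e.g.
#   net localgroup administrators >> \\fileserver\audit$\%COMPUTERNAME%.txt
# and this script would then read those files instead of $sample.

function ConvertFrom-NetLocalGroup {
    param([string]$Computer, [string[]]$Lines)
    # Member names are listed between the dashed separator line and the
    # closing "The command completed successfully." line.
    $inMembers = $false
    foreach ($line in $Lines) {
        if ($line -match '^-{10,}\s*$') { $inMembers = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim()) {
            [pscustomobject]@{ Computer = $Computer; Member = $line.Trim() }
        }
    }
}

function Find-UnexpectedLocalAdmin {
    param(
        [hashtable]$OutputByComputer,   # computer name -> lines of net localgroup output
        [string[]]$Approved             # members that are allowed (matched case-insensitively)
    )
    foreach ($computer in $OutputByComputer.Keys) {
        ConvertFrom-NetLocalGroup -Computer $computer -Lines $OutputByComputer[$computer] |
            Where-Object { $Approved -notcontains $_.Member }
    }
}

# Constructed sample output from two workstations.
$sample = @{
    'WS01' = @(
        'Alias name     administrators',
        'Comment        Administrators have complete and unrestricted access to the computer/domain',
        '',
        'Members',
        '',
        '-------------------------------------------------------------------------------',
        'Administrator',
        'CORP\Domain Admins',
        'CORP\jsmith',
        'The command completed successfully.'
    )
    'WS02' = @(
        'Alias name     administrators',
        'Comment        Administrators have complete and unrestricted access to the computer/domain',
        '',
        'Members',
        '',
        '-------------------------------------------------------------------------------',
        'Administrator',
        'CORP\Domain Admins',
        'The command completed successfully.'
    )
}

$approved = @('Administrator', 'CORP\Domain Admins')
Find-UnexpectedLocalAdmin -OutputByComputer $sample -Approved $approved |
    Format-Table -AutoSize
```

The parser keys on the dashed separator and the "The command completed successfully." trailer rather than on fixed line offsets, so extra header lines do not break it. Pairing the report with the Restricted Groups policy mentioned above gives both detection (who is an admin now) and enforcement (who is allowed to stay one).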
>What is the ISTG? Who has that role by default?
Windows 2000 Domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).
>What is the difference between Server 2003 and 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server).
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection - Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell - Microsoft's command line shell and scripting language has proved popular with some server administrators.
9. IIS 7.
10. Bitlocker - System drive encryption can be a sensible security measure for servers located in remote branch offices.
11. Windows Aero.
The main difference between 2003 and 2008 is virtualization and management. 2008 has more in-built components and updated third party drivers.
>What are the requirements for installing AD on a new server?
1 The Domain structure.
2 The Domain Name.
3 Storage location of the database and log file.
4 Location of the shared system volume folder.
5 DNS config method.
6 DNS configuration.
>What is LDP?
LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.
>What are the group types available in Active Directory?
Security groups: Use Security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to security groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.
>Explain about the group scopes in AD?
Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. Domain local group memberships are not limited, as you can add members such as user accounts, universal and global groups from any domain. Just remember, nesting cannot be done in a domain local group. A domain local group will not be a member of another Domain Local or any other groups in the same domain.
Global Group: Users with similar function can be grouped under global scope and can be given permission to access a resource (like a printer or shared folder and files) available in the local or another domain in the same forest. To say it in simple words, Global groups can be used to grant permissions to gain access to resources which are located in any domain but in a single forest, as their memberships are limited. User accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible in Global groups within other groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain specific resources (like printers and published folders), they can be members of a Domain Local group. Global groups exist in all mixed, native and interim functional levels of domains and forests.
Universal Group Scope: These groups are precisely used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group memberships are not limited like global groups. All domain user accounts and groups can be a member of a universal group. Universal groups can be nested under a global or Domain Local group in any domain.
>What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.
>What is ADSIEDIT?
ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.
>What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
>What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
>How to take a backup of AD?
For taking a backup of Active Directory you have to do this: first go START -> PROGRAMS -> ACCESSORIES -> SYSTEM TOOLS -> BACKUP, or open the Run window and run ntbackup. When the backup screen appears, take the backup of SYSTEM STATE; it will take the backup of all the necessary information about the system, including AD backup, DNS etc.
>What are the DS* commands?
The following DS commands: the DS family built-in utility.
DSmod - modify Active Directory attributes.
DSrm - delete Active Directory objects.
DSmove - relocate objects.
DSadd - create new accounts.
DSquery - find objects that match your query attributes.
DSget - list the properties of an object.
>What are the requirements for installing AD on a new server?
An NTFS partition with enough free space.
An Administrator's username and password.
The correct operating system version.
A NIC with properly configured TCP/IP (IP address, subnet mask and - optional - default gateway).
A network connection (to a hub or to another computer via a crossover cable).
An operational DNS server (which can be installed on the DC itself).
A Domain name that you want to use.
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).
>Explain about Trust in AD?
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created.
The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.
Trusts in Windows 2000 (native mode)
One-way trust - One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust - Two domains allow access to users on both domains.
Trusting domain - The domain that allows access to users from a trusted domain.
Trusted domain - The domain that is trusted; whose users have access to the trusting domain.
Transitive trust - A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust - A one way trust that does not extend beyond two domains.
Explicit trust - A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust - An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Windows 2000 Server supports the following types of trusts:
Two-way transitive trusts.
One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
Shortcut
Windows Server 2003 offers a new trust type: the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are also transitive for all the domains in the forests that are trusted. Forest trusts, however, are not transitive.
>Difference between LDIFDE and CSVDE?
CSVDE is a command that can be used to import and export objects to and from the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go to length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info.
LDIFDE is a command that can be used to import and export objects to and from the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor; however, it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.
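The reason LDIFDE can modify and delete while CSVDE can only add is visible in the file formats themselves: an LDIF record carries a changetype, a CSV row carries only attribute values. The PowerShell below is an added example, not code from the original page: a small LDIF record reader that turns records into add/modify/delete operations, next to a CSV fragment read with ConvertFrom-Csv. The LDIF and CSV content, the DNs and the attribute values are all constructed.

```powershell
# Added example (not from the original page): a small LDIF record reader that
# shows why LDIFDE can carry modify and delete operations while a CSVDE file
# can only describe objects to add. The LDIF and CSV content below is
# constructed; the DNs and attribute values are made up.

function ConvertFrom-LdifRecords {
    param([string[]]$Lines)
    $records = @()
    $current = $null
    $lastKey = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$') {                 # a blank line ends a record
            if ($current) { $records += [pscustomobject]$current }
            $current = $null; $lastKey = $null
            continue
        }
        if ($line -match '^#') { continue }         # comment line
        if ($line -match '^ (.*)$' -and $current -and $lastKey) {
            # a line starting with one space continues the previous value
            $current[$lastKey] = "$($current[$lastKey])$($Matches[1])"
            continue
        }
        if ($line -match '^([A-Za-z][\w;-]*):\s*(.*)$') {
            $key = $Matches[1]; $value = $Matches[2]
            if ($key -eq 'dn') {
                # RFC 2849: a record without an explicit changetype is an add
                $current = [ordered]@{ dn = $value; changetype = 'add' }
            } elseif ($current) {
                if ($current.Contains($key) -and $key -ne 'changetype') {
                    $current[$key] = @($current[$key]) + $value   # multi-valued attribute
                } else {
                    $current[$key] = $value
                }
            }
            $lastKey = $key
        }
    }
    if ($current) { $records += [pscustomobject]$current }
    return $records
}

# Constructed LDIF: one add, one modify (replace an attribute), one delete.
$ldif = @(
    'dn: CN=jsmith,OU=Users,DC=corp,DC=example,DC=com',
    'changetype: add',
    'objectClass: user',
    'sAMAccountName: jsmith',
    'description: Initial',
    '',
    'dn: CN=jsmith,OU=Users,DC=corp,DC=example,DC=com',
    'changetype: modify',
    'replace: description',
    'description: Contractor (until 2024-12-31)',
    '-',
    '',
    'dn: CN=olduser,OU=Users,DC=corp,DC=example,DC=com',
    'changetype: delete'
)
ConvertFrom-LdifRecords -Lines $ldif |
    Select-Object changetype, dn, description | Format-Table -AutoSize

# Constructed CSVDE-style content: a header of attribute names and one row
# per object. There is no column for an operation, so every row is an add.
$csv = @(
    'DN,objectClass,sAMAccountName,description',
    '"CN=jsmith,OU=Users,DC=corp,DC=example,DC=com",user,jsmith,Initial'
)
$csv | ConvertFrom-Csv | Format-Table -AutoSize
```

The reader handles the common LDIF conventions (blank-line record separators, comment lines, folded continuation lines, repeated attributes) but not base64 values marked with `::`; the point of the example is the changetype field, which is the capability CSV has no place to express.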
>What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NC.
>What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Using an application directory partition provides redundancy, availability or fault tolerance by replicating data to a specific domain controller or any set of domain controllers anywhere in the forest.
>How do you create a new application partition?
Use the DnsCmd command to create an application directory partition.
To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
>How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller, where domain_controller is the DC you want to query to determine whether it's a GC.
The output will include the text DSA Options: IS_GC if the DC is a GC.
>Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes, you can use dirXML or LDAP to connect to other directories.
In Novell you can use E-directory.
>What is IPSec Policy?
IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec Policy can be deployed via Group Policy to the Windows domain controllers and servers.
>What are the different types of Terminal Services?
User Mode & Application Mode.
>What is RsOP?
RsOP is the resultant set of policy applied on the object (Group Policy).
>How do you view replication properties for AD partitions and DCs?
By using replication monitor:
go to start > run > type repadmin
go to start > run > type replmon
>Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone life, which is set to only 60 days.
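The check behind this answer, and behind the tombstone lifetime attribute described two questions earlier, can be written down. The PowerShell below is an added example, not code from the original page: it compares the age of a backup with the tombstone lifetime and reports whether the backup may still be restored. The dates are constructed. Get-TombstoneLifetimeDays reads the attribute from its real location (the Directory Service object under the configuration naming context) and only works on a domain-joined machine; the distinguished name passed to it is an assumption to adjust for your forest.

```powershell
# Added example (not from the original page): decide whether a System State
# backup is still usable for restoring a DC, given the tombstone lifetime.
# The dates are constructed. Get-TombstoneLifetimeDays reads the real
# attribute location (the Directory Service object under the configuration
# naming context) and needs a domain-joined machine; the distinguished name
# passed to it is assumed, so adjust it to your forest.

function Get-TombstoneLifetimeDays {
    param([string]$ConfigurationNC)   # e.g. 'CN=Configuration,DC=corp,DC=example,DC=com'
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$ConfigurationNC"
    $value = $ds.Properties['tombstoneLifetime'].Value
    # If the attribute is not set, the lifetime is 60 days, as the text says.
    # Forests first created on Windows Server 2003 SP1 or later set it to 180.
    if ($null -eq $value) { return 60 }
    return [int]$value
}

function Test-BackupRestorable {
    param(
        [datetime]$BackupDate,
        [datetime]$Now = (Get-Date),
        [int]$TombstoneLifetimeDays = 60
    )
    $ageDays = [int][math]::Floor(($Now - $BackupDate).TotalDays)
    $ok = $ageDays -lt $TombstoneLifetimeDays
    if ($ok) {
        $reason = 'within tombstone lifetime'
    } else {
        $reason = 'older than tombstone lifetime: deletions since the backup have already been garbage-collected, so restoring would reintroduce lingering objects'
    }
    [pscustomobject]@{
        BackupDate            = $BackupDate.ToString('yyyy-MM-dd')
        AgeDays               = $ageDays
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        Restorable            = $ok
        Reason                = $reason
    }
}

# Constructed dates: one backup 17 days old, one about 4 months old.
$now = [datetime]'2024-06-01'
Test-BackupRestorable -BackupDate ([datetime]'2024-05-15') -Now $now
Test-BackupRestorable -BackupDate ([datetime]'2024-02-01') -Now $now
```

On a live forest, pass the value returned by Get-TombstoneLifetimeDays as -TombstoneLifetimeDays instead of relying on the 60-day default, since a forest with a 180-day lifetime accepts older backups.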
>Different modes of AD restore?
A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller.
An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. For this, one needs to stop inbound replication first, before performing the authoritative restore.
>How do you configure a stand-by operation master for any of the roles?
• Open Active Directory Sites and Services.
• Expand the site name in which the standby operations master is located to display the Servers folder.
• Expand the Servers folder to see a list of the servers in that site.
• Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
• Right-click NTDS Settings, click New, and then click Connection.
• In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
• In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
>What's the difference between transferring a FSMO role and seizing?
Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available.
If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role seize and then bring the previous holder back online, you'll have a problem.
An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC. During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder.
>I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC)
>What is BridgeHead Server in AD?
A bridgehead server is a domain controller in each site, which is used as a contact point to receive and replicate data between sites. For intersite replication, KCC designates one of the domain controllers as a bridgehead server. In case the server is down, KCC designates another one from the domain controllers. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.
>What is the default size of ntds.dit?
10 MB in Server 2000 and 12 MB in Server 2003.
>Where is the AD database held and what are other folders related to AD?
AD Database is saved in %systemroot%\ntds. You can see other files also in this folder. These are the main files controlling the AD structure.
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file.
Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we've discussed.
>What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement.
In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
>What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets.
Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic.
Sites can be linked to other Sites. Site-link objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule.
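The site-link cost described above is what makes intersite replication follow the physical network: the ISTG picks the route whose summed cost is lowest. The PowerShell below is an added example, not code from the original page: it builds a site graph from a list of site links and finds the cheapest path between two sites with Dijkstra's algorithm. The site names, link names and costs are constructed, and all site links are assumed to be bridged (the default "bridge all site links" behaviour), so a path may cross several links.

```powershell
# Added example (not from the original page): the least-cost intersite path
# over a set of site links, which is what the ISTG computes when it chooses
# replication partners across sites. Site names and costs are constructed,
# and all site links are assumed to be bridged (the default), so paths may
# cross several links.

function Get-CheapestSitePath {
    param(
        [string]$From,
        [string]$To,
        [object[]]$SiteLinks     # each: @{ Name; Sites = @('A','B',...); Cost = 100 }
    )
    # Every pair of sites in the same site link is reachable at that link's cost.
    $adj = @{}
    foreach ($link in $SiteLinks) {
        foreach ($a in $link.Sites) {
            if (-not $adj.ContainsKey($a)) { $adj[$a] = @{} }
            foreach ($b in $link.Sites) {
                if ($a -eq $b) { continue }
                if (-not $adj[$a].ContainsKey($b) -or $adj[$a][$b] -gt $link.Cost) {
                    $adj[$a][$b] = $link.Cost
                }
            }
        }
    }
    # Dijkstra over the site graph.
    $dist = @{ $From = 0 }
    $prev = @{}
    $done = @{}
    while ($true) {
        $current = $dist.Keys |
            Where-Object { -not $done.ContainsKey($_) } |
            Sort-Object { $dist[$_] } |
            Select-Object -First 1
        if (-not $current -or $current -eq $To) { break }
        $done[$current] = $true
        if (-not $adj.ContainsKey($current)) { continue }
        foreach ($next in @($adj[$current].Keys)) {
            $alt = $dist[$current] + $adj[$current][$next]
            if (-not $dist.ContainsKey($next) -or $alt -lt $dist[$next]) {
                $dist[$next] = $alt
                $prev[$next] = $current
            }
        }
    }
    if (-not $dist.ContainsKey($To)) { return $null }   # no route between the sites
    $path = @($To)
    $hop = $To
    while ($prev.ContainsKey($hop)) { $hop = $prev[$hop]; $path = @($hop) + $path }
    [pscustomobject]@{ From = $From; To = $To; Cost = $dist[$To]; Path = ($path -join ' -> ') }
}

# Constructed site links: a hub with three spokes and one direct branch-to-branch
# link whose cost is higher than the two hops through the hub.
$links = @(
    @{ Name = 'Hub-Branch1';     Sites = @('Hub', 'Branch1');     Cost = 100 },
    @{ Name = 'Hub-Branch2';     Sites = @('Hub', 'Branch2');     Cost = 200 },
    @{ Name = 'Branch1-Branch2'; Sites = @('Branch1', 'Branch2'); Cost = 500 },
    @{ Name = 'Hub-Remote';      Sites = @('Hub', 'Remote');      Cost = 1000 }
)
Get-CheapestSitePath -From 'Branch1' -To 'Branch2' -SiteLinks $links
Get-CheapestSitePath -From '
Remote'  -To 'Branch1' -SiteLinks $links
```

Lowering a link's cost therefore changes which bridgehead servers end up talking to each other, which is why cost values deserve the same change control as the links themselves. Site link schedules, also mentioned above, are not modelled here.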
>Trying to look at the Schema; how can I do that?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> add snap-in --> add Active Directory Schema
name it as schema.msc
Open administrative tools --> schema.msc
>What is the port no of Kerberos?
88
>What is the port no of Global Catalog?
3268
>What is the port no of LDAP?
389
>Explain Active Directory Schema?
Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called "Schema". The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on.
These objects are also known as "Classes". The Active Directory Schema can be dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.
>How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
With dcpromo /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server. After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.
>What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) role. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
>What is domain tree?
Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees.
Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.
>What is forests?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses.
>How to Select the Appropriate Restore Method?
You select the appropriate restore method by considering:
Circumstances and characteristics of the failure. The two major categories of failure, from an Active Directory perspective, are Active Directory data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers.
>What is Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.
>How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
>How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.
To find the GCs from the command line you can try using the DSQUERY command:
dsquery server -isgc to find all the GCs in the forest;
you can try dsquery server -forest -isgc.
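The repadmin /showreps output mentioned here and in the earlier "view all the GCs" question answers two questions at once: the "DSA Options: IS_GC" line says whether the DC is a global catalog, and the inbound neighbor list says whether any replication link is failing. The PowerShell below is an added example, not code from the original page: a parser for that output that extracts both. The output it is fed is constructed in the general shape repadmin prints; the site, server and domain names and the GUIDs are made up. On a live DC you would pass the real output with `-Lines (repadmin /showreps)`.

```powershell
# Added example (not from the original page): parse the output of
# 'repadmin /showreps' to answer two questions at once: is this DC a global
# catalog (the "DSA Options: IS_GC" line) and are any inbound replication
# links failing. The output below is constructed in the general shape
# repadmin prints; the site, server and domain names and GUIDs are made up.

function ConvertFrom-RepadminShowReps {
    param([string[]]$Lines)
    $server = $null; $isGc = $false; $partition = $null; $neighbor = $null
    $neighbors = New-Object System.Collections.Generic.List[object]
    foreach ($line in $Lines) {
        # First non-blank line is "Site\Server" of the DC being queried.
        if (-not $server -and $line -match '^\S+\\\S+$') { $server = $line.Trim(); continue }
        if ($line -match '^DSA Options:\s*(.*)$') { $isGc = ($Matches[1] -match '\bIS_GC\b'); continue }
        # A naming context header starts a new group of inbound neighbors.
        if ($line -match '^(DC=|CN=)') { $partition = $line.Trim(); continue }
        if ($line -match '^\s+(\S+\\\S+) via (\S+)\s*$') {
            $neighbor = [pscustomobject]@{
                Partition = $partition; Partner = $Matches[1]; Transport = $Matches[2]
                LastAttempt = $null; Succeeded = $null; ConsecutiveFailures = 0
            }
            $neighbors.Add($neighbor); continue
        }
        if ($neighbor -and $line -match 'Last attempt @ (\S+ \S+) was successful') {
            $neighbor.LastAttempt = $Matches[1]; $neighbor.Succeeded = $true; continue
        }
        if ($neighbor -and $line -match 'Last attempt @ (\S+ \S+) failed') {
            $neighbor.LastAttempt = $Matches[1]; $neighbor.Succeeded = $false; continue
        }
        if ($neighbor -and $line -match '(\d+) consecutive failure') {
            $neighbor.ConsecutiveFailures = [int]$Matches[1]
        }
    }
    [pscustomobject]@{ Server = $server; IsGlobalCatalog = $isGc; Neighbors = $neighbors }
}

# Constructed repadmin /showreps output: one healthy partner, one failing one.
$sample = @(
    'Default-First-Site-Name\DC1',
    'DSA Options: IS_GC',
    'Site Options: (none)',
    'DSA object GUID: 11111111-1111-1111-1111-111111111111',
    'DSA invocationID: 22222222-2222-2222-2222-222222222222',
    '',
    '==== INBOUND NEIGHBORS ======================================',
    '',
    'DC=corp,DC=example,DC=com',
    '    Default-First-Site-Name\DC2 via RPC',
    '        DSA object GUID: 33333333-3333-3333-3333-333333333333',
    '        Last attempt @ 2024-06-01 10:00:00 was successful.',
    '',
    'CN=Configuration,DC=corp,DC=example,DC=com',
    '    Branch-Site\DC3 via RPC',
    '        DSA object GUID: 44444444-4444-4444-4444-444444444444',
    '        Last attempt @ 2024-06-01 10:00:05 failed, result 1722 (0x6ba):',
    '            The RPC server is unavailable.',
    '        3 consecutive failure(s).',
    '        Last success @ 2024-05-31 22:00:00.'
)

$report = ConvertFrom-RepadminShowReps -Lines $sample
'{0}: global catalog = {1}' -f $report.Server, $report.IsGlobalCatalog
$report.Neighbors |
    Where-Object { $_.Succeeded -eq $false } |
    Format-Table Partition, Partner, Transport, LastAttempt, ConsecutiveFailures -AutoSize
```

Running this on a schedule against every DC and alerting on any neighbor with Succeeded set to false, or on a rising ConsecutiveFailures count, catches replication breakage long before it reaches the tombstone lifetime and turns into lingering objects.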
> What are the physical components of Active Directory?
Domain controllers and Sites. Domain controllers are physical computers which run the Windows Server operating system and the Active Directory database. Sites are network segments based on geographical location, and each site contains multiple domain controllers.
> What are the logical components of Active Directory?
Domains, Organizational Units, trees and forests are logical components of Active Directory.
> What are the Active Directory Partitions?
The Active Directory database is divided into different partitions such as the Schema partition, Domain partition, and Configuration partition. Apart from these partitions, we can create Application partitions based on the requirement.
> What is the feature of Domain Local Group?
Domain local groups are mainly used for granting access to network resources. A Domain local group can contain accounts from any domain, global groups from any domain and universal groups from any domain. For example, if you want to grant permission to a printer located at Domain A to 10 users from Domain B, then create a Global group in Domain B and add all 10 users into that Global group. Then, create a Domain local group at Domain A, and add the Global group of Domain B to the Domain local group of Domain A; then, add the Domain local group of Domain A to the security ACL of the printer (of Domain A).
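The printer scenario above, and the group scope rules in the earlier "Explain about the group scopes in AD" answer, amount to a set of nesting rules that a membership plan either satisfies or not. The PowerShell below is an added example, not code from the original page: it encodes those rules as a check and runs the printer plan through it, including two steps that the rules reject. Domain names (A, B), group names and user names are constructed. The universal rule is written as users, global and universal groups from any domain, since domain local groups cannot be nested in universal groups.

```powershell
# Added example (not from the original page): the membership rules that the
# text gives for each group scope, encoded as a check that can be run over a
# planned set of memberships, then applied to the printer scenario above
# (users in Domain B, printer in Domain A). Domain and group names are
# constructed. Rules used:
#   Global       - users and global groups, only from the group's own domain
#   Domain Local - users, global and universal groups from any domain
#   Universal    - users, global and universal groups from any domain
#                  (domain local groups cannot be nested in universal groups)

function Test-GroupMembership {
    param(
        [hashtable]$Group,    # @{ Name; Domain; Scope = 'Global'|'DomainLocal'|'Universal' }
        [hashtable]$Member    # @{ Name; Domain; Type  = 'User'|'Global'|'DomainLocal'|'Universal' }
    )
    $sameDomain = ($Group.Domain -eq $Member.Domain)
    switch ($Group.Scope) {
        'Global'      { return (($Member.Type -in @('User', 'Global')) -and $sameDomain) }
        'DomainLocal' { return ($Member.Type -in @('User', 'Global', 'Universal')) }
        'Universal'   { return ($Member.Type -in @('User', 'Global', 'Universal')) }
    }
    return $false
}

function Test-MembershipPlan {
    param([object[]]$Plan)   # each step: @{ Group = <group hashtable>; Member = <member hashtable> }
    foreach ($step in $Plan) {
        [pscustomobject]@{
            Group   = '{0}\{1} ({2})' -f $step.Group.Domain, $step.Group.Name, $step.Group.Scope
            Member  = '{0}\{1} ({2})' -f $step.Member.Domain, $step.Member.Name, $step.Member.Type
            Allowed = Test-GroupMembership -Group $step.Group -Member $step.Member
        }
    }
}

# AGDLP for the printer scenario: Accounts -> Global group (Domain B)
# -> Domain Local group (Domain A) -> Permission on the printer's ACL.
$gPrinterUsers = @{ Name = 'G-PrinterUsers'; Domain = 'B'; Scope = 'Global' }
$dlPrinter     = @{ Name = 'DL-Printer1';    Domain = 'A'; Scope = 'DomainLocal' }

$plan = @(
    @{ Group = $gPrinterUsers; Member = @{ Name = 'user01';         Domain = 'B'; Type = 'User' } },
    @{ Group = $gPrinterUsers; Member = @{ Name = 'user02';         Domain = 'A'; Type = 'User' } },        # user from the other domain
    @{ Group = $dlPrinter;     Member = @{ Name = 'G-PrinterUsers'; Domain = 'B'; Type = 'Global' } },
    @{ Group = $gPrinterUsers; Member = @{ Name = 'DL-Printer1';    Domain = 'A'; Type = 'DomainLocal' } }  # nesting in the wrong direction
)
Test-MembershipPlan -Plan $plan | Format-Table -AutoSize
# The final step, granting DL-Printer1 permission on the printer's security
# ACL, is done on the resource itself and is not a group membership.
```

Checking a plan this way before touching the directory keeps the permission path readable (account, global group, domain local group, resource), which is what makes later access reviews of the printer's ACL tractable.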
> How will you take Active Directory backup?
Active Directory is backed up along with System State data. System state data includes Local registry, COM+, Boot files, NTDS.DIT and SYSVOL folder. System state can be backed up either using Microsoft's default NTBACKUP tool or third party tools such as Symantec NetBackup, IBM Tivoli Storage Manager etc.
> What is the Lost and Found Container?
In the multimaster replication method, replication conflicts can happen. Objects with replication conflicts will be stored in a container called the 'Lost and Found' container. This container is also used to store orphaned user accounts and other objects.
> Do we use clustering in Active Directory? Why?
No one installs Active Directory in a cluster. There is no need of clustering a domain controller, because Active Directory provides total redundancy with two or more servers.
I hat is Active Directory (ecycle :in B
Active Directory (ecycle bin is a feature of indows 1erver "##G AD. It helps to restore
accidentally deleted Active Directory objects without using a backed up AD database, rebooting
domain controller or restarting any services.
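Enabling the Recycle Bin and restoring a deleted object with it, as an added example that is not part of the original page. It uses the ActiveDirectory module; the account name jdoe is a placeholder. Enabling the feature is one-way, and Enable-ADOptionalFeature refuses if the forest functional level is below Windows Server 2008 R2.

```powershell
# Added example: enable the AD Recycle Bin, then restore a deleted user without a backup.
# Account name is a placeholder (assumption).
Import-Module ActiveDirectory

$forest = Get-ADForest
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    # One-way operation: once enabled it cannot be turned off again
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# Deleted objects are hidden from normal queries; ask for them explicitly
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jdoe"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, msDS-LastKnownRDN
$deleted | Select-Object Name, lastKnownParent, whenChanged

# Restore to the original container (or -TargetPath for a different one). No reboot, no
# authoritative restore, and the object keeps its SID, attributes and group memberships,
# which a re-created account would not.
$deleted | Restore-ADObject
```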
> What is RODC? Why do we configure RODC?
A Read Only Domain Controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC is a read-only copy of the Active Directory database, and it can be deployed in a remote branch office where physical security cannot be guaranteed. An RODC provides improved security and faster logon time for the branch office.
> How do you check the current forest and domain functional levels? Say both GUI and command line.
To find out forest and domain functional levels in GUI mode, open ADUC, right-click on the domain name and take Properties. Both domain and forest functional levels will be listed there. To find out forest and domain functional levels from the command line, you can use the DSQUERY command.
> Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos 5.
> Name a few port numbers related to Active Directory.
Kerberos 88, LDAP 389, DNS 53, SMB 445.
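A reachability check for the ports listed above, as an added example (not from the original page). The DC name is a placeholder; Test-NetConnection needs Windows 8 / Server 2012 or later.

```powershell
# Added example: check that a domain controller answers on the AD ports listed above.
# $dc is a placeholder (assumption). Test-NetConnection only completes a TCP handshake,
# so "open" means reachable, not that the service behind the port is healthy.
$dc = 'dc1.corp.example'
$ports = [ordered]@{ Kerberos = 88; LDAP = 389; DNS = 53; SMB = 445 }

$results = foreach ($svc in $ports.Keys) {
    $t = Test-NetConnection -ComputerName $dc -Port $ports[$svc] -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $svc; Port = $ports[$svc]; TcpOpen = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# DNS normally runs over UDP, which a TCP connect does not prove; ask the service a real question
Resolve-DnsName -Name $dc -Server $dc -Type A

# LDAP: an anonymous rootDSE read is allowed on every DC, so it is a credential-free liveness probe
([adsi]"LDAP://$dc/RootDSE").defaultNamingContext
```

A firewall that passes the TCP handshake but drops the payload shows as "open" here while clients still fail; the Resolve-DnsName and rootDSE lines exist precisely to catch that case.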
> What is an FQDN?
FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of the domain name system which points to a device in the domain at its leftmost end. For example in system.
> How many objects can be created in Active Directory? (both 2003 and 2008)
As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
> Which FSMO role directly impacts the consistency of Group Policy?
PDC Emulator.
> I want to promote a new additional Domain Controller in an existing domain. Which groups should I be a member of?
You should be a member of the Enterprise Admins group or the Domain Admins group. Also, you should be a member of the local Administrators group of the member server which you are going to promote as an additional Domain Controller.
> Tell me the easiest way to check all the 5 FSMO roles.
Use the netdom query /domain:YourDomain FSMO command. It will list all the FSMO role-holding domain controllers.
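The command-line side of the functional-level and FSMO questions above, as an added example that is not from the original page. It uses the ActiveDirectory module (RSAT or a DC, Server 2008 R2 or later is assumed) together with the netdom and dsquery tools the answers name; the domain is read from the machine running it.

```powershell
# Added example: functional levels and FSMO role holders from the command line.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Functional levels (ADUC > domain Properties shows the same two values)
[pscustomobject]@{
    Forest = $forest.Name;    ForestMode = $forest.ForestMode
    Domain = $domain.DNSRoot; DomainMode = $domain.DomainMode
} | Format-List

# FSMO holders: two forest-wide roles live on the forest object, three domain-wide on the domain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator          # the one Group Policy editing depends on
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Same data from the classic tools named in the answers above
netdom query /domain:$($domain.DNSRoot) fsmo
$cfg = (Get-ADRootDSE).configurationNamingContext
dsquery * "$($domain.DistinguishedName)" -scope base -attr msDS-Behavior-Version   # domain level
dsquery * "CN=Partitions,$cfg" -scope base -attr msDS-Behavior-Version             # forest level
```

dsquery returns msDS-Behavior-Version as a number (0 = Windows 2000, 2 = 2003, 3 = 2008, 4 = 2008 R2 and so on), whereas Get-ADForest/Get-ADDomain already translate it to a name such as Windows2008R2Forest.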
>What is Realm trust ?
Use realm trusts to form a trust relationship between a non-Windows Kerberos realm
and an Active Directory domain.
Windows DNS Server Interview Questions
>What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.
>What is the port number of DNS?
53.
>What is a Forward Lookup?
Resolving host names to IP addresses.
>What is Reverse Lookup?
It's a file that contains host-name-to-IP mapping information.
>What is a Resource Record?
It is a record that provides information about the resources available in the network infrastructure.
>What are the different DNS roles?
Standard Primary, Standard Secondary, & AD Integrated.
>What is a Zone?
A zone is a subtree of the DNS database.
>Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create?
PTR records.
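Creating the reverse lookup zone and its PTR records, as an added example that is not part of the original page. It assumes the DnsServer module on the DNS server (Windows Server 2012 or later); the 10.0.1.0/24 network and host names are constructed placeholders.

```powershell
# Added example: reverse lookup zone for 10.0.1.0/24 plus PTR records for two hosts.
# Addresses and names are constructed placeholders.
Import-Module DnsServer

# The zone name is derived from the network: 10.0.1.0/24 -> 1.0.10.in-addr.arpa.
# AD-integrated with Secure dynamic updates, so only authenticated hosts can register PTRs.
Add-DnsServerPrimaryZone -NetworkId '10.0.1.0/24' -ReplicationScope Domain -DynamicUpdate Secure

$zone = '1.0.10.in-addr.arpa'
# The record name is the host part of the address; the target is the FQDN with a trailing dot
Add-DnsServerResourceRecordPtr -ZoneName $zone -Name '10' -PtrDomainName 'dc1.corp.example.'
Add-DnsServerResourceRecordPtr -ZoneName $zone -Name '25' -PtrDomainName 'web1.corp.example.'

# Verify both directions agree: forward name -> address -> name must round-trip
Resolve-DnsName -Name 10.0.1.10 -Type PTR
Get-DnsServerResourceRecord -ZoneName $zone -RRType Ptr |
    Select-Object HostName, @{n='Target';e={$_.RecordData.PtrDomainName}}
```

Services that check reverse resolution (as in the question above) compare the PTR target with the forward A record, so a PTR whose name does not resolve back to the same address is rejected just like a missing one.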
>SOA records must be included in every zone. What are they used for?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.
>By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address?
It performs a recursive search through the primary DNS server based on the network interface configuration.
> What is a primary, secondary, stub & AD Integrated Zone?
Primary Zone: a zone which is saved as a normal text file with filename (.dns) in the DNS folder. It maintains a read/write copy of the zone database.
Secondary Zone: maintains a read-only copy of the zone database on another DNS server. Provides fault tolerance and load balancing by acting as a backup server to the primary server.
Stub Zone: contains a copy of the name server and SOA records, used for reducing the DNS search order. Provides fault tolerance and load balancing.
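An inventory of the zone types just described together with a read of a zone's SOA record, as an added example that is not from the original page. It assumes the DnsServer module; the server and zone names are placeholders.

```powershell
# Added example: list zone types on a DNS server and read one zone's SOA.
# Server and zone names are placeholders (assumptions).
Import-Module DnsServer
$server = 'dc1.corp.example'

# ZoneType is Primary, Secondary, Stub or Forwarder; IsDsIntegrated marks AD-integrated zones
Get-DnsServerZone -ComputerName $server |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate |
    Format-Table -AutoSize

# The SOA fields named in the answer above. Secondaries compare SerialNumber with their copy
# and only transfer when the primary's is higher, so a serial that never increments silently
# leaves secondaries stale.
$soa = Get-DnsServerResourceRecord -ComputerName $server -ZoneName 'corp.example' -RRType Soa
[pscustomobject]@{
    PrimaryServer     = $soa.RecordData.PrimaryServer
    ResponsiblePerson = $soa.RecordData.ResponsiblePerson   # mailbox, with '@' written as '.'
    SerialNumber      = $soa.RecordData.SerialNumber
    Refresh           = $soa.RecordData.RefreshInterval
    Retry             = $soa.RecordData.RetryDelay
    Expire            = $soa.RecordData.ExpireLimit
    MinimumTTL        = $soa.RecordData.MinimumTimeToLive
    RecordTTL         = $soa.TimeToLive
} | Format-List
```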
> How do you manually create SRV records in DNS?
On Windows Server, go to Run ---> dnsmgmt.msc, right-click on the zone you want to add the SRV record to, choose "Other New Records" and choose Service Location (SRV).
> What is the main purpose of SRV records?
SRV records are used in locating hosts that provide certain network services.
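The same SRV record created from the command line instead of the dnsmgmt.msc dialog, as an added example that is not part of the original page. It assumes the DnsServer module; zone, service name, port and target host are constructed placeholders.

```powershell
# Added example: add an SRV record and read it back. Zone and host are placeholders.
Import-Module DnsServer
$zone = 'corp.example'

# Owner name is _service._protocol; the target host must already have an A/AAAA record,
# because SRV points at a name, never at an address.
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_ldap._tcp' `
    -DomainName 'dc1.corp.example.' -Priority 0 -Weight 100 -Port 389
# Equivalent with the classic tool:  dnscmd /RecordAdd corp.example _ldap._tcp SRV 0 100 389 dc1.corp.example.

# Clients try the lowest Priority first; Weight splits load among equal-priority targets
Get-DnsServerResourceRecord -ZoneName $zone -Name '_ldap._tcp' -RRType Srv |
    Select-Object HostName,
                  @{n='Target';  e={$_.RecordData.DomainName}},
                  @{n='Port';    e={$_.RecordData.Port}},
                  @{n='Priority';e={$_.RecordData.Priority}},
                  @{n='Weight';  e={$_.RecordData.Weight}}
```

Hand-added SRV records have no aging timestamp, so they survive scavenging; that is desirable for a record you own, but it also means a stale manual entry pointing at a decommissioned host is never cleaned up automatically.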
> Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure?
The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates.
> Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients?
The zone to be used for dynamic updates must be configured to allow dynamic updates. The DHCP server must support, and be configured to allow, dynamic updates for legacy clients.
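Diagnosing and fixing the missing-SRV-records failure described in the two questions above, as an added example that is not from the original page. It assumes the DnsServer module on the DC that also runs DNS; the zone name is a placeholder.

```powershell
# Added example: check whether the AD zone accepts dynamic updates, fix it securely,
# then make the DC re-register its Locator records. Zone name is a placeholder.
Import-Module DnsServer
$zone = 'corp.example'   # named like the AD domain (assumption)

$z = Get-DnsServerZone -Name $zone
"$($z.ZoneName): type=$($z.ZoneType) adIntegrated=$($z.IsDsIntegrated) dynamicUpdate=$($z.DynamicUpdate)"

if ($z.DynamicUpdate -eq 'None') {
    # 'Secure' (Kerberos-authenticated updates only) exists only for AD-integrated zones.
    # A file-backed primary can offer just NonsecureAndSecure, which lets any host on the
    # network overwrite any record. Convert first, then require secure updates.
    if (-not $z.IsDsIntegrated) {
        ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -Force
    }
    Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
}

# Ask Netlogon on this DC to register its SRV/A records now instead of waiting for its cycle
nltest /dsregdns

# The domain-wide LDAP locator record should now be present
Get-DnsServerResourceRecord -ZoneName $zone -Name '_ldap._tcp' -RRType Srv
```

With Secure updates, each dynamically registered record is owned by the computer account that created it, so one machine cannot silently replace another's record; that ownership is also what later makes the records eligible for scavenging.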
> At some point during the name resolution process, the requesting party received an authoritative reply. Which further actions are likely to be taken after this reply?
After receiving the authoritative reply, the resolution process is effectively over.
> Name 3 benefits of using AD-integrated zones.
Active Directory integrated DNS enables Active Directory storage and replication of DNS zone databases. Windows 2000 DNS server, the DNS server that is included with Windows 2000 Server, accommodates storing zone data in Active Directory.
When you configure a computer as a DNS server, zones are usually stored as text files on name servers; that is, all of the zones required by DNS are stored in a text file on the server computer. These text files must be synchronized among DNS name servers by using a system that requires a separate replication topology and schedule, called a zone transfer. However, if you use Active Directory integrated DNS when you configure a domain controller as a DNS name server, zone data is stored as an Active Directory object and is replicated as part of domain replication.
>What are the benefits and scenarios of using Stub zones?
Understanding stub zones
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone.
A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of:
- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone. The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.
Use stub zones to:
- Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server hosting both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
- Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers without needing to query the Internet or an internal root server for the DNS namespace.
- Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones and are not an alternative when considering redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
- The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
- The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records. When a DNS server loads a stub zone, such as widgets.example.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.example.com. The list of master servers may contain a single server or multiple servers and can be changed at any time.
>What are the benefits and scenarios of using Conditional Forwarding?
Rather than having a DNS server forward all queries it cannot resolve to forwarders, the DNS server can forward queries for different domain names to different DNS servers according to the specific domain names that are contained in the queries. Forwarding according to these domain-name conditions improves conventional forwarding by adding a second condition to the forwarding process.
A conditional forwarder setting consists of a domain name and the IP address of one or more DNS servers. To configure a DNS server for conditional forwarding, a list of domain names is set up on the Windows Server 2003-based DNS server along with the DNS server IP address. When a DNS client or server performs a query operation against a Windows Server 2003-based DNS server that is configured for forwarding, the DNS server looks to see if the query can be resolved by using its own zone data or the zone data that is stored in its cache, and then, if the DNS server is configured to forward for the domain name that is designated in the query (a match), the query is forwarded to the IP address of a DNS server that is associated with the domain name. If the DNS server has no domain name listed for the name that is designated in the query, it attempts to resolve the query by using standard recursion.
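Both mechanisms described in the two answers above (a stub zone and a conditional forwarder) configured side by side, as an added example that is not from the original page. It assumes the DnsServer module; widgets.example.com, partner.example and the server addresses are constructed placeholders.

```powershell
# Added example: stub zone versus conditional forwarder for namespaces this server does
# not host. Names and addresses are constructed placeholders.
Import-Module DnsServer

# Stub zone: this server copies only SOA, NS and glue A for widgets.example.com from the
# master servers, then recurses to those NS hosts itself. Stored in AD so every DC/DNS gets it.
Add-DnsServerStubZone -Name 'widgets.example.com' -MasterServers 192.0.2.53, 192.0.2.54 `
    -ReplicationScope Forest
Get-DnsServerResourceRecord -ZoneName 'widgets.example.com' |
    Select-Object HostName, RecordType, TimeToLive   # only SOA, NS and glue A should appear

# Conditional forwarder: queries for partner.example go to these servers instead of the
# general forwarders or root hints; no zone data is copied and the answer comes from
# the partner server's cache, on its terms.
Add-DnsServerConditionalForwarderZone -Name 'partner.example' `
    -MasterServers 198.51.100.10, 198.51.100.11 -ReplicationScope Forest -ForwarderTimeout 5

# Both show up as zones; ZoneType tells them apart
Get-DnsServerZone | Where-Object { $_.ZoneName -in 'widgets.example.com', 'partner.example' } |
    Select-Object ZoneName, ZoneType, MasterServers
```

The practical difference: a stub zone follows the other side's NS changes automatically because it re-reads the NS set from the masters, while a conditional forwarder's address list is static and must be maintained by hand; in exchange the forwarder works even when the partner's authoritative servers are not reachable from your network.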
> What are the requirements from DNS to support AD?
When you install Active Directory on a member server, the member server is promoted to a domain controller. Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain IP addresses of domain controllers. During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS; they are necessary for the successful functioning of the domain controller locator (Locator) mechanism.
To find domain controllers in a domain or forest, a client queries DNS for the SRV and A DNS resource records of the domain controller, which provide the client with the names and IP addresses of the domain controllers. In this context, the SRV and A resource records are referred to as Locator DNS resource records.
When adding a domain controller to a forest, you are updating a DNS zone hosted on a DNS server with the Locator DNS resource records and identifying the domain controller. For this reason, the DNS zone must allow dynamic updates (RFC 2136) and the DNS server hosting that zone must support the SRV resource records (RFC 2782) to advertise the Active Directory directory service. For more information about RFCs, see DNS RFCs.
If the DNS server hosting the authoritative DNS zone is not a server running Windows 2000 or Windows Server 2003, contact your DNS administrator to determine if the DNS server supports the required standards. If the server does not support the required standards, or the authoritative DNS zone cannot be configured to allow dynamic updates, then modification is required to your existing DNS infrastructure.
For more information, see Checklist: Verifying DNS before installing Active Directory and Using the Active Directory Installation Wizard.
Important
The DNS server used to support Active Directory must support SRV resource records for the Locator mechanism to function. For more information, see Managing resource records. It is recommended that the DNS infrastructure allows dynamic updates of Locator DNS resource records (SRV and A) before installing Active Directory, but your DNS administrator may add these resource records manually after installation. After installing Active Directory, these records can be found on the domain controller in the following location:
systemroot\System32\Config\Netlogon.dns
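A client-side check of the Locator records discussed above, compared with what the DC itself tries to register, as an added example that is not from the original page. The domain and site names are placeholders; Resolve-DnsName needs Windows 8 / Server 2012 or later, and the Netlogon.dns read only works on the DC.

```powershell
# Added example: verify the Locator SRV records a client needs to find domain controllers.
# Domain and site names are placeholders (assumptions).
$domain = 'corp.example'
$site   = 'Default-First-Site-Name'

$locatorNames = @(
    "_ldap._tcp.dc._msdcs.$domain"               # all DCs in the domain
    "_kerberos._tcp.dc._msdcs.$domain"           # KDCs
    "_ldap._tcp.$site._sites.dc._msdcs.$domain"  # DCs in this site (site-aware logon)
    "_gc._tcp.$domain"                           # global catalog servers
)
foreach ($n in $locatorNames) {
    $srv = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) { "MISSING  $n"; continue }
    foreach ($r in ($srv | Where-Object Type -eq 'SRV')) {
        "{0,-8} {1} -> {2}:{3}" -f 'OK', $n, $r.NameTarget, $r.Port
    }
}

# On the DC itself: Netlogon.dns is the list of records this DC attempts to register.
# Anything listed here but MISSING above points at a zone/update problem, not at the DC.
Get-Content "$env:SystemRoot\System32\Config\Netlogon.dns" |
    Select-String '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs'
```

A MISSING site-specific record with the domain-wide ones present is the classic symptom of a DC whose IP subnet is not mapped to its site: clients still log on, but to whatever DC they find first rather than the local one.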
> What does a zone consist of & why do we require a zone?
A zone consists of resource records, and we require a zone for representing sites.
> What is a Caching Only Server?
When we install a 2000 & 2003 server it is configured as a caching-only server, where it maintains the frequently accessed sites' information, and when we access the same site the next time it is obtained from the cached information instead of going to the actual site.
> What is a forwarder?
When one DNS server can't resolve a query, it can be forwarded to another DNS server once that is configured as a forwarder.
> What is a secondary DNS Server?
It is a backup for the primary DNS, where it maintains a read-only copy of the DNS database.
> How to enable Dynamic updates in DNS?
Start > Programs > Admin Tools > DNS > Zone properties.
> What are the properties of a DNS server?
INTERFACES, FORWARDERS, ADVANCED, ROUTINGS, SECURITY, MONITORING, LOGGING, DEBUG LOGGING.
> Properties of a Zone?
General, SOA, NAMESERVER, WINS, Security, and ZONE Transfer.
> What is scavenging?
Finding and deleting unwanted records.
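Scavenging configured end to end (zone aging, the server-side scavenging setting and a manual run), as an added example that is not part of the original page. It assumes the DnsServer module; the zone name is a placeholder.

```powershell
# Added example: enable aging on a zone and scavenging on the server, preview what would
# be removed, then run scavenging once. Zone name is a placeholder (assumption).
Import-Module DnsServer
$zone = 'corp.example'

# Aging must be on for the zone, otherwise dynamically registered records never get timestamps
Get-DnsServerZoneAging -Name $zone

# No-refresh 7d + refresh 7d: a record becomes eligible 14 days after its last refresh.
# Keep that sum longer than the DHCP lease, or live hosts lose their records between renewals.
Set-DnsServerZoneAging -Name $zone -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# Scavenging is a per-server setting; only servers with it enabled ever delete anything
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
Get-DnsServerScavenging

# Preview: records with a Timestamp older than both intervals. Static (hand-made) records have
# no timestamp and are never scavenged, which is why they do not show up here.
Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt (Get-Date).AddDays(-14) } |
    Select-Object HostName, Timestamp, @{n='IP';e={$_.RecordData.IPv4Address}}

Start-DnsServerScavenging -Force   # run now instead of waiting for the interval
```

Stale records are not just clutter: a dangling A record for a retired host name keeps pointing at an address that may later be handed to a different machine, so scavenging is part of keeping name-to-host bindings trustworthy.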
> What are SRV records?
SRV are the service records; there are 6 service records. They are useful for locating the services.
> What are the types of SRV records?
MSDCS: Contains DCs information.
TCP: Contains Global Catalog, Kerberos & LDAP information.
UDP: Contains Sites information.
Sites: Contains Sites information.
Domain DNS Zone: Contains the domain's DNS-specific information.
Forest DNS Zone: Contains the forest's specific information.
> Where does a Host File Reside?
c:\windows\system32\drivers\etc.
> What is SOA?
Start of Authority: useful when a zone starts. Provides the zone startup information.
> What is a query?
A request made by the DNS client to provide the name server information.
> What are the different types of Queries?
Recursion, iteration.
> Tools for troubleshooting DNS?
DNS Console, NSLOOKUP, DNSCMD, IPCONFIG, Logs.
> What is a WINS server? Where do we use a WINS server? What is the difference between DNS and WINS?
WINS is Windows Internet Name Service, used to resolve the NetBIOS (computer name) name to an IP address. This is proprietary to Windows. You can use it in a LAN. DNS is the Domain Naming System, which resolves host names to IP addresses. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names.
> What is new in Windows Server 2003 regarding DNS management?
When DC promotion occurs within an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory.
If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.
> How do I clear the DNS cache on the DNS server?
Go to the cmd prompt and type ipconfig /flushdns.
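The client-side and server-side caches shown next to each other, as an added example that is not from the original page. It assumes the DnsClient and DnsServer modules (Windows Server 2012 or later) and is run on the DNS server itself.

```powershell
# Added example: ipconfig /flushdns empties the *client* resolver cache of the machine it runs
# on; the DNS Server service keeps a separate cache with its own commands.
Import-Module DnsServer

# Client side: what this machine's own resolver has cached, then clear it
Get-DnsClientCache | Select-Object -First 5 -Property Entry, Data, TimeToLive
Clear-DnsClientCache         # same effect as ipconfig /flushdns

# Server side: the cache that answers every client pointing at this server
Show-DnsServerCache | Select-Object -First 10 -Property HostName, RecordType, TimeToLive
Clear-DnsServerCache -Force  # same effect as dnscmd /clearcache
```

A wrong or poisoned answer that clients keep receiving lives in the server cache, so flushing the resolver cache on the server machine does nothing for them; Show-DnsServerCache is where to look and Clear-DnsServerCache is what actually helps.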
> What is the "." zone in my forward lookup zone?
This setting designates the Windows 2000 or Windows Server 2003 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.
> Do I need to configure forwarders in DNS?
No. By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. Most of the time, when you configure forwarders, DNS performance and efficiency increase, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems.
The root hint servers can provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection. Windows Server 2003 DNS will query root hint servers if it cannot query the forwarders.
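Forwarders with root-hint fallback, plus the check for the "." zone from the previous answer, as an added example that is not part of the original page. It assumes the DnsServer module; the forwarder addresses are placeholders.

```powershell
# Added example: inspect and set server-level forwarders with root-hint fallback, and
# confirm no "." zone is making this server believe it is a root. Addresses are placeholders.
Import-Module DnsServer

Get-DnsServerForwarder   # current IPAddress list, UseRootHint, Timeout

# Two forwarders, 3 s each before moving on, then fall back to root hints
Set-DnsServerForwarder -IPAddress 192.0.2.1, 192.0.2.2 -Timeout 3 -UseRootHint $true

# The fallback only means something if root hints are actually present
(Get-DnsServerRootHint | Measure-Object).Count

# A "." zone makes the server authoritative for the root, so it never consults forwarders or
# root hints for external names. Nothing returned here is the healthy state.
Get-DnsServerZone | Where-Object { $_.ZoneName -eq '.' }

# End-to-end check from the server itself
Resolve-DnsName -Name 'www.example.com' -Server 127.0.0.1 -Type A
```

Whichever servers you forward to become part of your trust boundary: every external answer your clients receive now comes from their cache, so choose them as deliberately as any other upstream dependency.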
> What should I do if the domain controller points to itself for DNS, but the SRV records still do not appear in the zone?
Check for a disjointed namespace, and then run Netdiag.exe /fix.
You must install Support Tools from the Windows 2000 Server or Windows Server 2003 CD-ROM to run Netdiag.exe.
> How do I set up DNS for a child domain?
To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server.
Note: Windows Server 2003 has additional types of zones, such as Stub Zones and forest-level integrated Active Directory zones, that may be a better fit for your environment. Set the child domain controller to point to itself first. As soon as an additional domain controller is available, set the child domain controller to point to this domain controller in the child domain as its secondary.
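The child-domain procedure above carried out from the command line, as an added example that is not from the original page. It assumes the DnsServer and NetTCPIP modules (Windows Server 2012 or later); corp.example, the child name, the addresses and the interface alias are placeholders.

```powershell
# Added example: delegate a child domain from the parent zone, give the child DNS server a
# secondary copy of the parent zone, restrict transfers to it, and point the child DC at
# itself first. All names and addresses are placeholders (assumptions).
Import-Module DnsServer

# --- On the parent DNS server (10.0.1.10): delegation for child.corp.example
Add-DnsServerZoneDelegation -Name 'corp.example' -ChildZoneName 'child' `
    -NameServer 'dc1.child.corp.example' -IPAddress 10.0.2.10
Get-DnsServerZoneDelegation -Name 'corp.example'

# Only the child's server may pull the parent zone; open transfers expose the whole host
# inventory to anyone who asks.
Set-DnsServerPrimaryZone -Name 'corp.example' `
    -SecureSecondaries TransferToSecureServers -SecondaryServers 10.0.2.10

# --- On the child DNS server (10.0.2.10): secondary copy of the parent zone
Add-DnsServerSecondaryZone -Name 'corp.example' -ZoneFile 'corp.example.dns' -MasterServers 10.0.1.10
Start-DnsServerZoneTransfer -Name 'corp.example' -FullTransfer

# Child DC's own resolver: itself first, a second child DC once it exists
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.2.10, 10.0.2.11
```

As the note above says, a stub zone on the child (Add-DnsServerStubZone) can replace the secondary copy when the child only needs to find the parent's authoritative servers rather than hold the parent's entire record set.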