7) If a user object is deleted from Active Directory (Windows 2003), what should you do to restore it?
Reboot a domain controller into Directory Services Restore Mode (DSRM; this requires the specific DSRM password that was set during the setup of the DC), restore the data from backup, and then mark the restored object as authoritative using the ntdsutil command.
8) What is the AD garbage collector?
When an object is deleted in AD, it is not deleted immediately. Its isDeleted attribute is set to 1 and the object becomes a tombstone. The object is effectively deleted only after it has remained in this state for a period equal to the tombstone period.
The AD garbage collector is the process, running every 12 hours, that checks for tombstoned objects and effectively deletes those whose tombstone period is over.
9) What does FSMO stand for? Briefly describe the 5 FSMO roles.
In a forest there are at least five FSMO (Flexible Single Master Operation) roles, which are assigned to one or more domain controllers. The five FSMO roles are:
Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
Infrastructure Master: The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
10) A user account is regularly locked out. Explain what you would do to investigate and find
out the root cause.
11) You are performing the migration of resources from the AD domain sourcedom.net to the AD domain targetdom.com.
a. What would you do to ensure users from sourcedom.net are always able to resolve names from their former domain?
Configure the DNS suffix search order via a DHCP option or a GPO.
b. The file server SRCFPS002 holds a lot of files and folders the users need to access. What would you do to ensure the security is maintained once the users are migrated using ADMT/another migration tool?
Simply use ADMT/the migration tool.
c. The file server SRCFPS002 holds a lot of files and folders the users need to access. What would you do to ensure the security is maintained once the users are migrated, but their user accounts were created without using ADMT/another migration tool?
Create a name mapping file and use ADMT, subinacl or another tool to translate security.
12) Describe the different scopes of groups (Domain Local, Universal, Global).
Why can having global groups be an issue in the case of an AD migration?
If a global group GROUP_A contains another global group GROUP_B, the membership of GROUP_B will not be reflected when GROUP_A is migrated to the target domain.
13) At a remote location, you need to change the IP address of a server that is acting as Domain Controller, DNS, DHCP, and RADIUS server.
a. Explain the process you would follow to perform that task.
b. What other devices/applications need to be re-configured too?
a. Connect to the domain controller using an out-of-band interface (HP iLO, ...).
b. The following have to be adapted:
Clients/servers that refer to this server as their DNS server
DHCP authorization has to be re-created
RADIUS clients will certainly need to be re-configured
Routers: IP helper addresses
Senior Engineer Directory Services Questions for interview
14) Where can you find the RADIUS logging information on a Windows server?
C:\WINDOWS\system32\LogFiles
15) How can you interpret the following log entry?
10.146.176.192,jcasgbur\a3062208,07/25/2010,23:59:50,IAS,J700S001,4128,A622AP01,25,311 1 10.130.131.174 07/22/2010 12:00:38 718844,4132,Smart Card or other certificate,4130,ag.eu.jci.com/Sites/AGEU-Germany-Zwickau622/Service_Accounts/a3062208,4294967206,4,4294967207,2,6,2,7,1,4108,10.146.176.192,4116,9,4155,1,4154,Wireless Authentication,4129,JCASGBUR\a3062208,4127,5,4149,Wireless Access to Intranet,4136,2,4142,0
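As an added example (not part of the original document), a small Python parser for the IAS database-compatible log format: it splits the entry above into its six fixed columns and its attribute-ID/value pairs, then summarizes who authenticated, from which access point, with which method and policy, and with what result. The attribute-ID names and the packet-type and authentication-type codes are my recollection of the Microsoft IAS attribute table and are assumptions to verify against the documentation.

```python
import csv

# The first six columns of an IAS (ODBC-compatible) log line are fixed; the rest
# is a flat sequence of attribute-ID,value pairs.
HEADER = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name")
# Attribute IDs decoded here, per Microsoft's IAS log attribute table (an
# assumption of this example; verify against the documentation).
ATTR = {6: "Service-Type", 7: "Framed-Protocol", 25: "Class",
        4108: "Client-IP-Address", 4116: "NAS-Manufacturer",
        4127: "Authentication-Type", 4128: "Client-Friendly-Name",
        4129: "SAM-Account-Name", 4130: "Fully-Qualified-User-Name",
        4132: "EAP-Friendly-Name", 4136: "Packet-Type", 4142: "Reason-Code",
        4149: "Policy-Name", 4154: "Proxy-Policy-Name", 4155: "Provider-Type"}
PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request"}
AUTH_TYPE = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP"}

# The entry quoted in the question, rejoined onto one line (raw strings keep
# the backslash in the domain\user fields).
SAMPLE = (
    r"10.146.176.192,jcasgbur\a3062208,07/25/2010,23:59:50,IAS,J700S001,"
    r"4128,A622AP01,25,311 1 10.130.131.174 07/22/2010 12:00:38 718844,"
    r"4132,Smart Card or other certificate,"
    r"4130,ag.eu.jci.com/Sites/AGEU-Germany-Zwickau622/Service_Accounts/a3062208,"
    r"4294967206,4,4294967207,2,6,2,7,1,4108,10.146.176.192,4116,9,4155,1,"
    r"4154,Wireless Authentication,4129,JCASGBUR\a3062208,4127,5,"
    r"4149,Wireless Access to Intranet,4136,2,4142,0")

def parse_ias_line(line):
    """Split one IAS log line into its fixed header and a dict of attributes."""
    fields = next(csv.reader([line]))
    rec = dict(zip(HEADER, fields[:6]))
    pairs, attrs = fields[6:], {}
    for i in range(0, len(pairs) - 1, 2):
        if pairs[i].isdigit():  # IDs not in ATTR are kept under their number
            attrs[ATTR.get(int(pairs[i]), pairs[i])] = pairs[i + 1]
    rec["attributes"] = attrs
    return rec

def summarize(rec):
    """Who authenticated, from which NAS, how, under which policy, and the result."""
    a = rec["attributes"]
    auth = AUTH_TYPE.get(int(a.get("Authentication-Type", 0)), "unknown")
    if "EAP-Friendly-Name" in a:
        auth += " (" + a["EAP-Friendly-Name"] + ")"
    return {"user": a.get("SAM-Account-Name", rec["User-Name"]),
            "nas": a.get("Client-Friendly-Name", rec["NAS-IP-Address"]),
            "auth": auth, "policy": a.get("Policy-Name"),
            "outcome": PACKET_TYPE.get(int(a.get("Packet-Type", 0)), "unknown"),
            "reason_code": int(a.get("Reason-Code", -1))}
```

For the entry above, summarize(parse_ias_line(SAMPLE)) reports an EAP (Smart Card or other certificate) authentication of JCASGBUR\a3062208 through the access point A622AP01 under the policy "Wireless Access to Intranet", with Packet-Type 2 (Access-Accept) and Reason-Code 0.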
16) You need to find out the value of the userAccountControl of some AD user accounts.
What tool do you use to get the result?
What is this attribute used for?
The value of userAccountControl can be found using the ADSI Edit management console, using the Additional Account Info tab of the ADUC console, using ADSI scripting, the ldp.exe tool or any LDAP browser application.
This attribute shows the state of the user account (enabled, disabled, locked out, ...).
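As an added example (not from the original document), Python that decodes a raw userAccountControl value into its flag names and lists the settings an account audit should question; the bit values are those documented for the attribute and the sample accounts are constructed. One caveat worth knowing: AD does not maintain the LOCKOUT bit in this attribute for real lockouts, so lockout state has to be read from lockoutTime or from the computed attribute msDS-User-Account-Control-Computed.

```python
# Bit flags of the AD userAccountControl attribute (values as documented by
# Microsoft for the attribute).
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
# Flags that weaken an account's security posture and deserve review in an audit.
WEAK_FLAGS = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH",
              "USE_DES_KEY_ONLY", "ENCRYPTED_TEXT_PWD_ALLOWED",
              "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"}

def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value, lowest bit first."""
    value = int(value)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits outside the documented set
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names

def audit_account(sam, value):
    """Summarize one account: enabled or not, all flags, and the risky ones.
    Note: the LOCKOUT bit is not set by AD for real lockouts; use lockoutTime."""
    flags = decode_uac(value)
    return {"account": sam,
            "enabled": "ACCOUNTDISABLE" not in flags,
            "flags": flags,
            "weak": sorted(f for f in flags if f in WEAK_FLAGS)}

# Constructed sample values: 512 (0x200) is a plain enabled user, 514 a disabled
# user, 66048 (0x10200) a user whose password never expires, 0x400220 a user with
# no password required and Kerberos pre-authentication disabled.
SAMPLE_ACCOUNTS = {"alice": 512, "bob": 514, "svc_backup": 66048, "legacy": 0x400220}

def audit_all(accounts=SAMPLE_ACCOUNTS):
    return [audit_account(sam, value) for sam, value in accounts.items()]
```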
The script connects to the forest root and lists all subdomains in FQDN format.