
6/25/2015

System Administrator Interview Questions and Answers

I want to look at the RID allocation table for a DC. What do I do?
In a command prompt, type:
C:\>dcdiag /test:ridmanager /s:<dcname> /v
Here <dcname> is the name of the DC you want to inspect.
Labels: Active Directory

What is the difference between LDIFDE and CSVDE? Usage considerations?
Ldifde
Ldifde creates, modifies, and deletes directory objects on computers running Windows Server 2003
operating systems or Windows XP Professional. You can also use Ldifde to extend the schema,
export Active Directory user and group information to other applications or services, and populate
Active Directory with data from other directory services.

Labels: Active Directory

What are the DS* commands?
Microsoft included a set of command line tools with their server operating systems to allow better
and more productive management of the directory service. The DS commands are these tools:
simple commands with only a few parameters that increase the productivity of systems
administrators and help keep their Active Directory domains running in tip-top shape.

Labels: Active Directory

How would you find all users that have not logged on since last month?
You can use the DSQuery user command for this purpose. DS commands are used to retrieve
information from Active Directory through the command line. To use DSQuery, you must run
the DSQuery command from an elevated command prompt. To open an elevated command prompt,
click Start, right-click Command Prompt, and then click Run as administrator. The argument to
-inactive is a number of weeks, so 4 covers roughly the last month:
C:\>dsquery user -inactive 4
"CN=Service User,OU=IT,DC=nishantsoft,DC=com"
"CN=IT JOURNAL,OU=Management,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Dipak Khanna,OU=RC,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Amit Mishra,OU=RC,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Test Account,OU=Development,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Jeevan Singh,OU=Development,OU=Gurgaon,DC=nishantsoft,DC=com"
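The same stale-account search in PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module and read access to the domain; the cutoff of 4 weeks mirrors the dsquery command above.

```powershell
# Added example (not from the original page): PowerShell equivalent of
# "dsquery user -inactive 4" using the ActiveDirectory module.
Import-Module ActiveDirectory

$weeks  = 4
$cutoff = (Get-Date).AddDays(-7 * $weeks)
# lastLogonTimestamp is stored as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
$cutoffFt = $cutoff.ToFileTimeUtc()

# Filter server-side so the whole directory is not pulled over the wire:
# enabled accounts whose replicated logon stamp is older than the cutoff,
# or that have no stamp at all (never logged on to any DC).
$filter = "Enabled -eq 'True' -and (lastLogonTimestamp -lt $cutoffFt -or lastLogonTimestamp -notlike '*')"

# Caveat: lastLogonTimestamp is only refreshed when it is more than
# msDS-LogonTimeSyncInterval (default 14 days) old, so it can lag real
# activity by up to two weeks. That is fine for finding stale accounts,
# but it is not an audit trail; the per-DC lastLogon attribute is exact
# but is not replicated.
Get-ADUser -Filter $filter -Properties lastLogonTimestamp, whenCreated, pwdLastSet |
    # Accounts created after the cutoff have simply not had time to log on yet.
    Where-Object { $_.whenCreated -lt $cutoff } |
    Select-Object SamAccountName, DistinguishedName,
        @{ Name = 'LastLogonApprox'; Expression = {
               if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) }
               else { 'never' } } },
        @{ Name = 'PasswordLastSet'; Expression = {
               if ($_.pwdLastSet) { [DateTime]::FromFileTimeUtc($_.pwdLastSet) }
               else { 'never' } } } |
    Format-Table -AutoSize
```

Disabling or removing the accounts it lists shrinks the set of credentials an attacker could reuse unnoticed, which is why stale-account reviews belong on a recurring schedule.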
Labels: Active Directory

What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you
require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the
Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2
version (this is a minor change and mostly related to the new Dfs replication engine). To update the
schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second
CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows
2000 with SP2 (or later).
Labels: Active Directory, L2

What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
Check that Windows 2000 Service Pack 4 is installed on all the domain controllers and Exchange
servers. If it is not already installed, install it now. After that, run the Adprep.exe utility on the
Windows 2000 domain controllers currently holding the schema master and infrastructure master
roles. The adprep /forestprep command must first be issued on the Windows 2000 server holding
the schema master role in the forest root domain to prepare the existing schema to support Windows
2003 Active Directory.
Labels: Active Directory


What is the tombstone lifetime attribute?
The tombstone lifetime in an Active Directory forest determines how long a deleted object (a
tombstone) is retained in Active Directory. The tombstone lifetime is determined by the value of
the tombstoneLifetime attribute on the Directory Service object in the configuration directory
partition.
The tombstone lifetime assists in removing objects from replicated servers and prevents restores
from reintroducing a deleted object. When an object is deleted from Active Directory, it is
not physically removed from Active Directory for some days. Instead, Active Directory sets
the isDeleted attribute of the deleted object to TRUE and moves it to a special container
called Deleted Objects, where it is known as a tombstone.
The default tombstone lifetime is 60 days in Windows Server 2003,
but the default was changed in Windows Server 2003 SP1 and later to 180 days.
The tombstone lifetime is the same on all domain controllers, and a tombstone is deleted from
all the servers at the same time. This is because the expiration of a tombstone is based on
the time when the object was logically deleted from Active Directory, rather than the time when
it was received as a tombstone on a server through replication.
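Reading the effective value for a forest, as an added example that is not part of the original post. It assumes the ActiveDirectory module and read access to the configuration partition; the 60-day fallback for an unset attribute is Microsoft's documented default.

```powershell
# Added example (not from the original page): read the forest's effective
# tombstone lifetime. The attribute lives on the Directory Service object in
# the configuration partition and is absent in forests created before
# Windows Server 2003 SP1, where the 60-day default applies.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime

# A missing attribute is not zero: it means "use the built-in 60-day default".
$effective = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }
"tombstoneLifetime attribute: $($dsObject.tombstoneLifetime); effective lifetime: $effective days"

# A system-state backup older than the tombstone lifetime must not be restored
# onto a DC: objects deleted since then would return as lingering objects.
$oldestUsableBackup = (Get-Date).AddDays(-$effective)
"Oldest restorable system-state backup: $oldestUsableBackup"
```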
Labels: Active Directory

Name some OU design considerations.
The Group Policy architecture is flexible and allows for many types of design. The guiding principle
as you design your organizational unit structure should be to create a structure that is easy to
manage and troubleshoot.
Delegation of authority, separation of administrative duties, central versus distributed
administration, and design flexibility are important factors you'll need to consider when designing
Group Policy and selecting which scenarios to use for your organization.

Labels: Active Directory, Group Policy

What tool would I use to try to grab security related packets from the
wire?
A network tap is the best solution for grabbing data packets on a network. It is a hardware device which
provides a way to access the data flowing across a computer network. Computer networks,
including the Internet, are collections of devices, such as computers, routers, and switches, that
are connected to each other.
Network taps are commonly used for security applications because they are non-obtrusive, are not
detectable on the network, can deal with full-duplex and non-shared networks, and will usually
pass traffic through even if the tap stops working or loses power.


Labels: Networking, Wintel

Can I get user passwords from the AD database?
By default, user account passwords are stored as password hashes (a hash is a one-way function,
which means you cannot reverse it to get the plaintext). These hashes are stored in Active
Directory (the C:\Windows\NTDS\ntds.dit file on DCs). If you need to get user passwords, you have
to change the way they are stored in AD: you have to store passwords ciphered with a reversible
encryption algorithm.
To enable this option globally:
1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, right click on your domain and select
Properties.
3. In the Group Policy tab, select "Default Domain Policy" and click Edit.
4. In the Group Policy window, navigate to Password Policy in the left-panel Tree view: Computer
Configuration > Windows Settings > Security Settings > Account Policies > Password
Policy.
5. Right click on "Store password using reversible encryption for all users in the domain" and
select Security.
6. In the Security Policy Setting window, select the "Define this policy setting" checkbox and the
Enabled radio button. Click OK.
7. Close all applications and restart the computer, and log into your domain.
To enable this option for a specific user:
1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, right-click on the user and select
Properties.
3. In the Account tab, check "Store password using reversible encryption." Click OK.
4. Close all applications and restart the computer, and log into your domain.
When this is enabled (per user or for the entire domain), Windows stores the password encrypted,
but in such a way that it can reverse the encryption and recover the plaintext password. This
feature exists because some authentication protocols require the plaintext password to function
correctly; the two most common examples are HTTP Digest Authentication and CHAP.
Niels Teusink has done great research on it:
http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html

http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html
He also developed a nice tool called RevDump to decipher this encrypted password.
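Because a reversibly stored password is as good as plaintext to anyone who can read ntds.dit or a backup of it, the defender's question is where the setting is turned on. The audit below is an added example, not part of the original post; it assumes the ActiveDirectory module, and the userAccountControl bit it checks (ENCRYPTED_TEXT_PWD_ALLOWED, 0x80) is the one the per-user checkbox described above sets.

```powershell
# Added example (not from the original page): find every place reversible
# password storage is enabled so it can be turned off and the passwords reset.
Import-Module ActiveDirectory

# 1. Domain-wide setting, as pushed by the Default Domain Policy.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
"Domain-wide reversible encryption: $($domainPolicy.ReversibleEncryptionEnabled)"

# 2. Fine-grained password policies (2008+ forests) can re-enable it for a subset.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.ReversibleEncryptionEnabled } |
    ForEach-Object { "PSO '$($_.Name)' enables reversible encryption (precedence $($_.Precedence))" }

# 3. Per-user flag: ENCRYPTED_TEXT_PWD_ALLOWED (0x80) in userAccountControl,
#    set by "Store password using reversible encryption" on the Account tab.
$ENCRYPTED_TEXT_PWD_ALLOWED = 0x80
$flagged = Get-ADUser -Filter "userAccountControl -band $ENCRYPTED_TEXT_PWD_ALLOWED" `
                      -Properties userAccountControl, pwdLastSet

$flagged | Select-Object SamAccountName, DistinguishedName,
    @{ Name = 'PasswordLastSet'; Expression = {
           if ($_.pwdLastSet) { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } else { 'never' } } }

# Remediation (commented out deliberately): clearing the flag does not rewrite
# the stored value; the reversible copy only disappears once the user sets a
# new password, hence the forced change at next logon.
# $flagged | Set-ADUser -AllowReversiblePasswordEncryption $false -ChangePasswordAtLogon $true
```

The domain-wide and fine-grained policy settings are fixed in Group Policy and the PSO respectively, and the same "reset after disabling" rule applies to every account they covered.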
