
1. What is the difference between a Workgroup and a Domain?

• A domain has centralized control, whereas a workgroup has no centralized control.
• A domain network has a higher level of security than a workgroup.
• A domain network's implementation and maintenance cost is much lower than that of a workgroup.
• Time constraints are much lower than for a workgroup.
• The administrator has overall control of the network, whereas in a workgroup there is no such control.
2. How will you assign local administrator rights to a domain user?

Navigate to Local Users and Groups and add the domain user to the Administrators group on the local system.

3. How will you restrict user logon times in a domain?

Navigate to Active Directory Users and Computers, open the user's properties, select the logon times and restrict the user's logon times as needed.

4. What is the purpose of sysvol?


The sysvol folder stores the server's copy of the domain's public files. The contents
such as group policy, users, and groups of the sysvol folder are replicated to all
domain controllers in the domain. The sysvol folder must be located on an NTFS
volume.

5. What is an OU? Explain its uses.

An Organizational Unit is a set of Active Directory objects within a domain. It is used to model an organizational structure, to restrict users' visibility and to delegate control.
6. Explain the different editions of Windows Server 2003.

• Windows Server 2003, Standard Edition is aimed at small to medium-sized businesses. Standard Edition supports file and printer sharing, offers secure Internet connectivity, and allows centralized desktop application deployment.
• Windows Server 2003, Enterprise Edition is aimed at medium to large businesses. It is a full-function server operating system that supports up to eight processors and provides enterprise-class features and support for up to 32 GB of memory.
• Windows Server 2003, Web Edition is mainly for building and hosting Web applications, Web pages, and XML Web Services.
• Windows Server 2003, Datacenter Edition is the flagship of the Windows Server line and is designed for immense infrastructures demanding high security and reliability.
7. What is a DNS Server?

The Domain Name System (DNS) is used to resolve domain names to IP addresses and also to resolve IP addresses to domain names. It has two kinds of zones: Forward and Reverse Lookup Zones. A Forward Lookup Zone resolves domain names to IP addresses; a Reverse Lookup Zone resolves IP addresses to domain names. Some record types associated with DNS:

• An A record binds a name to an IP address.
• A PTR record binds an IP address to a name.
8. Why is a DNS server required for Active Directory?

The key reason for integrating DNS with AD is that client/server communication uses domain names, while the network needs IP addresses to reach a destination; a DNS server is needed to resolve those names to IP addresses. If the DNS server is not configured properly, the network becomes slow.
9. What is the purpose of A and PTR records?

• An A record (or Host record) is used to bind a name to an IP address.
• A PTR record is used to bind an IP address to a name.
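Added example (not from the page, and not any vendor's code): a small Python cross-check of a forward zone against its reverse zone, built on the A/PTR pairing described in Q7 and Q9. The zone records are constructed for the example; `ptr_name` uses the standard library's `ipaddress` module to build the in-addr.arpa (or ip6.arpa) owner name, and `check_zones` reports PTRs that are missing, point at the wrong host, or have no A record behind them, which is the kind of inconsistency that makes a reverse zone useless for tracing a client.

```python
import ipaddress

# Constructed sample zone data (not from the page): a forward zone's A records
# and the matching reverse zone's PTR records, as an administrator might export them.
A_RECORDS = {
    "dc1.corp.example.": "192.168.1.10",
    "dc2.corp.example.": "192.168.1.11",
    "fs1.corp.example.": "192.168.1.20",
}
PTR_RECORDS = {
    "10.1.168.192.in-addr.arpa.": "dc1.corp.example.",
    "11.1.168.192.in-addr.arpa.": "dc2.corp.example.",
    "20.1.168.192.in-addr.arpa.": "old-fs.corp.example.",  # stale: host was renamed
    "30.1.168.192.in-addr.arpa.": "ghost.corp.example.",   # no A record points here
}


def ptr_name(ip: str) -> str:
    """Reverse-lookup owner name for an IPv4 or IPv6 address.

    IPv4 reverses the octets under in-addr.arpa; IPv6 reverses the nibbles
    under ip6.arpa. The ipaddress module does the arithmetic for both.
    """
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_zones(a_records: dict, ptr_records: dict) -> dict:
    """Cross-check a forward zone against its reverse zone.

    Returns three lists:
      missing_ptr    - (host, ip) pairs with an A record but no PTR record
      mismatched_ptr - (ip, a_host, ptr_host) where the PTR names a different host
      orphan_ptr     - (ptr_name, host) PTR records that no A record justifies
    """
    findings = {"missing_ptr": [], "mismatched_ptr": [], "orphan_ptr": []}
    expected = {}
    for host, ip in a_records.items():
        rname = ptr_name(ip)
        expected[rname] = host
        target = ptr_records.get(rname)
        if target is None:
            findings["missing_ptr"].append((host, ip))
        elif target.lower() != host.lower():
            findings["mismatched_ptr"].append((ip, host, target))
    for rname, target in ptr_records.items():
        if rname not in expected:
            findings["orphan_ptr"].append((rname, target))
    return findings


if __name__ == "__main__":
    for kind, items in check_zones(A_RECORDS, PTR_RECORDS).items():
        print(kind, items)
```

On the sample data the check flags the stale PTR for 192.168.1.20 and the orphan PTR for 192.168.1.30; the two domain controllers pass. Running the same check against a real zone export is a cheap way to confirm that the reverse zone an AD-integrated DNS server maintains actually agrees with its forward zone.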
10. What is the purpose of a DHCP server?

A DHCP server is used to assign IP addresses automatically to all client computers. It is useful in a large enterprise network, where we may not be able to track IP addresses manually, and it is also used to avoid IP conflicts.

11. Explain Scope in a DHCP server.

A scope is the collective information used to assign IP addresses to clients. It contains information such as the IP address range, exclusion range, lease period, reservations, router IP address, DNS address, etc. Based on the scope configuration, DHCP allocates IP addresses to its clients.
12. Explain about Group Scopes?

13. How will you back up a DNS server?

Back up the directory "%SystemRoot%\System32\DNS".

14. How will you back up a DHCP server?

First method: back up the directory %SystemRoot%\System32\DHCP.

Alternate method: open the DHCP console, select the server, and use its backup and restore options for the DHCP database.

15. Explain APIPA.

A Windows-based computer that is configured to use DHCP can automatically assign itself an Internet Protocol (IP) address if a DHCP server is not available or does not exist. The Internet Assigned Numbers Authority (IANA) has reserved 169.254.0.0-169.254.255.255 for Automatic Private IP Addressing (APIPA).
16. Explain the AD database.

The Windows 2003 Active Directory data store, the actual database file, is %SystemRoot%\NTDS\NTDS.DIT. The AD database holds all information such as user accounts, groups, computer information, domain controller information, group policy, organizational units, etc.
17. Explain Group Policy.

Group policies are used by administrators to configure and control user environment settings. Group Policy Objects (GPOs) are used to configure group policies, which are applied to sites, domains, and organizational units (OUs). There is a maximum of 1000 applicable group policies.
18. What is the default time for group policy refresh interval time?
The default refresh interval for policies is 90 minutes. The default refresh interval for
domain controllers is 5 minutes. Group policy object's group policy refresh intervals
may be changed in the group policy object.

19. Explain Hidden Share.

Hidden or administrative shares are share names with a dollar sign ($) appended to
their names. Administrative shares are usually created automatically for the root of
each drive letter. They do not display in the network browse list.
20. What ports are used by DHCP and the DHCP clients?
The DHCP server listens on UDP port 67 and the client on UDP port 68.

21. How do I configure a client machine to use a specific IP Address?

By reserving an IP Address using client machine MAC or Physical address.


22. Name 3 benefits of using AD-integrated zones.
• AD-integrated zones allow Secure Dynamic Updates, i.e. there will not be any duplicate or unwanted records, since all the information is validated in Active Directory.
• By creating an AD-integrated zone you can also trace hackers and spammers by creating a reverse zone.
• AD-integrated zones are stored as part of Active Directory and support domain-wide or forest-wide replication through application partitions in AD.
23. How do you back up and restore AD?
Use the Windows NTBackup utility. Selecting System State in the backup includes the Active Directory backup. Restore it the same way using the NTBackup utility.

24. How do you change the DS Restore admin password?

Using NTDSUTIL tool.

25. How can you forcibly remove AD from a server?

Using the command dcpromo /forceremoval


26. What will be the problem if the DNS server fails?
If your DNS server fails, no client will be able to reach the domain controller, which will create authentication and control issues.

27. How can you restrict running certain applications on a machine?

The Group Policy Object Editor and the Software Restriction Policies extension of
Group Policy Object Editor are used to restrict running certain applications on a
machine. For Windows XP computers that are not participating in a domain, you can
use the Local Security Settings snap-in to access Software Restriction Policies.

28. What can you do to promote a server to DC?

Using the command dcpromo

29. How will you map a folder through AD?

Specify the network share path (UNC) in the home directory of the user's Active Directory account.

30. Explain Quotas.

Disk Quota is a feature of NTFS which helps to restrict or manage disk usage by normal users. It can be implemented on a per-user, per-volume basis. By default it is disabled, and administrative privilege is required to configure it. In Windows Server 2003 we can control quotas only per drive, but in Windows Server 2008 we can establish quotas at folder level.
31. Explain Backup Methodology.
The different types of backup methodologies are:
• Normal Backup: this is the default backup, in which all files are backed up even if they were backed up before.
• Incremental Backup: in this type of backup only the files that haven't been backed up since the last backup are backed up.
• Differential Backup: this backup is similar to an incremental backup because it does not back up the files already backed up by the normal backup, but it differs from an incremental backup because it will back up again the files captured by earlier differential backups the next time a differential backup runs.
• System Backup: this type of backup covers the boot files, the COM+ Class Registration database and the Registry. On a server it also backs up ADS.
• ASR Backup: this type of backup covers the entire boot partition including the OS and user data. This should be the last troubleshooting method used to recover an OS from disaster.
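The archive-bit behaviour that separates the normal, incremental and differential types above, as an added Python model (not the page's or Microsoft's code). `File`, `BackupSet`, `run_backup`, `restore_sets` and the sample file names are constructed for this example; the point it makes is which sets you must have on hand to restore after a week of each type.

```python
from dataclasses import dataclass


@dataclass
class File:
    name: str
    archive_bit: bool = True  # Windows sets this whenever a file is created or changed


@dataclass
class BackupSet:
    day: str
    kind: str
    files: list


def run_backup(kind: str, files: list, day: str) -> BackupSet:
    """Model the three NTBackup job types by how they read and reset the archive bit."""
    if kind == "normal":
        chosen = [f.name for f in files]          # everything, then clear all bits
        for f in files:
            f.archive_bit = False
    elif kind == "incremental":
        chosen = [f.name for f in files if f.archive_bit]  # changed since last normal/incremental
        for f in files:
            f.archive_bit = False                  # clears the bit, so the next run starts fresh
    elif kind == "differential":
        chosen = [f.name for f in files if f.archive_bit]  # changed since last normal
        # bits are deliberately left set: each differential grows until the next normal
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    return BackupSet(day, kind, chosen)


def modify(files: list, name: str) -> None:
    """Simulate a user editing a file: the OS sets the archive bit again."""
    for f in files:
        if f.name == name:
            f.archive_bit = True


def restore_sets(history: list) -> list:
    """Backup sets needed to rebuild the state after the last job.

    Assumes a week that is all-incremental or all-differential after the normal
    backup (a mixed chain needs case-by-case reasoning).
    """
    last_normal = max(i for i, b in enumerate(history) if b.kind == "normal")
    tail = history[last_normal + 1:]
    if tail and tail[-1].kind == "differential":
        return [history[last_normal], tail[-1]]       # two sets, whatever the day
    return [history[last_normal]] + tail              # normal plus every incremental


def simulate_week(kind: str) -> list:
    """Constructed scenario: a normal backup on Monday, then `kind` each weekday."""
    files = [File("payroll.xlsx"), File("ntds-backup.bkf"), File("readme.txt")]
    history = [run_backup("normal", files, "Mon")]
    modify(files, "payroll.xlsx")
    history.append(run_backup(kind, files, "Tue"))
    modify(files, "readme.txt")
    history.append(run_backup(kind, files, "Wed"))
    history.append(run_backup(kind, files, "Thu"))    # nothing changed on Thursday
    return history


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        hist = simulate_week(kind)
        print(kind, [(b.day, b.files) for b in hist])
        print("  restore needs:", [b.day for b in restore_sets(hist)])
```

The incremental week produces three small sets but needs all four to restore; the differential week produces growing sets but only ever needs Monday's normal backup plus the latest differential. That trade-off between backup size and the number of media a restore depends on is the practical reason to pick one over the other.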
32. Explain how to publish a printer through AD.
Navigate to Active Directory Users and Computers, create a new printer object and add the printer's share name (UNC path). The printer will automatically be published in Active Directory.

33. Explain the functionality of an FTP server.

File Transfer Protocol is used to transfer large volumes of files, and huge numbers of files simultaneously, between different geographic locations.
34. Specify the port numbers for AD, DNS, DHCP, HTTP, HTTPS, SMTP, POP3 and FTP.
• AD - 389
• DNS - 53
• DHCP - 67, 68 (67 for the server and 68 for the client)
• HTTP - 80
• HTTPS - 443
• SMTP - 25
• POP3 - 110
• FTP - 21, 22
35. Explain Virtual Directory in IIS?
A virtual server can have one home directory and any number of other publishing
directories. These other publishing directories are referred to as virtual directories.
36. What is an Exclusion Range in a DHCP server?

An exclusion range is used to hold back a range of IP addresses. Those IP addresses may or may not be in use on the network, but the DHCP server does not assign them to its clients.

37. Explain the SOA Record.

A Start Of Authority (SOA) record indicates that the name server is the authoritative server for the domain.

38. What command is used to clear the DNS cache on a client PC?
ipconfig /flushdns

39. Explain Secure Dynamic Updates in a DNS server.

Secure Dynamic Updates can only be selected when Active Directory and DNS are installed on the same server (AD-integrated zones). Then all the records will automatically be updated in DNS. Since all the information is validated in Active Directory, there will not be any duplicate or unwanted records.

40. Explain FRS in detail.

File Replication Service is a Microsoft service which replicates folders stored in the sysvol shared folders on domain controllers and in distributed file system shared folders. This service is a part of Microsoft's Active Directory service.

41. Explain the protocol involved in ADC replication.
Remote Procedure Call (RPC) is the protocol used in ADC replication.

42. Explain the difference between Patches and a Service Pack.

Patches are fixes, updates or enhancements for a particular program whereas service packs include a collection of

43. What is WSUS?

WSUS is Windows Software Update Services. It is a server product provided free of cost by Microsoft to manage patches for a Windows environment centrally.

44. How does client/server communication take place with a WSUS server?
Using a Web Server or Web Services.

45. What is the difference between a Dynamic Disk and a Basic Disk?

Basic Disk: A basic disk uses a partition table to manage all partitions on the disk, and it is supported by DOS and all Windows versions. A disk with an installed OS would by default be initialized as a basic one. A basic disk contains basic volumes, such as primary partitions and an extended partition; all logical partitions are contained in the extended partition.

Dynamic Disk: Dynamic disks are supported in Windows 2000 and later operating systems. Dynamic disks do not use a partition table to track all partitions, but use a hidden database (LDM) to track information about dynamic volumes or dynamic partitions on the disk. With dynamic disks you can create volumes that span multiple disks, such as spanned and striped volumes, and can also create fault-tolerant volumes such as mirrored volumes and RAID 5 volumes. Compared to a basic disk, a dynamic disk offers greater flexibility.
46. What is maximum Size of file system NTFS and FAT32?
NTFS - 16TB

FAT32 - 4GB

47. What is the "hosts" file?

The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The hosts file is a plain-text file and is traditionally named hosts.

48. What is the "lmhosts" file?

The lmhosts file is a computer file used by an operating system to map NetBIOS names to IP addresses. It is the equivalent of WINS.
49. Explain the Global Catalog.
The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest.

50. Name some OU design considerations.

OUs are used to model an organizational structure, restrict users' visibility and delegate control.

51. Name a few benefits of using GPMC.
• GPMC is used to customize group policy.
• It makes it easy to maintain different OU policies effectively.
• It provides the option to back up and restore group policy.

52. You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

Configure Group Policy based on the OU.

53. By default, if the name is not found in the cache or local hosts file, what is
the first step the client takes to resolve the FQDN name into an IP address?

Create a record in DNS Server

54. You are administering a network connected to the Internet. Your users
complain that everything is slow. Preliminary research of the problem
indicates that it takes a considerable amount of time to resolve names of
resources on the Internet. What is the most likely reason for this?
DNS Issues
55. Describe how the DHCP lease is obtained.
It’s a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection and
(d) acknowledgement.

56. I can't seem to access the Internet, don't have any access to the corporate network and on ipconfig my address is 169.254.*.*. What happened?

The 169.254.*.* address range is assigned to Windows machines running 98/2000/XP if the DHCP server is not available. The name for the technology is APIPA (Automatic Private Internet Protocol Addressing).
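The DHCP material above (the scope of Q11, reservations in Q21, exclusion ranges in Q36, the four-step lease of Q55 and the APIPA fallback of Q15 and Q56) fits into one small exchange. The following is an added Python model, not the page's or Microsoft's code: `Scope`, `DhcpServer`, `obtain_lease` and the message dictionaries are constructed for the example, and `apipa_address` derives a deterministic 169.254.x.y address from the MAC purely to keep the run reproducible (a real client picks a random candidate and probes for conflicts).

```python
import ipaddress
from dataclasses import dataclass, field

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")   # IANA reservation quoted by the page


@dataclass
class Scope:
    """A DHCP scope: address range, exclusions, reservations and options."""
    start: str
    end: str
    lease_seconds: int = 8 * 24 * 3600
    exclusions: list = field(default_factory=list)    # (first_ip, last_ip) pairs never handed out
    reservations: dict = field(default_factory=dict)  # client MAC -> fixed IP
    router: str = ""
    dns: str = ""


class DhcpServer:
    """Toy server (constructed for this example) answering DISCOVER and REQUEST."""

    def __init__(self, scope: Scope):
        self.scope = scope
        self.leases = {}   # ip -> mac, active leases
        self.offers = {}   # mac -> ip, offered but not yet acknowledged

    def _excluded(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(a) <= addr <= ipaddress.ip_address(b)
                   for a, b in self.scope.exclusions)

    def _pick_address(self, mac: str):
        if mac in self.scope.reservations:          # a reservation wins over the pool
            return self.scope.reservations[mac]
        reserved = set(self.scope.reservations.values())
        cur, last = ipaddress.ip_address(self.scope.start), ipaddress.ip_address(self.scope.end)
        while cur <= last:
            ip = str(cur)
            if ip not in self.leases and ip not in reserved and not self._excluded(ip):
                return ip
            cur += 1
        return None                                 # scope exhausted

    def handle(self, msg: dict):
        """Process one client message; return the reply, or None for silence."""
        if msg["type"] == "DHCPDISCOVER":
            ip = self._pick_address(msg["mac"])
            if ip is None:
                return None
            self.offers[msg["mac"]] = ip
            return {"type": "DHCPOFFER", "yiaddr": ip, "lease": self.scope.lease_seconds,
                    "router": self.scope.router, "dns": self.scope.dns}
        if msg["type"] == "DHCPREQUEST":
            ip = self.offers.pop(msg["mac"], None)
            if ip != msg["requested"] or self.leases.get(ip, msg["mac"]) != msg["mac"]:
                return {"type": "DHCPNAK"}          # not what we offered, or already taken
            self.leases[ip] = msg["mac"]
            return {"type": "DHCPACK", "yiaddr": ip, "lease": self.scope.lease_seconds}
        return None


def obtain_lease(server, mac: str):
    """Discover, offer, request, acknowledge. Returns (address, transcript).

    If nothing answers the DISCOVER the client self-assigns an APIPA address,
    which is exactly the 169.254.*.* symptom described in Q56.
    """
    transcript = []
    discover = {"type": "DHCPDISCOVER", "mac": mac}
    transcript.append(("client", discover))
    offer = server.handle(discover) if server is not None else None
    if offer is None:
        ip = apipa_address(mac)
        transcript.append(("client", {"type": "APIPA", "ip": ip}))
        return ip, transcript
    transcript.append(("server", offer))
    request = {"type": "DHCPREQUEST", "mac": mac, "requested": offer["yiaddr"]}
    transcript.append(("client", request))
    ack = server.handle(request)
    transcript.append(("server", ack))
    return (ack["yiaddr"] if ack["type"] == "DHCPACK" else None), transcript


def apipa_address(mac: str) -> str:
    """Deterministic stand-in for the client's self-assigned 169.254.x.y address."""
    digest = sum(int(octet, 16) for octet in mac.split(":"))
    return str(APIPA_NET[1 + digest % 65534])       # skips the network and broadcast addresses


def is_apipa(ip: str) -> bool:
    """True when an interface shows a self-assigned address, i.e. DHCP never answered."""
    return ipaddress.ip_address(ip) in APIPA_NET


if __name__ == "__main__":
    scope = Scope("192.168.1.100", "192.168.1.110",
                  exclusions=[("192.168.1.100", "192.168.1.101")],
                  reservations={"aa:bb:cc:dd:ee:ff": "192.168.1.105"},
                  router="192.168.1.1", dns="192.168.1.10")
    srv = DhcpServer(scope)
    for mac in ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"):
        ip, steps = obtain_lease(srv, mac)
        print(mac, "->", ip, [m["type"] for _, m in steps])
    print("no server:", obtain_lease(None, "00:11:22:33:44:55")[0])
```

The first client skips the excluded .100 and .101 and lands on .102; the reserved MAC always gets .105; with no server at all the client ends up in 169.254.0.0/16, which `is_apipa` recognises, and that is the first thing to check when a machine reports it cannot reach the domain.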
57. We’ve installed a new Windows-based DHCP server, however, the users do
not seem to be getting DHCP leases off of it.
The server must be authorized first with the Active Directory.

58. How do you configure mandatory profiles? 

Rename ntuser.dat to ntuser.man

59. What is the Page File and Virtual Memory?

The page file is storage space for virtual memory: it uses hard disk space as memory to provide memory allocation.
60. What is the difference between DNS in Windows 2000 and Windows 2003 Server?
We can rename or move the domain name without rebuilding it in Windows 2003 Server, but in Windows 2000 Server we can't do that.

61. Where are group policies stored?

%SystemRoot%\System32\GroupPolicy

62. What are GPT and GPC?

Group Policy Template and Group Policy Container.

63. Where is the GPT stored?

%SystemRoot%\SYSVOL\sysvol\<domain name>\Policies\<GUID>

64. You change the group policies, and now the computer and user settings
are in conflict. Which one has the highest priority? 

The computer settings take priority.

65. What hidden shares exist on Windows Server 2003 installation?

Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.


1) Mention what is Active Directory?

Active Directory is a directory structure used on Microsoft Windows-based servers and computers to store data and information about networks and domains.

2) Mention what are the new features in Active Directory (AD) of Windows Server 2012?

• dcpromo (Domain Controller Promoter) with improved wizard: it allows you to view all the steps and review the detailed results during the installation process.
• Enhanced Administrative Center: compared to the earlier version of Active Directory, the Administrative Center is well designed in Windows 2012. The Exchange management console is well designed.
• Recycle bin goes GUI: in Windows Server 2012 there are now many ways to enable the Active Directory Recycle Bin through the GUI in the Active Directory Administrative Center, which was not possible with the earlier version.
• Fine-grained password policies (FGPP): in Windows Server 2012 implementing FGPP is much easier compared to earlier versions. It allows you to create different password policies in the same domain.
• Windows PowerShell History Viewer: you can view the Windows PowerShell commands that relate to the actions you execute in the Active Directory Administrative Center UI.

3) Mention which is the default protocol used in directory services?

The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).

4) Explain the term FOREST in AD?

A forest is an assembly of AD domains that share a single schema for the AD. All DCs in the forest share this schema, and it is replicated in a hierarchical fashion among them.

5) Explain what is SYSVOL?

The SysVOL folder keeps the server’s copy of the domain’s public files.  The
contents such as users, group policy, etc. of the sysvol folders are replicated to all
domain controllers in the domain.
6) Mention what is the difference between domain admin groups and enterprise admins group in AD?

Enterprise Admin Group:
• Members of this group have complete control of all domains in the forest.
• By default, this group belongs to the Administrators group on all domain controllers in the forest.
• As such this group has full control of the forest; add users with caution.

Domain Admin Group:
• Members of this group have complete control of the domain.
• By default, this group is a member of the Administrators group on all domain controllers, workstations and member servers that are linked to the domain.
• As such the group has full control of the domain; add users with caution.

7) Mention what system state data contains?

System state data contains:

• Startup files
• Registry
• COM+ Registration Database
• Memory page file
• System files
• AD information
• SYSVOL folder
• Cluster service information

8) Mention what is Kerberos?

Kerberos is an authentication protocol for networks. It is built to offer strong authentication for client/server applications by using secret-key cryptography.

9) Explain where the AD database is held. What other folders are related to AD?

The AD database is saved in %systemroot%\ntds. In the same folder you can also see other files; these are the main files controlling the AD structures:

• ntds.dit
• edb.log
• res1.log
• res2.log
• edb.chk

10) Mention what is PDC emulator and how would one know whether PDC emulator is working or not?

PDC Emulator: there is one PDC emulator per domain, and when there is a failed authentication attempt, it is forwarded to the PDC emulator. It acts as a "tie-breaker" and it controls the time sync across the domain.

These are the symptoms by which we can tell that the PDC emulator is not working:

• Time is not syncing
• Users' accounts are not being locked out
• Windows NT BDCs are not getting updates
• Pre-Windows 2000 computers are unable to change their passwords

11) Mention what are lingering objects?

Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL).

12) Mention what is TOMBSTONE lifetime?

The tombstone lifetime in Active Directory determines how long a deleted object is retained in Active Directory. A deleted object in Active Directory is stored as a special object referred to as a TOMBSTONE. Usually, Windows will use a 60-day tombstone lifetime if the value is not set in the forest configuration.
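The two definitions above combine into one check worth automating: a DC whose last successful inbound replication is older than the tombstone lifetime has missed deletions that the rest of the forest has already garbage-collected, so it may still carry lingering objects. The following is an added Python example, not the page's or Microsoft's code; the replication status records and the `NOW` timestamp are constructed, and `forest_tsl_days` stands in for whatever value the forest configuration holds.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_TSL_DAYS = 60   # the page's default when the forest configuration sets no value


def tombstone_lifetime(forest_tsl_days=None) -> timedelta:
    """Effective tombstone lifetime: the forest's configured value, else the 60-day default."""
    return timedelta(days=forest_tsl_days if forest_tsl_days else DEFAULT_TSL_DAYS)


def days_before(now: datetime, n: int) -> datetime:
    """Helper to build sample timestamps relative to `now`."""
    return now - timedelta(days=n)


def tombstone_expired(deleted_at: datetime, now: datetime, forest_tsl_days=None) -> bool:
    """A tombstone older than the TSL is garbage-collected and can no longer replicate."""
    return now - deleted_at > tombstone_lifetime(forest_tsl_days)


def lingering_object_risk(replication_status, now: datetime, forest_tsl_days=None) -> dict:
    """Flag DCs whose last successful inbound replication predates the TSL.

    replication_status: list of (dc, partner, last_success) tuples, the kind of
    information a replication status report provides. A DC in the result missed
    at least one full TSL of deletions and may still hold objects the rest of
    the domain has already removed.
    """
    tsl = tombstone_lifetime(forest_tsl_days)
    at_risk = {}
    for dc, partner, last_success in replication_status:
        gap = now - last_success
        if gap > tsl:
            at_risk.setdefault(dc, []).append((partner, gap.days))
    return at_risk


# Constructed sample data (not from the page): two healthy hub DCs and one
# branch-office DC that has not replicated in 75 days.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
STATUS = [
    ("DC1", "DC2", NOW - timedelta(hours=2)),
    ("DC2", "DC1", NOW - timedelta(hours=1)),
    ("DC3", "DC1", days_before(NOW, 75)),
    ("DC3", "DC2", days_before(NOW, 75)),
]

if __name__ == "__main__":
    print("default TSL:", lingering_object_risk(STATUS, NOW))
    print("180-day TSL:", lingering_object_risk(STATUS, NOW, forest_tsl_days=180))
```

With the 60-day default, DC3 is flagged against both partners; raising the forest's TSL to 180 days makes the same 75-day outage fall inside the window, which shows why the configured value, not the default, must be read before judging a stale DC.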

13) Explain what is Active Directory Schema?

The schema is the Active Directory component that describes all the attributes and objects that the directory service uses to store data.

14) Explain what is a child DC?

A CDC or child DC is a domain controller of a sub-domain under the root domain, sharing its namespace.

15) Explain what is RID Master?

RID master stands for Relative Identifier master; it is responsible for assigning unique IDs to the objects created in AD.

16) Mention what are the components of AD?

The components of AD include:

• Logical structure: trees, forests, domains and OUs
• Physical structure: domain controllers and sites

17) Explain what is Infrastructure Master?

The Infrastructure Master is responsible for updating information about users and groups and the global catalog.

What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft and used to store objects such as users, computers, printers and network information. It lets you manage your network effectively with multiple domain controllers in different locations sharing the AD database: changes can be made on any domain controller and are replicated to all the other DCs, giving centralized administration across multiple geographical locations. It also authenticates users and computers in a Windows domain.

What is LDAP and how is LDAP used in Active Directory (AD)?

http://www.windowstricks.in/ldap-and-ldap-query
What is a Tree?

A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace.

What is a Domain?

Active Directory Domain Services is Microsoft's directory server. It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed.

What is the Active Directory Domain Controller (DC)?

A Domain Controller is the server which holds the AD database. All AD changes get replicated to the other DCs and vice versa.

What is a Forest?

A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace; however, they share a common schema and global catalog (GC).

What is the Schema?

The Active Directory schema is the set of definitions that define the kinds of objects, and the types of information about those objects, that can be stored in Active Directory.

The Active Directory schema is a collection of object classes and their attributes.

Object Class = User

Attributes = first name, last name, email, and others

Can we restore a schema partition?

http://www.windowstricks.in/2014/01/can-i-restore-schema-partition.html
Tell me about the FSMO roles.

Schema Master

Domain Naming Master

Infrastructure Master

RID Master

PDC

Schema Master and Domain Naming Master are the forest-wide roles, and there is only one of each per forest. The other roles are domain-wide, one of each per domain.

AD replication is multi-master replication: a change can be made on any domain controller and will be replicated to the other domain controllers. The five roles above are the exception: they are flexible single master operations (FSMO), and their changes can only be made on the dedicated domain controller, so they are single-master.

How to check which server holds which role?

netdom query fsmo

Which FSMO role is the most important? And why?

An interesting question: which role is the most important of the 5 FSMO roles, or, if one role fails, which will impact the end user immediately?

Most amateur administrators pick the Schema Master role, perhaps because they think the schema is critical to running Active Directory.

The correct answer is the PDC. Now the next question is why. To find the answer, let's explain role by role what happens when an FSMO role holder fails.

Schema Master: the Schema Master is needed to update the schema, and we don't update the schema daily. When do we update the schema? At the time of an operating system migration, when installing a new Exchange version, and for any other application that requires extending the schema.

So if our Schema Master server is not available, we can't update the schema, but this is not going to affect Active Directory operation or the end user.

The Schema Master only needs to be online and ready when we make a schema change, so we can plan and have more time to bring the Schema Master server back.

Domain Naming Master: the Domain Naming Master is required to create a new domain and to create an application partition. Like the Schema Master, we don't create domains and application partitions frequently.

So if our Domain Naming Master server is not available, we can't create a new domain or application partition; it will not affect users, and users will not even be aware that the Domain Naming Master server is down.

Infrastructure Master: the Infrastructure Master handles cross-domain updates. What really gets updated between domains? Whenever a user logs in to a domain, the TGT is created with the list of access the user has through group membership (the user's group membership details); it also contains the user's membership details from trusted domains. The Infrastructure Master keeps this information up to date: it updates reference information every 2 days by comparing its data with the Global Catalog (that's why we don't keep the Infrastructure Master and the GC on the same server).

In a single-domain, single-forest environment, there is no impact if the Infrastructure Master server is down.

In a multi-domain or multi-forest environment, there will be an impact, but we have enough time to fix the issue before it affects the end user.

RID Master: every DC is initially issued 500 RIDs from the RID Master server. RIDs are used to create new objects in Active Directory; all new objects are created with a Security ID (SID), and the RID is the last part of a SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID. When a DC gets down to 250 RIDs (50%) it requests a second pool of RIDs from the RID Master. If the RID Master server is not available, RID pools cannot be issued to DCs, and DCs are only able to create new objects while they have RIDs available. Every DC has anywhere between 250 and 750 RIDs available at any time, so there is no immediate impact.
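As an added Python model of the RID Master passage (not the page's or Microsoft's code): `parse_sid` pulls the RID out of a textual SID and `describe_sid` says whether it is one of the well-known built-in RIDs or one allocated from a RID pool, while `RidMaster` and `DomainController` replay the 500-RID block and 250-RID refill threshold the text describes, including what happens when the RID Master is unreachable. The sub-authority values in the sample SIDs are constructed; the well-known RID table is standard Windows knowledge, not something the page lists.

```python
import re

# Well-known domain-relative RIDs (standard Windows values; only a subset).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
    516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins",
}
FIRST_POOL_RID = 1000   # RIDs below this are built-in; the RID master hands out the rest

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str):
    """Split 'S-1-<authority>-<sub>-...-<rid>' into (authority, sub_authorities, rid)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    parts = [int(x) for x in m.group(2).split("-")[1:]]
    return int(m.group(1)), parts[:-1], parts[-1]


def describe_sid(sid: str) -> dict:
    """What the RID tells you: the issuing domain, and whether the RID is well known.

    A well-known RID identifies the account even after it has been renamed, which
    is why a RID of 500 is worth noticing in a log regardless of the account name.
    """
    authority, subs, rid = parse_sid(sid)
    return {
        "domain_sid": "S-1-%d-%s" % (authority, "-".join(map(str, subs))),
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        "from_rid_pool": rid >= FIRST_POOL_RID,
    }


class RidMaster:
    """The one RID master per domain, handing out blocks of 500 RIDs."""
    BLOCK_SIZE = 500

    def __init__(self, first_rid=FIRST_POOL_RID, online=True):
        self.next_rid, self.online = first_rid, online

    def issue_block(self):
        if not self.online:
            return None                             # unreachable: no block
        block = (self.next_rid, self.next_rid + self.BLOCK_SIZE - 1)
        self.next_rid += self.BLOCK_SIZE
        return block


class DomainController:
    """A DC consuming its pool; asks for the next block at 250 left (50%), as the text says."""
    REFILL_AT = 250

    def __init__(self, name: str, master: RidMaster):
        self.name, self.master = name, master
        self.current = master.issue_block()         # the initial 500 RIDs
        self.standby = None
        self.next_rid = self.current[0]

    def remaining(self) -> int:
        left = self.current[1] - self.next_rid + 1
        if self.standby:
            left += self.standby[1] - self.standby[0] + 1
        return left

    def new_object_rid(self) -> int:
        if self.next_rid > self.current[1]:         # current block used up
            if self.standby is None:
                self.standby = self.master.issue_block()   # one last try
            if self.standby is None:
                raise RuntimeError(f"{self.name}: RID pool exhausted, RID master unreachable")
            self.current, self.standby = self.standby, None
            self.next_rid = self.current[0]
        rid = self.next_rid
        self.next_rid += 1
        if self.standby is None and self.current[1] - self.next_rid + 1 <= self.REFILL_AT:
            self.standby = self.master.issue_block()      # None if the master is down
        return rid


def objects_until_exhaustion(dc: DomainController, limit=10000) -> int:
    """How many more objects a DC can create; capped at `limit` when refills keep coming."""
    count = 0
    while count < limit:
        try:
            dc.new_object_rid()
        except RuntimeError:
            break
        count += 1
    return count


if __name__ == "__main__":
    print(describe_sid("S-1-5-21-1004336348-1177238915-682003330-512"))   # constructed SID
    master = RidMaster()
    dc = DomainController("DC1", master)
    master.online = False
    print("objects creatable with the RID master down:", objects_until_exhaustion(dc))
```

With the master online a DC never runs dry; with it offline a freshly promoted DC can still create exactly its initial 500 objects, which is the "no immediate impact" the text describes, and the reason the RID Master is not the role to panic about first.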
PDC: the PDC is required for time sync, user login, password changes and trusts. Now you know why the PDC is the most important FSMO role holder to get back online: a PDC failure will impact the end user immediately, and we need to recover it ASAP.

The PDC emulator emulates a Primary Domain Controller for backward compatibility; it is responsible for time synchronization within the domain and is also the password master. Any password change is replicated to the PDC emulator ASAP. If a login request fails due to a bad password, the login request is passed to the PDC emulator to check the password before the login request is rejected.
Tell me about the Active Directory database and list the Active Directory database files.

NTDS.DIT

EDB.Log

EDB.Chk

Res1.log and Res2.log

AD changes are not written directly to the NTDS.DIT database file; they are first written to EDB.Log and then from the log file to the database. EDB.Chk is used to track which updates from the log file have already been applied to the database file.

NTDS.DIT: NTDS.DIT is the AD database and stores all AD objects. The default location is %systemroot%\ntds\ntds.dit. The Active Directory database engine is the Extensible Storage Engine, which is based on the Jet database.

EDB.Log: EDB.Log is the transaction log file. When EDB.Log is full, it is renamed to EDBnum.log, where num is an increasing number starting from 1, like EDB1.Log.

EDB.Chk: EDB.Chk is the checkpoint file used to trace the data not yet written to the database file; this indicates the starting point from which data is to be recovered from the log file in case of failure.

Res1.log and Res2.log: Res files are reserved transaction log files which give the transaction log enough room to shut down cleanly if the disk does not have enough space.
What RAID configuration can be used on Domain Controllers?
http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html
Can we keep the OS, log files, SYSVOL and AD database on the same logical disk?
http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html

1. What do you mean by Active Directory?

Active Directory is a directory structure used on Microsoft Windows-based servers and computers to store data and information about domains and networks.

2. Name the default protocol used in directory services?

The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).

3. Define SYSVOL?

The SYSVOL folder keeps the server's copy of the domain's public files. The contents, such as users, group policy, etc., of the SYSVOL folders are replicated to all domain controllers in the domain.

4. Define the term FOREST in AD?

A forest describes a collection of AD domains that share a single schema for the AD. All DCs in the forest share this schema, and it is replicated in a hierarchical fashion among them.

5. What is Kerberos?

Kerberos is an authentication protocol for the network. It is built to provide strong authentication for client/server applications by using secret-key cryptography.

6. What do you mean by lingering objects?

Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime.

7. Define Active Directory Schema?

The schema is the Active Directory component that describes all the objects and attributes that the directory service uses to store data.

8. Name the components of AD?

The components of AD are:

• Physical Structures: Domain controller and Sites

• Logical Structure: Trees, Forest, Domains and OU

9. Define Infrastructure Master?

The Infrastructure Master is responsible for updating information about users and groups and the global catalog.

10. Define the domain?

A domain is a set of network resources for a collection of users. The user needs only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.

11. Explain subnet?

In computer networks based upon the Internet Protocol Suite, a subnetwork is a portion of the network's computers and network devices that have a common, designated IP address routing prefix.

12. What do you mean by organizational units?

The Organizational Unit is a critical design factor impacting policy, security, efficiency and the cost of administration. Organizational Units are a kind of LDAP (X.500) container. An OU can be thought of as a sub-domain element with properties comparable to those of domains.

13. What do you mean by Active Directory Recycle Bin?

Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed-up AD database or rebooting a domain controller.

14. Tell me the purpose of replication in AD?

The purpose of replication is to distribute the data stored within the directory throughout the organization for increased availability, performance, and data protection. Systems administrators can tune replication to occur based on their physical network infrastructure and other constraints.

15. Define Mixed Mode?

Allows domain controllers operation both Windows 2000 and previous versions of
Windows NT to co-exist in the area. In mixed mode, the domain features from
preceding versions of Windows NT Server are still enabled, while some Windows
2000 features are disabled. Windows 2000 Server domains are installed in mixed
mode by non-payment.  In a mixed way, the field may have Windows NT 4.0 backup
domain controllers at hand.

16. Explain stale?

Stale refers to references to objects that have been stimulated so that the local copy
of the distant object's name is out of date.

17. Define SID?

A Security Identifier (SID) is a unique, variable-length value used to identify a trustee or security principal (a user, group or computer). Domain SIDs have the form S-1-5-21-<domain identifier>-<RID>. Access control lists store SIDs rather than names, so renaming an account does not change its permissions, and the SID of a deleted account is never reused.

18. Do we use clustering in Active Directory? Why?

No. Active Directory is not installed on a cluster, and there is no need to cluster a domain controller. Active Directory provides full redundancy through multi-master replication as soon as a domain has two or more domain controllers.

19. What is RID Master?

The RID Master is the domain-wide FSMO role that allocates pools of Relative Identifiers (RIDs) to the domain controllers in the domain. Each DC takes RIDs from its pool to build the unique SID (domain SID plus RID) of every security principal it creates; without a reachable RID Master a DC eventually exhausts its pool and can no longer create users, groups or computers.

20. What is child DC?

A child DC is a domain controller of a child domain, which sits under the root (parent) domain in the same tree and shares a contiguous DNS namespace with it (for example sales.contoso.com under contoso.com).

21. What is the port no of Kerberos?

The port number is 88 (TCP and UDP); Kerberos password changes use port 464.

22. What is the port number of Global catalog?

The port number of the global catalog is 3268 (3269 for global catalog over TLS).

23. Tell me the port no of LDAP?

The port number of LDAP is 389 (636 for LDAP over TLS, LDAPS).
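An added example, not from the original page, that puts the three port numbers above (together with the other ports a domain member needs) to practical use: it checks that every domain controller is reachable on each port, which is the first thing to verify when clients cannot authenticate. It assumes the ActiveDirectory module and Test-NetConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original page): check that the ports a domain
# member needs are open on every DC. Assumes the ActiveDirectory module and
# Test-NetConnection (Windows 8 / Server 2012 or later). Kerberos and DNS also
# use UDP, which a TCP connect test does not cover.
Import-Module ActiveDirectory

$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over TLS'
}

function Test-DCPorts {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName)
    foreach ($dc in $DomainControllers) {
        foreach ($port in ($ports.Keys | Sort-Object)) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC      = $dc
                Port    = $port
                Service = $ports[$port]
                Open    = $r.TcpTestSucceeded
            }
        }
    }
}

# Show only what is blocked; an empty result means all DCs answer on all ports.
Test-DCPorts | Where-Object { -not $_.Open } | Format-Table -AutoSize
```

Port 636 answering does not by itself prove LDAPS works: the DC also needs a server certificate it trusts, otherwise the TLS handshake fails after the TCP connect succeeds.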

24. If I try to look at the schema, how can I do that?

Register schmmgmt.dll using this command (run as a member of Schema Admins):

c:\windows\system32>regsvr32 schmmgmt.dll

Open mmc --> File --> Add/Remove Snap-in --> Active Directory Schema

Save the console as schema.msc
Open Administrative Tools --> schema.msc

25. Define Native Mode?

When all domain controllers in a given domain are running Windows 2000 Server, this mode allows organizations to take advantage of new Active Directory features such as universal groups, inter-domain group membership and nested group membership. Once a domain has been switched to native mode it cannot be returned to mixed mode.

Q (1) What do you know about active directory in the system administration ?

Ans :- When we talk about network security, one thing that matters is centralized control of everything, and that is what Active Directory provides. The information and settings related to the deployment are stored in a central database. For example, the database might list 100 user accounts with details such as each person's job title, phone number and password (stored as a hash, never in clear text).

Q (2) What is group policy?

Ans :- Network administrators use Group Policy to control the working environment of user and computer accounts in Active Directory. It provides a central place for administrators to manage and configure operating systems, applications and user settings. Used properly, it lets you increase the security of users' computers and helps defend against both insider and external threats.
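The OU delegation of question 12 and the Group Policy use described above, worked through as an added example that is not part of the original page: create an OU, delegate password resets on it to a helpdesk group, link a GPO to it and push one hardening setting through that GPO. It assumes the RSAT ActiveDirectory and GroupPolicy modules, Domain Admins rights, and the placeholder names contoso.com, Helpdesk and WS-Baseline.

```powershell
# Added example (not from the original page): OU, delegation and a linked GPO.
# Assumes the ActiveDirectory and GroupPolicy modules, Domain Admins rights,
# and the placeholder domain CONTOSO, group "Helpdesk" and GPO "WS-Baseline".
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Workstations,$domainDN"

# 1. OU, protected against accidental deletion.
if (-not (Get-ADOrganizationalUnit -Identity $ouDN -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Delegation: grant Helpdesk the "Reset Password" control-access right on
#    user objects in this OU only (inherited to sub-objects, /I:S), instead of
#    making them Domain Admins. dsacls ships with AD DS / RSAT.
dsacls $ouDN /I:S /G 'CONTOSO\Helpdesk:CA;Reset Password;user'

# 3. Group Policy: create the GPO if missing and link it to the OU.
$gpo = Get-GPO -Name 'WS-Baseline' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'WS-Baseline' -Comment 'Workstation hardening baseline' }
if (-not ((Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpo.DisplayName)) {
    New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 4. One concrete security setting: stop storing LM password hashes.
Set-GPRegistryValue -Name $gpo.DisplayName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null

# 5. Verify: who can do what on the OU, and what the GPO now contains.
dsacls $ouDN | Select-String 'Helpdesk'
Get-GPOReport -Name $gpo.DisplayName -ReportType Html -Path "$env:TEMP\WS-Baseline.html"
```

The setting takes effect on the workstations at the next policy refresh (or gpupdate /force); check the result with gpresult /r on a member machine.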

Q (3) Why is it said that we should not restore a DC from a backup taken 9 months ago?

Ans :- Because of lingering objects. Active Directory requires that a backup used to restore a DC is not older than the tombstone lifetime (180 days by default on forests created with Windows Server 2003 SP1 or later, 60 days on earlier ones). Objects deleted in the meantime whose tombstones have already been garbage-collected would otherwise be reintroduced into the directory by the restored DC.

Q (4) Can you tell us about the experience you have with hardware components?

Ans :- A system administrator should be able to install and replace hardware; sometimes there is also a need to rebuild a hardware component.

Q (5) What do forest, tree and domain mean?

Ans :- A domain is a logical group of network objects (computers, users, devices) that share the same Active Directory database. A tree is a collection of domains within a Microsoft Active Directory network in which each domain has exactly one parent, leading to a hierarchical tree structure, and a forest is a group of Active Directory trees.

Q (6) What do you know about WINS servers?

Ans :- WINS stands for Windows Internet Name Service. It allows users to access resources by computer (NetBIOS) name rather than by IP address. It is a service, not an operating system: a centralized WINS server keeps a database in which the computers on the network register their NetBIOS names and IP addresses, and which other computers query to resolve a name to an address. It is a legacy service; in an Active Directory network DNS performs this role.

Q (7) What according to you could be the personal characteristics of a person administering a system?

Ans :- System administrators face a diversity of challenges. They are problem solvers and coordinators. They have an in-depth understanding of computer software, hardware and networks and so are able to instruct employees on technical issues. Their primary task is to monitor the systems. They keep track of server performance, design computer systems and are able to arrange a replacement quickly in case of a hardware failure.
Q (8) Can you give us one of the examples of the systems you have been working with as an Administrator?

Ans :- This typically may include Windows and Linux systems which support either asset management or GIS.

Q (9) What is a lingering object? What is the command that we use to remove lingering objects? Why is it important to remove lingering objects?

Ans :- A lingering object is a deleted Active Directory object that still exists in the local copy of the directory on some domain controller. When an object is deleted from Active Directory a tombstone (a temporary marker) is created, which has to be replicated to every domain controller before it expires and is garbage-collected. Lingering objects typically appear when a domain controller is restored from a backup, or is cut off from replication, for longer than the tombstone lifetime; for that reason Active Directory requires that a backup used for a restore is not older than the tombstone lifetime (180 days by default). Windows Server 2003 and Windows Server 2008 can remove lingering objects manually with the console utility REPADMIN.EXE:

repadmin /removelingeringobjects <destination DC> <source DC GUID> <naming context> [/advisory_mode]

Removing lingering objects is necessary because they make the directory inconsistent between domain controllers, cause replication errors, and can reintroduce deleted objects into the domain, for example a decommissioned account together with its old group memberships.
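The checks behind questions 3 and 9, as an added example that is not part of the original page: read the forest's tombstone lifetime, list current replication failures and run repadmin's advisory-mode lingering-object scan of every DC against a reference DC. It assumes the ActiveDirectory module, repadmin.exe (RSAT), and a reference DC with the placeholder name DC01 that is known to be clean.

```powershell
# Added example (not from the original page): replication health check and an
# advisory-mode lingering-object scan of the domain partition. Assumes the
# ActiveDirectory module, repadmin.exe (RSAT) and a clean reference DC with the
# placeholder name DC01.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$nc     = $domain.DistinguishedName

# 1. Outstanding replication failures, per DC and partner.
Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# 2. Tombstone lifetime: a backup older than this must never be restored.
$dsObj = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$tsl   = (Get-ADObject -Identity $dsObj -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # attribute unset: forests created before 2003 SP1 default to 60 days
"Tombstone lifetime: $tsl days"

# 3. Lingering-object scan. The source DC is identified by the GUID of its
#    NTDS Settings (DSA) object. /advisory_mode only reports; the findings are
#    logged in the Directory Service event log of the scanned DC.
$refDC   = Get-ADDomainController -Identity 'DC01'
$dsaGuid = (Get-ADObject -Identity $refDC.NTDSSettingsObjectDN).ObjectGUID

Get-ADDomainController -Filter * |
    Where-Object HostName -ne $refDC.HostName |
    ForEach-Object {
        "Scanning $($_.HostName) against $($refDC.HostName)"
        repadmin /removelingeringobjects $_.HostName $dsaGuid $nc /advisory_mode
    }
# Re-run the same command without /advisory_mode to delete the reported objects.
```

Run the scan once per naming context (domain, configuration, and each application partition such as DomainDnsZones); the example only covers the domain partition.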

Q (10) Can you differentiate between a firewall and an antivirus?

Ans :- Antivirus :- we use antivirus software to protect the system from malware. While the system is in use it actively monitors for threats from different sources; if it finds one it tries to clean or quarantine the malicious file and so keeps the system and its data safe.
Firewall :- on the flip side, a firewall protects the system from outside or intruder attacks by filtering network traffic. Attackers may take control of a system remotely and steal information or data from it; this happens mostly when the system is connected directly to the internet or to a large network. In that case you should enable a firewall on the PC to protect yourself from unauthorized access. Firewalls are available in software or hardware form: for a single PC a software firewall does the job, but to protect a large corporate network a hardware firewall at the network perimeter is needed. A firewall only controls which connections are allowed; it does not inspect the files that arrive over an allowed connection, which is the antivirus's job, so the two complement each other.

Q (11) According to you why is backing up Active Directory important and how can you back up Active Directory?

Ans :- Backing up Active Directory is important in order to recover the AD database after corruption, hardware failure or accidental deletion; the backup must also be more recent than the tombstone lifetime to be usable.

Windows Server 2003:- here you can back up Active Directory (as part of the system state) with the NTBACKUP tool that is built into Windows Server 2003, or with any third-party tool that supports this feature.

Windows Server 2008:- here there is no option to back up the system state through the Windows Server Backup graphical utility. The command line has to be used in order to back up Active Directory, and the Windows Server Backup feature must be installed first.

Step 1 – open the command prompt by clicking on Start, typing "cmd" and pressing Enter (run it as Administrator).

Step 2 – in the command prompt type "wbadmin start systemstatebackup -backupTarget:E:" (E: being a volume other than the one holding the AD database and SYSVOL) and press Enter.

Step 3 – input "y" and press Enter to start the backup process.
When the backup is finished you will get a message that the backup completed successfully; if it did not complete properly you need to troubleshoot.
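The three steps above, scripted as an added example that is not part of the original page, so the backup can run unattended and its age can be checked against the tombstone lifetime. It assumes Windows Server 2008 R2 or later with the ServerManager module, a dedicated target volume with the placeholder letter E: that does not hold the AD database or SYSVOL, and an elevated session.

```powershell
# Added example (not from the original page): scripted system state backup of a
# domain controller with wbadmin, suitable for a scheduled task. Assumes
# Windows Server 2008 R2 or later, the ServerManager module, a dedicated target
# volume E: (placeholder) that holds neither the AD database nor SYSVOL, and an
# elevated session.
$target = 'E:'

# Install the backup feature if it is missing.
Import-Module ServerManager
if (-not (Get-WindowsFeature Windows-Server-Backup).Installed) {
    Add-WindowsFeature Windows-Server-Backup | Out-Null
}

# -quiet suppresses the Y/N prompt so the job can run unattended.
wbadmin start systemstatebackup -backupTarget:$target -quiet
if ($LASTEXITCODE -ne 0) {
    throw "System state backup failed (exit code $LASTEXITCODE); check the Microsoft-Windows-Backup event log"
}

# List what is on the target and flag backups older than the default tombstone
# lifetime (180 days), which must not be used for a restore. wbadmin prints
# timestamps in the current locale, so parse them with the current culture.
$tsl = 180
wbadmin get versions -backupTarget:$target |
    Select-String 'Backup time:' |
    ForEach-Object {
        $stamp = [datetime]::Parse(($_.Line -replace '^.*Backup time:\s*', ''))
        $age   = (Get-Date) - $stamp
        $flag  = if ($age.TotalDays -gt $tsl) { '  (TOO OLD to restore)' } else { '' }
        '{0}  age {1:N0} days{2}' -f $stamp, $age.TotalDays, $flag
    }
```

A system state backup of a DC contains the whole directory including password hashes, so the target volume deserves the same protection as the DC itself.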

Q (12) What is a domain controller?

Ans :- A domain controller (DC) is a Windows-based server that stores the Active Directory database, including user account data, in a central location and authenticates users and computers. It allows the system administrator to allow or deny users access to resources such as printers, documents, folders, network locations, etc.

Q (13) According to you what is the difference between FAT and NTFS?

Ans :- FAT :-

 There is no security when the user logs in locally.
 It originally supports only 8.3 file names (long names need the VFAT extension).
 It does not support file compression.
 The maximum file size is 4 GB; FAT16 partitions are limited to 4 GB and Windows formats FAT32 partitions of at most 32 GB.
 There are no security permissions at file and folder level.
 It doesn't support bad cluster mapping or journaling, so it is not very reliable.

NTFS :-

 There is security for both local and remote users.
 It supports file names of up to 255 characters.
 It supports file compression and encryption (EFS).
 The partition size can be up to 16 exabytes (theoretical).
 There is security at file and folder level (ACLs).
 It supports bad cluster mapping and transaction logging (journaling), so it is highly reliable.

Q (14) Can you tell me what a loopback address is and in what sense it is useful?

Ans :- It is an address (127.0.0.1 in IPv4, ::1 in IPv6) that sends outgoing packets back to the same computer for testing purposes. It is handled entirely within the operating system, so a client and a server process on a single system can communicate with each other through it. It is not tied to any physical network connection, and it is useful because it gives IT professionals an interface to test the IP stack without worrying about broken or corrupted drivers or hardware. Because it never leaves the host, a service bound only to the loopback address is not reachable from the network.

Q (15) What do you know about proxy servers?

Ans :- A proxy server acts as the gateway between a local network (for example the computers in a company) and a large-scale network (for example the internet). Using a proxy can increase performance (through caching) and security: it can prevent employees from browsing inappropriate or distracting sites, log outbound requests and hide the internal clients' addresses from the outside.

Q (16) Can you tell us about the Windows registry?

Ans :- It is often referred to as "the registry". In the Microsoft Windows operating systems it is the hierarchical database of configuration settings (low-level settings). It stores important information such as the location of programs, files, etc. If you don't understand what you are doing you should not edit the Windows registry, as a mistake can cause problems with installed applications or the operating system.

Q (17) What is the SYSVOL folder?

Ans :- It is a shared folder on every domain controller that stores Group Policy information, or in other words the public files of the domain that the domain members need to read. Its significant feature is that it is used to deliver policy templates and logon scripts to the domain members; its contents are replicated between the domain controllers (by FRS, or DFS-R on newer domains).

Q (18) Why is VoIP important?

Ans :- VoIP (Voice over IP) is important as it lets users adopt modern techniques in place of the traditional telephone infrastructure. With it the data network becomes the transmission medium, carrying voice packets instead of a circuit-switched telephone call.

Q (19) What do you know about Windows Deployment Services?

Ans :- As the name suggests, it is used to deploy Windows operating systems over the network, so there is no need to install each operating system directly from CD or DVD. The tools used for managing the server are:

(1) the Windows Deployment Services MMC snap-in

(2) Windows PowerShell cmdlets for WDS

(3) the WDSUTIL command-line tool

Q (20) What is the difference between a workgroup and a domain?

Ans :- In a workgroup each system keeps its own local user accounts and its own security settings; there is no central authentication, and a user who needs access to several machines needs an account on each one. In a domain a centralized authentication server (the domain controller) holds the accounts and tells all member systems what the rules are. Workgroups are like P2P networks, whereas domains follow the standard client/server model.

Q (21) What can you tell us about the Lightweight Directory Access Protocol?

Ans :- LDAP (Lightweight Directory Access Protocol) is the protocol used to name objects in AD (Active Directory) and to make them accessible to management and query applications. It is most commonly used to provide a central place to store user names and credentials. By default LDAP traffic is not encrypted; LDAPS (port 636) or LDAP signing should be required so that credentials and directory data do not cross the network in clear text.

Q (22) What do you know about the PPP protocol?

Ans :- PPP stands for Point-to-Point Protocol. It is a data-link layer protocol that provides communication between two directly connected nodes, for example two routers. Two derivatives of PPP are (1) PPP over Ethernet (PPPoE) and (2) PPP over ATM (PPPoA). PPP also negotiates link authentication (PAP or CHAP) and the network-layer parameters over the same link.

Q (23) What is IP spoofing and what can we do to prevent it?

Ans :- It is a technique used by attackers to gain unauthorized access to a system or to hide the source of an attack. The intruder sends packets to the target with a forged source IP address so that they appear to come from a trusted host. It can be limited by performing packet filtering on routers and firewalls (ingress and egress filtering): packets arriving on the external interface with a source address belonging to the internal network are dropped, and packets leaving the network with a source address that does not belong to it are dropped as well. Because a source address can never be trusted on its own, access control should rely on authentication rather than on IP addresses.

Q (24) What is garbage collection?

Ans :- Garbage collection is the automatic reclamation of memory that is occupied but no longer in use. One of its major advantages is that it frees the programmer from dealing with memory deallocation. Higher-level programming languages rely on garbage collection more often. Resources other than memory are not handled by garbage collection. (In Active Directory the term also refers to the process that permanently removes expired tombstones from the database.)

Q (25) Tell something about frame relay?

Ans :- In the OSI model it operates at the physical and data link layers and is a high-speed data communication technology for WAN links. It uses frames for the transmission of data in the network.

Q (26) What is DNS?

Ans :- DNS stands for Domain Name System. IP addresses can change, so DNS maps human-friendly names to IP addresses; humans remember the names much more easily, and the names are less likely to change. For example, if you look in a standard phone book and search for a person's name you get his or her phone number; DNS performs the same function as a phone book, but with updates on an hourly or daily basis. Because of the tiered (hierarchical) nature of DNS, with caching at each level, repeated queries can be answered quickly. Active Directory depends on DNS: clients locate domain controllers through the SRV records the DCs register.

Q (27) Can you tell the difference between the Domain Admins group and the Enterprise Admins group in AD (Active Directory)?

Ans:-
Domain Admins group :- the members of the Domain Admins group have complete control of their own domain.
Enterprise Admins group :- the members of the Enterprise Admins group (which exists only in the forest root domain) have complete control of all the domains in the forest.
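An added example, not part of the original page, that turns the distinction above into an audit: list who is effectively in Domain Admins, the built-in Administrators group, Enterprise Admins and Schema Admins, expanding nested groups. It assumes the ActiveDirectory module and read access to a global catalog; the group names are the built-in ones.

```powershell
# Added example (not from the original page): audit the effective membership of
# the most privileged AD groups, nested groups expanded. Assumes the
# ActiveDirectory module and read access to a global catalog.
Import-Module ActiveDirectory

function Get-PrivilegedMembers {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forestRoot = (Get-ADForest).RootDomain
    $gc = "${forestRoot}:3268"
    # Enterprise Admins and Schema Admins exist only in the forest root domain;
    # Domain Admins and the built-in Administrators group exist in every domain.
    $targets = @(
        @{ Domain = $Domain;     Group = 'Domain Admins' },
        @{ Domain = $Domain;     Group = 'Administrators' },
        @{ Domain = $forestRoot; Group = 'Enterprise Admins' },
        @{ Domain = $forestRoot; Group = 'Schema Admins' }
    )
    foreach ($t in $targets) {
        Get-ADGroupMember -Identity $t.Group -Server $t.Domain -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                # Read through the GC so that members from other domains resolve too.
                $u = Get-ADUser -Identity $_.DistinguishedName -Server $gc -Properties PasswordLastSet, LastLogonDate
                [pscustomobject]@{
                    Group           = "$($t.Domain)\$($t.Group)"
                    User            = $u.SamAccountName
                    Enabled         = $u.Enabled
                    PasswordLastSet = $u.PasswordLastSet
                    LastLogon       = $u.LastLogonDate
                }
            }
    }
}

# Disabled accounts, stale passwords and users who never log on are the first
# candidates for removal from these groups.
Get-PrivilegedMembers | Sort-Object Group, User | Format-Table -AutoSize
```

Administrators is a domain-local group that contains Domain Admins and Enterprise Admins by default, so the same user usually appears under several groups; that is expected, and the point is to see every path by which an account reaches those rights.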

Q (28) What is an authoritative restore of Active Directory?

Ans :- An authoritative restore is used when deleted objects have to be brought back and must win over the copies held by the other domain controllers. To perform it we first perform a non-authoritative restore of the system state in Directory Services Restore Mode, and then mark the objects or subtree to be restored as authoritative with ntdsutil. The authoritative restore increments the version number of the restored objects' attributes, so that when replication resumes the restored copies overwrite the deletion on the replication partners. With a plain non-authoritative restore, on the other hand, the domain controller contacts its replication partners after it is back online to determine the changes since the backup, and the restored objects are simply deleted again.
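The ntdsutil step of the procedure above, as an added example that is not part of the original page: after the system state has been restored in DSRM, mark one OU authoritative, collect the link files ntdsutil produces, and after the reboot confirm that the version numbers were raised. The OU and user DNs are placeholders; it assumes an elevated session on the restored DC and, for the last step, the ActiveDirectory module.

```powershell
# Added example (not from the original page): mark a subtree authoritative after
# a non-authoritative system state restore. Run elevated while the DC is still
# in Directory Services Restore Mode (DSRM), before rebooting into normal mode.
# The OU DN and user DN are placeholders.
$ouDN   = 'OU=Sales,DC=contoso,DC=com'
$userDN = "CN=Jane Doe,$ouDN"

# Each argument is one ntdsutil menu command. 'restore subtree' marks the OU and
# everything below it authoritative; use 'restore object <DN>' for a single object.
ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $ouDN" quit quit
if ($LASTEXITCODE -ne 0) { throw "ntdsutil returned exit code $LASTEXITCODE" }

# ntdsutil writes ar_*_links_<domain>.ldf files into the current directory for
# group memberships (back-links) held in other domains. Import each one on a DC
# of that domain with:  ldifde -i -k -f <file>
Get-ChildItem -Filter 'ar_*.ldf' | Select-Object Name, Length

# After the reboot into normal mode (requires the ActiveDirectory module): the
# restored attributes carry a version raised by 100000 per day since the backup
# (default), which is what makes replication partners accept the restored copy.
Import-Module ActiveDirectory
Get-ADReplicationAttributeMetadata -Object $userDN -Server $env:COMPUTERNAME -Properties description, memberOf |
    Select-Object AttributeName, Version, LastOriginatingChangeTime
```

Restore only what was actually lost: marking the whole domain authoritative rolls every object back to the backup's state and overwrites legitimate changes made since.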

Q (29) If you are a system administrator what will be your daily routine?

Ans :- Here your answer should reflect that you are well aware of the responsibilities of a system administrator and of the tasks that a system administrator has to perform.

For example: tasks such as software installation and updates, providing system access control, creating backups, data recovery, etc.

Q (30) Can you tell about the advantages of RAID?

Ans :- For this type of question we can give the definition of RAID and then explain the benefits of using RAID (redundancy against disk failure and, depending on the level, higher throughput).

Q (31) What do you know about the object server?

Ans :- Here the client/server application is written as a set of communicating objects. Using an ORB (Object Request Broker) the client objects communicate with the server objects. The server object provides support for concurrency and sharing.

Q (32) What is the working of traceroute and what protocol does it use?

Ans :- tracert (Windows) or traceroute (Unix) lets you see exactly which routers you pass through along the chain of connections to the final destination. It works by sending probes with an increasing IP TTL, starting at 1: each router that decrements the TTL to zero discards the probe and returns an ICMP Time Exceeded message, which reveals that hop's address. If you can't ping your final destination, a tracert can tell you exactly where the chain of connections stopped, so that you can contact the right people, be it your own firewall team, your ISP, your destination's ISP or anyone in the middle. Windows tracert uses ICMP Echo Request probes; Unix traceroute uses UDP probes by default and can also use ICMP or TCP SYN probes, which is useful when a firewall on the path drops ICMP or UDP.

Q (33) What do you know about NetBIOS and NetBEUI?

Ans :- NetBIOS :- it stands for Network Basic Input/Output System. It is a session-layer (layer 5) API and protocol that is non-routable. It allows applications to communicate with one another over a LAN (local area network). NetBIOS normally runs over TCP/IP (NetBT), which results in a host having both an IP address and a NetBIOS name corresponding to its host name.

There are three distinct services provided by NetBIOS :-
 Name service :- name registration and resolution (UDP port 137)
 Datagram distribution service :- used for connectionless communication (UDP port 138)
 Session service :- used for connection-oriented communication (TCP port 139)

NetBEUI :- NetBEUI (NetBIOS Extended User Interface) is an extended version of NetBIOS. It is a networking protocol developed by IBM in 1985 and later adopted by Microsoft. It was the primary protocol for LAN Manager and Windows for Workgroups. It supports both connection-based and connectionless communication and implements flow control and error detection, and it is fast and efficient on small networks. The enhanced implementation of the protocol available on Microsoft Windows NT is called NetBEUI Frame (NBF). It should be used only on small networks, as it relies heavily on broadcast packets rather than on TCP/IP addressing, and since it is a non-routable protocol it is unsuitable for WANs (wide area networks).

Q (34) Can you tell us about RSVP and how it works?

Ans :- RSVP stands for Resource Reservation Protocol. As the name suggests, it is used to reserve resources across a network. In RSVP the reservation request of the host is carried through the network and visits each node on the path. Each node has two local modules for the reservation of resources: the admission control module and the policy control module. The admission control module checks whether sufficient resources are available, whereas the policy control module checks whether the requester has permission to make the reservation. After these two checks have been performed, RSVP programs the packet classifier and the packet scheduler to deliver the requested QoS.

Q(35) Describe the concept of DHCP?

Ans :- DHCP stands for Dynamic Host Configuration Protocol. This protocol is used to assign IP addresses (and other settings such as the subnet mask, default gateway and DNS servers) to computers automatically. When a computer connects to a network it obtains an address lease from the DHCP server, so it may receive a different IP address each time it connects, and in some cases the address can also change while the computer is on the network, when the lease expires. The clear-cut advantage of DHCP is that the software manages the IP address space instead of an administrator doing it by hand. In an Active Directory domain a Windows DHCP server must be authorized in AD before it serves leases, which guards against rogue DHCP servers.

Q(36) Can you tell us the main email servers and which are their ports?

Ans :- There are two types of email server :- the incoming mail server and the outgoing mail server.

1. The incoming mail server :- this server is associated with the email account; to download the emails you need the correct server settings in your email client program. It speaks POP3 or IMAP, and an account is normally configured with only one incoming server.
2. The outgoing mail server :- the protocol used to send emails is SMTP, the Simple Mail Transfer Protocol. The main email ports are:
(POP3 – port 110, IMAP – port 143, SMTP – port 25 for server-to-server relay and port 587 for mail submission, HTTP – port 80 for webmail, SMTP over TLS – port 465, IMAP over TLS – port 993, POP3 over TLS – port 995)
The plain ports (110, 143, 25) carry credentials and mail content in clear text, so the TLS variants should be used.

Q (37) Can you differentiate between a hub and a switch?

Ans :- A hub and a switch look roughly the same: both have a number of ports and are used for the same basic purpose, to connect devices into a network. The difference is the way they handle the connections. A hub repeats all the data to every port, which causes serious security and reliability concerns: any host can capture traffic meant for others, and collisions occur on the network. A switch, on the flip side, learns which MAC address is behind each port and forwards each frame only to the port of its destination. A hub is like a room where everyone is talking at the same time, which is inconvenient and leaks information to people who should not have access to it; a switch creates connections between the ports as they are needed.

Q(38) What do you know about HTTPS and what port does it use?

Ans :- HTTPS is HTTP over TLS (formerly SSL). The server's certificate lets the client confirm that the server it is connecting to is the one it claims to be, and the TLS session encrypts the traffic. HTTPS traffic goes over TCP port 443.

Q(40) What can you tell us about TCP?

Ans :- TCP is not the same as TCP/IP: it is one member of the Internet protocol suite. TCP stands for Transmission Control Protocol and is a massively used protocol (for example by HTTP, FTP and SSH). One of the benefits of TCP is that it establishes a connection between both ends (the three-way handshake) before any data starts to flow. It also sequences the data: if packets arrive out of order, the receiving system uses the sequence numbers to reassemble the stream, and lost segments are retransmitted.

Q(41) What do you know about UDP?

Ans :- UDP can be called the twin of TCP. UDP stands for User Datagram Protocol. UDP doesn't care whether somebody is listening on the other end or not and is therefore called a connectionless protocol, whereas TCP makes both sides stay in sync. Transmission over UDP is faster than over TCP. To distinguish between the two: TCP always needs a confirmation from the other side that the message was received, while UDP is like a television broadcast in which the transmitter neither knows nor cares about the receiver on the other end. Because there is no handshake, the source address of a UDP datagram is easy to forge, which is why UDP services are the usual vehicle for spoofed and reflected traffic.

Q(42) What can you tell us about port forwarding?

Ans :- When traffic from outside must reach a service inside a protected network, a port forwarding table in the router or other connection management device causes traffic arriving on a specific external port to be automatically forwarded to a particular internal destination (host and port). Only the forwarded port is exposed; the rest of the network is still not reachable directly from outside. Every forwarded port is an exposed service, so forwarding should be limited to what is strictly needed.

Q(43) Can you differentiate between PowerShell and the command prompt?

Ans :- PowerShell :-
 It was introduced in 2006. It is opened by running powershell (or pwsh for PowerShell 7).
 It can run both batch-style commands and PowerShell cmdlets.
 It lets the user create aliases for cmdlets or scripts.
 Its output consists of objects, which can be passed from one cmdlet to another through the pipeline.
 It can execute a sequence of cmdlets put together in a script.
 It is built on the .NET Framework, so it has access to the .NET libraries and can run all types of programs.
 PowerShell Core (6 and later) also runs on Linux and macOS; it can connect to Microsoft cloud products and integrates directly with WMI.
 It has a built-in help system (Get-Help) and a script editor (the ISE).

On the flip side,

COMMAND PROMPT :-
 Its lineage goes back to 1981 (COMMAND.COM of MS-DOS). It is opened from Run by typing cmd.
 It operates only on batch commands, not on PowerShell cmdlets.
 There is no support for creating aliases of commands.
 Its output is plain text; output from one command can only be passed to another as text, not as objects.
 A command must finish before the next one is run.
 Its help (help, <command> /?) is far less rich than PowerShell's Get-Help.
 There is no separate ISE, only a command line interface, and it can only run console programs.
 It doesn't run on Linux and cannot connect to Microsoft online products; WMI interaction needs an external tool (wmic).
 It has no access to the .NET libraries.

Q (44) Can you tell what the difference is between RDP and a KVM?

Ans :- RDP stands for Remote Desktop Protocol. As the name itself suggests, it is one of the primary methods by which we access a Windows system remotely for troubleshooting; it is a software-driven method that relies on the network (TCP port 3389). A KVM, on the other hand, stands for keyboard, video and mouse: it allows fast switching between different systems while using the same keyboard, monitor and mouse. It is a hardware-driven method in which a junction box is placed between the user and the systems. A KVM does not require any active network connection, so it is very useful for managing systems on multiple networks from one seat without any cross-talk between those networks.

Q (45) What do you know about FTP and SSH? What protocol do they use?

Ans :- FTP – FTP stands for File Transfer Protocol. It is primarily designed for transferring large files and can resume a download if it is interrupted. There are two different ways to access an FTP server: anonymous access and the standard login. The only difference between them is that anonymous access doesn't require a user account, whereas the standard login does. FTP uses TCP ports 21 (control) and 20 (data, in active mode). FTP sends user names, passwords and file contents in clear text, so SFTP (over SSH) or FTPS should be preferred.

SSH :- SSH stands for Secure Shell and is very well known to Linux users. The secure shell is used to create an encrypted tunnel between devices (for example systems, switches, thermostats, etc.). It also has the ability to tunnel other programs through it, so programs with unsecured connections can be used in a secure way if configured correctly. SSH uses TCP port 22.

Q(46):- What are ARP and EFS?

ANS :- ARP :- it stands for Address Resolution Protocol. Standard DNS maps human-friendly names to IP addresses, while ARP maps IP addresses to MAC addresses on the local network segment. Together they take the system from a regular domain name to an actual piece of hardware. ARP has no authentication, so a host on the same segment can answer with a false MAC address (ARP spoofing) and intercept traffic.

EFS :- it stands for Encrypting File System. Encrypted files are tied to a specific user's certificate and private key, so it is difficult to decrypt a file without that user's assistance. If the user's password is reset by an administrator, or the user's profile and key are lost, it becomes almost impossible to decrypt the files, as the decryption key is protected by the user's logon credentials, unless a data recovery agent was configured beforehand. EFS only works on NTFS-formatted partitions. For encrypting a whole drive the better alternative is BitLocker.

Q(47) What is an IDS?

Ans :- IDS stands for intrusion detection system, which has two basic variations :-

1. Host intrusion detection system (HIDS) :- it runs as a background utility on the host, like an antivirus, and watches logs, files and processes.
2. Network intrusion detection system (NIDS) :- it sniffs packets as they cross the network, looking for things that are out of the ordinary.

Q(48) What is Telnet?

Ans:- It is an application protocol that allows a connection to any port, and its client is a very small and versatile utility. It allows an admin to connect to remote devices and transfers data as plain text. On a remote host, Telnet provides access to a command-line interface. Because of security concerns when using Telnet over an open network such as the internet, its use has declined significantly in favour of SSH. It has a negotiable protocol architecture, because of which many extensions were adopted. Most implementations of Telnet have no authentication that ensures the communication is carried out between the two desired hosts, and it does not encrypt any data sent over the connection, so passwords cross the network in clear text. It generally establishes a connection to TCP (Transmission Control Protocol) port 23, where the Telnet server application is listening.

1. What is Active Directory?

Active Directory is a key technology for IT professionals who maintain or manage computer networks. You can use your response to show the hiring manager your practical knowledge of this technology.

Example: “Active Directory is a technology that was developed by Microsoft to provide a directory service for the various components of a network of computers and servers with Microsoft Windows operating systems. It stores information on
computers, printers, users, shared folders and network information, manages this
data and supports the process of providing network users and administrators access
to network resources.

I can use Active Directory to manage my network in the Windows domain via a
centralized system of administration. Its authentication process for logging in and
access control for resources enable me to manage my network safely.”

2. How would you react to a coworker’s criticism about your use of Active
Directory?

As a professional in network administration or network security, you will be expected to manage conflicts professionally. Your response should show the hiring manager that you can function effectively on a team and handle interpersonal conflicts. You can describe the behavioral process that you would use to manage this conflict.

Example: “When engaged in a conflict regarding my Active Directory usage, I would use my active listening skills to understand my coworker’s concerns and to show my coworker that I respect their opinion. After understanding the concerns, I would brief my team leader about the conflict and ask for advice.

My next step would be learning if my coworker’s concerns about my Active Directory usage have a reasonable basis. I would review my education and work experience on Active Directory, ask my network of professional contacts and research Microsoft’s Active Directory support system. Once I have all the information that I need on the basis for the pushback, I would evaluate my workload, my relationship with my coworker and my supervisor’s advice before making a decision that meets my professional obligations.

Once I have made my decision, I would request a meeting with my colleague to explain and discuss my decision. I would handle the meeting with professionalism, explain the findings of my research and use the discussion to improve my relationship with my coworker.”

3. What are the key changes in the 2012 version of Active Directory?

The Windows Server 2012 version of Active Directory introduced several
improvements to the technology, which an ideal job candidate should be able to use
effectively. Your answer should indicate that you know how this technology has
developed. You can identify the major changes in the 2012 version and specify how
these changes impact your usage.

Example: “The 2012 version of Active Directory introduced major changes in
architecture and usage. Enabling the recycle bin function is easier in the new
version, as there are many methods to use this function through the Active Directory
Administrative Center.

The change in the fine-grain password format is another key change that allows me
to set multiple policies for password creation in a single domain, which was not
possible in the earlier version. This makes it easier to implement fine-grain password
policies and could make securing the network easier.

The improved domain controller promotion wizard is another change that
simplifies the installation process, as I can now see all the steps and get detailed
results. The new ability to use the Windows PowerShell history viewer to see the
PowerShell commands lets me keep track of my actions in the Active Directory
Administrative Center.

The enhanced design of the Active Directory Administrative Center is another useful
change in the new version. I find the improved design in components such as the
exchange management console more user-friendly when compared to the previous
version.”

4. Describe tree, forest, domain, schema and Active Directory domain
controller.

An ideal candidate should understand the architecture of Active Directory to use it
effectively. Your response should demonstrate that you know how and when to use
these major architectural elements. Provide a technical definition for each item.

Example: “A tree is a group of domains that is organized in a hierarchy and shares
a connected namespace. The domains within a tree can talk to each other using
different levels of trust. A forest is comprised of a group of trees. The trees in a
forest share several important features, such as directory configuration, a directory
schema, a logical structure and a global catalog.
Within a forest, objects can communicate with each other. Forest-level trust is
needed for objects in two separate forests to communicate with each other. Tree
and forest are objects in Active Directory, and within them, there can be many other
objects.

In Active Directory, schema is the component that defines all the object classes that
can be created in a forest. It contains the rules for the objects that can be stored in
Active Directory’s database, the attributes that can be given to objects and can be
used as a reference for the objects and attributes used by the technology to store
information. In other words, schema is a blueprint for the type and format of
information that can be stored in the database.

The Active Directory domain controller runs the Active Directory database, and it is a
server. It uses the information in the database to authenticate and authorize users.
Database changes are replicated across the network via Active Directory’s data
replication service, so all domain controllers in a domain play a role in data
replication and have a complete copy of the Active Directory information for their
domain.”

5. Describe LDAP and Kerberos.

The Lightweight Directory Access Protocol (LDAP) and Kerberos are two major
protocols that support Active Directory services. Your answer should demonstrate
that you have the technical knowledge needed to use these protocols well. You can
provide a technical definition for each protocol. 

Example: “The Lightweight Directory Access Protocol or LDAP is a protocol that is
used to update and query Active Directory. Essentially, it is the method I use to talk
to Active Directory, since Active Directory supports LDAP. The LDAP application
protocol can be used for other technologies that provide similar directory services,
such as Apache Directory Server. To access objects in Active Directory, LDAP uses
two naming paths, which are Distinguished names and Relative Distinguished names.

Kerberos is a key component in Active Directory, as it is the default protocol used for
the authentication of all network users. To implement Kerberos by default in a
domain or a forest, you need Active Directory Domain Services installed.

It boosts the security of the authentication process with cryptography that uses
secret keys. Kerberos V5 uses session tickets that can be renewed and encrypted
data. It represents an improvement over the challenge/response or NTLM process of
authentication, which preceded Kerberos, for unlike NTLM, Kerberos does not
assume that all servers are genuine.”

6. What is a PDC Emulator, and how can you find out if it is working?

A Primary Domain Controller (PDC) Emulator is a key component in Active Directory.
Your answer should indicate that you know how to use this element. You can define
the PDC Emulator, list its main features and describe the process that you would use
to find out if it is working.

Example: “A Primary Domain Controller Emulator or a PDC Emulator is one of the
domain controllers of a domain. It handles unique functions. For example, any failed
attempt at authorization is sent to the PDC Emulator, which has access to the latest
passwords and can grant users access even before a password change is replicated
across the domain. This component also maintains the correct time in a domain.

To find out if a PDC Emulator is working, I would check if time is synced across the
domain, if user accounts are being locked properly, if updates are being obtained for
the Backup Domain Controllers (BDCs) of the Windows network. I would also check
if computers with older, pre-2000 Windows can change their passwords as all these
functions require a working PDC Emulator. If these functions are not being provided,
the PDC Emulator is unlikely to be working.”

7. Describe Authoritative restore and Non-Authoritative restore. How can they
be used?

Accidental data loss is a typical issue that IT professionals face, so an ideal
candidate needs to know how to recover lost data in Active Directory. Your answer
should define the two restore methods and describe how they should be used. You
can mention the situations in which each type can be used.

Example: “There are two types of data restore in Active Directory, Authoritative
restore and Non-Authoritative restore. The main difference between them is that
Authoritative restore can increase the version number of an object’s attributes in the
database, which makes that version the authoritative version in the entire directory.
Non-Authoritative restore is the default restore method in the framework, and it uses
the Active Directory backup to restore a domain controller to its state at the time of
the backup.

This method is suitable when using an Active Directory setting with a single domain
controller where the backup was taken before the data was deleted, but this restore
method is not suitable to update a domain controller in a domain with multiple
domain controllers. In this scenario, after the restoration process is over, the domain
controller that was restored will be updated to match its replication partners and the
restored data will be erased.

1) Explain what is Active Directory?

Active Directory, just as the name suggests, is a directory service. This directory
service acts as a shared platform of information for organizing, managing, locating
and administering the daily items and the network resources. It was developed by
Microsoft solely for supporting the Windows operating systems. Active Directory
is found in the processes and services section of Windows Server. A number of
identity-related and directory-based services now come under the single roof of
Active Directory.

2) What is KCC?

KCC is an acronym for Knowledge Consistency Checker. In Active Directory, the KCC
component is responsible for generating the replication topology between domain
controllers.

3) What is SYSVOL Folder?

Sysvol folder/directory refers to a location on the Windows Operating System (OS)
where it stores the server's copy of public data and files for the domain. Sysvol is
also known as SYSFOL.

4) Explain the difference between Enterprise and Domain Admin groups in
Active Directory?

Difference between Enterprise and Domain Admin groups in Active Directory

Enterprise Admin: In Enterprise Admin groups, members have full rights over all of
the domains in the forest. This group is also a member of the Administrators group
but on all domain controllers in the forest. You need to add users with caution as
they get access to the forest completely. They can force shutdown from a remote
system, profile system performance, take ownership of files and much more.

Domain Admin groups: In Domain Admin groups, members have complete control
of the domain. On all domain controllers, domain workstations, domain member
servers, they are members of the Administrators group. An administrator account is
also a member of this group. One can adjust the memory quotas for a process,
manage security log, restore files and directories and can do much more.

5) What are application partitions? When do I use them?

Their purpose is actually to enable the administrators to create new areas in the
Active Directory so that data can be stored on DCs that they choose instead of
allowing it on every DC in a domain. It is used when the user needs to determine
which objects must exist within the Active Directory and what are the kinds of
attributes that each can have.


6) What are sites? What are they used for?

Sites are used to deliver data through the online resources on the World Wide Web
all over the world in an address allotted to the processed data and their presentation
open to the users for access. They have User Generated Content and also User
profiles to enhance communication on various extents.

7) What is Forest? How to check tombstone lifetime value in your Forest?

It is a set of one or more of the domain trees and they do not form a contiguous
namespace. The trees in the forest share a common schema, configuration, and the
global catalog. They also exchange trust. The value of the tombstone lifetime
attribute which is present in the Directory Service object in the configuration directory
partition defines the tombstone lifetime value. The default value depends on the
server’s operating system of the first DC in the forest.

8) Please Explain Active Directory Schema?

It contains the formal definitions of all the object classes that can be
created in the Active Directory forest. The details of every attribute that can possibly
exist in the Active Directory forest are also included in it. It describes the rules for the
types of objects that can be included in Active Directory.

9) Explain domain controller in AD?

A domain controller is actually the main or the centerpiece of the Windows Active
Directory.

10) List the ports used by Active Directory?

Below is the list of ports that are used by Active Directory

 RPC endpoint mapper: port 135 TCP, UDP
 NetBIOS name service: port 137 TCP, UDP
 NetBIOS datagram service: port 138 UDP
 NetBIOS session service: port 139 TCP
 SMB over IP (Microsoft-DS): port 445 TCP, UDP
 LDAP: port 389 TCP, UDP
 LDAP over SSL: port 636 TCP
 Global catalog LDAP: port 3268 TCP
 Global catalog LDAP over SSL: port 3269 TCP
 Kerberos: port 88 TCP, UDP
 DNS: port 53 TCP, UDP
 WINS resolution: port 1512 TCP, UDP
 WINS replication: port 42 TCP, UDP
 RPC: dynamically assigned TCP ports, unless restricted

11) Where Active Directory database held and how would you create a backup
of the database?

The Active Directory database is stored under the Windows system directory (for
example C:\Windows); the default location is %SystemRoot%\NTDS. You can create a
backup of the database using Windows Server Backup, Wbadmin.exe or PowerShell.

12) What is Domain Tree?

It is made up of multiple domains that share a common schema and the
configuration. They also form a contiguous namespace too. With the help of trust
relationships, domains are also linked together in a tree. Active Directory is actually a
set of one or more trees.

13) What is RODC ?

RODC is short for read-only domain controller. An RODC is a domain controller that
hosts partitions of Active Directory Domain Services, but only read-only copies of
those partitions. RODCs are available in Windows Server 2008 and later versions.
They have mainly been designed to be used in branch offices that are not able to
support their own domain controllers.

14) What is Subnet?

The subnet, popularly known as a subnetwork, can be understood as one of the logical
subdivisions of an IP network. Subnetting is the name given to the procedure in
which one single network is divided into two or more subnetworks. A system
that is connected to a subnet is recognized or referred to by an identical and most
significant bit-group, which lies in the IP address of the respective system.

15) How to configure Universal Group Membership Caching in AD?

Steps to configure Universal Group Membership Caching in AD

 Open Active Directory Sites and Services.
 Select the site you wish to enable.
 Right-click the NTDS Site Settings object and click Properties.
 In the window that pops up, on the Site Settings tab, enable the Universal
Group Membership Caching option.
 In the Refresh cache from field, choose the site from which to refresh the cache;
the cache is refreshed every 8 hours.
 Click Apply, then OK, and it is done.

16) What Export-VM command do?

Export-VM command exports a virtual machine to disk. It creates a folder at a
specified location and creates three sub-folders – Snapshots, Virtual Hard
Disks, and Virtual Machines.

17) Explain namespace?

A Namespace is basically a set of signs that are used to identify and refer to objects
of various kinds and ensures that all of a given set of objects have unique names so
that they can be easily identified. They are also used to organize code into logical
groups and to prevent name collisions.

18) What are Schemas?

It refers to the organization of the available data: a blueprint of how the database
is constructed, for example how it is divided into tables in a relational database.

19) What are Flat Namespaces?

Flat Namespaces can be used to find which are those libraries and executables
other than predefined libraries and executables offer all symbols like functions and
external variables. The libraries when loaded might depend on a symbol and that is
why it can look in the Flat Namespace. After all the symbols are found, the library
adds its own symbols in its list. The amount of possible collisions is one of the
biggest advantages of this. The duty of dealing with the collision is given to the
Operating System.

20) What are Hierarchical Namespaces?

A hierarchical namespace is a naming scheme that allows the subdelegation of
namespaces to third parties.

Hierarchical namespaces can scale to extremely large networks. When you add more
objects to the overall namespace, finding unique names for them is done
within the sub-namespace to which they belong. Note that all
DNS namespaces are hierarchical.

21) List different types of containers in AD?

Computers, Users, ForeignSecurityPrincipals, Site, Domain and Organizational Unit
are different types of containers in Active Directory.

22) List the components of an Active Directory structure?

Major Components of Active Directory are

 Domain
 Tree
 Forest
 Organizational Unit
 Site

23) What is Multiple-Master Replication?

Multi-master replication in Active Directory is a method to perform database
replication and allow data to be stored by different user groups. It allows any
member of the group to update the data.
All the members are specifically responsive to the client data queries. It allows the
creation of multiple master servers which can be masters of multiple slaves.

24) What is Primary Domain Controller (PDC Emulator)?

In Windows NT network Primary Domain Controller (PDC) is a server that is used for
maintaining a read-write directory of user security and account Information.

25) What does the gpupdate /force command do?

The gpupdate /force command refreshes or updates your Group Policy settings
manually. Although Windows refreshes Group Policy automatically in the background,
sometimes you need to force an update of the policies. In that situation, you can use

> gpupdate /force

Even if there are no changes in the computer's group policies, this command forces
Windows to reapply all Group Policy settings. It forces not only the background
refresh but also the foreground refresh of the group policies.

If you only want to refresh your policies, use

> gpupdate

26) What are Subnets?

It is a logical partition of an IP network into many different smaller size network
segments. It is used to subdivide the large networks into smaller ones which will be
more efficient sub-networks. The complete internet is composed of the many
networks which are hosted and also run by many different organizations.

27) What is One Directional Trust and Bi-Directional Trust?

A unidirectional trust consists of a one-way outgoing trust that allows users in the
remote domain to access resources in the local domain. Whereas Bi-Directional
Trust is a two-way trust that can be thought of as a combination of two
opposite-facing one-way trusts, so that the trusting and trusted domains both trust
each other.

28) Explain Generic Containers?

Generic Containers are the containers where for each container class, there are
two Java-style iterator data types: one that provides read-only access and one that
provides write-only access.

29) How is data presented in active directory ?

Data is presented in the form of a hierarchy in Active Directory. Active Directory
uses a structured data store as the basis for a logical, hierarchical organization of
directory information.

30) How is data actually stored in active directory?

Data is stored in a hierarchical fashion in Active Directory. Active Directory
uses a structured data store as the basis for a logical, hierarchical organization of
directory information.

31) List all Common Rdn prefixes methods?

The RDN prefix is used to construct the RDN for a new object that is inserted into the
store. The different methods that it includes are:

 Equals(Object)
 GetHashCode()
 GetType()
 IsDefaultAttribute()
 Match(Object)
 MemberwiseClone()
 ToString()

32) What is difference between OUs and Groups?

OUs contain user objects therefore you can put a user in an OU to control who has
administrative authority over that user. Whereas groups have a list of user objects
therefore you can put a user in a group to control that user's access to resources.

33) Which file can you view to identify SRV records associated with a domain
controller?

dns is located in the %systemroot%\System32\Config folder, therefore you can use a
text editor, such as Notepad, to view and identify SRV records associated with a
domain controller.

34) What Is the full form of Web I and DSS?

Web I: Web Intelligence

DSS: Decision Support System


35) What is kdc in active directory?

The Kerberos Key Distribution Center (KDC) is a network service that supplies
session tickets and temporary session keys to users and computers within an Active
Directory domain. The KDC runs on each domain controller as part of Active
Directory Domain Services (AD DS). The Kerberos authentication client is
implemented as a security support provider (SSP) and can be accessed through the
Security Support Provider Interface (SSPI). Initial user authentication is integrated
with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center
(KDC) is integrated with other Windows Server security services running on the
domain controller. The KDC uses the domain’s Active Directory service database as
its account database. An Active Directory server is required for default Kerberos
implementations.

1. Question 1. Mention What Is Active Directory?
Answer :
An active directory is a directory structure used on Microsoft Windows based
servers and computers to store data and information about networks and
domains.
2. Question 2. What Is Domains In Active Directory?
Answer :
In Windows 2000, a domain defines both an administrative boundary and a
security boundary for a collection of objects that are relevant to a specific group of
users on a network. A domain is an administrative boundary because
administrative privileges do not extend to other domains. It is a security boundary
because each domain has a security policy that extends to all security accounts
within the domain. Active Directory stores information about objects in one or
more domains.
Domains can be organized into parent-child relationships to form a hierarchy. A
parent domain is the domain directly superior in the hierarchy to one or more
subordinate, or child, domains. A child domain also can be the parent of one or
more child domains.
3. Question 3. Mention Which Is The Default Protocol Used In Directory
Services?
Answer :
The default protocol used in directory services is LDAP ( Lightweight Directory
Access Protocol).
4. Question 4. What Is Mixed Mode?
Answer :
Allows domain controllers running both Windows 2000 and earlier versions of
Windows NT to co-exist in the domain. In mixed mode, the domain features from
previous versions of Windows NT Server are still enabled, while some Windows
2000 features are disabled. Windows 2000 Server domains are installed in mixed
mode by default. In mixed mode the domain may have Windows NT 4.0 backup
domain controllers present. Nested groups are not supported in mixed mode.

5. Question 5. Explain The Term Forest In Ad?
Answer :
Forest is used to define an assembly of AD domains that share a single schema
for the AD. All DCs in the forest share this schema, which is replicated in a
hierarchical fashion among them.

6. Question 6. What Is Native Mode?
Answer :
When all the domain controllers in a given domain are running Windows 2000
Server. This mode allows organizations to take advantage of new Active Directory
features such as Universal groups, nested group membership, and inter-domain
group membership.
7. Question 7. Explain What Is Sysvol?
Answer :
The SysVOL folder keeps the server’s copy of the domain’s public files. The
contents such as users, group policy, etc. of the sysvol folders are replicated to all
domain controllers in the domain.

8. Question 8. What Is Ldap?
Answer :
LDAP is the directory service protocol that is used to query and update AD. LDAP
naming paths are used to access AD objects and include the following:
o Distinguished names
o Relative Distinguished names
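The two LDAP naming paths named here and in the earlier LDAP answer (Distinguished names and Relative Distinguished names) can be taken apart and rebuilt with the following parser, an added example written for this page rather than code from the article or from Active Directory; the sample names and values are constructed. It also shows why values are escaped per RFC 4514: a name taken from untrusted input stays inside its own RDN instead of adding a container to the path.

```python
import re

SPECIAL = set(',+"\\<>;')   # characters RFC 4514 requires to be escaped inside a value

def escape_value(value):
    """Escape one attribute value so it can be embedded in a DN without changing its structure."""
    out = []
    for i, ch in enumerate(value):
        if ch in SPECIAL or (ch == " " and i in (0, len(value) - 1)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:                 # control characters as \XX hex pairs
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def _split_unescaped(s, sep):
    """Split on sep, skipping separators that are escaped by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair together
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

def _unescape(v):
    """Undo backslash escapes; \\XX hex pairs are UTF-8 bytes, so decode at the end."""
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += v[i + 1].encode()
                i += 2
        else:
            out += v[i].encode()
            i += 1
    return out.decode("utf-8")

def parse_dn(dn):
    """Return the DN as a list of RDNs (leaf first); each RDN is a list of (type, value) pairs."""
    if not dn.strip():
        return []
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):
            typ, eq, val = ava.partition("=")
            if not eq or not typ.strip():
                raise ValueError("malformed RDN component: %r" % ava)
            val = re.sub(r"^\s+|(?<!\\)\s+$", "", val)   # trim only unescaped whitespace
            pairs.append((typ.strip(), _unescape(val)))
        rdns.append(pairs)
    return rdns

def build_dn(rdns):
    """Inverse of parse_dn; escaping every value keeps untrusted text inside its own RDN."""
    return ",".join("+".join("%s=%s" % (t, escape_value(v)) for t, v in rdn) for rdn in rdns)

def rdn_of(dn):
    """The Relative Distinguished Name: the leftmost component, naming the object in its parent."""
    return build_dn(parse_dn(dn)[:1])

def parent_of(dn):
    """The container the object lives in: everything after the RDN."""
    return build_dn(parse_dn(dn)[1:])

if __name__ == "__main__":
    dn = r"CN=Smith\, John,OU=Sales,DC=corp,DC=example"   # constructed sample DN
    print(parse_dn(dn))
    print(rdn_of(dn), "|", parent_of(dn))
    # A value taken from user input stays inside one RDN once escaped:
    print(build_dn([[("CN", "x,OU=Admins")], [("DC", "corp")]]))
```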
9. Question 9. Mention What Is Kerberos?
Answer :
Kerberos is an authentication protocol for networks. It is built to offer strong
authentication for server/client applications by using secret-key cryptography.

10. Question 10. Minimum Requirement For Installing Ad?
Answer :
o Windows Server, Advanced Server, Datacenter Server
o Minimum Disk space of 200MB for AD and 50MB for log files
o NTFS partition
o TCP/IP Installed and Configured to use DNS
o Administrative privilege for creating a domain in existing network
11. Question 11. Mention What Are Lingering Objects?
Answer :
Lingering objects can exist if a domain controller does not replicate for an interval
of time that is longer than the tombstone lifetime (TSL).

12. Question 12. What Is Domain Controller?
Answer :
In an Active Directory forest, the domain controller is a server that contains a
writable copy of the Active Directory database, participates in Active Directory
replication and controls access to network resources.

13. Question 13. Mention What Is Tombstone Lifetime?
Answer :
Tombstone lifetime in Active Directory determines how long a deleted object is
retained in Active Directory. Deleted objects in Active Directory are stored in a
special object referred to as a TOMBSTONE. Usually, Windows will use a 60-day
tombstone lifetime if the time is not set in the forest configuration.
14. Question 14. Why We Need Netlogon?
Answer :
Maintains a secure channel between this computer and the domain controller for
authenticating users and services. If this service is stopped, the computer may not
authenticate users and services, and the domain controller cannot register DNS
records.
15. Question 15. Explain What Is Active Directory Schema?
Answer :
Schema is the Active Directory component that describes all the attributes and objects
that the directory service uses to store data.
16. Question 16. What Is Dns Scavenging?
Answer :
Scavenging will help you clean up old unused records in DNS.
17. Question 17. Explain What Is A Child Dc?
Answer :
CDC or child DC is a domain controller of a sub-domain under the root domain that
shares its namespace.
18. Question 18. What Is New In Windows Server 2008 Active Directory
Domain Services?
Answer :
AD Domain Services auditing, Fine-Grained Password Policies, Read-Only
Domain Controllers, Restartable Active Directory Domain Services

19. Question 19. Explain What Is Rid Master?
Answer :
RID master stands for Relative Identifier master; it is responsible for assigning unique
IDs to the objects created in AD.
20. Question 20. Explain What Are Rodcs? And What Are The Major
Benefits Of Using Rodcs?
Answer :
With Read-Only Domain Controllers, organizations can easily deploy a domain
controller in locations where physical security cannot be guaranteed.
21. Question 21. Mention What Are The Components Of Ad?
Answer :
Components of AD includes
Logical Structure: Trees, Forest, Domains and OU.
Physical Structures: Domain controller and Sites.
22. Question 22. What Is The Number Of Permitted Unsuccessful Log Ons
On Administrator Account?
Answer :
Unlimited. Remember, though, that it’s the Administrator account, not any account
that’s part of the Administrators group.
23. Question 23. Explain What Is Infrastructure Master?
Answer :
Infrastructure Master is accountable for updating information about the user and
group and global catalogue.
24. Question 24. What Hidden Shares Exist On Windows Server 2003
Installation?
Answer :
Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

25. Question 25. Can You Connect Active Directory To Other 3rd-party
Directory Services? Name A Few Options?
Answer :
Yes, you can connect Active Directory to other 3rd-party directory services, such
as the directories used by SAP, Domino etc., with the help of MIIS (Microsoft Identity
Integration Server).
26. Question 26. What Is The List Folder Contents Permission On The
Folder In Ntfs?
Answer :
Same as Read & Execute, but not inherited by files within a folder. However,
newly created subfolders will inherit this permission.
27. Question 27. How Do I Set Up Dns For Other Dcs In The Domain That
Are Running Dns?
Answer :
For each additional DC that is running DNS, the preferred DNS setting is the
parent DNS server (first DC in the domain), and the alternate DNS setting is the
actual IP address of network interface.

28. Question 28. Where Is Gpt Stored?
Answer :
%SystemRoot%\SYSVOL\sysvol\<domainname>\Policies\<GUID>
29. Question 29. Tell Me What Should I Do If The Dc Points To Itself For
Dns, But The Srv Records Still Do Not Appear In The Zone?
Answer :
Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install
Support Tools from the Windows 2000 Server CD-ROM to run Netdiag.exe.
30. Question 30. Abbreviate Gpt And Gpc?
Answer :
GPT : Group policy template.
GPC : Group policy container.
31. Question 31. Tell Me What If My Windows 2000 Or Windows Server
2003 Dns Server Is Behind A Proxy Server Or Firewall?
Answer :
If you are able to query the ISP's DNS servers from behind the proxy server or
firewall, Windows 2000 and Windows Server 2003 DNS server is able to query
the root hint servers. UDP and TCP Port 53 should be open on the proxy server or
firewall.
32. Question 32. Explain What Is The Difference Between Local, Global
And Universal Groups?
Answer :
Domain local groups assign access permissions to global domain groups for local
domain resources. Global groups provide access to resources in other trusted
domains. Universal groups grant access to resources in all trusted domains.
33. Question 33. Do You Know What Is The "." Zone In My Forward Lookup
Zone?
Answer :
This setting designates the Windows 2000 DNS server to be a root hint server
and is usually deleted. If you do not delete this setting, you may not be able to
perform external name resolution to the root hint servers on the Internet.

34. Question 34. Define Lsdou?
Answer :
It’s the group policy inheritance model, where the policies are applied to Local
machines, Sites, Domains and Organizational Units.
35. Question 35. Define Attribute Value?
Answer :
An object's attribute is set concurrently to one value at one master, and another
value at a second master.
36. Question 36. What Is Netdom?
Answer :
NETDOM is a command-line tool that allows management of Windows domains
and trust relationships.
37. Question 37. Do You Know How Kerberos V5 Works?
Answer :
The Kerberos V5 authentication mechanism issues tickets (a set of identification
data for a security principal, issued by a DC for purposes of user authentication;
the two forms of tickets in Windows 2000 are ticket-granting tickets (TGTs) and
service tickets) for accessing network services. These tickets contain encrypted
data, including an encrypted password, which confirms the user's identity to the
requested service.
38. Question 38. What Is Adsiedit?
Answer :
ADSI Edit is an LDAP editor for managing objects in Active Directory. This Active
Directory tool lets you view objects and attributes that are not exposed in the
Active Directory Management Console.
39. Question 39. What Is Kerberos V5 Authentication Process?
Answer :
Kerberos V5 is the primary security protocol for authentication within a domain.
The Kerberos V5 protocol verifies both the identity of the user and network
services. This dual verification is known as mutual authentication.
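The ticket issuance of Question 37, the mutual authentication of Question 39 and the earlier Kerberos answer (which stresses that Kerberos does not assume every server is genuine) are walked through below as an added example; it is not code from the article or from Windows. It is a toy model in Python: a SHA-256 keystream with an HMAC tag stands in for the real Kerberos encryption types, and the principal names, passwords and clock value are constructed.

```python
import hashlib
import hmac
import json
import os
SKEW = 300          # Kerberos tolerates 5 minutes of clock skew by default
TICKET_LIFE = 600   # constructed short ticket lifetime for the example (seconds)

# Toy authenticated cipher standing in for the real Kerberos encryption types.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a dict under a 32-byte secret key."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Fail closed on a wrong key or on a tampered ticket or authenticator."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def key_from_password(pw):
    return hashlib.sha256(pw.encode()).digest()   # toy string-to-key function

def authenticator(cname, session_key, now):
    """Proves possession of the session key; the timestamp limits replay."""
    return seal(session_key, {"cname": cname, "timestamp": now})

def verify_ticket(ticket_key, ticket, auth, now):
    """Shared by the KDC (checking a TGT) and by services (checking a service ticket)."""
    t = unseal(ticket_key, ticket)
    if now > t["end"]:
        raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
    a = unseal(bytes.fromhex(t["key"]), auth)
    if a["cname"] != t["cname"] or abs(now - a["timestamp"]) > SKEW:
        raise PermissionError("KRB_AP_ERR_BADMATCH")
    return t, a

class KDC:
    """Runs on each DC; 'principals' stands in for the AD DS account database."""
    def __init__(self, principals):
        self.keys = {n: key_from_password(pw) for n, pw in principals.items()}

    def as_exchange(self, cname, preauth, now):
        # Pre-authentication: the encrypted timestamp proves the client holds the
        # account key before any ticket is issued.
        if abs(now - unseal(self.keys[cname], preauth)["timestamp"]) > SKEW:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        sk, end = os.urandom(32).hex(), now + TICKET_LIFE
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": sk, "end": end})
        return tgt, seal(self.keys[cname], {"key": sk, "sname": "krbtgt", "end": end})

    def tgs_exchange(self, tgt, auth, sname, now):
        t, _ = verify_ticket(self.keys["krbtgt"], tgt, auth, now)
        sk, end = os.urandom(32).hex(), now + TICKET_LIFE
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": sk, "end": end})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": sk, "sname": sname, "end": end})

class Service:
    """A network service holding its own long-term key (think: a computer account)."""
    def __init__(self, sname, password):
        self.sname, self.key = sname, key_from_password(password)

    def accept(self, ticket, auth, now):
        t, a = verify_ticket(self.key, ticket, auth, now)
        # AP-REP: only a holder of the real service key could recover the session
        # key from the ticket and echo the authenticator timestamp under it.
        return seal(bytes.fromhex(t["key"]), {"timestamp": a["timestamp"]})

def logon(kdc, cname, password, now):
    """AS exchange from the client's side; returns the TGT and its session key."""
    ck = key_from_password(password)
    tgt, enc = kdc.as_exchange(cname, seal(ck, {"timestamp": now}), now)
    return tgt, bytes.fromhex(unseal(ck, enc)["key"])

def mutual_auth(kdc, service, cname, tgt, tgt_key, now):
    """TGS and AP exchanges; True only when the service proves itself back."""
    ticket, enc = kdc.tgs_exchange(tgt, authenticator(cname, tgt_key, now), service.sname, now)
    svc_key = bytes.fromhex(unseal(tgt_key, enc)["key"])
    ap_rep = service.accept(ticket, authenticator(cname, svc_key, now), now)
    return unseal(svc_key, ap_rep)["timestamp"] == now

if __name__ == "__main__":   # constructed principals and clock; no real domain is involved
    kdc = KDC({"krbtgt": "kdc-secret", "alice": "alice-pw", "host/fs1": "fs1-pw"})
    now = 1_700_000_000
    tgt, tgt_key = logon(kdc, "alice", "alice-pw", now)
    print("genuine fs1:", mutual_auth(kdc, Service("host/fs1", "fs1-pw"), "alice", tgt, tgt_key, now))
    try:   # an impostor without fs1's key cannot decrypt the service ticket
        mutual_auth(kdc, Service("host/fs1", "not-the-key"), "alice", tgt, tgt_key, now)
    except ValueError as e:
        print("impostor fs1 rejected:", e)
```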
40. Question 40. Define The Schema Master Failure?
Answer :
Temporary loss of the schema operations master will be visible only if we are
trying to modify the schema or install an application that modifies the schema
during installation. A DC whose schema master role has been seized must never
be brought back online.
41. Question 41. What Is Replmon?
Answer :
Replmon is the first tool you should use when troubleshooting Active Directory
replication issues.
42. Question 42. How To Find Fsmo Roles?
Answer :
Netdom query fsmo OR Replmon.exe
43. Question 43. Describe The Infrastructure Fsmo Role?
Answer :
When an object in one domain is referenced by another object in another domain,
it represents the reference by the GUID, the SID (for references to security
principals), and the DN of the object being referenced. The infrastructure FSMO
role holder is the DC responsible for updating an object's SID and distinguished
name in a cross-domain object reference.
44. Question 44. What Are The Advantages Of Active Directory Sites?
Answer :
Sites describe the physical network to Active Directory: each site is a set of
well-connected subnets defined in Active Directory Sites and Services. Active
Directory uses this information to send clients to a domain controller (and global
catalog) in their own site, to replicate promptly and uncompressed within a site but
compressed and on a schedule between sites, and to let you link group policy at the
site level.
45. Question 45. Define Edb.chk?
Answer :
This is the checkpoint file used to track the data not yet written to database file.
This indicates the starting point from which data is to be recovered from the log
file, in case of failure.
46. Question 46. Define Edb.log?
Answer :
This is the current transaction log file (10 MB). When EDB.LOG is full, it is renamed
to EDBnnnnn.log, where nnnnn is a hexadecimal sequence number starting from 1, and a
fresh EDB.LOG is started. Filled logs are deleted once the checkpoint has passed them.
47. Question 47. How To View All The Gcs In The Forest?
Answer :
repadmin.exe /options * lists the options of every DC; a DC that is a GC shows IS_GC.
nltest /dsgetdc:corp /GC locates a GC for the domain corp (an example name).
dsquery server -forest -isgc lists every GC in the forest in one command.
48. Question 48. How To Seize Fsmo Roles?
Answer :
ntdsutil, then roles, then connections, then connect to server <servername>, then q to
leave the connections prompt, then at the fsmo maintenance prompt seize RID master (or
seize schema master, seize domain naming master, seize infrastructure master, seize PDC).
Seize only when the current holder is permanently gone; ntdsutil tries a transfer first
and seizes if that fails, and the old holder must not return to the network afterwards.
49. Question 49. How To Transfer Fsmo Roles?
Answer :
ntdsutil, then roles, then connections, then connect to server <servername> (the DC
that will receive the role), then q, then at the fsmo maintenance prompt transfer RID
master (or transfer schema master, transfer domain naming master, transfer
infrastructure master, transfer PDC). A transfer needs both the old and the new holder
online and leaves no cleanup behind.
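The find, transfer and seize steps above, done with the ActiveDirectory PowerShell module instead of ntdsutil, as an added example that is not part of the original page. It assumes RSAT on the machine, Enterprise Admin rights, and the server names DC01/DC02 and domain corp.example; the ntdsutil metadata cleanup line is quoted because a seized schema, RID or domain naming master must never rejoin the forest.

```powershell
# Added example (not from the original page): locate the five FSMO role holders, transfer
# one gracefully, and seize only when the holder is gone for good. Needs the ActiveDirectory
# module (RSAT) and Domain/Enterprise Admin rights; server and domain names are assumptions.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster    # one per forest
        PDCEmulator          = $domain.PDCEmulator           # one per domain
        RIDMaster            = $domain.RIDMaster             # one per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # one per domain
    }
}

Get-FsmoRoleHolders | Format-List
# Legacy equivalents: netdom query fsmo / dcdiag /test:knowsofroleholders /v

# Graceful transfer: the current holder is online and hands the role over.
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole RIDMaster, PDCEmulator

# Seizure: only when the holder is permanently lost. -Force tries a transfer first, then seizes.
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole SchemaMaster -Force

# After seizing the schema, RID or domain naming master, the old holder (DC01 here) must never
# come back online. Remove its metadata so it cannot rejoin replication with a stale view:
#   ntdsutil "metadata cleanup" "remove selected server CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example" q q
# (on 2008 and later, deleting the DC's computer object in Active Directory Users and
#  Computers runs the same cleanup)

# Verify the change has replicated: every DC should name the same holder.
function Test-FsmoAgreement {
    param([string]$Role = 'PDCEmulator')
    Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            QueriedDC = $_.HostName
            Holder    = (Get-ADDomain -Server $_.HostName).$Role   # each DC's own view of the role
        }
    }
}
Test-FsmoAgreement -Role RIDMaster | Format-Table -AutoSize
```

If Test-FsmoAgreement shows two different holders, replication has not converged yet (or a seizure was done on a partitioned DC); do not seize again until the disagreement is understood.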
50. Question 50. What Is The Kcc (knowledge Consistency Checker)?
Answer :
The KCC generates and maintains the replication topology for replication within
sites and between sites. KCC runs every 15 minutes.
51. Question 51. What Is Schema Information In Active Directory?
Answer :
Definitional details about objects and attributes that one CAN store in the AD.
Replicates to all DCs. Static in nature.
52. Question 52. What Is Online Defragmentation In Active Directory?
Answer :
Online Defragmentation method that runs as part of the garbage collection
process. The only advantage to this method is that the server does not need to be
taken offline for it to run. However, this method does not shrink the Active
Directory database file (Ntds.dit).
53. Question 53. What Is Ads Database Garbage Collection Process?
Answer :
Garbage collection is a process that is designed to free space within the Active
Directory database. It runs independently on every DC, by default every 12 hours
(garbageCollPeriod). Deleted objects are kept as tombstones for the tombstone lifetime
(60 days by default in forests created on Windows 2000 or early 2003, 180 days in
forests created on 2003 SP1 or later); garbage collection removes tombstones older
than that and then runs an online defragmentation.
54. Question 54. Define Res1.log And Res2.log?
Answer :
These are the reserved transaction log files, 20 MB in total (10 MB each), which give
the transaction log enough room to shut down cleanly if the disk holding the logs
fills up.
55. Question 55. What Is Domain Information In Active Directory?
Answer :
Object information for a domain. It replicates to all DCs within that domain. In
addition, a partial attribute set of every object (the attributes marked for the
global catalog) replicates to all global catalog servers in the forest; the remaining
attribute values stay within the domain.
56. Question 56. What Is Lightweight Directory Access Protocol?
Answer :
LDAP is the directory service protocol that is used to query and update AD. LDAP
naming paths are used to access AD objects and include the following:
o Distinguished names
o Relative Distinguished names
57. Question 57. How Will You Verify Whether The Ad Installation Is Proper
With Srv Resource Records?
Answer :
Verify SRV resource records: after AD is installed, the DC registers its SRV records
in DNS when the Netlogon service starts. Check that _ldap._tcp.dc._msdcs.<domain> and
_kerberos._tcp.dc._msdcs.<domain> list the new DC, using the DNS MMC, nslookup (set
type=SRV), or dcdiag /test:dns. The records are also written to
%SystemRoot%\System32\config\netlogon.dns.
58. Question 58. What Is Ntds.dit?
Answer :
This is the AD database, which stores all AD objects. The default location is
%SystemRoot%\NTDS\Ntds.dit.
Active Directory's database engine is the Extensible Storage Engine (ESE), which is
based on the Jet database and can grow up to 16 TB.
59. Question 59. What Is Ntds.dit Schema Table?
Answer :
The types of objects that can be created in the Active Directory, relationships
between them, and the attributes on each type of object. This table is fairly static
and much smaller than the data table.
60. Question 60. Mention What Is The Difference Between Domain Admin
Groups And Enterprise Admins Group In Ad?
Answer :
Enterprise Admins group: members have complete control of all domains in the forest.
The group exists only in the forest root domain and by default is a member of the
Administrators group on every domain controller in the forest, so it has full control
of the forest. Add users with caution.
Domain Admins group: members have complete control of their domain. By default the
group is a member of the Administrators group on all domain controllers in the domain
and on every workstation and member server at the time it is joined to the domain, so
it has full control in the domain. Add users with caution, and keep day-to-day
administration in delegated groups instead.
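The difference matters most when auditing who actually sits in these groups. The following PowerShell report is an added example (not from the original page): it walks every domain in the forest, queries Enterprise Admins and Schema Admins only in the forest root (the only domain where they exist), expands nested membership, and highlights accounts whose password never expires, has not changed in a year, or that carry an SPN (a highly privileged account with an SPN can have its ticket requested by any domain user and cracked offline). It assumes RSAT and read access to every domain.

```powershell
# Added example (not from the original page): audit the forest's most privileged groups.
# Enterprise Admins and Schema Admins exist only in the forest root domain; Domain Admins
# and Administrators exist in every domain. Nested membership is expanded so that a user
# hidden three groups deep still shows up. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    $forest = Get-ADForest
    $root   = $forest.RootDomain
    foreach ($dom in $forest.Domains) {
        $groups = @('Domain Admins', 'Administrators')
        if ($dom -eq $root) { $groups += 'Enterprise Admins', 'Schema Admins' }
        foreach ($g in $groups) {
            # -Recursive flattens nested groups; only leaf objects (users, computers) are returned.
            $members = Get-ADGroupMember -Identity $g -Server $dom -Recursive -ErrorAction SilentlyContinue
            foreach ($m in $members) {
                $detail = $null
                if ($m.objectClass -eq 'user') {
                    $detail = Get-ADUser -Identity $m.distinguishedName -Server $dom `
                        -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, Enabled, ServicePrincipalName
                }
                [pscustomobject]@{
                    Domain               = $dom
                    Group                = $g
                    Member               = $m.SamAccountName
                    Class                = $m.objectClass
                    Enabled              = $detail.Enabled
                    PasswordNeverExpires = $detail.PasswordNeverExpires
                    PasswordLastSet      = $detail.PasswordLastSet
                    LastLogonDate        = $detail.LastLogonDate
                    # An admin with an SPN is Kerberoastable from any domain account.
                    HasSPN               = ($detail.ServicePrincipalName.Count -gt 0)
                }
            }
        }
    }
}

$report = Get-PrivilegedGroupReport
$report | Sort-Object Domain, Group, Member | Format-Table -AutoSize

# Findings worth acting on
$report | Where-Object {
    $_.PasswordNeverExpires -or $_.HasSPN -or
    ($_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddYears(-1))
} | Format-Table Domain, Group, Member, PasswordNeverExpires, HasSPN, PasswordLastSet -AutoSize
```

Get-ADGroupMember -Recursive stops at 5000 members by default and cannot expand foreign security principals from a trusted forest, so a cross-forest member shows up as a SID rather than a name; that in itself is a finding.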
Active Directory
Active Directory is a centralized and standardized directory service that stores
information about objects in a network and makes this information available to users
and network administrators.
Domain Controller
In an Active Directory forest, a domain controller is a server that holds a writable
copy of the Active Directory database, participates in Active Directory replication,
and controls access to network resources by authenticating users and computers.
Global catalog server
A global catalog server is a domain controller that stores information about all
objects in the forest. Like all domain controllers, a global catalog server stores
full, writable replicas of the schema and configuration directory partitions and a
full, writable replica of the domain directory partition for the domain that it hosts.
In addition, it stores a partial, read-only replica of every other domain in the
forest. Partial replicas are stored on global catalog servers so that searches of the
entire directory can be answered without referrals from one domain controller to
another.
The partial replica contains every object of the other domains but only the attributes
in the partial attribute set (for example first name, last name, phone numbers and
addresses). In Windows Server 2003, adding an attribute to the partial attribute set no
longer forces a full resynchronization of every global catalog, as it did in Windows 2000.
OU:
Organizational Units are administrative containers within a domain. They let
administrators group users, computers and other objects so that group policy,
delegated permissions and other administrative tasks can be applied to the whole
group at once.
Domain:
A Windows domain is a logical grouping of computers that share a common security
boundary and a common user account database held in Active Directory.
Forest
A Windows forest is a group of one or more trusted Windows trees. The trees do not
need to have contiguous DNS names. A forest shares a schema and global catalog
servers. A single tree can also be called a forest.

Tree:
A Windows tree is a group of one or more trusted Windows domains with a contiguous
DNS namespace. "Trusted" means that an authenticated account from one domain is not
rejected by another domain. "Contiguous" means that each child domain's DNS name is
formed by prefixing a label to its parent's name, so every domain in the tree descends
from the same root name.
Site:
Sites are manually defined groupings of IP subnets that are connected by fast,
reliable links. Clients in a site prefer domain controllers and global catalog servers
in that site, replication within a site is frequent and uncompressed, and a common set
of group policies can be linked to the site.
Schema:
The schema defines what attributes, objects, classes, and rules are available in the
Active Directory.
SID (Security Identifier):
The SID is a unique, variable-length binary value that identifies a security principal
such as a user, group or computer. Its string form looks like
S-1-5-21-<domain identifier>-<relative ID>. Permissions in access control lists refer
to SIDs, not names, which is why a renamed account keeps its access and a deleted and
recreated account does not.
Group Policy

Group policy architecture:

Group Policy objects (GPO):
A GPO is a collection of Group Policy settings, stored at the domain level as a virtual
object consisting of a Group Policy container (GPC) in Active Directory and a Group
Policy template (GPT) in SYSVOL.
Password policy settings, including Enforce password history, are stored under
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.
Only the policy linked to the domain (by default the Default Domain Policy) is effective
for domain accounts; the same settings in a GPO linked to an OU affect local accounts on
the computers in that OU only.

Group Policy Container (GPC)
The Group Policy container (GPC) is an Active Directory object, under
CN=Policies,CN=System in the domain partition, that contains GPO properties such as
version information, GPO status, and a list of the client-side extensions the GPO uses.
Group Policy Template (GPT)
The Group Policy template (GPT) is a file system folder that includes policy data
specified by .adm files, security settings, script files, and information about
applications that are available for installation. The GPT is located in the system
volume folder (SysVol) in the domain \Policies sub-folder.
Filtering the Scope of a GPO
By default, a GPO affects all users and computers that are contained in the linked
site, domain, or organizational unit. The administrator can narrow the computers and
users that are affected by a GPO with security filtering: a GPO applies only to a
principal that holds both the Read and the Apply Group Policy permissions on the GPO.
Starting with Windows 2000, the administrator can add both computers and users to
security groups and then grant or deny Apply Group Policy to those groups on the GPO's
access control list, using the Security tab of the GPO (the ACL editor). Windows
Server 2003 adds WMI filters as a second way to narrow the scope.
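The GPC/GPT split and the filtering rule above can be checked from PowerShell. This is an added example, not code from the original page: it reads the GPC object from AD and the GPT.INI from SYSVOL, splits the packed version number into its computer and user halves on each side (a mismatch means AD and SYSVOL replication are out of step and clients will refuse to apply the GPO), lists the trustees that hold Apply Group Policy, and reads the effective domain password policy. It assumes the ActiveDirectory and GroupPolicy modules and uses the Default Domain Policy as the target.

```powershell
# Added example (not from the original page): show both halves of a GPO, the GPC in AD and
# the GPT in SYSVOL, compare their version numbers, and list who the policy is filtered to.
# Requires the ActiveDirectory and GroupPolicy modules. The GPO name is an assumption.
Import-Module ActiveDirectory, GroupPolicy

function Get-GpoConsistency {
    param([string]$Name = 'Default Domain Policy')
    $domain = Get-ADDomain
    $gpo    = Get-GPO -Name $Name
    $guid   = "{$($gpo.Id.ToString().ToUpper())}"

    # GPC: the AD object under CN=Policies,CN=System,<domain>
    $gpc = Get-ADObject -Identity "CN=$guid,CN=Policies,CN=System,$($domain.DistinguishedName)" `
        -Properties versionNumber, gPCFileSysPath

    # GPT: the SYSVOL folder gPCFileSysPath points at; GPT.INI carries the file-side version
    $gptIni = Get-Content (Join-Path $gpc.gPCFileSysPath 'GPT.INI')
    $gptVer = [int64](($gptIni | Where-Object { $_ -match '^Version=(\d+)' }) -replace '^Version=', '')
    $gpcVer = [int64]$gpc.versionNumber

    # versionNumber packs the user version in the high 16 bits and the computer version in the low 16
    [pscustomobject]@{
        Name               = $gpo.DisplayName
        Guid               = $guid
        GpcComputerVersion = $gpcVer -band 0xFFFF
        GpcUserVersion     = ($gpcVer -shr 16) -band 0xFFFF
        GptComputerVersion = $gptVer -band 0xFFFF
        GptUserVersion     = ($gptVer -shr 16) -band 0xFFFF
        # A mismatch means AD and SYSVOL are out of step (usually a replication problem)
        InSync             = ($gpcVer -eq $gptVer)
        SysvolPath         = $gpc.gPCFileSysPath
    }
}

Get-GpoConsistency -Name 'Default Domain Policy' | Format-List

# Security filtering: the GPO applies only to trustees holding both Read and Apply Group Policy.
Get-GPPermission -Name 'Default Domain Policy' -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Format-Table @{n='Trustee'; e={ $_.Trustee.Name }}, TrusteeType, Permission, Inherited -AutoSize

# The password policy AD actually enforces for domain accounts (the settings under the path above)
Get-ADDefaultDomainPasswordPolicy |
    Format-List PasswordHistoryCount, MinPasswordLength, MaxPasswordAge, ComplexityEnabled, LockoutThreshold
```

gpotool.exe from the 2003 Resource Kit did the same version comparison across all DCs; on a current domain, run Get-GpoConsistency with -Server pointed at each DC if you suspect only one of them is stale.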

Knowledge Consistency Checker (KCC)
The Knowledge Consistency Checker (KCC) is a Windows component that runs on every
domain controller and automatically generates and maintains the intra-site and
inter-site replication topology. Within a site it builds a ring with extra connections
so that no DC is more than three hops from any other; between sites one DC per site,
the Inter-Site Topology Generator, builds the topology from the site links an
administrator defines.
Intrasite Replication
Replication between domain controllers inside one site. All of the subnets inside a
site should be connected by fast, reliable links, because intrasite replication is
triggered by changes after a short delay and is not compressed.
Intersite Replication
Intersite replication is replication between sites over site links that an
administrator sets up; it is compressed and follows the site link schedule and
interval. Simple Mail Transfer Protocol (SMTP) may be used instead of RPC for
replication between sites, with the limits described under SMTP below.

Active Directory Replication
Replication must occur both within sites (intrasite) and between sites (intersite) to
keep domain and forest data consistent among the domain controllers that store the
same directory partitions.
Adprep.exe
Adprep.exe is a command-line tool used to prepare a Microsoft Windows 2000 forest
or a Windows 2000 domain for the installation of Windows Server 2003 domain
controllers.

USE:
When Microsoft Exchange Server is deployed in an organization, Exchange Server
uses Active Directory as a data store and it extends the Windows 2000 Active
Directory schema to enable it to store objects specific to Exchange Server. The
ldapDisplayName of the attribute schema ms-Exch-Assistant-Name, ms-Exch-
LabeledURI, and ms-Exch-House-Identifier defined by Exchange Server conflicts
with the iNetOrgPerson schema that Active Directory uses in Windows Server 2003.
When Windows Server 2003 Service Pack 1 is installed, Adprep.exe will be able to
detect the presence of the schema conflict and block the upgrade of the schema until
the issue has been resolved.

GUID:

When a new domain user or group account is created, Active Directory stores the
account's SID in the Object-SID (objectSID) property of a User or Group object. It
also assigns the new object a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are
assigned to every object created by Active Directory, not just User and Group
objects. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects.

SID:
A security identifier (SID) is a data structure in binary format that contains a
variable number of values. When a DC creates a security principal object such as a
user or group, it attaches a unique SID to the object. This SID consists of a domain
SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique
for each security principal created in the domain.

Lingering objects
When a domain controller is disconnected for a period that is longer than the
tombstone lifetime (TSL), one or more objects that were deleted from Active Directory
on all other domain controllers may remain on the disconnected domain controller. Such
objects are called lingering objects. Because the domain controller was offline for
the whole time the tombstone existed, it never received the tombstone by replication
and so never learned of the deletion. If it is allowed to replicate again, the stale
object can be reintroduced to the rest of the forest, which is why strict replication
consistency and repadmin /removelingeringobjects exist.
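The garbage-collection question above and this section both hinge on the tombstone lifetime. As an added example (not from the original page), the PowerShell below reads tombstoneLifetime and garbageCollPeriod from the Directory Service object in the configuration partition, then asks every DC for its replication partner metadata and reports any partnership whose last success is older than the tombstone lifetime, the exact condition under which lingering objects appear. The repadmin line at the end shows the advisory-mode check; DC names, the DSA GUID placeholder and the domain DN are assumptions.

```powershell
# Added example (not from the original page): read the tombstone lifetime and garbage-collection
# interval from the configuration partition, then find replication partners that have been out
# of touch longer than the tombstone lifetime, which is how lingering objects arise.
# Requires the ActiveDirectory module and repadmin.exe (RSAT).
Import-Module ActiveDirectory

function Get-DirectoryServiceLifetimes {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime, garbageCollPeriod
    [pscustomobject]@{
        # An absent attribute means the Windows 2000-era default of 60 days; forests created on
        # 2003 SP1 or later get 180. Garbage collection defaults to every 12 hours.
        TombstoneLifetimeDays  = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
        GarbageCollPeriodHours = if ($ds.garbageCollPeriod) { $ds.garbageCollPeriod } else { 12 }
    }
}

function Find-StaleReplicationPartners {
    param([int]$TombstoneLifetimeDays)
    $cutoff = (Get-Date).AddDays(-$TombstoneLifetimeDays)
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both -ErrorAction SilentlyContinue |
            Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    Server          = $dc.HostName
                    Partner         = $_.Partner
                    Partition       = $_.Partition
                    LastSuccess     = $_.LastReplicationSuccess
                    # A partnership this stale may carry objects everyone else has already purged
                    RiskOfLingering = $true
                }
            }
    }
}

$life = Get-DirectoryServiceLifetimes
$life | Format-List
Find-StaleReplicationPartners -TombstoneLifetimeDays $life.TombstoneLifetimeDays | Format-Table -AutoSize

# Advisory check for lingering objects on DC01 against an authoritative partner DC02, for the
# domain partition (names and DN are assumptions). Advisory mode only reports; drop the flag
# to delete. <DC02-DSA-GUID> is DC02's DSA object GUID, shown by: repadmin /showrepl DC02
#   repadmin /removelingeringobjects DC01.corp.example <DC02-DSA-GUID> DC=corp,DC=example /advisory_mode
```

If a DC has been out of touch longer than the tombstone lifetime, the safe course is usually to demote it forcibly and rebuild rather than reconnect it; the advisory run tells you how much it would have reintroduced.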

Sysvol
Sysvol is a shared directory that stores the server copy of the domain's public files,
which are replicated among all domain controllers in the domain. The Sysvol contains
the file-system part of every GPO: the GPT, which includes Administrative
Template-based Group Policy settings, security settings, script files, and information
regarding applications that are available for software installation, plus logon
scripts in the Netlogon share. On Windows 2000 and 2003 it is replicated by the File
Replication Service (FRS); Windows Server 2008 and later domains migrate it to DFS
Replication (DFSR).

File Replication Service (FRS)
In Windows 2000 and 2003, the SYSVOL share holds the group policy templates and logon
scripts that clients read at logon, and this content is replicated to every domain
controller in the domain. File Replication Service (FRS) is the service that
replicates the SYSVOL share. FRS follows the Active Directory replication topology
and schedule, which is configured in Active Directory Sites and Services (site links
and connection objects).

Winlogon
A component of the Windows operating system that provides interactive logon support;
Winlogon is the service in which the Group Policy engine runs.
Lightweight Directory Access Protocol (LDAP)
It defines how clients and servers exchange information about a directory. LDAP
version 2 and version 3 are supported by Windows 2000 Server's Active Directory.
An LDAP URL names the server holding Active Directory services and the distinguished
name of the object. For example:
LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN=Division,DC=myco,DC=domain-controller
Plain LDAP on port 389 is cleartext unless the session is signed or upgraded with
StartTLS; LDAPS on port 636 wraps the whole session in TLS.

USN
Every domain controller keeps its own Update Sequence Number (USN), a 64-bit counter
that it increments for each change it writes. Each object and attribute records the
USN of its last change (uSNChanged is local to the DC and is not replicated), so the
same change carries a different USN on each domain controller. Replication partners
track the highest USN they have received from each other (the high-watermark), so a DC
can ask a partner for everything after USN n. This is the key to multimaster replication.

Universal group membership caching
Due to available network bandwidth and server hardware limitations, it may not be
practical to have a global catalog in smaller branch office locations. For these sites,
you can deploy domain controllers running Windows Server 2003 with universal group
membership caching enabled on the site, so that the DC stores universal group
membership information locally after a user's first logon and does not need to contact
a global catalog across the WAN at each logon.
By default, the cached universal group membership information on each domain controller
is refreshed every 8 hours, and up to 500 universal group memberships are updated at a
time. Universal security groups cannot be created while the domain is in Windows 2000
mixed mode (universal distribution groups can).

What is an ACL or access-control list?
A list of security protections that applies to an object. (An object can be a file,
process, event, or anything else having a security descriptor.) The discretionary ACL
(DACL) grants or denies access; the system ACL (SACL) controls auditing.

What is an ACE or access-control entry?
An ACE contains a set of access rights and a security identifier (SID) that identifies
a trustee for whom the rights are allowed, denied, or audited. In Active Directory an
ACE can also name the attribute, attribute set or extended right it covers, and whether
it is inherited by child objects. Explicit deny entries are evaluated before allow
entries.
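Reading an Active Directory DACL ACE by ACE is the practical form of the two definitions above. The PowerShell below is an added example (not from the original page): it uses the AD: drive that the ActiveDirectory module provides, prints each ACE's trustee, rights, allow/deny type, object-type GUID and inheritance, and flags allow entries that grant takeover rights (GenericAll, WriteDacl, WriteOwner, GenericWrite, or unrestricted WriteProperty) to trustees outside the expected administrative principals. It also looks for the two replication extended rights that DCSync needs. The default target is the domain head; the trusted-principal list is an assumption to adjust for your forest.

```powershell
# Added example (not from the original page): dump the DACL of an AD object through the AD: drive
# and flag ACEs that grant control-equivalent rights to trustees outside the built-in admin groups.
# Requires the ActiveDirectory module; the trusted-principal list and target DN are assumptions.
Import-Module ActiveDirectory

function Get-DangerousAces {
    param(
        [string]$DistinguishedName = (Get-ADDomain).DistinguishedName,
        # Trustees considered expected holders of full control (adjust for your forest)
        [string[]]$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                         '*\Domain Admins', '*\Enterprise Admins')
    )
    # Get-Acl on the AD: provider returns ActiveDirectorySecurity; each ACE is an
    # ActiveDirectoryAccessRule: rights, trustee, allow/deny, object type, inheritance
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $trustee = $ace.IdentityReference.Value
        $trusted = $false
        foreach ($p in $TrustedPrincipals) { if ($trustee -like $p) { $trusted = $true } }
        $rights = $ace.ActiveDirectoryRights.ToString()
        # GenericAll, WriteDacl and WriteOwner each let the holder take over the object;
        # GenericWrite or an unrestricted WriteProperty lets them set e.g. servicePrincipalName.
        $dangerous = ($rights -match 'GenericAll|WriteDacl|WriteOwner|GenericWrite') -or
                     ($rights -match 'WriteProperty' -and $ace.ObjectType -eq [guid]::Empty)
        [pscustomobject]@{
            Object     = $DistinguishedName
            Trustee    = $trustee
            Type       = $ace.AccessControlType        # Allow / Deny
            Rights     = $rights
            ObjectType = $ace.ObjectType.ToString()    # attribute/extended-right GUID; all zeros = everything
            Inherited  = $ace.IsInherited
            Flag       = $dangerous -and -not $trusted -and ($ace.AccessControlType -eq 'Allow')
        }
    }
}

# Domain head: anyone with WriteDacl here can grant themselves replication rights.
Get-DangerousAces | Where-Object Flag | Format-Table Trustee, Rights, ObjectType, Inherited -AutoSize

# The two extended rights DCSync needs (well-known rightsGuid values):
$dcsyncGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
                 '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')  # DS-Replication-Get-Changes-All
Get-DangerousAces | Where-Object { $_.Type -eq 'Allow' -and $_.ObjectType -in $dcsyncGuids } |
    Format-Table Trustee, ObjectType, Inherited -AutoSize
```

Expect Domain Controllers and Enterprise Domain Controllers to hold both replication rights; any other trustee with Get-Changes-All can pull every password hash in the domain and should be explained or removed.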

Flexible Single Master Operations (FSMO)

MultiMaster Operation:
In Windows 2000 and 2003, every domain controller can accept changes, and the changes
are replicated to all other domain controllers. The day-to-day operations that are
associated with managing users, groups, and computers are typically multimaster
operations.

Some operations would conflict if two DCs performed them at once, so Active Directory
reserves a fixed set of Flexible Single Master Operations (FSMO) roles, each performed
by exactly one domain controller. The first domain controller in the forest holds all
five roles by default; an administrator can transfer them to other DCs later, or seize
them if a holder is lost. The FSMO roles are:

Schema Master: The schema master domain controller controls all updates and
modifications to the schema. There can be only one schema master in the whole
forest.
Domain naming master: The domain naming master domain controller controls the
addition or removal of domains in the forest and responsibility of ensuring that
domain names are unique in the forest. There can be only one domain naming
master in the whole forest.

Infrastructure Master:
The infrastructure master is responsible for updating references from objects in its
domain to objects in other domains (for example, members of a domain local group that
live in another domain). When a referenced object is renamed or moved, the
infrastructure master updates the stored SID and distinguished name in the reference
and replicates the change. At any one time, there can be only one infrastructure
master in each domain.
Note: the Infrastructure Master role should be held by a domain controller that is not
a Global Catalog server unless every DC in the domain is a GC. A GC already holds a
partial replica of every object in the forest, so an infrastructure master that is
also a GC never sees a reference that differs from its own copy, does nothing, and the
cross-domain references in that domain stop being updated; a warning to that effect is
logged in the DC's event log. If all the domain controllers in a domain also host the
global catalog, they all already have the current data, and it is not important which
one holds the infrast[...]
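Both the "how to view all GCs" question above and the placement rule for the infrastructure master come down to the same two lists: the GCs and the DCs of each domain. The PowerShell below is an added example (not from the original page) that produces both, using Get-ADForest for the GC list and then, per domain, checking whether the infrastructure master is a GC while some other DC is not. It assumes the ActiveDirectory module and read access to every domain in the forest.

```powershell
# Added example (not from the original page): list every global catalog in the forest, then
# check the infrastructure master placement rule for each domain: the role holder must not be
# a GC unless every DC in the domain is one. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GlobalCatalogs {
    # Same list the page's repadmin /options * (IS_GC), nltest /dsgetdc /GC and
    # dsquery server -forest -isgc commands expose
    (Get-ADForest).GlobalCatalogs | Sort-Object
}

function Test-InfrastructureMasterPlacement {
    $forest = Get-ADForest
    foreach ($dom in $forest.Domains) {
        $domain = Get-ADDomain -Identity $dom
        $dcs    = @(Get-ADDomainController -Filter * -Server $dom)
        $gcs    = @($dcs | Where-Object IsGlobalCatalog)
        $imIsGc = ($gcs.HostName -contains $domain.InfrastructureMaster)
        $allGc  = ($gcs.Count -eq $dcs.Count)
        [pscustomobject]@{
            Domain               = $dom
            InfrastructureMaster = $domain.InfrastructureMaster
            IMIsGlobalCatalog    = $imIsGc
            AllDCsAreGC          = $allGc
            # Problem case: the IM is a GC but some DCs are not, so cross-domain references
            # in this domain are never refreshed
            Misplaced            = ($imIsGc -and -not $allGc)
            # A single-domain forest has no cross-domain references, so the rule is moot
            SingleDomainForest   = ($forest.Domains.Count -eq 1)
        }
    }
}

Get-GlobalCatalogs
Test-InfrastructureMasterPlacement | Format-Table -AutoSize

# Fix a misplacement by moving the role to a non-GC DC (name is an assumption):
# Move-ADDirectoryServerOperationMasterRole -Identity DC03 -OperationMasterRole InfrastructureMaster
```

Making every DC a GC is the other valid fix, and on modern hardware is the usual choice; the check above then reports AllDCsAreGC as true and Misplaced as false.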
Relative ID (RID) Master:
The RID master hands out blocks of relative IDs (500 at a time by default) to every DC
in the domain. When a DC creates a security principal object such as a user, group or
computer, it attaches a unique SID to the object: the domain SID (the same for all SIDs
created in the domain) followed by a RID taken from the DC's local block, which makes
the SID unique across the domain. If the RID master is down, each DC can keep creating
security principals until its current RID block is exhausted; after that no new users,
groups or computers can be created in the domain until the role is back or seized.
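The SID structure described in the SID section above and the RID pool mechanics described here can both be inspected directly. As an added example (not from the original page), the PowerShell below splits a SID string into its domain SID and RID using the .NET SecurityIdentifier type, then reads rIDAvailablePool from the RID Manager$ object (the domain-wide pool the RID master draws from) and the rIDAllocationPool/rIDNextRID values of each DC's RID Set object, so you can see how many principals can still be created if the RID master fails. The two sample SIDs are constructed; the layout of the 64-bit pool attributes (low 32 bits = start/next, high 32 bits = end/maximum) is the documented one.

```powershell
# Added example (not from the original page): split a SID into its domain part and RID, then
# read the RID master's global pool and each DC's local RID block to estimate how many more
# security principals can be created without the RID master. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s   = [System.Security.Principal.SecurityIdentifier]$Sid
    $rid = [uint32]($s.Value.Split('-')[-1])        # last sub-authority
    [pscustomobject]@{
        Sid       = $s.Value
        DomainSid = $s.AccountDomainSid.Value       # S-1-5-21-<three 32-bit sub-authorities>
        Rid       = $rid
        WellKnown = ($rid -lt 1000)                 # 500 = Administrator, 512 = Domain Admins, ...
    }
}

# Constructed SIDs: a domain's Administrator (RID 500) and an ordinary user
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-500'
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1105'

function Split-HighLow {
    # AD stores RID pool bounds as one 64-bit integer: low 32 bits and high 32 bits
    param([int64]$Value)
    $b = [BitConverter]::GetBytes($Value)
    [pscustomobject]@{ Low = [BitConverter]::ToUInt32($b, 0); High = [BitConverter]::ToUInt32($b, 4) }
}

function Get-RidPoolStatus {
    $domain = Get-ADDomain
    # rIDAvailablePool: High = highest RID the master may ever issue, Low = next block start
    $pool = Split-HighLow (Get-ADObject "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" `
        -Properties rIDAvailablePool).rIDAvailablePool
    [pscustomobject]@{
        Scope = 'Domain'; Server = $domain.RIDMaster
        BlockEnd = $pool.High; Position = $pool.Low; Remaining = $pool.High - $pool.Low
    }
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Each DC keeps its current block (500 RIDs by default) in the RID Set under its computer object
        $set = Get-ADObject -SearchBase $dc.ComputerObjectDN -Filter 'objectClass -eq "rIDSet"' `
            -Properties rIDAllocationPool, rIDNextRID
        if (-not $set) { continue }
        $alloc = Split-HighLow $set.rIDAllocationPool   # Low = first RID of block, High = last
        $next  = [int64]$set.rIDNextRID                 # most recently handed-out RID
        if ($next -lt $alloc.Low) { $next = $alloc.Low - 1 }   # fresh block, nothing used yet
        [pscustomobject]@{
            Scope = 'DC'; Server = $dc.HostName
            BlockEnd = $alloc.High; Position = $next; Remaining = [int64]$alloc.High - $next
        }
    }
}
Get-RidPoolStatus | Format-Table -AutoSize
```

A DC requests a new block from the RID master when it has used about half of its current one, so the per-DC Remaining figure is the worst-case headroom while the RID master is unavailable.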
PDC Emulator: when the domain is in mixed mode, the PDC emulator acts as a Windows NT
PDC toward NT 4.0 BDCs and down-level clients. The first server that becomes a Windows
2000 domain controller takes the role of PDC emulator by default. Functions performed
by the PDC emulator:
Password changes are replicated to it preferentially, and a DC that rejects a password
retries it against the PDC emulator before failing the logon.
Account lockout state is tracked on it.
SAM directory replication requests from NT 4.0 BDCs.
Domain master browser requests.
Authentication requests from down-level clients.
GPO editing: the Group Policy editor connects to the PDC emulator by default to avoid
conflicting edits.
Time synchronization: it is the authoritative time source for the domain, and the
forest root PDC emulator is the time source for the whole forest.
New Active Directory features in Windows Server 2003
• Multiple selection of user objects.
• Drag-and-drop functionality.
• Efficient search capabilities. Search functionality is object-oriented and
provides an efficient search that minimizes
• Saved queries. Save commonly used search parameters for reuse in Active
Directory Users and Computers
• Active Directory command-line tools.
• InetOrgPerson class. The inetOrgPerson class has been added to the base
schema as a security principal and can be used in the same manner as the user
class. The userPassword attribute can also be used to set the account
password.
• Ability to add additional domain controllers using backup media. Reduce
the time it takes to add an additional domain controller in an existing domain by
using backup media.
• Universal group membership caching. Prevent the need to locate a global
catalog across a WAN when logging on by storing universal group membership
information on an authenticating domain controller.
• Secure LDAP traffic. Active Directory administrative tools sign and encrypt all
LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data
comes from a known source and that it has not been tampered with.
• Active Directory quotas. Quotas can be specified in Active Directory to control
the number of objects a user, group, or computer can own in a given directory
partition. Domain Administrators and Enterprise

Windows Functional levels
In Windows 2000 Active Directory domains there is the concept of mixed and native
modes. The default mixed mode allows both NT and Windows 2000 domain controllers to
coexist. Once you convert to native mode, you are only allowed to have Windows 2000
domain controllers in your domain. The conversion is one-way and cannot be reversed.
In Windows Server 2003, Microsoft introduced forest and domain functional levels. The
concept is rather similar to switching from mixed to native mode in Windows 2000: each
higher functional level enables features that the previous level did not have (for
example, domain rename, forest trusts and linked-value replication at the Windows
Server 2003 forest level) and rules out older domain controllers.
There are four domain functional levels:
1. Windows 2000 mixed (supports NT4/2000/2003 DCs)
2. Windows 2000 native (supports 2000/2003 DCs)
3. Windows Server 2003 interim (supports NT4/2003 DCs)
4. Windows Server 2003 (supports only 2003 DCs)
And three forest functional levels:
1. Windows 2000 (supports NT4/2000/2003 DCs)
2. Windows Server 2003 interim (supports NT4/2003 DCs)
3. Windows Server 2003 (supports only 2003 DCs)
To raise the domain functional level, go to the properties of your domain in Active
Directory Domains and Trusts. To raise the forest functional level, go to the
properties of the Active Directory Domains and Trusts node at the root. If any domain
is not at the required level, you will not be able to raise the forest functional
level. Raising a level is one-way, so confirm first that no remaining domain
controller runs an older version.
Directory partition
A directory partition, or naming context, is a contiguous Active Directory subtree
replicated on one or more Windows 2000 domain controllers in a forest. By default,
each domain controller holds a replica of three partitions: the schema partition, the
configuration partition and a domain partition.

Schema partition
It contains all class and attributes definitions for the forest. There is one schema
directory partition per forest.
Configuration partition
It contains replication configuration information (and other information) for the forest.
There is one configuration directory partition per forest.
Domain partition
It contains all objects that are stored by one domain. There is one domain directory
partition for each domain in the forest.

Application Directory Partition
Application directory partitions are most often used to store dynamic data. An
application partition cannot contain security principals (users, groups, and
computers). The KCC generates and maintains the replication topology for an
application directory partition in the same way as for the other partitions, but only
the DCs chosen to host it hold a replica.

Application: the application partition is a new feature introduced in Windows Server
2003. This partition contains application-specific objects. The objects or data that
applications and services store here can be of any object type except security
principals (users, groups and computers). The application partition typically contains
DNS zone objects (the DomainDnsZones and ForestDnsZones partitions) and dynamic data
from other network services such as Remote Access Service (RAS) and Dynamic Host
Configuration Protocol (DHCP).
Dynamic Data:
A dynamic entry is an object in the directory which has an associated time-to-live
(TTL) value. The TTL for an entry is set when the entry is created, and the entry is
removed automatically when the TTL expires unless the client refreshes it.
Security Principals - objects that can have permissions assigned to them and that each
contain a security identifier. The following objects are security principals:
o User
o Computer
o Group
RPC:
Active Directory uses RPC over IP to transfer both intersite and intrasite replication
between domain controllers. To keep data secure while in transit, RPC over IP
replication uses both the Kerberos authentication protocol and data encryption.
SMTP:
If you have a site that has no physical connection to the rest of your network, but that
can be reached using the Simple Mail Transfer Protocol (SMTP), that site has mail-
based connectivity only. SMTP replication is used only for replication between sites.
You also cannot use SMTP replication to replicate between domain controllers in the
same domain—only inter-domain replication is supported over SMTP (that is, SMTP
can be used only for inter-site, inter-domain replication). SMTP replication can be
used only for schema, configuration, and global catalog partial replica replication.
SMTP replication observes the automatically generated replication schedule.
Changing of ntds.dit file from one Drive to another
1. Boot the domain controller in Directory Services Restore Mode and log on with the
Directory Services Restore Mode administrator account and password (this is the
password you assigned during the Dcpromo process).
2. At a command prompt, type ntdsutil.exe. You receive the following prompt:
ntdsutil:
3. Type files to receive the following prompt:
file maintenance:
4. Type info. Note the path of the database and log files.
5. To move the database, type move db to %s (where %s is the target folder).
6. To move the log files, type move logs to %s (where %s is the target folder).
7. Type quit twice to return to the command prompt.
8. Reboot the computer normally, then confirm that the directory service started and
that the new folders carry the same restrictive NTFS permissions as the old ones
(SYSTEM and Administrators only); ntdsutil sets them, a hand-copied folder would not.

 
DNS
DNS (Domain Name System)
Domain Name System (DNS) is a hierarchical, distributed database that translates a
computer's fully qualified domain name into an IP address (and, through reverse
lookups, an IP address into a name).

The local DNS resolver
[Figure omitted: overview of the complete DNS query process.]
DNS Zones
Forward lookup zone - name to IP address map.
Reverse lookup zone - IP address to name map.
Primary zones - hold the read/write copy of all resource records (A, NS, SRV and so
on). An Active Directory-integrated primary zone is stored in AD, replicated with it,
and can require secure dynamic updates.
Secondary zones - hold read-only copies of a primary zone, obtained by zone transfer.
Stub Zones
Conceptually, stub zones are like secondary zones in that they hold a read-only copy
of part of a primary zone. Stub zones are more efficient and create less replication
traffic, because they carry only three kinds of record: the SOA of the primary zone,
the NS records of its authoritative servers, and the glue A records for those name
servers. When a client queries a name in the stub zone, your DNS server can send the
query to the correct name server directly, because it knows that server's A record,
instead of walking down from the root hints.

Queries
Query types are:
Reverse - getting the name from an IP address, answered from PTR records in the
reverse lookup zone. Servers use this as a sanity check on connecting clients. (The
older "inverse query" operation that searched records by value is obsolete.)
Iterative - the server gives its best answer: either the record or a referral to a
name server closer to the answer. This type of query is sent from one server to another.
Recursive - the client asks the server to obtain the complete answer on its behalf; the
server cannot reply with a referral and must return either the answer or an error,
performing the iterative queries itself.
Conditional Forwarding
Another classic use of forwarders is where a company has subsidiaries, partners or
other organizations whose names it queries regularly. Instead of going the long way
around through the root hints, the network administrators configure conditional
forwarders: queries for a given domain name are sent straight to that organization's
DNS servers.
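The zone types and the conditional forwarder described above can be set up and inspected with the DnsServer module. The PowerShell below is an added example (not from the original page): it lists the zones by type, creates a stub zone for a partner namespace and shows that it really holds only SOA, NS and glue A records, quotes the equivalent conditional forwarder, and checks which AD zones still allow nonsecure dynamic updates. It must run on or against a Windows DNS server with the DNS Server Tools installed; the partner name and addresses are assumptions.

```powershell
# Added example (not from the original page): list zones by kind, create a stub zone and a
# conditional forwarder for a partner namespace, and verify what a stub zone actually holds.
# Requires the DnsServer module; zone name and addresses are assumptions.
Import-Module DnsServer

# Primary / Secondary / Stub / Forwarder, forward and reverse, in one view
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated } |
    Format-Table ZoneName, ZoneType, IsReverseLookupZone, IsDsIntegrated, DynamicUpdate -AutoSize

$partner   = 'partner.example'
$partnerNs = '10.50.0.10', '10.50.0.11'

# Stub zone: keeps only the SOA, the NS records and the glue A records of the partner's name
# servers, refreshing them from the master, so referrals go straight to the right server.
Add-DnsServerStubZone -Name $partner -MasterServers $partnerNs -ReplicationScope Forest
Get-DnsServerResourceRecord -ZoneName $partner | Format-Table HostName, RecordType, RecordData -AutoSize

# Conditional forwarder: same routing effect, but the whole query is forwarded and the answer
# cached, and no NS list is learned from the partner. A name can be a stub zone or a
# conditional forwarder on one server, not both.
# Add-DnsServerConditionalForwarderZone -Name $partner -MasterServers $partnerNs -ReplicationScope Forest

# Dynamic update policy on the forward primary zones: 'Secure' means only authenticated
# clients may register or overwrite records; 'NonsecureAndSecure' lets anyone on the
# network claim a name, including a domain controller's.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone } |
    Format-Table ZoneName, DynamicUpdate, IsDsIntegrated -AutoSize
```

Secure dynamic update is only available on AD-integrated zones, which is one of the reasons to prefer them over file-backed primaries for the domain zone.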
Purpose of Resource Records
Without resource records DNS could not resolve queries. The mission of a DNS query is
to locate a server that is authoritative for a particular domain. The easy part is for
the authoritative server to check the name in the query against its resource records.

SOA (start of authority) record - each zone has one SOA record that identifies the
primary DNS server for the zone and carries the serial number and timers that secondary
servers use to decide when to transfer the zone.
NS (name server) record - an NS record names a DNS server that is authoritative for the
zone (the server's IP address comes from its A record). Each primary and secondary name
server authoritative for the domain should have an NS record.
A (address) record - by far the most common type of resource record, an A record is
used to resolve the FQDN of a particular host into its associated IP address.
CNAME (canonical name) record - a CNAME record contains an alias (alternate name) for
a host.
PTR (pointer) record - the opposite of an A record, a PTR record is used to resolve the
IP address of a host into its FQDN.
SRV (service) record - an SRV record is used by DNS clients to locate a server that is
running a particular service; for example, to find a domain controller so you can log
on to the network. SRV records are key to the operation of Active Directory.
MX (mail exchange) record - an MX record points to one or more computers that process
SMTP mail for an organization or site.

Where DNS resource records will be stored:
After running DCPROMO, a text file containing the appropriate DNS resource records for
the domain controller is created. The file, called Netlogon.dns, is created in the
%systemroot%\System32\config folder and contains all the records needed to register
the resource records of the domain controller. Netlogon.dns is used by the Windows 2000
Netlogon service, and it lets an administrator load the records by hand into a DNS
server that does not support dynamic update.

Procedures for changing a Server's IP Address
Once DNS and replication are set up, it is generally a bad idea to change a server's
IP address (at least according to Microsoft). Just be sure that is what you really
want to do before starting the process. It is a bit akin to changing the internal IPX
number of a Novell server, but it can be done.
1. Change the server's IP address, and at the same time update the DNS client settings
on the DC itself and on any DC or client that pointed at the old address.
2. Stop the NETLOGON service.
3. Rename or delete SYSTEM32\CONFIG\NETLOGON.DNS and NETLOGON.DNB.
4. Restart the NETLOGON service and run "ipconfig /registerdns".
5. Go to one of the other DCs and verify that its DNS now points to the new IP address
of the server. If not, change the records manually and give it 15 minutes to replicate
the DNS changes out.
6. Run REPLMON (Windows 2000/2003) or repadmin /showrepl and make sure that replication
is working now. You may have to wait a little while for things to straighten out. Give
it an hour or two if necessary.
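Step 5 above, and the earlier question on verifying SRV records after installation, are the same check: does DNS advertise every DC that AD knows about, and nothing else? The PowerShell below is an added example (not from the original page). It resolves the Netlogon SRV records for the domain and forest, compares the targets with the DC list from AD, checks that each DC's host record carries the address AD holds for it, and quotes the re-registration commands (nltest /dsregdns replaces the stop-Netlogon/delete-netlogon.dns sequence on Windows Server 2008 and later). It assumes the ActiveDirectory module on a domain member whose DNS client points at the AD DNS servers.

```powershell
# Added example (not from the original page): verify the SRV records a DC must register,
# compare them with the DCs AD knows about, and re-register if something is missing.
# Requires the ActiveDirectory module (Resolve-DnsName is built in on Windows 8/2012+).
Import-Module ActiveDirectory

function Test-DcSrvRecords {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forestRoot = (Get-ADForest).RootDomain
    # The records the Netlogon service registers (the same set written to netlogon.dns)
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",        # any DC of the domain
        "_kerberos._tcp.dc._msdcs.$Domain",    # any KDC of the domain
        "_ldap._tcp.gc._msdcs.$forestRoot",    # any GC (forest-wide)
        "_ldap._tcp.pdc._msdcs.$Domain"        # the PDC emulator
    )
    $known = @((Get-ADDomainController -Filter * -Server $Domain).HostName)
    foreach ($n in $names) {
        $srv = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'SRV' }
        $targets = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.') })
        [pscustomobject]@{
            Record         = $n
            Targets        = ($targets -join ', ')
            # DCs present in AD but absent from DNS cannot be found by clients
            MissingFromDns = (($known | Where-Object { $targets -notcontains $_ }) -join ', ')
            # Names in DNS that AD no longer knows: stale records, e.g. an old name after a change
            StaleInDns     = (($targets | Where-Object { $known -notcontains $_ }) -join ', ')
        }
    }
}
Test-DcSrvRecords | Format-Table -AutoSize

# Does each advertised host still resolve, and to the address AD reports for it?
Get-ADDomainController -Filter * | ForEach-Object {
    $a = Resolve-DnsName -Name $_.HostName -Type A -ErrorAction SilentlyContinue | Where-Object QueryType -eq 'A'
    [pscustomobject]@{
        DC    = $_.HostName
        AdIP  = $_.IPv4Address
        DnsIP = ($a.IPAddress -join ', ')
        Match = ($a.IPAddress -contains $_.IPv4Address)
    }
} | Format-Table -AutoSize

# Re-registration after a change (run on the DC itself): host records, then the Netlogon SRV set.
#   ipconfig /registerdns
#   nltest /dsregdns
# nltest /dsregdns re-registers everything in netlogon.dns without a service restart; on
# Windows 2000/2003 the stop-Netlogon, delete netlogon.dns/.dnb, start-Netlogon sequence did the same.
```

The PDC record is the one clients use for password-change retries and time, so a stale _ldap._tcp.pdc._msdcs entry after a role transfer shows up as logon delays rather than outright failures.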

If a server shows that it isn't replicating with one of its partners, there are
several issues to address:
A. Check that the servers can ping each other.
B. Make sure that both servers' DNS entries for each other point to the proper IP
addresses.
C. If server A says it replicated fine, but server B says it couldn't contact server
A, check the DNS setup on server B. Chances are it has a record for server A pointing
to the wrong place.
D. Run Netdiag (Windows 2000/2003; dcdiag on later versions) and see if it reports
any errors or problems.
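The four checks A to D, run as one script with the tools that replaced Replmon and Netdiag, as an added example that is not part of the original page. For every DC it tests the ports replication and authentication need, confirms the DNS answer matches the address AD holds, and reads the DC's own replication failures and partner metadata (including the USN values that drive multimaster replication). It assumes the ActiveDirectory module on a machine with RSAT and network reach to every DC.

```powershell
# Added example (not from the original page): the page's checks (reachability, DNS, replication
# status) as one script, using the AD replication cmdlets, repadmin and dcdiag in place of
# Replmon and Netdiag. Requires the ActiveDirectory module on a machine with RSAT.
Import-Module ActiveDirectory

function Test-DcReplicationHealth {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # A: can we reach the DC on the ports replication and authentication need?
        $ports = foreach ($p in 88, 135, 389, 445) {
            $open = Test-NetConnection -ComputerName $dc.HostName -Port $p -WarningAction SilentlyContinue -InformationLevel Quiet
            '{0}={1}' -f $p, $(if ($open) { 'open' } else { 'CLOSED' })
        }
        # B: does the name resolve to the address AD holds for it?
        $dns = (Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue |
                Where-Object QueryType -eq 'A').IPAddress
        # C/D: what does the DC itself say about its inbound partners?
        $fail = @(Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue)
        $meta = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue)
        $worst = $fail | Sort-Object FailureCount -Descending | Select-Object -First 1
        [pscustomobject]@{
            DC              = $dc.HostName
            Site            = $dc.Site
            Ports           = ($ports -join ' ')
            DnsMatchesAd    = ($dns -contains $dc.IPv4Address)
            InboundPartners = $meta.Count
            OldestSuccess   = ($meta | Sort-Object LastReplicationSuccess | Select-Object -First 1).LastReplicationSuccess
            Failures        = $fail.Count
            WorstPartner    = if ($worst) { '{0}: error 0x{1:X} ({2} attempts)' -f $worst.Partner, $worst.LastError, $worst.FailureCount }
        }
    }
}
Test-DcReplicationHealth | Format-Table -AutoSize

# Per-partition, per-partner view including the USN high-watermark each partner has reached
Get-ADReplicationPartnerMetadata -Target (Get-ADDomain).PDCEmulator -Partition * |
    Format-Table Partner, Partition, LastReplicationSuccess, LastChangeUsn, ConsecutiveReplicationFailures -AutoSize

# Command-line equivalents:
#   repadmin /replsummary              forest-wide failure summary
#   repadmin /showrepl <dc> /verbose   inbound neighbours with last attempt and result
#   repadmin /syncall /AdeP            push a full sync of all partitions from a DC
#   dcdiag /test:replications /test:dns /v    the checks Netdiag used to do, and more
```

A DC that answers on 389 but not 135 will fail replication with RPC errors while LDAP queries still work, which is the classic firewall case; Ports in the output separates that from a DNS problem (DnsMatchesAd false) at a glance.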

Trust Relationship
- One way trust - one domain allows access to users of another domain, but the other
domain does not allow access to users of the first domain.
- Two way trust - two domains each allow access to users of the other domain.
- Trusting domain - the domain that allows access to users of another domain (the
resource side).
- Trusted domain - the domain that is trusted, whose users have access to the trusting
domain (the account side).
- Transitive trust - a trust which extends beyond two domains to other domains they
trust; all parent/child and tree-root trusts inside a forest are transitive, so every
domain in a forest trusts every other.
- Non-transitive trust - a trust that does not extend beyond the two domains it joins.
- Explicit (external) trust - a trust that an administrator creates between a domain in
one forest and a domain in another forest or an NT 4.0 domain. It is non-transitive
and can be one way or two way.
- Cross-link trust - an explicit trust between domains in different trees, or in the
same tree where no descendant/ancestor (child/parent) relationship exists between the
two domains; the Windows 2000 name for what Windows Server 2003 calls a shortcut trust.
- Forest trust - when two forests are both at the Windows Server 2003 forest functional
level, you can use a forest trust to join the forests at their root domains; it is
transitive within the two forests but does not extend to a third forest.
- Shortcut trust - when domains that authenticate users are logically distant from one
another, the process of logging on to the network can take a long time. You can
manually add a shortcut trust between two domains in the same forest to speed
authentication. Shortcut trusts are transitive and can be either one way or two way.
SID filtering (quarantine) is enabled by default on external and forest trusts so that
SIDs in the SID history of accounts on the trusted side are not honoured on the
trusting side; disabling it lets an administrator of the trusted domain claim
membership of groups in the trusting domain.

Windows 2000 only supports the following types of trusts:
- Two way transitive trusts (inside the forest)
- One way non-transitive trusts (to external domains)
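The trust types above are encoded in the trustedDomain object's attributes, and a trust review is mostly a matter of decoding them. As an added example (not from the original page), the PowerShell below lists every trust the domain has, reports direction, type, transitivity and intra-forest versus external versus forest scope, and flags the settings a reviewer looks for: SID filtering relaxed, selective authentication off, and TGT delegation allowed across a forest trust. The netdom lines at the end show the corresponding remediation; the partner domain name is an assumption. For forest trusts, SID filtering relaxed is read from the TREAT_AS_EXTERNAL bit (0x40) of trustAttributes, which netdom /EnableSIDHistory:yes sets.

```powershell
# Added example (not from the original page): enumerate every trust, decode direction and
# transitivity, and flag the security settings a reviewer checks. Requires the ActiveDirectory
# module; the partner name in the remediation lines is an assumption.
Import-Module ActiveDirectory

function Get-TrustReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $forest = [bool]$_.ForestTransitive
        [pscustomobject]@{
            Partner          = $_.Name
            # Inbound = they trust us (our users use their resources); Outbound = we trust them;
            # BiDirectional = two way
            Direction        = $_.Direction
            Type             = $_.TrustType            # Uplevel (AD), Downlevel (NT4), MIT (Kerberos realm)
            IntraForest      = [bool]$_.IntraForest    # parent/child, tree-root or shortcut trust
            ForestTrust      = $forest
            Transitive       = -not $_.DisallowTransivity   # attribute name is spelled this way in AD
            # External trusts: SIDFilteringQuarantined true = SID filtering enforced.
            # Forest trusts: filtering is on unless TREAT_AS_EXTERNAL (0x40) was set to allow SID history.
            SidFiltering     = if ($forest) { (($_.TrustAttributes -band 0x40) -eq 0) } else { [bool]$_.SIDFilteringQuarantined }
            SelectiveAuth    = [bool]$_.SelectiveAuthentication
            TgtDelegation    = [bool]$_.TGTDelegation   # true = unconstrained delegation works across the trust
            Created          = $_.Created
        }
    }
}

$trusts = Get-TrustReport
$trusts | Format-Table Partner, Direction, Type, IntraForest, ForestTrust, Transitive, SidFiltering, SelectiveAuth, TgtDelegation -AutoSize

# Review findings: only external and forest trusts matter here; intra-forest trusts have no SID filtering by design
$trusts | Where-Object { -not $_.IntraForest -and (-not $_.SidFiltering -or $_.TgtDelegation -or -not $_.SelectiveAuth) } |
    Format-Table Partner, Direction, SidFiltering, SelectiveAuth, TgtDelegation -AutoSize

# Remediation (run in the trusting domain; partner.example is an assumption):
#   netdom trust corp.example /domain:partner.example /quarantine:yes          external trust: enforce SID filtering
#   netdom trust corp.example /domain:partner.example /EnableSIDHistory:no     forest trust: disallow SID history
#   netdom trust corp.example /domain:partner.example /SelectiveAuth:yes       require explicit Allowed to Authenticate
#   netdom trust corp.example /domain:partner.example /EnableTGTDelegation:no  block unconstrained delegation across the trust
```

Selective authentication is the one setting that changes day-to-day behaviour: once it is on, users from the trusted forest get access only to servers whose computer objects grant them Allowed to Authenticate, so enable it with an inventory of those servers in hand.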
