Active Directory Enables Single Sign On To Access Resources On The Network Such As Desktops

Active Directory enables single sign-on access to network resources and provides security and scalability. Functional levels allow coexistence of AD versions and control advanced features. Windows Server supports different functional levels. FSMO roles manage unique aspects of domains and forests to prevent conflicts.


 Active Directory enables single sign-on to access resources on the network such as
desktops, shared files, printers etc. Active Directory provides advanced security for the entire
network and its resources. Active Directory is more scalable and flexible for
administration.
 Functional levels allow the coexistence of Active Directory versions such as Windows NT,
Windows 2000 Server, Windows Server 2003 and Windows Server 2008. The functional
level of a domain or forest controls which advanced features are available in the domain or
forest. Although the lowest functional levels allow coexistence with legacy Active Directory, they
disable some of the newer features of Active Directory. If you are setting up a new Active
Directory environment with the latest version of Windows Server and AD, you can set the
highest functional level, so that all the new AD functionality is enabled.
 Windows Server 2003 Domain Functional Levels: Windows 2000 mixed (default),
Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.
Forest Functional Levels: Windows 2000 (default), Windows Server 2003 interim, and Windows
Server 2003.
 Windows Server 2008 Domain Functional Levels: Windows 2000 Native, Windows
Server 2003, Windows Server 2008, Windows Server 2008 R2.
Forest Functional Levels: Windows 2000, Windows Server 2008, Windows Server 2008 R2.
 It is possible to take a backup copy of an existing Domain Controller and restore it on a
Windows Server machine at a remote location with a slow WAN link.
 Active Directory is designed for server operating systems and cannot be installed on
Windows 7.
 Windows Server operating system. Free hard disk space on an NTFS partition.
Administrator privileges on the computer. Network connection with IP address, subnet
mask, gateway and DNS address. A DNS server, which can be installed along with the first
Domain Controller. Windows Server installation CD or i386 folder.
 Flexible Single-Master Operation (FSMO) roles handle the tasks that are not suited to
multi-master replication. Each role manages one aspect of the domain or forest and is held by a
single domain controller, which prevents conflicts. There are 5 FSMO roles: the Schema
Master and Domain Naming Master roles are held by a single domain controller in the
forest, and the PDC, RID Master and Infrastructure Master roles are held by a single domain
controller in each domain.
 The Infrastructure Master role is a domain-specific role whose purpose is to ensure that cross-
domain object references are correctly handled. For example, if you add a user from one
domain to a security group from a different domain, the Infrastructure Master makes sure this
is done properly. The Infrastructure Master has no work to do in a single-domain
environment. If the domain controller holding the Infrastructure Master role goes down in a single-
domain environment, there is no impact at all. In a complex environment with
multiple domains, it may impact creation and modification of groups and group authentication.
 Schema Master role and Domain Naming Master role.
 PDC Emulator
 You should be a member of the Enterprise Admins group or the Domain Admins group. You
should also be a member of the local Administrators group of the member server which you are
going to promote as an additional Domain Controller.
 Use the netdom query /domain:YourDomain FSMO command. It lists all the domain controllers
holding FSMO roles.
 No, there should be only one Domain Controller handling the RID Master role in a domain.
 There should be only one Domain Controller handling the Infrastructure Master role in a
domain. Hence, if you have two domains in a forest, you can configure two Infrastructure
Masters, one in each domain.
 If the PDC Emulator crashes, there is an immediate impact on the environment. User
authentication will fail because password changes won't take effect, and there will be frequent
account lockout issues. Network time synchronization will be impacted. It will also impact
DFS consistency and Group Policy replication.
 Domain controllers and sites. Domain controllers are physical computers running the
Windows Server operating system and the Active Directory database. A site is a network
segment based on geographical location, and each site can contain multiple domain
controllers.
 Domains, Organizational Units, trees and forests are logical components of Active
Directory.
 Active Directory database is divided into different partitions such as Schema partition,
Domain partition, and Configuration partition. Apart from these partitions, we can create
Application partition based on the requirement.
 Adding one group as a member of another group is called 'group nesting'. This helps
with easier administration and reduces replication traffic.
 Group types are categorized based on the nature of the group. There are two group types: Security
Groups and Distribution Groups. Security groups are used to apply permissions to resources,
whereas distribution groups are used to create Exchange server email communication
groups. Group scopes are categorized based on usage. There are three group scopes:
Domain Local Group, Global Group and Universal Group.
 Domain local groups are mainly used for granting access to network resources. A Domain
local group can contain accounts from any domain, global groups from any domain and
universal groups from any domain. For example, if you want to grant permission on a printer
located in Domain A to 10 users from Domain B, create a Global group in Domain B
and add all 10 users to that Global group. Then create a Domain local group in Domain A,
add the Global group of Domain B to the Domain local group of Domain A, and finally add the Domain
local group of Domain A to the printer's (Domain A) security ACL.
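
The printer scenario in this answer, modelled in Python with the group-scope rules enforced and the nesting expanded (an added example with constructed domain, user, group and printer names; not code from the original page):

```python
"""AGDLP chain with native-mode scope rules (constructed data).
Rules enforced: a Global group holds only users and Global groups from its
own domain; a Universal group holds users, Global and Universal groups from
any domain; a Domain Local group holds users and Global/Universal groups from
any domain plus Domain Local groups from its own domain, and may only be
placed on ACLs of resources in its own domain."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    domain: str


@dataclass(eq=False)
class Group:
    name: str
    domain: str
    scope: str  # "Global", "Universal" or "DomainLocal"
    members: list = field(default_factory=list)

    def may_contain(self, member) -> bool:
        if isinstance(member, User):
            return self.scope != "Global" or member.domain == self.domain
        if self.scope == "Global":
            return member.scope == "Global" and member.domain == self.domain
        if self.scope == "Universal":
            return member.scope in ("Global", "Universal")
        return member.scope != "DomainLocal" or member.domain == self.domain

    def add(self, member) -> None:
        if not self.may_contain(member):
            raise ValueError(f"{self.scope} group {self.name} cannot contain "
                             f"{member.name} from domain {member.domain}")
        self.members.append(member)


@dataclass(eq=False)
class Resource:
    name: str
    domain: str
    acl: list = field(default_factory=list)  # groups granted access

    def grant(self, group: Group) -> None:
        if group.scope == "DomainLocal" and group.domain != self.domain:
            raise ValueError("Domain Local groups are usable only in their own domain")
        self.acl.append(group)


def effective_members(group: Group, seen=None) -> set:
    """Expand group nesting recursively; nesting cycles are tolerated."""
    seen = set() if seen is None else seen
    users = set()
    for m in group.members:
        if isinstance(m, User):
            users.add(m)
        elif id(m) not in seen:
            seen.add(id(m))
            users |= effective_members(m, seen)
    return users


def has_access(user: User, resource: Resource) -> bool:
    return any(user in effective_members(g) for g in resource.acl)


def build_agdlp_scenario():
    """10 users in Domain B need a printer in Domain A (constructed names)."""
    users_b = [User(f"user{i:02d}", "B") for i in range(10)]
    gg_b = Group("Printer-Users", "B", "Global")
    for u in users_b:
        gg_b.add(u)
    dl_a = Group("Printer1-Print", "A", "DomainLocal")
    dl_a.add(gg_b)                      # Global group of B nested in DL of A
    printer = Resource("Printer1", "A")
    printer.grant(dl_a)                 # only the DL group goes on the ACL
    return users_b, gg_b, dl_a, printer
```
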
 Active Directory is backed up along with System State data. System State data includes the
local registry, COM+, boot files, NTDS.DIT and the SYSVOL folder. System State can be
backed up either using Microsoft's default NTBACKUP tool or third-party tools such as
Symantec NetBackup, IBM Tivoli Storage Manager etc.
 There are two types of Active Directory restores, Authoritative restore and Non-
Authoritative restore.
 Non-authoritative means a normal restore of a single Domain Controller in case that
particular domain controller's OS or hardware crashed. After the non-authoritative restore
completes, the domain controller compares its database with peer domain controllers in the network and accepts all
the directory changes that have been made since the backup. This is done through multi-
master replication.
Whereas, in an authoritative restore, the restored database of a Domain Controller is forcefully
replicated to all the other domain controllers. An authoritative restore is performed to recover an
Active Directory resource or object (e.g. an Organizational Unit) which was accidentally deleted and
needs to be restored.
 We can use the NTDSUTIL command line tool to perform an authoritative restore of Active
Directory. First, start a domain controller in 'Directory Service Restore Mode'. Then restore
the System State data of the Domain Controller using the NTBACKUP tool. This is a non-authoritative
restore. Once the non-authoritative restore is completed, we have to perform the authoritative restore
immediately, before restarting the Domain Controller.
Open a command prompt, type NTDSUTIL and press Enter, then type authoritative restore and
press Enter, then type restore database and press Enter, click OK and then click Yes. This will
restore all the data in authoritative restore mode. If you want to restore only a specific object
or sub-tree, type the command below instead of 'restore database'.
restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
 Authoritative restore, Configurable settings, Partition management, Set DSRM Password
etc.
 A tombstone is a container object for items deleted from the Active Directory database: even
when objects are deleted, they are kept hidden in the Active Directory database for a specific
period. This period is known as the tombstone lifetime. The tombstone lifetime is 180 days on
Windows Server 2003 SP1 and later versions of Windows Server.
 Garbage collection is a process of Active Directory. This process starts by removing the
remains of previously deleted objects from the database. These objects are known as
tombstones. Then, the garbage collection process deletes unnecessary log files, and finally the
process starts a defragmentation thread to reclaim additional free space. The garbage collection
process runs on all domain controllers at an interval of 12 hours.
 In the multimaster replication method, replication conflicts can happen. Objects with
replication conflicts are stored in a container called the 'Lost and Found' container. This
container is also used to store orphaned user accounts and other objects.
 The Lost and Found container can be viewed by enabling Advanced Features from the View menu
of the Active Directory Users and Computers MMC.
 Yes, it is included.
 [Never say no] We had set up an additional domain for a new subsidiary of the firm, and I
was a member of the team that handled installation and configuration of domain controllers
for the sub-domain. [or] I was supporting an existing Active Directory network environment
of the company, but I have installed and configured Active Directory in a test environment on
several occasions.
 No one installs Active Directory in a cluster. There is no need to cluster a domain
controller, because Active Directory provides total redundancy with two or more servers.
 Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore
accidentally deleted Active Directory objects without using a backed-up AD database,
rebooting the domain controller or restarting any services.
 Read-only domain controller (RODC) is a feature of the Windows Server 2008 operating
system. An RODC is a read-only copy of the Active Directory database and can be deployed in a
remote branch office where physical security cannot be guaranteed. An RODC provides
improved security and faster logon time for the branch office.
 To find out forest and domain functional levels in GUI mode, open ADUC, right-click on
the domain name and select Properties. Both domain and forest functional levels are listed
there. To find out forest and domain functional levels from the command line, you can use the DSQUERY command.
 KCC stands for Knowledge Consistency Checker. It is a process
running on all domain controllers, and it generates and maintains the replication topology for
replication within sites and between sites.
 We can use command line tools such as repadmin and dcdiag. GUI tool REPLMON can
also be used for replication monitoring and troubleshooting.
 SYSVOL is a folder that exists on each domain controller and contains Active Directory
related files and folders. SYSVOL mainly stores important elements of Group Policy Objects
and scripts, and it is replicated among domain controllers using the File Replication
Service (FRS).
 Kerberos is a network authentication protocol. Active Directory uses Kerberos for user
and resource authentication and trust relationship functionality. Kerberos uses port number
88.
 All versions of Windows Server Active Directory use Kerberos 5.
 Kerberos 88, LDAP 389, DNS 53, SMB 445.
 FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of the domain
name system which points to a device in the domain at its left-most end. For example in
system.
 Dsadd - adds an object to the directory; Dsget - displays requested properties of an
object in AD; Dsmove - moves an object from one location to another in the
directory; Dsquery - queries for specific objects.
 A tree in Active Directory is a collection of one or more domains which are
interconnected and share global resources with each other. If a tree has more than one domain, it
will have a contiguous namespace. When we add a new domain to an existing tree, it is
called a child domain.
A forest is a collection of one or more trees which trust each other and share a common
schema. It also shares a common configuration and global catalog. When a forest contains more
than one tree, the trees will not form a contiguous namespace.
 Replication between domain controllers inside a single site is called intrasite replication,
whereas replication between domain controllers located in different sites is called intersite
replication. Intrasite replication is very frequent, whereas intersite replication happens
at a specific interval and in a controlled fashion, to preserve network bandwidth.
 A shortcut trust is a manually created transitive trust which is configured to enable a fast and
optimized authentication process. For example, if we create a shortcut trust between two
domains of different trees, they can quickly authenticate each other without traversing
the entire chain of parent domains. A shortcut trust can be either one-way or two-way.
 Selective authentication is generally used in forest trust and external trusts. Selective
authentication is a security setting which allows administrators to grant access to shared
resources in their organization’s forest to a limited set of users in another organization’s
forest. Selective authentication method can decide which groups of users in a trusted forest
can access shared resources in the trusting forest.
 Trusts can be categorized by their nature: two-way or one-way
trust, implicit or explicit trust, transitive or non-transitive trust. Trusts can also be categorized by
type, such as parent and child, tree root trust, external trust, realm trust, forest trust and
shortcut trust.
 ADAC - Active Directory Administrative Center is a new GUI tool that came with Windows
Server 2008 R2 and provides an enhanced data management experience to the admin. ADAC
helps administrators perform common Active Directory object management tasks across
multiple domains from the same ADAC instance.
 ADSIEDIT - Active Directory Service Interfaces Editor is a GUI tool which is used to
perform advanced AD object and attribute management. This Active Directory tool helps us
to view objects and attributes that are not visible through the normal Active Directory
management consoles. ADSIEDIT can be downloaded and installed along with the Windows
Server 2003 Support Tools.
 This is due to domain functional level. If domain functional level of Windows Server
2003 AD is Windows 2000 Mixed, Universal Group option will be greyed out. You need to
raise domain functional level to Windows 2000 native or above.
 ADMT - Active Directory Migration Tool, is a tool which is used for migrating Active
Directory objects from one domain to another. ADMT is an effective tool that simplifies the
process of migrating users, computers, and groups to new domains.
 When a domain controller is disconnected for a period that is longer than the tombstone
lifetime, one or more objects that are deleted from Active Directory on all other domain
controllers may remain on the disconnected domain controller. Such objects are called
lingering objects. Lingering objects can be removed from Windows Server 2003 or 2008
using the REPADMIN utility.
 The Global Catalog is a container which contains a searchable partial replica of all objects
from all domains of the forest, and a full replica of all objects from the domain where it is
situated. The Global Catalog is stored on domain controllers that have been designated as
Global Catalog servers and is distributed through multimaster replication. Global Catalogs are
mostly used in multidomain, multisite and complex forest environments, whereas the Global
Catalog does not function in a single-domain forest.

 In a forest that contains only a single Active Directory domain, there is no harm in placing
both the GC and the Infrastructure Master on the same DC, because the Infrastructure Master does not have
any work to do in a single-domain environment. But in a forest with a multiple and complex
domain structure, the Infrastructure Master should be located on a DC which is not a Global
Catalog server. Because the Global Catalog server holds a partial replica of every object in the
forest, the Infrastructure Master, if placed on a Global Catalog server, will never update
anything, because it does not contain any references to objects that it does not hold.
 Command line method: nslookup gc._msdcs.<forest root DNS Domain Name>, or nltest
/dsgetdc:corp /GC. GUI method: open DNS management, and under ‘Forward Lookup
Zone’, click on the GC container. To check whether a server is a GC or not, go to the Active Directory Sites
and Services MMC and under the ‘Servers’ folder, take properties of NTDS Settings of the
desired DC and check whether the Global Catalog option is ticked.
 As per Microsoft, a single AD domain controller can create around 2.15 billion objects
during its lifetime.
 When a user enters a user name and password, the computer sends the user name to the
KDC. The KDC contains a master database of unique long term keys for every principal in its
realm. The KDC looks up the user's master key (KA), which is based on the user's password.
The KDC then creates two items: a session key (SA) to share with the user and a Ticket-
Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an
expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which
only the KDC knows. The client computer receives the information from the KDC and runs
the user's password through a one-way hashing function, which converts the password into
the user's KA. The client computer now has a session key and a TGT so that it can securely
communicate with the KDC. The client is now authenticated to the domain and is ready to
access other resources in the domain by using the Kerberos protocol.
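
The exchange described above, modelled as runnable Python (an added example, not part of the original page). The key derivation, the cipher and the KDC database are constructed simplifications stated in the docstring, and the names KDC, seal, unseal and client_logon are chosen here:

```python
"""Toy model of the Kerberos AS exchange (constructed, not a real KDC).
KA is derived with the PBKDF2 step of the RFC 3962 AES string-to-key (the
final key-folding step is omitted); a keystream-plus-HMAC construction
stands in for the real Kerberos encryption types. Real KDCs also normally
require pre-authentication before issuing the TGT; that is not modelled."""
import hashlib
import hmac
import json
import os
import time


def string_to_key(password: str, realm: str, user: str) -> bytes:
    """Both sides derive KA from the password; the salt is realm + principal."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               (realm + user).encode("utf-8"), 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, data: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    plain = json.dumps(data, sort_keys=True).encode("utf-8")
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, "sha256").digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Fails closed: a wrong key gives a tag mismatch, never garbage plaintext."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("bad key or tampered ciphertext")
    plain = bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(plain.decode("utf-8"))


class KDC:
    """Holds KKDC (known only to the KDC) and the long-term keys of its realm."""

    def __init__(self, realm: str):
        self.realm = realm
        self.k_kdc = os.urandom(32)
        self.db = {}  # principal name -> KA (stored at enrolment)

    def enroll(self, user: str, password: str) -> None:
        self.db[user] = string_to_key(password, self.realm, user)

    def as_exchange(self, user: str):
        """AS-REQ carries only the name; the reply holds the TGT (under KKDC)
        and the client's copy of the session key SA (under KA)."""
        ka = self.db[user]
        sa = os.urandom(32).hex()
        expiry = int(time.time()) + 10 * 3600
        tgt = seal(self.k_kdc, {"sa": sa, "user": user, "exp": expiry})
        enc_part = seal(ka, {"sa": sa, "exp": expiry})
        return tgt, enc_part

    def open_tgt(self, tgt: bytes) -> dict:
        """Only the KDC can read the TGT, later in the TGS exchange."""
        return unseal(self.k_kdc, tgt)


def client_logon(kdc: KDC, user: str, password: str):
    """Client side: derive KA from the typed password and recover SA.
    A wrong password raises ValueError: no SA, so the TGT is unusable."""
    tgt, enc_part = kdc.as_exchange(user)
    ka = string_to_key(password, kdc.realm, user)
    sa = unseal(ka, enc_part)["sa"]
    return sa, tgt
```
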
 Lightweight Directory Access Protocol (LDAP) is an Internet standard protocol which is
used as a standard protocol for Active Directory functions. It runs directly over TCP, and can
be used to access a standalone LDAP directory service or to access a directory service that is
back-ended by X.500.
 Active Directory related files are by default located at %SystemRoot%\ntds folder.
NTDS.DIT is the main Active Directory database file. Apart from this other files such as
EDB.LOG, EDB.CHK, RES1.LOG, TEMP.EDB etc. are also located at the same folder.
 Global Catalog servers produce a lot of traffic related to the replication process. Therefore,
making all the domain controllers in the forest Global Catalog servers will cause network
bandwidth problems. GCs should be placed based on network bandwidth and user or
application requirements.

Netdom is used to manage Active Directory domains and trust relationships from the
command prompt. Some of the Netdom functions include: joining a computer to a
domain, establishing one-way or two-way trust relationships between domains,
managing trust relationships between domains, and managing the primary and alternate
names for a computer.

65. Role seizure is the action of assigning an operations master role to a new domain
controller without the support of the existing role holder (generally because it is
offline due to a hardware failure). During role seizure, a new domain controller
assumes the operations master role without communicating with the existing role
holder. Role seizure can be done using repadmin.exe and Ntdsutil.exe commands.

66. Inter-Site Topology Generator. One domain controller per site holds the Inter-
Site Topology Generator (ISTG) role, which is responsible for managing the inbound
replication connection objects for all bridgehead servers in the site in which it is
located.

67. Yes, this is possible using PowerShell, with the help of the
LastLogonTimeStamp attribute. Cmdlets and pipelines such as Get-ADUser, Where-Object and
LastLogonDate can be used to get inactive users.
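
The inactive-user check as an added Python example (not part of the original answer, and not the Get-ADUser pipeline it names). The records are constructed; the only AD specifics used are the FILETIME format of lastLogonTimestamp and the default msDS-LogonTimeSyncInterval:

```python
"""Inactive-account report from lastLogonTimestamp (constructed records).
The attribute is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
(PowerShell's LastLogonDate is the converted form). A DC only writes it
back when the stored value is more than 9 to 14 days old
(msDS-LogonTimeSyncInterval, default 14), so the true last logon may be
up to 14 days later than the stamp says."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SYNC_SLACK = timedelta(days=14)  # default msDS-LogonTimeSyncInterval


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """0 means no logon has ever been recorded in the attribute."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Integer arithmetic only: float seconds lose precision at 1e17 ticks."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def inactive_users(records: List[dict], now: datetime,
                   threshold_days: int = 90) -> List[str]:
    """Enabled users whose last logon is certainly older than the threshold.
    Disabled accounts are skipped; a missing or zero stamp counts as inactive."""
    cutoff = now - timedelta(days=threshold_days)
    stale = []
    for rec in records:
        if not rec.get("enabled", True):
            continue
        raw = rec.get("lastLogonTimestamp")
        if not raw:
            stale.append(rec["sAMAccountName"])
            continue
        last = filetime_to_datetime(raw)
        # The real last logon lies in [last, last + SYNC_SLACK]; report the
        # account only when even the latest possible logon is past the cutoff.
        if last + SYNC_SLACK < cutoff:
            stale.append(rec["sAMAccountName"])
    return sorted(stale)


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed "today" for the demo
SAMPLE = [  # constructed records in the shape an LDAP query would return
    {"sAMAccountName": "alice", "enabled": True,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "bob", "enabled": True,  # 95 days: inside the slack
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=95))},
    {"sAMAccountName": "carol", "enabled": True,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "dave", "enabled": True, "lastLogonTimestamp": 0},
    {"sAMAccountName": "svc-old", "enabled": False,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "erin", "enabled": True},  # attribute never set
]

if __name__ == "__main__":
    print(inactive_users(SAMPLE, NOW))  # ['carol', 'dave', 'erin']
```
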

68. GPO applies in this order – Local Policy, Site, Domain, and Organizational Units.

69. CSVDE and LDIFDE are used to Import or Export Active Directory data to a file.
CSV (comma-separated value) format files can be read with MS Excel and are
simply altered with a batch script. LDIF files (Ldap Data Interchange Format) are a
cross-platform standard.

70. A user object is an object that is a security principal in the directory. A user can
log on to the network with these authorizations, and access permissions can be
granted to users. A contact object is an account that does not have any security
permissions. You cannot log on to the network as a contact. Contacts are normally
used to represent outside users for the purpose of e-mail.

71. A bridgehead server is a domain controller in each site which is used as an
interaction point to obtain and replicate data between sites. For intersite
replication, the KCC designates one of the domain controllers as the bridgehead server. In
case that server is down, the KCC designates another domain controller.
When a bridgehead server obtains replication updates from another site, it
replicates the data to the other domain controllers within its site.

72. Active Directory replication occurs between domain controllers when directory
data is updated on one domain controller and that update is replicated to all other
domain controllers. When a change in directory data occurs, the source domain
controller sends out a notice that its directory store now contains updated data.
The domain controller’s replication partners then send a request to the source
domain controller to receive those updates. Usually, the source domain controller
sends out a change notification after a delay. However, any delay in replication
can result in a security risk for certain types of changes. Urgent replication
ensures that critical directory changes are immediately replicated, including
account lockouts, changes in the account lockout policy, changes in the domain
password policy, and changes to the password on a domain controller account.

73. A realm trust is a transitive or non-transitive, one-way or two-way trust used to
form a trust relationship between a non-Windows Kerberos realm and a Windows
Server 2003 domain. This trust relationship allows cross-platform interoperability
with security services based on other Kerberos V5 implementations, such as UNIX and MIT
implementations.

74. An Active Directory structure is an arrangement of information about objects.
The objects fall into two broad categories: resources (e.g., printers) and security
principals (user or computer accounts and groups). Security principals are assigned
unique security identifiers (SIDs). Each object represents a single entity (a
user, a computer, a printer, or a group) and its attributes. Certain objects can
contain other objects. An object is uniquely identified by its name and has a set of
attributes (the characteristics and information that the object represents)
defined by a schema, which also determines the kinds of objects that can be
stored in Active Directory.

75. Adding a custom attribute involves modification of the Active Directory schema, which
requires the modifying user to be a member of the Schema Administrators and
Enterprise Administrators groups. By default, the Administrator account is a
member of the Schema Administrators group. You can use adsiedit.msc or
schmmgmt.msc to modify the properties of an AD object.

76. When a new domain user or group account is created, Active Directory stores the
account's SID in the Object-SID (objectSID) property of a User or Group object. It
also allocates the new object a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are
assigned to every object created by Active Directory. Each object's GUID is stored
in its Object-GUID (objectGUID) property.

77. Dcpromo

78. Yes. Keeping your Active Directory as simple as possible will help improve overall
efficiency, and it will make the troubleshooting process easier whenever problems
arise. Use the appropriate site topology. Use dedicated domain controllers. Have
at least two DNS servers. Place at least one global catalog server in each site.

79. There are many changes in Active Directory from the 2003 version to the 2008 version.
For example, Active Directory is now a service that can be restarted. RODC is a new type of
DC introduced in Windows 2008. Group Policy preference mode is introduced. A
number of new AD templates have been introduced in 2008. DFS is used for
replication instead of the FRS used in 2003. Windows Server 2008 AD includes new features
such as Active Directory Recycle Bin, Active Directory Administrative Center,
Active Directory Web Services, offline domain join etc.

80. In order to configure a Windows Server 2008 R2 Domain Controller within a Windows
2003 network, we need to check that the Domain Functional Level is set to at least
Windows 2000 native mode. But the preferred Domain Functional Level is Windows
Server 2003. When it is set to Windows Server 2003 mode, and you have only one
domain in the forest or each domain has only Windows 2003 Domain Controllers,
you are also able to raise the Forest Functional Level to Windows Server 2003 to use
a Read-Only Domain Controller (RODC) within your network.
