Windows admin interview questions

Describe how the DHCP lease is obtained.

It’s a four-step process consisting of (a) IP request, (b) IP offer, © IP selection and
(d) acknowledgement.

I can’t seem to access the Internet, don’t have any access to the corporate network and on
ipconfig my address is 169.254.*.*. What happened?
The 169.254.*.* net mask is assigned to Windows machines running 98/2000/XP if the DHCP server
is not available. The name for the technology is APIPA (Automatic Private Internet Protocol
Addressing).

We’ve installed a new Windows-based DHCP server, however, the users do not seem to be
getting DHCP leases off of it.
The server must be authorized first with the Active Directory.

How can you force the client to give up the dhcp lease if you have access to the client PC?
ipconfig /release

What authentication options do Windows 2000 Servers have for remote clients?
PAP, SPAP, CHAP, MS-CHAP and EAP.

What are the networking protocol options for the Windows clients if for some reason you do
not want to use TCP/IP?
NWLink (Novell), NetBEUI, AppleTalk (Apple).

What is binding order?

The order by which the network protocols are used for client-server communications. The most
frequently used protocols should be at the top.

How do cryptography-based keys ensure the validity of data transferred across the network?
Each IP packet is assigned a checksum, so if the checksums do not match on both receiving and
transmitting ends, the data was modified or corrupted.

Should we deploy IPSEC-based security or certificate-based security?

They are really two different technologies. IPSec secures the TCP/IP communication and protects
the integrity of the packets. Certificate-based security ensures the validity of authenticated clients
and servers.

What is LMHOSTS file?

It’s a file stored on a host machine that is used to resolve NetBIOS to specific IP addresses.

What’s the difference between forward lookup and reverse lookup in DNS?
Forward lookup is name-to-address, the reverse lookup is address-to-name.

How can you recover a file encrypted using EFS?

Use the domain recovery agent.

What is the Difference between Windows 2003 standard Enterprise, Premium, Data center
and Web Edition?
WEB EDITION:
To position windows server 2003 more competitively against other web servers, Microsoft has
released a stripped-down-yet-impressive edition of windows server 2003 designed specially for web
services. the feature set and licensing allows customers easy deployment of web pages, web sites,
web applications and web services.

Web Edition supports 2GB of RAM and a two-way symmetric multiprocessor(SMP). It provides
unlimited anonymous web connections but only 10 inbound server message
block(SMB) connections, which should be more than enough for content
publishing. The server cannot be an internet gateway, DHCP or fax server. Although you can
remotely administer the server with Remote Desktop, the server cannot be a terminal

server in the traditional sense. The server can belong to a domain, but cannot be a domain controller.
The included version of the microsoft SQL server database Engine can support as many as 25
concurrent connections.

How do you recover an object in Active Directory, which is accidentally deleted by you, with
no backup?
Using ntdsutil.exe command,we can restored the AD objects.

What is the Logical / Physical Structures of the AD Environment?

physical structure:

Forest, Site, Domain, DC

logical structure:
Schema partition, configuration partition, domain partition and application partition

How to change the windows xp product key if wrongly installed with other product key but
you have original product key? What you will do to Make your os as Genuine?
Some third party software are available for this function or reinstall this system

If 512mb Ram is there what will be the minimum and maximum Virtual memory for the
system?
To workout the total virtual memory (page file) required for windows XP you should take the amount
of ram in the system and + 25% (512MB + 25% (128MB) = 640MB total virtual memory. by setting
both the min and max to 640MB you can increase the performances of the operating system.

What is LDAP?
LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other
programs use to look up information from a server.

What is the SYSVOL folder?

The Sysvol folder on a Windows domain controller is used to replicate file-based data among
domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file
system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file
system (DFS) forest.

What are application partitions? When do we use them?

Application Directory Partition is a partition space in Active Directory which an application
can use to store that application specific data. This partition is then replicated only to some
specific domain controllers.The application directory partition can contain any type of data except
security principles (users, computers, groups).

How do we Backup Active Directory?

Backing up Active Directory is essential to maintain an Active Directory database. You can back up
Active Directory by using the Graphical User Interface (GUI) and command-line tools that
the Windows Server 2003 family provides.You frequently backup the system state data on domain
controllers so that you can restore the most current data. By establishing a regular backup schedule,
you have a better chance of recovering data when necessary.To ensure a good backup includes at
least the system state data and contents of the system disk, you must be aware of the tombstone
lifetime. By default, the tombstone is 60 days. Any backup older than 60 days is not a good backup.
Plan to backup at least two domain controllers in each domain, one of at least one backup to enable
an authoritative restore of the data when necessary.
How do we restore AD?
You can’t restore Active Directory (AD) to a domain controller (DC) while the Directory
Service (DS) is running. To restore AD, perform the following steps.
Reboot the computer.

The computer will boot into a special safe mode and won’t start the DS. Be aware that during this
time the machine won’t act as a DC and won’t perform functions such as authentication.

1. Start NT Backup.
2. Select the Restore tab.
3. Select the backup media, and select System State.
4. Click Start Restore.
5. Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to use the restored
information. The computer might hang after the restore completes; I’ve experienced a 30-minute wait
on some machines.

What are GPOs?

Group Policy gives you administrative control over users and computers in your network. By
using Group Policy, you can define the state of a user’s work environment once, and then rely on
Windows Server 2003 to continually force the Group Policy settings that you apply across an entire
organization or to specific groups of users and computers.

What domain services are necessary for you to deploy the Windows Deployment Services on
your network?
Windows Deployment Services requires that a DHCP server and a DNS server be installed in the
domain

What is the difference between a basic and dynamic drive in

theWindowsServer2008environment?
A basic disk embraces the MS-DOS disk structure; a basic disk can be divided into partitions (simple
volumes).
Dynamic disks consist of a single partition that can be divided into any number of volumes. Dynamic
disks also support Windows Server 2008 RAID implementations.

What is the main purpose of a DNS server?

DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa

Commonly Used DNS Records?

A-Records (Host address)
CNAME-Records (Canonical name for an alias)

MX-Records (Mail exchange)

NS-Records (Authoritative name server)

PTR-Records (domain name pointer)

SOA-Records (Start of authority)

Ques-:7. FAT/NTFS?

Ans :- There is major differences are available

between FAT and NTFS File System such as

FAT
 Fat stands for File Allocation Table
 There are two categories in Fat File System
o Fat 16
o Fat 32
 In Fat Up To Folder Level Security is available
 Compression Option is not available
 Encryption Option is not available
 Disk Quota Option is not Available
 FAT Supported By All Of The Microsoft Based Operating
System
NTFS
 NTFS stands for New Technology File System
 There are three categories in NTFS file System
o NTFS 4.0 – NT O/S
o NTFS 5.0 – 2000 O/S
o NTFS 6.0 – 2003O/S
 In NTFS Up-to File Level Security is available
 Compression Option is available
 Encryption Option is available
 Disk Quota Option is Available
  NTFS Supported By only Limited Microsoft Based
Operating System

Ques-:8. What is the difference between Windows

NT/2000/2003?

Ans :- There are many differences are available

between Windows NT, 2000 and 2003 O/S, Such As--

NT
 There is no active directory
 There is no tree/forest hierarchical structure are
available
 There is no Site Relationship
 There is no parent domain and child domain concepts
are available in the network.
 NT support NTFS 4.0 File system
 NT Support NTLM Version 2 Lan Authentication
Protocol
 In NT by default no Trust Relationship are configured
 In NT we will use System Policy
 In NT specific Client Site Operating System is
available i.e. NT Workstation 4.0 Edition
 In NT we will use Exchange 5.5 Server
 In NT We Can Create Only One Way Trust
Relationship inside The Network.
2000
 There is Active Directory
 Tree/Forest Hierarchal Structure are available
 There is Site Relationship is available
 There is parent domain and child domain concept are
available
 2000 support NTFS 5.0 File system
 2000 Support Kerberos Version 5 Authentication Protocol
 In 2000 by default Two-Way Trust Relationship are
configured
 In 2000 we will use Group Policy
 2000 support maximum 32 Processor and 64 GB RAM
  In 2000 specific Client Site Operating System is available
i.e. 2000 Professional
 In 2000 we will use Exchange 2000 Server
 In 2000 no Stub Zone is available in DNS
 In 2000 Resultant Setup Policy is not available
 In 2000 GPMC is not available
 In 2000 Conditional Forwarding option is not available
 In 2000 Effective Permission option is not available
 In 2000 Only some Administrative Command Line Tools
are available
 Active Directory Saved Query Option is not available
 Shadow Copy Option is not available in Windows 2000 O/S
 ASR Option is not available in Windows 2000 O/S
 In Windows 2000 We Can Create Maximum 1 DFS Root
On A Single DFS Server in The Network.
 In 2000 We Can Create Two Way Trust Relationship inside
The Network.
2003
 There is Active Directory
 Tree Forest Hierarchal Structure are available
 There is Site Relationship is available
 There is parent domain and child domain concept are
available
 2003 support NTFS 6.0 File system
 2003 Support Kerberos Version 5 Authentication Protocol
 In 2003 by default Two-Way Trust Relationship are
configured
 In 2003 we will use Group Policy
 2003 support maximum 64 Processor and 512 GB RAM
 In 2003 no specific Client Site Operating System is
available you can use either win 2k Professional either Win
XP Professional in the Network.
 In 2003 we will use Exchange 2003 Server
 In 2003 Stub Zone is available in DNS
 In 2003 Resultant Setup Policy is available
 In 2003 GPMC is available
 In 2003 Conditional Forwarding option is available
 In 2003 Effective Permission option is available
  In 2003 more Administrative Command Line Tools are
available
 Active Directory Saved Query Option is available
 Shadow Copy Option is available in Windows 2003 O/S
 ASR Option is available in Windows 2003 O/S
 In Windows 2003 We Can Create More Than 1 DFS Root
On A Single DFS Server in The Network.
 In 2003 We Can Create Two Way Trust Relationship inside
The Network.

Ques-:9. What is Active Directory?

Ans :- Active Directory is the main concept of

Windows 2000/2003 Network. It stores all of the
information about the whole network such as users,
printers, computers etc.

Ques-:10. What is Tree?

Ans :- A group of domain is called tree and sharing a

contiguous Name space.

Ques-:11. What is Forest?

Ans :- A group of tree is called forest and does not

sharing a contiguous name space but sharing a common
configuration (Schema).

Ques-:12. Difference between D.C. and A.D.C.?

Ans :- D.C. stands for Domain Controller and A.D.C.

stands for Additional Domain Controller. A.D.C. is a back
up copy of D.C. Only one different is available Between
D.C. and A.D.C. i.e. - Operation Master Role. On D.C all
of the three Operation Master Roles are available—
1. RID Master
2. PDC Emulator
3. Infrastructure Operation Master Role
But on A.D.C no any operation master roles are available
Ques-:13. What is the benefit of Child Domain?

Ans :- There are many benefits of Child Domain Such

As—
0. Security Boundary
1. Administrative Overhead Low
2. Network Traffic Low

Ques-:14. What is Group?

Ans :- Group is a collection of user account. It

provides the simplified administration in the network.

Ques-:15. What is OU?

Ans :- OU stands for Organizational Unit. On OU we

define group policy in the network. Group policy is
basically assigned on active directory container i.e. Site,
domain, OU. When ever we want some users in the
network do not use shut down the system, do not use run
command, do not use control panel, then we put that
user in the OU and assign the appropriate Group Policy
on that OU.

Ques-:16. What is Group Policy?

Ans :- Group policy provides the stream line access

to all of the users in the network. Group policy is
basically assigned on active directory container i.e. Site,
domain, OU. Whenever we want some users in the
network do not use shut down the system, do not use run
command, do not use control panel, then we put that
user in the OU and assign the appropriate Group Policy
on That OU.

Ques-:17. Difference between Permission, Right and

Policy?
 Ans :- Permission – Permission are basically
assigned on network resources as for example – File,
Folder, Share Folder, Printer

Right – Right is basically assign to users and groups.

Policy – Policy are basically assigned on active directory

container i.e. - Site, Domain, OU.

Ques-:18. What is ISA Server?

Ans :- ISA stands for Internet Security Acceleration.

ISA Server Provides the Internet connectivity for all of
the users in network ISA server also works as a Proxy
Server in the network. With the help of ISA Server
Administrator can Filtering a Client request For a
Specific Web site in the Network.

Ques-:19. What is Default Gateway?

Ans :- Default Gateway is the IP Address of Router in

the network. Whenever any clients want to go to another
network that query will forward to Default Gateway.

Ques-:20. What is Site?

Ans :- A Site is a geographical area where all of the

domains are available. Site manages the Replication
Traffic between Two or More Different Sites in the
Network.

Ques-:21. What is Operation Master Role?

Ans :- Operation Master Role is available on Domain

controller in the Network. There are Five types of
Operation Master Role –
1. Schema Master
2. Domain Naming Master
3. RID Master
 4. PDC Emulator
5. Infrastructure Operation Master Role

Ques-:22. Difference between Mixed Mode and Native

Mode?

Ans :- There are three types of domain mode—

1. Mixed Mode – In this mode NT, win 2k and win 2k3 D.C
are available.

2. Win 2k Native Modes – In this mode Win 2k And win

2k3 D.C are available.

3. Win 2k3 Native Mode – In this mode only win 2k3 D.C
are available.

Ques-:23. What is SCSI?

Ans :- SCSI stands for Small Computer System

Interface. In SCSI the rate of data transmission is fast.
SCSI Hard Disk Speed—R.P.M is fast In SCSI Data
Transmission Speed Is 320 MBPS in the Network. In
SCSI Controller We Can connect Maximum 15 physical
Devices in the System.

Ques-:24. What are A-Host Record and PTR Record?

Ans :- A record is also called host record. This record

is basically created in forward lookup Zone.

PTR record is also called pointer record. This record is

basically created in reverse lookup Zone.

Ques-:25. What is Reservation?

Ans :- Reservation Is Basically used In DHCP Server.

When Ever we want This Computer Is Always received
 This IP address From DHCP Server in The network, in
That Case we create a Reservation in DHCP Server Of
that particular Computer in The Network.

Ques-:26. IP Address Range/Classes?

Ans :- There are two types of IP address—

1. Class Full IP Address

2. Class Less IP Address

Class Full IP Address – There are five classes –

1. Class A – 0 – 126 (127 is reserved for Loop back)

2. Class B – 128 – 191
3. Class C – 192 – 223
4. Class D – 224 – 239
5. Class E – 240 – 255

Ques-:27. Difference between Hardware Router and

Software Router?

Ans :- Hardware Router – Hardware Router is a

dedicated Router. It’s having a lot of features such as
security, dedicated routing in the network. As for
example Cisco Router.

Software Router – Software Router is not a dedicated

Router. It provides the different services also, such as
DNS server, DHCP Server. i.e.—Windows Based Router.

Ques-:28. Difference between Hardware Firewall and

Software Firewall?

Ans :- Hardware Firewall – It is a dedicated

Firewall. A lots of security features are available on
hardware based firewall. As for example— Cisco pix
Firewall.
 Software Firewall – It is not a dedicated Firewall. Its
provides the normal security in the network—check point

Ques-:29. What is Domain Controller?

Ans :- D.C stands for domain controller. It provides

the centralized management of entire domain in the
network. When ever we will install active directory
database on a server side operating system, then after
that system becomes a D.C. Domain Controller manages
all security related Interaction between users and
Computers in The Network.

Ques-:30. What is B Router?

Ans :- B Router stands for Bridge Router. We can say

this is a layer three bridge that provides the
communication between two or more different network
ID.

Ques-:31. What is Bridge?

Ans :- Bridge is a layer 2 network device that

provides the communication within the same network id.
In Bridge Maximum 16 ports are available.

Ques-:32. Difference between Gateway and Router?

Ans :- Router works on same network architecture

but Gateway works on different network architecture.

Ques-:33. What is POP Server/SMTP Server?

Ans :- POP stands for Post Office Protocol. It is

basically use for mail receiving purpose in the network.

SMTP stands for Simple Mail Transfer Protocol. It is

basically use for sending a mail as well as receiving a mail
in the network.
Ques-:34. What is Active Directory Partitions?

Ans :- Active directory Partition Is a Logical Partition

Of active directory. This Partition Is Basically Use for
replication from D.C To A.D.C & D.C to G.C.S (Global
Catalog server) in the Network. There are three Types Of
active Directory partition—
1. Schema partition
2. Configuration Partition
3. Domain Partition

Ques-:35. Types of Active Directory Partitions?

Ans :- There are three types of Active Directory

partition –

1. Schema Partition
2. Configuration Partition
3. Domain Partition

Ques-:36. What is the Function of Ping Command?

Ans :- Ping provides to check the Physical/IP

Connectivity between two or more devices in the
network. Ping sends an ICMP request from source
computer to destination computer and destination
computer sends an ICMP reply.

Ques-:37. What are Broadcasting, Multicasting and

unicasting?

Ans :- Broadcasting – One to All

Multicasting – One to many not all
Unicasting – One to One

Ques-:38. What is Group Nesting?

 Ans :- When we add two or more Groups within a
Single Group, it is called Group Nesting.

Ques-:39. What is FIXMBR?

Ans :- FIXMBR Repair the Master boot Record of the

Partition Boot Sector.

Ques-:40. What is FIXBOOT?

Ans :- FIXBOOT write a new Partition Boot Sector on

to the system Partition.

Ques-:41. What is SID?

Ans :- SID stands for Security Identifier. Every

Object has a unique ID, it is called SID.

Ques-:42. What is RADIUS Serer?

Ans :- RADIUS Stands for Remote Authentication

Dial-in User Service. RADIUS Server Provides the
Centralized management of Multiple RAS & VPN Server
in the Network. On this Server Remote Access Policy and
Remote Access Logging Options are available.

Ques-:43. What is Trusting Domain?

Ans :- In Trusting Domain Resources are available.

Ques-:44. What is Trusted Domain?

Ans :- In Trusted Domain User Accounts are

available.

Ques-:45. What is Microsoft Exchange Server?

 Ans :- Microsoft Exchange Server is Software that
provides the services such as sending & receiving the
Mail.

Ques-:46. What is Printer?

Ans :- Printer is a Software that Governing the Print

Device. There are two types of Printer—
1. Local Printer
2. Network Printer.

Ques-:47. What is Chatting?

Ans :- Chatting is a Real Time Conversion between

Two or More peoples in the Network.

Ques-:48. What Is Directory Services restore Mode?

Ans :- When our Active Directory Database is Not

Working Properly, Then We Restart the Domain
Controller and Press f8 Key Then after Selecting the
Directory Services Restore Mode and Then after
Restoring the Active directory Database from the Last
Backup.

Ques-:49. What is normal backup?

Ans :- Just like a normal backup. By default backup.

Ques-:50. What is incremental backup?

Ans :- In incremental Backup only incremental parts

are backup not full backup.

Ques-:51. What is Differential backup?

Ans :- In differential backup, we take full backup

after the normal backup.
Ques-:52. What is packet?

Ans :- A packet is a logical grouping of information

that includes a header which contains location
information and user data.

Ques-:53. What is forwarder?

Ans :- It is basically use in DNS Server. When client

query to the DNS Server, In that case if the DNS is
having a best result then DNS Server give the best
result To The Client Computer In The Network
otherwise DNS Server forward the client query to the
root DNS server on own behalf and give the complete
result To The client computers in The Network

Ques-:54. What is encryption?

Ans :- There are four types of encryption—

1. No Encryption – no
2. Basic – MPPE – 40 bits – des
3. Strong – 56 bits – des – MPPE/IPSec
4. Strongest – 128 bit data encryption – MPPE/IPSec

Ques-:55. What is RIP v.1, RIP v.2, IGMP, OSPF?

Ans :-
1. RIP v.1 – Broadcast – Small Network Use
2. RIP v.2 – Multicast
3. IGMP – Multicast
4. OSPF – Multicast – For Larger Network

Ques-:56. What is the requirement Of VPN Server?

Ans :- VPN require IP connectivity between the

client and the server. VPN does not require a dial up
connection Between the Client and server in The
Network.
Ques-:57. What is Inbound Connection?

Ans :- Inbound connection is Created On server

Side.

Ques-:58. What is Outbound Connection?

Ans :- Outbound connection is created on client Side.

Ques-:59. What is The Function of jetpack command In

DHCP Server?

Ans :- Check the database consistency of

DHCP Server in the Network

Ques-:60. What is Remote Access Policy?

Ans :- In Remote Access Policy there are three

options are available—

1. Condition – 8 a.m. to 5 p.m., Marketing Group

2. Permission – Yes/No
3. Profile – Connectivity time, IPSec Policy

Ques-:61. What is TRACERT?

Ans :- TRACERT display Complete route Information

from source computer to destination computer in the
Network.

Ques-:62. What is the function of jetpack command in

WINS server?

Ans :- For Compacting the WINS database, we use

jetpack command.
Jetpack wins.mdb kk.mdb

Ques-:63. What is tunneling form?

 Ans :- The sending and receiving of data through a
secure way in the network, it is called tunneling form.

Ques-:64. What is trust relationship?

Ans :- Trust relationship is an important part in the

client server network. There are two types of trust
relationship—

1. Non Transitive Trust – Non Transitive Trust is a one

way trust relationship in the network. As for example—in
NT network

2. Transitive Trust – Transitive Trust is two way trust

relationship in the network. As for example—in 2000/2003
network.

Ques-:65. What is DACL?

Ans :- DACL stand for Discretionary Access Control

List. In DACL basically permission entry is available of
any user in the network

Ques-:66. What is SACL?

Ans :- SACL stand for System Access Control List. In

SACL basically auditing entry is available of any user in
the network.

Ques-:67. What is MSI?

Ans :- This file is basically use for deploying or

installation of any application in the network.

Ques-:68. What is MST?

Ans :- This file is basically using for repairing of any

application in the network.
Ques-:69. What is zap file?

Ans :- It is basically use for that application, which

do not have the MSI file. We create a text file with zap
extension for deploying or installation purpose of any
application in the network.

Ques-:70. What is ace?

Ans :- Ace stand for access control entry.

Ques-:71. What is operation master role?

Ans :- Operation master role is available on domain

controller in the network.
There are five types of operation master role inside the
active directory

1. Schema Master – Schema Master is responsible for

changes of schema, updating of schema in the Network.

2. Domain Naming Master – Domain Naming Master Is

Responsible For adding or removing a domain inside the
forest.

3. RID Master – RID Master provides RID no. of each D.C

in the Network. Every D.C is having a one id no, it is called
RID NO. domain—rid, object—S.I.D.

4. PDC Emulator – It is basically use For Previous version

Of Windows 2000 Clients in The Network. PDC Emulator
Work as an emulator for previous version of Windows 2000
Clients in the network.
PDC – Primary Domain Controller
BDC – Backup Domain Controller
5. Infrastructure Operation Master – Infrastructure
Operation Master Role provides uniqueness of any object
inside the forest.
Infrastructure operation master role. Updates references to
objects and group membership from other domain In the
Network.

Ques-:72. What is dedicated server?

Ans :- A dedicated server functions as a server only

not as a client. As For Example—Domain Controller.

Ques-:73. What is bridgehead server?

Ans :- A bridgehead server is a central point in the

site that is responsible for replication from another site.

Ques-:74. What is the booting file Of Windows

2000/2003/xp O/s?

Ans :-
1. NTLDR
2. NTDETECT.COM
3. BOOT.INI
4. NTBOOTDD.SYS
5. NTOSKRNL.EXE

Ques-:75. What is clustering?

Ans :- Suppose, I create a web site—

www.yahoo.com. This same web page is available On All
Of The ten computers. I configured clustering on all of
the ten computers. Let Say at a same time one thousand
people access this web site. If this web services are
provided by only one computer, then it may be a very
busy. But in this time workload is sharing among ten
computers. This is called clustering and If One Server
Will Be down Another Server Are providing The Services
in The Network. There are Two Benefits of Clustering—
 1. Fault Tolerance
2. Load Balancing

Ques-:76. What is authoritative restore?

Ans :- In this process the one lacks version no high

of each object in active directory database and this parts
is overrides on other D.C in the network. We will use
This Method in Following Options Such As--- Some
Deletions, Some rename

Ques-:77. What is migration?

Ans :- It is basically use for converting NT, 2000

network to 2003 network. There are two types of
migration—

1. Upgrading – In upgrading Process maintains

current domain model. As for Example—Before
Migration three domains are available and after
Migration again three domains are Available.
2. Restructuring – In restructuring Process no
maintain current domain models. As for example-
Before Migration three domains are available and
after Migration May Be one domain will be Available.

Ques-:78. What Is Schema?

Ans :- Schema basically reads The Attributes and

defines The Classes. Such As User class, Printer Class,
Computer Class.

Ques-:79. What is Stub Zone?

Ans :- STUB Zone is a pointer Record of Sub Child

domain in the network. STUB Zone provides the directly
communication Between Parent domain and Sub child
 domain. If any case middle level DNS Will Down in That
case Parent and Sub Child Domain are still
communicating with each other in the network

Ques-:80. What Is Shadow Copy?

Ans :- Shadow Copy provides the automatic Backup

Of any particular shared Folder in The Network. Shadow
copy provides the No. of previous version Backup of Any
particular Shared folder in the Network. In any time we
can View and restore Of Any Previous Version Backup Of
that particular Folder. This Is the New features of
windows 2003 Operating System.

Ques-:81. What Is RSOP?

Ans :- RSOP stands for Resultant Set of Policy. It is

basically use for, when ever we Want, What ever the
effective policy Is apply On a particular User and
particular computer in The Network

Ques-:82. What Is Group Policy Modeling?

Ans :- In Group policy Modeling, We Can find out

what Ever the effective policy Is Apply On a particular
User and particular computer in The Network

Ques-:83. What Is Group Policy Resulting?

Ans :- In Group policy resulting, we can find Out

What ever the effective policy Is Apply On a particular
User and particular computer in The Network

Ques-:84. What Is SUS Server?

Ans :- SUS stands for software Update server. This

server provides the Automatic Updating from Microsoft
Update Server to All of The Clients and servers in the
network
Ques-:85. What Is Windows update?

Ans :- Windows Update Services Provides the

automatic updating From Microsoft Windows update
Server to all of the Clients & servers in The Network

Ques-:86. What Is GPMC?

Ans :- GPMC stands For Group policy Management

Console. With The Help Of this Tools We Manage the
Group policy Object Of entire Forest from single
Location in The Network. With The Help of This Too we
also take The Backup and restoring Of Group policy
object.

Ques-:87. What Is Conditional Forwarding?

Ans :- Conditional Forwarding Is Basically use in

DNS server. In DNS Server, We define The Condition, If
Any DNS Query Is Related to That Particular Domain, In
That Case That Query Will Directly Forward to That
Domain and If That DNS Query Is Not Related to That
Particular Domain In That Case That Query Will Forward
to ISP DNS server In the Network. With The Help of
Conditional Forwarding, we can say the rate Of Data
Transmission Rate Is Fast in The Network This Is the
New Features in Windows 2003 Operating System.

Ques-:88. What Is Effective Permission?

Ans :- Effective Permission display that is what ever

the effective permission is available of any User in Any
particular resources in the Network.

Ques-:89. What Is the Booting file Of 98 Operating

system?

Ans :-
 1. MSDOS.SYS
1. IO.SYS
2. COMMAND.COM

Ques-:90. What Is ASR?

Ans :- ASR stands for automatic system recovery.

ASR provides the complete backup of any Computers in
The Network.

Ques-:91. What Is the Difference Between system policy

And Group policies?

Ans :- System Policy are Used in NT environment

But Group policy Are Used in Windows 2000 And
Windows 2003 Environment.

Ques-:92. What is Connection Oriented protocol?

Ans :- Before the Data is Sending from Source

Computer to destination Computer in the Network first
of All connection is establish between source to
destination Computer. It Is Called connection Oriented
Protocol. As For Example—TCP.

Ques-:93. What Is IDE?

Ans :- IDE Stands For Integrated device electronics.

In IDE We Can Connect Maximum 4 physical devices in
The System. In IDE the Rate of Data transmission is
slow. In IDE Maximum Speed is –80 MBPS in the
Network.

Ques-:94. Why we Create a Site?

Ans :- There are many benefits for creating a Site

inside the Network Such as:
1. Manage Replication Traffic inside the
Network
 2. For Group policy Purpose
3. Administrative Burden will be Low
4. Network Traffic will be Low
5. Network Performance will be Good
6. Logon Traffic
7. Reduce The No. Of request For Global
Catalog Server

Ques-:95. Difference between IP V-4 and IP V-6?

Ans :- There is major difference between IP V.4 and

IP V.6 such as –
1. In IP V.4 is a 32 bits IP Address but IP v.6 128 bits
IP Address.
2. IP v.4 is a Decimal Format, but IP V.6 is Hexa-
Decimal Number.
3. IP V.4 has 4 Octets, but IP V.6 has 16 Octets.
4. IP V.4 is supported by Operating System, but IP V.6
is supported by only some Operating System.
5. In IP V.4 only limited number of IP Address are
available, but in IP V.6 a number of IP Addresses are
available.

Ques-:96. What Is the Function of Schema partition?

Ans :- Schema Partition is responsible for

Replication to all of the Domains inside the Forest.

Ques-:97. What Is The Function of Configuration

Partition?

Ans :- Configuration Partition is responsible for

Replication to all of the Domains inside the Forest.

Ques-:98. What is the function of Domain Partition?

 Ans :- Domain Partition is responsible for Replication
to all of the Additional Domain Controller inside the own
Domain.

Ques-:99. What is Active Directory Database Location?

Ans :- Systemroot\NTDS Folder\NTDS.DIT

Network:-A group of computers that is connected by cable

or other devices to share their data, information and devices with
each other is called Network. There are two types of Network:

1. Peer-to-Peer:-Peer-to-Peer network is also called

Workgroup. In Workgroup there is no dedicated server. All
Computers are equal, Every Computers Works Both as a
Client and a Server. In Workgroup all users account such as
user name and password Are Available in the SAM
database. SAM Stands for Security Account Management
Database.

2. Client Server:-Client Server network is also called

Domain. In Domain there is one dedicated server; That
Server Is Called D.C. D.C Stands for Domain Controller. In
Client Server Network All users account such as user name
and password are Available in the Active Directory
database. Domain is a security boundary in the Network.
there Are Many Benefits of Domain, Such As—
A. Single logon
B. Single User Account
C. Centralized Management

There are three scopes of Network:

1. LAN:-LAN stands for Local Area Network. In a fixed

area all of the computers are connected to each other, it is
called LAN. In LAN we do not use any third party Service
Provider Network such as Telephone Line, Internet and
Satellite.
 2. WAN:-WAN stands for Wide Area Network. Across the
world all of the computers are connected to each other, it is
called WAN. In WAN we use Third Party Service Provider
Network such as Telephone Line, Internet and Satellite.

3. MAN:-Man stands for Metropolitan Area Network. MAN

is a child of WAN because in a metropolitan city all of the
computers are connected to each other, it is called MAN. In
MAN we use Third Party Service provider Network such as
Telephone Line, Internet and Satellite.

(Example:-Suppose I have a company that name is ABC Pvt.

Ltd. held in Delhi which has four branch offices First is
South Delhi, Second is East Delhi, Third is North Delhi and
Fourth is West Delhi. All the branch offices are connected to
the main office with the help of Third Party Service Provider
Network such as Telephone Line, Internet and Satellite, it is
called MAN.)

NIC:-NIC stands for Network Interface Card...

PXE:-PXE stands for Pre Execution Boot Environment. It is

generally use in RIS.

PXE and Non-PXE:-Boot roam is available on PXE Card. Boot

roam is not available in Non-PXE Card.

Cable:-Cable is a medium that creates a Network and carry the

signals between computers in the Network. There are two types
of cable:

2. Twisted Pair Cable:-Twisted Pair Cable is also called

10Base T. There are four pair in this cable White - Green,
White - Blue, White - Brown, White - Orange. There are two
types of Twisted Pair Cable:

A. UTP:-UTP stands for Unshielded Twister Pair.

There are no mass shielded on the wire.
 B. STP:-STP stands for Shielded Twisted Pair. There
are a mass shielded on wires.

3. Coaxial Cable:-Coaxial Cable just like as a normal TV

cable. In coaxial cable one is copper wire that is located in
the central location of the cable then after a plastic coating
then after shielded with mass and then after upper coating
(Black Coating). There are two types of coaxial cable.

A. Thin Net Coaxial Cable:-Thin Net Coaxial Cable

is also called as 10Base 2. 10 stand for 10 MBPS and
2 stands for up to 200 meters.
B. Thick Net Coaxial Cable:-Thick Net Coaxial
Cable is also called as 10Base 5. 10 stand for
10MBPS and 5 stands for up to 500 meters.

4. Fiber Optic Cable:-In Fiber Optic Cable the data are

sending in digital form not in analog form. The rate of data
transmission is fast by using this cable.

There are two types of device in the network—

1. DTE Device--- D.T.E Stands for Data Terminal

Equipment. As for example—P.C, ROUTER
2. DCE Device---D.C.E Stands For Data
Communication Equipment. As for Example—HUB,
SWITCH, MODEM

Straight Cable:-When we connect Two Different Devices, Such

as DTE to DCE Device in that cases we will use straight cable as
for example Computer to Hub, Computer to Switch.

Cross Cable:-When we connect two similar devices, Such as

DTE to DTE, DCE to DCE in that case we will use cross cable as
for example Computer to Computer, Hub to Hub.
Topology:-Topology is the way of connecting the
computers. Topology requires two or more computers.
There are five types of Topology.

1. Bus-Topology:-In this Topology all of the computers

are connected to a single Wire Such As--coaxial cable. In
Bus-Topology if the cable is break from any where then the
all network is down. In Bus-Topology the network speed is
divided among the computers. In this topology we use BNC
connector. BNC stand For Barrel Net Connector.

2. Star Topology:-In this Topology all of the computers

are connected to a central device such as Hub, or Switch. In
star Topology if one computer Will failed in that case my
network will be still working properly. In this topology we
normally use UTP cable and RJ-45 connecter. RJ stands for
registered jack.

3. Ring Topology:-In this Topology all of the computers

are connected to own next computer and the last computer
is connected to first computer. In this topology if one
computer will fails then my whole network are down. (Cable
Used-? Speed - ?).

4. Mesh Topology:-In this Topology all of the computers

are connected to each other computer in the network by a
separate cable and Separate NIC card. It is also called
complete Topology.

5. Hybrid Topology:-When we will connect two or more

same Topology To a single different Topology, it is called
Hybrid Topology. There are two types of Hybrid Topology:

A. Star wired Bus

B. Star wired Ring
Technology:-The rate of data transmission depends on
your Network Technologies. There are many types of Network
Technologies Are Available in the World---

1. Ethernet:-Ethernet is a popular LAN Technology that

uses CSMA/CD.

2. ATM:-ATM stands for Asynchronous Transfer Mode.

ATM is a packet switching network that sends fixed length
packets over LAN or WAN. The packet size is 53 bytes in
which 48 bites data and 5 bytes for address.

3. Frame Relay:-Frame Relay is a packet switching

networks that sends variable length packets over LAN or
WAN.

4. FDDI:-FDDI stands for Fiber Distributed Data Interface.

The rate of data transmission is fast in this Technology.
There are two types of Ring in this Technology. First is
Primary Ring and second is Secondary Ring. Normally the
data is sending from source computer to destination
computer through the Primary Ring if Primary Ring Will Be
fails then the data Will Be sending through the Secondary
Ring.

Hub:-Hub is a central device in the network that is used in star

topology. Hub does the broadcasting. The rate of data
transmission is slow in the network by using Hub.

Switch:-Switch is a central device in the network that is used in

star topology. Switch does the conditional broadcasting. The rate
of data transmission is fast in the network by using Switch.

Router:-Router is a device that provides the connectivity

between two or more different network id.

Gateway:-Gateway is a device that provides the connectivity

between two or more different network id. Gateway works on
different network architecture.
Repeater:-Repeater receives the signals and retransmits it to
original strength in the network.

IP Address:-IP Address is a unique identifier in the network

from one computer to anther computers. IP Address Is A
Combination Of Network Id + Host Id.

MAC Address:-Each network adaptor are having a unique

address, it is called Physical Address or MAC Address. MAC
stands for media access control.

Subnets:-Network segments that connected to a router are

called Subnets.

Subnet Mask:-The Subnet Mask is a screen that differentiates

from Network ID to Host ID in a IP Address.

Network ID:-The first part of the IP Address that defines the

network is called Network ID.

Host ID:-The second or last part of The IP Address that defines

the Host number is called Host ID.

Sub Netting:-A Big Network Is further divided Into Smaller-

smaller Network that is called sub netting. In sub netting we
increase the Network ID and decrease the Host ID by making
some changes in subnet mask.

Super Netting:-Combining of Smaller-Smaller Network into big

Network That Is Called Super netting. In Super netting we
increase the Host ID and Decrease the Network ID by making
some changes in subnet mask.

Proxy Server:-Proxy Server is a firewall component that enables

us to connect multiple computers in a network to the Internet by
using a single Public IP Address. By Proxy Server we can filter
the client request for a specific Web Site.
NAT:-The NAT is a device or service that translates Private IP
Address to Public IP Address in the Network NAT Provides the
internet connectivity for all Of the Internal User in the Network
through Single Public IP address And Single Line. There are
three Types of NAT—

1. Static Nat
2. Dynamic Nat
3. Overloading Nat—PAT(Port address
Translation)

Firewall:-A Firewall is the combination of hardware and

software that prevents unauthorized access to an internal
network from outside.

Microsoft Proxy Server:-Microsoft Proxy Server provides both

features Such As Proxy Server and a Firewall.

Protocol:-Protocol is the set of rules and regulations that

provides the communication Between Two or More devices in the
Network.

Packet Switching:-In Packet Switching all of the data are

sending from source computer to destination computer through
may be a different way.

Circuit Switching:-In Circuit Switching all of the data are

sending from source computer to destination computer through a
single way.

Disk Quota:-When we want some users in the network do not

use more disk space of the Hard Disk then we put a appropriate
Disk Quota entry on those users.

Compression:-By compression we add free of space in our Hard

Disk.

Terminator:-Terminator absorbed the electric signal and stops

the reflection.
Socket:-A Socket is a combination of IP Address and TCP/UDP
Port.

Port:-A Port is recognized by the service as for example FTP

uses Port 21.

OSI:-OSI stands for Open System Interconnection model. It is a

standard model in the world. When ever One Computer Wants to
communicate with another Computer, A Major Task Is Performed
inside the Computer and that major Task are divided into Seven
Parts and That Seven Parts Is Called seven Layers.

1. Application Layer: - Application Layer Identify the

which types Of Application Are Using By The Client In The
Network. As For example—HTTP, FTP, SMTP, Telnet

2. Presentation Layer: - The format Of Data depends on

the presentation Layer. There Are Two Major Function Of
Presentation Layer—
A. Converting High Level Coding to Low Level
Coding
B. Converting Low level Coding to high Level Coding
Generally there are Two Types Are Coding In this
Layer—
1. ASCII-American Standard Code For Information
Interchange code
2. EBCDIC—Extended Binary Coded For decimal
interchange Code
Some additional Functions are presentation Layers is—
1. Compression
2. Decompression
3. Encryption
4. Decryption

3. Session Layer: - Session Layer Provides which types Of

Session Are Establish between Sources to Destination
Computer in the Network. There Are three Types Of Data
Transmission in the Network—
 A. Simplex Transmission:-Simplex Transmission is only
one way transmission as for example RADIO, T.V

B. Half-Duplex:-Half-Duplex is an only one way

transmission at a time. As for example—hub, walky talky

C. Full-Duplex:-Full-Duplex is a two way transmission at a

same time. As for example—switch, telephone, and
wireless
Session Layer Provide Some Additional Function in the
Network, That Is—
1. Pause the Session
2. Terminate The Session
3. Restart The session
4. Transport Layer:-Transport Layer provides The End to
End Connectivity in The Network. Transport Layer is
responsible to carry the data from source to destination
computer In the Network. Transport Layer provides The
Two types Of Connectivity in The network—
Reliable Connectivity
Unreliable connectivity
Generally There Are Two types Of Protocol in Transport
Layer
1. TCP-Transmission Control Protocol
2. UDP—User Datagram Protocol
TCP provides the reliable connectivity in the Network. &
UDP Provides the Unreliable connectivity in the network.

5. Network Layer:-Network Layer Provides the Source IP

address and destination IP address in the Network. There
are Two Major Function of network Layer—
1. Provides the Logical addressing—IP Addressing.
2. Provides the Routing
Router Is a Layer 3 device in the network

6. Data Link Layer:-Data Link Layer provides the Source

Mac address And destination Mac address in the Network.
All of the Wan Technology Is a Layer 2 technology. Switch
and Bridge Is a Layer 2device in The Network.
 7. Physical Layer:-Physical Layer Is Responsible For Put
The Data on the Cable. Hub, Repeater, Cable, NIC these are
Layer -1 Device in The Network.

TCP:-
1. TCP Stands for Transmission Control protocol
2. TCP is a Connection Oriented protocol
3. It Is a unicasting protocol
4. The Rate of Data transmission Is Slow in TCP
5. In TCP The Guarantee Of Data Delivery
6. In TCP Acknowledgement is must.
UDP:-
1. UDP Stands for User Datagram protocol.
2. It Is a Connection Less protocol
3. It Is a Broadcasting protocol
4. The Rate Of Data transmission is Fast
5. In UDP No Guarantee of Data Delivery
6. In UDP No Acknowledgement

Data transmission Types:-There are three types of data

transmission in the network--

1. Simplex Transmission:-Simplex Transmission is only

one way transmission as for example RADIO, T.V

2. Half-Duplex:-Half-Duplex is a one way transmission at

a time. as for example—hub, walky-talky

3. Full-Duplex:-Full-Duplex is a two way transmission at a

same time. as for example—switch, telephone, wireless

ARP:-ARP stands for Address Resolution Protocol. It is basically

use for resolving IP Address to MAC Address in the network.

DOD model:-
DOD Model Stands For department of defense model. This Model
is also known As TCP/IP Model. There are four Layers in DOD
Model---
1. Application Layer—3 layer of OSI Model
2. Transport layer—transport layer of OSI Model
3. Internet layer—Network layer Of OSI Model
4. Network Interface Layer Or physical Layer—Data link &
Physical Layer of OSI Model.

1.Application Layer:-There are many types of protocols in

Application Layer:
A. HTTP:-HTTP stands for Hyper Text Transfer
Protocol. It is basically use for caring the web page.
HTTP uses Port 80.
B. FTP:-FTP stands for File Transfer Protocol. It is
basically use for transferring the file. FTP uses Port
21.

2. Transport Layer:-There are two types of protocol in

this layer:
A. TCP:- TCP stands for Transmission Control
Protocol. It is a connection oriented protocol. The
rate of data transmission is slow in this protocol. By
this protocol the acknowledgement is must.
B. UDP:- UDP stands for User Datagram Protocol. It
is a connection less protocol. The rate of data
transmission is fast by this protocol. The
acknowledgement is not required.

3. Internet Layer:-There are normally four protocols on

this layer:
A. IP:-IP stands for Internet Protocol. It is
responsible for assigning the IP Address.
B. ICMP:-ICMP stands for Internet Control Manage
Protocol. On the unsuccessful delivery it shows the
error massage to resend the data.
C. IGMP:-IGMP stands for Internet Group
Management Protocol. It is responsible for control
Multicasting and Broadcasting.
 D. ARP:-ARP stands for Address Resolution
Protocol. It is basically used for resolving IP Address
to MAC Address in the network.

Dual Booting:-A Dual Boot configuration allows us to choose

between two or more operating system each time when we start
the computer. In Dual Booting one operating system is belongs to
NOS family and another operating system must be belongs to
simple O/S family and the system partition must be formatted
with either Fat or Fat 32.

File System:-A logical division of the Hard Disk is called File

System such as sector or Tracks.

Partition:-A logical division of Hard Disk is called Partition.

User Profile:-A user profile contents the information about a

specific user’s log on setting Such As Desktop Setting. There are
three types of user profile.

1. Local User Profile:-A local user profile is automatically

created on each computer to which the user log on.

2. Roaming User Profile:-The same profile can be used

from anywhere in the network from which the user log on.
In This Profile User Can Change His Own profile and that
profile Will Be saved In Central Location.

3. Mandatory User Profile:-A permanent profile will be

used of any user in the network from which the user log on.
In this profile user can change his own profile but that
profile will not be saved in central location. That change is
only for temporary purpose.

Offline:-By offline user evenly access to a network share folder

when he disconnected from the network. There Are Three Types
Of offline setting—
1. Manually Caching For document—by Default
2. automatic caching for document
 3. automatic caching for program

Recovery Console:-When my system’s registry is damage and

my operating system is not starting properly in that case we will
use Recovery Console. In Recovery Console we use some
command line tools such as enable, disable, fixmbr, fixboot etc.

Active Directory:-Active Directory is the main concept of

Windows 2000 & Windows 2003 Network. It stores the complete
information about the whole network such as users, printers,
computers etc. Active Directory provides The Centralized
Management in the Network.

Objects:-Everything in Active Directory is called Object such as

users, Printers, computers etc.

Attributes:-Every object has some qualities that are called

Attributes. On the basis of these attributes we identify the object
such as user, printer, computer etc.

Terminal Services:-By Terminal Services we can manage our

server from anywhere in the network. There are two modes in
Terminal Services:
1. Remote Administration Mode:-In this mode at a same
time By Default maximum two administrators can connect
remotely to the server and manage it.

2. Application Server Mode:-By this mode user allow to

run remotely one or more applications on the Server.

Leased Line:-Leased Line is a point to point connection. When

we connect 24 hours a day to the Internet then we have a best
option to choose the Lease Line because it is cost effective(no
Costly)

ISDN Line:-ISDN Line is not a point to point connection. ISDN

networks extend from the local telephone exchange to the
remote user in the network. By ISDN Line the rate of data
transmission is fast. The data are sending in digital form not in
analog form. In ISDN scenario both side (client side and server
side) ISDN Modem is necessary.

USB:-USB stands for Universal Serial Bus. It is basically use for

physically connecting many devices At a Same Time that
supports the USB such as printer, mouse, scanner, web camera
etc. It is compatible with near about 127 devices at the same
time.

Security Template:-Security Template is a readymade designed

by Microsoft for implementing a security configuration in the
network. There are four types of Security Template Basic (By
Default), Compatible (Low-Level Security), Secure and High.
Service Pack:-Service Pack updates the DLL files and adds some
additional features in operating system.

DLL:-DLL stands for Dynamic Link Library. It is the important

files of any application, which helps to run any application.

CRC:-CRC stands for Cyclic Redundancy Check. CRC is a

number provided by a mathematically calculation on the packet
at its source.
Driver:-Driver is software which helps to perform the Hardware
properly.

Multilink:-Multilink connection uses multiple modems to create

a single connection to the Internet or other computers in the
network.

CSMA/CD:-CSMA/CD stands for Carrier Sense Multiple

Access/Collision Detect. At a same time when two computers are
sending data to each other in a single way then collision
happens. In that case CSMA/CD stops the collision and
retransmits the data after sometime in the network.

CAL:-CAL stands for Client Access License. Any client computer

who accesses the server in a network must require a license.
There are two types of license Per Server and Per Seat. We
convert Per Server to Per Seat at one time but we cannot convert
from Per Seat to Per Server.

Adminpack.msi:-For Installing/Uninstalling of Administrative

tools we use Adminpack.msi.

Safe Mode:-In this mode load only basic devices and drivers that
are require to start the computer. not loading the following
drivers such as VGA card, soundcard, network card etc. Only
load the Basic driver Such as keyboard, mouse, and storage
device.

VGA MODE:-Load the basic VGA driver. This mode is useful if a

video driver is preventing windows operating system from
starting properly, basic resolution 480 x 640 pixels setting are
applies.

DNS SERVER:-DNS stands for domain name system. It is a

basically use for name resolution purpose of Windows 2000/2003
clients in the network on working purpose. There are two types
of zones:

1. Forward Lookup Zone:-It is basically used for

resolving Host name to IP Address in the network.

2. Reverse Lookup Zone:-It is basically used for resolving

IP Address to Host name in the network.

Related Domain: - Related to Domain There are three types of

zone:

1. Active Directory Integrated Zone:-Active Directory

Integrated Zone is integrated with Active Directory. For
creating this zone Active Directory and DNS is necessary on
a particular computer in the network.

2. Standard Primary Zone:-Standard Primary Zone is not

integrated with Active Directory. For creating this zone only
DNS is necessary not Active Directory is required.
 3. Standard Secondary Zone:-Standard Secondary Zone
is clone copy of master DNS Server such as Active Directory
Integrated Zone or Standard Primary Zone.

Zone:-Zone is the database in the DNS where all computers A

Record (Host Record) and PTR Record (Pointer Record) are
Available in the network.

Virtual Memory:-Virtual Memory is some space in the Hard

Disk that is used whenever RAM is full in computer.

Unattended Installation:-In this process we create an answer

file. By this process we can run the automatically installation of
Windows 2000/2003 Operating System.

DFS:-DFS stands for Distributed File System. It is a central

location of any user in the network and that is linked with all of
the share folder in the network. By DFS user will be only access
the DFS server and further access any share folder in the
network.

Hardware Profile:-For battery saving purpose or electricity

saving purpose we can use the Hardware Profile. It is basically
use for mobile user in the network. There are two main
important parts in the Hardware Profile for examination point of
view first is Dock and second Undock station. Dock station—
inside the office, undock station—outside the office.

Internet:-The worldwide collection of all Networks and

Gateways that is uses TCP/IP protocol is called Internet. It is a
example of WAN/it is also known as WAN. Internet uses the high
speed data communication lines between the major nodes and
the host computer. Internet is a public Net and everybody can
access it without user name and password.

Intranet:-A private network within an organization that is uses

for distribute the information within the organization is called
Intranet. It is a example of LAN/it is also known as LAN. In
Intranet only the organization people can access and use the
Intranet.

Extranet:-A private network that is working within a

organization and outside the organization but not for
public/everybody is called Extranet. In Extranet the company
employees, distributors, suppliers, customer etc. can access the
network.

DHCP:-DHCP stands for Dynamic Host Configuration Protocol.

DHCP Server provides the automatically TCP/IP configuration of
all of the clients in the network.

APIPA:-APIPA stands for Automatic Private IP Addressing. When

I configure a computer in TCP/IP setting to obtain IP Address
automatically and my DHCP Server is not available or not
responding to DHCP client in that case the computer receive a IP
Address from APIPA in the range of 169.254.0.0.APIPA RANGE—
169.254.0.1 to 169.254.255.254
DHCP Scope: - A DHCP scope is a range of IP Addresses in the
DHCP Server Who leases the IP address to DHCP Client in the
network. There are three types of Scopes:

1. Normal Scope:-

2. Multicast Scope:-

3. Super Scope:-

DHCP Relay Agent:-Suppose I have two subnets that is Subnet

A and Subnet B and both subnets are connected to a Router. I
have a DHCP Server in Subnet A. I configure two scopes in
DHCP Server i.e. Scope A for Subnet A and Scope B for Subnet
B. I want to configure that all the computers in Subnet B receive
the IP Addresses from DHCP Server That Is Located in Subnet A.
But my Router is not RFC 1542 (Request for Comment)
compatible in that case I will install a DHCP relay Agent in
Subnet B.
Scope Option:-Scope Option provides the additional TCP/IP
configuration of any DHCP client in the network such as the IP
Address of DNS Server, WINS Server, Router etc. There are four
types of scope option:

1. Server Level:-

2. Scope Level:-

3. Class Level:-

4. Reserved Client Level:-

Remote Access Connectivity:-There are two types of Remote

Access Connectivity in The Network.

1. Dial-up Remote Access:-For Dial-up Remote Access at

least telephone line and modem are necessary on both side
Client side and Server side. A RAS Server is must be
configured at Server side. In this process Remote Access
Client dial the telephone number of RAS Server and then
after giving user name and password. After verifying user
name and password the Remote Access Client connect to
the RAS Server and further connect to the Internal
Network.

2. VPN:-VPN Stands for Virtual Private Network. In this

process Remote Access Client connect to the VPN Server
via Internet. By this process the communication is very
secure and the data are sending and receiving in tunneling
form.

DNS:-There are two types of DNS Query:

1. Iterative Query:-When a client Query to the DNS

Server and if my DNS Server is having the best result then
it will give the best result to client in the network otherwise
it will send a message not found, it is called Iterative Query.
 2. Recursive Query:-When a client Query to the DNS
Server and if my DNS Server is having the best result then
it will give the best result to client computer otherwise it
forward the client Query on own behalf to the Root DNS
Server and it will give the complete result to the client
Computer in the network, it is called Recursive Query.

CA:-CA stands for Certification Authority. CA provides the secure

communication between two or more computers in the network.
There are four types of CA:

1. Enterprise Root CA:-

2. Enterprise Subordinate CA:-

3. Stand Alone Root CA:-

4. Stand Alone Subordinate CA:-

Enterprise Root CA and Enterprise Subordinate CA required the

Active Directory but Stand Alone Root CA and Stand Alone
Subordinate CA do not require Active Directory.

IP Sec Policy:-IP Sec Policy provides the secure communication

between two or more computers in the network. There are three
types of IP Sec Policy in the network:

1. Client Respond Only:-

2. Secure Server Required Security:-

3. Secure Server Request Security:-

ICS:-ICS stands for Internet Connection Sharing. It is basically

used in workgroup to share the Internet connection.

NS Lookup:-NS Lookup check that my DNS Server is working

properly or not in the network.
Scavenging:-Scavenging is use to clear the stale records in the
DNS Server.

WINS:-WINS stands for Windows Internet Naming System. It is

basically use for Name Resolution purpose for previous version
of Windows 2000 Clients in the network. It is resolving NetBIOS
Name to IP address in The Network There is three types of
Replication partner in the WINS Server:

1. Push Partner:-

2. Pull Partner:-

3. Push-Pull Partner:-(By Default)

There are four Types Of nodes in WINS Server:

B – Node (Broadcasting)
P – Node (Search Server)
M – Node (B + P)
H – Node (P + B)

RIS:-RIS Stands for Remote Installation Service. In this process

the computers are connected to a server running Remote
Installation Service and then after RIS Server install the
Windows 2000 Professional on those computers. In this process
the client computers uses the PXE Card.

Home Folder:-Home Folder is a central location of any user in

the network where he can save file and folder. Home Folder
shows as a drive in the computer when a user login the network
from anywhere.

Tracert:- Tracert display Complete Routes Information from

source computer to destination computer in the network.

Telnet:-Telnet provides the remotely logon the computer and

working on that computer.
Global Catalog Server: - A Global Catalog Server is a forest
root domain that creates a relationship between two computers
within the Single Forest
By default first root domain controller is the global catalog
server in the network. It stores the information about universal
group in the network. Global Catalog Server Maintain The Read
Only Copy To All Of The Domain Inside The Forest.

User Right:-User Rights authorized a user to who logon to the

network or computer to perform certain action on the system.
There are some common User Rights:

A. Log on Locally
B. Change the System Time
C. Shut Down the System
D. Access the Computer from Network

Power User:-A user that Are having the special authority to

maintain the user accounts such as add a user account, delete a
user account, modify a user account, change the password of a
user etc. is called Power User.

Backup Operator:-A user that is having the power of Backup

and Restore the file of a computer it is called Backup Operator.
Wireless Communication:-In Wireless Communication we have
not need to attach a device to the computer by the help of wire.
Wireless Communication device works on the basis of receive
and transmit the analog or digital signals in The Network. There
are two types of Wireless Communication:

1. Infrared Transmission:-In Infrared Transmission an

infrared light beam is used to carry the data between
transmit and receiving device. There must be a clear line
between transmit and receiving device for communication.
TV and Remote is the example of Infrared Transmission.

2. Narrowband Radio Transmission:-In Narrowband

Radio Transmission user tunes both the transmitter and the
receiver to a certain frequency. Narrowband Radio
 Transmission does not require a clear line between both
devices. Radio and FM is the example of Narrowband Radio
Transmission.

PPTP:-PPTP stands for Point to Point Tunneling Protocol. It is

used in RAS connectivity. PPTP enable the secure transfer of
encapsulate data between a PPTP Client and a PPTP Server
across the Internet. PPTP uses MPPE (Microsoft Point-to-Point
Encryption) to encrypt the data.

L2TP:-L2TP stands for Layer Two Tunneling Protocol. It is used

in RAS and more secure then PPTP. L2TP enables the secure
transfer of encapsulate data between L2TP Client and L2TP
Server across the Internet. L2TP uses IP Sec (Internet Protocol
Security) for Encrypt the data.

Three Way Hand Shake:-TCP is a reliable Protocol. When two

computers communicate that using TCP, firstly establish a
connection before the exchange of data, it is called session. Two
computers establish a session by a process that is called Three
Way Hand Shake. There are three steps in Three Way Hand
Shake process:

A. The source computer initiates the connection by

transmitting the session information.
B. The destination computer responds with its
session information.
C. The source computer receives the information
and sends an acknowledgement.

Host Name:-A Host Name is a user friendly name that is given

by us to a computer to identify him. The Host Name is a 15 byte
or up to 255 character length name.

NetBios Name:-A NetBIOS Name is a 15+1 byte name in that

15 byte is host name that is given by us and 1 byte is generated
by computer automatically.1 Byte Depends on That Computer
Are Providing Which Kinds Of services In the Network.
Web Server:-A server computer that provides the services
related to web site/Internet is called Web Server.

Class-full IP Address:-All the IP Addresses are divided into five

classes class A, B, C, D and E. All the classes having a default
subnet mask according to its class. So the IP Address that is
given with its default subnet mask is called Class-full IP Address.

Class-less IP Address:-All the IP Addresses are divided into

Five Classes class A, B, C, D and E. All the classes having its
default subnet mask. When we change the default subnet mask
of an IP Address by the help of sub netting and super netting, it
is called Class-less IP Address.

Driver Signing:-Sometimes when we install a new

driver/software on the computer then its installation process is
overwrite some system files and damage or creating some
problem with our operating system. To stop this thing windows
2000 have a feature i.e. Driver Signing. Driver Signing check the
driver/software is signed by Microsoft or not. There are three
Options in Driver Signing:

1. Ignore:-In Ignore Windows do not check the signed or

unsigned driver and install the driver normally.

2. Warn:-In Warn Windows check the driver is signed or

unsigned and give a warning massage during installation for
unsigned driver.

3. Block:-In Block Windows never install the unsigned

driver.

Permission Inheritance:-All the permissions is assigned to a

folder is automatic apply on its subfolder or files, it is called
Permission Inheritance.

Take Ownership:-If the administrator has no rights or

permissions on an object then the administrator can be the
owner of that object by the using the power i.e. Take ownership
and forcibly get the permission on that object.

Recovery Agent:-Recovery Agent has the power of Decrypt the

file of any user.

Decryption:-Change an Encrypted file to a simple file is called

Decryption.
Or
Remove the Encryption from a file or Folder is called Decryption.

Hidden Share:-When we share a object with the $ sign, it is

called Hidden Share. Hidden Share object is not shown as like
normal share objects.

Print Device:-Print Device is a hardware that is physically prints

a document.

Spool Folder:-Spool Folder shows the entire documents that are

waiting for print in print queue.

Default Printer:-Which printer I want to give priority to print

document that is known as Default Printer.

Printer Pooling:-By the Printer Pooling we can connect one

Printer Driver with two or more print device for load balancing
Purpose In The Network.. In printer Polling We Can say
One Master and More than one servant are Available in the
Network. In printer pooling it is necessary that print device is
same manufacturer and same model no.

Printer Priority:-By Printer Priority we can connect two or more

printers with one print device and set the priority of each printer
that whose document is print firstly In the Network. In printer
priority We Can say one servant and more than one master are
Available in the Network. In that case which work will be first?
We Can configure the priority on the printer, such as—manger—
99, user—1
Internet Printing:-By the Internet printing we can print a
document remotely in the Network. In Internet Printing we can
print the document on the print device that is located in other
city.

Scope of Group:-There are three types of Group scopes In the

Network:-

1. Domain Local Group:-In Domain Local Group –user

Belongs to Any Domain and Access resources My Domain.

2. Global Group:-In Global Group –User Belongs To My

Domain and Access Resources Any Domain.

3. Universal Group;-In Universal Group user –User

Belongs to Any Domain and Access Resources Any Domain.

There are two types of Groups:

1. Security Group:-Security Group is basically used for

give the permission to the user on a Particular resource of
the network. Security Group is having all the features of
Distribution Group.

2. Distribution Group:-Distribution Group is basically

created for sending E-Mails in The Network. On Distribution
Group we can not assign the permission For Any Objects in
The network. Distribution Group Can Not Work As A
Security Group.

Disaster:-An event that becomes a cause to unable to start

Windows properly such as corruption of boot sector, deleting or
missing system file etc. is called disaster.

Disaster Recovery:-When a computer disaster occurs after that

the process of restoring the computer to its original state that is
prior of disaster is called Disaster Recovery.
ERD:-ERD stands for Emergency Repair Disk. ERD having a
backup copy of system state data such as registry, system files,
partition boot sector, startup environment etc. It is most
important tool to recover your system registry.

Disk Duplication:-When we need to install Windows 2000/2003

on a large number of computers. We have create a disk image of
Windows 2000/2003 installation and then copy the image to the
multiple computers that process is called Disk Duplication.

ACTIVE DIRECTORY INTERVIEW QUESTION AND ANSWERS

>What is Active Directory?

Active Directory is a Meta Data. Active Directory is a data base which stores a data base like your
user information, computer information and also other network object info. It has capabilities to
manage and administer the complete Network which connect with AD.

>What is domain?

Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and
so forth) for a group of users. The user needs only to log in to the domain to gain access to the
resources, which may be located on a number of different servers in the network. The ‘domain’ is
simply your computer address not to confuse with an URL. A domain address might look something
like 211.170.469.

>What is domain controller?

A Domain controller (DC) is a server that responds to security authentication requests (logging in,
checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in
Windows NT whereby a user may be granted access to a number of computer resources with the use
of a single username and password combination.

>What is LDAP?

Lightweight Directory Access Protocol LDAP is the industry standard directory access protocol,
making Active Directory widely accessible to management and query applications. Active Directory
supports LDAPv3 and LDAPv2.
>What is KCC?

KCC (knowledge consistency checker) is used to generate replication topology for inter site
replication and for intra-site replication. Within a site replication traffic is done via remote procedure
calls over ip, while between sites it is done through either RPC or SMTP.

>Where is the AD database held? What other folders are related to AD?

The AD data base is store in c:\windows\ntds\NTDS.DIT.

>What is the SYSVOL folder?

The sysVOL folder stores the server’s copy of the domain’s public files. The contents such as group
policy, users etc of the sysvol folder are replicated to all domain controllers in the domain.

>Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller
(BDC) in Server 2003?

The Active Directory replaces them. Now all domain controllers share a multi master peer-to-peer
read and write relationship that hosts copies of the Active Directory.

>Cannot create a new universal user group. Why?

Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode
requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

>What is LSDOU?

Its group policy inheritance model, where the policies are applied to Local machines, Sites, Domains
and Organizational Units.

>Why doesn’t LSDOU work under Windows NT?

If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

>How many number of permitted unsuccessful logons on Administrator account? Unlimited.

Remember, though, that it’s the Administrator account, not any account that’s part of the
Administrators group.

> What’s the difference between guest accounts in Server 2003 and other editions?

More restrictive in Windows Server 2003.

> How many passwords by default are remembered when you check “Enforce Password History
Remembered”?

User’s last 6 passwords.

> Can GC Server and Infrastructure place in single server?

No, As Infrastructure master does the same job as the GC. It does not work together.

> Which is service in your windows is responsible for replication of Domain controller to another
domain controller.

KCC generates the replication topology.

Use SMTP / RPC to replicate changes.

> What Intrasite and Intersite Replication?

Intrasite is the replication within the same site & intersite the replication between sites.

> What is lost & found folder in ADS?

It’s the folder where you can find the objects missed due to conflict.

Ex: you created a user in OU which is deleted in other DC & when replication happed ADS didn’t find
the OU then it will put that in Lost & Found Folder.

> What is Garbage collection?

Garbage collection is the process of the online defragmentation of active directory. It happens every
12 Hours.

> What System State data contains?

Contains Startup files,

Registry

Com + Registration Database

Memory Page file

System files

AD information

Cluster Service information

SYSVOL Folder

>What is the difference between Windows 2000 Active Directory and Windows 2003 Active
Directory? Is there any difference in 2000 Group Polices and 2003 Group Polices? What is meant by
ADS and ADS services in Windows 2003?

Windows 2003 Active Directory introduced a number of new security features, as well as convenience
features such as the ability to rename a domain controller and even an entire domain

Windows Server 2003 also introduced numerous changes to the default settings that can be affected
by Group Policy – you can see a detailed list of each available setting and which OS is required to
support it by downloading the Group Policy Settings Reference.

ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured
servers in large-scale enterprise environments. You can get more information from the ADS
homepage.

>I want to setup a DNS server and Active Directory domain. What do I do first? If I install the DNS
service first and name the zone ‘name.org’ can I name the AD domain ‘name.org’ too?

Not only can you have a DNS zone and an Active Directory domain with the same name, it’s actually
the preferred way to go if at all possible. You can install and configure DNS before installing Active
Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself install DNS on
your server in the background.

>How do I determine if user accounts have local administrative access?

You can use the net local group administrators command on each workstation (probably in a login
script so that it records its information to a central file for later review). This command will
enumerate the members of the Administrators group on each machine you run it on. Alternately, you
can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to
only those users you want to belong.

>Why am I having trouble printing with XP domain users?

In most cases, the inability to print or access resources in situations like this one will boil down to an
issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients’
wireless connections are configured with the correct DNS and WINS name servers, as well as with
the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN
settings and look for any discrepancies that may indicate where the functional difference may lie.

>What is the ISTG? Who has that role by default?

Windows 2000 Domain controllers each create Active Directory Replication connection objects
representing inbound replication from intra-site replication partners. For inter-site replication, one
domain controller per site has the responsibility of evaluating the inter-site replication topology and
creating Active Directory Replication Connection objects for appropriate bridgehead servers within
its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology
Generator (ISTG).

What is difference between Server 2003 vs 2008?

1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64bit
versions. More and more companies are seeing this as a way of reducing hardware costs by running
several ‘virtual’ servers on one physical machine.)

2. Server Core (provides the minimum installation required to carry out a specific server role, such as
for a DHCP, DNS or print server)

3. Better security.

4. Role-based installation.

5. Read Only Domain Controllers (RODC).

6. Enhanced terminal services.

7. Network Access Protection – Microsoft’s system for ensuring that clients connecting to Server
2008 are patched, running a firewall and in compliance with corporate security policies.

8. Power Shell – Microsoft’s command line shell and scripting language has proved popular with
some server administrators.

9. IIS 7.

10. Bit locker – System drive encryption can be a sensible security measure for servers located in
remote branch offices. The main difference between 2003 and 2008 is Virtualization, management.
2008 has more in-build components and updated third party drivers.

11. Windows Aero.

>What are the requirements for installing AD on a new server?

1 The Domain structure.

2 The Domain Name.

3 storage location of the database and log file.

4 Location of the shared system volume folder.

5 DNS config Method.

6 DNS configuration.

>What is LDP?

LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering
is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited
for establishing a full mesh of LSPs between all of the routers on the network.

>What are the Groups types available in active directory ?

Security groups: Use Security groups for granting permissions to gain access to resources. Sending
an e-mail message to a group sends the message to all members of the group. Therefore security
groups share the capabilities of distribution groups.

Distribution groups: Distribution groups are used for sending e-main messages to groups of users.
You cannot grant permissions to security groups. Even though security groups have all the
capabilities of distribution groups, distribution groups still requires, because some applications can
only read distribution groups.

>Explain about the group’s scope in AD?

Domain Local Group: Use this scope to grant permissions to domain resources that are located in the
same domain in which you created the domain local group. Domain local groups can exist in all
mixed, native and interim functional level of domains and forests. Domain local group memberships
are not limited as you can add members as user accounts, universal and global groups from any
domain. Just to remember, nesting cannot be done in domain local group. A domain local group will
not be a member of another Domain Local or any other groups in the same domain.

Global Group: Users with similar function can be grouped under global scope and can be given
permission to access a resource (like a printer or shared folder and files) available in local or another
domain in same forest. To say in simple words, Global groups can be use to grant permissions to gain
access to resources which are located in any domain but in a single forest as their memberships are
limited. User accounts and global groups can be added only from the domain in which global group is
created. Nesting is possible in Global groups within other groups as you can add a global group into
another global group from any domain. Finally to provide permission to domain specific resources
(like printers and published folder), they can be members of a Domain Local group. Global groups
exist in all mixed, native and interim functional level of domains and forests.

Universal Group Scope: These groups are precisely used for email distribution and can be granted
access to resources in all trusted domain as these groups can only be used as a security principal
(security group type) in a windows 2000 native or windows server 2003 domain functional level
domain. Universal group memberships are not limited like global groups. All domain user accounts
and groups can be a member of universal group. Universal groups can be nested under a global or
Domain Local group in any domain.

>What is REPLMON?

The Microsoft definition of the Replmon tool is as follows; This GUI tool enables
administrators to view the low-level status of Active Directory replication, force
synchronization between domain controllers, view the topology in a graphical
format, and monitor the status and performance of domain controller replication.

>What is ADSIEDIT ?

ADSIEDIT :ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts

as a low-level editor for Active Directory. It is a Graphical User Interface (GUI)
tool. Network administrators can use it for common administrative tasks such as
adding, deleting, and moving objects with a directory service. The attributes for
each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI
application programming interfaces (APIs) to access Active Directory. The
following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.

>What is NETDOM ?

NETDOM is a command-line tool that allows management of Windows domains and

trust relationships. It is used for batch management of trusts, joining computers to
domains, verifying trusts, and secure channels.

>What is REPADMIN?

This command-line tool assists administrators in diagnosing replication problems

between Windows domain controllers.Administrators can use Repadmin to view
the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen
from the perspective of each domain controller. In addition, Repadmin can be used
to manually create the replication topology (although in normal practice this
should not be necessary), to force replication events between domain controllers,
and to view both the replication metadata and up-to-dateness vectors.

>How to take backup of AD ?

For taking backup of active directory you have to do this : first go START ->
PROGRAM ->ACCESORIES -> SYSTEM TOOLS -> BACKUP OR Open run window
and ntbackup and take systemstate backup when the backup screen is flash then
take the backup of SYSTEM STATE it will take the backup of all the necessary
information about the syatem including AD backup , DNS ETC.

>What are the DS* commands ?

The following DS commands: the DS family built in utility .

DSmod – modify Active Directory attributes.

DSrm - to delete Active Directory objects.

DSmove – to relocate objects

DSadd – create new accounts

DSquery – to find objects that match your query attributes.

DSget – list the properties of an object

>What are the requirements for installing AD on a new server?

An NTFS partition with enough free space.

An Administrator’s username and password.

The correct operating system version.

A NIC Properly configured TCP/IP (IP address, subnet mask and – optional –
default gateway).

A network connection (to a hub or to another computer via a crossover cable) .

An operational DNS server (which can be installed on the DC itself) .

A Domain name that you want to use .

The Windows 2000 or Windows Server 2003 CD media (or at least the i386
folder) .

>Explain about Trust in AD ?

To allow users in one domain to access resources in another, Active Directory uses
trusts. Trusts inside a forest are automatically created when domains are created.

The forest sets the default boundaries of trust, not the domain, and implicit,
transitive trust is automatic for all domains within a forest. As well as two-way
transitive trust, AD trusts can be a shortcut (joins two domains in different trees,
transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive
or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in
order to connect to other forests or non-AD domains.

Trusts in Windows 2000 (native mode)

One-way trust – One domain allows access to users on another domain, but the
other domain does not allow access to users on the first domain.

Two-way trust – Two domains allow access to users on both domains.

Trusting domain – The domain that allows access to users from a trusted domain.

Trusted domain – The domain that is trusted; whose users have access to the
trusting domain.

Transitive trust – A trust that can extend beyond two domains to other trusted
domains in the forest.

Intransitive trust – A one way trust that does not extend beyond two domains.

Explicit trust – A trust that an admin creates. It is not transitive and is one way
only.

Cross-link trust – An explicit trust between domains in different trees or in the

same tree when a descendant/ancestor (child/parent) relationship does not exist
between the two domains.

Windows 2000 Server – supports the following types of trusts:

Two-way transitive trusts.

One-way intransitive trusts.

Additional trusts can be created by administrators. These trusts can be:

>What is tombstone lifetime attribute ?

The number of days before a deleted object is removed from the directory services.
This assists in removing objects from replicated servers and preventing restores
from reintroducing a deleted object. This value is in the Directory Service object in
the configuration NIC.

>What are application partitions? When do I use them ?

AN application diretcory partition is a directory partition that is replicated only to

specific domain controller.Only domain controller running windows Server 2003
can host a replica of application directory partition.

Using an application directory partition provides redundany,availability or fault

tolerance by replicating data to specific domain controller pr any set of domain
controllers anywhere in the forest.

>How do you create a new application partition ?

Use the DnsCmd command to create an application directory partition.

To do this, use the following syntax:

DnsCmd ServerName /CreateDirectoryPartition FQDN of partition

>How do you view all the GCs in the forest?

C:\>repadmin /showreps domain_controller where domain_controller is the DC you

want to query to determine whether it?s a GC.

The output will include the text DSA Options: IS_GC if the DC is a GC.

>Can you connect Active Directory to other 3rd-party Directory Services? Name a
few options.

Yes, you can use dirXML or LDAP to connect to other directories.

In Novel you can use E-directory.

>What is IPSec Policy

IPSec provides secure gateway-to-gateway connections across outsourced private

wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels
or pure IPSec tunnel mode. IPSec Policy can be deployed via Group policy to the
Windows Domain controllers 7 Servers.

>What are the different types of Terminal Services ?

User Mode & Application Mode.

>What is the System Startup process ?

Windows 2K boot process on a Intel architecture.

1. Power-On Self Tests (POST) are run.

2. The boot device is found, the Master Boot Record (MBR) is loaded into memory,
and its program is run.

3. The active partition is located, and the boot sector is loaded.

4. The Windows 2000 loader (NTLDR) is then loaded.

The boot sequence executes the following steps:

1. The Windows 2000 loader switches the processor to the 32-bit flat memory
model.
2. The Windows 2000 loader starts a mini-file system.

3. The Windows 2000 loader reads the BOOT.INI file and displays the operating
system selections (boot loader menu).

4. The Windows 2000 loader loads the operating system selected by the user. If
Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating
systems, NTLDR loads BOOTSECT.DOS and gives it control.

5. NTDETECT.COM scans the hardware installed in the computer, and reports the
list to NTLDR for inclusion in the Registry under the
HKEY_LOCAL_MACHINE_HARDWARE hive.

6. NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware information
collected by NTDETECT.COM. Windows NT enters the Windows load phases.

>How do you change the DS Restore admin password ?

In Windows 2000 Server, you used to have to boot the computer whose password
you wanted to change in Directory Restore mode, then use either the Microsoft
Management Console (MMC) Local User and Groups snap-in or the command net
user administrator * to change the Administrator password.

Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you
reset the Directory Service Restore Mode password without having to reboot the
computer. (Microsoft refreshed Setpwd in SP4 to improve the utility?s scripting
options.)

In Windows Server 2003, you use the Ntdsutil utility to modify the Directory
Service Restore Mode Administrator password.

To do so, follow these steps:

1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).

2. Start the Directory Service Restore Mode Administrator password-reset utility

by entering the argument ?set dsrm password? at the ntdsutil prompt: ntdsutil: set
dsrm password.

3. Run the Reset Password command, passing the name of the server on which to
change the password, or use the null argument to specify the local machine.

For example, to reset the password on server testing, enter the following argument
at the Reset DSRM Administrator Password prompt: Reset DSRM Administrator
Password: reset password on server testing

To reset the password on the local machine, specify null as the server name:

Reset DSRM Administrator Password: reset password on server null

4. You?ll be prompted twice to enter the new password. You?ll see the following
messages:

5. Please type password for DS Restore Mode Administrator Account:

6. Please confirm new password:

Password has been set successfully.

7. Exit the password-reset utility by typing ?quit? at the following prompts:

8. Reset DSRM Administrator Password: quit

ntdsutil: quit

>How do I use Registry keys to remove a user from a group?

In Windows Server 2003, you can use the dsmod command-line utility with the -
delmbr switch to remove a group member from the command line. You should also
look into the freeware utilities available from www.joeware.net . ADFind and
ADMod are indispensable tools in my arsenal when it comes to searching and
modifying Active Directory.

>Why are my NT4 clients failing to connect to the Windows 2000 domain?
Since NT4 relies on NetBIOS for name resolution, verify that your WINS server
(you do have a WINS server running, yes?) contains the records that you expect for
the 2000 domain controller, and that your clients have the correct address
configured for the WINS server.

>How do you view replication properties for AD partitions and DCs?

By using replication monitor

go to start > run > type repadmin

go to start > run > type replmon

>Why can’t you restore a DC that was backed up 4 months ago?

Because of the tombstone life which is set to only 60 days.

>Different modes of AD restore ?

A nonauthoritative restore is the default method for restoring Active Directory. To

perform a nonauthoritative restore, you must be able to start the domain controller
in Directory Services Restore Mode. After you restore the domain controller from
backup, replication partners use the standard replication protocols to update
Active Directory and associated information on the restored domain controller.

An authoritative restore brings a domain or a container back to the state it was in

at the time of backup and overwrites all changes made since the backup. If you do
not want to replicate the changes that have been made subsequent to the last
backup operation, you must perform an authoritative restore. In this one needs to
stop the inbound replication first before performing the An authoritative restore.

>How do you configure a stand-by operation master for any of the roles?

# Open Active Directory Sites and Services.

# Expand the site name in which the standby operations master is located to
display the Servers folder.

# Expand the Servers folder to see a list of the servers in that site.
# Expand the name of the server that you want to be the standby operations
master to display its NTDS Settings.

# Right-click NTDS Settings, click New, and then click Connection.

# In the Find Domain Controllers dialog box, select the name of the current role
holder, and then click OK.

# In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.

>What’s the difference between transferring a FSMO role and seizing ?

Seizing an FSMO can be a destructive process and should only be attempted if the
existing server with the FSMO is no longer available.

If you perform a seizure of the FSMO roles from a DC, you need to ensure two
things:

the current holder is actually dead and offline, and that the old DC will NEVER
return to the network. If you do an FSMO role Seize and then bring the previous
holder back online, you’ll have a problem.

An FSMO role TRANSFER is the graceful movement of the roles from a live,
working DC to another live DC During the process, the current DC holding the
role(s) is updated, so it becomes aware it is no longer the role holder

>I want to look at the RID allocation table for a DC. What do I do?

dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC)

>What is BridgeHead Server in AD ?

A bridgehead server is a domain controller in each site, which is used as a contact

point to receive and replicate data between sites. For intersite replication, KCC
designates one of the domain controllers as a bridgehead server. In case the server
is down, KCC designates another one from the domain controller. When a
bridgehead server receives replication updates from another site, it replicates the
data to the other domain controllers within its site.
>What is the default size of ntds.dit ?

10 MB in Server 2000 and 12 MB in Server 2003 .

>Where is the AD database held and What are other folders related to AD ?

AD Database is saved in %systemroot%/ntds. You can see other files also in this
folder. These are the main files controlling the AD structure.

ntds.dit

edb.log

res1.log

res2.log

edb.chk

When a change is made to the Win2K database, triggering a write operation,

Win2K records the transaction in the log file (edb.log). Once written to the log file,
the change is then written to the AD database. System performance determines
how fast the system writes the data to the AD database from the log file. Any time
the system is shut down, all transactions are saved to the database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The
initial size of each is 10MB. These files are used to ensure that changes can be
written to disk should the system run out of free disk space. The checkpoint file
(edb.chk) records transactions committed to the AD database (ntds.dit). During
shutdown, a “shutdown” statement is written to the edb.chk file.

Then, during a reboot, AD determines that all transactions in the edb.log file have
been committed to the AD database. If, for some reason, the edb.chk file doesn’t
exist on reboot or the shutdown statement isn’t present, AD will use the edb.log
file to update the AD database. The last file in our list of files to know is the AD
database itself, ntds.dit. By default, the file is located in\NTDS, along with the
other files we’ve discussed
>What FSMO placement considerations do you know of ?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master

method called FSMO (Flexible Single Master Operation), as described in
Understanding FSMO Roles in Active Directory.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in
the same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process.

However, there are scenarios where an administrator would want to move one or
more of the FSMO roles from the default holder DC to a different DC.

Windows Server 2003 Active Directory is a bit different than the Windows 2000
version when dealing with FSMO placement.

In this article I will only deal with Windows Server 2003 Active Directory, but you
should bear in mind that most considerations are also true when planning Windows
2000 AD FSMO roles

>What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

If you’re installing Windows 2003 R2 on an existing Windows 2003 server with SP1
installed, you require only the second R2 CD-ROM.

Insert the second CD and the r2auto.exe will display the Windows 2003 R2
Continue Setup screen. If you’re installing R2 on a domain controller (DC), you
must first upgrade the schema to the R2 version (this is a minor change and mostly
related to the new Dfs replication engine).

To update the schema, run the Adprep utility, which you’ll find in the Components\
r2\adprep folder on the second CD-ROM.

Before running this command, ensure all DCs are running Windows 2003 or
Windows 2000 with SP2 (or later).
Here’s a sample execution of the Adprep /forestprep

command:

D:\CMPNENTS\R2\ADPREP>adprep /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 domain controllers in the forest should
be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to
Windows 2000 SP2 (or later).

QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent
potential domain controller corruption.

[User Action] If ALL your existing Windows 2000 domain controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type any other
key and press ENT ER to quit.

C Opened Connection to SAV

DALDC01 SSPI Bind succeeded Current Schema Version is 30 Upgrading schema

to version 31 Connecting to “SAVDALDC01″ Logging in as current user using SSPI
Importing directory from file “C:\WINDOWS\system32\sch31.ldf” Loading entries…
139 entries modified successfully.

The command has completed successfully Adprep successfully updated the forest-
wide information.

After running Adprep, install R2 by performing these steps:

1. Click the “Continue Windows Server 2003 R2 Setup” link, as the figureshows.

2. At the “Welcome to the Windows Server 2003 R2 Setup Wizard” screen, click
Next.

3. You’ll be prompted to enter an R2 CD key (this is different from your existing

Windows 2003 keys) if the underlying OS wasn’t installed from R2 media (e.g., a
regular Windows 2003 SP1 installation).
Enter the R2 key and click Next. Note: The license key entered for R2 must match
the underlying OS type, which means if you installed Windows 2003 using a
volume-license version key, then you can’t use a retail or Microsoft Developer
Network (MSDN) R2 key.

4. You’ll see the setup summary screen which confirms the actions to be performed
(e.g., Copy files). Click Next.

5. After the installation is complete, you’ll see a confirmation dialog box. Click
Finish

>What is OU ?

Organization Unit is a container object in which you can keep objects such as user
accounts, groups, computer, printer . applications and other (OU).

In organization unit you can assign specific permission to the user’s. organization
unit can also be used to create departmental limitation.

>Name some OU design considerations ?

OU design requires balancing requirements for delegating administrative rights –

independent of Group Policy needs – and the need to scope the application of
Group Policy.

The following OU design recommendations address delegation and scope issues:

Applying Group Policy An OU is the lowest-level Active Directory container to

which you can assign Group Policy settings.

Delegating administrative authority

usually don’t go more than 3 OU levels

>What is sites ? What are they used for ?

One or more well-connected (highly reliable and fast) TCP/IP subnets.

A site allows administrators to configure Active Directory access and replication

topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that
hosts networks. Sites contain objects called Subnets.

Sites can be used to Assign Group Policy Objects, facilitate the discovery of
resources, manage active directory replication, and manage network link traffic.

Sites can be linked to other Sites. Site-linked objects may be assigned a cost value
that represents the speed, reliability, availability, or other real property of a
physical resource. Site Links may also be assigned a schedule.

>Trying to look at the Schema, how can I do that?

Register schmmgmt.dll using this command

c:\windows\system32>regsvr32 schmmgmt.dll

Open mmc –> add snapin –> add Active directory schema

name it as schema.msc

Open administrative tool –> schema.msc

>What is the port no of Kerbrose ?

88

>What is the port no of Global catalog ?

3268

>What is the port no of LDAP ?

389

>Explain Active Directory Schema ?

Windows 2000 and Windows Server 2003 Active Directory uses a database set of
rules called “Schema”. The Schema is defines as the formal definition of all object
classes, and the attributes that make up those object classes, that can be stored in
the directory. As mentioned earlier, the Active Directory database includes a
default Schema, which defines many object classes, such as users, groups,
computers, domains, organizational units, and so on.

These objects are also known as “Classes”. The Active Directory Schema can be
dynamically extensible, meaning that you can modify the schema by defining new
object types and their attributes and by defining new attributes for existing
objects. You can do this either with the Schema Manager snap-in tool included
with Windows 2000/2003 Server, or programmatically.

>How can you forcibly remove AD from a server, and what do you do later? ? Can I
get user passwords from the AD database?

Dcpromo /forceremoval , an administrator can forcibly remove Active Directory

and roll back the system without having to contact or replicate any locally held
changes to another DC in the forest. Reboot the server then After you use the
dcpromo /forceremoval command, all the remaining metadata for the demoted DC
is not deleted on the surviving domain controllers, and therefore you must
manually remove it by using the NTDSUTIL command.

In the event that the NTDS Settings object is not removed correctly you can use
the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need
the following tool: Ntdsutil.exe, Active Directory Sites and Services, Active
Directory Users and Computers

>What are the FSMO roles? Who has them by default? What happens when each
one fails?

Flexible Single Master Operation (FSMO) role. Currently there are five FSMO
roles:

Schema master

Domain naming master

RID master

PDC emulator

Infrastructure master

>What is domain tree ?

Domain Trees: A domain tree comprises several domains that share a common
schema and configuration, forming a contiguous namespace. Domains in a tree are
also linked together by trust relationships. Active Directory is a set of one or more
trees.

Trees can be viewed two ways. One view is the trust relationships between
domains. The other view is the namespace of the domain tree.

>What is forests?

A collection of one or more domain trees with a common schema and implicit trust
relationships between them. This arrangement would be used if you have multiple
root DNS addresses.
>How to Select the Appropriate Restore Method?

You select the appropriate restore method by considering:

Circumstances and characteristics of the failure. The two major categories of

failure, From an Active Directory perspective, are Active Directory data corruption
and hardware failure.

Active Directory data corruption occurs when the directory contains corrupt data
that has been replicated to all domain controllers or when a large portion of the
Active Directory hierarchy has been changed accidentally (such as deletion of an
OU) and this change has replicated to other domain controllers.

>Where are the Windows NT Primary Domain Controller (PDC) and its Backup
Domain Controller (BDC) in Server 2003?

The Active Directory replaces them. Now all domain controllers share a
multimaster peer-to-peer read and write relationship that hosts copies of the
Active Directory.

>What is Global Catalog?

The Global Catalog authenticates network user logons and fields inquiries about
objects across a forest or tree. Every domain has at least one GC that is hosted on
a domain controller. In Windows 2000, there was typically one GC on every site in
order to prevent user logon failures across the network.

>How long does it take for security changes to be replicated among the domain
controllers?

Security-related modifications are replicated within a site immediately. These

changes include account and individual user lockout policies, changes to password
policies, changes to computer account passwords, and modifications to the Local
Security Authority (LSA).

>When should you create a forest?

Organizations that operate on radically different bases may require separate trees
with distinct namespaces. Unique trade or brand names often give rise to separate
DNS identities. Organizations merge or are acquired and naming continuity is
desired. Organizations form partnerships and joint ventures. While access to
common resources is desired, a separately defined tree can enforce more direct
administrative and security restrictions.

>Describe the process of working with an external domain name ?

If it is not possible for you to configure your internal domain as a subdomain of

your external domain, use a stand-alone internal domain. This way, your internal
and external domain names are unrelated. For example, an organization that uses
the domain name contoso.com for their external namespace uses the name
corp.internal for their internal namespace.

The advantage to this approach is that it provides you with a unique internal
domain name. The disadvantage is that this configuration requires you to manage
two separate namespaces. Also, using a stand-alone internal domain that is
unrelated to your external domain might create confusion for users because the
namespaces do not reflect a relationship between resources within and outside of
your network.

In addition, you might have to register two DNS names with an Internet name
authority if you want to make the internal domain publicly accessible.

>How do you view all the GCs in the forest?

C:\>repadmin /showreps

domain_controller

OR

You can use Replmon.exe for the same purpose.

OR

AD Sites and Services and nslookup gc._msdcs.

To find the in GC from the command line you can try using DSQUERY command.

dsquery server -isgc to find all the GC’s in the forest

you can try dsquery server -forest -isgc.

> What are the physical components of Active Directory?

Domain controllers and Sites. Domain controllers are physical computers which
are running Windows Server operating system and Active Directory data base.
Sites are a network segment based on geographical location and which contains
multiple domain controllers in each site.

> What are the logical components of Active Directory?

Domains, Organizational Units, trees and forests are logical components of Active
Directory.

> What are the Active Directory Partitions?

Active Directory database is divided into different partitions such as Schema

partition, Domain partition, and Configuration partition. Apart from these
partitions, we can create Application partition based on the requirement.

> What is group nesting?

Adding one group as a member of another group is called ‘group nesting’. This will
help for easy administration and reduced replication traffic.

> What is the feature of Domain Local Group?

Domain local groups are mainly used for granting access to network resources.A
Domain local group can contain accounts from any domain, global groups from any
domain and universal groups from any domain. For example, if you want to grant
permission to a printer located at Domain A, to 10 users from Domain B, then
create a Global group in Domain B and add all 10 users into that Global group.
Then, create a Domain local group at Domain A, and add Global group of Domain B
to Domain local group of Domain A, then, add Domain local group of Domain A to
the printer(of Domain A) security ACL.

>How will you take Active Directory backup ?

Active Directory is backed up along with System State data. System state data
includes Local registry, COM+, Boot files, NTDS.DIT and SYSVOL folder. System
state can be backed up either using Microsoft’s default NTBACKUP tool or third
party tools such as Symantech NetBackup, IBM Tivoli Storage Manager etc.

> Do we use clustering in Active Directory ? Why ?

No one installs Active Directory in a cluster. There is no need of clustering a

domain controller. Because Active Directory provides total redundancy with two or
more servers.

> What is Active Directory Recycle Bin ?

Active Directory Recycle bin is a feature of Windows Server 2008 AD. It helps to
restore accidentally deleted Active Directory objects without using a backed up AD
database, rebooting domain controller or restarting any services.

> How do you check currently forest and domain functional levels? Say both GUI
and Command line.

To find out forest and domain functional levels in GUI mode, open ADUC, right
click on the domain name and take properties. Both domain and forest functional
levels will be listed there. TO find out forest and domain functional levels, you can
use DSQUERY command.

> Which version of Kerberos is used for Windows 2000/2003 and 2008 Active
Directory ?

All versions of Windows Server Active Directory use Kerberos 5.

> Name few port numbers related to Active Directory ?

Kerberos 88, LDAP 389, DNS 53, SMB 445

> What is an FQDN ?

FQDN can be expanded as Fully Qualified Domain Name.It is a hierarchy of a

domain name system which points to a device in the domain at its left most end.
For example in system.

> Have you heard of ADAC ?

ADAC- Active Directory Administrative Center is a new GUI tool came with
Windows Server 2008 R2, which provides enhanced data management experience
to the admin. ADAC helps administrators to perform common Active Directory
object management task across multiple domains with the same ADAC instance.

> How many objects can be created in Active Directory? (both 2003 and 2008)

As per Microsoft, a single AD domain controller can create around 2.15 billion
objects during its lifetime.
> Explain the process between a user providing his Domain credential to his
workstation and the desktop being loaded? Or how the AD authentication works?

When a user enters a user name and password, the computer sends the user name
to the KDC. The KDC contains a master database of unique long term keys for
every principal in its realm. The KDC looks up the user’s master key (KA), which is
based on the user’s password. The KDC then creates two items: a session key (SA)
to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a
second copy of the SA, the user name, and an expiration time. The KDC encrypts
this ticket by using its own master key (KKDC), which only the KDC knows. The
client computer receives the information from the KDC and runs the user’s
password through a one-way hashing function, which converts the password into
the user’s KA. The client computer now has a session key and a TGT so that it can
securely communicate with the KDC. The client is now authenticated to the domain
and is ready to access other resources in the domain by using the Kerberos
protocol.

 What is Active Directory?

An active directory is a directory structure used on Microsoft Windows based computers and servers
to store information and data about networks and domains. It is primarily used for online information
and was originally created in 1996. It was first used with Windows 2000.

An active directory (sometimes referred to as an AD) does a variety of functions including the ability
to rovide information on objects, helps organize these objects for easy retrieval and access, allows
access by end users and administrators and allows the administrator to set security up for the
directory.

Active Directory is a hierarchical collection of network resources that can contain users, computers,
printers, and other Active Directories. Active Directory Services (ADS) allow administrators to handle
and maintain all network resources from a single location . Active Directory stores information and
settings in a central database
 What is LDAP?

The Lightweight Directory Access Protocol, or LDAP , is an application protocol for querying and
modifying directory services running over TCP/IP. Although not yet widely implemented, LDAP should
eventually make it possible for almost any application running on virtually any computer platform to
obtain directory information, such as email addresses and public keys. Because LDAP is an open
protocol, applications need not worry about the type of server hosting the directory.
 Can you connect Active Directory to other 3rd-party Directory Services? Name a few
options.
-Yes you can connect other vendors Directory Services with Microsoft’s version.

-Yes, you can use dirXML or LDAP to connect to other directories (ie. E-directory from Novell or NDS
(Novel directory System).

-Yes you can Connect Active Directory to other 3rd -party Directory Services such as dictonaries used
by SAP, Domino etc with the help of MIIS ( Microsoft Identity Integration Server )
 Where is the AD database held? What other folders are related to AD?

AD Database is saved in %systemroot%/ntds. You can see other files also in this folder. These are the
main files controlling the AD structure

ntds.dit

edb.log

res1.log

res2.log

edb.chk

When a change is made to the Win2K database, triggering a write operation, Win2K records the
transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD
database. System performance determines how fast the system writes the data to the AD database
from the log file. Any time the system is shut down, all transactions are saved to the database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each
is 10MB. These files are used to ensure that changes can be written to disk should the system run out
of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database
(ntds.dit). During shutdown, a “shutdown” statement is written to the edb.chk file. Then, during a
reboot, AD determines that all transactions in the edb.log file have been committed to the AD
database. If, for some reason, the edb.chk file doesn’t exist on reboot or the shutdown statement isn’t
present, AD will use the edb.log file to update the AD database.

The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located
in\NTDS, along with the other files we’ve discussed
 What is the SYSVOL folder?

– All active directory data base security related information store in SYSVOL folder and its only
created on NTFS partition.

– The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain
controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system
(NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system
(DFS) forest.
This is a quote from microsoft themselves, basically the domain controller info stored in files like your
group policy stuff is replicated through this folder structure
 Name the AD NCs and replication issues for each NC

*Schema NC, *Configuration NC, Domain NC

Schema NC This NC is replicated to every other domain controller in the forest. It contains
information about the Active Directory schema, which in turn defines the different object classes and
attributes within Active Directory.
Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide
configuration information pertaining to the physical layout of Active Directory, as well as information
about display specifiers and forest-wide Active Directory quotas.
Domain NC This NC is replicated to every other DC within a single Active Directory domain. This is
the NC that contains the most commonly-accessed Active Directory data: the actual users, groups,
computers, and other objects that reside within a particular Active Directory domain.
 What are application partitions? When do I use them

Application directory partitions: These are specific to Windows Server 2003 domains.
An application directory partition is a directory partition that is replicated only to specific domain
controllers. A domain controller that participates in the replication of a particular application
directory partition hosts a replica of that partition. Only Domain controllers running Windows Server
2003 can host a replica of an application directory partition.
 How do you create a new application partition

http://wiki.answers.com/Q/How_do_you_create_a_new_application_partition
 How do you view replication properties for AD partitions and DCs?

By using replication monitor

go to start > run > type replmon

 What is the Global Catalog?

The global catalog contains a complete replica of all objects in Active Directory for its Host domain,
and contains a partial replica of all objects in Active Directory for every other domain in the forest.

The global catalog is a distributed data repository that contains a searchable, partial representation of
every object in every domain in a multidomain Active Directory forest. The global catalog is stored on
domain controllers that have been designated as global catalog servers and is distributed through
multimaster replication. Searches that are directed to the global catalog are faster because they do
not involve referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a
Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single domain
directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating
an object in a different domain would require the user or application to provide the domain of the
requested object.
The global catalog provides the ability to locate objects from any domain without having to know the
domain name. A global catalog server is a domain controller that, in addition to its full, writable
domain directory partition replica, also stores a partial, read-only replica of all other domain directory
partitions in the forest. The additional domain directory partitions are partial because only a limited
set of attributes is included for each object. By including only the attributes that are most used for
searching, every object in every domain in even the largest forest can be represented in the database
of a single global catalog server.
 How do you view all the GCs in the forest?

C:\>repadmin/showreps
domain_controller

OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.%USERDNSDOMAIN%
 Why not make all DCs in a large forest as GCs?

The reason that all DCs are not GCs to start is that in large (or even Giant) forests the DCs would all
have to hold a reference to every object in the entire forest which could be quite large and quite a
replication burden.

For a few hundred, or a few thousand users even, this not likely to matter unless you have really poor
WAN lines.
 Trying to look at the Schema, how can I do that?

adsiedit.exe

option to view the schema

register schmmgmt.dll using this command

c:\windows\system32>regsvr32 schmmgmt.dll

Open mmc –> add snapin –> add Active directory schema

name it as schema.msc

Open administrative tool –> schema.msc

 What are the Support Tools? Why do I need them?

Support Tools are the tools that are used for performing the complicated tasks easily. These can also
be the third party tools. Some of the Support tools include DebugViewer, DependencyViewer,
RegistryMonitor, etc. -edit by Casquehead I beleive this question is reffering to the Windows Server
2003 Support Tools, which are included with Microsoft Windows Server 2003 Service Pack 2. They
are also available for download here:
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-
A772EA2DF90&displaylang=en

You need them because you cannot properly manage an Active Directory network without them.
Here they are, it would do you well to familiarize yourself with all of them.

Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe

> What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active
Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common
administrative tasks such as adding, deleting, and moving objects with a directory service. The
attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI
application programming interfaces (APIs) to access Active Directory. The following are the required
files for using this tool:

· ADSIEDIT.DLL

· ADSIEDIT.MSC

Regarding system requirements, a connection to an Active Directory environment and Microsoft

Management Console (MMC) is necessary

A: Replmon is the first tool you should use when troubleshooting Active Directory replication issues.
As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using
its command line counterparts. The purpose of this document is to guide you in how to use it, list some
common replication errors and show some examples of when replication issues can stop other
network installation actions.
for more go to http://www.techtutorials.net/articles/replmon_howto_a.html

NETDOM is a command-line tool that allows management of Windows domains and trust
relationships. It is used for batch management of trusts, joining computers to domains, verifying
trusts, and secure channels

A:
Enables administrators to manage Active Directory domains and trust relationships from the
command prompt.

Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the
Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run
the netdom command from an elevated command prompt. To open an elevated command prompt,
clickStart, right-click Command Prompt, and then click Run as administrator.

REPADMIN.EXE is a command line tool used to monitor and troubleshoot replication on a computer
running Windows. This is a command line tool that allows you to view the replication topology as seen
from the perspective of each domain controller.

REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory
level. Although specific to Windows, it is also useful for diagnosing some Exchange replication
problems, since Exchange Server is Active Directory based.

REPADMIN doesn’t actually fix replication problems for you. But, you can use it to help determine the
source of a malfunction.
 What are sites? What are they used for?

Active directory sites, which consist of well-connected networks defined by IP subnets that help define
the physical structure of your AD, give you much better control over replication traffic and
authentication traffic than the control you get with Windows NT 4.0 domains.
Using Active Directory, the network and its objects are organized by constructs such as domains,
trees, forests, trust relationships, organizational units (OUs), and sites.
 What’s the difference between a site link’s schedule and interval?

Schedule enables you to list weekdays or hours when the site link is available for replication to
happen in the give interval. Interval is the re occurrence of the inter site replication in given minutes.
It ranges from 15 – 10,080 mins. The default interval is 180 mins.
 What is the KCC?

The KCC is a built-in process that runs on all domain controllers and generates replication topology
for the Active Directory forest. The KCC creates separate replication topologies depending on whether
replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically
adjusts the topology to accommodate new domain controllers, domain controllers moved to and from
sites, changing costs and schedules, and domain controllers that are temporarily unavailable.
 What is the ISTG? Who has that role by default?
Intersite Topology Generator (ISTG), which is responsible for the connections among the sites. By
default Windows 2003 Forest level functionality has this role. By Default the first Server has this role.
If that server can no longer preform this role then the next server with the highest GUID then takes
over the role of ISTG.

What are the requirements for installing AD on a new server?

· An NTFS partition with enough free space (250MB minimum)

· An Administrator’s username and password

· The correct operating system version

· A NIC

· Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)

· A network connection (to a hub or to another computer via a crossover cable)

· An operational DNS server (which can be installed on the DC itself)

· A Domain name that you want to use

· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

From the Petri IT Knowledge base. For more info, follow this link:

http://www.petri.co.il/active_directory_installation_requirements.htm
 What can you do to promote a server to DC if you’re in a remote location with slow WAN
link?

First available in Windows 2003, you will create a copy of the system state from an existing DC and
copy it to the new remote server. Run “Dcpromo /adv”. You will be prompted for the location of the
system state files
 How can you forcibly remove AD from a server, and what do you do later? • Can I get user
passwords from the AD database?

Demote the server using dcpromo /forceremoval, then remove the metadata from Active directory
using ndtsutil. There is no way to get user passwords from AD that I am aware of, but you should still
be able to change them.

Another way out too

Restart the DC is DSRM mode

a. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right-pane, double-click ProductType.

c. Type ServerNT in the Value data box, and then click OK.

Restart the server in normal mode

its a member server now but AD entries are still there. Promote teh server to a fake domain
say ABC.com and then remove gracefully using DCpromo. Else after restart you can also use ntdsutil
to do metadata as told in teh earlier post
 What tool would I use to try to grab security related packets from the wire?

you must use sniffer-detecting tools to help stop the snoops. … A good packet sniffer would be
“ethereal”
www.ethereal.com
 Name some OU design considerations ?

OU design requires balancing requirements for delegating administrative rights – independent of

Group Policy needs – and the need to scope the application of Group Policy. The following OU design
recommendations address delegation and scope issues:

Applying Group Policy An OU is the lowest-level Active Directory container to which you can assign
Group Policy settings.

Delegating administrative authority

usually don’t go more than 3 OU levels

 What is tombstone lifetime attribute?

The number of days before a deleted object is removed from the directory services. This assists in
removing objects from replicated servers and preventing restores from reintroducing a deleted object.
This value is in the Directory Service object in the configuration NIC by default 2000 (60 days) 2003
(180 days)

What do you do to install a new Windows 2003 DC in a Windows 2000 AD?

If you plan to install windows 2003 server domain controllers into an existing windows 2000 domain
or upgrade a windows 2000 domain controllers to windows server 2003, you first need to run
the Adprep.exe utility on the windows 2000 domain controllers currently holding the schema master
and infrastructure master roles. The adprep / forestprer command must first be issued on the windows
2000 server holding schema master role in the forest root doman to prepare the existing schema to
support windows 2003 active directory. The adprep /domainprep command must be issued on the
sever holding the infrastructure master role in the domain where 2000 server will be deployed.
 What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

A. If you’re installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you
require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the
Windows 2003 R2 Continue Setup screen.
If you’re installing R2 on a domain controller (DC), you must first upgrade the schema to the R2
version (this is a minor change and mostly related to the new Dfs replication engine). To update the
schema, run the Adprep utility, which you’ll find in the Cmpnents\r2\adprep folder on the second CD-
ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with
SP2 (or later)
 How would you find all users that have not logged on since last month?
http://wiki.answers.com/Q/How_would_you_find_all_users_that_have_not_logged_on_since_last_mon
th
 What are the DScommands?

New DS (Directory Service) Family of built-in command line utilities for Windows Server 2003 Active
Directory

New DS built-in tools for Windows Server 2003

The DS (Directory Service) group of commands are split into two families. In one branch are DSadd,
DSmod, DSrm and DSMove and in the other branch are DSQuery and DSGet.

When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice.
The the DS family of built-in command line executables offer alternative strategies to CSVDE, LDIFDE
and VBScript.

Let me introduce you to the members of the DS family:

DSadd – add Active Directory users and groups

DSmod – modify Active Directory objects
DSrm – to delete Active Directory objects
DSmove – to relocate objects
DSQuery – to find objects that match your query attributes
DSget – list the properties of an object
 What are the FSMO roles? Who has them by default? What happens when each one fails?

FSMO stands for the Flexible single Master Operation

It has 5 Roles: –
 Schema Master:

The schema master domain controller controls all updates and modifications to the schema. Once the
Schema update is complete, it is replicated from the schema master to all other DCs in the directory.
To update the schema of a forest, you must have access to the schema master. There can be only one
schema master in the whole forest.
 Domain naming master:

The domain naming master domain controller controls the addition or removal of domains in the
forest. This DC is the only one that can add or remove a domain from the directory. It can also add or
remove cross references to domains in external directories. There can be only one domain naming
master in the whole forest.
 Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents the
reference by the GUID, the SID (for references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for updating an object’s SID
and distinguished name in a cross-domain object reference. At any one time, there can be only one
domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global
Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating
object information because it does not contain any references to objects that it does not hold. This is
because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-
domain object references in that domain will not be updated and a warning to that effect will be
logged on that DC’s event log. If all the domain controllers in a domain also host the global catalog, all
the domain controllers have the current data, and it is not important which domain controller holds
the infrastructure master role.
 Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a
particular domain. When a DC creates a security principal object such as a user or group, it attaches a
unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs
created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a
domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security
principals it creates. When a DC’s allocated RID pool falls below a threshold, that DC issues a request
for additional RIDs to the domain’s RID master. The domain RID master responds to the request by
retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting
DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
 PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the
W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All
Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the
time service is to ensure that the Windows Time service uses a hierarchical relationship that controls
authority and does not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the
forest becomes authoritative for the enterprise, and should be configured to gather the time from an
external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their
in-bound time partner.

:: In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

:: Password changes performed by other DCs in the domain are replicated preferentially to the PDC
emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are
forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC
Emulator’s SYSVOL share, unless configured not to do so by the administrator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based
PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and
domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows
2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003
environment.
 What FSMO placement considerations do you know of?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO
(Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or
actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO
roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing
with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but
you should bear in mind that most considerations are also true when planning Windows 2000 AD
FSMO roles
 What’s the difference between transferring a FSMO role and seizing one? Which one
should you NOT seize? Why?

Certain domain and enterprise-wide operations that are not good for multi-master updates are
performed by a single domain controller in an Active Directory domain or forest. The domain
controllers that are assigned to perform these unique operations are called operations masters or
FSMO role holders.

The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent
operations that they perform:
 Schema master – The Schema master role is forest-wide and there is one for each forest. This role
is required to extend the schema of an Active Directory forest or to run the adprep
/domainprep command.
 Domain naming master – The Domain naming master role is forest-wide and there is one for each
forest. This role is required to add or remove domains or application partitions to or from a forest.
 RID master – The RID master role is domain-wide and there is one for each domain. This role is
required to allocate the RID pool so that new or existing domain controllers can create user
accounts, computer accounts or security groups.
 PDC emulator – The PDC emulator role is domain-wide and there is one for each domain. This role
is required for the domain controller that sends database updates to Windows NT backup domain
controllers. The domain controller that owns this role is also targeted by certain administration
tools and updates to user account and computer account passwords.
 Infrastructure master – The Infrastructure master role is domain-wide and there is one for each
domain. This role is required for domain controllers to run the adprep /forestprep command
 successfully and to update SID attributes and distinguished name attributes for objects that are
referenced across domains.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain
controller in the forest root domain. The first domain controller in each new child or tree domain is
assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are
reassigned by using one of the following methods:
 An administrator reassigns the role by using a GUI administrative tool.
 An administrator reassigns the role by using the ntdsutil /roles command.
 An administrator gracefully demotes a role-holding domain controller by using the Active Directory
Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in
the forest. Demotions that are performed by using the dcpromo /forceremoval command leave
FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

 The current role holder is operational and can be accessed on the network by the new FSMO
owner.
 You are gracefully demoting a domain controller that currently owns FSMO roles that you want to
assign to a specific domain controller in your Active Directory forest.
 The domain controller that currently owns FSMO roles is being taken offline for scheduled
maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This
may be required to perform operations that connect to the FSMO owner. This would be especially
true for the PDC Emulator role but less true for the RID master role, the Domain naming master
role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

 The current role holder is experiencing an operational error that prevents an FSMO-dependent
operation from completing successfully and that role cannot be transferred.
 A domain controller that owns an FSMO role is force-demoted by using the dcpromo
/forceremoval command.
 The operating system on the computer that originally owned a specific role no longer exists or has
been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of
changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best
candidate domain controller is one that is in the appropriate domain that last inbound-replicated, or
recently inbound-replicated a writable copy of the “FSMO partition” from the existing role holder. For
example, the Schema master role-holder has a distinguished name path of
CN=schema,CN=configuration,dc=<forest root domain>, and this mean that roles reside in and are
replicated as part of the CN=schema partition. If the domain controller that holds the Schema master
role experiences a hardware or software failure, a good candidate role-holder would be a domain
controller in the root domain and in the same Active Directory site as the current owner. Domain
controllers in the same Active Directory site perform inbound replication every 5 minutes or 15
seconds.

A domain controller whose FSMO roles have been seized should not be permitted to communicate
with existing domain controllers in the forest. In this scenario, you should either format the hard disk
and reinstall the operating system on such domain controllers or forcibly demote such domain
controllers on a private network and then remove their metadata on a surviving domain controller in
 the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former
FSMO role holder whose role has been seized into the forest is that the original role holder may
continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of
two domain controllers owning the same FSMO roles include creating security principals that have
overlapping RID pools, and other problems.
Transfer FSMO roles

To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or
domain controller that is located in the forest where FSMO roles are being transferred. We
recommend that you log on to the domain controller that you are assigning FSMO roles to. The
logged-on user should be a member of the Enterprise Administrators group to transfer Schema
master or Domain naming master roles, or a member of the Domain Administrators group of the
domain where the PDC emulator, RID master and the Infrastructure master roles are being
transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.Note To see a list of available commands at any one of the
prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the
domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can
transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles
at the start of this article. For example, to transfer the RID master role, type transfer rid master.
The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc
emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to
the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or
domain controller that is located in the forest where FSMO roles are being seized. We recommend
that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user
should be a member of the Enterprise Administrators group to transfer schema or domain naming
master roles, or a member of the Domain Administrators group of the domain where the PDC
emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the
domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize,
type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the
start of this article. For example, to seize the RID master role, type seize rid master. The one
exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to
the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.Notes
 o Under typical conditions, all five roles must be assigned to “live” domain controllers in the
forest. If a domain controller that owns a FSMO role is taken out of service before its roles
are transferred, you must seize all roles to an appropriate and healthy domain controller.
We recommend that you only seize all roles when the other domain controller is not
returning to the domain. If it is possible, fix the broken domain controller that is assigned
the FSMO roles. You should determine which roles are to be on which remaining domain
controllers so that all five roles are assigned to a single domain controller. For more
information about FSMO role placement, click the following article number to view the
article in the Microsoft Knowledge Base: 223346
(http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on Windows
2000 domain controllers
o If the domain controller that formerly held any FSMO role is not present in the domain and
if it has had its roles seized by using the steps in this article, remove it from the Active
Directory by following the procedure that is outlined in the following Microsoft Knowledge
Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in
active directory after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000 version or the Windows
Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not
relocate FSMO roles that are assigned to live domain controllers. The Windows Server
2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes
additional elements of domain controller metadata.
o Some customers prefer not to restore system state backups of FSMO role-holders in case
the role has been reassigned since the backup was made.
o Do not put the Infrastructure master role on the same domain controller as the global
catalog server. If the Infrastructure master runs on a global catalog server it stops
updating object information because it does not contain any references to objects that it
does not hold. This is because a global catalog server holds a partial replica of every object
in the forest.

To test whether a domain controller is also a global catalog server:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory
Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-
name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller’s folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.

For more information about FSMO roles, click the following article numbers to view the articles in the
Microsoft Knowledge Base:
 How do you configure a “stand-by operation master” for any of the roles?
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display
the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its
NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then
click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object
or accept the default name, and click OK.
  How do you backup AD?

Backing up Active Directory is essential to maintain an Active Directory database. You can back up
Active Directory by using the Graphical User Interface (GUI) and command-line tools that the
Windows Server 2003 family provides.
You frequently backup the system state data on domain controllers so that you can restore the most
current data. By establishing a regular backup schedule, you have a better chance of recovering data
when necessary.

To ensure a good backup includes at least the system state data and contents of the system disk, you
must be aware of the tombstone lifetime. By default, the tombstone is 60 days. Any backup older than
60 days is not a good backup. Plan to backup at least two domain controllers in each domain, one of at
least one backup to enable an authoritative restore of the data when necessary.

System State Data

Several features in the windows server 2003 family make it easy to backup Active Directory. You can
backup Active Directory while the server is online and other network function can continue to
function.

System state data on a domain controller includes the following components:

Active Directory system state data does not contain Active Directory unless the server, on which you
are backing up the system state data, is a domain controller. Active Directory is present only on
domain controllers.

The SYSVOL shared folder: This shared folder contains Group policy templates and logon scripts.
The SYSVOL shared folder is present only on domain controllers.

The Registry: This database repository contains information about the computer’s configuration.

System startup files: Windows Server 2003 requires these files during its initial startup phase. They
include the boot and system files that are under windows file protection and used by windows to load,
configure, and run the operating system.

The COM+ Class Registration database: The Class registration is a database of information about
Component Services applications.

The Certificate Services database: This database contains certificates that a server running
Windows server 2003 uses to authenticate users. The Certificate Services database is present only if
the server is operating as a certificate server.

System state data contains most elements of a system’s configuration, but it may not include all of the
information that you require recovering data from a system failure. Therefore, be sure to backup all
boot and system volumes, including the System State, when you back up your server.

Restoring Active Directory

In Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted
or is destroyed because of hardware or software failures. You must restore the Active Directory
database when objects in Active Directory are changed or deleted.

Active Directory restore can be performed in several ways. Replication synchronizes the latest
changes from every other replication partner. Once the replication is finished each partner has an
updated version of Active Directory. There is another way to get these latest updates by Backup utility
to restore replicated data from a backup copy. For this restore you don’t need to configure again your
domain controller or no need to install the operating system from scratch.

Active Directory Restore Methods

You can use one of the three methods to restore Active Directory from backup media: primary restore,
normal (non authoritative) restore, and authoritative restore.

Primary restore: This method rebuilds the first domain controller in a domain when there is no other
way to rebuild the domain. Perform a primary restore only when all the domain controllers in the
domain are lost, and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on local computer, or user should
have been delegated with this responsibility to perform restore. On a domain controller only Domain
Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup, and
then updates the data through the normal replication process. Perform a normal restore for a single
domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative
restore marks specific data as current and prevents the replication from overwriting that data. The
authoritative data is then replicated through the domain.
Perform an authoritative restore individual object in a domain that has multiple domain controllers.
When you perform an authoritative restore, you lose all changes to the restore object that occurred
after the backup. Ntdsutil is a command line utility to perform an authoritative restore along with
windows server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you
use to mark Active Directory objects as authoritative so that they receive a higher version recently
changed data on other domain controllers does not overwrite system state data during replication.
 How do you restore AD?

Restoring Active Directory :

In Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted
or is destroyed because of hardware or software failures. You must restore the Active Directory
database when objects in Active Directory are changed or deleted.

Active Directory restore can be performed in several ways. Replication synchronizes the latest
changes from every other replication partner. Once the replication is finished each partner has an
updated version of Active Directory. There is another way to get these latest updates by Backup utility
to restore replicated data from a backup copy. For this restore you don’t need to configure again your
domain controller or no need to install the operating system from scratch.
 Active Directory Restore Methods
You can use one of the three methods to restore Active Directory from backup media: primary restore,
normal (non authoritative) restore, and authoritative restore.

Primary restore: This method rebuilds the first domain controller in a domain when there is no other
way to rebuild the domain. Perform a primary restore only when all the domain controllers in the
domain are lost, and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on local computer, or user should
have been delegated with this responsibility to perform restore. On a domain controller only Domain
Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup, and
then updates the data through the normal replication process. Perform a normal restore for a single
domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative
restore marks specific data as current and prevents the replication from overwriting that data. The
authoritative data is then replicated through the domain.
Perform an authoritative restore individual object in a domain that has multiple domain controllers.
When you perform an authoritative restore, you lose all changes to the restore object that occurred
after the backup. Ntdsutil is a command line utility to perform an authoritative restore along with
windows server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you
use to mark Active Directory objects as authoritative so that they receive a higher version recently
changed data on other domain controllers does not overwrite system state data during replication.

METHOD

A.
You can’t restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is
running. To restore AD, perform the following steps.

Reboot the computer.

At the boot menu, select Windows 2000 Server. Don’t press Enter. Instead, press F8 for advanced
options. You’ll see the following text. OS Loader V5.0

Windows NT Advanced Options Menu

Please select an option:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Enable Boot Logging

Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers only)
Debugging Mode
Use | and | to move the highlight to your choice.
Press Enter to choose.
Scroll down, and select Directory Services Restore Mode (Windows NT domain controllers only).
Press Enter.
When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of the screen,
you’ll see in red text Directory Services Restore Mode (Windows NT domain controllers only).
The computer will boot into a special safe mode and won’t start the DS. Be aware that during this time
the machine won’t act as a DC and won’t perform functions such as authentication.

Start NT Backup.
Select the Restore tab.
Select the backup media, and select System State.
Click Start Restore.
Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to use the restored
information. The computer might hang after the restore completes; Sometimes it takes a 30-minute
wait on some machines.
 How do you change the DS Restore admin password?

When you promote a Windows 2000 Server-based computer to a domain controller, you are prompted
to type a Directory Service Restore Mode Administrator password. This password is also used by
Recovery Console, and is separate from the Administrator password that is stored in Active Directory
after a completed promotion.

The Administrator password that you use when you start Recovery Console or when you press F8 to
start Directory Service Restore Mode is stored in the registry-based Security Accounts Manager
(SAM) on the local computer. The SAM is located in the\System32\Config folder. The SAM-based
account and password are computer specific and they are not replicated to other domain controllers in
the domain.

For ease of administration of domain controllers or for additional security measures, you can change
the Administrator password for the local SAM. To change the local Administrator password that you
use when you start Recovery Console or when you start Directory Service Restore Mode, use the
following method.

1. Log on to the computer as the administrator or a user who is a member of the Administrators
group. 2. Shut down the domain controller on which you want to change the password. 3. Restart the
computer. When the selection menu screen is displayed during restar, press F8 to view advanced
startup options. 4. Click the Directory Service Restore Mode option. 5. After you log on, use one of
the following methods to change the local Administrator password: • At a command prompt, type the
following command:

net user administrator

• Use the Local User and Groups snap-in (Lusrmgr.msc) to change the Administrator password. 6.
Shut down and restart the computer. You can now use the Administrator account to log on to
Recovery Console or Directory Services Restore Mode using the new password.
 Why can’t you restore a DC that was backed up 4 months ago?

Because of the tombstone life which is set to only 60 days

 What are GPOs?

Group Policy gives you administrative control over users and computers in your network. By using
Group Policy, you can define the state of a user’s work environment once, and then rely on Windows
Server 2003 to continually force the Group Policy settings that you apply across an entire organization
or to specific groups of users and computers.
Group Policy Advantages
You can assign group policy in domains, sites and organizational units.
All users and computers get reflected by group policy settings in domain, site and organizational unit.
No one in network has rights to change the settings of Group policy; by default only administrator has
full privilege to change, so it is very secure.
Policy settings can be removed and can further rewrite the changes.
Where GPO’s store Group Policy Information
Group Policy objects store their Group Policy information in two locations:

Group Policy Container: The GPC is an Active Directory object that contains GPO status, version
information, WMI filter information, and a list of components that have settings in the GPO.
Computers can access the GPC to locate Group Policy templates, and domain controller does not have
the most recent version of the GPO, replication occurs to obtain the latest version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain
controller. When you create GPO, Windows Server 2003 creates the corresponding GPT which
contains all Group Policy settings and information, including administrative templates, security,
software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder
to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is
identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT
on a domain controller is systemroot\SYSVOL\sysvol.
Managing GPOs
To avoid conflicts in replication, consider the selection of domain controller, especially because the
GPO data resides in SYSVOL folder and the Active Directory. Active Directory uses two independent
replication techniques to replicate GPO data among all domain controllers in the domain. If two
administrator’s changes can overwrite those made by other administrator, depends on the replication
latency. By default the Group Policy Management console uses the PDC Emulator so that all
administrators can work on the same domain controller.

WMI Filter
WMI filters is use to get the current scope of GPOs based on attributes of the user or computer. In this
way, you can increase the GPOs filtering capabilities beyond the security group filtering mechanisms
that were previously available.
Linking can be done with WMI filter to a GPO. When you apply a GPO to the destination computer,
Active Directory evaluates the filter on the destination computer. A WMI filter has few queries that
active Directory evaluates in place of WMI repository of the destination computer. If the set of queries
is false, Active Directory does not apply the GPO. If set of queries are true, Active Directory applies
the GPO. You write the query by using the WMI Query Language (WQL); this language is similar to
querying SQL for WMI repository.

Planning a Group Policy Strategy for the Enterprise

When you plan an Active Directory structure, create a plan for GPO inheritance, administration, and
deployment that provides the most efficient Group Policy management for your organization.

Also consider how you will implement Group Policy for the organization. Be sure to consider the
delegation of authority, separation of administrative duties, central versus decentralized
administration, and design flexibility so that your plan will provide for ease of use as well as
administration.

Planning GPOs
Create GPOs in way that provides for the simplest and most manageable design — one in which you
can use inheritance and multiple links.

Guidelines for Planning GPOs

Apply GPO settings at the highest level: This way, you take advantage of Group Policy inheritance.
Determine what common GPO settings for the largest container are starting with the domain and then
link the GPO to this container.
Reduce the number of GPOs: You reduce the number by using multiple links instead of creating
multiple identical GPOs. Try to link a GPO to the broadest container possible level to avoid creating
multiple links of the same GPO at a deeper level.
Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a higher
level will not apply the settings in these specialized GPOs.
Disable computer or use configuration settings: When you create a GPO to contain settings for only
one of the two levels-user and computer-disable the logon and prevents accidental GPO settings from
being applied to the other area.
 What is the order in which GPOs are applied?

Local, Site, Domain, OU

Group Policy settings are processed in the following order:

1:- Local Group Policy object-each computer has exactly one Group Policy object that is stored locally.
This processes for both computer and user Group Policy processing.

2:- Site-Any GPOs that have been linked to the site that the computer belongs to are processed next.
Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects
tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is
processed last, and therefore has the highest precedence.
3:- Domain-processing of multiple domain-linked GPOs is in the order specified by the administrator,
on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is
processed last, and therefore has the highest precedence.

4:- Organizational units-GPOs that are linked to the organizational unit that is highest in the Active
Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and
so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer
are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can
be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is
specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in
GPMC. The GPO with the lowest link order is processed last, and therefore has the highest
precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational
unit of which the computer or user is a direct member are processed last, which overwrites settings in
the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are
merely aggregated.)
 Name a few benefits of using GPMC.

Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing
innovation in Group Policy management. The tool provides control over Group Policy in the following
manner:
 Easy administration of all GPOs across the entire Active Directory Forest
 View of all GPOs in one single list
 Reporting of GPO settings, security, filters, delegation, etc.
 Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
 Delegation model
 Backup and restore of GPOs
 Migration of GPOs across different domains and forests

With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is
needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when
you want to protect the GPOs from the following:
 Role based delegation of GPO management
 Being edited in production, potentially causing damage to desktops and servers
 Forgetting to back up a GPO after it has been modified
 Change management of each modification to every GPO
 How can you determine what GPO was and was not applied for a user? Name a few ways to
do that.

Simply use the Group Policy Management Console created by MS for that very purpose, allows you to
run simulated policies on computers or users to determine what policies are enforced. Link in sources
 What are administrative templates?
 Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised
management of machines and users in an Active Directory environment.

Administrative Templates facilitate the management of registry-based policy. An ADM file is used to
describe both the user interface presented to the Group Policy administrator and the registry keys
that should be updated on the target machines. An ADM file is a text file with a specific syntax which
describes both the interface and the registry values which will be changed if the policy is enabled or
disabled.

ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2
shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm).
These are merged into a unified “namespace” in GPEdit and presented to the administrator under the
Administrative Templates node (for both machine and user policy).
 What’s the difference between software publishing and assigning?

ANS An administrator can either assign or publish software applications.

Assign Users
The software application is advertised when the user logs on. It is installed when the user clicks on
the software application icon via the start menu, or accesses a file that has been associated with the
software application.

Assign Computers
The software application is advertised and installed when it is safe to do so, such as when the
computer is next restarted.

Publish to users
The software application does not appear on the start menu or desktop. This means the user may not
know that the software is available. The software application is made available via the Add/Remove
Programs option in control panel, or by clicking on a file that has been associated with the application.
Published applications do not reinstall themselves in the event of accidental deletion, and it is not
possible to publish to computers.
 Can I deploy non-MSI software with GPO?

How to create a third-party Microsoft Installer package

http://support.microsoft.com/kb/257718/
 You want to standardize the desktop environments (wallpaper, My Documents, Start
menu, printers etc.) on the computers in one department. How would you do that?

Login on client as Domain Admin user change whatever you need add printers etc go to system-User
profiles copy this user profile to any location by select Everyone in permitted to use after copy
change ntuser.dat to ntuser.man and assgin this path under user profile

DNS:
What is DNS?
DNS stands for Domain Name Space. It translates names into IP addresses and IP
addresses into names.

What are the components of DNS?

DNS Servers
DNS Database
DNS Clients

What is Domain Namespace?

Domain Namespace is a hierarchical structure naming systems shares the same
contagious namespace. Typically domain namespace ends with . (DOT)
For example: in reality anwaryounus.blogspot.com. is the domain space. In which
. (dot) represents as root domain, as a humans we will not put the dot at the end of
the domain namespace because browsers will automatically associate the . (DOT) while
accessing to it.
COM represents as top-level domains
Blogspot represents as second-level domain
Anwaryounus represents as subdomain

What is DNS query?

DNS query is a request for name resolution directed from DNS clients to a DNS
Servers.

What are the Types of DNS queries?

They are 2 types of DNS queries
Iterative. A query is one in which a DNS client allows the DNS servers to give best
possible answer they have. If there is no exact record matches with the queried name
space for the contacted DNS server. It can return the referral of other DNS server
address that can tell you the answer for the query until a time out or error condition is
met.
Recursive. A recursive name queries are made by a DNS client to a local DNS Server.
Local DNS server will look the query in its database and returns the answers for the
queries to the client. If a name query does not have record in his database of local dns
server then it starts iterative query to the DNS servers.
For more information, please visit this page.

What are DNS forwarders?

A forwarder is a dns server to which other dns servers forward DNS queries for
external DNS names to outside that network.

What are the types of forwarders?

There are 2 types of forwarders.
Standard. A standard forwarder can send queries to other DNS servers outside of
network using their root hints that they cannot resolve locally on a network.
Conditional. A conditional forwarder is a DNS server on a network can send queries
to specific DNS servers that are configured.

What is a DNS Zone?

A zone is an area of DNS namespace to which a DNS server can be authoritative.

What are the types of zones?

Primary zone: it is the master copy of the database. If I am hosting a primary zone it
has complete information of namespace and responsible for read/write to its database.
Secondary Zone: it is the read-only copy of the database. Which means it gets the
latest updates from primary zone and acts as fault tolerance.
Stub Zone: Only contains information about other DNS servers.

What is the use of Stub Zone?

Stub zone allows automatic propagations of delegations to DNS servers and simplify
the name resolution instead of DNS servers querying to root hint servers. It holds the
A, NS and SOA records. It helps the name resolution of different name space.
For example, ABC is a company and acquired XYZ Company and trust relationship is
enabled between the domains. the parent ABC DNS server is configured with a stub
zone for its child XYZ zone then all changes made to the child zone DNS server's NS
records would be available to the parent zone.
Please visit this page to know more

What is active directory integrated zones?

An Active directory has DNS database stored as an object.

What are the benefits of Active Directory integrated zones?

These are the below benefits of active directory integrated zones
Multimaster Replication: All domain controllers have the read/write master copy of
DNS database.
Streamline Data Replication: instead of replicating the local database to all domain
controllers. It does the replication of changes.
Secure Dynamic Updates.
Compatible to Secondary Zones: Primary zones that are not integrated with AD, can
be changed as secondary zones.

What is forward lookup?

Forward lookup means it translates a name to its IP address and this is widely used.

What is reverse lookup?

Reverse lookup means it translates an IP address to its name and not always needed.
However usually used to meet the needs of a particular application

What are dynamic updates?

The records are modified manually or updated from the clients that are replicated
securely with AD integrated zones. For example, you have changed an IP address of a
machine. Machine tells the DNS servers of its new IP address. DNS server will quickly
check the database and updates the IP in database if a duplicate IP address does not
exist. If exist, DNS tells machine that IP address is duplicated and used by another
machine in the network.
Dynamics updates can be integrated with network services like DHCP.

What are the common types of DNS records?

A(Host)
record
PTR(Pointer)
SOA)Start of
Authority
SRV (Service
Locator)
NS (Name
Server)
MX(Mail
Exchange)
CNAME(Alia
s)

Group Policy Interview Questions:

What is Group Policy (GP)?

Group Policy is an infrastructure that allows you to implement specific configurations
for users and computers. Group Policy settings are contained in Group Policy objects
(GPOs), which are linked to the following Active Directory service containers: sites,
domains, or organizational units (OUs). The settings within GPOs are then evaluated
by the affected targets, using the hierarchical nature of Active Directory.
Consequently, Group Policy is one of the top reasons to deploy Active Directory
because it allows you to manage user and computer objects.
Group Policy provides the centralized management and configuration of operating
systems, applications, and users' settings in an Active Directory Environment
 What is Group Policy Objects (GPO)?
Group Policy Settings are stored in Group Policy Objects. Group Policy Objects are
collection of settings that are defined for Users and Computers Configuration. Group
Policy object applies to not only users and Client machine, but also members Servers,
Domain Controllers and any windows computers within the scope of the management.

What can you do with Group Policy?

 Manage- Registry based Polices using Administrative Templates
 Assign Scripts
 Redirect folders
 Manage Applications
 Specify Security Options

What are the kinds of Group Policy?

There are two kinds of Group Policy Objects: Local and Non Local Policy Objects
 Local Policy: these are Stored in Individual Computers. only one object is exist and
has subset of settings that are available in Non-Local Policy
 Non Local Policy Objects: Which are stored on a Domain Controller and be applied
from Active Directory Environment. They apply to users and computers on a site or
domain or Organizational unit with which GPO is applied.
Where do Group Policy Objects that exist by default?
By Default, Active Directory is set up, 2 Non Local Policy Objects are created

 Default Domain Policy is linked to the domain, and it affects all users and computers in
the domain (including computers that are domain controllers) through policy
inheritance. For more information
 Default Domain Controllers Policy is linked to the Domain Controllers organizational
unit, and it generally only affects domain controllers, because computer accounts for
domain controllers are kept exclusively in the Domain Controllers organizational unit.
What are User and Computer Policy?
User Policy Settings are stored under User Configuration in Group Policy and they are
obtained when a user logs on.

Computer Policy Settings are stored under Computer Configuration in Group Policy
and they obtained when a computer starts
What is the Order of GP Processing?
1. Local Policy-The unique local Group Policy object on a computer
2. Site Policy
3. Domain Policy
4. Organizational Unit(OU)
Site, Domain and OU are applied as per administratively specified order. This means
Group Policy objects that are linked to the organizational unit that is highest in the
Active Directory hierarchy are processed first, then Group Policy objects that are
 linked to its child organizational unit, and so on. Finally, the Group Policy objects that
are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or
no Group Policy objects can be linked. If several Group Policy objects are linked to an
organizational unit, their processing is synchronous and in an order that is specified by
the administrator.
In this processing order sites are applied first but have the least precedence. OUs are
processed last and have the highest precedence.

What is Group Policy inheritance?

There are several Group Policy options that can alter this default inheritance behavior.
These options include:
 Link Order – the precedence order for GPOs linked to a given container. The GPO link
with Link Order of 1 has highest precedence on that container.
 Block Inheritance – the ability to prevent an OU or domain from inheriting GPOs
from any of its parent container. Note that Enforced GPO links will always be
inherited.
 Enforcement – (previously known as “No Override”) the ability to specify that a GPO
should take precedence over any GPOs that are linked to child containers. Enforcing a
GPO link works by moving that GPO to the end of the processing order.
 Link Status – determines if a given GPO link is processed or not for the container to
which it is linked.

What is group policy in active directory ? What are Group

Policy objects (GPOs)?

Group Policy objects, other than the local Group Policy object, are

virtual objects. The policy setting information of a GPO is actually

stored in two locations: the Group Policy container and the Group

Policy template.

The Group Policy container is an Active Directory container that

stores GPO properties, including information on version, GPO

status, and a list of componentsthat have settings in the GPO.

The Group Policy template is a folder structure within the file

system that stores Administrative Template-based policies,

security settings, script files, and information regarding

applications that are available for Group Policy Software

Installation.

The Group Policy template is located in the system volume folder

(Sysvol) in the Policies subfolder for its domain.

What is the order in which GPOs are applied?

Group Policy settings are processed in the following order:

1.Local Group Policy object : Each computer has exactly one

Group Policy object that is stored locally. This processes for both

computer and user Group Policy processing.

2.Site : Any GPOs that have been linked to the site that the

computer belongs to are processed next. Processing is in the order

that is specified by the administrator, on the Linked Group Policy

Objects tab for the site in Group Policy Management Console

(GPMC). The GPO with the lowest link order is processed last, and

therefore has the highest precedence.

3.Domain: Processing of multiple domain-linked GPOs is in the

order specified by the administrator, on the Linked Group Policy

Objects tab for the domain in GPMC. The GPO with the lowest link

order is processed last, and therefore has the highest precedence.

4.Organizational units : GPOs that are linked to the organizational

unit that is highest in the Active Directory hierarchy are processed

first, then POs that are linked to its child organizational unit, and so

on. Finally, the GPOs that are linked to the organizational unit that

contains the user or computer are processed.

At the level of each organizational unit in the Active

Directory hierarchy, one, many, or no GPOs can be linked. If

several GPOs are linked to an organizational unit, their processing

is in the order that is specified by the administrator, on the Linked

Group Policy Objects tab for the organizational unit in GPMC.

The GPO with the lowest link order is processed last, and therefore

has the highest precedence.

This order means that the local GPO is processed first, and GPOs

that are linked to the organizational unit of which the computer or

user is a direct member are processed last, which

overwrites settings in the earlier GPOs if there are conflicts. (If

there are no conflicts, then the earlier and later settings are merely

aggregated.)
How to backup/restore Group Policy objects?

Begin the process by logging on to a Windows Server 2008 domain

controller, and opening the Group Policy Management console.

Now, navigate through the console tree to Group Policy

Management | Forest: | Domains | | Group Policy Objects.

When you do, the details pane should display all of the group policy

objects that are associated with the domain. In Figure A there are

only two group policy objects, but in a production environment you

may have many more. The Group Policy Objects container stores all

of the group policy objects for the domain.

Now, right-click on the Group Policy Objects container, and choose

the Back Up All command from the shortcut menu. When you do,

Windows will open the Back Up Group Policy Object dialog box.

As you can see in Figure B, this dialog box requires you to provide

the path to which you want to store the backup files. You can either

store the backups in a dedicated folder on a local drive, or you can

place them in a folder on a mapped network drive. The dialog box

also contains a Description field that you can use to provide a

description of the backup that you are creating.

You must provide the path to which you want to store your backup

of the group policy objects.

To initiate the backup process, just click the Back Up button. When

the backup process completes, you should see a dialog box that

tells you how many group policy objects were successfully backed

up. Click OK to close the dialog box, and you’re all done.

When it comes to restoring a backup of any Group Policy Object,

you have two options. The first option is to right-click on the Group

Policy Object, and choose the Restore From Backup command from

the shortcut menu. When you do this, Windows will remove all of

the individual settings from the Group Policy Object, and then

implement the settings found in the backup.

Your other option is to right-click on the Group Policy Object you

want to restore, and choose the Import Settings option. This option

works more like a merge than a restore.

Any settings that presently reside within the Group Policy Object

are retained unless there is a contradictory settings within the file

that is being imported.

You want to standardize the desktop environments

(wallpaper, My Documents, Start menu, printers etc.) on

the computers in one department. How would you do that?

go to Start->programs->Administrative tools->Active

Directory Users andComputers

Right Click on Domain->click on preoperties

On New windows Click on Group Policy

Select Default Policy->click on Edit

on group Policy console

go to User Configuration->Administrative Template->Start menu

and Taskbar

Select each property you want to modify and do the same

What’s the difference between software publishing and

assigning?

Assign Users :The software application is advertised when the user

logs on. It is installed when the user clicks on the software

application icon via the start menu, or accesses a file that has been

associated with the software application.

Assign Computers :The software application is advertised and

installed when it is safe to do so, such as when the computer is next

restarted.

Publish to users : The software application does not appear on the

start menu or desktop. This means the user may not know that the

software is available. The software application is made available via

the Add/Remove Programs option in control panel, or by clicking on

a file that has been associated with the application. Published

applications do not reinstall themselves in the event of accidental

deletion, and it is not possible to publish to computers.

What are administrative templates?

Administrative Templates are a feature of Group Policy, a

Microsoft technology for centralized management of machines and

users in an Active Directory environment. Administrative Templates

facilitate the management of registry-based policy. An ADM file is

used to describe both the user interface presented to the Group

Policy administrator and the registry keys that should be updated

on the target machines.

An ADM file is a text file with a specific syntax which describes

both the interface and the registry values which will be changed if

the policy is enabled or disabled.

ADM files are consumed by the Group Policy Object Editor

(GPEdit). Windows XP Service Pack 2 shipped with five ADM files

(system.adm, inetres.adm, wmplayer.adm, conf.adm and

wuau.adm). These are merged into a unified “namespace” in

GPEdit and presented to the administrator under the

Administrative Templates node (for both machine and user policy).

Can I deploy non-MSI software with GPO?

create the fiile in .zap extension.

Name some GPO settings in the computer and user parts?

Group Policy Object (GPO) computer=Computer Configuration,

User=User ConfigurationName some GPO settings in the computer

and user parts.

A user claims he did not receive a GPO, yet his user and

computer accounts are in the right OU, and everyone else

there gets the GPO. What will you look for?

make sure user not be member of loopback policy as in loopback

policy it doesn’t affect user settings only computer policy will

applicable. if he is member of gpo filter grp or not?

You may also want to check the computers event logs. If you find

event ID 1085 then you may want to download the patch to fix this

and reboot the computer.

How can I override blocking of inheritance?

What can I do to prevent inheritance from above?

Name a few benefits of using GPMC.

How frequently is the client policy refreshed?

90 minutes give or take.

Where is secedit ?

It’s now gpupdate.

What can be restricted on Windows Server 2003 that wasn’t

there in previous products?

Group Policy in Windows Server 2003 determines a user’s right to

modify network and dial-up TCP/IP properties. Users may be

selectively restricted from modifying their IP address and other

network configuration parameters.

You want to create a new group policy but do not wish to

inherit.

Make sure you check Block inheritance among the options when

creating the policy.

How does the Group Policy ‘No Override’ and ‘Block

Inheritance’ work ?

Group Policies can be applied at multiple levels (Sites, domains,

organizational Units) and multiple GP’s for each level. Obviously it

may be that some policy settings conflict hence the application

order of Site – Domain – Organization Unit and within each layer

you set order for all defined policies but you may want to force

some polices to never be overridden (No Override) and you may

want some containers to not inherit settings from a parent

container (Block Inheritance).

A good definition of each is as follows:

No Override – This prevents child containers from overriding

policies set at higher levels

Block Inheritance – Stops containers inheriting policies from parent

containers

No Override takes precedence over Block Inheritance so if a child

container has Block Inheritance set but on the parent a group

policy has No Override set then it will get applied.

Also the highest No Override takes precedence over lower No

Override’s set.

To block inheritance perform the following:

1. Start the Active Directory Users and Computer snap-in (Start –

Programs – Administrative Tools – Active Directory Users and

Computers)

2. Right click on the container you wish to stop inheriting settings

from its parent and select

3. Select the ‘Group Policy’ tab

4. Check the ‘Block Policy inheritance’ option

5. Click Apply then OK

To set a policy to never be overridden perform the following:

1. Start the Active Directory Users and Computer snap-in (Start – –

Administrative Tools – Active Directory Users and Computers)

2. Right click on the container you wish to set a Group Policy to not

be overridden and select Properties

3. Select the ‘Group Policy’ tab

4. Click Options

5. Check the ‘No Override’ option

6. Click OK

7. Click Apply then OK

Q. What is loop back processing?

A. Group Policy loop back processing can be used to alter the application of

GPOs to a user by including GPOs based on the location of the computer object.

The typical way to use loop back processing is to apply GPOs that depend on

the computer to which the user logs on.

Q. Where is the local Security Policy stored?

A. The security database in Windows 2000 had a specific table to store local

security policy settings. This approach was changed in Windows XP and

Windows Server 2003. Local security policy settings are written directly to

their respective locations in the registry.

Q. What are the differences between Group Policy, Registry-based policy, and
Security policy?
A. Group Policy is an infrastructure in which IT administrators can implement
standard computing environments for groups of users and computers and
includes both Registry-based and Security Policy. Registry-based policy is one
of the many features of Group Policy that uses Administrative templates to
modify the registry settings for policy-enabled components included in
Windows. Security Policy, another feature delivered by Group Policy, includes a
variety of security-related settings for Microsoft Windows.

Q. Are the new Windows Vista features of GPMC available in an update to the
current version of GPMC?
A. You can join a Windows Vista workstation to your existing domains in order
to benefit from the new features in GPMC. GPMC is integrated directly into the
Windows Vista operating system (Business, Enterprise, and Ultimate versions
only) and is the standard tool for managing Group Policy along with Group
Policy Object Editor. New Windows Vista features are not included in the
current version of GPMC, downloadable from the Microsoft Download Center.

Q. Is there a maximum number of Group Policy objects that I can store in a

domain?
A. Creating a Group Policy object will create a Group Policy container object,
stored in Active Directory, and a Group Policy template, stored on the Sysvol of
the domain controller. Both are limited only to the amount of free disk space.

Q. What is the maximum number of Group Policy objects a user or computer

can process?
A. A user or computer cannot process more than 999 Group Policy objects.
Windows Vista writes a Windows-GroupPolicy error event with an event ID of
1088 to the system event log when a user or computer attempts to process
more than 999 Group Policy objects.

Q. Can I apply a Group Policy object directly to a security group?

A. You cannot apply a Group Policy object directly to a security group.
However, you can use security filtering to refine which users or computers will
receive and apply Group Policy settings. The Group Policy Management
Console (GPMC) is the tool to manage security filtering. For more information
about security filtering, see the Core Group Policy Technical Reference.

Q. What tools do I use to manage Group Policy?

A. Microsoft provides two management consoles to administer Group Policy.
The Group Policy Management Console (GPMC) consists of a Microsoft
Management Console (MMC) snap-in and a set of scriptable interfaces for
managing Group Policy objects (but not Group Policy settings). Group Policy
Object Editor, also a Microsoft Management Console, is used to edit the
individual settings contained within each Group Policy object.

Q. How often is Group Policy applied and how do you change it?
A. Group Policy for computers is triggered at computer startup. For users,
Group Policy is triggered when they log on. Versions of Windows before
Windows XP as well as Windows Server 2003 use synchronous processing,
meaning that computer Group Policy is completed before the logon dialog box
is presented. User Group Policy is completed before the shell is active and
available for the user to interact with it. Windows XP defaults to asynchronous
policy processing. By default, Group Policy is refreshed every 90 minutes with
a randomized delay of up to 30 minutes, for a total maximum refresh interval of
up to 120 minutes. This interval can be changed using the computer policy
setting Group Policy refresh interval for Computer located in the Computer
Configuration\Administrative Templates\System\Group Policy namespace. The
processing of Group Policy is explained in the Core Group Policy Technical
Reference.

Q. How long does it take to process policy settings?

A. Under synchronous processing, there is a time limit of 60 minutes for all of
Group Policy to finish processing on the client computer. Any client side
extensions (CSE) that are not finished after 60 minutes are signaled to stop, in
which case the associated policy settings might not be fully applied.

Q. What is processed under slow link behavior?

A. Administrative Templates and Security Settings are applied over a slow link
and the behavior cannot be changed. By default, Software Installation, Scripts,
and Folder Redirection will not process over a slow link. You can change the
default Policy process behavior for these client side extensions using Group
Policy Object Editor. These settings are located at Computer Configuration\
Administrative Templates\System\Group Policy.

Q. What is Security Policy?

A. Security policies are rules that administrators configure on a computer or
multiple computers for protecting resources on a computer or network. The
Security Settings extension of the Group Policy Object Editor snap-in allows
you to define security configurations as part of a Group Policy object (GPO).
The GPOs are linked to Active Directory containers such as sites, domains, or
organizational units, and enable administrators to manage security settings for
multiple computers from any computer joined to the domain. Security settings
policies are used as part of your overall security implementation to help secure
domain controllers, servers, clients, and other resources in your organization.

2. Group policy is not applying to all clients. Step by step to solve the issue?
 Ans. A) Check Active Directory Users and Computers to see what site, domain, and OU the user and
the computer are in.
B) In GPMC, expand the Active Directory containers that contain the affected client. In the navigation
pane, scan the list of GPOs for each container for disabled links.
C) GPOs are filtered according to the Active Directory groups that the users and computers belong to.
The Active Directory objects in which you place your Active Directory groups and the ways you group
users or computers affect how GPOs can be distributed and applied.
D) Active Directory and FRS replication lag can affect either part of the GPO.
E)If you have an OU that contains other OUs and you remove Read permissions to the parent OU,
then no policy will be processed by computers or users in that OU hierarchy.
F) If there are conflicting settings in the GPOs that apply to the client, they are resolved according to
the Group Policy inheritance rules.

Adding a User or Computer to an OU

When a user or computer is added to an OU, two things need to happen before the GPOs that the new
OU links to are applied to the client:

 The new OU assignment must be replicated to the client’s domain controller.

 After the replication is complete, you must either log off and log back on again if the user account
moved to the new OU, or restart the computer if the computer moved to the new OU.

6. Can we apply group policy to Groups?

Ans.Yes.But we can’t link any GPO to groups or users.GPO can be linked to sites, domain, domain
controller, OU.Groups and users are getting group policies because they can become a member of an
OU, domain…….

Q: – What’s the difference between local, global and universal groups?

Domain local groups assign access permissions to global domain groups for local domain resources.
Global groups provide access to resources in other trusted domains. Universal groups grant access to
resources in all trusted domains.
Q: -I am trying to create a new universal user group. Why can’t I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode
requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
Q: -What is LSDOU?
It’s group policy inheritance model, where the policies are applied to Local machines, Sites, Domains
and Organizational Units.
Q: – Why doesn’t LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
Q: -Where are group policies stored?
%SystemRoot%System32GroupPolicy
Q: -What is GPT and GPC?
Group policy template and group policy container.
Q: – Where is GPT stored?
%SystemRoot%SYSVOLsysvoldomainnamePoliciesGUID
Q: – You change the group policies, and now the computer and user settings are in conflict.
Which one has the highest priority?
The computer settings take priority.
Q: -You want to set up remote installation procedure, but do not want the user to gain
access over it. What do you do?
gponame–> User Configuration–> Windows Settings–> Remote Installation Services–> Choice
Options is your friend.
Q: – What’s contained in administrative template conf.adm?
Microsoft NetMeeting policies
Q: -How can you restrict running certain applications on a machine?
Via group policy, security settings for the group, then Software Restriction Policies.
Q: -You need to automatically install an app, but MSI file is not available. What do you do?
.zap text file can be used to add applications using the Software Installer, rather than the Windows
Installer.
Q: – What’s the difference between Software Installer and Windows Installer?
The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.
Q: -What can be restricted on Windows Server 2003 that wasn’t there in previous products?
Group Policy in Windows Server 2003 determines a users right to modify network and dial-up TCP/IP
properties. Users may be selectively restricted from modifying their IP address and other network
configuration parameters.
Q: -How frequently is the client policy refreshed?
90 minutes give or take.
Q: – Where is secedit?
It’s now gpupdate.
Q: -You want to create a new group policy but do not wish to inherit.
Make sure you check Block inheritance among the options when creating the policy.
Q: -What is “tattooing” the Registry?
The user can view and modify user preferences that are not stored in maintained portions of the
Registry. If the group policy is removed or changed, the user preference will persist in the Registry.
Q: – How do you fight tattooing in NT/2000 installations?
You can’t.
Q: -How do you fight tattooing in 2003 installations?
User Configuration – Administrative Templates – System – Group Policy – enable – Enforce Show
Policies Only.
Q: -What does IntelliMirror do?
It helps to reconcile desktop settings, applications, and stored files for users, particularly those who
move between workstations or those who must periodically work offline.
Q: – What’s the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides
extensive permission control on both remote and local files.
Q: – How do FAT and NTFS differ in approach to user shares?
They don’t, both have support for sharing.
Q: -Explain the List Folder Contents permission on the folder in NTFS.
Same as Read & Execute, but not inherited by files within a folder. However, newly created
subfolders will inherit this permission.
Q: – I have a file to which the user has access, but he has no folder permission to read it.
Can he access it?
It is possible for a user to navigate to a file for which he does not have folder permission. This
involves simply knowing the path of the file object. Even if the user can’t drill down the file/folder
tree using My Computer, he can still gain access to the file using the Universal Naming Convention
(UNC). The best way to start would be to type the full path of a file into Run… window.
Q: – For a user in several groups, are Allow permissions restrictive or permissive?
Permissive, if at least one group has Allow permission for the file/folder, user will have the same
permission.
Q: -For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive, if at least one group has Deny permission for the file/folder, user will be denied access,
regardless of other group permissions.
Q: – What hidden shares exist on Windows Server 2003 installation?
Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
Q: - What’s the difference between standalone and fault-tolerant DFS (Distributed File
System) installations?
The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared
folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared
resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is
replicated to other domain controllers. Thus, redundant root nodes may include multiple connections
to the same data residing in different shared folders.
Q: -We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box.
Use the UNC path, not client, only 2000 and 2003 clients can access Server 2003 fault-tolerant
shares.
Q: – Where exactly do fault-tolerant DFS shares store information in Active Directory?
In Partition Knowledge Table, which is then replicated to other domain controllers.
Q: -What problems can you have with DFS installed?
Two users opening the redundant copies of the file at the same time, with no file-locking involved in
DFS, changing the contents and then saving. Only one file will be propagated through DFS.
Q: – I run Microsoft Cluster Server and cannot install fault-tolerant DFS.
Yeah, you can’t. Install a standalone one.
Q: -Is Kerberos encryption symmetric or asymmetric?
Symmetric.
Q: -How does Windows 2003 Server try to prevent a middle-man attack on encrypted line?
Time stamp is attached to the initial client request, encrypted with the shared key.
Q: – What hashing algorithms are used in Windows 2003 Server?
RSA Data Security’s Message Digest 5 (MD5), produces a 128-bit hash, and the Secure Hash
Algorithm 1 (SHA-1), produces a 160-bit hash.
Q: – What third-party certificate exchange protocols are used by Windows 2003 Server?
Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate
response to exchange CA certificates with third-party certificate authorities.

Q: -What’s the number of permitted unsuccessful logons on Administrator account?

Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of the
Administrators group.
Q: – If hashing is one-way function and Windows Server uses hashing for storing passwords,
how is it possible to attack the password lists, specifically the ones using NTLMv1?
A cracker would launch a dictionary attack by hashing every imaginable term used for password and
then compare the hashes.
Q: -What’s the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.
Q: -How many passwords by default are remembered when you check “Enforce Password
History Remembered”?
User’s last 6 passwords.

Hyper V:

How Microsoft virtual server manages the virtualization platform?

Microsoft virtual server provides virtualization platform that allows the creation of virtual machine
using a windows operating system. It is developed by Connectix. This platform provides the provision
to create and manage the virtual machines using IIS web based interface that keeps all the settings
and configuration at one place. It also allows the management of network configuration for
communicating with host operating system or other guest operating systems.

What are the features provided in Microsoft Virtual Server?

Microsoft Virtual server includes the following features:

• It includes the support for Linux guest operating system.
• It includes Virtual Disk pre-compactor tool that prepares the disk for compacting.
• It includes SMP (Symmetric multiprocessing) for the host operating system.
• It includes the mounting feature for virtual hard drives on host operating system that enables
backups to be taken.
• It includes the tool to mount VHD images.

What are the limitations of Microsoft Virtual server?

The limitations of Microsoft Virtual server includes:

• It doesn't support 64 bit processors and can't run 64 bit guests.
• It uses SMP but doesn't have virtualization in it.
• It has limitation for guest users to use not more than one CPU.
• It decreases the performance of the system as the instruction set also get virtualized which
increases the overhead on the application.
• It has very limited interaction with the host hardware.
Why Hyper-V Server of Microsoft is getting used?

Hyper-V server is a hypervisor that doesn't require any other operating system to run on. It is a good
platform for organizations that needs one consolidated single server. This is used where the
infrastructure work load is not high. It provides host clustering to produce high availability for virtual
machines. Hyper-V server provides added functionalities like managing, creating and distributing the
virtual machines. It provides flexible and cost effective solutions for enterprise organizations.

What are the challenges faced by remote site virtualization?

Remote site virtualization provides server virtualization and need for remote management for the
virtual machines. It is provided due to limited resources that might not exist. The main challenge is to
apply the server consolidations. Each server is using dedicative service functions and small servers
and not using multiple servers. If single server approach is being given then there will be less power
requirements, space requirements and only one server to manage and backup that will make it prone
to fail and reduce the efficiency.

Why Microsoft Virtual Servers are used?

Microsoft Virtual server is used to access the network application resource that is in a non-clustered
environment. In this clients connected to network must remain connected in case of any failure in
network access to the application and resources get lost or the connection becomes unavailable.
Microsoft Virtual server allows creation of virtual servers. These virtual servers don’t belong to any
particular computer and can be damaged within a group too. The server is used to identify a group
that belongs or communicating with each other in the form of IP addresses.

What are the similarities between the Virtual server and physical server?

The virtual server provided by Microsoft and physical server has few things common in between them
and these are as follows:

• Both allow access to network resources that has to be shared between two computers.
• Both publish the resources to the network clients under a unique server name.
• Both are under same network name and IP address range.
• Both are used to provide same communication option.
• Both provide the same networking modes of operations through which clients can communicate
with each other.

What is the authentication protocol that is used for Microsoft virtual

servers?

Kerberos is the authentication protocol that is being used by virtual servers. It maintains an active
directory computer object that is involved in clustering. This provides the client security and easy to
use features. It provides the provision of message queuing on a virtual server and allows the clients
to publish the information to other computer systems. It provides clustering as well and by
configuring its properties more options can be found out to be used.

What are the limitations of Kerberos protocol?

The limitations of Kerberos protocol that is being used by the Microsoft virtual server are as follows:

• There is no provision to apply group policies to virtual server. This means that there is no provision
to apply policies on the applications that are running on virtual server. Virtual server object can't
define group policies using this protocol.
• Kerberos protocol provides clustering option but it is limited to a certain server computer object.
This object is being managed by active directory by default.
• There is no provision to rename a network name resource and change the configuration of kerberos
authentication at same time. As the actions will be performed the changes will automatically be
reflected on it.

What are the benefits involved in virtual server host clustering?

The benefits that are involved in virtual server host clustering are as follows:
• Server consolidation: allow virtual servers to consolidate multiple servers into one that will be easy
to track and maintain virtual machines at one server together.
• Increased availability: virtual server host clustering increases the availability of consolidated server
due to which if any failure occurs then another server can take up the job that is being served by the
first server. The effect of failure is kept to minimum by providing risk management systems.

What is the difference between Host and Guest clustering?

• Host clustering keeps the physical host as cluster node and if host stops performing then the
processes can be given to another host to run, whereas guest clustering keeps the guest as cluster
node and if guest stops working then it will fail all other guest that are connected with it.

• Host clustering protects from failure of the computer that is crashed, whereas guest clustering
doesn't provide protection from failure.

What is the difference between Host clustering and standard clustering?

• Host clustering protects system from failure due to the fact that guests are configured as clustered
resource group and I consists of generic script resource, whereas standard clustering provide
automatic checks to discover the cause of the failure and recover from it.

• Host clustering doesn't monitor the cluster services, whereas standard clustering monitors the
failure.

What are the steps to be taken to secure Microsoft virtual server?

To secure Microsoft the virtual server the steps that are required are as follows:
• The configuration file of virtual server services has to be secured
• Individual files that contains the configuration files and resources that are associated with the
virtual server has to be secured
• IIS (Internet information services) has to be secured with the administration website to secure the
virtual platform and the virtual machines.
• Virtual server is configured securely such as the security breaches are lower in number as it only
allows those members that are directly associated with the local administrators. The permissions are
given to those who are associated with it. Virtual network configuration file has to be secured to save
the further transmission over the web and between different systems.

What is the process of creating a virtual network?

To create a virtual network virtual machines are required that has to be configured for the accessing.
Virtual network is supported by virtual server to connect many virtual machines that can be shared
with many computers in the network. Virtual network require network adapter to be configured and
installed to a physical computer, this way any computer can access the resources from any other
computer. Virtual server uses DHCP server to dynamically assign the IP address to the computer
systems so that they can connect with other systems. Virtual server in this case has virtual DHCP that
allows system to be uniquely identified.
Multiple Virtual network can be configured on a single network adapter by creating and associating
the virtual network with a network adapter. After the steps virtual machines can be added to the
virtual network of host operating system.

Define Virtual server architecture.

Virtual server consists of virtual network that in turn consists of virtual machines. It allows traffic to
be isolated in virtual network while communicating with the host operating system. It allows the
handling of network devices by virtual machine network service driver. This virtual machine network
service driver come with the virtual server setup that is being performed on the host operating
system. The main function of the network driver is to monitor the traffic and the routing packets. The
virtual network can have several options defined like:
• It is not attached to physical network adapter: it has its own private network with its own DHCP
server.
• It can attach to dedicated physical network adapter: in this case the virtual machines don’t have the
permission to read, monitor or capture the host operating system.
• More than one network can attach to same physical network adapter: in this virtual machines can
read, monitor and capture the inbound network traffic.
• Virtual machines are attached to same virtual network: same case above but in this they can
perform the actions on the other virtual machines that are attached to the one.

Q. What is virtual machine technology?

A. Virtual machine technology applies to both server and client hardware. Virtual machine technology
enables multiple operating systems to run concurrently on a single machine. In particular, Hyper-V, a
key feature of Windows Server 2008 R2, enables one or more operating systems to run
simultaneously on the same physical system. Today, many operating systems are supported by Virtual
PC 2007, Virtual Server 2005, and Hyper-V.

Q. What is virtual machine technology used for?

A. Virtual machine technology serves a variety of purposes. It enables hardware consolidation,

because multiple operating systems can run on one computer. Key applications for virtual machine
technology include cross-platform integration as well as the following:

Server consolidation. If several servers run applications that consume only a fraction of the available
resources, virtual machine technology can be used to enable them to run side by side on a single
server, even if they require different versions of the operating system or middleware.
Consolidation for development and testing environments. Each virtual machine acts as a separate
environment, which reduces risk and enables developers to quickly recreate different operating
system configurations or compare versions of applications designed for different operating systems.
In addition, a developer can test early development versions of an application in a virtual machine
without fear of destabilizing the system for other users.

Legacy application re-hosting. Legacy operating systems and applications can run on new hardware
along with more recent operating systems and applications.

Simplify disaster and recovery. Virtual machine technology can be used as part of a disaster and
recovery plan that requires application portability and flexibility across hardware platforms.

Moving to a dynamic datacenter. Hyper-V, along with systems management solutions, helps you to
now create a dynamic IT environment that not only enables you to react to problems more efficiently
but also to create a proactive and self-managing IT management solution.

Q. What is Microsoft's strategy for virtualization?

A. Our goal is to help customers make their IT systems more self-managing and dynamic so that they
can gain more control of their IT systems, and enable their businesses to respond faster and stay
ahead of the competition. We're doing this by:

Providing a complete set of virtualization products that span from the desktop to the datacenter

Helping manage all IT assets—both physical and virtual—from a single platform

We are making broad investments—in the areas of the platform, management, applications,
interoperability, and licensing, and working to enable customers to take advantage of their existing
platform investments, utilize their existing support skills and infrastructure, and to reduce costs
associated with implementing virtualized environments.

HYPER-V

Q. What is Hyper-V?

A. Hyper-V, previously codenamed Viridian, is a hypervisor-based technology that is a key feature of

Windows Server 2008 R2. It provides a scalable, reliable, and highly available virtualization platform.
It is part of Microsoft's ongoing effort to provide our customers and partners with the best operating
system platform for virtualization.

Q. What is Windows hypervisor?

A. A core component of Hyper-V, Windows hypervisor is a thin layer of software between the
hardware and the OS that allows multiple operating systems to run, unmodified, on a host computer
at the same time. It provides simple partitioning functionality and is responsible for maintaining
strong isolation between partitions. It has an inherently secure architecture with minimal attack
surface, as it does not contain any third-party device drivers.

Q. What benefits does Hyper-V offer customers?

A. Hyper-V provides customers an ideal platform for key virtualization scenarios, such as production
server consolidation, business continuity management, software test and development, and
development of a dynamic datacenter.

Hyper-V provides key functionality, which an ideal virtualization platform should provide—scalability,
high performance, reliability, security, flexibility, and manageability. It provides scalability and high
performance by supporting features like guest multi-processing support and 64-bit guest and host
support; reliability and security through its hypervisor architecture; flexibility and manageability by
supporting features like quick migration of virtual machines from one physical host to another, and
integration with System Center Virtual Machine Manager.

Q. Will Microsoft continue to support Linux operating systems with Hyper-V?

A. Yes, Microsoft provides integration components and technical support for customers running
select Linux distributions as guest operating systems within Hyper-V. Please check the Supported
Guest Operating Systems page for more information and updates.

Q. Can you provide a brief overview of Hyper-V's feature set?

A. Some of the capabilities of Hyper-V include x64 host and guest support, ability to run guest
machines in a multi-processor environment, large memory allocation per virtual machine, integrated
virtual switch support, and ability to migrate virtual machines across hosts with minimal downtime.
With the R2 release of Hyper-V, Live Migration, new processor support, and dynamic virtual machine
capabilities were added.
Q. How will customers migrate to Hyper-V?

A. Customers who invest in the .vhd file format—the format used by Virtual Server, as well as a
multitude of vendor licensees—will have a clear path forward to Hyper-V. Customers can leverage
V2V capabilities in System Center Virtual Machine Manager to conveniently migrate from Virtual
Server or VMware to Hyper-V or work with Microsoft's partners who provide migration solutions.

Q. Are there tools available to assist in planning for Hyper-V migration?

A. Yes, the Microsoft Assessment and Planning (MAP) Toolkit helps you plan for Hyper-V migration by
determining which of your physical servers are underutilized and, therefore, good candidates for
server virtualization.

HYPER-V — WINDOWS SERVER 2008 R2 SPECIFIC

Q. How do users access the Hyper-V?

A.Users can go to Server Manager and install the Hyper-V role. After the Hyper-V role is enabled,
Hyper-V Manager will become available as a part of Administrative Tools. From the Hyper-V Manager
users can easily create and configure virtual machines.

Q. Does Microsoft provide technical support for Hyper-V?

A. Yes, technical support for Hyper-V is part of the support for Windows Server 2008 R2. For more
information on support, please refer to the Windows Server 2008 R2 Support page.

Q. What is the expected performance of Hyper-V? How does it compare to Virtual Server? How does
it compare to ESX server?

A. We are not publishing performance numbers currently. Based on independent reports and
benchmarks from partners like QLogic, we believe that we have a competitive virtualization offering.

Q. What is the list of guests that will be supported on Hyper-V? When can we expect support for key
operating systems like Windows Vista, Windows XP, Linux, etc.?
A. Microsoft supports a number of guest OS environments including Windows Server 2008 R2,
Windows Server 2008, Windows Server 2003, Windows 2000 Server, Windows 7, Windows Vista,
Windows XP and Novell SUSE.

Q. What are the differences between Hyper-V and Virtual Server?

A. Microsoft Virtual Server 2005 R2 is the current server virtualization solution from Microsoft and
is based on a hosted virtualization platform. Hyper-V, a key feature of Windows Server 2008 R2, is a
hypervisor-based virtualization platform that will enable customers to not only consolidate a vast
array of workloads but also enable moving toward a dynamic IT environment. Core feature set
differences include support for 64 guest virtual machines, SMP support, performance improvements,
and other key features in Hyper-V.

LICENSING INFORMATION

Q. How do I know which Windows Server 2008 R2 features or services I am allowed to run on the
host without requiring CALs?

A. When using Windows Server 2008 R2 and Hyper-V to run virtual machines with older versions of
Windows Server, Windows Server 2008 CALs will not be required in certain scenarios.

When the Host OS is only running services related to virtualization, such as Hyper-V and Failover
Clustering, then Windows Server 2008 CALs are not required.

If the Guest OS is Windows Server 2008, or if the Windows Server 2008 host, installs other services,
then Windows Server 2008 CALs would still be required.

Q. What are the licensing considerations in a virtual machine environment?

A. It is important to understand your licensing rights and obligations when running Microsoft
Windows Server and/or other Microsoft applications in a virtual machine environment.

In addition, it's good to understand the licensing terms offered by independent software vendors
(ISVs) for any software provided by those vendors. For more information on licensing considerations
in these cases, you should consult with your ISV.
Q. Does running Windows NT in a virtual machine mean that Microsoft is extending its support for
the product?

A. No. While you may receive benefit from moving the applications from physical hardware to virtual
machines, running applications in a virtual environment does not extend their support life cycles. For
more information about the support life-cycle timeframes.

TECHNICAL INFORMATION

Q. What are the system requirements for Hyper-V?

A. In addition to the systems requirement for Windows Server 2008 R2, the two key requirements for
the Hyper-V platform are the need to ensure that the server is a 64-bit environment and supports
hardware-assisted virtualization (Intel VT or AMD-V) technology.

Q. How many virtual machines can run per processor?

A. The number of virtual machines running per host depends on many factors, including physical
memory, processor, and workload running in the guest. With Hyper-V, you define the amount of
memory available to a virtual machine, and that memory allocation can be altered to reflect the needs
of the virtual machine.

Q. Does Hyper-V support 64-bit processors?

A. Hyper-V runs on a 64-bit (x64) server platform and requires support of either AMD64 or Intel IA-
32e/EM64T (x64) processors with hardware-assisted virtualization support. Note that Hyper-V does
not support Itanium (IA-64) processors. For the virtual machines, Hyper-V supports both 32-bit and
64-bit systems as guest OSes.

Q. Does Hyper-V support symmetric multiprocessing (SMP) in the virtual machine environment?
A. Hyper-V supports both uniprocessor and multiprocessor configurations in the virtual machine
environment.

SETUP AND REQUIREMENTS

Q. What are the prerequisites to install and use Hyper-V?

A. In addition to the system requirements for Windows Server 2008 R2 as described in the release
notes, a 64-bit system with hardware-assisted virtualization enabled and data execution prevention
(DEP) is required. It is also recommended to ensure that you have a clean install of x64 edition of
Windows Server 2008 R2 to be able to use the Hyper-V technology.

IIS

What is the Role of IIS?

Visual studio has ASP.NET Engine which is capable to
run Asp.net web application. So we just click on Run button to start the
application.
IIS provides a redesigned WWW architecture which can help you achieve
better performance, scalability, reliability and security for our Web sites. IIS
supports following Protocol HTTP/HTTPS, FTP, FTPS, SMTP Etc. We need
to host the site on IIS, when request comes from client it first hits the IIS
Server, then the server passed it to ASP.NET worker process to execute.
Then the response also passes to client via IIS itself. Note only Hosting of
Site we can create our FTP Server, SMTP Server using IIS itself. There are
different version of IIS available like 5.1, 6.0, 7.0 etc

What is the different version on IIS that you have worked on?
Before answering this question you need to know what
are the different IIS version is available in different OS. Below is the list of
IIS version with different Operating system.

Windows Server 2008 – Windows Vista – Home Premium/ Ultimate – IIS 7.0
Windows Server 2003 – IIS 6.0
Windows XP Professional – IIS 5.1
 Now based on your working experience you can say that
you have worked on IIS 5.1 and 6.0 or only IIS 7. Etc. Now, the next
question that can asked after answering this question is “what is the
difference between them ? ” – Well I will come with this later.

What is the Role of Http.Sys in IIS?

HTTP.SYS is the kernel level components of IIS. All client requests comes
from client hit the HTTP.Sys of Kernel level. HTTP.SYS then makes a queue
for each and every request for each and individual application pool based on
the request. Whenever we create any application pool IIS automatically
registers the pool with HTTP.SYS to identify the particular during request
processing.

Before Giving the Definition: you can say like this, Concept of
Application pool has from IIS 6.0.
Application pools are used to separate sets of IIS worker
processes that share the same configuration and application boundaries.
Application pools used to isolate our web application for better security,
reliability, and availability and performance and keep running without
impacting each other . The worker process serves as the process boundary
that separates each application pool so that when one worker process or
application is having an issue or recycles, other applications or worker
processes are not affected. One Application Pool can have multiple worker
process Also.

Main Point to Remember:

1. Isolation of Different Web Application
2. Individual worker process for different web application
3. More reliably web application
4. Better Performance

What is the Name of Default Application Pool in IIS?

Though we can create new application pool IIS with different
settings, but IIS having its own default application pool named :
DefaultAppPool.
What are the different types of Identity available in IIS 6.0?
IIS having three different Identities.
1. Local System
2. Local Services
3. Network Services

Name of default Identity of IIS6.0?

Default Identity of IIS 6.0 is Network Services. Which is
having very minimum rights on your system? The user can only have the
read access of the site.

What is Recycling of Application Pool?

Recycling Application pool means recycle the Worker
process (w3wp.exe) and the memory used for the web application. There
are two types of recycling related with Application pool

1. Recycling Worker Process – Predefined Settings

2. Recycling Worker Process – Based on Memory

What are the main layers of IIS Architecture?

IIS having mainly two layers Kernel Mode and User Mode

Below are the subsection of both of them.

1. Kernel Mode
o HTTP.SYS

2. User Mode
o Web Admin Service
o Virtual Directory
o Application Pool

What is the Role of Http.Sys in IIS?

HTTP.SYS is the kernel level components of IIS. All
client requests comes from client hit the HTTP.Sys of Kernel level.
HTTP.SYS then makes a queue for each and every request for each and
individual application pool based on the request. Whenever we create any
application pool IIS automatically registers the pool with HTTP.SYS to
identify the particular during request processing.

What is Web Farm?

When we hosted our web Application on multiple web server under a load
balancer call the Web Farm. This is generally used for heavy load web
application where there are many user requests at a time. So When Web
Application is hosted on Different IIS Server over a load balancer, Load
balancer is responsible for distribute the load on different server.

What is Web Garden?

A Web garden is configured on a single server by specifying multiple worker

processes for an application pool. Web farms use multiple physical servers
for supporting a single Web site.

What is the default Identity of an Application Pool ?

Network Services

What is the available Identity of an Application Pool?

In IIS 6.0 - NetworkServices | LocalService | LocalSystem

In IIS 7.0 - NetworkServices | LocalService | LocalSystem |

ApplicationPoolIdentity
What are the worker process for IIS 5.1 and IIS 6.0 and IIS 7.0?

For IIS 5.1 > aspnet_wp.exe

For IIS 6.0 > w3wp.exe

For IIS 7.0 > w3wp.exe

Types of Authentication available in IIS 6.0 and 7.0

What are the different type of application pool available in IIS 7.0 ?

1. DefaultAppPool (Integrated)

2. ClassicAppPool

Where is the default location for IIS Log files ?

C:\WINDOWS\system32\LogFiles\W3SVC1

What is the use of aspnet_regiis -i command ?

This is used automatically register the .NET Framework with your IIS.
How to check Installed .Net Version on IIS

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322>aspnet_regiis.exe –lv

If there are multiple worker process running on IIS, then how can you
attach a particular worker process for application ?

run cscript iisapi.vbs script to find out the process ID and Application Pool
name . Based on the process Id for particular application I have to attache
the process from Visual studio IDE.

Which Tool is used for Remote IIS Debugging ?

Tools is : msvsmon.exe

This is located at : \Microsoft Visual Studio 8\Common7\IDERemote

Debuggerx86\

IIS Port numbers?

HTTP : 80 (default port for iis), SSL : 443,FTP : 21,SMTP : 25,POP2 :

109,POP3 : 110,IMAP : 143,NNTP : 119,LDAP : 89, DNS : 53,DHCP : 67
IIS Services?

1. www services

2. FTP services

3. SMTP services

4. NNTP services

IIS Application pool ?

Group of web applications are called application pool.

An application pool is a group of one or more URLs that are served by a

worker process or set of worker processes. Any Web directory or virtual
directory can be assigned to an application pool. so that one webiste cannot
be effected by other , if u used seperated application pool.

What is App Pool and App Domain? What is the difference between these
two?

Application Pool is created the each and every website.

Application Domain is created to one domain Purpose.

What is the properties of App Pool in IIS?

1.Recycling
2.Perfomance

3.Health

4.Identity

How do I stop and restart Internet services?

By using the “IISRESET” command

How can I confirm that a server certificate is attached to a Web site?

1.In IIS Manager, right-click the Web site, and click Properties.

2.Click the Directory Security tab.

3.Under Secure communications, if the View Certificate button is activated,

there is a certificate attached to the Web site. If the button is not activated,
you must attach a server certificate to the site to use the Secure Sockets
Layer (SSL) features.

What is the Role of IIS ?

Visual studio having It own ASP.NET Engine which is capable enough to run
Asp.net web application from visual studio. So we just click on Run button
to start the application.

Now this is the scenarios of local environment. But If we want to host it on

server from where all user can access the sites then IIS comes into the
picture.
IIS provides a redesigned WWW architecture that can help you achieve
better performance, reliability, scalability, and security for our Web sites.
IIS can support following Protocol HTTP/HTTPS, FTP, FTPS, SMTP Etc. We
need to host the site on IIS, when request comes from client it first hits the
IIS Server, then the server passed it to ASP.NET worker process to execute.
Then the response also passes to client via IIS itself.

Note only Hosting of Site we can create our FTP Server, SMTP Server using
IIS itself.

There are different version of IIS available like 5.1, 6.0, 7.0 etc

What are the different version on IIS that you have worked on ?

Before answering this question you need to know what are the different IIS
version is available in different OS. Below is the list of IIS version with
different Operating system.

Windows Server 2008 - Windows Vista - Home Premium/ Ultimate - IIS 7.0

Windows Server 2003 - IIS 6.0

Windows XP Professional - IIS 5.1

Now based on your working experience you can say that you have worked
on IIS 5.1 and 6.0 or only IIS 7. Etc.

Now, the next question that can asked after answering this question is
“what is the difference between them ? ” – Well I will come with this later.

What is Application Pool in IIS ?

Before Giving the Definition : you can say like this, Concept of Application
pool has from IIS 6.0 .
Application pools are used to separate sets of IIS worker processes that
share the same configuration and application boundaries. Application pools
used to isolate our web application for better security, reliability, and
availability and performance and keep running with out impacting each
other . The worker process serves as the process boundary that separates
each application pool so that when one worker process or application is
having an issue or recycles, other applications or worker processes are not
affected.

One Application Pool can have multiple worker process Also.

Main Point to Remember:

1. Isolation of Different Web Application

2. Individual worker process for different web application

3. More reliably web application

4. Better Performance

What is the Name of Default Application Pool in IIS ?

Though we can create new application pool IIS with different settings, but
IIS having its own default application pool named : DefaultAppPool

What are the different types of Identity available in IIS 6.0 ?

IIS having three different Identity.

1. Local System

2. Local Services
3. NetworkServices

Name of default Identity of IIS6.0

Default Identity of IIS 6.0 is NetworkServices .

Which is having very minimum rights on your system. The user can only
have the read access of the site.

What is Recycling of Application Pool ?

ecycling Application pool means recycle the Worker process (w3wp.exe )

and the memory used for the web application.

There are two types of recycling related with Application pool

1. Recycling Worker Process - Predefined Settings

2. Recycling Worker Process - Based on Memory

What are the main layers of IIS Architecture ?

IIS having mainly two layer Kernel Mode and User Mode

Below are the subsection of both of them.

1. Kernel Mode

o HTTP.SYS

2. User Mode
o Web Admin Service

o Virtual Directory

o Application Pool

What is the Role of Http.Sys in IIS ?

HTTP.SYS is the kernel level components of IIS. All client request comes
from client hit the HTTP.Sys of Kernel level. HTTP.SYS then makes a queue
for each and every request for each and individual application pool based on
the request.

Whenever we create any application pool IIS automatically registers the

pool with HTTP.SYS to identify the particular during request processing.

What are the different security settings available in IIS ?

Below are the commonly used IIS Security settings

1 Anonymous

2 Integrated Windows Authentication

3. Basic Authentication

4. Digest Authentication

5. Passport Authentication

For Set security permission you need to go to Virtul Directory > Right Click
> Properties > Directory Security
Click on Edit Button .

What is the default authentication settings for IIS ?

Anonymous authentication is the default authentication mode for any site

that is hosted on IIS, and it runs under the "IUSR_[ServerName]" account.

What is web garden ?

By default Each Application Pool runs with a Single Worker Process

(W3Wp.exe). We can assign multiple Worker Process With a Single
Application Pool. An Application Poll with multiple Worker process called
Web Gardens. Each Worker Process Should have there own Thread and
Own Memory space.

Generally its not recommended to use InProc Session mode while we are
using Web Garden.

Where session data stores in case of "In-Proc" Session mode ?

Session data store inside process memory of worker process [ w3wp.exe ] .

How we can create an web garden ?

For creating web graden we need to go to Application Pool, then Right Click
on Application Pool > Properties > Goto Performance Tab

In Web Garden Section, increase the number of worker process. By default

it is 1.

How we can debug a web application which is hosted on IIS ?

We can easily debug any web application that are hosted on IIS by using
Attaching of Worker Process.

From Visual Studio IDE > Tools > Attach To Process

Select the particular Process, then start debugging.

How we can open IIS Configuration manager ?

Just simply Run >inetmgr

Or we can open it from control panel > Administrative tools.

How we can create a Virtual Directory on IIS ?

Open IIS Configuration Manager

First of all Right Click on Default web sites > New > Virtual Directory .

Browse the Physical Path. Set the properites. Click on OK

What are the permission settings are available for Virtual Directory ?

Below are the list of permission that can be set during virtaul directory
creation

1. Read

2. Run Scripts

3. Execute:

4. Write:

5. Browse
What is the folder location for Virtual Directory ?

<Drive>:\inetpub\wwwroot

What is the use of Enable Pinging Properties for Application Pool ?

IIS should periodically monitor the health of a worker process [ Idle or not ,
Time for recycle or not, All Worker process are running properly or not ] .

Pining means, Activation Process monitor Worker process performance,

health, idle time etc.

By default it sets to 30s .

Does One Web Application can have multiple Application Pool ?

No. Every Web Application should have one Application Pool. Bydefault it is
"DefaultAppPool ".

Which version of IIS is available in Windows Server 2008 ?

IIS 7.0 .

Even Vista Home Premium and Ultimate edition is also having IIS 7.0

How we can save an Application Pool Settings?

Application Pool Settings can be save as "XML" Format.

Right Click on Application Pool > All Task > Save Configuration to a File .

This will save all the settings of Application Pool as an XML file.We can
make it password protected also.

Which Tool is used for Remote IIS Debugging ?

Tools is : msvsmon.exe

This is located at : Install path\Microsoft Visual Studio 8\Common7\IDE\

Remote Debugger\x86

What are the different authentication mode available for IIS Remote
Debugging ?

For IIS Remote Debugging msvsmon supported two authentication mode

1. Windows Authentication

2. No-Authentication

How can we get the list of worker process running in IIS along with the
Application pool name

By running iisapp.vbs script from command Prompt.

Below are the steps :

1. Start > Run > Cmd

2. Go To Windows > System32

3. Run cscript iisapp.vbs

If there are multiple worker process running on IIS, then how can you
attach a particular worker process for application ?

Well, If there are multiple worker process running in IIS, it means I have to
know the name of my application pool. Then I can run cscript iisapi.vbs
script to find out the process ID and Application Pool name . Based on the
process Id for particular application I have to attache the process from
Visual studio IDE.

Why do we need to IIS Remote Debugging ?

There are following reasons where we can use remote debugging

1. Your development server does not have IIS installed.

2. Development server and Build/Released/Hosting Server is different

3. Multiple user want to debug simultaneously.

Does IIS allows multiple user to Remote debug simultaneously ?

Yes. This is one of the great features of msvsmon.exe . Each instance of the
remote debugger has a unique server name.we can give an instance of the
remote debugger any server name. Now multiple user can able to access
the server instance.

What is the use of aspnet_regiis -i command ?

This is used automatically register the .NET Framework with your IIS.

Can we have multiple web sites on IIS ?

Yes. IIS Can have multiple web sites and Each and every web sites can have
multiple virtual Directory.

Note : Here web sites means the Root Node.

Where is the default location for IIS Log files ?

C:\WINDOWS\system32\LogFiles\W3SVC1
What is ISAPI Filter ?

This is one of the more important question for experienced guys.

Please read this in details.

http://msdn.microsoft.com/en-us/library/ms524610.aspx

What are the major innovation in IIS 7.0 ?

Below are the Major Innovation in IIS 7.0

Components are designed as module and there are major change in

administration settings.

FYI : You can find out many of them, just go thorugh Microsoft IIS web site.

What is the Role of Windows Activation Process in IIS ?

WAP is the Controller of Worker process under a Application Pool. Windows

Activation Process which is managed by the worker process by starting,
stopping and recycling the application pool. When to start, stop and Recycle
should be defined on Application Pool Settings. Activation Process is also
responsible for Health Monitor of Application Pool during runtime.

FYI : Health monitoring setting can be easily found in Properties of

Application Pool.

What are the different type of application pool available in IIS 7.0 ?

IIS 7.0 having two types of application pool.

1. DefaultAppPool (Integrated)
2. ClassicAppPool

Which is not an Identity of Application Pool ?

NOTE: This is objective type question, Please click question title for correct
answer.

Which application pool having maximum privilege on the server ?

NOTE: This is objective type question, Please click question title for correct
answer.

What is name of default application pool in IIS ?

NOTE: This is objective type question, Please click question title for correct
answer.

What are the worker process for IIS 5.1 and IIS 6.0 ?

For IIS 5.1 > aspnet_wp.exe

For IIS 6.0 > w3wp.exe

Name of the tool which is used for remote debugging of IIS

NOTE: This is objective type question, Please click question title for correct
answer.

What is Web Farm ?

This is one of the most question in IIS. And along with that interviewer can
as what is the different between Web farm and Web Garden ?
When we hosted our web Application on multiple web server under a load
balancer call the Web Farm. This is generally used for heavy load web
application where there are many user request at a time. So When Web
Application is hosted on Different IIS Server over a load balancer, Load
balancer is responsible for distribute the load on different server.

Please have a look into this :

http://www.dotnetfunda.com/articles/article713-difference-between-web-
farm-and-web-garden.aspx

What is the default Identity of an Application Pool ?

NetworkServices

How can we set the default page for any web application ?

We can set the default page for a web site from the Virtual Directory
Setting.

How To :

IIS Manager > Virtual Directory > Right Click > Properties > GoTo
Document Tab.

How we can set the Idle Time out of an worker process ?

We can set the Idle time out for an worker process from Application Pool
Properties.

In Performance Tab of Application pool, we can set the Idle Time out of the
worker process. This means worker process will shut down after that given
time period if it stay idle. And will again wake up again if a new request
comes.
Is there any alternative way to host site on IIS rather than opening IIS
Manager ?

Yes, We can directly host any site from the physical location of directory
itself.

Right Click on Physical Folder > Properties > Web Sharing

There you need to select > "Share This Folder" Option Button. Then it will
ask for alias name and other setting. Then Click on OK.

To Validate : Run > Inetmgr > Check there should an virtual directory with
the same "Alias" name that you have given.

If there are already one Virtual directory exist it will showing you the error
message while you providing the "Alias" name.

Can we create one Application Pool From Another Application Pool ?

Yes. We can.

While creating Application Application Pool From IIS, there should have two
option available first one is for Default Setting and Another is for Existing
Setting as template.

We can select the second one and from the drop down listed below we can
select any on the Application Pool as Template,.

What are the main components of SVCHost.exe ?

Main components for SVCHost.exe are WWW Publishing Service (W3SVC)

and Windows Activation Porcess (WAP) .
W3SVC is the mediator of HTTP.SYS and Windows Activation Process.
Windows Activation Process maintain the worker processes.

What are the different way that we can hosted site on IIS ?

We can hosted site on IIS either creating Virtual Directory through IIS
manager or Using Folder Web Sharing .

Apart from that Visual studio provide some inbuilt features to host the site
on IIS like using Publishing the web site , Using Copy web Tool or Creating
Virtual directory during the creating the project by choosing Location as
HTTP

How does IIS process an ASP.net request ?

When client request for an aspx pages, request comes to kernel level off IIS
means to HTTP.SYS . HTTP.SYS receives the request and based on the
application pool name [ Which is already registred with the HTTP.SYS ] it
send the request to worker process. Windows Activation process works as
mediator of them. w3wp.exe loads "aspnet_isapi.dll" files to start the
HTTPRuntime . HTTPRuntime creates HTTPApplication objects and all
request are passed through HTTPModule and finally reached to
HttpHandler . This is the request pipeline. After end of Request pipeline
ASP.NET Page lifecycle starts.

For more Information :

http://www.codeproject.com/KB/aspnet/aspnetrequestarchitecture.aspx

From where we can set the Session Time Out in IIS ?

We can set the Session time out settings from the Virtual Directory for that
site.
Right Click on Virtual Directory > Properties > Click on "Configuration"
Button

Goto the "Option" Tab. There in Enable Session State Section you can
configure the Session Timeout .

What are the different "Execution Permission" available for IIS for an virtual
directory ?

There are three Execution Permission available.

1. None

2. Scripts Only

3. Scripts and Executable

From where you can change the ASP.NET Version in IIS ?

This can be change from Virtual Directory properties. First open Properties
of Virtual Directory > GoTo ASP.NET Version Tab.

There we can have change the ASP.NET Version.

What is the default user name of an anonymous login in IIS?

In IIS, an anonymous user will be given with a user name of

"IUSR_MachineName "

How can we take back-ups in IIS Server?

Step 1 : In the IIS (inetmgr), right click on the "Computer" icon under
"Internet Information Services" . Click "All Tasks" and select
"Backup/Restore Configuration".
Step 2 : Click on button "Create backup". Give Name for your backup file. If
you want encryption enable encryption option and give UserName and
Password and then click OK.

What is IIS metabase? And In which format IIS stors configurations?

IIS metabase is a special databse which is used to maintain the settings and
configurations data for IIS. In simple term, it is a configuration base for IIS
(Metabase.xml).

IIS 5.0 --> Metabse is in Binary.

IIS 6.0 & 7.5 --> Metabase is in XML.

List of Error & Status codes in IIS 6.0?

Status Code Type of Code

100 Series - Informational

200 Series - Success

300 Series - Redirection

400 Series - Client Error

500 Series - Server Error

How to recycle application pool from the command prompt in IIS7?

1. Use appcmd.exe to recycle the application pool from the command

prompt.

2. appcmd.exe is the command line tool for IIS7, you will find this tool at
following location :
 %systemroot%\system32\inetsrv\appcmd

3. To recycle your application pool use the following command:

appcmd recycle apppool /apppool.name:<application pool name>

What are the Different steps to be followed to get SSL(Secure Sockets

Layer) for our Web Application ?

. Intially we have to Generate a certificate request from our IIS

. Now we have to request a certificate from the certificate authority(CA)

. This CA is an entity which issues Digital Certificates.

. After receiving the certificate we have to install that particular certificate

on our Web Server using IIS

. We have to use Secure Hyper Text Transfer Protocol(HTTPS) when

accessing secure pages in our application.

By this way we could make our web page as SSL protected. !!!

Which DLL is used to translate XML to SQL in Internet Information Services

(IIS) ?

NOTE: This is objective type question, Please click question title for correct
answer.

What is the purpose of IIS application pools?

We use applicaiton pools for isolation purpose. Every application within an

application pool used the same worker process. Each worker process
operates as a separate instance of the worker process executable,
W3wp.exe, the worker process that services one application pool is
separated from the worker process that services another.
In simplest words we use applicaiton pools for ISOLATION purpose.

what is Windows Process Activation Service ?

The Windows Process Activation Service (WAS) provides process activation,

resource management and health management services for message-
activated applications. It manages application pool configuration and the
creation and lifetime of worker processes for HTTP and other protocols
(net.tcp,net.pipe,net.msmq)

Details : http://techprudent.com/the-windows-process-activation-service/

and

MSDN :
http://technet.microsoft.com/en-us/library/cc735229%28WS.10%29.aspx

What are the Different Authentication Methods(Using Windows

Authentication) which are provided by IIS ?

Generally IIS provides four different kinds of Authentication Methods they

are :

Anonymous Method

If we select this authentication, IIS doesn't perform any authentication so

that any one can access the application.
Basic Method

If we select this method, the user who access the application should provide
windows username and password to access the application. Although this is
sent through a network by transmitting direct text so it it very insecure.

Digest Method

This method is almost equal to Basic method but the difference is the
password is hashed before it is transmitted through out a network.

Windows Integrated Method

In this the application uses the Kerberos protocol to validate(Authenticate)

the user. This uses a Secret key cryptography which provides strign
authentication for Client/Server applications.

How can we check whether IIS is being installed in my system or not?

To verify if IIS is installed or not we need to go to ’Add or Remove

Programs’ utility in the Control panel and click on the ’Add/Remove
Windows Components’ in the side menu.

There we must locate an item called "Internet Information Services (IIS)". If

this is checked, IIS should be installed.

So that you can have your IIS installed in your system if it is not installed.

What is the impact of turning off kernel mode cache?

The impact will depend on the server load. If you are doing 10,000 requests/second,
you will sorely miss kernel caching; however, if you are doing 100 requests/second you
probably will not notice. It depends heavily on the content being served, IIS 5.0 did not
have a kernel mode component and it worked well for most customers.

What support does Windows Server® 2008 have for Ruby on Rails?

There is basic ruby support. See following link for more information:

http://mvolo.com/blogs/serverside/archive/2007/02/18/10-steps-to-get-Ruby-on-Rails-
running-on-Windows-with-IIS-FastCGI.aspx

Does the installation order of modules matter?

If you are installing via the Server Manager GUI ("Add Features"), order of installation
does not matter. The Add Features wizard checks all dependencies and will alert you if
you are missing any required modules. In addition, Add Features wizard knows the
correct ordering of modules.

If you are installing from a command line or using an unattended installation, the order
of modules doesn't matter (again, Setup knows the correct ordering of modules), but
you are responsible for identifying all dependencies. If you fail to include a required
dependency, unattended/ command-line setup will fail.

Note: As opposed to the order of modules during setup, the order in which modules
are arranged in the common pipeline (i.e., the order in which modules subscribe to
notifications) is important. For example, if two modules subscribe to the same
notification, the one first on the list gets notified first (With one exception-- the default
IIS 7.0 modules should not have issues with reordering). For the authentication
modules, it is advisable to keep the existing ordering because this will determine with
which authentication scheme IIS challenges first. We order it from most secure to less
secure. IE uses the first authentication scheme it understands and if you put a less
secure authentication scheme first, IE chooses it instead of the more secure one.

What is the memory footprint of an application pool? Does it load the CLR?

An Application Pool that only serves static files with all features installed will have a
footprint of 3 MB private bytes, 5 MB page file. (This is larger than IIS 6.0). Windows
Server 2008 handles multiple application pools better than WS03. When ASP.NET
requests are made we pre-load a small amount of the CLR during startup (~100kb) .
The preload is configurable by a property on the ApplicationPool. It is called
managedRuntimeVersion. The rest of the CLR (~8mb) will be loaded on the first ASPX
request.

Do customers need to have a 32-bit application pool and 64-bit application

pool with the Access customers in 32-bit application pools?

Access only works in 32-Bit application pools. Loading the user profile (loadUserProfile
property on the AppPool) is an issue when Classic ASP is used because Access is using
the temp directory which doesn't allow access to the anonymous user when the user
profile is loaded.

What are the limitations for Windows Server 2008 Web Edition?

Windows Server 2008 web edition is much improved, and we have focused hard on
removing the artificial limits. The final licensing is not yet complete, but we are
planning to remove all hardware restrictions, allow 4x processors and 32GB RAM (on
x64). SQL is allowed, and SharePoint will be installable on the SKU.

What support will Windows Server 2008 have for Front Page Server
Extensions?

FPSE is no longer a part of Windows Server. We are working with a third party to
create a download package for FPSE to run on Windows Server 2008/IIS 7.0. It does
not have any new features or enhancements, only fixes to make it compatible.

Does Windows Server 2008 support in-place upgrades?

We recommend that Windows Server 2008 be installed fresh and migrated to; or, just
put new customers on new servers. We suggest that a well managed list of third party
components and configurations is documented for each server, so that the current
environment can be replicated on the new server. See the recommendations in the
shared hosting paper for site and application pool configuration. A tool to assist in the
migration will be released in the near future.

In-place upgrades are supported for the following scenarios:

  Windows Server 2003 can be upgraded to WS2K8 Beta3, WS2K8 RC0, WS2K8
RC1, and WS2K8 RT

 Windows Server 2008 Beta3 can be upgraded to WS2K8 Beta3, and WS2K8 RC0

 Windows Server 2008 RC0 can be upgraded to WS2K8 RC0, WS2K8 RC1, and
WS2K8 RTM

 Windows Server 2008 RC1 can be upgraded to WS2K8 RC1, and WS2K8 RTM
If the server is in Shared Configuration mode, it must be reverted to standalone
configuration before the upgrade is run. To do so, disable shared config, copy down the
applicationhost.config and encrypted keys to the local machine, run the upgrade on
each server, then re-enable shared config.

Is it possible to specify a log file to be used during unattended setup? If so, is

it possible to be granular on what is or is not logged?

Both the log files that setup is writing and the iis7.log are always on. It is not granular
about what gets logged.

Is it possible to specify 3rd-party modules for use by pkgmgr during an

unattended setup?

We do not provide any way to configure modules other than Windows modules during
setup. There may be a way through generic unattend setup to run something after
setup is done, and in that a user could do some coding.

What is the performance hit for failed request tracing? Is it possible to do

failed request tracing for all web sites on a particular server?

Tracing ALL requests at <1000 requests/second should be <5% CPU. It is possible to

configure a global tracing rule for all sites. Tracing can be enabled for all sites by
changing the <siteDefaults> section.

Is it possible to limit the amount of memory an application pool will use?

No, but there is memory-based recycling, which will recycle AppPools that exceed
configured memory limits.
Will the credentials encrypted with the machine key will be lost as a result of
sysprep? Is there any workaround for this?

Encryptions made before sysprep are lost after sysprep. There is no workaround.

How does shared configuration handle multiple machines dealing with

encrypted credentials?

You can export the machine keys and import them into all the servers so that
decryption works. The UI for Server Beta 3 includes a feature called Shared
Configuration which will allow you to do that. Click Export... and it will encrypt the
machine keys, copy them along with applicationHost.config and administration.config
to a path. After that, from all the other machines you can select "Import..." and it will
import the machine keys and point the config to the shared configuration.

Can both Classic and Integrated Managed Pipeline Mode be enabled at the
same time? If so, can it be configured such that some applications use one,
and some use the other?

Different AppPools can have different values for this setting. Applications can be
assigned to different AppPools

When there is no default document located within a folder being requested

(HTTP Error 403.14), the error lists the server version information as IIS 7.0.
Can that be masked to avoid unwanted information disclosure?

The default file for handling this error is contained in \inetpub\custerr\en-us. The
footer of the error contains "Server Version Information: Internet Information Services
7.0.", which of course can be removed or edited directly from the .htm file.

Can a remote IIS 7.0 server be provisioned using the Managed API?

The managed API (Microsoft.Web.Administration) has access to all of the settings that
the native API does and has DCOM remoting support by using
ServerManager.OpenRemote static method. You can set any configuration settings but
for Beta 3 there is no support for runtime information such as the State of an AppPool
or the list of requests or workerprocess.
What is URL Authorization? Why would it be used?

In previous IIS versions you had to control access via file system ACLs. This is tedious
and there is no web interface to do it. With URL authorization, you can control access
to URLs using the IIS User Interface or using web.config directly. Additionally, you can
use non-windows identities, e.g. Membership users and roles provided by forms
authentication.

What changes (if any) to applicationhost.config and web.config trigger a

restart of ALL application pools?

Any data in the applicationPool section relevant to that app-pool (so either in
applicationPoolDefaults or specific to that app-pool) will cause WAS to recycle the app-
pool. Worker process can ask WAS to recycle app-pools based on certain config
changes, currently the only one we do it for is globalModules, but this is not a closed
list (as modules can ask for recycle based on config change).

Is there a native component of load balancing or clustering within Windows

Server 2008 and/or IIS 7.0?

NLB is part of Windows Server 2008. It is essentially the same as it was in Windows
2003. To install NLB, go to Server Manager > Features > "Add Features" and select
"Network Load Balancing" from the list. To configure NLB, you need to open a
command prompt and run nlbmgr. This is the UI that existed in Windows 2003.

What is meant by configurable CPU usage?

If the system-wide CPU exceeds a threshold dynamic, compression will stop occurring,
freeing up the CPU it was using. If the system-wide CPU drops below a different limit,
dynamic compression will resume, saving bandwidth.

Why would I not enable dynamic compression all the time?

Different users have different opinions on optimal CPU utilization. Some think a 20%
average is perfect, others think 75%. If you want X and you're consistently above X,
you might as well completely remove dynamic compression, as it is never going to be
used.
How does dynamic compressions factor in consistent CPU spiking vs. constant
CPU usage?

It factors in average usage over the 30 second window since the last sample - so, even
with irregular spikes, you will have dynamic compression on for at most 30 seconds
after the spike - and if your spikes are instantaneous (and so do not affect average CPU
usage over 30 seconds much) - they will not affect dynamic compression.

In a shared hosting environment, what should the default LoadUserProfile

setting be?

Setting loadUserProfile=false in applicationPoolDefaults is a good idea for Shared

Hosting scenarios. The startup time of an AppPool will be much faster and you avoid
any temporary directory permission issues.

What is the cause of the "Http 500.19 - Internal Server Error"?

The 500.19 error is caused by the IIS 7.0 feature delegation mode. When a feature is
delegated to site owners, and the site owners modify the feature, then their changes
are persisted in web.config. If the server administration revokes the delegated
management on that feature, then the web site owner has the responsibility of
cleaning up the feature details from web.config. Otherwise, all sites that had modified
that delegated feature will immediately give an "Http Error: 500.19 - Internal Server
Error" message. In order to avoid this issue, we recommend that hosters do not revoke
delegated features once they are published to end customers.

How does IIS 7.0 handle web.config updates?

If the hosted site does not have a web.config, IIS 7.0 will create one. If the site has a
web.config, IIS 7.0 modifies it. If the web.config is modified, then the site owners have
the responsibility of merging the changes and ensuring that the changes are manually
merged and maintained.
At IIS 7.0 install time, we did not install the management service. What are
the impacts of installing this service now that we are using shared
configuration?

Installing Management Service does not modify AppHost.config or

Administration.config at all. The only changes you should see are the new binaries
(wmsvc.exe). A self-sign certificate will be created and a few registry keys will be
added. This means that in theory nothing should break.

Does installing the management service make any changes to the shared
configuration ACLing to make it work with the administration service?

For the most part, it works out of the box since we use the redirection.config settings
for reading apphost/admon.config. However, for a detailed answer, it really depends on
what scenarios you will be using:

 Shared Config using Local Content: Regular Windows or IIS users connecting to
modify their local content and their web.config's - there is nothing to do,
everything should work out of the box.

 Shared Config using Remote Content using Windows Users: It should work,
provided the Windows accounts have access to their content.

 Shared Config using Remote Content using IIS Users: For this scenario you must
change the Identity of the service (WMSVC) to an account that has access to the
remote content, since we use the process identity for accessing content. Note
that apphost.config/admon.config will work, since we use redirection.config

 Windows Administrator managing a Server Connection: It should work, provided

your Windows administrator has write access to the shared config.

How can a web site be created from the command line?

See the following link for information about creating sites in IIS 7.0.

http://technet2.microsoft.com/windowsserver2008/en/library/f6c26eb7-ad7e-4fe2-
9239-9f5aa4ff44ce1033.mspx?mfr=true
Is CLR loaded automatically for each w3wp/apppool?

An Application Pool that only serves static files with all features installed occupies 3
MB private bytes, 5 MB page file. When ASP.NET requests are made we pre-load a
small amount of the CLR during startup (~100kb) . The preload is configurable by a
property on the ApplicationPool. It is called managedRuntimeVersion. The rest of the
CLR (~8mb) will be loaded on the first ASPX request.

When IIS 7.0 provisions a new web site, it creates folders like W3SVC1,
FTPSVC2, etc and assigns permissions: Administrators - Full Control, SYSTEM
- Full Control. As a result, those folders (and log files inside) are unavailable
to the site user for download. Is it possible to override this IIS 7.0 behavior
and force it to create log directories with permissions inherited from parent
directory?

Http.sys creates these folders automatically if they do not exist. If you override the
permissions with something else, it should preserve the new permissions.

Is IIS 7.0 compatible with ColdFusion 8?

We have tested it internally and it seems to work well if ISAPI and Metabase are
installed. There are some blogs online as well that give instructions on how to make it
work. For more information see the following link:

http://blogs.iis.net/bills/archive/2007/03/06/coldfusion-on-iis7.aspx.

After setting up IIS 7.0 with WSS3 and using central administration to create
a site collection,why does the following error occurs "The page cannot be
displayed because your server's current configuration does not support it. To
perform this task, use the command line operations in Stsadm.exe."?

The server is setup in AD Account Creation mode. AD Creation Mode is a deprecated

feature that is still supported, but will be removed in V4. Instead of allowing WSS to
automatically create users in AD, the recommendation is to do user provisioning
outside of WSS.
Where can I find more information about the Shared Centralized Global
Configuration Feature?

More information on Centralized Global Configuration can be found at: The

Configuration System in IIS 7.0

Are there FrontPage server extensions available for Windows Server 2008 64
bit? I only find a download for I386.

There are currently no FPSE for x64. Our shared hosting recommended architecture is
64bit OS with 32bit AppPools. Unfortunately there is currently a bug that prevents
FPSE from installing on 64bit for this scenario.

Windows Server 2008 was installed without a Product Key and is now asking
for an activation code. The Product Key is not available right now, how can I
re-activate Windows Server 2008?

You may re-arm your system three times by completing the following steps:

In order to run slmgr /rearm, open regedit.exe and navigate to HKLM\SOFTWARE\

Microsoft\Windows NT\CurrentVersion\SL. Verify that value "skiprearm" is set to ‘0'. If
this value is non-zero, the re-arm function will not reset the system activation timers.

After verifying that the "skiprearm" registry value equals zero (0), run slmgr /rearm
from an elevated command prompt. Wait for the notice that the process has completed.
This can take a minute or two. Once complete, follow the prompt to shutdown the
computer. Upon restart, the computer will be running in OOB Grace and will have
another 30 days in which to activate. No other changes will be made to the system by
this process.

What is the recommended method to deploy x509 certificates on multiple web

servers?

IIS.CertObj COM-object is still there in IIS 7.0 and we think it is still the best option for
deploying certificates on multiple web servers. This component behavior remains the
same, so all old script should work (if ABOMapper is enabled).
Note: In LH RC0 there will be a new feature of this object that allows specifying
secure bindings as an instance name:
set iiscertobj = CreateObject("IIS.CertObj")

iiscertobj.InstanceName = "0.0.0.0:443"

iiscertobj.Import pfxfile, pfxfilepassword, true, true

And such a script won't be depending on ABOMapper.