AD Interview Questions

The document provides a comprehensive overview of Active Directory (AD) structures, including physical and logical components, directory partitions, and commands for managing roles and backups. It explains the significance of FSMO roles, global catalogs, and group policies, as well as various backup and restore methods in AD. Additionally, it covers trust types, site definitions, and functional levels, along with practical steps for managing these elements within an AD environment.

Uploaded by shrikantnpar

1) Physical structure of AD – Sites and DCs.

Logical structure of AD – Domains, Forests, Trees, OUs.

2) What are the Active Directory partitions?


a) Schema Partition

b) Configuration Partition

c) Domain Partition

d) Application Partition

Every domain controller contains the following three directory partitions:

Configuration – Contains the Configuration container, which stores configuration objects for the entire forest in cn=configuration,dc=<forestRootDomain>. Updates to this container are replicated to all domain controllers in the forest. Configuration objects store information about sites, services, and directory partitions. You can view the contents of the Configuration container by using ADSI Edit.

Schema – Contains the Schema container, which stores class and attribute definitions for all existing and possible Active Directory objects in cn=schema,cn=configuration,dc=<forestRootDomain>. Updates to this container are replicated to all domain controllers in the forest. You can view the contents of the Schema container in the Active Directory Schema console.

Domain – Contains a <domain> container (for example, the Reskit.com container), which stores users, computers, groups, and other objects for a specific Windows 2000 domain (for example, the Reskit.com domain). Updates to the <domain> container are replicated only to domain controllers within the domain, and to Global Catalog servers if the update is made to an attribute that is marked for replication to the Global Catalog. The <domain> container is displayed in the Active Directory Users and Computers console. The hierarchy of domain directory partitions can be viewed in the Active Directory Domains and Trusts console, where trust relationships between domains can be managed.

3) Which commands show the owners of the FSMO roles?

netdom query fsmo

dcdiag /v

4) Which command shows the Global Catalog servers?

dsquery server -domain IPL.COM -isgc (in a domain)

dsquery server -forest -isgc (in a forest)


A domain controller designated as a global catalog stores a full replica of all objects in Active
Directory for its host domain and a partial replica for all other domains in the domain forest.
Global catalogs are used during logon and for information searches. In fact, if the global catalog
is unavailable, normal users can't log on to the domain. The only way to change this behavior is
to cache universal group membership on local domain controllers. By default, the first domain
controller installed in a domain is designated as the global catalog. You can also add global
catalogs to a domain to help improve response time for logon and search requests. The
recommended technique is to have one global catalog per site within a domain.

Any domain controller hosting a global catalog should be well connected to the network and to
domain controllers acting as infrastructure masters. Infrastructure master is one of the five
operations master roles that you can assign to a domain controller and it is responsible for
updating object references. The infrastructure master does this by comparing its data with that of
a global catalog. If the infrastructure master finds outdated data, it requests the updated data from
a global catalog. The infrastructure master then replicates the changes to the other domain
controllers in the domain.

5) How to enable Universal Group Membership Caching for a site.

a) Open the Active Directory Sites and Services snap-in from Administrative Tools.

b) Expand the Sites tree and, in the left pane, click the name of the site on which you want to enable Universal Group Membership Caching; in the right pane, right-click NTDS Site Settings.

c) Click Properties and, on the Site Settings tab, check the Enable Universal Group Membership Caching check box.

6) How to back up a GPO.

GPMC > Domain > Domain Name > Group Policy Objects > right-click the GPO name > Back Up

7) How to view the Schema Master role.

regsvr32 schmmgmt.dll, then MMC > Add/Remove Snap-in > add the Active Directory Schema snap-in (schema.msc).

8) How to seize the FSMO roles.

ntdsutil > roles > connections > connect to server <servername> (or connect to domain <domain>) > quit

roles > seize RID master / seize PDC / seize schema master / seize infrastructure master / seize domain naming master

9) Symptoms of FSMO problems

If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the table below describes some of the symptoms that can occur when FSMO role holders go missing or don't work properly.

Symptom                                           Possible role involved   Reason
Users can't log on.                               PDC Emulator             If system clocks become unsynchronized, Kerberos may fail.
Can't change passwords.                           PDC Emulator             Password changes need this role holder.
Account lockout not working.                      PDC Emulator             Account lockout enforcement needs this role holder.
Can't raise the functional level for a domain.    PDC Emulator             This role holder must be available when raising the domain functional level.
Can't create new users or groups.                 RID Master               RID pool has been depleted.
Problems with universal group memberships.        Infrastructure Master    Cross-domain object references need this role holder.
Can't add or remove a domain.                     Domain Naming Master     Changes to the namespace need this role holder.
Can't promote or demote a DC.                     Domain Naming Master     Changes to the namespace need this role holder.
Can't modify the schema.                          Schema Master            Changes to the schema need this role holder.
Can't raise the functional level for the forest.  Schema Master            This role holder must be available when raising the forest functional level.
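Added example (not from the original document), tying questions 3, 4 and 9 together: a PowerShell health check that lists the FSMO role holders and global catalog servers through the ActiveDirectory module, then tests each role holder for reachability and clock skew, since the table above links an unsynchronized PDC Emulator clock to Kerberos logon failures. It assumes the RSAT ActiveDirectory module on a domain-joined host and uses the 5-minute Kerberos clock-skew tolerance (the default policy, not a value from the document).

```powershell
# Added example: FSMO role holder and global catalog health check.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles are exposed on the forest object, domain-wide roles on the domain object
$roleHolders = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

Write-Host "Global catalog servers in forest $($forest.Name):"
$forest.GlobalCatalogs | ForEach-Object { Write-Host "  $_" }

# Default Kerberos policy tolerates 5 minutes of skew before tickets are rejected
$maxSkewSeconds = 300

$report = foreach ($role in $roleHolders.Keys) {
    $holder    = $roleHolders[$role]
    $reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue

    $skew = $null
    if ($reachable) {
        try {
            # Compare the role holder's clock with this host's clock via CIM (WinRM)
            $os   = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $holder -ErrorAction Stop
            $skew = [math]::Abs(((Get-Date) - $os.LocalDateTime).TotalSeconds)
        } catch {
            $skew = $null   # CIM unavailable: report skew as unknown rather than guessing
        }
    }

    # Map the check result onto the symptoms the table above predicts
    if (-not $reachable) {
        $warning = 'role holder unreachable; expect the symptoms listed for this role'
    } elseif ($null -ne $skew -and $skew -gt $maxSkewSeconds) {
        $warning = 'clock skew exceeds Kerberos tolerance; logons may fail'
    } else {
        $warning = ''
    }
    $skewText = if ($null -ne $skew) { [math]::Round($skew, 1) } else { 'unknown' }

    [pscustomobject]@{
        Role       = $role
        Holder     = $holder
        Reachable  = $reachable
        ClockSkewS = $skewText
        Warning    = $warning
    }
}

$report | Format-Table -AutoSize
```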

10) What is an OU, and what is the maximum length of an OU name?

Ans: Organizational Units (OUs) within an Active Directory are a way to delegate control over part of the directory to a user or group of users.

The maximum length of an OU name is 64 characters.

11) What is conditional forwarding?

In standard DNS forwarding, you configure the DNS server so that if someone queries it about something it can't answer, the server won't search the Internet for the answer. Instead, the DNS server asks another DNS server to find the answer. This notion of one DNS server asking another to do its searching is called forwarding.

With conditional forwarding, you configure the DNS server so that if someone queries it about a particular domain and it doesn't have the answer, it asks another DNS server (its forwarder) to find the answer. Where standard forwarding is a broad-spectrum instruction to pose unanswered questions about any domain to a particular DNS server, conditional forwarding says to refer to the forwarder only questions about a particular domain.

Essentially, Windows Server 2003's DNS lets you specify a server or set of servers to answer queries about a particular domain. Thus, if you want to roll out 10 secondary DNS servers for a domain and another 50 DNS servers for resolving internal split-brain DNS requests, you'd simply need to set up those 50 DNS servers to conditionally forward all queries for that domain to the 10 secondary servers. This eliminates the single point of failure of having a domain forward to a single DNS server for resolution and can help distribute name resolution in your organization.

12) How to find out the tombstone lifetime period.

1. Open ADSIEDIT.MSC.
2. Double-click Configuration, CN=Configuration, CN=Services, and CN=Windows NT.
3. Right-click CN=Directory Service, and then click Properties.
4. In the Attribute column, click tombstoneLifetime.
5. Note the value in the Value column. If the value is <not set>, the default value is 60 days; with Windows Server 2003 SP1 the value is 180 days.

13) How to recover deleted objects.

Install the Support Tools, run ldp.exe, click Connection and then Bind, then go to Options and click Controls.
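Added example (not from the original document), covering questions 12 and 13: PowerShell that reads tombstoneLifetime from the Directory Service object named in the steps above, applies the document's 60-day default when the attribute is <not set>, and then lists tombstoned objects still inside that lifetime, which is what makes them recoverable. Get-ADObject -IncludeDeletedObjects is assumed as the scripted equivalent of the ldp.exe deleted-objects control, and Restore-ADObject needs the AD Recycle Bin (a 2008 R2 feature per question 35).

```powershell
# Added example: tombstone lifetime and recoverable deleted objects.
# Requires the ActiveDirectory module and rights to read the Deleted Objects container.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime

# <not set> means the default applies: 60 days as stated in the document
# (180 days on forests created with Windows Server 2003 SP1 or later).
if ($null -eq $ds.tombstoneLifetime) {
    $tsl = 60
    Write-Host "tombstoneLifetime is <not set>; using the default of $tsl days"
} else {
    $tsl = [int]$ds.tombstoneLifetime
    Write-Host "tombstoneLifetime is $tsl days"
}

# A backup older than the tombstone lifetime must not be restored: it would
# reintroduce objects whose tombstones have already been garbage-collected.
$oldestUsableBackup = (Get-Date).AddDays(-$tsl)
Write-Host "System State backups taken before $oldestUsableBackup are unusable for restore"

# Tombstones carry isDeleted=TRUE; whenChanged records the deletion time.
# Objects already recycled (Recycle Bin environments) cannot be restored, so exclude them.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and isRecycled -ne $true' `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent, objectClass

# The deleted RDN is "<name>\0ADEL:<guid>"; keep only the original name for display
$columns = @(
    @{ n = 'Name';     e = { ($_.Name -split "`n")[0] } },
    'objectClass',
    'whenChanged',
    'lastKnownParent',
    @{ n = 'DaysLeft'; e = { [int](($_.whenChanged.AddDays($tsl) - (Get-Date)).TotalDays) } }
)

$recoverable = $deleted |
    Where-Object { $_.whenChanged -gt $oldestUsableBackup } |
    Select-Object $columns

$recoverable | Sort-Object DaysLeft | Format-Table -AutoSize

# To recover one of them (requires the AD Recycle Bin to be enabled):
#   Restore-ADObject -Identity <objectGUID>
```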

14) What are sites, and why do we create sites?

Sites are well-connected subnets. Sites represent the physical structure of the network, while domains represent the logical structure of the organization.

To help make replication more efficient, Active Directory relies on sites. Sites, defined as groups of well-connected computers, determine how directory data is replicated.

15) What are the different types of trust?

External trust – Use external trusts to provide access to resources located in a Windows NT 4.0 domain.

Realm trust – A realm trust can be established between any non-Windows Kerberos V5 realm and a Windows Server 2003 domain.

Forest trust – Use forest trusts to share resources between forests.

Shortcut trust – Use shortcut trusts to improve user logon times between two domains. Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest.

Every 12 hours, each domain controller starts a garbage collection process.

16) How often are Computer Configuration group policies refreshed by default?

90 minutes

17) How often are Domain Controller group policies refreshed by default?

5 minutes

DDNS – Short for dynamic Domain Name System, a method of keeping a domain name linked to a changing IP address.

Basic disk – A physical disk that contains primary partitions, extended partitions, or logical drives. Basic disks can be accessed by all versions of Windows, MS-DOS, and Windows NT. Basic disks can contain up to four primary partitions, or three primary partitions and an extended partition with multiple logical drives. Upgrading a basic disk to a dynamic disk will render the entire disk unreadable to operating systems other than Windows 2000.

Dynamic disk – Supported by Windows 2000, a dynamic disk is a physical disk initialized for dynamic storage. It holds simple volumes, spanned volumes, mirrored volumes, striped volumes, and RAID-5 volumes. With a dynamic disk you can perform disk and volume management without having to restart the operating system. Upgrading a basic disk to dynamic storage will render the entire disk unreadable to operating systems other than Windows 2000.

18) Different types of backup in AD.

- Incremental backup
The incremental backup backs up only those files that have been created or changed since the last incremental or normal backup. It also marks the files as having been backed up, meaning it clears the Archive bit. A combination of normal backups and incremental backups is common, and also a very good combination. It requires the least amount of storage space and is fast for backing up the data. The disadvantage is that it's time-consuming to recover files, simply because you need the last normal backup set and all incremental backup sets, which can be stored on several backup drives or tapes.

- Differential backup
The differential backup is similar to the incremental backup and only backs up files that have been created or changed since the last normal or incremental backup. No, it wasn't a typo: it doesn't check whether a differential backup has been run. This is because differential backups do not mark files as having been backed up. A combination of differential backups and normal backups is more time-consuming concerning the backup part than the incremental + normal backups are. But on the other hand it is faster to restore data, because all you need is the last normal backup and the last differential backup.
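Added example (not from the original document): a PowerShell simulation of the Archive-bit behaviour described above, run against a scratch folder under $env:TEMP on Windows. Both incremental and differential selection read the Archive attribute, but only normal and incremental runs clear it, which is why a differential run picks up the same files again until the next normal backup; the helper names (Set-DemoFile, Get-BackupSet) are this example's own.

```powershell
# Added example: how the Archive attribute drives incremental vs differential selection.
# Uses a throwaway folder so it is safe to run; Windows only (NTFS Archive bit).
$root = Join-Path $env:TEMP ('backup-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null

function Set-DemoFile([string]$name, [string]$content) {
    # Writing a file sets its Archive bit, exactly as a real modification would
    Set-Content -Path (Join-Path $root $name) -Value $content
}

function Get-BackupSet {
    param([ValidateSet('Normal', 'Incremental', 'Differential')] [string]$Type)

    # Normal copies everything; incremental and differential copy only files whose
    # Archive bit is set (created or changed since the last bit-clearing backup)
    $files = Get-ChildItem -Path $root -File
    if ($Type -ne 'Normal') {
        $files = $files | Where-Object { ([int]$_.Attributes -band [int][IO.FileAttributes]::Archive) -ne 0 }
    }
    $selected = @($files | ForEach-Object { $_.Name })

    # Only normal and incremental backups "mark files as backed up" by clearing the bit;
    # differential leaves it alone, so the next differential selects the same files again
    if ($Type -ne 'Differential') {
        foreach ($f in $files) {
            $f.Attributes = [IO.FileAttributes]([int]$f.Attributes -band (-bnot [int][IO.FileAttributes]::Archive))
        }
    }
    return $selected
}

# Day 0: normal (full) backup of three constructed files; clears every Archive bit
Set-DemoFile 'a.txt' 'v1'; Set-DemoFile 'b.txt' 'v1'; Set-DemoFile 'c.txt' 'v1'
"Normal:        $((Get-BackupSet Normal) -join ', ')"

# Day 1: a.txt changes. Two differential runs both select it (bit never cleared);
# an incremental selects it and clears the bit.
Set-DemoFile 'a.txt' 'v2'
"Differential:  $((Get-BackupSet Differential) -join ', ')"
"Differential:  $((Get-BackupSet Differential) -join ', ')"
"Incremental:   $((Get-BackupSet Incremental) -join ', ')"

# Day 2: b.txt changes. A differential now sees only b.txt, not a.txt, because the
# incremental cleared a.txt's bit: "since the last normal OR incremental backup".
# The incremental then clears b.txt, and a final differential finds nothing.
Set-DemoFile 'b.txt' 'v2'
"Differential:  $((Get-BackupSet Differential) -join ', ')"
"Incremental:   $((Get-BackupSet Incremental) -join ', ')"
"Differential:  $((Get-BackupSet Differential) -join ', ')"

Remove-Item -Path $root -Recurse -Force
```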

19) What are the different types of restore in AD?

Authoritative restore – When we accidentally delete an OU, we can restore it through an authoritative restore by booting the DC into DSRM and then running the NTDSUTIL utility from the command prompt.

Non-authoritative restore – We perform this restore if for any reason the DC went down due to a hardware or application problem. We have to restart the DC in DSRM mode, restore the System State, and after that it automatically syncs with the other DCs through replication.

20) What are the types of SRV records?

MSDCS: Contains DC information.
TCP: Contains Global Catalog, Kerberos and LDAP information.
UDP: Contains sites information.
Sites: Contains sites information.
Domain DNS Zone: Contains the domain's DNS-specific information.
Forest DNS Zone: Contains the forest's specific information.

21) What is scavenging in DNS?

Finding and deleting unwanted records.

22) What are the default protocols used in Directory Services?

NTLM, LDAP, SMTP and RPC.

23) What are domain functional levels?

Domain functionality activates features that affect the whole domain and that domain only. The four domain functional levels, their corresponding features, and supported domain controllers are as follows:

Windows 2000 mixed (default)
- Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003
- Activated features: local and global groups, global catalog support

Windows 2000 native
- Supported domain controllers: Windows 2000, Windows Server 2003
- Activated features: group nesting, universal groups, SIDHistory, converting groups between security groups and distribution groups; you can raise domain levels by increasing the forest level settings

Windows Server 2003 interim
- Supported domain controllers: Windows NT 4.0, Windows Server 2003
- Supported features: There are no domain-wide features activated at this level. All domains in a forest are automatically raised to this level when the forest level increases to interim. This mode is only used when you upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003 domain controllers.

Windows Server 2003
- Supported domain controllers: Windows Server 2003
- Supported features: domain controller rename; logon timestamp attribute updated and replicated; user password support on the InetOrgPerson objectClass; constrained delegation; you can redirect the Users and Computers containers.

24) What are the forest functional levels?

Windows 2000 (default)
- Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
- New features: Partial list includes universal group caching, application partitions, install from media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access Control Lists (SACL) in the Jet Database Engine, improved topology generation event logging. No global catalog full sync when attributes are added to the PAS. Windows Server 2003 domain controller assumes the Intersite Topology Generator (ISTG) role.

Windows Server 2003 interim
- Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the "Upgrade from a Windows NT 4.0 Domain" section of this article.
- Activated features: Windows 2000 features plus efficient group member replication using Linked Value Replication, improved replication topology generation. ISTG aliveness no longer replicated. Attributes added to the global catalog: ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit

Windows Server 2003
- Supported domain controllers: Windows Server 2003
- Activated features: all features in interim level, defunct schema objects, cross-forest trust, domain rename, dynamic auxiliary classes, InetOrgPerson objectClass change, application groups, 15-second intrasite replication frequency for Windows Server 2003 domain controllers upgraded from Windows 2000

After the forest functional level is raised, domain controllers that are running earlier operating systems
cannot be introduced into the forest. For example, if you raise forest functional levels to Windows
Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server cannot be
added to the forest.

25) How to check which domain functional level is set for the domain

1. Open the Active Directory Domains and Trusts console.
2. Right-click the domain whose functional level you want to verify, and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. You can view the existing domain functional level for the domain under Current domain functional level.

26) How to raise the domain functional level to the Windows 2000 native or Windows Server 2003 domain functional level

Before you can raise the domain functional level to the Windows Server 2003 domain functional level, each domain controller in the domain has to be running Windows Server 2003.

To raise the domain functional level for a domain:

1. Open the Active Directory Domains and Trusts console.
2. Right-click the domain whose functional level you want to raise, and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. Use the Select An Available Domain Functional Level list to choose the domain functional level for the domain.
5. Click Raise.
6. Click OK.

27) How to check which forest functional level is set for the forest

1. Open the Active Directory Domains and Trusts console.
2. Right-click Active Directory Domains and Trusts in the console tree, and select Raise Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens.
4. You can view the existing forest functional level under Current forest functional level.

28) What is REPADMIN?

Repadmin.exe: Replication Diagnostics Tool


This command-line tool assists administrators in diagnosing replication problems between
Windows domain controllers.
Administrators can use Repadmin to view the replication topology (sometimes referred to as
RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition,
Repadmin can be used to manually create the replication topology (although in normal
practice this should not be necessary), to force replication events between domain controllers,
and to view both the replication metadata and up-to-dateness vectors.
Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest.
The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to
check for replication problems.

29) What is NETDOM?

NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

30) Name 3 benefits of using AD-integrated zones.

Benefits as follows:

a. You can give easy name resolution to your clients.

b. By creating an AD-integrated zone you can also trace hackers and spammers by creating a reverse zone.

c. AD-integrated zones support both secure and dynamic updates.

d. AD-integrated zones are stored as part of Active Directory and support domain-wide or forest-wide replication through application partitions in AD.

31) The KCC is a built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

The Knowledge Consistency Checker (KCC) (running on all domain controllers) generates the replication topology by specifying which domain controllers will replicate to which other domain controllers in the site. The KCC maintains a list of connections, called a replication topology, to other domain controllers in the site. The KCC ensures that changes to any object are replicated to all site domain controllers and that updates go through no more than three connections. An administrator can also configure connection objects.

- Normally Remote Procedure Call (RPC) is used to replicate data, and it is always used for intrasite replication since it is required to support FRS. RPC depends on IP (Internet Protocol) for transport.
- Simple Mail Transfer Protocol (SMTP) may be used for replication between sites.

32) Difference between Domain Admins and Enterprise Admins

Enterprise Admins are designated for the entire forest, and Domain Admins are for a specific domain only.

Enterprise Admins are the only group which can perform changes which relate directly to the forest and not an individual domain; there are very few of these tasks. For instance, Forest Prep for R2 or Exchange would need to be done by an Enterprise Admin. Others are creation of trust relationships between forests, modifying the values of some object attributes/properties in AD, creation of Terminal Services Licensing for the whole forest, and destruction of a child domain or an entire forest. As a rule, if the change you are planning to make would affect more than an individual domain, you will need Enterprise Admin access.

33) What does a domain controller register in DNS?

The Netlogon service registers all the SRV records for that domain controller. These records are displayed
as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name.
Other computers look for these records to find Active Directory-related information.
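Added example (not from the original document), covering questions 20 and 33: a PowerShell check that resolves the SRV records Netlogon registers under _msdcs, _tcp, _udp and _sites and reports any domain controller missing from them, since a DC absent from these records cannot be located by clients for LDAP, Kerberos or GC lookups. It assumes the ActiveDirectory and DnsClient modules on a domain-joined host; the record names are the standard DC locator names, not values taken from the document.

```powershell
# Added example: verify each DC's SRV registrations in the _msdcs/_tcp/_udp/_sites folders.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dnsName = $domain.DNSRoot
$forest  = (Get-ADForest).Name
$dcs     = Get-ADDomainController -Filter *

# Records Netlogon registers for every DC of this domain
$expected = @(
    "_ldap._tcp.$dnsName",              # LDAP on any DC of the domain (_tcp folder)
    "_kerberos._tcp.$dnsName",          # Kerberos KDC
    "_kerberos._udp.$dnsName",          # Kerberos KDC over UDP (_udp folder)
    "_kpasswd._tcp.$dnsName",           # Kerberos password change
    "_ldap._tcp.dc._msdcs.$dnsName",    # DC locator record (_msdcs folder)
    "_ldap._tcp.pdc._msdcs.$dnsName"    # PDC Emulator: exactly one target expected
)

function Get-SrvTargets([string]$name) {
    # Return the lower-cased host names the SRV record points at, or nothing on NXDOMAIN
    try {
        Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
    } catch {
        @()
    }
}

$results = foreach ($record in $expected) {
    $targets = @(Get-SrvTargets $record)
    foreach ($dc in $dcs) {
        # Only the PDC Emulator is supposed to appear in the pdc record
        if ($record -like '_ldap._tcp.pdc._msdcs.*' -and $dc.HostName -ne $domain.PDCEmulator) { continue }
        [pscustomobject]@{
            Record     = $record
            DC         = $dc.HostName
            Registered = ($targets -contains $dc.HostName.ToLower())
        }
    }
}

# Site-specific records (_sites folder): each DC must be listed for its own site
$siteResults = foreach ($dc in $dcs) {
    $record  = "_ldap._tcp.$($dc.Site)._sites.$dnsName"
    $targets = @(Get-SrvTargets $record)
    [pscustomobject]@{ Record = $record; DC = $dc.HostName; Registered = ($targets -contains $dc.HostName.ToLower()) }
}

# GC records live under _msdcs of the forest root and exist only for GC-enabled DCs
$gcRecord  = "_ldap._tcp.gc._msdcs.$forest"
$gcTargets = @(Get-SrvTargets $gcRecord)
$gcResults = foreach ($dc in ($dcs | Where-Object IsGlobalCatalog)) {
    [pscustomobject]@{ Record = $gcRecord; DC = $dc.HostName; Registered = ($gcTargets -contains $dc.HostName.ToLower()) }
}

$missing = @($results) + @($siteResults) + @($gcResults) | Where-Object { -not $_.Registered }
if ($missing) {
    Write-Host 'DCs missing from SRV records (restart Netlogon on the DC to re-register):'
    $missing | Format-Table -AutoSize
} else {
    Write-Host 'All domain controllers have their SRV records registered.'
}
```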

34) Differences between Windows 2000 Server and Windows Server 2003.

We can rename or move a domain without rebuilding in Windows Server 2003, but in Windows 2000 Server we can't do that.
The Shadow Copy feature is available in Windows Server 2003 but not in Windows 2000 Server; it is a new tool to recover files.
There are 220 new group policies added in Windows Server 2003 over Windows 2000 Server.
Windows 2000 Server supports a maximum of 10 users accessing shared folders at a time over the network, but Windows Server 2003 has no such limitation.

Windows Server 2003 includes IIS.

Caching-only DNS is a new feature in Windows Server 2003.

35) Differences between Windows Server 2003, 2008 and 2008 R2.

1) RODC
2) Hypervisor (Hyper-V)
3) IIS 7 and IIS 7.5 (2008 R2)
4) Restartable DC
5) Server Manager
6) PowerShell 1.0 and PowerShell 2.0 built in (2008 R2)
7) 16 roles and 34 features; 17 roles and 42 features (2008 R2)
8) Recovering deleted objects through the Recycle Bin in Windows Server 2008 R2
9) WDS (Windows Deployment Services) instead of RIS in Windows Server 2003
10) Shadow copy for each and every folder
11) DFS is installed by default in Windows Server 2003, but we have to add DFSM through Roles
12) BitLocker for drives

37) Querying the database

DNS queries can be sent from a client (resolver) to a DNS server (a name server), or between two name servers.

A query is merely a request for records of a specified type with a specified name. For example, a query can request all host RRs with a particular name.

There are two types of queries that can be made to a DNS server:

- Recursive
- Iterative

A recursive query forces a DNS server to respond to a request with either a failure or a successful response. Resolvers typically make recursive queries. With a recursive query, the DNS server must contact any other DNS servers it needs to resolve the request. When it receives a successful response from the other DNS server(s), it then sends a response to the client. The recursive query is typical for a resolver querying a name server and for a name server querying its forwarder (another name server configured to handle requests forwarded to it).

When a DNS server processes a recursive query and the query cannot be resolved from local zone files, the query must be escalated to a root DNS server. Each standards-based implementation of DNS includes a cache file (or root server hints) that contains entries for the root servers of the Internet domains. The latest version of the named cache file can be downloaded from InterNIC at ftp://rs.internic.net/domain/named.cache.

An iterative query is one in which the name server is expected to provide the best information (also known as a referral if the server is not authoritative for the name) based on what the server knows from local zone files or from caching. If a name server doesn't have any information to answer the query, it simply sends a negative response. A non-forwarding DNS server makes this type of query as it tries to find names outside its local domain(s). It may have to query a number of outside DNS servers in an attempt to resolve the name.

38) What are the default/built-in groups in Windows Server 2003?

The default groups are:

Administrators
Users
Print Operators
Backup Operators
Terminal Services License group
Replicator
Guests
Remote Desktop Users

39) What is the ISTG? Who has that role by default?


Windows 2000 Domain controllers each create Active Directory Replication connection objects
representing inbound replication from intra-site replication partners. For inter-site replication,
one domain controller per site has the responsibility of evaluating the inter-site replication
topology and creating Active Directory Replication Connection objects for appropriate
bridgehead servers within its site. The domain controller in each site that owns this role is
referred to as the Inter-Site Topology Generator (ISTG).

40) You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?

DNS servers are not caching replies. Local client computers are not caching replies. The cache.dns file may have been corrupted on the server.

41) User logon process in Windows Server 2003.

Consider this Kerberos authentication process for logging on to a domain. At a Windows 2000 computer, the user presses Ctrl+Alt+Del and enters a user name, password, and domain name. The local Windows 2000 computer takes this information and converts the user's password into an encryption key so that timestamp information for the logon can be processed. The computer then sends the user name and encrypted timestamp information to a domain controller. The domain controller decrypts the password and checks Active Directory for the validity of the user name and password. If the user name and password are valid against the now encrypted timestamp, the domain controller makes two Kerberos V5 tickets using the user's password as an encryption key and then sends the two tickets back to the local computer where the user initiated the logon attempt. The two tickets are the following:

- Logon Session Key – This ticket contains the permissions that enable the user to have a logon session in the domain.
- Ticket-Granting Ticket – This ticket is used to obtain additional access tickets.

One of the more useful policies under the Computer Configuration setting is the loopback policy, which allows User Configuration policies to be applied to a computer.

42) What is the default size of NTDS.DIT in 2003 and 2008 Server

12 MB
