Q: What is Active Directory?
A: Active Directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996 and first used with Windows 2000. Active Directory (sometimes referred to as AD) performs a variety of functions, including providing information on objects, organizing these objects for easy retrieval and access, allowing access by end users and administrators, and allowing the administrator to set up security for the directory.
Q: What is LDAP?
A: LDAP, the Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server.
Q: I have set up a time server in my internal network. However, I still get an error message that the Windows Time Service was not able to find a Domain Controller.
A: Set the PDC emulator for the domain to sync with the new time source; the other DCs will sync with the PDC FSMO role holder and all the clients will sync with the authenticating DC.
Q: I have a GPO in AD that assigns a large application to Authenticated Users. This app is now installed on more than 150 computers; we have slow links to many sites and we don't have servers there. The question is how I can change from Authenticated Users to a special group without installing the software again. I have not tried this because I'm afraid it will take many days to recover if it fails. How are you deploying and assigning to users?
A: Using GP software distribution (GPSD) there are a number of ways to deploy applications. It might be best to create another group called "applicationx" and start adding your users to this group. Once all the members belong to this group you can remove Authenticated Users. If you have lots of users and slow links it might be best to publish rather than assign; this provides a more phased approach to users installing apps. Provided your users are happy to go to Control Panel to install, this might be better.
Q: Can I create a script for a GPO report?
A: There are pre-prepared scripts; you don't need to create them. There is a directory called "scripts" created in the installation; take a look in there.
Q: I currently have a mixed-mode topology and am running Exchange 5.5. I am planning the Exchange 2000 upgrade. Is it best to upgrade directly or install a separate 2000 server and migrate the mailboxes (swing method), and what are the pros and cons?
A: Upgrading directly is the easiest way to go, but it is often also considered the riskier of the two options. This method does not allow for extensive testing ahead of time, leading to potentially unknown pitfalls. In most cases in a production environment we recommend the swing method, installing the ADC. This will allow you to build a perfect world and migrate slowly and with less risk.
Q: Is it possible to change the name of the root domain after installation of ADS?
A: Not in Windows 2000 AD.
Q: What is the best process for changing the password for the admin account? This is the account that manages Exchange, the cluster and other services. Do I have to change the password option in each server and service?
A: If you mean you have a lot of services running under an account with a specific password, you will need to change the password and then go into each service in the Services applet to change the password there.
Q: How many domain controllers do I need, approximately, for 600 users?
A: You could actually use just 1 DC in your scenario. I would recommend 2 DCs for redundancy in case 1 DC goes down.
Q: What is the SYSVOL folder?
A: The SYSVOL folder stores the server's copy of the domain's public files. The contents of the SYSVOL folder, such as group policy, users etc., are replicated to all domain controllers in the domain. The SYSVOL folder must be located on an NTFS volume.
Q: What is the Global Catalog?
A: The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
Q: What is REPLMON? What is REPADMIN?
A: Replmon displays information about Active Directory replication. Repadmin.exe is a command-line utility designed to help administrators monitor, diagnose, and troubleshoot replication problems in Active Directory.
Q: What is NETDOM?
A: NETDOM is a utility in the Microsoft Windows NT Server 4.0 Resource Kit. NETDOM lets you build new trust relationships and reset existing trusts from the command line.
Q: What are sites? What are they used for?
A: A site is a grouping of machines based on a subnet of TCP/IP addresses. Generally this refers to a physical site, such as a portion of the organization in a particular city or part of a city, which is linked by leased lines or other media to other parts of the organization.
Q: What is the KCC (Knowledge Consistency Checker)?
A: A connection object is a connection that AD uses for replication. Connection objects are fault tolerant: when a communication link fails, AD will automatically reconfigure itself to use another route to continue replication. The process that creates connection objects is called the Knowledge Consistency Checker (KCC).
Q: What are the requirements for installing AD on a new server?
A: The following software and hardware requirements apply to a full installation or a Server Core installation of the Windows Server 2003 operating system:
§ Install Windows Server 2003.
§ Configure appropriate TCP/IP and Domain Name System (DNS) server addresses.
§ The drives that store the database, log files, and SYSVOL folder for Active Directory Domain Services (AD DS) must be placed on a local fixed volume. SYSVOL must be placed on a volume that is formatted with the NTFS file system. For security purposes, the Active Directory database and log files should be placed on a volume that is formatted with NTFS. Traditionally, the Active Directory database and log files are placed on disk drives that are physically local to the domain controller computer. As an option, you can place the Active Directory database and log files on a nonlocal storage device if the device appears to be "local" to the GetDriveType function that Dcpromo.exe uses and it does not have advanced rollback, undo, or snapshot features enabled. For more information about the GetDriveType function, see GetDriveType Function.
§ You must perform all backups and restores of AD DS, including rolling the contents of AD DS "back in time," by using system state backups that are created by supported backup application programming interfaces (APIs) and methods.
§ When you use an answer file to perform an unattended installation of AD DS, specify a [DCINSTALL] section in the answer file with appropriate parameters. For a list of entries for the [DCINSTALL] section of the answer file.
§ Verify that Adprep.exe operations are complete. Before you can add AD DS to a server that is running Windows Server 2008 in an existing Active Directory environment, you must prepare the environment by running Adprep.exe. For more information about running Adprep.exe.
§ Verify that a DNS infrastructure is in place. Before you add AD DS to create a domain or forest, be sure that a DNS infrastructure is in place on your network. When you install AD DS, you can include DNS server installation, if it is needed. When you create a new domain, a DNS delegation is created automatically during the installation process.
Q: How can you forcibly remove AD from a server?
A: Demote the DC by running DCPromo with the /forceremoval switch.
Q: What are the FSMO roles?
A: In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
Schema Master: The schema master domain controller controls all updates and modifications to the schema.
Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest.
Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced.
Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain.
PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol.
Q: How do you back up Active Directory?
A: Take a system state data backup. This will back up the Active Directory database. Microsoft recommends only a full backup of the system state database.
Q: What hidden shares exist on a Windows Server 2003 installation?
A: Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
Q: What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations?
A: The standalone server stores the DFS directory tree structure, or topology, locally. Thus, if a shared folder is inaccessible or if the DFS root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the DFS topology in Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
Q: We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box.
A: Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
Q: Where exactly do fault-tolerant DFS shares store information in Active Directory?
A: In the Partition Knowledge Table, which is then replicated to other domain controllers.
Q: Is Kerberos encryption symmetric or asymmetric?
A: Symmetric.
Q: How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line?
A: A time stamp is attached to the initial client request, encrypted with the shared key.
Q: What hashing algorithms are used in Windows 2003 Server?
A: RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
Q: What third-party certificate exchange protocols are used by Windows 2003 Server?
A: Windows Server 2003 uses the industry-standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
Q: What's the number of permitted unsuccessful logons on the Administrator account?
A: Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
Q: If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1?
A: A cracker would launch a dictionary attack by hashing every imaginable term used for passwords and then comparing the hashes.
Q: What's the difference between guest accounts in Server 2003 and other editions?
A: More restrictive in Windows Server 2003.
Q: How many passwords by default are remembered when you check "Enforce Password History Remembered"?
A: The user's last 6 passwords.
Q: What's new in Windows Server 2003 regarding DNS management?
A: When DC promotion occurs within an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.
Q: When should you create a forest?
A: Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures; while access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
Q: If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same?
A: No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.
Q: What's the difference between a basic disk and a dynamic disk?
A: The basic type contains partitions, extended partitions, logical drives, and an assortment of static volumes; the dynamic type does not use partitions but dynamically manages volumes and provides advanced storage options.
Q: How do you install the Recovery Console?
A: C:\i386\winnt32 /cmdcons, assuming that your Windows server installation is on drive C.
Q: What's new in Terminal Services for Windows 2003 Server?
A: It supports audio transmission as well, although prepare for heavy network load.
Q: Why is paging used?
A: Paging is a solution to the external fragmentation problem: it permits the logical address space of a process to be noncontiguous, thus allowing a process to be allocated physical memory wherever the latter is available.
Q: What is virtual memory?
A: Virtual memory is a hardware technique where the system appears to have more memory than it actually does. This is done by time-sharing the physical memory and storing parts of memory on disk when they are not actively being used.
Q: What is a context switch?
A: Switching the CPU to another process requires saving the state of the old process and loading the saved state for the new process. This task is known as a context switch. Context-switch time is pure overhead, because the system does no useful work while switching. Its speed varies from machine to machine, depending on the memory speed, the number of registers which must be copied, and the existence of special instructions (such as a single instruction to load or store all registers).
Q: What is cache memory?
A: Cache memory is random access memory (RAM) that a computer microprocessor can access more quickly than it can access regular RAM. As the microprocessor processes data, it looks first in the cache memory and if it finds the data there (from a previous reading of data), it does not have to do the more time-consuming reading of data from larger memory.
Q: Can I change my password if my machine's connectivity to the DC that holds the PDC emulator role has failed?
A: No, you can't change the password.
Q: What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
A: SMTP - 25, POP3 - 110, IMAP4 - 143, RPC - 135, LDAP - 389, Global Catalog - 3268.
Q: I have been asked: if there is a set of 30 hard disks configured for RAID 5 and two hard disks fail, what about the data?
A: It depends how you configured your RAID: RAID 5 only, or with a spare. If it's RAID 5 only, then if 2 HDDs go, your RAID is gone.
Q: How can I deploy the latest patches to a PC through Group Policy without having admin rights on the PC?
A: You can publish or assign MSI packages or ZAP files. They are the only two valid file formats allowable when using "IntelliMirror" in Active Directory.
Q: How can I resolve the server name through nslookup?
A: The nslookup command will let you know through which server you are getting routed.
Q: Where do you place a DHCP relay agent?
A: The DHCP relay agent needs to be placed on the software router.
Q: What is a forest?
A: A forest is a collection of trees. A tree is nothing but a collection of domains sharing the same namespace.
Q: What are the types of DNS zones?
A: In Windows 2000 there are mainly 3 zone types: (i) Standard Primary: zone information is written to a text file; (ii) Standard Secondary: a copy of the primary; (iii) Active Directory Integrated: information is stored in Active Directory. In Win2k3 one more zone type is added, the Stub zone. A stub is like a secondary but it contains only a copy of the SOA records, a copy of the NS records, and a copy of the A records for that zone, with no copy of MX, SRV records etc. With a stub zone, DNS traffic will be low.
Q: What are the contents of a System State backup?
A: The contents are: (a) boot files and system files; (b) Active Directory (if done on a DC); (c) the Sysvol folder (if done on a DC); (d) Certificate Services (on a CA server); (e) cluster database (on a cluster server); registry; (f) performance counter configuration information; (g) Component Services class registration database.
Q: How can I delete a failed Domain Controller object from Active Directory?
A: You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, and Active Directory Users and Computers. Also, make sure that you use an account that is a member of the Enterprise Admins universal group.
Q: A company decides to enter into a joint venture with one of its vendors. This venture will result in the creation of a third company that will require its own Internet presence. Systems administration duties for the new company will be shared equally by the parent company and the vendor. The parent company and the vendor currently have separate Active Directory forests. Which modifications should you make to Active Directory to support the joint venture requirements?
A: Create a new tree for the new company. Create this tree in the parent company's forest.
Q: How do you create a Printers container in Active Directory?
A: To create a Printers container in which to list your printers in Active Directory:
1. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
2. Expand Domain NC [Domain Name], and then click DC=Domain, DC=com.
3. On the Action menu, point to New, and then click Object.
4. In the Select a class box, click container, and then click Next.
5. In the Value box, type Printers, and then click Next.
6. Click Finish. A CN=Printers container appears in the right pane of ADSI Edit.
7. Right-click CN=Printers, and then click Properties.
8. Click the Attributes tab.
9. In the Select a property to view box, click showInAdvancedViewOnly, and then click Clear.
10. In the Edit Attribute box, type false, click Set, and then click OK.
11. Quit ADSI Edit.
12. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. The Printers container that you created appears in the list of directory objects.
13. On the View menu, click Advanced Features.
14. On the View menu, click Users, Groups, and Computers as containers.
15. Move the printers that you want to the Printers container.
16. Quit Active Directory Users and Computers.
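The same procedure as a script, added here as an example (not part of the original page): it creates the CN=Printers container at the domain root, clears showInAdvancedViewOnly so the container shows in Active Directory Users and Computers, and moves published print queues into it. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host and an account permitted to create objects at the domain root; the domain DN is read from the directory rather than typed in.

```powershell
# Added example: scripted equivalent of the ADSI Edit steps above.
# Assumes RSAT ActiveDirectory module and rights to create objects at the domain root.
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName      # e.g. DC=domain,DC=com (step 2)
$printersDn = "CN=Printers,$domainDn"

# Steps 1-6: create the container object at the domain root, but only once.
$container = Get-ADObject -Filter "distinguishedName -eq '$printersDn'" `
    -ErrorAction SilentlyContinue
if (-not $container) {
    # showInAdvancedViewOnly = $false replaces steps 7-10 (ADUC lists it without
    # "Advanced Features" being turned on).
    New-ADObject -Name 'Printers' -Type 'container' -Path $domainDn `
        -OtherAttributes @{ showInAdvancedViewOnly = $false }
}
else {
    # Container already exists: make sure the attribute is cleared (steps 7-10).
    Set-ADObject -Identity $printersDn -Replace @{ showInAdvancedViewOnly = $false }
}

# Step 15: move every published print queue (printQueue objects) that does not
# already live under CN=Printers.  Print queues are normally published beneath
# their print server's computer object, so search the whole domain.
Get-ADObject -LDAPFilter '(objectClass=printQueue)' -SearchBase $domainDn |
    Where-Object { $_.DistinguishedName -notlike "*,$printersDn" } |
    ForEach-Object {
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $printersDn
    }

# Verification: attribute state and number of queues now under the container.
Get-ADObject -Identity $printersDn -Properties showInAdvancedViewOnly |
    Select-Object Name, showInAdvancedViewOnly
$moved = Get-ADObject -LDAPFilter '(objectClass=printQueue)' `
    -SearchBase $printersDn -SearchScope OneLevel
"Print queues under $printersDn : $(@($moved).Count)"
```

Run it once from an elevated RSAT session; re-running is safe because the container is created only if absent and already-moved queues are skipped.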
Q: How many users are logged on/connected to a server?
A: On the server's console itself, with native commands only:
NET SESSION | FIND /C "\\"
Remotely, with the help of SysInternals' PsTools:
PSEXEC \\servername NET SESSION | FIND /C "\\"
Q: When did someone last change his password?
A: With the native NET command: NET USER loginname /DOMAIN | FIND /I "Password last set"
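The NET USER check answers the question for one account. As an added example (not part of the original page), the script below extends it to the whole domain with the ActiveDirectory module: it reports PasswordLastSet for every enabled user and flags passwords older than a threshold, accounts set to never expire, and accounts that must change their password at next logon. The 90-day threshold and the output path are assumptions; read-only against the directory.

```powershell
# Added example: domain-wide "password last set" audit.
# Assumes RSAT ActiveDirectory module; the 90-day threshold is an assumption.
Import-Module ActiveDirectory

$maxAgeDays = 90
$now        = Get-Date
$cutoff     = $now.AddDays(-$maxAgeDays)

# PasswordLastSet is the friendly DateTime; raw pwdLastSet = 0 means the
# password was never set or "user must change password at next logon".
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, pwdLastSet

$report = foreach ($u in $users) {
    $ageDays = if ($u.PasswordLastSet) {
        [int]($now - $u.PasswordLastSet).TotalDays
    } else { $null }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        PasswordLastSet      = $u.PasswordLastSet
        AgeDays              = $ageDays
        PasswordNeverExpires = [bool]$u.PasswordNeverExpires
        MustChangeAtLogon    = ($u.pwdLastSet -eq 0)
        Stale                = [bool]($u.PasswordLastSet -and $u.PasswordLastSet -lt $cutoff)
    }
}

# Review list: never-expiring or stale passwords first, oldest at the top.
$report |
    Where-Object { $_.PasswordNeverExpires -or $_.Stale } |
    Sort-Object AgeDays -Descending |
    Format-Table SamAccountName, PasswordLastSet, AgeDays,
                 PasswordNeverExpires, MustChangeAtLogon, Stale -AutoSize

# Summary counts for the record.
"Enabled users:          $(@($report).Count)"
"Stale (> $maxAgeDays days): $(@($report | Where-Object Stale).Count)"
"Never expires:          $(@($report | Where-Object PasswordNeverExpires).Count)"

# Full report to CSV (assumed path; change as needed).
$report | Export-Csv -Path .\password-age-report.csv -NoTypeInformation
```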
Q: You are the administrator of your company's network. Your company has its main office in Seattle and branch offices in London, Paris, and Rio de Janeiro. The local admin at each branch office must be able to control users and local resources. You want to prevent the local administrators from controlling resources in branch offices other than their own. You want to create an Active Directory structure to accomplish these goals. What should you do?
A: Create child OUs for each office. Delegate control of each OU to the local administrators at each office.
Q: You are installing a new Windows 2000 Server computer on your existing Windows NT network. You run DCPromo.exe to promote the server to a domain controller in a domain named domain.local. You receive the following error message: "The domain name specified is already in use on the network". There are no other Windows 2000 domains on your network. What should you do?
A: Change the down-level domain name to domain1.
Q: You are the administrator of your company's network. The company has two native-mode domains in six sites. Each site has one or more domain controllers. Users report that at times of high network usage, authentication and directory searches are extremely slow. You want to improve network performance. What should you do?
A: Designate a domain controller in each site as a global catalog server.
Q: You are the administrator of a Windows 2000 network. The network is composed of four domains named arborshoes.com, na.arborshoes.com, sa.arborshoes.com, and fabrikam.com. The root of the forest is arborshoes.com. There are two Windows NT BDCs in each domain. Graphic artists place finished artwork for Fabrikam, Inc., in a shared folder located on a domain controller named bna01.fabrikam.com. Read and Write permissions are granted to the Artists domain local group in the fabrikam.com domain. Sharon is a member of the Graphic Artists global distribution group in the na.arborshoes.com domain. She is unable to gain access to the shared folder. You want to allow Sharon access to the shared folder. What should you do?
A: Change the Graphic Artists group type to Security and add it to the Artists domain local group.
Q: You are the administrator of a Windows 2000 domain. The domain is in native mode. The domain contains 15 Windows 2000 Server computers that are functioning as domain controllers and 1,500 Windows NT Workstation client computers. During a power outage, the first domain controller that you installed suffers a catastrophic hardware failure and will not restart. After the power outage, users report that password changes do not take effect for several hours. In addition, users are not able to log on or connect to resources by using their new passwords. What should you do to correct this problem?
A: Using the Ntdsutil utility, connect to another domain controller and seize the PDC emulator role.
Q: Which FSMO role takes care of user-to-group references in a Domain Controller?
A: Infrastructure Master
Q: At which point during the startup/logon sequence is the group policy for the user processed?
A: The group policy for the user is applied after the user logs on but before the user's desktop appears.
Q: A domain local group can contain which of the following?
A: Users from any domain in the forest
Q: What resources are published to Active Directory by default?
A: Users, Groups, Computers
Q: Which resource must be manually published in Active Directory?
A: Shared Folder
Q: You are the administrator of a domain named wipro.com. The domain contains an OU named Sales that has 20 users. In the Active Directory Users and Computers console on a domain controller named DC1, you inadvertently delete the Sales OU. You want to reinstate the Sales OU. What should you do?
A: Perform an authoritative restore of the Sales OU from the last backup.
Q: Which FSMO role takes care of modifications to the schema on a Domain Controller?
A: Schema Master
Q: How many global catalog servers can you have in a forest?
A: Any number
Q: You have accidentally deleted an organizational unit from your Windows 2003 domain and wish to perform an authoritative restore for the organizational unit. Which tool do you use to mark the deleted organizational unit as authoritative during the restore process?
A: NTDSUTIL
Q: What is the criterion for implementing multiple sites in Windows 2003?
A: Bandwidth availability
Q: Which FSMO role takes care of the creation of RID pools?
A: RID Master
Q: When you run DCPromo.exe to install a new child domain, you receive an error message stating that the existing domain cannot be contacted. Installation of the new child domain will not proceed. What should you do to correct this problem?
A: Configure the new domain controller with the address of an authoritative DNS server for the existing domain.
Q: What is the minimum disk space required to install Active Directory?
A: 200 MB for AD + 50 MB for log files
Q: You are the administrator of your company. Your company has its main office in Bangalore and branch offices in Delhi and Mumbai. The local admin at each branch office must be able to control users and local resources. You want to prevent the local administrators from controlling resources in branch offices other than their own. You want to create an Active Directory structure to accomplish these goals. What should you do?
A: Create child OUs for each office. Delegate control of each OU to the local administrators at each office.
Q: You are installing a new Windows 2003 Server computer on your existing Windows 2000 network. You run DCPromo.exe to promote the server to a domain controller in a domain named domain.local. You receive the following error message: "The domain name specified is already in use on the network". There are no other Windows 2000