INTERVIEW QUESTIONS FOR WINDOWS DOMAIN

Q: What is Active Directory?
A: Active Directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996 and first used with Windows 2000. Active Directory (sometimes referred to as AD) performs a variety of functions, including providing information on objects, organizing these objects for easy retrieval and access, allowing access by end users and administrators, and allowing the administrator to set up security for the directory.

Q: What is LDAP?
A: LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server.

Q: I have set up a time server in my internal network. However, I still get an error message that the Windows Time Service was not able to find a Domain Controller.
A: Set the PDC emulator for the domain to sync with the new time source. The other DCs will sync with the PDC FSMO, and all the clients will sync with the authenticating DC.

Q: I have a GPO in AD that assigns a large application to Authenticated Users. This app is now installed on more than 150 computers. We have slow links to many sites and we don't have servers there. How can I change from Authenticated Users to a special group without installing the software again? I have not tried this because I'm afraid it will take many days to recover if it fails. How are you deploying and assigning to users?
A: Using GP software distribution (GPSD) there are a number of ways to deploy applications. It might be best to create another group called "applicationx" and start adding your users to it. Once all the members belong to this group you can remove Authenticated Users. If you have lots of users and slow links it might be best to publish rather than assign. This provides a more phased approach to users installing apps. Provided your users are happy to go to Control Panel to install, this might be better.

Q: Can I create a script for a GPO report?
A: There are pre-prepared scripts; you don't need to create them. There is a directory called Scripts created in the installation; take a look in there.

Q: I currently have a mixed-mode topology and am running Exchange 5.5. I am planning the Exchange 2000 upgrade. Is it best to upgrade directly or to install a separate 2000 server and migrate the mailboxes (swing method), and what are the pros and cons?
A: Upgrading directly is the easiest way to go, but it is often also considered the riskier of the two options. This method does not allow for extensive testing ahead of time, thereby leading to potentially unknown pitfalls. We recommend in most cases in a production environment to use the swing method by installing the ADC. This will allow you to build a perfect world and migrate slowly and with less risk.

Q: Is it possible to change the name of the root domain after installation of ADS?
A: Not in Windows 2000 AD.

Q: What is the best process for changing the password for admin? This is for the account that manages Exchange, the cluster and other services. Do I have to change the password option in each server and service?
A: If you mean you have a lot of services that are running under an account with a specific password, you will need to change the password and then go into each service in the Services applet to change the password there.

Q: How many Domain Controllers do I need, approximately, for 600 users?
A: You could actually use just 1 DC in your scenario. I would recommend 2 DCs for redundancy in case 1 DC goes down.

Q: What is the SYSVOL folder?
A: The SYSVOL folder stores the server's copy of the domain's public files. The contents of the SYSVOL folder, such as group policy, users etc., are replicated to all domain controllers in the domain. The SYSVOL folder must be located on an NTFS volume.
Q: What is the Global Catalog?
A: The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

Q: What is REPLMON? What is REPADMIN?
A: Replmon displays information about Active Directory replication. Repadmin.exe is a command-line utility that is designed to help administrators monitor, diagnose, and troubleshoot replication problems in Active Directory.

Q: What is NETDOM?
A: NETDOM is a utility in the Microsoft Windows NT Server 4.0 Resource Kit. NETDOM lets you build new trust relationships and reset existing trusts from the command line.

Q: What are sites? What are they used for?
A: A site is a grouping of machines based on a subnet of TCP/IP addresses. Generally this refers to a physical site, such as a portion of the organization in a particular city or part of a city, which is linked by leased lines or other media to other parts of the organization.

Q: What is the KCC (Knowledge Consistency Checker)?
A: A connection object is a connection that AD uses for replication. Connection objects are fault tolerant: when a communication link fails, AD will automatically reconfigure itself to use another route to continue replication. The process that creates connection objects is called the Knowledge Consistency Checker (KCC).

Q: What are the requirements for installing AD on a new server?
A: The following software and hardware requirements apply to a full installation or a Server Core installation of the Windows Server 2003 operating system:

Install Windows Server 2003. Configure appropriate TCP/IP and Domain Name System (DNS) server addresses.

The drives that store the database, log files, and SYSVOL folder for Active Directory Domain Services (AD DS) must be placed on a local fixed volume. SYSVOL must be placed on a volume that is formatted with the NTFS file system. For security purposes, the Active Directory database and log files should be placed on a volume that is formatted with NTFS.

Traditionally, the Active Directory database and log files are placed on disk drives that are physically local to the domain controller computer. As an option, you can place the Active Directory database and log files on a nonlocal storage device if the device appears to be "local" to the GetDriveType function that Dcpromo.exe uses and it does not have advanced rollback, undo, or snapshot features enabled. For more information about the GetDriveType function, see GetDriveType Function.

You must perform all backups and restores of AD DS, including rolling the contents of AD DS "back in time," by using system state backups that are created by supported backup application programming interfaces (APIs) and methods.

When you use an answer file to perform an unattended installation of AD DS, specify a [DCINSTALL] section in the answer file with appropriate parameters. For a list of entries for the [DCINSTALL] section of the answer file.

Verify that Adprep.exe operations are complete. Before you can add AD DS to a server that is running Windows Server 2008 in an existing Active Directory environment, you must prepare the environment by running Adprep.exe. For more information about running Adprep.exe.

Verify that a DNS infrastructure is in place. Before you add AD DS to create a domain or forest, be sure that a DNS infrastructure is in place on your network. When you install AD DS, you can include DNS server installation, if it is needed. When you create a new domain, a DNS delegation is created automatically during the installation process.

Q: How can you forcibly remove AD from a server?
A: Demote the DC by running DCPromo with the /forceremoval switch.
Q: What are the FSMO roles?
A: In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
Schema Master: The schema master domain controller controls all updates and modifications to the schema.
Domain Naming Master: The domain naming master domain controller controls the addition or removal of domains in the forest.
Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced.
Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain.
PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol.

Q: How do you back up Active Directory?
A: Take the system state data backup. This will back up the Active Directory database. Microsoft recommends only a full backup of the system state database.

Q: What hidden shares exist on a Windows Server 2003 installation?
A: Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

Q: What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations?
A: The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.

Q: We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box.
A: Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.

Q: Where exactly do fault-tolerant DFS shares store information in Active Directory?
A: In the Partition Knowledge Table, which is then replicated to other domain controllers.

Q: Is Kerberos encryption symmetric or asymmetric?
A: Symmetric.

Q: How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line?
A: A time stamp is attached to the initial client request, encrypted with the shared key.

Q: What hashing algorithms are used in Windows 2003 Server?
A: RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.

Q: What third-party certificate exchange protocols are used by Windows 2003 Server?
A: Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.

Q: What's the number of permitted unsuccessful logons on the Administrator account?
A: Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.

Q: If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1?
A: A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then comparing the hashes.

Q: What's the difference between guest accounts in Server 2003 and other editions?
A: More restrictive in Windows Server 2003.

Q: How many passwords by default are remembered when you check "Enforce Password History Remembered"?
A: The user's last 6 passwords.
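The time-stamp answer above (and the W32Time/Kerberos note under the PDC Emulator role) is easiest to understand as the check the KDC performs on a pre-authentication timestamp. The block below is an added Python illustration, not code from the original question list and not Kerberos' real message format: an HMAC under the shared key stands in for the encryption Kerberos uses, and the verifier shows the three rejections that matter, a wrong key, a timestamp outside the five-minute skew window, and a replayed request.

```python
import hashlib
import hmac
import struct

SKEW_SECONDS = 300  # Kerberos' default allowable clock skew is five minutes


def seal_timestamp(shared_key, client_time):
    """Client side: bind the timestamp to the shared key.

    Kerberos encrypts the timestamp with the key derived from the user's
    password; an HMAC over it is used here as a stand-in so the example
    stays within the standard library. Output: 8-byte timestamp + 32-byte tag.
    """
    ts = struct.pack(">Q", client_time)
    tag = hmac.new(shared_key, ts, hashlib.sha256).digest()
    return ts + tag


class TimestampVerifier:
    """KDC side: accept a timestamp only if it is authentic, fresh and unseen."""

    def __init__(self, shared_key):
        self.key = shared_key
        self.seen = set()  # replay cache of (client_time, blob) already accepted

    def verify(self, blob, server_time):
        if len(blob) != 8 + hashlib.sha256().digest_size:
            return "malformed"
        ts, tag = blob[:8], blob[8:]
        expected = hmac.new(self.key, ts, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad key"  # wrong shared secret, or the timestamp was altered
        (client_time,) = struct.unpack(">Q", ts)
        if abs(client_time - server_time) > SKEW_SECONDS:
            return "clock skew"  # stale capture, or a client clock that is not synced
        # Entries older than the skew window can never pass again; drop them so the
        # cache stays bounded.
        self.seen = {(t, b) for (t, b) in self.seen if server_time - t <= SKEW_SECONDS}
        if (client_time, blob) in self.seen:
            return "replay"  # same sealed timestamp presented twice inside the window
        self.seen.add((client_time, blob))
        return "ok"


if __name__ == "__main__":
    key = b"constructed-shared-key"
    kdc = TimestampVerifier(key)
    first = seal_timestamp(key, 1_000_000)
    print(kdc.verify(first, 1_000_010))                            # ok
    print(kdc.verify(first, 1_000_020))                            # replay
    print(kdc.verify(seal_timestamp(key, 1_000_000), 1_000_400))   # clock skew
    print(kdc.verify(seal_timestamp(b"other", 1_000_000), 1_000_000))  # bad key
```

The skew check is why the PDC emulator's time source matters: a client whose clock drifts more than the window is refused exactly as a replayed capture would be.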
Q: What's new in Windows Server 2003 regarding DNS management?
A: When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register its DC locator DNS records in DNS. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.

Q: When should you create a forest?
A: Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures; while access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

Q: If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same?
A: No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.

Q: What's the difference between a basic disk and a dynamic disk?
A: The basic type contains partitions, extended partitions, logical drives, and an assortment of static volumes; the dynamic type does not use partitions but dynamically manages volumes and provides advanced storage options.

Q: How do you install the Recovery Console?
A: C:\i386\winnt32 /cmdcons, assuming that your Windows server installation is on drive C.

Q: What's new in Terminal Services for Windows 2003 Server?
A: It supports audio transmissions as well, although prepare for heavy network load.
Q: Why is paging used?
A: Paging is a solution to the external fragmentation problem: it permits the logical address space of a process to be noncontiguous, thus allowing a process to be allocated physical memory wherever the latter is available.

Q: What is virtual memory?
A: Virtual memory is a hardware technique where the system appears to have more memory than it actually does. This is done by time-sharing the physical memory and storing parts of the memory on disk when they are not actively being used.

Q: What is a context switch?
A: Switching the CPU to another process requires saving the state of the old process and loading the saved state for the new process. This task is known as a context switch. Context-switch time is pure overhead, because the system does no useful work while switching. Its speed varies from machine to machine, depending on the memory speed, the number of registers which must be copied, and the existence of special instructions (such as a single instruction to load or store all registers).

Q: What is cache memory?
A: Cache memory is random access memory (RAM) that a computer microprocessor can access more quickly than it can access regular RAM. As the microprocessor processes data, it looks first in the cache memory and if it finds the data there (from a previous reading of data), it does not have to do the more time-consuming reading of data from larger memory.

Q: Can I change my password if my machine's connectivity to the DC that holds the PDC emulator role has failed?
A: No, you can't change the password.

Q: What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
A: SMTP - 25, POP3 - 110, IMAP4 - 143, RPC - 135, LDAP - 389, Global Catalog - 3268.

Q: I have been asked: if there is a set of 30 hard disks configured for RAID 5 and two hard disks fail, what about the data?
A: It depends on how you configured your RAID: only RAID 5, or RAID 5 with a spare. If it's only RAID 5, then if 2 HDDs go, your RAID is gone.

Q: How can I deploy the latest patches to a PC through Group Policy without having admin rights on the PC?
A: You can publish or assign MSI packages or ZAP files. They are the only two valid file formats allowed when using IntelliMirror in Active Directory.

Q: How can I resolve the server name through Nslookup?
A: The Nslookup command will let you know through which server you are getting routed.

Q: Where do you place a DHCP relay agent?
A: The DHCP relay agent needs to be placed in the software router.

Q: What is a forest?
A: A forest is a collection of trees. A tree is a collection of domains which share the same namespace.

Q: What are the different DNS zone types?
A: In Windows 2000 there are mainly 3 zones: (i) Standard Primary: zone information is written in a text file; (ii) Standard Secondary: a copy of the Primary; (iii) Active Directory Integrated: information is stored in Active Directory. In Windows 2003 one more zone is added, the Stub zone. A Stub zone is like a secondary but contains only a copy of the SOA records, a copy of the NS records and a copy of the A records for that zone; no copy of the MX, SRV records etc. With the Stub zone, DNS traffic will be low.

Q: What are the contents of a System State backup?
A: The contents are: (a) boot files, system files; (b) Active Directory (if done on a DC); (c) SYSVOL folder (if done on a DC); (d) Certificate Services (on a CA server); (e) cluster database (on a cluster server); registry; (f) performance counter configuration information; (g) Component Services class registration database.

Q: How can I delete a failed Domain Controller object from Active Directory?
A: You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers. Also, make sure that you use an account that is a member of the Enterprise Admins universal group.

Q: A company decides to enter into a joint venture with one of its vendors. This venture will result in the creation of a third company that will require its own Internet presence. Systems administration duties for the new company will be shared equally by the parent company and the vendor. The parent company and the vendor currently have separate Active Directory forests. Which modifications should you make to Active Directory to support the joint venture requirements?
A: Create a new tree for the new company. Create this tree in the parent company's forest.

Q: How do you create a Printers container in Active Directory?
A: To create a Printers container in which to list your printers in Active Directory:
1. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
2. Expand Domain NC [Domain Name], and then click DC=Domain, DC=com.
3. On the Action menu, point to New, and then click Object.
4. In the Select a class box, click container, and then click Next.
5. In the Value box, type Printers, and then click Next.
6. Click Finish. A CN=Printers container appears in the right pane of ADSI Edit.
7. Right-click CN=Printers, and then click Properties.
8. Click the Attributes tab.
9. In the Select a property to view box, click showInAdvancedViewOnly, and then click Clear.
10. In the Edit Attribute box, type false, click Set, and then click OK.
11. Quit ADSI Edit.
12. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. The Printers container that you created appears in the list of directory objects.
13. On the View menu, click Advanced Features.
14. On the View menu, click Users, Groups, and Computers as containers.
15. Move the printers that you want to the Printers container.
16. Quit Active Directory Users and Computers.
Q: How many users are logged on/connected to a server?
A: On the server's console itself, with native commands only:
NET SESSION | FIND /C "\\"
Remotely, with the help of SysInternals' PsTools:
PSEXEC \\servername NET SESSION | FIND /C "\\"

Q: When did someone last change his password?
A: With the native NET command:
NET USER loginname /DOMAIN | FIND /I "Password last set"

Q: "I need an up-to-date list of disk space usage for all servers, on my desk in 5 minutes."
A: With Windows Server 2003 commands, in a batch file that reads one server name per line from servers.txt (the %%A form is the batch-file syntax; use %A if typed at a prompt):
FOR /F %%A IN (servers.txt) DO (
    WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:CSV | MORE /E +2 >> SRVSPACE.CSV
)
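The SRVSPACE.CSV that the loop above accumulates still has to become the list the request asks for. The Python post-processor below is an added example, not part of the original question set; it assumes the column order the WMIC command emits (WMIC prepends Node to the requested columns) and works on constructed sample rows, and it also tolerates a surviving header line and the stray carriage returns WMIC leaves in its CSV output.

```python
# Added example: summarise the SRVSPACE.CSV written by the WMIC loop.
COLUMNS = ["Node", "DeviceID", "FileSystem", "FreeSpace", "Size"]  # WMIC prepends Node

# Constructed sample of SRVSPACE.CSV (not real output). MORE /E +2 strips the blank
# line and header WMIC emits for each server, but the parser still skips header rows
# in case the loop is run without it. WMIC terminates CSV lines with \r\r\n, which
# splitlines() turns into empty strings; those are skipped too.
SAMPLE_SRVSPACE = (
    "Node,DeviceID,FileSystem,FreeSpace,Size\r\r\n"
    "SRV01,C:,NTFS,5368709120,42949672960\r\r\n"
    "SRV01,D:,NTFS,107374182400,214748364800\r\r\n"
    "SRV02,C:,NTFS,1073741824,42949672960\r\r\n"
    "SRV02,E:,FAT32,0,1073741824\r\r\n"
    "SRV03,C:,NTFS,,42949672960\r\r\n"  # FreeSpace empty: WMIC could not read it
)


def parse_srvspace(text):
    """Return one dict per volume: node, drive, fs, free, size (bytes, or None)."""
    volumes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(",")
        if parts == COLUMNS:
            continue  # header row that was not stripped
        if len(parts) != len(COLUMNS):
            raise ValueError("unexpected column count: %r" % line)
        node, drive, fs, free, size = parts
        volumes.append({
            "node": node, "drive": drive, "fs": fs,
            "free": int(free) if free else None,
            "size": int(size) if size else None,
        })
    return volumes


def low_space(volumes, min_free_pct=10.0):
    """Return (node, drive, pct_free) for volumes under the threshold.

    Volumes whose numbers are missing are returned with pct_free None, so a
    volume the tool could not read is not silently left off the report.
    """
    flagged = []
    for v in volumes:
        if v["free"] is None or not v["size"]:
            flagged.append((v["node"], v["drive"], None))
            continue
        pct = 100.0 * v["free"] / v["size"]
        if pct < min_free_pct:
            flagged.append((v["node"], v["drive"], round(pct, 1)))
    return flagged


def report(text, min_free_pct=10.0):
    """One summary line per server, then one line per flagged volume."""
    volumes = parse_srvspace(text)
    lines = []
    for node in sorted({v["node"] for v in volumes}):
        mine = [v for v in volumes if v["node"] == node]
        total = sum(v["size"] or 0 for v in mine)
        free = sum(v["free"] or 0 for v in mine)
        lines.append("%-8s total %7.1f GB  free %7.1f GB"
                     % (node, total / 2 ** 30, free / 2 ** 30))
    for node, drive, pct in low_space(volumes, min_free_pct):
        shown = "?" if pct is None else "%.1f" % pct
        lines.append("  LOW: %s %s (%s%% free)" % (node, drive, shown))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SRVSPACE))
```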
Q: What is the difference between Windows 2003 Standard Edition and Windows 2003 Enterprise Edition?
A: Features compared in the table (columns: Standard Ed, Enterprise Ed):
Clustering (server clusters)
Active Directory Federation Services
ADFS Proxy
Microsoft Identity Integration Server 2003 (MIIS) support
8-way symmetric multiprocessing (SMP) support
Support for 32 GB of RAM
Support for 64 GB of RAM
Hot Add Memory
Terminal Server Session Directory
Virtualized OS instances with license: Enterprise Edition
Non-Uniform Memory Access (NUMA)
Q: You are the administrator of your company's network. Your company has its main office in Seattle and branch offices in London, Paris, and Rio de Janeiro. The local admin at each branch office must be able to control users and local resources. You want to prevent the local administrators from controlling resources in branch offices other than their own. You want to create an Active Directory structure to accomplish these goals. What should you do?
A: Create child OUs for each office. Delegate control of each OU to the local administrators at each office.
Q: You are installing a new Windows 2000 Server computer on your existing Windows NT network. You run DCPromo.exe to promote the server to a domain controller in a domain named domain.local. You receive the following error message: "The domain name specified is already in use on the network". There are no other Windows 2000 domains on your network. What should you do?
A: Change the down-level domain name to domain1.

Q: You are the administrator of your company's network. The company has two native-mode domains in six sites. Each site has one or more domain controllers. Users report that at times of high network usage, authentication and directory searches are extremely slow. You want to improve network performance. What should you do?
A: Designate a domain controller in each site as a global catalog server.

Q: You are the administrator of a Windows 2000 network. The network is composed of four domains named arborshoes.com, na.arborshoes.com, sa.arborshoes.com, and fabrikam.com. The root of the forest is arborshoes.com. There are two Windows NT BDCs in each domain. Graphic artists place finished artwork for Fabrikam, Inc., in a shared folder located on a domain controller named bna01.fabrikam.com. Read and Write permissions are granted to the Artists Domain Local group in the fabrikam.com domain. Sharon is a member of the Graphic Artists global distribution group in the na.arborshoes.com domain. She is unable to gain access to the shared folder. You want to allow Sharon access to the shared folder. What should you do?
A: Change the Graphic Artists group type to Security and add it to the Artists Domain Local group.

Q: You are the administrator of a Windows 2000 domain. The domain is in native mode. The domain contains 15 Windows 2000 Server computers that are functioning as domain controllers and 1,500 Windows NT Workstation client computers. During a power outage, the first domain controller that you installed suffers a catastrophic hardware failure and will not restart. After the power outage, users report that password changes do not take effect for several hours. In addition, users are not able to log on or connect to resources by using their new passwords. What should you do to correct this problem?
A: Using the Ntdsutil utility, connect to another domain controller and seize the PDC emulator role.

Q: Which FSMO role takes care of user-to-group references in a Domain Controller?
A: Infrastructure Master.

Q: At which point during the startup/logon sequence is the group policy for the user processed?
A: The group policy for the user is applied after the user logs on but before the user's desktop appears.

Q: A domain local group can contain which of the following?
A: Users from any domain in the forest.

Q: What resources are published to Active Directory by default?
A: Users, Groups, Computers.

Q: Which resource has to be manually published in Active Directory?
A: Shared Folder.

Q: You are the administrator of a domain named wipro.com. The domain contains an OU named Sales that has 20 users. In the Active Directory Users and Computers console on a domain controller named DC1, you inadvertently delete the Sales OU. You want to reinstate the Sales OU. What should you do?
A: Perform an authoritative restore of the Sales OU from the last backup.

Q: Which FSMO role takes care of modifications to the schema on a Domain Controller?
A: Schema Master.

Q: How many global catalog servers can you have in a forest?
A: Any number.
Q: You have accidentally deleted an organizational unit from your Windows 2003 domain and wish to perform an authoritative restore for the organizational unit. Which tool do you use to mark the deleted organizational unit as authoritative during the restore process?
A: NTDSUTIL.

Q: What is the criterion for implementing multiple sites in Windows 2003?
A: Bandwidth availability.

Q: Which FSMO role takes care of the creation of RID pools?
A: RID Master.

Q: When you run DCPromo.exe to install the new child domain, you receive an error message stating that the existing domain cannot be contacted. Installation of the new child domain will not proceed. What should you do to correct this problem?
A: Configure the new domain controller with the address of an authoritative DNS server for the existing domain.

Q: What is the minimum disk space required to install Active Directory?
A: 200 MB for AD + 50 MB for log files.

Q: You are the administrator of your company. Your company has its main office in Bangalore and branch offices in Delhi and Mumbai. The local admin at each branch office must be able to control users and local resources. You want to prevent the local administrators from controlling resources in branch offices other than their own. You want to create an Active Directory structure to accomplish these goals. What should you do?
A: Create child OUs for each office. Delegate control of each OU to the local administrators at each office.

Q: You are installing a new Windows 2003 Server computer on your existing Windows 2000 network. You run DCPromo.exe to promote the server to a domain controller in a domain named domain.local. You receive the following error message: "The domain name specified is already in use on the network". There are no other Windows 2000 domains on your network. What should you do?
A: Change the down-level domain name to domain1.