22/10/2013 Windows Server 2008 AD Interview Questions

www.techiebird.com/ad12.html 1/3

TechieBird

Home | Windows | Network | Interview Questions | Database | Virtualization | Knowledge Base | Contact Us

Quick Links

Windows 2003 KB

Windows 2008 KB

Windows 2012 KB

Exchange Q&A

Virtualization

Network InterviewQuestions

SQL InterviewQuestions

Windows AdminInterview Q&A

Windows Forum

Other Links

DNS FAQ's

DHCP FAQ's

Active DirectoryFAQ's

AD History

Configuring NewDomain

Deleted ObjectRecovery in AD

Global Catalog Server

NetDom Command

Replmon Command

NTDS Utility Guide

FSMO Guide

FSMO Failure

Network KB

Knowledge BaseHome

Active Directory Trust

Group Policy Guide

IIS 6.0

RAID Levels

Latest Active Directory Interview Questions

> What are the physical components of Active Directory?

Domain controllers and sites. Domain controllers are physical computers running the Windows Server operating system and holding the Active Directory database. Sites are network segments based on geographical location, each containing multiple domain controllers.

> What are the logical components of Active Directory?

Domains, Organizational Units, trees and forests are the logical components of Active Directory.

> What are the Active Directory partitions?

The Active Directory database is divided into partitions: the Schema partition, the Domain partition and the Configuration partition. Apart from these, Application partitions can be created as required.

> What is group nesting?

Adding one group as a member of another group is called 'group nesting'. It simplifies administration and reduces replication traffic.

> What is the feature of a Domain Local group?

Domain local groups are mainly used for granting access to network resources. A domain local group can contain accounts from any domain, global groups from any domain and universal groups from any domain. For example, to grant 10 users from Domain B permission on a printer located in Domain A: create a global group in Domain B and add all 10 users to it; create a domain local group in Domain A and add Domain B's global group to it; then add Domain A's domain local group to the security ACL of the printer (in Domain A).

> How will you take an Active Directory backup?

Active Directory is backed up as part of the System State data. System State data includes the local registry, COM+, boot files, NTDS.DIT and the SYSVOL folder. System State can be backed up either with Microsoft's built-in NTBACKUP tool or with third-party tools such as Symantec NetBackup, IBM Tivoli Storage Manager, etc.

> What is the Lost and Found container?

In multi-master replication, replication conflicts can occur. Objects involved in replication conflicts are stored in a container called 'Lost and Found'. This container is also used to store orphaned user accounts and other objects.

> Do we use clustering in Active Directory? Why?

No one installs Active Directory in a cluster. There is no need to cluster a domain controller, because Active Directory provides total redundancy with two or more servers.

> What is the Active Directory Recycle Bin?

The Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It restores accidentally deleted Active Directory objects without using a backed-up AD database, rebooting the domain controller or restarting any services.

> What is an RODC? Why do we configure an RODC?

A read-only domain controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC holds a read-only copy of the Active Directory database and can be deployed in a remote branch office where physical security cannot be guaranteed. An RODC provides improved security and faster logon times for the branch office.

> How do you check the current forest and domain functional levels? Say both GUI and command line.


To find out the forest and domain functional levels in GUI mode, open ADUC, right-click the domain name and open its properties; both the domain and forest functional levels are listed there. From the command line, use the DSQUERY command.
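The command-line half of that answer, scripted. This is an added example, not code from the TechieBird page: it assumes a domain-joined host with the AD DS command-line tools (dsquery.exe) and read access to the directory, reads the raw msDS-Behavior-Version attribute that DSQUERY returns, maps it to the level name, and adds the per-DC check an administrator wants before raising a level.

```powershell
# Added example, not from the TechieBird page. Assumes dsquery.exe (AD DS tools) on a
# domain-joined host with read access to the directory.
$levelName = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
                3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
                6 = 'Windows Server 2012 R2'; 7 = 'Windows Server 2016' }   # 2019/2022 add no new level

function Get-BehaviorVersion([string]$Dn, [string]$Filter = '(objectClass=*)', [string]$Scope = 'base') {
    # dsquery * reads the raw msDS-Behavior-Version attribute; -l prints "attr: value" lines
    # instead of the default table, which is easier to parse reliably.
    $out = dsquery * $Dn -scope $Scope -filter $Filter -limit 0 -l -attr distinguishedName msDS-Behavior-Version 2>$null
    if ($LASTEXITCODE -ne 0) { throw "dsquery failed for '$Dn'" }
    $dn = $null
    foreach ($line in $out) {
        if ($line -match '^\s*distinguishedName:\s*(.+)$') { $dn = $Matches[1].Trim() }
        elseif ($line -match '^\s*msDS-Behavior-Version:\s*(\d+)') {
            [pscustomobject]@{ DN = $dn; Level = [int]$Matches[1] }
        }
    }
}

# RootDSE supplies the naming contexts, so the domain name is not hard-coded
$root   = [ADSI]'LDAP://RootDSE'
$domain = $root.defaultNamingContext.Value
$config = $root.configurationNamingContext.Value

# The domain level is stamped on the domain head; the forest level on CN=Partitions
# in the Configuration partition (the same values ADUC shows in the domain properties).
$dfl = (Get-BehaviorVersion $domain).Level
$ffl = (Get-BehaviorVersion "CN=Partitions,$config").Level
"Domain functional level: $dfl ($($levelName[$dfl]))"
"Forest functional level: $ffl ($($levelName[$ffl]))"

# Each DC also stamps its own level on its NTDS Settings object; the lowest one caps
# what the domain and forest levels can be raised to.
$dcs = Get-BehaviorVersion "CN=Sites,$config" '(objectClass=nTDSDSA)' 'subtree'
$dcs | ForEach-Object { "  {0,-60} level {1}" -f $_.DN, $_.Level }
$floor = ($dcs | Measure-Object -Property Level -Minimum).Minimum
"Lowest DC level: $floor ($($levelName[$floor])); the domain and forest cannot be raised past this until those DCs are upgraded."
```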

> Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?

All versions of Windows Server Active Directory use Kerberos version 5.

> Name a few port numbers related to Active Directory.

Kerberos 88, LDAP 389, DNS 53, SMB 445.

> What is an FQDN?

FQDN stands for Fully Qualified Domain Name. It is a hierarchical domain name system name that points to a device in the domain at its leftmost label. For example in system.

> Have you heard of ADAC?

ADAC (Active Directory Administrative Center) is a new GUI tool that came with Windows Server 2008 R2 and provides an enhanced data-management experience for the administrator. ADAC lets administrators perform common Active Directory object-management tasks across multiple domains from the same ADAC instance.

> How many objects can be created in Active Directory? (both 2003 and 2008)

According to Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.

> Explain the process between a user providing domain credentials to the workstation and the desktop being loaded. Or: how does AD authentication work?

When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long-term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user, and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name and an expiration time. The KDC encrypts this ticket using its own master key (KKDC), which only the KDC knows. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT, so it can communicate securely with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain using the Kerberos protocol.
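A toy model of the exchange just described, added here as an illustration (it is not code from the TechieBird page) to show which key seals which item and why the password itself never leaves the workstation. Its simplifications are labelled: KA is SHA-256 of the password rather than the Kerberos string-to-key function, AES-CBC with a zero IV stands in for the Kerberos encryption types, and there is no pre-authentication or TGS step; the principal 'alice' and both passwords are constructed.

```powershell
# Added illustration, not code from the TechieBird page. Toy model only: SHA-256 password
# key, AES-CBC/zero IV, no pre-authentication, no TGS step. Names and passwords are constructed.
function Get-Sha256([byte[]]$Bytes) { [Security.Cryptography.SHA256]::Create().ComputeHash($Bytes) }
function Get-MasterKey([string]$Secret) { Get-Sha256 ([Text.Encoding]::UTF8.GetBytes($Secret)) }
function Use-Aes([byte[]]$Key, [byte[]]$Data, [switch]$Decrypt) {
    $aes = [Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.IV = New-Object byte[] 16
    $xf = if ($Decrypt) { $aes.CreateDecryptor() } else { $aes.CreateEncryptor() }
    $xf.TransformFinalBlock($Data, 0, $Data.Length)
}

# ---- KDC side: master database of long-term keys, plus the KDC's own key KKDC ----
$kdcDb = @{ 'alice' = Get-MasterKey 'Demo-P@ssw0rd' }
$KKDC  = Get-MasterKey 'kdc-long-term-secret'
function Invoke-AsExchange([string]$User) {
    $KA = $kdcDb[$User]; if (-not $KA) { throw "KDC: unknown principal '$User'" }
    $SA = New-Object byte[] 32; [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($SA)
    $expiry  = (Get-Date).AddHours(10).ToUniversalTime().ToString('o')
    $tgtBody = [Text.Encoding]::UTF8.GetBytes("$User|$expiry|" + [Convert]::ToBase64String($SA))
    # Real Kerberos encrypted parts carry a checksum; SHA-256(SA) lets the client tell a
    # correct decryption apart from the garbage a wrong KA would produce.
    $saPart = [byte[]]($SA + (Get-Sha256 $SA))
    @{ Tgt = Use-Aes $KKDC $tgtBody; EncSessionKey = Use-Aes $KA $saPart }   # TGT is opaque to the client
}

# ---- Client side: hashes the password into KA locally, then unseals the session key ----
function Get-SessionKey([string]$Password, $Reply) {
    try { $plain = [byte[]](Use-Aes (Get-MasterKey $Password) $Reply.EncSessionKey -Decrypt) }
    catch { return $null }                       # bad padding: almost always a wrong key
    if ($plain.Length -ne 64) { return $null }
    $sa = [byte[]]$plain[0..31]; $sum = [byte[]]$plain[32..63]
    if (Compare-Object $sum (Get-Sha256 $sa) -SyncWindow 0) { return $null }   # checksum mismatch
    $sa
}

$reply = Invoke-AsExchange 'alice'
$good  = Get-SessionKey 'Demo-P@ssw0rd' $reply
$bad   = Get-SessionKey 'wrong-guess'   $reply
"Correct password yields SA: {0}; wrong password yields SA: {1}" -f ($null -ne $good), ($null -ne $bad)
# Only the KDC can open the TGT it issued, because only it holds KKDC:
$fields = [Text.Encoding]::UTF8.GetString([byte[]](Use-Aes $KKDC $reply.Tgt -Decrypt)).Split('|')
"TGT issued to '$($fields[0])', expires $($fields[1])"
```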

> What is urgent replication and when is it used?

You probably know how Active Directory core replication works. When an object is changed, the source DC (the one that serviced the change request) notifies its direct replication neighbours that there was a change to some object. The neighbours then start the replication process by requesting the changes made since the last replication.

It is important to know that there is a "notification delay" between the actual change to the objects in the directory and the notification sent to the replication partners. Server 2003 DCs wait 15 seconds before they send the change notification. This delay exists so that only one change notification is sent once the change transaction on the object is complete. If multiple changes are made to an object, say the phone number, the home town and the employeeID of a user, with a one-second delay between each, only one change notification is sent for those three changes. Without the notification delay, and with a second between the changes to a user's attributes, the source DC would send three change notifications to its partners. Too much traffic! Note that the default change notification delay in Windows 2000 was 5 minutes (the numbers may differ depending on installation type: upgrade from 2000 to 2003, forest functional level, and so on).

Given that, one can think of several scenarios that may lead to problems because the change to the directory is not replicated right away: user password changes, user lockouts, password policy changes, and so on.

For this reason there is urgent replication. Urgent replication works in the same way as "normal" replication, but without the notification delay of a few seconds/minutes. This lets "urgent" changes that need to be distributed throughout the sites and DCs reach all edges more quickly. Urgent replication takes place in the following cases:

- The password policy or account lockout policy of a domain has changed
- The LSA secret has changed (it is used for the "secure channels" between machines and DCs, and for trusts)
- A user or computer is locked out due to a failed logon attempt (in this case, urgent replication is used to notify the DC holding the PDC emulator role first, and then all others)
- The RID master has changed

So, if one of the mentioned events takes place, urgent replication occurs and there is no notification delay before the neighbouring DCs are notified of the change.


> Which FSMO role directly impacts the consistency of Group Policy?

PDC Emulator.

> I want to promote a new additional domain controller in an existing domain. Which groups should I be a member of?

You should be a member of the Enterprise Admins group or the Domain Admins group. You should also be a member of the local Administrators group on the member server that you are going to promote as the additional domain controller.

> Tell me the easiest way to check all five FSMO roles.

Use the command netdom query /domain:YourDomain FSMO. It lists the domain controllers holding each FSMO role.
