Question 1:- What is Active Directory?
Answer:-AD is called Active Directory. Active Directory is basically a directory service that is used in a windows platform group called domain. It unifies management and the maintainability of a large group of objects like computers, servers and users. It is also a database that can be queried and is hierarchical, replicated, and extensible, basically in the windows server that is responsible of the AD maintenance which is called Domain Controller, there is a file where is database is populated, it's called NTDS.dit.
Question 2:- What is LDAP?
Answer:- LDAP means Light-Weight Directory Access Protocol. It determines how an object in an Active directory should be named. LDAP (Lightweight Directory Access Protocol) is a proposed open standard for accessing global or local directory services over a network and/or the Internet. A directory, in this sense, is very much like a phone book. LDAP can handle other information, but at present it is typically used to associate names with phone numbers and email addresses. LDAP directories are designed to support a high volume of queries, but the data stored in the directory does not change very often. It works on port no. 389. LDAP is sometimes known as X.500 Lite. X.500 is an international standard for directories and full-featured, but it is also complex, requiring a lot of computing resources and the full OSI stack. LDAP, in contrast, can run easily on a PC and over TCP/IP. LDAP can access X.500 directories but does not support every capability of X.500.
Question 3:- Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Answer:- Yes we can connect Active Directory to other 3rd-party directory. Microsoft Identity Integration Server (MIIS) is used to connect Active Directory to other 3rd-party Directory Services including directories used by SAP, Domino, Novell Directory etc.
Question 4:- Where is the AD database held? What other folders are related to AD?
Answer:- NTDS.DIT is AD database. Stored in %SystemRoot%\ntds\NTDS.DIT
AD database is held in NTDS and SYSVOL folder for backing up AD you need to take "System State Data" backup.
Question 5:- What is the SYSVOL folder?
Answer:- Every domain controller has a shared folder in its local file system that is
the file system component of Active Directory. This shared folder, named SYSVOL,
Contains files and folders that must be available and synchronized between Domain
Controllers in a domain, including:
1) The NETLOGON shared folder, which includes system policies and user-based logon and logoff scripts for non-Windows Server 2003 and non-Windows 2000 network clients, such as clients running Windows 95, Windows 98, and Windows NT 4.0.
2) Windows Server 2003 and Windows 2000 system policies.
3) Group Policy settings (templates), including Group Policy settings for Domain Controllers running Windows Server 2003 or Windows 2000.
Question 6:- Name the AD NCs and replication issues for each NC?
- Name the AD NCs and replication issues for each NC
*Schema NC, *Configuration NC, * Domain NC
Schema NC This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
Question 7:- What are application partitions? When do I use them?
Answer:- An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
Question 8:- How do you create a new application partition?
Answer:- Start >> RUN>> CMD >> type there "NTDSUTIL" Press Enter
Ntdsutil: domain management Press Enter
Domain Management: Create NC dc=<host name>, dc=<domain>, dc=com <<zone name>>
Question 9:- How do you view replication properties for AD partitions and DCs?
Answer:- By using Active Directory Replication Monitor. Start--> Run--> Replmon
Question 10:- What is the Global Catalog?
Answer:- The global catalog contains a complete replica of all objects in Active Directory for its Host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. The global catalog contains:
1) The commonly used attributes need in queries, such as a user's first and last name, and logon name.
2) All the information or records which are important to determine the location of any object in the directory.
3) A default subset of attributes for each object type.
4) All the access related permissions for every object and attribute that is stored in the global catalog. Without permission you can't access or view the objects. If you are searching for an object where you do not have the appropriate permissions to view, the object will not appear in the search results. These access permissions ensure that users can find only objects to which they have been assigned access.
Question 11:- How do you view all the GCs in the forest?
Answer:- C:\>repadmin /showreps
You can use Replmon.exe for the same purpose.
AD Sites and Services and nslookup gc._msdcs.%USERDNSDOMAIN%
Question 12:- Why not make all DCs in a large forest as GCs?
Answer:- With too many DCs are configured to become the GC servers, it will cause the replication overhead between the DCs across the forest.
Question 13:- Trying to look at the Schema, how can I do that?
Answer:- From active directory schema snap-in. But before that you have to register the schmmgmt.dll file by using regsvr32.exe schmmgmt.dll @ cmd prompt
Question 14:- What are the Support Tools? Why do I need them?
Answer:- Support tools is a package come with the Microsoft Server Disk, contains many essential tools for administrators that work with Active Directory. Support tools are invaluable sources of information, along with providing numerous tools that aid administrators in their daily tasks.
Question 15:- What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
Answer:- All above are AD Tools.
Replmon – replication monitor and troubleshooting.
Adsiedit – editing object in the active directory
Netdom – to manage domain and trust relationship,
Repadmin- to diagnose replication issue between domain controllers.
Question 16:- What are sites? What are they used for?
Answer:- Sites in Active Directory are the physical network structure of Active Directory based on subnet or subnets. Each site in Active Directory resembles well connected network. It is sometimes referred as physical structure of AD. Depending upon the locations and connection quality sites are created which include a domain or domains. Creating these sites lets you control replication traffic over WAN links. In a way Sites help define the AD's replication topology.
Question 17:- What's the difference between a site link's schedule and interval?
Answer:- Schedule enables you to list weekdays or hours when the site link is available for replication to happen in the give interval. Interval is the reoccurrence of the inter site replication in given minutes. It ranges from 15 – 10,080 mins. The default interval is 180 mins.
Question 18:- What is the KCC?
Answer:- KCC is Knowledge Consistency Checker, which creates the connection object that links the DCs into common replication topology and dictates the replication routes between one DC to another in Active Directory forest. The default run interval is 15 mins. There are two type of algorithm of KCC - Intrasite KCC – which is responsible for the connection within the site, and Intersite Topology Generator (ISTG) – which is responsible for the connections among the sites.
Question 19:- What is the ISTG? Who has that role by default?
Answer:- Intersite Topology Generator (ISTG), which is responsible for the connections among the sites. By default Windows 2003 Forest level functionality has this role.
Question 20:- What are the requirements for installing AD on a new server?
Answer:- 1) An NTFS partition with enough free space
2) An Administrator's username and password
3) The correct operating system version
4) A NIC
5) Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
6) A network connection (to a hub or to another computer via a crossover cable)
7) An operational DNS server (which can be installed on the DC itself)
8) A Domain name that you want to use.
9) The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
Question 21:- What can you do to promote a server to DC if you're in a remote location with slow WAN link?
Answer:- Take a System State Backup from another DC and restore locally to the server that are going to be the next Domain Controller. Run DCPromo /adv which will prompt in the next screen to specify the path to restore the System Backup. This will prevent replication of the entire configuration over the slow network.
Question 22:- How can you forcibly remove AD from a server, and what do you do later?
Answer:- DCPromo /Forceremoval. Though this command we will seize the Domain Controller role & then we will use NTDSUTIL to cleanup the metadata.
Question 23:- Can I get user passwords from the AD database?
Answer:- No, the password is stored in a hashed state and cannot be retrieved.
Question 24:- What tool would I use to try to grab security related packets from the wire?
Answer:- By using Network Monitor utility under Administrative Tools.
Question 25:- Name some OU design considerations.
Answer:- 1) Flat organizational unit structure: 1 or 2 levels
2) Narrow organizational unit structure: 3 to 5 levels
3) Deep organizational unit structure: more than 5 levels
Question 26:- What is tombstone lifetime attribute?
Answer:- The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NIC.
Question 28:- How would you find all users that have not logged on since last month?
Answer:- You can check it the schema of user object called "lastlogonTimestamp"
Question 29:- What are the DS* commands?
Answer:- You really are spoilt for choice when it comes to scripting tools for creating Active Directory objects. In addition to CSVDE, LDIFDE and VBScript, we now have the following DS commands: the DS family built in utility DSmod - modify Active Directory attributes, DSrm - to delete Active Directory objects, DSmove - to relocate objects, DSadd - create new accounts, DSquery - to find objects that match your query attributes, DSget - list the properties of an object
Question 30:- What's the difference between LDIFDE and CSVDE? Usage considerations?
Answer:- CSVDE is a command that can be used to import and export objects to and from the AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go to length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users.
LDIFDE is a command that can be used to import and export objects to and from the AD into a LDIF-formatted file. A LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor, however it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.
Question 31:- What are the FSMO roles? Who has them by default? What happens when each one fails?
Answer:- While Active Directory in general uses a multimaster replication scheme for replicating the directory database between domain controllers, there are certain directory functions that require they be performed on some specific domain controller. These functions are defined by flexible single master operations (FSMO) roles (pronounced "fiz-moe roles") and at any time these roles are uniquely assigned to specific domain controllers in different Active Directory domains. By default GCS (Global Catalog Server) is having all the roles.
If each one of them fails then below are the effects of the same:-
Schema Master – Schema updates are not available – These are generally planned changes and the first step when doing a schema change is normally something like "make sure your environment is healthy". There isn't any urgency if the schema master fails, having it offline is largely irrelevant until you want to make a schema change.
Domain Naming Master – No new domains or application partitions can be added – This sort of falls into the same "healthy environment" bucket as the schema master. When we upgraded the first DC to a beta Server 2003 OS which included the code to create the DNS application partitions, we couldn't figure why they weren't instantiated until we realized that the server hosting the DNM was offline (being upgraded) at the same time. Infrastructure Master – No cross domain updates, can't run any domain preps – Domain preps are planned (again). But no cross-domain updates. That could be important if you have a multi-domain environment with a lot of changes occurring.
RID Master – New RID pools unable to be issued to DC's – This gets a bit more complicated, but let me see if I can make it easy. Every DC is initially issued 500 RID's. When it gets down to 50% (250) it requests a second pool of RID's from the RID master. So when the RID master goes offline, every DC has anywhere between 250 and 750 RIDs available (depending on whether it's hit 50% and received the new pool).
PDC – Time, logins, password changes, trusts – So we made it to the bottom of the list, and by this point you've figured that the PDC has to be the most urgent FSMO role holder to get back online. The rest of them can be offline for varying amounts of time with no impact at all. Users may see funky behavior if they changed their password, but replication will probably have completed before they call the help desk so nothing to worry about, and trust go back to that whole "healthy forest" thing again.
Question 32:- What FSMO placement considerations do you know of?
Answer:- Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
Single Domain Forest:- In a single domain forest, leave all of the FSMO roles on the first domain controller in the forest.
You should also configure all the domain controller as Global Catalog servers. This will NOT place additional stress on the DCs, while allowing GC-related applications (such as Exchange Server) to easily perform GC queries.
Multiple Domain Forest:- In a multiple domain forest, use the following guidelines:
In the forest root domain:
If all domain controllers are also global catalog servers, leave all of the FSMO roles on the first DC in the forest.
If all domain controllers are not also global catalog servers, move all of the FSMO roles to a DC that is not a global catalog server.
In each child domain, leave the PDC emulator, RID master, and Infrastructure master roles on the first DC in the domain, and ensure that this DC is never designated as a global catalog server (unless the child domain only contains one DC, then you have no choice but to leave it in place).
Configure a standby operations master - For each server that holds one or more operations master roles, make another DC in the same domain available as a standby operations master. Making a DC as a standby operation master involves the following actions:
The standby operations master should not be a global catalog server except in a single domain environment, where all domain controllers are also global catalog servers.
The standby operations master should have a manually created replication connection to the domain controller that it is the standby operations master for, and it should be in the same site.
Configure the RID master as a direct replication partner with the standby or backup RID master. This configuration reduces the risk of losing data when you seize the role because it minimizes replication latency.
Question 33:- I want to look at the RID allocation table for a DC. What do I do?
Answer:- You can check the RID allocation table or pool by running this "dcdiag /v" at command prompt.
Question 34:- What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
Answer:- In FSMO role transfer, the existing role master relinquishes its role to the target server. Both servers ensure that the proper directory objects get updated in each other's replica of the naming context that contains the role object.
In FSMO role seizing, the target server asks permission first, but takes the role anyway regardless of the answer. The DC that seizes the role makes the necessary changes to the Directory objects in its replica of the naming context that contains the role object.
In case if you want the original FSMO holder DC to get back into the network then avoid to seize the Schema Master, Domain Naming Master & RID role. A machine that once served one of those roles must be reformatted & reinstalled. If two Schema Masters attempt to operate in the same Active Directory forest, the forest becomes inoperable.
Question 35:- How do you configure a "stand-by operation master" for any of the roles?
Answer:- A standby operations master is a domain controller that you identify as the computer that assumes the operations master role if the original computer fails. A single domain controller can act as the standby operations master for all of the operations master roles in a domain, or you can designate a separate standby for each operations master role.
No utilities or special steps are required to designate a domain controller as a standby operations master. However, the current operations master and the standby should be well connected. This means that the network connection between them must support at least a 10-megabit transmission rate and be available at all times. In addition, configure the current role holder and the standby as direct replication partners by manually creating a Connection object between them.
Configuring a replication partner can save some time if you must reassign any operations master roles to the standby operations master. Before transferring a role from the current role holder to the standby operations master, ensure that replication between the two computers is functioning properly. Because they are replication partners, the new operations master is as updated as the original operations master, thus reducing the time required for the transfer operation.
During role transfer, the two domain controllers exchange any unreplicated information to ensure that no transactions are lost. If the two domain controllers are not direct replication partners, a substantial amount of information might need to be replicated before the domain controllers completely synchronize with each other. The role transfer requires extra time to replicate the outstanding transactions. If the two domain controllers are direct replication partners, fewer outstanding transactions exist and the role transfer operation completes sooner.
Designating a domain controller as a standby also minimizes the risk of role seizure. By making the operations master and the standby direct replication partners, you reduce the chance of data loss in the event of a role seizure, thereby reducing the chances of introducing corruption into the directory.
Question 36:- How do you backup AD?
Answer:- Start >> Run >> type there "ntbackup" when the backup screen is flash then take the backup of SYSTEM STATE it will take the backup of all the necessary information about the system including AD backup , DNS(AD Integrated) ETC.
Question 37:- How do you restore AD?
Answer:- There are 2 ways to restore the AD:-
Non-Authoritative Restore:- A non-authoritative restore is the default method for restoring Active Directory. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup media, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller.
Restart the domain controller in Directory Services Restore Mode
Restore the backup by using ntbackup.exe command from command prompt.
Authoritative Restore:- An authoritative restore process returns a designated object or container of objects to its state at the time of the backup. For example, you might need to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) containing a large number of users. If you restore the server from backup, the normal, nonauthoritative restore process does not restore the inadvertently deleted OU because the restored domain controller is updated following the restore process to the current status of its replication partners, which have deleted the OU. Recovering the deleted OU requires authoritative restore. You can use authoritative restore to mark the OU as authoritative and let the replication process restore it to all the other domain controllers in the domain.
When an object is marked for authoritative restore, its version number is changed so that it is higher than the existing version number of the (deleted) object in the Active Directory replication system. This change ensures that any data that you restore authoritatively is replicated from the restored domain controller to other domain controllers in the forest.
For this type of backup you can use NTDSUTIL.exe utility
Question 38:- How do you change the DS Restore admin password?
Answer:- Process to change the DSRM admin password is following:-
1. Log on to the computer as the administrator or a user who is a member of the Administrators group.
2. Shut down the domain controller on which you want to change the password.
3. Restart the computer. When the selection menu screen is displayed during restar, press F8 to view advanced startup options.
4. Click the Directory Service Restore Mode option.
5. After you log on, use one of the following methods to change the local Administrator password:
At a command prompt, type the following command:
Net user administrator *
Use the Local User and Groups snap-in (Lusrmgr.msc) to change the Administrator password.
6. Shut down and restart the computer.
Now you can use the Administrator account to log on to Recovery Console or Directory Services Restore Mode using the new password.
Question 39:- Why can't you restore a DC that was backed up 4 months ago?
Answer:- Because the Tombstone Lifetime Attribute maintains the date of backup of AD & by default it consider the AD backup valid till 60 days. After that it is not recognizing that backup. That's why we can't restore the DC that was backed up 4 months ago. But we can do the same by editing the default lifetime of Tombstone.
Question 40:- What are GPOs?
Answer:- A Group Policy Object (GPO) is a collection of settings that define what a system will look like and how it will behave for a defined group of users. The GPO is associated with selected Active Directory containers, such as sites, domains, or organizational units (OUs). The MMC allows you to create a GPO that defines registry-based polices, security options, software installation and maintenance options, scripts options, and folder redirection options.
Question 41:- What is the order in which GPOs are applied?
Answer:- Group Policy settings are processed in the following order:
1) Local Group Policy Objects Each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.
2) Site Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3) Domain Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4) Organizational Units GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
Question 42:- Name a few benefits of using GPMC.
Answer:- GPMC's list of features reads like a Group Policy administrator's wish list. GPMC has a new user interface that lets you view Group Policy Objects (GPOs) across domains and even forests in an intuitive and useful way. You can now generate HTML reports on GPO settings even if you don't have write access to the GPO. You can back up and restore GPOs, export them from one domain and import them into another, and even perform mapping operations to a different set of security principals and Universal Naming Convention (UNC) paths between domains. GPMC also incorporates Resultant Set of Policies (RSoP), the most requested Group Policy enhancement for Windows 2003. You can use the Windows Management Instrumentation Query Language (WQL) to build Windows Management Instrumentation (WMI) filters. GPMC even has a tool that lets you search for GPOs within a domain or across all domains in a forest.
Question 43:- What are the GPC and the GPT? Where can I find them?
Answer:- GPC The Group Policy Container (GPC) is the portion of a GPO stored in Active Directory that resides on each domain controller in the domain. The GPC is responsible for keeping references to Client Side Extensions (CSEs), the path to the GPT, paths to software installation packages, and other referential aspects of the GPO.
GPT One of the parts of the GPO is the GPT, which is responsible for storing the specific settings created within the GPO. The GPT is stored in the Policies subfolder, which is under the SYSVOL folder on each domain controller. The GPT includes key files and folders including:
Machine and User folders
Scripts (Logon, Logoff, Startup, and Shutdown) folders
The GPC is stored at the domain level as a virtual object consisting of a Group Policy container.
The GPT is located under the SYSVOL folder.
Question 44:- What are GPO links? What special things can I do to them?
Answer:- GPO Links A Group policy is associated to an active directory container by a link. You can link the GPO to three types of Active Directory Objects: Sites, Domains & OUs. A GPO can be linked to several containers. Alternatively a container can be associated with several GPOs.
Question 45:- What can I do to prevent inheritance from above?
Answer:- Check mark the Block Inheritance option.
Question 46:- How can I override blocking of inheritance?
Answer:- Check mark the "Enforced" options (if you are using GPMC) & No Override if you are using default Group Policy Editor.
Question 47:- How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
Answer:- I will generate a GP Result Report for that. Procedure:-
To generate a Group Policy Results report
1) Open the Group Policy Management Console.
2) In the console tree, double-click the forest in which you want to create a Group Policy Results query. Right-click Group Policy Results and then click Group Policy Results Wizard.
3) In the Group Policy Results Wizard, click next and enter the appropriate information.
4) After completing the wizard, click Finish.
Question 48:- A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
Question 49:- Name some GPO settings in the computer and user parts.
Answer:- Here are some GPO setting in computer & user parts:-
1) Minimum Password Length
2) Maximum Password Age
3) Password Complexity
4) Last Logged-On User Name
5) User Rights Assignment
6) Everyone Group Permissions and Anonymous Users
7) Process GPO Security Settings at Every Refresh
Question 50:- What are administrative templates?
Answer:- Administrative Templates are a feature of Group Policy, a Microsoft technology for centralized management of machines and users in an Active Directory environment.
Question 51:- What's the difference between software publishing and assigning?
Answer:- Publishing The software application does not appear on the start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.
Assigning The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the start menu, or accesses a file that has been associated with the software application.
Question 52:- Can I deploy Non-MSI software with GPO?
Answer:- Yes we can deploy Non-MSI software with GPO by using .zap file.
Jonathan Swift - "May you live every day of your life."