
Interview Questions

QUESTIONS ON ADS
1. What is ADS ?
ADS can be defined as a logical network structure or model of Windows 2000 and Windows 2003 which includes forests, trees, domains, etc.

2. What are the advantages of ADS ?
Centralised data storing : All domain information is stored in a single, distributed repository.
Extensibility : We can extend the features of ADS by updating the schema.
Backward compatibility : ADS is compatible with the Windows NT directory service.
Scalable : ADS is scalable to meet customer requirements.
Policy based administration : ADS is enriched with a number of policy settings to improve security, etc.
LDAP support : ADS uses LDAP, which allows other LDAP compatible applications to communicate with ADS.
Directory enabled application support : Using the application data partition feature, you can allow applications to use ADS features.

3) What is the function of Sysvol ?
Sysvol is a special public folder located on the NTFS partition of a domain controller. Sysvol is used for storing public files like login scripts, GPO templates, etc. The contents of the Sysvol folder are replicated to all DCs in the domain.

4) What is LDAP and its port ?
Lightweight Directory Access Protocol (LDAP) is a protocol to query or access the Active Directory database. It uses port number TCP 389.

5) Which service does Sysvol use for replication ?
Sysvol uses File Replication Service (FRS) for replication.

www.visioninfosystems.org


6) What is FRS ?
FRS is a replication service used for replication of DFS and Sysvol contents.

7) How to publish Printer and Shared folder in ADS ?

8) What is Schema ?
The Active Directory schema defines objects that can be stored in Active Directory. The schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in Active Directory. In simple language, the schema defines the structure and attributes of every object stored in Active Directory.

9) What is Global Catalog and its port number ?
A global catalog is a domain controller that stores a copy or replica of all Active Directory objects in a forest. The global catalog stores a full copy of all objects of the domain in which it resides and a partial copy of all objects for all other domains in the forest. The partial copy stores the most commonly used attributes of all domain objects. The global catalog allows users to search for objects easily and quickly within the forest without affecting network performance. Users use TCP port 3268 to query or access the global catalog.

10) How can we change administrator directory service restore mode password ?
We can change the directory service restore mode password using the ntdsutil.exe utility.
Example : ntdsutil "set dsrm password" "reset password on server DC1"

FSMO ROLES
1) Explain in short about 5 FSMO roles
Schema Master : is a domain controller that handles all Active Directory schema related activities in a forest.
Domain Naming Master : handles or controls the addition or removal of domains in the forest.
RID Master : is a DC which assigns or distributes RIDs to every DC in a domain.
PDC Emulator : provides emulated PDC service for Windows NT BDCs in mixed mode.
Infrastructure Master : is responsible for updating references from objects in its domain to objects in other domains.

2) What is PDC emulator role ?
PDC emulator provides various services.

In mixed mode :
To act as PDC for Windows NT BDCs.
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.

In native mode :
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Account lockout is processed on the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Time synchronization between DCs.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.

3) What happens when PDC emulator is down ?
If the PDC master is down or offline, it affects network users. Users will not be able to handle password changes, account lockout, time sync, etc. Therefore, when the PDC emulator master is not available, you may need to immediately seize the role.


4) What is the difference between seizing and transfer of roles ?
The difference between transfer and seize is that seizing is used when the source DC is down or offline. Seizing means forcing a DC to take control of the role if the original DC is down or offline, while in case of transfer both the source and destination DC should be online.

5) Why is it not recommended to place infrastructure master and Global catalog on same DC ?
The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master is also a global catalog, it won't ever see any differences, since the global catalog holds a partial copy of every object in the forest itself. Therefore the infrastructure master won't do anything in its domain.

6) What is seizing of roles ?
Seizing means forcing a DC to be assigning a role to new DC if the original DC is down or offline.

7) What are two methods of transferring Domain level roles ?
Method - I : Active Directory Users and Computers snap-in
Method - II : ntdsutil.exe is a command line tool used to transfer or seize operation master roles

8) What are two methods of transferring Forest level roles ?
Method - I :
Schema master : Active Directory schema snap-in
Domain naming master : Active directory domains and trust
Method - II : ntdsutil.exe is a command line tool used to transfer or seize operation master roles

9) Which command is used to view domain naming master role ?
dsquery server -hasfsmo name

10) How to view Schema Master role ?
dsquery server -hasfsmo schema

FUNCTIONAL LEVEL AND ADS files


1) What are forest level functional and domain level ?

Domain Functional Level
Windows 2000 mixed (default) : Windows NT 4.0, Windows 2000, Windows Server 2003 family
Windows 2000 native : Windows 2000 Server, Windows Server 2003 family
Windows Server 2003 interim : Windows NT 4.0, Windows Server 2003 family
Windows Server 2003 : Windows Server 2003 family only

Forest functional level
Windows 2000 (default) : Windows NT 4.0, Windows 2000, Windows Server 2003 family
Windows Server 2003 interim : Windows NT 4.0, Windows Server 2003 family
Windows Server 2003 : Windows Server 2003 family only


2) How to raise forest functional level ?
In Active directory domains and trust snap-in, right-click on the active directory domains and trust and then select Raise Forest functional level.

3) How to raise domain functional level ?
In Active directory users and computer snap-in, right-click on the active directory domains and trust and then select Raise Forest functional level.

4) Can we revert back to previous functional level ?
No, we cannot move back or revert back to a previous functional level.

5) Which mode supports domain rename feature ?
Forest Functional level : Windows 2003 Server
Domain Functional Level : Windows 2003 Server

6) Which mode supports mixture of NT and 2003 ?
Interim mode

7) What are 4 partitions of NTDS.DIT files ?
Schema partition : it stores the Active Directory schema.
Configuration partition : it stores configuration information about Active Directory, i.e. our current Active Directory topology like forest, trees, domains, etc.
Domain data partition : it stores information about your current domain like users, groups, etc.
Application data partition : A new partition type used in Windows 2003. It is a type of directory partition that can be used by applications to store application specific data in the Active Directory database.

8) How to move ADS files to a different location ?
We can move Active Directory files to a different location using the NTDSUTIL.EXE utility. We can only move files using directory service restore mode.
ntdsutil files "move db to <DriveAndFolder>" "move logs to <DriveAndFolder>" QUIT

9) How to compact ADS database file ?
We can compact the Active Directory file using the NTDSUTIL.EXE utility.

10) Which are ADS files ?
NTDS.DIT : active directory database file
EDB.log : active directory transaction log file
RES1.log and RES2.log : reserved log files
TEMP.edb : temp. active directory database file
EDB.chk : checkpoint file

11) How to create Application partition using command line ?
Creating application directory partitions
1. Open a command prompt.
2. Type: ntdsutil
3. At the ntdsutil command prompt, type: domain management.
4. At the domain management command prompt, type: connection.
5. At the connection command prompt, type: connect to server ServerName.
6. At the connection command prompt, type: quit.
7. At the domain management command prompt, do one of the following:
To create an application directory partition, type: create nc ApplicationDirectoryPartition DomainController
To delete an application directory partition, type: delete nc ApplicationDirectoryPartition

BACKUP AND RECOVERY


1) What does system state backup include ?
Contents of System State Backup :
SysVol Folder
Active Directory Database
COM+ components
Registry
Boot Files

2) What is authoritative and non-authoritative restore ?
Non-Authoritative : In non-authoritative restore, the system state back on a domain controller are restored from backup media and the restored data is then updated through normal replication. Each restored directory partition is updated with that of its replication partners by replication after you restore the data. This restore can be overwritten by other DC if they have latest backup.
Authoritative restore : An authoritative restore brings a domain or back to the state it was in at the time of backup and overwrites all changes made since the backup. This restore cannot be overwritten by other DC. Authoritative restore overwrites all DC system state data.

3) What are the different types of restore ?
Primary Restore : This restore method is used if you have a single DC in a domain. This is also a type of non-authoritative restore.
Non-Authoritative restore : This restore is overwritten by other DC if they have latest replication data.
Authoritative restore : This restore is not overwritten by other DC.
Subtree restore : To restore a particular subset of back. Like to restore a specific OU.
Single object restore : To restore a single object like user, group, etc.

4) What is Directory Service Restore mode ?
Directory Services Restore Mode (DSRM) is a special boot mode. It is used to log on to the computer when Active Directory has failed or needs to be restored.

5) Explain types of backup method
Normal : This option backs up the selected files and clears the archive bit if it is set.
Copy : This option backs up the selected files and does not clear the archive bit.
Differential : This option backs up only the selected files where the archive bit is set. It does not clear the archive bit.
Incremental : This option backs up only the selected files where the archive bit is set. It clears the archive bit.
Daily : This option does not use the archive bit. It backs up files with a Modified timestamp that matches the backup date.

Table for Backup bits


Backup type          Normal  Incremental  Differential  Daily  Copy
Archive Bit (Clear)  Yes     Yes          No            No     Yes

6) How to perform authoritative restore ?
After restoring the database using the NTBACKUP utility, do not restart the server. Run the following command to perform an authoritative restore of the entire database:
ntdsutil "auth restore" "restore database" quit
Restart the computer.

7) How to perform authoritative restore of single object ?
ntdsutil "auth restore" "restore object cn=jsmith,ou=Sales,dc=rallencorp,dc=com" quit

8) How to perform authoritative restore of subtree ?
ntdsutil "auth restore" "restore subtree ou=Sales,dc=rallencorp,dc=com" quit

9) How to repair/recover Active directory database ?
First, reboot into DS Restore Mode.
Run the following command to perform a soft recovery of the transaction log files:
ntdsutil files recover quit

If you continue to experience errors, you may need to run a repair, which does a low level repair of the database, but can result in loss of data:
ntdsutil files repair quit

If either the recover or repair is successful, you should then check the integrity:
ntdsutil files integrity quit
ntdsutil "semantic database analysis" "verbose on" go

10) How to change Directory service restore mode password ?
1. Click Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
3. At the DSRM command prompt, type one of the following lines:
To reset the password on the server on which you are working, type reset password on server <Servername>

GROUP POLICY OBJECT
===================

1) At which level are GPOs implemented ?
GPO is implemented at Site Level, Domain Level and OU Level.

2) Where are Local Computer Policies stored ?
Local computer policies are stored on the local machine under the %systemroot%\system32\grouppolicy folder.

3) Which are the default GPO created on a Windows 2003 Domain Controller ?
By default, when Active Directory service is installed, two Active Directory based GPOs are created:
Default Domain Policy : This default GPO is created and linked to the domain, and it affects all users and computers in the domain.
Default Domain Controllers Policy : This GPO is linked to the Domain Controllers OU.

4) What is the difference between No Override and Block Policy Inheritance ?
Block Policy Inheritance : Blocking of policy inheritance means to selectively block top level policy from lower levels. E.g. if we want a GPO created at domain level not to be applied to a particular OU, then we have to set Block Policy Inheritance at OU level.
No Override : No override means no one can override this policy. When the No Override option is set, none of its policy settings can be overridden by any other GPO during the processing of group policies. E.g. when the No Override option is set on a top level GPO, then no other GPO at lower level can override it (even if block policy inheritance is set).

5) Which tool is used to import or export GPO ?
GPMC.exe is a tool used to perform import and export of GPO.

6) Which are the 2 methods of deploying applications via GPO ?
Assign and publish are the 2 methods of deploying software or applications via GPO.

7) What file formats are supported for software deployment via GPO ?
.msi and .zap are the 2 formats supported for software deployment under GPO.

8) What is GPO linking ?
GPO linking is a method of linking or applying the same policy to multiple OUs, sites, etc.

9) Where are GPO templates or settings stored on DC ?
GPO templates or settings are stored under the sysvol folder on every DC.

10) What are administrative templates ?
Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines. Administrative templates have the extension .ADM and we can create custom administrative templates as per our requirement.

11) Which command is used to modify local group policy ?
Gpedit.msc

12) How to prevent a GPO from applying to a specific user or group ?
To prevent a group policy from applying to a user or group, go to properties of the GPO and set the permission deny apply group policy for the user or group.

13) Is it possible to apply group policy to a single user or a single group ?
No. You cannot apply GPO to a single user or group. All you have to do is to create an OU and place that user or group in that particular OU and apply GPO to that OU.

14) Can we apply a GPO to a single computer ?
No. You cannot apply GPO to a single computer. All you have to do is to create an OU and place that computer in that particular OU and apply GPO to that OU.

TRUST RELATIONSHIP
==================

1) When will you reset trust ?
If you've determined a trust is broken, you need to reset it, which will allow users to authenticate across it again.


2) Which command line tool is used to create trust ?
Netdom.exe is a support tool used to create/view/delete trust.

3) What is Trust relationship and when to use it ?
Trust relationship is a feature which allows one domain to access other domain resources. Trust relationship is used in multi-domain setup. Trust can be configured in one-way fashion or two-way fashion.

4) What is shortcut trust ?
Trust relationship is a feature which allows one domain to access other domain resources.

5) What is forest trust ?
Trust relationship is a feature which allows one domain to access other domain resources.

6) What is trusting party and trusted party ?
Trust relationship is a feature which allows one domain to access other domain resources.

7) What is trust password ?
Trust relationship is a feature which allows one domain to access other domain resources.

9) What is transitive trust ?
Trust relationship is a feature which allows one domain to access other domain resources.

10) What is implicit and explicit trust ?
Trust relationship is a feature which allows one domain to access other domain resources.

11) What is realm trust ?
Trust relationship is a feature which allows one domain to access other domain resources.

Sites and services
=============
