An Active Directory is a directory structure used on Microsoft Windows based servers and computers to store data and information about networks and domains.
2) Mention the new features in Active Directory (AD) of Windows Server 2012?
dcpromo (Domain Controller Promoter) with improved wizard: It allows you to view all the steps and review the detailed results during
Enhanced Administrative Center: Compared to the earlier version of Active Directory, the administrative center is well designed in
Recycle bin goes GUI: In Windows Server 2012, there are now many ways to enable the Active Directory recycle bin through the GUI in the Active Directory Administrative Center, which was not possible with the earlier version
Fine grained password policies (FGPP): In Windows Server 2012, implementing FGPP is much easier compared to an earlier version. It allows you to
Windows PowerShell History Viewer: You can view the Windows PowerShell commands that relate to the actions you execute in the domain
As such, this group has full control of the forest; add users with caution.
Registry
System files
AD information
SYSVOL Folder
dit
log
res 1.log
log
chk
10) Mention what the PDC emulator is and how one would know whether the PDC emulator is working or not?
PDC Emulator: There is one PDC emulator per domain, and when there is a failed authentication attempt, it is forwarded to the PDC emulator. It acts as a tie-breaker and it controls the time sync across the domain.
These are the parameters through which we can know whether the PDC emulator is working or not.
Components of AD include
With Dcpromo /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server afterwards. After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.
25) What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) roles. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
26) What is a domain tree?
Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees.
Trees can be viewed in two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.
27) What are forests?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses.
28) How do you select the appropriate restore method?
You select the appropriate restore method by considering:
Circumstances and characteristics of the failure. The two major categories of failure, from an Active Directory perspective, are Active Directory data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers or when a large
portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other
domain controllers.
29) Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in
Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship
that hosts copies of the Active Directory.
30) What is Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC
that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the
network.
31) How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies,
changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
32) When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often
give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and
joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security
restrictions.
33) Describe the process of working with an external domain name?
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way,
your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for their external
namespace uses the name corp.internal for their internal namespace.
The advantage to this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires
you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create
confusion for users because the namespaces do not reflect a relationship between resources within and outside of your network.
In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.
34) How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.
To find the GCs from the command line you can try using the DSQUERY command:
dsquery server -isgc to find all the GCs in the forest,
or you can try dsquery server -forest -isgc.
35) What are the physical components of Active Directory?
Domain controllers and Sites. Domain controllers are physical computers which run the Windows Server operating system and the Active Directory database. Sites are network segments based on geographical location, and each site contains multiple domain controllers.
36) What are the logical components of Active Directory?
Domains, Organizational Units, trees and forests are logical components of Active Directory.
37) What are the Active Directory partitions?
The Active Directory database is divided into different partitions such as the Schema partition, Domain partition, and Configuration partition. Apart from these partitions, we can create Application partitions based on the requirement.
38) What is group nesting?
Adding one group as a member of another group is called 'group nesting'. This helps with easy administration and reduces replication traffic.
39) What is the feature of a Domain Local Group?
Domain local groups are mainly used for granting access to network resources. A Domain local group can contain accounts from any domain, global groups from any domain and universal groups from any domain. For example, if you want to grant permission to a printer located in Domain A to 10 users from Domain B, then create a Global group in Domain B and add all 10 users into that Global group. Then, create a Domain local group in Domain A, add the Global group of Domain B to the Domain local group of Domain A, and then add the Domain local group of Domain A to the security ACL of the printer (in Domain A).
40) How will you take an Active Directory backup?
Active Directory is backed up along with System State data. System state data includes the local registry, COM+, boot files, NTDS.DIT and the SYSVOL folder. System state can be backed up either using Microsoft's default NTBACKUP tool or third-party tools such as Symantec NetBackup, IBM Tivoli Storage Manager, etc.
41) What is the Lost and Found container?
In the multimaster replication method, replication conflicts can happen. Objects with replication conflicts are stored in a container called 'Lost and Found'. This container is also used to store orphaned user accounts and other objects.
42) Do we use clustering in Active Directory? Why?
No one installs Active Directory in a cluster. There is no need to cluster a domain controller, because Active Directory provides total redundancy with two or more servers.
43) What is the Active Directory Recycle Bin?
The Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed-up AD database, rebooting a domain controller or restarting any services.
44) What is an RODC? Why do we configure an RODC?
A read-only domain controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC is a read-only copy of the Active Directory database and it can be deployed in a remote branch office where physical security cannot be guaranteed. An RODC provides improved security and faster logon time for the branch office.
> How do you check the current forest and domain functional levels? Say both GUI and command line.
To find out forest and domain functional levels in GUI mode, open ADUC, right-click on the domain name and choose Properties. Both domain and forest functional levels will be listed there. To find out forest and domain functional levels from the command line, you can use the DSQUERY command.
> Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory ?
All versions of Windows Server Active Directory use Kerberos 5.
> Name a few port numbers related to Active Directory?
Kerberos 88, LDAP 389, DNS 53, SMB 445
> What is an FQDN?
FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of the domain name system which points to a device in the domain at its leftmost end. For example in system.
> Have you heard of ADAC?
ADAC (Active Directory Administrative Center) is a new GUI tool that came with Windows Server 2008 R2, which provides an enhanced data management experience to the admin. ADAC helps administrators perform common Active Directory object management tasks across multiple domains with the same ADAC instance.
> How many objects can be created in Active Directory? (both 2003 and 2008)
As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
> Explain the process between a user providing his domain credentials to his workstation and the desktop being loaded. Or, how does AD authentication work?
When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique
long term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC
then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA,
the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The client
computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password
into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now
authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
> What is urgent replication and when is it used?
You probably know how Active Directory core replication works. When an object is changed, the source DC, the one that serviced the change request, notifies its direct replication neighbours that there was a change to some object. The neighbours then start the replication process by requesting the changes made since the last replication.
It is important to know that there is a notification delay between the actual change to the objects in the directory and the notification sent to the replication partners. Server 2003 DCs wait 15 seconds before they fire out the change notification. This delay is there so that only one change notification is sent once the change transaction to the object is done. If there are multiple changes made to an object, let's say the phone number, the home town and the employeeID of a user, and the changes were made with a 1 second delay each, we only send one change notification for those three changes. If there was no notification delay and we waited a second between the changes to a user's attributes, the source DC would send three change notifications to its partners. Too much traffic there! Note that the default change notification delay in Windows 2000 was 5 minutes (the numbers may differ depending on installation type (upgrade from 2000 to 2003, forest functional level, )).
Given that fact, one can think of several scenarios which may lead to problems since the change to the directory is not replicated right away: user password changes, user lockout, password policy changed,
For this reason, there's urgent replication. Urgent replication works in the same way normal replication does, but has no notification delay of a few seconds/minutes. That makes urgent changes that need to be distributed throughout the sites and DCs get more quickly to all edges.
Urgent replication takes place in the following cases:
The password policy or account lockout policy of a domain has changed
The LSA secret has changed (that's used for the secure channels between machines and DCs, and for trusts)
A user or computer is locked out due to a failed logon attempt (in this case, the urgent replication is used to notify the DC with the PDC emulator role first and then all others)
The RID master has changed
So if one of the mentioned events takes place, urgent replication takes place and there's no notification delay prior to the change notification of neighbouring DCs.
> Which FSMO role directly impacts the consistency of Group Policy?
PDC Emulator.
> I want to promote a new additional Domain Controller in an existing domain. Which groups should I be a member of?
You should be a member of the Enterprise Admins group or the Domain Admins group. You should also be a member of the local Administrators group of the member server which you are going to promote as an additional Domain Controller.
> Tell me the easiest way to check all 5 FSMO roles?
Use the netdom query /domain:YourDomain FSMO command. It will list all the FSMO role-holding domain controllers.
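The functional-level, Global Catalog and FSMO checks asked about above, plus the "is the PDC emulator working" question earlier on the page, can all be answered from one PowerShell session. This is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module is installed and that it runs as an ordinary domain user on a domain-joined machine.

```powershell
# Added example (not from the original page). Read-only health check covering
# functional levels, the five FSMO holders, Global Catalogs, and whether the
# PDC emulator is reachable and sits at the top of the domain time hierarchy.
# Assumes the RSAT ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest and domain functional levels (GUI equivalent: ADUC > domain > Properties)
"Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode
"Domain {0}: functional level {1}" -f $domain.DNSRoot, $domain.DomainMode

# The five FSMO role holders: two are forest-wide (Get-ADForest), three are
# per domain (Get-ADDomain). Same information as 'netdom query fsmo'.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Every Global Catalog in the forest (same answer as 'dsquery server -forest -isgc')
"Global Catalogs in the forest:"
$forest.GlobalCatalogs

# GCs of the current domain with their site, to spot a site that has none
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Site, IsReadOnly | Format-Table -AutoSize

# Two observable signs that the PDC emulator is doing its job: it answers on
# the network, and the domain's time sync chain ends at it.
$pdc = $domain.PDCEmulator
if (Test-Connection -ComputerName $pdc -Count 1 -Quiet) {
    "PDC emulator $pdc is reachable."
} else {
    Write-Warning "PDC emulator $pdc did not answer a ping; investigate it first."
}
# Where this machine gets its time from; on a member it should chain up to the PDC emulator
"Local time source: $(w32tm /query /source)"
# Offset of the PDC emulator against its own configured time peer(s)
w32tm /monitor /computers:$pdc
```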
> What is a realm trust?
Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an Active Directory domain.