
6/25/2015

System Administrator Interview Questions and Answers

What do you understand by forests, trees, and domains?


The Active Directory framework that holds the objects can be viewed at a number of levels. The
forest, tree, and domain are the logical divisions in an Active Directory network.
Within a deployment, objects are grouped into domains. The objects for a single domain are stored
in a single database (which can be replicated). Domains are identified by their DNS name
structure, the namespace.
A domain is defined as a logical group of network objects (computers, users, devices) that share
the same Active Directory database.
A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked
in a transitive trust hierarchy.
At the top of the structure is the forest. A forest is a collection of trees that share a common global
catalog, directory schema, logical structure, and directory configuration. The forest represents the
security boundary within which users, computers, groups, and other objects are accessible.
Labels: Active Directory, L2

What is an enforced group policy object?


Enforced Group Policy Object (GPO): A Group Policy Object (GPO) that is specifically associated
with a scope of management (SOM) so that the associated GPO has a higher GPO precedence
compared to non-enforced GPOs that are associated with the same SOM and compared to all
GPOs that are associated with descendant SOMs. An enforced GPO cannot be blocked by a
descendant SOM using the gpOptions attribute.
The Enforced option within the GPMC controls how the Group Policy Object and the settings within the
Group Policy Object are handled with regard to precedence of the settings. In short, when all
GPOs apply from Active Directory, those GPOs that are linked to organizational units (OUs) have
the highest precedence, then those linked to the domain, and finally those linked to Active
Directory sites. Local GPOs on the target endpoint have the weakest precedence of all. What this
means is that if there is a conflicting setting within two GPOs at different levels, the setting within
the highest precedence GPO will win and be applied over the setting in the GPO that has lower
precedence.
Labels: Active Directory

What is the order in which GPOs are applied?


The Group Policy objects (GPOs) that apply to a user (or computer) do not all have the same
precedence. Settings that are applied later can override settings that are applied earlier.
Order of processing settings
Group Policy settings are processed in the following order:
1. Local Group Policy object - Each computer has exactly one Group Policy object that is
stored locally. It is processed for both computer and user Group Policy processing.
2. Site - Any GPOs that have been linked to the site that the computer belongs to are processed
next. Processing is in the order that is specified by the administrator, on the Linked Group
Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the
lowest link order is processed last, and therefore has the highest precedence.
3. Domain - Processing of multiple domain-linked GPOs is in the order specified by the
administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with
the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units - GPOs that are linked to the organizational unit that is highest in the
Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational
unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user
or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs
can be linked. If several GPOs are linked to an organizational unit, their processing is in the order
that is specified by the administrator, on the Linked Group Policy Objects tab for the
organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore
has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the
organizational unit of which the computer or user is a direct member are processed last, which
overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the
earlier and later settings are merely aggregated.)
Exceptions to the default order of processing settings
The default order for processing settings is subject to the following exceptions:
A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither
enforced nor disabled.
A GPO may have its user settings disabled, its computer settings disabled, or all
settings disabled. By default, neither user settings nor computer settings are disabled
on a GPO.
An organizational unit or a domain may have Block Inheritance set. By default, Block
Inheritance is not set.
Labels: Active Directory
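The precedence rules from the two answers above (LSDOU order, link order within a SOM, Enforced links, Block Inheritance) can be audited for a real OU. This is an added example, not code from the original page; it assumes the GroupPolicy and ActiveDirectory RSAT modules, and the OU path is hypothetical.

```powershell
# Added example, not from the original page: audit the GPO precedence chain for one OU.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules; the OU path is hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$TargetOu = 'OU=Workstations,OU=Corp,DC=corp,DC=example'   # hypothetical target SOM

# Build the domain -> ... -> target OU chain by peeling one RDN at a time.
# (Local and site GPOs are processed before the domain and are not part of this walk.)
$domainDn = (Get-ADDomain).DistinguishedName
if ($TargetOu -notlike "*,$domainDn") { throw "$TargetOu is not inside $domainDn" }
$chain = New-Object System.Collections.ArrayList
$dn = $TargetOu
while ($dn -ne $domainDn) {
    [void]$chain.Add($dn)
    $dn = $dn.Substring($dn.IndexOf(',') + 1)
}
[void]$chain.Add($domainDn)
$chain.Reverse()                      # processing order: domain first, target OU last

foreach ($som in $chain) {
    $inh  = Get-GPInheritance -Target $som
    $note = if ($inh.GpoInheritanceBlocked) { '  [Block Inheritance]' } else { '' }
    Write-Output "$som$note"
    # Within one SOM the lowest link order is applied last, so it wins among that SOM's links.
    foreach ($link in ($inh.GpoLinks | Sort-Object Order)) {
        $flags = @()
        if ($link.Enforced)     { $flags += 'Enforced' }   # survives Block Inheritance, beats children
        if (-not $link.Enabled) { $flags += 'Disabled' }   # link present but not applied
        Write-Output ('    link order {0}: {1} {2}' -f $link.Order, $link.DisplayName, ($flags -join ' '))
    }
}

# The net result GPMC computes for the target OU, highest precedence first. Enforced links from
# ancestors appear here even when Block Inheritance is set further down the chain.
Write-Output "`nEffective precedence at $TargetOu (1 = wins conflicts):"
$i = 1
foreach ($link in (Get-GPInheritance -Target $TargetOu).InheritedGpoLinks) {
    $tag = if ($link.Enforced) { ' (Enforced)' } else { '' }
    Write-Output ('{0,3}. {1}{2}' -f $i, $link.DisplayName, $tag)
    $i++
}
```

Site-linked GPOs are not included in the domain chain; Get-GPResultantSetOfPolicy on a target computer shows the complete result including site and local policy.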

What are GPOs?


A Group Policy Object (GPO) is a collection of settings that control the working environment
of user accounts and computer accounts. A GPO defines registry-based policies, security
options, software installation and maintenance options, script options, and folder redirection
options.
Microsoft provides a program snap-in that allows you to use the Group Policy Microsoft
Management Console (MMC). The selections result in a Group Policy Object. Group Policy Object
Editor can be thought of as an application whose document type is the Group Policy object, just
as a word processor might use .doc or .txt files.
There are two kinds of Group Policy objects: local and nonlocal. Local Group Policy objects are
stored on individual computers. Only one local Group Policy object exists on a computer, and it
has a subset of the settings that are available in a nonlocal Group Policy object. Local Group
Policy object settings can be overwritten by nonlocal settings if they are in conflict; otherwise, both
groups of settings apply. For more information, see Local Group Policy.
Nonlocal Group Policy objects, which are stored on a domain controller, are available only in an
Active Directory environment. They apply to users and computers in the site, domain, or
organizational unit with which the Group Policy object is associated.
Labels: Active Directory

What Are Lingering Objects?


When restoring a backup file, Active Directory generally requires that the backup file be no more
than 180 days old. If you attempt to restore a backup that has expired, you may encounter problems
due to lingering objects.
A lingering object is a deleted AD object that re-appears (lingers) on the restored
domain controller (DC) in its local copy of Active Directory. This can happen if, after the
backup was made, the object was deleted on another DC more than 180 days ago.
When a DC deletes an object it replaces the object with a tombstone object. The tombstone
object is a placeholder that represents the deleted object. When replication occurs, the tombstone
object is transmitted to the other DCs, which causes them to delete the AD object as well.
Tombstone objects are kept for 180 days, after which they are garbage-collected and removed.
If a DC is restored from a backup that contains an object deleted elsewhere, the object will reappear on the restored DC. Because the tombstone object on the other DCs has been removed,
the restored DC will not receive the tombstone object (via replication), and so it will never be
notified of the deletion. The deleted object will linger in the restored local copy of Active Directory.
How to Remove Lingering Objects

Windows Server 2003 and 2008 have the ability to manually remove lingering objects using the
console utility REPADMIN.EXE. Use the command:

REPADMIN.EXE /removelingeringobjects .
Labels: Active Directory, L3

Why can't you restore a DC that was backed up 4 months ago?


When restoring a backup file, Active Directory generally requires that the backup file be no more
than 180 days old. If you attempt to restore a backup that has expired, you may encounter problems
due to lingering objects.
Labels: Active Directory, L2, Wintel
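The two answers above (lingering objects and the backup-age rule) come together in a pre-restore check: compare the backup date with the forest's actual tombstone lifetime, then run REPADMIN in advisory mode to find lingering objects before deleting anything. This is an added example, not from the original page; it assumes the ActiveDirectory module and repadmin.exe, and the DC names and backup date are constructed.

```powershell
# Added example, not from the original page: check a System State backup against the forest's
# tombstone lifetime before restoring it, then look for lingering objects in advisory mode.
# Assumes the ActiveDirectory module and repadmin.exe; DC names and the backup date are constructed.
Import-Module ActiveDirectory

$BackupDate  = Get-Date '2015-02-25'   # constructed: when the System State backup was taken
$RestoredDc  = 'DC02'                  # hypothetical DC restored from that backup (destination)
$ReferenceDc = 'DC01'                  # hypothetical healthy DC used as the comparison source

# The tombstone lifetime is an attribute in the Configuration partition, so read it rather than
# assuming 180 days; if the attribute is unset the forest uses the old 60-day default.
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
                      -Properties tombstoneLifetime
$tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

$ageDays = ((Get-Date) - $BackupDate).Days
Write-Output "Backup age: $ageDays days; tombstone lifetime: $tsl days"
if ($ageDays -ge $tsl) {
    Write-Warning "Backup is older than the tombstone lifetime; restoring it risks lingering objects."
}

# repadmin /removelingeringobjects <destination DC> <source DSA GUID> <naming context> [/advisory_mode]
# The source GUID is the objectGUID of the reference DC's NTDS Settings object, not its InvocationId.
$ntdsDn   = (Get-ADDomainController -Identity $ReferenceDc).NTDSSettingsObjectDN
$srcGuid  = (Get-ADObject -Identity $ntdsDn).ObjectGUID.ToString()
$domainNc = (Get-ADDomain).DistinguishedName

# Advisory mode only reports (Directory Service event log on the destination DC); re-run without
# the switch once the report has been reviewed to actually delete the lingering objects.
repadmin /removelingeringobjects $RestoredDc $srcGuid $domainNc /advisory_mode
```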

How do you change the DS Restore admin password?


To Reset the DSRM Administrator Password
1. Click, Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
3. At the DSRM command prompt, type one of the following lines:
o To reset the password on the server on which you are working, type reset password on server
null. The null variable assumes that the DSRM password is being reset on the local computer.
Type the new password when you are prompted. Note that no characters appear while you type
the password.
-or-
o To reset the password for another server, type reset password on server servername,
where servername is the DNS name for the server on which you are resetting the DSRM password.
Type the new password when you are prompted. Note that no characters appear while you type
the password.
4. At the DSRM command prompt, type q.
5. At the Ntdsutil command prompt, type q to exit.
Labels: Active Directory

How do you backup AD?


Backing up Active Directory is essential to maintain the proper health of the Active Directory
database. Backing up Active Directory is done on one or more of your Active Directory domain
controllers (DCs), and is performed by backing up the System State on those servers. The
System State contains the local Registry, COM+ Class Registration Database, the System Boot
Files, certificates from Certificate Server (if it is installed), Cluster database (if it is installed),
NTDS.DIT, and the SYSVOL folder.


Windows Server 2003
You can backup Active Directory by using the NTBACKUP tool that comes built-in with Windows
Server 2003, or use any 3rd-party tool that supports this feature.
Method #1: Using NTBACKUP
1. Open NTBACKUP either by going to Run, typing NTBACKUP and pressing Enter, or by going
to Start -> Accessories -> System Tools.
2. If you are prompted by the Backup or Restore Wizard, I suggest you un-check the "Always
Start in Wizard Mode" checkbox, and click on the Advanced Mode link.
3. Inside NTBACKUP's main window, click on the Backup tab.
4. Click to select the System State checkbox. Note you cannot manually select components of
the System State backup. It's all or nothing.
5. Enter a backup path for the BKF file. If you're using a tape device, make sure NTBACKUP is
aware and properly configured to use it.
6. Press Start Backup.
7. The Backup Job Information pops out, allowing you to configure a scheduled backup job and
other settings. For the System State backup, do not change any of the other settings except the
schedule, if so desired. When done, press Start Backup.
8. After a few moments of configuration tasks, NTBACKUP will begin the backup job.
9. When the backup is complete, review the output and close NTBACKUP.
10. Next, you need to properly label and secure the backup file/tape and if possible, store a copy
of it on a remote and secure location.
Method #2: Using the Command Prompt
1. You can use the command line version of NTBACKUP in order to perform backups from the
Command Prompt.
2. For example, to create a backup job named "System State Backup Job" that backs up the
System State data to the file D:\system_state_backup.bkf, type:
ntbackup backup systemstate /J "System State Backup Job" /F "D:\system_state_backup.bkf"
Windows Server 2008
Before you can backup Server 2008 you need to install the backup features from the Server
Manager.
1. To install the backup features, click Start, then Server Manager.
2. Next, click Features, then Add Features.
3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools.
In Server 2008, there isn't an option to back up the System State data through the normal
backup utility. We need to go to the command line to back up Active Directory.
1. Open up your command prompt by clicking Start and type cmd and hit enter.
2. In your command prompt type wbadmin start systemstatebackup -backuptarget:e: and
press enter.
Note: You can use a different backup target of your choosing
3. Type y and press enter to start the backup process.
When the backup is finished running you should get a message that the backup completed
successfully. If it did not complete properly you will need to troubleshoot.
Windows Server 2008 R2
1. Open Windows Server Backup
2. In action panel click Backup Once
3. Make sure Different Options is selected, click Next
4. Choose Custom, click Next
5. Click Add Items
6. Select System State, click Next
7. Specify Backup Destination, Local drive (Apart from System Volume) or Network Share
8. Click Backup to start System State Backup
9. You may close the wizard and the backup operation will continue to run in background.
Labels: Active Directory, L2, Wintel

How do you configure a "stand-by operation master" for any of the roles?


No utilities or special steps are required to designate a domain controller as a standby
operations master. However, the current operations master and the standby operations
master should be well connected. Well connected means that the network connection
between them must support at least a 10-megabit transmission rate and be available at all times.
In addition, creating a manual connection object between the standby domain controller and the
operations master will ensure direct replication between the two operations masters. By making
the operations master and the standby operations master direct replication partners, you reduce
the chance of data loss in the event of a role seizure, which reduces the chance of directory
corruption.
To ensure that the current operations master role holder and the standby operations master are
replication partners, you can manually create connection objects between the two domain
controllers. Even if a connection object is generated automatically, we recommend that you
manually create a connection object on both the operations master and the standby operations
master. The replication system can alter automatically created connection objects anytime.
Manually created connections remain the same until an administrator changes them.
You can use this procedure to create the following:
A manual connection object that designates the standby server as the From Server on
the NTDS Settings object of the operations master
A manual connection object that designates the operations master server as the From
Server on the NTDS Settings object of the standby server
Administrative credentials
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure.
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and
Services.
2. Expand the site name in which the current operations master role holder is located to
display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. To create a connection object from the standby server on the current operations master,
expand the name of the operations master server on which you want to create the
connection object to display its NTDS Settings object.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Active Directory Domain Controllers dialog box, select the name of the
standby server from which you want to create the connection object, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the connection
object or accept the default name, and then click OK.
8. To create a connection object from the current operations master to the standby server,
repeat steps 4 through 7, but in step 4, expand the name of the standby server. In step 6,
select the name of the current operations master.
Labels: Active Directory

What is the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?


Seizing an FSMO can be a destructive process and should only be attempted if the existing server
with the FSMO is no longer available.
If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO
NOT seize the Schema Master role.
If you are going to seize the Schema Master, you must permanently disconnect the
current Schema Master from the network.
If you seize the Schema Master role, the boot drive on the original Schema Master must be
completely reformatted and the operating system must be cleanly installed, if you intend to return
this computer to the network.
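The standby-operations-master answer and the transfer-versus-seize answer above can be checked and acted on from PowerShell: list the current role holders, verify that the standby has manual connection objects in both directions with the holder, and transfer the role gracefully while the holder still answers, refusing to seize the Schema Master from a holder that is merely unreachable. This is an added example, not from the original page; it assumes the ActiveDirectory module, and the DC names are hypothetical.

```powershell
# Added example, not from the original page: list the FSMO holders, confirm the standby is a direct
# replication partner of the role holder, and transfer the role while the holder is reachable
# instead of seizing it. Assumes the ActiveDirectory module; DC names are hypothetical.
Import-Module ActiveDirectory

$Standby = 'DC02'            # hypothetical standby operations master
$Role    = 'SchemaMaster'    # PDCEmulator | RIDMaster | InfrastructureMaster | SchemaMaster | DomainNamingMaster

$forest = Get-ADForest
$domain = Get-ADDomain
Write-Output "Schema: $($forest.SchemaMaster)   DomainNaming: $($forest.DomainNamingMaster)"
Write-Output "PDC: $($domain.PDCEmulator)   RID: $($domain.RIDMaster)   Infra: $($domain.InfrastructureMaster)"

$holderFqdn = switch ($Role) {
    'SchemaMaster'         { $forest.SchemaMaster }
    'DomainNamingMaster'   { $forest.DomainNamingMaster }
    'PDCEmulator'          { $domain.PDCEmulator }
    'RIDMaster'            { $domain.RIDMaster }
    'InfrastructureMaster' { $domain.InfrastructureMaster }
}
$holder = Get-ADDomainController -Identity $holderFqdn

# A manual connection object in each direction makes the pair direct replication partners, which is
# what limits data loss if a seizure is ever needed. KCC-generated ones can be rewritten at any time.
$links = Get-ADReplicationConnection -Filter * | Where-Object {
    ($_.ReplicateToDirectoryServer   -like "CN=NTDS Settings,CN=$Standby,*" -and
     $_.ReplicateFromDirectoryServer -like "CN=NTDS Settings,CN=$($holder.Name),*") -or
    ($_.ReplicateToDirectoryServer   -like "CN=NTDS Settings,CN=$($holder.Name),*" -and
     $_.ReplicateFromDirectoryServer -like "CN=NTDS Settings,CN=$Standby,*")
}
if (@($links).Count -lt 2) {
    Write-Warning "Missing a connection object in one direction; create it in AD Sites and Services."
} elseif ($links | Where-Object { $_.AutoGenerated }) {
    Write-Warning "At least one connection object is KCC-generated, not manual; the KCC may alter it."
}

# Transfer is the graceful path and only works while the holder answers. Seizure (-Force) is the
# last resort; for the Schema Master it is only acceptable when the old holder is permanently off
# the network and will be rebuilt, so a merely unreachable holder does not trigger a seizure here.
$reachable = Test-Connection -ComputerName $holderFqdn -Count 2 -Quiet
if ($reachable) {
    Move-ADDirectoryServerOperationMasterRole -Identity $Standby -OperationMasterRole $Role -Confirm:$false
} elseif ($Role -ne 'SchemaMaster') {
    Move-ADDirectoryServerOperationMasterRole -Identity $Standby -OperationMasterRole $Role -Force -Confirm:$false
} else {
    Write-Warning "Schema Master holder $holderFqdn is unreachable; not seizing. Seize only after it is permanently decommissioned."
}
```

Ping reachability is a coarse check; before a transfer, confirm replication health with repadmin /showrepl on both DCs as well.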
