
L2 Support-Windows Server Interview Questions & Answers

Active Directory
Active Directory is a centralized and standardized system that stores information about objects in a network and
makes this information available to users and network administrators.
Domain Controller
In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active
Directory database, participates in Active Directory replication, and controls access to network resources.
Global catalog server
A global catalog server is a domain controller that stores information about all objects in the forest. Like all
domain controllers, a global catalog server stores full, writable replicas of the schema and configuration
directory partitions and a full, writable replica of the domain directory partition for the domain that it is hosting.
In addition, a global catalog server stores a partial, read-only replica of every other domain in the forest. Partial
replicas are stored on Global Catalog servers so that searches of the entire directory can be achieved without
requiring referrals from one domain controller to another.
The partial replica of other domains holds only a subset of each object's attributes (for example first name, last
name, phone numbers and addresses); attribute-level security for this partial attribute set was improved in Windows Server 2003.
Organizational Units (OUs) are administrative-level containers that allow administrators to organize groups of
users together so that changes, security privileges, or other administrative tasks can be accomplished more
efficiently.
Windows Domain is a logical grouping of computers that share common security and user account information.
A Windows forest is a group of one or more trusted Windows trees. The trees do not need to have contiguous
DNS names. A forest shares a schema and global catalog servers. A single tree can also be called a forest.
A Windows tree is a group of one or more trusted Windows domains with contiguous DNS domains. Trusted
means that an authenticated account from one domain isn't rejected by another domain. Contiguous DNS
domains means that they all have the same root DNS name.
Sites are manually defined groupings of subnets. Objects in a site share the same global catalog servers, and can
have a common set of group policies applied to them.
The schema defines what attributes, objects, classes, and rules are available in the Active Directory.
SID (Security Identifier):
The SID is a unique name (alphanumeric character string) that is used to identify an object, such as a user or a
group of users.
Group Policy objects (GPO):
A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object consisting of a
Group Policy container (GPC) and a Group Policy template (GPT).
Password history is stored under:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Group Policy Container (GPC)
The Group Policy container (GPC) is an Active Directory container that contains GPO properties, such as
version information, GPO status, plus a list of other component settings.
Group Policy Template (GPT)
The Group Policy template (GPT) is a file system folder that includes policy data specified by .adm files,
security settings, script files, and information about applications that are available for installation. The GPT is
located in the system volume folder (SysVol) in the domain \Policies sub-folder.
Filtering the Scope of a GPO

By default, a GPO affects all users and computers that are contained in the linked site, domain, or organizational
unit. The administrator can further specify the computers and users that are affected by a GPO by using
membership in security groups.
Starting with Windows 2000, the administrator can add both computers and users to security groups. Then the
administrator can specify which security groups are affected by the GPO by using the Access Control List
Knowledge Consistency Checker (KCC)
The Knowledge Consistency Checker (KCC) is a Windows component that automatically generates and
maintains the intra-site and inter-site replication topology.
1. What is the purpose of having AD?
Active Directory is a directory service that identifies all resources on a network and makes that information
available to users and services. The main purpose of AD is to control and authenticate network resources.
2. Explain the sysvol folder.
The sysvol folder stores the server's copy of the domain's public files. The contents such as group policy, users,
and groups of the sysvol folder are replicated to all domain controllers in the domain. The sysvol folder must be
located on an NTFS volume.
3. Explain the functions of Active Directory.
AD enables centralization in a domain environment. The main purpose of AD is to control and authenticate
network resources.
4. What is the name of the AD database?
The AD database is NTDS.DIT.
5. Explain briefly about AD Partition?
The Active Directory database is logically separated into directory partitions:
Schema Partition: Only one schema partition exists per forest. The schema partition is stored on all domain
controllers in a forest. It contains definitions of all objects and attributes that you can create in the directory, and
the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the
forest.
Configuration Partition: There is only one configuration partition per forest. Stored on all domain controllers
in a forest, the configuration partition contains information about the forest-wide Active Directory structure,
including what domains and sites exist, which domain controllers exist in each forest, and which services are
available. Configuration information is replicated to all domain controllers in a forest.
Domain Partition: Many domain partitions can exist per forest. Domain partitions are stored on each domain
controller in a given domain. A domain partition contains information about users, groups, computers and
organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in
every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.
Application Partition: Application partitions store information about application in Active Directory. Each
application determines how it stores, categorizes, and uses application specific information. To prevent
unnecessary replication to specific application partitions, you can designate which domain controllers in a forest
host specific application partitions. Unlike a domain partition, an application partition cannot store security
principal objects, such as user accounts. In addition, the data in an application partition is not stored in the
global catalog.

6. Explain the different zones involved in a DNS server.
DNS has two different zones, the Forward Lookup Zone and the Reverse Lookup Zone. These two zones are
each categorized into three zone types, as follows:
Primary zone: It contains the read and writable copy of the DNS Database.
Secondary Zone: It acts as a backup for the primary zone and contains the read only copy of the DNS database.
Stub zone: It is also read-only like a secondary zone; stub zone contains only SOA, copies of NS and A records
for all name servers authoritative for the zone.
7. Explain briefly about stub zones.
A stub zone is also read-only like a secondary zone, so administrators can't manually add, remove, or modify
resource records on it. But whereas secondary zones contain copies of all the resource records in the corresponding
zone on the master name server, stub zones contain only three kinds of resource records:
A copy of the SOA record for the zone.
Copies of NS records for all name servers authoritative for the zone.
Copies of A records for all name servers authoritative for the zone.
8. Explain File Replication Service (FRS).
File Replication Service is a Microsoft service that replicates folders stored in the SYSVOL shared folder on
domain controllers and in Distributed File System shared folders. This service is a part of Microsoft's Active
Directory service.
9. What is authoritative and non-authoritative restore?
Nonauthoritative restore: When a nonauthoritative restore is performed, Active Directory is restored from
backup media on the domain controller. This information is then updated during replication from the other
domain controllers. The nonauthoritative restore method is the default method to restore system state data to a
domain controller.
Authoritative restore: In an authoritative restore, Active Directory is restored to the state of the last backup
job. This method is typically used to recover Active Directory objects that were deleted in error. An
authoritative restore is performed by first performing a nonauthoritative restore, and then running the Ntdsutil
utility prior to restarting the server. You use the Ntdsutil utility to indicate those items that are authoritative.
Items that are marked as authoritative are not updated when the other domain controllers replicate to the
particular domain controller.
10. What replication protocols are involved in replication between the PDC and ADCs?
Normally Remote Procedure Call (RPC) is used to replicate data and is always used for intrasite replication,
since it is required to support FRS. RPC depends on IP (Internet Protocol) for transport.
Simple Mail Transfer Protocol (SMTP) may be used for replication between sites.
11. What are the benefits of AD-integrated DNS?
A few advantages that Active Directory-integrated zone implementations have over standard primary zone
implementations are:
Active Directory replication is faster, which means that the time needed to transfer zone data between zones
is far less.
The Active Directory replication topology is used for Active Directory replication and for Active
Directory-integrated zone replication. There is no longer a need for separate DNS zone replication when DNS and
Active Directory are integrated.
Active Directory-integrated zones can enjoy the security features of Active Directory.
The need to manage your Active Directory domains and DNS namespaces as separate entities is eliminated.
This in turn reduces administrative overhead.
When DNS and Active Directory are integrated, the Active Directory-integrated zones are replicated to, and
stored on, any new domain controllers automatically. Synchronization takes place automatically when new
domain controllers are deployed.

12. Explain some types of DNS records.
A Record: Binds a host name to an IP address.
PTR Record: Binds an IP address to a host name.
NS Record: Gives the name of a DNS server authoritative for the zone.
MX Record: Identifies the mail exchanger responsible for receiving mail from other MTAs.
13. How many tables are there in NTDS.DIT?
The Active Directory ESE database, NTDS.DIT, consists of the following tables:
Schema table: the types of objects that can be created in the Active Directory, relationships between them, and
the optional and mandatory attributes on each type of object. This table is fairly static and much smaller than the
data table.
Link table: contains linked attributes, which contain values referring to other objects in the Active Directory.
Take the Member Of attribute on a user object. That attribute contains values that reference groups to which the
user belongs. This is also far smaller than the data table.
Data table: users, groups, application-specific data, and any other data stored in the Active Directory. The data
table can be thought of as having rows where each row represents an instance of an object such as a user, and
columns where each column represents an attribute in the schema such as Given Name.
14. What is the purpose of the command NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is
used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
15. What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain
controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as
RepsFrom and RepsTo) as seen from the perspective of each domain controller.
16. What is the purpose of the command replmon?
Replmon displays information about Active Directory replication.
17. How will you take a backup of the registry using NTBACKUP?
Using System State.
18. Explain briefly about superscopes.
Using a superscope, you can group multiple scopes as a single administrative entity. With this feature, a DHCP
server can support DHCP clients on a single physical network segment (such as a single Ethernet LAN
segment) where multiple logical IP networks are used. When more than one logical IP network is used on each
physical subnet or network, such configurations are often called multinets.
19. Explain how a client obtains an IP address from a DHCP server.
It's a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection and (d) acknowledgement.
20. Explain about SRV Record.
For mapping a DNS domain name to a specified list of DNS host computers that offer a specific type of service,
such as Active Directory domain controllers.
21. How do clients get authenticated with the Active Directory server?
Using the PDC Emulator role involved in FSMO.
If you create a user name or computer name that already exists, AD throws an error that the object already exists.
22. Can you explain how AD identifies the existing object?
Using RID Master roles involved in FSMO.
22. What are the advantages of having RAID 5?
Stripe set with distributed parity. Fault tolerance. 100% data guarantee.
23. How will you verify a successful Active Directory installation?
Check DNS services and errors, check for domain name resolution, check for RPC, NTFRS, DNS and
replication related errors
24. Group Policy file extension in Windows 2003 Server
*.adm files
25. What is Global Catalog?
Global Catalog is a server which maintains the information about multiple domains with trust relationship
agreement. The global catalog is a distributed data repository that contains a searchable, partial representation of
every object in every domain in a multidomain Active Directory forest.
26. What is the Active Directory schema?
The Active Directory schema contains formal definitions of every object class that can be created in an Active
Directory forest; it also contains formal definitions of every attribute that can exist in an Active Directory forest.
27. What is a site?
One or more well-connected, highly reliable and fast TCP/IP subnets. A site allows an administrator to configure
Active Directory access and replication topology to take advantage of the physical network.
28. What is the file that's responsible for keeping the whole Active Directory database?
Schema master.
29. What is the ntds.dit file default size?
30. What's the difference between local, global and universal groups?
Domain local groups assign access permissions to global domain groups for local domain resources.
Global groups provide access to resources in other trusted domains.
Universal groups grant access to resources in all trusted domains.
31. I am trying to create a new universal user group. Why can't I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires
that all domain controllers be promoted to Windows Server 2003 Active Directory.
32. What is LSDOU?
It's the Group Policy inheritance model, in which policies are applied in the order Local machine, Site, Domain
and Organizational Units.
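The LSDOU order above decides which value wins when two levels configure the same setting. The following is an added example (not code from the original document) that models the resolution order as a small Python function: local policy first, then Site, Domain and OUs, with a later level overriding an earlier one. It goes a step beyond the text by also modelling Block Inheritance and Enforced links, which are the two standard exceptions to plain LSDOU precedence. The container names, GPO names and setting names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict          # policy setting name -> value
    enforced: bool = False  # "Enforced" (No Override) link


@dataclass
class Container:
    """A Site, Domain or OU with its linked GPOs, in processing order
    (lowest link precedence first, so the last GPO in the list wins)."""
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False


def resolve_policy(local_settings, chain):
    """Return {setting: (value, source)} for an object whose container chain is
    site -> domain -> OU -> ... -> innermost OU (LSDOU order).

    Rules modelled here (a model of the engine, not the engine itself):
      1. Local policy is applied first and has the lowest precedence.
      2. Non-enforced GPOs are applied Site, Domain, OU; a later level overrides
         an earlier one for the same setting; unconfigured settings are inherited.
      3. Block Inheritance on a container discards non-enforced GPOs linked above it.
      4. Enforced GPOs ignore Block Inheritance and are applied last, innermost
         OU first, so the highest-level enforced GPO wins any conflict.
    """
    result = {k: (v, "Local") for k, v in local_settings.items()}

    # The deepest container that blocks inheritance cuts off everything above it.
    cutoff = 0
    for i, c in enumerate(chain):
        if c.block_inheritance:
            cutoff = i

    for c in chain[cutoff:]:
        for g in c.gpos:
            if not g.enforced:
                for k, v in g.settings.items():
                    result[k] = (v, f"{c.name}/{g.name}")

    for c in reversed(chain):
        for g in c.gpos:
            if g.enforced:
                for k, v in g.settings.items():
                    result[k] = (v, f"{c.name}/{g.name} (enforced)")

    return result


def demo():
    """Constructed hierarchy: Site:HQ -> Domain:corp.example -> OU:Corp -> OU:Finance."""
    site = Container("Site:HQ", [Gpo("Site-Screensaver", {"screensaver_timeout": 900})])
    domain = Container("Domain:corp.example", [
        Gpo("Default Domain Policy", {"min_password_length": 8}),
        Gpo("Password-Baseline", {"min_password_length": 12}, enforced=True),
    ])
    corp_ou = Container("OU:Corp", [Gpo("Corp-Desktop", {"wallpaper": "corp.jpg"})])
    finance_ou = Container("OU:Finance", [
        Gpo("Finance-Lax", {"min_password_length": 6, "screensaver_timeout": 600}),
    ], block_inheritance=True)
    local = {"screensaver_timeout": 300, "allow_cmd": True}
    return resolve_policy(local, [site, domain, corp_ou, finance_ou])


if __name__ == "__main__":
    for setting, (value, source) in sorted(demo().items()):
        print(f"{setting:22} = {value!r:12} from {source}")
```

In the demo the Finance OU blocks inheritance, so the site screensaver value and the Corp wallpaper never reach it, but the enforced domain password baseline still overrides the OU's weaker value; this is the usual way a domain-wide security baseline is protected from being loosened by OU administrators.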
33. What is the command used to change computer name, Make Client Member of Domain?
Using the command netdom

34. Difference between SID and GUID?

A security identifier (SID) is a unique value of variable length that is used to identify a security principal or
security group in Windows operating systems. Well-known SIDs are a group of SIDs that identify generic users
or generic groups. Their values remain constant across all operating systems.
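A SID is variable-length and structured, and the last sub-authority of an account SID is the RID that the RID master's pool allocation guarantees to be unique in the domain (see the RID Master role below). As an added example, not code from the original document, the following Python parses textual and binary SIDs, splits a domain account SID into domain part and RID, and recognises a few well-known SIDs and RIDs; the well-known tables are a deliberately small subset, and the sample domain SID values are constructed.

```python
import struct
from typing import NamedTuple

# Well-known SIDs are constant on every Windows installation (subset, for illustration).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

# Well-known relative IDs inside every domain; RIDs below 1000 are reserved.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


class Sid(NamedTuple):
    revision: int
    authority: int
    sub_authorities: tuple

    def __str__(self):
        tail = "".join(f"-{s}" for s in self.sub_authorities)
        return f"S-{self.revision}-{self.authority}{tail}"


def parse_sid(text):
    """Parse the textual form S-R-A-S1-S2-...; raises ValueError on malformed input."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {text!r}")
    return Sid(revision, authority, subs)


def sid_from_bytes(raw):
    """Decode the binary SID: revision(1), count(1), authority(6, big-endian),
    then `count` little-endian 32-bit sub-authorities. The length is variable."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return Sid(revision, authority, subs)


def sid_to_bytes(sid):
    n = len(sid.sub_authorities)
    return (bytes([sid.revision, n]) + sid.authority.to_bytes(6, "big")
            + struct.pack(f"<{n}I", *sid.sub_authorities))


def describe(sid):
    """Classify a SID as a well-known constant, a domain SID, or a domain account (domain SID + RID)."""
    text = str(sid)
    if text in WELL_KNOWN_SIDS:
        return {"kind": "well-known", "name": WELL_KNOWN_SIDS[text]}
    subs = sid.sub_authorities
    # Domain SIDs are S-1-5-21-<three 32-bit values>; account SIDs append a RID.
    if sid.authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[4]
        return {
            "kind": "domain-account",
            "domain_sid": str(Sid(1, 5, subs[:4])),
            "rid": rid,
            "name": WELL_KNOWN_RIDS.get(rid),
            # RIDs >= 1000 are handed out by each DC from a pool obtained from the RID master.
            "from_rid_pool": rid >= 1000,
        }
    if sid.authority == 5 and len(subs) == 4 and subs[0] == 21:
        return {"kind": "domain", "domain_sid": text}
    return {"kind": "other"}
```

Because the RID is the only part that differs between accounts of one domain, comparing SIDs rather than names is what lets Windows tell two objects apart even after a rename, which is also why deleting and re-creating an account with the same name yields a different SID and loses the old ACL entries.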
35. Explain FSMO in Details.
In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers.
The five FSMO roles are:
Schema Master: The schema master domain controller controls all updates and modifications to the schema. To
update the schema of a forest, you must have access to the schema master. There can be only one schema master
in the whole forest.
Domain naming master: The domain naming master domain controller controls the addition or removal of
domains in the forest. There can be only one domain naming master in the whole forest.
Infrastructure Master: The infrastructure is responsible for updating references from objects in its domain to
objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure
master in each domain.
Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID
master in the domain.
PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain
controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of
36. Which service is responsible for replicating files in SYSVOL folder?
File Replication Service (FRS)
37. Can you Move FSMO roles?
Yes. Moving an FSMO server role is a manual process; it does not happen automatically. But what if you only
have one domain controller in your domain? That is fine. If you have only one domain controller in your
organization then you have one forest, one domain, and of course the one domain controller. All 5 FSMO server
roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.
38. What permissions you should have in order to transfer a FSMO role?
Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to
Schema Master - member of the Schema Admins group
Domain Naming Master - member of the Enterprise Admins group
PDC Emulator - member of the Domain Admins group and/or the Enterprise Admins group
RID Master - member of the Domain Admins group and/or the Enterprise Admins group
Infrastructure Master - member of the Domain Admins group and/or the Enterprise Admins group
39. How to restore Group policy setting back to default?
The following command replaces both the Default Domain Security Policy and the Default Domain
Controller Security Policy. You can specify Domain or DC instead of Both to restore only one or the other:
dcgpofix /target:Both
40. What is caching only DNS Server?
When DNS is installed, and you do not add or configure any zones for the DNS server, the DNS server
functions as a caching-only DNS server by default. Caching-only DNS servers do not host zones, and are not
authoritative for any DNS domain. The information stored by caching-only DNS servers is the name resolution
data that the server has collected through resolving name resolution queries.
41. By Default how many shares in SYSVOL folder?
By default, a share with the domain name will be there under the SYSVOL folder.
Under the domain name share, two folders named Policies & Scripts will be there.
42. Zone not loaded by DNS server. How you troubleshoot?
Need to check Zone Transfer is enabled for all DNS Servers.
Also check the required Name Server has been added in the Authoritative Name Server Tab in DNS properties.
43. What is LDAP?
LDAP (Lightweight Directory Access Protocol) is an Internet protocol that email and other services use to
look up information from the server.
44. What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active
Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common
administrative tasks such as adding, deleting, and moving objects within a directory service.
45. What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers.
Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Using an application directory partition provides redundancy, availability or fault tolerance by replicating data
to a specific domain controller or any set of domain controllers anywhere in the forest.
46. How do you create a new application partition?
Use the DnsCmd command to create an application directory partition.
47. Why is a WINS server required?
Windows Internet Naming Service (WINS) is an older network service (a protocol) that takes computer names
as input and returns the numeric IP address of the computer with that name or vice versa.
48. What is the purpose of the command ntdsutil?
To transfer or seize FSMO Roles.
What is the difference between an authorized DHCP server and a non-authorized DHCP server?
To avoid network problems caused by misconfigured DHCP servers, a DHCP server in Windows 2000 must be
validated (authorized) by AD before it starts serving clients. If an unauthorized DHCP server finds an authorized
DHCP server on the network, it stops serving clients.
What is the difference between inter-site and intra-site replication, and which protocols are used for replication?
Intra-site replication is done between the domain controllers in the same site. Inter-site replication is
done between two different sites over WAN links.
Bridgehead servers (BHS) are responsible for initiating replication between sites. Inter-site replication is
done between the BHS in one site and the BHS in another site.
We can use RPC over IP or SMTP as replication protocols, whereas the domain partition cannot be
replicated using SMTP.
How do you monitor replication?
We can use the Replmon tool from the Support Tools.
Brief explanation of RAID levels
Microsoft Windows XP, Windows 2000 and Windows Server 2003 offer two types of disk storage: basic and dynamic.
Basic Disk Storage
Basic storage uses normal partition tables supported by MS-DOS, Microsoft Windows 95, Microsoft Windows
98, Microsoft Windows Millennium Edition (Me), Microsoft Windows NT, Microsoft Windows 2000, Windows
Server 2003 and Windows XP. A disk initialized for basic storage is called a basic disk. A basic disk contains
basic volumes, such as primary partitions, extended partitions, and logical drives. Additionally, basic volumes
include multidisk volumes that are created by using Windows NT 4.0 or earlier, such as volume sets, stripe sets,
mirror sets, and stripe sets with parity. Windows XP does not support these multidisk basic volumes. Any
volume sets, stripe sets, mirror sets, or stripe sets with parity must be backed up and deleted or converted to
dynamic disks before you install Windows XP Professional.
Dynamic Disk Storage
Dynamic storage is supported in Windows XP Professional, Windows 2000 and Windows Server 2003. A disk
initialized for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes, such as
simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes. With dynamic
storage, you can perform disk and volume management without the need to restart Windows.
Note: Dynamic disks are not supported on portable computers or on Windows XP Home Edition-based computers.
You cannot create mirrored volumes or RAID-5 volumes on Windows XP Home Edition, Windows XP
Professional, or Windows XP 64-Bit Edition-based computers. However, you can use a Windows XP
Professional-based computer to create a mirrored or RAID-5 volume on remote computers that are running
Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server, or the
Standard, Enterprise and Data Center versions of Windows Server 2003.
Storage types are separate from the file system type. A basic or dynamic disk can contain any combination of
FAT16, FAT32, or NTFS partitions or volumes.
A disk system can contain any combination of storage types. However, all volumes on the same disk must use
the same storage type.
To convert a Basic Disk to a Dynamic Disk:
Use the Disk Management snap-in in Windows XP/2000/2003 to convert a basic disk to a dynamic disk. To do
this, follow these steps:
1. Log on as Administrator or as a member of the Administrators group.
2. Click Start, and then click Control Panel.
3. Click Performance and Maintenance, click Administrative Tools, and then double-click Computer
Management. You can also right-click My Computer and choose Manage if you have My Computer displayed
on your desktop.
4. In the left pane, click Disk Management.
5. In the lower-right pane, right-click the basic disk that you want to convert, and then click Convert to
Dynamic Disk. You must right-click the gray area that contains the disk title on the left side of the Details pane.
6. Select the check box that is next to the disk that you want to convert (if it is not already selected), and then
click OK.
7. Click Details if you want to view the list of volumes in the disk. Click Convert.
8. Click Yes when you are prompted to convert the disk, and then click OK.
Warning: After you convert a basic disk to a dynamic disk, local access to the dynamic disk is limited to
Windows XP Professional, Windows 2000 and Windows Server 2003. Additionally, after you convert a basic
disk to a dynamic disk, the dynamic volumes cannot be changed back to partitions. You must first delete all
dynamic volumes on the disk and then convert the dynamic disk back to a basic disk. If you want to keep your
data, you must first back up the data or move it to another volume.
Dynamic Storage Terms
A volume is a storage unit made from free space on one or more disks. It can be formatted with a file system
and assigned a drive letter. Volumes on dynamic disks can have any of the following layouts: simple, spanned,
mirrored, striped, or RAID-5.
A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple,
concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a
simple volume is extended across multiple disks, it becomes a spanned volume.
A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a
spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant.
A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this
type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be
mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0.
A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on
one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be
accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.
A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity
(a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a
physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be re-created from the
remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.
The system volume contains the hardware-specific files that are needed to load Windows (for example, Ntldr,
Boot.ini, and Ntdetect.com). The system volume can be, but does not have to be, the same as the boot volume.
The boot volume contains the Windows operating system files that are located in the %Systemroot% and
%Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.
RAID 0 - Striping
RAID 1 - Mirroring (minimum 2 HDDs required)
RAID 5 - Striping with parity (minimum 3 HDDs required)
Only RAID levels 1 and 5 give redundancy.
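The RAID-5 description above says parity is striped across the array and that a failed disk's share of the volume can be re-created from the remaining data and the parity. The following added example (not code from the original document) shows the mechanism in Python: it lays constructed data out across N disks with rotating XOR parity, rebuilds one missing disk from the survivors, and refuses to rebuild when two disks are missing, which is the single-failure limit the text implies. Chunk sizes and the data string are constructed for the demonstration.

```python
from functools import reduce
from operator import xor


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks: this is the parity operation."""
    return bytes(reduce(xor, column) for column in zip(*blocks))


def parity_disk(stripe, ndisks):
    """Rotate the parity chunk across disks so no single disk becomes a hot spot."""
    return (ndisks - 1 - stripe) % ndisks


def build_raid5(data, ndisks=3, chunk=4):
    """Lay `data` out as RAID-5: each stripe holds ndisks-1 data chunks plus one
    parity chunk. Returns a list of per-disk chunk lists."""
    if ndisks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    per_stripe = (ndisks - 1) * chunk
    nstripes = -(-len(data) // per_stripe)           # ceiling division
    data = data.ljust(nstripes * per_stripe, b"\0")  # zero-pad the last stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(nstripes):
        base = s * per_stripe
        chunks = [data[base + i * chunk: base + (i + 1) * chunk] for i in range(ndisks - 1)]
        parity = xor_blocks(chunks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk(s, ndisks) else next(it))
    return disks


def rebuild_disk(disks, failed):
    """Reconstruct one failed disk (its slot holds None) by XORing the survivors.
    Returns None if more than one disk is missing: RAID-5 tolerates a single failure."""
    if sum(d is None for d in disks) != 1 or disks[failed] is not None:
        return None
    survivors = [d for i, d in enumerate(disks) if i != failed]
    nstripes = len(survivors[0])
    # Data XOR parity across a stripe is zero, so the missing chunk is the XOR of the rest.
    return [xor_blocks([d[s] for d in survivors]) for s in range(nstripes)]


def read_volume(disks):
    """Read the logical data back in order, skipping parity chunks (all disks present)."""
    ndisks, nstripes = len(disks), len(disks[0])
    out = b""
    for s in range(nstripes):
        p = parity_disk(s, ndisks)
        out += b"".join(disks[d][s] for d in range(ndisks) if d != p)
    return out


def usable_fraction(ndisks):
    """Capacity left for data: one disk's worth of the array is consumed by parity."""
    return (ndisks - 1) / ndisks


if __name__ == "__main__":
    disks = build_raid5(b"The quick brown fox jumps over the lazy dog", ndisks=4, chunk=4)
    lost = disks[2]
    disks[2] = None
    print("rebuilt disk 2 correctly:", rebuild_disk(disks, 2) == lost)
```

The rebuild reads every surviving disk in full, which is why a second failure during a long rebuild is the classic RAID-5 risk and why RAID-5 is not a substitute for the backup strategies listed further down.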

What different backup strategies are available?
Normal Backup
Incremental Backup
Differential Backup
Daily Backup
Copy Backup
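The five NTBACKUP job types listed above differ in two things: which files they select and whether they clear the archive attribute afterwards. The following added example (not code from the original document) simulates a week of backups over a constructed three-file set so that the difference between incremental and differential, and the restore chain each requires, can be seen directly; file names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class File:
    name: str
    modified: date
    archive: bool = True   # archive attribute: set whenever the file changes


def run_backup(kind, files, today):
    """Select files for one job and update archive bits the way the five
    NTBACKUP job types do. Returns the sorted names that were backed up."""
    if kind in ("normal", "copy"):
        selected = list(files)                                # everything
    elif kind in ("incremental", "differential"):
        selected = [f for f in files if f.archive]            # changed since last normal/incremental
    elif kind == "daily":
        selected = [f for f in files if f.modified == today]  # changed today only
    else:
        raise ValueError(kind)
    # Only normal and incremental clear the archive bit; differential, copy and
    # daily leave it alone, so they do not disturb an existing rotation.
    if kind in ("normal", "incremental"):
        for f in selected:
            f.archive = False
    return sorted(f.name for f in selected)


def modify(files, name, today):
    """Simulate a write to `name`: the OS sets the archive attribute again."""
    for f in files:
        if f.name == name:
            f.modified = today
            f.archive = True


def restore_set(history):
    """Given [(kind, label), ...] in chronological order, return the jobs needed to
    restore to the end: the last normal plus every later incremental, or the last
    normal plus only the most recent differential."""
    last_normal = max(i for i, (kind, _) in enumerate(history) if kind == "normal")
    later = history[last_normal + 1:]
    needed = [history[last_normal]] + [h for h in later if h[0] == "incremental"]
    differentials = [h for h in later if h[0] == "differential"]
    if differentials:
        needed.append(differentials[-1])
    return needed


def week(strategy):
    """Monday normal backup, then Tue/Wed/Thu jobs of `strategy`, one file changing each day."""
    mon = date(2024, 1, 1)
    days = [date(2024, 1, d) for d in (2, 3, 4)]
    files = [File("payroll.xlsx", mon), File("ntds.bak", mon), File("readme.txt", mon)]
    log = [("normal", run_backup("normal", files, mon))]
    for day, changed in zip(days, ["payroll.xlsx", "ntds.bak", "payroll.xlsx"]):
        modify(files, changed, day)
        log.append((strategy, run_backup(strategy, files, day)))
    return log


if __name__ == "__main__":
    for strategy in ("incremental", "differential", "daily", "copy"):
        print(strategy, [names for _, names in week(strategy)])
```

Incremental jobs stay small but a restore needs the normal backup plus every incremental since, in order; differential jobs grow through the week but a restore needs only the normal backup and the latest differential. Copy and daily jobs never clear the archive bit, which makes them safe to run ad hoc without breaking the chain.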
What is a global catalog?
Global catalog is a role which maintains indexes about objects. It contains full information about the objects in its
own domain and partial information about the objects in other domains. Universal group membership information
is stored in global catalog servers and replicated to all GCs in the forest.
What is Active Directory and what is its use?
Active Directory is a directory service which maintains the relationships between resources and enables them
to work together. Because of AD's hierarchical structure, Windows 2000 is more scalable and reliable. Active
Directory is derived from the X.500 standards, where information is stored in a hierarchical, tree-like structure.
Active Directory depends on two Internet standards: one is DNS and the other is LDAP. Information in Active
Directory can be queried by using the LDAP protocol.
What is the physical and logical structure of AD?
Active Directory's physical structure is a hierarchical structure which follows Forests -> Trees -> Domains ->
Child Domains -> Grandchild Domains, etc.
Active Directory is logically divided into 3 partitions:
1. Configuration partition 2. Schema partition 3. Domain partition 4. Application partition (only in Windows
2003; not available in Windows 2000)
Out of these, the Configuration and Schema partitions are replicated between the domain controllers in the
entire forest, whereas the Domain partition is replicated between the domain controllers in the same domain.
What is the process of user authentication (Kerberos V5) in windows 2000?
After giving logon credentials, an encryption key is generated which is used to encrypt the time stamp of
the client machine. The user name and encrypted time stamp information are provided to the domain controller for
authentication. Then the domain controller, based on the password information stored in AD for that user, decrypts
the encrypted time stamp information. If the produced time stamp matches its own time stamp, it provides a logon
session key and a Ticket Granting Ticket to the client in encrypted form. Again the client decrypts, and if the produced
time stamp information matches, it uses the logon session key to log on to the domain. The Ticket Granting
Ticket is used to generate a service granting ticket when accessing network resources.
What are the port numbers for Kerberos, LDAP and Global Catalog?
Kerberos 88, LDAP 389, Global Catalog 3268
What is the use of LDAP (X.500 standard)?
LDAP is a directory access protocol which is used to exchange directory information from server to clients or
from server to servers.
What problems are generally encountered with DHCP?
The scope is full: no IP addresses are available for new machines.
Scope options are not configured properly, e.g. the default gateway.
Incorrect creation of scopes, etc.
What is the role responsible for time synchronization?
PDC Emulator is responsible for time synchronization. Time synchronization is important because Kerberos
authentication depends on time stamp information.
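The Kerberos logon description above (the client encrypting a time stamp with a password-derived key, and the domain controller decrypting it and comparing it with its own clock) and the note here that the PDC Emulator's time synchronization matters for Kerberos are two halves of one mechanism. The following added example (not code from the original document, and not the real Kerberos wire format) models that pre-authentication step in Python: a toy authenticated cipher built from HMAC stands in for Kerberos encryption, the KDC stores only derived keys, and the handler returns the RFC 4120 error names for a wrong password, a clock skew beyond the 5-minute default, and a replayed time stamp. Realm, principal and password values are constructed.

```python
import hashlib
import hmac
import os
import struct
from datetime import datetime, timedelta, timezone

MAX_CLOCK_SKEW = timedelta(minutes=5)   # Kerberos default tolerance between client and KDC clocks
NONCE_LEN, TAG_LEN = 16, 32


def derive_key(password, realm, principal):
    """Long-term key derived from the password (stand-in for the Kerberos string-to-key function)."""
    salt = (realm.upper() + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, 32)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key, plaintext, nonce=None):
    """Toy authenticated encryption: HMAC-derived keystream XOR plus an HMAC tag."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Return the plaintext, or None if the tag does not verify (wrong key or tampering)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def make_as_req(principal, password, realm, client_time):
    """Client side: encrypt the current time stamp with the password-derived key (PA-ENC-TIMESTAMP)."""
    key = derive_key(password, realm, principal)
    ts = struct.pack(">q", int(client_time.timestamp()))
    return {"principal": principal, "pa_enc_timestamp": seal(key, ts)}


class Kdc:
    """Domain-controller side of the exchange. Only derived keys are stored, never passwords."""

    def __init__(self, realm, accounts):
        self.realm = realm
        self.keys = {p: derive_key(pw, realm, p) for p, pw in accounts.items()}
        self.seen = set()   # (principal, timestamp) pairs already accepted, for replay detection

    def handle_as_req(self, req, kdc_time):
        key = self.keys.get(req["principal"])
        if key is None:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN"
        plaintext = unseal(key, req["pa_enc_timestamp"])
        if plaintext is None:
            return "KDC_ERR_PREAUTH_FAILED"      # wrong password: the time stamp does not decrypt
        client_time = datetime.fromtimestamp(struct.unpack(">q", plaintext)[0], timezone.utc)
        if abs(kdc_time - client_time) > MAX_CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW"             # clocks too far apart: this is why time sync matters
        if (req["principal"], client_time) in self.seen:
            return "KRB_AP_ERR_REPEAT"           # the same encrypted time stamp presented twice
        self.seen.add((req["principal"], client_time))
        return "AS_REP"   # a real KDC would now return the logon session key and the TGT
```

The skew check is what turns a drifted client clock into a logon failure even with the correct password, and the replay cache is why the encrypted value must be a fresh time stamp rather than a fixed secret; both are worth remembering when diagnosing Kerberos logon errors on machines whose time source is not the domain hierarchy.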
What is TTL and how do you set the TTL time in DNS?
TTL is the Time To Live setting, used for the amount of time that a record should remain in cache after name
resolution has happened.
We can set the TTL in the SOA (Start of Authority) record of the DNS zone.
How do you take a DNS, WINS and DHCP backup?
%SystemRoot%\system32\dns
%SystemRoot%\system32\WINS
%SystemRoot%\system32\DHCP
What is the Recovery Console?
The Recovery Console is a utility used to recover the system when it is not booting properly or not booting at all.
We can perform the following operations from the Recovery Console:
Copy, rename, or replace operating system files and folders
Enable or disable service or device startup the next time that you start the computer
Repair the file system boot sector or the Master Boot Record
Create and format partitions on drives
What is DFS and its usage?
DFS is a distributed file system used to provide a common environment for users to access files and folders even
when they are physically shared on different servers.
There are two types of DFS: domain DFS and stand-alone DFS. We cannot provide redundancy for stand-alone
DFS in case of failure. Domain DFS is used in a domain environment and can be accessed by \\domainname\root1
(root1 is the DFS root name). Stand-alone DFS can be used in a workgroup environment and can be
accessed through \\servername\root1 (root1 is the DFS root name). In both cases we need to create a DFS root
(which appears like a shared folder for end users) and DFS links (a logical link which points to the server
where the folder is physically shared).
The maximum number of Dfs roots per server is 1.
The maximum numbers of Dfs root replicas are 31.
The maximum number of Dfs roots per domain is unlimited.
The maximum number of Dfs links or shared folders in a Dfs root is 1,000
What is RIS and what are its requirements?
RIS is Remote Installation Services, which is used to install an operating system remotely.
Client requirements
PXE DHCP-based boot ROM version 1.00 or later NIC, or a network adapter that is supported by the RIS boot
Should meet minimum operating system requirements
Software requirements
The network services below must be active on the RIS server or on any server in the network:
Domain Name System (DNS service)
Dynamic Host Configuration Protocol (DHCP)
Active Directory directory service
How many root replicas can be created in DFS?
31 (see the DFS limits above).
Can we establish trust relationship between two forests?
In Windows 2000 it is not possible. In Windows 2003 it is possible
What are FSMO roles?
The Flexible Single Master Operation (FSMO) roles are:
Domain Naming Master
Schema Master
PDC Emulator
Infrastructure Master
RID Master
Intrasite replication
Replication that happens between domain controllers inside one site. All of the subnets inside the site should be
connected by high-speed links.
Intersite replication
Intersite replication is replication between sites and must be set up by an administrator. Simple Mail Transfer
Protocol (SMTP) may be used for replication between sites.
Active Directory replication
Replication must often occur both within sites (intrasite) and between sites (intersite) to keep domain and forest
data consistent among domain controllers that store the same directory partitions.

Adprep.exe is a command-line tool used to prepare a Microsoft Windows 2000 forest or a Windows 2000
domain for the installation of Windows Server 2003 domain controllers.
When Microsoft Exchange Server is deployed in an organization, Exchange Server uses Active Directory as a
data store and it extends the Windows 2000 Active Directory schema to enable it to store objects specific to
Exchange Server. The ldapDisplayName of the attribute schema ms-Exch-Assistant-Name, ms-Exch-LabeledURI,
and ms-Exch-House-Identifier defined by Exchange Server conflicts with the iNetOrgPerson schema that Active
Directory uses in Windows Server 2003. When Windows Server 2003 Service Pack 1 is installed, Adprep.exe
will be able to detect the presence of the schema conflict and block the upgrade of the schema until the issue has
been resolved.
When a new domain user or group account is created, Active Directory stores the account's SID in the
Object-SID (objectSID) property of a User or Group object. It also assigns the new object a globally unique
identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world.
GUIDs are assigned to every object created by Active Directory, not just User and Group objects. Each
object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects.
A security identifier (SID) is a data structure in binary format that contains a variable number of values. When a
DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the
object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID)
that is unique for each security principal SID created in a domain.
Lingering objects
When a domain controller is disconnected for a period longer than the tombstone lifetime (TSL), one or more
objects that were deleted from Active Directory on all other domain controllers may remain on the disconnected
domain controller. Such objects are called lingering objects. Because the domain controller is offline during the
time that the tombstone is alive, it never receives replication of the tombstone.
Sysvol is a shared directory that stores the server copy of the domain's public files, which are replicated among
all domain controllers in the domain. Sysvol contains the data in a GPO: the GPT, which includes
Administrative Template-based Group Policy settings, security settings, script files, and information regarding
applications that are available for software installation. It is replicated using the File Replication Service (FRS).
File Replication Service (FRS)
In Windows 2000, the SYSVOL share is used to authenticate users. The SYSVOL share includes group policy
information which is replicated to all local domain controllers. File Replication Service (FRS) is used to replicate
the SYSVOL share. The "Active Directory Users and Computers" tool is used to change the file replication
service schedule.
Winlogon
A component of the Windows operating system that provides interactive logon support; Winlogon is the service
in which the Group Policy engine runs.
Lightweight Directory Access Protocol (LDAP)
It defines how clients and servers exchange information about a directory. LDAP version 2 and version 3 are
used by Windows 2000 Server's Active Directory.
An LDAP URL names the server holding Active Directory services and the distinguished name of the object. For
example:
LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN=Division,DC=myco,DC=domaincontroller
Each object has an Update Sequence Number (USN), and if the object is modified, the USN is incremented.
This number is different on each domain controller. The USN provides the key to multimaster replication.
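To make the per-DC USN concrete, here is an added toy model (not from the original document) of two domain controllers: each write, originating or replicated, consumes the local DC's next USN, and a partner pulls only changes above the high-watermark USN it remembers for that source. The class and DN values are constructed; conflict resolution between concurrent writes is left out.

```python
class DomainController:
    """Toy DC that tracks changes with a per-DC Update Sequence Number (USN)."""

    def __init__(self, name):
        self.name = name
        self.usn = 0              # local counter, bumped on every write, originating or replicated
        self.objects = {}         # dn -> {"value", "orig_dc", "orig_usn", "local_usn"}
        self.high_watermark = {}  # partner name -> highest partner USN already pulled from it

    def write(self, dn, value):
        """Originating write: stamp the change with this DC's own next USN."""
        self.usn += 1
        self.objects[dn] = {"value": value, "orig_dc": self.name,
                            "orig_usn": self.usn, "local_usn": self.usn}
        return self.usn

    def changes_since(self, usn):
        """What a partner asks for: every change recorded here after the given USN."""
        return sorted((o["local_usn"], dn, o) for dn, o in self.objects.items()
                      if o["local_usn"] > usn)

    def replicate_from(self, source):
        """Pull from a partner, starting at the high-watermark remembered for it."""
        watermark = self.high_watermark.get(source.name, 0)
        applied = 0
        for src_usn, dn, obj in source.changes_since(watermark):
            mine = self.objects.get(dn)
            # (originating DC, originating USN) identifies a change globally; a change we
            # already hold is skipped so it is not re-applied when it echoes back to us.
            # Conflicting concurrent originating writes are out of scope for this toy.
            if mine is None or (mine["orig_dc"], mine["orig_usn"]) != (obj["orig_dc"], obj["orig_usn"]):
                self.usn += 1
                self.objects[dn] = {**obj, "local_usn": self.usn}   # fresh USN on this DC
                applied += 1
            watermark = src_usn
        self.high_watermark[source.name] = watermark
        return applied
```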
Universal group membership caching
Due to available network bandwidth and server hardware limitations, it may not be practical to have a global
catalog in smaller branch office locations. For these sites, you can deploy domain controllers running Windows
Server 2003, which can store universal group membership information locally.
By default, the universal group membership information contained in the cache of each domain controller will
be refreshed every 8 hours. Up to 500 universal group memberships can be updated at once. Universal groups
cannot be created in mixed mode.
What is an ACL or access-control list?
A list of security protections that applies to an object. (An object can be a file, process, event, or anything else
having a security descriptor.)
What is an ACE or access-control entry?
An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights
are allowed, denied, or audited.
Flexible Single Master Operations (FSMO) Roles
MultiMaster Operation:
In Windows 2000 & 2003, every domain controller can receive changes, and the changes are replicated to all
other domain controllers. The day-to-day operations that are associated with managing users, groups, and
computers are typically multimaster operations.
There is a set of Flexible Single Master Operations (FSMO) which can only be done on a single controller. An
administrator determines which operations must be done on the master controller. These operations are all set up
on the master controller by default and can be transferred later. FSMO operations types include:
Schema Master: The schema master domain controller controls all updates and modifications to the schema.
There can be only one schema master in the whole forest.
Domain naming master: The domain naming master domain controller controls the addition or removal of
domains in the forest and is responsible for ensuring that domain names are unique in the forest. There can be
only one domain naming master in the whole forest.
Infrastructure Master:
Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global
catalog server (unless all DCs are also GCs).
The infrastructure master is responsible for updating references from objects in its domain to objects in other
domains. At any one time, there can be only one domain controller acting as the infrastructure master in each
domain. This role also takes care of updating cross-domain references when a group membership object is renamed.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog
server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information
because it does not contain any references to objects that it does not hold. This is because a Global Catalog
server holds a partial replica of every object in the forest. As a result, cross-domain object references in that
domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain
controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not
important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
It assigns RIDs and SIDs to newly created objects such as users and computers. If the RID master is down, you
can still create security objects as long as RID pools are available on the DCs; otherwise you cannot create any
objects once it is down.
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to
the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID
(RID) that is unique for each security principal SID created in a domain.
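As an added example (not from the original document) covering both the SID/GUID paragraph earlier and the RID master section here: a textual SID is split into the domain SID shared by every principal in the domain and the RID that is unique per principal, and a toy RID master hands pools of RIDs to DCs so the behaviour when the role holder is down is visible. The domain SID values are constructed; the 500-RID pool size is the Windows default, which the page does not state.

```python
import re

# Well-known RIDs are fixed by Windows; RIDs below 1000 are reserved for them.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


def parse_sid(sid):
    """Return (revision, identifier authority, [sub-authorities]) of a textual SID."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)+)", sid)
    if not m:
        raise ValueError(f"not a valid SID: {sid}")
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return int(m.group(1)), int(m.group(2)), subs


def split_domain_sid(sid):
    """Split a domain security-principal SID into (domain SID, RID)."""
    revision, authority, subs = parse_sid(sid)
    # Domain principals look like S-1-5-21-<three 32-bit domain values>-<RID>.
    if revision != 1 or authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain principal SID: {sid}")
    return "S-1-5-" + "-".join(str(s) for s in subs[:-1]), subs[-1]


def describe_rid(rid):
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "reserved well-known RID" if rid < 1000 else "allocated from a RID pool"


class RidMaster:
    """The FSMO role holder: the only DC that hands out blocks of RIDs."""
    def __init__(self, next_rid=1000):
        self.next_rid = next_rid

    def allocate_pool(self, size=500):   # 500 RIDs per pool is the Windows default
        pool = list(range(self.next_rid, self.next_rid + size))
        self.next_rid += size
        return pool


class DomainController:
    """Any DC creates principals, but only from the pool it received from the RID master."""
    def __init__(self, name, domain_sid):
        self.name, self.domain_sid, self.pool = name, domain_sid, []

    def create_principal(self, rid_master):
        """rid_master is None while the role holder is unreachable."""
        if not self.pool:
            if rid_master is None:
                raise RuntimeError(f"{self.name}: RID pool exhausted and RID master is down")
            self.pool = rid_master.allocate_pool()
        return f"{self.domain_sid}-{self.pool.pop(0)}"


# Constructed domain SID; the three middle values are made up for this example.
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"
```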
PDC Emulator - When Active Directory is in mixed mode, the computer Active Directory is on acts as a
Windows NT PDC. The first server that becomes a Windows 2000 domain controller takes the role of PDC
emulator by default.
Functions performed by the PDC emulator:
User account changes and password changes
SAM directory replication requests
Domain master browser requests
Authentication requests
Time synchronization
Dynamic Data:
A dynamic entry is an object in the directory which has an associated time-to-live (TTL) value. The TTL for an
entry is set when the entry is created.
Security principals - Objects that can have permissions assigned to them; each contains a security identifier.
The following objects are security principals:
o User
Active Directory uses RPC over IP to transfer both intersite and intrasite replication between domain
controllers. To keep data secure while in transit, RPC over IP replication uses both the Kerberos authentication
protocol and data encryption.
If you have a site that has no physical connection to the rest of your network, but that can be reached using the
Simple Mail Transfer Protocol (SMTP), that site has mail-based connectivity only. SMTP replication is used
only for replication between sites. You also cannot use SMTP replication to replicate between domain
controllers in the same domain; only inter-domain replication is supported over SMTP (that is, SMTP can be
used only for inter-site, inter-domain replication). SMTP replication can be used only for schema, configuration,
and global catalog partial replica replication. SMTP replication observes the automatically generated replication
Changing the ntds.dit file from one drive to another
1. Boot the domain controller in Directory Services Restore mode and log on with the Directory Services
Restore mode administrator account and password (this is the password you assigned during the Dcpromo
2. At a command prompt, type ntdsutil.exe. You receive the following prompt:
3. Type files to receive the following prompt:
file maintenance:
4. Type info. Note the path of the database and log files.
5. To move the database, type move db to %s (where %s is the target folder).
6. To move the log files, type move logs to %s (where %s is the target folder).
7. Type quit twice to return to the command prompt.
8. Reboot the computer normally.
DNS (Domain Name system)
Domain Name System (DNS) is a database system that translates a computer's fully qualified domain name into
an IP address.
DNS Zones
Forward lookup zone - Name to IP address map.
Reverse lookup zone - IP address to name map.
Primary Zones - It Holds Read and Write copies of all resource records (A, NS, _SRV).
Secondary Zones- which hold read only copies of the Primary Zones.
Stub Zones
Conceptually, stub zones are like secondary zones in that they have a read-only copy of a primary zone. Stub
zones are more efficient and create less replication traffic.
Stub zones only have 3 records: the SOA for the primary zone, the NS record and a Host (A) record. The idea is
that if a client queries a record in the stub zone, your DNS server can refer that query to the correct name
server because it knows its Host (A) record.
Query types are:
Inverse - Getting the name from the IP address. These are used by servers as a security check.
Iterative - The server gives its best answer (an answer or a referral). This type of query is sent from one server
to another.
Recursive - The server must return a complete answer or an error; it cannot refer the client to another name
server.
Conditional Forwarding
Another classic use of forwarders is where companies have subsidiaries, partners or people they know and
contact regularly. Instead of going the long way around using the root hints, the network administrators
configure conditional forwarders.
Purpose of Resource Records
Without resource records DNS could not resolve queries. The mission of a DNS Query is to locate a server that
is Authoritative for a particular domain. The easy part is for the Authoritative server to check the name in the
query against its resource records.
SOA (start of authority) record - Each zone has one SOA record that identifies which DNS server is
authoritative for domains and subdomains in the zone.
NS (name server) record - An NS record contains the FQDN and IP address of a DNS server authoritative for
the zone. Each primary and secondary name server authoritative in the domain should have an NS record.
A (address) record - By far the most common type of resource record, an A record is used to resolve the
FQDN of a particular host into its associated IP address.
CNAME (canonical name) record - A CNAME record contains an alias (alternate name) for a host.
PTR (pointer) record - The opposite of an A record, a PTR record is used to resolve the IP address of a host into
its FQDN.
SRV (service) record - An SRV record is used by DNS clients to locate a server that is running a particular
service; for example, to find a domain controller so you can log on to the network. SRV records are key to the
operation of Active Directory.
MX (mail exchange) record - An MX record points to one or more computers that process SMTP mail for
an organization or site.
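An added example (not from the original document) of how a client uses the SRV records above to find a domain controller: it parses zone-file SRV lines, builds the _msdcs locator name, picks a target by priority and weight as RFC 2782 describes, and, as a sanity check, flags any record advertising a port other than the Kerberos, LDAP and Global Catalog ports listed earlier on this page. The zone data for corp.example.com is constructed.

```python
import random
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name ttl priority weight port target")
SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

# Ports the page lists for the services a DC advertises through SRV records.
EXPECTED_PORTS = {"_kerberos": 88, "_ldap": 389, "_gc": 3268}

# Constructed zone data for a made-up domain (not real records).
SAMPLE_ZONE = """\
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 10 100 389 dc-dr.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_gc._tcp.corp.example.com. 600 IN SRV 0 100 3268 dc1.corp.example.com.
_ldap._tcp.gc._msdcs.corp.example.com. 600 IN SRV 0 100 3268 dc1.corp.example.com.
"""

def parse_srv(line):
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    name, ttl, prio, weight, port, target = m.groups()
    return SrvRecord(name.rstrip("."), int(ttl), int(prio), int(weight), int(port), target.rstrip("."))

def locator_name(service, domain, site=None):
    """Name the DC locator queries; site-specific when the client knows its site."""
    site_part = f"{site}._sites." if site else ""
    return f"{service}._tcp.{site_part}dc._msdcs.{domain}"

def select_target(records, seed=None):
    """RFC 2782 selection: the lowest priority wins, ties are split by weight."""
    if not records:
        raise ValueError("no SRV records to choose from")
    rng = random.Random(seed)
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(0, total - 1)
    for r in candidates:
        pick -= r.weight
        if pick < 0:
            return r
    return candidates[-1]

def expected_port(name):
    service = name.split(".")[0]
    if service == "_ldap" and ".gc._msdcs." in name:
        return 3268                       # the global catalog is LDAP on 3268
    return EXPECTED_PORTS.get(service)

def unexpected_ports(records):
    """Flag SRV records whose port differs from the port that service should advertise."""
    return [r for r in records if expected_port(r.name) not in (None, r.port)]

RECORDS = [parse_srv(line) for line in SAMPLE_ZONE.splitlines()]
```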
Where DNS resource records will be stored:
After running DCPROMO, a text file containing the appropriate DNS resource records for the domain
controller is created. The file, called Netlogon.dns, is created in the %systemroot%\System32\config folder and
contains all the records needed to register the resource records of the domain controller. Netlogon.dns is used by
the Windows 2000 NetLogon service and to support Active Directory for non-Windows 2000 DNS servers.
Procedure for changing a server's IP address
Once DNS and replication are set up, it is generally a bad idea to change a server's IP address (at least according
to Microsoft). Just be sure that is what you really want to do before starting the process. It is a bit akin to
changing the internal IPX number of a Novell server, but it can be done.
1. Change the server's IP address.
2. Stop the NETLOGON service.
4. Restart the NETLOGON service and run IPconfig /registerDNS.
5. Go to one of the other DCs and verify that its DNS is now pointing to the new IP address of the server. If not,
change the records manually and give it 15 minutes to replicate the DNS changes out.
6. Run REPLMON and make sure that replication is working now. You may have to wait a little while for things
to straighten out. Give it an hour or two if necessary.
If a server shows that it isn't replicating with one of its partners, there are several issues to address:
A. Check to see that the servers can ping each other.
B. Make sure that both servers' DNS entries for each other point to the proper IP addresses.
C. If server A says it replicated fine, but server B says it couldn't contact server A, check the DNS setup on
server B. Chances are it has a record for server A pointing to the wrong place.
D. Run Netdiag and see if it reports any errors or problems.
Trust Relationship
One way trust - When one domain allows access to users on another domain, but the other domain does not
allow access to users on the first domain.
Two way trust - When two domains allow access to users on the other domain.
Trusting domain - The domain that allows access to users on another domain.
Trusted domain - The domain that is trusted, whose users have access to the trusting domain.
Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree.
Intransitive trust - A one way trust that does not extend beyond two domains.
Explicit trust - A trust that an administrator creates. It is not transitive and is one way only.
Cross-link trust - An explicit trust between domains in different trees or in the same tree when a
descendent/ancestor (child/parent) relationship does not exist between the two domains.
Forest trust - When two forests have a functional level of Windows 2003, you can use a forest trust to join the
forests at the root.
Shortcut trust - When domains that authenticate users are logically distant from one another, the process of
logging on to the network can take a long time. You can manually add a shortcut trust between two domains in
the same forest to speed authentication. Shortcut trusts are transitive and can either be one way or two way.
49. Explain Forest Functional Level in Windows 2003 Server.
50. Explain Domain Functional Level in Windows 2003 Server.
51. How will you extend schema database?
52. What is the purpose of adprep command?
53. Briefly explain about netlogon?
54. What are forwarders in DNS server?
55. Explain about root hints.
56. Explain types of DNS queries?
57. How you will defragment AD Database?