
Active Directory Interview Questions & Answers

1) What is Active Directory?

Active Directory (AD) is a directory service used on Microsoft Windows-based servers and computers to store data and information about networks and domains, and to authenticate and authorize the users and computers in them.

2) What are the new Active Directory (AD) features in Windows Server 2012?

- Domain controller promotion moved into Server Manager: dcpromo.exe is deprecated. The new Active Directory Domain Services Configuration Wizard lets you review every step and its detailed results, and shows the PowerShell it is about to run (Install-ADDSForest, Install-ADDSDomainController).
- Enhanced Active Directory Administrative Center (ADAC): compared with the earlier version, the administrative center in Windows Server 2012 is much better designed.
- Recycle Bin goes GUI: in Windows Server 2012 the Active Directory Recycle Bin can be enabled, and deleted objects restored, through the GUI in ADAC. Earlier versions only offered PowerShell or LDP for this.
- Fine-grained password policies (FGPP): in Windows Server 2012 implementing FGPP is much easier than before, because ADAC provides a GUI for it. FGPP lets you apply different password and lockout policies to different users and groups in the same domain.
- Windows PowerShell History Viewer: you can view the Windows PowerShell commands that correspond to the actions you perform in the ADAC UI.
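Fine-grained password policies are the feature on this list a security engineer most often has to set up by hand, so here is an added worked example (not from the original page) that creates a stricter policy for a privileged group and then verifies which policy a member actually gets. It assumes the RSAT ActiveDirectory module, a domain functional level of Windows Server 2008 or higher, and an existing group named Tier0-Admins; all of those names are assumptions.

```powershell
# Added example: create a fine-grained password policy (PSO) for privileged
# accounts and verify which policy actually applies to each member.
# Assumptions (not from the original page): RSAT AD module on a DC or admin
# host, domain functional level >= Windows Server 2008, and an existing
# global security group named 'Tier0-Admins'.
Import-Module ActiveDirectory

$psoName = 'PSO-Tier0-Admins'
$target  = 'Tier0-Admins'

# Precedence: the lowest number wins when several PSOs apply to one user.
# Every value below is stricter than a typical default domain policy.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00'
}

# A PSO does nothing until it is applied to a user or a global security group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $target

# Verification: the *resultant* PSO is what the DC enforces for that user.
# If no PSO applies, the default domain policy is in force instead.
$default = Get-ADDefaultDomainPasswordPolicy
foreach ($member in (Get-ADGroupMember -Identity $target -Recursive | Where-Object objectClass -eq 'user')) {
    $u = Get-ADUser -Identity $member.distinguishedName
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $u
    [pscustomobject]@{
        User         = $u.SamAccountName
        ResultantPSO = if ($resultant) { $resultant.Name } else { '<default domain policy>' }
        MinLength    = if ($resultant) { $resultant.MinPasswordLength } else { $default.MinPasswordLength }
        Lockout      = if ($resultant) { $resultant.LockoutThreshold } else { $default.LockoutThreshold }
    }
}
```

Apply PSOs to global security groups rather than to individual users: the resultant-policy check at the end is the only reliable way to see that a nested member really picked up the stricter policy, since PSOs are not inherited through OUs.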

3) Which is the default protocol used in directory services?

The default protocol used by directory services, including Active Directory, is LDAP (Lightweight Directory Access Protocol). AD answers LDAP on TCP 389 (LDAPS on 636) and global catalog queries on 3268 (3269 with TLS).

4) Explain the term FOREST in AD.

A forest is the collection of AD domains that share a single schema and a single configuration partition. Every DC in the forest holds a replica of the schema, which is kept consistent among them by multi-master replication. The forest, not the domain, is the security boundary in AD.

5) What is SYSVOL?

The SYSVOL folder holds the domain controller's copy of the domain's public files: Group Policy templates, logon/logoff/startup/shutdown scripts and similar. The contents of SYSVOL are replicated to every domain controller in the domain (by FRS on older domains, by DFS-R on newer ones).

6) What is the difference between the Domain Admins group and the Enterprise Admins group in AD?

Enterprise Admins group
- Exists only in the forest root domain. Members have complete control of all domains in the forest.
- By default, this group is a member of the Administrators group on every domain controller in the forest.
- As such this group has full control of the forest; add users with caution.

Domain Admins group
- Exists in every domain. Members have complete control of that domain.
- By default, this group is a member of the local Administrators group on every domain controller, workstation and member server at the time they are joined to the domain.
- As such the group has full control in the domain; add users with caution.
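Because both groups are so powerful, the check a practitioner actually runs is "who is effectively in them right now, nesting included". The following added example (not part of the original page) walks every domain in the forest, expands nested membership, and flags members that are not dedicated admin accounts. It assumes the RSAT ActiveDirectory module and a naming convention in which dedicated admin accounts end in "-adm"; the convention is an assumption and should be replaced with your own.

```powershell
# Added example: enumerate effective (nested) membership of Enterprise Admins
# and every domain's Domain Admins, and flag anything that does not look like
# a dedicated admin account. Assumptions (not from the page): RSAT AD module,
# read access to every domain, and the '-adm' suffix naming convention.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = $forest.RootDomain

# Enterprise Admins exists only in the forest root; Domain Admins in every domain.
$targets = @([pscustomobject]@{ Group = 'Enterprise Admins'; Domain = $rootDomain }) +
           @($forest.Domains | ForEach-Object { [pscustomobject]@{ Group = 'Domain Admins'; Domain = $_ } })

$report = foreach ($t in $targets) {
    # Resolve the group against a DC of its own domain so the well-known
    # RID (-519 / -512) is looked up in the right place.
    $dc = (Get-ADDomainController -DomainName $t.Domain -Discover).HostName[0]
    $members = Get-ADGroupMember -Identity $t.Group -Server $dc -Recursive
    foreach ($m in $members) {
        $detail = $null
        if ($m.objectClass -eq 'user') {
            $detail = Get-ADUser -Identity $m.distinguishedName -Server $dc -Properties Enabled, PasswordLastSet, LastLogonDate
        }
        [pscustomobject]@{
            Group           = "$($t.Domain)\$($t.Group)"
            Member          = $m.SamAccountName
            Class           = $m.objectClass
            Enabled         = $detail.Enabled
            PasswordLastSet = $detail.PasswordLastSet
            LastLogonDate   = $detail.LastLogonDate
            # Flag: non-user principals (computers, gMSAs) and accounts outside
            # the admin naming convention do not belong in these groups.
            Suspicious      = ($m.objectClass -ne 'user') -or ($m.SamAccountName -notmatch '-adm$')
        }
    }
}

$report | Sort-Object Group, Suspicious -Descending | Format-Table -AutoSize
```

Run it on a schedule and diff the output: a new, unexpected member of either group is one of the highest-value alerts an AD environment can produce.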

7) What does system state data contain?

System state data contains:

- Boot files
- Registry
- COM+ class registration database
- System files that are protected by Windows File Protection
- AD database (NTDS) on a domain controller
- SYSVOL folder on a domain controller
- Cluster service information on a cluster node
- Certificate Services database on a certification authority

It does not include the memory page file.

8) What is Kerberos?

Kerberos is a network authentication protocol. It is built to offer strong, mutual authentication for client/server applications by using secret-key cryptography and a trusted third party, the Key Distribution Center (KDC), which in AD runs on every domain controller.

9) Where is the AD database held? What other files are related to AD?

The AD database is saved in %systemroot%\NTDS by default. In the same folder you can also see the other files that make up the database; they are:

- ntds.dit (the database itself)
- edb.log (the current transaction log)
- numbered edb*.log files (older transaction logs not yet purged)
- res1.log and res2.log (reserved logs; edbres00001.jrs and edbres00002.jrs on Windows Server 2008 and later)
- edb.chk (the checkpoint file)

10) What is the PDC emulator, and how would one know whether the PDC emulator is working or not?

PDC emulator: there is one PDC emulator per domain. When an authentication attempt fails on another DC because of a bad password, the attempt is retried against the PDC emulator before the logon is rejected, and password changes are replicated to it urgently; it therefore acts as the tie-breaker for password and lockout state. It is also the authoritative time source for the domain (the forest root PDC emulator is the time source for the whole forest) and the default DC on which Group Policy edits are made.

These are the symptoms that tell you the PDC emulator is not working:

- Time is not syncing across the domain
- Account lockouts and bad-password retries behave inconsistently, because they can no longer be forwarded to the PDC emulator
- Windows NT BDCs are not getting updates
- Pre-Windows 2000 computers are unable to change their passwords

11) What are lingering objects?

Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL): it still holds objects that every other DC has already deleted and purged, and if it resumes replication those objects can be reintroduced into the directory.

12) What is the TOMBSTONE lifetime?

The tombstone lifetime in an Active Directory forest determines how long a deleted object is retained. Deleted objects are stored as special objects referred to as tombstones until the lifetime expires, after which garbage collection purges them. The value is the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition. If it is not set in the forest configuration, Windows uses 60 days; forests created with Windows Server 2003 SP1 or later set it to 180 days.
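The two questions above go together in practice: you read the tombstone lifetime, find any replication partner that has been silent for longer than that, and then scan for lingering objects in advisory mode before deleting anything. The following is an added example (not from the original page) of that procedure. It assumes the RSAT ActiveDirectory module, repadmin.exe on the PATH, and a reference DC named DC01 that is known to be clean; DC01 is an assumed name.

```powershell
# Added example: read the forest tombstone lifetime, find DCs whose inbound
# replication is older than it, and run repadmin's advisory-mode lingering
# object scan against them. Assumptions (not from the page): RSAT AD module,
# repadmin.exe on PATH, and a known-clean reference DC named 'DC01'.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsObj   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                        -Properties tombstoneLifetime

# If the attribute is unset the directory behaves as if it were 60 days.
$tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# Any partner that has not replicated inbound for longer than TSL may hold lingering objects.
$stale = Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest |
    Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-$tsl) } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess
$stale | Format-Table -AutoSize

# Advisory mode only logs what *would* be removed (Directory Service event log,
# events 1942 and 1946), so it is safe to run before committing to a cleanup.
# repadmin wants the DSA object GUID of the clean reference DC, which is the
# objectGUID of that DC's NTDS Settings object.
$refDc   = 'DC01'
$refGuid = (Get-ADObject -Identity (Get-ADDomainController -Identity $refDc).NTDSSettingsObjectDN).ObjectGuid
foreach ($entry in $stale) {
    & repadmin.exe /removelingeringobjects $entry.Server $refGuid $entry.Partition /advisory_mode
}
```

Once the advisory-mode events show only objects you expect to lose, rerun the same repadmin command without /advisory_mode. Keep strict replication consistency enabled on every DC so a stale partner is quarantined rather than allowed to reintroduce the objects.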

13) What is the Active Directory schema?

The schema is the Active Directory component that describes all the object classes and attributes that the directory service uses to store data.

14) What is a child DC?

A child DC is a domain controller for a child domain, which sits beneath the forest root (or another parent) domain and shares its contiguous DNS namespace, for example a DC for emea.corp.example.com under corp.example.com.

15) What is the RID Master?

RID Master stands for Relative Identifier master: the FSMO role holder that allocates pools of relative IDs to the domain's DCs, so that every security principal created in the domain gets a unique SID.

16) What are the components of AD?

Components of AD include:

- Logical structure: forests, trees, domains and OUs
- Physical structure: domain controllers and sites

17) What is the Infrastructure Master?

The Infrastructure Master is responsible for updating references to objects that live in other domains (for example, group members from another domain) by comparing its data with the global catalog.

Active Directory (AD) Real Time Interview Questions and Answers

I would like to share some Windows Active Directory interview questions and answers. I will start with basic questions and continue with L1, L2 and L3 level questions.


What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft that stores objects such as users, computers, printers and network information. It lets you manage your network effectively with multiple domain controllers in different locations, each holding a copy of the AD database: a change made on any domain controller is replicated to all the other DCs. It provides centralized administration across multiple geographical locations and authenticates users and computers in a Windows domain.

What is LDAP and how the LDAP been used on Active Directory(AD)?

http://www.windowstricks.in/ldap-and-ldap-query
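LDAP queries are how AD is actually interrogated, and the filters an interviewer is really interested in are the ones that find risky accounts. The following added example (not from the original page or the linked article) goes a step beyond the question: it shows the LDAP bitwise matching rule used to test individual userAccountControl flags, applied to three security-relevant queries. It assumes the RSAT ActiveDirectory module against the current domain.

```powershell
# Added example: LDAP filters against AD for three security-relevant questions.
# Assumption (not from the page): RSAT AD module, current domain.
# OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, which lets a filter
# test single bits of an integer attribute such as userAccountControl.
Import-Module ActiveDirectory

# userAccountControl bit values used below
$UF_ACCOUNTDISABLE       = 0x2
$UF_DONT_EXPIRE_PASSWD   = 0x10000    # 65536
$UF_DONT_REQUIRE_PREAUTH = 0x400000   # 4194304: no Kerberos pre-authentication

function Find-ADAccountsByLdapFilter {
    param([Parameter(Mandatory)][string]$Filter)
    Get-ADObject -LDAPFilter $Filter -Properties sAMAccountName, userAccountControl, servicePrincipalName, pwdLastSet |
        Select-Object sAMAccountName, distinguishedName,
            @{n='PasswordLastSet'; e={ [DateTime]::FromFileTime($_.pwdLastSet) }},
            @{n='SPNs'; e={ ($_.servicePrincipalName -join ';') }}
}

# 1) Enabled users whose passwords never expire
$filterNeverExpire = "(&(objectCategory=person)(objectClass=user)" +
    "(userAccountControl:1.2.840.113556.1.4.803:=$UF_DONT_EXPIRE_PASSWD)" +
    "(!(userAccountControl:1.2.840.113556.1.4.803:=$UF_ACCOUNTDISABLE)))"

# 2) Enabled users that do not require Kerberos pre-authentication: anyone can
#    obtain an AS-REP for them and attack the password offline.
$filterNoPreauth = "(&(objectCategory=person)(objectClass=user)" +
    "(userAccountControl:1.2.840.113556.1.4.803:=$UF_DONT_REQUIRE_PREAUTH)" +
    "(!(userAccountControl:1.2.840.113556.1.4.803:=$UF_ACCOUNTDISABLE)))"

# 3) User accounts (not computers) that carry an SPN: service accounts whose
#    tickets any domain user can request, so they need long passwords or a gMSA.
$filterSpnUsers = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))"

'--- Password never expires ---';  Find-ADAccountsByLdapFilter $filterNeverExpire | Format-Table -AutoSize
'--- No Kerberos pre-auth ---';    Find-ADAccountsByLdapFilter $filterNoPreauth  | Format-Table -AutoSize
'--- User accounts with SPNs ---'; Find-ADAccountsByLdapFilter $filterSpnUsers   | Format-Table -AutoSize
```

The same filter strings work unchanged in ldp.exe, dsquery * -filter, or any LDAP client, which is the point of learning the raw syntax rather than only the -Filter shorthand.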

What is a Tree?

A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace.

What is a Domain?

A domain is a logical group of users, computers and other objects that share a directory database, security policies and trust relationships. Active Directory Domain Services (AD DS) is Microsoft's directory server that hosts the domain; it provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed.

What is an Active Directory Domain Controller (DC)?

A domain controller is a server that holds a writable copy of the AD database. All AD changes made on one DC get replicated to the other DCs, and vice versa.

What is a Forest?

A forest consists of one or more domain trees. The domain trees in a forest do not form a contiguous namespace, but they share a common schema, a common configuration partition and a global catalog (GC).

What is the Schema?

The Active Directory schema is the set of definitions that define the kinds of objects, and the types of information about those objects, that can be stored in Active Directory.

The schema is a collection of object classes and their attributes, for example:

Object class = User

Attributes = first name, last name, email, and others

Can we restore a schema partition?

http://www.windowstricks.in/2014/01/can-i-restore-schema-partition.html

Tell me about the FSMO roles?

Schema Master

Domain Naming Master

Infrastructure Master

RID Master

PDC Emulator

Schema Master and Domain Naming Master are forest-wide roles: there is only one of each per forest. The other roles are domain-wide: one of each per domain.

AD replication is multi-master replication: a change can be made on any domain controller and will be replicated to the other domain controllers. The five roles above are the exception. They are flexible single master operations (FSMO): the changes they control can only be made on the dedicated domain controller that holds the role, so for those operations the model is single-master.

How to check which server holds which role?

Netdom query FSMO

Which FSMO role is the most important, and why?

An interesting question: which of the 5 FSMO roles is the most important, that is, which role's failure impacts the end-user immediately?

Most junior administrators pick the Schema Master role, probably because they think the schema is critical to running Active Directory.

The correct answer is the PDC Emulator. To see why, we will go role by role and describe what happens when that FSMO role holder fails.

Schema Master – The Schema Master is needed to update the schema. We don't update the schema daily; when do we update it? During operating system migrations, when installing a new Exchange version, and for any other application that requires extending the schema.

So if the Schema Master server is not available, we cannot update the schema, but this does not affect normal Active Directory operation or the end-user.

The Schema Master only needs to be online and ready when we plan a schema change, so we have time to bring the Schema Master server back.

Domain Naming Master – The Domain Naming Master is required to create a new domain or an application partition. As with the Schema Master, we don't create domains or application partitions frequently.

So if the Domain Naming Master server is not available, we cannot create a new domain or application partition. It does not affect users; users will not even be aware that the Domain Naming Master server is down.

Infrastructure Master – The Infrastructure Master handles cross-domain updates. What is really updated between domains? When a group in one domain contains a member (a user or group) from another domain, the DCs in the group's domain keep only a reference (a phantom record) to that foreign object. The Infrastructure Master keeps these references up to date, for example when the foreign object is renamed or moved, by periodically comparing its data with the global catalog (by default every 2 days). That is why we don't keep the Infrastructure Master and a GC on the same server, unless every DC in the domain is a GC, in which case it does not matter.

In a single-domain, single-forest environment there is no impact if the Infrastructure Master server is down.

In a multi-domain forest there will be an impact (stale cross-domain group membership information), but we have enough time to fix the issue before it affects the end-user.

RID Master – Every DC is initially issued a pool of 500 RIDs by the RID Master. RIDs are used to create new security principals in Active Directory: every new user, group or computer is created with a security identifier (SID), and the RID is the last part of the SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID.

When a DC has used about 50% of its pool it requests a second pool from the RID Master. If the RID Master server is not available, new RID pools cannot be issued and each DC can only create new objects while its current pool lasts. Since every DC has somewhere between 250 and 750 RIDs available at any time, there is no immediate impact.

PDC Emulator – The PDC Emulator is required for time sync, user logon, password changes and trusts. Now you know why the PDC Emulator is the most important FSMO role holder to get back online: its loss impacts the end-user immediately and we need to recover it ASAP.

The PDC emulator acts as the Primary Domain Controller for backward compatibility and is responsible for time synchronization within the domain; it is also the password master. Any password change is replicated to the PDC emulator as soon as possible. If a logon request fails due to a bad password, the logon request is passed to the PDC emulator to check the password before the logon is rejected.
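The two preceding questions ("how to check which server holds which role" and "which role hurts first when it is down") are usually answered together at the keyboard. The following added example (not part of the original page) lists every FSMO holder in the forest, checks that each one answers on the LDAP and Kerberos ports, and then runs the checks that specifically exercise the PDC emulator: its time source, the bad-password and lockout state it holds for an account, and replication into it. It assumes the RSAT ActiveDirectory module, w32tm.exe and repadmin.exe, and uses an assumed account name svc-backup for the lockout check.

```powershell
# Added example: enumerate FSMO role holders, test reachability, and check the
# PDC emulator's time source, lockout state and inbound replication.
# Assumptions (not from the page): RSAT AD module, w32tm.exe, repadmin.exe,
# run as a domain user with rights to query DCs; 'svc-backup' is an assumed account.
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles  = [ordered]@{
    'Schema Master'        = $forest.SchemaMaster
    'Domain Naming Master' = $forest.DomainNamingMaster
}
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $roles["PDC Emulator ($d)"]          = $dom.PDCEmulator
    $roles["RID Master ($d)"]            = $dom.RIDMaster
    $roles["Infrastructure Master ($d)"] = $dom.InfrastructureMaster
}

# Reachability on the two ports a client actually needs (LDAP 389, Kerberos 88).
$roles.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Role    = $_.Key
        Holder  = $_.Value
        Ldap389 = (Test-NetConnection -ComputerName $_.Value -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        Krb88   = (Test-NetConnection -ComputerName $_.Value -Port 88  -WarningAction SilentlyContinue).TcpTestSucceeded
    }
} | Format-Table -AutoSize

# PDC emulator specifics for the current domain
$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdc"

# 1) Time. The forest-root PDC should sync from an external source, never
#    'Local CMOS Clock'; every other DC chains to it. Skew beyond the 5-minute
#    Kerberos tolerance breaks authentication domain-wide.
& w32tm.exe /query /computer:$pdc /source
& w32tm.exe /query /computer:$pdc /status

# 2) Bad-password forwarding means the PDC's copy of badPwdCount / lockoutTime
#    is the one to read when investigating a lockout, not a random DC's.
$sam = 'svc-backup'
Get-ADUser -Identity $sam -Server $pdc -Properties badPwdCount, badPasswordTime, lockoutTime |
    Select-Object SamAccountName, badPwdCount,
        @{n='BadPasswordTime'; e={ if ($_.badPasswordTime) { [DateTime]::FromFileTime($_.badPasswordTime) } }},
        @{n='LockedOutSince';  e={ if ($_.lockoutTime)     { [DateTime]::FromFileTime($_.lockoutTime) } }}

# 3) Replication into the PDC must be healthy, or the numbers above lag.
& repadmin.exe /showrepl $pdc /errorsonly
```

netdom query fsmo gives the same role list; the cmdlet form is used here so the holder names can feed the reachability test directly.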

Tell me about the Active Directory database and list the Active Directory database files?

NTDS.DIT

EDB.Log

EDB.Chk

Res1.log and Res2.log (edbres00001.jrs and edbres00002.jrs on Windows Server 2008 and later)

AD changes are not written directly to the NTDS.DIT database file. They are first written to EDB.Log and later from the log file into the database; EDB.Chk is used to track which updates from the log file have already been written to the database.

NTDS.DIT: NTDS.DIT is the AD database and stores all AD objects. The default location is %systemroot%\NTDS\ntds.dit. The Active Directory database engine is the Extensible Storage Engine (ESE), which is based on the Jet database.

EDB.Log: EDB.Log is the current transaction log file. When EDB.Log is full (10 MB), it is renamed to EDBnnnnn.Log, where nnnnn is an increasing hexadecimal number starting from 1, like EDB00001.Log, and a new EDB.Log is started.

EDB.Chk: EDB.Chk is the checkpoint file used to track the data not yet written to the database file; it indicates the starting point from which data is to be replayed from the log files in case of failure.

Res1.log and Res2.log: These are reserved transaction log files, pre-allocated so that the transaction log has enough space to shut down cleanly if the disk runs out of space.
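Rather than assume the default path, an administrator reads the database and log locations from the NTDS service parameters; and because ntds.dit holds every password hash in the domain, the same check should look at who can read the folder and whether a shadow copy of it is lying around. The following added example (not part of the original page, and covering question 9 in the first section as well) does exactly that. It assumes it is run locally on a domain controller with administrative rights.

```powershell
# Added example: locate the AD database and log files from the NTDS service
# parameters, list them, and check who can read the directory.
# Assumptions (not from the page): run locally on a DC as an administrator.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$p = Get-ItemProperty -Path $ntdsParams

$dit     = $p.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logDir  = $p.'Database log files path'    # e.g. C:\Windows\NTDS
$workDir = $p.'DSA Working Directory'      # holds edb.chk and temp.edb

"Database : $dit"
"Log path : $logDir"
"Work dir : $workDir"

# ESE files: edb.log (current), edbNNNNN.log (rolled), edb.chk (checkpoint),
# res1.log/res2.log or edbres0000x.jrs (reserve logs, version dependent), temp.edb
Get-ChildItem -Path $logDir, $workDir -Include *.dit, *.log, *.chk, *.jrs, temp.edb -Recurse -Force |
    Sort-Object FullName -Unique |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# ntds.dit contains every password hash in the domain. Any principal other than
# SYSTEM and Administrators with rights on the folder is a finding.
$acl = Get-Acl -Path (Split-Path -Path $dit -Parent)
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$acl.Access |
    Where-Object { $expected -notcontains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Volume Shadow Copies are the usual way the file gets copied while in use;
# an unexpected recent shadow copy on the NTDS volume deserves a look.
& vssadmin.exe list shadows
```

The registry values are also what you change (with the database offline, via ntdsutil files move) when the database and logs are moved to separate spindles, which is why the script reads them instead of hard-coding %systemroot%\NTDS.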

What RAID configuration can be used in Domain Controllers?

http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html

Can we keep OS, log files, SYSVOL, AD database on same logical Disk?

http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html

AD Interview Questions (Part 2)


What are Active Directory partitions?

An Active Directory partition (also called a naming context) is a logical portion of the AD database with its own replication scope; partitions define how and where AD information is logically stored and which domain controllers it is replicated to.

What are all the Active Directory Partitions?

Schema
Configuration
Domain
Application partition

What is the use of the Active Directory partitions, and how do you find the partitions and their locations?

Schema partition – stores the definitions of all object classes and attributes. Replicates to all domain controllers in the forest.

DN location is CN=Schema,CN=Configuration,DC=forestrootdomain,DC=com

Configuration partition – stores the AD configuration information, such as sites, site links, subnets and other replication topology information. Replicates to all domain controllers in the forest.

DN location is CN=Configuration,DC=forestrootdomain,DC=com

Domain partition – object information for a domain, such as users, computers, groups, printers and other domain-specific information. Replicates to all domain controllers within that domain.

DN location is DC=Domainname,DC=com

Application partition – application-specific data that needs to be replicated only to a chosen set of domain controllers. For example, AD-integrated DNS uses two application partitions for DNS zones: ForestDnsZones (DC=ForestDnsZones,DC=forestrootdomain,DC=com, replicated to all DNS servers in the forest) and DomainDnsZones (DC=DomainDnsZones,DC=Domainname,DC=com, replicated to all DNS servers in the domain).
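The partition names above are the defaults; what a DC actually hosts is read from its RootDSE, and the complete list of partitions in the forest (including application partitions and which DCs replicate them) is the set of crossRef objects under CN=Partitions. The following added example (not part of the original page) discovers both without hard-coding any domain name. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example: list the naming contexts this DC hosts and every partition
# defined in the forest, classified by kind, with the replica set of each
# application partition. Assumption (not from the page): RSAT AD module.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
"Schema        : $($rootDse.schemaNamingContext)"
"Configuration : $($rootDse.configurationNamingContext)"
"Default domain: $($rootDse.defaultNamingContext)"
"All NCs held by this DC:"
$rootDse.namingContexts | ForEach-Object { "  $_" }

# Every partition has a crossRef object under CN=Partitions in the configuration NC.
$partitionsDn = "CN=Partitions,$($rootDse.configurationNamingContext)"
Get-ADObject -SearchBase $partitionsDn -SearchScope OneLevel -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, dnsRoot, systemFlags, 'msDS-NC-Replica-Locations' |
    ForEach-Object {
        # systemFlags on a crossRef: 0x1 = NC hosted in this forest, 0x2 = domain NC.
        # Hosted, not a domain, and not schema/config => application partition.
        $flags = [int]$_.systemFlags
        $kind = if ($_.nCName -eq $rootDse.schemaNamingContext)            { 'schema' }
                elseif ($_.nCName -eq $rootDse.configurationNamingContext) { 'configuration' }
                elseif ($flags -band 0x2)                                  { 'domain' }
                elseif ($flags -band 0x1)                                  { 'application' }
                else                                                       { 'external (not hosted in this forest)' }
        [pscustomobject]@{
            Partition = $_.nCName
            DnsRoot   = $_.dnsRoot
            Kind      = $kind
            # For application partitions: the NTDS Settings objects of the DCs that hold a replica.
            Replicas  = ($_.'msDS-NC-Replica-Locations' | ForEach-Object { ($_ -split ',')[1] -replace '^CN=' }) -join ', '
        }
    } | Format-Table -AutoSize
```

The Replicas column is empty for schema, configuration and domain partitions because their replica set is implicit (every DC in the forest or domain); it is only meaningful for application partitions such as ForestDnsZones and DomainDnsZones.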

How do you configure Active Directory partitions?

Only application partitions can be created and configured manually, for use by AD-integrated applications; refer to this article for details.

How do you create a DNS zone in an application directory partition?

See my previous article.

How do you move a DNS zone from the domain partition to an application partition?

See my previous article.

How do you take an Active Directory backup?

A system state backup backs up Active Directory. NTBackup can be used for this on Windows Server 2003; on Windows Server 2008 and later, Windows Server Backup takes the system state backup.

Active Directory restore types?

Authoritative restore
Non-authoritative restore

Non-authoritative restore of Active Directory

A non-authoritative restore returns the domain controller to its state at the time of the backup, and then allows normal replication to overwrite the restored domain controller with any changes that have occurred after the backup. After the system state restore, the domain controller queries its replication partners and gets the changes made after the backup date, to ensure that it has an accurate and up-to-date copy of the Active Directory database.
A non-authoritative restore is the default method for restoring Active Directory: a plain restore of the system state is a non-authoritative restore. It is mostly used when a single DC's AD database is lost or corrupted.

How do you perform a non-authoritative restore?

Start the domain controller in Directory Services Restore Mode (DSRM) and perform a system state restore from backup.

Authoritative restore of Active Directory

An authoritative restore is the next step after a non-authoritative restore: you must do a non-authoritative restore before you can perform an authoritative restore. The difference is that an authoritative restore increments the version numbers of the attributes of either every object in the directory or of selected objects, which makes the restored copy authoritative. This is used to restore a single deleted user or group, or even an entire OU.
In a non-authoritative restore, after the domain controller is back online it contacts its replication partners to determine any changes since the time of the backup, so the deletion would simply be replicated back in. With an authoritative restore, the version numbers of the attributes of the objects you marked authoritative are higher than the existing version numbers of those attributes on the other DCs, so the objects on the restored domain controller appear to be more recent and are replicated out to the other domain controllers in the domain.

How do you perform an authoritative restore?

Unlike a non-authoritative restore, an authoritative restore needs Ntdsutil.exe, run while still in DSRM after the system state restore and before the normal reboot, to increment the version numbers of the object attributes.
Which Active Directory partitions can be restored?

You can authoritatively restore only objects from the configuration and domain partitions. Authoritative restores of the schema naming context are not supported.

How many domain controllers need to be backed up, or which domain controllers should be backed up?

The minimum requirement is to back up two domain controllers in each domain, and one of them should be an operations master role holder. There is no need to back up the RID Master specifically, because the RID Master should not be restored from backup: an old copy could hand out RID pools that were already allocated, producing duplicate SIDs, so the role is seized on another DC instead.

Can we restore a backup of one domain controller to another, different domain controller?

A backup of one domain controller cannot be restored to a different domain controller; it must be restored to the same domain controller.

Sysvol Interview Questions and Answers

I would like to share a collection of SYSVOL and FRS interview questions and answers that are asked in Windows Active Directory administrator job interviews.

What is the SYSVOL folder and why is it used?

The SYSVOL folder on a Windows domain controller stores the domain's Group Policy templates, default profiles and logon/logoff/startup/shutdown scripts. It is located in C:\Windows\SYSVOL on every domain controller in the domain and is published as the SYSVOL share.

What is the NETLOGON folder?

The NETLOGON folder contains the logon/logoff/startup/shutdown scripts. It is the scripts folder inside SYSVOL (SYSVOL\domain\scripts), published as the NETLOGON share.

What is junctions point?

Check more about: Sysvol Junction point

What other folders in Sysvol and Sysvol folder structure/ Contents?

Check more about: netlogon and sysvol folder location

How policies get replicated from one DC to other DC?


Check more about: how sysvol replication works

What is the Difference between FRS and DFS-R?

Check more about: Difference between FRS and DFSR

How to Force sysvol replication?

Check more about: force sysvol replication on Windows 2003 and force sysvol replication on
Windows 2008 and windows server 2012

What is the Sysvol Replication change in Windows 2008?

Check more about: sysvol replication change on windows 2012

Any SYSVOL issues you have faced in your environment?

USN journal wrap error on SYSVOL

Morphed folders in SYSVOL

FRS replication issues

SYSVOL share not being shared – usually a replication issue; the event log has more information

Tell me about the non-authoritative restore of SYSVOL, or D2 restore

D2 is the default method for restoring SYSVOL and occurs automatically when you do a non-authoritative restore of Active Directory.

When you non-authoritatively restore SYSVOL, the local copy of SYSVOL on the restored domain controller is compared with that of its replication partners. After the domain controller restarts, it replicates in any necessary changes, bringing it up to date with the other domain controllers within the domain.

Tell me about the authoritative restore of SYSVOL, or D4 restore

In a D4 restore the copy of SYSVOL that was restored from backup is made authoritative for the domain. After the necessary configuration has been made, the local SYSVOL is marked as authoritative and is replicated out to the other domain controllers within the domain.

How do you do a D2 or D4 restore?

For FRS-replicated SYSVOL, set the BurFlags registry value to D2 or D4 and restart the File Replication Service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
BurFlags (REG_DWORD)
D2, for a non-authoritative mode restore
D4, for an authoritative mode restore

BurFlags applies only to FRS. When SYSVOL is replicated by DFS-R (domains created at the Windows Server 2008 functional level or later, or migrated from FRS with dfsrmig), the equivalent is done by setting the msDFSR-Enabled and msDFSR-Options attributes on the DC's SYSVOL subscription object in AD.
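As an added example (not part of the original page), here is the D2/D4 procedure for both replication engines in one script: it detects whether the domain has finished migrating SYSVOL to DFS-R and then either sets BurFlags or flips the msDFSR attributes. It assumes it is run locally, as an administrator, on the DC being reset; the DFS-R branch follows the msDFSR-Enabled/msDFSR-Options procedure Microsoft documents for SYSVOL, and the wait between steps is simplified to a fixed sleep.

```powershell
# Added example: non-authoritative (D2) or authoritative (D4) SYSVOL reset
# for FRS and for DFS-R. Assumptions (not from the page): run locally on the
# DC as an administrator; RSAT AD module present for the DFS-R branch.
# D4 is run on exactly ONE DC; every other DC gets D2 afterwards.
param([ValidateSet('D2','D4')][string]$Mode = 'D2')

# dfsrmig reports 'Eliminated' once SYSVOL has fully moved from FRS to DFS-R.
$state    = (& dfsrmig.exe /getglobalstate) -join ' '
$usesDfsr = $state -match 'Eliminated'

if (-not $usesDfsr) {
    # --- FRS: BurFlags in the registry ---
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $value = if ($Mode -eq 'D4') { 0xD4 } else { 0xD2 }
    Stop-Service -Name NtFrs
    Set-ItemProperty -Path $key -Name BurFlags -Value $value -Type DWord
    Start-Service -Name NtFrs
    # FRS logs event 13516 in the File Replication Service log when SYSVOL is shared again.
    "FRS BurFlags set to 0x{0:X} ($Mode); watch for event 13516." -f $value
}
else {
    # --- DFS-R: the flags live on this DC's SYSVOL subscription object in AD ---
    Import-Module ActiveDirectory
    $dcDn  = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $subDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"

    # Step 1: disable this DC's SYSVOL membership; msDFSR-Options=1 is what makes
    # the D4 copy authoritative when it is re-enabled.
    $attrs = @{ 'msDFSR-Enabled' = $false }
    if ($Mode -eq 'D4') { $attrs['msDFSR-Options'] = 1 }
    Set-ADObject -Identity $subDn -Replace $attrs
    & dfsrdiag.exe PollAD

    # Step 2: DFSR logs event 4114 once the membership is disabled. Then re-enable:
    # D4 completes with event 4602 (initialized authoritatively),
    # D2 completes with event 4614 then 4604 (initial sync done).
    Start-Sleep -Seconds 30
    Set-ADObject -Identity $subDn -Replace @{ 'msDFSR-Enabled' = $true }
    & dfsrdiag.exe PollAD
    "DFS-R SYSVOL $Mode initiated on $env:COMPUTERNAME; confirm with event 4114, then 4602 (D4) or 4604 (D2)."
}
```

In a real incident, wait for event 4114 in the DFS Replication log instead of the fixed sleep, and for D4 make sure the authoritative DC has finished (event 4602) before re-enabling the D2 DCs, otherwise they can win the initial sync with their stale cop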

Active Directory real time issues and solutions
By ganesamoorthy s | June 9, 2015

As a Windows AD administrator I have dealt with many Active Directory real-time issues and their solutions. In interviews we have seen questions like: tell me about 2 real-time issues you have faced in your current Active Directory environment; share one or two challenging issues that you have worked on and resolved; tell me about the most challenging issue you were recently involved in.

Many of my blog readers have asked me to share a couple of real-time scenarios from my past experience to prepare for a Windows and Active Directory interview. Here is a list of articles from my previous posts; read and understand them to face the interview confidently.

Active Directory real time issues and solutions

DNS Entry of Domain Controller is Resolving to Incorrect value

Replsummary showing unknown for largest delta on AD replication checks

Domain Controller failed test Machineaccount on DCDIAG

AD Slow Authentication and prompting for credentials again and again

How secure channel determine the Domain controller in cross-forest

Active directory Troubleshooting

Active Directory Replication failed with “Target principal name is incorrect”

Replication failed with “The destination server is currently rejecting replication requests” Error

Troubleshoot Active Directory Server Replication

Group Policy (GPO) real time issues and solutions

Issue managing IE configuration through GPO

Why we can’t edit/view windows 2008, Vista and windows 7 GPO settings from windows 2003

Gpresult failed with ERROR Access Denied


Home page URL not working for IE7

GPO update failed in Slow Link VPN site with Event ID 1000 and 1054

Group Policy Processing over Slow Links

Group Policy slow link detection on windows server 2008

Other real time issues and solutions, Printer, User Profile and Account lockout

Account lockout

How to resolve the Print Spooler service crash issue (Print spooler service is not running)

How to find the domain controller that contains the lingering object

Reconfigure roaming profile folder and home folder permission for all the users

Roaming profile issues

Windows Server 2012 Active Directory Interview Questions

Ehab Shana

More and more companies are realizing the power of cloud services and networks. With the
release of Office 365, Cloud services, and employees working away from the office,
collaboration is crucial. Ensuring the networks that connect employees and allow access to the
documents and projects within an organization is therefore critical to allow organizations to
function efficiently. This means that the demand for good network administrators and system
administrators who understand Active Directory is increasing.
1. Define Active Directory? Active Directory is a database, and the directory service built on it, that stores data about the users within a network as well as the other objects in the network (computers, groups, printers, network configuration). Active Directory allows the networks that connect to AD to be brought together and managed and administered centrally.
2. What is a domain within Active Directory? A domain represents a group of network resources that includes computers, printers, applications and other resources. The objects of a domain share a directory database. A domain is identified by a DNS name such as corp.example.com. A user can log into a domain to gain access to the resources that are part of that domain.
3. What is the domain controller? The server that responds to user requests for access to the domain is called the domain controller or DC. The domain controller allows a user to gain access to the resources within the domain through the use of a single username and password.
4. Explain what domain trees and forests are? Domains that share a common schema and configuration and form a contiguous DNS namespace are linked into a tree; the domains within a tree are linked by automatically created two-way transitive trusts. A forest consists of one or more domain trees linked together within AD by the same kind of trust between the tree roots. A forest gets more than one tree where the organization needs more than one DNS root name; the trees within a forest do not share a contiguous namespace.
5. What is FSMO? FSMO (flexible single master operations) is a set of specialized tasks assigned to individual domain controllers (DCs), used where standard multi-master update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy of the AD database, being synchronized by multi-master replication.
6. Tell me about the FSMO roles? Schema Master, Domain Naming Master, Infrastructure Master, RID Master and PDC Emulator.
Schema Master: The schema is shared between every tree and domain in a forest and must be consistent across all objects. The schema master controls all updates and modifications to the schema.

Domain Naming Master: The Domain Naming Master FSMO role owner is the DC responsible for making changes to the forest-wide domain namespace of the directory, which is held in the Partitions container of the configuration partition.

Infrastructure Master: The Infrastructure FSMO role is one of the three per-domain operations masters. The infrastructure FSMO keeps its domain's references to objects in other domains up to date by comparing its data with information in the Global Catalog (GC).

RID Master: A security principal's SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal created in the domain. RIDs are allocated from a RID pool that is controlled by the RID Master FSMO. The RID Master allocates blocks of RIDs to the DCs within its domain. When moving objects between domains you must start the move on the DC that is the RID master of the domain that currently holds the object.

Placement: Microsoft recommends the careful division of FSMO roles, with standby DCs ready to take over each role. The PDC emulator and the RID master should be on the same DC, if possible. The Schema Master and Domain Naming Master should also be on the same DC.

PDC Emulator: The PDC emulator acts as a Windows NT PDC for backward compatibility; it can process updates to a BDC. It is also responsible for time synchronization within a domain. It is also the password master (for want of a better term) for a domain. Any password change is replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password the logon request is passed to the PDC emulator to check the password before the logon request is rejected.

1. How do you check which server holds which role? netdom query fsmo.
2. What is LDAP? LDAP is an acronym for Lightweight Directory Access Protocol and it refers to the protocol used to access, query and modify the data stored within AD directories. LDAP is an Internet standard protocol that runs over TCP/IP.
3. Explain what intrasite and intersite replication are and how the KCC facilitates replication? Replication between DCs inside a single site is called intrasite replication, whilst replication between DCs in different sites is called intersite replication. Intrasite replication occurs frequently (within seconds of a change) and is uncompressed, while intersite replication runs on the schedule and interval defined on the site link and is compressed, to conserve WAN bandwidth.
KCC is an acronym for the Knowledge Consistency Checker. The KCC is a process that runs on every domain controller. It builds the replication topology within a site and, through the Inter-Site Topology Generator (one DC per site), between sites. Intrasite replication uses RPC over IP; intersite replication uses RPC over IP or, for non-domain partitions only, SMTP.
4. Name a few of the tools available in Active Directory, and which tool would you use to troubleshoot replication issues? Active Directory tools include: Dfsutil.exe, Netdiag.exe, Repadmin.exe, Adsiedit.msc, Netdom.exe and Replmon.exe. Replmon.exe is a graphical tool designed to visually represent AD replication; due to its graphical nature it lets you easily spot and deal with replication issues. Replmon.exe and Netdiag.exe shipped with the Windows Server 2003 support tools and are not available on Windows Server 2008 and later, where Repadmin.exe (repadmin /replsummary, repadmin /showrepl) and the Get-ADReplication* PowerShell cmdlets are used instead.
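The following added example (not part of the original page) is the replication check an administrator runs today in place of replmon.exe: outstanding failures forest-wide, per-partner latency, the connection objects the KCC built, and the repadmin summary. It assumes the RSAT ActiveDirectory module and repadmin.exe on the PATH.

```powershell
# Added example: replication health checks with the AD module and repadmin.
# Assumptions (not from the page): RSAT AD module, repadmin.exe on PATH,
# run as a domain user.
Import-Module ActiveDirectory

$forestName = (Get-ADForest).Name

# 1) Outstanding failures, forest-wide (what replmon's red icons used to show).
$failures = Get-ADReplicationFailure -Target $forestName -Scope Forest
if ($failures) {
    $failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
        Format-Table -AutoSize
} else { 'No replication failures reported.' }

# 2) Per-partner latency: how old the last successful inbound sync from each partner is.
#    Intrasite should be minutes; intersite is bounded by the site-link schedule.
Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest |
    Select-Object Server, Partition,
        @{n='Partner'; e={ ($_.Partner -split ',')[1] -replace '^CN=' }},
        LastReplicationSuccess, LastReplicationAttempt, ConsecutiveReplicationFailures,
        @{n='AgeMinutes'; e={ [int]((Get-Date) - $_.LastReplicationSuccess).TotalMinutes }} |
    Sort-Object AgeMinutes -Descending |
    Format-Table -AutoSize

# 3) The KCC's view: which connection objects exist and whether it generated them.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated |
    Format-Table -AutoSize

# 4) The one-screen summary every DC admin runs first, then detail for one DC.
& repadmin.exe /replsummary
& repadmin.exe /showrepl (Get-ADDomainController -Discover).HostName[0] /verbose
```

A partner with ConsecutiveReplicationFailures climbing towards the tombstone lifetime is the precursor to lingering objects; that is the row to act on first.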
5. What tool would you use to edit AD? Adsiedit.msc is a low-level editing tool for Active Directory. Adsiedit.msc is a Microsoft Management Console snap-in with a graphical user interface that allows administrators to add, edit and delete objects in the directory service, including attributes the standard consoles do not expose. Adsiedit.msc uses the ADSI application programming interfaces to access Active Directory. Since Adsiedit.msc is a Microsoft Management Console snap-in, it requires access to MMC and a connection to an Active Directory environment to function correctly.
6. How would you manage trust relationships from the command prompt? Netdom.exe is another program that allows administrators to manage Active Directory. Netdom.exe is a command-line application that allows administrators to manage trust relationships within Active Directory from the command prompt. Netdom.exe allows for batch management of trusts. It allows administrators to join computers to domains. The application also allows administrators to verify trusts and reset secure channels.
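Trust management is also where a security review starts, because the trust attributes (SID filtering, selective authentication, transitivity) decide how far a compromise in one domain can travel. The following added example (not part of the original page) inventories every trust of the current domain with those attributes and then verifies each with netdom. It assumes the RSAT ActiveDirectory module and netdom.exe, run as a domain administrator.

```powershell
# Added example: inventory the current domain's trusts with the security-
# relevant attributes, then verify each trust with netdom.
# Assumptions (not from the page): RSAT AD module, netdom.exe, Domain Admins rights.
Import-Module ActiveDirectory

$me = (Get-ADDomain).DNSRoot

Get-ADTrust -Filter * | ForEach-Object {
    [pscustomobject]@{
        Trusted                 = $_.Name
        Direction               = $_.Direction         # Inbound / Outbound / BiDirectional
        Type                    = $_.TrustType         # Uplevel (AD), Downlevel (NT4), Realm (MIT)
        ForestTransitive        = $_.ForestTransitive
        # SID filtering ('quarantine') stops SIDs from the other side being honoured
        # through SID history; turning it off across a forest boundary is a classic
        # privilege-escalation path and should be a deliberate, documented decision.
        SidFilteringQuarantined = $_.SIDFilteringQuarantined
        SidFilteringForestAware = $_.SIDFilteringForestAware
        SelectiveAuth           = $_.SelectiveAuthentication
        TgtDelegation           = $_.TGTDelegation
    }
} | Format-Table -AutoSize

# Verify the secure channel for each trust pair; /verify checks without resetting.
foreach ($t in Get-ADTrust -Filter *) {
    "--- $me <-> $($t.Name) ---"
    & netdom.exe trust $me /domain:$($t.Name) /verify
}
```

Add /kerberos to the netdom line to verify that Kerberos, not only NTLM, works across the trust.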
7. Where is the AD database held and how would you create a backup of the database? The database is stored in the Windows NTDS directory (%systemroot%\NTDS\ntds.dit). You create a backup of the database by backing up the System State: with the NTBACKUP tool on Windows Server 2003, with Windows Server Backup on Windows Server 2008 and later, or with a third-party product such as Symantec NetBackup. The System State backup contains the local registry, the boot files, the COM+ registration database, the NTDS.DIT file and its logs, as well as the SYSVOL folder.
8. What is SYSVOL, and why is it important? SYSVOL is a folder that exists on all domain
controllers. It is the repository for all of the Active Directory files. It stores all the
important elements of Active Directory Group Policy. The File Replication Service (FRS)
allows the replication of the SYSVOL folder among domain controllers. Logon
scripts and policies are delivered to each domain user via SYSVOL. SYSVOL stores all
of the security-related information of AD.
9. Briefly explain how Active Directory authentication works. When a user logs into the
network, the user provides a username and password. The computer sends this username
and password to the KDC, which contains the master list of unique long-term keys for
each user. The KDC creates a session key and a ticket-granting ticket. This data is sent to
the user's computer. The user's computer runs the data through a one-way hashing
function that converts the data into the user's master key, which in turn enables the
computer to communicate with the KDC to access the resources of the domain.
Microsoft 70-410: Installing and Configuring Windows Server 2012

70-410 was last updated at: February 15th, 2018
Exam Version: 31.0

Question No : 1 - Topic 1

You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Hyper-V server role installed. On Server1, you create a virtual machine named VM1. VM1
has a legacy network adapter.
You need to assign a specific amount of available network bandwidth to VM1.
What should you do first?

 A. Remove the legacy network adapter, and then run the Set-VMNetworkAdapter cmdlet.
 B. Add a second legacy network adapter, and then run the Set-VMNetworkAdapter cmdlet.
 C. Add a second legacy network adapter, and then configure network adapter teaming.
 D. Remove the legacy network adapter, and then add a network adapter.

Answer : D

Explanation:
A. The Set-VMNetworkAdapter cmdlet configures features of the virtual network adapter in a
virtual machine or the management operating system.
B. The legacy network adapter doesn't support bandwidth management.
C. The legacy network adapter doesn't support bandwidth management.
D. Add a new network adapter. The legacy network adapter doesn't support bandwidth
management.

Question No : 2 - Topic 1

Your network contains an Active Directory forest named contoso.com. The forest contains
a single domain. The domain contains two domain controllers named DC1 and DC2 that
run Windows Server 2012 R2.
The domain contains a user named User1 and a global security group named Group1.
You need to modify the SAM account name of Group1.
Which cmdlet should you run?

 A. Add-AdPrincipalGroupMembership
 B. Install-AddsDomainController
 C. Install-WindowsFeature
 D. Install-AddsDomain
 E. Rename-AdObject
 F. Set-AdAccountControl
 G. Set-AdGroup
 H. Set-User

Answer : G

Question No : 3 - Topic 1

You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the
Hyper-V server role installed.
An iSCSI SAN is available on the network.
Server1 hosts four virtual machines named VM1, VM2, VM3, and VM4.
You create a LUN on the SAN to host the virtual hard drive files for the virtual machines.
You need to create a 3-TB virtual hard disk for VM1 on the LUN. The solution must prevent
VM1 from being paused if the LUN runs out of disk space.
Which type of virtual hard disk should you create on the LUN?

 A. Dynamically expanding VHDX
 B. Fixed-size VHDX
 C. Fixed-size VHD
 D. Dynamically expanding VHD

Answer : B

Explanation: The virtual disk needs to be a VHDX file since it is going to be over 2TB in size
and it must be fixed-size so that the space is already taken on the server (that way the server does
not run out of space as the volume grows) even if the actual virtual disk does not yet hold that
amount of data.

Question No : 4 - Topic 1

You have a server named Server1 that runs Windows Server 2012 R2.
Server1 has three physical network adapters named NIC1, NIC2, and NIC3.
On Server1, you create a NIC team named Team1 by using NIC1 and NIC2. You configure
Team1 to accept network traffic on VLAN 10.
You need to ensure that Server1 can accept network traffic on VLAN 10 and VLAN 11. The
solution must ensure that the network traffic can be received on both VLANs if a network
adapter fails.
What should you do?

 A. From Server Manager, change the load balancing mode of Team1.
 B. Run the New-NetLbfoTeam cmdlet.
 C. From Server Manager, add an interface to Team1.
 D. Run the Add-NetLbfoTeamMember cmdlet.

Answer : C

Question No : 5 - Topic 1

Your network contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has the Hyper-V server role installed.
Server1 hosts four virtual machines named VM1, VM2, VM3, and VM4.
Server1 is configured as shown in the following table.

You install a network monitoring application on VM2.


You need to ensure that all of the traffic sent to VM3 can be captured on VM2.
What should you configure?

 A. NUMA topology
 B. Resource control
 C. Resource metering
 D. Virtual Machine Chimney
 E. The VLAN ID
 F. Processor Compatibility
 G. The startup order
 H. Automatic Start Action
 I. Integration Services
 J. Port mirroring
 K. Single-root I/O virtualization

Answer : J

Explanation: With Hyper-V Virtual Switch port mirroring, you can select the switch ports that
are monitored as well as the switch port that receives copies of all the traffic. And since port
mirroring allows the network traffic of a virtual machine to be monitored by copying the traffic
and forwarding it to another virtual machine that is configured for monitoring, you should
configure port mirroring on VM2.
Reference: http://technet.microsoft.com/en-us/library/jj679878.aspx#bkmk_portmirror
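
Added example (not part of the original explanation): the two sides of the mirror, since the monitored adapter and the capturing adapter each need their own role; both VMs are assumed to sit on the same virtual switch, with default adapter names.

```powershell
# Added example (not from the original page): mirror all of VM3's traffic to VM2 so the
# monitoring application on VM2 sees it. Port mirroring only works between adapters on
# the same Hyper-V virtual switch (assumed here).

# VM3 is the monitored port: the switch copies its inbound and outbound frames.
Set-VMNetworkAdapter -VMName 'VM3' -PortMirroring Source

# VM2 receives the copies. The capture tool in the guest must put the adapter into
# promiscuous mode to see frames not addressed to VM2.
Set-VMNetworkAdapter -VMName 'VM2' -PortMirroring Destination

# Verify both roles and that the adapters share a switch.
Get-VMNetworkAdapter -VMName 'VM2', 'VM3' |
    Select-Object VMName, Name, SwitchName, PortMirroringMode

# To stop mirroring when the investigation is over:
# Set-VMNetworkAdapter -VMName 'VM3' -PortMirroring None
# Set-VMNetworkAdapter -VMName 'VM2' -PortMirroring None
```
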

Question No : 6 - Topic 1

In an isolated test environment, you deploy a server named Server1 that runs a Server
Core Installation of Windows Server 2012 R2. The test environment does not have Active
Directory Domain Services (AD DS) installed.
You install the Active Directory Domain Services server role on Server1.
You need to configure Server1 as a domain controller.
Which cmdlet should you run?

 A. Install-ADDSDomainController
 B. Install-ADDSDomain
 C. Install-ADDSForest
 D. Install-WindowsFeature

Answer : C

Explanation: Install-ADDSDomainController installs a domain controller in an existing Active
Directory domain. Install-ADDSDomain installs a new Active Directory domain configuration.
Install-ADDSForest installs a new Active Directory forest configuration. Install-WindowsFeature
installs one or more Windows Server roles, role services, or features on either the local or a
specified remote server that is running Windows Server 2012 R2. This cmdlet is equivalent to and
replaces Add-WindowsFeature, the cmdlet that was used to install roles, role services, and
features. Because the test environment has no existing forest, the first domain controller is
created with Install-ADDSForest, for example:
C:\PS> Install-ADDSForest -DomainName corp.contoso.com -CreateDNSDelegation -DomainMode Win2008R2 -ForestMode Win2008 -DatabasePath "d:\NTDS" -SysvolPath "d:\SYSVOL" -LogPath "e:\Logs"
This installs a new forest named corp.contoso.com, creates a DNS delegation in the contoso.com
domain, sets the domain functional level to Windows Server 2008 R2 and the forest functional
level to Windows Server 2008, installs the Active Directory database and SYSVOL on the D:\
drive, installs the log files on the E:\ drive, has the server automatically restart after AD DS
installation is complete, and prompts the user to provide and confirm the Directory Services
Restore Mode (DSRM) password.

Question No : 7 - Topic 1

You have a server named Server1 that runs Windows Server 2012 R2.
You plan to create a storage pool that will contain a new volume.
You need to create a new 600-GB volume by using thin provisioning. The new volume
must use the parity layout.
What is the minimum number of 256-GB disks required for the storage pool?

 A. 2
 B. 3
 C. 4
 D. 5

Answer : C

Explanation: It takes 3 disks (minimum) in order to create a storage pool array with parity. If this
array were using fixed provisioning, this would not be enough given the 256-GB capacity (since
only 2/3rds of 256 x 3, which is less than 600, could be used as actual data, with the rest being
parity bits), but since this array uses thin provisioning, a 600-GB volume could technically be set
up on a 20-GB disk and it would still show as 600 GB. (So, essentially, the question really becomes
how many drives it takes in a storage pool to create a parity array.) References:
http://technet.microsoft.com/en-us/library/hh831391.aspx
http://www.ibeast.com/content/tools/RaidCalc/RaidCalc.asp
http://www.raid-calculator.com/default.aspx
https://www.icc-usa.com/raid-calculator
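
Added example (not part of the original explanation): the pool and the thin-provisioned parity disk built with the Storage module cmdlets, including the three-disk check the explanation relies on; pool name, disk name and the storage subsystem name pattern are assumptions.

```powershell
# Added example (not from the original page): create a thin-provisioned parity virtual
# disk of 600 GB. "Pool1" and "Data1" are assumed names.
$poolName = 'Pool1'
$diskName = 'Data1'

# Only disks that are unpartitioned and not yet in a pool are eligible.
$candidates = @(Get-PhysicalDisk -CanPool $true)
if ($candidates.Count -lt 3) {
    throw "Parity needs at least 3 physical disks; found $($candidates.Count)."
}

# The primordial subsystem is named "Storage Spaces on <host>" (2012) or
# "Windows Storage on <host>" (2012 R2); the wildcard matches both (assumption).
$subsystem = Get-StorageSubSystem -FriendlyName '*Storage*' | Select-Object -First 1
New-StoragePool -FriendlyName $poolName `
                -StorageSubSystemUniqueId $subsystem.UniqueId `
                -PhysicalDisks $candidates | Out-Null

# Thin provisioning: 600 GB is the logical size; physical capacity is consumed
# only as data is written, so 3 x 256 GB is enough to create it.
New-VirtualDisk -StoragePoolFriendlyName $poolName `
                -FriendlyName $diskName `
                -ResiliencySettingName Parity `
                -ProvisioningType Thin `
                -Size 600GB | Out-Null

# Initialise the new disk and put an NTFS volume on it.
Get-VirtualDisk -FriendlyName $diskName | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $diskName -Confirm:$false

# AllocatedSize shows how little of the 600 GB is physically backed so far; pools
# running out of real capacity is the operational risk of thin provisioning.
Get-VirtualDisk -FriendlyName $diskName |
    Select-Object FriendlyName, ResiliencySettingName, ProvisioningType, Size, AllocatedSize
```
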

Question No : 8 - Topic 1

Your network contains an Active Directory domain named contoso.com.


You have a DHCP server named Server1 that runs Windows Server 2008.
You install Windows Server 2012 R2 on a server named Server2. You install the DHCP
Server server role on Server2.
You need to migrate the DHCP services from Server1 to Server2. The solution must meet
the following requirements:
- Ensure that existing leases are migrated.
- Prevent lease conflicts.
Which three actions should you perform? (Each correct answer presents part of the
solution. Choose three.)

 A. On Server1, run the Export-DhcpServer cmdlet.
 B. On Server1, run the Stop-Service cmdlet.
 C. On Server2, run the Receive-SmigServerData cmdlet.
 D. On Server2, run the Stop-Service cmdlet.
 E. On Server2, run the Import-DhcpServer cmdlet.
 F. On Server1, run the Send-SmigServerData cmdlet.

Answer : A,B,E
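
Added example (not part of the original question): the three answers as a script run from Server2, which has the DHCP Server PowerShell module; the export path, the domain suffix and the assumption that the cmdlets can target the Windows Server 2008 machine remotely are mine, not the page's.

```powershell
# Added example (not from the original page): migrate DHCP from Server1 to Server2 with
# leases, then make sure only one server is handing out addresses. Paths and the domain
# suffix are assumed values.
$old    = 'Server1'
$new    = 'Server2'
$export = 'C:\Migration\dhcp-export.xml'

# A. Export server settings, scopes and the current lease table from the old server.
#    (Assumes the 2012 R2 module can address the 2008 server over RPC.)
Export-DhcpServer -ComputerName $old -File $export -Leases -Force

# B. Stop the old service so no new leases are issued after the export; this is what
#    prevents two servers from leasing the same address during the cutover.
Get-Service -ComputerName $old -Name DHCPServer | Stop-Service
Set-Service -ComputerName $old -Name DHCPServer -StartupType Disabled

# E. Import everything, leases included. -BackupPath saves Server2's existing DHCP
#    database first so the import can be rolled back.
Import-DhcpServer -ComputerName $new -File $export -Leases -BackupPath 'C:\DhcpBackup' -Force

# In a domain the new server must be authorized in AD before it serves clients.
Add-DhcpServerInDC -DnsName "$new.contoso.com"

# Verify scopes and lease counts arrived on Server2.
Get-DhcpServerv4Scope -ComputerName $new
Get-DhcpServerv4ScopeStatistics -ComputerName $new
```
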

Question No : 9 - Topic 1

Your network contains an Active Directory forest. The forest functional level is Windows
Server 2012 R2. The forest contains a single domain. The domain contains a member
server named Server1. Server1 runs windows Server 2012 R2.
You purchase a network scanner named Scanner1 that supports Web Services on Devices
(WSD).
You need to share the network scanner on Server1.
Which server role should you install on Server1?

 A. Web Server (IIS)
 B. Fax Server
 C. Print and Document Services
 D. File and Storage Services

Answer : C

Explanation: The Print and Document Services role allows for the configuration to share printers,
scanners and fax devices. References: Exam Ref 70-410: Installing and Configuring Windows
Server 2012 R2, Chapter 1: Installing and Configuring servers, Objective 1.2: Configure servers,
p. 8 http://technet.microsoft.com/en-us/library/hh831468.aspx

Question No : 10 - Topic 1

You have a print server named Server1 that runs Windows Server 2012 R2.
On Server1, you create and share a printer named Printer1.
The Advanced settings of Printer1 are shown in the Advanced exhibit. (Click the Exhibit
button.)
The Security settings of Printer1 are shown in the Security exhibit. (Click the Exhibit
button.)
The Members settings of a group named Group1 are shown in the Group1 exhibit. (Click
the Exhibit button.)
Select Yes if the statement can be shown to be true based on the available information;
otherwise select No. Each correct selection is worth one point.

Answer :

Question No : 11 - Topic 1

You have a server named Server1 that runs Windows Server 2012 R2.
You plan to use Windows PowerShell Desired State Configuration (DSC) to confirm that
the Application Identity service is running on all file servers.
You define the following configuration in the Windows PowerShell Integrated Scripting
Environment (ISE):

You need to use DSC to configure Server1 as defined in the configuration.


What should you run first?

 A. Service1
 B. Configuration1
 C. Start-DscConfiguration
 D. Test-DscConfiguration

Answer : B
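
Added example (not part of the original question, whose configuration was shown only as an image): a DSC configuration with the names from the options that keeps the Application Identity service running, followed by the order of operations the answer is about. The service name AppIDSvc and the output path are my assumptions.

```powershell
# Added example (not from the original page): keep the Application Identity service
# (AppIDSvc, which AppLocker rule enforcement depends on) running via DSC.
Configuration Configuration1 {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'Server1' {
        Service Service1 {
            Name        = 'AppIDSvc'
            State       = 'Running'
            StartupType = 'Automatic'
        }
    }
}

# 1. Run the configuration first (answer B). This only compiles it into a MOF document
#    per node, here C:\DSC\Configuration1\Server1.mof, and changes nothing on the server.
Configuration1 -OutputPath 'C:\DSC\Configuration1'

# 2. Hand the MOF to the Local Configuration Manager and apply it.
Start-DscConfiguration -Path 'C:\DSC\Configuration1' -Wait -Verbose

# 3. Later drift checks: $true while the service is still running as declared.
Test-DscConfiguration

# Independent confirmation outside DSC.
Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'" |
    Select-Object Name, State, StartMode
```
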
Question No : 12 - Topic 1

Your network contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has the Hyper-V server role installed.
Server1 hosts four virtual machines named VM1, VM2, VM3, and VM4.
Server1 is configured as shown in the following table.

VM2 sends and receives large amounts of data over the network.
You need to ensure that the network traffic of VM2 bypasses the virtual switches of the
parent partition.
What should you configure?

 A. NUMA topology
 B. Resource control
 C. Resource metering
 D. Virtual Machine Chimney
 E. The VLAN ID
 F. Processor Compatibility
 G. The startup order
 H. Automatic Start Action
 I. Integration Services
 J. Port mirroring
 K. Single-root I/O virtualization

Answer : K

Explanation: Single-root I/O virtualization-capable network adapters can be assigned directly to
a virtual machine to maximize network throughput while minimizing network latency and the
CPU overhead required for processing network traffic. References:
http://technet.microsoft.com/en-us/library/cc766320(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/hh831410.aspx
Exam Ref 70-410, Installing and Configuring Windows Server 2012 R2, Chapter 3: Configure Hyper-V,
Objective 3.1: Create and Configure virtual machine settings, p.144
Training Guide: Installing and Configuring Windows Server 2012 R2: Chapter 7: Hyper-V
Virtualization, Lesson 2: Deploying and configuring virtual machines, p.335

Question No : 13 - Topic 1

Your network contains an Active Directory domain named contoso.com. The domain
contains a domain controller named DC1 that hosts the primary DNS zone for
contoso.com.
All client computers are configured to use DC1 as the primary DNS server.
You need to configure DC1 to resolve any DNS requests that are not for the contoso.com
zone by querying the DNS server of your Internet Service Provider (ISP).
What should you configure?

 A. Naming Authority Pointer (NAPTR) DNS resource records (RR)
 B. Name server (NS) records
 C. Forwarders
 D. Conditional forwarders

Answer : C

Explanation: On a network with several servers and/or client computers a server that is
configured as a forwarder will manage the Domain Name System (DNS) traffic between your
network and the Internet.
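
Added example (not part of the original explanation): the forwarder configuration for DC1 next to a conditional forwarder, so the difference between options C and D is visible in the cmdlets; the ISP and partner addresses are documentation-range placeholders, not real resolvers.

```powershell
# Added example (not from the original page): send everything DC1 is not authoritative
# for to the ISP's resolvers. 198.51.100.x / 203.0.113.x are placeholder addresses.
$ispResolvers = '198.51.100.1', '198.51.100.2'

# Forwarders (option C): any query outside the zones DC1 hosts, such as contoso.com,
# goes to the ISP. Disabling root-hint fallback keeps recursive egress on the one path
# you have chosen to allow through the firewall.
Set-DnsServerForwarder -ComputerName 'DC1' -IPAddress $ispResolvers -UseRootHint $false

# Conditional forwarder (option D), shown for contrast: applies to one namespace only,
# so it cannot satisfy "any request not for contoso.com".
Add-DnsServerConditionalForwarderZone -ComputerName 'DC1' -Name 'partner.example' `
    -MasterServers '203.0.113.53' -ReplicationScope 'Forest'

# Verify the forwarder list and that an external name now resolves through DC1.
Get-DnsServerForwarder -ComputerName 'DC1'
Resolve-DnsName -Name 'www.microsoft.com' -Server 'DC1' -Type A
```
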

Question No : 14 - Topic 1

Your network contains an Active Directory domain named contoso.com.


The domain contains an organizational unit (OU) named OU1 as shown in the OU1 exhibit.
(Click the Exhibit button.)
The membership of Group1 is shown in the Group1 exhibit. (Click the Exhibit button.)
You configure GPO1 to prohibit access to Control Panel. GPO1 is linked to OU1 as shown
in the GPO1 exhibit. (Click the Exhibit button.)

Select Yes if the statement can be shown to be true based on the available information;
otherwise select No. Each correct selection is worth one point.
Answer :

Explanation:
Group Policy does NOT apply to security groups, only to users and computers in an OU.
Consequently, the only users in the OU are User2 and User4. Since the Security Filtering specifies
that the policy will only apply to users/computers in the OU who are members of Group1 or User3,
User4 will not have the policy applied. Since User2 is, in fact, a member of Group1, the policy will
be applied to User2. Thus, the only user who will not be able to access the Control Panel is User2.
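
Added example (not part of the original explanation): the same reasoning carried out with the GroupPolicy and ActiveDirectory modules, combining who is in the OU with who holds the Apply permission on GPO1; the OU distinguished name is assumed from the question's names.

```powershell
# Added example (not from the original page): determine which users in OU1 actually
# receive GPO1. The OU distinguished name is an assumption.
Import-Module GroupPolicy, ActiveDirectory
$ouDn = 'OU=OU1,DC=contoso,DC=com'

# Security filtering = the trustees that hold "Apply Group Policy" (GpoApply) on GPO1.
$applyTrustees = Get-GPPermission -Name 'GPO1' -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object -ExpandProperty Trustee

# Groups in the filter are expanded to the users they contain; a group object in the OU
# is never itself a policy target, which is the point the explanation makes.
$allowedUsers = foreach ($t in $applyTrustees) {
    switch ($t.SidType) {
        'Group' {
            Get-ADGroupMember -Identity $t.Sid.Value -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                Select-Object -ExpandProperty SamAccountName
        }
        'User' { (Get-ADUser -Identity $t.Sid.Value).SamAccountName }
    }
}

# GPO1 applies to a user only if the account is located in OU1 AND is in the filtered set.
Get-ADUser -SearchBase $ouDn -Filter * |
    Select-Object SamAccountName,
        @{ n = 'GPO1Applies'; e = { $_.SamAccountName -in $allowedUsers } }
```

With the question's data this lists User2 with GPO1Applies = True and User4 with False; User3 is in the filter but not in the OU, so it never appears.
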

Question No : 15 - Topic 1

Your network contains an Active Directory forest named contoso.com. The forest contains
a single domain. All servers run Windows Server 2012 R2. The domain contains two
domain controllers named DC1 and DC2. Both domain controllers are virtual machines on
a Hyper-V host.
You plan to create a cloned domain controller named DC3 from an image of DC1.
You need to ensure that you can clone DC1.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

 A. Add the computer account of DC1 to the Cloneable Domain Controllers group.
 B. Create a DCCloneConfig.xml file on DC1.
 C. Add the computer account of DC3 to the Cloneable Domain Controllers group.
 D. Run the Enable-AdOptionalFeature cmdlet.
 E. Modify the contents of the DefaultDCCloneAllowList.xml file on DC1.

Answer : A,B

Explanation: A. Cloneable Domain Controllers group. There's a new group in town. It's called
Cloneable Domain Controllers and you can find it in the Users container. Membership in this
group dictates whether a DC can or cannot be cloned. This group has some permissions set on
the domain head that should not be removed. Removing these permissions will cause cloning to
fail. Also, as a best practice, DCs shouldn't be added to the group until you plan to clone, and DCs
should be removed from the group once cloning is complete. Cloned DCs will also end up in the
Cloneable Domain Controllers group. B. DCCloneConfig.xml. There's one key difference
between a cloned DC and a DC that is being restored to a previous snapshot:
DCCloneConfig.xml. DCCloneConfig.xml is an XML configuration file that contains all of the
settings the cloned DC will take when it boots. This includes network settings, DNS, WINS, AD
site name, new DC name and more. This file can be generated in a few different ways: with the
New-ADDCCloneConfigFile cmdlet in PowerShell, by hand with an XML editor, or by editing an
existing config file, again with an XML editor. Reference: Virtual Domain Controller Cloning in
Windows Server 2012.
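
Added example (not part of the original explanation): the two answers as the commands run on DC1, with the prerequisite check the cloning cmdlet performs; DC3's addresses and the site name are placeholders.

```powershell
# Added example (not from the original page): prepare DC1 so a copy of it can boot as DC3.
# Run on DC1. Addresses (192.0.2.x, documentation range) and the site name are placeholders.
Import-Module ActiveDirectory

# A. Authorize DC1 as a clone source. The PDC emulator checks this membership when the
#    clone boots; take DC1 out of the group again once cloning is finished.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' `
                  -Members (Get-ADComputer -Identity 'DC1')

# Installed software not on the allow list blocks cloning. Review the list, then either
# uninstall the items or, after vetting, whitelist them with -GenerateXml.
Get-ADDCCloningExcludedApplicationList

# B. Write DCCloneConfig.xml into DC1's NTDS folder. The cmdlet also validates the
#    prerequisites (group membership, PDC emulator on 2012 or later, excluded apps) and
#    refuses to write the file if any fail.
New-ADDCCloneConfigFile -CloneComputerName 'DC3' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '192.0.2.13' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '192.0.2.1' -IPv4DNSResolver '192.0.2.11'

# Confirm the membership that answer A requires.
Get-ADGroupMember -Identity 'Cloneable Domain Controllers' | Select-Object Name, objectClass

# DC1 is then shut down and its VM exported/imported as DC3 on the Hyper-V host; on first
# boot the clone finds DCCloneConfig.xml and promotes itself with the new identity.
```
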
