Interviewg

VMWARE L2 and L3 Interview Questions
VMWARE Questions
1). What's new with vsphere 5.1?

http://www.vmware.com/files/pdf/products/vsphere/vmware-what-is-new-vsphere5.pdf
2). Difference between ESX and ESXi?
3). How does vmotion works?
Live migration of a virtual machine from one physical server to another with VMware
VMotion is enabled by three underlying technologies.
First, the entire state of a virtual machine is encapsulated by a set of files

stored on shared storage such as Fibre Channel or iSCSI Storage Area Network (SAN)
or Network Attached Storage (NAS). VMware vStorage VMFS allows multiple
installations of VMware ESX� to access the same virtual machine files concurrently.
Second, the active memory and precise execution state of the virtual machine is
rapidly transferred over a high speed network, allowing the virtual machine to
instantaneously switch from running on the source ESX host to the destination ESX
host. VMotion keeps the transfer period imperceptible to users by keeping track of
on-going memory transactions in a bitmap. Once the entire memory and system state
has been copied over to the target ESX host, VMotion suspends the source virtual
machine, copies the bitmap to the target ESX host, and resumes the virtual machine
on the target ESX host. This entire process takes less than two seconds on a
Gigabit Ethernet network.
Third, the networks being used by the virtual machine are also virtualized by the
underlying ESX host, ensuring that even after the migration, the virtual machine
network identity and network connections are preserved. VMotion manages the virtual
MAC address as part of the process. Once the destination machine is activated,
VMotion pings the network router to ensure that it is aware of the new physical
location of the virtual MAC address.
Since the migration of a virtual machine with VMotion preserves the precise
execution state, the network identity, and the active network connections, the
result is zero downtime and no disruption to users.
4). Pre-requisites of vMotion?

1. ESX Servers must be configured with VMkenerl ports enabled for vmotion and
on the same network segment
2. ESX Servers must be managed by the same Virtual Center server
3. ESX Must have compatible CPUs
4. ESX Servers must have consistent Networks and Netwroks labels
5. The VMs must be stored on shared storage - iSCSI or FC SAN or NAS/NFS
6. The VMs cannot use local cd/floppy or internal only vrtual switches on the
ESX server
5). Difference between h/w version 4 vs 7 vs 8 vs 9?

http://pubs.vmware.com/vsphere-50/index.jsp?topic=
%2Fcom.vmware.vsphere.upgrade.doc_50%2FGUID-68E5EDAE-66DE-43F8-9420-
F424AFEADB1D.html
6). What is storage DRS?

http://www.vmware.com/ap/products/datacenter-virtualization/vsphere/storage-
drs.html
7). How is HA of vsphere 4.1 different from vsphere 5.x?
http://www.yellow-bricks.com/vmware-high-availability-deepdiv/
8). What is NMP (native multipathing)?

9). If one host is showing disconected to vcenter, how will you troubleshoot it?
10). What is PSOD, how will you troubleshoot it?
11). Where does the logs of hostd and vpx go?
12). what is in-memory filesystem and is introduced with which version?
13). Pr-requisites of FT?
14). What can be the maxium size of snapshot, how it grows?
15). Commands to create vswitch?
16). What is lockdown mode?
17). what is CPU ready time?
18). How to enable hot-add feature?
19). how to generate logs using CLI?
20). What is the default location for AAM logs?
21). Difference between VMF3 and VMFS5 filesystem?
22). How to troubleshoot VMs performance using CLI?
23). Difference between vpxa and hostd deamons?
24). How many simultaneous vmotions are possible in 1gigs n/w?
25). What are default roles in vcenter?
26). Whati s the difference between vmdk and flat.vmdk?
27). What is "shared nothing" vmotion and its pre-requisites?
28). Licensing model in 5.0 and how it is changed in 5.1?
29). How to upgrade from ESX 3.5 to 4.0 /4.x to 5.x?
30). What is a slot-size and how is it calculated?
31). Importance of VMware tools?
32). How many disk failures does RAID 5 support?
33). which is better RAID 10 or RAID 01
Storage Questions
1). What is zoning, different types of zoning?

2). Difference b/w soft and hard zoning?
3). Whati s LUN masking?
4). What is vault drive?
5). What is LUN masking and how is it different from zoning?
6. How many maximum number of disks can be placed in EMC clariion CX4 - 960
7). What is LCC and its importance?
8). What is difference between contcatination and Striping in lun expansion?
9). How is a LUN presented to a server, all steps like RAID grouping, LUN binding
etc?
10). what is WWN and IQN
11). What are different types of backup techniques?
12). What is deduplication?
***********************************************************************************
*************
WINTEL L2 or L3 Interview Questions
As of now I am just posting the questions only. In due course of time I'll publish
the answers as well.
1) Difference between sharing and security permissions.

2) FSMO roles detailed.
3) Raid 5 & 1 scenario based questions.
4) Disk expansion C & D
5) Recetly faced issues.
6) Incident and Change managment processes.
7) How to deal with Memory leak issue.
8) Performance analysis.
9) How to analyze DUMP.
10) Setting up cluster servers
11) Stub zone
12) Global Catalog server
13) Difference between 2008 and 2008R2
14) New features in 2008
15) Boot process in Win 2008
16) How many types of Quorums are there in a Cluster?
17) Have you used DRAC, iDRAC or iLO or IBM remote management tool?
18)
================================================================
1) What is Paged pool memory

2) What is Non paged pool memory
3) What is Virtual Memory and how it is different from a Page file?
4) What is a Page File?
6) What is PAE Switch and why it is needed?
7) What is /3GB switch and why its needed?
8 What is the difference between 64bit OS and 32bit OS?
================================================================
How to troubleshoot event Id 2019 and 2020?

http://blogs.msdn.com/b/ntdebugging/archive/2006/12/18/understanding-pool-
consumption-and-event-id_3a00_--2020-or-2019.aspx
How to open a Dump File?

http://support.microsoft.com/kb/315263
Why BSOD happens and How to fix BSOD error? Look for a detailed answer.
1) Reboot
2) REboot with "Last known good configuration"
3) Reboot in safe mode with networking.
4) Reboot with safe mode.
5) Check if Stop x7B error is there. If yes check of Raid disk/s have an issue.
6) Do a dump analysis. Use step mentioned in KB: 315263 to open a dump file.
What is PAE Switch?

What is /3GB switch? How to use them in Windows 2003 and Windows 2008?
What is virtual memory and how it is organized in Windows? How does it gets more
importance as far as 32bit or 64Bit Os goes?
Read this Blog to know about troubleshooting causes of "RPC Server unavailable"
issues. It'll help you know about different ports needed, memory depletion due to
leak and others. - http://microsoftworld.blogspot.ca/2011/03/troubleshooting-rpc-
server-is.html
What is DHCP? What is DORA process? What is APIPA? What is a SCOPE and Superscope?
What is a reservation? What is the name of DHCP database?
For DNS questions please read - http://dnsfunda.blogspot.com/
For VMWARE
1) What id P2V? What is the tool that is used?

2) What is V2V and what is the tool that is used?
3) What is HA?
4) What is DRS?
5) What is storage vmotion?
6) What is system vmotion?
7) What is the difference between ESX and ESXi
For questions on Active Directory, please visit this blog.

Some questions along with answers are here.
***********************************************************************************
**************************************************
VMWARE Questions and Answers

1. Is VMware Kernel a Linux/Unix Kernel?
VMware Kernel is a Proprietary Kernel and is not based on any of the UNIX operating
systems, it's a kernel developed by VMware Company.
2. Does the VMKernel boot by itself?
The VMKernel can't boot by itself, so it takes the help of the 3rd party operating
system. In the case of VMware the kernel is booted by RedHat Linux operating system
which is known as service console.
3. The service console is developed based up on Redhat Linux Operating system; it

is used to manage the VMKernel
4. Which command is used to restart webaccess service on vmware?service vmware-

webaccess restart � this will restart apache tomcat app
5. What is the command to restart ssh service on vmware?service sshd restart
6. What is the command to restart host agent(vmware-hostd) on VMware esx server?

service mgmt-vmware restart
7. What is the Path of the struts-config.xml?
/usr/lib/vmware/webAccess/tomcat/apache-tomcat-5.5.17/webapps/ui/WEB-INF/
8. What is the command to start the scripted install?

esx ks=nfs:111.222.333.444:/data/KS.config ksdevice=eth0
location device name
9. Virtual Network in Simple��.

Virtual Nic(s) on Virtual Machine(s) ----->
Physical Nic on the ESX Server (Virtual Switch - 56 Ports) ----->
Physical Switch Port should be trunked with all the VLANS to which the VM's need
access
All the ESX servers should be configured with Same number of Physical Nics
(vSwitches) and Connectivity also should be same, So that vMotion succeeds.
All the Virtual Machines are connected to one vSwitch with Different VLANS, this
means the Physical Nic(vSwitch) needs to be trunked with the same VLANS on the
Physical Switch Port
10 What are the three port groups present in ESX server networking?1. Virtual
Machine Port Group - Used for Virtual Machine Network
2. Service Console Port Group - Used for Service Console Communications
3. VMKernel Port Group - Used for VMotion, iSCSI, NFS Communications
11. What is the use of a Port Group?

The port group segregates the type of communication.
12. What are the types of communications which requires an IP address for sure?
Service Console and VMKernel (VMotion and iSCSI), these communications does not
happen without an ip address (Whether it is a single or dedicated)
13. In the ESX Server licensing features VMotion License is showing as Not used,
why?
Even though the license box is selected, it shows as "License Not Used" until, you
enable the VMotion option for specific vSwitch.
14. How the Virtual Machine Port group communication works?
All the vm's which are configured in VM Port Group are able to connect to the
physical machines on the network. So this port group enables communication between
vSwitch and Physical Switch to connect vm's to Physical Machine's
15. What is a VLAN?A VLAN is a logical configuration on the switch port to segment
the IP Traffic. For this to happen, the port must be trunked with the correct VLAN
ID.
16. Does the vSwitches support VLAN Tagging? Why?Yes, the vSwitches support VLAN
Tagging; otherwise if the virtual machines in an esx host are connected to
different VLANS, we need to install a separate physical nic (vSwitch) for every
VLAN. That is the reason vmware included the VLAN tagging for vSwitches. So every
vSwitch supports upto 1016 ports, and BTW they can support 1016 VLANS if needed,
but an ESX server doesn�t support that many VM�s.
17. What is Promiscuous Mode on vSwitch? What happens if it sets to accept?If the
promiscuous mode set to Accept, all the communication is visible to all the virtual
machines, in other words all the packets are sent to all the ports on vSwitch
If the promiscuous mode set to Reject, the packets are sent to inteded port, so
that the intended virtual machine was able to see the communication.
18. What is MAC address Changes? What happens if it is set to accept?

When we create a virtual machine the configuration wizard generates a MAC address
for that machine, you can see it in the .vmx (VM Config) file. If it doesn't
matches with the MAC address in the OS this setting does not allow incoming traffic
to the VM. So by setting Reject Option both MAC addresses will be remains same, and
the incoming traffic will be allowed to the VM.
19. What is Forged Transmits? What happens if it is set to Accept?When we create a

virtual machine the configuration wizard generates a MAC address for that machine,
you can see it in the .vmx (VM Config) file. If it doesn't matches with the MAC
address in the OS this setting does not allow outgoing traffic from the VM. So by
setting Reject Option both MAC addresses will be remains same and the outgoing
traffic will be allowed from the VM.
20. What are the core services of VC?

VM provisioning, Task Scheduling and Event Logging
21. Can we do vMotion between two datacenters? If possible how it will be?
Yes we can do vMotion between two datacenters, but the mandatory requirement is the
VM should be powered off.
22. What is VC agent? What service it corresponds to? What are the minimum
requisites for VC agent installation?VC agent is an agent installed on ESX server
which enables communication between VC and ESX server. The daemon associated with
it is called vmware-hostd, and the service which corresponds to it is called as
mgmt-vmware, in the event of VC agent failure just a restart of the service by
typing the following command at the service console helps. " service mgmt-vmware
restart " VC agent is installed on the ESX server when we add it to the VC, so at
the time of installation if you are getting an error like " VC Agent service failed
to install ", check the /Opt size whether it is sufficient or not.
23. How can you edit VI Client Settings and VC Server Settings?Click Edit Menu on
VC and Select Client Settings to change VI settings
Click Administration Menu on VC and Select VC Management Server Configuration to
Change VC Settings.
24. What are the files that make a Virtual Machine?

.vmx - Virtual Machine Configuration File
.nvram - Virtual Machine BIOS
.vmdk - Virtual Machine Disk file
.vswp - Virtual Machine Swap File
.vmsd - Virtual Machine Snapshot Database
.vmsn - Virtual Machine Snapshot file
.vmss - Virtual Machine Suspended State file
.vmware.log - Current Log File
.vmware-#.log - Old Log file
25. What are the devices that can be added while the virtual Machine running?
In VI 3.5 we can add Hard Disk and NIC's while the machine running. In vSphere 4.0
we can add Memory and Processor along with HDD and NIC's while the machine running
26. How to set the time delay for BIOS screen for a Virtual Machine?
Right Click on VM, select edit settings, choose options tab and select boot
option, set the delay how much you want.
27. What is a template?

We can convert a VM into Template, and it cannot be powered on once it�s changed
to template. This is used to quick provisioning of VM's.
23. What to do to customize the windows virtual machine clone?

Copy the sysprep files to Virtual center directory on the server, so that the
wizard will take the advantage of it.
24. What to do to customize the linux/unix virtual machine clone?

VC itself includes the customization tools, as these operating systems are
available as open source.
25. Does cloning from template happen between two datacenters?

Yes... it can, if the template is in one datacenter, we can deploy the vm from
that template in another datacenter without any problem.
26. What are the common issues with snapshots? What stops from taking a snapshot
and how to fix it?
If you configure the VM with Mapped LUN's, then the snapshot failed. If it is
mapped as virtual then we can take a snapshot of it.
If you configure the VM with Mapped LUN's as physical, you need to remove it to
take a snapshot.
27. What are the settings that are taken into to consideration when we initiate a
snapshot?
Virtual Machine Configuration (What hardware is attached to it)
State of the Virtual Machine Hard Disk file (To revert back if needed)
State of the Virtual Machine Memory (if it is powered on).
28. What are the requirements for Converting a Physical machine to VM?
An agent needs to be installed on the Physical machine
VI client needs to be installed with Converter Plug-in
A server to import/export virtual machines
29. What is VMWare consolidated backup?

It is a backup framework, which supports 3rd party utilities to take backups of
ESX servers and Virtual Machines. It�s not a backup service.
30. To open the guided consolidation tool, what are the user requirements?
The user must be member of administrator, the user should have "Logon as service"
privileges - To give a user these privileges, open local sec policy, select Logon
as service policy and add the user the user should have read access to AD to send
queries
31. Difference between HA and Vmotion?

VMotion and HA are not related and are not dependents of each other. DRS has a
dependency on vMotion,but not HA. HA is used in the event that a hosts fails you
can have your virtual machines restart on another host in the cluster. vMotion
allows you to move a virtual machine from one host to another while it is running
without service interruption. Ideally you will utilize vMotion, HA and DRS within
your cluster to achieve a well balanced VI environment.
So HA fail over is not really seamless since you mentioned it has virtual machines
restart on another host in the Cluster? No, your VM's will go down If there is a
host failure and then HA will restart them on another ESX Host in the cluster. This
is where DRS will take over and start to balance out the load across the remaining
ESX Hosts in the cluster using vmotion.
32. What is DRS? DRS : Distributed Resource Scheduling (Youtube Video)
VMware DRS dynamically balances computing capacity across a collection of hardware

resources aggregated into logical resource pools, continuously monitoring
utilization across resource pools and intelligently allocating available resources
among the virtual machines based on pre-defined rules that reflect business needs
and changing priorities. When a virtual machine experiences an increased load,
VMware DRS automatically allocates additional resources by redistributing virtual
machines among the physical servers in the resource pool. VMware DRS allows IT
organizations to:
� Prioritize resources to the highest value applications in order to align
resources with business goals
� Optimize hardware utilization automatically and continuously to respond to
changing conditions
� Provide dedicated resources to business units while still profiting from higher
hardware utilization through
resource pooling.
� Conduct zero-downtime server maintenance
* Lower power consumption costs by up to 20 percent.
33. What is HA? HA : High Availability (Youtube video)

vSphere High Availability (HA) delivers the availability needed by many
applications running in virtual machines, independent of the operating system and
application running in it. HA provides uniform, cost-effective failover protection
against hardware and operating system failures within your virtualized IT
environment.
Monitors virtual machines to detect operating system and hardware failures.
Restarts virtual machines on other physical servers in the resource pool without
manual intervention when server failure is detected.
Protects applications from operating system failures by automatically restarting
virtual machines when an operating system failure is detected.
34. What is DPM in VMWARE? DPM : Distributed Power Management

VMware Distributed Power Management (DPM) is a pioneering new feature of VMware DRS
that continuously monitors resource requirements in a VMware DRS cluster. When
resource requirements of the cluster decrease during periods of low usage, VMware
DPM consolidates workloads to reduce power consumption by the cluster. When
resource requirements of workloads increase during periods of higher usage, VMware
DPM brings powered-down hosts back online to ensure service levels are met. VMware
DPM allows IT organizations to:
� Cut power and cooling costs in the datacenter
� Automate management of energy efficiency in the datacenter
What is dvSwitch? Distributed vSwitch
It�s a new feature introduced in vSphere4.0.The configuration of vDS is centralized

to vCenter. The ESX/ESXi 4.xand ESXi 5.x hosts that belong to a dvSwitch do not
need further configuration to be compliant. Distributed Switches provide similar
functionalities to vSwitches. dvPortgroups is a set of dvPorts. The vDS equivalent
of portgroups is a set of ports in a vSwitch. Configuration is inherited from
dvSwitch to dvPortgroup, like what happens for vSwitch/Portgroup. Virtual machines,
Service Console interface (vswif), and VMKernel interfaces can be connected to
dvPortgroups just as like they could be connected to portgroups in vSwitches
Administrative rights are required to create the following virtual adapters on each
ESX/ESXi host dvSwitch in vCenter:
Service Console and VMKernel interfaces
Physical NICs and their assignment to dvSwitch Uplink groups
Configuring vNetwork Distributed Switch using vCenter
What is FT in vmware? FT : Fault Tolerance for Virtual Machines

vSphere Fault Tolerance (FT) provides continuous availability for applications in
the event of server failures, by creating a live shadow instance of a virtual
machine that is in virtual lockstep with the primary instance. By allowing
instantaneous failover between the two instances in the event of hardware failure,
FT eliminates even the smallest chance of data loss or disruption.
VMware Fault Tolerance FAQ
What is vApps in vmware?

vApps : vApp is a container same as resource pool, but it is having some features
of virtual machines, a vApp can be powered on or powered off, and it can be cloned
too.
More details on vApps along with a video.
What is vSafe?
vmSafe : VMsafe's application programming interfaces are designed to help third-
party vendors create virtualization security products that better secure VMware
ESX, vShield Zones is a security tool targets the VMware administrator.
In other words VMware VMsafe� is a program for integrating partner security
solutions into VMware-virtualized environments, offering visibility, control and
choice to customers. The result is an approach to virtualized security that
provides customers with a choice of enhanced security and IT compliance solutions
enabling comprehensive protection for virtual datacenters and cloud environments
What is vShields?
vShield : VShield Zones is essentially a virtual firewall designed to protect VMs
and analyze virtual network traffic. This three-part series describes vShield
Zones, explains how to install it and provides useful management tips.
whats new in vShields 5?
.
***********************************************************************************
*********************************************
"System Error 1920 has occured" 3

Distributed File system or DFS in Windows 2003 1
Some more active directory FAQ

Microsoft Active Directory Questions.
? What is Active Directory?

Active Directory is Microsoft's trademarked directory service, an integral part of
the Windows 2000 architecture. Like other directory services, such as Novell
Directory Services (NDS), Active Directory is a centralized and standardized system
that automates network management of user data, security, and distributed
resources, and enables interoperation with other directories. Active Directory is
designed especially for distributed networking environments.
? What is LDAP?
Short for Lightweight Directory Access Protocol, a set of protocols for accessing
information directories. LDAP is based on the standards contained within the X.500
standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP,
which is necessary for any type of Internet access. Because it's a simpler version
of X.500, LDAP is sometimes called X.500-lite.
? Can you connect Active Directory to other 3rd-party Directory Services? Name a
few options?
Yes. Microsoft Identity Integration Server (MIIS) is used to connect Active
Directory to other 3rd-party Directory Services (including directories used by SAP,
Domino, etc).
? Where is the AD database held? What other folders are related to AD?
AD Database is saved in %systemroot%/ntds. You can see other files also in this
folder. These are the main files controlling the AD structure
? ntds.dit
? edb.log
? res1.log
? res2.log
? edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K
records the transaction in the log file (edb.log). Once written to the log file,
the change is then written to the AD database. System performance determines how
fast the system writes the data to the AD database from the log file. Any time the
system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log.
The initial size of each is 10MB. These files are used to ensure that changes can
be written to disk should the system run out of free disk space. The checkpoint
file (edb.chk) records transactions committed to the AD database (ntds.dit). During
shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a
reboot, AD determines that all transactions in the edb.log file have been committed
to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot
or the shutdown statement isn't present, AD will use the edb.log file to update the
AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By
default, the file is located in\NTDS, along with the other files we've discussed.
? What is the SYSVOL folder?

The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and
reparse points in the file systems that exist on each domain controller in a
domain. SYSVOL provides a standard location to store important elements of Group
Policy objects (GPOs) and scripts so that the File Replication service (FRS) can
distribute them to other domain controllers within that domain.
You can go to SYSVOL folder by typing : %systemroot%/sysvol
? Name the AD NCs and replication issues for each NC.

*Schema NC, *Configuration NC, * Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It
contains information about the Active Directory schema, which in turn defines the
different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains
forest-wide configuration information pertaining to the physical layout of Active
Directory, as well as information about display specifiers and forest-wide Active
Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory
domain. This is the NC that contains the most commonly-accessed Active Directory
data: the actual users, groups, computers, and other objects that reside within a
particular Active Directory domain.
? What are application partitions? When do I use them?
There are two answers to this question. Answer A1 and A2 given below.
A1) Application Directory Partition is a partition space in Active Directory which

an application can use to store that application specific data. This partition is
then replicated only to some specific domain controllers.
The application directory partition can contain any type of data except security
principles (users, computers, groups).
**A2) These are specific to Windows Server 2003 domains.

An application directory partition is a directory partition that is replicated only
to specific domain controllers. A domain controller that participates in the
replication of a particular application directory partition hosts a replica of that
partition. Only domain controllers running Windows Server 2003 can host a replica
of an application directory partition.
? How do you create a new application partition?

The DnsCmd command is used to create a new application directory partition. Ex. to
create a partition named �NewPartition � on the domain controller DC1.contoso.com,
log on to the domain controller and type following command.
DnsCmd DC1/createdirectorypartition NewPartition.contoso.com
? How do you view replication properties for AD partitions and DCs?

By using replication monitor
go to start > run > type replmon
? What is the Global Catalog?

The Global Catalog (GC) contains an entry for every object in an enterprise forest
but only a few properties for each object. An entire forest shares a GC, with
multiple servers holding copies. You can perform an enterprisewide forest search
only on the properties in the GC, whereas you can search for any property in a
user�s domain tree. Only Directory Services (DSs) or domain controllers (DCs) can
hold a copy of the GC.
Configuring an excessive number of GCs in a domain wastes network bandwidth during
replication. One GC server per domain in each physical location is sufficient.
Windows NT sets servers as GCs as necessary, so you don�t need to configure
additional GCs unless you notice slow query response times.
Because full searches involve querying the whole domain tree rather than the GC,
grouping the enterprise into one tree will improve your searches. Thus, you can
search for items not in the GC.
? How do you view all the GCs in the forest?
C:\repadmin /showreps
where domain_controller is the DC you want to query to determine whether it�s a GC.
The output will include the text DSA Options: IS_GC if the DC is a GC. . . .
You would need script to make such query, but you can also check your DNS for SRV
records which contain _gc in their name.
? Why not make all DCs in a large forest as GCs?

When all the DC become a GC replication traffic will get increased and we could not
keep the Infrastructure master and GC on the same domain ,so atlease one dc should
be act without holding the GC role .
? Trying to look at the Schema, how can I do that?
Register the schmmgmt.dll with the command regsvr32
? What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing the complicated tasks
easily. These can also be the third party tools. Some of the Support tools include
DebugViewer, DependencyViewer, RegistryMonitor, etc.
? What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
LDP : Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when
traffic engineering is not required. It establishes LSPs that follow the existing
IP routing, and is particularly well suited for establishing a full mesh of LSPs
between all of the routers on the network.
Replmon : Replmon displays information about Active Directory Replication.
ADSIEDIT :ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a

low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool.
Network administrators can use it for common administrative tasks such as adding,
deleting, and moving objects with a directory service. The attributes for each
object can be edited or deleted by using this tool. ADSIEdit uses the ADSI
application programming interfaces (APIs) to access Active Directory. The following
are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.MSC
NETDOM : NETDOM is a command-line tool that allows management of Windows domains

and trust relationships. It is used for batch management of trusts, joining
computers to domains, verifying trusts, and secure channels.
REPADMIN : REPADMIN is a built-in Windows diagnostic command-line utility that
works at the Active Directory level. Although specific to Windows, it is also
useful for diagnosing some Exchange replication problems, since Exchange Server is
Active Directory based. REPADMIN doesn't actually fix replication problems for you.
But, you can use it to help determine the source of a malfunction.
? What are sites? What are they used for?
Active Directory (AD) sites, which consist of well-connected networks defined by IP
subnets that help define the physical structure of your AD, give you much better
control over replication traffic and authentication traffic than the control you
get with Windows NT 4.0 domains. Because AD relies on IP, all LAN segments should
have a defined IP subnet. This makes creating your AD site structure
straightforward; you simply group well-connected subnets to form a site.
Creating AD sites benefits you in several ways, the first of which is that creating
these sites lets you control replication traffic over WAN links. This control is
important in Windows 2000 because any Win2K domain controller (DC) can originate
changes to AD. To ensure that a change you make on one DC propagates to all DCs,
Win2K uses multimaster replication (instead of the single-master replication that
NT 4.0 uses). You might think that multimaster replication would make it difficult
to plan for AD replication�s effect on your WAN links, but you can overcome this
obstacle using AD sites.
? What's the difference between a site link's schedule and interval?

Site Link is a physical connection object on which the replication transport
mechanism depends on. Basically to speak it is the type of communication mechanism
used to transfer the data between different sites. Site Link Schedule is nothing
but when the replication process has to be takes place and the interval is nothing
but how many times the replication has to be takes place in a give time period i.e
Site Link Schedule.
? What is the KCC?

KCC stands for knowledge consistency checker. Apart of the ISTG role in active
directory. The kcc checks and as an option, recreates topology information for the
active directory domain.
? What is the ISTG? Who has that role by default?

Windows 2000 Domain controllers each create Active Directory Replication connection
objects representing inbound replication from intra-site replication partners. For
inter-site replication, one domain controller per site has the responsibility of
evaluating the inter-site replication topology and creating Active Directory
Replication Connection objects for appropriate bridgehead servers within its site.
The domain controller in each site that owns this role is referred to as the Inter-
Site Topology Generator (ISTG).
? What are the requirements for installing AD on a new server?

? An NTFS partition with enough free space (if you have FAT or FAT32 use convert
c:/fs:ntfs command to convert it to NTFS)
? An Administrator's username and password
? The correct operating system version
? A NIC
? Properly configured TCP/IP (IP address, subnet mask and - optional - default
gateway)
? A network connection (to a hub or to another computer via a crossover cable)
? An operational DNS server (which can be installed on the DC itself)
? A Domain name that you want to use
? The Windows Server 2003 CD media (or at least the i386 folder)
? Brains (recommended, not required...)
? What can you do to promote a server to DC if you're in a remote location with
slow WAN link?
Install from Media In Windows Server 2003 a new feature has been added, and this
time it's one that will actually make our lives easier... You can promote a domain
controller using files backed up from a source domain controller!!!
This feature is called "Install from Media" and it's available by running DCPROMO
with the /adv switch. It's not a replacement for network replication, we still need
network connectivity, but now we can use an old System State copy from another
Windows Server 2003, copy it to our future DC, and have the first and basic
replication take place from the media, instead of across the network, this saving
valuable time and network resources.
What you basically have to do is to back up the systems data of an existing domain
controller, restore that backup to your replica candidate, use DCPromo /Adv to tell
it to source from local media, rather than a network source.
This also works for global catalogs. If we perform a backup of a global catalog
server, then we can create a new global catalog server by performing DCPromo from
that restored media.
IFM Limitations
It only works for the same domain, so you cannot back up a domain controller in
domain A and create a new domain B using that media.
It's only useful up to the tombstone lifetime with a default of 60 days. So if you
have an old backup, then you cannot create a new domain controller using that,
because you'll run into the problem of reanimating deleted objects.
Answer Link:http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm
? How can you forcibly remove AD from a server, and what do you do later?
Demoting Windows Server 2003 DCs: DCPROMO (Active Directory Installation Wizard) is
a toggle switch, which allows you to either install or remove Active Directory DCs.
To forcibly demote a Windows Server 2003 DC, run the following command either at
the Start, Run, or at the command prompt:
dcpromo /forceremoval
Note: If you're running Certificate Services on the DC, you must first remove
Certificate Services before continuing. If you specify the /forceremoval switch on
a server that doesn't have Active Directory installed, the switch is ignored and
the wizard pretends that you want to install Active Directory on that server.
Once the wizard starts, you will be prompted for the Administrator password that
you want to assign to the local administrator in the SAM database. If you have
Windows Server 2003 Service Pack 1 installed on the DC, you'll benefit from a few
enhancements. The wizard will automatically run certain checks and will prompt you
to take appropriate actions. For example, if the DC is a Global Catalog server or a
DNS server, you will be prompted. You will also be prompted to take an action if
your DC is hosting any of the operations master roles.
Demoting Windows 2000 DCs: On a Windows 2000 domain controller, forced demotion is
supported with Service Pack 2 and later. The rest of the procedure is similar to
the procedure I described for Windows Server 2003. Just make sure that while
running the wizard, you clear the "This server is the last domain controller in the
domain" check box. On Windows 2000 Servers you won't benefit from the enhancements
in Windows Server 2003 SP1, so if the DC you are demoting is a Global Catalog
server, you may have to manually promote some other DC to a Global Catalog server.
Cleaning the Metadata on a Surviving DC : Once you've successfully demoted the DC,
your job is not quite done yet. Now you must clean up the Active Directory
metadata. You may be wondering why I need to clean the metadata manually. The
metadata for the demoted DC is not deleted from the surviving DCs because you
forced the demotion. When you force a demotion, Active Directory basically ignores
other DCs and does its own thing. Because the other DCs are not aware that you
removed the demoted DC from the domain, the references to the demoted DC need to be
removed from the domain.
Although Active Directory has made numerous improvements over the years, one of the
biggest criticisms of Active Directory is that it doesn't clean up the mess very
well. This is obvious in most cases but, in other cases, you won't know it unless
you start digging deep into Active Directory database.
To clean up the metadata you use NTDSUTIL. The following procedure describes how to
clean up metadata on a Windows Server 2003 SP1. According to Microsoft, the version
of NTDSUTIL in SP1 has been enhanced considerably and does a much better job of
clean-up, which obviously means that the earlier versions didn't do a very good
job. For Windows 2000 DCs, you might want to check out Microsoft Knowledge Base
article 216498, "How to remove data in Active Directory after an unsuccessful
domain controller demotion."
Here�s the step-by-step procedure for cleaning metadata on Windows Server 2003 DCs:
1. Logon to the DC as a Domain Administrator.
2. At the command prompt, type ntdsutil.
3. Type metadata cleanup.
4. Type connections.
5. Type connect to server servername, where servername is the name of the server
you want to connect to.
6. Type quit or q to go one level up. You should be at the Metadata Cleanup prompt.
7. Type select operation target.
8. Type list domains. You will see a list of domains in the forest, each with a
different number.
9. Type select domain number, where number is the number associated with the domain
of your server
10. Type list sites.
11. Type select site number, where number is the number associated with the site of
your server.
12. Type list servers in site.
13. Type select server number, where number is the number associated with the
server you want to remove.
14. Type quit to go to Metadata Cleanup prompt.
15. Type remove selected server. You should see a confirmation that the removal
completed successfully.
16. Type quit to exit ntdsutil.
You might also want to cleanup DNS database by deleting all DNS records related to
the server.
In general, you will have better luck using forced promotion on Windows Server
2003, because the naming contexts and other objects don't get cleaned as quickly on
Windows 2000 Global Catalog servers, especially servers running Windows 2000 SP3 or
earlier. Due to the nature of forced demotion and the fact that it's meant to be
used only as a last resort, there are additional things that you should know about
forced demotion.
Even after you've used NTDSUTIL to clean the metadata, you may still need to do
additional cleaning manually using ADSIEdit or other such tools. You might want to
check out Microsoft�s Knowledge Base article 332199, "Domain controllers do not
demote gracefully when you use the Active Directory Installation Wizard to force
demotion in Windows Server 2003 and in Windows 2000 Server," for more information
Read original full answer at http://redmondmag.com/columns/print.asp?
EditorialsID=1352
And best read this also
http://www.petri.co.il/forcibly_removing_active_directoy_from_dc.htm
? Can I get user passwords from the AD database?

As of my Knowledge there is no way to extract the password from AD Database. By the
way there is a tool called cache dump. Using it we can extract the cached passwords
from Windows XP machine which is joined to a Domain.
? What tool would I use to try to grab security related packets from the wire?
Network Monitor, Ethereal or Wireshark.
? Name some OU design considerations.
? Design OU structure based on Active Directory business requirements
? NT Resource domains may fold up into OUs
? Create nested OUs to hide objects
? Objects easily moved between OUs
? Departments , Geographic Region, Job Function, Object Type
Good Article about OU Design:

http://www.windowsnetworking.com/articles_tutorials/Clearing-Confusion-OU-
Design.html
? What is tombstone lifetime attribute?

The number of days before a deleted object is removed from the directory services.
This assists in removing objects from replicated servers and preventing restores
from reintroducing a deleted object. This value is in the Directory Service object
in the configuration NC.
To Change the tombstone lifetime attribute read this article
http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
? What do you do to install a new Windows 2003 DC in a Windows 2000 AD?

Before you can introduce Windows Server 2003 domain controllers, you must prepare
the forest and domains with the ADPrep utility.
? ADPrep /forestprep on the schema master in your Windows 2000 forest.
? ADPrep /domainprep on the Infrastructure Master in each AD domain.
ADPrep is located in the i386 directory of the Windows Server 2003 install media.
Note: In Windows Server 2003 R2, ADPrep is not located in the same folder as in the
older Windows Server 2003 media, and instead you need to look for it in the second
CD. You see, Windows Server 2003 R2 comes on two installation disks. Installation
disk 1 contains a slip-streamed version of Windows Server 2003 with Service Pack 2
(SP2). Installation disk 2 contains the Windows Server 2003 R2 files.
The correct version of the ADPrep.exe tool for Windows Server 2003 R2 is
5.2.3790.2075.
You can find the R2 ADPrep tool in the following folder on the second CD:
drive:\CMPNENTS\R2\ADPREP\
(where drive is the drive letter of your CD-Rom drive)
Read more about ADPrep and Windows Server 2003 R2 in KB 917385
Exchange 2000 note: Please make sure you read Windows 2003 ADPrep Fix for Exchange
2000 before installing the first Windows Server 2003 DC in your existing
organization.
Microsoft recommends that you have at least Service Pack (SP) 2 installed on your
domain controllers before running ADPrep. SP2 fixed a critical internal AD bug,
which can manifest itself when extending the schema. There were also some fixes to
improve the replication delay that can be seen when indexing attributes.
Similar to the Exchange setup.exe /forestprep and /domainprep switches.
? The Exchange /forestprep command extends the schema and adds some objects in the
Configuration Naming Context.
? The Exchange / domainprep command adds objects within the Domain Naming Context
of the domain it is being run on and sets some ACLs.
The ADPrep command follows the same logic and performs similar tasks to prepare for
the upgrade to Windows Server 2003.
The ADPrep /forestprep command extends the schema with quite a few new classes and
attributes. These new schema objects are necessary for the new features supported
by Windows Server 2003.
You can view the schema extensions by looking at the .ldf files in the \i386
directory on the Windows Server 2003 CD. These files contain LDIF entries for
adding and modifying new and existing classes and attributes.
Since the schema is extended and objects are added in several places in the
Configuration NC, the user running /forestprep must be a member of both the Schema
Admins and Enterprise Admins groups.
The ADPrep /domainprep creates new containers and objects, modifies ACLs on some
objects, and changes the meaning of the Everyone security principal.
Before you can run ADPrep /domainprep, you must be sure that the updates from
/forestprep have replicated to all domain controllers in the forest.
/domainprep must be run on the Infrastructure Master of a domain and under the
credentials of someone in the Domain Admins group.
You can view detailed output of the ADPrep command by looking at the log files in
the %Systemroot%\system32\debug\adprep\logs directory.
Each time ADPrep is executed, a new log file is generated that contains the actions
taken during that particular invocation.
The log files are named based on the time and date ADPrep was run.
Once you�ve run both /forestprep and /domainprep and allowed time for the changes
to replicate to all domain controllers, you can then start upgrading your domain
controllers to Windows Server 2003 or installing new Windows Server 2003 domain
controllers.
? What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1
installed, you require only the second R2 CD-ROM. Insert the second CD and the
r2auto.exe will display the Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the
schema to the R2 version (this is a minor change and mostly related to the new Dfs
replication engine). To update the schema, run the Adprep utility, which you'll
find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this
command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or
later). Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be
upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000
SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent poten
tial domain controller corruption.
For more information about preparing your forest and domain see KB article Q3311
61 at http://support.microsoft.com.
[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type
C and then press ENTER to continue. Otherwise, type any other key and press ENT
ER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.....................................................
......................................................
139 entries modified successfully.
The command has completed successfully

Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figureshows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your existing
Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a
regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The
license key entered for R2 must match the underlying OS type, which means if you
installed Windows 2003 using a volume-license version key, then you can't use a
retail or Microsoft Developer Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be performed
(e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click
Finish.
? How would you find all users that have not logged on since last month?
If you are using windows 2003 domain environment, then goto Active Directory Users
and Computers, select the Saved Queries, right click it and select new query, then
using the custom common queries and define query there is one which shows days
since last logon
? What are the DS* commands?
Answer is at http://www.computerperformance.co.uk/Logon/DSadd_DSmod_DSrm.htm
? DSmod - modify Active Directory attributes
? DSrm - to delete Active Directory objects
? DSmove - to relocate objects
? DSadd - create new accounts
? DSquery - to find objects that match your query attributes
? DSget - list the properties of an object
DSmod
Adding objects is great, but there are times in Windows 2003 when you need to
change the Active Directory properties.
Scenario, you wish to quickly change a user's password. This is task you are going
to have to do regularly, and you would like to able to do it quickly from the
command line. Let us now modify the the user's password with DSmod
Example 1 Modify Password
Logon to your domain controller. Check which users you have, if necessary create an
ou called guyds and user called guyt.
Examine the script below. Decide how cn= or ou= or dc= need editing.
Run, CMD then copy your script and paste into the command window. Alternatively
type it starting with dsmod user .........
Command : dsmod user "cn=guyt, ou=guyds, dc=cp, dc=com" -pwd a1yC24kg
Example 2 Create user WITH password
Note 1: We could have created the password at the same time we created the user.
For ease of learning I introduce one variable at a time. However, here is the
complete command to add a user with a password.
Command : dsadd user "cn=pault, ou=guyds, dc=cp, dc=com" -pwd a1yC24kg

Example 3 Modify Groups
Another use of DSmod is to add members to a group.
In this instance you need the full distinguished name (DN) of the group then the
-addmbr switch followed by the DN of the users. Tricky method! Try dsmod group /?
for more help.
Problems contact Guy Thomas see below for email address
Introduction to DSadd
DSadd is the most important member of this DS scripting family. The primary use of
DSadd is to quickly add user accounts to Windows Server 2003 Active Directory.
However, you can also use this method to create OUs computers, groups, or even
contacts.
Creating an OU - DSadd ou....
Let us create an OU (organizational unit) to hold the rest of the test objects.
Edit the dc=cp and dc =com to the fully qualified name of your Windows 2003 domain.
As ever, pay close attention to the syntax, for instance the DN "ou=guyds, dc=cp,
dc=com" is enclosed in double speech marks. Single 'speech marks' will not work.
Also remember that DS is new in Window 2003, so will not work in Windows 2000.
Example 1 Using DSadd to Create an Organizational Unit in Windows 2003
Preparation:
Logon to your domain controller.
Examine the script below. Edit ou= or dc= to reflect YOUR domain.
type it starting with dsadd ou .........
Command : dsadd ou "ou=guyds, dc=cp, dc=com"
Note 1: dsadd ou. This command tells Active Directory which object to create, in
this case an OU (not a user).
Note 2: You only really need speech marks if there is a space in any of your names.
So ou=guyds, dc=cp, dc=com would work fine, but ou=GUY Space DS, dc=cp, dc=com
fails because of the spaces in the GUY Space DS, name. In this second example you
would type: "ou=GUY Space DS, dc=cp, dc=com"
Example 2 Employing DSadd to Create a User. (Assumes you have completed Example 1)
The purpose of this example is to create a new user in an OU called guyds.
Preparation:
Logon to your domain controller.
Examine the script below. Decide if cn= or ou= or dc= need editing.
type it starting with dsadd user .........
Creating a User - DSadd user....
Command: dsadd user "cn=guyt, ou=guyds, dc=cp, dc=com"
Note: DSadd requires the complete distinguished name. Note also that the
distinguished name is encased in double "speech marks". I expect you spotted that
the user will be created in the guyds organizational unit that was created in the
first example. Change "cn=guyt to a different user name if you wish.
DS Error Messages
DS has its own family of error messages. I found that they are specific and varied,
just remember to pay attention to detail. READ ERROR MESSAGES SLOWLY.
New DS built-in tools for Windows Server 2003
At last I have found a real useful member of the DS family of utilities. If I need
to find a user quickly from the command prompt, i call for DSQuery.
Example 1 - DSQuery to list all the OUs in your domain
Let us find how many Organizational Units are there in your domain? This command
will produce a listing of all OUs with this command.
Commands:
Dsquery ou dc=mydom,dc=com
or
dsquery ou domainroot
Learning Points
Note 1: dc does NOT mean domain controller, it means domain context.
Note 2: The dc commands are not case sensitive, but they dislike spaces.
dc=mydom, dc=com will draw an error.
Note 3: If you haven't got any OUs (Organizational Units), I seriously suggest that
you create some to organize your users.
Note 4: Best of all, in this scenario, you can substitute domainroot for dc=cp.
Example 2 - To find all users in the default Users folder with DSQuery
In this example we just want to trawl the users folder and find out who is in that
container.
Commands: dsquery user cn=users,dc=cp,dc=com
Learning Points
Note 1: The default users' folder is actually a container object called cn=users.
My point is if you try ou=users, the command fails.
Note 2: I queried users, however dsquery requires the singular user, not userS.
Other objects that you can query are computer (not computers!), group or even
contact.
Challenge 1: Substitute OU=xyz for cn=users, where xyz is the name of your OU.
Unfortunately, cn=users domainroot does not work.
Challenge 2: Substitute computer for user
Example 3 - DSQuery to list all your Domain Controllers
Suppose you want to list all of your domain controllers, (not computers). Which
command do you think would supply the information?
Commands:
dsquery server
dsquery server domainroot
dsquery server dc=cp,dc=com
Learning Points
Note 1: Amazingly, dsquery server, the simplest command get the job done.
Note 2: I thank Jim D for pointing out that we want here is the singular 'server'.
Example 4 - To query the FSMO roles of your Domain Controllers
Here is a wonderful command to find the FSMO roles (Flexible Single Master Roles)
-hasfsmo. The arguments, which correspond to the 5 roles are: schema, rid, name,
infr and pdc.
Commands:
dsquery server -hasfsmo schema
Learning Points
Note 1: The command is -hasfsmo not ?hasfsmo as in some documents.
Example 5 - DSQuery to find all users whose name begins with smith*
This DSQuery example shows two ways to filter your output and so home in on what
you are looking for. Let us pretend that we know the user's name but have no idea
which OU they are to be found. Moreover, we are not sure whether their name is
spelt Smith, Smithy or Smithye.
Commands :
dsquery user domainroot -name smith*
or
dsquery user dc=cp,dc=com -name smith* d
or plain
dsquery user smith*
Learning Points
Note 1: Remember to type the singular user.
Note 2: Probably no need to introduce *, you probably realize it's a wildcard.
Note 3: -name is but one of a family of filters. -desc or -disabled are others.
Example 6 - DSQuery to filter the output with -o rdn
The purpose of -o rdn is to reduce the output to just the relative distinguished
name. In a nutshell rdn strips away the OU=, DC= part which you may not be
interested in.
Command: dsquery user -name smith* -o rdn
Learning Points
Note 1: o is the letter oh (not a number). In my minds eye o stands for output.
Note 2: There is a switch -o dn, but this is not a switch I use.
Summary - DSQuery
Knowledge is power. The DS family in general and DSQuery in particular, are handy
commands for interrogating Active Directory from the command line. Perhaps the day
will come when you need to find a user, computer or group without calling for the
Active Users and Computers GUI.
DSGet
DSGet is a logical progression from DSQuery. The idea is that when DSQuery returns
a list of objects, DSGet can interrogate those objects for extra properties such
as, description, manager or department. Naturally this pre-supposes you entered the
relevant information in the user's properties sheet!
Introduction to DSGet
My assumption is that you are comfortable with DSQuery, if this is not the case
take the time to have a refresher
Next a reminder to pay close attention to DS syntax. In this instance what we need
is a pipe symbol ( ) to join DSQuery with DSGet. Just to be clear, you type this
pipe () with the shift key and the key next to the Z. (A colon : would produce an
error).
Example 1 To Check that DSQuery is working
Let build a solid foundation with a DSQuery (Only found on a Windows Server 2003
DC)
Commands:
or
dsquery user -name smith*
Learning Points
Note 1: You need a Windows Server 2003 machine. Perhaps you could remote desktop
into such a server?
Note 2: Feel free to change smith* to one of your users. Better still, create a
test account and start filling in those user properties.
Note 3: This example is just to build a foundation. Now let us move on to DSGet.
Example 2 Basic DSGet
We need to interrogate the output for more information. So we use DSGet to retrieve
the description.
Commands:
or
dsquery user -name smith* dsget user -dn -desc
Learning Points for DSGet
Note 1: Master the pipe command which separates dsquery from dsget. To create ,
Hold down the shift key while pressing the key next to the Z.
Note 2: Even though dsquery told the operating system it was a user object, dsget
still has to invoke user in its section of the command.
Challenge: See what happens if you omit the -dn.
Example 3 - Which extra properties shall we query?
-display Display name is different from the user's description field. If you
haven't done so already, time to get a user's properties sheet and start filling in
those attribute boxes.
-office Useful property
-sn This command does not work. What's the matter with -sn? I will tell you what's
wrong; dsget requires -ln instead of -sn and -fn instead of givenName
grrrrrrrrrrrrrrrrrr. Calm down Guy, go with the flow; think of all these useful
switches.
O.K. No more moaning. DSGet is actually fun and productive. Guess what information
these switches return?
-email, -tel, -mgr, -mobile
Answers: General (tab), email address, telephone number, Organization (tab),
Manager, Telephones (tab), Mobile.
Now find them on the user's properties sheet.
Example 4 - Change the DSget output.
They say the old tricks the best, so let us try exporting the DSGet output not to
screen but a text file. Here we need a different type of pipe command; this time
it's the greater than symbol, for example, > filename.txt. So, just tag on >
filename.txt to your DS command. Follow up with: notepad filename.txt.
Commands:
or
dsquery user -name smith* dsget user -fn -ln -mgr > dsget.txt
Learning Points
Note 1: To read the file type, notepad dsget.txt
Note 2: I am impressed by the column format of the output
I would like to leave you with a few more DSGet object that you can interrogate or
experiment with. In addition to user, there are the following DSGet commands :
Computer, also Server - meaning DC, OU, Group, even Site and Subnet.
Note. There are also two commands called partition and quota, however, in the
context of DSGet, partition and quota refer to Active Directory, not disk. For
example, the application partition in Active Directory. Tell the truth, it was a
big disappointment that DSGet did not return the disk information, but on
reflection I was expecting the impossible. DSGet partition means Active Directory
partition.
Summary - DSGet
As far as DSGet is concerned, I have come from Philistine to champion. Now I really
enjoy the challenge of DSGet and appreciate the way it works hand in glove with
DSQuery. It also reminds of that old truism the more you know the easier it gets.
? What's the difference between LDIFDE and CSVDE? Usage considerations?
CSVDE is a command that can be used to import and export objects to and from the AD
into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily
readable in Excel. I will not go to length into this powerful command, but I will
show you some basic samples of how to import a large number of users into your AD.
Of course, as with the DSADD command, CSVDE can do more than just import users.
Consult your help file for more info. Like CSVDE, LDIFDE is a command that can be
used to import and export objects to and from the AD into a LDIF-formatted file. A
LDIF (LDAP Data Interchange Format) file is a file easily readable in any text
editor; however it is not readable in programs like Excel. The major difference
between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be
used to edit and delete existing AD objects (not just users), while CSVDE can only
import and export objects.
? What are the FSMO roles? Who has them by default? What happens when each one
fails?
Windows 2000/2003 Multi-Master Model

A multi-master enabled database, such as the Active Directory, provides the
flexibility of allowing changes to occur at any DC in the enterprise, but it also
introduces the possibility of conflicts that can potentially lead to problems once
the data is replicated to the rest of the enterprise. One way Windows 2000/2003
deals with conflicting updates is by having a conflict resolution algorithm handle
discrepancies in values by resolving to the DC to which changes were written last
(that is, "the last writer wins"), while discarding the changes in all other DCs.
Although this resolution method may be acceptable in some cases, there are times
when conflicts are just too difficult to resolve using the "last writer wins"
approach. In such cases, it is best to prevent the conflict from occurring rather
than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods to prevent
conflicting Active Directory updates from occurring.
Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs
updates to certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process
updates. This is similar to the role given to a primary domain controller (PDC) in
earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is
responsible for processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain
controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to the
schema. Once the Schema update is complete, it is replicated from the schema master
to all other DCs in the directory. To update the schema of a forest, you must have
access to the schema master. There can be only one schema master in the whole
forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of
domains in the forest. This DC is the only one that can add or remove a domain from
the directory. It can also add or remove cross references to domains in external
directories. There can be only one domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it
represents the reference by the GUID, the SID (for references to security
principals), and the DN of the object being referenced. The infrastructure FSMO
role holder is the DC responsible for updating an object's SID and distinguished
name in a cross-domain object reference. At any one time, there can be only one
domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller
that is not a Global Catalog server (GC). If the Infrastructure Master runs on a
Global Catalog server it will stop updating object information because it does not
contain any references to objects that it does not hold. This is because a Global
Catalog server holds a partial replica of every object in the forest. As a result,
cross-domain object references in that domain will not be updated and a warning to
that effect will be logged on that DC's event log. If all the domain controllers in
a domain also host the global catalog, all the domain controllers have the current
data, and it is not important which domain controller holds the infrastructure
master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. When a DC creates a security principal object
such as a user or group, it attaches a unique Security ID (SID) to the object. This
SID consists of a domain SID (the same for all SIDs created in a domain), and a
relative ID (RID) that is unique for each security principal SID created in a
domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to
assign to the security principals it creates. When a DC's allocated RID pool falls
below a threshold, that DC issues a request for additional RIDs to the domain's RID
master. The domain RID master responds to the request by retrieving RIDs from the
domain's unallocated RID pool and assigns them to the pool of the requesting DC. At
any one time, there can be only one domain controller acting as the RID master in
the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows
2000/2003 includes the W32Time (Windows Time) time service that is required by the
Kerberos authentication protocol. All Windows 2000/2003-based computers within an
enterprise use a common time. The purpose of the time service is to ensure that the
Windows Time service uses a hierarchical relationship that controls authority and
does not permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at
the root of the forest becomes authoritative for the enterprise, and should be
configured to gather the time from an external source. All PDC FSMO role holders
follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following
functions:
? Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator.
? Authentication failures that occur at a given DC in a domain because of an
incorrect password are forwarded to the PDC emulator before a bad password failure
message is reported to the user.
? Account lockout is processed on the PDC emulator.
? Editing or creation of Group Policy Objects (GPO) is always done from the GPO
copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by
the administrator.
? The PDC emulator performs all of the functionality that a Microsoft Windows NT
4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier
clients.
This part of the PDC emulator role becomes unnecessary when all workstations,
member servers, and domain controllers that are running Windows NT 4.0 or earlier
are all upgraded to Windows 2000/2003. The PDC emulator still performs the other
functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator
master in each domain in the forest.
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method
called FSMO (Flexible Single Master Operation).
The five FSMO roles are:
? Schema master - Forest-wide and one per forest.
? Domain naming master - Forest-wide and one per forest.
? RID master - Domain-specific and one for each domain.
? PDC - PDC Emulator is domain-specific and one for each domain.
? Infrastructure master - Domain-specific and one for each domain.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in
the same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process. However, there are scenarios where an administrator
would want to move one or more of the FSMO roles from the default holder DC to a
different DC.
In order to better understand your AD infrastructure and to know the added value
that each DC might possess, an AD administrator must have the exact knowledge of
which one of the existing DCs is holding a FSMO role, and what role it holds. With
that knowledge in hand, the administrator can make better arrangements in case of a
scheduled shut-down of any given DC, and better prepare him or herself in case of a
non-scheduled cease of operation from one of the DCs.
How to find out which DC is holding which FSMO role?
Well, one can accomplish this task by many means. This article will list a few of
the available methods.
Method #1: Know the default settings
The FSMO roles were assigned to one or more DCs during the DCPROMO process. The
following table summarizes the FSMO default locations:
FSMO Role Number of DCs holding this role Original DC holding the FSMO role
Schema One per forest The first DC in the first domain in the forest (i.e. the
Forest Root Domain)
Domain Naming One per forest
RID One per domain The first DC in a domain (any domain, including the Forest Root
Domain, any Tree Root Domain, or any Child Domain)
PDC Emulator One per domain
Infrastructure One per domain
Method #2: Use the GUI
The FSMO role holders can be easily found by use of some of the AD snap-ins. Use
this table to see which tool can be used for what FSMO role:
FSMO Role Which snap-in should I use?

Schema Schema snap-in
Domain Naming AD Domains and Trusts snap-in
RID AD Users and Computers snap-in
PDC Emulator
Infrastructure
Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and
Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative
Tools folder.
2. Right-click the Active Directory Users and Computers icon again and press
Operation Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click Close.
Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative
Tools folder.
2. Right-click the Active Directory Domains and Trusts icon again and press
Operation Masters.
3. When you're done click Close.
Finding the Schema Master via GUI
To find out who currently holds the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing: regsvr32
schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click it and press
Operation Masters.
8. Press the Close button.
Method #3: Use the Ntdsutil command
The FSMO role holders can be easily found by use of the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete
loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box,
and then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil
tool, type ?, and then press ENTER.
1. Type connections, and then press ENTER.
2. Type connect to server , where is the name of the server you want to use, and
then press ENTER.
3. At the server connections: prompt, type q, and then press ENTER again.
4. At the FSMO maintenance: prompt, type Select operation target, and then press
ENTER again.
5. At the select operation target: prompt, type List roles for connected server,
and then press ENTER again.
6. Type q 3 times to exit the Ntdsutil prompt.
Method #4: Use the Netdom command
The FSMO role holders can be easily found by use of the Netdom command.
Netdom.exe is a part of the Windows 2000/XP/2003 Support Tools. You must either
download it separately (from here Download Free Windows 2000 Resource Kit Tools) or
by obtaining the correct Support Tools pack for your operating system. The Support
Tools pack can be found in the \Support\Tools folder on your installation CD (or
you can Download Windows 2000 SP4 Support Tools, Download Windows XP SP1 Deploy
Tools).
1. On any domain controller, click Start, click Run, type CMD in the Open box, and
then click OK.
2. In the Command Prompt window, type netdom query /domain: fsmo (where is the name
of YOUR domain).
Method #5: Use the Replmon tool
The FSMO role holders can be easily found by use of the Netdom command.
Just like Netdom, Replmon.exe is a part of the Windows 2000/XP/2003 Support Tools.
Replmon can be used for a wide verity of tasks, mostly with those that are related
with AD replication. But Replmon can also provide valuable information about the
AD, about any DC, and also about other objects and settings, such as GPOs and FSMO
roles. Install the package before attempting to use the tool.
1. On any domain controller, click Start, click Run, type REPLMON in the Open box,
and then click OK.
2. Right-click Monitored servers and select Add Monitored Server.
3. In the Add Server to Monitor window, select the Search the Directory for the
server to add. Make sure your AD domain name is listed in the drop-down list.
4. In the site list select your site, expand it, and click to select the server you
want to query. Click Finish.
5. Right-click the server that is now listed in the left-pane, and select
Properties.
6. Click on the FSMO Roles tab and read the results.
7. Click Ok when you're done.
? What FSMO placement considerations do you know of?

called FSMO (Flexible Single Master Operation), as described in Understanding FSMO
Roles in Active Directory.
different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000
version when dealing with FSMO placement. In this article I will only deal with
Windows Server 2003 Active Directory, but you should bear in mind that most
considerations are also true when planning Windows 2000 AD FSMO roles.
Single Domain Forest
In a single domain forest, leave all of the FSMO roles on the first domain
controller in the forest.
You should also configure all the domain controller as a Global Catalog servers.
This will NOT place additional stress on the DCs, while allowing GC-related
applications (such as Exchange Server) to easily perform GC queries.
Multiple Domain Forest
In a multiple domain forest, use the following guidelines:
? In the forest root domain:
? If all domain controllers are also global catalog servers, leave all of the FSMO
roles on the first DC in the forest.
? If all domain controllers are not also global catalog servers, move all of the
FSMO roles to a DC that is not a global catalog server.
? In each child domain, leave the PDC emulator, RID master, and Infrastructure
master roles on the first DC in the domain, and ensure that this DC is never
designated as a global catalog server (unless the child domain only contains one
DC, then you have no choice but to leave it in place).
Configure a standby operations master - For each server that holds one or more
operations master roles, make another DC in the same domain available as a standby
operations master. Making a DC as a standby operation master involves the following
actions:
? The standby operations master should not be a global catalog server except in a
single domain environment, where all domain controllers are also global catalog
servers.
? The standby operations master should have a manually created replication
connection to the domain controller that it is the standby operations master for,
and it should be in the same site.
? Configure the RID master as a direct replication partner with the standby or
backup RID master. This configuration reduces the risk of losing data when you
seize the role because it minimizes replication latency.
To create a connection object on the current operations master:
1. In Active Directory Sites and Services snap-in, in the console tree in the left
pane, expand the Sites folder to see the list of available sites.
2. Expand the site name in which the current role holder is located to display the
Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations master
role to display NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the standby
operations master then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the
connection object or accept the default name and click OK.
To create a connection object on the standby operations master perform the same
procedure as above, and point the connection to the current FSMO role holder.
Note regarding Windows 2000 Active Directory domains: If the forest is set to a
functional level of Windows 2000 native, you must locate the domain naming master
on a server that hosts the global catalog. If the forest is set to a functional
level of Windows Server 2003, it is not necessary for the domain naming master to
be on a global catalog server.
Server performance and availability
Most FSMO roles require that the domain controller that holds the roles be:
Highly available server - FSMO functions require that the FSMO role holder is
highly available at all times. A highly available DC is one that uses computer
hardware that enables it to remain operational even during a hardware failure. For
example, having a RAID1 or RAID5 configuration enables the server to keep running
even if one hard disk fails.
Although most FSMO losses can be dealt with within a matter of hours (or even days
at some cases), some FSMO roles, such as the PDC Emulator role, should never be
offline for more than a few minutes at a time.
What will happen if you keep a FSMO role offline for a long period of time? This
table has the info:
FSMO Role Loss implications

Schema The schema cannot be extended. However, in the short term no one will notice
a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming Unless you are going to run DCPROMO, then you will not miss this FSMO
role.
RID Chances are good that the existing DCs will have enough unused RIDs to last
some time, unless you're building hundreds of users or computer object per week.
PDC Emulator Will be missed soon. NT 4.0 BDCs will not be able to replicate, there
will be no time synchronization in the domain, you will probably not be able to
change or troubleshoot group policies and password changes will become a problem.
Infrastructure Group memberships may be incomplete. If you only have one domain,
then there will be no impact.
Not necessarily high capacity server - A high-capacity domain controller is one
that has comparatively higher processing power than other domain controllers to
accommodate the additional work load of holding the operations master role. It has
a faster CPU and possibly additional memory and network bandwidth. FSMO roles
usually do not place stress on the server's hardware.
One exception is the performance of the PDC Emulator, mainly when used in Windows
2000 Mixed mode along with old NT 4.0 BDCs. That is why you should:
? Increase the size of the DC's processing power.
? Do not make the DC a global catalog server.
? Reduce the priority and the weight of the service (SRV) record in DNS to give
preference for authentication to other domain controllers in the site.
? Do not require that the standby domain controller be a direct replication partner
(Seizing the PDC emulator role does not result in lost data, so there is no need to
reduce replication latency for a seize operation).
? Centrally locate this DC near the majority of the domain users.
? I want to look at the RID allocation table for a DC. What do I do?
? What's the difference between transferring a FSMO role and seizing one?
Transferring FSMO Role
called FSMO (Flexible Single Master Operation), as described in Understanding FSMO
Roles in Active Directory.
different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO
role holder are online and operational is called Transferring, and is described in
this article.
The transfer of an FSMO role is the suggested form of moving a FSMO role between
domain controllers and can be initiated by the administrator or by demoting a
domain controller. However, the transfer process is not initiated automatically by
the operating system, for example a server in a shut-down state. FSMO roles are not
automatically relocated during the shutdown process - this must be considered when
shutting down a domain controller that has an FSMO role for maintenance, for
example.
In a graceful transfer of an FSMO role between two domain controllers, a
synchronization of the data that is maintained by the FSMO role owner to the server
receiving the FSMO role is performed prior to transferring the role to ensure that
any changes have been recorded before the role change.
However, when the original FSMO role holder went offline or became non operational
for a long period of time, the administrator might consider moving the FSMO role
from the original, non-operational holder, to a different DC. The process of moving
the FSMO role from a non-operational role holder to a different DC is called
Seizing, and is described in the Seizing FSMO Roles article.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by
using an MMC snap-in tool. Depending on the FSMO role that you want to transfer,
you can use one of the following three MMC snap-in tools:
? Active Directory Schema snap-in
? Active Directory Domains and Trusts snap-in
? Active Directory Users and Computers snap-in
To transfer the FSMO role the administrator must be a member of the following
group:
FSMO Role Administrator must be a member of

Schema Schema Admins
Domain Naming Enterprise Admins
RID Domain Admins
PDC Emulator
Infrastructure
Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master
FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative
Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-
click the icon next to Active Directory Users and Computers and press Connect to
Domain Controller.
3. Select the domain controller that will be the new role holder, the target, and
press OK.
4. Right-click the Active Directory Users and Computers icon again and press
Operation Masters.
5. Select the appropriate tab for the role you wish to transfer and press the
Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Domain Naming Master via GUI
To Transfer the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative
Tools folder.
click the icon next to Active Directory Domains and Trusts and press Connect to
Domain Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press
Operation Masters.
5. Press the Change button.
6. Press OK to confirm the change.
Transferring the Schema Master via GUI
To Transfer the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
1. Press OK. You should receive a success confirmation.

2. From the Run command open an MMC Console by typing MMC.
3. On the Console menu, press Add/Remove Snap-in.
4. Press Add. Select Active Directory Schema.
5. Press Add and press Close. Press OK.
click the Active Directory Schema icon in the Console Root and press Change Domain
Controller.
7. Press Specify .... and type the name of the new role holder. Press OK.
8. Right-click right-click the Active Directory Schema icon again and press
Operation Masters.
9. Press the Change button.
Transferring the FSMO Roles via Ntdsutil
To transfer the FSMO roles from the Ntdsutil command:
and then click OK.
then press ENTER.
1. Type transfer . where is the role you want to transfer.

For example, to transfer the RID Master role, you would type transfer rid master:
Options are:
1. You will receive a warning window asking if you want to perform the transfer.
Click on Yes.
2. After you transfer the roles, type q and press ENTER until you quit
Ntdsutil.exe.
3. Restart the server and make sure you update your backup.
Seizing the FSMO ROLES.

called FSMO (Flexible Single Master Operation).
The five FSMO roles are:
? Schema master - Forest-wide and one per forest.
? Domain naming master - Forest-wide and one per forest.
? RID master - Domain-specific and one for each domain.
? PDC - PDC Emulator is domain-specific and one for each domain.
? Infrastructure master - Domain-specific and one for each domain.
different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO
role holder are online and operational is called Transferring, and is described in
the Transferring FSMO Roles article.
However, when the original FSMO role holder went offline or became non operational
for a long period of time, the administrator might consider moving the FSMO role
from the original, non-operational holder, to a different DC. The process of moving
the FSMO role from a non-operational role holder to a different DC is called
Seizing, and is described in this article.
If a DC holding a FSMO role fails, the best thing to do is to try and get the
server online again. Since none of the FSMO roles are immediately critical (well,
almost none, the loss of the PDC Emulator FSMO role might become a problem unless
you fix it in a reasonable amount of time), so it is not a problem to them to be
unavailable for hours or even days.
If a DC becomes unreliable, try to get it back on line, and transfer the FSMO roles
to a reliable computer. Administrators should use extreme caution in seizing FSMO
roles. This operation, in most cases, should be performed only if the original FSMO
role owner will not be brought back into the environment. Only seize a FSMO role if
absolutely necessary when the original role holder is not connected to the network.
What will happen if you do not perform the seize in time? This table has the info:
FSMO Role Loss implications

Schema The schema cannot be extended. However, in the short term no one will notice
a missing Schema Master unless you plan a schema upgrade during that time.
Domain Naming Unless you are going to run DCPROMO, then you will not miss this FSMO
role.
RID Chances are good that the existing DCs will have enough unused RIDs to last
some time, unless you're building hundreds of users or computer object per week.
PDC Emulator Will be missed soon. NT 4.0 BDCs will not be able to replicate, there
will be no time synchronization in the domain, you will probably not be able to
change or troubleshoot group policies and password changes will become a problem.
Infrastructure Group memberships may be incomplete. If you only have one domain,
then there will be no impact.
Important: If the RID, Schema, or Domain Naming FSMOs are seized, then the original
domain controller must not be activated in the forest again. It is necessary to
reinstall Windows if these servers are to be used again.
The following table summarizes the FSMO seizing restrictions:
FSMO Role Restrictions

Schema Original must be reinstalled
Domain Naming
RID
PDC Emulator Can transfer back to original
Infrastructure
Another consideration before performing the seize operation is the administrator's
group membership, as this table lists:
FSMO Role Administrator must be a member of

Schema Schema Admins
Domain Naming Enterprise Admins
RID Domain Admins
PDC Emulator
Infrastructure
To seize the FSMO roles by using Ntdsutil, follow these steps:
and then click OK.
C:\WINDOWS>ntdsutil
ntdsutil: roles
fsmo maintenance:
fsmo maintenance: connections
server connections:
then press ENTER.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
Server connections:
server connections: q
fsmo maintenance:
2. Type seize , where is the role you want to seize. For example, to seize the RID
Master role, you would type seize rid master:
Options are:
Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master
7. You will receive a warning window asking if you want to perform the seize. Click
on Yes.
fsmo maintenance: Seize infrastructure master
Attempting safe transfer of infrastructure FSMO before seizure.
ldap_modify_sW error 0x34(52 (Unavailable).
Ldap extended error message is 000020AF: SvcErr: DSID-03210300, problem 5002
(UNAVAILABLE)
, data 1722
Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holde
r could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.
Transfer of infrastructure FSMO failed, proceeding with seizure ...
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-
RID - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-
fsmo maintenance:
Note: All five roles need to be in the forest. If the first domain controller is
out of the forest then seize all roles. Determine which roles are to be on which
remaining domain controllers so that all five roles are not on only one server.
1. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
2. After you seize or transfer the roles, type q, and then press ENTER until you
quit the Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller
as the Global Catalog server. If the Infrastructure Master runs on a GC server it
will stop updating object information because it does not contain any references to
objects that it does not hold. This is because a GC server holds a partial replica
of every object in the forest.
Better look of this answer can be found at
http://www.petri.co.il/seizing_fsmo_roles.htm
? Which FSMO role should you NOT seize? Why?
? How do you configure a "stand-by operation master" for any of the roles?
? How do you backup AD?
? How do you restore AD?
? How do you change the DS Restore admin password?
? Why can't you restore a DC that was backed up 4 months ago?
? What are GPOs?
? What is the order in which GPOs are applied?
? Name a few benefits of using GPMC.
? What are the GPC and the GPT? Where can I find them?
? What are GPO links? What special things can I do to them?
? What can I do to prevent inheritance from above?
? How can I override blocking of inheritance?
? How can you determine what GPO was and was not applied for a user? Name a few
ways to do that.
? A user claims he did not receive a GPO, yet his user and computer accounts are in
the right OU, and everyone else there gets the GPO. What will you look for?
? Name a few differences in Vista GPOs
? Name some GPO settings in the computer and user parts.
? What are administrative templates?
? What's the difference between software publishing and assigning?
? Can I deploy non-MSI software with GPO?
? You want to standardize the desktop environments (wallpaper, My Documents, Start
menu, printers etc.) on the computers in one department. How would you do that?
Source :
http://www.petri.co.il/mcse_system_administrator_active_directory_interview_questio
ns.htm
Windows Server 2003 Active Directory and Security questions
What�s the difference between local, global and universal groups?

Domain local groups assign access permissions to global domain groups for local
domain resources. Global groups provide access to resources in other trusted
domains. Universal groups grant access to resources in all trusted domains.
I am trying to create a new universal user group. Why can�t I?

Universal groups are allowed only in native-mode Windows Server 2003 environments.
Native mode requires that all domain controllers be promoted to Windows Server 2003
Active Directory.
What is LSDOU?
It�s group policy inheritance model, where the policies are applied to Local
machines, Sites, Domains and Organizational Units.
Why doesn�t LSDOU work under Windows NT?

If the NTConfig.pol file exist, it has the highest priority among the numerous
policies.
Where are group policies stored?

%SystemRoot%System32\GroupPolicy
What is GPT and GPC?

Group policy template and group policy container.
Where is GPT stored?

%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
You change the group policies, and now the computer and user settings are in
conflict. Which one has the highest priority?
The computer settings take priority.
You want to set up remote installation procedure, but do not want the user to gain
access over it. What do you do?
gponame�> User Configuration�> Windows Settings�> Remote Installation Services�>
Choice Options is your friend.
What�s contained in administrative template conf.adm?

Microsoft NetMeeting policies
How can you restrict running certain applications on a machine?

Via group policy, security settings for the group, then Software Restriction
Policies.
You need to automatically install an app, but MSI file is not available. What do
you do?
A .zap text file can be used to add applications using the Software Installer,
rather than the Windows Installer.
What�s the difference between Software Installer and Windows Installer?

The former has fewer privileges and will probably require user intervention. Plus,
it uses .zap files.
What can be restricted on Windows Server 2003 that wasn�t there in previous
products?
Group Policy in Windows Server 2003 determines a users right to modify network and
dial-up TCP/IP properties. Users may be selectively restricted from modifying their
IP address and other network configuration parameters.
How frequently is the client policy refreshed?

90 minutes give or take.
Where is secedit?
It�s now gpupdate.
You want to create a new group policy but do not wish to inherit. Make sure you
check Block inheritance among the options when creating the policy.
What is "tattooing" the Registry?

The user can view and modify user preferences that are not stored in maintained
portions of the Registry. If the group policy is removed or changed, the user
preference will persist in the Registry.
How do you fight tattooing in NT/2000 installations?

You can�t.
How do you fight tattooing in 2003 installations?

User Configuration - Administrative Templates - System - Group Policy - enable -
Enforce Show Policies Only.
What does IntelliMirror do?

It helps to reconcile desktop settings, applications, and stored files for users,
particularly those who move between workstations or those who must periodically
work offline.
What�s the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native NTFS
provides extensive permission control on both remote and local files.
How do FAT and NTFS differ in approach to user shares?

They don�t, both have support for sharing.
Explain the List Folder Contents permission on the folder in NTFS.

Same as Read & Execute, but not inherited by files within a folder. However, newly
created subfolders will inherit this permission.
I have a file to which the user has access, but he has no folder permission to read
it. Can he access it?
It is possible for a user to navigate to a file for which he does not have folder
permission. This involves simply knowing the path of the file object. Even if the
user can�t drill down the file/folder tree using My Computer, he can still gain
access to the file using the Universal Naming Convention (UNC). The best way to
start would be to type the full path of a file into Run� window.
For a user in several groups, are Allow permissions restrictive or permissive?

Permissive, if at least one group has Allow permission for the file/folder, user
will have the same permission.
For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive, if at least one group has Deny permission for the file/folder, user
will be denied access, regardless of other group permissions.
What hidden shares exist on Windows Server 2003 installation?

Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
What�s the difference between standalone and fault-tolerant DFS (Distributed File
System) installations?
The standalone server stores the Dfs directory tree structure or topology locally.
Thus, if a shared folder is inaccessible or if the Dfs root server is down, users
are left with no link to the shared resources. A fault-tolerant root node stores
the Dfs topology in the Active Directory, which is replicated to other domain
controllers. Thus, redundant root nodes may include multiple connections to the
same data residing in different shared folders.
We�re using the DFS fault-tolerant installation, but cannot access it from a Win98
box. Use the UNC path, not client, only 2000 and 2003 clients can access Server
2003 fault-tolerant shares.
Where exactly do fault-tolerant DFS shares store information in Active Directory?

In Partition Knowledge Table, which is then replicated to other domain controllers.
Can you use Start->Search with DFS shares?

Yes.
What problems can you have with DFS installed?

Two users opening the redundant copies of the file at the same time, with no file-
locking involved in DFS, changing the contents and then saving. Only one file will
be propagated through DFS.
I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you
can�t. Install a standalone one.
Is Kerberos encryption symmetric or asymmetric?

Symmetric.
How does Windows 2003 Server try to prevent a middle-man attack on encrypted line?
Time stamp is attached to the initial client request, encrypted with the shared
key.
What hashing algorithms are used in Windows 2003 Server?

RSA Data Security�s Message Digest 5 (MD5), produces a 128-bit hash, and the Secure
Hash Algorithm 1 (SHA-1), produces a 160-bit hash.
What third-party certificate exchange protocols are used by Windows 2003 Server?
Windows Server 2003 uses the industry standard PKCS-10 certificate request and
PKCS-7 certificate response to exchange CA certificates with third-party
certificate authorities.
What�s the number of permitted unsuccessful logons on Administrator account?

Unlimited. Remember, though, that it�s the Administrator account, not any account
that�s part of the Administrators group.
If hashing is one-way function and Windows Server uses hashing for storing
passwords, how is it possible to attack the password lists, specifically the ones
using NTLMv1?
A cracker would launch a dictionary attack by hashing every imaginable term used
for password and then compare the hashes.
What�s the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.
How many passwords by default are remembered when you check "Enforce Password
History Remembered"?
User�s last 6 passwords.
Describe how the DHCP lease is obtained?

It�s a four-step process consisting of (a) IP request, (b) IP offer, � IP selection
and (d) acknowledgement.
I can�t seem to access the Internet, don�t have any access to the corporate network
and on ipconfig my address is 169.254.*.*. What happened?
The 169.254.*.* netmask is assigned to Windows machines running 98/2000/XP if the
DHCP server is not available. The name for the technology is APIPA (Automatic
Private Internet Protocol Addressing).
We�ve installed a new Windows-based DHCP server, however, the users do not seem to
be getting DHCP leases off of it? The server must be authorized first with the
Active Directory.
How do you double-boot a Win 2003 server box?
The Boot.ini file is set as read-only, system, and hidden to prevent unwanted
editing. To change the Boot.ini timeout and default settings, use the System option
in Control Panel from the Advanced tab and select Startup.
What do you do if earlier application doesn�t run on Windows Server 2003?
When an application that ran on an earlier legacy version of Windows cannot be

loaded during the setup function or if it later malfunctions, you must run the
compatibility mode function. This is accomplished by right-clicking the application
or setup program and selecting Properties �> Compatibility �> selecting the
previously supported operating system.
What snap-in administrative tools are available for Active Directory?
Active Directory Domains and Trusts Manager, Active Directory Sites and Services
Manager, Active Directory Users and Group Manager, Active Directory Replication
(optional, available from the Resource Kit), Active Directory Schema Manager
(optional, available from adminpak)
What types of classes exist in Windows Server 2003 Active Directory? Structural
class. The structural class is important to the system administrator in that it is
the only type from which new Active Directory objects are created. Structural
classes are developed from either the modification of an existing structural type
or the use of one or more abstract classes.
What is presentation layer responsible for in the OSI model?
The presentation layer establishes the data format prior to passing it along to the
network application�s interface. TCP/IP networks perform this task at the
application layer.
Does Windows Server 2003 support IPv6?
Yes, run ipv6.exe from command line to disable it.
Can Windows Server 2003 function as a bridge?

Yes, and it�s a new feature for the 2003 product. You can combine several networks
and devices connected via several adapters by enabling IP routing.
What�s the role of http.sys in IIS?
It is the point of contact for all incoming HTTP requests. It listens for requests
and queues them until they are all processed, no more queues are available, or the
Web server is shut down.
Where�s ASP cache located on IIS 6.0? On disk, as opposed to memory, as it used to
be in IIS 5.
What is socket pooling? Non-blocking socket usage, introduced in IIS 6.0. More than
one application can use a given socket.
Which characters should be enclosed in quotes when searching the index? &, @, $, #,
^, ( ), and .
How would you search for C++? Just enter C++, since + is not a special character
(and neither is C).
What about Barnes&Noble? Should be searched for as Barnes�&�Noble.
Are the searches case-sensitive? No.
What�s the order of precedence of Boolean operators in Microsoft Windows 2003
Server Indexing Service? NOT, AND, NEAR, OR.
How many group policies can be applied to an OU?

How many objects can be created in a Directory Partition?
In Active Directory Replication, which FSMO roles is participating in replication.?
A Case:
A Min DC (Windows 2003) & A BDC (windows 2000 Server) when the time of replication,
All partition will replicated, but what about "Applicatoin Partition in main DC".?
What is Active Directory schema?
The Active Directory schema contains formal definitions of every object class that
can be created in an Active Directory forest it also contains formal definitions of
every attribute that can exist in an Active Directory object.
Active Directory stores and retrieves information from a wide variety of

applications and services.
What is Global Catalog Server?

A global catalog server is a domain controller it is a master searchable database
that contains information about every object in every domain in a forest. The
global catalog contains a complete replica of all objects in Active Directory for
its host domain, and contains a partial replica of all objects in Active Directory
for every other domain in the forest. It have two important functions:
? Provides group membership information during logon and authentication
? Helps users locate resources in Active Directory
What is the ntds.tit file default size?
40 MB
What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global
Catalog?
SMTP � 25, POP3 � 110, IMAP4 � 143, RPC � 135, LDAP � 389, Global Catalog - 3268
What is a default gateway?

The exit-point from one network and entry-way into another network, often the
router of the network.
How do you set a default route on an Cisco router?

ip route 0.0.0.0 0.0.0.0 x.x.x.x [where x.x.x.x represents the destination address]
Describe the lease process of the DHCP server. DHCP Server leases the IP addresses
to the clients as follows:
DORA
D (Discover) : DHCP Client sends a broadcast packets to identify the dhcp server,
this packet will contain the source MAC.
O (Offer) : Once the packet is received by the DHCP server, the server will send
the packet containing Source IP and Source MAC.
R (Request) : Client will now contact the DHCP server directly and request for the
IP address.
A (Acknowledge) : DHCP server will send an ack packet which contains the IP
address.
What is IPv6? Internet Protocol version 6 (IPv6) is a network layer IP standard

used by electronic devices to exchange data across a packet-switched internetwork.
It follows IPv4 as the second version of the Internet Protocol to be formally
adopted for general use. ip v6 it is a 128 bit size address. This is total 8
octants each octant size is 16 bits separated with �:�, it is in hexa decimal
format. These 3 types:
1. unicast address
2. multicast address
3. anycast address
loopback address of ip v6 is ::1
How do you double-boot a Win 2003 server box?
The Boot.ini file is set as read-only, system, and hidden to prevent unwanted
editing. To change the Boot.ini timeout and default settings, use the System option
in Control Panel from the Advanced tab and select Startup.
What do you do if earlier application doesn�t run on Windows Server 2003?

When an application that ran on an earlier legacy version of Windows cannot be
loaded during the setup function or if it later malfunctions, you must run the
compatibility mode function. This is accomplished by right-clicking the application
or setup program and selecting Properties �> Compatibility �> selecting the
previously supported operating system.
If you uninstall Windows Server 2003, which operating systems can you revert to?
Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to
Windows Server 2003.
How do you get to Internet Firewall settings?

Start �> Control Panel �> Network and Internet Connections �> Network Connections.
What are the Windows Server 2003 keyboard shortcuts?

Winkey opens or closes the Start menu. Winkey + BREAK displays the System
Properties dialog box. Winkey + TAB moves the focus to the next application in the
taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in the
taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows the
desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F opens
the Search panel. Winkey + CTRL + F opens the Search panel with Search for
Computers module selected. Winkey + F1 opens Help. Winkey + M minimizes all. Winkey
+ SHIFT+ M undoes minimization. Winkey + R opens Run dialog. Winkey + U opens the
Utility Manager. Winkey + L locks the computer.
What is Active Directory?

Active Directory is a network-based object store and service that locates and
manages resources, and makes these resources available to authorized users and
groups. An underlying principle of the Active Directory is that everything is
considered an object�people, servers, workstations, printers, documents, and
devices. Each object has certain attributes and its own security access control
list (ACL).
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain
Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster
peer-to-peer read and write relationship that hosts copies of the Active Directory.
How long does it take for security changes to be replicated among the domain
controllers?
Security-related modifications are replicated within a site immediately. These
changes include account and individual user lockout policies, changes to password
policies, changes to computer account passwords, and modifications to the Local
Security Authority (LSA).
What�s new in Windows Server 2003 regarding the DNS management?

When DC promotion occurs with an existing forest, the Active Directory Installation
Wizard contacts an existing DC to update the directory and replicate from the DC
the required portions of the directory. If the wizard fails to locate a DC, it
performs debugging and reports what caused the failure and how to fix the problem.
In order to be located on a network, every DC must register in DNS DC locator DNS
records. The Active Directory Installation Wizard verifies a proper configuration
of the DNS infrastructure. All DNS configuration debugging and reporting activity
is done with the Active Directory Installation Wizard.
When should you create a forest?

Organizations that operate on radically different bases may require separate trees
with distinct namespaces. Unique trade or brand names often give rise to separate
DNS identities. Organizations merge or are acquired and naming continuity is
desired. Organizations form partnerships and joint ventures. While access to common
resources is desired, a separately defined tree can enforce more direct
administrative and security restrictions.
How can you authenticate between forests?

Four types of authentication are used across forests: (1) Kerberos and NTLM network
logon for remote access to a server in another forest; (2) Kerberos and NTLM
interactive logon for physical logon outside the user�s home forest; (3) Kerberos
delegation to N-tier application in another forest; and (4) user principal name
(UPN) credentials.
What snap-in administrative tools are available for Active Directory?

Active Directory Domains and Trusts Manager, Active Directory Sites and Services
Manager, Active Directory Users and Group Manager, Active Directory Replication
(optional, available from the Resource Kit), Active Directory Schema Manager
(optional, available from adminpak)
What types of classes exist in Windows Server 2003 Active Directory?
Structural class. The structural class is important to the system administrator in

that it is the only type from which new Active Directory objects are created.
Structural classes are developed from either the modification of an existing
structural type or the use of one or more abstract classes.
Abstract class. Abstract classes are so named because they take the form of
templates that actually create other templates (abstracts) and structural and
auxiliary classes. Think of abstract classes as frameworks for the defining
objects.
Auxiliary class. The auxiliary class is a list of attributes. Rather than apply
numerous attributes when creating a structural class, it provides a streamlined
alternative by applying a combination of attributes with a single include action.
88 class. The 88 class includes object classes defined prior to 1993, when the 1988
X.500 specification was adopted. This type does not use the structural, abstract,
and auxiliary definitions, nor is it in common use for the development of objects
in Windows Server 2003 environments.
How do you delete a lingering object?

Windows Server 2003 provides a command called Repadmin that provides the ability to
delete lingering objects in the Active Directory.
What is Global Catalog?

The Global Catalog authenticates network user logons and fields inquiries about
objects across a forest or tree. Every domain has at least one GC that is hosted on
a domain controller. In Windows 2000, there was typically one GC on every site in
order to prevent user logon failures across the network.
How is user account security established in Windows Server 2003?

When an account is created, it is given a unique access number known as a security
identifier (SID). Every group to which the user belongs has an associated SID. The
user and related group SIDs together form the user account�s security token, which
determines access levels to objects throughout the system and network. SIDs from
the security token are mapped to the access control list (ACL) of any object the
user attempts to access.
If I delete a user and then create a new account with the same username and
password, would the SID and permissions stay the same?
No. If you delete a user account and attempt to recreate it with the same user name
and password, the SID will be different.
What do you do with secure sign-ons in an organization with many roaming users?
Credential Management feature of Windows Server 2003 provides a consistent single
sign-on experience for users. This can be useful for roaming users who move between
computer systems. The Credential Management feature provides a secure store of user
credentials that includes passwords and X.509 certificates.
Anything special you should do when adding a user that has a Mac?
"Save password as encrypted clear text" must be selected on User Properties Account
Tab Options, since the Macs only store their passwords that way.
What remote access options does Windows Server 2003 support?

Dial-in, VPN, dial-in with callback.
Where are the documents and settings for the roaming profile stored?
All the documents and environmental settings for the roaming user are stored
locally on the system, and, when the user logs off, all changes to the locally
stored profile are copied to the shared server folder. Therefore, the first time a
roaming user logs on to a new system the logon process may take some time,
depending on how large his profile folder is.
Where are the settings for all the users stored on a given machine?
\Document and Settings\All Users
What languages can you use for log-on scripts?
JavaScipt, VBScript, DOS batch files (.com, .bat, or even .exe)
What are the differences between a site-to-site VPN and a VPN client connecting to
a VPN server? What protocols are used for these?
>
EXPERT RESPONSE
Site-to-site VPNs connect entire networks to each other -- for example, connecting
a branch office network to a company headquarters network. In a site-to-site VPN,
hosts do not have VPN client software; they send and receive normal TCP/IP traffic
through a VPN gateway. The VPN gateway is responsible for encapsulating and
encrypting outbound traffic, sending it through a VPN tunnel over the Internet, to
a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips
the headers, decrypts the content, and relays the packet towards the target host
inside its private network.
Remote access VPNs connect individual hosts to private networks -- for example,
travelers and teleworkers who need to access their company's network securely over
the Internet. In a remote access VPN, every host must have VPN client software
(more on this in a minute). Whenever the host tries to send any traffic, the VPN
client software encapsulates and encrypts that traffic before sending it over the
Internet to the VPN gateway at the edge of the target network. Upon receipt, that
VPN gateway behaves as described above for site-to-site VPNs. If the target host
inside the private network returns a response, the VPN gateway performs the reverse
process to send an encrypted response back to the VPN client over the Internet.
The most common secure tunneling protocol used in site-to-site VPNs is the IPsec
Encapsulating Security Payload (ESP), an extension to the standard IP protocol used
by the Internet and most corporate networks today. Most routers and firewalls now
support IPsec and so can be used as a VPN gateway for the private network behind
them. Another site-to-site VPN protocol is Multi-Protocol Label Switching (MPLS),
although MPLS does not provide encryption.
Remote access VPN protocols are more varied. The Point to Point Tunneling Protocol
(PPTP) has been included in every Windows operating system since Windows 95. The
Layer 2 Tunneling Protocol (L2TP) over IPsec is present in Windows 2000 and XP and
is more secure than PPTP. Many VPN gateways use IPsec alone (without L2TP) to
deliver remote access VPN services. All of these approaches require VPN client
software on every host, and a VPN gateway that supports the same protocol and
options/extensions for remote access.
Over the past few years, many vendors have released secure remote access products
that use SSL and ordinary web browsers as an alternative to IPsec/L2TP/PPTP VPNs.
These "SSL VPNs" are often referred to as "clientless," but it is more accurate to
say that they use web browsers as VPN clients, usually in combination with
dynamically-downloaded software (Java applet, ActiveX control, or temporary Win32
program that is removed when the session ends). Also, unlike PPTP, L2TP, and IPsec
VPNs, which connect remote hosts to an entire private network, SSL VPNs tend to
connect users to specific applications protected by the SSL VPN gateway.
To learn more about VPN protocols and topologies, watch the New directions in VPN
searchSecurity webcast, or read this InfoSec Magazine article on SSL VPNs.
http://www.petri.co.il/mcse_system_administrator_active_directory_interview_questio
ns.htm

Interviewg

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Interviewg

Caricato da

Copyright:

Formati disponibili

VMWARE L2 and L3 Interview Questions

1). What's new with vsphere 5.1?

2). Difference between ESX and ESXi?

3). How does vmotion works?

First, the entire state of a virtual machine is encapsulated by a set of files

4). Pre-requisites of vMotion?

5). Difference between h/w version 4 vs 7 vs 8 vs 9?

6). What is storage DRS?

8). What is NMP (native multipathing)?

1). What is zoning, different types of zoning?

1) Difference between sharing and security permissions.

1) What is Paged pool memory

How to troubleshoot event Id 2019 and 2020?

How to open a Dump File?

What is PAE Switch?

1) What id P2V? What is the tool that is used?

For questions on Active Directory, please visit this blog.

VMWARE Questions and Answers

2. Does the VMKernel boot by itself?

3. The service console is developed based up on Redhat Linux Operating system; it

4. Which command is used to restart webaccess service on vmware?service vmware-

5. What is the command to restart ssh service on vmware?service sshd restart

6. What is the command to restart host agent(vmware-hostd) on VMware esx server?

8. What is the command to start the scripted install?

9. Virtual Network in Simple������.

11. What is the use of a Port Group?

18. What is MAC address Changes? What happens if it is set to accept?

19. What is Forged Transmits? What happens if it is set to Accept?When we create a

20. What are the core services of VC?

24. What are the files that make a Virtual Machine?

27. What is a template?

23. What to do to customize the windows virtual machine clone?

24. What to do to customize the linux/unix virtual machine clone?

25. Does cloning from template happen between two datacenters?

29. What is VMWare consolidated backup?

31. Difference between HA and Vmotion?

32. What is DRS? DRS : Distributed Resource Scheduling (Youtube Video)

VMware DRS dynamically balances computing capacity across a collection of hardware

33. What is HA? HA : High Availability (Youtube video)

34. What is DPM in VMWARE? DPM : Distributed Power Management

What is dvSwitch? Distributed vSwitch

It�s a new feature introduced in vSphere4.0.The configuration of vDS is centralized

What is FT in vmware? FT : Fault Tolerance for Virtual Machines

What is vApps in vmware?

More details on vApps along with a video.

whats new in vShields 5?

"System Error 1920 has occured" 3

Some more active directory FAQ

? What is Active Directory?

? What is the SYSVOL folder?

? Name the AD NCs and replication issues for each NC.

? What are application partitions? When do I use them?

A1) Application Directory Partition is a partition space in Active Directory which

**A2) These are specific to Windows Server 2003 domains.

? How do you create a new application partition?

? How do you view replication properties for AD partitions and DCs?

? What is the Global Catalog?

? Why not make all DCs in a large forest as GCs?

Replmon : Replmon displays information about Active Directory Replication.

ADSIEDIT :ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a

NETDOM : NETDOM is a command-line tool that allows management of Windows domains

? What's the difference between a site link's schedule and interval?

? What is the KCC?

9. Virtual Network in Simple��.