VMWARE Questions
Live migration of a virtual machine from one physical server to another with VMware
VMotion is enabled by three underlying technologies.
Second, the active memory and precise execution state of the virtual machine are
rapidly transferred over a high-speed network, allowing the virtual machine to switch
almost instantaneously from running on the source ESX host to the destination ESX
host. VMotion keeps the transfer period imperceptible to users by tracking ongoing
memory transactions in a bitmap. Once the entire memory and system state have been
copied to the target ESX host, VMotion suspends the source virtual machine, copies
the bitmap to the target ESX host, and resumes the virtual machine on the target ESX
host. This entire process takes less than two seconds on a Gigabit Ethernet network.
Third, the networks used by the virtual machine are also virtualized by the
underlying ESX host, ensuring that even after the migration the virtual machine's
network identity and network connections are preserved. VMotion manages the virtual
MAC address as part of the process. Once the destination machine is activated,
VMotion pings the network router to ensure that it is aware of the new physical
location of the virtual MAC address.
Since the migration of a virtual machine with VMotion preserves the precise
execution state, the network identity, and the active network connections, the
result is zero downtime and no disruption to users.
Storage Questions
***********************************************************************************
WINTEL L2 or L3 Interview Questions
As of now I am just posting the questions only. In due course of time I'll publish
the answers as well.
================================================================
Why does a BSOD happen and how do you fix a BSOD error? Look for a detailed answer.
1) Reboot.
2) Reboot with "Last Known Good Configuration".
3) Reboot in Safe Mode with Networking.
4) Reboot in Safe Mode.
5) Check whether the error is Stop 0x7B. If so, check whether the RAID disk(s) have an issue.
6) Do a dump analysis. Use the steps in KB 315263 to open a dump file.
What is virtual memory and how is it organized in Windows? Why does it become more
important as far as 32-bit versus 64-bit OSes go?
Read this blog post to learn about troubleshooting the causes of "RPC Server
unavailable" issues. It covers the different ports needed, memory depletion due to
leaks, and other causes:
http://microsoftworld.blogspot.ca/2011/03/troubleshooting-rpc-server-is.html
What is DHCP? What is DORA process? What is APIPA? What is a SCOPE and Superscope?
What is a reservation? What is the name of DHCP database?
For DNS questions please read - http://dnsfunda.blogspot.com/
For VMWARE
***********************************************************************************
The VMware kernel (VMkernel) is a proprietary kernel developed by VMware; it is not
based on any of the UNIX operating systems.
The VMkernel cannot boot by itself, so it relies on a third-party operating system.
In the case of VMware ESX the kernel is booted by a Red Hat Linux operating system,
which is known as the service console.
10. What are the three port groups present in ESX server networking?
1. Virtual Machine Port Group - used for the virtual machine network
2. Service Console Port Group - used for service console communications
3. VMkernel Port Group - used for VMotion, iSCSI and NFS communications
12. Which types of communication definitely require an IP address?
Service Console and VMkernel (VMotion and iSCSI); these communications do not
happen without an IP address (whether it is a single or a dedicated one).
13. In the ESX Server licensing features, why does the VMotion license show as
"Not used"?
Even though the license box is selected, it shows as "License Not Used" until you
enable the VMotion option for a specific vSwitch.
14. How does Virtual Machine Port Group communication work?
All the VMs configured in a VM Port Group are able to connect to the physical
machines on the network. This port group enables communication between the vSwitch
and the physical switch, connecting VMs to physical machines.
15. What is a VLAN?
A VLAN is a logical configuration on a switch port to segment IP traffic. For this
to happen, the port must be trunked with the correct VLAN ID.
16. Do vSwitches support VLAN tagging? Why?
Yes, vSwitches support VLAN tagging; otherwise, if the virtual machines on an ESX
host were connected to different VLANs, we would need to install a separate physical
NIC (and vSwitch) for every VLAN. That is why VMware included VLAN tagging for
vSwitches. Every vSwitch supports up to 1016 ports, and so they could support 1016
VLANs if needed, but an ESX server doesn't support that many VMs.
17. What is Promiscuous Mode on a vSwitch? What happens if it is set to Accept?
If promiscuous mode is set to Accept, all communication is visible to all the
virtual machines on that vSwitch; in other words, every packet is delivered to every
port on the vSwitch, so any VM can observe traffic intended for other VMs.
If promiscuous mode is set to Reject, packets are delivered only to the intended
port, so only the intended virtual machine sees the communication.
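The security policy described above is worth auditing rather than trusting the default. The following script is an added example, not code from the original page or from VMware; it assumes VMware PowerCLI is installed and that Connect-VIServer has already been run against vCenter or a host. It reports every standard vSwitch and port group where promiscuous mode, MAC address changes or forged transmits are set to Accept.

```powershell
# Added example: audit standard vSwitch / port-group security policies with PowerCLI.
# Assumes the PowerCLI module is loaded and a session exists (Connect-VIServer).
# All three settings default to Reject; anything listed here deviates from that.

$findings = @()

foreach ($vmhost in Get-VMHost) {
    foreach ($vswitch in Get-VirtualSwitch -VMHost $vmhost -Standard) {
        $policy = Get-SecurityPolicy -VirtualSwitch $vswitch
        if ($policy.AllowPromiscuous -or $policy.MacChanges -or $policy.ForgedTransmits) {
            $findings += [pscustomobject]@{
                Host             = $vmhost.Name
                Object           = "vSwitch $($vswitch.Name)"
                AllowPromiscuous = $policy.AllowPromiscuous
                MacChanges       = $policy.MacChanges
                ForgedTransmits  = $policy.ForgedTransmits
            }
        }
        # A port group can override the vSwitch policy, so check each one as well.
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vswitch) {
            $pgPolicy = Get-SecurityPolicy -VirtualPortGroup $pg
            if ($pgPolicy.AllowPromiscuous -or $pgPolicy.MacChanges -or $pgPolicy.ForgedTransmits) {
                $findings += [pscustomobject]@{
                    Host             = $vmhost.Name
                    Object           = "PortGroup $($pg.Name) on $($vswitch.Name)"
                    AllowPromiscuous = $pgPolicy.AllowPromiscuous
                    MacChanges       = $pgPolicy.MacChanges
                    ForgedTransmits  = $pgPolicy.ForgedTransmits
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "All standard vSwitches and port groups reject promiscuous mode, MAC changes and forged transmits."
}

# Remediation for a single port group, once you have confirmed nothing on it
# legitimately needs promiscuous mode (a network sensor VM is the usual exception):
# Get-VirtualPortGroup -Name 'VM Network' | Get-SecurityPolicy |
#     Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false
```

Keep any port group that genuinely needs promiscuous mode (for example one dedicated to a monitoring appliance) separate from the port groups carrying ordinary VM traffic, so that the exception does not expose other workloads.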
22. What is the VC agent? Which service does it correspond to? What are the minimum
requisites for VC agent installation?
The VC agent is an agent installed on the ESX server that enables communication
between VC and the ESX server. The daemon associated with it is called vmware-hostd,
and the service that corresponds to it is called mgmt-vmware. If the VC agent fails,
simply restarting the service by typing the following command at the service console
helps:
service mgmt-vmware restart
The VC agent is installed on the ESX server when we add the host to VC, so if at
installation time you get an error like "VC Agent service failed to install", check
whether /opt has sufficient free space.
23. How can you edit VI Client settings and VC Server settings?
Click the Edit menu in VC and select Client Settings to change VI Client settings.
Click the Administration menu in VC and select VC Management Server Configuration to
change VC Server settings.
25. Which devices can be added while the virtual machine is running?
In VI 3.5 we can add hard disks and NICs while the machine is running. In vSphere
4.0 we can also add memory and processors along with HDDs and NICs while the machine
is running.
26. How do you set the time delay for the BIOS screen of a virtual machine?
Right-click the VM, select Edit Settings, choose the Options tab, select Boot
Options, and set the delay you want.
26. What are the common issues with snapshots? What stops a snapshot from being
taken, and how do you fix it?
If the VM is configured with mapped LUNs in physical mode, the snapshot fails. If
the LUNs are mapped in virtual mode, a snapshot can be taken.
If the VM is configured with mapped LUNs in physical mode, you need to remove them
before taking a snapshot.
27. What is taken into consideration when we initiate a snapshot?
Virtual machine configuration (what hardware is attached to it)
State of the virtual machine hard disk file (to revert back if needed)
State of the virtual machine memory (if it is powered on).
28. What are the requirements for Converting a Physical machine to VM?
An agent needs to be installed on the Physical machine
VI client needs to be installed with Converter Plug-in
A server to import/export virtual machines
What is VMsafe?
VMsafe: VMsafe's application programming interfaces are designed to help third-party
vendors create virtualization security products that better secure VMware ESX;
vShield Zones is a security tool targeted at the VMware administrator.
In other words, VMware VMsafe is a program for integrating partner security
solutions into VMware-virtualized environments, offering visibility, control and
choice to customers. The result is an approach to virtualized security that
provides customers with a choice of enhanced security and IT compliance solutions
enabling comprehensive protection for virtual datacenters and cloud environments.
What is vShield?
vShield: vShield Zones is essentially a virtual firewall designed to protect VMs
and analyze virtual network traffic. This three-part series describes vShield
Zones, explains how to install it and provides useful management tips.
***********************************************************************************
? What is LDAP?
Short for Lightweight Directory Access Protocol, a set of protocols for accessing
information directories. LDAP is based on the standards contained within the X.500
standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP,
which is necessary for any type of Internet access. Because it's a simpler version
of X.500, LDAP is sometimes called X.500-lite.
? Can you connect Active Directory to other 3rd-party Directory Services? Name a
few options?
Yes. Microsoft Identity Integration Server (MIIS) is used to connect Active
Directory to other 3rd-party Directory Services (including directories used by SAP,
Domino, etc).
? Where is the AD database held? What other folders are related to AD?
The AD database is saved in %systemroot%\NTDS. You can see other files in this
folder as well. These are the main files controlling the AD structure:
? ntds.dit
? edb.log
? res1.log
? res2.log
? edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K
records the transaction in the log file (edb.log). Once written to the log file,
the change is then written to the AD database. System performance determines how
fast the system writes the data to the AD database from the log file. Any time the
system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log.
The initial size of each is 10MB. These files are used to ensure that changes can
be written to disk should the system run out of free disk space. The checkpoint
file (edb.chk) records transactions committed to the AD database (ntds.dit). During
shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a
reboot, AD determines that all transactions in the edb.log file have been committed
to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot
or the shutdown statement isn't present, AD will use the edb.log file to update the
AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By
default, the file is located in %systemroot%\NTDS, along with the other files we've
discussed.
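A domain controller records where these files actually live in the NTDS service parameters, which is the authoritative place to look when the database has been relocated from the default path. The script below is an added example, not from the original page; it reads those registry values, reports each file, and lists who has access to the database folder, since ntds.dit holds every password hash in the domain and its ACL should contain only SYSTEM and Administrators. Run it in an elevated prompt on the DC.

```powershell
# Added example: locate the AD database and its transaction-log files from the
# NTDS service parameters and report them. Run elevated on a domain controller.
$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $params.'DSA Database file'         # full path to ntds.dit
$logDir = $params.'Database log files path'   # folder holding edb.log, edb.chk and the reserve logs
                                              # (res1.log/res2.log on Windows 2000/2003, edbres*.jrs later)

# Collect the database plus everything in the log directory, de-duplicated in case both are the same folder.
$paths = @($dbFile) + @(Get-ChildItem -Path $logDir -File | Select-Object -ExpandProperty FullName)

$report = foreach ($p in ($paths | Sort-Object -Unique)) {
    $item = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
    [pscustomobject]@{
        File      = $p
        Exists    = [bool]$item
        SizeMB    = if ($item) { [math]::Round($item.Length / 1MB, 2) } else { $null }
        LastWrite = if ($item) { $item.LastWriteTime } else { $null }
    }
}
$report | Format-Table -AutoSize

# Who can read the folder containing ntds.dit? Anything beyond SYSTEM and
# Administrators deserves an explanation.
"ACL on $(Split-Path -Path $dbFile -Parent):"
(Get-Acl -LiteralPath (Split-Path -Path $dbFile -Parent)).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```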
There are two answers to this question. Answer A1 and A2 given below.
? What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
LDP : Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when
traffic engineering is not required. It establishes LSPs that follow the existing
IP routing, and is particularly well suited for establishing a full mesh of LSPs
between all of the routers on the network.
? How can you forcibly remove AD from a server, and what do you do later?
Demoting Windows Server 2003 DCs: DCPROMO (Active Directory Installation Wizard) is
a toggle switch, which allows you to either install or remove Active Directory DCs.
To forcibly demote a Windows Server 2003 DC, run the following command either at
the Start, Run, or at the command prompt:
dcpromo /forceremoval
Note: If you're running Certificate Services on the DC, you must first remove
Certificate Services before continuing. If you specify the /forceremoval switch on
a server that doesn't have Active Directory installed, the switch is ignored and
the wizard pretends that you want to install Active Directory on that server.
Once the wizard starts, you will be prompted for the Administrator password that
you want to assign to the local administrator in the SAM database. If you have
Windows Server 2003 Service Pack 1 installed on the DC, you'll benefit from a few
enhancements. The wizard will automatically run certain checks and will prompt you
to take appropriate actions. For example, if the DC is a Global Catalog server or a
DNS server, you will be prompted. You will also be prompted to take an action if
your DC is hosting any of the operations master roles.
Demoting Windows 2000 DCs: On a Windows 2000 domain controller, forced demotion is
supported with Service Pack 2 and later. The rest of the procedure is similar to
the procedure I described for Windows Server 2003. Just make sure that while
running the wizard, you clear the "This server is the last domain controller in the
domain" check box. On Windows 2000 Servers you won't benefit from the enhancements
in Windows Server 2003 SP1, so if the DC you are demoting is a Global Catalog
server, you may have to manually promote some other DC to a Global Catalog server.
Cleaning the Metadata on a Surviving DC : Once you've successfully demoted the DC,
your job is not quite done yet. Now you must clean up the Active Directory
metadata. You may be wondering why I need to clean the metadata manually. The
metadata for the demoted DC is not deleted from the surviving DCs because you
forced the demotion. When you force a demotion, Active Directory basically ignores
other DCs and does its own thing. Because the other DCs are not aware that you
removed the demoted DC from the domain, the references to the demoted DC need to be
removed from the domain.
Although Active Directory has made numerous improvements over the years, one of the
biggest criticisms of Active Directory is that it doesn't clean up the mess very
well. This is obvious in most cases but, in other cases, you won't know it unless
you start digging deep into Active Directory database.
To clean up the metadata you use NTDSUTIL. The following procedure describes how to
clean up metadata on a Windows Server 2003 SP1. According to Microsoft, the version
of NTDSUTIL in SP1 has been enhanced considerably and does a much better job of
clean-up, which obviously means that the earlier versions didn't do a very good
job. For Windows 2000 DCs, you might want to check out Microsoft Knowledge Base
article 216498, "How to remove data in Active Directory after an unsuccessful
domain controller demotion."
Here's the step-by-step procedure for cleaning metadata on Windows Server 2003 DCs:
1. Logon to the DC as a Domain Administrator.
2. At the command prompt, type ntdsutil.
3. Type metadata cleanup.
4. Type connections.
5. Type connect to server servername, where servername is the name of the server
you want to connect to.
6. Type quit or q to go one level up. You should be at the Metadata Cleanup prompt.
7. Type select operation target.
8. Type list domains. You will see a list of domains in the forest, each with a
different number.
9. Type select domain number, where number is the number associated with the domain
of your server
10. Type list sites.
11. Type select site number, where number is the number associated with the site of
your server.
12. Type list servers in site.
13. Type select server number, where number is the number associated with the
server you want to remove.
14. Type quit to go to Metadata Cleanup prompt.
15. Type remove selected server. You should see a confirmation that the removal
completed successfully.
16. Type quit to exit ntdsutil.
You might also want to cleanup DNS database by deleting all DNS records related to
the server.
In general, you will have better luck using forced demotion on Windows Server
2003, because the naming contexts and other objects don't get cleaned as quickly on
Windows 2000 Global Catalog servers, especially servers running Windows 2000 SP3 or
earlier. Due to the nature of forced demotion and the fact that it's meant to be
used only as a last resort, there are additional things that you should know about
forced demotion.
Even after you've used NTDSUTIL to clean the metadata, you may still need to do
additional cleaning manually using ADSIEdit or other such tools. You might want to
check out Microsoft's Knowledge Base article 332199, "Domain controllers do not
demote gracefully when you use the Active Directory Installation Wizard to force
demotion in Windows Server 2003 and in Windows 2000 Server," for more information.
Read the original full answer at http://redmondmag.com/columns/print.asp?EditorialsID=1352
And best read this also
http://www.petri.co.il/forcibly_removing_active_directoy_from_dc.htm
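After the NTDSUTIL cleanup and the manual DNS cleanup described above, it pays to verify that nothing referencing the demoted DC survived, because a stale server object or SRV record will keep clients and replication partners trying to reach a host that no longer exists. The script below is an added example, not from the original page or from the articles it links; it assumes the ActiveDirectory and DnsServer RSAT modules, a run on a DC that also hosts DNS, and the placeholder name OLDDC01 replaced with the demoted DC's short name.

```powershell
# Added example: check for leftover references to a forcibly demoted DC.
# Assumes RSAT ActiveDirectory + DnsServer modules; run on a DC hosting DNS.
Import-Module ActiveDirectory
Import-Module DnsServer

$oldDc  = 'OLDDC01'                     # placeholder: short hostname of the demoted DC
$cfgNC  = (Get-ADRootDSE).configurationNamingContext
$domain = Get-ADDomain

# Directory objects that ntdsutil should have removed. The array subexpression
# collects whatever each query returns, so empty results add nothing.
$residue = @(
    # 1. Server object (and its NTDS Settings child) under Sites in the Configuration partition
    Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$oldDc'" `
                 -SearchBase "CN=Sites,$cfgNC" -SearchScope Subtree
    # 2. Computer account still sitting in the Domain Controllers OU
    Get-ADObject -Filter "objectClass -eq 'computer' -and name -eq '$oldDc'" `
                 -SearchBase $domain.DomainControllersContainer -SearchScope Subtree
    # 3. FRS / DFSR SYSVOL replication membership for the old DC
    Get-ADObject -Filter "name -eq '$oldDc'" `
                 -SearchBase "CN=System,$($domain.DistinguishedName)" -SearchScope Subtree |
        Where-Object { $_.ObjectClass -in 'nTFRSMember', 'msDFSR-Member' }
)

# DNS records in the domain zone and the _msdcs zone that still point at the old DC:
# its A record, SRV records naming it, and the GUID-based CNAME alias.
$zones   = @($domain.DNSRoot, "_msdcs.$($domain.DNSRoot)")
$dnsHits = @(foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            $_.HostName -eq $oldDc -or
            ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -like "$oldDc.*") -or
            ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -like "$oldDc.*")
        } | Select-Object @{n = 'Zone'; e = { $zone }}, HostName, RecordType,
                          @{n = 'Data'; e = { ($_.RecordData | Out-String).Trim() }}
})

if (-not $residue -and -not $dnsHits) {
    "No residual directory objects or DNS records found for $oldDc."
} else {
    "Residual directory objects:"
    $residue | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
    "Residual DNS records:"
    $dnsHits | Format-Table -AutoSize
}
```

Anything the script lists is a candidate for removal with ADSIEdit or the DNS console, as the text above suggests; confirm the object really belongs to the demoted DC before deleting it.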
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be
upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000
SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
For more information about preparing your forest and domain see KB article Q331161 at http://support.microsoft.com.
[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries.....................................................
......................................................
139 entries modified successfully.
? How would you find all users that have not logged on since last month?
In a Windows 2003 domain environment, go to Active Directory Users and Computers,
select Saved Queries, right-click it and select New Query; then, using the custom
common queries, define the query. There is one that shows "days since last logon".
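The same question answered from the command line, as an added example that is not part of the original page: it assumes the ActiveDirectory RSAT module and flags enabled accounts whose last logon is older than 30 days. The caveat a reviewer should know is that LastLogonDate is derived from lastLogonTimestamp, which replicates between DCs but is only refreshed when it is more than about 14 days stale, so the dates are accurate to within two weeks; the per-DC lastLogon attribute is exact but never replicates.

```powershell
# Added example: enabled user accounts with no logon in the last 30 days.
# Assumes the ActiveDirectory module. LastLogonDate comes from lastLogonTimestamp,
# which is replicated but refreshed at most every ~14 days; treat it as approximate.
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-30)

$stale = Get-ADUser -Filter { Enabled -eq $true } `
                    -Properties LastLogonDate, whenCreated, PasswordLastSet |
    Where-Object {
        # Accounts that have never logged on have no LastLogonDate; only flag those
        # old enough that a logon should have happened by now.
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    } |
    Select-Object SamAccountName, Name, LastLogonDate, whenCreated, PasswordLastSet, DistinguishedName

$stale | Sort-Object LastLogonDate | Format-Table -AutoSize
"$($stale.Count) stale enabled account(s) found."

# Built-in shortcut with the same 14-day caveat (also catches accounts never logged on):
# Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly | Where-Object Enabled
```

Stale enabled accounts are a standing risk (forgotten credentials that nobody notices being used), so the usual follow-up is to disable them, record the date in the description, and delete after a grace period.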
? What are the DS* commands?
Answer is at http://www.computerperformance.co.uk/Logon/DSadd_DSmod_DSrm.htm
? DSmod - modify Active Directory attributes
? DSrm - to delete Active Directory objects
? DSmove - to relocate objects
? DSadd - create new accounts
? DSquery - to find objects that match your query attributes
? DSget - list the properties of an object
DSmod
Adding objects is great, but there are times in Windows 2003 when you need to
change Active Directory properties.
Scenario: you wish to quickly change a user's password. This is a task you are going
to have to do regularly, and you would like to be able to do it quickly from the
command line. Let us now modify the user's password with DSmod.
Example 1 Modify Password
Logon to your domain controller. Check which users you have, if necessary create an
ou called guyds and user called guyt.
Examine the script below. Decide how cn= or ou= or dc= need editing.
Run, CMD then copy your script and paste into the command window. Alternatively
type it starting with dsmod user .........
Command : dsmod user "cn=guyt, ou=guyds, dc=cp, dc=com" -pwd a1yC24kg
Example 2 Create user WITH password
Note 1: We could have created the password at the same time we created the user.
For ease of learning I introduce one variable at a time. However, here is the
complete command to add a user with a password.
Note 1: dsadd ou. This command tells Active Directory which object to create, in
this case an OU (not a user).
Note 2: You only really need speech marks if there is a space in any of your names.
So ou=guyds, dc=cp, dc=com would work fine, but ou=GUY Space DS, dc=cp, dc=com
fails because of the spaces in the GUY Space DS, name. In this second example you
would type: "ou=GUY Space DS, dc=cp, dc=com"
Example 2 Employing DSadd to Create a User. (Assumes you have completed Example 1)
The purpose of this example is to create a new user in an OU called guyds.
Preparation:
Logon to your domain controller.
Examine the script below. Decide if cn= or ou= or dc= need editing.
Run, CMD then copy your script and paste into the command window. Alternatively
type it starting with dsadd user .........
Creating a User - DSadd user....
Command: dsadd user "cn=guyt, ou=guyds, dc=cp, dc=com"
Note: DSadd requires the complete distinguished name. Note also that the
distinguished name is encased in double "speech marks". I expect you spotted that
the user will be created in the guyds organizational unit that was created in the
first example. Change "cn=guyt to a different user name if you wish.
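The dsadd/dsmod sequence above passes the new password as a command-line argument (-pwd), which leaves it in command history and visible to anyone who can list process command lines while dsmod runs. The script below is an added example, not from the original page or from the site it quotes; it performs the same two steps with the ActiveDirectory RSAT module, reusing the guyds OU and guyt user names from the examples, and reads the password from a secure prompt instead.

```powershell
# Added example: create the OU and user from the dsadd examples, then reset the
# password, without the password ever appearing on a command line.
# Assumes the ActiveDirectory module; names reused from the examples above.
Import-Module ActiveDirectory
$domainDN = 'DC=cp,DC=com'
$ouName   = 'guyds'
$ouDN     = "OU=$ouName,$domainDN"
$userName = 'guyt'

# Create the OU only if it does not exist yet (dsadd ou equivalent).
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# Create the user (dsadd user equivalent). Read-Host -AsSecureString keeps the
# password out of the command line and out of the history file.
$initial = Read-Host -AsSecureString -Prompt "Initial password for $userName"
New-ADUser -Name $userName -SamAccountName $userName -Path $ouDN `
           -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true

# Later reset (dsmod user -pwd equivalent): an administrative reset should always
# force the user to pick their own password at next logon.
$new = Read-Host -AsSecureString -Prompt "New password for $userName"
Set-ADAccountPassword -Identity $userName -Reset -NewPassword $new
Set-ADUser -Identity $userName -ChangePasswordAtLogon $true

Get-ADUser -Identity $userName -Properties PasswordLastSet, pwdLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet, pwdLastSet
```

A pwdLastSet of 0 in the final output confirms that the "change at next logon" flag took effect.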
DS Error Messages
DS has its own family of error messages. I found that they are specific and varied,
just remember to pay attention to detail. READ ERROR MESSAGES SLOWLY.
New DS built-in tools for Windows Server 2003
At last I have found a really useful member of the DS family of utilities. If I need
to find a user quickly from the command prompt, I call for DSQuery.
Example 1 - DSQuery to list all the OUs in your domain
Let us find out how many Organizational Units there are in your domain. Either of
the commands below produces a listing of all OUs.
Commands:
Dsquery ou dc=mydom,dc=com
or
dsquery ou domainroot
Learning Points
Note 1: dc does NOT mean domain controller, it means domain context.
Note 2: The dc commands are not case sensitive, but they dislike spaces.
dc=mydom, dc=com will draw an error.
Note 3: If you haven't got any OUs (Organizational Units), I seriously suggest that
you create some to organize your users.
Note 4: Best of all, in this scenario, you can substitute domainroot for dc=cp.
Example 2 - To find all users in the default Users folder with DSQuery
In this example we just want to trawl the users folder and find out who is in that
container.
Commands: dsquery user cn=users,dc=cp,dc=com
Learning Points
Note 1: The default users' folder is actually a container object called cn=users.
My point is if you try ou=users, the command fails.
Note 2: I queried users, however dsquery requires the singular user, not userS.
Other objects that you can query are computer (not computers!), group or even
contact.
Challenge 1: Substitute OU=xyz for cn=users, where xyz is the name of your OU.
Unfortunately, cn=users domainroot does not work.
Challenge 2: Substitute computer for user
Example 3 - DSQuery to list all your Domain Controllers
Suppose you want to list all of your domain controllers, (not computers). Which
command do you think would supply the information?
Commands:
dsquery server
dsquery server domainroot
dsquery server dc=cp,dc=com
Learning Points
Note 1: Amazingly, dsquery server, the simplest command, gets the job done.
Note 2: I thank Jim D for pointing out that what we want here is the singular 'server'.
Example 4 - To query the FSMO roles of your Domain Controllers
Here is a wonderful command to find the FSMO roles (Flexible Single Master Roles)
-hasfsmo. The arguments, which correspond to the 5 roles are: schema, rid, name,
infr and pdc.
Commands:
dsquery server -hasfsmo schema
Learning Points
Note 1: The command is -hasfsmo with an ordinary hyphen, not the dash character that appears in some documents.
Example 5 - DSQuery to find all users whose name begins with smith*
This DSQuery example shows two ways to filter your output and so home in on what
you are looking for. Let us pretend that we know the user's name but have no idea
which OU they are to be found. Moreover, we are not sure whether their name is
spelt Smith, Smithy or Smithye.
Commands :
dsquery user domainroot -name smith*
or
dsquery user dc=cp,dc=com -name smith*
or plain
dsquery user smith*
Learning Points
Note 1: Remember to type the singular user.
Note 2: Probably no need to introduce *, you probably realize it's a wildcard.
Note 3: -name is but one of a family of filters. -desc or -disabled are others.
Example 6 - DSQuery to filter the output with -o rdn
The purpose of -o rdn is to reduce the output to just the relative distinguished
name. In a nutshell rdn strips away the OU=, DC= part which you may not be
interested in.
Command: dsquery user -name smith* -o rdn
Learning Points
Note 1: o is the letter oh (not a number). In my mind's eye, o stands for output.
Note 2: There is a switch -o dn, but this is not a switch I use.
Summary - DSQuery
Knowledge is power. The DS family in general and DSQuery in particular, are handy
commands for interrogating Active Directory from the command line. Perhaps the day
will come when you need to find a user, computer or group without calling for the
Active Users and Computers GUI.
DSGet
DSGet is a logical progression from DSQuery. The idea is that when DSQuery returns
a list of objects, DSGet can interrogate those objects for extra properties such
as, description, manager or department. Naturally this pre-supposes you entered the
relevant information in the user's properties sheet!
Introduction to DSGet
My assumption is that you are comfortable with DSQuery, if this is not the case
take the time to have a refresher
Next, a reminder to pay close attention to DS syntax. In this instance what we need
is a pipe symbol ( | ) to join DSQuery with DSGet. Just to be clear, you type this
pipe ( | ) with the Shift key and the key next to the Z. (A colon : would produce an
error).
Example 1 To Check that DSQuery is working
Let us build a solid foundation with a DSQuery (only found on a Windows Server 2003
DC).
Commands:
dsquery user domainroot -name smith*
or
dsquery user -name smith*
Learning Points
Note 1: You need a Windows Server 2003 machine. Perhaps you could remote desktop
into such a server?
Note 2: Feel free to change smith* to one of your users. Better still, create a
test account and start filling in those user properties.
Note 3: This example is just to build a foundation. Now let us move on to DSGet.
Example 2 Basic DSGet
We need to interrogate the output for more information. So we use DSGet to retrieve
the description.
Commands:
dsquery user domainroot -name smith* | dsget user -dn -desc
or
dsquery user -name smith* | dsget user -dn -desc
Learning Points for DSGet
Note 1: Master the pipe command | which separates dsquery from dsget. To create |,
hold down the Shift key while pressing the key next to the Z.
Note 2: Even though dsquery told the operating system it was a user object, dsget
still has to invoke user in its section of the command.
Challenge: See what happens if you omit the -dn.
Example 3 - Which extra properties shall we query?
-display Display name is different from the user's description field. If you
haven't done so already, time to get a user's properties sheet and start filling in
those attribute boxes.
-office Useful property
-sn This command does not work. What's the matter with -sn? I will tell you what's
wrong; dsget requires -ln instead of -sn and -fn instead of givenName
grrrrrrrrrrrrrrrrrr. Calm down Guy, go with the flow; think of all these useful
switches.
O.K. No more moaning. DSGet is actually fun and productive. Guess what information
these switches return?
-email, -tel, -mgr, -mobile
Answers: General (tab), email address, telephone number, Organization (tab),
Manager, Telephones (tab), Mobile.
Now find them on the user's properties sheet.
Example 4 - Change the DSget output.
They say the old tricks are the best, so let us try sending the DSGet output not to
the screen but to a text file. Here we need a different kind of operator; this time
it's the greater-than symbol, for example > filename.txt. So, just tag > filename.txt
onto the end of your DS command. Follow up with: notepad filename.txt.
Commands:
dsquery user domainroot -name smith* | dsget user -fn -ln -mgr > dsget.txt
or
dsquery user -name smith* | dsget user -fn -ln -mgr > dsget.txt
Learning Points
Note 1: To read the file type, notepad dsget.txt
Note 2: I am impressed by the column format of the output
I would like to leave you with a few more DSGet objects that you can interrogate or
experiment with. In addition to user, there are the following DSGet commands:
computer, also server (meaning DC), ou, group, and even site and subnet.
Note. There are also two commands called partition and quota, however, in the
context of DSGet, partition and quota refer to Active Directory, not disk. For
example, the application partition in Active Directory. Tell the truth, it was a
big disappointment that DSGet did not return the disk information, but on
reflection I was expecting the impossible. DSGet partition means Active Directory
partition.
Summary - DSGet
As far as DSGet is concerned, I have gone from Philistine to champion. Now I really
enjoy the challenge of DSGet and appreciate the way it works hand in glove with
DSQuery. It also reminds me of that old truism: the more you know, the easier it gets.
? What's the difference between LDIFDE and CSVDE? Usage considerations?
CSVDE is a command that can be used to import and export objects to and from the AD
into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily
readable in Excel. I will not go to length into this powerful command, but I will
show you some basic samples of how to import a large number of users into your AD.
Of course, as with the DSADD command, CSVDE can do more than just import users.
Consult your help file for more info. Like CSVDE, LDIFDE is a command that can be
used to import and export objects to and from the AD into a LDIF-formatted file. A
LDIF (LDAP Data Interchange Format) file is a file easily readable in any text
editor; however it is not readable in programs like Excel. The major difference
between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be
used to edit and delete existing AD objects (not just users), while CSVDE can only
import and export objects.
? What are the FSMO roles? Who has them by default? What happens when each one
fails?
Well, one can accomplish this task by many means. This article will list a few of
the available methods.
Method #1: Know the default settings
The FSMO roles were assigned to one or more DCs during the DCPROMO process. The
following table summarizes the FSMO default locations:
FSMO Role        Number of DCs holding this role   Original DC holding the FSMO role
Schema           One per forest                    The first DC in the first domain in the forest (i.e. the Forest Root Domain)
Domain Naming    One per forest
RID              One per domain                    The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
PDC Emulator     One per domain
Infrastructure   One per domain
Method #2: Use the GUI
The FSMO role holders can be easily found by use of some of the AD snap-ins. Use
this table to see which tool can be used for what FSMO role:
? I want to look at the RID allocation table for a DC. What do I do?
? What's the difference between transferring a FSMO role and seizing one?
Transferring FSMO Role
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method
called FSMO (Flexible Single Master Operation), as described in Understanding FSMO
Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in
the same spot (or actually, on the same DC) as has been configured by the Active
Directory installation process. However, there are scenarios where an administrator
would want to move one or more of the FSMO roles from the default holder DC to a
different DC.
Moving the FSMO roles while both the original FSMO role holder and the future FSMO
role holder are online and operational is called Transferring, and is described in
this article.
The transfer of an FSMO role is the suggested form of moving a FSMO role between
domain controllers and can be initiated by the administrator or by demoting a
domain controller. However, the transfer process is not initiated automatically by
the operating system, for example a server in a shut-down state. FSMO roles are not
automatically relocated during the shutdown process - this must be considered when
shutting down a domain controller that has an FSMO role for maintenance, for
example.
In a graceful transfer of an FSMO role between two domain controllers, a
synchronization of the data that is maintained by the FSMO role owner to the server
receiving the FSMO role is performed prior to transferring the role to ensure that
any changes have been recorded before the role change.
However, when the original FSMO role holder has gone offline or has been
non-operational for a long period of time, the administrator might consider moving
the FSMO role from the original, non-operational holder to a different DC. Moving
an FSMO role from a non-operational role holder to a different DC is called
Seizing, and is described in the Seizing FSMO Roles article.
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by
using an MMC snap-in tool. Depending on the FSMO role that you want to transfer,
you can use one of the following three MMC snap-in tools:
? Active Directory Schema snap-in
? Active Directory Domains and Trusts snap-in
? Active Directory Users and Computers snap-in
To transfer the FSMO role the administrator must be a member of the following
group:
Note: To see a list of available commands at any of the prompts in the Ntdsutil
tool, type ?, and then press ENTER.
1. Type connections, and then press ENTER.
2. Type connect to server servername, where servername is the name of the server
you want to use, and then press ENTER.
1. At the server connections: prompt, type q, and then press ENTER again.
1. You will receive a warning window asking if you want to perform the transfer.
Click on Yes.
2. After you transfer the roles, type q and press ENTER until you quit
Ntdsutil.exe.
3. Restart the server and make sure you update your backup.
Note: All five roles need to be in the forest. If the first domain controller is
out of the forest then seize all roles. Determine which roles are to be on which
remaining domain controllers so that all five roles are not on only one server.
1. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
2. After you seize or transfer the roles, type q, and then press ENTER until you
quit the Ntdsutil tool.
Note: Do not put the Infrastructure Master (IM) role on the same domain controller
as the Global Catalog server. If the Infrastructure Master runs on a GC server it
will stop updating object information because it does not contain any references to
objects that it does not hold. This is because a GC server holds a partial replica
of every object in the forest.
A better-formatted version of this answer can be found at
http://www.petri.co.il/seizing_fsmo_roles.htm
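A placement check for the five roles and the Infrastructure Master / Global Catalog warning from the note above, as an added example in PowerShell (not code from the original page or from the Petri article). It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), so it postdates the Windows 2000/2003 tooling the page describes, and it applies the standard exception that the co-location is harmless when every DC in the domain is a GC.

```powershell
# Added example, not from the original page: report the five FSMO role holders
# for one domain and flag the Infrastructure Master sitting on a Global Catalog.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param(
        # Domain to inspect; defaults to the current user's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $allDcs = Get-ADDomainController -Filter * -Server $Domain
    # When every DC in the domain is a GC there are no phantom references left to
    # update, so the IM-on-GC warning does not apply in that one case.
    $everyDcIsGc = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })

    # Two forest-wide roles (one per forest) and three domain-wide roles (one per domain).
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'RID Master'            = $dom.RIDMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # Ask the holder about itself; -Identity accepts the DNS host name.
        $dc = Get-ADDomainController -Identity $holder -Server $holder
        $warning = ''
        if ($role -eq 'Infrastructure Master' -and $dc.IsGlobalCatalog -and -not $everyDcIsGc) {
            $warning = 'IM on a GC: cross-domain object references will stop being updated'
        }
        [pscustomobject]@{
            Role            = $role
            Holder          = $holder
            IsGlobalCatalog = $dc.IsGlobalCatalog
            Warning         = $warning
        }
    }
}

Get-FsmoPlacementReport | Format-Table -AutoSize
```

Run it before and after a transfer or seizure; a non-empty Warning column on the Infrastructure Master row is the condition the note describes.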
? Which FSMO role should you NOT seize? Why?
? How do you configure a "stand-by operation master" for any of the roles?
? How do you backup AD?
? How do you restore AD?
? How do you change the DS Restore admin password?
? Why can't you restore a DC that was backed up 4 months ago?
? What are GPOs?
? What is the order in which GPOs are applied?
? Name a few benefits of using GPMC.
? What are the GPC and the GPT? Where can I find them?
? What are GPO links? What special things can I do to them?
? What can I do to prevent inheritance from above?
? How can I override blocking of inheritance?
? How can you determine what GPO was and was not applied for a user? Name a few
ways to do that.
? A user claims he did not receive a GPO, yet his user and computer accounts are in
the right OU, and everyone else there gets the GPO. What will you look for?
? Name a few differences in Vista GPOs
? Name some GPO settings in the computer and user parts.
? What are administrative templates?
? What's the difference between software publishing and assigning?
? Can I deploy non-MSI software with GPO?
? You want to standardize the desktop environments (wallpaper, My Documents, Start
menu, printers etc.) on the computers in one department. How would you do that?
Source: http://www.petri.co.il/mcse_system_administrator_active_directory_interview_questions.htm
What is LSDOU?
It's the Group Policy inheritance model, where policies are applied to Local
machines, Sites, Domains and Organizational Units.
You change the group policies, and now the computer and user settings are in
conflict. Which one has the highest priority?
The computer settings take priority.
You want to set up remote installation procedure, but do not want the user to gain
access over it. What do you do?
gponame -> User Configuration -> Windows Settings -> Remote Installation Services ->
Choice Options is your friend.
You need to automatically install an app, but an MSI file is not available. What do
you do?
A .zap text file can be used to add applications using the Software Installer,
rather than the Windows Installer.
What can be restricted on Windows Server 2003 that wasn't there in previous
products?
Group Policy in Windows Server 2003 determines a user's right to modify network and
dial-up TCP/IP properties. Users may be selectively restricted from modifying their
IP address and other network configuration parameters.
Where is secedit?
It's now gpupdate.
You want to create a new group policy but do not wish to inherit. Make sure you
check Block inheritance among the options when creating the policy.
What's the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native NTFS
provides extensive permission control on both remote and local files.
I have a file to which the user has access, but he has no folder permission to read
it. Can he access it?
It is possible for a user to navigate to a file for which he does not have folder
permission. This involves simply knowing the path of the file object. Even if the
user can't drill down the file/folder tree using My Computer, he can still gain
access to the file using the Universal Naming Convention (UNC). The best way to
start would be to type the full path of the file into the Run... window.
What's the difference between standalone and fault-tolerant DFS (Distributed File
System) installations?
The standalone server stores the Dfs directory tree structure or topology locally.
Thus, if a shared folder is inaccessible or if the Dfs root server is down, users
are left with no link to the shared resources. A fault-tolerant root node stores
the Dfs topology in the Active Directory, which is replicated to other domain
controllers. Thus, redundant root nodes may include multiple connections to the
same data residing in different shared folders.
We're using the DFS fault-tolerant installation, but cannot access it from a Win98
box. Use the UNC path, not the client; only 2000 and 2003 clients can access Server
2003 fault-tolerant shares.
I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you
can't. Install a standalone one.
How does Windows 2003 Server try to prevent a man-in-the-middle attack on an
encrypted line?
A time stamp is attached to the initial client request, encrypted with the shared
key.
What third-party certificate exchange protocols are used by Windows 2003 Server?
Windows Server 2003 uses the industry standard PKCS-10 certificate request and
PKCS-7 certificate response to exchange CA certificates with third-party
certificate authorities.
If hashing is a one-way function and Windows Server uses hashing for storing
passwords, how is it possible to attack the password lists, specifically the ones
using NTLMv1?
A cracker would launch a dictionary attack by hashing every imaginable term used
as a password and then comparing the hashes.
What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.
How many passwords by default are remembered when you check "Enforce Password
History Remembered"?
The user's last 6 passwords.
Active Directory Domains and Trusts Manager, Active Directory Sites and Services
Manager, Active Directory Users and Group Manager, Active Directory Replication
(optional, available from the Resource Kit), Active Directory Schema Manager
(optional, available from adminpak)
What types of classes exist in Windows Server 2003 Active Directory? Structural
class. The structural class is important to the system administrator in that it is
the only type from which new Active Directory objects are created. Structural
classes are developed from either the modification of an existing structural type
or the use of one or more abstract classes.
The presentation layer establishes the data format prior to passing it along to the
network application's interface. TCP/IP networks perform this task at the
application layer.
Does Windows Server 2003 support IPv6?
Yes, run ipv6.exe from the command line to disable it.
It is the point of contact for all incoming HTTP requests. It listens for requests
and queues them until they are all processed, no more queues are available, or the
Web server is shut down.
Where's the ASP cache located on IIS 6.0? On disk, as opposed to memory, as it used
to be in IIS 5.
What is socket pooling? Non-blocking socket usage, introduced in IIS 6.0. More than
one application can use a given socket.
Which characters should be enclosed in quotes when searching the index? &, @, $, #,
^, ( ), and .
How would you search for C++? Just enter C++, since + is not a special character
(and neither is C).
What about Barnes&Noble? Should be searched for as Barnes'&'Noble.
Are the searches case-sensitive? No.
What's the order of precedence of Boolean operators in Microsoft Windows 2003
Server Indexing Service? NOT, AND, NEAR, OR.
Describe the lease process of the DHCP server. The DHCP server leases IP addresses
to clients as follows:
DORA
D (Discover): the DHCP client sends a broadcast packet to locate a DHCP server; this
packet contains the client's source MAC address.
O (Offer): once the packet is received by the DHCP server, the server replies with a
packet containing its source IP and source MAC.
R (Request): the client now contacts the DHCP server directly and requests the IP
address.
A (Acknowledge): the DHCP server sends an ACK packet that contains the IP address.
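The DORA exchange described above as an added PowerShell example (not code from the original page): it constructs the four messages and decodes the fields that tell the steps apart, which the prose does not show. The layout follows RFC 2131 (fixed header, option 53 message type, option 54 server identifier); the addresses and MAC are made up and nothing is sent on the wire.

```powershell
# Added example, not from the original page: constructed DHCP messages for the
# four DORA steps and a minimal decoder for the fields that tell them apart
# (RFC 2131 header, option 53 message type, option 54 server identifier).
# Addresses and MAC are made up; nothing is sent on the wire.

function New-DhcpMessage {
    param([byte]$Op, [byte]$MsgType, [byte[]]$ClientMac,
          [string]$YourIp = '0.0.0.0', [string]$ServerId = '')
    $b = New-Object byte[] 240                          # 236-byte fixed header + 4-byte cookie
    $b[0] = $Op; $b[1] = 1; $b[2] = 6                   # op (1=BOOTREQUEST, 2=BOOTREPLY), htype Ethernet, hlen 6
    [Array]::Copy([System.Net.IPAddress]::Parse($YourIp).GetAddressBytes(), 0, $b, 16, 4)  # yiaddr
    [Array]::Copy($ClientMac, 0, $b, 28, 6)                                                 # chaddr
    [Array]::Copy([byte[]](0x63, 0x82, 0x53, 0x63), 0, $b, 236, 4)                          # magic cookie
    $opts = New-Object 'System.Collections.Generic.List[byte]'
    $opts.AddRange([byte[]](53, 1, $MsgType))           # option 53: DHCP Message Type
    if ($ServerId) {
        $opts.AddRange([byte[]](54, 4))                 # option 54: Server Identifier
        $opts.AddRange([System.Net.IPAddress]::Parse($ServerId).GetAddressBytes())
    }
    $opts.Add(255)                                      # End option
    return [byte[]]($b + $opts.ToArray())
}

function Read-DhcpMessage {
    param([byte[]]$Bytes)
    $names = @{ 1 = 'DISCOVER'; 2 = 'OFFER'; 3 = 'REQUEST'; 5 = 'ACK' }
    $dir  = if ($Bytes[0] -eq 1) { 'client -> server' } else { 'server -> client' }
    $mac  = ($Bytes[28..33] | ForEach-Object { $_.ToString('x2') }) -join ':'
    $yip  = $Bytes[16..19] -join '.'
    $type = 'UNKNOWN'; $sid = ''
    $i = 240                                            # first option after the cookie
    while ($i -lt $Bytes.Length -and $Bytes[$i] -ne 255) {
        if ($Bytes[$i] -eq 0) { $i++; continue }        # pad option carries no length byte
        $code = $Bytes[$i]; $len = [int]$Bytes[$i + 1]
        $val  = $Bytes[($i + 2)..($i + 1 + $len)]
        switch ($code) {
            53 { $type = $names[[int]$val[0]] }
            54 { $sid  = $val -join '.' }
        }
        $i += 2 + $len
    }
    [pscustomobject]@{ Type = $type; Direction = $dir; ClientMac = $mac; YourIp = $yip; ServerId = $sid }
}

$mac = [byte[]](0x00, 0x11, 0x22, 0x33, 0x44, 0x55)   # constructed client MAC
$exchange = @(
    (New-DhcpMessage -Op 1 -MsgType 1 -ClientMac $mac),                                            # D: client has no IP yet
    (New-DhcpMessage -Op 2 -MsgType 2 -ClientMac $mac -YourIp '192.168.1.50' -ServerId '192.168.1.1'),  # O
    (New-DhcpMessage -Op 1 -MsgType 3 -ClientMac $mac -ServerId '192.168.1.1'),                   # R: client names the server it accepts
    (New-DhcpMessage -Op 2 -MsgType 5 -ClientMac $mac -YourIp '192.168.1.50' -ServerId '192.168.1.1')   # A
)
$exchange | ForEach-Object { Read-DhcpMessage $_ } | Format-Table -AutoSize
```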
If you uninstall Windows Server 2003, which operating systems can you revert to?
Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to
Windows Server 2003.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain
Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster
peer-to-peer read and write relationship that hosts copies of the Active Directory.
How long does it take for security changes to be replicated among the domain
controllers?
Security-related modifications are replicated within a site immediately. These
changes include account and individual user lockout policies, changes to password
policies, changes to computer account passwords, and modifications to the Local
Security Authority (LSA).
If I delete a user and then create a new account with the same username and
password, would the SID and permissions stay the same?
No. If you delete a user account and attempt to recreate it with the same user name
and password, the SID will be different.
What do you do with secure sign-ons in an organization with many roaming users?
Credential Management feature of Windows Server 2003 provides a consistent single
sign-on experience for users. This can be useful for roaming users who move between
computer systems. The Credential Management feature provides a secure store of user
credentials that includes passwords and X.509 certificates.
Anything special you should do when adding a user that has a Mac?
"Save password as encrypted clear text" must be selected on User Properties Account
Tab Options, since the Macs only store their passwords that way.
Where are the documents and settings for the roaming profile stored?
All the documents and environmental settings for the roaming user are stored
locally on the system, and, when the user logs off, all changes to the locally
stored profile are copied to the shared server folder. Therefore, the first time a
roaming user logs on to a new system the logon process may take some time,
depending on how large his profile folder is.
Where are the settings for all the users stored on a given machine?
\Documents and Settings\All Users
What languages can you use for log-on scripts?
JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)
What are the differences between a site-to-site VPN and a VPN client connecting to
a VPN server? What protocols are used for these?
EXPERT RESPONSE
Site-to-site VPNs connect entire networks to each other -- for example, connecting
a branch office network to a company headquarters network. In a site-to-site VPN,
hosts do not have VPN client software; they send and receive normal TCP/IP traffic
through a VPN gateway. The VPN gateway is responsible for encapsulating and
encrypting outbound traffic, sending it through a VPN tunnel over the Internet, to
a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips
the headers, decrypts the content, and relays the packet towards the target host
inside its private network.
Remote access VPNs connect individual hosts to private networks -- for example,
travelers and teleworkers who need to access their company's network securely over
the Internet. In a remote access VPN, every host must have VPN client software
(more on this in a minute). Whenever the host tries to send any traffic, the VPN
client software encapsulates and encrypts that traffic before sending it over the
Internet to the VPN gateway at the edge of the target network. Upon receipt, that
VPN gateway behaves as described above for site-to-site VPNs. If the target host
inside the private network returns a response, the VPN gateway performs the reverse
process to send an encrypted response back to the VPN client over the Internet.
The most common secure tunneling protocol used in site-to-site VPNs is the IPsec
Encapsulating Security Payload (ESP), an extension to the standard IP protocol used
by the Internet and most corporate networks today. Most routers and firewalls now
support IPsec and so can be used as a VPN gateway for the private network behind
them. Another site-to-site VPN protocol is Multi-Protocol Label Switching (MPLS),
although MPLS does not provide encryption.
Remote access VPN protocols are more varied. The Point to Point Tunneling Protocol
(PPTP) has been included in every Windows operating system since Windows 95. The
Layer 2 Tunneling Protocol (L2TP) over IPsec is present in Windows 2000 and XP and
is more secure than PPTP. Many VPN gateways use IPsec alone (without L2TP) to
deliver remote access VPN services. All of these approaches require VPN client
software on every host, and a VPN gateway that supports the same protocol and
options/extensions for remote access.
Over the past few years, many vendors have released secure remote access products
that use SSL and ordinary web browsers as an alternative to IPsec/L2TP/PPTP VPNs.
These "SSL VPNs" are often referred to as "clientless," but it is more accurate to
say that they use web browsers as VPN clients, usually in combination with
dynamically-downloaded software (Java applet, ActiveX control, or temporary Win32
program that is removed when the session ends). Also, unlike PPTP, L2TP, and IPsec
VPNs, which connect remote hosts to an entire private network, SSL VPNs tend to
connect users to specific applications protected by the SSL VPN gateway.
To learn more about VPN protocols and topologies, watch the New directions in VPN
searchSecurity webcast, or read this InfoSec Magazine article on SSL VPNs.
http://www.petri.co.il/mcse_system_administrator_active_directory_interview_questions.htm