VMware and Windows Interview Questions: Part 1

1. Windows 2003 vs Windows 2008

o RODC (Read-Only Domain Controller)
o WDS (Windows Deployment Services) instead of RIS
o Services are now configured as roles through Server Manager
o Introduction of Hyper-V (only on 64-bit versions)
o Enhanced Event Viewer
o BitLocker feature
o Server Core installation without GUI
o MMC 3.0, with three-pane view
o Key Management Service (KMS) to activate the Windows OS without connecting to the Microsoft site
o Performance enhancement using technologies like Windows SuperFetch, ReadyBoost and ReadyDrive
o Windows Aero user interface
o Instant search
o Support for IPv6 in DNS

2. ESX vs ESXi

o ESXi has no service console (the ESX service console is a modified version of RHEL)
o ESXi is extremely thin, which results in fast installation and fast boot
o ESXi can be purchased as an embedded hypervisor on hardware
o ESXi has a built-in server health status check

3. ESXi 4.1 vs ESXi 5.0 - Migration

o Local upgrade from CD
o VMware Update Manager (only supports upgrade of ESX/ESXi 4.x to ESXi 5.0)

4. ESXi 4.1 vs ESXi 5.0 - Features

o vSphere Auto Deploy
o Storage DRS
o HA - primary/secondary concept changed to master/slave
o Profile-driven storage
o VMFS version - 3 → 5
o ESXi firewall
o VMware hardware version - 7 → 8
o VMware Tools version - 4.1 → 5
o vCPU per VM - 8 → 32
o vRAM per VM - 256 GB → 1 TB
o VMs per host - 320 → 512
o RAM per host - 1 TB → 2 TB
o USB 3.0 support
o vApp

5. FSMO roles

o Schema Master
o Domain naming master
o Infrastructure master
o PDC Emulator
o RID master

6. GPO
o GPO
o Templates (ADMX)
o Block inheritance
o Enforced
o Loopback policy

7. Forest and Domain concepts

8. OSI layer

o Application Layer
o Presentation Layer
o Session Layer
o Transport Layer
o Network Layer
o Data Link Layer
o Physical Layer

9. ASA - site to site VPN

10. HA 5.0

o Uses an agent called FDM - Fault Domain Manager
o HA now talks directly to hostd instead of using the vCenter agent vpxa
o Master/slave concept
o Master
 monitors availability of hosts/VMs
 manages VM restarts after host failure
 maintains a list of all VMs on each host
 restarts failed VMs
 exchanges state with vCenter
 monitors the state of slaves
o Slave
 monitors running VMs, sends status to the master and performs restarts on request from the master
 monitors master node health
 if the master fails, participates in the election of a new master
o Two different heartbeat mechanisms - network heartbeat and datastore heartbeat
o Network heartbeat
 sent between slave and master every second
 when a slave stops receiving heartbeats from the master, it checks whether it is isolated itself, or whether the master is isolated or has failed
o Datastore heartbeat
 used to distinguish between isolation and failure
 uses the ‘Power On’ file in the datastore to determine isolation
 this mechanism is used only when the master loses network connectivity with hosts
 2 datastores are chosen for this purpose
o Isolation response
 Power Off
 Leave Powered On
 Shutdown

11. vMotion
o vMotion enables live migration of running virtual machines from one host to another with zero downtime
o Prerequisites
i. Host must be licensed for vMotion
ii. Configure the host with at least one vMotion network interface (VMkernel port group)
iii. Shared storage (this requirement was relaxed in vSphere 5.1)
iv. Same VLAN and VLAN label
v. Gigabit Ethernet network required between hosts
vi. Processor compatibility between hosts
vii. vMotion does not support migration of applications clustered using Microsoft Cluster Service
viii. No CD-ROM attached
ix. No affinity enabled
x. VMware Tools should be installed
12. RAID
o Redundant Array of Independent Disks
o A category of disk storage that combines 2 or more drives for redundancy and performance
o Most common RAID levels: RAID 0 (striping), RAID 1 (mirroring), RAID 5 (striping with parity)

13. Backup types

o Backup types
i. Full backup - takes a backup of all selected files and resets the archive bit
ii. Copy backup - takes a backup of all selected files but does not reset the archive bit
iii. Incremental backup - takes a backup of files whose archive bit is set and resets it after backup
iv. Differential backup - takes a backup of files whose archive bit is set but does not reset it after backup

14. 2003 → 2008 migration

o Can be done only by logging in to the Windows 2003 server (in-place upgrade)
o Windows 2003 SP1 is the minimum required
o Can be migrated only to the same edition, except for Windows Server 2003 Standard, which can be migrated to either Standard or Enterprise
o 30 GB of extra space is required prior to migration
o Cannot upgrade to Server Core
o Run forestprep and domainprep with the 2008 adprep tool before migrating (copy the sources\adprep folder from the 2008 CD for this)

15. ESXi update manager

16. Global Catalog

o Global catalog (GC) is a role handled by domain controllers in an Active Directory model.
o The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.
o ‘Partial copy’ refers to the set of attributes most commonly used for searching every object in every domain.
o Any domain controller can be promoted to a GC.
o GC enables faster search of AD objects.
o The replicas that are replicated to the global catalog also include the access permissions for each object and attribute.
o If you search for an object that you do not have permission to access, you do not see the object in the list of search results. Users can find only objects to which they are allowed access.
o Global catalog server clients depend on DNS to provide the IP address of global catalog servers. DNS is required to advertise global catalog servers for domain controller location.
o By default, the first DC in a forest is a global catalog server.

17. Basic networking concepts

18. RODC
o New feature in Windows 2008
o Holds only a read-only copy of the directory database
o RODC has all the objects of a normal DC in read-only mode, but this doesn’t include passwords: an RODC does not store account passwords by default
o Updates are replicated to the RODC from a writable DC
o Password caching: a feature which enables the RODC to cache the passwords of users who log in through it
o Password Replication Policy: determines whether a password can be cached or not
o DNS can be integrated with an RODC, but it will not directly register client updates. For any DNS change, the RODC refers the client to a DNS server that hosts a primary or AD-integrated zone

19. NAS vs SAN

o Both are used as storage solutions
o NAS can be used by any device connected over the LAN, whereas SAN is used only by server-class devices with SCSI
o NAS is file-based whereas SAN is block-based storage
o NAS is cheap while SAN is expensive
o SAN is comparatively faster than NAS

20. What is DRS? Types of DRS
o Distributed Resource Scheduler
o It is a feature of a cluster
o DRS continuously monitors utilization across the hosts and moves virtual machines to balance the computing capacity
o DRS uses vMotion for its functioning
o Types of DRS (automation levels)
i. Fully automated - VMs are moved across the hosts automatically; no admin intervention required
ii. Partially automated - VMs are placed on hosts automatically at VM power-on, but once up, vCenter only provides DRS recommendations, which the admin has to apply manually
iii. Manual - the admin has to act on the DRS recommendations

21. DRS prerequisites

o Shared storage
o Processor compatibility of hosts in the DRS cluster
o vMotion prerequisites

22. vMotion is not working. What are the possible reasons?

o Ensure vMotion is enabled on all ESX/ESXi hosts
o Ensure that all VMware prerequisites for vMotion are met
o Verify whether the ESXi/ESX host can be reconnected, or whether reconnecting the ESX/ESXi host resolves the issue
o Verify that time is synchronized across the environment
o Verify that the required disk space is available

23. What happens if a host is taken to maintenance mode

o Hosts are put into maintenance mode during the course of maintenance
o On a single ESX/ESXi host, all the VMs need to be shut down before it can enter maintenance mode
o In a vCenter setup with DRS enabled, the VMs are migrated to other hosts automatically.

24. How will you clone a VM in an ESXi without vCenter
o Using vmkfstools
o Copy the vmdk file and attach it to a new VM
o Using VMware Converter

25. Explain traverse folder

o Allows or denies moving through a restricted folder to reach files and folders beneath the restricted folder in the folder hierarchy.
o Traverse folder takes effect only when the group or user is not granted the "Bypass traverse checking" user right in the Group Policy snap-in. This permission does not automatically allow running program files.

1. Maximum number of LUNs that can be attached to a host (ESXi 5.0)

o 256

2. Maximum number of vCPUs that can be assigned to a VM (ESXi 5.0)

o 32

3. What are the uses of the ntdsutil tool?

o Some of the main uses of the ntdsutil tool
i. authoritative restore - authoritatively restores the Active Directory database or an AD LDS instance
ii. ifm - creates installation media for writable DC and RODC setups (offline DC provisioning)
iii. metadata cleanup - cleans up objects of decommissioned servers
iv. roles - transfers and seizes operations master roles
v. set DSRM password - resets the DSRM administrator password
vi. snapshot - manages snapshots of the volumes that contain the Active Directory database and log files

4. FSMO roles and their failure scenarios

o http://www.systemadminguide.in/2013/07/fsmo-roles-in-nutshell.html

5. IPv6 addresses and their DNS record

o 128-bit address
o Represented as 8 groups of 4 hexadecimal digits separated by colons
o Represented by an ‘AAAA’ record in DNS
o Uses DHCPv6 for addressing

6. Loadbalancer vs Clustering
o Clustering
i. A cluster is a group of resources that are trying to achieve a common objective and are aware of one another.
ii. Clustering usually involves setting up the resources (usually servers) to exchange details on a particular channel (port) and keep exchanging their states, so a resource’s state is replicated at other places as well.
iii. It usually also includes load balancing, wherein a request is routed to one of the resources in the cluster as per the load balancing policy.
o Load Balancing
i. Used to forward requests to one server or another, but one server does not use the other server’s resources. Also, one resource does not share its state with other resources.

7. Software installation using group policy

o This can be done using 2 methods
i. Assigning
ii. Publishing
o Assign:
i. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is completed.
ii. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is completed.
o Publish:
i. You can publish a program distribution to users.
ii. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.
o MSI packages are used for installation. A normal exe would not work.
o Windows cannot install the software while the user is already logged on. The user needs to log off and log in again.

8. Group policy security filtering for users. Which users are in there by default? Members of the Authenticated Users group
o Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy Object (GPO)
o In order for the GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy (AGP) permissions on the GPO, either explicitly or effectively through group membership
o By default, all GPOs have both Read and AGP allowed for the Authenticated Users group.
o The Authenticated Users group includes both users and computers. This is how all authenticated users receive the settings of a new GPO when it is applied to an organizational unit, domain or site

9. Relevance of the hosts file and its location

o Came before the concept of DNS
o An FQDN is first checked in the hosts file before DNS is queried
o Location: C:\Windows\System32\Drivers\etc

10. L3 switches vs routers

o L3 switches have only Ethernet ports, whereas routers have WAN interfaces
o QoS is not available on L3 switches, whereas on routers it can be enabled
o Routers have expansion slots and cards that allow them to use different media types, like serial connections for T1 and T3 circuits
o Routers are more intelligent in handling packets
o L3 switches do not support NAT

11. VLAN vs subnet

o A VLAN works at layer 2 while a subnet is at layer 3
o Subnets are concerned with IP addresses
o VLANs bring more network efficiency
o Subnets have weaker security than VLANs, as all the subnets use the same physical network

12. Contents of System state backup

o Registry
o COM+ Class Registration database
o Boot files, including the system files
o System files that are under Windows File Protection
o Active Directory directory service (If it is domain controller)
o SYSVOL directory (If it is domain controller)
o Cluster service information (If it is a part of a cluster)
o IIS Metadirectory (If it is an IIS server)
o Certificate Services database (If it is a certificate server)

13. Incremental vs differential backups

o Incremental backup - takes a backup of files whose archive bit is set and resets it after backup
o Differential backup - takes a backup of files whose archive bit is set but does not reset it after backup

14. Robocopy
o Microsoft tool used for copying files effectively
o It has plenty of options to manage the copy process

15. How do you patch Microsoft applications? Frequency of patches released by Microsoft
o Microsoft applications can be patched using WSUS
o In WSUS, we can create several computer groups to manage the patch process.
o MS patches are released once a month

16. Explain GPO, GPC & GPT

o GPO - Group Policy Object: refers to the policy that is configured at the Active Directory level and is inherited by the domain member computers. You can configure a GPO at the site level, domain level or OU level. A GPO stores policy settings in two locations, the GPC and the GPT
o GPO processing order: Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
o GPC - Group Policy Container: this is the AD portion of the group policy. It can be viewed using ADSI Edit. It stores version information, status information, and other policy information. When you create a new GPO, an AD object of class groupPolicyContainer gets created under the System\Policies container within your AD domain
o GPT - Group Policy Template: the GPT is where the GPO stores the actual settings. It stores software policy, script, and deployment information.
o The GPT is stored in the SYSVOL share (\\DomainNameHere\SYSVOL\Policies) whereas the GPC is stored in AD

17. What is CPU affinity in VMware? Its impact on DRS?

o CPU refers to a logical processor on a hyperthreaded system and to a core on a non-hyperthreaded system
o By setting CPU affinity for each VM, you can restrict the assignment of VMs to a subset of the available processors
o The main use of setting CPU affinity is for display-intensive workloads which require additional threads alongside the vCPUs
o DRS will not work with CPU affinity
o http://frankdenneman.nl/2011/01/11/beating-a-dead-horse-using-cpu-affinity/

18. VM version 4 vs VM version 7

o Version 4
i. Runs on ESX 3.x
ii. Max supported RAM 64 GB
iii. Max vCPUs 4
iv. MS cluster is not supported
v. 4 NICs/VM
vi. No USB support
o Version 7
i. Runs on vSphere 4.x
ii. Max supported RAM 256 GB
iii. Max vCPUs 8
iv. MS cluster is supported
v. 10 NICs/VM
vi. USB support

19. What happens to the VMs if a standalone host is taken to maintenance mode?
o In the case of standalone servers, VMware recommends that VMs be powered off before putting the server in maintenance mode
o If we put a standalone host in maintenance mode without powering off the VMs, it remains in the ‘entering maintenance mode’ state until all the VMs are shut down
o When all the VMs are powered down, the host status changes to ‘under maintenance’
o http://pubs.vmware.com/vsphere-4-esx-vcenter/index.jsp#using_drs_clusters_to_manage_resources/c_using_maintenance_mode.html

20. What is new in Windows server 2012
o Server Core improvements: no fresh installation needed; you can add/remove the GUI from Server Manager
o Remotely manage servers, add/remove roles etc. using Server Manager; 2008 and 2008 R2 can be managed after installing WMF 3.0, which is installed by default in Server 2012
o Remote Server Administration Tools available for Windows 8 to manage Windows Server 2012 infrastructure
o PowerShell v3
o Hyper-V 3.0
i. supports up to 64 processors and 1 TB RAM per virtual machine
ii. up to 320 logical hardware processors and 4 TB RAM per host
iii. shared-nothing live migration: move VMs around without shared storage
o ReFS (Resilient File System), an upgraded version of NTFS: supports larger file and directory sizes. Removes the 255-character limitation on long file names and paths; the limit on the path/file name size is now 32K characters!
o Improved CHKDSK utility that fixes disk corruptions in the background without disruption

21. How does the backup software recognize that a file has changed since last backup?
o Files use a flag called the archive bit to track whether the file has changed.
o Backup software normally checks the archive bit of the file to determine whether the file has to be backed up or not

22. How can you edit a VM template?

o VM templates cannot be modified as such
o First, the VM template has to be converted to a virtual machine
o After making the necessary changes in the virtual machine, convert the virtual machine back to a template

23. VMware configuration maximums

                      ESXi 5.5    ESXi 5.1    ESXi 5.0    ESXi 4.x
VMs
  vCPU                64          64          32          8
  RAM                 1 TB        1 TB        1 TB        255 GB
  vNIC                10          10          10          10
  VMDK size           62 TB       1 TB        1 TB        2 TB (8 MB block size)
Hosts
  Logical CPUs        320         160         160         160
  Memory              4 TB        2 TB        2 TB        1 TB
  LUNs                256         256         256         256
  LUN size            64 TB       64 TB       64 TB       64 TB
  Virtual Machines    512         512         512         320

24. What is the major difference between Windows Server 2008 and Windows Server 2012 in terms of AD promotion?

In Windows Server 2012, dcpromo has been deprecated. To make a Windows Server 2012 server a domain controller, the AD DS role has to be installed from Server Manager. After installation, run the post-deployment configuration wizard from Server Manager to promote the server to a domain controller.

25. VMware hardware version comparison

VMware and Windows Interview Questions: Part 3

September 12, 2014

1. What is vSAN?
o It is a hypervisor-converged storage solution built by aggregating the local storage
attached to the ESXi hosts managed by a vCenter.
2. Recommended iSCSI configuration?
o A separate vSwitch, and a separate network other than VMtraffic network for iSCSI
traffic. Dedicated physical NICs should be connected to vSwitch configured for iSCSI
traffic.
3. What is iSCSI port binding ?
o Port binding is used in iSCSI when multiple VMkernel ports for iSCSI reside in the
same broadcast domain and IP subnet, to allow multiple paths to an iSCSI array that
broadcasts a single IP address.
4. iSCSI port binding considerations ?
o Array Target iSCSI ports must reside in the same broadcast domain and IP subnet as
the VMkernel port.
o All VMkernel ports used for iSCSI connectivity must reside in the same broadcast
domain and IP subnet.
o All VMkernel ports used for iSCSI connectivity must reside in the same vSwitch.
o Currently, port binding does not support network routing.
5. Recommended iSCSI configuration of a 6 NIC infrastructure ? (Answer changes as per the
infrastructure requirements)
o 2 NICs for VM traffic
o 2 NICs for iSCSI traffic
o 1 NIC for vMotion
o 1 NIC for management network
6. Post conversion steps in P2V
o Adjust the virtual hardware settings as required
o Remove non present device drivers
o Remove all unnecessary devices such as serial ports, USB controllers, floppy drives etc.
o Install VMware tools
7. Which esxtop metric will you use to confirm latency issue of storage ?
o esxtop --> d --> DAVG
8. What are standby NICs
o These adapters will only become Active if the defined Active adapters have failed.
9. Path selection policies in ESXi
1. Most Recently Used (MRU)
2. Fixed
3. Round Robin
10. Which networking features are recommended while using iSCSI traffic
o iSCSI port binding
o Jumbo Frames
11. Can I deploy non-MSI software with GPO?
o Yes, you can. Apart from MSI packages, GPO also supports deployment of ZAP files
12. How frequently is the client policy refreshed?
o By default, Group Policy is updated in the background every 90 minutes. You can specify an update rate from 0 to 44,640 minutes (31 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.
o The refresh interval can be configured manually using Group Policy - GPO --> Computer Configuration --> Administrative Templates --> System --> Group Policy --> Set Group Policy refresh interval for computers
13. How does the Group Policy ‘No Override’ and ‘Block Inheritance’ work ?
o No Override - This prevents child containers from overriding policies set at higher
levels
o Block Inheritance - Stops containers inheriting policies from parent containers
14. Why can’t you restore a DC that was backed up 4 months ago?
o The reason is ‘tombstoning’. If a domain controller were restored from a backup older than the tombstone lifetime, the domain controller might contain deleted objects, and because the tombstones have already been deleted from the replicas, the deletion event does not replicate to the restored domain controller. This is why Backup does not allow you to restore data from a backup that is older than the tombstone lifetime.
o More details about tombstoning: http://www.systemadminguide.in/2013/11/active-directory-tombstone.html
15. I want to look at the RID allocation table for a DC. What do I do?
o Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"
16. Can you connect Active Directory to other 3rd-party Directory Services? Name a few
options.
o Microsoft Identity Integration Server (MIIS)
o Forefront Identity Manager (FIM)
17. Can you explain the Netlogon service?
o The Netlogon service helps client computers and servers connect to the domain
18. What is urgent replication in AD?
o Normally, a change on a DC (say DC1) is notified to its replication partner (say DC2) after 15 seconds. Once the change is notified, DC2 makes the change in its database. DC2 then notifies its own replication partner after another 15 seconds. In a multi-site setup, these 15-second delays add up to a big delay for the final recipient DC. If the change was an account lockout, this big delay would be a pain. This is where urgent replication comes in: urgent replication bypasses the change notification delay and processes the change immediately across all DCs.
19. How to migrate the AD database location to another drive? (from C:\AD to D:\AD)
o First, stop the Active Directory Domain Services service
o Open a Command Prompt with admin privileges
o Run the ntdsutil tool
o At the ntdsutil prompt, type activate instance ntds
o Then type files
o At the next prompt (file maintenance), type move db to D:\AD
o Once the database is moved, move the logs using the command move logs to D:\AD
o Once completed, start the Active Directory Domain Services service
20. What is the schema version of Windows 2008 R2 ?
o Windows 2003 R2 - 31
o Windows 2008 - 44
o Windows 2008 R2 - 47
o Windows 2012 - 56
o Windows 2012 R2 - 69

1. What is the number of permitted unsuccessful logons for the Administrator account?
a. Unlimited - only for Administrator, not for others in the Administrators group
2. Difference between Everyone and Authenticated Users?
a. Authenticated Users - includes all users and computers whose identities have been authenticated.
b. Everyone - for Windows 2003 and above, 'Everyone' includes all Authenticated Users including Guest accounts. Before Windows 2003, 'Everyone' includes all Authenticated Users, Guest accounts and the Anonymous account.
3. How many passwords by default are remembered when you check “Enforce Password History Remembered”?
a. 24
4. What is the IP Helper address feature and why is it required in a DHCP environment?
a. IP helper-address helps to implement a DHCP relay agent in Cisco routers
b. This is configured on the network interface of the router facing the DHCP client
c. The IP helper-address intercepts the DHCP discover message from the client and unicasts it to the DHCP server after adding 'Option 82'.
d. With the help of Option 82, the DHCP server identifies the client network and assigns an IP from that network.
5. What is FRS and DFS-R?
a. File Replication Service (FRS), introduced in Windows 2000 Server to replicate DFS and the Sysvol folder on DCs. FRS is no longer used in new versions.
b. Distributed File System Replication (DFS-R), introduced in Windows 2008 R2, came out as a replacement for FRS for replicating DFS and Sysvol.
6. What is Group Policy Preference?
a. Group Policy Preferences is a set of new settings that were released with Windows 2008, that allows IT administrators to configure anything they want in a corporate environment.
7. What is the use of LDP.exe?
a. It is part of the Windows Support Tools and helps us make LDAP searches against Active Directory
8. How to replace a failed RAID controller?
a. This depends on the type of controller used. If you are using modern RAID controllers and are replacing with the same model, then the RAID should work without any issues, as the RAID configuration or metadata is stored in the disk array. But you should ensure that you are using the same model from the vendor or a model which is compatible with the failed controller.
9. What is the difference between RAID 1 and RAID 5?
a. RAID 1 - Mirroring - this RAID configuration gives you maximum redundancy, as the same data is written to two disks at a time. But this solution is costly, as you always need to have double the disks of what you actually require. Minimum 2 disks required.
b. RAID 5 - this is the most popular RAID configuration. It works on the parity principle. Minimum 3 disks required. Even if one disk fails, the data of the failed disk can be calculated from the parity stored in the other 2 disks.
10. In RAID 5, which activity is faster - read or write?
a. Good read performance but slower write operations due to parity calculation.
b. RAID 0 and RAID 1 have excellent read and write performance

VMware and Windows Interview Questions: Part 6

April 04, 2017

1. Can we set up an AD site without a DC?
a. Yes.
2. What is DAS? How is it connected to the server?
a. DAS is Direct Attached Storage. DAS is available from many vendors. When a server has exhausted all its storage resources, we can connect a DAS solution to it. DAS can be connected to a server using a SAS cable.
3. How is an iSCSI device connected to a server?
a. An iSCSI device can be connected using its IQN (iSCSI Qualified Name).
4. How can I add new HDD space to an existing drive?
a. Convert the drive from Basic to Dynamic
5. What happens when a standalone host is taken into maintenance mode?
a. The activity will wait until all VMs are shut down.
6. What if all GCs in the environment are down?
a. GC is required for multi-domain forests - in a single-domain infrastructure, the DCs will not contact the GC for authentication. But in a multi-domain infrastructure, the GC is required for authentication.
b. Universal group membership evaluation - universal group membership, which exists in multi-domain forests, works only with a GC.
c. UPN resolution - users cannot log in to the domain using a username in the form abc@example.com
7. How to update Dell server BIOS?
a. Dell provides the update in different file formats: one for Windows, one for Linux, etc. If it is a VMware server, then download the non-packaged exe format from the Dell website and copy it to a DOS-bootable USB drive. Shut down the server, boot from the USB drive and execute the file.
8. DSET
a. Dell Server E-Support Tool (DSET) provides the ability to collect hardware, storage and operating system information from Dell PowerEdge servers.
9. How to upgrade ESXi 5.1 to ESXi 5.5?
a. Using vSphere Update Manager
b. Upgrade interactively using the ESXi installer ISO image on CD/DVD or a flash drive
c. Using vSphere Auto Deploy
d. Using the esxcli command-line interface
10. What is the default time after which the DHCP client assigns itself an APIPA address?
a. The client waits for 60 seconds before it assigns itself an automatic private IP address

1. Which networking features are recommended while using iSCSI traffic?
o iSCSI port binding
o Jumbo Frames
2. Ports used by vCenter
o 80,443,902
3. What is 'No Access' role
o Users assigned with the 'No Access' role for an object, cannot view or change the
object in any way
4. When is a swap file created
o When the guest OS is first installed in the VM
5. The Active Directory group whose members are ESXi administrators by default
o ESX Admins
6. Which is the command used in ESXi to manage and retrieve information from virtual machines?
o vmware-cmd
7. Which is the command used in ESXi to view live performance data?
o esxtop
8. Command line tool used in ESXi to manage virtual disk files?
o vmkfstools
9. Port used for vMotion
o 8000
10. Log file location of a VMware host
o /var/log/vmware

1. Can you map a single physical NIC to multiple virtual switches?
o No
2. Can you map a single virtual switch to multiple physical NICs?
o Yes. This method is called NIC teaming.
3. In vSphere 5.5, VMKernel portgroup can be used for:
o vMotion
o Fault Tolerance Logging
o Management traffic
4. Major difference between ESXi 5.1 and ESXi 5.5 (and above) free versions
o Up to the ESXi 5.1 free version, there was a limit of 32 GB on the maximum physical memory. From 5.5 onwards this limit has been lifted.
5. What is IPAM server in Windows server 2012?
o IPAM is IP Address Management server in Windows Server 2012. It enables central
management of both DHCP and DNS servers. It can also be used to discover,
monitor, and audit DHCP and DNS servers.
6. How to promote a server to domain controller in Windows server 2012?
o DCPROMO was the conventional tool used to promote a normal server to DC. This is
now deprecated in Server 2012.
o In Server 2012, you can convert a server into DC using the server manager console.
Under Server Manager, add a new role "Active Directory Domain Services"
7. What is Pluggable Storage Architecture in VMware?
o To manage storage multipathing, ESX/ESXi uses a special VMkernel layer called
Pluggable Storage Architecture (PSA)
o Handles I/O queueing to the logical devices. Handles physical path discovery and
removal
8. Which is the partition type used in VMware ESXi scratch partition?
o VFAT
9. What is NMP and its role in VMware?
o NMP is the Native Multipathing Plugin
o It is the default multipathing plugin in VMware
o Manages physical path claiming and unclaiming
o Registers and de-registers logical devices
o Associates physical paths with logical devices
o Processes I/O requests to logical devices
10. What are the sub-plugins in NMP?
o SATP and PSP are the two sub-plugins of NMP
o SATPs (Storage Array Type Plugins) handle the failover mechanism of a datastore
and keep track of the paths available to a LUN or datastore
o PSPs (Path Selection Plugins) determine which physical path should be used to issue
I/O requests to a storage device
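The PSA/NMP answers above describe which SATP and PSP a device is claimed by; in practice a practitioner wants to see that assignment per device and confirm that a LUN actually has more than one active path, because a single-path datastore goes into APD on the first path failure. The following PowerCLI script is an added example, not code from the page; it assumes an open Connect-VIServer session and uses the `Get-EsxCli -V2` wrapper around `esxcli storage nmp device list` and `esxcli storage core path list`. The property names on the returned objects (Device, StorageArrayType, PathSelectionPolicy, State) mirror the esxcli column names and are assumed here. The host name is a placeholder.

```powershell
# Added example (not from the original page): per-device NMP assignment and path counts on one
# ESXi host. Assumes PowerCLI is loaded and Connect-VIServer has already been run.
param(
    [string]$HostName = 'esxi01.example.internal'   # placeholder host name, replace with yours
)

$vmhost = Get-VMHost -Name $HostName
$esxcli = Get-EsxCli -VMHost $vmhost -V2

# esxcli storage nmp device list: which SATP and PSP the NMP has assigned to each device.
$nmpDevices = $esxcli.storage.nmp.device.list.Invoke()

# esxcli storage core path list: every physical path the PSA discovered, with its state
# (active, standby, dead, off). Property names assumed to follow the esxcli columns.
$paths = $esxcli.storage.core.path.list.Invoke()

$report = foreach ($dev in $nmpDevices) {
    # Skip USB/local boot media; single-path is expected there and would only add noise.
    if ($dev.IsUSB -eq 'true') { continue }

    $devPaths    = @($paths | Where-Object { $_.Device -eq $dev.Device })
    $activePaths = @($devPaths | Where-Object { $_.State -eq 'active' })

    [pscustomobject]@{
        Device      = $dev.Device
        DisplayName = $dev.DeviceDisplayName
        SATP        = $dev.StorageArrayType        # failover behaviour for this array type
        PSP         = $dev.PathSelectionPolicy     # which of the paths receives the I/O
        TotalPaths  = $devPaths.Count
        ActivePaths = $activePaths.Count
        # One active path means the next path failure takes this datastore to APD.
        SinglePath  = ($activePaths.Count -le 1)
    }
}

# Devices with a single active path sort to the top so they are reviewed first.
$report | Sort-Object SinglePath -Descending, Device | Format-Table -AutoSize
```

Run it against each host in a cluster before a storage fabric maintenance window; a device that shows `SinglePath = True` on one host but not on its neighbours usually points at a zoning or cabling difference on that host rather than at the array.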

1. How can I change the EVC mode of an existing cluster?
o You need to shut down all running VMs in that cluster to change the EVC mode
2. What if reconnecting the ESXi host back to an EVC cluster fails?
o Make a note of the VM folders
o Remove the ESXi host from the inventory
o Add the ESXi host directly to the vCenter outside the EVC cluster
o Now move the server to the EVC cluster
o Add the VMs back to the folders
3. What is PSC?
o PSC is the Platform Services Controller
o It extends the SSO model that existed in pre-6.0 versions
o It takes care of authentication, licensing, certificates, etc.
4. What are the two deployment models of PSC?
o Embedded & External
o Embedded if the PSC is installed on the vCenter server itself
o External if the PSC is installed on a separate server outside vCenter
5. How can I check if storage is VAAI capable?
o Check datastore and confirm if it supports Hardware Acceleration
6. What is vmx~?
o In addition to the normal vmx file, from vSphere 6.0 onwards there is an additional
file, vmx~
o Configuration changes are written to vmx~ first and then to the actual vmx file
o This ensures that the actual vmx file does not get corrupted
7. What are the various memory states in ESXi ?
o High
o Clear
o Soft
o Hard
o Low
8. What is VMCP?
o VMCP is VMware Component Protection
o This new feature in 6.0 ensures that VMs are restarted on other hosts during APD (All
Paths Down) or PDL (Permanent Device Loss) situations
9. What is the name of ballooning driver in ESXi?
o vmmemctl
10. What is the scratch partition?
o The scratch partition stores ESXi logs and other diagnostic data, which helps in
troubleshooting

VMware vMotion error at 14%

July 23, 2014


Issue

While performing vMotion, the operation fails at 14% with the error below:

A general system error occurred: Migrtion to host <Destination ESXi IP> failed with erro Connection
closed by remote host, possibly due to timeout (0xbad003f).

Migrate virtual machine:A general system error occurred: Migration to host <Destination ESXi IP>
failed with error Connection closed by remote host, possibly due to timeout (0xbad003f).

vMotion migration [-1062729272:1406020861428172] (19-71629048648008) failed to receive...

Scenarios

Scenario 1: Your management network and vMotion network are in the same subnet using the
same physical NIC.

Consider the case where the management network and vMotion network are in the same subnet
and you have assigned a VLAN ID to the vMotion network: the operation fails at 14%.

My first point would be to avoid using the same IP subnet for both the management and vMotion
networks. If you use the same subnet, all the vMotion traffic will be forwarded to the physical NIC
connected to the management network, because by default all traffic from VMkernel portgroups
in the same subnet is forwarded to the first NIC configured on the ESXi host for that IP subnet.
Obviously this will be the management network.

And if you still stick to the plan of using same subnet, please make sure that you have not assigned
any VLAN id to the vMotion portgroup.

What happens when we assign a VLAN to the vMotion portgroup? The vMotion vmknic tries to
communicate with the default gateway, and since the default gateway is not tagged with the VLAN
ID you chose for vMotion, the operation fails.

Scenario 2: Your management network and vMotion network are in the same subnet using different
physical NICs (maybe using different vSwitches as well).

The comments in the above scenario apply to this scenario as well. It doesn't matter whether you
have created a new vSwitch, a new portgroup or a dedicated physical NIC for the vMotion network:
if your management network is in the same subnet, do not assign a VLAN ID to the portgroup.

Scenario 3: Your management network and vMotion network are in different subnets.

In this case you need to check the physical switch configuration.
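Scenarios 1 and 2 above boil down to one checkable condition per host: the management and vMotion VMkernel interfaces sit in the same IP subnet and the vMotion portgroup carries a VLAN ID. The PowerCLI script below is an added example, not part of the original post, that walks every host in inventory and reports that combination so it can be caught before a migration fails at 14%. It assumes an open Connect-VIServer session and standard vSwitch portgroups (`Get-VirtualPortGroup -VMHost`); the subnet comparison is done on the vmknic's own IP and mask, and the `Get-NetworkId` helper is mine.

```powershell
# Added example (not from the original post): find hosts where the vMotion vmknic shares a
# subnet with the management vmknic and the vMotion portgroup is VLAN-tagged.
# Assumes a connected PowerCLI session and standard vSwitch portgroups.

function Get-NetworkId {
    # Helper (assumed, not PowerCLI): AND the IPv4 address with its mask to get the network id.
    param([string]$Ip, [string]$Mask)
    $ipBytes   = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    $maskBytes = ([System.Net.IPAddress]::Parse($Mask)).GetAddressBytes()
    $net = for ($i = 0; $i -lt 4; $i++) { $ipBytes[$i] -band $maskBytes[$i] }
    return ($net -join '.')
}

$findings = foreach ($vmhost in Get-VMHost) {
    $vmks    = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel
    $mgmt    = $vmks | Where-Object { $_.ManagementTrafficEnabled }
    $vmotion = $vmks | Where-Object { $_.VMotionEnabled }

    foreach ($m in $mgmt) {
        foreach ($v in $vmotion) {
            # Same vmknic carrying both services: nothing to compare.
            if ($m.Name -eq $v.Name) { continue }

            $sameSubnet = (Get-NetworkId $m.IP $m.SubnetMask) -eq (Get-NetworkId $v.IP $v.SubnetMask)

            # VLAN ID of the portgroup backing the vMotion vmknic (standard vSwitch).
            $pg   = Get-VirtualPortGroup -VMHost $vmhost -Name $v.PortGroupName -ErrorAction SilentlyContinue |
                    Select-Object -First 1
            $vlan = if ($pg) { $pg.VLanId } else { $null }

            [pscustomobject]@{
                Host          = $vmhost.Name
                ManagementVmk = $m.Name
                ManagementIP  = $m.IP
                VMotionVmk    = $v.Name
                VMotionIP     = $v.IP
                SameSubnet    = $sameSubnet
                VMotionVlan   = $vlan
                # Scenario 1/2 condition from the post: same subnet plus a tagged vMotion portgroup.
                Risk          = ($sameSubnet -and ($vlan -gt 0))
            }
        }
    }
}

$findings | Sort-Object Risk -Descending | Format-Table -AutoSize
```

Hosts that report `Risk = True` match the failing configuration described in the post; hosts with `SameSubnet = False` fall under Scenario 3, where the physical switch configuration is the next thing to check.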


Active Directory Interview Questions


In Active Directory Interview questions / By Awesome Dev / 29 March 2016
Frequently asked interview questions on Active Directory.

This is a compilation of questions and answers on Active Directory from various sources listed
below. It provides a starting point in preparation for a Windows Administration interview.

1. Define Active Directory

Active Directory is a database that stores data pertaining to the users and objects within the
network. Active Directory allows the networks that connect with AD to be brought together, as
well as managed and administered.

2. What is a domain within Active Directory?

A domain represents a group of network resources that includes computers, printers,
applications and other resources. Domains share a directory database. The domain is
represented by the addresses of the resources within the database. A user can log into a domain
to gain access to the resources that are listed as part of that domain.

3. What is the domain controller?

The server that responds to user requests for access to the domain is called the Domain
Controller or DC. The Domain Controller allows a user to gain access to the resources within
the domain through the use of a single username and password.

4. Explain what domain trees and forests are

Domains that share common schemas and configurations can be linked to form a contiguous
namespace. Domains within the trees are linked together by creating special relationships
between the domains based on trust. Forests consist of a number of domain trees that are
linked together within AD, based on various implicit trust relationships. Forests are generally
created where a server setup includes a number of root DNS addresses. Trees within the
forest do not share a contiguous namespace.

5. What is LDAP?

LDAP is an acronym for Lightweight Directory Access Protocol and it refers to the protocol
used to access, query and modify the data stored within the AD directories. LDAP is an
internet standard protocol that runs over TCP/IP.

6. Mention which is the default protocol used in directory services?

The default protocol used in directory services is LDAP (Lightweight Directory Access
Protocol).

7. What tool would you use to edit AD?

Adsiedit.msc is a low-level editing tool for Active Directory. Adsiedit.msc is a Microsoft
Management Console snap-in with a graphical user interface that allows administrators to
accomplish simple tasks like adding, editing and deleting objects within a directory service.
Adsiedit.msc uses Application Programming Interfaces to access Active Directory.
Since Adsiedit.msc is a Microsoft Management Console snap-in, it requires access to MMC and
a connection to an Active Directory environment to function correctly.

8. How would you manage trust relationships from the command prompt?

Netdom.exe is another tool for managing Active Directory. Netdom.exe is a command-line
application that allows administrators to manage trust relationships within Active Directory
from the command prompt. Netdom.exe allows for batch management of trusts. It allows
administrators to join computers to domains. The application also allows administrators to
verify trusts and secure Active Directory channels.

9. Where is the AD database held and how would you create a backup of the database?

The database is stored within the Windows NTDS directory. You can create a backup of the
database by backing up the System State data using the default NTBACKUP tool
provided by Windows, or with Symantec's NetBackup. The System State backup will include
the local registry, the boot files, the COM+ class registration database, the NTDS.DIT file as
well as the SYSVOL folder.

10. What is SYSVOL, and why is it important?

SYSVOL is a folder that exists on all domain controllers. It is the repository for all of the
Active Directory files. It stores all the important elements of Active Directory group
policy. The File Replication Service (FRS) replicates the SYSVOL folder among
domain controllers. Logon scripts and policies are delivered to each domain user via SYSVOL.
SYSVOL stores all of the security-related information of AD.

11. Briefly explain how Active Directory authentication works

When a user logs into the network, the user provides a username and password. The
computer sends this username and password to the KDC which contains the master list of
unique long term keys for each user. The KDC creates a session key and a ticket granting
ticket. This data is sent to the user’s computer. The user’s computer runs the data through a
one-way hashing function that converts the data into the user’s master key, which in turn
enables the computer to communicate with the KDC, to access the resources of the domain.

12. Mention what is the difference between the Domain Admins group and the Enterprise
Admins group in AD?

Enterprise Admins Group

o Members of this group have complete control of all domains in the forest.

o By default, this group belongs to the Administrators group on all domain controllers in the forest.

o As such, this group has full control of the forest; add users with caution.

Domain Admins Group

o Members of this group have complete control of the domain.

o By default, this group is a member of the Administrators group on all domain controllers,
workstations and member servers at the time they are joined to the domain.

o As such, the group has full control in the domain; add users with caution.
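"Add users with caution" is only meaningful if somebody periodically checks who is actually in these groups, including members inherited through nested groups. The script below is an added example, not from the page, that expands Enterprise Admins and Domain Admins recursively and shows whether each user member is enabled and when it last logged on. It assumes the ActiveDirectory RSAT module and read access to the groups; the `Get-DomainFromDN` helper is mine and exists only to pick the right `-Server` for members that live in another domain of the forest.

```powershell
# Added example (not from the page): effective membership audit of the two groups above.
# Assumes the ActiveDirectory module (RSAT) and a forest you can read.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    # Helper (assumed): "CN=x,OU=y,DC=corp,DC=example" -> "corp.example"
    param([string]$DN)
    return ((($DN -split ',DC=') | Select-Object -Skip 1) -join '.')
}

$forest = Get-ADForest
$domain = Get-ADDomain

$groups = @(
    @{ Name = 'Enterprise Admins'; Server = $forest.RootDomain }   # forest-wide, lives in the root domain
    @{ Name = 'Domain Admins';     Server = $domain.DNSRoot }      # one per domain
)

$report = foreach ($g in $groups) {
    # -Recursive flattens nested groups so indirect members are not missed.
    $members = Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive
    foreach ($m in $members) {
        $enabled = $null
        $lastLogon = $null
        if ($m.objectClass -eq 'user') {
            # Query the member's own domain; a GC would not return LastLogonDate.
            $u = Get-ADUser -Identity $m.distinguishedName `
                            -Server (Get-DomainFromDN $m.distinguishedName) `
                            -Properties LastLogonDate
            $enabled   = $u.Enabled
            $lastLogon = $u.LastLogonDate
        }
        [pscustomobject]@{
            Group         = $g.Name
            Member        = $m.SamAccountName
            Class         = $m.objectClass
            Enabled       = $enabled
            LastLogonDate = $lastLogon
            DN            = $m.distinguishedName
        }
    }
}

$report | Sort-Object Group, Class, Member | Format-Table -AutoSize

# Headline numbers: how many principals effectively hold each role.
$report | Group-Object Group | Select-Object Name, Count
```

Disabled or long-dormant accounts that still sit in either group are the usual finding; computer and service-account members are worth a second look because they are rarely intended to be there.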

13. Mention what is Kerberos?

Kerberos is a network authentication protocol. It is built to offer strong authentication
for client/server applications by using secret-key cryptography.

14. Mention what are lingering objects?

Lingering objects can exist if a domain controller does not replicate for an interval of time
that is longer than the tombstone lifetime (TSL).

15. Mention what is tombstone lifetime?

The tombstone lifetime in Active Directory determines how long a deleted object is retained
in Active Directory. Deleted objects in Active Directory are stored as special objects
referred to as tombstones. Usually, Windows uses a 60-day tombstone lifetime if the value is
not set in the forest configuration.
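Questions 14 and 15 together give a concrete check: read the forest's tombstone lifetime and compare it with how long each replication partnership has gone without a successful inbound replication, because any partner silent for longer than the TSL is a lingering-object risk. The script below is an added example, not from the page; it assumes the ActiveDirectory module and reads the real `tombstoneLifetime` attribute on the Directory Service object in the configuration partition, treating an unset attribute as the 60-day default the answer above describes.

```powershell
# Added example (not from the page): tombstone lifetime vs. time since last successful
# replication, per partner and partition. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service in the configuration partition.
    $rootDse = Get-ADRootDSE
    $dsDn    = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds      = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
    # Unset attribute: the 60-day default from the answer above applies.
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime } else { return 60 }
}

$tsl    = Get-TombstoneLifetimeDays
$domain = Get-ADDomain

# One row per (server, inbound partner, partition) across the whole domain.
$partners = Get-ADReplicationPartnerMetadata -Target $domain.DNSRoot -Scope Domain

$report = foreach ($p in $partners) {
    $days = if ($p.LastReplicationSuccess) {
        (New-TimeSpan -Start $p.LastReplicationSuccess -End (Get-Date)).Days
    } else { $null }   # never succeeded: treat as unknown, but surface it

    [pscustomobject]@{
        Server           = $p.Server
        Partner          = $p.Partner
        Partition        = $p.Partition
        LastSuccess      = $p.LastReplicationSuccess
        DaysSinceSuccess = $days
        TombstoneDays    = $tsl
        # Past the TSL, deleted objects on the partner are already gone from the tombstones
        # here, so anything it still holds would come back as a lingering object.
        LingeringRisk    = ($null -eq $days) -or ($days -gt $tsl)
        ConsecutiveFails = $p.ConsecutiveReplicationFailures
    }
}

$report | Sort-Object LingeringRisk -Descending, DaysSinceSuccess -Descending | Format-Table -AutoSize
```

A partner that is already past the TSL should not simply be forced to replicate again; the answer to question 14 is the reason, since that is exactly how lingering objects get reintroduced.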

16. Mention what is the PDC emulator and how would one know whether the PDC emulator is
working or not?

PDC Emulator: There is one PDC emulator per domain, and when there is a failed
authentication attempt, it is forwarded to the PDC emulator. It acts as a "tie-breaker" and it
controls time sync across the domain. These are the symptoms by which we can tell that
the PDC emulator is not working:

o Time is not syncing

o User accounts are not getting locked out

o Windows NT BDCs are not getting updates

o Pre-Windows 2000 computers are unable to change their passwords


17. Explain what is the Active Directory Schema?

The schema is the Active Directory component that describes all the attributes and objects
that the directory service uses to store data.

18. Explain what is a child DC?

A CDC or child DC is a domain controller of a child domain under the root domain, and it
shares the root domain's namespace.

19. Explain what is the RID Master?

RID Master stands for Relative Identifier Master; it is responsible for assigning unique IDs to
the objects created in AD.

20. Mention what are the components of AD?

Components of AD includes

o Logical Structure: Trees, Forest, Domains and OU

o Physical Structures: Domain controller and Sites


21. Explain what is the Infrastructure Master?

The Infrastructure Master is responsible for updating user and group references against the
global catalog.

22. What is FSMO?

Flexible Single Master Operation (FSMO) is a specialized set of domain controller (DC) tasks,
used where standard data transfer and update methods are inadequate. AD normally relies on
multiple peer DCs, each with a copy of the AD database, synchronized by multi-master
replication.

23. Tell me about the FSMO roles?

o Schema Master

o Domain Naming Master

o Infrastructure Master

o RID Master

o PDC

Schema Master and Domain Naming Master are forest-wide roles, and there is only one of each
per forest. The other roles are domain-wide, one per domain. AD replication is multi-master
replication: a change can be made on any domain controller and is replicated to the other
domain controllers. The five roles above are the exception: these are the flexible single master
operations (FSMO), and their changes can only be made on the dedicated domain controller, so
they are single-master replication.

24. Which FSMO role is the most important? And why?

An interesting question: which of the five FSMO roles is the most important, or in other words,
which role's failure will impact the end user immediately? Most amateur administrators pick the
Schema Master role, perhaps because they think the schema is critical to running Active Directory.
The correct answer is the PDC. Now the next question: why? Going role by role through what
happens when a FSMO role holder fails gives the answer.

Schema Master: the Schema Master is needed to update the schema, and we don't update the
schema daily, right? So when do we update the schema? During an operating system migration,
when installing a new Exchange version, or for any other application that requires extending the
schema. So if our Schema Master server is not available, we can't update the schema, but there is
no way this will affect Active Directory operation or the end user. The Schema Master needs to be
online and ready when we plan to make a schema change, so we have more time to bring the
Schema Master server back.

Domain Naming Master: the Domain Naming Master is required for creating a new domain and
creating an application partition. Like the Schema Master, we don't create domains and
application partitions frequently. So if our Domain Naming Master server is not available, we
can't create a new domain or application partition; it does not affect the user, and users won't
even be aware that the Domain Naming Master server is down.

Infrastructure Master: the Infrastructure Master handles cross-domain updates. What really gets
updated between domains? Whenever a user logs in to the domain, a TGT is created with the list
of access the user has through group membership (user group membership details); it also
contains the user's membership details from trusted domains. The Infrastructure Master keeps
this information up to date: it updates reference information every 2 days by comparing its data
with the Global Catalog (that's why we don't keep the Infrastructure Master and a GC on the same
server). In a single-domain, single-forest environment there is no impact if the Infrastructure
Master server is down. In a multi-domain or multi-forest environment there will be an impact, but
we have enough time to fix the issue before it affects the end user.

RID Master: every DC is initially issued 500 RIDs by the RID Master server. RIDs are used to
create new objects in Active Directory: all new objects are created with a Security ID (SID), and
the RID is the last part of the SID. The RID uniquely identifies a security principal relative to the
local or domain security authority that issued the SID. When the pool gets down to 250 (50%),
the DC requests a second pool of RIDs from the RID Master. If the RID Master server is not
available, RID pools cannot be issued to DCs, and DCs can only create new objects from the
RIDs they have left; every DC has anywhere between 250 and 750 RIDs available, so there is no
immediate impact.

PDC: the PDC is required for time sync, user login, password changes and trusts. Now you know
why the PDC is the most important FSMO role holder to get back online: a PDC failure impacts
the end user immediately and we need to recover it as soon as possible. The PDC emulator
emulates a Primary Domain Controller for backwards compatibility, it is responsible for time
synchronization within a domain, and it is also the password master. Any password change is
replicated to the PDC emulator as soon as possible. If a logon request fails due to a bad password,
the logon request is passed to the PDC emulator to check the password before the login request
is rejected.
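The argument in questions 16 and 24 turns on three things an administrator can measure: where each FSMO role lives, whether the PDC emulator is reachable and acting as the domain's time source, and how much of the local RID pool is left. The script below is an added example, not from the page; it assumes the ActiveDirectory module, that it is run on a domain controller (for the RID pool part), and that `w32tm` is available. The decoding of `rIDAllocationPool` (low 32 bits = pool start, high 32 bits = pool end) is the documented layout of that attribute; the remaining-RID arithmetic is mine.

```powershell
# Added example (not from the page): FSMO holders, PDC reachability/time, and local RID pool.
# Assumes the ActiveDirectory module and execution on a domain controller.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Who holds which role. Forest-wide roles come from Get-ADForest, domain-wide from Get-ADDomain.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
    'RID Master'            = $domain.RIDMaster
    'PDC Emulator'          = $domain.PDCEmulator
}
$roles.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Role      = $_.Key
        Holder    = $_.Value
        Reachable = Test-Connection -ComputerName $_.Value -Count 1 -Quiet
    }
} | Format-Table -AutoSize

# 2. Time: the PDC emulator is the domain's time reference (question 16, "time is not syncing").
#    /monitor lists every DC's offset from the PDC; large offsets or errors point at the PDC.
w32tm /monitor /domain:$($domain.DNSRoot)

# 3. RID pool on this DC (question 24: 500 issued, new pool requested at 50%).
function Get-LocalRidPoolStatus {
    $me  = Get-ADComputer -Identity $env:COMPUTERNAME -Properties rIDSetReferences
    $set = Get-ADObject -Identity $me.rIDSetReferences[0] -Properties rIDAllocationPool, rIDNextRID
    $pool  = [int64]$set.rIDAllocationPool
    $start = $pool -band 0xFFFFFFFF      # low 32 bits: first RID in the current pool
    $end   = $pool -shr 32               # high 32 bits: last RID in the current pool
    [pscustomobject]@{
        DC            = $env:COMPUTERNAME
        PoolStart     = $start
        PoolEnd       = $end
        NextRid       = $set.rIDNextRID
        RidsRemaining = $end - $set.rIDNextRID
        # If the RID Master is down, this is how many objects this DC can still create.
        RidMasterUp   = Test-Connection -ComputerName $domain.RIDMaster -Count 1 -Quiet
    }
}

Get-LocalRidPoolStatus | Format-List
```

Reading the three outputs together reproduces the ranking in the answer: an unreachable Schema or Domain Naming Master changes nothing today, a down RID Master matters only once `RidsRemaining` approaches zero, and an unreachable PDC shows up immediately as time drift and failed password checks.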

25. What are Active Directory partitions?

An Active Directory partition defines how and where AD information is logically stored.

26. What are all the Active Directory Partitions?

o Schema

o Configuration

o Domain

o Application partition

27. What is KCC?

KCC (Knowledge Consistency Checker) is used to generate the replication topology for inter-site
replication and for intra-site replication. Within a site, replication traffic is done via remote
procedure calls over IP, while between sites it is done through either RPC or SMTP.

28. Explain what intrasite and intersite replication are and how the KCC facilitates replication

The replication between DCs inside a single site is called intrasite replication, whilst the
replication between DCs in different sites is called intersite replication. Intrasite replication
occurs frequently, while intersite replication is scheduled, mainly to conserve network bandwidth.

KCC is an acronym for the Knowledge Consistency Checker. The KCC is a process that runs on
all of the domain controllers. The KCC builds the replication topology for replication
within sites and between sites. Between sites, replication is done through SMTP or RPC,
whilst intrasite replication is done using remote procedure calls over IP.

29. What is group policy?

Group Policy is one of the most exciting -- and potentially complex -- mechanisms that the
Active Directory enables. Group policy allows a bundle of system and user settings (called a
"Group Policy Object" or GPO) to be created by an administrator of a domain or OU and
have it automatically pushed down to designated systems.

Group Policy can control everything from user interface settings such as screen background
images to deep control settings in the client such as its TCP/IP configuration and
authentication settings. There are currently over 500 controllable settings. Microsoft has
provided some templates as well to provide a starting point for creating policy objects.

A significant advantage of group policy over the old NT-style policies is that the changes they
make are reversed when the policy no longer applies to a system. In NT 4, once a policy was
applied to a system, removing that policy did not by itself roll back the settings that it
imposed on the client. With Windows 2000, when a specified policy no longer applies to a
system it will revert to its previous state without administrative interference.

Multiple policies from different sources can be applied to the same object. For example, a
domain might have one or more domain-wide policies that apply to all systems in the
domain. Below that, systems in an OU can also have policy objects applied to them, and the OU
can even be further divided into sub-OUs with their own policies.

This can create a very complex web of settings, so administrators must be very careful when
creating these multiple layers of policy to make sure the end result -- which is the union of
all of the applicable policies with the "closest" policy taking priority in most cases -- is correct
for that system. In addition, because Group Policy is checked and applied during the system
boot process for machine settings and again during logon for user settings, it is
recommended that GPOs be applied to a computer from no more than five "layers" in the
AD to keep reboot and/or login times from becoming unacceptably long.

30. Why do we need Netlogon?

Netlogon maintains a secure channel between the computer and the domain controller for
authenticating users and services. If this service is stopped, the computer may not
authenticate users and services, and the domain controller cannot register DNS records.

31. What are the group types available in Active Directory?

Security groups: Use security groups for granting permissions to access resources.
Sending an e-mail message to a security group sends the message to all members of the group,
so security groups share the capabilities of distribution groups.

Distribution groups: Distribution groups are used for sending e-mail messages to groups of
users. You cannot grant permissions to distribution groups. Even though security groups have all
the capabilities of distribution groups, distribution groups are still required, because some
applications can only read distribution groups.

32. Explain the group scopes in AD?

Domain Local Group: Use this scope to grant permissions to domain resources that are
located in the same domain in which you created the domain local group. Domain local
groups can exist at all mixed, native and interim functional levels of domains and forests.
Domain local group membership is not limited, as you can add user accounts, universal
groups and global groups from any domain as members. Just remember that nesting cannot be
done with domain local groups: a domain local group will not be a member of another domain
local group or of any other group in the same domain.

Global Group: Users with a similar function can be grouped under the global scope and can be
given permission to access a resource (like a printer or a shared folder and files) available in the
local domain or in another domain in the same forest. In simple words, global groups can be used
to grant permissions to resources which are located in any domain but within a single
forest, as their membership is limited: user accounts and global groups can be added only
from the domain in which the global group is created. Nesting is possible for global groups within
other groups, as you can add a global group into another global group from any domain.
Finally, to provide permission to domain-specific resources (like printers and published
folders), they can be members of a domain local group. Global groups exist at all mixed,
native and interim functional levels of domains and forests.

Universal Group Scope: These groups are mainly used for e-mail distribution and can be
granted access to resources in all trusted domains, as these groups can only be used as a
security principal (security group type) in a Windows 2000 native or Windows Server 2003
domain functional level domain. Universal group membership is not limited like that of global
groups: all domain user accounts and groups can be members of a universal group. Universal
groups can be nested under a global or domain local group in any domain.

33. What is REPLMON?

The Microsoft definition of the Replmon tool is as follows: this GUI tool enables
administrators to view the low-level status of Active Directory replication, force
synchronization between domain controllers, view the topology in a graphical format, and
monitor the status and performance of domain controller replication.

34. What is NETDOM ?

NETDOM is a command-line tool that allows management of Windows domains and trust
relationships. It is used for batch management of trusts, joining computers to domains,
verifying trusts, and secure channels.

35. Explain about Trust in AD ?

To allow users in one domain to access resources in another, Active Directory uses trusts.
Trusts inside a forest are automatically created when domains are created. The forest sets
the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for
all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut
(joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or
two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive,
one- or two-way) in order to connect to other forests or non-AD domains.

36. Different modes of AD restore?

A nonauthoritative restore is the default method for restoring Active Directory. To perform
a nonauthoritative restore, you must be able to start the domain controller in Directory
Services Restore Mode. After you restore the domain controller from backup, replication
partners use the standard replication protocols to update Active Directory and associated
information on the restored domain controller.

An authoritative restore brings a domain or a container back to the state it was in at the
time of backup and overwrites all changes made since the backup. If you do not want to
replicate the changes that have been made subsequent to the last backup operation, you
must perform an authoritative restore. In this case one needs to stop inbound replication first,
before performing the authoritative restore.

37. What is an OU?

An Organizational Unit is a container object in which you can keep objects such as user accounts,
groups, computers, printers, applications and other OUs. In an organizational unit you can assign
specific permissions to users. Organizational units can also be used to create departmental
boundaries.

38. What is the Global Catalog?

The Global Catalog authenticates network user logons and fields inquiries about objects
across a forest or tree. Every domain has at least one GC that is hosted on a domain
controller. In Windows 2000, there was typically one GC on every site in order to prevent
user logon failures across the network.

39. When should you create a forest?

Organizations that operate on radically different bases may require separate trees with
distinct namespaces. Unique trade or brand names often give rise to separate DNS
identities. Organizations merge or are acquired and naming continuity is desired.
Organizations form partnerships and joint ventures. While access to common resources is
desired, a separately defined tree can enforce more direct administrative and security
restrictions.

40. What is group nesting?

Adding one group as a member of another group is called 'group nesting'. This helps with
easier administration and reduces replication traffic.

41. How the AD authentication works?

When a user enters a user name and password, the computer sends the user name to the
Key Distribution Centre (KDC). The KDC contains a master database of unique long term keys
for every principal in its realm. The KDC looks up the user’s master key (KA), which is based
on the user’s password. The KDC then creates two items: a session key (SA) to share with the
user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user
name, and an expiration time. The KDC encrypts this ticket by using its own master key
(KKDC), which only the KDC knows. The client computer receives the information from the
KDC and runs the user’s password through a one-way hashing function, which converts the
password into the user’s KA. The client computer now has a session key and a TGT so that it
can securely communicate with the KDC. The client is now authenticated to the domain and
is ready to access other resources in the domain by using the Kerberos protocol.

42. What is Global Catalog and its function?

The global catalog is a distributed data repository that contains a searchable, partial
representation of every object in every domain in a multidomain Active Directory Domain
Services (AD DS) forest. The global catalog is stored on domain controllers that have been
designated as global catalog servers and is distributed through multi master replication.
Searches that are directed to the global catalog are faster because they do not involve
referrals to different domain controllers.

The global catalog provides the ability to locate objects from any domain without having to
know the domain name. A global catalog server is a domain controller that, in addition to its
full, writable domain directory partition replica, also stores a partial, read-only replica of all
other domain directory partitions in the forest.

Forest-wide searches. The global catalog provides a resource for searching an AD DS forest.
Forest-wide searches are identified by the LDAP port that they use: if the search query uses
port 3268, the query is sent to a global catalog server.

User logon. In a forest that has more than one domain, two conditions require the global
catalog during user authentication:

o In a domain that operates at the Windows 2000 native domain functional level or higher, domain
controllers must request universal group membership enumeration from a global catalog server.
o When a user principal name (UPN) is used at logon and the forest has more than one domain, a
global catalog server is required to resolve the name.

Universal Group Membership Caching. In a forest that has more than one domain, in sites
that have domain users but no global catalog server, Universal Group Membership Caching
can be used to enable caching of logon credentials so that the global catalog does not have
to be contacted for subsequent user logons. This feature eliminates the need to retrieve
universal group memberships across a WAN link from a global catalog server in a different
site.

Exchange Address Book lookups. Servers running Microsoft Exchange Server rely on access
to the global catalog for address information. Users use global catalog servers to access the
global address list (GAL).

43. What are the physical components of Active Directory?

Domain controllers and sites. Domain controllers are physical computers running the
Windows Server operating system and the Active Directory database. Sites are network
segments based on geographical location, and each site contains one or more domain
controllers.

44. What are the logical components of Active Directory?

Domains, Organizational Units, trees and forests are logical components of Active Directory.

45. What is RODC? Why do we configure RODC?

A read-only domain controller (RODC) is a feature of the Windows Server 2008 operating
system. An RODC holds a read-only copy of the Active Directory database and can be deployed
in a remote branch office where physical security cannot be guaranteed. An RODC provides
improved security and faster logon times for the branch office.

46. What is role seizure? Why do we perform role seizure?

Role seizure is the action of assigning an operations master role to a new domain controller
without the support of the existing role holder (generally because it is offline due to a
hardware failure). During role seizure, a new domain controller assumes the operations
master role without communicating with the existing role holder. Role seizure can be done
using repadmin.exe and Ntdsutil.exe commands.

47. Tell me a few uses of NTDSUTIL commands.

We can use ntdsutil commands to perform database maintenance of AD DS, manage and
control single master operations, restore Active Directory backups, and remove metadata
left behind by domain controllers that were removed from the network without being
properly uninstalled.

48. A user is unable to log into his desktop which is connected to a domain. What are the
troubleshooting steps you will consider?

Check the network connection on the desktop. Try to ping the domain controller. Check
whether name resolution is working. Check Active Directory for the computer account of the
desktop. Compare the time settings on the desktop and the domain controller. Remove the
desktop from the domain and rejoin it.
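The checks above, run in order from the affected desktop, as an added PowerShell example that is not part of the original document: the domain name is a placeholder, the Get-ADComputer step assumes the RSAT ActiveDirectory module is installed, and the session must be elevated for the secure-channel test.

```powershell
# Added example (not from the original document): walks through the logon troubleshooting
# checks on the affected desktop. Run from an elevated PowerShell session; Get-ADComputer
# needs the RSAT ActiveDirectory module, the other cmdlets ship with Windows 8 / 2012 and later.
param([string]$Domain = 'corp.example.com')   # assumption: replace with the real domain name

function Test-DomainLogonPrereqs {
    param([string]$Domain, [string]$Computer = $env:COMPUTERNAME)
    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Ok, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Ok; Detail = $Detail }) }

    # 1. Name resolution: the SRV record clients use to locate a domain controller must resolve.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object QueryType -eq 'SRV' | Sort-Object Priority, Weight | Select-Object -First 1
    & $add 'DNS SRV lookup for domain controllers' ($null -ne $srv) $srv.NameTarget
    if (-not $srv) { return $results }    # nothing else can be tested without a DC name
    $dc = $srv.NameTarget

    # 2. Network connectivity: ICMP plus the Kerberos (88) and LDAP (389) ports a logon needs.
    $ping = Test-Connection -ComputerName $dc -Count 1 -Quiet -ErrorAction SilentlyContinue
    & $add "Ping $dc" $ping ''
    foreach ($port in 88, 389) {
        $tcp = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        & $add "TCP $port to $dc" $tcp.TcpTestSucceeded ''
    }

    # 3. Time settings: Kerberos rejects tickets when clocks differ by more than 5 minutes (default).
    $line = (w32tm /stripchart /computer:$dc /samples:1 /dataonly) | Select-Object -Last 1
    if ($line -match '([+-]\d+\.\d+)s') {
        $skew = [math]::Abs([double]$Matches[1])
        & $add "Clock skew vs $dc" ($skew -lt 300) ("{0:N1} s" -f $skew)
    } else { & $add "Clock skew vs $dc" $false 'w32tm returned no sample' }

    # 4. Computer account: the desktop's secure channel (machine account trust) must be intact.
    #    A broken channel is what the remove/rejoin step repairs; -Repair resets it in place.
    $secure = Test-ComputerSecureChannel -Server $dc -ErrorAction SilentlyContinue
    & $add 'Secure channel to domain' $secure 'If false: Test-ComputerSecureChannel -Repair, or remove/rejoin'
    if (Get-Command Get-ADComputer -ErrorAction SilentlyContinue) {
        $acct = Get-ADComputer -Identity $Computer -Server $dc -Properties Enabled -ErrorAction SilentlyContinue
        & $add "Computer account $Computer exists and is enabled" ($acct -and $acct.Enabled) $acct.DistinguishedName
    }
    return $results
}

Test-DomainLogonPrereqs -Domain $Domain | Format-Table -AutoSize
```

The first failing row points at the layer to fix; later rows are unreliable until the earlier ones pass.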

49. A Domain Controller called ABC is failing replication with XYZ. How do you troubleshoot
the issue?

Active Directory replication issues can occur for a variety of reasons, for example DNS
problems, network problems, or security issues. Troubleshooting can start by verifying DNS
records. Then remove and recreate the domain controller replication link. Check the time
settings on both replication partners.

50. What do you understand by Garbage Collection? Explain.

Garbage collection is a housekeeping process of Active Directory. It starts by removing the
remains of previously deleted objects from the database; these remains are known as
tombstones. The garbage collection process then deletes unnecessary log files and starts a
defragmentation thread to reclaim additional free space. The garbage collection process
runs on every domain controller at an interval of 12 hours.

© 2016 Labbots. All right reserved.
