Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
o RODC
o WDS instead of RIS
o Services have been changed as roles - server manager
o Introduction of hyper V- only on 64 bit versions
o Enhanced event viewer
o Bitlocker feature
o Server core installation without GUI
o MMC 3.0, with three pane view
o Key management services(KMS) to activate Windows OS without connecting to
Microsoft site
o Performance enhancement using technologies like Windows
SuperFetch,ReadyBoost and Readydrive
o Windows Aero user interface
o Instant search
o Support for IPv6 in DNS
2. ESX vs ESXi
5. FSMO roles
o Schema Master
o Domain naming master
o Infrastructure master
o PDC Emulator
o RID master
6. GPO
o GPO
o Templates (ADMX)
o Block inheritance
o Enforced
o Loopback policy
8. OSI layer
o Application Layer
o Presentation Layer
o Sessions Layer
o Transport Layer
o Network Layer
o DataLink layer
o Physical Layer
10. HA 5.0
o Isolation response
PowerOff
Leave Powered On
Shutdown
11. vMotion
o vMotion enables live migration of running virtual machines from one host to
another with zero downtime
o Prerequisites
i. Host must be licensed for vMotion
ii. Configure host with at least one vMotion n/w interface (vmkernel port
group)
iii. Shared storage (this has been compromised in 5.1)
iv. Same VLAN and VLAN label
v. GigaBit ethernet network required between hosts
vi. Processor compatibility between hosts
vii. vMotion does not support migration of applications clustered using
Microsoft clustering service
viii. No CD ROM attached
ix. No affinity is enabled
x. vmware tools should be installed
12. RAID
o Redundant Array of Independent disks
o A category of disk drives that uses 2 or more drives in a combination for redundancy
and performance
o Most common RAIDs: RAID 0(Striped), RAID 1(Mirroring), RAID 5
18. RODC
o New feature in Windows 2008
o Only have the read only copy of directory database
o RODC will have all the objects of a normal DC in read only mode. But this doesn’t
include passwords. RODC does not store password of accounts.
o Updates are replicated to RODC by writable DC
o Password caching : A feature which enables RODC to cache password of the logged
in users.
o Password Replication Policy: Determines whether the password can be cached or
not.
o DNS can be integrated with RODC but will not directly register client updates. For
any DNS change, the RODC refers the client to DNS server that hosts a primary or AD
integrated zone
6. Loadbalancer vs Clustering
o Clustering
i. Cluster is a group of resources that are trying to achieve a common
objective, and are aware of one another.
ii. Clustering usually involves setting up the resources (servers usually) to
exchange details on a particular channel (port) and keep exchanging their
states, so a resource’s state is replicated at other places as well.
iii. It usually also includes load balancing, wherein, the request is routed to one
of the resources in the cluster as per the load balancing policy
o Load Balancing
. Used to forward requests to either one server or other, but one server does not use
the other server’s resources. Also, one resource does not share its state with other
resources.
8. Group policy security filtering for users. Which all users are in there by default. Members
of Authenticated Users group
o Security filtering is a way of refining which users and computers will receive and
apply the settings in a Group Policy object (GPO)
o In order for the GPO to apply to a given user or computer, that user or computer
must have both Read and Apply Group Policy (AGP) permissions on the GPO, either
explicitly, or effectively through group membership
o By default, all GPOs have Read and AGP both Allowed for the Authenticated Users
group.
o The Authenticated Users group includes both users and computers. This is how all
authenticated users receive the settings of a new GPO when it is applied to an
organizational unit, domain or site
14. Robocopy
o Microsoft tool used for copying files effectively
o It has plenty of options to manage the copy process
15. How do you patch microsoft applications? Frequency of patches released by Microsoft
o The Microsoft applications can be patched using WSUS
o In WSUS, we can create several computer groups to manage this patch process.
o MS patches are released once in a month
19. What happens to the VMs if a standalone host is taken to maintenance mode?
o In case of standalone servers , VMware recommends that VMs should be powered
off before putting the server in maintenance mode
o If we put the standalone host in maintenance mode without powering off the VMs,
it will remain in the ‘entering maintenance mode’ state until the VMs are all
shutdown
o When all the VMs are powered down, the host status changes to ‘under
maintenance’
http://pubs.vmware.com/vsphere-4-esx-
vcenter/index.jsp#using_drs_clusters_to_manage_resources/c_using_maintenance_mode.html
20. What is new in Windows server 2012
o Server core improvements: no need of fresh installation, you can add/remove GUI
from server manager
o Remotely manage servers , add/remove roles etc using Server manager-manage
2008 and 2008 R2 with WMF 3.0 installation, installed by default in Server 2012
o Remote server administration tools available for windows 8 to manage Windows
server 2012 infrastructure
o Powershell v3
o Hyper-V 3.0
i. supports upto 64 processors and 1 TB RAM per virtual machine
ii. upto 320 logical hardware processors and 4 TB RAM per host
iii. Shared nothing live migration, move around VMs without shared storage
o ReFS(Resilient file system), upgraded version of NTFS- supports larger file and
directory sizes. Removes the 255 character limitation on long file names and paths,
the limit on the path/filename size is now 32K characters!
o Improved CHKDSK utility that will fix disk corruptions in the background without
disruption
21. How does the backup software recognize that a file has changed since last backup?
o The files use a bit called archive bit for tracking any change in the file.
o The backup softwares normally checks the archive bit of the file to determine
whether the file has to be backed up or not
24. What is the major difference between Windows server 2008 and windows server 2012 in
terms of AD promotion?
In Win 2012, dcpromo has been depreciated. In order to make a Windows server 2012 to a
domain controller, the ADDS service has to be installed from the server manager. After installation,
run the post-deployment configuration wizard from server manager to promote the server as AD
1. What is vSAN?
o It is a hypervisor-converged storage solution built by aggregating the local storage
attached to the ESXi hosts managed by a vCenter.
2. Recommended iSCSI configuration?
o A separate vSwitch, and a separate network other than VMtraffic network for iSCSI
traffic. Dedicated physical NICs should be connected to vSwitch configured for iSCSI
traffic.
3. What is iSCSI port binding ?
o Port binding is used in iSCSI when multiple VMkernel ports for iSCSI reside in the
same broadcast domain and IP subnet, to allow multiple paths to an iSCSI array that
broadcasts a single IP address.
4. iSCSI port binding considerations ?
o Array Target iSCSI ports must reside in the same broadcast domain and IP subnet as
the VMkernel port.
o All VMkernel ports used for iSCSI connectivity must reside in the same broadcast
domain and IP subnet.
o All VMkernel ports used for iSCSI connectivity must reside in the same vSwitch.
o Currently, port binding does not support network routing.
5. Recommended iSCSI configuration of a 6 NIC infrastructure ? (Answer changes as per the
infrastructure requirements)
o 2 NICs for VM traffic
o 2 NICs for iSCSI traffic
o 1 NIC for vMotion
o 1 NIC for management network
6. Post conversion steps in P2V
o Adjust the virtual hardware settings as required
o Remove non present device drivers
o Remove all unnecessary devices such as serial ports, USB controllers, floppy drives
etc..
o Install VMware tools
7. Which esxtop metric will you use to confirm latency issue of storage ?
o esxtop --> d --> DAVG
8. What are standby NICs
o These adapters will only become Active if the defined Active adapters have failed.
9. Path selection policies in ESXi
1. Most Recently Used (MRU)
2. Fixed
3. Round Robin
10. Which networking features are recommended while using iSCSI traffic
o iSCSI port binding
o Jumbo Frames
11. Can I deploy non-MSI software with GPO?
o Yes, you can. Apart from MSI packages, GPO also supports deployment of ZAP files
12. How frequently is the client policy refreshed ?
o By default, group policy is updated in the background every 90 minutes.You can
specify an update rate from 0 to 44,640 minutes (31 days). If you select 0 minutes,
the computer tries to update Group Policy every 7 seconds. However, because
updates might interfere with users' work and increase network traffic, very short
update intervals are not appropriate for most installations.
o The refresh interval can be configured manually using group policy - GPO -->
Computer Configuration --> Administrative Templates --> System --> Group Policy -->
Set Group Policy refresh interval for Computers
13. How does the Group Policy ‘No Override’ and ‘Block Inheritance’ work ?
o No Override - This prevents child containers from overriding policies set at higher
levels
o Block Inheritance - Stops containers inheriting policies from parent containers
14. Why can’t you restore a DC that was backed up 4 months ago?
o The reason is 'Tombstoning' . If a domain controller was restored from a backup that
was older than the tombstone lifetime, then the domain controller might contain
deleted objects, and because the tombstones are deleted from the replica, the
deletion event does not replicate into the restored domain controller. This is why
Backup does not allow you to restore data from a backup that is older than the
tombstone lifetime.
o More details about tombstoning
- http://www.systemadminguide.in/2013/11/active-directory-tombstone.html
15. I want to look at the RID allocation table for a DC. What do I do?
o Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"
16. Can you connect Active Directory to other 3rd-party Directory Services? Name a few
options.
o Microsoft Identity Integration Server (MIIS)
o Forefront Identity Manager (FIM)
17. Can you explain Netlogon services ?
o The Netlogon services help the client servers to connect to the Domain
18. What is urgent replication in AD ?
o Normally, a change in a DC (say DC1) is notified to its replication partner(say DC2)
after 15 seconds. Once the change is notified, DC2 makes the change in its database.
DC2 then notifies its replication partner after another 15 seconds. If it's a multi-site
setup, the 15 seconds delay would cost a big delay for the final recipient DC.
Suppose if the change was an 'Account Lock Out', this big delay will be a pain. Here
comes Urgent notification. Urgent notification bypasses the change notification
delay and processes the change immediately across all DCs.
19. How to migrate AD location to another ? (from C:\AD to D:\AD)
o First, stop the Active Directory Domain Services
o Open Command Prompt with Admin privilege
o Run ntdsutil tool
o In the ntdsutil prompt, type Activate instance ntds
o Then type files
o In the next prompt (file maintenance), type move db to D:\AD
o Once the database is moved, move the logs using the command move logs to D:\AD
o Once completed, start the Active Directory Domain Services
20. What is the schema version of Windows 2008 R2 ?
o Windows 2003 R2 - 31
o Windows 2008 - 44
o Windows 2008 R2 - 47
o Windows 2012 - 56
o Windows 2012 R2 - 69
While performing vMotion, the operation fails at 14% with the below error :
A general system error occurred: Migrtion to host <Destination ESXi IP> failed with erro Connection
closed by remote host, possibly due to timeout (0xbad003f).
Migrate virtual machine:A general system error occurred: Migration to host <Destination ESXi IP>
failed with error Connection closed by remote host, possibly due to timeout (0xbad003f).
Scenarios
Scenario 1: Your management network and vmotion network are in the same subnet using the
same physical NIC.
Consider the case, where the management network and vmotion network are in the same subnet
and you have assigned a VLAN id to the vMotion network, the operation fails at 14%.
My first point will be to avoid using same IP subnet for both management and vmotion networks.
Because if you use the same subnet, all the vmotion traffic will be forwarded to the physical NIC
connected to the management network. Because, by default all traffic from vmkernel portgroups
from the same subnet will be forwarded to the first NIC configured in the ESXi for that IP subnet.
Obviously this will be the management network.
And if you still stick to the plan of using same subnet, please make sure that you have not assigned
any VLAN id to the vMotion portgroup.
What happens when we assign a VLAN to the vMotion portgroup ? vMotion vmknic will try to
communicate with the default gateway and since the default gateway is not tagged with the VLAN
id you choose for vMotion, the operation fails.
Scenario 2: Your management network and vmotion network are in the same subnet using different
physical NIC (may be using different vswitches as well).
The comments in the above scenario applies to this scenario also. It doesn't matter if you have
created a new vSwitch or a new portgroup or a dedicated physical NIC for the vmotion network, if
your management network is in the same subnet, do not assign a VLAN id to the portgroup.
Scenario 3: Your management network and vmotion network are in different subnet.
While performing vMotion, the operation fails at 14% with the below error :
A general system error occurred: Migrtion to host <Destination ESXi IP> failed with erro Connection
closed by remote host, possibly due to timeout (0xbad003f).
Migrate virtual machine:A general system error occurred: Migration to host <Destination ESXi IP>
failed with error Connection closed by remote host, possibly due to timeout (0xbad003f).
Scenarios
Scenario 1: Your management network and vmotion network are in the same subnet using the
same physical NIC.
Consider the case, where the management network and vmotion network are in the same subnet
and you have assigned a VLAN id to the vMotion network, the operation fails at 14%.
My first point will be to avoid using same IP subnet for both management and vmotion networks.
Because if you use the same subnet, all the vmotion traffic will be forwarded to the physical NIC
connected to the management network. Because, by default all traffic from vmkernel portgroups
from the same subnet will be forwarded to the first NIC configured in the ESXi for that IP subnet.
Obviously this will be the management network.
And if you still stick to the plan of using same subnet, please make sure that you have not assigned
any VLAN id to the vMotion portgroup.
What happens when we assign a VLAN to the vMotion portgroup ? vMotion vmknic will try to
communicate with the default gateway and since the default gateway is not tagged with the VLAN
id you choose for vMotion, the operation fails.
Scenario 2: Your management network and vmotion network are in the same subnet using different
physical NIC (may be using different vswitches as well).
The comments in the above scenario applies to this scenario also. It doesn't matter if you have
created a new vSwitch or a new portgroup or a dedicated physical NIC for the vmotion network, if
your management network is in the same subnet, do not assign a VLAN id to the portgroup.
Scenario 3: Your management network and vmotion network are in different subnet.
I Agree!
This website uses cookies to ensure you get the best experience on our website More
info
Home
About
Technology
Contact
Active Directory is a database that stores data pertaining to the users and objects within the
network. Active Directory allows the compilation of networks that connect with AD, as well
as the management and administration.
2. What is a domain within Active Directory?
A domain represents the group of network resources that includes computers, printers,
applications and other resources. Domains share a directory database. The domain is
represented by address of the resources within the database. A user can log into a domain
to gain access to the resources that are listed as part that domain.
The server that responds to user requests for access to the domain is called the Domain
Controller or DC. The Domain Controller allows a user to gain access to the resources within
the domain through the use of a single username and password.
Domains that share common schemas and configurations can be linked to form a contiguous
namespace. Domains within the trees are linked together by creating special relationships
between the domains based on trust. Forests consist of a number of domain trees that are
linked together within AD, based on various implicit trust relationships. Forests are generally
created where a server setup includes a number of root DNS addresses. Trees within the
forest do not share a contiguous namespace.
5. What is LDAP?
LDAP is an acronym for Lightweight Directory Access Protocol and it refers to the protocol
used to access, query and modify the data stored within the AD directories. LDAP is an
internet standard protocol that runs over TCP/IP.
Adsiedit.msc is a low level editing tool for Active Directory. Adsiedit.msc is a Microsoft
Management Console snap-in with a graphical user interface that allows administrators to
accomplish simple tasks like adding, editing and deleting objects with a directory service.
The Adsiedit.msc uses Application Programming Interfaces to access the Active Directory.
Since Adsiedit.msc is a Microsoft Management Console snap-in, it requires access MMC and
a connection to an Active Directory environment to function correctly.
8. How would you manage trust relationships from the command prompt?
9. Where is the AD database held and how would you create a backup of the database?
The database is stored within the windows NTDS directory. You could create a backup of the
database by creating a backup of the System State data using the default NTBACKUP tool
provided by windows or by Symantec’s Netbackup. The System State Backup will create a
backup of the local registry, the Boot files, the COM+, the NTDS.DIT file as well as the
SYSVOL folder.
When a user logs into the network, the user provides a username and password. The
computer sends this username and password to the KDC which contains the master list of
unique long term keys for each user. The KDC creates a session key and a ticket granting
ticket. This data is sent to the user’s computer. The user’s computer runs the data through a
one-way hashing function that converts the data into the user’s master key, which in turn
enables the computer to communicate with the KDC, to access the resources of the domain.
12. Mention what is the difference between domain admin groups and enterprise admins
group in AD?
o Members of this group have complete control of all domains in the forest.
o By default, this group belongs to the administrators group on all domain controllers in the forest.
o As such this group has full control of the forest, add users with caution.
o By default, this group is a member of the administrators group on all domain controllers,
workstations and member servers at the time they are linked to the domain.
o As such the group has full control in the domain, add users with caution.
13. Mention what is Kerberos?
Lingering objects can exists if a domain controller does not replicate for an interval of time
that is longer than the tombstone lifetime (TSL).
Tombstone lifetime in an Active Directory determines how long a deleted object is retained
in Active Directory. The deleted objects in Active Directory is stored in a special object
referred as TOMBSTONE. Usually, windows will use a 60- day tombstone lifetime if time is
not set in the forest configuration.
16. Mention what is PDC emulator and how would one know whether PDC emulator is
working or not?
PDC Emulators: There is one PDC emulator per domain, and when there is a failed
authentication attempt, it is forwarded to PDC emulator. It acts as a “tie-breaker” and it
controls the time sync across the domain. These are the parameters through which we can
know whether PDC emulator is working or not.
CDC or child DC is a sub domain controller under root domain controller which share name
space
RID master stands for Relative Identifier for assigning unique IDs to the object created in AD.
Components of AD includes
Infrastructure Master is accountable for updating information about the user and group and
global catalogue.
Flexible single master operation is a specialized domain controller (DC) set of tasks, used
where standard data transfer and update methods are inadequate. AD normally relies on
multiple peer DCs, each with a copy of the AD database, being synchronized by multi-master
replication.
23. Tel me about the FSMO roles?
o Schema Master
o Infrastructure Master
o RID Master
o PDC
Schema Master and Domain Naming Master are forest wide role and only available one on
each Forest, Other roles are Domain wide and one for each Domain AD replication is multi
master replication and change can be done in any Domain Controller and will get replicated
to others Domain Controllers, except above file roles, this will be flexible single master
operations (FSMO), these changes only be done on dedicated Domain Controller so it’s
single master replication.
Interesting question which role is most important out of 5 FSMO roles or if one role fails that
will impact the end-user immediately Most amateur administrators pick the Schema master
role, not sure why maybe they though Schema is very critical to run the Active Directory
Correct answer is PDC, now the next question why? Will explain role by role what happens
when a FSMO role holder fails to find the answer
Schema Master – Schema Master needed to update the Schema, we don’t update the
schema daily right, when will update the Schema? While the time of operating system
migration, installing new Exchange version and any other application which requires
extending the schema So if are Schema Master Server is not available, we can’t able to
update the schema and no way this will going to affect the Active Directory operation and
the end-user
Schema Master needs to be online and ready to make a schema change, we can plan and
have more time to bring back the Schema Master Server
Domain Naming Master – Domain Naming Master required to creating a new Domain and
creating an application partition, Like Schema Master we don’t create Domain and
application partition frequently. So if are Domain Naming Master Server is not available, we
can’t able to create a new Domain and application partition, it may not affect the user, user
event didn’t aware Domain Naming Master Server is down
Infrastructure Master – Infrastructure Master updates the cross domain updates, what
really updates between Domains? Whenever user login to Domain the TGT has been created
with the list of access user got through group membership (user group membership details)
it also contain the user membership details from trusted domain, Infrastructure Master keep
this information up-to-date, it update reference information every 2 days by comparing its
data with the Global Catalog (that’s why we don’t keep Infrastructure Master and GC in
same server) In a single Domain and single Forest environment there is no impact if the
Infrastructure Master server is down
In a Multi Domain and Forest environment, there will be impact and we have enough time to
fix the issue before it affect the end-user
RID Master –Every DC is initially issued 500 RID’s from RID Master Server. RID’s are used to
create a new object on Active Directory, all new objects are created with Security ID (SID)
and RID is the last part of a SID. The RID uniquely identifies a security principal relative to the
local or domain security authority that issued the SID When it gets down to 250 (50%) it
requests a second pool of RID’s from the RID master. If RID Master Server is not available the
RID pools unable to be issued to DC’s and DC’s are only able to create a new object depends
on the available RID’s, every DC has anywhere between 250 and 750 RIDs available, so no
immediate impact
PDC – PDC required for Time sync, user login, password changes and Trust, now you know
why the PDC is important FSMO role holder to get back online, PDC role will impact the end-
user immediately and we need to recover ASAP The PDC emulator Primary Domain
Controller for backwards compatibility and it’s responsible for time synchronizing within a
domain, also the password master. Any password change is replicated to the PDC emulator
ASAP. If a logon request fails due to a bad password the logon request is passed to the PDC
emulator to check the password before rejecting the login request.
25. What is Active Directory Partitions?
Active Directory partition is how and where the AD information logically stored.
o Schema
o Configuration
o Domain
o Application partition
27. What is KCC?
KCC (knowledge consistency checker) is used to generate replication topology for inter site
replication and for intra-site replication. Within a site replication traffic is done via remote
procedure calls over ip, while between sites it is done through either RPC or SMTP.
28. Explain what intrasite and intersite replication is and how KCC facilitates replication
The replication of DC’s inside a single site is called intrasite replication whilst the replication
of DC’s on different sites is called Intersite replication. Intrasite replication occurs frequently
while Intersite replication occurs mainly to ensure network bandwidth.
KCC is an acronym for the Knowledge Consistency Checker. The KCC is a process that runs on
all of the Domain Controllers. The KCC allows for the replication topology of site replication
within sites and between sites. Between sites, replication is done through SMTP or RPC
whilst Intersite replication is done using procedure calls over IP.
Group Policy can control everything from user interface settings such as screen background
images to deep control settings in the client such as its TCP/IP configuration and
authentication settings. There are currently over 500 controllable settings. Microsoft has
provided some templates as well to provide a starting point for creating policy objects.
A significant advantage of group policy over the old NT-style policies is that the changes they
make are reversed when the policy no longer applies to a system. In NT 4, once a policy was
applied to a system, removing that policy did not by itself roll back the settings that it
imposed on the client. With Windows 2000, when a specified policy no longer applies to a
system it will revert to its previous state without administrative interference.
Multiple policies from different sources can be applied to the same object. For example, a
domain might have one or more domain-wide policies that apply to all systems in the
domain. Below that, systems in an OU can also have policy objects applied to it, and the OU
can even be further divided into sub-OU's with their own policies.
This can create a very complex web of settings so administrators must be very careful when
creating these multiple layers of policy to make sure the end result -- which is the union of
all of the applicable policies with the "closest" policy taking priority in most cases -- is correct
for that system. In addition, because Group policy is checked and applied during the system
boot process for machine settings and again during logon for user settings, it is
recommended that GPO's be applied to a computer from no more than five "layers" in the
AD to keep reboot and/or login times from becoming unacceptably long.
Security groups: Use Security groups for granting permissions to gain access to resources.
Sending an e-mail message to a group sends the message to all members of the group.
Therefore security groups share the capabilities of distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages to groups of
users. You cannot grant permissions to security groups. Even though security groups have all
the capabilities of distribution groups, distribution groups still requires, because some
applications can only read distribution groups.
Domain Local Group: Use this scope to grant permissions to domain resources that are
located in the same domain in which you created the domain local group. Domain local
groups can exist in all mixed, native and interim functional level of domains and forests.
Domain local group memberships are not limited as you can add members as user accounts,
universal and global groups from any domain. Just to remember, nesting cannot be done in
domain local group. A domain local group will not be a member of another Domain Local or
any other groups in the same domain.
Global Group: Users with similar function can be grouped under global scope and can be
given permission to access a resource (like a printer or shared folder and files) available in
local or another domain in same forest. To say in simple words, Global groups can be use to
grant permissions to gain access to resources which are located in any domain but in a single
forest as their memberships are limited. User accounts and global groups can be added only
from the domain in which global group is created. Nesting is possible in Global groups within
other groups as you can add a global group into another global group from any domain.
Finally to provide permission to domain specific resources (like printers and published
folder), they can be members of a Domain Local group. Global groups exist in all mixed,
native and interim functional level of domains and forests.
Universal Group Scope: These groups are precisely used for email distribution and can be
granted access to resources in all trusted domain as these groups can only be used as a
security principal (security group type) in a windows 2000 native or windows server 2003
domain functional level domain. Universal group memberships are not limited like global
groups. All domain user accounts and groups can be a member of universal group. Universal
groups can be nested under a global or Domain Local group in any domain.
The Microsoft definition of the Replmon tool is as follows; This GUI tool enables
administrators to view the low-level status of Active Directory replication, force
synchronization between domain controllers, view the topology in a graphical format, and
monitor the status and performance of domain controller replication.
NETDOM is a command-line tool that allows management of Windows domains and trust
relationships. It is used for batch management of trusts, joining computers to domains,
verifying trusts, and secure channels.
To allow users in one domain to access resources in another, Active Directory uses trusts.
Trusts inside a forest are automatically created when domains are created. The forest sets
the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for
all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut
(joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or
two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive,
one- or two-way) in order to connect to other forests or non-AD domains.
A nonauthoritative restore is the default method for restoring Active Directory. To perform
a nonauthoritative restore, you must be able to start the domain controller in Directory
Services Restore Mode. After you restore the domain controller from backup, replication
partners use the standard replication protocols to update Active Directory and associated
information on the restored domain controller.
An authoritative restore brings a domain or a container back to the state it was in at the
time of backup and overwrites all changes made since the backup. If you do not want to
replicate the changes that have been made subsequent to the last backup operation, you
must perform an authoritative restore. In this one needs to stop the inbound replication first
before performing the An authoritative restore.
37. What is OU ?
Organization Unit is a container object in which you can keep objects such as user accounts,
groups, computer, printer . applications and other (OU). In organization unit you can assign
specific permission to the user’s. organization unit can also be used to create departmental
limitation.
Organizations that operate on radically different bases may require separate trees with
distinct namespaces. Unique trade or brand names often give rise to separate DNS
identities. Organizations merge or are acquired and naming continuity is desired.
Organizations form partnerships and joint ventures. While access to common resources is
desired, a separately defined tree can enforce more direct administrative and security
restrictions.
Adding one group as a member of another group is called ‘group nesting’. This will help for
easy administration and reduced replication traffic.
When a user enters a user name and password, the computer sends the user name to the
Key Distribution Centre (KDC). The KDC contains a master database of unique long term keys
for every principal in its realm. The KDC looks up the user’s master key (KA), which is based
on the user’s password. The KDC then creates two items: a session key (SA) to share with the
user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user
name, and an expiration time. The KDC encrypts this ticket by using its own master key
(KKDC), which only the KDC knows. The client computer receives the information from the
KDC and runs the user’s password through a one-way hashing function, which converts the
password into the user’s KA. The client computer now has a session key and a TGT so that it
can securely communicate with the KDC. The client is now authenticated to the domain and
is ready to access other resources in the domain by using the Kerberos protocol.
The global catalog is a distributed data repository that contains a searchable, partial
representation of every object in every domain in a multidomain Active Directory Domain
Services (AD DS) forest. The global catalog is stored on domain controllers that have been
designated as global catalog servers and is distributed through multi master replication.
Searches that are directed to the global catalog are faster because they do not involve
referrals to different domain controllers.
The global catalog provides the ability to locate objects from any domain without having to
know the domain name. A global catalog server is a domain controller that, in addition to its
full, writable domain directory partition replica, also stores a partial, read-only replica of all
other domain directory partitions in the forest.
Forest-wide searches. The global catalog provides a resource for searching an AD DS forest.
Forest-wide searches are identified by the LDAP port that they use. If the search query uses
port 3268, the query is sent to a global catalog server. User logon. In a forest that has more
than one domain, two conditions require the global catalog during user authentication:
Universal Group Membership Caching: In a forest that has more than one domain, in sites
that have domain users but no global catalog server, Universal Group Membership Caching
can be used to enable caching of logon credentials so that the global catalog does not have
to be contacted for subsequent user logons. This feature eliminates the need to retrieve
universal group memberships across a WAN link from a global catalog server in a different
site.
o In a domain that operates at the Windows 2000 native domain functional level or higher, domain
controllers must request universal group membership enumeration from a global catalog server.
o When a user principal name (UPN) is used at logon and the forest has more than one domain, a
global catalog server is required to resolve the name.
Exchange Address Book lookups. Servers running Microsoft Exchange Server rely on access
to the global catalog for address information. Users use global catalog servers to access the
global address list (GAL).
Domain controllers and Sites. Domain controllers are physical computers which is running
Windows Server operating system and Active Directory data base. Sites are a network
segment based on geographical location and which contains multiple domain controllers in
each site.
Domains, Organizational Units, trees and forests are logical components of Active Directory.
Read only domain controller (RODC) is a feature of Windows Server 2008 Operating System.
RODC is a read only copy of Active Directory database and it can be deployed in a remote
branch office where physical security cannot be guaranteed. RODC provides more improved
security and faster log on time for the branch office.
Role seizure is the action of assigning an operations master role to a new domain controller
without the support of the existing role holder (generally because it is offline due to a
hardware failure). During role seizure, a new domain controller assumes the operations
master role without communicating with the existing role holder. Role seizure can be done
using repadmin.exe and Ntdsutil.exe commands.
We can use ntdsutil commands to perform database maintenance of AD DS, manage and
control single master operations, Active Directory Backup restoration and remove metadata
left behind by domain controllers that were removed from the network without being
properly uninstalled.
48. A user is unable to log into his desktop which is connected to a domain. What are the
troubleshooting steps you will consider?
Check the network connection on the desktop. Try to ping to the domain controller. Run and
check if name resolution is working. Check Active Directory for the computer account of the
desktop. Compare the time settings on the desktop and Domain controller. Remove the
desktop from domain and rejoin to domain.
49. A Domain Controller called ABC is failing replication with XYZ. How do you troubleshoot
the issue?
Active Directory replication issue can occur due to variety of reasons. For example, DNS
issue, network problems, security issues etc. Troubleshooting can start by verifying DNS
records. Then remove and recreate Domain Controller replication link. Check the time
settings on both replication partners.
Garbage collection is a process of Active Directory. This process starts by removing the
remains of previously deleted objects from the database. These objects are known as
tombstones. Then, the garbage collection process deletes unnecessary log files. And the
process starts a defragmentation thread to claim additional free space. The garbage
collection process is running on all the domain controllers in an interval of 12 hours.