
Question1. Mention What Is Active Directory?

Answer : Active Directory is a directory structure used on Microsoft Windows-based servers and
computers to store data and information about networks and domains.

Question2. What Is Domains In Active Directory?

Answer : In Windows 2000, a domain defines both an administrative boundary and a security boundary for
a collection of objects that are relevant to a specific group of users on a network. A domain is an
administrative boundary because administrative privileges do not extend to other domains. It is a security
boundary because each domain has a security policy that extends to all security accounts within the
domain. Active Directory stores information about objects in one or more domains.
Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the
domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also
can be the parent of one or more child domains.

Question3. Mention Which Is The Default Protocol Used In Directory Services?

Answer : The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).

Question4. What Is Mixed Mode?

Answer : Mixed mode allows domain controllers running both Windows 2000 and earlier versions of Windows
NT to coexist in the domain. In mixed mode, the domain features from previous versions of Windows NT
Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are
installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain
controllers present. Nested groups are not supported in mixed mode.

Question5. Explain The Term Forest In Ad?

Answer : A forest is a collection of AD domains that share a single AD schema. All DCs in the forest share
this schema, which is replicated among them in a hierarchical fashion.

Question6. What Is Native Mode?

Answer : Native mode is when all the domain controllers in a given domain are running Windows 2000
Server. This mode allows organizations to take advantage of new Active Directory features such as
universal groups, nested group membership, and inter-domain group membership.

Question7. Explain What Is Sysvol?

Answer : The SYSVOL folder holds the server’s copy of the domain’s public files. Its contents (users, group
policy, etc.) are replicated to all domain controllers in the domain.

Question8. What Is Ldap?

Answer : LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths
are used to access AD objects and include the following:

o Distinguished names
o Relative Distinguished names

Question9. Mention What Is Kerberos?

Answer : Kerberos is a network authentication protocol. It is built to offer strong authentication for
client/server applications by using secret-key cryptography.

Question10. Minimum Requirement For Installing Ad?

Answer :

o Windows Server, Advanced Server, Datacenter Server
o Minimum disk space of 200MB for AD and 50MB for log files
o NTFS partition
o TCP/IP installed and configured to use DNS
o Administrative privilege for creating a domain in an existing network

Question11. Mention What Are Lingering Objects?

Answer : Lingering objects can exist if a domain controller does not replicate for an interval of time that is
longer than the tombstone lifetime (TSL).

Question12. What Is Domain Controller?

Answer : In an Active Directory forest, a domain controller is a server that holds a writable copy of the
Active Directory database, participates in Active Directory replication, and controls access to network
resources.

Question13. Mention What Is Tombstone Lifetime?

Answer : The tombstone lifetime in Active Directory determines how long a deleted object is retained in
Active Directory. Deleted objects in Active Directory are stored in a special object referred to as a
TOMBSTONE. By default, Windows uses a 60-day tombstone lifetime if no value is set in the forest
configuration.

Question14. Why We Need Netlogon?

Answer : Netlogon maintains a secure channel between the computer and the domain controller for
authenticating users and services. If this service is stopped, the computer may not be able to authenticate
users and services, and the domain controller cannot register DNS records.

Question15. Explain What Is Active Directory Schema?

Answer : The schema is the Active Directory component that describes all the attributes and objects that
the directory service uses to store data.

Question16. What Is Dns Scavenging?

Answer : Scavenging helps you clean up old, unused (stale) records in DNS.

Question17. Explain What Is A Child Dc?

Answer : A child DC (CDC) is a domain controller for a child domain under the root domain, sharing its
namespace.

Question18. What Is New In Windows Server 2008 Active Directory Domain Services?

Answer : AD Domain Services auditing, Fine-Grained Password Policies, Read-Only Domain Controllers,
Restartable Active Directory Domain Services.

Question19. Explain What Is Rid Master?

Answer : RID stands for Relative Identifier. The RID master is responsible for assigning unique IDs to the
objects created in AD.

Question20. Explain What Are Rodcs? And What Are The Major Benefits Of Using Rodcs?

Answer : RODC stands for Read-Only Domain Controller. With RODCs, organizations can easily deploy a
domain controller in locations where physical security cannot be guaranteed.

Question21. Mention What Are The Components Of Ad?

Answer : Components of AD include:

o Logical structure: trees, forest, domains and OUs.
o Physical structure: domain controllers and sites.

Question22. What Is The Number Of Permitted Unsuccessful Log Ons On Administrator Account?

Answer : Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of
the Administrators group.

Question23. Explain What Is Infrastructure Master?

Answer : The Infrastructure Master is responsible for updating information about users and groups and the
global catalogue.

Question24. What Hidden Shares Exist On Windows Server 2003 Installation?

Answer : Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

Question25. Can You Connect Active Directory To Other 3rd-party Directory Services? Name
A Few Options?

Answer : Yes, you can connect Active Directory to other 3rd-party directory services, such as the directories
used by SAP, Domino, etc., with the help of MIIS (Microsoft Identity Integration Server).

Question26. What Is The List Folder Contents Permission On The Folder In Ntfs?

Answer : Same as Read & Execute, but not inherited by files within a folder. However, newly created
subfolders will inherit this permission.

Question27. How Do I Set Up Dns For Other Dcs In The Domain That Are Running Dns?

Answer : For each additional DC that is running DNS, the preferred DNS setting is the parent DNS server
(the first DC in the domain), and the alternate DNS setting is the actual IP address of the network interface.

Question28. Where Is Gpt Stored?

Answer : %SystemRoot%\SYSVOL\sysvol\<domainname>\Policies\<GUID>

Question29. Tell Me What Should I Do If The Dc Points To Itself For Dns, But The Srv
Records Still Do Not Appear In The Zone?

Answer : Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools
from the Windows 2000 Server CD-ROM to run Netdiag.exe.

Question30. Abbreviate Gpt And Gpc?

Answer :

o GPT: Group Policy Template.
o GPC: Group Policy Container.

Question31. Tell Me What If My Windows 2000 Or Windows Server 2003 Dns Server Is Behind
A Proxy Server Or Firewall?

Answer : If you are able to query the ISP's DNS servers from behind the proxy server or firewall, the
Windows 2000 or Windows Server 2003 DNS server is able to query the root hint servers as well. UDP and
TCP port 53 should be open on the proxy server or firewall.

Question32. Explain What Is The Difference Between Local, Global And Universal Groups?

Answer : Domain local groups are used to assign access permissions (typically to global groups) for
resources in the local domain. Global groups provide access to resources in other trusted domains.
Universal groups grant access to resources in all trusted domains.

Question33. Do You Know What Is The "." Zone In My Forward Lookup Zone?

Answer : This setting designates the Windows 2000 DNS server to be a root hint server and is usually
deleted. If you do not delete this setting, you may not be able to perform external name resolution to the
root hint servers on the Internet.

Question34. Define Lsdou?

Answer : It is the Group Policy inheritance model, in which policies are applied in the order Local machine,
Site, Domain and Organizational Unit.

Question35. Define Attribute Value?

Answer : An object's attribute is set concurrently to one value at one master, and another value at a
second master.

Question36. What Is Netdom?

Answer : NETDOM is a command-line tool that allows management of Windows domains and trust
relationships.

Question37. Do You Know How Kerberos V5 Works?

Answer : The Kerberos V5 authentication mechanism issues tickets (a set of identification data for a
security principal, issued by a DC for the purposes of user authentication; the two forms of tickets in
Windows 2000 are ticket-granting tickets (TGTs) and service tickets) for accessing network services. These
tickets contain encrypted data, including an encrypted password, which confirms the user's identity to the
requested service.

Question38. What Is Adsiedit?

Answer : ADSI Edit is an LDAP editor for managing objects in Active Directory. This Active Directory tool
lets you view objects and attributes that are not exposed in the Active Directory Management Console.

Question39. What Is Kerberos V5 Authentication Process?

Answer : Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5
protocol verifies both the identity of the user and network services. This dual verification is known as mutual
authentication.
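The three exchanges that Question37 and Question39 describe (AS, TGS and AP, with the service replying to prove itself, which is the mutual authentication of Question39), written out as an added Python simulation. This is example code added here, not code from the page; the realm CORP.EXAMPLE, the principals alice and cifs/fs01, and the seal/unseal routine (a SHA-256 keystream with an HMAC tag standing in for a real Kerberos encryption type) are all constructed for the demonstration. What the page calls encrypted identity data is modelled as a session key sealed inside each ticket; a wrong password fails at the AS exchange, before any ticket is issued.

```python
import hashlib
import hmac
import json
import os
import time


# Constructed stand-in for a Kerberos encryption type: SHA-256 keystream plus an
# HMAC-SHA256 tag, so "sealed under key K" is concrete and tamper-evident.
# It is NOT a real Kerberos etype (those are AES-based).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, data: dict) -> bytes:
    plain = json.dumps(data, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    plain = bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(plain)


def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key derived from a password (Kerberos salts with realm + principal)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


class KDC:
    """Constructed KDC for realm CORP.EXAMPLE: one user, one service, the krbtgt key."""

    def __init__(self) -> None:
        self.realm = "CORP.EXAMPLE"
        self.keys = {
            "alice": string_to_key("correct horse battery", self.realm + "alice"),
            "cifs/fs01": os.urandom(32),   # service's long-term key (machine account)
            "krbtgt": os.urandom(32),      # key that protects every TGT
        }

    def as_exchange(self, user: str, preauth: bytes) -> tuple[bytes, bytes]:
        # AS-REQ carries pre-authentication: a timestamp sealed under the user's key.
        # A wrong password makes unseal() fail here, before any ticket is issued.
        ts = unseal(self.keys[user], preauth)["timestamp"]
        if abs(time.time() - ts) > 300:
            raise ValueError("clock skew too large")
        session = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": user, "session": session.hex()})
        return tgt, seal(self.keys[user], {"session": session.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> tuple[bytes, bytes]:
        # TGS-REQ: the TGT (opaque to the client) plus an authenticator under the TGT session key.
        ticket_data = unseal(self.keys["krbtgt"], tgt)
        tgt_session = bytes.fromhex(ticket_data["session"])
        if unseal(tgt_session, authenticator)["client"] != ticket_data["client"]:
            raise ValueError("authenticator does not match the TGT")
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service],
                      {"client": ticket_data["client"], "session": svc_session.hex()})
        return ticket, seal(tgt_session, {"service": service, "session": svc_session.hex()})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> bytes:
    """AP exchange, server side: open the ticket with the service's own key, check the
    authenticator, then prove possession of the session key back to the client (AP-REP)."""
    ticket_data = unseal(service_key, ticket)
    session = bytes.fromhex(ticket_data["session"])
    auth = unseal(session, authenticator)
    if auth["client"] != ticket_data["client"]:
        raise ValueError("authenticator does not match the ticket")
    return seal(session, {"timestamp": auth["timestamp"]})


def authenticate(kdc: KDC, user: str, password: str, service: str) -> bool:
    """Client side of all three exchanges; True only if the service also proved itself."""
    user_key = string_to_key(password, kdc.realm + user)
    tgt, as_rep = kdc.as_exchange(user, seal(user_key, {"timestamp": time.time()}))
    tgt_session = bytes.fromhex(unseal(user_key, as_rep)["session"])
    ticket, tgs_rep = kdc.tgs_exchange(
        tgt, seal(tgt_session, {"client": user, "timestamp": time.time()}), service)
    svc_session = bytes.fromhex(unseal(tgt_session, tgs_rep)["session"])
    now = time.time()
    ap_rep = service_accept(kdc.keys[service], ticket,
                            seal(svc_session, {"client": user, "timestamp": now}))
    return unseal(svc_session, ap_rep)["timestamp"] == now   # mutual authentication
```

Note what each party never sees: the service never learns the user's password or the krbtgt key, and the client never learns the service's key; each side only ever opens blobs sealed under a key it legitimately holds, which is why a forged ticket fails the integrity check rather than being accepted.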

Question40. Define The Schema Master Failure?

Answer : Temporary loss of the schema operations master will be visible only if we are trying to modify the
schema or install an application that modifies the schema during installation. A DC whose schema master
role has been seized must never be brought back online.

Question41. What Is Replmon?

Answer : Replmon is the first tool you should use when troubleshooting Active Directory replication issues.

Question42. How To Find Fsmo Roles?

Answer : netdom query fsmo, or Replmon.exe.

Question43. Describe The Infrastructure Fsmo Role?

Answer : When an object in one domain is referenced by another object in another domain, it represents
the reference by the GUID, the SID (for references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and
distinguished name in a cross-domain object reference.
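The cross-domain reference mechanism just described (reference by GUID, SID and DN; the infrastructure master refreshing the stored DN after the referenced object is renamed elsewhere), as an added Python model. This is example code added here, not the page's own; the Domain, DirObject and GlobalCatalog classes, the domain names and the SID value are constructed for the demonstration, and the GC is modelled simply as a lookup across all domains by GUID.

```python
from dataclasses import dataclass, field


@dataclass
class DirObject:
    guid: str   # never changes for the life of the object
    sid: str    # changes only if the object moves between domains
    dn: str     # changes on every rename or move


@dataclass
class Domain:
    name: str
    objects: dict = field(default_factory=dict)    # guid -> DirObject (full objects of this domain)
    phantoms: dict = field(default_factory=dict)   # guid -> (sid, dn) for objects referenced from elsewhere

    def rename(self, guid: str, new_dn: str) -> None:
        self.objects[guid].dn = new_dn              # GUID and SID are untouched by a rename


class GlobalCatalog:
    """Constructed GC: a partial replica of every domain, searchable by GUID."""

    def __init__(self, domains: list) -> None:
        self.domains = domains

    def lookup(self, guid: str) -> DirObject:
        for domain in self.domains:
            if guid in domain.objects:
                return domain.objects[guid]
        raise KeyError(guid)


def add_cross_domain_member(group_domain: Domain, member: DirObject) -> None:
    """A group in group_domain references a principal from another domain through a
    phantom record holding the member's GUID, SID and DN."""
    group_domain.phantoms[member.guid] = (member.sid, member.dn)


def infrastructure_master_pass(domain: Domain, gc: GlobalCatalog) -> list:
    """Compare each phantom's stored SID/DN with the GC copy (matched by GUID) and
    rewrite stale ones. Returns the GUIDs that were corrected."""
    fixed = []
    for guid, (sid, dn) in list(domain.phantoms.items()):
        current = gc.lookup(guid)
        if (current.sid, current.dn) != (sid, dn):
            domain.phantoms[guid] = (current.sid, current.dn)
            fixed.append(guid)
    return fixed


def rename_demo() -> tuple:
    """Bob (Sales domain) is in a group in the HQ domain; Sales renames him."""
    sales, hq = Domain("sales.corp.example"), Domain("corp.example")
    bob = DirObject("guid-bob", "S-1-5-21-1-2-3-1105",
                    "CN=Bob,OU=Staff,DC=sales,DC=corp,DC=example")
    sales.objects[bob.guid] = bob
    add_cross_domain_member(hq, bob)
    sales.rename("guid-bob", "CN=Robert,OU=Managers,DC=sales,DC=corp,DC=example")
    stale_dn = hq.phantoms["guid-bob"][1]            # HQ still holds the old DN
    fixed = infrastructure_master_pass(hq, GlobalCatalog([sales, hq]))
    return stale_dn, fixed, hq.phantoms["guid-bob"][1]
```

The GUID is the stable handle throughout: it is what lets the phantom be matched to the renamed object at all. This is also why, in a real forest, the infrastructure master should not sit on a domain controller that is itself a global catalog (unless every DC is a GC): a GC-hosting infrastructure master holds no phantoms to compare against and never detects the stale references.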

Question44. What Are The Advantages Of Active Directory Sites?

Answer : Active Directory Sites and Services allow you to specify site information. Active Directory uses
this information to determine how best to use available network resources.

Question45. Define Edb.chk?

Answer : This is the checkpoint file used to track data not yet written to the database file. It indicates the
starting point from which data is to be recovered from the log file in case of failure.

Question46. Define Edb.log?

Answer : This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log,
where nnnn is an increasing number starting from 1.

Question47. How To View All The Gcs In The Forest?

Answer : repadmin.exe /options * (and look for IS_GC among each DC's current options), or:
nltest /dsgetdc:corp /GC

Question48. How To Seize Fsmo Roles?

Answer : Run ntdsutil, type roles, then connections, then connect to server <servername>, then q. At the
fsmo maintenance prompt, type seize rid master.

Question49. How To Transfer Fsmo Roles?

Answer : Run ntdsutil, type roles, then connections, then connect to server <servername>, then q. At the
fsmo maintenance prompt, type transfer rid master.

Question50. What Is The Kcc (knowledge Consistency Checker)?

Answer : The KCC generates and maintains the replication topology for replication within sites and
between sites. KCC runs every 15 minutes.

Question51. What Is Schema Information In Active Directory?

Answer : Definitional details about the objects and attributes that one can store in AD. It replicates to all
DCs and is static in nature.

Question52. What Is Online Defragmentation In Active Directory?

Answer : Online defragmentation is a method that runs as part of the garbage collection process. The only
advantage of this method is that the server does not need to be taken offline for it to run. However, this
method does not shrink the Active Directory database file (Ntds.dit).

Question53. What Is Ads Database Garbage Collection Process?

Answer : Garbage collection is a process that is designed to free space within the Active Directory
database. This process runs independently on every DC, with a default interval of 12 hours.

Question54. Define Res1.log And Res2.log?

Answer : These are reserved transaction log files totalling 20 MB (10 MB each), which give the transaction
log files enough room to shut down cleanly if the other space is used up.

Question55. What Is Domain Information In Active Directory?

Answer : Object information for a domain. It replicates to all DCs within the domain. The object portion
becomes part of the GC; the attribute values replicate only within the domain.

Question56. What Is Lightweight Directory Access Protocol?

Answer : LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths
are used to access AD objects and include the following:

o Distinguished names
o Relative Distinguished names
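The two naming paths that Question8 and Question56 list (distinguished names and relative distinguished names), as an added Python example that parses a DN into its RDNs and builds one back with the escaping LDAP requires. This is example code added here, not the page's own; the sample DNs and the function names are constructed for the demonstration. It covers the edge case a naive `split(",")` gets wrong: a value such as "Smith, John" that contains a comma, which must be escaped inside the DN.

```python
# Characters that must be backslash-escaped inside an attribute value (RFC 4514).
_SPECIAL = set('",+;<>\\')


def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) RDNs, honouring backslash and \\XX hex escapes.
    Multi-valued RDNs (a+b) are kept as a single value string."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in " #=":
                current.append(nxt)          # escaped special character
                i += 2
                continue
            current.append(chr(int(dn[i + 1:i + 3], 16)))   # \XX hex escape
            i += 3
            continue
        if ch == ",":
            rdns.append("".join(current))    # unescaped comma ends the RDN
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not attr or not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip(), value))
    return out


def escape_value(value: str) -> str:
    """Escape an attribute value so embedding it in a DN cannot alter the DN's structure."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_dn(rdns: list) -> str:
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def rdn_of(dn: str) -> str:
    """Relative distinguished name: the leftmost component, re-escaped."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={escape_value(value)}"


def parent_dn(dn: str) -> str:
    """The container the object lives in: everything after the RDN."""
    return build_dn(parse_dn(dn)[1:])
```

Building a DN by string concatenation with an unescaped, user-supplied value is how an attacker-chosen name can add or remove components; always route values through escape_value (or the equivalent in your LDAP library) and parse with an escape-aware parser, never with a plain split on commas.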

Question57. How Will You Verify Whether The Ad Installation Is Proper With Srv Resource
Records?

Answer : Verify SRV Resource Records: After AD is installed, the DC will register SRV records in DNS
when it restarts. We can check this using DNS MMC or nslookup command.

Question58. What Is Ntds.dit?

Answer : This is the AD database and stores all AD objects. The default location is
%SystemRoot%\ntds\NTDS.DIT.
Active Directory's database engine is the Extensible Storage Engine, which is based on the Jet database
and can grow up to 16 TB.

Question59. What Is Ntds.dit Schema Table?

Answer : The types of objects that can be created in the Active Directory, relationships between them, and
the attributes on each type of object. This table is fairly static and much smaller than the data table.

Question60. Mention What Is The Difference Between Domain Admin Groups And Enterprise
Admins Group In Ad?

Answer : Enterprise Admins group:

Members of this group have complete control of all domains in the forest. By default, this group belongs to
the Administrators group on all domain controllers in the forest. As such, this group has full control of the
forest; add users with caution.

Domain Admins group:

Members of this group have complete control of the domain. By default, this group is a member of the
Administrators group on all domain controllers, workstations and member servers at the time they are joined
to the domain. As such, the group has full control in the domain; add users with caution.

Question1. Differences B/w Conditional Forwarding And Stub Zones?

Answer : Both do the same kind of thing: they forward requests to the name servers that are authoritative
for the domains in the queries. There is a difference, however: stub zones are dynamic and conditional
forwarders are static.

Conditional Forwarding – Where you want DNS clients in separate networks to resolve each others’
names without having to query DNS servers on the Internet, such as in the case of a company merger, you
should configure the DNS servers in each network to forward queries for names in the other network. DNS
servers in one network will forward names for clients in the other network to a specific DNS server that will
build up a large cache of information about the other network. When forwarding in this way, you create a
direct point of contact between two networks’ DNS servers, reducing the need for recursion.

Stub Zone – Stub zones are dynamic. A stub zone is like a secondary zone in that it obtains its resource
records from other name servers (one or more master name servers). A stub zone is also read-only like a
secondary zone, so administrators can’t manually add, remove, or modify resource records on it. But the
differences end here, as stub zones are quite different from secondary zones in a couple of significant
ways. First, while secondary zones contain copies of all the resource records in the corresponding zone on
the master name server, stub zones contain only three kinds of resource records:

o A copy of the SOA record for the zone.
o Copies of NS records for all name servers authoritative for the zone.
o Copies of A records for all name servers authoritative for the zone.

Question2. What Is Gpt And Gpc?

Answer : A GPO (Group Policy Object) is a collection of Group Policy settings; it consists of a GPC and a
GPT.

GPC (Group Policy Container): Contains the information of property of GPO like Security Filtering, GPO
Status, GPO GUID etc.

GPT (Group Policy Template): Contains the GPO's settings data, stored in the Sysvol folder; after a GPO
has been configured, it can be checked to see which settings will be applied to the client.

Question3. What Is Majority Node Set?

Answer : From a server cluster perspective, a majority node set is a single quorum resource; however, the
data is actually stored on multiple disks across the cluster. Each cluster node stores the configuration on a
local disk it can access when it starts up. By default, the location is
%systemroot%\cluster\<ResourceGUID>.

Further Explained :- http://www.yourcomputer.in/windows-cluster-interview-questions-and-answers/

If the configuration of the cluster changes, that change is replicated across the different disks

Question4. What Is Nlb?

Answer : NLB (Network Load Balancing) is a Microsoft implementation of clustering and load balancing that
is intended to provide high availability and high reliability, as well as high scalability.

http://technet.microsoft.com/en-us/library/cc779570(v=ws.10).aspx

Question5. Difference Between Unicast And Multicast ?

Answer : Unicast:

Unicast is a one-to-one connection between the client and the server. Unicast uses IP delivery methods
such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), which are session-
based protocols. When a Windows Media Player client connects using unicast to a Windows Media server,
that client has a direct relationship to the server. Each unicast client that connects to the server takes up
additional bandwidth. For example, if you have 10 clients all playing 100-kilobits per second (Kbps)
streams, those clients as a group are taking up 1,000 Kbps. If you have only one client playing the 100
Kbps stream, only 100 Kbps is being used.

Multicast:

Multicast is a true broadcast. The multicast source relies on multicast-enabled routers to forward the
packets to all client subnets that have clients listening. There is no direct relationship between the clients
and the Windows Media server. The Windows Media server generates an .nsc (NetShow channel) file when
the multicast station is first created. Typically, the .nsc file is delivered to the client from a Web server. This
file contains information that the Windows Media Player needs to listen for the multicast. This is similar to
tuning into a station on a radio. Each client that listens to the multicast adds no additional overhead on the
server. In fact, the server sends out only one stream per multicast station. The same load is experienced on
the server whether only one client or 1,000 clients are listening.

http://support.microsoft.com/kb/291786

Question6. What Is New In Windows 2008 Ad?

Answer :

o Read-Only Domain Controllers
o Fine-Grained Password Policies
o Restartable Active Directory Service
o Backup and Recovery
o SYSVOL Replication with DFS-R
o Auditing Improvements
o UI Improvements

Question7. What Is Strict Replication?

Answer : Strict replication is a mechanism of Active Directory replication. If a domain controller has strict
replication enabled, then that domain controller will not accept “lingering objects” from a domain controller
that was isolated for longer than the tombstone lifetime (TSL). TSL is 180 days by default in a forest created
with Windows Server 2003 SP1. A domain controller shouldn’t be out of sync for longer than this period.
Lingering objects may appear on other domain controllers if replication happens with the outdated domain
controllers. Domain controllers will not replicate with the outdated domain controllers if you have set the
registry key below. You must set the following registry setting on all the domain controllers to enable strict
replication:

  Key name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

  Registry entry: Strict Replication Consistency

  Value: 1 (enabled), 0 (disabled)

  Type: REG_DWORD
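The interplay of tombstone lifetime (Question13 of the first set), lingering objects (Question11) and the strict replication setting above, as an added Python simulation. This is example code added here, not the page's own; the DomainController class, the DC names and the object DN are constructed for the demonstration, and the 60-day TSL default is the one the first set of questions gives. A strict DC refuses inbound replication from a partner that has been out of sync longer than the TSL; a non-strict DC accepts it, and an object that was deleted and garbage-collected comes back to life.

```python
from datetime import datetime, timedelta


class ReplicationRefused(Exception):
    """A strict DC refuses inbound replication that could reintroduce lingering objects."""


class DomainController:
    """Constructed, much simplified DC: a set of objects (live or tombstoned) plus, per
    partner, the time of the last successful inbound replication from that partner."""

    def __init__(self, name: str, strict: bool, tsl: timedelta = timedelta(days=60)):
        self.name, self.strict, self.tsl = name, strict, tsl
        self.objects = {}      # dn -> {"deleted": bool, "deleted_at": datetime | None}
        self.last_sync = {}    # partner name -> datetime of last successful inbound replication

    def create(self, dn: str) -> None:
        self.objects[dn] = {"deleted": False, "deleted_at": None}

    def delete(self, dn: str, now: datetime) -> None:
        # A deletion is not an erasure: the object becomes a tombstone that replicates.
        self.objects[dn] = {"deleted": True, "deleted_at": now}

    def garbage_collect(self, now: datetime) -> list:
        """Drop tombstones older than the tombstone lifetime (real DCs do this every 12 h)."""
        expired = [dn for dn, o in self.objects.items()
                   if o["deleted"] and now - o["deleted_at"] > self.tsl]
        for dn in expired:
            del self.objects[dn]
        return expired

    def replicate_from(self, partner: "DomainController", now: datetime) -> list:
        """Inbound replication from `partner`. Returns DNs that reappeared as live objects
        although this DC had deleted and garbage-collected them: lingering objects."""
        last = self.last_sync.get(partner.name)
        if self.strict and last is not None and now - last > self.tsl:
            raise ReplicationRefused(
                f"{self.name}: {partner.name} last replicated {(now - last).days} days ago, "
                f"beyond the {self.tsl.days}-day tombstone lifetime")
        lingering = []
        for dn, state in partner.objects.items():
            if dn not in self.objects:
                # Nothing local, not even a tombstone: the deletion was garbage-collected
                # here, so a live copy from the stale partner is a lingering object.
                self.objects[dn] = dict(state)
                if not state["deleted"]:
                    lingering.append(dn)
            elif state["deleted"] and not self.objects[dn]["deleted"]:
                self.objects[dn] = dict(state)     # apply the partner's deletion
        self.last_sync[partner.name] = now
        return lingering


def scenario(strict: bool) -> list:
    """DC2 drops off the network, DC1 deletes an object and garbage-collects the tombstone,
    then DC2 returns after 90 days still holding the live object."""
    t0 = datetime(2024, 1, 1)
    dc1, dc2 = DomainController("DC1", strict), DomainController("DC2", strict)
    dn = "CN=Bob,OU=Staff,DC=corp,DC=example"
    dc1.create(dn)
    dc2.replicate_from(dc1, t0)
    dc1.replicate_from(dc2, t0)                      # both DCs healthy at t0
    dc1.delete(dn, t0 + timedelta(days=1))           # DC2 is offline from here on
    dc1.garbage_collect(t0 + timedelta(days=62))     # 61 days > TSL: tombstone removed
    return dc1.replicate_from(dc2, t0 + timedelta(days=90))


def tombstone_demo() -> tuple:
    """A tombstone survives a 30-day-old garbage collection but not a 63-day-old one."""
    dc = DomainController("DC3", strict=True)
    dc.create("CN=Temp,DC=corp,DC=example")
    dc.delete("CN=Temp,DC=corp,DC=example", datetime(2024, 1, 2))
    return dc.garbage_collect(datetime(2024, 2, 1)), dc.garbage_collect(datetime(2024, 3, 5))
```

With strict consistency the refusal is the desired outcome: it stops the stale DC from resurrecting deleted accounts, groups or computer objects across the forest, and the refusal itself is the signal to clean the lingering objects off the stale DC (or demote it) before replication with it resumes.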

Question8. What Is Super Scope In Dhcp?

Answer : A superscope is an administrative feature of Dynamic Host Configuration Protocol (DHCP)
servers running Windows Server 2008 that you can create and manage by using the DHCP Microsoft
Management Console (MMC) snap-in. By using a superscope, you can group multiple scopes as a single
administrative entity. With this feature, a DHCP server can:

o Support DHCP clients on a single physical network segment (such as a single Ethernet
LAN segment) where multiple logical IP networks are used. When more than one logical IP network is used
on each physical subnet or network, such configurations are often called multinets.
o Support remote DHCP clients located on the far side of DHCP and BOOTP relay agents
(where the network on the far side of the relay agent uses multinets).

In multinet configurations, you can use DHCP superscopes to group and activate individual scope ranges
of IP addresses used on your network. In this way, the DHCP server can activate and provide leases from
more than one scope to clients on a single physical network.

Superscopes can resolve specific types of DHCP deployment issues for multinets, including situations in
which:

o The available address pool for a currently active scope is nearly depleted, and more computers need to
be added to the network. The original scope includes the full addressable range for a single IP network of
a specified address class. You need to use another range of IP addresses to extend the address space for
the same physical network segment.
o Clients must be migrated over time to a new scope (such as to renumber the current IP network from an
address range used in an existing active scope to a new scope that contains another range of IP
addresses).
o You want to use two DHCP servers on the same physical network segment to manage separate logical
IP networks.

Question9. What Is The Requirement To Configure Full Memory Dump In Windows?

Answer : To generate a complete memory dump file:

o Click Start > right-click Computer and select Properties in the menu.
o Click Advanced > Settings > Startup and Recovery > Settings > Write debugging
information > Complete memory dump.
o Click OK twice.

Question10. Which Dns Record Is Required For Replication?

Answer : Host A records of the replication partners (domain controllers), and SRV records to find the
domain controllers' GUIDs in the _msdcs zone (DC Locator).

Question11. Tools To Analyze Memory Dump?

Answer : Windows Debugger (WinDbg.exe) tool & Dumpchk.exe

Question12. Tools To Troubleshoot Group Policy Issues?

Answer : You can use built-in AD features to troubleshoot Group Policy issues, such as RSOP.msc (or run
RSoP by selecting users in Active Directory Users and Computers) and gpresult -v. The gpt.ini file in
SYSVOL under the Group Policy GUID folder can also be checked to find out which GPO settings are
configured.

Question13. How To Troubleshoot Ad Replication Issues?

Answer : It can be troubleshooted with Replmon, which reports the errors that also appear in Event Viewer.
DNS resolution between the two DCs should be checked, as should network/firewall issues.

Question14. Booting Sequence In Windows 2008?

Answer : Here is a brief description of the Windows Server 2008 boot process:

o System is powered on.
o The CMOS loads the BIOS and then runs POST.
o Looks for the MBR on the bootable device.
o Through the MBR the boot sector is located and BOOTMGR is loaded.
o BOOTMGR looks for the active partition.
o BOOTMGR reads the BCD file from the boot directory on the active partition.
o The BCD (boot configuration database) contains various configuration parameters (this information was
previously stored in boot.ini).
o BOOTMGR transfers control to the Windows Loader (winload.exe), or to winresume.exe in case the
system was hibernated.
o Winload loads drivers that are set to start at boot and then transfers control to the Windows kernel.

Question15. How To Edit Schema In Ad?

Answer : Firstly, schmmgmt.dll has to be registered. Then ADSI Edit tool can be used to edit schema.

Question16. Difference Between Windows 2003 & Windows 2008 Boot Process?

Answer : Windows 2003 boot process:

o POST
o The MBR reads the boot sector, which is the first sector of the active partition.
o Ntldr reads the path of the OS from boot.ini.
o Ntldr runs ntdetect.com to get information about the installed hardware.
o Ntldr reads the registry files, then selects a hardware profile and control set and loads device drivers.
o After that Ntoskrnl.exe takes over and starts winlogon.exe, which starts lsass.exe.

Windows Server 2008 boot process:

o System is powered on.
o The CMOS loads the BIOS and then runs POST.
o Looks for the MBR on the bootable device.
o Through the MBR the boot sector is located and BOOTMGR is loaded.
o BOOTMGR looks for the active partition.
o BOOTMGR reads the BCD file from the boot directory on the active partition.
o The BCD (boot configuration database) contains various configuration parameters (this information was
previously stored in boot.ini).
o BOOTMGR transfers control to the Windows Loader (winload.exe), or to winresume.exe in case the
system was hibernated.
o Winload loads drivers that are set to start at boot and then transfers control to the Windows kernel.

Question17. Name Of Utilities That Is Being Used To Check Multipathing.

Answer : The FCInfo utility or Storage Explorer (Windows 2008) can be used to check multipathing.

Question18. How To Create Host A Record Remotely?

Answer : dnscmd command can be used for creating a Resource Record on DNS server.
Below is the command:

dnscmd [<ServerName>] /recordadd <ZoneName> <NodeName> <RRType> <RRData>

Question19. What Is Glue Record?

Answer : Name servers in delegations are identified by name, rather than by IP address. This means that
a resolving name server must issue another DNS request to find out the IP address of the server to which it
has been referred. If the name given in the delegation is a subdomain of the domain for which the
delegation is being provided, there is a circular dependency. In this case the name server providing the
delegation must also provide one or more IP addresses for the authoritative name server mentioned in the
delegation. This information is called glue. The delegating name server provides this glue in the form of
records in the additional section of the DNS response, and provides the delegation in the answer section of
the response.

For example, if the authoritative name server for example.org is ns1.example.org, a computer trying to
resolve www.example.org first resolves ns1.example.org. Since ns1 is contained in example.org, this
requires resolving example.org first, which presents a circular dependency. To break the dependency, the
name server for the top level domain org includes glue along with the delegation for example.org. The glue
records are address records that provide IP addresses for ns1.example.org. The resolver uses one or more
of these IP addresses to query one of the domain’s authoritative servers, which allows it to complete the
DNS query.
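The delegation walk just described, as an added Python simulation of an iterative resolver over constructed zone data. This is example code added here, not the page's own; the server IPs (documentation ranges), the zones example.org and example.net, and the name server names are constructed for the demonstration, and it generalises the page's case by also delegating example.net to ns1.example.org, an out-of-bailiwick name server for which glue is correctly not needed. With the glue removed from the example.org delegation, the resolver hits the circular dependency the page describes and reports it instead of looping.

```python
class GlueMissing(Exception):
    """Referral to an in-bailiwick name server with no glue: resolution cannot proceed."""


def build_servers(with_glue: bool) -> dict:
    """Constructed authoritative data keyed by server IP. Each delegation carries the NS
    names plus any glue the server puts in the additional section of its referral."""
    return {
        "198.51.100.1": {   # root server
            "delegations": {
                "org.": {"ns": ["tld.ns.example."], "glue": {"tld.ns.example.": "198.51.100.2"}},
                "net.": {"ns": ["tld.ns.example."], "glue": {"tld.ns.example.": "198.51.100.2"}}},
            "answers": {}},
        "198.51.100.2": {   # TLD server for org. and net.
            "delegations": {
                "example.org.": {"ns": ["ns1.example.org."],          # in-bailiwick: glue needed
                                 "glue": {"ns1.example.org.": "203.0.113.53"} if with_glue else {}},
                "example.net.": {"ns": ["ns1.example.org."], "glue": {}}},   # out-of-bailiwick
            "answers": {}},
        "203.0.113.53": {   # ns1.example.org, authoritative for example.org. and example.net.
            "delegations": {},
            "answers": {"www.example.org.": "203.0.113.10",
                        "ns1.example.org.": "203.0.113.53",
                        "www.example.net.": "203.0.113.20"}},
    }


def _in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def query(servers: dict, server_ip: str, name: str) -> dict:
    """One authoritative query: an answer, a referral (with any glue), or NXDOMAIN."""
    s = servers[server_ip]
    if name in s["answers"]:
        return {"answer": s["answers"][name]}
    zones = [z for z in s["delegations"] if _in_zone(name, z)]
    if not zones:
        return {"error": "NXDOMAIN"}
    zone = max(zones, key=len)                       # most specific delegation wins
    d = s["delegations"][zone]
    return {"referral": zone, "ns": d["ns"], "glue": d["glue"]}


def resolve(servers: dict, name: str, root_ip: str = "198.51.100.1", depth: int = 0) -> str:
    """Iterative resolution from the root, following referrals until an answer."""
    if depth > 5:
        raise RecursionError("too many nested name-server lookups")
    server = root_ip
    for _ in range(10):
        r = query(servers, server, name)
        if "answer" in r:
            return r["answer"]
        if "error" in r:
            raise LookupError(f"{name}: {r['error']} from {server}")
        ns_name = r["ns"][0]
        if ns_name in r["glue"]:
            server = r["glue"][ns_name]              # address came from the additional section
        elif _in_zone(ns_name, r["referral"]):
            # The NS lives inside the zone being delegated and no glue was sent: finding
            # its address would mean asking that very zone. Circular dependency.
            raise GlueMissing(f"{ns_name} is inside {r['referral']} but no glue was provided")
        else:
            server = resolve(servers, ns_name, root_ip, depth + 1)   # out-of-bailiwick NS
    raise LookupError("referral loop")
```

A resolver that trusts glue for names outside the delegated zone would be accepting address data the referring server is not authoritative for; the code above only uses glue for the NS of the delegation it arrived with and resolves out-of-bailiwick names from the root, which is the bailiwick rule real resolvers apply to keep cache poisoning out of their additional-section processing.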

Question20. What Is Loopback Group Policy?

Answer : Group Policy applies to the user or computer in a manner that depends on where both the user
and the computer objects are located in Active Directory. However, in some cases, users may need policy
applied to them based on the location of the computer object alone. You can use the Group Policy
loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs
on to.
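The LSDOU processing order (Question34 of the first set) and the loopback behaviour just described, as an added Python model. This is example code added here, not the page's own nor Windows' actual Group Policy engine; the GPO names, the site, domain and OU containers, and the setting names are constructed for the demonstration. It shows the normal case (user settings follow the user object's location), loopback merge (the computer's user settings layered on top) and loopback replace (only the computer's user settings).

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)   # Computer Configuration settings
    user: dict = field(default_factory=dict)       # User Configuration settings


def resultant(links: dict, path: list, section: str) -> dict:
    """Apply the GPOs linked along `path` in LSDOU order (Local, Site, Domain, OU, child OU).
    Later containers win, so the closest OU overrides the domain, which overrides the site."""
    settings = {}
    for container in path:
        for gpo in links.get(container, []):
            settings.update(getattr(gpo, section))
    return settings


def user_policy(links: dict, user_path: list, computer_path: list, loopback=None) -> dict:
    """Resultant User Configuration. Without loopback it depends only on where the USER object
    sits. 'merge' processes the user's GPOs first, then the user settings of the COMPUTER's
    GPOs on top (they win on conflict); 'replace' uses only the computer's GPOs."""
    if loopback is None:
        return resultant(links, user_path, "user")
    from_computer = resultant(links, computer_path, "user")
    if loopback == "replace":
        return from_computer
    if loopback == "merge":
        merged = resultant(links, user_path, "user")
        merged.update(from_computer)
        return merged
    raise ValueError(f"unknown loopback mode {loopback!r}")


# Constructed forest: one site, one domain, a Staff OU for users and a Kiosks OU for computers.
LINKS = {
    "Local": [GPO("Local Policy", user={"ScreenSaverTimeout": 900})],
    "Site:HQ": [GPO("Site Baseline", computer={"FirewallOn": True})],
    "Domain:corp.example": [GPO("Default Domain Policy",
                                user={"ScreenSaverTimeout": 600, "Wallpaper": "corporate"},
                                computer={"MinPasswordLength": 14})],
    "OU:Staff": [GPO("Staff Users", user={"Wallpaper": "staff", "AllowUSB": True, "HomeDrive": "H:"})],
    "OU:Kiosks": [GPO("Kiosk Lockdown",
                      computer={"AutoLogon": True},
                      user={"Wallpaper": "kiosk", "AllowUSB": False, "HideRunMenu": True})],
}
USER_PATH = ["Local", "Site:HQ", "Domain:corp.example", "OU:Staff"]      # where the user object is
KIOSK_PATH = ["Local", "Site:HQ", "Domain:corp.example", "OU:Kiosks"]    # where the computer object is
```

Loopback is the setting to reach for on shared or untrusted-location machines (kiosks, conference rooms, jump hosts): without it, a staff member's permissive user settings (USB allowed here) follow them onto the kiosk; with merge the kiosk's restrictions win on conflict, and with replace the staff settings are not applied at all.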

Question1. Mention What Is Active Directory?

Answer : An active directory is a directory structure used on Micro-soft Windows based servers and
computers to store data and information about networks and domains.

Question2. What Is Domains In Active Directory?

Answer : In Windows 2000, a domain defines both an administrative boundary and a security boundary for
a collection of objects that are relevant to a specific group of users on a network. A domain is an
administrative boundary because administrative privileges do not extend to other domains. It is a security
boundary because each domain has a security policy that extends to all security accounts within the
domain. Active Directory stores information about objects in one or more domains.
Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the
domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also
can be the parent of one or more child domains.

Question3. Mention Which Is The Default Protocol Used In Directory Services?

Answer : The default protocol used in directory services is LDAP ( Lightweight Directory Access Protocol).

Question4. What Is Mixed Mode?


Answer : Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-
exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are
still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed
in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain
controllers present. Nested groups are not supported in mixed mode.

Question5. Explain The Term Forest In Ad?

Answer : Forest is used to define an assembly of AD domains that share a single schema for the AD. All
DC’s in the forest share this schema and is replicated in a hierarchical fashion among them.

Question6. What Is Native Mode?

Answer : When all the domain controllers in a given domain are running Windows 2000 Server. This mode
allows organizations to take advantage of new Active Directory features such as Universal groups, nested
group membership, and inter-domain group membership.

Question7. Explain What Is Sysvol?

Answer : The SysVOL folder keeps the server’s copy of the domain’s public files. The contents such as
users, group policy, etc. of the sysvol folders are replicated to all domain controllers in the domain.

Question8. What Is Ldap?

Answer : LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths
are used to access AD objects and include the following:

o Distinguished names
o Relative Distinguished names

Question9. Mention What Is Kerberos?

Answer : Kerberos is an authentication protocol for network. It is built to offer strong authentication for
server/client applications by using secret-key cryptography.

Question10. Minimum Requirement For Installing Ad?

Answer :

o Windows Server, Advanced Server, Datacenter Server


o Minimum Disk space of 200MB for AD and 50MB for log files
o NTFS partition
o TCP/IP Installed and Configured to use DNS
o Administrative privilege for creating a domain in existing network

Question11. Mention What Are Lingering Objects?

Answer : Lingering objects can exist if a domain controller does not replicate for an interval of time that is
longer than the tombstone lifetime (TSL).

Question12. What Is Domain Controller?


Answer : In an Active Directory forest, a domain controller is a server that holds a writable copy of the
Active Directory database, participates in Active Directory replication, and controls access to network
resources.

Question13. Mention What Is Tombstone Lifetime?

Answer : The tombstone lifetime in an Active Directory forest determines how long a deleted object is retained
in Active Directory. A deleted object is stored in a special form referred to as a tombstone. By default,
Windows uses a 60-day tombstone lifetime if no value is set in the forest configuration.
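
The two answers above (lingering objects and tombstone lifetime) turned into a check, as an added example that is not code from the original page: it reads the forest's tombstone lifetime and reports every DC whose inbound replication has been silent for longer than that. It assumes the ActiveDirectory RSAT module on a domain-joined host; the 75% warning threshold and the function names are my own.

```powershell
# Added example (not from the original page): report DCs at risk of lingering objects.
# Assumes the ActiveDirectory module (RSAT); the WarnAtPercent threshold is an assumption.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is an attribute of the Directory Service object in the
    # Configuration partition; when unset, the 60-day default described above applies.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                       -Properties tombstoneLifetime
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Test-LingeringObjectRisk {
    param(
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays),
        [int]$WarnAtPercent = 75
    )
    $limit = [TimeSpan]::FromDays($TombstoneLifetimeDays)
    $warn  = [TimeSpan]::FromDays($TombstoneLifetimeDays * $WarnAtPercent / 100)
    $now   = Get-Date

    # Get-ADDomainController -Filter * covers the current domain; run it per domain
    # (or pass -Server) to cover the whole forest.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound `
                        -ErrorAction SilentlyContinue
        if (-not $partners) {
            # A DC that cannot be asked for its metadata is itself a finding.
            [pscustomobject]@{ DC = $dc.HostName; Partition = $null; Partner = $null
                               StaleFor = $null; Status = 'UNREACHABLE' }
            continue
        }
        foreach ($p in $partners) {
            # LastReplicationSuccess is tracked per partition and per inbound partner.
            $stale  = $now - $p.LastReplicationSuccess
            $status = if ($stale -gt $limit) { 'LINGERING-RISK' }
                      elseif ($stale -gt $warn) { 'WARNING' }
                      else { 'OK' }
            [pscustomobject]@{ DC = $dc.HostName; Partition = $p.Partition; Partner = $p.PartnerAddress
                               StaleFor = $stale; Status = $status }
        }
    }
}

Test-LingeringObjectRisk | Sort-Object Status, StaleFor -Descending | Format-Table -AutoSize
```

A DC reported as LINGERING-RISK should be cleaned with repadmin /removelingeringobjects (or demoted) rather than simply reconnected, since reconnecting it is how lingering objects spread.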

Question14. Why We Need Netlogon?

Answer : Netlogon maintains a secure channel between this computer and the domain controller for
authenticating users and services. If this service is stopped, the computer may not be able to authenticate
users and services, and the domain controller cannot register DNS records.

Question15. Explain What Is Active Directory Schema?

Answer : The schema is the Active Directory component that describes all the attributes and objects that the
directory service uses to store data.

Question16. What Is Dns Scavenging?

Answer : Scavenging will help you clean up old unused records in DNS.

Question17. Explain What Is A Child Dc?

Answer : A child DC (CDC) is a domain controller for a sub-domain under the root domain; the child domain
shares the root domain's namespace.

Question18. What Is New In Windows Server 2008 Active Directory Domain Services?

Answer : AD Domain Services auditing, Fine-Grained Password Policies, Read-Only Domain Controllers,
Restartable Active Directory Domain Services

Question19. Explain What Is Rid Master?

Answer : The RID master (Relative Identifier master) is responsible for assigning unique IDs to the objects created in AD.

Question20. Explain What Are Rodcs? And What Are The Major Benefits Of Using Rodcs?

Answer : RODCs are Read-Only Domain Controllers. With them, organizations can easily deploy a domain
controller in locations where physical security cannot be guaranteed.

Question21. Mention What Are The Components Of Ad?

Answer : The components of AD include:

o Logical structure: Trees, Forests, Domains and OUs.
o Physical structure: Domain controllers and Sites.

Question22. What Is The Number Of Permitted Unsuccessful Log Ons On Administrator
Account?

Answer :Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of
the Administrators group.

Question23. Explain What Is Infrastructure Master?

Answer : The Infrastructure Master is responsible for updating information about users and groups and the
global catalogue.

Question24. What Hidden Shares Exist On Windows Server 2003 Installation?

Answer : Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

Question25. Can You Connect Active Directory To Other 3rd-party Directory Services? Name
A Few Options?

Answer : Yes. You can connect Active Directory to other third-party directory services, such as the
directories used by SAP, Domino, etc., with the help of MIIS (Microsoft Identity Integration Server).

Question26. What Is The List Folder Contents Permission On The Folder In Ntfs?

Answer : Same as Read & Execute, but not inherited by files within a folder. However, newly created
subfolders will inherit this permission.

Question27. How Do I Set Up Dns For Other Dcs In The Domain That Are Running Dns?

Answer : For each additional DC that is running DNS, the preferred DNS setting is the parent DNS server
(the first DC in the domain), and the alternate DNS setting is the actual IP address of its own network interface.

Question28. Where Is Gpt Stored?

Answer : %SystemRoot%\SYSVOL\sysvol\<domainname>\Policies\<GUID>

Question29. Tell Me What Should I Do If The Dc Points To Itself For Dns, But The Srv
Records Still Do Not Appear In The Zone?

Answer : Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install the Support
Tools from the Windows 2000 Server CD-ROM to run Netdiag.exe.

Question31. Tell Me What If My Windows 2000 Or Windows Server 2003 Dns Server Is Behind
A Proxy Server Or Firewall?

Answer : If you are able to query the ISP's DNS servers from behind the proxy server or firewall, the
Windows 2000 or Windows Server 2003 DNS server is also able to query the root hint servers. UDP and TCP
port 53 should be open on the proxy server or firewall.

Question32. Explain What Is The Difference Between Local, Global And Universal Groups?

Answer : Domain local groups assign access permissions to global domain groups for local domain
resources. Global groups provide access to resources in other trusted domains. Universal groups grant
access to resources in all trusted domains.

Question33. Do You Know What Is The "." Zone In My Forward Lookup Zone?

Answer : This setting designates the Windows 2000 DNS server to be a root hint server and is usually
deleted. If you do not delete this setting, you may not be able to perform external name resolution to the
root hint servers on the Internet.

Question34. Define Lsdou?

Answer : LSDOU is the group policy inheritance model in which policies are applied in the order Local
machine, Site, Domain and Organizational Unit.

Question35. Define Attribute Value?

Answer : An object's attribute is set concurrently to one value at one master, and another value at a
second master.

Question36. What Is Netdom?

Answer : NETDOM is a command-line tool that allows management of Windows domains and trust
relationships.

Question37. Do You Know How Kerberos V5 Works?

Answer : The Kerberos V5 authentication mechanism issues tickets (a set of identification data for a
security principal, issued by a DC for the purpose of user authentication; the two forms of tickets in Windows
2000 are ticket-granting tickets (TGTs) and service tickets) for accessing network services. These tickets
contain encrypted data, including an encrypted password, which confirms the user's identity to the
requested service.

Question38. What Is Adsiedit?

Answer : ADSI Edit is an LDAP editor for managing objects in Active Directory. This Active Directory tool
lets you view objects and attributes that are not exposed in the Active Directory Management Console.

Question39. What Is Kerberos V5 Authentication Process?

Answer : Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5
protocol verifies both the identity of the user and network services. This dual verification is known as mutual
authentication.

Question40. Define The Schema Master Failure?

Answer : Temporary loss of the schema operations master will be visible only if we are trying to modify the
schema or install an application that modifies the schema during installation. A DC whose schema master
role has been seized must never be brought back online.

Question41. What Is Replmon?


Answer : Replmon is the first tool you should use when troubleshooting Active Directory replication issues.

Question42. How To Find Fsmo Roles?

Answer : Netdom query fsmo OR Replmon.exe

Question43. Describe The Infrastructure Fsmo Role?

Answer : When an object in one domain is referenced by another object in another domain, it represents
the reference by the GUID, the SID (for references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and
distinguished name in a cross-domain object reference.

Question44. What Are The Advantages Of Active Directory Sites?

Answer : Active Directory Sites and Services allow you to specify site information. Active Directory uses
this information to determine how best to use available network resources.

Question45. Define Edb.chk?

Answer : This is the checkpoint file used to track the data not yet written to database file. This indicates the
starting point from which data is to be recovered from the log file, in case of failure.

Question46. Define Edb.log?

Answer : This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log,
where nnnn is an increasing number starting from 1.

Question47. How To View All The Gcs In The Forest?

Answer : repadmin.exe /options * and use IS_GC for current domain options.
nltest /dsgetdc:corp /GC

Question48. How To Seize Fsmo Roles?

Answer : ntdsutil - type roles - connections - connect servername - q - type seize role - at the fsmo
maintenance prompt - type seize rid master

Question49. How To Transfer Fsmo Roles?

Answer : ntdsutil - type roles - connections - connect servername - q - type transfer role - at the fsmo
maintenance prompt - type transfer rid master
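
The ntdsutil transfer and seize sequences above, together with the role query from the FSMO question, as ActiveDirectory-module calls; this is an added example, not code from the original page. It assumes the RSAT module on a host with the necessary admin rights, and the DC names in the usage lines are placeholders.

```powershell
# Added example (not from the original page): query, transfer and seize FSMO roles.
# Assumes the ActiveDirectory module (RSAT); DC names used at the end are placeholders.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Forest-wide roles are reported by Get-ADForest, domain roles by Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-DcReachable {
    param([Parameter(Mandatory)] [string]$DcName)
    # An LDAP bind to the DC rather than a ping: firewalls often drop ICMP but not LDAP.
    try { $null = Get-ADRootDSE -Server $DcName -ErrorAction Stop; return $true }
    catch { return $false }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [switch]$Seize
    )
    $holder = (Get-FsmoRoleHolder).$Role
    if ($Seize) {
        # Seizing while the holder is still alive leaves two DCs believing they own the
        # role; refuse it. A DC whose role was seized must not be brought back online.
        if (Test-DcReachable $holder) {
            throw "$holder still answers LDAP; transfer $Role instead of seizing it"
        }
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role `
            -Force -Confirm:$false
    } else {
        # A graceful transfer needs the current holder online to hand the role over.
        if (-not (Test-DcReachable $holder)) {
            throw "$holder is not reachable; a transfer needs the current holder online"
        }
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role `
            -Confirm:$false
    }
    # Re-read the holders so the caller sees the result.
    Get-FsmoRoleHolder
}

# Usage (placeholder DC name): Move-FsmoRole -TargetDc 'DC02' -Role RIDMaster
#                              Move-FsmoRole -TargetDc 'DC02' -Role RIDMaster -Seize
```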

Question50. What Is The Kcc (knowledge Consistency Checker)?

Answer : The KCC generates and maintains the replication topology for replication within sites and
between sites. KCC runs every 15 minutes.

Question51. What Is Schema Information In Active Directory?


Answer : Definitional details about objects and attributes that one CAN store in the AD. Replicates to all
DCs. Static in nature.

Question52. What Is Online Defragmentation In Active Directory?

Answer : Online defragmentation is a method that runs as part of the garbage collection process. The only
advantage of this method is that the server does not need to be taken offline for it to run. However, this
method does not shrink the Active Directory database file (Ntds.dit).

Question53. What Is Ads Database Garbage Collection Process?

Answer : Garbage Collection is a process that is designed to free space within the Active Directory
database. This process runs independently on every DC with a default lifetime interval of 12 hours.

Question54. Define Res1.log And Res2.log?

Answer : These are reserved transaction log files totalling 20 MB (10 MB each), which give the transaction
log files enough room to shut down cleanly if the other space is being used.

Question55. What Is Domain Information In Active Directory?

Answer : Object information for a domain. It replicates to all DCs within the domain. The object portion
becomes part of the GC; the attribute values replicate only within the domain.

Question56. What Is Lightweight Directory Access Protocol?

Answer : LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths
are used to access AD objects and include the following:

o Distinguished names
o Relative Distinguished names
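
The naming paths listed in this answer and in the earlier LDAP question, worked through in code as an added example (not from the original page): a parser that splits a distinguished name into its relative distinguished names following RFC 4514 escaping, which is what AD uses when a value contains a comma. The sample DN is constructed, and the function names are my own.

```powershell
# Added example (not from the original page): split a DN into RDNs, unescaping values.
# Multi-valued RDNs (joined with '+') are rare in AD and are kept as a single string.
function ConvertFrom-DistinguishedName {
    param([Parameter(Mandatory)] [string]$DistinguishedName)
    $rdns   = New-Object System.Collections.Generic.List[string]   # unescaped RDNs
    $raw    = New-Object System.Collections.Generic.List[string]   # RDNs as written
    $buf    = New-Object System.Text.StringBuilder
    $rawBuf = New-Object System.Text.StringBuilder
    $chars  = $DistinguishedName.ToCharArray()
    for ($i = 0; $i -lt $chars.Length; $i++) {
        $c = $chars[$i]
        if ($c -eq '\' -and $i + 1 -lt $chars.Length) {
            [void]$rawBuf.Append($c)
            # Two escape forms: \X for a single special character (, + " \ < > ; = #)
            # and \HH for a hex-encoded byte (decoded one byte at a time; multi-byte
            # UTF-8 sequences are not reassembled here).
            $pair = -join $chars[($i + 1)..([Math]::Min($i + 2, $chars.Length - 1))]
            if ($pair -match '^[0-9A-Fa-f]{2}$') {
                [void]$buf.Append([char][Convert]::ToInt32($pair, 16))
                [void]$rawBuf.Append($pair); $i += 2
            } else {
                [void]$buf.Append($chars[$i + 1])
                [void]$rawBuf.Append($chars[$i + 1]); $i += 1
            }
        } elseif ($c -eq ',') {
            # Unescaped comma: end of the current RDN.
            $rdns.Add($buf.ToString()); $raw.Add($rawBuf.ToString())
            [void]$buf.Clear(); [void]$rawBuf.Clear()
        } else {
            [void]$buf.Append($c); [void]$rawBuf.Append($c)
        }
    }
    $rdns.Add($buf.ToString()); $raw.Add($rawBuf.ToString())
    for ($j = 0; $j -lt $rdns.Count; $j++) {
        # Split only on the first '=': the value may legitimately contain more.
        $type, $value = $rdns[$j] -split '=', 2
        [pscustomobject]@{ Type = $type.Trim(); Value = $value; Raw = $raw[$j] }
    }
}

# Constructed sample: a user whose common name contains an escaped comma.
$sample = 'CN=Smith\, John,OU=Sales,OU=Users,DC=corp,DC=example,DC=com'
$parts  = ConvertFrom-DistinguishedName -DistinguishedName $sample
$parts | Format-Table Type, Value, Raw -AutoSize

# The first RDN names the object; the remaining RDNs, re-joined in their escaped form,
# give the container it lives in, which is what a "where is this account?" query needs.
$container = ($parts | Select-Object -Skip 1 | ForEach-Object { $_.Raw }) -join ','
"Object '$($parts[0].Value)' lives in container $container"
```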

Question57. How Will You Verify Whether The Ad Installation Is Proper With Srv Resource
Records?

Answer : Verify SRV Resource Records: After AD is installed, the DC will register SRV records in DNS
when it restarts. We can check this using DNS MMC or nslookup command.
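
The verification described above, done with Resolve-DnsName instead of nslookup, plus a cross-check of the DNS answers against the DC and global catalog list AD itself reports (the earlier "view all GCs" question); this is an added example, not code from the original page. It assumes the DnsClient module (Windows 8 / Server 2012 and later) and the ActiveDirectory RSAT module; the domain name in the usage lines is a placeholder.

```powershell
# Added example (not from the original page): verify AD SRV records in DNS.
# Assumes Resolve-DnsName (DnsClient) and the ActiveDirectory module; names are placeholders.
function Get-SrvTargets {
    param([Parameter(Mandatory)] [string]$Name, [string]$DnsServer)
    $query = @{ Name = $Name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $query.Server = $DnsServer }
    # Normalise so "dc1.corp.example.com." and "DC1.corp.example.com" compare equal.
    Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.TrimEnd('.').ToLowerInvariant() }
}

function Test-AdSrvRecords {
    param([Parameter(Mandatory)] [string]$DomainName, [string]$DnsServer)
    # The first five are registered by every DC; _pdc only by the PDC emulator,
    # the _gc records only by global catalogs.
    $expected = @(
        "_ldap._tcp.$DomainName",
        "_kerberos._tcp.$DomainName",
        "_kpasswd._tcp.$DomainName",
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_kerberos._tcp.dc._msdcs.$DomainName",
        "_ldap._tcp.pdc._msdcs.$DomainName",
        "_gc._tcp.$DomainName",
        "_ldap._tcp.gc._msdcs.$DomainName"
    )
    foreach ($name in $expected) {
        $targets = @(Get-SrvTargets -Name $name -DnsServer $DnsServer)
        [pscustomobject]@{
            Record  = $name
            Found   = $targets.Count -gt 0
            Targets = $targets -join ', '
        }
    }
}

function Compare-DcRegistration {
    param([Parameter(Mandatory)] [string]$DomainName, [string]$DnsServer)
    Import-Module ActiveDirectory
    $ldapTargets = @(Get-SrvTargets -Name "_ldap._tcp.dc._msdcs.$DomainName" -DnsServer $DnsServer)
    $gcTargets   = @(Get-SrvTargets -Name "_gc._tcp.$DomainName" -DnsServer $DnsServer)
    foreach ($dc in Get-ADDomainController -Filter * -Server $DomainName) {
        $fqdn = $dc.HostName.ToLowerInvariant()
        [pscustomobject]@{
            DC              = $dc.HostName
            IsGlobalCatalog = $dc.IsGlobalCatalog
            # Every DC must be behind the dc._msdcs LDAP record.
            LdapSrvPresent  = $ldapTargets -contains $fqdn
            # A GC without a _gc record, or a non-GC advertising one, is a finding.
            GcSrvConsistent = ($gcTargets -contains $fqdn) -eq [bool]$dc.IsGlobalCatalog
        }
    }
}

# Usage (placeholder domain):
#   Test-AdSrvRecords -DomainName 'corp.example.com'
#   Compare-DcRegistration -DomainName 'corp.example.com'
```

A missing record for a DC that is up usually means Netlogon has not re-registered; restarting the Netlogon service on that DC (the page's next question explains its role) triggers registration.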

Question58. What Is Ntds.dit?

Answer : This is the AD database and stores all AD objects. Its default location is
%SystemRoot%\ntds\NTDS.DIT.
Active Directory's database engine is the Extensible Storage Engine, which is based on the Jet database
and can grow up to 16 TB.

Question59. What Is Ntds.dit Schema Table?

Answer : The types of objects that can be created in the Active Directory, relationships between them, and
the attributes on each type of object. This table is fairly static and much smaller than the data table.

Question60. Mention What Is The Difference Between Domain Admin Groups And Enterprise
Admins Group In Ad?

Answer : Enterprise Admins group: Members of this group have complete control of all domains in the
forest. By default, this group belongs to the Administrators group on all domain controllers in the forest.
As such this group has full control of the forest; add users with caution.

Domain Admins group: Members of this group have complete control of the domain. By default, this group is
a member of the Administrators group on all domain controllers, workstations and member servers at the
time they are joined to the domain. As such the group has full control in the domain; add users with caution.
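
A membership audit of the two groups just contrasted (and the built-in Administrators group they are nested into), as an added example that is not code from the original page: it lists direct members, flags nested groups and disabled, stale or never-expiring accounts, and gives the effective head count with nesting expanded. It assumes the ActiveDirectory RSAT module; the 90-day staleness threshold is my own assumption.

```powershell
# Added example (not from the original page): audit privileged AD group membership.
# Assumes the ActiveDirectory module; StaleDays is an assumed threshold.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = @('Enterprise Admins', 'Domain Admins', 'Administrators'),
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($groupName in $Groups) {
        # Enterprise Admins exists only in the forest root domain; skip it elsewhere.
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }

        foreach ($member in Get-ADGroupMember -Identity $group) {
            $findings = @()
            switch ($member.objectClass) {
                'group' {
                    # Nesting hides who really holds the privilege; report it explicitly.
                    $kind = 'Group'
                    $findings += 'nested group: review its members'
                }
                'user' {
                    $kind = 'User'
                    # LastLogonDate derives from lastLogonTimestamp, which replicates with
                    # up to 14 days of lag; good enough for a staleness check.
                    $u = Get-ADUser -Identity $member.distinguishedName `
                            -Properties Enabled, LastLogonDate, PasswordNeverExpires
                    if (-not $u.Enabled) { $findings += 'disabled but still privileged' }
                    if ($u.PasswordNeverExpires) { $findings += 'password never expires' }
                    if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
                        $findings += "no logon in $StaleDays days"
                    }
                }
                default {
                    $kind = $member.objectClass
                    $findings += 'non-user principal in an admin group'
                }
            }
            [pscustomobject]@{
                Group   = $groupName
                Member  = $member.SamAccountName
                Kind    = $kind
                Finding = ($findings -join '; ')
            }
        }

        # Flattened membership: what "complete control of the domain/forest" really spans.
        $effective = @(Get-ADGroupMember -Identity $group -Recursive |
                       Where-Object { $_.objectClass -eq 'user' })
        [pscustomobject]@{
            Group   = $groupName
            Member  = '(all users, nested groups expanded)'
            Kind    = 'Summary'
            Finding = "$($effective.Count) effective user accounts"
        }
    }
}

Get-PrivilegedGroupReport | Format-Table -AutoSize -Wrap
```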

Question1. Why Should We Use Group Policy?

Answer :

o For deploying software
o To apply security settings
o For controlling the user environment, user settings and per-computer settings
o To manage the desktop environment (to standardize the environment)
o To modify the registry

Question2. What Is Group Policy Object?

Answer : The actual unit that we create, delete, manage and work with is called a Group Policy object.

Group Policy objects have two components:

o Group Policy container
o Group Policy template

Question3. What Is Group Policy Container?

Answer : It is the container in the Active Directory where the Group Policy can be applied. (i.e., either
Organizational unit or Domain or Site)

Question4. What Is Group Policy Template?

Answer : When you create a Group Policy container, a template is automatically created on the hard drive,
in the SYSVOL folder of the domain controller; this is called the Group Policy template.

Question5. Where Is Group Policy Template Stored?

Answer : The Group Policy template is stored in the SYSVOL folder.

Question6. How To Create A Group Policy?


Answer : Start -> Programs -> Administrative Tools -> Active Directory Users and Computers -> right-click the
container on which you want to apply Group Policy -> select Properties -> click the Group Policy tab -> click
New

Question7. What Are The Steps Do We Have When We Are Creating Group Policy?

Answer : There are two steps: creating the Group Policy object and linking it to the container. Generally we
create the Group Policy at the container itself, so when you click New it creates the GPO and links it to that
container in one step. If you want to link a Group Policy object that already exists to a container, click Add
and select that Group Policy object.

Question8. What Are The Buttons Available On Group Policy Tab In Properties Of A
Container?

Answer :

o New (creates a new GPO)
o Add (links a GPO that has already been created to this container)
o Edit (edits the existing GPO)
o Delete (deletes the GPO)
o Options (here you get the following check boxes): (i) No Override – prevents other GPOs
from overriding policy set in this one; and (ii) Disabled – this GPO is not applied to this container
o Properties

Note: When you delete a GPO it asks which of two things you want:

o Remove the link from this list
o Remove the link and delete the GPO permanently

Question9. What Is No Override Option In Gpo?

Answer : Generally, policies set at one level can be overridden at a lower level, so if you do not want this
policy to be overridden at the levels below it, set this option.

Ex: If you set No Override at the Domain level then that GPO will be applied throughout the domain, even
if you have the same policy set differently at the OU level.

Question10. What Is Block Inheritance Of Gpo And Where It Is?

Answer : The Block Inheritance option blocks the group policies inherited from higher levels, so that only
the present container's GPOs take effect.

Right-click the container -> Properties -> Group Policy tab; at the bottom of the General tab you will find
the Block inheritance check box.

Ex: If you select Block inheritance at the OU level then no policy from the Domain level, the Site level or
the local policy will be applied to this OU.

Question11. You Have Set The No Override Option At Domain Level And Block Inheritance At
Ou Level. Which Policy Will Take Effect?

Answer : If you have set both, No Override wins over Block Inheritance, so No Override will take effect.

Question12. What Are The Options That Are Available When You Click On Option Button On
General Tab?

Answer :

o General
o Disable computer configuration settings (the settings set under the Computer Configuration of this
GPO will not take effect)
o Disable user configuration settings (the settings set under the User Configuration of this GPO will
not take effect)
o Links (displays the containers which have links to this GPO)
o Security (with the Security option you can set permission levels for individual users and groups.
Ex: If you want to exclude a particular user in this container from this GPO, on the Security tab select that
user and tick the Deny check box for Apply Group Policy. The GPO will then not take effect for that user even
though he is in that container.)

Question13. What Will You See In The Group Policy Snap In?

Answer : You will see two major portions, and under each of them sub-portions:

o Computer Configuration
    o Software settings
        o Software installations
    o Windows settings
    o Administrative templates
o User Configuration
    o Software settings
        o Software installations
    o Windows settings
    o Administrative templates

Note: Administrative templates are for modifying the registry of windows 2000 clients.

Question14. What Is The Hierarchy Of Group Policy?

Answer :

o Local policy
o Site Policy
o Domain Policy
o OU Policy
o Sub OU Policy (If any are there)

Question15. Who Can Create Site Level Group Policy?

Answer : Enterprise Admin

Question16. Who Can Create Domain Level Group Policy?

Answer : Domain Admin

Question17. Who Can Create Organizational Unit Level Group Policy?

Answer : Domain Admin

Question18. Who Can Create Local Group Policy?

Answer : Local Administrator or Domain Administrator

Question19. What Is The Refresh Interval For Group Policy?

Answer : The refresh interval for domain controllers is 5 minutes, and the refresh interval for all other
computers in the network is 45 minutes (this one is in doubt).

Question20. Why Do We Need To Manage And Control Desktop Environment?

Answer :

o To decrease support time
o To eliminate the potential for problems
o To have one standard environment to support
o To eliminate distractions
o To increase productivity

Question21. What Is Group Policy Loop Back Process? How To Set It?

Answer : Start -> Programs -> Administrative Tools -> Active Directory Users and Computers -> right-click
the container -> click the Group Policy tab -> click Edit -> click Computer Configuration -> click
Administrative Templates -> System -> Group Policy -> click User Group Policy loopback processing
mode -> click OK -> select Enable

Question22. What Are The Players That Are Involved In Deploying Software?

Answer :

o Group Policy: Within GP we specify that this software application gets installed to this
particular computer or to this particular user.
o Active Directory: Group Policy will be applied somewhere in Active Directory.
o Microsoft Installer service
o Windows installer packages: The type of package that can be used by Group Policy to
deploy applications is .msi packages i.e., Microsoft Installer packages.

Question23. What Is The Package That Can Be Used To Deploy Software Through Group
Policy?

Answer : Windows installer packages (.msi files)

Question24. What Is Microsoft Installer Service?


Answer : The Microsoft Installer service runs on the client machines in the Windows 2000 domain. It installs
the minimum amount of an application; as you use more functionality it installs the remaining parts of the
application. It is responsible for installing software on the client. It is also responsible for modifying and
upgrading software and applying service packs.

Question25. What Is Local Security Policy, Domain Security Policy, And Domain Controller
Security Policy In The Administrative Tools?

Answer :

o Local Security Policy: this is Group Policy applied to the local machine
o Domain Security Policy: Group Policy applied at the domain level
o Domain Controller Security Policy: Group Policy applied at the domain controller level

Question26. What Are The Design Considerations For Group Policy?

Answer : The following should be considered for designing group policies:

o Minimize linking: there is a chance of deleting the original GPO without seeing who else is using it,
so minimize linking for simplicity.
o Minimum number of GPOs: Microsoft suggests that one GPO with 100 settings will process faster than
100 GPOs each with one setting. This is for performance.
o Delegate
o Minimize filtering: to keep your environment simple, try to minimize filtering.

If you have several GPOs for a container, whichever GPO is at the top will be applied first. If you want, you
can move GPOs up and down.

If there is a conflict between two GPOs of the same container, the last applied GPO will be effective, i.e.,
the bottom one will be effective.

Question27. What Is Group Policy In Active Directory ? What Are Group Policy Objects
(gpos)?

Answer : Group Policy objects, other than the local Group Policy object, are virtual objects. The policy
setting information of a GPO is actually stored in two locations: the Group Policy container and the Group
Policy template.

The Group Policy container is an Active Directory container that stores GPO properties, including
information on version, GPO status, and a list of components that have settings in the GPO.

The Group Policy template is a folder structure within the file system that stores Administrative Template-
based policies, security settings, script files, and information regarding applications that are available for
Group Policy Software Installation.

The Group Policy template is located in the system volume folder (Sysvol) in the Policies subfolder for its
domain.

Question28. What Is The Order In Which Gpos Are Applied ?

Answer : Group Policy settings are processed in the following order:

o Local Group Policy object : Each computer has exactly one Group Policy object that is
stored locally. It is processed for both computer and user Group Policy processing.
o Site : Any GPOs that have been linked to the site that the computer belongs to are
processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy
Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order
is processed last, and therefore has the highest precedence.
o Domain: Processing of multiple domain-linked GPOs is in the order specified by the
administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest
link order is processed last, and therefore has the highest precedence.
o Organizational units : GPOs that are linked to the organizational unit that is highest in
the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit,
and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer
are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be
linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified
by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC.

The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit
of which the computer or user is a direct member are processed last, which overwrites settings in the
earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely
aggregated.)

Question29. How To Backup/restore Group Policy Objects ?

Answer :

o Begin the process by logging on to a Windows Server 2008 domain controller, and
opening the Group Policy Management console. Now, navigate through the console tree to Group Policy
Management | Forest: | Domains | | Group Policy Objects.
o When you do, the details pane should display all of the group policy objects that are
associated with the domain. In Figure A there are only two group policy objects, but in a production
environment you may have many more. The Group Policy Objects container stores all of the group policy
objects for the domain.
o Now, right-click on the Group Policy Objects container, and choose the Back Up All
command from the shortcut menu. When you do, Windows will open the Back Up Group Policy Object
dialog box.
o As you can see in Figure B, this dialog box requires you to provide the path to which you
want to store the backup files. You can either store the backups in a dedicated folder on a local drive, or
you can place them in a folder on a mapped network drive. The dialog box also contains a Description field
that you can use to provide a description of the backup that you are creating.
o You must provide the path to which you want to store your backup of the group policy
objects.
o To initiate the backup process, just click the Back Up button. When the backup process
completes, you should see a dialog box that tells you how many group policy objects were successfully
backed up. Click OK to close the dialog box, and you’re all done.
o When it comes to restoring a backup of any Group Policy Object, you have two options.
The first option is to right-click on the Group Policy Object, and choose the Restore From Backup command
from the shortcut menu. When you do this, Windows will remove all of the individual settings from the
Group Policy Object, and then implement the settings found in the backup.
o Your other option is to right-click on the Group Policy Object you want to restore, and
choose the Import Settings option. This option works more like a merge than a restore.
o Any settings that presently reside within the Group Policy Object are retained unless there
are contradictory settings within the file that is being imported.
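
The backup, restore and import steps above as GroupPolicy-module calls, added here as an example that is not code from the original page. It assumes the GroupPolicy RSAT module (Windows Server 2008 R2 and later); the backup path and GPO names in the usage lines are placeholders.

```powershell
# Added example (not from the original page): back up all GPOs, restore one, import one.
# Assumes the GroupPolicy module (RSAT); paths and names are placeholders.
Import-Module GroupPolicy

function Backup-AllGpo {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$Comment = "GPO backup taken $(Get-Date -Format s)"
    )
    # One dated folder per run; Backup-GPO writes a manifest.xml there that
    # Restore-GPO and Import-GPO read back later.
    $target = Join-Path $Path (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    $backups = @(Backup-GPO -All -Path $target -Comment $Comment)
    # The GUI dialog reports how many GPOs were backed up; check the count here instead.
    $expected = @(Get-GPO -All).Count
    if ($backups.Count -ne $expected) {
        throw "Backed up $($backups.Count) of $expected GPOs; inspect $target before relying on it"
    }
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime, BackupDirectory
}

function Restore-GpoFromBackup {
    # "Restore From Backup": the GPO's current settings are replaced by the backed-up ones.
    # Restore-GPO uses the most recent backup of that GPO found under $Path.
    param([Parameter(Mandatory)] [string]$Name, [Parameter(Mandatory)] [string]$Path)
    Restore-GPO -Name $Name -Path $Path
}

function Import-GpoFromBackup {
    # "Import Settings": settings from a backup are imported into a target GPO, which may
    # be a different GPO (even in another domain); -CreateIfNeeded creates it if absent.
    param(
        [Parameter(Mandatory)] [string]$BackupGpoName,
        [Parameter(Mandatory)] [string]$TargetName,
        [Parameter(Mandatory)] [string]$Path
    )
    Import-GPO -BackupGpoName $BackupGpoName -TargetName $TargetName -Path $Path -CreateIfNeeded
}

# Usage (placeholders):
#   Backup-AllGpo -Path 'D:\GPO-Backups'
#   Restore-GpoFromBackup -Name 'Default Domain Policy' -Path 'D:\GPO-Backups\20240101-020000'
#   Import-GpoFromBackup -BackupGpoName 'Default Domain Policy' -TargetName 'Test Copy' -Path 'D:\GPO-Backups\20240101-020000'
```

Backups contain the GPO's security filtering and settings but not its links, so after a restore check the links with Get-GPO and Get-GPInheritance on the containers you expect.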

Question30. You Want To Standardize The Desktop Environments (wallpaper, My Documents,
Start Menu, Printers Etc.) On The Computers In One Department. How Would You Do That?

Answer :

o Go to Start -> Programs -> Administrative Tools -> Active Directory Users and Computers
o Right-click the Domain -> click Properties
o In the new window click the Group Policy tab
o Select Default Policy -> click Edit
o In the Group Policy console go to User Configuration -> Administrative Templates -> Start Menu and Taskbar
o Select each property you want to modify and set it accordingly.

Question31. What Is The Difference Between Software Publishing And Assigning?

Answer : Assign Users :The software application is advertised when the user logs on. It is installed when
the user clicks on the software application icon via the start menu, or accesses a file that has been
associated with the software application.

Assign Computers :The software application is advertised and installed when it is safe to do so, such as
when the computer is next restarted.

Publish to users : The software application does not appear on the start menu or desktop. This means the
user may not know that the software is available. The software application is made available via the
Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the
application. Published applications do not reinstall themselves in the event of accidental deletion, and it is
not possible to publish to computers.

Question32. What Are Administrative Templates?

Answer : Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised
management of machines and users in an Active Directory environment. Administrative Templates facilitate
the management of registry-based policy. An ADM file is used to describe both the user interface presented
to the Group Policy administrator and the registry keys that should be updated on the target machines.

An ADM file is a text file with a specific syntax which describes both the interface and the registry values
which will be changed if the policy is enabled or disabled.

ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped
with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are
merged into a unified “namespace” in GPEdit and presented to the administrator under the Administrative
Templates node (for both machine and user policy).

Question33. Can I Deploy Non-msi Software With Gpo?

Answer : Create a file with the .zap extension.

Question34. Name Some Gpo Settings In The Computer And User Parts ?

Answer : Group Policy Object (GPO) settings are split into two parts: Computer Configuration (the computer
part) and User Configuration (the user part).

Question35. A User Claims He Did Not Receive A Gpo, Yet His User And Computer Accounts
Are In The Right Ou, And Everyone Else There Gets The Gpo. What Will You Look For?

Answer : Make sure the user is not subject to a loopback policy, since under loopback processing the user
settings do not take effect and only the computer policy applies. Also check whether or not he is a member
of the GPO's filter group.

You may also want to check the computer's event logs. If you find event ID 1085 then you may want to
download the patch that fixes this and reboot the computer.

Question36. How Frequently Is The Client Policy Refreshed ?

Answer : 90 minutes give or take.

Question37. Where Is Secedit ?

Answer : It is now gpupdate.

Question38. What Can Be Restricted On Windows Server 2003 That Wasn’t There In Previous
Products ?

Answer : Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up
TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network
configuration parameters.

Question39. You Want To Create A New Group Policy But Do Not Wish To Inherit.

Answer : Make sure you check Block inheritance among the options when creating the policy.

Question40. How Does The Group Policy ‘no Override’ And ‘block Inheritance’ Work ?

Answer : Group Policies can be applied at multiple levels (sites, domains, organizational units), with
multiple GPOs at each level. Obviously some policy settings may conflict, hence the application order of
Site – Domain – Organizational Unit, and within each layer you set the order for all defined policies. But
you may want to force some policies never to be overridden (No Override), and you may want some
containers not to inherit settings from a parent container (Block Inheritance).

A good definition of each is as follows:

No Override – This prevents child containers from overriding policies set at higher levels

Block Inheritance – Stops containers inheriting policies from parent containers

No Override takes precedence over Block Inheritance, so if a child container has Block Inheritance set but
a group policy on the parent has No Override set, that policy will still be applied.

Also, a No Override set higher in the hierarchy takes precedence over a No Override set lower down.
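
The rules just summarised (and the earlier questions on processing order and on No Override versus Block Inheritance), as a small self-contained model that needs no domain; this is an added example, not code from the original page. The containers and GPO names are constructed, and the local GPO, which is always applied before all of these, is left out of the model.

```powershell
# Added example (not from the original page): model GPO application order.
# Inputs are constructed hashtables; nothing here touches a real domain.
function Get-GpoApplicationOrder {
    param(
        # Containers from the top of the hierarchy down to the one holding the user/computer:
        # @{ Name = ...; BlockInheritance = $true/$false }
        [Parameter(Mandatory)] [object[]]$Containers,
        # GPO links: @{ Container = ...; Gpo = ...; LinkOrder = n; Enforced = $true/$false }
        [Parameter(Mandatory)] [object[]]$Links
    )
    $depth = @{}
    for ($i = 0; $i -lt $Containers.Count; $i++) { $depth[$Containers[$i].Name] = $i }
    foreach ($l in $Links) {
        if (-not $depth.ContainsKey($l.Container)) { throw "Unknown container '$($l.Container)'" }
    }

    # Block Inheritance on a container drops every non-enforced link from above it;
    # only the deepest blocking container matters for the final target.
    $blockAt = -1
    foreach ($c in $Containers) { if ($c.BlockInheritance) { $blockAt = $depth[$c.Name] } }

    # Pass 1: ordinary links, top-down. Within one container the lowest link order is
    # applied last, so it wins over its siblings.
    $normal = $Links | Where-Object { -not $_.Enforced -and $depth[$_.Container] -ge $blockAt } |
        Sort-Object @{ Expression = { $depth[$_.Container] } },
                    @{ Expression = { $_.LinkOrder }; Descending = $true }

    # Pass 2: enforced (No Override) links ignore Block Inheritance and are applied after
    # everything else, bottom-up, so an enforced link higher up beats one lower down.
    $enforced = $Links | Where-Object { $_.Enforced } |
        Sort-Object @{ Expression = { $depth[$_.Container] }; Descending = $true },
                    @{ Expression = { $_.LinkOrder }; Descending = $true }

    # Application order; where settings conflict, the last GPO listed wins.
    @($normal) + @($enforced) | ForEach-Object { $_.Gpo }
}

# Constructed scenario: No Override on the domain link, Block Inheritance on the target OU.
$containers = @(
    @{ Name = 'Default-First-Site-Name'; BlockInheritance = $false },
    @{ Name = 'corp.example.com';        BlockInheritance = $false },
    @{ Name = 'OU=Sales';                BlockInheritance = $false },
    @{ Name = 'OU=Field,OU=Sales';       BlockInheritance = $true  }
)
$links = @(
    @{ Container = 'Default-First-Site-Name'; Gpo = 'Site Proxy';            LinkOrder = 1; Enforced = $false },
    @{ Container = 'corp.example.com';        Gpo = 'Default Domain Policy'; LinkOrder = 1; Enforced = $true  },
    @{ Container = 'corp.example.com';        Gpo = 'Domain Wallpaper';      LinkOrder = 2; Enforced = $false },
    @{ Container = 'OU=Sales';                Gpo = 'Sales Baseline';        LinkOrder = 1; Enforced = $false },
    @{ Container = 'OU=Field,OU=Sales';       Gpo = 'Field VPN';             LinkOrder = 1; Enforced = $false },
    @{ Container = 'OU=Field,OU=Sales';       Gpo = 'Field Laptops';         LinkOrder = 2; Enforced = $false }
)

# With the block in place only the Field OU's own links and the enforced domain link survive,
# and the enforced link is applied last.
'--- Block Inheritance on OU=Field,OU=Sales ---'
Get-GpoApplicationOrder -Containers $containers -Links $links

# Without the block, every level contributes, still ending with the enforced domain link.
$containers[3].BlockInheritance = $false
'--- no Block Inheritance ---'
Get-GpoApplicationOrder -Containers $containers -Links $links
```
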

To block inheritance perform the following:

o Start the Active Directory Users and Computer snap-in (Start – Programs – Administrative
Tools – Active Directory Users and Computers)
o Right click on the container you wish to stop inheriting settings from its parent and select
o Select the ‘Group Policy’ tab
o Check the ‘Block Policy inheritance’ option
o Click Apply then OK

To set a policy to never be overridden perform the following:

o Start the Active Directory Users and Computer snap-in (Start – – Administrative Tools –
Active Directory Users and Computers)
o Right click on the container you wish to set a Group Policy to not be overridden and select
Properties
o Select the ‘Group Policy’ tab
o Click Options
o Check the ‘No Override’ option
o Click OK
o Click Apply then OK
