Answer : Active Directory is a directory structure used on Microsoft Windows-based servers and
computers to store data and information about networks and domains.
Answer : In Windows 2000, a domain defines both an administrative boundary and a security boundary for
a collection of objects that are relevant to a specific group of users on a network. A domain is an
administrative boundary because administrative privileges do not extend to other domains. It is a security
boundary because each domain has a security policy that extends to all security accounts within the
domain. Active Directory stores information about objects in one or more domains.
Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the
domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also
can be the parent of one or more child domains.
Answer : The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).
Answer : Mixed mode allows domain controllers running both Windows 2000 and earlier versions of Windows NT to
coexist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are
still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed
in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain
controllers present. Nested groups are not supported in mixed mode.
Answer : A forest is an assembly of AD domains that share a single schema for the AD. All
DCs in the forest share this schema, which is replicated among them in a hierarchical fashion.
Answer : When all the domain controllers in a given domain are running Windows 2000 Server. This mode
allows organizations to take advantage of new Active Directory features such as Universal groups, nested
group membership, and inter-domain group membership.
Answer : The SYSVOL folder keeps the server’s copy of the domain’s public files. The contents of the
SYSVOL folder, such as user and Group Policy data, are replicated to all domain controllers in the domain.
Answer : LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths
are used to access AD objects and include the following:
o Distinguished names
o Relative Distinguished names
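Distinguished names are easy to get wrong in tooling that audits or reports on AD objects: a value such as a CN containing a comma is escaped with a backslash, and a naive split on "," then attributes the object to the wrong container. The following parser is an added example, not code from the original page; the sample DNs in it are constructed.

```python
# Added example (not code from the original page): a parser for LDAP
# distinguished names that splits a DN into its RDNs while honouring the
# backslash escapes LDAP uses for commas and other special characters.
# The sample DNs used below are constructed for the demo.

SPECIAL = '\\,+"<>;'  # characters that must be escaped inside an RDN value


def parse_dn(dn):
    """Return a list of RDNs (leaf first); each RDN is a list of (attr, value).

    'cn=a+sn=b,dc=x' -> [[('cn', 'a'), ('sn', 'b')], [('dc', 'x')]]
    """
    rdns, pairs, attr, value = [], [], [], []
    in_value, i = False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # escaped character: keep the next character literally
            (value if in_value else attr).append(dn[i + 1])
            i += 2
            continue
        if not in_value and ch == "=":
            if not attr:
                raise ValueError("RDN without attribute type in %r" % dn)
            in_value = True
        elif in_value and ch in ",+":
            pairs.append(("".join(attr).strip(), "".join(value)))
            attr, value, in_value = [], [], False
            if ch == ",":          # ',' closes the RDN, '+' adds another value
                rdns.append(pairs)
                pairs = []
        else:
            (value if in_value else attr).append(ch)
        i += 1
    if not in_value:
        raise ValueError("malformed DN: %r" % dn)
    pairs.append(("".join(attr).strip(), "".join(value)))
    rdns.append(pairs)
    return rdns


def escape_value(value):
    """Escape an attribute value so it can be embedded in a DN string."""
    return "".join("\\" + c if c in SPECIAL else c for c in value)


def format_dn(rdns):
    """Inverse of parse_dn."""
    return ",".join("+".join("%s=%s" % (a, escape_value(v)) for a, v in rdn)
                    for rdn in rdns)


def leaf_value(dn):
    """The value of the object's own (first) RDN, e.g. the CN."""
    return parse_dn(dn)[0][0][1]


def parent_dn(dn):
    """DN of the container that holds the object ('' for a top-level DN)."""
    return format_dn(parse_dn(dn)[1:])


def naive_parent(dn):
    """What a plain split(',') gives; wrong whenever a value contains a comma."""
    return ",".join(dn.split(",")[1:])


if __name__ == "__main__":
    dn = "CN=Smith\\, Alice,OU=Sales,DC=corp,DC=example,DC=com"
    print(parse_dn(dn))
    print("parent:", parent_dn(dn))
    print("naive :", naive_parent(dn))   # mis-attributes the object
```

parent_dn() gives the container an object actually lives in, which is what an access review or a "who can write to this OU" check needs; naive_parent() is shown only to make the failure visible.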
Question9. Mention What Is Kerberos?
Answer : Kerberos is an authentication protocol for network. It is built to offer strong authentication for
server/client applications by using secret-key cryptography.
Answer :
Answer : Lingering objects can exist if a domain controller does not replicate for an interval of time that is
longer than the tombstone lifetime (TSL).
Answer : In an Active Directory forest, a domain controller is a server that holds a writable copy of the
Active Directory database, participates in Active Directory replication, and controls access to network
resources.
Answer : The tombstone lifetime in Active Directory determines how long a deleted object is retained in
Active Directory. Deleted objects in Active Directory are stored in a special object referred to as a
TOMBSTONE. Usually, Windows will use a 60-day tombstone lifetime if no value is set in the forest
configuration.
Answer : Maintains a secure channel between this computer and the domain controller for authenticating
users and services. If this service is stopped, the computer may not authenticate users and services, and
the domain controller cannot register DNS records.
Answer : The schema is the Active Directory component that describes all the attributes and objects that the
directory service uses to store data.
Answer : Scavenging will help you clean up old unused records in DNS.
Question18. What Is New In Windows Server 2008 Active Directory Domain Services?
Answer : RID master stands for Relative Identifier master; it is responsible for assigning unique IDs to the objects created in AD.
Question20. Explain What Are Rodcs? And What Are The Major Benefits Of Using Rodcs?
Answer : RODC stands for Read-Only Domain Controller. With RODCs, organizations can easily deploy a domain controller in locations
where physical security cannot be guaranteed.
Answer : Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of
the Administrators group.
Answer : Infrastructure Master is accountable for updating information about the user and group and global
catalogue.
Question25. Can You Connect Active Directory To Other 3rd-party Directory Services? Name
A Few Options?
Answer : Yes, you can connect Active Directory to other 3rd-party directory services, such as the directories
used by SAP, Domino, etc., with the help of MIIS (Microsoft Identity Integration Server).
Question26. What Is The List Folder Contents Permission On The Folder In Ntfs?
Answer : Same as Read & Execute, but not inherited by files within a folder. However, newly created
subfolders will inherit this permission.
Question27. How Do I Set Up Dns For Other Dcs In The Domain That Are Running Dns?
Answer : For each additional DC that is running DNS, the preferred DNS setting is the parent DNS server
(the first DC in the domain), and the alternate DNS setting is the actual IP address of the DC's own network interface.
Answer : %SystemRoot%\SYSVOL\sysvol\<domain name>\Policies\<GUID>
Question29. Tell Me What Should I Do If The Dc Points To Itself For Dns, But The Srv
Records Still Do Not Appear In The Zone?
Answer : Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools
from the Windows 2000 Server CD-ROM to run Netdiag.exe.
Question31. Tell Me What If My Windows 2000 Or Windows Server 2003 Dns Server Is Behind
A Proxy Server Or Firewall?
Answer : If you are able to query the ISP's DNS servers from behind the proxy server or firewall, the Windows
2000 or Windows Server 2003 DNS server is also able to query the root hint servers. UDP and TCP port 53
should be open on the proxy server or firewall.
Question32. Explain What Is The Difference Between Local, Global And Universal Groups?
Answer : Domain local groups assign access permissions to global domain groups for local domain
resources. Global groups provide access to resources in other trusted domains. Universal groups grant
access to resources in all trusted domains.
Question33. Do You Know What Is The "." Zone In My Forward Lookup Zone?
Answer : This setting designates the Windows 2000 DNS server to be a root hint server and is usually
deleted. If you do not delete this setting, you may not be able to perform external name resolution to the
root hint servers on the Internet.
Answer : It is the Group Policy inheritance model, where policies are applied in order to the local machine, sites,
domains and organizational units.
Answer : An object's attribute is set concurrently to one value at one master, and another value at a
second master.
Answer : NETDOM is a command-line tool that allows management of Windows domains and trust
relationships.
Question37. Do You Know How Kerberos V5 Works?
Answer : The Kerberos V5 authentication mechanism issues tickets for accessing network services. A ticket is a
set of identification data for a security principal, issued by a DC for purposes of user authentication; the two
forms of tickets in Windows 2000 are ticket-granting tickets (TGTs) and service tickets. These tickets
contain encrypted data, including an encrypted password, which confirms the user's identity to the
requested service.
Answer : ADSI Edit is an LDAP editor for managing objects in Active Directory. This Active Directory tool
lets you view objects and attributes that are not exposed in the Active Directory Management Console.
Answer : Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5
protocol verifies both the identity of the user and network services. This dual verification is known as mutual
authentication.
Answer : Temporary loss of the schema operations master will be visible only if we are trying to modify the
schema or install an application that modifies the schema during installation. A DC whose schema master
role has been seized must never be brought back online.
Answer : Replmon is the first tool you should use when troubleshooting Active Directory replication issues.
Answer : When an object in one domain is referenced by another object in another domain, it represents
the reference by the GUID, the SID (for references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and
distinguished name in a cross-domain object reference.
Answer : Active Directory Sites and Services allows you to specify site information. Active Directory uses
this information to determine how best to use available network resources.
Answer : This is the checkpoint file used to track the data not yet written to the database file. It indicates the
starting point from which data is to be recovered from the log file in case of failure.
Answer : repadmin.exe /options * and use IS_GC for current domain options.
nltest /dsgetdc:corp /GC
Answer : ntdsutil - type roles - connections - connect servername - q - type seize role - at the fsmo
maintenance prompt - type seize rid master
Answer : ntdsutil - type roles - connections - connect servername - q - type transfer role - at the fsmo
maintenance prompt - type transfer rid master
Answer : The KCC generates and maintains the replication topology for replication within sites and
between sites. KCC runs every 15 minutes.
Answer : Definitional details about the objects and attributes that one can store in the AD. Replicates to all
DCs. Static in nature.
Answer : Online Defragmentation method that runs as part of the garbage collection process. The only
advantage to this method is that the server does not need to be taken offline for it to run. However, this
method does not shrink the Active Directory database file (Ntds.dit).
Answer : Garbage Collection is a process that is designed to free space within the Active Directory
database. This process runs independently on every DC with a default lifetime interval of 12 hours.
Answer : These are the reserved transaction log files, 20 MB in total (10 MB each), which give the transaction log
files enough room to shut down cleanly if the other space is already in use.
Answer : Object information for a domain. Replicates to all DCs within a domain. The object portion
becomes part of the GC. The attribute values only replicate within the domain.
Question57. How Will You Verify Whether The Ad Installation Is Proper With Srv Resource
Records?
Answer : Verify SRV Resource Records: After AD is installed, the DC will register SRV records in DNS
when it restarts. We can check this using DNS MMC or nslookup command.
Answer : This is the AD database and stores all AD objects. The default location is
%SystemRoot%\ntds\NTDS.DIT.
Active Directory's database engine is the Extensible Storage Engine which is based on the Jet database
and can grow up to 16 TB.
Answer : The types of objects that can be created in the Active Directory, relationships between them, and
the attributes on each type of object. This table is fairly static and much smaller than the data table.
Question60. Mention What Is The Difference Between Domain Admin Groups And Enterprise
Admins Group In Ad?
Answer : Both do the same thing, forwarding requests to the appropriate name servers that are
authoritative for the domains in the queries. However, there is a difference between them: stub zones are dynamic
and conditional forwarders are static.
Conditional Forwarding – Where you want DNS clients in separate networks to resolve each others’
names without having to query DNS servers on the Internet, such as in the case of a company merger, you
should configure the DNS servers in each network to forward queries for names in the other network. DNS
servers in one network will forward names for clients in the other network to a specific DNS server that will
build up a large cache of information about the other network. When forwarding in this way, you create a
direct point of contact between the two networks’ DNS servers, reducing the need for recursion.
Stub Zone – Stub zones are dynamic. A stub zone is like a secondary zone in that it obtains its resource
records from other name servers (one or more master name servers). A stub zone is also read-only like a
secondary zone, so administrators can’t manually add, remove, or modify resource records on it. But the
differences end here, as stub zones are quite different from secondary zones in a couple of significant
ways. First, while secondary zones contain copies of all the resource records in the corresponding zone on
the master name server, stub zones contain only three kinds of resource records:
Answer : A GPO (Group Policy Object) is a collection of Group Policy settings; it consists of a GPC and a
GPT.
GPC (Group Policy Container): Contains the properties of the GPO, such as Security Filtering, GPO
Status, GPO GUID, etc.
GPT (Group Policy Template): Contains the data of the GPO in the SYSVOL folder, which can be inspected after the
GPO is configured to see which settings have been applied to the client.
Answer : A majority node set is a single quorum resource from a server cluster perspective; however, the
data is actually stored on multiple disks across the cluster. Each cluster node stores the configuration on a
local disk it can access when it starts up. By default, the location is
%systemroot%\cluster\<ResourceGUID>.
If the configuration of the cluster changes, that change is replicated across the different disks.
Answer : NLB (Network Load Balance) is a Microsoft implementation of clustering and load balancing that
is intended to provide high availability and high reliability, as well as high scalability.
http://technet.microsoft.com/en-us/library/cc779570(v=ws.10).aspx
Answer : Unicast:
Unicast is a one-to-one connection between the client and the server. Unicast uses IP delivery methods
such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), which are session-
based protocols. When a Windows Media Player client connects using unicast to a Windows Media server,
that client has a direct relationship to the server. Each unicast client that connects to the server takes up
additional bandwidth. For example, if you have 10 clients all playing 100-kilobits per second (Kbps)
streams, those clients as a group are taking up 1,000 Kbps. If you have only one client playing the 100
Kbps stream, only 100 Kbps is being used.
Multicast:
Multicast is a true broadcast. The multicast source relies on multicast-enabled routers to forward the
packets to all client subnets that have clients listening. There is no direct relationship between the clients
and Windows Media server. The Windows Media server generates an .nsc (NetShow channel) file when
the multicast station is first created. Typically, the .nsc file is delivered to the client from a Web server. This
file contains information that the Windows Media Player needs to listen for the multicast. This is similar to
tuning into a station on a radio. Each client that listens to the multicast adds no additional overhead on the
server. In fact, the server sends out only one stream per multicast station. The same load is experienced on
the server whether only one client or 1,000 clients are listening
http://support.microsoft.com/kb/291786
Answer :
Answer : Strict Replication is a mechanism developed by Microsoft for Active Directory
replication. If a domain controller has Strict Replication enabled, that domain controller will not accept
“lingering objects” from a domain controller that was isolated for longer than the tombstone lifetime (TSL).
TSL is 180 days by default on a forest created with Windows Server 2003 SP1. A domain controller
shouldn’t be out of sync for longer than this period. Lingering objects may appear on other domain
controllers if replication happens with the outdated domain controllers. Domain controllers with the registry
key below set will not replicate with the outdated domain controllers. You must set the following registry
setting on all the domain controllers to enable Strict Replication:
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Type: REG_DWORD
o Support DHCP clients on a single physical network segment (such as a single Ethernet
LAN segment) where multiple logical IP networks are used. When more than one logical IP network is used
on each physical subnet or network, such configurations are often called multinets.
o Support remote DHCP clients located on the far side of DHCP and BOOTP relay agents
(where the network on the far side of the relay agent uses multinets).
In multinet configurations, you can use DHCP superscopes to group and activate individual scope ranges
of IP addresses used on your network. In this way, the DHCP server can activate and provide leases from
more than one scope to clients on a single physical network.
o Superscopes can resolve specific types of DHCP deployment issues for multinets,
including situations in which:
o The available address pool for a currently active scope is nearly depleted, and more
computers need to be added to the network. The original scope includes the full addressable range for a
single IP network of a specified address class. You need to use another range of IP addresses to extend
the address space for the same physical network segment.
o Clients must be migrated over time to a new scope (such as to renumber the current IP
network from an address range used in an existing active scope to a new scope that contains another
range of IP addresses).
o You want to use two DHCP servers on the same physical network segment to manage
separate logical IP networks.
o Click Start > right-click Computer and select Properties in the menu.
o Click Advanced > Settings > Startup and Recovery > Settings > Write debugging
information > Complete memory dump.
o Click OK twice.
Answer : Host A records of replication partners (Domain Controllers), Srv Records to find out the Domain
Controllers GUID in _msdcs zone (DC Locator).
Answer : You can use the built-in AD features to troubleshoot Group Policy issues, such as RSOP.msc (or running
RSOP by selecting the user in Active Directory Users and Computers) and gpresult -v. The gpt.ini file in SYSVOL under
the Group Policy GUID folder can also be checked to find out which GPO settings have been configured.
Answer : It can be troubleshot with the Replmon command, which reports the errors that also appear in Event Viewer. DNS
resolution between the two destinations should be checked, as well as network or firewall issues.
Answer : Here’s the brief description of Windows Server 2008 Boot process:
o System is powered on
o The CMOS loads the BIOS and then runs POST
o Looks for the MBR on the bootable device
o Through the MBR the boot sector is located and the BOOTMGR is loaded
o BOOTMGR looks for active partition
o BOOTMGR reads the BCD file from the boot directory on the active partition
o The BCD (boot configuration database) contains various configuration parameters( this
information was previously stored in the boot.ini)
o BOOTMGR transfers control to the Windows Loader (winload.exe), or to winresume.exe in
case the system was hibernated.
o Winload loads the drivers that are set to start at boot and then transfers control to the
Windows kernel.
Answer : Firstly, schmmgmt.dll has to be registered. Then ADSI Edit tool can be used to edit schema.
Question16. Difference Between Windows 2003 & Windows 2008 Boot Process?
Windows Server 2003:
o POST
o The MBR reads the boot sector, which is the first sector of the active partition.
o Ntldr reads the path of the OS from boot.ini.
o Ntldr runs ntdetect.com to get information about the installed hardware.
o Ntldr reads the registry files, then selects a hardware profile and control set and loads device
drivers.
o After that Ntoskrnl.exe takes over and starts winlogon.exe, which starts lsass.exe.
Windows Server 2008:
o System is powered on
o The CMOS loads the BIOS and then runs POST
o Looks for the MBR on the bootable device
o Through the MBR the boot sector is located and the BOOTMGR is loaded
o BOOTMGR looks for the active partition
o BOOTMGR reads the BCD file from the boot directory on the active partition
o The BCD (boot configuration database) contains various configuration parameters (this
information was previously stored in boot.ini)
o BOOTMGR transfers control to the Windows Loader (winload.exe), or to winresume.exe in
case the system was hibernated.
o Winload loads the drivers that are set to start at boot and then transfers control to the
Windows kernel.
Answer : FCInfo utility or Storage Explorer (windows 2008) can be used to check the same.
Answer : dnscmd command can be used for creating a Resource Record on DNS server.
Below is the command:
Answer : Name servers in delegations are identified by name, rather than by IP address. This means that
a resolving name server must issue another DNS request to find out the IP address of the server to which it
has been referred. If the name given in the delegation is a subdomain of the domain for which the
delegation is being provided, there is a circular dependency. In this case the name server providing the
delegation must also provide one or more IP addresses for the authoritative name server mentioned in the
delegation. This information is called glue. The delegating name server provides this glue in the form of
records in the additional section of the DNS response, and provides the delegation in the answer section of
the response.
For example, if the authoritative name server for example.org is ns1.example.org, a computer trying to
resolve www.example.org first resolves ns1.example.org. Since ns1 is contained in example.org, this
requires resolving example.org first, which presents a circular dependency. To break the dependency, the
name server for the top level domain org includes glue along with the delegation for example.org. The glue
records are address records that provide IP addresses for ns1.example.org. The resolver uses one or more
of these IP addresses to query one of the domain’s authoritative servers, which allows it to complete the
DNS query.
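The circular dependency described above is easiest to see by stepping through a referral chain. The resolver below is an added example, not code from the original page: it runs offline over constructed zone data (the example.org/other.org names and all IP addresses are made up), models a delegating server that attaches glue only for name servers inside the delegated zone (an assumption of this example), and shows the same delegation succeeding with glue and failing without it.

```python
# Added example (not code from the original page): a small iterative resolver
# over constructed zone data that shows why an in-bailiwick name server needs
# glue. All names under example.org/other.org and all IP addresses are made up.

ROOT_IP = "198.51.100.1"

# Each authoritative server: the delegations it hands out (zone -> NS names),
# the glue addresses it can attach to a referral, and the records it is
# itself authoritative for.
ROOT = {"ns": {"org.": ["a.gtld.org."]},
        "glue": {"a.gtld.org.": "192.0.2.1"}, "auth": {}}
ORG_WITH_GLUE = {"ns": {"example.org.": ["ns1.example.org."],
                        "other.org.": ["ns1.example.org."]},  # NS outside other.org
                 "glue": {"ns1.example.org.": "192.0.2.53"}, "auth": {}}
ORG_NO_GLUE = {"ns": dict(ORG_WITH_GLUE["ns"]), "glue": {}, "auth": {}}
EXAMPLE = {"ns": {}, "glue": {},
           "auth": {"ns1.example.org.": "192.0.2.53",
                    "www.example.org.": "192.0.2.80",
                    "www.other.org.": "192.0.2.81"}}  # one server hosts both zones

SERVERS_WITH_GLUE = {ROOT_IP: ROOT, "192.0.2.1": ORG_WITH_GLUE, "192.0.2.53": EXAMPLE}
SERVERS_NO_GLUE = {ROOT_IP: ROOT, "192.0.2.1": ORG_NO_GLUE, "192.0.2.53": EXAMPLE}


def query(server, name):
    """One question to an authoritative server: answer, referral or NXDOMAIN.
    A referral carries glue in its additional section only for NS names that
    lie inside the delegated zone (assumption: out-of-zone glue is not sent)."""
    if name in server["auth"]:
        return {"answer": server["auth"][name]}
    zones = [z for z in server["ns"] if name == z or name.endswith("." + z)]
    if not zones:
        return {"nxdomain": True}
    zone = max(zones, key=len)                      # closest enclosing delegation
    ns_names = server["ns"][zone]
    glue = {n: server["glue"][n] for n in ns_names
            if n in server["glue"] and n.endswith("." + zone)}
    return {"zone": zone, "ns": ns_names, "additional": glue}


def resolve(name, servers, depth=0):
    """Iterative resolution from the root: follow glue when present, resolve an
    out-of-zone NS name separately, and detect the circular case."""
    if depth > 8:
        raise RuntimeError("too many nested referrals resolving %s" % name)
    ip = ROOT_IP
    while True:
        resp = query(servers[ip], name)
        if "answer" in resp:
            return resp["answer"]
        if "nxdomain" in resp:
            raise LookupError(name)
        ns = resp["ns"][0]
        if ns in resp["additional"]:
            ip = resp["additional"][ns]             # glue: go straight to the NS
        elif ns.endswith("." + resp["zone"]):
            # The NS lives inside the zone it serves and no glue was sent:
            # finding its address would need the very delegation we are following.
            raise RuntimeError("circular dependency: %s is inside %s and no glue was provided"
                               % (ns, resp["zone"]))
        else:
            ip = resolve(ns, servers, depth + 1)    # NS outside the zone: look it up first


def lookup(name, servers):
    """resolve() with the failure mode surfaced as a string for display."""
    try:
        return resolve(name, servers)
    except RuntimeError as exc:
        return "FAILED: %s" % exc


if __name__ == "__main__":
    for label, servers in (("with glue", SERVERS_WITH_GLUE), ("no glue", SERVERS_NO_GLUE)):
        print(label, "www.example.org. ->", lookup("www.example.org.", servers))
        print(label, "www.other.org.   ->", lookup("www.other.org.", servers))
```

The other.org delegation shows the contrasting case: its name server sits in a different zone, so no glue is needed and the resolver simply looks the NS name up from the root before continuing.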
Answer : Group Policy applies to the user or computer in a manner that depends on where both the user
and the computer objects are located in Active Directory. However, in some cases, users may need policy
applied to them based on the location of the computer object alone. You can use the Group Policy
loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs
on to.
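The following is an added example, not code from the original page, that works through the Group Policy inheritance order (local machine, site, domain, then OUs from the top down) and the effect of the loopback feature on a user logging on to a shared computer. The OU layout, GPO names and settings are constructed, and loopback is modelled in its "replace" form, where the user settings are taken entirely from the computer's location (an assumption of this example).

```python
# Added example (not code from the original page): Group Policy inheritance
# order with and without loopback. The containers, GPO names and settings
# below are constructed; loopback is modelled as "replace" (assumption).

# GPOs linked to each container, in link order; each carries the user
# settings it configures. A setting applied later overrides an earlier one.
LINKS = {
    "Local": [("Local Policy", {"wallpaper": "default"})],
    "Site:HQ": [("Site GPO", {"proxy": "hq-proxy"})],
    "DC=corp,DC=example": [("Domain GPO", {"wallpaper": "corp", "screensaver": "10m"})],
    "OU=Staff,DC=corp,DC=example": [("Staff GPO", {"wallpaper": "staff"})],
    "OU=Kiosks,DC=corp,DC=example": [("Kiosk GPO", {"wallpaper": "kiosk",
                                                   "screensaver": "1m",
                                                   "shell": "kiosk.exe"})],
}


def processing_order(dn, site):
    """Containers whose GPOs apply to an object, in processing order:
    local machine, site, domain, then OUs from the top of the tree down."""
    rdns = dn.split(",")[1:]                       # drop the object's own RDN
    first_dc = next(i for i, r in enumerate(rdns) if r.upper().startswith("DC="))
    order = ["Local", "Site:" + site, ",".join(rdns[first_dc:])]
    for i in range(first_dc - 1, -1, -1):          # parent OU before child OU
        order.append(",".join(rdns[i:]))
    return order


def effective_user_settings(user_dn, computer_dn, site, loopback=False):
    """Merge user settings along the processing order. Normally the user's
    own location decides; with loopback, the computer's location does."""
    source = computer_dn if loopback else user_dn
    settings, applied = {}, []
    for container in processing_order(source, site):
        for gpo_name, user_settings in LINKS.get(container, []):
            settings.update(user_settings)         # later container wins on conflicts
            applied.append(gpo_name)
    return settings, applied


if __name__ == "__main__":
    user = "CN=alice,OU=Staff,DC=corp,DC=example"
    kiosk = "CN=KIOSK01,OU=Kiosks,DC=corp,DC=example"
    print("normal  :", effective_user_settings(user, kiosk, "HQ"))
    print("loopback:", effective_user_settings(user, kiosk, "HQ", loopback=True))
```

With loopback off, alice gets the Staff wallpaper and the domain's 10-minute screensaver wherever she logs on; with loopback on at the kiosk, the Kiosk GPO's restricted shell and 1-minute screensaver apply to her session regardless of where her user object lives, which is the lock-down behaviour loopback exists to provide.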
Answer : CDC, or child DC, is a domain controller for a child domain under the root domain; the child domain shares
the root domain's namespace.
Answer : This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log,
where nnnn is an increasing number starting from 1.
Answer : repadmin.exe /options * and use IS_GC for current domain options.
nltest /dsgetdc:corp /GC
Answer : ntdsutil - type roles - connections - connect servername - q - type seize role - at the fsmo
maintenance prompt - type seize rid master
Answer : ntdsutil - type roles - connections - connect servername - q - type transfer role - at the fsmo
maintenance prompt - type trasfer rid master
Answer : The KCC generates and maintains the replication topology for replication within sites and
between sites. KCC runs every 15 minutes.
Answer : Online Defragmentation method that runs as part of the garbage collection process. The only
advantage to this method is that the server does not need to be taken offline for it to run. However, this
method does not shrink the Active Directory database file (Ntds.dit).
Answer : Garbage Collection is a process that is designed to free space within the Active Directory
database. This process runs independently on every DC with a default lifetime interval of 12 hours.
Answer : These are the two reserved transaction log files, res1.log and res2.log (10 MB each, 20 MB in total). They are placeholders that guarantee the DC enough log space to write out pending transactions and shut down cleanly if the disk holding the logs fills up.
Answer : The domain partition (domain naming context) holds the object information for a domain and replicates to all DCs within that domain. Every object in it also becomes part of the global catalog, but only with a partial attribute set; the full set of attribute values replicates only within the domain.
Answer : LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths
are used to access AD objects and include the following:
o Distinguished names
o Relative Distinguished names
Question57. How Will You Verify Whether The Ad Installation Is Proper With Srv Resource
Records?
Answer : Verify SRV Resource Records: after AD is installed, the DC's Netlogon service registers SRV records (for example _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.dc._msdcs.<domain>) in DNS when it restarts. We can check them with the DNS MMC, with nslookup (set type=SRV), or by comparing the zone against the records the DC wanted to register, which are listed in %SystemRoot%\System32\Config\netlogon.dns.
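A scripted version of that verification, as an added example that is not part of the original page: it resolves the SRV records a DC must register and reports which ones are missing or do not point at the expected DC. The domain name corp.example.com, the DC name DC01 and the site name are assumptions; Resolve-DnsName, nslookup and dcdiag are the real tools being called.

```powershell
# Added example (not from the original page). Assumed names: domain corp.example.com,
# DC "DC01" in site "Default-First-Site-Name". Requires the DnsClient module (Windows 8/2012+).
$domain = 'corp.example.com'
$site   = 'Default-First-Site-Name'
$dc     = 'DC01'

# Records every DC registers under _msdcs. A missing one breaks DC location, Kerberos
# or global catalog lookups for clients even though the DC itself is healthy.
$expected = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$site._sites.dc._msdcs.$domain",
    "_ldap._tcp.gc._msdcs.$domain",      # present only if the DC is a global catalog
    "_kpasswd._tcp.$domain"
)

foreach ($name in $expected) {
    try {
        # The answer also carries A records for the targets; keep only the SRV entries.
        $srv   = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' }
        $hosts = @($srv.NameTarget)
        if ($hosts -contains "$dc.$domain") {
            "OK       $name -> $($hosts -join ', ')"
        } else {
            "MISSING  $name does not list $dc (found: $($hosts -join ', '))"
        }
    } catch {
        "ABSENT   $name ($($_.Exception.Message))"
    }
}

# The same check with the classic tool, plus the DC's own registration self-test.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"
dcdiag /test:DNS /DnsRecordRegistration /s:$dc
```

If a record is ABSENT rather than MISSING, the zone itself is usually wrong (no _msdcs delegation, or dynamic updates disabled); restarting the Netlogon service on the DC re-registers everything in netlogon.dns.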
Answer : This is the AD database file and stores all AD objects. The default location is %SystemRoot%\NTDS\ntds.dit.
Active Directory's database engine is the Extensible Storage Engine (ESE), which is based on the Jet database, and the file can grow up to 16 TB.
Answer : The types of objects that can be created in the Active Directory, relationships between them, and
the attributes on each type of object. This table is fairly static and much smaller than the data table.
Question60. Mention What Is The Difference Between Domain Admin Groups And Enterprise
Admins Group In Ad?
Answer :
Answer : The actual unit that we create, delete, manage and work with is called a Group Policy Object (GPO).
Answer : It is the container in Active Directory to which a Group Policy can be linked, i.e. a site, a domain or an organizational unit.
Answer : When you create a Group Policy container, a matching folder structure is automatically created on disk in the Sysvol folder of the domain controller; that folder structure is called the Group Policy template.
Question7. What Are The Steps Do We Have When We Are Creating Group Policy?
Answer : There are two steps: creating the Group Policy Object and linking it to a container. Generally we create the GPO at the container itself, so when you click New the GPO is created and linked to that container in one step. If you want to link an already existing GPO to a container, click Add and select that GPO.
Question8. What Are The Buttons Available On Group Policy Tab In Properties Of A
Container?
Answer :
Answer : Normally a policy set at one level can be overridden by a conflicting setting at a lower level. If you do not want a GPO's settings to be overridden at the levels beneath it, set No Override on its link (called Enforced in GPMC).
Ex: If you set No Override at the domain level, that GPO's settings apply throughout the domain even if the same setting is configured differently at the OU level.
Answer : The Block Inheritance option on a container stops the GPOs linked at higher levels (site, domain or parent OU) from being inherited, so only the GPOs linked to that container (and its children) take effect, apart from any higher-level link marked No Override.
Right click on the container –> click Properties –> on the Group Policy tab you will find the Block Policy inheritance check box at the bottom.
Ex: If you select Block Inheritance at the OU level, no policy from the domain or site level is applied to that OU. The local policy of each computer is still processed, because it is not inherited from Active Directory.
Question11. You Have Set The No Override Option At Domain Level And Block Inheritance At
Ou Level. Which Policy Will Take Effect?
Answer : If both are set, No Override wins over Block Inheritance, so the domain-level GPO marked No Override still takes effect in the OU.
Question12. What Are The Options That Are Available When You Click On Option Button On
General Tab?
Answer :
o General
o Disable computer configuration settings (the settings under Computer Configuration of this GPO will not take effect)
o Disable user configuration settings (the settings under User Configuration of this GPO will not take effect)
o Links (displays the containers that have links to this GPO)
o Security (on the Security tab you can set permissions on the GPO for individual users and groups. Ex: to stop this GPO applying to a particular user in this container, select that user on the Security tab and check Deny for the Apply Group Policy permission; the GPO will then not take effect for that user even though he is in the container.)
Question13. What Will You See In The Group Policy Snap In?
Answer : You will see two major portions, each with the same sub portions:
o Computer Configuration
    o Software settings
        o Software installation
    o Windows settings
    o Administrative templates
o User Configuration
    o Software settings
        o Software installation
    o Windows settings
    o Administrative templates
Note: Administrative templates are for modifying the registry of Windows 2000 clients.
Answer :
o Local policy
o Site Policy
o Domain Policy
o OU Policy
o Sub OU Policy (If any are there)
Answer : The refresh interval for domain controllers is 5 minutes. For all other computers, and for users, the default is 90 minutes plus a random offset of up to 30 minutes, so that clients do not all contact the DC at the same moment. Security settings are additionally reapplied every 16 hours even when the GPO has not changed.
Answer :
Question21. What Is Group Policy Loop Back Process? How To Set It?
Answer : Loopback processing makes the user settings of the GPOs linked to the computer's container (rather than the user's) apply to whoever logs on to that computer, which is useful for kiosks, terminal servers and lab machines. Replace mode applies only the user settings of the computer-linked GPOs; Merge mode applies the user's own GPOs first and then the computer-linked ones, which win any conflict.
To set it: Start –> Programs –> Administrative tools –> Active Directory Users and Computers –> right click on the container that holds the computer accounts –> click on the Group Policy tab –> click Edit –> Computer Configuration –> Administrative Templates –> System –> Group Policy –> open User Group Policy loopback processing mode –> select Enabled, choose Replace or Merge as the mode, and click OK.
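The same configuration done with the GroupPolicy PowerShell module, as an added example that is not part of the original page: it creates a GPO, turns on loopback processing in Replace mode through the registry-based policy that the Administrative Template above writes, and links it where the computer accounts live. The GPO name, the OU name and the domain DN are assumptions.

```powershell
# Added example (not from the original page). Assumptions: GroupPolicy module (RSAT),
# domain DC=corp,DC=example,DC=com, an OU named Kiosks that holds the computer accounts,
# and a GPO name chosen for this example.
Import-Module GroupPolicy

$ou  = 'OU=Kiosks,DC=corp,DC=example,DC=com'
$gpo = New-GPO -Name 'Kiosk Loopback' -Comment 'Apply kiosk user settings to every logon'

# "User Group Policy loopback processing mode" (Computer Configuration > Administrative
# Templates > System > Group Policy) is stored as the UserPolicyMode value:
#   1 = Merge   (user's own GPOs first, then the computer-linked GPOs, which win conflicts)
#   2 = Replace (only the user settings of the computer-linked GPOs are applied)
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Loopback is a *computer* setting: the GPO must be linked to the container that holds
# the computer objects. Linking it to the users' OU has no effect.
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes | Out-Null

# Verify that the value is in the GPO and that the link exists on the OU.
Get-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
(Get-GPInheritance -Target $ou).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# On a kiosk machine, after "gpupdate /force", the user section of "gpresult /r" lists
# the GPOs linked to the Kiosks OU under "Applied Group Policy Objects".
```

Remember that in Replace mode any GPO linked to the user's own OU is ignored on that machine; that is the behaviour Question 35 below tells you to look for when a user "does not receive" a GPO.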
Question22. What Are The Players That Are Involved In Deploying Software?
Answer :
o Group Policy: Within GP we specify that this software application gets installed to this
particular computer or to this particular user.
o Active Directory: Group Policy will be applied somewhere in Active Directory.
o Microsoft Installer service
o Windows installer packages: The type of package that can be used by Group Policy to
deploy applications is .msi packages i.e., Microsoft Installer packages.
Question23. What Is The Package That Can Be Used To Deploy Software Through Group
Policy?
Question25. What Is Local Security Policy, Domain Security Policy, And Domain Controller
Security Policy In The Administrative Tools?
Answer :
o Minimize linking: a GPO linked to many containers may be deleted by someone who did not check who else is using it. Minimize linking for simplicity.
o Minimum number of GPOs: Microsoft suggests that one GPO with 100 settings processes faster than 100 GPOs each with one setting. This is for performance.
o Delegate
o Minimize filtering: to keep your environment simple, try to minimize security and WMI filtering.
If a container has several GPOs linked to it, they are processed from the bottom of the list upwards; you can move GPOs up and down in the list to change this.
If two GPOs linked to the same container conflict, the one processed last is effective, i.e. the GPO at the top of the list (link order 1) wins.
Question27. What Is Group Policy In Active Directory ? What Are Group Policy Objects
(gpos)?
Answer : Group Policy objects, other than the local Group Policy object, are virtual objects. The policy
setting information of a GPO is actually stored in two locations: the Group Policy container and the Group
Policy template.
The Group Policy container is an Active Directory container that stores GPO properties, including
information on version, GPO status, and a list of components that have settings in the GPO.
The Group Policy template is a folder structure within the file system that stores Administrative Template-
based policies, security settings, script files, and information regarding applications that are available for
Group Policy Software Installation.
The Group Policy template is located in the system volume folder (Sysvol) in the Policies subfolder for its
domain.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be
linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified
by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC.
The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit
of which the computer or user is a direct member are processed last, which overwrites settings in the
earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely
aggregated.)
Answer :
o Begin the process by logging on to a Windows Server 2008 domain controller, and
opening the Group Policy Management console. Now, navigate through the console tree to Group Policy
Management | Forest: | Domains | | Group Policy Objects.
o When you do, the details pane should display all of the group policy objects that are
associated with the domain. In Figure A there are only two group policy objects, but in a production
environment you may have many more. The Group Policy Objects container stores all of the group policy
objects for the domain.
o Now, right-click on the Group Policy Objects container, and choose the Back Up All
command from the shortcut menu. When you do, Windows will open the Back Up Group Policy Object
dialog box.
o As you can see in Figure B, this dialog box requires you to provide the path to which you
want to store the backup files. You can either store the backups in a dedicated folder on a local drive, or
you can place them in a folder on a mapped network drive. The dialog box also contains a Description field
that you can use to provide a description of the backup that you are creating.
o You must provide the path to which you want to store your backup of the group policy
objects.
o To initiate the backup process, just click the Back Up button. When the backup process
completes, you should see a dialog box that tells you how many group policy objects were successfully
backed up. Click OK to close the dialog box, and you’re all done.
o When it comes to restoring a backup of any Group Policy Object, you have two options.
The first option is to right-click on the Group Policy Object, and choose the Restore From Backup command
from the shortcut menu. When you do this, Windows will remove all of the individual settings from the
Group Policy Object, and then implement the settings found in the backup.
o Your other option is to right-click on the Group Policy Object you want to restore, and
choose the Import Settings option. This option works more like a merge than a restore.
o Any settings that presently reside within the Group Policy Object are retained unless there are contradictory settings within the file that is being imported.
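The same Back Up All, Restore From Backup and Import Settings operations driven from the GroupPolicy PowerShell module, as an added example that is not part of the original page. The backup folder and the GPO names are assumptions; Backup-GPO, Restore-GPO and Import-GPO are the real cmdlets.

```powershell
# Added example (not from the original page). Assumptions: GroupPolicy module (RSAT),
# a backup root of C:\GPOBackups, and GPOs named "Workstation Lockdown" and
# "Workstation Lockdown - Test" chosen for this example.
Import-Module GroupPolicy

$backupPath = Join-Path 'C:\GPOBackups' (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

# "Back Up All": every GPO in the domain, each written to a folder named after the
# backup's own GUID, with a manifest.xml at the root describing all of them.
$backups = Backup-GPO -All -Path $backupPath -Comment 'Pre-change baseline'
"Backed up $($backups.Count) GPOs to $backupPath"

# Keep a record of which backup belongs to which GPO; the GPO GUID (GpoId) and the
# backup GUID (Id) are different values.
$backups | Select-Object DisplayName, GpoId, Id, CreationTime | Format-Table -AutoSize

# "Restore From Backup": replaces the GPO's settings with the most recent backup of that
# GPO found under $backupPath. The GPO is identified by GUID, so this is a true restore.
Restore-GPO -Name 'Workstation Lockdown' -Path $backupPath

# "Import Settings": merges a backup into a different (or new) GPO. Existing settings in
# the target are kept unless the backup holds a conflicting value for them.
Import-GPO -BackupGpoName 'Workstation Lockdown' -TargetName 'Workstation Lockdown - Test' `
    -Path $backupPath -CreateIfNeeded | Out-Null

# Sanity check: one folder per backed-up GPO should exist under the backup root.
Get-ChildItem -Path $backupPath -Directory | Select-Object Name, LastWriteTime
```

Store the backup folder somewhere only GPO administrators can read: it contains the full policy content, including any scripts and registry values the GPOs deploy, and Restore-GPO will apply whatever is in it.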
Answer :
Answer : Assign Users :The software application is advertised when the user logs on. It is installed when
the user clicks on the software application icon via the start menu, or accesses a file that has been
associated with the software application.
Assign Computers :The software application is advertised and installed when it is safe to do so, such as
when the computer is next restarted.
Publish to users : The software application does not appear on the start menu or desktop. This means the
user may not know that the software is available. The software application is made available via the
Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the
application. Published applications do not reinstall themselves in the event of accidental deletion, and it is
not possible to publish to computers.
Answer : Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised
management of machines and users in an Active Directory environment. Administrative Templates facilitate
the management of registry-based policy. An ADM file is used to describe both the user interface presented
to the Group Policy administrator and the registry keys that should be updated on the target machines.
An ADM file is a text file with a specific syntax which describes both the interface and the registry values
which will be changed if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped
with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are
merged into a unified “namespace” in GPEdit and presented to the administrator under the Administrative
Templates node (for both machine and user policy).
Question35. A User Claims He Did Not Receive A Gpo, Yet His User And Computer Accounts
Are In The Right Ou, And Everyone Else There Gets The Gpo. What Will You Look For?
Answer : Check whether the computer's container has loopback processing enabled in Replace mode: in that case the user's own GPOs are not applied and only the user settings of the computer-linked GPOs take effect. Then check security filtering on the GPO: the user must be in a group that has both Read and Apply Group Policy, and must not be in a group that is denied either permission (a group membership change only takes effect after the user logs off and on again). Run gpresult on the affected machine to see which GPOs were applied and which were filtered out.
You may also want to check the computer's event logs. If you find event ID 1085 (a Group Policy client-side extension failed to apply its settings), download the relevant patch, apply it and reboot the computer.
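The checks above as a script, added here as an example that is not part of the original page. It inspects security filtering on the GPO, whether loopback is active on the user's machine, the GPO's own status, and the client's System log for event 1085, then pulls the resultant set of policy for that user on that computer. The GPO name, user name, computer name and domain are assumptions.

```powershell
# Added example (not from the original page). Assumptions: run from an admin host with
# RSAT, remoting enabled to the client, GPO "Desktop Lockdown", user corp\jdoe and
# computer WS042 (all names chosen for this example).
Import-Module GroupPolicy

$gpoName  = 'Desktop Lockdown'
$user     = 'corp\jdoe'
$computer = 'WS042'

# 1. Security filtering: the user, or a group containing him, needs both GpoRead and
#    GpoApply, and must not be Denied either. A removed "Authenticated Users" entry or a
#    Deny on a group the user belongs to skips the GPO without any error on the client.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
    Format-Table -AutoSize

# 2. Loopback on the computer: UserPolicyMode 2 (Replace) means the user's own OU GPOs
#    are ignored on this machine; 1 (Merge) means computer-linked GPOs override them.
Invoke-Command -ComputerName $computer -ScriptBlock {
    Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' `
        -Name 'UserPolicyMode' -ErrorAction SilentlyContinue
}

# 3. The GPO itself: a disabled user section or a WMI filter that evaluates false on
#    this hardware produces exactly the "everyone else gets it" symptom.
Get-GPO -Name $gpoName | Select-Object DisplayName, GpoStatus, WmiFilter

# 4. Event 1085 in the client's System log: a client-side extension failed to apply.
Get-WinEvent -ComputerName $computer -FilterHashtable @{ LogName = 'System'; Id = 1085 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Message

# 5. Resultant set of policy for that user on that computer, with the GPOs that were
#    applied and those that were filtered out and why.
gpresult /s $computer /user $user /r
```

Read the gpresult output bottom-up: a GPO listed under "The following GPOs were not applied because they were filtered out" with reason "Access Denied (Security Filtering)" confirms step 1, and a user section that only shows computer-OU GPOs confirms step 2.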
Question38. What Can Be Restricted On Windows Server 2003 That Wasn’t There In Previous
Products ?
Answer :Group Policy in Windows Server 2003 determines a users right to modify network and dial-up
TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network
configuration parameters.
Question39. You Want To Create A New Group Policy But Do Not Wish To Inherit.
Answer : Block Inheritance is an option on the container, not on the policy: create the GPO on the container you want, then open that container's Properties, go to the Group Policy tab and check Block Policy inheritance so that GPOs linked at higher levels are not inherited.
Question40. How Does The Group Policy ‘no Override’ And ‘block Inheritance’ Work ?
Answer : Group Policies can be applied at multiple levels (sites, domains, organizational units) with multiple GPOs at each level. Some policy settings will inevitably conflict, hence the application order of Site – Domain – Organizational Unit, and within each level you set the order of the linked GPOs. Sometimes you want to force certain policies never to be overridden (No Override) and you may want some containers not to inherit settings from a parent container (Block Inheritance).
No Override – This prevents child containers from overriding policies set at higher levels.
No Override takes precedence over Block Inheritance, so if a child container has Block Inheritance set but a GPO on the parent has No Override set, that GPO is still applied.
Also, a No Override set at a higher level takes precedence over a No Override set at a lower level.
To block inheritance perform the following:
o Start the Active Directory Users and Computers snap-in (Start – Programs – Administrative Tools – Active Directory Users and Computers)
o Right click on the container you wish to stop inheriting settings from its parent and select Properties
o Select the 'Group Policy' tab
o Check the 'Block Policy inheritance' option
o Click Apply then OK
To set No Override on a policy perform the following:
o Start the Active Directory Users and Computers snap-in (Start – Programs – Administrative Tools – Active Directory Users and Computers)
o Right click on the container holding the Group Policy you wish to set as not to be overridden and select Properties
o Select the 'Group Policy' tab
o Select the Group Policy and click Options
o Check the 'No Override' option
o Click OK
o Click Apply then OK
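The No Override / Block Inheritance interaction from this question, together with the link-order rule stated earlier on the page (the GPO with link order 1 is processed last and wins), shown with the GroupPolicy PowerShell module, where No Override is called Enforced. This is an added example and not part of the original page; the domain, OU and GPO names are assumptions.

```powershell
# Added example (not from the original page). Assumptions: GroupPolicy module (RSAT),
# domain DC=corp,DC=example,DC=com, an OU "Workstations", and GPOs named
# "Corporate Baseline" (already linked at the domain) and "Workstation Lockdown".
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example,DC=com'
$ou       = 'OU=Workstations,DC=corp,DC=example,DC=com'

# Block Inheritance on the OU: GPOs linked at the site and domain no longer reach it ...
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

# ... except links that are Enforced (No Override) at the parent. Enforced links are also
# processed after all non-enforced ones, so their settings win conflicts with GPOs
# linked further down, and an Enforced link higher up beats an Enforced link below it.
Set-GPLink -Name 'Corporate Baseline' -Target $domainDn -Enforced Yes | Out-Null

# Link order within the OU: order 1 is processed last, so it has the highest precedence
# among the GPOs linked to this container.
New-GPLink -Name 'Workstation Lockdown' -Target $ou -Order 1 | Out-Null

# What the OU actually receives. InheritedGpoLinks is the effective list in precedence
# order (as on GPMC's Group Policy Inheritance tab); the enforced domain GPO is present
# despite the block, while non-enforced domain and site links are gone.
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked on ${ou}: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled, Target |
    Format-Table -AutoSize
```

Use Enforced sparingly: because it cannot be blocked below, an Enforced domain link is also the mechanism by which a mistaken setting reaches every OU, including ones whose administrators deliberately blocked inheritance.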