
Active Directory: Questions and Answers

What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference between 2000 Group Policies and 2003 Group Policies? What is meant by ADS and ADS services in Windows 2003?
Windows 2003 Active Directory introduced a number of new security features, as well as
convenience features such as the ability to rename a domain controller and even an entire domain
- see Microsoft's website for more details.
Windows Server 2003 also introduced numerous changes to the default settings that can be
affected by Group Policy - you can see a detailed list of each available setting and which OS is
required to support it by downloading the Group Policy Settings Reference.
ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.
What are the benefits of AD over NT4 directory services?
Active Directory marked a shift in the way that Microsoft manages directory services, moving
from the flat and fairly restrictive namespaces used by NT4 domains and moving to an actual
hierarchical directory structure. There's a sample chapter from the Windows 2000 technical
reference available here that will give you a good introduction into the major differences
between the NT4 and Active Directory directory services.
I want to setup a DNS server and Active Directory domain. What do I do first? If I install
the DNS service first and name the zone 'name.org' can I name the AD domain 'name.org'
too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it's
actually the preferred way to go if at all possible. You can install and configure DNS before
installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo)
itself to install DNS on your server in the background.
What is the best way to migrate Exchange 2000 mailboxes to Exchange 2003?
The nice folks at MSExchange.org have put together a pretty detailed tutorial on how to migrate
from Exchange 2000 to Exchange 2003 on new hardware. The MSExchange site also hosts
online forums that are frequented by Exchange MVPs who can help you with any specific errors
that you run into along the way.
How do I design two Active Directory domains in a client network?
For Windows Server 2003, your best bet is going to be the Deployment Kit. The section on "Deploying Network Services" will assist you in designing and installing your DNS servers, and the section on "Designing and Deploying Directory and Security Services" will assist you with deploying Active Directory and configuring trust relationships.


What is difference between ADS and domain controller?
ADS is the Automated Deployment Service, which is used to quickly image, deploy, and
administer servers and domain controllers on a large scale. You can find more information at
the ADS Technology Center.
How can I modify the path of all my users' home directory within Active Directory using a
vbs logon script?
Check out the source code from Robbie Allen's "Active Directory Cookbook". Recipe 6.4 shows
you how to modify a property value for multiple users. Essentially, you select a container such as
an OU or a domain and then use a FOR loop to loop through each user object in that container.
How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a
login script so that it records its information to a central file for later review). This command will
enumerate the members of the Administrators group on each machine you run it on. Alternately,
you can use the Restricted Groups feature of Group Policy to restrict the membership of
Administrators to only those users you want to belong.
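One way to review the centrally collected output, as an added example that is not part of the original post: a Python script that parses the member table printed by `net localgroup administrators` and lists, per workstation, the members that are not on an approved set. The per-workstation output and the approved set below are constructed for the example.

```python
"""Audit of collected `net localgroup administrators` output (constructed example)."""
import re

# Constructed copies of what `net localgroup administrators` prints, keyed by hostname,
# as a logon script might append them to a central file for later review.
COLLECTED = {
    "WS-ACCT-01": """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Workstation Admins
The command completed successfully.
""",
    "WS-ACCT-02": """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Workstation Admins
CORP\\jsmith
helpdesk
The command completed successfully.
""",
}

# Accounts that are supposed to be local administrators everywhere (assumption; a
# site would replace this with the membership its Restricted Groups policy enforces).
APPROVED = {"Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"}


def parse_members(output: str) -> list:
    """Return the member names listed between the dashed rule and the completion line."""
    lines = output.splitlines()
    try:
        start = next(i for i, line in enumerate(lines)
                     if re.fullmatch(r"-{5,}", line.strip()))
    except StopIteration:
        raise ValueError("member table not found; the command may have failed")
    members = []
    for line in lines[start + 1:]:
        if line.startswith("The command completed"):
            break
        if line.strip():
            members.append(line.strip())
    return members


def audit(collected: dict, approved: set) -> dict:
    """Host -> sorted list of Administrators members not in `approved`.
    Hosts whose membership matches the approved set are omitted, so the result
    is exactly the review list for an administrator."""
    findings = {}
    for host, output in collected.items():
        extra = sorted(set(parse_members(output)) - approved)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in audit(COLLECTED, APPROVED).items():
        print(f"{host}: unexpected local administrators: {', '.join(extra)}")
```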
Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like this one will boil down
to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP
clients' wireless connections are configured with the correct DNS and WINS name servers, as
well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to
your wired LAN settings and look for any discrepancies that may indicate where the functional
difference may lie.
I am upgrading from NT to 2003. The only things that are NT are the PDC and BDCs;
everything else is 2000 or 2003 member servers. My question is, when I upgrade my NT
domain controllers to 2003, will I need to do anything else to my Windows 2000/2003
member servers that were in the NT domain?
Your existing member servers, regardless of operating system, will simply become member
servers in your upgraded AD domain. If you will be using Organizational Units and Group
Policy (and I hope you are), you'll probably want to move them to a specific OU for
administration and policy application, since they'll be in the default "Computers" container
immediately following the upgrade.
How do I use Registry keys to remove a user from a group?
In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch
to remove a group member from the command line. You should also look into the freeware
utilities available from www.joeware.net. ADFind and ADMod are indispensable tools in my
arsenal when it comes to searching and modifying Active Directory.
Why are my NT4 clients failing to connect to the Windows 2000 domain?
Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server.
Posted by Anuj Sharma at 6:52:00 PM

Labels: server 2008, server 2003, Active Directory, INTERVIEW QUESTION, Quick Answers, SERVER 2003, SERVER 2008

Wednesday, October 15
Server 2008 Questions And Answers
Q.What are some of the new tools and features provided by Windows Server 2008?
A.Windows Server 2008 now provides a desktop environment similar to Microsoft Windows
Vista and includes tools also found in Vista, such as the new backup snap-in and the BitLocker
drive encryption feature. Windows Server 2008 also provides the new IIS7 web server and the
Windows Deployment Service.
Q.What are the different editions of Windows Server 2008?
A.The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise
Edition provides a platform for large enterprisewide networks. The Datacenter Edition provides
support for unlimited Hyper-V virtualization and advanced clustering services. The Web Edition
is a scaled-down version of Windows Server 2008 intended for use as a dedicated web server.
The Standard, Enterprise, and Datacenter Editions can be purchased with or without the Hyper-V
virtualization technology.
Q.What two hardware considerations should be an important part of the planning process for a
Windows Server 2008 deployment?
A.Any server on which you will install Windows Server 2008 should have at least the minimum
hardware requirement for running the network operating system. Server hardware should also be
on the Windows Server 2008 Hardware Compatibility List to avoid the possibility of hardware
and network operating system incompatibility.
Q.How does the activation process differ on Windows Server 2008 as compared to Windows
Server 2003?
A.You can select to have activation happen automatically when the Windows Server 2008
installation is complete. Make sure that the Automatically Activate Windows When I'm Online
check box is selected on the Product Key page.
Q.What are the options for installing Windows Server 2008?
A.You can install Windows Server 2008 on a server not currently configured with a NOS, or you
can upgrade existing servers running Windows 2000 Server and Windows Server 2003.
Q.How do you configure and manage a Windows Server 2008 core installation?
A.This stripped-down version of Windows Server 2008 is managed from the command line.

Q.Which Control Panel tool enables you to automate the running of server utilities and other
applications?
A.The Task Scheduler enables you to schedule the launching of tools such as Windows Backup
and Disk Defragmenter.
Q.What are some of the items that can be accessed via the System Properties dialog box?
A.You can access virtual memory settings and the Device Manager via the System Properties
dialog box.
Q.Which Windows Server utility provides a common interface for tools and utilities and
provides access to server roles, services, and monitoring and drive utilities?
A.The Server Manager provides both the interface and access to a large number of the utilities
and tools that you will use as you manage your Windows server.
Q.How are local user accounts and groups created?
A.Local user accounts and groups are managed in the Local Users and Groups node in the Server
Manager. Local user accounts and groups are used to provide local access to a server.
Q.When a child domain is created in the domain tree, what type of trust relationship exists
between the new child domain and the tree's root domain?
A.Child domains and the root domain of a tree are assigned transitive trusts. This means that the
root domain and child domain trust each other and allow resources in any domain in the tree to
be accessed by users in any domain in the tree.
Q.What is the primary function of domain controllers?
A.The primary function of domain controllers is to validate users to the network. However,
domain controllers also provide the catalog of Active Directory objects to users on the network.
Q.What are some of the other roles that a server running Windows Server 2008 could fill on the
network?
A.A server running Windows Server 2008 can be configured as a domain controller, a file server,
a print server, a web server, or an application server. Windows servers can also have roles and
features that provide services such as DNS, DHCP, and Routing and Remote Access.
Q.Which Windows Server 2008 tools make it easy to manage and configure a server's roles and
features?
A.The Server Manager window enables you to view the roles and features installed on a server
and also to quickly access the tools used to manage these various roles and features. The Server
Manager can be used to add and remove roles and features as needed.
Q.What Windows Server 2008 service is used to install client operating systems over the
network?
A.Windows Deployment Services (WDS) enables you to install client and server operating
systems over the network to any computer with a PXE-enabled network interface.
Q.What domain services are necessary for you to deploy the Windows Deployment Services on
your network?
A.Windows Deployment Services requires that a DHCP server and a DNS server be installed in
the domain.
Q.How is WDS configured and managed on a server running Windows Server 2008?
A.The Windows Deployment Services snap-in enables you to configure the WDS server and add
boot and install images to the server.
Q.What utility is provided by Windows Server 2008 for managing disk drives, partitions, and
volumes?
A.The Disk Manager provides all the tools for formatting, creating, and managing drive volumes
and partitions.
Q.What is the difference between a basic and dynamic drive in the Windows Server 2008
environment?
A.A basic disk embraces the MS-DOS disk structure; a basic disk can be divided into partitions
(simple volumes). Dynamic disks consist of a single partition that can be divided into any
number of volumes. Dynamic disks also support Windows Server 2008 RAID implementations.
Q.What is RAID?
A.RAID, or Redundant Array of Independent Disks, is a strategy for building fault tolerance into
your file servers. RAID enables you to combine one or more volumes on separate drives so that
they are accessed by a single drive letter. Windows Server 2008 enables you to configure RAID
0 (a striped set), RAID 1 (a mirror set), and RAID 5 (disk striping with parity).
Q.What is the most foolproof strategy for protecting data on the network?
A.Regular backups of network data provide the best method of protecting you from data loss.
Q.What conceptual model helps provide an understanding of how network protocol stacks such
as TCP/IP work?
A.The OSI model, consisting of the application, presentation, session, transport, network, data
link, and physical layers, helps describe how data is sent and received on the network by protocol
stacks.
Q.What protocol stack is installed by default when you install Windows Server 2008 on a
network server?
A.TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is required for Active
Directory implementations and provides for connectivity on heterogeneous networks.
Q.When TCP/IP is configured on a Windows server (or domain client), what information is
required?
A.You must provide at least the IP address and the subnet mask to configure a TCP/IP client for
an IPv4 client, unless that client obtains this information from a DHCP server. For IPv6 clients,
the interface ID is generated automatically from the MAC hardware address on the network
adapter. IPv6 can also use DHCP as a method to configure IP clients on the network.
Q.What are two command-line utilities that can be used to check TCP/IP configurations and IP
connectivity, respectively?
A.The ipconfig command can be used to check a computer's IP configuration and also renew the
client's IP address if it is provided by a DHCP server. ping can be used to check the connection
between the local computer and any computer on the network, using the destination computer's
IP address.
Q.What term is used to refer to the first domain created in a new Active Directory tree?
A.The first domain created in a tree is referred to as the root domain. Child domains created in
the tree share the same namespace as the root domain.
Q.How is a server running Windows Server 2008 configured as a domain controller, such as the
domain controller for the root domain or a child domain?
A.Installing the Active Directory on a server running Windows Server 2008 provides you with
the option of creating a root domain for a domain tree or of creating child domains in an existing
tree. Installing Active Directory on the server makes the server a domain controller.
Q.What are some of the tools used to manage Active Directory objects in a Windows Server
2008 domain?
A.When the Active Directory is installed on a server (making it a domain controller), a set of
Active Directory snap-ins is provided. The Active Directory Users and Computers snap-in is
used to manage Active Directory objects such as user accounts, computers, and groups. The
Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined
between domains. The Active Directory Sites and Services snap-in provides for the management
of domain sites and subnets.
Q.How are domain user accounts created and managed?
A.The Active Directory Users and Computers snap-in provides the tools necessary for creating
user accounts and managing account properties. Properties for user accounts include settings
related to logon hours, the computers to which a user can log on, and the settings related to the
user's password.
Q.What type of Active Directory objects can be contained in a group?
A.A group can contain users, computers, contacts, and other nested groups.
Q.What type of group is not available in a domain that is running at the mixed-mode functional
level?
A.Universal groups are not available in a mixed-mode domain. The functional level must be
raised to Windows 2003 or Windows 2008 to make these groups available.
Q.What types of Active Directory objects can be contained in an Organizational Unit?
A.Organizational Units can hold users, groups, computers, contacts, and other OUs. The
Organizational Unit provides you with a container directly below the domain level that enables
you to refine the logical hierarchy of how your users and other resources are arranged in the
Active Directory.
Q.What are Active Directory sites?
A.Active Directory sites are physical locations on the network's physical topology. Each regional
domain that you create is assigned to a site. Sites typically represent one or more IP subnets that
are connected by IP routers. Because sites are separated from each other by a router, the domain
controllers on each site periodically replicate the Active Directory to update the Global Catalog
on each site segment.
Q.How can client computer accounts be added to the Active Directory?
A.Client computer accounts can be added through the Active Directory Users and Computers
snap-in. You can also create client computer accounts via the client computer by joining it to the
domain via the System Properties dialog box. This requires a user account that has administrative
privileges, such as members of the Domain Administrator or Enterprise Administrator groups.
Q.What firewall setting is required to manage client computers such as Vista clients and
Windows 2008 member servers?
A.The Windows Firewall must allow remote administration for a computer to be managed
remotely.
Q.Can servers running Windows Server 2008 provide services to clients when they are not part
of a domain?
A.Servers running Windows Server 2008 can be configured to participate in a workgroup. The
server can provide some services to the workgroup peers but does not provide the security and
management tools provided to domain controllers.
Q.What does the use of Group Policy provide you as a network administrator?
A.Group Policy provides a method of controlling user and computer configuration settings for
Active Directory containers such as sites, domains, and OUs. GPOs are linked to a particular
container, and then individual policies and administrative templates are enabled to control the
environment for the users or computers within that particular container.
Q.What tools are involved in managing and deploying Group Policy?
A.GPOs and their settings, links, and other information such as permissions can be viewed in the
Group Policy Management snap-in.
Q.How do you deal with Group Policy inheritance issues?
A.GPOs are inherited down through the Active Directory tree by default. You can block the
inheritance of settings from upline GPOs (for a particular container such as an OU or a local
computer) by selecting Block Inheritance for that particular object. If you want to enforce a
higher-level GPO so that it overrides directly linked GPOs, you can use the Enforce command on
the inherited (or upline) GPO.
Q.How can you make sure that network clients have the most recent Windows updates installed
and have other important security features such as the Windows Firewall enabled before they can
gain full network access?
A.You can configure a Network Policy Server (a service available in the Network Policy and
Access Services role). The Network Policy Server can be configured to compare desktop client
settings with health validators to determine the level of network access afforded to the client.

Q.What is the purpose of deploying local DNS servers?
A.A domain DNS server provides for the local mapping of fully qualified domain names to IP
addresses. Because the DNS is a distributed database, the local DNS servers can provide record
information to remote DNS servers to help resolve remote requests related to fully qualified
domain names on your network.
Q.What types of zones would you want to create on your DNS server so that both queries to
resolve hostnames to IP addresses and queries to resolve IP addresses to hostnames are handled
successfully?
A.You would create both a forward lookup zone and a reverse lookup zone on your Windows
Server 2008 DNS server.
Q.What tool enables you to manage your Windows Server 2008 DNS server?
A.The DNS snap-in enables you to add or remove zones and to view the records in your DNS
zones. You can also use the snap-in to create records such as a DNS resource record.
Q.In terms of DNS, what is a caching-only server?
A.A caching-only DNS server supplies information related to queries based on the data it
contains in its DNS cache. Caching-only servers are often used as DNS forwarders. Because they
are not configured with any zones, they do not generate network traffic related to zone transfers.
Q.How is the range of IP addresses defined for a Windows Server 2008 DHCP server?
A.The IP addresses supplied by the DHCP server are held in a scope. A scope that contains more
than one subnet of IP addresses is called a superscope. IP addresses in a scope that you do not
want to lease can be included in an exclusion range.
Q.What TCP/IP configuration parameters can be provided to a DHCP client?
A.The DHCP server can supply a DHCP client an IP address and subnet mask. It also can
optionally include the default gateway address, the DNS server address, and the WINS server
address to the client.
Q.How can you configure the DHCP server so that it provides certain devices with the same IP
address each time the address is renewed?
A.You can create a reservation for the device (or create reservations for a number of devices). To
create a reservation, you need to know the MAC hardware address of the device. You can use the
ipconfig or nbtstat command-line utilities to determine the MAC address for a network device
such as a computer or printer.
Q.To prevent rogue DHCP servers from running within a domain, what is required for your DHCP
server to function?
A.The DHCP server must be authorized in the Active Directory before it can function in the
domain.
Posted by Anuj Sharma at 4:50:00 PM

Labels: server 2008, server 2003, INTERVIEW QUESTION, Quick Answers, SERVER 2008

Tuesday, August 19
How a Kerberos Logon Works
As most of you are aware, Windows includes a new authentication package, which is Microsoft's
implementation of MIT's Kerberos protocol. This protocol is much more secure than NTLM and
NTLMv2. And with that, I'm going to show you how a client logon happens with Kerberos.
Bob comes into work in the morning, grabs his coffee, and sits down at his workstation. He looks at the Windows 2000 Professional logon screen, hits Ctrl+Alt+Del, types his username and password, and, after being authenticated by a Windows 2000 domain controller, logs onto his domain. He starts Microsoft Outlook to take a look at this morning's pile of email. This seems like a simple process, but that's far from the truth. Let's take a look at what happened in the past few seconds.
Domain Logon Authentication
When Bob pressed "Enter" after typing his password, the Kerberos client on his workstation
converted his password to an encryption key. Kerberos is based on the concept of symmetric
encryption keys, which means that the same key is used to encrypt and decrypt a message. This
is also referred to as a shared private key.
After the Kerberos client converted Bob's password to an encryption key, the key is saved in the workstation's credential cache. The workstation then sent an authentication request to the domain controller, or KDC (Key Distribution Center is a Kerberos term for the service that distributes the "keys to the kingdom"). The authentication request identifies Bob, names the service that he's requesting access to, and carries some pre-authentication data that proves that Bob knows the password. The first portion of the authentication request identifies Bob and asks for access to the TGS (Ticket Granting Service). The TGS is the service on the KDC that issues tickets for access to other services. All of the services within the Kerberos domain trust the TGS, so they know that if a ticket was issued by the TGS, the user successfully authenticated himself and is really who he claims to be.

The second part of the authentication request contains the pre-authentication data: a timestamp encrypted with Bob's long-term key (or password, in this case).
When the KDC receives the authentication request, it checks the local AD database for Bob's password, decrypts the pre-authentication info that was sent in the package, and, if the timestamp is within the permissible guidelines (allowable clock difference, usually 5 minutes or so), sends Bob a TGT (Ticket Granting Ticket) that he's going to use to access the TGS in the future.

But even this process isn't so simple (Kerberos is much more complicated than NTLM). To accomplish this task, the KDC creates a session key for itself and Bob to use in their future communications, then it encrypts that session key with Bob's password, and embeds another copy of the session key along with some authorization info about Bob (this authorization info is the list of Bob's SIDs: his SID history, his group memberships, and Bob's own SID, which is used where ACLs are applied). It encrypts all of this with its own long-term key. (The portion that was encrypted with the KDC's long-term key is the actual TGT.) The Kerberos implementation in Windows 2000 places the SIDs in the TGT in a field that the RFCs define as optional, which Win2k uses for access control information; this extends Kerberos from authentication alone into a piece of the access control puzzle as well.
When Bob's workstation receives a reply from the KDC, it decrypts the session ticket with Bob's password and stores this in the credentials cache. This is the authentication info that Bob's workstation will use to communicate with the KDC from now on. The next time Bob logs on, the session ticket will be completely different, as the KDC doesn't reuse its session keys. The workstation also extracts the TGT, which will still be encrypted with the KDC's long-term key (which Bob's workstation doesn't know), and stores the encrypted TGT in its credentials cache.

"What does all of this have to do with the way I access resources?" you might ask. I'm going to give you a bonus: here's how resource access works in the same domain, with the user being authenticated by Kerberos. Authentication works a bit differently when you are traversing trusts. I will show you that process in an upcoming article.

Resource Access Authentication


Since Bob was authenticated by the KDC, he received a TGT, which allows him to request access to other resources. Since Bob needs to access the Word document reports.doc on the FILESERV1 file server, he's going to request access to FILESERV1. Bob might be opening the document from the recent documents menu or browsing for it in Windows Explorer; however Bob is opening the file is irrelevant. The Kerberos client performs all authentication in the background, without any user intervention. Below is a detailed process of the entire negotiation.
First, Bob's workstation sends a message to the domain controller that granted its TGT. The message is a Ticket Granting Service Request that includes Bob's username, the authenticator, the TGT that was sent back to Bob's workstation during the logon, and the name of the service that Bob is requesting access to (in this case FILESERV1). When the KDC receives the message from Bob's workstation, it decrypts the TGT portion of the message with its own private long-term key and pulls out the session key that it embedded during the logon session. It uses the session key to decrypt the authenticator section of the message. If everything checks out OK, it creates a session key for Bob to utilize when talking to FILESERV1.
The KDC now constructs a message to Bob in two parts. The first part is the actual session key for Bob to use when talking to the FILESERV1 file server, encrypted in Bob's logon session key. The second part is the same session key that Bob is going to use to talk to the FILESERV1 server, but encrypted in FILESERV1's long-term key. This message is sent to Bob's workstation.
When Bob's machine gets this message, it decrypts the first part of the message and saves the session key for FILESERV1 in its credentials cache. Then it pulls out the second portion of the message (which is encrypted in FILESERV1's long-term key, a key that Bob's workstation does not know) and also stores it in its credentials cache.
Now Bob's workstation is going to access the FILESERV1 server. Bob's machine sends FILESERV1 a Kerberos App Request, which has in it an authenticator encrypted in the session key that the KDC gave to Bob to use when talking to FILESERV1, and the encrypted ticket that the KDC gave to Bob, which is the Bob-FILESERV1 session key encrypted in FILESERV1's long-term key, the key that the KDC stores in its database.
When FILESERV1 receives this message, FILESERV1 decrypts the ticket with its own long-term key and is able to read the session key that the KDC gave to Bob for use with FILESERV1. It then decrypts the rest of Bob's message with the session key and, voilà, an authenticated session is established.
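The three exchanges walked through above (logon, ticket request and resource access), as an added example that is not part of the original post: a Python model in which a deliberately simple hash-based stream cipher with an HMAC tag stands in for Kerberos' real encryption types. The principal names, passwords, SIDs and clock values are constructed; the model shows why the workstation can hold the TGT and the service ticket without being able to read either, and how the encrypted-timestamp check rejects a skewed clock.

```python
"""Toy model of the three exchanges above: logon (AS), ticket request (TGS) and
resource access (AP). Constructed example, not the original post's code: a hash-based
stream cipher with an HMAC tag stands in for Kerberos' real encryption types."""
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300  # allowable clock difference in seconds ("5 minutes or so")

def long_term_key(password: str) -> bytes:
    """Password -> symmetric long-term key, as the client does when Bob hits Enter."""
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    """Raises ValueError under the wrong key: a ticket sealed for another principal is opaque."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check_authenticator(auth: dict, ticket: dict, now: float) -> None:
    """The authenticator must name the ticket's user and carry a fresh timestamp."""
    if auth["user"] != ticket["user"] or abs(now - auth["timestamp"]) > MAX_SKEW:
        raise PermissionError("authenticator does not match ticket")

class KDC:
    """Domain controller: holds every principal's long-term key (the AD database)."""

    def __init__(self, passwords: dict, sids: dict):
        self.keys = {name: long_term_key(pw) for name, pw in passwords.items()}
        self.key = self.keys["krbtgt"]  # the KDC's own long-term key
        self.sids = sids  # authorization data placed in the ticket's optional field

    def as_exchange(self, user: str, preauth: bytes, now: float):
        """AS-REQ -> AS-REP: check the encrypted timestamp, return {sk}K_user and the TGT."""
        ts = decrypt(self.keys[user], preauth)["timestamp"]
        if abs(now - ts) > MAX_SKEW:
            raise PermissionError("clock skew outside the permissible window")
        sk = os.urandom(32).hex()
        tgt = encrypt(self.key, {"user": user, "sk": sk, "sids": self.sids[user]})
        return encrypt(self.keys[user], {"sk": sk}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """TGS-REQ -> TGS-REP: open the TGT with our own key, verify the authenticator, and
        return the service session key twice: once for Bob, once inside the service ticket."""
        t = decrypt(self.key, tgt)
        _check_authenticator(decrypt(bytes.fromhex(t["sk"]), authenticator), t, now)
        ssk = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"user": t["user"], "sk": ssk, "sids": t["sids"]})
        return encrypt(bytes.fromhex(t["sk"]), {"sk": ssk}), ticket

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: float):
    """AP-REQ at FILESERV1: only the service's long-term key opens the ticket."""
    t = decrypt(service_key, ticket)
    _check_authenticator(decrypt(bytes.fromhex(t["sk"]), authenticator), t, now)
    return t["user"], t["sids"]  # identity plus the SIDs later used for ACL checks

def logon_and_access(kdc: KDC, user: str, password: str, service: str, now=None, clock_skew=0.0):
    """Bob's workstation end to end; `clock_skew` shifts its clock so the pre-authentication
    check can be exercised. Returns ((user, sids) as seen by the service, credentials cache)."""
    now = time.time() if now is None else now
    k = long_term_key(password)
    cache = {}
    enc_sk, tgt = kdc.as_exchange(user, encrypt(k, {"timestamp": now + clock_skew}), now)
    cache["logon_sk"] = bytes.fromhex(decrypt(k, enc_sk)["sk"])
    cache["tgt"] = tgt  # stored as received: the workstation cannot read it
    authn = encrypt(cache["logon_sk"], {"user": user, "timestamp": now})
    enc_ssk, ticket = kdc.tgs_exchange(tgt, authn, service, now)
    cache[service] = bytes.fromhex(decrypt(cache["logon_sk"], enc_ssk)["sk"])
    cache[service + "_ticket"] = ticket  # also opaque to the workstation
    authn2 = encrypt(cache[service], {"user": user, "timestamp": now})
    return service_accept(kdc.keys[service], ticket, authn2, now), cache

def can_open(password: str, blob: bytes) -> bool:
    """Whether a key derived from `password` decrypts `blob` (shows ticket opacity)."""
    try:
        decrypt(long_term_key(password), blob)
        return True
    except ValueError:
        return False
```

A wrong password fails at the KDC's pre-authentication decrypt, and a workstation clock more than MAX_SKEW seconds off is refused before any ticket is issued.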
I know this seems extremely complicated, but in relative terms of authentication, it's a simple and secure process. I'm more than satisfied with Microsoft's implementation of Kerberos in Windows 2000; I think it's a long-needed building block for a secure OS. We won't see the full benefit of Kerberos until all of our clients are Win2k, since AD servers still support the old NTLM and NTLMv2 authentication protocols, but I think that day is coming soon.
There is another set of events that occurs after this exchange; that set of events refers to access control, and I'll also explain that in another article.
Posted by Anuj Sharma at 9:29:00 PM

Labels: server 2008, server 2003, DHCP, INTERVIEW QUESTION, KEYWORDS, SERVER 2003, SERVER 2008

Tuesday, August 12

Some Networking Questions


What are the two types of transmission technology available?
(i) Broadcast and (ii) point-to-point
What is a subnet?
A generic term for a section of a large network, usually separated by a bridge or router.
What is the difference between communication and transmission?
Transmission is the physical movement of information and concerns issues like bit polarity, synchronisation, clock, etc.
Communication means the meaningful exchange of information between two communication media.
What are the possible ways of data exchange?
(i) Simplex (ii) Half-duplex (iii) Full-duplex.
What is SAP?
Series of interface points that allow other computers to communicate with the other layers of
network protocol stack.
What is meant by "triple X" in networks?
The function of the PAD (Packet Assembler Disassembler) is described in a document known as X.3. The standard protocol has been defined between the terminal and the PAD, called X.28; another standard protocol exists between the PAD and the network, called X.29. Together, these three recommendations are often called "triple X".
What is frame relay, and in which layer does it operate?
Frame relay is a packet switching technology. It operates in the data link layer.
What is terminal emulation, and in which layer does it operate?
Telnet is also called terminal emulation. It belongs to the application layer.
What is beaconing?
The process that allows a network to self-repair network problems. The stations on the network notify the other stations on the ring when they are not receiving transmissions. Beaconing is used in Token Ring and FDDI networks.
What is a redirector?
A redirector is software that intercepts file or print I/O requests and translates them into network requests. This comes under the presentation layer.

What is NETBIOS and NETBEUI?
NETBIOS is a programming interface that allows I/O requests to be sent to and received from a remote computer, and it hides the networking hardware from applications.
NETBEUI is the NetBIOS Extended User Interface, a transport protocol designed by Microsoft and IBM for use on small subnets.
What is RAID?
A method for providing fault tolerance by using multiple hard disk drives.
What is a passive topology?
When the computers on the network simply listen and receive the signal, they are referred to as
passive because they don't amplify the signal in any way. An example of a passive topology is the
linear bus.
What is a brouter?
A hybrid device that combines the features of both bridges and routers.
What is cladding?
A layer of glass surrounding the center fiber of glass inside a fiber-optic cable.
What is the Point-to-Point Protocol?
A communications protocol used to connect computers to remote networking services, including
Internet service providers.
How is a gateway different from a router?
A gateway operates at the upper layers of the OSI model and translates information between two
completely different network architectures or data formats.
What is attenuation?
The degeneration of a signal over distance on a network cable is called attenuation.
What is MAC address?
The address for a device as it is identified at the Media Access Control (MAC) layer in the
network architecture. MAC address is usually stored in ROM on the network adapter card and is
unique.
What is the difference between bit rate and baud rate?
Bit rate is the number of bits transmitted per second, whereas baud rate is the number of signal
units per second required to represent those bits:
baud rate = bit rate / N
where N is the number of bits represented by each signal shift.

What is Bandwidth?
Every line has an upper limit and a lower limit on the frequency of signals it can carry. This
limited range is called the bandwidth.
What are the types of transmission media?
Signals are usually transmitted over some transmission medium; these media are broadly classified
into two categories.
Guided media: These provide a conduit from one device to another and include twisted-pair cable,
coaxial cable and fiber-optic cable. A signal traveling along any of these media is directed and
contained by the physical limits of the medium. Twisted-pair and coaxial cable use metallic
conductors that accept and transport signals in the form of electrical current. Optical fiber is a
glass or plastic cable that accepts and transports signals in the form of light.
Unguided media: This is wireless media that transports electromagnetic waves without using a
physical conductor. Signals are broadcast through the air, for example by radio communication,
satellite communication and cellular telephony.
What is Project 802?
It is a project started by the IEEE to set standards that enable intercommunication between
equipment from a variety of manufacturers. It is a way of specifying the functions of the physical
layer, the data link layer and, to some extent, the network layer to allow for interconnectivity of
major LAN protocols. It consists of the following:
802.1 is an internetworking standard for compatibility of different LANs and MANs across
protocols.
802.2 Logical Link Control (LLC) is the upper sublayer of the data link layer; it is not
architecture-specific, that is, it remains the same for all IEEE-defined LANs.
Media Access Control (MAC) is the lower sublayer of the data link layer and contains distinct
modules, each carrying proprietary information specific to the LAN product being used.
The modules are Ethernet LAN (802.3), Token ring LAN (802.4), Token bus LAN (802.5).
802.6 is the Distributed Queue Dual Bus (DQDB), designed to be used in MANs.

What is a Protocol Data Unit?
The data unit at the LLC level is called the protocol data unit (PDU). The PDU consists of four
fields: a destination service access point (DSAP), a source service access point (SSAP), a control
field and an information field. DSAP and SSAP are addresses used by the LLC to identify the
protocol stacks on the receiving and sending machines that are generating and using the data.
The control field specifies whether the PDU frame is an information frame (I-frame), a
supervisory frame (S-frame) or an unnumbered frame (U-frame).
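The field layout above can be checked with a small parser. The following Python is an added
example, not code from the page; it assumes IEEE 802.2 encoding (one control byte for U-frames,
two for I- and S-frames in modulo-128 operation) and uses constructed sample PDUs.

```python
# Added example: parser for an IEEE 802.2 LLC protocol data unit.
# Assumed layout: DSAP (1 byte), SSAP (1 byte), control field (1 byte for U-frames,
# 2 bytes for I- and S-frames in modulo-128 operation), then the information field.

def parse_llc_pdu(pdu: bytes) -> dict:
    """Split an LLC PDU into DSAP, SSAP, control field and information field.

    The frame type is decided by the low-order bits of the first control byte:
    bit0 == 0       -> I-frame (information; carries N(S) and N(R))
    bits1..0 == 01  -> S-frame (supervisory; RR / REJ / RNR)
    bits1..0 == 11  -> U-frame (unnumbered; single control byte)
    """
    if len(pdu) < 3:
        raise ValueError("LLC PDU needs at least DSAP, SSAP and one control byte")
    dsap, ssap, ctrl0 = pdu[0], pdu[1], pdu[2]
    result = {
        "dsap": dsap,
        "ssap": ssap,
        "dsap_group": bool(dsap & 0x01),    # low bit of DSAP: 0 individual, 1 group address
        "is_response": bool(ssap & 0x01),   # low bit of SSAP: 0 command, 1 response
    }
    if ctrl0 & 0x01 == 0:
        if len(pdu) < 4:
            raise ValueError("I-frame control field is two bytes")
        ctrl1 = pdu[3]
        result.update(frame_type="I", ns=ctrl0 >> 1, nr=ctrl1 >> 1,
                      poll_final=bool(ctrl1 & 0x01))
        ctrl_len = 2
    elif ctrl0 & 0x03 == 0x01:
        if len(pdu) < 4:
            raise ValueError("S-frame control field is two bytes")
        ctrl1 = pdu[3]
        function = {0: "RR", 1: "REJ", 2: "RNR"}.get((ctrl0 >> 2) & 0x03, "reserved")
        result.update(frame_type="S", function=function, nr=ctrl1 >> 1,
                      poll_final=bool(ctrl1 & 0x01))
        ctrl_len = 2
    else:
        # U-frame: modifier bits (2-3 and 5-7) name the command; P/F is bit 4.
        result.update(frame_type="U", modifier=ctrl0 & 0xEC,
                      poll_final=bool(ctrl0 & 0x10))
        ctrl_len = 1
    result["info"] = pdu[2 + ctrl_len:]
    return result

# Constructed sample 1: SNAP-encapsulated IP (DSAP/SSAP 0xAA, UI control 0x03), followed by
# the 5-byte SNAP header (OUI 00:00:00, EtherType 0x0800) and a dummy payload.
SNAP_PDU = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00]) + b"IP..."
# Constructed sample 2: NetBIOS over LLC Type 2 (DSAP/SSAP 0xF0), I-frame with
# N(S)=2 (0x04), N(R)=3 and P/F=0 (0x06), then an information field.
NETBIOS_I_PDU = bytes([0xF0, 0xF0, 0x04, 0x06]) + b"session data"
# Constructed sample 3: RR supervisory response acknowledging N(R)=5 with P/F=1 (0x0B).
RR_PDU = bytes([0xF0, 0xF1, 0x01, 0x0B])
```

Frames shorter than their declared control field raise instead of returning partial fields, which
is the behaviour a protocol decoder wants when fed truncated captures.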
What are the different types of networking / internetworking devices?
Repeater: Also called a regenerator, it is an electronic device that operates only at the physical
layer. It receives the signal in the network before it becomes too weak, regenerates the original
bit pattern and puts the refreshed copy back into the link.
Bridges: These operate in both the physical and data link layers of LANs of the same type. They
divide a larger network into smaller segments. They contain logic that allows them to keep the
traffic for each segment separate; they are thus repeaters that relay a frame only to the side of the
segment containing the intended recipient, and so control congestion.
Routers: They relay packets among multiple interconnected networks (i.e. LANs of different
types). They operate in the physical, data link and network layers. They contain software that
enables them to determine which of the several possible paths is the best for a particular
transmission.
Gateways: They relay packets among networks that have different protocols (e.g. between a LAN
and a WAN). They accept a packet formatted for one protocol and convert it to a packet
formatted for another protocol before forwarding it. They operate in all seven layers of the OSI
model.
What is ICMP?
ICMP is Internet Control Message Protocol, a network layer protocol of the TCP/IP suite used by
hosts and gateways to send notification of datagram problems back to the sender. It uses the echo
test / reply to test whether a destination is reachable and responding. It also handles both control
and error messages.
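The echo test/reply and the error notifications mentioned above can be built and checked with
the following Python. It is an added example rather than code from the page; it assumes the
RFC 792 message layout and the RFC 1071 checksum, and every sample message is constructed.

```python
import struct

# Added example: build and validate ICMP messages.
# Assumed message layout (RFC 792):
#   type (1) | code (1) | checksum (2) | rest of header (4) | data
# For echo messages the 4 "rest of header" bytes are identifier and sequence number.

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                     # pad an odd-length buffer with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(msg_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Assemble an echo request (type 8) or echo reply (type 0) with a correct checksum."""
    if msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("echo messages are type 8 (request) or 0 (reply)")
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload

def parse_icmp(message: bytes) -> dict:
    """Decode the common ICMP header and report whether the checksum verifies.

    The receiver recomputes the checksum over the whole message, transmitted
    checksum included; a valid message folds to zero.
    """
    if len(message) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    msg_type, code, csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    kind = {0: "echo reply", 3: "destination unreachable", 8: "echo request"}.get(msg_type, "other")
    return {
        "type": msg_type, "code": code, "kind": kind, "checksum": csum,
        "identifier": ident, "sequence": seq, "data": message[8:],
        "checksum_ok": internet_checksum(message) == 0,
    }

def make_reply(request: bytes) -> bytes:
    """What a reachable, responding host sends back: same identifier, sequence and data, type 0."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST or not req["checksum_ok"]:
        raise ValueError("not a valid echo request")
    return build_echo(ICMP_ECHO_REPLY, req["identifier"], req["sequence"], req["data"])

# Constructed sample: a "destination unreachable / port unreachable" notification (type 3,
# code 3) as a gateway would send it. The data carries the start of the offending datagram
# (here a stub IPv4 header), and the checksum 0xB7FC was precomputed for these bytes.
UNREACHABLE_SAMPLE = bytes.fromhex("0303b7fc00000000") + b"\x45\x00" + b"\x00" * 26
```

A monitoring tool would treat a non-verifying checksum the same way a host does: log and discard
the message rather than act on its contents.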

What are the data units at different layers of the TCP/IP protocol suite?
The data unit created at the application layer is called a message; at the transport layer the data
unit created is called either a segment or a user datagram; at the network layer the data unit
created is called the datagram; at the data link layer the datagram is encapsulated into a frame
and finally transmitted as signals along the transmission media.
What is the difference between ARP and RARP?
The Address Resolution Protocol (ARP) is used to associate the 32-bit IP address with the 48-bit
physical address. It is used by a host or a router to find the physical address of another host on its
network by sending an ARP query packet that includes the IP address of the receiver.
The Reverse Address Resolution Protocol (RARP) allows a host to discover its Internet address
when it knows only its physical address.
What is the minimum and maximum length of the header in the TCP segment and IP
datagram?
The header should have a minimum length of 20 bytes and can have a maximum length of 60
bytes.
What is the range of addresses in the classes of internet addresses?
Class A 0.0.0.0 - 127.255.255.255
Class B 128.0.0.0 - 191.255.255.255
Class C 192.0.0.0 - 223.255.255.255
Class D 224.0.0.0 - 239.255.255.255
Class E 240.0.0.0 - 247.255.255.255
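The 20 to 60 byte header bounds and the address classes from the two answers above can be
checked with the following Python, an added example not taken from the page. It assumes the
IHL and TCP data-offset fields are 4 bits counting 32-bit words (which is what gives the 60-byte
ceiling) and classifies addresses by the high-order bits of the first octet, so Class E here
covers 240 through 255; the sample headers are constructed.

```python
import struct

# Added example: parse an IPv4 header, enforce the 20..60 byte header-length bounds, and
# classify addresses by their classful range. Sample datagrams are constructed.

def ipv4_class(addr: str) -> str:
    """Classful category from the high-order bits of the first octet."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"      # leading bit 0
    if first < 192:
        return "B"      # leading bits 10
    if first < 224:
        return "C"      # leading bits 110
    if first < 240:
        return "D"      # leading bits 1110 (multicast)
    return "E"          # leading bits 1111 (reserved)

def parse_ipv4_header(datagram: bytes) -> dict:
    """Decode the IPv4 header; IHL counts 32-bit words and must be 5..15 (20..60 bytes)."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than the 20-byte minimum header")
    version, ihl = datagram[0] >> 4, datagram[0] & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 datagram")
    header_len = ihl * 4
    if header_len < 20:
        raise ValueError("IHL %d gives a %d-byte header, below the 20-byte minimum" % (ihl, header_len))
    # A 4-bit IHL cannot exceed 15, so 60 bytes is the largest header it can describe.
    if header_len > len(datagram):
        raise ValueError("header length exceeds the captured bytes")
    total_len, ident, flags_frag = struct.unpack("!HHH", datagram[2:8])
    ttl, proto = datagram[8], datagram[9]
    header_csum = struct.unpack("!H", datagram[10:12])[0]
    src = ".".join(str(b) for b in datagram[12:16])
    dst = ".".join(str(b) for b in datagram[16:20])
    return {
        "header_len": header_len, "total_len": total_len, "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000), "ttl": ttl,
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        "header_checksum": header_csum,
        "src": src, "dst": dst, "src_class": ipv4_class(src), "dst_class": ipv4_class(dst),
        "options": datagram[20:header_len],
    }

def tcp_header_len(segment: bytes) -> int:
    """TCP's data offset uses the same 4-bit, 32-bit-word encoding, hence the same 20..60 bounds."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    offset = segment[12] >> 4
    if offset < 5:
        raise ValueError("TCP data offset below 5 words")
    return offset * 4

# Constructed sample: minimal header (IHL=5), UDP, 192.168.0.1 -> 192.168.0.199, DF set.
MINIMAL_HEADER = bytes.fromhex("450000730000400040110000c0a80001c0a800c7")
# Constructed sample: IHL=6 carrying four option bytes (three NOPs and End-of-Options), TCP.
OPTIONS_HEADER = bytes.fromhex("46000028000140004006" "0000" "0a000001" "c0a80001" "01010100")
# Constructed sample: illegal IHL=4, i.e. a 16-byte header.
BAD_IHL_HEADER = bytes.fromhex("44000028000140004006" "0000" "0a000001" "c0a80001")
# Constructed TCP segments: data offset 5 (no options) and data offset 8 (12 option bytes).
TCP_PLAIN = b"\x00\x50\x04\xd2" + b"\x00" * 8 + b"\x50\x02" + b"\x00" * 6
TCP_WITH_OPTIONS = b"\x00\x50\x04\xd2" + b"\x00" * 8 + b"\x80\x02" + b"\x00" * 6 + b"\x01" * 12
```

Rejecting an IHL below 5 matters in practice: a header shorter than 20 bytes would place the
address fields outside the declared header, and decoders that trust the field blindly misparse
what follows.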
What is the difference between the TFTP and FTP application layer protocols?
The Trivial File Transfer Protocol (TFTP) allows a local host to obtain files from a remote host
but does not provide reliability or security. It uses the fundamental packet delivery services
offered by UDP.
The File Transfer Protocol (FTP) is the standard mechanism provided by TCP/IP for copying a
file from one host to another. It uses the services offered by TCP and so is reliable and secure. It
establishes two connections (virtual circuits) between the hosts, one for data transfer and another
for control information.
What are the major types of networks? Explain.
Server-based network
Peer-to-peer network
In a peer-to-peer network, computers can act both as servers sharing resources and as clients using
the resources.
Server-based networks provide centralized control of network resources and rely on server
computers to provide security and network administration.
What are the types of topologies for networks?
BUS topology: In this, each computer is directly connected to the primary network cable in a single
line.
Advantages: Inexpensive, easy to install, simple to understand, easy to extend.
STAR topology: In this, all computers are connected using a central hub.
Advantages: Can be inexpensive, easy to install and reconfigure, and easy to troubleshoot physical
problems.
RING topology: In this, all computers are connected in a loop.
Advantages: All computers have equal access to the network media, installation can be simple, and
the signal does not degrade as much as in other topologies because each computer regenerates it.
What is mesh network?
A network in which there are multiple network links between computers to provide multiple
paths for data to travel.
What is difference between baseband and broadband transmission?
In a baseband transmission, the entire bandwidth of the cable is consumed by a single signal. In
broadband transmission, signals are sent on multiple frequencies, allowing multiple signals to be
sent simultaneously.
Explain the 5-4-3 rule.
In an Ethernet network, between any two points on the network there can be no more than five
network segments or four repeaters, and of those five segments only three can be populated.
What is a MAU?
In Token Ring, the hub is called a Multistation Access Unit (MAU).
What is the difference between routable and non-routable protocols?
Routable protocols can work with a router and can be used to build large networks. Non-routable
protocols are designed to work on small, local networks and cannot be used with a router.
Why should you care about the OSI Reference Model?
It provides a framework for discussing network operations and design.
What is logical link control?
One of two sublayers of the data link layer of OSI reference model, as defined by the IEEE 802
standard. This sublayer is responsible for maintaining the link between computers when they are
sending data across the physical network connection.
What is virtual channel?
Virtual channel is normally a connection from one source to one destination, although multicast
connections are also permitted. The other name for virtual channel is virtual circuit.
What is a virtual path?
Along any transmission path from a given source to a given destination, a group of virtual
circuits can be grouped together into what is called a path.
What is packet filter?
Packet filter is a standard router equipped with some extra functionality. The extra functionality
allows every incoming or outgoing packet to be inspected. Packets meeting some criterion are
forwarded normally. Those that fail the test are dropped.
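As an added example (not from the page), here is a small stateless packet filter in Python that
evaluates an ordered rule list, first match wins, and drops whatever matches nothing. The rule
fields, the address ranges and the packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example: a stateless packet filter with an ordered rule list and a default drop.
# Addresses, ranges and packets below are constructed for the example.

@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out", relative to the protected network
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "drop"
    direction: Optional[str] = None     # None matches either direction
    proto: Optional[str] = None
    src: Optional[str] = None           # CIDR, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """Every field set on the rule must agree with the packet; unset fields match anything."""
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; a packet matching no rule is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"

INTERNAL = "10.0.0.0/8"            # constructed: the protected network
DMZ_WEB = "203.0.113.10/32"         # constructed: the one host exposed from the DMZ
RULES = [
    # Anti-spoofing first: nothing arriving from outside may claim an internal source.
    Rule("drop", direction="in", src=INTERNAL, comment="inbound with internal source: spoofed"),
    Rule("allow", direction="in", proto="tcp", dst=DMZ_WEB, dport=443, comment="public HTTPS"),
    Rule("allow", direction="in", proto="tcp", dst=DMZ_WEB, dport=80, comment="public HTTP"),
    Rule("allow", direction="out", src=INTERNAL, comment="anything originating inside may leave"),
    # Everything else (inbound SSH, inbound ICMP, ...) falls through to the implicit drop.
]
```

Rule order is the whole design: the spoofing drop sits above the web allows so that a forged
internal source address cannot ride in on port 443.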
What is traffic shaping?
One of the main causes of congestion is that traffic is often bursty. If hosts could be made to
transmit at a uniform rate, congestion would be less common. Another open-loop method to help
manage congestion is forcing packets to be transmitted at a more predictable rate. This is
called traffic shaping.
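A token bucket is one way to implement the shaping described above. The Python below is an
added example, not from the page; it assumes the bucket starts full, refills continuously at the
configured rate, and delays rather than drops packets, and the arrival trace is constructed.

```python
from typing import List, Tuple

# Added example: a token-bucket traffic shaper that turns a bursty source into a smoother one.
# Units: bytes and seconds. The arrival trace and parameters are constructed.

def shape(arrivals: List[Tuple[float, int]], rate: float, burst: int) -> List[Tuple[float, float]]:
    """Return (arrival_time, departure_time) for each packet, in arrival order.

    The bucket starts holding `burst` tokens (bytes) and refills at `rate` bytes/s.
    A packet leaves as soon as the bucket holds at least its size; otherwise it is
    held (not dropped) until enough tokens have accumulated. Packets leave in order.
    """
    tokens = float(burst)   # bytes currently available to spend
    clock = 0.0             # time at which `tokens` was last brought up to date
    schedule = []
    for arrival, size in arrivals:
        if size > burst:
            raise ValueError("a %d-byte packet can never fit a %d-byte bucket" % (size, burst))
        now = max(arrival, clock)                                   # no overtaking
        tokens = min(float(burst), tokens + (now - clock) * rate)   # refill since last update
        if tokens < size:
            now += (size - tokens) / rate                           # wait for the shortfall
            tokens = float(size)
        tokens -= size
        clock = now
        schedule.append((arrival, now))
    return schedule

def busiest_window(events: List[Tuple[float, int]], window: float) -> int:
    """Most bytes seen in any interval [t, t + window) that starts at an event time."""
    best = 0
    for start, _ in events:
        total = sum(size for t, size in events if start <= t < start + window)
        best = max(best, total)
    return best

# Constructed trace: a 3000-byte burst at t=0, then a lone 500-byte packet at t=2 s.
ARRIVALS = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (2.0, 500)]
RATE = 1000.0   # sustained rate, bytes per second
BURST = 1500    # bucket depth, bytes

def demo() -> Tuple[int, int]:
    """Bytes in the busiest one-second window before and after shaping."""
    schedule = shape(ARRIVALS, RATE, BURST)
    departures = [(depart, size) for (_, depart), (_, size) in zip(schedule, ARRIVALS)]
    return busiest_window(ARRIVALS, 1.0), busiest_window(departures, 1.0)
```

With these numbers the unshaped source offers 3000 bytes in its first second, while the shaped
output never exceeds burst + rate x window = 2500 bytes in any one-second window (here 2000),
which is the bound a downstream link can be provisioned against.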
What is multicast routing?
Sending a message to a group is called multicasting, and its routing algorithm is called multicast
routing.
What is a region?
When hierarchical routing is used, the routers are divided into what we will call regions, with
each router knowing all the details about how to route packets to destinations within its own
region, but knowing nothing about the internal structure of other regions.
What is silly window syndrome?
It is a problem that can ruin TCP performance. This problem occurs when data are passed to the
sending TCP entity in large blocks, but an interactive application on the receiving side reads 1
byte at a time.
What are digrams and trigrams?
The most common two-letter combinations are called digrams, e.g. th, in, er, re and an. The
most common three-letter combinations are called trigrams, e.g. the, ing, and, and ion.
Expand IDEA.
IDEA stands for International Data Encryption Algorithm.
What is wide-mouth frog?
Wide-mouth frog is the simplest known key distribution center (KDC) authentication protocol.
What is Mail Gateway?
It is a system that performs a protocol translation between different electronic mail delivery
protocols.
What is IGP (Interior Gateway Protocol)?
It is any routing protocol used within an autonomous system.
What is EGP (Exterior Gateway Protocol)?
It is the protocol the routers in neighboring autonomous systems use to identify the set of
networks that can be reached within or via each autonomous system.
What is autonomous system?
It is a collection of routers under the control of a single administrative authority and that uses a
common Interior Gateway Protocol.
What is BGP (Border Gateway Protocol)?
It is a protocol used to advertise the set of networks that can be reached within an autonomous
system. BGP enables this information to be shared with other autonomous systems. It is newer
than EGP (Exterior Gateway Protocol).
What is Gateway-to-Gateway protocol?
It is a protocol formerly used to exchange routing information between Internet core routers.

What is NVT (Network Virtual Terminal)?
It is a set of rules defining a very simple virtual terminal interaction. The NVT is used at the start
of a Telnet session.
What is a multi-homed host?
A host that has multiple network interfaces and therefore requires multiple IP addresses is called
a multi-homed host.
What is Kerberos?
It is an authentication service developed at the Massachusetts Institute of Technology. Kerberos
uses encryption to prevent intruders from discovering passwords and gaining unauthorized
access to files.
What is OSPF?
It is an Internet routing protocol that scales well, can route traffic along multiple paths, and uses
knowledge of an Internet's topology to make accurate routing decisions.
What is Proxy ARP?
It is using a router to answer ARP requests. This is done when the originating host believes
that a destination is local, when in fact it lies beyond the router.
What is SLIP (Serial Line Interface Protocol)?
It is a very simple protocol used for transmission of IP datagrams across a serial line.
What is RIP (Routing Information Protocol)?
It is a simple protocol used to exchange information between the routers.
What is source route?
It is a sequence of IP addresses identifying the route a datagram must follow. A source route may
optionally be included in an IP datagram header.
What is the purpose of the finally clause of a try-catch-finally statement?
The finally clause provides the capability to execute code whether or not an exception is thrown
or caught.
What is the Locale class?
The Locale class is used to tailor program output to the conventions of a particular geographic,
political, or cultural region.

What must a class do to implement an interface?
It must provide all of the methods in the interface and identify the interface in its implements
clause.
What is an abstract method?
An abstract method is a method whose implementation is deferred to a subclass. Or, a method
that has no implementation (an interface of a method).
What is a static method?
A static method is a method that belongs to the class rather than any object of the class and
doesn't apply to an object or even require that any objects of the class have been instantiated.
What is a protected method?
A protected method is a method that can be accessed by any method in its package and inherited
by any subclass of its class.
What is the difference between a static and a non-static inner class?
A non-static inner class may have object instances that are associated with instances of the class's
outer class. A static inner class does not have any object instances.
What is an object's lock and which objects have locks?
An object's lock is a mechanism that is used by multiple threads to obtain synchronized access to
the object. A thread may execute a synchronized method of an object only after it has acquired
the object's lock. All objects and classes have locks. A class's lock is acquired on the class's
Class object.
When can an object reference be cast to an interface reference?
An object reference can be cast to an interface reference when the object implements the
referenced interface.
What is the difference between a Window and a Frame?
The Frame class extends Window to define a main application window that can have a menu bar.

What do heavyweight components mean?
Heavyweight components, like those of the Abstract Window Toolkit (AWT), depend on the local
windowing toolkit. For example, java.awt.Button is a heavyweight component: when it is
running on the Java platform for Unix, it maps to a real Motif button. In this relationship, the
Motif button is called the peer of the java.awt.Button. If you create two Buttons, two peers and
hence two Motif buttons are also created. The Java platform communicates with the Motif
buttons using the Java Native Interface. For each and every component added to the
application, there is an additional overhead tied to the local windowing system, which is why
these components are called heavyweight.
Which package has lightweight components?
The javax.swing package. All components in Swing, except JApplet, JDialog, JFrame and
JWindow, are lightweight components.
What are peerless components?
Peerless components are called lightweight components.
What is the difference between the Font and FontMetrics classes?
The FontMetrics class is used to define implementation-specific properties, such as ascent and
descent, of a Font object.
What happens when a thread cannot acquire a lock on an object?
If a thread attempts to execute a synchronized method or synchronized statement and is unable to
acquire an object's lock, it enters the waiting state until the lock becomes available.
What is the difference between the Reader/Writer class hierarchy and the
InputStream/OutputStream class hierarchy?
The Reader/Writer class hierarchy is character-oriented, and the InputStream/OutputStream class
hierarchy is byte-oriented.
What classes of exceptions may be caught by a catch clause?
A catch clause can catch any exception that may be assigned to the Throwable type. This
includes the Error and Exception types.
What is the difference between the throw and throws keywords?
The throw keyword denotes a statement that causes an exception to be initiated. It takes the
Exception object to be thrown as its argument. The exception will be caught by an immediately
enclosing try-catch construction or propagated further up the calling hierarchy. The throws
keyword is a modifier of a method that designates that exceptions may come out of the method,
either by virtue of the method throwing the exception itself or because it fails to catch such
exceptions that a method it calls may throw.
If a class is declared without any access modifiers, where may the class be accessed?
A class that is declared without any access modifiers is said to have package or friendly access.
This means that the class can only be accessed by other classes and interfaces that are defined
within the same package.
What is the Map interface?
The Map interface replaces the JDK 1.1 Dictionary class and is used to associate keys with values.
Does a class inherit the constructors of its superclass?
A class does not inherit constructors from any of its superclasses.
Name primitive Java types.
The primitive types are byte, char, short, int, long, float, double, and boolean.
Which class should you use to obtain design information about an object?
The Class class is used to obtain information about an object's design.
How can a GUI component handle its own events?
A component can handle its own events by implementing the required event-listener interface
and adding itself as its own event listener.
How are the elements of a GridBagLayout organized?
The elements of a GridBagLayout are organized according to a grid. However, the elements are
of different sizes and may occupy more than one row or column of the grid. In addition, the rows
and columns may have different sizes.
What advantage do Java's layout managers provide over traditional windowing systems?
Java uses layout managers to lay out components in a consistent manner across all windowing
platforms. Since Java's layout managers aren't tied to absolute sizing and positioning, they are
able to accommodate platform-specific differences among windowing systems.
What are the problems faced by Java programmers who don't use layout managers?
Without layout managers, Java programmers are faced with determining how their GUI will be
displayed across multiple windowing systems and finding a common sizing and positioning that
will work within the constraints imposed by each windowing system.
What is the difference between static and non-static variables?
A static variable is associated with the class as a whole rather than with specific instances of a
class. Non-static variables take on unique values with each object instance.
What is the difference between the paint() and repaint() methods?
The paint() method supports painting via a Graphics object. The repaint() method is used to
cause paint() to be invoked by the AWT painting thread.
What is the purpose of the File class?
The File class is used to create objects that provide access to the files and directories of a local
file system.
What restrictions are placed on method overloading?
Two methods may not have the same name and argument list but different return types.
What restrictions are placed on method overriding?
Overridden methods must have the same name, argument list, and return type. The overriding
method may not limit the access of the method it overrides. The overriding method may not
throw any exceptions that may not be thrown by the overridden method.

What is casting?
There are two types of casting, casting between primitive numeric types and casting between
object references. Casting between numeric types is used to convert larger values, such as double
values, to smaller values, such as byte values. Casting between object references is used to refer
to an object by a compatible class, interface, or array type reference.
Name Container classes.
Window, Frame, Dialog, FileDialog, Panel, Applet, or ScrollPane
What class allows you to read objects directly from a stream?
The ObjectInputStream class supports the reading of objects from input streams.
How are this() and super() used with constructors?
this() is used to invoke a constructor of the same class. super() is used to invoke a superclass
constructor.
How is it possible for two String objects with identical values not to be equal under the ==
operator?
The == operator compares two objects to determine if they are the same object in memory. It is
possible for two String objects to have the same value but be located in different areas of memory.
What is an I/O filter?
An I/O filter is an object that reads from one stream and writes to another, usually altering the
data in some way as it is passed from one stream to the other.
What is the Set interface?
The Set interface provides methods for accessing the elements of a finite mathematical set. Sets
do not allow duplicate elements.
What is the List interface?
The List interface provides support for ordered collections of objects.
What is the purpose of the enableEvents() method?
The enableEvents() method is used to enable an event for a particular object. Normally, an event
is enabled when a listener is added to an object for a particular event. The enableEvents() method
is used by objects that handle events by overriding their event-dispatch methods.
What is the difference between the File and RandomAccessFile classes?
The File class encapsulates the files and directories of the local file system. The
RandomAccessFile class provides the methods needed to directly access data contained in any
part of a file.
What interface must an object implement before it can be written to a stream as an object?
An object must implement the Serializable or Externalizable interface before it can be written to
a stream as an object.
What is the ResourceBundle class?
The ResourceBundle class is used to store locale-specific resources that can be loaded by a
program to tailor the program's appearance to the particular locale in which it is being run.
What is the difference between a Scrollbar and a ScrollPane?
A Scrollbar is a Component, but not a Container. A ScrollPane is a Container. A ScrollPane
handles its own events and performs its own scrolling.
What is a Java package and how is it used?
A Java package is a naming context for classes and interfaces. A package is used to create a
separate name space for groups of classes and interfaces. Packages are also used to organize
related classes and interfaces into a single API unit and to control accessibility to these classes
and interfaces.
What are the Object and Class classes used for?
The Object class is the highest-level class in the Java class hierarchy. The Class class is used to
represent the classes and interfaces that are loaded by a Java program.
What are serialization and deserialization?
Serialization is the process of writing the state of an object to a byte stream. Deserialization is the
process of restoring these objects.
What is tunnelling?
Tunnelling is a route to somewhere. For example, RMI tunnelling is a way to let an RMI
application get through a firewall. In the CS world, tunnelling means a way to transfer data.
Does the code in a finally block get executed if there is an exception and a return statement in
a catch block?
If an exception occurs and there is a return statement in the catch block, the finally block is still
executed. The finally block will not be executed when System.exit(1) is called earlier, or the
system shuts down, or memory is used up before the thread reaches the finally block.
How do you restrict a user from cutting and pasting from an HTML page?
Using JavaScript to lock keyboard keys is one of the solutions.
Is Java a super set of JavaScript?
No. They are completely different. Some syntax may be similar.
What is a Container in a GUI?
A Container contains and arranges other components (including other containers) through the use
of layout managers, which use specific layout policies to determine where components should go
as a function of the size of the container.
How does the object-oriented approach help us keep the complexity of software development
under control?
We can discuss this issue from the following aspects:
o Objects allow procedures to be encapsulated with their data to reduce potential interference.
o Inheritance allows well-tested procedures to be reused and enables changes to be made once
and take effect in all relevant places.
o The well-defined separation of interface and implementation allows constraints to be imposed
on inheriting classes while still allowing the flexibility of overriding and overloading.

What is polymorphism?
Polymorphism allows methods to be written that needn't be concerned about the specifics of the
objects they will be applied to. That is, the method can be specified at a higher level of
abstraction and can be counted on to work even on objects of yet unconceived classes.
What is design by contract?
Design by contract specifies the obligations of a method to any other methods that may use its
services, and also theirs to it. For example, the preconditions specify what the method requires
to be true when it is called; hence making sure that the preconditions hold is the caller's
responsibility. Similarly, postconditions specify what must be true when the method is finished,
thus the called method has the responsibility of satisfying the postconditions.
In Java, the exception handling facilities support the use of design by contract, especially in the
case of checked exceptions. The assert keyword can be used to make such contracts.
What are use cases?
A use case describes a situation that a program might encounter and what behavior the program
should exhibit in that circumstance. It is part of the analysis of a program. The collection of use
cases should, ideally, anticipate all the standard circumstances and many of the extraordinary
circumstances possible so that the program will be robust.
What is the difference between an interface and an abstract class?
o An interface contains methods that must be abstract; an abstract class may contain concrete
methods.
o An interface contains variables that must be static and final; an abstract class may contain
non-final and final variables.
o Members of an interface are public by default; an abstract class may contain non-public
members.
o An interface is used with "implements", whereas an abstract class is used with "extends".
o An interface can be used to achieve multiple inheritance; an abstract class can be used only for
single inheritance.
o An interface can "extend" another interface; an abstract class can "extend" another class and
"implement" multiple interfaces.
o An interface is absolutely abstract; an abstract class can be invoked if a main() exists.
o An interface is more flexible than an abstract class because one class can only "extend" one
superclass but "implement" multiple interfaces.
o If given a choice, use an interface instead of an abstract class.
Posted by Anuj Sharma at 10:19:00 PM
Labels: server 2008, server2003 INTERVIEW QUESTION
Tuesday, August 5
ADS MORE INTERVIEW QUESTIONS
What is an Active Directory (AD)?
The Microsoft Windows 2003 Active Directory glossary defines an Active Directory as a
structure supported by Windows 2003 that lets any object on a network be tracked and located.
Active Directory is the directory service used in Windows 2003 Server and provides the
foundation for Windows 2003 distributed networks. A directory service provides the methods
for storing directory data and making this data available to network users and administrators. For
example, Active Directory stores information about user accounts, such as names, phone
numbers, and so on, and enables other authorized users on the same network to access this
information.
The AD, or Active Directory, is a database based on the LDAP (Lightweight Directory Access
Protocol) standard, which makes the information contained within the AD easily available to
other applications across different platforms. The AD contains user accounts, computer accounts,
organizational units, security groups, and group policy object - all of which have a unique name
and a unique path. All unique objects in the AD use a domain contained within the AD as a
means of authentication.
What is a domain?
The Microsoft Windows 2003 Active Directory glossary defines a domain as a single security
boundary of a Windows NT-based computer network. Active Directory is made up of one or
more domains. On a standalone workstation, the domain is the computer itself. A domain can
span more than one physical location. Every domain has its own security policies and security
relationships with other domains. When multiple domains are connected by trust relationships
and share a common schema, configuration, and global catalog, they constitute a domain tree.
Multiple domain trees can be connected together to create a forest.
What is a tree?
The Microsoft Windows 2003 Active Directory glossary defines a tree as a set of Windows NT
domains connected together through transitive, bidirectional trust, sharing a common schema,
configuration, and global catalog. The domains must form a contiguous hierarchical namespace
such that if a.com is the root of the tree, b.a.com is a child of a.com, c.b.a.com is a child of
b.a.com, and so on.

What is a forest?
The Microsoft Windows 2003 Active Directory glossary defines a forest as a group of one or
more Active Directory trees that trust each other. All trees in a forest share a common schema,
configuration, and global catalog. When a forest contains multiple trees, the trees do not form a
contiguous namespace. All trees in a given forest trust each other through transitive bidirectional
trust relationships. Unlike a tree, a forest does not need a distinct name. A forest exists as a set of
cross-referenced objects and trust relationships known to the member trees. Trees in a forest
form a hierarchy for the purposes of trust.
What is a schema?
The Microsoft Windows 2003 Active Directory glossary defines a schema as the definition of an entire database; the universe of objects that can be stored in the directory is defined in the schema. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it may have, and what object class can be a parent of the current object class.
What is a global catalog (GC)?
The Microsoft Windows 2003 Active Directory glossary defines a global catalog (GC) as a partial replica of every Windows 2003 domain in the directory. The GC lets users and applications find objects in an Active Directory domain tree given one or more attributes of the target object. It also contains the schema and configuration of directory partitions. This means the global catalog holds a replica of every object in the Active Directory, but with only a small number of their attributes. The attributes in the global catalog are those most frequently used in search operations (such as a user's first and last names, logon names, and so on), and those required to locate a full replica of the object. The GC allows users to find objects of interest quickly without knowing which domain holds them and without requiring a contiguous extended namespace in the enterprise. The global catalog is built automatically by the Active Directory replication system.
What is an organizational unit (OU)?
The Microsoft Windows 2003 Active Directory glossary defines an organizational unit as a
container object that is an Active Directory administrative partition. OUs can contain users,
groups, resources, and other OUs. Organizational Units enable the delegation of administration
to distinct subtrees of the directory.
What is a group policy?
The Microsoft Windows 2003 Active Directory glossary states that group policy refers to applying policy to groups of computers and/or users contained within Active Directory containers. The policy types include not only the registry-based policy found in Windows NT Server 4.0; Directory Services also makes it possible to store many other kinds of policy data, for example: file deployment, application deployment, logon/logoff scripts and startup/shutdown scripts, domain security, Internet Protocol security (IPSec), and so on. The collections of policies are referred to as Group Policy objects (GPOs).
A group policy object (GPO) is defined as a virtual collection of policies. It is given a unique name, such as a globally unique identifier (GUID). GPOs store group policy settings in two locations: a Group Policy container (GPC) (preferred) and a Group Policy template (GPT). The GPC is an Active Directory object that stores version information, status information, and other policy information (for example, application objects). The GPT is used for file-based data and stores software policy, script, and deployment information. The GPT is located in the system volume folder of the domain controller. A GPO can be associated with one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be associated with the same GPO, and a single container can have more than one associated GPO.
A GPO is broken into two major sections, the Computer Configuration and the User Configuration. The Computer Configuration holds policies that are relevant only to the machine itself; it can control printers, network settings, and startup and shutdown scripts. One of the more useful policies found under the Computer Configuration is the loopback policy, which allows User Configuration policies to be applied to a computer regardless of the user (unless the user is denied the GPO). Under the User Configuration, logon and logoff scripts can be configured, folders can be redirected, and security settings can be tweaked.
What is an access control list (ACL)?
The Microsoft Windows 2003 Active Directory glossary defines an access control list as a set
of data associated with a file, directory, or other resource that defines the permissions that users
and/or groups have for accessing it. In the Active Directory service, an ACL is a list of access
control entries (ACEs) stored with the object it protects. In the Windows NT operating system,
an ACL is stored as a binary value, called a security descriptor.
What is an access control entry (ACE)?
The Microsoft Windows 2003 Active Directory glossary states that each ACE contains a
security identifier (SID), which identifies the principal (user or group) to whom the ACE applies,
and information on what type of access the ACE grants or denies.
P01 - Can we add a Windows Server 2003 server to a 2000 domain ?
Yes, domain controllers running Windows 2000 Server and Windows Server 2003 can coexist. Before doing this, you have to prepare the AD schema with adprep /forestprep.

P02 - How to name an AD domain ?
The rules come mainly from DNS: acceptable naming conventions for domain names include the use of alphanumeric characters (the letters A through Z and numerals 0 through 9) and the hyphen (-). A period (.) in a domain name is always used to separate the discrete parts of a domain name, commonly known as labels. Each domain label can be no longer than 63 bytes. The first label may not be a number.
Extra restrictions must be considered:
- If you want the NetBIOS domain name corresponding to your domain to remain simple, use fewer than 15 characters.
- Don't use the same domain name that you use on the Internet; but to avoid someone else taking it later, register the domain you use internally on the Internet.
- Don't use the .local suffix.
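The naming rules above, encoded as a checker. This is an added example, not code from the original post: the function name validate_ad_domain_name is assumed, the Internet-name comparison uses a caller-supplied list because it cannot be checked offline, and the no-leading-or-trailing-hyphen rule is the RFC 1123 hostname rule, which goes slightly beyond the list above.

```python
import re
from typing import Iterable, List, Tuple

# DNS label rules from the text: letters, digits and hyphen; at most 63 bytes per label
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")
MAX_LABEL_BYTES = 63
NETBIOS_MAX_CHARS = 15  # a longer first label is truncated when the NetBIOS name is derived


def validate_ad_domain_name(name: str, internet_domains: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Check a proposed AD DNS domain name against the naming rules.

    Returns (errors, warnings): errors are hard DNS rule violations, warnings are
    the extra recommendations (NetBIOS length, .local suffix, reuse of an Internet name).
    internet_domains is a caller-supplied list of names the organisation uses publicly (assumed).
    """
    errors: List[str] = []
    warnings: List[str] = []
    labels = name.split(".")

    for label in labels:
        if not label:
            errors.append("empty label (leading, trailing or doubled period)")
            continue
        if not LABEL_RE.match(label):
            errors.append(f"label {label!r} contains characters other than A-Z, 0-9 and hyphen")
        if len(label.encode("utf-8")) > MAX_LABEL_BYTES:
            errors.append(f"label {label!r} is longer than {MAX_LABEL_BYTES} bytes")
        # RFC 1123 hostname rule (not stated in the text): no leading or trailing hyphen
        if label.startswith("-") or label.endswith("-"):
            errors.append(f"label {label!r} begins or ends with a hyphen")

    first = labels[0]
    if first.isdigit():
        errors.append(f"first label {first!r} may not be a number")
    if len(first) > NETBIOS_MAX_CHARS:
        warnings.append(f"NetBIOS name derived from {first!r} would be truncated to "
                        f"{NETBIOS_MAX_CHARS} characters; keep the first label shorter")
    if labels[-1].lower() == "local":
        warnings.append("uses the .local suffix, which the text advises against")
    if name.lower() in {d.lower() for d in internet_domains}:
        warnings.append(f"{name!r} is the same as one of your Internet domain names")

    return errors, warnings


if __name__ == "__main__":
    # Constructed candidates; example.com stands in for the organisation's public name
    for candidate in ("corp.example.com", "123.example.com", "corp.local", "example.com"):
        errs, warns = validate_ad_domain_name(candidate, internet_domains=["example.com"])
        print(f"{candidate}: errors={errs} warnings={warns}")
```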
Q01 - How to create a forest with a domain ?
1. Click Start, Run, and type dcpromo.
2. On the Welcome page, click Next.
3. On the Operating System Compatibility page, click Next.
4. On the Domain Controller Type page, click Domain controller for a new domain and click Next.
5. On the Create New Domain page, click Domain in a new forest and click Next.
6. Type the full DNS name for the new domain and click Next.
7. Verify the NetBIOS name and click Next.
8. Specify a location and click Next.
9. Choose a location and click Next.
10. Verify an existing DNS server or click Install and configure, and then click Next.
11. Specify whether or not to assign default permissions.
12. When prompted, specify a password.
13. Review the Summary page, and click Next.
14. When prompted, restart the computer.
Q02 - How to add a DC (Domain Controller) to an existing domain ?
1. Run dcpromo.
2. On the Domain Controller Type page, select the Additional domain controller for an existing domain option.
3. On the Network Credentials page, type the user name, password, and user domain.
4. On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse.
5. On the Shared System Volume page, type the location in which you want to install the SYSVOL folder, or click Browse.
6. On the Directory Services Restore Mode Administrator Password page, type and confirm the Directory Services Restore Mode password and click Next.
7. Review the Summary page, and then click Next.
8. When prompted, restart the computer.
Q03 - How to rename a Domain Controller ?
1. In the Control Panel, double-click System.
2. In the System Properties dialog box, click Change.
3. When prompted, confirm that you want to rename the domain controller.
4. Enter the full computer name and click OK.

Q04 - How to delete (remove from domain) a Domain Controller ?
To remove a domain controller that is online and is no longer required:
1. Open the Active Directory Installation Wizard (run dcpromo).
2. On the Remove Active Directory page, select the This server is the last domain controller in the domain check box, and then click Next.
3. On the Administrator Password page, type your new administrator password, and then click Next.
4. On the Summary page, review the summary, and then click Next.
To remove a domain controller that is damaged and cannot be started from Active Directory:
In this case you have to use ntdsutil; read the Microsoft Knowledge Base article at http://support.microsoft.com/default.aspx?scid=kb;en-us;216498
Q05 - How to check the correct initialisation of Active Directory ?
After you have performed an upgrade, you can verify the promotion of a server to a domain controller by verifying the following items.
Default containers: These are created automatically when the first domain is created. Open the Active Directory Users and Computers Microsoft Management Console (MMC), and then verify that the following containers appear: Computers, Users, ForeignSecurityPrincipals.
Default Domain Controllers organizational unit: Open Active Directory Users and Computers, and then verify that this organizational unit appears.
Default-First-Site-Name: You can verify this item by using Active Directory Sites and Services.
Active Directory database: Your Ntds.dit file is the Active Directory database. Verify that it resides in the %Systemroot%\Ntds folder.
Global catalog server: By default, the first domain controller becomes a global catalog server. To verify this item:
1. Click Start, click Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites, expand Servers, and then select your domain controller.
3. Double-click the domain controller to expand the server contents.
4. Below the server, an NTDS Settings object is displayed. Right-click the object, and then click Properties.
5. On the General tab, make sure that the Global Catalog check box is selected (this is the default setting).
Root domain: To verify this role, use the net accounts command. The computer role should be "primary" or "backup," depending on whether the computer is the first domain controller in the domain.
Shared system volume: A Windows Server 2003 domain controller should have a shared system volume located in the %Systemroot%\Sysvol\Sysvol folder.
SRV resource records: You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. Use the DNS Manager MMC snap-in to verify that the correct zones and resource records are created for each DNS zone. Active Directory creates its SRV RRs in the following folders:
o _Msdcs/Dc/_Sites/Default-first-site-name/_Tcp
o _Msdcs/Dc/_Tcp
In these locations, an SRV RR is displayed for the following services:
o _kerberos
o _ldap
Q06 - How to create a child domain ?
You can't use a DC that manages the root domain as a DC for a child domain; set up a new server and then follow these instructions:
1. Run dcpromo.
2. On the Domain Controller Type page, click Child domain in an existing domain tree.
3. Type the user name, password, and user domain of the user account you want to use.
4. Verify the parent domain, and then type the new child domain name.
Q07 - How to create a new tree ?
1. Run dcpromo.
2. On the Domain Controller Type page, click Domain tree in an existing forest.
3. Type the user name, password, and user domain of the user account you want to use.
4. Type the full DNS name for the new domain.
Q10 - How to Determine the RID, PDC, and Infrastructure FSMO Holders of a Selected Domain ?
1. Click Start, click Run, type dsa.msc, and then click OK.
2. Right-click the selected Domain Object in the top left pane, and then click Operations Masters.
3. Click the PDC tab to view the server holding the PDC master role.
4. Click the Infrastructure tab to view the server holding the Infrastructure master role.
5. Click the RID Pool tab to view the server holding the RID master role.
Q11 - How to Determine the Schema FSMO Holder in a Forest ?
1. Click Start, click Run, type mmc, and then click OK.
2. On the Console menu, click Add/Remove Snap-in, click Add, double-click Active Directory Schema, click Close, and then click OK.
3. Right-click Active Directory Schema in the top left pane, and then click Operations Masters to view the server holding the schema master role.
Q12 - How to create a trust relationship between two forests ?
1. Open Active Directory Domains and Trusts.
2. Click Properties for the forest root domain, shortcut trust domain, external trust domain, or realm trust domain.
3. On the Trusts tab, click New Trust, and then click Next.
4. Click Next on the Welcome page.
5. Type the DNS name on the appropriate Trust Name page and click Next.
6. Select the desired trust type on the Trust Type page and click Next.
7. Select the desired trust direction on the Direction of Trust page, then follow the wizard instructions.
Q13 - How to check trust relationships ?
Using Active Directory Domains and Trusts:
1. Right-click the desired domain and click Properties.
2. Click the desired trust, then click Properties.
3. Click Validate, then click No, do not.
4. Repeat steps 1 through 3 for the other domain in the relationship.
Using netdom:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Verify
Q14 - How to delete trust relationships ?
Using Active Directory Domains and Trusts:
1. Right-click the desired domain and click Properties.
2. Click the desired trust, then click Remove.
3. Repeat steps 1 and 2 for the other domain in the relationship.
Q15 - How to Create and Configure Sites and Subnets ?
To use sites to manage replication between sites, you create additional sites and subnets and
delegate control of sites. Creating a site involves providing a name for the new site and
associating the site with a site link. To create sites, you must log on as a member of the
Enterprise Admins group or the Domain Admins group in the forest root domain.
To create a site, perform the following steps:
1. Open Active Directory Sites and Services from the Administrative Tools menu.
2. In the console tree, right-click Sites, and then click New Site.
3. In the Name box, type the name of the new site.
4. Click a site link object, and then click OK twice.
To create a subnet object, perform the following steps:
1. In Active Directory Sites and Services, in the console tree, double-click Sites, right-click
Subnets, and then click New Subnet.
2. In the Address box, type the subnet IP address.
3. In the Mask box, type the subnet mask that describes the range of addresses for the subnet.
4. Select a site to associate the subnet with, and then click OK.
To associate a site with a subnet object, perform the following steps:
1. In Active Directory Sites and Services, expand Sites, expand Subnets, and then in the console
tree, right-click the subnet that you want to associate the site with, and then click Properties.
2. On the General page, in the Site box, click the site that you want to associate with this subnet,
and then click OK.
Q16 - How to move a DC to a different site ?
To move a domain controller to a different site, perform the following steps:
1. In Active Directory Sites and Services, expand Sites, expand the site that the domain controller is in, expand Servers, and then in the console tree, right-click the domain controller, and then click Move.
2. In the Move Server dialog box, in the Site Name list, select the site that you want to move the domain controller to, and then click OK.
Q17 - How to Create and Configure Site Links ?
You create site links in Active Directory to map connections between two or more sites. When you configure site links, you can define the site link properties, which include the cost, replication interval, schedule, and the sites that the link is associated with.
To create a site link, perform the following steps:
1. In Active Directory Sites and Services, expand Sites, expand Inter-Site Transports, right-click IP or SMTP, depending on which protocol the site link will use, and then click New Site Link.
2. In the Name box, type a name for the link.
3. Click two or more sites to connect, click Add, and then click OK.
To configure site links, perform the following steps:
1. Open Active Directory Sites and Services, expand Sites, expand Inter-Site Transports, and then click IP or SMTP, depending on which protocol the site link is configured to use.
2. Right-click the site link, and then click Properties.
3. On the General page of the Properties dialog box, change the values for site associations, cost, replication interval, and schedule as required, and then click OK.
4. Perform one of the following as appropriate:
o In the Sites not in this site link box, click the site you want to add, and then click Add.
o In the Sites in this site link box, click the site you want removed, and then click Remove.
o In the Cost box, enter a value for the cost of replication.
5. Click Change Schedule, select the block of time you want to schedule, click either Replication Not Available or Replication Available, and then click OK.
If you want to create a site link bridge:
Before you can create new site link bridges, you must first disable default bridging of all site links.
To disable default bridging of all site links, perform the following steps:
1. Open Active Directory Sites and Services, expand Sites, expand Inter-Site Transports, right-click either IP or SMTP, depending on the protocol for which you want to disable bridging of all site links, and then click Properties.
2. In the Properties dialog box, clear the Bridge all site links check box, and then click OK.
To create a site link bridge, perform the following steps:
1. Open Active Directory Sites and Services, expand Sites, expand Inter-Site Transports, right-click either IP or SMTP, depending on the protocol that you want to create a site link bridge for, and then click New Site Link Bridge.
2. In the Name box, type a name for the site link bridge.
3. Click two or more site links to be bridged, click Add, and then click OK.
Q18 - How to Manage a Site Topology ?
To create a preferred bridgehead server, perform the following steps:
1. Open Active Directory Sites and Services, expand Sites, expand the site that contains the server that you want to configure, expand Servers, and then in the console tree, right-click the domain controller that you want to make a preferred bridgehead server, and then click Properties.
2. Choose the intersite transport or transports for which to designate the computer a preferred bridgehead server, click Add, and then click OK.
To determine the domain controller that holds the role of the intersite topology generator in the site, perform the following steps:
1. In Active Directory Sites and Services, expand Sites, and then select the site.
2. In the details pane, right-click NTDS Site Settings, and then click Properties.
To force the KCC to run, perform the following steps:
1. In Active Directory Sites and Services, in the console tree, expand Sites, expand the site that contains the server on which you want to run the KCC, expand Servers, and then select the server object for the domain controller that you want to run the KCC on.
2. In the details pane, right-click NTDS Settings, click All Tasks, and then click Check Replication Topology.
You use Active Directory Sites and Services to force replication over a connection. You may be required to force replication if the event log displays replication inconsistencies or if you receive a message on the domain controller console alerting you to replication problems. To force replication over a connection, perform the following steps:
1. In Active Directory Sites and Services, expand the domain controller for the site that contains the connection that you use to replicate directory information.
2. In the console tree, click NTDS Settings.
3. In the details pane, right-click the connection that you use to replicate directory information, and then click Replicate Now.
Q19 - How to Transfer the Schema Master Role ?
Use the Active Directory Schema snap-in to transfer the schema master role.
1. Click Start, click Run, type mmc in the Open box, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role, and then click Close.
Q20 - How to transfer the Domain Naming Master Role ?
1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller. NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
3. Do one of the following:
o In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
-or-
o In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.
Q21 - How to Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles ?
1. Click Start, point to Administrative Tools, and then click Active Directory Users and
Computers.
2. Right-click Active Directory Users and Computers, and then click Connect to Domain
Controller. NOTE: You must perform this step if you are not on the domain controller to which
you want to transfer the role. You do not have to perform this step if you are already connected
to the domain controller whose role you want to transfer.
3. Do one of the following:
o In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
-or-
o In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and
then click Operations Master.
5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure),
and then click Change.
6. Click OK to confirm that you want to transfer the role, and then click Close.
Q22 - How to back up AD ?
AD is backed up when you save the System State on a DC with the Backup accessory.
1. Click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup.
2. Click the Backup tab.
3. Click to select the System State check box. (All of the components to be backed up are listed in the right pane. You cannot individually select each item.) NOTE: During the system state backup, you must select to back up the Winnt\Sysvol folder. You must also select this option during the restore operation to have a working sysvol after the recovery.
The following information applies only to domain controllers. You can restore member servers the same way, but in normal mode. If any of the following conditions are not met, the system state is not restored: Backup attempts to restore the system state, but does not succeed.
- The drive letter on which the %SystemRoot% folder is located must be the same as when it was backed up.
- The %SystemRoot% folder must be the same folder as when it was backed up.
- If sysvol or other Active Directory databases were located on another volume, they must exist and have the same drive letters also. The size of the volume does not matter.
Q23 - How to restore AD ?
There are different methods, depending on the state of your AD. Normal: if you have lost only one DC, you restore the DC and then the data. Authoritative: with many DCs, you can restore whatever you want and select it.
How to Perform a Normal Restore
To perform a primary restore, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate permissions. If the computer is in a domain, members of the Domain Admins group can perform this procedure.
To perform a primary restore of Active Directory, perform the following steps:
1. Restart your domain controller in Directory Services Restore Mode.
2. Start the Backup utility.
3. On the Welcome to the Backup or Restore Wizard page, click Advanced Mode.
4. On the Welcome to Backup Utility Advanced Mode page, on the Restore and Manage Media tab, select what you want to restore, and then click Start Restore.
5. In the Warning dialog box, click OK.
6. In the Confirm Restore dialog box, click Advanced.
7. In the Advanced Restore Options dialog box, click When restoring replicated data sets, mark the restored data as the primary data for all replicas, and then click OK twice.
Important: Selecting this option ensures that the File Replication Service (FRS) data is replicated to the other servers. Select this option only when you want to restore the first replica set to the network.
8. In the Restore Progress dialog box, click Close.
9. In the Backup Utility dialog box, click Yes.
Warning
When you restore the system state data, the Backup utility erases the system state data that is on your computer and replaces it with the system state data that you are restoring, including system state data that is not related to Active Directory. Depending on how old the system state data is, you may lose configuration changes that you recently made to the computer. To minimize this risk, back up the system state data regularly.
How to Perform an Authoritative Restore
Unlike a normal restore, an authoritative restore requires the use of a separate command-line tool, Ntdsutil. No backup utilities, including the Windows Server 2003 system utilities, can perform an authoritative restore.
To perform an authoritative restore, perform the following steps:
1. Restart your domain controller in Directory Services Restore Mode.
2. Restore Active Directory to its original location.
3. If you must perform an authoritative restore on the SYSVOL folder, restore Active Directory to an alternate location by using the Backup utility, but do not restart the computer when prompted after the restore. If you are not performing an authoritative restore on SYSVOL, skip to step 4.
4. At the command prompt, run Ntdsutil.exe.
5. At the ntdsutil prompt, type authoritative restore.
6. At the authoritative restore prompt, type restore subtree distinguished_name_of_object (where distinguished_name_of_object is the distinguished name, or path, to the object). For example, to restore an organizational unit called Sales, which existed directly below the domain called contoso.msft, type restore subtree OU=Sales,DC=contoso,DC=msft.
7. Type quit and then press ENTER.
8. Type quit again, and then press ENTER to exit ntdsutil.
9. Restart the domain controller.
10. After FRS publishes the SYSVOL folder, copy the SYSVOL folder and only those Group Policy folders that correspond to the restored Group Policy objects from the alternate location to the existing locations.
To verify that the copy operation was successful, examine the contents of the SYSVOL\Domain folder, where Domain is the name of the domain.
Q30 - How to Delegate Administrative Control for Managing Group Policy Links ?
You can delegate the ability to manage Group Policy links by selecting Manage Group Policy
links in the Delegation of Control Wizard to enable a user to link and unlink GPOs.
To delegate administrative control for managing Group Policy links, perform the following
steps:
1. Open Group Policy Management.
2. Browse to the forest and domain in which you want to delegate administrative control for
managing Group Policy links, and then click the link.
3. In the details pane, on the Delegation tab, click Add.
4. In the Select User, Computer, or Group dialog box, in the Enter the object name to select
(examples) box, type the security principal, click Check Names, and then click OK.
5. In the Add Group or User dialog box, in the Permissions box, select the appropriate
permission, and then click OK.
If you prefer the flexibility of the Properties dialog box, it is still available in Group Policy
Management by clicking Advanced on the Delegation tab.
Q31 - How to Delegate Administrative Control for Creating and Editing GPOs ?
You use the Delegation of Control Wizard to delegate administrative control to create and edit GPOs.
To delegate administrative control for creating GPOs, perform the following steps:
1. Open Group Policy Management.
2. Browse to the forest and domain in which you want to delegate administrative control for
creating GPOs, and then click Group Policy Objects.
3. In the details pane, on the Delegation tab, click Add.
4. In the Select User, Computer, or Group dialog box, in the Enter the object name to select
(examples) box, type the security principal, click Check Names, and then click OK.
To delegate administrative control for editing GPOs, perform the following steps:
1. Open Group Policy Management.
2. Browse to the forest and domain in which you want to delegate administrative control for
editing GPOs, and then click the link.
3. In the details pane, on the Delegation tab, click Add.
4. In the Select User, Computer, or Group dialog box, in the Enter the object name to select
(examples) box, type the security principal, click Check Names, and then click OK.
5. In the Add Group or User dialog box, in the Permissions box, select the appropriate
permission, and then click OK.
Q50 - I can't add another DC to the AD Domain. What can I check ?
Steps for fixing the problem when DCPROMO does not find the domain:
1. Verify that the existing domain controller is pointing to a Windows 2000 DNS server. Do not point it to any external ISP DNS servers.
2. Open the DNS MMC, double-click forwarders so that you can see the zone for your domain.
3. Right-click this zone and select Properties. Verify that your zone is set to allow dynamic updates; if not, change it so that it does.
4. Double-click your zone to expand it. You should have 4 subfolders (_MSDCS, _SITES, _TCP, _UDP) and a few records.
5. If the zones do not exist, open a command prompt.
6. Type ipconfig /registerdns and press Enter.
7. Type net stop netlogon.
8. Type net start netlogon (restarting netlogon forces the service to register its SRV records with the DNS zone, thus creating the missing subfolders. The records that will be registered are in winnt\system32\config\netlogon.dns).
9. After restarting netlogon, go back into your DNS zone and verify that you have the subfolders mentioned in step 4 above.
10. If the folders are not there, you may want to try running netdiag.exe /fix from the Support Tools, or try restarting netlogon again.
11. On the DC that you are trying to promote, verify that it is pointing to the Windows 2000 DNS server that we have been working on for DNS.
Posted by Anuj Sharma at 7:51:00 PM

Quick Questions

How are Relative Identifiers allocated?


A: Relative Identifiers (RIDs) are used to uniquely identify each object within a domain. In any Active Directory (AD) domain, each domain controller has the ability to create new objects: users, computers, groups, and so forth. Each of these new objects needs a unique ID number to avoid conflict with other new objects being created at any given time by other domain controllers in the domain.

The RID Master

In order to ensure that domain controllers don't duplicate ID numbers, AD includes a special Flexible Single Master Operations (FSMO) role in each domain, called the RID master. The RID master's job is to allocate each domain controller a unique range of RIDs. Because all RIDs stem from this single source and the RID master doesn't issue overlapping pools to different domain controllers, each domain controller has a unique range of spare ID numbers to use when creating new objects.

As part of its role in ensuring uniqueness for each AD object, the RID master is also responsible for removing the entries for domain objects that are moved to another domain. However, you should note that the RID from the removed object is never reused in the domain.

SID Construction

The unique number assigned to each domain object is called a Security Identifier (SID). A
typical SID looks like this:

S-1-5-21-917267712-1342860078-1792151419-500

S designates this identifier as a SID


1 indicates the revision level of the SID construction scheme
5 represents the identifier authority
Everything else is the SID itself; the combination of domain ID and RID.

RID Management

You cant directly affect the allocation of RIDs except through a few documented workarounds
to specific operating system (OS) problems. You can view certain RID attributes directly in AD.

(It is possible for a domain controller to use up its allocated RID pool more quickly than it
can request a new one. For example, if youre migrating thousands of users to a domain
controller that has poor connectivity to the RID master, the domain controller might run
out of RIDs. For more information about this problem, see the Microsoft article RID Pool
Allocation and Sizing Changes in Windows 2000 SP4.)

AD contains several attributes that contain information about RIDs; these attributes, in fact, are

the sources that DisplayRID queries for its output. The major attributes are:

FsmoRoleOwnerContains the fully qualified domain name of the current holder of the RID
master role.
RidAvailablePoolDefines the number of security principals that the domain can contain (a
fixed value
currently just over 1 billion), and the number of RIDs that have been allocated already.
RidAllocationPoolDefines the current pool for a domain controller, and its next pool.
RidNextRidThe next RID that will be used on the domain controller.
RidPreviousAllocationPoolThe current pool of RIDs used to create new SIDs; this value
includes the

value of RidNextRid.
RidUsedPool and NextRidUnused attributes that are still defined in AD.
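To make the SID layout above concrete, here is an added Python example (not code from the original post) that splits a SID into its domain identifier and RID, classifies the RID, and models a domain controller drawing RIDs from its allocated pool until the pool is exhausted. The well-known RID table is a small subset and the pool bounds are made up.

```python
import re

# Well-known domain-relative RIDs (subset); anything >= 1000 comes from a DC's allocated pool
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a textual SID into (revision, identifier authority, [sub-authorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return int(m.group(1)), int(m.group(2)), subs


def split_domain_sid(sid):
    """For a domain principal SID (S-1-5-21-<three domain IDs>-<RID>) return (domain SID, RID)."""
    revision, authority, subs = parse_sid(sid)
    if revision != 1 or authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain security principal SID: {sid}")
    domain_sid = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    return domain_sid, subs[4]


def describe_rid(rid):
    """Say where a RID came from: well-known name, reserved (< 1000) or pool-allocated."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "pool-allocated" if rid >= 1000 else "reserved"


class RidPool:
    """Toy model of one DC's allocated RID range (RidAllocationPool / RidNextRid); bounds are made up."""

    def __init__(self, low, high):
        self.low, self.high, self.next_rid = low, high, low

    def allocate(self):
        """Hand out the next RID; an exhausted pool must request a fresh one from the RID master."""
        if self.next_rid > self.high:
            raise RuntimeError("RID pool exhausted; request a new pool from the RID master")
        rid, self.next_rid = self.next_rid, self.next_rid + 1
        return rid

    def remaining(self):
        return self.high - self.next_rid + 1
```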
Posted by Anuj Sharma at 11:54:00 PM

How do client computers locate a domain controller?

A: One of the first major tasks a domain member computer has to do when it starts is to locate
a domain controller. Generally, this task requires the use of a Domain Name System (DNS)
server, which contains records for each domain controller in the domain, and the Locator, a
remote procedure call to the computer's local Netlogon service.

Starting Up
When the client computer starts, its Netlogon service starts automatically (in the default
configuration). This service implements the DsGetDcName application programming interface
(API), which is used to locate a domain controller.
The client begins by collecting a number of pieces of information that will be used to locate a
domain controller. This information includes the client's local IP address, which is used to
determine the client's Active Directory site membership, the desired domain name, and a DNS
server address.

Finding the Domain Controllers
Netlogon then queries the configured DNS server. Netlogon retrieves the service resource (SRV)
records and host (A) records from DNS that correspond to the domain controllers for the desired
domain. The general form of the queried SRV records is _service._protocol.domainname, where
service is the domain service, protocol is the TCP/IP protocol, and domainname is the desired
Active Directory fully qualified domain name (FQDN). For example, because Active Directory
is a Lightweight Directory Access Protocol (LDAP)-compliant directory service, clients query
for _ldap._tcp.domainname (or _ldap._tcp.dc._msdcs.domainname when locating the nearest
domain controller).
Each domain controller in a domain registers its host name in the SRV record, so the
client's query results will be a list of domain controller host names. The client also retrieves the
associated A records, providing the client with the IP address of every domain controller in the
domain. The client then sends an LDAP search query, via the User Datagram Protocol (UDP), to
each domain controller.

Selecting a Domain Controller
After the client locates a domain controller, the client uses LDAP to access Active Directory on a
domain controller, preferably one in the client's own subnet. The domain controller uses the
client's IP address to identify the client's Active Directory site. If the domain controller is not in
the closest site, then the domain controller returns the name of the client's site, and the client
tries to find a domain controller in that site by querying DNS. If the client has already attempted
to find a domain controller in that site, then the client will continue using the current, non-optimal
domain controller. Once the client finds a domain controller it likes, it caches that domain
controller's information, and the client will continue to use that domain controller for future
contacts (unless the domain
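The DCPROMO DNS checks earlier on this page (steps 4 and 9) and the DsGetDcName lookup just described both turn on the SRV records Netlogon registers. The following Python is an added example, not code from the original posts: it parses constructed records in the zone-file format of netlogon.dns, reports which required names a given DC has not registered, and picks a DC the way the locator does (site-specific name first, then domain-wide). The domain, site and DC names are made up.

```python
from collections import defaultdict

# Constructed sample in the zone-file format netlogon.dns uses (example.com names, not a real domain)
NETLOGON_DNS = """\
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_kerberos._tcp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.HQ._sites.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.
_ldap._tcp.Branch._sites.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc2.corp.example.com.
"""

# SRV names every DC must register; _kerberos._tcp is deliberately missing for dc2 above
REQUIRED = ("_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_ldap._tcp.dc._msdcs.{d}")


def parse_srv(text):
    """Map each SRV owner name (lower-cased, no trailing dot) to (priority, weight, port, target)."""
    records = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[3] != "SRV":
            continue  # blank line or some other record type
        prio, weight, port = (int(x) for x in f[4:7])
        records[f[0].rstrip(".").lower()].append((prio, weight, port, f[7].rstrip(".").lower()))
    return records


def missing_for_dc(records, domain, dc):
    """Step 4/9 of the DCPROMO fix: which required SRV names have no entry for this DC?"""
    dc = dc.lower()
    return [n for n in (t.format(d=domain.lower()) for t in REQUIRED)
            if not any(r[3] == dc for r in records.get(n, []))]


def locate_dc(records, domain, site=None):
    """DsGetDcName-style lookup: try the site-specific name, then the domain-wide one.
    Among the answers take the lowest priority, highest weight (a real resolver picks
    randomly in proportion to weight; sorting keeps this example deterministic)."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}".lower())
    names.append(f"_ldap._tcp.dc._msdcs.{domain}".lower())
    for name in names:
        answers = records.get(name)
        if answers:
            best = sorted(answers, key=lambda r: (r[0], -r[1]))[0]
            return best[3], best[2]  # (host name, LDAP port)
    return None
```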

Use of the Netdom command (Windows 2000 Domain Manager, Netdom.exe): NetDom examples

Sample workstation or member server operations

Adding a workstation or member server to a domain
Add the workstation mywksta to the Windows NT 4.0 domain microsoft:
NETDOM ADD /d:microsoft mywksta /ud:mydomain\admin /pd:password
Add the workstation mywksta to the Windows 2000 domain devgroup.microsoft.com in the organizational unit (OU) Dsys/workstations:
NETDOM ADD /d:devgroup.microsoft.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com
Note: If /OU is not specified, the account is created in the Computers container.

Joining a workstation or member server to a domain
Join mywksta to the devgroup.microsoft.com domain in the Dsys/workstations organizational unit:
NETDOM JOIN /d:devgroup.microsoft.com mywksta /OU:OU=Dsys,OU=Workstations,DC=microsoft,DC=com
In addition to adding the computer account to the domain, the workstation is modified to contain the appropriate shared secret to complete the Join operation.

Removing a workstation or member server from a domain
To remove mywksta from the mydomain domain and have the workstation become part of a workgroup:
NETDOM REMOVE /d:mydomain mywksta /ud:mydomain\admin /pd:password

Moving a workstation or member server from one domain to another
To move mywksta from its current domain into the mydomain domain:
NETDOM MOVE /d:mydomain mywksta /ud:mydomain\admin /pd:password
If the destination is a Windows 2000 domain, the SIDHistory for the workstation is updated, retaining the security permissions that the computer account had previously.

Resetting the secure channel for a workstation, member server, or Windows NT 4.0 BDC
To reset the secure channel secret maintained between mywksta and devgroup.microsoft.com (regardless of OU):
NETDOM RESET /d:devgroup.microsoft.com mywksta
To reset the secure channel between the Windows NT 4.0 PDC for Northamerica and the backup domain controller NABDC:
NETDOM RESET /d:Northamerica NABDC

Forcing a secure channel session between a member and a specific domain controller
Members may often establish secure channel sessions with non-local domain controllers. To force a secure channel session between a member and a specific domain controller, add the /Server option to the RESET command:
NETDOM RESET /d:devgroup.microsoft.com mywksta /Server:mylocalbdc

Verifying a workstation or member server secure channel
To verify the secure channel secret maintained between mywksta and devgroup.microsoft.com:
NETDOM VERIFY /d:devgroup.microsoft.com mywksta

Sample domain TRUST operations

Establishing a trust relationship
When used with the TRUST command, the /d:domain parameter always refers to the trusted domain. To have the Windows NT 4.0 resource domain USA-Chicago trust the Windows NT 4.0 account domain Northamerica:
NETDOM TRUST /d:Northamerica USA-Chicago /ADD /Ud:Northamerica\admin /Pd:* /Uo:USA-Chicago\admin /Po:*
>Password for Northamerica\admin: xxxx
>Password for USA-Chicago\admin: yyyy
The user must have credentials for both domains. /Pd: can be used to specify the password for Northamerica\admin, while /Po: can be used to specify the password for USA-Chicago\admin. If passwords are not provided on the command line, the user will be prompted for both. The /TWOWAY option can be appended to specify a bidirectional trust:
NETDOM TRUST /d:marketing.microsoft.com engineering.microsoft.com /ADD /TWOWAY /Uo:admin@engineering.microsoft.com /Ud:admin@marketing.microsoft.com

Establishing a trust relationship with a non-Windows Kerberos realm
To establish a one-way trust so that Northamerica trusts the non-Windows Kerberos realm ATHENA:
NETDOM TRUST /d:ATHENA Northamerica /ADD /PT:password /REALM
The /d option specifies the TRUSTED domain and /REALM indicates that this is a non-Windows Kerberos realm. The order of the domains is not important, and credentials to the Windows 2000 domain can be supplied if needed. Note that verifying a specific trust relationship will usually require credentials unless the user has domain admin privileges on both domains.
To allow the Kerberos realm ATHENA to trust the Northamerica domain:
NETDOM TRUST /d:Northamerica ATHENA /ADD
To make the trust bidirectional, specify /TWOWAY.
Changing the trust from ATHENA to Northamerica to transitive (non-Windows Kerberos trusts are created non-transitive):
NETDOM TRUST Northamerica /d:ATHENA /TRANS:yes
Displaying the transitive state:
NETDOM TRUST Northamerica /d:ATHENA /TRANS
The order of the two domains above is not important (either can be the non-Windows Kerberos domain).

Breaking a trust relationship
To undo the trust that USA-Chicago has for Northamerica:
NETDOM TRUST /d:Northamerica USA-Chicago /REMOVE
To break a two-way trust relationship:
NETDOM TRUST /d:marketing.microsoft.com Engineering.microsoft.com /REMOVE /TWOWAY /Uo:admin@engineering.microsoft.com /Ud:admin@marketing.microsoft.com

Verifying a specific trust relationship
To verify the one-way trust that USA-Chicago has for Northamerica:
NETDOM TRUST /d:Northamerica USA-Chicago /VERIFY
To verify a two-way trust between the Northamerica and Europe domains:
NETDOM TRUST /d:Northamerica EUROPE /VERIFY /TWOWAY
The verify command checks that the appropriate shared secrets are synchronized between the two items involved in the trust.

Resetting a specific trust relationship
To reset the secure channel for the one-way trust between Northamerica and USA-Chicago:
NETDOM TRUST /d:Northamerica USA-Chicago /Ud:Northamerica\admin /RESET
The reset command synchronizes the appropriate shared secrets if they are not already synchronized.

Verifying Kerberos functionality
To verify Kerberos authentication between a workstation and a service located in domain devgroup.microsoft.com:
NETDOM TRUST /d:devgroup.microsoft.com [workstation] /VERIFY /KERBEROS
If the workstation parameter is omitted, the current workstation is used. The NETDOM TRUST command with the /Verify /Kerberos options attempts to get a session ticket for the Kerberos Admin service in the target domain. If successful, it can be concluded that all Kerberos operations (for example, KDC referrals) are operating correctly between the workstation and the target domain.
Note: The operation cannot be executed remotely; it must be run on the workstation being tested.

Sample domain QUERY operations

Viewing domain membership
List all the workstations in the domain Northamerica:
NETDOM QUERY /d:Northamerica WORKSTATION
List all of the servers in Northamerica:
NETDOM QUERY /d:Northamerica SERVER
List all the domain controllers in the domain Northamerica:
NETDOM QUERY /d:Northamerica DC
List all of the OUs in devgroup.microsoft.com:
NETDOM QUERY /d:devgroup.microsoft.com OU
List the PDC for Northamerica:
NETDOM QUERY /d:Northamerica PDC
List the current PDC Emulator for devgroup.microsoft.com:
NETDOM QUERY /d:devgroup.microsoft.com FSMO

Secure channel batch repair
The QUERY command can be used in conjunction with the /Verify and /Reset options to perform these operations all together. The output of the QUERY command can be piped to the NETDOM VERIFY or NETDOM RESET command.
List all servers and verify the secure channel secret:
NETDOM QUERY /d:Northamerica SERVER /VERIFY
List all workstations and reset any unsynchronized secure channel secrets:
NETDOM QUERY /d:Northamerica WORKSTATION /RESET

Viewing domain trusts
To view all the direct trust relationships for the domain Northamerica:
NETDOM QUERY /d:Northamerica /Ud:Northamerica\admin DOMAIN /Direct
To view all the direct and indirect trust relationships for the domain Northamerica:
NETDOM QUERY /d:Northamerica /Ud:Northamerica\admin DOMAIN
To view all trust relationships and check their status:
NETDOM QUERY /d:devgroup.microsoft.com DOMAIN /VERIFY

Sample domain TIME operations

Viewing domain controller time status
To verify the current time for all domain controllers in devgroup.microsoft.com:
NETDOM TIME /d:devgroup.microsoft.com
To verify the time for a specific server:
NETDOM TIME /d:devgroup.microsoft.com dc1.devgroup.microsoft.com

Synchronizing time
The /Synch switch may be used to resynchronize a specified domain controller, or all domain controllers that are out of synch:
NETDOM TIME /d:devgroup.microsoft.com /SYNCH
Specifying a domain controller:
NETDOM TIME /d:devgroup.microsoft.com dc1.devgroup.microsoft.com /SYNCH

Renaming the domain name for a Windows NT 4.0 BDC
Changing the name of a Windows NT 4.0 domain is a complex process and requires:
1. Renaming the domain name on the Windows NT 4.0 PDC.
2. Modifying all Windows NT 4.0 BDCs.
3. Rejoining all members (workstations and servers).
4. Deleting and re-establishing all trusts.
The following NETDOM syntax is provided to support the modifications necessary to rejoin a BDC to the renamed domain (step 2 above):
NETDOM RENAME /d:newdomainname BDCServer

(Source: NetDom examples, mk:@MSITStore:C:\Program%20Files\Support%20Tools\w2rksupp.chm::/topics/netdom_exa..., 1/22/2005)
Posted by ramu a system administrator at 5:17 am

The main e-mail ports are:

* POP3: port 110
* IMAP: port 143
* SMTP: port 25
* HTTP: port 80
* Secure SMTP (SSMTP): port 465
* Secure IMAP (IMAP4-SSL): port 585
* IMAP4 over SSL (IMAPS): port 993
* Secure POP3 (SSL-POP): port 995

The LDAP global catalog can be accessed on port 3268.
