
1. Mention What Is Active Directory?

Answer :
Active Directory is a directory structure used on Microsoft Windows-based servers
and computers to store data and information about networks and domains.
2. What Is Domains In Active Directory?
Answer :
In Windows 2000, a domain defines both an administrative boundary and a security
boundary for a collection of objects that are relevant to a specific group of users on a
network. A domain is an administrative boundary because administrative privileges do
not extend to other domains. It is a security boundary because each domain has a
security policy that extends to all security accounts within the domain. Active Directory
stores information about objects in one or more domains.
Domains can be organized into parent-child relationships to form a hierarchy. A parent
domain is the domain directly superior in the hierarchy to one or more subordinate, or
child, domains. A child domain also can be the parent of one or more child domains.
3. Mention Which Is The Default Protocol Used In Directory Services?
Answer :
The default protocol used in directory services is LDAP ( Lightweight Directory Access
Protocol).
4. What Is Mixed Mode?
Answer :
Allows domain controllers running both Windows 2000 and earlier versions of Windows
NT to co-exist in the domain. In mixed mode, the domain features from previous versions
of Windows NT Server are still enabled, while some Windows 2000 features are
disabled. Windows 2000 Server domains are installed in mixed mode by default. In
mixed mode the domain may have Windows NT 4.0 backup domain controllers present.
Nested groups are not supported in mixed mode.
5. Explain The Term Forest In Ad?
Answer :
Forest is used to define an assembly of AD domains that share a single schema for the
AD. All DCs in the forest share this schema, which is replicated in a hierarchical fashion
among them.
6. What Is Native Mode?
Answer :
When all the domain controllers in a given domain are running Windows 2000 Server.
This mode allows organizations to take advantage of new Active Directory features such
as Universal groups, nested group membership, and inter-domain group membership.
7. Explain What Is Sysvol?
Answer :
The SysVOL folder keeps the server’s copy of the domain’s public files. The contents
such as users, group policy, etc. of the sysvol folders are replicated to all domain
controllers in the domain.
8. What Is Ldap?
Answer :
LDAP is the directory service protocol that is used to query and update AD. LDAP
naming paths are used to access AD objects and include the following:

o Distinguished names
o Relative Distinguished names
9. Mention What Is Kerberos?
Answer :
Kerberos is a network authentication protocol. It is built to offer strong authentication
for server/client applications by using secret-key cryptography.
10. Minimum Requirement For Installing Ad?
Answer :

o Windows Server, Advanced Server, Datacenter Server
o Minimum Disk space of 200MB for AD and 50MB for log files
o NTFS partition
o TCP/IP Installed and Configured to use DNS
o Administrative privilege for creating a domain in existing network

11. Mention What Are Lingering Objects?


Answer :
Lingering objects can exist if a domain controller does not replicate for an interval of
time that is longer than the tombstone lifetime (TSL).
12. What Is Domain Controller?
Answer :
In an Active Directory forest, the domain controller is a server that contains a writable
copy of the Active Directory database, participates in Active Directory replication, and
controls access to network resources.
13. Mention What Is Tombstone Lifetime?
Answer :
Tombstone lifetime in an Active Directory determines how long a deleted object is
retained in Active Directory. Deleted objects in Active Directory are stored in a special
object referred to as a TOMBSTONE. Usually, Windows will use a 60-day tombstone lifetime
if time is not set in the forest configuration.
14. Why We Need Netlogon?
Answer :
Maintains a secure channel between this computer and the domain controller for
authenticating users and services. If this service is stopped, the computer may not
authenticate users and services, and the domain controller cannot register DNS
records.
15. Explain What Is Active Directory Schema?
Answer :
Schema is an Active Directory component that describes all the attributes and objects that the
directory service uses to store data.
16. What Is Dns Scavenging?
Answer :
Scavenging will help you clean up old unused records in DNS.
17. Explain What Is A Child Dc?
Answer :
CDC or child DC is a sub domain controller under the root domain controller, which shares
its name space.
18. What Is New In Windows Server 2008 Active Directory Domain
Services?
Answer :
AD Domain Services auditing, Fine-Grained Password Policies, Read-Only Domain
Controllers, Restartable Active Directory Domain Services
19. Explain What Is Rid Master?
Answer :
RID stands for Relative Identifier; the RID master assigns unique IDs to the objects created in
AD.

20. Explain What Are Rodcs? And What Are The Major Benefits Of Using
Rodcs?
Answer :
RODC stands for Read-Only Domain Controller. With RODCs, organizations can easily deploy
a domain controller in locations where physical security cannot be guaranteed.
21. Mention What Are The Components Of Ad?

Answer :

Components of AD includes
Logical Structure: Trees, Forest, Domains and OU.
Physical Structures: Domain controller and Sites.

22. What Is The Number Of Permitted Unsuccessful Logons On
Administrator Account?
Answer :

Unlimited. Remember, though, that it’s the Administrator account, not any account that’s
part of the Administrators group.

23. Explain What Is Infrastructure Master?

Answer :

Infrastructure Master is accountable for updating information about the user and group
and global catalogue.

24. What Hidden Shares Exist On Windows Server 2003 Installation?

Answer :

Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

25. Can You Connect Active Directory To Other 3rd-party Directory
Services? Name A Few Options?

Answer :

Yes, you can connect Active Directory to other 3rd-party directory services, such as
directories used by SAP, Domino etc., with the help of MIIS (Microsoft Identity Integration
Server).

26. What Is The List Folder Contents Permission On The Folder In
Ntfs?

Answer :

Same as Read & Execute, but not inherited by files within a folder. However, newly
created subfolders will inherit this permission.

27. How Do I Set Up Dns For Other Dcs In The Domain That Are
Running Dns?

Answer :

For each additional DC that is running DNS, the preferred DNS setting is the parent DNS
server (first DC in the domain), and the alternate DNS setting is the actual IP address of
the network interface.

28. Where Is Gpt Stored?


Answer :

%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

29. Tell Me What Should I Do If The Dc Points To Itself For Dns, But
The Srv Records Still Do Not Appear In The Zone?

Answer :

Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install
Support Tools from the Windows 2000 Server CD-ROM to run Netdiag.exe.

30. Abbreviate Gpt And Gpc?

Answer :

GPT : Group policy template.


GPC : Group policy container.

31. Tell Me What If My Windows 2000 Or Windows Server 2003 Dns
Server Is Behind A Proxy Server Or Firewall?

Answer :

If you are able to query the ISP's DNS servers from behind the proxy server or firewall,
the Windows 2000 or Windows Server 2003 DNS server is able to query the root hint
servers. UDP and TCP port 53 should be open on the proxy server or firewall.

32. Explain What Is The Difference Between Local, Global And
Universal Groups?

Answer :

Domain local groups assign access permissions to global domain groups for local
domain resources. Global groups provide access to resources in other trusted domains.
Universal groups grant access to resources in all trusted domains.

33. Do You Know What Is The "." Zone In My Forward Lookup Zone?

Answer :

This setting designates the Windows 2000 DNS server to be a root hint server and is
usually deleted. If you do not delete this setting, you may not be able to perform external
name resolution to the root hint servers on the Internet.
34. Define Lsdou?

Answer :

It’s the Group Policy inheritance model, where the policies are applied to Local machines,
Sites, Domains and Organizational Units.

35. Define Attribute Value?

Answer :

An object's attribute is set concurrently to one value at one master, and another value at
a second master.

36. What Is Netdom?

Answer :

NETDOM is a command-line tool that allows management of Windows domains and
trust relationships.

37. Do You Know How Kerberos V5 Works?

Answer :

The Kerberos V5 authentication mechanism issues tickets (a set of identification data for
a security principal, issued by a DC for purposes of user authentication; the two forms of
tickets in Windows 2000 are ticket-granting tickets (TGTs) and service tickets) for
accessing network services. These tickets contain encrypted data, including an
encrypted password, which confirms the user's identity to the requested service.

38. What Is Adsiedit?

Answer :

ADSI Edit is an LDAP editor for managing objects in Active Directory. This Active
Directory tool lets you view objects and attributes that are not exposed in the Active
Directory Management Console.

39. What Is Kerberos V5 Authentication Process?

Answer :

Kerberos V5 is the primary security protocol for authentication within a domain. The
Kerberos V5 protocol verifies both the identity of the user and network services. This
dual verification is known as mutual authentication.
40. Define The Schema Master Failure?

Answer :

Temporary loss of the schema operations master will be visible only if we are trying to
modify the schema or install an application that modifies the schema during installation.
A DC whose schema master role has been seized must never be brought back online.

41. What Is Replmon?

Answer :

Replmon is the first tool you should use when troubleshooting Active Directory replication
issues.

42. How To Find Fsmo Roles?

Answer :

Netdom query fsmo OR Replmon.exe

43. Describe The Infrastructure Fsmo Role?

Answer :

When an object in one domain is referenced by another object in another domain, it
represents the reference by the GUID, the SID (for references to security principals), and
the DN of the object being referenced. The infrastructure FSMO role holder is the DC
responsible for updating an object's SID and distinguished name in a cross-domain
object reference.

44. What Are The Advantages Of Active Directory Sites?

Answer :

Active Directory Sites and Services allow you to specify site information. Active Directory
uses this information to determine how best to use available network resources.

45. Define Edb.chk?

Answer :

This is the checkpoint file used to track the data not yet written to database file. This
indicates the starting point from which data is to be recovered from the log file, in case of
failure.
46. Define Edb.log?

Answer :

This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to
EDBnnnn.log. Where nnnn is the increasing number starting from 1.

47. How To View All The Gcs In The Forest?

Answer :

repadmin.exe /options * and use IS_GC for current domain options.


nltest /dsgetdc:corp /GC

48. How To Seize Fsmo Roles?

Answer :

ntdsutil - type roles - connections - connect servername - q - type seize role - at the fsmo
maintenance prompt - type seize rid master

49. How To Transfer Fsmo Roles?

Answer :

ntdsutil - type roles - connections - connect servername - q - type transfer role - at the
fsmo maintenance prompt - type transfer rid master

50. What Is The Kcc (knowledge Consistency Checker)?

Answer :

The KCC generates and maintains the replication topology for replication within sites and
between sites. KCC runs every 15 minutes.

51. What Is Schema Information In Active Directory?

Answer :

Definitional details about objects and attributes that one can store in the AD. Replicates
to all DCs. Static in nature.

52. What Is Online Defragmentation In Active Directory?

Answer :
Online defragmentation is a method that runs as part of the garbage collection process. The
only advantage to this method is that the server does not need to be taken offline for it to
run. However, this method does not shrink the Active Directory database file (Ntds.dit).

53. What Is Ads Database Garbage Collection Process?

Answer :

Garbage Collection is a process that is designed to free space within the Active Directory
database. This process runs independently on every DC with a default lifetime interval of
12 hours.

54. Define Res1.log And Res2.log?

Answer :

These are reserved transaction log files of 20 MB (10 MB each), which provide the
transaction log files enough room to shut down if the other spaces are being used.

55. What Is Domain Information In Active Directory?

Answer :

Object information for a domain. Replicates to all DCs within a domain. The object
portion becomes part of the GC. The attribute values only replicate within the domain.

56. What Is Lightweight Directory Access Protocol?

Answer :

LDAP is the directory service protocol that is used to query and update AD. LDAP
naming paths are used to access AD objects and include the following:

o Distinguished names
o Relative Distinguished names
57. How Will You Verify Whether The Ad Installation Is Proper With
Srv Resource Records?

Answer :

Verify SRV Resource Records: After AD is installed, the DC will register SRV records in
DNS when it restarts. We can check this using DNS MMC or nslookup command.

58. What Is Ntds.dit?

Answer :
This is the AD database and stores all AD objects. Default location is
%SystemRoot%\ntds\NTDS.DIT.
Active Directory's database engine is the Extensible Storage Engine which is based on
the Jet database and can grow up to 16 TB.

59. What Is Ntds.dit Schema Table?

Answer :

The types of objects that can be created in the Active Directory, relationships between
them, and the attributes on each type of object. This table is fairly static and much
smaller than the data table.

60. Mention What Is The Difference Between Domain Admin Groups
And Enterprise Admins Group In Ad?

Answer :

Enterprise Admin Group :

Members of this group have complete control of all domains in the forest. By default, this
group belongs to the administrators group on all domain controllers in the forest. As such,
this group has full control of the forest; add users with caution.

Domain Admin Group :

Members of this group have complete control of the domain. By default, this group is a
member of the administrators group on all domain controllers, workstations and member
servers at the time they are linked to the domain. As such, the group has full control in the
domain; add users with caution.

Basic Active Directory interview questions answers
by Amit Saxena / June 9, 2016

Best and Most asked Windows Active Directory Interview Questions Answers

Q. What is Active Directory?
Answer – Active Directory is a database which stores network user
data, computer information, printers as well as the other network
objects. AD makes it possible to create policies to manage all the network
objects.
Q.What is AD Domain?
Answer – An AD domain is a logical group of network objects, i.e.
users, PCs or devices, that share the same AD database. An AD
domain provides authorization and authentication for all network
objects, and the server which responds to these requests is called a
Domain Controller (DC).
Q.Name default protocol used in directory services?
Answer – LDAP ( Lightweight Directory Access Protocol).
Q.What is Tree?
Answer – Tree is a hierarchical arrangement of Windows domains
that share a contiguous name space.
Q.What is Forest?
Answer – Forest is a collection of multiple domain trees. At its
highest level, a forest is a single instance of Active Directory.
Therefore, a forest is synonymous with Active Directory, meaning
that the set of all directory partitions in a particular Active
Directory instance (which includes all domain, configuration,
schema and optional application information) makes up a forest.
Q.What is Active Directory Schema?
Answer – Schema is a component of AD and is stored in the
directory. Schema defines all the objects and attributes that the
directory service uses to store data. Schema also defines the
rules that govern the structure of objects and structure with the
content of the directory itself.
Q.What is KCC?
Answer – KCC is the Knowledge Consistency Checker. The KCC is a
built-in Microsoft Windows process and component that runs on
all domain controllers and generates the replication topology for the
AD forest. The KCC creates separate replication topologies
depending on whether replication is occurring within a site
(intrasite) or between sites (intersite). You can disable KCC’s
automatic generation of intra-site/inter-site topology
management.
Q.Explain TOMBSTONE lifetime (TSL)?
Answer – When we remove any object in AD, the removed object is
stored in a special object called a TOMBSTONE. How long AD will
retain the removed object in the TOMBSTONE is called the TSL or
TOMBSTONE lifetime. The basic purpose of the tombstone is to keep
all domain controllers in sync. The default value of the tombstone
lifetime is 180 days for forests set to the Windows Server 2003,
Windows Server 2008, Windows Server 2008 R2, Windows Server
2012 and Windows 2012 R2 function level, but anyone can change
it by using ADSIEdit or by using the Set-ADObject Windows
PowerShell cmdlet.

Q.What are the basic components of AD?
Answer – The AD components help administrators in executing
various tasks, i.e. authorizing the users, certifying the users,
network management, etc. The basic categories of components are –
1) Logical Structure: Trees, Forest, Domains and OU 2) Physical
Structures: Domain controller and Sites.
Q.What is Kerberos?
Answer – Kerberos is a network authentication protocol.
Q.What is OU?
Answer – An OU is the smallest unit and container to which an
administrator can assign group policy or account permission. This
can hold users, groups and computers.
Q.What is Group Policy?
Answer – AD Group Policy makes it possible to implement or push
configuration on users, computers and objects. GP settings are
contained in GPOs, which are linked to AD containers, i.e. sites,
domains or OUs.
Q.What is SYSVOL folder?
Answer – SYSVOL refers to the System Volume folder. Sysvol is a group
of files and folders that is stored on each domain controller in
the domain network. keeps the server
Q.FSMO role?
Answer – FSMO refers to Flexible Single Master Operation Roles.
Active Directory has five special roles which are important for the
smooth running of AD as a multi-master system.
a) Forest Wide Roles:
Schema Master
Domain Naming
b) Domain Wide Roles:
Relative ID (RID) Master
PDC Emulator
Infrastructure Master
Q.Global Catalog?
Answer – In the network, a Domain Controller which keeps a copy
of all AD objects is called a Global Catalog.

Windows: Interview Q & A: L1 & L2 Interview question


Active Directory

Active Directory is a centralized and standardized system that stores information about objects
in a network and makes this information available to users and network administrators.

Domain Controller

In an Active Directory forest, the domain controller is a server that contains a writable copy
of the Active Directory database, participates in Active Directory replication, and controls
access to network resources.

Global catalog server


A global catalog server is a domain controller that stores information about all objects in the
forest. Like all domain controllers, a global catalog server stores full, writable replicas of the
schema and configuration directory partitions and a full, writable replica of the domain
directory partition for the domain that it is hosting. In addition, a global catalog server
stores a partial, read-only replica of every other domain in the forest. Partial replicas are
stored on Global Catalog servers so that searches of the entire directory can be achieved
without requiring referrals from one domain controller to another.

Partial information of other domains. Partial information is nothing but classes and attributes
(first name, last name, phones and addresses); attribute-level security improvement
in 2003….

OU:

"Organizational Units" are administrative-level containers on a computer. They allow
administrators to organize groups of users together so that any changes, security privileges
or any other administrative tasks can be accomplished more efficiently.
Domain:

Windows Domain is a logical grouping of computers that share common security and user
account information.

Forest
A Windows forest is a group of one or more trusted Windows trees. The trees do not need to
have contiguous DNS names. A forest shares a schema and global catalog servers. A single
tree can also be called a forest.

Tree:

A Windows tree is a group of one or more trusted Windows domains with contiguous DNS
domains. “Trusted” means that an authenticated account from one domain isn’t rejected by
another domain. “Contiguous DNS domains” means that they all have the same root DNS
name.

Site:
Sites are manually defined groupings of subnets. Objects in a site share the same global catalog servers,
and can have a common set of group policies applied to them.
Schema:

The schema defines what attributes, objects, classes, and rules are available in the Active Directory.

SID (Security Identifier):

The SID is a unique name (alphanumeric character string) that is used to identify an object, such as a
user or a group of users.

Group Policy

Group policy Architecture:


Group Policy objects (GPO):

A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object
consisting of a Group Policy container (GPC) and a Group Policy template (GPT).

Password history will store

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Group Policy Container (GPC)

The Group Policy container (GPC) is an Active Directory container that contains GPO
properties, such as version information, GPO status, plus a list of other component settings.

Group Policy Template (GPT)

The Group Policy template (GPT) is a file system folder that includes policy data specified by
.adm files, security settings, script files, and information about applications that are
available for installation. The GPT is located in the system volume folder (SysVol) in the
domain \Policies sub-folder.

Filtering the Scope of a GPO


By default, a GPO affects all users and computers that are contained in the linked site,
domain, or organizational unit. The administrator can further specify the computers and
users that are affected by a GPO by using membership in security groups.

Starting with Windows 2000, the administrator can add both computers and users to
security groups. Then the administrator can specify which security groups are affected by
the GPO by using the Access Control List editor.

Knowledge Consistency Checker (KCC)

The Knowledge Consistency Checker (KCC) is a Windows component that automatically
generates and maintains the intra-site and inter-site replication topology.

Intrasite Replication
Replication that happens between controllers inside one site. All of the subnets inside the
site should be connected by high speed network wires.

Intersite Replication
Intersite replication is replication between sites and must be set up by an administrator.
Simple Mail Transfer Protocol (SMTP) may be used for replication between sites.

Active Directory Replication?


Replication must often occur both within sites (intrasite) and between sites (intersite) to
keep domain and forest data consistent among domain controllers that store the same
directory partitions.

Adprep.exe

Adprep.exe is a command-line tool used to prepare a Microsoft Windows 2000 forest or a
Windows 2000 domain for the installation of Windows Server 2003 domain controllers.

USE:

When Microsoft Exchange Server is deployed in an organization, Exchange Server uses
Active Directory as a data store and it extends the Windows 2000 Active Directory schema
to enable it to store objects specific to Exchange Server. The ldapDisplayName of the
attribute schema ms-Exch-Assistant-Name, ms-Exch-LabeledURI, and ms-Exch-House-
Identifier defined by Exchange Server conflicts with the iNetOrgPerson schema that Active
Directory uses in Windows Server 2003. When Windows Server 2003 Service Pack 1 is
installed, Adprep.exe will be able to detect the presence of the schema conflict and block
the upgrade of the schema until the issue has been resolved.
GUID:

When a new domain user or group account is created, Active Directory stores the account's
SID in the Object-SID (objectSID) property of a User or Group object. It also assigns the
new object a globally unique identifier (GUID), which is a 128-bit value that is unique not
only in the enterprise but also across the world. GUIDs are assigned to every object created
by Active Directory, not just User and Group objects. Each object's GUID is stored in its
Object-GUID (objectGUID) property.

Active Directory uses GUIDs internally to identify objects.

SID:

A security identifier (SID) is a data structure in binary format that contains a variable
number of values. When a DC creates a security principal object such as a user or group, it
attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the
same for all SIDs created in a domain), and a relative ID (RID) that is unique for each
security Principal SID created in a domain.

Lingering objects

When a domain controller is disconnected for a period that is longer than the TSL, one or
more objects that are deleted from Active Directory on all other domain controllers may
remain on the disconnected domain controller. Such objects are called lingering objects.
Because the domain controller is offline during the time that the tombstone is alive, the
domain controller never receives replication of the tombstone.

Sysvol

Sysvol is a shared directory that stores the server copy of the domain’s public files, which
are replicated among all domain controllers in the domain. The Sysvol contains the data in a
GPO: the GPT, which includes Administrative Template-based Group Policy settings, security
settings, script files, and information regarding applications that are available for software
installation. It is replicated using the File Replication Service (FRS).
File Replication Service (FRS)
In Windows 2000, the SYSVOL share is used to authenticate users. The SYSVOL share
includes group policy information which is replicated to all local domain controllers. File
replication service (FRS) is used to replicate the SYSVOL share. The "Active Directory Users
and Computers" tool is used to change the file replication service schedule.

Win logon

A component of the Windows operating system that provides interactive logon support,
Winlogon is the service in which the Group Policy engine runs.

Lightweight Directory Access Protocol (LDAP)


It defines how clients and servers exchange information about a directory. LDAP version 2
and version 3 are used by Windows 2000 Server's Active Directory.

An LDAP URL names the server holding Active Directory services and the Attributed Name of the object. For
example:

LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN=Division,DC=myco,DC=domain-controller

USN

Each object has an Update Sequence Number (USN), and if the object is modified, the USN
is incremented. This number is different on each domain controller. USN provides the key to
multimaster replication.

Universal group membership caching


Due to available network bandwidth and server hardware limitations, it may not be practical
to have a global catalog in smaller branch office locations. For these sites, you can deploy
domain controllers running Windows Server 2003, which can store universal group
membership information locally.

By default, the universal group membership information contained in the cache of each
domain controller will be refreshed every 8 hours. Up to 500 universal group memberships
can be updated at once. Universal groups couldn't be created in Mixed mode.
What is an ACL or access-control list?

A list of security protections that applies to an object. (An object can be a file, process, event, or anything
else having a security descriptor.)

What is an ACE or access-control entry?

ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the
rights are allowed, denied, or audited.

Flexible Single Master Operations (FSMO)

MultiMaster Operation:

In Windows 2000 & 2003, every domain controller can receive changes, and the changes
are replicated to all other domain controllers. The day-to-day operations that are associated
with managing users, groups, and computers are typically multimaster operations.

There is a set of Flexible Single Master Operations (FSMO) which can only be done on a
single controller. An administrator determines which operations must be done on the master
controller. These operations are all set up on the master controller by default and can be
transferred later. FSMO operations types include:

Schema Master: The schema master domain controller controls all updates and
modifications to the schema. There can be only one schema master in the whole forest.

Domain naming master: The domain naming master domain controller controls the
addition or removal of domains in the forest and responsibility of ensuring that domain
names are unique in the forest. There can be only one domain naming master in the whole
forest.
Infrastructure Master:

Synchronizes cross-domain group membership changes. The infrastructure master cannot
run on a global catalog server (unless all DCs are also GCs).

The infrastructure is responsible for updating references from objects in its domain to
objects in other domains. At any one time, there can be only one domain controller acting
as the infrastructure master in each domain.

When any group membership object is renamed, this role takes care of it.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a
Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it
will stop updating object information because it does not contain any references to objects
that it does not hold. This is because a Global Catalog server holds a partial replica of every
object in the forest. As a result, cross-domain object references in that domain will not be
updated and a warning to that effect will be logged on that DC's event log. If all the domain
controllers in a domain also host the global catalog, all the domain controllers have the
current data, and it is not important which domain controller holds the infrastructure master
role.

Relative ID (RID) Master:

It assigns RIDs and SIDs to newly created objects such as users and computers. If the RID
master is down, you can still create security objects as long as RID pools are available on
the DCs; otherwise you can’t create any object once it’s down.

When a DC creates a security principal object such as a user or group, it attaches a unique
Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs
created in a domain), and a relative ID (RID) that is unique for each security principal SID
created in a domain.

PDC Emulator - When Active Directory is in mixed mode, the computer Active Directory is
on acts as a Windows NT PDC. The first server that becomes a Windows 2000 domain
controller takes the role of PDC emulator by default.

Functions performed by the PDC emulator:

• User account changes and password changes.
• SAM directory replication requests.
• Domain master browser requests.
• Authentication requests.
• GPO.
• Time synchronization.

New Active Directory features in Windows Server 2003

• Multiple selection of user objects.

• Drag-and-drop functionality.

• Efficient search capabilities. Search functionality is object-oriented and provides an
efficient search that minimizes

• Saved queries. Save commonly used search parameters for reuse in Active Directory
Users and Computers

• Active Directory command-line tools.

• InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a
security principal and can be used in the same manner as the user class. The
userPassword attribute can also be used to set the account password.

• Ability to add additional domain controllers using backup media. Reduce the time
it takes to add an additional domain controller in an existing domain by using backup
media.

• Universal group membership caching. Prevent the need to locate a global catalog
across a WAN when logging on by storing universal group membership information on an
authenticating domain controller.

• Secure LDAP traffic. Active Directory administrative tools sign and encrypt all LDAP
traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a
known source and that it has not been tampered with.

• Active Directory quotas. Quotas can be specified in Active Directory to control the
number of objects a user, group, or computer can own in a given directory partition.
Domain Administrators and Enterprise

Windows Functional levels

Windows 2000 Active Directory domains have the concept of Mixed and Native Modes. The
default mixed mode allows both NT and Windows 2000 domain controllers to coexist. Once
you convert to Native Mode, you are only allowed to have Windows 2000 domain controllers
in your domain. The conversion is one-way; it cannot be reversed. In
Windows Server 2003, Microsoft introduced forest and domain functional levels. The concept
is rather similar to switching from Mixed to Native Mode in Windows 2000. The new
functional levels give you additional capabilities that the previous functional levels didn’t
have.

There are four domain functional levels:

1. Windows 2000 Mixed (supports NT4/2000/2003 DCs)
2. Windows 2000 Native (supports 2000/2003 DCs)
3. Windows Server 2003 Interim (supports NT4/2003 DCs)
4. Windows Server 2003 (supports only 2003 DCs)

And three forest functional levels:

1. Windows 2000 (supports NT4/2000/2003 DCs)
2. Windows 2000 Interim (supports NT4/2003 DCs)
3. Windows Server 2003 (supports only 2003 DCs)

To raise the domain functional level, you go to the properties of your domain in Active
Directory Domains and Trusts. To raise the forest functional level you go to the properties of
Active Directory Domains and Trusts at the root. Of course, if your domains are not at the
correct level, you won’t be able to raise the forest functional level.

Directory partition

A directory partition, or naming context, is a contiguous Active Directory subtree replicated
on one or more Windows 2000 domain controllers in a forest. By default, each domain
controller has a replica of three partitions: the schema partition, the configuration partition
and a domain partition.

Schema partition

It contains all class and attribute definitions for the forest. There is one schema
directory partition per forest.

Configuration partition

It contains replication configuration information (and other information) for the forest. There
is one configuration directory partition per forest.

Domain partition

It contains all objects that are stored by one domain. There is one domain directory
partition for each domain in the forest.

Application Directory Partition

Application directory partitions are most often used to store dynamic data. An application
partition cannot contain security principals (users, groups, and computers). The KCC
generates and maintains the replication topology for an application directory partition.

Application: The application partition is a new feature introduced in Windows Server 2003.
This partition contains application-specific objects. The objects or data that applications and
services store here can comprise any object type excluding security principals. Security
principals are users, groups, and computers. The application partition typically contains
DNS zone objects, and dynamic data from other network services such as Remote Access
Service (RAS), and Dynamic Host Configuration Protocol (DHCP).

Dynamic Data:

A dynamic entry is an object in the directory which has an associated time-to-live (TTL)
value. The TTL for an entry is set when the entry is created.

Security Principals - Objects that can have permissions assigned to them and that each
contain security identifiers. The following objects are security principals:

• User
• Computer
• Group

RPC:
Active Directory uses RPC over IP to transfer both intersite and intrasite replication between
domain controllers. To keep data secure while in transit, RPC over IP replication uses both
the Kerberos authentication protocol and data encryption.

SMTP:

If you have a site that has no physical connection to the rest of your network, but that can
be reached using the Simple Mail Transfer Protocol (SMTP), that site has mail-based
connectivity only. SMTP replication is used only for replication between sites. You also
cannot use SMTP replication to replicate between domain controllers in the same domain—
only inter-domain replication is supported over SMTP (that is, SMTP can be used only for
inter-site, inter-domain replication). SMTP replication can be used only for schema,
configuration, and global catalog partial replica replication. SMTP replication observes the
automatically generated replication schedule.

Changing of ntds.dit file from one Drive to another

1. Boot the domain controller in Directory Services Restore mode and log on with the
Directory Services Restore mode administrator account and password (this is the
password you assigned during the Dcpromo process).

2. At a command prompt, type ntdsutil.exe. You receive the following prompt:

ntdsutil:

3. Type files to receive the following prompt:

file maintenance:

4. Type info. Note the path of the database and log files.

5. To move the database, type move db to %s (where %s is the target folder).

6. To move the log files, type move logs to %s (where %s is the target folder).

7. Type quit twice to return to the command prompt.

8. Reboot the computer normally.

DNS (Domain Name System)

Domain Name System (DNS) is a database system that translates a computer's fully
qualified domain name into an IP address.

The local DNS resolver

The following graphic shows an overview of the complete DNS query process.

DNS Zones

Forward lookup zone - Name to IP address map.

Reverse lookup zone - IP address to name map.

Primary zones - Hold read-and-write copies of all resource records (A, NS, _SRV).

Secondary zones - Hold read-only copies of the primary zones.

Stub Zones

Conceptually, stub zones are like secondary zones in that they have a read only copy of a
primary zone. Stub zones are more efficient and create less replication traffic.

Stub Zones only have 3 records, the SOA for the primary zone, NS record and a Host (A)
record. The idea is that if a client queries a record in the Stub Zone, your DNS server can
refer that query to the correct Name Server because it knows its Host (A) record.

Queries
Query types are:

Inverse - Getting the name from the IP address. These are used by servers as a security
check.

Iterative - Server gives its best answer. This type of inquiry is sent from one server to
another.

Recursive - Cannot refer the query to another name server.

Conditional Forwarding

Another classic use of forwarders is where companies have subsidiaries, partners or other
parties they know and query regularly. Instead of going the long way around using the
root hints, the network administrators configure conditional forwarders.

Purpose of Resource Records

Without resource records DNS could not resolve queries. The mission of a DNS Query is
to locate a server that is Authoritative for a particular domain. The easy part is for the
Authoritative server to check the name in the query against its resource records.

SOA (start of authority) record - Each zone has one SOA record that identifies which
DNS server is authoritative for domains and sub domains in the zone.

NS (name server) record - An NS record contains the FQDN and IP address of a DNS
server authoritative for the zone. Each primary and secondary name server authoritative
in the domain should have an NS record.

A (address) record - By far the most common type of resource record, an A record
is used to resolve the FQDN of a particular host into its associated IP address.

CNAME (canonical name) record - A CNAME record contains an alias (alternate
name) for a host.

PTR (pointer) record - The opposite of an A record, a PTR record is used to resolve the IP
address of a host into its FQDN.

SRV (service) record - An SRV record is used by DNS clients to locate a server that
is running a particular service, for example, to find a domain controller so you can log on
to the network. SRV records are key to the operation of Active Directory.

MX (mail exchange) record - An MX record points to one or more computers that
process SMTP mail for an organization or site.

Where DNS resource records will be stored:

After running DCPROMO, a text file containing the appropriate DNS resource records for
the domain controller is created. The file, called Netlogon.dns, is created in the
%systemroot%\System32\config folder and contains all the records needed to register
the resource records of the domain controller. Netlogon.dns is used by the Windows 2000
NetLogon service and to support Active Directory for non-Windows 2000 DNS servers.

Procedures for changing a Server’s IP Address

Once DNS and replication are set up, it is generally a bad idea to change a server's IP
address (at least according to Microsoft). Just be sure that is what you really want to do
before starting the process. It is a bit akin to changing the internal IPX number of a Novell
server, but it can be done.

1. Change the Server’s IP address

2. Stop the NETLOGON service.

3. Rename or delete SYSTEM32\CONFIG\NETLOGON.DNS and NETLOGON.DNB

4. Restart the NETLOGON service and run “IPconfig /registerDNS”


5. Go to one of the other DCs and verify that its DNS is now pointing to the new IP
address of the server. If not, change the records manually and give it 15 minutes to
replicate the DNS changes out.

6. Run REPLMON and make sure that replication is working now. You may have to wait
a little while for things to straighten out. Give it an hour or two if necessary.

If a server shows that it isn’t replicating with one of its partners, there are
several issues to address:

A. Check to see that the servers can ping each other.

B. Make sure that both servers’ DNS entries for each other point to the proper IP
addresses

C. If server A says it replicated fine, but server B says it couldn’t contact Server A,
check the DNS setup on Server B. Chances are it has a record for Server A pointing to the
wrong place.

D. Run Netdiag and see if it reports any errors or problems.

Trust Relationship

• One way trust - When one domain allows access to users on another domain, but
the other domain does not allow access to users on the first domain.
• Two way trust - When two domains allow access to users on the other domain.
• Trusting domain - The domain that allows access to users on another domain.
• Trusted domain - The domain that is trusted, whose users have access to the
trusting domain.
• Transitive trust - A trust which can extend beyond two domains to other trusted
domains in the tree.
• Intransitive trust - A one way trust that does not extend beyond two domains.
• Explicit trust - A trust that an administrator creates. It is not transitive and is
one way only.
• Cross-link trust - An explicit trust between domains in different trees or in the
same tree when a descendent/ancestor (child/parent) relationship does not exist between
the two domains.
• Forest trust - When two forests have a functional level of Windows 2003, you can
use a forest trust to join the forests at the root.
• Shortcut trust - When domains that authenticate users are logically distant from
one another, the process of logging on to the network can take a long time. You can
manually add a shortcut trust between two domains in the same forest to speed
authentication. Shortcut trusts are transitive and can either be one way or two way.

Windows 2000 only supports the following types of trusts:

• Two way transitive trusts
• One way non-transitive trusts.

What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft and used to store objects such as
users, computers, printers and network information. It helps you manage your network effectively with
multiple domain controllers in different locations sharing the AD database: you can manage or change
AD from any domain controller and the change is replicated to all other DCs. It provides centralized
administration across multiple geographical locations and authenticates users and computers in a
Windows domain.
What is LDAP and how is LDAP used in Active Directory (AD)?
http://www.windowstricks.in/ldap-and-ldap-query
What is Tree?
A tree is a hierarchical arrangement of Windows domains that share a contiguous name space

What is Domain?
Active Directory Domain Services is Microsoft’s Directory Server. It provides authentication and
authorization mechanisms as well as a framework within which other related services can be
deployed

What is Active Directory Domain Controller (DC)?

A domain controller is the server that holds the AD database. All AD changes get replicated to other
DCs and vice versa

What is Forest?
A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous
name space; however, they share a common schema and global catalog (GC)

What is Schema?
The Active Directory schema is the set of definitions that define the kinds of objects, and the types of
information about those objects, that can be stored in Active Directory

The Active Directory schema is a collection of object classes and their attributes

Object Class = User

Attributes = first name, last name, email, and others

Can we restore a schema partition?

http://www.windowstricks.in/2014/01/can-i-restore-schema-partition.html
Tell me about the FSMO roles?
Schema Master

Domain Naming Master

Infrastructure Master

RID Master

PDC

Schema Master and Domain Naming Master are forest-wide roles, with only one of each per forest.
The other roles are domain-wide, with one of each per domain.

AD replication is multi-master replication: a change can be made on any domain controller and is
replicated to the other domain controllers. The exception is the five roles above, the flexible single
master operations (FSMO) roles: their changes can only be made on the dedicated domain controller,
so this is single-master replication.

How to check which server holds which role?

Netdom query FSMO

Which FSMO role is the most important? And why?

An interesting question: which of the 5 FSMO roles is the most important, or which role's failure will
impact the end user immediately?

Most amateur administrators pick the Schema Master role; not sure why, maybe they thought the
schema is very critical to running Active Directory.

The correct answer is the PDC. Now the next question: why? To find the answer, I will explain role by
role what happens when a FSMO role holder fails.

Schema Master – The Schema Master is needed to update the schema. We don’t update the schema
daily, so when do we update it? During an operating system migration, when installing a new
Exchange version, or for any other application that requires extending the schema.
So if the Schema Master server is not available, we can’t update the schema, but this will in no way
affect Active Directory operation or the end user.
The Schema Master needs to be online and ready only when a schema change is to be made, so we can
plan and have more time to bring back the Schema Master server.

Domain Naming Master – The Domain Naming Master is required for creating a new domain and for
creating an application partition. As with the Schema Master, we don’t create domains and application
partitions frequently.
So if the Domain Naming Master server is not available, we can’t create a new domain or
application partition. It may not affect users; users are not even aware that the Domain Naming
Master server is down.

Infrastructure Master – The Infrastructure Master handles cross-domain updates. What is really
updated between domains? Whenever a user logs in to the domain, a TGT is created with the list
of access the user has through group membership (user group membership details); it also contains the
user's membership details from trusted domains. The Infrastructure Master keeps this information
up to date: it updates reference information every 2 days by comparing its data with the Global
Catalog (that’s why we don’t keep the Infrastructure Master and GC on the same server).
In a single-domain, single-forest environment there is no impact if the Infrastructure
Master server is down.

In a multi-domain and forest environment there will be an impact, but we have enough time to fix the
issue before it affects the end user.

RID Master – Every DC is initially issued 500 RIDs by the RID Master server. RIDs are used to
create new objects in Active Directory: all new objects are created with a Security ID (SID), and the
RID is the last part of a SID. The RID uniquely identifies a security principal relative to the local or
domain security authority that issued the SID.
When a DC gets down to 250 (50%), it requests a second pool of RIDs from the RID master. If the RID
Master server is not available, RID pools cannot be issued to DCs, and DCs can only create new
objects from the RIDs they still have available. Every DC has anywhere between 250 and 750
RIDs available, so there is no immediate impact.

PDC – The PDC is required for time sync, user login, password changes and trusts. Now you know why
the PDC is the important FSMO role holder to get back online: the PDC role will impact the end user
immediately and we need to recover it ASAP.
The PDC emulator acts as the Primary Domain Controller for backwards compatibility and is
responsible for time synchronization within a domain; it is also the password master. Any password
change is replicated to the PDC emulator ASAP. If a logon request fails due to a bad password, the
logon request is passed to the PDC emulator to check the password before rejecting the login request.
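
The RID pool figures given above for the RID Master (500 RIDs issued, a new pool requested at 250) can be checked with a small model. This is an added example, not code from the original page: the domain SID, the starting RID of 1000 and all class and function names are assumptions, and pool tracking is simplified to a single queue per DC.

```python
from collections import deque

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample value
POOL_SIZE = 500   # RIDs issued per pool (figure from the text)
REFILL_AT = 250   # a DC asks for another pool when this many remain (50%)


class RidMaster:
    """The single DC in the domain that is allowed to hand out RID pools."""

    def __init__(self, first_rid=1000):  # starting RID is an assumption
        self.next_rid = first_rid
        self.online = True

    def allocate_pool(self):
        if not self.online:
            raise ConnectionError("RID master unreachable")
        start = self.next_rid
        self.next_rid += POOL_SIZE
        return range(start, start + POOL_SIZE)


class DomainController:
    def __init__(self, name, master):
        self.name = name
        self.master = master
        self.rids = deque(master.allocate_pool())  # initial pool of 500

    def _try_refill(self):
        try:
            self.rids.extend(self.master.allocate_pool())
        except ConnectionError:
            pass  # RID master is down: keep working from the RIDs already held

    def create_principal(self):
        """Create a security principal and return its SID (domain SID + RID)."""
        if not self.rids:
            raise RuntimeError(f"{self.name}: RID pool exhausted")
        rid = self.rids.popleft()
        if len(self.rids) <= REFILL_AT:
            self._try_refill()
        return f"{DOMAIN_SID}-{rid}"


def split_sid(sid):
    """Split a SID string into (domain SID, RID); the RID is the last component."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def creatable_during_outage(created_before_outage):
    """How many principals one DC can still create after the RID master fails."""
    master = RidMaster()
    dc = DomainController("DC1", master)
    for _ in range(created_before_outage):
        dc.create_principal()
    master.online = False
    created = 0
    while True:
        try:
            dc.create_principal()
        except RuntimeError:
            return created
        created += 1


if __name__ == "__main__":
    for already_created in (0, 249, 250):
        print(already_created, "created before outage ->",
              creatable_during_outage(already_created), "still creatable")
```

The best and worst cases depend only on where the DC was in its pool when the RID master went away, which is why the outage is not felt immediately.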

Tell me about the Active Directory database and list the Active Directory database files?
NTDS.DIT

EDB.Log

EDB.chk

Res1.log and Res2.log

AD changes are not written directly to the NTDS.DIT database file; they are first written to EDB.Log
and then from the log file to the database. EDB.chk is used to track the database updates from the log
file, to know which changes have been copied to the database file.
NTDS.DIT: NTDS.DIT is the AD database and stores all AD objects. The default location is
%systemroot%\ntds\ntds.dit. The Active Directory database engine is the Extensible Storage Engine,
which is based on the Jet database.
EDB.Log: EDB.Log is the transaction log file. When EDB.Log is full, it is renamed to EDBnum.log,
where num is an increasing number starting from 1, like EDB1.Log.
EDB.chk: EDB.chk is the checkpoint file used to track the data not yet written to the database file. It
indicates the starting point from which data is to be recovered from the log file in case of failure.
Res1.log and Res2.log: Res files are reserved transaction log files, which give the transaction log
enough time to shut down if the disk doesn’t have enough space.
What RAID configuration can be used in Domain Controllers?
http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html
Can we keep OS, log files, SYSVOL, AD database on same logical Disk?
http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html

Active Directory (AD) Real Time Interview Questions and Answers

I would like to share some Windows Active Directory interview questions and answers; I
will start with basic questions and continue with L1, L2, L3 level questions.

What are Active Directory Partitions?

An Active Directory partition is how and where the AD information is logically stored.

What are all the Active Directory Partitions?

Schema
Configuration
Domain
Application partition

What is the use of Active Directory Partitions? And how to find the Active Directory Partitions and
their location?
Schema Partition – It stores details about objects and attributes. Replicates to all domain controllers
in the forest.
DN location is CN=Schema,CN=Configuration,DC=Domainname,DC=com

Configuration Partition – It stores details about the AD configuration, such as site, site-link,
subnet and other replication topology information. Replicates to all domain controllers in the forest.
DN location is CN=Configuration,DC=Domainname,DC=com

Domain Partitions – Object information for a domain, such as users, computers, groups, printers and
other domain-specific information. Replicates to all domain controllers within a domain.
DN location is DC=Domainname,DC=com

Application Partition – Information about applications in Active Directory. For example, when
AD-integrated DNS is used there are two application partitions for DNS zones – ForestDNSZones and
DomainDNSZones.
How to configure Active Directory Partitions?
You can only configure the Application partition manually to use with AD-integrated applications;
refer to this article for details on that.
How to create a DNS zone in an Application Directory Partition?
See my previous article.
How to move the DNS zone from the Domain Partition to the Application partition?
See my previous article.
How to take an Active Directory backup?
A system state backup backs up Active Directory; NTbackup can be used to back up Active
Directory.
Active Directory restore types?
Authoritative restore
Non-authoritative restore
Non-authoritative restore of Active Directory
A non-authoritative restore restores the domain controller to its state at the time of backup, and
allows normal replication to overwrite the restored domain controller with any changes that have
occurred after the backup. After the system state restore, the domain controller queries its replication
partners and gets the changes made after the backup date, to ensure that the domain controller has an
accurate and updated copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory; a plain restore of system
state is a non-authoritative restore, and we mostly use it for Active Directory data loss or corruption.
How to perform a non-authoritative restore?
Just start the domain controller in Directory Services Restore Mode and perform a system state
restore from backup.
Authoritative restore of Active Directory
An authoritative restore is the next step after the non-authoritative restore process: you have to do a
non-authoritative restore before you can perform an authoritative restore. The main difference is that
an authoritative restore has the ability to increment the version number of the attributes of all objects,
or of an individual object, in an entire directory; this makes the restored object authoritative in the
directory. This can be used to restore a single deleted user/group and even an entire OU.
In a non-authoritative restore, after a domain controller is back online, it will contact its replication
partners to determine any changes since the time of the last backup. However, in an authoritative
restore the version number of the object attributes that you want to be authoritative will be higher than
the existing version numbers of the attributes, so the object on the restored domain controller will
appear to be more recent and therefore the restored object will be replicated to other domain
controllers in the domain.

How to perform an authoritative restore?

Unlike a non-authoritative restore, an authoritative restore needs Ntdsutil.exe to increment the
version number of the object attributes.
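
Why the higher version number makes the restored object win, as an added example that is not from the original page: a simplified model in which every attribute carries a version, and a replicated change replaces the local copy only when its version is higher (ties broken by timestamp, then by originating DC). The bump of 100,000, the integer clock, the sample DN and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Assumption for this sketch: how far an authoritative restore raises each
# attribute version, chosen to outrank any change made since the backup.
AUTH_RESTORE_BUMP = 100_000


@dataclass(frozen=True)
class AttrMeta:
    value: object
    version: int    # incremented on every originating write
    timestamp: int  # time of the originating write (constructed integer clock)
    origin: str     # DC on which the originating write was made


def wins(incoming, local):
    """True when an incoming change should replace the local copy."""
    return ((incoming.version, incoming.timestamp, incoming.origin)
            > (local.version, local.timestamp, local.origin))


class DomainController:
    def __init__(self, name):
        self.name = name
        self.objects = {}  # dn -> {attribute name: AttrMeta}

    def write(self, dn, attr, value, now):
        """Originating write on this DC: the attribute version goes up by one."""
        attrs = self.objects.setdefault(dn, {})
        old = attrs.get(attr)
        attrs[attr] = AttrMeta(value, (old.version if old else 0) + 1, now, self.name)

    def pull_from(self, partner):
        """Inbound replication: accept only the changes that win the comparison."""
        for dn, attrs in partner.objects.items():
            mine = self.objects.setdefault(dn, {})
            for attr, meta in attrs.items():
                if attr not in mine or wins(meta, mine[attr]):
                    mine[attr] = meta

    def snapshot(self):
        """Stand-in for a system state backup of the directory database."""
        return {dn: dict(attrs) for dn, attrs in self.objects.items()}

    def restore(self, backup):
        """Non-authoritative restore: data and versions return to backup time."""
        self.objects = {dn: dict(attrs) for dn, attrs in backup.items()}

    def mark_authoritative(self, dn, now):
        """Authoritative restore step: raise the version of every attribute."""
        attrs = self.objects[dn]
        for attr, meta in list(attrs.items()):
            attrs[attr] = replace(meta, version=meta.version + AUTH_RESTORE_BUMP,
                                  timestamp=now, origin=self.name)


def restore_outcome(authoritative):
    """Delete a user on DC2, restore DC1 from backup, and report isDeleted per DC."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dn = "CN=Alice,OU=Staff,DC=example,DC=com"  # constructed sample object
    dc1.write(dn, "isDeleted", False, now=1)
    dc1.write(dn, "title", "Engineer", now=1)
    dc2.pull_from(dc1)
    backup = dc1.snapshot()                  # backup taken before the deletion
    dc2.write(dn, "isDeleted", True, now=5)  # accidental deletion on DC2
    dc1.pull_from(dc2)                       # deletion reaches DC1
    dc1.restore(backup)                      # restore in Directory Services Restore Mode
    if authoritative:
        dc1.mark_authoritative(dn, now=9)
    dc1.pull_from(dc2)                       # DC1 is back online and replicates
    dc2.pull_from(dc1)
    return {dc.name: dc.objects[dn]["isDeleted"].value for dc in (dc1, dc2)}


if __name__ == "__main__":
    print("non-authoritative:", restore_outcome(False))
    print("authoritative:    ", restore_outcome(True))
```

After the non-authoritative restore the deletion simply replicates back in; only the version bump lets the restored copy overwrite the deletion on the partner.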
Which Active Directory partitions can be restored?
You can authoritatively restore only objects from the configuration and domain partitions.
Authoritative restores of schema-naming contexts are not supported.
How many domain controllers need to be backed up? Or which domain controllers to back up?
The minimum requirement is to back up two domain controllers in each domain; one should be an
operations master role holder DC. There is no need to back up the RID Master (relative ID) because
the RID master should not be restored.
Can we restore a backup of a domain controller to another/different domain controller?
A backup of one domain controller can’t be restored to another domain controller; it should be
restored to the same domain controller.

Sysvol Interview Questions and Answers


I would like to share a collection of Sysvol and FRS interview questions and answers that will be asked
in a Windows Active Directory administrator job interview.

What is the SYSVOL folder and why is it used?

The Sysvol folder on a Windows domain controller is used to store the domain's Group Policy settings,
default profiles and logon/logoff/startup/shutdown scripts. It is available in the C:\Windows\SYSVOL
directory on all domain controllers within the domain.

What is the NETLOGON folder?

The Netlogon folder contains logon/logoff/startup/shutdown scripts and is inside the Sysvol folder.

What is a junction point?


Check more about: Sysvol Junction point
What other folders in Sysvol and Sysvol folder structure/ Contents?
Check more about: netlogon and sysvol folder location
How policies get replicated from one DC to other DC?
Check more about: how sysvol replication works
What is the Difference between FRS and DFS-R?
Check more about: Difference between FRS and DFSR
How to Force sysvol replication?
Check more about: force sysvol replication on Windows 2003 and force sysvol replication on
Windows 2008 and windows server 2012
What is the Sysvol Replication change in Windows 2008?
Check more about: sysvol replication change on windows 2012
Any Sysvol issues which you have faced in your environment?
USN journal wrap Error on sysvol
Morphed folder on Sysvol
FRS replication issues –

Sysvol share not sharing – may be a replication issue; please check the event log for more information

Tell me about non-authoritative restore of SYSVOL or D2 restore

D2 is the default method for restoring SYSVOL and occurs automatically when you do a
non-authoritative restore of Active Directory.

When you non-authoritatively restore the SYSVOL, the local copy of SYSVOL on the restored
domain controller is compared with that of its replication partners. After the domain controller
restarts, it replicates any necessary changes, bringing it up to date with the other domain
controllers within the domain.
Tell me about authoritative restore of SYSVOL or D4 restore
In a D4 restore, a copy of SYSVOL that is restored from backup is authoritative for the domain. After
the necessary configurations have been made, Active Directory marks the local SYSVOL as
authoritative and it is replicated to the other domain controllers within the domain.

How to do a D2 and D4 restore?

Set the BurFlags registry value to D2 or D4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
BurFlags

D2, for nonauthoritative mode restore

D4, for an authoritative mode restore

More info from MS


Active Directory real time issues and solutions
By ganesamoorthy s | June 9, 2015


As a Windows AD Administrator I have many Active Directory real time issues and solutions. We
have seen questions like: tell me about 2 real time issues which you have faced in your current
Active Directory environment; share one or two challenging issues which you have worked on and
resolved; tell me the most challenging issues you were recently involved in.

Many of my blog readers have asked me to share a couple of real time scenarios from my past experience
to prepare for a Windows and Active Directory interview. Below is a list of articles from my previous posts;
read and understand them to face the interview confidently.

Active Directory real time issues and solutions

DNS Entry of Domain Controller is Resolving to Incorrect value


Replsummary showing unknown for largest delta on AD replication checks
Domain Controller failed test Machineaccount on DCDIAG
AD Slow Authentication and prompting for credentials again and again
How secure channel determine the Domain controller in cross-forest
Active directory Troubleshooting
Active Directory Replication failed with “Target principal name is incorrect”
Replication failed with “The destination server is currently rejecting replication requests” Error
Troubleshoot Active Directory Server Replication

Group Policy (GPO) real time issues and solutions

Issue managing IE configuration through GPO


Why we can’t edit/view windows 2008, Vista and windows 7 GPO settings from windows 2003
Gpresult failed with ERROR Access Denied
Home page URL not working for IE7
GPO update failed in Slow Link VPN site with Event ID 1000 and 1054
Group Policy Processing over Slow Links
Group Policy slow link detection on windows server 2008

Other real time issues and solutions, Printer, User Profile and Account lockout

Account lockout
How to resolve the Print Spooler service crash issue (Print spooler service is not running)
How to find the domain controller that contains the lingering object
Reconfigure roaming profile folder and home folder permission for all the users
Roaming profile issues
1) Mention what is Active Directory?
An active directory is a directory structure used on Microsoft Windows based servers and
computers to store data and information about networks and domains.

2) Mention what are the new features in Active Directory (AD) of Windows server 2012?
• dcpromo (Domain Controller Promoter) with improved wizard: It allows you to view all the
steps and review the detailed results during the installation process
• Enhanced Administrative Center: Compared to the earlier version of Active Directory, the
administrative center is well designed in Windows 2012. The exchange management console is well
designed
• Recycle bin goes GUI: In Windows Server 12, there are now many ways to enable the Active
Directory recycle bin through the GUI in the Active Directory Administrative Center, which was not
possible with the earlier version
• Fine grained password policies (FGPP): In Windows Server 12, implementing FGPP is much
easier compared to an earlier version. It allows you to create different password policies in the same domain
• Windows PowerShell History Viewer: You can view the Windows PowerShell commands that
relate to the actions you execute in the Active Directory Administrative Center UI
3) Mention which is the default protocol used in directory services?
The default protocol used in directory services is LDAP (Lightweight Directory Access
Protocol).

4) Explain the term FOREST in AD?


Forest is used to define an assembly of AD domains that share a single schema for the AD. All
DCs in the forest share this schema, and it is replicated in a hierarchical fashion among them.

5) Explain what is SYSVOL?


The SysVOL folder keeps the server’s copy of the domain’s public files. The contents such as
users, group policy, etc. of the sysvol folders are replicated to all domain controllers in the
domain.
6) Mention what is the difference between domain admin groups and enterprise admins
group in AD?
Enterprise Admin Group
• Members of this group have complete control of all domains in the forest
• By default, this group belongs to the administrators group on all domain controllers in the forest
• As such this group has full control of the forest, add users with caution

Domain Admin Group
• Members of this group have complete control o…
• By default, this group is a member of the admini… on all domain controllers, workstations and member … time they are linked to the domain
• As such the group has full control in the domain … caution

7) Mention what system state data contains?


System state data contains
• Startup files
• Registry
• COM+ Registration Database
• Memory page file
• System files
• AD information
• SYSVOL folder
• Cluster service information
8) Mention what is Kerberos?
Kerberos is an authentication protocol for network. It is built to offer strong authentication for
server/client applications by using secret-key cryptography.

9) Explain where the AD database is held? What other folders are related to AD?
AD database is saved in %systemroot%/ntds. In the same folder, you can also see other files;
these are the main files controlling the AD structures. They are
• dit
• log
• res 1.log
• log
• chk
10) Mention what is PDC emulator and how would one know whether PDC emulator is
working or not?
PDC Emulators: There is one PDC emulator per domain, and when there is a failed
authentication attempt, it is forwarded to PDC emulator. It acts as a “tie-breaker” and it controls
the time sync across the domain.

These are the parameters through which we can know whether PDC emulator is working or not.
• Time is not syncing
• User’s accounts are not locked out
• Windows NT BDCs are not getting updates
• If pre-windows 2000 computers are unable to change their passwords
11) Mention what are lingering objects?
Lingering objects can exist if a domain controller does not replicate for an interval of time that
is longer than the tombstone lifetime (TSL).

12) Mention what is TOMBSTONE lifetime?


Tombstone lifetime in Active Directory determines how long a deleted object is retained in
Active Directory. Deleted objects in Active Directory are stored in a special object referred to as a
TOMBSTONE. Usually, Windows will use a 60-day tombstone lifetime if time is not set in the
forest configuration.

13) Explain what is Active Directory Schema?


Schema is an Active Directory component that describes all the attributes and objects that the directory
service uses to store data.

14) Explain what is a child DC?


CDC or child DC is a sub domain controller under the root domain controller which shares the name
space

15) Explain what is RID Master?


RID master stands for Relative Identifier for assigning unique IDs to the object created in AD.

16) Mention what are the components of AD?


Components of AD include
• Logical Structure: Trees, Forest, Domains and OU
• Physical Structures: Domain controller and Sites
17) Explain what is Infrastructure Master?
Infrastructure Master is accountable for updating information about the user and group and
global catalogue.

These Active Directory Interview Questions and Answers are a guide to Active Directory, a
technology created by Microsoft that provides a variety of network services, including LDAP-like
directory services, Kerberos-based authentication, DNS-based naming and other network
information, a central location for network administration and delegation, and information security and
single sign-on for user access to network-based resources. Learn more from these Active Directory
interview questions and answers.

146 Active Directory Questions and Answers:


1 :: Explain Active Directory?
"Active Directory is the directory service used in Windows 2000 Server and is the foundation of
Windows 2000 distributed networks."

The core of Active Directory is a combination of an LDAP server and MIT Kerberos 5 KDC running on
a Windows 2000 server acting as a domain controller that work as a unit to provide authentication
("Who are you?") and authorization ("What are you allowed to do?") information within a group of
interlinked systems.

Above and beyond that, the LDAP "face" of this structure behaves as an enterprise-wide distributed
database that not only contains Windows-specific information but can be extended to incorporate
user-defined data as well.

The AD is held together by DNS, which is used not only to locate specific machines within the AD
but also to locate which functions of the AD are running on which domain controllers.


2 :: What is Forest?
The term "forest" is used to describe a collection of AD domains that share a single schema for the
AD. All DC's in the forest share this schema and it is replicated in a hierarchical fashion among them.
The preferred model for Windows 2000 AD is to have an organization use a single forest that spans
an entire enterprise.

While not an administrative block by themselves, forests are a major boundary in that only limited
communication is available between forests. For example, it is difficult for a user in one forest to
access a resource in another forest.

It is very difficult to integrate forests at this time because of potential problems reconciling schema
differences between two forests.


3 :: What is Domains in Active Directory?


In Windows 2000, a domain defines both an administrative boundary and a security boundary for a
collection of objects that are relevant to a specific group of users on a network. A domain is an
administrative boundary because administrative privileges do not extend to other domains. It is a
security boundary because each domain has a security policy that extends to all security accounts
within the domain. Active Directory stores information about objects in one or more domains.

Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is
the domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child
domain also can be the parent of one or more child domains, as shown below.


4 :: What is Organizational Units?


OU's have many of the attributes of an NT 4 domain. However, instead of requiring server resources
to create and support, they are a logical construct within the Active Directory so an OU does not
have to support and maintain a domain controller.

OU's are created by an administrator of an AD domain and can be freely named (and renamed). The
OU can then be populated with objects of many types including computers, groups, printers, users and
other sub-OU's.

The real power of an OU is that once it is established, the administrator of its "parent" can delegate
administrative authority -- in total or in part -- to any user or group that is in the AD.
When this happens, the designated user/group gains complete administrative authority over all
objects in their OU and thus has all of the rights and abilities that a Windows NT domain
administrator would have as well as some new ones such as the ability to further segment their OU
into sub-OU's and delegate authority over those sub-elements as they see fit.


5 :: What is the Group Policy?


Group Policy is one of the most exciting -- and potentially complex -- mechanisms that the Active
Directory enables. Group policy allows a bundle of system and user settings (called a "Group Policy
Object" or GPO) to be created by an administrator of a domain or OU and have it automatically
pushed down to designated systems.

Group Policy can control everything from user interface settings such as screen background images
to deep control settings in the client such as its TCP/IP configuration and authentication settings.
There are currently over 500 controllable settings. Microsoft has provided some templates as well
to provide a starting point for creating policy objects.

A significant advantage of group policy over the old NT-style policies is that the changes they make
are reversed when the policy no longer applies to a system. In NT 4, once a policy was applied to a
system, removing that policy did not by itself roll back the settings that it imposed on the client.
With Windows 2000, when a specified policy no longer applies to a system it will revert to its
previous state without administrative interference.

Multiple policies from different sources can be applied to the same object. For example, a domain
might have one or more domain-wide policies that apply to all systems in the domain. Below that,
systems in an OU can also have policy objects applied to it, and the OU can even be further divided
into sub-OU's with their own policies.

This can create a very complex web of settings so administrators must be very careful when
creating these multiple layers of policy to make sure the end result -- which is the union of all of the
applicable policies with the "closest" policy taking priority in most cases -- is correct for that system.
In addition, because Group policy is checked and applied during the system boot process for
machine settings and again during logon for user settings, it is recommended that GPO's be applied
to a computer from no more than five "layers" in the AD to keep reboot and/or login times from
becoming unacceptably long.

6 :: What is Empty Root Domain?


The "empty root domain" is an AD design element that has become increasingly popular at
organizations with decentralized IT authority such as universities.

The empty root domain acts as a placeholder for the root of Active Directory, and does not typically
contain any users or resources that are not required to fulfill this roll [sic]. [...] Only those privileges
that have tree or forest-wide scope are restricted to the empty root domain administrators.
Departmental administrators can work independently of other departments.

This politically neutral root domain provides a central source of authority and policy enforcement,
and provides a single schema and global catalog that allows users to find resources anywhere in the
university/district/state system. Individual IT departments retain a significant degree of
independence and can control their own users and resources without having to worry that actions
by administrators in other departments will disrupt their domain.


7 :: What is Mixed Mode?


Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-
exist in the domain. In mixed mode, the domain features from previous versions of Windows NT
Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server
domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT
4.0 backup domain controllers present. Nested groups are not supported in mixed mode.


8 :: What is Native Mode?


When all the domain controllers in a given domain are running Windows 2000 Server. This mode
allows organizations to take advantage of new Active Directory features such as Universal groups,
nested group membership, and inter-domain group membership.


9 :: What is LDAP?
LDAP is the directory service protocol that is used to query and update AD. LDAP naming
paths are used to access AD objects and include the following:
• Distinguished names
• Relative Distinguished names


10 :: Minimum Requirement for Installing AD?


1. Windows Server, Advanced Server, Datacenter Server
2. Minimum Disk space of 200MB for AD and 50MB for log files
3. NTFS partition
4. TCP/IP Installed and Configured to use DNS
5. Administrative privilege for creating a domain in existing network


11 :: How will you verify whether the AD installation is proper?
1. Verify SRV Resource Records
After AD is installed, the DC will register SRV records in DNS when it restarts. We can
check this using DNS MMC or the nslookup command.
Using MMC
If the SRV records are registered, the following folders will be there in the domain
folder in the Forward Lookup Zone.

• _msdcs
• _sites
• _tcp
• _udp

Using nslookup
>nslookup
>ls -t SRV Domain
If the SRV records are properly created, they will be listed.

2. Verifying SYSVOL
If the SYSVOL folder is not properly created, data stored in SYSVOL such as scripts, GPOs,
etc. will not be replicated between DCs.
First verify that the following folder structure is created in SYSVOL
Domain
Staging
Staging areas
Sysvol
Then verify that the necessary shares are created.
>net share
It should show two shares, NETLOGON and SYSVOL

3. Verifying Database and Log files
Make sure that the following files are there at %systemroot%\ntds
Ntds.dit, Edb.*, Res*.log


12 :: Explain Active Directory schema?


The Active Directory schema is the set of definitions that defines the kinds of objects, and the
types of information about those objects, that can be stored in Active Directory. The
definitions are themselves stored as objects so that Active Directory can manage the schema
objects with the same object management operations used for managing the rest of the
objects in the directory.
There are two types of definitions in the schema: attributes and classes. Attributes and
classes are also referred to as schema objects or metadata.
Attributes are defined separately from classes. Each attribute is defined only once and can be
used in multiple classes. For example, the Description attribute is used in many classes, but is
defined once in the schema, assuring consistency.



13 :: Can you explain LDAP?
The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and
modifying data using directory services running over TCP/IP.


14 :: What is Domain Controller?


In an Active Directory forest, the domain controller is a server that contains a writable copy of the
Active Directory database, participates in Active Directory replication, and controls access to network
resources.


15 :: Define Active Directory?


An active directory is a directory structure used on Microsoft Windows based computers and
servers to store information and data about networks and domains.


16 :: Why do we need Netlogon?


Maintains a secure channel between this computer and the domain controller for authenticating
users and services. If this service is stopped, the computer may not authenticate users and services,
and the domain controller cannot register DNS records.


17 :: Define Kerberos?
Kerberos is a network authentication protocol. It is designed to provide strong authentication for
client/server applications by using secret-key cryptography.



18 :: Explain What are the standard Port numbers?
SMTP - 25,
POP3 - 110,
IMAP4 - 143,
RPC - 135,
LDAP - 389,
SSL - 443,
HTTP - 80,
RDP - 3389,
DNS - 53,
DHCP - 67, 68,
FTP - 21,
GC - 3268,
Secure LDAP - 636,
Kerberos - 88,
NNTP - 119,
TFTP - 69,
SNMP - 161.


19 :: What is DNS Scavenging?


Scavenging will help you clean up old unused records in DNS.


20 :: Explain Where is the AD database held? What other folders are related to AD?
%SystemRoot%\ntds\NTDS.DIT.
Edb*.log is the transaction log file. Each transaction file is 10 megabytes (MB). When the Edb.log file is
full, Active Directory renames it to Edbnnnnn.log, where nnnnn is an increasing number that starts from 1.
Edb.chk is a checkpoint file which is used by the database engine to track the data which is not yet
written to the Active Directory database file. The checkpoint file acts as a pointer that maintains the
status between memory and the database file on disk. It indicates the starting point in the log file from
which the information must be recovered if a failure occurs.
Res1.log and Res2.log: These are reserved transaction log files. The amount of disk space that is
reserved on a drive or folder for this log is 20 MB. This reserved disk space provides sufficient
space to shut down if all the other disk space is being used.


21 :: How to upgrade from Windows 2003 DC to Windows 2008 DC?
Windows 2003 must be running with SP2
Run adprep /forestprep
Run adprep /domainprep
Start the installation from Windows 2008 DVD
Domain level must be in Native Mode
Installation must be started from windows 2003 OS


22 :: What is new in Windows Server 2008 Active Directory Domain Services?
AD Domain Services auditing, Fine-Grained Password Policies, Read-Only Domain
Controllers, Restartable Active Directory Domain Services


23 :: Explain What are RODCs? And what are the major benefits of using RODCs?
Read-Only Domain Controllers. Organizations can easily deploy a domain controller in locations
where physical security cannot be guaranteed.



24 :: Tell me What is the SYSVOL folder?
The Sysvol folder on a Windows domain controller is used to replicate file-based data among
domain controllers. %systemroot%\SYSVOL


25 :: Do you know How frequently is the group policy refreshed?
90 minutes give or take.


26 :: What is the number of permitted unsuccessful logons on Administrator account?
Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of
the Administrators group.


27 :: What hidden shares exist on Windows Server 2003 installation?
Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.


28 :: What is the List Folder Contents permission on the folder in NTFS?
Same as Read & Execute, but not inherited by files within a folder. However, newly created
subfolders will inherit this permission.


29 :: Where is GPT stored?


%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID


30 :: Explain GPT and GPC?


Group policy template and group policy container.


31 :: Tell me Where are group policies stored?


%SystemRoot%\System32\GroupPolicy


32 :: Explain What is the difference between local, global and universal groups?
Domain local groups assign access permissions to global domain groups for local domain resources.
Global groups provide access to resources in other trusted domains. Universal groups grant access
to resources in all trusted domains.


33 :: Define LSDOU?
It’s the group policy inheritance model, where the policies are applied to Local machines, Sites,
Domains and Organizational Units.



34 :: Define REPADMIN?
REPADMIN is a command-line tool used to monitor and troubleshoot replication on a computer running
Windows.
• Checks replication consistency between replication partners.
• Monitors replication status.
• Displays replication metadata.
• Forces replication events.


35 :: What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust
relationships


36 :: What is ADSIEDIT?
ADSI Edit is an LDAP editor for managing objects in Active Directory. This Active Directory tool lets
you view objects and attributes that are not exposed in the Active Directory Management Console.


37 :: What is REPLMON?
Replmon is the first tool you should use when troubleshooting Active Directory replication issues


38 :: How to find FSMO roles?


Netdom query fsmo OR Replmon.exe



39 :: How to view all the GCs in the forest?
repadmin.exe /options * and use IS_GC for current domain options.
nltest /dsgetdc:corp /GC


40 :: Explain Global Catalog?


A global catalog server is a domain controller that, in addition to its full, writable domain directory
partition replica, also stores a partial, read-only replica of all other domain directory partitions in
the forest.
Global group's membership is limited to accounts from the same domain. The membership is
replicated in its own domain only.
Universal group's membership is limited to accounts from the same forest. The membership is
replicated across the forest.


41 :: How to view replication properties for AD partitions and DCs?
Replmon


42 :: What are the Directory Partitions?


Schema Partition:
Only one schema partition exists per forest. The schema partition is stored on all domain controllers
in a forest. It contains definitions of all objects and attributes that can be created in the directory.
Configuration Partition:
There is only one configuration partition per forest. The configuration partition contains information
about the forest-wide Active Directory structure.
Domain Partition:
Many domain partitions can exist per forest. Domain partitions are stored on each domain
controller in a given domain. A domain partition contains information about users, groups,
computers, and organizational units.
Application Partition:
It stores information about applications in Active Directory. It is replicated only to specific domain
controllers.


43 :: How to Seize FSMO Roles?


ntdsutil - type roles - connections - connect servername - q - type seize role - at the fsmo
maintenance prompt - type seize rid master


44 :: How to transfer FSMO Roles?


ntdsutil - type roles - connections - connect servername - q - type transfer role - at the fsmo
maintenance prompt - type transfer rid master


45 :: What is a Flexible Single Master Operation?


It is a role that only one DC can (or should) hold at any given time within its boundary.
Schema Master - Use MMC "Active Directory Schema Snap-in". The schema master domain
controller controls all updates and modifications to the schema. Once the Schema update is
complete, it is replicated from the schema master to all other DCs in the directory.
Domain Naming Master - Use "Active Directory Domains and Trusts". It controls the addition or
removal of domains in the forest.
Primary Domain Controller (PDC) Emulator - Use the "ADUC". The PDC emulator is necessary to
synchronize time in an enterprise.
Relative ID Master (RID Master) - Use "ADUC". All objects have a SID and a domain SID. The RID
assigns relative IDs to each domain controller.
Infrastructure Master - Use the "ADUC". Updates group membership information when users from
other domains are moved or renamed.
The Infrastructure Master (IM) role should be held by a domain controller that is not a Global
Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating
object information because it does not contain any references to objects that it does not hold.

46 :: What is the ISTG - Intersite topology generator?


ISTG is responsible for creating Active Directory Replication Connection objects for appropriate
bridgehead servers within its site. Intersite replication can utilize either RPC over IP or SMTP to
convey replication data.
Bridgehead server - A domain controller that is used to send replication information to one or more
other sites.
DHCP Superscope:
A range of IP addresses that spans several subnets. The DHCP server can assign these addresses to clients
that are on several subnets.
DHCP Scope:
A range of IP addresses that the DHCP server can assign to clients that are on one subnet.
A stub zone:
It is a copy of a zone that contains only those resource records necessary to identify the
authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve
names between separate DNS namespaces. This type of resolution may be necessary when a
corporate merger requires that the DNS servers for two separate DNS namespaces resolve names
for clients in both namespaces.
A stub zone consists of: SOA, NS, A Records


47 :: What is the KCC (Knowledge consistency checker)?


The KCC generates and maintains the replication topology for replication within sites and between
sites. KCC runs every 15 minutes.


48 :: How do you add a user in AD from the command line?


dsadd




50 :: What is Lightweight Directory Access Protocol?


LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths are
used to access AD objects and include the following:
★ Distinguished names
★ Relative Distinguished names


51 :: What is the minimum requirement for installing AD?


★ Windows Server, Advanced Server, Data center Server
★ Minimum Disk space of 200 MB for AD and 50 MB for log files
★ NTFS partition
★ TCP/IP Installed and Configured to use DNS
★ Administrative privilege for creating a domain in existing network


52 :: How will you verify whether the AD installation is proper with SRV resource records?


Verify SRV Resource Records:
After AD is installed, the DC will register SRV records in DNS when it restarts. We can check this
using DNS MMC or nslookup command.

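The SRV check described above can be scripted instead of read off the DNS MMC. The following is an added example, not part of the original page; the domain `corp.example`, the DC host names, and the function name `Test-DcSrvRecord` are constructed placeholders, and the record names are the standard locator records a DC registers.

```powershell
# Added example: verify the SRV records a newly promoted DC registers in DNS.
# 'corp.example' and 'dc01.corp.example' are constructed placeholders.
function Test-DcSrvRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainDnsName,   # domain being verified
        [string]$ForestDnsName = $DomainDnsName,        # GC records live under the forest root
        [string[]]$ExpectedDc = @(),                    # FQDNs of the DCs you deployed (optional)
        [string]$DnsServer                              # ask one specific DNS server (optional)
    )

    # Locator records and the port each one should advertise.
    $checks = @(
        @{ Label = 'LDAP, any DC';       Name = "_ldap._tcp.dc._msdcs.$DomainDnsName";  Port = 389  }
        @{ Label = 'LDAP, PDC emulator'; Name = "_ldap._tcp.pdc._msdcs.$DomainDnsName"; Port = 389  }
        @{ Label = 'Kerberos KDC';       Name = "_kerberos._tcp.$DomainDnsName";        Port = 88   }
        @{ Label = 'Global catalog';     Name = "_ldap._tcp.gc._msdcs.$ForestDnsName";  Port = 3268 }
    )

    foreach ($check in $checks) {
        $query = @{ Name = $check.Name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query['Server'] = $DnsServer }

        # Keep only SRV answers; additional A/AAAA records are ignored.
        $records = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })

        if ($records.Count -eq 0) {
            # The DC did not register this record (or DNS rejected the dynamic update).
            [pscustomobject]@{
                Check = $check.Label; Record = $check.Name
                Target = $null; Port = $null; Status = 'MISSING'
            }
            continue
        }

        foreach ($record in $records) {
            $target = $record.NameTarget.TrimEnd('.')
            $status = 'OK'
            if ($record.Port -ne $check.Port) {
                $status = 'UNEXPECTED PORT'
            }
            elseif ($ExpectedDc.Count -gt 0 -and $ExpectedDc -notcontains $target) {
                # A host you did not promote is advertising itself as a DC.
                $status = 'UNEXPECTED TARGET'
            }
            [pscustomobject]@{
                Check = $check.Label; Record = $check.Name
                Target = $target; Port = $record.Port; Status = $status
            }
        }
    }
}

# Example call (placeholder names):
# Test-DcSrvRecord -DomainDnsName 'corp.example' -ExpectedDc 'dc01.corp.example' | Format-Table
```

A `MISSING` row right after promotion usually means the DC has not restarted yet or the zone does not accept its dynamic updates; an `UNEXPECTED TARGET` row is worth investigating because clients locate DCs through these records.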


53 :: How to verify SYSVOL?


If the SYSVOL folder is not properly created, data stored in SYSVOL such as scripts, GPOs, etc. will
not be replicated between DCs.
First verify the following folder structure is created in SYSVOL.
★ Domain
★ Staging
★ Staging areas
★ Sysvol
Then verify necessary shares are created.


54 :: How to verify database and log files?


Make sure that the following files are there at %systemroot%\ntds:
Ntds.dit, Edb.*, Res*.log


55 :: What is NTDS.DIT?


This is the AD database and stores all AD objects. Default location is %SystemRoot%\ntds\NTDS.DIT.
Active Directory's database engine is the Extensible Storage Engine which is based on the Jet
database and can grow up to 16 TB.


56 :: What is NTDS.DIT schema table?


The schema table contains the types of objects that can be created in the Active Directory, the
relationships between them, and the attributes on each type of object. This table is fairly static and
much smaller than the data table.



57 :: What is NTDS.DIT Link table?


The link table contains linked attributes, which contain values referring to other objects in the Active
Directory. Take the memberOf attribute on a user object: that attribute contains values that
reference groups to which the user belongs. This is also far smaller than the data table.


58 :: What is NTDS.DIT Data table?


The data table contains users, groups, application-specific data, and any other data stored in the
Active Directory.


59 :: How many types of Active Directory data?


Active Directory has three types of data:
★ Schema information
★ Configuration information
★ Domain information


60 :: What is Domain information in Active Directory?


Object information for a domain. Replicates to all DCs within a domain. The object portion becomes
part of the GC. The attribute values only replicate within the domain.


61 :: Define Res1.log and Res2.log?


These are reserved transaction log files of 20 MB (10 MB each) which provide the transaction log
files enough room to shut down if the other space is being used.


62 :: What is ADS Database garbage collection process?


Garbage Collection is a process that is designed to free space within the Active Directory database.
This process runs independently on every DC with a default lifetime interval of 12 hours.


63 :: List the main steps of Garbage collection process?


★ Removing "tombstones" from the database. Tombstones are remains of objects that have been
previously deleted.
★ Deletion of any unnecessary log files.
★ The process launches a defragmentation thread to claim additional free space.


64 :: What is Online Defragmentation in Active Directory?


Online defragmentation is a method that runs as part of the garbage collection process. The only
advantage to this method is that the server does not need to be taken offline for it to run. However,
this method does not shrink the Active Directory database file (Ntds.dit).


65 :: What is Schema information in Active Directory?


Definitional details about objects and attributes that one can store in the AD. Replicates to all DCs.
Static in nature.


66 :: What is Schema Configuration in Active Directory?


Configuration data about forest and trees. Replicates to all DCs. Static as your forest is.


67 :: What is Offline Defragmentation in Active Directory?


Offline defragmentation is done by taking the server offline and using Ntdsutil.exe to defragment the
database. This approach requires that the ADS database be started in repair mode. The advantage
to this method is that the database is resized, unused space is removed, and the size is reflected by
the Ntds.dit file.


68 :: How to do Offline Defragmentation of Active Directory?


Active Directory routinely performs online database defragmentation, but this is limited to the
disposal of tombstoned objects. The database file cannot be compacted while Active Directory is
mounted.
To defrag ntds.dit offline:
★ Back up System State in the backup wizard.
★ Reboot and select Directory Services Restore Mode.
★ At the command prompt, type the following commands in order:
    Ntdsutil
    Files
    Info
This will display current information about the path and size of the Active Directory database
and its log files.
★ Compact the database to a target directory:
    Compact to D:\DbBackup
You must specify a directory path and, if the path name has spaces, the command will not work
unless you use quotation marks.
★ Type Quit until you reach the command prompt.
★ A new compacted database named Ntds.dit can be found in D:\DbBackup.
★ Copy the new ntds.dit file over the old ntds.dit file. You have successfully compacted the Active
Directory database.



69 :: Define EDB.LOG?


This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log, where
nnnn is an increasing number starting from 1.


70 :: Define EDB.CHK?
This is the checkpoint file used to track the data not yet written to database file. This indicates the
starting point from which data is to be recovered from the log file, in case of failure.


71 :: Define Domain Forests in Active Directory?


A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous
namespace but share a common schema and GC. The forest root domain is the first domain created
in the forest. The root domains of all domain trees in the forest establish transitive trust
relationships with the forest root domain. This is necessary for the purposes of establishing trust
across all the domain trees in the forest. All of the Windows 2000 domains in all of the domain trees
in a forest share the following traits:
★ Transitive trust relationships between the domains
★ Transitive trust relationships between the domain trees
★ A common schema
★ Common configuration information
★ A common global catalog
Using both domain trees and forests provides you with the flexibility of both contiguous and
non-contiguous naming conventions. This can be useful in, for example, companies with independent
divisions that must each maintain their own DNS names.


72 :: Define domain Trees in Active Directory?


Tree is a hierarchical arrangement of W2K domains that share a contiguous name space. The first
domain in a domain tree is called the root domain. Additional domains in the same domain tree are
child domains. A domain immediately above another domain in the same domain tree is referred to
as the parent of the child domain. The name of the child domain is combined with its parent
domain to form its DNS name. Every child domain has a two-way, transitive trust relationship
with its parent domain. Because these trust relationships are two-way and transitive, a Windows
2000 domain newly created in a domain tree or forest immediately has trust relationships
established with every other Windows 2000 domain in the domain tree or forest.
These trust relationships allow a single logon process to authenticate a user on all domains in the
domain tree or forest. This does not necessarily mean that the authenticated user has rights and
permissions in all domains in the domain tree. Because a domain is a security boundary, rights and
permissions must be assigned on a per-domain basis.


73 :: Define Active Directory Schema Attributes?


Attributes are defined separately from classes. Each attribute is defined only once and can be used
in multiple classes. For example, the Description attribute is used in many classes, but is defined
once in the schema, assuring consistency.


74 :: Define Active Directory schema?


The Active Directory schema is the set of definitions that defines the kinds of objects, and the types
of information about those objects, that can be stored in Active Directory. The definitions are
themselves stored as objects so that Active Directory can manage the schema objects with the
same object management operations used for managing the rest of the objects in the directory.
There are two types of definitions in the schema: attributes and classes. Attributes and classes are
also referred to as schema objects or metadata.


75 :: Define Active Directory Sites?


A site consists of one or more IP subnets connected by a high-speed link. Wide area networks should
employ multiple sites for efficiently handling servicing requests and reducing replication traffic.
Sites map the physical structure of your network whereas domains generally map the logical
structure of your organization.
Active Directory Sites and Services allow you to specify site information. Active Directory uses this
information to determine how best to use available network resources.


76 :: What are the advantages of Active Directory Sites?


Active Directory Sites and Services allow you to specify site information. Active Directory uses this
information to determine how best to use available network resources.


77 :: Define Active Directory Classes?


Classes, also referred to as object classes, describe the possible directory objects that can be
created. Each class is a collection of attributes. When you create an object, the attributes store the
information that describes the object. The User class, for example, is composed of many attributes,
including Network Address, Home Directory, and so on. Every object in Active Directory is an
instance of an object class.


78 :: Define Service requests in Active Directory?


When a client requests a service from a domain controller, it directs the request to a domain
controller in the same site. Selecting a domain controller that is well-connected to the client makes
handling the request more efficient.


79 :: What is GC in Active Directory?


GC is created automatically on the first DC in the forest. It stores a full replica of all objects in the
directory for its host domain and a partial replica of all objects of every other domain in the forest.
The replica is partial because it stores only some attributes for each object.


80 :: List the GC key directory roles?


★ It enables network logon by providing universal group membership information to a DC when a
logon process is initiated.
★ It enables finding directory information regardless of which domain in the forest actually
contains the data.


81 :: Define Replication in Active Directory?


Sites streamline replication of directory information and reduce replication traffic.
Site membership is determined differently for domain controllers and clients. A client determines
which site it is in when it is turned on, so its site location will often be dynamically updated. A domain
controller's site location is established by which site its Server object belongs to in the directory, so
its site location will be consistent unless the domain controller's Server object is intentionally
moved to a different site.


82 :: Define the global catalog key directory roles?


When a user logs on to the network, the global catalog provides universal group membership
information for the account sending the logon request to the domain controller. If there is only one
domain controller in the domain, the domain controller and the global catalog are the same server.
If there are multiple domain controllers in the network, the global catalog is hosted on the domain
controller configured as such. If a global catalog is not available when a user initiates a network
logon process, the user is only able to log on to the local computer.


83 :: What is the role of Global Catalog Server in a Domain?


By default, a global catalog is created automatically on the initial domain controller in the forest. It
stores a full replica of all objects in the directory for its host domain and a partial replica of all
objects contained in the directory of every other domain in the forest. The replica is partial because
it stores some, but not all, of the property values for every object in the forest.

84 :: Suppose a user is a member of the Domain Admins group. Is he able to log on to the network
even when a global catalog is not available?


The global catalog is designed to respond to queries about objects anywhere in the forest with
maximum speed and minimum network traffic. Because a single global catalog contains information
about objects in all domains in the forest, a query about an object can be resolved by a global
catalog in the domain in which the query is initiated. Thus, finding information in the directory does
not produce unnecessary query traffic across domain boundaries.
You can optionally configure any domain controller to host a global catalog, based on your
organization's requirements for servicing logon requests and search queries. After additional
domain controllers are installed in the domain, you can change the default location of the global
catalog to another domain controller using Active Directory Sites and Services.


85 :: Do you know why GC and infrastructure master should not be on the same server?


The infrastructure master is responsible for updating references from objects in its domain to
objects in other domains. The infrastructure master compares its data with that of a global catalog.
Global catalogs receive regular updates for objects in all domains through replication, so the global
catalog's data will always be up-to-date. If the infrastructure master finds data that is out-of-date, it
requests the updated data from a global catalog. The infrastructure master then replicates that
updated data to the other domain controllers in the domain.
★ If the infrastructure master and global catalog are on the same domain controller, the
infrastructure master will not function. The infrastructure master will never find data that is out of
date, so will never replicate any changes to the other domain controllers in the domain.
★ If all of the domain controllers in a domain are also hosting the global catalog, all of the domain
controllers will have the current data and it does not matter which domain controller holds the
infrastructure master role.


86 :: Define the Domain naming master role?


Domain Naming Master DC controls the addition or removal of domains in the forest.


87 :: Define Schema master role?


The schema master DC controls all updates and modifications to the schema.


88 :: Define Forest-Wide operations master roles?


Every Active Directory forest must have the following roles:
★ Schema master
★ Domain naming master
There can be only one schema master and one domain naming master for the entire forest.


89 :: Define Domain-Wide operations master roles?


Every domain in the forest must have the following roles:
★ Relative ID master
★ Primary DC (PDC) emulator
★ Infrastructure master
Each domain in the forest can have only one RID master, PDC Emulator, and Infrastructure Master.


90 :: Define Relative ID master role?


The RID master allocates pools of relative IDs to each DC in its domain. Whenever a DC creates a
user, group, or computer object, it assigns a unique security ID to that object. The security ID
consists of a domain security ID (that is the same for all security IDs created in the domain), and a
relative ID that is unique for each security ID created in the domain. To move an object between
domains (using Movetree.exe), you must initiate the move on the DC acting as the relative ID
master of the domain that currently contains the object.

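The SID structure described above (a domain SID shared by every principal in the domain, plus a relative ID unique to each one) can be taken apart mechanically, which is useful when reviewing group memberships or ACLs for principals from another domain. This is an added example, not part of the original page; the SIDs are constructed sample values, the function names are hypothetical, and the well-known RID table is standard Windows knowledge rather than something the page states.

```powershell
# Added example: split account SIDs into domain SID + RID and flag the interesting ones.
# All SIDs below are constructed sample values.

# Well-known RIDs (Windows constants, not taken from this page).
$WellKnownRid = @{
    500 = 'Administrator (built-in)'
    502 = 'krbtgt'
    512 = 'Domain Admins'
    516 = 'Domain Controllers'
}

function Split-DomainSid {
    param([Parameter(Mandatory)][string]$Sid)

    # Domain account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
    if ($Sid -notmatch '^(S-1-5-21-\d+-\d+-\d+)-(\d+)$') {
        throw "Not a domain account SID: $Sid"
    }
    $rid = [int]$Matches[2]
    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = $Matches[1]          # identical for every SID issued in the domain
        Rid       = $rid                 # unique per SID, handed out from the DC's RID pool
        WellKnown = $WellKnownRid[$rid]  # $null for ordinary accounts
    }
}

function Find-NotableSid {
    param(
        [Parameter(Mandatory)][string]$LocalDomainSid,
        [Parameter(Mandatory)][string[]]$Sid
    )
    foreach ($s in $Sid) {
        $parts = Split-DomainSid -Sid $s
        $note  = @()
        if ($parts.DomainSid -ne $LocalDomainSid) { $note += 'issued by another domain' }
        if ($parts.WellKnown)                     { $note += "well-known RID: $($parts.WellKnown)" }
        if ($note.Count -gt 0) {
            $parts | Add-Member -NotePropertyName Note -NotePropertyValue ($note -join '; ') -PassThru
        }
    }
}

# Constructed sample: members of a sensitive group, as a list of SIDs.
$localDomain = 'S-1-5-21-1111111111-2222222222-3333333333'
$members = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1104'   # ordinary local-domain account
    'S-1-5-21-1111111111-2222222222-3333333333-500'    # built-in Administrator
    'S-1-5-21-4444444444-5555555555-6666666666-1337'   # principal from a different domain
)

Find-NotableSid -LocalDomainSid $localDomain -Sid $members |
    Format-Table Rid, DomainSid, Note -AutoSize
```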

91 :: Define PDC emulator role?


For pre-W2K clients, the PDC emulator acts as a Windows NT PDC. It processes password changes
from clients and replicates updates to the BDCs.
In native-mode, the PDC emulator receives preferential replication of password changes performed
by other DCs in the domain. If a password was recently changed, that change takes time to replicate
to every DC in the domain. If a logon authentication fails at another DC due to a bad password, that
DC will forward the authentication request to the PDC emulator before rejecting the logon
attempt.


92 :: Define the Infrastructure master role?


The infrastructure master is responsible for updating the group-to-user references whenever the
members of groups are renamed or changed. At any time, there can be only one DC acting as the
infrastructure master in each domain. When you rename or move a member of a group (and that
member resides in a different domain from the group), the group may temporarily appear not to
contain that member. The infrastructure master of the group's domain is responsible for updating
the group so it knows the new name or location of the member. The infrastructure master
distributes the update via multi-master replication.
There is no compromise to security during the time between the member rename and the group
update. Only an administrator looking at that particular group membership would notice the
temporary inconsistency.


93 :: Define the single master operations?


Active Directory supports multi-master replication of the directory data between all DCs in the
domain. Some changes are impractical to perform in multi-master fashion, so only one DC, called
the operations master, accepts requests for such changes. Because the operations master roles can
be moved to other DCs within the domain or forest, these roles are sometimes referred to as
Flexible Single Master Operations. In any Active Directory there are five operations master roles.
Some roles must appear in every forest. Other roles must appear in every domain in the forest.


94 :: List the FSMO roles?


★ Schema master
★ Domain naming master
★ RID master
★ PDC emulator
★ Infrastructure daemon


95 :: Describe the Infrastructure FSMO role?


When an object in one domain is referenced by another object in another domain, it represents the
reference by the GUID, the SID (for references to security principals), and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID
and distinguished name in a cross-domain object reference.


96 :: How to place the FSMO roles?


★ Place the RID and PDC emulator roles on the same domain controller. Good communication from
the PDC to the RID master is desirable as down-level clients and applications target the PDC, making
it a large consumer of RIDs.
★ As a general rule, the infrastructure master should be located on a non-global catalog server that
has a direct connection object to some global catalog in the forest, preferably in the same Active
Directory site.

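The placement rules from this answer and from the earlier GC/infrastructure master question can be checked against a DC inventory. This is an added example, not part of the original page; the function name and the sample inventory are constructed, and the property names (`HostName`, `IsGlobalCatalog`, `OperationMasterRoles`) are those returned by `Get-ADDomainController` from the ActiveDirectory module, so real output can be passed in unchanged.

```powershell
# Added example: evaluate FSMO placement for the DCs of ONE domain.
# Feed it real data with:  Test-FsmoPlacement (Get-ADDomainController -Filter *)
function Test-FsmoPlacement {
    param([Parameter(Mandatory)][object[]]$DomainController)

    $holder = @{}
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        $dcs = @($DomainController | Where-Object { $_.OperationMasterRoles -contains $role })
        # Each domain-wide role must be held by exactly one DC.
        [pscustomobject]@{
            Rule   = "$role has exactly one holder"
            Pass   = ($dcs.Count -eq 1)
            Detail = ($dcs.HostName -join ', ')
        }
        $holder[$role] = $dcs | Select-Object -First 1
    }

    # Rule: RID master and PDC emulator on the same DC.
    $pdc = $holder['PDCEmulator']
    $rid = $holder['RIDMaster']
    if ($pdc -and $rid) {
        [pscustomobject]@{
            Rule   = 'RID master and PDC emulator share a DC'
            Pass   = ($pdc.HostName -eq $rid.HostName)
            Detail = "PDC=$($pdc.HostName); RID=$($rid.HostName)"
        }
    }

    # Rule: infrastructure master is not a GC, unless every DC in the domain is a GC.
    $im = $holder['InfrastructureMaster']
    if ($im) {
        $nonGc = @($DomainController | Where-Object { -not $_.IsGlobalCatalog })
        $allGc = ($nonGc.Count -eq 0)
        [pscustomobject]@{
            Rule   = 'Infrastructure master is not a GC (or all DCs are GCs)'
            Pass   = ((-not $im.IsGlobalCatalog) -or $allGc)
            Detail = "IM=$($im.HostName); IsGC=$($im.IsGlobalCatalog); AllDCsAreGC=$allGc"
        }
    }
}

# Constructed sample inventory (host names are placeholders).
$sampleDcs = @(
    [pscustomobject]@{ HostName = 'dc01.corp.example'; IsGlobalCatalog = $true
                       OperationMasterRoles = @('PDCEmulator', 'RIDMaster') }
    [pscustomobject]@{ HostName = 'dc02.corp.example'; IsGlobalCatalog = $true
                       OperationMasterRoles = @('InfrastructureMaster') }
    [pscustomobject]@{ HostName = 'dc03.corp.example'; IsGlobalCatalog = $false
                       OperationMasterRoles = @() }
)

Test-FsmoPlacement -DomainController $sampleDcs | Format-Table -AutoSize
```

With the sample inventory the last rule fails: dc02 holds the infrastructure master role and is a GC while dc03 is not, which is the configuration in which stale cross-domain references never get refreshed.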


97 :: How to respond to operations master failures?


Some of the operations master roles are crucial to the operation of your network. Others can be
unavailable for quite some time before their absence becomes a problem. If an operations master is
not available due to computer failure or network problems, you can seize the operations master
role.
In general, seizing an operations master role is a drastic step that should be considered only if the
current operations master will never be available again.


98 :: Define the Schema master failure?


Temporary loss of the schema operations master will be visible only if we are trying to modify the
schema or install an application that modifies the schema during installation. A DC whose schema
master role has been seized must never be brought back online.


99 :: How to create a container to list printers in Active Directory?


To create a Printers container in which to list your printers in Active Directory:
1) Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then
click ADSI Edit.
2) Expand Domain NC [Domain Name], and then click DC=Domain, DC=com.
3) On the Action menu, point to New, and then click Object.
4) In the Select a class box, click container, and then click Next.
5) In the Value box, type Printers, and then click Next.
6) Click Finish.

A CN=Printers container appears in the right pane of ADSI Edit.


1) Right-click CN=Printers, and then click Properties.
2) Click the Attributes tab.
3) In the Select a property to view box, click "showInAdvancedViewOnly", and then click Clear.
4) In the Edit Attribute box, type false, click Set, and then click OK.
5) Quit ADSI Edit.
6) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users
and Computers. The Printers container that you created appears in the list of directory objects.
7) On the View menu, click Advanced Features.
8) On the View menu, click Users, Groups, and Computers as containers.
9) Move the printers that you want to the Printers container.
10) Quit Active Directory Users and Computers.


100 :: How to publish a printer in AD?


1) Log on to the computer as an administrator.
2) Click Start, point to Settings, and then click Printers.
3) In the Printers folder, right-click the printer that you want to publish in Active Directory, and then
click Properties.
4) Click the Sharing tab, click Share As, and then either type a share name or accept the default
name. Use only letters and numbers; do not use spaces, punctuation, or special characters.
5) Click to select the List in the Directory check box, and then click OK.
6) Close the Printers folder.


101 :: How to configure an authoritative time server in Windows 2000?


Windows includes the W32Time time service tool that is required by the Kerberos authentication
protocol. The purpose of the Time service is to ensure that all computers that are running Windows
2000 in an organization use a common time.
Windows-based computers use the following hierarchy by default:
• All client PCs and member servers nominate the authenticating DC as their in-bound time Server.
• DCs may nominate the PDC operations master as their in-bound time partner but may use a
parent DC based on stratum numbering.
• All PDC operations masters follow the hierarchy of domains in the selection of their inbound time
partner.
PDC operations master at the root of the forest becomes authoritative for the organization. This
PDC can be configured to recognize an external Simple Network Time Protocol (SNTP) time server
as authoritative by using the following net time command:
Net time /setsntp: server_list

To reset the local computer's time against the authoritative time server for the domain:
Net time /domain_name /set
Net stop w32time
W32tm -once
Net start w32time

SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot synchronize
your server to Internet SNTP servers. Administrators can also configure an internal time server as
authoritative by using the net time command. If the administrator directs the command to the
operations master, it may be necessary to reboot the server for the changes to take effect.


102 :: What is Loop back Processing of group policy?


Group Policy applies to the user or computer in a manner that depends on where both the user and
the computer objects are located in Active Directory. However, in some cases, users may need
policy applied to them based on the location of the computer object alone. You can use the Group
Policy loop back feature to apply GPOs that depend only on which computer the user logs on to.


103 :: What is Kerberos V5 authentication process?


Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5
protocol verifies both the identity of the user and network services. This dual verification is known
as mutual authentication.


104 :: Do you know how Kerberos V5 works?


The Kerberos V5 authentication mechanism issues tickets (A set of identification data for a security
principal, issued by a DC for purposes of user authentication. Two forms of tickets in Windows 2000
are ticket-granting tickets (TGTs) and service tickets) for accessing network services. These tickets
contain encrypted data, including an encrypted password, which confirms the user's identity to the
requested service.


105 :: How to change the recovery console administrator password on a DC?


1) On a DC, use the %systemroot%\system32\Setpwd.exe (SP2 or later) utility to change the SAM-based
Administrator password. To change the SAM Administrator password on a remote DC, type
the following command:
Setpwd /s: servername
2) Restart the DC in Directory Services Restore Mode. Use the command net user administrator * or
Local Users and Groups.
Who can "Log On locally" to a DC:
By default, Account Operators, Administrators, Backup Operators, Print Operators, Server
Operators, Internet Guest Account, and Terminal Services User Account are assigned the log on
locally right.


106 :: Define user accounts in Active Directory?


In Active Directory, each user account has a user logon name, a pre-Windows 2000 user logon name
(SAM account name), and a user principal name suffix. Active Directory suggests a pre-Windows
2000 user logon name using the first 20 bytes of the user logon name.


107 :: Define computer accounts in Active Directory?


Each computer account created in Active Directory has a relative distinguished name, a
pre-Windows 2000 computer name (SAM account name), a primary DNS suffix, a DNS host name
and a service principal name. This computer name is used as the LDAP relative distinguished name.
Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative
distinguished name. This can be changed at any time. The primary DNS suffix defaults to the full
DNS name of the domain to which the computer is joined. The DNS host name is built from the first
15 characters of the relative distinguished name + the primary DNS suffix. The service principal
name is built from the DNS host name. The service principal name is used in the process of mutual
authentication between the client and the server hosting a particular service. The client finds a
computer account based on the service principal name of the service to which it is trying to
connect.

108 :: How to seize the schema master role?


1) Click Start, click Run, and then type cmd.
2) At the command prompt, type ntdsutil.
3) At the ntdsutil prompt, type roles.
4) At the fsmo maintenance prompt, type connections.
5) At the server connections prompt, type connect to server, followed by the fully qualified domain
name.
6) At the server connections prompt, type quit.
7) At the fsmo maintenance prompt, type seize schema master.
8) At the fsmo maintenance prompt, type quit.
9) At the ntdsutil prompt, type quit.


109 :: How will you remove Orphaned Domains from Active Directory?


Typically, when the last DC for a domain is demoted, the administrator selects the "This server is
the last DC in the domain" option in the DCPromo tool, which removes the domain metadata from
Active Directory.
1) Determine the DC that holds the Domain Naming Master FSMO role.
2) Verify that all servers for the specified domain have been demoted.
3) At the command prompt:
★ ntdsutil
★ metadata cleanup
★ connections
★ connect to server servername



110 :: How to configure auditing for specific Active Directory objects?


You can configure auditing for specific objects, such as users, computers, organizational units, or
groups, by specifying both the types of access and the users whose access that you want to audit.
To configure auditing for specific Active Directory objects, follow these steps:
1) Open Active Directory Users and Computers.
2) Select Advanced Features on the View menu.
3) Right-click the Active Directory object that you want to audit, and then click Properties.
4) Click the Security tab, and then click Advanced.
5) Click the Auditing tab, and then click Add.
6) Enter the name of either the user or the group whose access you want to audit. Click to select
either the Successful check box or the Failed check box for the actions that you want to audit, and
then click OK.

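A way to confirm the result of the steps above, as an added example that is not part of the original answer: the Auditing tab writes audit entries into the object's SACL, and this Python code reads them back from the security descriptor's SDDL string and reports which required trustees lack success or failure auditing. The SDDL export, the sample descriptor, the placeholder SID and the function names are assumptions constructed for illustration.

```python
import re

# Constructed SDDL for a hypothetical OU. "D:" starts the DACL, "S:" the SACL.
SAMPLE_SDDL = (
    "O:DAG:DA"
    "D:(A;;GA;;;DA)(A;;GR;;;AU)"      # allow ACEs; note trustee AU = Authenticated Users
    "S:AI(AU;SA;WPWDWO;;;WD)"         # Everyone: successful writes are audited
    "(AU;FA;GA;;;DU)"                 # Domain Users: failed access is audited
    "(AU;CISAFA;SD;;;S-1-5-21-1111111111-2222222222-3333333333-1104)"  # placeholder SID
)

ACE_RE = re.compile(r"\(([^()]*)\)")
AUDIT_TYPES = {"AU", "OU"}  # system audit ACE, object-specific system audit ACE


def audit_aces(sddl):
    """Return one dict per audit ACE found in an SDDL string."""
    entries = []
    for body in ACE_RE.findall(sddl):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        if len(fields) < 6 or fields[0] not in AUDIT_TYPES:
            continue  # decided by field position, so a *trustee* named AU is not a match
        flags = {fields[1][i:i + 2] for i in range(0, len(fields[1]), 2)}
        entries.append({
            "trustee": fields[5],
            "rights": fields[2],
            "success": "SA" in flags,    # "Successful" check box
            "failure": "FA" in flags,    # "Failed" check box
            "inherited": "ID" in flags,
        })
    return entries


def audit_coverage(sddl, trustee):
    """Return (success_audited, failure_audited) for one trustee."""
    success = failure = False
    for ace in audit_aces(sddl):
        if ace["trustee"] == trustee:
            success = success or ace["success"]
            failure = failure or ace["failure"]
    return success, failure


def audit_gaps(sddl, required):
    """required maps trustee -> (want_success, want_failure); return unmet items."""
    problems = []
    for trustee, (want_success, want_failure) in required.items():
        success, failure = audit_coverage(sddl, trustee)
        if want_success and not success:
            problems.append(f"{trustee}: successful access not audited")
        if want_failure and not failure:
            problems.append(f"{trustee}: failed access not audited")
    return problems


if __name__ == "__main__":
    policy = {"WD": (True, True), "DU": (False, True), "DA": (True, False)}
    for line in audit_gaps(SAMPLE_SDDL, policy):
        print(line)
```
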

111 :: How to configure a one-way trust?


Perform the following steps to configure the one-way trust:
1) On a domain controller in the trusted domain, start the Active Directory Domains and Trusts
console.
2) In the Domains that trust this domain pane, click Add.
3) In the Add Trusting Domain dialog box, type the name of the trusting domain, type a password,
and then type the password again in the Confirm password box.
4) Click OK.
5) In the Active Directory dialog box, click OK to verify the trust.
6) Enter a user name and password of a user that has permissions to modify trust relationships in
the trusting domain.


112 :: Distinguishing a DC from a Windows 2000 member server?
★ The NTDS registry key exists in the HKLM\SYSTEM\CCS\SERVICES portion of the registry.
★ The SYSVOL and NETLOGON shares exist. (The SYSVOL share and its contents exist after
demotion of a DC.)
★ NBTSTAT shows that the 1C name (Domain) has been registered. Type nbtstat -n from a
command prompt and note the presence of the 1C name.
★ The computer role from the NET ACCOUNTS utility lists the computer role as "PRIMARY" and
standalone servers as "SERVERS." Type net accounts from the command prompt.
★ The NET START command indicates that the Kerberos Key Distribution Center (KDC) service is
running. Type net start |more.
★ The computer responds to LDAP queries (specifically, to port 389 or 3268).
★ The "Connect to server %S" command in Ntdsutil.exe functions only against Windows 2000 DCs.
★ The Change button on the Network Identification tab in My Computer is disabled when Windows
2000 is configured as a DC. A note appears indicating this.
★ Run Netdiag (a Resource Kit utility) and observe the "Machine is a Primary DC" entry in the
output. Type netdiag /v from the command prompt.


113 :: How to create Third-Party Microsoft installer package?


If you want to install a third-party program by using this method, you must install a copy of Veritas
Software Console by Seagate Software at a location that is accessible by the reference computer.
This program is available on the Windows 2000 CD-ROM in
Valueadd\3rdparty\Mgmt\Winstle\Swiadmle.msi. This includes a copy of WinINSTALL limited edition,
which allows for basic functionality.


114 :: Define Attribute value?


An object's attribute is set concurrently to one value at one master, and another value at a second
master.



115 :: Do you know what are the common mistakes that are
made when administrators set up DNS on network that
contains a single Windows 2000 or Windows Server 2003 DC?
The most common mistakes are:
★ The DC is not pointing to itself for DNS resolution on all network interfaces.
★ The "." zone exists under forward lookup zones in DNS.
★ Other computers on the local area network (LAN) do not point to the Windows 2000 DNS server
for DNS.


116 :: Do you know why do I have to point my DC to itself for DNS?
The Netlogon service on the DC registers a number of records in DNS that enable other DCs and
computers to find Active Directory-related information. If the DC is pointing to the Internet service
provider's (ISP) DNS server, Netlogon does not register the correct records for Active Directory, and
errors are generated in Event Viewer. The preferred DNS setting for the DC is itself; no other DNS
servers should be listed. The only exception to this rule is with additional DCs. Additional DCs in the
domain must point to the first DC (which runs DNS) that was installed in the domain and then to
themselves as secondary.


117 :: Do you know what does a DC register in DNS?


The Netlogon service registers all the SRV records for that DC. These records are displayed as the
_msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name.
Other computers look for these records to find Active Directory-related information.



118 :: Tell me why can't I use WINS for name resolution like it
is used in Microsoft Windows NT 4.0?
A Windows 2000 DC does not register Active Directory-related information with a WINS server; it
only registers this information with a DNS server that supports dynamic updates such as a Windows
2000 DNS server. Other Windows 2000-based computers do not query WINS to find Active
Directory-related information.


119 :: Suppose if I remove the ISP's DNS server settings from the DC,
how does it resolve names such as Microsoft.com on the Internet?
As long as the "." zone does not exist under forward lookup zones in DNS, the DNS service uses the
root hint servers. The root hint servers are well-known servers on the Internet that help all DNS
servers resolve name queries.


120 :: Do you know what is the "." zone in my forward lookup zone?
This setting designates the Windows 2000 DNS server to be a root hint server and is usually deleted.
If you do not delete this setting, you may not be able to perform external name resolution to the
root hint servers on the Internet.


121 :: Tell me do I need to configure forwarders in DNS?


By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can
configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. In
most cases, when you configure forwarders, DNS performance and efficiency increase, but this
configuration can also introduce a point of failure if the forwarding DNS server is experiencing
problems. The root hint servers can provide a level of redundancy in exchange for slightly increased
DNS traffic on your Internet connection.

122 :: How to synchronize time amongst DCs using net time?


★ net time \\mypdc /set /y
★ This synchronizes the local computer time with the server named Mypdc.
★ The /set switch specifies that the time is not only queried, but also synchronized with the
specified server.
★ The /y switch skips the confirmation for changing the time on the local computer.


123 :: Tell me do I need to point computers that are running
Windows NT 4.0 or Microsoft Windows 95, Microsoft
Windows 98, or Microsoft Windows 98 Second Edition to the
Windows 2000 or Windows Server 2003 DNS server?
Legacy operating systems continue to use NetBIOS for name resolution to find a DC; however, it is
recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS
server for name resolution.


124 :: Tell me should I point the other Windows 2000-based
and Windows Server 2003-based computers on my LAN to my
ISP's DNS servers?
No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find
the DC in DNS, you may experience issues joining the domain or logging on to the domain. A
Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should
point to the Windows 2000 or Windows Server 2003 DC running DNS. If you are using DHCP, make
sure that you view scope option #15 for the correct DNS server settings for your LAN.



125 :: Tell me what if my Windows 2000 or Windows Server
2003 DNS server is behind a proxy server or firewall?
If you are able to query the ISP's DNS servers from behind the proxy server or firewall, the Windows
2000 or Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP port
53 should be open on the proxy server or firewall.


126 :: Tell me what should I do if the DC points to itself for
DNS, but the SRV records still do not appear in the zone?
Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools
from the Windows 2000 Server CD-ROM to run Netdiag.exe.

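The check behind the two answers on SRV registration (what a DC registers in DNS, and what to look for when the records do not appear), as an added example that is not part of the original page: it compares the SRV records a DC should have registered with the records actually present in the zone and groups the missing ones by the _msdcs, _sites, _tcp and _udp folders. The domain example.com, the host dc1, both record lists (in zone-file form) and the function names are constructed for illustration.

```python
from collections import defaultdict

DOMAIN = "example.com"

# Constructed sample: SRV records the DC is expected to have registered.
EXPECTED = """\
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.Default-First-Site-Name._sites.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._udp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
"""

# Constructed sample: what the forward lookup zone actually contains.
ZONE = """\
dc1.example.com. 3600 IN A 192.0.2.10
_ldap._tcp.example.com. 600 IN SRV 0 100 389 DC1.example.com.
_ldap._tcp.Default-First-Site-Name._sites.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
"""


def parse_srv(text):
    """Return a set of (owner, port, target) for every SRV line; other types are skipped."""
    records = set()
    for line in text.splitlines():
        fields = line.split()
        # owner ttl class type priority weight port target
        if len(fields) != 8 or fields[3].upper() != "SRV":
            continue
        owner = fields[0].rstrip(".").lower()    # DNS names compare case-insensitively
        target = fields[7].rstrip(".").lower()
        records.add((owner, int(fields[6]), target))
    return records


def folder_of(owner, domain):
    """Name of the top-level folder a record is displayed under in the zone."""
    suffix = "." + domain.lower()
    if not owner.endswith(suffix):
        return None
    # The label directly left of the domain name is the folder (_tcp, _msdcs, ...).
    return owner[: -len(suffix)].split(".")[-1]


def missing_by_folder(expected_text, zone_text, domain):
    """Map folder name -> sorted list of expected SRV records absent from the zone."""
    missing = defaultdict(list)
    for owner, port, target in sorted(parse_srv(expected_text) - parse_srv(zone_text)):
        missing[folder_of(owner, domain)].append(f"{owner} -> {target}:{port}")
    return dict(missing)


if __name__ == "__main__":
    for folder, records in missing_by_folder(EXPECTED, ZONE, DOMAIN).items():
        print(folder)
        for record in records:
            print("  missing:", record)
```
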

127 :: How do I set up DNS for other DCs in the domain that
are running DNS?
For each additional DC that is running DNS, the preferred DNS setting is the parent DNS server (first
DC in the domain), and the alternate DNS setting is the actual IP address of the network interface.


128 :: Do you know how to set up DNS for a child domain?


To set up DNS for a child domain, create a delegation record on the parent DNS server for the child
DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from
the parent DNS server. Set the child DNS server to point to itself only.



129 :: How to configure DNS dynamic update in Windows
2000?
The DNS service allows client computers to dynamically update their resource records in DNS and
improves DNS administration. You can use DDNS in conjunction with DHCP to update resource
records when a computer's IP address is changed.


130 :: How Windows 2000-Based Computers Update Their DNS Names?
Windows 2000 computers try to dynamically register host address (A) and pointer (PTR) resource
records. All computers register records based on their full computer name. Dynamic updates can be
sent for any of the following reasons or events:
★ An IP address is added, removed, or modified for any one of the installed network connections.
★ An IP address lease changes or renews, for example, when you use the ipconfig /renew command.
★ You use the ipconfig /registerdns command to manually force a refresh of the client name
registration in DNS.
★ At startup time, when the computer is turned on.
When one of these events triggers a dynamic update, the DHCP Client service (not the DNS Client
service) sends updates. This process is designed so that if a change to the IP address information
occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-
address mappings for the computer. The DHCP Client service performs this function for all network
connections used on the system, including connections that are not configured to use DHCP.


131 :: How to configure DNS dynamic update on a Windows 2000 DNS client computer?
1) Click Start, point to Settings, and then click Network and Dial-up Connections.
2) Right-click the network connection that you want to configure, and then click Properties.
3) Click either the General tab (for the local area connection) or the Networking tab (for all other
connections), click Internet Protocol (TCP/IP), and then click Properties.
4) Click Advanced, and then click the DNS tab.
5) To use DNS dynamic update to register both the IP addresses for this connection and the full
computer name of the computer, click to select the Register this connection's addresses in DNS
check box. This check box is selected by default.
6) To configure a connection-specific DNS suffix, type the DNS suffix in the DNS suffix for this
connection box.
7) To use DNS dynamic update to register the IP addresses and the connection-specific domain
name for this connection, click to select the Use this connection's DNS suffix in DNS registration
check box. This check box is selected by default.


132 :: How to configure DNS Dynamic Update on a Windows 2000 DNS Server?
1) Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2) Click the appropriate zone under either Forward Lookup Zones or Reverse Lookup Zones.
3) On the Action menu, click Properties.
4) On the General tab, verify that the zone type is either Primary or Active Directory integrated.
5) If the zone type is Primary, click Yes in the Allow dynamic updates? list.
6) If the zone type is Active Directory-integrated, click either Yes or Only secure updates in the
Allow dynamic updates? list, depending on whether you want DNS dynamic updates to be secure.


133 :: How to Configure DNS Dynamic Update on a Windows 2000 DHCP Server?
1) Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
2) Click the appropriate DHCP server or a scope on the appropriate DHCP server.
3) On the Action menu, click Properties.
4) Click the DNS tab.
5) To enable DNS dynamic update for DHCP clients that support it, click to select the Automatically
update DHCP client information in DNS check box. This check box is selected by default.
6) To enable DNS dynamic update for DHCP clients that do not support it, click to select the Enable
updates for DNS clients that do not support dynamic updates check box. This check box is selected
by default.


134 :: How to enable DNS Dynamic Updates on a DHCP Server?
1) Select the scope or DHCP server on which you want to permit dynamic DNS updates.
2) On the Action menu, click Properties, and then click the DNS tab.
3) Click to select the Automatically Update DHCP Client Information In DNS check box.
4) To update a client's DNS records based on the type of DHCP request that the client makes and
only when it is requested, click Update DNS Only If DHCP Client Requests.
5) To always update a client's forward and reverse lookup records, click Always Update DNS.
6) Click to select the Discard Forward Lookups When Leases Expire check box to have the DHCP
server delete the Host resource record for a client when its DHCP lease expires and is not renewed.
7) Click to select the Enable Updates For DNS Clients That Do Not Support Dynamic Updates check
box to enable the DHCP server to update the forward and reverse lookup records for clients that
cannot update their own forward lookup records. If you do not select this check box, the DHCP
server does not automatically update the DNS records of non-Windows 2000 clients.


135 :: How to create a DNS entry for the Web Server?


1) Start the DNS snap-in.
2) Under DNS, expand Server1 (where Server1 is the host name of the DNS server).
3) Expand Forward Lookup Zones.
4) Under Forward Lookup Zones, right-click the zone that you want (for example, Microsoft.com),
and then click New Alias.
5) In the Alias name box, type www.
6) In the Fully qualified name for target host box, type the fully qualified host name of the DNS
server on which IIS is installed. For example, type dns.microsoft.com, and then click OK.


136 :: How to configure a secondary Name Server in Windows 2000?
1) Open DNS MMC.
2) In the console tree, click Host name (where Host name is the host name of the DNS server).
3) In the console tree, click Forward Lookup Zones.
4) Right-click the zone that you want (for example, example.com), and then click Properties.
5) Click the Name Servers tab, and then click Add.
6) In the Server name box, type the host name of the server that you want to add, for example,
namesvr2.example.com.
7) In the IP address box, type the IP address of the name server that you want to add (for example,
192.168.0.22), and then click Add.
8) Click OK, and then click OK.
9) In the console tree, click Reverse Lookup Zones, right-click the zone that you want, and then click
Properties.
10) Click the Name Servers tab, and then click Add.
11) In the Server name box, type the host name of the server that you want to add, for example,
namesvr2.example.com.
12) In the IP address box, type the IP address of the name server that you want to add (for example,
192.168.0.22), and then click Add.
13) Click OK, and then click OK.


137 :: How to configure the Forward Lookup Zone?


1) Open the DNS MMC in the Secondary Name Server.
2) In the console tree, under DNS, click Host name (where Host name is the host name of the DNS
server).
3) In the console tree, click Forward Lookup Zones.
4) Right-click Forward Lookup Zones, and then click New Zone.
5) When the New Zone Wizard starts, click Next to continue.
6) Click Standard secondary, and then click Next.
7) In the Name box, type the name of the zone (for example, example.com), and then click Next.
8) On the Master DNS Servers page, type the IP address of the primary name server for this zone,
click Add, click Next, and then click Finish.


138 :: How to configure the Reverse Lookup Zone?


1) Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2) In the console tree, click Host name (where Host name is the host name of the DNS server).
3) In the console tree, click Reverse Lookup Zones.
4) Right-click Reverse Lookup Zones, and then click New Zone.
5) When the New Zone Wizard starts, click Next to continue.
6) Click Standard secondary, and then click Next. In the Network ID box, type the network ID (for
example, type 192.168.0), and then click Next.
7) On the Zone File page, click Next, and then click Finish.


139 :: How to configure the Windows 2000 Domain Name System to age records?
When records are orphaned by renaming computers or by moving them to different subnets out of
their zones, dynamic DNS on a Windows 2000-based server does not age these records unless
the server is configured to perform this task. Orphans can occur if a group of computers is
installed from an image, and then renamed at a later time on another subnet. The reverse lookup
pointers may not be deleted if the computer is disconnected from the network immediately after
the installation. The automatic deletion of these records is possible by enabling the Aging and
Scavenging feature on the DNS server.


140 :: How to enable Aging and Scavenging?


1) Open the DNS manager.
2) In the left pane, under the DNS icon, right-click the server name.
3) Click Set Aging/Scavenging for all zones.
4) Click to select the Scavenge Stale Resource Records check box, and then set the interval that you
want the Aging feature to use.


141 :: How to set the Aging feature on an individual zone?


1) Right-click the zone, and then click Properties.
2) Click Aging.
3) Click to select the Scavenge Stale Resource Records check box, and then set the interval that you
want the Aging feature to use.
If the Aging feature is not enabled at the server level, and you attempt to enable the Aging feature
at the zone level, the Aging feature does not work. After you select the appropriate aging periods
and you enable the Scavenging feature on the server, outdated records are scavenged.


142 :: How to allow only secure dynamic updates?


1) Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2) Under DNS, expand the applicable DNS server, expand Forward Lookup Zones (or Reverse Lookup
Zones), and then click the applicable zone.
3) On the Action menu, click Properties.
4) On the General tab, verify that the zone type is Active Directory-integrated.
5) In the Allow dynamic updates? box, click Only secure updates.


143 :: How to create a Site link in Active Directory?


To create a new site link:
1) Click Active Directory Sites and Services.
2) Expand the Inter-Site Transports node, right-click IP (or click SMTP if you want to
use SMTP as the inter-site transport protocol), and then click New Site Link. If you have only one
site in Active Directory, you receive a message that states that two sites are required for the site
link to work. Click OK to continue.


144 :: How to create a Third-Party MSI package in Active Directory?
1) Start with a clean PC, or one that is representative of the computers in your network.
2) Start Discover to take a picture of the representative PC's software configuration. This
is the Before snapshot.
3) Install a program on the PC on which you took the Before snapshot.
4) Reboot the PC.
5) Run the new program to verify that it works.
6) Quit the program.
7) Start Discover and take an After snapshot of the PC's new configuration. Discover compares the
Before and the After snapshots and notes the changes. It creates a Microsoft Installer package with
information about how to install that program on such a PC in the future.
8) (Optional) Use Veritas Software Console to customize the Microsoft Installer package.
9) Clean the reference computer to prepare to run Discover again.
10) (Optional) Perform a test installation of the program on non-production workstations.


145 :: Define clean PC in Active Directory?


A clean PC is defined as a computer with only the following items on it before you run Discover:
★ The operating system
★ The service packs for the operating system
If you install Veritas Software Console on the computer, it is by definition no longer a clean PC. You
must install Veritas Software Console somewhere, but not on the clean PC.


146 :: Can you connect Active Directory to other 3rd-party
directory services? Name a few options?
Yes, you can connect Active Directory to other 3rd-party directory services, such as the directories
used by SAP, Domino, etc., with the help of MIIS (Microsoft Identity Integration Server).
