L2 Support-Windows Server Interview Question & Answers

Date post: 17-Feb-2018
Upload: smile-ever
7/23/2019 L2 Support-Windows Server Interview Question & Answers

http://slidepdf.com/reader/full/l2-support-windows-server-interview-question-answers 1/16

L2 Support-Windows Server Interview Questions & Answers

Active Directory

Active Directory is a centralized and standardized system that stores information about objects in a network and makes this information available to users and network administrators.

Domain Controller

In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources.

Global catalog server

A global catalog server is a domain controller that stores information about all objects in the forest. Like all domain controllers, a global catalog server stores full, writable replicas of the schema and configuration directory partitions and a full, writable replica of the domain directory partition for the domain that it is hosting. In addition, a global catalog server stores a partial, read-only replica of every other domain in the forest. Partial replicas are stored on Global Catalog servers so that searches of the entire directory can be achieved without requiring referrals from one domain controller to another.

Partial information of other domains. Partial information is nothing but classes and attributes (first name and last name and phones and addresses). Attribute-level security improvement in 2003.

OU:

"Organizational Units" are administrative-level containers on a computer; they allow administrators to organize groups of users together so that any changes, security privileges or any other administrative tasks can be accomplished more efficiently.

Domain:

A Windows Domain is a logical grouping of computers that share common security and user account information.

Forest

A Windows forest is a group of one or more trusted Windows trees. The trees do not need to have contiguous DNS names. A forest shares a schema and global catalog servers. A single tree can also be called a forest.

Tree:

A Windows tree is a group of one or more trusted Windows domains with contiguous DNS domains. "Trusted" means that an authenticated account from one domain isn't rejected by another domain. "Contiguous DNS domains" means that they all have the same root DNS name.

Site:

Sites are manually defined groupings of subnets. Objects in a site share the same global catalog servers, and can have a common set of group policies applied to them.

Schema:

The schema defines what attributes, objects, classes, and rules are available in the Active Directory.

SID (Security Identifier):

The SID is a unique name (alphanumeric character string) that is used to identify an object, such as a user or a group of users.

Group Policy objects (GPO):

A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object consisting of a Group Policy container (GPC) and a Group Policy template (GPT).

Password history is stored in:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Group Policy Container (GPC)

The Group Policy container (GPC) is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings.

Group Policy Template (GPT)

The Group Policy template (GPT) is a file system folder that includes policy data specified by .adm files, security settings, script files, and information about applications that are available for installation. The GPT is located in the system volume folder (SysVol) in the domain \Policies subfolder.

Filtering the Scope of a GPO


By default, a GPO affects all users and computers that are contained in the linked site, domain, or organizational unit. The administrator can further specify the computers and users that are affected by a GPO by using membership in security groups.

Starting with Windows 2000, the administrator can add both computers and users to security groups. Then the administrator can specify which security groups are affected by the GPO by using the Access Control List editor.

Knowledge Consistency Checker (KCC)

The Knowledge Consistency Checker (KCC) is a Windows component that automatically generates and maintains the intra-site and inter-site replication topology.

1. What is the purpose of having AD?

Active Directory is a directory service that identifies all resources on a network and makes that information available to users and services. The main purpose of AD is to control and authenticate network resources.

2. Explain about the sysvol folder?

The sysvol folder stores the server's copy of the domain's public files. The contents of the sysvol folder, such as group policy, users, and groups, are replicated to all domain controllers in the domain. The sysvol folder must be located on an NTFS volume.

3. Explain the functions of Active Directory?

AD enables centralization in a domain environment. The main purpose of AD is to control and authenticate network resources.

4. What is the name of the AD database?

The AD database is NTDS.DIT

5. Explain briefly about AD Partition?

The Active Directory database is logically separated into directory partitions:

Schema Partition: Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. The schema partition contains definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the attribute definitions.

Configuration Partition: There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.

Domain Partition: Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.

Application Partition: Application partitions store information about applications in Active Directory. Each application determines how it stores, categorizes, and uses application-specific information. To prevent unnecessary replication to specific application partitions, you can designate which domain controllers in a forest host specific application partitions. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.


6. Explain the different zones involved in DNS Server?

DNS has two different zones: Forward Lookup Zone and Reverse Lookup Zone. These two zones are categorized into three zones, as follows:

Primary zone: It contains the read and writable copy of the DNS database.

Secondary Zone: It acts as a backup for the primary zone and contains the read-only copy of the DNS database.

Stub zone: It is also read-only like a secondary zone; a stub zone contains only SOA, copies of NS and A records for all name servers authoritative for the zone.

7. Explain briefly about Stub Zone?

It is also read-only like a secondary zone, so administrators can't manually add, remove, or modify resource records on it. But secondary zones contain copies of all the resource records in the corresponding zone on the master name server; stub zones contain only three kinds of resource records:

A copy of the SOA record for the zone.
Copies of NS records for all name servers authoritative for the zone.
Copies of A records for all name servers authoritative for the zone.

8. Explain File Replication Service (FRS).

File Replication Service is a Microsoft service which replicates folders stored in sysvol shared folders on domain controllers and distributed file system shared folders. This service is a part of Microsoft's Active Directory Service.

9. What is authoritative and non-authoritative restore?

Non-authoritative restore: When a non-authoritative restore is performed, Active Directory is restored from backup media on the domain controller. This information is then updated during replication from the other domain controllers. The non-authoritative restore method is the default method to restore system state data to a domain controller.

Authoritative restore: In an authoritative restore, Active Directory is installed to the point of the last backup job. This method is typically used to recover Active Directory objects that were deleted in error. An authoritative restore is performed by first performing a non-authoritative restore, and then running the Ntdsutil utility prior to restarting the server. You use the Ntdsutil utility to indicate those items that are authoritative. Items that are marked as authoritative are not updated when the other domain controllers replicate to the particular domain controller.

10. What is the replication protocol involved in replication from PDC and ADC?

Normally Remote Procedure Call (RPC) is used to replicate data and is always used for intra-site replication since it is required to support the FRS. RPC depends on IP (internet protocol) for transport. Simple Mail Transfer Protocol (SMTP) may be used for replication between sites.

11. What are the benefits of AD integrated DNS?

A few advantages that Active Directory-integrated zone implementations have over standard primary zone implementations are:

Active Directory replication is faster, which means that the time needed to transfer zone data between zones is far less.


The Active Directory replication topology is used for Active Directory replication, and for Active Directory-integrated zone replication. There is no longer a need for DNS replication when DNS and Active Directory are integrated.

Active Directory-integrated zones can enjoy the security features of Active Directory.

The need to manage your Active Directory domains and DNS namespaces as separate entities is eliminated. This in turn reduces administrative overhead.

When DNS and Active Directory are integrated, the Active Directory-integrated zones are replicated, and stored on any new domain controllers automatically. Synchronization takes place automatically when new domain controllers are deployed.

12. Explain some types of DNS records?

A Record: Binds a Name with an IP Address

PTR Record: Binds an IP Address with a Host Name

NS Record: Is the name of a DNS Server

MX Record: Responsible for receiving mail from different MTAs

13. How many tables are there in NTDS.DIT?

The Active Directory ESE database, NTDS.DIT, consists of the following tables:

Schema table

The types of objects that can be created in the Active Directory, relationships between them, and the optional and mandatory attributes on each type of object. This table is fairly static and much smaller than the data table.

Link table

Contains linked attributes, which contain values referring to other objects in the Active Directory. Take the Member Of attribute on a user object. That attribute contains values that reference groups to which the user belongs. This is also far smaller than the data table.

Data table

Users, groups, application-specific data, and any other data stored in the Active Directory. The data table can be thought of as having rows where each row represents an instance of an object such as a user, and columns where each column represents an attribute in the schema such as Given Name.

14. What is the purpose of the command NETDOM?

NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

15. What is REPADMIN?

This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller.

16. What is the purpose of the command replmon?

Replmon displays information about Active Directory Replication.

17. How will you take a backup of the registry using NTBACKUP?

Using System State.

18. Explain briefly about Super Scope.

Using a super scope, you can group multiple scopes as a single administrative entity. With this feature, a DHCP server can: Support DHCP clients on a single physical network segment (such as a single Ethernet LAN segment) where multiple logical IP networks are used. When more than one logical IP network is used on each physical subnet or network, such configurations are often called multinets.

19. Explain how a client obtains an IP address from the DHCP Server?

It's a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection and (d) acknowledgement.

20. Explain about SRV Record.

For mapping a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.

21. How do clients get authenticated with Active Directory Server?

Using PDC Emulator roles involved in FSMO.

22. If you create the same user name or computer name, AD throws an error that the object already exists. Can you explain how AD identifies the existing object?

Using RID Master roles involved in FSMO.

22. What are the advantages of having RAID 5?

Stripe set with Distributed Parity. Fault Tolerance. 100% Data guarantee.

23. How will you verify a successful Active Directory installation?

Check DNS services and errors, check for domain name resolution, check for RPC, NTFRS, DNS and replication related errors.

24. Group Policy file extension in Windows 2003 Server

*.adm files

25. What is Global Catalog?

Global Catalog is a server which maintains the information about multiple domains with trust relationship agreement. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest.

26. What is Active Directory schema?

The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest; it also contains formal definitions of every attribute that can exist in an Active Directory object.

27. What is a site?

One or more well-connected, highly reliable and fast TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.

28. What is the file that's responsible for keeping all of the Active Directory database?

Schema master.

29. What is the ntds.dit file default size? 40Mb

30. What's the difference between local, global and universal groups?

Domain local groups assign access permissions to global domain groups for local domain resources.

Global groups provide access to resources in other trusted domains.

Universal groups grant access to resources in all trusted domains.

31. I am trying to create a new universal user group. Why can't I?

Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

32. What is LSDOU?

It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.

33. What is the command used to change the computer name and make a client a member of the domain?

Using the command netdom

34. Difference between SID and GUID?

A security identifier (SID) is a unique value of variable length that is used to identify a security principal or security group in Windows operating systems. Well-known SIDs are a group of SIDs that identify generic users or generic groups. Their values remain constant across all operating systems.

35. Explain FSMO in Detail.

In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers.

The five FSMO roles are:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

Infrastructure Master: The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows.

36. Which service is responsible for replicating files in the SYSVOL folder?

File Replication Service (FRS)

37. Can you move FSMO roles?

Yes, moving a FSMO server role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization then you have one forest, one domain, and of course the one domain controller. All 5 FSMO server roles will exist on that DC. There is no rule that says you have to have one server for each FSMO server role.

38. What permissions should you have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:

Schema Master - member of the Schema Admins group


Domain Naming Master - member of the Enterprise Admins group

PDC Emulator - member of the Domain Admins group and/or the Enterprise Admins group

RID Master - member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master - member of the Domain Admins group and/or the Enterprise Admins group

39. How to restore Group Policy settings back to default?

The following command would replace both the Default Domain Security Policy and Default Domain Controller Security Policy. You can specify Domain or DC instead of Both, to only restore one or the other.

>dcgpofix /target:Both

40. What is a caching-only DNS Server?

When DNS is installed, and you do not add or configure any zones for the DNS server, the DNS server functions as a caching-only DNS server by default. Caching-only DNS servers do not host zones, and are not authoritative for any DNS domain. The information stored by caching-only DNS servers is the name resolution data that the server has collected through resolving name resolution queries.

41. By default, how many shares are in the SYSVOL folder?

By default, a share with the domain name will be there under the SYSVOL folder.

Under the domain name share, two folders named Policies & Scripts will be there.

42. Zone not loaded by DNS server. How do you troubleshoot?

Need to check Zone Transfer is enabled for all DNS Servers.

Also check the required Name Server has been added in the Authoritative Name Server Tab in DNS properties.

43. What is LDAP?

LDAP (lightweight directory access protocol) is an internet protocol which email and other services use to look up information from the server.

44. What is ADSIEDIT?

ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects with a directory service.

45. What are application partitions? When do I use them?

An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.

Using an application directory partition provides redundancy, availability or fault tolerance by replicating data to a specific domain controller or any set of domain controllers anywhere in the forest.

46. How do you create a new application partition?

Use the DnsCmd command to create an application directory partition.

47. Why is a WINS server required?

Windows Internet Naming Service (WINS) is an older network service (a protocol) that takes computer names as input and returns the numeric IP address of the computer with that name or vice versa.

48. What is the purpose of the command ntdsutil?

To transfer or seize FSMO Roles.

What is the difference between Authorized DHCP and Non Authorized DHCP?

To avoid problems in the network caused by misconfigured DHCP servers, a server in Windows 2000 must be validated by AD before starting service to clients. If an authorized DHCP finds any DHCP server in the network it stops serving the clients.

Difference between inter-site and intra-site replication. Protocols used for replication.

Intra-site replication can be done between the domain controllers in the same site. Inter-site replication can be done between two different sites over WAN links.

BHS (Bridge Head Servers) is responsible for initiating replication between the sites. Inter-site replication can be done between BHS in one site and BHS in another site.

We can use RPC over IP or SMTP as replication protocols, whereas the Domain partition is not possible to replicate using SMTP.

How to monitor replication

We can use the Replmon tool from support tools.

Brief explanation of RAID Levels

Microsoft Windows XP, Windows 2000 and Windows Server 2003 offer two types of disk storage: basic and dynamic.

Basic Disk Storage

Basic storage uses normal partition tables supported by MS-DOS, Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Millennium Edition (Me), Microsoft Windows NT, Microsoft Windows 2000, Windows Server 2003 and Windows XP. A disk initialized for basic storage is called a basic disk. A basic disk contains basic volumes, such as primary partitions, extended partitions, and logical drives. Additionally, basic volumes include multidisk volumes that are created by using Windows NT 4.0 or earlier, such as volume sets, stripe sets, mirror sets, and stripe sets with parity. Windows XP does not support these multidisk basic volumes. Any volume sets, stripe sets, mirror sets, or stripe sets with parity must be backed up and deleted or converted to dynamic disks before you install Windows XP Professional.

Dynamic Disk Storage

Dynamic storage is supported in Windows XP Professional, Windows 2000 and Windows Server 2003. A disk initialized for dynamic storage is called a dynamic disk. A dynamic disk contains dynamic volumes, such as simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes. With dynamic storage, you can perform disk and volume management without the need to restart Windows.

Note: Dynamic disks are not supported on portable computers or on Windows XP Home Edition-based computers.

You cannot create mirrored volumes or RAID-5 volumes on Windows XP Home Edition, Windows XP Professional, or Windows XP 64-Bit Edition-based computers. However, you can use a Windows XP Professional-based computer to create a mirrored or RAID-5 volume on remote computers that are running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server, or the Standard, Enterprise and Data Center versions of Windows Server 2003.

Storage types are separate from the file system type. A basic or dynamic disk can contain any combination of FAT16, FAT32, or NTFS partitions or volumes.

A disk system can contain any combination of storage types. However, all volumes on the same disk must use the same storage type.

To convert a Basic Disk to a Dynamic Disk:


Use the Disk Management snap-in in Windows XP/2000/2003 to convert a basic disk to a dynamic disk. To do this, follow these steps:

1. Log on as Administrator or as a member of the Administrators group.

2. Click Start, and then click Control Panel.

3. Click Performance and Maintenance, click Administrative Tools, and then double-click Computer Management. You can also right-click My Computer and choose Manage if you have My Computer displayed on your desktop.

4. In the left pane, click Disk Management.

5. In the lower-right pane, right-click the basic disk that you want to convert, and then click Convert to Dynamic Disk. You must right-click the gray area that contains the disk title on the left side of the Details pane.

6. Select the check box that is next to the disk that you want to convert (if it is not already selected), and then click OK.

7. Click Details if you want to view the list of volumes in the disk. Click Convert.

8. Click Yes when you are prompted to convert the disk, and then click OK.

Warning: After you convert a basic disk to a dynamic disk, local access to the dynamic disk is limited to Windows XP Professional, Windows 2000 and Windows Server 2003. Additionally, after you convert a basic disk to a dynamic disk, the dynamic volumes cannot be changed back to partitions. You must first delete all dynamic volumes on the disk and then convert the dynamic disk back to a basic disk. If you want to keep your data, you must first back up the data or move it to another volume.

Dynamic Storage Terms

A volume is a storage unit made from free space on one or more disks. It can be formatted with a file system and assigned a drive letter. Volumes on dynamic disks can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-5.

A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.

A spanned volume is created from free disk space that is linked together from multiple disks. You can extend a spanned volume onto a maximum of 32 disks. A spanned volume cannot be mirrored and is not fault-tolerant.

A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended and is not fault-tolerant. Striping is also known as RAID-0.

A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.

A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be recreated from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.

The system volume contains the hardware-specific files that are needed to load Windows (for example, Ntldr, Boot.ini, and Ntdetect.com). The system volume can be, but does not have to be, the same as the boot volume.

The boot volume contains the Windows operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders. The boot volume can be, but does not have to be, the same as the system volume.

RAID 0 - Striping

RAID 1 - Mirroring (minimum 2 HDD required)

RAID 5 - Striping With Parity (Minimum 3 HDD required)


Only RAID levels 1 and 5 give redundancy.

What are the different backup strategies available?

Normal Backup

Incremental Backup

Differential Backup

Daily Backup

Copy Backup

What is a global catalog?

Global catalog is a role which maintains indexes about objects. It contains full information of the objects in its own domain and partial information of the objects in other domains. Universal Group membership information will be stored in global catalog servers and replicated to all GCs in the forest.

What is Active Directory and what is the use of it?

Active Directory is a directory service which maintains the relationship between resources and enables them to work together. Because of AD's hierarchical structure, Windows 2000 is more scalable and reliable. Active Directory is derived from X.500 standards, where information is stored in a hierarchical tree-like structure. Active Directory depends on two Internet standards: one is DNS and the other is LDAP. Information in Active Directory can be queried by using the LDAP protocol.

What is the physical and logical structure of AD?

Active Directory physical structure is a hierarchical structure which follows Forests, Trees, Domains, Child Domains, Grand Child, etc.

Active Directory is logically divided into 3 partitions:

1. Configuration partition
2. Schema partition
3. Domain partition
4. Application partition (only in Windows 2003, not available in Windows 2000)

Out of these, the Configuration and Schema partitions can be replicated between the domain controllers in the entire forest, whereas the Domain partition can be replicated between the domain controllers in the same domain.

What is the process of user authentication (Kerberos V5) in Windows 2000?

After giving logon credentials, an encryption key will be generated which is used to encrypt the time stamp of the client machine. The user name and encrypted time stamp information will be provided to the domain controller for authentication. Then the domain controller, based on the password information stored in AD for that user, decrypts the encrypted time stamp information. If the produced time stamp matches its own time stamp, it will provide a logon session key and Ticket Granting Ticket to the client in an encrypted format. Again the client decrypts, and if the produced time stamp information matches, it will use the logon session key to log on to the domain. The Ticket Granting Ticket will be used to generate a service granting ticket when accessing network resources.

What are the port numbers for Kerberos, LDAP and Global Catalog?

Kerberos - 88, LDAP - 389, Global Catalog - 3268

What is the use of LDAP (X.500 standard)?

LDAP is a directory access protocol, which is used to exchange directory information from server to clients or from server to servers.

What problems do we generally come across with DHCP?

Scope is full of IP addresses; no IPs available for new machines

Scope options are not configured properly, e.g. default gateway

Incorrect creation of scopes, etc.

What is the role responsible for time synchronization?

PDC Emulator is responsible for time synchronization. Time synchronization is important because Kerberos authentication depends on time stamp information.

What is TTL & how to set TTL time in DNS?

TTL is the Time to Live setting, used for the amount of time that a record should remain in cache after name resolution has happened. We can set TTL in the SOA (start of authority) record of DNS.

How to take DNS, WINS and DHCP backup

%System root%/system32/dns

%System root%/system32/WINS

%System root%/system32/DHCP

What is recovery console?

Recovery console is a utility used to recover the system when it is not booting properly or not booting at all. We can perform the following operations from recovery console:

Copy, rename, or replace operating system files and folders

Enable or disable service or device startup the next time the computer starts

Repair the file system boot sector or the Master Boot Record

Create and format partitions on drives

What is DFS & its usage

DFS is a distributed file system used to provide a common environment for users to access files and folders even when they are physically shared on different servers.

There are two types of DFS: domain DFS and stand-alone DFS. We cannot provide redundancy for stand-alone DFS in case of failure. Domain DFS is used in a domain environment and can be accessed by /domain name/root1 (root1 is the DFS root name). Stand-alone DFS can be used in a workgroup environment and can be accessed through /server name/root1 (root1 is the DFS root name). In both cases we need to create a DFS root (which appears like a shared folder for end users) and DFS links (a logical link which points to the server where the folder is physically shared).

The maximum number of Dfs roots per server is 1.

The maximum number of Dfs root replicas is 31.

The maximum number of Dfs roots per domain is unlimited.

The maximum number of Dfs links or shared folders in a Dfs root is 1,000.

What is RIS and what are its requirements

RIS is a remote installation service, which is used to install an operating system remotely.

Client requirements

PXE DHCP-based boot ROM version 1.00 or later NIC, or a network adapter that is supported by the RIS boot disk.

Should meet minimum operating system requirements

Software requirements

The network services below must be active on the RIS server or any server in the network:

Domain Name System (DNS Service)

Dynamic Host Configuration Protocol (DHCP)

Active Directory "Directory" service

How many root replicas can be created in DFS?

31

Can we establish trust relationship between two forests?

In Windows 2000 it is not possible. In Windows 2003 it is possible.

What is FSMO Roles

Flexible single master operation (FSMO) roles are:

Domain Naming Master

Schema Master

PDC Emulator

Infrastructure Master

RID Master

Intrasite Replication

Replication that happens between controllers inside one site. All of the subnets inside the site should be connected by high speed network wires.

Intersite Replication

Intersite replication is replication between sites and must be set up by an administrator. Simple Mail Transfer Protocol (SMTP) may be used for replication between sites.

Active Directory Replication?

Replication must often occur both within sites (intrasite) and between sites (intersite) to keep domain and forest data consistent among domain controllers that store the same directory partitions.


Adprep.exe

Adprep.exe is a command-line tool used to prepare a Microsoft Windows 2000 forest or a Windows 2000 domain for the installation of Windows Server 2003 domain controllers.

USE:

When Microsoft Exchange Server is deployed in an organization, Exchange Server uses Active Directory as a data store and it extends the Windows 2000 Active Directory schema to enable it to store objects specific to Exchange Server. The ldapDisplayName of the attribute schema ms-Exch-Assistant-Name, ms-Exch-LabeledURI, and ms-Exch-House-Identifier defined by Exchange Server conflicts with the iNetOrgPerson schema that Active Directory uses in Windows Server 2003. When Windows Server 2003 Service Pack 1 is installed, Adprep.exe will be able to detect the presence of the schema conflict and block the upgrade of the schema until the issue has been resolved.

GUID:

When a new domain user or group account is created, Active Directory stores the account's SID in the Object-SID (objectSID) property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory, not just User and Group objects. Each object's GUID is stored in its Object-GUID (objectGUID) property.

Active Directory uses GUIDs internally to identify objects.

SID:

A security identifier (SID) is a data structure in binary format that contains a variable number of values. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

Lingering objects

When a domain controller is disconnected for a period that is longer than the TSL (tombstone lifetime), one or more objects that are deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Because the domain controller is offline during the time that the tombstone is alive, the domain controller never receives replication of the tombstone.

Sysvol

Sysvol is a shared directory that stores the server copy of the domain's public files, which are replicated among all domain controllers in the domain. The Sysvol contains the data in a GPO: the GPT, which includes Administrative Template-based Group Policy settings, security settings, script files, and information regarding applications that are available for software installation. It is replicated using the File Replication Service (FRS).

File Replication Service (FRS)

In Windows 2000, the SYSVOL share is used to authenticate users. The SYSVOL share includes group policy information which is replicated to all local domain controllers. File replication service (FRS) is used to replicate the SYSVOL share. The "Active Directory Users and Computers" tool is used to change the file replication service schedule.

Win logon

A component of the Windows operating system that provides interactive logon support. Winlogon is the service in which the Group Policy engine runs.

Lightweight Directory Access Protocol (LDAP)

It defines how clients and servers exchange information about a directory. LDAP version 2 and version 3 are used by Windows 2000 Server's Active Directory.

An LDAP URL names the server holding Active Directory services and the Attributed Name of the object. For example:

LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN=Division,DC=myco,DC=domain-controller

USN

Each object has an Update Sequence Number (USN), and if the object is modified, the USN is incremented. This number is different on each domain controller. USN provides the key to multimaster replication.

Universal group membership caching

Due to available network bandwidth and server hardware limitations, it may not be practical to have a global catalog in smaller branch office locations. For these sites, you can deploy domain controllers running Windows Server 2003, which can store universal group membership information locally.

By default, the universal group membership information contained in the cache of each domain controller will be refreshed every 8 hours. Up to 500 universal group memberships can be updated at once. Universal groups couldn't be created in Mixed mode.

What is an ACL or access-control list?

A list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.)

What is an ACE or access-control entry?

An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.

Flexible Single Master Operations (FSMO) Roles

Multi-Master Operation:

In Windows 2000 & 2003, every domain controller can receive changes, and the changes are replicated to all other domain controllers. The day-to-day operations that are associated with managing users, groups, and computers are typically multimaster operations.

There is a set of Flexible Single Master Operations (FSMO) which can only be done on a single controller. An administrator determines which operations must be done on the master controller. These operations are all set up on the master controller by default and can be transferred later. FSMO operation types include:

Schema Master: The schema master domain controller controls all updates and modifications to the schema. There can be only one schema master in the whole forest.

Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest and is responsible for ensuring that domain names are unique in the forest. There can be only one domain naming master in the whole forest.

Infrastructure Master:

Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (unless all DCs are also GCs).

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. This role takes care of the update when we rename any group membership object.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master:

It assigns RID and SID to newly created objects like users and computers. If the RID master is down, you can create security objects only as long as RID pools are available in the DCs; after that you can't create any object while it is down.

When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain.

PDC Emulator: When Active Directory is in mixed mode, the computer Active Directory is on acts as a Windows NT PDC. The first server that becomes a Windows 2000 domain controller takes the role of PDC emulator by default.

Functions performed by the PDC emulator:

User account changes and password changes.

SAM directory replication requests.

Domain master browser requests

Authentication requests.

GPO

Time synchronization
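The SID and Relative ID (RID) Master entries above both describe a SID as a binary structure made of a domain SID plus a RID. The following added example (not part of the original document) decodes that binary layout into the familiar S-1-5-21-... string and splits it into domain SID and RID; the function names and the sample SID values are constructed for illustration.

```python
import struct

# RIDs that Windows assigns to built-in domain accounts and groups.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def pack_sid(sid: str) -> bytes:
    """Encode an S-<rev>-<authority>-<sub>... string into the binary SID layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (bytes([revision, len(subs)])                # revision, sub-authority count
            + authority.to_bytes(6, "big")              # 48-bit authority, big-endian
            + struct.pack("<%dI" % len(subs), *subs))   # 32-bit values, little-endian


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID (as stored in objectSID) into its string form."""
    if len(raw) < 8:
        raise ValueError("SID header is 8 bytes, got %d" % len(raw))
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    # The count byte says how many values follow: this is the "variable number".
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_domain_sid(sid: str):
    """Return (domain_sid, rid) for a domain account SID: S-1-5-21-a-b-c-RID."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def describe(raw: bytes) -> dict:
    """Summarise a binary SID: string form, domain part, RID, built-in name if any."""
    sid = parse_sid(raw)
    domain_sid, rid = split_domain_sid(sid)
    return {"sid": sid, "domain_sid": domain_sid, "rid": rid,
            "well_known": WELL_KNOWN_RIDS.get(rid)}


# Constructed sample values: two principals created in the same (made-up) domain.
SAMPLE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_USER = pack_sid(SAMPLE_DOMAIN + "-1105")
SAMPLE_ADMIN = pack_sid(SAMPLE_DOMAIN + "-500")

if __name__ == "__main__":
    for raw in (SAMPLE_USER, SAMPLE_ADMIN):
        print(raw.hex(), describe(raw))
```

Both samples share the domain SID and differ only in the RID, which is why the built-in Administrator account can be recognised by RID 500 even after it has been renamed.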

Dynamic Data:

A dynamic entry is an object in the directory which has an associated time-to-live (TTL) value. The TTL for an entry is set when the entry is created.

Security Principals: Objects that can have permissions assigned to them and each contain security identifiers. The following objects are security principals:

User

Computer

Group

RPC:

Active Directory uses RPC over IP to transfer both intersite and intrasite replication between domain controllers. To keep data secure while in transit, RPC over IP replication uses both the Kerberos authentication protocol and data encryption.

SMTP:

If you have a site that has no physical connection to the rest of your network, but that can be reached using the Simple Mail Transfer Protocol (SMTP), that site has mail-based connectivity only. SMTP replication is used only for replication between sites. You also cannot use SMTP replication to replicate between domain controllers in the same domain; only inter-domain replication is supported over SMTP (that is, SMTP can be used only for intersite, inter-domain replication). SMTP replication can be used only for schema, configuration and global catalog partial replica replication. SMTP replication observes the automatically generated replication schedule.

Changing of ntds.dit file from one Drive to another

1. Boot the domain controller in Directory Services Restore mode and log on with the Directory Services Restore mode administrator account and password (this is the password you assigned during the Dcpromo process).

2. At a command prompt, type ntdsutil.exe. You receive the following prompt:

ntdsutil:

3. Type files to receive the following prompt:

file maintenance:

4. Type info. Note the path of the database and log files.

5. To move the database, type move db to %s (where %s is the target folder).

6. To move the log files, type move logs to %s (where %s is the target folder).

7. Type quit twice to return to the command prompt.

8. Reboot the computer normally.

DNS (Domain Name System)

Domain Name System (DNS) is a database system that translates a computer's fully qualified domain name into an IP address.

DNS Zones

Forward lookup zone - Name to IP address map.

Reverse lookup zone - IP address to name map.

Primary Zones - Hold read and write copies of all resource records (A, NS, _SRV).

Secondary Zones - Hold read-only copies of the Primary Zones.

Stub Zones

Conceptually, stub zones are like secondary zones in that they have a read-only copy of a primary zone. Stub zones are more efficient and create less replication traffic.

Stub Zones only have 3 records: the SOA for the primary zone, an NS record and a Host (A) record. The idea is that if a client queries a record in the Stub Zone, your DNS server can refer that query to the correct Name Server because it knows its Host (A) record.

Queries

Query types are:

Inverse - Getting the name from the IP address. These are used by servers as a security check.

Iterative - Server gives its best answer. This type of inquiry is sent from one server to another.

Recursive - Cannot refer the query to another name server.

Conditional Forwarding

Another classic use of forwarders is where companies have subsidiaries, partners or people they know and query regularly. Instead of going the long way around using the root hints, the network administrators configure Conditional Forwarders.

Purpose of Resource Records

Without resource records DNS could not resolve queries. The mission of a DNS query is to locate a server that is authoritative for a particular domain. The easy part is for the authoritative server to check the name in the query against its resource records.

SOA (start of authority) record - Each zone has one SOA record that identifies which DNS server is authoritative for domains and sub domains in the zone.

NS (name server) record - An NS record contains the FQDN and IP address of a DNS server authoritative for the zone. Each primary and secondary name server authoritative in the domain should have an NS record.

A (address) record - By far the most common type of resource record, an A record is used to resolve the FQDN of a particular host into its associated IP address.

CNAME (canonical name) record - A CNAME record contains an alias (alternate name) for a host.

PTR (pointer) record - The opposite of an A record, a PTR record is used to resolve the IP address of a host into its FQDN.

SRV (service) record - An SRV record is used by DNS clients to locate a server that is running a particular service, for example, to find a domain controller so you can log on to the network. SRV records are key to the operation of Active Directory.

MX (mail exchange) record - An MX record points to one or more computers that process SMTP mail for an organization or site.

Where DNS resource records will be stored:

After running DCPROMO, a text file containing the appropriate DNS resource records for the domain controller is created. The file called Netlogon.dns is created in the %systemroot%\System32\config folder and contains all the records needed to register the resource records of the domain controller. Netlogon.dns is used by the Windows 2000 NetLogon service and to support Active Directory for non-Windows 2000 DNS servers.

Procedures for changing a Server's IP Address

Once DNS and replication are set up, it is generally a bad idea to change a server's IP address (at least according to Microsoft). Just be sure that is what you really want to do before starting the process. It is a bit akin to changing the Internal IPX number of a Novell server, but it can be done.

1. Change the server's IP address.

2. Stop the NETLOGON service.

3. Rename or delete SYSTEM32\CONFIG\NETLOGON.DNS and NETLOGON.DNB

4. Restart the NETLOGON service and run "IPconfig /registerDNS"

5. Go to one of the other DCs and verify that its DNS is now pointing to the new IP address of the server. If not, change the records manually and give it 15 minutes to replicate the DNS changes out.

6. Run REPLMON and make sure that replication is working now. You may have to wait a little while for things to straighten out. Give it an hour or two if necessary.

If a server shows that it isn't replicating with one of its partners, there are several issues to address:

A. Check to see that the servers can ping each other.

B. Make sure that both servers' DNS entries for each other point to the proper IP addresses.

C. If server A says it replicated fine, but server B says it couldn't contact Server A, check the DNS setup on Server B. Chances are it has a record for Server A pointing to the wrong place.

D. Run Netdiag and see if it reports any errors or problems.

Trust Relationship

One way trust - When one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.

Two way trust - When two domains allow access to users on the other domain.

Trusting domain - The domain that allows access to users on another domain.

Trusted domain - The domain that is trusted, whose users have access to the trusting domain.

Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree.

Intransitive trust - A one way trust that does not extend beyond two domains.

Explicit trust - A trust that an administrator creates. It is not transitive and is one way only.

Cross-link trust - An explicit trust between domains in different trees or in the same tree when a descendent/ancestor (child/parent) relationship does not exist between the two domains.

Forest trust - When two forests have a functional level of Windows 2003, you can use a forest trust to join the forests at the root.

Shortcut trust - When domains that authenticate users are logically distant from one another, the process of logging on to the network can take a long time. You can manually add a shortcut trust between two domains in the same forest to speed authentication. Shortcut trusts are transitive and can either be one way or two way.

49. Explain Forest Functional Level in Windows 2003 Server.

50. Explain Domain Functional Level in Windows 2003 Server.

51. How will you extend schema database?

52. What is the purpose of adprep command?

53. Briefly explain about netlogon?

54. What are forwarders in DNS server?

55. Explain about root hints.

56. Explain types of DNS queries?

57. How you will defragment AD Database?

