
Tuesday 1 March 2011

Active Directory:

1) What is Active Directory?
Ans: Active Directory is a centralized, hierarchical directory database and directory service that holds information about all user accounts and shared resources on a network.

2) What is an organizational unit?
Ans: OUs are additional container objects that can hold users, computers, groups and other OUs.

3) What is the use of an organizational unit?
Ans: OUs are additional container objects that can hold users, computers, groups and other OUs.
Uses:
1) To control replication traffic.
2) To make authentication faster and more efficient.
3) To locate the nearest server providing directory-enabled services.
4) To manage the application of Group Policy.

4) What are the main roles in Active Directory?
Ans: FSMO stands for Flexible Single Master Operation. The roles are:
1) Domain naming master
2) Schema master
3) PDC Emulator
4) RID master
5) Infrastructure master

5) What is the location and file system type where the Active Directory information is installed?
Ans: On an NTFS partition: c:\windows\ntds.dit and c:\windows\sysvol.
   
6) Some files are used for the replication between the DC and ADC; what is the location of that directory?
Ans: c:\windows\sysvol.

7) What is the use of the SYSVOL folder?
Ans: The SYSVOL folder contains data and files common to the DC and AD. SYSVOL is included in the system state backup. In Windows 2003, SYSVOL is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy Objects (GPOs) and scripts so that the File Replication Service (FRS) can distribute them to the other domain controllers within that domain.

8) What protocol does Active Directory use to perform its functions?
Ans: LDAP (Lightweight Directory Access Protocol), based on TCP/IP.

9) What is a tree?
Ans: A tree is a collection of domains that share a single DNS namespace and are connected by transitive trust relationships.

10) What is a forest?
Ans: A forest is a collection of one or more domains that share a common schema and global catalog.
Forest — Tree — Domain

11) What are sites?
Ans: A site is a physical component of Active Directory that is used to define and represent the topology of a network. A site is a collection of one or more well-connected IP subnets.
Uses:
1) To control replication traffic.
2) To make authentication faster and more efficient.
3) To locate the nearest server providing directory-enabled services.

12) What are domain controllers?
Ans: Domain controllers are the physical storage location for the Active Directory database.
     
13) What is the Active Directory schema?
Ans: The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest; it also contains formal definitions of every attribute that can exist in an Active Directory object. Active Directory stores and retrieves information for a wide variety of applications and services. So that it can store and replicate data from a potentially infinite variety of sources, Active Directory standardizes how data is stored in the directory. By standardizing how data is stored, the directory service can retrieve, update and replicate data while ensuring that the integrity of the data is maintained.
The schema master is a set of rules used to define the structure of Active Directory. It contains definitions of all the objects stored in AD and maintains detailed information about those objects.

14) What are the physical components of Active Directory?
Ans: Domain controllers and sites.

15) What are the logical components of Active Directory?
Ans: Forests, trees, domains and OUs.

16) What is the command to make a server into a domain controller in Windows 2000 and 2003?
Ans: DCPROMO.

17) What is the command to remove the domain controller functionality?
Ans: DCPROMO /FORCEREMOVAL.

18) Which version of Active Directory is in Windows 2000 and Windows 2003?
Ans: Windows 2000: 1.0
Windows 2003: 1.1

19) What is the command used to install Active Directory on remote servers?
Ans: dcpromo /answer:answerfile
(The answer file is a text file created from the \support\tools folder by using the deploy.cab file.)
    
20) Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
Ans: Active Directory replaces them. Now all domain controllers share a multi-master, peer-to-peer read and write relationship, and each hosts a copy of the Active Directory.

21) How long does it take for security changes to be replicated among the domain controllers?
Ans: Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

22) What is Kerberos?
Ans: Kerberos is an Internet-standard authentication protocol that provides a higher level of security and is more efficient than Windows NT LAN Manager.

23) What is Windows NT LAN Manager (NTLM)?
Ans: This protocol enables users of Windows 95, Windows 98 and Windows NT client computers to be authenticated to Windows 2000 domains. It is only available when Windows 2000 Active Directory is configured to operate in mixed mode.
24) What command-line utility is run on Windows 2000 domain controllers before they are upgraded to Windows 2003 domain controllers?
Ans: 1) adprep /forestprep
(This command must be issued on the Windows 2000 server holding the schema master role in the forest root domain, to prepare the existing schema to support Windows 2003 AD.)
2) adprep /domainprep
(This command is issued on the Windows 2000 server holding the Infrastructure master role in each domain to be upgraded to Windows 2003.)
Note: the adprep tool is in the i386 directory of the Windows 2003 CD-ROM.

25) How can you authenticate between forests?
Ans: Windows 2000 always uses NTLM for authentication between forests; 2003 will use Kerberos if and only if DNS is used while setting up the domains. If the NetBIOS name is used, NTLM is used for 2003.

26) Compare Active Directory and the SAM.
Ans:
Windows NT: Single-master replication is used via PDCs and BDCs.
Windows 2000: Multimaster replication is used via DCs.

Windows NT: Domain is the smallest unit of partitioning.
Windows 2000: Domain is the smallest unit of partitioning.

Windows NT: Domain is the smallest unit of authentication.
Windows 2000: OU is the smallest unit of authentication.

Windows NT: Domain is the smallest unit of policy (system policies).
Windows 2000: OU is the smallest unit of policy (group policy objects).

Windows NT: Domain is the smallest unit of security delegation/administration.
Windows 2000: A property of an object is the smallest unit of security delegation/administration.

Windows NT: NetBIOS broadcasts are the primary browsing and connection mechanism.
Windows 2000: TCP/IP connections to Active Directory are the primary browsing and connection mechanism.

Windows NT: WINS or LMHOSTS is required for effective browsing.
Windows 2000: DNS and Active Directory are required for effective browsing; WINS is required for older clients.

Windows NT: Object is the smallest unit of replication.
Windows 2000: Property is the smallest unit of replication.

Windows NT: Maximum recommended database size for the SAM is 40 MB.
Windows 2000: Maximum database size for Active Directory is 70 TB.

Windows NT: Maximum effective number of users is 40,000 (if you accept the recommended 40 MB maximum).
Windows 2000: Maximum number of users (objects) in one domain is between one and two million; maximum number of users (objects) in one forest is 10 million.

Windows NT: Four domain models (single, single-master, multimaster, complete-trust) are required to solve the admin-boundary and user-limit problems, which are per domain.
Windows 2000: No domain models are required, as the complete-trust model is implemented; one-way trusts can be implemented manually.

Windows NT: Schema is not extensible.
Windows 2000: Schema is fully extensible.
27) Which protocol plays the security role for authentication in 2000 and 2003?
Ans: Kerberos.

28) What is the version of Kerberos in the 2003 OS?
Ans: Kerberos v5.5

29) What command displays whether a machine is a DC, ADC or member server?
Ans: net accounts.

30) What type of backup is used to back up Active Directory?
Ans: System state data backup.


32) What command shows the SID, RID and DID of a user?
Ans: whoami /user (SID: security identifier).

33) Can you create a new domain tree in an existing forest in Windows 2000?
Ans: No; only in Windows 2003 can we create one.

34) What replication process is used in Windows 2000 and Windows 2003?
Ans: Two-way replication (the ADC holds a read and write copy).

35) What types of classes exist in Windows Server 2003 Active Directory?
Ans: Structural class. The structural class is important to the system administrator in that it is the only type from which new Active Directory objects are created. Structural classes are developed either from the modification of an existing structural type or from the use of one or more abstract classes.
Abstract class. Abstract classes are so named because they take the form of templates that in turn create other templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for defining objects.
Auxiliary class. The auxiliary class is a list of attributes. Rather than applying numerous attributes when creating a structural class, it provides a streamlined alternative by applying a combination of attributes with a single include action.
88 class. The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was adopted. This type does not use the structural, abstract and auxiliary definitions, nor is it in common use for the development of objects in Windows Server 2003 environments.
36) What is the default domain functional level in Windows Server 2003?
Ans: The four domain functional levels are:
1) Windows 2000 Mixed
2) Windows 2000 Native
3) Windows Server 2003 Interim
4) Windows Server 2003

Windows 2000 Mixed
When you configure a new Windows Server 2003 domain, the default domain functional level is Windows 2000 Mixed. Under this domain functional level, Windows NT, 2000 and 2003 domain controllers are supported. However, certain features such as group nesting, universal groups and so on are not available.

Windows 2000 Native
Upgrading the functional level of a domain to Windows 2000 Native should only be done if there are no Windows NT domain controllers remaining on the network. By upgrading to the Windows 2000 Native functional level, additional features become available, including group nesting, universal groups, SIDHistory, and the ability to convert between security groups and distribution groups.

Windows Server 2003 Interim
The third functional level is Windows Server 2003 Interim, and it is often used when upgrading from Windows NT to Windows Server 2003. Upgrading to this domain functional level provides support for Windows NT and Windows Server 2003 domain controllers. However, like Windows 2000 Mixed, it does not provide new features.

Windows Server 2003
The last functional level is Windows Server 2003. This domain functional level only provides support for Windows Server 2003 domain controllers. If you want to take advantage of all the features included with Windows Server 2003, you must implement this functional level. One of the most important features introduced at this functional level is the ability to rename domain controllers.

37) When should you create a forest?
Ans: Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures: while access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

38) What type of domain names are used in Windows 2003 and Windows 2000?
Ans: Fully qualified domain names (any name with an extension).

39) What are the FSMO roles?
Ans: FSMO stands for Flexible Single Master Operation. The roles are:
1) Domain naming master
2) Schema master
3) PDC Emulator
4) RID master
5) Infrastructure master

40) What are the six underlying major roles in Active Directory that are transferred from the DC to the ADC to make an additional domain controller act as a domain controller?
Ans:
Forest level:
1) Domain naming master
2) Schema master
3) Global catalog server
Domain level:
4) PDC Emulator
5) RID master
6) Infrastructure master

41) Define the six responsibilities of Active Directory.
Ans:
Domain naming master: ensures that domain names are unique.
Schema master: maintains the classes, attributes and architecture of the schema.
Global catalog server: helps to find objects across domains, supplies information about universal group membership and authenticates users.
RID master: ensures that user accounts are unique.
PDC Emulator: acts as the emulator for user logon and for replication between the DC and BDCs.
Infrastructure master: responsible for changes or modifications in group membership; allows a user to move from one group to another.
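An added example (not from the original post) that reports which DC holds each of the roles listed above and checks one placement rule a practitioner cares about: the Infrastructure master should not sit on a global catalog unless every DC in the domain is a GC, or it stops noticing stale cross-domain group-membership references. It assumes the ActiveDirectory PowerShell module (RSAT), which is newer than the 2000/2003 era the answers describe; on 2003 the closest equivalent is "netdom query fsmo".

```powershell
# Added example, not the post's own text. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Forest-wide roles have one holder per forest; domain-wide roles one per domain.
$forest = Get-ADForest
$domain = Get-ADDomain

[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    GlobalCatalogs       = ($forest.GlobalCatalogs -join ', ')
} | Format-List

# Placement check. Get-ADDomainController -Filter * lists the DCs of the
# current domain; IsGlobalCatalog tells whether each one is a GC.
$dcs    = Get-ADDomainController -Filter *
$allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
$imIsGc = $forest.GlobalCatalogs -contains $domain.InfrastructureMaster

if ($forest.Domains.Count -gt 1 -and $imIsGc -and -not $allGc) {
    Write-Warning ("Infrastructure master {0} is a GC while other DCs are not; " +
                   "move the role to a non-GC DC or make every DC a GC.") -f $domain.InfrastructureMaster
} else {
    Write-Output "Infrastructure master placement is consistent with the GC layout."
}
```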
42) Can I change my password if my machine's connectivity to the DC holding the PDC emulator role has failed?
Ans: No, you cannot change the password.

43) What is a global catalog server?
Ans: A global catalog server is a searchable index that stores information about all objects in an Active Directory. The main role of the global catalog server is to help quickly find objects across domains, supply information about universal group membership, and authenticate users when user principal names (UPNs) are supplied.

44) What is the global catalog?
Ans: The global catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC in every site in order to prevent user logon failures across the network.

45) What is a GC? How many are required for a tree?
Ans: A global catalog server is a searchable index book. With it we can find any object in the Active Directory. It also works as logon authentication for group memberships. We can have one on each domain controller in a domain, or only on the first domain controller in a domain.

46) Where are global catalog servers configured?
Ans: On each domain controller individually.

47) Which type of zone is created when you install Active Directory?
Ans: An Active Directory-integrated zone with six service records is created for the domain name when you install AD, on the application directory partition.

48) How many services are installed when you install Active Directory, and what are they?
Ans: Five in total:
1) Active Directory Domains & Trusts
2) Active Directory Sites and Services
3) Active Directory Users and Groups
4) Domain Controller Security Policy
5) Domain Security Policy

50) What snap-in administrative tools are available for Active Directory?
Ans: Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active Directory Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Manager (optional, available from the admin pack).

51) How do you delete a lingering object?
Ans: Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active Directory.

52) Where is the universal group membership cache configured?
Ans: At the site; it applies to all domain controllers within a specific site.
53) What types of partitions does a Windows 2000 domain controller hold in Active Directory?
Ans:
Domain partition: contains all objects associated with a particular domain.
Schema partition: contains a copy of the Active Directory schema for a given forest; this partition is replicated to all DCs.
Configuration partition: contains information about Active Directory sites and services.
Global catalog partition: contains a subset of the attributes of all objects in the Active Directory forest.

54) What types of partitions are supported by Windows 2003 Server?
Ans: Windows 2003 Server supports all four partitions that Windows 2000 Server supports, and it also supports a new partition.
Application directory partition: the main purpose of this partition is to store data (objects and attributes) related to Active Directory-integrated applications and services.
Note: it is a partition that is replicated only to specific domain controllers. It is used to store data relating to services such as DNS.
Some benefits of using this partition:
1) Provides redundancy, availability and fault tolerance.
2) Reduces replication traffic.
3) Allows applications or services that use LDAP to store and access their data in AD.
4) It can hold any type of object except security principals such as users, computers and security groups.
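An added example (not from the original post) that lists, for each DC in the current domain, which partitions it holds, separating the domain, configuration and schema partitions from application directory partitions such as the DNS ones that the answer above says are replicated only to specific DCs. It assumes the ActiveDirectory PowerShell module.

```powershell
# Added example, not the post's own text. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# RootDSE exposes the three partitions every DC in the domain must hold.
$rootDse = Get-ADRootDSE
$builtin = @(
    $rootDse.defaultNamingContext,        # domain partition
    $rootDse.configurationNamingContext,  # configuration partition
    $rootDse.schemaNamingContext          # schema partition
)

# Everything else in a DC's Partitions list is an application directory
# partition (for example DomainDnsZones / ForestDnsZones for AD-integrated DNS).
foreach ($dc in Get-ADDomainController -Filter *) {
    $appParts = @($dc.Partitions | Where-Object { $builtin -notcontains $_ })
    [PSCustomObject]@{
        DC                    = $dc.HostName
        IsGlobalCatalog       = $dc.IsGlobalCatalog   # GC also holds partial replicas
        ApplicationPartitions = ($appParts -join '; ')
    }
}

# The forest keeps its own list of application partitions; any entry here that
# shows up on no DC in any domain should be checked before a demotion removes
# the last replica (the error quoted later in the post).
(Get-ADForest).ApplicationPartitions
```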

55) How do you check DC replication status?
Ans: Go to the event logs for NTFRS (File Replication Service); they will tell you when the last sync was.
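An added example (not from the original post) that checks inbound AD replication for a DC partner by partner and then reads the NTFRS log the answer above points at. It assumes the ActiveDirectory module on Windows Server 2012 or later and a SYSVOL still replicated by FRS; on 2003 the equivalent is "repadmin /showrepl".

```powershell
# Added example, not the post's own text. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DcReplicationHealth {
    param(
        [string]$Dc = $env:COMPUTERNAME,  # DC to inspect
        [int]$MaxAgeHours = 1             # flag partners with no success in this window
    )
    # One record per inbound partner and partition ("*" = all partitions).
    $meta = Get-ADReplicationPartnerMetadata -Target $Dc -Partition *
    foreach ($m in $meta) {
        $age = (Get-Date) - $m.LastReplicationSuccess
        [PSCustomObject]@{
            Partition        = $m.Partition
            Partner          = $m.Partner
            LastSuccess      = $m.LastReplicationSuccess
            ConsecutiveFails = $m.ConsecutiveReplicationFailures
            LastResult       = $m.LastReplicationResult   # 0 means success
            Stale            = ($age.TotalHours -gt $MaxAgeHours) -or
                               ($m.ConsecutiveReplicationFailures -gt 0)
        }
    }
}

Get-DcReplicationHealth | Sort-Object Stale -Descending | Format-Table -AutoSize

# SYSVOL (FRS) status: the newest entries of the log named in the answer.
Get-EventLog -LogName 'File Replication Service' -Newest 5 |
    Select-Object TimeGenerated, EntryType, EventID, Message
```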

56) How do you enable or disable a global catalog (GC)?
Ans: Open Administrative Tools > Active Directory Sites and Services > Sites, then double-click the domain controller you want to work with in the Servers folder for the desired site. Right-click NTDS Settings > Properties and change the setting accordingly.

WARNING: Do not turn on this option unless you are certain it will provide value in your deployment. For this option to be useful, your deployment must have multiple domains, and even then, only one global catalog is (typically) useful in each site.
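An added example (not from the original post) that makes the same change as the GUI steps above by editing the NTDS Settings object directly, with the warning above turned into a check. It assumes the ActiveDirectory module; $DcName is a placeholder for your own domain controller.

```powershell
# Added example, not the post's own text. Requires the ActiveDirectory module.
Import-Module ActiveDirectory
$DcName = 'DC1'   # placeholder: name of the DC whose GC setting you want to change

$dc   = Get-ADDomainController -Identity $DcName
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options

# The GC checkbox in Sites and Services is bit 1 of the 'options' attribute
# on the NTDS Settings object. An unset attribute reads as 0 here.
$isGc = (([int]$ntds.options) -band 1) -eq 1
Write-Output "$DcName is currently a global catalog: $isGc"

# Guard from the warning: an extra GC only helps in a multi-domain forest.
$forest = Get-ADForest
if (-not $isGc -and $forest.Domains.Count -lt 2) {
    Write-Warning "Single-domain forest: an additional GC adds little value. Review before enabling."
}

# Toggle the bit; set $enable to $true or $false explicitly to force a direction.
$enable     = -not $isGc
$newOptions = if ($enable) { ([int]$ntds.options) -bor 1 }
              else         { ([int]$ntds.options) -band (-bnot 1) }
Set-ADObject -Identity $ntds -Replace @{ options = $newOptions }

# Confirm. A newly enabled GC advertises itself only after it has replicated
# in the partial replicas, so IsGlobalCatalog may take a while to flip.
(Get-ADDomainController -Identity $DcName).IsGlobalCatalog
```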

57) How do you install or remove AD/DC?
Ans: To install or remove AD/DC, use the promote and demote commands.

58) How do you repopulate AD DNS entries?
Ans: Manually repopulate the Active Directory DNS entries. You can use the Windows 2000 Netdiag tool to repopulate them. Netdiag is included with the Windows 2000 Support Tools. At a command prompt, type netdiag /fix.

"This domain controller holds the last replica of the following application directory partitions"
Symptoms: When you demote a DC by using Dcpromo, you may receive the following error message: This domain controller holds the last replica of the following application directory partitions:
DC=MSTAPI,DC=yourdomain,DC=com
Resolutions: Try NTDSUTIL, Tapicfg.exe and dcpromo /forceremoval. Refer to case 082604JH.

59) What happens when a DC is demoted?
Ans: When a domain controller is demoted, if it is not the last domain controller in the domain, it performs a final replication and then transfers its roles to another domain controller. If the domain controller is a global catalog, that role is not transferred to another domain controller. In this case, you must manually select the check box in Active Directory Sites and Services Manager for another domain controller to take over the role.

60) What is Active Directory defragmentation?
Ans: Windows 2000 running Directory Services (DS) performs an online defragmentation of the directory every 12 hours by default, as part of the garbage collection process. This defragmentation only moves data around within the database file (ntds.dit) and does not reduce the file size.

61) What is the difference between online and offline defragmentation?
Ans: Online defragmentation makes space available, but does not reduce the size of the database file.
Only offline defragmentation gives you a clear picture of the amount of space consumed by the database file.

62) What is the tombstone period?
Ans: Tombstone objects have quotas. When a security principal deletes objects, Windows creates a tombstone object for a designated period of time (by default 60 days) before purging the tombstone from the system. These tombstone objects count towards the security principal's quota.
Because of the complex replication available in Windows 2000 and Active Directory, simply deleting an object could result in it being recreated at the next replication interval, so deleted objects are "tombstoned" instead. This marks them as deleted and applies to all objects.
Objects marked as tombstoned are actually deleted 60 days after their original tombstone status was set; this time can be changed by modifying the tombstone lifetime.
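An added example (not from the original post) that reads the forest's configured tombstone lifetime from the place where it is stored and lists the objects currently in the tombstone state with the date they will be purged. It assumes the ActiveDirectory module; when the attribute is unset, the effective value is the 60-day default the answer above describes.

```powershell
# Added example, not the post's own text. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# tombstoneLifetime lives on the Directory Service object in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime

# Unset attribute = built-in default of 60 days (the value the answer above gives).
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
Write-Output "Tombstone lifetime: $tsl days"

# Tombstones sit in CN=Deleted Objects and are only returned with -IncludeDeletedObjects.
# whenChanged approximates the deletion time (it is updated when the object is tombstoned).
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties whenChanged |
    Where-Object { $_.Name -ne 'Deleted Objects' } |        # skip the container itself
    Select-Object Name, ObjectClass, whenChanged,
        @{ Name = 'PurgeAfter'; Expression = { $_.whenChanged.AddDays($tsl) } } |
    Sort-Object whenChanged
```

A backup older than the tombstone lifetime must not be restored, because it can reintroduce objects whose tombstones have already been purged.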
63) How can I change the Recovery Console administrator password on a domain controller?
Ans: When you use the Recovery Console (RC), the system uses the account passwords in the local SAM file. But if a system is a domain controller (DC), it doesn't normally use the local SAM file, so changing the Administrator password changes the Active Directory (AD) account and not the local SAM password. To modify the SAM password, perform the following steps:
1. Shut down the DC on which you want to change the password.
2. Restart the computer. When the system displays the selection menu during the restart process, press F8 to view advanced startup options.
3. Select Directory Services Restore Mode.
4. After you successfully log on, change the local Administrator password by typing the following command at a command prompt:
net user administrator *
5. Restart the computer.
If you don't know the password, you can demote the DC to a regular server, change the password, then promote the system to a DC again. You can also copy the SAM in the %SystemRoot%\Repair folder to the %SystemRoot%\System32\Config folder.

What is a GPO?
Ans: Group Policy gives you administrative control over the users and computers in your network.
