Posted by Eswar Koneti on May 1st, 2009
the questions that are posted here needs some corrections,these are posted roughly.
Technical Interview Questions – Active Directory
- What is Active Directory?
Active directory is a centralized database which maintains information about the network objects, its access levels etc.
- What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a lightweight protocol which can be used for finding and accessing the directory objects and its properties.
- Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes, we can. Some of the third party directory services to which we can connect are LDAP, X500, NDS.
- Where is the AD database held? What other folders are related to AD?
Active directory database is held in ntds.dit file in ntds folder inside systemroot folder. The other files related to AD are sysvol (holds the group policies and other scripts) and log files.
- What is the SYSVOL folder?
SYSVOL is a domain wide DFS share which contains the different group policies applied in the domain.
- Name the AD NCs and replication issues for each NC
The main AD NCs are Domain NC, Schema NC, Configuration NC and Application NC.
- What are application partitions? When do I use them
Active directory being a common relational database for a domain can be extended for various applications which inturn can extend the capabilities of AD database.
Application partition allows you to designate a particular area of Active directory for use by an application. Further we can designate which specific domain controller the application partition should replicate to.
- How do you create a new application partition
CREATE NC appliaction_partition domain_controller
- How do you view replication properties for AD partitions and DCs?
We can view replication properties for AD partitions and DCs in replmon tool.
- What is the Global Catalog?
Global Catalog is a logical component of Active directory. It contains full information about objects in the current domain and partial information about objects in other domain within the same forest.
- How do you view all the GCs in the forest?
We can check the GC’s in the forest using Active directory Sites and Services tool, wherein you can get the information about whether a DC has been configured as a GC or not.
You can also see that in DNS- FLZ- all_gc location
- Why not make all DCs in a large forest as GCs?
In a forest with multiple domains the Infrastructure Master FSMO role should be held by a DC which is not a Global Catalog, else cross-references of objects in other domains in the same forest will not be updated.
Another factor to consider is the replication overhead which may occur when we have many GCs in the network. Network traffic will have a serious impact in case if we have remote locations with low bandwidth connections.
- Trying to look at the Schema, how can I do that?
You can have a look at the Schema using ADSIEDIT tool from windows support tools.
- What are the Support Tools? Why do I need them?
Windows support tools help system and network administrators in managing and troubleshooting problems. Many support tools provide diagnostic features that are useful for troubleshooting Windows OS configurations.
- What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
LDP is a windows support tool for performing search against LDAP searches to Active directory.
REPLMON is a tool for managing replication and its properties of AD partitions.
ADSIEDIT is the tool for managing schema partitions in a domain controller.
NETDOM command is used to rename a domain controller.
REPADMIN is the command line utility which serves the same purpose of REPLMON, which is a GUI, based one.
- What are sites? What are they used for?
As domain has no physical boundaries, it can spread over any geographical location. An Active directory site determines how and when the updated data of each domain controller in a domain is replicated to other domain controllers in same site and different sites.
A site also determines as to which domain controller a particular client authenticates to using TCP subnets to which a client belongs to. To add up it is recommended to have at least one Global Catalog configured in one AD site.
- What’s the difference between a site link’s schedule and interval?
A site link’s schedule determines the timeslot in which replication happens to and fro that site (for example between 2100 and 0900 hrs). Interval refers to the idle time between two replications.
- What is the KCC?
In a multi master replication model any DC can be modified at any stage. Knowledge Consistency Check creates and manages connections dynamically between domain controllers and triggers replication. The KCC balances the need of consistency against bandwidth requirement using the timely contact rule. This means that no domain controller is allowed to be more than 3 connections from any other domain controller.
Replication in turn KCC can be forcefully invoked using the repadmin utility.
- What is the ISTG? Who has that role by default?
ISTG stands for Intersite Topology Generator; AD runs ISTG in one DC in a site to consider the cost of intersite connections and to check if any previously available DCs are available or if new DCs has been added. The KCC uses this info to add or remove connection objects as needed for efficient replication. This role is by default held by the first domain controller in the domain.
- What are the requirements for installing AD on a new server?
Windows server OS, 250MB free disk space, NTFS partition, admin privilege, static IP address
- What can you do to promote a server to DC if you’re in a remote location with slow WAN link?
- How can you forcibly remove AD from a server, and what do you do later?
We can forcible remove AD from a server using dcpromo /forceremoval command. After demoting the DC we remove metadata using NTDSUTIL utility.
- Can I get user passwords from the AD database?
No, user passwords cannot be obtained from AD database as it is in encrypted format.
- What tool would I use to try to grab security related packets from the wire?
- Name some OU design considerations.
In most organizations, organizational unit structure is likely to fall into one of the following categories:
Flat organizational unit structure: 1 or 2 levels
Narrow organizational unit structure: 3 to 5 levels
Deep organizational unit structure: more than 5 levels
For organizations with simple administration requirements, it is recommended that administrators use a simple model in which a flat organizational unit structure is used and GPOs are linked at the domain or organizational unit level. Limited use of security groups or WMI filtering to filter GPOs is recommended. If you need additional flexibility, it is suggested that you reconsider your organizational unit structure.
For organizations with moderate administration requirements, it is recommended that administrators use a narrow organizational unit structure and GPOs are linked at the site, domain, or organizational unit level as necessary. Limited use of the Block Policy Inheritance options, the Enforce Policy options, security groups or WMI filtering to filter GPOs is recommended.
For organizations with complex administration requirements, the Active Directory namespace may use flat, narrow, or deep organizational unit structures. In such cases, administrators should consider the following issues:
Flat organizational unit model: use security groups and DACLs or WMI filtering to filter effects of GPOs as a primary method, and Block Policy Inheritance and Enforce Policy options as secondary methods.
Narrow organizational unit model: link to GPOs at site, domain, and organizational unit. As a secondary method, use Block Policy Inheritance and Enforce Policy options, and security groups and DACLs, or WMI filtering for filtering effects of GPOs.
Deep organizational unit model: link to GPOs at site, domain, and organizational unit with security groups filtering and DACLs or WMI filtering. As a secondary method, use Block Policy Inheritance and Enforce Policy options.
- What is tombstone lifetime attribute?
Windows backup tool (ntbackup) can be used to backup and restore AD of Windows 2003. The tombstone lifetime attribute determines lifetime of the backup copy which can be used for the restoration. By default a backup which is 60 days or less can be used for restoration. This value can be changed in the below mentioned location in:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=COMPANY,DC=COM
- What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
We can use ADMT version 2 for upgrading Windows 2000 DC to Windows 2003 DC.
- What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
- How would you find all users that have not logged on since last month?
This can be achieved using a small ADSI script which compares today’s date with users’ ‘LastLogon’ property.
- What are the DS* commands?
dsadd–Adds objects to the directory
dsget–Displays properties of objects in the directory
dsmod–Modifies select attributes of an existing object in the directory
dsquery–Finds objects in the directory that match a specified search criteria
dsmove–Moves an object from its current location to a new parent location
dsrm–Removes an object
- What’s the difference between LDIFDE and CSVDE? Usage considerations?
LDIFDE: Lightweight Data Interchange Format, Data Exchange has separate lines of values between each record. The data is not suitable for spreadsheets. This will help when we want to create users with passwords. We can add/delete/modify accounts using LDIFDE.
CSVDE: We can create accounts from spreadsheets with this. Syntax is much easier.
- What are the FSMO roles? Who has them by default? What happens when each one fails?
The five FSMO roles are Schema Master, Domain naming Master (Forest wide roles) and Infrastructure Master, RID Master, PDC Emulator (Domain wide roles). All these roles are held by the first domain controller configured in the forest/domain.
Schema master role: The failure of schema master role does not have a major impact users and network/system administrators. However if any package which modifies the AD schema has to be installed in the network, it is not possible without this server. A domain controller whose schema master role has been seized must never be brought back online.
Domain naming master: The failure of domain naming master role does not have a serious impact on users and administrators. Its non-availability will be a problem only if we are adding/modifying a domain in the same forest. A domain controller whose domain naming master role has been seized must never be brought back online.
RID Master: Temporary failure of RID master role is not visible to users, but for administrators it is in case they are creating objects in a domain controller where RID pool is running out. A domain controller whose RID master role has been seized must never be brought back online.
PDC Emulator: The failure of PDC emulator does have a serious impact for users. Especially if we have clients which is running client OS below Win 2000 or if we have Win NT DCs. We can temporarily seize the role to another DC and once the original server is back in network, we can transfer the role back to it.
Infrastructure Master: The failure of Infrastructure master role does not have an impact on users and administrators unless there has been a movement/rename of large number of accounts. In case of failure of server having this role we can seize the role to another server which is not a Global Catalog. It is recommended to seize the role to a DC which is not a GC in the same AD site.
- What FSMO placement considerations do you know of?
In a single domain forest we can place all FSMO roles in the first DC.
In a multiple domain forest if,
- In the forest root domain
- If all DCs are GCs, leave all FSMO roles in first DC.
- If all DCs are not GCs, then assign all roles to that DC which is not GC.
- In the child domain, leave PDC emulator, RID and infrastructure master on the first dc in the domain, ensure that this DC is not GC (unless there is only one DC in the child domain)
- I want to look at the RID allocation table for a DC. What do I do?
- What’s the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
FSMO role is transferred to another server in a situation in which the source and target domain controllers are online in the network. Whereas seizing is done when the source DC is offline in the network.
- How do you configure a “stand-by operation master” for any of the roles?
Making a DC as stand-by operations master involves the following actions.
- The stand-by DC should not be a GC except in single domain architecture.
- It should have a manually created replication connection to the DC that is stand-by for in the same site.
- Configure the RID master as a direct replication partner with the standby or backup RID master. This configuration reduces the risk of losing data when you seize the role because it reduces replication latency.
- How do you backup AD?
The system-state backup of a server consists of Active directory data.
- How do you restore AD?
Restoration of AD has two ways Authoritative restore and non-authoritative restore. For both types first you need to restore the system-state backup which is less old than the tombstone life to a location. Then using NTDSUITL tool we can do two types of restore.
- Authoritative restore: In this type of restore Windows backup restores all files, including AD objects with their original Update Sequence Numbers (USN).
- Non-authoritative restore: While performing non-authoritative restore the DC will be restored as per the state it was while backup was taken. It will get updates thru normal replication from other DCs.
- How do you change the DS Restore admin password?
DSRM or Directory Service Restore Mode password is the property of a domain controller. It is used while restoring a DC from backup copy. We can change DSRM password using NTDSUTIL utility.
- Why can’t you restore a DC that was backed up 4 months ago?
By default the tombstone period for a domain is set to 60 days. In a DC if an object has been deleted, it will not get permanently removed till the tombstone lifetime period. Hence if we restore data from a backup older than 60 days then those objects which got deleted will not be active and it will lead to problems.
- What are GPOs?
Group Policy Objects are objects which contain certain settings which can be applied to computer and user objects in a domain. There are two groups of settings in GPO: Computer and User setting. User settings are applicable to the user objects and Computer settings are applicable to domain computers.
- What is the order in which GPOs are applied?
Group policy is applied in LSDOU order (Local-Site-Domain-OU). It is in such a format that if there is one setting set in local machine and the same parameter is set with a different value in OU then the OU setting will take effect.
- Name a few benefits of using GPMC.
GPMC (Group Policy Management Console) has following benefits:
- It has a User Interface that makes group policy management easier.
- We can do backup/restore of GPOs within the console.
- Import/export, copy/paste, linking/de-linking of GPOs’ made easy.
- Delegation and GPO security made simple.
- RSOP can be obtained for any object easily.
- WMI filtering is much easier in GPMC.
- What are the GPC and the GPT? Where can I find them?
GPC and GPT stands for Group policy container and Group policy template respectively. GPT is located in the Netlogon share on DCs.
- What are GPO links? What special things can I do to them?
I feel it is something related to linking GPOs’ to objects like OU, domain etc.
- What can I do to prevent inheritance from above?
After linking a GPO to a container we can check ‘Block Inheritance’ option of that GPO. It will prevent group policy settings from being overridden.
- How can I override blocking of inheritance?
Reverse procedure of above question
- How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
We can query for RSOP (Resultant Set of Policy) in the client machine against the given computer or user object to fetch the policies applied for the user.
- A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
We will check with the help of RSOP whether there is any conflict of policies happening for the user. Secondly we will check whether any local policies are configured.
- Name a few differences in Vista GPOs
I don’t know Vista.
- Name some GPO settings in the computer and user parts.
Computer: WSUS server location, startup/shutdown scripts, account policies, user profile settings etc.
User: account policies, logoff/logon policies, internet connection properties, shared folders, taskbar etc.
- What are administrative templates?
Administrative templates are file templates that are used by Group policies to define where registry-based policies are stored in registry. ADM files also describe the user interface that administrators see in the group policy snap in. Some of the ADM files are:
Conf.adm: Have setting related to Windows Netmeeting
Wmplayer.adm: Have setting related to Windows media player.
- What’s the difference between software publishing and assigning?
Once you publish software in a domain, site, OU, the users can use ‘Add and Remove Programs’ to install the software.
In the case of assigning we can do in two ways: Assigning to users and computers and Assigning to users.
Assigning to users
Assigning software to be available on demand: After you assign a software package to users in a site, domain, or OU, the software is advertised on the desktop. The application becomes available to the user the next time the user logs on (if application’s GPO applies to that user). The application is fully installed by the user from the Start menu, from Add or Remove Programs, from a desktop shortcut, or by opening a document (on demand) that has a file name extension that is associated with the application.
The user can remove the software, and then later choose to reinstall it as they did previously. By using Group Policy, you make sure that assigned applications that are available on-demand are available, regardless of whether users remove them, and that the applications are available again the next time the user logs on or starts the computer.
Assigning software to users: After you assign a software package to users in a site, domain, or OU, you can use the Install this application at logon option to install the whole application the next time the computer starts, or after the user logs off and then logs on again. The application is also immediately available in Add or Remove Programs. The user can remove the software, and then later choose to reinstall it as they did previously.
Assigning software to computers: After you assign a software package to computers in a site, domain, or OU, the software is installed the next time the computer restarts or the user logs on. Only the local or network administrator can remove the software, though a user can repair the software.
- Can I deploy non-MSI software with GPO?
Yes, non-MSI software can be deployed with GPO using .zap files.
- You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
Configure group policy for the same.
- Which are the different types of DNS servers in Win 2003?
Primary DNS, Secondary DNS, Active Directory Integrated DNS, Forwarder, Caching only DNS
57. Different port number
FTP-21, Telnet – 23, HTTP-80, DNS-53, Kerberos-88, LDAP-389, RDP-3389, Global Catalog – 3268
58. What is the difference between authorized and non-authorized DHCP
To avoid problems in the network causing by misconfigured DHCP servers, server in windows 2000 must be validate by AD before starting service to clients. If an authorized DHCP finds any DHCP server in the network it stops serving the clients.
- Difference between inter-site and intra-site replication. Protocols using for replication.
Intra-site replication can be done between the domain controllers in the same site. Inter-site replication can be done between two different sites over WAN links
BHS (Bridge Head Servers) is responsible for initiating replication between the sites. Inter-site replication can be done B/w BHS in one site and BHS in another site.
We can use RPC over IP or SMTP as a replication protocol where as Domain partition is not possible to replicate using SMTP.
- What is the process of user authentication (Kerberos V5) in windows 2000
After giving logon credentials an encryption key will be generated this is used to encrypt the time stamp of the client machine. User name and encrypted timestamp information will be provided to domain controller for authentication. Then Domain controller based on the password information stored in AD for that user it decrypts the encrypted time stamp information. If produces time stamp matches to its time stamp. It will provide logon session key and Ticket granting ticket to client in an encryption format. Again client decrypts and if produced time stamp information is matching then it will use logon session key to logon to the domain. Ticket granting ticket will be used to generate service granting ticket when accessing network resources.
- What are the two services used for replication?
FRS and KCC
- List and explain the AD functional levels (Domain and Forest)
Hope I need not explain
- Describe UGMC
Information is stored locally once this option is enabled and a user attempts to log on for the first time. The domain controller obtains the universal group membership for that user from a global catalog. Once the universal group membership information is obtained, it is cached on the domain controller for that site indefinitely and is periodically refreshed. The next time that user attempts to log on, the authenticating domain controller running Windows Server 2003 will obtain the universal group membership information from its local cache without the need to contact a global catalog. By default, the universal group membership information contained in the cache of each domain controller will be refreshed every 8 hours.