Friday 7 September 2012

Windows server 2003/08 Interview Q & A



Windows Server 2008 now provides a desktop environment similar to Microsoft Windows Vista and includes tools also found in Vista, such as the new backup snap-in and the BitLocker drive encryption feature. Windows Server 2008 also provides the new IIS7 web server and the Windows Deployment Service.
The entry-level version of Windows Server 2008 is the Standard Edition. The Enterprise Edition provides a platform for large enterprisewide networks. The Datacenter Edition provides support for unlimited Hyper-V virtualization and advanced clustering services. The Web Edition is a scaled-down version of Windows Server 2008 intended for use as a dedicated web server. The Standard, Enterprise, and Datacenter Editions can be purchased with or without the Hyper-V virtualization technology.
Any server on which you will install Windows Server 2008 should have at least the minimum hardware requirement for running the network operating system. Server hardware should also be on the Windows Server 2008 Hardware Compatibility List to avoid the possibility of hardware and network operating system incompatibility.
You can select to have activation happen automatically when the Windows Server 2008 installation is complete. Make sure that the Automatically Activate Windows When I’m Online check box is selected on the Product Key page.
You can install Windows Server 2008 on a server not currently configured with a NOS, or you can upgrade existing servers running Windows 2000 Server and Windows Server 2003.

This stripped-down version of Windows Server 2008 is managed from the command line.
The Task Scheduler enables you to schedule the launching of tools such as Windows Backup and Disk Defragmenter.
You can access virtual memory settings and the Device Manager via the System Properties dialog box.
The Server Manager provides both the interface and access to a large number of the utilities and tools that you will use as you manage your Windows server.
Local user accounts and groups are managed in the Local Users and Groups node in the Server Manager. Local user accounts and groups are used to provide local access to a server.

Child domains and the root domain of a tree are assigned transitive trusts. This means that the root domain and child domain trust each other and allow resources in any domain in the tree to be accessed by users in any domain in the tree.
The primary function of domain controllers is to validate users to the network. However, domain controllers also provide the catalog of Active Directory objects to users on the network.
A server running Windows Server 2008 can be configured as a domain controller, a file server, a print server, a web server, or an application server. Windows servers can also have roles and features that provide services such as DNS, DHCP, and Routing and Remote Access.
The Server Manager window enables you to view the roles and features installed on a server and also to quickly access the tools used to manage these various roles and features. The Server Manager can be used to add and remove roles and features as needed.
Windows Deployment Services (WDS) enables you to install client and server operating systems over the network to any computer with a PXE-enabled network interface.
Windows Deployment Services requires that a DHCP server and a DNS server be installed in the domain.
The Windows Deployment Services snap-in enables you to configure the WDS server and add boot and install images to the server.
The Disk Manager provides all the tools for formatting, creating, and managing drive volumes and partitions.
A basic disk embraces the MS-DOS disk structure; a basic disk can be divided into partitions (simple volumes).
Dynamic disks consist of a single partition that can be divided into any number of volumes. Dynamic disks also support Windows Server 2008 RAID implementations.
RAID, or Redundant Array of Independent Disks, is a strategy for building fault tolerance into your file servers. RAID enables you to combine one or more volumes on separate drives so that they are accessed by a single drive letter. Windows Server 2008 enables you to configure RAID 0 (a striped set), RAID 1 (a mirror set), and RAID 5 (disk striping with parity).

Regular backups of network data provide the best method of protecting you from data loss.
The OSI model, consisting of the application, presentation, session, transport, network, data link, and physical layers, helps describe how data is sent and received on the network by protocol stacks.
TCP/IP (v4 and v6) is the default protocol for Windows Server 2008. It is required for Active Directory implementations and provides for connectivity on heterogeneous networks.
You must provide at least the IP address and the subnet mask to configure a TCP/IP client for an IPv4 client, unless that client obtains this information from a DHCP server. For IPv6 clients, the interface ID is generated automatically from the MAC hardware address on the network adapter. IPv6 can also use DHCP as a method to configure IP clients on the network.
The ipconfig command can be used to check a computer’s IP configuration and also renew the client’s IP address if it is provided by a DHCP server. ping can be used to check the connection between the local computer and any computer on the network, using the destination computer’s IP address.
The first domain created in a tree is referred to as the root domain. Child domains created in the tree share the same namespace as the root domain.
Installing the Active Directory on a server running Windows Server 2008 provides you with the option of creating a root domain for a domain tree or of creating child domains in an existing tree. Installing Active Directory on the server makes the server a domain controller.
When the Active Directory is installed on a server (making it a domain controller), a set of Active Directory snap-ins is provided. The Active Directory Users and Computers snap-in is used to manage Active Directory objects such as user accounts, computers, and groups. The Active Directory Domains and Trusts snap-in enables you to manage the trusts that are defined between domains. The Active Directory Sites and Services snap-in provides for the management of domain sites and subnets.
The Active Directory Users and Computers snap-in provides the tools necessary for creating user accounts and managing account properties. Properties for user accounts include settings related to logon hours, the computers to which a user can log on, and the settings related to the user’s password.
A group can contain users, computers, contacts, and other nested groups.
Universal groups are not available in a mixed-mode domain. The functional level must be raised to Windows 2003 or Windows 2008 to make these groups available.
Organizational Units can hold users, groups, computers, contacts, and other OUs. The Organizational Unit provides you with a container directly below the domain level that enables you to refine the logical hierarchy of how your users and other resources are arranged in the Active Directory.
Active Directory sites are physical locations on the network’s physical topology. Each regional domain that you create is assigned to a site. Sites typically represent one or more IP subnets that are connected by IP routers. Because sites are separated from each other by a router, the domain controllers on each site periodically replicate the Active Directory to update the Global Catalog on each site segment.
Client computer accounts can be added through the Active Directory Users and Computers snap-in. You can also create client computer accounts via the client computer by joining it to the domain via the System Properties dialog box. This requires a user account that has administrative privileges, such as members of the Domain Administrator or Enterprise Administrator groups.
The Windows Firewall must allow remote administration for a computer to be managed remotely.
Servers running Windows Server 2008 can be configured to participate in a workgroup. The server can provide some services to the workgroup peers but does not provide the security and management tools provided to domain controllers.
Group Policy provides a method of controlling user and computer configuration settings for Active Directory containers such as sites, domains, and OUs. GPOs are linked to a particular container, and then individual policies and administrative templates are enabled to control the environment for the users or computers within that particular container.
GPOs and their settings, links, and other information such as permissions can be viewed in the Group Policy Management snap-in.
GPOs are inherited down through the Active Directory tree by default. You can block the inheritance of settings from upline GPOs (for a particular container such as an OU or a local computer) by selecting Block Inheritance for that particular object. If you want to enforce a higher-level GPO so that it overrides directly linked GPOs, you can use the Enforce command on the inherited (or upline) GPO.
You can configure a Network Policy Server (a service available in the Network Policy and Access Services role). The Network Policy Server can be configured to compare desktop client settings with health validators to determine the level of network access afforded to the client.

A domain DNS server provides for the local mapping of fully qualified domain names to IP addresses. Because the DNS is a distributed database, the local DNS servers can provide record information to remote DNS servers to help resolve remote requests related to fully qualified domain names on your network.
You would create both a forward lookup zone and a reverse lookup zone on your Windows Server 2008 DNS server.
The DNS snap-in enables you to add or remove zones and to view the records in your DNS zones. You can also use the snap-in to create records such as a DNS resource record.
A caching-only DNS server supplies information related to queries based on the data it contains in its DNS cache. Caching-only servers are often used as DNS forwarders. Because they are not configured with any zones, they do not generate network traffic related to zone transfers.
The IP addresses supplied by the DHCP server are held in a scope. A scope that contains more than one subnet of IP addresses is called a superscope. IP addresses in a scope that you do not want to lease can be included in an exclusion range.
The DHCP server can supply a DHCP client an IP address and subnet mask. It also can optionally include the default gateway address, the DNS server address, and the WINS server address to the client.
You can create a reservation for the device (or create reservations for a number of devices). To create a reservation, you need to know the MAC hardware address of the device. You can use the ipconfig or nbtstat command-line utilities to determine the MAC address for a network device such as a computer or printer.
The DHCP server must be authorized in the Active Directory before it can function in the domain.

ACTIVE DIRECTORY QUESTION AND ANSWERS

• What is Active Directory?
Active Directory is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.

• What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a protocol for communications between LDAP servers and LDAP clients. LDAP servers store "directories" which are accessed by LDAP clients.
LDAP is called lightweight because it is a smaller and simpler protocol derived from the X.500 DAP (Directory Access Protocol) defined in the OSI network protocol stack.
LDAP servers store a hierarchical directory of information. In LDAP parlance, the fully qualified name of a directory entry is called a Distinguished Name (DN). Unlike DNS (Domain Name System) FQDNs (Fully Qualified Domain Names), LDAP DNs store the most significant data to the right.
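As an added example (not from the original post), the following parser splits a Distinguished Name into its RDNs, honouring backslash escapes, and maps the DC= components to the DNS domain name of the Active Directory domain; the sample DN is constructed for illustration.

```python
# Added example (not from the original post): parse an LDAP Distinguished Name
# into its RDNs and map the DC= components to the DNS domain name. The sample
# DN below is constructed for illustration.
SAMPLE_DN = "CN=Jane Doe,OU=Sales,OU=Staff,DC=corp,DC=example,DC=com"


def split_rdns(dn):
    """Split a DN on unescaped commas; a backslash escapes the next char (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_dn(dn):
    """Return (attribute, value) pairs, leftmost (most specific) RDN first."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_to_dns_domain(dn):
    """Join the DC= components, in DN order, into the DNS domain name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def dn_container_path(dn):
    """Path from the domain root down to the object (the root is the rightmost RDN)."""
    return [f"{a}={v}" for a, v in reversed(parse_dn(dn)) if a != "DC"]


if __name__ == "__main__":
    print(parse_dn(SAMPLE_DN))
    print(dn_to_dns_domain(SAMPLE_DN))      # corp.example.com
    print(dn_container_path(SAMPLE_DN))     # ['OU=Staff', 'OU=Sales', 'CN=Jane Doe']
```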

What do you do if an older application doesn’t run on Windows Server 2003?
When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting Properties –> Compatibility –> selecting the previously supported operating system.


If you uninstall Windows Server 2003, which operating systems can you revert to?
Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and Windows 98 to Windows 2003.

Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

How does Active Directory replication work in a domain setup?
Once a domain controller has been established, only the changes are replicated.
The controller the change was made on (after five minutes of stability) notifies its replication partners that a change was made. It sends a change notification to these partners, but only notifies one partner every 30 seconds so that it is not overwhelmed with update requests. Each controller, in turn, when it is updated, sends a change notice to its respective replication partners.
The replication partners each send an update request with a USN to the domain controller that the change was made on. The USN identifies the current state of the domain controller making the change. Each change has a unique USN. This way the domain controller that has the change knows the state of the domain controller requesting the changes and only the changes are required to be sent. The time on each controller, therefore, does not need to be synchronized exactly although timestamps are used to break ties regarding changes.
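The USN mechanism described above, as an added example that is not part of the original post: each domain controller numbers the changes it originates, keeps a high-watermark per partner, and a partner asking "everything after my watermark" receives only the delta, with originating timestamps breaking ties. DC names, objects and stamps are constructed placeholders.

```python
# Added example (not from the original post): a simplified model of USN-based
# replication between domain controllers. Each DC assigns a monotonically
# increasing USN to every change it originates and keeps, per partner, the
# highest USN it has already received (the high-watermark). A partner
# requests "everything after my watermark", so only the delta is sent.
# Originating timestamps break ties when two DCs change the same attribute.
# All names and values below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    usn: int        # USN assigned by the originating DC
    obj: str        # e.g. a user object's DN
    attr: str
    value: str
    stamp: int      # originating timestamp, only used to break ties


class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0                 # local counter, never reused
        self.log = []                # originated changes in USN order
        self.data = {}               # (obj, attr) -> (value, stamp)
        self.high_watermark = {}     # partner name -> last USN pulled from it
        self.partners = []

    def write(self, obj, attr, value, stamp):
        """Originate a change locally; every write consumes a new USN."""
        self.usn += 1
        change = Change(self.usn, obj, attr, value, stamp)
        self.log.append(change)
        self.data[(obj, attr)] = (value, stamp)
        return change

    def changes_since(self, usn):
        """What a partner gets back when it asks with watermark `usn`."""
        return [c for c in self.log if c.usn > usn]

    def pull_from(self, source):
        """Send our watermark for `source`, apply the delta, advance the watermark."""
        delta = source.changes_since(self.high_watermark.get(source.name, 0))
        for c in delta:
            current = self.data.get((c.obj, c.attr))
            # Last writer wins; the timestamp is the tie-breaker, not the clock.
            if current is None or c.stamp >= current[1]:
                self.data[(c.obj, c.attr)] = (c.value, c.stamp)
            self.high_watermark[source.name] = c.usn
        return len(delta)

    def notify_partners(self):
        """Change notification: each partner pulls only what it is missing."""
        return {p.name: p.pull_from(self) for p in self.partners}


def demo():
    """Two changes, then one more: the second notification sends only the delta."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.partners.append(dc2)
    dc1.write("CN=jdoe", "title", "Analyst", stamp=100)
    dc1.write("CN=jdoe", "department", "SOC", stamp=101)
    first = dc1.notify_partners()["DC2"]          # 2 changes sent
    dc1.write("CN=jdoe", "title", "Senior Analyst", stamp=102)
    second = dc1.notify_partners()["DC2"]         # only the 1 new change
    third = dc1.notify_partners()["DC2"]          # nothing new: 0
    return first, second, third, dc2.data[("CN=jdoe", "title")][0]


if __name__ == "__main__":
    print(demo())   # (2, 1, 0, 'Senior Analyst')
```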

When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

How can you authenticate between forests?
Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user’s home forest; (3) Kerberos delegation to N-tier application in another forest; and (4) user principal name (UPN) credentials.

What snap-in administrative tools are available for Active Directory?
Active Directory Domains and Trusts, Active Directory Sites and Services, Active Directory Users and Computers, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema (optional, available from adminpak), DHCP, DNS, Group Policy Management Console (optional).

What types of classes exist in Windows Server 2003 Active Directory?

1. Structural class. The structural class is important to the system administrator in that it is the only type from which new Active Directory objects are created. Structural classes are developed from either the modification of an existing structural type or the use of one or more abstract classes.
2. Abstract class. Abstract classes are so named because they take the form of templates that actually create other templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for the defining objects.
3. Auxiliary class. The auxiliary class is a list of attributes. Rather than apply numerous attributes when creating a structural class, it provides a streamlined alternative by applying a combination of attributes with a single include action.
4. 88 class. The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was adopted. This type does not use the structural, abstract, and auxiliary definitions, nor is it in common use for the development of objects in Windows Server 2003 environments.

How do you delete a lingering object?
Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active Directory.

What is Global Catalog?
A global catalog server is a domain controller. It is a master searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. It has two important functions:
o Provides group membership information during logon and authentication
o Helps users locate resources in Active Directory

How is user account security established in Windows Server 2003?
When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account’s security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.


If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same?
No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.

What do you do with secure sign-ons in an organization with many roaming users?
The Credential Management feature of Windows Server 2003 provides a consistent single sign-on experience for users. This can be useful for roaming users who move between computer systems. The Credential Management feature provides a secure store of user credentials that includes passwords and X.509 certificates.


Where are the documents and settings for the roaming profile stored?
All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.

What’s the difference between local, global and universal groups?
Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

· I am trying to create a new universal user group. Why can’t I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

· What is LSDOU?
It’s group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.

· Why doesn’t LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

· Where are group policies stored?
%SystemRoot%\System32\GroupPolicy

· What is GPT and GPC?
Group policy template and group policy container.

· Where is GPT stored?
%SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

· You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority?
The computer settings take priority.

· You want to set up remote installation procedure, but do not want the user to gain access over it. What do you do?
gponame–> User Configuration–> Windows Settings–> Remote Installation Services–> Choice Options is your friend.
· What’s contained in administrative template conf.adm?
Microsoft NetMeeting policies

· How can you restrict running certain applications on a machine?
Via group policy, security settings for the group, then Software Restriction Policies.

· You need to automatically install an app, but MSI file is not available. What do you do?
A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.

· What’s the difference between Software Installer and Windows Installer?
The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.

· What can be restricted on Windows Server 2003 that wasn’t there in previous products?
Group Policy in Windows Server 2003 determines a user’s right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

· How frequently is the client policy refreshed? 90 minutes give or take.

· Where is secedit? It’s now gpupdate.

· You want to create a new group policy but do not wish to inherit.
Make sure you check Block inheritance among the options when creating the policy.

· What is "tattooing" the Registry?
The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.

· How do you fight tattooing in NT/2000 installations? You can’t.

· How do you fight tattooing in 2003 installations?
User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.

· What does IntelliMirror do?
It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.

· What’s the major difference between FAT and NTFS on a local machine?
FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.

· How do FAT and NTFS differ in approach to user shares? They don’t, both have support for sharing.

· Explain the List Folder Contents permission on a folder in NTFS.
Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.

· I have a file to which the user has access, but he has no folder permission to read it. Can he access it?
It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can’t drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into Run… window.

· For a user in several groups, are Allow permissions restrictive or permissive?
Permissive: if at least one group has an Allow permission for the file/folder, the user will have that permission.

· For a user in several groups, are Deny permissions restrictive or permissive?
Restrictive: if at least one group has a Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.
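The token and ACL matching described in the SID question above and the two Allow/Deny questions here, as an added example that is not part of the original post: the token is the user's SID plus all group SIDs, matching Allow entries accumulate, and any matching Deny entry removes the right. All SIDs are constructed placeholders.

```python
# Added example (not from the original post): how a security token (the user's
# SID plus the SIDs of every group the user belongs to) is matched against an
# object's ACL. Allow entries are cumulative (permissive); a matching Deny entry
# removes the right regardless of other groups (restrictive). All SIDs below
# are constructed placeholders, not real accounts.
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
RIGHT_NAMES = {READ: "READ", WRITE: "WRITE", EXECUTE: "EXECUTE", DELETE: "DELETE"}


def build_token(user_sid, group_sids):
    """The token is the set of SIDs that ACEs are matched against."""
    return frozenset([user_sid, *group_sids])


def effective_rights(token, acl):
    """acl: list of (ace_type, sid, rights_mask); ace_type is 'allow' or 'deny'.

    Every ACE whose SID is in the token contributes: Allow bits accumulate,
    Deny bits are subtracted at the end, so a single Deny from any group wins.
    """
    allowed = denied = 0
    for ace_type, sid, mask in acl:
        if sid not in token:
            continue                       # ACE is for some other principal
        if ace_type == "allow":
            allowed |= mask
        elif ace_type == "deny":
            denied |= mask
        else:
            raise ValueError(f"unknown ACE type {ace_type!r}")
    return allowed & ~denied


def access_check(token, acl, requested):
    """True only if every requested bit survives after Deny entries are applied."""
    return (effective_rights(token, acl) & requested) == requested


def describe(mask):
    """Human-readable list of the rights set in `mask`."""
    return sorted(name for bit, name in RIGHT_NAMES.items() if mask & bit)


# Constructed sample: user RID 1105 is a member of Sales (1201) and Contractors (1202).
USER = "S-1-5-21-1-2-3-1105"
SALES, CONTRACTORS, HR = ("S-1-5-21-1-2-3-%d" % rid for rid in (1201, 1202, 1203))
REPORT_ACL = [
    ("deny", CONTRACTORS, WRITE | DELETE),   # explicit Deny; canonical order puts it first
    ("allow", SALES, READ | EXECUTE | WRITE),
    ("allow", HR, READ | WRITE | DELETE),
    ("allow", USER, DELETE),
]

if __name__ == "__main__":
    token = build_token(USER, [SALES, CONTRACTORS])
    print(describe(effective_rights(token, REPORT_ACL)))   # ['EXECUTE', 'READ']
    print(access_check(token, REPORT_ACL, READ))           # True
    print(access_check(token, REPORT_ACL, WRITE))          # False: Contractors Deny wins
```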

· What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

· What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations?
The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.

· We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box.
Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.

· Where exactly do fault-tolerant DFS shares store information in Active Directory? In Partition Knowledge Table, which is then replicated to other domain controllers.

· Can you use Start->Search with DFS shares? Yes.

· What problems can you have with DFS installed?
Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.

· I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a standalone one.

· Is Kerberos encryption symmetric or asymmetric? Symmetric.

· How does Windows 2003 Server try to prevent a middle-man attack on encrypted line?
Time stamp is attached to the initial client request, encrypted with the shared key.

· What hashing algorithms are used in Windows 2003 Server?
RSA Data Security’s Message Digest 5 (MD5), produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), produces a 160-bit hash.

· What third-party certificate exchange protocols are used by Windows 2003 Server?
Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.

· What’s the number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators group.

· If hashing is one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1?
A cracker would launch a dictionary attack by hashing every imaginable term used for password and then compare the hashes.

· What’s the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.

· How many passwords by default are remembered when you check "Enforce Password History Remembered"? User’s last 6 passwords.

What is Active Directory Schema?

The Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest; it also contains formal definitions of every attribute that can exist in an Active Directory object.

What is NTDS.dit default size?
40 MB

What are the standard ports for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
SMTP – 25, POP3 – 110, IMAP4 – 143, RPC – 135, LDAP – 389, Global Catalog – 3268

What is a default gateway?
The exit-point from one network and entry-way into another network, often the router of the network.
Describe the lease process of DHCP.

The DHCP server leases IP addresses to clients in four steps (DORA):
· D (Discover): the DHCP client sends a broadcast packet to locate a DHCP server; this packet contains the client’s source MAC.
· O (Offer): once the packet is received by the DHCP server, the server replies with a packet containing its source IP and source MAC.
· R (Request): the client now contacts the DHCP server directly and requests the IP address.
· A (Acknowledge): the DHCP server sends an acknowledge packet that contains the IP address.
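The DORA exchange above, together with the scope, exclusion range and MAC reservation concepts from the summary section, as an added example that is not part of the original post: a small in-memory DHCP server model that answers Discover and Request messages. Addresses and MACs are constructed placeholders, and nothing here touches a real network.

```python
# Added example (not from the original post): a minimal DHCP server model that
# walks the Discover / Offer / Request / Acknowledge exchange over a scope with
# an exclusion range and a MAC-based reservation. Addresses and MACs are
# constructed placeholders; nothing here talks to a real network.
import ipaddress

BROADCAST = "255.255.255.255"


class DhcpScope:
    def __init__(self, start, end, subnet_mask, router, dns,
                 exclusions=(), reservations=None):
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        self.options = {"subnet_mask": subnet_mask, "router": router, "dns": dns}
        self.excluded = set()
        for lo, hi in exclusions:               # inclusive exclusion ranges
            lo, hi = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
            self.excluded.update(lo + i for i in range(int(hi) - int(lo) + 1))
        self.reservations = {m.lower(): ipaddress.IPv4Address(ip)
                             for m, ip in (reservations or {}).items()}
        self.leases = {}     # ip -> mac
        self.offers = {}     # mac -> ip offered but not yet acknowledged

    def _pick(self, mac):
        """Reservation first, then the client's existing lease, then the first free address."""
        if mac in self.reservations:
            return self.reservations[mac]
        for ip, owner in self.leases.items():
            if owner == mac:
                return ip                        # renew the existing lease
        taken = set(self.leases) | set(self.reservations.values()) | self.excluded
        ip = self.start
        while ip <= self.end:
            if ip not in taken:
                return ip
            ip += 1
        return None                              # scope exhausted

    def handle(self, msg):
        """Process one client message and return the server's reply (or None)."""
        mac = msg["chaddr"].lower()
        if msg["type"] == "DISCOVER":            # broadcast from 0.0.0.0
            ip = self._pick(mac)
            if ip is None:
                return None                      # no free address: stay silent
            self.offers[mac] = ip
            return {"type": "OFFER", "yiaddr": str(ip), "dst": BROADCAST, **self.options}
        if msg["type"] == "REQUEST":
            wanted = ipaddress.IPv4Address(msg["requested_ip"])
            if self.offers.get(mac) != wanted:   # not what we offered this client
                return {"type": "NAK", "dst": BROADCAST}
            self.leases[wanted] = mac
            del self.offers[mac]
            return {"type": "ACK", "yiaddr": str(wanted), "dst": BROADCAST, **self.options}
        raise ValueError(f"unsupported message {msg['type']!r}")


def dora(scope, mac):
    """Run the four-step exchange for one client; return the ACKed address or None."""
    offer = scope.handle({"type": "DISCOVER", "chaddr": mac, "src": "0.0.0.0", "dst": BROADCAST})
    if offer is None:
        return None
    ack = scope.handle({"type": "REQUEST", "chaddr": mac, "requested_ip": offer["yiaddr"]})
    return ack["yiaddr"] if ack["type"] == "ACK" else None


def demo():
    """Five-address scope, two excluded, one reserved for a printer MAC."""
    scope = DhcpScope("192.168.10.10", "192.168.10.14", "255.255.255.0",
                      "192.168.10.1", "192.168.10.2",
                      exclusions=[("192.168.10.10", "192.168.10.11")],
                      reservations={"00:11:22:33:44:55": "192.168.10.13"})
    return [dora(scope, mac) for mac in
            ("aa:aa:aa:00:00:01", "00:11:22:33:44:55", "aa:aa:aa:00:00:02",
             "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:03")]


if __name__ == "__main__":
    print(demo())   # ['192.168.10.12', '192.168.10.13', '192.168.10.14', '192.168.10.12', None]
```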
What is a NIC?
A network interface card, more commonly referred to as a NIC, is a device that allows computers to be joined together in a LAN, or local area network. Networked computers communicate with each other using a given protocol or agreed-upon language for transmitting data packets between the different machines, known as nodes. The network interface card acts as the liaison for the machine to both send and receive data on the LAN.
The most common language or protocol for LANs is Ethernet, sometimes referred to as IEEE 802.3.
Note: Ethernet is a standard communications protocol embedded in software and hardware devices, intended for building a local area network.

What is a MAC Address?
MAC address ( Media Access Control) is a unique value associated with a Network Interface Card. MAC address is also known as Hardware address or Physical Address. MAC address uniquely identifies a Network adaptor in the LAN.
MAC addresses are 48 bits in length.

When would you use a crosslink cable?
Crossover (cross-link) cables are used to connect a PC directly to another PC. This cable is special because a few wires are switched, which allows each computer’s network card to send and receive data packets from the other.

What is the difference between a Hub and a Switch?
A hub is typically the least expensive, least intelligent, and least complicated device compared to a switch. Its job is very simple: anything that comes in on one port is sent out to all the others. Every computer connected to the hub "sees" everything that every other computer on the hub sees. The hub itself is blissfully ignorant of the data being transmitted.
A switch does essentially what a hub does but more efficiently. By paying attention to the traffic that comes across it, it can "learn" where particular addresses are. For example, if it sees traffic from machine A coming in on port 2, it now knows that machine A is connected to that port and that traffic to machine A needs to only be sent to that port and not any of the others. The net result of using a switch over a hub is that most of the network traffic only goes where it needs to rather than to every port. On busy networks this can make the network significantly faster.

On which OSI layer can a router be found?
A router provides additional intelligence to networks by implementing the data link (layer 2) and network (layer 3) layers of the OSI model. The data link layer describes the logical organization of data bits transmitted on a particular medium; for example, this layer defines the framing, addressing, and cyclic redundancy checks of Ethernet packets. The network layer describes how a series of exchanges over various data links delivers data between any two nodes in a network and defines the addressing and routing structure of the Internet.

What is CSMA/CD?
CSMA/CD (Carrier Sense Multiple Access / Collision Detection) is the protocol used in Ethernet Network to ensure that only one network node is transmitting on the network wire at any one time.

What is multicast?
Multicasting may be used for streaming multimedia, video conferencing, shared white boards and more as the internet grows. Multicasting is still new to the internet and not widely supported by routers. New routing protocols are being developed to enable multicast traffic to be routed. Some of these routing protocols are:
Hierarchical Distance Vector Multicast Routing Protocol (HDVMRP)
Multicast Border Gateway
Protocol Independent Multicast
An IP multicast address is in the range 224.0.0.0 through 239.255.255.255.

What is Broadcast?

Broadcast - A transmission to all interface cards on the network.
RFC 919 and RFC 922 describe IP broadcast datagrams as follows:

Limited Broadcast - Sent to all NICs on the same network segment as the source NIC. It is represented with the 255.255.255.255 TCP/IP address. This broadcast is not forwarded by routers, so it will only appear on one network segment.
Direct broadcast - Sent to all hosts on a network. Routers may be configured to forward directed broadcasts on large networks. For network 192.168.0.0, the broadcast is 192.168.255.255.

Examples of broadcast traffic include:
ARP on IP
DHCP on IP
Routing table updates. Broadcasts sent by routers with routing table updates to other routers.

The Ethernet broadcast address in hexadecimal is FF:FF:FF:FF:FF:FF.
There are several types of IP broadcast:
The IP limited broadcast address is 255.255.255.255. This broadcast is not forwarded by a router.
A broadcast directed to a network has the form x.255.255.255, where x is the address of a Class A network. This broadcast may be forwarded depending on the router's configuration.
A broadcast sent to all subnetworks. If the broadcast is 10.1.255.255 on network 10.1.0.0 and the network is subnetted into multiple networks 10.1.x.0, then this is a broadcast to all subnetworks.
A broadcast sent to a subnet, in the form 10.1.1.255, is a subnet broadcast if the subnet mask is 255.255.255.0.
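The multicast range and the broadcast rules above, as an added Python example that is not from the original page. It uses the standard ipaddress module; the sample subnet 10.1.1.0/24 inside the classful network 10.1.0.0/16 is constructed, and the router_forwards helper is an assumption of this example that encodes the forwarding rules as the text states them (limited broadcasts are never forwarded, directed broadcasts only when the router is configured for it, multicast only where multicast routing is supported).

```python
# Added example, not from the original page: classify IPv4 destination addresses
# using the broadcast and multicast rules described above.  The subnet
# 10.1.1.0/24 inside the classful network 10.1.0.0/16 is a constructed sample.
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
MULTICAST = ipaddress.IPv4Network("224.0.0.0/4")   # 224.0.0.0 through 239.255.255.255
ETHERNET_BROADCAST = "ff:ff:ff:ff:ff:ff"           # layer-2 counterpart of an IP broadcast


def directed_broadcast(network: str) -> str:
    """Directed broadcast address of a network in CIDR form (all host bits set)."""
    return str(ipaddress.IPv4Network(network, strict=False).broadcast_address)


def classify(addr: str, subnet: str, classful_net: str) -> str:
    """Classify a destination address as seen by a host on `subnet`, where
    `classful_net` is the larger network the subnet was carved out of."""
    ip = ipaddress.IPv4Address(addr)
    sub = ipaddress.IPv4Network(subnet, strict=False)
    net = ipaddress.IPv4Network(classful_net, strict=False)
    if ip == LIMITED_BROADCAST:
        return "limited broadcast"        # stays on one segment
    if ip in MULTICAST:
        return "multicast"
    if ip == sub.broadcast_address:
        return "subnet broadcast"         # e.g. 10.1.1.255 with mask 255.255.255.0
    if ip == net.broadcast_address:
        return "all-subnets broadcast"    # e.g. 10.1.255.255 on network 10.1.0.0
    return "unicast"


def router_forwards(kind: str, directed_enabled: bool = False,
                    multicast_routing: bool = False) -> bool:
    """Whether a router passes a packet of this kind to another segment
    (assumption of this example, following the rules stated in the text)."""
    if kind == "limited broadcast":
        return False                      # never forwarded
    if kind in ("subnet broadcast", "all-subnets broadcast"):
        return directed_enabled           # only if configured to forward directed broadcasts
    if kind == "multicast":
        return multicast_routing          # needs a multicast-capable router
    return True                           # unicast


if __name__ == "__main__":
    for a in ("255.255.255.255", "224.0.0.9", "10.1.1.255", "10.1.255.255", "10.1.1.7"):
        kind = classify(a, "10.1.1.0/24", "10.1.0.0/16")
        print(f"{a:16} {kind:22} forwarded by default router: {router_forwards(kind)}")
```

The same classify call works for any subnet/classful pair; what changes with the router configuration is only the forwarding decision, which is why forwarding of directed broadcasts is normally left disabled.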

What is the difference between TCP and UDP?
Describe some of the settings that are added by TCP and by UDP to the packet's header.
What are TCP Ports? Name a few.
What is a TCP Session?
What three elements make up a socket?
What will happen if you leave the default gateway information empty while manually configuring TCP/IP?
What will happen if you execute the following command: "arp -d *"?
What is ICMP?
When would you use the ping command with the "-t" switch?
Windows Active directory Interview Questions – User Submitted Part 10
By admin | Published: June 26, 2012
What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets.
Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic.
Sites can be linked to other Sites. Site-linked objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule.
I want to look at the Schema. How can I do that?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open MMC -> Add Snap-in -> Active Directory Schema
Save it as schema.msc
Open Administrative Tools -> schema.msc
What is the port number of Kerberos?
88
What is the port number of the Global Catalog?
3268
What is the port number of LDAP?
389
Explain the Active Directory Schema.
Windows 2000 and Windows Server 2003 Active Directory use a database set of rules called the "Schema". The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on.
These objects are also known as "Classes". The Active Directory Schema is dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.
How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
Dcpromo /forceremoval: an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server. After you use the dcpromo /forceremoval command, the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, so you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, and Active Directory Users and Computers.
What are the FSMO roles? Who has them by default? What happens when each one fails? 
FSMO stands for Flexible Single Master Operation. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
What is a domain tree?
Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees.
Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.
What is a forest?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if you have multiple root DNS addresses.
How do you select the appropriate restore method?
You select the appropriate restore method by considering:
The circumstances and characteristics of the failure. From an Active Directory perspective, the two major categories of failure are Active Directory data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
What is the Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.
How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
Describe the process of working with an external domain name.
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for their external namespace uses the name corp.internal for their internal namespace.
The advantage to this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users because the namespaces do not reflect a relationship between resources within and outside of your network.
In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.

Windows Active directory Interview Questions – User Submitted Part 8
By admin | Published: June 26, 2012
Got a list of some Active Directory Interview Questions submitted by user Noel.
What is the default size of ntds.dit?
10 MB in Server 2000 and 12 MB in Server 2003.
Where is the AD database held, and what other files are related to AD?
The AD database is saved in %systemroot%\NTDS. You can see other files in this folder too. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a “shutdown” statement is written to the edb.chk file.
Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in %systemroot%\NTDS, along with the other files we've discussed.
What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process.
However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement.
In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
If you’re installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM.
Insert the second CD and the r2auto.exe will display the Windows 2003 R2 Continue Setup screen. If you’re installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine).
To update the schema, run the Adprep utility, which you’ll find in the Components\r2\adprep folder on the second CD-ROM.
Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).
Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
[User Action] If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries... 139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.
2. At the “Welcome to the Windows Server 2003 R2 Setup Wizard” screen, click Next.
3. You’ll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn’t installed from R2 media (e.g., a regular Windows 2003 SP1 installation).
Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can’t use a retail or Microsoft Developer Network (MSDN) R2 key.
4. You’ll see the setup summary screen which confirms the actions to be performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box. Click Finish.
What is an OU?
An Organizational Unit is a container object in which you can keep objects such as user accounts, groups, computers, printers, applications and other OUs.
In an organizational unit you can assign specific permissions to users. Organizational units can also be used to set departmental boundaries.
Name some OU design considerations.
OU design requires balancing requirements for delegating administrative rights – independent of Group Policy needs – and the need to scope the application of Group Policy.
The following OU design recommendations address delegation and scope issues:
Applying Group Policy: an OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
Delegating administrative authority.
Usually don't go more than 3 OU levels deep.

How do you view replication properties for AD partitions and DCs?
By using Replication Monitor:
Go to Start > Run and type repadmin
Go to Start > Run and type replmon
Why can’t you restore a DC that was backed up 4 months ago?
Because of the tombstone life which is set to only 60 days.
What are the different modes of AD restore?
A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller.
An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made since the last backup operation, you must perform an authoritative restore. Before performing an authoritative restore, stop inbound replication to the domain controller first.
How do you configure a stand-by operation master for any of the roles? 
# Open Active Directory Sites and Services.
# Expand the site name in which the standby operations master is located to display the Servers folder.
# Expand the Servers folder to see a list of the servers in that site.
# Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
# Right-click NTDS Settings, click New, and then click Connection.
# In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
# In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
What's the difference between transferring a FSMO role and seizing it?
Seizing an FSMO role can be a destructive process and should only be attempted if the existing server holding the role is no longer available.
If you perform a seizure of the FSMO roles from a DC, you need to ensure two things:
that the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role seize and then bring the previous holder back online, you'll have a problem.
An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC. During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder.
I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of your DC)
What is a bridgehead server in AD?
A bridgehead server is a domain controller in each site which is used as a contact point to receive and replicate data between sites. For intersite replication, the KCC designates one of the domain controllers as the bridgehead server. If that server is down, the KCC designates another domain controller. When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its site.
I am upgrading from NT to 2003. The only things that are NT are the PDC and BDCs; everything else is 2000 or 2003 member servers. My question is, when I upgrade my NT domain controllers to 2003, will I need to do anything else to my Windows 2000/2003 member servers that were in the NT domain?
Your existing member servers, regardless of operating system, will simply become member servers in your upgraded AD domain. If you will be using Organizational Units and Group Policy (and I hope you are), you’ll probably want to move them to a specific OU for administration and policy application, since they’ll be in the default “Computers” container immediately following the upgrade.
How do I use Registry keys to remove a user from a group?
In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from www.joeware.net. ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.
Why are my NT4 clients failing to connect to the Windows 2000 domain?
Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server.
How do you add your first Windows 2003 DC to an existing Windows 2000 domain?
The first step is to install Windows 2003 on your new DC. This is a straightforward process, so we aren't going to discuss that here.
Because significant changes have been made to the Active Directory schema in Windows 2003, we need to make our Windows 2000 Active Directory compatible with the new version. If you already have Windows 2003 DCs running with Windows 2000 DCs, then you can skip down to the part about DNS.
Before you attempt this step, you should make sure that you have service pack 4 installed on your Windows 2000 DC. Next, make sure that you are logged in as a user that is a member of the Schema Admin and Enterprise Admin groups.
Next, insert the Windows 2003 Server installation CD into the Windows 2000 Server.
Bring up a command line and change directories to the I386 directory on the installation CD. At the command prompt, type:
adprep /forestprep
After running this command, make sure that the updates have been replicated to all existing Windows 2000 DCs in the forest. Next, run the following command:
adprep /domainprep
The above command must be run on the Infrastructure Master of the domain by someone who is a member of the Domain Admins group.
Once this is complete, we move back to the Windows 2003 Server. Click Start, then Run, type in dcpromo and click OK. During the ensuing wizard, make sure that you select that you are adding this DC to an existing domain.
After this process is complete, the server will reboot. When it comes back online, check and make sure that the AD database has been replicated to your new server.
Next, you will want to check and make sure that DNS was installed on your new server.
If not, go to the control panel,
click on "Add or Remove Programs", and click the "Add/Remove Windows Components" button.
In the Windows Components screen, click on "Networking Services" and click the Details button.
In the new window check "Domain Name System (DNS)" and then click the OK button. Click "Next" in the Windows Components screen.
This will install DNS and the server will reboot. After reboot, pull up the DNS Management window and make sure that your DNS settings have replicated from the Windows 2000 Server. You will need to re-enter any forwarders or other properties you had set up, but the DNS records should replicate on their own.
The next two items, global catalog and FSMO roles, are important if you plan on decommissioning your Windows 2000 server(s). If this is the case, you need to transfer the global catalog from the old server to the new one.
First, let's create a global catalog on our new server. Here are the steps:
1. On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in.
To start the snap-in, click "Start", point to "Programs", point to "Administrative Tools", and then click "Active Directory Sites and Services".
2. In the console tree, double-click "Sites", and then double-click the site name.
3. Double-click "Servers", click your domain controller, right-click "NTDS Settings", and then click "Properties".
4. On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server.
5. Restart the domain controller.
Make sure you allow sufficient time for the account and the schema information to replicate to the new global catalog server before you remove the global catalog from the original DC or take the DC offline.
After this is complete, you will want to transfer or seize the FSMO roles for your new server.
For instructions, read Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.
After this step is complete, we can now run DCPROMO on the Windows 2000 Servers in order to demote them.
Once this is complete, copy over any files you need to your new server and you should have successfully replaced your Windows 2000 server(s) with a new Windows 2003 server.
How do you change the DS Restore Mode admin password?
In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Services Restore Mode, then use either the Microsoft Management Console (MMC) Local Users and Groups snap-in or the command net user administrator * to change the Administrator password.
Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Service Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility's scripting options.)
In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password.
To do so, follow these steps:
1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
2. Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument "set dsrm password" at the ntdsutil prompt: ntdsutil: set dsrm password.
3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine.
For example, to reset the password on server testing, enter the following argument at the Reset DSRM Administrator Password prompt: Reset DSRM Administrator Password: reset password on server testing
To reset the password on the local machine, specify null as the server name:
Reset DSRM Administrator Password: reset password on server null
4. You'll be prompted twice to enter the new password. You'll see the following messages:
Please type password for DS Restore Mode Administrator Account:
Please confirm new password:
Password has been set successfully.
5. Exit the password-reset utility by typing "quit" at the following prompts:
Reset DSRM Administrator Password: quit
ntdsutil: quit
Explain trusts in AD.
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created.
The forest sets the default boundaries of trust, not the domain, and implicit, transitive trust is automatic for all domains within a forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins two domains in different trees, transitive, one- or two-way), forest (transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or external (nontransitive, one- or two-way) in order to connect to other forests or non-AD domains.
Trusts in Windows 2000 (native mode)
One-way trust – One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust – Two domains allow access to users on both domains.
Trusting domain – The domain that allows access to users from a trusted domain.
Trusted domain – The domain that is trusted; whose users have access to the trusting domain.
Transitive trust – A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust – A one-way trust that does not extend beyond two domains.
Explicit trust – A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust – An explicit trust between domains in different trees or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Windows 2000 Server – supports the following types of trusts:
Two-way transitive trusts.
One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
Shortcut
Windows Server 2003 offers a new trust type – the forest root trust. This type of trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are transitive for all the domains in the two forests joined by the trust; they are not, however, transitive to a third forest.
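An added Python example, not from the original page, that applies the direction and transitivity rules listed above to a constructed set of trusts. The Trust class, the two_way and trusted_domains helpers and all domain names are assumptions of this example. The rules it encodes are the ones stated in the text: a direct trust always grants the trusted domain's users access to the trusting domain, a path of two or more trusts grants access only when every trust on it is transitive, and a path may cross at most one forest trust.

```python
# Added example, not from the original page: which domains' users can reach a
# resource domain through a set of trusts.  Domain names and trusts are constructed.
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain that grants access to the trusted domain's users
    trusted: str       # domain whose users may authenticate to the trusting domain
    kind: str          # "parent-child", "tree-root", "shortcut", "forest", "external", "realm"
    transitive: bool


def two_way(a: str, b: str, kind: str, transitive: bool) -> List[Trust]:
    """A two-way trust is a pair of one-way trusts."""
    return [Trust(a, b, kind, transitive), Trust(b, a, kind, transitive)]


def trusted_domains(resource_domain: str, trusts: Iterable[Trust]) -> Set[str]:
    """Domains whose users can access resources in resource_domain.

    Walk from the resource domain along trusts in the trusting -> trusted
    direction.  A direct trust always counts.  A path of two or more trusts
    only counts when every trust on it is transitive, and a path may cross at
    most one forest trust (forest trusts are not transitive to a third forest).
    """
    by_trusting: Dict[str, List[Trust]] = {}
    for t in trusts:
        by_trusting.setdefault(t.trusting, []).append(t)
    reachable: Set[str] = set()
    # state: (domain, is_start, every trust so far transitive, forest trusts used)
    start = (resource_domain, True, True, 0)
    seen = {start}
    queue = deque([start])
    while queue:
        dom, is_start, path_transitive, forest_hops = queue.popleft()
        for t in by_trusting.get(dom, []):
            if not is_start and not (path_transitive and t.transitive):
                continue   # an intransitive link stops the path at two domains
            if t.kind == "forest" and forest_hops >= 1:
                continue   # a second forest trust on the path: not implicitly trusted
            state = (t.trusted, False, path_transitive and t.transitive,
                     forest_hops + (1 if t.kind == "forest" else 0))
            if state in seen:
                continue
            seen.add(state)
            reachable.add(t.trusted)
            queue.append(state)
    reachable.discard(resource_domain)
    return reachable


def can_access(user_domain: str, resource_domain: str, trusts: List[Trust]) -> bool:
    return user_domain in trusted_domains(resource_domain, trusts)


# Constructed topology: two forests joined by a forest trust, a third forest
# trusted only by the second, and a one-way external trust to a legacy domain.
TRUSTS: List[Trust] = (
    two_way("corp.example", "sales.corp.example", "parent-child", True)
    + two_way("partner.example", "eu.partner.example", "parent-child", True)
    + two_way("corp.example", "partner.example", "forest", True)
    + two_way("partner.example", "other.example", "forest", True)
    + [Trust("corp.example", "legacy.local", "external", False)]  # corp trusts legacy only
)

if __name__ == "__main__":
    for dom in ("sales.corp.example", "corp.example", "legacy.local"):
        print(f"{dom}: trusted -> {sorted(trusted_domains(dom, TRUSTS))}")
```

Reading the output for sales.corp.example shows both rules at work: users from the partner forest get in through the transitive parent-child and forest trusts, while legacy.local users do not, because the external trust is intransitive and stops at corp.example.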
Difference between LDIFDE and CSVDE?
CSVDE is a command that can be used to import and export objects to and from AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go into this powerful command at length, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info.
LDIFDE is a command that can be used to import and export objects to and from AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is easily readable in any text editor; however, it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.
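An added Python example, not from the original page or from the CSVDE and LDIFDE tools themselves: it reads a constructed CSVDE-style export and writes LDIF for it, including the changetype: modify and changetype: delete records that only LDIFDE can apply, and base64-encodes values that LDIF cannot carry as plain text (RFC 2849), the detail most often missed when converting between the two formats. The CSV content, DNs and helper names are all assumptions of this example.

```python
# Added example, not from the original page: CSVDE-style CSV in, LDIF out.
# The CSV content and DNs are constructed; nothing here touches a directory.
import base64
import csv
import io
from typing import Dict, List

# Constructed sample of what a CSVDE export of two users looks like:
# first row lists the attributes, the DN column comes first.
SAMPLE_CSV = """DN,objectClass,sAMAccountName,givenName,sn,userPrincipalName
"CN=Alice Example,OU=Staff,DC=corp,DC=example",user,alice,Alice,Example,alice@corp.example
"CN=Ævar Example,OU=Staff,DC=corp,DC=example",user,aevar,Ævar,Example,aevar@corp.example
"""


def parse_csvde(text: str) -> List[Dict[str, str]]:
    """Read a CSVDE-style file into one dict per object (quoted DNs keep their commas)."""
    return list(csv.DictReader(io.StringIO(text)))


def needs_base64(value: str) -> bool:
    """RFC 2849: a value that is not a 'safe' ASCII string must be written as attr:: <base64>."""
    if value == "":
        return False
    if value[0] in " :<" or value.endswith(" "):
        return True
    return any(ord(c) > 127 or c in "\r\n\x00" for c in value)


def ldif_attr(attr: str, value: str) -> str:
    """One LDIF attribute line, base64-encoded when the value is not safe."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def ldif_add(record: Dict[str, str]) -> str:
    """The add record CSVDE and LDIFDE can both express."""
    lines = [ldif_attr("dn", record["DN"]), "changetype: add"]
    for attr, value in record.items():
        if attr != "DN" and value != "":
            lines.append(ldif_attr(attr, value))
    return "\n".join(lines) + "\n"


def ldif_modify_replace(dn: str, attr: str, value: str) -> str:
    """A modify record: only LDIFDE can apply these to existing objects."""
    lines = [ldif_attr("dn", dn), "changetype: modify",
             f"replace: {attr}", ldif_attr(attr, value), "-"]
    return "\n".join(lines) + "\n"


def ldif_delete(dn: str) -> str:
    """A delete record: again LDIFDE only."""
    return "\n".join([ldif_attr("dn", dn), "changetype: delete"]) + "\n"


def csv_to_ldif(text: str) -> str:
    """Convert a whole CSVDE file into LDIF add records separated by blank lines."""
    return "\n".join(ldif_add(r) for r in parse_csvde(text))


if __name__ == "__main__":
    print(csv_to_ldif(SAMPLE_CSV))
    print(ldif_modify_replace("CN=Alice Example,OU=Staff,DC=corp,DC=example", "sn", "Sample"))
    print(ldif_delete("CN=Alice Example,OU=Staff,DC=corp,DC=example"))
```

The second sample user has a non-ASCII given name and DN, so those two lines come out as "dn::" and "givenName::" with base64 values, which is what an LDIF consumer expects; the output is plain text you can review before handing it to ldifde -i.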
What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. This value is set on the Directory Service object in the configuration naming context (NC).
What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Using an application directory partition provides redundancy, availability or fault tolerance by replicating data to specific domain controllers or any set of domain controllers anywhere in the forest.
How do you create a new application partition?
Use the DnsCmd command to create an application directory partition.
To do this, use the following syntax:
DnsCmd <ServerName> /CreateDirectoryPartition <FQDN of partition>
How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
where domain_controller is the DC you want to query to determine whether it's a GC. The output will include the text DSA Options: IS_GC if the DC is a GC.
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options. 
Yes, you can use DirXML or LDAP to connect to other directories.
For Novell you can use eDirectory.
What is IPSec Policy?
IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec Policy can be deployed via Group Policy to the Windows domain controllers and servers.
What are the different types of Terminal Services?
User Mode & Application Mode.
What is RSoP?
RSoP (Resultant Set of Policy) is the resultant set of Group Policy applied to an object.
What is the system startup process?
The Windows 2000 boot process on an Intel architecture:
1. Power-On Self Tests (POST) are run.
2. The boot device is found, the Master Boot Record (MBR) is loaded into memory, and its program is run.
3. The active partition is located, and the boot sector is loaded.
4. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
1. The Windows 2000 loader switches the processor to the 32-bit flat memory model.
2. The Windows 2000 loader starts a mini-file system.
3. The Windows 2000 loader reads the BOOT.INI file and displays the operating system selections (boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
5. NTDETECT.COM scans the hardware installed in the computer and reports the list to NTLDR for inclusion in the Registry under the HKEY_LOCAL_MACHINE\HARDWARE hive.
6. NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware information collected by NTDETECT.COM. Windows NT enters the Windows load phases.
What group types are available in Active Directory?
Security groups: Use security groups for granting permissions to gain access to resources. Sending an e-mail message to a security group sends the message to all members of the group, so security groups share the capabilities of distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.
Explain group scopes in AD.
Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist at all mixed, native and interim functional levels of domains and forests. Domain local group membership is not limited: you can add user accounts, universal groups and global groups from any domain as members. Remember that nesting cannot be done with a domain local group: a domain local group will not be a member of another domain local group or any other group in the same domain.
Global Group: Users with similar functions can be grouped under the global scope and given permission to access a resource (like a printer or a shared folder and files) available in the local domain or another domain in the same forest. In simple words, global groups can be used to grant permissions to resources located in any domain within a single forest, but their membership is limited: user accounts and global groups can be added only from the domain in which the global group was created. Nesting is possible for global groups, as you can add a global group into another global group from any domain. Finally, to grant permission to domain-specific resources (like printers and published folders), they can be members of a domain local group. Global groups exist at all mixed, native and interim functional levels of domains and forests.
Universal Group: These groups are typically used for e-mail distribution and can be granted access to resources in all trusted domains, as they can only be used as a security principal (security group type) at the Windows 2000 native or Windows Server 2003 domain functional level. Universal group membership is not limited like that of global groups: all domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or domain local group in any domain.
What is REPLMON ?
The Microsoft definition of the Replmon tool is as follows; This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.
What is ADSIEDIT ? 
ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a GUI tool. Administrators can use it for common administrative tasks such as adding, deleting and moving objects within a directory service, and the attributes of each object can be viewed, edited or deleted with it. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The required files are adsiedit.dll and adsiedit.msc, installed with the Windows Support Tools. Because it bypasses the safety checks of the normal consoles, a mistaken edit can damage the directory; take a System State backup before changing anything with it.
What is NETDOM ?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
How to take backup of AD ?
Go to Start -> Programs -> Accessories -> System Tools -> Backup, or type ntbackup in the Run box. When the Backup utility opens, select System State as the item to back up. On a domain controller the System State includes Active Directory (ntds.dit and its log files), SYSVOL, the registry, and the DNS zone data when DNS is AD-integrated, so it is everything needed to restore the DC. The backup must be younger than the tombstone lifetime to be usable for a restore.
What are the DS* commands ?
The following DS commands are the built-in DS family of command-line utilities (Windows Server 2003 and later):
DSmod – modify Active Directory attributes.
DSrm – to delete Active Directory objects.
DSmove – to relocate objects
DSadd – create new objects (users, groups, computers, OUs, contacts)
DSquery – to find objects that match your query attributes.
DSget – list the properties of an object
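The DS tools become useful when chained: dsquery finds objects and dsget or dsmod consumes the distinguished names it prints. The following is an added example, not code from the original page, showing the queries a reviewer of a domain runs first. It assumes a Windows Server 2003 DC or a machine with the admin tools installed; the group name, week count and day count are assumptions to adjust.

```powershell
# Added example (not from the original page). Chain the DS tools to answer the
# first questions an auditor asks about a Windows Server 2003 domain.

# 1. Who is effectively in Domain Admins, including members of nested groups?
#    -expand recurses through nested groups; -c keeps going when a member is not
#    a user object (a computer or group DN would otherwise abort "dsget user").
dsquery group -samid "Domain Admins" |
    dsget group -members -expand |
    dsget user -c -samid -disabled -pwdneverexpires -dn

# 2. Users that have not logged on for 4 weeks (assumed window). lastLogonTimestamp
#    is only replicated at Windows Server 2003 domain functional level.
dsquery user -inactive 4 -limit 0

# 3. Users whose password has not changed in 90 days (assumed window).
dsquery user -stalepwd 90 -limit 0

# 4. The same pipeline applies bulk changes. Review the output of step 2 before
#    running this, because it disables every account that query returns.
dsquery user -inactive 4 -limit 0 | dsmod user -disabled yes -c
```

The -limit 0 switch matters: without it dsquery silently stops after 100 results, which hides exactly the stale accounts you are looking for.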
What are the requirements for installing AD on a new server? 
An NTFS partition with enough free space.
An Administrator’s username and password.
The correct operating system version.
A NIC with properly configured TCP/IP (IP address, subnet mask and, optionally, a default gateway).
A network connection (to a hub or to another computer via a crossover cable) .
An operational DNS server (which can be installed on the DC itself) .
A Domain name that you want to use .
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder) .
What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference in 2000 Group Polices and 2003 Group Polices? What is meant by ADS and ADS services in Windows 2003?
Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain
Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy – you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference.
ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.
I want to setup a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone ‘name.org’ can I name the AD domain ‘name.org’ too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it’s actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself install DNS on your server in the background.
How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.
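The net localgroup approach only tells you who is in the group; the security question is whether anyone is in it who should not be. The following added example (not from the original page) does that check across several hosts with the WinNT ADSI provider, which works against Windows Server 2003/2008 from PowerShell 2.0 without any module. The host names and the approved list are assumptions; the account running it needs administrative rights on the targets.

```powershell
# Added example (not from the original page): enumerate the local Administrators
# group on several hosts and flag members that are not on an approved baseline.

$computers = @('SRV01', 'SRV02')                      # hypothetical hosts
$approved  = @('BUILTIN\Administrator',
               'CORP\Domain Admins',
               'CORP\Server Admins')                   # hypothetical baseline

function Get-LocalAdminMember {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # Members come back as raw COM objects; read ADsPath via reflection.
        # ADsPath looks like WinNT://CORP/Domain Admins (domain principal) or
        # WinNT://CORP/SRV01/Administrator (account local to the host).
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -lt 2) { $path; continue }
        $container = $parts[$parts.Count - 2]
        $name      = $parts[$parts.Count - 1]
        if ($container -ieq $ComputerName) { $container = 'BUILTIN' }
        "$container\$name"
    }
}

foreach ($c in $computers) {
    try   { $members = @(Get-LocalAdminMember -ComputerName $c) }
    catch { Write-Warning ('{0}: {1}' -f $c, $_.Exception.Message); continue }
    foreach ($member in $members) {
        $state = if ($approved -contains $member) { 'ok' } else { 'UNEXPECTED' }
        '{0,-10} {1,-10} {2}' -f $c, $state, $member
    }
}
```

Names are a weak key: a renamed built-in Administrator or a look-alike account ("Domain Admins " with a trailing space) slips through a name comparison, so for the well-known members compare the objectSid instead of the name. Restricted Groups, as the answer says, is the preventive control; this script is the detective one to run against it.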
Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients’ wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie.
What is the ISTG? Who has that role by default?
Windows 2000 Domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).
What is difference between Server 2003 vs 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several ‘virtual’ servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server)
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection – Microsoft’s system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell – Microsoft’s command line shell and scripting language has proved popular with some server administrators.
9. IIS 7 .
10. Bitlocker – System drive encryption can be a sensible security measure for servers located in remote branch offices.
The main difference between 2003 and 2008 is virtualization and management. 2008 has more in-built components and updated third-party drivers.
11. Windows Aero.
What do you have to decide before installing AD on a new server (the choices the Active Directory Installation Wizard asks for)?
1 The domain structure (new forest, new tree in an existing forest, or child domain).
2 The domain name (DNS name and NetBIOS name).
3 Storage location of the database and log files.
4 Location of the shared system volume (SYSVOL) folder.
5 DNS configuration method (let the wizard install DNS, or point to an existing DNS server).
6 The Directory Services Restore Mode administrator password.
What is LDP? 
LDP (ldp.exe) is a GUI LDAP client shipped with the Windows Support Tools. It lets an administrator connect and bind to a domain controller (or any LDAP server), browse the directory tree, run searches with raw LDAP filters, view every attribute of an object including replication metadata, and add, modify or delete objects. It is the tool to use when ADSIEdit or the Users and Computers console does not show enough detail.
Why doesn’t LSDOU work under Windows NT ?
Windows NT does not process Group Policy at all, so the LSDOU inheritance order does not apply; NT clients use System Policy instead. If an NTConfig.pol file exists in the NETLOGON share, the NT client applies it, and it takes precedence over any other policy the NT client knows about.
What’s the number of permitted unsuccessful logons on the Administrator account? Unlimited: the account lockout policy never locks out the built-in Administrator account (RID 500), unless passprop /adminlockout from the Resource Kit has been used to allow network lockout. Remember, though, that this applies to the Administrator account itself, not to every account that is a member of the Administrators group.
What’s the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.
How many passwords by default are remembered when you check “Enforce Password History Remembered”?
24 passwords in a Windows Server 2003 domain (the value in the Default Domain Policy); a Windows 2000 domain defaulted to 1. The effective number is whatever Enforce password history is set to in the policy that applies, so read the policy rather than assume the default.
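Defaults are only a starting point; what counts is the value the domain actually enforces. The following added example (not from the original page) reads the account policy attributes from the domain naming context, which any authenticated user can do from PowerShell 2.0 without a module. The warning thresholds at the end are this example's own choices.

```powershell
# Added example (not from the original page): read the account policy the domain
# really enforces (password history, lockout, complexity) from the domain root.

function ConvertFrom-AdInterval {
    # Interval attributes are IADsLargeInteger COM objects holding negative
    # 100-nanosecond ticks; Int64.MinValue means "never" / "until admin unlocks".
    param($LargeInteger)
    $t     = $LargeInteger.GetType()
    $high  = [int64]$t.InvokeMember('HighPart', 'GetProperty', $null, $LargeInteger, $null)
    $low   = [int64]$t.InvokeMember('LowPart',  'GetProperty', $null, $LargeInteger, $null)
    $ticks = $high * 4294967296 + ($low -band [int64][uint32]::MaxValue)
    if ($ticks -eq [int64]::MinValue -or $ticks -eq 0) { return 'never' }
    [int](-$ticks / 600000000)          # whole minutes
}

function Get-DomainAccountPolicy {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $p       = $domain.psbase.Properties
    $flags   = [int]$p['pwdProperties'].Value
    New-Object PSObject -Property @{
        Domain                 = [string]$p['distinguishedName'].Value
        MinPasswordLength      = [int]$p['minPwdLength'].Value
        PasswordHistoryLength  = [int]$p['pwdHistoryLength'].Value
        ComplexityRequired     = (($flags -band 1) -ne 0)    # DOMAIN_PASSWORD_COMPLEX
        ReversibleEncryption   = (($flags -band 16) -ne 0)   # DOMAIN_PASSWORD_STORE_CLEARTEXT
        MaxPasswordAgeMinutes  = ConvertFrom-AdInterval $p['maxPwdAge'].Value
        LockoutThreshold       = [int]$p['lockoutThreshold'].Value
        LockoutDurationMinutes = ConvertFrom-AdInterval $p['lockoutDuration'].Value
        LockoutWindowMinutes   = ConvertFrom-AdInterval $p['lockOutObservationWindow'].Value
    }
}

$policy = Get-DomainAccountPolicy
$policy | Format-List

# Flag the settings most often found weak in practice (thresholds are this example's).
if ($policy.LockoutThreshold -eq 0)       { Write-Warning 'Lockout threshold is 0: online password guessing is unthrottled.' }
if ($policy.PasswordHistoryLength -lt 24) { Write-Warning "Password history is $($policy.PasswordHistoryLength); the 2003 default is 24." }
if ($policy.ReversibleEncryption)         { Write-Warning 'Reversible encryption is enabled domain-wide.' }
```

These attributes reflect the policy the PDC emulator last applied, which is what the DCs enforce; a GPO edit that has not yet been processed will not show here, and neither will Fine-Grained Password Policies, which only exist from Windows Server 2008 onward.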
Can GC Server and Infrastructure place in single server If not explain why ?
Not in a multi-domain forest. The Infrastructure Master updates references to objects in other domains (for example a user from another domain who is a member of a local group) by comparing its own copy with a global catalog. If it runs on a GC it always holds a current copy of those objects, so it never detects stale references and never updates them. Placing both on one server is fine when the forest has a single domain or when every DC in the domain is a GC.
Which is service in your windows is responsible for replication of Domain controller to another domain controller.
The KCC (Knowledge Consistency Checker) generates the replication topology; the directory service itself (NTDS, running inside lsass.exe on each DC) replicates the changes.
It uses RPC over IP or SMTP to replicate changes.
What Intrasite and Intersite Replication ?
Intrasite is the replication with in the same site & intersite the replication between sites.
What is lost & found folder in ADS ?
It is the container (CN=LostAndFound in each domain partition) where Active Directory places orphaned objects after a replication conflict.
Ex: you create a user in an OU on one DC while the same OU is deleted on another DC; when replication happens the OU no longer exists, so the user object is put in the Lost & Found container.
What is Garbage collection ?
Garbage collection runs on every DC, by default every 12 hours. It deletes tombstones whose tombstone lifetime has expired, purges unneeded log files and then performs online defragmentation of ntds.dit. Online defragmentation reclaims space inside the file but does not shrink it; offline defragmentation with ntdsutil in Directory Services Restore Mode does.
What System State data contains ?
Contains the boot files (ntldr, boot.ini, ntdetect.com),
the Registry,
the COM+ class registration database,
system files protected by Windows File Protection,
Active Directory (ntds.dit and its logs) on a domain controller,
the SYSVOL folder on a domain controller,
the Certificate Services database on a certificate authority,
the Cluster Service configuration on a cluster node,
the IIS metabase when IIS is installed.
The page file is not part of the System State.
What is Active Directory ? 
Active Directory is a directory service: a database, together with the services around it, that stores information about users, computers, groups, printers and other network objects, organized as a hierarchy of domains and organizational units. It lets administrators manage and secure the whole network that is joined to it from one place, and it is the authority for authentication (Kerberos, NTLM) and authorization within the domain.
What is domain ? 
In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users, managed under a single security database. The user needs only to log on to the domain to gain access to the resources, which may be located on a number of different servers in the network. The domain is a security and administrative boundary with a name (for example corp.example.com in Active Directory, or a NetBIOS name in NT); it is not an IP address and should not be confused with a URL.
What is domain controller ? 
A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
What is LDAP ? 
Lightweight Directory Access Protocol LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.
What is KCC ? 
KCC (Knowledge Consistency Checker) is the process on every DC that generates the replication topology for both intra-site and inter-site replication. Within a site replication traffic uses remote procedure calls over IP; between sites it uses either RPC over IP or SMTP (SMTP can carry the schema, configuration and application partitions only, not the domain partition).
Where is the AD database held? What other folders are related to AD?
The AD database is stored in %systemroot%\NTDS\ntds.dit (C:\Windows\NTDS on a default install). The same NTDS folder holds the transaction logs edb.log, res1.log and res2.log and the checkpoint file edb.chk; %systemroot%\SYSVOL holds the logon scripts and Group Policy templates shared with clients.
What is the SYSVOL folder?
The sysVOL folder stores the server’s copy of the domain’s public files. The contents such as group policy, users etc of the sysvol folder are replicated to all domain controllers in the domain.
What are the Windows Server 2003 keyboard shortcuts ?
Winkey opens or closes the Start menu.
Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.
Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop.
Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel.
Winkey + CTRL + F opens the Search panel with the Search for Computers module selected.
Winkey + F1 opens Help.
Winkey + M minimizes all windows.
Winkey + SHIFT + M undoes the minimization.
Winkey + R opens the Run dialog.
Winkey + U opens the Utility Manager.
Winkey + L locks the computer.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003 ?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.
I am trying to create a new universal user group. Why can’t I ?
Universal security groups can be created only in a domain at Windows 2000 native (or higher) functional level; at mixed level you can only create universal distribution groups. Native mode requires that all domain controllers run Windows 2000 or later (no Windows NT 4.0 backup domain controllers remain), and once raised the level cannot be lowered again.
What is LSDOU ?
It is the Group Policy inheritance model, where policies are applied in the order Local machine, Site, Domain and Organizational Unit; where settings conflict, the policy applied later wins.
§  What is Active Directory?
Active Directory is a directory service used on Microsoft Windows-based computers and servers to store information and data about networks and domains. A directory is similar to a dictionary; it enables the lookup of a name and the information associated with that name.
There is support for the Lightweight Directory Access Protocol (LDAP) to enable inter-directory operability
Distribution: Distribution groups are intended to be used solely as email distribution lists
Security: Security groups allow you to manage user and computer access to shared resources.
In order to synchronize the time on your Windows computer with main Active Directory domain controllers, use the following command at a command prompt: net time \\ads.iu.edu /set /y
§  What is LDAP?
LDAP is an Internet standard protocol used by applications to access information in a directory. It runs directly over TCP (port 389, or 636 for LDAP over SSL), and can be used to access a standalone LDAP directory service or a directory service that is back-ended by X.500.
The LDAP directory service model is based on entries. An entry is a collection of attributes that describe it. Each attribute has a name, a type and one or more values.
LDAP-based implementations are:
Novell eDirectory, Red Hat Directory Server, Apple Open Directory, Apache Directory Server, Oracle Internet Directory, CA Directory, Sun Java System Directory Server, IBM Tivoli Directory Server, Microsoft Active Directory.
§  Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes. Microsoft Identity Integration Server (MIIS) is used to connect Active Directory to other vendors' directory services (including the directories used by SAP, Domino, etc.) and to synchronize objects between them.
§  Where is Active Directory database held? What other folders are related to AD?
The AD database is saved in %systemroot%\NTDS. You can see other files in this folder too.
These are the main files controlling the AD structure
• ntds.dit
• edb.log
• res1.log
• res2.log
• edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a “shutdown” statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn’t exist on reboot or the shutdown statement isn’t present, AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in %systemroot%\NTDS, along with the other files we have discussed.
§  What is the SYSVOL folder?
The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain.
You can go to the SYSVOL folder by typing: %systemroot%\sysvol
Name the AD NCs [naming contexts] and replication issues for each NC
*Schema NC, *Configuration NC, * Domain NC
Schema NC This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
§  What are application partitions? When do I use them
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.
One of the benefits of an application directory partition is that, for redundancy, availability, or fault tolerance, the data in it can be replicated to different domain controllers in a forest

1. How to check AD configured properly?
Ans: Check that the NETLOGON and SYSVOL shares exist (net share on the DC) and that %systemroot%\NTDS contains ntds.dit; then run dcdiag and netdiag, and confirm the SRV records are registered in DNS (nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>).

2. How to transfer global catalog to another domain?
Ans: We can not transfer the global catalog; we can only remove the global catalog from one server and enable other server as a global catalog.

3. How to configure global catalog server?
Ans: Go to Active directory site and services and expand till your desire server’s NTDS settings and then right click; property and check mark the Global catalog check box.

4. What are the fsmo roles and it gets down what will impact?
Ans: Flexible Single Master Operation, There are five roles.
Domain Naming Master (Forest wide role)
Schema Master (Forest wide role)
PDC Emulator (Domain wide role)
RID Master (Domain wide role)
Infrastructure Master (Domain wide role)

5. What is the RID pool?
Ans: The RID master hands out pools of RIDs (Relative Identifiers) to every domain controller in the domain. When a security principal is created it gets a SID (Security Identifier) made of the domain SID (common to all objects in that domain) followed by a RID that is unique within the domain; the DC takes the RID from its local pool. By default a DC receives 500 RIDs at a time and asks the RID master for a new pool when it is about to run out, which is why the RID master must be reachable for account creation to keep working.
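Because the RID is the only part of a SID that differs between principals of one domain, it is the reliable way to recognize the privileged well-known accounts regardless of their display name. The following added example (not from the original page) splits a SID into domain SID and RID and rebuilds the SID of a well-known principal from the domain SID alone; the domain SID used is constructed for the example.

```powershell
# Added example (not from the original page): split a SID into the domain SID
# (shared by every object in the domain) and the RID (unique within it), and
# recognize well-known RIDs so a renamed Administrator is still identified.

$wellKnownRids = @{
    500 = 'Administrator (built-in)'; 501 = 'Guest';             502 = 'krbtgt'
    512 = 'Domain Admins';            513 = 'Domain Users';      515 = 'Domain Computers'
    516 = 'Domain Controllers';       518 = 'Schema Admins';     519 = 'Enterprise Admins'
}

function Split-Sid {
    param([string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $rid = [int]$SidString.Substring($SidString.LastIndexOf('-') + 1)
    $domainSid = $null
    if ($sid.AccountDomainSid) { $domainSid = $sid.AccountDomainSid.Value }
    $label = $null
    if ($wellKnownRids.ContainsKey($rid)) { $label = $wellKnownRids[$rid] }
    # RIDs below 1000 are reserved for well-known principals; ordinary objects
    # get RIDs from the pool the RID master hands out in blocks of 500, from 1000 up.
    New-Object PSObject -Property @{
        Sid = $sid.Value; DomainSid = $domainSid; Rid = $rid
        WellKnown = $label; FromRidPool = ($rid -ge 1000)
    }
}

function Get-DomainPrincipalSid {
    # Rebuild the SID of a well-known principal from the domain SID alone.
    param([string]$DomainSid, [int]$Rid)
    "$DomainSid-$Rid"
}

$domainSid = 'S-1-5-21-1004336348-1177238915-682003330'   # constructed example value
Split-Sid "$domainSid-512"  | Format-List                  # Domain Admins
Split-Sid "$domainSid-1105" | Format-List                  # an ordinary account from the pool

# The real built-in Administrator, whatever it is called today (needs domain connectivity):
$adminSid = New-Object System.Security.Principal.SecurityIdentifier (Get-DomainPrincipalSid $domainSid 500)
# $adminSid.Translate([System.Security.Principal.NTAccount]).Value
```

Renaming the built-in Administrator is a common hardening step; anything that audits privileged accounts should therefore key on RID 500 and RID 512, not on the names.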

6. How to check FSMO roles running on which server? 
Ans: By using “DCdiag /test:Knowsofroleholders /v” command.
ii) Type “Netdom query fsmo”
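dcdiag and netdom show the role holders; the next thing to check is whether the holders are placed sensibly, in particular whether the Infrastructure Master sits on a global catalog (see the earlier question on GC and Infrastructure Master placement). The following added example (not from the original page) reports the five role holders and the GCs through System.DirectoryServices.ActiveDirectory, which exists on Windows Server 2003/2008 without the ActiveDirectory module, and warns about that placement. It runs as any domain user from the domain being inspected.

```powershell
# Added example (not from the original page): FSMO role holders, global catalogs,
# and a check that the Infrastructure Master is not on a GC in a multi-domain forest.

Add-Type -AssemblyName System.DirectoryServices

function Get-FsmoReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $gcs    = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
    $dcs    = @($domain.DomainControllers | ForEach-Object { $_.Name })

    $roles = @(
        @{ Role = 'Schema master';         Scope = 'forest'; Holder = $forest.SchemaRoleOwner.Name },
        @{ Role = 'Domain naming master';  Scope = 'forest'; Holder = $forest.NamingRoleOwner.Name },
        @{ Role = 'PDC emulator';          Scope = 'domain'; Holder = $domain.PdcRoleOwner.Name },
        @{ Role = 'RID master';            Scope = 'domain'; Holder = $domain.RidRoleOwner.Name },
        @{ Role = 'Infrastructure master'; Scope = 'domain'; Holder = $domain.InfrastructureRoleOwner.Name }
    )
    foreach ($r in $roles) {
        $isGc = $gcs -contains $r.Holder
        '{0,-22} {1,-7} {2,-30} GC={3}' -f $r.Role, $r.Scope, $r.Holder, $isGc
    }

    # The Infrastructure Master finds stale cross-domain references by comparing
    # its copy with a GC. On a GC it always has current data and never updates
    # anything. Harmless only in a single-domain forest or if every DC is a GC.
    $infra   = $domain.InfrastructureRoleOwner.Name
    $allDcGc = (@($dcs | Where-Object { $gcs -notcontains $_ }).Count -eq 0)
    if ($forest.Domains.Count -gt 1 -and ($gcs -contains $infra) -and -not $allDcGc) {
        Write-Warning "Infrastructure master $infra is a global catalog; move the role to a non-GC DC."
    }
}

Get-FsmoReport
```

The same Forest and Domain objects answer the later question about testing whether a DC is a global catalog: $forest.GlobalCatalogs is the authoritative list, without clicking through Sites and Services.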

7. How to transfer FSMO role one domain controller to another domain controller command prompt and GUI?
Ans: GUI: open dsa.msc (Active Directory Users and Computers), connect it to the DC that should receive the role, right-click the domain, choose Operations Masters, and use the RID, PDC and Infrastructure tabs to transfer those three roles.
Open domain.msc (Active Directory Domains and Trusts), connect to the target DC, right-click the root node, choose Operations Master, and transfer the Domain naming master role.
For the schema master, first register the snap-in by running regsvr32 schmmgmt.dll, then open MMC, add the Active Directory Schema snap-in, connect it to the target DC, right-click the root node, choose Operations Master and transfer the role. From the command prompt all five roles are transferred with ntdsutil (see question 55 below).

8. What is AD data base file and log file where it stored is and what is the use of log file?
Ans: The AD database is ntds.dit, stored in %systemroot%\NTDS by default. The transaction logs in the same folder are edb.log (the current log), edb*.log (older logs not yet purged), res1.log and res2.log (reserved space so logging can continue when the disk fills) and edb.chk (the checkpoint file). Every change is written to the log first and then applied to the database; on restart the checkpoint tells the database engine which logged transactions still have to be replayed into ntds.dit, so the logs give crash consistency and make recovery possible.

9. How to recover a corrupted AD database file?
Ans: Restart the DC in Directory Services Restore Mode (F8 at boot) and copy the NTDS folder aside first. Then use ntdsutil: files -> integrity checks the ESE database, and semantic database analysis -> go fixup checks and repairs directory-level consistency. If the database cannot be repaired, restore the System State from a backup that is younger than the tombstone lifetime, or, if other DCs are healthy, demote the server with dcpromo /forceremoval, clean up its metadata and promote it again.

10. Is it possible to rename domain name in windows 2003?
Ans: Yes, We can rename the domain name in windows 2003.

11. What are the two types of replication?
Ans: Inter-site replication, Intra-site replication.

12. What are the protocols used in replication?
13. What is default time for replication?

Ans: The KCC (Knowledge Consistency Checker) builds the topology; the two transports are RPC over IP and SMTP. Intra-site replication is driven by change notification: a DC notifies its first partner 15 seconds after a change (5 minutes on Windows 2000) and each further partner 3 seconds later, with a scheduled fallback once an hour. Inter-site replication follows the site link schedule: every 180 minutes by default, with a minimum interval of 15 minutes.

14. What is the difference between the two types of replication i.e. intrasite and intersite? 
Intra-site replication is replication between DCs within the same site (frequent, uncompressed, driven by change notification). Inter-site replication is replication between sites over site links (scheduled, compressed, carried out by the bridgehead servers of each site).

15. What are replication partition and tell about partition?
Ans: Each FSMO role is tied to a partition:
Schema master: CN=Schema,CN=Configuration,DC=<forest root>
Domain naming master: CN=Configuration,DC=<forest root>
PDC emulator: DC=<domain>
RID master: DC=<domain>
Infrastructure master: DC=<domain>
Replication partitions are:
Schema partition (forest-wide)
Configuration partition (forest-wide)
Domain partition (domain-wide)
Application partition (replicated only to the DCs configured to hold it)

16. Is application partition available in windows 2003?
Ans: Yes, Windows 2003 contains application partition, mainly application partition contains the application information like: DNS

17. What is the DNS?
Ans: Domain Name System.
Used to resolve the host name (FQDN) name to IP Address and Vice Versa

18. What are types of DNS and zones?
(i)Primary DNS zone
(ii)Secondary DNS zone
(iii)Active directory integrated zone
(IV)Stub zone

19. What is the authority record and what is it used for?
Ans: The Start of Authority (SOA) record. There is one per zone; it names the primary server for the zone and the responsible person's mailbox, carries the zone serial number (incremented on every change, which is how secondary servers know a zone transfer is needed), and sets the refresh, retry, expire and minimum TTL timers.
20. What records are available in DNS?
Ans: SOA, NS, A (host), AAAA (IPv6 host), PTR (reverse), MX, CNAME and SRV records.

21. Explain SRV, MX and CNAME records.
Ans: An SRV record advertises a service by name with a priority, weight, port and target host; Active Directory clients and DCs locate LDAP, Kerberos and the global catalog through SRV records such as _ldap._tcp.dc._msdcs.<domain>. An MX record names a mail exchanger for the domain with a preference value (the lowest is tried first). A CNAME record is an alias that maps one name to another, canonical, name.
22. Where are the DNS files and the DNS database stored?
Ans: File-backed (standard primary and secondary) zones are stored as text files in %SystemRoot%\System32\dns. Active Directory-integrated zones are stored in the directory database (ntds.dit) and replicate with it.

23. How do configure DHCP Server and steps?
24. How to reserve IP address?
Ans: We can assign a particular IP address to the MAC address of a machine using IP reservation in DHCP.

25. Why do we need two subnets?
To segment or restrict one type of traffic to one segment.

26. Two different subnet, how to configure it in single DHCP server?
Two different scopes are created for two subnets.

27. What is the use of relay agent?
A router does not forward the DHCP DISCOVER because it is a broadcast. The relay agent (or the ip helper-address feature on a router) listens for the broadcast on the client's subnet, forwards it as a unicast to the DHCP server on the other subnet, and relays the reply back to the client.

28. What is the group policy?
Ans: It is way to provide the desirable predefined environment to all users and it is centrally manageable.

29. My requirement is to need disable USB port, how will you do?
Through Group policy.

30. How to take backup group policy?
Ans: We can use GPMC (Group Policy Management Console), right click on the GPO and select backup and take backup on destination folder

31. You are administrator; my requirement is to configure active directory for four different locations. How will you plan it?
Ans: Depending on the requirement I'll configure one parent domain and three child domains, or one domain with four sites, or four different domains (least preferred).

32. What are the two type’s terminal servers?
Remote Desktop for Administration mode (two concurrent administrative sessions, no licensing needed) and Terminal Server (application server) mode, which requires a license server and Terminal Services CALs.

33. What is the default security group, groups give explanations?
Ans: Default groups created with the domain include, in the Builtin container, Administrators, Account Operators, Server Operators, Backup Operators, Print Operators, Users and Guests, and, in the Users container, Domain Admins, Domain Users, Domain Computers, Domain Controllers, Domain Guests and Group Policy Creator Owners; the forest root domain also has Enterprise Admins and Schema Admins. The operator groups deserve attention in audits because their rights reach a DC: Server Operators can log on to DCs and manage services, and Backup Operators can read any file, including ntds.dit.

34. You are maintaining remote servers that you can reach with a remote session but cannot ping; how do you troubleshoot?
Ans: The network path is fine, since the remote session works; ICMP echo is being filtered, usually by the Windows Firewall on the server or by a network device. Test the service port instead of ping (telnet <host> 3389 or portqry -n <host> -e 3389), check the host firewall's ICMP settings, and use tracert or pathping to see where the echo replies stop.
35. What is use of Kerberos protocol?
Ans: Kerberos protocol is an authentication protocol.

36. What is the version Kerberos protocol?
Ans: We are using Kerberos V 5.0.

37. What is the authentication protocol in Windows NT?
Ans:Windows NT supported two kinds of challenge/response authentication:
LanManager (LM) challenge/response
Windows NT challenge/response (also known as NTLM challenge/response)

38. What are RAID levels?
Ans: Main RAID levels are RAID-0, RAID-1, RAID-5 and RAID-10.

39. Which RAID you will recommend and why?
Ans: RAID-1 for O.S - mirroring
RAID-5 for DATA partition- Stripe set with parity.

40. What are the different RAID1 and RAID 5?
RAID-1: Two hard disks; the data on one is mirrored to the other, so if one fails the other still holds the same data and service continues.
RAID-5: Needs a minimum of three disks (the maximum depends on the RAID controller). Data is written across the disks in stripes with the parity distributed over all of them, so one disk can fail without data loss.

41. What is the difference between disk mirroring and disk duplexing?
Ans: Both keep an identical copy of a disk (RAID-1). Mirroring attaches both disks to one controller; duplexing gives each disk its own controller, so a controller failure does not take both copies down.
42. What is a dynamic disk?
Ans: A Windows disk type (converted from a basic disk) whose volumes can be extended or spanned across disks, striped, mirrored or made RAID-5 in software, with the layout stored in a database on each dynamic disk rather than in the partition table.
43. What is disk striping?
Ans: RAID-0: data is written in blocks alternately across two or more disks for throughput. There is no redundancy, so losing one disk loses the whole volume.


44. What are the backup types?
Ans: (i) Normal or full Backup
(ii) Differential Backup
(iii)Incremental Backup
(iv)Copy backup
(v)Daily Backup

45. Which type backup reset archive bits?
Ans: Normal (full) and incremental backups clear the archive bit after backing up a file; differential, copy and daily backups leave it set. The file system sets the archive bit whenever a file is created or modified, so it marks files changed since the last normal or incremental backup.

46. What is the use of DFS?
Ans: Distributed File System presents shares from many servers under one namespace (\\domain\root\link), so clients do not depend on individual server names. A domain-based DFS root is stored in Active Directory and can be hosted on several servers, and a link with several replicated targets gives fault tolerance and site-aware referrals. The domain logon process uses the same referral mechanism to reach SYSVOL and NETLOGON on the nearest DC.

47. Do you know about FRS?
Ans: File Replication Services.
Example: Replication of SYSVOL folder.

48. What are difference between TCP and UDP protocol?
Ans: TCP is connection-oriented: it uses a three-way handshake, sequence numbers, acknowledgements, retransmission and in-order delivery. UDP is connectionless and gives no delivery guarantee, which is why DNS, DHCP and Kerberos use it for small request/reply exchanges (falling back to TCP for large replies).

49. What is different between HUB and Switch?
Ans: A hub repeats every frame out of every port, so all ports share one collision domain. A switch learns which MAC address is behind each port and forwards a frame only to the port where the destination lives, so each port is its own collision domain; only broadcasts and frames to unknown destinations go out of all ports.

50. Which layer working in router?
Ans: Layer 3, the Network layer; routers forward on IP addresses.

51. You are going to migrate the domain how to plan?
52. For project requirement you going to share 20 folders what is the step you will take?

53. Why is it requiring VLAN?
Ans: To divide/restrict the traffic to one segment of the network.

54. Right required to transfer FSMO roles?
Ans. logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.

55. Write down the command line to transfer all the FSMO roles to other server?
Ans: Click Start, click Run, type ntdsutil in the Open box, and then click OK
Type roles, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
At the server connections prompt, type q, and then press ENTER.
Type transfer role, where role is the role that you want to transfer. For example,
To transfer the schema master role, type transfer schema master
To transfer the domain naming master role, type transfer domain naming master
To transfer the RID master role, type transfer rid master
To transfer the PDC emulator role, type transfer pdc
To transfer the infrastructure master role, type transfer infrastructure master
At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt.

56. Write down the command line to seize all the FSMO roles to a server?
Ans:
Click Start, click Run, type ntdsutil in the Open box, and then click OK
Type roles, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
At the server connections prompt, type q, and then press ENTER.
Type seize role, where role is the role that you want to seize. For example,
To seize the schema master role, type seize schema master
To seize the domain naming master role, type seize domain naming master
To seize the RID master role, type seize rid master
To seize the PDC emulator role, type seize pdc
To seize the infrastructure master role, type seize infrastructure master
At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt. Seize a role only when the current holder is permanently lost; a seized role must never be brought back online on the old holder.
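The interactive ntdsutil session in questions 55 and 56 can be driven from a single command line, which is how it belongs in a runbook. The following added example (not from the original page) wraps it in a function; DC02 is a hypothetical target, and the caller needs the rights listed in question 54.

```powershell
# Added example (not from the original page): transfer or seize a FSMO role with
# ntdsutil from one command line. Each interactive ntdsutil command is passed as
# its own quoted argument, exactly as it would be typed at the prompts.

function Move-FsmoRole {
    param(
        [Parameter(Mandatory=$true)][string]$Target,
        [Parameter(Mandatory=$true)]
        [ValidateSet('schema master', 'domain naming master', 'rid master', 'pdc', 'infrastructure master')]
        [string]$Role,
        [switch]$Seize
    )
    $verb = if ($Seize) { 'seize' } else { 'transfer' }
    # On Windows Server 2008 the domain naming role is spelled "naming master".
    ntdsutil 'roles' 'connections' "connect to server $Target" 'quit' "$verb $Role" 'quit' 'quit'
}

# Graceful move while the current holder is still online:
Move-FsmoRole -Target 'DC02' -Role 'rid master'

# Seize only when the current holder is permanently gone. Seizing does not remove
# the old holder from the directory: clean it up with ntdsutil "metadata cleanup",
# and never let the old machine back on the network, or two DCs will each believe
# they hold the role (two RID masters end up issuing duplicate SIDs).
# Move-FsmoRole -Target 'DC02' -Role 'rid master' -Seize
```

Seize first attempts a transfer and only forces the role when the holder does not answer, so the command is safe to script, but the decision to run it is not: confirm with repadmin /showrepl that the old holder is really unreachable rather than merely slow.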

57. Command for removing active directory?
Ans: dcpromo demotes a domain controller; dcpromo /forceremoval is used only when a normal demotion fails (for example because the DC cannot reach a replication partner). After a forced removal the DC's objects remain in the directory, so the remaining DCs must be cleaned up with ntdsutil metadata cleanup, and any FSMO roles the DC held must be seized.

58. How to test whether a domain controller is also a global catalog server: 

Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

Double-click Sites in the left pane, and then locate the appropriate site or click Default-First-Site-Name if no other sites are available.

Open the Servers folder, and then click the domain controller.

In the domain controller's folder, double-click NTDS Settings.

On the Action menu, click Properties.

On the General tab, view the Global Catalog check box to see if it is selected.
>What is dhcp ?
Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (i.e., a scope) configured for a given network.

>What is the dhcp process for client machine?
1. A user turns on a computer with a DHCP client.
2. The client computer sends a broadcast request (called a DISCOVER or DHCPDISCOVER), looking for a DHCP server to answer.
3. If the DHCP server is on another subnet, a DHCP relay agent (or ip helper on the router) forwards the DISCOVER to it; a plain router drops the broadcast.
4. The server receives the DISCOVER packet. Based on availability and usage policies set on the server, the server determines an appropriate address (if any) to give to the client. The server then temporarily reserves that address for the client and sends back to the client an OFFER (or DHCPOFFER) packet, with that address information. The server also configures the client's DNS servers, WINS servers, NTP servers, and sometimes other services as well.
5. The client sends a REQUEST (or DHCPREQUEST) packet, letting the server know that it intends to use the address.
6. The server sends an ACK (or DHCPACK) packet, confirming that the client has been given a lease on the address for a server-specified period of time.

>What is dhcp scope ?
DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients.
>Types of scopes in windows dhcp ?
Normal Scope - Allows A, B and C Class IP address ranges to be specified including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.
Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservation or other TCP/IP options.
 
Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).
Superscope - Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.
>What is Authorizing DHCP Servers in Active Directory ?
If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized.
 
This can be achieved either as part of the DHCP Server role installation, or subsequently using either the DHCP console or the netsh tool at the command prompt.
If the DHCP server was not authorized during installation, invoke the DHCP console (Start -> All Programs -> Administrative Tools -> DHCP), right-click the DHCP server to be authorized and select Authorize. To achieve the same result from the command prompt, enter the following command:
 
netsh dhcp server serverID initiate auth
 
In the above command syntax, serverID is replaced by the IP address or full UNC name of the system on which the DHCP server is installed.
>What ports are used by DHCP and the DHCP clients ? 
Clients send requests from UDP port 68 to the server's UDP port 67; the server replies from UDP port 67 to the client's UDP port 68.
>Benefits of using DHCP 
DHCP provides the following benefits for administering your TCP/IP-based network: 
Safe and reliable configuration. DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network.
Reduced configuration management. Using DHCP servers can greatly decrease the time spent configuring and reconfiguring computers on your network. Servers can be configured to supply a full range of additional configuration values when assigning address leases. These values are assigned using DHCP options. Also, the DHCP lease renewal process helps ensure that where client configurations need to be updated often (such as users with mobile or portable computers who change locations frequently), these changes can be made efficiently and automatically by clients communicating directly with DHCP servers.
>Describe the process of installing a DHCP server in an AD infrastructure ?
Open the Windows Components Wizard. Under Components, scroll to and click Networking Services. Click Details. Under Subcomponents of Networking Services, click Dynamic Host Configuration Protocol (DHCP), and then click OK.
Click Next. If prompted, type the full path to the Windows Server 2003 distribution files, and then click Next. The required files are copied to your hard disk.

Windows Server DHCP Interview Questions
By admin | Published: July 3, 2012
Below is the list of Basic Windows Server DHCP Interview Questions asked in Interviews for the post of Windows System Administrator/ L1/L2/L3 Windows Support Engineer.
>How to authorize a DHCP server in Active Directory?
1. Open DHCP.
2. In the console tree, click DHCP.
3. On the Action menu, click Manage authorized servers.
4. The Manage Authorized Servers dialog box appears. Click Authorize.
5. When prompted, type the name or IP address of the DHCP server to be authorized, and then click OK.
>What is DHCPINFORM?
DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While PPP remote access clients do not use DHCP to obtain IP addresses for the remote access connection, Windows 2000 and Windows 98 remote access clients use the DHCPInform message to obtain DNS server IP addresses, WINS server IP addresses, and a DNS domain name.
The DHCPInform message is sent after the IPCP negotiation is concluded. The DHCPInform message received by the remote access server is then forwarded to a DHCP server. The remote access server forwards DHCPInform messages only if it has been configured with the DHCP Relay Agent.
>Describe the integration between DHCP and DNS?
Traditionally, DNS and DHCP servers have been configured and managed one at a time. Similarly, changing authorization rights for a particular user on a group of devices has meant visiting each one and making configuration changes.
DHCP integration with DNS allows the aggregation of these tasks across devices, enabling a company’s network services to scale in step with the growth of network users, devices, and policies, while reducing administrative operations and costs. This integration provides practical operational efficiencies that lower total cost of ownership.
Creating a DHCP network automatically creates an associated DNS zone, for example, reducing the number of tasks required of network administrators. And integration of DNS and DHCP in the same database instance provides unmatched consistency between service and management views of IP address-centric network services data.

>What is the main purpose of a DNS server?
DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.
>What is the port no of dns ?
53.
>What is a Forward Lookup?
Resolving Host Names to IP Addresses.
>What is Reverse Lookup?
It's a file that contains host name to IP mapping information.
>What is a Resource Record?
It is a record that provides information about the resources available in the network infrastructure.
>What are the diff. DNS Roles?
Standard Primary, Standard Secondary, & AD Integrated.
>What is a Zone?
Zone is a sub tree of DNS database.
>Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create? 
PTR Records
>SOA records must be included in every zone. What are they used for ?
SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.
>By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address ? 
Performs a recursive search through the primary DNS server based on the network interface configuration .
> What is primary, Secondary, stub & AD Integrated Zone?
Primary Zone: a zone saved as a normal text file with the .dns extension in the DNS folder. Maintains a read/write copy of the zone database.
Secondary Zone: maintains a read-only copy of the zone database on another DNS server. Provides fault tolerance and load balancing by acting as a backup server to the primary server.
Stub zone: contains a copy of the name server and SOA records, used for reducing the DNS search order. Provides fault tolerance and load balancing.
> How do you manually create SRV records in DNS? 
On Windows Server, go to Run -> dnsmgmt.msc, right-click the zone you want to add the SRV record to, choose "Other New Records", and choose Service Location (SRV).
> What is the main purpose of SRV records ? 
SRV records are used in locating hosts that provide certain network services.
> Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure ?
The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates.
> Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients ? 
The zone to be used for dynamic updates must be configured to allow dynamic updates. The DHCP server must support, and be configured to allow, dynamic updates for legacy clients.
> At some point during the name resolution process, the requesting party received authoritative reply. Which further actions are likely to be taken after this reply ? 
After receiving the authoritative reply, the resolution process is effectively over.
> Name 3 benefits of using AD-integrated zones. 
Active Directory integrated DNS enables Active Directory storage and replication of DNS zone databases. The Windows 2000 DNS server, the DNS server that is included with Windows 2000 Server, accommodates storing zone data in Active Directory.
When you configure a computer as a DNS server, zones are usually stored as text files on name servers; that is, all of the zones required by DNS are stored in a text file on the server computer.
These text files must be synchronized among DNS name servers by using a system that requires a separate replication topology and schedule, called a zone transfer. However, if you use Active Directory integrated DNS when you configure a domain controller as a DNS name server, zone data is stored as an Active Directory object and is replicated as part of domain replication.
> Your company uses ten domain controllers, three of which are also used as DNS servers. You have one companywide AD-integrated zone, which contains several thousand resource records. This zone also allows dynamic updates, and it is critical to keep this zone up-to-date. Replication between domain controllers takes up a significant amount of bandwidth. You are looking to cut bandwidth usage for the purpose of replication. What should you do?
Change the replication scope to all DNS servers in the domain. 
>You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this?
DNS servers are not caching replies. Local client computers are not caching replies. The cache.dns file may have been corrupted on the server.
>What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
If your DNS topology includes Active Directory, use Active Directory integrated zones. Active Directory integrated zones enable you to store zone data in the Active Directory database. Zone information about any primary DNS server within an Active Directory integrated zone is always replicated.
Because DNS replication is single-master, a primary DNS server in a standard primary DNS zone can be a single point of failure. In an Active Directory integrated zone, a primary DNS server cannot be a single point of failure because Active Directory uses multimaster replication.
Updates that are made to any domain controller are replicated to all domain controllers, and the zone information about any primary DNS server within an Active Directory integrated zone is always replicated.
Active Directory integrated zones:
- Enable you to secure zones by using secure dynamic update.
- Provide increased fault tolerance. Every Active Directory integrated zone can be replicated to all domain controllers within the Active Directory domain or forest. All DNS servers running on these domain controllers can act as primary servers for the zone and accept dynamic updates.
- Enable replication that propagates changed data only, compresses replicated data, and reduces network traffic.
If you have an Active Directory infrastructure, you can only use Active Directory integrated zones on Active Directory domain controllers. If you are using Active Directory integrated zones, you must decide whether or not to store Active Directory integrated zones in the application directory partition.
You can combine Active Directory integrated zones and file-based zones in the same design. For example, if the DNS server that is authoritative for the private root zone is running on an operating system other than Windows Server 2003 or Windows 2000, it cannot act as an Active Directory domain controller. Therefore, you must use file-based zones on that server. However, you can delegate this zone to any domain controller running either Windows Server 2003 or Windows 2000.
>You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.
The machine is not configured as its own DNS client (its DNS client settings do not point to itself).
The DNS service is not running.

>What are the benefits and scenarios of using Stub zones?
Understanding stub zones 
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. 
A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of:
- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone. The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.
Use stub zones to:
- Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server hosting both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
- Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers without needing to query the Internet or internal root server for the DNS namespace.
- Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones and are not an alternative when considering redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
- The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
- The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records. When a DNS server loads a stub zone, such as widgets.example.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.example.com. The list of master servers may contain a single server or multiple servers and can be changed anytime.
>What are the benefits and scenarios of using Conditional Forwarding? 
Rather than having a DNS server forward all queries it cannot resolve to forwarders, the DNS server can forward queries for different domain names to different DNS servers according to the specific domain names that are contained in the queries. Forwarding according to these domain-name conditions improves conventional forwarding by adding a second condition to the forwarding process.
A conditional forwarder setting consists of a domain name and the IP address of one or more DNS servers. To configure a DNS server for conditional forwarding, a list of domain names is set up on the Windows Server 2003-based DNS server along with the corresponding DNS server IP addresses. When a DNS client or server performs a query against a Windows Server 2003-based DNS server that is configured for forwarding, the DNS server first looks to see if the query can be resolved by using its own zone data or the zone data stored in its cache. If not, and the DNS server is configured to forward for the domain name designated in the query (a match), the query is forwarded to the IP address of the DNS server associated with that domain name. If the DNS server has no domain name listed for the name designated in the query, it attempts to resolve the query by using standard recursion.
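The decision order described above, as an added example (not the Windows DNS Server code): a routing function checks the server's own zones, then its cache, then the conditional forwarder whose domain is the longest matching suffix of the query name, and otherwise falls back to server-wide forwarders or recursion. The zone names, cached entry and forwarder addresses are constructed.

```python
"""Where a forwarding DNS server sends a query, in the order described above:
own zone data, cache, conditional forwarder by domain suffix, then ordinary
forwarders or recursion. Added example, not the Windows DNS Server code;
zone names, the cached entry and forwarder addresses are constructed."""


def is_within(name, domain):
    """True when name equals domain or is a subdomain of it (case-insensitive).

    The leading dot in the suffix test keeps 'notpartner.example' from
    matching a forwarder configured for 'partner.example'."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def route_query(qname, local_zones, cache, conditional_forwarders, forwarders=()):
    """Return (action, detail) for one query name.

    local_zones: zone names this server is authoritative for
    cache: previously resolved names -> answers
    conditional_forwarders: domain -> list of forwarder addresses
    forwarders: server-wide forwarders used when no condition matches
    """
    name = qname.lower().rstrip(".")
    for zone in local_zones:
        if is_within(name, zone):
            return ("authoritative", zone.lower().rstrip("."))
    if name in cache:
        return ("cache", cache[name])
    matches = [d for d in conditional_forwarders if is_within(name, d)]
    if matches:
        # The most specific (longest) configured domain wins, so a forwarder
        # for corp.partner.example takes precedence over one for partner.example.
        best = max(matches, key=lambda d: len(d.rstrip(".")))
        return ("conditional-forward", list(conditional_forwarders[best]))
    if forwarders:
        return ("forward", list(forwarders))
    return ("recursion", "root hints")


# Constructed configuration for a server authoritative for corp.example.
LOCAL_ZONES = ["corp.example", "1.168.192.in-addr.arpa"]
CACHE = {"www.contoso.example": "203.0.113.10"}
CONDITIONAL_FORWARDERS = {"partner.example": ["10.2.0.53"],
                          "corp.partner.example": ["10.2.1.53", "10.2.1.54"]}
```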

>What is the 224.0.1.24 address used for? 
The WINS server group address. It is used to support auto-discovery and dynamic configuration of replication for WINS servers.
> Describe the importance of DNS to AD ?
When Microsoft began development on Active Directory, full compatibility with the domain name system (DNS) was a critical priority. Active Directory was built from the ground up not just to be fully compatible with DNS but to be so integrated with it that one cannot exist without the other. Microsoft's direction in this case did not just happen by chance, but because of the central role that DNS plays in Internet name resolution and Microsoft's desire to make its product lines embrace the Internet.
While fully conforming to the standards established for DNS, Active Directory can expand upon the standard feature set of DNS and offer some new capabilities such as AD-Integrated DNS, which greatly eases the administration required for DNS environments. In addition, Active Directory can easily adapt to exist in a foreign DNS environment, such as Unix BIND, as long as the BIND version is 8.2.x or higher.
> What is the "in-addr.arpa" zone used for? 
In a Domain Name System (DNS) environment, it is common for a user or an application to request a reverse lookup of a host name, given the IP address. The following is quoted from RFC 1035: "The Internet uses a special domain to support gateway location and Internet address to host mapping. Other classes may employ a similar strategy in other domains. The intent of this domain is to provide a guaranteed method to perform host address to host name mapping, and to facilitate queries to locate all gateways on a particular network on the Internet.
"The domain begins at IN-ADDR.ARPA and has a substructure which follows the Internet addressing structure. Domain names in the IN-ADDR.ARPA domain are defined to have up to four labels in addition to the IN-ADDR.ARPA suffix. Each label represents one octet of an Internet address, and is expressed as a character string for a decimal value in the range 0-255 (with leading zeros omitted except in the case of a zero octet which is represented by a single zero).
"Host addresses are represented by domain names that have all four labels specified." Reverse lookup files use the structure specified in RFC 1035.
For example, if you have a network which is 150.10.0.0, then the reverse lookup file for this network would be 10.150.IN-ADDR.ARPA. Any hosts with IP addresses in the 150.10.0.0 network will have a PTR (or 'Pointer') entry in 10.150.IN-ADDR.ARPA referencing the host name for that IP address. A single IN-ADDR.ARPA file may contain entries for hosts in many domains. Consider the following scenario. There is a reverse lookup file 10.150.IN-ADDR.ARPA with the following contents: 1.20 IN PTR WS1.ACME.COM. (the relative owner 1.20 combines with the zone name to give 1.20.10.150.IN-ADDR.ARPA, that is, the host 150.10.20.1).
> What are the requirements from DNS to support AD? 
When you install Active Directory on a member server, the member server is promoted to a domain controller. Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain IP addresses of domain controllers. During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS, which are necessary for the successful functionality of the domain controller locator (Locator) mechanism. 
To find domain controllers in a domain or forest, a client queries DNS for the SRV and A DNS resource records of the domain controller, which provide the client with the names and IP addresses of the domain controllers. In this context, the SRV and A resource records are referred to as Locator DNS resource records.
When adding a domain controller to a forest, you are updating a DNS zone hosted on a DNS server with the Locator DNS resource records and identifying the domain controller. For this reason, the DNS zone must allow dynamic updates (RFC 2136) and the DNS server hosting that zone must support the SRV resource records (RFC 2782) to advertise the Active Directory directory service.
If the DNS server hosting the authoritative DNS zone is not a server running Windows 2000 or Windows Server 2003, contact your DNS administrator to determine if the DNS server supports the required standards. If the server does not support the required standards, or the authoritative DNS zone cannot be configured to allow dynamic updates, then modification is required to your existing DNS infrastructure.
Important: The DNS server used to support Active Directory must support SRV resource records for the Locator mechanism to function. It is recommended that the DNS infrastructure allows dynamic updates of Locator DNS resource records (SRV and A) before installing Active Directory, but your DNS administrator may add these resource records manually after installation. After installing Active Directory, these records can be found on the domain controller in the following location: systemroot\System32\Config\Netlogon.dns.
> What does a zone consist of & why do we require a zone?
Zone consists of resource records and we require zone for representing sites.
> What is Caching Only Server?
When we install a Windows 2000 or 2003 server, its DNS server is configured as a caching-only server: it maintains information about frequently accessed sites, and when the same site is accessed again the answer is obtained from the cached information instead of going to the actual site.
> What is forwarder?
When one DNS server can't resolve a query, the query can be forwarded to another DNS server that has been configured as a forwarder.
> What is secondary DNS Server?
It is backup for primary DNS where it maintains a read only copy of DNS database.
> How to enable Dynamic updates in DNS? 
Start -> Programs -> Administrative Tools -> DNS -> Zone properties.
> What are the properties of DNS server? 
Interfaces, Forwarders, Advanced, Root Hints, Security, Monitoring, Event Logging, Debug Logging.
> Properties of a Zone ? 
General, SOA, Name Servers, WINS, Security, and Zone Transfers.
> What is scavenging?
Finding and deleting unwanted records.
> What are SRV records? 
SRV records are service records; there are 6 types of service records. They are useful for locating services.

> What are the types of SRV records?
MSDCS: Contains DC information.
TCP: Contains Global Catalog, Kerberos and LDAP information.
UDP: Contains Sites information.
Sites: Contains Sites information.
Domain DNS Zone: Contains the domain's DNS-specific information.
Forest DNS Zone: Contains the forest's specific information.
> Where does a Host File Reside?
c:\windows\system32\drivers\etc.
> What is SOA?
Start of Authority: provides the zone's startup information, used when a zone starts.
> What is a query?
A request made by the DNS client to provide the name server information.
> What are the diff. types of Queries?
Recursion, iteration.
> Tools for troubleshooting DNS?
DNS Console, NSLOOKUP, DNSCMD, IPCONFIG, Logs.
> What is WINS server? where we use WINS server? difference between DNS and WINS?
WINS is the Windows Internet Name Service, used to resolve NetBIOS (computer) names to IP addresses. It is proprietary to Windows and is used on a LAN. DNS is the Domain Name System, which resolves host names to IP addresses. It uses fully qualified domain names. DNS is an Internet standard used to resolve host names.
> What is new in Windows Server 2003 regarding the DNS management?
When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory.
If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register in DNS DC locator DNS records. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.
> How do I clear the DNS cache on the DNS server? 
Go to cmd prompt and type ipconfig /flushdns .
> What is the "." zone in my forward lookup zone?
This setting designates the Windows 2000 or Windows Server 2003 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.
> Do I need to configure forwarders in DNS?
No. By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. Most of the time, when you configure forwarders, DNS performance and efficiency increases, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems.
The root hint server can provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection. Windows Server 2003 DNS will query root hints servers if it cannot query the forwarders.
> Should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers? 
No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the domain controller in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 domain controller running DNS.
If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN.
> Do I need to point computers that are running Windows NT 4.0 or Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows 98 Second Edition to the Windows 2000 or Windows Server 2003 DNS server?
Legacy operating systems continue to use NetBIOS for name resolution to find a domain controller; however, it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution.
> What if my Windows 2000 or Windows Server 2003 DNS server is behind a proxy server or firewall?
If you are able to query the ISP's DNS servers from behind the proxy server or firewall, Windows 2000 and Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP Port 53 should be open on the proxy server or firewall.
> What should I do if the domain controller points to itself for DNS, but the SRV records still do not appear in the zone?
Check for a disjointed namespace, and then run Netdiag.exe /fix.
You must install Support Tools from the Windows 2000 Server or Windows Server 2003 CD-ROM to run Netdiag.exe.
> How do I set up DNS for a child domain?
To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server.
Note: Windows Server 2003 has additional types of zones, such as stub zones and forest-level Active Directory-integrated zones, that may be a better fit for your environment. Set the child domain controller to point to itself first. As soon as an additional domain controller is available, set the child domain controller to point to this domain controller in the child domain as its secondary.
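The DNS conditions the answers above keep coming back to (DC locator SRV records, the SOA serial, a stray "." zone, forwarders versus root hints, dynamic updates and port 53) can be checked in one read-only script. The following is an added example, not code from the original post; it assumes the DnsClient and DnsServer PowerShell modules that ship with Windows Server 2012 and later (or RSAT), so it will not run on Windows 2000/2003 itself, and the domain and server names are placeholders:

```powershell
# Added example (not from the original post). Read-only health check for the DNS
# conditions a domain controller depends on. Assumes the DnsClient/DnsServer
# modules (Windows Server 2012+ or RSAT); names below are placeholders.
Import-Module DnsServer

function Test-AdDnsHealth {
    param(
        [string]$Domain    = 'corp.example',        # placeholder AD DNS domain
        [string]$DnsServer = 'dc01.corp.example'    # placeholder DNS server / DC
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. DC locator SRV records: clients query _ldap._tcp.dc._msdcs.<domain> to find
    #    a domain controller; if the records are missing, domain logons fail.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if ($srv) {
        foreach ($r in $srv) {
            'DC via SRV: {0}:{1} (priority {2}, weight {3})' -f $r.NameTarget, $r.Port, $r.Priority, $r.Weight
        }
    } else {
        $problems.Add("No DC locator SRV records for $Domain on $DnsServer. Check that the zone accepts dynamic updates, then re-register them (netdiag /fix on 2000/2003, or restart the Netlogon service).")
    }

    # 2. SOA: secondaries compare this serial with their own copy to decide whether a
    #    zone transfer is needed; the record also carries the zone's default TTL.
    $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    if ($soa) {
        'SOA: primary {0}, responsible {1}, serial {2}, default TTL {3}s' -f $soa.PrimaryServer, $soa.NameAdministrator, $soa.SerialNumber, $soa.DefaultTTL
    } else {
        $problems.Add("No SOA for $Domain returned by $DnsServer; it is not authoritative for the zone.")
    }

    # 3. A "." forward lookup zone tells the server it is an Internet root, so it
    #    never consults root hints or forwarders for external names.
    if (Get-DnsServerZone -ComputerName $DnsServer -Name '.' -ErrorAction SilentlyContinue) {
        $problems.Add("A '.' zone exists on $DnsServer; external name resolution will fail until it is deleted.")
    }

    # 4. Forwarders are optional; without them the server walks the root hints.
    $fwd = Get-DnsServerForwarder -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if ($fwd -and $fwd.IPAddress) {
        'Forwarders: {0}; fall back to root hints: {1}' -f ($fwd.IPAddress -join ', '), $fwd.UseRootHint
    } else {
        'No forwarders configured; root hints are used for external queries.'
    }

    # 5. The AD zone must accept dynamic updates (Secure for an AD-integrated zone)
    #    or the DCs cannot register their SRV records at all.
    $zone = Get-DnsServerZone -ComputerName $DnsServer -Name $Domain -ErrorAction SilentlyContinue
    if ($zone -and $zone.DynamicUpdate -eq 'None') {
        $problems.Add("Zone $Domain has dynamic updates disabled; DCs cannot register SRV records.")
    }

    # 6. Port 53: Test-NetConnection probes TCP only; UDP 53 must be open as well on
    #    any proxy or firewall in the path.
    $tcp = Test-NetConnection -ComputerName $DnsServer -Port 53 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $problems.Add("TCP 53 to $DnsServer is blocked; zone transfers and large responses will fail.")
    }

    if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } }
    else { 'No DNS locator problems found.' }
}

Test-AdDnsHealth -Domain 'corp.example' -DnsServer 'dc01.corp.example'
```

Run it from a management workstation against each DC in turn; every warning maps to one of the answers above (missing SRV records, the "." zone, a firewall blocking 53), so the output doubles as the troubleshooting order.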
What is Group Policy in Active Directory? What are Group Policy objects (GPOs)?
Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template.
The Group Policy container is an Active Directory container that stores GPO properties, including information on version, GPO status, and a list of components that have settings in the GPO.
The Group Policy template is a folder structure within the file system that stores Administrative Template-based policies, security settings, script files, and information regarding applications that are available for Group Policy Software Installation.
The Group Policy template is located in the system volume folder (Sysvol) in the \Policies subfolder for its domain.
What is the order in which GPOs are applied?
Group Policy settings are processed in the following order:
1. Local Group Policy object: Each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC.
The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
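The two storage locations and the processing order described above can both be read straight from a domain. The following is an added example, not code from the original post; it assumes the GroupPolicy and ActiveDirectory modules (GPMC on Windows Server 2008 R2 or later, or RSAT), and the GPO and OU names are placeholders:

```powershell
# Added example (not from the original post). Shows where a GPO's two halves live
# (Group Policy container in AD, Group Policy template in SYSVOL) and lists the GPOs
# an OU processes, in the order the client applies them. Assumes the GroupPolicy
# and ActiveDirectory modules; names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Show-GpoStorage {
    param([string]$GpoName)
    $gpo    = Get-GPO -Name $GpoName
    $domain = Get-ADDomain
    # Group Policy container (GPC): an AD object under CN=Policies,CN=System.
    $gpcDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$($domain.DistinguishedName)"
    # Group Policy template (GPT): the folder tree in SYSVOL\<domain>\Policies\{GUID}.
    $gptPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"
    [pscustomobject]@{
        Name            = $gpo.DisplayName
        GPC             = $gpcDn
        GPT             = $gptPath
        GptExists       = Test-Path $gptPath
        # Both halves carry a version counter; a mismatch means the AD side and the
        # SYSVOL side are out of sync (replication lag or an interrupted edit).
        ComputerVersion = 'AD {0} / SYSVOL {1}' -f $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion
        UserVersion     = 'AD {0} / SYSVOL {1}' -f $gpo.User.DSVersion, $gpo.User.SysvolVersion
        VersionsInSync  = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion) -and
                          ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion)
    }
}

function Show-GpoProcessingOrder {
    param([string]$OuDistinguishedName)
    # Get-GPInheritance returns the links from the domain and every parent OU already
    # sorted by precedence (first entry wins). Reversing that list gives the order in
    # which the client applies them: last applied = highest precedence. Site-linked
    # GPOs are not part of this list.
    $inh   = Get-GPInheritance -Target $OuDistinguishedName
    $links = @($inh.InheritedGpoLinks)
    [array]::Reverse($links)
    $step = 1   # step 0 would be the local GPO, which is not an AD object
    foreach ($l in $links) {
        $step++
        [pscustomobject]@{
            AppliedStep = $step
            Gpo         = $l.DisplayName
            LinkedAt    = $l.Target
            Enforced    = $l.Enforced
            Enabled     = $l.Enabled
        }
    }
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Block Inheritance is set on $OuDistinguishedName; only enforced parent links reach it."
    }
}

Show-GpoStorage -GpoName 'Default Domain Policy' | Format-List
Show-GpoProcessingOrder -OuDistinguishedName 'OU=Workstations,DC=corp,DC=example' | Format-Table -AutoSize
```

The version comparison is the practical reason to know about the two locations: when the GPC and GPT versions differ, clients may apply an older template than the one the administrator just edited, and replication between DCs is the first thing to look at.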
How to back up/restore Group Policy objects?
Begin the process by logging on to a Windows Server 2008 domain controller and opening the Group Policy Management console. Now, navigate through the console tree to Group Policy Management | Forest: <forest name> | Domains | <domain name> | Group Policy Objects.
When you do, the details pane should display all of the group policy objects that are associated with the domain. In Figure A there are only two group policy objects, but in a production environment you may have many more. The Group Policy Objects container stores all of the group policy objects for the domain.

Now, right-click on the Group Policy Objects container, and choose the Back Up All command from the shortcut menu. When you do, Windows will open the Back Up Group Policy Object dialog box.
As you can see in Figure B, this dialog box requires you to provide the path to which you want to store the backup files. You can either store the backups in a dedicated folder on a local drive, or you can place them in a folder on a mapped network drive. The dialog box also contains a Description field that you can use to provide a description of the backup that you are creating.

You must provide the path to which you want to store your backup of the group policy objects.
To initiate the backup process, just click the Back Up button. When the backup process completes, you should see a dialog box that tells you how many group policy objects were successfully backed up. Click OK to close the dialog box, and you're all done.
 

When it comes to restoring a backup of any Group Policy Object, you have two options. The first option is to right-click on the Group Policy Object, and choose the Restore From Backup command from the shortcut menu. When you do this, Windows will remove all of the individual settings from the Group Policy Object, and then implement the settings found in the backup.

Your other option is to right-click on the Group Policy Object you want to restore, and choose the Import Settings option. This option works more like a merge than a restore.
Any settings that presently reside within the Group Policy Object are retained unless there is a contradictory setting within the file that is being imported.
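The same three GPMC operations (Back Up All, Restore From Backup, Import Settings) are exposed by the GroupPolicy module, which is how they are usually scheduled. The following is an added example, not code from the original post; it assumes Windows Server 2008 R2 or later (or RSAT), and the backup path and GPO names are placeholders:

```powershell
# Added example (not from the original post). Scripted versions of the GPMC backup,
# restore and import operations. Assumes the GroupPolicy module (Windows Server
# 2008 R2+ or RSAT); paths and GPO names are placeholders.
Import-Module GroupPolicy

$backupRoot = 'D:\GPOBackups\{0}' -f (Get-Date -Format 'yyyy-MM-dd')   # placeholder path
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# 1. Back Up All: every GPO in the domain goes into its own {backup-id} folder under
#    $backupRoot; the description is stored in the backup manifest.
$backups = Backup-GPO -All -Path $backupRoot -Comment 'Scheduled backup before change window'
'{0} GPOs backed up to {1}' -f @($backups).Count, $backupRoot

# manifest.xml lists what was captured; keep it with the backup folders.
Get-ChildItem -Path $backupRoot -Filter manifest.xml

# 2. Restore From Backup: replaces the live GPO's settings with the backed-up ones.
#    The GPO must still exist in AD (for a deleted GPO, create it first or use Import-GPO).
Restore-GPO -Name 'Workstation Lockdown' -Path $backupRoot   # placeholder GPO name

# 3. Import Settings: loads the backed-up settings into a target GPO, which may be a
#    different GPO or in a different domain; -CreateIfNeeded makes the target if it
#    does not exist. Back the target up first so its pre-import state can be recovered.
Import-GPO -BackupGpoName 'Workstation Lockdown' -TargetName 'Workstation Lockdown - Pilot' -Path $backupRoot -CreateIfNeeded

# Review what a GPO contains before relying on a backup of it.
Get-GPOReport -Name 'Workstation Lockdown' -ReportType Html -Path (Join-Path $backupRoot 'Workstation Lockdown.html')
```

Keeping the backup folder on a share that GPO administrators cannot modify, and storing the HTML report beside it, gives a point-in-time record of what each policy contained, which is what an incident responder asks for when a GPO is found to have been altered.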
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?
1. Go to Start -> Programs -> Administrative Tools -> Active Directory Users and Computers.
2. Right-click on the domain and click Properties.
3. In the new window, click on the Group Policy tab.
4. Select the Default Policy and click Edit.
5. In the Group Policy console, go to User Configuration -> Administrative Templates -> Start Menu and Taskbar.
6. Select each property you want to modify, and repeat for the other settings you want to standardize.
What's the difference between software publishing and assigning?
Assign to users: The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the Start menu, or accesses a file that has been associated with the software application.
Assign to computers: The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.
Publish to users: The software application does not appear on the Start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in Control Panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.

What are administrative templates? 
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment. Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines.
An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.

ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified "namespace" in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).
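Both the desktop standardization question above and the Administrative Templates answer come down to the same mechanism: a GPO that writes registry-based policy values, linked to the container holding the department's users. The following is an added example, not code from the original post; it assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT), and the OU, share path and GPO name are placeholders. The registry keys are the documented policy keys that the Desktop and Start Menu templates write to:

```powershell
# Added example (not from the original post). Creates a department GPO, writes
# registry-based (Administrative Template) settings into it and links it to the
# department OU only. Assumes the GroupPolicy module; OU, share and GPO name are
# placeholders.
Import-Module GroupPolicy

$gpoName   = 'Sales Desktop Standard'                    # placeholder
$ouDn      = 'OU=Sales,DC=corp,DC=example'               # placeholder
$wallpaper = '\\fileserver\deploy\wallpaper\sales.jpg'   # placeholder, read-only share

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Standard desktop for the Sales department' }

# User Configuration > Administrative Templates > Desktop > Desktop Wallpaper
$systemKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $systemKey -ValueName 'Wallpaper'      -Type String -Value $wallpaper | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $systemKey -ValueName 'WallpaperStyle' -Type String -Value '2' | Out-Null   # 2 = stretch

# User Configuration > Administrative Templates > Start Menu and Taskbar
# "Remove Run menu from Start Menu" (NoRun) and "Lock the Taskbar" (LockTaskbar)
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'NoRun'       -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'LockTaskbar' -Type DWord -Value 1 | Out-Null

# Link to the department OU, not the domain, so other departments are untouched.
$alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Read back the registry values the GPO will push, straight from its policy store.
Get-GPRegistryValue -Name $gpoName -Key $explorerKey
```

Because every Administrative Template setting is just a value under HKCU or HKLM\Software\Policies (or the older Policies keys used here), the GPO can be audited by reading those values back, and a workstation can be checked against it by reading the same keys locally after gpupdate.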

Can I deploy non-MSI software with GPO?
Create a file with the .zap extension for the application.
Name some GPO settings in the computer and user parts?
A Group Policy Object (GPO) has two parts: Computer Configuration holds the computer settings and User Configuration holds the user settings.

A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
Make sure the user is not subject to a loopback policy: with loopback policy in effect, user settings do not take effect and only the computer policy is applicable. Also check whether he is a member of the group the GPO is filtered to.
You may also want to check the computer's event logs. If you find event ID 1085, you may want to download the patch to fix this and reboot the computer.
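The checks behind that answer (security filtering, loopback processing, event ID 1085, and finally a resultant-set-of-policy report for the user on that machine) can be run in one go against the user and computer concerned. The following is an added example, not code from the original post; it assumes the GroupPolicy and ActiveDirectory modules, that the computer sits in an OU, and that the user, computer and GPO names are placeholders:

```powershell
# Added example (not from the original post). Why did one user not get a GPO?
# Assumes the GroupPolicy and ActiveDirectory modules and remote event log access;
# user, computer and GPO names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoDelivery {
    param(
        [string]$GpoName  = 'Sales Desktop Standard',   # placeholder
        [string]$User     = 'jdoe',                     # placeholder sAMAccountName
        [string]$Computer = 'WS-SALES-07'               # placeholder computer name
    )

    # 1. Security filtering: the user, or a group he belongs to, needs Apply Group
    #    Policy on the GPO (Authenticated Users has it by default).
    $userGroups = (Get-ADUser $User -Properties MemberOf).MemberOf | ForEach-Object { (Get-ADGroup $_).Name }
    $applyTo = Get-GPPermission -Name $GpoName -All |
               Where-Object { $_.Permission -eq 'GpoApply' } |
               ForEach-Object { $_.Trustee.Name }
    $principals = @('Authenticated Users', $User) + @($userGroups)
    if (-not ($applyTo | Where-Object { $principals -contains $_ })) {
        Write-Warning "Security filtering: neither $User nor his groups have Apply Group Policy on '$GpoName'. Apply is granted to: $($applyTo -join ', ')"
    }

    # 2. Loopback: any GPO reaching the computer that sets UserPolicyMode (1 = merge,
    #    2 = replace) changes which user settings win on that machine.
    $compOu = (Get-ADComputer $Computer).DistinguishedName -replace '^CN=[^,]+,', ''
    foreach ($l in (Get-GPInheritance -Target $compOu).InheritedGpoLinks) {
        $v = Get-GPRegistryValue -Guid $l.GpoId -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
        if ($v) { Write-Warning "Loopback processing (mode $($v.Value)) is set by '$($l.DisplayName)' linked at $($l.Target)." }
    }

    # 3. Event ID 1085: a client-side extension failed to apply (System log on
    #    Vista/2008 and later; Application log on 2003).
    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{ LogName = 'System'; Id = 1085 } -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        Write-Warning ('Event 1085 at {0}: {1}' -f $e.TimeCreated, ($e.Message -split "`n")[0])
    }

    # 4. Resultant Set of Policy for this user on this computer, as an HTML report.
    $report = Join-Path $env:TEMP "rsop-$User-$Computer.html"
    Get-GPResultantSetOfPolicy -User $User -Computer $Computer -ReportType Html -Path $report | Out-Null
    "RSoP report written to $report"
}

Test-GpoDelivery -GpoName 'Sales Desktop Standard' -User 'jdoe' -Computer 'WS-SALES-07'
```

The RSoP report at the end is the same data gpresult produces; its "Denied GPOs" section names the reason (security filtering, WMI filter, disabled link) for every GPO that was in scope but not applied.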
How can I override blocking of inheritance ?
What can I do to prevent inheritance from above?
Name a few benefits of using GPMC.
How frequently is the client policy refreshed?
90 minutes, give or take.

Where is secedit?
It’s now gpupdate.
What can be restricted on Windows Server 2003 that wasn’t there in previous products?
Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
You want to create a new group policy but do not wish to inherit.
Make sure you check Block inheritance among the options when creating the policy.
How do the Group Policy 'No Override' and 'Block Inheritance' options work?
Group Policies can be applied at multiple levels (sites, domains, organizational units), with multiple GPs at each level. Some policy settings may therefore conflict, hence the application order of Site - Domain - Organizational Unit, and within each layer you set the order for all defined policies. You may also want to force some policies to never be overridden (No Override), and you may want some containers not to inherit settings from a parent container (Block Inheritance).
A good definition of each is as follows:
No Override - This prevents child containers from overriding policies set at higher levels
Block Inheritance - Stops containers inheriting policies from parent containers
No Override takes precedence over Block Inheritance so if a child container has Block Inheritance set but on the parent a group policy has No Override set then it will get applied.
Also, the highest No Override takes precedence over lower No Overrides.
To block inheritance perform the following:
  1. Start the Active Directory Users and Computer snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. Right click on the container you wish to stop inheriting settings from its parent and select Properties
  3. Select the 'Group Policy' tab
  4. Check the 'Block Policy inheritance' option
  5. Click Apply then OK
To set a policy to never be overridden perform the following:
  1. Start the Active Directory Users and Computer snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. Right click on the container you wish to set a Group Policy to not be overridden and select Properties
  3. Select the 'Group Policy' tab
  4. Click Options
  5. Check the 'No Override' option
  6. Click OK
  7. Click Apply then OK
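The precedence rules described above (level order, link order within a level, Block Inheritance, No Override with the highest No Override winning) are easy to state and easy to get wrong, so here they are as a small model that computes the apply order for a constructed hierarchy. This is an added example, not code from the original post; it touches no real domain, so it runs anywhere, and every container and GPO name in the scenario is made up for the example:

```powershell
# Added example (not from the original post). Model of GPO precedence: Site, Domain,
# OU order; lowest link order applied last; Block Inheritance drops non-enforced
# parent links; No Override (Enforced) links apply last, topmost winning.
# Container and GPO names in the scenario are constructed for the example.
function Get-GpoApplyOrder {
    param(
        # Ordered top-down path: site, domain, then each OU down to the target.
        # Each container: @{ Name; BlockInheritance; Links = @(@{ Gpo; Order; NoOverride }) }
        [object[]]$Containers
    )
    $normal   = New-Object System.Collections.Generic.List[object]
    $enforced = New-Object System.Collections.Generic.List[object]

    foreach ($c in $Containers) {
        # Block Inheritance discards every non-enforced link collected from the
        # containers above this one; enforced links survive it.
        if ($c.BlockInheritance) { $normal.Clear() }
        # Within one level the highest link order is processed first and the lowest
        # last, so the lowest order ends up with the highest precedence.
        foreach ($link in ($c.Links | Sort-Object { $_.Order } -Descending)) {
            $entry = [pscustomobject]@{ Gpo = $link.Gpo; Container = $c.Name }
            if ($link.NoOverride) { $enforced.Add($entry) } else { $normal.Add($entry) }
        }
    }
    # Local GPO first, then the surviving normal links top-down, then the enforced
    # links. Among enforced links the higher container wins, so they are applied in
    # reverse order (the topmost enforced link is applied last).
    $order = @('Local Group Policy')
    $order += @($normal | ForEach-Object { '{0} [{1}]' -f $_.Gpo, $_.Container })
    $reversedEnforced = @($enforced); [array]::Reverse($reversedEnforced)
    $order += @($reversedEnforced | ForEach-Object { '{0} [{1}, No Override]' -f $_.Gpo, $_.Container })
    return $order
}

# Constructed scenario: the domain sets No Override on its password policy, the Sales
# OU blocks inheritance, and the Field OU links two GPOs with different link orders.
$scenario = @(
    @{ Name = 'Site-HQ'; BlockInheritance = $false; Links = @(
        @{ Gpo = 'Site-Proxy'; Order = 1; NoOverride = $false }) },
    @{ Name = 'corp.example'; BlockInheritance = $false; Links = @(
        @{ Gpo = 'Default Domain Policy'; Order = 1; NoOverride = $true },
        @{ Gpo = 'Domain-Wallpaper';      Order = 2; NoOverride = $false }) },
    @{ Name = 'OU=Sales'; BlockInheritance = $true; Links = @(
        @{ Gpo = 'Sales-Desktop'; Order = 1; NoOverride = $false }) },
    @{ Name = 'OU=Field,OU=Sales'; BlockInheritance = $false; Links = @(
        @{ Gpo = 'Field-VPN';      Order = 2; NoOverride = $false },
        @{ Gpo = 'Field-Lockdown'; Order = 1; NoOverride = $false }) }
)

$step = 0
Get-GpoApplyOrder -Containers $scenario | ForEach-Object { $step++; '{0}. {1}' -f $step, $_ }
```

In the scenario the site and domain wallpaper links never reach the Field OU because Sales blocks inheritance, but the domain's No Override policy still lands, and it lands last, which is exactly the "No Override takes precedence over Block Inheritance" rule stated above. Swap the flags around to see how the order changes before relying on a real hierarchy behaving the way you expect.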
L2 Interview Question for Windows
1) What is the Difference between Win NT and Win 2000?
Ans:
Win NT                                     | Win 2000
No concept of Active Directory             | Concept of Active Directory
PDC, BDC (read-only copy)                  | DC, ADC (read/write copy)
Database stored in SAM (fixed size, 40 MB) | Database stored in NTDS.DIT (not fixed)
RIS not supported                          | RIS supported

2) What is the Difference between Win 2000 and Win 2003?
Ans:
Win 2000                                             | Win 2003
Can’t rename the domain                              | Can rename the domain
No authorization with DHCP                           | Authorization with DHCP
Can’t create a new domain tree in an existing forest | Can create a new domain tree in an existing forest

3) What are the versions in Win 2000?
Ans: Win 2000 Server, Win 2000 Advanced Server and Win 2000 Datacenter Server.
4) What are the versions in Win 2003?
Ans: Standard, Enterprise, Web and Datacenter editions.
5) How much RAM and how many processors are supported by the Win 2000 versions?
Ans: 2000 Server: 4 GB RAM, 4 processors; 2000 Advanced Server: 8 GB RAM, 8 processors; Datacenter Server: 64 GB RAM, 32 processors
6) How much RAM and how many processors are supported by the Win 2003 versions?
Ans: Standard: 4 GB; Web: 2 GB, 2 processors; Enterprise: 32 GB, 8 processors; Datacenter: 64 GB, 32 processors
7) What is the difference between Win 2000 Server and Advanced Server?
Ans: Network load balancing and clustering
8) Can I rename the Win 2003 DC?
Ans: If you have a Windows 2003 DC, you can use the Netdom tool to rename the DC. Netdom provides a secure and supported methodology to rename one or more domains. You can find the tool on the Windows 2003 installation CD-ROM.
9) What is Privilege mode?
Ans: A protected Memory Space Allocated for the win 2000 kernel that cannot be directly accessed by software applications.
9) In win2000, what is the partition Size, File Size in FAT 16?
Ans: 4 GB partition size and 2 GB File Size.
10) In win2000, what is the partition Size, File Size in FAT 32?
Ans: 2 GB to 2 TB partition size and 4GB file Size
11) In win2000, what is the Partition Size, File Size in NTFS?
Ans: 2 TB Partition size, File size is theoretically 16 Exabytes.
12) What is the difference between FAT and NTFS?
Ans: FAT does not support data compression and encryption.
13) What is the difference between Win98 and Windows XP?
Ans:
Win98                                   | Windows XP
Supports FAT16 and FAT32                | Supports FAT16, FAT32 and NTFS
No disk quotas                          | Disk quotas
Only disk compression                   | Supports data compression and encryption
No remote assistance and remote desktop | Remote assistance and remote desktop
14) What is System Restore?
15) What is the difference between a basic disk and a dynamic disk?
16) Can you convert dynamic to basic?
17) What is the difference between System Restore and Last Known Configuration?
18) What is the difference between Remote Assistance and Remote Desktop?
19) What is the difference between IP 4.0 and IP 6.0?
20) What is the difference between a router and a switch?
21) What is the difference between a switch and a hub?
22) A hub works in which layer?
23) A switch works in which layer?
24) A router works in which layer?
25) Describe all layers.
26) What are the port numbers of FTP, SMTP, Telnet, SMTP, DNS, DHCP, POP3, TFTP, SNTP?

PROFILES
1) What is profile?
Ans: Windows maintains a group of settings for each individual user that logs into the system. This group of settings is known as a user ‘profile’.
2) Where are the documents and settings for the roaming profile stored?
Ans: All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.
3) What is Roaming and Mandatory profile?
Ans: Roaming user profile: a user profile that is copied to a network server so that it can be downloaded to each workstation where the user logs on.
Mandatory profile: a user profile set up by the server administrator that is loaded from the server to the client each time the user logs on. Changes that the user makes to the profile are not saved.
Active directory:
1) What is the organizational unit?
Ans: OUs are additional container objects that can store users, computers, groups and other OUs.
2) What is the use of organizational unit?
Ans: Uses:
1) To control replication traffic
2) To make authentication faster and more efficient.
3) To locate the nearest server providing directory enabled services

3) What is Active Directory?
Ans: Active Directory is a centralized hierarchical directory database and it’s a directory service which contains information on all user accounts and shared resources on a network.
4) What are the main roles in Active Directory?
Ans: FSMO stands for Flexible Single Master Operations:
1) Domain naming master
2) Schema master
3) PDC emulator
4) RID master
5) Infrastructure master
5) What is the location and file system type where the Active Directory information is installed?
Ans: On an NTFS partition, c:\windows\ntds.dit and c:\windows\sysvol.
6) For the replication between DC and ADC some files are used; what is the location of that directory?
Ans: c:\windows\sysvol.
7) What is Kerberos?
Ans: This protocol is an Internet-standard authentication protocol that provides a higher level of security. It is more efficient than Windows NT LAN Manager.
8) What is Win NT LAN Manager (NTLM)?
Ans: This protocol enables users of Win95, Win98 and Win NT client computers to be authenticated to Win 2000 domains. This protocol is only available when Win 2000 Active Directory is configured to operate in mixed mode.
9) Which protocol plays the security role for authentication in 2000 and 2003?
Ans: Kerberos
10) What is the version of Kerberos in the 2003 OS?
Ans: Kerberos v5.5

11) What is the protocol used by Active Directory to perform its function?
Ans: LDAP: Lightweight Directory Access Protocol, based on TCP/IP.
12) What is the command which displays the DC, ADC and member servers?
Ans: Net accounts.
13) What is the command to make a server into a domain controller in Win 2000 and 2003?
Ans: DCPROMO
14) What type of backup is used to back up Active Directory?
Ans: System state data backup.
15) What command line utility is used on Windows 2000 Server domain controllers before they are upgraded to Windows 2003 domain controllers?
Ans:
1) adprep /forestprep
(This command must be issued on the Windows 2000 server holding the schema master role in the forest root domain, to prepare the existing schema to support Windows 2003 AD.)
2) adprep /domainprep
(Issued on the infrastructure master before Windows 2003 domain controllers are deployed.)
Note: the ad
prep tool is in the i386 directory of the Windows 2003 CD-ROM.
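Two of the questions above (the FSMO role holders, and Kerberos versus NTLM) are things an administrator is expected to be able to read off a live domain rather than recite. The following is an added example, not code from the original post; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) and read access to a domain controller's Security log, and the DC name is a placeholder:

```powershell
# Added example (not from the original post). Reads the five FSMO role holders and
# summarises which authentication package (Kerberos or NTLM) recent logons used.
# Assumes the ActiveDirectory module and Security log read access; the DC name is
# a placeholder.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster           # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster     # one per forest
        PdcEmulator          = $domain.PDCEmulator            # one per domain
        RidMaster            = $domain.RIDMaster              # one per domain
        InfrastructureMaster = $domain.InfrastructureMaster   # one per domain
    }
}

function Get-LogonAuthPackageSummary {
    param(
        [string]$DomainController = 'dc01.corp.example',   # placeholder
        [int]$Hours = 24
    )
    # Event 4624 (successful logon) records the authentication package: Kerberos for
    # normal domain logons, NTLM when a client fell back to NT LAN Manager.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Package   = $data['AuthenticationPackageName']
            LogonType = $data['LogonType']
            User      = $data['TargetUserName']
            Source    = $data['IpAddress']
        }
    }
    # NTLM logons from hosts that should be Kerberos-capable usually mean a missing
    # SPN, a connection by IP address instead of name, or a legacy client.
    $rows | Group-Object Package, LogonType | Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-FsmoRoleHolders | Format-List
Get-LogonAuthPackageSummary -DomainController 'dc01.corp.example' -Hours 24
```

The grouped counts are the starting point for reducing NTLM use: each NTLM row can be expanded with the User and Source fields to find which clients are still not authenticating with Kerberos.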

POLICIES :

1) What is Group Policy?
Ans:
2) Does Win NT support Group Policy?
Ans: No, it supports only system policy.
3) What is system policy?
4) What is the difference between system policy and group policy?
5) What is the policy order?
Ans: Local Group Policy - site level policy - domain level policy - organizational unit level policy
6) Is Group Policy applicable to Win 98, Win 95 and Win NT workstations?
Ans: No, only system policy is applicable.

7) In Win NT, where are policies stored?
Ans: NTCONFIG.POL
8) Suppose your server is Win 2000 and the clients are Win98 and Win95. Which policy is applicable, and where is it stored?
Ans: System policy, and the policies are stored in CONFIG.POL
9) In Win 2000, after assigning policies, which command is used to update the policies?
Ans: secedit /refreshpolicy user_policy /enforce
secedit /refreshpolicy machine_policy /enforce

10) In Win 2003, after assigning policies, which command is used to update the policies?
Ans: GPUPDATE
11) What is the order in which group policy is applied?
Ans: Local - Site Level - Domain Level - Organizational Unit

BACKUP:

1) What is user data?
2) What is system state data?
3) What are three primary tasks you can perform using Backup?
4) What is an emergency repair disk?
5) Who can take a backup?
6) What are the 2 types of restore you can perform on Active Directory?
Ans: Authoritative, non-authoritative.
7) List 3 Win2k tools used to recover from a system failure.
8) What is the tool used to create an ERD?
Ans: The Backup programme.
9) Which type of backup reduces the time needed to take a daily backup?
Ans: Incremental backup takes the least amount of time.

10) Which Win2k tool is used to restore user data on a DC?
Ans: Backup.
11) What is the command used to add the Recovery Console to the boot loader menu?
Ans: Winnt32 /cmdcons.
12) Which command is used to perform an authoritative restore before booting?
Ans: ntdsutil, then:
authoritative restore
restore database
restore subtree
13) In which mode do you restore system state data or the Active Directory database?
Ans: Directory Services Restore Mode.
14) What is the extension used for a backup file?
Ans: .bkf
15) Name the 5 standard types of backups.
Ans: Normal, daily, incremental, differential, copy.
16) Is it possible to back up and restore data on a network drive?
Ans: Yes, it is possible.
17) Is it possible to restore system state data on networked PCs?
Ans: No, it is not possible.
18) What is non-authoritative?
Ans:

19) What is a normal backup?
Ans: It is a full and complete backup used to back up all selected files and folders. It removes the archive bit from backed-up files and folders.

20) What is a copy backup?
Ans: A copy backup backs up all selected files and folders, but it does not remove or otherwise affect the archive bit.
21) What is an incremental backup?
Ans: It is used to back up all selected files and folders that have changed since the last normal backup or incremental backup. It removes the archive bit from the backed-up files and folders.

It is not cumulative. It takes less time to back up; multiple backup sets are required at the time of restore.

22) What is a differential backup?
Ans: It backs up all selected files and folders that have changed since the last normal backup.
It does not remove the archive bit. It is a cumulative backup. It takes more time to back up; the last backup set is used to restore.
23) What is a daily backup?
Ans: A daily backup backs up all selected files and folders that have changed during the day the backup is made.
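The five backup types above differ only in which files they select and whether they clear the archive bit afterwards, which is easiest to see by running them against a throwaway folder. The following is an added example, not code from the original post; it uses the real NTFS archive attribute that the Backup utility keys on, but only records which files each type would pick rather than copying data, and the files it creates are constructed for the example:

```powershell
# Added example (not from the original post). Model of the five backup types and the
# archive bit, run against a constructed temporary folder. Selection uses the real
# NTFS archive attribute; no data is copied, only file names are reported.
function Test-ArchiveBit {
    param([System.IO.FileInfo]$File)
    return (($File.Attributes -band [System.IO.FileAttributes]::Archive) -ne 0)
}

function Invoke-BackupType {
    param(
        [ValidateSet('Normal', 'Copy', 'Incremental', 'Differential', 'Daily')][string]$Type,
        [string]$Path
    )
    $today = (Get-Date).Date
    $files = @(Get-ChildItem -Path $Path -File)
    $selected = switch ($Type) {
        'Normal'       { $files }                                                      # everything
        'Copy'         { $files }                                                      # everything, chain untouched
        'Incremental'  { $files | Where-Object { Test-ArchiveBit $_ } }               # changed since last normal/incremental
        'Differential' { $files | Where-Object { Test-ArchiveBit $_ } }               # changed since last normal
        'Daily'        { $files | Where-Object { $_.LastWriteTime.Date -eq $today } } # modified today, bit ignored
    }
    # Only Normal and Incremental clear the bit; Copy, Differential and Daily leave it
    # set so they never disturb the normal/incremental chain.
    if ($Type -in 'Normal', 'Incremental') {
        foreach ($f in $selected) {
            if (Test-ArchiveBit $f) { $f.Attributes = $f.Attributes -bxor [System.IO.FileAttributes]::Archive }
        }
    }
    [pscustomobject]@{ Type = $Type; Files = (@($selected | ForEach-Object Name) -join ', ') }
}

# Constructed sandbox: three new files (the archive bit is set on creation), then a
# sequence of backups with edits in between. The incremental run clears the bit on
# the edited file, so the next differential no longer sees it: this is why
# incremental and differential backups are not mixed in one rotation.
$lab = Join-Path $env:TEMP ('backup-lab-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $lab | Out-Null
'a', 'b', 'c' | ForEach-Object { Set-Content -Path (Join-Path $lab "$_.txt") -Value "file $_" }

Invoke-BackupType -Type Normal       -Path $lab   # selects all three files and clears their bits
Add-Content -Path (Join-Path $lab 'a.txt') -Value 'edit 1'      # a.txt gets its bit back
Invoke-BackupType -Type Differential -Path $lab   # selects the edited file, leaves its bit set
Invoke-BackupType -Type Incremental  -Path $lab   # selects the same file and clears its bit
Add-Content -Path (Join-Path $lab 'b.txt') -Value 'edit 2'
Invoke-BackupType -Type Differential -Path $lab   # sees only b.txt now, although a.txt changed since the normal backup
Invoke-BackupType -Type Copy         -Path $lab   # selects everything, touches no bits
Remove-Item -Path $lab -Recurse -Force
```

The same logic explains the restore answers above: a normal plus the single latest differential is enough to restore, whereas a normal plus every incremental since it is needed, in order, because each incremental only holds what changed since the previous one.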
24) Backup utility advanced mode features?
Ans: 1) Backup wizard
2) Restore wizard
3) ERD

25) Backup Wizard options:
Back up everything.
Back up selected files, drives.
Only back up system state data.

26) What is non-authoritative?
Tape drives & models
HP DDS3 DAT tape drive | HP DDS3 DAT tape drive
Model C1537            | Model C1537E
SCSI internal, 50 pin  | SCSI external, 50 pin
Capacity 12/24 GB      | Capacity 12/24 GB

Print Management & Administration
1) What is a printer in Win2k terminology?
Ans: It is the software interface between the Win2k OS and the device that produces the printed output.

2) Which Win2k printing term is defined as a printer that has multiple ports and multiple print devices assigned to it?
Ans: Printer pool
3) Name 3 printer permissions.
Ans: Print, Manage Documents, Manage Printers

4) What is EMF?
5) Print process:
Ans:
1. The user starts the print process from an application (e.g. MS Word).
2. The print job (data and commands to print a document) goes to the GDI, which makes a request to the printer driver.
3. The driver converts the file into EMF or RAW and passes it back to the GDI.
4. The Win2k spooler determines whether the printer is local or on the network.
   Local: local print provider -> print processor -> print monitor -> communicates directly with the print device.
   Network: network print provider -> spooler on the print server (HDD) -> print processor -> print monitor -> print device.
 
6) What is the print spooler?
Ans: The print spooler is a temporary storage area for print jobs waiting to be sent to a print device. It is located in Systemroot\system32\spool\printers.
7) Who can add printers and manage printers?
Ans: Administrators or Power Users (built in)

8) Adding a printer on a remote computer
Ans: Start Windows Explorer > click My Network Places > Entire Network > domain or workgroup > select the computer > highlight the Printers folder > double-click the Printers folder.
9) Adding printers to a printer pool
Ans: On the Ports tab, select the ports (1) LPT1, (2) LPT2, (3) LPT3 and check Enable printer pooling.
10) Printer priorities

Ans: 99 is the highest, for managers
1 is the lowest, for employees

Note: if managers and employees send print jobs to the same print device, you can set priorities.

11) Print permissions are
Print: send only print jobs to the printer.
Manage Documents: resume, restart and delete print jobs.
Manage Printers: perform all tasks, also share printers, change spooler settings and assign printer permissions.
12) What is a printer?
Ans: A printer is software which acts as an interface between the print device and the operating system.
13) What is a print device?
Ans: A print device is a hardware component which is attached to the system to print documents.
 
14)What is local print device?
Ans: print device which is attached to the local system.
15)What is network print device?
Ans:print device which is there in the network.
16) What is print server?
Ans:The computer responsible for managing the print queues for group of printers.
17) What is print queue?
Ans: The collection of print jobs waiting to be printed by a specific printer.

DHCP (Dynamic Host Configuration Protocol) port: 67
1) What is DHCP?
Ans: DHCP is a TCP/IP protocol that provides a way to dynamically allocate IP addresses to computers on the network.
2) Advantages of DHCP?
Ans: Centrally manages IP address allocation
Helps prevent address conflicts
Reduces administrative effort
Helps conserve IP addresses
3) What is a SCOPE?
Ans: It is a range of IP addresses which is assigned to computers requesting a dynamic IP address.
4) What is authorization?
Ans: It is a security precaution that ensures that only authorized DHCP servers can run in the network, to avoid computers running illegal DHCP servers in the network.
5) We’ve installed a new Windows-based DHCP server; however, the users do not seem to be getting DHCP leases off of it.
Ans: The server must be authorized first with the Active Directory.
6) How can you force the client to give up the DHCP lease if you have access to the client PC?
Ans: ipconfig /release
7) Cannot find DHCP Server
Ans: Cause: the DHCP service is stopped or disabled.
8) How to restore or move a DHCP database to another computer
Ans: The DHCP database is contained in the Dhcp.mdb file located in the %SystemRoot%\System32\Dhcp folder. The DHCP server uses this file to record and store information concerning active leases and reservations. After you install a new DHCP server, you can copy Dhcp.mdb into the above-mentioned location.

9) Describe how the DHCP lease is obtained.
Ans: It’s a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection and (d) acknowledgement.
10) What is a superscope?
Ans: A superscope is assigned a range of IP addresses that can be assigned to DHCP clients that reside on multiple subnets.
11) What is a multicast scope?
Ans: A multicast scope contains a range of class D multicast IP addresses, and is used to assign these addresses to client computers that request them.

12) What is the difference between a scope and a superscope?
Ans: A scope is assigned a range of IP addresses that can be assigned to DHCP clients that reside on a single subnet, whereas a superscope is assigned a range of IP addresses that can be assigned to DHCP clients that reside on multiple subnets.
13) What is BOOTP?
14) What is the range of a multicast scope?
Ans: Only the IP address range from 224.0.0.0 to 239.255.255.255
DNS (Domain Name System) port: 53
What is the difference between WINS and DNS?
Ans: WINS resolves NetBIOS names to IP addresses, whereas DNS resolves host names to IP addresses.
1) List the types of DNS servers.
Ans: Standard primary, standard secondary, Active Directory integrated zone, root
 
4) What is the primary purpose of DNS?
Ans: Host name resolution.
5) What is start of authority (SOA)?
Ans: It contains the serial number, which indicates the modifications made to the zone.
6) What is Dynamic DNS?
Ans: It dynamically updates the service records.
7) What is the maximum character size of a DNS name?
Ans: 63
What is the maximum character size of a WINS name?
9) What is a zone or zone file?
Ans: A zone is a database for either a DNS domain or for a DNS domain and one or more of its subdomains. This storage database is a special text file called the zone or zone file.
11) Why are multiple DNS servers created for the same zone?
Ans: Load balancing and fault tolerance.
12) What is a caching-only server?
Ans: A caching-only server does not host any zones. It resolves host names to IP addresses for client computers and stores the resulting mapping information in its cache. This DNS server then provides the cached information to client computers without contacting other DNS servers to resolve the query.
It is temporary storage of zone information.
13) What is zone transfer?
Ans: The process of copying a zone to another standard DNS server is called zone transfer.
14) What is a master DNS server?
Ans: The DNS server that contains the master copy of the zone information is called the master DNS server.
15) What are forwarders?
Ans: Queries that one DNS server cannot resolve internally are forwarded to another DNS server, which acts as the forwarder.
17) Which protocol is supported by the DNS server?
Ans: Dynamic Update protocol.
18) What are the four service records?
Ans: _msdcs, _sites, _tcp, _udp
19) What are the six service records in Windows 2003?
Ans: _msdcs (Microsoft domain controller services): contains the information about which domain controller is hosting the zone.
_sites: in which site the zone has been configured.
_tcp & _udp: these are the two protocols that are responsible for communicating with Active Directory.
DomainDnsZones & ForestDnsZones: in which domain and forest DNS has been configured.
19) What is a resource record?
Ans: The entries in a zone are called resource records. An entry may be, for example, a host name to IP address mapping.
20) What is the primary thing you have to do on a DNS server before it starts resolution of host names?
21) When will you configure a root DNS server?
Ans: A root server should be used only when a network is not connected to the Internet, or when a network is connected to the Internet by using a proxy server.
22) What is a forward lookup zone?
Ans: Resolves host names to IP addresses.
23) What is a reverse lookup zone?
Ans: Resolves IP addresses to host names.
24) What is a standard primary zone?
Ans: A standard primary DNS server stores DNS entries (IP address to host mappings and other DNS resource records) in a zone file that is maintained on the server. The primary server maintains the master copy of the zone file. When changes need to be made to the zone, they should be made only on the standard primary server.
25) What is a standard secondary zone?
Ans: A standard secondary DNS server stores copies of zones from the standard primary.
26) What is a root server?
Ans: A root server contains a copy of a zone for the root domain: either the root domain for the Internet, or the root domain for a company’s private, internal network. The purpose of the root server is to enable other DNS servers on a network to access the second-level domains on the Internet.
Note: A root server should be used only when a network is not connected to the Internet, or when a network is connected to the Internet by using a proxy server.


27) What is round robin?
Ans: Round robin is used when multiple servers (such as web servers) have identical configurations and identical host names, but different IP addresses.
28) Can you configure a root server to use a forwarder?
Ans: No.
29) What are root hints?
Ans: Root hints are server name and IP address combinations that point to the root servers located either on the Internet or on your organization’s private network.
The Root Hints tab contains the list of DNS servers that can be contacted to resolve client DNS queries.
It maintains the information of the 13 root servers.
32) What is an Active Directory integrated zone?
Ans: An Active Directory integrated DNS server is just like a standard primary, except that the DNS entries are stored in the Active Directory data store rather than in a zone file. Active Directory supports multi-master replication, so when changes need to be made to the zone, they can be made on any Active Directory integrated DNS server that contains the zone.
 
33) What is a simple query?
Ans: A simple query is a query that a DNS server can resolve without contacting any other DNS servers.
34) What is a recursive query?
Ans: A recursive query is a query that the DNS server cannot resolve itself; it must contact one or more additional DNS servers to resolve the query.
35) What is scavenging?
Ans: Scavenging is the process of searching for and deleting stale resource records in a zone.
PTR: Pointer resource record
SRV: Service locator resource record

36) What is SRV?
Ans: Used to map a specific service (TCP/IP) to the list of servers that provide that service.
37) What is CNAME?
Ans: Alias resource record. Used to map an additional host name to the actual name of the host.
38) What is a stub zone in 2003?
Ans: A stub zone contains the name server (NS) and start of authority (SOA) information. It gives the information about which system, which server and which domain DNS has been configured in.
The properties of DNS in the Advanced tab:
Disable Recursion (also disables forwarders):
By default this option is unchecked, meaning that recursion is enabled.
BIND Secondaries:
Concerns the zone transfers between the primary and secondary (replication between primary and secondary) when BIND is the secondary server.
Fail on load if bad zone data:
By default this option is unchecked, meaning that even if the zone contains some errors it will be loaded; if it is checked, the zone will not be loaded.
Enable Round Robin:
If the same name is present multiple times in the zone (with different addresses), the query is answered in round-robin fashion until it is resolved.
Enable Netmask Ordering:
This option is used for a DNS server maintained on a multihomed PC (a PC having multiple NICs) and for resolving the queries of clients in different subnets.
>What new attributes support the RODC Password Replication Policy?
Password Replication Policy is the mechanism for determining whether a user or computer’s credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.
The following attributes have been added to the Active Directory schema to expedite the functionality that is required for RODC caching operations:
  • msDS-Reveal-OnDemandGroup. This attribute points to the distinguished name (DN) of the Allowed List. The credentials of the members of the Allowed List are permitted to replicate to the RODC.
  • msDS-NeverRevealGroup. This attribute points to the distinguished names of security principals whose credentials are denied replication to the RODC. This has no impact on the ability of these security principals to authenticate using the RODC. The RODC never caches the credentials of the members of the Denied List. A default list of security principals whose credentials are denied replication to the RODC is provided. This improves the security of RODCs that are deployed with default settings.
  • msDS-RevealedList. This attribute is a list of security principals whose current passwords have been replicated to the RODC.
  • msDS-AuthenticatedToAccountList. This attribute contains a list of security principals in the local domain that have authenticated to the RODC. The purpose of the attribute is to help an administrator determine which computers and users are using the RODC for logon. This enables the administrator to refine the Password Replication Policy for the RODC.
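As an added example (not Microsoft code and not code from the original page), the following Python models the four attributes above as sets of distinguished names and applies the documented rules: Denied List members are never cached, even when they also appear in the Allowed List, and anything not allowed stays at the default of not being cached. The group membership dict stands in for LDAP lookups and every DN is constructed.

```python
"""Password Replication Policy evaluation, modelled on the msDS-* attributes.

Added example, not Microsoft code. The four attributes are modelled as Python
sets of distinguished names (DNs); GROUP_MEMBERS is a constructed stand-in for
LDAP group-membership lookups. All DNs below are constructed sample values.
"""
from dataclasses import dataclass, field

ALLOWED_GROUP = "CN=Allowed RODC Password Replication Group,CN=Users,DC=corp,DC=example"
DENIED_GROUP = "CN=Denied RODC Password Replication Group,CN=Users,DC=corp,DC=example"
BRANCH_USER = "CN=branch.user,OU=Branch1,DC=corp,DC=example"   # allowed only
DUAL_USER = "CN=dual.member,OU=Branch1,DC=corp,DC=example"     # in both groups
HQ_ADMIN = "CN=hq.admin,OU=HQ,DC=corp,DC=example"              # denied only
VISITOR = "CN=visitor,OU=HQ,DC=corp,DC=example"                # in neither group

# Constructed group membership: group DN -> set of member DNs.
GROUP_MEMBERS = {
    ALLOWED_GROUP: {BRANCH_USER, DUAL_USER},
    DENIED_GROUP: {HQ_ADMIN, DUAL_USER},
}


def is_member_of_any(principal, dns):
    """True if the principal is listed directly or belongs to a listed group."""
    return principal in dns or any(principal in GROUP_MEMBERS.get(g, set()) for g in dns)


@dataclass
class RodcPasswordPolicy:
    reveal_on_demand: set                               # msDS-Reveal-OnDemandGroup (Allowed List)
    never_reveal: set                                   # msDS-NeverRevealGroup (Denied List)
    revealed: set = field(default_factory=set)          # msDS-RevealedList
    authenticated_to: set = field(default_factory=set)  # msDS-AuthenticatedToAccountList

    def can_cache(self, principal):
        """Deny wins over allow; anything not explicitly allowed is not cached."""
        if is_member_of_any(principal, self.never_reveal):
            return False
        return is_member_of_any(principal, self.reveal_on_demand)

    def authenticate(self, principal):
        """A logon through the RODC: record it, and cache the secret if the PRP permits.
        Returns True when the credentials are now cached on the RODC."""
        self.authenticated_to.add(principal)
        if self.can_cache(principal):
            self.revealed.add(principal)   # filled by the RSO replication of the password
            return True
        return False

    def wan_dependent_accounts(self):
        """Accounts that used this RODC for logon but have no cached password:
        their next logon fails if the WAN link to the hub is down. This is the
        review the page describes msDS-AuthenticatedToAccountList being for."""
        return self.authenticated_to - self.revealed


def sample_policy():
    """A PRP using the two default groups as its Allowed and Denied lists."""
    return RodcPasswordPolicy({ALLOWED_GROUP}, {DENIED_GROUP})
```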

>How can you clear a password that is cached on an RODC?
There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches.
In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it—or the new password is prepopulated on the RODC—and if the PRP has not been changed. In the event that an RODC is compromised, you should reset the passwords for all accounts that have cached passwords and then rebuild the RODC.

>Can an RODC replicate to other RODCs?
No, an RODC can only replicate from a writable Windows Server 2008 domain controller. In addition, two RODCs for the same domain in the same site do not share cached credentials. You can deploy multiple RODCs for the same domain in the same site, but it can lead to inconsistent logon experiences for users if the WAN to the writeable domain controller in a hub site is offline.
This is because the credentials for a user might be cached on one RODC but not the other. If the WAN to a writable domain controller is offline and the user tries to authenticate with an RODC that does not have the user’s credentials cached, then the logon attempt will fail.

>What operations fail if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:
  • Password changes
  • Attempts to join a computer to a domain
  • Computer rename
  • Authentication attempts for accounts whose credentials are not cached on the RODC
  • Group Policy updates that an administrator might attempt by running the gpupdate /force command.
>What operations succeed if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations succeed:
  • Authentication and logon attempts, if the credentials for the resource and the requester are already cached.
  • Local RODC server administration performed by a delegated RODC server administrator.
>Will RODC support my Active Directory–integrated application?
Yes, RODC supports an Active Directory–integrated application if the application conforms to the following rules:
  • If the application performs write operations, it must support referrals (enabled by default on clients).
  • The application must tolerate Write outages when the hub is offline.
>Does an RODC contain all of the objects and attributes that a writable domain controller contains?
Yes, an RODC contains all the objects that a writable domain controller contains. If you compare the LDAP store on a writable domain controller to the LDAP store of an RODC, they are identical, except that the RODC does not contain all of the credentials or attributes that are defined in the RODC filtered attribute set.
>Why does the RODC not have a relative ID (RID) pool?
All writable domain controllers can allocate RIDs from their respective RID pools to create security principals as needed. Because an RODC cannot create security principals, it cannot provide any RIDs, and it is never allocated a RID pool.
>Can I list the krbtgt account that is used by each RODC in the domain?
Yes. To list the krbtgt account that is used by each RODC in the domain, type the following command at a command line, and then press ENTER:
Repadmin /showattr <WritableDcName> <distinguished name of the domain partition> /subtree /filter:"(&(objectclass=computer)(msDS-Krbtgtlink=*))" /atts:msDS-krbtgtlink
>How does the client DNS update referral mechanism work?
Because the DNS server that runs on an RODC cannot directly register client updates, it has to refer the client to a DNS server that hosts a primary or Active Directory-integrated copy of the zone file. This server is sometimes referred to as a “writable DNS server.” When a client presents a Find Authoritative Query, which is the precursor to an update request, the DNS server on the RODC uses the domain controller Locator to find domain controllers in the closest site.
The RODC then compares the list of domain controllers that is returned with the list of name server (NS) resource records that it has. The RODC returns to the client the NS resource record of a writable DNS server that the client can use to perform the update. The client can then perform its update.
If no domain controller in the closest site matches an entry in the list of NS records for the zone, the RODC attempts to discover any domain controller in the forest that matches an entry in the list.
Suppose that a new client is introduced to a site that has a DNS server running only on an RODC. In this case, the RODC DNS server tries to replicate the DNS record that the client has tried to update on the writable DNS server. This occurs approximately five minutes after the RODC provides a response to the original Find Authoritative Query.
If the DNS client on the RODC attempts a DNS update, a writable domain controller running Windows Server 2008 is returned so that the RODC can perform the update.

>Why doesn’t the KCC on writable domain controllers try to build connections from an RODC? 
To build the replication topology, the Knowledge Consistency Checker (KCC) examines the following:
  • All the sites that contain domain controllers
  • The directory partitions that each domain controller holds
  • The cost that is associated with the site links to build a least-cost spanning tree
The KCC determines if there is a domain controller in a site by querying AD DS for objects of the NTDS-DSA category—the objectcategory attribute value of the NTDS Settings object. The NTDS Settings objects for RODCs do not have this object category. Instead, they support a new objectcategory value named NTDS-DSA-RO.
As a result, the KCCs on writable domain controllers never consider an RODC as part of the replication topology. This is because the NTDS Settings objects are not returned in the query.
However, the KCC on an RODC also needs to consider the local domain controller (itself) to be part of the replication topology to build inbound connection objects. This is achieved by a minor logic change to the algorithm that the KCC uses on all domain controllers running Windows Server 2008 that forces it to add the NTDS Settings object of the local domain controller to the list of potential domain controllers in the topology. This makes it possible for the KCC on an RODC to add itself to the topology. However, the KCC on an RODC does not add any other RODCs to the list of domain controllers that it generates.

>How does the KCC build inbound connections locally on an RODC when the RODC is supposed to be read-only?
An RODC is completely read-only from the perspective of external clients, but it can internally originate changes for a limited set of objects. It permits replicated write operations and a limited set of originating write operations.
Both the KCC and the replication engine are special “writers” on an RODC. The replication engine performs replicated write operations on an RODC in exactly the same way as it does on the read-only partitions of a global catalog server that runs Windows Server 2003. The KCC is permitted to perform originating write operations of the objects that are required to perform Active Directory replication, such as connection objects.

>Why does an RODC have two inbound connection objects?
This is because File Replication Service (FRS) requires its own pair of connection objects in order to function correctly. In previous versions of Windows Server, FRS was able to utilize the existing connection objects between two domain controllers to support its replication of SYSVOL content.
However, because an RODC only performs inbound replication of Active Directory data, a reciprocal connection object on the writable replication partner is not needed.
Consequently, the Active Directory Domain Services Installation Wizard generates a special pair of connection objects to support FRS replication of SYSVOL when you install an RODC. The FRS connection objects are not required by DFS Replication.

>How does RODC connection failover work?
If the bridgehead replication partner of an RODC becomes unavailable, the KCC on the RODC builds a connection to another partner. By default, this happens after about two hours, which is the same for a writable domain controller. However, the FRS connection object on an RODC must use the same target as the connection object that the KCC generates on the RODC for Active Directory replication. To achieve this, the fromServer value on the two connections is synchronized.
However, the trigger for changing the fromServer value on the FRS connection object is not the creation of the new connection; instead, it is the removal of the old connection. The removal step happens some hours after the new connection object is created. Consequently, the fromServer value continues to reference the original partner until the old connection is removed by the KCC.
A side effect of this is that while Active Directory replication works successfully against the new partner, FRS replication fails during this period. The additional delay is by design—it avoids causing FRS to perform an expensive VVJoin operation against the new partner, which is unnecessary if the outage of the original partner is only temporary.

>How can an administrator delete a connection object locally on an RODC?
The KCC on an RODC will build inbound connection objects for Active Directory replication. These objects cannot be seen on other writeable domain controllers because they are not replicated from the RODC.
You cannot use the Active Directory Sites and Services snap-in to remove these connection objects, but you can use Ldp.exe or Adsiedit.msc. The KCC on the RODC will then rebuild a connection. This way, you can trigger redistribution of connection objects across a set of RODCs that have site links to a single hub site that has multiple bridgehead servers.

>How can an administrator trigger replication to an RODC?
You can use the following methods:
  1. By running the repadmin /replicate or repadmin /syncall operations.
  2. By using the Active Directory Sites and Services snap-in. In this case, you can right-click the connection object and click Replicate Now.
  3. You can use Active Directory Sites and Services on a writable domain controller to create an inbound replication connection object on any domain controller, including an RODC, even if no inbound connection exists on the domain controller. This is similar to running a repadmin /add operation.
>How are writable directory partitions differentiated from read-only directory partitions?
This comes from an attribute on the directory partition head called instancetype. This is a bit mask. If bit 3 (0x4) is set, the directory partition is writable. If the bit is not set, the directory partition is read-only.

>Why can an RODC only replicate the domain directory partition from a domain controller running Windows Server 2008 in the same domain?
This is how the filtering of secrets is enforced during inbound replication to an RODC. A domain controller running Windows Server 2008 is programmed not to send secret material to an RODC during replication, unless the Password Replication Policy permits it. Because a domain controller running Windows Server 2003 has no concept of the Password Replication Policy, it sends all secrets, regardless of whether they are permitted.

>How does the KCC differentiate between domain controllers running Windows Server 2003 and domain controllers running Windows Server 2008?
The NTDS-DSA object has an msDS-Behavior-Version attribute. A value of 2 indicates that the domain controller is running Windows Server 2003. A value of 3 indicates that it is running Windows Server 2008.

>Why are built-in groups such as Account Operators and Server Operators specified separately in the Denied List attribute, but not in the Denied RODC Password Replication Group?
The Allowed RODC Password Replication Group and the Denied RODC Password Replication Group are domain local groups. Domain local groups cannot contain built-in groups.

>What actually happens when you add a user to an Administrator Role Separation role?
The configuration adds entries to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\lsa\rodcroles
  • Name: 544
  • Data type: REG_MULTI_SZ
  • Value: S-1-5-21-760266474-1386482297-4237089879-1107
The role is denoted by the entry name; 544, for example, is the well-known RID for the builtin\administrators group. Then, each value represents the security identifier (SID) of a user who has been assigned to the role.

>How can an administrator determine the closest site for any given site?
  • Look at the site link costs that appear in Active Directory Sites and Services.
-or-
  • After an RODC is installed successfully in an Active Directory site, run the nltest command against the RODC.
The following example shows the command and the results:
C:\>nltest /dsgetdc:rodc /server:rodc-dc-02 /try_next_closest_site /avoidself
DC: \\HUB-DC-01
Address: \\2001:4898:28:4:5e1:903a:7987:eea5
Dom Guid: 00e80237-c5ce-4143-b0b8-cfa5c83a5654
Dom Name: RODC
Forest Name: rodc.nttest.contoso.com
Dc Site Name: Hub
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET
The command completed successfully.

>Why does %logonserver% have the name of a domain controller in my hub site rather than the RODC in my site? 
If your user account password cannot be replicated to the RODC in your site or if the RODC does not currently have your password, the Kerberos AS_REQ is forwarded to a hub domain controller that provides your TGT.
The process that updates the environment variables uses the hub domain controller as the logon server for the environment variable. The %logonserver% environment variable is not updated for the duration of that logon session, even though the user is forced to reauthenticate against the RODC.

>Password changes are not always “chained” by an RODC. Why?
Some password-change operations, such as a user initiating a password-change request by pressing Ctrl+Alt+Del, specifically require a writable domain controller. When the client computer detects that the RODC is not writable, it locates a writable domain controller instead. Other password-change operations, such as a user’s password expiring and when the user is prompted to change it at logon, do not specifically require a writable domain controller.

>How does a hub domain controller recognize that a request to replicate a password is coming from an RODC?
The RODC does a bind and calls the “replicate single object” application programming interface (API). The binding handle shows that it is an RODC account.

>Why does an RODC replicate in a cached password both by RSO operation and normal replication?
When a single object is replicated to the RODC in the branch site, the update sequence number (USN) and the high-water mark are not updated. As a result, the object is replicated to the branch site again at a later time.

>Does an RODC perform password validation forwarding even when it has a password for a user?
Yes, in the case where a user presents a password that does not match what the RODC has stored locally, the RODC will forward the authentication request. The RODC forwards the request to the writable Windows Server 2008 domain controller that is its replication partner, which in turn forwards the request to the PDC emulator if required. If the authentication is validated at the writable Windows Server 2008 domain controller or the PDC emulator, the RODC will purge the currently stored password and replicate the new password by RSO operation.

>Can you remove the last domain controller in a domain if there are unoccupied (or disabled) RODC accounts in the domain?
As for all previous versions of Windows Server, it is a requirement that all other domain controllers have been removed from the domain before you can remove the last domain controller. For Windows Server 2008, this requirement includes the removal of all RODCs and the removal of any precreated but unused RODC accounts.

>What relevant RODC event log entries are there?
If an RODC attempts a Replicate Single Object (RSO) operation to cache a password that the Password Replication Policy prevents from replicating to the RODC, the hub domain controller that the RODC contacts logs event ID 1699.
The details for event ID 1699 include:
Log Name: Directory Service
Source: NTDS Replication
Date: 5/2/2006 2:37:39 PM
Event ID: 1699
Task Category: Replication
Level: Error
Keywords: Classic
User: RODC\RODC-DC-02$
Computer: HUB-DC-01
Description:
This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.
Directory partition:
CN=test10,OU=Branch1,OU=Branches,DC=rodc,DC=nttest,DC=contoso,DC=com
Network address:
c6ef8d14-f015-4cd0-94cc-c7f5c9c834ba._msdcs.rodc.nttest.contoso.com
Extended request code:
7
Additional Data
Error value:
8453 Replication access was denied.
A successful logon logs event ID 4768 on the hub domain controller and on the RODC.
The details of event ID 4768 on the hub domain controller include the following:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/2/2006 3:58:05 PM
Event ID: 4768
Task Category: Kerberos Ticket Events
Level: Information
Keywords: Audit Success
User: N/A
Computer: hub-dc-01.rodc.nttest.contoso.com
Description:
Authentication Ticket Request:
Account Name: test10
Supplied Realm Name: RODC
User ID: S-1-5-21-3503915162-2421288034-2003080229-1128
Service Name: krbtgt
Service ID: S-1-5-21-3503915162-2421288034-2003080229-502
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 2001:4898:28:4:6182:4acd:65c9:283a
Client Port: 55763
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
At the default Event log settings, no replication event shows that the password has replicated to the RODC.
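Event ID 1699 with error 8453, raised by a computer account, is the signature described above for an RSO attempt that the Password Replication Policy blocked. As an added Python example (not code from the original page), here is a small parser for the exported "Key: value" event layout shown above that picks out such events for review; the log text is constructed, and only its layout follows the page.

```python
"""Flag PRP-blocked Replicate Single Object attempts in exported event text.

Added example, not from the original page. It parses the "Key: value" layout
of exported Directory Service events and flags event ID 1699 from
"NTDS Replication" whose error value is 8453 and whose caller is a computer
account (name ending in "$"), i.e. an RODC that asked a hub DC for a password
it is not allowed to cache. SAMPLE_LOG is constructed; the GUID is a placeholder.
"""
import re

SAMPLE_LOG = """\
Log Name: Directory Service
Source: NTDS Replication
Date: 1/1/2012 9:00:00 AM
Event ID: 1699
Task Category: Replication
Level: Error
Keywords: Classic
User: CORP\\BRANCH-RODC-01$
Computer: HUB-DC-01
Description:
This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.
Directory partition:
CN=svc_backup,OU=Branch1,DC=corp,DC=example
Network address:
PLACEHOLDER-GUID._msdcs.corp.example
Extended request code:
7
Additional Data
Error value:
8453 Replication access was denied.

Log Name: Directory Service
Source: NTDS Replication
Date: 1/1/2012 9:05:00 AM
Event ID: 1699
Task Category: Replication
Level: Error
Keywords: Classic
User: CORP\\ops.user
Computer: HUB-DC-01
Description:
This directory service failed to retrieve the changes requested for the following directory partition.
Directory partition:
CN=Configuration,DC=corp,DC=example
Error value:
1722 The RPC server is unavailable.
"""


def parse_event(text):
    """Turn one event's text into a dict. A line that ends in ':' takes its
    value from the next non-empty line, as the export layout does."""
    fields, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if pending is not None:
            fields[pending], pending = line, None
        elif line.endswith(":"):
            pending = line[:-1]
        elif ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
        # lines without a colon ("Additional Data") are section labels; skipped
    return fields


def split_events(log_text):
    """Each exported event starts with a 'Log Name:' line."""
    return [c for c in re.split(r"(?m)^(?=Log Name:)", log_text) if c.strip()]


def is_prp_blocked_rso(event):
    return (event.get("Source") == "NTDS Replication"
            and event.get("Event ID") == "1699"
            and event.get("Error value", "").startswith("8453")
            and event.get("User", "").endswith("$"))   # computer (RODC) account


def find_blocked_rso(log_text):
    """Return (rodc_account, target_dn, hub_dc) for each blocked RSO attempt."""
    hits = []
    for chunk in split_events(log_text):
        ev = parse_event(chunk)
        if is_prp_blocked_rso(ev):
            hits.append((ev["User"], ev.get("Directory partition", ""), ev.get("Computer", "")))
    return hits


if __name__ == "__main__":
    for rodc, target, hub in find_blocked_rso(SAMPLE_LOG):
        print(f"{rodc} was refused the secret of {target} by {hub}")
```

The second sample event is a 1699 with a different error value and a user account as caller, so it is left alone: only the PRP denial (8453 from a computer account) is reported.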

DHCP : Dynamic Host Configuration Protocol
Hi Friends,
Let’s support our organizations with a simple way of IP management. DHCP stands for Dynamic Host Configuration Protocol.
Dynamic = Automatic
Host Configuration = Basic network configuration
Protocol = Rules which need to be followed to make this happen.

DHCP is an application which is installed either on a Windows Server operating system or on a UNIX OS to serve an enterprise in the aspect of IP configuration and management. Its main goal is to provide and configure the client computers with a specific IP configuration to enable identification and communication in the network. Prior to DHCP another protocol was used, called BOOTP. BOOTP (Bootstrap Protocol) has only one feature, which is reservation. So administrators who worked with BOOTP needed to get all the MAC addresses and write them down in a notepad to enable the use of BOOTP. After writing down all the MAC addresses, the same needed to be added to the BOOTP table with the corresponding IP addresses. That makes a lot of work for administrators; even though it is an automated process, admins needed to work a lot to get the MAC addresses of all the machines in the network. Later it gained a lot of improvements to serve the network and became DHCP.

How to Install and Configure DHCP?

It is a very simple and straightforward process. First you need to install the application from Add/Remove Windows Components. After installing, you will have a console in the Administrative Tools. I think instead of giving a lot of steps, I will post a simple video of 7 minutes; just watch it for a better understanding of this concept.
 
Video Link
Now you are ready with your DHCP server installed and configured, so let’s talk about why and how it is used. As I said previously, it is used for automatic assignment of IP addresses to client computers which are in the same network as the DHCP server. This is the way it is used: whenever a computer is powered on, it checks its own network configuration. If it is configured with a manual IP address, the machine broadcasts a message that it was powered on. If it is configured to get the IP automatically, the machine broadcasts a message in search of a DHCP server, and the process starts. It is simply called the “DORA” process.
D = Discovery – Request for discovering the DHCP server from the client machine.
O = Offer – The respective DHCP server offers the IP configuration.
R = Received – The client receives the IP configuration.
A = Acknowledgement – The client acknowledges that it has received the IP configuration.
Once the client gets the IP configuration, it then broadcasts another message to all other clients in the network with its identity.
 
Interview Questions related to DHCP
1. Explain the DORA process.
2. What is an exclusion range and a reservation?
An exclusion range is a range of IP addresses which needs to be excluded from the DHCP scope, so that these IPs are never assigned automatically. A reservation is an IP address that will be reserved for a server every time it boots up; it is done using the MAC address of that server. Before configuring reservations, we need to exclude them from the DHCP scope.
3. How do you configure the AD server, DNS server, IIS server and FTP server using the DHCP server?
Using reservations only, so that every time the same address will be assigned to the server. If you take a DNS server, it should have the same IP all the time, because it is responsible for name resolution in that network. If the IP address changed every time, it would be very difficult for the clients which are requesting name resolution. That is the reason it should have the same IP all the time, and we can do that automatically using reservations.
4. What is a DHCP relay agent?
A DHCP relay agent is an option configured on the DHCP server which enables the client machine requests to go through the routers. That means, if the DHCP server is in one network and the client is in another network, these networks are connected by routers. By default the routers will never allow the DHCP packets through them; by configuring this option, these requests will pass between the two networks.
 

DHCP Server - Core Interview Questions and Answers

Define the DHCP process.

DHCP Discover:
Whenever a computer comes online without a valid lease it looks for a DHCP server. Because it has no address yet and does not know the server's address, it sends a DHCPDISCOVER as a UDP datagram (source port 68, destination port 67) from 0.0.0.0 to the limited broadcast address 255.255.255.255 on the local subnet. The message carries the client's MAC address in the CHADDR field and may include its last-known address as the Requested IP Address option (192.168.1.100 in the example below), although the server may ignore that hint. If the DHCP server is on a different subnet, a DHCP relay agent on the router forwards the broadcast to it.
DHCP Offer:
Each DHCP server that receives the DHCPDISCOVER and has an address available tentatively reserves one and answers with a DHCPOFFER. The offer is matched to the client by the transaction ID (XID) and by the MAC address in CHADDR; the server places the offered address in the YIADDR field (192.168.1.100, offered by the server 192.168.1.1 in the example) and adds options such as the subnet mask, the lease duration and the Server Identifier of the offering server. The offer is broadcast when the client set the broadcast flag, otherwise it is unicast to the client's MAC address.
DHCP Request:
The client selects one offer (usually the first one it received) and broadcasts a DHCPREQUEST that names the selected server in the Server Identifier option and repeats the offered address in the Requested IP Address option. Because this is a broadcast, the servers whose offers were not selected see it too and release the addresses they had reserved.
DHCP Acknowledgement:
When the selected server receives the DHCPREQUEST it completes the transaction with a DHCPACK that contains the address, the lease duration and any other configuration options the client requested. (If the address has meanwhile become unavailable the server sends a DHCPNAK instead and the client starts over.) The client is expected to configure its network interface with the supplied values; it usually ARP-probes the address first and sends a DHCPDECLINE if some other host already uses it. At this point the TCP/IP configuration process is complete.
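The four DORA messages encoded and decoded byte for byte, as an added example (not code from the original page): a Python model of the RFC 2131 message layout with RFC 2132 options. The field layout and option codes are the protocol's; the addresses, the MAC address 00:11:22:33:44:55, the transaction ID and the function names are constructed for the example. The option parser is bounds-checked so that a truncated or hostile packet raises an error instead of reading past the buffer.

```python
"""Encode and decode the DORA exchange of RFC 2131 (added example, not from the page).

Addresses, MAC and XID are constructed; layout and option codes follow RFC 2131/2132.
"""
import ipaddress
import struct

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes, then the magic cookie
MAGIC_COOKIE = bytes.fromhex("63825363")
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 values
OPT_SUBNET, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
BROADCAST_FLAG = 0x8000


def ip(text):
    return ipaddress.IPv4Address(text).packed


def build(op, xid, chaddr, options, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
          siaddr="0.0.0.0", giaddr="0.0.0.0", flags=BROADCAST_FLAG):
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack(HEADER_FMT, op, 1, len(mac), 0, xid, 0, flags,
                         ip(ciaddr), ip(yiaddr), ip(siaddr), ip(giaddr),
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(pkt):
    """Decode a DHCP message; every option length is checked against the buffer."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack_from(HEADER_FMT, pkt)
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:                                  # pad byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("option overruns packet")  # truncated or hostile
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    else:
        raise ValueError("options not terminated")
    return {"op": op, "xid": xid, "flags": flags,
            "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
            "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
            "siaddr": str(ipaddress.IPv4Address(siaddr)),
            "giaddr": str(ipaddress.IPv4Address(giaddr)),
            "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
            "options": options}


def discover(xid, mac, last_ip):      # client: 0.0.0.0 -> 255.255.255.255
    return build(BOOTREQUEST, xid, mac,
                 [(OPT_MSG_TYPE, bytes([DISCOVER])), (OPT_REQUESTED_IP, ip(last_ip))])


def offer(disc, server_ip, offered_ip, lease_secs, mask, router, dns):
    d = parse(disc)                   # server echoes the client's XID and CHADDR
    opts = [(OPT_MSG_TYPE, bytes([OFFER])), (OPT_SUBNET, ip(mask)),
            (OPT_ROUTER, ip(router)), (OPT_DNS, ip(dns)),
            (OPT_LEASE, struct.pack("!I", lease_secs)), (OPT_SERVER_ID, ip(server_ip))]
    return build(BOOTREPLY, d["xid"], d["chaddr"], opts,
                 yiaddr=offered_ip, siaddr=server_ip, flags=d["flags"])


def request(off):
    o = parse(off)                    # client names the chosen server and address
    return build(BOOTREQUEST, o["xid"], o["chaddr"],
                 [(OPT_MSG_TYPE, bytes([REQUEST])), (OPT_REQUESTED_IP, ip(o["yiaddr"])),
                  (OPT_SERVER_ID, o["options"][OPT_SERVER_ID])])


def ack(req, off):
    r, o = parse(req), parse(off)
    if r["options"][OPT_SERVER_ID] != o["options"][OPT_SERVER_ID]:
        return None                   # another server was chosen: drop our tentative lease
    opts = [(OPT_MSG_TYPE, bytes([ACK]))]
    opts += [(c, v) for c, v in o["options"].items() if c != OPT_MSG_TYPE]
    return build(BOOTREPLY, r["xid"], r["chaddr"], opts,
                 yiaddr=o["yiaddr"], siaddr=o["siaddr"], flags=r["flags"])


def dora():
    """Run the exchange for the page's example client and decode the final DHCPACK."""
    disc = discover(0x3903F326, "00:11:22:33:44:55", "192.168.1.100")
    off = offer(disc, "192.168.1.1", "192.168.1.100", 86400,
                "255.255.255.0", "192.168.1.1", "192.168.1.1")
    return parse(ack(request(off), off))


if __name__ == "__main__":
    print(dora())
```

Note how the XID and CHADDR carry through all four messages: that is how a client with no address yet tells its own offer apart from everyone else's, and it is also why a rogue DHCP server on the same segment can race the legitimate one. The Server Identifier check in ack() is what lets the losing servers release their tentative addresses.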
What is DNS?
DNS stands for Domain Name System. It is the standard naming scheme for hosts and domains in any environment (Windows, Linux, Solaris, any operating system) and also the name of the service that answers name queries. A DNS server holds a database of records for the domains it is authoritative for; taken together, the world's DNS servers form one distributed, hierarchical database.
Why is it used?
DNS is the service that lets the machines in a network (domain controllers, member servers, workstations) find each other by name. To make this possible every machine has to be registered, statically or by dynamic update, in the authoritative DNS server for that network. That means every operational network should have a DNS server to enable identification of and communication between the machines.
How does it work?
As I said, DNS is used for identification, or in technical terms for name resolution. Every machine in a network has an IP address and a hostname as its identity. Before one machine can communicate with another it must know the other machine's IP address; once it knows that, it communicates with it directly. So why are hostnames used at all if a machine already has an identity in the form of an IP address? Hostnames exist for human memory. It is impossible for a person to remember hundreds of IP addresses, but it is possible to remember names, especially when hostnames are chosen from employee, department or location names. For example we can remember www.yahoo.com but not its IP address, and yahoo is only one of millions of sites on the Internet. To sum up, hostnames and IP addresses are both used to identify and communicate between two machines in a network, but machines communicate only by IP address (keep in mind that machines never communicate by hostname), and IP addresses are hard for humans to remember. DNS was built to solve this. It holds a database of host records, each of which maps a hostname to an IP address; see the image below for a clearer picture. The Internet depends completely on DNS: when we type a site's name and press Enter, the machine immediately starts looking up the site's IP address using the DNS server configured on it. I will explain the name resolution process in detail.
One more thing about DNS: it is one of the largest databases on the Internet and it changes every second. If this database disappeared we would have to remember the IP address of everything we use. That will not happen, because the database is distributed and replicated across thousands of servers and every zone has secondary servers as backups.
How does name resolution take place?
I will explain this concept with the Internet as an example. Before that I want you to check some settings on your machine. Open the TCP/IP properties and see whether a DNS server is configured. If you see the "obtain automatically" option, open a command prompt, type "ipconfig /all" and press Enter; you will get the DNS server addresses along with your machine's IP address. Now let's talk about the scenario. When you try to open a website like www.google.com, what happens next? How does your machine get the IP address of www.google.com? Here it goes...
1. The request is sent to the DNS server configured on your machine (the recursive resolver).
2. That DNS server checks its own zones and its cache for a record for www.google.com. If it has one, it answers directly with the IP address. Otherwise it starts asking other DNS servers on your behalf.
3. Before it asks another DNS server, how does it decide which server is responsible for the name? It looks at the entire name, the FQDN (Fully Qualified Domain Name), in Google's case www.google.com. (Note that a FQDN formally ends with a period; that trailing period is the root domain.)
4. Every DNS server has a root hints file, which lists the names and addresses of the root servers (a.root-servers.net through m.root-servers.net). The root servers do not know the addresses of individual hosts; they know which servers are authoritative for each top-level domain such as .com, .net, .edu and .org.
5. So in our case the DNS server asks a root server (for example 198.41.0.4, which is a.root-servers.net) for www.google.com. The root server does not know the answer, but it refers the resolver to the .com name servers (the gTLD servers). The resolver then asks a .com server, which holds name server records for every .com domain: google.com, yahoo.com, microsoft.com and so on.
6. The .com server does not hold the IP address of www.google.com; it holds the names and addresses of the DNS servers for google.com (the NS records and their glue A records).
7. So the request is forwarded to a google.com DNS server, which has a host record named www with its IP address. Finally you have reached it. The answer travels back to the DNS server configured on your machine, which caches it for the record's TTL and tells your machine the IP address of www.google.com.
8. This process happens in milliseconds in the background, by the time you see "Website found, waiting for reply" in the status bar of your Internet Explorer.
9. Oh my god!!!! Is it that simple? Yes it is. The same process occurs in corporate networks too, except that internal names are answered authoritatively by the local DNS servers and only external names are forwarded out to the Internet.
10. See the animation below for better understanding.
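The walk described in steps 1 to 9, as an added example that is not part of the original post: a Python model of an iterative resolver working over an in-memory copy of the hierarchy (root server, .com server, authoritative server). The zone data is constructed: 198.41.0.4 is the root server address used in step 5, every other address comes from the RFC 5737 documentation ranges, and example.com stands in for the real domain. The resolver follows referrals from the root hints, chases a CNAME, caches answers, and gives up after a fixed number of queries so that a referral or alias loop cannot hang it.

```python
"""Iterative name resolution over an in-memory model of the DNS hierarchy.

Added example, not from the page. Zone data is constructed (RFC 5737 addresses);
198.41.0.4 is the root server address quoted in the text above.
"""
ROOT_HINTS = ["198.41.0.4"]

# server address -> {(owner name, record type): [rdata, ...]}
SERVERS = {
    "198.41.0.4": {                                     # a root server: delegates .com
        ("com.", "NS"): ["a.gtld-servers.net."],
        ("a.gtld-servers.net.", "A"): ["192.0.2.30"],   # glue
    },
    "192.0.2.30": {                                     # a .com server: delegates example.com
        ("example.com.", "NS"): ["ns1.example.com."],
        ("ns1.example.com.", "A"): ["198.51.100.53"],   # glue
    },
    "198.51.100.53": {                                  # authoritative for example.com
        ("www.example.com.", "A"): ["203.0.113.80"],
        ("mail.example.com.", "CNAME"): ["www.example.com."],
        ("loop1.example.com.", "CNAME"): ["loop2.example.com."],  # deliberate alias loop
        ("loop2.example.com.", "CNAME"): ["loop1.example.com."],
    },
}
CACHE = {}   # (name, type) -> answer; a real resolver also honours the TTL


def parents(qname):
    """Enclosing zone names: www.example.com. -> example.com., com., ."""
    labels = qname.split(".")[:-1]
    return [".".join(labels[i:]) + "." if labels[i:] else "."
            for i in range(1, len(labels) + 1)]


def query(server, qname, qtype):
    """One non-recursive query to one server, as the resolver would send over UDP."""
    zone = SERVERS[server]
    if (qname, qtype) in zone:
        return "answer", zone[(qname, qtype)]
    if (qname, "CNAME") in zone:
        return "cname", zone[(qname, "CNAME")][0]
    for parent in parents(qname):                       # closest delegation wins
        if (parent, "NS") in zone:
            ns_names = zone[(parent, "NS")]
            glue = {ns: zone.get((ns, "A"), [None])[0] for ns in ns_names}
            return "referral", (ns_names, glue)
    return "nxdomain", None


def resolve(qname, qtype="A", max_queries=12):
    """What the DNS server configured on your machine does for you:
    start at the root hints and follow referrals to an authoritative answer."""
    if (qname, qtype) in CACHE:
        return CACHE[(qname, qtype)], ["cache hit"]
    trace, servers = [], list(ROOT_HINTS)
    while len(trace) < max_queries:
        server = servers[0]
        kind, data = query(server, qname, qtype)
        trace.append(f"{server}: {qname}/{qtype} -> {kind}")
        if kind == "answer":
            CACHE[(qname, qtype)] = data
            return data, trace
        if kind == "cname":                             # chase the alias with the budget left
            rrs, sub = resolve(data, qtype, max_queries - len(trace))
            return rrs, trace + sub
        if kind == "referral":
            ns_names, glue = data
            servers = [glue[ns] for ns in ns_names if glue[ns]]
            if not servers:                             # no glue: resolve the NS name first
                servers, _ = resolve(ns_names[0], "A", max_queries - len(trace))
            continue
        raise LookupError(f"{qname} does not exist")
    raise RuntimeError(f"gave up after {max_queries} queries (referral or CNAME loop?)")


if __name__ == "__main__":
    for step in resolve("www.example.com.")[1]:
        print(step)
```

Resolving www.example.com. takes exactly three queries (root, .com, example.com); resolving mail.example.com. afterwards takes three more and then finishes from the cache, because the CNAME target was already learned. The loop1/loop2 pair shows why resolvers cap the number of queries per lookup: without the budget the alias chain would never end.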



Understanding DNS : Part - II
Hi Guys,
In my previous discussion about Understanding DNS you learned most of the basic things related to DNS. In this post I want to elaborate more about DNS. Let's start...
DNS Records
There are many record types in a DNS zone, and name resolution cannot work properly without them.
As you know, the DNS server's main purpose is to resolve host names to IP addresses and vice versa.
· A Record : maps a host name to an IPv4 address. It is used when resolving host names to IP addresses. (The IPv6 equivalent is the AAAA record.)
· PTR Record : Pointer record, stored in the reverse zone (in-addr.arpa), maps an IP address back to a host name. It is used for reverse lookups, IP address to hostname.
· CNAME Record : an alias for another name. It lets a single host be reached under several names, for example when one server hosts several services and each service gets its own name (www, ftp, mail). Clients use the service name, the resolver follows the CNAME to the real host name and then to its A record, and the services can later be moved to other servers by changing only the CNAME targets.
· MX Record : Mail Exchanger record, identifies the mail server or servers that receive e-mail for a DNS domain (for that organization). Each MX carries a preference value so that several servers can be listed in priority order.
· NS Record : Name Server record, identifies the DNS servers that are authoritative for a DNS domain (for that organization). A parent zone uses NS records to delegate a child zone to those servers.
· SRV Record : Service record, created when we install a service that depends on DNS, such as Active Directory. SRV records are registered automatically (domain controllers register theirs through the Netlogon service) and point to a target host name plus a port number, with priority and weight values, for example _ldap._tcp.dc._msdcs.<domain>. Unlike an A record, a SRV record does not hold an IP address itself; the target name is resolved separately.
· SOA Record : Start of Authority record, one per zone. It is not associated with an IP address; it names the primary server and the responsible person's mailbox and carries the zone's refresh, retry, expire and minimum TTL timers together with the serial number. The serial number is incremented on every update to the zone, and secondary servers compare it with their own copy to decide whether they need to transfer the zone.
These record types exist in every DNS zone in the world. DNS is one of the largest databases in the world and one of the few that are updated every second, and it is not located in a single place: it is spread across the world over different companies, different ISPs, even different homes. The name resolution process was explained in my previous post, Understanding DNS. That is the reason a DNS request travels to different locations to get the correct answer.
>What is Active Directory ? 
Active Directory is Microsoft's directory service. It is a database, together with the services built around it, that stores information about the network's objects: user accounts, computer accounts, groups, printers, shares and other network objects, plus the schema that describes them. It provides authentication (Kerberos and NTLM) and authorization for those objects, so it can be used to manage and administer the complete network of computers joined to the domain.

>What is a domain ? 
In Windows NT, Windows 2000 and later a domain is a set of network resources (applications, printers, file shares and so forth) and accounts that share one security database and one set of policies. A user needs to log on to the domain only once to gain access to the resources, which may be located on a number of different servers in the network. An Active Directory domain is identified by a DNS name such as corp.example.com (and a NetBIOS name such as CORP); a domain is not an IP address and should not be confused with a URL.
>What is domain controller ? 
A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
>What is LDAP ? 
LDAP (Lightweight Directory Access Protocol) is the industry-standard directory access protocol, which makes Active Directory accessible to management and query applications from any vendor. Active Directory supports LDAPv3 and LDAPv2.
>What is KCC ? 
The KCC (Knowledge Consistency Checker) is a process that runs on every domain controller and generates the replication topology, both within a site (intrasite) and between sites (intersite). Within a site, replication traffic is carried by RPC over IP; between sites it can be carried by RPC over IP or by SMTP, but SMTP can replicate only the schema, configuration and global catalog partitions, never the domain partition.
>Where is the AD database held? What other folders are related to AD?
The AD database is stored in %SystemRoot%\NTDS\ntds.dit (C:\Windows\NTDS\ntds.dit by default). The same folder holds the transaction logs (edb.log and the numbered edb*.log files), the checkpoint file edb.chk and the reserved log files. The other folder related to AD is SYSVOL (%SystemRoot%\SYSVOL), which holds the Group Policy templates and logon scripts that are replicated to every domain controller.
>What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files: Group Policy templates (the Policies folder), logon and logoff scripts and other files that must be identical on every domain controller. Its contents are replicated to all domain controllers in the domain, by FRS on Windows 2000/2003 or by DFS Replication on Windows Server 2008 and later once SYSVOL has been migrated. User accounts are not stored in SYSVOL; they live in the ntds.dit database.
>What are the Windows Server 2003 keyboard shortcuts ?  
Winkey opens or closes the Start menu.
Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.
Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop.
Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel.
Winkey + CTRL + F opens the Search panel with the Search for Computers module selected.
Winkey + F1 opens Help.
Winkey + M minimizes all windows.
Winkey + SHIFT + M undoes the minimization.
Winkey + R opens the Run dialog.
Winkey + U opens the Utility Manager.
Winkey + L locks the computer.

>Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003 ?
Active Directory replaces them. All domain controllers are now peers in a multi-master model: each hosts a writable copy of the directory and replicates changes to the others. For legacy clients and a few single-master tasks, one DC per domain holds the PDC emulator role.
>I am trying to create a new universal user group. Why can’t I ?
Universal security groups are available only when the domain is in Windows 2000 native mode or a higher functional level, which requires that no Windows NT 4.0 backup domain controllers remain in the domain. In Windows 2000 mixed mode you can create only universal distribution groups, so a universal security group cannot be created until the domain functional level is raised.
>What is LSDOU ?
 It is the Group Policy processing order: policies are applied to a computer or user in the order Local, Site, Domain, then Organizational Units (parent OU before child OU). Because later policies are applied on top of earlier ones, a setting configured in an OU policy wins over the same setting in the domain, site or local policy, unless the higher-level link is marked Enforced (No Override) or the OU blocks inheritance.
>Why doesn’t LSDOU work under Windows NT ?
Windows NT 4.0 does not process Group Policy at all; it uses System Policy, the NTConfig.pol file in the NETLOGON share. If an NTConfig.pol file exists it is applied last and therefore has the highest priority among the policies, so the LSDOU order does not describe the result on NT clients.
>What’s the number of permitted unsuccessful logons on the Administrator account? Unlimited. By default the built-in Administrator account (RID 500) is exempt from account lockout, so the Account lockout threshold never applies to it. Remember, though, that this applies to that one account, not to every account that is a member of the Administrators group. Because it can be password-guessed without locking out, rename the account and give it a long, strong password.
> What’s the difference between guest accounts in Server 2003 and other editions?
 The Guest account is more restrictive in Windows Server 2003: it is disabled by default and must be explicitly enabled before anyone can log on as a guest.
> How many passwords by default are remembered when you enable "Enforce password history"?
In the Default Domain Policy of a Windows Server 2003 or 2008 domain the default is 24 passwords remembered, which is also the maximum. In the local policy of a standalone server the default is 0, so no history is enforced until you set one.
> Can the Global Catalog and the Infrastructure Master be placed on a single server? If not, explain why. 
Not in a multi-domain forest, unless every domain controller in the domain is also a global catalog server. The Infrastructure Master updates cross-domain object references (for example a user from another domain who is a member of a local group) by comparing its own data with a global catalog. If it is itself a GC it already holds current data for the whole forest, never notices the stale references, and therefore never updates them. In a single-domain forest, or when all DCs are GCs, the two roles can share a server without harm.
> Which service in Windows is responsible for replicating one domain controller to another?
Active Directory replication is performed by the directory service itself (NTDS, running inside lsass.exe). Its KCC component generates the replication topology, and the replication engine then uses RPC over IP (or SMTP between sites, for the non-domain partitions) to replicate changes. SYSVOL is replicated separately, by the File Replication Service or by DFS Replication.
> What are intrasite and intersite replication? 
Intrasite replication is replication between domain controllers within the same site (fast, uncompressed, triggered by change notification). Intersite replication is replication between sites over site links, where it is compressed and follows the schedule configured on the site link.
> What is the Lost and Found folder in AD? 
It is the container where AD places objects that were orphaned by a replication conflict.
Ex: you create a user in an OU on one DC while that OU is being deleted on another DC. When replication happens AD cannot find the OU for the new user, so it puts the user in the LostAndFound container, from where an administrator can move or delete it.
> What is garbage collection ? 
Garbage collection is a housekeeping process that runs on every domain controller, by default every 12 hours. It removes tombstones (deleted objects) whose tombstone lifetime has expired, deletes transaction log files that are no longer needed, and then performs online defragmentation of the database to reclaim space inside ntds.dit. Online defragmentation does not shrink the file; for that you need offline defragmentation with ntdsutil.
> What does System State data contain ? 
Boot (startup) files
Registry
COM+ Class Registration database
System files protected by Windows File Protection
Active Directory database (ntds.dit) and its logs, on a domain controller
SYSVOL folder, on a domain controller
Cluster service information, on a cluster node
Certificate Services database on a CA, and the IIS metabase when IIS is installed
(The memory page file is not part of System State.)
>What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference in 2000 Group Polices and 2003 Group Polices? What is meant by ADS and ADS services in Windows 2003?
Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain.
Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy - you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference.

ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.
>I want to setup a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone 'name.org' can I name the AD domain 'name.org' too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself install DNS on your server in the background.
>How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.
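The review step described above, as an added example that is not part of the original page: Python code that reads the output a login script would have collected from `net localgroup administrators` on each workstation and flags every member that is not on an allow-list. The two captures are constructed to match the command's output format; the host names, the accounts and the allow-list are hypothetical.

```python
"""Audit local Administrators membership from 'net localgroup administrators' output.

Added example, not from the page. The captures below are constructed to match
the command's output format; hosts, accounts and the allow-list are hypothetical.
"""
import re

ALLOWED = {"Administrator", "CORP\\Domain Admins", "CORP\\Workstation-Admins"}

# constructed captures, as a login script would append them to a central share
CAPTURES = {
    "WS-001": """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Workstation-Admins
The command completed successfully.
""",
    "WS-002": """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
helpdesk_tmp
The command completed successfully.
""",
}


def parse_members(output):
    """Return the member names listed between the dashed rule and the trailer line."""
    lines = output.splitlines()
    try:
        start = next(i for i, line in enumerate(lines)
                     if re.fullmatch(r"-{10,}", line.strip())) + 1
    except StopIteration:
        raise ValueError("unrecognised net localgroup output") from None
    members = []
    for line in lines[start:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def audit(captures, allowed):
    """host -> sorted members that are not on the allow-list (Windows names compare case-insensitively)."""
    allowed_lc = {name.lower() for name in allowed}
    findings = {}
    for host, output in captures.items():
        extra = sorted({m for m in parse_members(output) if m.lower() not in allowed_lc},
                       key=str.lower)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in audit(CAPTURES, ALLOWED).items():
        print(f"{host}: unexpected local administrators: {', '.join(extra)}")
```

WS-001 matches the allow-list and produces no finding; WS-002 is reported for CORP\jdoe and the local account helpdesk_tmp. Local accounts such as helpdesk_tmp are the ones worth chasing first, since a Restricted Groups policy will remove them on the next policy refresh but will not explain how they got there.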
>Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients' wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie.
>What is the ISTG? Who has that role by default?
Windows 2000 Domain controllers each create Active Directory Replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).

>What is difference between Server 2003 vs 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on 64bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine.) 
2. Server Core (provides the minimum installation required to carry out a specific server role, such as for a DHCP, DNS or print server)
3. Better security. 
4. Role-based installation. 
5. Read Only Domain Controllers (RODC). 
6. Enhanced terminal services. 
7. Network Access Protection - Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies. 
8. PowerShell - Microsoft's command line shell and scripting language has proved popular with some server administrators.
9. IIS 7 .
10. BitLocker - system drive encryption can be a sensible security measure for servers located in remote branch offices. 
11. Windows Aero (available when the Desktop Experience feature is installed).
The main differences between 2003 and 2008 are virtualization and management: 2008 has more built-in components and updated third-party drivers. 
>What information do you need before installing AD on a new server?
1. The domain structure (new forest, new tree, or an additional domain or additional DC in an existing domain).
2. The domain name (the DNS name and the NetBIOS name).
3. The storage location of the database and log files. 
4. The location of the shared system volume (SYSVOL) folder.
5. The DNS configuration method (let dcpromo install and configure DNS, or use an existing DNS server).
6. The DNS configuration itself (the server's TCP/IP settings must point to a DNS server that hosts, or can reach, the domain's zone). 
>What is LDP? 
LDP (ldp.exe) is the LDAP client GUI tool from the Windows Support Tools, built into Windows Server 2008 when AD DS is installed. It lets an administrator connect and bind to a domain controller, browse the directory tree, run LDAP searches with arbitrary filters and base DNs, and view or modify attributes. It is commonly used to troubleshoot LDAP queries, inspect the RootDSE, and view deleted objects (tombstones). (In networking LDP also stands for Label Distribution Protocol, the MPLS label signalling protocol; that is unrelated to Active Directory.)

>What are the group types available in Active Directory ?
Security groups: use security groups to grant permissions to access resources; they have a SID and can appear in ACLs. Sending an e-mail message to a mail-enabled security group also sends the message to all its members, so security groups have the capabilities of distribution groups as well.
Distribution groups: distribution groups are used only for sending e-mail messages to groups of users. You cannot grant permissions to a distribution group. Even though security groups can do everything distribution groups can, distribution groups are still needed: they have no SID, so they do not bloat users' access tokens, and some applications can only read distribution groups.
>Explain the group scopes in AD ? 
Domain Local Group:
 Use this scope to grant permissions to resources located in the same domain in which the domain local group was created. Domain local groups exist at all domain functional levels (mixed, native and interim). Their membership is wide: user accounts, global groups and universal groups from any domain in the forest or from a trusted domain, plus, in Windows 2000 native mode or higher, other domain local groups from the same domain. A domain local group can itself be a member only of other domain local groups in its own domain, and it can be placed on ACLs only in its own domain.
Global Group: Users with a similar function are collected in a global group, which can then be granted permission to a resource (a printer, a shared folder, files) in its own domain or in any other domain of the same forest. To put it simply, global groups can be used to grant access to resources located in any domain of the forest, but their membership is limited: only user accounts and, in native mode, other global groups from the domain in which the global group was created. Nesting a global group from another domain is not allowed. Finally, to grant permissions to domain-specific resources (printers, published folders), global groups are added to domain local groups. Global groups exist at all domain functional levels.
Universal Group Scope: Universal groups are often used for e-mail distribution across the forest and, as security groups, can be granted access to resources in any trusted domain. Universal security groups require Windows 2000 native mode or a higher domain functional level; in mixed mode only universal distribution groups exist. Their membership is not limited like that of global groups: user accounts, global groups and universal groups from any domain in the forest may be members. Universal groups can be members of other universal groups and of domain local groups in any domain, but not of global groups. Their membership is stored in the global catalog, which is why membership changes in large universal groups generate GC replication traffic.
>What is REPLMON ?
The Microsoft definition of the Replmon tool is as follows; This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.
>What is ADSIEDIT ? 
ADSIEDIT : ADSI Edit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a graphical tool that administrators can use for common administrative tasks such as adding, deleting and moving objects in the directory, and the attributes of each object can be viewed, edited or cleared with it, including attributes that the standard consoles never expose. ADSI Edit uses the ADSI application programming interfaces (APIs) to access Active Directory. The tool consists of ADSIEDIT.DLL and its MMC console file.
>What is NETDOM ?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
>What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
>How to take backup of AD ?
To take a backup of Active Directory: go to Start -> Programs -> Accessories -> System Tools -> Backup, or open the Run dialog and type ntbackup. In the Backup utility select System State; this backs up all the information needed to recover the system, including the AD database, SYSVOL, the registry and any AD-integrated DNS zones.
>What are the DS* commands ?
The DS commands are the built-in family of Active Directory command-line utilities (Windows Server 2003 and later):
dsadd - create new objects (users, groups, computers, OUs).
dsmod - modify the attributes of existing objects.
dsmove - rename or relocate objects.
dsrm - delete objects (dsrm -subtree removes an OU together with its contents).
dsquery - find objects that match your query criteria; its output can be piped into the other commands.
dsget - list the properties of an object.
>What are the requirements for installing AD on a new server? 
An NTFS partition with enough free space.
An Administrator's username and password.
The correct operating system version.
A NIC with properly configured TCP/IP (IP address, subnet mask and, optionally, a default gateway).
A network connection (to a hub or to another computer via a crossover cable) .
An operational DNS server (which can be installed on the DC itself) .
A Domain name that you want to use .
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder) .
  1.  Active Directory enables single sign on to access resources on the network such as desktops, shared files, printers etc. Active Directory provides advanced security for the entire network and network resources.  Active Directory is more scalable and flexible for administration.
  2. Functional levels allow domain controllers running different versions (Windows NT, Windows 2000 Server, Windows Server 2003 and Windows Server 2008) to coexist in one domain or forest. The functional level of a domain or forest controls which advanced features are available in it. The lowest functional levels allow coexistence with legacy domain controllers but disable some of the newer Active Directory features. If you are setting up a new Active Directory environment with the latest version of Windows Server, you can set the highest functional level so that all the new AD functionality is enabled.
  3. Windows Server 2003 Domain Functional Levels: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.
    Forest Functional Levels: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003.
  4. Windows Server 2008 Domain Functional Levels: Windows 2000 native, Windows Server 2003, Windows Server 2008 (and Windows Server 2008 R2 when all DCs run R2).
    Forest Functional Levels: Windows 2000, Windows Server 2003, Windows Server 2008 (and Windows Server 2008 R2 when all DCs run R2).
  5.  It is possible to take a System State backup of an existing domain controller and use it as the source (Install From Media) when promoting a new domain controller in a remote location with a slow WAN link, so that only the changes since the backup have to replicate over the link. Windows Server 2008 adds the Read-Only Domain Controller (RODC) for such locations, which holds a read-only copy of the directory and caches only the passwords you allow.
  6.  Active Directory is designed for Server Operating System, and it cannot be installed on Windows 7.
  7. A Windows Server operating system. Free hard disk space on an NTFS partition. Administrator privileges on the computer. A network connection with IP address, subnet mask, gateway and DNS server address. A DNS server, which can be installed along with the first domain controller. The Windows Server installation CD or the i386 folder.
  8. Flexible Single-Master Operation (FSMO) roles handle the tasks that are not suited to multi-master replication because they would cause conflicts if performed on several domain controllers at once; each role is held by exactly one domain controller. There are 5 FSMO roles. The Schema Master and Domain Naming Master roles are held by a single domain controller per forest, and the PDC Emulator, RID Master and Infrastructure Master roles are held by a single domain controller in each domain.
  9. The Infrastructure Master is a domain-specific role whose purpose is to ensure that cross-domain object references are correctly handled. For example, if you add a user from one domain to a security group in a different domain, the Infrastructure Master keeps that reference up to date when the user is renamed or moved. It has no work to do in a single-domain environment, so if the domain controller holding the role goes down in a single-domain forest there is no impact at all. In a forest with multiple domains, its absence leaves stale cross-domain group memberships until it is back.
  10. Schema Master role and Domain Naming Master role.
  11. PDC Emulator
  12. You should be a member of Enterprise Admins group or the Domain Admins group. Also you should be member of local Administrators group of the member server which you are going to promote as additional Domain Controller.
  13. Use netdom query /domain:YourDomain FSMO command. It will list all the FSMO role handling domain controllers.
  14. No, there should be only one Domain Controller handling RID master role in a Domain.
  15. There should be only one Domain Controller handling Infrastructure master role in a domain. Hence if you have two domains in a forest, you can configure two Infrastructure masters, one in each domain.
  16. If the PDC emulator crashes there is an immediate, visible impact. Password changes are replicated urgently to the PDC emulator so that a user whose new password has not yet reached every DC can still be authenticated; without it, users who recently changed their password may see logon failures and account lockouts are no longer processed centrally. The PDC emulator is also the authoritative time source for the domain, so time synchronization is affected, and it is the default DC that the Group Policy editor connects to, so editing policies is affected as well. Legacy (pre-Windows 2000) clients and BDCs lose their PDC entirely.
  17. Domain controllers and sites are the physical components of Active Directory. Domain controllers are the physical computers running a Windows Server operating system and the Active Directory database. Sites are groups of well-connected network segments, usually one per geographical location, each containing one or more domain controllers.
  18. Domains, Organizational Units, trees and forests are logical components of Active Directory.
  19. Active Directory database is divided into different partitions such as Schema partition, Domain partition, and Configuration partition. Apart from these partitions, we can create Application partition based on the requirement.
  20. Adding one group as a member of another group is called 'group nesting'. This will help for easy administration and reduced replication traffic.
  21. Group types are categorized by what the group is for. There are two group types: Security Groups and Distribution Groups. Security groups are used to apply permissions to resources, whereas distribution groups are used only to create e-mail distribution lists, for example in Exchange Server. Group scopes are categorized by where the group can be used and what it can contain. There are three group scopes: Domain Local Group, Global Group and Universal Group.
  22. Domain local groups are mainly used for granting access to network resources. A domain local group can contain user accounts from any domain, global groups from any domain and universal groups from any domain. For example, if you want to grant permission on a printer located in Domain A to 10 users from Domain B, create a global group in Domain B and add all 10 users to it. Then create a domain local group in Domain A, add the global group from Domain B to it, and add the domain local group of Domain A to the printer's (Domain A) security ACL. This pattern is known as AGDLP: Accounts go into Global groups, Global groups go into Domain Local groups, and Domain Local groups receive the Permissions.
  23. Active Directory is backed up as part of the System State data. System State includes the local registry, the COM+ class registration database, the boot files, the NTDS.DIT database and the SYSVOL folder. System State can be backed up either with Microsoft's built-in NTBACKUP tool or with third-party tools such as Symantec NetBackup or IBM Tivoli Storage Manager.
  24. There are two types of Active Directory restores, Authoritative restore and Non-Authoritative restore.
  25. Non-Authoritative means a normal restore of a single domain controller, for example when that particular domain controller's OS or hardware has crashed. After the non-authoritative restore completes, the domain controller compares its database with peer domain controllers in the network and accepts all the directory changes that have been made since the backup. This is done through multi-master replication.
    Whereas in an Authoritative restore, the restored database of a domain controller is forcefully replicated to all the other domain controllers. An authoritative restore is performed to recover an Active Directory resource or object (e.g. an Organizational Unit) that was accidentally deleted and needs to be restored.
  26. We can use the NTDSUTIL command line to perform an authoritative restore of Active Directory. First, start a domain controller in 'Directory Services Restore Mode'. Then restore the System State data of the domain controller using the NTBACKUP tool. This is the non-authoritative restore. Once the non-authoritative restore is completed, we have to perform the authoritative restore immediately, before restarting the domain controller.
    Open a command prompt, type NTDSUTIL and press Enter, then type authoritative restore and press Enter, then type restore database and press Enter, click OK and then click Yes. This restores all the data in authoritative restore mode. If you want to restore only a specific object or sub-tree, type the command below instead of 'restore database'.
    restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
  27. Authoritative restore, Configurable settings, Partition management, Set DSRM Password etc.
  28. A tombstone is a container object for items deleted from the Active Directory database. Even after objects are deleted, they are kept hidden in the Active Directory database for a specific period. This period is known as the tombstone lifetime. The tombstone lifetime is 180 days on Windows Server 2003 SP1 and later versions of Windows Server.
  29. Garbage collection is an Active Directory process. It starts by removing the remains of previously deleted objects from the database; these objects are known as tombstones. Then the garbage collection process deletes unnecessary log files, and finally it starts a defragmentation thread to reclaim additional free space. The garbage collection process runs on all domain controllers at an interval of 12 hours.
  30. In the multi-master replication method, replication conflicts can happen. Objects with replication conflicts are stored in a container called the 'Lost and Found' container. This container is also used to store orphaned user accounts and other objects.
  31. The Lost and Found container can be viewed by enabling Advanced Features from the View menu of the Active Directory Users and Computers MMC.
  32. Yes, it is included.
  33. [Never say no] We had set up an additional domain for a new subsidiary of the firm, and I was a member of the team that handled installation and configuration of domain controllers for the sub-domain. [or] I was supporting an existing Active Directory network environment of the company, but I have installed and configured Active Directory in a test environment on several occasions.
  34. No one installs Active Directory in a cluster. There is no need to cluster a domain controller, because Active Directory provides total redundancy with two or more servers.
  35. Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed-up AD database, rebooting a domain controller or restarting any services.
  36. Read-only domain controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC holds a read-only copy of the Active Directory database and can be deployed in a remote branch office where physical security cannot be guaranteed. An RODC provides improved security and faster logon time for the branch office.
  37. To find out the forest and domain functional levels in GUI mode, open ADUC, right-click on the domain name and open Properties. Both domain and forest functional levels are listed there. To find out the forest and domain functional levels from the command line, you can use the DSQUERY command.
  38. KCC can be expanded as Knowledge Consistency Checker. It is a process running on all domain controllers, and it generates and maintains the replication topology for replication within sites and between sites.
  39. We can use command-line tools such as repadmin and dcdiag. The GUI tool REPLMON can also be used for replication monitoring and troubleshooting.
  40. SYSVOL is a folder that exists on each domain controller and contains Active Directory related files and folders. SYSVOL mainly stores important elements of Group Policy Objects and scripts, and it is replicated among domain controllers using the File Replication Service (FRS).
  41. Kerberos is a network authentication protocol. Active Directory uses Kerberos for user and resource authentication and trust relationship functionality. Kerberos uses port number 88.
  42. All versions of Windows Server Active Directory use Kerberos 5.
  43. Kerberos 88, LDAP 389, DNS 53, SMB 445.
  44. FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of the domain name system which points to a device in the domain at its left-most end. For example in system.
  45. Dsadd - adds an object to the directory; Dsget - displays the requested properties of an object in AD; Dsmove - moves an object from one location to another in the directory; Dsquery - queries for specific objects.
  46. A tree in Active Directory is a collection of one or more domains which are interconnected and share global resources with each other. If a tree has more than one domain, it has a contiguous namespace. When we add a new domain to an existing tree, it is called a child domain.
    A forest is a collection of one or more trees which trust each other and share a common schema. It also shares a common configuration and global catalog. When a forest contains more than one tree, the trees do not form a contiguous namespace.
  47. Replication between domain controllers inside a single site is called intrasite replication, whereas replication between domain controllers located in different sites is called intersite replication. Intrasite replication is very frequent, whereas intersite replication happens at a specific interval and in a controlled fashion in order to preserve network bandwidth.
  48. A shortcut trust is a manually created transitive trust which is configured to enable a fast and optimized authentication process. For example, if we create a shortcut trust between two domains of different trees, they can quickly authenticate each other without traversing all the parent domains. A shortcut trust can be either one-way or two-way.
  49. Selective authentication is generally used in forest trusts and external trusts. Selective authentication is a security setting which allows administrators to grant access to shared resources in their organization's forest to a limited set of users in another organization's forest. The selective authentication method can decide which groups of users in a trusted forest can access shared resources in the trusting forest.
  50. Trusts can be categorized by their nature. There can be two-way or one-way trusts, implicit or explicit trusts, and transitive or non-transitive trusts. Trusts can also be categorized by type, such as parent and child trust, tree root trust, external trust, realm trust, forest trust and shortcut trust.
  51. ADAC - Active Directory Administrative Center is a new GUI tool that came with Windows Server 2008 R2 and provides an enhanced data management experience to the admin. ADAC helps administrators perform common Active Directory object management tasks across multiple domains with the same ADAC instance.
  52. ADSIEDIT - Active Directory Service Interfaces Editor is a GUI tool which is used to perform advanced AD object and attribute management. This Active Directory tool helps us to view objects and attributes that are not visible through the normal Active Directory management consoles. ADSIEDIT can be downloaded and installed along with the Windows Server 2003 Support Tools.
  53. This is due to domain functional level. If domain functional level of Windows Server 2003 AD is Windows 2000 Mixed, Universal Group option will be greyed out. You need to raise domain functional level to Windows 2000 native or above.
  54. ADMT - Active Directory Migration Tool, is a tool which is used for migrating Active Directory objects from one domain to another. ADMT is an effective tool that simplifies the process of migrating users, computers, and groups to new domains.
  55. When a domain controller is disconnected for a period that is longer than the tombstone lifetime, one or more objects that were deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Lingering objects can be removed from Windows Server 2003 or 2008 using the REPADMIN utility.
  56. The Global Catalog is a container which contains a searchable partial replica of all objects from all domains of the forest, and a full replica of all objects from the domain where it is situated. The Global Catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multi-master replication. Global catalogs are mostly used in multidomain, multisite and complex forest environments, whereas the Global Catalog does not function in a single domain forest.
  57. In a forest that contains only a single Active Directory domain, there is no harm in placing both the GC and the Infrastructure Master on the same DC, because the Infrastructure Master does not have any work to do in a single domain environment. But in a forest with multiple domains, the Infrastructure Master should be located on a DC which is not a Global Catalog server. Because the global catalog server holds a partial replica of every object in the forest, an Infrastructure Master placed on a global catalog server will never update anything, because it does not contain any references to objects that it does not hold.
  58. Command line method: nslookup gc._msdcs.<forest root DNS Domain Name>, or nltest /dsgetdc:corp /GC. GUI method: open DNS management and, under 'Forward Lookup Zones', click on the GC container. To check whether a server is a GC or not, go to the Active Directory Sites and Services MMC and, under the 'Servers' folder, open the properties of the NTDS Settings of the desired DC and check whether the Global Catalog option is ticked.
  59. As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
  60. When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
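    To make the exchange in answer 60 concrete, here is an added simulation written for this page; it is not code from the original post or from Microsoft, and it does not implement real Kerberos encryption types. It uses the answer's symbols: KA is derived one-way from the password (here PBKDF2 salted with realm and user name, a stand-in for Kerberos string2key), the KDC invents a session key SA, seals one copy of SA under KA for the client and one copy inside the TGT under its own master key KKDC, and the client recovers SA by re-deriving KA locally. The seal/unseal routine is a toy authenticated cipher built from HMAC-SHA256 and exists only so that the three properties the answer relies on can be checked: a wrong password yields a KA that cannot open the reply, the client can never open the TGT, and the KDC later finds the same SA inside the TGT.

```python
"""Simulated Kerberos AS exchange (constructed example, not Windows code)."""
import hashlib
import hmac
import json
import os
import time


def string_to_key(password, realm, user):
    # Stand-in for Kerberos string2key: PBKDF2 salted with realm+user.  Real
    # etypes (RC4-HMAC, AES) differ, but the property shown is the same: KA is
    # derived one-way from the password and the password never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 10000, 32)


def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key, obj):
    """Toy authenticated encryption (HMAC keystream + HMAC tag); not a Kerberos etype."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    def __init__(self, realm):
        self.realm = realm
        self.kkdc = os.urandom(32)   # KKDC: master key only the KDC knows
        self.db = {}                 # long-term keys of every principal in the realm

    def register(self, user, password):
        self.db[user] = string_to_key(password, self.realm, user)

    def as_exchange(self, user, lifetime=600):
        """Answer an AS-REQ: (enc-part sealed with KA, TGT sealed with KKDC)."""
        ka = self.db[user]
        sa = os.urandom(32)          # SA: session key to share with the user
        expires = int(time.time()) + lifetime
        tgt = seal(self.kkdc, {"user": user, "sa": sa.hex(), "expires": expires})
        enc_part = seal(ka, {"sa": sa.hex(), "expires": expires})
        return enc_part, tgt


def client_login(kdc, user, password):
    """Client side: derive KA from the password and open the enc-part to get SA."""
    enc_part, tgt = kdc.as_exchange(user)
    ka = string_to_key(password, kdc.realm, user)
    creds = unseal(ka, enc_part)     # raises if the password (hence KA) is wrong
    return bytes.fromhex(creds["sa"]), tgt


def demo():
    """Both sides hold the same SA afterwards; the KDC reads it back from the TGT."""
    kdc = KDC("CORP.EXAMPLE")
    kdc.register("alice", "correct horse battery")
    sa, tgt = client_login(kdc, "alice", "correct horse battery")
    inside = unseal(kdc.kkdc, tgt)
    return bytes.fromhex(inside["sa"]) == sa and inside["user"] == "alice"


def wrong_password_rejected():
    kdc = KDC("CORP.EXAMPLE")
    kdc.register("alice", "correct horse battery")
    try:
        client_login(kdc, "alice", "wrong password")
    except ValueError:
        return True
    return False


def client_cannot_open_tgt():
    kdc = KDC("CORP.EXAMPLE")
    kdc.register("alice", "correct horse battery")
    _sa, tgt = client_login(kdc, "alice", "correct horse battery")
    try:
        unseal(string_to_key("correct horse battery", kdc.realm, "alice"), tgt)
    except ValueError:
        return True
    return False
```

Note that, exactly as in the answer, the KDC here hands out the reply before the client proves anything, which is why Windows domains enable Kerberos pre-authentication: without it, anyone can request a blob sealed under a user's KA and attempt password guessing against it offline. Monitoring accounts that have pre-authentication disabled is a standard AD hygiene check.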
  61. Lightweight Directory Access Protocol (LDAP) is an Internet standard protocol which is used as a standard protocol for Active Directory functions. It runs directly over TCP, and can be used to access a standalone LDAP directory service or to access a directory service that is back-ended by X.500.
  62. Active Directory related files are by default located at %SystemRoot%\ntds folder. NTDS.DIT is the main Active Directory database file. Apart from this other files such as EDB.LOG, EDB.CHK, RES1.LOG, TEMP.EDB etc. are also located at the same folder.
  63. Global Catalog servers produce heavy traffic related to the replication process. Therefore making all the domain controllers in the forest Global Catalog servers will cause network bandwidth problems. GCs should be placed based on network bandwidth and user or application requirements.
What is DNS?
DNS stands for Domain Naming Server. It is a standard for naming domains in any operational environment (Windows, Linux, Solaris, any environment). It is a server which contains a database of all the domains and all the servers that are associated with those domains.
Why is it used?
It is a service dedicated to identifying all the machines (domains and member servers) in a network. To make this possible, every machine has to be registered in the authoritative DNS server of that network. That means every operational network should have a dedicated DNS server to enable identification of, and communication between, the machines.
How does it work?
As I said, it is dedicated to identification, or in technical words to "name resolution". Every machine in a network has a dedicated IP address and hostname as its identity. Whenever a machine tries to communicate with another machine on the network it should first identify the second machine, that is, it should know the IP address of that particular machine. After learning the identity (i.e. the IP address), it communicates directly with the second machine. So to speak, a machine should know the IP address of the other machine it is going to communicate with before it starts.
Another question: why are hostnames used, if the machine already has an identity in the form of an IP address? A hostname is an English word which is useful for human memory. It is impossible for a human being to remember lots of IP addresses, but it is possible to remember English names for the same hosts (as we generally configure hostnames with an employee name, department name, location name etc.). For example we can remember www.yahoo.com but not its IP address, because there is not only one website on the internet. To sum up, hostnames and IP addresses are both used for identification and communication between two machines in a network. But machines are only able to communicate with IP addresses, which are impossible for humans to remember (keep in mind that machines never communicate with hostnames). To solve this situation DNS was implemented. It basically contains a database of host records in a network. A host record contains "Hostname : IP address"; see the image below for better understanding. Our Internet is entirely dependent on DNS: when we access a particular website we give its English name, and when we press ENTER the machine immediately starts finding the IP address of the website using the DNS server configured on it. I will explain the name resolution process in detail.
And one more thing about DNS: it is the single largest database on the internet, and it changes every second. If this database went down by chance, we would have to remember all the IP addresses to access the internet. Hahaha, it will not happen, because we have so many backup solutions already implemented.
How the name resolution takes place?
I will explain this concept with the internet as an example. Before that I want you to check some settings on your machine. Check the TCP/IP properties and see whether a DNS server is configured or not. If you see the "obtain automatically" option, open a command prompt, type "ipconfig /all" and press Enter. You will get the DNS server information along with your machine's IP address. Now let's talk about the scenario. When you try to open a website like www.google.com, what happens next? How does your machine get the IP address of www.google.com? Here it goes....
1. The request is sent to the DNS server which is configured on your machine.
2. The DNS server checks for the host record of www.google.com in its database. If it contains a record for www.google.com, it directly sends a response with the IP address of www.google.com. Otherwise it starts requesting another DNS server.
3. Before it goes to another DNS server, how does it identify which DNS server is responsible for this request? It checks the entire hostname (called the FQDN: Fully Qualified Domain Name), i.e. in Google's case www.google.com. (Note that the FQDN ends with a period, and this period is called the root domain.)
4. Every DNS server has a root hints file associated with it, and this is used to identify the responsible DNS server. The root hints file contains the master DNS servers' information. Here you go, it looks like this. These are the master DNS servers for the .com, .net, .edu, .org domains etc.
5. So in your case the domain is .com, and the DNS server sends the request to the .com master DNS server (for example, assume it is 198.41.0.4). The .com master DNS server contains name server records for all machines ending with .com. That means it definitely contains the DNS server IP address for google.com. In the same way it contains all the .com servers: yahoo.com, microsoft.com and so on.
6. It does not contain the IP address of google.com; it contains the DNS server IP of google.com.
7. So then the request is forwarded to the google.com DNS server, and in that server there is a host record with the name www and its IP address. Finally you have reached it. With the found IP address, the response travels back the same way in reverse to the DNS server configured on your machine, and that DNS server tells your machine the IP address of www.google.com.
8. This process happens in milliseconds in the background, i.e. by the time you get the "Website found, waiting for reply" message in the status bar of your Internet Explorer.
9. Oh my god!!!! Is it that simple? Yes it is. The same process occurs in corporate networks also, but there the requests are handled by the local DNS servers only.
10. See the animation below for better understanding.
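Steps 1 to 7 above are easier to see when you can run the delegation walk offline, so here is an added simulation written for this page (not code from the original post). It models a resolver that starts from its root hints and follows referrals down to the authoritative server for google.com. Unlike the text, it keeps a separate root tier and .com tier, which is how the real hierarchy is laid out; 198.41.0.4 is the address quoted in step 5, every other address is a documentation-range value and all zone data is constructed.

```python
"""Simulated iterative DNS resolution of www.google.com (constructed data, no network)."""

# Root hint: the address quoted in step 5 above.  All other addresses are
# RFC 5737 documentation ranges and every zone below is constructed.
ROOT_HINTS = {"a.root-servers.net.": "198.41.0.4"}

# One simulated name server per address: the zone it is authoritative for, the
# child zones it delegates as (NS name, NS address), and the records it holds.
SERVERS = {
    "198.41.0.4": {
        "zone": ".",
        "delegations": {"com.": ("a.gtld-servers.net.", "192.0.2.10")},
        "records": {},
    },
    "192.0.2.10": {
        "zone": "com.",
        "delegations": {"google.com.": ("ns1.google.com.", "192.0.2.53")},
        "records": {},
    },
    "192.0.2.53": {
        "zone": "google.com.",
        "delegations": {},
        "records": {"www.google.com.": ("A", "203.0.113.80")},
    },
}


def query(server_ip, qname):
    """One round trip: authoritative answer, referral to a child zone, or nxdomain."""
    srv = SERVERS[server_ip]
    if qname in srv["records"]:
        return "answer", srv["records"][qname]
    labels = qname.rstrip(".").split(".")
    # Longest matching suffix wins, so "google.com." is preferred over "com.".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in srv["delegations"]:
            return "referral", srv["delegations"][candidate]
    return "nxdomain", None


def resolve(qname, cache=None, max_hops=8):
    """Walk from the root hints down the delegation chain, as a resolver does."""
    if not qname.endswith("."):
        qname += "."                 # the trailing dot is the root domain (step 3)
    cache = cache if cache is not None else {}
    if qname in cache:
        return cache[qname], [("cache", "answer")]
    trail = []
    server_ip = next(iter(ROOT_HINTS.values()))
    for _ in range(max_hops):
        kind, data = query(server_ip, qname)
        trail.append((server_ip, kind))
        if kind == "answer":
            cache[qname] = data[1]   # step 2: next time answer from the local database
            return data[1], trail
        if kind == "nxdomain":
            return None, trail
        server_ip = data[1]          # step 6/7: follow the referral to the next server
    raise RuntimeError("too many referrals; possible delegation loop")
```

The `trail` returned by `resolve` is the sequence of servers contacted, which is what you would see as the chain of referrals in a packet capture or in a verbose `nslookup` session; the `max_hops` bound is there because a resolver that follows referrals without limit can be tied up by a mis-delegated zone.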



Understanding DNS : Part - II
Hi Guys,
In my previous discussion about Understanding DNS, you learned most of the basic things related to DNS. In this post I want to elaborate more about DNS. Let's start...
DNS Records
There are many records associated with a DNS server. The name resolution process does not happen properly without these records.
As you know, the DNS server's main purpose is to resolve host names to IPs and vice versa.
· A Record: Maps a host name to an IP address. It is used in resolving host names to IP addresses.
· PTR Record: Pointer record, maps an IP address back to a host name. It is used in resolving IP addresses to host names.
· CNAME Record: Alias of an A record. It is used to give multiple names to a single host, which means the same host can provide multiple services. For segregation of services, and to communicate with a particular service, we give a different name to each service; even though the services are hosted on a single server, we can send our request to the target service by its name. The CNAME record identifies that service on that server.
· MX Record: Identifies the mail server in a DNS domain (for that organization).
· NS Record: Identifies the DNS server in a DNS domain (for that organization).
· SRV Record: Created when we install a service which is DNS dependent. It is generated automatically and is associated with a specific IP address. It is called a Service record.
· SOA Record: Start of Authority record. This record is not associated with any IP address but with a number, the serial, which identifies the update. Whenever an update is done, this number is incremented.
These are the records associated with each and every DNS server in the world. A fact: "DNS is the biggest database in the world and the only one which gets updated every second." And this database is not located in a single place; it is spread across the world in different places such as different companies, different ISPs, different homes etc. The name resolution process is explained in my previous post, Understanding DNS. That is the reason why a DNS request goes to different locations to get the correct answer.
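The record types listed above are easiest to understand by reading a zone in the standard master-file layout and querying it. The following is an added example written for this page, not code from the original post or from Microsoft's DNS server: a small parser for zone-file lines covering SOA, NS, MX, A, CNAME, SRV and PTR, a lookup that follows a CNAME alias to its A record, a reverse-zone lookup built from an IP address, and the serial-number comparison that secondary servers use to decide whether a zone has been updated. The example.com zone, its reverse zone and all addresses are constructed.

```python
"""Minimal zone-file parser and record lookups (constructed example)."""

# Constructed forward zone in standard master-file layout.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@           IN SOA   ns1.example.com. hostmaster.example.com. 2012090701 3600 900 604800 86400
@           IN NS    ns1.example.com.
@           IN MX    10 mail.example.com.
ns1         IN A     192.0.2.53
mail        IN A     192.0.2.25
web         IN A     192.0.2.80
www         IN CNAME web
_ldap._tcp  IN SRV   0 100 389 dc1.example.com.
dc1         IN A     192.0.2.10
"""

# Constructed reverse zone for 192.0.2.0/24.
REVERSE_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.
80          IN PTR   web.example.com.
"""

# Position of the host-name field in the rdata of each type that carries one,
# so relative names like "web" get qualified with the current $ORIGIN.
HOST_FIELD = {"CNAME": 0, "NS": 0, "PTR": 0, "MX": 1, "SRV": 3}


def fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return a list of {name, type, rdata} dicts, with every name fully qualified."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        name, _cls, rtype, *rdata = line.split()
        if rtype in HOST_FIELD:
            i = HOST_FIELD[rtype]
            rdata[i] = fqdn(rdata[i], origin)
        records.append({"name": fqdn(name, origin), "type": rtype, "rdata": rdata})
    return records


def lookup(records, name, rtype, depth=0):
    """Return rdata lists for name/type, following a CNAME chain (bounded)."""
    hits = [r["rdata"] for r in records if r["name"] == name and r["type"] == rtype]
    if hits or depth > 5:
        return hits
    for r in records:
        if r["name"] == name and r["type"] == "CNAME":
            return lookup(records, r["rdata"][0], rtype, depth + 1)
    return []


def reverse_name(ip):
    """IPv4 address -> the in-addr.arpa name a PTR query asks for."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def soa_serial(records):
    soa = next(r for r in records if r["type"] == "SOA")
    return int(soa["rdata"][2])


def serial_advanced(old, new):
    """Serial arithmetic (RFC 1982): True when `new` is a later serial than `old`."""
    diff = (new - old) % 2**32
    return 0 < diff < 2**31
```

A practical use of `serial_advanced` is checking a change before it goes live: if an edit to the zone file does not increase the SOA serial, secondaries will keep serving the old data and the new record will appear to "work on one server only".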